Posts

Control plane ACLs cisco FTD

On a Cisco firewall, traffic destined to the firewall itself (control plane traffic, for example remote access VPN) cannot be blocked by the Access Control Policy (ACP), even if you do not bypass the ACLs. Geolocation-based blocking of this traffic is not supported: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322?rfs=iqvred

The solution, a control plane ACL, is well documented in the link below: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html#toc-hId-689510534
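As an added example (not from this post or from the Cisco document), here is the ASA-style control plane ACL that the linked article applies on FTD through a FlexConfig object; the ACL name, the object-group name, the sample source network and the interface name are assumptions.

```cisco
! Constructed example: block to-the-box traffic (for example the RA VPN portal)
! from a source range that should never reach the firewall itself.
object-group network CP-BLOCKED-SOURCES
 network-object 203.0.113.0 255.255.255.0
!
! An ACL ends in an implicit deny, so the explicit permit is required;
! without it all remaining to-the-box traffic (VPN, management) is dropped.
access-list CP-ACL extended deny ip object-group CP-BLOCKED-SOURCES any
access-list CP-ACL extended permit ip any any
!
! The "control-plane" keyword applies the ACL only to traffic destined to
! the firewall on that interface, not to traffic passing through it.
access-group CP-ACL in interface outside control-plane
!
! Check that the deny entry is actually matching:
! show access-list CP-ACL
```

On FTD the comment lines are not part of the FlexConfig object; paste only the object-group, access-list and access-group lines.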

ISE Loggings are missing

ISE logs are missing after the Secondary node is made Primary for the monitoring (M&T) persona:

ISE01 -- PRI(A), SEC(M)
ISE02 -- SEC(A), PRI(M)

To resolve this, go to Administration > System > Logging > Log Settings and disable ISE Messaging Settings.

Reset ISE Session Database

There is no way to reset the session database from the ISE GUI; it is done from the CLI:

ISE02/admin# application configure ise
Selection configuration option
[1]Reset M&T Session Database    <- This will clear all the sessions.
[4]Reset M&T Database            <- This will delete the logs also. Run this if [1] is not working.
1
You are about to reset the M&T session database.
Following this operation, an application restart will be required.
Are you sure you want to proceed? y/n [n]: y

Exclude Client from Splash page

Bypass users from a splash page: configure a new Group Policy (Network-wide > Group Policies). Splash page bypass is configured by selecting "Bypass" in the "Splash" dropdown, see the picture below. Leaving everything else as "use SSID default" ensures that all the other global configuration is left untouched.

Once the group policy exists, assign it to the client: navigate to Network-wide > Clients > click on the client's name > look for Group Policy > change it from Normal to the group policy you created.

ISE Direct Upgrade URT

Run the Upgrade Readiness Tool (URT) to validate the config DB upgrade from 2.7, 3.0 or 3.1 to 3.2. The URT is a signed bundle for image integrity (ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz). In this case I am running ISE 3.1 patch 7 and will upgrade to 3.2.

As we are running an HA deployment, the URT needs to run on the Secondary Admin node. I got the below error when I tried to run it on the Primary:

Checking ISE persona
======================================================
  - Failed (URT can only be run on Secondary Admin Node or Standalone
% Application install or upgrade cancelled.
ise03/admin#
======================================================

*Note: when you run it on the secondary node, you first have to generate the key on the secondary (crypto host_key add host 10.10.10.10), and then you can run the URT.

Below is the URT logging:

ise04/admin# application install ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz "SFTP-SRV01"
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Gen

Add cisco ISE SFTP Repository

Go to Administration > System > Maintenance, select Repository, add a new repository and complete the required fields. After this, the setup needs one additional command to work: log in through the CLI and run

ise/admin# crypto host_key add host 10.10.10.10

where 10.10.10.10 is your SFTP server. Thanks to https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/215348-how-to-configure-repository-on-identity.html#toc-hId--287746172

Useful Commands Security/Wireless/R&S

SECURITY

WSA
Check WSA authenticated users:
  authcache   (then select the LIST option)

ISE
Check restore status for the backup and restore procedure (here I wish you this command finishes and does not stay forever in progress):
  show restore status
Check process status:
  show application status ise
Restart the ISE application:
  application start ise
Add SFTP server host key:
  crypto host_key add host 10.10.10.10
Reset ISE GUI password:
  application reset-passwd ise <username-here>
Factory reset Cisco ISE from the CLI:
  reset-config

Copy from FTP:
  copy ftp://cisco:cisco@10.10.10.10/C9800-CL-universalk9.17.09.03.SPA.bin bootflash: