Internet Edge Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer - jefanell@cisco.com
BRKSEC-2050
#jefanell
About your speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization
BRKSEC-205 0 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Firepower NGFW Software: Firepower Threat Defense
Cisco Collective Security Intelligence
Capabilities (diagram): Malware Protection, Intrusion Prevention, URL Filtering, High Availability, Analytics & Automation, Application Visibility & Control, Network Firewall and Routing, Identity-Based Policy Control, Network Profiling
Firepower Threat Defense
ASA with Firepower Services (Full Feature Set) vs Firepower Threat Defense (Single Converged OS)
Firepower (L7):
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection
ASA (L2-L4):
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
Continuous feature migration into Firepower Threat Defense: Firewall, URL, Visibility, Threats
Managed by Firepower Management Center (FMC)
What are the Firepower Deployment Options?
Firepower Appliances – ASA with Firepower Services (ASA 9.5.x) – Firepower Threat Defense
Comparison, Firepower Threat Defense vs ASA with Firepower Services:
• HA (Active/Passive): ✔ ✔
• Clustering (Active/Active): ✔ ✔
• Site to Site VPN: ✔ ✔
• Policy based on SGT tags: ✔ ✔
• Unified ASA and Firepower rules and objects: ✔ ✘ (difference)
• Hypervisor Support (AWS, VMware, KVM, Azure 6.2): ✔ ✘ (difference)
Application Visibility and Control (AVC):
• Cisco database of 4,000+ apps
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
Diagram: security feeds and the Cisco URL Database (URL | IP | DNS) feed the NGFW, which applies filtering and Safe Search and returns an allow or block verdict.
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs
Granular SSL Decryption Capabilities
SSL/TLS handshake certificate inspection and TLS decryption engine
Diagram: the SSL decryption engine hands decrypted traffic to NGIPS and AVC, which make the enforcement decisions (for example, URLs categorized as gambling or illicit are blocked while the rest are allowed).
• Decrypt 3.5 Gbps traffic over five million simultaneous flows
• Inspect deciphered packets
• Track and log all SSL sessions
Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
Diagram: ISE app and device data plus the data packets feed the NGIPS, which profiles network communications, separates blended threats and phishing attacks from innocuous payloads and infrequent callouts, blocks or accepts the traffic, and prioritizes and automates response policies.
• Scan network traffic
• Correlate data
• Detect stealthy threats
• Respond based on priority
Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
Diagram: File Reputation, File & Device Trajectory, AMP for Endpoint log, AMP for Network log
• Block known malware
• Investigate files safely
• Detect new threats
• Respond to alerts
ASA & Firepower Platforms
Cisco ASA 5500-X
SMB and Enterprise Branch NGFW
• Wireless option for 5506-X
• Software switching capability
• 5545 / 5555 redundant power supply and SSD option
• Firepower Threat Defense or ASA software options
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)
Cisco Firepower 2100 Series
Introducing four high-performance models
Purpose Built NGFW:
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
Performance and Density Optimization:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
Unified Management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
Firepower 2100 Series Performance for FTD
No drop in performance!
                                    FPR 2110   FPR 2120   FPR 2130   FPR 2140
NGFW throughput                     1.9 Gbps   3 Gbps     4.75 Gbps  8.5 Gbps
NGFW + IPS throughput               1.9 Gbps   3 Gbps     4.75 Gbps  8.5 Gbps
Maximum concurrent sessions         1M         1.2M       2M         3.5M
Maximum new connections per second  12000      16000      24000      40000
Cisco Firepower 4100 Series
High performance campus and data center
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Management: Firepower Management Center (enterprise management), Firepower Device Manager (on-box manager), Cisco Defense Orchestrator (cloud management)
Cisco Firepower 9300 Platform
High performance data center
Modular – Multiservice Security – Carrier Class
Cisco NGFW Platforms
Firepower Threat Defense for ASA 5500-X, Firepower 2100 Series, Firepower 4100 Series and Firepower 9300
Up to 16x with clustering!
Software Support – Physical Platforms
Software Support – Virtual Platforms
Management Platform Options
Management Options: On-box – Centralized – On-box
Firepower Device Manager
Firepower Management Center
• Single manager for Firepower Threat Defense
On-box vs Off-box
Firepower Management Center (Off-box) vs Firepower Device Manager (On-box), compared on:
• NAT & Routing
• Access Control
• Security Intelligence
• Active/Passive Authentications
• Risk Reports
• Interface Port-Channel
• High Availability
Firepower Management Center: New Capabilities
Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data includes information from Snort and the preprocessors about verdicts and actions taken while processing the packet
Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer
Lookup features: Geolocation & WHOIS
Lookup feature: URL
ISE remediation using pxGrid
Cisco Threat Intelligence Director (CTID)
Cisco Threat Intelligence Director Overview
Hail a TAXII!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest
Deployment Designs
Use Case: Internet Edge Firewall
Requirement
Connectivity and Availability Requirement:
• High Availability, ROUTED mode
• Firewall should support Routed or Transparent mode
Routing Requirements:
• Static and BGP routing
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with FMC
Diagram: ISP / Service Provider – Internet Edge – FW in HA (with DMZ Network) – Port-Channel – Campus/Private Network
Connectivity and Availability
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains – the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
Diagram: a routed firewall with NAT is the gateway 10.1.1.1 for 10.1.1.0/24; a transparent firewall bridges 192.168.1.0/24, where the host (IP 192.168.1.100) uses GW 192.168.1.1.
Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability – Clustering
Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT support for FTD, including IPv6
Routing Protocol support
IPv4 and IPv6 advanced routing
• OSPF and OSPFv3 (IPv6)
• Static Route
• Tunneled Route support for VPNs
• Reverse Route Injection for VPNs
• Multicast Routing
  • IGMP
  • PIM
Rate limiting Cloud File Sharing Traffic
• QoS Policy is a new policy type with a separate policy table
• Not associated with an Access Control Policy – directly associated with devices
FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center
FlexConfig for Internet Edge Use Case: Enable ICMP Inspection & Disable DNS Inspection
Prepend FlexConfig:
• Disables DNS Inspection to allow Umbrella DNSCrypt traffic
Append FlexConfig:
• Enables ICMP and ICMP Error ASA inspection engines in Firepower
• Edit FlexConfig Text Object as below
FlexConfig for Internet Edge Use Case: IPv6 Prefix Delegation (IPv6-PD)
Prepend FlexConfig:
• Clears IPv6-PD on each deployment
Append FlexConfig:
• Enables outside interface (recipient of delegated prefix) for IPv6 prefix delegation
• Assigns one or more inside interfaces with a subnet and address from the delegated prefix
• Trust IPv6 default route from IPv6 DHCP Server (Neighbor Advertisement)
Security Requirements
Access Control Policy blocking inappropriate content
Granular SSL Decrypt
Can specify by application, certificate fields / status, ciphers, etc.
Custom IPS Policy
Malware and File Analysis
Attached to Access Policy
URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC, …
• Multiple actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New Dashboard widget for URL SI
• Black/White-list a URL with one click
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
Identity Requirements
Access Control Policy Identity Control
Can mix and match AD & ISE Identity Groups (Guest, BYOD, etc.)
Active Directory “Realm” Configuration
• Realm configuration used in Identity Policy
• User and Group downloads used in Access Policy
• Can have multiple entries
• LDAP / LDAPS
ISE Integration
Identity Services Engine pxGrid Integration
TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles
External Authentication for Administration
• LDAP / AD or RADIUS
Branch Firewall Use Cases
Site to Site and Remote Access VPN
Branch Use Case: WAN Edge Firewall with Direct Internet Access
Requirement
Connectivity and Availability Requirement:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN
Routing Requirements:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic
Diagram: branch NGFW with an “Outside” interface to the Internet, a VPN tunnel over the Internet to the Internet Edge NGFW, and an MPLS WAN link
Headquarters and Branch NGFW Example
Use of Groups in FMC for organization
• Same policy sets applied to all branch firewalls
Adding Firewall to Firepower Management Center
• Host = out-of-band management IP
• Must be reachable by FMC
• Can add with a temporary “staging” IP if the “NAT ID” field is used
• Device can be set to “offline” in FMC: Devices -> Device Management -> Device tab -> Management
Branch NGFW Use Case – Interface Configuration
Outside / Inside / MPLS interfaces configuration (Static IP)
• Can have dual MPLS and multiple inside interfaces / LAN segments
Headquarters and Branch NGFW Example
Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other
Headquarters and Branch NGFW Example
HUB (Headquarters) Static Routes:
• Note the “floating static routes” for all remote branch subnets to the Internet gateway!
HQ & Branch OSPF Routing Configuration for MPLS:
• Redistributing “connected” and “static” routes into OSPF
Single Hub & Spoke Site to Site VPN Configuration
• Static “outside” IP addresses on the HUB and all Spoke firewalls
Create Hub and Spoke IKEv2 VPN Topology with all default settings
• DISABLE Reverse Route Injection on the IPsec tab, or the OSPF routes are ignored
Dynamic Endpoint option for sites with a DHCP Outside Interface
• Set Crypto Map type to Dynamic in the IPsec tab. Hub + Spokes as Bi-directional
Optional: Disable Health Monitoring Interface Warnings
• Will prevent FMC warnings when no traffic is seen on an interface
Benefits and Caveats
• OSPF routes from MPLS will always be preferred
HQ Firewall Routing Table with all site MPLS links UP
• FTDv-A Hub Site routing table (branch site routing tables will look similar)
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-A Hub Site routing table: the OSPF route for the Branch LAN is replaced by the “floating static” route to outside (VPN)
• FTDv-B Branch routing table: the OSPF route for the Branch FTDv-C LAN now points to the MPLS-connected Hub firewall
FTDv-B branch will “talk” through MPLS to the Hub site, then over the VPN connection to FTDv-C
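To make the failover in the routing tables above concrete, here is an added Python model (not Cisco's code and not from the deck) of administrative-distance route selection on hub FTDv-A and branch FTDv-B, including the Reverse Route Injection caveat. The addresses, the AD of 254 for the floating static, and the `rri` switch are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Cisco administrative distances (AD): lower wins when two sources offer the same prefix.
OSPF_AD = 110             # default AD for OSPF routes (intra-area and external alike)
STATIC_AD = 1             # default AD of an ordinary static route (what RRI installs)
FLOATING_STATIC_AD = 254  # assumed AD configured on the backup ("floating") static

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    ad: int
    source: str  # "ospf", "static", "ospf-external" or "rri-static"

class RoutingTable:
    def __init__(self):
        self.candidates = []  # every route offered to the RIB, regardless of AD

    def add(self, route):
        self.candidates.append(route)

    def active(self):
        """Best (lowest-AD) route per prefix: what 'show route' on the firewall would list."""
        best = {}
        for r in self.candidates:
            if r.prefix not in best or r.ad < best[r.prefix].ad:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst):
        # Forwarding decision for dst: longest prefix among the active routes.
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.active() if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

# Constructed topology: hub FTDv-A and branches FTDv-B, FTDv-C share one MPLS segment.
BRANCH_C_LAN = ipaddress.ip_network("10.3.0.0/24")
HUB_MPLS, C_MPLS = "172.16.0.1", "172.16.0.3"  # OSPF neighbour addresses on the MPLS WAN
INTERNET_GW = "203.0.113.1"                    # hub's outside gateway; VPN traffic exits here

def hub_table(mpls_to_c_up, rri=False):
    rt = RoutingTable()
    # Floating static for C's LAN toward the Internet gateway is always configured, but its
    # high AD keeps it inactive while OSPF offers the same prefix over MPLS.
    rt.add(Route(BRANCH_C_LAN, INTERNET_GW, "outside", FLOATING_STATIC_AD, "static"))
    if mpls_to_c_up:
        rt.add(Route(BRANCH_C_LAN, C_MPLS, "mpls", OSPF_AD, "ospf"))
    if rri:
        # Deck caveat: Reverse Route Injection installs an ordinary static (AD 1) for the
        # spoke's network, which beats OSPF even while MPLS is healthy; hence "DISABLE RRI".
        rt.add(Route(BRANCH_C_LAN, INTERNET_GW, "outside", STATIC_AD, "rri-static"))
    return rt

def branch_b_table(mpls_to_c_up):
    # B learns C's LAN by OSPF: from C directly while C's MPLS link is up, otherwise from
    # the hub, which redistributes its now-active floating static into OSPF (external route).
    rt = RoutingTable()
    if mpls_to_c_up:
        rt.add(Route(BRANCH_C_LAN, C_MPLS, "mpls", OSPF_AD, "ospf"))
    for r in hub_table(mpls_to_c_up).active():
        if r.source == "static":
            rt.add(Route(r.prefix, HUB_MPLS, "mpls", OSPF_AD, "ospf-external"))
    return rt

def path(rt, dst):
    # (source, interface, next_hop) of the route that forwards dst, or None if unroutable.
    r = rt.lookup(dst)
    return (r.source, r.interface, r.next_hop) if r else None
```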
Secure Remote Access for Roaming User
Secure access using Firepower
• Secure SSL/IPsec AnyConnect access to the corporate network
• AMP and File Inspection Policy to monitor roaming user data
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced application-level inspection can be enabled to enforce security on inbound Remote Access user data
• Monitoring and troubleshooting to monitor remote access activity, and a simplified tool for troubleshooting
Diagram: roaming user – ISP – Internet Edge – FP2100 in HA – Campus/Private Network
Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies
Firepower AnyConnect Remote Access
Before You Start Wizard:
1. Configure Realm or RADIUS Server Group for authentication
2. Upload AnyConnect package(s) (can pull from Cisco during wizard)
3. Have Firepower device interfaces and routing configured
4. Install Self-Signed Certificate or enroll device with public CA
Firepower AnyConnect Remote Access
Configuration Wizard Steps:
1. (Group) Policy Assignment
Connection Profile:
1. Name (mandatory)
AnyConnect client software selection:
• Upload from your workstation
Interface Selection & Certificate:
1. Choose Interface / Zone
• Configuration Summary
Don’t forget!
1. Allow VPN traffic from the Outside zone in your Access Policy!
2. Exempt traffic to and from your VPN subnet from NAT!
3. Disable proxy ARP in your NAT Exempt rule
Firepower Threat Defense Summary
Powerful Internet Edge and Branch WAN Platform
• Powerful Threat Defense Capabilities
• Advanced Site to Site VPN and routing protocol support
• AnyConnect Remote Access
Flexible Deployment – Robust NGFW Feature Set – Unified Management
Cisco Spark
Ask Question, Get Answers
www.ciscospark.com
Use Cisco Spark to communicate with the speaker after the event!
What if I have a question after visiting Cisco Live? ... Cisco Spark
*Get the Cisco Spark app from the iTunes store or Google Play store
1. Go to the Cisco Live Mobile app
2. Find this session BRKSEC-2050
3. Click the join link in the session description
4. Navigate to the room, room name = Session ID
5. Enter messages in the room
cs.co/ciscolive/#session ID (e.g. session ID = BRKSEC-2050)
Spark rooms will be available until Friday 17 November 2017
Complete Your Online Session Evaluation
• Give us your feedback about the session you just joined
• Complete your session surveys through the Cisco Live mobile app:
https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app (English)
https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app (Español)
Thank you