Firepower NGFW Internet Edge Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer - jefanell@cisco.com
BRKSEC-2050
#jefanell
About your speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization

I’m from the U.S. state with the largest FRESH water coastline in the world! MICHIGAN (the “mitten” state..)
Today’s Agenda
• Firepower Software Overview
• ASA & Firepower NGFW Platforms
• Management Options
• New Release Capabilities
• Deployment Use Cases
  • Internet Edge
  • Enterprise Branch
  • Remote Access VPN
Abbreviation Key!
ASA = Adaptive Security Appliance
FTD = Firepower Threat Defense
FPS = Firepower Services
FMC = Firepower Management Center
FDM = Firepower Device Manager
NGFW = Next Generation Firewall
NGIPS = Next Generation Intrusion Prevention System
AMP = Advanced Malware Protection
API = Application Programming Interface
ISE = Identity Services Engine
IoC = Indicator of Compromise
PAN = Place to cook your eggs

BRKSEC-2050 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Firepower NGFW Software
Firepower Threat Defense
CISCO COLLECTIVE SECURITY INTELLIGENCE
Integrated capabilities:
• Network Firewall and Routing
• High Availability
• Application Visibility & Control
• Intrusion Prevention
• Malware Protection
• URL Filtering
• Network Profiling
• Identity-Policy Control
• Analytics & Automation
Integrated Software - Single Management

Firepower Threat Defense
ASA with Firepower Services: Full Feature Set
Firepower Threat Defense: Single Converged OS (Firewall, URL, Visibility, Threats)
Firepower (L7)
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection
ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
Continuous Feature Migration from ASA with Firepower Services to Firepower Threat Defense; both are managed by Firepower Management Center (FMC)

What are the Firepower Deployment Options?
• Firepower Appliances: FirePOWER Services Appliances 7000/7100/8000/Virtual
• ASA with Firepower Services: ASA 5500X (all models), ASA 9.5.x
• Firepower Threat Defense: ASA 5500X / Virtual, Firepower 2100 / 4100 / 9300
5585 cannot run FTD Image!
All Managed by Firepower Management Center


Feature Comparison: ASA with Firepower Services and Firepower Threat Defense
Note: Not an exhaustive feature list

Feature                                            | Firepower Threat Defense | Firepower Services for ASA
SIMILARITIES
Routing + NAT                                      | ✔                        | ✔
OnBox Management                                   | ✔                        | ✔
HA (Active/Passive)                                | ✔                        | ✔
Clustering (Active/Active)                         | ✔                        | ✔
Site to Site VPN                                   | ✔                        | ✔
Policy based on SGT tags                           | ✔                        | ✔
DIFFERENCES
Unified ASA and Firepower rules and objects        | ✔                        | ✘
Hypervisor Support (AWS, VMware, KVM, Azure 6.2)   | ✔                        | ✘
Smart Licensing Support                            | ✔                        | ✘
Multi-Context Support                              | ✘ (Coming Soon!)         | ✔
Remote Access VPN                                  | ✔                        | ✔
Next-generation visibility with OpenAppID
Application Visibility & Control
Cisco database:
• 4,000+ apps
• 180,000+ Micro-apps
(Diagram: the Cisco application database and OpenAppID detectors identify network & user traffic, allow or block applications, and prioritize traffic)
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps

Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
(Diagram: Security feeds and the Cisco URL Database (URL | IP | DNS) drive NGFW filtering with Safe Search, allow/block decisions, DNS Sinkhole, and category-based policy creation by the admin)
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs

Granular SSL Decryption Capabilities
SSL TLS handshake certificate inspection and TLS decryption engine
(Diagram: the SSL decryption engine feeds NGIPS and AVC, which make per-session enforcement decisions, for example blocking gambling and illicit sites, and every session is written to the Encrypted Traffic Log)
• Decrypt 3.5 Gbps traffic over five million simultaneous flows
• Inspect deciphered packets
• Track and log all SSL sessions

Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
(Diagram: data packets are scanned and correlated with ISE app & device data, network profiling and communications; blended threats such as phishing attacks, innocuous payloads and infrequent callouts are detected; response is prioritized and policies are automated to block or accept)
• Scan network traffic
• Correlate data
• Detect stealthy threats
• Respond based on priority

Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
(Diagram: File Reputation and File & Device Trajectory from the AMP for Endpoint and AMP for Network logs; Threat Grid Sandboxing; Threat Disposition of Uncertain, Safe or Risky; Enforcement across all endpoints)
Techniques:
• Known Signatures
• Advanced Analytics
• Fuzzy Fingerprinting
• Indications of compromise
• Dynamic analysis
• Threat intelligence
• Sandbox Analysis
Outcomes:
• Block known malware
• Investigate files safely
• Detect new threats
• Respond to alerts

ASA & Firepower Platforms
Cisco ASA 5500-X
SMB and Enterprise Branch NGFW
5506 / 5508 / 5516 Performance
• 1-Gbps interfaces
• Up to 450 Mbps throughput
• Wireless Option for 5506-X
• Software Switching capability
• Firepower Threat Defense or ASA Software Options
5525 / 5545 / 5555 Performance
• 1-Gbps interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555 Redundant Power Supply and SSD option
• Firepower Threat Defense or ASA Software Options
Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Cisco Firepower 2100 Series
Introducing four high-performance models
Performance and Density Optimization
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 Models: 1x Network Module, Fail to Wire Option, DC & Dual PSU support
Purpose Built NGFW
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Firepower 2100 Series Performance for FTD

                                    FPR 2110   FPR 2120   FPR 2130   FPR 2140
NGFW Throughput                     1.9 Gbps   3 Gbps     4.75 Gbps  8.5 Gbps
NGFW + IPS Throughput               1.9 Gbps   3 Gbps     4.75 Gbps  8.5 Gbps
Maximum concurrent sessions         1M         1.2 M      2M         3.5 M
Maximum new connections per second  12000      16000      24000      40000

NO DROP IN PERFORMANCE!

Cisco Firepower 4100 Series
High performance campus and data center
Performance and Density Optimization
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Cisco Firepower 9300 Platform
High performance data center
Modular
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management
Multiservice Security
Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• ASA container option
• Firepower™ Threat Defense: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS
Carrier Class
Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability

Cisco NGFW Platforms
Firepower Threat Defense for:
• ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS Throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS Throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb, 93xx = 24 Gb -> 53 Gb (up to 16x with clustering!)
NGFW capabilities all managed by Firepower Management Center

Software Support – Physical Platforms

Platform                                | ASA | ASA with FirePOWER Services | Firepower NGIPS | Firepower Threat Defense
ASA 5506X -> 5555X (all models)         | ✓   | ✓                           |                 | ✓
Firepower 2100 (all models)             | ✓   |                             |                 | ✓
Firepower 4100 (all models)             | ✓   |                             |                 | ✓
Firepower 9300 (all models)             | ✓   |                             |                 | ✓
ASA 5585 (With SSP blade)               | ✓   | ✓                           |                 |
Firepower 7000 / 8000 (IPS appliances)  |     |                             | ✓               |

Software Support - Virtual Platforms

Platform                                    | ASA | Firepower NGIPS | Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM)    | ✓   |                 |
Firepower NGIPSv (vSphere + ISR UCSE)       |     | ✓               |
Firepower NGFWv (vSphere, AWS, Azure, KVM)  |     |                 | ✓

Management Platform Options
Management Options
• On-box: Firepower Device Manager - Enables easy on-box management of common security and policy tasks
• Centralized: Firepower Management Center - Enables comprehensive security administration and automation of multiple appliances
• On-box: ASDM with FirePOWER Services - Enables easy on-box migration and management of ASA with Firepower
Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defense device
• Targeted for SMB market
• Designed for Networking Security Administrator
• Simple & Intuitive
• Mutually Exclusive from FMC
• CLI for troubleshooting

Firepower Management Center
• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and “Services” deployments
• Broadest set of security capabilities for Firepower platforms!

On-box vs Off-box
Features compared for Firepower Management Center (Off-box) and Firepower Device Manager (On-box):
• NAT & Routing
• Access Control
• Intrusion & Malware
• Device & Events Monitoring
• VPN - Site to Site & RA
• Security Intelligence
• Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
• Active/Passive Authentications
• Firewall Mode: Router / Transparent (FMC), Routed (FDM)
• Threat Intelligence & Analytics
• Correlation & Remediation
• Risk Reports
• Device Setup Wizard
• Interface Port-Channel
• High Availability
Firepower Management Center
New Capabilities
Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet

Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer

Lookup features – Geolocation & WHOIS

Lookup Feature: URL

ISE remediation using pxGrid

Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources

Cisco Threat Intelligence Director Overview
(Diagram: Cisco Threat Intelligence Director)
Hail a TAXII !!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source
• URL: http://hailataxii.com/taxii-discovery-service
• USERNAME: guest
• PASSWORD: guest

Deployment Designs
Use Case: Internet Edge Firewall
Requirement
Connectivity and Availability Requirement:
• High Availability ROUTED mode
• Firewall should support Router or Transparent Mode
Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with FMC
(Diagram: ISP / Service Provider -> Internet Edge firewalls in HA with a Port-Channel -> DMZ Network and Campus/Private Network)

Connectivity and Availability
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
(Diagram: routed example with the firewall at 10.1.1.1 as gateway and NAT device for 10.1.1.0/24; transparent example on 192.168.1.0/24 with host IP: 192.168.1.100, GW: 192.168.1.1)

Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability - Clustering
• Link Redundancy: LACP (Link Aggregation Control Protocol) link redundancy
• Active / Standby HA: Link resiliency with link failures
• Inter-chassis Clustering: Combine up to 6 9300 blades or 4100 chassis (see BRKSEC-3032 NGFW Clustering Deep Dive)

Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6

Routing Protocol support
IPv4 and IPv6 advanced routing
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route
  • Tunneled Route support for VPNs
  • Reverse Route Injection for VPNs
• Multicast Routing
  • IGMP
  • PIM
• EIGRP via FlexConfig

Rate limiting Cloud File Sharing Traffic
• QOS Policy is a new policy type with separate policy table
• Not associated with an Access Control Policy – directly associated with devices

FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center
• EIGRP Routing
• Policy Based Routing
• ISIS Routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BGP-BFD
• Platform Sysopt commands
• WCCP

FlexConfig for Internet Edge Use Case:
Enable ICMP Inspection & Disable DNS Inspection
Prepend FlexConfig:
• Disables DNS Inspection to allow Umbrella DNSCrypt Traffic
Append FlexConfig:
• Enables ICMP and ICMP Error ASA Inspection Engines in Firepower
• Edit FlexConfig Text Object as below
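As an added illustration (the slide's own text object is an image and is not reproduced here), the two FlexConfig objects described above written in ASA/FTD CLI syntax; the DNS inspection map name preset_dns_map is an assumption and should be matched against the device's running configuration:

```cisco
! Prepend FlexConfig object (deployed before the FMC-generated policy).
! Remove DNS inspection from the default global service policy so that
! Umbrella DNSCrypt traffic is not rejected by the DNS inspector.
! The map name preset_dns_map is an assumption; confirm it with
! "show running-config policy-map" on the device before deploying.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
!
! Append FlexConfig object (deployed after the FMC-generated policy).
! Enable ICMP and ICMP error inspection: echo replies and ICMP error
! messages are then matched to the session that caused them and are
! permitted without an explicit inbound access rule for ICMP.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Post-deployment check from the FTD CLI: "show service-policy inspect icmp"
! should list the icmp and "icmp error" inspectors under global_policy,
! and "show running-config policy-map" should no longer contain
! "inspect dns".
```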

FlexConfig for Internet Edge Use Case:
IPv6 Prefix Delegation (IPv6-PD)
Prepend FlexConfig:
• Clears IPv6-PD on each deployment
Append FlexConfig:
• Enables outside interface (recipient of delegated prefix) for IPv6 prefix delegation
• Assigns one or more inside interfaces with a subnet and address from delegated prefix
• Trust IPv6 default route from IPv6 DHCP Server (Neighbor Advertisement)

Security Requirements
Access Control Policy blocking inappropriate content

Granular SSL Decrypt
Can specify by application, certificate fields / status, ciphers, etc.

Decrypt Cert required!

Custom IPS Policy

Malware and File Analysis
Attached to Access Policy

URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC,…
• Multiple Actions: Allow, Monitor, Block, Interactive Block,…
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New Dashboard widget for URL SI
• Black/White-list URL with one click
(Screenshot: URL-SI Categories)
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
(Screenshot: DNS List Action)
Identity Requirements
Authentication and Authorization
Identity Policy based on Passive Authentication
Must be created; it attaches to an Access Control Policy

Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)

Active Directory “Realm” Configuration
• Realm configuration used in Identity Policy
• User and Group downloads used in Access Policy
• Can have Multiple Entries
• LDAP / LDAPS

ISE Integration
• pxGrid feed to retrieve from ISE:
  • AD Username (Group lookup via AD Realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules
  • e.g. block HR users from using personal iPads
• Reduces ACL size and complexity

Identity Services Engine pxGrid Integration
• MUST install ROOT certificate (chain) on FMC that signed ISE pxGrid Cert
• MUST install ROOT certificate (chain) on ISE that signed FMC Cert
• Private keys not needed (of course!)

TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles

External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to be defined that exist in Active Directory for FMC or shell login
• Can stack multiple methods

Branch Firewall Use Cases
Site to Site and Remote Access VPN
Branch Use Case: WAN Edge Firewall with Direct Internet Access
Requirement
Connectivity and Availability Requirement:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN
Routing Requirements:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with FMC
(Diagram: branch NGFW with the Firewall “Outside” interface to the Internet Edge and the VPN tunnel, the Firewall “MPLS” interface running OSPF to the MPLS WAN, and the Firewall “Inside” interface to the Local Area Network)

Headquarters and Branch NGFW Example
Use of Groups in FMC for organization
• Same policy sets applied to all branch firewalls

Adding Firewall to Firepower Management Center
• Host = Out of band management IP
• Must be reachable by FMC
• Can add with temporary “staging” IP if “NAT ID” field is used
• Device can be set to “offline” in FMC: Devices -> Device Management -> Device TAB -> Management

Branch NGFW Use Case – Interface Configuration
Outside / Inside / MPLS Interfaces configuration (Static IP)
• Can have dual MPLS and multiple inside interfaces / LAN segments

Headquarters and Branch NGFW Example
Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other

Headquarters and Branch NGFW Example
HUB (Headquarters) Static Routes:
• Note “floating static routes” for all remote branch subnets to Internet gateway!

Headquarters and Branch NGFW Example
HQ & Branch OSPF Routing Configuration for MPLS:
• Redistributing ”connected” and “static” routes to OSPF

Headquarters and Branch NGFW Example
Single Hub & Spoke Site to Site VPN Configuration
• Static ”outside” IP Addresses on HUB and all Spoke firewalls

Headquarters and Branch NGFW Example
Create Hub and Spoke IKEv2 VPN Topology with all default settings
• DISABLE Reverse Route Injection on IPSec Tab or OSPF routes are ignored

Headquarters and Branch NGFW Example
Dynamic Endpoint option for sites with DHCP Outside Interface
• Set Crypto Map type to Dynamic in IPSec Tab. Hub + Spokes as Bi-directional

Headquarters and Branch NGFW Example
Optional: Disable Health Monitoring Interface Warnings
• Will prevent FMC warnings when no traffic seen on an interface

Headquarters and Branch NGFW Example
Benefits and Caveats
• OSPF routes from MPLS will always be preferred
• Routing “failover” time to VPN tunnel will depend upon OSPF Hello & Dead Interval values (must use FlexConfig to change)
• Spoke-to-spoke traffic will transit hub site for sites with MPLS down (only for static IP spokes!)
• Use dynamic spoke option for DHCP addressed sites.
• Static spoke supports tunnel creation from hub or spoke
• Add “VPN only” network route to keep tunnels forced up
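An added example (not from the presentation) of the hub-site routing that the floating static route, OSPF redistribution and caveat slides describe, written in ASA/FTD CLI syntax as it appears in the device running configuration; interface names, subnets and the ISP gateway are constructed, and on FTD the routes and OSPF settings are entered in FMC while the interface timers are pushed with a FlexConfig object:

```cisco
! Hub firewall (FTDv-A). Constructed values: hub LAN 10.1.0.0/24,
! branch LANs 10.2.0.0/24 (FTDv-B) and 10.3.0.0/24 (FTDv-C),
! MPLS interface "mpls" on 172.16.0.0/24, Internet interface "outside"
! with ISP gateway 203.0.113.1.
!
! Default route (AD 1) to the ISP: Direct Internet Access and the path
! to every spoke's VPN peer address.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Floating static routes for the branch LANs, administrative distance 254.
! While OSPF (AD 110) learns the branch LAN over MPLS, the OSPF route wins
! and these stay out of the routing table. When a branch's MPLS link fails
! and OSPF withdraws the prefix, the floating static is installed and sends
! the branch subnet toward "outside", where the site-to-site crypto map
! carries it over the VPN tunnel.
route outside 10.2.0.0 255.255.255.0 203.0.113.1 254
route outside 10.3.0.0 255.255.255.0 203.0.113.1 254
!
! "VPN only" network: a prefix that is reachable only through the tunnel,
! so at least one flow keeps the tunnel up even while all MPLS links are up.
route outside 10.254.0.0 255.255.255.0 203.0.113.1 1
!
! OSPF toward the MPLS WAN. Redistributing connected routes advertises the
! hub LAN; redistributing static routes means that, once a floating static
! becomes active at the hub, the other branches learn that branch's LAN via
! MPLS with the hub as next hop (spoke-to-spoke through the hub, as on the
! FTDv-B routing table slide). The floating statics are only redistributed
! while they are actually installed, so they never compete with OSPF routes.
router ospf 1
 network 172.16.0.0 255.255.255.0 area 0
 redistribute connected subnets
 redistribute static subnets
!
! FlexConfig (append) on the MPLS interface: the OSPF dead interval bounds
! how long a failed MPLS link stays in the routing table before the floating
! static takes over. Defaults are 10 s hello / 40 s dead; 1 s / 3 s is a
! constructed aggressive setting, agree the values with the MPLS provider.
interface GigabitEthernet0/2
 ospf hello-interval 1
 ospf dead-interval 3
!
! Verification after a branch MPLS failure: "show route" on the hub should
! list the branch LAN as "S [254/0] via 203.0.113.1, outside" instead of
! "O E2 [110/20] via ..., mpls", and "show crypto ipsec sa" should show
! encapsulated packets climbing on the tunnel to that branch.
```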

Headquarters and Branch NGFW Example
HQ Firewall Routing Table with all site MPLS links UP
• FTDv-A Hub Site routing table (branch site routing tables will look similar)

Learned OSPF routes from MPLS WAN for Branch LANs

Headquarters and Branch NGFW Example
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-A Hub Site routing table

OSPF route for Branch LAN replaced by “floating static” route to outside (VPN)

Headquarters and Branch NGFW Example
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-B Branch routing table

OSPF route for Branch FTDv-C LAN now points to MPLS connected Hub firewall
FTDv-B branch will “talk” through MPLS to Hub site then VPN connection to FTDv-C

Secure Remote Access for Roaming User
Secure access using Firepower
• Secure SSL/IPsec AnyConnect access to corporate network
• AMP and File inspection Policy to monitor roaming user data.
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.
(Diagram: roaming user via ISP to the Internet Edge, FP2100 in HA, Campus/Private Network)

Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies

Firepower AnyConnect Remote Access
Before You Start Wizard:
1. Configure Realm or RADIUS Server Group for authentication
2. Upload AnyConnect package(s) (can pull from Cisco during wizard)
3. Have Firepower device interfaces and routing configured
4. Install Self-Signed Certificate or enroll device with public CA

Firepower AnyConnect Remote Access
Configuration Wizard Steps:
1. (Group) Policy Assignment
2. Connection Profile Creation
3. AnyConnect package selection
4. Access & Certificates

Firepower AnyConnect Remote Access
Connection Profile:
1. Name (mandatory)
2. Authentication Method (AAA = username + password)
3. IPv4 / IPv6 Address Pool(s)
4. Group Policy Selection (can use default)

Firepower AnyConnect Remote Access
AnyConnect client software selection:
• Upload from your workstation
• Download from Cisco.com using Wizard (need CCO credentials)

Firepower AnyConnect Remote Access
Interface Selection & Certificate:
1. Choose Interface / Zone
2. Choose Interface Identity Certificate
3. Optional: Create Self-Signed Certificate
4. Can also enroll device in public Certificate Authority (*best practice)

Firepower AnyConnect Remote Access
• Configuration Summary
• Recommended Next Steps

Firepower AnyConnect Remote Access
Don’t forget!
1. Allow VPN traffic from Outside zone in your Access Policy!
2. Exempt traffic to and from your VPN subnet from NAT!
3. Disable proxy ARP in your NAT Exempt rule
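An added example (not from the presentation) of the NAT exemption in points 2 and 3 above, shown in ASA/FTD CLI syntax as it lands in the device running configuration; in FMC the same rule is built in the NAT policy with its advanced options for not proxy-ARPing on the destination interface and performing a route lookup. Subnets and object names are constructed:

```cisco
! Constructed values: inside LAN 10.1.0.0/24 on "inside",
! AnyConnect address pool 10.200.0.0/24 terminating on "outside".
object network INSIDE_LAN
 subnet 10.1.0.0 255.255.255.0
object network ANYCONNECT_POOL
 subnet 10.200.0.0 255.255.255.0
!
! NAT exemption (manual/twice NAT, identity translation in both directions).
! Without it, LAN-to-client traffic would hit the outbound PAT rule below,
! be translated to the outside interface address and never reach the client
! through the tunnel.
!   no-proxy-arp : the firewall must not answer ARP on "inside" for the
!                  pool addresses; otherwise it attracts LAN traffic that
!                  it then cannot deliver and breaks reachability.
!   route-lookup : choose the egress interface from the routing table
!                  rather than from the rule's (inside,outside) pair, so
!                  the rule behaves correctly with more than one inside
!                  interface.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup
!
! Outbound dynamic PAT for Internet-bound LAN traffic (object NAT). Manual
! NAT rules are evaluated in Section 1 ahead of object NAT in Section 2,
! so the exemption above always matches first for VPN-bound traffic.
object network INSIDE_LAN
 nat (inside,outside) dynamic interface
!
! Checks: "show nat" should list the exemption before the PAT rule with a
! rising translate_hits counter while a client talks to the LAN, and
! "packet-tracer input inside tcp 10.1.0.10 1234 10.200.0.5 445" should end
! with the untranslated address and an ALLOW result.
```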

Firepower Threat Defense Summary
Power Internet Edge and Branch WAN Platform
• Powerful Threat Defense Capabilities
• Advanced Site to Site VPN and routing protocol support
• AnyConnect Remote Access
Flexible Deployment | Robust NGFW Feature set | Unified Management

Cisco Spark
Ask Question, Get Answers
www.ciscospark.com
Use Cisco Spark to communicate with the speaker after the event!
What if I have a question after visiting Cisco Live? ... Cisco Spark
*Get the Cisco Spark app from iTunes store or Google Play store
1. Go to the Cisco Live Mobile app
2. Find this session BRKSEC-2050
3. Click the join link in the session description
4. Navigate to the room, room name = Session ID
5. Enter messages in the room
cs.co/ciscolive/#session ID
E.g: session ID = BRKSEC-2050
Spark rooms will be available until Friday 17 November 2017
Complete Your Online Session Evaluation
• Give us your feedback about the session you just joined
• Complete your session surveys through the Cisco Live mobile app:
https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app (English)
https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app (Español)
• or from the Session Catalog on CiscoLive.com/latam.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Thank you
