FJBT Network Security Overview

GSSO Channel Engineering
January 2017
Product Overview
Capabilities
Platform
Management
Sizing
Agenda Licensing
Evolution of Firepower and ASA
March 2016
September 2014 Firepower Threat Defense
ASA with Firepower Services
FOR the ASA-5500-X,
ON the ASA-5500-X and FP-4100, and FP-9300
ASA-5585-X
October 2013
Firepower AND
ASA
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Relevant Terminology
Firepower Threat Defense (FTD)
Unified codebase software image
ASA with FirePOWER Services
Two managers, full firewall feature set
Firepower 4100 Series and 9300 Appliances
Brand for new hardware product offerings. Can run FTD or ASA
Firepower Next-Generation Firewall (NGFW)
FTD + Hardware or Virtual appliance
Firepower Management Center (FMC)
Formerly FireSIGHT Management Center, Defense Center
Converged Software Firepower Threat Defense
New Converged Software Image:

Firepower Threat Defense
Contains all Firepower Services plus
select ASA capabilities
New
Single Manager: ASA Features
Firepower Management Center*
Same subscriptions as FirePOWER

Services, enabled by Smart Licensing: FirePOWER
Threat (IPS + SI + DNS)
Malware (AMP + ThreatGrid)
URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)
The industry focus has been protecting before, but not
during and after, attacks
Attack Continuum
BEFORE DURING AFTER
Typical NGFW Silos
Enable applications
IPS URL GAP
DDoS Sandbox
Incident
Response
What does Firepower NGFW enable?
Cisco Firepower NGFW
Stop more Gain more Detect earlier, Reduce Get more from
threats insight act faster complexity your network
- Superior - Industry - Detect and - Unified - Enhance security,

effectiveness leading contain rapidly management leverage existing
before, during, visibility, with as quickly as and fewer investments, with
and after automated hours not vendors Cisco and 3rd
attacks and prioritized months party integrations
response
Threat-focused Fully Integrated
Gain more insight
with increased visibility
You cant protect what you cant see
Client applications
Operating systems
C&C
Servers
File transfers Mobile Devices
Threats
Routers & switches
Users Application
protocols
Web applications
Typical IPS Printers
Malware
Typical NGFW Network Servers
VOIP phones
Cisco Firepower NGFW
Reduce complexity with simplified,
consistent management
Unified
Network to endpoint visibility
Manages firewall, applications, threats, & files
Track, contain, recover remediation tools
Scalable
Central, role-based management
Multi tenancy
Policy inheritance
Automated
Impact assessment
Rule recommendations
Firepower Management Center
Remediation APIs
Capabilities
Firepower Capabilities
Overview
Application visibility
Advanced malware protection Security intelligence
& control
Tailor application behavior to reduce Protect against the most advanced forms Block access to known malicious IPs and
attack surface and risk of data loss of malware and remediate after a breach URLs
URL filtering Identity based policy control Next Generation IPS
Restrict access to specific sites and sub- Enforce policy with complete visibility and Superior intrusion detection and threat
sites, as well as categories of sites granular control across the network prevention
Application Visibility and Control (AVC)
Overview
Control port- and protocol-hopping apps that evade Enforce acceptable use policies with granular control over
traditional firewalls applications
Apps
Limit the exposure created by social media applications Use custom application detectors/Open App ID
Enhanced Application Visibility and Control

Cisco database
4,000+ apps

Network & users
1 OpenAppID

2
Prioritize traffic
See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps
OpenAppID Overview
What is OpenAppID?
Application Visibility and Control (AVC) done the right way
An open source application-focused detection language
Enables users to create, share and implement custom application detection
Available for download as an extension of Snort 2.9.7 from http://www.snort.org
Key advantages
New simple language to detect apps
Reduces dependency on vendor release cycles
Build custom detections for new or specific
(ex. Geo-based) app-based threats
Application-specific detail with security events
15
With the smartest threat defense available
Talos
Inspect over 300 insight
III00II 0II00II 0I0I0I0I 0I I0 I00 000II0 I0I0 0II0 00 into
Identify advanced threats quickly with III00II 0II00II I0I0II0II0 I0 I0 I00 00I0 I000 0II0 00
nearly 16 billion
billion emails per
industry-leading threat data and research III00II 0II00II I0I000 0II0 00I0I00 I0 I000I0I 0II 0I0I0I
web requests
day 00I00 I00I0I II0I0I 0II0I I0I00I0I0 0II0I0II 0I00I0I I0 00
each day
II0III0I 0II0II0I II00I0I0 0I00I0I00 I0I0 I0I0 I00I0I00
Receives 1.5 II0II0I0I0I I0I0I0I 0I0I0I0I 0I0I00I0 I0I0I0I 0II0I0I0I
III00II I000I0I I000I0I I000I0I II 0I00 I0I000 0II0
million incoming 200
00 Billion
Get industry-specific threat intelligence malware 00I I0I0I0 I0I0III000 I0I00I0I 0II0I0 I00I0I0I0IThreats000 Blocked
tailored to your business samples daily Daily
0II00 I00I0I0 0I00I0I I00I0I0 I0I0I0I 0I0I0I 0I0I0I0
00I0I0 0I0I0I0 I0I0I00I 0I0I 0I0I 0I0I I0I0I 0I00I0I
Threat Intelligence
Catch advanced threats endpoints miss WWW
with Ciscos threat engineers and analysts
Email Endpoints Web Networks NGIPS Devices
Research Response
Stay protected against the latest threats Jan
with regular updates pushed automatically 250+ Researchers 24 7 365 Operations
Uncover hidden threats in the environment
Advanced Malware Protection (AMP)
c
File Reputation File & Device Trajectory
AMP for AMP for
Endpoint Log Network Log
Threat Grid Sandboxing Threat Disposition

Known Signatures
Advanced Analytics
Fuzzy Fingerprinting Dynamic analysis
Uncertain Safe Risky
Enforcement across
Indications of compromise Threat intelligence
Sandbox Analysis all endpoints
Block known malware Investigate files safely Detect new threats Respond to alerts
AMP for Networks Network File Trajectory
When AMP for Networks is

enabled within FMC users
can see the trajectory of a
file as well as the
disposition of the file, as
well as Patient 0.
18
AMP Everywhere Remote Endpoints
AMP
Architecture Cloud AMP for Endpoints
Threat Grid
AMP on Firepower NGIPS Malware Analysis + Threat AMP Private Cloud
Appliance Intelligence Engine Virtual Appliance
(AMP for Networks)
AMP on Web and Email

AMP on Cisco ASA Firewall AMP for Endpoints Security Appliances
with Firepower Services
CWS/CTA
AMP on ISR with Firepower AMP on Cloud Web Security

Services and Hosted Email
CentOS, Red Hat

Windows OS Android Mobile Virtual MAC OS Linux for servers
and datacenters
AMP for Endpoints can be

launched from AnyConnect
URL Filtering
Block specific URLs Restrict categories of URLs Reputation filtering
Gambling
bad_url.com Social Media -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10
office365.com Health
Gaming Who What Where
Drug Use
How
Restrict access to specific sites and subsites Filter out over 280 million URLs based on Blocks malicious websites based on who,
any of the 80+ categories into which they are what, where, how and when
grouped
Block or Allow Access to IPs or URLs
Security feeds 3rd Party
00100101101
01001010100
URL | IP | DNS URL Database
NGFW
Filtering Safe Search

Allow Block
Allow Block
DNS Sinkhole Category-based

Policy Creation Admin
Classify 280M+ URLs Filter sites using 80+ categories Manage allow/block lists easily Block latest malicious URLs
Identity Based Policy Control
Integrates with Cisco Identity Services Engine
Gain awareness of everything hitting your network
Provide access consistently and efficiently
Relieve the stress of complex access management
ISE
See and share rich user and device details Who
Improve your Cisco security and network solutions What

Strengthen your non-Cisco security solutions
Make better decisions with user and device insights
Where
How
Stop threats from getting in and spreading
Ease security policy setting
Limit unnecessary network exposure
Prevent threats from compromising your network in real
time
Rapid Threat Containment
Automatically Defend Against Threats with FMC and ISE
Corporate user Cisco security FMC detects Based on the new Device is
downloads file, not sensors scan the flagrantly suspicious policy, network quarantined for
knowing its actually user activity and file and alerts ISE. enforcers remediation or
malicious downloaded file. ISE then changes automatically mitigationaccess
FMC aggregates the users/devices restrict access is denied per
and correlates access policy to security policy
sensor data suspicious
Intrusion Prevention (IPS)
Protect the network more effectively
Impact 1 www

Impact 2
Impact 3
NGIPS automatically correlates information Compares baseline network behavior to

Blended threats and attacks coming through
from intrusion events with network assets to actual behavior and highlights abnormal
multiple vectors are quickly identified
prioritize threat investigation activity
Reduce IT management burden
Policies can be updated automatically based on Admins can make adjustments to policies and system
vulnerabilities and previous intrusion events settings across locations from a single, central location
Speed Impact Assessment and Response
Administrator
Correlates all intrusion events Impact Flag
Action
Why
to an impact of the attack against the target
Event corresponds
Act immediately;
1 vulnerable
to vulnerability
mapped to host
Relevant port open

Investigate; or protocol in use,
2 potentially vulnerable but no vulnerability
mapped
Good to know; Relevant port not

3 currently not
vulnerable
open or protocol
not in use
Good to know; Monitored network,

4 unknown target but unknown host
Good to know;
0 unknown network
Unmonitored network
Streamline Operations
Recommend Rules to Improve Defenses
Indications of Compromise (IoCs)
IPS Events Security Intelligence Malware Events

Malware backdoors Connections Malware detections
Exploit kits to suspect Office/PDF/Java
Web app attacks IP, DNS, URL compromises
CnC connections Malware executions
Admin privilege escalations Dropper infections
IOC Data In Context Explorer
Uncover Hidden Threats at the Edge
SSL decryption engine
SSL Enforcement
NGIPS and AMP AVC https://www.%$*#$@#$.com
decryption engine decisions
https://www.%$*#$@#$.com
https://www.%$&^*#$@#$.com
gambling
https//www.%$*#$@#$.com
https://www.%$&^*#$@#$.com elicit
Encrypted Traffic Log
Decrypt interesting traffic Inspect deciphered packets Track and log all SSL sessions
Secure Remote Access for
Mobile User
Secure access using FP2100 ISP
Secure SSL/IPSec AnyConnect access to corporate
network
Easy RA VPN Wizard to configure AnyConnect Internet Edge
Remote Access VPN
Advanced Application level inspection can be
enabled to enforce security on inbound Remote
Access User data.
AMP / File inspection Policy to monitor roaming user
data. FP2100 in HA
Monitoring and Troubleshooting to monitor remote
access activity and simplified tool for troubleshooting.
Campus/
Private
Network
Private Network
Secure Connection with
Branch Office
Secure Connection with Branch Office
Simplified IPSec Wizard for Site to Site VPN
Configuration
Advanced Application level inspection can be ISP
enabled VPN traffic of Partner and Vendor Network.
IPSec VPN
Prefilter policy to bypass Advance inspection and
improve performance. Edge Router
Authentication supports both Pre-Share Key and
PKI.
Branch Office Deployment to secure connection with FRP2100
Head Office. Failover
Monitoring and Troubleshooting to monitor remote
access activity and simplified tool for troubleshooting.
Platform
Firepower Threat Defense (FTD) Software
Firepower (L7) Firepower Threat Defense

Threat-Centric NGIPS
AVC, URL Filtering for NGFW Full Feature Set Single Converged OS
Advanced Malware Protection
ASA (L2-L4)
L2-L4 Stateful Firewall
Scalable CGNAT, ACL, routing Continuous Feature Firewall URL Visibility Threats
Application inspection Migration
Firepower Management Center

(FMC)*
* Also manages Firepower Appliances and Firepower Services (not ASA Software)
Feature Comparison: ASA with Firepower Services and
Firepower Threat Defense (6.2)
Features Firepower Threat Defense Firepower Services for ASA

Routing (OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR (OSPF, BGP, EIGRP, static, RIP,
via FlexConfig) Multicast)

SIMILARITIES
NAT
OnBox Management
HA (Active/Passive)
Clustering (Active/Active)
Site to Site VPN
Policy based on SGT tags
Unified ASA and Firepower rules and

objects
DIFFERENCES
Hypervisor Support
(AWS, VMware, KVM, Azure)
Smart Licensing Support

Multi-Context Support * 6.X (Roadmap) 2HCY17
Remote Access VPN *6.2.1 (Roadmap) 1HCY17
Note: Not an exhaustive feature list
Cisco Firepower Next-Generation IPS (NGIPS)
Fail to wire
capabilities, Linear
scalability
Industry-best Intrusion Prevention Unparalleled Performance

Real-time Contextual Awareness and Scalability
Full Stack Visibility Easily add Application Control,

URL Filtering and Advanced Malware
Intelligent Security Automation with Firepower
Protection with optional subscription
licenses
Cisco Firepower NGIPS Platform
All appliances include:
Integrated lights-out management
Firepower acceleration technology
LCD display
IPS Performance and Scalability
AMP 8150
2 Gbps, All Services Enabled
AMP 7150
500 Mbps, All Services Enabled
Firepower 8300 Series
15 Gbps 60 Gbps
AMP 8300 Series

5 Gbps 20 Gbps
Firepower 8100/8200
2 Gbps - 10 Gbps
Firepower 7120/7125/8120
NGIPSv
1 Gbps - 2 Gbps
500 Mbps 1 Gbps
50 Mbps 250 Mbps
SOHO Branch Office Internet Edge Campus Data Center
Cisco ASA and Firepower Platforms
FP 2100
FPR 2100Series
Series FPR 4110, FPR 4120 FPR 9300 -SM-24
ASA 5506-X
FPR 4140, FPR 4150 FPR 9300 -SM-36
FPR 9300 -SM-44
ASA 5508-X
ASA 5516-X
ASA 5585-X SSP10
SSP20, SSP40, SSP60
ASA 5555-X
ASA 5515-X ASA 5545-X
ASA 5505 ASA 5512-X ASA 5525-X FTDv NGIPSv
SMB/SOHO Branch Internet Edge Data Center Large Enterprise and SP
Software Support by Platform
Firepower
Firepower Threat Firepower ASA
Services
Defense NGIPS Firewall
on ASA
Old (Series 2) Firepower Appliances

ASA Low-end (5506/08/16) (reimage)
ASA Mid-Range (5512/15/25/45/55) (reimage)
ASA High-end (5585 SSP-10/20/40/60)
Firepower 4100, 9300 (SSP 3RU - SM-24/36)
VMware
AWS
ASA to FTD Migration Information
FTD 6.1 Migration Information:
https://cisco.app.box.com/v/CiscoSecurityTools
with a password of BDA123$%
Available to Cisco Advanced Services, Sales Engineers,
and Partners only.
Migrate policy settings from Firepower Services

for ASA to a Firepower Threat Defense
ASA: http://www.cisco.com/go/asa
FTD: http://www.cisco.com/go/ngfw
Migrate an ASA configuration to a new

Firepower Threat Defense device, or to the
original ASA device after refreshing it as a
Firepower Threat Defense device. Link to the video walk through: FTD best practices
Techtorial 2 of 2 - SEVT - Security
ASA to FTD Migration Tool: https://salesconnect.cisco.com/open.html?c=664b6ae1-
373f-459e-8e08-abb4c215bc01
https://communities.cisco.com/docs/DOC-
69629
Management
Simplify management with an easy, unified approach
Firepower Device Firepower Management Cisco Defense

Manager Center Orchestrator (CDO)
Enables easy on-box Enables comprehensive Enables centralized

management of security administration cloud-based policy
common security and and automation of management of
policy tasks multiple appliances multiple
deployments
ASA Software Management
Cisco Security Manager Cisco Adaptive Security Device

(CSM) Manager (ASDM)
Comprehensive policy GUI tool used to manage

management for firewall, VPN, the Cisco ASA security
and IPS on heterogeneous appliances
devices (Cisco ASA, IPS, ISR,
and ASR)
On-box Vs. Off-box Comparison at 6.2
Firepower Management Center Firepower Device Manager
(Off-box) (On-box)
NAT & Routing

Access Control
Intrusion & Malware
Device & Events Monitoring
Site to Site VPN
Security Intelligence In Roadmap
Other Policies: SSL, Identity, Rate Limiting (QoS) etc. In Roadmap
Active/Passive Authentications In Roadmap
Threat Intelligence & Analytics NCP
Risk Reports NCP
Correlation & Remediation NCP
Easy Device Setup
=> Detailed => Optimized for SMBs => Not Present NCP => No Current Plan
Available only for Firepower Threat Defense Software (FTD)
Cisco Defense Orchestrator
Ciscos vision for managing a wide range of security solutions
Simple
Cisco Defense
Manage next-gen protection through a single interface
Orchestrator
Orchestrate security policy management from one place
Build security policy templates that help to apply consistent security policy
across all branches
Efficient
Enable security experts to craft policy templates to be deployed by any
member of your team
Use simple search-based management to quickly see how policies are
enforced across devices
Leverage automatic layer 7 protection
Effective
Design and deploy policy uniformly
Uncover and remediate unplanned changes
Extend protection to the application layer
Cisco Defense Orchestrator Tech Talk, Recorded on, 1/11/17: https://communities.cisco.com/docs/DOC-30977

CDO Security Platforms Supported Today!
UMBRELLA
All ASA Umbrella

ASA with Firepower
Series Firewalls
All ASA Platforms AMP-URL-IPS Onbox

4100/9300 Supported 5506-5555
AWS/Azure Lots More To Come In
* ASA Image Only on 5585* 2017!
* Requires 8.4 Code or FTD on the Roadmap
greater * ASA Image only on 4100-
9300 Appliances *
Note: Cannot be used concurrently with FMC

FMC Appliance
Legacy Appliances
DC750 FS2000 FS4000
4-Core Xeon 6-Core Xeon 2x10-Core Xeon

2G RAM 64G RAM 128G RAM
8 GB 64 GB 128GB
2 x 1 Gbps, NIC 2 x 1 Gbps, 2 x 10 2 x 1 Gbps, 2 x 10
2000 events per Gbps (optional SFPs Gbps (optional SFPs
second event rate available in available in
Cisco Commerce) NIC Cisco Commerce) NIC
12,000 events per 20,000 events per
second event rate second event rate
FMC Appliance Refresh
New FMC Platforms
FMC1000 FMC2500 FMC4500

Refreshes DC750 Refreshes FS2000 Refreshes FS4000
Intel E5-2620E CPU 2 Intel E5-2620E CPUs 2 Intel E5-2640E CPUs

32G RAM 64G RAM 128G RAM
2 900G 10k RPM HDs 4 600G 10k RPM SAS 6 800G SAS SSDs
(RAID 1) drives (RAID 5) (RAID 6)
Built-in dual-port 1G Dual-port 10G NIC (in Dual-port 10G NIC (in
NIC addition to built-in dual addition to built-in dual
2000 events per 1G NIC) 1G NIC)
second event rate 12,000 events per 20,000 events per
second event rate second event rate
Sizing
NGFW Performance and Size
Why it matters?
Impact a Sale
Properly sizing a NGFW impacts customer satisfaction
Firewall sizing is based on performance estimates, and sizing and features
determine NGFW solution cost
Product specification sheets do not typically include performance estimates that
are based on real-world traffic characteristics
As with all performance discussions, YOUR MILEAGE MAY VARY!!
Features Enabled
A primary factor affecting

performance is the number and type
of features that are enabled on the
NGFW
Not every feature has the same level of
impact on performance
Understand what features will be enabled
but we must also be able to evaluate the
impact of each feature on performance
NGFW location in a network also affects performance
NGFW location plays a role in determining:

Average packet size the NGFW will process
Amount of inspections to be enabled
Traffic rate, in terms of Packets Per Second (PPS) or Connections Per
Second (CPS)
Size of various rule tables, like IPS rule tables, ACL rule tables,
routing tables etc.
Factors that affect NGFW performance
Data to collect before starting a sizing estimation
Data to collect to most accurately estimate performance are:

Type of traffic the NGFW will process (Mostly DNS or Mostly HTTP etc.)
Average packet size the NGFW will see
Average CPS and PPS numbers
The features the customer will enable
Average number of rules and routes the customer expects
Expected degree of malicious traffic
Amount of analysis and logging
Factors that affect NGFW performance
Understanding the data sheets
Publish performance numbers under 3 main categories

Effect of Features on Performance
Throughput
Maximum concurrent sessions, with AVC
Maximum new connections per second, with AVC
Relationships and recommended use of 3 throughput
measurements
Cisco NGFW Performance Metrics as of September 2016
Publicly published in Data Sheets: 1024 Bytes
450 Byte HTTP Throughput:
AVC and IPS
Impact of enabling URL Filtering
URL Filtering
Impact of Enabling Cisco AMP for Networks
We do not publish in our data

sheets is the performance with
Cisco Advanced Malware
Protection (AMP) for Networks
enabled
The reason we do not publish

this number is because this
feature is specific to Cisco
NGFW and we want to avoid
competitors misusing the
performance number with
AMP.
Firepower 2100 Series Performance
FPR 2110 FPR 2120 FPR 2130 FPR 2140
Throughput FW
+ AVC 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps
Throughput FW
+ AVC + NGIPS 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps
Maximum
concurrent
sessions, with 1M 1.2 M 2M 3.5 M
AVC
Maximum new
connections per
second, with 12000 16000 24000 40000
AVC
Note: Early Performance Numbers

How to measure?
Datasheets generally have some indication of performance. In most
cases this includes the infamous throughput measurement.
The firewall industry almost always publishes a max throughput
number, usually based on a traffic type that is never helpful in
determining sizing of the product.
The IPS industry has generally been more conservative about
throughput estimates on their datasheets, partly because their
performance range is much more variable than firewalls, and partly
because of industry choice.
Open a case with partner help and ask them to utilize the performance
estimator: www.cisco.com/go/ph
https://communities.cisco.com/docs/DOC- https://communities.cisco.com/docs/DOC-70837
69840
Licensing
Cisco Firepower Management Center
Management Center 750, 2000, and 4000 physical appliances or the Management Center virtual
appliance
See Network Security Ordering Guide page on the Security Partner Community for information
on ordering FMCv https://communities.cisco.com/docs/DOC-70838
Management Center hardware is selected based on the firewall configuration deployed and the
number of appliances and events to be monitored
SMARTnet is ordered separately
Firepower Management Center Virtual (FMCv) licensing
Clarification
When ordering FMCv for 5.4 and prior, you purchase on the following SKUs noting that the 2 and 10 device SKUs
are only for ASA 5500 platforms.
FS-VMW-SW-K9 - Cisco Firepower Management Center, (VMWare) for 25 devices
FS-VMW-2-SW-K9 - Cisco Firepower Management Center,(VMWare) for 2 devices
FS-VMW-10-SW-K9 - Cisco Firepower Management Center,(VMWare) for 10 devices
When ordering FMC for 6.0 or later, the guide states that a FireSIGHT license is no longer required. This does NOT
mean that you do not need to purchase the FMCv. You still need to purchase one of the following SKUs which are
Smart License Enabled. These do not come up in a CCW search, but can be added to your ordering by entering the
correct SKU. The 2 and 10 device SKUs can currently be used to manage any FTD device. This is inclusive of
FTDv, 4100, and 9300 unlike the classic 2 and 10 SKUs for for Firepower Services which only support ASA based
systems.
SF-FMC-VMW-K9 - Cisco Firepower Management Center, (VMWare) for 25 devices
SF-FMC-VMW-2-K9 - Cisco Firepower Management Center,(VMWare) for 2 devices
SF-FMC-VMW-10-K9 - Cisco Firepower Management Center,(VMWare) for 10 devices
SF-FMC-KVM-K9 - Cisco Firepower Management Center, (KVM) for 25 devices
SF-FMC-KVM-2-K9 - Cisco Firepower Management Center,(KVM) for 2 devices
SF-FMC-KVM-10-K9 - Cisco Firepower Management Center,(KVM) for 10 devices
Network Security Ordering Guide Page: https://communities.cisco.com/docs/DOC-70838

Firepower Threat Defense Licensing
Structure
Perpetual base License comes with appliance
(IPS / SI / DNS)
URL Filtering
(Networking, Firewall and AVC)
(AMP / TG)
Malware
Threat
Term-based licenses for advanced protection
(Threat, Malware, and URL Filtering)
One (1), three (3) and five (5) year Licensing
terms available
SMARTnet is ordered separately Base (NGFW)
Traditional ASA licenses not needed Blue = Term-based
Green = Perpetual
Licenses required for both elements of HA pair
ASA Firepower Services Packaging
Subscription Packages Component License Name and Features Enabled License Type Fulfillment
Perpetual PAK claim certificate

ships with
Protect License Appliance/Upgrade
(Included) License
Enables Firepower Services
(IPS and AVC Core Functionality)
Perpetual PAK claim certificate
ships with
Control License Appliance/Upgrade
ASA
(Included) License
Firepower
Services
No License!
IPS IPS Subscription Service Contract
(Sold)
PAK claim certificate
Term License
URL Filtering URL Filtering Subscription ships with URL
(Sold) Subscriptions
PAK claim certificate
Malware Term License
AMP Subscription ships with AMP
Protection (Sold) Subscriptions
At least one of the five subscription licenses

must be installed for any
of the Firepower Services to work
Smart Licensing: Key Benefits
Helps customers understand how Cisco Software is used across their network
Limited View
Classic Complete View
Smart
Customers do not know Software, services, devices
what they own. in one easy to use portal.
Manual Registration Automated Registration

Manually register each device with PAK. No PAKs. Easy activation.
Unlock with license key. Product is ready to use.
Device Specific Company Specific

Licenses specific to only one device. Flexible licensing, use across products.
Voice of the Engineer: https://communities.cisco.com/docs/DOC-30718

Migrating Licenses: ASA w/FP to Firepower
Threat Defense
Migrate ASA with Firepower Services to Firepower Threat Defense
licenses at License Registration Portal
Customer needs
Smart Account
Ordering
https://communities.cisco.com/docs/DOC-70838

FJBT Network Security Overview

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

FJBT Network Security Overview

Caricato da

Copyright:

Formati disponibili

GSSO Channel Engineering

New Converged Software Image:

Same subscriptions as FirePOWER

BEFORE DURING AFTER

Typical NGFW Silos

Cisco Firepower NGFW

- Superior - Industry - Detect and - Unified - Enhance security,

Threat-focused Fully Integrated

Typical NGFW Network Servers

Cisco Firepower NGFW

URL filtering Identity based policy control Next Generation IPS

Threat Grid Sandboxing Threat Disposition

When AMP for Networks is

AMP on Web and Email

AMP on ISR with Firepower AMP on Cloud Web Security

CentOS, Red Hat

AMP for Endpoints can be

bad_url.com Social Media -10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 10

Gaming Who What Where

Security feeds 3rd Party

DNS Sinkhole Category-based

See and share rich user and device details Who

Improve your Cisco security and network solutions What

Automatically Defend Against Threats with FMC and ISE

NGIPS automatically correlates information Compares baseline network behavior to

Reduce IT management burden

Relevant port open

Good to know; Relevant port not

Good to know; Monitored network,

IPS Events Security Intelligence Malware Events

Encrypted Traffic Log

Firepower (L7) Firepower Threat Defense

Firepower Management Center

Smart Licensing Support

Industry-best Intrusion Prevention Unparalleled Performance

Full Stack Visibility Easily add Application Control,

AMP 8300 Series

SMB/SOHO Branch Internet Edge Data Center Large Enterprise and SP

Old (Series 2) Firepower Appliances

Migrate policy settings from Firepower Services

Migrate an ASA configuration to a new

Firepower Device Firepower Management Cisco Defense

Enables easy on-box Enables comprehensive Enables centralized

Cisco Security Manager Cisco Adaptive Security Device

Comprehensive policy GUI tool used to manage

NAT & Routing

Cisco Defense Orchestrator Tech Talk, Recorded on, 1/11/17: https://communities.cisco.com/docs/DOC-30977

All ASA Umbrella

All ASA Platforms AMP-URL-IPS Onbox

Note: Cannot be used concurrently with FMC

DC750 FS2000 FS4000

4-Core Xeon 6-Core Xeon 2x10-Core Xeon

FMC1000 FMC2500 FMC4500

Intel E5-2620E CPU 2 Intel E5-2620E CPUs 2 Intel E5-2640E CPUs

A primary factor affecting

NGFW location plays a role in determining:

Data to collect to most accurately estimate performance are:

Publish performance numbers under 3 main categories

We do not publish in our data

The reason we do not publish

Note: Early Performance Numbers

Network Security Ordering Guide Page: https://communities.cisco.com/docs/DOC-70838

Licenses required for both elements of HA pair

Perpetual PAK claim certificate