Firepower NGFW
Deployment
in the Data Center and Enterprise
Network Edge Using FTD
Steven Chimes, Consulting Systems Engineer
BRKSEC-2020
#CLUS
Agenda
• Deploy L3 Firewalls at the Edge
• Interfaces, Routing & NAT
• NGFW Policy Tips/SSL Decrypt
• High Availability
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Cisco Firepower Sessions: Building Blocks (Monday – Thursday)
• BRKSEC-2031
• BRKSEC-2064
• BRKSEC-3030 – Advanced Firepower IPS Deployment
• BRKSEC-3455 – Dissecting Firepower Installation & Troubleshooting (13:30)
• BRKSEC-2066 – Optimizing Your Firepower/FTD Deployment (10:30)
• BRKSEC-2050 – Firepower NGFW Internet Edge Deployment (offered twice)
• BRKSEC-2058 – Deep Dive into Firepower Manager
CLINET (clinet.com) – Cisco LIVE Information Networking Company
• CLINET (clinet.com) is a fictional company created for understanding use cases in FTD firewall deployment.
• CLINET has embarked on a network/security deployment project entitled “The Security 20/20 Project” which serves as the basis for the use case.
• There are ~100 slides we will not cover today.
• Company requirements and configuration examples are based upon real-life customer conversations and deployments.
ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
(figure: Continuous Feature – Firewall, URL, Visibility, Threats)
Firepower Management Centre (FMC)*
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Performance and Scalability (figure)
Models shown: ASA 5506-X, ASA 5506W-X, ASA 5506H-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, Firepower 2110, Firepower 2120, Firepower 2130, Firepower 2140, Firepower 4110, Firepower 4120, Firepower 4140, Firepower 4150, Firepower 9300; FTDv (virtual)
Segments: SMB & Distributed Enterprise | Commercial & Enterprise | Data Centre & Service Provider
FTD Initial Setup
New in 6.2.3!
Management Connections
ASA 5506 – 5555 / Firepower 2100 (1 Management): FTD with Management, Inside and Outside interfaces (figure)
Management interfaces can be placed on the same subnets as data interfaces
Suggested Version: FTD 6.2.3.X
FTD 6.2.3 (now 6.2.3.1) – “FTD SP1”
FTD 6.2.0.2 Policy Apply Improvements
• Introduced snort preserve-connection
• Preserves existing connections on routed and transparent interfaces if the Snort process goes down
• Preserved connections must not be tunneled or proxied (e.g. SSL decrypt, Safe Search)
FTD 6.2.2 Policy Apply Improvements
• Accelerated policy deployment
• Eliminated most Snort restarts due to reconfiguration (e.g. changing AMP policy)
• Eliminated most Snort restarts due to memory reallocation (e.g. enabling/disabling AMP)
Deploying Changes
Changes don’t take effect until you deploy the policy
Management Connections
• FTD is managed by FMC through a management interface.
• The management interface is used only for management and eventing.
• It can be on the same subnet as a data interface or on a separate subnet.
• It is usually placed on the same subnet as the inside interface.
• Management interfaces are not shown on diagrams, but are present.
• Firewall mode is one of the few features configured locally. We will cover modes in
more detail later on.
Configure firewall mode? (routed/transparent) [routed]:
Adding the device in FMC (screenshot callouts): either hostname or IP address; the registration key we used in the CLI; the Add device drop-down.
Firewall Deployment Mode & Interfaces
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – the Firewall is the Router and Gateway for local hosts.
(figure: outside 10.1.1.0/24 with firewall address 10.1.1.1; NAT and DRP on the firewall; inside 192.168.1.0/24 with firewall address 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1)
Routed/Transparent Interface Types
• Standalone Interface – #3 choice
• Redundant Interface – #2 choice
• EtherChannel Interface – #1 choice
(figures: CLINET edge topology – outside connections to ISP-A and ISP-B; FTD interfaces G1/1 and G1/2 (outside), G1/3 and G1/4 as a VLAN trunk carrying VLANs 150 and 151; Edge Aggregation VDC as a vPC pair; DMZ Network (2) (Public Web/DB); no security zone this time on GigabitEthernet1/3)
What is an EtherChannel?
• EtherChannel LAG (IEEE standard is 802.3ad) allows up to 16 physical Ethernet links to be combined into one logical link. 16 links can be active and forwarding data.
• Ports must be of the same capabilities: duplex, speed, type, etc.
• Benefits of EtherChannel are increased scale, load-balancing and HA
• Load balancing is performed via a load-balancing hashing algorithm (src-dst-ip, src-dst-ip-port, etc.) – the figure shows LACP with src-dst-IP (hash) load balance
• EtherChannel uses LACP (Link Aggregation Control Protocol) to allow dynamic bundling and dynamic recovery in case of failure
• Static LAG can be used on non-FXOS platforms, but be aware of the potential traffic black holes this may cause
• vPC can maximize throughput since each port channel is treated as a single link for spanning-tree purposes
• Spanning Tree is not disabled, but does not affect the network
EtherChannel on FTD
• Supports 802.3ad and LACP standards
• Direct support for vPC/VSS (single switch or stack)
• FP2100/FP4100/FP9300 require LACP (“On” mode is not supported)
• Up to 16 active links
• 100Mb, 1Gb, 10Gb, 40Gb are all supported – must match
Port-channel configuration: no security zone on the port-channel because we are using sub-interfaces; no IP on the port-channel itself
Sub-interface configuration: VLAN 120 (repeat 2x for VLAN 2 and VLAN 1299)
Routing on FTD
• FTD performs L3 route lookup as part of its normal packet processing flow (figure: Outside Network – FTD – Inside Network)
• Multicast
• EIGRP (via FlexConfig)
• Complete IP Routing config: http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601.pdf
BGP
• FTD supports BGPv4 with IPv4 and IPv6 for dynamic routing across all platforms
• Standard communities / all path attributes, route redistribution; up to 100K prefixes and 2K neighbors
• Null0 and Remotely-Triggered Black Hole (RTBH) support
• Confederations, route reflectors, tagging, neighbor source-interface, and BFD are not supported
• Non Stop Forwarding (NSF) and Graceful Restart (GR) support in FTD:
• Cisco or IETF compatible for OSPFv2, OSPFv3; RFC 4724 for BGPv4
• FTD notifies compatible peer routers after a switchover in failover
• FTD acts as a helper to support a graceful or unexpected restart of a peer router in all modes
1. Active FTD fails over to standby; the newly active unit initiates OSPF adjacency with the router, indicating that traffic forwarding should continue.
2. Router re-establishes OSPF adjacency with the FTD while retaining the stale routes; these routes are refreshed when the adjacency re-establishes.
3. Primary Route Processor undergoes a restart; OSPF signals the peer FTD to continue forwarding while the backup re-establishes adjacencies.
4. FTD continues normal traffic forwarding until the primary RP restarts, the backup takes over, or the timeout expires.
NAT on FTD
• NAT on FTD is built around objects, with two types of NAT:
• Auto NAT – only the source is used as a match criterion
• Only used for static or dynamic NAT
• When configuring, it is configured within a network object (internally)
• The device automatically orders the rules for processing:
• Static over dynamic
• Quantity of real IP addresses – from smallest to largest
• IP address – from lowest to highest
• Name of network object – in alphabetical order
• Manual NAT
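As an added illustration (not code from the session or from Cisco), the following Python models the Auto NAT ordering rules listed above as a sort key, so you can predict which rule a given source address hits regardless of the order in which the rules were created. The rule objects, the RFC 5737 / private-range addresses and the `first_match` lookup are constructed for this example; Manual NAT, the second type, is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AutoNatRule:
    """One Auto NAT rule, as defined inside a network object (fields constructed for this example)."""
    object_name: str
    real_network: str   # real (pre-translation) source, e.g. "10.1.1.5/32" or "10.1.1.0/24"
    mapped: str         # translated address or pool (not used by the ordering logic)
    nat_type: str       # "static" or "dynamic"

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.real_network, strict=False)


def auto_nat_sort_key(rule: AutoNatRule):
    """Ordering precedence from the slides: static before dynamic, then fewest real IPs,
    then lowest real IP, then object name alphabetically."""
    net = rule.network()
    return (
        0 if rule.nat_type == "static" else 1,
        net.num_addresses,
        int(net.network_address),
        rule.object_name.lower(),
    )


def order_auto_nat(rules):
    """Return the rules in the order the device would evaluate them (creation order is irrelevant)."""
    return sorted(rules, key=auto_nat_sort_key)


def first_match(rules, src_ip: str) -> Optional[AutoNatRule]:
    """Auto NAT matches on source only: return the first ordered rule whose real network contains src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for rule in order_auto_nat(rules):
        if addr in rule.network():
            return rule
    return None


# Constructed sample rules, deliberately listed in a "wrong" creation order.
SAMPLE_RULES = [
    AutoNatRule("inside-net", "10.1.1.0/24", "203.0.113.1 (PAT)", "dynamic"),
    AutoNatRule("dmz-net", "192.168.1.0/24", "203.0.113.2 (PAT)", "dynamic"),
    AutoNatRule("app-subnet", "10.1.2.0/25", "203.0.113.128/25", "static"),
    AutoNatRule("legacy-host", "10.1.1.20/32", "203.0.113.11", "static"),
    AutoNatRule("web-server", "10.1.1.5/32", "203.0.113.10", "static"),
]


if __name__ == "__main__":
    for r in order_auto_nat(SAMPLE_RULES):
        print(f"{r.nat_type:8} {r.real_network:18} -> {r.mapped:18} ({r.object_name})")
    # The /32 static rule for 10.1.1.5 wins over the broader dynamic inside-net rule,
    # even though inside-net was created first.
    print(first_match(SAMPLE_RULES, "10.1.1.5").object_name)
```

The practical point is that a host-specific static rule can never be shadowed by a broader dynamic rule for its subnet, whatever order an administrator created them in; when a translation looks wrong on a device, comparing the object name, real-network size and lowest address against this precedence is quicker than guessing.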
Manual NAT Use Case
Static NAT: 192.168.1.10 to 128.107.1.242; 192.168.1.155 to 128.107.1.155
Manual NAT Rules – easy to understand NAT logic
FTD NGFW Policy Tips
• Criteria can include zones, networks, VLAN tags, applications, ports, URLs and SGT/ISE attributes
• The same Access Control Policy can be applied to one or more devices
• Complex policies can contain multiple rules, inherit settings from other access control policies and specify other policy types that should be used for inspection
Block response page: displays the block page over HTTP
Access Control Policy Use Case #1 – Applications
Allow MS SQL from inside to pubdmz
Access Control Policy Use Case #1 – Logging Tab
Allow MS SQL from inside to pubdmz
Logging Considerations for Large Deployments
(figure: data centers Americas – DC #1, Americas – DC #2, EMEA – DC #1, EMEA – DC #2, APJC – DC #1)
1 FP4150 = 200K CPS
Policy with full logging: 10x FP4150s = 2M EPS, sent to 1x FMC4500 rated for 20K EPS
Logging Design for Large Deployments
(figure)
FTD → FMC: Security Events
FMC → SIEM: Security Events via Syslog or eStreamer
FTD → SIEM: Connection Events via Syslog
For more, check out:
• Individual rules can be set to generate events, drop and generate events, or disabled
• Layers allow for grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
Application filter (screenshot callouts): freeform search; selecting browser-chrome populates the appropriate filter in the filter bar
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via AMP Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspection for different application protocols, directions and file types.
File policy rule action shown: detection only (no blocking)
Malware & File Policy for Use Case #2 – Rule Added
Block malicious Office, Executable and PDF files transferred over HTTP
• Many actions can be taken on encrypted traffic without decryption by inspecting the
certificate, distinguished name (DN), certificate status, cipher suite and version (all
supported by FTD)
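To make concrete what can be inspected without decryption, here is an added Python example (not from the session and not Cisco's product code) that parses a TLS ClientHello record to pull out the client version, the offered cipher suites and the SNI, then applies a simple policy (minimum version, no legacy suites). The ClientHello bytes are constructed in the block itself by `build_client_hello`, so it runs offline; the cipher-suite numbers are standard IANA values, while the policy thresholds and function names are assumptions for the example. An FTD SSL rule additionally evaluates the server certificate, its DN and status, which this handshake-only parser does not see.

```python
import struct

# Standard IANA cipher suite IDs (not from the slides); legacy suites a policy would flag.
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(sni: str, cipher_suites, client_version: int = 0x0303) -> bytes:
    """Constructed ClientHello (test fixture, not a capture): record header, handshake header,
    version, 32-byte random, empty session id, cipher suites, null compression, SNI extension."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(name_entry)) + name_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext    # extension type 0 = server_name
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # content type 22 = handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the cleartext fields a policy can act on without decrypting anything."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # random
    pos += 1 + body[pos]                        # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods (length-prefixed)
    sni = None
    if pos + 2 <= len(body):
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0x0000:
                name_len = struct.unpack("!H", data[3:5])[0]   # skip list length (2) and name_type (1)
                sni = data[5:5 + name_len].decode("ascii")
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "sni": sni}


def evaluate_client_hello(record: bytes, min_version: int = 0x0303):
    """Policy thresholds are assumptions for the example. Note: a TLS 1.3 client still sends
    0x0303 here and signals 1.3 in the supported_versions extension, which this parser ignores."""
    info = parse_client_hello(record)
    findings = []
    if info["client_version"] < min_version:
        name = VERSION_NAMES.get(info["client_version"], hex(info["client_version"]))
        findings.append(f"client version {name} below minimum")
    for cs in info["cipher_suites"]:
        if cs in WEAK_SUITES:
            findings.append(f"legacy cipher suite offered: {WEAK_SUITES[cs]} (0x{cs:04x})")
    return info, findings


# Constructed samples: a modern client that still offers RC4, and a TLS 1.0 client offering only 3DES.
MODERN_HELLO = build_client_hello("www.example.com", [0xC02F, 0xC030, 0x0005])
LEGACY_HELLO = build_client_hello("legacy.example.com", [0x000A], client_version=0x0301)

if __name__ == "__main__":
    for name, rec in (("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)):
        info, findings = evaluate_client_hello(rec)
        print(name, info["sni"], [hex(c) for c in info["cipher_suites"]], findings)
```

Everything the policy acts on here is read from the cleartext handshake, which is why these checks cost nothing in decryption capacity; they are the natural first tier of an SSL policy before deciding which flows are worth the TLS proxy.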
SSL Decrypt
Technically TLS, but is called SSL throughout the product
• SSL decryption consists of three components (simplistically):
• TLS Proxy
• Session Setup Encrypt/Decrypt (asymmetric key)
• Application Data Encrypt/Decrypt (symmetric key)
• TLS Proxy is always done in software (software only)
• Encrypt/Decrypt can be done in hardware on:
• ASA 5525-X, 5545-X, 5555-X
• Firepower 4100 series
• Firepower 9300 series
Enabling SSL Decrypt in Hardware
Not enabled by default
• If not in the FTD console on a FP4100/FP9300, connect to FTD:
Firepower-module1> connect ftd
Enabling or disabling SSL hardware acceleration reboots the system. Continue? (y/n) [n]: y
Setting Up an SSL Policy
Step #1 – Import Root or Certificates (If Doing Decryption)
Step #3 – Create the SSL Rule
Step #3 – Specify the Criteria
Step #4 – Assign the SSL Policy to the Access Control Policy
Inspection Options (figure)
Access Control Rule – Criteria: All HTTP Traffic; Action: Allow; Inspection: Edge Intrusion Policy, Edge Malware & File Policy, Edge SSL Policy
Access Control Policy Use Case #2 – Applications
Inspect Outbound HTTP/HTTPS Connections (IDS, Malware and SSL)
(screenshot callouts: the intrusion policy we created previously; the rule we just created)
Organizing Access Control Rules
Policy Management – Categories
• All access control policies contain two categories – Mandatory and Default
• Custom categories can be created to further organize rules
• Note – After you create a category, you cannot move it. You can delete it, rename it, and move rules into, out of, within, and around it
Policy Management – Inheritance
• Allows an access control policy to inherit the access control rules from another policy (figure: Global Domain policy inherited by a 2nd Level Domain policy)
Policy Management – Multi-Domain Management
• Multitenancy for the Firepower management console
• Maximum of 50 domains and 3 levels deep (2 levels of child domains)
• Segments user access to devices, configurations and events
• Users can administer devices in that domain and below
• Devices are assigned to a domain
• Primarily for MSPs
(figure: Global Domain → EMEA Domain and Americas Domain → Edge Domain and DC Domain)
• Uses in the Enterprise:
• Force a policy to apply to all firewalls in a domain
• Limit user visibility to only select devices and events
• Delegate admin control while maintaining global visibility/control
Policy Management – Object Overrides
• Allows an object to be reused on multiple firewalls, but with different meanings
• Networks, Ports, VLAN Tags and URLs all support overrides
How Failover Works
The failover link passes hellos between the active and standby units every 15 seconds (tunable from 200 msec to 15 seconds).
(figures: HELLO exchange over the failover and state links; the Secondary FTD shown as active)
Stateful Failover Unsupported Features
• Every feature is supported, except:
• Sessions inside plaintext tunnels
• Inspection after decryption
• TLS Decryption State
• The HTTP connection table
• DHCP client
• DHCP server address leases
• Multicast routing
HA with Interface Redundancy
(figure: Before – any single link failure causes FAILOVER; After, with redundant interfaces – the same link failures still cause no FAILOVER)
Port Channel feature makes this concept somewhat obsolete if switches support VSS/vPC
Deploying Active/Standby Failover – Secondary IPs
Required to send hellos between data interfaces
Edit interfaces to add standby IP addresses for better interface monitoring
Deploying Active/Standby Failover – MAC Address
For stability, set a virtual MAC address (not required functionally, but best set for stability)
Why? Traffic disruption due to MAC address changes:
• If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC addresses. When the primary unit becomes available, the secondary (active) unit changes the MAC addresses to those of the primary.
• If the primary unit is replaced with new hardware, the MAC addresses from the new primary are used.
FTD Clustering
Overview
FTD Clustering Basics
• Designed to solve two critical issues with firewall HA:
• Aggregates firewall capacities for DC environments (bandwidth,
connections/sec, etc.)
• Provides dynamic N+1 stateful redundancy with zero packet loss
FTD Clustering Types with FP9300
FTD Inter-Chassis Cluster
• Cluster of up to 6 modules (across 2 – 6 chassis)
• Off-chassis flow backup for complete redundancy
(figure: two FP9300 chassis, each with a Supervisor and FTD modules forming one FTD Cluster, connected to Switch 1 and Switch 2 via Nexus vPC)
Cluster Scalability – FTD 6.2.3 Example
(figure: from 2 to 6 modules – 54G → 226G throughput, 30M → 108M sessions, 200K cps → 600K cps; 70% avg., 100% with no bandwidth asymmetry*)
Example: 2 Firepower 9300s w/ 6 total SM-44 modules at 54 Gbps → 226 Gbps of throughput
Correct Use of EtherChannels When Clustering with VPCs
(figure: four cluster units 1–4; Nexus 7K vPC pair with VPC PEER LINK)
• Cluster Data Plane: N7K VPC 40, 41, 42, 43 – each VPC identifier on the Nexus 7K is unique
• Cluster Control Plane [Cluster Control Link]: N7K VPC 32 – the control plane of the cluster MUST use standard LACP (local port-channel)
Clustering Roles
Flow Owner
• The unit that receives the connection; registers with the Director
Flow Director
• Backup to the Owner; responds to lookup requests from the Forwarders
• Maintains a copy of state for the individual Owner’s flow
Forwarder
• Receives a connection but does not own it; queries the Director for the Owner
• Forwarders can derive the Owner from the SYN cookie if present (SYN-ACK) in asymmetric scenarios, or may query the Director via multicast on the CCL
(figure: Flow A – Owner, Forwarder, Forwarder, Director)
Note #2: Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs). Cisco does not recommend using ISSUs with clustering.
FXOS Compatibility Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Cisco Verified Switches for Clustering
Supported and Recommended:
• Nexus 7000 (M1, M2, F2 and F3)
• Cisco Nexus 9500, 9300, 6000, 5000
• Catalyst 6800 with Supervisor 2T
• Catalyst 6500 with Supervisor 2T, 32, 720, and 720-10GE
• Catalyst 4500 with Supervisor 8-E
Supported but not recommended for spanned EtherChannel mode:
• Cisco Nexus 7000 (F1)
• Cisco ASR 9000 with RSP 440
• Cisco Nexus 3000
• Catalyst 4500-X
• Catalyst 3850
• Catalyst 3750-X
Reason – Asymmetric load-balancing can cause performance degradation for data throughput on the cluster
Note: Switches must run as a stack, vPC or VSS pair if the cluster EtherChannel spans multiple switches
FXOS Compatibility Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
Cluster Connectivity Preferences
• Firewall on a Stick – #1 choice
• Same Model Switches – #2 choice
• Different Model Switches – #3 choice
Using 2 Different Switches – Switch Port Numbers Matter
EtherChannel RBH values are sequentially allocated in ascending order starting from the lowest numeric line card and port ID.
(figure: switch 1 ports 1/1, 1/2, 1/3, 1/4 in ascending order get RBH values 0,4 / 1,5 / 2,6 / 3,7; switch 2 ports 1/7, 2/1, 5/7, 6/1, also ascending, get the same RBH values 0,4 / 1,5 / 2,6 / 3,7)
For best cluster performance, keep traffic symmetric and off the CCL:
• Use a symmetric hashing algorithm
• Use fixed RBH allocation for EtherChannels, e.g. “port-channel hash-distribution fixed” on Nexus 7K and Catalyst 6500
• Links should be connected in matching ascending order on each switch
Configuring Load Balancing Using Port Channels in Nexus 7000 Series NX-OS Interfaces Configuration Guide:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/interfaces/configuration/guide/b-Cisco-Nexus-7000-Series-NX-OS-Interfaces-Configuration-Guide-Book/configuring-port-channels.html
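The following Python is an added example (not Cisco code) that models the fixed RBH allocation described above: the 8 hash buckets are dealt out to member links in ascending line-card/port order, a symmetric hash picks the bucket for a flow, and the same flow's forward and return packets arrive via two different switches. It then lists the flows whose forward and return paths land on different cluster members, which is exactly the traffic that a Forwarder would have to redirect to the Owner over the CCL. The hash function is a toy stand-in for the switch's src-dst-ip hash, and the port-to-member cabling tables and flows are constructed for the example.

```python
import ipaddress

RBH_BUCKETS = 8  # Result Bundle Hash values 0-7, as on Nexus 7K / Catalyst 6500 port-channels


def port_key(port: str):
    """Sort key for 'slot/port' names: lowest line card first, then lowest port."""
    slot, num = port.split("/")
    return (int(slot), int(num))


def allocate_rbh(ports):
    """Fixed RBH allocation (simplified model): buckets are dealt sequentially to member
    links in ascending slot/port order, so with 4 links 1/1 gets 0,4; 1/2 gets 1,5; and so on."""
    ordered = sorted(ports, key=port_key)
    return {p: [b for b in range(RBH_BUCKETS) if b % len(ordered) == i] for i, p in enumerate(ordered)}


def symmetric_bucket(src_ip: str, dst_ip: str) -> int:
    """Toy symmetric src-dst-ip hash: XOR is order-independent, so the return packet
    (src/dst swapped) hashes to the same bucket as the forward packet."""
    x = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    return (x ^ (x >> 8) ^ (x >> 16) ^ (x >> 24)) & (RBH_BUCKETS - 1)


def egress_port(ports, src_ip: str, dst_ip: str) -> str:
    """Member link the switch picks for this packet under fixed RBH allocation."""
    bucket = symmetric_bucket(src_ip, dst_ip)
    for port, buckets in allocate_rbh(ports).items():
        if bucket in buckets:
            return port
    raise AssertionError("every bucket is allocated to some member link")


def asymmetric_flows(switch_a_cabling, switch_b_cabling, flows):
    """switch_*_cabling maps 'slot/port' -> cluster member. Forward packets enter the cluster
    via switch A, return packets via switch B; a flow is asymmetric when they hit different members."""
    bad = []
    for src, dst in flows:
        fwd_member = switch_a_cabling[egress_port(switch_a_cabling, src, dst)]
        ret_member = switch_b_cabling[egress_port(switch_b_cabling, dst, src)]
        if fwd_member != ret_member:
            bad.append((src, dst, fwd_member, ret_member))
    return bad


# Constructed cabling tables. Switch A and the "matching" switch B connect members in the same ascending order.
SWITCH_A = {"1/1": "fw1", "1/2": "fw2", "1/3": "fw3", "1/4": "fw4"}
SWITCH_B_MATCHING = {"1/7": "fw1", "2/1": "fw2", "5/7": "fw3", "6/1": "fw4"}
SWITCH_B_SWAPPED = {"1/7": "fw2", "2/1": "fw1", "5/7": "fw3", "6/1": "fw4"}  # first two links cabled in reverse

# Constructed flows (client, server).
FLOWS = [("10.1.1.10", "192.168.1.100"), ("10.1.1.11", "192.168.1.100"),
         ("10.1.1.12", "192.168.1.101"), ("10.1.1.13", "192.168.1.102"),
         ("10.1.1.14", "192.168.1.103"), ("10.1.1.15", "192.168.1.104"),
         ("10.1.1.16", "192.168.1.105"), ("10.1.1.17", "192.168.1.106")]

if __name__ == "__main__":
    print(allocate_rbh(SWITCH_B_MATCHING.keys()))
    print("asymmetric with matching order:", asymmetric_flows(SWITCH_A, SWITCH_B_MATCHING, FLOWS))
    print("asymmetric with swapped cabling:", asymmetric_flows(SWITCH_A, SWITCH_B_SWAPPED, FLOWS))
```

With the two switches cabled in matching ascending order every flow's forward and return packets reach the same member; swapping just two cables makes a quarter of the buckets (and therefore roughly that share of flows) asymmetric, all of which then cross the CCL. The same model also shows why the hash must be symmetric: with a non-symmetric hash even perfect cabling would not keep forward and return traffic on one member.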
(figures: flow owner failure – 1. Connection is established through the cluster (Client – Flow Owner – Server, with the Flow Director holding backup state); 2. Owner fails; … 6. Respond through another unit (Flow Forwarder))
FTD Clustering Configuration
Clustering Setup – Firepower Chassis Manager
Steps Involved in Bringing up a FTD Cluster
(figure: cluster test topology – North Zone; VLAN 200 on the vPC, security zone None; Outside VLAN 200; Inside VLAN 201; vPC BVI 172.16.25.86/24; server in VLAN 201)
Clustering Setup – Firepower Chassis Manager
Interfaces All Configured
Name of the
individual device,
not the cluster aka “Image Type” -
ASA or FTD
Images uploaded by the
user into the Firepower
Chassis Manager, make
sure they match across
cluster members
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #1
Port-channel48 is
automatically selected as the
cluster interface if configured
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #1
Chassis ID of the
unit in the cluster
(must be unique)
Key to authenticate
units joining the
Name of the cluster cluster, must be the
to join, must be the same on all devices
same on all devices
Dedicated out-of-band
management port
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 144
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #1
Key to authenticate
the management
connection from FMC
Admin password to
login to FTD locally
Needed for dc-fw.clinet.com
uploading files to
AMP, etc. Routed or
Transparent
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 145
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #1
FTD management
IP, this must work
for communications
to the FMC
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 146
Reference
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 147
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #1
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 148
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #2
Name of the
individual device,
not the cluster
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 149
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #2
#CLUS BRKSEC-2020 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
Clustering Setup – Firepower Chassis Manager: Creating Cluster Member #2 (continued)
• Chassis ID must be different from the other units
Clustering Setup – Firepower Chassis Manager: Creating Cluster Member #2 (continued)
• Key to authenticate the management connection from FMC
• Admin password to log in to FTD
• Hostname dc-fw.clinet.com
Clustering Setup – Firepower Chassis Manager: Creating Cluster Member #2 (continued)
• FTD management IP: change to be unique
• Remaining fields are populated from the pasted config
Clustering Setup – Firepower Management Centre: Creating the Cluster
Cluster Successfully Added
Deploying FTD in Transparent Mode
Why Deploy Transparent Mode?
• Very popular architecture in data center environments
• The existing Nexus/DC network fabric does not need to be modified to employ an L2 firewall
• It is as simple as changing the host(s) VLAN ID
• The firewall does not need to run routing protocols or become a segment gateway
• Firewalls are better suited to flow-based inspection than to packet forwarding like a router
• Routing protocols can establish adjacencies through the firewall
• Protocols such as HSRP, VRRP and GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
• Much faster deployment time for brownfield environments (months vs. years)
Firewall – Transparent Mode
• Firewall functions like a bridge
• “Bump in the wire” at L2
• Only ARP packets pass without an explicit ACL
• Full policy functionality is included – NAT, AVC, NGIPS, AMP, etc.
• Same subnet exists on all interfaces in the bridge group
• Different VLANs on inside and outside interfaces
(Diagram: North Zone, VLAN 200 over VPC, on the Outside interface; Inside interface in VLAN 201; BVI 172.16.25.86/24; server in VLAN 201)
Transparent Mode Configuration in the DC (2 interfaces)
Step 2 – Stitch everything together with a Bridge Group Interface
(Diagram: SVI VLAN200 172.16.25.253 and SVI VLAN200 172.16.25.254 on the switch pair, FHRP 172.16.25.1; North Zone VLAN 200 over VPC on the Outside interface; two interfaces per bridge group; South Zone VLAN 201 on a trunk with allowed VLANs 1,201)
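The two-interface bridge-group design above has a handful of invariants that are easy to get wrong in the FMC GUI (BVI outside the gateway subnet, same VLAN on both sides, or a server-facing trunk that also carries the outside VLAN and so lets hosts reach the gateway without ever crossing the firewall). The following is an added example, not Cisco's code and not from the deck: a plan checker using the CLINET values from the slide. The BridgeGroupPlan structure, the check names and the trunk-bypass rule are this example's own assumptions.

```python
"""Added example (not from the Cisco deck): sanity-check a two-interface
transparent-mode (bridge group) plan before it is pushed from FMC.

Assumptions, not from the slides: the BridgeGroupPlan structure, the check
names, and the rule that the server-facing trunk must not carry the outside
VLAN (if it did, hosts could reach the north-side gateway without traversing
the firewall) are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class BridgeGroupPlan:
    bvi: str                        # BVI address with prefix, e.g. 172.16.25.86/24
    gateway: str                    # FHRP virtual IP on the north-side SVIs
    svi_addresses: List[str]        # physical SVI addresses of the switch pair
    outside_vlan: int               # VLAN on the firewall's outside interface
    inside_vlan: int                # VLAN on the firewall's inside interface
    south_trunk_allowed: List[int]  # VLANs allowed on the server-facing trunk


def check_bridge_group(plan: BridgeGroupPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    bvi = ipaddress.ip_interface(plan.bvi)
    net = bvi.network
    gw = ipaddress.ip_address(plan.gateway)

    # Same subnet on every bridge-group member: BVI, FHRP VIP and SVIs must all
    # sit in one L3 segment, and the BVI must not steal anyone's address.
    if gw not in net:
        problems.append(f"gateway {gw} is not in BVI subnet {net}")
    if bvi.ip == gw:
        problems.append("BVI address collides with the FHRP virtual IP")
    for svi in plan.svi_addresses:
        addr = ipaddress.ip_address(svi)
        if addr not in net:
            problems.append(f"SVI {addr} is not in BVI subnet {net}")
        if addr == bvi.ip:
            problems.append(f"BVI address collides with SVI {addr}")

    # Different VLANs on inside and outside: the firewall is the only bridge
    # between them.
    if plan.outside_vlan == plan.inside_vlan:
        problems.append("inside and outside interfaces must use different VLAN IDs")

    # The server-facing trunk must carry the inside VLAN and must NOT carry the
    # outside VLAN, otherwise hosts can reach the gateway around the firewall.
    if plan.inside_vlan not in plan.south_trunk_allowed:
        problems.append(f"south trunk does not allow inside VLAN {plan.inside_vlan}")
    if plan.outside_vlan in plan.south_trunk_allowed:
        problems.append(
            f"south trunk allows outside VLAN {plan.outside_vlan}: "
            "hosts could bypass the firewall"
        )
    return problems


# Values taken from the CLINET slide above.
CLINET_PLAN = BridgeGroupPlan(
    bvi="172.16.25.86/24",
    gateway="172.16.25.1",
    svi_addresses=["172.16.25.253", "172.16.25.254"],
    outside_vlan=200,
    inside_vlan=201,
    south_trunk_allowed=[1, 201],
)

if __name__ == "__main__":
    for line in check_bridge_group(CLINET_PLAN) or ["plan OK"]:
        print(line)
```

Run it against a plan whose south trunk allows 1,200,201 and the checker reports the bypass; that is the mistake that silently turns a transparent firewall into an optional path.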
Set Cluster Control Link (CCL) MTU
Avoids fragmentation after encapsulation on the CCL
After deploying changes, the cluster status should turn green
Pro-Tip – Set Virtual MAC Addresses
For stability, set the Active MAC address, especially if using non-interface NAT IPs
Not required, but more stable if set. For clustering, only the Active MAC Address needs to be set.
Why? Traffic disruption due to MAC address changes:
• On boot, the MAC addresses of the master unit are used across the cluster. If the master unit becomes unavailable, the MAC addresses of the new master unit are used across the cluster.
• Gratuitous ARP for interface IPs partially mitigates this, but has no effect on NAT IPs.
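Once you decide to set Active MAC addresses, the practical questions are how to pick them and how to avoid a typo that makes one multicast or colliding with a real NIC. The following is an added example, not Cisco's code and not from the deck: it derives one deterministic, locally administered unicast MAC per data interface from the cluster name and validates any address you type in. The derivation scheme (SHA-256 of cluster name and interface name, truncated) and the helper names are this example's own assumptions; the bit rules it enforces are standard MAC semantics (bit 0 of the first octet clear for unicast, bit 1 set for locally administered).

```python
"""Added example (not from the Cisco deck): generate and validate cluster
virtual (Active) MAC addresses, one per data interface.

Assumptions, not from the slides: the derivation scheme (SHA-256 over the
cluster name and interface name, first 6 bytes with the U/L and I/G bits
fixed up) and the helper names are this example's own.
"""
import hashlib
import re
from typing import Dict, List


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_valid_virtual_mac(mac: str) -> bool:
    """A usable virtual MAC is unicast, locally administered and non-zero."""
    raw = parse_mac(mac)
    first = raw[0]
    if first & 0x01:          # I/G bit set: multicast, never valid for an interface
        return False
    if not (first & 0x02):    # U/L bit clear: burned-in range, may collide with a real NIC
        return False
    if raw == bytes(6):
        return False
    return True


def derive_virtual_mac(cluster_name: str, interface: str) -> str:
    """Deterministic per-interface address: same inputs always give the same MAC,
    so a rebuilt cluster keeps the addresses its neighbours already know."""
    digest = hashlib.sha256(f"{cluster_name}/{interface}".encode()).digest()
    first = (digest[0] | 0x02) & 0xFE   # force locally administered + unicast
    return format_mac(bytes([first]) + digest[1:6])


def plan_virtual_macs(cluster_name: str, interfaces: List[str]) -> Dict[str, str]:
    """Return {interface: mac}, refusing duplicates across the data interfaces."""
    plan: Dict[str, str] = {}
    seen = set()
    for ifname in interfaces:
        mac = derive_virtual_mac(cluster_name, ifname)
        if not is_valid_virtual_mac(mac):
            raise RuntimeError(f"derived an invalid MAC for {ifname}: {mac}")
        if mac in seen:
            raise ValueError(f"duplicate virtual MAC {mac} for {ifname}")
        seen.add(mac)
        plan[ifname] = mac
    return plan


if __name__ == "__main__":
    # Constructed sample: the CLINET DC cluster with two data interfaces.
    for name, mac in plan_virtual_macs("dc-fw.clinet.com", ["outside", "inside"]).items():
        print(f"{name:8s} active-mac {mac}")
```

Enter the generated value as the Active MAC address for each interface in FMC; the Standby MAC address is not required for clustering, as the slide notes.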
Alternative Designs
Interfaces Revisited: Optional Interface Modes
• By default, all interfaces are firewall interfaces (routed or transparent)
• Optionally, specific interfaces can be configured for use as IDS or IPS
  • IDS Mode: Inline Tap, Passive, ERSPAN
  • IPS Mode: Inline Pair
Optional FTD Interface Modes
(Diagram: interfaces A–J feeding the Policy Tables: Routed or Transparent interfaces; Passive; an Inline Set made of Inline Pair 1 and Inline Pair 2; Inline Tap)
Inline NGFW
Firewall without Routing or Bridging Interfaces
• Although not a “Firewall” interface, L3/L4/L7 rules can be enforced when using “IPS” interface types (Inline Pair)
• Useful when Routed or Transparent aren’t possible/feasible
• No subinterfaces required for trunks; use “VLAN Tags” in the ACP instead
• Caveats:
  • No NAT / No Routing
  • No strict TCP state tracking
Configuration: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html
Out-of-Band IDS – Multichassis SPAN
When a single Firepower appliance is not enough
• Each device configured as a standalone device
• Cluster not supported, as it requires all firewall ports to be EtherChannels
• On the switch, SPAN destination configured as an EtherChannel
• EtherChannel set to mode “On” (no LACP)
• On the firewall, each port configured as a Passive interface
(Diagram: SW: EtherChannel without LACP; FW: Passive interfaces)
Inline IPS – Passthrough EtherChannel w/ HA
LACP EtherChannel through FTD w/o Symmetric Traffic
• Useful for IPS HA without Clustering
• Same interface configuration as Passthrough EtherChannel w/o HA
• Traffic is automatically symmetric through FTD, since only 1 unit is ever active
• Inline pair interfaces on the Standby HA unit are forced down when not active
• On failure of the Active unit, LACP on the switch:
  • Detects that links on the old Active unit are down and removes those ports from use in the EtherChannel
  • Detects that links to the new Active unit are now up and starts sending traffic across those links
(Diagram: VSS or VPC switch pair with Port-Channel 1 configured on the switch only, passing through an FTD HA pair; the links through the Standby unit are disabled by LACP)
Inline IPS – EtherChannel Termination w/ Cluster
LACP EtherChannel to FTD
• Preferred method of scaling IPS w/ FTD
• Unlike the previous designs, the LACP EtherChannel terminates on FTD
• Traffic is automatically symmetric through FTD, since the Cluster handles any asymmetry
(Diagram: VSS or VPC switch pair; Port-Channel 1 configured on both switch and firewall)
FTD Flow Bypass
FTD Flow Offload
• Trusted flow processing with limited security visibility
• Maximize single-flow throughput and packet rate, minimize latency
• High-performance compute, high-frequency trading, demanding data center applications
• Static hardware-based offload in the Smart NIC for FTD
• Automatically enabled when a rule in the Prefilter Policy uses the Fastpath action
• 20+ Gbps per single flow (TCP/UDP) and 2.9us of 64-byte UDP latency
• Unicast IPv4 TCP/UDP/GRE and VLAN encapsulation only, no CMD/SGT
• FXOS 2.2(1) supports 4 million unidirectional or 2 million bidirectional flows per security module
(Diagram: incoming traffic → Flow Classifier → established trusted flows → Rewrite Engine, all in the Smart NIC)
Flow Offload
• Limited state tracking, NAT/PAT, TCP Sequence Randomization
• 20+ Gbps per single TCP/UDP flow, 2.5us UDP latency, 4M unidirectional/2M bidirectional flows (6.2.2)
FTDv Platforms
• VMware: OVF for vSphere and ESXi; VMware ESXi 5.x, 6.x; E1000, VMXNET3
• KVM: Cisco FTDv qcow2 image; KVM 1.0; Virtio driver
• Public Cloud: Amazon Web Services (AMI in the marketplace); Microsoft Azure
(Diagram: FTDv on a Distributed Virtual Switch across ESXi-1 and ESXi-2, with VM Port-Group A and Port-Group B and VM port-group failover; NIC2/NIC3 and NIC2/NIC4 on a protected vSwitch)
• Use port channels to avoid loops
A Familiar Platform With Advanced Functionality
Output of show running-config on FTD
Security Beta Programs
• Beta Software Access | Product Training | Access to Dev Teams | Test Hardware and Licenses | Bugs Fixed for Release | Influence Product Roadmap
• ASA | NGFW | NGIPS | Firepower Platforms | AMP | CTA | ESA | WSA | ISE | Umbrella
Continuing the Discussion
Complete your online session evaluation at www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue your education: Demos in the Cisco campus | Walk-in self-paced labs | Meet the engineer 1:1 meetings | Related sessions
Thank you
Q&A