Professional Documents
Culture Documents
BRKCRT 2215
BRKCRT 2215
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
BRKCRT-2215
John Wise
Security Instructor
Your Speaker
Security Instructor: Cisco High Touch Delivery
Started with Sourcefire many years back!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKCRT-2215
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Reference Slides
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Firepower Platforms
Dedicated NGIPS
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Cisco ASA 5500-X with FirePOWER Services
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Firepower Threat Defense – 2100 NGFW
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Firepower Threat Defense – 4100 NGFW
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Firepower Threat Defense – 9300 NGFW
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Software Availability
Classic Device 5.x/6.x Firepower Threat Defense (FTD) 6.x
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Managed by the Firepower Management Center
FMC
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Firepower Packet Flow
The better you know
the packet flow,
the
more Firepower success
and the
less
Firepower stress
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Firepower Security Inspections
• Inspect, Block,
Store files
• Detect and
Block known or
suspected
Malware
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Firepower Threat Defense Packet Flow
Firepower OS
ASA OS (Lina)
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Network Discovery
Firepower Network Discovery
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
What is Network Discovery?
To Build
Host
Profiles
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Is Your Network Discovery Policy Defined?
Firepower will automatically build Host Profiles Based on your Network Discovery Policy
When you define this, Firepower builds these
automatically
Network Vulnerabilities
Discovery
Services Protocols
Policy
Applications Ports
Operating Systems
Managed Device
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Network Discovery Policy Processing Order
Discovery occurs here
Intrusion
Policy
If traffic does not reach this inspection point no discovery information is captured!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Firepower Threat Defense Packet Flow
Network discovery occurs here
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Enabling Network Discovery Policy
You must go in and define this
policy to match your protected network
Caution! Not defining your Network Discovery Policy can cause you to
exceed your host limits!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Define By Discover And Exclude
This is how
you enable
• Discover – build host profile information Network
• Your internal network – what you are protecting Discovery
• Note: Prior to 6.x this was on by default
• Exclude – don’t build host profile information
• Load Balancers, NAT Devices, anything you don’t want to build host profiles on
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Network Discovery Discover Rule
Notice only Private IP spaces? This has been changed to represent
only internal IP addresses. By default its all IPs, and you need to
change this! Otherwise you will build host profiles for public hosts.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
ACP Allow Rule
Mistakes
Access Control Policy
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
URL Filtering
URL Filtering
Category Reputation License
required!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
URL Filtering– How does it work?
URL Database
• Ensure you have a URL Filtering license and
enable it in the FMC
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
URL Filtering with SSL
URL Filtering For Well-Known Sites
Consider not decrypting well—known sites
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
URL Filtering To Prevent Decrypting Financial
Do not decrypt Financial websites
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
URL Filtering For Uncategorized Websites
Decrypt all uncategorized websites
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
URL Filtering with Security Inspections
Uncategorized websites are suspicious – consider inspecting for malware
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Easy mistake to make!
Do not overlook assigning an IPS policy to ALLOW rules
• Voice Traffic
• Backup Traffic
• Scanner Traffic
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Why Trust?
• Certain types of traffic can cause issues in Firepower:
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Fast Path
Try to ‘Fast Path’ Trusted Traffic
You can also block at this point in the flow on certain platforms
Fast-pathed traffic is
trusted BEFORE all security
inspections and SSL
decryption
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Fast Pathing on Different Platforms
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Fast Path on the ASA with FirePOWER Services
Fast Path is done on
the ASA, not in
FirePOWER
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Fast Path on the 8000 Series Appliance
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Rule Promotion in FirePOWER 7000/8000 Series
BLOCK and TRUST ACP rules can be Promoted, which will allow
Firepower to process the traffic in hardware
VLAN
Security
Zone
IP
Port
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
How to Promote Rules on the 7000/8000 Series
They must: Example:
1. Trust or Block Action The first two rules will be promoted
2. Contain only IP, Port, VLAN, Sec Zone conditions
3. Be placed above all other rules
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Promoted Rule Processing
The rules are promoted and processed here once you deploy the Policy
In the GUI, however, you will still see the rules in your ACP
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Fast Pathing with Firepower Threat Defense
FTD has a Prefilter Policy, which uses
limited outer-header criteria to fast
path traffic
You can Trust and Block here, using the same network-based
conditions. In addition, you can also log the traffic.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Prefilter Policy in FTD
Prefilter Policy in
GUI
Action of Fastpath
for trusting
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Firepower Threat Defense Packet Flow
Prefiltering
occurs here
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Connection Events
Managing Connection Events
You manage the bulk of your Connection Events in your Access Control Policy
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Connection Event Logging
In Firepower, a ’Connection Event’ is any packet seen going through the device.
All events are
FMC stored here
‘Event Viewer’ refers to your FMC
Event
data
Managed
Device
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Logging Options
Should I log at beginning or the end?
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
EStreamer
EStreamer is Firepower’s proprietary tool for streaming events to a SIEM
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
You Will Need to Tune Connection Events
In most environments you do not have the option to log every connection
Logging all connections
can result in performance
WHY? issues on your FMC and
unrealistic retention times
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Tune Using an Access Control Policy Rule
Use your ACP rules to create rules to tune connection logging
Every ACP rule allows you to specify
To turn logging off simply
logging options!
select no options under the
logging tab
Choose ‘Log at
End’ unless you are
tying this to an
event you wish to
see immediately
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
DNS No Logging Rule Example
DNS request rule to reduce logging
Connection logging is off
Notice you are still
sending this traffic
through SNORT (your
Intrusion Policy)
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Database Settings in Your FMC
You can adjust the retention amount in your FMC
Under System-Configuration-Database you can
adjust how many events you retain…
Caution! It is not
recommended to
change these
settings unless
recommended by
support!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Malware and File Policy
Strategies
Malware and File Policy Inspection
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Mapping ACP to Your Malware and File Policy
Map your Access Control Policy to the Protocols to the Malware/File Policy
Intrusion
Policy Malware/File
Policy
SafeSearch YouTube
EDU Logging
Application Protocols
available in your
Malware/File Policy
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Malware Blocking Behavior
Test the behavior when Blocking Malware in Email Protocols
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
File Storage This stores the
File on the
Don’t be overzealous with storing files Managed Device,
and selecting all
The 8000, 2100/4100/9300 all have an optional Malware Storage Pack for this!
might over-
burden the
device
Consider
instead storing
only Unknown
so you can
submit them
later for
analysis
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Misc. Firepower SNORT
Settings
SNORT Misc Settings
A few settings are configurable to deal with potential latency issues
within SNORT
• Available in all
Classic Device
versions
• Available in FTD
effective 6.2.1
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Automatic Application Bypass Settings
Disabled by Default
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Automatic Application Bypass Alerting
The Health Monitor can alert you to AAB events
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
SNORT Performance Thresholds
Firepower has two threshold settings
Latency-Based Rule-Based
These are found in
the Access Control
Policy Advanced
Prevents latency for packets Prevents SNORT Tab!
going through SNORT rules from
causing latency
Disables and re-
enables SNORT rules
automatically when
thy are causing
Note: These are set by default issues
and Cisco does not
recommend you change these
in most environments
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Latency Threshold Alerting
By default you are not alerted when these are triggered
Consider alerting on these – select the ‘Generate Events’ to
generate an Intrusion Event
Packet-
latency time
exceeded
Rule disabled
Rule re-
enabled
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Intrusion Policies Manage Your SNORT Rules
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Understanding Base Policies
Base Polices are provided for you by Cisco Talos
These are also updated for you regularly during Rule Updates
Base Policies
Connectivity Balanced Security Security
over and over
Security Connectivity Connectivity
-1,000 rules enabled +- 8,000 rules enabled +- 12,000 rules enabled
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Intrusion Policy Key Points to Remember
For each Managed Device, you can have only one ACP, however:
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Less Common Base Intrusion Policies
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Firepower Recommendations!
Disable Enable
SNORT
No CVE seen in CVE seen in host Rules
Host Profiles? Turns profile but rule is
rule with this CVE off? Turns rule with
OFF. this CVE ON.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Firepower Recommendations Gone Wrong
Scenario 1:
• Network Discovery ON, but left to Any/Any for Discovery (the default)
• Remember this MUST define only your protected network, and all of the network spaces you are protecting
What would happen? It would enable rules that are not part of your network, and would likely
oversubscribe the box
Scenario 2:
• Network Discovery ON, but host profiles are not identifying host information correctly because
of Asymmetric Routing
• If Firepower does not see all parts of the conversation, it cannot properly identify host data,
and would cause this feature to be completely inaccurate
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Firepower Recommendations Tips
Make sure this
matches your
Network Discovery!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Variables
Variables Used in your Intrusion Policy
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Variables in your SNORT Rules
Rule Header
Rule header determines what traffic the enabled rules will run against
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
1) Packet
Variables in the Flow matches
2) It’s an
’Allow’ rule,
the ACP and sends the
rule traffic to the
specified
Intrusion Policy
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Your Default-Set
In your Objects, you will find your ‘Default-Set’ Variable set. This is what is used for all
variable definitions unless otherwise specified.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
HOME_NET Variable Tuning
You will need to ensure you have
defined HOME_NET
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
How to Define HOME_NET Variable
Define Your
HOME_NET as all
RFC1918 Private IP
spaces and any
public spaces you
own
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
EXTERNAL_NET Variable
EXTERNAL_NET is
defined as ‘any’ by
default
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Defining EXTERNAL_NET
It is typical to define this
as !HOME_NET which
excludes these networks,
but doing so can result in
missing attacks!
If it is an internal to internal attack, the rule will not be run against that traffic!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Consider Two Definitions of EXTERNAL_NET
This variable set will be for all This variable set will be for external to
internally sourced traffic internal traffic
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Externally Sourced Traffic EXTERNAL_NET
Security Zones to identify externally sourced traffic
The EXTERNAL_NET
definition is excluding
HOME_NET
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Internally Sourced Traffic EXTERNAL_NET
Security Zones to identify internally-sourced traffic
The EXTERNAL_NET
definition is left to ANY for the
Default Set
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Advanced Variable Tuning Caution
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Tuning False Positives
False Positive Intrusion Events
Most false positives occur here… with SNORT rules firing on traffic that is
determined to not a security concern
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
False Positive Tuning
SNORT rules can generate False Positives
Remember and Intrusion
Event comes from
SNORT, and is either a
SNORT or Preprocessor
rule.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
False Positive Example
You can’t change how the
Consider this example:
application operates, so you
A server at 10.2.2.3 has an in- need to address the rule is
house application triggering a breaking the application.
SNORT rule that drops the packet
and breaks the application
X
SNORT drops
the packet 10.2.2.3
because it
Internet matched the
rule
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
False Positive Option 1
Suppress or Threshold the event
FMC FMC
Intrusion Event
generated and
sent to FMC
when SNORT Suppression
rule fires
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
False Positive Option 3
Disable the Rule
Unless this rule does not apply to your environment, this is clearly not a viable option
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
False Positive Option 4
Use your ACP and a new Intrusion Policy to fix this
Here you see a rule written
just for the traffic destined to
that server
Technically this
solution would
work, but is not
what Cisco
recommends!
A big solution to a
small problem.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
False Positive Option 5
Rewrite the SNORT rule
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
False Positive Option 6
Write a Pass Rule
A Pass Rule is a rule designed match on specific traffic conditions that when
met, pass the respective packet through SNORT.
Pass rules are
processed first!
Intrusion Intrusion
Pass Rules Rules
A Pass rule can be written to identify just the traffic destined to that server, and if it
matches the rule, it passes the traffic through SNORT without being inspected by the
other rule that was dropping the packet.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Steps to Writing a Pass Rule
Identify the SNORT Rule causing the issue
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Identify the Rule Header
The rule header is what we change in writing a pass rule
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Identify the Rule Header Modification Needed
The header destination IP is what needs to be changed in our example
Change the destination to the IP or subnet you wish to ‘pass’
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
Locate the Rule in your FMC
Remember all your SNORT rules are in your FMC
Click ‘edit’
SID is 40134
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
Change the Rule Header to Match as Required
Changing the action to pass
puts the rule in the pass
area of SNORT and will be
processed before any alert
rules!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
Find The Rule in Your Intrusion Policy
All imported and created
rules are stored in Local
Rules
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
Set The Rule to Generate Events
1’st Select ‘Rule State’
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
Optionally Add a Suppression
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
Use a New Variable For Frequent Changes
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
Commit Changes and Deploy
Once deployed traffic destined to that IP that matches the rule will be
processed by the Pass rule, and will not match on the unmodified rule!
All Done!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
Pass Rule Logic
Intrusion
Rules
All other
traffic
No other
Triggers SID
rules
Traffic to 1,000,000
10.2.2.3 evaluted
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
Where To Go Next
Support Documentation
Cisco’s Support Page
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 121
Find the Appliances You Have
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
Download the Correct FMC User Guide
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 123
Understand Your Managed Devices
‘Classic’ refers to the 7000/8000, NGIPSv,
and the ASA/FP module
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 124
Product Updates Perspective
Remember
Classic FTD there are
two
• 5.4 • 6.0 software
• 6.0 • 6.0.1 types
available!
• 6.0.1 • 6.1
• 6.1 • 6.2
• 6.2 • 6.2.1 FTD software
• 6.2.1 • 6.2.2 updates have
• 6.2.2 • 6.2.3 significant
• 6.2.3 • 6.3 new features
available since
it is bringing
over ASA
features!
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
Do you have the winning number?
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
We Offer Cisco Firepower Training!
Official Cisco Training for Firepower, SNORT
Rule writing and AMP for Endpoints! Offered
In-Person and as a Virtual Class.
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKCRT-2215
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
Complete your online
session survey
• Please complete your Online Session
Survey after each session
• Complete 4 Session Surveys & the Overall
Conference Survey (available from
Thursday) to receive your Cisco Live T-
shirt
• All surveys can be completed via the Cisco
Events Mobile App or the Communication
Stations
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
Continue Your Education
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 130
Questions?
This Photo
by Unknown
Author is
licensed
under CC
BY-SA
BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 131
Thank you