Professional Documents
Culture Documents
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Deploy L3 Firewalls at the Edge
• Interfaces, Routing & NAT
• NGFW Policy Tips/SSL Decrypt
• High Availability
• Deploy L2 Firewalls in the DC
• Clustering Overview
• Deploy Multi-Instance
• Overview
• Configuration Walkthrough
• Alternative Designs
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2020
Or email me: schimes@cisco.com
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Reference
CLINET (clinet.com)
Cisco LIVE Information Networking Company
• CLINET (clinet.com) is a fictional company created for understanding use
cases in FTD firewall deployment.
• CLINET has embarked on a network/security deployment project entitled
“The Security 20/20 Project” which serves as the basis for the use case.
• Company requirements and configuration examples are based upon real-
life customer conversations and deployments.
There are ~100 slides we will not cover today
ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing Continuous Feature Firewall URL Visibility Threats
Firepower Management
Center (FMC)*
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Reference
Firepower 9300
Performance and Scalability
Firepower 4140
Firepower 4150
Firepower 2110
Firepower 2120
Firepower 2130 Firepower 4110
ASA 5525-X Firepower 2140 Firepower 4120
ASA 5545-X
ASA 5506H-X ASA 5516-X ASA 5555-X
ASA 5508-X ASA 5515-X
ASA 5506W-X ASA 5512-X
ASA 5506-X
FTDv
SMB & Distributed Enterprise Commercial & Enterprise Data Center & Service Provider
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
FTD Initial Setup
New in 6.2.3! Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Management Connections
ASA 5506 – 5555 / Firepower 2100 (1 Management)
FTD Management Inside
Outside
Management interfaces can be placed
on the same subnets as data interfaces
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Reference
Management Connections
• FTD is managed by FMC through a management interface.
• Management interface is used only for management and eventing.
• Can be on the same subnet as a data interface or on separate subnet.
• Usually is placed on the same subnet as the inside interface.
• Management interfaces are not shown on diagrams, but are present.
Firepower Management
Center (FMC)
• Preserves existing connections on routed and • Eliminated most Snort restarts due to
transparent interfaces if the Snort process reconfiguration (e.g. changing AMP policy)
goes down
• Eliminated most Snort restarts due to memory
• Preserved connections must not be tunneled reallocation (e.g. enabling/disabling AMP)
or proxied (e.g. SSL decrypt, Safe Search)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Reference
Deploying Changes
Changes don’t take affect until you deploy the policy
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Reference
Deploying Changes
Changes don’t take affect until you deploy the policy
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Reference
FTD Initial Setup –
FTD Console on Firepower 2100
• Initial setup through console interface is prompted. Default
username/password is admin/Admin123
Cisco Firepower 2140 Threat Defense v6.2.1 (build 10223)
firepower login: admin
Password: Admin123
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Reference
• Firewall mode is one of the few features configured locally. We will cover modes in
more detail later on.
Configure firewall mode? (routed/transparent) [routed]:
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Reference
Either hostname
or IP address
Registration key
we used in CLI Add device
drop down
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Firewall Deployment
Mode & Interfaces
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more 10.1.1.0/24
interfaces that separate L3 domains – Firewall is the Router and 10.1.1.1
Gateway for local hosts.
NAT
DRP
192.168.1.1
192.168.1.0/24
IP:192.168.1.100
GW: 192.168.1.1
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Firewall Design: Modes of Operation 192.168.1.1
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Routed/Transparent Interface Types
Standalone Interface Redundant Interface EtherChannel Interface
#3 #2 #1
Choice Choice Choice
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Reference
Edge
Aggregation
DMZ Network(2)
(Public Web/DB)
G1/1
VPC VPC
Edge Aggregation
VDC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Reference
outside
ISP-A ISP-B
Edge
Aggregation
DMZ Network(2)
(Public Web/DB)
G1/1 G1/2
VPC VPC
Edge Aggregation
VDC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Reference
ISP-A ISP-B
No security
Edge
zone this time Aggregation
DMZ Network(2)
(Public Web/DB)
GigabitEthernet1/3
VPC VPC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Reference
ISP-A ISP-B
Edge
Aggregation
DMZ Network(2)
(Public Web/DB)
G1/3 VLAN
150
VLAN
trunk
G1/4 151
VPC VPC
Edge Aggregation
VDC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Reference
ISP-A ISP-B
Edge
Aggregation
DMZ Network(2)
(Public Web/DB)
G1/3 VLAN
150
VLAN
trunk
G1/4 151
VPC VPC
Edge Aggregation
VDC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Reference
What is an EtherChannel?
• EtherChannel LAG (IEEE standard is 802.3ad) allows up
to 16 physical Ethernet links to be combined into one
logical link. 16 links can be active and forwarding data.
• Ports must be of same capabilities: duplex, speed, type, etc.
• Benefits of EtherChannel are increasing scale, load-
balancing and HA
• Load balancing is performed via a load-balancing hashing
algorithm (src-dst-ip, src-dst-ip-port, etc.) LACP Load Balance
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Reference
• vPC can maximize throughput since each port channel is treated LACP Load Balance
src-dst-IP (hash)
as a single link for spanning-tree purposes
• Spanning Tree is not disabled, but does not affect the network
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
EtherChannel on FTD
• Supports 802.3ad and LACP standards
Single • Direct support for vPC/VSS
• FP2100/FP4100/FP9300 require LACP w/ 6.2.3
or • FP4100/9300 support Etherchannel “On” mode w/ 6.3
Stack
• Up to 16 active links
• 100Mb, 1Gb, 10Gb, 40Gb are all supported – must match
No security zone on
the port-channel
because we are using
sub-interfaces
No IP
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Reference
VLAN 120
Repeat 2x for VLAN 2 and VLAN 1299
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Routing on FTD
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Routing on FTD
• FTD performs L3 route lookup as part of its normal packet processing flow Outside Network
• Multicast
• EIGRP (via FlexConfig)
• Complete IP Routing config:
http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configurati Inside Network
on/guide/fpmc-config-guide-v601.pdf
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Reference
BGP
• FTD supports BGPv4 with IPv4 and IPv6 for dynamic routing across all platforms
• Standard communities / all path attributes, route redistribution; up to 100K prefixes and 2K neighbors
• Null0 and Remotely-Triggered Black Hole (RTBH) support
• Confederations, route reflectors, tagging, neighbor source-interface, and BFD are not supported
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Reference
• Non Stop Forwarding (NSF) and Graceful Restart (GR) support in FTD:
• Cisco or IETF compatible for OSPFv2, OSPF3; RFC 4724 for BGPv4
• FTD notifies compatible peer routers after a switchover in failover
• FTD acts as a helper to support a graceful or unexpected restart of a peer router in all modes
1. Active FTD fails over to standby; newly active 2. Router re-establishes OSPF adjacency with the
unit initiates OSPF adjacency with the router OSPF FTD while retaining the stale routes; these routes
indicating that traffic forwarding should continue. are refreshed when the adjacency reestablishes.
4. FTD continues normal traffic forwarding until the 3. Primary Route Processor undergoes a restart,
primary RP restarts or the backup takes over or the OSPF signals the peer FTD to continue forwarding while
timeout expires. Forwarding Plane the backup re-establishes adjacencies.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
NAT on FTD
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
NAT on FTD
• NAT on FTD is built around objects, with two types of NAT:
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
NAT on FTD Processing
• Single NAT rule table (matching on a first match basis).
• Uses a simplified “Original Packet” to “Translated Packet” approach:
Manual NAT
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Manual NAT Use Case
Static NAT 192.168.1.10 192.168.1.155 to 128.107.1.242 128.107.1.155
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Reference
Easy to understand
NAT logic
Manual NAT Rules
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
FTD NGFW Policy Tips
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Reference
• Criteria can includes zones, networks, VLAN tags, applications, ports, URLs and
SGT/ISE attributes
• The same Access Control Policy can be applied to one or more device
• Complex policies can contain multiple rules, inherit settings from other access
control policies and specify other policy types that should be used for inspection
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Reference
Displays block
page over HTTP
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Reference
Access Control Policy Use Case #1 –
Applications
Allow MS SQL from inside to pubdmz
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Access Control Policy Use Case #1 – Logging Tab
Allow MS SQL from inside to pubdmz
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Logging Considerations for Large Deployments
Americas – DC #1
Americas – DC #2
1 FP4150 = 200K CPS
EMEA – DC #1
Policy With Full Logging:
EMEA – DC #2 10x FP4150s = 2M EPS 1x FMC4500
Rated for 20K EPS
APJC – DC #1
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
6.2.3
Logging Design for Large Deployments Example
FTD FMC
Security Events Security Events SEIM
Syslog or eStreamer
Connection Events
Syslog
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Reference
For more, check out :
• Individual rules can be set to generate events, drop and generate events, or disabled
• Layers allow for grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Reference
Freeform search
Selecting browser-chrome
populates the appropriate
filter in the filter bar
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Reference
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via AMP
Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspections for different
application protocols, directions and file types.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Reference
Detection only
(no blocking)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Reference
Detection only
(no blocking)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Reference
Rule we just
created
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Reference
• Many actions can be taken on encrypted traffic without decryption by inspecting the
certificate, distinguished name (DN), certificate status, cipher suite and version (all
supported by FTD)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
SSL Decrypt
Technically TLS, but is called SSL throughout the product
• SSL decryption consists of three
components (simplistically):
• TLS Proxy Session Setup Application Data
Encrypt/Decrypt Encrypt/Decrypt
• Session Setup Encrypt/Decrypt
(Asymmetric Key) (Symmetric Key)
• Application Data Encrypt/Decrypt
• TLS Proxy is always done in software TLS Proxy
(Software Only)
• Encrypt/Decrypt can be done in
hardware on:
• ASA 5525-X, 5545-X, 5555-X (6.2.3+) Network Data
• Firepower 4100/9300 series (6.2.3+)
• Firepower 2100 series (6.3+)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Enabling SSL Decrypt in Hardware
Enabled by default in 6.3+. Enabled via CLI in 6.2.3.
• If not in the FTD console on a FP4100/FP9300, connect to FTD:
Firepower-module1> connect ftd
Enabling or disabling SSL hardware acceleration reboots the system. Continue? (y/n) [n]: y
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Reference
Inspection Options
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Reference
Edge SSL
Policy
Inspection Options
Criteria Action
Access Control
Rule All HTTP Allow Edge Intrusion Edge Malware &
Traffic Policy File Policy
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Reference
Intrusion policy we
created previously
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Reference
Rule we just
created
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
NTP Config #1 - FXOS
A leading cause of “no events are showing up in my FMC”…
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
NTP Config #2 – FMC for Non-FXOS Devices
A leading cause of “no events are showing up in my FMC”…
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
NTP Config #3 – FMC Itself
A leading cause of “no events are showing up in my FMC”…
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
Organizing Access
Control Rules
Policy Management – Categories
• All access control policies contain two categories - Mandatory and Default
• Customer categories can be created to further organize rules
• Note - After you create a category, you cannot move it. You can delete it, rename it,
and move rules into, out of, within, and around it
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
Policy Management – Inheritance
• Allows an access control policy to inherit Global Domain
the access control rules from another
policy. 2nd Level Domain
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Policy Management – Multi-Domain Management
• Multitenancy for the Firepower management console
• Maximum of 50 domains and 3 level deep (2 children domains)
• Segments user access to devices, configurations and events
• Users can administer devices in that domain and below
• Devices are assigned to a domain
Global Domain
• Primarily for MSPs
EMEA
Americas Domain
Domain
• Uses in the Enterprise:
Edge DC
• Force a policy to apply to all firewalls in a domain Domain Domain
• Limit user visibility to only select devices and events
• Delegate admin control while maintaining global visibility/control
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Policy Management – Object Overrides
• Allows an object to be reused on multiple firewalls, but with different meanings
• Networks, Ports, VLAN Tags and URLs all support overrides
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
How Failover Works
Failover link passes hellos between active
and standby units every 15 seconds
(tunable from 200msec - 15 seconds)
HELLO HELLO
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
How Failover Works
HELLO
HELLO
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
How Failover Works
Failover Secondary
FTD
State (active)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
Reference
Easier Way:
Stateful Failover Unsupported Features
• Every feature is supported, except:
• Sessions inside plaintext tunnels
• Inspection after decryption
• TLS Decryption State
• The HTTP connection table
• DHCP client
• DHCP server address leases
• Multicast routing
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
HA with Interface Redundancy
Before… After with redundant interfaces
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
HA with Interface Redundancy
Before… After with redundant interfaces
Failures 11 - 7,
7 still
no FAILOVER
1
1 2 3
Any Causes
1 4
1
FAILOVER
1 6 7
Port Channel feature makes this concept somewhat obsolete if switches support VSS/vPC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
Deploying Active/Standby Failover – Secondary IPs
Required to send hellos between data interfaces
Edit interfaces to
add standby IP
addresses for better
interface monitoring
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
Deploying Active/Standby Failover – MAC Address
For stability, set virtual MAC address
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
FTD Clustering
Overview
FTD Clustering Basics
• Designed to solve two critical issues with firewall HA:
• Aggregates firewall capacities for DC environments (bandwidth, connections/sec,
etc.)
• Provides dynamic N+1 stateful redundancy with zero packet loss
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
FTD Clustering Types with FP9300
FTD Inter-Chassis Cluster
• Cluster of up to 6 modules (across 2 – 6 chassis)
• Off-chassis flow backup for complete redundancy
Switch 1 Switch 2
Nexus vPC
Supervisor Supervisor
FTD FTD FTD FTD
Cluster
FTD Cluster FTD
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 124
Cluster Scalability – FTD 6.2.3 Example
54G 226G
30M 108M
Sessions Sessions
200K cps 2 6 600K cps
100% with no
Bandwidth 70% Avg.
Asymmetry*
Example 2 Firepower 9300s w/ 6 Total SM-44 Modules at 54 Gbps → 226 Gbps of throughput
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
Correct Use of EtherChannels When Clustering
with VPCs 1 2 3 4
N7K VPC 32
Cluster Data Plane
Cluster Control Plane VPC PEER LINK
▪ Control Plane [Cluster Control Link]
of Cluster MUST use standard LACP
(Local Port-Channel)
▪ Each VPC Identifier on Nexus 7K is N7K VPC 42
unique N7K VPC 40
N7K VPC 41
N7K VPC 43
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
Reference
Clustering Roles
• Flow Owner
• The unit that receives the connection, registers with Director
• Flow Director
• Backup to the Owner and responds to lookup requests from the Forwarders.
• Maintains a copy of state for individual Owner’s flow
• Forwarder
• Receives a connection but does not own it, queries Director for Owner
• Forwarders can derive Owner from SYN cookie if present (SYN-ACK) in asymmetric scenarios
or may query the Director via Multicast on CCL
Owner Forwarder Forwarder Director
Flow A
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
Reference
Note #2: Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service
software upgrades (ISSUs). Cisco does not recommend using ISSUs with clustering.
FXOS Compatibility Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
Cisco Verified Switches for Clustering
Supported and Recommended: Supported but not recommended for
spanned EtherChannel mode:
• Nexus 7000 (M1, M2, F2 and F3)
• Cisco Nexus 7000 (F1)
• Cisco ASR 9000 with RSP 440
• Cisco Nexus 3000
• Cisco Nexus 9500, 9300, 6000, 5000
• Catalyst 4500-X
• Catalyst 6800 with Supervisor 2T
• Catalyst 3850
• Catalyst 6500 with Supervisor 2T, 32, 720,
and 720-10GE Reason – Asymmetric load-balancing can
cause performance degradation for data
• Catalyst 4500 with Supervisor 8-E throughput on the cluster
• Catalyst 3750-X
Note: Switches must run as a stack, vPC or VSS pair if cluster EtherChannel spans multiple switches
FXOS Compatibility Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
Cluster Connectivity Preferences
Firewall on a Stick Same Model Switches Different Model Switches
#1 #2 #3
Choice Choice Choice
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 130
Using 2 Different Switches –
Switch Port Numbers Matter
Ascending
EtherChannel RBH values are sequentially Order
allocated in ascending order starting from the 1/1 1/2 1/3 1/4
lowest numeric line card and port ID.
0,4 1,5 2,6 3,7
For best cluster performance, keep traffic
symmetric and off the CCL:
• Use a symmetric hashing algorithm
• Use fixed RBH allocation for EtherChannels 0,4 1,5 2,6 3,7
e.g. port-channel hash-distribution fixed
on Nexus 7K and Catalyst 6500 1/7 2/1 5/7 6/1
• Links should be connected in matching Also
Ascending
ascending order on each switch
Configuring Load Balancing Using Port Channels in Nexus 7000 Series NX-OS Interfaces Configuration Guide:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/interfaces/configuration/guide/b-Cisco-Nexus-7000-Series-NX-
OS-Interfaces-Configuration-Guide-Book/configuring-port-channels.html
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 131
FMC Clustering Improvements with FTD 6.3
Discovery of cluster nodes is now automatic in FMC
FTD 6.2.3 - 6 Node Cluster Setup FTD 6.3 - 6 Node Cluster Setup
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 132
Set Cluster Control Link (CCL) MTU
Avoids fragmentation after encapsulation on CCL
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 133
Pro-Tip – Set Virtual MAC Addresses
For stability, set Active Mac address, especially if using non-interface NAT
IPs
Why? Traffic disruption due to
MAC address changes:
• On boot, the MAC addresses of
the master unit are used across
/ the cluster. If the master unit
becomes unavailable, the MAC
addresses of the new master unit
Not required, but more
are used across the cluster.
stable if set. For clustering,
• Gratuitous ARP for interface IPs
only Active Mac Address
needs to be set. partially mitigates this, but has no
effect on NAT IPs.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 134
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 135
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 136
Reference
6. Respond through
Flow Forwarder another unit
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 137
Reference
Client Server
Flow Director
1. Connection is established
through the cluster
Flow Owner
2. Owner fails
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 138
Reference
FTD Clustering
Configuration
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 140
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 141
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
Reference
North Zone
VLAN 200
None
VPC
VLAN 200
Outside
VLAN 201
Inside
VPC BVI 172.16.25.86/24
Server in
VLAN 201
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 144
Reference
Name of the
individual device,
not the cluster a.k.a. “Image Type”
- ASA or FTD
Images uploaded by the
user into the Firepower
Chassis Manager, make
sure they match across
cluster members
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 146
Reference
Port-channel48 is
automatically selected as the
cluster interface if configured
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 147
Reference
Chassis ID of the
unit in the cluster
(must be unique)
Key to authenticate
units joining the
Name of the cluster cluster, must be the
to join, must be the same on all devices
same on all devices
Dedicated out-of-band
management port
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 148
Reference
Key to authenticate
the management
connection from FMC
Admin password to
login to FTD locally
Needed for dc-fw.clinet.com
uploading files to
AMP, etc. Routed or
Transparent
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 149
Reference
FTD management
IP, this must work
for communications
to the FMC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 151
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 152
Reference
Name of the
individual device,
not the cluster
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 153
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 154
Reference
Must be different
than other units
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 155
Reference
Key to authenticate
the management
connection from FMC
Admin password to
login to FTD
dc-fw.clinet.com
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 156
Reference
Change to be
unique
Populated from the
pasted config
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 157
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 158
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 159
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 160
Reference
Deploying FTD in
Transparent Mode
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 162
Reference
• Firewall does not need to run routing protocols / become a segment gateway
• Firewalls are more suited to security inspection (not packet forwarding like a router)
• Routing protocols can establish adjacencies through the firewall
• Protocols such as HSRP, VRRP, GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
• Much faster deployment time for brown field (months vs. years)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 163
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 164
Reference
North Zone
VLAN 200
VPC
VLAN 200
Outside
VLAN 201
Inside
VPC BVI 172.16.25.86/24
Server in
VLAN 201
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 165
Reference
North Zone
VLAN 200
VPC
VLAN 200
Outside
interfaces per
bridge group
Trunk Allowed 1,201 South Zone
VLAN 201
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 166
Reference
After deploying
changes, cluster
should turn green
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 167
Reference
Destination 1
1
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 168
Reference
Destination 5
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 169
FTD Multi-Instance
Overview
BRKSEC-2020
FTD Multi-Instance Intro
• Next generation replacement for ASA Multiple Context Mode
• Create multiple logical devices on a single module or appliance
• Instances are truly virtual (unlike ASA contexts), leveraging Docker containers
• Dedicated resources allows for traffic processing and management isolation
• Each container instance runs its own FTD software version
• Physical, logical and VLAN separation provided by chassis supervisor
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 171
FTD Multi-Instance Key Details
• Requires FTD 6.3+
• Supported on Firepower 4100 and 9300 hardware only
• Supports inter-chassis HA for high availability only
• Maximum of 42 instances per chassis
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 172
Instance Counts by Platform
Maximum CPU Cores Maximum FTD Instances
Firepower Platform
Per Instance Per Chassis
4110 22 3
4120 46 3
4140 70 7
4150 86 7
9300 w/ 1 x SM-24 46 7
9300 w/ 1 x SM-36 70 11
9300 w/ 1 x SM-44 86 14
9300 w/ 3 x SM-24 46 21
9300 w/ 3 x SM-36 70 33
9300 w/ 3 x SM-44 86 42
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 173
Network Interfaces
• Supervisor assigns physical, EtherChannel, and VLAN subinterfaces
• FXOS supports up to 500 total VLAN subinterfaces
• FTD can create VLAN subinterfaces on physical/Etherchannel interfaces
• Each instance can have a combination of different interface types
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 174
Network Interface Scalability
If you only read one section of FXOS docs, read the interface section:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos241/cli-guide/b_CLI_ConfigGuide_FXOS_241/interface_management.html
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 176
Interface Combinations That Work
Documented in FXOS docs under “Shared Interface Usage Examples”
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 177
Alternatives to
Multi-Instance
Use Cases for Multi-Tenancy
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 179
Multi-Tenancy Use Case Mapping to FTD
Policy Simplification Routing Independent Traffic Processing
Resource Sharing
Only Separation Only Management Isolation
Less Than
No 42 Tenants?
Yes
FMC Zones,
Future FTD Multi-
SG Tags, FTDv
Release Instance Mode
Categories
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 180
Zones and Categories for Policy Management
Migrate ASA contexts to FTD, without FTD Multi-Instance
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 181
Zones and Categories for Policy Management
Migrate ASA contexts to FTD, without FTD Multi-Instance
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 182
Zones and Categories for Policy Management
Migrate ASA contexts to FTD, without FTD Multi-Instance
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 183
Zones and Categories for Policy Management
Migrate ASA contexts to FTD, without FTD Multi-Instance
Outside DMZ
Inside
DC Firewall DC Servers
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 186
Demo Scenario Logical Design
Edge DMZ Firewall
(Physical – L3)
Outside DMZ
DC Firewall DC Servers
(Instance – L2)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 187
Demo Scenario Logical Design
Edge DMZ Firewall
(Physical – L3)
Outside DMZ
Po3 Po4
Inside
Po5.301,Po5.302
DC Firewall DC Servers
(Instance – L2) Po5.303,Po5.304
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 188
Demo Scenario Multi-Instance Design
Po5.301 Po5.301
Po5.302 Po5.302
Po5.303 Po5.303
Po3 Po5.100 Po4 Po5.304 Po3 Po5.100 Po4 Po5.304
Internet Firewall DMZ Firewall DC Firewall Internet Firewall DMZ Firewall DC Firewall
FPR4K08-1-A FPR4K08-2-A FPR4K08-3-A FPR4K09-1-B FPR4K09-2-B FPR4K09-3-B
(Primary) (Primary) (Primary) (Secondary) (Secondary) (Secondary)
FPR4K08 FPR4K09
HA Link 1: Eth1/8.1001
HA Link 2: Eth1/8.1002
HA Link 3: Eth1/8.1003
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 189
Steps Involved in Bringing up a Multi-Instance
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 190
Multi-Instance Setup – FXOS Upgrade
Upload and upgrade FXOS to 2.4.1+
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 191
Multi-Instance Setup – FXOS Upgrade
Upload and upgrade FXOS to 2.4.1+
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 192
Multi-Instance Setup – FXOS Upgrade
Upload and upgrade FXOS to 2.4.1+
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 193
Multi-Instance Setup – FXOS Upgrade
Upload and upgrade FXOS to 2.4.1+ - If you are impatient
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 194
Multi-Instance Setup – FXOS Upgrade
Upload and upgrade FXOS to 2.4.1+ - If you are impatient
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 195
Multi-Instance Setup – FXOS Upgrade
Upload and upgrade FXOS to 2.4.1+
Upgrade is complete
when you are prompted to
log in again.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 196
Multi-Instance Setup – Module Reinitialization
Required to support Container instances
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 197
Multi-Instance Setup – Configuring Interfaces
Adding Data-Sharing Interface for FPR4K08-1-A and FPR4K08-2-B
Data-Sharing interfaces
can be shared across
interfaces. Physical
interfaces, port-channels New in 6.3 is the option to
and subinterfaces can all add subinterfaces
be set to Data-Sharing
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 198
Multi-Instance Setup – Configuring Interfaces
Adding Data-Sharing Interface for FPR4K08-1-A and FPR4K08-2-B
Subinterface ID used by
FXOS and FMC
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 199
Multi-Instance Setup – Configuring Interfaces
Completed Interface Configuration
Dedicated port-channel to
be used on FPR4K08-1-A
Dedicated port-channel to
be used on FPR4K08-2-A
Shared subinterface to be
used on FPR4K08-1-A and
FPR4K08-2-A
Dedicated subinterfaces to
be used on FPR4K08-3-A
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 201
Multi-Instance Setup – First Instance Creation
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 202
Multi-Instance Setup – First Instance Creation
FPR4K08-1-A
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 203
Multi-Instance Setup – First Instance Creation
FPR4K08-1-A
Semi-shared management
interface. If empty, check that
interfaces of type Management
are defined under Interfaces.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 204
Multi-Instance Setup – First Instance Creation
FPR4K08-1-A
Registration key used only
once when pairing with FMC.
Doesn’t need to be complex.
Admin password for FTD, not
the password for FMC
Controls whether entering
expert mode (Linux shell) is
allowed via SSH.
Transparent or Routed
Alphanumeric string to assist
setup w/ NAT. Must be unique
across all devices in FMC.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 205
Multi-Instance Setup – First Instance Creation
FPR4K08-1-A
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 206
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 207
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 208
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 209
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 210
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 211
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 212
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 213
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 214
Multi-Instance Setup – Modify Resource Profile
FPR4K08-3-A
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 215
Multi-Instance Setup – Modify Resource Profile
FPR4K08-3-A
Default profile
of 6 CPUs
Multiples of 2,
excluding 8.
(e.g. 6, 10, 12, 14, 16)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 216
Multi-Instance Setup – Modify Resource Profile
FPR4K08-3-A
If previously created,
the profile could have
been selected during
setup. It can be
changed after setup.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 217
Multi-Instance Setup – Modify Resource Profile
FPR4K08-3-A
With HA and
decreasing resource,
stateful failover is not
guaranteed.
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 218
Multi-Instance Setup – Completed FXOS Setup
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 219
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 220
Multi-Instance Setup – FMC Setup
Adding devices
Adding an Instance to
FMC is no different than
adding a physical firewall
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 221
Multi-Instance Setup – FMC Setup
Adding devices
6 instances on 2 modules
requires only 2 licenses
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 224
Multi-Instance High Availability
• Container instances only support inter-chassis HA
• Configured exactly as you would physical appliances
• Multiple instances can share one HA Link, using one VLAN per instance
• An HA pair allows differently sized instances for seamless resizing
• Stateful HA is supported but not guaranteed when downsizing
Internet Firewall DMZ Firewall DC Firewall Internet Firewall DMZ Firewall DC Firewall
(Primary) (Primary) (Primary) (Secondary) (Secondary) (Secondary)
FPR4K08 FPR4K09
HA Link 1: Eth1/8.1001
HA Link 2: Eth1/8.1002
HA Link 3: Eth1/8.1003
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 225
Managed Just Like A Physical Firewall
HA, Policies, Eventing, etc.
Subinterfaces are
managed within FXOS
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 226
Alternative Designs
Interfaces Revisited: Optional Interface Modes
• By default, all interfaces are firewall interfaces (routed or transparent)
• Optionally, specific interfaces can be configured for use as IDS or IPS
• IDS Mode
• Inline Tap
• Passive
• ERSPAN
• IPS Mode
• Inline Pair
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 228
Optional FTD Interface Modes
A Routed or Transparent
F Interfaces
Passive Policy Tables
B G
Inline Pair 1
C H
Inline Set
Inline Pair 2
D I
Inline Tap
E J
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 229
Inline NGFW
Firewall without Routing or Bridging Interfaces
• Although not a “Firewall” interface,
L3/L4/L7 rules can be enforced when
using “IPS” interface types
• Useful when Routed or Transparent aren’t
possible/feasible
Inline Pair
• No subinterfaces required for trunks, use
“VLAN Tags” in ACP instead:
• Caveats:
• No NAT / No Routing
• No strict TCP state tracking
Configuration: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 230
Out-of-Band IDS - Multichassis SPAN
When a single Firepower appliance is not enough
• Each device configured as a standalone
device
• Cluster not supported, as it requires all
firewall ports to be EtherChannels
FW: Passive
• On switch, SPAN destination configured as
Interfaces
EtherChannel
• EtherChannel set to mode of “On”
SW: EtherChannel
• On firewall, each port configured as Passive without LACP
interface:
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 232
Inline IPS – Passthrough EtherChannel w/ HA
LACP EtherChannel through FTD w/o Symmetric Traffic
• Useful for IPS HA without Clustering VSS
or VPC
X X
• Same interface configuration as SW Only: Port Channel 1
Passthrough EtherChannel w/o HA Disabled
by LACP
• Traffic is automatically symmetric through FTD,
since only 1 unit is ever active
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 233
Inline IPS – Passthrough EtherChannel w/ HA
LACP EtherChannel through FTD w/o Symmetric Traffic
• Useful for IPS HA without Clustering VSS
or VPC
X X
• Same interface configuration as SW Only: Port Channel 1
Passthrough EtherChannel w/o HA Disabled
by LACP
• Traffic is automatically symmetric through FTD,
since only 1 unit is ever active
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 234
Inline IPS – EtherChannel Termination w/ Cluster
LACP EtherChannel to FTD
• Preferred method of scaling IPS w/ FTD VSS
or VPC
• Unlike previous designs, LACP
EtherChannel terminates on FTD SW+FW: Port Channel 1
• Traffic is automatically symmetric through FTD,
since Cluster handles any asymmetry
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 235
Reference
• 20+ Gbps per single flow (TCP/UDP) and 2.9us of 64-byte UDP latency
• Unicast IPv4 TCP/UDP/GRE and VLAN encapsulation only, no CMD/SGT
• FXOS 2.2(1) supports 4 million unidirectional or 2 million bidirectional flows
per security module
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 237
Reference
Incoming Established
Flow Classifier Rewrite Engine
traffic trusted flows
Smart NIC
Flow Offload
• Limited state tracking, NAT/PAT, TCP Sequence Randomization
• 20+ Gbps per single TCP/UDP flow, 2.5us UDP latency, 4M unidirectional/2M bidirectional (6.2.2)
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 238
Reference
VMware KVM
OVF for vSphere and ESXi Cisco FTDv qcow2 image
VMware ESXi 5.x, 6.x
Public Cloud
KVM 1.0 Virtio driver
E1000, VMXNET3
Amazon Web Services
AMI in the marketplace
Microsoft Azure
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 240
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 241
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 242
Reference
VM VM VM VM
VM Port-Group Failover VM VM
Port-Group A
VM VM VM VM
Port-Group B
Distributed Virtual Switch
ESXi-1 ESXi-2
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 243
Reference
Virtual
Server B
NIC2 NIC3
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 244
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 245
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 246
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 247
Complete your online
session survey
• Please complete your Online Session
Survey after each session BRKSEC-2020
• Complete 4 Session Surveys & the Overall was
Conference Survey (available from awesome!
Thursday) to receive your Cisco Live T-
shirt
• All surveys can be completed via the Cisco
Events Mobile App or the Communication
Stations
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 248
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKSEC-2020
Or email me: schimes@cisco.com
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 249
Reference
BRKSEC-2020 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 250
Thank you
Q&A