ARM yourself using NGFWv and ASAv in Azure

Anubhav Swami, Security Solution Architect
@swamianubhav

BRKSEC-3093
Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKSEC-3093 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Speaker

Anubhav Swami
Security Solutions Architect
CCIE# 21208
answami@cisco.com
http://cs.co/anubhavswami
answami-public-folder

Then to Now
• TAC Engineer (Security) – 5 Years (NGFW, NGIPS, ASA)
• ASA Business Unit – 2 Years
• Technical Marketing Engineer – 5 Years (Cloud Security, DC Security, ACI Security)
• Current Role: Security Solutions Architect (Azure, AWS, GCP)

From: Delhi (India)
Based in: RTP (NC) - USA
Photography
Q&A Manager

Erick Waterworth
Technical Lead - Engineering
ewaterwo@cisco.com

1999 to Now
• Networking – 26 Years
• Security Business – 6 Years
• ASA Business Unit – 6 Years
• Current Role: Technical Lead - Engineering
Areas: NGFW, ASA, Automation, Azure, AWS, Python

From: NC USA
Based in: RTP (NC) - USA
Anything in Mountains
Agenda
• Introduction
• Cisco NGFW and ASAv introduction and what’s new
• Use-cases
• Default Azure marketplace template deployment
• Azure Resource Manager (ARM) template Overview
  • Introduction and benefit of an ARM template deployment
  • Structure, sections, format and tools
• ARM template deployment
  • Azure - Resource Group, Virtual Network, Network Security Group, Storage Account, Load Balancers
  • Cisco – NGFWv, addition of firewalls in Load Balancer, and Day0 configuration
• Deploy infrastructure using ARM template (Demo)
• Best practices for using ARM template
• Resources
Instructor Led Lab
Deploy NGFWv and ASAv in Public Cloud (AWS and Azure)

Register Now
January 30, 2020, 9 AM
Few seats available / Lab is Full
Introduction

Changing Trend: Movement to public cloud

Challenges
• Visibility and Control
• Layer 2 Abstraction
• Security Model
• Cloud Services

Benefits
• Ease of Deployment
• HA, Scalability and Application Agility
• Low Cost

Data Center (Private Cloud – Hypervisors) → Public Cloud → Hybrid Cloud → Multi Cloud
Why is everyone moving to the cloud?

• Reliability, Scalability & Sustainability
• Device & Location Independent
• Cloud-Native Transformation
• 24x7 support
• Easy & agile development
• Rapid Service Innovation
• Utility Based
• Lower TCO
• Secure Access & Storage
• Highly Automated Management
• Free up Internal Resources
• Lower Capital Expenditure
Azure Services Overview

Diagram: an Azure Resource Group in a Region (us-east-1) containing a Virtual Network with Availability Zone 1 (Subnet 1a) and Availability Zone 2 (Subnet 1b), NGFWv/ASAv Network Virtual Appliances behind an Internal Load Balancer and an External Load Balancer (ELB), Workloads, a Gateway Subnet with a Gateway, User Defined Routes (UDR), Express Route and a VPN Gateway.

Legend
• Resource Group
• Region
• Availability Zone and Availability Set
• Subnet
• Network Security Group
• Network Virtual Appliance (NVA)
• Workload and Public IP
• Load Balancer (Internal and External)
• User Defined Route
• Express Route
• VPN Gateway
Azure Load Balancer
Basic LB and Standard LB (comparison figure)
Azure Basic Load Balancer
With Azure Load Balancer you can scale your applications and create high availability for services.

• Supports inbound and outbound traffic flow
• Supports TCP and UDP traffic
• LB distributes new inbound flows that arrive on the load balancer's frontend to backend pool instances, according to rules and health probes
• Public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses.
• Type: Internal and External LB
• SKUs: Basic and Standard
• Standard LB comes with HA port functionality
• Public LB rewrites destination address
Azure Standard Load Balancer

• Standard Load Balancer can be public or internal
• Supports TCP and UDP
• Scales up to 1000 backend instances, compared to 100 for basic LB
• Supports availability zones
• Cross-zone load balancing is available for the backend pool
• HA port functionality is available for Internal LB
Cisco NGFW, ASA Introduction and what’s new

FTD
Next-Generation Firewall Overview
• Stateful firewall
• NAT
• Static and dynamic routing
• Firewall
• NGIPS
• URL
• AVC
• AMP
• VPN: IPSEC (S2S & RAVPN)
• SI

AVC - Application Visibility and Control
NGIPS – Next-Generation Intrusion Prevention System
AMP – Advanced Malware Protection
VPN – Virtual Private Network
URL – URL filtering
SI – Security Intelligence

NGFWv / FTD Appliance
NGFWv Management Options

Cisco Firepower Management Center (FMC) – Centralized Manager
Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment.

Cisco Firepower Device Manager (FDM) – On-box manager (FTD release 6.5+)
For easy on-box management of a single FTD or a pair of FTDs running in HA.

Cisco Defense Orchestrator (CDO) – Cloud based manager
Cloud-based multi-device manager that facilitates management of security policies in highly distributed environments.

FTD: Physical Appliance, Virtual Appliance (VMware, KVM, AWS and Azure)
API
FMC API Explorer
Firepower Management Center API

Firepower offers powerful, documented integration points in context-rich APIs which allow configuration orchestration and device monitoring.

FMC APIs
• Device Registration and De-registration
• Create and delete Device Group
• Create and delete Object Group
• Create and delete Access Control Policy
• Create and delete Security Zone
• Configure and Edit Interface Configuration: Physical Interface, Sub Interface, Port-Channel, Inline Pair and BVI
• NAT, Static Routing, VPN, High Availability

API explorer: https://FMC_Management_IP/api-explorer

Programming with Firepower (Recommended): https://developer.cisco.com/firepower/
ASAv overview
AWS and Azure

• Stateful Firewall, NAT, Routing and ACL
• ASAv HA for Azure using built-in HA Agent
• ASAv supports REST API for programmability
9.13.x
• VPN: IPSEC and SSL
• VPN: RAVPN and S2S
• VPN: Policy Based VPN and Route Based VPN (VTI)
• Management Options: CLI, ASDM, CSM, CDO, and API
• Programmability using API

ASA Appliance
ASAv Management Options

ASDM
Adaptive Security Device Manager (ASDM) delivers world-class security management and monitoring through an intuitive, easy to use Web-based management interface.

CDO
Simplify and unify policy across firewalls, next-generation firewalls, Cisco Web Security Appliances, and Cisco Umbrella. Spot misconfigurations easily. Respond to threats quickly. Orchestrate policy changes across dozens or thousands of devices in a single pane of glass.

CLI
Cisco ASA offers a powerful CLI for configuration, monitoring and troubleshooting.

CSM
Cisco Security Manager helps to enable consistent policy enforcement and rapid troubleshooting of security events, offering summarized reports across the security deployment.

ASA API for configuration orchestration and monitoring
FTD Release 6.5
What’s new in NGFWv (FTD)

New Instance Type
• Standard D4v2
• Standard D5v2
• Up to Eight NIC*
• Higher Throughput

New Management Options
• Cisco Firepower Device Manager - FDM
• Cisco Defense Orchestrator - CDO

New Licensing Model
• PAY-G model

* NIC0 is Management and NIC1 is diagnostics
NGFWv Supported Instance Types and No. of Interfaces

New Instance Type – Number of Interfaces
• Standard D3 – Four Interfaces (management, diagnostics, external, and internal)
• Standard D3v2 – Four Interfaces (management, diagnostics, external, and internal)
• Standard D4v2 – Up to Eight Interfaces (minimum four interfaces)
• Standard D5v2 – Up to Eight Interfaces (minimum four interfaces)
ASAv
ASAv Supported Instance Types (table image)
Use-cases

Azure User Defined Route (UDR)
Reference

Azure UDR is a native tool provided by Azure; it lets you create custom routes in a route table. A UDR is associated with a subnet, and routes defined in the UDR override Azure’s default system routes.

Next-hop types in Azure UDR:
• Virtual Appliance
• Virtual Network Gateway
• Virtual Network
• Internet
• None

Benefits:
• UDR can be modified using an API call
• UDR can have more specific routes
ASAv HA (Active/Backup)
ASAv HA released in version 9.8.1.200 (Aug 2017)

HA Agent
• Communicates with Peer and determines Active/Backup State
• Responds to LB probes
• Programs Azure user defined route (UDR)
• Traffic is steered to active ASAv
• Routes are programmed via Azure Rest APIs

Diagram: Protected Workloads in the Inside vNET; Active ASAv and Backup ASAv, each with the HA Agent, in an Availability Set behind an Azure LB with a Frontend Public IP; Azure UDR for the Inside Subnet: Destination 0.0.0.0/0, Next Hop Active ASAv.

Integrated Solution: No external scripts/agent required
Frontend Public IP: Active Frontend IP is assigned on Azure Load Balancer
Multiple Subscription Support: HA can modify UDR in multiple subscriptions
Fast Switchover: Detection to recovery in seconds
Load Balancer Probes: Load balancer probes each ASAv using TCP handshake, and the HA agent on the Active ASAv responds to the probes.
Stateless Switchover: Connections are not replicated to the backup firewall

Youtube: Demo1 Demo2
Probe port – TCP 44441, Control port – TCP 44442
ASAv HA – Multiple subscriptions

Diagram:
Subscription 1 – vNET 10.82.0.0/16
• Protected Workloads with Azure UDR (dmz1-RT) on 10.82.2.0/24 and Azure UDR (dmz2-RT) on 10.82.3.0/24
• Inside subnet 10.82.1.0/24 with Azure UDR (inside-RT)
• Active ASAv and Backup ASAv, each running the HA Agent, in an Availability Set

Subscription 2 – vNET 10.32.0.0/16, connected by vNET peer
• Azure UDR (partner-udr) on 10.32.1.0/24
Cloud Failover Configuration Recommendation

Primary ASA configuration

failover cloud route-table inside-RT
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.4
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.4
 route Route-Subnet2-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.1.4
 route Route-Subnet3-To-ASAv prefix 10.82.3.0/24 nexthop 10.82.1.4
failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.4
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.4
 route Route-Subnet2-To-ASAv prefix 10.82.1.0/24 nexthop 10.82.3.4
 route Route-Subnet3-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.3.4

Backup ASA configuration

failover cloud route-table inside-RT
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.5
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.5
 route Route-Subnet2-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.1.5
 route Route-Subnet3-To-ASAv prefix 10.82.3.0/24 nexthop 10.82.1.5
failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.5
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.5
 route Route-Subnet2-To-ASAv prefix 10.82.1.0/24 nexthop 10.82.3.5
 route Route-Subnet3-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.3.5

Recommendation
• Manage all directly connected UDRs from the ASA
• Never add routes in UDR from Azure portal for UDRs managed by ASAv HA agent
• Support for multiple UDRs and multiple subscriptions
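An added example, not Cisco's code and not from the deck: a small Python checker that parses the primary and backup failover cloud route-table configuration above and confirms both peers manage the same UDRs with only the nexthop differing, which is the drift that hand-editing those UDRs in the portal would introduce. PRIMARY and BACKUP are constructed copies of the slide's configuration (subscription id as printed there); the same-subnet test assumes a /24 and is the example's own choice.

```python
"""Added example (not Cisco's code): check that the primary and backup ASAv
'failover cloud route-table' blocks agree on every UDR they manage.
PRIMARY/BACKUP are constructed copies of the slide's configuration."""
import ipaddress
import re

PRIMARY = """\
failover cloud route-table inside-RT
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.4
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.4
failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.4
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.4
"""
BACKUP = """\
failover cloud route-table inside-RT
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.5
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.5
failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
 rg answamiasavha
 route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.5
 route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.5
"""

_TABLE = re.compile(r"^failover cloud route-table (\S+)(?: subscription-id (\S+))?")
_RG = re.compile(r"^\s*rg (\S+)")
_ROUTE = re.compile(r"^\s*route (\S+) prefix (\S+) nexthop (\S+)")


def parse_failover_config(text):
    """Map route-table name -> {subscription, rg, routes: {prefix: nexthop}}."""
    tables, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := _TABLE.match(line):
            current = tables[m.group(1)] = {"subscription": m.group(2), "rg": None, "routes": {}}
        elif current is None:
            raise ValueError(f"line outside a route-table block: {line!r}")
        elif m := _RG.match(line):
            current["rg"] = m.group(1)
        elif m := _ROUTE.match(line):
            current["routes"][m.group(2)] = m.group(3)   # keyed by prefix, value is nexthop
    return tables


def compare_peers(primary_text, backup_text):
    """Return a list of findings; an empty list means both peers agree.
    Both peers must name the same tables, rg, subscription and prefixes; only the
    nexthop may differ, and both nexthops must sit in the same (assumed /24) subnet."""
    p, b = parse_failover_config(primary_text), parse_failover_config(backup_text)
    findings = []
    for name in sorted(set(p) | set(b)):
        if name not in p or name not in b:
            findings.append(f"{name}: defined on only one peer")
            continue
        for field in ("rg", "subscription"):
            if p[name][field] != b[name][field]:
                findings.append(f"{name}: {field} differs between peers")
        for prefix in sorted(set(p[name]["routes"]) | set(b[name]["routes"])):
            nh_p, nh_b = p[name]["routes"].get(prefix), b[name]["routes"].get(prefix)
            if nh_p is None or nh_b is None:
                findings.append(f"{name}: prefix {prefix} missing on one peer")
            elif nh_p == nh_b:
                # each peer must steer the UDR at its own inside address
                findings.append(f"{name}: prefix {prefix} has the same nexthop on both peers")
            elif (ipaddress.ip_network(f"{nh_p}/24", strict=False)
                  != ipaddress.ip_network(f"{nh_b}/24", strict=False)):
                findings.append(f"{name}: prefix {prefix} nexthops are in different subnets")
    return findings


if __name__ == "__main__":
    for finding in compare_peers(PRIMARY, BACKUP) or ["peers agree"]:
        print(finding)
```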

NGFWv and ASAv scalable design
Azure internal load balancer (ILB) standard & external load balancer

Diagram: Internet Users reach the External LB; NGFWv firewalls FW01, FW02 … FW..n sit in the NVA Subnet (inside) in an Availability Set, fronted by a Standard ILB (VIP) with HA Port; switchover is stateless. WEB, APP and DB subnets, FMC, a Gateway Subnet with the Azure Virtual Network Gateway, Express Route and the Data Center complete the vNET.

WEB-UDR
Destination – Next Hop
Default/Internet – ILB VIP
DB, APP and DC – ILB VIP

APP-UDR
Destination – Next Hop
Default/Internet – ILB VIP
DB, WEB and DC – ILB VIP

DB-UDR
Destination – Next Hop
Default/Internet – ILB VIP
APP, WEB & DC – ILB VIP

GW-UDR
Destination – Next Hop
WEB, APP & DB – ILB VIP

NGFWv ARM Template (LB Sandwich): Template
Youtube video1: overview; video2: End to end deployment demo
NGFWv and ASAv scalable design (cont.)
Traffic flow - Inbound traffic

Inbound traffic (N/S): translate inbound traffic to the Inside Interface of NGFWv.

Diagram: same topology (Internet Users, External LB, FW01/FW02/FW..n NGFWv in the NVA Subnet (inside), Standard ILB (VIP) with HA Port, WEB/APP/DB, FMC, Gateway Subnet, Azure Virtual Network Gateway, Express Route, Data Center).
NGFWv and ASAv scalable design (cont.)
Traffic flow - Outbound traffic (Mapped public IP address)

Outbound traffic: translate outbound traffic to the outside Interface of NGFWv (Mapped Public IP).

Diagram: same topology (Internet Users, External LB, FW01/FW02/FW..n NGFWv in the NVA Subnet (inside), Standard ILB (VIP) with HA Port, WEB/APP/DB, FMC, Gateway Subnet, Azure Virtual Network Gateway, Express Route, Data Center).

APP-UDR
Destination – Next Hop
Default/Internet – ILB VIP
DB, WEB and DC – ILB VIP
NGFWv and ASAv scalable design (cont.)
Traffic flow – East/West traffic

Diagram: same topology; switchover is stateless.

WEB-UDR
Destination – Next Hop
Default/Internet – ILB VIP
APP, DB & DC – ILB VIP
NGFWv and ASAv scalable design (cont.)
Traffic flow – DC traffic

DC traffic (N/S) enters through the Gateway Subnet (Azure Virtual Network Gateway, Express Route, Data Center); same topology otherwise, with stateless switchover.

GW-UDR
Destination – Next Hop
WEB, APP & DB – ILB VIP
NGFWv and ASAv scalable design
Separation of Internet and E/W traffic

Diagram: firewalls in an Availability Set in the NVA Subnet (inside). FW01 and FW02 NGFWv behind Standard ILB VIP1 with HA Port carry Internet traffic (Internet Users arrive through the External LB); FW03 and FW04 NGFWv behind Standard ILB VIP2 with HA Port carry E/W traffic. WEB, APP and DB subnets, FMC, Gateway Subnet, Azure Virtual Network Gateway, Express Route and Data Center complete the vNET; switchover is stateless.

WEB-UDR
Destination – Next Hop
Default/Internet – ILB VIP1
DB, APP and DC – ILB VIP2

APP-UDR
Destination – Next Hop
Default/Internet – ILB VIP1
DB, WEB and DC – ILB VIP2

DB-UDR
Destination – Next Hop
Default/Internet – ILB VIP1
APP, WEB & DC – ILB VIP2

GW-UDR
Destination – Next Hop
WEB, APP & DB – ILB VIP2
Secure Service vNET
NGFWv and ASAv

Diagram: spoke vNET A and vNET B connect through vNET peer to the Service vNET (HUB), whose NVA Subnet holds the Internal LB, External LB and firewalls FW01, FW02 … FW0n (ILB VIP towards the spokes, Internet via the External LB), plus a Gateway Subnet. UDR applied to all subnets in all vNETs; traffic is handled by UDR and LBs.

All-Subnets-UDR
Destination – Next Hop
All-Subnets – ILB VIP
Internet – ILB VIP

GW-Subnet-UDR
Destination – Next Hop
All-Subnets – ILB VIP
Internet – ILB VIP
NGFWv Management
FDM (On-box manager) and CDO (Cloud based manager)

FTD release 6.5 introduced FDM.

Diagram: the Firewall Administrator reaches the NGFWv firewalls (FW01, FW02 … FW..n in the NVA Subnet (inside), behind the Standard ILB (VIP) with HA Port) through the MGMT subnet, or through Cisco Defense Orchestrator (CDO, cloud based management); FMC, WEB/APP/DB, Gateway Subnet, Azure Virtual Network Gateway, Express Route and Data Center as in the earlier diagrams.
Default Azure Marketplace Template

Azure Marketplace
• Vendors/OEMs can publish their virtual appliances in Azure marketplace
• Cisco NGFWv, FMCv, and ASAv are available in Azure marketplace
• Customers can search Azure marketplace and deploy these virtual appliances using the default ARM template published by Cisco

Cisco appliances in Azure Marketplace (screenshot)
Deploy NGFWv using marketplace default template
Basic settings
• Access Azure marketplace and search for Cisco Firepower Next-Generation Firewall
• Click create and enter information on basic settings
• Add following detail:
  • VM name
  • Username
  • Password/SSH public key
  • Select Subscription
  • Select Resource Group (New)
  • Pick Location
• Click OK to configure FTDv settings

Azure: New “resource group” is required for deploying new firewall
Deploy NGFWv using marketplace default template
FTDv settings
• Select FTD VM size
  • Standard D3, D3v2, D4v2, or D5v2
• Create Storage Account
• Create Public IP for management (can be removed later)
• Specify DNS label
• Select vNET (existing or new)
• Select Subnets (existing or new)
• Click OK to view summary

Cisco: Minimum 4 subnets required and additional interfaces can be attached later
Deploy NGFWv using marketplace default template
Summary
• Azure portal is going to run deployment script validation.
• Once validation is passed, click OK button to read and accept “Term of use/Privacy Policy”
• Read and accept “Term of use/Privacy Policy”
• Enter contact information
• Click Create
Points to remember when using default template deployment

Azure
• New resource group
• Existing or new vNET
• Single Instance per deployment

Cisco
• Minimum four NICs
• Minimum four subnets in vNET
• Additional Interfaces should be added post deployment

Others
• Prone to human error
• No support for bulk deployment
Azure Resource Manager Template Overview

Azure Resource Management Overview
• Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure subscription
• Resource Manager sends the request to the Azure service, which takes the requested action. All requests are handled through the same API

Figure: Azure Resource Manager handling requests from different Azure tools
Azure Resource Management Template Overview
An ARM template can automate deployments and use the practice of infrastructure as code. The ARM template defines the infrastructure that needs to be deployed. Just like application code, you store the infrastructure code in a source repository and version it. An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your infrastructure and resources. It uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

Recommended Tools for creating ARM template
• Azure Portal
• Visual Studio Code
• Visual Studio
Microsoft VS Code
• VS Code has a plugin from Microsoft for ARM templates: “Azure Resource Manager (ARM) Tools”
  • Color coding
  • Mouse over help for some elements
  • Highlight formatting errors
  • Template outline
Why ARM template?

• Declarative Syntax
• Repeatable results
• Orchestration
• Built-in validation
• Modular Files
• Policy as code
• Deployment Blueprints
• CI/CD Integration
• Exportable Code
• Tracked Deployments
Structure and syntax of ARM template

Template File Sections
Reference

• Parameters: Provide values during deployment that allow the same template to be used with different environments
• Variables: Define values that are reused in your templates. They can be constructed from parameter values
• User defined functions: Create customized functions that simplify your template
• Resources: Specify the resources to deploy
• Outputs: Return values from the deployed resources
Template Format
In its simplest structure, a template has the following elements (Type – Required – Function):

• $schema – Yes – Location of the JSON schema file that describes the version of the template language
• contentVersion – Yes – You can provide any value for this element
• apiProfile – No (optional) – An API version that serves as a collection of API versions for resource types
• parameters – No (optional) – Values that are provided as inputs when deployment is executed to customize resource deployment
• variables – No (optional) – Values used as JSON fragments in the template to simplify template language expressions
• functions – No (optional) – User-defined functions that are available within the template
• resources – Yes – Resource types that are deployed or updated in a resource group or subscription
• outputs – No (optional) – Values that are returned after deployment
$schema, contentVersion, and apiProfile
Example (image)

• $schema: Specifies the location of the JSON schema file. The schema file describes the properties that are available within a template.
• contentVersion: Specifies the version of the template (such as 1.0.0.0). You can provide any value for this element. Use this value to document significant changes in your template
• apiProfile: An API version that serves as a collection of API versions for resource types

parameters
Example (image)

parameters: Values that are provided when deployment is executed to customize resource deployment

variables
Example (image)

variables: Values used as JSON fragments in the template to simplify template language expressions

Resources
Example (image)

resources: Resource types that are deployed or updated in a resource group or subscription
ARM template references and resource IDs

ARM template reference
Useful when composing templates

How do you know what elements to include when creating a resource with an ARM template?

Azure Reference: https://docs.microsoft.com/en-us/azure/templates/

Compute
• Virtual machines
• Availability sets
• Disks
• Image
• VM scale sets
• + more

Network
• Virtual Networks
• Subnets
• Public IP Addresses
• Route Tables
• Network Security Groups
• + more
Resource IDs
• Resources in Azure are identified by a resource id.
• Often a resource definition includes the ids of other resources.
• They’re long and cumbersome to compose manually in a template
• Azure provides a resourceId() function

The general format:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}

An Example:
/subscriptions/c1234567-89012-1234-5678-91bcdef0123456/resourceGroups/ourteam-rg/providers/Microsoft.Network/networkInterfaces/mynic

Azure provides a convenient resourceId() function to make it easier to supply the resource id when needed:
"id": "[resourceId('Microsoft.Network/networkInterfaces', 'mynic')]"
Order of resource deployment

Order of Resource deployment in an ARM template
• By default Azure Resource Manager will attempt to deploy resources in parallel; however, many resources are dependent upon other resources. Without defined dependencies there can be intermittent deployment failures.
• Explicitly define dependencies with the dependsOn property in a resource.
• Alternatively, a resource that uses a reference() function will automatically be dependent upon its reference.
• dependsOn statements that point to conditionally deployed resources will consider a “don’t deploy” decision on that resource to be a satisfied dependency.

Example:
• The Virtual Machine deployment is dependent upon its NICs being created in advance as well as upon a storage account creation.
• The NICs themselves were dependent upon the Network and Subnet creations.
ARM template Example
Deploy Azure Infrastructure and NGFWv using an ARM template

Diagram: vNET 10.0.0.0/16 with subnets mgmt 10.0.1.0/24, diag 10.0.2.0/24, Inside 10.0.3.0/24 and Outside 10.0.2.0/24; Internet Users reach the External LB; FW01 and FW02 NGFWv sit behind a Standard ILB (VIP1) with HA Port for Internet traffic.

Inside-UDR
Destination – Next Hop
Default/Internet – ILB VIP1 (10.0.3.100)

Outside-UDR
Destination – Next Hop
Default/Internet – 10.0.2.1

ARM template: Link
Example Template
Template header
• $schema
• contentVersion
• no parameters
• no variables
• The beginning of the resource list []

Example Template
First two resources are route tables
Type: Microsoft.Network/routeTables
• Name: inside-rt and outside-rt
• API-Version: “2019-09-01”
• Location: derived by function
• And a route in each routing table points to FTD

Example Template
Virtual Network
Type: Microsoft.Network/virtualNetworks
• Dependencies declared on route tables
• Vnet CIDR block 10.0.0.0/16
• Subnet names and prefixes
• Routing table associations for 2 subnets

Example Template
Availability Set
Type: Microsoft.Compute/availabilitySets
• Name = NGFWvAVS
• 2 fault domains: a single failure can only take out 1 fault domain
• 5 update domains: Microsoft will only perform maintenance on 1 update domain at a time.

Example Template
Public IP address
Type: Microsoft.Network/publicIPAddresses
• Name = ngfwv-elb-ip
• Sku = standard
• Static address – not reselected at each boot
• DNS name will be ngfwv-elb-ip
• Idle time = 30 minutes for connections that use this public ip

Example Template
Network Security Group
Type: Microsoft.Network/networkSecurityGroups
• Name = MGMT-SG
• Security rules: one of many
• This one allows HTTPS

Example Template
Network Interface
Type: Microsoft.Network/networkInterfaces
• Named
• Dependencies are declared
• Given static ip of 10.0.0.10
• Attached to a subnet
• Associated with a specific public IP
• Attached to a Network Security Group
• Ip forwarding enabled (enables through traffic)

Example Template breakdown
Load Balancer (1 of 3)
Type: Microsoft.Network/loadBalancers
• Resource is Named
• SKU
• Given a public IP
• The front-end config is given a name

Example Template breakdown
Load Balancer (2 of 3)
Type: Microsoft.Network/loadBalancers
• Backend pool definition
• Load balancing rule definition
  • link to FrontEndIP (the public IP)
  • link to the backend address pool
  • link to probe (defined later)
• Definition of the traffic to select and how to forward it

Example Template breakdown
Load Balancer (3 of 3)
Type: Microsoft.Network/loadBalancers
The Probe definition
• protocol
• port
• probe interval
• Number of failed probes that constitute a failed backend pool member

Example Template breakdown
Revisit Network Interface – now with Load Balancer attachment
Type: Microsoft.Network/networkInterfaces
• Assignment of VMs to backend pools is done at the VM (via the NIC).
• Load Balancer Backend Pool is assigned

Example Template breakdown
NGFWv (1 of 4)
Type: Microsoft.Compute/virtualMachines
• Plan – required for deploying from a marketplace image
• Dependencies defined

Example Template breakdown
NGFWv (2 of 4)
Type: Microsoft.Compute/virtualMachines
• Vm Size
• osProfile
  • id and password required (can’t be admin)
  • customData = day0 config
• storageProfile
  • Points to marketplace offer / version
  • osDisk – no specific disk specified so it will be given an azure “managed disk”

Example Template breakdown
NGFWv (3 of 4)
Type: Microsoft.Compute/virtualMachines
• Nics are attached – order matters here
  • 1st will be Management0/0
  • 2nd will be Diagnostic0/0
  • 3rd will be GigabitEthernet0/0
  • 4th will be GigabitEthernet0/1
Example Template breakdown
NGFWv (4 of 4)

Type: Microsoft.Compute/virtualMachines

Optional diagnostics disk.
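The virtualMachines resource from the four NGFWv slides, as an added example that is not the session's template: the marketplace plan, osProfile with a base64-encoded day0 configuration, a managed OS disk created from the marketplace image, the four NICs in the order that maps them to firewall interfaces, and the optional boot diagnostics. Parameter names, NIC and storage account names, and the choice of outside as the third NIC are assumptions; the publisher/offer/sku values are passed in as parameters because they must match the marketplace listing exactly.

```json
{
  "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2019-07-01",
  "name": "fw01", "location": "[resourceGroup().location]",
  // plan is mandatory for a marketplace image and must repeat the listing's sku/publisher/offer
  "plan": { "name": "[parameters('imageSku')]", "publisher": "[parameters('imagePublisher')]", "product": "[parameters('imageOffer')]" },
  "dependsOn": [   // the VM is created only after every NIC and the availability set exist
    "[resourceId('Microsoft.Compute/availabilitySets', 'fw-avset')]",
    "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-mgmt-nic')]",
    "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-diag-nic')]",
    "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-outside-nic')]",
    "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-inside-nic')]"
  ],
  "properties": {
    "availabilitySet": { "id": "[resourceId('Microsoft.Compute/availabilitySets', 'fw-avset')]" },
    "hardwareProfile": { "vmSize": "[parameters('vmSize')]" },   // D3, D3v2, D4v2 or D5v2, taken from the user
    "osProfile": {
      "computerName": "fw01",
      "adminUsername": "[parameters('adminUsername')]",   // Azure rejects reserved names such as admin
      "adminPassword": "[parameters('adminPassword')]",   // expected to be a securestring parameter
      // customData carries the day0 configuration; Azure needs it base64 encoded, which base64() does at deploy time
      "customData": "[base64(parameters('day0Config'))]"
    },
    "storageProfile": {
      "imageReference": { "publisher": "[parameters('imagePublisher')]", "offer": "[parameters('imageOffer')]",
                          "sku": "[parameters('imageSku')]", "version": "[parameters('imageVersion')]" },
      // no disk URI is given, so Azure creates a managed disk from the image
      "osDisk": { "createOption": "FromImage", "managedDisk": { "storageAccountType": "Standard_LRS" } }
    },
    "networkProfile": {
      // Array order is what maps NICs to firewall interfaces:
      // 1st Management0/0, 2nd Diagnostic0/0, 3rd GigabitEthernet0/0, 4th GigabitEthernet0/1
      "networkInterfaces": [
        { "id": "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-mgmt-nic')]",    "properties": { "primary": true } },
        { "id": "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-diag-nic')]",    "properties": { "primary": false } },
        { "id": "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-outside-nic')]", "properties": { "primary": false } },
        { "id": "[resourceId('Microsoft.Network/networkInterfaces', 'fw01-inside-nic')]",  "properties": { "primary": false } }
      ]
    },
    // optional: boot diagnostics written to an existing storage account (assumed parameter name)
    "diagnosticsProfile": { "bootDiagnostics": { "enabled": true,
      "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('diagStorageAccountName')), '2019-06-01').primaryEndpoints.blob]" } }
  }
}
```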
Demo - Deploy Azure Infrastructure and NGFWv using ARM template
Deploy Azure Infrastructure and NGFWv using an ARM template

Topology (diagram):
• vNET 10.0.0.0/16 with subnets mgmt 10.0.1.0/24, diag 10.0.2.0/24, Inside 10.0.3.0/24, Outside 10.0.2.0/24
• FW01 and FW02 (NGFWv) in an Availability Set
• Standard ILB (VIP1, HA Port) on the Inside side, facing the Internet Users; External LB (Internet traffic) on the Outside side, facing the Internet

Route tables:
Inside-rt: Destination Default/Internet → Next Hop ILB VIP1 (10.0.3.100)
Outside-rt: Destination Default/Internet → Next Hop 10.0.2.1

ARM template: Link
Best Practices for using ARM templates
Best practices for using ARM templates

Use marketplace image
NGFWv & ASAv can be deployed using a private image or an Azure marketplace image; the recommendation is to use the marketplace image.

Specify Instance Size (D3, D3v2, D4v2, D5v2)
While deploying NGFWv or ASAv in Azure, always design an ARM template to accept the instance size as an input from the user.

Specify License (BYOL or PAYG)
Specify BYOL or PAYG license information in an ARM template.
Best practices for using ARM templates (cont.)

Automate Deployments
This is also known as Infrastructure as Code. Applying CD enables you to develop your infrastructure in a repeatable and reusable way, and you can reuse your ARM templates across multiple teams by applying practices.

Use linked ARM templates
Linked ARM templates enable you to link from one template to another template. Linking templates enables you to decompose your templates into purpose-specific reusable parts.

Test every template and automate it
Testing your templates helps you to maintain your quality. Run the tests on each new version to see whether the ARM templates are working.
Best practices for using ARM templates (cont.)

Minimize number of parameters
Make the number of parameters the smallest set possible. This way you keep the input of your templates small, and changes that can cause misconfiguration become less likely.

Use output parameters
Use output to track the progress of the resource deployment; this enables a better deployment experience.

Make naming convention template
Always use a naming convention template to prevent duplicate code.
Best practices for using ARM templates (cont.)

One deployment per resource group
An ARM template is executed on a single resource group by default. An application can be deployed to multiple resource groups. Each resource group has its own ARM template with resources.

Keep secrets out of your deployment parameters
If you have secrets like SSH keys, disk encryption keys, passwords, etc., best practice is to mask all secrets.

Default parameters
Don’t set default values for required input parameters or parameters that need to differ over environments.
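How the "keep secrets out of your deployment parameters" and "default parameters" points look in a template and its parameters file, as an added example that is not from the session: the password is a `securestring` with no default and is supplied by reference from Key Vault, so the plaintext never sits in source control or in the deployment history. Parameter names, the vault path placeholders and the secret name are assumptions; comments use the `//` form Azure Resource Manager accepts.

```json
// --- template (fw.json): parameters section; resources omitted ---
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",   // bump on every change so a deployment can be traced to a template version
  "parameters": {
    "vmSize": {
      "type": "string",          // required input: deliberately no defaultValue, the user must choose
      "allowedValues": [ "Standard_D3", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2" ],
      "metadata": { "description": "NGFWv instance size" }
    },
    "adminUsername": {
      "type": "string",
      "metadata": { "description": "Firewall admin user; Azure rejects reserved names such as admin" }
    },
    "adminPassword": {
      "type": "securestring",    // never echoed into deployment history, outputs or logs
      "metadata": { "description": "Firewall admin password; no defaultValue, differs per environment" }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",   // a derived default is fine: not a secret, not hard-coded per environment
      "metadata": { "description": "Region of the resource group" }
    }
  },
  "resources": []
}

// --- parameters file (fw.parameters.json): safe to keep in source control, it contains no secret ---
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmSize": { "value": "Standard_D3_v2" },
    "adminUsername": { "value": "fwadmin" },
    "adminPassword": {
      // Resource Manager fetches the secret from Key Vault at deployment time; the vault needs
      // enabledForTemplateDeployment and the deployer needs Microsoft.KeyVault/vaults/deploy/action
      "reference": {
        "keyVault": { "id": "/subscriptions/<subscription-id>/resourceGroups/<vault-rg>/providers/Microsoft.KeyVault/vaults/<vault-name>" },
        "secretName": "ngfwv-admin-password"
      }
    }
  }
}
```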
Best practices for using ARM templates (cont.)

Use complete deployment mode as much as possible
When deploying resources to a resource group, complete deployments will guarantee that the resources in the resource group are the same as in your source control.

Always use versioning
Always use a version in your template to track your deployment and upgrade.
Licensing
Smart Licensing for NGFWv and ASAv

Diagram: NGFWv (through FMC(v)) and ASAv reach Cisco Smart Licensing via (1) a direct connection, (2) an HTTP/HTTPS proxy, or (3) a Satellite connector.

Cisco® ASAv or FMCv sends and receives entitlement requests and responses from the smart backend through a direct Internet connection, HTTP/HTTPS proxy, or an on-premises satellite connector.

• Cisco ASA entitlements: ASAv model and strong encryption
• NGFWv through FMC entitlements: threat, malware, and URL services

Note: In NGFWv, Base features such as networking, firewall, and application visibility and control are enabled by default.
Licensing ASAv and NGFWv in Public Cloud
Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure

NGFW
• Base License: Firewall, AVC
• Term based: Threat, URL, AMP
• Azure: Bring your own license, Pay-G

ASA
• Standard License: Firewall, throughput
• AnyConnect Apex License: SSL, IPSEC
• Azure: Bring your own license

ASAv entitlement in Public Cloud
• AWS (ASAv10 & ASAv30): ASAv10 & ASAv30 entitlement (1G*, 250 (ASAv10) or 750 (ASAv30) VPN endpoints)
• Azure (ASAv30): ASAv5, ASAv10 & ASAv30 entitlement (100M (ASAv5), 1G* (ASAv10 or ASAv30), 50 (ASAv5), 250 (ASAv10) or 750 (ASAv30) VPN endpoints)

Note: No Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one-year TAC support from a listed partner: Purchase TAC Support

* Maximum throughput is measured with traffic under ideal conditions
Instance Cost in Azure
Link: Azure calculator

This is just an example; the actual cost of an instance depends on region, instance type and billing option (on-demand or upfront).
Resources
Additional Resources
Important Links and YouTube Channel

• TDM: Public Cloud TDMs
• YouTube: YouTube Channel
• Marketplace listing
  • NGFWv: NGFWv AWS BYOL
  • NGFWv: NGFWv AWS Annual
  • FMCv: FMCv AWS BYOL
  • FMCv: FMCv AWS Annual
  • NGFWv: NGFWv Azure BYOL
  • ASAv: ASAv Azure Standalone
  • ASAv (HA): ASAv Azure HA
• Template
  • ARM (NGFWv): ASAv template
  • ARM (ASAv): NGFWv template
  • ARM (NGFWv): NGFWv LB Sandwich
• Licensing
  • ASAv: ASAv Licensing
  • NGFWv: NGFWv Licensing
• Public Folder: Public Cloud Security

YouTube Channel: Link
Cisco Live Sessions on Public Cloud Security
NGFWv and ASAv (Breakout & Instructor Led Lab)

• BRKSEC-2064: NGFWv and ASAv in Public Cloud (AWS and Azure)
• LTRSEC-3052: Deploy NGFWv and ASAv in Public Cloud (AWS and Azure)
Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education

• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer
• Related sessions
• 1:1 meetings
Thank you
