
Firepower NGFW

Internet Edge
Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer
jefanell@cisco.com
BRKSEC-2050

#jefanell
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
About Your Speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organisation

Detroit, Michigan: my city was founded in 1701 by Antoine de la Mothe Cadillac (some French guy).
Important: Hidden Slide Alert

Look for the "For Your Reference" symbol in your PDFs. There is a tremendous amount of hidden content for you to use later (60+ slides).
Complete Your Online Session Evaluation

Today's Agenda
• Firepower Software & Platforms
• ASA & Firepower NGFW Platforms
• Management Options
• Cisco & 3rd Party Integration
• Deployment Use Cases
Firepower NGFW Software
Firepower Threat Defence
Cisco Collective Security Intelligence feeds a single integrated software image with:
• Network Firewall, Routing & Control
• Application Visibility & Control
• Network Profiling
• Identity-Based Policy Control
• Analytics & Automation
• Malware Protection
• Intrusion Prevention
• URL Filtering
• High Availability

Integrated Software - Single Management
What's New with Cisco NGFW and NGIPS
Cisco Next Generation Firewall
• Operational Simplicity: expanded set of security policies on FDM, the on-box manager; flexibility to manage local devices using the REST API
• Manageability: easy single-hop upgrade to 6.2.3, with minimised upgrade downtime
• Shared Threat Intelligence: IBM and Cisco collaboration
• Third-Party Recognition: Cisco NGFW and NGIPS recognised by analysts
• Performance: unmask threats with hardware-based SSL decryption; 3-5x throughput
Firepower Threat Defence

ASA with Firepower Services (full feature set, continuous feature migration to FTD):
• Firepower (L7): Threat-Centric NGIPS; AVC and URL Filtering for NGFW; Advanced Malware Protection
• ASA (L2-L4): L2-L4 Stateful Firewall; Scalable CGNAT, ACL, routing; Application inspection

Firepower Threat Defence: single converged OS (Firewall, URL, Visibility, Threats), managed by Firepower Management Centre (FMC)
ASA with FirePOWER Services (old "marketing" spelling!)
• ASA and FirePOWER module have independent configuration
• Full packet copy from ASA to the FirePOWER module
• Mid-flow pickup with policy re-evaluation
• Functional overlap; no AVC verdict on mid-flow pickup
• Single uplink queue
• IP-based load-balancing across FirePOWER instances (1, 2)
• HA/CCL between ASA 1 and ASA 2 with configuration/state replication
• Full ASA feature set
• Functionality vs performance: leaning toward the NGIPS use case
Firepower Threat Defence
• Advanced Inspection Modules ("Snort") with load-based distribution and multiple work queues
• Data Plane ("Lina") based on ASA software; packets stay in the Data Plane
• IP/TCP/UDP load-balancing
• HA/CCL between FTD 1 and FTD 2: configuration replication plus NGFW/NGIPS state replication
• Balanced functionality and performance: the true NGFW use case
Capabilities and Licensing Summary
Base License (Perpetual)
• User and App control policies
• TLS Decryption policies
Remote Access (Term or Perpetual)
• AnyConnect Base / Plus / Apex
• Must have export-control flag set on Smart License account!
URL License (Subscription)
• Web category / reputation policies
Threat License (Subscription)
• Intrusion Prevention System (IPS)
• Security Intelligence Feed Service
• Threat Intelligence Director
Malware License (Subscription)
• Advanced Malware Protection
• Threat Grid File Submissions
Firepower Management Center
• No license needed, included.
ASA & Firepower Platforms
Cisco NGFW Platforms (NGFW + IPS throughput)
• Firepower Threat Defence for ASA 5500-X: 250 Mb -> 1.75 Gb
• Firepower 2100 Series: 2 Gb -> 8 Gb
• Firepower 4100 Series: 10 Gb -> 24 Gb
• Firepower 9300: 24 Gb -> 53 Gb
• 4100/9300: up to 16x with clustering!

NGFW capabilities all managed by Firepower Management Centre
Software Support - Virtual Platforms
Support matrix (the per-cell checkmarks did not survive extraction) across Hyper-V, KVM, VMware, Amazon Web Services and Microsoft Azure for:
• ASAv
• Firepower NGIPSv (FTD)
• Firepower NGFWv (FTD)
Management Platform Options
Management Options
• On-box: Firepower Device Manager. Enables easy on-box management of common security and policy tasks.
• Centralised: Firepower Management Centre. Enables comprehensive security administration and automation of multiple appliances.
• On-box: ASDM with FirePOWER Services. Enables easy on-box migration and management of ASA with Firepower.
Firepower Management Centre
Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defence device
• Targeted for SMB market
• Designed for the Networking Security Administrator
• Simple & Intuitive
• Mutually exclusive from FMC
• CLI for troubleshooting
ASDM (managing FirePOWER Services)
3rd Party Integration
SNMP, Syslog, NetFlow or eStreamer
SNMP support for:
• Firepower NGFW Software
• FXOS / Chassis Manager (2100, 4100, 9300)
• Firepower Management Centre
Firepower NGFW also supports:
• NetFlow Security Event Logging
• Syslog (for all event types)
Syslog and eStreamer for Events
FTD Syslog & NetFlow
• Connection Logs: 5 tuple, NAT, Routing, VPN, IP, HA, sessions, other stateful features
FMC Syslog (optional)
• Health
• IPS (including Impact flags)
• Malware (network, retrospective)
• Discovery events (Host profiles, IOC, port, etc.)
eStreamer APIs
• Intrusion Events
• Intrusion Event Packet Data
• Intrusion Event Extra Data
• Malware Events
• File Events - SHA, SPERO
• Connection Logs and Security Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Connection Events (optional)
• URL categories
• Rule ids
• AMP endpoint detectors
• Sinkhole Metadata
• SSL
• Network Analysis, Discovery events
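The FTD data-plane syslog feed listed above (connection built/teardown and ACL denies) is what most third-party SIEM rules start from. As an added example, not Cisco code and not part of the deck, the Python below parses the three Lina message types 302013, 302014 and 106023 following their documented ASA/FTD layouts, rebuilds the connection table with real and NAT-mapped addresses, and flags an inside host whose denied flows touched several distinct destinations. The sample lines in SAMPLE_LOG are constructed; the initiator/responder orientation comment describes the ASA convention and should be checked against your own logs.

```python
"""Parse FTD/ASA data-plane (Lina) syslog connection events and summarise per initiating host.

Added example, not Cisco code. Message layouts follow the documented ASA/FTD
syslog IDs 302013 (built), 302014 (teardown) and 106023 (denied by access-group).
The lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

PREFIX = re.compile(r"%(?:ASA|FTD)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
ENDPOINT = r"(?P<{p}if>[^:\s]+):(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"
BUILT = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for " + ENDPOINT.format(p="a") + r" \((?P<amap>[\d.]+)/\d+\) "
    r"to " + ENDPOINT.format(p="b") + r" \((?P<bmap>[\d.]+)/\d+\)"
)
TEARDOWN = re.compile(
    r"Teardown (?:TCP|UDP) connection (?P<cid>\d+) for \S+ to \S+ "
    r"duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+)"
)
DENY = re.compile(
    r"Deny (?P<proto>\w+) src " + ENDPOINT.format(p="s") + r" dst " + ENDPOINT.format(p="d")
    + r" by access-group \"(?P<acl>[^\"]+)\""
)


@dataclass
class Connection:
    cid: int
    proto: str
    initiator: str          # real (pre-NAT) address of the host that opened the flow
    initiator_mapped: str   # initiator address after NAT, as seen on the far side
    responder: str
    responder_port: int
    nbytes: int = 0
    duration: str = ""


@dataclass
class HostSummary:
    connections: int = 0
    nbytes: int = 0
    denied: int = 0
    denied_peers: set = field(default_factory=set)


def parse_event(line):
    """Return (kind, match) for the three handled message IDs, else None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    body = m["body"]
    for msgid, kind, rx in (("302013", "built", BUILT), ("302014", "teardown", TEARDOWN),
                            ("106023", "deny", DENY)):
        if m["msgid"] == msgid:
            hit = rx.match(body)
            return (kind, hit) if hit else None
    return None


def parse_log(lines):
    """Build the connection table (by connection id) and the deny list."""
    conns, denies = {}, []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, m = ev
        if kind == "built":
            # ASA convention: the "for" endpoint is the lower-security (outside) side and
            # the "to" endpoint the higher-security side, whatever the direction. "outbound"
            # therefore means the "to" host initiated the flow. Verify against your logs.
            if m["direction"] == "outbound":
                init_ip, init_map, resp_ip, resp_port = m["bip"], m["bmap"], m["aip"], m["aport"]
            else:
                init_ip, init_map, resp_ip, resp_port = m["aip"], m["amap"], m["bip"], m["bport"]
            cid = int(m["cid"])
            conns[cid] = Connection(cid, m["proto"], init_ip, init_map, resp_ip, int(resp_port))
        elif kind == "teardown":
            c = conns.get(int(m["cid"]))
            if c:  # a teardown without its build (log gap) is ignored
                c.nbytes, c.duration = int(m["nbytes"]), m["duration"]
        else:
            denies.append((m["sip"], m["dip"], int(m["dport"]), m["acl"]))
    return conns, denies


def summarise(conns, denies):
    hosts = defaultdict(HostSummary)
    for c in conns.values():
        hosts[c.initiator].connections += 1
        hosts[c.initiator].nbytes += c.nbytes
    for sip, dip, dport, _acl in denies:
        hosts[sip].denied += 1
        hosts[sip].denied_peers.add((dip, dport))
    return hosts


def hosts_probing(hosts, min_peers=3):
    """Hosts whose denied flows touched >= min_peers distinct (dst, port) pairs: a cheap
    sweep / lateral-movement indicator drawn only from the data-plane log."""
    return sorted(ip for ip, h in hosts.items() if len(h.denied_peers) >= min_peers)


# Constructed sample: one outbound HTTPS flow, three denied SMB attempts, one inbound DMZ hit.
SAMPLE_LOG = """\
%FTD-6-302013: Built outbound TCP connection 12345 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.1.1.100/51234 (203.0.113.10/51234)
%FTD-6-302014: Teardown TCP connection 12345 for outside:93.184.216.34/443 to inside:10.1.1.100/51234 duration 0:00:05 bytes 4321 TCP FINs
%FTD-4-106023: Deny tcp src inside:10.1.1.100/51235 dst outside:198.51.100.7/445 by access-group "CSM_FW_ACL_" [0x0, 0x0]
%FTD-4-106023: Deny tcp src inside:10.1.1.100/51236 dst outside:198.51.100.8/445 by access-group "CSM_FW_ACL_" [0x0, 0x0]
%FTD-4-106023: Deny tcp src inside:10.1.1.100/51237 dst outside:198.51.100.9/445 by access-group "CSM_FW_ACL_" [0x0, 0x0]
%FTD-6-302013: Built inbound TCP connection 12346 for outside:198.51.100.20/40000 (198.51.100.20/40000) to dmz:172.16.5.10/443 (203.0.113.80/443)
""".splitlines()

if __name__ == "__main__":
    conns, denies = parse_log(SAMPLE_LOG)
    hosts = summarise(conns, denies)
    for ip, h in hosts.items():
        print(ip, h)
    print("probing:", hosts_probing(hosts))
```

The same regexes apply to ASA-prefixed lines, so the parser also covers the "ASA with FirePOWER Services" platform; only the message-ID prefix differs.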
IBM QRadar
Firepower App
• Firepower App - November
• Dashboard with 6 components
• Intrusion Events by Impact
• Indicators of Compromise
• Malware Sources
• Malware Recipients
• Malware hashes
Firepower App for QRadar
Dashboard components:
• Shows hosts that are potentially compromised
• Shows hosts that are known to be compromised
• Malware observed most often on my network
• Which hosts on my network have sent the most malware
• Intrusion events by 'Impact', or likelihood of an attack impacting the targeted system

Cisco eStreamer app for Splunk

LiveAction
Deployment Designs
Use Case: Internet Edge Firewall

Requirement
Connectivity and Availability Requirement:
• High Availability, ROUTED mode
• Firewall should support Routed or Transparent Mode

Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution
Security Application: Firepower Threat Defence application with FMC

Diagram: ISP / service provider to the Internet Edge, a firewall pair in HA with port-channel uplinks, fronting the DMZ network and the campus/private network.
Connectivity and Availability
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains; the firewall is the router and gateway for local hosts (diagram: 10.1.1.0/24 behind the firewall's 10.1.1.1, with NAT and DRP).
• Transparent Mode is where the firewall acts as a bridge functioning at L2 (diagram: host 192.168.1.100 on 192.168.1.0/24 with gateway 192.168.1.1 on the far side of the firewall).
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our 'best practice' data centre designs.
• Integrated Routing and Bridging (IRB) combines both modes. Helpful for grouping "switchports" in routed mode.
Link and Platform Redundancy Capabilities
Firewall Link Aggregation - High Availability - Clustering
• Link Redundancy: LACP (Link Aggregation Control Protocol) link redundancy
• Active / Standby HA: resiliency with link failures
• Inter-chassis Clustering: combine up to 16 9300 blades or 4100 chassis
FTD High Availability
• Full flow state replication with NGFW policy verdicts
• Active/Standby operation in all NGFW/NGIPS interface modes
• Interfaces are always up on standby, but any transit traffic is dropped
• MAC learning/spoofing on switchover in transparent NGFW, inline NGIPS
• GARP on switchover in routed NGFW
• Interface and Snort instance (at least 50%) status monitoring
• Zero-downtime upgrades for most applications
• Some packet loss is always expected with failover

Diagram: Active (A) and Standby (S) FTD joined by the HA link, each dual-homed to the upstream and downstream switch pairs via vPC.
Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6

Routing Protocol support
IPv4 and IPv6 advanced routing
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route
• Tunneled Route support for VPNs
• Reverse Route Injection for VPNs

• Multicast Routing
• IGMP
• PIM

• EIGRP via FlexConfig

Rate limiting Cloud File Sharing Traffic
QoS Policy is a new policy type with a separate policy table
Not associated with an Access Control Policy; directly associated with devices
FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Centre
• EIGRP Routing
• Policy Based Routing
• ISIS Routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BGP-BFD
• Platform Sysopt commands
• WCCP
FlexConfig Policies
• Device-level free form CLI policies that follow ASA syntax
• Supports pre-defined object templates and completely custom objects
• Natively managed feature commands are blacklisted
• Must push an object with negated commands to remove
• FlexConfig is only supported on a best-effort basis
• Assume no validation and no interoperability guarantees
• When in doubt, don't use it
• Use "Deploy Once"; "Everytime" is for interactions with managed features
• Always select Append rather than Prepend type
Security Requirements
• Identity Policy
• Decryption Policy (optional)
• IPS Policy (optional, use default)
• File (AMP) Policy
• Prefilter Policy (optional)
• Access Policy
• Security Intelligence Policy
• Threat Intelligence Director

Identity Requirements
Authentication and Authorisation

Identity Use Cases
• Associate traffic to users and devices (IoT etc)
• Access based on users, groups and TrustSec TAG

Method | Source | LDAP/AD | Authoritative?
Active | Forced authentication through device | LDAP and AD | yes
Passive | Identity and IP mapping from AD Agent | AD | yes
User Discovery | Username scraped from traffic, passive from the wire | LDAP and AD | no
User Discovery
• Deduces user identity by passively analysing network traffic
• Considered non-authoritative
• Cannot be used in access control policies
Active and Passive Authentication
• Passive authentication
• IP-to-user mappings are learned from ISE or Firepower User Agent
• Active authentication
• Also called captive portal
• Redirects user to HTTPS server running on the firewall
• User authenticates with username and password
• Identity policy
• Specifies what traffic requires active, passive or no authentication
• Attached to an access control policy

Passive Authentication
Cisco Firepower User Agent

• The agent monitors users when they log in and out of hosts
or authenticate with Active Directory credentials
• The User Agent does not report failed login attempts
• The agents associate users with IP addresses
• Can use one agent to monitor user activity
• Up to five Active Directory servers
• Send encrypted data to up to five Firepower Management Centres

Identity Services Engine Integration
Uses pxGrid protocol to retrieve:
• ISE username (can map to Active Directory)
• Device type profile & location
• TrustSec Scalable Group Tag (SGT)
• ISE-PIC provides username identity only
All ISE retrieved attributes can be used in:
• Access Policies
• Decryption Policies
• QoS Policies
• FMC has 64k user limit
• Mappings sent to all firewalls
Active Authentication (Captive Portal)
Captive Portal Use Cases
• Can be used for non-domain endpoints
• Enforces authentication through the browser
• Can augment passive authentication (Fall-back to Active feature)
• Various supported authentication types (Basic, NTLM, Kerberos, Form)
• Guest / Non Windows Device Authentication Support
• Multi-realm Support
Identity Policy based on Passive Authentication

Must create, attaches to Access Control Policy

Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)

TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles

ISE Remediation using pxGrid
TLS Decryption
Customer Use Case
• Protect the network from threats from remote TLS servers
• Called the outbound or unknown key case
• Example: Malware downloaded over HTTPS by users surfing
the web.
• Protect the network from attacks on internal TLS servers
• Called the inbound or known key case
• Example: Protect DMZ HTTPS servers from intrusion attacks

Challenges
• Inspection fails for some applications
• No end-user notifications unless traffic is decrypted
• Inspection fails for some client/server combinations
• Load on firewall creates throughput degradation
• Currently TLS is being performed in software
• TLS decryption will be in hardware (roadmap / release beta)

Best Practices
• Block TLS traffic without decrypting:
• Block URL categories
• Block Application (approx. 400 applications can be identified)
• Block based on certificate status, TLS version or cipher suite
• Use Replace Key Only feature
• Enable logging to help troubleshooting
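The "block without decrypting" advice above works because version, cipher suites and server name are all visible in the cleartext ClientHello, before any decryption cost is paid. As an added example, not Cisco code and not part of the deck, the Python below builds and parses a minimal TLS ClientHello and applies that pre-decryption check in the order the slide lists: TLS version, then cipher suite, then URL category. Cipher-suite and extension numbers are IANA registry values; CATEGORY_OF is a constructed stand-in for a URL category feed, and the hostnames are example domains.

```python
"""Decide 'block without decrypting' from the TLS ClientHello alone.

Added example, not Cisco code. Models the best practice of refusing a TLS
flow on version, cipher suite or URL category before spending decryption
cycles. CATEGORY_OF stands in for a URL category lookup (constructed).
"""
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
# RSA/NULL, RSA/RC4 and RSA/3DES suites: no forward secrecy and broken primitives.
LEGACY_CIPHERS = {0x0001, 0x0002, 0x0004, 0x0005, 0x000A}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(client_version, ciphers, sni, supported_versions=()):
    """Assemble a TLS record carrying a ClientHello (used here to produce test input)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type host_name(0)
    exts = _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(vers)) + vers)
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"  # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return client_version, offered cipher suites, SNI and supported_versions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                          # random
    pos += 1 + body[pos]                                               # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                               # compression methods
    sni, supported = None, []
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SNI and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and data:
                n = data[0]
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"client_version": client_version, "ciphers": ciphers, "sni": sni,
            "supported_versions": supported}


def tls_precheck(record, blocked_categories, category_of):
    """('block', reason) if the flow can be refused before decryption, else ('decrypt', None)."""
    h = parse_client_hello(record)
    # Ignore GREASE values and anything outside the real TLS range when picking the highest version.
    real = [v for v in h["supported_versions"] if 0x0300 <= v <= TLS13]
    highest = max(real) if real else h["client_version"]
    if highest < TLS12:
        return ("block", "tls-version")
    if h["ciphers"] and all(c in LEGACY_CIPHERS for c in h["ciphers"]):
        return ("block", "cipher-suite")
    category = category_of.get(h["sni"] or "", "uncategorised")
    if category in blocked_categories:
        return ("block", "url-category:" + category)
    return ("decrypt", None)


CATEGORY_OF = {"bad.example.org": "Malware Sites"}      # constructed stand-in for the category feed
BLOCKED = {"Malware Sites", "Phishing"}

MODERN = build_client_hello(TLS12, [0x1301, 0xC02F], "www.example.com", (TLS13, TLS12))
LEGACY = build_client_hello(0x0301, [0x0005, 0x000A], "legacy.example.net")
RC4_ONLY = build_client_hello(TLS12, [0x0005], "www.example.com")
BAD_SITE = build_client_hello(TLS12, [0x1301], "bad.example.org", (TLS13,))

if __name__ == "__main__":
    for name, rec in [("modern", MODERN), ("legacy", LEGACY), ("rc4", RC4_ONLY), ("bad", BAD_SITE)]:
        print(name, tls_precheck(rec, BLOCKED, CATEGORY_OF))
```

Only the MODERN hello reaches the decrypt stage; the other three are refused on the first packet, which is exactly the traffic the "Load on firewall creates throughput degradation" slide wants kept away from the decryption engine.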
Granular TLS Decrypt
Can specify by application, certificate fields / status, ciphers, etc.

Decrypt Cert required!

IPS Policy
Custom IPS Policy

What's in the Default IPS & Network Access Policies?
Connectivity Over Security
• Rules for vulnerabilities with CVSS score 10 from the last 2 years
• 499 rules
• 15 preprocessors enabled

Balanced Security and Connectivity
• Rules for vulnerabilities with CVSS score 9 or higher from the last 2 years
• 9250 rules
• 15 preprocessors enabled

Security Over Connectivity
• Rules for vulnerabilities with CVSS score 8 or higher from the last 3 years
• 12706 rules
• 17 preprocessors enabled
Malware and File Analysis
Attached to Access Policy

Prefilter & Access Policies
Prefilter Policy (Optional) - Based on L2-L4 Flow Attributes
• First access control phase in the Data Plane for each new flow
• Block: Deny the flow without any further processing
• Fastpath: Allow and process entirely in the Data Plane, attempt Flow Offload
• Analyse: Pass for evaluation in the main Access Policy, optionally assign a tunnel zone
• Use correctly: not a "high performance" substitute for NGFW policies
• Limited early IP blacklisting
• Tunneled traffic inspection
• Allowing high-bandwidth and low-latency trusted flows (Flow Offload)
Access Policy - Based on Layer 2 - Layer 7 Flow Attributes
• Primary access control phase in Snort
• Block [with reset]: Deny connection [and TCP RST]
• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
• Monitor: Log event and continue policy evaluation
• Trust: Push all subsequent flow processing into the Data Plane only
• Allow: Permit connection to go through NGIPS/File inspection
• Appropriate place for implementing NGFW policy rules
• Full NGFW traffic selection criteria
• Decisions may need multiple packets
Access Control Policy Blocking Example

Security Intelligence Policies
Network & URL-Based Security Intelligence
• Block traffic to IP addresses and URLs with bad reputation
• TALOS dynamic feed, 3rd party feeds
• Multiple Actions: Allow, Monitor, Block, Interactive Block, ...
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware matches
• Black/White-list IP / URL with one click
• Blocked traffic not subject to additional inspection. Logged separately!
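The Prefilter, Access Policy and Security Intelligence slides above describe one evaluation order for a new flow: Prefilter in the data plane, then Security Intelligence, then the access control rules top-down, then the default action. As an added example, not Cisco code and not part of the deck, the Python below models that order with small rule classes so the consequences the slides state can be exercised: a Fastpath or Prefilter Block never reaches Snort, an SI Block is logged separately and skips every later phase, SI Monitor and ACP Monitor log and continue, Trust skips NGIPS/file inspection, Allow goes on to it. Zones are omitted; the networks, application names and flows are constructed.

```python
"""Model of FTD's per-flow decision order: Prefilter -> Security Intelligence -> Access rules -> default.

Added example, not Cisco code. Rule classes, networks, application names and
flows are constructed; outcomes encode only what the slides state.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None      # known only after Snort has seen enough packets


def _in(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)


def _any_or_in(addr, nets):
    return not nets or _in(addr, nets)    # an empty list in a rule means "any"


@dataclass
class PrefilterRule:
    action: str                    # block | fastpath | analyze
    src: List[str] = field(default_factory=list)
    dst: List[str] = field(default_factory=list)
    dports: List[int] = field(default_factory=list)

    def matches(self, f):
        return (_any_or_in(f.src, self.src) and _any_or_in(f.dst, self.dst)
                and (not self.dports or f.dport in self.dports))


@dataclass
class AccessRule:
    name: str
    action: str                    # block | block_reset | interactive_block | monitor | trust | allow
    src: List[str] = field(default_factory=list)
    dst: List[str] = field(default_factory=list)
    apps: List[str] = field(default_factory=list)

    def matches(self, f):
        return (_any_or_in(f.src, self.src) and _any_or_in(f.dst, self.dst)
                and (not self.apps or f.app in self.apps))


@dataclass
class Policy:
    prefilter: List[PrefilterRule]
    si_block: List[str]            # network Security Intelligence black-list
    si_monitor: List[str]
    rules: List[AccessRule]
    default_action: str = "block"  # block | allow


def evaluate(policy, flow):
    """Return which phase decided the flow, the action, whether deep inspection runs, and what was logged."""
    log = []
    for r in policy.prefilter:                                   # 1. data plane, L2-L4 only
        if r.matches(flow):
            if r.action in ("block", "fastpath"):
                return {"phase": "prefilter", "action": r.action, "inspected": False, "log": log}
            break                                                # analyze: hand the flow to Snort
    if _in(flow.src, policy.si_block) or _in(flow.dst, policy.si_block):   # 2. Security Intelligence
        log.append("si-block")                                   # logged separately, no further inspection
        return {"phase": "security-intelligence", "action": "block", "inspected": False, "log": log}
    if _in(flow.src, policy.si_monitor) or _in(flow.dst, policy.si_monitor):
        log.append("si-monitor")                                 # logged, evaluation continues
    for r in policy.rules:                                       # 3. access control rules, top-down
        if not r.matches(flow):
            continue
        if r.action == "monitor":
            log.append("monitor:" + r.name)
            continue
        inspected = r.action == "allow"                          # trust: no NGIPS / file inspection
        return {"phase": "access-rule:" + r.name, "action": r.action, "inspected": inspected, "log": log}
    return {"phase": "default", "action": policy.default_action,   # 4. default action
            "inspected": policy.default_action == "allow", "log": log}


# Constructed policy for an Internet edge with a DMZ.
POLICY = Policy(
    prefilter=[
        PrefilterRule("fastpath", src=["10.9.0.0/16"], dst=["10.9.0.0/16"]),  # trusted backup traffic
        PrefilterRule("block", dst=["10.1.1.0/24"], dports=[23]),            # telnet into the LAN
        PrefilterRule("analyze"),
    ],
    si_block=["198.51.100.0/24"],          # stand-in for a Talos CnC / Attacker feed
    si_monitor=["203.0.113.0/24"],
    rules=[
        AccessRule("log-dmz-web", "monitor", dst=["172.16.5.0/24"]),
        AccessRule("no-p2p", "block_reset", apps=["BitTorrent"]),
        AccessRule("trust-voice", "trust", apps=["RTP"]),
        AccessRule("lan-to-internet", "allow", src=["10.1.1.0/24"]),
    ],
)

if __name__ == "__main__":
    for f in (Flow("10.9.1.5", "10.9.2.5", "tcp", 9000), Flow("10.1.1.20", "198.51.100.9", "tcp", 443),
              Flow("10.1.1.20", "172.16.5.10", "tcp", 443, app="HTTPS")):
        print(f, "->", evaluate(POLICY, f))
```

Note that the app-based rules can only match once Snort has identified the application, which is the "decisions may need multiple packets" point on the Access Policy slide; a flow whose app is still unknown falls through those rules.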
Security Intelligence Network & URL Categories

Category | Description
Attacker | Active scanners and blacklisted hosts known for outbound malicious activity
Malware | Sites that host malware binaries or exploit kits
Phishing | Sites that host phishing pages
Spam | Mail hosts that are known for sending spam
Bots | Sites that host binary malware droppers
CnC | Sites that host command and control servers for botnets
Open Proxy | Open proxies that allow anonymous web browsing
Open Relay | Open mail relays that are known to be used for spam
Tor Exit Node | Tor exit nodes
Bogon | Bogon networks and unallocated IP addresses
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
Additional Categories for DNS Security Intelligence Feeds
Same categories as Network and URL feeds plus the following:

Category | Description
DGA | Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers
Exploit Kit | Software kit designed to identify software vulnerabilities in client machines
Response | A list of IPs / URLs which seem to be actively participating in malicious / suspicious activity
Suspicious | Files that appear to be suspicious and have characteristics that resemble known malware
Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources
Branch Firewall Use Cases
Site to Site and Remote Access VPN
Branch Use Case: WAN Edge Firewall with Direct Internet Access

Requirement
Connectivity and Availability Requirement:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN

Routing Requirements:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution
Security Application: Firepower Threat Defence application with FMC

Diagram: branch NGFW with an "Outside" interface to the Internet Edge (VPN tunnel to the hub), an "MPLS" interface running OSPF to the MPLS WAN, and an "Inside" interface to the Local Area Network.
Ordered Steps for Remote Site Configuration
• Create Shared Access Policy
• Add firewalls to management console
• Configure Interfaces and static routes on each firewall
• Configure dynamic routing for dedicated WAN (optional)
• Configure Shared VPN Policy
• Deploy policies
• Re-address firewalls for remote

Headquarters and Branch NGFW Example
Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other
Adding Firewall to Firepower Management Centre
• Host = Out of band management IP
• Must be reachable by FMC
• Can add with temporary "staging" IP if the "NAT ID" field is used (don't forget this!)
• Device can be set to "offline" in FMC: Devices -> Device Management -> Device TAB -> Management
Branch NGFW Use Case - Interface Configuration
Outside / Inside / MPLS Interfaces configuration (Static IP)
• Can have dual MPLS and multiple inside interfaces / LAN segments
Headquarters and Branch NGFW Example
HUB (Headquarters) Static Routes:
• Note “floating static routes” for all remote branch subnets to Internet gateway!

Headquarters and Branch NGFW Example
HQ & Branch OSPF Routing Configuration for MPLS:
• Redistributing ”connected” and “static” routes to OSPF

Headquarters and Branch NGFW Example
Single Hub & Spoke Site to Site VPN Configuration
• Static ”outside” IP Addresses on HUB and all Spoke firewalls

Headquarters and Branch NGFW Example
Create Hub and Spoke IKEv2 VPN Topology with all default settings
• DISABLE Reverse Route Injection on IPSec Tab or OSPF routes are ignored

Headquarters and Branch NGFW Example
Dynamic Endpoint option for sites with DHCP Outside Interface
• Set Crypto Map type to Dynamic in IPSec Tab. Hub + Spokes as Bi-directional

Headquarters and Branch NGFW Example
Best Practice: Disable Health Monitoring Interface Warnings
• Will prevent FMC warnings when no traffic seen on an interface

Deploy Configurations To All Firewalls
• FTD configurations are pushed to firewalls via the "sftunnel" secure communications channel on the management interface
• After configuration deployment, the management interface address can be changed for the target site
Manually Changing FTD Management IP Address
Information
Serial console connection to the firewall is easiest (can also be done via SSH):
• configure network ipv4 manual <IP> <MASK> <GW>

Both IPv4 and IPv6 management addresses may be configured and used for SSH to the firewall.

Only IPv4 -or- IPv6 will be used for SFTUNNEL communication to Firepower Management Centre.
Bring Spoke Firewalls Online
After connecting interface cables, the firewall should come online (verify ICMP ping to the next hop on all interfaces).
If there is no dedicated WAN, the spoke VPN tunnel should immediately come up.
Optional: verify with "show crypto ipsec sa" via CLI.
Headquarters and Branch NGFW Example
Best Practice: Use of Groups in FMC for organisation
• GREEN status bubble indicates firewall is online and reachable from FMC
• Same policy sets applied to all branch firewalls

Headquarters and Branch NGFW Example
Benefits and Caveats
• OSPF routes from the private WAN will always be preferred
• Routing "failover" time to the VPN tunnel will depend upon OSPF Hello & Dead Interval values (must use FlexConfig to change)
• Spoke-to-spoke traffic will transit the VPN hub for sites with WAN down (only for static IP spokes!)
• Use the dynamic spoke option for DHCP addressed sites
• Static spoke supports tunnel creation from hub or spoke
• Add a "VPN only" network route to keep tunnels forced up
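The "floating static routes" slide and the "OSPF routes from the private WAN will always be preferred" caveat above both rest on the same forwarding rule: longest prefix match first, then lowest administrative distance. As an added example, not Cisco code and not part of the deck, the Python below implements that selection for a constructed HQ routing table (connected LAN, static default to the Internet gateway, the branch prefix learned by OSPF over MPLS, and the floating static for the same prefix) and shows the branch traffic moving to the Internet gateway only when the OSPF route is withdrawn. Administrative distances are the usual Cisco defaults (connected 0, static 1, OSPF 110); the floating static uses a hand-set 254; prefixes and next hops are constructed.

```python
"""Longest-prefix match, then administrative distance: floating static route behaviour.

Added example, not Cisco code. Prefixes and next hops are constructed; ADs are
the usual Cisco defaults, and the floating static is given AD 254 by hand so it
loses to the OSPF route while that route exists.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[str]
    source: str
    ad: int
    interface: str


class Rib:
    def __init__(self):
        self._routes = []

    def add(self, prefix, next_hop, source, interface, ad=None):
        r = Route(ip_network(prefix), next_hop, source,
                  DEFAULT_AD[source] if ad is None else ad, interface)
        self._routes.append(r)
        return r

    def withdraw(self, prefix, source):
        """Drop every route for prefix learned from source (e.g. the OSPF neighbour went dead)."""
        net = ip_network(prefix)
        self._routes = [r for r in self._routes if not (r.prefix == net and r.source == source)]

    def lookup(self, dst):
        """Best route for dst: longest prefix first, lowest AD as the tie-breaker."""
        addr = ip_address(dst)
        candidates = [r for r in self._routes if addr in r.prefix]
        if not candidates:
            return None
        longest = max(r.prefix.prefixlen for r in candidates)
        return min((r for r in candidates if r.prefix.prefixlen == longest), key=lambda r: r.ad)


def hub_rib():
    """HQ firewall: branch 10.20.0.0/24 via OSPF over MPLS, floating static toward the Internet (VPN)."""
    rib = Rib()
    rib.add("10.1.0.0/16", None, "connected", "inside")
    rib.add("0.0.0.0/0", "203.0.113.1", "static", "outside")               # Internet gateway
    rib.add("10.20.0.0/24", "172.16.0.2", "ospf", "mpls")                   # learned from the branch
    rib.add("10.20.0.0/24", "203.0.113.1", "static", "outside", ad=254)    # floating static
    return rib


def egress_for(rib, dst):
    r = rib.lookup(dst)
    return (r.interface, r.source) if r else None


if __name__ == "__main__":
    rib = hub_rib()
    print("MPLS up:  ", egress_for(rib, "10.20.0.50"))
    rib.withdraw("10.20.0.0/24", "ospf")          # Dead Interval expired: OSPF route gone
    print("MPLS down:", egress_for(rib, "10.20.0.50"))
```

The withdraw step is where the OSPF Hello/Dead interval matters: until the neighbour is declared dead the OSPF route stays installed and the floating static never wins, which is the failover delay the caveat slide describes.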
Remote Access VPN for Roaming User
Secure access using Firepower
• Secure SSL/IPsec AnyConnect access to corporate network
• Support for Split Tunnelling or Backhauling to handle traffic from remote users to the Internet
• AMP and File inspection Policy to monitor roaming user data
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data
• Monitoring and Troubleshooting to monitor remote access activity, and a simplified tool for troubleshooting

Diagram: roaming user via ISP to the Internet Edge, terminating on an FP2100 pair in HA in front of the campus/private network.
Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
• No clientless VPN support (client download only)
• No legacy Cisco IPsec IKEv1 client support
• No Dynamic Access Policies
Firepower AnyConnect Remote Access
Before You Start Wizard:
1. Configure Realm or RADIUS Server Group for authentication
2. Upload AnyConnect package(s) (can pull from Cisco during wizard)
3. Have Firepower device interfaces and routing configured
4. Install Self-Signed Certificate or enroll device with public CA
Firepower AnyConnect Remote Access
Configuration Wizard Steps:
1. (Group) Policy Assignment
2. Connection Profile Creation
3. AnyConnect package selection
4. Access & Certificates

Firepower AnyConnect Remote Access
Connection Profile:
1. Name (mandatory)
2. Authentication Method (AAA = username + password)
3. IPv4 / IPv6 Address Pool(s)
4. Group Policy Selection (can use default)
Firepower AnyConnect Remote Access
AnyConnect client software selection:
• Upload from your workstation
• Download from Cisco.com using Wizard (need CCO credentials)

Firepower AnyConnect Remote Access
Interface Selection & Certificate:
1. Choose Interface / Zone
2. Choose Interface Identity Certificate
3. Optional: Create Self-Signed Certificate
4. Can also enroll device in public Certificate Authority (*best practice)
Firepower AnyConnect Remote Access
• Configuration Summary
• Recommended Next Steps

Firepower AnyConnect Remote Access
Don't forget!
1. Allow VPN traffic from the Outside zone in your Access Policy!
2. Exempt traffic to and from your VPN subnet from NAT!
3. Disable proxy ARP in your NAT Exempt rule
Firepower Threat Defence Summary
Powerful Threat Defence Capabilities - Flexible Deployment - Robust NGFW Feature set - Unified Management
• Internet Edge and Branch WAN Platform
• Advanced Site to Site VPN and routing protocol support
• AnyConnect Remote Access
Q&A
Complete Your Online
Session Evaluation
• Give us your feedback and
receive a Cisco Live 2018 Cap
by completing the overall event
evaluation and 5 session
evaluations.
• All evaluations can be completed
via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be
available for viewing on demand after the
event at www.CiscoLive.com/Global.

Continue Your Education
• Demos on the Cisco stand
• Walk-in Self-Paced Labs
• Meet the Expert 1:1 meetings
• Related sessions

Thank you
