Internet Edge Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer
jefanell@cisco.com
BRKSEC-2050
#jefanell
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
About Your Speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organisation
BRKSEC-2050
Detroit, Michigan
Important: Hidden Slide Alert
Complete Your Online Session Evaluation
Today’s Agenda
• Firepower Software & Platforms
• ASA & Firepower NGFW Platforms
• Management Options
• Cisco & 3rd Party Integration
• Deployment Use Cases
Firepower NGFW Software
Firepower Threat Defence
[Slide diagram: Firepower Threat Defence capabilities, built on Cisco Collective Security Intelligence]
• Malware Protection
• Intrusion Prevention
• URL Filtering
• High Availability
• Analytics & Automation
• Network Firewall and Routing
• Application Visibility & Control
• Network Profiling
• Identity-Based Policy Control
What’s New with Cisco NGFW and NGIPS
Cisco Next Generation Firewall
• Operational Simplicity: expanded set of security policies on FDM, the on-box manager; flexibility to manage local devices using the REST API
• Manageability: easy single-hop upgrade to 6.2.3, with minimised upgrade downtime
• Shared Threat Intelligence: IBM and Cisco collaboration
• Performance: unmask threats with hardware-based SSL decryption; performance of 3-5x throughput
• Third-Party Recognition: Cisco NGFW and NGIPS recognised by analysts
Firepower Threat Defence
ASA with FirePOWER Services (old ”marketing” spelling!)
[Slide diagram: ASA 1 and ASA 2 in HA/CCL, each with its own FirePOWER module]
• Independent Configuration
• Full Packet Copy
• Mid-Flow Pickup w/Policy Reevaluation
• Functional Overlap
• No AVC Verdict on Mid-Flow Pickup
• HA/CCL: Configuration/State Replication
• Full ASA Feature Set
• Functionality vs Performance
• Leaning toward NGIPS use case
Firepower Threat Defence
[Slide diagram: two FTD units in HA/CCL, each running Advanced Inspection Modules (“Snort”)]
• Load-Based Distribution
• Multiple Work Queues
• IP/TCP/UDP Load-Balancing
• HA/CCL: Configuration Replication, NGFW/NGIPS State Replication
ASA & Firepower Platforms
Cisco NGFW Platforms
Firepower Threat Defence for:
• ASA 5500-X
• Firepower 2100 Series
• Firepower 4100 Series and Firepower 9300 (up to 16x with clustering!)
Software Support - Virtual Platforms
• Hyper-V
• KVM
• VMware
• Amazon Web Services
• Microsoft Azure
ASAv
Management Platform Options
Management Options (slide diagram: On-box / Centralised / On-box)
• Firepower Management Centre (centralised)
• Firepower Device Manager (on-box)
• ASDM (on-box, managing FirePOWER Services)
3rd Party Integration
Syslog and eStreamer for Events
FTD Syslog & NetFlow:
• Connection Logs: 5 tuple, NAT, Routing, VPN, IP
• HA
• sessions
• other stateful features
FMC Syslog (optional):
• Intrusion Events
• Malware Events
• Health
• IPS (including Impact flags)
• Malware (network, retrospective)
• Discovery events (Host profiles, IOC, port, etc.)
eStreamer APIs:
• Intrusion Events
• Intrusion Event Packet Data
• Intrusion Event Extra Data
• File Events: SHA, SPERO
• Connection Logs and Security Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Connection Events (optional)
• URL categories
• Rule ids
• AMP endpoint detectors
• Sinkhole Metadata
• SSL
• Network Analysis, Discovery events
IBM QRadar Firepower App
Firepower App for QRadar
• Which hosts on my network have sent the most malware
• Intrusion events by ‘Impact’ or likelihood of an attack impacting the targeted system
Cisco eStreamer app for Splunk
LiveAction
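The two SIEM questions above (most malware sent per host, intrusion events ranked by Impact) can be answered from the event feeds listed in the Syslog and eStreamer slide. The following is an added example, not code from the session or from Cisco, that parses constructed FMC-style event lines and builds both reports. The "Key: Value" line layout, the host and tag names, and the event values are assumptions made for this example; the Impact flag meanings (1 = target vulnerable, 4 = unknown target) follow how FMC presents them.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry). The line layout is an
# assumption for this example, not Cisco's documented syslog format: a syslog
# header, an event-type tag in brackets, then comma-separated "Key: Value" pairs.
SAMPLE_EVENTS = """\
<134>Jan 10 12:00:01 fmc01 SFIMS: [Intrusion] Impact: 1, SrcIP: 203.0.113.7, DstIP: 10.1.1.20, SrcPort: 41022, DstPort: 445, Protocol: tcp, Message: SERVER-OTHER example rule A
<134>Jan 10 12:00:02 fmc01 SFIMS: [Intrusion] Impact: 3, SrcIP: 203.0.113.9, DstIP: 10.1.1.21, SrcPort: 51000, DstPort: 80, Protocol: tcp, Message: SERVER-WEBAPP example rule B
<134>Jan 10 12:00:03 fmc01 SFIMS: [Malware] Disposition: Malware, SrcIP: 10.1.2.15, DstIP: 198.51.100.4, SrcPort: 50211, DstPort: 443, Protocol: tcp, SHA256: placeholder-sha256-1
<134>Jan 10 12:00:04 fmc01 SFIMS: [Malware] Disposition: Clean, SrcIP: 10.1.2.16, DstIP: 198.51.100.5, SrcPort: 50212, DstPort: 80, Protocol: tcp, SHA256: placeholder-sha256-2
<134>Jan 10 12:00:05 fmc01 SFIMS: [Intrusion] Impact: 2, SrcIP: 203.0.113.11, DstIP: 10.1.1.22, SrcPort: 40100, DstPort: 22, Protocol: tcp, Message: PROTOCOL-OTHER example rule C
<134>Jan 10 12:00:06 fmc01 SFIMS: [Malware] Disposition: Malware, SrcIP: 10.1.2.15, DstIP: 198.51.100.6, SrcPort: 50213, DstPort: 443, Protocol: tcp, SHA256: placeholder-sha256-3
<134>Jan 10 12:00:07 fmc01 SFIMS: [Intrusion] Impact: 4, SrcIP: 203.0.113.12, DstIP: 10.1.1.23, SrcPort: 40200, DstPort: 8080, Protocol: tcp, Message: SERVER-WEBAPP example rule D
<134>Jan 10 12:00:08 fmc01 SFIMS: [Malware] Disposition: Malware, SrcIP: 10.1.2.16, DstIP: 198.51.100.7, SrcPort: 50214, DstPort: 443, Protocol: tcp, SHA256: placeholder-sha256-4
"""

HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<tag>\S+):\s+"
    r"\[(?P<etype>\w+)\]\s+(?P<body>.*)$"
)
# Lazy value match that stops at the next ", Key: " boundary or end of line,
# so values containing spaces (rule messages) survive intact.
FIELD_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")

# Impact flag as FMC presents it: 1 = target known vulnerable, 2 = potentially
# vulnerable, 3 = currently not vulnerable, 4 = unknown target, 0 = unknown.
IMPACT_LABELS = {0: "unknown", 1: "vulnerable", 2: "potentially vulnerable",
                 3: "currently not vulnerable", 4: "unknown target"}


def parse_event(line):
    """Return a dict for one event line, or None if the line is not an event."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"type": m.group("etype"), "host": m.group("host"), "ts": m.group("ts")}
    for key, value in FIELD_RE.findall(m.group("body")):
        event[key] = value
    if "Impact" in event:
        event["Impact"] = int(event["Impact"])
    return event


def parse_events(text):
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def top_malware_senders(events, n=5):
    """Hosts that sent the most files with a Malware disposition (Clean files ignored)."""
    counts = Counter(
        ev["SrcIP"] for ev in events
        if ev["type"] == "Malware" and ev.get("Disposition") == "Malware"
    )
    return counts.most_common(n)


def intrusion_by_impact(events):
    """Intrusion events as (impact, src, dst, message), most likely to affect the target first."""
    intrusions = [ev for ev in events if ev["type"] == "Intrusion"]
    # Impact 0 (unknown) carries no information, so it sorts after 1-4.
    ordered = sorted(intrusions, key=lambda ev: (ev["Impact"] if ev["Impact"] > 0 else 5, ev["ts"]))
    return [(ev["Impact"], ev["SrcIP"], ev["DstIP"], ev["Message"]) for ev in ordered]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Top malware senders:", top_malware_senders(evs))
    for impact, src, dst, msg in intrusion_by_impact(evs):
        print(f"impact {impact} ({IMPACT_LABELS[impact]}): {src} -> {dst}: {msg}")
```

The two reports are exactly the dashboards the QRadar app slide describes; feeding real FMC syslog into this parser would require adjusting the two regular expressions to the actual message layout.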
Deployment Designs
Use Case: Internet Edge Firewall
[Slide diagram: ISP / Service Provider, Internet Edge, FW in HA, DMZ Network, Port-Channel, Campus/Private Network, FMC]
Requirement
Connectivity and Availability Requirement:
• High Availability ROUTED mode
• Firewall should support Routed or Transparent Mode
Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defence application with FMC
Connectivity and Availability
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data centre designs.
[Slide diagram labels: 10.1.1.0/24, 10.1.1.1, NAT, DRP, 192.168.1.1, 192.168.1.0/24, IP: 192.168.1.100, GW: 192.168.1.1]
Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability - Clustering
FTD High Availability
• Full flow state replication with NGFW policy verdicts
• Active/Standby operation in all NGFW/NGIPS interface modes
• Interfaces are always up on standby, but any transit traffic is dropped
• MAC learning/spoofing on switchover in transparent NGFW, inline NGIPS
• GARP on switchover in routed NGFW
• Interface and Snort instance (at least 50%) status monitoring
• Zero-downtime upgrades for most applications
• Some packet loss is always expected with failover
[Slide diagram: FTD A (active) and FTD S (standby) joined by an HA Link, each attached to an upstream and a downstream vPC]
Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6
Routing Protocol support
IPv4 and IPv6 advanced routing
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route
• Tunneled Route support for VPNs
• Reverse Route Injection for VPNs
• Multicast Routing
• IGMP
• PIM
Rate limiting Cloud File Sharing Traffic
QOS Policy is a new policy type with separate policy table
Not associated with an Access Control Policy – directly associated with devices
FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Centre
FlexConfig Policies
• Device-level free form CLI policies that follow ASA syntax
• Supports pre-defined object templates and completely custom objects
• Natively managed feature commands are blacklisted
• Must push an object with negated commands to remove
Security Requirements
• Identity Policy
• Decryption Policy (optional)
• IPS Policy (optional, use default)
• File (AMP) Policy
• Prefilter Policy (optional)
• Access Policy
• Security Intelligence Policy
• Threat Intelligence Director
Identity Requirements
User Discovery
• Deduces user identity by passively analysing network traffic
• Considered non-authoritative
• Cannot be used in access control policies
Active and Passive Authentication
• Passive authentication
• IP-to-user mappings are learned from ISE or Firepower User Agent
• Active authentication
• Also called captive portal
• Redirects user to HTTPS server running on the firewall
• User authenticates with username and password
• Identity policy
• Specifies what traffic requires active, passive or no authentication
• Attached to an access control policy
Passive Authentication
Cisco Firepower User Agent
• The agent monitors users when they log in and out of hosts or authenticate with Active Directory credentials
• The User Agent does not report failed login attempts
• The agents associate users with IP addresses
• Can use one agent to monitor user activity
  • Up to five Active Directory servers
  • Send encrypted data to up to five Firepower Management Centres
Identity Services Engine Integration
Active Authentication (Captive Portal)
Captive Portal Use Cases
• Can be used for non-domain endpoints
• Enforces authentication through the browser
• Can augment passive authentication (Fall-back to Active feature)
• Various Supported Authentication types (Basic, NTLM, Kerberos, Form)
• Guest / Non Windows Device Authentication Support
• Multi-realm Support
Identity Policy based on Passive Authentication
Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)
TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles
ISE Remediation in using pxGrid
TLS Decryption
Customer Use Case
• Protect the network from threats from remote TLS servers
  • Called the outbound or unknown key case
  • Example: Malware downloaded over HTTPS by users surfing the web.
• Protect the network from attacks on internal TLS servers
  • Called the inbound or known key case
  • Example: Protect DMZ HTTPS servers from intrusion attacks
Challenges
• Inspection fails for some applications
• No end-user notifications unless traffic is decrypted
• Inspection fails for some client/server combinations
• Load on firewall creates throughput degradation
• Currently TLS is being performed in software
• TLS decryption will be in hardware (roadmap / release beta)
Best Practices
• Block TLS traffic without decrypting
• Block URL categories
• Block Application (approx. 400 applications can be identified)
• Block based on certificate status, TLS version or cipher suite
Granular TLS Decrypt
Can specify by application, certificate fields / status, ciphers, etc.
IPS Policy
Custom IPS Policy
What’s in the Default IPS & Network Access Policies?
Connectivity Over Security
• CVSS Score 10, 2 years
• 499 rules
• 15 preprocessors enabled
Malware and File Analysis
Attached to Access Policy
Prefilter & Access Policies
Prefilter Policy (Optional) – Based on L2-L4 Flow Attributes
• First access control phase in Data Plane for each new flow
• Block: Deny the flow without any further processing
• Fastpath: Allow and process entirely in Data Plane, attempt Flow Offload
• Analyse: Pass for evaluation in Main AP, optionally assign tunnel zone
Access Policy – Based on Layer 2 - Layer 7 Flow Attributes
• Primary access control phase in Snort
• Block [with reset]: Deny connection [and TCP RST]
• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
• Monitor: Log event and continue policy evaluation
• Trust: Push all subsequent flow processing into Data Plane only
• Allow: Permit connection to go through NGIPS/File inspection
• Appropriate place for implementing NGFW policy rules
• Full NGFW traffic selection criteria
• Decisions may need multiple packets
Access Control Policy Blocking Example
Security Intelligence Policies
Network & URL-Based Security Intelligence
• Block traffic to IP addresses and URLs with bad reputation
• TALOS dynamic feed, 3rd party feeds
• Multiple Actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware matches
• Black/White-list IP / URL with one click
• Blocked traffic not subject to additional inspection. Logged separately!
[Slide screenshot: URL-SI Categories]
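The ordering across the Prefilter, Access Policy and Security Intelligence slides matters when you reason about which rule a given flow hits: Security Intelligence is checked first and a hit gets no further inspection, the prefilter sees only L3/L4 attributes in the data plane, and only the access policy in Snort can match on application or URL category, with Monitor logging and continuing to the next rule. The following is an added example that models that evaluation order; it is not Cisco's code, and the rule structures, the sample rules and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None           # L7 application; known only after several packets
    url_category: Optional[str] = None  # URL category once the request has been seen


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    action: str


@dataclass
class Decision:
    stage: str   # which phase produced the verdict
    action: str
    rule: str
    logs: List[str] = field(default_factory=list)


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Constructed sample policy, not an FMC export.
SI_BLOCK_LIST = [ipaddress.ip_network("203.0.113.0/24")]   # "bad reputation" network
BACKUP_NET = ipaddress.ip_network("10.1.9.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Prefilter: L3/L4 only. Anything not matched is "analyse" and goes to Snort.
PREFILTER = [
    Rule("block-telnet", lambda f: f.proto == "tcp" and f.dport == 23, "block"),
    Rule("fastpath-backup",
         lambda f: f.proto == "tcp" and f.dport == 10000 and in_nets(f.src, [BACKUP_NET]),
         "fastpath"),
]

# Access control policy: evaluated top-down in Snort; may use app and URL category.
ACCESS = [
    Rule("monitor-dns", lambda f: f.dport == 53, "monitor"),
    Rule("block-file-sharing", lambda f: f.app in {"bittorrent", "edonkey"}, "block"),
    Rule("interactive-block-gambling", lambda f: f.url_category == "Gambling", "interactive_block"),
    Rule("trust-voice", lambda f: f.app == "rtp", "trust"),
    Rule("allow-web", lambda f: f.app in {"http", "https"}, "allow"),
    Rule("allow-internal", lambda f: in_nets(f.dst, [INTERNAL_NET]), "allow"),
]
ACCESS_DEFAULT = "block"


def evaluate(flow, si=SI_BLOCK_LIST, prefilter=PREFILTER, access=ACCESS, default=ACCESS_DEFAULT):
    logs = []
    # Phase 1: Security Intelligence. A hit is logged separately and the flow
    # receives no further inspection.
    if in_nets(flow.src, si) or in_nets(flow.dst, si):
        logs.append(f"SI: block {flow.src} -> {flow.dst}")
        return Decision("security-intelligence", "block", "si-block-list", logs)
    # Phase 2: prefilter in the data plane. Block and Fastpath end evaluation;
    # Analyse (no match here) hands the flow to Snort.
    for rule in prefilter:
        if rule.match(flow):
            if rule.action in ("block", "fastpath"):
                return Decision("prefilter", rule.action, rule.name, logs)
            break
    # Phase 3: access control policy. Monitor logs and keeps evaluating; the
    # first other match is the verdict; otherwise the default action applies.
    for rule in access:
        if rule.match(flow):
            if rule.action == "monitor":
                logs.append(f"monitor: {rule.name}")
                continue
            return Decision("access", rule.action, rule.name, logs)
    return Decision("access", default, "default", logs)


if __name__ == "__main__":
    for flow in (Flow("10.1.1.5", "203.0.113.5", "tcp", 443, "https"),
                 Flow("10.1.1.5", "10.1.1.53", "udp", 53, "dns"),
                 Flow("10.1.1.5", "198.51.100.9", "tcp", 443, "bittorrent")):
        print(flow, "->", evaluate(flow))
```

A useful property of the model is that a flow whose application is still unknown (app None) can only be decided by L3/L4 rules or the default action, which is the "decisions may need multiple packets" point from the Access Policy slide.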
Security Intelligence Network & URL Categories
Category – Description
• Attacker – Active scanners and blacklisted hosts known for outbound malicious activity
• Malware – Sites that host malware binaries or exploit kits
• Phishing – Sites that host phishing pages
• Spam – Mail hosts that are known for sending spam
• Bots – Sites that host binary malware droppers
• CnC – Sites that host command and control servers for botnets
• Open Proxy – Open proxies that allow anonymous web browsing
• Open Relay – Open mail relays that are known to be used for spam
• Tor Exit Node – Tor exit nodes
• Bogon – Bogon networks and unallocated IP addresses
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
[Slide screenshot: DNS List Action]
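The four DNS list actions behave differently from the client's point of view, and the Sinkhole action is the one that turns a blocked lookup into an Indication of Compromise for the querying host, because the host's later connection attempt goes to an address the firewall owns. The following is an added example, not Cisco's implementation, that applies per-list actions to constructed DNS queries; the list contents, the category-to-action mapping, the sinkhole address and the stand-in upstream resolver are all assumptions made for the example.

```python
# Constructed lists and actions; the real lists come from Cisco feeds or
# user-defined objects in FMC.
DNS_LISTS = {
    "CnC": {"bad-example.test"},
    "Malware": {"malware-example.test"},
    "Phishing": {"phish-example.test"},
    "Spam": {"spam-example.test"},
}
LIST_ACTIONS = {"CnC": "sinkhole", "Malware": "monitor",
                "Phishing": "block", "Spam": "domain_not_found"}
SINKHOLE_IP = "192.0.2.53"            # assumed sinkhole address (documentation range)
IOC_CATEGORIES = {"CnC", "Malware"}   # matches that tag the client with an IoC
# Stand-in for the upstream resolver (constructed answers).
UPSTREAM = {
    "ok.example.test": "198.51.100.10",
    "www.spam-example.test": "198.51.100.11",
    "news.malware-example.test": "198.51.100.12",
}


def match_category(domain, lists=DNS_LISTS):
    """Return the list category for the domain or any of its parent domains."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in lists.items():
            if candidate in domains:
                return category
    return None


def handle_query(domain, client_ip, lists=DNS_LISTS, actions=LIST_ACTIONS,
                 upstream=UPSTREAM, sinkhole_ip=SINKHOLE_IP, log=None):
    """Apply the DNS Security Intelligence action and return what the client receives."""
    log = log if log is not None else []
    category = match_category(domain, lists)
    if category is None:
        return {"action": "forward", "answer": upstream.get(domain), "category": None}
    action = actions[category]
    log.append({"client": client_ip, "domain": domain, "category": category,
                "action": action, "ioc": category in IOC_CATEGORIES})
    if action == "block":
        answer = None                 # query dropped; the client times out
    elif action == "domain_not_found":
        answer = "NXDOMAIN"           # client gets an explicit negative answer
    elif action == "sinkhole":
        answer = sinkhole_ip          # client connects to the sinkhole, which identifies it
    else:                             # monitor: resolve normally, just log
        answer = upstream.get(domain)
    return {"action": action, "answer": answer, "category": category}


def ioc_hosts(log):
    """Clients whose queries hit a CnC or Malware list."""
    return {entry["client"] for entry in log if entry["ioc"]}


def is_sinkhole_contact(dst_ip, sinkhole_ip=SINKHOLE_IP):
    """True when a later connection targets the sinkhole: the source is infected."""
    return dst_ip == sinkhole_ip


if __name__ == "__main__":
    events = []
    for name, client in (("c2.bad-example.test", "10.1.1.8"),
                         ("www.spam-example.test", "10.1.1.9"),
                         ("ok.example.test", "10.1.1.11")):
        print(name, "->", handle_query(name, client, log=events))
    print("IoC hosts:", ioc_hosts(events))
```

Matching parent domains is what makes the approach hold up against fast-flux and algorithmically generated subdomains under a listed zone; only the zone itself needs to be on the list.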
Additional Categories for DNS Security Intelligence Feeds
Same categories as Network and URL feeds plus the following:
Category – Description
• DGA – Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers
• Exploit Kit – Software kit designed to identify software vulnerabilities in client machines
• Response – A list of IPs/URLs which seem to be actively participating in malicious/suspicious activity
• Suspicious – Files that appear to be suspicious and have characteristics that resemble known malware
Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
Branch Firewall Use Cases
Site to Site and Remote Access VPN
Branch Use Case: WAN Edge Firewall with Direct Internet Access
[Slide diagram: NGFW with “Outside” interface to the Internet Edge, VPN Tunnel across the Internet, and MPLS WAN]
Requirement
Connectivity and Availability Requirement:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN
Routing Requirements:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic
Ordered Steps for Remote Site Configuration
• Create Shared Access Policy
• Add firewalls to management console
• Configure Interfaces and static routes on each firewall
• Configure dynamic routing for dedicated WAN (optional)
• Configure Shared VPN Policy
• Deploy policies
• Re-address firewalls for remote
Headquarters and Branch NGFW Example
Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other
Adding Firewall to Firepower Management Centre
• Host = Out of band management IP
• Must be reachable by FMC
• Can add with temporary “staging” IP if ”NAT ID” field is used (don’t forget this!)
• Device can be set to “offline” in FMC: Devices -> Device Management -> Device TAB -> Management
Branch NGFW Use Case – Interface Configuration
Outside / Inside / MPLS Interfaces configuration (Static IP)
• Can have dual MPLS and multiple inside interfaces / LAN segments
Headquarters and Branch NGFW Example
HUB (Headquarters) Static Routes:
• Note “floating static routes” for all remote branch subnets to Internet gateway!
Headquarters and Branch NGFW Example
HQ & Branch OSPF Routing Configuration for MPLS:
• Redistributing ”connected” and “static” routes to OSPF
Headquarters and Branch NGFW Example
Single Hub & Spoke Site to Site VPN Configuration
• Static ”outside” IP Addresses on HUB and all Spoke firewalls
Headquarters and Branch NGFW Example
Create Hub and Spoke IKEv2 VPN Topology with all default settings
• DISABLE Reverse Route Injection on IPSec Tab or OSPF routes are ignored
Headquarters and Branch NGFW Example
Dynamic Endpoint option for sites with DHCP Outside Interface
• Set Crypto Map type to Dynamic in IPSec Tab. Hub + Spokes as Bi-directional
Headquarters and Branch NGFW Example
Best Practice: Disable Health Monitoring Interface Warnings
• Will prevent FMC warnings when no traffic seen on an interface
Deploy Configurations To All Firewalls
• FTD configurations are pushed to firewalls via “STUNNEL” secure communications channel via management interface
• After configuration deployment, management interface can be changed for target site
Manually Changing FTD Management IP Address
Information: Serial Console connection to firewall is easiest (can be done via ssh)
• configure network ipv4 manual <IP> <MASK> <GW>
Bring Spoke Firewalls Online
Headquarters and Branch NGFW Example
Best Practice: Use of Groups in FMC for organisation
• GREEN status bubble indicates firewall is online and reachable from FMC
• Same policy sets applied to all branch firewalls
Headquarters and Branch NGFW Example
Benefits and Caveats
• OSPF routes from private WAN will always be preferred
• Routing “failover” time to VPN tunnel will depend upon OSPF Hello & Dead Interval values (must use FlexConfig to change)
• Spoke-to-spoke traffic will transit VPN hub for sites with WAN down (only for static IP spokes!)
• Use dynamic spoke option for DHCP addressed sites.
• Static spoke supports tunnel creation from hub or spoke
• Add “VPN only” network route to keep tunnels forced up
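The behaviour behind the caveats above (OSPF always preferred, failover to the VPN path only after the OSPF dead interval, and the warning on an earlier slide to disable Reverse Route Injection) follows from how a router picks a route: longest prefix first, then lowest administrative distance. The following is an added example of that selection on a constructed hub routing table; it is not FTD's code. The routing table, the next hops, the AD values (110 for OSPF, 200 for the floating statics, 1 for a plain static) and the default OSPF timers (hello 10 s, dead 40 s) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    interface: str
    protocol: str
    ad: int   # administrative distance: lower wins among equal prefix lengths


# Assumed OSPF defaults (hello 10 s, dead 40 s); on FTD these can only be
# changed through FlexConfig, as the slide notes.
OSPF_DEAD_INTERVAL = 40

# Constructed hub routing table (addresses from documentation ranges).
HUB_ROUTES = [
    Route("0.0.0.0/0", "198.51.100.1", "outside", "static", 1),
    Route("10.20.0.0/24", "172.16.0.2", "mpls", "ospf", 110),        # branch A via MPLS
    Route("10.20.0.0/24", "198.51.100.1", "outside", "static", 200),  # floating static: via VPN
    Route("10.21.0.0/24", "172.16.0.2", "mpls", "ospf", 110),        # branch B via MPLS
    Route("10.21.0.0/24", "198.51.100.1", "outside", "static", 200),
    Route("10.255.0.0/24", "198.51.100.1", "outside", "static", 1),   # "VPN only" network keeps the tunnel up
]
# What Reverse Route Injection would add for branch A if left enabled: a static
# route with AD 1 that beats the OSPF route, so the MPLS path is never used.
RRI_ROUTE = Route("10.20.0.0/24", "198.51.100.1", "outside", "static", 1)


def ospf_neighbor_alive(last_hello_at, now, dead_interval=OSPF_DEAD_INTERVAL):
    """The neighbour is considered up until the dead interval elapses without a hello."""
    return now - last_hello_at < dead_interval


def active_routes(routes, ospf_alive):
    """OSPF routes are withdrawn once the neighbour is declared dead."""
    return [r for r in routes if r.protocol != "ospf" or ospf_alive]


def best_route(dst, routes):
    """Longest prefix match, then lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(r.prefix), r) for r in routes]
    candidates = [(net, r) for net, r in candidates if addr in net]
    if not candidates:
        return None
    candidates.sort(key=lambda item: (-item[0].prefixlen, item[1].ad))
    return candidates[0][1]


def lookup(dst, routes, last_hello_at, now):
    """Route chosen at time `now`, given when the last OSPF hello arrived."""
    alive = ospf_neighbor_alive(last_hello_at, now)
    return best_route(dst, active_routes(routes, alive))


if __name__ == "__main__":
    for t in (30, 45):
        print(f"t={t}s after last hello:", lookup("10.20.0.7", HUB_ROUTES, 0, t))
    print("with RRI enabled:", best_route("10.20.0.7", active_routes(HUB_ROUTES + [RRI_ROUTE], True)))
```

Shortening the hello and dead intervals reduces the window in which branch traffic is black-holed after a WAN failure, at the cost of more OSPF chatter over the MPLS link.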
Remote Access VPN for Roaming User
[Slide diagram: roaming user via ISP to the Internet Edge, FP2100 in HA, Campus/Private Network]
Secure access using Firepower
• Secure SSL/IPsec AnyConnect access to corporate network
• Support for Split Tunnelling or Backhauling to handle traffic from remote users to Internet.
• AMP and File inspection Policy to monitor roaming user data.
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.
Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies
Firepower AnyConnect Remote Access
Before You Start Wizard:
1. Configure Realm or RADIUS Server Group for authentication
2. Upload AnyConnect package(s) (can pull from Cisco during wizard)
3. Have Firepower device interfaces and routing configured
4. Install Self-Signed Certificate or enroll device with public CA
Firepower AnyConnect Remote Access
Configuration Wizard Steps:
1. (Group) Policy Assignment
2. Connection Profile Creation
3. AnyConnect package selection
4. Access & Certificates
Firepower AnyConnect Remote Access
Connection Profile:
1. Name (mandatory)
2. Authentication Method (AAA = username + password)
3. IPv4 / IPv6 Address Pool(s)
4. Group Policy Selection (can use default)
Firepower AnyConnect Remote Access
AnyConnect client software selection:
• Upload from your workstation
• Download from Cisco.com using Wizard (need CCO credentials)
Firepower AnyConnect Remote Access
Interface Selection & Certificate:
1. Choose Interface / Zone
2. Choose Interface Identity Certificate
3. Optional: Create Self-Signed Certificate
4. Can also enroll device in public Certificate Authority (*best practice)
Firepower AnyConnect Remote Access
• Configuration Summary
• Recommended Next Steps
Firepower AnyConnect Remote Access
Don’t forget!
1. Allow VPN traffic from Outside zone in your Access Policy!
2. Exempt traffic to and from your VPN subnet from NAT!
3. Disable proxy ARP in your NAT Exempt rule
Firepower Threat Defence Summary
• Powerful Internet Edge and Branch WAN Platform
• Powerful Threat Defence Capabilities
• Flexible Deployment
• Advanced Site to Site VPN and routing protocol support
• Robust NGFW Feature set
• AnyConnect Remote Access
• Unified Management
Q&A
Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.
Continue Your Education
• Demos on the Cisco stand
• Walk-in Self-Paced Labs
• Meet the Expert 1:1 meetings
• Related sessions
Thank you