
#CiscoLive

Firepower NGFW Design Best Practices
Cisco Live 2020

Nazmul Rajib – Network Security Technical Marketing Engineer
Namit Kumar Agarwal – Network Security Technical Marketing Engineer
DGTL-BRKSEC-2113

About the Speakers

Nazmul Rajib
• Nazmul is a Technical Marketing Engineer with the Cisco Security Business Group
• Prior to this, he was a Senior Security Consultant with Cisco Advanced Services
• Nazmul also served as a Technical Lead for Cisco Technical Services for a long time
• As a veteran of Sourcefire, Inc., Nazmul supported the networks of many Fortune 500 companies and U.S. government agencies
• With his decade of experience with NGFW and NGIPS solutions, Nazmul has trained hundreds of Cisco engineers and partners around the world
• Nazmul is the author of the Cisco Press book on Cisco Firepower Threat Defense

Namit Kumar Agarwal
• Technical Marketing Engineer with the Cisco Security Business Group
• Prior to this, Technical Leader with the Cisco Security TAC
• Just over 11 years at Cisco. CCIE Security and experience with multiple Cisco Security solutions such as NGFW, AAA, VPN, IPS, and Cloud Security
• Specializes in the firewall platform
• Likes to work on automation projects, travel and spend time with his family
• Based out of Toronto, Canada (PS: I love maple syrup)


Agenda
• Chapter 1: Product Selection
  – Firewall Management Platform Selection
  – Firewall Device Platform Selection
  – Logging Platform Selection
  – Software and Deployment Mode Selection
• Chapter 2: Use Case Studies
  – Internet Edge, RAVPN, Branch
  – Virtual & Cloud, Data Center
  – Next-Gen IPS & Air-Gapped Environment
  – Multi-tenancy & Segmentation

#CiscoLive © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Product Selection
Nazmul Rajib
Technical Marketing Engineer, Network Security
Cisco Security Business Group

Cisco Firewall Management Platforms
Management Designed for the User
Flexibility of cloud or on-premises options, security integrations, common APIs

Cisco Firepower Management Center (FMC)
• On-premise centralized manager, SecOps focused
• For consistent policy enforcement, and to view security events and reports across the deployment

Cisco Defense Orchestrator (CDO)
• Cloud-based centralized manager, NetOps focused
• For centralized cloud-based policy management of multiple deployments
• Can coexist with FDM (for FTD release 6.4 or higher)

Cisco Firepower Device Manager (FDM)
• On-box manager, NetOps focused
• For easy on-box management of a single FTD or a pair of FTDs running in HA
Cisco Firepower Device Manager (FDM)
Simple & Intuitive On-Box Manager

Manages a single Firepower Threat Defense
• Default device manager
• Included in all Firepower Threat Defense software
• Can co-exist with the cloud-based management platform, Cisco Defense Orchestrator (CDO)

Predefined security policies
Wizard-based guided workflows for quick administration
Built on FTD Device APIs

Wizard Based Guided Workflow
(screenshot)

Browser Based User Interface
(screenshot)
API-First Approach
An open, documented management and reporting architecture
• Achieve operational efficiency
• Automate complex tasks at scale
• Integrate with ecosystem

FDM and CDO use the FTD APIs. Everyone can use the APIs for automation.

Key Features
• Day 0 Provisioning
• Day 1-2 Configuration Management
• Operations, Troubleshooting, Monitoring

API consumers: FDM, CDO, FMC, automation scripts, orchestration tools (NSO, DNAC, Ansible, AlgoSec, Tufin)

Useful Resource
developer.cisco.com/site/ftd-api-reference
Cisco Firepower Management Center (FMC)
On premise Centralized Manager, SecOps Focused
• Helps administrators to enforce consistent access policies in all FTDs
• Rapidly troubleshoot security events
• Generate summarized reports across the deployment

Policy Management
• Integrates multiple security features into a single access policy
• Centralized on premise management across multiple Firepower platforms
• Reduces complexity of manual policy configuration through inheritance and template use
• Reduces complexity of policy maintenance

Security Operations
• Customizable dashboard
• Context explorer
FMC: Automate Security Response
Reduce the noise and connect the dots
• Correlate security events (Correlation Policy, Correlation Rule, Correlation Event, Correlation Rule Action)
• Trigger automated response
  – Email
  – Syslog
  – SNMP
  – Remediation module
• Integration with ISE and other Cisco/3rd party products
Illustration on the slide: 100,000 events in, 3 events out

Threat Intelligence and Analytics
Visibility & analytics beyond network discovery
• Security Intelligence (powered by Talos)
• Threat Intelligence Director (CTID)
• Contextual Cross-Launch
  – Pivot directly to Cisco architecture
  – Pivot to 3rd party tools
  – Example: 1. Right-click on an IP address; 2. Select Talos IP lookup
• Integration of FMC with AMP for Endpoints
• Cisco SecureX Threat Response
• Leverage 3rd party SIEM to extend visibility
• Reduce complexity of integration
• Reduce time to analyze IoCs to drive down TTR
Third Party Integrations
• Vulnerability Information (Host Input): Rapid7, Qualys, Tenable, SAINT, Greenbone, Outpost24, Tripwire, Claroty
• Threat Intelligence Director (TID): Visa, ThreatQ, Anomali, NC4, IntSights, Seclytics
• SIEM (eStreamer): IBM QRadar, Splunk, LogRhythm, McAfee, LogZilla, ArcSight, Hawk, Huntsman, Blackstratus
• Security Policy Orchestration & Automation (REST and Database Access to FMC, FDM and FTD): Tufin, Firemon, AlgoSec, Skybox, Panaseer, Firesec, MicroFocus (ArcSight), Ansible
FMC exposes its Host and Event Database to these integrations.
Firepower Management Center
Managed devices, internal storage and events per second (EPS) by model:
• FMCv 2, FMCv 25 (250 GB) and FMCv 300: 2, 25 and 300 managed devices
• FMC 1600: 50 managed devices, 900 GB internal storage, 5000 EPS
• FMC 2600: 300 managed devices, 1.8 TB internal storage, 12000 EPS
• FMC 4600: 750 managed devices, 3.2 TB internal storage, 20000 EPS
Specification and Capacity – FMC Hardware
• FMC 1600: maximum 50 managed devices, 32 GB memory, 900 GB storage, maximum event rate 5000 events per second, 50,000 hosts/users
• FMC 2600: maximum 300 managed devices, 64 GB memory, 1.8 TB storage, maximum event rate 12000 events per second, 150,000 hosts/users
• FMC 4600: maximum 750 managed devices, 128 GB memory, 3.2 TB storage, maximum event rate 20000 events per second, 600,000 hosts/users
Specification and Capacity – FMC Virtual & Cloud
• VMware FMCv 25: 4-8 CPUs, 32 GB* memory, 25 managed devices, 250 GB storage
• VMware FMCv 300: 32 vCPUs, 64 GB memory, 300 managed devices, 2.2 TB storage
• KVM FMCv 25: 4 vCPUs, 32 GB memory, 25 managed devices, 250 GB storage
• AWS c3.xlarge / c4.xlarge: 4 vCPUs, 7.5 GB memory, 25 managed devices, 80 GB storage
• AWS c3.2xlarge / c4.2xlarge: 8 vCPUs, 15 GB memory, 25 managed devices, 160 GB storage
• Azure Standard D3_v2: 4 vCPUs, 14 GB memory, 25 managed devices, 250 GB storage
• Azure Standard D4_v2: 8 vCPUs, 28 GB memory, 25 managed devices, 400 GB storage
• Maximum event rate (events/second): varies, depends on CPU, memory and storage assigned to your virtual machine
Cisco Defense Orchestrator (CDO)
Consistently manage policies across your Cisco security products. CDO is a cloud-based application that cuts through complexity to save time and keep your organization protected against the latest threats.

Key Benefits
• Streamline security management
• Reduce time spent on security management tasks by up to 90%
• Achieve better security while reducing complexity
• Prioritize response

Features
• Cross-platform object and policy management
• Faster device deployments
• Configuration management
• Supports ASA, FTD, WSA, Meraki, IOS, AWS

Diagram: Policy (CDO), Visibility & Eventing (SAL) and Incident response (CTR) across HQ, data center, branch, SD-WAN, cloud applications, network users, roaming users and admin.
Cloud / SaaS Delivery Advantages in General
Highly available, full featured/managed cloud deployment
• Scalability / Flexibility
• No maintenance
• Faster feature delivery
• Low up-front cost
• Responsive to new requirements

99.999% SLA-backed uptime; provision in <1 day; subscription pay-as-you-grow model; low maintenance costs
CDO Architecture: Secure and Flexible
• Connects to devices using the device API with TLS v1.2
• The browser authenticates to the Authorization Server, gets an OAuth token, and sends the OAuth token with each REST call
• Connections in the connection pool are unauthenticated; a key is required to access the database. The OAuth token is used to retrieve a key from the Key Manager to authenticate to the database and encrypt traffic
• Configuration encrypted at rest and in transit
• Customer tenants (Customer A, Customer B, Customer C) are kept separate
• Secures management access using role-based access control with SAML based 2-factor authentication
• CDO data center locations: AWS – US West, AWS – US East, AWS – EU Central
Scalable & Consistent Policy Management
Simple, flexible management platform for mixed firewall environments
Policy management at a large scale
• Templates and macros allow quick creation of configuration across 1000s of devices
• Integrate multiple security features into a single access policy
• Single pane migration of ASA to FTD

Simple and Effective Object Management
Provides easy graphical comparison across objects
Object conflict detection allows easy mitigation of unnecessary objects:
• Duplicate
• Unused
• Inconsistent

Easier Device Onboarding and Management
Full lifecycle management of firewalls
• Fast device onboarding
• Easy bulk image upgrades, reducing the time it takes to plan and execute upgrades
• Capture configuration changes globally using the audit log
• Quick configuration backup and restore reduces network downtime
CDO Supported Platforms
Hardware and minimum supported software versions:
• ASA 5500-X, ISA 3000: ASA 8.4, FTD 6.4
• Firepower 1000: ASA 9.13, FTD 6.4
• Firepower 2100: ASA 8.4, FTD 6.4
• Firepower 4100 and 9300: ASA 8.4, FTD 6.5
• Virtual – Private Cloud (KVM, VMware): ASA 8.4, FTD 6.4
• Virtual – Public Cloud (AWS*, Azure): ASA 8.4, FTD 6.5
• Meraki MX: latest software update
• Router: IOS

*AWS security groups
Cisco Security Analytics and Logging (SAL)
Cisco SAL Feature Tiers
• Store firewall and network logs securely in the cloud, accessible and searchable from CDO
• Enable smarter response and reduce investigation times
• Identify and enrich high fidelity alerts using best-in-class security analytics
• Enhance breach detection capability
Cisco SAL Operations
Secure cloud storage and consumption of FTD connection logs with CDO
• The NGFW sends events through the Secure Device Connector (SDC), with an optional Secure Event Connector (SEC); the SEC adds event compression
• Events flow through Cisco Security Services Exchange (SSE) to Stealthwatch Cloud (SWC)
• CDO pulls events from SWC via API
• The firewall administrator uses CDO to configure FTD, view connection and security events, and pivot to SWC for advanced analytics

Logging & Troubleshooting
Sends and stores FTD logs to SWC, and offers a view in CDO
• Event logs from the on-premise network are delivered via SSE
• Storage in SWC
• CDO is the viewing platform

Logging Analytics & Detection
Provides access to the SWC portal; uses FTD flow data as telemetry
• Includes everything in Logging & Troubleshooting
• 5-tuple data from firewall logs is used as telemetry
• SWC portal for analytics

Total Network Analytics
Provides the whole suite of features
• Includes everything in Logging Analytics & Detection
• Analytics from on-prem network devices via the SWC Sensor (lightweight deployment)
• 50 endpoint licenses
Cisco Security Analytics & Logging Licenses
90-day rolling log retention (at 1, 5, 10, 15 or 25 GB per day) per tenant. Every higher licensed feature tier is cumulative.

Lic LT – Logging and Troubleshooting (CDO UI)
• Logging Service: near-real-time events viewer – search, sort, filter
• Single PID, 1/3/5 year subscription

Lic FA – Firewall Analytics & Detections (SWC UI)
• SWC Analytics for NGFW: behavioral threat detection on firewall logs
• Logging Service: near-real-time events viewer – search, sort, filter
• Single PID, 1/3/5 year subscription

Lic TA – Total Network Analytics & Detections (SWC UI)
• SWC Analytics for PNM: extend behavioral analytics inside the network
• SWC Analytics for NGFW: behavioral threat detection on firewall logs
• Logging Service: near-real-time events viewer – search, sort, filter
• Single PID, 1/3/5 year subscription

Cisco Defense Orchestrator is purchased per firewall (if devices are CDO managed).

Commentary
• Logging Service: storage amount needed to store 90 days of logs at the chosen ingest rate. Ingest and storage are shared across all CDO-managed firewalls of the tenant/customer.
• Logging Analytics: behavioral analytics performed on logs sent at the ingest rate.
• Total Network Analytics: 50 endpoint licenses for PNM included with 1 GB/day of NGFW ingest.
Choosing the Appropriate Events and Platforms for Logging
Benefits of Enabling Logging
• Visibility of network events
• Validation of configured policy
• Indicator of security incident
• Key troubleshooting tool

Connection Logging
Basic connection properties: timestamp, src/dst IPs, action, VLAN, ingress/egress zones, managed device
Additional connection properties: src/dst SGTs, URL category, device type, applications, Geo IP, user details, vulnerability information, security intelligence, malware disposition

Connection events generally include transactions detected by:
• Access control policies, SSL policies, Prefilter policies
• DNS blacklists, URL blacklists, Network (IP address) blacklists
Estimation of Event Rate & Storage
NGFWs send Connection, IPS, File and Malware events to the FMC; the FMC sends configuration, updates and images to the NGFWs.

Event rate:

$$E = \frac{B}{P} \times 0.01$$

E = Estimated event rate (eps)
B = Throughput (bytes per second)
P = Average packet size (bytes)

Example: B = 2 Gbps total NGFW throughput, P = 1024 B average packet size, E = 2393 events per second

Event storage:

$$I = \frac{L}{E_{Total}} \times 0.000012$$

I = Estimated event retention time (days)
L = Total logging limit (events)
E_Total = Total event rate (eps)

Example: E = 2393 events per second, L = 1.4 billion, I = 7 days
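To put the two formulas above to work, here is an added Python example (not code from the deck or from Cisco): it applies them and then checks the estimate against the FMC hardware capacities listed in this deck, going beyond the slide's single calculation by aggregating several devices and picking the smallest FMC whose device and EPS limits cover the total. It assumes throughput quoted in bits per second is divided by 8 to get B in bytes per second, and the 84-device branch mix it sizes is constructed from the device counts on the Current Solutions slide with assumed packet sizes.

```python
"""Event-rate and retention estimation for FMC logging.

Added example, not code from the deck or Cisco.  It applies the slide's two
formulas and checks the result against the FMC hardware capacities the deck
lists (FMC 1600/2600/4600).  Assumption: throughput quoted in bits per
second (e.g. 2 Gbps) is divided by 8 to get B in bytes per second.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FmcModel:
    name: str
    max_devices: int
    max_eps: int
    storage_gb: int


# Values from the "Specification and Capacity - FMC Hardware" slide.
FMC_MODELS = (
    FmcModel("FMC 1600", max_devices=50, max_eps=5_000, storage_gb=900),
    FmcModel("FMC 2600", max_devices=300, max_eps=12_000, storage_gb=1_800),
    FmcModel("FMC 4600", max_devices=750, max_eps=20_000, storage_gb=3_200),
)


def estimate_eps(throughput_bps: float, avg_packet_bytes: float) -> float:
    """E = B / P * 0.01, with B converted from bits to bytes per second."""
    if throughput_bps <= 0 or avg_packet_bytes <= 0:
        raise ValueError("throughput and packet size must be positive")
    bytes_per_second = throughput_bps / 8
    return bytes_per_second / avg_packet_bytes * 0.01


def retention_days(logging_limit_events: float, total_eps: float) -> float:
    """I = L / E_total * 0.000012 (the slide's constant, about 1/86400)."""
    if total_eps <= 0:
        raise ValueError("total event rate must be positive")
    return logging_limit_events / total_eps * 0.000012


def pick_fmc(managed_devices: int, total_eps: float) -> Optional[FmcModel]:
    """Smallest appliance whose device and EPS limits both cover the estimate."""
    for model in FMC_MODELS:  # ordered smallest to largest
        if managed_devices <= model.max_devices and total_eps <= model.max_eps:
            return model
    return None  # beyond FMC 4600: trim logging, split managers or offload


def size_deployment(devices: List[Tuple[float, float]],
                    logging_limit_events: float) -> dict:
    """Aggregate (throughput_bps, avg_packet_bytes) per device into one plan."""
    total_eps = sum(estimate_eps(b, p) for b, p in devices)
    return {
        "devices": len(devices),
        "total_eps": round(total_eps),
        "retention_days": round(retention_days(logging_limit_events, total_eps), 1),
        "fmc": pick_fmc(len(devices), total_eps),
    }


if __name__ == "__main__":
    # Slide inputs: 2 Gbps at 1024-byte packets; 1.4 billion event limit.
    # The literal formula gives about 2441 eps; the deck quotes 2393.
    print(f"E = {estimate_eps(2e9, 1024):.0f} eps")
    print(f"I = {retention_days(1.4e9, 2393):.1f} days")
    # Constructed branch mix using the device counts from the Current
    # Solutions slide (58 citywide, 16 statewide, 10 regional); the
    # per-branch packet sizes are assumed.
    mix = [(100e6, 512)] * 58 + [(500e6, 800)] * 16 + [(1e9, 1024)] * 10
    print(size_deployment(mix, 1.4e9))
```

The branch mix lands above the FMC 4600 event-rate ceiling, which is exactly the situation the logging best practices later in the deck (per-rule logging, no logging on trust rules, external log destinations) are meant to avoid.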
Scaling of Logging
• Eventing: FTD sends connection, security and AAA events to FMC, to syslog servers, and via the event connector to CDO
• Consumers: SIEM, homegrown or 3rd party tools, automation scripts (API), CLI
• Management: FMC, FDM, CDO

Best Practices for Logging
• Enable connection logging on a per-access-control-rule basis
• Don't enable logging for access rules with trust action
• Don't enable logging for rules with block action in passive mode
• Log either at the beginning or end of the connection (not both)
• Log events to an external location
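As an added example (not Cisco code), the following audit checks a simplified access-control rule list against the five practices above. The Rule and Policy records are a constructed representation, not the FMC or FDM API schema, and the sample policy is made up for illustration.

```python
"""Check access-control rules against the deck's logging best practices.

Added example, not Cisco code.  Rule and Policy are a constructed,
simplified representation of an access control policy, not the FMC or
FDM API schema.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    name: str
    action: str                 # "ALLOW", "TRUST", "BLOCK" or "MONITOR"
    log_begin: bool = False     # log at beginning of connection
    log_end: bool = False       # log at end of connection
    syslog_server: str = ""     # external destination; "" = manager only


@dataclass
class Policy:
    name: str
    passive_mode: bool          # device deployed passive or inline-tap
    rules: List[Rule] = field(default_factory=list)


def audit_logging(policy: Policy) -> List[str]:
    """Return one finding per violated practice; an empty list means clean."""
    findings: List[str] = []
    for r in policy.rules:
        logs = r.log_begin or r.log_end
        # Trust rules skip deep inspection; logging them only adds event volume.
        if r.action == "TRUST" and logs:
            findings.append(f"{r.name}: logging enabled on a trust rule")
        # A passive device cannot drop traffic, so block events there are noise.
        if r.action == "BLOCK" and policy.passive_mode and logs:
            findings.append(f"{r.name}: logging a block rule on a passive device")
        # Beginning-and-end doubles the event count for every connection.
        if r.log_begin and r.log_end:
            findings.append(f"{r.name}: logs both beginning and end of connection")
        # Events kept only on the manager compete for its storage and EPS limits.
        if logs and not r.syslog_server:
            findings.append(f"{r.name}: no external syslog destination")
    return findings


def sample_policy() -> Policy:
    """Constructed policy exercising each practice (not a real customer config)."""
    return Policy(
        name="branch-passive-pilot",
        passive_mode=True,
        rules=[
            Rule("trust-backup", "TRUST", log_end=True, syslog_server="192.0.2.10"),
            Rule("allow-web", "ALLOW", log_end=True, syslog_server="192.0.2.10"),
            Rule("allow-dns", "ALLOW", log_begin=True, log_end=True,
                 syslog_server="192.0.2.10"),
            Rule("block-rest", "BLOCK", log_begin=True),
        ],
    )


if __name__ == "__main__":
    for finding in audit_logging(sample_policy()):
        print(finding)
```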
Choosing an Appropriate Firewall Manager
Multi-Device Manager: The Key Characteristics

FMC (on-premise)
• Available in physical and virtual options
• Investigate incidents and automated response
• Customizable application, NGIPS, AMP and Security Intelligence feed
• pxGrid integration
• Network discovery, impact flag analysis and Firepower recommendations

CDO (cloud)
• Easy & quick set up with predefined policies
• Simplified management with guided workflows
• Consistent policy enforcement across multiple device types (ASA, FTD, Meraki, IOS)
• Simple & effective object handling and built-in optimization
• Cloud advantage of scalability, availability & very low TCO

Factors and Considerations
• Total number of managed devices
• Number of users and hosts to discover
• Cumulative event rate from all devices
• Total number of events to store
• Software maintenance and downtime
• Logging policy
Next-Generation Firewall Platforms
Cisco Next-Generation Firewall Portfolio Overview
Platforms, Operating Systems and Management options

Management
• Firepower Management Center (FMC): multi-device, on-prem
• Firepower Device Manager (FDM): on-box (can coexist with CDO)
• Cisco Defense Orchestrator (CDO): multi-device, cloud
• Adaptive Security Device Manager (ASDM): on-box (can coexist with CSM)
• Cisco Security Manager (CSM): multi-device, on-prem

Operating System
• Firepower Threat Defense (FTD)
• Adaptive Security Appliance (ASA)

Platform
• Cloud, Virtual, Firepower Series, ASA Series
Software and Platform Selection
ASA Software Provides
Robust, Resilient Stateful Firewall and VPN Concentrator

Rule
• Stateful controls
• Rules based on 5 tuples only
• Allow or Block as the 2 primary rule actions

Feature
• VPN: Remote Access, Clientless, EzVPN, IKEv1/L2TP/3rd party Remote Access, Site-Site Route Based and Policy Based VPN, DTLS 1.2
• Routing & Quality of Service
• Carrier Grade NAT
• DAP *
• SSO with SAML

Automate
• Leverage APIs to integrate with SIEM
• APIs to create security enforcement based on 5 tuples

Security
• Packet filtering and legacy Layer 2 to Layer 4 controls
• No advanced security controls like IPS, AMP, URL Filtering, Application control etc.

* CSM does not support AnyConnect 4.6
Firepower Threat Defense (FTD) Software Provides
Threat Focused, Contextual Awareness and Visibility

Rule
• Rules based on a combination of 5 tuples and Identity/Application/URL
• Rule actions such as trust, monitor, reset, allow & block
• Rules to decrypt TLS and apply actions

Feature
• Traditional firewall controls like VPN, NAT, Routing etc.
• Next-Gen IPS with auto tuning
• Anti-Malware protection with Sandboxing
• Rate limiting with Layer 7 parameters
• Event prioritization and auto response
• Acts as a platform to enforce controls

Automate
• Leverage APIs for automation and orchestration of NGFW functions
• Integration with AMP EP, ISE, CTR, Tetration, SIEM
• Leverage APIs to ingest information and threat feeds

Security
• Protection from Layer 2 to Layer 7
• Block all network-based threats
• Deep packet inspection
• Scan and block malicious files, be it archive, executable, doc etc.
• Sandbox integration
• Dynamic threat intelligence

ASA or FTD?
Choose ASA for
• Traditional/Stateful L3-L4 Firewall
• Remote Access VPN Headend:
  o Clientless VPN
  o EZVPN
  o IKEv1/L2TP/3rd party clients
  o DAP/Hostscan
  o SAML Authentication
  o DTLS 1.2
  o VPN Load balancing
• Multi-context firewall

Choose FTD for
• Next Gen IPS (NGIPS)
• Next Gen Firewall (NGFW)
• Advanced Malware Protection (AMP)
• True multi-tenancy with Multi-Instance
• Advanced network visibility and threat analytics
  o Correlation Rules
  o Custom IPS Rules
  o Firepower Recommendations
• Incident response and threat investigation
FTD: Platform and Management Options
Platforms, Operating Systems and Management options

ASA: Platform and Management Options
Platforms, Operating Systems and Management options

Putting it all together
Platforms, Operating Systems and Management options
Firepower Hardware and Cloud Platforms
• FPR 1010 (SOHO/SMB): 650 Mbps AVC or AVC+IPS
• FPR 1120/40/50 (Branch Office): 1.5-3 Gbps AVC or AVC+IPS
• FPR 2110/20/30/40 (Mid-Size Enterprise): 2-8.5 Gbps AVC or AVC+IPS
• FPR 4110/20/40/50 and FPR 4112/4115/25/45 (Large Enterprise, Data Center): stand-alone device 12-53 Gbps AVC, 10-47 Gbps AVC+IPS; six node cluster up to 254 Gbps AVC, up to 226 Gbps AVC+IPS
• FPR 9300 Series with SM-24, SM-36, SM-44, SM-40, SM-48 and SM-56 modules (Data Center, Service Provider): one module 30-70 Gbps AVC, 24-64 Gbps AVC+IPS; six node (2 chassis) cluster up to 336 Gbps AVC, up to 307 Gbps AVC+IPS
• Private Cloud* and Public Cloud*

*Cloud performance depends on the allocation of underlying resources and average packet size
Firepower Virtual Platforms

Private Cloud
• 4 Core: 1.2 Gbps AVC, 1.1 Gbps AVC+IPS
• 8 Core: 2.4 Gbps AVC, 2.2 Gbps AVC+IPS
• 12 Core: 3.6 Gbps AVC, 3.3 Gbps AVC+IPS

Public Cloud
• 1.2 Gbps AVC, 1.1 Gbps AVC+IPS
• AWS instance types: c3.xlarge, c4.xlarge, c5.xlarge
• Azure instance types: Standard D3, D3_v2, D4_v2, D5_v2

Hardware Platform Specific Features
Features compared across Firepower 1000, 2100, 4100 and 9300:
• Hardware Switch + PoE *
• Hardware TLS Decrypt *
• Hardware Flow Offload
• Fail to Wire Interfaces **
• Clustering
• Multi-Instance
• Radware vDP
• VRF
* Firepower 1010 model only; Hardware TLS Decrypt with QuickAssist Crypto Acceleration
** 2130 and 2140 models

Factors and Considerations
• Bandwidth requirements
• Average size of the packets
• Operational or security features
EOL Updates and Last Supported Code
Last Supported Releases (Name: Replacement; ASA / ASA w FPS / FTD)
• ASA 5505: 1010; 9.2 / X / X
• ASA 5506: 1010; TBD / 6.2.3 / 6.2.3
• ASA 5512: FPR1120; 9.9.2 / 9.9.2 with 6.2.3 / 6.2.3
• ASA 5515: FPR1140; 9.12 / 9.12 with 6.4 / 6.4
• ASA 5585-X: FPR4100/9300; 9.12 / 9.12 with 6.4 / N/A
• FPR7K: FPR1140/50/FPR2K; N/A / N/A / 6.4
• FPR8K: FPR4100/FPR9300; N/A / N/A / 6.4
• FMC 1500, 3500: FMC 1600, 2600, 4600; N/A / 6.4 / 6.4
Deployment Mode Selection
FTD Deployment Modes

NGFW modes
• Routed FTD: inside, outside and DMZ interfaces on separate subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24)
• Transparent FTD: inside, outside and DMZ bridged on one subnet (10.1.1.0/24)
• Integrated Routing and Bridging: inside and DMZ bridged (10.1.1.0/24), outside routed (10.1.2.0/24)

NGIPS modes
• Inline FTD: Eth1/1 and Eth1/2 as an inline pair
• Inline Tap FTD: Eth1/1 and Eth1/2 as an inline pair in tap mode
• Passive FTD: single interface (Eth1/1)

Deployment Options
Features (Routed Mode, Transparent Mode, Inline Pair, Inline TAP, Passive, High Availability) compared across VMware, KVM, AWS and Azure.
Use Case Studies
Namit Kumar Agarwal
Technical Marketing Engineer, Network Security
Cisco Security Business Group

Common Use Cases for NGFW
Where Cisco can help:
• Internet Edge: superior threat efficacy, high availability, threat intelligence, NGIPS, breach detection, scalability, dynamic routing, carrier grade NAT, acceptable use control
• Cloud/Virtual: low latency, integration & threat intel, support for DPDK/SR-IOV, NSEW inspection, IE or VPN gateway
• Branch: high availability, resiliency, site to site VPN, breach detection, multiple connectivity options
• Data Center: multi tenancy & high resiliency, hyper density & high performance, NSEW inspection, integration to DC fabric
• RA VPN: Cisco VPN and third-party VPN client options; authentication, authorization & accounting; integration with AMP solution
Enterprise Branch
What is an Enterprise Branch
• An extension of the corporate network which is remotely located
• Doesn't house business critical servers
• Requires multiple outbound connectivity options like MPLS, Direct Internet Access, Site to Site VPN
Reference topology: Data Center or HQ (NGFW HA behind an edge router with HSRP) connected over the Internet by an IPsec site-to-site VPN to the Branch (edge router with HSRP, NGFW HA, internal network)

What Comprises an Enterprise Branch Solution
• Multiple connectivity options including MPLS, Direct Internet Access, Site to Site VPN
• Site to Site VPN acting as a WAN backup
• Support for either cloud management or management over VPN/MPLS
• Simple and easy to replicate setup and policies with the help of automation and APIs

Enterprise Branch: Key Functions and Key Capabilities
• Advanced access control options: applications, URLs, users, and TrustSec policy using SGTs
• Remote Access VPN: Cisco AnyConnect
• Site to site VPN: route based VPN
• Dual ISP support: IP SLA or traffic zones
• Block access to malicious IPs, URLs, DNS: Talos Security Intelligence
• Block traffic to 3rd party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Threat Grid integration
Type of Branch Networks

Small
• Preference for integrated services within a few network components
• Majority of applications in the data center or cloud
• No requirement for a multi-tier architecture like core, distribution, DMZ
• User footprint less than 25

Medium
• Redundant LAN and WAN infrastructure resources
• Higher user density than a small branch

Large
• Redundant and resilient multi-tier architecture
• Distribution of services across local, DC and cloud
• Higher user density than 100
Branch Positioning Choices and Benefits

When to Position FTD
• Local Internet breakout requires NGFW (IPS/AMP/URL Filtering) features implemented
• Bandwidth is not a concern
• VTI is not required (targeted 6.6)
Manager: CDO, FDM; Software: FTD

When to Position ASA
• VTI (route based VPN) capability is a hard requirement
• Low footprint image is a hard requirement
• CLI based configuration is important

Benefits for Network Operations
• API based management
• No SFTunnel
• Easy on-boarding to CDO
• Configuration templates
• SLA monitoring (routing)
• High-scale, high-availability

Benefits for Security Operations
• Pre-defined IPS policies
• URL Filtering capabilities
• Security and Analytics
• Firewall object analysis
• Migration tool (built-in CDO)
• Visibility across branches

Scenario 1
Use cases: Internet Edge, Remote Access VPN, Branch, Virtual and Cloud, Data Center, Next-Gen IPS, Classified Network/AirGap, Multi-tenancy
Customer Profile and Business Requirements
• Pharmaceutical company with 40,000 employees worldwide
• Ensuring security & visibility using a single pane of view for 120 branches worldwide
• Standardize the branch deployment to Next-Generation Firewall over the next 2 years
• Able to support future growth without any performance issues

Technical Requirement
• Unified management of ASA and FTD devices from a single pane
• Gradual migration of 70 ASAs to FTD over the next 12 months
• Support existing 14 FTD devices, 70 replacement FTD devices, and additional 50 FTD devices
• Three types of bandwidth needs: 100 Mbps, 500 Mbps, 1 Gbps
• 25% throughput increase in demand over the next 2 years
Finding the Missing Data

Planning Design Redesign

• Assess current inventory • Evaluate design options • Understand customer feedback


capabilities and features • Cost of new solutions, • Evaluate
• Evaluate the current bandwidth • Generate Bill of Material with • Adjust the design
utilization options for budget estimation
• Select the Next-Gen features to • Share the result before the final
enable proposal
• Identify the device models per
branch
• Determine the EOL of the
current HW and SW

#CiscoLive © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Current Solutions

Branch type | Bandwidth | ASA devices | Firepower devices
Citywide | 100 Mbps | 50 of ASA 5506-X running classic firewall | 8 of FPR 1010 devices, Classic Firewall + AVC
Statewide | 500 Mbps | 12 of ASA 5516-X running classic firewall | 4 of FPR 1120 devices, Classic Firewall + AVC
Regional | 1 Gbps | 8 of ASA 5545-X running classic firewall | 2 of FPR 4112 devices, Classic Firewall + AVC
Assessment on Current Deployment
▪ 5506-X: Software supports up to 6.2.3
▪ 5516-X: Software supports up to 6.6
▪ 5545-X: Software maintenance ends on September 4, 2021

🚫 Current FPR 1000 series devices in Citywide and Statewide locations are not aligned with future need and growth
✅ FPR 4112 can support the need of Regional branches even after 25% growth and the next-gen features

[Diagram: Data Center or HQ (EDGE router (HSRP), NGFW HA, FMC) connected over IPSEC SITE-TO-SITE VPN to Branch (Internet, EDGE router (HSRP), NGFW HA, Internal Network)]
Our Recommendation - Manager

Phase 1 (During Migration): Use CDO
✓ To manage the ASA and FTD using single management platform
✓ To migrate the config of ASA to FTD
✓ To streamline Day-Day operations by unifying rules and objects
✓ To overcome any connectivity issues between branches and HQ (No worries with sftunnel uptime)

Phase 2 (After Migration): Stay and build on CDO
✓ To manage all the new and replacement FTD devices (Total number: 134 devices)
✓ To ensure cloud-based availability and higher capacity
✓ Investigate integration points (i.e. AWS, SAL, CTR)
✓ Opportunity to manage Meraki MX using the same manager in future
Best Practices for Enterprise Branch
Leverage Site-Site VPN to create backup for WAN or MPLS failure
For S2S VPN use IKEv2 – better performance, conserved bandwidth
Prevent overlapping networks across the branches
Think about sysopt permit-vpn
Apply strong encryption wherever possible (license dependent)
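The "prevent overlapping networks" item is cheap to verify before a branch is cut over: two branches announcing overlapping prefixes towards the HQ hub leave the hub with an ambiguous route and usually force NAT later. The script below is an added example, not part of the deck or any Cisco tool; the branch names and prefixes are constructed (one overlap is planted on purpose), and it relies only on Python's standard ipaddress module, so it can be run offline against an exported inventory.

```python
"""Overlap check for branch prefixes before they enter a hub-and-spoke VPN.

Added example, not from the deck: the branch names and prefixes below are
constructed, with one overlap planted so the check has something to report.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed inventory: branch -> prefixes it announces towards HQ.
# regional-01's 10.20.2.0/24 sits inside statewide-01's 10.20.0.0/22.
BRANCH_PREFIXES: Dict[str, List[str]] = {
    "citywide-01": ["10.10.0.0/24", "10.10.1.0/24"],
    "citywide-02": ["10.10.2.0/24"],
    "statewide-01": ["10.20.0.0/22"],
    "regional-01": ["10.20.2.0/24", "172.16.0.0/16"],
}


def find_overlaps(inventory: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (branch_a, prefix_a, branch_b, prefix_b) for every pair of
    prefixes from different branches that overlap.

    A prefix with host bits set (e.g. 10.10.0.5/24) is treated as a data
    error and rejected (ip_network raises ValueError) rather than silently
    normalised, because it usually means an interface address was pasted
    where a network was expected.
    """
    flat = []
    for branch, prefixes in inventory.items():
        for prefix in prefixes:
            flat.append((branch, ip_network(prefix)))  # strict=True by default
    found = []
    for (branch_a, net_a), (branch_b, net_b) in combinations(flat, 2):
        # Only cross-branch overlaps matter here; IPv4 and IPv6 never overlap.
        if branch_a == branch_b or net_a.version != net_b.version:
            continue
        if net_a.overlaps(net_b):
            found.append((branch_a, str(net_a), branch_b, str(net_b)))
    return found


def branches_are_disjoint(inventory: Dict[str, List[str]]) -> bool:
    """True when no branch prefix overlaps a prefix of another branch."""
    return not find_overlaps(inventory)


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(BRANCH_PREFIXES):
        print(f"overlap: {a} {pa} <-> {b} {pb}")
```

Run it against the real inventory whenever a branch is added; a supernet that swallows another branch's prefix (as 10.20.0.0/22 does above) is the case most often missed by eye.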
Remote Access VPN
[Diagram: Service Provider Internet and Remote User reach the Internet Edge (HSRP) and the NGFW HA pair, which fronts the DMZ and the Campus/Private Network]
What is Remote Access VPN (RAVPN)
• Complementary to Internet Edge
• Provides secure connectivity to Internal assets over an unsecured connection
• Enables the data to be in reach of its consumer with all security controls in place
What Comprises a Remote Access VPN Solution
• Underlying setup is same as Internet Edge
• Because of its tight integration with IE most of the networking & security requirements remain same
• Support for either Split tunnel or Backhauling of traffic from remote user to Internet
• Support for SSL/IPsec
Remote Access VPN (RA VPN)

Key Functions
• Resilience (and scalability)
• Advanced Access Control
• Block access to malicious IP's, URL's, DNS
• Dynamic NAT/PAT and Static NAT
• Remote Access VPN
• Site to Site VPN
• Detecting malicious network traffic
• Visibility and tracking of file transfers, Blocking of malicious files
• Dynamic analysis of unknown files

Key Capabilities
• VPN load balancing
• IPSEC and SSL
• Talos Security Intelligence
• AD, LDAP and Radius
• IKEv2
• RADIUS CoA
• Snort IPS
• Advanced Malware Protection
• Threat Grid Integration
RAVPN Positioning Choices & Benefits

When to Position FTD
• Shared VPN appliance
• Simple VPN functionality is enough
• For DAP ISE can be used
• No requirements for host-scan, posturing or other AnyConnect modules
• NGFW features
• Network and application visibility

When to Position ASA
• Dedicated VPN concentrator
• Clientless SSL VPN
• Granular DAP Policy
• SAML integration (Azure AD, MFA…)
• All AnyConnect modules supported
• AnyConnect Profile Editor
• Custom VPN attributes required
• Management via CLI is important

Manager: CSM, ASDM; Software: ASA

Benefits for Network Operations
• Granular VPN Settings
• Flexconfig
• Integration with ISE
• Integration with AD
• VPN Config Wizard

Benefits for Security Operations
• Visibility of VPN Clients
• Network Discovery Policy
• Correlation Policies
• Threat intelligence Director
• SIEM Integration
Scenario 2
Use cases: Internet Edge, Remote Access VPN, Branch, Virtual and Cloud, Data Center, Next-Gen IPS, Classified Network/AirGap, Multi-tenancy
Customer Profile and Business Requirements
• Financial Institution – One of the largest banks in the region
• Heavily invested in Cisco technologies across all domains (DC, Routing, Security)
• Global organization with two main data centers in the country
• Current VPN solution does not scale to their requirements
Customer Challenges
• Fixed number of users could be served with the current solution
• Can’t do posture and any other advanced VPN policies with the current setup
• One DC is required to handle full capacity in case of DC failure
• Solution is required ASAP

Customer Goals
• Scalable Remote Access VPN solution to provide access to the office during the COVID-19 stay-home policy
• Ability to scale or increase bandwidth by adding extra HW
• Ability to integrate with DUO and ISE for posture and Multi-Factor Authentication (MFA)
• Day0: 40,000 RAVPN users with a possibility to scale up
Technical Requirements

Current Solution
• Based on old HW, with EOL announced
• Can’t support the amount of users required in future
• Can only support 10K users and they are struggling with performance
• Single DC solution – in case of DC failure the RAVPN service is not available

Future Solution
• Provide support for 40K users on Day 1
• Scaling up in case of more users required
• Integrating seamlessly with other Cisco Solutions such as ISE, DUO
• Highly scalable and fully redundant solution
Design Options: Three Choices

ASA VPN Load-balancing
• 4*4145 Chassis (2 per DC) running ASA
• VPN Load-balancing used across the ASAs running on the 4145s
• CSM as a device management platform

ASA HA + VPN Load-balancing
• 8*4145 Chassis (4 per DC) running ASA
• HA + VPN Load-balancing used together to achieve high-availability and scale
• CSM as a device management platform

FTD HA
• 8*4145 Chassis (4 per DC) running FTD
• 2 HA Pair per DC to achieve the 40000 users per DC – no VPN Load-balancing natively (DNS-based load balancing only)
• FMC as a device management platform
Our Recommendations

ASA HA + VPN Load-Balancing
• Native Load-balancing capability
• HA act as a second layer of redundancy
• Scalable VPN solution
• Full-featured VPN capability
• Can be integrated with other Cisco solutions

ASA + VPN Load Balancing
• Redundancy provided only by load-balancing
• Fault-tolerance can be a challenge in future

FTD HA
• No Native Load-balancing capability (DNS based load-balancing only)
• Weaker VPN performance due to Snort core allocations
• VPN is still behind ASA capabilities (by 6.8 we are planning to bring this to normal)
Best Practices for RAVPN
Build a resilient solution to provide seamless access
Preferred deployment mode is Routed
Use multiple connection profiles based on authentication type
Leverage Group policies for user specific attributes
Use NextGen security controls and create specific access rules
Make use of split tunnel with other security controls like Umbrella
Next-Gen IPS
[Diagram: ISP to VPC, then NGIPS devices (Active, HA Update, Standby) in front of a second VPC and the Internal Network]
What is Next Generation IPS
• NGIPS/NIPS is a threat defense solution, unlike the stateful access control of a traditional firewall
• NGIPS/NIPS provides hardware-based fail-open/fail-close or fail-to-wire capabilities
• NGIPS doesn’t enforce network session validation and allows flows to transfer over the device
• It provides capabilities like App control, threat intel & AMP etc.
What Comprises a Next Generation IPS Solution
• NGIPS solution is often layered with Firewall and is either deployed in internal zone or external zone depending upon needs
• HA or Clustering is used depending upon the throughput & scalability needs
• If more segments are needed to be monitored then passive interface can be used, or if monitoring plus protection is needed then inline pair
NGIPS

Key Functions | Key Capabilities
Advanced access control options | Applications, URLs, Users, and TrustSec Policy using SGTs
Block access to malicious IP's, URL's, DNS | Talos Security Intelligence
Block traffic to 3rd party lists | Threat Intelligence Director
Detecting malicious network traffic | Snort IPS
Visibility and tracking of file transfers, Blocking of malicious files | Advanced Malware Protection
Dynamic analysis of unknown files | Threat Grid Integration
NGIPS Positioning: Choices & Benefits

When to Position FTD
• Snort based deep packet inspection
• FTW capability when inline (Fail-Open/Fail-Close)
• Built-in Threat-Intelligence capabilities
• Integration capability with the rest of Cisco Security portfolio (ThreatGrid/AMP4E)
• TLS Decryption
• File and malware analysis

When to Position ASA
• Do not position ASA as an NGIPS

Manager: FMC; Software: FTD

Benefits for Network Operations
• Fail-to-Wire capability
• Inline Mode
• Passive Mode
• Port-channel as inline pair
• Connection Events
• Granular Access Control

Benefits for Security Operations
• Granular IPS Policy Settings
• Network Discovery Policy
• Correlation Policies, Impact Analysis
• Threat intelligence Director
• SIEM Integration
• Talos Ruleset, Custom Intrusion Rule
• Automated Policy Tuning
Best Practices for NGIPS
Build a resilient solution leveraging fail-open, fail-close capabilities
Leverage Inline mode for critical network segments
Leverage Passive mode for non-critical network segments
Be specific configuring Variable Set and Network Discovery Policy
Leverage Firepower Recommendations and Impact Flag Analysis
Do selective TLS Decrypt & forward Logs to SIEM for long term storage
Scenario 3
Use cases: Internet Edge, Remote Access VPN, Branch, Virtual and Cloud, Data Center, Next-Gen IPS, Classified Network/AirGap, Multi-tenancy
Customer Profile and Business Requirements
• Government organization: Department of Cybersecurity
• No data can be shared with Cisco once the devices are in production
• Transparent device in the network
• No downtime in case of failure
Technical Requirement
• High-Speed NGIPS Solution
• Fault Tolerant: FTW, HA, Cluster
• Day 1 BW requirement: 10Gbps with 8-10% growth/year
• Current user base 50K, grow up to 70K-80K in 5yrs
• Air-Gapped Licensing
• DoD Compliant: CC & UCAPL
Routed vs. Transparent vs. NGIPS Only

Routed Mode
• L3 routed interfaces
• Route Lookup
• NAT/PAT
• Dynamic Routing Protocols
• VPN Features
• Security Capabilities (AMP/IPS/URL Filtering/SSL Decrypt)

Transparent Mode
• L2 BVI interfaces
• MAC lookup
• NAT/PAT
• No Dynamic Routing (passthrough only)
• No VPN (S2S MGMT only)
• Security Capabilities (AMP/IPS/URL/SSL Decrypt)

NGIPS Only
• L1.5 inline pairs/inline sets
• Lina features are limited (only for HA and Clustering)
• Security Capabilities (AMP/IPS/URL Filtering/SSL Decrypt)
Design Options for NGIPS

Inline Pair with Fail-to-Wire
Pros
• Can be layered with a firewall
• Can be deployed either in internal zone or external zone depending upon needs
• Provides hardware-based fail-open or fail-close capabilities
Cons
• Ports in the FTW module cannot be part of an EtherChannel (link-state propagation)
• Fail-to-Wire interface does not add any value in Transparent HA

NGIPS Mode in HA Pair (No Fail-to-Wire)
Pros
• Allows you to avoid connection drops due to any Access policy verdicts
• Synchronizes certain Snort pre-processor states between HA pair
Cons
• To support security certifications compliance, FTD device must be deployed in routed mode

NGIPS in Cluster (No Fail-to-Wire)
Pros
• Provides all the convenience of a single device while achieving the increased throughput and redundancy of multiple devices
• Part of Ether-channel
Cons
• Cluster does not support security certifications compliance
• Clustering does not support High-Availability mode
Design Options: Fault Tolerance
[Diagram, left: Redundant NGIPS (FTW) – no HA: two NGIPS devices between the VPCs on an Active Path and a Backup Path, both managed by FMC, in front of the Internal Network]
[Diagram, right: NGIPS in a HA Pair: Active and Standby NGIPS exchanging HA Update between the VPCs, managed by FMC, in front of the Internal Network]
Our Recommendations

NGIPS with FTW
NGIPS with FTW module supports compliance mode while ensuring uninterrupted connection during any hardware failure.

NGIPS in HA Pair
The customer requires full fault-isolation between the devices, and they ensure symmetric traffic.

NGIPS in a Cluster
NGIPS supports clustering, but FTD devices in clusters do not support CC or UCAPL mode.
Design Options: No Sharing of Data
Options, ordered from ease of use towards security policy:
• Direct cloud access: HTTPS to Cisco.com (Cisco software usage)
• Direct cloud access via https proxy or Trans gateway: HTTPS to Cisco.com (Cisco software usage)
• Mediated access via satellite server: Smart Software Manager Satellite, HTTPS to Cisco.com (Cisco software usage)
• PAK Licenses / Reservation: License assigned manually (Cisco.com, Cisco software usage)
Design Options: Air-Gapped Licensing

Satellite Server
• For security sensitive customers
• Cannot or do not want to manage licenses via a direct Internet connection
• Installed on customer premises
• Provides subset of CSSM

SLR
• Highly Secure Environments
• Can exchange initial information electronically
• Want to consume entitlements normally
• Track entitlement usage in the portal

PLR*
• Dark Networks
• Can exchange only minimal information
• Possibly no electronic communication with outside
• Codes can only be written down and manually typed
• Licenses are perpetual

*For FDM – PLR is available from 6.6 version
Obtaining Permanent License Reservation (PLR)
1. Open a smart licensing support case via cisco.com/support
2. Ensure PLR SKUs are used and provide required details
3. Case is submitted and processed
4. Approval granted/denied
Compliance Requirement
After enabling compliance, you cannot disable it.
To take the appliance out of CC or UCAPL mode, you must reimage the appliance.
Offline Update of Product and Rules

Internet Edge
[Diagram: Service Provider Internet reaches the Internet Edge (HSRP) and the NGFW HA pair, which fronts the DMZ and the Campus/Private Network]
What is Internet Edge (IE)
• Place in the Network (PIN) which provides connectivity to the Public Internet, Service Providers, Partners & Customers
• Acting as a first line of defense for inbound threats from outside world
• Irrespective of the size of the organization, Internet Edge is required with specific network and security controls
What Comprises an Internet Edge Solution
• A Single/Pair of ISP or Enterprise managed Routers/Load Balancer providing Internet Breakout
• A pair of NGFW connecting internal core network to outside world
• Some organizations often deploy multiple solutions segregating Network and Security Controls into various solutions
Internet Edge

Key Functions | Key Capabilities
Resilience (and scalability) | HA or Clustering
Advanced Access Control | Applications, URLs, Users, and TrustSec Policy using SGTs
Block access to malicious IP's, URL's, DNS | Talos Security Intelligence
Dynamic NAT/PAT and Static NAT | Carrier Grade NAT
Remote Access VPN | Cisco AnyConnect
Site to Site VPN | Point to Point, Hub and Spoke, Full mesh
Detecting malicious network traffic | Snort IPS
Visibility and tracking of file transfers, Blocking of malicious files | Advanced Malware Protection
Dynamic analysis of unknown files | Threat Grid Integration
Internet Edge Positioning: Choices & Benefits

When to Position FTD
• Market leading AMP/IPS functionality
• Threat Intelligence Required
• Application Visibility and Control
• Identity Policies
• SSL Decryption
• AMP Integration
• ISE PIC Integration

When to Position ASA
• Active/Active – Multi-Context mode
• Granular EIGRP functionality
• Granular IS-IS functionality

Manager: FMC; Software: FTD

Benefits for Network Operations
• Granular Routing Options
• Detailed Platform Settings
• Variety of Logging
• SGT/DGT Integration
• Traffic baselines
• ISE Remediation

Benefits for Security Operations
• Granular IPS Policy Settings
• Network Discovery Policy
• Correlation Policies
• Threat intelligence Director
• SIEM Integration
Best Practices for Internet Edge
Build Device, Link & Interface Level Redundancy

Preferred deployment mode should be Routed

Modify the default policies with your network specific values

Use RBAC for clear segregation of duties and access

Use rule grouping for separation of Trusted & Untrusted rules

Do selective TLS Decrypt & disable logging when not needed

Data Center
[Diagram: Data Center Edge / Extranet with North-South traffic through vPC/Port-Channel to NGFW in HA/Cluster; Data Center Distribution with vPC/Port-Channel to an NGFW Cluster; Access Layer with East-West traffic between App Servers, Web App, Database and Tools]
What is Data Center
• PIN where business critical, corporate applications and resources are housed
• Since DC are primary intended targets security becomes paramount, but because of its nature and resources performance also plays a key role
• It provides services & data to company users and business entities
What Comprises a Data Center Solution
• A pair of firewalls serving east-west & north-south traffic
• Built to provide segmentation, separation of services & improved security posture
• Leverage underlying technologies such as SDN, ACI, VDI & Hyperflex etc.
Data Center Types

Aspect | Single Site | Multi-Site
Location | All Resources including redundant ones are in a central site | Resources spread across multiple sites
Operation | Simplified and has a low TCO | Complex and requires Automation & Orchestration
Resiliency | Need to implement strong Disaster Recovery mechanisms and built-in redundancy | Highly Resilient, Scalable with High performance, relies heavily on underlying infrastructure
Data Center

Key Functions | Key Capabilities
Advanced Access Control | TrustSec Policy using SGTs, ACI Policy Control with EPGs
Low Latency Capabilities | Hardware Flow Offload
Scalability and Resilience | HA or Clustering
Geographic DC Separation | Inter-site Clustering
Detecting malicious network traffic | Snort IPS
Visibility and tracking of file transfers, Blocking of malicious files | Advanced Malware Protection
Dynamic analysis of unknown files | Threat Grid Integration
Firewall Segmentation | Multi-Instance
Data Center Positioning: Choices & Benefits

When to Position FTD
• TLS decryption is required
• Identity based policies are required
• Threat-centric approach is in focus of the customer
• Integration with the rest of Cisco Security portfolio
• High-Throughput NGFW is required with HA/Clustering/Multi-Instance capabilities

When to Position ASA
• Active/Active – Multi-Context mode
• Granular EIGRP functionality
• Granular IS-IS functionality
• Network-centric approach is in the focus of the customer (granular routing configurations required)
• High-throughput firewall is required with HA/Clustering capabilities (no NGFW func.)

Manager: FMC; Software: FTD

Benefits for Network Operations
• Transparent/Routed mode
• Clustering/HA mode
• Flow-offload function
• SSL Policy config
• FMC HA Capability
• Multi-Instance capability

Benefits for Security Operations
• Granular IPS Policy Settings
• Network Discovery Policy
• Correlation Policies
• Threat intelligence Director
• SIEM Integration
Best Practices for Data Center
Build Device, Link & Interface Level Redundancy

Prefer Routed mode for Edge and Transparent for Core

Use Segmentation: TrustSec, ACI & Multi Instance

Be aware of clustering positioning, sizing and supported features

Implement selective logging and use APIs for automation

Use Hardware Flow Offload & do selective TLS decrypt

Scenario 4
Use cases: Internet Edge, Remote Access VPN, Branch, Virtual and Cloud, Data Center, Next-Gen IPS, Classified Network/AirGap, Multi-tenancy
Customer Profile and Business Requirements
• Education sector – one of the biggest in the region
• Heavily invested in Cisco technologies such as SDA, Stealthwatch, ISE
• The Cisco partner has partnership with other firewall vendors
• Firewall refresh is upcoming – looking to maximize their current security investments
Customer Challenges
• Limited throughput on the current firewalls
• Scale up is not possible: 20-40Gbps near future, 100Gbps later
• Limited Integration with existing investments (such as SGT support)
• Existing firewalls will be EOL soon

Customer Goals
• Requires a firewall which can leverage existing investments such as ISE/Stealth Watch/SDA
• Ability to scale or increase bandwidth by adding extra HW
• Complete isolation of firewall management and traffic plane
• Day0: 20Gbps throughput, AVC+IPS+URL Filtering, future support of VRF
Technical Requirements

Current Solution
• An HA pair across two physical DCs (dark fibre between)
• Firewall Licenses: Threat Protection, URL Filtering, RAVPN
• Use of User-ID + AD groups in Policies
• Accept external Threat Feeds
• Border Firewall is acting as Internet GW + Fusion router for MPLS
• BGP + Static Routing + VRF Capable

Future Solution
• Provide a like for like solution with the following enhancements:
  • 20-40 Gbps near term throughput – 100Gbps future term throughput
  • ISE/Active Directory integration
  • Policy enforcement based on SGT (Source/Destination)
  • External security feed integration
  • BGP + Static Routing + VRF Capable
Design Options: Three Choices

Native HA
• 2*9300 Chassis with 1*SM-40 each from Day 1* running FTD
• Native High-Availability used between the two SM-40s (Like for Like)
• FMC 2600 as a device management platform

Native Clustering
• 2*9300 Chassis with 1*SM-40 each from Day 1* running FTD
• Native Clustering used between the two Chassis (9300)
• FMC 2600 as a device management platform

Multi-Instance HA
• 2*9300 Chassis with 1*SM-40 each from Day 1* running FTD
• Multi-Instance High-Availability used between the instances running on the two SM-40s
• FMC 2600 as a device management platform
Our Recommendations

Multi-Instance HA (With a potential of multi-instance clustering and multi-tenancy using domain)
• HA setup works the same way as the previous option
• Spare capacity could be used to create test instances
• Opens up a possibility for future migration to Clustering (On 6.6 or greater, you can choose MI-Clustering which could co-exist with their HA instances)
• They could mix and match Security Modules (SM) for future expansion (MI-Clustering could run on SM-56 and SM-40)

Native HA
• Depends on a single chassis throughput
• Scalability is limited
• In case of migration to clustering – the chassis needs to be reconfigured

Native Clustering
• Adds complexity and extra inter-DC cabling required for CCL
• With only 2 northbound switches carrying the CCL, a switch upgrade could make them lose the cluster
• BGP Peer only established from the Cluster master (convergence could be enhanced with GR enabled)
Multi-Instance Clustering
• Requires FTD 6.6 and FXOS 2.8(1)
• Instance-level clustering with one cluster member instance per module
• Shared CCL, but no shared data interfaces between instance clusters
• Unused resources can be used for standalone or HA instances
• Mixed hardware in a cluster for container instances only
• E.g. Firepower 4120 and 4145, Firepower 9300 SM-24 and SM-44

[Diagram: Firepower 9300 1 modules host Cluster A + Cluster B + HA C, Cluster A + Cluster B + HA D, Cluster A + Cluster B + Standalone E; Firepower 9300 2 modules host Cluster A + Cluster B + Standalone F, Cluster A + Cluster B + HA C, Cluster A + Cluster B + HA D; both chassis share the Cluster Control Link; Cluster A: VLAN100, Cluster B: VLAN101]
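The placement rules on this slide (one cluster member instance per module, no shared data interfaces between instance clusters, mixed hardware only for container instances) can be checked against a planned layout before anything is provisioned. The script below is an added example and not Cisco tooling; the chassis labels "9300-1"/"9300-2", slot numbers, module models and VLAN numbers are constructed to mirror the figure, and the second layout deliberately breaks each rule once so the check can be seen reporting it.

```python
"""Design check for a Firepower 9300 multi-instance clustering layout.

Added example, not Cisco tooling. It encodes the placement rules stated on
the slide and reports violations in a constructed layout.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Instance:
    group: str                  # cluster name ("A"), HA pair name ("C") or standalone name
    role: str                   # "cluster", "ha" or "standalone"
    chassis: str                # constructed chassis label, e.g. "9300-1"
    slot: int                   # security module slot (1-3 on a Firepower 9300)
    hardware: str               # security module model, e.g. "SM-40"
    kind: str                   # "container" (multi-instance) or "native"
    data_vlans: FrozenSet[int]  # VLANs carried on the instance's data interfaces


def validate_layout(instances: List[Instance]) -> List[str]:
    """Return a human-readable problem per violated rule; [] means the layout passes."""
    problems: List[str] = []
    clusters = [i for i in instances if i.role == "cluster"]

    # Rule 1: a cluster may have only one member instance per security module.
    members_per_module: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for inst in clusters:
        members_per_module[(inst.group, inst.chassis, inst.slot)] += 1
    for (group, chassis, slot), count in sorted(members_per_module.items()):
        if count > 1:
            problems.append(f"cluster {group}: {count} members on {chassis} slot {slot} (max 1)")

    # Rule 2: the CCL is shared, but data interfaces (VLANs) must not be
    # shared between different instance clusters.
    vlan_users: Dict[int, Set[str]] = defaultdict(set)
    for inst in clusters:
        for vlan in inst.data_vlans:
            vlan_users[vlan].add(inst.group)
    for vlan, groups in sorted(vlan_users.items()):
        if len(groups) > 1:
            problems.append(f"data VLAN {vlan} shared by clusters {', '.join(sorted(groups))}")

    # Rule 3: mixing security-module models inside one cluster is allowed
    # for container instances only.
    hw_by_cluster: Dict[str, Set[str]] = defaultdict(set)
    kinds_by_cluster: Dict[str, Set[str]] = defaultdict(set)
    for inst in clusters:
        hw_by_cluster[inst.group].add(inst.hardware)
        kinds_by_cluster[inst.group].add(inst.kind)
    for group in sorted(hw_by_cluster):
        if len(hw_by_cluster[group]) > 1 and "native" in kinds_by_cluster[group]:
            problems.append(f"cluster {group}: mixed hardware {sorted(hw_by_cluster[group])} with native instances")
    return problems


def _inst(group, role, chassis, slot, hw="SM-40", kind="container", vlans=()):
    return Instance(group, role, chassis, slot, hw, kind, frozenset(vlans))


# Constructed layout mirroring the figure: clusters A and B span every module,
# spare capacity hosts HA pairs C/D and standalone instances E/F. Slot 1 of the
# second chassis is an SM-56, which is fine because the members are containers.
GOOD_LAYOUT = [
    _inst("A", "cluster", "9300-1", 1, vlans=[100]), _inst("B", "cluster", "9300-1", 1, vlans=[101]), _inst("C", "ha", "9300-1", 1),
    _inst("A", "cluster", "9300-1", 2, vlans=[100]), _inst("B", "cluster", "9300-1", 2, vlans=[101]), _inst("D", "ha", "9300-1", 2),
    _inst("A", "cluster", "9300-1", 3, vlans=[100]), _inst("B", "cluster", "9300-1", 3, vlans=[101]), _inst("E", "standalone", "9300-1", 3),
    _inst("A", "cluster", "9300-2", 1, hw="SM-56", vlans=[100]), _inst("B", "cluster", "9300-2", 1, hw="SM-56", vlans=[101]), _inst("F", "standalone", "9300-2", 1, hw="SM-56"),
    _inst("A", "cluster", "9300-2", 2, vlans=[100]), _inst("B", "cluster", "9300-2", 2, vlans=[101]), _inst("C", "ha", "9300-2", 2),
    _inst("A", "cluster", "9300-2", 3, vlans=[100]), _inst("B", "cluster", "9300-2", 3, vlans=[101]), _inst("D", "ha", "9300-2", 3),
]

# Constructed layout that breaks each rule exactly once.
BAD_LAYOUT = [
    _inst("A", "cluster", "9300-1", 1, vlans=[100]),
    _inst("A", "cluster", "9300-1", 1, vlans=[100]),                             # two A members on one module
    _inst("B", "cluster", "9300-1", 2, vlans=[100]),                             # B reuses A's data VLAN 100
    _inst("B", "cluster", "9300-2", 1, hw="SM-56", kind="native", vlans=[100]),  # native instance in a mixed-hardware cluster
]


if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, validate_layout(layout) or "ok")
```

The check is intentionally limited to the three rules the slide states; per-module resource sizing (how many container instances a module can actually host) is a separate question that needs the platform's own resource profiles.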
Cloud & Virtual Security
[Diagram, Data Center: ESXi Host A and Host B each run an HA Pair with Outside, Inside and DMZ interfaces behind External and Internal LBs, handling N/S and E/W traffic towards the Internet]
[Diagram, Branch: KVM Host A and Host B on CSP or ENCS (compute cluster) run an HA Pair with Outside, Inside and DMZ interfaces, handling N/S and E/W traffic]
What is Public/Private Cloud NGFW Security
• With customers taking a Cloud First approach, workloads are moving to either Public Cloud like AWS, Azure or co-located DC
• Applications govern the routing, policy, access & security decisions, unlike traditional network
• Automation and lower TCO are main driving factors here
What Comprises a Public Cloud Solution

Azure | AWS
Virtual Network (vNET) | Virtual Private Cloud (VPC)
Availability Set | Availability Zone (AZ)
Subnet | Subnet
Virtual Machine (VM) | EC2 Instance
User Defined Route (UDR) | Route Table (RT)
Network Security Group, Layer 7 firewall | Security Group, NACL
ARM Template | CloudFormation Template (CF template)
Load Balancer: Internal, external and ILB Standard | Load Balancer: NLB, CLB, ALB, Internal and External
ExpressRoute | Direct Connect
Public IP | Elastic IP (EIP)
Cloud/Virtual

Key Functions | Key Capabilities
Advanced access control options | Applications, URLs, Users, and TrustSec Policy using SGTs/CCP
Remote VPN | Cisco AnyConnect
Site to Site VPN | Route Based VPN (ASA) and Policy Based VPN
Block access to malicious IP's, URL's, DNS | Talos Security Intelligence
Block traffic to 3rd party lists | Threat Intelligence Director
Detecting malicious network traffic | Snort IPS
Visibility and tracking of file transfers, Blocking of malicious files | Advanced Malware Protection
Dynamic analysis of unknown files | Threat Grid Integration
Supported Platforms
Private Cloud
• Hypervisors: NGFWv is supported on VMware and KVM
• ISR-4K (UCS-E): UCS-E blade can run VMware or KVM
• CSP (NFVIS): NGFWv is supported on NFVIS on CSP
• ENCS: NGFWv is supported on ENCS
• ACI (managed or unmanaged): NGFWv can be inserted in ACI fabric for E/W traffic

Public Cloud
• Amazon Web Services (AWS) and Microsoft Azure
• AWS Gov. Cloud (FTD 6.6) and Azure Gov. Cloud (Since 6.3)
• Auto Scale Support

Deployment Options

Feature VMware KVM AWS Azure

Routed Mode
Transparent Mode
Inline Pair
Inline TAP
Passive
High Availability

Cloud/Virtual Positioning: Choices and Benefits
Software: FTD; Manager: FMC, CDO+FDM

When to Position FTD
• NGFW features such as AMP/URL Filtering
• NGIPS in the cloud is a requirement
• Advanced Access Control

When to Position ASA
• Requirement is a low footprint stateful firewall in Public Clouds
• Next-Gen features are not important
• Granular VPN capability in the cloud is required

Benefits for Network Operations
• Available in AWS/Azure
• Scalable designs with LB
• Visibility in the Cloud
• Segmentation in the cloud
• Different instances for different needs

Benefits for Security Operations
• Granular IPS Policy Settings
• Network Discovery Policy
• Correlation Policies
• Threat Intelligence Director
• SIEM Integration
• Cloud+OnPrem visibility

Best Practices for Cloud & Virtual
• Build a scalable design with a native or 3rd party LB
• Connect your virtual appliances to FMC, either in the cloud or on-prem
• Leverage the available tools to identify cloud apps and apply controls to them
• Use RBAC for access separation and granular policies to avoid policy risk
• Leverage logs and use Firepower Recommendations

Summary of Use Cases Discussion

Recommended Manager and OS per Use Case

Use case                                  Managers of Choice   Details
Internet Edge                             CDO or FMC           CDO – cloud-based manager with SAL for logging and threat analytics;
                                                               FMC for advanced security configuration and analytics;
                                                               FTDs can connect to CDO directly through the data interface
Branch / Distributed                      CDO or FDM           Onboarding is low-touch; SAL for logging and threat analytics
RA VPN (Dedicated)                        CSM, ASDM, CDO       ASA incorporates full functionalities
Data Center Edge / Core / Campus fabric   FMC                  FMC supports advanced security configuration and analytics, clustering, TrustSec
NGFWv in Public Cloud                     CDO, FMC, FDM        CDO – cloud-based manager with SAL for logging and threat analytics;
                                                               FMC for advanced security configuration and analytics
NGIPS                                     FMC                  FMC supports all the advanced IPS features, and provides a separate interface from the Firewall
Recommended Managed Device per Use Case

Use Case Virtual 1000 2100 4100 9300

Internet Edge *

Remote Access VPN *

Enterprise Branch

Data Center **

NGIPS **

*Integrated
**Private Cloud
Migration of Config Using FMT

Thank you

#CiscoLive