
ASA Firepower NGFW Typical Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer - jefanell@cisco.com
BRKSEC-2050
#jefanell

About your speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization

I’m from the U.S. state with the longest suspension bridge in the western hemisphere! MICHIGAN (the “mitten” state..)

Cisco Firepower Sessions: Building Blocks

BRKSEC-2056  Threat Centric Network Security                   Tuesday 11:15
BRKSEC-2050  ASA Firepower NGFW typical deployment scenarios   Tuesday 14:15
BRKSEC-2058  A Deep Dive into using the Firepower Manager      Tuesday 16:45
BRKSEC-3032  NGFW Clustering Deep Dive                         Wednesday 9:00
BRKSEC-3035  Firepower Platform Deep Dive                      Thursday 9:00
BRKSEC-3455  Dissecting Firepower NGFW (FTD+FPS)               Friday 9:00

BRKSEC-2050 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Today’s Agenda

• Firepower System Architecture Overview
• Platforms & Capabilities
• Firepower Software Deep Dive
• Firepower 6.1 / 6.2 New Capabilities
• Management Options
• Deployment Modes
• Deployment Use Cases

Abbreviation Key!
ASA = Adaptive Security Appliance
FTD = Firepower Threat Defense
FPS = Firepower Services
FMC = Firepower Management Center
PAN = Place to cook your eggs
FDM = Firepower Device Manager
NGFW = Next Generation Firewall
NGIPS = Next Generation Intrusion Prevention System
AMP = Advanced Malware Protection
API = Application Programming Interface
ISE = Identity Services Engine
IoC = Indicator of Compromise

Systems Architecture Overview
How did we get here from there?
• Adaptive Security Appliance (ASA)
• FirePOWER NGIPS
• ASA with FirePOWER Services?
• Firepower NGFW?

ASA “Adaptive Security Appliance”

Diagram: Network Firewall [Routing | Switching]; Protocol Inspection; Data Center Security; HA and Clustering; VPN; Mix Mode; Multi Context; Identity Based Policy Control; Service Provider Security
ASDM (OnBox) / Command Line
Cisco Security Manager / RESTful API for Management

ASA with FirePOWER Services

► Cisco ASA is world’s most widely deployed, enterprise-class stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER next-generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced malware protection

Diagram: Cisco Collective Security Intelligence Enabled; Clustering & High Availability; Intrusion Prevention (Subscription); Advanced Malware Protection (Subscription); URL Filtering (Subscription); FireSIGHT Analytics & Automation; Application Visibility & Control; Network Firewall Routing | Switching; Identity-Policy Control & VPN; Built-in Network Profiling; Cisco ASA

Firepower Threat Defense

Diagram: Cisco Collective Security Intelligence; High Availability; Intrusion Prevention; Malware Protection; URL Filtering; Analytics & Automation; Network Firewall and Routing; Application Visibility and Control; Network Profiling; Identity-Policy Control; Identity Based Policy Control

Integrated Software - Single Management

Firepower Threat Defense (FTD) Software

ASA with Firepower Services: Full Feature Set
  Firepower (L7)
  • Threat-Centric NGIPS
  • AVC, URL Filtering for NGFW
  • Advanced Malware Protection
  ASA (L2-L4)
  • L2-L4 Stateful Firewall
  • Scalable CGNAT, ACL, routing
  • Application inspection

Firepower Threat Defense: Single Converged OS (Firewall, URL, Visibility, Threats)
Continuous Feature Migration from ASA with Firepower Services to Firepower Threat Defense
Both managed by Firepower Management Center (FMC)*

* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)

Feature Comparison: ASA with Firepower Services and Firepower Threat Defense
Note: Not an exhaustive feature list

Features                                          | Firepower Threat Defense                                         | Firepower Services for ASA
SIMILARITIES
Routing + NAT                                     | ✔ (OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR via FlexConfig)  | ✔ (OSPF, BGP, EIGRP, static, RIP, Multicast)
OnBox Management                                  | ✔                                                                | ✔
HA (Active/Passive)                               | ✔                                                                | ✔
Clustering (Active/Active)                        | ✔                                                                | ✔
Site to Site VPN                                  | ✔                                                                | ✔
Policy based on SGT tags                          | ✔                                                                | ✔
DIFFERENCES
Unified ASA and Firepower rules and objects       | ✔                                                                | ✘
Hypervisor Support (AWS, VMware, KVM, Azure 6.2)  | ✔                                                                | ✘
Smart Licensing Support                           | ✔                                                                | ✘
Multi-Context Support                             | ✘ (Coming Soon!)                                                 | ✔
Remote Access VPN                                 | ✔ (6.2.1)                                                        | ✔

What are the Firepower Deployment Options?

Firepower Appliances (FirePOWER Services Appliances): 7000/7100/8000/Virtual
ASA with Firepower Services (ASA 9.5.x): ASA 5500X (all models)
Firepower Threat Defense (Unified Software Image): ASA 5500X / Virtual, Firepower 2100 / 4100 / 9300

5585 cannot run FTD Image!

All Managed by Firepower Management Center

Platforms & Capabilities
Cisco ASA 5500-X
SMB and Enterprise Branch NGFW

5506 / 5508 / 5516 - Performance
• 1-Gbps interfaces
• Up to 450 Mbps throughput
• Wireless Option for 5506-X
• Software Switching capability
• Firepower Threat Defense or ASA Software Options

5525 / 5545 / 5555 - Performance
• 1-Gbps interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555 Redundant Power Supply and SSD option
• Firepower Threat Defense or ASA Software Options

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Cisco Firepower 2100 Series
Introducing four high-performance models

Performance and Density Optimization
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 Models
• 1x Network Module
• Fail to Wire Option
• DC & Dual PSU support

Purpose Built NGFW
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Firepower 2100 Series Performance

                                       FPR 2110   FPR 2120   FPR 2130   FPR 2140
Throughput NGFW                        1.9 Gbps   3 Gbps     4.75 Gbps  8.5 Gbps
Throughput NGFW + IPS                  1.9 Gbps   3 Gbps     4.75 Gbps  8.5 Gbps
Maximum concurrent sessions            1M         1.2M       2M         3.5M
Maximum new connections per second     12000      16000      24000      40000

NO DROP IN PERFORMANCE! (NGFW + IPS throughput equals NGFW throughput)
Note: Early Performance Numbers

Cisco Firepower 4100 Series
High performance campus and data center

Performance and Density Optimization
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Cisco Firepower 9300 Platform
High performance data center

Modular
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management

Multiservice Security
Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• ASA container option
• Firepower™ Threat Defense: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS

Carrier Class
Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability

Cisco NGFW Platforms
Up to 6x with clustering!

Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS Throughput)
Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS Throughput)
Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb; 93xx = 24 Gb -> 53 Gb

NGFW capabilities all managed by Firepower Management Center

Software Support – Physical Platforms

Platform                                  | ASA  | ASA with FirePOWER Services | Firepower NGIPS | Firepower Threat Defense
ASA 5506X -> 5555X (all models)           | ✓    | ✓                           |                 | ✓
Firepower 2100 (all models)               | NO!  |                             |                 | ✓
Firepower 4100 (all models)               | ✓    |                             |                 | ✓
Firepower 9300 (all models)               | ✓    |                             |                 | ✓
ASA 5585 (With SSP blade)                 | ✓    | ✓                           |                 |
Firepower 7000 / 8000 (IPS appliances)    |      |                             | ✓               |

Software Support - Virtual Platforms

Platform                                     | ASA | Firepower NGIPS | Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM)     | ✓   |                 |
Firepower NGIPSv (vSphere + ISR UCSE)        |     | ✓               |
Firepower NGFWv (vSphere, AWS, Azure, KVM)   |     |                 | ✓

Firepower NGFW Software
Provide next-generation visibility into app usage
Application Visibility & Control

Diagram: Cisco database (4,000+ apps, 180,000+ Micro-apps) and OpenAppID feed detection of Network & users; Prioritize traffic

See and understand risks - Enforce granular access control - Prioritize traffic and limit rates - Create detectors for custom apps

OpenAppID Integration
Open source application-focused detection language that enables users to create, share and implement custom application detection.

• What is OpenAppID?
• Open source app-focused detection language
• > 2500 detectors contributed by Cisco
• > 20,000 downloads of the detection pack since last September
• Snort-community supported
• Simple Language
• Reduced dependency on vendor release cycles
• Written using the Lua scripting language

Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability

Diagram: Security feeds (Cisco URL Database: URL | IP | DNS) -> NGFW (Filtering, Safe Search, DNS Sinkhole, Category-based) -> Allow / Block; Policy Creation by Admin

Classify 280M+ URLs - Filter sites using 80+ categories - Manage “allow/block” lists easily - Block latest malicious URLs

URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC,…
• Multiple Actions: Allow, Monitor, Block, Interactive Block,…
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New Dashboard widget for URL SI
• Black/White-list URL with one click
(Screenshot: URL-SI Categories)

DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
• New Dashboard widget for DNS SI
(Screenshot: DNS List Action)

NGFW Policy
DNS SI: C&C servers
DNS Inspection: DNS Sinkhole

Diagram: the Endpoint (10.15.0.21) queries the Local DNS Server; the NGFW applies Action: DNS Sinkhole and answers with the Sinkhole IP; the endpoint's connection to the Sinkhole IP is then seen by the NGFW (X Sinkhole) and generates SI events & IOC’s

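A model of the sinkhole flow drawn on this slide, added here as an example and not Cisco code: the DNS SI list contents, the sinkhole address 10.99.99.99 and the connection log format are constructed, and the listed domain names are placeholders.

```python
"""Model of the DNS Security Intelligence sinkhole flow: a query for a listed
domain gets a spoofed answer pointing at the sinkhole, and any endpoint that then
connects to the sinkhole address is flagged with an Indication of Compromise.
Added example, not Cisco code; all lists, addresses and log lines are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed DNS SI lists by category (the slide names CnC, Spam, Malware, Phishing)
DNS_SI_LISTS: Dict[str, Set[str]] = {
    "CnC": {"c2.example-bad.test", "beacon.example-bad.test"},
    "Malware": {"drop.example-bad.test"},
}
# One action per category, chosen from the slide's list: Block, Domain Not Found, Sinkhole, Monitor
DNS_SI_ACTIONS: Dict[str, str] = {"CnC": "Sinkhole", "Malware": "Domain Not Found"}
# Constructed sinkhole address: one the defender controls and no host should legitimately reach
SINKHOLE_IP = "10.99.99.99"


@dataclass
class DnsVerdict:
    domain: str
    action: str                # Allow, Monitor, Block, Domain Not Found or Sinkhole
    category: Optional[str]    # matching SI list, None when the domain is not listed
    answer: Optional[str]      # address handed back to the client, None when no answer is sent


def match_domain(qname: str) -> Optional[str]:
    """Return the SI category whose list contains qname or one of its parent domains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in DNS_SI_LISTS.items():
            if candidate in domains:
                return category
    return None


def dns_si_lookup(qname: str, resolved_ip: str) -> DnsVerdict:
    """Apply the DNS SI policy to the reply the local DNS server produced for qname."""
    category = match_domain(qname)
    if category is None:
        return DnsVerdict(qname, "Allow", None, resolved_ip)
    action = DNS_SI_ACTIONS.get(category, "Monitor")
    if action == "Sinkhole":
        # The real answer is replaced, so the client talks to the sinkhole instead of the C&C server
        return DnsVerdict(qname, action, category, SINKHOLE_IP)
    if action in ("Block", "Domain Not Found"):
        return DnsVerdict(qname, action, category, None)
    return DnsVerdict(qname, action, category, resolved_ip)   # Monitor: log, leave the answer alone


def sinkhole_iocs(connection_log: List[str]) -> Dict[str, List[str]]:
    """Map each source host that connected to the sinkhole to the log lines that show it.
    Constructed log format: '<src_ip> -> <dst_ip>:<dst_port> <proto>'."""
    hits: Dict[str, List[str]] = {}
    for line in connection_log:
        src, _, rest = line.partition(" -> ")
        dst = rest.split(":", 1)[0]
        if dst == SINKHOLE_IP:
            hits.setdefault(src.strip(), []).append(line)
    return hits


# Constructed connection records; 10.15.0.21 is the endpoint drawn on the slide
SAMPLE_LOG = [
    "10.15.0.21 -> 10.99.99.99:443 tcp",
    "10.15.0.22 -> 198.51.100.7:443 tcp",
    "10.15.0.21 -> 10.99.99.99:80 tcp",
]

if __name__ == "__main__":
    for qname in ("c2.example-bad.test", "drop.example-bad.test", "www.example.com"):
        print(dns_si_lookup(qname, "203.0.113.5"))
    for host, lines in sinkhole_iocs(SAMPLE_LOG).items():
        print(f"IoC: {host} contacted the sinkhole {len(lines)} time(s)")
```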
Visibility for encrypted traffic
SSL TLS handshake certificate inspection and TLS decryption engine

Diagram: encrypted HTTPS flows -> SSL decryption engine -> NGIPS / AVC enforcement decisions (categories such as gambling and illicit) -> Encrypted Traffic Log

Decrypt 3.5 Gbps traffic over five million simultaneous flows - Inspect deciphered packets - Track and log all SSL sessions

Integrated SSL Decryption
• Multiple Deployment modes
  • Passive Inbound (known keys)
  • Inbound Inline (with or without keys)
  • Outbound Inline (without keys)
• Flexible SSL support for HTTPS & StartTLS based apps
  • E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies
  • e.g. Blocking: self-signed encrypted traffic, SSL version, specific Cipher Suites, unapproved mobile devices

Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)

Diagram: Data packets and ISE App & Device Data -> (1) scan, (2) correlate, (3) respond: Block (blended threats, phishing attacks), Accept (innocuous payloads, infrequent callouts); Network communications profiling; Prioritize response; Automate policies

Scan network traffic - Correlate data - Detect stealthy threats - Respond based on priority

Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)

Diagram: AMP for Endpoint Log and AMP for Network Log -> File Reputation (Known Signatures, Fuzzy Fingerprinting, Indications of compromise) -> Threat Grid Sandboxing (Advanced Analytics, Dynamic analysis, Threat intelligence, Sandbox Analysis) -> Threat Disposition (Uncertain / Safe / Risky) -> File & Device Trajectory; Enforcement across all endpoints

Block known malware - Investigate files safely - Detect new threats - Respond to alerts

Improve traffic control with new features
Additional Firewall Features

Identity Integration: ISE, pxGrid, VDI (Target threats accurately)
Captive Portal: Active/Passive, NTLM, Kerberos (Enforce authentication)
FlexConfig: CLI policies, Legacy ASA feature control (Granular Config Controls)
Rate limiting: Rule-based limits, Reports, QoS rules (Control application usage)
Tunnel Policy: Pre-filtering, Priority policy, Policy migration (Block unwanted traffic early)

ISE Integration

• pxGrid feed to retrieve from ISE:
  • AD Username (Group lookup via AD Realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules
  • i.e. block HR users from using personal iPads
• Reduces ACL size and complexity

ISE Integration Screen Shot

Captive Portal / Active Authentication

• Enforces Authentication through the appliance
• Multiple Authentication modes (Passive, Active, Passive with Active Fallback)
• Various Supported Authentication types (e.g. Basic, NTLM, Advanced, Form)
• Guest / Non Windows Device Authentication Support
• Multi Realm Support

Method          | Source                                                 | LDAP/AD      | Authoritative?
Active          | Forced authentication through device                   | LDAP and AD  | yes
Passive         | Identity and IP mapping from AD Agent                  | AD           | yes
User Discovery  | Username scraped from traffic, passive from the wire   | LDAP and AD  | no

Captive Portal - Configuration
(Screenshot: Exclude User Agent, Action, Authentication Type)

Rate limiting configuration
• QOS Policy is a new policy type with separate policy table
• Not associated with an Access Control Policy – directly associated with devices

FlexConfig

• Provides a way to configure ASA features not exposed directly by Firepower Management Center
  • EIGRP Routing
  • PBR
  • ISIS Routing
  • NetFlow (NSEL) export
  • VXLAN
  • ALG inspections
  • IPv6 header inspection
  • BFD
  • Platform Sysopt commands
  • WCCP

FlexConfig Example: DHCPv6_Prefix_Delegation_Configure

• Description: Configure IPv6 Prefix Delegation on FTD
• Configure:
  • One outside (Prefix Delegation client) interface
  • One inside interface (recipient of delegated prefix) for IPv6 prefix delegation.
• This template should be copied and the variables modified as appropriate.

FlexConfig Example: DHCPv6_Prefix_Delegation_Configure

## Outside interface (PD client): logical name, prefix pool name, prefix hint
#set ( $pdoutside = ["outside", "Outside-Prefix", "::/56"] )
## Walk the device's routed interfaces and match the one whose logical name is the PD client
#foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
#if($j.intf_logical_name == $pdoutside.get(0))
interface $j.intf_hardwarare_id
ipv6 dhcp client pd $pdoutside.get(1)
ipv6 dhcp client pd hint $pdoutside.get(2)
#end
#end
## Inside interface (recipient of delegated prefix): logical name, prefix pool name, suffix
#set ( $pdinside = ["inside", "Outside-Prefix", "::1:0:0:0:4/64"] )
## The inside address is built from the delegated pool ("Outside-Prefix") plus the suffix
#foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
#if($j.intf_logical_name == $pdinside.get(0))
interface $j.intf_hardwarare_id
ipv6 address $pdinside.get(1) $pdinside.get(2)
#end
#end

Firepower Management Center New Capabilities

Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet

Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer

Lookup features – Geolocation & WHOIS

Lookup Feature: URL

ISE remediation using pxGrid

Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)

• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources

Cisco Threat Intelligence Director Overview
(Diagram: Cisco Threat Intelligence Director)

Hail a TAXII !!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source
• URL: http://hailataxii.com/taxii-discovery-service
• USERNAME: guest
• PASSWORD: guest

Management Platform Options
Management Options

On-box: Firepower Device Manager - Enables easy on-box management of common security and policy tasks
Centralized: Firepower Management Center - Enables comprehensive security administration and automation of multiple appliances
Cloud-based: Cisco Defense Orchestrator - Enables centralized cloud-based policy management of multiple deployments

Firepower Device Manager
• Free local manager for managing a single Firepower Threat Defense device
• Targeted for SMB market
• Designed for Networking / Security Administrator
• Simple & Intuitive

Firepower Device Manager Demo

Firepower Management Center: Overview
• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and “Services” deployments
• Unified policy management for Firepower appliances and Firepower Threat Defense
• Broadest set of security capabilities for Firepower platforms!
(Diagram: One Rule Table)

Firepower Management Center Demo

On-box vs Off-box
Firepower Management Center (Off-box) vs Firepower Device Manager (On-box)

NAT & Routing
Access Control
Intrusion & Malware
Device & Events Monitoring
VPN - Site to Site & RA
Security Intelligence
Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
Active/Passive Authentications
Firewall Mode: Router / Transparent (Firepower Management Center) vs Routed (Firepower Device Manager)
Threat Intelligence & Analytics
Correlation & Remediation
Risk Reports
Device Setup Wizard
Interface Port-Channel
High Availability

Deployment Designs: Use Case
Firepower Threat Defense - Internet / WAN Edge

Use Case: Internet Edge Firewall

Connectivity and Availability Requirement:
• High Availability
• Firewall should support Router or Transparent Mode

Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution
Security Application: Firepower Threat Defense application with FMC

Diagram: Service Provider / ISP -> Internet Edge (ROUTED mode, HSRP) -> FW in HA -> DMZ Network; vPC / Port-Channel -> Campus/Private Network

Connectivity and Availability
Deliver scalable performance across many sites
Firewall Link Aggregation – High Availability - Clustering

Link Redundancy: LACP (Link Aggregation Control Protocol) Link Redundancy
Active / Standby HA: Link Resiliency with link failures
Inter-chassis Clustering: Combine up to 6 9300 blades or 4100 chassis (see BRKSEC-3032 NGFW Clustering Deep Dive)

Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.

Diagram: outside 10.1.1.0/24 (firewall interface 10.1.1.1; NAT, DRP) | inside 192.168.1.0/24 (firewall interface 192.168.1.1); host IP: 192.168.1.100, GW: 192.168.1.1

Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
• Note:
  • No multiple context mode available on FTD today.
  • Routed or transparent mode configured with setup dialog.
  • Changing between these modes requires re-registering with FMC.
  • Policies will be re-deployed.

Diagram: router 192.168.1.1 on VLAN192 | transparent firewall | VLAN1920, 192.168.1.0/24; host IP: 192.168.1.100, GW: 192.168.1.1

IPv4 + IPv6 Support
Wired and Wireless in same zone

Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6

Security Requirements
Access Control Policy blocking inappropriate content

SSL Decrypt is fully configurable
Can specify by application, certificate fields / status, ciphers, etc.

DNS Sink-holing / Traffic Drop Rule Set
Based on DNS query results of client

Security Intelligence DNS Global Settings
Whitelist / Blacklist capabilities

Custom IPS Policy

Malware and File Analysis
Attached to Access Policy

Identity Requirements
Authentication and Authorization
Identity Policy based on Passive Authentication
Attaches to Access Control Policy

Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)

Active Directory “Realm” Configuration
• Multiple Entries
• LDAP / LDAPS
• Assigned to Identity Policy for Active or Passive Authentication

Identity Services Engine pxGrid Integration

• MUST install ROOT certificate (chain) on FMC that signed ISE pxGrid Cert
• MUST install ROOT certificate (chain) on ISE that signed FMC Cert
• Private keys not needed (of course!)

TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles

External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to be defined that exist in Active-Directory for FMC or shell login
• Can stack multiple methods

Secure Connection with Branch Office
• Simplified IPsec Wizard for Site to Site VPN Configuration
• Advanced Application level inspection can be enabled on VPN traffic of Partner and Vendor Network.
• Prefilter policy to bypass Advanced inspection and improve performance.
• Authentication supports both Pre-Shared Key and PKI.
• Branch Office Deployment to secure connection with Head Office.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.

Diagram: ISP - IPSec VPN - Edge Router - FPR2100 Failover pair

Site-to-Site VPN
• Firepower Management Center will provide monitoring of VPN tunnels
• Pre-shared key support
• PKI Certificate authentication support

Secure Remote Access for Roaming User
Secure access using Firepower
• Secure SSL/IPsec AnyConnect access to corporate network
• AMP and File inspection Policy to monitor roaming user data.
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.

Diagram: ISP - Internet Edge - FP2100 in HA - Campus/Private Network

Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies

Deployment Designs: Use Cases - Other Modes

Firepower Threat Defense Deployment Modes
Can Mix and Match on same hardware to maximize value and visibility

Inline or Passive: Inline, Inline Tap, Passive
Fail-to-wire NetMods: NetMod
Additional options: Routed, Transparent, Virtual or Physical

Firepower Threat Defense Inline Pairs
• Allows IPS (or IDS) inspection of traffic bridged between physical interfaces.
• Can be configured in addition to routed / transparent NGFW interfaces on the FTD Device
• Be careful not to exceed platform performance limitations!

Promiscuous Interface
• Only copies of the packets are sent to the sensor
• Mostly detection, limited protection
• Optional prevention through external blocking
• Separate device must send copies of the packets
  • Span (or monitor) from a switch
  • VACL capture from a switch
  • Network Taps

Diagram: Ethernet Switch - SPAN Destination Port or VACL Capture - Promiscuous Interface

Virtual Deployment Modes
Virtual FTD prerequisites
• Multi-hypervisor support:
  • KVM
  • VMware vSphere 5.5+
  • Cisco Cloud Services Platform
• Provide the necessary virtual resources:
  • 4 x vCPUs
  • 4-8 GB of RAM
  • 48 GB of disk space
Firepower Threat Defense for AWS & Azure
• Global AWS data center support
• Smart License capable (“BYOL”)
• Managed with FMC
Integrated Routing and Bridging
• “Software switch” capability
• Allows configuration of bridge groups in routed firewall mode
• Regular routed interfaces can now co-exist with BVI interfaces and interfaces that are members of bridge groups

[Diagram: FTD or ASA (single context) with BVI 1, BVI 2, a Dept. X interface and an Outside interface]
Integrated Routing and Bridging = Software Switch

[Diagram: hosts on bridge-group member interfaces sit in the SAME VLAN and are switched by the firewall]
Integrated Routing and Bridging
• A BVI interface can now have a name assigned to it; this enables it to participate in routing
• Only static routing is enabled on BVI interfaces in
ASA - FTD Migration Tool
Firepower 6.1+ introduces migration support for key ASA configurations:
• Access rules, NAT and referenced objects
• Support for ASA 9.1.x onwards
• For partners and customers
• Better scale
• Expanded config support (roadmap)
Migration Tool Features
• ASA to FTD configuration migration
• Migrated policies downloadable as a .sfo file importable into FMC
• Migration report
• Supports ASA access rules, NAT policies and their referenced objects
• Qualified with 10,000 ACEs and objects, with no more than 50,000 flattened rule entries (an ACE that references object-groups counts once per combination of expanded members)
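An added example, not code from the deck or from Cisco's migration tool: a small Python pre-check that counts ACEs in an ASA configuration and expands every object-group reference the way flattening does, then compares both counts against the 10,000 ACE / 50,000 flattened-entry figures the tool was qualified with. It assumes the ASA config subset shown (object-group network/service blocks, group-object nesting, extended ACEs referenced by name); the sample configuration, object-group names and addresses are constructed for the demo.

```python
"""Pre-migration size check for an ASA configuration.

Counts ACEs and the number of flattened rule entries they expand to once
every referenced object-group is enumerated, and compares both against the
limits the migration tool was qualified with.
"""
import re
from math import prod

# Limits quoted on the slide (migration tool qualified to these).
ACE_LIMIT = 10_000
FLATTENED_LIMIT = 50_000

# Constructed sample ASA config for the demo; not taken from any real device.
SAMPLE_CONFIG = """\
object-group network WEB-SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.1.2.0 255.255.255.0
object-group network BRANCH-NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object-group network ALL-SERVERS
 description web tier plus the jump host
 group-object WEB-SERVERS
 network-object host 10.1.3.5
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE-IN remark branch users to the web tier
access-list OUTSIDE-IN extended permit tcp object-group BRANCH-NETS object-group WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended deny ip any any
access-list MGMT-IN extended permit tcp object-group BRANCH-NETS object-group ALL-SERVERS eq 22
"""

# Only the object-group kinds this demo understands (assumption: a subset of ASA syntax).
GROUP_HEADER = re.compile(r"^object-group\s+(?:network|service|protocol|icmp-type)\s+(\S+)")
# Lines inside an object-group block that each contribute one member.
MEMBER_PREFIXES = ("network-object", "port-object", "service-object",
                   "protocol-object", "icmp-object")


def parse_object_groups(config: str) -> dict:
    """Return {group_name: {"members": n, "nested": [names]}} for every object-group."""
    groups, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        header = GROUP_HEADER.match(raw)
        if header:
            current = header.group(1)
            groups[current] = {"members": 0, "nested": []}
            continue
        if raw.startswith(" ") and current is not None:
            body = raw.strip()
            if body.startswith("group-object "):
                groups[current]["nested"].append(body.split()[1])
            elif body.startswith(MEMBER_PREFIXES):
                groups[current]["members"] += 1
            continue  # description lines and the like add nothing
        current = None  # any other top-level command ends the block
    return groups


def group_size(name: str, groups: dict, _stack: tuple = ()) -> int:
    """Effective member count of a group, following nested group-object references."""
    if name not in groups:
        raise KeyError(f"object-group {name} is referenced but never defined")
    if name in _stack:
        raise ValueError(f"circular group-object reference through {name}")
    g = groups[name]
    return g["members"] + sum(group_size(n, groups, _stack + (name,)) for n in g["nested"])


def check_migration_limits(config: str, ace_limit: int = ACE_LIMIT,
                           flattened_limit: int = FLATTENED_LIMIT) -> dict:
    """Count ACEs per ACL, expand object-group references, and compare with the limits."""
    groups = parse_object_groups(config)
    per_acl = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        if not any(t in ("permit", "deny") for t in tokens):
            continue
        # Each "object-group NAME" reference multiplies the flattened count.
        refs = [tokens[i + 1] for i, t in enumerate(tokens) if t == "object-group"]
        expanded = prod(group_size(r, groups) for r in refs)  # 1 when no groups
        entry = per_acl.setdefault(tokens[1], {"aces": 0, "flattened": 0})
        entry["aces"] += 1
        entry["flattened"] += expanded
    aces = sum(e["aces"] for e in per_acl.values())
    flattened = sum(e["flattened"] for e in per_acl.values())
    return {
        "aces": aces,
        "flattened": flattened,
        "per_acl": per_acl,
        "within_limits": aces <= ace_limit and flattened <= flattened_limit,
    }


if __name__ == "__main__":
    result = check_migration_limits(SAMPLE_CONFIG)
    for acl, counts in result["per_acl"].items():
        print(f"{acl}: {counts['aces']} ACEs -> {counts['flattened']} flattened entries")
    print(f"total {result['aces']} ACEs, {result['flattened']} flattened, "
          f"within qualified limits: {result['within_limits']}")
```

On the constructed config the first OUTSIDE-IN rule alone expands to 2 x 3 x 2 = 12 entries, and the MGMT-IN rule to 2 x 4 = 8 because ALL-SERVERS nests WEB-SERVERS; four ACEs become 22 flattened entries, which is the ratio that makes a 10,000-ACE config hit the 50,000-entry limit long before the ACE limit. Run it against a real `show running-config` export before handing the file to the migration tool.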
Migration Process Overview
1. Export the ASA configuration as a .cfg or .txt file.
2. Run it through the migration tool on an FMCv deployed as the migration tool.
3. Review the migration report and download the .sfo file.
4. Import the .sfo file into the FMC managing the FTD device, as an Access Control Policy or a Prefilter Policy.
5. Register the FTD device to that FMC and apply the migrated policy.
Migration Capabilities – Today & Roadmap

Firepower 6.1/6.2:
• ACLs: ability to migrate access control rules
• NAT: ability to migrate NAT rules
• Objects: support for migrating objects corresponding to ACL and NAT rules, except Users, Time Range, FQDN, SGT
• ASA versions: support for ASA 9.1+ versions

Firepower 6.x roadmap:
• Additional object support: ability to migrate additional types of objects for access rules (Users, Time Range, FQDN, SGT)
• User experience: improved usability; tool and report improvements
• Device configurations: routing, VPN, platform settings etc.
• ASA versions: support for ASA 8.4+ versions
Firepower Threat Defense Summary
• Robust NGFW feature set: extending our threat leadership
• Flexible deployment: enabling more NGFW use cases
• Unified management: delivering on our convergence story
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Thank You
