ASA Firepower NGFW Typical Deployment Scenarios
Deployment Scenarios
#jefanell
About your speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization
BRKSEC-2050 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Today’s Agenda
Systems Architecture Overview
How did we get here from there?
• Adaptive Security Appliance (ASA)
• FirePOWER NGIPS
• ASA with FirePOWER Services?
• Firepower NGFW?
ASA “Adaptive Security Appliance”
ASA with FirePOWER Services
[Figure: ASA with FirePOWER Services adds Application Visibility and Control (AVC) and Analytics & Automation]
Firepower Threat Defense
[Figure: Firepower Threat Defense capabilities, fed by Cisco Collective Security Intelligence: Network Firewall, Routing, Intrusion Prevention, Malware Protection, URL Filtering, Application Visibility and Control, Network Profiling, Identity-Based Policy Control, Analytics & Automation, High Availability]
Firepower Threat Defense (FTD) Software
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Feature Comparison: ASA with Firepower Services and Firepower Threat Defense
Note: Not an exhaustive feature list

Feature                                          | Firepower Threat Defense | ASA with Firepower Services
OnBox Management                                 | ✔                        | ✔
HA (Active/Passive)                              | ✔                        | ✔
Clustering (Active/Active)                       | ✔                        | ✔
Site to Site VPN                                 | ✔                        | ✔
Policy based on SGT tags                         | ✔                        | ✔
Differences:
Unified ASA and Firepower rules and objects      | ✔                        | ✘
Hypervisor Support (AWS, VMware, KVM, Azure 6.2) | ✔                        | ✘
What are the Firepower Deployment Options?
Firepower Appliances | ASA with FirePOWER Services | Firepower Threat Defense (Unified Software Image)
ASA 9.5.x
• Wireless Option for 5506-X
• Software Switching capability
• Firepower Threat Defense or ASA Software Options
• 5545 / 5555 Redundant Power Supply and SSD option
• Firepower Threat Defense or ASA Software Options
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Cisco Firepower 2100 Series
Introducing four high-performance models
Performance and Density Optimization:
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
Purpose Built NGFW:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
Unified Management:
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
Firepower 2100 Series Performance
                                      FPR 2110   FPR 2120   FPR 2130    FPR 2140
Throughput NGFW                       1.9 Gbps   3 Gbps     4.75 Gbps   8.5 Gbps
Throughput NGFW + IPS                 1.9 Gbps   3 Gbps     4.75 Gbps   8.5 Gbps   (No drop in performance!)
Maximum concurrent sessions           1M         1.2M       2M          3.5M
Maximum new connections per second    12000      16000      24000       40000
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Cisco Firepower 9300 Platform
High performance data center
Modular
Benefits:
• Standards and interoperability
• Flexible architecture
Features:
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management
Multiservice Security
Benefits:
• Integration of best-in-class security
• Dynamic service stitching
Features*:
• ASA container option
• Firepower™ Threat Defense: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS
Carrier Class
Features:
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready
Software Support – Physical Platforms
Software Support - Virtual Platforms
Firepower NGFW Software
Provide next-generation visibility into app usage
Application Visibility & Control
[Figure: the Cisco database (4,000+ apps, 180,000+ micro-apps) and OpenAppID detectors identify applications for the network & users, so traffic can be prioritized]
See and understand risks | Enforce granular access control | Prioritize traffic and limit rates | Create detectors for custom apps
OpenAppID Integration
Open source application-focused detection language that enables users to create, share and implement custom application detection.
• What is OpenAppID?
• Open source app-focused detection language
• > 2500 detectors contributed by Cisco
• > 20,000 downloads of the detection pack since last September
• Snort-community supported
• Simple language
• Reduced dependency on vendor release cycles
• Written using the Lua scripting language
Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
[Figure: security feeds and the Cisco URL Database (URL | IP | DNS) drive NGFW filtering and Safe Search, with allow/block decisions]
Classify 280M+ URLs | Filter sites using 80+ categories | Manage “allow/block” lists easily | Block latest malicious URLs
URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC, …
• Multiple actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New Dashboard widget for URL SI
• Black/White-list URL with one click
[Screenshot: URL-SI Categories]
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
• New Dashboard widget for DNS SI
[Screenshot: DNS List Action]
[Figure: NGFW Policy with DNS SI for C&C servers: the endpoint (10.15.0.21) queries a C&C domain, the answer points it at the sinkhole, and its connection to the sinkhole IP identifies it]
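The DNS Security Intelligence actions (Block, Domain Not Found, Sinkhole, Monitor) and the sinkhole follow-up on the two slides above, as an added Python model that is not Cisco code: the SI lists, the sinkhole address and the DNS/connection events are constructed, and only the endpoint address 10.15.0.21 is taken from the slide.

```python
from collections import defaultdict
# Added example, not Cisco code: model of DNS SI actions + sinkhole follow-up.
# Sinkhole IP is constructed; endpoint 10.15.0.21 is the one on the slide.
SINKHOLE_IP = "192.0.2.1"
# Constructed DNS SI lists (category -> domains) and the action per category.
DNS_LISTS = {
    "CnC": {"evil-c2.example", "beacon.example"},
    "Malware": {"dropper.example"},
    "Phishing": {"login-verify.example"},
    "Spam": {"bulkmail.example"},
}
ACTIONS = {"CnC": "sinkhole", "Malware": "domain_not_found",
           "Phishing": "block", "Spam": "monitor"}

def match_domain(qname):
    """(category, listed_domain) if qname or any parent domain is listed.
    Suffix matching lets one entry cover all hosts a fast-flux domain rotates."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        candidate = ".".join(labels[i:])
        for category, domains in DNS_LISTS.items():
            if candidate in domains:
                return category, candidate
    return None, None

def evaluate_query(client_ip, qname):
    """Apply the DNS SI action for one query and return the verdict."""
    category, listed = match_domain(qname)
    verdict = {"client": client_ip, "qname": qname, "category": category,
               "matched": listed, "action": "allow", "answer": "forwarded"}
    if category is None:
        return verdict
    action = ACTIONS[category]
    verdict["action"] = action
    if action == "sinkhole":            # answer with the sinkhole, not the C&C
        verdict["answer"] = SINKHOLE_IP
    elif action == "domain_not_found":  # tell the client the name does not exist
        verdict["answer"] = "NXDOMAIN"
    elif action == "block":             # drop the query, no response at all
        verdict["answer"] = None
    # "monitor" resolves normally and only logs the event for correlation
    return verdict

def find_compromised(dns_queries, connections, sinkhole_ip=SINKHOLE_IP):
    """Flag every endpoint that connects to the sinkhole IP, listing the
    sinkholed names it queried first. A hit with no prior query (cached
    answer, resolver outside the NGFW's view) is still flagged, with []."""
    events = [(t, "dns", c, q) for t, c, q in dns_queries]
    events += [(t, "conn", c, dst) for t, c, dst, _port in connections]
    events.sort(key=lambda e: e[0])
    sinkholed = defaultdict(list)   # client -> names answered with sinkhole
    flagged = {}
    for _t, kind, client, payload in events:
        if kind == "dns":
            if evaluate_query(client, payload)["answer"] == sinkhole_ip:
                sinkholed[client].append(payload)
        elif payload == sinkhole_ip:
            flagged[client] = list(sinkholed[client])
    return flagged

# Constructed events: (time, client, qname) and (time, client, dst, port).
DNS_QUERIES = [
    (100, "10.15.0.21", "www.example.com"),
    (101, "10.15.0.21", "host7.evil-c2.example"),   # sinkholed
    (102, "10.15.0.33", "dropper.example"),          # NXDOMAIN
    (103, "10.15.0.40", "login-verify.example"),     # dropped
]
CONNECTIONS = [
    (105, "10.15.0.21", SINKHOLE_IP, 443),    # endpoint followed the sinkhole
    (106, "10.15.0.33", "198.51.100.9", 80),
    (107, "10.15.0.60", SINKHOLE_IP, 443),    # no query seen: cached answer
]
```

Running find_compromised(DNS_QUERIES, CONNECTIONS) flags 10.15.0.21 with the C&C name it resolved and 10.15.0.60 with an empty list, which is why the connection to the sinkhole, not the DNS event alone, is the indication of compromise.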
Visibility for encrypted traffic
SSL TLS handshake certificate inspection and TLS decryption engine
[Figure: the SSL decryption engine feeds NGIPS and AVC, and enforcement decisions are taken on the decrypted URLs by category (e.g. gambling)]
Decrypt 3.5 Gbps traffic over five million simultaneous flows | Inspect deciphered packets | Track and log all SSL sessions
Integrated SSL Decryption
• Multiple Deployment modes
• Passive Inbound (known keys)
• Inbound Inline (with or without keys)
• Outbound Inline (without keys)
Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
[Figure: data packets and ISE app & device data are scanned; blended threats (network communications profiling, phishing attacks), innocuous payloads and infrequent callouts are correlated and then blocked or accepted; response is prioritized and policies are automated]
Scan network traffic | Correlate data | Detect stealthy threats | Respond based on priority
Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
[Figure: File Reputation, File & Device Trajectory, AMP for Endpoint log, AMP for Network log]
Block known malware | Investigate files safely | Detect new threats | Respond to alerts
Improve traffic control with new features
Additional Firewall Features
ISE Integration
ISE Integration Screen Shot
Captive Portal / Active Authentication
Captive Portal - Configuration
Action
Authentication Type
Rate limiting configuration
• QOS Policy is a new policy type with separate policy table
• Not associated with an Access Control Policy – directly associated with devices
FlexConfig
FlexConfig Example:
DHCPv6_Prefix_Delegation_Configure
## Outside interface (PD client): logical name, prefix pool name, prefix hint
#set ( $pdoutside = ["outside", "Outside-Prefix", "::/56"] )
## $SYS_FTD_ROUTED_INTF_MAP_LIST is the FTD system variable listing the routed interfaces;
## the field names below (intf_logical_name, intf_hardwarare_id) must match it exactly
#foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
#if($j.intf_logical_name == $pdoutside.get(0))
interface $j.intf_hardwarare_id
ipv6 dhcp client pd $pdoutside.get(1)
ipv6 dhcp client pd hint $pdoutside.get(2)
#end
#end
## Inside interface (recipient of the delegated prefix): logical name, prefix pool name, suffix
## Note: the pool name must be the same one the outside interface fills
#set ( $pdinside = ["inside", "Outside-Prefix", "::1:0:0:0:4/64"] )
#foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
#if($j.intf_logical_name == $pdinside.get(0))
interface $j.intf_hardwarare_id
ipv6 address $pdinside.get(1) $pdinside.get(2)
#end
#end
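What the template above expands to, as an added Python model (not Cisco's Velocity engine): the two #foreach/#if blocks are reproduced as plain loops over a constructed stand-in for $SYS_FTD_ROUTED_INTF_MAP_LIST, plus the pre-deployment checks the template itself does not make; interface names and hardware ids are constructed.

```python
import ipaddress

# Added example, not Cisco code: plain-Python expansion of the
# DHCPv6_Prefix_Delegation_Configure FlexConfig template.
INTF_MAP_LIST = [   # constructed stand-in for $SYS_FTD_ROUTED_INTF_MAP_LIST
    {"intf_logical_name": "outside", "intf_hardwarare_id": "GigabitEthernet1/1"},
    {"intf_logical_name": "inside", "intf_hardwarare_id": "GigabitEthernet1/2"},
    {"intf_logical_name": "dmz", "intf_hardwarare_id": "GigabitEthernet1/3"},
]
# The two #set lists from the template: [logical name, pool name, hint|suffix].
PDOUTSIDE = ["outside", "Outside-Prefix", "::/56"]
PDINSIDE = ["inside", "Outside-Prefix", "::1:0:0:0:4/64"]

def render_pd_config(intf_map_list, pdoutside, pdinside):
    """Return the CLI lines the template emits for this interface map."""
    lines = []
    # Block 1: the PD client interface requests a prefix into the named pool.
    for j in intf_map_list:
        if j["intf_logical_name"] == pdoutside[0]:
            lines.append(f"interface {j['intf_hardwarare_id']}")
            lines.append(f"ipv6 dhcp client pd {pdoutside[1]}")
            lines.append(f"ipv6 dhcp client pd hint {pdoutside[2]}")
    # Block 2: the inside interface builds its address from pool + suffix.
    for j in intf_map_list:
        if j["intf_logical_name"] == pdinside[0]:
            lines.append(f"interface {j['intf_hardwarare_id']}")
            lines.append(f"ipv6 address {pdinside[1]} {pdinside[2]}")
    return lines

def check_pd_config(intf_map_list, pdoutside, pdinside):
    """Checks the template never makes; returns a list of problems.
    A logical name matching no interface silently produces no CLI at all,
    the inside entry must name the same pool as the outside one, and the
    hint / suffix must parse as an IPv6 prefix / address with length."""
    problems = []
    names = {j["intf_logical_name"] for j in intf_map_list}
    for role, spec in (("outside", pdoutside), ("inside", pdinside)):
        if spec[0] not in names:
            problems.append(f"{role}: no routed interface named {spec[0]!r}")
    if pdoutside[1] != pdinside[1]:
        problems.append("inside pool name does not match outside pool name")
    try:
        ipaddress.IPv6Network(pdoutside[2])      # e.g. ::/56, no host bits
    except ValueError:
        problems.append(f"bad prefix hint {pdoutside[2]!r}")
    try:
        ipaddress.IPv6Interface(pdinside[2])     # e.g. ::1:0:0:0:4/64
    except ValueError:
        problems.append(f"bad inside suffix {pdinside[2]!r}")
    return problems
```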
Firepower Management Center
New Capabilities
Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet
Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer
Lookup features – Geolocation & WHOIS
Lookup Feature: URL
ISE remediation using pxGrid
Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
Cisco Threat Intelligence Director Overview
[Figure: Cisco Threat Intelligence Director]
Hail a TAXII !!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source
• URL: http://hailataxii.com/taxii-discovery-service
• USERNAME: guest
• PASSWORD: guest
Management Platform Options
Management Options
On-box Centralized Cloud-based
Firepower Device Manager
• Free local manager for managing a single Firepower Threat Defense device
• Targeted for SMB market
• Designed for Networking Security Administrator
• Simple & Intuitive
Firepower Device Manager Demo
Firepower Management Center: Overview
• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and “Services” deployments
• Unified policy management for Firepower appliances and Firepower Threat Defense (one rule table)
• Broadest set of security capabilities for Firepower platforms!
Firepower Management Center
Demo
On-box vs Off-box
Firepower Management Center (Off-box) vs Firepower Device Manager (On-box), compared on:
• Access Control
• Security Intelligence
• Active/Passive Authentications
• Risk Reports
• Interface Port-Channel
• High Availability
Deployment Designs
Use Case
Routing Requirements:
• Static and BGP Routing, HSRP
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with FMC
[Figure: Internet edge with a DMZ network and the FW in HA, connected via vPC / Port-Channel to the Campus/Private Network]
Connectivity and Availability
Deliver scalable performance across many sites
Firewall Link Aggregation – High Availability - Clustering
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.
[Figure: the firewall routes between 10.1.1.0/24 (10.1.1.1) and 192.168.1.0/24 (192.168.1.1) with NAT and DRP; host IP 192.168.1.100, GW 192.168.1.1]
Firewall Design: Modes of Operation
• Note:
• No multiple context mode available on FTD today.
• Routed or transparent mode configured with setup dialog.
• Changing between these modes requires re-registering with FMC.
• Policies will be re-deployed.
[Figure: gateway 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1]
IPv4 + IPv6 Support
Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6
Security Requirements
Access Control Policy blocking inappropriate content
SSL Decrypt is fully configurable
Can specify by application, certificate fields / status, ciphers, etc
DNS Sink-holing / Traffic Drop Rule Set
Based on DNS query results of client
Security Intelligence DNS Global Settings
Whitelist / Blacklist capabilities
Custom IPS Policy
Malware and File Analysis
Attached to Access Policy
Identity Requirements
Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)
Active Directory “Realm” Configuration
• Multiple Entries
• LDAP / LDAPS
• Assigned to Identity Policy for Active or Passive Authentication
Identity Services Engine pxGrid Integration
TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles
External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to be defined that exist in Active-Directory for FMC or shell login
• Can stack multiple methods
Secure Connection with Branch Office
• Simplified IPsec Wizard for Site to Site VPN Configuration
• Advanced Application level inspection can be enabled on VPN traffic of Partner and Vendor Network.
• Prefilter policy to bypass Advanced inspection and improve performance.
• Authentication supports both Pre-Shared Key and PKI.
• Branch Office Deployment to secure connection with Head Office.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.
[Figure: IPsec VPN from the branch office over the ISP to the edge router and an FPR2100 failover pair]
Site-to-Site VPN
• Firepower Management Center will provide monitoring of VPN tunnels
• Pre-shared key support
• PKI Certificate authentication support
Secure Remote Access for Roaming User
Secure access using Firepower
• Secure SSL/IPsec AnyConnect access to corporate network
• AMP and File inspection Policy to monitor roaming user data.
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.
[Figure: roaming user over the ISP to the Internet edge, with the FP2100 in HA in front of the Campus/Private Network]
Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
• No clientless VPN support (client download only)
• No legacy Cisco IPsec IKEv1 client support
• No Dynamic Access Policies
Deployment Designs
Use Cases
Other Modes
Firepower Threat Defense Deployment Modes
Can Mix and Match on same hardware to maximize value and visibility
[Figure: NetMod with Inline Tap, Transparent and Passive interface modes, Virtual or Physical]
Firepower Threat Defense Inline Pairs
• Allows IPS (or IDS) inspection of traffic bridged between physical interfaces.
• Can be configured in addition to routed / transparent NGFW interfaces on the FTD device
• Be careful not to exceed platform performance limitations!
Promiscuous Interface
• Only copies of the packets are sent to the sensor
• Mostly detection, limited protection
• Optional prevention through external blocking
• Separate device must send copies of the packets
• SPAN (or monitor) from a switch
• VACL capture from a switch
• Network Taps
[Figure: an Ethernet switch SPAN destination port or VACL capture feeding the promiscuous interface]
Virtual Deployment Modes
Virtual FTD prerequisites
Multi-Hypervisor Support
KVM
VMWare vSphere 5.5+
Cisco Cloud Services Platform
Firepower Threat Defense for AWS & Azure
Integrated Routing and Bridging
Integrated Routing and Bridging
Integrated Routing and Bridging = Software Switch
SAME VLAN
Integrated Routing and Bridging
• BVI interface can now have a name assigned to it; this enables it to participate in routing
• Only static routing is enabled on BVI interfaces in
ASA - FTD Migration Tool
ASA – FTD Migration
Firepower 6.1+ introduces migration support for key ASA configurations
• Access Rules, NAT and referenced Objects
• Support for ASA 9.1.x onwards
• For Partners and customers
Migration Tool Features
• Migration tool features:
ASA to FTD Configuration Migration
Migrated policies downloadable as .sfo file importable in FMC
Migration Report
Migration Process Overview
[Figure: the ASA .cfg or .txr file is fed to an FMCv deployed as the migration tool, which produces a .sfo file and a Migration Report; the .sfo file is imported into the FMC managing the FTD device as an Access Control Policy or Prefilter policy, the Firepower device is registered and the migrated policy is applied]
Migration Capabilities – Today & Roadmap
Firepower 6.1/6.2:
• ACLs (except Users, Time Range, FQDN, SGT)
• ASA Versions: Support for ASA 9.1+ versions
Firepower 6.x Roadmap:
• Additional Object Support: Routing, VPN, Platform Settings etc.
• ASA Versions: Support for ASA 8.4+ versions
Firepower Threat Defense Summary
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank You