BRKSEC-2050


ASA Firepower NGFW: Typical Deployment Scenarios
BRKSEC-2050
Jeff Fanelli, Technical Solutions Architect, [email protected]
#jefanell
About your speaker
Jeff Fanelli
Technical Solutions Architect (2006)
Cisco Global Security Sales Organization
#jefanell
Trivia! I'm from the only U.S. state you can drive south into Canada from... the mitten state.


Session Objectives & Housekeeping
The BRKSEC-2050 session is designed to detail the architectural and functional capabilities of the Firepower line of NGFW physical and virtual appliances. Relevant diagrams and configuration examples are the foundation of the format.
At the end of the session, you should have:
An overview of the Cisco NGFW systems architecture, platforms and capabilities, and management offerings.
Knowledge of common NGFW deployment scenarios, including Internet Edge, WAN Edge, and virtual installations.
An understanding of how the various NGFW policies are configured and fit together.
Note: the session will NOT cover Cisco IOS Firewall, FWSM, ASA, IPSec/SSL VPN or clustering. This session is not a deep-dive on NGIPS or AMP.

BRKSEC-2050 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Cisco Firepower Sessions: Building Blocks
BRKSEC-2050: ASA Firepower NGFW typical deployment scenarios (Mon 1:30 PM, Tue 1:30 PM)
BRKSEC-2020: Firewall Deployment (FTD DC + Campus) (Mon 8:00 AM, Tue 8:00 AM)
BRKSEC-2058: A Deep Dive into using the Firepower Manager (Wed 8:00 AM, Wed 1:30 PM)
BRKSEC-3004: Deep Dive on Cisco Security in ACI (Tue 1:30 PM)
BRKSEC-2030: Deploying Intrusion Prevention Systems (Tue 1:30 PM)
BRKSEC-3035: Firepower 9300 Deep Dive (Wed 1:30 PM)
BRKSEC-3032: ASA Clustering Deep Dive (Thu 8:00 AM)
Today's Agenda
Firepower System Architecture Overview
Platforms & Capabilities
Firepower Software Deep Dive
Management Options
Firepower 6.1 New Capabilities
Deployment Modes
Deployment Use Cases
Systems Architecture Overview
How did we get here from there?
Adaptive Security Appliance (ASA)
FirePOWER NGIPS
ASA with FirePOWER Services?
Firepower NGFW?

ASA Adaptive Security Appliance
Network Firewall [Routing | Switching], Mix Mode
Protocol Inspection
VPN
HA and Clustering
Multi Context
Identity Based Policy Control
Data Center Security
Service Provider Security
Management: ASDM (OnBox) / Command Line, Cisco Security Manager / RESTful API
Firepower NGIPS Platforms
Firepower Next Generation IPS
Best of breed IPS, based on open source Snort
Integrated Advanced Malware Protection
Acquired by Cisco in 2013
ASA with FirePOWER Services
Cisco Collective Security Intelligence Enabled
Cisco ASA is the world's most widely deployed, enterprise-class stateful firewall
Industry-leading FirePOWER next-generation IPS (NGIPS)
Advanced malware protection
Reputation- and category-based URL filtering
Cisco ASA: Network Firewall, Routing | Switching, Clustering & High Availability, Identity-Policy Control & VPN
FirePOWER Services: Application Visibility and Control (AVC), Intrusion Prevention (Subscription), Advanced Malware Protection (Subscription), URL Filtering (Subscription), FireSIGHT Analytics & Automation, Built-in Network Profiling
Firepower Threat Defense
Cisco Collective Security Intelligence
High Availability, Intrusion Prevention, Malware Protection, URL Filtering
Network Firewall and Routing, Application Visibility & Control, Analytics & Automation, Network Profiling, Identity Based Policy Control
Integrated Software - Single Management
Firepower 6.0 on ASA: Upgrade vs Migrate
Choose Firepower Services or unified Threat Defense Software
Firepower Software on ASA Platforms:
FirePOWER Services 5.4 on ASA 9.5.x -> Upgrade -> FirePOWER Services 6.0* on ASA 9.5.x+
FirePOWER Services 5.4 on ASA 9.5.x -> Re-Image** -> Firepower Threat Defense 6.x
* Firepower Services 6.0 compatible ASA Version Required
** All shipping ASA 5500-X supported, except 5585-X and 5505
What are the Firepower 6 Deployment Options?
Firepower Appliances: Firepower Appliances 6.0 on 7000/7100/8000/Virtual (vSphere / AWS)
ASA with Firepower Services: FirePOWER Services 6.0 on ASA 9.5.x; ASA 5500X (all models)
Firepower Threat Defense (Unified Software Image): Firepower Threat Defense 6.0 on ASA 5500X / New Models; 5585 cannot run the FTD Image!
All Managed by Firepower Management Center 6
Platforms & Capabilities
Cisco NGFW Platforms
Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (Max AVC throughput)
Firepower 4100 Series and Firepower 9300: 41xx = 12 Gb -> 25 Gb; 93xx = 25 Gb -> 100Gb
Firepower Services on ASA 5500-X and 5585-X: 4.5 Gb -> 15 Gb (Max AVC throughput)
NGFW capabilities all managed by Firepower Management Center
Firepower 4100 Series
Introducing four new high-performance models
Performance and Density: 10-Gbps and 40-Gbps interfaces; Up to 80-Gbps throughput; 1-rack-unit (RU) form factor; Low latency
Multiservice Security Optimization: Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP); Radware DefensePro DDoS; ASA and other future third party
Unified Management: Single management interface with Firepower Threat Defense; Unified policy with inheritance; Choice of management deployment options
Cisco Firepower 9300 Platform
High-speed, scalable security
Modular
Benefits: Standards and interoperability; Flexible architecture
Features: Template-driven security; Secure containerization for customer apps; RESTful/JSON API; Third-party orchestration and management
Multiservice Security
Benefits: Integration of best-in-class security; Dynamic service stitching
Features*: Cisco ASA container; Cisco Firepower Threat Defense containers: NGIPS, AMP, URL, AVC; Third-party containers: Radware DDoS; Other ecosystem partners
Carrier Class
Benefits: Industry-leading performance: 600% higher performance, 30% higher port density
Features: Compact, 3RU form factor; 10-Gbps/40-Gbps I/O; 100-Gbps ready; Terabit backplane; Low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
Software Support - Physical Platforms
Support matrix columns: ASA, ASA FirePOWER Services, Firepower NGIPS, Firepower Threat Defense (checkmarks not shown)
Platforms: ASA 5506X -> 5555X (all models); ASA 5585 (With SSP blade); Firepower 4100 (all models); Firepower 9300 (all models); Firepower 7000; Firepower 8000
Software Support - Virtual Platforms
Support matrix columns: ASA, Firepower NGIPS, Firepower Threat Defense (checkmarks not shown)
ASAv (vSphere, AWS, Azure, Hyper-V, KVM)
Firepower NGIPSv (vSphere + ISR UCSE)
Firepower NGFWv (vSphere, AWS, KVM)
Firepower NGFW Software
Summary of Capabilities in Firepower 6
Threat Innovation (common across Firepower platforms): DNS Inspection and Sinkholing; URL-based Security Intelligence; SSL Decryption; ThreatGRID Analysis; OpenAppID; Captive Portal / Active Auth; File Property Analysis with Local Malware Checks; ISE Identity
Enterprise Management (common across Firepower platforms): Domains with Role-Based Access Rules; Policy Hierarchy with Inheritance
Unified Image (Threat Defense only): Unified ASA and Firepower Objects; Unified ASA and Firepower Transparent and Routed Deployment; ASA NAT (Policy & Static); ASA Routing: RIP, OSPF, BGP, Static (no EIGRP or Multicast); ASA SYN Cookies / Anti-Spoofing
Next Generation Feature Overview
Snort: IDS and much more
AVC with OpenAppID: Custom and Open Source application detections
URL & DNS Protection: IoCs and Sink-holing malicious Domains
Security Intelligence: Unparalleled knowledge about the Internet
AMP Integration: Sandbox dynamic analysis, locally and in the cloud
Key Firepower 6.0 Capabilities
Flexible Deployment
Multi-Domain Management: Separated Event Data, Reports and Network Maps, with RBAC (SOC operators across Customer / Network 1, 2 and 3)
SSL Decryption: Threat detection inside SSL encrypted traffic
Integrated Protection
Advanced Access Control with ISE Device Profiling and Security Group Tags
Captive Portal: Active Authentication and Guest support
Integrated SSL Decryption
Multiple Deployment modes: Passive Inbound (known keys); Inbound Inline (with or without keys); Outbound Inline (without keys)
Flexible SSL support for HTTPS & StartTLS based apps, e.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
Decrypt by URL category and other attributes
Centralized enforcement of SSL certificate policies, e.g. blocking self-signed encrypted traffic, SSL version, specific Cipher Suites, unapproved mobile devices
URL-Based Security Intelligence
Extension of IP-based SI
TALOS dynamic feed, 3rd party feeds and lists
Multiple categories: Malware, Phishing, CnC, ...
Multiple Actions: Allow, Monitor, Block, Interactive Block, ...
Policy configured via Access Rules or black-list
IoC tags for CnC and Malware URLs
New Dashboard widget for URL SI
Black/White-list URL with one click
URL-SI Categories
DNS Inspection
Security Intelligence support for domains
Addresses challenges with fast-flux domains
Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
Indications of Compromise extended with DNS Security Intelligence
New Dashboard widget for DNS SI
DNS List Action
NGFW Policy: DNS Sinkhole Example
NGFW Policy: DNS SI list for C&C servers; DNS Inspection action: DNS Sinkhole
Flow shown on the slide:
The Endpoint (10.15.0.21) queries the Local DNS Server, which forwards the query through the NGFW.
The NGFW applies the DNS Sinkhole action to the listed domain, so the endpoint receives the sinkhole address.
The endpoint then attempts a connection to the Sinkhole IP; that connection is blocked (X) and generates SI events & IOCs.
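The sinkhole flow above, as an added example that is not code from the deck or from Cisco: a Python model of the DNS SI list actions and of the correlation that turns a connection to the sinkhole address into an IoC on the endpoint (the DNS event alone only shows the local DNS server). List names, domains, addresses and log lines are constructed.

```python
"""Added example, not code from the BRKSEC-2050 deck or from Cisco.

Models the DNS Security Intelligence flow on the sinkhole slide: answers
for listed domains are rewritten to a sinkhole address, and a later
connection to that address identifies the infected endpoint even though
the DNS query itself came from the local DNS server. List names, domains,
addresses and log lines are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

SINKHOLE_IP = "192.0.2.1"  # constructed (RFC 5737 documentation range)

# DNS SI lists as on the slide: Cisco provided and user defined categories.
DNS_LISTS = {
    "CnC": {"bad-cnc.example"},              # constructed sample domains
    "Malware": {"dl.malware.example"},
    "Phishing": {"login-secure.example"},
    "Spam": {"promo.spam.example"},
}
# One action per list: Block, Domain Not Found, Sinkhole or Monitor.
DNS_LIST_ACTION = {"CnC": "Sinkhole", "Malware": "Sinkhole",
                   "Phishing": "Domain Not Found", "Spam": "Monitor"}


@dataclass
class Verdict:
    action: str              # Allow / Monitor / Block / Domain Not Found / Sinkhole
    category: Optional[str]  # matching SI list, if any
    answer: Optional[str]    # address the client receives (None = no answer)


def match_list(qname: str) -> Optional[str]:
    """Return the SI list a name falls under, matching parent domains too."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in DNS_LISTS.items():
            if candidate in domains:
                return category
    return None


def inspect_dns_response(qname: str, resolved_ip: str) -> Verdict:
    """Apply the DNS SI action to an upstream answer passing the NGFW."""
    category = match_list(qname)
    if category is None:
        return Verdict("Allow", None, resolved_ip)
    action = DNS_LIST_ACTION[category]
    if action == "Sinkhole":
        return Verdict(action, category, SINKHOLE_IP)  # answer rewritten
    if action in ("Block", "Domain Not Found"):
        return Verdict(action, category, None)         # dropped / NXDOMAIN
    return Verdict("Monitor", category, resolved_ip)   # logged, passed


@dataclass
class SinkholeCorrelator:
    si_events: list = field(default_factory=list)
    iocs: dict = field(default_factory=dict)  # endpoint IP -> IoC text

    def on_dns(self, src_ip: str, qname: str, resolved_ip: str) -> Verdict:
        v = inspect_dns_response(qname, resolved_ip)
        if v.category is not None:
            # src_ip is usually the local DNS server, not the endpoint,
            # so this event alone cannot name the infected host.
            self.si_events.append(("dns", src_ip, qname, v.action))
        return v

    def on_connection(self, src_ip: str, dst_ip: str, dport: int) -> str:
        if dst_ip == SINKHOLE_IP:
            # Only a host that resolved a listed name ends up here, so the
            # connection itself is the indicator of compromise.
            self.si_events.append(("conn", src_ip, dst_ip, "Block"))
            self.iocs[src_ip] = f"connection to sinkhole {dst_ip}:{dport}"
            return "Block"
        return "Allow"


def process_log(lines) -> SinkholeCorrelator:
    """Replay constructed 'kind key=value ...' event lines in order."""
    corr = SinkholeCorrelator()
    for line in lines:
        kind, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        if kind == "dns":
            corr.on_dns(f["src"], f["qname"], f["answer"])
        elif kind == "conn":
            corr.on_connection(f["src"], f["dst"], int(f["dport"]))
    return corr


# Constructed sample events: the resolver asks upstream, the endpoint
# follows the sinkholed answer, and a clean host browses normally.
SAMPLE_LOG = [
    "dns src=10.15.0.53 qname=update.bad-cnc.example answer=198.51.100.7",
    "conn src=10.15.0.21 dst=192.0.2.1 dport=443",
    "dns src=10.15.0.53 qname=www.example.com answer=198.51.100.20",
    "conn src=10.15.0.22 dst=198.51.100.20 dport=443",
]
```

Running `process_log(SAMPLE_LOG)` yields one DNS event attributed to the resolver and one IoC attributed to 10.15.0.21, the host that actually followed the sinkholed answer.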
OpenAppID Integration
Open source application-focused detection language that enables users to create, share and implement custom application detection.
What is OpenAppID?
Open source app-focused detection language
> 2500 detectors contributed by Cisco
> 20,000 downloads of the detection pack since last September
Snort-community supported
Simple Language
Reduced dependency on vendor release cycles
Written using the Lua scripting language
File Property Analysis and Local Malware Checks
Identify popular/common malware on the appliance via ClamAV
Reduced need to send samples to the cloud for dynamic analysis
Local assessment of container files for malware viability inside nested content.
File Composition report with risk assessment
Added Automatic analysis:
PDF
Office Documents
Others: EXE/DLL, MSOLE2

File Composition Report


Captive Portal / Active Authentication
Enforces Authentication through the appliance
Multiple Authentication modes (Passive, Active, Passive with Active Fallback)
Various Supported Authentication types (e.g. Basic, NTLM, Advanced, Form)
Guest / Non Windows Device Authentication Support
Multi Realm Support
Method         | Source                                               | LDAP/AD     | Authoritative?
Active         | Forced authentication through device                 | LDAP and AD | yes
Passive        | Identity and IP mapping from AD Agent                | AD          | yes
User Discovery | Username scraped from traffic, passive from the wire | LDAP and AD | no
Captive Portal - Configuration
(Screenshot: Exclude User Agent, Action and Authentication Type fields)
ISE Integration
Receive identity data from pxGrid / ISE
Receive device-type/network Security Group Tags from pxGrid / ISE
Ability to exert control based on the above in rules, i.e. block HR users from using personal iPads
Reduces ACL size and complexity
ISE Integration Screen Shot
Management Platform Options
Firepower Management Center 6.0: Overview
Single manager for Firepower Threat Defense
Can also manage Firepower appliance and Services deployments
Unified policy management for Firepower appliances and Firepower Threat Defense: One Rule Table
Multi-domain Management
1. Global: Global Policies, Global Objects, Global Analytics
2. Domains (e.g. USA, INDIA, UK): Policies, Objects, Analytics
3. Sub-domains (e.g. UK/London, UK/Oxford): Policies, Objects, Analytics
Supports up to 50 domains and 3 levels
Available for all platforms running 6.0
Access Control Policy Hierarchy (screenshot)
External Authentication for Administration
LDAP / AD or RADIUS
Example allows External Users to be defined that exist in Active-Directory for FMC or shell login
Can stack multiple methods
New Capabilities in 6.1 Release
Enterprise Management (common across Firepower platforms): Geo-location + Whois lookup; AMP Private Cloud; FMC HA; ISE remediation; Interface objects; REST API; VDI User Input; KVM Virtualization Support; Integrated risk reports; Event
Threat Innovation (common across Firepower platforms): True-IP Policy; SSL ClientHello; YouTube EDU enforcement; Safe Search Enforcement; Active authentication; API enhancements; Citrix VDI Authentication
Unified Image (Threat Defense only): Inline Security Group Tags (SGT); Shared NAT; Rate limiting; Prefilter Policies; Site-to-site VPN support; Routing enhancements; Firepower Device Manager (on box manager); QoS Traffic Rate Limiting
Firepower Management Center 6.1 Features
Lookup features: geolocation (screenshot)
Lookup features: Whois (screenshot)
AMP Private Cloud
1. Log into your Private Cloud Portal
2. Navigate to Integrations > Defense Center
3. Follow the instructions provided
FMC 6.1 HA
Very different from 5.4 FMC HA
Active/Standby Deployment
Failover is manual
Sybase database duplicated
Both FMC nodes receive events from each sensor
Policy changes made on the primary are copied over to the secondary
ISE remediation in 6.1 using pxGrid (screenshot)
RESTful API & API Explorer
Free tool built into the FMC that can be used to exercise the REST API
Facilitates the creation of Python, PERL, and JavaScript code
Integrated risk reports (screenshot)
VDI Identity: The Problem
user1 and user2 log on through Citrix to server-hosted apps (Word, Excel, Power Point) and server-hosted desktops running on a hypervisor (i.e. VMware ESXi).
The sensor sees the Internet-bound traffic coming from 192.168.0.23: is 192.168.0.23 user1 or user2?
Firepower Identity Sources
Traffic Based Detection: HTTP / FTP; Captive Portal; Inline SGT (6.1); Guest (no auth)
ISE / pxGRID: AD
LDAP / Oracle / AD Agent: AD
VDI Agent (6.1)
(Diagram: the sources feed the FMC; sensors are ASA and FTD w/FPS)
Added Virtual support for FTD and FMC
VMware: OVF for vSphere and ESXi; VMware ESXi 5.x, 6.x; E1000, VMXNET3
KVM (FTD 6.1): Cisco FTDv qcow2 image; KVM 1.0 Virtio driver
Public Cloud: Amazon Web Services, AMI in the marketplace
Same Feature Set As Physical Appliances
Firepower Device Manager
Free local manager for managing a single Firepower Threat Defense device
Targeted for SMB market
Designed for Networking Security Administrator
Beta is only available on Kenton models
Firepower Features
Safe Search / YouTube EDU enforcement
Filter inappropriate content from search results
Critical for enabling education customers
Utilizes a new Snort preprocessor: HTTP header modification Pre-processor
Last preprocessor in the Snort preprocessor chain
Based on AppID & FW rule engine, the HTTP header pre-proc will generate a modified packet
Safe Search: Action varies depending on search engine
YouTube EDU: Injects X-YouTube-Edu-Filter
True-IP Policy for XFF Proxy Headers
Currently, True-IP headers are not used for policy decisions.
In 6.1 True-IP headers can be used in policy decisions:
X-Forwarded-For
True-Client-IP header
Custom headers that support XFF-like syntax (see RFC 7239)
Will be able to specify which source IPs are trusted for these headers
Will display client IP information in all relevant event tables
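The trust rule behind the 6.1 True-IP policy, as an added example that is not code from the deck or from Cisco: a header-carried client address only drives policy when the connection comes from a proxy on the trusted list; from any other peer the header is spoofable and the connection source is used instead. Trusted ranges, header names and sample headers are constructed.

```python
"""Added example, not code from the BRKSEC-2050 deck or from Cisco.

Models the trust rule behind the Firepower 6.1 True-IP policy: a client
address carried in X-Forwarded-For, True-Client-IP or an RFC 7239
Forwarded header only drives policy when the connection arrives from a
proxy on the administrator's trusted list; from anyone else the header
can be spoofed, so the connection source is used instead. Proxy ranges
and sample headers are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed: proxies whose client headers we accept.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24"),
                   ipaddress.ip_network("198.51.100.10/32")]
# Headers consulted, most specific first; "Forwarded" is the RFC 7239 form.
CLIENT_IP_HEADERS = ("True-Client-IP", "Forwarded", "X-Forwarded-For")


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _clean_ip(token: str) -> Optional[str]:
    """Strip quotes, brackets and ports; return a valid address or None."""
    t = token.strip().strip('"')
    if t.startswith("["):                      # "[2001:db8::1]:4711"
        t = t[1:].split("]", 1)[0]
    elif t.count(":") == 1:                    # "203.0.113.5:8080"
        t = t.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(t))
    except ValueError:
        return None                            # "unknown", "_hidden", junk


def parse_forwarded(value: str) -> List[str]:
    """Extract the for= hops from an RFC 7239 Forwarded header, in order."""
    hops = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, val = pair.partition("=")
            if name.strip().lower() == "for":
                hops.append(val.strip())
    return hops


def parse_xff(value: str) -> List[str]:
    """X-Forwarded-For lists client, proxy1, proxy2 ... (each proxy appends)."""
    return value.split(",")


def client_from_chain(hops: List[str]) -> Optional[str]:
    """Walk the hops from the nearest proxy back to the first address that
    is not one of our trusted proxies; that is the real client."""
    for raw in reversed(hops):
        ip = _clean_ip(raw)
        if ip is None:
            return None                        # unparsable chain: do not trust
        if not is_trusted_proxy(ip):
            return ip
    return None                                # every hop was our own proxy


def true_client_ip(conn_src: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (address to use for policy, where it came from)."""
    if not is_trusted_proxy(conn_src):
        return conn_src, "connection"          # header ignored: untrusted peer
    lower = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_IP_HEADERS:
        value = lower.get(name.lower())
        if value is None:
            continue
        if name == "True-Client-IP":
            ip = _clean_ip(value)
        elif name == "Forwarded":
            ip = client_from_chain(parse_forwarded(value))
        else:
            ip = client_from_chain(parse_xff(value))
        if ip is not None:
            return ip, name
    return conn_src, "connection"


if __name__ == "__main__":
    # Constructed sample: a trusted proxy forwarding a client connection ...
    print(true_client_ip("10.1.1.7", {"X-Forwarded-For": "203.0.113.5, 10.1.1.6"}))
    # ... and the same header from an untrusted host, which is ignored.
    print(true_client_ip("203.0.113.200", {"X-Forwarded-For": "10.0.0.1"}))
```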
Active authentication enhancements
Kerberos authentication
Kerberos provides secure authentication without user credentials leaving the hands of the user
Similar to NTLM, browsers can be configured to transparently authenticate the user
Using Kerberos, the firewall can provide secure, transparent, ticket-based authentication
Guest access
Before 6.1, guest policies could be provided to users that failed authentication
With 6.1, there is a new button on the portal page. This button allows a user to choose guest access without trying to authenticate.
Identity policy configuration for Kerberos (screenshot)
FTD Specific Features
Inline Security Group Tags (SGT)
Behavior in 6.0
SGTs in network traffic were not utilized
Access policy rules used the IP to SGT mapping provided by ISE
SGTs could not be defined locally on the FMC
Behavior in 6.1
SGTs in network traffic are utilized
SGTs seen in traffic take precedence over the SGT to IP mapping provided by ISE
Untagged traffic is still matched to rules using the IP to SGT mapping provided by ISE
ISE integration is no longer needed: SGTs can be defined in FMC
If ISE integration is enabled, locally defined SGTs are not available
Sensor may be running 6.0 or 6.1
Sensor does not add or remove tags from traffic
Inline Security Group Tags (SGT) configuration
Locally defined SGTs are objects on the FMC
Using SGTs in Access Policy rules in 6.1 is the same as in 6.0
Rate limiting configuration
QoS Policy is a new policy type with a separate policy table
Not associated with an Access Control Policy; directly associated with devices
Prefilter Policies
New type of policy called Prefilter policies
Precedes the access control policy
Together with the access control policy, allows control of both the tunneled and the tunneling protocol
Also used to facilitate tools to migrate from ASA to NGFW
Prefilter Policies are implemented without involving Snort
Site-to-Site VPN
Firepower Management Center will provide monitoring of VPN tunnels
Limitations:
Only between FTD and FTD or FTD and ASA
No support for ISR routers; feature targeted for 6.2 release
No RA VPN; feature targeted for 6.2 release
Uses pre-shared key only, no PKI
Routing enhancements
Routing has been enhanced to include multicast routing
IGMP version 1 and version 2 are supported
PIM: only sparse mode is supported
Multicast Routes
Multicast Boundary Filter
First you must enable multicast routing (may be enabled from the IGMP or PIM page)
Deployment Modes
Requirements: Availability and Scaling
Scaling IPS with ASA5585-X Clustering
Up to 16 ASA5585-X IPS
Stateless load balancing by external switch
Support for VPC and LACP
Cluster Control Protocol/Link: State-sharing between Firewalls for concerted operation and high availability
Every session has a primary and secondary owner
ASA provides traffic symmetry to IPS modules
Requirements: Availability and Scaling
Scaling IPS for the DC with Dedicated Appliances
VPC/VSS are both a challenge and an asset for IPS
With VSS/VPC, traffic for a single flow can go across either switch
IPS (normalizer) needs to see a full bi-directional TCP session
Load-splitting and per-switch symmetry via ECLB
Inter-switch flow-affinity using inter-VRF routing
Up to 160Gbs Max IPS throughput / 80 Gbps Real World Average
(Diagram: Internal Network, Core N7K pair with vPC Peer-link, IPS Solution, Access layer, DC Servers)
FirePOWER Services Support All Current ASA Deployment Models
Clustering for linear scalability: Up to 16x ASA in cluster; Eliminates asymmetrical traffic issues; Each FirePOWER Services module inspects traffic independently*
HA for increased redundancy: Redundancy and state sharing (A/S & A/A pair); L2 and L3 designs
Multi-context mode for policy flexibility: Each ASA Interface appears as a separate interface to the FirePOWER Services module; Allows for granular policy enforcement on both ASA and FirePOWER services
*State sharing does not occur between FirePOWER Services Modules
Firepower Threat Defense Deployment Modes
Next Generation Firewall deployment modes: Routed; Transparent
Next Generation IPS / IDS modes: Inline (interface pairing); Inline Tap (external TAP, IDS only); Passive (SPAN, IDS only)
Can Mix and Match on same hardware to maximize value and visibility
Firepower Threat Defense High Availability
Active/Standby only
Stateful failover mode only
Primary's policies are synchronized to the Secondary's
Two nodes connected by one or two dedicated connections called failover links
Management interface on each unit has/maintains a distinct management IP address
Config/Policy updates are sent to the current active node by FMC
On FP9300 platforms, failover is only supported across blades in different chassis, in non-cluster mode, with matching interfaces on separate blades
(Diagram: FMC managing an FTD Active / FTD Standby pair)
Firepower Threat Defense for VMware
Upgrade paths: ASAv 9.x -> ASAv 9.x; Firepower NGIPSv 5.4 -> Firepower NGIPSv 6.0
Migrate path: to Firepower Threat Defense Virtual 6.0
Virtual FTD prerequisites
Set up Smart Licensing on Firepower Management Center: Smart Licensing Product Registration or Evaluation Mode
Download OVA: Ngfw-6.0.0-xxx.ova
Provide necessary virtual resources: VMware vSphere 5.5 or vSphere 6.0; 4 x vCPUs; 4-8GB of RAM; 48GB of disk space
Virtual FTD Installation steps (vSphere)
Deploy OVF Template
Enter the details asked for by the Setup Wizard
Add FTD to Firepower Management Center
Deployment Designs: Use Cases
ASA with Firepower Services
Internet / WAN Edge Use Case: Internet Edge Firewall with VPN Support
Requirement
Connectivity and Availability Requirement: Firewall for High Availability (Redundancy); Firewall in the Router Mode; vPC/Port-Channel for interface redundancy and link speed aggregation
Security Requirement: Dynamic NAT/PAT and Static NAT; Application Inspection; ACL to control the traffic flows; VPN support (S2S, SSL and AnyConnect)
Solution
Security Application: ASA Firewall
(Diagram: ISP / Service Provider, Branch Office and Remote VPN Users reaching the Internet Edge FW in HA via HSRP; DMZ Network; vPC / Port-Channel to the Campus/Private Network)
Firewall Policies: Edge Firewall
Use Cases
1. Inbound (Outside->in)
2. Outbound (Inside->Out)
(Diagram: ASA with Firepower Services module)
Firewall Policies: Edge Firewall - Inbound
Policy Requirements
Static NAT to a DMZ server
Policy to control inbound ports (TCP/80, TCP/443, Passive FTP)
Policy to inspect inbound traffic by SNORT engine (security over connectivity)
Policy to control file types uploaded to DMZ server
Configuration Steps
Configure NAT (ASA)
Configure Inbound ACLs on outside interface
Create File policy
Configure Access policy (Firepower MC)
Firewall Policies: Edge Firewall - Inbound
Configure NAT (ASA)
ASDM: (screenshot)
CLI:
object network WebServer5
 host 10.100.1.5
 description Web Server
 nat static 64.100.14.3 net-to-net
Firewall Policies: Edge Firewall - Inbound
Configure Inbound ACLs on outside interface (if required by interface levels)
Optionally controlled exclusively in Firepower Management Center
ASDM: (screenshot)
CLI:
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq http
 port-object eq https
access-list Outside_access_in line 1 extended permit tcp any object WebServer5 object-group DM_INLINE_TCP_1
access-group Outside_access_in in interface Outside
Firewall Policies: Edge Firewall - Inbound
Create the file policy (screenshot)
Configure Access policy in Firepower Management Center (series of screenshots)
Firewall Policies: Edge Firewall - Outbound
Dynamic NAT
User authentication
Per user policy
Application control
Reputation
Category
Policy to inspect outbound traffic by SNORT engine (connectivity over security)
Policy to control files based on AMP disposition from the Internet
Configuration Steps
Configure Dynamic Port Address Translation (ASA)
Create File policy
Configure Access policy (Firepower MC)
Firewall Policies: Edge Firewall - Outbound
Configure Dynamic Port Address Translation (ASA)
ASDM: (screenshot)
CLI:
nat (Inside,Outside) 1 source dynamic any interface description Dynamic NAT
Firewall Policies: Edge Firewall - Outbound
Create File policy (screenshot)
Configure Access policy in Firepower Management Center (series of screenshots)
Deployment Designs: Use Cases
Firepower Threat Defense
Internet / WAN Edge Use Case: Internet Edge Firewall
Requirement
Connectivity and Availability Requirement: Firewall for High Availability (Redundancy); Firewall should support Router or Transparent Mode; vPC/Port-Channel for interface redundancy and link speed aggregation
Security Requirement: Dynamic NAT/PAT and Static NAT; AVC, URL filtering, IPS and Malware protection; SSL Decryption
Solution
Security Application: Firepower Threat Defense application with FMC
(Diagram: ISP / Service Provider reaching the Internet Edge FW in HA via HSRP; DMZ Network; vPC / Port-Channel to the Campus/Private Network)
Firepower Threat Defense Edge Example
Wired and Wireless Interface Configuration and Zone Assignments
Dynamic NAT for Direct Internet Access traffic
User authentication
Group identity based Application Control
Selective Decryption Policy
DNS Sink-holing
Policy to inspect outbound traffic by SNORT engine (connectivity over security)
Policy to control files based on AMP disposition from the Internet
IPv4 + IPv6 Support
Wired and Wireless in same zone (screenshot)
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6 (screenshot)
Identity Policy based on Passive Authentication
Attaches to Access Control Policy (screenshot)
Access Control Policy blocking inappropriate content (screenshot)
Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc) (screenshot)
Active Directory Realm Configuration
Multiple Entries; LDAP / LDAPS; Assigned to Identity Policy for Active or Passive Authentication (screenshot)
Identity Services Engine pxGrid Integration
MUST install ROOT certificate (chain) on FMC that signed ISE pxGrid Cert
MUST install ROOT certificate (chain) on ISE that signed FMC Cert
Private keys not needed (of course!)

TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles

SSL Decrypt is fully configurable
Can specify by application, certificate fields / status, ciphers, etc

DNS Sink-holing / Traffic Drop Rule Set
Based on DNS query results of client

Security Intelligence DNS Global Settings
Whitelist / Blacklist capabilities

Custom IPS Policy

Malware and File Analysis
Attached to Access Policy
Deployment Designs / Use Cases: Other Modes

Firepower Threat Defense Inline Sets
Allows IPS (or IDS) inspection of traffic bridged between physical interfaces
IDS TAP mode is used in conjunction with an external splitter / SPAN sessions.
Can be configured in addition to routed / transparent NGFW interfaces on the FTD device
Be careful not to exceed platform performance limitations!
Promiscuous Interface
Only copies of the packets are sent to the sensor
Mostly detection, limited protection
Optional prevention through external blocking
Separate device must send copies of the packets:
Span (or monitor) from a switch
VACL capture from a switch
Network Taps

[Diagram: Ethernet Switch with a SPAN Destination Port or VACL Capture feeding the Promiscuous Interface]
ASA - FTD Migration Tool
Firepower 6.1 introduces migration support for key ASA configurations
Access Rules, NAT and referenced Objects in phase-1
Limited availability
Support for ASA 9.1.x onwards
Roadmap: Better Scale Support, Expanded config

Migration Tool Features (6.1 initial release)
Migration tool features:
ASA to FTD Configuration Migration
Migrated policies downloadable as .sfo file importable in FMC
Migration Report
Migration tool supports ASA Access-Rules, NAT policies and their referenced objects
Qualified with 10,000 ACEs and objects, with no more than 50,000 flattened rule entries.
Input for Migration Tool
Migration tool supports ASA config files in .txt and .cfg format
ASA version command in config file is mandatory for Migration (ex: ASA version 9.1)
ASA configuration file should have ACL and NAT policies
ASA configuration file with version 9.1 and above from any ASA models (including vASA) can be used for FTD/FMC migration.
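A pre-check that applies the input rules above and the 10,000 ACE/object and 50,000 flattened-rule qualification limits to an ASA config file before it is fed to the migration tool. This is an added example, not Cisco's tool; the sample config is constructed, and the flattening rule (each ACE expands to the product of the member counts of the object-groups it references) is an assumption made for the example.

```python
import math
import re

# Constructed sample ASA configuration for this example (names and addresses are made up).
SAMPLE_CONFIG = """\
ASA Version 9.1(2)
object network WEB-SRV
 host 10.1.1.10
object-group network INSIDE-NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV object-group WEB-PORTS
access-list INSIDE_OUT extended permit ip object-group INSIDE-NETS any
nat (inside,outside) source dynamic INSIDE-NETS interface
"""

def group_sizes(cfg):
    """Member count per object-group, used to expand the ACEs that reference them."""
    sizes = {}
    for block in re.split(r"^(?=\S)", cfg, flags=re.M):  # one block per top-level command
        if m := re.match(r"object-group \S+ (\S+)", block):
            sizes[m.group(1)] = len(re.findall(r"^ \S+-object ", block, re.M))
    return sizes

def precheck(cfg):
    """Check cfg against the migration tool's input rules; returns counts and problems."""
    problems = []
    m = re.search(r"^ASA Version (\d+)\.(\d+)", cfg, re.M)
    if not m or (int(m.group(1)), int(m.group(2))) < (9, 1):
        problems.append("ASA Version line missing or below 9.1")
    aces = [l for l in cfg.splitlines() if l.startswith("access-list ") and " extended " in l]
    if not aces:
        problems.append("no access-list entries")
    if not re.search(r"^\s*nat ", cfg, re.M):
        problems.append("no NAT policy")
    sizes = group_sizes(cfg)
    objects = set(re.findall(r"^object \S+ (\S+)", cfg, re.M)) | set(sizes)
    # Assumed flattening rule: an ACE expands to the product of the member counts of its groups.
    flat = sum(math.prod(sizes.get(g, 1) for g in re.findall(r"object-group (\S+)", ace))
               for ace in aces)
    if len(aces) + len(objects) > 10000:   # qualification limit quoted on the slide
        problems.append("more than 10,000 ACEs and objects")
    if flat > 50000:                       # qualification limit quoted on the slide
        problems.append("more than 50,000 flattened rule entries")
    return {"aces": len(aces), "objects": len(objects), "flattened": flat,
            "problems": problems, "ok": not problems}
```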
Firepower Threat Defense Summary
Robust NGFW Feature set: Extending our threat leadership
Flexible Deployment: Enabling more NGFW use cases
Unified Management: Delivering on our convergence story
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Security Joins the Customer Connection Program
Customer User Group Program: 19,000+ Members
Who can join: Cisco customers, service providers, solution partners and training partners
Private online community to connect with peers & Cisco's Security product teams
Monthly technical & roadmap briefings via WebEx
New member thank-you gift*
Opportunities to influence product direction
Local in-person meet ups starting Fall 2016
Other CCP tracks: Collaboration & Enterprise Networks

Join in World of Solutions: Security zone Customer Connection stand
Learn about CCP and Join
Customer Connection Member badge ribbon
Come to Security zone to get your new member gift* and ribbon

Join Online: www.cisco.com/go/ccp
New member thank you gift* & badge ribbon when you join in the Cisco Security booth
* While supplies last
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you
Appendix

Life Of A Packet
Flow Diagrams
ASA-5506/5506W-X Back Panel
[Back panel diagram with callouts 1-9]
1) Power LED: Green -> power applied OK
2) Status LED: Green blinking -> system is booting up; Green solid -> successful boot; Orange -> error during boot-up
3) Active LED: Green -> unit is Active in failover pair; Orange -> unit is Standby in failover pair; Off -> not part of a failover pair
4) WLAN Module: not lit for 5506 / Supported in the 5506W
5) GE ports: Left-side LED Green -> link. Right-side LED blinking -> network activity
6) Console Ports: RJ-45 and mini-USB Connector. If mini-USB is connected, RJ-45 becomes disconnected
7) GE Management Port
8) USB port for external storage shows up as disk1
9) Reset Pin
ASA-5506H-X (Ruggedized)
[Back panel diagram with callouts 1-7; power input label: 5V AC]
Operating Temperature: 20 to 60C
1) Power LED: Green -> power applied OK
2) Status LED: Green blinking -> system is booting up; Green solid -> successful boot; Orange -> error during boot-up
3) Active LED: Green -> unit is Active in failover pair; Orange -> unit is Standby in failover pair; Off -> not part of a failover pair
4) GE ports: Left-side LED Green -> link. Right-side LED blinking -> network activity
5) Console Ports: RJ-45 and mini-USB Connector.
6) GE Management Port
7) USB port for external storage shows up as disk1
ASA-5508-X/5516-X Back Panel
[Back panel labels: Fixed Power Supply, Dedicated Mgmt Port (1GE), USB Port, Serial Console RJ45/USB, SSD, 8x GE Ethernet ports]

ASA-5512-X & 5515-X Back Panel
[Back panel labels: Dedicated Mgmt Port (1GE), Status LEDs, I/O Expansion Slot, Serial Console, Fixed Power Supply, 6 x 1GE Cu Ports, USB Port]

ASA-5525-X & 5545-X / 5555-X Back Panel
[5525-X labels: Dedicated Mgmt Port (1GE), 8 x 1GE Cu Ports, Fixed Power Supply, Status LEDs, Serial Console, USB Port, I/O Expansion Slot]
[5545-X / 5555-X labels: Dedicated Mgmt Port (1GE), Status LEDs, Serial Console, 8 x 1GE Cu Ports, I/O Expansion Slot, USB Port, Redundant Hot Swappable PSU]

ASA-5585-X
5585-X + FirePOWER module (Hardware Module) in top slot
[Labels: FirePOWER SSP, ASA SSP, Two Hard Drives RAID 1 (Event Data), 8 GB eUSB (System), Two GE Management Ports, 10GE and GE ports]
Firepower 4100 Series Front and Rear View
[Front: Power / Mgmt. / SYS LEDs, Console, SSD Status, SSD1, SSD2, ports 1-8 with ACT LEDs, NetMod 1 (Slot), NetMod 2 (Slot). Rear: PS1, PS2, FAN1-FAN6]

Firepower 9300
Supervisor: Application deployment and orchestration; Network attachment and traffic distribution; Clustering base layer for ASA/FTD
Network Modules: 10GE/40GE and future 100GE; Hardware bypass for inline NGIPS
Security Modules: Embedded Smart NIC and crypto hardware; Cisco (ASA, FTD) and third-party (Radware DDoS) applications; Standalone or clustered within and across chassis
Cisco Firepower Threat Defense for ISR
Platforms: Cisco 4000 Series ISR with Cisco UCS, OR Cisco ISR G2 Series + AppX + Security License
Virtualization platform capable of running NGFWv / NGIPSv
BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate.
Capabilities: Network Visibility, Granular App Control, URL Filtering, NGIPS, Advanced Malware Protection, Security Intelligence, Retrospective Security, IoCs/Incident Response, Modern Threat Control, Visibility and Automation
Firepower 8300
Single-pass, high-performance, low-latency
Flexible in Software: Firepower NGIPS & AMP
Flexible in Hardware: Modular for options in Interfaces, including 10GE and 40GE
High-Performance: 15Gbps with 8350
Cost Effective
Best in class for IPS by NSS Labs
Best in class for NGFW by NSS Labs
Best in class for Breach Detection by NSS Labs

Cisco FirePOWER Platform Features
Feature              Virtual   7000    7100     8100     8200/8300
1GE Interfaces                 YES     YES      YES      YES
10GE Interfaces                NO      NO       YES      YES
40GE Interfaces                NO      NO       NO       YES
SFP Ports                      NO      YES *    YES **   YES **
Hardware Bypass                YES     YES      YES      YES
Software Bypass      YES       YES     YES      YES      YES
Hardware Fast Pass             NO      NO       YES      YES
L3 Mode              NO        YES     YES      YES      YES
(blank = not listed on the slide for the Virtual platform)
* 7115, 7125, and 7150 models only ** Fiber-to-SFP Transceiver
FTD Packet Processing Flow
[Flow diagram] RX Pkt -> Ingress Interface -> Existing Conn? (No: NAT Untranslate -> Advanced ACL Permit? No: DROP) -> TrustPath? (No: Snort inspection: IP Reputation/SI -> Application Identification -> SSL Policy Enforcement -> Application Policy Enforcement -> URL Policy Enforcement -> NGIPS Policy Enforcement -> AMP Policy Enforcement -> Event Gen -> verdict Trustpath or Allow, otherwise DROP) -> ALG Checks -> NAT IP Header -> Egress Interface -> L3 Route -> L2 Addr -> TX Pkt. A "No" at ALG Checks, NAT IP Header, Egress Interface, L3 Route or L2 Addr results in DROP.
Detailed ASA SFR Packet Flow
FirePOWER does not drop flows, it marks them for drop by the ASA
[Flow diagram] 1 Receive PKT -> 2 Ingress Interface -> 3 Existing Conn? (No: 4 ACL Permit? No: DROP -> 5 Match Xlate? No: DROP) -> 6 Inspections / sec checks (FirePOWER; NO: DROP) -> 7 NAT IP Header -> 8 Egress Interface -> 9 L3 Route (NO: DROP) -> 10 L2 Addr (NO: DROP) -> 11 XMIT PKT
Life of a packet in Routed mode
[Flow diagram] RX Pkt -> Ingress Interface -> Existing Conn / Cluster redirect? (No: NAT Untranslate -> Advanced ACL permit? No: DROP) -> TrustPath? (No: IP Reputation/SI -> Application Identification -> Application, URL reputation/Category based access control enforcement -> IPS policy enforcement -> File/Network AMP policy enforcement -> Event gen -> verdict Trustpath or Allow, otherwise DROP) -> ASA ALG Checks -> NAT IP Header -> Egress Interface -> L3 Route -> L2 Addr -> TX Pkt. A "No" at any of the last five steps results in DROP.
Life of a packet in Transparent mode
[Flow diagram] RX Pkt -> Ingress Interface -> Existing Conn / Cluster redirect? (No: NAT Untranslate -> Advanced ACL permit? No: DROP) -> TrustPath? (No: IP Reputation/SI -> Application Identification -> Application, URL reputation/Category based access control enforcement -> IPS policy enforcement -> File/Network AMP policy enforcement -> Event gen -> verdict Trustpath or Allow, otherwise DROP) -> ASA ALG Checks (No: DROP) -> NAT IP Header (No: DROP) -> L2 Entry? (No: DROP) -> TX Pkt
Life of a packet in Passive mode
[Flow diagram] RX Pkt -> Ingress Interface -> Existing Conn / Cluster redirect? -> TrustPath? (No: IP Reputation/SI -> Application Identification -> Application, URL reputation/Category based access control enforcement -> IPS policy enforcement -> File/Network AMP policy enforcement -> Event gen -> verdict Update Trustpath, Allow, DROP or Redirect). Packets that already match an existing connection or the trust path skip inspection; no packet is transmitted in passive mode.
Life of a packet in Inline pair mode
[Flow diagram] RX Pkt -> Ingress Interface -> Existing Conn / Cluster redirect? -> TrustPath? (No: IP Reputation/SI -> Application Identification -> Application, URL reputation/Category based access control enforcement -> IPS policy enforcement -> File/Network AMP policy enforcement -> Event gen -> verdict Allow or Trustpath (Update Trustpath), Deny: DROP, or Redirect) -> TX Pkt
Life of a packet in Inline pair tap mode
[Flow diagram] RX Pkt -> Ingress Interface -> Existing Conn / Cluster redirect? -> TrustPath? -> Copy Packet: the original packet continues to TX Pkt while the copy is inspected (IP Reputation/SI -> Application Identification -> Application, URL reputation/Category based access control enforcement -> IPS policy enforcement -> File/Network AMP policy enforcement -> Event gen -> verdict Update Trustpath, Allow, DROP or Redirect applied to the copy only)
