Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
NGFW Update and
Deployment Scenarios
Michael Mercier
Consulting Systems Engineer – Security Solutions
May 19, 2016
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
Agenda
Firepower NGFW
Firepower Threat Defense Software Overview
Firepower 4100 Next-Generation Security Architecture
Firepower 9300 Next-Generation Security Architecture
FTDv
Licensing
Performance
Deployment Modes / Use Cases
Deployment Considerations
Relevant Terminology
Firepower Threat Defense (FTD)
• Unified codebase software image
Firepower 4100 Series and 9300 Appliances
• Brand for new hardware product offerings which run FTD or ASA
“Firepower Next-Generation Firewall (NGFW)”
• FTD + Hardware appliance
Firepower Management Center (FMC)
• Formerly FireSIGHT. Unified manager for NGFW, NGIPS, AMP, FirePOWER on ISR
ASA with FirePOWER Services
• Two managers, full firewall feature set
Cisco Firepower™ NGFW
Enable your business with a fully integrated, threat-focused solution
Threat Focused, Fully Integrated
• Detect earlier, act faster
• Gain more insight
• Reduce complexity
• Get more from your network
• Stop more threats
Cisco Firepower™ NGFW
Stop more threats across the entire attack continuum
BEFORE: Discover threats and enforce security policies
DURING: Detect, block, and defend against attacks
AFTER: Remediate breaches and prevent future attacks
Cisco Firepower™ NGFW
Gain more insight with increased visibility
“You can’t protect what you can’t see”
[Figure: visibility coverage of Typical IPS, Typical NGFW, and Cisco Firepower™ NGFW across the categories below]
• Malware
• Client applications
• Operating systems
• Mobile devices
• VoIP phones
• Routers and switches
• Printers
• Command and control servers
• Network servers
• Users
• File transfers
• Web applications
• Application protocols
• Threats
Detect infections earlier and act faster
Industry TTD rate:* 100 days
Cisco: 17.5 hours
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Source: Cisco® 2016 Annual Security Report
*Median time to detection (TTD)
Firepower Management Center
Cisco Firepower™ Management Center
Reduce complexity with simplified, consistent management
Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools
Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance
Automated
• Impact assessment
• Rule recommendations
• Remediation APIs
Cisco Firepower™ Management Center
Get more from your network through integrated defenses
• Shared intelligence
• Shared contextual awareness
• Consistent policy enforcement
[Diagram labels: Talos; Firepower 4100 Series; Firepower 9300 Platform; Visibility; Radware DDoS; Network analysis; Email; Threats; Identity and NAC; DNS; Firewall; URL]
Firepower Management Center Appliances
Appliance | FS750 | FS2000 | FS4000
Maximum devices managed* | 10 | 70 | 300
Event storage | 100 GB | 1.8 TB | 3.2 TB
Maximum network map (hosts/users) | 2000/2000 | 150,000/150,000 | 600,000/600,000
Events per second (EPS) | 2000 | 12,000 | 20,000
* Max number of devices is dependent upon sensor type and event rate
Virtual
• Virtual FireSIGHT® Management Center: up to 25 managed devices (ASA or FirePOWER appliances)
• Virtual FireSIGHT® Management for 2 or 10 ASA devices only! Not upgradeable (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9)
Cisco NGFW Platforms
• Cisco Firepower™ 4100 Series and 9300
• Cisco FirePOWER™ Services on ASA 5585-X
• Cisco Firepower Threat Defense on ASA 5500-X
New Appliances
All* Managed by Cisco Firepower Management Center
*5585-X management available 2HCY16
Firepower Threat Defense
Converged Software – Firepower Threat Defense
New Converged Software Image: Firepower Threat Defense
• Contains all Firepower Services plus select ASA capabilities
Single Manager: Firepower Management Center*
Same subscriptions as FirePOWER Services, enabled by Smart Licensing:
• Threat (IPS + SI + DNS)
• Malware (AMP + ThreatGrid)
• URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)
What features are available?
• Everything from Firepower 6.0.1
• Phased introduction of features from ASA
• FTD 6.0.1
IPv4 and IPv6 Connection state tracking and TCP normalization
Access Control
NAT (Full support)
Unicast Routing (except EIGRP)
ALGs (only default configuration)
Intra chassis Clustering on Firepower 9300
Stateful Failover (HA)
High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
Feature | Firepower Services for ASA | Firepower Threat Defense | Notes for Firepower Threat Defense
HA, NAT | ✔ | ✔ |
Routing | ✔ | ✔ | Multicast in 6.1, No EIGRP
Unified ASA and Firepower rules/objects | ✘ | ✔ |
Local Management | ✔ | ✔ | In 6.1, features differ
Multi-Context | ✔ | ✘ |
Inter-chassis Clustering | ✔ | ✘ |
VPN | ✔ | ✔ | Site-to-Site VPN in 6.1
Hypervisor Support | ✘ | ✔ | AWS, VMware; KVM in 6.1
Smart Licensing support | ✘ | ✔ |
Note: Not an exhaustive list of differences between these offerings.
Firepower Threat Defense – Phased Delivery
High-Priority NGFW Feature Parity
General Availability V6.0.1 – Mar. 2016
• FP 9300/4100 platforms
• ASA Low/Mid platforms
• All of FP Services 6.0
• ASA+FP Rules/Objects
• Transp/Routed Deploy
• Active/Passive HA
• NAT (Dynamic/Static)
• OSPF, BGP, RIP, Static
• ALGs (fixed config)
• Syn Cookie/Anti-Spoof
V6.1 - Q4FY16 / 1HFY17
• Remote Access VPN
• Device Clustering
• SSL Acceleration
• Traffic QoS
• Time-based Policies
• Hyper-V / Azure
• MS Exchange identity
• Pkt Trace/Capture
• Configuration CLI
• Site-to-Site VPN
• Rate-Limiting
• Multicast and EIGRP
• VDI User Identity
• AMP Private Cloud
• ISE Remediation
• X-Forwarded-For
• Web Safe Search
• Built-in Risk Reports
• KVM Virtual platform
• On-box Web UI
• FMC HA, Scale and API
What Platforms run Firepower Threat Defense?
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series Appliances
• Cisco Firepower Threat Defense on ASA 5500-X
New Appliances
All* Managed by Cisco Firepower Management Center
*5585-X ASA module management being investigated for 2HCY16
Firepower Threat Defense
Software Overview
Advantages of Firepower Threat Defense
• New Next Generation Firewall offering
• Brings together the best features from ASA and Firepower, all under one OS
• Zero-copy packet inspection
• Single management application
• Duplicate functionality removed
[Diagram labels: ASA; FirePOWER Services; CSM/ASDM; FireSIGHT; Firepower Threat Defense; L2-L4 Inspections (ASA Technology); Advanced Inspections (FirePOWER Technology); Firepower Management Center]
ASA with FirePOWER Services Packet flow
2 OS, ASA & FP
[Diagram labels: Ingress NIC; L2/L3 Decode; L4 Decode; Flow Lookup; Route Lookup; NAT Lookup; Inspection checks; Routing; NAT; Egress NIC; Flow Update; File/AMP; IPS; AVC; Kernel; Virtual TAP; FirePOWER Services; Event Database; Virtual Container]
Firepower Threat Defense Packet Flow
Zero Copy, Single OS
[Diagram labels: Ingress NIC; L2/L3 Decode; L4 Decode; Flow Lookup; Route Lookup; NAT Lookup; Inspection checks; Routing; NAT; Egress NIC; Flow Update; File/AMP; IPS; AVC; FirePOWER Services; Event Database; Packet Library (PDTS)]
Unified Access Control policies
• Access policies broken down into 2 sets of rules
• Advanced ACLs - Evaluate L2 – L4 attributes and give a verdict
Permit
Deny
Trust
• NGFW ACLs – Evaluate L7 attributes
Allow
Block
TrustPath
Unified Objects Configuration
Objects in 5.4
Objects in 6.0
Firepower 4100
Next Generation Firewall
Cisco Firepower 4100 Series
Introducing four new high-performance models
Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options
Hardware Overview
Firepower 4100 Series Front and Rear View
[Diagram labels: SSD1; SSD2; fixed ports 1-8; NetMod 1 (Slot); NetMod 2 (Slot); PS1; PS2; FAN1-FAN6; Power; Console; Mgmt.; SYS; ACT; SSD Status]
Firepower 4110/20/40/50 - Hardware Components
Supervisor Module:
Console and Management Port
8 10G Fixed Ethernet Ports
2 x Network Modules
Security Engine:
Dual CPU, each connected with a Smart NIC and Crypto accelerator card
Two SSD - 1 Default + 1 Optional (For AMP service)
SSD Size
200GB for 4120
400GB for 4140
Backplane
80GB Backplane support
[Diagram labels: Internal 720G Switch Fabric; Security Engine; RAM; Smart NIC + Crypto Accelerator; x86 CPU; 2x40Gbps; 2x100Gbps; Built-in 8x10GE interfaces; NM Slot 1; NM Slot 2; 8x 10G (or) 4x 40G Network Module; 80G; 200G; 5x 40Gbps; Console; Mgmt. Port; SSD]
Software Overview
Firepower 4100 Software
§ FP 4100 Series platforms are supported from FXOS 1.1.4
§ FXOS provides the interface for device management and provisioning of the security application on the security engine.
§ All images are digitally signed and validated through Secure Boot.
§ Security application images are in Cisco Secure Package (CSP) format
§ Multiple versions of the same application can be stored in the Supervisor and deployed to the Security Engine on demand
§ Contains system (e.g. ASA, FTD) and other images (e.g. ASDM, REST, and so on)
[Diagram labels: Firepower Extensible Operating System (FXOS); Supervisor; Security Engine; Primary application from Cisco (Native); Decorator application from third-party (KVM); ASA or FTD; DDoS]
Security Service Architecture for Firepower 4100 Series Platform
[Diagram labels: Supervisor; Application Image Storage; On-board 8x10GE interfaces; 8x10GE NM Slot 1; 4x40GE NM Slot 2; Ethernet 1/1-8; Ethernet 2/1-8; Ethernet 3/1-4; Ethernet1/7 (Management); PortChannel1; Data; Security Engine; Security Module 1; Standalone/Cluster; Logical Device; Link Decorator; External Connector; Primary Application; Decorator Application; ASA/FTD; Radware vDP; Packet Flow]
Firepower 9300 Next Generation Firewall
Cisco Firepower 9300 Platform
High-speed, scalable security
Multiservice Security
Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• Cisco® ASA container
• Cisco Firepower™ Threat Defense containers:
• NGIPS, AMP, URL, AVC
• Third-party containers:
• Radware DDoS
• Other ecosystem partners
Modular
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management
Carrier Class
Benefits
• Industry-leading performance:
• 600% higher performance
• 30% higher port density
Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability
Cisco Firepower 9300 Overview
Supervisor
§ Application deployment and orchestration
§ Network attachment (10/40/100GE) and traffic distribution
§ Clustering base layer for Cisco® ASA, NGFW, and NGIPS
Security Modules
§ Embedded packet and flow classifier and crypto hardware
§ Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
§ Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
Cisco Firepower 9300 Chassis Hardware
§ 19-inch 3RU rack (32 in. deep, 17.5 in. wide, and 135 lb fully loaded)
§ Four FRU fan modules with OIR
§ N+1 redundancy
§ Front-to-back airflow
§ Dual redundant power supplies with load sharing and OIR
§ 2500 and 1300W AC power supplies initially; 2500W DC to follow
§ Single supply at 110V is not enough for full chassis; 220V is required
§ Scalable backplane support up to 200 Gbps per security module
Supervisor Module
Overall chassis management and network interaction
§ Network interface allocation and security module connectivity (960-Gbps internal fabric)
§ Application image storage, deployment, provisioning, and service chaining
§ Clustering infrastructure for supported applications
§ Cisco® Smart Licensing and NTP for entire chassis
[Diagram labels: RJ-45 Console; 1 GE Management (SFP); Built-in 10 GE Data (SFP+); Optional Network Modules (NMs) 1 and 2]
Supervisor Simplified Hardware Diagram
[Diagram labels: x86 CPU; RAM; System Bus; Ethernet; Internal Switch Fabric (up to 24x40GE); Security Module 1; Security Module 2; Security Module 3; On-Board 8 x 10 GE Interfaces; Network Module 1; Network Module 2; link labels 2 x 40 Gbps and 5 x 40 Gbps]
Network Modules
§ Supervisor configures interfaces and directs traffic to security modules
§ All interfaces are called “Ethernet” and 1-referenced (for example, Ethernet1/1)
§ Hardware OIR support; software support to follow
§ Mix and match up to two 10 and 40 GE half-width modules
§ 8 x 10 GE SFP or SFP+ per module
§ 4 x 40 GE QSFP per module; each port can be split to 4 x 10 GE
§ 100 GE modules
Security Modules
§ Three security module configurations
§ SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
§ SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
§ (Future) NEBS: SM24 NEBS certification
§ Dual 800GB SSD in RAID1 by default
§ Built-in hardware packet and flow classifier and crypto accelerator
§ Hardware VPN acceleration is targeted for a subsequent software release
Security Module Simplified Diagram
[Diagram labels: x86 CPU 1 (24 or 36 Cores); x86 CPU 2 (24 or 36 Cores); RAM; System Bus; Ethernet; Packet and Flow Classifier and Crypto Accelerator; Backplane Supervisor Connection; 2 x 100 Gbps links]
Cisco Firepower 9300 Software
§ Supervisor and security modules use multiple independent images
§ Infrastructure software bundle for supervisor
§ Security module firmware bundle
§ Security application images bundles for modules
§ All images are digitally signed and validated through Secure Boot
§ Service application images are in Cisco® Secure Package (CSP) format
§ Stored on supervisor and deployed to security module on demand
§ Multiple versions of the same application may be stored
§ Contains system (for example, Cisco ASA) and other images (Cisco ASDM, REST, etc.)
Security Services Architecture on Firepower 9300
[Diagram labels: Supervisor; Application Image Storage; On-Board 8 x 10 GE Interfaces; 8 x 10 GE NM Slot 1; 4 x 40 GE NM Slot 2; Ethernet 1/1-8; Ethernet 2/1-8; Ethernet 3/1-4; Ethernet 1/7 (Management); PortChannel1; Data; Security Module 1; Security Module 2; Security Module 3; Cisco® ASA Cluster; Logical Device; Logical Device Unit; Link Decorator; Application Connector; External Connector; Packet Flow; Primary Application; Decorator Application; ASA; DDoS]
Management Overview
§ Chassis management is independent from applications
§ On-box chassis manager UI and CLI
§ Cisco® ASDM is the only management GUI for Cisco ASA initially
§ Future off-box Cisco Firepower Device Manager for both chassis and Cisco applications
§ SNMP and syslog support for chassis-level counters and events on supervisor
§ REST API on supervisor for third-party service management
§ SDN orchestration enablement for security services on demand
FTDv
Cisco FTDv for VMware: Routed, Transparent, Inline Mode
[Diagram labels: FTDv; FMC]
FTDv for VMware: Passive mode
[Diagram labels: FTDv]
FTDv Service Graph in the ACI Fabric
• Routed Mode (Go-To)
• Transparent Mode (Go-Through)
[Diagram labels: Tenant A, Graph A: EPG Web, EPG App, FTDv, External, Internal, 10.0.0.0/24, 10.0.0.1, 20.0.0.1, 20.0.0.0/24. Tenant B, Graph B: EPG App, EPG DB, FTDv, External, Internal, 10.0.0.0/24, BVI 10.0.0.10. Bridge domains BD1 and BD2.]
Bridge Domains need flooding turned on, to allow ASA to see and bridge packets between two EPGs
Use port-channels on ESXi hosts instead of NIC teaming, which can break Go-Through mode.
Cisco FMCv/FTDv in AWS
• FTDv can connect to an Amazon Virtual Private Cloud (VPC) network, which closely resembles a traditional network topology.
• The FTDv and FMCv run as guests in the AWS private Xen Hypervisor* environment.
• Protect your AWS environment by controlling and monitoring traffic. All features, Stateful L3 mode and ERSPAN Passive modes supported.
• FTDv Transparent Mode and Active/Standby HA is NOT supported (Roadmap)
*Note: The FTDv and FMCv do not support the Xen Hypervisor outside of the AWS environment.
Cisco FMCv/FTDv in AWS
AWS FMCv is optional as many organizations like to use their on-premises FMC.
• Cisco Smart Licensing, AWS hourly coming soon
• AWS Security Group access control must permit SSH/HTTPS access to your instances
• Create and attach network interfaces and add a route table entry for Internet access
• An Elastic IP (static persistent public IP) is required for either FTDv or FMCv remote admin access
Virtual appliance | Instance Type | Interf. Subnets | vCPUs | RAM (GB)
FMCv | m3.large | 3 | 2 | 7.5
FMCv | m3.xlarge | 3 | 4 | 15
FMCv & FTDv* | c3.xlarge | 2 | 4 | 7.5
FMCv | c3.2xlarge | 8 | 4 | 15
* 2 management interfaces required for AWS FTDv
Licensing
Firepower Threat Defense Smart Licensing Structure
• Base License enables NGFW
• Networking, Firewall and Application Visibility & Control
• Perpetual license - included with appliance purchase
• Term-based licenses for advanced protection
• Threat, Malware and URL Filtering
• Smart License Enabled only
[Diagram labels: Base (NGFW); Threat (IPS/SI/DNS); Malware (AMP/TG); URL Filtering. Legend: Blue = Term-based, Green = Perpetual]
Mapping Classic Licenses to new Smart Licenses
Functionality | Traditional Licensing | Smart Licensing
Base License (includes AVC) | Protect + Control | Base
IPS (SI, DNS) | (EULA Enforced) | Threat
AMP/Threat GRID | Malware | Malware
URL Filtering | URL Filtering | URL Filtering
Management | FireSIGHT | Built into Firepower Management Center
Performance: Firepower 4100 and 9300
Performance Highlights
Highlights | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Max FW | 20G | 40G | 60G | 75G | 80G | 225G
1024 AVC | 12G | 20G | 25G | 25G | 35G | 100G
1024 AVC+IPS | 10G | 15G | 20G | 20G | 30G | 90G
FTD Performance
Metric | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Max Throughput: Application Control (AVC) | 12G | 20G | 25G | 25G | 35G | 100G
Max Throughput: Application Control (AVC) and IPS | 10G | 15G | 20G | 20G | 30G | 90G
Sizing Throughput: AVC (450B) | 4G | 8G | 10G | 9G | 12.5G | 30G
Sizing Throughput: AVC+IPS (450B) | 3G | 5G | 6G | 6G | 8G | 20G
Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M
ASA Performance
Metric | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Stateful inspection firewall throughput (maximum) | 20G | 40G | 60G | 75G | 80G | 225G
Stateful inspection firewall throughput (multiprotocol) | 10G | 20G | 30G | 50G | 60G | 100G
Concurrent firewall connections | 10M | 15M | 25M | 55M | 60M | 70M
New connections per second | 150K | 250K | 350K | 0.6M | 0.9M | 2M
Security contexts | 250 | 250 | 250 | 250 | 250 | 250
Virtual Interfaces | 1024 | 1024 | 1024 | 1024 | 1024 | 1024
IPSec 3DES/AES VPN Throughput | 8G | 10G | 14G | 15G | 18G | 18G
Deployment Modes and Use Cases
Branding Terms: Review
Recently Announced
Firepower NGFW
New NGFW brand (Unified ASA+Firepower)
Firepower Threat Defense
New unified appliance software
Firepower Management Center
New unified manager
Firepower Appliances
New Firepower 4100 Series and Firepower 9300 appliances.
Today
ASA with FirePOWER Services
• ASA Appliances with ASA and Firepower software, application firewalling and threat defense.
• The ASA and FirePOWER functions have separate managers.
Deployment Modes
• Basic deployment modes: Firewall modes (choose one)
Routed
Transparent
• Other interface modes: IPS/IDS modes
Inline
Inline Tap
Passive
Firepower Threat Defense interface modes
[Diagram labels: interfaces A-J; Routed/Transparent; Inline Pair 1; Inline Pair 2; Inline Set; Inline Tap; Passive Interfaces; Policy Tables]
Firepower Threat Defense
Integrated Software - Single Management
CISCO COLLECTIVE SECURITY INTELLIGENCE
[Diagram labels: Malware Protection; Network Profiling; URL Filtering (WWW); Identity-Policy Control; Identity Based Policy Control; Analytics & Automation; Application Visibility & Control; Intrusion Prevention; High Availability; Network Firewall and Routing]
Internet Edge Use Case
Firepower NGFW
Requirements
Connectivity and Availability Requirements:
• Firewall for High Availability (Redundancy)
• Firewall should support Routed Mode
• Port-Channel for interface redundancy and link speed aggregation
• Dynamic Routing Support (OSPF / BGP)
Security Requirements:
• Single Context mode
• Dynamic NAT/PAT and Static NAT
• Identity based AVC, URL filtering, IPS and Malware protection
• SSL Decryption
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
VPN connections via separate appliance until 6.1+
[Diagram labels: ISP; Service Provider; FW in HA; Private Network; Campus/Private Network; DMZ Network; Port-Channel; Internet Edge; HSRP]
Cloud Data Center Edge
Firepower NGFWv
Requirements
Connectivity and Availability Requirements:
• Virtual appliance form factor AWS / vSphere
• Firewall for High Availability (Redundancy)
• Firewall in router or transparent mode
• Support for both North/South and East/West deployments
Security Requirements:
• Single Context mode
• Identity based AVC, IPS and Malware & CnC protection
• SSL Decryption
• TrustSec Security Group Tag Support
Solution
Security Application: Firepower NGFWv virtual appliance with Firepower Management Center
Caveats
KVM support in 6.1 and Microsoft Azure in 6.2
Not suitable for Micro-Segmentation / per server firewalling.
[Diagram labels: ISP; Service Provider; FW in HA; Data Center Network; vPC / Port-Channel; Data Center Edge Traffic Zone; Storage; App Servers; WWW Server]
Local Data Center Edge
Appliance & Virtual Firepower NGFW
Requirements
Connectivity and Availability Requirements:
• Firewall for High Availability (Redundancy)
• Firewall in router or transparent mode
• High bandwidth interfaces (10/40Gb/100Gb) and throughput
• High bandwidth flow offload support (fast path)
• Support for both North/South and East/West deployments
Security Requirements:
• Single Context mode
• Identity based AVC, IPS and Malware & CnC protection
• SSL Decryption
• TrustSec Security Group Tag Support
Solution
Security Application: Firepower Threat Defense physical or virtual appliance for Amazon Web Services (AWS) with FMC management
Caveats
Active / Standby Failover only, no clustering until future release.
No VXLAN support.
[Diagram labels: ISP; Service Provider; FW in HA; Data Center Network; vPC / Port-Channel; Data Center Edge Traffic Zone; Storage; App Servers; WWW Server]
Campus NGFW
Firepower NGFW
Requirements
Connectivity and Availability Requirements:
• Firewall for High Availability (Redundancy)
• Firewall in router or transparent mode
• Dynamic Routing Support (OSPF / BGP)
• High bandwidth interfaces (10/40Gb) and throughput
• Port-Channel for interface redundancy and firewall-on-a-stick
Security Requirements:
• Firewall support between security domains within campus
• Campus edge firewall
• Single Context mode
• Identity based AVC, IPS and Malware & CnC protection
• TrustSec Security Group Tag Support
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
Active / Standby Failover only, no clustering until future release.
HA for FMC in 6.1+
No EIGRP Support
[Diagram labels: DC / Internet; FW in HA; FW in A/S HA; NGFW; Access Layer; Campus Distribution; Core; Data Center Edge; Port-Channel; vPC / Port-Channel; WWW; App Servers; Database]
ASA
ASDM/CSM/RESTful API for Management
[Diagram labels: HA and Clustering; Network Firewall [Routing | Switching]; Data Center Security; Service Provider Security; Protocol Inspection; Identity Based Policy Control; VPN; Mix Multi Context Mode]
Use Case
Internet Edge Firewall with VPN Support
Requirement
Connectivity and Availability Requirement:
• Firewall for High Availability (Redundancy)
• Firewall in the Router Mode
• vPC/Port-Channel for interface redundancy and link speed aggregation
Security Requirement:
• Dynamic NAT/PAT and Static NAT
• Application Inspection
• ACL to control the traffic flows
• VPN support (S2S, SSL and AnyConnect)
Solution
Security Application: ASA Firewall
[Diagram labels: ISP; Service Provider; FW in HA; Private Network; Campus/Private Network; DMZ Network; vPC / Port-Channel; Internet Edge; Remote VPN Users; Branch Office; HSRP]
Map Product to Use Case
ASA with Firepower Services (5585-X)
NGFW for Data Center & Enterprise Core; anywhere clustering, VPN, on-box management are required.
ASA Software (Firepower 4100 & 9300)
Dedicated ASA: Service Provider, Data Center (Firewall only)
Firepower Threat Defense Software (Firepower 4100 & 9300)
Firepower NGFW: High-speed Internet Edge (where clustering, VPN, multi-context, and on-box management are not required)
Cisco’s driving rapid feature parity between ASA with FirePOWER Services and Firepower NGFW, with two additional major releases planned for this year.
ASA 5585-X: 2016 and Beyond
• There are no EOS/EOL plans: won’t be considered until CY2017
• Superior reputation: 5585-X cited in Nov. 2015 Gartner Research Highlight for Carrier Class Firewalls: our market share is near 50%
• As customers migrate to newer platforms over the next 5 years, long-term evolution and protection is assured
• Investment protection built into the engineering plan: threat defense innovation will continue to come regularly to both ASA with FirePOWER Services and Firepower NGFWs
• Firepower Management Center expected to support mgmt. of key ASA features on 5585-X Q4CY2016*
ASA 5585-X: ✓ Proven ✓ Reliable ✓ Supported
* Pre-Commit Date
Deployment Considerations
Software Support by Platform
Software columns: Firepower NGFW (Firepower Threat Defense); Firepower NGIPS/AMP Appliance; ASA with FirePOWER Services; ASA; Radware vDP DDoS
FirePOWER 7000/8000 Series ✓
ASA Low/Mid Range (5506/08/16/25/45/55) ✓ ✓ ✓
ASA High-end (5585 SSP-10/20/40/60) ✓ ✓
Firepower 4100/9300 (4110/20/40 / FPR9K, SM-24/36) ✓ ✓ ✓
*Subject to Compliance Hold
Deployment Considerations - Migration
• New Deployments
All hardware and software options depending on the requirements
Firepower appliances for 40/100 Gb interfaces
• ASA Refresh
All hardware options – ASA and Firepower appliances
Software Migration
ASA to ASA software
Limited migration from ASA to FTD in July timeframe
Native migration from ASA to FTD in the November timeframe
Security Architecture
More than just an NGFW
• When considering the move to an NGFW
Think about more than just the firewall features
Consider the various use cases and integration opportunities
Use an architectural approach to ensure the NGFW meets the capabilities required
Thank you.

The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

ASA Firepower NGFW Update and Deployment Scenarios

  • 1. NGFW Update and Deployment Scenarios. Michael Mercier, Consulting Systems Engineer – Security Solutions. May 19, 2016. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
  • 2. Housekeeping notes Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes to ensure we all enjoy the session today. • Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
  • 3. Agenda Firepower NGFW Firepower Threat Defense Software Overview Firepower 4100 Next-Generation Security Architecture Firepower 9300 Next-Generation Security Architecture FTDv Licensing Performance Deployment Modes / Use Cases Deployment Considerations
  • 4. Firepower Threat Defense (FTD) • Unified codebase software image Firepower 4100 Series and 9300 Appliances • Brand for new hardware product offerings which run FTD or ASA “Firepower Next-Generation Firewall (NGFW)” • FTD + Hardware appliance Firepower Management Center (FMC) • Formerly FireSIGHT. Unified manager for NGFW, NGIPS, AMP, FirePOWER on ISR ASA with FirePOWER Services • Two managers, full firewall feature set Relevant Terminology
  • 5. Detect earlier, act faster Gain more insight Reduce complexity Get more from your network Stop more threats Enable your business with a fully integrated, threat-focused solution Threat Focused Fully Integrated Cisco Firepower™ NGFW
  • 6. Stop more threats across the entire attack continuum Remediate breaches and prevent future attacks Detect, block, and defend against attacks Discover threats and enforce security policies Cisco Firepower™ NGFW BEFORE AFTER DURING
  • 7. “You can’t protect what you can’t see” Gain more insight with increased visibility Malware Client applications Operating systems Mobile devices VoIP phones Routers and switches Printers Command and control servers Network servers Users File transfers Web applications Application protocols Threats Typical IPS Typical NGFW Cisco Firepower™ NGFW
  • 8. Cisco: 17.5 hours Industry TTD rate:* 100 days Detect infections earlier and act faster • Automated attack correlation • Indications of compromise • Local or cloud sandboxing • Malware infection tracking • Two-click containment • Malware analysis Source: Cisco® 2016 Annual Security Report *Median time to detection (TTD)
  • 9. Firepower Management Center
  • 10. Cisco Firepower™ Management Center Reduce complexity with simplified, consistent management • Network-to-endpoint visibility • Manages firewall, applications, threats, and files • Track, contain, and recover remediation tools Unified • Central, role-based management • Multitenancy • Policy inheritance Scalable • Impact assessment • Rule recommendations • Remediation APIs Automated
  • 11. Shared intelligence Shared contextual awareness Consistent policy enforcement Cisco Firepower™ Management Center Get more from your network through integrated defenses Talos Firepower 4100 Series Firepower 9300 Platform Visibility Radware DDoS Network analysis Email Threats Identity and NAC DNS Firewall URL
  • 12. Management: Firepower Management Center Appliances (columns: FS750 | FS2000 | FS4000 | Virtual)
      • Maximum devices managed*: 10 | 70 | 300
      • Event storage: 100 GB | 1.8 TB | 3.2 TB
      • Maximum network map (hosts/users): 2000/2000 | 150,000/150,000 | 600,000/600,000
      • Events per second (EPS): 2000 | 12,000 | 20,000
      • Virtual: Virtual FireSIGHT® Management Center, up to 25 managed devices, ASA or FirePOWER appliances
      • Virtual: Virtual FireSIGHT® Management for 2 or 10 ASA devices only! Not upgradeable (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9)
      • * Max number of devices is dependent upon sensor type and event rate
  • 13. Cisco NGFW Platforms *5585-X management available 2HCY16 All* Managed by Cisco Firepower Management Center Cisco Firepower™ 4100 Series and 9300 Cisco FirePOWER™ Services on ASA 5585-X Cisco Firepower Threat Defense on ASA 5500-X New Appliances
  • 14. Firepower Threat Defense
  • 15. New Converged Software Image: Firepower Threat Defense Contains all Firepower Services plus select ASA capabilities Single Manager: Firepower Management Center* Same subscriptions as FirePOWER Services, enabled by Smart Licensing: Threat (IPS + SI + DNS) Malware (AMP + ThreatGrid) URL Filtering Converged Software – Firepower Threat Defense * Also manages Firepower Appliances, Firepower Services (not ASA Software)
  • 16. • Everything from Firepower 6.0.1 • Phased introduction of features from ASA • FTD 6.0.1 IPv4 and IPv6 Connection state tracking and TCP normalization Access Control NAT (Full support) Unicast Routing (except EIGRP) ALGs (only default configuration) Intra chassis Clustering on Firepower 9300 Stateful Failover (HA) What features are available?
  • 17. High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense (columns: Feature | Firepower Services for ASA | Firepower Threat Defense | Notes for Firepower Threat Defense)
      • HA, NAT | ✔ | ✔
      • Routing | ✔ | ✔ | Multicast in 6.1, No EIGRP
      • Unified ASA and Firepower rules/objects | ✘ | ✔
      • Local Management | ✔ | ✔ | In 6.1, features differ
      • Multi-Context | ✔ | ✘
      • Inter-chassis Clustering | ✔ | ✘
      • VPN | ✔ | ✔ | Site-to-Site VPN in 6.1
      • Hypervisor Support | ✘ | ✔ | AWS, VMware; KVM in 6.1
      • Smart Licensing support | ✘ | ✔
      • Note: Not an exhaustive list of differences between these offerings.
  • 18. Firepower Threat Defense – Phased Delivery • Remote Access VPN • Device Clustering • SSL Acceleration • Traffic QoS • Time-based Policies • Hyper-V / Azure • MS Exchange identity • Pkt Trace/Capture • Configuration CLI • Site-to-Site VPN • Rate-Limiting • Multicast and EIGRP • VDI User Identity • AMP Private Cloud • ISE Remediation • X-Forwarded-For • Web Safe Search • Built-in Risk Reports • KVM Virtual platform • On-box Web UI • FMC HA, Scale and API General Availability V6.0.1 – Mar. 2016 • FP 9300/4100 platforms • ASA Low/Mid platforms • All of FP Services 6.0 • ASA+FP Rules/Objects • Transp/Routed Deploy • Active/Passive HA • NAT (Dynamic/Static) • OSPF, BGP, RIP, Static • ALGs (fixed config) • Syn Cookie/Anti-Spoof V6.1 - Q4FY16 1HFY17 High-Priority NGFW Feature Parity
  • 19. What Platforms run Firepower Threat Defense? *5585-X ASA module management being investigated for 2HCY16 All* Managed by Cisco Firepower Management Center Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 Cisco FirePOWER Services on ASA 5585-X Cisco FirePOWER on 7000/8000 Series Appliances Cisco Firepower Threat Defense on ASA 5500-X New Appliances
  • 20. Firepower Threat Defense Software Overview
  • 21. • New Next Generation Firewall offering • Brings together the best features from ASA and Firepower, all under one OS • Zero-copy packet inspection • Single management application • Duplicate functionality removed Advantages of Firepower Threat Defense Firepower Threat Defense L2-L4 Inspections (ASA Technology) Advanced Inspections (FirePOWER Technology) Firepower Management Center ASA FirePOWER Services CSM/ASDM FireSIGHT
  • 22. ASA with FirePOWER Services Packet flow Ingress NIC L2/L3 Decode L4 Decode Flow Lookup Route Lookup NAT Lookup Inspection checks Routing NAT Egress NIC Flow Update File/AMP IPS AVC Kernel Virtual TAP FirePOWER Services Event Database Virtual Container 2 OS, ASA & FP
  • 23. Firepower Threat Defense Packet Flow Ingress NIC L2/L3 Decode L4 Decode Flow Lookup Route Lookup NAT Lookup Inspection checks Routing NAT Egress NIC Flow Update File/AMP IPS AVC FirePOWER Services Event Database Packet Library (PDTS) Zero Copy Single OS
  • 24. • Access policies broken down into 2 sets of rules • Advanced ACLs - Evaluate L2 – L4 attributes and give a verdict Permit Deny Trust • NGFW ACLs – Evaluate L7 attributes Allow Block TrustPath Unified Access Control policies
  • 25. Unified Objects Configuration Objects in 5.4 Objects in 6.0
  • 26. Firepower 4100 Next Generation Firewall
  • 27. Cisco Firepower 4100 Series Introducing four new high-performance models Performance and Density Optimization Unified Management Multiservice Security • Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP) • Radware DefensePro DDoS • ASA and other future third party • 10-Gbps and 40-Gbps interfaces • Up to 80-Gbps throughput • 1-rack-unit (RU) form factor • Low latency • Single management interface with Firepower Threat Defense • Unified policy with inheritance • Choice of management deployment options
  • 28. Hardware Overview
  • 29. Firepower 4100 Series Front and Rear View SSD1 SSD2 1 3 5 7 NetMod 1 (Slot) NetMod 2 (Slot) 2 4 6 8 PS1 PS2 FAN1 FAN2 FAN3 FAN4 FAN5 FAN6 Power Console Mgmt. SYS ACT SSD Status
  • 30. Supervisor Module: Console and Management Port 8 10G Fixed Ethernet Ports 2 x Network Modules Security Engine: Dual CPU, each connected with a Smart NIC and Crypto accelerator card Two SSD - 1 Default + 1 Optional (For AMP service) SSD Size 200GB for 4120 400GB for 4140 Backplane 80GB Backplane support Firepower 4110/20/40/50 - Hardware Components Internal 720G Switch Fabric Security Engine RAM Smart NIC + Crypto Accelerator 2x40Gbps 2x100Gbps Built-in 8x10GE interfaces NM Slot 1 X86 CPU NM Slot 2 80G 8x 10G (or) 4x 40G Network Module …… …… Console Mgmt. Port 200G 2x40Gbps 5x 40Gbps 200G 5x 40Gbps SSD SSD
  • 31. Software Overview
  • 32. • FP 4100 Series of platform supported from FXOS 1.1.4 • FXOS provides interface for device management and provisioning of the security application on security engine. • All images are digitally signed and validated through Secure Boot. • Security application images are in Cisco Secure Package (CSP) format • Multiple versions of the same application can be stored in Supervisor and deployed to Security Engine on demand • Contains system (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on) Firepower 4100 Software Decorator application from third-party (KVM) Primary application from Cisco (Native) DDoS ASA or FTD FXOS Firepower Extensible Operating System (FXOS) Supervisor Security Engine
  • 33. Security Service Architecture for Firepower 4100 Series Platform Supervisor Ethernet 1/1-8 Ethernet 2/1-8 Standalone/Cluster Security Module 1 Ethernet 3/1-4 Application Image Storage PortChannel1 Ethernet1/7 (Management) Data Logical Device Link Decorator External Connector Primary Application Decorator Application On-board 8x10GE interfaces 8x10GE NM Slot 1 4x40GE NM Slot 2 ASA/FTD Packet Flow Security Engine Radware vDP
  • 34. Firepower 9300 Next Generation Firewall
  • 35. Cisco Firepower 9300 Platform Benefits • Integration of best-in-class security • Dynamic service stitching Features* • Cisco® ASA container • Cisco Firepower™ Threat Defense containers: • NGIPS, AMP, URL, AVC • Third-party containers: • Radware DDoS • Other ecosystem partners Benefits • Standards and interoperability • Flexible architecture Features • Template-driven security • Secure containerization for customer apps • RESTful/JSON API • Third-party orchestration and management Benefits • Industry-leading performance: • 600% higher performance • 30% higher port density Features • Compact, 3RU form factor • 10-Gbps/40-Gbps I/O; 100-Gbps ready • Terabit backplane • Low latency, intelligent fast path • Network Equipment-Building System (NEBS) ready * Contact Cisco for services availability Modular Carrier Class Multiservice Security High-speed, scalable security
  • 36. Cisco Firepower 9300 Overview Supervisor • Application deployment and orchestration • Network attachment (10/40/100GE) and traffic distribution • Clustering base layer for Cisco® ASA, NGFW, and NGIPS 1 3 2 Security Modules • Embedded packet and flow classifier and crypto hardware • Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications • Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
  • 37. Cisco Firepower 9300 Chassis Hardware • 19-inch 3RU rack (32 in. deep, 17.5 in. wide, and 135 lb fully loaded) • Four FRU fan modules with OIR • N+1 redundancy • Front-to-back airflow • Dual redundant power supplies with load sharing and OIR • 2500 and 1300W AC power supplies initially; 2500W DC to follow • Single supply at 110V is not enough for full chassis; 220V is required • Scalable backplane support up to 200 Gbps per security module
  • 38. Supervisor Module Overall chassis management and network interaction • Network interface allocation and security module connectivity (960-Gbps internal fabric) • Application image storage, deployment, provisioning, and service chaining • Clustering infrastructure for supported applications • Cisco® Smart Licensing and NTP for entire chassis RJ-45 Console 1 GE Management (SFP) Built-in 10 GE Data (SFP+) Optional Network Modules (NMs) 1 2
  • 39. Supervisor Simplified Hardware Diagram Internal Switch Fabric (up to 24x40GE) Security Module 1 Security Module 2 Security Module 3 On-Board 8 x 10 GE Interfaces Network Module 1 Network Module 2 2 x 40 Gbps 2 x 40 Gbps 2 x 40 Gbps 2 x 40 Gbps 5 x 40 Gbps 5 x 40 Gbps x86 CPU RAM System Bus Ethernet
  • 40. Network Modules • Supervisor configures interfaces and directs traffic to security modules • All interfaces are called “Ethernet” and 1 referenced (for example, Ethernet1/1) • Hardware OIR support; software support to follow • Mix and match up to two 10 and 40 GE half-width modules • 8 x 10 GE SFP or SFP+ per module • 4 x 40 GE QSFP per module; each port can be split to 4 x 10 GE • 100 GE modules
  • 41. Security Modules • Three security module configurations • SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput • SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput • (Future) NEBS: SM24 NEBS certification • Dual 800GB SSD in RAID1 by default • Built-in hardware packet and flow classifier and crypto accelerator • Hardware VPN acceleration is targeted for a subsequent software release
  • 42. Security Module Simplified Diagram System Bus x86 CPU 1 24 or 36 Cores Packet and Flow Classifier and Crypto Accelerator Backplane Supervisor Connection x86 CPU 2 24 or 36 Cores 2 x 100 Gbps 2 x 100 Gbps RAM Ethernet
  • 43. Cisco Firepower 9300 Software • Supervisor and security modules use multiple independent images • Infrastructure software bundle for supervisor • Security module firmware bundle • Security application images bundles for modules • All images are digitally signed and validated through Secure Boot • Service application images are in Cisco® Secure Package (CSP) format • Stored on supervisor and deployed to security module on demand • Multiple versions of the same application may be stored • Contains system (for example, Cisco ASA) and other images (Cisco ASDM, REST, etc.)
  • 44. Security Services Architecture on Firepower 9300 Cisco® ASA Cluster Security Module 1 Security Module 2 Security Module 3 Supervisor On-Board 8 x 10 GE Interfaces 8 x 10 GE NM Slot 1 Application Image Storage 4 x 40 GE NM Slot 2 Ethernet 1/7 (Management) Ethernet 1/1-8 Ethernet 2/1-8 Ethernet 3/1-4 Logical Device Logical Device Unit Link Decorator Application Connector External Connector Packet Flow Primary Application Decorator Application PortChannel1 Data DDoS DDoS DDoS ASA ASA ASA
  • 45. Management Overview • Chassis management is independent from applications • On-box chassis manager UI and CLI • Cisco® ASDM is the only management GUI for Cisco ASA initially • Future off-box Cisco Firepower Device Manager for both chassis and Cisco applications • SNMP and syslog support for chassis-level counters and events on supervisor • REST API on supervisor for third-party service management • SDN orchestration enablement for security services on demand
  • 46. FTDv
  • 47. FTDv FMC Cisco FTDv for VMware: Routed, Transparent, Inline Mode
  • 48. FTDv for VMware: Passive mode FTDv
  • 49. BD1 BD2 BD1 BD2 • Routed Mode (Go-To) • Transparent Mode (Go-Through) FTDv Service Graph in the ACI Fabric EPG App EPG DB FTDv Graph B 10.0.0.0/24 Tenant B External Internal EPG Web EPG App Graph A 10.0.0.0/24 10.0.0.1 20.0.0.1 20.0.0.0/24 Tenant A External Internal FTDv Bridge Domains need flooding turned on, to allow ASA to see and bridge packets between two EPGs BVI 10.0.0.10 Use port-channels on ESXi hosts instead of NIC teaming. It can break Go-Through mode.
  • 50. • FTDv can connect to Amazon Virtual Private Cloud (VPC) network which closely resembles a traditional network topology. • The FTDv and FMCv run as guests in AWS private Xen Hypervisor* environment. • Protect your AWS environment by controlling and monitoring traffic. All features, Stateful L3 mode and ERSPAN Passive modes supported. • FTDv Transparent Mode and Active/Standby HA is NOT supported (Roadmap) Cisco FMCv/FTDv in AWS *Note: The FTDv and FMCv do not support the Xen Hypervisor outside of the AWS environment.
  • 51. Cisco FMCv/FTDv in AWS. AWS FMCv is optional as many organizations like to use their on premises FMC. • Cisco Smart Licensing, AWS hourly coming soon • AWS Security Group Access control must permit SSH/HTTPs access to your instances • Create and attach Network interfaces and add Route table entry for Internet access • An Elastic IP (Static persistent Public IP) is required for either FTDv or FMCv remote admin access • * 2 management interfaces required for AWS FTDv
      • Columns: Instance Type | Interf. Subnets | vCPUs | RAM (GB)
      • FMCv m3.large | 3 | 2 | 7.5
      • FMCv m3.xlarge | 3 | 4 | 15
      • FMCv & FTDv* c3.xlarge | 2 | 4 | 7.5
      • FMCv c3.2xlarge | 8 | 4 | 15
  • 52. Licensing
  • 53. Firepower Threat Defense Smart Licensing Structure • Base License enables NGFW • Networking, Firewall and Application Visibility & Control • Perpetual license - included with appliance purchase • Term-based licenses for advanced protection • Threat, Malware and URL Filtering • Smart License Enabled only Base (NGFW) Threat (IPS/SI/DNS) Malware (AMP/TG) URL Filtering Blue = Term-based Green = Perpetual
  • 54. Mapping Classic Licenses to new Smart Licenses Functionality Traditional Licensing Smart Licensing Base License (includes AVC) Protect + Control Base IPS (SI, DNS) (EULA Enforced) Threat AMP/Threat GRID Malware Malware URL Filtering URL Filtering URL Filtering Management FireSIGHT Built into Firepower Management Center
  • 55. Performance: Firepower 4100 and 9300
  • 56. Performance Highlights (columns: Highlights | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3)
      • Max FW | 20G | 40G | 60G | 75G | 80G | 225G
      • 1024 AVC | 12G | 20G | 25G | 25G | 35G | 100G
      • 1024 AVC+IPS | 10G | 15G | 20G | 20G | 30G | 90G
  • 57. FTD Performance (columns: 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3)
      • Max Throughput: Application Control (AVC) | 12G | 20G | 25G | 25G | 35G | 100G
      • Max Throughput: Application Control (AVC) and IPS | 10G | 15G | 20G | 20G | 30G | 90G
      • Sizing Throughput: AVC (450B) | 4G | 8G | 10G | 9G | 12.5G | 30G
      • Sizing Throughput: AVC+IPS (450B) | 3G | 5G | 6G | 6G | 8G | 20G
      • Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M
  • 58. ASA Performance (columns: 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3)
      • Stateful inspection firewall throughput (maximum) | 20G | 40G | 60G | 75G | 80G | 225G
      • Stateful inspection firewall throughput (multiprotocol) | 10G | 20G | 30G | 50G | 60G | 100G
      • Concurrent firewall connections | 10M | 15M | 25M | 55M | 60M | 70M
      • New connections per second | 150K | 250K | 350K | 0.6M | 0.9M | 2M
      • Security contexts | 250 | 250 | 250 | 250 | 250 | 250
      • Virtual Interfaces | 1024 | 1024 | 1024 | 1024 | 1024 | 1024
      • IPSec 3DES/AES VPN Throughput | 8G | 10G | 14G | 15G | 18G | 18G
  • 59. Cisco Confidential 59© 2015 Cisco and/or its affiliates. All rights reserved. Deployment Modes and Use Cases
  • 60. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60 Branding Terms: Review Firepower NGFW New NGFW brand (Unified ASA+Firepower) Firepower Threat Defense New unified appliance software Firepower Management Center New unified manager Firepower Appliances New Firepower4100 Series and Firepower9300 appliances. ASA with FirePOWER Services • ASAApplianceswith ASAand Firepowersoftware,application firewalling and threat defense. • The ASAand FirePOWER functions have separatemanagers. Today Recently Announced
  • 61. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61 Deployment Modes • Basic deployment modes: Firewall modes (choose one) Routed Transparent • Other interface modes: IPS/IDS modes Inline Inline Tap Passive
  • 62. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 62 Firepower Threat Defense interface modes Routed/TransparentA B C D F G H I Inline Pair 1 Inline Pair 2 Inline Set E J Policy Tables Passive Interfaces Inline Tap
  • 63. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 63 Malware Protection Firepower Threat Defense Network Profiling CISCO COLLECTIVE SECURITY INTELLIGENCE URL Filtering Integrated Software - Single Management WWW Identity-Policy Control Identity Based Policy Control Network Profiling Analytics & AutomationApplication Visibility &Control Intrusion Prevention High Availability Network Firewall and Routing
  • 64. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 64 Internet Edge Use Case Firepower NGFW Requirements Connectivity and Availability Requirements: • Firewall for High Availability (Redundancy) • Firewall should support Routed Mode • Port-Channel for interface redundancy and link speed aggregation • Dynamic Routing Support (OSPF / BGP) Security Requirements: • Single Context mode • Dynamic NAT/PAT and Static NAT • Identity based AVC, URL filtering, IPS and Malware protection • SSL Decryption Solution Security Application: Firepower NGFW appliances with Firepower Management Center VPN connections via separate appliance until until 6.1+ ISP FW in HA Private Network Service Provider Campus/Priv ate Network DMZ Network Port- Channel Internet Edge HSRP Caveats
  • 65. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 65 Cloud Data Center Edge Firepower NGFWv Requirements Connectivity and Availability Requirements: • Virtual appliance form factor AWS / vSphere • Firewall for High Availability (Redundancy) • Firewall in router or transparent mode • Support for both North/South and East/West deployments Security Requirements: • Single Context mode • Identity based AVC, IPS and Malware & CnC protection • SSL Decryption • TrustSec Security Group Tag Support Solution Security Application: Firepower NGFWv virtual appliance with Firepower Management Center KVM support in 6.1 and Microsoft Azure in 6.2 Not suitable for Micro-Segmentation / per server firewalling. ISP FW in HA Service Provider Data Center Network vPC / Port- Channel Data Center Edge Traffic Zone StorageApp Servers WWW Server Caveats
  • 66. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 66 Local Data Center Edge Appliance & Virtual Firepower NGFW Requirements Connectivity and Availability Requirements: • Firewall for High Availability (Redundancy) • Firewall in router or transparent mode • High bandwidth interfaces (10/40Gb/100Gb) and throughput • High bandwidth flow offload support (fast path) • Support for both North/South and East/West deployments Security Requirements: • Single Context mode • Identity based AVC, IPS and Malware & CnC protection • SSL Decryption • TrustSec Security Group Tag Support Solution Security Application: Firepower Threat Defense physical or virtual appliance for Amazon Web Services (AWS) with FMC management Active / Standy Failover only, no clustering until future release. No VXLAN support. ISP FW in HA Service Provider Data Center Network vPC / Port- Channel Data Center Edge Traffic Zone StorageApp Servers WWW Server Caveats
  • 67. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 67 Campus NGFW Firepower NGFW Requirements Connectivity and Availability Requirements: • Firewall for High Availability (Redundancy) • Firewall in router or transparent mode • Dynamic Routing Support (OSPF / BGP) • High bandwidth interfaces (10/40Gb) and throughput • Port-Channel for interface redundancy and firewall-on-a-stick Security Requirements: • Firewall support between security domains within campus • Campus edge firewall • Single Context mode • Identity based AVC, IPS and Malware & CnC protection • TrustSec Security Group Tag Support Security Application: Firepower NGFW appliances with Firepower Management Center Active / Standy Failover only, no clustering until future release. HA for FMC in 6.1+ No EIGRP Support DC / Internet FW in HA Access Layer Port- Channel Data Center Edge Campus Distriubtion Core FW in A/S HA NGFW Database App Servers WWW Database App Servers WWW vPC / Port- Channel Caveats Solution
  • 68. ASA
    • ASDM/CSM/RESTful API for Management
    • HA and Clustering
    • Network Firewall [Routing | Switching]
    • Data Center Security
    • Service Provider Security
    • Protocol Inspection
    • Identity Based Policy Control
    • VPN
    • Mix Multi Context Mode
  • 69. Use Case: Internet Edge Firewall with VPN Support
    Requirement
    Connectivity and Availability Requirement:
    • Firewall for High Availability (Redundancy)
    • Firewall in the Router Mode
    • vPC/Port-Channel for interface redundancy and link speed aggregation
    Security Requirement:
    • Dynamic NAT/PAT and Static NAT
    • Application Inspection
    • ACL to control the traffic flows
    • VPN support (S2S, SSL and AnyConnect)
    Solution
    Security Application: ASA Firewall
    [Diagram labels: ISP, FW in HA, Private Network, Service Provider, Campus/Private Network, DMZ Network, vPC / Port-Channel, Internet Edge, Remote VPN Users, Branch Office, HSRP]
  • 70. Map Product to Use Case
    • 5585-X, ASA with Firepower Services: NGFW for Data Center & Enterprise Core; anywhere clustering, VPN, on-box management are required.
    • Firepower 4100 & 9300, ASA Software: Dedicated ASA Service Provider, Data Center (Firewall only)
    • Firepower 4100 & 9300, Firepower Threat Defense Software: Firepower NGFW High-speed Internet Edge (where clustering, VPN, multi-context, and on-box management are not required)
    Cisco’s driving rapid feature parity between ASA with FirePOWER Services and Firepower NGFW, with two additional major releases planned for this year.
  • 71. ASA5585-X: 2016 and Beyond
    • There are no EOS/EOL plans: won’t be considered until CY2017
    • Superior reputation: 5585-X cited in Nov. 2015 Gartner Research Highlight for Carrier Class Firewalls: our market share is near 50%
    • As customers migrate to newer platforms over the next 5 years, long-term evolution and protection is assured
    • Investment protection built into the engineering plan: threat defense innovation will continue to come regularly to both ASA with FirePOWER Services and Firepower NGFWs
    • Firepower Management Center expected to support mgmt. of key ASA features on 5585-X Q4CY2016*
    ASA 5585-X: ✓ Proven ✓ Reliable ✓ Supported
    * Pre-Commit Date
  • 72. Deployment Considerations
  • 73. Software Support by Platform
    Software columns: Firepower NGFW (Firepower Threat Defense) | Firepower NGIPS/AMP Appliance | ASA with FirePOWER Services | ASA | Radware vDP DDoS
    Platform rows (check marks as extracted; column positions were lost):
    • FirePOWER 7000/8000 Series: ✓
    • ASA Low/Mid Range (5506/08/16/25/45/55): ✓ ✓ ✓
    • ASA High-end (5585 SSP-10/20/40/60): ✓ ✓
    • Firepower 4100/9300 (4110/20/40 / FPR9K, SM-24/36): ✓ ✓ ✓
    *Subject to Compliance Hold
  • 74. Deployment Considerations - Migration
    • New Deployments
      All hardware and software options depending on the requirements
      Firepower appliances for 40/100 Gb interfaces
    • ASA Refresh
      All hardware options – ASA and Firepower appliances
      Software Migration
        ASA to ASA software
        Limited migration from ASA to FTD in July timeframe
        Native migration from ASA to FTD in the November timeframe
  • 75. Security Architecture
  • 76. More than just an NGFW
    • When considering the move to an NGFW
      Think about more than just the firewall features
      Consider the various use cases and integration opportunities
      Use an architectural approach to ensure the NGFW meets the capabilities required