NGF TDM Deck
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 5
Traditional Network Security
(Diagram: public internet, network edge, firewall as the one control point for all traffic)
The New Reality
A one-size-fits-all approach has proved ineffective in today’s landscape
Firewall Validated Use Cases
Where can Cisco help?
• Internet Edge
• Data Center
• Branch
• Cloud/Virtual
• Secure IPS
• Remote Access VPN
Why Cisco Secure Firewall?
Cisco’s Comprehensive Security Portfolio
• Secure Firewall Threat Defense
• Secure Firewall Management Center
• Secure Workload
• Secure Endpoint
• Talos
• Cisco Defense Orchestrator
• TrustSec
• SecureX threat response
• Cisco Identity Services Engine
• Secure Network Analytics
• Rapid Threat Containment
World-class security controls
World-Class Security Controls
Need: improve encrypted traffic performance and detect more sophisticated threats with a complete line of firewall solutions.
Cisco offering:
• Stop more threats: Contain known and unknown malware with leading Cisco® Advanced Malware Protection and sandboxing (Secure Malware Analytics).
• Prioritize threats: Gain superior visibility into your environment. Automate risk rankings and impact flags to quickly identify priorities.
• Detect earlier, act faster: Talos threat intelligence underpins the entire Cisco Secure ecosystem: if you own a Cisco Secure product, you’re harnessing the power of Talos.
Additional Secure Firewall Resources
• Secure Firewall Release 7.2 Overview
‑ Previous release overview presentation under Features > Release Overviews
Secure Firewall Platforms
Secure Firewall Appliances
Supporting your choice of FTD or ASA software
• FPR 1010: 880 Mbps* AVC+IPS
• FPR 1120/40/50: 2.3-4.9 Gbps* AVC+IPS
• FPR 2110/20/30/40: 2.6-10.4 Gbps* AVC+IPS
• 3110/20/30/40 (New): stand-alone device 17-45 Gbps* AVC+IPS; 8 node cluster up to 288 Gbps* AVC+IPS (NEW)
• FPR 4110/12/15/25/45: stand-alone device 15.5-53 Gbps* AVC+IPS; 16 node cluster up to 680 Gbps* AVC+IPS
• FPR 9300 Series (SM-40, SM-48, SM-56): one module 55-70 Gbps* AVC+IPS; 16 node cluster up to 950 Gbps* AVC+IPS
New Features
• Clustering
• Accelerated Networking
• Dynamic Policy
• Gateway Load Balancer integration
• Better integration with public cloud infrastructure
• Auto Scaling
• Infrastructure as Code and Automation
• Snapshot support
Clustering Virtual Cisco Secure Firewalls – New with 7.2
Public Cloud (AWS and GCP):
• Up to 16 cluster nodes
• Cluster configuration does not use FMC.
• Day 0 configuration bootstraps cluster.
  ‑ User data (AWS) or startup script (GCP)
• One node of the cluster is registered to the FMC.
• Other cluster nodes are discovered.
Private Cloud (KVM and VMware):
• Up to 4 cluster nodes
• Cluster configuration uses FMC.
• Each device in the cluster is registered separately.
• Use the FMC to assemble devices into clusters.
Enabling the cloud transition
(Diagram: Database, Pods)
Firepower Hardware Update
As the threat landscape evolves, our firewall portfolio does too. Gain more features and better performance at the same or lower price point.
Better performance
• Up to 3.5x boost in Firewall throughput
• Up to 5x boost in VPN throughput
More connections
• Up to 2x more connections per second (CPS)
Firepower 1000 Series
Small business and branch office security with superior price/performance
• PoE, 8 10/100/1000Base-T RJ45 switching ports
• 8 10/100/1000Base-T RJ45 switching ports, 4 1000Base-F SFP switching ports, 2 x 1/10Gbps SFP+ (1150)
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
Cisco Secure Firewall 3100 Series
Make hybrid work and zero trust practical, with the flexibility to ensure strong return on investment
3100 Series: Key Hardware Highlights
Up to 3x performance boost
Secure Firewall 2100 Series vs. Firepower 3100
*Performance Estimates are in Gbps, subject to 1024B packet size, protocol type, and other networking variables.
IPSEC numbers for the Firepower 3100 series are with VPN Offload enabled.
3100 Series: Front Panel
(Diagram: SSD 1, SSD 2)
3100 Series: Back Panel
Hardware Specification Summary
SSD, 2 slots FRU, Default slot 1 populated, 2nd slot is for SW RAID1, 900GB minimum
NetMod 1 Slot
3100 Series: Network Interfaces
3100 Series: Minimum Supported Versions
Minimum Manager Version | Managed Devices Software | Minimum Version on Managed Devices
CSM | ASA | 9.17.1
Firepower 4100 Series
Enterprise and data center security with exceptional price/performance
• Up to 50% performance improvement over previous models
• Up to 44% higher TLS performance!
• Supported software releases:
  • FTD 6.4+ – including multi-instance
  • ASA 9.12.1+
  • FXOS 2.6.1+
Four new appliance models: 4112*, 4115, 4125, 4145
up to 47 Gbps Firewall throughput**
* 4112 FXOS 2.8.1, FTD 6.6 or ASA 9.14.1
** 1024B FW+AVC+IPS
Firepower 9300 Service Modules
• Up to 80% performance boost over the previous generation SM
• Up to 33% higher TLS performance!
• Supported software releases:
  • FTD 6.4+ – including multi-instance
  • ASA 9.12.1+
  • FXOS 2.6.1+
3 new 9300 SM models: SM-40, SM-48, SM-56
up to 153 Gbps Firewall throughput*
*1024B FW+AVC+IPS
FMC Virtual 300
• Up to 300 managed devices!
• CPU: 2 x 8 cores, Memory: 64 GB, hard disk: 2.2 TB
• Migrate easily from one FMC model to another
• High Availability for on prem, AWS and OCI clouds – 7.1 or higher
• Supported software releases:
  • FTD 6.5 or higher – including multi-instance
  • FMC 6.5 or higher
Multi-Instance Expands Deployment Options
• Install multiple FTD logical devices on a single module or appliance
• Container architecture
• Instance failure does not affect other instances
• Allows tenant management separation, independent instance upgrade
• Supports HA between identical instances on different physical devices
• Example: 54 instances on a FPR9300 chassis with 3 x SM-56 modules
• Improved crypto acceleration in hardware (NEW)
(Diagram: two Firepower 9300/4100 service modules, each on its own MIO; FTD Instance A is active on one module and standby on the other, joined by the HA/state link, alongside standalone FTD Instances B and C)
Clustering
Drive high return on investment while maintaining high availability
• Combine multiple devices to make a single scalable logical device
• Scale as you grow
• Scale throughput, concurrent and new connections
• Can span multiple datacenters
• N+1 resilience
(Diagram: FTD Cluster attached to the network over vPC)
Multi-Site Data Center
• North-South insertion with LISP inspection and owner reassignment
• CCL is fully extended between DCs at L2 with <10ms latency
• Data VLANs are not extended for North-South insertion; filtering is required to avoid loops and MAC/IP conflicts for East-West
(Diagram: Site 1 and Site 2, one firewall cluster spanning both, VPC1 and VPC2)
Secure Firewall Threat Defense
What is Secure Firewall Threat Defense (FTD)?
Delivers nearly 100% efficacy on blocking malicious flows and guards the network against threats
• Key Benefits
• Tenant management separation
• Scale as you grow
• Impact analysis
• Prioritize administration
• Features
• Firewall
• Intrusion Prevention
• Integrated TLS Decryption
• VPN
• Cisco Threat Intelligence Director
• Malware Continuous Analysis with Retrospection
Release 7.2 Highlights
Firewall Policy Powered by Talos and OpenAppID
Control traffic based on IP, URL, FQDN, or application
(Diagram: security feeds (URL | IP | DNS) into the firewall, which allows or blocks; category-based DNS sinkhole; admin policy creation)
• Security Intelligence: Block latest malicious IPs, URLs and FQDNs
• AVC with OpenAppID: Identify and control over 4,000+ pre-defined apps
• AVC with OpenAppID: Easily create custom application detectors
• URL Categories: Classify 280M+ URLs using 80+ categories
Secure IPS
Reduce the noise/volume of events and prioritize administration
Powered by Snort 3 – best of breed, open source IPS
Firewall brings the power of context to IPS: the impact of IPS events can be deduced, and rule recommendations can tune IPS
• Impact 1 – Vulnerable: event corresponds to a vulnerability mapped to the host. Act immediately.
• Impact 0 – Unknown: unmonitored network. Good to know.
Snort 2 vs. Snort 3
• Snort 3: Multi-Threaded Architecture
Correlate Host Profile and IPS
Drive impact analysis and rule recommendations
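The impact-flag and rule-recommendation correlation that the Secure IPS slide and this slide describe, as an added example (not Cisco's FMC code). The slides give impact 1 (vulnerable, vulnerability mapped to the host) and impact 0 (unmonitored network); the intermediate levels 2, 3 and 4 used below are the ones Firepower documents (potentially vulnerable, currently not vulnerable, unknown target). Host profiles, rules, vulnerability IDs and events are constructed sample data.

```python
"""Correlate intrusion events with discovered host profiles.

Added example, not Cisco's FMC code. Impact 1 and 0 are from the slide;
levels 2-4 follow Firepower's documented impact flags. Hosts, rules,
vulnerability IDs and events are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Networks the network discovery policy monitors (constructed).
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("172.16.0.0/12")]

IMPACT_LABELS = {
    0: "Unknown: unmonitored network",
    1: "Vulnerable: event matches a vulnerability mapped to the host",
    2: "Potentially vulnerable: host runs the targeted service/OS",
    3: "Currently not vulnerable",
    4: "Unknown target: monitored network but no host profile",
}


@dataclass
class HostProfile:
    ip: str
    os: str
    services: set = field(default_factory=set)  # passively discovered services
    vulns: set = field(default_factory=set)     # vulnerability IDs mapped to host


@dataclass
class IpsRule:
    sid: int
    service: str     # application/protocol the rule inspects
    target_os: str   # OS family the exploit targets, or "any"
    vuln_id: str     # vulnerability reference, "" if none


def in_monitored_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def rule_applies(rule, host):
    """True when the host exposes the service and OS the rule is written for."""
    return rule.service in host.services and rule.target_os in ("any", host.os)


def impact_flag(rule, dst_ip, hosts):
    """Return the impact level for an event from `rule` against `dst_ip`."""
    if not in_monitored_network(dst_ip):
        return 0
    host = hosts.get(dst_ip)
    if host is None:
        return 4
    if rule.vuln_id and rule.vuln_id in host.vulns:
        return 1
    if rule_applies(rule, host):
        return 2
    return 3


def triage(events, rules, hosts):
    """Annotate (sid, dst_ip) events with impact; most urgent first."""
    by_sid = {r.sid: r for r in rules}
    flagged = [(sid, ip, impact_flag(by_sid[sid], ip, hosts)) for sid, ip in events]
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}  # ordering chosen here: act on 1 first
    return sorted(flagged, key=lambda e: order[e[2]])


def recommend_rules(rules, hosts):
    """Keep rules relevant to some discovered host; flag the rest to disable."""
    enable, disable = [], []
    for rule in rules:
        if any(rule_applies(rule, h) for h in hosts.values()):
            enable.append(rule.sid)
        else:
            disable.append(rule.sid)
    return sorted(enable), sorted(disable)


# Constructed sample data: two discovered hosts, four rules, five events.
HOSTS = {h.ip: h for h in [
    HostProfile("10.0.1.11", "Windows", {"smb", "http"}, {"VULN-SMB-1"}),
    HostProfile("172.16.0.1", "Linux", {"http", "ssh"}),
]}
RULES = [
    IpsRule(1001, "smb", "Windows", "VULN-SMB-1"),
    IpsRule(1002, "http", "any", ""),
    IpsRule(1003, "rdp", "Windows", "VULN-RDP-1"),
    IpsRule(1004, "ssh", "Linux", "VULN-SSH-1"),
]
EVENTS = [(1002, "203.0.113.9"), (1003, "10.0.1.11"), (1002, "10.0.5.5"),
          (1002, "172.16.0.1"), (1001, "10.0.1.11")]

if __name__ == "__main__":
    for sid, ip, level in triage(EVENTS, RULES, HOSTS):
        print(f"sid {sid} -> {ip}: impact {level} ({IMPACT_LABELS[level]})")
    print("recommend enable/disable:", recommend_rules(RULES, HOSTS))
```

The same host profiles drive both outputs: the event against the SMB-vulnerable Windows host rises to impact 1, the RDP rule is flagged for disabling because no discovered host runs RDP, and an event to an address inside the monitored range with no profile is reported as an unknown target rather than silently dropped.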
Cisco Threat Intelligence Director (CTID)
Support of open integration
• Extend Talos Security Intelligence with 3rd party cyber threat intelligence
• Parse and operationalize simple and complex threat indicators
(Diagram: Cisco Threat Intelligence Director on the FMC publishes observables to FTD, which blocks or monitors matching traffic)
Indications of Compromise (IoCs) Events
• Malware backdoors
• Web app attacks
• Connections to known CnC IPs: DNS servers, suspect URLs
• Malware detections
• Malware executions
IoCs Facilitate Remediation
Facilitate understanding and remediation to reduce impact
• Identifies compromised and potentially compromised systems
• Take automatic action through Cisco Rapid Threat Containment
(Screenshot: Indications of Compromise – Hosts by Indication, listing Impact 1 intrus…tack, Impact 2 intrus…user, Impact 1 intrus…user, Impact 2 intrus…tack, Impact 1 intrus…dmin)
Integrated TLS Decryption
Finds encrypted threats while reducing performance impact
• TLS hardware acceleration delivers high-performance inspection of encrypted traffic
• Centralized enforcement of TLS certificate policies
  ‒ Examples: blocking self-signed encrypted traffic, specified TLS versions, cipher suites
(Diagram: encrypted traffic enters the TLS decryption engine; firewall/NGIPS and AVC make enforcement decisions per session for sites such as https://www.goodsite.com and https://www.badsite.com, with categories such as gambling and illicit; every session is logged)
• Decrypt traffic in hardware or software
• Inspect deciphered packets
• Track and log all TLS sessions
Fast App and URL Actions with TLS 1.3
• AVC, URL, and Decryption Policy decisions on pre-1.3 TLS header
• Cleartext, but spoofable
• Common and Subject Alternative Names are encrypted in TLS 1.3
Encrypted Visibility Engine
• Utilizes machine learning to determine the application (client process) generating the Client Hello packet
• Identifies known processes/browsers
• AC policy actions available based on client applications*
• Identifies malware based on Secure Malware Analytics fingerprints
(Diagram: client to TLS server)
Site-to-Site VPN
Easily and securely interconnect remote sites
• IKEv1/IKEv2 policy-based VPN
• Easy topology-based management of VPN on multiple peers
  • Point-to-point
  • Hub and Spoke
  • Full Mesh
• Flexible authentication options – pre-shared key (automatic) and certificates
(Diagram: FTD peering with another FTD, with a router hub, or with a third party device)
Remote Access VPN
Provide ubiquitous secure access from remote and roaming users
• Posture assessment
• Uses TLS, DTLS or IKEv2 (AnyConnect)
• Easy wizard-based configuration
• Identity based security policies
• Enhanced security with 2FA/MFA provided by Secure Access (Duo)
• Passwordless Authentication
Extend access remotely | Protect important data | Maintain application performance | Support multiple sites
Consistent Policy and Visibility
Consistent Policy and Visibility
Need: stronger security policy management practices that can effectively protect the business at scale
Cisco offering:
• Maintain consistent policies: Write a policy once and scale enforcement consistently across tens of thousands of security controls throughout your network.
• Reduce complexity: Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
• Accelerate key security operations functions: Leverage existing resources and make the team more efficient by removing manual processes. Access security patches and new features faster by completing software image upgrades in just a few clicks.
Management Designed for the User
Flexibility of cloud or on-premises options
Flexibility of Management Consumption
(Diagram: on-prem config, event analytics and event storage, each available on-prem or in the cloud)
Management Platforms: When to Position?
Use case | Managers of choice | Details
Campus fabric | FMC | FMC supports clustering on 3100, 4100 and 9300, TrustSec
IPS only | Cloud-delivered or On-Prem FMC | FMC supports all the advanced IPS features and provides a separate interface from the Firewall
Logging Options: When to position?
Choice of Storage | Details | Benefits
[storage option label missing]
Details:
• Unified Event Viewer for ASA and FTD Events
• Available through an additional subscription of Security Analytics and Logging (SAL)
• Unified Event Viewer and summary dashboard in Cisco Defense Orchestrator
• Default storage of 90 days extendible up to 3 years
• Additional Behavioral Analytics through the Security Analytics and Logging integration
• Available in US, EMEA and APJC
Benefits:
• Usage-based pricing
• Correlate with telemetry from internal network and cloud logs in Secure Cloud Analytics
• Higher storage capacity than on-prem storage
• Can help reduce the cost of 3rd party logging solutions by sending only filtered or high-priority alerts from SAL
Extended On-prem
Details:
• Available through integration with Secure Network Analytics (SNA)
• Events stored in FMC and SNA depending on retention configuration in FMC
• Multiple storage capacity options using SNA clustered datastore
• Event Viewer in FMC with easy configuration wizard and contextual cross launch from FMC
Benefits:
• Unified log storage for ASA and FTD events
• Exponentially higher on-prem storage capacity than the native storage capacity of FMC
• Additional behavioural analytics powered by Secure Network Analytics
• Correlate with telemetry from the internal network and on-prem sensor logs in Secure Network Analytics
Secure Firewall Management Center (FMC)
What is Firewall Management Center (FMC)?
On-premise, centralized management for multi-site deployments
• Key Benefits
• Manage across many sites
• Control access and set policies
• Investigate incidents
• Prioritize response
• Available in physical and virtual options
• Features
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Policy & device management
• Endpoint
• Security intelligence
Network Discovery
Provides the right data, at the right time, in the right format
• Discovers applications, users, and hosts through passive analysis of network traffic
• Provides context and helps determine the impact of attacks
• Tune IPS signature sets to devices discovered on the network
• Update host profiles with 3rd party vulnerability management integration
Policy Management
Reduce complexity of policy maintenance
• Centralized on premise management across multiple Firewall platforms
• Integrates multiple security features into a single access policy
• Reduces manual configuration of policy through inheritance and template use.
FMC: Automate Security Response
Reduce the noise and connect the dots
• Correlate Security events
• Trigger automated response
  • Email
  • Syslog
  • SNMP
  • Remediation module
(Diagram: Correlation Policy → Correlation Rule → Correlation Event → Correlation Rule Action)
Unified Event Viewer
True Correlation
(Screenshot: 1 – clicking on the Intrusion Event highlights the associated Connection Event; expand rows to view all details)
FMC Integrations
Visibility and analytics beyond network discovery
• Close integration of FMC with Secure Endpoint
• Standards based threat indicators (STIX/TAXII)
• Cisco Threat Intelligence Director (CTID)
Contextual cross-launch
Tight integration and pivoting to accelerate threat hunting
1 Right-click on an IP address
Dynamic Policy Across Multicloud Environments
Zone-based Secure Firewall segmentation rules in FMC; Secure Workload
Seamless Integration: unified segmentation policy across Secure Firewall & Secure Workload
“Eagerly awaiting this! Integration across our multicloud controls will help drive better security in our distributed environment.”
(Diagram: Secure Workload and FMC as orchestrator; data center distribution and access layer with an E-W firewall)
• Secure Workload segmentation policy rules can be inserted at the top or bottom
Meaningful Dynamic Objects Naming
Easier Dynamic Objects Naming!
• Dynamic objects now have meaningful prefixes
• Easy to identify in policies
Cisco Secure Dynamic Attribute Connector
Problem: In a dynamic and multicloud world, admins struggle to keep up with ever changing object IPs as workloads are spun up, down and change.
Cisco Secure Dynamic Attribute Connector
Integrations:
• AWS instances
• Azure instances
• Azure service tags
• VMware categories and tags managed by vCenter and NSX-T
• Google Cloud
• GitHub
• Office 365
Cisco Secure Dynamic Attributes Connector
Dynamic Mappings
Pipeline: Adapters → Dynamic Attributes Filters → Connectors → FMC (Consumer, via {REST})
Adapters: vCenter, Azure, AWS
Dynamic attributes filters (vCenter adapter) → dynamic object:
• Linux-Servers: os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'
• Windows-Servers: os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'
• Powered-On: Power='running' AND (network='PROD_NETW' OR host='SplunkVM')
Connectors: vCenter Connector, Azure Connector, AWS Connector (CSDAC publishes mappings to FMC)
Resulting dynamic object mappings in FMC:
• Linux-Servers: 172.16.0.1, 172.16.0.3
• Windows-Servers: 10.0.1.11, 10.0.1.14, 10.0.1.20
• Powered-On: 10.0.1.14
(Diagram: workloads Finance App, HR App, IT App and HR DB across Azure, AWS and vCenter)
Benefits:
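The filter-to-object mapping this slide sketches, as an added example (not Cisco's CSDAC code): a small parser for the key = 'value' AND/OR filter syntax shown above, evaluated against a constructed vCenter-style workload inventory, plus the add/remove delta a connector would push to the FMC consumer when a workload's power state changes. The filter expressions and dynamic object names are the slide's; the inventory hosts, their attributes and the power-off change are constructed for the demonstration.

```python
"""Resolve CSDAC-style dynamic attribute filters to dynamic object IP lists.

Added example, not Cisco code. Filter syntax follows the slide:
key = 'value' terms joined with AND / OR, with parentheses for grouping.
The workload inventory below is constructed for the demonstration.
"""
import re

# One token per match: "(", ")", AND/OR, or a key='value' comparison.
TOKEN_RE = re.compile(
    r"\s*(?:(\()|(\))|(AND|OR)\b|([A-Za-z_]\w*)\s*=\s*'([^']*)')", re.IGNORECASE
)


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {text[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("LP", None))
        elif m.group(2):
            tokens.append(("RP", None))
        elif m.group(3):
            tokens.append(("OP", m.group(3).upper()))
        else:
            tokens.append(("EQ", (m.group(4), m.group(5))))
    return tokens


class FilterParser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*."""

    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected trailing tokens")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == ("OP", "OR"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("OP", "AND"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind, value = self.take()
        if kind == "LP":
            node = self.expr()
            if self.take()[0] != "RP":
                raise ValueError("missing ')'")
            return node
        if kind == "EQ":
            return ("eq",) + value
        raise ValueError("expected '(' or key='value'")


def evaluate(node, attrs):
    """Evaluate a parsed filter against one workload's attribute dict."""
    if node[0] == "eq":
        return attrs.get(node[1]) == node[2]
    if node[0] == "and":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    return evaluate(node[1], attrs) or evaluate(node[2], attrs)


def resolve(filters, inventory):
    """Return {dynamic object name: sorted IPs} for the current inventory."""
    return {name: sorted(vm["ip"] for vm in inventory if evaluate(FilterParser(text).parse(), vm))
            for name, text in filters.items()}


def diff_mappings(previous, current):
    """Per-object add/remove sets the connector would push to FMC."""
    changes = {}
    for name in set(previous) | set(current):
        before, after = set(previous.get(name, [])), set(current.get(name, []))
        if before != after:
            changes[name] = {"add": sorted(after - before), "remove": sorted(before - after)}
    return changes


# Filter expressions from the slide; inventory is constructed sample data.
FILTERS = {
    "Linux-Servers": "os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'",
    "Windows-Servers": "os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'",
    "Powered-On": "Power='running' AND (network='PROD_NETW' OR host='SplunkVM')",
}
INVENTORY = [
    {"host": "rhel-web-1", "os": "RHEL 7 (64-bit)", "network": "PROD_NETW", "Power": "running", "ip": "172.16.0.1"},
    {"host": "centos-db-1", "os": "CentOS 7 (64-bit)", "network": "PROD_NETW", "Power": "poweredOff", "ip": "172.16.0.3"},
    {"host": "win-app-1", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Power": "running", "ip": "10.0.1.11"},
    {"host": "win-app-2", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Power": "running", "ip": "10.0.1.14"},
    {"host": "win-lab-1", "os": "MS Windows Server 2016 (64-bit)", "network": "LAB_NETW", "Power": "running", "ip": "10.0.1.20"},
    {"host": "SplunkVM", "os": "Ubuntu Linux (64-bit)", "network": "MGMT_NETW", "Power": "running", "ip": "10.0.2.5"},
]

if __name__ == "__main__":
    before = resolve(FILTERS, INVENTORY)
    # Simulated change: win-app-2 is powered off, so it must leave two objects.
    after = resolve(FILTERS, [dict(vm, Power="poweredOff") if vm["host"] == "win-app-2" else vm
                              for vm in INVENTORY])
    print(before)
    print(diff_mappings(before, after))
```

Because the lab Windows host is outside PROD_NETW it never enters Windows-Servers, and powering off a production host produces only a removal delta for the objects whose filter includes Power='running'; the Linux-Servers object, whose filter does not test power state, is unchanged.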
Secure Firewall Device Manager (FDM)
What is Secure Firewall Device Manager (FDM)
On-box manager and API platform
• Key Benefits
• Easy set up
• Control access and set policies
• Automate configuration
• Enhanced control
• Features
• Role-based access control
• High availability
• NAT and routing
• Intrusion and malware protection
• Device monitoring
• VPN support
• Support for Secure Firewall in GCP New
Simplified Firewall Management
Easy setup, management, and monitoring
Manages Firepower Threat Defense on low-end and mid-range platforms
API-First Approach
An open, documented management and reporting architecture
Achieve operational efficiency | Automate complex tasks at scale | Integrate with ecosystem
Cisco Defense Orchestrator
Cisco Defense Orchestrator Overview
Consistently manage policies across your Cisco security products.
CDO is a Cloud-based application that cuts through complexity to save time and keep your organization protected against the latest threats.
Key Benefits
• Cloud-delivered Firewall Management Center
• Streamline security management
• Reduce time spent on security management complexity
Features
• Consistent policy enforcement
• Faster device deployments
• Configuration management
(Diagram: admin, network, data center, branch, users, roaming users and cloud applications managed through CDO, with Cisco Umbrella for the roaming user and incident response via SecureX)
What’s New? – CDO (NEW)
August 2022. CDO is continually updated; check here for the latest information
Cloud / SaaS Delivery Advantages
Highly available, full featured/managed cloud deployment
• Connects to devices using device API with TLS v1.2
• Configuration encrypted at rest and in transit.
• CDO data center locations:
  • AWS – US West
  • AWS – US East
  • AWS – EU Central
  • AWS – APJC
• Secures management access using role-based access control with SAML based 2-factor authentication
• Allows multi-tenant management – full client separation
• No maintenance
• Faster feature delivery
• Low up-front cost
• Responsive to new requirements
99.999% SLA backed uptime | Provision in <1 day | Subscription pay-as-you-grow model | Low maintenance costs
Secure Services Edge Enablement
ASA to Umbrella SIG SASE Tunnels
Monitor Remote Access VPN Users
Visibility into active sessions across a customer's ASA and FTD headends
Cloud-delivered Firewall Management Center
Now the new cloud-delivered Firewall Management Center boosts your productivity even further.
• Eliminate change management and update overhead
• Support at least 25% more firewalls per tenant
• No rack space and utility bill, lowering operational cost
(Diagram: device licensing, overall cloud logging volume, Security Analytics and Logging (SAL))
Cloud-delivered Firewall Management Center
Familiar User Experience
Simple Onboarding Experience
• Registration Key based Onboarding
• Zero Touch Provisioning using S/N
Easily migrate to Cloud-delivered management
Easily migrate to Cloud-delivered management (Contd.)
Logging and Analytics – On Prem/Cloud
Cloud Analytics Dashboard
Cloud Delivered Dynamic Attributes Connector
• Update policy in real time using attributes from dynamically changing cloud environments
• Monitoring Dashboard
• Multi-tenant support
• Support for On-Prem and Cloud Delivered FMC
Connectivity Flow for AD/ISE
(Diagram: cdFMC reaches ISE and AD in the private network, with the FTD used as a proxy)
Secure Firewall support for Cisco Defense Orchestrator
(Table: Hardware | Minimum Software, for Cloud-delivered FMC for FTD; rows not captured)
Cisco Security Analytics and Logging
SAL (SaaS) Cloud Hosted Features
CDO: Cisco Security Analytics and Logging
Reduce complexity and logging event volume
SAL On-Premise Features
FTD (including data plane logs) and ASA logging in a scalable data store hosted on-premises
FMC Integration with Cisco Security Analytics and Logging (On-Prem)
Easy button for setup
• Setup FMC analytics cross launch links to the Secure Analytics console
• Setup remote query credentials from Secure Analytics datastore
*Security Analytics and Logging (On Premises) is currently only available with Logging and Troubleshooting License, which includes remote query by the FMC
ASA
Adaptive Security Appliance (ASA)
Robust and effective firewall with stateful inspection and VPN functionality
• Features
• Remote Access and Clientless VPN
• EzVPN, IKEv2/L2TP, DTLS 1.2
• Site to Site VPN
• SSO with SAML, DAP
• Routing, CG NAT, QOS
ASA Software Provides
Robust, resilient stateful firewall and VPN concentrator
ASA Installation Modes
Platform Mode:
• Provisioning and initial configuration done from FXOS CLI or Firewall Chassis Manager
• Firewall 2100/4100/9300
• Default before 9.13.1, maintained on upgrading from lower releases to 9.13.1 or higher
Appliance Mode:
• Provisioning and initial configuration can be done from the ASA CLI or ASDM
• Firewall 1000/2100
• Default starting ASA 9.13.1 (fresh installation or reimage)
ASA Release 9.18.1 Highlights
Integrated Security Portfolio
Gain an Integrated Security Portfolio
Need: As IT infrastructure continues to become more diverse, the job of securing it becomes more dynamic. The perimeter becomes flexible, which requires a broader portfolio of security solutions.
Cisco offering:
Cisco Rapid Threat Containment
Proven approach to reduce time and impact of threat
• Automatic network threat containment using the network as an enforcer
• Threat-centric network access determines network access based on IoCs
• Richer visibility from bidirectional data sharing with the network access
(Diagram: FMC and Firepower share IoCs with ISE, which applies authorization to employees and routers; an open remediation API reaches 3rd party devices, Secure Workload and ACI APIC; example host 172.20.100.3)
Protect Your Network Using AMP
Understand the motion and behavior of files through network and endpoint visibility.
Telemetry Stream
Application-Centric Infrastructure
Transparent policy-based security for both physical and virtual environments
Control Traffic Based on User Awareness
• Use Active Directory users and groups in policy configuration
• Use Cisco Identity Services Engine to provide identity
  • TrustSec Security Group Tag (SGT)
  • Device type (endpoint profiles) and location
• Identity Mapping Propagation & device level filtering
• Examples
  • Block HR users from using personal iPads
  • Create rules for quarantined iPhones
Simplify Security Management with TrustSec
Leverage the network and investment
• Scalable and agile segmentation technology in over 40 different Cisco product families
• Simplified Access Management: manage policies using plain language and maintain compliance by regulating access based on business role
[Figure: SGACLs regulating access from Employee, Developer and Financial Info roles to an HTTP server and a server]
Talos
What is Talos?
Talos is the threat intelligence group at Cisco. We are here to fight the good
fight — we work to keep our customers, and users at large, safe from malicious
actors.
[Figure: Engineering and Development; Community]
From Unknown to Understood
[Figure: product telemetry and data sharing across Endpoint Detection and Response, Mobile Security, Multi-factor authentication, Firewall, Intrusion Prevention, SD Segmentation, Vulnerability Discovery, Behavioral Analytics and Secure Email]
Secure Firewall & Secure Workload
Policy Authoring is a Significant Roadblock When Adding Segmentation
Cisco Secure Workload provides industry-leading integrated policy discovery as a part of the firewall policy lifecycle.
[Figure: on-premises and SaaS deployment options]
Secure Workload Features
• Reduces your attack surface
• Continuously tracks security compliance
• SecureX integrated, unifying visibility and enabling automation
Breaking down silos
Security Architects
• Synchronized Security
• Full Visibility & Automation
DevSecOps
• Security at application speed
• Policy enforcement on agents & network
NetOps
• Full Visibility & Control
• Real time updates using dynamic objects
Auditors
• Single pane of glass view ensuring security controls across workloads & firewall
Cisco end-to-end protection bridges the gap
[Figure: closer to the application]
Secure Firewall & Secure Workload Integration
Key Functions
• Real time updates on rules using dynamic objects without policy deployment
Key Capabilities
• Leveraging Secure Firewall for policy enforcement on workloads without agents
Secure Firewall – High Level Architecture
[Figure: components: Secure Workload (SaaS or proxy), Secure Dynamic Policy Connector, Ingest Connector, Secure Firewall Management Center (FMC), Secure Firewall Threat Defense, NSEL, Access Control Policy, Dynamic Objects]
• Reduced deployments
• Faster updates
• Greater efficiency
Secure Firewall Integration – Dynamic Objects
Secure Workload Integration Use Cases
• App to App
• Workload to Internet
Workloads with the Secure Workload agent get maximum visibility and protection with fine-grained controls to detect and prevent malicious activity.
[Figure: Secure Workload, FMC and Secure Firewall; dynamic object updates and dynamic firewall rule updates]
SecureX
Cisco SecureX
A cloud-native, built-in platform experience within our portfolio
[Figure: Cisco Secure and your infrastructure; unified visibility for your teams: SecOps, ITOps, NetOps]
• Integrations: built-in, pre-built or custom
• Ribbon & sign-on: never leaves you, maintains context
• Dashboard: customizable for what matters to you
• Threat response: at the core of the platform
• Orchestration: drag-drop GUI for no/low code
• Device insights: device inventory with the contextual awareness
Maximizing operational efficiency
Investigate Any Item: Endpoint
Reduce complexity and time needed for threat hunting
Leverage a Seamless Workflow
FTD supplies security events to SecureX threat response
New Features Save Time and Effort
• Simplified smart licensing allows users to have a seamless integration in 3 steps
• Onboard the entire suite of FMC APIs directly to the cloud
New Workflows Simplify Administration
• Proactively monitor the health of the Firewall deployment
• Streamline PSIRT impact and patch management processes
FMC SecureX Ribbon Expanded
SecureX threat response and CDO Integration
Pivot to threat response from CDO using the event viewer
Migrating to FTD
What’s New? – Firepower Migration Tool NEW v3.0
Support of software version 7.2 and VPN features
• Migrations to cloud-delivered FMC
• RA VPN connection profile, group policy, IKEv2, AAA, address pools, Trustpoint, certificate map
• AnyConnect client profiles, DAP, and Hostscan profiles
• S2S VPN: pre-shared key fetch and port if configuration is loaded with "more system: running-config" config format
Optimization of rules during migration
• Identify redundant and shadowed rules and provide users with the following rule options: remove, migrate disabled, or migrate fully
• Comprehensive reporting on configuration optimization for access rules and objects
• Streamlined object optimizations: remove unreferenced objects, reuse existing objects, and resolve inconsistent objects
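The rule-optimization step above rests on one check: in a first-match access list, a rule whose entire match space is already covered by an earlier rule never fires. If the earlier rule has the same action the later one is redundant; if it has the opposite action the later one is shadowed. The Python below is an added illustration of that check, not code from the Firepower Migration Tool, and it uses a simplified, constructed rule model (protocol, source and destination CIDR, destination port range) and a constructed sample policy. It only detects coverage by a single earlier rule; a rule covered by the union of several earlier rules is reported as active, which is the conservative answer for a migration review.

```python
"""Classify first-match access rules as active, redundant or shadowed.

Added example for the "identify redundant and shadowed rules" step of a
migration review. Rule model and sample policy are constructed here and
are not the Firepower Migration Tool's own representation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"; "ip" covers both
    src: str                         # source network in CIDR notation
    dst: str                         # destination network in CIDR notation
    dport: Tuple[int, int] = ANY_PORT  # inclusive destination port range


def _proto_covers(outer: str, inner: str) -> bool:
    return outer == "ip" or outer == inner


def _net_covers(outer: str, inner: str) -> bool:
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    # Mixed address families never cover each other.
    return o.version == i.version and i.subnet_of(o)


def _ports_cover(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_proto_covers(outer.proto, inner.proto)
            and _net_covers(outer.src, inner.src)
            and _net_covers(outer.dst, inner.dst)
            and _ports_cover(outer.dport, inner.dport))


def classify(rules: List[Rule]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (rule name, verdict, covering rule name) for each rule in order.

    verdict is "active", "redundant" (covered by an earlier rule with the
    same action) or "shadowed" (covered by an earlier rule with the other
    action). The first covering rule wins, matching first-match semantics.
    """
    results = []
    for i, rule in enumerate(rules):
        verdict, by = "active", None
        for earlier in rules[:i]:
            if covers(earlier, rule):
                verdict = "redundant" if earlier.action == rule.action else "shadowed"
                by = earlier.name
                break
        results.append((rule.name, verdict, by))
    return results


# Constructed sample policy (not from any real configuration).
SAMPLE_RULES = [
    Rule("web-out",         "permit", "tcp", "10.1.0.0/16",   "0.0.0.0/0",      (443, 443)),
    Rule("deny-branch-web", "deny",   "tcp", "10.1.5.0/24",   "0.0.0.0/0",      (443, 443)),
    Rule("host-web",        "permit", "tcp", "10.1.5.10/32",  "0.0.0.0/0",      (443, 443)),
    Rule("deny-mgmt-net",   "deny",   "ip",  "10.0.0.0/8",    "192.168.0.0/16"),
    Rule("dns-branch",      "permit", "udp", "10.2.0.0/16",   "192.168.10.0/24", (53, 53)),
    Rule("http-out",        "permit", "tcp", "10.3.0.0/16",   "0.0.0.0/0",      (80, 80)),
]

if __name__ == "__main__":
    for name, verdict, by in classify(SAMPLE_RULES):
        note = f" (covered by {by})" if by else ""
        print(f"{name:16s} {verdict}{note}")
```

Running the block prints one line per rule; `deny-branch-web` and `dns-branch` come out shadowed (they can never match, so migrating them disabled changes nothing), while `host-web` is redundant with `web-out`. The verdict tells you which of the three migration options is safe, but the choice still belongs to the reviewer, since a shadowed deny often signals that the earlier permit is broader than intended.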
Migration from ASA to FTD
Firepower Migration Tool Paths (ASA to FTD)
[Figure: Firewall Migration Tool migrating to FMC or to cloud-delivered FMC]
Benefit of the Firepower Migration Tool
• Derive faster value realization from Cisco’s Firepower Threat Defense
• Complementary to partner-driven services
Use Cases
Common and Unique Requirements for Secure Firewall
Internet Edge
Key Functions
• Resilience (and scalability)
Key Capabilities
• VPN load balancing
[Figure: service provider, remote user, HSRP]
Remote Access VPN (RA VPN)
Key Functions
• Resilience (and scalability)
Key Capabilities
• VPN load balancing
[Figure: service provider, extranet, remote user, HSRP]
Data Center N/S
Branch Firewall HA
Data Center
Key Functions
• Geographic DC Separation
Key Capabilities
• Inter-site Clustering
[Figure: data center edge, data center extranet, distribution, vPC/Port-Channel]
Cloud/Virtual
Key Functions and Key Capabilities
• Advanced Access Control options: Applications, URLs, Users, and TrustSec Policy using SGTs/CCP
• Remote VPN
• Site to Site VPN: Route Based VPN (ASA) and Policy Based VPN
• Block access to malicious IP's, URL's, DNS: Talos Security Intelligence
• Dynamic analysis of unknown files: Malware Analytics Integration
[Figure: ESXi hosts A and B with inside, outside and DMZ segments, external and internal load balancers, N/S and E/W traffic, HA pairs, data center N/S, Internet]
NGIPS
[Figure: service provider]
Thank you