
Cisco Secure Firewall

Technical Decision Maker (TDM)

NetSec Technical Marketing, Security Business Unit


July 2022
Table of contents

1  Overview
2  Secure Firewall Platforms
3  Secure Firewall Threat Defense (FTD)
4  Consistent Policy and Visibility
5  Secure Firewall Management Center (FMC)
6  Secure Firewall Device Manager (FDM)
7  Cisco Defense Orchestrator (CDO)
8  Security Analytics and Logging
9  Small Business Edition
10 Secure Firewall ASA
11 Integrated Security Portfolio
12 Talos
13 Secure Firewall and Secure Workload
14 SecureX
15 Migrating from ASA to FTD
16 Use Cases
Overview
Brand Naming Changes
Further Cisco Security Brand Details

Previous name → New name
Firepower Management Center (FMC) → Cisco Secure Firewall Management Center (FMC)
Firepower Threat Defense (FTD) → Cisco Secure Firewall Threat Defense (FTD)
Adaptive Security Appliance (ASA) → Cisco Secure Firewall ASA
Firepower Threat Defense Virtual / NGFWv → Cisco Secure Firewall Threat Defense Virtual (FTDv)

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 5
Traditional Network Security
• One control point for all traffic
• Internal traffic was considered trustworthy, and external traffic was untrustworthy
(Diagram: public internet, firewall at the network edge, data center)
The New Reality
A one-size-fits-all approach has proved ineffective in today's landscape
• Single control point is not adequate: every environment needs its own micro-perimeter
• Evolving form factor: single control point replaced by multiple firewalls, both physical and virtual
• Policy sprawl: harmonizing policies across micro-perimeters is challenging
• Management complexity: NetSec and IT use dozens of point products, each with its own management console
• Evolving threat landscape: security products need a continuous feed of threat intelligence to stay ahead of attackers
Firewall Validated Use Cases
Where can Cisco help?
Internet Edge | Data Center | Branch | Cloud/Virtual | Secure IPS | Remote Access VPN
Why Cisco Secure Firewall?
• World-class security controls: protect your workloads with a complete portfolio of firewall solutions, backed by industry-leading threat intelligence.
• Consistent policy and visibility: streamline security policy and device management across your extended network and accelerate key security operations.
• Integrated security portfolio: extend network security beyond the firewall with malware protection, identity-based routing, multi-factor authentication, and more.
Cisco's Comprehensive Security Portfolio
• World-class security controls: Secure Firewall Threat Defense, Secure Firewall ASA, Talos
• Consistent policies and visibility: Secure Firewall Management Center, Secure Firewall Device Manager, Cisco Defense Orchestrator, SecureX threat response, Secure Network Analytics
• Integrated security portfolio: Secure Workload, Secure Access by Duo, Secure Endpoint, TrustSec, Cisco Identity Services Engine, Rapid Threat Containment, Application Centric Infrastructure
World-class security controls
World-Class Security Controls
Need: improve encrypted traffic performance and detect more sophisticated threats with a complete line of firewall solutions.

Cisco offering:
• Stop more threats: contain known and unknown malware with leading Cisco® Advanced Malware Protection and sandboxing (Secure Malware Analytics).
• Prioritize threats: gain superior visibility into your environment. Automate risk rankings and impact flags to quickly identify priorities.
• Detect earlier, act faster: Talos threat intelligence underpins the entire Cisco Secure ecosystem; if you own a Cisco Secure product, you're harnessing the power of Talos.
Additional Secure Firewall Resources
• Secure Firewall Release 7.2 Overview
‑ Previous release overview presentation under Features > Release Overviews
• Secure Firewall Cloud Native TDM
• Secure Firewall YouTube channel
• Secure Firewall GitHub repository – cs.co/sfGitHub
• Secure Firewall DevNet portal – cs.co/sfDevNet
• Secure Firewall AppID portal – appid.cisco.com
Secure Firewall Platforms
Secure Firewall Appliances
Supporting your choice of FTD or ASA software
• FPR 1010: 880 Mbps* AVC+IPS
• FPR 1120/40/50: 2.3-4.9 Gbps* AVC+IPS
• FPR 2110/20/30/40: 2.6-10.4 Gbps* AVC+IPS
• Secure Firewall 3110/20/30/40 (NEW): stand-alone device 17-45 Gbps* AVC+IPS; 8 node cluster up to 288 Gbps* AVC+IPS
• FPR 4110/12/15/25/45: stand-alone device 15.5-53 Gbps* AVC+IPS; 16 node cluster up to 680 Gbps* AVC+IPS
• FPR 9300 Series with SM-40 / SM-48 / SM-56 (NEW): one module 55-70 Gbps* AVC+IPS; 16 node cluster up to 950 Gbps* AVC+IPS
Positioning, smallest to largest: SMB, Branch Office, Mid Enterprise, Data Center, Service Provider

*1024-byte packet size
Simplifying Multi-cloud Environments
Private Cloud and Public Cloud
New features:
• Clustering
• Dynamic Policy
• Better integration with public cloud infrastructure
• Infrastructure as Code and Automation
• Accelerated Networking
• Gateway Load Balancer integration
• Auto Scaling
• Snapshot support
Clustering Virtual Cisco Secure Firewalls – New with 7.2

Public Cloud (AWS and GCP)
• Up to 16 cluster nodes
• Cluster configuration does not use FMC.
• Day 0 configuration bootstraps cluster.
‑ User data (AWS) or startup script (GCP)
• One node of the cluster is registered to the FMC.
• Other cluster nodes are discovered.*

Private Cloud (KVM and VMware)
• Up to 4 cluster nodes
• Cluster configuration uses FMC.
• Each device in the cluster is registered separately.
• Use the FMC to assemble devices into clusters.

* This process is known as Auto-Registration
Autoscale for Public Cloud
• Available before 7.2
‑ ASAv autoscale for network load balancers: AWS, Azure, GCP, and OCI
‑ FTDv autoscale for network load balancers: AWS, Azure, and OCI (GCP not included because ELB can only use primary interfaces)
• New with 7.2
‑ ASAv autoscale for AWS gateway load balancer
‑ FTDv autoscale for AWS gateway load balancer
‑ FTDv autoscale in GCP (achieved by re-ordering interfaces)
‑ AWS and Azure snapshot support to accelerate scale-out
(Figure: NIC order for 7.2 FTDv in GCP, N = number of NICs ≥ 4)
Smart Licensing Performance Tiers
• 7.0+ Evaluation mode and Smart License performance tiers
• Current perpetual BASE license moves to a subscription model

Performance Tier | Device Specifications | Rate Limit | RA VPN Session Limit
FTDv5   | 4 cores/8 GB   | 100 Mbps | 50
FTDv10  | 4 cores/8 GB   | 1 Gbps   | 250
FTDv20  | 4 cores/8 GB   | 3 Gbps   | 250
FTDv30  | 8 cores/16 GB  | 5 Gbps   | 250
FTDv50  | 12 cores/24 GB | 10 Gbps  | 750
FTDv100 | 16 cores/32 GB | 20 Gbps  | 10000
Enabling the cloud transition
Secure Firewall Cloud Native
• Easily deliver firewall services with massive scale and resiliency in cloud environments
• Insert security controls next to application containers
• Highly scalable & elastic firewall for edge use cases – RA VPN, DC Backhaul, Mobility carriers, MSP/MSSPs
• Developer-friendly elastic firewall for Kubernetes-based environments
(Diagram: a Firewall Cluster of VPN, Threat Defense, Access Control and Malware Protection service pods next to an Application Cluster of microservice pods such as Web Server, Database and Image Processing)
Firepower Hardware Update
As the threat landscape evolves, our firewall portfolio does too. Gain more features and better performance at the same or lower price point.

Better performance
• Up to 3.5x boost in Firewall throughput
• Up to 5x boost in VPN throughput

More connections
• Up to 2x more connections per second (CPS)

Improved encrypted traffic throughput
• Up to 3x boost in encrypted traffic performance
Firepower 1000 Series
Small business and branch office security with superior price/performance

Firepower 1010
• High-performance desktop firewall
• PoE, 8 10/100/1000Base-T RJ45 switching ports
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
• 650 Mbps Firewall Throughput

Firepower 1120/40/50
• High-performance rackmount firewall
• 8 10/100/1000Base-T RJ45 switching ports, 4 1000Base-F SFP switching ports, 2 x 1/10 Gbps SFP+ (1150)
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
• Firewall Throughput: 1120 1.5 Gbps, 1140 2.2 Gbps, 1150 3 Gbps
Cisco Secure Firewall 3100 Series
Make hybrid work and zero trust practical, with the flexibility to ensure strong return on investment
The new enterprise-class Cisco Secure Firewall 3100 Series supports your evolving world
• Performance & Flexibility: provide an exceptional hybrid work experience
• Visibility & Enforcement: keep the network from going dark and strengthen your zero-trust posture
• Efficiency & Simplicity: advanced automation and integrations drive cost savings for modern environments
3100 Series: Key Hardware Highlights
• Crypto Accelerator: accelerates bulk cryptographic operations and processes packets before the Firewall software.
• Encrypted SSD Drive: comes with a single SSD. A second SSD can be added to form RAID 1 (optional).
• Flow Accelerator: a specially built circuit to provide flow acceleration and flow-offload*
• FIPS Compliance: supports all FIPS 140-3 requirements
* Available from Version 7.2
Up to 3x performance boost
Secure Firewall 2100 Series vs. Firepower 3100

Models | FW+AVC+IPS | IPsec VPN
2110 vs 3110 | 2.6 → 17 | 0.9 → 11
2120 vs 3120 | 3.4 → 21 | 1.2 → 13.5
2130 vs 3130 | 5.4 → 38 | 1.9 → 33.0
2140 vs 3140 | 10.4 → 45 | 3.6 → 39.4

*Performance estimates are in Gbps, subject to 1024B packet size, protocol type, and other networking variables. IPsec numbers for the Firepower 3100 series are with VPN Offload enabled.
3100 Series: Front Panel
(Diagram: SSD 1 and SSD 2, fixed copper ports, fixed fiber ports, and a slot for an additional network module)

3100 Series: Back Panel
(Diagram: Power Supply Unit 1 and Power Supply Unit 2, dual fan module 1 and dual fan module 2)
Hardware Specification Summary

Item | FPR3110 | FPR3120 | FPR3130 | FPR3140
Core Count | 12 | 16 | 24 | 32
System Memory | 2x32GB@3200 | 2x64GB@3200 | 4x32GB@3200 | 4x64GB@3200
Front Panel Copper Ports | 8x 10/100/1000MBase-T (all models)
Front Panel Fiber Ports | 8x 1/10G | 8x 1/10G | 8x 1/10/25G | 8x 1/10/25G
SSD | 2 slots FRU, default slot 1 populated, 2nd slot is for SW RAID1, 900GB minimum (all models)
NetMod | 1 slot (all models)
USB port | 1x USB3.0 with 5W, type A connector (all models)
Management Port | 1x 1/10G SFP port (all models)
Console | Supports 1x RJ45 interface (all models)
PSU, FRU | 1+1 (default 1) | 1+1 (default 1) | 1+1 (default 2) | 1+1 (default 2)
3100 Series: Network Interfaces

Management (all models): 1 x 1/10G SFP
Integrated Interfaces:
• 3110 and 3120: 8 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 8 x 1/10 Gigabit (SFP) Ethernet interfaces
• 3130 and 3140: 8 x 10M/100M/1GBASE-T Ethernet interfaces (RJ-45), 8 x 1/10/25 Gigabit (SFP) Ethernet interfaces
Network Module options: 8 x 1/10/25G, 8 x 1/10G, 4 x 40G
3100 Series: Minimum Supported Versions

Minimum Manager Version | Managed Devices Software | Minimum Version on Managed Devices
FMC 7.1 | FTD | FTD 7.1
FDM 7.1 | FTD | FTD 7.1
ASDM | ASA | ASA 9.17.1
CSM | ASA | ASA 9.17.1
Firepower 4100 Series
Enterprise and data center security with exceptional price/performance
• Up to 50% performance improvement over previous models
• Up to 44% higher TLS performance!
• Supported software releases:
‑ FTD 6.4+ – including multi-instance
‑ ASA 9.12.1+
‑ FXOS 2.6.1+
• Four new appliance models: 4112*, 4115, 4125, 4145, up to 47 Gbps Firewall throughput**
* 4112: FXOS 2.8.1, FTD 6.6 or ASA 9.14.1
** 1024B FW+AVC+IPS
Firepower 9300 Service Modules
• Up to 80% performance boost over the previous generation SM
• Up to 33% higher TLS performance!
• Supported software releases:
‑ FTD 6.4+ – including multi-instance
‑ ASA 9.12.1+
‑ FXOS 2.6.1+
• 3 new 9300 SM models: SM-40, SM-48, SM-56, up to 153 Gbps Firewall throughput*
*1024B FW+AVC+IPS
FMC Virtual 300
• Up to 300 managed devices!
• CPU: 2 x 8 cores, Memory: 64 GB, hard disk: 2.2 TB
• Migrate easily from one FMC model to another
• High Availability for on prem, AWS and OCI clouds – 7.1 or higher
• Supported software releases:
‑ FTD 6.5 or higher – including multi-instance
‑ FMC 6.5 or higher
Multi-Instance Expands Deployment Options
• Install multiple FTD logical devices on a single module or appliance
• Container architecture
• Instance failure does not affect other instances
• Allows tenant management separation, independent instance upgrade
• Supports HA between identical instances on different physical devices
• Example: 54 instances on a FPR9300 chassis with 3 x SM-56 modules
• Improved crypto acceleration in hardware (NEW)
(Diagram: two Firepower 9300/4100 chassis; FTD Instance A runs Active on one Service Module and Standby on the other, joined by an HA/State link, with standalone Instances B and C beside them; each Service Module reaches its Ethernet port-channel subinterfaces, e.g. 1/1.10, through the chassis MIO)
Clustering
Drive high return on investment while maintaining high availability
• Combine multiple devices to make a single scalable logical device
• Scale as you grow
• Scale throughput, concurrent and new connections
• Can span multiple datacenters
• N+1 resilience
• Handles asymmetric traffic seamlessly
(Diagram: an FTD cluster attached to a vPC pair on each side)
Example: 16 node cluster, up to 950 Gbps AVC+IPS
Multi-Site Data Center
• North-South insertion with LISP inspection and owner reassignment
• East-West insertion for first hop redundancy with VM mobility
(Diagram: one firewall cluster spanning Site 1 and Site 2. The CCL is fully extended between the DCs at L2 with <10 ms latency; the cluster side uses a single spanned EtherChannel for data; each site has local VPC/VSS pairs (VPC1, VPC2) with a local data EtherChannel on each VPC/VSS switch pair.)
Data VLANs are not extended for North-South insertion; filtering is required to avoid loops and MAC/IP conflicts for East-West
Secure Firewall Threat Defense
What is Secure Firewall Threat Defense (FTD)?
Delivers nearly 100% efficacy on blocking malicious flows and guards the network against threats
• Key Benefits
‑ Tenant management separation
‑ Scale as you grow
‑ Impact analysis
‑ Prioritize administration
• Features
‑ Firewall
‑ Intrusion Prevention
‑ Integrated TLS Decryption
‑ VPN
‑ Cisco Threat Intelligence Director
‑ Malware Continuous Analysis with Retrospection
Release 7.2 Highlights

Snort 3
• Elephant flow bypass/throttle
• Encrypted Visibility Engine policy enforcement
• Port scan detection and prevention
• TLS 1.3 decryption
• 16 node threat defense cluster support (4100/9300/AWS/GCP)

VPN Management
• SAML authentication with single or multiple certificate authentication
• Support for VTI in user defined VRF
• Static VTI support for Hub and Spoke topology
• Improved Site to Site VPN listing page with filter and live tunnel status

Public Cloud
• FTDv autoscale support in GCP
• Alibaba support
• Azure Stack Hub
• Cluster support for AWS/GCP
• AWS Gateway Load Balancer autoscale
Firewall Policy Powered by Talos and OpenAppID
Control traffic based on IP, URL, FQDN, or application
(Diagram: Talos security feeds (URL, IP, DNS) feed the Firewall, which applies Allow / Warn / Block decisions and DNS sinkhole, while the admin builds category-based policy)
• Security Intelligence: block latest malicious IPs, URLs and FQDNs
• AVC with OpenAppID: identify and control over 4,000+ pre-defined apps
• AVC with OpenAppID: easily create custom application detectors
• URL Categories: classify 280M+ URLs using 80+ categories
Secure IPS
Reduce the noise/volume of events and prioritize administration
Powered by Snort 3 – best of breed, open source IPS
Firewall brings the power of context to IPS: the impact of IPS events can be deduced, and rule recommendations can tune IPS

Impact flag | Administrator action | Why
1 | Act immediately, Vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use but no vuln mapped
3 | Good to know, Currently Not available | Relevant port not open or protocol not in use
4 | Good to know, Unknown Target | Monitored network but unknown host
0 | Good to know, Unknown Network | Unmonitored network
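The impact-flag rules in the table above, implemented as a triage routine (an added example, not Cisco's code): the monitored range, the host profiles, the vulnerability ids such as VULN-EXAMPLE-1 and the sample events are all constructed.

```python
"""Impact-flag assignment following the Secure IPS table: added example, not
Cisco code. Network scope, host profiles and events below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """What Network Discovery knows about one host (constructed)."""
    open_ports: set        # (transport, port) pairs seen open, e.g. ("tcp", 445)
    protocols: set         # application protocols seen in use, e.g. {"smb"}
    vulnerabilities: set   # vulnerability ids mapped to this host


@dataclass
class IpsEvent:
    """The fields of an intrusion event that impact assessment needs (constructed)."""
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    vuln_ids: set = field(default_factory=set)  # vulnerabilities the rule targets


# Constructed discovery scope (the "monitored network") and host profiles.
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]
HOST_PROFILES = {
    "10.1.1.10": HostProfile({("tcp", 445)}, {"smb"}, {"VULN-EXAMPLE-1"}),
    "10.1.1.20": HostProfile({("tcp", 445)}, {"smb"}, set()),
    "10.1.1.30": HostProfile({("tcp", 22)}, {"ssh"}, set()),
}

# Administrator action per flag, wording taken from the table.
IMPACT_ACTION = {
    1: "Act immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to know, Currently Not available",
    4: "Good to know, Unknown Target",
    0: "Good to know, Unknown Network",
}

# Triage order: flag 1 first, the three "good to know" flags last.
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def impact_flag(event, hosts=HOST_PROFILES, monitored=MONITORED_NETWORKS):
    """Apply the table's rules and return the impact flag for one event."""
    target = ip_address(event.dst_ip)
    if not any(target in net for net in monitored):
        return 0                                  # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                  # monitored network, unknown host
    if event.vuln_ids & host.vulnerabilities:
        return 1                                  # vulnerability mapped to host
    port_open = (event.transport, event.dst_port) in host.open_ports
    if port_open or event.app_protocol in host.protocols:
        return 2                                  # exposed, but no vuln mapped
    return 3                                      # port not open / protocol not in use


def triage(events, **scope):
    """Return (flag, action, event) tuples, highest-priority flag first."""
    rows = [(impact_flag(e, **scope), e) for e in events]
    rows.sort(key=lambda r: PRIORITY[r[0]])
    return [(flag, IMPACT_ACTION[flag], e) for flag, e in rows]


if __name__ == "__main__":
    sample = [
        IpsEvent("192.0.2.5", "tcp", 445, "smb", {"VULN-EXAMPLE-1"}),
        IpsEvent("10.1.1.30", "tcp", 445, "smb", {"VULN-EXAMPLE-1"}),
        IpsEvent("10.1.1.10", "tcp", 445, "smb", {"VULN-EXAMPLE-1"}),
        IpsEvent("10.1.1.20", "tcp", 445, "smb", {"VULN-EXAMPLE-1"}),
        IpsEvent("10.1.1.99", "tcp", 445, "smb", {"VULN-EXAMPLE-1"}),
    ]
    for flag, action, e in triage(sample):
        print(f"impact {flag}  {action:40}  {e.dst_ip}:{e.dst_port}")
```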
Snort 2 vs. Snort 3
Snort 3 capabilities (compared with Snort 2):
• Multi-Threaded Architecture
• Capable of running multiple Snort processes
• Port Independent Protocol Inspection
• IPS Accelerators / Hyperscan support
• Modularity – easier TALOS contributions
• Scalable memory allocation
• Next Gen TALOS rules – e.g., Regex/Rule Options/Sticky Buffers
• New and improved HTTP Inspector – e.g., HTTP/2 support
• Lightweight content updates from TALOS
Correlate Host Profile and IPS
Drive impact analysis and rule recommendations

Cisco Threat Intelligence Director (CTID)
Support of open integration
• Extend Talos Security Intelligence with 3rd party cyber threat intelligence
• Parse and operationalize simple and complex threat indicators
Workflow:
1. FMC ingests third-party cyber threat intelligence (CTI)
2. FMC publishes observables to FTD
3. FTD applies the Block or Monitor action and reports observables
4. FMC detects incidents
Indications of Compromise (IoCs) Events
• IPS Events: malware backdoors, web app attacks, exploit kits, admin privilege escalations
• Security Intelligence Events: connections to known CnC IPs, DNS servers, suspect URLs
• Malware Events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections
IoCs Facilitate Remediation
Facilitate understanding and remediation to reduce impact
• Identifies compromised and potentially compromised systems
• Take automatic action through Cisco Rapid Threat Containment
(Screenshot: Indications of Compromise, hosts by indication, listing Impact 1 and Impact 2 intrusion event indications and a Threat Detected indication)
Integrated TLS Decryption
Finds encrypted threats while reducing performance impact
• TLS hardware acceleration delivers high-performance inspection of encrypted traffic
• Centralized enforcement of TLS certificate policies
‒ Examples: blocking self-signed encrypted traffic, specified TLS versions, cipher suites
(Diagram: encrypted traffic enters the TLS decryption engine; the Firewall/NGIPS and AVC make the enforcement decision per session, allowing sessions such as www.goodsite.com and blocking www.badsite.com by category such as gambling or illicit; every session is logged)
• Decrypt traffic in hardware or software
• Inspect deciphered packets
• Track and log all TLS sessions
Fast App and URL Actions with TLS 1.3
AVC, URL, and Decryption Policy decisions on the pre-1.3 TLS header
• ClientHello carries the Server Name Indication (SNI): cleartext, but spoofable
• ServerHello, ServerCertificate, ServerHelloDone: the certificate's Common and Subject Alternative Names, cleartext before 1.3, are encrypted in TLS 1.3
• […] ApplicationData follows within the TLS session

TLS Server Identity Discovery without decryption, since FTD 6.7
1. TLS 1.3 ClientHello arrives at FTD
2. FTD opens a sidecar TLS 1.2 connection to identify the server, caches the result, and makes the policy decision
3. If permitted without TLS decryption, FTD passes the original ClientHello and disengages; if permitted with TLS decryption, FTD engages the TLS Proxy and generates a new ClientHello
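To make the "cleartext but spoofable" point concrete, an added example (not Cisco code) that builds a constructed TLS ClientHello record and parses only what a firewall can read without decrypting: the SNI, and whether TLS 1.3 is offered, which decides whether the server certificate will still be visible in the handshake. The helper names build_client_hello, parse_client_hello and identity_source are assumptions of this example.

```python
"""Read the pre-decryption identity fields of a TLS ClientHello. Added example,
not Cisco code; the ClientHello is constructed here rather than captured."""
import struct

EXT_SNI = 0                  # server_name extension type (RFC 6066)
EXT_SUPPORTED_VERSIONS = 43  # supported_versions extension type (RFC 8446)
TLS13 = 0x0304


def build_client_hello(server_name, versions=(TLS13, 0x0303)):
    """Construct a minimal TLS record carrying a ClientHello (sample input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SNI, len(sni_data)) + sni_data
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_data = bytes([len(vers)]) + vers
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_data)) + sv_data
    exts = sni_ext + sv_ext
    body = (struct.pack("!H", 0x0303)             # legacy_version
            + b"\x11" * 32                         # random (fixed for the example)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str|None, 'tls13_offered': bool}; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    result = {"sni": None, "tls13_offered": False}
    if pos + 2 > len(body):
        return result                              # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SNI and len(data) >= 5:
            entry = data[2:2 + struct.unpack("!H", data[:2])[0]]
            if entry and entry[0] == 0 and len(entry) >= 3:   # host_name entry
                name_len = struct.unpack("!H", entry[1:3])[0]
                result["sni"] = entry[3:3 + name_len].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            n = data[0]
            if n + 1 > len(data) or n % 2:
                raise ValueError("bad supported_versions")
            offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
            result["tls13_offered"] = TLS13 in offered
    return result


def identity_source(record):
    """What server identity is available before any decryption decision."""
    info = parse_client_hello(record)
    if info["tls13_offered"]:
        return "sni-only"        # certificate will be encrypted: discovery needed
    return "sni-and-certificate"  # pre-1.3 handshake exposes the certificate
```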
Encrypted Visibility Engine
• Utilizes machine learning to determine the application (client process) generating the Client Hello packet
• Identifies known processes/browsers
• AC policy actions available based on client applications*
• Identifies malware based on Secure Malware Analytics fingerprints
(Diagram: the client's TLS Client Hello toward the TLS server is fingerprinted by the engine)
*Requires Threat license
Site-to-Site VPN
Easily and securely interconnect remote sites
• IKEv1/IKEv2 policy-based VPN
• Easy topology-based management of VPN on multiple peers
‑ Point-to-point
‑ Hub and Spoke
‑ Full Mesh
• Flexible authentication options – pre-shared key (automatic) and certificates
(Diagram: point-to-point between an FTD and an FTD, router or third-party device; hub and spoke; full mesh)
Remote Access VPN
Provide ubiquitous secure access for remote and roaming users
• Posture assessment
• Uses TLS, DTLS or IKEv2 with AnyConnect
• Easy wizard-based configuration
• Identity-based security policies
• Enhanced security with 2FA/MFA provided by Secure Access (Duo)
• Passwordless Authentication
Protect important data | Maintain application performance | Support multiple sites | Extend access remotely
Consistent Policy and Visibility
Consistent Policy and Visibility
Need: stronger security policy management practices that can effectively protect the business at scale

Cisco offering:
• Maintain consistent policies: write a policy once and scale enforcement consistently across tens of thousands of security controls throughout your network.
• Reduce complexity: get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
• Accelerate key security operations functions: leverage existing resources and make the team more efficient by removing manual processes. Access security patches and new features faster by completing software image upgrades in just a few clicks.
Management Designed for the User
Flexibility of cloud or on-premises options
• Firewall Management Center: on-premises centralized manager
• Cisco Defense Orchestrator: cloud-delivered centralized manager
• Firewall Device Manager: on-box manager, NetOps focused
Flexibility of Management Consumption
On-prem: config, event storage and analytics all on-prem
• Driven by security concerns or regulatory compliance
• Government, financials
Hybrid: config in the cloud; event storage and analytics on-prem
• Sensitivities around customer data
• Retail, financials
SaaS: config, event storage and analytics in the cloud
• Cloud-first approach
• Technology, startups
Increasing customer cloud acceptance from On-prem through Hybrid to SaaS
Management Platforms: When to Position?

Internet edge
  Managers of choice: Cloud-delivered or On-Prem FMC
  • Cloud-delivered for ease of use and netops users
  • FMC for advanced security analytics
  • Ask your customer about their priority

Enterprise branch
  Managers of choice: Cloud-delivered or On-Prem FMC
  • Choice of onboarding FTD through data interface or management interface
  • Low-touch onboarding

SMB / Small Business Edition
  Managers of choice: Cloud-delivered FMC
  • Cloud-delivered FMC eliminates the need for change management and update overhead
  • No rack space and utility bill, lowering operational cost

Data center Edge / Core
  Managers of choice: FMC
  • FMC supports clustering on 3100, 4100 and 9300, TrustSec

Campus fabric
  Managers of choice: FMC
  • FMC supports clustering on 3100, 4100 and 9300, TrustSec

Firewall running in public cloud
  Managers of choice: Cloud-delivered or On-Prem FMC
  • FMC supports Firewalls running in public cloud

IPS only
  Managers of choice: Cloud-delivered or On-Prem FMC
  • FMC supports all the advanced IPS features and provides a separate interface from the Firewall
Logging Options: When to position?

Cloud (Security Analytics and Logging)
  Details:
  • Unified Event Viewer for ASA and FTD events
  • Available through an additional subscription of Security Analytics and Logging (SAL)
  • Unified Event Viewer and summary dashboard in Cisco Defense Orchestrator
  • Default storage of 90 days, extendable up to 3 years
  • Additional behavioral analytics through the Security Analytics and Logging integration
  • Available in US, EMEA and APJC
  Benefits:
  • Usage-based pricing
  • Correlate with telemetry from the internal network and cloud logs in Secure Cloud Analytics
  • Higher storage capacity than on-prem storage
  • Can help reduce the cost of 3rd party logging solutions by sending only filtered or high-priority alerts from SAL

On-prem
  Details:
  • Events sent from Secure Firewall to Management Center over sftunnel
  • Events are stored in FMC at no additional cost
  • Event Viewer and Analytics in FMC
  • Storage capacity dependent on the FMC model
  Benefits:
  • Suitable for deployments with restrictions around storing data in the cloud
  • Familiar dashboard, reporting and workflows in FMC

Extended On-prem
  Details:
  • Available through integration with Secure Network Analytics (SNA)
  • Events stored in FMC and SNA depending on retention configuration in FMC
  • Multiple storage capacity options using SNA clustered datastore
  • Event Viewer in FMC with easy configuration wizard and contextual cross-launch from FMC
  Benefits:
  • Unified log storage for ASA and FTD events
  • Exponentially higher on-prem storage capacity than the native storage capacity of FMC
  • Additional behavioural analytics powered by Secure Network Analytics
  • Correlate with telemetry from the internal network and on-prem sensor logs in Secure Network Analytics
Secure Firewall Management Center (FMC)
What is Firewall Management Center (FMC)?
On-premise, centralized management for multi-site deployments
• Key Benefits
‑ Manage across many sites
‑ Control access and set policies
‑ Investigate incidents
‑ Prioritize response
‑ Available in physical and virtual options
• Features
‑ Multi-domain management
‑ Role-based access control
‑ High availability
‑ APIs and pxGrid integration
‑ Policy & device management
‑ Endpoint
‑ Security intelligence
Network Discovery
Provides the right data, at the right time, in the right format
• Discovers applications, users, and hosts through passive analysis of network traffic
• Provides context and helps determine the impact of attacks
• Tune IPS signature sets to devices discovered on the network
• Update host profiles with 3rd party vulnerability management integration
Policy Management
Reduce complexity of policy maintenance
• Centralized on-premise management across multiple Firewall platforms
• Integrates multiple security features into a single access policy
• Reduces manual configuration of policy through inheritance and template use
FMC: Automate Security Response
Reduce the noise and connect the dots
• Correlate security events
• Trigger automated response
‑ Email
‑ Syslog
‑ SNMP
‑ Remediation module
• Integration with Secure Network Access and other Cisco/3rd party products
(Diagram: a Correlation Policy holds Correlation Rules; a rule match raises a Correlation Event and fires the Correlation Rule Action, reducing 100,000 events to 3 events)
Unified Event Viewer
True correlation
(Screenshot: 1. clicking on the Intrusion Event highlights the associated Connection Event; expand rows to view all details)
FMC Integrations
Visibility and analytics beyond network discovery
• Close integration of FMC with Secure Endpoint
• Standards-based threat indicators (STIX/TAXII)
‑ Cisco Threat Intelligence Director (CTID)
• Drive down TTR with broad detection and collation
‑ SecureX threat response
• Leverage other Cisco and 3rd party products to extend visibility
‑ FMC external Cisco lookups
• Leverage SIEMs with Unified Events
Contextual cross-launch
Tight integration and pivoting to accelerate threat hunting
• Pivot directly to the Cisco security architecture or to 3rd party tools
• Reduce the time to analyze IoCs to drive down TTR
• Reduce the complexity of integration
Example: 1. Right-click on an IP address; 2. Select Talos IP lookup
Dynamic Policy Across Multicloud Environments
[Diagram: Secure Workload microsegmentation rules and Secure Firewall zone-based segmentation rules driven from one policy]
• Seamless integration: unified segmentation policy across Secure Firewall and Secure Workload
• Firewall dynamic policies: policy updated dynamically based on application communications information
• Expanding to cloud providers: this fall, extending the recommendation functionality to AWS and Azure security groups

"Eagerly awaiting this! Integration across our multicloud controls will help drive better security in our distributed environment."
-- Global payments and fleet management enterprise
Domain Awareness
Selective orchestration using FMC domains
• Select the specific FMC domains to enforce into (starting with release 3.6 patch 3)
• Policies are only pushed to the domains onboarded in the FMC orchestrator
[Diagram: one FMC managing an N-S firewall at the Internet edge and an E-W firewall at the data center distribution/access layer; Secure Workload supplies segmentation policies for agent and agentless workloads]
Improved Rule Ordering
Keeping intent-based policies consistent across different enforcement points
• Keep the intent of the policies: compliance/mandate absolutes under the Mandatory category, application rules under the Default category
• Secure Workload segmentation rules can be inserted at the top or at the bottom
Meaningful Dynamic Object Naming
• Dynamic objects now have meaningful prefixes, making them easy to identify in policies
Cisco Secure Dynamic Attribute Connector
Problem: in a dynamic and multicloud world, admins struggle to keep up with ever-changing object IPs as workloads are spun up, spun down and change.
Solution: Cisco provides a programmatic way to create, deploy and maintain dynamic objects.
Benefits: dramatically reduces the admin overhead of keeping security policies up to date and provides on-demand updates without a deploy. Gain confident control of cloud services and other dynamic environments.
Cisco Secure Dynamic Attribute Connector
Integrations:
• AWS instances
• Azure instances
• Azure service tags
• VMware categories and tags managed by vCenter and
NSX-T
• Google Cloud
• GitHub
• Office 365
Cisco Secure Dynamic Attributes Connector
Dynamic mappings
Pipeline: connectors (vCenter, AWS, Azure) > dynamic attribute filters > adapters (FMC adapter, REST) > FMC (consumer)
Dynamic attribute filters (example):
Name | Connector | Query
Linux-Servers | vCenter | os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'
Windows-Servers | vCenter | os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'
Powered-On | vCenter | Power='running' AND (network='PROD_NETW' OR host='SplunkVM')
Resulting dynamic object mappings (example):
Linux-Servers: 172.16.0.1, 172.16.0.3
Windows-Servers: 10.0.1.11, 10.0.1.14, 10.0.1.20
Powered-On: 10.0.1.14
[Diagram: Finance, HR and IT application workloads and an HR database spread across the vCenter private cloud, AWS and Azure, each feeding CSDAC through its connector]
Benefits:
• Sensors immediately see dynamic object changes
• Mappings change without a policy deploy
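The slide's filters are boolean queries over the attributes each connector reports, and the output is a dynamic object to IP mapping that changes without a policy deploy. The following added example (written for this page, not CSDAC's code) parses that query grammar (attr = 'value', AND, OR, parentheses, with AND binding tighter than OR), resolves the three filters from the slide against a constructed vCenter-style inventory, and computes the add/remove delta that would be pushed when a VM powers off. The inventory is constructed, and the add/remove payload shape is an assumption modelled on the FMC dynamic object mappings API; the push itself is not shown.

```python
import re

# Token grammar from the slide: key='value' terms, parentheses, AND, OR.
# The key='value' alternative comes first so an attribute named e.g. ORG is not read as OR.
_TOKEN = re.compile(r"\w+\s*=\s*'[^']*'|\(|\)|AND|OR")
_EQ = re.compile(r"(\w+)\s*=\s*'([^']*)'")


class _Parser:
    """Recursive descent over the tokens: expr := term (OR term)*, term := factor (AND factor)*."""

    def __init__(self, query):
        self.toks, self.i = _TOKEN.findall(query), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        m = _EQ.fullmatch(tok or "")
        if not m:
            raise ValueError(f"unexpected token {tok!r}")
        return ("eq", m.group(1).lower(), m.group(2))   # attribute names compared case-insensitively


def parse_query(query):
    p = _Parser(query)
    node = p.expr()
    if p.peek() is not None:
        raise ValueError("trailing tokens in query")
    return node


def matches(node, attrs):
    op = node[0]
    if op == "eq":
        return str(attrs.get(node[1], "")) == node[2]
    if op == "and":
        return matches(node[1], attrs) and matches(node[2], attrs)
    return matches(node[1], attrs) or matches(node[2], attrs)


def resolve(filters, inventory):
    """filters: {dynamic object name: query}; inventory: workload attribute dicts with
    lower-case keys and an 'ip'. Returns {dynamic object name: set of IPs}."""
    trees = {name: parse_query(q) for name, q in filters.items()}
    return {name: {w["ip"] for w in inventory if matches(t, w)} for name, t in trees.items()}


def mapping_update(previous, current):
    """Delta to push: only objects whose membership changed, as add/remove lists
    (payload shape is an assumption, modelled on the FMC dynamic object mappings API)."""
    update = {}
    for name in sorted(set(previous) | set(current)):
        add = sorted(current.get(name, set()) - previous.get(name, set()))
        remove = sorted(previous.get(name, set()) - current.get(name, set()))
        if add or remove:
            update[name] = {"add": add, "remove": remove}
    return update


# Constructed inventory, as a vCenter connector would report it (not real data).
INVENTORY = [
    {"ip": "172.16.0.1", "os": "RHEL 7 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "esx1"},
    {"ip": "172.16.0.3", "os": "CentOS 7 (64-bit)", "network": "DEV_NETW", "power": "poweredOff", "host": "esx2"},
    {"ip": "10.0.1.11", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "esx1"},
    {"ip": "10.0.1.14", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "esx2"},
    {"ip": "10.0.1.20", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "esx2"},
    {"ip": "10.0.1.21", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "poweredOff", "host": "esx1"},
    {"ip": "10.0.2.5", "os": "Ubuntu 20.04 (64-bit)", "network": "MGMT_NETW", "power": "running", "host": "SplunkVM"},
]
FILTERS = {  # the three filters from the slide
    "Linux-Servers": "os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'",
    "Windows-Servers": "os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'",
    "Powered-On": "Power='running' AND (network='PROD_NETW' OR host='SplunkVM')",
}


def update_after_power_off(ip, filters=FILTERS, inventory=INVENTORY):
    """What gets pushed when one VM powers off: only the objects whose members changed."""
    before = resolve(filters, inventory)
    after = resolve(filters, [dict(w, power="poweredOff") if w["ip"] == ip else w for w in inventory])
    return mapping_update(before, after)
```

Powering off 10.0.1.14 produces a remove for Windows-Servers and Powered-On and nothing for Linux-Servers, which is the point of the slide: the sensor's rule set is untouched, only the object membership moves.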
Secure Firewall Device
Manager (FDM)
What is Secure Firewall Device Manager (FDM)
On-box manager and API platform
• Key Benefits
• Easy set up
• Control access and set policies
• Automate configuration
• Enhanced control
• Features
• Role-based access control
• High availability
• NAT and routing
• Intrusion and malware protection
• Device monitoring
• VPN support
• Support for Secure Firewall in GCP (new)
Simplified Firewall Management
Easy setup, management, and monitoring
• Manages Firepower Threat Defense on low-end and mid-range platforms
• Wizard-based guided workflows
• Predefined security policies for quick administration
• Built on the FTD device APIs
API-First Approach
An open, documented management and reporting architecture
Achieve operational efficiency | Automate complex tasks at scale | Integrate with the ecosystem
Key features
• Day 0 provisioning
• Day 1-2 configuration management
• Operations, troubleshooting, monitoring
FDM and CDO use the FTD APIs, and everyone can use the same APIs for automation:
• Automation scripts
• Orchestration tools: NSO, DNAC, Ansible, AlgoSec, Tufin
[Diagram: FDM, CDO, automation scripts and orchestration tools all driving FTD devices through the FTD device API]
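What a Day-1 automation script against that API looks like, as an added example written for this page and not Cisco's code: obtain a bearer token, make a network object idempotent (create, update on a changed value, otherwise leave alone), start a deployment and poll it to a terminal state. The endpoint paths (/api/fdm/latest/fdm/token, /object/networks, /operational/deploy), the networkobject fields and the deployment state names are assumptions recalled from the FDM API Explorer; verify them against https://<fdm>/api-explorer on your own device before use. FakeFdm is a constructed in-memory stand-in so the flow runs offline; urllib_transport is the real transport.

```python
import json
import ssl
import urllib.error
import urllib.request

API = "/api/fdm/latest"   # alias for the newest API version; pin a version in production


class FtdClient:
    """Thin client over an injectable send(method, path, body, token) -> (status, dict)."""

    def __init__(self, send):
        self.send, self.token = send, None

    def login(self, username, password):
        status, resp = self.send("POST", f"{API}/fdm/token", {"grant_type": "password",
                                 "username": username, "password": password}, None)
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {resp}")
        self.token = resp["access_token"]   # short-lived; a refresh_token is returned too
        return self.token

    def _call(self, method, path, body=None):
        status, resp = self.send(method, path, body, self.token)
        if status == 401:
            raise RuntimeError("token expired or rejected: log in again")
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {resp}")
        return resp

    def ensure_network(self, name, cidr):
        """Idempotent NETWORK object; returns 'created', 'updated' or 'unchanged'."""
        items = self._call("GET", f"{API}/object/networks?filter=name:{name}").get("items", [])
        obj = {"name": name, "type": "networkobject", "subType": "NETWORK", "value": cidr}
        if not items:
            self._call("POST", f"{API}/object/networks", obj)
            return "created"
        cur = items[0]
        if cur["value"] == cidr:
            return "unchanged"
        obj.update(id=cur["id"], version=cur["version"])   # PUT needs the current version
        self._call("PUT", f"{API}/object/networks/{cur['id']}", obj)
        return "updated"

    def deploy(self, max_polls=60):
        """Start a deployment job and poll it until it finishes or fails."""
        job = self._call("POST", f"{API}/operational/deploy", {})
        for _ in range(max_polls):
            job = self._call("GET", f"{API}/operational/deploy/{job['id']}")
            if job["state"] in ("DEPLOYED", "FAILED"):
                return job["state"]
        raise TimeoutError("deployment did not finish")


def urllib_transport(base_url, ca_file):
    """Real transport: TLS verified against a CA you trust; never disable verification."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(method, path, body, token):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("Authorization", "Bearer " + token)
        try:
            with urllib.request.urlopen(req, context=ctx) as r:
                return r.status, json.loads(r.read() or b"{}")
        except urllib.error.HTTPError as e:
            return e.code, json.loads(e.read() or b"{}")
    return send


class FakeFdm:
    """Constructed in-memory stand-in for an FDM-managed FTD (offline demo only)."""

    def __init__(self, password="Admin123!"):
        self.password, self.objects, self.jobs = password, {}, {}

    def send(self, method, path, body, token):
        if path == f"{API}/fdm/token":
            if body.get("grant_type") == "password" and body.get("password") == self.password:
                return 200, {"access_token": "tok", "refresh_token": "ref", "expires_in": 1800}
            return 400, {"message": "invalid credentials"}
        if token != "tok":
            return 401, {"message": "unauthorized"}
        if path.startswith(f"{API}/object/networks"):
            if method == "GET":
                name = path.split("filter=name:")[1]
                return 200, {"items": [o for o in self.objects.values() if o["name"] == name]}
            obj = dict(body)
            if method == "POST":
                obj.update(id=f"obj-{len(self.objects) + 1}", version="v1")
            else:
                obj["version"] = "v%d" % (int(obj["version"][1:]) + 1)   # version bump on PUT
            self.objects[obj["id"]] = obj
            return 200, obj
        if path == f"{API}/operational/deploy":
            job = {"id": f"job-{len(self.jobs) + 1}", "state": "QUEUED", "polls": 0}
            self.jobs[job["id"]] = job
            return 200, job
        if path.startswith(f"{API}/operational/deploy/"):
            job = self.jobs[path.rsplit("/", 1)[1]]
            job["polls"] += 1
            job["state"] = "DEPLOYING" if job["polls"] < 2 else "DEPLOYED"
            return 200, job
        return 404, {"message": "no such path " + path}


def day1(send, username="admin", password="Admin123!"):
    """Log in, apply the object three times (create, no-op, change), then deploy."""
    c = FtdClient(send)
    c.login(username, password)
    results = [c.ensure_network("corp-lan", "10.0.0.0/24"),
               c.ensure_network("corp-lan", "10.0.0.0/24"),
               c.ensure_network("corp-lan", "10.0.1.0/24")]
    return results, c.deploy()
```

Against a real device, call day1(urllib_transport("https://fdm.example.net", "/etc/pki/fdm-ca.pem")) (hostname and CA path are placeholders). The idempotent check matters for orchestration tools that re-run: a blind POST would fail on the duplicate name, and a blind PUT without the current version is rejected.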
Cisco Defense Orchestrator
Cisco Defense Orchestrator Overview
Consistently manage policies across your Cisco security products.
CDO is a cloud-based application that cuts through complexity to save time and keep your organization protected against the latest threats.
Key benefits
• Cloud-delivered Firewall Management Center
• Streamline security management
• Reduce time spent on security management tasks by up to 90%
• Achieve better security while reducing complexity
• Prioritize response
Features
• Consistent policy enforcement
• Faster device deployments
• Configuration management
[Diagram: CDO in the cloud exchanging policies and log data with roaming users (Cisco Umbrella), cloud applications, SD-WAN, branches and the on-premises network (admin, data center, users); policy: CDO; visibility and eventing: Secure Analytics; incident response: SecureX]
What's New? – CDO (NEW)
August 2022. CDO is continually updated; check here for the latest information.
• Cloud-delivered Firewall Management Center
• Firepower Migration Tool for migrating ASA and 3rd party firewalls to cloud-delivered FMC managed FTD
• ASA IPv6-based policies
• AWS Transit Gateway monitoring
• Global search
• Cisco Secure Firewall 3100 support
Cisco Defense Orchestrator
MSP Portal
• Use the CDO MSP portal to manage an unlimited number of customer accounts
• Easily view and search devices across all customer tenants
• Split customers across multiple MSP portals to limit admin access
Benefits
• Low upfront cost(s): pay as you grow
• Minimized deployment and adoption time
• Central visibility with the MSP portal
• Support for a multi-tenant architecture
• Audit and optimize
• Drive automation via API
Cloud / SaaS Delivery Advantages
Highly available, full featured/managed cloud deployment
• Connects to devices using the device API over TLS 1.2
• Configuration encrypted at rest and in transit
• CDO data center locations: AWS US West, AWS US East, AWS EU Central, AWS APJC
• Secures management access using role-based access control with SAML-based 2-factor authentication
• Allows multi-tenant management with full client separation
• Scalability / flexibility
• No maintenance
• Faster feature delivery
• Low up-front cost
• Responsive to new requirements
Global, 99.999% SLA-backed uptime; provision in <1 day; subscription pay-as-you-grow model; low maintenance costs
Secure Services Edge Enablement
ASA to Umbrella SIG SASE tunnels
• Onboard the Umbrella organization
• View, manage and create SSE tunnels from branch ASAs to Umbrella SIG
• Ensure consistency by leveraging cross-launch into the Umbrella dashboard
Monitor Remote Access VPN Users
Visibility into active sessions across a customer's ASA and FTD headends
• View all active sessions across a customer's ASA and FDM-managed FTD headends
• Filter, search and export the data
• Historical reporting of VPN sessions
• Usage patterns
• Terminate sessions
• Cisco+ Secure Connect Choice (formerly CSMRA)
Cloud-delivered Firewall Management Center
Now the new cloud-delivered Firewall Management Center boosts your productivity even further.
• Eliminate change management and update overhead
• Support at least 25% more firewalls per tenant
• No rack space and utility bill, lowering operational cost
• Cisco ensures uptime, increasing resiliency
• Same look and feel, no learning curve for existing users
Unifying Cloud and On-Prem Management
• Re-use of components
• Simple and consistent UX
• Easy migration from on-prem to cloud
• Shared components for consistency
• Common services for unified policy, XDR and logging
[Diagram: the new cloud-delivered FMC (policy, config, analytics) and on-prem management share common services: SecureX for XDR, unified intent-based policy, Secure Analytics for eventing/logging]
Licensing & Orderability Example (CDO Ordering Guide; SAL Ordering Guide)
Under compliance hold
CDO platform licensing
• CDO Base (CDO-SEC-SUB): per tenant
• CDO device license: per managed device
Device licensing
• Feature licenses (Threat, Malware, URL Filtering) and Basic/Premium support: per managed device, using Smart Licensing
• Security Analytics and Logging (SAL) cloud logging: by overall logging volume
Cloud-delivered Firewall Management Center
Updated CDO landing page with easy launch options for FTD management
Familiar User Experience
Simple Onboarding Experience
• Registration key based onboarding
• Zero-touch provisioning using the device serial number
Easily migrate to Cloud-delivered management
• Easy launch points from Cisco Defense Orchestrator
• Onboard the on-prem FMC
Logging and Analytics – On Prem/Cloud
Cloud Analytics Dashboard
Cloud Delivered Dynamic Attributes Connector
• Update policy in real
time using attributes
from dynamically
changing cloud
environments
• Monitoring Dashboard
• Multi-tenant support
• Support for On-Prem
and Cloud Delivered
FMC

Connectivity Flow for AD/ISE
[Diagram: the cloud-delivered FMC (cdFMC) reaches ISE and Active Directory on the private network through an FTD used as a proxy]
Secure Firewall support for Cisco Defense Orchestrator
Hardware | Minimum software
Firepower 1000 | FTD 7.2
Firepower 2100 | FTD 7.2
Firepower 3100 | FTD 7.2
Firepower 4100 | FTD 7.2
Firepower 9300 | FTD 7.2
Virtual – private cloud (KVM, VMware) | FTD 7.2
Virtual – public cloud (Alibaba, AWS, Azure, GCP, HyperFlex, Nutanix, OCI, OpenStack) | FTD 7.2
ISA 3000 | FTD 7.2
Meraki MX | Latest software update
(Cloud-delivered FMC for FTD)
Cisco Security Analytics and Logging
SAL (SaaS) cloud hosted features
• Cloud storage of 90 days (default) up to 3 years, with viewing and download enabled within CDO
• Supports all Cisco FTD and ASA devices; direct-to-cloud option enabled for FMC 7.0+ managed devices
• Firewall log analysis for advanced threat detections using Secure Cloud Analytics (SCA)
• Correlation of firewall logs with internal network and cloud logs in SCA
• Existing CTR/SecureX customers can opt in to SAL logging easily by merging with their SecureX tenant
CDO: Cisco Security Analytics and Logging
Reduce complexity and logging event volume
• Store firewall and network logs securely in the cloud, accessible and searchable from CDO
• Identify and enrich high-fidelity alerts
• Enable smarter response and reduce investigation times
• Enhance breach detection capability using best-in-class security analytics
SAL On-Premises Features
• FTD (including data plane logs) and ASA logging in a scalable data store hosted on-premises
• Logging wizard in FMC 7.0+ simplifies on-premises and cloud logging configuration
• FMC 7.0+ logging and analytics scale drastically extended (by 300X) via remote query of SAL / SNA 7.3.2+
• Context pivot to SAL's event viewer in Secure Network Analytics (SNA) for enhanced context
• Multiple Flow Collector support with firewall-to-Flow-Collector mapping
FMC Integration with Cisco Security Analytics and Logging (On-Prem)
Easy button for setup
• Set up FMC analytics cross-launch links to the Secure Analytics console
• Set up remote query credentials for the Secure Analytics datastore
Longer event retention and increased scale
• External storage through Cisco Security Analytics and Logging On-Prem
• Auto-select the event source or specify it manually
• Multiple Flow Collectors as event destination
Security Analytics and Logging Licenses
3 license tiers (nested)
Logging and Troubleshooting*: scalable FTD and ASA event logging both in the cloud and on-premises, with API integration with the manager (CDO for cloud, FMC for on-premises stores)
Logging Analytics and Detection: firewall log data analysis using the behavior-based threat detections of Secure Cloud Analytics (SaaS)
Total Network Analytics and Detection: consolidated analysis run on the combined dataset of firewall, internal and public cloud logs for comprehensive threat detection
*Security Analytics and Logging (On Premises) is currently only available with the Logging and Troubleshooting license, which includes remote query by the FMC
ASA
Adaptive Security Appliance (ASA)
Robust and effective firewall with stateful inspection and VPN functionality
ASA 5500-X Series or Secure Firewall hardware running the ASA stateful firewall OS
• Key benefits
  • Basic inspection (L2-L4)
  • Layer 7 protocol inspection
  • Simple 5-tuple-based rules
  • Multi-context
  • VPN load balancing
• Features
  • Remote access and clientless VPN
  • EzVPN, IKEv2/L2TP, DTLS 1.2
  • Site-to-site VPN
  • SSO with SAML, DAP
  • Routing, CGNAT, QoS
ASA Software Provides
Robust, resilient stateful firewall and VPN concentrator
Rule
• Stateful controls
• Rules based on 5-tuples only
• Allow or block as the two primary rule actions
Feature
• VPN: remote access, clientless, EzVPN, IKEv2/L2TP/3rd party remote access, site-to-site route-based and policy-based VPN, DTLS 1.2
• Routing and quality of service
• Carrier-grade NAT
• DAP
• SSO with SAML
Automate
• Leverage APIs to integrate with a SIEM
• APIs to create enforcement based on 5-tuples
Security
• Packet filtering and legacy Layer 2 to Layer 4 security and controls
• No advanced security controls like IPS, endpoint, URL filtering, application control, etc.
ASA Installation Modes
Platform mode
• Provisioning and initial configuration done from the FXOS CLI or Firewall Chassis Manager
• Firewall 2100/4100/9300
• Default before 9.13.1; maintained on upgrading from lower releases to 9.13.1 or higher
Appliance mode
• Provisioning and initial configuration can be done from the ASA CLI or ASDM
• Firewall 1000/2100
• Default starting with ASA 9.13.1 (fresh installation or reimage)
• FXOS CLI is used only for advanced troubleshooting
ASA Release 9.18.1 Highlights
Usability
• Multiple DNS support
• Server certificate hostname validation
• Path monitoring for traffic steering using PBR
VPN and management
• Mutual authentication for secure LDAP
• SAML authentication with single or multiple certificate authentication
• Force NAT option for reserving ports for IKE operations
• RFC 8784 support for post-quantum safe pre-shared keys (PPK) in IKEv2
Public cloud
• Autoscale for Gateway Load Balancer in AWS
• Alibaba support
Integrated Security Portfolio
Gain an Integrated Security Portfolio
Need: As IT infrastructure continues to become more diverse, the job of securing it becomes more dynamic. The perimeter becomes flexible, which requires a broader portfolio of security solutions.
Cisco offering:
• Get more from your existing network: tightly integrate existing investments, including Cisco Application-Centric Infrastructure (ACI) and network access, with your firewall solution.
• Greater security control points: enforce policies across your entire environment, including any device administered by the organization.
• Extend protection: remove blind spots; protect users anywhere they go and anywhere they access the internet.
Cisco Rapid Threat Containment
Proven approach to reduce the time and impact of a threat
• Automatic network threat containment using the network as an enforcer
• Threat-centric network access: ISE determines network access based on IoCs
• Richer visibility from bidirectional data sharing with the network access layer
[Diagram: FMC/Firepower sends a remediation through the open remediation API for an employee host (172.20.100.3) to ISE, which changes its authorization on routers and the ACI APIC; Secure Workload and 3rd party devices take part in the same flow]
Protect Your Network Using AMP
Understand the motion and behavior of files through network and endpoint visibility.
Breadth and control points: email, endpoints, web, network, IPS devices
Threat visibility: retrospective detection, behavioral IoCs, file trajectory, threat hunting
Telemetry stream: file and network I/O, file fingerprint and metadata, process information, Talos and Malware Analytics intelligence
Application-Centric Infrastructure
Transparent policy-based security for both physical and virtual environments
• Link security to software-defined networking
• Create identity-based policy with the Application Policy Infrastructure Controller (APIC)
• Segment physical and virtual endpoints based on group policies with detailed and flexible segmentation
Control Traffic Based on User Awareness
• Use Active Directory users and groups in policy configuration
• Use Cisco Identity Services Engine to provide identity: TrustSec Security Group Tag (SGT), device type (endpoint profiles) and location
• Identity mapping propagation & device-level filtering
• Examples: block HR users from using personal iPads; create rules for quarantined iPhones
Simplify Security Management with TrustSec
Leverage the network and investment
• Scalable and agile segmentation technology in over 40 different Cisco product families
• Enables dynamic, role-based policy enforcement anywhere on your network
• Extend TrustSec policies over Firepower Threat Defense with source and destination SGT matching
Simplified access management: manage policies using plain language and maintain compliance by regulating access based on business role
Rapid security administration: speed up adds, moves, and changes; simplify firewall administration to speed up server onboarding
Consistent policy anywhere: control all network segments centrally, regardless of whether devices are wired, wireless or on VPN
[Diagram: employee, developer, guest and non-compliant endpoints classified by SGT; SGACLs on the enterprise network govern access to the financial info server and the HTTP/developer server]
Talos
What is Talos?
Talos is the threat intelligence group at Cisco. We are here to fight the good fight; we work to keep our customers, and users at large, safe from malicious actors.
• Threat intelligence and interdiction
• Vulnerability research and discovery
• Global outreach
• Detection research
• Engineering and development
• Community
From Unknown to Understood
[Diagram: Talos inputs (product telemetry, data sharing, vulnerability discovery, threat traps) feed the Cisco Secure portfolio: endpoint detection and response, endpoint, mobile security, multi-factor authentication, firewall, intrusion prevention, network, web security, SD segmentation, behavioral analytics, secure internet gateway, cloud DNS security, secure email]
Secure Firewall & Secure Workload
Policy Authoring is a Significant Roadblock When Adding Segmentation
Cisco Secure Workload provides industry-leading integrated policy discovery as a part of the firewall policy lifecycle (on-premises or SaaS).
• See all workload network behavior
• Automatically discover workload identity and groups
• Validate and simulate policy prior to enforcement
Secure Workload Features
• Contains lateral movement
• Identifies behavioral anomalies
• Reduces your attack surface
• Continuously tracks security compliance
• SecureX integrated, unifying visibility and enabling automation
Breaking down silos
Security architects
• Synchronized security
• Full visibility & automation
DevSecOps
• Security at application speed
• Policy enforcement on agents & network
NetOps
• Full visibility & control
• Real-time updates using dynamic objects
Auditors
• Single pane of glass view ensuring security controls across workloads & firewall
Cisco end-to-end protection bridges the gap
North-South security with Cisco Secure Firewall (formerly NGFW): broad visibility
• Secure Firewall at the data center edge
• Visibility into Internet, branch, campus
• Single/multi-site public cloud
• Physical/virtual form factors
East-West security with Cisco Secure Firewall: coarse control
• Segment within your data centers
• Handles workloads without agents
• Attribute-based policies
Workload security with Cisco Secure Workload: fine-grained control, closer to the application
• Provides detailed inter-application controls, software-based
• Supports rapid automation
Secure Firewall & Secure Workload Integration
Key functions
• Real-time updates on rules using dynamic objects, without a policy deployment
• Additional threat protection using Secure Firewall on existing Secure Workload policies
• Advanced access control options (intrusion and file/malware policy, URL filtering etc.)
• Fine-grained policies from Secure Workload to implement contextual access rules on the firewall
Key capabilities
• Leveraging Secure Firewall for policy enforcement on workloads without agents
• Enhancing static firewall rules with dynamic workload intelligence
• Ensuring security at application speed with a constantly changing DevOps environment
• Automated firewall access-rule updates based on workload changes
Secure Firewall – High Level Architecture
[Diagram: Secure Workload (SaaS or via proxy) pushes dynamic policy through the Secure Dynamic Policy Connector to Secure Firewall Management Center (FMC), which manages Secure Firewall Threat Defense; the ingest connector receives NSEL flow records from Threat Defense. Segmentation policies are enforced at the workloads (virtual machines, containers, bare metal) and at the firewall for workloads without agents.]
Dynamic Policy with Secure Firewall
NEW: dynamic objects (FMC v7.x)
Dynamic objects are referenced from the access control policy; their IP membership is updated without redeploying the policy.
• Reduced deployments
• Faster updates
• Greater efficiency
Secure Firewall Integration – Dynamic Objects
Secure Workload Integration Use Cases
[Diagram: Secure Workload sends dynamic object updates to FMC; FMC pushes dynamic firewall rule updates to Secure Firewall]
• End-user to application: connections from application users passing through a Cisco Secure Firewall can be controlled for application workloads regardless of whether the Secure Workload agent is deployed at the application instance. Secure Firewall also enables advanced security features such as deep packet inspection and malware file analysis.
• Agentless control (app servers without agent): in cases where the Secure Workload agent cannot be installed, Secure Firewall can provide protection and control for workload communications.
• Fine control: workloads with the Secure Workload agent get maximum visibility and protection with fine-grained controls to detect and prevent malicious activity.
• App to app
• Workload to Internet: traffic passing through the network perimeter is inspected and controlled by both the Secure Firewall and Secure Workload through dynamic firewall policy updates.
SecureX
Cisco SecureX
A cloud-native, built-in platform experience within our portfolio
Cisco Secure: network, endpoint, cloud, applications, identity
Your infrastructure: 3rd party/ITSM, intelligence, SIEM/SOAR
Unified visibility: detection, investigation, managed remediation, orchestration, analytics, policy, automation
Your teams: SecOps, ITOps, NetOps
• Integrations: built-in, pre-built or custom
• Ribbon & sign-on: never leaves you, maintains context
• Dashboard: customizable for what matters to you
• Threat response: at the core of the platform
• Orchestration: drag-drop GUI for no/low code
• Device insights: device inventory with contextual awareness
Maximizing operational efficiency
BEFORE: repetitive, human-powered tasks across the full lifecycle; outdated scripts that work "sometimes"; integration scripts that no longer work
SOLUTION: orchestrating security automation with pre-built or customizable workflows (playbook: alert, condition, tasks, while loop, remediate; across Cisco or non-Cisco infrastructure)
AFTER:
"I combined 9 tasks across 3 security tools, 2 infrastructure systems, and 3 teams in one keystroke!"
"We have never communicated faster: our task approvals are automated"
"I make automated playbook changes in minutes with a drag-drop interface"
"My top 5 most frustrating tasks have all been automated"
Investigate Any Item: Endpoint
Reduce complexity and time needed for threat hunting

Leverage a Seamless Workflow
FTD supplies security events to SecureX threat response
• Limited data is stored in the cloud
• FMC can send IPS events to SecureX threat response
• Any IP, domain, file hash or IoC seen in FMC can be queried in SecureX threat response, reducing complexity and time for threat hunting
• Continuous analysis with retrospection facilitates remediation and enhances forensics
Firewall and SecureX are better together
New features save time and effort
• Simplified smart licensing allows users to have a seamless integration in 3 steps
• Onboard the entire suite of FMC APIs directly to the cloud
• Save time by importing workflows with minimal configuration
• Access orchestration capabilities at no additional cost
New workflows simplify administration
• Proactively monitor the health of the firewall deployment
• Streamline PSIRT impact and patch management processes
• Automate policy management of time-based rules
FMC SecureX Ribbon Expanded

SecureX threat response and CDO Integration
Pivot to threat response from CDO using the event viewer

Migrating to FTD
What’s New? – Firepower Migration Tool NEW v3.0

Support of software version 7.2 and VPN features
• Migrations to cloud-delivered FMC
• RA VPN connection profile, group policy, IKEv2, AAA, address pools, Trustpoint, certificate map
• AnyConnect client profiles, DAP, and Hostscan profiles
• S2S VPN: pre-shared key fetch and port if configuration is loaded with "more system: running-config" config format

Optimization of rules during migration
• Identify redundant and shadowed rules and provide users with the following rule options: remove, migrate disabled, or migrate fully
• Comprehensive reporting on configuration optimization for access rules and objects
• Streamlined object optimizations: remove unreferenced objects, reuse existing objects, and resolve inconsistent objects
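The rule-optimization step above, as an added example that is not Cisco's or the Firepower Migration Tool's own code: each ACL rule is reduced to action, protocol, source, destination and port, a rule fully covered by an earlier rule is reported as redundant (same action) or shadowed (different action), and each finding is mapped to the remove / migrate disabled options named on the slide. The Rule fields and the sample ACL are constructed for the example.

```python
# Added example, not Cisco/FMT code: simplified "identify redundant and shadowed rules" step.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: str     # "any" or a single destination port

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner would also match outer."""
    proto_ok = outer.proto in ("ip", inner.proto)
    port_ok = outer.port in ("any", inner.port)
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    return proto_ok and port_ok and src_ok and dst_ok

def classify(rules):
    """Walk the ACL in first-match order. A rule fully covered by an earlier
    rule never fires: same action -> redundant, different action -> shadowed."""
    findings = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[rule.name] = f"{kind} by {earlier.name}"
                break
    return findings

def suggest(findings):
    """Map findings to the slide's options: a redundant rule can be removed;
    a shadowed rule is a likely policy error, so migrate it disabled for review."""
    return {name: "remove" if f.startswith("redundant") else "migrate disabled"
            for name, f in findings.items()}

# Constructed sample ACL (first-match order, as on an ASA)
RULES = [
    Rule("r1", "permit", "tcp", "10.0.0.0/8", "192.168.1.0/24", "443"),
    Rule("r2", "deny", "ip", "10.0.0.0/8", "192.168.0.0/16", "any"),
    Rule("r3", "permit", "tcp", "10.1.0.0/16", "192.168.1.0/24", "443"),  # redundant by r1
    Rule("r4", "permit", "udp", "10.2.0.0/16", "192.168.2.0/24", "53"),   # shadowed by r2
    Rule("r5", "permit", "tcp", "172.16.0.0/12", "192.168.1.0/24", "443"),  # clean
]

if __name__ == "__main__":
    print(suggest(classify(RULES)))  # {'r3': 'remove', 'r4': 'migrate disabled'}
```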
Migration from ASA to FTD

Automation
• Easy and fast cloud based and stand-alone solutions
• Selective migration and optimizations such as object re-use
• Object conflict detection and resolution

Reporting
• Pre- and post-migration reports
• Ability to edit the configuration being migrated
• Live running logs, graceful error handling and resume from failure

Scale
• FMC REST API based, supports Windows or Mac
• CDO integration* to leverage orchestration benefits
• Programmability* through tool APIs
Firepower Migration Tool Paths (ASA to FTD)

[Diagram: ASA Configuration -> Upload -> Firewall Migration Tool (shared FMT core engine*) -> API Calls -> FMC -> Deploy -> Secure Firewall Threat Defense]
[Diagram: ASA Configuration -> Upload -> Firewall Migration Tool (shared FMT core engine*) -> API Calls -> Cloud-delivered FMC -> Deploy -> Secure Firewall Threat Defense]
Benefit of the Firepower Migration Tool

Derive faster value realization from Cisco’s Firepower Threat Defense
• Migration configuration validated by seasoned and skilled Secure consultants
• Provide support to help mitigate risks during migration

Complementary to partner driven services: Cisco Secure Services
• Our Secure Services portfolio of people, tools, processes and technology helps you to do more, and many of our services are widely recognized by industry leaders and analysts as amongst the best capabilities in the market
• Provide you with design best practices based on Cisco’s history of experience with a variety of vertical industries
• Enhance your knowledge on Cisco’s Firewall product features
Use Cases
Common and Unique Requirements for Secure Firewall

Internet Edge
• High availability and redundancy
• Scalability
• Dynamic routing and address translation
• Integration with end point security
• Integration with NAC / network access control
• Threat intelligence
• DDoS
• Incident response
• IPS capability
• Multi-instance

Data Center
• High availability
• Very high bandwidth, very low latency
• Cloud scale
• Hyper-density and high performing volts
• Inbound inspection

Branch
• Site to site VPN
• High availability
• Application visibility and control
• SD-WAN backhaul
• Device acting as edge
• Dual-WAN

Cloud/Virtual
• High availability
• Support for DPDK and SRIOV
• Dynamic routing
• Internet edge or VPN gateway
• NSEW inspection
• Scalability

Secure IPS
• Separation of duties
• Superior threat efficacy
• Threat intelligence
• TLS decryption
• Breach detection
• Mirror traffic and deploy in active, inline, or passive mode
• Network reliability

RA VPN
• Cisco VPN and third-party VPN clients
• IPS capability
• Integration with end point security
• Authentication, Authorization, Accounting
Internet Edge

Key Functions: Key Capabilities
• Resilience (and scalability): VPN load balancing
• Advanced Access Control: Applications, URLs, Users, and TrustSec Policy using SGTs
• Block access to malicious IP's, URL's, DNS: Talos Security Intelligence
• Dynamic NAT/PAT and Static NAT: Carrier Grade NAT
• Remote Access VPN: Cisco Secure VPN
• Site to Site VPN: Point to Point, Hub and Spoke, Full mesh
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics Integration

[Diagram: Service Provider and Remote User -> Internet Edge (HSRP) -> Firepower or ASA (HA) with DMZ -> Campus/Private Network]
Remote Access VPN (RA VPN)

Key Functions: Key Capabilities
• Resilience (and scalability): VPN load balancing
• Advanced Access Control: IPSEC and SSL
• Block access to malicious IP's, URL's, DNS: Talos Security Intelligence
• Dynamic NAT/PAT and Static NAT: AD, LDAP and Radius
• Remote Access VPN: IKEv2
• Site to Site VPN: RADIUS CoA
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics Integration

[Diagram: Service Provider, Extranet and Remote User -> Internet Edge (HSRP) -> Firepower or ASA (HA) with DMZ -> Campus/Private Network]
Branch

Key Functions: Key Capabilities
• Advanced access control options: Applications, URLs, Users, and TrustSec Policy using SGTs
• Remote Access VPN: Cisco Secure VPN
• Site to site VPN: Route Based VPN
• Dual ISP Support: IP SLA or Traffic Zones
• Block access to malicious IP's, URL's, DNS: Talos Security Intelligence
• Block traffic to 3rd party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics Integration

[Diagram: Data Center N/S (Firewall HA, EDGE router (HSRP)) -> Internet -> Branch EDGE router (HSRP) -> Firewall HA -> Internal Network]
Data Center Edge

Key Functions: Key Capabilities
• Advanced Access Control: TrustSec Policy using SGTs, ACI Policy Control with EPGs
• Low Latency Capabilities: Hardware Flow Offload
• Scalability and Resilience: HA or Clustering
• Geographic DC Separation: Inter-site Clustering
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics Integration
• Firewall Segmentation: Multi-Instance

[Diagram: Data Center Extranet -> Firewall in HA/Cluster -> vPC/Port-Channel -> Data Center Distribution -> vPC/Port-Channel -> Firewall Cluster -> Access Layer]
Cloud/Virtual

Key Functions: Key Capabilities
• Advanced Access Control options: Applications, URLs, Users, and TrustSec Policy using SGTs/CCP
• Remote VPN
• Site to Site VPN: Route Based VPN (ASA) and Policy Based VPN
• Block access to malicious IP's, URL's, DNS: Talos Security Intelligence
• Block traffic to 3rd party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics Integration

[Diagram: Data Center with N/S and E/W inspection; ESXi Host A and Host B HA Pair with Inside, Outside, DMZ, External LB, Internal LB and Internet; Branch with KVM Host A and Host B HA Pair on CSP or ENCS (Computer cluster) with Inside, Outside, DMZ, N/S and E/W]
NGIPS

Key Functions: Key Capabilities
• Advanced access control options: Applications, URLs, Users, and TrustSec Policy using SGTs
• Block access to malicious IP's, URL's, DNS: Talos Security Intelligence
• Block traffic to 3rd party lists: Threat Intelligence Director
• Detecting malicious network traffic: Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files: Advanced Malware Protection
• Dynamic analysis of unknown files: Malware Analytics Integration

[Diagram: Service Provider -> VPC -> NGIPS Active / NGIPS Standby (HA Update) -> VPC -> Internal Network]
Thank you
