A summary of an “Ask the Expert” discussion with 50 Cisco Gateway Members
Visibility and analysis up to layer 7: intrusion prevention, application visibility, malware protection, URL filtering, and security intelligence from Talos. This is the key reason why Cisco decided to take this direction, and everything can be managed from a single central point.
In this presentation given at Cisco Live Barcelona 2020 you will find useful references to TLS 1.3 and Firepower.
ASA does support REST APIs; please refer to the following guide, which provides instructions on how to generate Python code scripts. Regarding libraries, please check DevNet. Currently there are no ASA libraries; generation of ASA libraries is mainly based on
Yes! Most features are exported via REST APIs. For a good starting point on leveraging NGFW REST APIs please take a look at the following page.
Note that you can explore the APIs of your FMC instance by going here: https://<management_center_IP_or_name>:<https_port>/api/api-explorer.
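As an added example (not code from the discussion or from Cisco), a minimal Python client for the FMC REST API mentioned above: it obtains a session token from the generatetoken endpoint and then lists the managed devices. The environment variable names and the sample values are assumptions; the two endpoint paths are the documented FMC platform/config API paths.

```python
# Added example: authenticate to the FMC REST API and list the managed devices.
# FMC_HOST/FMC_USER/FMC_PASS are assumed environment variable names; the two
# endpoint paths are the documented FMC platform/config API paths.
import base64
import json
import os
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords?expanded=true"

def basic_auth_header(user, password):
    # Basic credentials are sent once, only to obtain the session token.
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}

def parse_token_headers(headers):
    # The token and domain UUID come back as response headers, not in the body;
    # match case-insensitively and fail loudly if either is missing.
    lower = {k.lower(): v for k, v in headers.items()}
    token, domain = lower.get("x-auth-access-token"), lower.get("domain_uuid")
    if not token or not domain:
        raise ValueError("FMC did not return X-auth-access-token and DOMAIN_UUID")
    return token, domain

def summarize_devices(payload):
    # Reduce a devicerecords response to (name, model, hostName) tuples.
    return [(d.get("name"), d.get("model"), d.get("hostName"))
            for d in payload.get("items", [])]

def fmc_request(host, path, headers, method="GET", ctx=None):
    req = urllib.request.Request(f"https://{host}{path}", method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        body = resp.read()
        return dict(resp.headers.items()), (json.loads(body) if body else {})

def list_devices(host, user, password, ctx):
    # Full flow: POST generatetoken, then GET devicerecords with the token header.
    hdrs, _ = fmc_request(host, TOKEN_PATH, basic_auth_header(user, password), "POST", ctx)
    token, domain = parse_token_headers(hdrs)
    _, body = fmc_request(host, DEVICES_PATH.format(domain=domain),
                          {"X-auth-access-token": token}, ctx=ctx)
    return summarize_devices(body)

if __name__ == "__main__":
    host, user, pw = (os.environ[k] for k in ("FMC_HOST", "FMC_USER", "FMC_PASS"))
    # Default context verifies the FMC certificate; trust the FMC's CA rather than disabling checks.
    for name, model, ip in list_devices(host, user, pw, ssl.create_default_context()):
        print(f"{name!s:30} {model!s:40} {ip}")
```

The session token expires, so long-running inventory jobs should re-authenticate rather than cache it.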
A common reason could be to check the URLs that your endpoints are accessing (limiting malware sites, or blocking certain categories), or analyzing your endpoint network traffic for malware with the AMP (Anti-Malware Protection) capabilities of NGFW. Here is a reference guide that provides additional information on AMP for Networks (which is only supported on NGFW). In addition, there are numerous customers that still use the ASA software for their VPN needs, and there are no plans to end-of-life ASA software.
The best way to get started is with the NGFW webinars available at the following link: https://learningnetwork.cisco.com/s/next-generation-firewall-training-videos. There are multiple recorded sessions under “Training Videos”.
Choosing between ASA (Adaptive Security Appliance Software) or Cisco Next Generation Firewall (NGFW) depends on your deployment requirements. There is still a large demand for traditional L3/L4 FW and VPN concentrators that is satisfied by customers running ASA software on Firepower hardware. In addition, ASA is optimized to run on the latest Firepower appliances. FTD software delivers the layer 7 NGFW features beyond traditional stateful inspection and VPN, including NGIPS, malware protection, URL filtering, etc. Choosing which firewall application is the best fit is all a matter of your requirements. The key difference is that FTD has the capacity for enhanced visibility and analysis of traffic and threats, all managed from a centralized console.
To test Cisco NGFW, submit an assessment request here and a partner will let you try the NGFW best aligned with your needs, providing you with a free network security assessment.
Yes, there is integration between NGFW and Application Centric Infrastructure (ACI).
The best place to start is to review the session named Deep Dive on Cisco Security in ACI - BRKACI-3004 that was given at Cisco Live. There are device packages available for Firepower Threat Defense (FTD) and Firepower Management Center (FMC); see also Deep Dive on ACI integration.
There are numerous customer benefits from the NGFW, Cisco Identity Services Engine (ISE) and ACI integration: you can correlate user identities with IP addresses, and in addition you can inherit Security Group Tags (SGT) from ISE and use them in your policies. There is a very good webinar that describes this in more detail here. You have to click on “Training Videos”, and then choose “FMC External Authentication & Sources”, in particular “Lesson 3: User Awareness & User Policy”. The related documentation is in the Config Guide.
Regarding the ACI integration, we have device packages available to integrate FTD into ACI. Some customers still choose to leave the NGFW unmanaged and use it as a choke point within ACI. Firepower Threat Defense (FTD) and ISE have a number of integrations, including SGTs, ISE attributes to build policy, as well as the integration of pxGrid and the NGFW remediation module to take action on bad actors. There is also an RA VPN integration with ISE and CoA.
Here are some very good references:
Today these fusion routers and firewalls must be external to the fabric.
FTD does support AnyConnect for SSL and IPsec-IKEv2 remote access VPNs. For available features and configuration steps please refer to the config guide: FMC Guide
Unfortunately not at this time. According to the FTD configuration guide “Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration”. The same applies to the ASA software. RA VPN is supported in Active/Standby HA on ASA or FTD. RA VPN is not supported on clustering in either ASA or FTD.
We have a very powerful Firepower Migration Tool, which now supports migration from third-party firewall platforms. Contact a Cisco Specialist here who can provide you with a link to test this tool.
There is a very good performance estimator tool available to Cisco customers at https://ngfwpe.cisco.com, accessible with their Cisco credentials.
It’s also possible to select the IPS checkbox and see how much it impacts the performance and throughput of your appliance. Additionally, there are a number of factors that go into performance: traffic profile, object size, rule size, latency, etc. A general expectation of the impact of enabling IPS on our NGFWs is documented in our datasheets. We have an internal Proof of Value and test team that can be used to bench test the firewalls and show the performance against your specified criteria. If you want to test it or try the Firepower estimator tool, please contact a Cisco Specialist by filling in this form.
Please try accessing with your Cisco credentials and let us know if it works for you.
The aim of Cisco Defense Orchestrator (CDO) is a bit different than simply trying to make it “Firepower Management Console (FMC) in the cloud.” The goals of CDO initially are to harmonize policies across multiple Cisco enforcement points (Cisco Adaptive Security Appliance (ASA) software, Firepower Threat Defense, Meraki MX, etc.) as well as to extend policy management to select third-party enforcement points (such as Amazon Web Services Security Groups). Thus we do not anticipate feature parity with FMC for some time.
For more information on CDO, please watch this demo.
For a big fleet of Cisco firewalls, we have two possibilities: the Firepower Management Console (FMC), which can manage hundreds of devices, and the Cloud Defense Orchestrator (CDO), which can manage thousands of ASA devices as well as harmonize security policies for FTD and other devices.
The difference is that FMC is an appliance (physical or virtual), while CDO is a cloud-based solution. In addition, CDO is also able to manage ASA software, while FMC can manage FTD and “ASA with Firepower”.
“After our initial tests, we were able to transition 100% of our students and teachers from our previous authentication platform and the old infrastructure to Cisco Next Generation Firepower”
Prof. Stefano Vinti, IT Coordinator at Convitto Nazionale Umberto Primo
We are currently investigating the integration of SD-WAN with Firepower Threat Defense (FTD) as we continue to build out our solution. At present, we have found that most customers only need a few features and not the whole SD-WAN suite.
We currently offer FTD in both AWS and Azure marketplaces to help organizations secure their public cloud infrastructure. We will be adding support for GCP and OCI this year as well as an ongoing roadmap for other public clouds.
“Next Generation Firewall helps us keep our network secure by giving us better visibility and control to manage threats and prevent breaches.”
Oleksandr Fisun, Cybersecurity Analyst at Ansell
“We can immediately find potentially harmful events and remediate quickly thanks to Cisco Next Generation Firewall.”
David Clark, Senior Network Engineer,