Frequently Asked Questions about Cisco Next Generation Firewall(NGFW)

The capability of visibility and analysis up to layer 7: Intrusion prevention, Application visibility, Malware protection, URL Filtering, Security intelligence with Talos. This is the key reason why Cisco decided to take this direction. And everything can be managed from a single central point.

In this presentation done at Cisco Live Barcelona2020 you will find useful references to TLS 1.3 and Firepower.

In terms of automation, are there any API´s/Python libraries available for the ASA firewalls?

ASA does support REST APIs, please refer to the following guide which provide instructions on how to generate Python code scripts. Regarding libraries, please check on DEVNET. Currently there are no ASA libraries; generation of ASA libraries is mainly based on

Are NGFW’s automation-oriented?

Yes! Most features are exported via REST APIs. For a good starting point on leveraging NGFW REST APIs please take a look at the following page.

Note that you can explore the APIs of your FMC instance by going here: https://<management_center_IP_or_name>:<https_port>/ api/api-explorer.

Why should I use the NGFW, when I use only VPN- connections?

A common reason could be to check the URL that your endpoints are accessing (limiting malware sites, or blocking certain categories),or analyzing your endpoint network traffic for malware with the AMP (Anti-Malware Protection) capabilities of NGFW. Here is a reference guide that provides additional information on AMP for networks (which runs is only supported on NGFW). In addition, there are numerous customers that still use the ASA software for their VPN needs and there are no plans to End Of Life  ASA software.

What are the best practices for managing NGFW policies to secure my network?

The best way to get started is with the NGFW webinars available at the following link: https://learningnetwork.cisco.com/s/next-generation- firewall-training-videos. There are multiple recorded sessions under “Training Videos”.

Overall is NGFW better than ASA?

Choosing between ASA (Adaptive Security Appliance Software ) or Cisco Next Generation Firewall (NGFW) depends on your deployment requirements. There is still a large demand for traditional L3/L4 FW and VPN concentrators that is satisfied by customers running ASA software on Firepower hardware. In addition, ASA is optimized to run on the latest Firepower appliance. FTD software delivers the layer 7 NGFW features beyond traditional stateful inspection and VPN, including: NGIPS, Malware protection, URL filtering, etc. Choosing which firewall application is the best fit is all a matter of your requirements. The key difference is FTD has the capacity for enhanced visibility and analysis of traffic and threats all managed from a centralized console.

To test Cisco NGFW, submit an assessment request here and a partner will let you try the best NGFW aligned with your needs providing you a free security network assessment.

Does NGFW integrate with ACI? Can Cisco integrate FMC into ACI the same way Cisco does with Palo Alto’s Management tool?

Yes, there is integration between NGFW and Application Centric Infrastructure (ACI).

The best place to start is to review the session named Deep Dive on Cisco Security in ACI - BRKACI-3004 that was given at Cisco Live. There are device packages available for Firepower Threat Defence (FTD), Firepower Management Center(FMC) , Deep Dive on ACI integration.

Can you provide some guidance on the benefits of the NGFW, ISE and ACI integration?

There are numerous customer benefits from the NGFW, Cisco Identity Services Engine (ISE) and ACI integration; you can correlate user identities with IP addresses, and in addition you can inherit Security Group Tags (SGT) from ISE and use them in the policies. There is a very good webinar that describes this more here. You have to click on “Training Videos”, and then choose “FMC External Authentication & Sources”, in particular “Lesson 3: User Awarenesses & User Policy”. The related documentation is in the Config Guide.

Regarding the ACI integration, we have device packages available to integrate FTD into ACI. Some customers still choose to have NGFW unmanaged and use it as a choke point within ACI. Firepower Threat Defense (FTD) and ISE have a number of integrations including SGTs, ISE attributes to build policy, as well as the integration of PxGrid and the NGFW remediation module to take action on bad actors. There is also an RAVPN integration with ISE and CoA.

How does NGFW interact with Cisco Application Centric Infrastructure (ACI), Cisco Digital Network Architecture (DNA) and Cisco Software-Defined WAN (SD-WAN) ? Is there a plan to import the Security Group membership of NSX-T into Cisco NGFW?

Here are some very good references:

• For the NGFW integration with ACI, we recommend watching the following Cisco Live presentation. In addition, please take a look at the Quick Start Guide.
• For the DNA interaction, according to the DNA compatibility information only Cisco Adaptive Security Appliance (ASA) Software is supported (ASA5500-X, min supported version is 9.8.2). From the design guide we can use a firewall as a “fusion” device. A firewall, Layer 3 switch, or router can then be used to leak routing information, maintained in each VRF, thus enabling communication between virtual networks while also providing a control point to enforce established security policies. These network devices are commonly referred to as “fusion” firewalls or routers.

Today these fusion routers and firewalls must be external to the fabric.

• For the SD-WAN we have the IOS-XE ZBF and UTD functionalities. In the webpage you will find how to install, configure, activate, and update the Cisco SD-WAN Release 18.4 IPS/IDS and URL-F Security Policy Virtual Image. Zone-based firewalls are a type of localized data policy that allows stateful inspection of TCP, UDP, and ICMP data traffic flows.
• Regarding the Security Group membership of NSX-T, it’s supported with the Firepower Threat Defense (FTD) of Cisco Next-Generation Intrusion Prevention System (NGIPS) . We currently have device packages for FTD support in ACI and we support the use of SGTs. We are actively developing the use of dynamic objects from environments such as NSX-T into the NGFW for policy

What about Cisco Firepower Threat Defense (FTD) and Remote Access VPN? Does FTD fully support AnyConnect?

FTD does support AnyConnect for SSL and IPsec-IKEv2 remote access VPNs. For available features and configuration steps please refer to the config guide: FMC Guide

If we have two different Cisco firewalls (FTD or ASA) in cluster, do they support remote VPN connections?

Unfortunately not at this time. According to the FTD configuration guide “Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration”. The same applies to the ASA software. RA VPN is supported in Active/Standby HA on ASA or FTD. RA VPN is not supported on clustering in either ASA or FTD.

We have been using different Firewall platforms over the past years and now we are interested in unifying the platforms. Can you state how easy it is to convert rulebases to NGFW from multiple different platforms?

We have a very powerful Firepower Migration Tool, which now supports migration from third party firewall platforms. Contact a Cisco Specialist here who can provide you a link to test this tool.

What is performance impact on my NGFW appliance when IPS is enabled?

There is a very good performance estimator tool available for cisco customer at https://ngfwpe.cisco.com using their Cisco credentials.

It’s also possible to flag the IPS checkbox and see how much it impacts the performance and throughput of your appliance. Additionally, there are a number of factors that go into performance; traffic profile, object size, rule size, latency, etc. A general expectation of the impact of enabling IPS on our NGFWs is documented in our datasheets. We have an internal Proof Of Value and test team that can be used to bench test the FWs to show the performance with your specified criteria. If you want to test it or try the Firepower estimator tool please contact a Cisco Specialist filling this form.

Please try accessing with your Cisco credentials and let us know if it works for you.

Can Firepower Threat Defense (FTD) be fully managed by Cisco Defence Orchestrator  (is feature parity with Firepower Management Console available in Cisco Defence Orchestrator ) and if not when can we expect it?

A The aim of Cisco Defence Orchestrator (CDO) is a bit different than simply trying to make it “Firepower Management Console (FMC) in the cloud.” The goals of CDO initially are to harmonize policies across multiple Cisco enforcement points (Cisco Adaptive Security Appliance ASA Software , Firepower Threat Defense , Meraki MX, etc) as well as extend policy management to select third-party enforcement points (such as Amazon Web Services Security Groups). Thus we do not anticipate feature parity with FMC for some time.

For more information on CDO, please watch this demo

What would be a good tool to monitor and manage (deploying configuration and rules) a fleet of NGFW’s? Also, could older generation ASAs be managed by that same tool?

For a big fleet of Cisco firewalls, we have two possibilities: the Firepower Management Console (FMC), which can manage hundreds of devices, and the Cloud Defence Orchestrator (CDO), which can manage thousands of ASA devices as well as harmonize security policies for FTD and other devices.
The difference is that FMC is an appliance (physical or virtual), while CDO is a cloud-based solution. In addition, CDO is also able to manage ASA software, while FMC can manage FTD and “ASA with Firepower”. 

Are there any plans to integrate Firepower Threat Defense into existing Cisco Software-Defined WAN (SD-WAN) solutions and/or offer a Secure SD-WAN solution based on Firepower Threat Defense ? PAN, FTNet and others already offer SD-WAN capabilities based on their NGFW platforms, when can we expect similar from Cisco ?

We are currently investigating the integration of SD-WAN to Firepower Threat Defense (FTD)  as we continue to develop out our solution. At present, we have found that most customers only need a few features and not the whole SD-WAN suite

Is NGFW supported in public cloud/IaaS environments?

We currently offer FTD in both AWS and Azure marketplaces to help organizations secure their public cloud infrastructure. We will be adding support for GCP and OCI this year as well as an ongoing roadmap for other public clouds.