Cisco Secure Firewall Solutions Overview

The Cisco Secure Firewall Roadshow outlines the features and benefits of Cisco's Secure Firewall solutions, emphasizing the need for tailored security in today's complex environments. It highlights various firewall platforms, management tools, and integrated security capabilities designed to enhance threat defense and operational efficiency. The presentation also discusses the evolution of firewall technology and the importance of consistent policy management across diverse network architectures.

Uploaded by Naveed Mirzai
© All Rights Reserved

Cisco Secure Firewall

Netformers Firewall Roadshow

Przemysław Zawadzki przawadz@[Link]


Channel Cybersecurity Technical Solutions Specialist
3rd October 2023
Agenda
‣ Overview
‣ Secure Firewall Physical Platforms
‣ Virtual Firewalls
‣ Secure Firewall Threat Defense (FTD)
‣ Consistent Policy and Visibility
‣ Secure Firewall Management Center (FMC)
‣ Cisco Defense Orchestrator (CDO)
‣ Security Analytics and Logging
‣ Integrated Security Portfolio
‣ Use Cases
Overview
Traditional Network Security
One control point for all traffic: a single firewall at the network edge, between the public internet and the data center. Internal traffic was considered trustworthy, and external traffic was untrustworthy.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential Information 5
The New Reality
A one-size-fits-all approach has proved ineffective in today’s landscape

• Single control point is not adequate: every environment needs its own micro-perimeter.
• Management complexity: NetSec and IT use dozens of point products, each with its own management console.
• Evolving form factor: the single control point is replaced by multiple firewalls, both physical and virtual.
• Policy sprawl: harmonizing policies across micro-perimeters is challenging.
• Evolving threat landscape: security products need a continuous feed of threat intelligence to stay ahead of attackers.
Firewall Validated Use Cases
Where can Cisco help?
Internet Edge | Data Center | Branch | Cloud/Virtual | Secure IPS | Remote Access VPN
Why Cisco Secure Firewall?

• World-class security controls: protect your workloads with a complete portfolio of firewall solutions, backed by industry-leading threat intelligence.
• Consistent policy and visibility: streamline security policy and device management across your extended network and accelerate key security operations.
• Integrated security portfolio: extend network security beyond the firewall with malware protection, identity-based routing, multi-factor authentication, and more.
Cisco’s Comprehensive Security Portfolio

World-class security controls
• Secure Firewall Threat Defense
• Secure Firewall ASA
• Talos

Consistent policies and visibility
• Secure Firewall Management Center
• Secure Firewall Device Manager
• Cisco Defense Orchestrator
• SecureX threat response

Integrated security portfolio
• Secure Workload
• Secure Access by Duo
• Secure Endpoint
• TrustSec
• Cisco Identity Services Engine
• Secure Network Analytics
• Rapid Threat Containment
• Application Centric Infrastructure
World-Class Security Controls
Need: improve encrypted traffic performance and detect more sophisticated threats with a complete line of firewall solutions.

Cisco offering:
• Stop more threats: Contain known and unknown malware with leading Cisco® Advanced Malware Protection and sandboxing (Secure Malware Analytics).
• Prioritize threats: Gain superior visibility into your environment. Automate risk rankings and impact flags to quickly identify priorities.
• Detect earlier, act faster: Talos threat intelligence underpins the entire Cisco Secure ecosystem: if you own a Cisco Secure product, you’re harnessing the power of Talos.
Phasing Out FlexConfig

Firewall Management Center GUI support by release (FlexConfig deprecated); "-" means the feature still needs FlexConfig in that release:

Feature                                                        7.1   7.2   7.3   7.4
ECMP Zones                                                     yes   yes   yes   yes
EIGRP, VXLAN Interfaces (VTEP/VNI)                             -     yes   yes   yes
BFD for BGP, Cluster Health Settings, PBR Next-Hop Settings    -     -     yes   yes
FlexConfig Easy Migration to FMC for ECMP, EIGRP and VxLAN     -     -     yes   yes
NSEL (NetFlow Secure Event Logging)                            -     -     -     yes
Secure Firewall Physical Platforms
Cisco Secure Firewall Hardware Portfolio

Platform                      Stand-alone device                                   Cluster
1010                          650 Mbps AVC+IPS
1120/40/50                    1.5-2.2 Gbps AVC+IPS
2110/20/30/40                 2.3-20 Gbps AVC+IPS (1024B)
3105/10/20/30/40              17-45 Gbps AVC+IPS; 8-22.4 Gbps IPsec VPN            8 node cluster: with 3140, up to 288 Gbps AVC+IPS
4112/15/25/45                 12-53 Gbps AVC; 10-47 Gbps AVC+IPS                   Sixteen node cluster: up to 680 Gbps AVC, up to 675 Gbps AVC+IPS
4215/25/45 (NEW)              70-150 Gbps AVC; 70-145 Gbps AVC+IPS                 Sixteen node cluster: up to 1.7 Tbps AVC, up to 1.6 Tbps AVC+IPS
9300 Series SM-40/SM-48/SM-56 One module: 30-70 Gbps AVC; 24-64 Gbps AVC+IPS       Sixteen node cluster AVC+IPS: SM40*16n = 704 Gbps, SM48*16n = 830 Gbps, SM56*16n = 950 Gbps

Market segments, left to right: SMB, Branch Office, Mid Enterprise, Large Enterprise, Data Center, Service Provider.

All appliances can run either ASA or FTD applications; FP9300 can run both on different SMs.
Introducing the Cisco Secure Firewall 4200 Series

Superior Performance
• Achieve high-performance packet processing with powerful hardware and a wide range of high-performing network interfaces in a 1 RU footprint.
• Gain visibility into encrypted traffic with a crypto-accelerated architecture, speeding up TLS and IPsec decryption.

Outstanding ROI
• Grow your security infrastructure as your business grows with clustering capability of up to 16 firewall devices.
• Ensure business uptime with hot-swappable network modules, including fail-to-wire interfaces.

1RU, 16X clustering, 200G interface support, 2X interface module bays, dual SSD, dual mgt interface
Firepower Hardware Update
As the threat landscape evolves, our firewall portfolio does too. Gain more features and better performance at the same or lower price point.

Better performance
• Up to 3.5x boost in firewall throughput
• Up to 5x boost in VPN throughput

More connections
• Up to 2x more connections per second (CPS)

Improved encrypted traffic throughput
• Up to 3x boost in encrypted traffic performance
3100 and 4200 Series: Key Hardware Highlights

• Crypto Acceleration: a specially built circuit provides encryption/decryption acceleration; crypto-acceleration uses an FPGA (field-programmable gate array).
• Interface Flexibility: support for 1G, 10G, 25G, 40G, 100G, 200G interfaces across 2 network modules.
• Flow Offload: the flow offload engine processes packets in hardware up through layer 4.
• FIPS Compliance: supports all FIPS 140-3 requirements.
Firepower 1000 Series
Small business and branch office security with superior price/performance

Firepower 1010
• High-performance desktop firewall
• PoE, 8 x 10/100/1000Base-T RJ45 switching ports
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
• 650 Mbps firewall throughput

Firepower 1120/40/50
• High-performance rackmount firewall
• 8 x 10/100/1000Base-T RJ45 switching ports, 4 x 1000Base-F SFP switching ports, 2 x 1/10 Gbps SFP+ (1150)
• Stateful firewall, AVC, NGIPS, AMP, URL filtering
• Firewall throughput: 1120 - 1.5 Gbps, 1140 - 2.2 Gbps, 1150 - 3 Gbps
Cisco Secure Firewall 3100 Series
Make hybrid work and zero trust practical, with the flexibility to ensure strong return on investment

The new enterprise-class Cisco Secure Firewall 3100 Series supports your evolving world:
• Performance & Flexibility: provide an exceptional hybrid work experience
• Visibility & Enforcement: keep the network from going dark and strengthen your zero-trust posture
• Efficiency & Simplicity: advanced automation and integrations drive cost savings for modern environments
Up to 3x performance boost
Secure Firewall 2100 Series vs. Firepower 3100

               2110 vs 3110   2120 vs 3120   2130 vs 3130   2140 vs 3140
FW+AVC+IPS     2.6 → 17       3.4 → 21       5.4 → 38       10.4 → 45
IPsec VPN      0.9 → 11       1.2 → 13.5     1.9 → 33.0     3.6 → 39.4

*Performance estimates are in Gbps, subject to 1024B packet size, protocol type, and other networking variables.
IPsec numbers for the Firepower 3100 series are with VPN Offload enabled.
Firepower 4100 Series
Enterprise and data center security with exceptional price/performance
• Up to 50% performance improvement over previous models
• Up to 44% higher TLS performance!
• Supported software releases:
  • FTD 6.4+ – including multi-instance
  • ASA 9.12.1+
  • FXOS 2.6.1+
• Four new appliance models: 4112*, 4115, 4125, 4145
• Up to 47 Gbps firewall throughput**
• Starting 7.3, 2X100G Netmod supported

* 4112: FXOS 2.8.1, FTD 6.6 or ASA 9.14.1
** 1024B FW+AVC+IPS
4200 Series Flexible Interface Architecture
• 2 x 1/10/25G Management Port
• 8 x built in 1/10/25 G SFP28 data ports
• 2 x netmod slots
- Hot swappable
- 1G, 10G, 25G, 40G,100G, 200G, 400G (Coming)
- Fail to wire, standard

Firepower 9300 Service Modules
• Up to 80% performance boost over the previous generation SM
• Up to 33% higher TLS performance!
• Supported software releases:
  • FTD 6.4+ – including multi-instance
  • ASA 9.12.1+
  • FXOS 2.6.1+
• 3 new 9300 SM models: SM-40, SM-48, SM-56
• Up to 153 Gbps firewall throughput*
*1024B FW+AVC+IPS
Multi-Instance Expands Deployment Options
• Install multiple FTD logical devices on a single module or appliance
• Container architecture
• Instance failure does not affect other instances
• Improved crypto acceleration in hardware
• Supports HA between identical instances on different physical devices
• Example: 54 instances on a FPR9300 chassis with 3 x SM-56 modules
• Allows tenant management separation, independent instance upgrade

Diagram (NEW): two Firepower 9300/4100 service modules, each on its own Firepower 9300/4100 MIO, joined by an HA/state link. FTD Instance A runs active on the first module and standby on the second; FTD Instance B and FTD Instance C run standalone. Each MIO connects through an Ethernet port-channel with subinterfaces 1/1.10 and 1/1.11.
Clustering
Drive high return on investment while maintaining high availability
• Combine multiple devices to make a single scalable logical device (FTD cluster, attached to the switches with vPC)
• Scale as you grow
• Scale throughput, concurrent and new connections
• Can span multiple datacenters
• N+1 resilience
• Handles asymmetric traffic seamlessly

Example: 16 node cluster, up to 950 Gbps AVC+IPS
Multi-Site Data Center
• North-South insertion with LISP inspection and owner reassignment
• East-West insertion for first hop redundancy with VM mobility

Diagram: Site 1 and Site 2 each have local VPC/VSS pairs (VPC1, VPC2) with a local data EtherChannel on each VPC/VSS switch pair. The firewall cluster spans both sites with a single spanned EtherChannel for data on the cluster side, and the CCL (cluster control link) is fully extended between DCs at L2 with <10 ms latency.
Data VLANs are not extended for North-South insertion; filtering is required to avoid loops and MAC/IP conflicts for East-West.
Virtual Firewalls
Simplifying Multi-Cloud Environments
Private Cloud | Public Cloud | Gov/IC Cloud (several platforms newly added)

Virtual firewall performance-based licensing from 100 Mbps up to 16 Gbps

Cloud Leadership
• Integration with cloud native services & infrastructure
• Clustering & Auto Scaling
• Accelerated Networking
• Smart & Tiered Licensing
• Quickstarts, Infrastructure as Code and Automation
• Gateway Load Balancer integration
• Dynamic Policy
• Snapshots
Smart Licensing Performance Tiers
• 7.0+ Evaluation mode and Smart License performance tiers
• Current perpetual BASE license moves to a subscription model

Performance Tier   Device Specifications   Rate Limit   RA VPN Session Limit
FTDv5              4 cores/8 GB            100 Mbps     50
FTDv10             4 cores/8 GB            1 Gbps       250
FTDv20             4 cores/8 GB            3 Gbps       250
FTDv30             8 cores/16 GB           5 Gbps       250
FTDv50             12 cores/24 GB          10 Gbps      750
FTDv100            16 cores/32 GB          20 Gbps      10000
FMC Virtual 300
• Up to 300 managed devices
• KVM and Azure support in 7.3
• CPU: 2 x 8 cores, Memory: 64 GB, hard disk: 2.2 TB
• Migrate easily from one FMC model to another
• High Availability for on prem, AWS and OCI clouds – 7.1 or higher
• Supported software releases:
  • FTD 6.5 or higher – including multi-instance
  • FMC 6.5 or higher
Secure Firewall Threat Defense
What is Secure Firewall Threat Defense (FTD)?
Delivers nearly 100% efficacy on blocking malicious flows and guards the network against threats
• Key Benefits
• Tenant management separation
• Scale as you grow
• Impact analysis
• Prioritize administration
• Features
• Firewall
• Intrusion Prevention
• Integrated TLS Decryption
• VPN
• Cisco Threat Intelligence Director
• Malware Continuous Analysis with Retrospection
• QUIC Fingerprinting

Release 7.3 Highlights

Threat Efficacy
• QUIC Fingerprinting
• MITRE support for Snort Rules
• Event Viewer shows MITRE ATT&CK Techniques

Device Management
• Improved Upgrade workflow
• Email Notification for Scheduled Jobs
• Dual ISP support for data interface management

Licensing
• Carrier License Support
• License Renaming

SASE/Secure Access
• DVTI
• RAVPN Dashboard
• Umbrella Auto Tunnel Configuration
• Loopback Support for VTI and management services
• TLS 1.3 RAVPN

Virtual Deployment
• Clustering Support with Gateway load balancer
• 6 node FTDv cluster in Azure
• IPv6 support validation for public and private cloud

Platform Updates
• Performance Profile for CPU Core allocation
• 3105 platform launch
Firewall Policy Powered by Talos and OpenAppID
Control traffic based on IP, URL, FQDN, or application
• Cloudlock's Cloud Application Security Insights (CASI) security feeds (URL | IP | DNS) merging with Secure Firewall
• OpenAppID for SaaS app detection
• Firewall actions: Allow, Warn, Block; DNS sinkhole; category-based policy creation by the admin

Security Intelligence: block latest malicious IPs, URLs and FQDNs
AVC with OpenAppID: identify and control over 6,000+ pre-defined apps
AVC with OpenAppID: easily create custom application detectors
URL Categories: classify 280M+ URLs using 80+ categories
Secure IPS
Reduce the noise/volume of events and prioritize administration
Powered by Snort 3 – best of breed, open source IPS
Firewall brings the power of context to IPS
Impact of IPS events can be deduced. Rule recommendation can tune IPS.

Impact flag                 Administrator action   Why
1 Vulnerable                Act immediately        Event corresponds to vulnerability mapped to host
2 Potentially Vulnerable    Investigate            Relevant port open or protocol in use but no vuln mapped
3 Currently Not Available   Good to know           Relevant port not open or protocol not in use
4 Unknown Target            Good to know           Monitored network but unknown host
0 Unknown                   Good to know           Unmonitored network
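The impact-flag table above is a decision procedure over what network discovery knows about the destination host. The following Python is an added illustration of that procedure, not code from the deck or from FMC: the monitored ranges, the HostProfile/IntrusionEvent fields, the vulnerability ids and the sample events are all constructed for the example, and the rule precedence (unmonitored, then unknown host, then mapped vulnerability, then open port/protocol) is taken from the table's rows.

```python
"""Impact-flag assignment modelled on the Secure IPS table above.

Added illustration only, not Cisco FMC code: the monitored ranges, host
profiles and intrusion events below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Flag -> (label, administrator action), as in the table
IMPACT_LABELS = {
    1: ("Vulnerable", "Act immediately"),
    2: ("Potentially Vulnerable", "Investigate"),
    3: ("Currently Not Available", "Good to know"),
    4: ("Unknown Target", "Good to know"),
    0: ("Unknown", "Good to know"),
}

# Constructed: address ranges that network discovery is monitoring
MONITORED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


@dataclass
class HostProfile:
    """What discovery learned about one host (constructed fields)."""
    ip: str
    open_ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    vulnerabilities: set = field(default_factory=set)  # vuln ids mapped to the host


@dataclass
class IntrusionEvent:
    gid_sid: str
    dst_ip: str
    dst_port: int
    protocol: str
    vuln_refs: set = field(default_factory=set)  # vuln ids the rule is associated with


def is_monitored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def impact_flag(event: IntrusionEvent, host_map: dict) -> int:
    """Apply the five rows of the table in priority order."""
    if not is_monitored(event.dst_ip):
        return 0                                   # unmonitored network
    host = host_map.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if event.vuln_refs & host.vulnerabilities:
        return 1                                   # vulnerability mapped to this host
    if event.dst_port in host.open_ports or event.protocol in host.protocols:
        return 2                                   # port open / protocol in use, no vuln mapped
    return 3                                       # port not open and protocol not in use


def triage(events, host_map):
    """Order events most urgent first and attach label and action."""
    urgency = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    flagged = sorted(((impact_flag(e, host_map), e) for e in events),
                     key=lambda pair: urgency[pair[0]])
    return [(flag, *IMPACT_LABELS[flag], e.gid_sid, e.dst_ip) for flag, e in flagged]


# Constructed sample data: two discovered hosts and five events against them
HOST_MAP = {
    "10.10.1.5": HostProfile("10.10.1.5", {80, 443}, {"tcp", "http"}, {"VULN-A"}),
    "10.10.1.9": HostProfile("10.10.1.9", {22}, {"ssh"}, set()),
}
SAMPLE_EVENTS = [
    IntrusionEvent("1:42785", "10.10.1.5", 443, "tcp", {"VULN-A"}),   # -> 1
    IntrusionEvent("1:1001", "10.10.1.5", 80, "http", {"VULN-Z"}),    # -> 2
    IntrusionEvent("1:1002", "10.10.1.9", 3389, "rdp", {"VULN-Z"}),   # -> 3
    IntrusionEvent("1:1003", "10.10.7.7", 445, "smb", {"VULN-Z"}),    # -> 4
    IntrusionEvent("1:1004", "192.0.2.10", 445, "smb", {"VULN-Z"}),   # -> 0
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, HOST_MAP):
        print(row)
```

The ordering matters: a host outside every monitored range can never be rated 1 even if the rule references a vulnerability, because discovery has no profile to match against, which is exactly why the table ties "Act immediately" to a host-mapped vulnerability rather than to rule severity.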
Snort 2 vs. Snort 3
Points of comparison between Snort 2 and Snort 3:
• Multi-threaded architecture
• Capable of running multiple Snort processes
• Port-independent protocol inspection
• IPS accelerators / Hyperscan support
• Modularity – easier TALOS contributions
• Scalable memory allocation
• Next-gen TALOS rules – e.g., regex / rule options / sticky buffers
• New and improved HTTP inspector – e.g., HTTP/2 support
• Lightweight content updates from TALOS
Correlate Host Profile and IPS
Drive impact analysis and rule recommendations

Cisco Threat Intelligence Director (CTID)
Support of open integration
• Extend Talos Security Intelligence with 3rd party cyber threat intelligence
• Parse and operationalize simple and complex threat indicators

Flow: FMC ingests third-party cyber threat intelligence (CTI); Cisco Threat Intelligence Director on FMC publishes observables to FTD; FTD applies the Block or Monitor action and reports observables back; FMC detects incidents.
Indications of Compromise (IoCs) Events

IPS Events
• Malware backdoors
• Exploit kits
• Web app attacks
• Admin privilege escalations

Security Intelligence Events
• Connections to known CnC IPs: DNS servers, suspect URLs

Malware Events
• Malware detections
• Malware executions
• Office/PDF/Java compromises
• Dropper infections
IoCs Facilitate Remediation
Facilitate understanding and remediation to reduce impact
• Identifies compromised and potentially compromised systems
• Take automatic action through Cisco Rapid Threat Containment

Screenshot: the Indications of Compromise dashboard ("Hosts by Indication") listing intrusion events by threat impact (Impact 1 and Impact 2 events such as admin, user and attack intrusions).
Integrated TLS 1.3 Decryption
Finds encrypted threats while reducing performance impact
• TLS hardware acceleration delivers high-performance inspection of encrypted traffic
• Centralized enforcement of TLS certificate policies
  ‒ Examples: blocking self-signed encrypted traffic, specified TLS versions, cipher suites

Flow: encrypted traffic enters the TLS decryption engine; firewall/NGIPS AVC enforcement decisions are applied per destination site (for example, sites in the gambling or illicit categories); all sessions are logged.
• Decrypt traffic in hardware or software
• Inspect deciphered packets
• Track and log all TLS sessions
Fast App and URL Actions with TLS 1.3
AVC, URL, and Decryption Policy decisions on the pre-1.3 TLS header
The ClientHello Server Name Indication (SNI) is cleartext, but spoofable; the Common and Subject Alternative Names in the server certificate (ServerHello, ServerCertificate, ServerHelloDone, followed by ApplicationData) are encrypted in TLS 1.3.

TLS Server Identity Discovery without decryption (since FTD 6.7):
1. The client sends a TLS 1.3 ClientHello.
2. FTD opens a sidecar TLS 1.2 connection to identify the server, caches the result, and makes the policy decision.
3. If permitted without TLS decryption, FTD passes the original ClientHello and disengages; if permitted with TLS decryption, FTD engages the TLS proxy and generates a new ClientHello.
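The slide's point is that a TLS 1.3 policy decision made before decryption can only rely on what the ClientHello carries in cleartext. The Python below is an added illustration of that, not code from the deck or from FTD: build_client_hello constructs a minimal ClientHello record, parse_client_hello pulls out the SNI and the supported_versions extension (how a TLS 1.3 offer is recognised, since legacy_version still says 1.2), and early_decision, with its constructed blocklist, makes the kind of pre-decryption call the slide describes and reports when no SNI is present.

```python
"""Reading the TLS 1.3 ClientHello fields the firewall sees before decryption.

Added illustration only, not FTD code: build_client_hello, parse_client_hello,
early_decision and the blocklist are constructed for this example.
"""
import os
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def _ext_server_name(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def _ext_supported_versions(versions) -> bytes:
    body = b"".join(struct.pack("!H", v) for v in versions)
    payload = bytes([len(body)]) + body
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(payload)) + payload


def build_client_hello(hostname=None, offer_tls13=True) -> bytes:
    """Constructed minimal ClientHello record (one cipher suite, no session id)."""
    exts = b""
    if hostname:
        exts += _ext_server_name(hostname)
    if offer_tls13:
        exts += _ext_supported_versions([TLS13, 0x0303])
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"         # legacy_version, random, session id
            + struct.pack("!H", 2) + b"\x13\x01"            # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                   # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the SNI (if any) and whether TLS 1.3 is offered, without decrypting anything."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                         # skip legacy_version and random
        pos += 1 + body[pos]                                 # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # cipher suites
        pos += 1 + body[pos]                                 # compression methods
        info = {"sni": None, "offers_tls13": False}
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                lpos = 2                                     # skip server_name_list length
                while lpos + 3 <= len(data):
                    ntype = data[lpos]
                    nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                    lpos += 3
                    if ntype == 0:
                        info["sni"] = data[lpos:lpos + nlen].decode("ascii", "replace")
                    lpos += nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                vbytes = data[1:1 + data[0]]
                offered = [struct.unpack("!H", vbytes[i:i + 2])[0]
                           for i in range(0, len(vbytes) - 1, 2)]
                info["offers_tls13"] = TLS13 in offered
        return info
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


def early_decision(record: bytes, blocked_names: set) -> str:
    """Decide on the cleartext SNI alone; the client chose that value, so it is spoofable."""
    info = parse_client_hello(record)
    if info["sni"] is None:
        return "needs-identity-discovery"   # no SNI: the sidecar lookup in step 2 applies
    return "block" if info["sni"] in blocked_names else "allow"
```

Because the value the decision rests on is supplied by the client, a permissive verdict from early_decision is only as trustworthy as the SNI; that is the reason the slide pairs the fast path with server identity discovery and, where policy requires it, full decryption.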
Encrypted Visibility Engine Benefits
• Detects and blocks malware in encrypted flows
• Can be used for app control in the firewall policy
• Encrypted Visibility Engine triggers Indications of Compromise
• Minimal performance impact
• Enriches endpoint DB with application and OS
EVE Empowers Defense-in-Depth with a New ML-Powered Line of Defense
• EVE is a new player in the security features team
• Sifts out malware threats with minimal effort
• EVE reduces pressure on more resource-heavy functions
• It brings the best value when used as yet another layer of protection

Layers, in order: Security Intelligence; Umbrella / TALOS DNS; Encrypted Visibility Engine; Application Visibility / URL Categories; Threat Intelligence Director; TLS Decryption; IPS and AMP.
Site-to-Site VPN
Easily and securely interconnect remote sites
• IKEv1/IKEv2 policy-based VPN
• Easy topology-based management of VPN on multiple peers
  • Point-to-point
  • Hub and spoke
  • Full mesh
• Flexible authentication options – pre-shared key (automatic) and certificates

Diagram: point-to-point (FTD to FTD or router), hub and spoke (FTD hub with FTD, router or third-party device spokes), and full mesh topologies.
Remote Access VPN
Provide ubiquitous secure access from remote and roaming users
• Posture assessment
• Uses TLS, DTLS or IKEv2 (AnyConnect)
• Easy wizard-based configuration
• Identity-based security policies
• Enhanced security with 2FA/MFA provided by Secure Access (Duo)
• Passwordless authentication
• Monitoring dashboard
• TLS 1.3 support
Extend access remotely | Protect important data | Maintain application performance | Support multiple sites
Simplified Branch
WAN Connect and Remote Branch Management
• Data Interface Management
• Intelligent Routing with Path Monitoring
• WAN PBR Path Monitoring
• Direct Internet Access
• Hub and Spoke DVTI
• Loopback Interface
• Auto-configuration rollback
• User Identity and SGT-based routing (in 7.4)

Diagram: a branch FTD with internal clients is connected over physical links to ISP1 and ISP2; DIA traffic goes directly to internet applications, while VTI tunnels (ECMP on VTI interfaces) carry traffic to the corporate FTD and corporate network.
7.4 Release
Enhanced Application Health Monitoring
• Under the Path Monitoring tab of the Interface dialog, a new option to enable/disable HTTP-based Application Monitoring is added.
• A read-only view of the applications selected for Path Monitoring is also listed below the Enable option.
FTD
New with 7.4
MITRE ATT&CK Support
• MITRE ATT&CK Tactics and Techniques provide a framework for descriptive categorization of IPS
and Malware events.
• Snort3 Intrusion Policies include MITRE ATT&CK groups for signature tuning
• IPS and Local Malware Analysis events are now enriched with MITRE ATT&CK meta data making
security incident investigation easier

The “Why” and “How” - MITRE ATT&CK Framework
• Intrusion Prevention Group (~1500 signatures) reflecting the MITRE framework
• The “Why” – MITRE Tactics
• The “How” – MITRE Techniques
It is no longer only a signature GID:SID 1:42785 – it tells you a “story about the attack”.
Encrypted Visibility Engine 7.4 Enhancements
• Decide whether the EVE engine should be used for client application detection.
• You can view EVE fingerprints in a new Unified Events column and cross-launch to [Link] for more details.
• Specify the acceptable EVE confidence level for blocking malware in encrypted flows.
Viewing EVE Process Analysis
You can view EVE fingerprints in a new Unified Events column and cross-launch to [Link] to check the Process Analysis.
• Fingerprint prevalence across processes in EVE’s dataset.
• Destination context – SNI / IP / port distribution in EVE’s dataset.
Consistent Policy and Visibility
Need: stronger security policy management practices that can effectively protect the business at scale

Cisco offering:
• Maintain consistent policies: Write a policy once and scale enforcement consistently across tens of thousands of security controls throughout your network.
• Reduce complexity: Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
• Accelerate key security operations functions: Leverage existing resources and make the team more efficient by removing manual processes. Access security patches and new features faster by completing software image upgrades in just a few clicks.
Management Designed for the User
Flexibility of cloud or on-premises options
• Firewall Management Center: on-premise centralized manager
• Cisco Defense Orchestrator: cloud-delivered centralized manager
• Firewall Device Manager: on-box manager, NetOps focused
Flexibility of Management Consumption

• On-prem: config, analytics and event storage all on-prem. Driven by security concerns or regulatory compliance. Typical: government, financials.
• Hybrid: config in the cloud; analytics and event storage on-prem. Sensitivities around customer data. Typical: retail, financials.
• SaaS: config, analytics and event storage in the cloud. Cloud-first approach. Typical: technology, startups.

Increasing customer cloud acceptance (on-prem → hybrid → SaaS)
Management Platforms: When to Position?

Internet edge – Cloud-delivered or On-Prem FMC
• Cloud-delivered for ease of use and netops users
• FMC for advanced security analytics
• Ask your customer about their priority

Enterprise branch – Cloud-delivered or On-Prem FMC
• Choice of onboarding FTD through data interface or management interface
• Low-touch onboarding

SMB / Small Business Edition – Cloud-delivered FMC
• Cloud-delivered FMC eliminates the need for change management and update overhead
• No rack space and utility bill, lowering operational cost

Data center Edge / Core – FMC
• FMC supports clustering on 3100, 4100 and 9300, TrustSec

Campus fabric – FMC
• FMC supports clustering on 3100, 4100 and 9300, TrustSec

Firewall running in public cloud – Cloud-delivered or On-Prem FMC
• FMC supports firewalls running in public cloud

IPS only – Cloud-delivered or On-Prem FMC
• FMC supports all the advanced IPS features and provides a separate interface from the firewall
Logging Options: When to position?

Cloud
Details:
• Unified Event Viewer for ASA and FTD events
• Available through an additional subscription of Security Analytics and Logging (SAL)
• Unified Event Viewer and summary dashboard in Cisco Defense Orchestrator
• Default storage of 90 days, extendible up to 3 years
• Additional behavioral analytics through the Security Analytics and Logging integration
• Available in US, EMEA and APJC
Benefits:
• Usage-based pricing
• Correlate with telemetry from internal network and cloud logs in Secure Cloud Analytics
• Higher storage capacity than on-prem storage
• Can help reduce the cost of 3rd party logging solutions by sending only filtered or high-priority alerts from SAL

On-prem
Details:
• Events sent from Secure Firewall to Management Center over sftunnel
• Events are stored in FMC at no additional cost
• Event Viewer and Analytics in FMC
• Storage capacity dependent on the FMC model
Benefits:
• Suitable for deployments with restrictions around storing data in the cloud
• Familiar dashboard, reporting and workflows in FMC

Extended On-prem
Details:
• Available through integration with Secure Network Analytics (SNA)
• Events stored in FMC and SNA depending on retention configuration in FMC
• Multiple storage capacity options using SNA clustered datastore
• Event Viewer in FMC with easy configuration wizard and contextual cross launch from FMC
Benefits:
• Unified log storage for ASA and FTD events
• Exponentially higher on-prem storage capacity than the native storage capacity of FMC
• Additional behavioural analytics powered by Secure Network Analytics
• Correlate with telemetry from the internal network and on-prem sensor logs in Secure Network Analytics
Secure Firewall Management Center (FMC)
What is Firewall Management Center (FMC)?
On-premise, centralized management for multi-site deployments
• Key Benefits
• Manage across many sites
• Control access and set policies
• Investigate incidents
• Prioritize response
• Available in physical and virtual options
• Features
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Policy & device management
• Endpoint
• Security intelligence

Network Discovery
Provides the right data, at the right time, in the right format
• Discovers applications, users, and
hosts through passive analysis of network
traffic
• Provides context and helps determine the
impact of attacks
• Tune IPS signature sets to devices
discovered on the network
• Update host profiles with 3rd party
vulnerability management integration

Policy Management
Reduce complexity of policy maintenance
• Centralized on premise management
across multiple Firewall platforms
• Integrates multiple security features into a
single access policy
• Reduces manual configuration of policy
through inheritance and template use.

FMC: Automate Security Response
Reduce the noise and connect the dots
• Correlate Security events
• Trigger automated response
  • Email
  • Syslog
  • SNMP
  • Remediation module
• Integration with Secure Network Access and other Cisco/3rd party products
(Diagram: Correlation Policy → Correlation Rule → Correlation Event → Correlation Rule Action; 100,000 events reduced to 3 events)
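As an added example (written for this page, not code from Cisco or the FMC), the following Python models the chain on this slide: raw firewall events pass through correlation rules, each rule emits a correlation event, and each correlation event receives an action, here a syslog-style line. The sample events, the rule thresholds, the impact-flag semantics and the output format are all constructed for the illustration; the point it shows is how 93 raw events collapse to two actionable ones.

```python
"""Constructed illustration of a correlation policy: many raw events in, few correlation events out."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str          # "intrusion" or "connection"
    src: str
    dst: str
    dst_port: int = 0
    impact: int = 0    # assumed semantics: 1 = target known vulnerable, higher = less relevant
    action: str = ""   # "Allow" / "Block" for connection events


@dataclass(frozen=True)
class CorrelationEvent:
    rule: str
    host: str
    detail: str


Rule = Callable[[List[Event]], Iterator[CorrelationEvent]]


def rule_impact1(events: List[Event]) -> Iterator[CorrelationEvent]:
    """Fire once per target host that saw an impact-1 intrusion event, however many times it repeats."""
    seen: Set[str] = set()
    for e in events:
        if e.kind == "intrusion" and e.impact == 1 and e.dst not in seen:
            seen.add(e.dst)
            yield CorrelationEvent("impact1-intrusion", e.dst, f"attacker={e.src}")


def rule_blocked_sweep(events: List[Event], threshold: int = 20) -> Iterator[CorrelationEvent]:
    """Fire when one source has blocked connections to at least `threshold` distinct ports on one host."""
    ports: Dict[Tuple[str, str], Set[int]] = {}
    for e in events:
        if e.kind == "connection" and e.action == "Block":
            ports.setdefault((e.src, e.dst), set()).add(e.dst_port)
    for (src, dst), p in ports.items():
        if len(p) >= threshold:
            yield CorrelationEvent("blocked-port-sweep", src, f"{len(p)} ports on {dst}")


def correlate(events: List[Event], rules: List[Rule]) -> List[CorrelationEvent]:
    """Run every rule of the policy over the same event set (rules are independent of each other)."""
    out: List[CorrelationEvent] = []
    for rule in rules:
        out.extend(rule(events))
    return out


def syslog_line(ce: CorrelationEvent) -> str:
    """Action: one syslog-style line per correlation event (format constructed, not FMC's)."""
    return f"correlation rule={ce.rule} host={ce.host} {ce.detail}"


def sample_events() -> List[Event]:
    """Constructed event stream using RFC 5737 documentation addresses."""
    events: List[Event] = []
    # 50 blocked probes from one scanner against 50 different ports of one server
    for port in range(1, 51):
        events.append(Event("connection", "203.0.113.5", "10.0.0.20", dst_port=port, action="Block"))
    # 40 noisy intrusion events where the target is not vulnerable (impact 3)
    for i in range(40):
        events.append(Event("intrusion", "198.51.100.7", f"10.0.0.{100 + i % 5}", impact=3))
    # two impact-1 events against the same host from two different sources
    events.append(Event("intrusion", "198.51.100.9", "10.0.0.5", impact=1))
    events.append(Event("intrusion", "198.51.100.10", "10.0.0.5", impact=1))
    # one ordinary allowed connection that must not trigger anything
    events.append(Event("connection", "10.0.0.5", "10.0.0.20", dst_port=443, action="Allow"))
    return events


RULES: List[Rule] = [rule_impact1, rule_blocked_sweep]


def demo() -> Tuple[int, List[CorrelationEvent], List[str]]:
    events = sample_events()
    ces = correlate(events, RULES)
    return len(events), ces, [syslog_line(c) for c in ces]


if __name__ == "__main__":
    total, ces, lines = demo()
    print(f"{total} raw events -> {len(ces)} correlation events")
    for line in lines:
        print(line)
```

Each rule deduplicates on the entity it reports (target host, scanning source), which is what keeps the output at a handful of events rather than one per raw alert.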
Unified Event Viewer
True Correlation: clicking on the Intrusion Event (callout 1) highlights the associated Connection Event.
Expand rows to view all details.
Health Monitoring Dashboard
• FMC and Managed Firewalls
• All deployment modes –
standalone, NGIPS, HA,
Cluster
• Custom Health Stats
• Overall Cluster Stats added
in 7.3
New with 7.3
• Power Supply Monitoring
for 4100/9300 in 7.3

VPN Monitoring Dashboard
Application aware firewall policy enforcement, path selection, and decryption
DEPLOYMENT SCENARIO
• Mid to Large VPN deployment base
• Monitor user activity and session details
• Capacity Planning and availability statistics

BENEFITS
• Consolidated Dashboard
• User Geolocation info
• Analytics for the deployment base, such as
common workstation OS platforms
• Terminate one or all VPN sessions for
upgrade planning/troubleshooting

New with FTD 7.3

Anyconnect customization
• Customization of:
  • GUI Text and messages
  • Icons and Images
  • OnConnect/Disconnect Scripts
• Works with Cisco Secure Client (Formerly AnyConnect)
7.4 Release

WAN Summary Dashboard
• The overall health of the Firewalls in WAN topology
• Application Bandwidth Consumption Data
• Inventory of Devices part of WAN topology
• Detailed View in Health Monitoring
(Screenshot callouts: Dashboard refresh controls; WAN Summary Widgets)
7.4 Release

Low Touch Onboarding to On-prem FMC

FMC Integrations
Visibility and analytics beyond network discovery
• Close integration of FMC with Secure Endpoint
• Standards based threat indicators (STIX/TAXII)
• Cisco Threat Intelligence Director (CTID)
• Drive down TTR with broad detection and
collation
• SecureX threat response
• Leverage other Cisco and 3rd party product to
extend visibility
• FMC external Cisco lookups
• Leverage SIEMs with Unified Events

Contextual cross-launch
Tight integration and pivoting to accelerate threat hunting
1. Right-click on an IP address
2. Select Talos IP lookup
• Pivot directly to Cisco Architecture
• Pivot to 3rd party tools
• Reduce time to analyze IoCs to drive down TTR
• Reduce complexity of integration
Dynamic Policy Across Multicloud Environments
Secure Firewall contributes zone-based segmentation rules, Secure Workload contributes microsegmentation rules; together they form Firewall Dynamic Policies.

Seamless Integration
Unified segmentation policy across Secure Firewall & Secure Workload

Dynamic Policies
Policy updated dynamically based on application communications information

Expanding to Cloud Providers
This fall, extending recommendation functionality to AWS and Azure security groups

“Eagerly awaiting this! Integration across our multicloud controls will help drive better security in our distributed environment.”
-- Global payments and fleet management enterprise
Cisco Secure Dynamic Attribute Connector
Problem: In a dynamic and multicloud world,
admins struggle to keep up with ever changing
object IPs as workloads are spun up, down and
change.
Solution: Cisco provides a programmatic way
to create, deploy and maintain dynamic
objects.
Benefits: Dramatically reduces the admin
overhead to keep security policies up to date,
provides on demand updates without a deploy.
Gain confident control of cloud services and
other dynamic environments.

Cisco Secure Dynamic Attribute Connector
Integrations:
• AWS instances
• Azure instances
• Azure service tags
• VMware categories and tags managed by vCenter and
NSX-T
• Google Cloud
• GitHub
• Office 365
Cisco Secure Dynamic Attributes Connector
Data flow: Consumer (FMC) ← Adapters (FMC Adapter, {REST}) ← Dynamic Attributes Filters ← Connectors (Azure Connector, AWS Connector, vCenter Connector)
Sources shown: Finance App and HR App (Azure), IT App and HR App (AWS), HR DB (vCenter Private Cloud)

Dynamic Mappings (Object → IPs)
• Linux-Servers: [Link], [Link], [Link]
• Windows-Servers: [Link], [Link]
• Azure Powered-On: [Link]

Dynamic attribute filters
Name | Connector | Query
Linux-Servers | vCenter | os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'
Windows-Servers | vCenter | os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'
Powered-On | vCenter | Power='running' AND (network='PROD_NETW' OR host='SplunkVM')

Benefits:
• Sensors immediately see dynamic object changes
• Change without policy deploy
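The Query column on this slide is a small boolean filter language over connector attributes. As an added illustration (my code, not CSDAC's implementation and not its real query grammar, which is assumed here to be `attr = 'value'` terms joined by AND/OR with parentheses, as the slide's three queries suggest), the following Python evaluates such filters over a constructed vCenter-style inventory and shows why a power-state change alters a dynamic object's IP set without any policy deploy. Hostnames, IPs and attribute values are constructed; attribute names are compared case-insensitively so that `Power` and `power` match the same field.

```python
"""Constructed illustration of dynamic attribute filters (not CSDAC's own code or grammar)."""
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed stand-in for what a vCenter connector would report; names, IPs and values are made up.
INVENTORY: List[Record] = [
    {"name": "web01", "ip": "10.10.1.11", "os": "RHEL 7 (64-bit)", "network": "PROD_NETW", "power": "running"},
    {"name": "web02", "ip": "10.10.1.12", "os": "CentOS 7 (64-bit)", "network": "PROD_NETW", "power": "running"},
    {"name": "dc01", "ip": "10.10.2.21", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running"},
    {"name": "dc02", "ip": "10.10.2.22", "os": "MS Windows Server 2016 (64-bit)", "network": "DEV_NETW", "power": "running"},
    {"name": "splunk", "ip": "10.10.9.50", "os": "Ubuntu 22.04", "network": "MGMT_NETW", "power": "running", "host": "SplunkVM"},
    {"name": "old01", "ip": "10.10.1.99", "os": "CentOS 7 (64-bit)", "network": "PROD_NETW", "power": "poweredOff"},
]

# The three filters from the slide's Name / Connector / Query table.
FILTERS: Dict[str, str] = {
    "Linux-Servers": "os = 'RHEL 7 (64-bit)' OR os = 'CentOS 7 (64-bit)'",
    "Windows-Servers": "os = 'MS Windows Server 2016 (64-bit)' AND network='PROD_NETW' AND Power='running'",
    "Powered-On": "Power='running' AND (network='PROD_NETW' OR host='SplunkVM')",
}

# Tokens: "(", ")", AND, OR, or attr = 'value'. Assumed grammar modelled on the slide's queries.
TOKEN_RE = re.compile(r"\s*(?:(\()|(\))|(AND|OR)\b|([A-Za-z_]\w*)\s*=\s*'([^']*)')")


def tokenize(query: str) -> List[Tuple[str, object]]:
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            if not query[pos:].strip():
                break
            raise ValueError(f"cannot tokenize {query[pos:]!r}")
        lp, rp, op, attr, val = m.groups()
        if lp or rp or op:
            tokens.append((lp or rp or op, None))
        else:
            tokens.append(("EQ", (attr.lower(), val)))  # attribute names are case-insensitive here
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*; factor := '(' expr ')' | EQ."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return node

    def expr(self):
        parts = [self.term()]
        while self.peek() == "OR":
            self.take()
            parts.append(self.term())
        return parts[0] if len(parts) == 1 else ("or", parts)

    def term(self):
        parts = [self.factor()]
        while self.peek() == "AND":
            self.take()
            parts.append(self.factor())
        return parts[0] if len(parts) == 1 else ("and", parts)

    def factor(self):
        kind, val = self.take()
        if kind == "(":
            node = self.expr()
            if self.take()[0] != ")":
                raise ValueError("expected ')'")
            return node
        if kind == "EQ":
            return ("eq",) + val
        raise ValueError(f"unexpected token {kind}")


def matches(node, rec: Record) -> bool:
    """Evaluate a parsed filter against one inventory record; a missing attribute never matches."""
    if node[0] == "eq":
        return rec.get(node[1]) == node[2]
    if node[0] == "and":
        return all(matches(n, rec) for n in node[1])
    return any(matches(n, rec) for n in node[1])


def resolve(filters: Dict[str, str], inventory: List[Record]) -> Dict[str, List[str]]:
    """Dynamic object name -> sorted IPs of the records matching its filter."""
    return {name: sorted(r["ip"] for r in inventory if matches(Parser(tokenize(q)).parse(), r))
            for name, q in filters.items()}


def delta(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per object: (IPs removed, IPs added). This delta is what a consumer pushes, with no policy deploy."""
    return {n: (sorted(set(old.get(n, [])) - set(ips)), sorted(set(ips) - set(old.get(n, []))))
            for n, ips in new.items()}


def demo():
    before = resolve(FILTERS, INVENTORY)
    # web02 gets powered off: only the filters that reference power change their membership
    changed = [dict(r, power="poweredOff") if r["name"] == "web02" else r for r in INVENTORY]
    after = resolve(FILTERS, changed)
    return before, after, delta(before, after)


if __name__ == "__main__":
    before, after, diff = demo()
    for name, ips in before.items():
        print(name, ips)
    print("after powering off web02:", diff)
```

Note that `Linux-Servers` keeps the powered-off `old01` because its filter never mentions power, while `Powered-On` drops `web02` as soon as the connector reports the new state; choosing which attributes a filter references is what decides how quickly a dynamic object tracks the environment.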
FMC
New with 7.4
CSDAC in FMC

• You must configure:
  • Connectors
  • Dynamic attribute filters
• You do not configure any adapters
External User Identity with CSDAC
• Key motivation
  • Customers want to use Identity Services Engine (ISE) 802.1x Authentication with Lightweight Directory Access Protocol (LDAP)
  • FMC today does not support LDAP in Passive Authentication
• Three new connectors added to CSDAC
  • ISE Connector – creates IP-to-user mapping
  • LDAP Connector – creates user-to-groups mapping
  • Decorator – creates IP-user/groups mapping
• Adapter configuration has not changed
Azure AD Integration
• Objectives
  • Integrate Secure Firewall user identity with Azure AD and ISE
  • Receive Azure AD logins from ISE
    • Active authentication not supported in this release
  • Enforce access policy based on Azure AD users and groups
• Feature Overview
  • New Azure AD realm to get users, groups from Azure AD
  • Receive and process Azure AD user sessions from ISE
  • Stream real time user, group membership changes using Azure Event hub
  • Revamped UI for User Analysis Screens
(Diagram: Azure AD supplies Users and Groups to FMC; ISE forwards User Login/Logout Events to FMC)
4100/9300 Chassis Registration to FMC

(Diagram: Firewall Management Center connects to the FPR 4100/9300 Series Chassis over SFTunnel)
• FMC has the capability to register a 4100/9300 chassis into the device list
• FXOS faults (including HW bypass) collected by the FMC
• Chassis events available in UMS messages, Health Monitor and Events
Secure Firewall Device
Manager (FDM)
What is Secure Firewall Device Manager (FDM)
On-box manager and API platform
• Key Benefits
• Easy set up
• Control access and set policies
• Automate configuration
• Enhanced control
• Features
• Role-based access control
• High availability
• NAT and routing
• Intrusion and malware protection
• Device monitoring
• VPN support
• Support for Secure Firewall in GCP New

Simplified Firewall Management
Easy setup, management, and monitoring
Manages Firepower Threat Defense on low-end and mid-range platforms
• Wizard-based guided workflows
• Predefined security policies for quick administration
• Built on FTD Device APIs
API-First Approach
An open, documented management and reporting architecture
Achieve operational efficiency | Automate complex tasks at scale | Integrate with ecosystem

Key Features
• Day 0 Provisioning
• Day 1-2 Configuration Management
• Operations, Troubleshooting, Monitoring

FDM and CDO use the FTD APIs. Everyone can use the APIs for automation:
• Automation Scripts
• Orchestration Tools: NSO, DNAC; Ansible, AlgoSec, Tufin
Cisco Defense
Orchestrator
Cisco Defense Orchestrator Overview
Consistently manage policies across your Cisco security products.
CDO is a cloud-based application that cuts through complexity to save time and keep your organization protected against the latest threats.
Key Benefits
• Cloud-delivered Firewall Management Center
• Streamline security management
• Reduce time spent on security management tasks up to 90%
• Achieve better security while reducing complexity
• Prioritize response
Features
• Consistent policy enforcement
• Faster device deployments
• Configuration management
(Diagram: Policy – CDO; Visibility and Eventing – Secure Analytics; Incident response – SecureX. Managed environment: On-premises network, Branch, Data center, SD-WAN, Cloud applications, Roaming Users via Cisco Umbrella; Admin, Network and Users; Log Data and Policies flow between CDO and the devices)
Cloud / SaaS Delivery Advantages
Highly available, full featured/managed cloud deployment

• Connects to devices using device API with TLS v1.2
• Configuration encrypted at rest and in transit
• CDO data center locations:
  • AWS – US
  • AWS – EU Central
  • AWS – APJC
• Secures management access using role-based access control with SAML-based two-factor authentication
• Allows multi-tenant management – full client separation

• Scalability / Flexibility
• No maintenance
• Faster feature delivery
• Low up-front cost
• Responsive to new requirements

Global | 99.999% SLA Backed Uptime | Provision in <1 day | Subscription pay as you grow model | Low maintenance costs
NEW
What’s New? – CDO

June 2023. CDO is continually updated; check here for the latest information.
• Cisco Multicloud Defense (To be announced at Cisco Live)
• FTDv provisioning in the public cloud (Beta)
• Firepower Migration Tool cloud hosted (Beta)
• Consolidated Remote Access VPN Dashboard for ASA and FTD
• Improved Event Filtering
Cisco Defense Orchestrator
MSP Portal
• Use the CDO MSP portal to manage an unlimited
number of customer accounts
• Easily view and search devices across all customer
tenants
• Split customers across multiple MSP portals to limit
admin access

Benefits
• Low Upfront Cost(s) – Pay As You Grow
• Minimized Deployment and Adoption Time
• Central Visibility with the MSP Portal
• Support for a Multi-Tenant Architecture
• Audit and Optimize
• Drive Automation Via API
Secure Services Edge Enablement
ASA to Umbrella SIG SASE Tunnels

• Onboard Umbrella Organization
• View, Manage and Create SSE tunnels from Branch ASAs to Umbrella SIG
• Ensure consistency by leveraging Cross Launch into Umbrella Dashboard
Consolidated RAVPN Monitoring Dashboard
• Consolidated RAVPN dashboard for:
  • Customers who have both ASA and FTD as VPN head-ends
  • Customers migrating their VPN deployment from ASA to FTD
• Filter, search and export the data
• Historical Reporting of VPN sessions
• Usage patterns
• Terminate sessions
• Same look and feel as the RAVPN dashboard in FMC
Beta
FTD provisioning in the public cloud using CDO
• Easy integration with multi-cloud environments
• Provision Firewall in any public cloud environment using a few clicks
• Combine with CSDAC available in CDO to enable automated policy deploy in multi-cloud environments
Beta
Firepower Migration Tool cloud-delivered

• Easily migrate from ASA or 3rd Party Firewalls to on-prem FMC or cloud-delivered FMC-managed FTDs
• No need for a desktop-based Migration tool as this is now cloud delivered as part of CDO
New Dashboard

• Actionable Insights about managed devices
  • Connectivity
  • Configuration state
• Tunnel Status
• Remote Access VPN Sessions
• Recent Configuration Changes
Improvements to Event Filtering
• User can run search for events in the background
  • Continue with other tasks
  • Notification upon completion
  • Revisit the background search page to view and download the results
Cloud-delivered Firewall Management Center
Now the new cloud-delivered Firewall Management Center boosts your productivity even further.

• Eliminate change management and update overhead
• Support at least 25% more firewalls per tenant
• No rack space and utility bill, lowering operational cost
• Cisco ensures uptime, increasing resiliency
• Same look and feel, no learning curve for existing users

Unifying Cloud and On-Prem Management
• Re-use of components
• Simple and consistent UX
• Easy migration from on-prem to cloud
• Shared components for consistency
• Common services for unified policy, XDR and logging
(Diagram: the new Cloud-Delivered FMC (Cloud Management) and On-prem Management share Policy, Config and Analytics components on top of Common Services: SecureX for XDR, Unified Intent-Based Policy, Secure Analytics for Eventing/Logging)
Familiar User Experience

Simple Onboarding Experience
• Registration Key based Onboarding
• Zero Touch Provisioning using S/N

Easily migrate to Cloud-delivered management

Easy Launch Points from Cisco Defense Orchestrator
Easily migrate to Cloud-delivered management (Contd.)

Onboard On-Prem FMC

Logging and Analytics – On Prem/Cloud

Cloud Analytics Dashboard

Cloud Delivered Dynamic Attributes Connector
• Update policy in real
time using attributes
from dynamically
changing cloud
environments
• Monitoring Dashboard
• Multi-tenant support
• Support for On-Prem
and Cloud Delivered
FMC

Connectivity Flow for AD/ISE

(Diagram: cdFMC reaches ISE and AD on the Private Network through an FTD used as a Proxy)
Secure Firewall support for Cisco Defense Orchestrator
Hardware | Minimum Software
Firepower 1000 | FTD 7.2
Firepower 2100 | FTD 7.2
Firepower 3100 | FTD 7.2
Firepower 4100 | FTD 7.2
Firepower 9300 | FTD 7.2
Virtual – Private Cloud (KVM, VMWare) | FTD 7.2
Virtual – Public Cloud (Alibaba, AWS, Azure, GCP, HyperFlex, Nutanix, OCI, OpenStack) | FTD 7.2
ISA 3000 | FTD 7.2
Meraki MX | Latest software update
Cloud-delivered FMC for FTD
Cisco Security Analytics
and Logging
SAL (SaaS) Cloud Hosted Features

• Cloud storage 90 days (default) up to 3 years, with viewing and download enabled within CDO
• Supports all Cisco FTD & ASA devices. Direct-to-cloud option enabled for FMC 7.0+ managed devices
• Firewall log analysis for advanced threat detections using Secure Cloud Analytics (SCA)
• Correlation of firewall logs with internal network and cloud logs in SCA
• Existing CTR-SecureX customers can opt-in to SAL logging easily by merging with their SecureX tenant
CDO: Cisco Security Analytics and Logging
Reduce complexity and logging event volume

• Store firewall and network logs securely in the cloud, accessible and searchable from CDO
• Identify and enrich high fidelity alerts
• Enable smarter response and reduce investigation times
• Enhance breach detection capability using best-in-class security analytics
SAL On-Premise Features
• FTD (including data plane logs) and ASA logging in a scalable data store hosted on-premises
• Logging wizard in FMC 7.0+ simplifies on-premises and cloud logging configuration
• FMC 7.0+ logging and analytics scale drastically extended by a significant 300X magnitude via remote query of SAL/SNA 7.3.2+
• Context pivot to SAL’s event viewer in Secure Network Analytics (SNA) for enhanced context
• Multiple Flow Collector support with Firewall to Flow Collector mapping
FMC Integration with Cisco Security Analytics and
Logging (On-Prem )
Easy button for setup
• Setup FMC analytics cross launch links to the Secure
Analytics console
• Setup remote query credentials from Secure
Analytics datastore
Longer Event Retention and increased scale
• External Storage through Cisco Security Analytics and
Logging On-Prem
• Auto select event source or manually specify
• Multiple Flow Collectors as event destination
Security Analytics and Logging Licenses
3 license tiers (nested)

Logging and Troubleshooting*
Scalable FTD and ASA event logging both in the cloud and on-premises, with API integration with Manager; CDO for cloud, and FMC for on premises stores

Logging Analytics and Detection
Firewall log data analysis using the behavior-based threat detections of Secure Cloud Analytics (SaaS)

Total Network Analytics and Detection
Consolidated analysis run on combined dataset of firewall, internal and public cloud logs for comprehensive threat detection

*Security Analytics and Logging (On Premises) is currently only available with the Logging and Troubleshooting License, which includes remote query by the FMC
Cisco Secure Firewall ASA
Adaptive Security Appliance (ASA)
Robust and effective firewall with stateful inspection and VPN functionality

ASA 5500X Series or Firewall hardware and ASA Stateful Firewall OS

• Key Benefits
  • Basic inspection (L2-L4)
  • Layer 7 Protocol Inspection
  • Simple 5 tuple-based rules
  • Multi-Context
  • VPN load balancing

• Features
  • Remote Access and Clientless VPN
  • EzVPN, IKEv2/L2TP, DTLS 1.2
  • Site to Site VPN
  • SSO with SAML, DAP
  • Routing, CG NAT, QoS
ASA Software Provides
Robust, resilient stateful firewall and VPN concentrator

Rule
• Stateful controls
• Rules based on 5 Tuples only
• Allow or Block as the two primary rule actions

Feature
• VPN: Remote Access, Clientless, EzVPN, IKEv2/L2TP/3rd party Remote Access, Site-Site Route Based and Policy Based VPN, DTLS 1.2
• Routing and Quality of Service
• Carrier Grade NAT
• DAP
• SSO with SAML

Automate
• Leverage APIs to integrate with SIEM
• APIs to create enforcement based on 5 tuples

Security
• Packet Filtering and legacy Layer 2 to Layer 4 security and controls
• No advanced security controls like IPS, Endpoint, URL Filtering, Application control etc.
ASA Installation Modes
Platform Mode
• Provisioning and Initial configuration done from FXOS CLI or Firewall Chassis Manager
• Firewall 2100/4100/9300
• Default before 9.13.1, maintained on upgrading from lower releases to 9.13.1 or higher

Appliance Mode
• Provisioning and initial configuration can be done from the ASA CLI or ASDM
• Firewall 1000/2100
• Default starting ASA 9.13.1 (fresh installation or reimage)
• FXOS CLI is used only for advanced troubleshooting
ASA Release 9.19.1 Highlights

Platform
• BGPv6 Graceful Restart
• DHCPv6 Support
• Flow Offload extended to non-IPSEC flows

VPN and Management
• Loopback Interface for VTI and Management Services
• Dynamic VTI
• Dual Stack Support for IKEv2 Remote Access VPN
• TLS 1.3 Remote Access VPN

Public Cloud
• Autoscale for Gateway Load Balancer in Azure
• ASAv Clustering with AWS Gateway load balancer
• IPv6 validation support in virtual deployments
Integrated Security
Portfolio
Gain an Integrated Security Portfolio
Need: As IT infrastructure continues to become more diverse, the job of securing it
becomes more dynamic. The perimeter becomes flexible, which requires a broader
portfolio of security solutions.

Cisco offering:

Get more from your existing network
Tightly integrate existing investments, including Cisco Application-Centric Infrastructure (ACI) and Network Access, with your Firewall solution.

Greater security control points
Enforce policies across your entire environment, including any device administered by the organization.

Extend protection
Remove blind spots, protect users anywhere they go and anywhere they access the internet.
Cisco Rapid Threat Containment
Proven approach to reduce time and impact of threat
• Automatic network threat containment using the network as an enforcer
• Threat-centric network access determines network access based on IoCs
• Richer visibility from bidirectional data sharing with the network access
(Diagram: Firepower and FMC share IoCs through the Open Remediation API with ISE (Authorization), Secure Workload, ACI APIC, Routers and 3rd Party Devices, which enforce on EMPLOYEES' endpoints)
Protect Your Network Using AMP
Understand the motion and behavior of files through network and endpoint visibility.

Breadth and Control points: Email, Endpoints, Web, Network, IPS, Devices
Threat Visibility: Retrospective Detection, Behavioral IoCs, File Trajectory, Threat Hunting
Telemetry Stream: File and Network I/O, File Fingerprint and Metadata, Process Information, Talos and Malware Analytics Intelligence
Application-Centric Infrastructure
Transparent policy-based security for both physical and virtual environments

• Link security to software defined networking
• Create identity-based policy with Application Policy Infrastructure Controller (APIC)
• Segment physical and virtual endpoints based on group policies with detailed and flexible segmentation
Control Traffic Based on User Awareness
• Use Active Directory users and groups in
policy configuration
• Use Cisco Identity Services Engine to provide
identity
• TrustSec Security Group Tag (SGT)
• Device type (endpoint profiles)
and location
• Identity Mapping Propagation & device level
filtering
• Examples
• Block HR users from using personal iPads
• Create rules for quarantined iPhones

Simplify Security Management with TrustSec
Leverage the network and investment
• Scalable and agile segmentation technology in over 40 different Cisco product families
• Enables dynamic, role-based policy enforcement anywhere on your network
• Extend TrustSec policies over Firepower Threat Defense with SRC & DST SGT matching

Simplified Access Management
Manage policies using plain language and maintain compliance by regulating access based on business role

Rapid Security Administration
Speed-up adds, moves, and changes, simplifying firewall administration to speed up server onboarding

Consistent Policy Anywhere
Control all network segments centrally, regardless of whether devices are wired, wireless or on VPN

Example SGACLs:
• Deny Employee to Financial Server
• Permit Developer to Developer Server
• Permit Guest to Web
Key (tags): Employee, Developer, Voice, Non-Compliant, Employee Info, Developer Server, Financial Server, HTTP
(Diagram: Guest, Non Compliant, Developer and Employee endpoints reach the Employee Info Server, Developer Server, Financial Server and HTTP over the Enterprise Network; outcomes: Accelerated Security Options, Simplified Management, Consistent Access Policy Anywhere)
Umbrella Integration
SASE Deployments
• Common Security Policies for all branches
• Multi-layered DNS Security
• Faster Protection
• Improved Internet Performance
• Uniform Security policy for Hybrid workers

Auto Tunnel and Common DNS Security Policy
• SASE use case
• Umbrella SIG – Cloud-delivered Firewall
• Auto-generation and deployment of configuration on Firewall and Umbrella
Talos
What is Talos?
Talos is the threat intelligence group at Cisco. We are here to fight the good
fight — we work to keep our customers, and users at large, safe from malicious
actors.

Focus areas: Threat Intelligence and Interdiction; Vulnerability Research and Discovery; Global Outreach; Detection Research; Engineering and Development; Community
From Unknown to Understood
Inputs: Product Telemetry, Data Sharing, Vulnerability Discovery, Threat Traps
Product categories: Endpoint, Network, Cloud
Products: Endpoint Detection and Response, Mobile Security, Multi-factor authentication, Firewall, Intrusion Prevention, Web Security, SD Segmentation, Behavioral Analytics, Security Internet Gateway, DNS Security, Secure Email
SecureX and Cisco XDR
Cisco SecureX
A cloud-native, built-in platform experience within our portfolio
Cisco Secure: Network, Endpoint, Cloud, Applications, Identity
Your Infrastructure: 3rd Party/ITSM, Intelligence, SIEM/SOAR
Unified Visibility: Detection, Investigation, Managed Remediation, Orchestration, Analytics, Policy, Automation
Your teams: SecOps, ITOps, NetOps

• integrations: built-in, pre-built or custom
• ribbon & sign-on: never leaves you, maintains context
• dashboard: customizable for what matters to you
• threat response: at the core of the platform
• orchestration: drag-drop GUI for no/low code
• device insights: device inventory with the contextual awareness
Maximizing operational efficiency

BEFORE: Repetitive, human-powered tasks across the full lifecycle
• Outdated script that works “sometimes”
• Integration script that no longer works

SOLUTION: Orchestrating security
• Automation Playbook: pre-built or customizable workflows (ALERT → condition → task → task → while loop → REMEDIATE)
• Cisco or non-Cisco infrastructure

AFTER:
“I combined 9 tasks across 3 security tools, 2 infrastructure systems, and 3 teams in one keystroke!”
“We have never communicated faster: Our task approvals are automated”
“I make automated playbook changes in minutes with a drag-drop interface”
“My top 5 most frustrating tasks have all been automated”
Investigate Any Item: Endpoint
Reduce complexity and time needed for threat hunting

Leverage a Seamless Workflow
FTD supplies security events to SecureX threat response

• Limited data is stored in cloud
• FMC can send IPS events to SecureX threat response
• Any IP, domain, file hash or IoC seen in FMC can be queried in SecureX threat response, reducing complexity and time for threat hunting
• Continuous analysis with retrospection facilitates remediation and enhances forensics
Firewall and SecureX are better together

New Features Save Time and Effort
• Simplified smart licensing allows users to have a seamless integration in 3 steps
• Onboard entire suite of FMC APIs directly to the cloud
• Save time by importing workflows with minimal configuration
• Access orchestration capabilities at no additional cost

New Workflows Simplify Administration
• Proactively monitor the health of Firewall deployment
• Streamline PSIRT impact and patch management processes
• Automate policy management of time-based rules
FMC SecureX Ribbon Expanded

SecureX threat response and CDO Integration
Pivot to threat response from CDO using the event viewer

Cisco XDR for Dynamic Environments

Benefits of Cisco XDR

1 Detect Sooner: Where are we most exposed to risk? How good are we at detecting attacks early?
2 Prioritize by Impact: Are we prioritizing the attacks that represent the largest material impacts to our business?
3 Reduce Investigation Time: How quickly are we able to understand the full scope and entry vectors of attacks?
4 Accelerate Response: How fast can we confidently respond? How much can SecOps automate? Are we improving our time to respond?
5 Extend Asset Context: Do we have full visibility into all our assets? Can we reliably identify a device and who uses it?
Building Cisco XDR
The most comprehensive integrated cybersecurity platform on the planet gets even better

Timeline 2007 to 2023:
• Started with foundational security solutions
• Began acquiring new technologies and innovating at a rapid pace
• Unified networking and security

Capability areas added along the way: Network Segmentation, Email Security, Web Security Gateway, Malware Analysis, NGIPS, DC Networking, Cloud Web Security, Firewall, Network Access Control, Unified Threat Management, Network Security, SD-WAN, SD-Access, Endpoint Detection and Response, Cloud Security, Traffic Analytics, Cloud Analytics, Workload Protection, CASB, Enterprise Policy Control, Cloud Email Security, VPN, Application Performance Management, Access Management, Threat Response, and in 2023 Cisco XDR.

Network telemetry becomes the foundation for XDR outcomes.

Over $6B in M&A over the past 6 years | Over 400 threat researchers | Unparalleled platform breadth
XDR Components
Outcomes: Detect Sooner, Prioritize by Impact, Reduce Investigation Time, Accelerate Response, Extend Asset Context

• Analytics: detections based on raw telemetry (Machine Learning, Threat Hunting)
• Incidents: security alerts, correlated, prioritized and enriched (Correlated Events, Incident Manager, Automated Enrichment)
• Integrations: built-in, pre-built or custom (Intelligence)
• Investigate: at the core of the platform (Investigation, Asset Insights)
• Automate: drag-drop GUI for no/low code (Prebuilt Playbooks, Automated Workflows)
• Devices: device inventory with contextual awareness (Account and Device Correlation)
Use Cases
Common and Unique Requirements for Secure Firewall

Internet Edge
• High availability and redundancy
• Scalability
• Dynamic routing and address translation
• Integration with end point security
• Integration with NAC (network access control)
• Threat intelligence
• DDoS
• Incident response
• IPS capability
• Multi-instance

Data Center
• High availability
• Very high bandwidth, very low latency
• Application visibility and control
• Hyper-density and high performance
• Inbound inspection

Branch
• Site to site VPN
• High availability
• Dynamic routing
• Internet edge or VPN gateway
• SD-WAN backhaul
• Device acting as edge
• Dual-WAN
• Scalability
• Application Aware Intelligent Routing (DIA)

Cloud/Virtual
• High availability
• Support for DPDK and SRIOV
• Cloud scale
• Breach detection
• NSEW inspection
• Network reliability

Secure IPS
• Separation of duties
• IPS capability
• Superior threat efficacy
• Threat intelligence
• TLS decryption
• Mirror traffic and deploy in active, inline, or passive mode

Remote Access
• Cisco VPN and third-party VPN clients
• Integration with end point security
• Authentication, Authorization, Accounting
• Zero Trust clientless access to private applications
Internet Edge

Key Functions → Key Capabilities
• Resilience (and scalability) → VPN load balancing
• Advanced Access Control → Applications, URLs, Users, and TrustSec Policy using SGTs
• Block access to malicious IPs, URLs, DNS → Talos Security Intelligence
• Dynamic NAT/PAT and Static NAT → Carrier Grade NAT
• Remote Access VPN → Cisco Secure VPN
• Site to Site VPN → Point to Point, Hub and Spoke, Full mesh
• Detecting malicious network traffic → Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files → Advanced Malware Protection
• Dynamic analysis of unknown files → Malware Analytics Integration

Diagram: Service Provider and Remote User → HSRP edge routers → Internet Edge → DMZ → Firepower or ASA (HA) → Campus/Private Network
Remote Access VPN (RA VPN)

Key Functions
• Resilience (and scalability)
• Advanced Access Control
• Block access to malicious IPs, URLs, DNS
• Dynamic NAT/PAT and Static NAT
• Remote Access VPN
• Site to Site VPN
• Detecting malicious network traffic
• Visibility and tracking of file transfers, Blocking of malicious files
• Dynamic analysis of unknown files
• Access to private applications

Key Capabilities
• VPN load balancing
• IPsec and SSL
• Talos Security Intelligence
• AD, LDAP and RADIUS
• IKEv2
• RADIUS CoA
• Snort IPS
• Advanced Malware Protection
• Malware Analytics Integration
• Zero Trust Application Access

Diagram: Service Provider, Extranet and Remote User → HSRP edge routers → Internet Edge → DMZ → Firepower or ASA (HA) → Campus/Private Network
Branch

Key Functions → Key Capabilities
• Advanced access control options → Applications, URLs, Users, and TrustSec Policy using SGTs
• Remote Access VPN → Cisco Secure VPN
• Site to site VPN → Route Based VPN
• Dual ISP Support → IP SLA or Traffic Zones
• Block access to malicious IPs, URLs, DNS → Talos Security Intelligence
• Block traffic to 3rd party lists → Threat Intelligence Director
• Detecting malicious network traffic → Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files, Dynamic analysis of unknown files → Advanced Malware Protection, Malware Analytics Integration
• Application Aware Intelligent Routing (Direct Internet Access)

Diagram: Data Center (N/S) with Firewall HA and EDGE router (HSRP) → Internet → Branch EDGE router (HSRP) → Firewall HA → Internal Network
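The Branch slide (like the Cloud/Virtual and NGIPS ones) pairs "Block traffic to 3rd party lists" with Security Intelligence feeds and Threat Intelligence Director. The script below is an added example, not part of the deck or Cisco tooling: it turns a raw vendor indicator list (a constructed sample) into the flat files an FMC custom Security Intelligence feed polls (network, DNS and URL feeds, one entry per line, '#' comments), rejects private, loopback, link-local and multicast space so a sloppy list cannot blackhole your own users, collapses overlapping prefixes, and computes the MD5 for the optional MD5 URL. Two points are assumptions to check against your FMC version's documentation: that URL feed entries are written without a scheme, and that the MD5 file holds the hex digest of the feed body.

```python
"""Build FMC Security Intelligence custom feed files from a raw indicator list.

Added example, not Cisco tooling or anything from the deck. FMC custom feeds
are flat text (one IP/CIDR, domain or URL per line, '#' comments); that URL
entries carry no scheme and that the optional MD5 URL serves the hex digest
of the feed body are assumptions to check against your FMC docs.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a messy vendor drop list mixing indicator types and junk.
SAMPLE_FEED = """\
# vendor drop list 2023-10-03
203.0.113.7
198.51.100.0/24
10.20.0.0/16        # someone pasted an internal range
evil-updates.example
hxxp://bad.example/payload.exe
bad.example/landing?x=1
not an indicator
2001:db8::dead:beef
127.0.0.1
"""

# Space that must never land in a block feed: it would blackhole your own users,
# not the attacker. Documentation ranges are deliberately absent so the sample passes.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def _bogon(net) -> bool:
    return any(net.overlaps(b) for b in BOGONS if b.version == net.version)


def classify(token: str):
    """Return (feed_name, normalised_entry) or (None, reason) for one indicator."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        net = None
    if net is not None:
        return (None, "bogon/private space") if _bogon(net) else ("network", net)
    if "://" in token or "/" in token:
        url = re.sub(r"^hxxp", "http", token, flags=re.I)  # undo common defanging
        if "://" not in url:
            url = "http://" + url
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not DOMAIN_RE.match(host):
            return None, "URL without a valid host"
        query = "?" + parts.query if parts.query else ""
        return "url", host + (parts.path or "/") + query  # scheme dropped (assumption)
    host = token.lower().rstrip(".")
    if DOMAIN_RE.match(host):
        return "dns", host
    return None, "unrecognised indicator"


def build_feeds(raw: str) -> dict:
    """Split a raw list into network/dns/url feeds plus (line, token, reason) rejects."""
    feeds = {"network": [], "dns": [], "url": [], "rejected": []}
    nets = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        feed, value = classify(token)
        if feed is None:
            feeds["rejected"].append((lineno, token, value))
        elif feed == "network":
            nets.append(value)
        elif value not in feeds[feed]:
            feeds[feed].append(value)
    for version in (4, 6):  # collapse_addresses needs a single address family
        for net in ipaddress.collapse_addresses(n for n in nets if n.version == version):
            host_only = net.prefixlen == net.max_prefixlen
            feeds["network"].append(str(net.network_address) if host_only else str(net))
    return feeds


def render_feed(entries, title: str) -> str:
    """Flat file as FMC polls it: comment header, one entry per line."""
    return f"# {title}\n" + "".join(f"{e}\n" for e in entries)


def feed_md5(body: str) -> str:
    """Hex MD5 of the body for the optional MD5 URL (change detection only, not integrity)."""
    return hashlib.md5(body.encode()).hexdigest()


if __name__ == "__main__":
    feeds = build_feeds(SAMPLE_FEED)
    for kind in ("network", "dns", "url"):
        body = render_feed(feeds[kind], f"{kind} feed")
        with open(f"si-{kind}.txt", "w") as fh:  # serve these over HTTPS for FMC to poll
            fh.write(body)
        with open(f"si-{kind}.txt.md5", "w") as fh:
            fh.write(feed_md5(body) + "\n")
    for lineno, token, reason in feeds["rejected"]:
        print(f"line {lineno}: rejected {token!r}: {reason}")
```

The bogon check uses an explicit list rather than Python's is_private because the latter also classifies the documentation ranges used in the sample as private; extend the list with your own public prefixes so a feed can never block your own services. MD5 here only lets FMC detect that the feed changed; serve the files over HTTPS from a host you control if the feed is to be trusted at all.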
Data Center

Key Functions → Key Capabilities
• Advanced Access Control → TrustSec Policy using SGTs, ACI Policy Control with EPGs
• Low Latency Capabilities → Hardware Flow Offload
• Scalability and Resilience → HA or Clustering
• Geographic DC Separation → Inter-site Clustering
• Detecting malicious network traffic → Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files → Advanced Malware Protection
• Dynamic analysis of unknown files → Malware Analytics Integration
• Firewall Segmentation → Multi-Instance

Diagram: Data Center Edge / Extranet → Firewall in HA/Cluster (vPC/Port-Channel) → Data Center Distribution (vPC/Port-Channel) → Firewall Cluster → Access Layer
Cloud/Virtual

Key Functions → Key Capabilities
• Advanced Access Control options → Applications, URLs, Users, and TrustSec Policy using SGTs/CCP
• Remote Access VPN
• Site to Site VPN → Route Based VPN (ASA) and Policy Based VPN
• Block access to malicious IPs, URLs, DNS → Talos Security Intelligence
• Block traffic to 3rd party lists → Threat Intelligence Director
• Detecting malicious network traffic → Snort IPS
• Visibility and tracking of file transfers, blocking of malicious files → Advanced Malware Protection
• Dynamic analysis of unknown files → Malware Analytics Integration

Diagram: Data Center (N/S and E/W inspection): ESXi Host A and ESXi Host B, each with Inside, DMZ and Outside segments, virtual firewalls as an HA Pair, External LB and Internal LB, Internet. Branch: KVM Host A and KVM Host B (CSP or ENCS compute cluster) with Inside, DMZ and Outside segments, HA Pair, N/S and E/W inspection.
NGIPS

Key Functions → Key Capabilities
• Advanced access control options → Applications, URLs, Users, and TrustSec Policy using SGTs
• Block access to malicious IPs, URLs, DNS → Talos Security Intelligence
• Block traffic to 3rd party lists → Threat Intelligence Director
• Detecting malicious network traffic → Snort IPS
• Visibility and tracking of file transfers, Blocking of malicious files → Advanced Malware Protection
• Dynamic analysis of unknown files → Malware Analytics Integration

Diagram: Service Provider → VPC → NGIPS Active and NGIPS Standby (HA Update) → VPC → Internal Network
Access to the labs:
[Link]
