Cisco Secure Firewall

(1)

Ruslan Ivanov

Technical Solutions Architect [email protected]

7.0 Release Preview

(2)

Agenda

‣ Introduction

‣ Threat Efficacy

‣ Event Management

‣ VPN and Identity Updates

‣ Policy Workflow and Device Administration

‣ Virtual and Platform Features

‣ Integrations

(3)

Brand Naming Changes

Firepower Management Center (FMC) Firepower Threat Defense (FTD) Adaptive Security Appliance (ASA) Firepower Hardware Appliance

Cisco Secure Firewall

Management Center (FMC)

Cisco Secure Firewall Threat Defense (FTD)

Cisco Secure Firewall ASA

2100 Series

Firepower Threat Defense Virtual /

NGFWv

(4)

(5)

ASA/FTD Release Lifecycle

9.12 / 6.4 9.13 / 6.5 9.14 / 6.6 9.15 / 6.7 9.16 / 7.0 9.17 / 7.1 Spring 2021 Release

(6)

Preview of Firepower 7.0 and ASA 9.16.1

•

Cisco’s next long-term release for FTD and ASA includes:

• Government certification

• Incorporates several high-profile customer and field requests

• Further reduces the VPN parity gap between the ASA and FTD

• Better performance, reduced time to upgrade

• Policy deploy improvements

(7)

Firewall Threat Defense 7.0 (1HCY21)

Major improvements in an extra long-term release – shifting to 7.0 in Spring 2021

Simplified Product Experience

Unified health metrics (via SNMP), health dashboard in FMC, Change management

(rollback, change previews, improved audit

logs), Searching and Filtering etc.

Outcomes Much better user experience, reduced operational complexity

and cost

Dynamic objects for quick changes

Attribute based policy feature adds dynamic network objects in AC

policy

Change dynamic objects in policies quickly without

need for deploy configuration

Public Cloud & Virtualization

Support dynamic policies for cloud-native policy

and create quick instance (with Secure Threat Services)

Hybrid cloud support ready for any customer

environment

Threat Efficacy Enhancement

Improved Threat Detection enabled via major architecture updates:

Snort 3 in FMC

Customers get better detection with less resource

consumption. Troubleshoot and track

current and historical event data in common UI

Scalable Eventing and Logging

Real time event viewer, scalable eventing and logging

using on-prem SAL

Many more improvements in…

• Remote access and site-to-site VPN • Secure-X Integration

• FMC API for orchestration and migration

• APIC FMC App Multi domain support

• PAT operations in clustering • Multiple realm support for Identity

(8)

Threat Efficacy

Improvements

‣

Snort 3

(9)

(10)

Snort 2 vs. Snort 3

Snort 2 Snort 3

Multi-Threaded Architecture

Capable of running multiple Snort Processes

Port Independent Protocol Inspection

IPS Accelerators / Hyperscan Support

Modularity – Easier TALOS contributions

Scalable Memory Allocation

Next Gen TALOS Rules – e.g., Regex/Rule Options/Sticky Buffers

New and Improved HTTP Inspector – e.g., HTTP/2 support

(11)

Functionality

FMC

_{FTD Device API}

FDM*

Upgrade

Base Install

Snort 2

Snort 3

Snort version maintained from previous config

Snort 3

Snort 3 Enablement in 7.0

(12)

(13)

What’s New - Overview

•

Snort 3 is now supported with FMC as well as FDM

•

Snort 3 Device Management

-

_{Ability to toggle device Snort versions (Snort 2<->Snort 3) from FMC}

device management

•

Upgrade / Migration Changes

-

_{Simplified Migration of Snort 2 to Snort 3 policies after upgrading to}

FP 7.0

-

_{Support for synchronizing common intrusion policies between Snort 2}

and Snort 3 versions

Solution

(14)

Snort Engine Selection

- _{For existing deployments (upgrades), after upgrade to FP 7.0, devices will}

continue to use Snort 2 as the detection engine

- _{For new deployments (fresh install of FMC), new 7.x devices will receive Snort}

3. Existing devices registered running 6.x will remain at Snort 2

How it Works

7.0.0

(15)

Intrusion Rule Groups - Navigation

•

Rule groups can be accessed for an intrusion policy under

Policies-> Intrusion-> Intrusion Policies -> Snort 3 version

(16)

Feature Overview – Custom Intrusion Rules

•

Users can upload custom intrusion rules, written in Snort 3 rule syntax

•

snort2lua tool on the FMC can be used to convert Snort 2 rules to Snort

3 syntax

•

_{Each custom rule must have a SID (>1000000) and REV information}

•

GID need not be provided by the user

-

_{GID will be auto-generated per domain as in case of Snort 2}

-

_{Auto generated GID will be different from Snort 2 GID to avoid SID}

collision`

How it Works

(17)

Snort 3 Rule Conversion – Final

alert http (

msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server;

http_uri;

regex:"/setup_b\.asp\?prj=\d&pid=.*&mac=", nocase, fast_pattern; sid:19626; rev:4;

)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; content:"/setup_b.asp?prj="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mac="; nocase; http_uri;

pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/Ui"; metadata:service http; sid:19626; rev:2;)

(18)

(19)

Firepower Device Manager - Custom Snort 3 Rules

•

Custom Snort 3 rules supported

•

Paste in single rule

•

Upload rule text file

(20)

(21)

What’s New

•

_{New feature support:}

- _{User can filter web traffic at the DNS level using category-reputation rules in}

the access control policy.

- _{Connection events are shown with category-reputation information for domain}

names.

- _{Because the majority of DNS traffic is not encrypted, performance on the}

device should improve because decryption using an SSL policy is not needed.

(22)

FMC Configuration

•

Reputation enforcement on DNS

traffic is enabled by default in

Firepower 7.0.

•

_{Setting is available in FMC under}

- _{Access control policy > Advanced tab}

> General Settings > Enable reputation enforcement on DNS traffic.

(23)

• On FDM, from the AC Policy page, click the tool icon to open the settings dialog.

to

Click the Tool icon to open the Access Policy Settings window

(24)

Event

Management

‣

Unified Event Viewer

(25)

(26)

What’s New

This release adds a new Unified Event Viewer with the following new capabilities

- _{Unified view}

• Connection, File, Malware, and Intrusion events are in a single page

- _{Simplified searching}

• Search bar on top of page rather than a completely different page

- _{Real time mode}

• Automatically loads new events into the view

- _{View full event details inline} - _{Updated UX/UI}

- _{Supports querying events stored locally as well as remotely (using Cisco}

Security Analytics and Logging On Prem)

(27)

Walkthrough

Modify event filters

Shrink/Expand the time window ...or use real-time view

Show/Hide specific event columns Expand rows to view all details of specific events

(28)

Walkthrough

True Correlation Clicking on the Intrusion Event highlights the associated Connection Event

1

2

(29)

Monitoring the Event Capacity and Rate

•

External Storage through Cisco Security Analytics and Logging On-Prem

(30)

External Event Storage for

FMC

(31)

FMC Integration with Cisco Security Analytics

and Logging (SAL)

FMC Integration with SAL Cloud

•

_{Builds on the existing cloud logging}

available in FMC starting FTD release

6.4

- _{Only high priority connection events}

were supported through direct to cloud integration

•

Enables FMC managed FTDs to send

all types of connection events to

Stealthwatch Analytics and Logging

Cloud

FMC Integration with SAL On-Prem

•

_{Phase 1 introduced in release 6.7}

•

_{Phase 2 adds supports for}

- _{Easy Provisioning wizard for}

Stealthwatch integration

- _{Allow FMC Analytics to use both}

Stealthwatch Appliance Event datastore and local connection event datastore

- _{FMC Cross Launch}

- _{FTD Security events and FTD-LINA}

(32)

FMC Integration with Cisco Security Analytics and

Logging (Cloud )

(33)

FMC Integration with Cisco Security Analytics and

Logging (On-Prem )

(34)

FMC Integration with Cisco Security Analytics

and Logging (SAL On Prem ) – Easy Wizard

Easy button for setup

•

_{Setup cross launch links for}

FMC analytics to the

Stealthwatch console

•

Setup credentials for

remote query from

Stealthwatch datastore

(35)

FMC Integration with Cisco Security Analytics

and Logging (SAL On Prem) – Cross Launch

(36)

FMC Integration with Cisco Security Analytics

and Logging (SAL On Prem ) – Data Store selection

•

External Storage through Cisco Security Analytics and Logging On-Prem

(37)

VPN Updates

‣

Authentication and Authorization

‣ Dynamic Access Policy

‣ Custom Attributes

‣ SAML Authorization

‣ Local User

‣ Multiple Certificates

‣

Scaling and Redundancy

‣ Load Balancing ‣ VTI Enhancements

‣

Minor Improvements

‣ SSL Ciphers FDM UI ‣ PKI Enhancements ‣ VPN API

(38)

Dynamic Access Policy

Support in FMC

(39)

What’s New

•

_{Introduction of Dynamic Access Policy in FMC for managed FTDs}

•

Simplified Dynamic Access Policy UI Editor

• Configure AAA attributes

• Configure Endpoint attributes

•

Unified flow for both HostScan and Dynamic Access Policy configurations

•

Easy migration of DAP policies from ASA to FTD

- _{FDM/FTD API to upload DAP xml file previously available in 6.7}

(40)

(41)

Anyconnect Custom

Attributes

(42)

What’s New

• In 7.0, FMC will support a user-friendly way to configure the Anyconnect Custom Attributes

- _{Per App VPN on mobile devices with AnyConnect} - _{Dynamic Split Tunneling}

- _{AnyConnect Defer Update}

• FMC 7.0 builds the framework for flexibility to configure other custom attributes in addition to the above-mentioned ones. This will allow user to configure other existing and new AnyConnect features

• Custom attribute provides a generic infrastructure to configure AnyConnect client features without adding hard-coded support for these features on the FTD and FMC UI

(43)

Per App VPN on Mobile devices

• _{Allows for tunneling specified subset of apps}

through one AnyConnect tunnel. For example:

- Save resources: don’t Netflix over VPN tunnel

- Security: don’t allow non enterprise apps on enterprise network

- _{Avoiding tunneling trusted cloud applications}

(to minimize latency)

• _{PerApp VPN must be configured via Mobile}

Device Manager (MDM) and each device must be enrolled to the MDM server

(44)

Dynamic Split Tunneling

• _{Static split tunneling involves defining the IP addresses of hosts and networks that should be}

included in or excluded from the remote access VPN tunnel.

• _{Dynamic Split tunnel with AnyConnect was introduced to dynamically provision split}

include/exclude tunneling after tunnel establishment based on the host DNS domain name.

• Dynamic Split tunneling can be provisioned using

- _{Dynamic Split Exclude} - _{Dynamic Split Include}

(45)

Defer Update

• _{Defer Update allows the user to delay update of the AnyConnect client}

• When a client update is available, AnyConnect opens a dialog asking the user if they would like to update or defer the update

(46)

(47)

What’s New

•

_{The release 7.0 introduces}

- _{SAML authorization support for Remote Access VPN using Dynamic Access}

Policy (DAP) in FMC

- _{SAML authentication for Remote Access VPN users was added in 6.7 release}

•

Support for user attributes delivered in SAML assertions within the AAA

and DAP frameworks

•

ASA 9.16 adds support for using SAML Assertion Attributes for Dynamic

Access Policy outcomes

(48)

Local User Authentication

for Anyconnect VPN users

(49)

What’s New

•

_{In the release 7.0,}

- _{FMC introduces the ability to configure and deploy Local Users to FTD via GUI}

and REST API

• When a RADIUS/LDAP/AD Server used for RA VPN Authentication fails, a fallback to authenticate to the Corporate Network through RA VPN and fix the issue

• Need a quick way to setup RA VPN for a quick demo/test

• _{Use cases where the authentication requests cannot go outside of FTD to an}

external AAA server for reasons of securing data in transit and data at rest

•

It is already supported with FDM management

Solution

(50)

Feature Overview

• _{Local User Database can be used for VPN}

• Primary Authentication

• Secondary Authentication

• Fallback for Primary Authentication

• Fallback for Secondary Authentication

• Local Users database configured as Realm (like AD/LDAP implementation)

• Can be reused or shared across VPN configurations on multiple FTDs Co rp o ra te N et w o rk RA V PN En d p oint s Local User Database AAA Server NGFW

(51)

Multiple Certificate

Authentication

(52)

What’s New

•

_{This release allows}

• Certificate-based authentication in Remote Access VPN Connection Profile to use both User certificate and Machine certificate

• Administrator can choose if the username for the session should be taken from the machine certificate or user certificate

•

Validate if the device is a corporate device along with the identity of the

user

(53)

Configuration Workflow in FMC

• Enable Multiple Certificate Authentication

• Select the certificate for pre-filling username

Pre-fill username for Secondary Authentication

(54)

Remote Access VPN Load

Balancing

(55)

What’s New

•

This release adds support for

• configuring and deploying two or more FTDs in a logical group for

Load Balancing the Remote Access VPN sessions

• share the Load Balancing configuration among multiple devices

•

VPN Scalability combined with increased availability

• Different from FTD Clustering or FTD High Availability

• FTD Standalone or High Availability pair can be added as part of the Load Balancing group

(56)

Feature Overview

• _{AnyConnect VPN session shared among devices}

• Two or more devices virtually grouped to form a Load Balancing Group

• _Members

- FTDs participating in Load Balancing Group

- Share the VPN connections

• _Director

- _{One FTD acts as a director}

- _{Distributes the load to other members in the group} - Also participates in serving VPN sessions

(57)

Virtual Tunnel Interface

(VTI) Enhancements

(58)

What’s New

•

This release adds support for

• IPv6 addressing on Static Virtual Tunnel Interface

• Ability to configure backup VTI interfaces natively from FMC

• Increased the maximum number of VTI from 100 to 1024

•

Adds support for ASA and CSM UI as well

(59)

•

IPv6 addressed VTIs can be configured

•

_{The tunnel source interface can have a IPv6 address and this IPv6 address can be}

used as the tunnel endpoint

•

Following combinations of VTI IP (or internal networks IP version) over public IP

versions are supported:

- _{IPv6 over IPv6} - _{IPv4 over IPv6} - _{IPv4 over IPv4} - _{IPv6 over IPv4}

Feature Overview - IPv6 VTI

Example -

IPv6 over IPv4 tunnel

and

(60)

FDM SSL Ciphers UI

Support

(61)

FDM SSL Ciphers UI Support

• Starting with 7.0 release, customers will be able to configure SSL Ciphers from the FDM UI

- _{Currently in FDM, customer can configure SSL Cipher server via FTD Device}

REST APIs

• _{Support is added from FDM UI for configuring SSL Cipher Objects:}

- _{Allow configuring the relation between protocol versions and SSL security level}

• _{Support is added from FDM UI for updating SSL Cipher Data settings:}

- _{Allow configuring Diffie Hellman and Elliptical Curve Diffie Hellman group} - _{Allow selection of multiple SSL Cipher objects}

(62)

(63)

Enrollment over Secure Transport (EST)

•

_{A new enrollment type - Enrollment over Secure Transport (EST)}

supported in this release.

- _{EST is the successor to the Simple Certificate Enrollment Protocol (SCEP)} - _{EST uses TLS for the secure transport of messages.}

- _{In EST, the certificate signing request (CSR) can be tied to a requestor that is}

already trusted and authenticated with TLS.

•

_{EST is described in RFC 7030}

(64)

Edwards-Curve Digital Signature Algorithm (EdDSA)

Support

•

_{Support for the Edwards-Curve Digital Signature Algorithm (EdDSA) key}

algorithm support added.

•

Ed25519 is the EdDSA signature scheme using SHA-512 (SHA-2)

and Curve25519.

•

_{The key is encoded in 256 bits.}

(65)

1K/SHA1 RSA Constraints

•

_{Generation of RSA keys less than 2048 has been removed}

•

By default, certificates signed with SHA-1 or with a key size less than

2048 will not be accepted by FTD.

•

There is an option for users to override this restriction.

- _{Useful in upgrade scenarios.}

- _{Certificates with key size lower than 1024 and signed by SHA-1 can be}

imported.

- _{Override does not apply to key generation.}

(66)

GET API for Remote

Access VPN

(67)

FMC VPN API

•

FMC RAVPN REST APIs delivered in 7.0:

- _{FMC Get APIs for RAVPN Objects} - _{FMC Get APIs for RAVPN Policies}

- _{Existing Policy Assignment’s GET APIs enhanced to return RAVPN Policy Assignments}

•

These REST APIs are not being used by the FMC UI itself

•

FMC only feature

- _{FTD can be on older release}

(68)

Identity Updates

‣

Subnet Filter for Identity Policy

Mappings

‣

FMC Cross Domain Groups

‣ Refreshed Realm UI

‣ Identity Change Management

(69)

Subnet Filter for Identity

Policy Mappings

(70)

Where does Identity Filter takes place?

FMC Cisco ISE pxGrid

MS Active Directory Users

Users Users Switch Device Level Mappings Filtering 300k Firepower 9300 SM-56 Firepower 2140 NGFWv 300k 150k 64k

(71)

FMC UI Configuration

Identity Mapping Filter Settings!

Allows to create or select existing Network Object or Group as the filter criteria.

New Identity Source tab in the Identity Policy Editor

(72)

How Identity Device Filter helps?

Total number of identity bindings/mappings

(combined User-IP,SGT-IP,Dynamic Object Mappings) on the selected FTD is currently over 265k.

(73)

How Identity Device Filter helps?

Total number of identity bindings/mappings

(combined User-IP,SGT-IP,Dynamic Object Mappings) on the selected FTD has been reduced down to 65k after

(74)

Benefits of Identity Mapping Subnet Filter Feature

•

Lower usage of Snort Identity Memory

- _{by ignoring identity mappings from subnets that are not being monitored by the managed}

device (FTD)

- _{only required Identity Mappings (User-IP, SGT-IP, Dynamic Object Mappings) are loaded to}

the Snort memory on the managed device/s (FTD)

•

Ability to manage all type of managed devices (low/mid/high-end) by single

management platform (FMC)

•

Control total number of user identity mappings (through subnet filter)

(75)

FMC

(76)

Cross Domain Group - deployment scenario

FMC Cisco ISE MS Active Directory MS Active Directory [email protected] [email protected] [email protected]

(77)

(78)

Requirements: Control Traffic Between Devices

• Want to allow traffic between related devices

• Want to block traffic between unrelated devices

• Other identity features are a bad fit

• ISE Attributes, Active Directory groups

• Want to avoid redeploying policy to sensors

Requirements Accountant Engineer Finance Data Product Development Allow Allow 78

(79)

Traffic Enforcement Options prior 7.0 Release

• Active Directory Groups

• Cisco ISE SGT’s, endpoint profiles • Hard-coded IP addresses • Network Objects Finance Data Product Development NGFW Engineer Accountant – 10.10.10.1 IP Camera IP Printer

VM

… 10.100.14.7 10.100.0.9 10.100.1.37

VM

Cisco ISE 79

(80)

Solution

• New type of Network Object: Dynamic Object

• Unlike other objects, sensors immediately see changes to Dynamic Objects

• Works with any FMC Domain

• Change without policy deploy!

• Access Control Policy can match Dynamic Object on source or destination IP

• Like regular Network Object

• FMC REST API is used to edit Dynamic Objects

• This allows an outside client to dynamically change the definition of an object

• Cisco authored solution is planned, and will be available as a tool, separately from a FP release (more details are covered later in this presentation)

• Sample Python script available to Beta testers in box folder

Solution

(81)

FMC Configuration: Prior-7.0 release

• _{AC Policy Rule has an SGT/ISE Attributes tab} • Selectors refer to “Metadata”

(82)

FMC Configuration: Post-7.0 release

•

_{AC Policy Rule has a Dynamic Attributes tab}

•

SGT, Device Type, Location IP, and Dynamic Objects can be selected from Available

Attributes. Selectors refer to Attributes.

(83)

Accountant -10.?.?.? Engineer -10.?.?.? Finance Data -10.0.0.1 Product Development -10.0.2.19

Automating Dynamic Objects

Custom Script

Edit Dynamic Object via REST

Role + IP Address Reported

• Network Admin writes some kind of custom script to gather Role and IP Address from PCs when they connect to the network

• Custom script uses REST to regularly update IPs assigned to the

ACCOUNTING_PC and ENGINEER_PC Dynamic Objects

allow traffic between related devices

block traffic between unrelated devices _NGFW

(84)

Policy Workflow

Improvements

‣

Global Search

‣

Improved Change Management

(85)

(86)

FMC Global Search

•

Search by

- _Name - _Category - _{IP address}

(87)

Improved Change

Management

(88)

VPN is now available for selective deployment

VPN Configuration Selective Deployment

(89)

Deployment Page – Filter by User and Device

New column ”Modified By”

(90)

Deployment History Page

Expand ( > ) a Deploy_Job to access the Transcript and Preview icons. • Click on the Preview icon to

launch the Deployment History Preview Config Dialog, which shows details

(91)

Deployment History Preview Config Dialog

• Deployment history

preview config dialog like

deployment preview

dialog.

• With option to change

the versions for

comparison.

(92)

Deployment History Preview Config Dialog

Option to select

various jobs

After selection,

user needs to click

on show option

(93)

FTD Configuration

(94)

Feature Overview

•

User can rollback to one of last 10 successful deployment configurations

•

_{Rollback Preview - compare deployed configuration and the configuration selected for}

rollback

•

Rollback support for

- _HA/Cluster

- _{Bulk rollback of multiple devices}

•

Ability to add custom deploy notes as part of every deployment

(95)

User Launches Rollback

Rollback Launch Point

Solves confusion around multiple rollback launch points by providing a clean workflow

User will be able to search using deploy notes

(96)

(97)

Device

Administration

Enhancements

‣

Low Touch Provisioning Improvements

‣

Device Health Monitoring

Enhancements

(98)

Low Touch Provisioning

Improvements

(99)

Inside Interface Subnet Issue

•

Prior to 7.0, the inside (Ethernet1/2) or vlan1 interface on an FTD has a default IP

address of 192.168.1.1 with a DHCP server allocating addresses:

192.168.1.5-192.168.1.254

- _{Conflict in some scenarios where ISP allocated DHCP address on outside interface was}

colliding with inside interface

- _{The outside interface is a default DHCP client}

- _{192.168.1.1 is the default inside IP on many router devices. The chance of a conflict will likely}

occur in some customer environments.

•

In 7.0:

- _{The IP address for inside Interface: 192.168.95.1}

(100)

Inside Interface Subnet Change – Platforms

•

Platforms: FPR1000 Series, FPR2100 Series, ASA5508/ASA5516

•

_{Inside interface subnet change is applicable only for FDM-managed and not for FMC}

managed devices.

New subnet change applicable scenarios Not Applicable scenarios

FP 7.0 fresh install FDM Upgrade from prior version to 7.0 will retain customer inside interface IP (custom or 192.168.1.1)

Manager switch to FDM on fresh install of FP 7.0

Manager switch to FDM on an upgraded FP 7.0 device from prior release

(101)

IPv6 DHCP Autoconfig – Outside Ethernet1/1 Interface

•

As of FP 6.7 and prior releases, FTD outside interface is by default as a DHCP client

for IPv4.

•

_{New in FP 7.0, the outside interface also includes IPv6 auto-enabled and the DHCP}

Client enabled for IPv6 by default on fresh install.

- _{show running-config interface from the diagnostic CLI on fresh install will have this}

newly-added IPv6 config

interface Ethernet1/1

nameif outside

ip address dhcp setroute

IPv6 address autoconfig IPv6 enable

(102)

Low Touch Provisioning Enhancements

•

LTP Serial number onboarding is

supported with a HTTP proxy in

between the FTD device and Cloud

•

LTP Serial number onboarding is

supported with a FTD device having

just IPv6 address to reach to cloud

(either management interface or data

interface having IPv6)

•

Platforms: FPR1000 Series, FPR2100

Series

•

_{LTP enhancements are applicable only}

for FDM-managed and not for

FMC-managed devices.

(103)

Device Health Monitoring

Enhancements

(104)

Feature Overview

•

New health dashboard for FMC which provides Trend charts, overlays and custom

dashboards.

•

_{New FTD metrics available in FTD dashboards}

- _{110+ metrics covering 12 categories}

•

_{In FMC’s Health Dashboard, accessible from the system menu}

(System > Health > Monitor)

- _{From the FMC REST API}

- _{When the device is managed by FDM, FTD Device REST API makes metrics available for}

querying by external entities

•

Health modules in Health Policy need to be enabled and deployed for some metrics

to appear.

(105)

FMC Dashboard

FMC Dashboard • HA • Event Rate • Event Capacity • Process Health • CPU • Memory • Interface • Disk Usage

This dashboard is available to both Active and Standby FMC

(106)

SNMP Health Monitoring Enhancements

•

Available with FTD Device REST API (for FDM managed FTD) and FMC

•

Feature specific diagnostic information, made available using new OID’s.

- _{RA VPN: number of users and sessions, peak number of sessions} - _{Site-2to-site VPN: number of sessions, peak number of session}

- _{Connections: number of active connections, peak number of active connections, connections}

per second, peak connections per second

- _{NAT translations: active and peak} - _{Number of routes}

- _{Interface duplex status} - _{Snort 3 intrusion event rate}

(107)

SNMP on VRF Interfaces

•

Firepower 7.0 allows SNMP configurations (user defined) VRF interfaces

•

If the Network Management Station (NMS) IP is reachable By the VRF interfaces,

then the SNMP polling and Traps to the NMS can be established

•

_{FMC managed devices: configure SNMP over VRF interface from UI}

•

FDM managed devices: configuration requires FTD Device REST API

(108)

Install and Upgrade

Improvements

(109)

Fleet Upgrades

• _{Increase number of}

concurrent upgrades of FMC managed FTDs

• Decrease the time to upgrade deployment with more than 15 devices

• Stacks/Clusters and HA are supported

• _{Faster upgrade times}

(110)

Error message for base version less than 7.0.0

No error message displayed

Error message for base version >= 7.0.0

(111)

Faster Boot Strapping

• _{Reduced time for FDM bootstrap process}

after application startup

• Minimizes startup overhead

• Allows the UI to come up earlier

• All REST API calls will redirect to the Setup Job API until system setup is complete

• Job status clearly identifies what task is currently running

• Provides estimated time to finish

• Reduced FTDv first boot install time

(112)

Virtual Updates

‣

Platform Additions

‣ ASAc ‣ OpenStack ‣ High Performance FTDv

‣

Tiered Licensing

(113)

(114)

ASAc

•

Containerization of ASA using

Docker containers

•

_{Supported platforms:}

- _OpenStack - _AWS

•

Managed by Kubernetes using kubectl

•

Provisioning via MsgLayer and ZeroMQ

(115)

OpenStack Support

•

_{OpenStack benefits}

• Deploy applications on private cloud instead of public cloud

• Hardware resources can be easily integrated with the cloud infrastructure

• No licensing and opensource code can be modified based on the requirements.

•

OpenStack support

- _{FMCv, FTDv and ASAv} - _{No FDM support}

•

OpenStack platform bring-up steps

(116)

OpenStack Requirements

Category Supported Versions Notes

Server UCS C240 M5 2 UCS servers are recommended, one each for

os-controller and os-compute nodes

Driver VIRTIO, IXGBE, I40E Supported drivers

Operating System Ubuntu Server 18.04 Recommended OS on UCS servers

OpenStack Version Stein Release OpenStack Software available at

https://releases.openstack.org/

Minimum Version FTD 7.0.0 and ASA 9.16.1

License BYOL

(117)

High Performance FTDv

•

Initial delivery for VMware and KVM only

•

_Optimize

- _{FW performance} - _{RA VPN performance} - _{TLS performance}

•

_{Enable support for a 16 core FTDv}

- _{This is just an added option when you instantiate an FTDv}

(118)

(119)

Feature Overview

• _{Performance Tiered Licensing support with Evaluation mode and Smart License} • Base Install or upgrade

- _{FDM users can still use legacy licensing model in 7.0}

• Supported for both FDM and FTD Device REST API, FMC

• Supported on all virtual FTD platforms

• Tiered licensing supports

- _{Smart license satellite}

- _{Universal Permanent License Reservation (uPLR) for FMC and FDM} - _{Special License Reservation (SLR) for FMC}

(120)

Upgrades and Managing Lower Versions

•

When a FTDv is upgraded to FP 7.0:

- _{The device is automatically moved to a “Legacy” tier, and continues to consume non-tiered}

entitlements

- _{Customers can then select a tier}

•

FMC 7.0 managed devices with versions lower than 7.0.0

- _{Tiers are not used}

(121)

Performance Tiers for Smart Licensing

Performance Tier Device

Specifications Rate Limit

RA VPN Session Limit FTDv5 4 cores/8 GB 100Mbps 50 FTDv10 4 cores/8 GB 1Gbps 250 FTDv20 4 cores/8 GB 3Gbps 250 FTDv30 8 cores/16 GB 5Gbps 250 FTDv50 12 cores/24 GB 10Gbps 750 FTDv100 TBD TBD TBD

(122)

Supported Platforms

Min Supported

Manager Version Managed Devices

Min Supported Managed Device Version Required Notes FDM 7.0 FTD on any virtual platform FTD 7.0.0 FDM

FTD Device REST API FMC 7.0 FTD on any virtual

(123)

Feature Details

•

Default settings:

- _{FMC: If not selected, defaults to FTDv50. (FMC manages both physical and virtual devices as}

well as devices on lower FP versions)

- _{FDM: User must select a tier via FDM UI}

- _{Initial provisioning via the FTD Device REST API defaults to the FTDv50 tier}

•

_FDM:

- _{Performance Tier cannot be updated when device is in Universal PLR mode. User should}

deregister device and register with a new tier.

(124)

FDM Setup with Performance

Tier Evaluation or Smart License

(125)

FDM

(126)

FMC Performance Tier In Device Registration

• The Performance Tier selection is a new addition in the device registration dialog in FP 7.0.0 for FTDv devices

(127)

(128)

Platform Features

‣

Equal Cost Multi Path Support

‣

IoT

(129)

Equal-Cost Multi-Path

Support

(130)

Equal-Cost Multi-Path Support

•

_{Equal Cost Multi Path (ECMP) allows}

for equal cost routes to the same

destination network

•

Interfaces are assigned to a Traffic

Zone

•

_{Flows load balanced across multiple}

interfaces assigned to the same Traffic

Zone

- _{Egress route chosen upon new}

connection build up

- _{Only Static Routes}

•

Allow creation of up to 8 Equal-Cost

Static Routes across interfaces for the

same destination network

•

Data plane uses hash of packet

information and ingress interface to

choose the egress interface

•

_{FDM UI and FTD Device REST API}

support

(131)

Use Cases

•

Asymmetric Routing

- _{Inside host establishes connection through ISP1}

on Outside1 interface

- _{Inside host receives return traffic through ISP2}

•

Lost Route

- _{Inside host establishes connection through ISP1}

- _{If route through ISP1 is lost, FTD maintains}

connection, routing traffic through ISP2

•

_{Load Balancing}

Inside network ISP1 ISP2 Outside Host Inside Host FDM Outside1 _Outside2 Inside Route1 Route2

(132)

(133)

Support for Additional Protocols

• Application Detectors for for C37.118, COSEM/DLMS

• Access control rules can be written to block or allow certain COSEM/DLMS & IEEE C37.118

commands/transactions

• SNORT 3 support for Siemens S7 protocol

- _{SNORT 2 supported was added in 6.7}

release

• Supported on any FTD platform

(134)

Zero Touch Replacement

C O N S O L E COM IN2 REF IN1 ! + 1 2 -4 8 2 .5 -0 .6 5 A S D C A R D IN1 -+ 3 D C -A D C -B -+ IN2 OUT ALARM 4 4 3 2 1 1 2 M G M T E N E T MGMT RESET C O N S O L E SYS CON RESET BUTTON SD CARD

Simplified Device Replacement

• Unplug SD card from non-working ISA3000 • Plug-in the SD card into the new unit

• Press Reset button on the new unit to trigger backup restore

• New ISA3000 boots up with existing config from SD card and ready to be deployed with exactly same configuration as the old unit.

(135)

VRF and EtherChannel Support

VRF

•

Add support for Virtual routers feature

on ISA3000

- _{VRF support compatibility with FTD}

•

Configured with FDM & FMC

•

Maximum of 10 Virtual routers

EtherChannel

•

Enable EtherChannel support in FDM

for ISA3000

- _{Similar to EtherChannel feature in FTD}

•

Configured with FDM

•

FMC EtherChannel support already

exists for ISA3000

(136)

Integrations

‣

SecureX

(137)

(138)

What’s New

•

_{SecureX Ribbon integrated to FMC UI}

• New SecureX configuration UI Page

• Accessible by users with SecureX permission

• Per-user SecureX Ribbon

• Applicable to all types of user (Local, External, SSO)

• Each user can customize the placement and appearance of the ribbon with details as per access

• Does not depend on user permission on FMC

• Not related to FMC domains

• When "On", the Ribbon shows up for every user

• Every user Authorizes FMC to access SecureX on their behalf

• _{SecureX Integration Feature can be switched on/off}

(139)

(140)

FMC SecureX Configuration Page

(141)

Integration with SecureX

• The Security Platform Ribbon React Component is accessible from all pages of the FMC web UI

• SecureX Action Orchestrator can make API calls to FMC through the SSE

(142)

(143)

What’s New

•

_{FMC Endpoint Update app v1.1 was released in October 2019}

- _{In FMC Endpoint Update app 1.2, we add multi-site / multi-domain support.}

•

Device Packages for ASA and FMC/FTD will continue to be supported,

but only in “maintenance mode”

- _{We will validate release version compatibility with supported platforms and}

setups.

- _{Our focus is on the FMC Endpoint Update app for new features.}

(144)

FMC Endpoint Update App

FMC

REST Post/Put/Delete

REST Get

APIC

FMC Endpoint Update

ACI dynamic EPGs information from various ACI tenants is pushed to configured FMC(s) under specified FMC subdomains through FMC REST APIs.

(145)

Supported Software Matrix

FMC Endpoint Update

Version Platforms APIC Versions FMC Versions

1.2 APIC

FMC 5.0(1l) or above

6.6 6.7 7.0

(146)

Service Automation Through Device Package

Service automation requires a vendor device package. It is a zip file containing

- _{Device specification (XML file)} - _{Device scripts (Python)}

• Cisco® APIC interfaces with the device using device Python scripts

• Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts

• Device script handlers interface with the device using its REST or CLI interface

(147)

Supported Software Matrix (ASA device package)

Device Package Version Integration Model APIC Versions ASA Versions

1.3(12.4) Cloud Orchestrator Policy Orchestration Fabric Insertion 4.2(4o) 5.0(2h) 9.14(x) 9.15(x) 9.16(x) 1.2(12.3) Cloud Orchestrator Policy Orchestration Fabric Insertion 4.2(4o) 5.0(2h) 9.14(x) 9.15(x) 9.16(x)

(148)

Supported Software Matrix (FTD Device Package)

Device Package Version Platforms APIC Versions FTD Versions

1.0.5.2 Firepower-93xx Firepower-41xx Firepower-21xx FTDv 4.2(4o) 5.0(2h) 6.6 6.7 7.0