Answers to the most frequently asked questions by IT professionals about Cisco Firewalls
A summary of an “Ask the Expert” discussion about Cisco Firewalls with 50 Security and Network Professionals members of Cisco Gateway and Cisco Experts
Experts Learning from Experts - Gateway member discussion
Frequently Asked Questions about Cisco Firewalls
This is a summary of an “Experts learning from Experts” discussion between 50 Security and Network Professionals (Cisco customers and members of Cisco Gateway) and Cisco Experts about Cisco Firewalls that took place in April 2020.
It gives you a quick overview of the questions we are most frequently asked about Cisco Firewalls.
It is divided into five topics:
- Why Cisco Firewalls
- Automation FAQ
- Integration and Migration FAQ
- Monitoring FAQ
- Roadmap and How to test it FAQ
Q: What is the greatest benefit of Cisco Next Generation Firewall (NGFW)?
A: Visibility and analysis up to layer 7: intrusion prevention, application visibility, malware protection, URL filtering, and security intelligence from Talos. This is the key reason why Cisco decided to take this direction, and everything can be managed from a single central point.
Q: How does the Cisco NGFW work with TLS 1.3?
A: In this presentation given at Cisco Live Barcelona 2020 you will find useful references on TLS 1.3 and Firepower:
TLS Decryption on Cisco Security Devices by Tobias Mayer, Technical Solutions Architect
Q: Why should I use the NGFW, when I use only VPN-connections?
A: A common reason could be to check the URL that your endpoints are accessing (limiting malware sites, or blocking certain categories), or analyzing your endpoint network traffic for malware with the AMP (Anti-Malware Protection) capabilities of NGFW.
Cisco AMP for Networks web page
Here is a web page that provides additional information on AMP for Networks (which is only supported on NGFW). In addition, there are numerous customers that still use the Cisco Adaptive Security Appliance (ASA) Software for their VPN needs, and there are no plans to end-of-life ASA software.
Q: Overall is NGFW better than ASA?
A: Choosing between ASA (Adaptive Security Appliance Software) or NGFW depends on your deployment requirements. There is still a large demand for traditional L3/L4 firewalls and VPN concentrators that is satisfied by customers running ASA software on Firepower hardware. In addition, ASA is optimized to run on the latest Firepower appliances.
Firepower Threat Defense (FTD) software delivers the layer 7 NGFW features beyond traditional stateful inspection and VPN, including: NGIPS, Malware protection, URL filtering, etc. Choosing which firewall application is the best fit is all a matter of your requirements.
The key difference is that FTD has the capacity for enhanced visibility and analysis of traffic and threats, all managed from a centralized console.
“Cisco Next Generation Firewall gives us better visibility and control to manage threats and prevent breaches.”
Oleksandr Fisun, Cybersecurity Analyst at Ansell
Cisco Gateway Member
A Video about Cisco Firewall vision (1:47)
Automation
Cisco Firewalls FAQ
Q: Are NGFWs automation-oriented?
A: Yes! Most features are exposed via REST APIs. For a good starting point on leveraging the NGFW REST APIs, please take a look at the following page about the Firepower Management Center REST API.
Note that you can explore the APIs of your FMC instance by going to https://<management_center_IP_or_name>:<https_port>/api/api-explorer.
Firepower Management Center REST API Quick Start Guide, Version 6.4.0
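As an added example (not code from the page or from Cisco), the following Python shows the FMC REST API session flow that the Quick Start Guide describes: one Basic-auth POST to the generatetoken endpoint, whose response headers carry the access token and domain UUID, followed by a token-authenticated GET of the access control policies. The HTTP layer is injected so the logic can be exercised offline; the host name `fmc.example.net` and the user `apiuser` are hypothetical.

```python
"""Added example of the FMC REST API token flow; not Cisco's own code."""
import base64
import json
import ssl
import urllib.request

# Endpoint paths as documented in the FMC REST API Quick Start Guide.
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
ACCESS_POLICIES_PATH = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"


def urllib_transport(method, url, headers, body, verify_tls=True):
    """Real transport: (method, url, headers, body) -> (status, headers, body).
    Set verify_tls=False only for a lab FMC still using its self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body or None, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read()


def get_token(base_url, username, password, transport):
    """Send the credentials once; FMC answers 204 with the session in the response
    headers, so later calls carry only the short-lived token."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    status, hdrs, _ = transport("POST", base_url + TOKEN_PATH,
                                {"Authorization": f"Basic {creds}"}, b"")
    if status not in (200, 204):
        raise RuntimeError(f"token request failed: HTTP {status}")
    h = {k.lower(): v for k, v in hdrs.items()}  # header names are case-insensitive
    return {"token": h["x-auth-access-token"],
            "refresh": h["x-auth-refresh-token"],
            "domain": h["domain_uuid"]}


def list_access_policies(base_url, session, transport):
    """List the access control policy names in the session's domain."""
    url = base_url + ACCESS_POLICIES_PATH.format(domain=session["domain"])
    status, _, body = transport("GET", url,
                                {"X-auth-access-token": session["token"]}, b"")
    if status != 200:
        raise RuntimeError(f"policy listing failed: HTTP {status}")
    return [item["name"] for item in json.loads(body).get("items", [])]


if __name__ == "__main__":
    # Against a real FMC (hypothetical host): use the urllib transport and an API user.
    sess = get_token("https://fmc.example.net", "apiuser", "REPLACE_ME", urllib_transport)
    print(list_access_policies("https://fmc.example.net", sess, urllib_transport))
```

The API user should be a dedicated account with the least FMC role that covers the calls you automate, and the returned token rather than the password is what your scripts keep in memory.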
Q: In terms of automation, are there any APIs or Python libraries available for the ASA firewalls?
A: ASA does support REST APIs; please refer to the following guide, which provides instructions on how to generate Python scripts. Regarding libraries, please check DevNet. Currently there are no ASA libraries; generation of ASA libraries is mainly driven by demand.
Guide about how to generate Python code scripts
"We can immediately find potentially harmful events and remediate quickly thanks to Cisco Next Generation Firewall."
David Clark, Senior Network Engineer, Amelco UK Limited
Cisco Gateway Member
Integration and Migration
Q: Does Cisco Next Generation Firewall (NGFW) integrate with ACI? Can Cisco integrate FMC into ACI the same way Cisco does with Palo Alto’s management tool?
A: Yes, there is integration between NGFW and Application Centric Infrastructure (ACI).
The best place to start is the Cisco Live session Deep Dive on Cisco Security in ACI (BRKACI-3004). Device packages are available for Firepower Threat Defense (FTD) and Firepower Management Center (FMC); see also the Deep Dive on ACI integration.
TechValidate Survey - August 2019
Q: Can you provide some guidance on the benefits of the NGFW, ISE and ACI integration?
A: There are numerous customer benefits from the NGFW, Cisco Identity Services Engine (ISE) and ACI integration: you can correlate user identities with IP addresses, and in addition you can inherit Security Group Tags (SGTs) from ISE and use them in policies. There is a very good webinar that describes this in more detail here: click on “Training Videos”, then choose “FMC External Authentication & Sources”, in particular “Lesson 3: User Awareness & User Policy”. The related documentation is in the Config Guide.
Regarding the ACI integration, we have device packages available to integrate FTD into ACI. Some customers still choose to leave the NGFW unmanaged and use it as a choke point within ACI. Firepower Threat Defense (FTD) and ISE have a number of integrations, including SGTs, ISE attributes to build policy, and the integration of pxGrid with the NGFW remediation module to take action on bad actors. There is also an RA VPN integration with ISE and CoA.
Q: How does NGFW interact with Cisco Application Centric Infrastructure (ACI), Cisco Digital Network Architecture (DNA) and Cisco Software-Defined WAN (SD-WAN)? Is there a plan to import the Security Group membership of NSX-T into Cisco NGFW?
A: Here are some very good references:
- For the NGFW integration with ACI, we recommend watching the following Cisco Live presentation. In addition, please take a look at the Quick Start Guide.
- For the DNA interaction, according to the DNA compatibility information only Cisco Adaptive Security Appliance (ASA) Software is supported (ASA5500-X, minimum supported version 9.8.2). According to the design guide, a firewall can be used as a “fusion” device: a firewall, Layer 3 switch, or router leaks routing information maintained in each VRF, enabling communication between virtual networks while also providing a control point to enforce established security policies. These network devices are commonly referred to as “fusion” firewalls or routers. Today these fusion routers and firewalls must be external to the fabric.
- For SD-WAN we have the IOS-XE Zone-Based Firewall (ZBF) and UTD functionalities. The web page explains how to install, configure, activate, and update the Cisco SD-WAN Release 18.4 IPS/IDS and URL-F Security Policy Virtual Image. Zone-based firewalls are a type of localized data policy that allows stateful inspection of TCP, UDP, and ICMP data traffic flows.
- Regarding the Security Group membership of NSX-T: it is supported with Firepower Threat Defense (FTD) and Cisco Next-Generation Intrusion Prevention System (NGIPS). We currently have device packages for FTD support in ACI and we support the use of SGTs. We are actively developing the use of dynamic objects from environments such as NSX-T in the NGFW for policy.
Q: What about Cisco Firepower Threat Defense (FTD) and Remote Access VPN? Does FTD fully support AnyConnect?
A: FTD does support AnyConnect for SSL and IPsec-IKEv2 remote access VPNs. For available features and configuration steps please refer to the config guide: FMC Guide.
"I don't want to spend my time integrating security products. I just want to do security. I tell my team I want to see three things when it comes to a new product: make sure it works, make sure it gives full visibility, make sure it's integrated with the rest of our security ecosystem."
Steve Martino, SVP, Chief Information and Security Officer of Cisco
Q: If we have two different Cisco firewalls (FTD or ASA) in cluster, do they support remote VPN connections?
A: Unfortunately not at this time. According to the FTD configuration guide, “Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration”. The same applies to the ASA software. RA VPN is supported in Active/Standby HA on ASA or FTD; RA VPN is not supported with clustering on either ASA or FTD.
Q: We have been using different Firewall platforms over the past years and now we are interested in unifying the platforms. Can you state how easy it is to convert rulebases to NGFW from multiple different platforms?
A: We have a very powerful Firepower Migration Tool, which now supports migration from third-party firewall platforms. Contact a Cisco Specialist here, who can provide you with a link to test this tool.
Cisco Firepower Migration Tool webpage
Monitoring
A: The aim of Cisco Defence Orchestrator (CDO) is a bit different from simply being “Firepower Management Console (FMC) in the cloud.”
The initial goals of CDO are to harmonize policies across multiple Cisco enforcement points (Cisco Adaptive Security Appliance (ASA) Software, Firepower Threat Defense, Meraki MX, etc.) as well as to extend policy management to select third-party enforcement points (such as Amazon Web Services Security Groups). Thus we do not anticipate feature parity with FMC for some time.
For more information on CDO, please watch this demo:
Cisco Defence Orchestrator Demo
If you want to try CDO, there is also a free trial here:
Cisco Defence Orchestrator Free Trial
Q: What would be a good tool to monitor and manage (deploying configuration and rules) a fleet of Cisco Next Generation Firewalls (NGFW)? Also, could older-generation ASAs be managed by that same tool?
A: For a big fleet of Cisco firewalls, we have two possibilities: the Firepower Management Console (FMC), which can manage hundreds of devices, and the Cloud Defence Orchestrator (CDO), which can manage thousands of ASA devices as well as harmonize security policies for FTD and other devices.
The difference is that FMC is an appliance (physical or virtual), while CDO is a cloud-based solution. In addition, CDO is also able to manage ASA software, while FMC can manage FTD and “ASA with Firepower”.
Q: What is the performance impact on my NGFW appliance when IPS is enabled?
A: There is a very good performance estimator tool available to Cisco customers at https://ngfwpe.cisco.com (log in with your Cisco credentials).
In the tool it is also possible to tick the IPS checkbox and see how much it impacts the performance and throughput of your appliance. Additionally, there are a number of factors that go into performance: traffic profile, object size, rule size, latency, etc. A general expectation of the impact of enabling IPS on our NGFWs is documented in our datasheets.
We have an internal Proof of Value and test team that can bench test the firewalls to show the performance against your specified criteria. If you want to test it or try the Firepower estimator tool, please contact a Cisco Specialist by filling in this form.
Please try accessing the tool with your Cisco credentials and let us know through the contact form whether it works for you.
Securing student learning with Cisco solutions: the example of Italian University Convitto Nazionale Umberto Primo
"After our initial tests, we were able to transition 100% of our students and teachers from our previous authentication platform and the old infrastructure to Cisco Next Generation Firepower."
Prof. Stefano Vinti
IT Coordinator at Convitto Nazionale Umberto Primo
"Thanks to Cisco Next Generation Firewall we can more effectively prevent data leakage and manage threats."
Girgis Hady
Network Manager at Wadi Degla Holding
Cisco Gateway Member
Roadmap and How to test it
FAQ about Roadmap and how to test Cisco Next Generation Firewall (NGFW)
Q: Are there any plans to integrate Firepower Threat Defense into existing Cisco Software-Defined WAN (SD-WAN) solutions and/or offer a Secure SD-WAN solution based on Firepower Threat Defense? PAN, FTNet and others already offer SD-WAN capabilities based on their NGFW platforms; when can we expect something similar from Cisco?
A: We are currently investigating the integration of SD-WAN with Firepower Threat Defense (FTD) as we continue to develop our solution. At present, we have found that most customers only need a few features and not the whole SD-WAN suite.
Q: Is NGFW supported in public cloud/IaaS environments?
A: We currently offer FTD in both Amazon Web Services and Azure marketplaces to help organizations secure their public cloud infrastructure. We will be adding support for GCP and OCI this year as well as an ongoing roadmap for other public clouds.
Q: Amazing solution. I need to test it soon!
A: To test Cisco NGFW, submit an assessment request here; a partner will let you try the NGFW best aligned with your needs and provide you with a free network security assessment.
"Cisco Next Generation Firewall improved the visibility of our network traffic and the ability to block malicious traffic via Snort rules."
Wouter Hindriks, Team Lead Network & Security at Missing Piece
Cisco free security scan