Integration and Migration

Cisco Firewalls FAQ

FAQ about Integration and Cisco Firewalls

Q: Does Cisco Next Generation Firewall (NGFW) integrate with ACI ? Can Cisco integrate FMC into ACI the same way Cisco does with Palo Alto’s Management tool?
A: Yes, there is integration between NGFW and Application Centric Infrastructure (ACI).
The best place to start is to review the session named Deep Dive on Cisco Security in ACI - BRKACI-3004 that was given at Cisco Live. There are device packages available for Firepower Threat Defence (FTD), Firepower Management Center (FMC) , Deep Dive on ACI integration.

TechValidate Survey - August 2019

Q: Can you provide some guidance on the benefits of the NGFW, ISE and ACI integration?
A : There are numerous customer benefits from the NGFW, Cisco Identity Services Engine (ISE) and ACI integration; you can correlate user identities with IP addresses, and in addition you can inherit Security Group Tags (SGT) from ISE and use them in the policies. There is a very good webinar that describes this more here. You have to click on “Training Videos”, and then choose “FMC External Authentication & Sources”, in particular “Lesson 3: User Awarenesses & User Policy”. The related documentation is in the Config Guide.Regarding the ACI integration, we have device packages available to integrate FTD into ACI. Some customers still choose to have NGFW unmanaged and use it as a choke point within ACI. Firepower Threat Defense (FTD) and ISE have a number of integrations including SGTs, ISE attributes to build policy, as well as the integration of PxGrid and the NGFW remediation module to take action on bad actors. There is also an RAVPN integration with ISE and CoA.

Tech Validate Survey - August 2019

Q: How does NGFW interact with Cisco Application Centric Infrastructure (ACI), Cisco Digital Network Architecture (DNA) and Cisco Software-Defined WAN (SD-WAN) ? Is there a plan to import the Security Group membership of NSX-T into Cisco NGFW?A: Here are some very good references:

for the NGFW integration with ACI, we recommend watching the following Cisco Live presentation. In addition, please take a look at the Quick Start Guide.

For the DNA interaction, according to the DNA compatibility information only Cisco Adaptive Security Appliance (ASA) Software is supported (ASA5500-X, min supported version is 9.8.2). From the design guide we can use a firewall as a “fusion” device. A firewall, Layer 3 switch, or router can then be used to leak routing information, maintained in each VRF, thus enabling communication between virtual networks while also providing a control point to enforce established security policies. These network devices are commonly referred to as “fusion” firewalls or routers.

Today these fusion routers and firewalls must be external to the fabric.

For the SD-WAN we have the IOS-XE ZBF and UTD functionalities. In the webpage you will find how to install, configure, activate, and update the Cisco SD-WAN Release 18.4 IPS/IDS and URL-F Security Policy Virtual Image. Zone-based firewalls are a type of localized data policy that allows stateful inspection of TCP, UDP, and ICMP data traffic flows.

Regarding the Security Group membership of NSX-T, it’s supported with the Firepower Threat Defense (FTD) of Cisco Next-Generation Intrusion Prevention System (NGIPS) . We currently have device packages for FTD support in ACI and we support the use of SGTs. We are actively developing the use of dynamic objects from environments such as NSX-T into the NGFW for policy

Q: What about Cisco Firepower Threat Defense (FTD) and Remote Access VPN? Does FTD fully support AnyConnect?A: FTD does support AnyConnect for SSL and IPsec-IKEv2 remote access VPNs. For available features and configuration steps please refer to the config guide: FMC Guide

"I don't want to spend my time integrating security products. I just want to do security. I tell my team I want to see three things when it comes to a new product: make sure it works, make sure it gives full visibility, make sure it's integrated with the rest of our security ecosystem"

Steve Martino, SVP, Chief Information and Security Officer of Cisco

Q: If we have two different Cisco firewalls (FTD or ASA) in cluster, do they support remote VPN connections?A: Unfortunately not at this time. According to the FTD configuration guide "Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration”. The same applies to the ASA software. RA VPN is supported in Active/Standby HA on ASA or FTD. RA VPN is not supported on clustering in either ASA or FTD.

Migration and Cisco Firewalls

Q: We have been using different Firewall platforms over the past years and are interested in unifying the platforms. Can you state how easy it is to convert rulebases to NGFW from multiple different platforms? A: We have a very powerful Firepower Migration Tool, which now supports migration from third party firewall platforms. Contact a Cisco Specialist here who can provide you a link to test this tool.

Cisco Firepower Migration Tool webpage