#CiscoLive BRKSEC-3023
Secure your multi-cloud infrastructure using Cisco Secure Firewall Virtual
Anubhav Swami, Principal Architect (@swamianubhav)
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Your Speaker
Anubhav Swami, Principal Architect, CCIE #21208
http://cs.co/anubhavswami
Focus areas: Cloud Security, Cloud Native, Public Cloud, Private Cloud, SASE, SSE, DC Security, K8s, Container
Background: TAC Engineer (5 yrs), Software Engineer (2 yrs), Technical Marketing Engineer (5 yrs), Security Solution Architect (2 yrs)
Blogs: http://cs.co/anubhavswamiblogs

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Disclaimer
The deck contains over 180 technical deep-dive slides. During the session, slides containing a reference icon in the top right corner will not be presented.
Expectation: what is not covered? Example topics that are either reference slides or not covered today: security deep-dive, firewall features, roadmap, configuration, troubleshooting.

This session focuses on Cisco Secure Firewall virtual architecture:
- Cloud services overview
- Securing multicloud infrastructure using Cisco Secure Firewall virtual (technical deep-dive)
- Best practices, reference architectures & integrations

Agenda
- Introduction
- Cisco Secure Firewall Overview
- Public Cloud Architecture Deep-Dive & Integration
- Private Cloud Architecture Deep-Dive & Integration
- Automation & Orchestration
- Resources

Applications are everywhere
- Requires visibility and control in a multi-cloud environment (Visibility, Multicloud)
- Requires rapid scalability (Scalability)

The world operates with data and apps living everywhere (Reference slide)
- 82% of IT leaders have adopted hybrid cloud or multi-cloud
- 47% of IT leaders are deploying 2 to 3 public IaaS clouds
- Diagram: Public Cloud 1 (IT App, HR App), Public Cloud 2 (Finance App, HR App), Private Data Center (Sales DB, ERM App, Ops App, HR App)
- Distributed data and apps constantly change
- Encrypted traffic is everywhere
- Hybrid work is here to stay
- Applications are everywhere; increase in multi-cloud deployments

Simplifying Firewalling for Multicloud
Virtual firewall performance-based licensing from 100 Mbps up to 16 Gbps.
Cloud leadership (Private Cloud, Public Cloud, Gov/IC Cloud; several items marked NEW on the slide):
- Dynamic Policy
- Clustering and Auto Scaling
- Quick starts, Infrastructure as Code and Automation
- Integration with cloud native services and infrastructure
- Gateway Load Balancer integration
- Accelerated Networking
- Snapshots
- Smart & Tiered Licensing
Products: Cisco Secure Firewall Threat Defense Virtual, Cisco Secure Firewall ASA Virtual, Cisco Firewall Management Center Virtual

Our firewall has comprehensive capabilities (Reference slide)
- Superior Threat Protection
- Cisco Talos Security Intelligence
- Configuration and Analytics Console
- Firewall, Routing, NAT
- TLS Decryption
- Identity and Attribute Based Access Control
- ML-Driven Encrypted Visibility Engine
- VPN/ZTNA
- High Availability and Scalability
- Application Control, Custom App Detectors
- Malware Protection and Sandboxing
- URL Filtering and Categorization
- Intrusion Prevention
- Automation, Remediation, and Integration
- WAN Capabilities

Cisco Firewall Management Options
Flexibility of cloud or on-premise options:
- Option 1: Cisco Firewall Management Center (FMC), virtual or hardware
- Option 2: Cloud-delivered Firewall Management Center (cdFMC)
- Option 3: Cisco Firewall Device Manager (on-box manager)

Cloud-delivered Firewall Management Center (cdFMC) (Reference slide)
Key features:
- Hybrid management support
- Supports up to 1000 devices
- Periodic configuration snapshots
- Easy migration from on-premises FMC to cdFMC
- Real-time security policy updates for multi-cloud environments
- Secure SaaS applications like O365 using real-time community feeds
- Flexibility between hybrid and cloud eventing
Key benefits:
- Eliminates change management and update overhead
- No rack space and utility bill, lowering operational cost
- Cisco ensures uptime, increasing resiliency
- No learning curve for on-premise FMC users
Cloud-delivered Firewall Management Center works with CDO.

Public Cloud
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
- Oracle Cloud Infrastructure (OCI)
- Alkira
- Alibaba

Amazon Web Services (AWS)

AWS overview
- Region
- VPC and Availability Zone
- Subnet: public subnet and private subnet
- EC2 instance
- Elastic IP
- Security Group
- Internet Gateway (IGW)
- NAT Gateway
- Route Table
- VPN Gateway and Direct Connect
- Elastic Load Balancer: GWLB, NLB, ALB and CLB
Diagram: AWS Cloud, Region (us-east-1), VPC with Availability Zone 1 (us-east-1c) and Availability Zone 2 (us-east-1d), EC2 instances, NAT Gateway, route table, Elastic IP address, security group, Internet Gateway, Direct Connect, VPN Gateway, Elastic Load Balancer, VPC Peering.

VPC peering (Reference slide)
- A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them.
- You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account.
- The VPCs can be in different Regions (also known as an inter-Region VPC peering connection).
- AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection.
- There is no single point of failure for communication or a bandwidth bottleneck.
- You cannot have more than one VPC peering connection between two VPCs at the same time.
- A VPC peering connection is a one-to-one relationship between two VPCs.
- Transitive peering relationships are not supported.
Diagram: VPC Peering, Multiple VPC Peering.

AWS Elastic Load Balancer (Reference slide)
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs).
Network Load Balancer:
- Layer 4 TCP/UDP connection-based load balancing
- Source IP preservation
- Health check
- Sticky sessions
- Zonal isolation
- Long-lived TCP connections
- Low latency
- IP addresses as targets
- TLS offloading
- Works with Cisco Secure Firewall Threat Defense and Cisco Secure Firewall ASA
Gateway Load Balancer:
- Layer 3 load balancing (GWLBEP), Layer 4 (GWLB)
- Source IP preservation
- Health check
- Sticky sessions
- Zonal isolation
- Long-lived TCP connections
- Source and destination are unaware the traffic is inspected
- GENEVE encapsulation; the packet is preserved
- Works with Cisco Secure Firewall Threat Defense and Cisco Secure Firewall ASA* (*Cisco Secure Firewall Threat Defense release 7.1 or higher and Cisco Secure Firewall ASA release 9.17.1 or higher)
Application Load Balancer:
- Layer 7 (HTTP/HTTPS) connection-based load balancing
- Support for HTTP 1.1 and HTTP 2
- Content-based routing
- Health check
- Sticky sessions
- Works with Cisco Secure Firewall Threat Defense and Cisco Secure Firewall ASA
Classic Load Balancer:
- Forwards traffic only to the primary interface of a VM in the backend pool
- Not recommended
- Works with Cisco Secure Firewall ASA only

AWS Gateway (Reference slide)
- Internet Gateway: an internet gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
- Transit Gateway: AWS Transit Gateway (TGW) connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router; each new connection is made only once.
- NAT Gateway: a NAT gateway (NAT-GW) is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside the VPC, but external services cannot initiate a connection with those instances.
- VPN Gateway: a virtual private gateway (VPN-GW) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection.
- Customer Gateway: a customer gateway (CGW) is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.

AWS Compute (Reference slide)
- EC2 Instance: Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud.
- Amazon Machine Image (AMI): an AMI is a supported and maintained image provided by AWS that provides the information required to launch an instance. You must specify an AMI when you launch an instance. Cisco provides marketplace images for Secure Firewall Threat Defense and Firewall Management Center.
- Elastic Network Interface (ENI): a logical networking component in a VPC that represents a virtual network card.
- Elastic IP Address (EIP): a static IPv4 address designed for dynamic cloud computing.
- Auto Scaling: AWS Auto Scaling monitors your instances and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost.

AWS Security (Reference slide)
- Security Group: controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
- Network ACL: a network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level.
- AWS GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
- AWS CloudWatch: provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, and optimize resource utilization.
- AWS Security Lake: a data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale. You can store your data as-is, without having to first structure the data, and run different types of analytics, from dashboards and visualizations to big data processing, real-time analytics, and machine learning, to guide better decisions.

Route 53 (Reference slide)
- DNS registrar
- DNS-based load balancer
- Ideal for RA VPN load balancing
- The domain must be registered with AWS
- Can load balance based on: Weight, Failover (active/passive), Geolocation, Latency

Cisco Secure Firewall Threat Defense Virtual: Routed Mode
Deployment:
- Cisco Secure Firewall Threat Defense and Cisco Firewall Management Center are available in the Marketplace
- Supports BYOL and PAY-G
- Acts as a next hop for workloads/EC2 instances
Management:
- Firewall Management Center (FMC); orchestrate configuration using the FMC API
- Cloud-delivered Firewall Management Center
- Terraform & Ansible
Use case: Stateful FW, VPN, AVC, IPS, URL filtering, and malware protection.
Diagram: Virtual Private Cloud (VPC) with public subnet, private subnet (EC2 instances), Internet Gateway, remote users (VPN & non-VPN), Cisco Secure Firewall Threat Defense Virtual in routed mode, management subnet with Cisco Firewall Management Center (FMC) reached over the management interface. Route table of the private subnet: 0.0.0.0/0 -> eni-FW-internal.

Cisco Secure Firewall Threat Defense Virtual: Passive Mode
Deployment:
- Supports passive mode deployment
- Select passive mode for the interface receiving data
Management:
- Firewall Management Center (FMC); orchestrate configuration using the FMC API
- Cloud-delivered Firewall Management Center
- Terraform & Ansible
Prerequisites for passive mode:
- CSR or CAT8Kv sends a copy of the traffic using ERSPAN
- Create a passive interface for receiving the spanned traffic
- The passive interface requires an IP address
- Set MTU to 1600
Diagram: VPC with public subnet, private subnet (EC2 instances), Internet Gateway, remote users (VPN & non-VPN), Cat8kv sending ERSPAN to Cisco Secure Firewall Threat Defense Virtual in passive mode.

Firewall Management Options & Connectivity (Reference slide)
Cisco Secure Firewall can be managed using these options:
- Firewall Management Center (centralized manager)
- Cloud-delivered Firewall Management Center (cloud-based)
- Firewall Device Manager (on-box manager)
- API
- Terraform and Ansible
Connectivity & Management (FMCv in AWS):
- Cisco Firewall Management Center Virtual is available in the AWS marketplace.
- FMC requires connectivity to each Secure Firewall on the following ports: HTTPS (UI), TCP 8305 (SFtunnel).
- Firewall Management Center can be deployed in the same VPC or in another VPC (centralized security model).
Diagram: VPC with public subnet, private subnet (EC2 instances), Internet Gateway, remote users (VPN & non-VPN), Cisco Secure Firewall Threat Defense Virtual, management subnet with Cisco Firewall Management Center Virtual (FMC) managing the Secure Firewall over the management interface.

Cisco Secure Firewall Threat Defense Virtual: Licensing
- Cisco Secure Firewall Threat Defense Virtual and Cisco Firewall Management Center Virtual offers are available in the AWS marketplace.
- Cisco Secure Firewall Threat Defense supports "Bring-your-own-license (BYOL)" and "Pay-as-you-go (PAY-G)".
- BYOL uses Cisco Smart License and offers tiered licensing.
- PAY-G provides a fully featured firewall.
- Cisco Secure Firewall Threat Defense Virtual PAY-G includes a 30-day free trial.
- By default, support is not part of PAY-G; customers can purchase support from the resellers listed here.
- PAY-G is not supported with Firewall Device Manager (FDM).
- PAY-G is available on "hourly" and "annual" pricing.
BYOL options for Cisco Secure Firewall Threat Defense Virtual:
- Base license: stateful firewalling and Application Visibility and Control
- Term-based license: Threat (IPS/IDS), URL filtering and malware protection
- AnyConnect licenses for VPN

Cisco Secure Firewall Threat Defense Virtual: Licensing (contd.) (Reference slide)
- The total cost of the license and the instance (compute and storage) is billed directly by the cloud provider.
- PAY-G is available on "hourly" and "annual" pricing.
- Switch to annual pricing for savings of up to 49%.
- The Cisco Secure Threat Defense Virtual instance can be terminated at any time to stop incurring charges.
- Customers can purchase TAC support separately (optional) from resellers: (US/CAN) https:/ , http://WWW.SYCOMP.COM, http://WWW.COMPUTACENTER.COM; (APJ) http://WWW.VELOCIS.IN

Cisco Secure Firewall Threat Defense Tiered License (Reference slide)
- Provides different license tiers based on performance requirements
- Available for FMC- and FDM-managed devices
- Includes base and feature licenses
- License enforced by traffic throttle
- The "FTDv variable" tier supports the legacy license when you upgrade FTDv to release 7.0 or higher
Tiers: FTDv5 100 Mbps; FTDv10 1 Gbps; FTDv20 3 Gbps; FTDv30 5 Gbps; FTDv50 10 Gbps; FTDv100 unthrottled.

Cisco Secure Firewall Threat Defense Virtual: Performance-based Tiered License (Reference slide)
Performance Tier | Device Specifications | Rate Limit | RA VPN Session Limit
FTDv5   | 4 cores / 8 GB   | 100 Mbps | 50
FTDv10  | 4 cores / 8 GB   | 1 Gbps   | 250
FTDv20  | 4 cores / 8 GB   | 3 Gbps   | 250
FTDv30  | 8 cores / 16 GB  | 5 Gbps   | 250
FTDv50  | 12 cores / 24 GB | 10 Gbps  | 750
FTDv100 | 16 cores / 32 GB | 16 Gbps  | 10,000
Note: Performance may vary based on the features enabled/used and traffic patterns. See product data sheets for details.

Cisco Secure Firewall Threat Defense Virtual: Licensing (contd.), managed by Cisco Firewall Management Center (FMC) (Reference slide)
Cisco Secure Firewall management platforms send and receive entitlement requests and responses from the Smart backend through (1) a direct Internet connection, (2) an HTTP/HTTPS proxy, or (3) an on-premises satellite connector.
Diagram: Cisco Firewall Management Center, Cisco Secure Firewall Threat Defense Virtual, Cisco Smart Licensing, satellite connector, HTTP/HTTPS proxy.
Cisco documentation on Cisco Firewall Management Center: the management center virtual requires an entitlement for each device it will manage, whether the devices use Smart or Classic licensing.

Cisco Secure Firewall Threat Defense Virtual: Licensing with Firewall Device Manager (FDM), on-box management (Reference slide)
Cisco Secure Firewall management platforms send and receive entitlement requests and responses from the Smart backend through (1) a direct Internet connection, (2) an HTTP/HTTPS proxy, or (3) an on-premises satellite connector.
Diagram: Cisco Secure Firewall Threat Defense Virtual (on-box management, Firewall Device Manager), Cisco Smart Licensing, satellite connector, HTTP/HTTPS proxy.
Cisco Firewall Device Manager supports BYOL licensing only.

Cisco Secure Firewall Threat Defense Virtual: Multiple Firewall Deployment
- Multiple firewalls behind AWS NLB or ALB
- NLB health check for fault tracking
- Support for multi-AZ deployment
- FQDN-based NAT on the Cisco firewall
- Manual scale
- SNAT is required for traffic symmetry
Diagram: VPC with Availability Zone 1 and Availability Zone 2, subnets 1 to 4 (inside subnet, outside subnet), Internet-facing Network Load Balancer, Cisco Secure Firewall Threat Defense Virtual managed by Firewall Management Center (FMC), Internet.

Cisco Secure Firewall Threat Defense Virtual: Autoscale Overview (Reference slide)
- Cisco Secure Firewall Threat Defense release 6.6 or higher
- Serverless implementation (no helper VMs required for the autoscaling feature)
- Automated firewall instance registration and de-registration with FMC
- NAT, access policy, and routes are fully automated and applied to the scaled-out instance
- AWS CloudFormation template-based deployment
- Support for PAY-G and BYOL licensing; users select the licensing type during deployment
- The maximum number of firewalls supported in Auto Scale is based on the FMC limit
- Uses cloud-native services like Lambda functions, load balancers, security groups, storage, Auto Scale Group, SNS, lifecycle hooks, etc.
- Cisco Secure Firewall automated horizontal scaling requires a scale set with an Internet-facing NLB
- For traffic symmetry, inbound traffic is translated to the egress interface (Inside) IP address and outbound traffic is translated to the egress interface (Outside) IP address (SNAT)
- Autoscale support is available for GWLB deployment

Cisco Secure Firewall Threat Defense Virtual: Autoscale Architecture
Diagram: VPC with Availability Zone 1 and Availability Zone 2, subnets 1 to 4 (inside subnet, outside subnet), Internet-facing Network Load Balancer, Secure Firewall Autoscale Group driven by the AWS autoscaling manager, FTDv managed by Firewall Management Center (FMC), snapshot support, Internet.

Cisco Secure Firewall Threat Defense Virtual: Autoscale (contd.)
Diagram: Internet-facing Network Load Balancer with a target group in front of the Autoscale Group; the AWS autoscaling manager handles EC2 autoscale launch and terminate events, scale-out and scale-in policies, lifecycle hooks, a health doctor and an SNS topic; Firewall Management Center (FMC) registers/de-registers Cisco Secure Firewall Threat Defense and performs configuration and deployment via the REST API; autoscale infrastructure EC2 instance; NAT Gateway; inside and outside interfaces. Inbound traffic is SNATed on the inside interface of NGFWv.

Cisco Secure Firewall Threat Defense Virtual: Snapshot Support
- "Snapshot" is a process to create a replica image from one running virtual machine instance.
- Faster boot time for Threat Defense Virtual in a public cloud auto-scale setup.
- With Secure Firewall release 7.2, we introduced the capability to create a custom virtual image using an existing deployed Secure Firewall Threat Defense Virtual. When the custom image is used to bring up new instances, the instances boot faster than from the original image. A faster boot time is essential for auto-scale deployment.
- The resulting Threat Defense Virtual can then be managed by either Firewall Management Center or Firewall Device Manager (Note: no manager should be associated with the Threat Defense Virtual when making a snapshot).
- In AWS, a snapshot image can be created using the "create image" option.
EBS-backed Linux AMI creation process:
1. Select an AMI #1
2. Launch an instance from AMI #1 and customize it
3. Stop the instance to ensure data integrity
4. Create AMI #2 using the "create image" option
5. Amazon automatically registers the EBS-backed AMI
6. AMI #2 can now be used to launch new instances

Transit Gateway (TGW) (Reference slide)
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router; each new connection is made only once.
Diagram: AWS Transit Gateway with VPC 1 and VPC 2 (app subnet instances) connected by VPC attachments, a data center (servers) connected by a VPN attachment or Direct Connect, and Azure/GCP/OCI connected by a VPN attachment.
TGW attachments: 1. VPC attachment, 2. VPN attachment.

Transit Gateway (TGW): Multi-AZ architecture
Diagram: AWS Transit Gateway with VPC 1 and VPC 2 (app subnet instances) connected by VPC attachments, a Security VPC spanning AZ1 and AZ2 connected by a VPC attachment in appliance mode, and a data center (servers) connected by a VPN attachment or Direct Connect.
TGW attachments: 1. VPC attachment, 2. VPN attachment, 3. Appliance mode attachment.

Cisco Secure Firewall Threat Defense: AWS Gateway Load Balancer (GWLB) Integration Overview (contd.) (Reference slide)
VXLAN frame: Outer MAC | Outer IP | UDP 4789 | VXLAN | Inner MAC | Payload | FCS
GENEVE frame: Outer MAC | Outer IP | UDP 6801 | GENEVE (variable) | Payload | FCS
(Outer MAC, Outer IP and UDP are fixed; the GENEVE header is variable-length, with a flexible inner header setting defined by the GENEVE header.)
- Cisco Secure Firewall can terminate GENEVE tunnels
- Allows integration with AWS Gateway Load Balancer
- Implemented using a VNI interface with NVE
- Added in FTD release 7.1
GENEVE:
- Stands for Generic Network Virtualization Encapsulation
- Designed to accommodate network virtualization's changing capabilities and needs
- Provides a flexible and extensible data format
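To make the GENEVE slide concrete, here is an added example (not Cisco's or AWS's code) of the decapsulation step a GWLB target such as the firewall must perform before policy can see the inner flow: it parses the RFC 8926 GENEVE header (version, option length, O/C flags, protocol type, VNI, TLV options) with every length checked, then extracts the inner IPv4 5-tuple. The sample packet, its VNI and the option class/type values are constructed for the example; the hypothetical `known_classes` set stands in for whatever option classes a real endpoint recognises.

```python
"""GENEVE decapsulation as a GWLB target (the firewall) performs it.

Added example, not Cisco's or AWS's code. Header layout follows RFC 8926;
the sample packet and its option values are constructed here.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800  # inner payload is a bare IPv4 packet
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: inner payload starts with an Ethernet header
GENEVE_BASE_LEN = 8


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int
    data: bytes

    @property
    def critical(self) -> bool:
        return bool(self.opt_type & 0x80)  # RFC 8926: high bit of Type is the option's C bit


@dataclass
class GeneveHeader:
    oam: bool
    critical: bool
    protocol_type: int
    vni: int
    header_len: int
    options: List[GeneveOption] = field(default_factory=list)


@dataclass
class InnerFlow:
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def parse_geneve(buf: bytes, known_classes=frozenset()) -> GeneveHeader:
    """Parse the GENEVE header; each length is validated before it is trusted."""
    if len(buf) < GENEVE_BASE_LEN:
        raise ValueError("truncated GENEVE base header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", buf[:GENEVE_BASE_LEN])
    version, opt_len = b0 >> 6, (b0 & 0x3F) * 4  # Opt Len counts 4-byte words
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    hdr = GeneveHeader(bool(b1 & 0x80), bool(b1 & 0x40), proto,
                       vni_rsvd >> 8, GENEVE_BASE_LEN + opt_len)
    if len(buf) < hdr.header_len:
        raise ValueError("truncated GENEVE options")
    off, end = GENEVE_BASE_LEN, hdr.header_len
    while off < end:
        if end - off < 4:
            raise ValueError("malformed option TLV")
        cls, typ, lenb = struct.unpack("!HBB", buf[off:off + 4])
        dlen = (lenb & 0x1F) * 4  # low 5 bits, in 4-byte words, option header excluded
        if off + 4 + dlen > end:
            raise ValueError("option data overruns the header")
        opt = GeneveOption(cls, typ, buf[off + 4:off + 4 + dlen])
        if opt.critical and cls not in known_classes:
            raise ValueError(f"unknown critical option class 0x{cls:04x}")  # RFC 8926: drop
        hdr.options.append(opt)
        off += 4 + dlen
    return hdr


def parse_inner_ipv4(payload: bytes, protocol_type: int) -> InnerFlow:
    """Skip an inner Ethernet header when present, then read the IPv4 5-tuple."""
    if protocol_type == ETHERTYPE_TEB:
        if len(payload) < 14 or struct.unpack("!H", payload[12:14])[0] != ETHERTYPE_IPV4:
            raise ValueError("inner frame is not IPv4")
        payload = payload[14:]
    elif protocol_type != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported inner protocol type 0x{protocol_type:04x}")
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        raise ValueError("bad inner IHL")
    l4 = payload[9]
    src = ".".join(map(str, payload[12:16]))
    dst = ".".join(map(str, payload[16:20]))
    sport = dport = None
    if l4 in (6, 17) and len(payload) >= ihl + 4:  # TCP/UDP carry ports first
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return InnerFlow(src, dst, l4, sport, dport)


def decapsulate(buf: bytes, known_classes=frozenset()):
    hdr = parse_geneve(buf, known_classes)
    return hdr, parse_inner_ipv4(buf[hdr.header_len:], hdr.protocol_type)


def build_sample_packet(teb: bool = False) -> bytes:
    """Constructed packet: VNI 1, one 8-byte option (class 0x0108, type 1, values chosen
    for the example), inner TCP SYN 198.51.100.7:51000 -> 10.81.100.10:443."""
    option = struct.pack("!HBB", 0x0108, 0x01, 2) + bytes.fromhex("0011223344556677")
    proto = ETHERTYPE_TEB if teb else ETHERTYPE_IPV4
    base = struct.pack("!BBHI", len(option) // 4, 0, proto, 1 << 8)  # version 0, VNI 1
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       bytes([198, 51, 100, 7]), bytes([10, 81, 100, 10]))
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x02" * 6, ETHERTYPE_IPV4) if teb else b""
    return base + option + eth + ipv4 + tcp


if __name__ == "__main__":
    for teb in (False, True):
        hdr, flow = decapsulate(build_sample_packet(teb))
        print(f"VNI {hdr.vni} proto 0x{hdr.protocol_type:04x} options {len(hdr.options)} -> {flow}")
```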
Cisco Secure Firewall Threat Defense: AWS Gateway Load Balancer (GWLB) Integration Overview
- The new approach to load balancing; AWS introduced it in November 2020
- Provides transparent insertion of services
- The right way to do load balancing between firewalls and service chaining in the public cloud
- GWLB encapsulates traffic before sending it to the targets on the same subnet
- A firewall does not need to apply NAT or routing to the traffic
- GWLB deployment varies significantly between public cloud providers
- GWLB uses the GENEVE protocol; support for GENEVE on Cisco Secure Firewall Threat Defense is available from release 7.1
- Support for autoscale deployment is available from release 7.2
Components: Gateway Load Balancer Endpoint, Gateway Load Balancer.

Gateway Load Balancer
Gateway Load Balancer helps you easily deploy, scale, and manage your third-party virtual appliances. It gives you one gateway for distributing traffic across multiple virtual appliances while scaling them up or down based on demand. This decreases potential points of failure in your network and increases availability.
Diagram: AWS Transit Gateway with Spoke 1 and Spoke 2 (app subnet instances) connected by VPC attachments, a Security VPC (connected by a VPC attachment) containing Gateway Load Balancer Endpoints and a Gateway Load Balancer in front of firewalls FW 1, FW 2 and FW 3, and a data center (servers) connected by a VPN attachment or Direct Connect.

Cisco Secure Firewall Threat Defense Virtual: GWLB Integration, Internet Ingress
Diagram: Security VPC with the Gateway Load Balancer and Cisco Secure Firewall Threat Defense Virtual; Spoke 1 with Gateway Load Balancer Endpoint (GWLBEP1), App Subnet 1 (10.81.100.0/24, instances), GWLBEP Subnet 1 (10.81.200.0/24) and an Internet Gateway; inbound user from the Internet.
- Inbound traffic is forwarded to firewalls in a Security VPC for FW inspection
- No requirement for SNAT; the server sees the real IP of the client
- Traffic is routed to the GWLB endpoint and then to the GWLB using the AWS route table
- GWLB encapsulates the traffic and then forwards it to the same FW for inspection
- Support for multi-AZ deployment
Route tables:
GWLBEPsubnet1-RT: 0.0.0.0/0 -> IGW; 10.81.0.0/16 -> local
AppSubnet1-RT: 0.0.0.0/0 -> GWLBEP1; 10.81.0.0/16 -> local
IGW1-RT: 10.81.100.0/24 -> GWLBEP1; 10.81.0.0/16 -> local

Cisco Secure Firewall Threat Defense Virtual: GWLB Integration, Internet Egress
Diagram: Security VPC with the Gateway Load Balancer and Cisco Secure Firewall Threat Defense Virtual; Spoke 1 with Gateway Load Balancer Endpoint (GWLBEP1), App Subnet 1 (10.81.100.0/24, instances), GWLBEP Subnet 1 (10.81.200.0/24) and an Internet Gateway; outbound traffic to the Internet.
- Outbound traffic is forwarded to firewalls in a Security VPC for FW inspection
- No SNAT on the firewall; the destination sees the elastic IP address of the host or the NAT GW IP address
- Traffic is routed to the GWLB endpoint and then to the GWLB using the AWS route table
- GWLB encapsulates the traffic and then forwards it to the same FW for inspection
- Support for multi-AZ deployment
Route tables:
GWLBEPsubnet1-RT: 0.0.0.0/0 -> IGW; 10.81.0.0/16 -> local
AppSubnet1-RT: 0.0.0.0/0 -> GWLBEP1; 10.81.0.0/16 -> local
IGW1-RT: 10.81.100.0/24 -> GWLBEP1; 10.81.0.0/16 -> local
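The three route tables on the ingress and egress slides are what make the "no SNAT" claim hold: both directions of a flow have to cross the same GWLB endpoint. The added example below (not part of the session, and not Cisco's or AWS's code) walks a packet and its reply through those tables with longest-prefix matching and checks that symmetry; the hop model (which table applies at each step) is a deliberate simplification of VPC routing, and the hosts 198.51.100.7, 10.81.100.10 and 10.81.50.5 are constructed, the last one standing for a hypothetical subnet that the IGW route table does not steer through the endpoint.

```python
"""Trace inbound/return packets through the GWLB ingress and egress route tables.

Added example, not Cisco's or AWS's code. Route tables and prefixes are the
ones quoted on the slides; the hop-sequencing model is a simplification.
"""
import ipaddress
from typing import List

# (destination prefix, next hop) entries exactly as quoted on the slides.
ROUTE_TABLES = {
    "IGW1-RT":          [("10.81.100.0/24", "GWLBEP1"), ("10.81.0.0/16", "local")],
    "AppSubnet1-RT":    [("0.0.0.0/0", "GWLBEP1"),      ("10.81.0.0/16", "local")],
    "GWLBEPsubnet1-RT": [("0.0.0.0/0", "IGW"),          ("10.81.0.0/16", "local")],
}
APP_SUBNET_1 = ipaddress.ip_network("10.81.100.0/24")
VPC_CIDR = ipaddress.ip_network("10.81.0.0/16")
INSPECTION = "GWLB+firewall"  # hop label for the GENEVE trip through the Security VPC


def lookup(table_name: str, dst: str) -> str:
    """Longest-prefix match, as the VPC router does; raises if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"{table_name}: no route for {dst}")
    return best[1]


def trace(src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Ordered hops for a packet src -> dst.

    Model (simplified): a packet from the Internet is matched against the IGW
    ingress table; a packet sent by an App Subnet 1 instance against that
    subnet's table; a packet handed back by the GWLB endpoint after inspection
    against the endpoint subnet's table. 'local' delivery and 'IGW' egress end
    the trace.
    """
    src_ip = ipaddress.ip_address(src)
    if src_ip in APP_SUBNET_1:
        table = "AppSubnet1-RT"
    elif src_ip in VPC_CIDR:
        raise ValueError("only App Subnet 1 sources are modelled")
    else:
        table = "IGW1-RT"
    hops = [table]
    for _ in range(max_hops):
        next_hop = lookup(table, dst)
        hops.append(next_hop)
        if next_hop in ("local", "IGW"):
            return hops
        if next_hop == "GWLBEP1":
            hops.append(INSPECTION)       # endpoint -> GWLB -> firewall -> endpoint
            table = "GWLBEPsubnet1-RT"    # the decapsulated packet re-enters here
            hops.append(table)
            continue
        raise ValueError(f"unknown next hop {next_hop}")
    raise RuntimeError("routing loop")


def inspected(hops: List[str]) -> bool:
    return INSPECTION in hops


def flow_symmetric(client: str, server: str):
    """True when both the inbound packet and the reply pass the firewall."""
    inbound, reply = trace(client, server), trace(server, client)
    return inspected(inbound) and inspected(reply), inbound, reply


def uninspected_ingress(destinations: List[str], client: str = "198.51.100.7") -> List[str]:
    """Destinations the IGW delivers without steering through the GWLB endpoint."""
    return [d for d in destinations if not inspected(trace(client, d))]


if __name__ == "__main__":
    ok, inbound, reply = flow_symmetric("198.51.100.7", "10.81.100.10")
    print("symmetric:", ok, "\n  inbound:", inbound, "\n  reply:  ", reply)
    print("bypasses inspection:", uninspected_ingress(["10.81.100.10", "10.81.50.5"]))
```

The last call is the check a defender wants from these tables: any VPC prefix that the IGW table resolves to `local` rather than the endpoint is reachable from the Internet without ever reaching the firewall.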
Cisco Secure Firewall Threat Defense Virtual: GWLB Integration, East/West Traffic Flow
Diagram: AWS Transit Gateway with Spoke 1 and Spoke 2 (app subnet instances) connected by VPC attachments, and a Security VPC (connected by a VPC attachment) containing Gateway Load Balancer Endpoints, the Gateway Load Balancer and Cisco Secure Firewall Threat Defense Virtual.
- East/West traffic inspection with TGW and GWLB
- Support for multi-AZ deployment for the FW in the Security VPC using an appliance mode attachment
- No need to SNAT the traffic
- GWLB encapsulates the traffic in GENEVE and forwards it to the right FW in the pool
- Traffic is routed to the GWLB via the GWLB endpoint using the AWS route tables

Cisco Secure Firewall Threat Defense Virtual: GWLB Integration, East/West Traffic Flow (Data Center to VPC)
Diagram: AWS Transit Gateway with Spoke 1 and Spoke 2 (app subnet instances) connected by VPC attachments, a Security VPC (connected by a VPC attachment) containing Gateway Load Balancer Endpoints, the Gateway Load Balancer and Cisco Secure Firewall Threat Defense Virtual, and a data center (servers) connected by a VPN attachment or Direct Connect.
- TGW connects the AWS infrastructure to the customer DC using a TGW VPN attachment or Direct Connect (DX)
- Firewall insertion between DC to VPC and VPC to DC using TGW, GWLB, and the AWS route table

Cisco Secure Firewall Threat Defense: Autoscale for GWLB architecture
- Cisco Secure Firewall Threat Defense integration with GWLB on AWS supports autoscale
- Autoscale ensures a new firewall is added with the right configuration and registers new appliances with FMC automatically
- Supports BYOL and PAY-G models for autoscale + GWLB insertion
- Autoscale support is added in release 7.2
- Support for multi-AZ architecture

Cisco Secure Firewall Clustering: Overview (Reference slide)
Diagram: client and server on either side of a Cisco Secure Firewall Cluster whose nodes take the Forwarder, Director and Owner roles and exchange state over the Cluster Control Link (CCL). Sequence: 1. SYN, 2. SYN, 3. SYN/ACK, 4. SYN/ACK, 5. State update, 6. SYN/ACK.

Cisco Secure Firewall Clustering on AWS
- Clustering in AWS can go up to 16 nodes (minimum one node)
- Stateful connections with the load balancer rebalance feature
- Config and state sync over the Cluster Control Link (CCL)
- Individual-interface clustering on AWS
- Avoids source NAT for inbound connections (the cluster natively handles return traffic)
- Uses VXLAN over UDP
- Minimum 5 interfaces (outside, inside, management, diagnostic & CCL); a cluster behind GWLB can support 4 interfaces (management, diagnostic, CCL, and Geneve)
- Clustering is supported on the following models only: FTDv20, FTDv30, FTDv50 and FTDv100
Diagram: client and server on either side of a Cisco Secure Firewall Cluster whose nodes take the Forwarder, Director and Owner roles and exchange state over the CCL. Sequence: 1. SYN, 2. SYN, 3. SYN/ACK, 4. SYN/ACK, 5. State update, 6. SYN/ACK.

Cisco Secure Firewall Threat Defense Clustering: Internet Ingress
Diagram: Security VPC with the Gateway Load Balancer in front of a Cisco Secure Firewall Cluster (Node 1, Node 2, Node 3); Spoke 1 with Gateway Load Balancer Endpoint (GWLBEP1), App Subnet 1 (10.81.100.0/24, instances), GWLBEP Subnet 1 (10.81.200.0/24) and an Internet Gateway; inbound user from the Internet.
- Inbound traffic is forwarded to firewalls in a Security VPC for FW inspection
- No requirement for SNAT; the server sees the real IP of the client
- Traffic is routed to the GWLB endpoint and then to the GWLB using the AWS route table
- GWLB encapsulates the traffic and then forwards it to the same FW for inspection
- Support for multi-AZ deployment
- State sharing using the Cluster Control Link (CCL)
- Session failover using "AWS Target Failover of Existing Flows"
Route tables:
GWLBEPsubnet1-RT: 0.0.0.0/0 -> IGW; 10.81.0.0/16 -> local
AppSubnet1-RT: 0.0.0.0/0 -> GWLBEP1; 10.81.0.0/16 -> local
IGW1-RT: 10.81.100.0/24 -> GWLBEP1; 10.81.0.0/16 -> local

Cisco Secure Firewall Threat Defense Clustering: Internet Ingress Failure Event
Diagram: the same ingress topology with one cluster node (of Node 1, Node 2, Node 3) failed.
- State sharing using the Cluster Control Link (CCL)
- Session failover using "AWS Target Failover of Existing Flows"
Route tables:
GWLBEPsubnet1-RT: 0.0.0.0/0 -> IGW; 10.81.0.0/16 -> local
AppSubnet1-RT: 0.0.0.0/0 -> GWLBEP1; 10.81.0.0/16 -> local
IGW1-RT: 10.81.100.0/24 -> GWLBEP1; 10.81.0.0/16 -> local

Cisco Secure Firewall Threat Defense Clustering: East/West Traffic Flow
Diagram: Security VPC with the Gateway Load Balancer; Spoke 1 with Gateway Load Balancer Endpoint (GWLBEP1), GWLBEP Subnet 1 (10.81.200.0/24), App Subnet 1 (10.81.100.0/24, instances) and an Internet Gateway.
Route tables:
GWLBEPsubnet1-RT: 0.0.0.0/0 -> IGW; 10.81.0.0/16 -> local
IGW1-RT
113、 Secure Firewall Threat Defense ClusteringEast/West Traffic FlowAWS CloudSecurity VPCAWS CloudSpoke 1Gateway Load BalancerGateway Load Endpoint(GWLBEP1)GWLBEP Subnet 110.81.200.0/24InternetGatewayApp Subnet 110.81.100.0/24Instances GWLBEPsubnet1-RTNetworkNext-hop0.0.0.0/0IGW10.81.0.0/16localIGW1-RTN
114、etworkNext-hop10.81.100.0/24GWLBEP110.81.0.0/16localEast/WestNode 1Node 2Node 3Cisco Secure Firewall ClusterApp Subnet 210.81.100.0/24Instances AppSubnet1-RTNetworkNext-hop10.81.101.0/0GWLBEP110.81.0.0/16localAppSubnet2-RTNetworkNext-hop10.81.100.0/0GWLBEP110.81.0.0/16localBRKSEC-302351 2023 Cisco a
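The route tables above are easy to get subtly wrong (a missing more-specific route on one side silently bypasses the cluster on the return path). The following is an added example, not code from the session or from Cisco: a longest-prefix-match walk through the tables transcribed from the Internet Ingress and East/West slides, checking that both directions of a flow cross GWLBEP1, and therefore the firewall cluster, exactly once. The host addresses used in the checks are made up; the table names and prefixes are the slides' own.

```python
"""Added example, not from the session or from Cisco: a longest-prefix-match
walk through the route tables on the clustering slides, to check that both
directions of a flow are steered through the GWLB endpoint (GWLBEP1) and
therefore through the firewall cluster. The tables are transcribed from the
slides; the host addresses used in the checks are made up."""
from ipaddress import ip_address, ip_network

# Route tables from the Internet Ingress and East/West slides (prefix -> next hop).
ROUTE_TABLES = {
    "IGW1-RT": {"10.81.100.0/24": "GWLBEP1", "10.81.0.0/16": "local"},
    "AppSubnet1-RT": {"0.0.0.0/0": "GWLBEP1", "10.81.101.0/24": "GWLBEP1", "10.81.0.0/16": "local"},
    "AppSubnet2-RT": {"0.0.0.0/0": "GWLBEP1", "10.81.100.0/24": "GWLBEP1", "10.81.0.0/16": "local"},
    "GWLBEPsubnet1-RT": {"0.0.0.0/0": "IGW", "10.81.0.0/16": "local"},
}
VPC_CIDR = ip_network("10.81.0.0/16")
# Subnet -> the route table its outgoing traffic is looked up in.
SUBNET_TABLE = {
    "10.81.100.0/24": "AppSubnet1-RT",
    "10.81.101.0/24": "AppSubnet2-RT",
    "10.81.200.0/24": "GWLBEPsubnet1-RT",
}
MAX_HOPS = 8


def lookup(tables, table_name, dst):
    """AWS-style longest-prefix match of dst in one route table; returns the next hop."""
    dst_ip = ip_address(dst)
    best = None
    for prefix, next_hop in tables[table_name].items():
        net = ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise ValueError(f"{table_name}: no route to {dst}")
    return best[1]


def entry_table(src):
    """Route table consulted for the first hop: the source subnet's table inside the
    VPC, or the ingress table attached to the Internet Gateway for outside sources."""
    src_ip = ip_address(src)
    if src_ip in VPC_CIDR:
        for prefix, table in SUBNET_TABLE.items():
            if src_ip in ip_network(prefix):
                return table
        raise ValueError(f"{src} is in the VPC but not in a known subnet")
    return "IGW1-RT"


def trace(src, dst, tables=ROUTE_TABLES):
    """Ordered list of hops for a packet from src to dst. A GWLBEP1 hop hands the packet
    to the GWLB/firewall; after inspection it re-enters routing from the GWLB endpoint
    subnet's table. 'local' = delivered inside the VPC, 'IGW' = sent to the Internet."""
    hops, table = [], entry_table(src)
    for _ in range(MAX_HOPS):
        next_hop = lookup(tables, table, dst)
        hops.append(next_hop)
        if next_hop != "GWLBEP1":
            return hops
        hops.append("firewall")
        table = "GWLBEPsubnet1-RT"
    raise RuntimeError(f"routing loop between {src} and {dst}: {hops}")


def inspected_both_ways(a, b, tables=ROUTE_TABLES):
    """True when a->b and b->a each cross the firewall exactly once (symmetric insertion)."""
    return trace(a, b, tables).count("firewall") == 1 and trace(b, a, tables).count("firewall") == 1


def missing_return_route():
    """The failure mode the E/W slide's /24 routes prevent: drop the more-specific route
    from AppSubnet2-RT and the reply bypasses the firewall via the local /16 route."""
    broken = {name: dict(routes) for name, routes in ROUTE_TABLES.items()}
    del broken["AppSubnet2-RT"]["10.81.100.0/24"]
    return trace("10.81.101.20", "10.81.100.10", broken), inspected_both_ways("10.81.100.10", "10.81.101.20", broken)


if __name__ == "__main__":
    print("internet -> app1 :", trace("203.0.113.10", "10.81.100.10"))
    print("app1 -> internet :", trace("10.81.100.10", "203.0.113.10"))
    print("app1 <-> app2 symmetric:", inspected_both_ways("10.81.100.10", "10.81.101.20"))
    print("without the /24 return route:", missing_return_route())
```

Run it as-is to see the three flows from the slides; to check your own deployment, paste the route tables exported from the console into ROUTE_TABLES and SUBNET_TABLE and call inspected_both_ways for each pair of subnets that must be inspected.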
Cisco Secure Firewall Threat Defense Clustering: East/West Failure Event (Reference)
Same topology and route tables as the East/West flow above, with one cluster node marked failed (X); the surviving nodes take over its flows.

Cisco Secure Firewall Threat Defense Clustering: Inter-VPC Traffic Flow
Diagram: Spoke 1 (App Subnet, Instances) and Spoke 2 (App Subnet, Instances) attach to the AWS Transit Gateway through VPC attachments; the Security VPC (Gateway Load Balancer, Gateway Load Balancer Endpoints, Cisco Secure Firewall Cluster Node 1, Node 2, Node 3) attaches the same way. Inter-VPC traffic is sent by the TGW into the Security VPC, through the GWLB endpoints to the cluster, and back to the TGW toward the destination spoke.

Cisco Secure Firewall Threat Defense Clustering: East/West Traffic Flow, Failure Event (Reference)
Same inter-VPC topology with one cluster node marked failed (X).

Cisco Secure Firewall Threat Defense Clustering: VPC to Data Center Traffic Flow
Diagram: as above, plus the Data Center (Servers) connected to the Transit Gateway through a VPN attachment or Direct Connect. VPC-to-DC and DC-to-VPC traffic is steered by the TGW through the Security VPC and the cluster.

Cisco Secure Firewall Threat Defense Clustering: VPC to Data Center Traffic Flow, Failure Event (Reference)
Same topology with one cluster node marked failed (X).

Cisco Firewall & AWS Transit Gateway Architecture: Overview
Diagram: a Remote Worker (1) sends a DNS request and (2) receives the DNS reply from AWS Route 53, then (3) the VPN user connects to a firewall through the Internet Gateway. Each availability zone holds firewalls with an outside and an inside subnet: 10.0.1.0/24 and 10.0.2.0/24, 10.0.4.0/24 and 10.0.5.0/24, 10.0.7.0/24 and 10.0.8.0/24. Spoke web subnets 10.1.1.0/24 (Spoke1-WebServer 10.1.1.100) and 10.2.1.0/24 (Spoke2-WebServer 10.2.1.100) are reached through the Transit Gateway.
- VPN load balancing using Route 53: AWS Route 53 maintains a host record for each firewall.
- The TTL is defined on AWS Route 53.
- An AWS Route 53 health check monitors each firewall.
- Each AZ may have multiple firewalls.
- Cisco ASAv or NGFWv acts as the VPN concentrator.
- The Transit Gateway connects the VPCs using VPC attachments.
- The Transit Gateway connects to the data center using a VPN attachment.

Integrations (Reference)
- Cisco Secure Workload
- Cisco Secure Dynamic Attribute Connector (CSDAC)
- Amazon GuardDuty
- Amazon CloudWatch
- AWS Control Tower

Cisco Secure Firewall Integration with Secure Workload: Key Functions
Key capabilities:
- Real-time rule updates using dynamic objects, without a policy deployment.
- Additional threat protection using Secure Firewall on existing Secure Workload policies.
- Advanced access-control options (intrusion and file/malware policy, URL filtering, etc.).
- Fine-grained policies from Secure Workload to implement contextual access rules on the firewall.
- Leveraging Secure Firewall for policy enforcement on workloads without agents.
- Enhancing static firewall rules with dynamic workload intelligence.
- Ensuring security at application speed in a constantly changing DevOps environment.
- Automated firewall access-rule updates based on workload changes.

Cisco Secure Firewall Integration with Secure Workload: Integration
Diagram: Secure Firewall Threat Defense exports NSEL flow records to Secure Workload through the Ingest Connector; Secure Workload pushes dynamic policy to the Secure Firewall Management Center (FMC). Segmentation policies are enforced at the workloads that run an agent and at the firewall for workloads without agents (bare metal, virtual machines, containers); the Secure Connector carries the exchange with the SaaS tenant or through a proxy.

Cisco Secure Firewall Integration: Cisco Secure Dynamic Attribute Connector (CSDAC)
Attribute-based policy, with sources that are FMC-native and sources that arrive through CSDAC:
- Azure: user-defined tags and global/regional service tags
- Cisco ISE (FMC native): IP-SGT, 802.1X users, endpoint profiles
- User-IP mappings and syslog (FMC native)
- AWS: user-defined tags
- VMware ESXi/NSX: workload metadata
- Office 365: Exchange, SharePoint, Skype for Business
- GCP: user-defined tags
- GitHub: public services
- Cisco ACI: Endpoint Groups (EPG) and Endpoint Security Groups (ESG)
- Custom dynamic attributes through an open REST API
- Secure Workload: scopes, inventory filters, clusters
- Workflow: dynamic object atomic actions out of the box
- CSDAC in cdFMC

The new cloud form factor (Reference)
- Standalone CSDAC (Linux machine)
- NEW: cloud-delivered CSDAC in cdFMC (Tools & Services)
- NEW: built-in CSDAC in FMC, no separate VM required

Cisco Secure Dynamic Attribute Connector (CSDAC): Deployment Scenario (Reference)
- Create dynamic policy for on-prem and cloud elements.
- Dynamic objects for SaaS applications, e.g. O365.
Benefits:
- Accelerate integration and adapt to changes instantaneously.
- Prevent the build-up of outdated firewall rules.
- Control access to Office 365 and GitHub with community-based security feeds.
- Accelerate your digital transformation.
- Filter attributes with meaningful logical context.
CSDAC aggregates dynamic attributes from public and private cloud for Secure Firewall policy.
Dynamic attribute filters:
  Name             Connector  Query
  Linux-Servers    vCenter    os=RHEL 7 (64-bit) OR os=CentOS7 (64-bit)
  Windows-Servers  vCenter    os=MS Windows Server 2016 (64-bit) AND (network=PROD_NETW OR Host=NODE1) AND Power=running
  Powered-On       vCenter    Power=running AND (network=PROD_NETW OR Host=NODE1)
Dynamic object mappings shown on the slide:
  Linux-Servers    172.16.0.1, 172.16.0.3
  Windows-Servers  10.0.1.11, 10.0.1.14, 10.0.1.20
  Powered-On       10.0.1.14
Diagram: connectors (Azure, AWS, vCenter/NSX, O365, GCP) feed the CSDAC container, and its FMC adapter pushes the resulting dynamic objects to FMC.
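To make the filter table concrete, here is an added example (not Cisco code and not how CSDAC is implemented internally): a small evaluator for filters written in the slide's syntax (key=value terms joined with AND, OR and parentheses), run against a constructed inventory that stands in for what the vCenter connector returns, producing the dynamic-object-to-IP mappings the FMC adapter would push. The inventory is made up so that Linux-Servers and Windows-Servers resolve to the addresses on the slide. One caveat the table does not show: every host that satisfies the Windows-Servers query also satisfies the Powered-On query (Power=running AND the same parenthesised clause), so as written Powered-On is always a superset of Windows-Servers; the slide's mapping of Powered-On to a single address is illustrative only, and the overlap function below makes such overlaps visible before they turn into surprising rule matches.

```python
"""Added example, not Cisco code: a small evaluator for CSDAC-style dynamic
attribute filters (key=value terms combined with AND, OR and parentheses), run
against a constructed inventory that stands in for what the vCenter connector
returns, producing the dynamic-object-to-IP mappings the FMC adapter would push."""
from ipaddress import ip_address

# Constructed inventory; attribute names match the slide's queries.
INVENTORY = [
    {"ip": "172.16.0.1", "os": "RHEL 7 (64-bit)", "network": "DEV_NETW", "Host": "NODE2", "Power": "running"},
    {"ip": "172.16.0.3", "os": "CentOS7 (64-bit)", "network": "PROD_NETW", "Host": "NODE3", "Power": "off"},
    {"ip": "10.0.1.11", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Host": "NODE1", "Power": "running"},
    {"ip": "10.0.1.14", "os": "MS Windows Server 2016 (64-bit)", "network": "DEV_NETW", "Host": "NODE1", "Power": "running"},
    {"ip": "10.0.1.20", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Host": "NODE4", "Power": "running"},
    {"ip": "10.0.1.30", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "Host": "NODE5", "Power": "off"},
    {"ip": "10.0.2.7", "os": "Ubuntu 20.04 (64-bit)", "network": "PROD_NETW", "Host": "NODE6", "Power": "running"},
]

# The three filters from the slide, verbatim.
FILTERS = {
    "Linux-Servers": "os=RHEL 7 (64-bit) OR os=CentOS7 (64-bit)",
    "Windows-Servers": "os=MS Windows Server 2016 (64-bit) AND (network=PROD_NETW OR Host=NODE1) AND Power=running",
    "Powered-On": "Power=running AND (network=PROD_NETW OR Host=NODE1)",
}


def tokenize(expr):
    """Split a filter into LP/RP/AND/OR/TERM tokens. A value runs until an operator
    or an unbalanced ')', so values such as 'RHEL 7 (64-bit)' keep their parentheses."""
    tokens, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c.isspace():
            i += 1
        elif c in "()":
            tokens.append(("LP" if c == "(" else "RP", None))
            i += 1
        elif expr.startswith("AND", i) and (i + 3 == n or expr[i + 3].isspace()):
            tokens.append(("AND", None))
            i += 3
        elif expr.startswith("OR", i) and (i + 2 == n or expr[i + 2].isspace()):
            tokens.append(("OR", None))
            i += 2
        else:
            eq = expr.index("=", i)
            j, depth = eq + 1, 0
            while j < n:
                if expr[j] == "(":
                    depth += 1
                elif expr[j] == ")":
                    if depth == 0:
                        break
                    depth -= 1
                elif depth == 0 and (expr.startswith(" AND ", j) or expr.startswith(" OR ", j)):
                    break
                j += 1
            tokens.append(("TERM", (expr[i:eq].strip(), expr[eq + 1:j].strip())))
            i = j
    return tokens


def parse(tokens):
    """Recursive-descent parser; AND binds tighter than OR, parentheses override."""
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos][0] if pos < len(tokens) else None

    def or_expr():
        node = and_expr()
        while peek() == "OR":
            take()
            node = ("OR", node, and_expr())
        return node

    def and_expr():
        node = atom()
        while peek() == "AND":
            take()
            node = ("AND", node, atom())
        return node

    def atom():
        kind, value = take()
        if kind == "LP":
            node = or_expr()
            if take()[0] != "RP":
                raise ValueError("missing ')'")
            return node
        if kind == "TERM":
            return ("TERM",) + value
        raise ValueError(f"unexpected token {kind}")

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return tree


def matches(node, host):
    """Evaluate a parsed filter against one inventory record."""
    if node[0] == "TERM":
        return host.get(node[1]) == node[2]
    left, right = matches(node[1], host), matches(node[2], host)
    return (left and right) if node[0] == "AND" else (left or right)


def resolve(filters=FILTERS, inventory=INVENTORY):
    """{dynamic object name: sorted IPs} for every filter."""
    return {name: sorted((h["ip"] for h in inventory if matches(parse(tokenize(q)), h)), key=ip_address)
            for name, q in filters.items()}


def overlap(mapping, a, b):
    """IPs that land in both dynamic objects (here the Windows-Servers / Powered-On case)."""
    return sorted(set(mapping[a]) & set(mapping[b]), key=ip_address)


if __name__ == "__main__":
    result = resolve()
    for name, ips in result.items():
        print(f"{name:16} {', '.join(ips)}")
    print("shared:", overlap(result, "Windows-Servers", "Powered-On"))
```

The evaluator is deliberately strict (exact attribute match, explicit operators) so that a filter which does not parse fails loudly rather than silently matching nothing; in CSDAC itself an empty dynamic object is just as silent as a mis-scoped one, so check the resolved membership, not only the query text.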
Cisco Secure Firewall Threat Defense: AWS Control Tower Integration
Cisco Secure Firewall integration with AWS Control Tower (available on AWS Marketplace):
- Many AWS and Cisco customers use multiple accounts to isolate resources and workloads across their AWS environment. Using multiple accounts helps customers meet regulatory and compliance needs, track operational costs, and add an extra layer of security.
- AWS Control Tower uses best practices to establish a well-architected, multi-account baseline across your AWS accounts.
- Using this integration, you can provision customized AWS accounts in AWS Control Tower that are enabled for network security inspection use cases with Cisco Secure Firewall Threat Defense Virtual (FTDv).

AWS GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
- Improve security operations visibility.
- Assist security analysts in investigations.
- Identify files containing malware.
- Route insightful information on security findings to your preferred operational tools.
Links on the slide: AWS GuardDuty documentation; Cisco Secure Firewall Threat Defense Integration with AWS GuardDuty (integration guide).

Cisco Secure Firewall Threat Defense integration with AWS GuardDuty: Solution Overview
When the AWS GuardDuty service reports a finding for malicious activity detected in the AWS environment, the CloudWatch event rule (which monitors the GuardDuty findings) triggers the AWS Lambda function, which:
1. Processes the reported finding to verify that all the required criteria are met (severity, INBOUND connection direction, presence of a malicious IP, not a duplicate finding, etc.).
2. Updates the network object group(s) with the malicious IP on the ASA Virtual, or on the manager of the threat defense virtual (Secure Firewall Management Center Virtual or Secure Firewall Device Manager, as per the input configuration).
3. Updates the malicious IP in the report file on the S3 bucket.
4. Sends a mail notification to the administrator regarding the updates (and/or any errors).
This integration works with:
- Firewall Management Center Virtual (FMCv): Security Intelligence Network Feed URL, or network object group(s) update.
- Cisco Firewall Device Manager (FDM): network object group(s) update.

Cisco Secure Firewall Threat Defense integration with AWS GuardDuty: severity levels (Reference)
  Severity  Value range  Description
  High      7.0 to 8.9   The resource in question (an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.
  Medium    4.0 to 6.9   Suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise.
  Low       1.0 to 3.9   Attempted suspicious activity that did not compromise your network, for example a port scan or a failed intrusion attempt.
- Amazon GuardDuty (GD) is a continuous security monitoring and threat detection service that incorporates threat intelligence, anomaly detection, and machine learning to help protect your AWS resources, including your AWS accounts.
- GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment.
- Based on the resource type, GuardDuty findings are categorized into EC2, IAM, and S3 finding types.
- The severity value can fall anywhere within the 0.1 to 8.9 range, with higher values indicating greater security risk.

Cisco Secure Firewall Threat Defense integration with AWS GuardDuty (contd.) (Reference)
- This integration provides threat analysis from AWS GuardDuty to Cisco Secure Firewall Threat Defense, which uses the information to protect the underlying network and applications against future threats originating from these sources (malicious IPs).
- It is a completely serverless implementation built on AWS Lambda, and uses several other AWS services such as GuardDuty, CloudWatch, S3 and SNS.
- The minimum supported version for this integration is release 7.2.
- To use the Security Intelligence Network Feed URL-based solution with Secure Firewall Management Center Virtual (FMCv), Threat licensing must be enabled for the applicable devices (FTDv).
- Works with FMCv (Security Intelligence Network Feed URL, or network object group(s) update) and FDM (network object group(s) update).

Firewall Management Center Virtual: Network Object Group(s) update (Reference)
Flow: (1) GuardDuty sends threat findings to CloudWatch; (2) the CloudWatch event triggers the Lambda function; (3) Lambda updates the malicious host in the report file on the S3 bucket and SNS sends the email notification; (4) Lambda updates the network object group(s) on the Cisco Secure Firewall Management Center, which deploys the change to the managed devices (App 1 ... App n).

Firewall Management Center Virtual: Security Intelligence Network Feed (Reference)
Same GuardDuty, CloudWatch, Lambda, S3 and SNS flow. The user configures a Security Intelligence feed with the S3 object of the malicious-IP report file produced by Lambda, and configures an access control policy that uses the Security Intelligence feed to block traffic from the malicious hosts reported by Lambda and GuardDuty. FMC pulls the feed on its configured update interval, so blocking through the feed lags the finding by up to that interval; the object-group variant is pushed immediately but takes effect only after a policy deployment.

Firewall Device Manager: Network Object Group(s) update (Reference)
Same flow, with Lambda updating the network object group directly on FDM. The user configures and deploys the required access rule/policy that uses the given network object group to block traffic from the malicious hosts reported by Lambda/GuardDuty.
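The first step of the Lambda function described above (deciding which findings are worth blocking) is where most of the operational risk sits: too low a severity threshold turns every port scan into a block-list entry, and an unfiltered remote address can put internal space into an edge block list. The following is an added example, not Cisco's Lambda code, that implements that filter step as pure Python so it runs offline. The events are constructed to the shape of the GuardDuty finding schema (detail.severity, detail.service.action.networkConnectionAction); the S3 report file, SNS mail and FMC/FDM object-group update are represented by return values only, and the RFC 1918/loopback guard is an addition of this example, not a documented criterion of the integration.

```python
"""Added example, not Cisco's Lambda: the finding-filter step of the GuardDuty
integration described above, as pure Python so it runs offline. The events are
constructed to the shape of the GuardDuty finding schema; the S3 report file,
SNS mail and FMC/FDM object-group update are represented by return values only."""
import ipaddress

HIGH, MEDIUM, LOW = 7.0, 4.0, 1.0  # lower bounds of the GuardDuty severity bands
# Addresses that must never be pushed into an edge block list (addition of this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def remote_ip(finding):
    """Remote IPv4 address of an INBOUND network-connection finding, else None."""
    action = finding.get("service", {}).get("action", {})
    if action.get("actionType") != "NETWORK_CONNECTION":
        return None
    conn = action.get("networkConnectionAction", {})
    if conn.get("connectionDirection") != "INBOUND":
        return None
    return conn.get("remoteIpDetails", {}).get("ipAddressV4")


def evaluate(finding, seen_ids, min_severity=MEDIUM):
    """Apply the acceptance criteria: not a duplicate, severity at or above the
    threshold, an INBOUND connection with a remote IP, and not internal address space.
    Returns (accepted, reason, ip)."""
    if finding.get("id") in seen_ids:
        return False, "duplicate finding", None
    if float(finding.get("severity", 0)) < min_severity:
        return False, "below severity threshold", None
    ip = remote_ip(finding)
    if ip is None:
        return False, "not an INBOUND connection with a remote IP", None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "unparseable IP", None
    if any(addr in net for net in INTERNAL_NETS):
        return False, "private/internal address", None
    return True, "accepted", ip


def render_feed(ips):
    """Body of the report file / Security Intelligence feed: one address per line."""
    return "".join(f"{ip}\n" for ip in sorted(ips, key=ipaddress.ip_address))


def handle_events(events, state):
    """Process a batch of CloudWatch events. state = {"seen": set(), "ips": set()}
    stands in for the dedup record and the block list kept in S3 / the object group.
    Returns ([(finding id, reason)], feed text)."""
    decisions = []
    for event in events:
        finding = event["detail"]
        accepted, reason, ip = evaluate(finding, state["seen"])
        state["seen"].add(finding["id"])
        if accepted:
            state["ips"].add(ip)
        decisions.append((finding["id"], reason))
    return decisions, render_feed(state["ips"])


def _event(fid, severity, direction, ip):
    """Constructed CloudWatch event carrying a GuardDuty finding (sample data)."""
    return {"detail-type": "GuardDuty Finding", "detail": {
        "id": fid, "severity": severity, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
            "connectionDirection": direction, "remoteIpDetails": {"ipAddressV4": ip}}}}}}


SAMPLE_EVENTS = [
    _event("f1", 8.0, "INBOUND", "198.51.100.23"),   # high severity inbound: block
    _event("f2", 2.0, "INBOUND", "203.0.113.9"),     # low severity: ignored
    _event("f3", 5.0, "OUTBOUND", "192.0.2.44"),     # outbound: ignored
    _event("f1", 8.0, "INBOUND", "198.51.100.23"),   # duplicate of f1
    _event("f4", 6.5, "INBOUND", "10.0.3.7"),        # private space: ignored
]

if __name__ == "__main__":
    st = {"seen": set(), "ips": set()}
    for fid, reason in handle_events(SAMPLE_EVENTS, st)[0]:
        print(fid, reason)
    print(render_feed(st["ips"]), end="")
```

The feed text is what FMC would fetch from the S3 object for the Security Intelligence variant; for the object-group variant the same set of addresses would be written to FMC or FDM through their REST APIs, which this example does not call.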
Azure

Azure Overview
Diagram: Region (us-east-1) & VNet, Resource Group, Availability Zone 1 and Availability Zone 2, Subnet 1a and Subnet 1b, Workloads, Network Security Group, User Defined Route (UDR), Network Virtual Appliance (NVA: Threat Defense or ASA), External Load Balancer (ELB), Internal Load Balancer, Gateway Subnet with Virtual Network Gateway and Azure ExpressRoute.
Building blocks: Resource Group; Region & VNet; Availability Zone and Availability Set; Subnet; Workload and Public IP; Network Virtual Appliance; Load Balancer (internal and external); User Defined Route; Network Security Group; VPN Gateway; ExpressRoute.

Cisco Secure Firewall Threat Defense Virtual: Routed Mode
Deployment
- Cisco Secure Firewall Threat Defense and Cisco Firewall Management Center are available in the Azure Marketplace.
- Supports BYOL and PAY-G.
- Acts as the next hop for workload instances.
Management
- Firewall Management Center (FMC); orchestrate configuration using the FMC API.
- Cloud-delivered Firewall Management Center.
- Terraform & Ansible.
Use cases
- Stateful FW, VPN, AVC, IPS, URL filtering, and malware protection.
- Remote users (VPN & non-VPN).
Diagram: Region (us-east-1), Resource Group, Availability Zone 1, a vNet with Subnet: Outside and Subnet: Inside on either side of the Cisco Secure Firewall Threat Defense Virtual.

Azure User Defined Route (UDR) (Reference)
Azure UDR is a native Azure tool that lets you create custom routes in a route table. A UDR is associated with a subnet, and routes defined in the UDR override Azure's default system routes.
Next-hop types in an Azure UDR: Virtual Appliance, Virtual Network Gateway, Virtual Network, Internet, None.
Benefits:
- A UDR can be modified using an API call.
- A UDR can carry more specific routes.

Cisco Secure Firewall ASA Virtual High Availability (Active/Standby) (Reference)
Diagram: a vNet with protected workloads on the Inside subnet, whose UDR points at the active ASAv; Active ASAv and Backup ASAv in an Availability Set, each running the HA agent; an Azure Load Balancer with a frontend public IP in front of them.
- HA agent: communicates with the peer and determines the Active/Backup state, responds to LB probes, and programs the Azure user defined route (UDR).
- The frontend public IP is assigned on the Azure Load Balancer.
- Load balancer probes: the load balancer probes each ASAv using a TCP handshake; only the HA agent on the active ASAv responds, so traffic is steered to the active ASAv. Probe port TCP 44441, control port TCP 44442.
- Requires release 9.8.1.200 or higher.
- Routes are programmed via Azure REST APIs. UDR for the Inside subnet: Destination 0.0.0.0/0, Next hop = Active ASAv.
- Integrated solution: no external scripts or agents required.
- Multiple subscription support: HA can modify UDRs in multiple subscriptions.
- Fast switchover: detection to recovery in seconds.
- Stateless switchover: connections are not replicated to the backup firewall.
- YouTube: Demo 1, Demo 2.
Because the HA agent rewrites route tables through the Azure REST API, the Azure AD application identity it authenticates with should be granted write access only to the route tables it manages, not to the whole subscription.

Cisco Secure Firewall ASAv HA: Multiple subscriptions (Reference)
Diagram: Subscription 1 holds vNet 10.82.0.0/16 with the protected workloads (Inside), the Active ASAv and Backup ASAv (HA agents) in an Availability Set, and the UDRs inside-RT (10.82.1.0/24), dmz1-RT (10.82.2.0/24) and dmz2-RT (10.82.3.0/24). Subscription 2 holds vNet 10.32.0.0/16, peered with the first, with the UDR partner-udr (10.32.1.0/24).

Cloud Failover Configuration Recommendation (Reference)
Primary ASA configuration (the subscription ID is truncated on the slide):

  failover cloud route-table inside-RT
    rg answamiasavha
    route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.4
    route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.4
    route Route-Subnet2-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.1.4
    route Route-Subnet3-To-ASAv prefix 10.82.3.0/24 nexthop 10.82.1.4
  failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
    rg answamiasavha
    route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.4
    route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.4
    route Route-Subnet2-To-ASAv prefix 10.82.1.0/24 nexthop 10.82.3.4
    route Route-Subnet3-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.3.4

Backup ASA configuration (identical, with the backup unit's own interface addresses as next hops):

  failover cloud route-table inside-RT
    rg answamiasavha
    route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.5
    route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.5
    route Route-Subnet2-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.1.5
    route Route-Subnet3-To-ASAv prefix 10.82.3.0/24 nexthop 10.82.1.5
  failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
    rg answamiasavha
    route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.5
    route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.5
    route Route-Subnet2-To-ASAv prefix 10.82.1.0/24 nexthop 10.82.3.5
    route Route-Subnet3-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.3.5

Recommendations:
- Manage all directly connected UDRs from the ASA.
- Never add routes from the Azure portal to UDRs managed by the ASAv HA agent.
- Multiple UDRs and multiple subscriptions are supported.
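A switchover only works if the backup unit's failover cloud configuration mirrors the primary's exactly (same tables, same route names and prefixes, same resource group and subscription) with only the next hop changed to the backup's own interface. Copy-and-paste errors here are discovered at failover time. The following is an added example, not Cisco code: it parses the two configurations shown above and diffs them the way a pre-change review should. The primary configuration is the slide's (subscription ID left truncated, as on the slide); the backup configuration is derived from it by substituting the .5 addresses, which is exactly how the slide's two halves relate.

```python
"""Added example, not Cisco code: parse the 'failover cloud route-table' stanzas
from the primary and backup ASAv configurations shown above and check that the
two peers program the same tables and routes, differing only in the next hop
(each unit's own interface address). The subscription ID is left truncated as
on the slide."""
import re

PRIMARY_CONFIG = """
failover cloud route-table inside-RT
  rg answamiasavha
  route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.1.4
  route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.1.4
  route Route-Subnet2-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.1.4
  route Route-Subnet3-To-ASAv prefix 10.82.3.0/24 nexthop 10.82.1.4
failover cloud route-table partner-udr subscription-id cd5fe6b4-d2ed
  rg answamiasavha
  route Route-Internet-To-ASAv prefix 0.0.0.0/0 nexthop 10.82.3.4
  route Route-Subnet1-To-ASAv prefix 10.82.0.0/24 nexthop 10.82.3.4
  route Route-Subnet2-To-ASAv prefix 10.82.1.0/24 nexthop 10.82.3.4
  route Route-Subnet3-To-ASAv prefix 10.82.2.0/24 nexthop 10.82.3.4
"""
# The backup unit uses the same tables and routes with its own interface IPs (.5).
BACKUP_CONFIG = PRIMARY_CONFIG.replace("nexthop 10.82.1.4", "nexthop 10.82.1.5").replace("nexthop 10.82.3.4", "nexthop 10.82.3.5")

STANZA_RE = re.compile(r"failover cloud route-table (\S+)(?: subscription-id (\S+))?$")
RG_RE = re.compile(r"rg (\S+)$")
ROUTE_RE = re.compile(r"route (\S+) prefix (\S+) nexthop (\S+)$")


def parse_failover_cloud(config_text):
    """{table: {'subscription': str|None, 'rg': str|None, 'routes': {route name: (prefix, nexthop)}}}"""
    tables, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STANZA_RE.match(line):
            current = tables.setdefault(m.group(1), {"subscription": m.group(2), "rg": None, "routes": {}})
        elif current is None:
            raise ValueError(f"line outside a route-table stanza: {line}")
        elif m := RG_RE.match(line):
            current["rg"] = m.group(1)
        elif m := ROUTE_RE.match(line):
            current["routes"][m.group(1)] = (m.group(2), m.group(3))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return tables


def check_peers(primary, backup):
    """Human-readable findings; an empty list means the peers are consistent."""
    findings = []
    for name in sorted(set(primary) | set(backup)):
        if name not in primary or name not in backup:
            findings.append(f"{name}: route-table defined on only one peer")
            continue
        p, b = primary[name], backup[name]
        for key in ("subscription", "rg"):
            if p[key] != b[key]:
                findings.append(f"{name}: {key} differs ({p[key]} vs {b[key]})")
        for rname in sorted(set(p["routes"]) | set(b["routes"])):
            if rname not in p["routes"] or rname not in b["routes"]:
                findings.append(f"{name}/{rname}: route defined on only one peer")
                continue
            (pp, pn), (bp, bn) = p["routes"][rname], b["routes"][rname]
            if pp != bp:
                findings.append(f"{name}/{rname}: prefix differs ({pp} vs {bp})")
            if pn == bn:
                findings.append(f"{name}/{rname}: both peers program the same nexthop {pn}; failover would not move traffic")
        for unit, table in (("primary", p), ("backup", b)):
            hops = {nh for _, nh in table["routes"].values()}
            if len(hops) > 1:
                findings.append(f"{name}: {unit} uses several nexthops {sorted(hops)}; one table should point at one interface of this unit")
    return findings


if __name__ == "__main__":
    prim, back = parse_failover_cloud(PRIMARY_CONFIG), parse_failover_cloud(BACKUP_CONFIG)
    print("slide configs:", check_peers(prim, back) or "consistent")
    copied = parse_failover_cloud(BACKUP_CONFIG.replace("nexthop 10.82.3.5", "nexthop 10.82.3.4"))
    for finding in check_peers(prim, copied):
        print("pasted from primary:", finding)
```

The second run in the main block shows the classic mistake of pasting the primary's partner-udr stanza onto the backup unchanged: the routes still point at 10.82.3.4, so after a switchover the partner vNet keeps forwarding to the failed unit.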
Secure Firewall Scalable Design: Azure internal load balancer (ILB) Standard & external load balancer
Diagram: a vNet with WEB, APP and DB subnets, FMC, a Gateway Subnet (Virtual Network Gateway, Azure ExpressRoute) toward the Data Center, the NVA Subnet (inside) with FW01, FW02 ... FW.n in an Availability Set, an ILB Standard (VIP) with HA Ports on the inside, and an External LB facing Internet users.
UDRs:
  DB-UDR    Default/Internet   -> ILB VIP
            APP, WEB & DC      -> ILB VIP
  APP-UDR   Default/Internet   -> ILB VIP
            DB, WEB & DC       -> ILB VIP
  WEB-UDR   Default/Internet   -> ILB VIP
            DB, APP & DC       -> ILB VIP
  GW-UDR    WEB, APP & DB      -> ILB VIP
- Stateless switchover; firewalls in an Availability Set.
- YouTube: video 1 (overview), video 2 (end-to-end deployment demo). NGFWv ARM template (LB sandwich): Template.

Secure Firewall Scalable Design (cont.): Inbound traffic (Reference)
Inbound (N/S) traffic from Internet users arrives at the External LB, which distributes it across FW01 ... FW.n. The firewall translates the inbound traffic to its inside interface address, so the server's reply comes back to the same firewall.

Secure Firewall Scalable Design (cont.): Outbound traffic (mapped public IP address) (Reference)
Outbound traffic from APP follows APP-UDR (Default/Internet -> ILB VIP; DB, WEB and DC -> ILB VIP) to the ILB, which hands it to a firewall. The firewall translates the outbound traffic to its outside interface address (the mapped public IP), so the return traffic from the Internet lands on the same firewall.

Secure Firewall Scalable Design (cont.): East/West traffic (Reference)
WEB-UDR (Default/Internet -> ILB VIP; APP, DB & DC -> ILB VIP) steers WEB-to-APP/DB traffic to the ILB and through a firewall; stateless switchover.

Secure Firewall Scalable Design (cont.): DC traffic (Reference)
GW-UDR on the Gateway Subnet (WEB, APP & DB -> ILB VIP) steers traffic arriving from the Data Center over ExpressRoute (N/S) through the firewalls; stateless switchover.

LB Probes (Reference)
Internal and external Azure load balancers track the availability of firewalls using probes. Three options:
1. Probe the firewall itself (enable the web service on the interfaces and probe the interfaces).
2. Probe through the firewall (requires NAT and routes).
3. Probe the application port (requires NAT and ACP rules to allow the application traffic). Less firewall configuration, because NAT and ACLs are already configured for the application server.
Option 1 only proves the firewall answers; options 2 and 3 also prove the forwarding path. With option 3, if the probed application itself goes down every firewall is marked unhealthy at once, so probe a target that fails independently of the firewalls.

Secure Firewall Scalable Design: Separation of Internet and E/W traffic (Reference)
Diagram: two Standard ILBs with HA Ports in front of the NVA Subnet (inside) of NGFWv firewalls FW01 to FW04 in an Availability Set, each VIP fronting its own pool: ILB VIP1 for Internet traffic, ILB VIP2 for E/W traffic. An External LB still faces Internet users; stateless switchover.
UDRs:
  DB-UDR    Default/Internet   -> ILB VIP1
            APP, WEB & DC      -> ILB VIP2
  APP-UDR   Default/Internet   -> ILB VIP1
            DB, WEB and DC     -> ILB VIP2
  WEB-UDR   Default/Internet   -> ILB VIP1
            DB, APP and DC     -> ILB VIP2
  GW-UDR    WEB, APP & DB      -> ILB VIP2

Secure Service vNET
Diagram: a hub Service vNet with the NVA Subnet (FW01, FW02 ... FW.n), Internal LB (ILB VIP), External LB and Gateway Subnet; spoke vNets A and B are peered to the hub. Traffic is handled by UDRs and the load balancers.
  All-Subnets-UDR (applied to all subnets in all vNets)   All-Subnets -> ILB VIP; Internet -> ILB VIP
  GW-Subnet-UDR                                           All-Subnets -> ILB VIP; Internet -> ILB VIP

Cisco Secure Firewall Management: FDM (on-box manager), CDO (cloud-based manager) and cdFMC (Reference)
Diagram: the same scalable design; the firewall administrator reaches the MGMT interfaces of FW01 ... FW.n through Cisco Defense Orchestrator (cloud-based management). FTD release 6.5 introduced FDM for this deployment.

Cisco Secure Firewall Threat Defense Load Balancer Sandwich Design (Reference)
Diagram: an Azure Resource Group with a vNet holding the Outside Subnet behind the External Load Balancer (ELB, VIP) and the Inside Subnet behind the Internal Load Balancer (ILB, VIP); the Secure Firewall Threat Defense instances are managed by the Firewall Management Center; the workload subnets (Web Subnet, App Subnet, DB Subnet) each carry a UDR pointing at the ILB VIP.

Automated Cisco Secure Firewall Threat Defense Virtual Horizontal Scaling: Azure (Reference)
- Available from FTDv release 6.6.
- Serverless implementation (no helper VMs required for autoscale).
- Fully automated: NGFWv instance registration and de-registration, NAT, access policy and routes are applied to the scaled-out instance.
- Support for Standard Load Balancers and multiple Availability Zones.
- Azure Resource Manager (ARM) template-based deployment.
- Uses cloud-native services: Internal Load Balancer (ILB), External Load Balancer (ELB), Azure scale set, Azure Function and Logic App.
- Supports PAY-G and BYOL licensing; the user selects the licensing type during deployment.
198、s affiliates.All rights reserved.Cisco Public#CiscoLiveAutomated Cisco Secure Firewall Threat Defense Virtual Horizontal Scaling Azure Maximum number of NGFWv supported in Auto Scale is based on FMC limit NGFWvautomatedhorizontalscalingrequiresNGFWvscalesetsandwiched between ILB and ELB ELB distribu
199、tes traffic from internet to NGFWv instances in scale-set.Firewall then forwards traffic to application ILB distributes outbound internet traffic from an application to NGFWvinstances in the scale-set A network packet will never pass through both(internal&external)loadbalancers in a single connectio
200、nReferenceBRKSEC-302390 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAutomated Cisco Secure Firewall Threat Defense Virtual Horizontal Scaling Azure For traffic symmetry,outbound traffic is translated to egress interfaces(outside)IP address and Inbound traffic is transl
201、ated to egress interfaces(inside)IP address Support for Multi-Availability Zone ArchitectureReferenceBRKSEC-302391 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAutomated Cisco Secure Firewall Thread Defense Virtual Auto ScalingAzure Resource GroupWorkloadInsideInsideSub
202、netSubnetOutsideOutsideSubnetSubnetFirewall Firewall Management Management CenterCenterWeb SubnetWeb SubnetApp SubnetApp SubnetDB SubnetDB SubnetWorkloadExternal External Load BalancerLoad Balancer(ELB)(ELB)Internal Internal Load BalancerLoad Balancer(ILB)(ILB)VIPVIPUDR-ILB(VIP)UDR-ILB(VIP)UDR-ILB(V
203、IP)Secure Firewall Threat Defense managed by FMCSecure Firewall Threat Defense managed by FMCInternetInternetAzure Autoscale ManagerAzure Function Azure Function&Logic APP&Logic APPAzure Virtual Machine Scale Set-VMSSvNETSnapshot support 2023 Cisco and/or its affiliates.All rights reserved.Cisco Pub
204、lic#CiscoLiveAutomated Cisco Secure Firewall Thread Defense Virtual Auto Scaling(contd.)InsideInsideSubnetSubnetOutsideOutsideSubnetSubnetFirewall Firewall Management Management Center(FMC)Center(FMC)External External Load BalancerLoad Balancer(ELB)(ELB)Internal Internal Load BalancerLoad Balancer(I
- Internal Load Balancer (ILB)
- Azure Virtual Machine Scale Set (VMSS): the Auto Scale Manager requests and monitors VMSS metrics via REST API
- Auto Scale Manager: decides scaling (scale-in and scale-out) from the VMSS metric, manages the NGFWv configuration via API, handles log management and runtime configuration changes; it runs in Azure Functions and a Logic App
- Scale-in / scale-out is requested from VMSS via REST API, and VMSS replies with the result
- NGFWv registration / de-registration, configuration and deployment via REST API
(Reference)

Cisco Secure Firewall Threat Defense Virtual: Snapshot Support (Reference)
- A "snapshot" is the process of creating a replica image from one running virtual machine instance
- Faster boot time for Threat Defense Virtual in a public cloud auto-scale setup
- Secure Firewall release 7.2 introduced the capability to create a custom virtual image from an existing deployed Threat Defense Virtual. When the custom image is used to bring up new instances, they boot faster than from the original image; a fast boot time is essential for auto-scale deployments.
- The resulting Threat Defense Virtual can be managed by either Firewall Management Center or Firewall Device Manager (note: no manager may be associated with the Threat Defense Virtual when the snapshot is taken, since every instance launched from the image has to register as a new device)
- In Azure, a snapshot image is created with the "capture" option:
  1. Create a managed image using the capture option
  2. Select managed image #1
  3. Launch an instance from image #1 and customize it
  4. Stop the instance to ensure data integrity
  5. Create a new managed image #2 using the "capture" option; Azure adds image #2 to the image gallery
  6. Use managed image #2 to launch new instances

Cisco Secure Firewall Threat Defense Clustering: Azure (Reference)
- Cisco Secure Firewall clustering with Azure GWLB
- FTDv: supported on release 7.3 or higher
- ASAv: supported on release 9.19.1 or higher
- Up to 16 nodes per cluster
- Support for Azure Network Load Balancer and Azure Gateway Load Balancer
- Licensing: BYOL and PAYG
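The Azure auto-scale slides above say the Auto Scale Manager decides scale-in and scale-out from VMSS metrics it pulls over the REST API. The decision logic itself is not shown in the deck; the following is an added example of the kind of policy such a manager applies, not Cisco's Azure Function code. The thresholds, the cooldown, the per-instance CPU sample format and the instance names are assumptions for illustration.

```python
"""Scale-in / scale-out decision of an auto-scale manager driven by VMSS
CPU metrics. Added example; thresholds and sample format are assumptions."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ScalePolicy:
    """Thresholds the manager applies. All values are assumed defaults."""
    min_instances: int = 2       # never scale below the HA minimum
    max_instances: int = 10      # cap on VMSS capacity
    scale_out_cpu: float = 70.0  # average CPU % that triggers scale-out
    scale_in_cpu: float = 30.0   # average CPU % that allows scale-in
    cooldown_seconds: int = 600  # quiet period after any scaling action


def decide(cpu_samples, current_instances, policy, seconds_since_last_action):
    """Return "scale-out", "scale-in" or "none".

    cpu_samples: one CPU-percentage reading per running firewall, as the
    manager would collect from the VMSS metrics API (constructed here).
    """
    if seconds_since_last_action < policy.cooldown_seconds:
        return "none"  # still in cooldown: avoid flapping
    if not cpu_samples:
        return "none"  # no telemetry: never act blindly
    avg = mean(cpu_samples)
    if avg >= policy.scale_out_cpu and current_instances < policy.max_instances:
        return "scale-out"
    if avg <= policy.scale_in_cpu and current_instances > policy.min_instances:
        # Only remove a node if the survivors would stay under the scale-out
        # threshold; otherwise the manager would scale straight back out.
        projected = avg * current_instances / (current_instances - 1)
        if projected < policy.scale_out_cpu:
            return "scale-in"
    return "none"


def choose_scale_in_candidate(cpu_by_instance):
    """Pick the least-loaded instance to de-register from the manager and
    delete from the VMSS; ties are broken by name for determinism."""
    return min(cpu_by_instance, key=lambda name: (cpu_by_instance[name], name))


if __name__ == "__main__":
    policy = ScalePolicy()
    samples = {"fw-0": 12.0, "fw-1": 8.0, "fw-2": 10.0}   # constructed readings
    action = decide(list(samples.values()), len(samples), policy, 900)
    print(action, choose_scale_in_candidate(samples) if action == "scale-in" else "")
```

The order of operations on scale-in matters more than the threshold: the slide lists NGFWv de-registration via API before the VMSS instance goes away, and this example's candidate selection is the input to that step, so the manager never deletes a VM that is still registered and licensed.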
Cisco Secure Firewall Threat Defense Clustering: NLB-based architecture
- Load balancer sandwich: Internet users -> External LB -> FW01, FW02 ... FW.n -> Internal LB (Standard SKU VIP, HA Ports); the cluster nodes exchange state over the CCL
- Each spoke subnet in the vNET (WEB, APP, DB) carries a UDR that steers traffic to the internal LB VIP:
  WEB-UDR: Default/Internet -> ILB VIP; DB, APP and DC -> ILB VIP
  APP-UDR: Default/Internet -> ILB VIP; DB, WEB and DC -> ILB VIP
  DB-UDR:  Default/Internet -> ILB VIP; APP, WEB and DC -> ILB VIP
- NGFWv ARM template (LB sandwich) and an FTDv cluster with NLB template are linked from the deck

Cisco Secure Firewall Threat Defense Clustering: GWLB architecture (Reference)
- The gateway load balancer is associated with a (Standard SKU) public load balancer or with a network interface; a network interface must have a (Standard SKU) public IP
- Does not currently support East-West traffic
- Transparently intercepts traffic and requires no Azure routing changes
- Traffic received by the GWLB is load-balanced between the backend pool devices
- Uses VXLAN over UDP between the GWLB and the firewalls
- Always load balances all ports and protocols (called "HA Ports" in Azure)

GWLB architecture: inbound traffic flow (Internet -> public load balancer -> gateway load balancer -> Cisco Secure Firewalls -> VMs)
1. The inbound flow targets the public IP of the public load balancer
2. The flow is forwarded transparently from the public load balancer to the gateway load balancer
3. The flow is inspected by a firewall and returned to the gateway load balancer
4. The flow is returned to the public load balancer
5. The flow is forwarded to the internal server

GWLB architecture: outbound traffic flow (VMs -> public load balancer -> gateway load balancer -> Cisco Secure Firewalls -> Internet)
1. The outbound flow originates from the internal server and leaves via its public IP on the public load balancer
2. The flow is forwarded transparently from the public load balancer to the gateway load balancer
3. The flow is inspected by a firewall and returned to the gateway load balancer
4. The flow is returned to the public load balancer
5. The flow is forwarded to the Internet

Remote Worker: Azure Traffic Manager based VPN load balancing (Cisco Secure RAVPN architecture for Azure, single AZ)
- Weighted routing (Traffic Manager's weighted method) is recommended
- Azure Traffic Manager controls the DNS TTL and the health probe
- Each Availability Zone may have multiple firewalls
- Cisco ASAv or NGFWv acts as the VPN concentrator
- vNET peering for interconnecting vNETs
- IPsec tunnel or ExpressRoute for connectivity to the data center

Remote Worker: Azure Traffic Manager based VPN load balancing (Cisco Secure RAVPN architecture for Azure) (Reference)
- Same design as the single-AZ slide, with Azure Traffic Manager distributing users across the firewalls in each Availability Zone: weighted routing recommended, Traffic Manager controls TTL and probe, multiple firewalls per Availability Zone, ASAv or NGFWv as VPN concentrator, vNET peering between vNETs, IPsec tunnel or ExpressRoute to the data center
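The GWLB slides above state two things a practitioner should be able to verify: the gateway load balancer hands traffic to the firewall backend pool as VXLAN over UDP, and the firewall is a transparent bump in the wire that needs no Azure route changes. The following added example (not Cisco or Azure code) shows what that means on the wire: a VXLAN header with a per-direction VNI around an untouched inner frame, decapsulated and re-encapsulated by a toy firewall data path. The VNI values, the UDP ports and the placeholder MAC addresses are assumptions; the real tunnel identifiers are whatever is configured on the GWLB and on the firewall's VTEP interface.

```python
"""VXLAN-over-UDP encapsulation between a gateway load balancer and a
firewall backend. Added example; VNI values and the inner frame are assumed."""
import socket
import struct

VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit, RFC 7348
VXLAN_HDR_LEN = 8
# Assumed tunnel identifiers (placeholders): one VNI per direction, like the
# GWLB's pair of tunnels towards the appliance.
VNI_EXTERNAL = 801  # GWLB -> firewall, traffic arriving from the public LB side
VNI_INTERNAL = 800  # firewall -> GWLB, inspected traffic going back


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prefix an Ethernet frame with a VXLAN header carrying `vni`."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # word 0: flags(8) | reserved(24); word 1: VNI(24) | reserved(8)
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8) + inner_frame


def vxlan_decap(payload: bytes):
    """Return (vni, inner_frame); reject headers without the I bit set."""
    if len(payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", payload[:VXLAN_HDR_LEN])
    if not (word0 >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")  # RFC 7348: drop the packet
    return word1 >> 8, payload[VXLAN_HDR_LEN:]


def build_inner_frame(src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left at zero)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # placeholder MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def parse_inner(frame: bytes):
    """Return (src_ip, dst_ip, dst_port) from the constructed frame layout."""
    src = socket.inet_ntoa(frame[26:30])   # 14-byte Ethernet + 12 = IPv4 source
    dst = socket.inet_ntoa(frame[30:34])
    dport = struct.unpack("!H", frame[36:38])[0]  # TCP starts at offset 34
    return src, dst, dport


def firewall_inspect(udp_payload: bytes, allowed_ports):
    """Model of the firewall's data path behind the GWLB: decapsulate, apply
    a toy port policy, re-encapsulate on the opposite VNI. Returns the UDP
    payload to send back, or None when the packet is dropped."""
    vni, frame = vxlan_decap(udp_payload)
    src, dst, dport = parse_inner(frame)
    if dport not in allowed_ports:
        return None
    reply_vni = VNI_INTERNAL if vni == VNI_EXTERNAL else VNI_EXTERNAL
    # The inner frame goes back untouched: the original client and server
    # addresses are preserved, so no NAT and no Azure route changes are needed.
    return vxlan_encap(reply_vni, frame)
```

Because the inner addresses survive the round trip, the firewall's logs show the real client IP rather than a load balancer address, which is what makes the GWLB insertion transparent to both the application and the access policy.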
Remote Worker: Azure Traffic Manager, UDR (Cisco Secure RAVPN architecture for Azure) (Reference)
UDR on the spoke inside subnet (Spoke1insideUDR), one route per VPN pool pointing at the firewall that owns the pool:
  10.82.64.0/18  -> 10.82.2.10 (hubasa01 inside IP)
  10.82.128.0/18 -> 10.82.2.11 (hubasa02 inside IP)
  10.82.192.0/18 -> 10.82.2.12 (hubasa03 inside IP)
VPN pools: hubasa01 10.82.64.0/18, hubasa02 10.82.128.0/18, hubasa03 10.82.192.0/18
Remote Worker: Azure Traffic Manager, routing (Cisco Secure RAVPN architecture for Azure) (Reference)
Routes on hubasa01, hubasa02 and hubasa03 (identical on each hub firewall):
  10.83.0.0/16 (Spoke1 vNET) -> 10.82.2.1 (Azure network gateway)
  10.84.0.0/16 (Spoke2 vNET) -> 10.82.2.1 (Azure network gateway)
  10.3.0.0/16 (DC)           -> 10.82.2.1 (Azure network gateway)

Remote Worker: Azure Traffic Manager, ASA or FTD IPsec VPN (Reference)
- ASA or FTD IPsec VPN carries the routing between the hub firewalls and the data center (Cisco Secure RAVPN architecture for Azure, routing)

Licensing ASAv and NGFWv in Public Cloud (Reference)
Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure:
  ASA: Standard license (firewall, throughput); AnyConnect Apex license (SSL, IPsec)
  Threat Defense: Base license (firewall, AVC); term-based licenses (Threat, URL, AMP)
  Both are available in Azure as bring-your-own-license (BYOL) and pay-as-you-go (PAYG)
Note: no Cisco TAC support is included with the AWS pay-as-you-go license model, but one-year TAC support can be purchased from the listed partner (Purchase TAC Support)
* Maximum throughput is measured with traffic under ideal conditions
Azure Application Insights
- Azure Application Insights is the monitoring platform (platform-as-a-service) provided by Microsoft Azure
- Secure Firewall Threat Defense metrics can be published to Azure Application Insights
- REST API-based integration: Secure Firewall Threat Defense (FDM REST API) -> Azure Application Insights
- Supported only with FDM 7.0 or higher

Azure Stack Hub
- Azure Stack Hub is an extension of Azure that runs applications in an on-premises environment and delivers Azure services in the data center
- Cisco Secure Firewall is available on Azure Stack Hub: ASAv release 9.18, FTDv release 7.2.0, FMCv release 7.2.0
- Marketplace offers are available with a solution template; alternatively, upload the ASAv/FTDv/FMCv disk images to Azure Stack and deploy them with custom ARM templates
- Use cases: E/W and N/S edge firewall, VPN (RAVPN and S2S VPN)
- Licensing: BYOL

Google Cloud Platform
GCP Projects (Reference)
- All GCP resources are grouped under projects
- Project ID: a unique identifier for the project
- Project Number: assigned automatically when the project is created; read-only
- One mutable display name

GCP Compute Engine
- Compute Engine lets you create and run virtual machines on Google infrastructure
- Launch VMs from the standard images or from custom images created by users
- Machine types/sizes for FMCv, FTDv and ASAv are on the following slides

GCP Regions and zones (Reference)
- Global resources: accessible by any other resource across regions and zones; they include preconfigured disk images, disk snapshots and networks
- Regional resources: accessible only by resources in the same region; they include static external IP addresses
- Zonal resources: accessible only by resources in the same zone; they include VM instances, their machine types and disks

GCP VPC
- A VPC provides a global private communications space; VPCs are global, spanning all regions
- Instances within the VPC have internal IP addresses and can communicate privately with each other globally
- Subnets, routes, firewall rules and internal DNS are VPC constructs

Cisco Secure Firewall Threat Defense, Routed Mode (GCP)
- Four VPCs, one per Threat Defense Virtual interface (G0/0 to G0/3): Management VPC 10.1.250.0/24, Diagnostics VPC 10.1.250.0/24, Outside VPC 10.1.200.0/24, Inside VPC 10.1.100.0/24; managed by Firewall Management Center
- GCP route table (outside VPC): destination 10.1.100.0/24 -> next hop 10.1.200.50 (the FTDv outside interface)
- GCP route table (inside VPC): destination 10.1.200.0/24 -> next hop 10.1.100.50 (the FTDv inside interface)
Cisco Secure Firewall Threat Defense, Packet Mirroring (GCP)
- Same four-VPC layout (Management 10.1.250.0/24, Diagnostics 10.1.250.0/24, Outside 10.1.200.0/24, Inside 10.1.100.0/24), managed by Firewall Management Center
- GCP Packet Mirroring sends a copy of the VPC traffic to the Threat Defense interface: an out-of-band IDS deployment that provides visibility without being in the forwarding path

Cisco Secure Firewall ASA, Routed Mode (GCP)
- Three VPCs: Management VPC 10.1.250.0/24 (G0/0), Outside VPC 10.1.200.0/24 (G0/1), Inside VPC 10.1.100.0/24 (G0/2) on the Cisco Secure Firewall ASA virtual
- GCP route table (outside VPC): destination 10.1.100.0/24 -> next hop 10.1.200.50
- GCP route table (inside VPC): destination 10.1.200.0/24 -> next hop 10.1.100.50
Cisco Secure Firewall Autoscaling, ASAv on GCP
- Cisco Secure Firewall Autoscale is supported; support was added in ASA 9.17.1 but the solution is validated on earlier releases such as 9.15 and 9.16
- CPU utilization-based autoscaling
- Multi-AZ support (auto-scaled instances are spread across multiple availability zones)
- Deployment templates are available on GitHub
- Complete serverless implementation (no helper VMs needed)
- Automatic ASAv configuration through start-up scripts
- Serverless de-registration of licenses while scaling down
- Support for external and internal load balancers; BYOL license
- Load balancer sandwich model for ingress and egress traffic

Autoscale, ASAv on GCP (diagram)
- The Autoscale Manager manages ASAv FW-01, FW-02 ... FW-n
- Inbound traffic: Internet -> ELB -> ASAv -> Application
- Outbound traffic: Application -> ILB -> ASAv -> Internet

Cisco Secure Firewall Threat Defense, interface reordering (GCP)
- Default NIC mapping on Threat Defense Virtual: nic0 = Management0/0, nic1 = Diagnostic, nic2 = GigabitEthernet0/0, nic3 = GigabitEthernet0/1
- The GCP External Load Balancer (ELB) forwards packets only to nic0, and nic0 on FTDv is the management interface, which cannot be used as a data interface
- Release 7.2 adds an option to reorder the interfaces on FTDv: nic2 is fixed as management, nic3 is fixed as diagnostic, nic0 becomes GigabitEthernet0/0 and nic1 becomes GigabitEthernet0/1
- Minimum supported FMC and FDM: 7.2; only for FTDv deployed in GCP

Cisco Secure Firewall Autoscaling, FTDv on GCP
- Cisco Secure Firewall Autoscale is supported on FTDv release 7.2 or higher
- CPU utilization-based autoscaling
- Multi-AZ support (auto-scaled instances are spread across multiple availability zones)
- Deployment templates are available on GitHub
- Complete serverless implementation (no helper VMs needed)
- Automatic Secure Firewall Threat Defense configuration
- Serverless de-registration of licenses while scaling down
- Support for external load balancers (requires NIC reordering) and internal load balancers; BYOL license
- Load balancer sandwich model for ingress and egress traffic

Autoscale, FTDv on GCP (diagram)
- Instance group of FTDv FW-01, FW-02 ... FW-n, managed by Firewall Management Center (FMC)
- Inbound traffic: Internet -> ELB -> FTDv -> Application
- Outbound traffic: Application -> ILB -> FTDv -> Internet

Cisco Secure Firewall Clustering on GCP
- Clustering in GCP scales up to 16 nodes (minimum one node)
- Stateful connections with the load balancer rebalance feature
- Configuration and state sync over the Cluster Control Link (CCL)
- Individual-interface clustering, as on AWS
- Avoid source NAT for inbound connections: the cluster natively handles return traffic that lands on a different node
- Uses VXLAN over UDP
- Minimum 5 interfaces (outside, inside, management, diagnostic and CCL); a cluster behind a GWLB can work with 4 interfaces (management, diagnostic, CCL and Geneve)
- Clustering is supported only on FTDv20, FTDv30, FTDv50 and FTDv100
- Connection flow in the diagram (client, Secure Firewall cluster with owner, director and forwarder roles, server): 1. the client SYN lands on one node, which becomes the connection owner; 2. the owner forwards the SYN to the server; 3. the server SYN/ACK lands on a different node, the forwarder; 4. the forwarder relays the SYN/ACK over the CCL to the owner; 5. the owner sends a state update over the CCL to the director, which keeps the backup copy of the connection; 6. the owner delivers the SYN/ACK to the client, and later packets that hit the forwarder are relayed to the owner
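The clustering slide above reduces to one mechanism: whichever node first sees a connection owns it, a hash of the flow picks a director that keeps the backup state, and any other node that receives a packet of that flow acts as a forwarder towards the owner over the CCL. That is why the slide says not to source-NAT inbound connections: the cluster handles return traffic that the load balancer hashes to a different node. The following is an added model of those three roles, not Cisco's implementation; the director hash, the CCL message tuples and the node names are assumptions.

```python
"""Owner / director / forwarder roles for one cluster connection. Added
illustrative model; hash choice and message format are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self) -> str:
        """Direction-independent key so the reply maps to the same director."""
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return f"{self.proto}|{ends[0][0]}:{ends[0][1]}|{ends[1][0]}:{ends[1][1]}"

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class Cluster:
    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.owned = {n: set() for n in self.nodes}   # per-node owner table
        self.backup = {n: {} for n in self.nodes}     # per-director: key -> owner
        self.ccl = []                                  # messages carried on the CCL

    def director_for(self, key: str) -> str:
        """Every node computes the same director from a hash of the flow key.
        (A real cluster picks a separate backup when owner == director;
        that refinement is omitted here.)"""
        digest = hashlib.sha256(key.encode()).digest()
        return self.nodes[int.from_bytes(digest[:8], "big") % len(self.nodes)]

    def receive(self, node: str, flow: Flow, syn: bool):
        """A packet of `flow` arrives at `node` from the load balancer.
        Returns the node that ends up processing it, or None if dropped."""
        key = flow.key()
        if key in self.owned[node]:
            return node                       # owner: process locally
        if syn:
            # First node to see the SYN becomes the owner and sends a state
            # update over the CCL to the director, which becomes backup owner.
            self.owned[node].add(key)
            director = self.director_for(key)
            self.backup[director][key] = node
            self.ccl.append(("state-update", node, director, key))
            return node
        # Mid-connection packet on a non-owner: this node is a forwarder.
        director = self.director_for(key)
        self.ccl.append(("owner-query", node, director, key))
        owner = self.backup[director].get(key)
        if owner is None:
            return None                       # unknown connection: drop it
        self.ccl.append(("forward", node, owner, key))
        return owner


if __name__ == "__main__":
    c = Cluster(["fw1", "fw2", "fw3"])
    syn = Flow("tcp", "198.51.100.7", 51000, "10.0.2.10", 443)   # constructed
    print(c.receive("fw1", syn, syn=True), c.receive("fw2", syn.reverse(), syn=False))
    print(c.ccl)
```

The property worth testing in your own design is the last one the model enforces: a packet for a connection no node owns is dropped rather than passed, which is what makes the "no source NAT" guidance safe.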
Oracle Cloud Infrastructure (OCI)

Transit VCN: Hub & Spoke design with Cisco Secure Firewall (OCI region)
- Hub VCN 192.168.0.0/16 with the Cisco Secure Firewall(s) between an outside subnet and an inside subnet; an external NLB in front of the firewalls (NLB subnet), an internal NLB behind them, and an ALB subnet for the application load balancer
- Web Spoke VCN 10.0.0.0/24 (web tier VMs) and Database Spoke VCN 10.1.0.0/24 (database tier VMs), attached to the DRG
- Customer data center 172.16.0.0/16 reached through the DRG over VPN or FastConnect
Route tables:
  FW outside subnet: 0.0.0.0/0 -> Internet GW
  FW inside subnet:  10.0.0.0/24 -> DRG; 10.1.0.0/24 -> DRG
  NLB subnet:        172.16.0.0/16 -> DRG
  DRG route table:   10.0.0.0/24 -> internal NLB IP; 10.1.0.0/24 -> internal NLB IP
  Spoke subnets:     0.0.0.0/0 -> DRG
North-South inbound traffic (Reference)
Outbound traffic (Reference)
East-West traffic: Web to Database (Reference)
East-West traffic: Web application to Oracle Services Network (Reference)
East-West traffic: Oracle Services Network to Web application (Reference)
(Traffic-flow diagrams over the transit VCN design above; these reference slides carry no text.)

Cisco Secure Firewall Autoscaling, ASAv on OCI
- Cisco Secure Firewall Autoscale is supported on ASA release 9.17.1 or higher; the solution is validated on 9.15 or higher
- Deployment templates are available on GitHub
- Complete serverless implementation (no helper VMs needed)
- Configuration is applied automatically to the auto-scaled instances
- CPU- and memory-based scaling; metrics are published to OCI alarms
- The architecture uses OCI internal and external load balancers
- BYOL license; OCI Cloud Shell-based deployment is supported

Cisco Secure Firewall ASA virtual Autoscale (diagram): ASAv FW-01, FW-02 ... FW-n behind the OCI load balancers

Cisco Secure Firewall Autoscaling, Threat Defense Virtual on OCI
- Cisco Secure Firewall Autoscale is supported on Threat Defense release 7.1; the solution is validated on 6.7 or higher
- Deployment templates are available on GitHub
- Complete serverless implementation (no helper VMs needed)
- Configuration is applied automatically to the auto-scaled instances
- CPU- and memory-based scaling; metrics are published to OCI alarms
- The architecture uses OCI internal and external load balancers
- BYOL license; OCI Cloud Shell-based deployment is supported

Cisco Secure Firewall Threat Defense Virtual Autoscale (diagram): Threat Defense FW-01, FW-02 ... FW-n managed by Firewall Management Center (FMC)

Scalable RAVPN architecture with Cisco Secure Firewall: DNS-based load balancing (Reference)
- Oracle Cloud Infrastructure (US East): Outside, Management and Inside VCNs, each with subnets in Availability Domain 1 and Availability Domain 2; Cisco Secure Firewall ASA instances in each availability domain with three NICs (outside, inside, management), an Internet gateway and per-subnet route tables
- Management options: Cisco Secure Firewall ASA via Day0, CLI, API, ASDM, CSM and CDO; Cisco Secure Firewall Threat Defense via Cisco Secure Firepower Management Center
- Flow: the user sends a DNS query for the VPN headend FQDN; the DNS A records hold the firewalls' public IPs; DNS returns the public IP address of one firewall; the user connects to that firewall
- Note: each firewall has a dedicated VPN pool
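Both the Azure UDR slide and the OCI DNS-based design above end on the same note: each firewall has a dedicated VPN pool. The reason is return routing. DNS (or an NLB hash) decides which firewall a client lands on, and the only thing that lets a spoke VM's reply reach that same firewall is a route per pool whose next hop is the owning firewall's inside IP. The following added example (not Cisco's code or templates) builds that route table from the addresses on the Azure UDR slide, evaluates it with a longest-prefix match the way a UDR is evaluated, and refuses overlapping pools; the client index and the spoke VM address are constructed.

```python
"""Per-firewall VPN pools and the UDR that makes the return path deterministic.
Added example; firewall names, inside IPs and pools are from the UDR slide."""
import ipaddress

# Constructed from the Azure UDR slide: one VPN pool per hub firewall, the
# firewall's inside IP being the UDR next hop for that pool.
FIREWALLS = {
    "hubasa01": {"inside_ip": "10.82.2.10", "pool": "10.82.64.0/18"},
    "hubasa02": {"inside_ip": "10.82.2.11", "pool": "10.82.128.0/18"},
    "hubasa03": {"inside_ip": "10.82.2.12", "pool": "10.82.192.0/18"},
}


def build_udr(firewalls):
    """Build the spoke-side UDR as (destination network, next hop) pairs.
    Overlapping pools are a design error (the return path would become
    ambiguous), so refuse to build the table instead of silently routing."""
    routes, seen = [], []
    for name, fw in firewalls.items():
        pool = ipaddress.ip_network(fw["pool"])
        for other_name, other in seen:
            if pool.overlaps(other):
                raise ValueError(f"VPN pool of {name} ({pool}) overlaps {other_name} ({other})")
        seen.append((name, pool))
        routes.append((pool, ipaddress.ip_address(fw["inside_ip"])))
    return routes


def next_hop(routes, dst_ip):
    """Longest-prefix match, the way a UDR is evaluated; None = no custom route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else str(best[1])


def assign_client_ip(firewalls, fw_name, index):
    """The index-th client address out of the firewall's dedicated pool
    (pool exhaustion and reserved addresses are ignored here)."""
    return str(ipaddress.ip_network(firewalls[fw_name]["pool"])[index + 1])


def return_path_firewall(firewalls, routes, fw_name, index):
    """Which firewall a spoke VM's reply to this VPN client is routed to."""
    client_ip = assign_client_ip(firewalls, fw_name, index)
    hop = next_hop(routes, client_ip)
    for name, fw in firewalls.items():
        if fw["inside_ip"] == hop:
            return name
    return None


if __name__ == "__main__":
    table = build_udr(FIREWALLS)
    for net, hop in table:
        print(f"{net!s:16} -> {hop}")
    print("reply to a hubasa02 client goes to", return_path_firewall(FIREWALLS, table, "hubasa02", 17))
```

With a single shared pool the table collapses to one route, the reply can reach a firewall that holds no state for the tunnel, and the packet is dropped; the per-pool routes are what keep the path symmetric without NAT.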
Scalable RAVPN architecture with Cisco Secure Firewall: NLB-based load balancing (Reference)
- Management options: Cisco Secure Firewall ASA via Day0, CLI, API, ASDM, CSM and CDO; Cisco Secure Firewall Threat Defense via Cisco Secure Firepower Management Center
- The user uses the Network Load Balancer VIP as the VPN headend
- The NLB has multiple Cisco Secure Firewalls as backend endpoints and load balances traffic on a two-tuple hash (source and destination IP), so a client's SSL VPN session stays pinned to one firewall
- Each firewall has a dedicated VPN pool
- Same OCI (US East) layout as the DNS-based design: Outside, Management and Inside VCNs across Availability Domains 1 and 2, with the load balancer in front of the firewalls

Scalable RAVPN architecture with Cisco Secure Firewall: multi-region load balancing (DNS and NLB) (Reference)
- Management options as above
- The user sends a DNS query for the VPN headend FQDN; the DNS A record holds the VIPs of the regional NLBs; DNS returns the public IP of one NLB
- The user uses that NLB VIP as the VPN headend; the NLB has multiple Cisco Secure Firewalls as endpoints and load balances the SSL VPN sessions on the two-tuple hash
- Each firewall has a dedicated VPN pool

Alkira

Cisco Secure Firewall Threat Defense on Alkira (Reference)
- Alkira Cloud Services Exchange (CSX portal) connecting multiple public clouds, SaaS/Internet applications, remote users, remote sites, business partners, data centers and carrier-neutral facilities over hyperscale infrastructure, with Cisco Secure Firewall Threat Defense Virtual inserted as a security service and integration with Cisco SD-WAN fabrics

Cisco Secure Firewall Threat Defense on Alkira
Use cases:
- Internet ingress/egress
- Intra- and inter-cloud
- Cloud and enterprise DMZ
- On-prem to cloud
- M&A and partner connectivity
Benefits:
- Integration with Cisco Firewall Management Center using its API
- Firewall lifecycle management
- A single cluster of firewalls for all traffic patterns
- Consistent and automated traffic steering
- Autoscaling
- Support for BYOL and PAYG license models
- Multi-segment, multi-region, multi-cloud deployment

Cisco Secure Firewall Threat Defense Licensing on Alkira (Reference)
- Bring your own license (BYOL): Cisco Smart Licensing; the Base license (firewall, AVC) is perpetual, the Threat, URL and AMP licenses are term-based; see the Cisco Secure Firewall licensing documentation
- Pay-as-you-go (PAYG): firewall, AVC, Threat, URL and AMP; all features are enabled when using PAYG
- Cisco Secure Firewall Threat Defense is available in the Alkira service marketplace

Alkira Portal (Reference)

Easier Firewall Integration and Insertion (Reference)
- Do-it-yourself insertion in a public cloud: 1. add 2 spoke VPCs; 2. add 3 security VPCs; 3. add 6 firewalls; 4. add 2 TGW route tables; 5. add an IGW; 6. add an SLB; 7. attach the spoke VPCs to the route table; 8. add a TGW VPC attachment for the security route table; 9. propagate the firewall routes to the spoke route tables. Takes 2+ days, needs deep cloud expertise, and the result is not best practice
- Cisco Secure Firewall Threat Defense Virtual insertion in the Alkira CXP: minutes, no cloud to learn, optimized architecture

Secure Firewall Threat Defense in Alkira: Demo
Alibaba

Cisco Secure Firewall on Alibaba
- Cisco Secure Firewall is now available on Alibaba Cloud: Secure Firewall Threat Defense release 7.2.0 and Secure Firewall ASA release 9.18.1; Firewall Management Center is also available on Alibaba
- Routed mode is supported; the QCOW2 image can be uploaded to Alibaba
- Use cases: north-south traffic inspection, edge firewall, VPN (RAVPN and S2S)
- Supported models: ASAv5, ASAv10 and ASAv30; FTDv5, FTDv10 and FTDv30
- Licensing: ASAv and FTDv BYOL (Smart Licensing and Specific License Reservation, SLR) and evaluation license
- Deployment diagrams: ASAv edge deployment (Secure Firewall ASAv) and FTDv edge deployment (Secure Firewall Threat Defense)

Cisco Secure Firewall on Alibaba: supported instance types for FTDv and FMCv (see the Getting Started Guide linked from the deck)

Private Cloud: VMware

Cisco Secure Firewall Threat Defense Virtual on VMware
- Cisco Secure Firewall Threat Defense Virtual is available for VMware vSphere vCenter and ESXi (see the Secure Firewall Threat Defense on VMware Getting Started Guide)
- Deployment modes: routed (standalone), high availability and cluster; inline and inline TAP; passive; transparent
- Supported vNICs: VMXNET3, IXGBE, E1000 and IXGBE-VF (SR-IOV)
Performance tier | Device specification (core/RAM) | Rate limit | RA VPN session limit
FTDv5, 100 Mbps  | 4 core / 8 GB   | 100 Mbps | 50
FTDv10, 1 Gbps   | 4 core / 8 GB   | 1 Gbps   | 250
FTDv20, 3 Gbps   | 4 core / 8 GB   | 3 Gbps   | 250
FTDv30, 5 Gbps   | 8 core / 16 GB  | 5 Gbps   | 250
FTDv50, 10 Gbps  | 12 core / 24 GB | 10 Gbps  | 750
FTDv100, 16 Gbps | 16 core / 32 GB | 16 Gbps  | 10,000
- Diagrams: routed mode (g0/0 outside, g0/1 inside), transparent mode (g0/0, g0/1), inline pair (g0/0 and g0/1 pairs), passive mode (switch with ERSPAN), each between clients and servers

Cisco Secure Firewall Threat Defense Virtual on VMware (cont.) (Reference)
VMware feature support for Threat Defense Virtual:
  vMotion: Yes
  Suspend and resume: Yes
vSphere standard switch security policy options (required setting and action):
  Promiscuous mode: Accept. Edit the security policy for the vSphere standard switch in the vSphere Web Client and set the Promiscuous mode option to Accept; firewalls, port scanners, intrusion detection systems and the like need to run in promiscuous mode.
  MAC address changes: Accept. Verify in the security policy for the vSphere standard switch that the MAC address changes option is set to Accept.
  Forged transmits: Accept. Verify in the security policy for the vSphere standard switch that the Forged transmits option is set to Accept.
Scope these three exceptions to the port groups that carry the firewall's data interfaces rather than to the whole vSwitch: any VM on a port group with these settings can sniff and spoof traffic on it.

Cisco Secure Firewall ASA Virtual on VMware
- Cisco Secure Firewall ASAv is available for VMware vSphere vCenter and ESXi (see the ASAv on VMware Getting Started Guide)
- Deployment modes: routed (standalone), routed HA and cluster; transparent
- Supported vNICs: VMXNET3, i40evf/ixgbe-vf, and i40e in PCI passthrough
Performance tier | Device specification (core/RAM) | Rate limit | RA VPN session limit
ASAv5   | 1 core / 2 GB   | 100 Mbps | 50
ASAv10  | 1 core / 2 GB   | 1 Gbps   | 250
ASAv30  | 4 core / 8 GB   | 2 Gbps   | 750
ASAv50  | 8 core / 16 GB  | 10 Gbps  | 10,000
ASAv100 | 16 core / 32 GB | 20 Gbps  | 20,000
- Diagrams: routed mode (g0/0 outside, g0/1 inside) and transparent mode (g0/0, g0/1), each between clients and servers
Cisco Secure Firewall ASA Virtual on VMware (cont.) (Reference)
Port group security policy exceptions (setting required to be Accept, by firewall mode and failover):
  Promiscuous mode: transparent mode, with and without failover
  MAC address changes: routed mode with failover; transparent mode with failover
  Forged transmits: routed mode with failover; transparent mode, with and without failover
VMware feature support for ASAv:
  vMotion: Yes
  Suspend and resume: Yes
  Clone: Yes
  DRS: Yes
  Snapshot: Yes
  VM migration, vMotion, VMware HA: Yes
Cisco Secure Firewall Clustering on VMware
- Clustering groups devices into a single logical unit
- Available on VMware: Secure Firewall Threat Defense release 7.1, Secure Firewall ASA release 9.17.1
- Supports up to 16 nodes in a single cluster
- Virtual Extensible LAN (VXLAN) network virtualization with a VXLAN Tunnel End Point (VTEP): the Cluster Control Link (CCL) uses VXLAN encapsulation
- Supported models: Secure Firewall Threat Defense FTDv30, FTDv50 and FTDv100; Secure Firewall ASAv30, ASAv50 and ASAv100

Cisco Hyperflex
Cisco Secure Firewall Threat Defense on Cisco Hyperflex
Minimum supported manager version | Managed devices | Minimum managed device version required
FDM 7.0 | FTD on virtual hardware | FTD 7.0.0
FMC 7.0 | FTD on virtual hardware | FTD 7.0.0
- Cisco Secure Firewall Threat Defense and Firewall Management Center virtual can run on Cisco Hyperflex
- Deployment modes (Threat Defense Virtual): routed (standalone) and routed HA; inline and inline TAP; passive; transparent
- Licensing is the same as on VMware
- Supported cores: 4, 8, 12 and 16 vCPU
- Supported vNICs
- Firewall Management Center: standalone and high availability

Cisco Secure Firewall Threat Defense on Cisco Hyperflex: security policy for the vSphere standard switch (Reference)
1. On the Menu, click Networking and select a virtual switch
2. Select Actions and click Edit Settings
3. Select Security and view the current settings
4. Accept promiscuous mode activation, MAC address changes and forged transmits

KVM
Cisco Secure Firewall Threat Defense Virtual on KVM
- Cisco Secure Firewall Threat Defense Virtual is available for KVM (see the Secure Firewall Threat Defense on KVM Getting Started Guide)
- Deployment modes: routed (standalone), high availability and cluster; transparent; inline and inline TAP; passive
- Supports virtIO drivers, and ixgbe-vf drivers for SR-IOV
- Supports a total of 10 interfaces
Performance tier | Device specification (core/RAM) | Rate limit | RA VPN session limit
FTDv5, 100 Mbps  | 4 core / 8 GB   | 100 Mbps | 50
FTDv10, 1 Gbps   | 4 core / 8 GB   | 1 Gbps   | 250
FTDv20, 3 Gbps   | 4 core / 8 GB   | 3 Gbps   | 250
FTDv30, 5 Gbps   | 8 core / 16 GB  | 5 Gbps   | 250
FTDv50, 10 Gbps  | 12 core / 24 GB | 10 Gbps  | 750
FTDv100, 16 Gbps | 16 core / 32 GB | 16 Gbps  | 10,000
- Diagrams: routed mode (g0/0 outside, g0/1 inside), transparent mode (g0/0, g0/1), inline pair (g0/0 and g0/1 pairs), passive mode (switch with ERSPAN), each between clients and servers
Cisco Secure Firewall Clustering on KVM
- Clustering groups devices into a single logical unit
- Available on KVM: Secure Firewall Threat Defense release 7.1, Secure Firewall ASA release 9.17.1
- Supports up to 16 nodes in a single cluster
- Virtual Extensible LAN (VXLAN) network virtualization with a VXLAN Tunnel End Point (VTEP): the Cluster Control Link (CCL) uses VXLAN encapsulation
- Supported models: Secure Firewall Threat Defense FTDv30, FTDv50 and FTDv100; Secure Firewall ASAv30, ASAv50 and ASAv100

Nutanix
Cisco Secure Firewall Threat Defense on Nutanix
Minimum supported manager version | Managed devices | Minimum managed device version required
FDM 7.0 | FTD on virtual hardware | FTD 7.0.0
FMC 7.0 | FTD on virtual hardware | FTD 7.0.0
- Cisco Secure Firewall Threat Defense and Firewall Management Center virtual can run on Nutanix
- Deployment modes (Threat Defense Virtual): routed (standalone) and routed HA; inline and inline TAP; passive; transparent
- Licensing is the same as on KVM
- Supported cores: 4, 8, 12 and 16 vCPU
- Supported vNICs: VirtIO (Nutanix does not support SR-IOV or DPDK-OVS)
- Firewall Management Center: standalone; high availability (marked on the slide as not supported on KVM)

Cisco Secure Firewall Threat Defense on Nutanix: interface mapping (Reference)
Network adapter   | Source network     | Destination network | Function
Network adapter 1 | Management0-0      | Management0/0       | Management
Network adapter 2 | Diagnostic0-0      | Diagnostic0/0       | Diagnostic
Network adapter 3 | GigabitEthernet0-0 | GigabitEthernet0/0  | Outside data
Network adapter 4 | GigabitEthernet0-1 | GigabitEthernet0/1  | Inside data
Network adapter 5 | GigabitEthernet0-2 | GigabitEthernet0/2  | Data traffic (optional)
Network adapter 6 | GigabitEthernet0-3 | GigabitEthernet0/3  | Data traffic (optional)

Scalable multicloud security
320、s.All rights reserved.Cisco Public#CiscoLiveData Center(VMware,KVM,Hyperflex,Nutanix)AWS Account 1Security VPC(Hub)VPC1VPC2App VPC Region 1AWS Account 2Security VPC(Hub)VPC1VPC2App VPC Region 2Azure Subscription 1Security VNet(Hub)VNet1VNet2App VNet Region 1Azure Subscription 2Security VNet(Hub)VNet
321、1VNet2App VNet Region 2Cisco Multicloud Defense Gateways Cisco Multicloud Defense Gateways Cisco Multicloud Cisco Multicloud Defense Gateways Defense Gateways GCP Account 1Security VPC(Hub)VPC1VPC2App VPC Region 1GCP Account 2Security VPC(Hub)VPC2VPC2App VPC Region 2Cisco Multicloud Defense Gateways
322、 Cisco Multicloud Defense Gateways Cisco Multicloud Cisco Multicloud Defense Gateways Defense Gateways VCN 1VCN 2OCI Account 1Region 1Security VCN(Hub)App VCNVCN 2VCN 1VCN 1VCN 2OCI Account 2Region 2Security VCN(Hub)App VCNVCN 2VCN 1Scalable multicloud security using Cisco Secure FirewallFirewall Ma
323、nagement Center167Automation&Orchestration 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveInfrastructure as Code3 Ways for Network Practitioners to Embrace DevOps with Infrastructure-as-CodeBRKSEC-3023169 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#C
324、iscoLiveThese all depend on certain capabilities to exist.Ansible,Terraform,Git and API access are the popular tools.IaCInfrastructure as Code DevSecOpsSecurity as Code Policy as CodeAutomation and OrchestrationReferenceBRKSEC-3023170 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public
325、#CiscoLiveToolboxManage with Create FTDv,ASAv and FMC On Private Cloud:Vmware,KVM On Public cloud:AWS,Azure,GCP,Create infrastructureBRKSEC-3023171 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveScriptsTemplatePoliciesVPNAccess controlIPS policyEncrypted Visibility Engine
326、TerraformHow does Terraform work?FirewallsFMCBRKSEC-3023172Resources 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco Blogs on Secure Firewall Threat Defense in AWS Build resilience at scale with stateful firewall clusteringBuilding a Scalable Security Architecture on
327、 AWS with Cisco Secure Firewall and AWS Gateway Load BalancerSimplified Insertion of Cisco Secure Firewall with AWS Route Table EnhancementCisco Remote Access VPN architecture for Amazon Web Services(AWS)Cisco Secure Cloud Architecture for AWSConfiguring Cisco Security with Amazon VPC Ingress Routin
328、gBRKSEC-3023174 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAnubhav Swami on YouTube ChannelResources:YouTube ChannelBRKSEC-3023175 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveResources:GitHub repo and playlistCisco Secure Firewall Terraf
329、orm Deployment YouTube playlistCisco Secure Firewall GitHub RepoBRKSEC-3023176 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCisco Secure Firewall examples for cloudhttps:/ 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivePublic Resources Manage
330、 FMC moduleManage FMC moduleSource code:DevNet public repo ASA CollectionASA CollectionSource code:public Github CSDAC RoleCSDAC RoleSource code:DevNet public repo Manage FTD moduleManage FTD module Manage FMC ProviderManage FMC ProviderSource code Manage ASA ProviderManage ASA ProviderSource code E
331、nable CSDAC in FMC moduleEnable CSDAC in FMC moduleSource code Module to deploy FTD and FMC on AWSModule to deploy FTD and FMC on AWSSource codeBRKSEC-3023178 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!Attendees who fill out a minimum of