The document discusses Cisco's Firepower Threat Defense platform and hardware. It provides an overview of the Firepower 4100 and 9300 appliances as well as the ASA 5500-X series. It also covers Firepower Threat Defense software features and support across different Cisco platforms.

Firepower Scalable Designs

Tue Frei Nørgaard


Consulting Systems Engineer
Agenda
•  Welcome - introduction

•  Unified image – Firepower Threat Defense

•  Hardware – 4100, 9300 and ASA 5500-X

•  Firepower Management Center

•  High Availability and Scalability

•  Performance

•  Use cases

•  Q & A

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Next Generation Firewall (NGFW) Essentials
Cisco Collective Security Intelligence Enabled

•  NGIPS
•  Advanced Malware Protection
•  URL Filtering
•  High Availability
•  Analytics & Automation
•  Network Firewall, Routing | Switching
•  Built-in Network Profiling
•  Identity-Policy Control & VPN
•  Application Visibility & Control

One Operating System + One Management
Cisco NGFW Platforms

•  New appliances: Firepower 4100 Series and Firepower 9300
•  Firepower Threat Defense for ASA 5500-X* (* not ASA 5585)
•  Firepower Services on ASA 5500-X and 5585-X

All managed by Firepower Management Center - FMC
Firepower Threat Defense (FTD) is a NGFW SW Platform that Delivers Unified Code (Single OS) and Single Management

ASA with FirePOWER Services (two operating systems):
•  OS1: ASA (L2-L4)
•  OS2: FirePOWER Services (L7)

FTD (continuous feature migration from ASA into FTD):
•  Single OS
•  Single Management
•  Simple Deployment
•  Full Feature Set
Firepower Threat Defense (FTD) 6.0.1
New Converged ASA+FirePOWER Image
•  All FirePOWER capabilities plus select ASA features
•  Single Manager: Firepower Management Center 6.0*
•  Same subscriptions as FirePOWER Services, delivered via Smart Licensing only:
   •  Threat (IPS + SI)
   •  Malware (AMP + ThreatGrid)
   •  URL Filtering

ASA features in FTD 6.0.1:
•  Unified ASA and Firepower rules and objects
•  ASA dynamic and static NAT
•  ASA routing support: OSPFv2, BGP4, RIP, static; no PIM
•  SYN cookies, anti-spoofing
•  ASA ALGs (fixed configuration)
•  VMware and AWS support
•  Smart Licensing support

* Also manages Firepower Appliances and Firepower Services, but not ASA Software

Firepower Threat Defense 6.1 – release July 2016
Software Support by Platform

Platform                                     Firepower Threat Defense   Firepower NGIPS   ASA Firewall   Firepower Services on ASA
Old (Series 2) FirePOWER Appliances          ✗                          ✗                 ✗              ✗
FirePOWER 7000 Series                        ✗                          ✓                 ✗              ✗
FirePOWER 8000 Series                        ✗                          ✓                 ✗              ✗
ASA Low-end (5506/08/16)                     ✓ (reimage)                ✗                 ✓              ✓
ASA Mid-Range (5512/15/25/45/55)             ✓ (reimage)                ✗                 ✓              ✓
ASA High-end (5585 SSP-10/20/40/60)          ✗                          ✗                 ✓              ✓
Firepower 4100, 9300 (SSP 3RU - SM-24/36)    ✓                          ✗                 ✓              ✗
VMware                                       ✓                          ✓                 ✓              ✗
AWS                                          ✓                          ✗                 ✓              ✗
Hardware overview
Cisco ASA Firewalls

(Figure: platforms arranged by place in the network, from Teleworker through Branch Office, Internet Edge and Campus to Data Center; throughput and connections per second as labelled.)

•  Firepower 9300 (60-240 Gbps)
•  Firepower 4100 (20-60 Gbps)
•  ASA 5585 SSP60 (40 Gbps, 350K conn/s)
•  ASA 5585 SSP40 (20 Gbps, 240K conn/s)
•  ASA 5585 SSP20 (10 Gbps, 140K conn/s)
•  ASA 5585 SSP10 (4 Gbps, 65K conn/s)
•  ASA SM, Firewall and VPN (16-20 Gbps, 300K conn/s)
•  ASA 5555-X (4 Gbps, 50K conn/s)
•  ASA 5545-X (3 Gbps, 30K conn/s)
•  ASA 5525-X (2 Gbps, 20K conn/s)
•  ASA 5516-X (1.8 Gbps, 20K conn/s)
•  ASA 5508-X (1 Gbps, 10K conn/s)
•  ASA 5506-X (750 Mbps, 5K conn/s)
•  ASA 5515-X (750 Mbps, 15K conn/s)
•  ASA 5512-X (500 Mbps, 10K conn/s)
•  ASA 5505 (150 Mbps, 4K conn/s)
•  ASAv (100 Mbps-2 Gbps, 20-60K conn/s)
Platforms and Places in the Network
IPS Performance and Scalability

(Figure: appliances arranged from ROBO through Branch Office, Internet Edge and Campus to Data Center.)

•  FirePOWER 7000 Series: 50 Mbps – 250 Mbps
•  FirePOWER 7100 Series: 500 Mbps – 1 Gbps
•  FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps
•  FirePOWER 8100/8200: 2 Gbps – 10 Gbps
•  FirePOWER 8300 Series: 15 Gbps – 60 Gbps
Firepower 4100 Overview (1RU)

Built-in Supervisor and Security Module
•  Same hardware and software architecture as 9300
•  Fixed configurations (4110, 4120, 4140, 4150)
•  FXOS 1.1.4 for 4110-4140, 2.0.1 for 4150

Solid State Drives
•  Independent operation (no RAID)
•  Slot 1 today provides limited AMP storage
•  Slot 2 will add 400GB of AMP storage in FXOS 2.0.1

Network Modules
•  10GE/40GE interchangeable with 9300
•  Partially overlapping fail-to-wire controller options
Firepower 4100 Series Hardware Specification

Description                     FP 4110                   FP 4120                  FP 4140                  FP 4150 (future)
Chassis & I/O                   1RU, 2 x Network Module slots, 8 fixed SFP+ ports, 2 SSD slots, dual PSU slots (all models)
PSU – default config            Single AC                 Single AC                Redundant AC             Redundant AC
Processor – Xeon                Single, 12 core           Dual, 12 core            Dual, 18 core            Dual, 22 core
DDR4 RAM                        64GB                      128GB                    256GB                    256GB
SSD – default config            1 x 200GB                 1 x 200GB                1 x 400GB                1 x 400GB
Security Acceleration Module    Single accelerator card   Dual accelerator card    Dual accelerator card    Dual accelerator card

(SSD and accelerator cells span two columns each in the original table; they are split as shown above.)

•  10 and 40G Port Modules are the same for both FP 9300 and FP 4100 Series
•  DC Power Supply for FP 4110/FP 4120 only. Estimated at FCS + 3 months.
•  NEBS Certification completion for FP 4120 and FP 4140, 3 to 6 months after FCS
Firepower 9300 Overview (3RU)

Supervisor
•  Application deployment and orchestration
•  Network attachment and traffic distribution
•  Clustering base layer for ASA/FTD

Network Modules
•  10GE, 40GE, and 100GE
•  Hardware bypass for inline NGIPS

Security Modules
•  Embedded Smart NIC and crypto hardware
•  Cisco (ASA, FTD) and third-party (Radware DDoS) applications
•  Standalone or clustered within and across chassis
Firepower 9300 Security Modules

Description                     SM-24             SM-36             SM-44 (future)
Chassis & I/O                   3RU, 2 x Network Module slots, 8 fixed SFP+ ports, dual PSU slots (all modules)
PSU – default config            Redundant AC      Redundant AC      Redundant AC
Processor – Xeon                Dual, 12 CPU      Dual, 18 CPU      Dual, 22 CPU
DDR4 RAM                        128GB             256GB             256GB
SSD – default config            2 x 800GB SSD in RAID 1 (all modules)
Security Acceleration Module    Dual built-in hardware Smart NIC and Crypto Accelerator (all modules)
Standard Network Modules

•  All external network modules require fiber or copper transceivers
•  Support online insertion and removal

8x10GE
•  Firepower 4100 and 9300
•  Single width
•  1GE/10GE SFP

4x40GE
•  Firepower 4100 and 9300
•  Single width
•  4x10GE breakouts for each 40GE port

2x100GE (FXOS 1.1.4)
•  Firepower 9300 only
•  Double width
•  QSFP28 connector
•  No breakout support
•  Single-width module requires a Supervisor hardware change (future)
Fail-To-Wire (Hardware Bypass) - future

•  Support from FXOS 2.0.1 in both FP9300 and FP4100 Series
•  The Network Module must have the FTW capability
•  Provides hardware bypass for network connectivity during software or certain hardware failure
•  Used where network connectivity is more important than security during a failure; while the bypass is engaged, traffic passes uninspected
•  Only allowed on inline interfaces and inline interface tap mode in the FTD application from version 6.1; not in the ASA application

(Figure: FTD on the Security Engine connects through the backplane to an internal 720G switch fabric. The built-in 8x10GE interfaces attach via 2x40Gbps (80G); Network Module slot 1 and slot 2 attach via 5x40Gbps (200G) each. Hardware bypass is supported only on a fail-to-wire capable network module; it is not supported on the built-in interfaces or on a network module without fail-to-wire capability.)
Hardware-Bypass Capable Network Modules (future)

Port Specification                 1Gbps Fiber SX       10Gbps Fiber SR       10Gbps Fiber LR       40Gbps Fiber SR
Type                               1000BASE-SX          10GBASE-MMSR          10GBASE-SMLR          40GBASE-SR4
PID                                FPR9K-NM-6X1SX-F     FPR9K-NM-6X10SR-F     FPR9K-NM-6X10LR-F     FPR9K-NM-4X40G-F
Mode                               Multi-mode           Multi-mode (SR)       Single-mode (LR)      Multi-mode
Interfaces                         6                    6                     6                     2
Interface speed                    1Gbps                10Gbps                10Gbps                40Gbps
Integrated/programmable FTW        Yes                  Yes                   Yes                   Yes
Breakout cable on FTW ports        N                    N                     N                     N
Transceivers                       SFP inbuilt          Inbuilt               Inbuilt               Inbuilt

Note: No SFP OIR and no port-channel support
Flow Offload

•  Trusted flow processing with limited security visibility in the Smart NIC
•  Up to 39Gbps of single-flow UDP throughput with 1500-byte packets
•  2.9us latency with 64-byte UDP packets
•  Supports up to 128K offloaded stateful connections
•  Untagged IPv4 TCP/UDP (32K) and GRE (32K), 32K each with VLAN tags
•  Static offload on ASA with IP/SGACL in MPF
•  Offload multicast in transparent mode with 2 bridge group ports in 9.6(2)
•  Pre-filter offload policy for IP/TCP/UDP Trust rules in FTD 6.1
•  Dynamic offload for fast-forwarded connections in the future

Offloaded flows are switched in the Smart NIC with only the limited visibility noted in the first bullet, so scope offload and Trust rules to specific, well-understood high-volume flows rather than broad address ranges.
Miscellaneous New Features FXOS 2.0.1

•  Lina (“ASA”) Dataplane bypass for FTD NGIPS interfaces


•  Interface link state propagation for inline FTD NGIPS interfaces
•  Support for 2048 VLAN subinterfaces
•  Graceful chassis shutdown
•  Scheduled Supervisor configuration export
•  Miscellaneous changes for FIPS, CC, and USGv6 compliance
•  Customizable chassis manager login banner

Firepower Management Center - FMC
FMC HA
•  Very different from 5.4 FMC HA
•  Active/Standby deployment
•  Failover is manual
•  Sybase database is duplicated
•  Both FMC nodes receive events from each sensor
•  Policy changes made on the primary are copied over to the secondary
FMC HA 5.4 vs 6.1.0
•  FMC HA is Active/Standby. In 5.4.x, it was Active/Active
•  Active FMC: fully functional, as good as standalone
•  Standby FMC: read-only. Most of the tabs/sub-tabs in the UI are hidden
•  Standby FMC: no CSM processes, except VmsDbEngine
•  Standby FMC: configuration database (Sybase) is read-only
•  No sync for events. Events are pushed to both FMCs (no change from 5.4.x)
•  FMC HA is supported on the FMC 4000, 2000, 3500 and 1500 appliances. Not supported on Virtual
•  All configuration-related tables of MySQL are moved to Sybase
•  FMC HA 5.4 managed Firepower devices only; FMC HA 6.1 manages HA for both Firepower and FTD devices
FMC – logging
•  You can't log all connections in a large - or even medium - environment and expect to get weeks of history on the FMC.
•  Tune your AC policy to log the connections you really need and reduce the "noisy" connection events (DNS, Dropbox, etc.)
•  You will always get connection events for any IPS alerts regardless of your connection event logging settings in the AC policy. However, if you log too much, these valuable events will be purged along with the noise.
•  The "important" events are typically much less noisy and we can keep months or years of history (IPS, Malware, IOCs, etc.)
•  If you have to keep connection events longer, send them off to a SIEM. Syslog seems to be more efficient at this than eStreamer.
•  Be careful increasing the log storage too high. Even though the FS4000 supports 1 billion connection events, that will impact your query performance (analysis).
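The noise-versus-retention reasoning on this slide, as an added example that is not part of the original deck and not a Cisco tool: the script parses constructed syslog lines shaped like FTD connection events (the %FTD-6-430003 message with comma-separated "Key: Value" fields), ranks applications by their share of the events, and compares how long a fixed event store lasts before and after the noisy applications are removed from connection logging. The field names, the 10-second capture window and the 1-billion-event store size are assumptions for illustration.

```python
"""Tune FMC connection-event logging and estimate event-store retention.

Added example for the FMC logging slide; not Cisco code. The syslog lines
are constructed to resemble FTD connection events (%FTD-6-430003 with
comma-separated "Key: Value" pairs). Field names, the capture window and the
event-store size are assumptions for illustration, not measured values.
"""
import re
from collections import Counter

# Constructed sample: ten connection events (430003) captured over a
# 10-second window, plus one intrusion event (430001) the parser must skip.
SAMPLE_SYSLOG = """\
Jul 12 10:00:00 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 10.1.0.10, DstPort: 53, Protocol: udp, ApplicationProtocol: DNS
Jul 12 10:00:01 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.6, DstIP: 10.1.0.10, DstPort: 53, Protocol: udp, ApplicationProtocol: DNS
Jul 12 10:00:02 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.7, DstIP: 10.1.0.10, DstPort: 53, Protocol: udp, ApplicationProtocol: DNS
Jul 12 10:00:03 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.8, DstIP: 10.1.0.10, DstPort: 53, Protocol: udp, ApplicationProtocol: DNS
Jul 12 10:00:04 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.9, DstIP: 10.1.0.10, DstPort: 53, Protocol: udp, ApplicationProtocol: DNS
Jul 12 10:00:05 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 162.125.1.1, DstPort: 443, Protocol: tcp, ApplicationProtocol: HTTPS, Client: Dropbox
Jul 12 10:00:06 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.6, DstIP: 162.125.1.1, DstPort: 443, Protocol: tcp, ApplicationProtocol: HTTPS, Client: Dropbox
Jul 12 10:00:07 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.7, DstIP: 203.0.113.20, DstPort: 443, Protocol: tcp, ApplicationProtocol: HTTPS, Client: Firefox
Jul 12 10:00:08 ftd1 %FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 10.1.1.8, DstIP: 203.0.113.21, DstPort: 22, Protocol: tcp, ApplicationProtocol: SSH
Jul 12 10:00:09 ftd1 %FTD-1-430001: Protocol: TCP, SrcIP: 10.1.1.9, DstIP: 203.0.113.22, DstPort: 80, Classification: Attempted User Privilege Gain
Jul 12 10:00:09 ftd1 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.9, DstIP: 203.0.113.22, DstPort: 80, Protocol: tcp, ApplicationProtocol: HTTP
"""

CONN_EVENT = re.compile(r"%FTD-6-430003:\s*(?P<body>.*)$")
FIELD = re.compile(r"([A-Za-z]+):\s*([^,]+)")


def parse_connection_event(line):
    """Return the fields of a connection event, or None for any other message."""
    m = CONN_EVENT.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in FIELD.findall(m.group("body"))}


def event_key(fields):
    """Bucket by client application when FTD identified one, else by protocol."""
    return fields.get("Client") or fields.get("ApplicationProtocol", "unknown")


def count_by_app(syslog_text):
    """Count connection events per application bucket."""
    counts = Counter()
    for line in syslog_text.splitlines():
        fields = parse_connection_event(line)
        if fields:
            counts[event_key(fields)] += 1
    return counts


def noisy_apps(counts, min_share=0.2):
    """Applications that each account for at least min_share of all events."""
    total = sum(counts.values())
    return [app for app, n in counts.most_common() if total and n / total >= min_share]


def retention_days(events_per_day, store_capacity):
    """Days of history a fixed-size event store holds at a steady event rate."""
    if events_per_day <= 0:
        raise ValueError("events_per_day must be positive")
    return store_capacity / events_per_day


def plan(syslog_text, window_seconds, store_capacity, min_share=0.2):
    """Retention before and after removing noisy apps from connection logging.

    IPS-triggered connection events are logged whatever the AC policy says,
    so this estimates only the policy-controlled share of the load.
    """
    counts = count_by_app(syslog_text)
    total = sum(counts.values())
    noise = noisy_apps(counts, min_share)
    kept = total - sum(counts[a] for a in noise)
    scale = 86400 / window_seconds  # events in the window -> events per day
    return {
        "events": total,
        "noisy": noise,
        "retention_days_now": retention_days(total * scale, store_capacity),
        "retention_days_tuned": retention_days(kept * scale, store_capacity),
    }


if __name__ == "__main__":
    print(plan(SAMPLE_SYSLOG, window_seconds=10, store_capacity=1_000_000_000))
```

Run it against a few minutes of real syslog from the sensor instead of the sample, with the actual window length and the event limit configured on the FMC; the applications it flags are the candidates for "do not log" in the access-control rules, and the same per-application counts tell you how much of the stream you would be shipping to the SIEM instead.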
High availability and scalability for 4100 and 9300
High Availability and Scalability Options

Application    High Availability                       High Scalability                          High Availability and Scalability
ASA            Active/Standby Failover (2 modules)     Intra-Chassis Clustering* (≤3 modules)    Inter-chassis clustering (≤16 modules, 1.2Tbps)
               Active/Active Failover (2 modules)      Inter-Chassis Clustering (≤16 modules)
FTD            Active/Standby Failover (2 modules)     Intra-chassis Clustering* (≤3 modules)    -
Radware vDP    -                                       Intra-chassis Clustering (≤3 modules)     -

* Not applicable for FP4100 platforms.
Application Clustering with FP9300

Inter-Chassis Cluster Control Link
•  Cluster of up to 16 modules across 5+ chassis
•  Off-chassis flow backup for complete redundancy

Intra-Chassis Cluster Control Link
•  Same-application modules can be clustered within a chassis
•  Bootstrap configuration is applied by the Supervisor

(Figure: Switch 1 and Switch 2 as a Nexus vPC pair in front of FP9300 Chassis 1 and Chassis 2; each chassis has a Supervisor and ASA modules, and the modules form one ASA cluster within and across the chassis.)
Application Clustering with FP4100

Inter-Chassis Cluster Control Link
•  Cluster of up to 16 devices
•  Off-chassis flow backup for complete redundancy

(Figure: Switch 1 and Switch 2 as a Nexus vPC pair in front of FP4100 Device 1 and Device 2; each device has a Supervisor and its ASA is a member of one ASA cluster.)
FTD Failover and Clustering

•  FTD uses the ASA data plane and similar failover/clustering infrastructure
•  Enhanced to replicate full NGFW/NGIPS configuration and opaque flow state
•  Current intra-chassis clustering support on the Firepower 9300 platform only
•  Module-level Active/Standby failover for inter-chassis high availability
•  Ensures full stateful flow symmetry in both NGIPS and NGFW modes

Failover: both directions of a flow traverse the single active unit.
Clustering: all packets for a flow are redirected to the connection owner.
(Figure: an FTD failover pair and an FTD cluster, each attached between vPC pairs on both sides.)
Performance
Performance (Same for ASA w/Firepower Services and FTD)

Model                           5506-X     5508-X     5512-X     5515-X     5516-X     5525-X      5545-X      5555-X
Max AVC Throughput              250 Mbps   450 Mbps   300 Mbps   500 Mbps   850 Mbps   1100 Mbps   1500 Mbps   1750 Mbps
Max AVC and IPS Throughput      125 Mbps   250 Mbps   150 Mbps   250 Mbps   450 Mbps   650 Mbps    1000 Mbps   1250 Mbps
AVC or IPS Sizing Throughput    90 Mbps    180 Mbps   100 Mbps   150 Mbps   300 Mbps   375 Mbps    575 Mbps    725 Mbps
Max Connections                 50,000     100,000    100,000    250,000    250,000    500,000     750,000     1,000,000
Max CPS                         5,000      10,000     10,000     15,000     20,000     20,000      30,000      50,000
Firepower Appliances – 7100/8100/8300
FTD Performance

                                              4110    4120    4140    SM-24   SM-36   SM-36x3
Max Throughput: Application Control (AVC)     12G     20G     25G     25G     35G     100G
Max Throughput: AVC and IPS                   10G     15G     20G     20G     30G     90G
Sizing Throughput: AVC (450B)                 4G      8G      10G     9G      12.5G   30G
Sizing Throughput: AVC+IPS (450B)             3G      5G      6G      6G      8G      20G
Maximum concurrent sessions w/AVC             4.5M    11M     14M     28M     29M     57M
ASA Performance

                                                          4110    4120    4140    SM-24   SM-36   SM-36x3
Stateful inspection firewall throughput (maximum)         20G     40G     60G     75G     80G     225G
Stateful inspection firewall throughput (multiprotocol)   10G     20G     30G     50G     60G     100G
Concurrent firewall connections                           10M     15M     25M     55M     60M     70M
New connections per second                                150K    250K    350K    0.6M    0.9M    2M
Security contexts                                         250     250     250     250     250     250
Virtual interfaces                                        1024    1024    1024    1024    1024    1024
IPsec 3DES/AES VPN throughput                             8G      10G     14G     15G     18G     18G
Use cases
Use cases – what to use where?

•  ASA is a powerful and scalable solution for basic stateful segmentation
   •  Ease of integration and scaling in large and distributed data centers
   •  Real-time trading and high performance application protection with Flow Offload
   •  Infrastructure and Internet edge protection for service providers

•  FTD is a comprehensive threat-centric security solution
   •  NGIPS for data center and service provider environments
   •  NGFW for edge protection and smaller data centers

•  Radware vDP is a behavioral DDoS mitigation solution
   •  Internet edge protection for web commerce and service provider environments
FTD Deployment Modes

•  FTD is both NGFW and NGIPS on different network interfaces
•  NGFW inherits operational modes from ASA and adds FirePOWER features
•  NGIPS operates as standalone FirePOWER with limited ASA data plane functionality

NGFW modes (figure): Routed FTD with inside, outside and DMZ interfaces in separate subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24); Transparent FTD with inside, outside and DMZ bridged in one subnet (10.1.1.0/24).
NGIPS modes (figure): Inline FTD (Eth1/1, Eth1/2); Inline Tap FTD (Eth1/1, Eth1/2); Passive FTD (Eth1/1).
FTD as NGFW at the Edge

•  AVC, Reputation, TLS decryption, URL Filtering, File Analysis and Advanced Malware Protection for outbound connections
•  DNS Sinkholing redirects potentially malicious connections to a local honeypot
•  Continuous updates from Talos ensure relevant protection
•  OSPF, BGP, NSF/GR and similar features for easy network integration
•  ACL and NGIPS policies, optional TLS decryption for inbound connections
•  File hashes are checked against the AMP cloud; unknown samples are submitted to ThreatGRID, and ThreatGRID feeds the data back into AMP/Talos

(Figure: the NGFW sits between Campus and Data Center, with the Honeypot, AMP and ThreatGRID as external services.)
Key Takeaways
•  FTD is the new unified software – one management platform
•  ASA 5500-X can be an NGIPS device with FTD
•  Consider 41xx and 9300 for high performance environments
•  Scale based on the feature functionality needed
•  Reach out to Cisco DK or the Partner Helpline (partners)

Q&A
