Secure Firewall in the DC and Enterprise: Deployment Tips and New Features
BRKSEC-2828
Steven Chimes, Technical Solutions Architect
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Your Speaker
- Security Architect focused on global financials and global life sciences customers
- 15 years in industry including higher ed, manufacturing and 10 years at Cisco
- Author of CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

Agenda
- Frequently Asked Questions
- Hardware Selection
- Logging at Scale
- Useful Features
- Access Control Policy Tips
- HA and Clustering
- Dynamic Objects

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Frequently Asked Questions

FAQ - What Version Should I Be Running?
- The Software Download Page has the latest suggested release: look for the star
- The suggested release is the same for all platforms
- For the 4100/9300 only: run the latest compatible FXOS version, currently 2.12(0.31)+
- Cisco FXOS Compatibility: https:/

FAQ - What Version Do I Run Next?
- Note: these are only estimates; plans can and do change
- ASA/FTD release pairs: 9.16/7.0, 9.17/7.1, 9.18/7.2, 9.19/7.3, 9.20/7.4, vNext
- 7.0 is planned to have software support slightly longer than 7.2
- ... is planned to be an extra long term release
- Cisco's NGFW Product Line Software Release and Sustaining Bulletin: https:/

FAQ - What Firewall Manager Do I Use?
- Firewall Device Manager: on-box manager, NetOps focused
- Cloud-delivered Firewall Management Center: cloud-delivered centralized manager via Cisco Defense Orchestrator
- Firewall Management Center: on-premise centralized manager
Cloud Delivered Firewall Management Center (7.2)
- Clustered firewalls must be running 7.3 to be onboarded to cdFMC, or running 7.4 to be migrated from FMC to cdFMC

Hardware Selection

Cisco Secure Firewall Hardware Portfolio
- Segments covered: SMB, Branch Office, Mid Enterprise, Large Enterprise, Data Center, Service Provider
- All appliances can run either ASA or FTD applications; the FP9300 can run both on different SMs
- 1010: 650 Mbps AVC+IPS
- 1120/40/50: 1.5-2.2 Gbps AVC+IPS
- 2110/20/30/40: 2.3-20 Gbps AVC+IPS
- 3105/10/20/30/40: 17-45 Gbps AVC+IPS, 8-22.4 Gbps IPsec VPN; 8 node cluster with 3140: up to 288 Gbps AVC+IPS (1024B)
- 4112/15/25/45: stand-alone device 12-53 Gbps AVC, 10-47 Gbps AVC+IPS; sixteen node cluster up to 680 Gbps AVC, up to 675 Gbps AVC+IPS
- 9300 Series (SM-40, SM-48, SM-56): one module 30-70 Gbps AVC, 24-64 Gbps AVC+IPS; sixteen node cluster AVC+IPS: SM40*16n = 704 Gbps, SM48*16n = 830 Gbps, SM56*16n = 950 Gbps
- 4215/25/45 (NEW): stand-alone device 70-150 Gbps AVC, 70-145 Gbps AVC+IPS; sixteen node cluster up to 1.7 Tbps AVC, up to 1.6 Tbps AVC+IPS

Cisco Secure Firewall 4200 Series (Reference)
- Grow your security infrastructure as your business grows with clustering capability of up to 16 firewall devices
- Ensure business uptime with hot-swappable network modules, including fail-to-wire interfaces
- Achieve high performance packet processing with powerful hardware and a wide range of high performing network interfaces in a 1 RU footprint
- Gain visibility into encrypted traffic with a crypto-accelerated architecture, speeding up TLS and IPsec decryption
- Superior performance, outstanding ROI: 1RU, 16X clustering, 200G interface support, 2X interface module bays, dual SSD, dual management interfaces

Cisco Secure Firewall 4200 Series (Reference)
- Crypto Acceleration: a specially built circuit provides encryption/decryption acceleration, using an FPGA (field-programmable gate array)
- Interface Flexibility: support for 1G, 10G, 25G, 40G, 100G and 200G interfaces across 2 network modules
- Flow Offload: the flow offload engine processes packets in hardware up through layer 4
- FIPS Compliance: supports all FIPS 140-3 requirements

Performance Metrics
Metric | 4215 | 4225 | 4245
Throughput* FW+AVC+IPS | 71 Gbps | 89 Gbps | 149 Gbps
Throughput* IPsec VPN (Fastpath) | 51 Gbps | 86 Gbps | 96 Gbps
Maximum number of VPN peers | 20,000 | 25,000 | 30,000
Maximum concurrent connections with AVC | 15 M | 30 M | 60 M
Maximum new connections per second (ASA code) | 1.5 M | 1.8 M | 2.1 M
* Stateful inspection, 1024 byte packets

High-Level Hardware Architecture
- Internal switch fabric with 3.2 Tbps switching capability; on-board 8x10GE interfaces
- NM slot 1 and NM slot 2: 4215/4225 1x100 Gbps, 4245 2x100 Gbps (8x50 Gbps and 16x50 Gbps internal links)
- CPU 1: 4215 32 cores, 4225 64 cores, 4245 64 cores
- RAM: 4215 8x32 = 256 GB, 4225 8x64 = 512 GB, 4245 16x64 = 1 TB
- CPU 2: 4215 0 cores, 4225 0 cores, 4245 64 cores
- Crypto engines: qty 1 on 4215, qty 2 on 4225, qty 4 on 4245; flow offload engine; chip-to-chip link between CPUs
- Forward traffic: 4215/4225 100 Gbps, 4245 200 Gbps

Flexible Interface Architecture (Reference)
- 2 x 1/10/25 G management ports
- 8 x built-in 1/10/25 G SFP28 data ports
- 2 x netmod slots: hot swappable; 1G, 10G, 25G, 40G, 100G, 200G, 400G (coming); fail-to-wire, standard
High Performance Packet Processing: Flow Offload and Dynamic Flow Offload (Reference)
- All 4200s include specialized hardware capable of stateful flow processing up through layer 4
- An offloaded flow does not need to transit the system bus or engage the CPU complex
- The flow offload engine supports up to 32M concurrent flows for IPv4 and 12M for IPv6
- Example: the 4245 can do up to 125 Gbps in a single TCP flow
- Static flow offload: trusted flows can be specified by the administrator (using prefilter policies for FTD or service-policy for ASA)
- Dynamic flow offload: Snort deep packet inspection does not always require inspection of the entire flow; flows can be dynamically offloaded once inspection is completed

Hardware Crypto Acceleration (Reference)
- Hardware crypto accelerator chips can perform IPsec encryption/decryption in hardware: 4215 Nitrox V, 4225 2 x Nitrox V, 4245 4 x Nitrox V
- Dedicated inter-chip links between the crypto acceleration chip and the flow offload engine allow traffic to be decrypted and encrypted without adding traffic to the system bus
- The 4200 series includes support for full-stack TLS decryption, including TLS 1.3

Logging at Scale

Logging Considerations for Large Deployments
- Example: Americas DC#1, Americas DC#2, EMEA DC#1, EMEA DC#2, APJC DC#1; total = 10 x FP4145s
- 1x FP4145 = 365K CPS; with a policy with full logging, 10 x FP4145s = 3.6M EPS
- 1x FMC4600 is rated for 20K EPS

Cisco Secure Firewall Logging Options
- Firewall Management Center: logs stored on the physical or virtual FMC appliance; logs sent via sftunnel; view logs in FMC. Best for small FMC managed deployments
- Security Analytics and Logging (On-Premises): logs stored on physical or virtual Secure Network Analytics (SNA) appliance(s); logs sent via syslog; view logs in FMC with the Unified Event View or on the SNA Manager. Best for larger FMC managed deployments
- Security Analytics and Logging (SaaS): logs stored in the SAL cloud; logs sent via the built-in Secure Services Exchange (SSE) connector or via syslog to the Secure Event Connector (SEC); view logs in CDO. Best for CDO managed deployments

Security Analytics and Logging (On-Premises) (7.0): Best for Larger FMC Managed Deployments
- Single node: Secure Firewall sends syslog to the Secure Network Analytics Manager, with optional logging to FMC; the Secure Firewall Management Center uses remote query. Scales to 20k EPS (sustained); retention of 200 days at 5k EPS
- Multi-node: Secure Firewall sends syslog to SNA Flow Collector(s) backed by 3+ SNA Datastore appliances and the Secure Network Analytics Manager, with optional logging to FMC; FMC uses remote query. Scales to 100k+ EPS (sustained); retention of 600+ days at 5k EPS
Unified Event Viewer (7.0)
- Connection, Security Intelligence, Intrusion, File & Malware events
- Stream of events with the most recent event at the top
- Dropdown to show all data for an event
- Uses data from FMC if it exists, otherwise pulls from SAL
- Searchable filter; add/remove columns (Reference)

Security Analytics and Logging (SaaS) (7.0): Best for Larger CDO Managed Deployments
- Via CDO Secure Event Connector: Secure Firewall sends syslog to CDO Secure Event Connector(s), which forward to Cisco Defense Orchestrator; scales to 8.5k EPS per firewall; retention up to 3 years
- Direct to Cloud: Secure Firewall sends events over SSE to Cisco Defense Orchestrator; unlimited scale; retention up to 3 years

Security Analytics and Logging (SaaS): CDO Log Viewer (7.0)
- Filter builder
- Freeform filter entry (supports Boolean logic)
- Click on a field to filter, or click on the magnifying glass to add it to an existing filter
- Export to CSV

SAL Log Data Retention Matrix (Reference)
- * Single-node = repurposed SMC 2210 (HW or virtual); multi-node = SMC 2210 + FC 4210 + 3 x DS 6200 (all appliances HW or virtual)
- * Compare FMC native logs retention: ... day at 20,000 peak EPS
- Expected retention period in days (under average deployment conditions); blank cells are not legible in the source deck:

Sustained firewall EPS | Equivalent GB/day | On-prem single node* 1TB | Single node* 2TB | Single node* 4TB | Multi-node* virtual | Multi-node* HW | Cloud single SEC | Multi-SEC | Direct-to-Cloud
5,000 | 562 | 50 | | | 300 | 600 | Up to 3 years (extendable) | Up to 3 years (extendable) | Up to 3 years (extendable)
10,000 | 1,123 | 25 | 50 | | | 300 | | |
20,000 | 2,246 | 12.5 | 25 | 50 | 75 | 150* | | |
50,000 | 5,616 | NA | NA | NA | 30 | 60 | | |
75,000 | 8,424 | NA | NA | NA | NA | 40 | | |
100,000 | 11,232 | NA | NA | NA | NA | 30 | | |
200,000 | 22,464 | NA | NA | NA | NA | NA | | |

- Single SEC: not suggested when an individual device's logging rate exceeds 8,500 EPS
- Note: the on-premises log retention in days above is based on average deployment conditions and may vary materially in different production environments

For Best Performance, Send Logs Only Once (7.0): Use Telemetry Broker to Send Logs to Multiple Destinations
- Secure Firewall sends syslog once to a Telemetry Broker (or other syslog replicator), with optional logging to FMC
- The replicator fans out to: SAL On-Premises multi-node (SNA Flow Collector(s) and Secure Network Analytics Manager), SAL On-Premises single node (Secure Network Analytics Manager), SAL SaaS (CDO Secure Event Connector(s)), and other log systems / SIEM (e.g. Splunk, NetWitness)

Useful Features You May Not Know About

4100/9300 Chassis Registration to FMC (7.4)
- FMC can register a 4100/9300 series chassis into the device list (chassis to Firewall Management Center over sftunnel)
- FXOS faults (including HW bypass) are collected by the FMC
- Chassis events are available in Health Monitor and Events

Access Control Policy Bulk Edit (6.6)
- Shift-click then shift-click to select a range, OR ctrl/command-click to select individual rules; then right-click to open the bulk edit menu
- Clicking without holding shift/ctrl/command will immediately open the clicked rule
- (Reference slide: Access Control Policy Bulk Edit)
Access Control Policy New UI (7.2)
- Processing chain shown in order
- Select rules for bulk action
- Toggle new UI
- Bulk actions
- (Reference slide: Access Control Policy New UI / Bulk Edit)

Bulk Import of Objects (6.7)
Available for DN, Network, Port, URL & VLAN objects. Rules per object type:
- Individual (DN) object: the file must have the column headers NAME, DN. Both NAME and DN column entries are mandatory to import an entry. You can import individual objects directly into an existing distinguished name object group.
- Network object: the file must have the column headers NAME, DESCRIPTION, TYPE, VALUE, LOOKUP. The NAME and VALUE column entries are mandatory to import an entry of host, range, or network object type. For an FQDN object, the TYPE column entry must mention fqdn, and the LOOKUP column entry must be specified as ipv4, ipv6, or ipv4_ipv6. If no content is provided in the LOOKUP column entry for the FQDN object, then the object is saved with the ipv4_ipv6 field value.
- Port: the file must have the column headers NAME, PROTOCOL, PORT, ICMPCODE, ICMPTYPE. The NAME column entry is mandatory. For tcp and udp protocol types, the PORT column entry is mandatory. For icmp and icmp6 protocol types, the ICMPCODE and ICMPTYPE column entries are mandatory.
- URL: the file must have the column headers NAME, DESCRIPTION, URL. The NAME and URL column entries are mandatory to import an entry.
- VLAN Tag: the file must have the column headers NAME, DESCRIPTION, TAG. The NAME and TAG column entries are mandatory to import an entry.
- The column header row is required and must be in capital letters. (Reference)

Global Search (7.0)
- Easily find navigation pages, policies and objects by name or value (e.g. IP)
- If you forget where something is in the menu, use global search
- Searches both the name of objects/policies and their content (e.g. a rule named "Allow DNS" in the Egress Policy)

Device Health Monitoring Dashboard (6.7)
- No more going to the CLI for basic performance troubleshooting!
- Data Plane = LINA; deployments are marked on the graphs (Reference)
- Use correlated dashboards for easy troubleshooting, e.g. a spike in CPU caused by a connection spike
- Create custom and prebuilt dashboards

Elephant Flow Remediation (7.2)
- Available with Snort 3 running 7.2 or higher (Reference)
- Enable bypass for the apps you trust; throttle the rest
- Throttle = 10% less than the current flow rate

Packet Tracer PCAP Upload
- Single flow, maximum of 100 packets
- Make sure you specify a snaplen to avoid an "Unsupported Protocol found" error when uploading the PCAP
- The result of each packet is shown; expand to see the processing details of each step; expandable trace history

Use Cases for Multi-Tenancy
- Routing Table Separation: independent and/or overlapping IP spaces
- Policy Management Simplification: smaller policy views that are managed by a single administrator
- Traffic Processing Isolation: compliance separation and tenant resource overflow protection
- Management Separation: independent management of firewall partitions
- Resource Sharing: oversubscription of firewall resources

Multi-Tenancy Use Case Mapping
- Policy simplification only: FMC Zones & Categories
- Routing separation only: Virtual Routing and Forwarding
- Independent management or traffic processing isolation: fewer than 54 tenants? Yes: FTD Multi-Instance Mode; No: FTDv
- Resource sharing: FTDv

Secure Firewall Multi-Instance Intro
- Next generation replacement for ASA Multiple Context Mode
- Create multiple logical devices on a single module or appliance (3100, 4100, 4200 or 9300)
- Instances are truly virtual (unlike ASA contexts), leveraging Docker containers
- Dedicated resources allow for traffic processing and management isolation
- Each container instance runs its own Secure Firewall software version (example: DMZ Firewall v7.3 with 6 CPU, Internet Firewall v7.2.4 with 6 CPU, DC Firewall v7.2.4 with 10 CPU)
- Physical, logical and VLAN separation provided by the chassis supervisor

Multi-Instance on 3100 (7.4)
- 31xx series Multi-Instance feature functionality is identical to the Firepower 4100 series, but it differs in the number of instances supported: 3105 supports no (0) instances; CSF 3110 supports up to 3 instances; CSF 3120 up to 5; CSF 3130 up to 7; CSF 3140 up to 10
- All Multi-Instance configuration is only through FMC; Multi-Instance configuration is not supported via CLI. However, changing from Native to Container Mode is supported in the CLI.

Multi-Instance on 3100 Config
1. Run the CLI to enable FMC as the MI manager and register the 3100 series (MI mode) device in FMC
2. Update physical interface(s)
3. Create Secure Firewall instance(s) and assign interface(s)
4. Create/update/delete port channels and subinterfaces from FMC
5. Configure platform settings
6. Deploy configuration changes to the device
7. Secure Firewall instance(s) auto-register to FMC
Workflow: Register 3100 series (MI mode) -> Manage interface(s) -> Create Secure Firewall instance(s) -> Update instance, interface, platform settings -> Configuration deployment

Limitations (Reference)
- Secure Firewall is the only application to support Multi-Instance (no ASA)
- Mixing Native and Multi-Instance on the same 3100 series chassis is not supported
- Native Secure Firewall applications cannot be converted or migrated into Multi-Instance Secure Firewall applications or vice versa; the Secure Firewall applications will have to be reinstalled, with all configuration lost, to switch between the two modes
- Clustering, HW crypto and flow offload/redirect are not supported in the initial release
- All assigned resources are dedicated to an instance; oversubscription is not supported

Virtual Routing and Forwarding (Reference)
- Screenshot note: "Virtual Routing and Forwarding" is a button, not a title
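The Bulk Import of Objects slide in the Useful Features section lists the column rules FMC enforces per object type. As an added example (not Cisco's code; the function names and sample rows are mine), this Python pre-flight checker applies those rules to a CSV file before it is uploaded, so a malformed file is caught locally rather than rejected by FMC:

```python
"""Pre-flight checker for FMC 'Bulk Import of Objects' CSV files.

Added example, not Cisco code. The column rules are the ones listed on the
Bulk Import of Objects slide; the function names and sample rows are mine.
"""
import csv
import io

# Exact header row per object type (headers are required and must be upper case).
HEADERS = {
    "dn": ["NAME", "DN"],
    "network": ["NAME", "DESCRIPTION", "TYPE", "VALUE", "LOOKUP"],
    "port": ["NAME", "PROTOCOL", "PORT", "ICMPCODE", "ICMPTYPE"],
    "url": ["NAME", "DESCRIPTION", "URL"],
    "vlan": ["NAME", "DESCRIPTION", "TAG"],
}
# Columns that must be filled on every row of that type.
ALWAYS_REQUIRED = {
    "dn": ["NAME", "DN"],
    "network": ["NAME", "VALUE"],
    "port": ["NAME"],
    "url": ["NAME", "URL"],
    "vlan": ["NAME", "TAG"],
}
FQDN_LOOKUPS = ("ipv4", "ipv6", "ipv4_ipv6")


def _row_problems(kind, row):
    """Rule checks for one data row; returns a list of messages."""
    problems = []
    for col in ALWAYS_REQUIRED[kind]:
        if not row.get(col, "").strip():
            problems.append(f"{col} is mandatory")
    if kind == "network" and row.get("TYPE", "").strip().lower() == "fqdn":
        lookup = row.get("LOOKUP", "").strip().lower()
        # An empty LOOKUP is accepted: FMC stores the FQDN object as ipv4_ipv6.
        if lookup and lookup not in FQDN_LOOKUPS:
            problems.append("LOOKUP must be ipv4, ipv6 or ipv4_ipv6 for fqdn")
    if kind == "port":
        proto = row.get("PROTOCOL", "").strip().lower()
        if proto in ("tcp", "udp") and not row.get("PORT", "").strip():
            problems.append("PORT is mandatory for tcp/udp")
        if proto in ("icmp", "icmp6"):
            for col in ("ICMPCODE", "ICMPTYPE"):
                if not row.get(col, "").strip():
                    problems.append(f"{col} is mandatory for icmp/icmp6")
    return problems


def validate_import(kind, text):
    """Return [(line_number, message), ...]; an empty list means the file passes."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    expected = HEADERS[kind]
    if header is None:
        return [(1, "file is empty")]
    if [h.strip() for h in header] != expected:
        # Case matters: the slide requires upper-case column headers.
        return [(1, "header must be exactly " + ",".join(expected))]
    found = []
    for line_no, fields in enumerate(reader, start=2):
        if not any(f.strip() for f in fields):
            continue  # blank line
        row = dict(zip(expected, fields))
        found.extend((line_no, msg) for msg in _row_problems(kind, row))
    return found


# Constructed sample files.
NETWORK_CSV = (
    "NAME,DESCRIPTION,TYPE,VALUE,LOOKUP\n"
    "web-srv,,host,10.1.1.10,\n"
    "corp-fqdn,,fqdn,example.com,\n"      # empty LOOKUP -> saved as ipv4_ipv6, fine
    "bad-fqdn,,fqdn,example.org,ipv5\n"   # invalid LOOKUP value
    "no-value,,host,,\n"                  # VALUE missing
)
PORT_CSV = (
    "NAME,PROTOCOL,PORT,ICMPCODE,ICMPTYPE\n"
    "https,tcp,443,,\n"
    "ping,icmp,,0,8\n"
    "bad-ping,icmp6,,,\n"                 # ICMPCODE and ICMPTYPE missing
    "bad-dns,udp,,,\n"                    # PORT missing
)
LOWERCASE_DN_CSV = "name,dn\nsales,OU=Sales\n"  # header not in capital letters

if __name__ == "__main__":
    for kind, text in (("network", NETWORK_CSV), ("port", PORT_CSV), ("dn", LOWERCASE_DN_CSV)):
        for line_no, msg in validate_import(kind, text):
            print(f"{kind}: line {line_no}: {msg}")
```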
Virtual Routing and Forwarding (6.6, Reference)
- EIGRP, ISIS and PBR are not shown in the VRF UI but are supported through FlexConfig for VRF
- Assign VRF interfaces to zones and use those zones as the source/destination in Access Control, IPS, SSL and Identity policies to make those policies VRF aware
- Screenshot note: "Virtual Routing and Forwarding" is a button, not a title

Zones and Categories for Policy Management: Migrate ASA Contexts to FTD, Without FTD Multi-Instance
- Starting point, multi-context mode ASA: Context A on Po5.301 and Po5.302, Context B on Po5.303 and Po5.304, Context C on Po5.305 and Po5.306, Context D on Po5.307 and Po5.308, each with an inside and an outside interface
- Step 1: define the context interfaces as zone objects (e.g. Context A: Po5.301 and Po5.302 as its inside and outside zones)
- Step 2: group the rules that were in an ASA context in a category
- Step 3: use the previously defined zones as a source/destination in each rule

Phasing Out FlexConfig: Firewall Management Center GUI Support (FlexConfig deprecated)
- 7.1: ECMP Zones
- 7.2: EIGRP, VXLAN Interfaces (VTEP/VNI)
- 7.3: BFD for BGP, Cluster Health Settings, PBR Next-Hop Settings
- 7.4: FlexConfig Easy Migration to FMC for ECMP, EIGRP and VxLAN; NSEL (NetFlow Secure Event Logging)

Access Control Policy Tips

Policy Management: Inheritance
- Allows an access control policy to inherit the access control rules from another policy
- Two types of sections in a policy: Mandatory (processed before any rules in a child policy) and Default (processed after all mandatory rules and after any default rules from child policies)
- Example: what the Europe Data Center Policy looks like in the Access Control Policy Editor, inheriting from the Global Domain, the 2nd level domain and the 3rd level / leaf domain

Policy Management: Multi-Domain Management
- Multitenancy for the Firepower management console
- Maximum of 50 (6.0+), 100 (6.5+) or 1024 domains (via expert mode in 6.5+)
- Maximum of 3 levels deep (2 child domains)
- Segments user access to devices, configurations and events; users can administer devices in that domain and below; devices are assigned to a domain
- Primarily for MSPs. Uses in the enterprise: force a policy to apply to all firewalls in a domain; limit user visibility to only select devices and events; delegate admin control while maintaining global visibility/control
- Example hierarchy: Global Domain > Americas Domain (Edge Domain, DC Domain) and EMEA Domain

Policy Management: Object Overrides
- Allows an object to be reused on multiple firewalls, but with different meanings
- Networks, Ports, VLAN Tags and URLs all support overrides
- Example use cases: selectively override an object on the few devices that need a different value; create an empty object, so that an override is required for every firewall; create a default value in the global domain, but allow subdomain administrators to override the default value
- In the object editor: enable overrides; the default value can be left empty; overridden values are listed per device

Designing Your Access Control Policy
- Prefilter rules are the fastest: any rules that are layer 1-4 based, and traffic that does not need security inspection (e.g. backup traffic), should be placed in the prefilter policy for best performance
- Rule order in the Access Control Policy is not strictly required, but the order below leads to the fastest blocking with the fewest number of transmitted packets
- * Length of flow does not matter on 1000/2100; length of flow only matters on 3100/4100/4200/9300
- Prefilter Policy (no AVC/IPS/AMP): layer 1-4 block rules and/or layer 1-4 allow rules for medium/long* lived flows (e.g. allow backups)
- Access Control Policy, top to bottom:
  1. Layer 1-4 block rules and/or layer 1-4 allow rules for short lived* flows (e.g. allow Umbrella DNS)
  2. Layer 5 block rules (e.g. block servers with self-signed certificates) and/or layer 7 URL block rules (e.g. block URL category Adult)
  3. Layer 7 application block rules (e.g. block Office 365)
  4. Targeted layer 7 allow rules (e.g. allow HTTP with a tailored AMP policy)
  5. Generic layer 7 allow rules (e.g. allow all traffic with a generic IPS policy)

HA and Clustering
Secure Firewall High Availability
- Two nodes connected by one or two dedicated connections called "failover links": a failover link and a state link
- Can use the same link for both; best practice is to use a dedicated link for each if possible (cross-over or VLAN)
- When first configured, the Primary's policies are synchronized to the Secondary
- Configuration/policy updates are sent to the current active node by FMC; the active unit replicates policies to the standby
- Diagram: Primary NGFW (active) and Backup NGFW (standby) joined by the failover and state links

HA with Interface Redundancy
- Before: Primary FTD (active) and Backup FTD (standby) with single data links; any single link failure (1) causes a FAILOVER
- After, with redundant interfaces: each data link is paired (1-4 on each side); failures 1-7, whatever the cause, still cause no FAILOVER

Clustering Concepts: Physical and Virtual
- Cluster roles: the Control Node synchronizes the cluster configuration; the Flow Director (deterministic) keeps track of the owner; the Flow Owner (nondeterministic) is the receiver of the first packet of the flow
- Cluster Control Link (CCL): internode communication; asymmetric traffic is redirected to the flow owner
- State sharing: cluster nodes share connection state; each connection state is stored on two nodes; cluster nodes do not share IPS state
- Diagram: FTD cluster with a vPC switch pair on each side

Data Center: Cluster Connectivity Preferences
- The slide ranks three options (#1 to #3): same model switches with two EtherChannels to different switch pairs; firewall on a stick with a single EtherChannel for the inside and outside on the same model switch; different model switches with two EtherChannels to different switch pairs

Data Center: Using 2 Different Switches (Switch Port Numbers Matter)
- EtherChannel RBH values are sequentially allocated in ascending order starting from the lowest numeric line card and port ID
- For best cluster performance, keep traffic symmetric and off the CCL: use a symmetric hashing algorithm; use fixed RBH allocation for EtherChannels, e.g. port-channel hash-distribution fixed; links should be connected in matching ascending order on each switch
- Diagram: one switch uses ports 1/1, 1/2, 1/3, 1/4 and the other 1/7, 2/1, 5/7, 6/1, both cabled in ascending order, so the RBH buckets (0,4; 1,5; 2,6; 3,7) line up on both switches

Set Cluster Control Link (CCL) MTU
- Avoids fragmentation after encapsulation on the CCL
- Set the CCL MTU at 100 bytes above the highest data MTU

Pro-Tip: Set Virtual MAC Addresses
- For stability, set the Active MAC address, especially if using non-interface NAT IPs; not required, but more stable if set
- For clustering, only the Active MAC address needs to be set
- Why? Traffic disruption due to MAC address changes: on boot, the MAC addresses of the master unit are used across the cluster; if the master unit becomes unavailable, the MAC addresses of the new master unit are used across the cluster; gratuitous ARP for interface IPs partially mitigates this, but has no effect on NAT IPs

Cisco Clustering Support (7.2)
- Physical cluster, ASA: 3100 (min 1 node, max 8 nodes); 4100/4200 (min 1 node, max 16 nodes); 9300 (min 1 node, max 16 nodes)
- Physical cluster, FTD: 3100 (min 1 node, max 8 nodes); 4100/4200 (min 1 node, max 16 nodes); 9300 (min 1 node, max 16 nodes)
- Virtual cluster, ASAv: already released (9.17.1); private cloud (VMware and KVM)
- Virtual cluster, FTDv: FMC managed nodes running 7.2; private cloud (VMware and KVM); public cloud (AWS and GCP); minimum 1 node, maximum 16 nodes; all nodes require 5 interfaces (with CCL); an AWS cluster behind GWLB can have 4 interfaces
- Use the 90 day FMC trial to license FMC and FTDv appliances and learn/experiment with clustering for free

Porting Cisco Clustering to the Public Cloud (Reference)
- Physical cluster: data interfaces have two modes, individual interface mode (different IP addresses on different nodes) and spanned interface mode (uses EtherChannel); the CCL uses a proprietary protocol over IP (no transport layer protocol); the CCL uses broadcast for internode communication; dynamic node discovery
- Virtual cluster: data interfaces on each node use different IP addresses; the CCL uses VXLAN over UDP; the CCL uses unicast; the cluster requires a static peer list

Cluster Configuration (Reference)
- Physical cluster: cluster configuration and management requires two steps: cluster bootstrapping with the Chassis Manager (of FXOS), then registering a cluster node to FMC; the other cluster nodes are discovered and FMC automatically registers the remaining nodes*; FMC provides the remaining configuration
- Virtual cluster, AWS and GCP: cluster bootstrapping with the day 0 config, then registering a cluster node to FMC; the other cluster nodes are discovered and FMC automatically registers the remaining nodes*; FMC provides the remaining configuration
- Virtual cluster, VMware and KVM: FMC performs all cluster configuration
- * This process is known as Auto-Registration
PAT in Clustering for Internet Egress (6.6 or Lower)
Use src-ip hashing on the client-side switch to keep NAT IPs consistent.

Topology in both diagrams: Web App <-> FTD Cluster <-> High Security segment; PAT pool 192.168.1.200 and following addresses.

With symmetric EtherChannel hashes:
- Multiple app connections load-balance to different cluster members
- Translations seen by the web app: TCP 192.168.1.200/31401 and TCP 192.168.1.201/24109
- ERROR: multiple app connections come from different source IP addresses

With src-ip EtherChannel hashing:
- Multiple app connections load-balance to the same cluster member
- Translations seen by the web app: TCP 192.168.1.200/10001 and TCP 192.168.1.200/10002 (a client hashed to another member: TCP 192.168.1.201/10001)
- The PAT pool is uniformly distributed to all cluster members at the IP level

PAT with Cluster Best Practices (6.6 or Lower)
- Ensure there are as many or more IPs in the PAT pool as there are cluster members, or as are required for translations:
  4 cluster members = 4+ IPs in the PAT pool, 8+ is ideal
  250k translations = 4+ IPs in the PAT pool, 8+ is ideal
- Cluster PAT pool port-range table on the slide (columns: Original Src Port, Translated Src Port, Translated Src Port (flat)): with the flat option the translated port range is 1024-65535 for every row
- Use the flat port range option:
  Stops FTD from prematurely moving to the next PAT IP due to high low-port-range usage
  Helps keep PAT pool IP distribution even across the cluster members (each unit owns one or more IPs)
  These ranges can fill up quickly if NTP, NETBIOS, etc. is allowed
- NAT Details: https:/

Cluster PAT Pool Improvements (6.7)
Before:
- Port Address Translation is distributed in the cluster
- PAT pool IPs are distributed and owned by cluster nodes
- Multiple connections to a server from the same host can be load balanced across different nodes, each using its own PAT pool IP for translating those connections
With this feature (Client -> Cluster -> Server, client IP a.b.c.d):
- Introduces port-block-based distribution of PAT pool IPs
- Cluster members now own a port block from the same PAT address
- Multiple connections from the same host are translated using the same IP address (a.b.c.d port x, a.b.c.d port y), even if load balanced across different members

Alternative Designs

Inline NGFW: Firewall without Routing or Bridging Interfaces (Inline Pair)
- Although not a "Firewall" interface, L3/L4/L7 rules can be enforced when using "IPS" interface types
- Useful when Routed or Transparent aren't possible/feasible
- No subinterfaces required for trunks; use "VLAN Tags" in the ACP instead
- Caveats: no NAT, no routing, no strict TCP state tracking
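Stepping back to the PAT slides above: an added toy model (not Cisco's code) of why symmetric EtherChannel hashing breaks source-IP consistency with a per-IP PAT pool on 6.6 and lower, and why src-ip hashing or 6.7's port-block distribution keeps it. The hash function, addresses and ports are constructed stand-ins, and the port-block allocation is simplified.

```python
"""Added example (not Cisco's code): a toy model of the PAT-in-clustering behaviour on the
slides above. The EtherChannel hash is a stand-in for the switch's real hash; it only has
to be deterministic. Addresses and ports are constructed sample values."""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")
NODES = 4
PAT_POOL = ["192.168.1.200", "192.168.1.201", "192.168.1.202", "192.168.1.203"]

def toy_hash(*fields):
    """Deterministic stand-in for the switch's EtherChannel load-balancing hash."""
    return sum(ord(c) for c in "|".join(map(str, fields)))

def cluster_member(flow, hash_mode):
    """Which cluster node the switch sends this flow to."""
    if hash_mode == "src-ip":
        return toy_hash(flow.src) % NODES
    return toy_hash(flow.src, flow.sport, flow.dst, flow.dport) % NODES  # symmetric 5-tuple style

def translate(flow, hash_mode, pat_mode):
    """Translated (ip, port) the server sees. 'per-ip' = 6.6 and lower: each member owns
    whole PAT IPs. 'port-block' = 6.7+: members own port blocks of the same IP, so the IP can
    stay constant per original host (modelled here as a hash of the host); only the block differs."""
    node = cluster_member(flow, hash_mode)
    block_size = (65535 - 1024 + 1) // NODES     # flat port range 1024-65535 split into blocks
    port = 1024 + node * block_size + flow.sport % block_size
    if pat_mode == "per-ip":
        return PAT_POOL[node % len(PAT_POOL)], port
    return PAT_POOL[toy_hash(flow.src) % len(PAT_POOL)], port

def source_ips_seen(flows, hash_mode, pat_mode):
    """Set of translated source IPs one server sees for a list of flows from one client."""
    return {translate(f, hash_mode, pat_mode)[0] for f in flows}

# Constructed sample: one client opening four connections to the same web app.
CLIENT_FLOWS = [Flow("10.1.1.50", 40000 + i, "203.0.113.10", 443) for i in range(4)]

if __name__ == "__main__":
    for hm, pm in (("symmetric", "per-ip"), ("src-ip", "per-ip"), ("symmetric", "port-block")):
        print(hm, pm, sorted(source_ips_seen(CLIENT_FLOWS, hm, pm)))
```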
Out-of-Band IDS: Multichassis SPAN
When a single Firepower appliance is not enough
- FW: Passive interfaces; SW: EtherChannel without LACP
- Each device is configured as a standalone device
- On the switch, the SPAN destination is configured as an EtherChannel, with the EtherChannel set to mode "On"
- On the firewall, each port is configured as a Passive interface
- EtherChannel load balancing distributes traffic to the different Firepower chassis

Inline IPS Passthrough EtherChannel w/o HA
LACP EtherChannel through FTD (VSS or vPC on either side; SW only: Port Channel 1; FTDs not HA or clustered)
- Useful for scaling IPS without clustering, or scaling IPS with total fault isolation
- LACP EtherChannel is formed between the switches on either side of the FTD; FTD has no knowledge of the EtherChannel
- Interfaces configured as an Inline Pair on the FW
- Each FTD appliance configured as a standalone device in FMC
- Failover of an FTD is handled by LACP on the switch
- The EtherChannel MUST deliver symmetric traffic for effective security

Inline IPS Passthrough EtherChannel w/HA
LACP EtherChannel through FTD w/o symmetric traffic (HA pair; VSS or vPC on either side; SW only: Port Channel 1; links to the Standby unit disabled by LACP)
- Useful for IPS HA without clustering
- Same interface configuration as Passthrough EtherChannel w/o HA
- Traffic is automatically symmetric through FTD, since only 1 unit is ever active
- Inline pair interfaces on the Standby HA unit are forced down when not active
- On failure of the Active unit, LACP on the switch:
  Detects that links to the old Active unit are down and removes those ports from use in the EtherChannel
  Detects that links to the new Active unit are now up and starts sending traffic across those links

Inline IPS EtherChannel Termination w/Cluster
LACP EtherChannel to FTD (VSS or vPC on either side; SW+FW: Port Channel 1 and Port Channel 2)
- Preferred method of scaling IPS with FTD
- Unlike the previous designs, the LACP EtherChannel terminates on the FTD
- Traffic is automatically symmetric through FTD, since the cluster handles any asymmetry
- Physical ports for both PC1 and PC2 are configured in FXOS FCM
- PC1 and PC2 are configured as an Inline Pair within FMC

Dynamic Objects

Dynamic Objects (7.0)
Without Dynamic Objects: API change to FMC object -> policy push from FMC to FTD -> object changed on FTD
With Dynamic Objects: API change to FMC object -> object changed on FTD

Dynamic Objects REST API (Reference)
- /api/fmc_platform/v1/domain/{domainUUID}/object/dynamicobjects (GET, POST): retrieves the list of all Dynamic Objects or creates a new Dynamic Object
- /api/fmc_platform/v1/domain/{domainUUID}/object/dynamicobjects/{objectIdOrName} (GET, PUT, DELETE): retrieves, deletes or modifies an existing Dynamic Object with the specified ID
- /api/fmc_platform/v1/domain/{domainUUID}/object/dynamicobjects/{objectIdOrName}/mappings (GET, PUT): retrieves, adds or removes IP addresses mapped to an existing Dynamic Object with the specified ID
- /api/fmc_platform/v1/domain/{domainUUID}/object/dynamicobjectmappings (POST): adds or removes IP addresses mapped to existing Dynamic Objects in bulk
Connect to your FMC at "https:/api/api-explorer" to browse the REST API
documentation.

Updating a Dynamic Object with the REST API (Reference)
Environment variables: X-auth-access-token, Domain UUID, Workload_A Object ID

1. POST /api/fmc_platform/v1/auth/generatetoken
   HEADER Authorization: Basic cnWzdFAcdDovcW86RFfTMU=
   Response: Status 204; HEADER X-auth-access-token: c830333c-614e-44a7-b6ca-dca7b8be605d, Domain_UUID: e276abec-e0f2-11e3-8169-6d9ed49b625f
2. GET /api/fmc_platform/v1/domain/e276abecb625f/object/dynamicobjects
   HEADER X-auth-access-token: c830333c-614e-44a7-b6ca-dca7b8be605d
   Response: Status 200; BODY id: 005056AF-6E04-0ed3-99, name: Workload_A, type: DynamicObject
3. POST /api/fmc_platform/v1/domain/e276abecb625f/object/dynamicobjectmappings
   HEADER X-auth-access-token: c830333c-614e-44a7-b6ca-dca7b8be605d
   BODY add: mappings: "172.16.11.100", dynamicObject: id: 005056AF-6E04-0ed3-99
   Response: Status 201
Result, Dynamic Object content: Workload_A: 172.16.11.100

Dynamic Objects API Demo

Demo Setup (7.0)
- Create Dynamic Object (can also be done via API)
- Apply Dynamic Object to Access Control Policy
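The token-then-mapping exchange from the API slide above, as an added Python client (not Cisco's code): the transport is injectable so the request building and status handling can be checked offline. Host name, credentials and the object ID are placeholders; the URL prefix is taken from the slides.

```python
"""Added example (not Cisco's code): the FMC dynamic-object mapping exchange from the
slides, with a pluggable transport so the logic can be exercised offline. Host name,
credentials and object IDs used here are placeholders, not values from the deck."""
import base64
import json
import ssl
import urllib.request

API = "/api/fmc_platform/v1"  # path prefix exactly as shown on the slides

def basic_auth_header(username, password):
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}"}

def mapping_payload(object_id, add=(), remove=()):
    """Body for POST .../object/dynamicobjectmappings: bulk add/remove of IPs."""
    body = {}
    for key, ips in (("add", add), ("remove", remove)):
        if ips:
            body[key] = [{"mappings": list(ips), "dynamicObject": {"id": object_id}}]
    return body

def urllib_transport(host, verify_tls=True):
    """Real transport: send(method, path, headers, body) -> (status, lower-cased headers, body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab FMCs with self-signed certificates
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"https://{host}{path}", data=data, method=method,
                                     headers={**headers, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, (json.loads(raw) if raw else None)
    return send

def generate_token(send, username, password):
    """POST auth/generatetoken: FMC answers 204 with the token and domain UUID in response headers."""
    status, headers, _ = send("POST", f"{API}/auth/generatetoken", basic_auth_header(username, password), None)
    if status != 204:
        raise RuntimeError(f"token request failed with status {status}")
    return headers["x-auth-access-token"], headers["domain_uuid"]

def add_mappings(send, token, domain_uuid, object_id, ips):
    """POST the bulk mapping change (expects 201); FTD picks it up without a policy deploy."""
    status, _, body = send("POST", f"{API}/domain/{domain_uuid}/object/dynamicobjectmappings",
                           {"X-auth-access-token": token}, mapping_payload(object_id, add=ips))
    if status != 201:
        raise RuntimeError(f"mapping update failed with status {status}")
    return body
```

Against a real FMC, build the transport with `urllib_transport("fmc.example.invalid")` (placeholder host) and pass it to `generate_token` and then `add_mappings`.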
Options for Implementing Dynamic Attributes
Each task below is either admin handled or system handled/assisted, depending on the option:
- FMC API: interact w/ FMC API, define Dynamic Objects, define policy, interact w/ upstream API(s)
- Cisco Secure Workload: interact w/ FMC API, define Dynamic Objects, define policy, interact w/ upstream API(s)
- Cisco Secure Dynamic Attribute Connector (CSDAC): interact w/ FMC API, define Dynamic Objects, define policy, interact w/ upstream API(s)

Cisco Secure Dynamic Attributes Connector (7.0)
CSDAC (container, cloud or FMC) sits between providers and consumers:
- Providers via connectors: AWS connector, Azure connector, vCenter/NSX connector, o365 connector, GCP connector
- Adapter: FMC (REST)
- Consumer: FMC, which receives the Dynamic Object mappings
Dynamic attribute filters (example):
  Name            | Connector | Query
  Linux-Servers   | vCenter   | os = RHEL 7 (64-bit) OR os = CentOS 7 (64-bit)
  Windows-Servers | vCenter   | os = MS Windows Server 2016 (64-bit) AND network = PROD_NETW AND Power = running
  Powered-On      | vCenter   | Power = running AND (network = PROD_NETW OR host = NODE1)
Resulting FMC Dynamic Object mappings:
  Linux-Servers: 172.16.0.1, 172.16.0.3
  Windows-Servers: 10.0.1.11, 10.0.1.14, 10.0.1.20
  Powered-On: 10.0.1.14
Available for free: https:/

CSDAC in FMC (7.4)
- You must configure connectors and dynamic attribute filters
- You do not configure any adapters

External User Identity with CSDAC (7.0)
- Enables Identity Services Engine (ISE) 802.1x authentication with Lightweight Directory Access Protocol (LDAP)
- FMC today does not support LDAP with Passive Authentication
- Three new connectors added to CSDAC: the ISE connector creates the IP-to-user mapping, the LDAP connector creates the user-to-groups mapping, and the Decorator creates the IP-to-user/groups mapping

Secure Workload Dynamic Policy Integration (7.0)
Secure Workload 3.6 (Tetration) holds telemetry and microsegmentation rules; FMC holds zone-based segmentation rules (firewall policies); NSEL flows from the firewall to Secure Workload.
1. Integrate with FMC: create the FMC external orchestrator in Secure Workload
2. Create segmentation policies: define scopes, filters and clusters; define consumers and providers
3. Push dynamic policies: the segmentation policy is pushed to FMC as access control rules with Dynamic Objects
4. Monitor and auto-update: Secure Workload continuously checks for changes and automatically pushes updates every 5 seconds
Secure Workload and Secure Firewall integration walkthrough: https:/

Secure Workload / Secure Firewall Integration Using Dynamic Objects (Reference)
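Back to the CSDAC slide above: an added model (not CSDAC's own code or filter syntax) of the filter-to-mapping step, showing how the three slide filters select IPs from connector inventory and how a re-poll becomes an add/remove delta for FMC. The inventory is constructed, so the Powered-On result follows the filter logic rather than the slide's figure.

```python
"""Added example (not Cisco's code): a small model of how CSDAC dynamic attribute filters
turn connector inventory into dynamic-object mappings for FMC. The inventory below is
constructed; the three filters mirror the ones on the CSDAC slide."""

# Constructed vCenter inventory a connector might return: attributes per VM.
INVENTORY = [
    {"ip": "172.16.0.1", "os": "RHEL 7 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "NODE1"},
    {"ip": "172.16.0.3", "os": "CentOS 7 (64-bit)", "network": "DEV_NETW", "power": "stopped", "host": "NODE2"},
    {"ip": "10.0.1.11", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "NODE1"},
    {"ip": "10.0.1.14", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "NODE2"},
    {"ip": "10.0.1.20", "os": "MS Windows Server 2016 (64-bit)", "network": "PROD_NETW", "power": "running", "host": "NODE2"},
    {"ip": "10.0.1.30", "os": "MS Windows Server 2016 (64-bit)", "network": "DEV_NETW", "power": "running", "host": "NODE3"},
]

# Filter expressions: ("eq", attr, value) leaves combined with ("and", ...) / ("or", ...) nodes.
FILTERS = {
    "Linux-Servers": ("or", ("eq", "os", "RHEL 7 (64-bit)"), ("eq", "os", "CentOS 7 (64-bit)")),
    "Windows-Servers": ("and", ("eq", "os", "MS Windows Server 2016 (64-bit)"),
                        ("eq", "network", "PROD_NETW"), ("eq", "power", "running")),
    "Powered-On": ("and", ("eq", "power", "running"),
                   ("or", ("eq", "network", "PROD_NETW"), ("eq", "host", "NODE1"))),
}

def matches(expr, vm):
    """Evaluate one filter expression against one inventory record."""
    op, *args = expr
    if op == "eq":
        return vm.get(args[0]) == args[1]
    if op == "and":
        return all(matches(a, vm) for a in args)
    if op == "or":
        return any(matches(a, vm) for a in args)
    raise ValueError(f"unknown operator {op!r}")

def resolve(filters, inventory):
    """Dynamic object name -> sorted list of IPs, i.e. the mappings CSDAC would push to FMC."""
    return {name: sorted(vm["ip"] for vm in inventory if matches(expr, vm))
            for name, expr in filters.items()}

def changed_mappings(previous, current):
    """Per object, which IPs to add/remove: the delta sent via the bulk mappings API."""
    delta = {}
    for name in set(previous) | set(current):
        old, new = set(previous.get(name, [])), set(current.get(name, []))
        if old != new:
            delta[name] = {"add": sorted(new - old), "remove": sorted(old - new)}
    return delta
```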
Secure Workload / Secure Firewall Integration: FMC Domain Selection (7.0)
- The FMC orchestrator now allows selecting specific FMC domains for enforcement (starting 3.6 Patch 3)
- Policies are pushed only to FTDs within the selected FMC domains
- Diagram: FMC domains for the Internet Edge (N-S firewall, agentless workloads), Data Center (East-West firewall, agent-based workloads), Distribution and Access Layer; configured under CSW: Manage External Orchestrator > FMC Domains, and FMC: Domains

Secure Workload / Secure Firewall Integration: Rule Ordering (7.0)
- Absolute policies from Secure Workload map to mandatory rules in the FMC access control policy
- Default policies from Secure Workload map to default rules in the FMC access control policy
- Absolute and default policies from Secure Workload can be inserted at the top or bottom of the mandatory and default rules in the FMC access control policy
- CSW UI: Manage External Orchestrator > FMC; FMC UI: Access Control Policy

Secure Workload / Secure Firewall Integration: Better Object Naming (7.0)
- Dynamic objects now have meaningful names on the Firewall Management Center
- Simplifies the identification and mapping of the policies on Secure Workload and FMC
- Naming format: WorkloadObj_
- FMC: Objects > Object Management > External Attributes > Dynamic Objects; CSW: Organize > Inventory Filters