Scribd
Upload
176 views119 pages

FTD v7

The document provides an overview of the Cisco Firepower 9300 and 4100 platforms. It describes the hardware components including the supervisor module, network modules, and security modules. It also discusses the software architecture and capabilities of the platforms such as high availability, scalability, and service chaining. Deployment examples are provided for using Firepower Threat Defense instances on the Firepower 4100 chassis.

Uploaded by

Priti
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
176 views119 pages

FTD v7

The document provides an overview of the Cisco Firepower 9300 and 4100 platforms. It describes the hardware components including the supervisor module, network modules, and security modules. It also discusses the software architecture and capabilities of the platforms such as high availability, scalability, and service chaining. Deployment examples are provided for using Firepower Threat Defense instances on the Firepower 4100 chassis.

Uploaded by

Priti
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 119

#CLUS

Firepower Platform
Deep Dive

Andrew Ossipov, Distinguished Engineer


BRKSEC-3035

#CLUS
Your Speaker

Andrew Ossipov
aeo@cisco.com
Distinguished Engineer
NGFW, Solution Architecture, Hybrid Cloud DC
IETF: SFC and TLS Working Groups

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated cs.co/ciscolivebot# BRKSEC-3035


by the speaker until June 16, 2019.

#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• Hardware and Software
• Firepower Threat Defense Overview
• Security Applications on Firepower 4100 and 9300
• Multi-Instance Capability on Firepower 4100 and 9300
• Availability and Scalability
• Deployment Example: FTD Instance on Firepower 4100
• Closing

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Hardware and
Software
Reference

Next Generation Platform Requirements


Modular System hardware components can Dynamic service chaining based Service
Chassis be upgraded independently on policy and context Insertion

Leverage the best of security Services be added, removed,


Architectural Rapid Inline
processing components (x86, NPU, upgraded, and modified without
Scale Changes
Crypto) and scale with Clustering disrupting existing flows

All hardware and software


No Single Architecture open to quickly add 3rd Party
Failure Point components are redundant and as Integration
new services as market evolves
independent as possible

Provide the same benefits in Every chassis configuration and


Deployment Full
Agnostic physical, virtual, and hybrid SDN monitoring function is available Automation
environments through REST API

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Firepower 9300 Overview
Supervisor Network Modules
• Application deployment and orchestration • 10GE, 40GE, 100GE
• Network attachment and traffic distribution • Hardware bypass for inline NGIPS
• Clustering base layer for ASA or FTD

3RU

Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Supervisor Module
RJ-45 1GE Management Built-in 10GE Data Optional Network
Console Interface (SFP) Interfaces (SFP+) Modules (NM)

1 2

• Network interface allocation and security module connectivity


• LACP or Static (in FXOS 2.4.1) Port-Channel creation with up to 16 member ports
• Up to 500 VLAN subinterfaces for Container instances in FXOS 2.4.1

• Application image storage, deployment, provisioning, and service chaining


• Clustering infrastructure for supported applications
• Smart Licensing and NTP for entire chassis

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Supervisor Architecture

System Bus
Security Security Security
RAM
Module 1 Module 2 Module 3

2x40Gbps 2x40Gbps 2x40Gbps Ethernet

Internal Switch Fabric


x86 CPU
(up to 24x40GE)

2x40Gbps 5x40Gbps 5x40Gbps

On-board 8x10GE NM NM
interfaces Slot 1 Slot 2

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Firepower 9300 Security Modules
• All modules have to match within a chassis for now
• Built-in hardware Smart NIC and Crypto Accelerator
• Previous generation SM-24, SM-36, and SM-44
• Dual 800GB SSD in RAID1 by default
• SM-24 is NEBS Level 3 Certified
• New SM-40, SM-48, and SM-56
• Dual 1.6TB SSD in RAID1 by default
• Higher performance on cryptographic operations

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Security Module Architecture

RAM System Bus

SM-24/36/44: 256Gb x86 CPU 1 x86 CPU 2


SM-40/48/56: 384Gb
24, 36, 40, 44, 48, or 56 24, 36, 40, 44, 48, or 56 Ethernet
cores cores

2x100Gbps

Smart NIC and


Crypto Accelerator

2x40Gbps
Backplane Supervisor Connection

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Firepower 4100 Overview
Solid State Drives
Built-in Supervisor and Security Module • Independent operation (no RAID)
• Same hardware and software architecture as 9300 • Slot 1 today provides limited AMP storage
• Fixed configurations (4110 – 4150) • Slot 2 adds 400GB of AMP storage

1RU

Network Modules
• 10GE and 40GE interchangeable with 9300
• Partially overlapping fail-to-wire options

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Firepower 4100 Architecture
RAM
4110: 64Gb
4115: 192Gb x86 CPU 1 x86 CPU 2
4120: 128Gb 4110: 24 cores 4110: N/A
4125: 192Gb 4115: 24 cores
4140: 256Gb 4120: 24 cores
4115: 24 cores
4120: 24 cores
System Bus
4145: 384Gb 4125: 32 cores 4125: 32 cores
4150: 256Gb 4140: 36 cores
RAM
4140: 36 cores
4145/4150: 44 cores 4145/4150: 44 cores

4110: 1x100Gbps Ethernet


4115-4150: 2x100Gbps
Smart NIC and
Crypto Accelerator
4110: 1x40Gbps
4115-4150: 2x40Gbps

Internal Switch Fabric x86 CPU


(up to 18x40GE)

2x40Gbps 5x40Gbps 5x40Gbps

On-board NM NM
8x10GE interfaces Slot 1 Slot 2

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Firepower 4100/9300 Smart NIC and Crypto
x86 CPU 1 x86 CPU 2
Crypto Accelerator
• Single on 4110, dual elsewhere
• Configurable core bias to IPsec/TLS
on Firepower 4110, 4120, 4140,
4150 and Firepower 9300 SM-24,
Crypto Crypto SM-36, SM-44; shared elsewhere
1 2 • IPsec S2S and RAVPN
• TLS/DTLS RAVPN
• TLS inspection assistance
Cisco Programmable NIC
• Single on 4110, dual elsewhere Smart Smart
• 40Gbps connectivity each NIC 1 NIC 1
System Bus
• Packet Matching and Rewrite
• Tracks 2M flows for Flow Offload
FXOS 2.3.1 Ethernet
Internal Switch Fabric

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Firepower 2100 Overview
Integrated Security Platform for FTD or ASA Application
• Lightweight virtual Supervisor module
• Embedded x86 and NPU with Hardware Crypto Acceleration SFP/SFP+ Data Interfaces
• Fixed configurations (2110, 2120, 2130, 2140) • 4x1GE on Firepower 2110 and 2120
• Dual redundant power supplies on 2130 and 2140 only • 4x10GE on Firepower 2130 and 2140

1RU

Copper Data Interfaces Network Module


• 12x1GE Ethernet • Firepower 2130 and 2140 only
• Same 8x10GE SFP module as on Firepower 4100/9300

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Reference

Firepower 2100 Functionality


• Designed and optimized for FTD application
• Data Plane runs on integrated NPU and Crypto module
• Threat-centric Advanced Inspection Modules run on x86
• No separate Flow Offload engine
• Supports ASA application as well
• Single point of management for chassis and application
• Firepower Device Manager (FDM) with device REST API for on-box
• Firepower Management Center (FMC) for multi-device

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Firepower 2100 Architecture
x86 CPU RAM
2110: 4 cores
2120: 6 cores 2110-2120: 16GB
2130: 8 cores 2130: 32GB
System Bus
2140: 16 cores 2140: 64GB

Ethernet
Network Processor Unit (NPU) RAM
2110: 6 cores
2120: 8 cores
2130: 12 cores 2110-2120: 8GB
2140: 16 cores 2130-2140: 16GB

2110-2120: 2x10Gbps
2x10Gbps 2130-2140: 1x40Gbps

Internal Switch Fabric


2110-2120 :4x1Gbps
12x1Gbps 2130-2140: 4x10Gbps
8x10Gbps

Management On-board 12x1GE On-Board 4xSFP Interface expansion


interface copper interfaces interfaces module (2130-2140 only)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Firepower 1100 Overview

Integrated Security Appliance with ASA or FTD


• Embedded x86 CPU with QuickAssist Crypto Acceleration SFP Data Interfaces
• Fixed non-modular configurations (1120, 1140) • 4x1GE

1RU

Copper Data Interfaces Field Replaceable SSD


• 8x1GE Ethernet

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Firepower 1010 Overview

Integrated Security Appliance with ASA or FTD


• Embedded x86 CPU with QuickAssist Crypto Acceleration
• Fixed non-modular configuration

Desktop

Copper Data Interfaces


• 8x1GE Ethernet
• Built-in Layer 2 switch (future)
• Power over Ethernet (PoE) on ports 7 and 8

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Firepower 1000 Architecture
System Bus
x86 CPU
RAM
1010: 8 cores
1120: 24 cores 1010: 8Gb Ethernet
1140: 32 cores 1120-1140: 16Gb

1010: 2x2.5Gbps
1120-1140: 2x10Gbps

Internal Switch Fabric


Embedded Layer 2 Switch (1010 only)
8x1Gbps 4x1Gbps

Management On-board 8x1GE copper On-Board 4x1GE SFP


interface interfaces interfaces (1120-1140 only)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Standard Network Interfaces
• Supervisor attaches security modules to network
• All interfaces are called “Ethernet” and 1-referenced (i.e. Ethernet1/1)
• All external network ports require fiber or copper transceivers (SFP)
• Third-party SFP are allowed on best-effort support basis
•Same-kind OIR is supported for external network modules
8x1GE 8x10GE 4x40GE 2x100GE and 4x100GE

• Firepower 2100 only • Firepower 2100, • Firepower 4100 • Firepower 9300 only
in FXOS 2.4.1 4100, 9300 and 9300 • Single width in FXOS 2.4.1
• Single width • Single width • Single width • QSFP28 connector
• 10M/100M/1GE • 1GE/10GE SFP • 4x10GE breakouts • Future 4x25GE breakout
for each 40GE port • Legacy double width
2x100 still available
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Fail-to-Wire Network Modules
• Fixed interfaces, no removable SFP support or module OIR
• NGIPS inline interfaces for standalone FTD 6.1+ only
• Sub-second reaction time to application, software, or hardware failure
• Designed to engage during unplanned failure or restart events
• <90ms reaction time for Standby→Bypass with full power failure

8x1GE 6x1GE 6x10GE 2x40GE

• Firepower 2100, 4100 • Firepower 2100, 4100 • Firepower 2100, 4100, • Firepower 4100 and 9300
• Single width • Single width 9300 • Single width
• 10M/100M/1GE copper • 1GE fibre SX • Single width • 40GE SR4
• 10GE SR or LR • No 10GE breakout support
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Maximum Transmission Unit (MTU)
• Layer 2 MTU defines maximum Ethernet frame size on the wire
• Mostly relevant to switches and other passive Layer 2 devices
• Frames above the MTU size are discarded, not fragmented
• 9206 bytes on Firepower 4100/9300 in FXOS 2.1.1; 9216 bytes on 2100

MAC 802.1q Type IP Header FCS


IP Payload
12 bytes 4 bytes 2 bytes 20+ bytes 4 bytes

• Layer 3 MTU defines maximum IP packet size with header


• Relevant to routers and devices that may perform transit IP reassembly
• Packets larger than configured MTU are fragmented at IP level
• Configured on per-interface basis on ASA and FTD
• 9184 bytes on Firepower 4100/9300 in FXOS 2.1.1; 9194 bytes on 2100

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Firepower 4100/9300 Software
• Supervisor and security modules use multiple independent images
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format
Security Module 1 Security Module 2 Security Module 3
Decorator application from third-party (KVM)
DDoS
FTD FTD
Primary Cisco application (Native or Container) FTD
FXOS FXOS FXOS
FXOS upgrades are applied to Supervisor and
resident provisioning agent on modules
Firepower Extensible Operating System (FXOS)
Supervisor stores CSP application images Supervisor

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Firepower Platform Bundle
• Platform Bundle contains all Supervisor and module firmware images

fxos-9000-k9.2.4.1.101.gSPA
platform encryption version [g]db [S]igned [S]pecial key revision
or [P]roduction
• FXOS creates an environment for security applications
• Supervisor automatically selects components to upgrade
• Relevant components are reloaded automatically during the upgrade

• Firepower 1000 and 2100 FTD or ASA bundle includes virtual FXOS

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Firepower Supervisor CLI Interface
• FXOS uses object-based CLI representation similar to UCS Manager
• scope, enter, or exit select a command mode within the hierarchy
• create instantiates a new configuration object within the hierarchy
• set assigns a value to a configuration variable or object
• show displays object content
• commit-buffer applies changes to the running configuration
FP9300# scope eth-uplink
FP9300 /eth-uplink # scope fabric a
FP9300 /eth-uplink/fabric # create port-channel 2
FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 11
FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 12
FP9300 /eth-uplink/fabric/port-channel* # set speed 10gbps
FP9300 /eth-uplink/fabric/port-channel* # commit-buffer
FP9300 /eth-uplink/fabric/port-channel # exit

• Read-only access on Firepower 1100 and 2100 with FTD


#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Firepower Threat
Defense Overview
Reference

Security Application Convergence


ASA FirePOWER
• L2-L4 Stateful Firewall • Threat-centric NGIPS
• Scalable CGNAT, ACL, routing • AVC, URL Filtering for NGFW
• Application inspection • Advanced Malware Protection

Firepower Threat Defense (FTD)


• Converged NGFW/NGIPS image on new Firepower and ASA5500-X platforms
• Single point of management with Firepower Management Center (FMC)
• Full FirePOWER functionality for NGFW/NGIPS deployments
• ASA Data Plane with TCP Normalizer, NAT, ACL, dynamic routing, failover, clustering

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Architecture and Logical Packet Flow

FTD
Main Access IP Reputation,
Policy SI

New Exist
ing Anomaly,
Flow Lookup
NGIPS, AMP
Advanced Inspection Modules (“Snort”)
Data Plane (“Lina”) Pointer
Prefilter
Flow Creation Normalization Verdict
Policy
New Fastpath
Exist
Packet Ingress ing Egress Packet
RX
Flow Lookup Clustering VPN
Checks Checks TX
Reinject

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Monitoring System Utilization
• Data Plane (Lina)
ftd# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min Control Plane
Data Plane (most Core 0 2.0 (2.0 + 0.0) 1.1 (1.1 + 0.0) 0.9 (0.9 + 0.0) (network control and
transit traffic) Core 1 3.2 (3.2 + 0.0) 1.8 (1.8 + 0.0) 1.5 (1.5 + 0.0) application inspection)
[…]
Core 35 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0)

• Advanced Inspection Modules (Snort)


ftd# show asp inspect-dp snort
SNORT Inspect Instance Status Info

Id Pid Cpu-Usage Conns Segs/Pkts Status


tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
Inspection Load 0 47430 1% ( 1%| 0%) 621 0 READY
1 47434 0% ( 0%| 0%) 610 0 READY Processing State
[…]
Load Distribution 45 47474 2% ( 2%| 0%) 572 0 READY

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
NGFW Interface Modes
• Must choose routed or transparent at deployment
10.1.1.0/24 10.1.2.0/24 Transparent FTD
Routed FTD inside outside
inside outside
DMZ 10.1.1.0/24
DMZ 10.1.3.0/24

• Must configure IP on BVI in transparent mode


• Integrated Routing and Bridging combines both in routed mode
inside1
BVI:inside 10.1.2.0/24
Routed with IRB 10.1.1.1/24
FTD
outside
inside2
DMZ 10.1.3.0/24
• Full feature set and state enforcement
• VLAN or VxLAN ID must change during traversal

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
NGIPS Interface Modes
• Any unused interface in routed/transparent can be in NGIPS mode
Inline FTD Inline Tap FTD Passive FTD
Eth1/1 Eth1/2 Eth1/1 Eth1/2 Eth1/1
• Inline pairing at physical/Etherchannel level; inline sets allow asymmetry
• True pass-through mode for VLAN
• LACP pass-through is supported with standalone interfaces in FXOS 2.3.1
• Most classic firewall functionality is disabled
• All security policies still apply
• Data Plane tracks connections for HA/clustering with no state enforcement
• NAT, application inspection, and similar ASA-style functionality is disabled
• Flow Offload is not triggered

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Prefilter Policy
• First access control phase in Data Plane for each new flow
• Block: Deny the flow without any further processing
• Fastpath: Allow and process entirely in Data Plane, attempt Flow Offload
• Analyze: Pass for evaluation in Main ACP, optionally assign tunnel zone
• Not a “high performance” substitute to true NGFW policies
• Non-NGFW traffic match criteria
• Limited early IP blacklisting
• Tunneled traffic inspection
• Accelerating high-bandwidth and latency-sensitive trusted flows

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Main Access Control Policy
• Second and final access control phase in Snort
• Block [with reset]: Deny connection [and TCP RST]
• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
• Monitor: Log event and continue policy evaluation
• Trust: Push all subsequent flow processing into Data Plane only
• Allow: Permit connection to go through NGIPS/File inspection
• Appropriate place for implementing NGFW policy rules

• Policy decisions may require multiple packets

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
FlexConfig Policies
• Device-level free form CLI policies that follow ASA syntax
• Supports pre-defined object templates and completely custom objects
• Natively managed feature commands are blocked
• Must push an object with negated commands to remove
• FlexConfig is only supported on best-effort basis
• Deploy Once; Everytime is for interactions with managed features
• Always select Append rather than Prepend type

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Security
Applications on
Firepower 4100
and 9300
Security Applications Overview
• ASA or FTD are Primary applications in Native or Container mode
• Native application consumes full hardware resources of an entire module
• Firepower 4100 and 9300 support multiple FTD Container instances in FXOS 2.4.1
• All modules in a chassis run same primary application for now
• A Decorator application shares a module with a Native primary application
• Traffic flows from network interfaces through a decorator to primary application
• Service chaining with Radware vDefensePro decorator and ASA or FTD 6.2+
• Not supported with Container applications at this time

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Radware vDefensePro Summary
Application Server Network
Behavioral HTTP
Behavioral HTTP DNS Protection
DNS Protection Behavioral DoS
Behavioral DoS
Flood
Flood Protection
Protection
Anti-Scan
Anti-Scan SYN Protection
SYN Protection
Available Server
Server Cracking
Cracking
Services Connection Limit
Connection Limit Out-Of-State
Out-Of-State
Signature
Signature Connection PPS
Protection
Protection Per-flow PPS Limit Blacklist/Whitelist
BL/WL
Limit

• Supported with ASA and FTD on Firepower 4100 and 9300


• vDP on Firepower 4110 is not supported with ASA until FXOS 2.4.1

• Up to 18Gbps of Peak traffic per module on 10 assigned CPU cores


• Assign 2-10 CPU cores at ~2Gbps of Peak traffic per core in FXOS 2.3.1
• 200Mbps-10Gbps of Peace Time traffic based on a strictly enforced license
• Linear scaling with intra- and inter-chassis clustering

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Firepower 9300 Native Application Deployment
Logical
Device FTD Cluster
Security Module 1 Security Module 2 Security Module 3 Primary
Application
Instance FTD FTD FTD Application

Decorator
Link DDoS DDoS DDoS
Decorator Application

Logical
Supervisor Data Outside Data Inside Packet Flow
PortChannel2 PortChannel1
Ethernet1/7
(Management)

On-board 8x10GE 4x40GE NM 4x40GE NM Application


interfaces Slot 1 Slot 2 Image Storage

Ethernet 1/1-8 Ethernet 2/1-4 Ethernet 3/1-4

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Reference

Detailed Inbound Flow with Radware vDP


8. Two-tuple symmetric hash 6. Five-tuple symmetric hash on {Proto=TCP,
on {SRC_IP=192.168.1.1, SRC_IP=172.16.1.1, SRC_PORT=80,
1. TCP request from DST_IP=10.0.0.1} DST_IP=10.0.0.1, DST_PORT=1024} 5. TCP response
10.0.0.1/1024 to from 172.16.1.1/80
192.168.1.1/80 to 10.0.0.1/1024
vDP Cluster 7. ASA cluster FTD Cluster
Outside Radware vDP statefully redirects FTD Inside
[Decorated] Module 1 to owner, owner Module 1 [Undecorated]
reverses NAT

Radware vDP FTD


Supervisor Module 2
Supervisor Module 2 Supervisor

Radware vDP FTD


Module 3 Module 3
4. Static NAT
192.168.1.1/80
2. Two-tuple symmetric 3. Five-tuple symmetric hash on {Proto=TCP, ↔172.16.1.1/80
hash on {SRC_IP=10.0.0.1, SRC_IP=10.0.0.1, SRC_PORT=1024,
DST_IP=192.168.1.1} DST_IP=192.168.1.1, DST_PORT=80}

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Reference

Future Vision: Security Service Chaining


• Contextual policy- and outcome based service insertion
• Meta data exchange with Network Services Header (NSH)
Security Module
Service Function (SF) processes
packet, attaches meta data, and DDoS FTD ?
returns to SFF SF, SC, and SFF may
influence service path
based on policy,
Service Classifier (SC) and context, and meta data
Service Function Forwarder (SFF) Stateful Data Path
direct incoming traffic through
necessary services

Input packets Output packets

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Smart Licensing
Cisco applications request feature license Third-party applications may
entitlements from Supervisor or FMC use out-of-band licensing

ASA FTD DDoS


1
2 HTTP/HTTPS Cisco Smart
Supervisor Proxy Licensing
3

Supervisor or FMC fulfill aggregated entitlement requests


with Smart backend through a direct Internet connection, Satellite
HTTP/HTTPS Proxy, or an on-premise Satellite connector Connector

• ASA entitlements: Strong Encryption, Security Contexts, Carrier Inspections


• FTD entitlements: Threat, Malware, and URL Services

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Management Overview
• Chassis management is independent from applications
• On-box chassis manager UI, CLI, and REST
• SNMP and syslog support for chassis level counters/events on Supervisor
• Applications are managed through their respective interfaces
• CLI, REST API (except 1100 and 2100), ASDM, CSM, and CDO for ASA
• Off-box FMC, FMC REST API, and CDO (1100 and 2100 only for now) for FTD
• Device API-driven on-box FDM (1100 and 2100 only for now) for FTD
• Off-box APsolute Vision for Radware vDP
• Future off-box FMC support for both chassis and FTD management
• Already supported on Firepower 2100

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Automated Initial Provisioning
• FXOS 2.6.1 added remote provisioning on Firepower 4100 and 9300 only
DHCP Server

1. DHCP client enabled on 3. DHCP request includes platform ID and


management interface by default serial number; management IP issued

4. Inform of the new device


and its management IP
5. Basic FXOS configuration and new admin
credentials; can continue with logical device
creation and full ASA/FTD orchestration
2. Completion of initial configuration
dialogue on console cancels
automated provisioning Provisioning
Server

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Multi-Instance
Capability on
Firepower 4100
and 9300
Multi-Instance Capability Summary
• Supported on Firepower 4100 and 9300 only
• Instantiate multiple logical devices on a single module or appliance
• FTD application in 6.3, a mix of FTD and ASA instances in the future
• Leverage Docker infrastructure and container packaging
• Complete traffic processing and management isolation
• Physical and logical interface and VLAN separation at Supervisor
FTD Instance A FTD Instance B FTD Instance C FTD Instance D ASA Instance A (Future)
10 CPU 6 CPU 10 CPU
12 CPU 12 CPU

Firepower 4100 or Firepower 9300 module

Ethernet1/1-3 Ethernet1/4-5 Port-Channel1.100-101 Port-Channel2 Port-Channel1.101-102

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Anatomy of a Container Instance
• Each instance uses from 6 logical CPU cores up to the platform maximum
• User-defined assignment with a 2-core step, skipping 8; e.g.: 6, 10, 12, …
• Memory size is automatically selected based on configured CPU core count
• Instance restart is required to change resource configuration, so use stateful HA
• Automatic CPU core allocation between internal components based on size
• System/Management process always takes 2 logical cores
FTD Docker Container (Instance A) FTD Docker Container (Instance B)
Advanced System/ Advanced System/
Data Plane Data Plane
Inspection Management Inspection Management
FXOS Docker Environment
CPU Memory Disk CPU Memory Disk
Firepower Module or Appliance

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Instance Scalability by Platform
CPU core count divided by at Disk space divided by 48Gb of
• Lower of the two limits: least 6 cores per instance required space per instance

Total Application Native CPU Core Allocation Total Application Maximum FTD Instances
Platform
CPU Cores (Data Plane/Snort/System) Disk CPU Bound Disk Bound
Firepower 4110 22 8/12/2 150Gb 3 3

Firepower 4115 new 46 16/28/2 350Gb 7 7

Firepower 4120 46 20/24/2 150Gb 7 3


Firepower 4125 new 62 24/36/2 750Gb 10 15

Firepower 4140 70 32/36/2 350Gb 11 7


Firepower 4145 new 86 32/52/2 750Gb 14 15

Firepower 4150 86 36/48/2 350Gb 14 7


Firepower 9300 SM-24 46 20/24/2 750Gb 7 15

Firepower 9300 SM-36 70 32/36/2 750Gb 11 15

Firepower 9300 SM-40 new 78 32/44/2 1.55Tb 13 32

Firepower 9300 SM-44 86 36/48/2 750Gb 14 15

Firepower 9300 SM-48 new 94 40/52/2 1.55TB 15 32

Firepower 9300 SM-56 new 110 44/64/2 1.55TB 18 32

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Performance
• All inter-instance communication occurs through Supervisor
• Docker form factor itself has minimal effect on performance
• Single full-blade instance performance is same as native application
• Main performance impact comes from additional System cores
• SM-44: 28 System cores with 14 instances → 33% overall impact
• Price to pay for independent and predicable management
• Partially offset by a more favorable inter-component CPU core allocation
• Future support for Clustering, Flow Offload, and Hardware Crypto Engine

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Reference

CPU Core Allocation by Instance Size


Firepower 4110
Core Data Plane/Snort/System
Count Cores

6 2/2/2
10 4/4/2
12 4/6/2
14 4/8/2
16 6/8/2
18 6/10/2
20 8/10/2
22 8/12/2

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Reference

CPU Core Allocation by Instance Size


Firepower 4115
Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores

6 2/2/2 28 10/16/2
10 4/4/2 30 10/18/2
12 4/6/2 32 12/18/2
14 4/8/2 34 12/20/2
16 6/8/2 36 12/22/2
18 6/10/2 38 14/22/2
20 6/12/2 40 14/24/2
22 8/12/2 42 14/26/2
24 8/14/2 44 16/26/2
26 8/16/2 46 16/28/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Reference

CPU Core Allocation by Instance Size


Firepower 4120 and Firepower 9300 SM-24
Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores

6 2/2/2 28 12/14/2
10 4/4/2 30 12/16/2
12 4/6/2 32 14/16/2
14 6/6/2 34 14/18/2
16 6/8/2 36 16/18/2
18 8/8/2 38 16/20/2
20 8/10/2 40 18/20/2
22 10/10/2 42 18/22/2
24 10/12/2 44 20/22/2
26 10/14/2 46 20/24/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Reference

CPU Core Allocation by Instance Size


Firepower 4125
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores

6 2/2/2 28 10/16/2 48 18/28/2


10 4/4/2 30 12/16/2 50 20/28/2
12 4/6/2 32 12/18/2 52 20/30/2
14 4/8/2 34 12/20/2 54 20/32/2
16 6/8/2 36 14/20/2 56 22/32/2
18 6/10/2 38 14/22/2 58 22/34/2
20 8/10/2 40 16/22/2 60 24/34/2
22 8/12/2 42 16/24/2 62 24/36/2
24 8/14/2 44 16/26/2
26 10/14/2 46 18/26/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Reference

CPU Core Allocation by Instance Size


Firepower 4140 and Firepower 9300 SM-36
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores Count Cores

6 2/2/2 28 12/14/2 48 22/24/2 68 32/34/2


10 4/4/2 30 14/14/2 50 22/26/2 70 32/36/2
12 4/6/2 32 14/16/2 52 24/26/2
14 6/6/2 34 16/16/2 54 24/28/2
16 6/8/2 36 16/18/2 56 26/28/2
18 8/8/2 38 16/20/2 58 26/30/2
20 8/10/2 40 18/20/2 60 28/30/2
22 10/10/2 42 18/22/2 62 28/32/2
24 10/12/2 44 20/22/2 64 30/32/2
26 12/12/2 46 20/24/2 66 30/34/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Reference

CPU Core Allocation by Instance Size


Firepower 4145
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores Count Cores

6 2/2/2 28 10/16/2 48 18/28/2 68 26/40/2


10 4/4/2 30 10/18/2 50 18/30/2 70 26/42/2
12 4/6/2 32 12/18/2 52 20/30/2 72 26/44/2
14 4/8/2 34 12/20/2 54 20/32/2 74 28/44/2
16 6/8/2 36 14/20/2 56 20/34/2 76 28/46/2
18 6/10/2 38 14/22/2 58 22/34/2 78 30/46/2
20 8/10/2 40 14/24/2 60 22/36/2 80 30/48/2
22 8/12/2 42 16/24/2 62 24/36/2 82 30/50/2
24 8/14/2 44 16/26/2 64 24/38/2 84 32/50/2
26 10/14/2 46 16/28/2 66 24/40/2 86 32/52/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Reference

CPU Core Allocation by Instance Size


Firepower 4150 and Firepower 9300 SM-44
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores Count Cores

6 2/2/2 28 12/14/2 48 20/26/2 68 28/38/2


10 4/4/2 30 12/16/2 50 20/28/2 70 30/38/2
12 4/6/2 32 14/16/2 52 22/28/2 72 30/40/2
14 6/6/2 34 14/18/2 54 22/30/2 74 30/42/2
16 6/8/2 36 14/20/2 56 24/30/2 76 32/42/2
18 8/8/2 38 16/20/2 58 24/32/2 78 32/44/2
20 8/10/2 40 16/22/2 60 26/32/2 80 34/44/2
22 8/12/2 42 18/22/2 62 26/34/2 82 34/46/2
24 10/12/2 44 18/24/2 64 26/36/2 84 36/46/2
26 10/14/2 46 18/26/2 66 28/36/2 86 36/48/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Reference

CPU Core Allocation by Instance Size


Firepower 9300 SM-40
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores Count Cores

6 2/2/2 28 12/14/2 48 20/26/2 68 28/38/2


10 4/4/2 30 12/16/2 50 20/28/2 70 28/40/2
12 4/6/2 32 12/18/2 52 22/28/2 72 30/40/2
14 6/6/2 34 14/18/2 54 22/30/2 74 30/42/2
16 6/8/2 36 14/20/2 56 22/32/2 76 32/42/2
18 6/10/2 38 16/20/2 58 24/32/2 78 32/44/2
20 8/10/2 40 16/22/2 60 24/34/2
22 8/12/2 42 16/24/2 62 26/34/2
24 10/12/2 44 18/24/2 64 26/36/2
26 10/14/2 46 18/26/2 66 28/36/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Reference

CPU Core Allocation by Instance Size


Firepower 9300 SM-48
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores Count Cores

6 2/2/2 28 12/14/2 48 20/26/2 68 28/38/2


10 4/4/2 30 12/16/2 50 20/28/2 70 30/38/2
12 4/6/2 32 14/16/2 52 22/28/2 72 30/40/2
14 6/6/2 34 14/18/2 54 22/30/2 74 32/40/2
16 6/8/2 36 14/20/2 56 24/30/2 76 32/42/2
18 8/8/2 38 16/20/2 58 24/32/2 78 34/42/2
20 8/10/2 40 16/22/2 60 26/32/2 80 34/44/2
22 8/12/2 42 18/22/2 62 26/34/2 82 34/46/2
24 10/12/2 44 18/24/2 64 28/34/2 84 36/46/2
26 10/14/2 46 20/24/2 66 28/36/2 86 36/48/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Reference

CPU Core Allocation by Instance Size


Firepower 9300 SM-48 (Continued)
Core Data Plane/Snort/System
Count Cores

88 38/48/2
90 38/50/2
92 40/50/2
94 40/52/2

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Reference

CPU Core Allocation by Instance Size


Firepower 9300 SM-56
Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores Count Cores Count Cores

6 2/2/2 28 10/16/2 48 18/28/2 68 28/38/2


10 4/4/2 30 12/16/2 50 20/28/2 70 28/40/2
12 4/6/2 32 12/18/2 52 20/30/2 72 28/42/2
14 6/6/2 34 14/18/2 54 22/30/2 74 30/42/2
16 6/8/2 36 14/20/2 56 22/32/2 76 30/44/2
18 6/10/2 38 14/22/2 58 22/34/2 78 32/44/2
20 8/10/2 40 16/22/2 60 24/34/2 80 32/46/2
22 8/12/2 42 16/24/2 62 24/36/2 82 32/48/2
24 10/12/2 44 18/24/2 64 26/36/2 84 34/48/2
26 10/14/2 46 18/26/2 66 26/38/2 86 34/50/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Reference

CPU Core Allocation by Instance Size


Firepower 9300 SM-56 (Continued)
Core Data Plane/Snort/System Core Data Plane/Snort/System
Count Cores Count Cores

88 36/50/2 108 44/62/2


90 36/52/2 110 44/64/2
92 36/54/2
94 38/54/2
96 38/56/2
98 40/56/2
100 40/58/2
102 40/60/2
104 42/60/2
106 42/62/2
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Estimating Per-Instance Throughput
• Maximum container instance throughput is proportional to CPU core count
• Step 1: Obtain maximum native instance (full cores) throughput from data sheet
• Step 2: Divide figure from Step 1 by native Snort cores on slide 49
• Step 3: Multiply figure in Step 2 by Snort cores for instance size on slides 51-62
• Example: 28-core instance on Firepower 4140
• 20Gbps of 1024-byte AVC+IPS throughput per
data sheet
• 20Gbps / 36 Snort cores on a full native instance →
555Mbps per core
• 555Mbps * 14 Snort cores on a 28-core container
instance → 7.78Gbps per instance

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Network Interfaces
• Supervisor assigns physical, EtherChannel, and VLAN subinterfaces
• FXOS supports up to 500 total VLAN subinterfaces in FXOS 2.4.1
• FTD can also create VLAN subinterfaces on physical and EtherChannel interfaces
• Each instance can have a combination of different interface types

Data (Dedicated) Data-Sharing (Shared) Mgmt/Firepower-Eventing


FTD Instance A FTD Instance B FTD Instance A FTD Instance B FTD Instance A FTD Instance B
4 CPU 2 CPU 4 CPU 2 CPU 4 CPU 2 CPU

Ethernet1/1-3 Ethernet1/4-5
PortChannel1.100-101 PortChannel2
Supported Modes: Routed, Transparent, Supported Modes: Routed (no BVI Supported Modes: Management,
Inline, Inline-tap, Passive, HA members), HA Eventing
Supported Traffic: unicast, broadcast, Supported Traffic: unicast, Supported Traffic: unicast,
multicast broadcast, multicast broadcast, multicast

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Reference

MAC Address Restrictions


• Virtual MAC addresses are auto-generated for all instance interfaces
• All container instance interfaces use A2XX.XXYY.YYYY format

Default prefix derived from a chassis MAC or user-defined Counter that increments for every interface

• Manual MAC address configuration within FTD is still available


• Must be unique across all instances on a shared interface (obviously)
• Must be unique for all Supervisor VLAN subinterfaces under one parent
• Supervisor faults are raised for all MAC address conflicts

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Network Interface Scalability
• Supervisor has strict hardware limits on forwarding tables
• Use show detail under scope fabric-interconnect to monitor
• Limits apply across all standalone modules in a chassis or a cluster
• Ingress VLAN Group Entry Count defines maximum FXOS VLAN ID count
• Up to 500 total entries or unique Supervisor VLAN subinterfaces
• Re-using same VLAN ID under two parent interfaces consumes 2 entries
• Switch Forwarding Path Entry Count limits shared interfaces
• Up to 1021 TCAM entries for ingress/egress path programming
• Each Dedicated data interface consumes at least 2 entries
• Entries for Shared Data interfaces grow exponentially with instance count

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Interface Scalability Best Practices
• Refer to FXOS documentation for real-world examples
• Minimise the number of Shared Data (sub)interfaces
• A single instance can have up to 10 shared (sub)interfaces
• A single (sub)interface can be shared with up to 14 instances
• Sharing an interface across a subset of instances scales better
• Share subinterfaces rather than physical interfaces
• One parent interface is best, multiple parents is also acceptable
• 2 Dedicated, 10 Shared physical: 69% TCAM usage at 5 instances
• 10 Dedicated, 10 Shared subinterfaces: 46% TCAM usage at 14 instances

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Management and Licensing
• After FXOS 2.4.1 upgrade, must Reinitialize a module to deploy instances
• Different instances look and feel like completely independent FTD devices
• Software upgrades, restarts, and configuration management are isolated
• Each FTD instance has separate management IP, so add to FMC separately
• FTD Expert Mode access is enabled on per-instance basis at provisioning
• No additional feature license to enable multi-instance capability
• Each FTD subscription license is shared by all instances on a module
• License sharing requires all instances to be managed by a single FMC
• With multiple FMCs, each requires a separate set of FTD subscriptions

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Availability and
Scalability
Reference

High Availability and Scalability Options


High Scalability High Availability and Scalability
High Availability
(Firepower 9300 only) (Firepower 4100/9300 only)
• Active/Standby Failover • Intra-chassis Clustering • Inter-chassis clustering
(2 modules or appliances) (≤3 modules, 240Gbps) (≤16 modules, 1.2Tbps)
ASA • Active/Active Failover • Inter-chassis Clustering
(2 modules or appliances) (≤16 modules, 1.2Tbps)

• Active/Standby HA • Intra-chassis Clustering • Inter-chassis clustering


FTD (2 modules or appliances) (≤3 modules, 100Gbps) (≤6 modules, 270Gbps)

Radware - • Intra-chassis Clustering • Inter-chassis Clustering


vDP (≤3 modules, 54Gbps) (≤16 modules, 288Gbps)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
FTD High Availability and Clustering
• FTD inherits failover and clustering infrastructure from ASA
• Replicates full NGFW/NGIPS configuration and opaque flow state
• Supports all NGFW/NGIPS interface modes
• Interface and Snort instance (at least 50%) health monitoring
• Zero-Downtime upgrades for most applications
• Ensures full stateful flow symmetry in both NGIPS and NGFW modes
vPC vPC

HA/Failover: Both A HA Link S


Clustering: All packets for a
directions of a flow traverse Cluster flow are redirected to
FTD FTD FTD FTD
a single active unit connection Owner

vPC vPC

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Multi-Instance High Availability
• Container instances support inter-chassis HA only
• Two instances are configured into an Active/Standby HA pair
• Share single physical HA link with one VLAN per instance pair
FTD Instance A FTD Instance B FTD Instance A FTD Instance B
Active Standby Standby Active
HA Link
Firepower 4100 Chassis 1 HA Pair A: VLAN100 Firepower 4100 Chassis 2
HA Pair B: VLAN101

• An HA pair allows differently sized instances for seamless resizing


• Stateful HA is supported but not guaranteed when downsizing

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
FTD and ASA Clustering Overview
Inter-Chassis Cluster Control Link
• Cluster of up to 16 modules across 5+ chassis
• Off-chassis flow backup for complete redundancy

Switch 1 Switch 2
Nexus vPC

Chassis 1 Chassis 2

Supervisor Supervisor
FTD FTD FTD FTD
Cluster
FTD FTD
Cluster

Intra-Chassis Cluster Control Link


• Same-application modules can be clustered within chassis
• Bootstrap configuration is applied by Supervisor
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Reference

Clustering Changes for Firepower 4100/9300


• Only Spanned Etherchannel interface mode is supported
• Remote flow backup for N+1 chassis-level fault tolerance
• Firewall context mode on ASA and SSL/TLS ciphers are replicated
• HTTP flows are not replicated by default until 5 seconds of uptime
asa(config)# cluster replication delay http

• Chassis- and cluster-level overflow protection syslogs


%ASA-6-748008: CPU load 80% of module 1 in chassis 1 (unit-1-1) exceeds overflow
protection threshold CPU 75%. System may be oversubscribed on member failure.
%ASA-6-748009: Memory load 80% of chassis 1 exceeds overflow protection threshold
memory 78%. System may be oversubscribed on chassis failure.

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
New TCP Flow with FTD Inter-Chassis Clustering
1. Attempt new FTD Cluster
2. C1M1: Become
flow with TCP SYN Owner, add SYN
FTD O FTD B Cookie, send to Server
7. C1M1: Calculate
Module 1 off-chassis Backup
Module 1
C2M1, send update
5. C1M1:
Client FTD FTD
Send to Client M
Module 2 Module 2 Server
6. C1M1: Calculate
Director C1M3,
FTD D 4. C2M3: Redirect FTD F
send flow update 3. Server responds
Module 3 to Owner C1M1 Module 3
from SYN Cookie, with TCP SYN ACK
Chassis 1 become Forwarder Chassis 2 through another unit

M Master O Owner D Director F Forwarder B Off-Chassis Backup


Global Role Per-Connection Roles

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Equal Cost MultiPath with Traffic Zones
Standalone switches or
routers are common with Solution: Create a
multiple upstream paths separate Spanned
Etherchannel logical
Po10: outside-1 Po11: outside-2
BGP/OSPF BGP/OSPF interface per upstream
outside zone device and group them
into a single ECMP Traffic
Zone with FlexConfig
Supervisor Supervisor
FTD FTD FTD FTD
Cluster
FTD FTD

inside

A Spanned Etherchannel in clustering


should be connected to a single logical
switch (vPC/VSS) at a site
vPC

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Inter-Site Clustering with ASA or FTD
• North-South insertion with LISP inspection and owner reassignment
Site A Site B

Inter-Site
Cluster

OTV

• East-West insertion for first hop redundancy with VM mobility


Site A Site B

Inter-Site
Cluster
OTV

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Reference

Radware vDP Clustering


• Requires intra-chassis ASA or FTD clustering for operation
• Control link is shared with primary application and automatically configured
• Health checks tie primary application and vDP instances on a module together
1. vDP Master/Slave
vDP Cluster
instances and configured and
vDP M managed independently.
Module 1
Cookie?
Cookie 2. Time-based secret vDP APSolute
S
value is replicated Module 3 Vision
3. Asymmetrical L7 session from Master to Slaves.
authentication with cookies
uses same secret value OK! vDP S
across cluster. Module 2

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Reference

Turbo Performance Mode


• Automatically enabled on all Firepower 9300 modules in FXOS 2.0.1
• Accelerates FTD and ASA performance on demand
• All x86 CPU cores on a module temporarily increase clock frequency
• Triggered when 25% of ASA or FTD Data Plane cores reach 80% load
• Disabled when all cores drop below 60% load
• Boosts performance by 10-20%

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Transport Layer Security
• Secure Sockets Layer (SSL) is broken, obsolete and no longer in use
• Transport Layer Security (TLS) is the current generic protocol layer
ClientHello, Server Name Indication (SNI)
Client ServerHello, ServerCertificate, ServerHelloDone Server
PKI Phase ClientKeyExchange, ChangeCipherSpec, Finished
ChangeCipherSpec, Finished
ApplicationData
Bulk Data Phase

• Some detectors do not need full session decryption until TLS 1.3
• Cleartext SNI extension indicates where client may be going – spoofable
• ServerCertificate contains server identity – legitimate, if CA is trusted

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Man-in-the-Middle (MITM) TLS Inspection
• Two separate TLS sessions with client and server
Client Public Key FTD Public Key
FTD (Resign) or Server (Known) Public Key Server Public Key

• Public Key Pinning breaks Resign mode


• Client certificate authentication or custom encryption always break MITM
• FTD 6.3 enables TLS inspection in hardware on all platforms
• Up to 6x throughput improvement with large transfers (Bulk Data)
• Up to 26x connections-per-second improvement with a transactional profile (PKI)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Single-Flow Performance Considerations
• A single stateful flow must be processed by one CPU core at a time
• Trying to share a complex data structure leads to race conditions
• Stateless parallel processing leads to out-of-order packets
• No magic trick to single-flow throughput
• Deploy more powerful CPU cores
• Reduce the amount of security inspection
• Pay performance price for real security
• … or deploy a router or a switch instead

Source: https://science.energy.gov/~/media/ascr/ascac/pdf/reports/2013/SC12_Harrod.pdf
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Managing Single-Flow Throughput
• Roughly estimated as overall throughput divided by Snort cores on slide 49
• 53Gbps of 1024-byte AVC+IPS on SM-44 / 48 Snort cores = ~1.1Gbps
• Similar on most high-end ASA, FirePOWER, and Firepower platforms
• Reducing impact on all flows from few Superflows is more important
• Checking if an NGFW automatically reduces inspection is easy
• Transfer multiple benign and malicious files over a single SMB session
• Use HTTP Pipelining to service multiple requests over one TCP connection
• “What does your security policy tell you to do?”
• NGFW performance capacity must not dictate your security policy
• Flow Offload vs Intelligent Application Bypass (IAB)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Flow Offload on Firepower 4100 and 9300
• Trusted flow processing with limited security visibility in Smart NIC
• Up to 39.7Gbps of single-flow UDP with 1500-byte packets
• Use for long-lived connections only
• Supports up to 4M offloaded stateful connections in FXOS 2.3.1
• Static offload for unicast flows on ASA with IP/SGACL in MPF
policy-map OFFLOAD_POLICY
class TRUSTED_FLOWS
set connection advanced-options flow-offload

• Offload multicast in transparent mode with 2 bridge group ports in ASA 9.6(2)
• Prefilter offload policy for IP/TCP/UDP Fastpath rules in FTD 6.1
• Dynamic Flow Offload for Trusted and Whitelisted flows in FTD 6.3
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Flow Offload Operation
Full Inspection
• Dynamically program Offload engine after flow establishment
• Ability to switch between Offload and full inspection on the fly

Security Module
x86 CPU Complex
Full FTD or ASA Engine

New and fully Offload Flow


inspected flows instructions updates

Incoming Established
Flow Classifier Rewrite Engine
traffic trusted flows
Smart NIC

Flow Offload
• Limited state tracking, NAT/PAT, TCP Seq Randomization
• 20-40Gbps per single TCP/UDP flow, 2.9us UDP latency, 4M tracked flows

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Reference

TCP Flow Handling with Flow Offload


Flow Classifier Rewrite Engine ASA or FTD
Establishment

TCP SYN No flow match

TCP SYN ACK No flow match

TCP ACK No flow match


TCP conn open
TCP Data No flow match
Exchange

Install Offload entry


Flow offload request
TCP Data Match flow entry Packet processed in
Offload Path
Byte count
Flow data sync monitoring
TCP FIN Conn termination
Teardown

End flow offload


TCP FIN ACK No match

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Deployment
Example: FTD
Container
Instances on
Firepower 4100
Firepower Chassis Manager (FCM)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Logical Device Overview

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Interface Configuration

Supervisor VLAN subinterface

Container instance allocation

Cluster Control Link (CCL)

Dedicated data (Native or Container)

Shared data interface (Container only)

Dedicated management

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Adding a Supervisor VLAN Subinterface

Select Subinterface

Data or Data-Sharing type


Parent physical interface
Subinterface and VLAN ID
do not have to match

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Creating Instance Resource Profile

Custom reusable name

Instance size in even


number of CPU cores
(6-86, except 8)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Adding Container Instance
Add new device.

Locally significant name

Application type

Application version from locally


loaded images

Native and Container instances


cannot mix on one module

Containers instances only support


Standalone and HA deployments
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Assigning FTD Interfaces

One dedicated and one shared data interfaces

Supervisor VLAN subinterface for HA

Configure logical device properties for chassis


(4100) or modules (9300)

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Configuring FTD Instance Size and Management

Pre-created CPU core sizing profile

Dedicated FTD management interface

Management interface addressing:


IPv4, IPv6, or both

Dedicated FTD management IP

FTD management interface subnet

Default gateway for FTD management


interface

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Configuring FTD Device Settings
FMC management registration key must
match the device

FTD management password for CLI

FMC real IP address to connect with

Expert mode access is disabled for


container instances by default

Optional default domain name

Routed of transparent NGFW operating


mode

Optional default DNS server

Optional FMC NAT mapped address to


connect with

Optional FTD device FQDN

Optional interface for FTD events

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
FTD Instance Installation

Monitor logical device


deployment status

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Adding FTD Instance to FMC
FTD application real management IP
Add new FTD device

Unique display name in FMC

FMC registration key must match logical device configuration

Must assign a default main Access Control Policy

Shared licenses for container instances on single module and FMC

Optional FTD NAT mapped IP


address

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Reference

Application Use
Cases
Reference

Application Use Case Summary


• ASA is a powerful and scalable solution for basic stateful segmentation
• Ease of integration and scaling in large and distributed data centers
• Infrastructure and Internet edge protection for service providers Firewall

• Scalable and fully featured RAVPN termination


• FTD is a comprehensive threat-centric security solution
• NGIPS for data center and service provider environments
NGFW NGIPS
• NGFW for edge protection and single- or multi-site data centers
• Radware vDP is a behavioral DDoS mitigation solution
• Internet edge protection for web commerce and service providers DDoS

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
Reference

ASA and FTD in Data Center


• Routed or transparent insertion into common data center topologies
• vPC, VxLAN, PBR, OSPFv2/v3, BGP-4, ECMP, NSF/GR, PIM-SM, BSR, ACI
• Integrated Routing and Bridging (IRB) in ASA 9.7(1) and FTD 6.2
Layer 2 Data Center Layer 3 Data Center Application Centric Infrastructure
Core/Edge ACI Fabric
Spine Nodes

Services

Distribution/ Leaf Nodes


Aggregation
VS
Access Endpoints

Files Users
• Scalable IP and Trustsec policies in single or multiple contexts
• Same- and inter-site clustering with LISP integration

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 101
Reference

Data Center Segmentation with IRB


BVI 1 BVI 2 Different bridge groups (IP subnets) are routed to
each other by a single FTD/ASA context or instance

Different VLAN/VxLAN segments (security zones) in


VLAN 11 12 13 14 15 16 VLAN 21 22 same IP subnet are bridged together and separated
FTD/ASA by transparent FTD/ASA

VLAN Trunk
Switch

Each security zone within a subnet is


Subnet A Subnet B modeled as a separate VLAN (physical
hosts) or VxLAN (virtual machines)

A single IP subnet contains endpoints from multiple different security zones

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Reference

Private VLAN Remapping with ASA


• ASA 9.5(2) can re-map a set of secondary VLANs to a primary VLAN
interface Ethernet1/3
vlan 100 secondary 110, 120, 130

ASA maps frames received from


secondary VLANs to primary VLAN
subinterface and then processes Primary VLAN 100 VLAN 100
Private VLAN trunk transmits
them normally
upstream traffic for all
secondary and primary VLANs
Switch assigns ports to secondary
VLANs and enforces connectivity VLAN 110 VLAN 120
between different port types within
the primary VLAN
VLAN 130 Promiscuous ports can talk to
any other port
Community ports can only talk to
Community Promiscuous
each other and promiscuous ports
Isolated
Isolated ports can only talk to
promiscuous ports

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
Reference

ASA and FTD for Scalable VPN Termination


• Use standalone modules or failover for scaling S2S and RA VPN
• Reverse Route Injection (RRI) with dynamic crypto maps and OSPF/BGP

RAVPN with ASA Load-Balancing ASA/FTD S2S VPN with Nexus ITD
RRI
RRI RRI RRI
Chassis 1 Chassis 2 Chassis 1 Chassis 2
Mas ter

.10 .20 .30 .10 .20 .30 .10 .20 .30 .40 .50 .60

203.0.113.0/24 198.51.100.0/24 10.1.1.0/24 Intelligent


203.0.113.0/24 Traffic Director
10.1.1.85 10.1.1.100 VIP .1
172.16.171.0/24 192.168.1.0/24

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Reference

ASA for Service Providers


Evolved Packet Core Hosted Services
MME S-GW

PCRF HSS P-GW

Protect mobile backhaul Stateful Internet edge


connection with scalable protection and CGNAT Stateful Internet edge
S2S VPN protection with multiple-context
for mobile clients
mode for hosted services
Protect roaming
agreements and billing
systems with GTP/Diameter Stateful perimeter protection
inspection and advanced for external (Type III) SP
filtering policies
Roaming Partner Internet
MME S-GW

External Service Provider


PCRF

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Reference

ASA Application Inspection


• Protocol conformance, NAT/PAT rewrites, dynamic ACL pinholes
• SIP inspection for scalable VoIP environments (>10K calls per second)
• SCTP, Diameter, and GTPv2 inspection for Carriers in ASA 9.5(2)
• TLS Proxy with SIP; multi-core Diameter inspection in ASA 9.6(1)
Endpoints establish an inspected control
channel TLS connection over TCP

ASA uses pre-configured trustpoints to cut


into TLS connection, inspect traffic, and
open secondary connections as necessary

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 106
Reference

Carrier Grade NAT on FTD and ASA


• Fully conforms to RFC6888 except Port Control Protocol (PCP) support
• High single-module capacity and further scalability with clustering
• 60M+ concurrent NAT translation per module with ASA
• 500K+ new translation creations per second per module with ASA
• Port Block Allocation for PAT reduces logging volume in ASA 9.5(2)
• Each PAT client is assigned blocks of ports (512 each by default) for translation
• A single syslog is recorded for each block allocation event
%ASA-6-305014: Allocated TCP block of ports for translation from inside:10.1.1.10 to
outside:20.1.1.10/1024-1535.
%ASA-6-305015: Released TCP block of ports for translation from inside:10.1.1.10 to
outside:20.1.1.10/1024-1535.

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Reference

FTD as NGFW at the Edge


AVC, Reputation, TLS decryption, URL DNS Sinkholing redirects potentially
Filtering, File Analysis, Advanced Malware malicious connections to a local honeypot
Protection for outbound connections Honeypot

Continuous updates from Talos


ensure relevant protection

Campus

OSPF, BGP, NSF/GR, NGFW


and similar features for File hashes are checked against AMP
easy network integration AMP Cloud, unknown samples
Data Center
are submitted to ThreatGrid;
ACL and NGIPS policies, optional TLS ThreatGrid feeds the data back
decryption for inbound connections into AMP Cloud and Talos ThreatGrid

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Reference

Scalable Edge NGFW with FTD and Nexus ITD


3. Return traffic is routed to correct
4. Connection switchover is stateful
Firepower 9300 chassis based on
on module failure (same chassis),
separate PAT pools; intra-chassis
Outside stateless on chassis failure
clustering resolves asymmetry
203.0.113.0/24

Firepower 9300 PAT Pool .11-13 Firepower 9300 PAT Pool .14-16 Firepower 9300 PAT Pool .17-19

Supervisor Supervisor Supervisor


FTD FTD FTD FTD FTD FTD
FTD FTD Cluster 2 FTD
Cluster 1 Cluster 3
.10 .11 .12
Inside-Transit .1
2. ITD load-balances packets based on 192.168.1.0/24
source IP across multiple independent 1. Outgoing edge connections hit an
Firepower 9300 FTD intra-chassis clusters Nexus Intelligent ITD VIP (loopback) on Nexus
Traffic Director (ITD)
Inside
VIP .1
10.1.1.0/24
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Reference

FTD Identity Management with pxGrid


• Extended identity attributes with Platform eXchange Grid (pxGrid)
• User identity, Geolocation, Source Security Group and Tag, Device Type
• Replaces Firepower User Agent with ISE or ISE-PIC
4. ISE publishes
IP↔Attribute mappings
through FMC to FTD

ISE NGFW

2. ISE authorises 3. FMC resolves AD group


users against AD membership; FTD actively
authenticates users through LDAP
1. Wireless, wired, and VPN
clients authorise network Active Directory
access through ISE

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
Reference

Behavioral DDoS with Radware vDP


• Behavioral detection for maximum efficacy and low false positives

Rate-Based Detection Behavioural Detection


• Effectively protects web, e-mail, VoIP, and other services
• Adaptive behavioral DoS against IPv4/IPv6 TCP/UDP/ICMP/IGMP floods
• SYN flood protection with active Layer 4 challenges
• DNS flood protection with request/response record tracking
• Application signature protection for HTTP, SMTP, FTP, POP3, SIP, SMB, SQL
• Anomaly protection against basic malformed packets

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
Reference

FTD or ASA with DDoS in Enterprise


Cloud
Scrubbing Radware Defense Messaging used
Service to initiate cloud-based mitigation
for volumetric attacks beyond on-
premise processing capabilities

Dirty traffic pulled into Radware Cisco


Radware DefensePipe,
vDP FTD Data Center
sanitised, and then redirected
to edge router over GRE
Internal traffic
traverses FTD only for
Firepower 9300 stateful segmentation
Inbound Internet traffic traverses
DDoS and FTD for behavioral
and stateful protection at up to
10Gbps per module

Campus
#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
Closing Remarks
Firepower Platform Summary
• Next-generation security platform architecture
• Security service chaining with Cisco and third-party applications
• Classic stateful firewall, VPN, NGFW, NGIPS, and DDoS protection
• Powerful multi-instance capability with resource reservation
• Intra- and inter-chassis clustering for high scalability
• Flow Offload for real time applications

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
Questions?
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
Continue your education

Demos in the
Walk-in labs
Cisco campus

Meet the engineer


Related sessions
1:1 meetings

#CLUS BRKSEC-3035 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
Thank you

#CLUS
#CLUS

You might also like