Secure Firewall
FEATURES
HARDWARE
1000 Series
Best for smaller businesses and branch offices.
2100 Series
Ideal for larger branch offices and medium-sized organizations.
3100 Series
Designed for enterprise, campus, and data center environments.
4100 Series
Designed for enterprise, campus, and data center environments.
9100 Series
Optimized for service providers and high-performance data centers.
NGFWv Series
Optimized for service providers and high-performance data centers.
SOFTWARE
Umbrella Connector
TLS 1.3 Decryption
Access Control Policy Lock
VPN : Certificate & SAML Authentication
Elephant Flow Handling
QUIC Fingerprinting
MITRE Rule Groups
Remote Access VPN Dashboard
MANAGEMENT OPTIONS
FMC
FMC can be deployed as:
a) a physical appliance,
b) a virtual appliance, or
c) a cloud service.
RESOURCES
CDO
Cisco Defense Orchestrator is a cloud-delivered version of Firewall Management Center (FMC).
Cisco Defense Orchestrator (CDO) centrally manages elements of policy and configuration across:
Cisco Secure Firewall ASA, both on-premises and virtual
Cisco Secure Firewall Threat Defense (FTD), both on-premises and virtual
Cisco Secure IPS (formerly Firepower NGIPS)
Cisco Firewall Threat Defense for ISR
Cisco Meraki™ MX
Cisco IOS devices
AWS security groups
Because it is cloud-based, it requires no capital expenditure, rack space, or manual patching and upgrading, dramatically reducing your operational costs.
Features and benefits [Check Table 1]
Begin Trial [Please register for Cisco Defense Orchestrator Trial offer before placing an order]
COMPETITIVE ADVANTAGE
Recognitions & Awards
#1 in current offering with top marks for Zero Trust, workload protection, threat intelligence, cloud-delivered components, micro-segmentation, firewall-as-a-service, and usability
#1 in market presence
Leader in platform strategy
5/5 for product vision
2022 Forrester TEI report of Cisco Secure Firewall - https://www.cisco.com/c/dam/en/us/products/collateral/security/forrester-secure-firewall-tei-study.pdf (80% reduction in risk of breach)
The Gartner Magic Quadrant for Network Firewalls Dec 2022 Field Response Guide - https://cisco.sharepoint.com/:b:/r/sites/GSSOSalesAcceleration/Shared%20Documents/Gartner-MQ-for-Firewall-2022---Field-Response-Guide.pdf?csf=1&web=1&e=hY5CFs
SE Labs awarded Best NGFW and NGFW of the year
SE Labs awarded Secure Firewall both an “AAA” on Threat Defense rating and NGFW of the Year
CRN’s 2023 Products Of The Year
CRN recognized the Cisco Secure Firewall 4200 Series as Product of the Year, beating Palo Alto and SonicWall.
Competitive Advantage
Cisco Talos® examines 600 billion events daily, compared to Fortinet’s FortiGuard Labs’ 81 billion
In Fortinet F-series firewalls, the gap between firewall throughput and NGFW throughput is huge, which suggests the device slows down once IPS, malware, and URL filtering features are enabled.
Concurrent-session figures are overvalued once you do the math. For example, the 400F is rated for 7.8M max concurrent sessions with 10 Gbps of NGFW throughput, which works out to just 1.3 kbps per connection. The Cisco 3110 gives you 8.5 kbps per connection.
Risky partial packet inspection - Fortinet only inspects the first 200 bytes of a packet to maintain throughput
Fortinet lacks true next-generation IPS capabilities, which is why it is missing from Gartner's NGIPS Magic Quadrant report. Cisco's Snort NGIPS is an open-source, industry-leading solution powered by Talos threat intelligence.
Cisco Secure Firewall 3100 offers greater storage capacity (900 GB) than the FortiGate 200F and 400F.
Gartner calls out Fortinet's multiple touchpoints in a recent Single-Vendor SASE MQ: "FortiFatigue is real." Source: Gartner MQ report; Field Response Guide.
Fortinet says hackers exploited critical vulnerability to infect VPN customers | https://arstechnica.com/information-technology/2023/01/fortinet-says-hackers-exploited-critical-vulnerability-to-infect-vpn-customers
ORDERING GUIDE
LICENSING OPTIONS
Select Hardware Options and Quantity.
Select Subscriptions - T=, URL=, AMP=, TC=, TM=, TMC=.
Select Term – 1, 3 or 5 years.
Select ISE-PIC for Active Directory Integration - Cisco ISE Passive Identity Connector Data Sheet - Cisco (Mandatory)
Select SAL (Security Analytics and Logging) for extended Logging - Cisco Network Security Ordering Guide - Cisco (Optional)
Cisco Secure DDOS Protection is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco. It is available with the Cisco Firepower 9300 and selected Cisco Firepower 4100 Series models running either the ASA or FTD software image. - Cisco Network Security Ordering Guide - Cisco (Optional)
RESOURCES
SDWAN - Wizard
The Cisco Secure Firewall Essentials Hub - Comprehensive documentation to help you start working with the Cisco Secure Firewall solutions
Secure Firewall Application Detectors - Current list of application detectors
Firestarter - Pilot program for Cisco Firewall
Firewall Migration Tool - Simplified migration to Cisco Secure Firewall [Firewall Upgrade Request Form]
Secure Firewall Field Guide - Sales strategy, updates, and sales support.
Basic configuration steps
DEEP DIVE
Firestarter FAQ Home https://wiki.cisco.com/display/FPWRFAQ/Firestarter+FAQ+Home
LEARN
ARCHITECTURE
FXOS : Chassis OS, analogous to a BIOS; manages the hardware
Security Software : ftdOS / asaOS
Lina Software : Underlying ASA-derived process
Snort Software : Deep packet inspection
FTD CLI
Default
Username : admin
Password : Admin123
IP : 192.168.95.1/24 (Connect to any of the LAN Interface)
OS : FXOS / Chassis OS / BIOS (the prompt is #)
Various Modes for FTD
FXOS Mode : Chassis login (the prompt is #)
Clish Mode / Unified CLI : Regular FTD mode, the default (the prompt is >). Enter it from FXOS with:
# connect ftd
Diagnostic Mode : Used for advanced troubleshooting. Enter by typing "system support diagnostic-cli" (the prompt is HOSTNAME>). It contains a user-exec level and a privileged level; enter the privileged level by typing "enable" (the prompt is HOSTNAME#).
>system support diagnostic-cli
>enable
Expert Mode : Enter by typing "expert" (the prompt is admin@HOSTNAME $)
>expert
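The mode nesting above, written out as one annotated console session. This is an added example, not from the original page: the hostname FTD-1 is a placeholder, the lines beginning with "!" are annotations rather than device output, the empty enable password in the diagnostic CLI and the Ctrl-a, d key sequence for leaving it are assumed to match standard FTD behaviour, and the "show" commands are only there to mark which level you are at.

```console
! FXOS chassis shell (prompt "#"); FTD-1 is a placeholder hostname
FTD-1# connect ftd
! Unified CLI / Clish, the default FTD mode (prompt ">")
> show version
> system support diagnostic-cli
! Diagnostic CLI, user-exec level (prompt "HOSTNAME>")
FTD-1> enable
Password: <press Enter; the enable password is empty by default (assumption)>
! Diagnostic CLI, privileged level (prompt "HOSTNAME#"); ASA-style show commands work here
FTD-1# show conn detail
! Leave the diagnostic CLI with the key sequence Ctrl-a, then d; this returns to ">"
> expert
! Expert mode (prompt "admin@HOSTNAME:~$"); "exit" returns to the unified CLI
admin@FTD-1:~$ exit
! Back in the unified CLI; "exit" returns to the FXOS chassis shell
> exit
FTD-1#
```

Each level returns to the one that launched it, so keep track of the prompt before typing a command: "show conn detail" is accepted at the diagnostic prompts but not at the FXOS "#" prompt, and "configure ..." commands belong at the ">" prompt only.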
How to Reset FTD
#connect local-mgmt
#erase configuration
Debug commands
>system support firewall-engine-debug (Firewall Engine debug)
>debug arp (Enables ARP Logs)
Show commands from the Unified CLI
>show chassis detail (View Chassis details)
>show interface Ethernet 1/3 (L2/L3 interface information)
>show running-config nat (View NAT configuration)
>show xlate (View NAT Translations)
>show nat pool (View NAT Information)
>show nat detail (View NAT Details)
>show route (View active routes)
>show conn protocol tcp (View TCP state)
>show conn detail (View Connection table)
>show running-config access-list (View L3/L4 ACL)
>show traffic (View Traffic rates)
>show tech-support (View Logs related to tech support)
Unable to access FDM?
#connect ftd
>configure network ipv4 manual 192.168.45.45 255.255.255.0 192.168.45.1 (Updates the ip address of management interface on the firewall)
>configure manager local
>configure https-access-list 0.0.0.0/0
Unable to update 3DES License on ASA?
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# feature strong-encryption
ciscoasa(config-smart-lic)# exit
ciscoasa(config)# exit
ciscoasa# license smart register idtoken <smart-token> force