NGFWv & ASAv in Public Cloud (AWS & Azure)


2 NGFWv & ASAv in Public Cloud (AWS & Azure)
Anubhav Swami, CCIE#, Technical Marketing Engineer

3 Your Speaker
Anubhav Swami, Technical Marketing Engineer
- 5 years in Cisco TAC
- 2 years in ASA BU
- 2 years in Technical Marketing
- 14+ years in Networking
- YouTube Channel:
Cisco and/or its affiliates. All rights reserved. Cisco Public


5 Spark Room Managers
- Goran Saradzic, Manager, Technical Marketing
- David Abercrombie, Sr. Manager, Product Management

6 Related Cisco Live Las Vegas 2017 Sessions
- BRKSEC-3035 Firepower Platform Deep Dive
- BRKSEC-2050 Firepower NGFW Edge Deployment Scenarios
- BRKACI-3004 Deep Dive on Cisco Security in ACI (NGFW, ASA and NGIPS)
- BRKSEC-3032 NGFW Clustering Deep Dive
- BRKARC-2749 Extending Enterprise Network into Public Cloud with Cisco CSR1000v

7 Agenda
- Introduction to Security in Public Cloud
- NGFWv/FTDv & ASAv in Azure
- Demo (N/S, E/W traffic inspection & Micro segmentation)
- NGFWv/FTDv and ASAv in AWS
- Demo (Stateless Scale-out)
- Conclusion

8 Challenges for IT
- Applications: On-premise or cloud? Build/Buy/Rent?
- Agility: Provision app development
- Risk Mitigation: Security. Compliance. Sovereignty.

9 Cloud Terminology (For your Reference)
Azure:
- Resource Group (RG)
- Virtual Network (VNET)
- Subnet
- User Defined Routes (UDR)
- Load Balancer
- Availability Set
- Azure Resource Manager Template (ARM)
AWS:
- Virtual Private Cloud (VPC)
- Route Table and Subnet
- Elastic Compute Cloud (EC2)
- Elastic Load Balancer (ELB)
- Elastic IP
- Availability Zone (AZ)

10 NGFWv & ASAv Overview

11 Native security in Azure and AWS
- Azure Network Security Group (NSG) and AWS Security Group (SG)
- Similar to an access control list
- Action (Allow or Deny) traffic
- Layer 3/Layer 4 rules
- Control inbound and outbound traffic
Today, security requires critical functions such as stateful packet inspection, application visibility and control, threat-centric protection, URL filtering, advanced malware protection and Virtual Private Network (VPN).

12 Next Generation Firewall (NGFWv) Features (Public Cloud)
- Next Generation Firewall 6.2
- Routed & Passive modes (AWS), ACL, application inspection and S2S VPN
- Comprehensive threat prevention, Layer 7 Application Visibility and Control
- Security intelligence (C&C, botnets, IP, DNS), threat/risk reports
- Networking, Firewalling and NAT
- URL filtering, malware blocking, continuous file analysis, malware network trajectory
- Cisco AMP public and private cloud with Threat Grid integration
- Management Tool: Firepower Management Center (FMC)

13 Firepower Management Center (FMC)
- Next Generation Firewall 6.2
- FMC 1000, 2500, 4500, Virtual Appliance
- FMC is required for managing FTDv/NGFWv
- Virtual FMC can be deployed on ESXi, KVM and in AWS
- Required for configuration, management & checking events
- NGFWv in cloud can be managed by FMC in AWS or FMC on premise (physical or virtual)
- FMC dashboard provides complete visibility

14 Deployment modes: NGFWv and FTDv
- Firepower Threat Defense Virtual on Hypervisors (ESXi and KVM): Routed, Inline, Transparent, Inline Tap, Passive
- Next Generation Firewall Virtual in Public Cloud: Routed (AWS and Azure), Passive (AWS)
- No support for passive mode in Azure because ERSPAN is not supported

15 ASAv Firewall Features (Public Cloud)
- ASA 9.7
- Firewall functionality, NAT, ACL and packet inspection
- VPN capability: LAN-to-LAN, RAVPN (AnyConnect) and Clientless VPN
- REST API for programmed configuration and monitoring
- AAA with Local, RADIUS, TACACS+, and LDAP support
- Route based VPN (VTI)
- Management tools: ASDM, CSM, API or Cisco Defense Orchestrator

16 Orchestrate configuration using Cisco Defense Orchestrator (CDO)
- ASA configuration orchestration
- CDO is licensed per device
- Cloud based solution
- Easy to integrate

17 Performance Numbers

18 NGFWv & ASAv Performance Numbers

AWS
Instance Type      | Throughput | Interface | VPN Endpoints
c3.xlarge          | 1 Gbps     | 2 + 2*    | S2S VPN
c3/c4.large (10)   | 1 Gbps     | 2 + 1*    | 250
c3/c4.xlarge (30)  | 2 Gbps     | 3 + 1*    | 750

Azure
Instance Type            | Throughput | Interface | VPN Endpoints
Standard D3, D3v2        | 1 Gbps     | 2 + 2*    | S2S VPN
Standard D3, D3v2 (10)   | 1 Gbps     | 3 + 1*    | 750

* Management interface

19 NGFWv & ASAv in Azure

20 NGFWv in Azure
- Deploy NGFWv in Routed Mode
- Launch supported instance from Azure Marketplace
- Edge firewall and S2S VPN, AVC, threat-centric protection, URL and AMP capabilities
- North/South & East/West traffic inspection
- Supports Cisco Smart BYOL model
[Table columns: NGFW Platform, Supported Machine Size (Standard D3 & D3v), Number of Interfaces (Subnets), Number of vCPUs, RAM (GB)]

21 ASAv in Azure
- Deploy ASAv in Routed Mode
- Launch supported instance from Azure Marketplace
- Deploy at the edge to provide RA VPN, Site to Site VPN and edge firewall capabilities
- North-South, East-West traffic control capability
- Supports Cisco Smart BYOL model
[Table columns: Platform, Supported Machine Size (Standard D3 & D3v), Number of Interfaces (Subnets), Number of vCPUs, RAM (GB)]

22 Deployment modes

23 NGFWv in Azure: Routed Mode
[Diagram labels: Internal, eth3, eth2, External, Management, Workloads, vnet, On premise FMC]

24 ASAv in Azure: Routed Mode
[Diagram labels: Inside, dmz1, dmz2, Mgmt/Outside, Workloads, vnet]

25 Use Cases (NGFWv & ASAv)

26 Use Cases - Azure
- North/South, East/West Traffic Inspection
- Micro segmentation
- Multiple IP on interface
- VNET peering
- Site to Site VPN and Remote access VPN
- Inter-subnet communication
- Edge Firewall
- Service Chain

27 N/S, E/W traffic filtering & Micro Segmentation
[Diagram: vnet with WEB, APP and DB subnets, the firewall's Internal, External and Management0/0 interfaces, FMC and users. Route tables WEB-RT, APP-RT, DB-RT and INT-RT each list Destination and Next Hop columns.]
- Highlighted routes are required for Micro Segmentation
- Routes on the firewall: WEB, APP and DB via x.x.x.1 (first IP of internal subnet); /0 via y.y.y.1 (first IP of external subnet)

28 N/S, E/W traffic filtering & Micro Segmentation
[Diagram: vnet with WEB, APP and DB subnets, the firewall's Inside, Outside, dmz1, dmz2 and Mgmt0/0 interfaces, and users. Route tables WEB-RT, APP-RT, DB-RT and INT-RT each list Destination and Next Hop columns.]
- Highlighted routes are required for Micro Segmentation
- Routes on the firewall: WEB, APP and DB via x.x.x.1 (first IP of internal subnet); /0 via y.y.y.1 (first IP of external subnet)
- The same-security-traffic permit intra-interface command is required on ASA to enable hairpinning
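The route tables on the two slides above only enforce micro segmentation if every workload subnet's table sends traffic for every other subnet to the firewall. The following added example (not part of the original slides) audits a set of UDRs for paths that bypass the firewall, using Azure's route selection rules (longest prefix match, user-defined route preferred over a system route of the same prefix). All prefixes, table contents and the firewall address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # "VirtualAppliance", "VnetLocal" or "Internet"
    next_hop_ip: str = ""
    user_defined: bool = True   # False for Azure's built-in system routes


def system_routes(vnet_prefixes):
    """System routes every subnet gets: the vnet address space and a default route."""
    routes = [Route(p, "VnetLocal", user_defined=False) for p in vnet_prefixes]
    routes.append(Route("0.0.0.0/0", "Internet", user_defined=False))
    return routes


def effective_route(dest_prefix, udrs, vnet_prefixes):
    """Route used for all of dest_prefix: longest covering prefix, UDR wins a tie."""
    dest = ipaddress.ip_network(dest_prefix)
    covering = [r for r in list(udrs) + system_routes(vnet_prefixes)
                if dest.subnet_of(ipaddress.ip_network(r.prefix))]
    return max(covering,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.user_defined))


def audit(subnets, route_tables, vnet_prefixes, firewall_ip):
    """Return (source, destination, prefix, next hop type) for each bypass path."""
    findings = []
    for src in subnets:
        udrs = route_tables.get(src, [])
        for dst, dst_prefix in subnets.items():
            if dst == src:
                continue
            dst_net = ipaddress.ip_network(dst_prefix)
            # Check the whole destination subnet, plus any UDR that carves a
            # more specific slice out of it (a slice can bypass on its own).
            slices = [dst_prefix] + [
                r.prefix for r in udrs
                if ipaddress.ip_network(r.prefix) != dst_net
                and ipaddress.ip_network(r.prefix).subnet_of(dst_net)
            ]
            for prefix in slices:
                route = effective_route(prefix, udrs, vnet_prefixes)
                inspected = (route.next_hop_type == "VirtualAppliance"
                             and route.next_hop_ip == firewall_ip)
                if not inspected:
                    findings.append((src, dst, prefix, route.next_hop_type))
    return findings


# Constructed sample data (not from the slides).
VNET = ["10.0.0.0/16"]
FIREWALL_IP = "10.0.0.4"   # assumed address of the firewall's internal interface
SUBNETS = {"WEB": "10.0.1.0/24", "APP": "10.0.2.0/24", "DB": "10.0.3.0/24"}


def via_fw(prefix):
    return Route(prefix, "VirtualAppliance", FIREWALL_IP)


ROUTE_TABLES = {
    # WEB-RT: both other tiers go through the firewall.
    "WEB": [via_fw("10.0.2.0/24"), via_fw("10.0.3.0/24")],
    # APP-RT: the DB route is missing, so the system route delivers it directly.
    "APP": [via_fw("10.0.1.0/24")],
    # DB-RT: a vnet-wide route to the firewall, undone for half of WEB by a /25.
    "DB": [via_fw("10.0.0.0/16"), Route("10.0.1.128/25", "VnetLocal")],
}

if __name__ == "__main__":
    for src, dst, prefix, hop in audit(SUBNETS, ROUTE_TABLES, VNET, FIREWALL_IP):
        print(f"BYPASS {src} -> {dst} ({prefix}) next hop {hop}")
```

The audit covers inter-subnet paths only; traffic between hosts in the same subnet is outside what these route tables are checked for here.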

29 NGFWv/ASAv: Multiple IPs on Interface
[Diagram: NAT on firewall (Real IP to Mapped IP) and translation on Azure NAT Gateway; WEB-RT with Destination (APP, DB) and Next Hop (internal) columns; Internal /24 and External /24 subnets; WEB; vnet]

30 NAT configuration example
The above NAT configuration is an example of one-to-one translation; you still need an access control policy to allow traffic.

31 interconnect VNETs (Site to Site VPN tunnel)
[Diagram: two vnets, each with Internal and External subnets, joined by a site-to-site VPN tunnel between the External sides; FMC. Internal-RT in each vnet: destination vnet2..vnetn, next hop (internal). External-RT in each vnet: destination /0, next hop x.x.x.1 (external subnet).]

32 interconnect VNETs (Site to Site VPN tunnel)
[Diagram: two vnets, each with Inside, Outside, dmz1 and dmz2, joined by a site-to-site VPN tunnel between the Outside sides. Internal-RT in each vnet: destination vnet2..vnetn, next hop (internal). External-RT in each vnet: destination /0, next hop x.x.x.1 (external subnet).]

33 Site to Site VPN
[Diagram: vnet with Internal, External and Management0/0, FMC, and a site-to-site VPN tunnel to the NGFW in the Corporate Data Centre. Internal-RT: destination Corporate DC, next hop (internal).]
Use case:
- Network Address Translation (NAT)
- Site to Site Tunnel
- Access Control Policy, IPS Policy and AMP policy
- Networking, Firewalling and AVC

34 Inter Subnet and Edge Firewall
[Diagram: vnet with WEB and DB subnets, users, and route tables DB-RT and WEB-RT with Destination and Next Hop columns]
Use case:
- Network Address Translation (NAT)
- Access Control Policy, IPS Policy and AMP policy
- Networking, Firewalling and AVC

35 Cisco Edge Firewall, RA VPN & Site to Site VPN
[Diagram: ASA in a vnet with Inside, Outside, dmz1 and dmz2, Workloads, RA VPN users on Remote Access VPN, and a site-to-site VPN tunnel to the Corporate Data Centre. Internal-RT and the dmz1/dmz2 RT: destinations Corporate DC and RA VPN Pool, next hop (internal).]

36 Inter Subnet and Service Chain
[Diagram labels: Inside, Outside, dmz1, dmz2, Workloads, CSRv, Other Security Services, DMVPN, ASR, Corporate Data Centre, vnet]

37 HA in Azure

38 HA in Azure Overview
- Integrated solution: no external scripts or agents
- Stateless switchover: connections must be initiated
- Fast switchover: from detection to recovery in seconds
- Management: ASAvs are managed separately (configuration, control, monitoring). No config sync between active and backup.
- HA in Azure is coming out in July

39 ARM Template Deployment (NGFWv and ASAv)

40 Deploy NGFWv/ASAv using ARM template
- Add NGFWv/ASAv to an existing resource group
- Publish template to customers, partners and vendors
- Deploy firewall with additional parameters (example: Availability Set)
- Multiple device deployment
- An ARM template is a .json script

41 Pre-requisites for template deployment
The following should be created before initiating firewall deployment using an ARM template:
- Resource Group
- Availability Set
- VNET
- Subnets
- Storage Account
- No conflicting resource name
ARM Template:
ARM Template:

42 Stateless scale-out design (NGFWv & ASAv)

43 Scale out design
[Diagram: users reach the Azure External Load Balancer (Public IP), which spreads incoming traffic across firewalls in an Availability Set (mgmt, Inside, dmz1, dmz2); the firewalls forward to the Azure Internal Load Balancer in the vnet; incoming and return traffic paths are shown.]
NAT on each firewall: Source is translated to the Egress Interface; Destination is translated to the Internal Load Balancer address.

44 ASA NAT configuration example (For your Reference)

    object service obj-http
     service tcp destination eq www
    object network obj
     host
    object network obj
     host
    object service obj-8080
     service tcp destination eq 8080
    nat (management,inside) source dynamic any interface destination static interface obj service obj-http obj-http
    nat (management,inside) source dynamic any interface destination static interface obj service obj-8080 obj

45 Scale out design
[Diagram: users reach the Azure External Load Balancer (Public IP), which spreads incoming traffic across firewalls in an Availability Set (mgmt, Inside, dmz1, dmz2); the firewalls forward to the Azure Internal Load Balancer in the vnet; incoming and return traffic paths are shown.]
NAT on each firewall: Source is translated to the Egress Interface; Destination is translated to the Internal Load Balancer address.
A PowerShell script is required to send traffic to the eth2 interface.

46 Scale out design (Contd.)
PowerShell script to change the behavior of the Azure Load Balancer:

    # Sign in and select the subscription
    Login-AzureRmAccount
    Select-AzureRmSubscription -SubscriptionId "xxxxxxx"
    $RG = Get-AzureRmResourceGroup -Name "answami-ngfw" -Location "westcentralus"
    # Fetch the load balancer and its backend address pool
    $NRPLB = Get-AzureRmLoadBalancer -ResourceGroupName "answami-ngfw" -Name "answami-ngfwelb"
    $beaddresspool = Get-AzureRmLoadBalancerBackendAddressPoolConfig -Name "ngfwpool" -LoadBalancer $NRPLB
    # Attach nic2 of the first firewall to the backend pool
    $nic1 = Get-AzureRmNetworkInterface -Name "answami-ngfw001-nic2" -ResourceGroupName "answami-ngfw"
    $nic1.IpConfigurations[0].LoadBalancerBackendAddressPools = $beaddresspool
    Set-AzureRmNetworkInterface -NetworkInterface $nic1
    # Attach nic2 of the second firewall to the backend pool
    $nic2 = Get-AzureRmNetworkInterface -Name "answami-ngfw002-nic2" -ResourceGroupName "answami-ngfw"
    $nic2.IpConfigurations[0].LoadBalancerBackendAddressPools = $beaddresspool
    Set-AzureRmNetworkInterface -NetworkInterface $nic2
    # Save the load balancer configuration
    $NRPLB | Set-AzureRmLoadBalancer

47 Demo N/S, E/W traffic inspection & Micro Segmentation in Azure

48 N/S, E/W traffic filtering & Micro Segmentation
[Diagram: demo vnet with WEB, APP and DB subnets, Internal /24 and External /24 subnets, Management0/0, FMC and users. Route tables WEB-RT, APP-RT, DB-RT and INT-RT each list Destination and Next Hop columns; a table lists the IP address of the Internal and external interfaces.]
- Highlighted routes are required for Micro Segmentation
- Routes on the firewall: WEB, APP and DB via the first IP of the internal subnet; the default route via the first IP of the external subnet

49 NGFWv & ASAv in Amazon Web Services (AWS)

50 NGFWv in AWS
- Deploy NGFWv & FMCv in AWS
- NGFWv and FMCv AMI are available in AWS Marketplace
- NGFWv supports Routed & Passive Mode
- Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities
- Cisco Smart BYOL, hourly and annual model
[Table columns: Instance Type, Interfaces, Number of vCPUs, RAM (GB). Rows: FMCv & NGFWv on c3.xlarge with 2 + 2* interfaces; FMCv on c3.2xlarge.]
* Management interface

51 ASAv in AWS
- Deploy ASAv in AWS in Routed Mode
- Deploy at the edge to provide RA VPN, Site to Site VPN & edge firewall capabilities
- East/West traffic control capability
- Cisco Smart BYOL, hourly and annual model
[Table columns: Platform, Supported Instance Types, Number of Interfaces (Subnets), Number of vCPUs, RAM (GB). Rows: c3.large/c4.large with 2+1* interfaces; c3.xlarge/c4.xlarge with 3+1* interfaces.]
* Management interface can be used as a data interface

52 Deployment modes

53 NGFWv in AWS: Routed Mode
[Diagram labels: Internal, External, Management, Workloads, EC2, AWS Gateway, Firepower Management Center*]
* Firepower Management can be on premise or in AWS

54 NGFWv in AWS: Passive Mode
[Diagram labels: Internal, External, Management, Workloads, EC2, CSRv, ERSPAN, AWS Gateway, Firepower Management Center*]
* Firepower Management can be on premise or in AWS

55 ASAv in AWS: Routed Mode
[Diagram labels: Inside, dmz1, dmz2, Mgmt/Outside, EC2, AWS Gateway]

56 Use Cases (AWS)

57 Use Cases - AWS
- Secure Transit VPC
- Multiple IP on interface
- VPC peering
- Edge firewall and Site to Site VPN
- Inter-subnet communication
- Remote access VPN
- ASA Virtual Tunnel Interface (Route Based VPN)

58 Secure Transit VPC
[Diagram: spoke VPC A and VPC B connected to a Transit VPC with a CSRv in each of AZ1 and AZ2, with route tables (RT)]
* Only one IGW; two IGWs are drawn for a better diagram.

59 Control plane connectivity (Transit VPC)
[Diagram: Transit VPC across AZ1 and AZ2 with IGW, FMCv, CSR1 and CSR2 (Csr1-ngfwv, Csr2-ngfwv), and -IN and -OUT subnets; route tables MGMT RT, CSR1 RT, IN and OUT each list Subnet and Next Hop columns.]
- Add specific routes; no default routes because it will be learned from the BGP session
- .4 can reach out to 5.5 and 6.6 through IN (4.4)
- Traffic to get out from the -OUT interface
* Only one IGW; two IGWs are drawn for a better diagram.

60 Data Plane connectivity (Transit VPC)
[Diagram: Transit VPC across AZ1 and AZ2 with IGW, FMCv, CSR1 (Active) and CSR2 (Standby), Csr1-ngfwv and Csr2-ngfwv, and -IN and -OUT subnets; route tables MGMT RT, IN RT and OUT each list Subnet and Next Hop columns, including a Spoke-CIDR entry.]
- For return traffic to the spoke VPC to be redirected to the active CSR
- For internet traffic from the spoke VPC to be redirected to the IGW
* Only one IGW; two IGWs are drawn for a better diagram.

61 Packet flow: to Spoke
[Diagram: Spoke-A and the Transit VPC across AZ1 and AZ2 with IGW, FMCv, CSR1 (Active) and CSR2 (Standby), Csr1-ngfwv and Csr2-ngfwv, and -IN and -OUT subnets; route tables MGMT RT, IN RT and OUT each list Subnet and Next Hop columns, including a Spoke-CIDR entry.]
- For return traffic to the spoke VPC to be redirected to the active CSR
- For internet traffic from the spoke VPC to be redirected to
* Only one IGW; two IGWs are drawn for a better diagram.

62 Packet flow: spoke to
[Diagram: Spoke-A (Subnet-1, Subnet-2) and the Transit VPC across AZ1 and AZ2 with IGW, FMCv, CSR1 (Active) and CSR2 (Standby), Csr1-ngfwv and Csr2-ngfwv, and -IN and -OUT subnets; route tables MGMT RT, IN RT and OUT each list Subnet and Next Hop columns, including a Spoke-CIDR entry.]
- For return traffic to the spoke VPC to be redirected to the active CSR
- For internet traffic from the spoke VPC to be redirected to the IGW
* Only one IGW; two IGWs are drawn for a better diagram.

63 NGFWv/ASAv in AWS: Multiple IPs
[Diagram labels: inside, outside, EC2 instances, Users]

64 in AWS: Inter VPC
[Diagram labels: inside, outside, Site to Site VPN Tunnel, outside, EC2 instances, FMC]

65 in AWS: Interconnect VPCs (Site to Site VPN) (For your Reference)
[Diagram labels: inside, outside, Site to Site VPN Tunnel, outside, EC2 instances]

66 in AWS: Edge Firewall & Site to Site VPN
[Diagram labels: inside, outside, Management, Traffic, Site to Site VPN Tunnel, Corporate DC (site-to-site VPN, NGFW), EC2 instances, FMC, Users]

67 in AWS: RA VPN, Site 2 Site VPN, Edge Firewall and inter-subnet
[Diagram labels: Inside, outside, dmz1, dmz2, EC2 instances, Site to Site VPN Tunnel, Remote Access VPN, RA VPN Users, Corporate DC (site-to-site VPN, NGFW, ASA)]

68 ASA in AWS: VTI (Route Based VPN)
[Diagram: ASA/NGFW in the Corporate DC connected by a site-to-site VPN tunnel to an AWS VPN Connection; Inside; EC2 instances]
- ASA should have version running
- Route based VPN requires BGP
Steps to configure route-based VPN:
1. Create Customer Gateway (Dynamic for route based VPN)
2. Create Virtual Private Gateway
3. Attach Virtual Private Gateway to VPC
4. Create VPN connection
5. Enable route propagation in AWS route table to learn routes
6. Download configuration

69 ASA VTI Configuration Steps
Step 1: Click VPC from AWS services
Step 2: Click VPC from AWS services

70 ASA VTI Configuration Steps
Step 3: Click Customer Gateway
Step 4: Create Customer Gateway
Step 5: Yes, Create
- Name Tag: Enter name
- Routing: Dynamic
- IP address: Public address of your on premise ASA
- BGP ASN: Required for route based VPN

71 ASA VTI Configuration Steps (contd.)
Step 6: Click VPN Gateway
Step 7: Enter name for VPN Gateway
Step 8: Yes, Create
- Name Tag: Enter name

72 ASA VTI Configuration Steps (contd.)
Step 9: Attach to VPC
Step 10: Select VPC from drop down
Step 11: Yes, Attach
This process can take a few minutes.

73 ASA VTI Configuration Steps (contd.)
Step 12: Click VPN connections
Step 13: Create VPN connection
Step 14: Select proper customer gateway, VPN Gateway and routing option Dynamic
Step 15: Yes, Create
Dynamic routing is required for route based VPN.

74 ASA VTI Configuration Steps (contd.)
Step 17: Enable route propagation in AWS route table

75 ASA VTI Configuration Steps (contd.)
Step 17: Download the suggested configuration. Choose the values below in order to generate a configuration that is a VTI style configuration.
- Vendor: Cisco
- Platform: ISR Series Router
- Software: IOS

76 ASA VTI Configuration Steps (contd.) (For your Reference)
After downloading the configuration, some conversion is required.

77 ASA VTI Configuration Steps (contd.) (For your Reference)

78 ASA VTI Configuration Steps (contd.) (For your Reference)

79 ASA VTI Configuration Steps (contd.) (For your Reference)
The final step is to add the converted configuration on the ASA (on premise).

80 Stateless Scale-Out Design (AWS)

81 Load Balancing across Availability Zones
[Diagram: users reach an ELB through the IGW; AZ1 contains Subnet-1a, Subnet-2a and Subnet-3a; the second AZ contains Subnet-1b, Subnet-2b and Subnet-3b]

82 NAT configuration (For your Reference)

asaaz1:

    object service obj-http
     service tcp destination eq www
    object network obj
     host
    nat (management,inside) source dynamic any interface destination static interface obj service obj-http obj-http

asaaz2:

    object service obj-http
     service tcp destination eq www
    object network obj
     host
    nat (management,inside) source dynamic any interface destination static interface obj service obj-http obj-http

83 Demo stateless scale-out design & load balance traffic across Availability Zone in AWS

84 Stateless scale-out design & load balance traffic across Availability Zone
[Diagram: users reach the ELB through the AWS IGW; the ELB spreads traffic across asaaz1 (us-west-2a, in front of lnx-az1) and asaaz2 (us-west-2b, in front of lnx-az2)]

85 NAT configuration (For your Reference)

asaaz1:

    object service obj-http
     service tcp destination eq www
    object network obj
     host
    nat (management,inside) source dynamic any interface destination static interface obj service obj-http obj-http

asaaz2:

    object service obj-http
     service tcp destination eq www
    object network obj
     host
    nat (management,inside) source dynamic any interface destination static interface obj service obj-http obj-http

86 Licensing & Marketplace Listings

87 Azure and AWS licensing
- Azure: Cisco Smart License (BYOL), bring your own license
- AWS: Cisco Smart License (BYOL), bring your own license; hourly & annual usage model
- Licenses are managed by Firepower Management Center
- BASE License (Networking, Firewalling, AVC)
- Term Based Licenses* (Threat, URL Filtering, AMP)
[Diagram: Cisco Smart Software Manager workflow with the labels 1 Place Order, 2 Activate and Use Software, 3 Cisco Smart Software Manager, Entitlement, Distribution]
* Term is 1yr, 3yr & 5 year

88 Azure and AWS licensing
- Azure: Cisco Smart License (BYOL)
- AWS: Cisco Smart License (BYOL), bring your own license; hourly & annual usage model
- Standard License (Firewalling & Throughput)
- VPN License (AnyConnect & IPsec)
[Diagram: Cisco Smart Software Manager workflow with the labels 1 Place Order, 2 Activate and Use Software, Entitlement, Distribution]

89 NGFWv and ASAv Marketplace Listings
[Tables with Product and Marketplace listing columns. AWS Marketplace listing entries: BYOL; Hourly & Annual; FMCv BYOL; BYOL, Hourly & Annual. Azure Marketplace listing entries: BYOL; BYOL.]

90 Summary
- Available in AWS and Azure
- Flexible licensing (BYOL + Hourly + Annual)
- Feature Parity
- Template deployment for NGFWv and ASAv in Azure
- Leverage existing management/monitoring tools and operational resources
- Stateless Scale-Out design
- High Availability in Azure for ASAv, releasing in July 2017
- REST API support for orchestration and automation
- Integration with Cisco Defense Orchestrator for configuration orchestration

91 Demo Videos (For your Reference)
- Demo1: North-South, East-West traffic inspection and micro segmentation
- Demo2: Scale-Out in AWS

92 YouTube Channel
Public Cloud Playlist:

93 in cloud (Videos) (For your Reference)
- Cisco deployment in AWS and block malware (Part 1, 2 and 3)
- Cisco deployment in Azure
- Cisco Firepower in Azure: Protect vnet workloads N/S and E/W
- Cisco micro-segmentation use case in Azure

94 in cloud (Videos) (For your Reference)
- Cisco deployment in AWS
- Cisco deployment in Azure
- Cisco template deployment
- Cisco scale out design in AWS
- Cisco scale out design in Azure

95 Reference Links (For your Reference)
- Cisco licensing (BYOL)
- Cisco licensing (BYOL)
- ARM Template
- ARM Template


More information

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN BRKCRS-2113 Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN Sumanth Kakaraparthi Product Leader SD-WAN Manan Shah Director Of Product Management Cisco Spark How Questions? Use Cisco Spark

More information

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud The Barracuda NG Firewall can run as a virtual appliance in the Amazon cloud as a gateway device for Amazon EC2 instances in an

More information

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339 Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339 Agenda Introduction to Lab Exercises Platforms and Solutions ASA with

More information

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS Cisco CSR1000V Overview The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based

More information

MyIGW Main. Oregon. MyVPC /16. MySecurityGroup / us-west-2b. Type Port Source SSH /0 HTTP

MyIGW Main. Oregon. MyVPC /16. MySecurityGroup / us-west-2b. Type Port Source SSH /0 HTTP MyIGW Main Oregon MyVPC 10.0.0.0/16 10.0.1.0/24 10.0.1.0 -- us-west-2a MySecurityGroup 10.0.2.0/24 10.0.2.0 -- us-west-2b MyWebServer1 MyDBServer DMZ MyInternetRouteTable 0.0.0.0/0 IGW Type Port Source

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

Transit VPC Deployment Using AWS CloudFormation Templates. White Paper

Transit VPC Deployment Using AWS CloudFormation Templates. White Paper Transit VPC Deployment Using AWS CloudFormation Templates White Paper Introduction Amazon Web Services(AWS) customers with globally distributed networks commonly need to securely exchange data between

More information

Amazon Virtual Private Cloud Deep Dive

Amazon Virtual Private Cloud Deep Dive Amazon Virtual Private Cloud Deep Dive Randall Hunt Developer Evangelist, AWS 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved Related Presentations Videos online https://www.youtube.com/user/amazonwebservices

More information

Cisco Firepower NGIPS Tuning and Best Practices

Cisco Firepower NGIPS Tuning and Best Practices Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the

More information

Cisco Firepower Thread Defence. Claudiu Boar

Cisco Firepower Thread Defence. Claudiu Boar Cisco Firepower Thread Defence Claudiu Boar Security everywhere Stop threats at the edge Control who gets onto your network Find and contain problems fast Protect users wherever they work Simplify network

More information

Overview. AWS networking services including: VPC Extend your network into a virtual private cloud. EIP Elastic IP

Overview. AWS networking services including: VPC Extend your network into a virtual private cloud. EIP Elastic IP Networking in AWS 2017 Amazon Web Services, Inc. and its affiliates. All rights served. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon Web Services,

More information

Transit Network VPC. AWS Reference Deployment Guide. Last updated: May 10, Aviatrix Systems, Inc. 411 High Street Palo Alto, CA USA

Transit Network VPC. AWS Reference Deployment Guide. Last updated: May 10, Aviatrix Systems, Inc. 411 High Street Palo Alto, CA USA Transit Network VPC AWS Reference Deployment Guide Last updated: May 10, 2017 Aviatrix Systems, Inc. 411 High Street Palo Alto, CA 94301 USA http://www.aviatrix.com Tel: +1 844.262.3100 TABLE OF CONTENTS

More information

Silver Peak EC-V and Microsoft Azure Deployment Guide

Silver Peak EC-V and Microsoft Azure Deployment Guide Silver Peak EC-V and Microsoft Azure Deployment Guide How to deploy an EC-V in Microsoft Azure 201422-001 Rev. A September 2018 2 Table of Contents Table of Contents 3 Copyright and Trademarks 5 Support

More information

Intuit Application Centric ACI Deployment Case Study

Intuit Application Centric ACI Deployment Case Study Intuit Application Centric ACI Deployment Case Study Joon Cho, Principal Network Engineer, Intuit Lawrence Zhu, Solutions Architect, Cisco Agenda Introduction Architecture / Principle Design Rollout Key

More information

Threat Centric Network Security

Threat Centric Network Security BRKSEC-2056 Threat Centric Network Security Ted Bedwell, Principal Engineer Network Threat Defence Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this

More information

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco PSOACI-4592 Why ACI: An overview and a customer (BBVA) perspective TJ Bijlsma César Martinez Joaquin Crespo Technology Officer DC EMEAR Cisco Lead Architect BBVA Lead Architect BBVA Cisco Spark How Questions?

More information

Extending Enterprise Security to Multicloud and Public Cloud

Extending Enterprise Security to Multicloud and Public Cloud Extending Enterprise Security to Multicloud and Public Cloud Paul Kofoid Sr. Consulting Engineer: Security & Cloud This statement of direction sets forth Juniper Networks current intention and is subject

More information

Layer 4 to Layer 7 Design

Layer 4 to Layer 7 Design Service Graphs and Layer 4 to Layer 7 Services Integration, page 1 Firewall Service Graphs, page 5 Service Node Failover, page 10 Service Graphs with Multiple Consumers and Providers, page 12 Reusing a

More information

Exam : Implementing Microsoft Azure Infrastructure Solutions

Exam : Implementing Microsoft Azure Infrastructure Solutions Exam 70-533: Implementing Microsoft Azure Infrastructure Solutions Objective Domain Note: This document shows tracked changes that are effective as of January 18, 2018. Design and Implement Azure App Service

More information

Cloud Security Best Practices

Cloud Security Best Practices Cloud Security Best Practices Cohesive Networks - your applications secured Our family of security and connectivity solutions, VNS3, protects cloud-based applications from exploitation by hackers, criminal

More information

AWS Networking Fundamentals

AWS Networking Fundamentals AWS Networking Fundamentals Tom Adamski Specialist Solutions Architect, AWS Traditional Network WAN VPN VPN Fiber Applications Applications AWS Network VPN WAN (AWS Direct Connect) VPN Fiber Applications

More information

Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite BRKPCA-2040

Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite BRKPCA-2040 Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite Roxana Diaz TSA, CCIE BRKPCA-2040 @roxadiaz2 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid

More information

CloudEdge SG6000-VM Installation Guide

CloudEdge SG6000-VM Installation Guide Hillstone Networks, Inc. CloudEdge SG6000-VM Installation Guide Version 5.5R1 Copyright 2015Hillstone Networks, Inc.. All rights reserved. Information in this document is subject to change without notice.

More information

Cisco UCS Director and ACI Advanced Deployment Lab

Cisco UCS Director and ACI Advanced Deployment Lab Cisco UCS Director and ACI Advanced Deployment Lab Michael Zimmerman, TME Vishal Mehta, TME Agenda Introduction Cisco UCS Director ACI Integration and Key Concepts Cisco UCS Director Application Container

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme LHC2103BU NSX and VMware Cloud on AWS: Deep Dive Ray Budavari, Senior Staff Technical Product Manager NSX @rbudavari #VMworld #LHC2103BU Disclaimer This presentation may contain product features that are

More information

Extending Enterprise Network into Public Cloud with Cisco CSR1000v

Extending Enterprise Network into Public Cloud with Cisco CSR1000v Extending Enterprise Network into Public Cloud with Cisco CSR1000v Fan Yang, Technical Marketing Engineer Tony Banuelos, Product Manager BRKARC-2749 Cisco Spark How Questions? Use Cisco Spark to chat with

More information

Next-Generation Security Platform on Azure Reference Architecture

Next-Generation Security Platform on Azure Reference Architecture t n e g i l l e nt i ES UR T C E T I ARCH Next-Generation Security Platform on Azure Reference Architecture Release 2 February 2018 Contents. Introduction................................................

More information

SAM 8.0 SP2 Deployment at AWS. Version 1.0

SAM 8.0 SP2 Deployment at AWS. Version 1.0 SAM 8.0 SP2 Deployment at AWS Version 1.0 Publication Date July 2011 Copyright 2011 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and

More information

VM-SERIES ON GOOGLE CLOUD DEPLOYMENT GUIDELINES

VM-SERIES ON GOOGLE CLOUD DEPLOYMENT GUIDELINES SERIES ON GOOGLE CLOUD DEPLOYMENT GUIDELINES Organizations are adopting Google Cloud Platform to take advantage of the same technologies that drive common Google services. Many business initiatives, such

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme LHC2384BU VMware Cloud on AWS A Technical Deep Dive Ray Budavari @rbudavari Frank Denneman - @frankdenneman #VMworld #LHC2384BU Disclaimer This presentation may contain product features that are currently

More information

25 Best Practice Tips for architecting Amazon VPC

25 Best Practice Tips for architecting Amazon VPC 25 Best Practice Tips for architecting Amazon VPC 25 Best Practice Tips for architecting Amazon VPC Amazon VPC is one of the most important feature introduced by AWS. We have been using AWS from 2008 and

More information

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats Digital Transformation on a Massive Scale 15B Devices Today Attack Surface 500B Devices In 2030 Threat Actors $19T Opportunity Next 10 Years

More information

Introducing AWS Transit Gateway

Introducing AWS Transit Gateway Introducing AWS Transit Gateway Nick Matthews Principal Solutions Architect AWS @nickpowpow Mohamed Hassan Senior Product Manager EC2 Networking, AWS @mohnader What is Transit Gateway? Introducing AWS

More information

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC Building a Modular and Scalable Virtual Network Architecture with Amazon VPC Quick Start Reference Deployment Santiago Cardenas Solutions Architect, AWS Quick Start Reference Team August 2016 (revisions)

More information

Multicloud Networking: An Overview. Shannon McFarland CCIE #5245 Distinguished

Multicloud Networking: An Overview. Shannon McFarland CCIE #5245 Distinguished Multicloud Networking: An Overview Shannon McFarland CCIE #5245 Distinguished Engineer @eyepv6 Agenda Hybrid Cloud Networking vs Multicloud Networking - A Level Set Extending on-premises private cloud

More information

PSOACI Tetration Overview. Mike Herbert

PSOACI Tetration Overview. Mike Herbert Tetration Overview Mike Herbert Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion

More information

CloudCenter for Developers

CloudCenter for Developers DEVNET-1198 CloudCenter for Developers Conor Murphy, Systems Engineer Data Centre Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

Deploying Transit VPC for Amazon Web Services

Deploying Transit VPC for Amazon Web Services This section contains the following topics: How to Deploy Transit VPC for DMVPN, page 1 How to Deploy Transit VPC for DMVPN Information About Deploying Transit VPC This is a summary about the deploying

More information

CloudEdge Deployment Guide

CloudEdge Deployment Guide Hillstone Networks, Inc. CloudEdge Deployment Guide Version 5.5R3P1 Copyright 2016Hillstone Networks, Inc.. All rights reserved. Information in this document is subject to change without notice. The software

More information

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC)

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC) Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC) Dedi Shindler - Sr. Manager Product Management Cloud System Management Technology Group Cisco Agenda Trends Influencing

More information

Service Graph Design with Cisco Application Centric Infrastructure

Service Graph Design with Cisco Application Centric Infrastructure White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...

More information

Cloud-Managed Security for Distributed Networks with Cisco Meraki MX

Cloud-Managed Security for Distributed Networks with Cisco Meraki MX Cloud-Managed Security for Distributed Networks with Cisco Meraki MX Joe Aronow, Product Architect Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this

More information

Pexip Infinity and Amazon Web Services Deployment Guide

Pexip Infinity and Amazon Web Services Deployment Guide Pexip Infinity and Amazon Web Services Deployment Guide Contents Introduction 1 Deployment guidelines 2 Configuring AWS security groups 4 Deploying a Management Node in AWS 6 Deploying a Conferencing Node

More information

Intercloud Fabric. Session ID 18PT. Michael Petersen, CCIE #39836 Systems Engineer, Cisco Danmark

Intercloud Fabric. Session ID 18PT. Michael Petersen, CCIE #39836 Systems Engineer, Cisco Danmark Fabric Session ID 18PT Michael Petersen, CCIE #39836 Systems Engineer, Cisco Danmark Agenda Why Hybrid? What are the Challenges? and Cisco Fabric Solution and Architecture Overview Cisco ONE Summary, Q&A

More information

Creating Your Virtual Data Center

Creating Your Virtual Data Center Creating Your Virtual Data Center VPC Fundamentals and Connectivity Options Giulio Soro, Sr. Solutions Architect AWS Antonio Sglavo, Head of Data Center Transformation - ENEL AWS Summit, 2016 2016, Amazon

More information

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment BRKPAR-2488 AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment Edy Almer How to Secure and Automate Your Heterogeneous Cisco Environment Yogesh Kaushik, Senior Director Cisco Doug

More information

Deploying the Cisco CSR 1000v on Amazon Web Services

Deploying the Cisco CSR 1000v on Amazon Web Services Deploying the Cisco CSR 1000v on Amazon Web Services This section contains the following topics: Prerequisites, page 1 Information About Launching Cisco CSR 1000v on AWS, page 1 Launching the Cisco CSR

More information

Configuring High Availability

Configuring High Availability This section contains the following topics: Information about High Availability, on page 1 Error Messages for Amazon Web Services High Availability, on page 3 How to Configure High Availability, on page

More information

Virtual Private Cloud. User Guide. Issue 03 Date

Virtual Private Cloud. User Guide. Issue 03 Date Issue 03 Date 2016-10-19 Change History Change History Release Date What's New 2016-10-19 This issue is the third official release. Modified the following content: Help Center URL 2016-07-15 This issue

More information

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014 Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014 Karthik Krishnan Page 1 of 20 Table of Contents Table of Contents... 2 Abstract... 3 What

More information

Cloud, SDN and BIGIQ. Philippe Bogaerts Senior Field Systems Engineer

Cloud, SDN and BIGIQ. Philippe Bogaerts Senior Field Systems Engineer Cloud, SDN and BIGIQ Philippe Bogaerts Senior Field Systems Engineer Virtual Editions TMOS/LTM 12.0 Highlights 1 NIC support Azure Marketplace Kernel Independent driver Enhanced Hypervisor support F5 Networks,

More information

Disclaimer CONFIDENTIAL 2

Disclaimer CONFIDENTIAL 2 Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally

More information

Amazon AWS-Solutions-Architect-Professional Exam

Amazon AWS-Solutions-Architect-Professional Exam Volume: 392 Questions Question: 1 By default, Amazon Cognito maintains the last-written version of the data. You can override this behavior and resolve data conflicts programmatically. In addition, push

More information

1V0-642.exam.30q.

1V0-642.exam.30q. 1V0-642.exam.30q Number: 1V0-642 Passing Score: 800 Time Limit: 120 min 1V0-642 VMware Certified Associate 6 Network Visualization Fundamentals Exam Exam A QUESTION 1 Which is NOT a benefit of virtualized

More information

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture Date: 2017-03-29 Version: 1.0 Copyright IBM Corporation 2017 Page 1 of 16 Table of Contents 1 Introduction... 4 1.1 About

More information

Cisco Security Enterprise License Agreement

Cisco Security Enterprise License Agreement Cisco Security Enterprise License Agreement Deploy Software and Technology more easily The Cisco Security Enterprise Licensing Agreement (ELA) gives you a simpler way to manage your licenses. And it saves

More information

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services Deploy and Secure an Internet Facing Application with the in Amazon Web In this lab, you will deploy an unsecure web application into Amazon Web (AWS), and then secure the application using the. To create

More information

Networking in AWS. Carl Simpson Technical Architect, Zen Internet Limited

Networking in AWS. Carl Simpson Technical Architect, Zen Internet Limited Networking in AWS Carl Simpson Technical Architect, Zen Internet Limited carl.simpson@zeninternet.co.uk About Me: About Me: Technical Architect Cloud & Hosting @ Zen Internet Limited About Me: Technical

More information

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS Security Without Compromise CONTENTS INTRODUCTION 1 SECTION 1: STRETCHING BEYOND STATIC SECURITY 2 SECTION 2: NEW DEFENSES FOR CLOUD ENVIRONMENTS 5 SECTION

More information

Configuring AWS for Zerto Virtual Replication

Configuring AWS for Zerto Virtual Replication Configuring AWS for Zerto Virtual Replication VERSION 1 MARCH 2018 Table of Contents 1. Prerequisites... 2 1.1. AWS Prerequisites... 2 1.2. Additional AWS Resources... 3 2. AWS Workflow... 3 3. Setting

More information

Azure Compute. Azure Virtual Machines

Azure Compute. Azure Virtual Machines Azure Compute Azure Virtual Machines Virtual Machines Getting started Select image and VM size New disk persisted in storage Management portal Windows Server Boot VM from new disk >_ Scripting (Windows,

More information

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme SAI2803BU The Road to Micro- Segmentation with VMware NSX #VMworld #SAI2803BU Disclaimer This presentation may contain product features that are currently under development. This overview of new technology

More information

Migrating Applications with CloudCenter

Migrating Applications with CloudCenter Migrating Applications with CloudCenter Tuan Nguyen, Technical Marketing Engineer, Insieme BU DEVNET-1179 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this

More information

Zero Trust Security with Software-Defined Secure Networks

Zero Trust Security with Software-Defined Secure Networks Zero Trust Security with Software-Defined Secure Networks Srinivas Nimmagadda and Pradeep Nair Juniper Networks This statement of direction sets forth Juniper Networks current intention and is subject

More information

TRex Realistic Traffic Generator

TRex Realistic Traffic Generator DEVNET-1120 TRex Realistic Traffic Generator Hanoch Haim, Principal Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco

More information

HySecure Quick Start Guide. HySecure 5.0

HySecure Quick Start Guide. HySecure 5.0 HySecure Quick Start Guide HySecure 5.0 Last Updated: 25 May 2017 2012-2017 Propalms Technologies Private Limited. All rights reserved. The information contained in this document represents the current

More information

Hybrid Clouds: Integrating the Enterprise Data Center and the Public Cloud

Hybrid Clouds: Integrating the Enterprise Data Center and the Public Cloud Hybrid Clouds: Integrating the Enterprise Data Center and the Public Cloud Usha Ramachandran, Technical Marketing Engineer Session Abstract In this session, participants will learn how to create hybrid

More information

25 Best Practice Tips for architecting Amazon VPC. 25 Best Practice Tips for architecting Amazon VPC. Harish Ganesan- CTO- 8KMiles

25 Best Practice Tips for architecting Amazon VPC. 25 Best Practice Tips for architecting Amazon VPC. Harish Ganesan- CTO- 8KMiles 25 Best Practice Tips for architecting Amazon VPC 25 Best Practice Tips for architecting Amazon VPC Amazon VPC is one of the most important feature introduced by AWS. We have been using AWS from 2008 and

More information

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer 21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal By Adeyemi Ademola E. Cloud Engineer 1 Contents Introduction... 5 1.2 Document Purpose and Scope...5 Service Definition...

More information

Compute - 36 PCPUs (72 vcpus) - Intel Xeon E5 2686 v4 (Broadwell) - 512GB RAM - 8 x 2TB NVMe local SSD - Dedicated Host vsphere Features - vsphere HA - vmotion - DRS - Elastic DRS Storage - ESXi boot-from-ebs

More information

Resilient WAN and Security for Distributed Networks with Cisco Meraki MX

Resilient WAN and Security for Distributed Networks with Cisco Meraki MX Resilient WAN and Security for Distributed Networks with Cisco Meraki MX Daghan Altas, Director of Product Management BRKSEC-2900 Agenda Problem Cisco CNG Live network creation demo (45m) Product Brief

More information

Building a Big IaaS Cloud. David /

Building a Big IaaS Cloud. David / Building a Big IaaS Cloud David Nalley @ke4qqq ke4qqq@apache.org / david@gnsa.us #whoami Recovering Sysadmin F/LOSS contributor Committer on Apache CloudStack Assumptions You have a need for an IaaS compute

More information

Microsoft Networking Academy

Microsoft Networking Academy Microsoft Networking Academy with the C+E Global Black Belts Olivier Martin (@omartin) Networking TSP GBB Jaime Schmidtke (@jaimesc) ExpressRoute Partners GBB Bryan Woodworth (@brwoodwo) Networking TSP

More information

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title. I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and

More information

Cisco Firewall Basics

Cisco Firewall Basics Cisco Firewall Basics Mark Cairns, Consulting Systems Engineer BRKSEC-1020 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco

More information

New Features and Functionality

New Features and Functionality This section describes the new and updated features and functionality included in Version 6.2.1. Note that only the Firepower 2100 series devices support Version 6.2.1, so new features deployed to devices

More information

Cisco Multicloud Portfolio: Cloud Connect

Cisco Multicloud Portfolio: Cloud Connect Design and Deployment Guide Cisco Multicloud Portfolio: Cloud Connect Design and Deployment Guide for Private Data Center to AWS VPC October 2018 2018 Cisco and/or its affiliates. All rights reserved.

More information

Aviatrix Virtual Appliance

Aviatrix Virtual Appliance Aviatrix Virtual Appliance For AWS VPN Gateway Connection Configuration Guide Last updated: April 11, 2017 Aviatrix Systems, Inc. 411 High Street Palo Alto CA 94301 USA http://www.aviatrix.com Tel: +1

More information

Data Sheet Gigamon Visibility Platform for AWS

Data Sheet Gigamon Visibility Platform for AWS Data Sheet Gigamon Visibility Platform for Overview The rapid evolution of Infrastructure-as-a-Service (IaaS), or public clouds, brings instant advantages of economies of scale, elasticity, and agility

More information

Deploying and Using ArcGIS Enterprise in the Cloud. Bill Major

Deploying and Using ArcGIS Enterprise in the Cloud. Bill Major Deploying and Using ArcGIS Enterprise in the Cloud Bill Major Quick Survey Your role in your organization - Developer? - Cloud Admin? Already a cloud user Running Esri deployment on AWS Running Esri deployment

More information