
Firepower 9300 Deep Dive

Andrew Ossipov, Principal Engineer


Your Speaker

Andrew Ossipov
aeo@cisco.com
Principal Engineer
8 years in Cisco TAC

19+ years in Networking


Agenda
Next Generation Security Architecture
Hardware and Software
Security Applications
On-Box Manager Demo
Availability and Scalability
Application Use Cases
Closing Remarks
Next Generation Security Architecture
Platform-Based Security Architecture
Layered diagram, top to bottom:
Management: Common Security Policy and Management
Security Services and Applications: Cisco Security Applications and Third-Party Security Applications (Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention)
Security Services Platform: Common Security Policy & Management; Security Orchestration APIs; Cisco ONE Platform Management APIs; Cloud Intelligence APIs; delivered as Physical Appliance, Virtual, or Cloud
Infrastructure Element Layer: Device API (OnePK, OpenFlow, CLI); Cisco Networking Operating Systems (Enterprise, Data Centre, Service Provider); ASIC Data Plane (Route, Switch, Compute) and Software Data Plane
Next Generation Platform Requirements
Modular Compute: system hardware components can be upgraded independently
Architectural Scale: leverage the best of security processing components (x86, NPU, Crypto) and scale with Clustering
No Single Failure Point: all hardware and software components are redundant and as independent as possible
Deployment Agnostic: provide the same benefits in physical, virtual, and hybrid SDN environments
Dynamic Inline Service Insertion: dynamic service insertion based on policy and context
Rapid Changes: services can be added, removed, upgraded, and modified without disrupting existing flows
3rd Party Integration: architecture built to quickly add new services as the market evolves
Unified API: offer a unified SDK/API for all services, including unified licensing and logging
Security Application Convergence
ASA: L2-L4 Stateful Firewall; scalable CGNAT, ACL, routing; application inspection
FirePOWER: threat-centric NGIPS; AVC, URL Filtering for NGFW; Advanced Malware Protection
Firepower Threat Defence (FTD)
New converged NGFW/NGIPS image
Full FirePOWER functionality for NGFW/NGIPS deployments
ASA data path with TCP Normaliser, NAT, ACL, dynamic routing, failover functions
Hardware and Software
Firepower 9300 Overview
Supervisor: application deployment and orchestration; network attachment and traffic distribution; clustering base layer for ASA/FTD
Network Modules: 10GE/40GE and future 100GE; hardware bypass for inline NGIPS
Security Modules: embedded Smart NIC and crypto hardware; Cisco (ASA, FTD) and third-party (Radware DDoS) applications; standalone or clustered within and across chassis
Supervisor Module
Front panel: RJ-45 Console, 1GE Management (SFP), built-in 10GE Data (SFP+), optional Network Modules (NM) in slots 1 and 2
Overall chassis management and network interaction
Network interface allocation and module connectivity (960Gbps internal fabric)
Application image storage, deployment, provisioning, and service chaining
Clustering infrastructure for supported applications
Smart Licensing and NTP for the entire chassis
Supervisor Simplified Hardware Diagram
x86 CPU and RAM on the System Bus; Internal Switch Fabric (up to 24x40GE) with 2x40Gbps Ethernet to each of Security Modules 1, 2 and 3, 2x40Gbps to the on-board 8x10GE interfaces, and 5x40Gbps to each of NM Slot 1 and NM Slot 2
Network Interfaces
Supervisor attaches security modules to the network
All interfaces are called Ethernet and 1-referenced (e.g. Ethernet1/1)
All external network modules require fibre or copper transceivers
8x10GE: 1GE optical or copper SFP; hardware bypass with FTD
4x40GE: 4x10GE breakouts for each 40GE port; hardware bypass with FTD
2x100GE: double width, QSFP28 connector; no breakout support; hardware bypass with FTD; a future single-width module requires a Supervisor hardware upgrade
Security Modules

Two configurations
SM-36 Extreme: 72 x86 CPU cores (up to 80Gbps)
SM-24 Enterprise: 48 x86 CPU cores (up to 60Gbps), NEBS Ready

Dual 800GB SSD in RAID1 by default


Built-in hardware Smart NIC and Crypto Accelerator
Flow Offload
VPN connection acceleration
Future transit TLS inspection with FTD
Security Module Simplified Diagram
Two x86 CPUs (24 or 36 cores each) and 256GB RAM on the System Bus; 2x100Gbps Ethernet to the Smart NIC and Crypto Accelerator; 2x40Gbps backplane connection to the Supervisor
Firepower 9300 Software
Supervisor and security modules use multiple independent images
All images are digitally signed and validated through Secure Boot
Security application images are in Cisco Secure Package (CSP) format
Diagram: the Supervisor runs Firepower Extensible Operating System (FXOS) and stores the CSP application images; each of Security Modules 1, 2 and 3 runs FXOS, a primary application from Cisco (ASA, native) and optionally a decorator application from a third party (DDoS, in KVM); FXOS upgrades are applied to the Supervisor and to the resident provisioning agent on the modules
Firepower 9300 Platform Bundle
Platform Bundle contains all Supervisor and module firmware images
Bundle file name, e.g. fxos-9000-k9.99.1.2.300.gSPA: fxos-9000 is the platform, k9 the encryption level, 99.1.2.300 the version, g a [g]db build, S [S]igned, P a [S]pecial or [P]roduction key, A the key revision
FXOS creates an environment for security applications
Supervisor automatically selects components to upgrade
Relevant components are reloaded automatically during the upgrade
Supervisor CLI Interface

FXOS uses object-based CLI representation similar to UCS Manager


scope, enter, or exit: select a command mode within the hierarchy
create: instantiates a new configuration object within the hierarchy
set: assigns a value to a configuration variable or object
show: displays object content
commit-buffer: applies changes to the running configuration
FP9300# scope eth-uplink
FP9300 /eth-uplink # scope fabric a
FP9300 /eth-uplink/fabric # create port-channel 2
FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 11
FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 12
FP9300 /eth-uplink/fabric/port-channel* # set speed 10gbps
FP9300 /eth-uplink/fabric/port-channel* # commit-buffer
FP9300 /eth-uplink/fabric/port-channel # exit
Security Applications
Security Applications Overview

Applications are security services that run on Firepower 9300 modules


Primary application consumes full resources of an entire module
ASA or FTD; no plans for standalone NGIPS image
All modules in a chassis run same primary application

A decorator application shares a security module with a primary


Traffic flows from network interface through decorator to primary application
Service chaining with Radware vDefencePro decorator and ASA/FTD
Security Services Architecture
Diagram: a Logical Device (an ASA Cluster) spans Security Modules 1, 2 and 3; each module hosts one Logical Device Unit running the primary application (ASA) and the decorator application (DDoS), joined by a Decorator Link; the Supervisor holds the Application Image Storage and the logical interfaces Data Outside (PortChannel2), Data Inside (PortChannel1) and Ethernet1/7 (Management), mapped onto the on-board 8x10GE interfaces (Ethernet1/1-8), a 4x40GE NM in Slot 1 (Ethernet2/1-4) and a 4x40GE NM in Slot 2 (Ethernet3/1-4); the logical packet flow runs from the network interface through the decorator to the primary application
Radware vDefencePro Summary
Available services, grouped as Application, Server and Network protections: Behavioural DoS, Behavioural HTTP Flood Protection, DNS Protection, Anti-Scan, SYN Protection, Server Cracking, Connection Limit, Out-Of-State, Signature Protection, Connection PPS Limit, Per-flow PPS Limit, Blacklist/Whitelist (BL/WL)
Up to 10Gbps per module on 6 allocated x86 CPU cores
vDP intra-chassis clustering allows up to 30Gbps with 3 modules
Future inter-chassis clustering support
Impact to ASA throughput from core allocation is 10-15%
Detailed Inbound Flow with Radware vDP
Topology: Outside [Decorated], Radware vDP cluster on Modules 1-3, ASA cluster on Modules 1-3, Inside [Undecorated]; the Supervisor distributes traffic to each cluster; static NAT maps 192.168.1.1/80 to 172.16.1.1/80
1. TCP request from 10.0.0.1/1024 to 192.168.1.1/80
2. vDP cluster: two-tuple symmetric hash on {SRC_IP=10.0.0.1, DST_IP=192.168.1.1}
3. ASA cluster: five-tuple symmetric hash on {Proto=TCP, SRC_IP=10.0.0.1, SRC_PORT=1024, DST_IP=192.168.1.1, DST_PORT=80}
4. Static NAT 192.168.1.1/80 to 172.16.1.1/80
5. TCP response from 172.16.1.1/80 to 10.0.0.1/1024
6. ASA cluster: five-tuple symmetric hash on {Proto=TCP, SRC_IP=172.16.1.1, SRC_PORT=80, DST_IP=10.0.0.1, DST_PORT=1024}
7. ASA cluster statefully redirects to the owner; the owner reverses NAT
8. vDP cluster: two-tuple symmetric hash on {SRC_IP=192.168.1.1, DST_IP=10.0.0.1}
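The eight steps above turn on one property: a symmetric hash gives the same answer for a packet and for its reply, so both directions of a flow land on the same cluster member, except when NAT rewrites one side of the tuple in between. The following is an added illustration, not code from the presentation or from Cisco; the hash function (truncated SHA-256 modulo the member count) is an illustrative stand-in, not the platform's real hash, and the addresses are the ones on the slide.

```python
"""Added example (not Cisco code): symmetric two-tuple and five-tuple distribution,
replayed for the slide's vDP -> ASA -> static-NAT flow on a three-module chassis."""
import hashlib
from typing import Tuple

Tuple2 = Tuple[str, str]                  # (src_ip, dst_ip)
Tuple5 = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)

# Static NAT from the slide: mapped (outside) 192.168.1.1 <-> real (inside) 172.16.1.1
STATIC_NAT = {"192.168.1.1": "172.16.1.1"}
STATIC_UNNAT = {real: mapped for mapped, real in STATIC_NAT.items()}


def two_tuple_key(pkt: Tuple2) -> str:
    """Canonical key for {SRC_IP, DST_IP} as an unordered pair (direction-independent)."""
    lo, hi = sorted(pkt)
    return f"{lo}|{hi}"


def five_tuple_key(pkt: Tuple5) -> str:
    """Canonical key for protocol plus the unordered pair of (ip, port) endpoints."""
    proto, src_ip, src_port, dst_ip, dst_port = pkt
    a, b = sorted(((src_ip, src_port), (dst_ip, dst_port)))
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


def bucket(key: str, members: int) -> int:
    """Illustrative stand-in for the platform hash: truncated SHA-256 modulo member count."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % members


def two_tuple_symmetric(pkt: Tuple2, members: int) -> int:
    return bucket(two_tuple_key(pkt), members)


def five_tuple_symmetric(pkt: Tuple5, members: int) -> int:
    return bucket(five_tuple_key(pkt), members)


def reverse_nat(pkt: Tuple5) -> Tuple5:
    """Step 7 on the owner: put the mapped address back into the server-sourced packet."""
    proto, src_ip, src_port, dst_ip, dst_port = pkt
    return (proto, STATIC_UNNAT.get(src_ip, src_ip), src_port, dst_ip, dst_port)


def walk_slide_flow(members: int = 3) -> dict:
    """Replay the hash decisions of steps 2, 3, 6 and 8 for a three-module chassis."""
    request: Tuple5 = ("TCP", "10.0.0.1", 1024, "192.168.1.1", 80)    # step 1
    response: Tuple5 = ("TCP", "172.16.1.1", 80, "10.0.0.1", 1024)    # step 5, real server address
    unnat = reverse_nat(response)                                     # step 7
    return {
        "vdp_request": two_tuple_symmetric((request[1], request[3]), members),   # step 2
        "asa_request": five_tuple_symmetric(request, members),                   # step 3
        "asa_response": five_tuple_symmetric(response, members),                 # step 6
        "asa_response_unnat": five_tuple_symmetric(unnat, members),              # after step 7
        "vdp_response": two_tuple_symmetric((unnat[1], unnat[3]), members),      # step 8
        # False: the post-NAT reply cannot be hashed to the owner, hence the redirect in step 7
        "same_asa_member_without_redirect": five_tuple_key(request) == five_tuple_key(response),
    }


if __name__ == "__main__":
    for name, value in walk_slide_flow().items():
        print(f"{name}: {value}")
```

The vDP never sees the real server address (the NAT happens behind it), so its two-tuple hash matches in both directions without help; the ASA cluster's step 6 hash is computed over the un-NATed reply, which is why the flow owner must be found statefully rather than by hashing.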
Future Vision: Security Service Chaining
Contextual policy- and outcome-based service insertion
Metadata exchange with Network Services Header (NSH)
Diagram: within a Security Module, a Service Classifier (SC) and Service Function Forwarder (SFF) in the Stateful Data Path direct incoming traffic through the necessary services (DDoS, FTD, others); each Service Function (SF) processes the packet, attaches metadata, and returns it to the SFF; SF, SC, and SFF may influence the service path based on policy, context, and metadata
Smart Licensing
Cisco applications (ASA, FTD) request feature license entitlements from the Supervisor; third-party applications (DDoS) may use out-of-band licensing
Supervisor fulfils aggregated entitlement requests with the Cisco Smart Licensing backend through a direct Internet connection, an HTTP/HTTPS proxy, or an on-premise Satellite connector
ASA entitlements: Strong Encryption, Security Contexts, Carrier Inspections
FTD entitlements: Threat, Malware, and URL Services
Management Overview

Chassis management is independent from applications


On-box chassis manager UI, CLI, and REST
SNMP and syslog support for chassis level counters/events on Supervisor

Applications are managed through their respective interfaces


CLI, REST API, ASDM, and off-box Cisco Security Manager (CSM) 4.9 SP1 for ASA
Off-box Firepower Management Centre (FMC) 6.0.1 for FTD
Off-box APsolute Vision for Radware vDP

Future off-box FMC support for both chassis and FTD management
On-Box Manager Demo
Availability and Scalability
High Availability and Scalability Options
ASA: High Availability - Active/Standby Failover (2 modules), Active/Active Failover (2 modules); High Availability and Scalability - Intra-chassis Clustering (3 modules, 240Gbps), Inter-chassis Clustering (16 modules, 1.2Tbps); High Scalability - Inter-chassis Clustering (16 modules, 1.2Tbps)
FTD: High Availability - Active/Standby Failover (2 modules); High Availability and Scalability - Intra-chassis Clustering (3 modules, 240Gbps); High Scalability - none
Radware vDP: High Availability - none; High Availability and Scalability - Intra-chassis Clustering (3 modules, 30Gbps); High Scalability - none
ASA Failover for High Availability
Active/Standby or Active/Active failover at module level
Full stateful connection synchronisation as with ASA appliances
Failover control and state links are configured at application level
Recommend VLAN multiplexing of failover links with a management interface type
Inter-chassis failover control and state link connection options (three failover pairs, Pri ASA 1-3 and Sec ASA 1-3, with the primary and secondary of each pair on different chassis): per-pair physical data interfaces (Eth1/1, Eth1/2, Eth1/3 on each Supervisor); a shared physical management interface; a VLAN trunk (Port-Channel1 over Eth1/1-2 carrying VLANs 10, 20, 30)
ASA Clustering Overview
Cluster of up to 16 modules across 5+ chassis
Off-chassis flow backup for complete redundancy
Same-application modules can be clustered within a chassis
Bootstrap configuration is applied by the Supervisor
Diagram: Chassis 1 and Chassis 2 (each Supervisor with ASA modules) attached to Switch 1 and Switch 2 over Nexus vPC; an Inter-Chassis Cluster Control Link between the chassis and an Intra-Chassis Cluster Control Link within each chassis
Platform Specifics for ASA Clustering

Only Spanned Etherchannel interface mode is supported


Additional off-chassis flow backup for N+1 chassis-level fault tolerance
Firewall context mode, 3DES/AES license, SSL ciphers are replicated
HTTP flows are not replicated by default until 5 seconds of uptime
cluster replication delay 5 match tcp any any eq www

Chassis- and cluster-level overflow protection syslogs


%ASA-6-748008: CPU load 80% of module 1 in chassis 1 (unit-1-1) exceeds overflow
protection threshold CPU 75%. System may be oversubscribed on member failure.
%ASA-6-748009: Memory load 80% of chassis 1 exceeds overflow protection threshold
memory 78%. System may be oversubscribed on chassis failure.
New TCP Flow with ASA Inter-Chassis Clustering
Roles: M Master (global role); O Owner, D Director, F Forwarder, B Off-Chassis Backup (per-connection roles). In the diagram the Master is Chassis 2 Module 2.
1. Client attempts a new flow with TCP SYN, which arrives at Chassis 1 Module 1 (C1M1)
2. C1M1: become Owner, add SYN Cookie, send to Server
3. Server responds with TCP SYN ACK through another unit, Chassis 2 Module 3 (C2M3)
4. C2M3: redirect to Owner C1M1 from the SYN Cookie, become Forwarder
5. C1M1: send to Client
6. C1M1: calculate Director C1M3, send flow update
7. C1M1: calculate off-chassis Backup C2M1, send update
Inter-Site Clustering with ASA
North-South insertion with LISP inspection and owner reassignment: an Inter-Chassis Cluster spanning Site A and Site B, interconnected over OTV
East-West insertion for first hop redundancy with VM mobility: an Inter-Chassis Cluster spanning Site A and Site B, interconnected over OTV
FTD Failover and Clustering
FTD uses the ASA data plane and similar failover/clustering infrastructure
Enhanced to replicate full NGFW/NGIPS configuration and opaque flow state
Current intra-chassis clustering support on Firepower 9300 platform only
Module-level Active/Standby failover for inter-chassis high availability
Ensures full stateful flow symmetry in both NGIPS and NGFW modes
Failover (Active and Standby FTD between vPC pairs): both directions of a flow traverse the single active unit
Clustering (FTD cluster between vPC pairs): all packets for a flow are redirected to the connection Owner
Radware vDP Clustering
Requires intra-chassis ASA clustering for operation
Backplane CCL is shared with ASA and automatically configured
Health checking ties the ASA and vDP instances on a module together
1. vDP Master (Module 1) and Slave (Modules 2 and 3) instances are configured and managed independently through APSolute Vision
2. Time-based secret value is replicated from Master to Slaves
3. Asymmetrical L4/L7 session authentication with cookies uses the same secret value across the cluster, so a cookie issued by one instance ("Cookie?") is validated by another ("OK!")
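Both cluster mechanisms above rest on the same trick: a cookie that any member can verify without asking the member that issued it. In the ASA flow (steps 2 and 4 of the new-TCP-flow walkthrough) the SYN cookie also identifies the owner, so the unit that receives the SYN-ACK knows where to forward it; in the vDP cluster (steps 2 and 3 here) a time-based secret replicated from the Master lets a Slave validate a challenge cookie it never minted. The following is an added illustration of such a scheme and is not Cisco or Radware code: the 32-bit ISN layout (4 owner bits, 28 MAC bits), the 60-second rotation interval and the HMAC construction are assumptions for the example, not either product's wire format.

```python
"""Added example (not Cisco or Radware code): a keyed cookie that any cluster member can
validate, that carries the minting member's identity, and that survives one secret
rotation. Field sizes, rotation interval and MAC construction are assumed for illustration."""
import hmac
import hashlib
import os
from typing import Dict, Optional, Tuple

ROTATION_SECONDS = 60      # assumed rotation interval for the time-based secret
OWNER_BITS = 4             # up to 16 cluster members -> 4 bits of a 32-bit ISN (assumed layout)
MAC_BITS = 32 - OWNER_BITS
MAC_MASK = (1 << MAC_BITS) - 1

FourTuple = Tuple[str, int, str, int]   # (client_ip, client_port, server_ip, server_port)


class SecretMaster:
    """Master role: one random secret per rotation window, replicated to the other members."""

    def __init__(self) -> None:
        self._secrets: Dict[int, bytes] = {}

    def _secret(self, epoch: int) -> bytes:
        if epoch not in self._secrets:
            self._secrets[epoch] = os.urandom(32)
        return self._secrets[epoch]

    def replicate(self, now: float) -> Dict[int, bytes]:
        """Current and previous window, so cookies minted just before a rotation still verify."""
        epoch = int(now // ROTATION_SECONDS)
        return {e: self._secret(e) for e in (epoch, epoch - 1)}


class ClusterMember:
    def __init__(self, member_id: int, secrets: Dict[int, bytes]) -> None:
        if not 0 <= member_id < (1 << OWNER_BITS):
            raise ValueError("member id does not fit in the owner field")
        self.member_id = member_id
        self.secrets = dict(secrets)    # replicated copy; identical on every member

    @staticmethod
    def _mac(secret: bytes, owner: int, flow: FourTuple, epoch: int) -> int:
        msg = f"{owner}|{epoch}|{flow[0]}:{flow[1]}>{flow[2]}:{flow[3]}".encode()
        tag = hmac.new(secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big") & MAC_MASK

    def mint_cookie(self, flow: FourTuple, now: float) -> int:
        """Owner: ISN = owner id in the top bits, keyed MAC over the flow in the rest."""
        epoch = int(now // ROTATION_SECONDS)
        return (self.member_id << MAC_BITS) | self._mac(self.secrets[epoch], self.member_id, flow, epoch)

    def validate_cookie(self, cookie: int, flow: FourTuple, now: float) -> Optional[int]:
        """Any member: recover the owner to forward to, or None if the cookie is forged or stale."""
        owner, mac = cookie >> MAC_BITS, cookie & MAC_MASK
        epoch = int(now // ROTATION_SECONDS)
        for e in (epoch, epoch - 1):
            secret = self.secrets.get(e)
            if secret is None:
                continue
            expected = self._mac(secret, owner, flow, e)
            if hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
                return owner
        return None


def cookie_from_syn_ack(ack_number: int, synack_flow: FourTuple) -> Tuple[int, FourTuple]:
    """The SYN-ACK acknowledges ISN+1 and travels server->client; undo both before validating."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    s_ip, s_port, c_ip, c_port = synack_flow
    return cookie, (c_ip, c_port, s_ip, s_port)


if __name__ == "__main__":
    master = SecretMaster()
    now = 1000.0
    owner = ClusterMember(1, master.replicate(now))
    other = ClusterMember(3, master.replicate(now))
    flow = ("10.0.0.1", 1024, "192.168.1.1", 80)
    isn = owner.mint_cookie(flow, now)
    cookie, client_flow = cookie_from_syn_ack((isn + 1) & 0xFFFFFFFF, ("192.168.1.1", 80, "10.0.0.1", 1024))
    print("SYN-ACK on module 3 belongs to owner module", other.validate_cookie(cookie, client_flow, now + 5))
```

Keeping the previous window's secret is the part that matters operationally: a cookie minted a second before the rotation must still verify on a member that has already received the new secret, otherwise every rotation would drop the handshakes in flight.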
ASA Flow Offload

Trusted flow processing with limited security visibility


Maximise single-flow throughput and packet rate, minimise latency
High performance compute, frequency trading, demanding data centre applications

Static hardware-based offload in Smart NIC for ASA


policy-map OFFLOAD_POLICY
class TRUSTED_FLOWS
set connection advanced-options flow-offload
Targeting 30Gbps+ per single flow (TCP/UDP) and 2.5us of 64-byte UDP latency
Unicast IPv4 TCP/UDP/GRE and VLAN encapsulation only, no CMD/SGT

Conditional offloading and selective inspection in the future


ASA Flow Offload Operation
Full Inspection: dynamically program the Offload engine after flow establishment; ability to switch between Offload and full inspection on the fly
Extended Offload Path (Future): dedicated x86 cores for advanced processing; packet capture and extended statistics
Diagram: in the Security Module x86 CPU Complex, the full ASA or FTD engine handles new and fully inspected flows and sends offload instructions to the Smart NIC; the Smart NIC Flow Classifier sends established trusted flows through the Rewrite Engine and returns flow updates to the engine; a future Lightweight Data Path handles advanced processing
Flow Offload: limited state tracking, NAT/PAT, TCP Seq Randomisation
30-40Gbps per single TCP/UDP flow, 2.5us UDP latency, 32K tracked flows
Application Use Cases
Application Positioning Summary
ASA (Firewall) is a powerful and scalable solution for basic stateful segmentation
Ease of integration and scaling in large and distributed data centres
Real-time trading and high performance application protection with Flow Offload
Infrastructure and Internet edge protection for service providers
FTD (NGFW, NGIPS) is a comprehensive threat-centric security solution
NGIPS for data centre and service provider environments
NGFW for edge protection and smaller data centres
Radware vDP (DDoS) is a behavioural DDoS mitigation solution
Internet edge protection for web commerce and service provider environments
ASA in Data Centre
Routed or transparent insertion into common data centre topologies
vPC, VxLAN, PBR, OSPFv2/v3, BGP-4, ECMP, NSF/GR, PIM-SM, BSR
Scalable IP and Trustsec policies in single or multiple contexts
Same- and inter-site clustering with LISP integration
Diagram: Layer 2 Data Centre (Core/Edge, Services, Distribution/Aggregation, Access) and Layer 3 Data Centre (Spine Nodes, Leaf Nodes, Endpoints with Nexus 1000v)
ASA for Scalable VPN Termination
Use standalone modules or failover for scaling S2S and RA VPN
Reverse Route Injection (RRI) with dynamic crypto maps and OSPF/BGP
Diagram, RA VPN with ASA Load-Balancing: members .10, .20, .30 on Chassis 1 and Chassis 2 (one Master) on 203.0.113.0/24 and 198.51.100.0/24, with client addresses 10.1.1.85 and 10.1.1.100 from 10.1.1.0/24 injected via RRI
Diagram, S2S VPN with Nexus ITD: members .10 through .60 across Chassis 1 and Chassis 2 behind the Intelligent Traffic Director VIP .1 on 203.0.113.0/24, with RRI for 172.16.171.0/24 and 192.168.1.0/24
ASA for Service Providers
Evolved Packet Core (MME, S-GW, PCRF, HSS, P-GW): protect the mobile backhaul connection with S2S VPN; protect roaming agreements and billing systems with GTP/Diameter inspection and advanced filtering policies towards the Roaming Partner (MME, S-GW, PCRF); stateful Internet edge protection and CGNAT for mobile clients
Hosted Services: stateful Internet edge protection with multiple-context mode for hosted services; stateful perimeter protection for external (Type III) service providers
ASA Application Inspection
Protocol conformance, NAT/PAT rewrites, dynamic ACL pinholes
SIP inspection for scalable VoIP environments (>10K calls per second)
SCTP, Diameter, and GTPv2 inspection for Carriers in ASA 9.5(2)
TLS Proxy with SIP; multi-core Diameter inspection in ASA 9.6(1)
TLS Proxy: endpoints establish an inspected control channel TLS connection over TCP; ASA uses pre-configured trustpoints to cut into the TLS connection, inspect traffic, and open secondary connections as necessary
Carrier Grade NAT with ASA

Fully conforms to RFC6888 except Port Control Protocol (PCP) support


High single-module capacity and further scalability with clustering
60M+ concurrent NAT translation per module
500K+ new translation creations per second per module

Port Block Allocation for PAT reduces logging volume in ASA 9.5(2)
Each PAT client is assigned blocks of ports (512 each by default) for translation
A single syslog is recorded for each block allocation event
%ASA-6-305014: Allocated TCP block of ports for translation from inside:10.1.1.10 to
outside:20.1.1.10/1024-1535.
%ASA-6-305015: Released TCP block of ports for translation from inside:10.1.1.10 to
outside:20.1.1.10/1024-1535.
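Port Block Allocation is a logging-volume feature, but the block syslogs are also what an investigator has to work from when an abuse complaint names a public IP, port and time. The following is an added example, not Cisco code: it parses 305014/305015 messages of the form shown above into allocation intervals and answers "which inside host held this outside port at that moment". The syslog prefix (timestamp and device-id, as with logging timestamp and logging device-id) and the sample lines are constructed; a 748008 line from earlier in the deck is included only to show that unrelated messages are skipped.

```python
"""Added example (not Cisco code): build a CGNAT lookup table from %ASA-6-305014/305015
port-block syslogs and map (outside IP, port, protocol, time) back to an inside host."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Assumed prefix: "Mon DD YYYY HH:MM:SS <device-id> : " before the message the slide shows.
PBA_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-6-3050(?P<code>14|15): "
    r"(?:Allocated|Released) (?P<proto>TCP|UDP) block of ports for translation from "
    r"(?P<in_if>[\w-]+):(?P<in_ip>[\d.]+) to (?P<out_if>[\w-]+):(?P<out_ip>[\d.]+)"
    r"/(?P<lo>\d+)-(?P<hi>\d+)\.$"
)
TS_FORMAT = "%b %d %Y %H:%M:%S"


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


@dataclass
class PortBlock:
    proto: str
    inside: str
    outside: str
    lo: int
    hi: int
    start: datetime
    end: Optional[datetime] = None   # None while the block is still allocated

    def size(self) -> int:
        return self.hi - self.lo + 1

    def covers(self, proto: str, outside: str, port: int, at: datetime) -> bool:
        return (self.proto == proto and self.outside == outside
                and self.lo <= port <= self.hi
                and self.start <= at and (self.end is None or at < self.end))


def parse_pba_logs(lines: Iterable[str]) -> List[PortBlock]:
    """Pair each 305014 (allocate) with its later 305015 (release) into a closed interval."""
    blocks: List[PortBlock] = []
    for line in lines:
        m = PBA_RE.match(line.strip())
        if not m:
            continue                      # not a PBA message; other syslogs are ignored
        ts = parse_ts(m["ts"])
        lo, hi = int(m["lo"]), int(m["hi"])
        if m["code"] == "14":
            blocks.append(PortBlock(m["proto"], m["in_ip"], m["out_ip"], lo, hi, ts))
        else:
            # Close the newest still-open block with the same proto/inside/outside/range.
            for b in reversed(blocks):
                if (b.end is None and b.proto == m["proto"] and b.inside == m["in_ip"]
                        and b.outside == m["out_ip"] and (b.lo, b.hi) == (lo, hi)):
                    b.end = ts
                    break
    return blocks


def inside_host_for(blocks: List[PortBlock], proto: str, outside: str, port: int, at: str) -> Optional[str]:
    """Answer an abuse report: which inside host held outside:port for `proto` at time `at`."""
    when = parse_ts(at)
    for b in blocks:
        if b.covers(proto, outside, port, when):
            return b.inside
    return None


# Constructed sample: two inside hosts share one PAT address, and one block is recycled.
SAMPLE_LOGS = [
    "Mar 11 2016 10:00:00 fp9300-1 : %ASA-6-305014: Allocated TCP block of ports for translation from inside:10.1.1.10 to outside:20.1.1.10/1024-1535.",
    "Mar 11 2016 10:00:05 fp9300-1 : %ASA-6-305014: Allocated TCP block of ports for translation from inside:10.1.1.11 to outside:20.1.1.10/1536-2047.",
    "Mar 11 2016 10:00:07 fp9300-1 : %ASA-6-748008: CPU load 80% of module 1 in chassis 1 (unit-1-1) exceeds overflow protection threshold CPU 75%. System may be oversubscribed on member failure.",
    "Mar 11 2016 10:30:00 fp9300-1 : %ASA-6-305015: Released TCP block of ports for translation from inside:10.1.1.10 to outside:20.1.1.10/1024-1535.",
    "Mar 11 2016 10:31:00 fp9300-1 : %ASA-6-305014: Allocated TCP block of ports for translation from inside:10.1.1.12 to outside:20.1.1.10/1024-1535.",
]

if __name__ == "__main__":
    table = parse_pba_logs(SAMPLE_LOGS)
    print(inside_host_for(table, "TCP", "20.1.1.10", 1100, "Mar 11 2016 10:10:00"))
    print(inside_host_for(table, "TCP", "20.1.1.10", 1100, "Mar 11 2016 10:35:00"))
```

Because a block is reused by a different host after release, the lookup must respect the release time, not just the port range; the half-open interval [start, end) keeps a query at exactly the release second from matching the old owner.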
FTD Deployment Modes
FTD can act as both NGFW and NGIPS on different network interfaces
NGFW inherits operational modes from ASA and adds FirePOWER features
NGIPS operates as standalone FirePOWER with limited ASA data plane functionality
NGFW modes: Routed (inside 10.1.1.0/24, outside 10.1.2.0/24, DMZ 10.1.3.0/24); Transparent (inside, outside, DMZ on 10.1.1.0/24)
NGIPS modes: Inline (Eth1/1, Eth1/2); Inline Tap (Eth1/1, Eth1/2); Passive (Eth1/1)
FTD as NGFW at the Edge
AVC, Reputation, TLS decryption, URL Filtering, File Analysis, Advanced Malware Protection for outbound connections (Campus to Internet)
Continuous updates from Talos ensure relevant protection
OSPF, BGP, NSF/GR, and similar features for easy network integration
ACL and NGIPS policies, optional TLS decryption for inbound connections (Internet to Data Centre)
DNS Sinkholing redirects potentially malicious connections to a local honeypot
File hashes are checked against the AMP cloud; unknown samples are submitted to ThreatGRID, and ThreatGRID feeds the data back into AMP/Talos
FTD Identity Management with pxGrid
Extended identity attributes with Platform eXchange Grid (pxGrid)
User identity, Geolocation, Source Security Group and Tag, Device Type
Replaces Firepower User Agent with ISE
1. Wireless, wired, and VPN clients authorise network access through ISE
2. ISE authorises users against Active Directory
3. FMC resolves AD group membership; FTD actively authenticates users through LDAP
4. ISE publishes IP-Attribute mappings through FMC to FTD
Behavioural DDoS with Radware vDP
Behavioural detection for maximum efficacy and low false positives (compared with rate-based detection)
Effectively protects web, e-mail, VoIP, and other services
Adaptive behavioural DoS against IPv4/IPv6 TCP/UDP/ICMP/IGMP floods
SYN flood protection with active Layer 4 challenges
DNS flood protection with request/response record tracking
Application signature protection for HTTP/SMTP/FTP/POP3/SIP/SMB/SQL
Anomaly protection against basic malformed packets
ASA and DDoS in Enterprise
Inbound Internet traffic traverses DDoS (Radware vDP) and ASA on the Firepower 9300 for behavioural and stateful protection at up to 10Gbps per module
Internal traffic (Data Centre, Campus) traverses ASA only, for stateful segmentation
Radware Defence Messaging is used to initiate cloud-based mitigation (Radware Cloud Scrubbing Service) for volumetric attacks beyond on-premise processing capabilities
Dirty traffic is pulled into Radware DefencePipe, sanitised, and then redirected to the edge router over GRE
Closing Remarks
Firepower 9300 Summary

Next-generation security platform architecture


Security service chaining with Cisco and third-party applications
Intra- and inter-chassis clustering for high scalability
Flow Offload for real time applications
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations: directly from your mobile device on the Cisco Live Mobile App, by visiting the Cisco Live Mobile Site at http://showcase.genie-connect.com/ciscolivemelbourne2016/, or at any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com
Thank you
