
GSSO Channel Engineering
January 2017

Agenda
Product Overview
Capabilities
Platform
Management
Sizing
Licensing
Evolution of Firepower and ASA

October 2013: Firepower AND ASA
September 2014: ASA with Firepower Services FOR the ASA-5500-X, ASA-5585-X
March 2016: Firepower Threat Defense ON the ASA-5500-X and FP-4100, and FP-9300
2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Relevant Terminology
Firepower Threat Defense (FTD)
Unified codebase software image
ASA with FirePOWER Services
Two managers, full firewall feature set
Firepower 4100 Series and 9300 Appliances
Brand for new hardware product offerings. Can run FTD or ASA
Firepower Next-Generation Firewall (NGFW)
FTD + Hardware or Virtual appliance
Firepower Management Center (FMC)
Formerly FireSIGHT Management Center, Defense Center

Converged Software: Firepower Threat Defense

New Converged Software Image: Firepower Threat Defense
Contains all Firepower Services plus select ASA capabilities (new: ASA features)

Single Manager: Firepower Management Center*

Same subscriptions as FirePOWER Services, enabled by Smart Licensing:
Threat (IPS + SI + DNS)
Malware (AMP + ThreatGrid)
URL Filtering

* Also manages Firepower Appliances, Firepower Services (not ASA Software)

The industry focus has been protecting before, but not during and after, attacks

Attack Continuum: BEFORE | DURING | AFTER

Typical NGFW silos (diagram labels): Enable applications, IPS, URL, DDoS, Sandbox, Incident Response; GAP

What does Firepower NGFW enable?

Cisco Firepower NGFW: Threat-focused, Fully Integrated

Stop more threats: Superior effectiveness before, during, and after attacks
Gain more insight: Industry leading visibility, with automated and prioritized response
Detect earlier, act faster: Detect and contain rapidly, as quickly as hours not months
Reduce complexity: Unified management and fewer vendors
Get more from your network: Enhance security, leverage existing investments, with Cisco and 3rd party integrations
Gain more insight with increased visibility
You can't protect what you can't see

Visibility comparison (diagram) of Typical IPS, Typical NGFW and Cisco Firepower NGFW across: Threats, Users, Web applications, Application protocols, File transfers, Malware, C&C Servers, Client applications, Operating systems, Routers & switches, Network Servers, Mobile Devices, Printers, VOIP phones
Reduce complexity with simplified, consistent management

Firepower Management Center

Unified
Network to endpoint visibility
Manages firewall, applications, threats, & files
Track, contain, recover remediation tools

Scalable
Central, role-based management
Multi tenancy
Policy inheritance

Automated
Impact assessment
Rule recommendations
Remediation APIs
Capabilities
Firepower Capabilities Overview

Application visibility & control: Tailor application behavior to reduce attack surface and risk of data loss
Advanced malware protection: Protect against the most advanced forms of malware and remediate after a breach
Security intelligence: Block access to known malicious IPs and URLs
URL filtering: Restrict access to specific sites and sub-sites, as well as categories of sites
Identity based policy control: Enforce policy with complete visibility and granular control across the network
Next Generation IPS: Superior intrusion detection and threat prevention
Application Visibility and Control (AVC)
Overview
Control port- and protocol-hopping apps that evade traditional firewalls
Enforce acceptable use policies with granular control over applications
Limit the exposure created by social media applications
Use custom application detectors/OpenAppID

Enhanced Application Visibility and Control
Cisco database of 4,000+ apps, plus OpenAppID custom detectors, applied to network & users:
See and understand risks
Enforce granular access control
Prioritize traffic and limit rates
Create detectors for custom apps
OpenAppID Overview
What is OpenAppID?
Application Visibility and Control (AVC) done the right way
An open source application-focused detection language
Enables users to create, share and implement custom application detection
Available for download as an extension of Snort 2.9.7 from http://www.snort.org
Key advantages
New simple language to detect apps
Reduces dependency on vendor release cycles
Build custom detections for new or specific (ex. Geo-based) app-based threats
Application-specific detail with security events
With the smartest threat defense available: Talos

Identify advanced threats quickly with industry-leading threat data and research
Get industry-specific threat intelligence tailored to your business
Catch advanced threats endpoints miss with Cisco's threat engineers and analysts
Stay protected against the latest threats with regular updates pushed automatically

Talos by the numbers:
Inspects over 300 billion emails per day
Insight into nearly 16 billion web requests each day
Receives 1.5 million incoming malware samples daily
200 billion threats blocked daily
250+ researchers, 24x7x365 operations

Telemetry sources: Email, Endpoints, Web, Networks, NGIPS, Devices
Threat Intelligence, Research, Response
Uncover hidden threats in the environment
Advanced Malware Protection (AMP)

Capabilities (diagram): File Reputation, File & Device Trajectory (AMP for Endpoint log, AMP for Network log), Threat Grid Sandboxing, Threat Disposition (Uncertain / Safe / Risky)
Techniques: Known Signatures, Fuzzy Fingerprinting, Advanced Analytics, Dynamic analysis, Indications of compromise, Sandbox Analysis, Threat intelligence, Enforcement across all endpoints
Outcomes: Block known malware, Investigate files safely, Detect new threats, Respond to alerts

AMP for Networks: Network File Trajectory
When AMP for Networks is enabled within FMC, users can see the trajectory of a file as well as the disposition of the file, as well as Patient 0.
AMP Everywhere: AMP Architecture

AMP Cloud
Threat Grid: Malware Analysis + Threat Intelligence Engine
AMP Private Cloud Virtual Appliance
AMP for Endpoints (remote endpoints): Windows OS, Android Mobile, Virtual, MAC OS, Linux for servers and datacenters (CentOS, Red Hat); AMP for Endpoints can be launched from AnyConnect
AMP on Firepower NGIPS Appliance (AMP for Networks)
AMP on Cisco ASA Firewall with Firepower Services
AMP on ISR with Firepower Services
AMP on Web and Email Security Appliances
AMP on Cloud Web Security and Hosted Email (CWS/CTA)
URL Filtering

Block specific URLs: Restrict access to specific sites and subsites (examples: bad_url.com, office365.com)
Restrict categories of URLs: Filter out over 280 million URLs based on any of the 80+ categories into which they are grouped (examples: Gambling, Social Media, Health, Gaming, Drug Use)
Reputation filtering: Blocks malicious websites based on who, what, where, how and when (reputation scale from -10 to +10)
Block or Allow Access to IPs or URLs

Security feeds (URL | IP | DNS), 3rd Party feeds and the URL Database feed the NGFW, which applies Allow/Block decisions, Safe Search, DNS Sinkhole and Category-based filtering under admin-created policy.

Classify 280M+ URLs
Filter sites using 80+ categories
Manage allow/block lists easily
Block latest malicious URLs
Identity Based Policy Control
Integrates with Cisco Identity Services Engine (ISE)
Gain awareness of everything hitting your network
Provide access consistently and efficiently
Relieve the stress of complex access management

See and share rich user and device details (who, what, where, how)
Improve your Cisco security and network solutions
Strengthen your non-Cisco security solutions
Make better decisions with user and device insights
Stop threats from getting in and spreading
Ease security policy setting
Limit unnecessary network exposure
Prevent threats from compromising your network in real time
Rapid Threat Containment

Automatically Defend Against Threats with FMC and ISE

1. Corporate user downloads file, not knowing it's actually malicious
2. Cisco security sensors scan the user activity and downloaded file. FMC aggregates and correlates sensor data
3. FMC detects the flagrantly suspicious file and alerts ISE. ISE then changes the user's/device's access policy to suspicious
4. Based on the new policy, network enforcers automatically restrict access
5. Device is quarantined for remediation or mitigation; access is denied per security policy
Intrusion Prevention (IPS)
Protect the network more effectively

NGIPS automatically correlates information from intrusion events with network assets to prioritize threat investigation (Impact 1, Impact 2, Impact 3)
Compares baseline network behavior to actual behavior and highlights abnormal activity
Blended threats and attacks coming through multiple vectors are quickly identified

Reduce IT management burden
Policies can be updated automatically based on vulnerabilities and previous intrusion events
Admins can make adjustments to policies and system settings across locations from a single, central location
Speed Impact Assessment and Response
Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action | Why
1 vulnerable | Act immediately | Event corresponds to vulnerability mapped to host
2 potentially vulnerable | Investigate | Relevant port open or protocol in use, but no vulnerability mapped
3 currently not vulnerable | Good to know | Relevant port not open or protocol not in use
4 unknown target | Good to know | Monitored network, but unknown host
0 unknown network | Good to know | Unmonitored network
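To make the impact-flag logic concrete, here is an added example of the correlation the table describes: each intrusion event is checked against what network discovery knows about the target host and assigned a flag of 1, 2, 3, 4 or 0. This is illustrative code written for this page, not Cisco's or FMC's implementation; the monitored network range, the host profiles, the vulnerability IDs (placeholders, not real identifiers) and the events are all constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Networks the management center is told to monitor (constructed sample value).
MONITORED_NETWORKS = [ip_network("10.0.0.0/8")]

# Administrator action per impact flag, as listed in the table above.
IMPACT_ACTION = {
    1: "Act immediately",
    2: "Investigate",
    3: "Good to know",
    4: "Good to know",
    0: "Good to know",
}
# Triage order: flag 1 first, flag 2 next; 3, 4 and 0 are informational.
TRIAGE_RANK = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


@dataclass
class HostProfile:
    """What passive discovery learned about one monitored host."""
    open_ports: Set[Tuple[str, int]]   # e.g. {("tcp", 80)}
    protocols: Set[str]                # application protocols seen, e.g. {"http"}
    vulns: Set[str]                    # vulnerability IDs mapped to this host


@dataclass
class IntrusionEvent:
    """One IPS event; rule_vulns is the set of vulnerability IDs the rule covers."""
    dst_ip: str
    proto: str
    dst_port: int
    app_proto: Optional[str]
    rule_vulns: Set[str]


def impact_flag(ev: IntrusionEvent, hosts: Dict[str, HostProfile]) -> int:
    """Return the impact flag (0-4) for ev against the host profile table."""
    dst = ip_address(ev.dst_ip)
    if not any(dst in net for net in MONITORED_NETWORKS):
        return 0  # unmonitored network: nothing is known about the target
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4  # monitored network, but discovery never saw this host
    if ev.rule_vulns & host.vulns:
        return 1  # the rule's vulnerability is mapped to the target host
    port_open = (ev.proto, ev.dst_port) in host.open_ports
    proto_in_use = ev.app_proto is not None and ev.app_proto in host.protocols
    if port_open or proto_in_use:
        return 2  # service is reachable, but no matching vulnerability mapped
    return 3  # target does not expose the relevant port or protocol at all


def assess(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]) -> List[dict]:
    """Flag every event, keeping the original event order."""
    results = []
    for ev in events:
        flag = impact_flag(ev, hosts)
        results.append({"dst_ip": ev.dst_ip, "impact": flag, "action": IMPACT_ACTION[flag]})
    return results


def triage(results: List[dict]) -> List[dict]:
    """Order assessed events so the analyst works impact 1 first."""
    return sorted(results, key=lambda r: TRIAGE_RANK[r["impact"]])


# Constructed sample host profiles; VULN-* are placeholder IDs, not real CVEs.
SAMPLE_HOSTS = {
    "10.1.1.10": HostProfile({("tcp", 80), ("tcp", 22)}, {"http", "ssh"}, {"VULN-A"}),
    "10.1.1.20": HostProfile({("tcp", 443)}, {"https"}, set()),
}

# Constructed sample intrusion events, one per impact level.
SAMPLE_EVENTS = [
    IntrusionEvent("10.1.1.10", "tcp", 80, "http", {"VULN-A"}),    # impact 1
    IntrusionEvent("10.1.1.10", "tcp", 22, "ssh", {"VULN-B"}),     # impact 2
    IntrusionEvent("10.1.1.20", "tcp", 80, "http", {"VULN-A"}),    # impact 3
    IntrusionEvent("10.1.1.99", "tcp", 445, "smb", {"VULN-C"}),    # impact 4
    IntrusionEvent("203.0.113.5", "tcp", 80, "http", {"VULN-A"}),  # impact 0
]

if __name__ == "__main__":
    for r in triage(assess(SAMPLE_EVENTS, SAMPLE_HOSTS)):
        print(f"impact {r['impact']}  {r['dst_ip']:<14} {r['action']}")
```

The value of the flag comes entirely from the quality of the host profile: a host that discovery has never seen can only ever produce a 4, which is why the table treats "unknown target" as a prompt to check coverage rather than as a verdict about the attack.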
Streamline Operations
Recommend Rules to Improve Defenses

Indications of Compromise (IoCs)
IPS Events: Malware backdoors, Exploit kits, Web app attacks, CnC connections, Admin privilege escalations
Security Intelligence: Connections to suspect IP, DNS, URL
Malware Events: Malware detections, Office/PDF/Java compromises, Malware executions, Dropper infections
IOC Data in Context Explorer
Uncover Hidden Threats at the Edge
SSL decryption engine

Flow (diagram): encrypted HTTPS sessions -> SSL decryption engine -> NGIPS and AMP, AVC, and enforcement decisions (e.g., URL categories such as gambling) -> Encrypted Traffic Log

Decrypt interesting traffic
Inspect deciphered packets
Track and log all SSL sessions
Secure Remote Access for Mobile User
Secure access using FP2100
Secure SSL/IPSec AnyConnect access to corporate network
Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data
AMP / File inspection Policy to monitor roaming user data
Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting
(Diagram: Mobile user -> ISP -> Internet Edge -> FP2100 in HA -> Campus/Private Network)

Secure Connection with Branch Office
Simplified IPSec Wizard for Site to Site VPN Configuration
Advanced Application level inspection can be enabled for VPN traffic of Partner and Vendor Network
Prefilter policy to bypass Advanced inspection and improve performance
Authentication supports both Pre-Shared Key and PKI
Branch Office Deployment to secure connection with Head Office
Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting
(Diagram: Branch Office -> Edge Router -> ISP -> IPSec VPN -> FPR2100 Failover pair -> Private Network)
Platform
Firepower Threat Defense (FTD) Software

Firepower (L7): Threat-Centric NGIPS; AVC, URL Filtering for NGFW; Advanced Malware Protection
ASA (L2-L4): L2-L4 Stateful Firewall; Scalable CGNAT, ACL, routing; Application inspection
Firepower Threat Defense: Full Feature Set, Single Converged OS, Continuous Feature Migration (Firewall, URL, Visibility, Threats)
Firepower Management Center (FMC)*

* Also manages Firepower Appliances and Firepower Services (not ASA Software)
Feature Comparison: ASA with Firepower Services and Firepower Threat Defense (6.2)

Features | Firepower Threat Defense | Firepower Services for ASA
Routing | OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR via FlexConfig | OSPF, BGP, EIGRP, static, RIP, Multicast

SIMILARITIES
NAT
OnBox Management
HA (Active/Passive)
Clustering (Active/Active)
Site to Site VPN
Policy based on SGT tags
Unified ASA and Firepower rules and objects

DIFFERENCES
Hypervisor Support (AWS, VMware, KVM, Azure)
Smart Licensing Support
Multi-Context Support (* 6.X Roadmap, 2HCY17)
Remote Access VPN (* 6.2.1 Roadmap, 1HCY17)

Note: Not an exhaustive feature list
Cisco Firepower Next-Generation IPS (NGIPS)

Industry-best Intrusion Prevention
Real-time Contextual Awareness
Full Stack Visibility
Intelligent Security Automation
Unparalleled Performance and Scalability: Fail to wire capabilities, Linear scalability
Easily add Application Control, URL Filtering and Advanced Malware Protection with optional Firepower subscription licenses
Cisco Firepower NGIPS Platform
All appliances include: Integrated lights-out management, Firepower acceleration technology, LCD display

IPS Performance and Scalability (SOHO -> Branch Office -> Internet Edge -> Campus -> Data Center):
NGIPSv
Firepower 7000 Series: 50 Mbps - 250 Mbps
Firepower 7100 Series: 500 Mbps - 1 Gbps
Firepower 7120/7125/8120: 1 Gbps - 2 Gbps
Firepower 8100/8200: 2 Gbps - 10 Gbps
Firepower 8300 Series: 15 Gbps - 60 Gbps
AMP 7150: 500 Mbps, All Services Enabled
AMP 8150: 2 Gbps, All Services Enabled
AMP 8300 Series: 5 Gbps - 20 Gbps
Cisco ASA and Firepower Platforms
Positioned from SMB/SOHO through Branch, Internet Edge and Data Center to Large Enterprise and SP:
ASA 5505, ASA 5506-X, ASA 5508-X, ASA 5516-X
ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
ASA 5585-X SSP10, SSP20, SSP40, SSP60
FPR 2100 Series
FPR 4110, FPR 4120, FPR 4140, FPR 4150
FPR 9300 SM-24, FPR 9300 SM-36, FPR 9300 SM-44
Virtual: FTDv, NGIPSv
Software Support by Platform
Software columns: Firepower Threat Defense, Firepower Services on ASA, Firepower NGIPS, ASA Firewall

Platforms:
Old (Series 2) Firepower Appliances
Firepower 7000 Series
Firepower 8000 Series
ASA Low-end (5506/08/16) (reimage)
ASA Mid-Range (5512/15/25/45/55) (reimage)
ASA High-end (5585 SSP-10/20/40/60)
Firepower 4100, 9300 (SSP 3RU - SM-24/36)
VMware
AWS
ASA to FTD Migration Information
FTD 6.1 Migration Information: https://cisco.app.box.com/v/CiscoSecurityTools with a password of BDA123$%
Available to Cisco Advanced Services, Sales Engineers, and Partners only.

Migrate policy settings from Firepower Services for ASA to a Firepower Threat Defense
Migrate an ASA configuration to a new Firepower Threat Defense device, or to the original ASA device after refreshing it as a Firepower Threat Defense device.
ASA: http://www.cisco.com/go/asa
FTD: http://www.cisco.com/go/ngfw
ASA to FTD Migration Tool: https://salesconnect.cisco.com/open.html?c=664b6ae1-373f-459e-8e08-abb4c215bc01
Link to the video walk through (FTD best practices Techtorial 2 of 2 - SEVT - Security): https://communities.cisco.com/docs/DOC-69629
Management
Simplify management with an easy, unified approach

Firepower Device Manager: Enables easy on-box management of common security and policy tasks
Firepower Management Center: Enables comprehensive security administration and automation of multiple appliances
Cisco Defense Orchestrator (CDO): Enables centralized cloud-based policy management of multiple deployments

ASA Software Management
Cisco Security Manager (CSM): Comprehensive policy management for firewall, VPN, and IPS on heterogeneous devices (Cisco ASA, IPS, ISR, and ASR)
Cisco Adaptive Security Device Manager (ASDM): GUI tool used to manage the Cisco ASA security appliances
On-box Vs. Off-box Comparison at 6.2
Firepower Management Center (Off-box) vs. Firepower Device Manager (On-box)

NAT & Routing
Access Control
Intrusion & Malware
Device & Events Monitoring
Site to Site VPN
Security Intelligence (On-box: In Roadmap)
Other Policies: SSL, Identity, Rate Limiting (QoS) etc. (On-box: In Roadmap)
Active/Passive Authentications (On-box: In Roadmap)
Threat Intelligence & Analytics (On-box: NCP)
Risk Reports (On-box: NCP)
Correlation & Remediation (On-box: NCP)
Easy Device Setup

Legend: Detailed; Optimized for SMBs; Not Present; NCP = No Current Plan
Available only for Firepower Threat Defense Software (FTD)
Cisco Defense Orchestrator
Cisco's vision for managing a wide range of security solutions

Simple
Manage next-gen protection through a single interface
Orchestrate security policy management from one place
Build security policy templates that help to apply consistent security policy across all branches

Efficient
Enable security experts to craft policy templates to be deployed by any member of your team
Use simple search-based management to quickly see how policies are enforced across devices
Leverage automatic layer 7 protection

Effective
Design and deploy policy uniformly
Uncover and remediate unplanned changes
Extend protection to the application layer

Cisco Defense Orchestrator Tech Talk, recorded on 1/11/17: https://communities.cisco.com/docs/DOC-30977
CDO Security Platforms Supported Today!

All ASA Platforms: 5506-5555, 4100/9300, AWS/Azure (ASA image only on 5585*; ASA image only on 4100-9300 appliances*; requires 8.4 code or greater)
ASA with Firepower Services Firewalls: AMP-URL-IPS onbox supported
Umbrella
FTD on the Roadmap; Lots More To Come In 2017!

Note: Cannot be used concurrently with FMC
FMC Appliance
Legacy Appliances

DC750: 4-Core Xeon; 2G RAM; 8 GB; 2 x 1 Gbps NIC; 2000 events per second event rate
FS2000: 6-Core Xeon; 64G RAM; 64 GB; 2 x 1 Gbps, 2 x 10 Gbps (optional SFPs available in Cisco Commerce) NIC; 12,000 events per second event rate
FS4000: 2x10-Core Xeon; 128G RAM; 128GB; 2 x 1 Gbps, 2 x 10 Gbps (optional SFPs available in Cisco Commerce) NIC; 20,000 events per second event rate

FMC Appliance Refresh
New FMC Platforms

FMC1000 (refreshes DC750): Intel E5-2620E CPU; 32G RAM; 2 x 900G 10k RPM HDs (RAID 1); built-in dual-port 1G NIC; 2000 events per second event rate
FMC2500 (refreshes FS2000): 2 Intel E5-2620E CPUs; 64G RAM; 4 x 600G 10k RPM SAS drives (RAID 5); dual-port 10G NIC (in addition to built-in dual 1G NIC); 12,000 events per second event rate
FMC4500 (refreshes FS4000): 2 Intel E5-2640E CPUs; 128G RAM; 6 x 800G SAS SSDs (RAID 6); dual-port 10G NIC (in addition to built-in dual 1G NIC); 20,000 events per second event rate
Sizing
NGFW Performance and Size
Why does it matter?

Impact on a Sale
Properly sizing a NGFW impacts customer satisfaction
Firewall sizing is based on performance estimates, and sizing and features determine NGFW solution cost
Product specification sheets do not typically include performance estimates that are based on real-world traffic characteristics
As with all performance discussions, YOUR MILEAGE MAY VARY!!
NGFW Performance and Size
Features Enabled

A primary factor affecting performance is the number and type of features that are enabled on the NGFW
Not every feature has the same level of impact on performance
Understand which features will be enabled, and also evaluate the impact of each feature on performance
NGFW Performance and Size
NGFW location in a network also affects performance

NGFW location plays a role in determining:
Average packet size the NGFW will process
Amount of inspections to be enabled
Traffic rate, in terms of Packets Per Second (PPS) or Connections Per Second (CPS)
Size of various rule tables, like IPS rule tables, ACL rule tables, routing tables etc.
Factors that affect NGFW performance
Data to collect before starting a sizing estimation

The data to collect to most accurately estimate performance are:
Type of traffic the NGFW will process (mostly DNS or mostly HTTP etc.)
Average packet size the NGFW will see
Average CPS and PPS numbers
The features the customer will enable
Average number of rules and routes the customer expects
Expected degree of malicious traffic
Amount of analysis and logging
Factors that affect NGFW performance
Understanding the data sheets

Performance numbers are published under 3 main categories:
Throughput
Maximum concurrent sessions, with AVC
Maximum new connections per second, with AVC

Effect of Features on Performance
Relationships and recommended use of the 3 throughput measurements

Cisco NGFW Performance Metrics as of September 2016
Publicly published in Data Sheets: 1024 Bytes

450 Byte HTTP Throughput: AVC and IPS

Impact of enabling URL Filtering
Impact of Enabling Cisco AMP for Networks

What we do not publish in our data sheets is the performance with Cisco Advanced Malware Protection (AMP) for Networks enabled.

The reason we do not publish this number is that this feature is specific to Cisco NGFW and we want to avoid competitors misusing the performance number with AMP.
Firepower 2100 Series Performance

Metric | FPR 2110 | FPR 2120 | FPR 2130 | FPR 2140
Throughput FW + AVC | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Throughput FW + AVC + NGIPS | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Maximum concurrent sessions, with AVC | 1M | 1.2M | 2M | 3.5M
Maximum new connections per second, with AVC | 12000 | 16000 | 24000 | 40000

Note: Early Performance Numbers
How to measure?
Datasheets generally have some indication of performance. In most cases this includes the infamous throughput measurement.
The firewall industry almost always publishes a max throughput number, usually based on a traffic type that is never helpful in determining sizing of the product.
The IPS industry has generally been more conservative about throughput estimates on their datasheets, partly because their performance range is much more variable than firewalls, and partly because of industry choice.
Open a case with partner help and ask them to utilize the performance estimator: www.cisco.com/go/ph

https://communities.cisco.com/docs/DOC-69840
https://communities.cisco.com/docs/DOC-70837
Licensing
Cisco Firepower Management Center
Management Center 750, 2000, and 4000 physical appliances or the Management Center virtual appliance
See the Network Security Ordering Guide page on the Security Partner Community for information on ordering FMCv: https://communities.cisco.com/docs/DOC-70838
Management Center hardware is selected based on the firewall configuration deployed and the number of appliances and events to be monitored
SMARTnet is ordered separately
Firepower Management Center Virtual (FMCv) licensing
Clarification
When ordering FMCv for 5.4 and prior, you purchase one of the following SKUs, noting that the 2 and 10 device SKUs are only for ASA 5500 platforms.
FS-VMW-SW-K9 - Cisco Firepower Management Center, (VMWare) for 25 devices
FS-VMW-2-SW-K9 - Cisco Firepower Management Center,(VMWare) for 2 devices
FS-VMW-10-SW-K9 - Cisco Firepower Management Center,(VMWare) for 10 devices

When ordering FMC for 6.0 or later, the guide states that a FireSIGHT license is no longer required. This does NOT mean that you do not need to purchase the FMCv. You still need to purchase one of the following SKUs, which are Smart License enabled. These do not come up in a CCW search, but can be added to your order by entering the correct SKU. The 2 and 10 device SKUs can currently be used to manage any FTD device. This is inclusive of FTDv, 4100, and 9300, unlike the classic 2 and 10 SKUs for Firepower Services, which only support ASA based systems.
SF-FMC-VMW-K9 - Cisco Firepower Management Center, (VMWare) for 25 devices
SF-FMC-VMW-2-K9 - Cisco Firepower Management Center,(VMWare) for 2 devices
SF-FMC-VMW-10-K9 - Cisco Firepower Management Center,(VMWare) for 10 devices
SF-FMC-KVM-K9 - Cisco Firepower Management Center, (KVM) for 25 devices
SF-FMC-KVM-2-K9 - Cisco Firepower Management Center,(KVM) for 2 devices
SF-FMC-KVM-10-K9 - Cisco Firepower Management Center,(KVM) for 10 devices

Network Security Ordering Guide Page: https://communities.cisco.com/docs/DOC-70838
Firepower Threat Defense Licensing
Structure

Base (NGFW): Networking, Firewall and AVC (perpetual)
Threat: IPS / SI / DNS (term-based)
Malware: AMP / TG (term-based)
URL Filtering (term-based)

Perpetual base License comes with appliance
Term-based licenses for advanced protection (Threat, Malware, and URL Filtering)
One (1), three (3) and five (5) year licensing terms available
SMARTnet is ordered separately
Traditional ASA licenses not needed
Licenses required for both elements of HA pair
(Diagram legend: Blue = Term-based, Green = Perpetual)
ASA Firepower Services Packaging

Subscription Package | Component License Name and Features Enabled | License Type | Fulfillment
ASA Firepower Services (Included) | Protect License: Enables Firepower Services (IPS and AVC Core Functionality) | Perpetual | PAK claim certificate ships with Appliance/Upgrade License
ASA Firepower Services (Included) | Control License | Perpetual | PAK claim certificate ships with Appliance/Upgrade License
IPS (Sold) | IPS Subscription | Service Contract | No License!
URL Filtering (Sold) | URL Filtering Subscription | Term License | PAK claim certificate ships with URL Subscriptions
Malware Protection (Sold) | AMP Subscription | Term License | PAK claim certificate ships with AMP Subscriptions

At least one of the five subscription licenses must be installed for any of the Firepower Services to work
Smart Licensing: Key Benefits
Helps customers understand how Cisco Software is used across their network

Classic | Smart
Limited View: Customers do not know what they own. | Complete View: Software, services, devices in one easy to use portal.
Manual Registration: Manually register each device with PAK. Unlock with license key. | Automated Registration: No PAKs. Easy activation. Product is ready to use.
Device Specific: Licenses specific to only one device. | Company Specific: Flexible licensing, use across products.

Voice of the Engineer: https://communities.cisco.com/docs/DOC-30718
Migrating Licenses: ASA w/FP to Firepower Threat Defense
Migrate ASA with Firepower Services to Firepower Threat Defense licenses at the License Registration Portal
Customer needs a Smart Account
Ordering: https://communities.cisco.com/docs/DOC-70838