21-Mar-2022

Understanding Cisco Firewall Management Options! FXOS, FTD, CDO, Firepower, FDM, RESTful API, ASA

Hi guys, this video is on understanding Cisco firewalls and their management options. In this video we'll go over the Cisco firewall security devices and the different management options for Cisco firewalls. So we will have a look at the security software devices, that's the Cisco Adaptive Security Appliance (ASA) and the ASA with FirePOWER Services. Then we will have a look at Cisco Firepower Threat Defense (FTD), that's Cisco's next-generation firewall. We'll then move on to the hardware chassis, which is the Cisco Firepower eXtensible Operating System (FXOS) chassis.

And then we will have a look at the actual management platforms and options, which are the four right at the bottom. So that's Cisco Firepower Device Manager (FDM), Cisco Firepower Management Center (FMC) and Cisco Defense Orchestrator (CDO).

And finally, we will have a look at the Cisco RESTful API as a management option. So as you can see there are quite a few elements to cover off, with the security software devices, the hardware chassis and the management platforms and options, and we will have a look at all of them now. So first let's go over the Cisco ASA and the ASA with FirePOWER Services before moving on to Firepower Threat Defense and the rest. So the ASA was always Cisco's original firewall and VPN security device.

However, when Cisco purchased a company called Sourcefire, who specialized in next-generation IPS technology, Cisco combined the two and called it the ASA with FirePOWER Services. This meant having the best-of-breed traditional stateful firewall and the best-of-breed IPS technology. ASA with FirePOWER Services is basically a Cisco FirePOWER SFR module that runs on a Cisco ASA

firewall appliance, so it is a combination of an ASA and Firepower, containing all the features of both products. However, there were two major issues with the ASA with FirePOWER Services. First, there were two management consoles: one to manage the ASA using ASDM and another to manage the Firepower module. The other issue is that packets had to be copied from the ASA to the Firepower module; you have to actually redirect traffic to the FirePOWER SFR module if, for example, you wanted to scan traffic for IPS.

There were also two separate software images and two operating systems on the same hardware. So these were the challenges with the ASA with FirePOWER Services. Due to the issues just mentioned, Cisco created a new firewall called Firepower Threat Defense, which was a combination of the ASA and Sourcefire's Firepower software. Rather than using the ASA software, it uses the Firepower software, so all the Firepower features were instantly available. FTD started as a version of Firepower with certain ASA features phased in, and Cisco has continued to phase in ASA features over the last few years with FTD.

It solved the issue of having two separate management consoles, one for Firepower and another for the ASA, and also the issue of having to copy packets from the ASA firewall to the Firepower module. And finally, FTD looks and feels like a modern GUI, whereas ASDM, although it was a solid application and still is, is starting to look dated. Moving on, FXOS is the chassis manager that sits on top of the Firepower appliances. FXOS is abstracted from the security applications, the ASA and FTD applications, which are installed using the FXOS chassis manager.

So with FXOS, you should look at it like a BIOS: where you configure the BIOS and then install the Windows operating system on top of the BIOS, on the firewall you would install the ASA or FTD application using the FXOS chassis manager. So first, with FXOS you have to initially configure the appliance from within the chassis manager.

Typically, the chassis manager is used for setting up the interfaces and installing and managing the security software, ASA or FTD, depending on which one you are going to use. You typically create any port channels from here, then move on to deploying and configuring the logical device. The logical device is the ASA or the FTD. Then once that's done, assign interfaces to the logical device.

One of the interfaces will be the management interface, so you will unfortunately lose an interface from the chassis manager to manage the device itself. But that one interface can be shared across the security module instances. FXOS comes with a comprehensive CLI as well, so anything within the chassis manager can be done in the CLI, but most customers use the chassis manager for ease of use. Next we will have a look at Firepower Device Manager.

So Firepower Device Manager is a local on-box option on the Firepower Threat Defense appliance. This is a management GUI directly on the appliance itself; users get a web interface providing the ability to configure firewall features such as firewall and NAT rules, application control, intrusion prevention, VPN, monitoring and all the other stuff.

And in terms of a use case, FDM is a good option for setting up low-end firewalls for customers with less complex scenarios. Firepower Management Center, through Cisco's acquisition of Sourcefire, has had quite a few name changes. So it used to be called Defense Center, then they changed it to FireSIGHT, and now eventually it's been called Firepower Management Center, or FMC. So FMC can manage all Firepower devices and ASA appliances, and it can collect logs from all the devices. Devices can be put into management domains for multi-tenancy, if you wanted to separate the management of devices for different administrators, and domains can also have subdomains.

And within a domain, users can have certain roles to manage the devices in that domain, and you can also create customized roles. So the use case for the FMC: it is for customers who need an on-site, comprehensive security management service for multiple appliances. Customers with multiple ASA firewalls and Cisco Firepower appliances can use the FMC to manage all their firewalls from one graphical user interface. Next we will have a look at Cisco Defense Orchestrator, which is a cloud service for the management of multiple firewalls across geographical locations that require central policy management through the cloud. It simplifies firewall management and can manage both ASA and FTD, including Meraki appliances as well, and it also integrates with Amazon Web Services.

You can do the usual firewall things with CDO, such as maintaining security policies, and you can also upgrade and maintain the appliances from CDO as well. You can also undertake bulk firewall upgrades.

It also has an image repository, which can be automated to download the latest images, so you don't need to do it manually. You can apply firewall policies to multiple firewalls at a time.

You can create base templates to help you with quickly onboarding new firewall devices. Furthermore, you can consolidate firewall objects, ensuring there are no duplicates, and you can use CDO to resolve issues with objects, such as unused and inconsistent objects. You can use hit counts and shadowed rules to clean up and optimize the configuration. You can also manage a single object across all managed devices, which is a very useful feature.
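The object and rule clean-up that CDO does for you (duplicates, unused and inconsistent objects, shadowed rules) is easy to reason about once you see the checks spelled out. The following is an added example, not CDO's code or anything from the video: it runs the checks over a small constructed inventory of two firewalls, where each device has named network objects and an ordered rule list that references those objects by name. The device names, object names and prefixes are all made up for the example.

```python
"""Object and rule clean-up checks of the kind CDO offers (added example;
not CDO's code or the video's). INVENTORY is constructed for this example."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: two devices, objects as name -> CIDR, ordered rules.
INVENTORY = {
    "fw-london": {
        "objects": {
            "corp-lan": "10.10.0.0/16",
            "hq-lan": "10.10.0.0/16",           # same prefix as corp-lan: duplicate
            "dmz-web": "192.0.2.0/24",
            "legacy-host": "198.51.100.7/32",   # referenced by no rule: unused
            "any": "0.0.0.0/0",
        },
        "rules": [
            {"name": "allow-lan-to-dmz", "src": "corp-lan", "dst": "dmz-web", "action": "allow"},
            {"name": "allow-hq-to-dmz", "src": "hq-lan", "dst": "dmz-web", "action": "allow"},
            {"name": "deny-all", "src": "any", "dst": "any", "action": "deny"},
        ],
    },
    "fw-sydney": {
        "objects": {
            "corp-lan": "10.20.0.0/16",         # same name as on fw-london, different value
            "dmz-web": "192.0.2.0/24",
            "any": "0.0.0.0/0",
        },
        "rules": [
            {"name": "allow-lan-to-dmz", "src": "corp-lan", "dst": "dmz-web", "action": "allow"},
            {"name": "deny-all", "src": "any", "dst": "any", "action": "deny"},
        ],
    },
}


def duplicate_objects(objects: Dict[str, str]) -> List[List[str]]:
    """Groups of object names on one device that carry the same prefix."""
    by_value = defaultdict(list)
    for name, value in objects.items():
        by_value[str(ipaddress.ip_network(value))].append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


def unused_objects(objects: Dict[str, str], rules: List[dict]) -> List[str]:
    """Objects that no rule references as source or destination."""
    used = {r["src"] for r in rules} | {r["dst"] for r in rules}
    return sorted(set(objects) - used)


def inconsistent_objects(inventory: dict) -> Dict[str, Dict[str, str]]:
    """Object names defined on more than one device with differing values."""
    values = defaultdict(dict)
    for device, data in inventory.items():
        for name, value in data["objects"].items():
            values[name][device] = value
    return {name: devs for name, devs in values.items() if len(set(devs.values())) > 1}


def shadowed_rules(objects: Dict[str, str], rules: List[dict]) -> List[Tuple[str, str]]:
    """(shadowed_rule, earlier_rule) pairs: an earlier rule's source and destination
    fully cover the later rule's, so the later rule can never match."""
    def nets(rule):
        return (ipaddress.ip_network(objects[rule["src"]]),
                ipaddress.ip_network(objects[rule["dst"]]))
    found = []
    for i, later in enumerate(rules):
        later_src, later_dst = nets(later)
        for earlier in rules[:i]:
            earlier_src, earlier_dst = nets(earlier)
            if later_src.subnet_of(earlier_src) and later_dst.subnet_of(earlier_dst):
                found.append((later["name"], earlier["name"]))
                break
    return found


def audit(inventory: dict = INVENTORY) -> dict:
    """Run every check and return one report for the whole inventory."""
    report = {"inconsistent": inconsistent_objects(inventory), "devices": {}}
    for device, data in inventory.items():
        report["devices"][device] = {
            "duplicates": duplicate_objects(data["objects"]),
            "unused": unused_objects(data["objects"], data["rules"]),
            "shadowed": shadowed_rules(data["objects"], data["rules"]),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

On the constructed inventory the report flags `hq-lan` as a duplicate of `corp-lan`, `legacy-host` as unused, `allow-hq-to-dmz` as shadowed by `allow-lan-to-dmz`, and `corp-lan` as inconsistent between the two devices, which is exactly the kind of list you would work through before consolidating objects centrally.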

There is also site-to-site and remote access VPN support on CDO as well. Finally, CDO also integrates with Amazon Web Services, so CDO can integrate with AWS and manage the AWS security groups. What you can do is view the AWS VPC ID, region, security groups, and the rules and objects assigned to those security groups.

You can create new rules in a security group, read them, edit them and delete rules in a security group. Finally, moving on to the RESTful API as the final management option. So as configurations are getting huge and complex, we need to find a way for tasks to become more streamlined and to be able to get our changes and deployments out there quicker. For example, updating 30 or 40 firewall rules by hand can be error-prone, and that risk can be taken away by automating the changes using automation tools.

So for this very purpose, we can use a RESTful API client, which allows you to programmatically make changes or retrieve data from devices. API tools allow you to automate many of the firewall tasks. They let you build scripts, change them and reuse them as required, and they simplify a lot of the complex tasks. And there are lots of API clients out there.

You can use Python to script changes or use a RESTful API client. Postman is a very popular example; it's a Google Chrome app for interacting with HTTP APIs, and it allows you to quickly put together both simple and complex HTTP requests. However, instead of using Postman or any third-party API client, we can use the FMC API Explorer, which is Cisco's own built-in RESTful API client, and Cisco's API Explorer has a great feature to help you learn Python.

So whatever you set up the API to do, you can see the output as a Python script, and that script is a real script that you can use; you can change it and reuse it against the firewall to help automate these changes. And finally, just to give you an example of what you would do with the Cisco API Explorer: it gives you the ability to automate the calls to create firewall objects and firewall rules, but you can also do a lot more with it.

And finally, guys, just to summarize the video and go over the options again: you'd use the FXOS chassis manager at the chassis level to configure the physical Firepower appliances. In regard to managing the security software, you can use the on-box FDM management GUI to undertake changes directly on the device itself, or you can use the on-site FMC appliance to manage multiple firewalls. You can also use Cisco CDO as a cloud-based management option for managing ASA and FTD firewalls, and finally you have the option to use APIs to automate tasks, which is becoming a very popular tool. Hope you found this video useful, and thanks for watching.
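To make the RESTful API option concrete, here is an added Python example of the workflow the video describes for the FMC API: request a token, then use it to create a network object. This is not code from the video, from the API Explorer, or from Cisco. It uses the public FMC REST API paths for token generation and network objects; the FMC hostname, the credentials, the token value and the domain UUID are constructed placeholders, and `FakeFmc` stands in for a real FMC so the script runs offline. Against a real FMC you would hand the client a `requests.Session` (which has the same `post` signature) instead of `FakeFmc`.

```python
"""FMC REST API workflow: authenticate, then create a network object.

Added example (not Cisco's code or the video's). Endpoint paths are the public
FMC REST API ones; every value below (hostname, credentials, token, domain UUID)
is a constructed placeholder, and FakeFmc replaces a real FMC for offline use."""
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
NETWORKS_PATH = "/api/fmc_config/v1/domain/{domain}/object/networks"


@dataclass
class Response:
    """Minimal HTTP response shape (what requests.Response would give us)."""
    status_code: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def json(self) -> dict:
        return json.loads(self.body)


class FmcClient:
    """Thin client: one token request, then token-authenticated JSON calls."""

    def __init__(self, base_url: str, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport  # anything with .post(url, headers=, data=, auth=)
        self.token: Optional[str] = None
        self.domain_uuid: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        # The token is requested with HTTP Basic credentials and an empty body;
        # FMC returns the token and the domain UUID in response headers.
        resp = self.transport.post(self.base_url + TOKEN_PATH, headers={}, data="",
                                   auth=(username, password))
        if resp.status_code not in (200, 204):
            raise RuntimeError(f"token request failed: HTTP {resp.status_code}")
        self.token = resp.headers["X-auth-access-token"]
        self.domain_uuid = resp.headers["DOMAIN_UUID"]
        return self.token

    def _auth_headers(self) -> Dict[str, str]:
        if not self.token:
            raise RuntimeError("call login() before making config calls")
        return {"Content-Type": "application/json", "X-auth-access-token": self.token}

    def create_network_object(self, name: str, cidr: str, description: str = "") -> dict:
        headers = self._auth_headers()
        # Validate the prefix locally so a typo is rejected before it reaches the FMC.
        net = ipaddress.ip_network(cidr, strict=True)
        body = {"name": name, "type": "Network", "value": str(net), "description": description}
        url = self.base_url + NETWORKS_PATH.format(domain=self.domain_uuid)
        resp = self.transport.post(url, headers=headers, data=json.dumps(body), auth=None)
        if resp.status_code != 201:
            raise RuntimeError(f"object creation failed: HTTP {resp.status_code} {resp.body}")
        return resp.json()


class FakeFmc:
    """Offline stand-in for an FMC (constructed for this example). It enforces the
    two things that matter here: Basic credentials on the token endpoint and a
    valid X-auth-access-token on every config call."""

    def __init__(self, username: str, password: str):
        self.creds = (username, password)
        self.token = "constructed-token-0001"
        self.domain = "00000000-0000-0000-0000-000000000001"  # placeholder domain UUID
        self.objects: Dict[str, dict] = {}

    def post(self, url: str, headers: Dict[str, str], data: str, auth) -> Response:
        if url.endswith(TOKEN_PATH):
            if auth != self.creds:
                return Response(401, body='{"error": "bad credentials"}')
            return Response(204, headers={"X-auth-access-token": self.token,
                                          "DOMAIN_UUID": self.domain})
        if url.endswith("/object/networks") and f"/domain/{self.domain}/" in url:
            if headers.get("X-auth-access-token") != self.token:
                return Response(401, body='{"error": "missing or invalid token"}')
            obj = json.loads(data)
            if obj["name"] in self.objects:
                return Response(400, body='{"error": "duplicate object name"}')
            record = dict(obj, id=f"obj-{len(self.objects) + 1:04d}")
            self.objects[obj["name"]] = record
            return Response(201, body=json.dumps(record))
        return Response(404, body='{"error": "unknown path"}')


def demo() -> dict:
    """End-to-end run against the fake FMC; returns the created object record."""
    fmc = FakeFmc("apiuser", "constructed-password")
    client = FmcClient("https://fmc.example.invalid", fmc)
    client.login("apiuser", "constructed-password")
    return client.create_network_object("corp-lan", "10.10.0.0/16", "added by script")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take from the flow is that the credentials are only ever sent once, to the token endpoint; everything after that carries the short-lived token in the `X-auth-access-token` header, and the domain UUID returned with the token is what scopes every later object and policy call. Creating 30 or 40 rules is then a loop over the same pattern rather than 30 or 40 hand edits.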