Thank you for watching the Cisco Secure Firewall Webinar presented by Cisco Experts. Below you will find any questions that were not answered during the Q&A portion of the webinar. If you are interested in additional resources, please check out the Internet Edge Protection Guided Resources page as well as the Data Center Firewall Operations Guided Resources page.
Q & A Follow-Up
Q: Will the 2100 FTD series support 7.4.x? Is 7.4.x still a beta release (not production ready)?
A: 2100 does support 7.4.x. You can see full supported software here.
Q: When will 7.6 be production ready?
A: 7.6 is scheduled for September 2024. Exact release date is still TBD.
Q: Can we bulk select unused network objects and delete with a single click? Can we filter the view of network objects?
A: Network Objects can be searched/filtered. Deleting them is an individual click.
Q: Are the new NGFW platforms FIPS certified?
A: Certification is in progress and is expected in September for the new 1200 series. The 3100 and 4200 series are FIPS certified.
Q: Does Cisco have a Gov approved Cloud Management offering?
A: The current recommendation is to deploy virtual FMC in government approved cloud providers. Version 7.4x is FIPS 140-3 approved. CDO / Security Cloud Control meet FedRAMP security requirements, but FedRAMP approval is still in process. More information can be found here.
Q: With an idea of FTD as a single SD-WAN solution for branch deployment does it mean FTD is going to have capability of SD-WAN EDGE?
A: Our full SSE solution is Secure Access. Currently, FTD has ZTNA, SD-WAN, and extensive routing capabilities including multi-VRF, BFD, and dynamic/static VTI, alongside its NGFW capabilities.
Q: How soon would FMCv in Azure have capability to run more than up to 25 devices (FTDs) such as up to 300?
A: Version 7.4.2 and above support FMCv300 in Azure, which can manage up to 300 devices.
Q: I was told ASA code was going away 5 years ago. Will Cisco continue to roadmap ASA software along w/ FTD code in their NGFWs?
A: ASA software continues to be supported, including in our upcoming September release. However, we do recommend that customers migrate to FTD for the expanded security functionality including IPS, malware sandbox integration, and other features. Documentation on the migration process is available here, and a migration tool is also provided.
Q: Will this replace the current Meraki MX cloud management?
A: No
Q: Any work being done to reduce deployment times?
A: Yes, there are continuous optimizations being done by our Engineering team to reduce deployment times, as one can see from the past Rel 6.4.x to now in Rel 7.2.x+.
Q: How about vManage (SDWAN) and Cisco Secure Cloud?
A: Additional synchronization of Catalyst SD-WAN and Secure Firewall SD-WAN is planned, but at present the two are separately managed.
Q: Question about the 2100 FTD series, which is already lacking some features: will it support full 7.4 and 7.6 features, or will EoS be announced?
A: While the 2100 series continues to be supported, it is 7.5 years since release and has some limitations with mem/compute compared to high end hardware platform models. A migration tool has been provided to move from 2100 to 3100. Information on platform migration and platform restrictions for different models is covered in this document.
Q: We are running 2100 series FWs and 3K series firewalls. The 3K series hardware is awesome. The migration tool looks interesting in version 7.4. Is that the best way to migrate 2100s to 3100s and is there a "how-to guide" in order to successfully use the tool?
A: Steps for migrating to the 3100 series are covered in the section Migrate the Configuration to a New Model in this document.
Q: Which version of 7.4 is production ready, or is it still not recommended, looking at how many issues 7.2.x introduced?
A: 7.4.2 is the version you should use if you are moving to 7.4.x; however, the recommended release for Firepower is currently 7.2.8.
Q: When will 7.4 become the recommended release?
A: We don't have a date for that at present. There will be an announcement when the recommended release is changed. Worth noting that 7.6 is close, so 7.4 will move to recommended in future.
Q: Is 7.4.2 already production ready?
A: It is, and has been deployed by a segment of our customer base.
Q: Is there a trade-up deal from 1120 to 1200?
A: The 1200 is priced very competitively relative to its performance so promotions are unlikely, but please talk to your account team.
Q: Do you have a plan in place for FTD HA, to schedule a switchover for a specific time slot during an upgrade?
A: I’m not aware of a roadmap for a scheduled failover.
Q: What would really be helpful is a cloud/web simulation environment to work out configuration changes so you're not using the production firewall.
A: Hypershield has a dual dataplane that can be used to test deployment changes on a copy of production traffic.
Q: What software version does the Encrypted Visibility engine come with?
A: EVE is available in both 7.2 and 7.4. Additional improvements are in 7.6.
Q: When will SD-WAN FW be available?
A: SD-WAN application monitoring is available in REL 7.4.1 with more adv. functionality coming in REL 7.6. Refer here.
Q: I was told ASA code was going away 5 years ago. Will Cisco continue to roadmap ASA software along w/ FTD code in their NGFWs?
A: ASA software continues to be supported on new hardware models. A chart of support can be found here.
Q: Is there any guide for migrating FlexConfig EIGRP to FMC config EIGRP without downtime?
A: This document should assist you with this migration.
Q: Will local management be supported when the device is FMC managed?
A: Management is currently an either/or between local or FMC. There are no announcements for changes in FMC managed devices as of yet, but this could change in the future.
Q: Any specifics of why one would run ASA OS vs FTD OS on these? Pros/Cons ?
A: For most customers it’s a matter of compatibility with their current environment. In general FTD OS should be viewed as the successor to ASA OS. FTD OS has many more security features including IPS, malware sandboxing, application detection, and other features, and is recommended. ASA continues to be used for existing customers who have not migrated.
Q: In what version will the Encrypted Visibility engine be available?
A: It's available on both 7.2 and 7.4. Additional EVE improvements are coming in 7.6.
Q: We are on 7.4 already, how is EVE enabled?
A: Steps below:
1. Under the Advanced Settings of the Access Control Policy, click the pencil icon next to Encrypted Visibility Engine.
2. Enable the toggle for Block Traffic Based on EVE Score.
Refer to this document for configuration details.
Q: Is SDWAN FW supported on all FTD models? Or just a subset?
A: The following document lists SD-WAN features, minimum required versions, and excluded hardware for specific features. No FTD models are excluded from the SD-WAN features listed in the doc, but the FTD models must be compatible with version 7.2 or 7.4, depending on the feature.