Narayan Dev Sarma
A customer of ours had been running Cisco ASA firewalls (in an HA pair) for more than 10 years, mainly handling their corporate segment traffic. Over time these boxes reached end of life and end of support, which made the customer go for next generation firewalls as the replacement option. As the replacement they procured Cisco Firepower Threat Defense boxes.

As we started planning the migration we found a few challenges, listed below:

  • Routing: from static and EIGRP to BGP.
  • GRE/IPsec traffic that would traverse the FTD.
  • Time based ACL – not resolved, as the current version 6.4.0.9 running on these boxes doesn't support this feature. Waiting for a stable version of 6.6 or above.
  • S2S VPN, etc.


We used the Firepower Migration Tool to migrate the configuration from ASA to FTD. It is quite helpful in building up the migration process, since all the unsupported configurations are listed in the pre- and post-migration reports.


We faced a failure during the initial migration window and had to reschedule the migration. GRE/IPsec traffic turned out to be the main culprit for the tunnels failing to pair. We took support from Cisco TAC, whose engineers were quite supportive, and we did our homework too by reproducing the issue in our office lab. GRE/IPsec traffic is subject to inspection by Snort in FTD, and the verdict for this type of traffic was drop.


In our rescheduled migration window we knew exactly what needed to be done, but we still faced the same issue with the GRE/IPsec traffic getting dropped by Snort. Eventually, after 30 minutes, we were able to fix it by fine tuning the pre-filter policy and allowing GRE and ESP with the action fastpath; “clear conn” was a great help to bounce the tunnels so the traffic would pick up the correct rules.
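As an added illustration (not from the original post and not Cisco's code), here is a small Python model of the pre-filter decision described above: rules match on source, destination and IP protocol number, the first match wins, fastpath skips Snort, and anything else is handed to Snort for analysis. The tunnel endpoint addresses are constructed documentation ranges, and scoping the fastpath rule to the known endpoints keeps Snort in the path for every other flow.

```python
import ipaddress
import struct
from dataclasses import dataclass

GRE, ESP, TCP = 47, 50, 6  # IP protocol numbers


@dataclass(frozen=True)
class PrefilterRule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocols: frozenset          # IP protocol numbers the rule matches
    action: str                   # "fastpath" (bypass Snort) or "block"


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol) from the fixed 20-byte IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]),
            pkt[9])


def prefilter_verdict(pkt: bytes, rules):
    """First matching rule wins; with no match the flow goes to Snort ("analyze")."""
    src, dst, proto = parse_ipv4(pkt)
    for rule in rules:
        if src in rule.src and dst in rule.dst and proto in rule.protocols:
            return rule.name, rule.action
    return "default", "analyze"


def build_ipv4(src: str, dst: str, proto: int) -> bytes:
    """Constructed IPv4 header (no options, zero checksum) for testing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed tunnel endpoints: hub 203.0.113.10, branches in 198.51.100.0/24.
HUB = ipaddress.IPv4Network("203.0.113.10/32")
BRANCHES = ipaddress.IPv4Network("198.51.100.0/24")
RULES = [
    PrefilterRule("tunnel-fastpath-in", BRANCHES, HUB, frozenset({GRE, ESP}), "fastpath"),
    PrefilterRule("tunnel-fastpath-out", HUB, BRANCHES, frozenset({GRE, ESP}), "fastpath"),
]

if __name__ == "__main__":
    for proto in (GRE, ESP, TCP):
        print(proto, prefilter_verdict(build_ipv4("198.51.100.7", "203.0.113.10", proto), RULES))
    # GRE from an address outside the tunnel scope still reaches Snort:
    print(prefilter_verdict(build_ipv4("192.0.2.5", "203.0.113.10", GRE), RULES))
```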

The allocated migration window was 4 hours, but we managed to finish the activity within 3 hours. After that came the big challenge of all the application owners checking their applications, and we kept our fingers crossed as we didn't want a rollback. Almost all applications worked fine, but a few issues were reported: remote branch VoIP calls weren't going through, and the swift application also reported an issue. All these issues were related to routing and were taken care of. Some other issues were reported relating to RA VPN (AnyConnect) with ISE posturing and Windows login slowness; these were related to NAT and access rules on the FTD and were also taken care of. We worked constantly for almost 26 long hours to give the client a better experience on their next business day.

Now, with the migration successful and the boxes handed over to their operations team, we provided a KT session where we pointed a few things out.

  • This NGFW comes loaded with advanced features like Security Intelligence, URL blacklists and whitelists, DNS blacklists and whitelists, an intrusion prevention system and more.
  • These features are connected to Talos and the Snort cloud to provide proactive resolution of network security threats.
  • So they need to understand its power and capability and use it in a proper and efficient way.

“With great power comes great responsibility.”

6 Comments

Very well explained and will surely be of great help where ASAs are being migrated to FTDs. Thank you for sharing your experience.

mateens
Level 1

I am also having issues with establishing dynamic IPsec tunnels with FTD. It is not working with more than one tunnel at a time: site-to-site VPN with dynamic endpoint.

ataleb6
Level 1

Thanks for sharing this, very helpful.

williaat0125
Level 1

So is your FTD working as a passive IDS only? We are having similar problems, and our problems are resolved when we prefilter tunnel traffic with fastpath. This tells us that an inspection in Snort is dropping the packets; however, prefiltering tunnel traffic to fastpath bypasses Snort, thus defeating our purpose of needing this FTD to be an edge IPS.

Aftab Khan
Level 1

This article highlights the challenges and successful migration of a customer from legacy Cisco ASA firewalls to the next-generation Cisco Firepower Threat Defense (FTD) boxes. It showcases the dedication and teamwork involved in overcoming hurdles during the migration process, especially with GRE/IPsec traffic. The mention of advanced features and the importance of responsible use of the new NGFW is a valuable takeaway. Kudos to the team for their hard work and dedication!

adrianslackman
Level 1

It's great to hear about your successful migration from Cisco ASA firewalls to Cisco Firepower Threat Defense (FTD) boxes. Such transitions can be challenging, but your team seemed to handle it well. The hurdles you faced, especially with routing and the GRE/IPSec traffic, can be common when moving to next-generation firewalls.

Using the Firepower migration tool to transfer the ASA configuration to FTD was a wise move, and the pre and post migration reports likely made the process smoother by highlighting unsupported configurations.

Dealing with the GRE/IPSec traffic issue and enlisting support from Cisco TAC showed your team's dedication to resolving problems. Fine-tuning the pre-filter policy to allow GRE and ESP traffic and using "clear conn" to manage tunnels effectively were smart solutions.

The fact that you managed to complete the migration within 3 hours of the allocated 4-hour window is commendable. It's no small feat, considering the potential application issues and concerns from various stakeholders. Addressing routing problems, VoIP call disruptions, and application-specific concerns demonstrates your commitment to delivering a smooth transition.

Finally, the knowledge transfer (KT) session emphasizing the advanced features of the NGFW, such as Security intelligence, URL blacklist and whitelist, DNS blacklist and whitelist, and Intrusion Prevention System, is essential. Connecting these features to Talos and Snort cloud for proactive security resolution is a significant benefit. Ensuring the client's team understands and utilizes these capabilities effectively is crucial for maximizing the benefits of their new custom game boxes , which will contribute to a more secure and efficient network infrastructure.

Congratulations on a successful migration, and I hope the client enjoys the enhanced security and features of their new NGFW solution.
