Cisco's NGFWv and IPSEC tunnels

s.shen · ‎06-11-2018

Is Cisco's NGFWv for Azure a capable replacement for an on-prem 5525 ASA? I like the fact that it has IPS/AMP built-in but I'm wondering if it can replace our ASA entirely. I see that it does support AnyConnect, but not sure if it supports site to site IPSEC through VTI's or by setting up crypto-maps... does anyone know if this is possible or if there's any documentation on it specifically? Also are there any plans to increase the throughput for the NGFWv?

s.shen · ‎06-11-2018

Wanted to clarify and mention that we are building out a network within Azure, the NGFWv would not replace our on-prem firewall.

Marvin Rhoads · ‎06-14-2018

Remote access SSL VPN (AnyConnect) has a couple of caveats currently with respect to unsupported features:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Site-to-site IPsec VPN supports crypto maps but not VTIs. There's no DMVPN or FlexVPN support. The configuration guide covers most of what you need to know:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_site_to_site_vpns.html

s.shen · ‎06-14-2018

Thank you Marvin, I appreciate the help and especially the links you provided. I have another question, do you happen to know if the IPS service provided in the NGFW is managed by Cisco or does it manually need to be managed by an admin?

Marvin Rhoads · ‎06-14-2018

The local admin needs to setup things initially. There is the option to "set and forget" - updated Security Intelligence information, periodic IPS rule deployments etc. can all be completely automated.

It's not a managed service from Cisco per se although they provide the feeds and rules. Their backend information coming from Talos (Cisco's in-house security researchers) are part of what you're buying.