Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data
Centers-FAQs from Live Webcast

ASA & Firewall Questions
Q. What would be the real-world throughput of ASA 5505 appliance?
A. You can find the details on the datasheet mentioned below:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Does Cisco have good feedback regarding 5585x clustering so far? We wanted to
implement this earlier this year but got the impression that we were pilot users
with this solution due to the questions we got from Cisco's PM team so we
abandoned the project?
A: Though you can surely go for the clustering but for detailed analysis with respect
to your network, a clarification from PM/SA will be required so as to have a better
understanding.
Q. It would be great if I can get a document that shows recommended real-world
throughput of each model?
A: As in real it depends on the type of traffic you are pushing through the firewall. So
you can check the multiprotocol field if you are pushing different types
of traffic.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Q. Can we have context configure with cluster?
A: Yes we can have context configure with clustering.
Q. Can you briefly describe how the ASA can link up with an IPS module for next
gen intrusion threats?
A: The details available at
http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html will
help you to know the IPS with ASA.
Q. What is Sub Second failover ?
A: Sub second failover means the failover can happen in under a second. Both the
interface and unit polling times can be configured in milliseconds. Be careful
setting the failover settings too low though as you may have a quick
communication loss due to congestion.
Q. How can we cap the bandwidth on Cisco ASA?
A: To check what is the supported throughput, please refer:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Are there any plans for introducing the clustering in ASA5500-x for Saleen Series?
A: The complete supported platforms for ASA clustering can be found from:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html.
Q. What applications are supported for "full applications state sync" does ASA
support SS/IPSecVPN ? Multiprotocol throughput for ASA 5505?
A: Since 5505 is for remote user, you can refer following link for more info on it.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Can you configure site-to-site vpn with asa in multi-context mode?
A: Yes, you can as shown in:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_site2site.html
Q. Can we have ISP level redundancy or Link Load balancing with Cisco ASA, as I
have multiple links to my DC for redundancy?
A: ASA is not designed to do WAN load balancing between ISP links. Though you may
refer to a similar setup in lab as shown in
https://supportforums.cisco.com/docs/DOC-15622
Q. Does site-to-site vpn co-exist with remote access?
A: If using ASA clustering then vpn will not work. If non-cluster environment you can
use L2L vpn and can co-exist in standalone version.
Q. You just told about using different Cisco boxes in a multi-tier firewall design, but
the good practise is using different vendor firewall in different tier? How would you
justify using only cisco firewalls in a multi-tier design?
A: Ease of management with single tool like CSM (Cisco Security Manager), additional
security with TrustSec & ISE deployment which integrates seamlessly with Cisco
environment.
Q. How should we size the firewall for the data center? Is there any guideline on
the sizing?
A: For sizing we need to have the number of connections and type of traffic which
we need to push through the firewall, then you can refer the following
link for information on which model suits your need. Please refer
http://www.cisco.com/en/US/products/ps99
Q. Can you explain the significance of SGT in the context of ASA?
A: SGT is part of TrustSec.
Q. Can you load balance your outgoing internet connectivity with two inter
connections hooked to one ASA?
A: Presently it is not possible to load balance traffic between two ISP links on an ASA.
Q. How does ASA 5500-X react to a zero day attack?
A: Cisco anomaly detection learns the normal behavior on your network and alerts
you when it sees anomalous activities in your network. Cisco anomaly protection
helps protect you against new threats even before signatures are available.
Q. Clustering up to 8 firewall would be active/active or active/standby?
A: All 8 Units will be active in a cluster
Q. What is multiprotocol throughput?
A: When different types of traffic are going through the firewall, i.e. HTTP, FTP, etc.
Q. Can we block https traffic on firewall
A: When you are saying Block, I assume you are saying traffic going through the
firewall, then the answer to that would be Yes.
Q. Can Security Manager be a Syslog server as well?
A: CSM is built to be a single point of management and configuration for ASA and
other security products. The function of Syslogging is to be offloaded to an external server.
Q. Does Cisco have a UTM box?
A: Yes, Please refer:
http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html
Q. Cluster of 8 FW is supported on all models of ASA?
A: Complete detail is available at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
Q. What are the diff HA modes supported
A: You can refer to Cisco ASA datasheet on Cisco.com
Q. Can we mix different models in clustering i.e. Can Cisco 5510 be clustered with
Cisco 5520?
A: No, we can't mix different ASA models. And clustering is only supported with 5580,
5585 or 5585X
Q. When we say ASA virtualization, is that the hardware virtualization, IOS or
the configurations ?
A: You can use ASA 1000V for virtualized environment and that's what it means.
Again, if term virtual is used, it can be a context as many times these two terms are
used inter-changeably.
Q. Is access to the ScanSafe database a subscription service?
A: Yes, a ScanSafe subscription will be required.
Q. Can i have multi-context along with clustering?
A: You won't need a context in cluster mode but you can have multi contexts.
Q. Can we block https traffic on firewall
A: Yes, with ACLs you can block HTTPS traffic going through the firewall
Q. Is clustering possible across geographies or is there any distance
limitation ?
A: This can be done through VPNs (Site to site) but never recommended. Such setup
in production environment is not recommended.
Q. Are there only 8 ASA in a cluster possible, and can I mix the
models?
A: It has to be same model with same hardware configuration like memory etc.
Q. Can we detect NMAP scans with ASA ??
A: You may refer to
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml
for nmap scan as attacker example.
Q. How can I block Facebook on firewall
A: You can block using ScanSafe.
Q. What is the best choice for site-2-site VPN, Firewall ASA or Cisco security
router?
A: ASA vpn edition will be the best as it supports lot many more features in security
compared to router.
Q. Firewall virtualization supported in ASA?
A: Yes, we call it Context in ASA.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
lists all the features supported by ASA with 9.0
Q. Can I have a HA Design with Two ASA5525X in two separate places in
Active/Active Mode?
A: In that case you are expanding your cluster, there is no restriction but I do not see
any use case of this
Q. What if one of the ASAs goes down, will the other 7 modules still deliver 280
GBPS?
A: Only the throughput will drop on overall basis but no impact on traffic.
Total Throughput = N x Single node throughput x Scaling Factor
Q. Hello do we need to have even number of Firewalls to participate in
clustering?
A: No, there are no such mandates.
Q. How does ASA 5500-X react to a zero day attack
A: Cisco anomaly detection learns the normal behavior on your network and alerts
you when it sees anomalous activities in your network. Cisco anomaly protection
helps protect you against new threats even before signatures are available. Help in
Day 0 Attack
Q. Please, could you explain more about the 'individual' and 'spanned' mode at the
clustering.
A: Refer to
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html
for complete details on HA cluster configuration and various interface modes.
Q. ASA5585-SSP-10-2units, ASA ver 8.2(5), Old ASDM ver 6.4(5), Current ASDM ver
7.1(3), any compatibility issue of Java 1.7 with ASDM? Please suggest any stable
java version which works with all ASDM versions.
A: You can get in touch with Cisco TAC support for granular information of ASA &
ASDM with java.
Q. What will happen if one node fails in ASA cluster. Traffic which was going
through failed node will be dropped or it will be processed by some other node in
cluster?
A: Processed by other member in cluster
Q. We have IPS module with our ASA. It cannot detect external scans like NMAP OS
finger printing. I opened a TAC case also. They confirm that this is not possible with
Cisco IPS and it only detects it as normal traffic. Is that true?
A: That's an extensive topic and this discussion may help
https://supportforums.cisco.com/thread/2152269
Q. Does clustering support IPv6?
A: Yes
Q. So where to point the route from inside equipment, when ASAs are addressed
from a dynamic pool? Is there a VIP address?
A: No, each firewall would get an address from the Pool created by master ASA in a
cluster
Q. Can we create context in cluster?
A: You can have ASA with multiple context part of cluster, however all the ASA should
be in multiple mode in that cluster
Q. How many context firewall we have configuration on a single ASA
A: Depends on the model, please refer
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Why do I still have to manually copy xml profiles from the active to the
standby ?
A: Depends on the version you are using. More detailed info can be obtained from
Cisco TAC as it's specific to AnyConnect.
Q. Few years ago threat detection, routing protocols, etc. will not be used if you
enable multiple context mode on ASA. Was this resolved already in today's
software or product line?
A: Virtually not, you can have as many policies but can be brought down if combined
with Trustsec. Still same: Multiple context mode does not support the following
features:
RIP
OSPFv3. (OSPFv2 is supported.)
Multicast routing
Threat Detection
Unified Communications
QoS
Remote access VPN. (Site-to-site VPN is supported.)
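An added example, not part of the original FAQ and not Cisco tooling: a small pre-migration check that scans a saved single-mode running configuration for the features listed above as unsupported in multiple context mode. The mapping from each feature to the configuration commands that indicate its use is an assumption made for this sketch, and the sample configuration is constructed.

```python
import re

# Assumption: configuration commands taken here as evidence that a feature
# from the "not supported in multiple context mode" list is in use.
# OSPFv2 ("router ospf") and site-to-site VPN ("type ipsec-l2l") are
# deliberately absent because the answer says they are supported.
UNSUPPORTED_IN_MULTI_CONTEXT = {
    "RIP": [r"^router rip\b"],
    "OSPFv3": [r"^ipv6 router ospf\b", r"^\s+ipv6 ospf\b"],
    "Multicast routing": [r"^multicast-routing\b"],
    "Threat Detection": [r"^threat-detection\b"],
    "Unified Communications": [r"^phone-proxy\b", r"^tls-proxy\b"],
    "QoS": [r"^priority-queue\b", r"^\s+(police|shape)\b"],
    "Remote access VPN": [r"^webvpn\b",
                          r"^tunnel-group \S+ type remote-access\b"],
}

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 ipv6 ospf 1 area 0
router ospf 1
 network 10.0.0.0 255.0.0.0 area 0
router rip
 network 10.0.0.0
multicast-routing
threat-detection basic-threat
no threat-detection statistics tcp-intercept
tunnel-group BRANCH type ipsec-l2l
tunnel-group STAFF type remote-access
policy-map OUTSIDE-QOS
 class class-default
  police output 5000000
"""


def audit_config(config_text):
    """Return {feature: [(line_number, line), ...]} for every configured
    feature that would be lost when converting to multiple context mode."""
    findings = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for feature, patterns in UNSUPPORTED_IN_MULTI_CONTEXT.items():
            if any(re.search(p, line) for p in patterns):
                findings.setdefault(feature, []).append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for feature, hits in sorted(audit_config(SAMPLE_CONFIG).items()):
        for lineno, line in hits:
            print(f"{feature}: line {lineno}: {line}")
```

Lines beginning with `no` (explicitly disabled features) are not flagged, so only features that are actually configured show up in the report.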
Q. Based on active cluster configuration, if new firewall picks an IP address from the
pool, later if the firewall goes down how will the session failover happen, will the live
session be dropped or will it failover to other active firewall ?
A: It will be taken care of by the next priority firewall in the cluster.
Q. Is there any policy limitation of cisco ASA
A: Virtually not, you can have as many policies but can be brought down if combined
with Trustsec.
Q. Can you also have visibility of the SGT at the level of the CX module?
A: Complete details are available at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. ASA CLI or ASDM Logging feature does not provide the rule number details
(unlike Checkpoint FW), We need to know which rule is blocking or allowing the
traffic. That will be easy for troubleshooting any issue.
A: You can use packet tracer under ASDM.
Q. What other features do we have with ADSM 9.0 and also can we config bridge
and routed mode same time
A: No, we cannot have different mode in ASA cluster. Please refer the link for new
feature in OS 9.0
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
Q. How is the VIP maintained in the cluster
A: There is no VIP, all firewalls have their own firewall, we need loadbalancing from
outside the cluster
Q. We are using 3 different Management servers, We are facing this ASDM
Loading issue with all of them, How there can be issue with OS Level?
A: Please get in touch with Cisco TAC for in-depth review & troubleshooting.
Q. Does the load balancing into the cluster need to be "sticky"? Must traffic for a
particular connection always hit the same appliance? Or is connection state
replicated between all appliances in the cluster?
A: No, the sessions backup exists on clustering setup. If an ASA goes down then the
session won't be dropped and the next master will handle it. In short, yes,
connections replication happens.
Q. CCL has to be in routed mode or can be made L2. I believe it's like VSL in VSS or
like stacking ?
A: VSS is supported and refer to
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338
Q. Does the ASA support Server Load Balancing?
A: No, ASA doesn't support Server Load Balancing.
Q. Is that also the fact with Site2site VPN when cluster master fails or does it work
more like Active/Standby VPN state failover?
A: Clustering is analogous to failover not the same. The VPN sessions will be
replicated across the cluster.
Q. Can the IPS in ASA5500-x do heuristic detection?
A: Basic heuristics are there, 0day attacks are identified (now better by ScanSafe, an
improvement over local engine)
Q. Will Remote VPN work with Clustering mode ?
A: RA VPN is not available in clustered mode, Full list of centralized and disabled
features can be found at:
http://asapedia.cisco.com/index.php/Clustering
Q. Which is the best module which can block the torrent traffic as it is using any
dynamic port available ?
A: IPS Module will be the best option as it can look into the payload.
Q. I have about 30+ Cisco ASA Firewalls, all of them running on Cisco ASA 8.2(5) is
there a document that i can follow to upgrade them to 9.0 ?
A: Yes, a plan is needed for upgrade. Refer to
https://supportforums.cisco.com/thread/2183482 as a similar request and do take
the help of TAC for such major upgradation of over 30+ firewalls.
Q. Will Remote VPN work with Clustering mode ?
A: It doesn't work.
Q. Does Easy VPN work with Active/standby mode in ASA ?
A: Yes, it works with failover ASA
Q. Can we use ASA for web filtering like PROXY?
A: Yes ASA can be used for Web Filtering and it has been possible for many years.
Now, you also have ScanSafe
Q. And how do I just point to _one_ ASA IP from core routing equipment, when
clustering?
A: Addresses configured in pool are given to firewalls in cluster, you can simply push the
traffic to any given address assigned to specific firewall in cluster
Q. What will happen if one node fails in ASA cluster. Traffic which was going
through failed node will be dropped or it will be processed by some other node in
cluster?
A: Yes, ASA clustering always has a backup node (owner) for every flow through the
cluster so, if the node through which traffic is passing is down, the next owner will
process the n+1 traffic (if previous node was processing nth packet).
Q. How many "sessions/connection per second" can 5585-X support? Is there
a public document that shows performance matrix for ASA? Something similar with
Router & Switch performance matrix, there is one available for Router & Switch
product line?
A: You can access the video and regular data sheets for 5585-X series firewall
at http://www.cisco.com/en/US/products/ps11061/index.html
Q. Any plan for a refresh of the 5505 ? Right now a lot of our customers are looking
elsewhere (Checkpoint, Palo Alto) for a layer 4-7 aware firewall.
A: If you're looking for a replacement of 5505 you have multiple options as explained
at Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices
and Branch Locations Data Sheet (Updated) such as 5512-X and 5515-X next gen
firewalls with better throughput and a host of new features
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Q. Is Clustering supported across all models or not ?
A: Clustering is only supported with 5580, 5585 and 5585X models
Q. If cisco marketing 5500X products stops, does that mean slowly cisco will stop
5500 models?
A: Not sure where this is coming from, since 5500X is the latest in next gen firewalls
and Cisco intends to continue with both 5500 and 5500X series
Q. What about a blade system on cisco side for ASA ?
A: Cisco FWSM is the current generation and Cisco NGFW services module is the
solution for next gen DC which supports many new features
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. Can Cisco Security Manager be a netflow collector for ASA devices?
A: CSM is primarily meant for configuring and managing the firewalls. If you wish to
collect netflow data it's better to look at Cisco LMS/Prime solutions.
Q. What is the max throughput at line speed?
A: For information on the throughput and other parameters please consult the
respective data sheets of ASA 5500 and 5500 X series
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices
and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Cisco ASA 5500 and ASA 5500-X Series Next Generation Firewalls for the Internet
Edge Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html
Cisco ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Can CSM take backup of ASA configuration ?
A: In CSM if you would like to see the configurations there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview
Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a
history of previous configurations pushed for each device managed by CSM
CSM based backups are manual and are not automated.
Q. Can we expect remote access vpn support for contexts anytime soon?
A: As far as I know it's not on the roadmap for next few releases.
Q. Why does the management interface not work when working with an
active/standby solution ?
A: You can access the video and regular data sheets for 5585-X series firewall at
http://www.cisco.com/en/US/products/ps11061/index.html
Q. Do you have a recommended scenario or plan for ASA deployment in Data
Center or VMDC?
A: Each network and organization has different requirement for services and security.
Hence, putting one size fits all is not a possible solution. You can check the Cisco
recommended design and configuration guidelines at following URLs
ASA DC deployment guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Mid_DC_DataCenterDeploymentGuideFebruary2012.pdf
Cisco ASA DC config guide
http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
Q. Is there road-map to allow VPN functionality with ASA Cluster Deployment?
A: Site to site VPN is already supported in clustering. Remote access VPN is not
supported as of today and is not on roadmap as I know.
Q. Does ASA support stateful sync for SSL or IPSec VPN sessions, means suppose
primary fails then SSL or IPSec VPN session need not re-establish connectivity
with Secondary?
A: Yes, stateful failover is available for IPSec and SSL connections.
Q. Can we configure the Cisco ASA on distributed architecture?
A: ASA clustering is distributed architecture for High Availability and is compatible
with next gen and current switching infrastructure.
Q. Does packet tracer support FWSM ?
A: FWSM doesn't support packet tracer command.
Q. Is there a concept of Inter-Context communication in current ASA? Meaning no
need to forward the traffic out of the interface but instead inside ASA and between
context. Saves interface and much faster?
A: As of today, inter context communication has to go out of a physical interface and
come in again (same or different interface). Essentially trombone of traffic needs to
happen out and in to the firewall.
Q. Based on active cluster configuration, if new firewall picks an IP address from the
pool, later if the firewall goes down how will the session failover happen, will the live
session be dropped or will it failover to other active firewall ?
A: You can access the video and regular data sheets for 5585-X series firewall
at http://www.cisco.com/en/US/products/ps11061/index.html
Q. What about MGCP support?
A: Cisco ASA Clustering does not support any UC protocols including H.323 suite, RTP,
RTCP, SIP, SCCP and MGCP
Q. Does it have an option for snapshot for backup purpose so we can restore all the
configuration very fast, and how many snapshots can it store?
A: If the query is about CSM, and you would like to see the configurations within the
CSM interface there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview
Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a
history of previous configurations pushed for each device managed by CSM
Q. What is the monitoring solution in cisco where we can see what each user is
doing from the cisco trustsec perspective?
A: You can do this from ISE dashboard for monitoring the network. Please see
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014
for more details
Q. What is the VPN split in IPv4/IPv6 network? Is there VPN bypass with ASA?
A: VPN in IPv4 or IPv6 depends on the configuration for the VPN site to site or
client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the
client's / remote site can connect with a headend behind ASA.
Q. What is the CX module in ASA- X series?
A: ASA NGFW Services (formerly ASA CX) re-imagines the firewall, delivering
context-aware security that empowers enterprises to manage applications, devices
and the evolving global workforce, while ensuring unprecedented visibility and
control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces
complexity to address evolving security needs by leveraging local network
intelligence via Cisco AnyConnect and TrustSec, and global threat information via
Cisco’s Security Intelligence Operation.
Q. Can you please share the Packet flow in context mode? And does the mode or context
support multicast or unicast?
A: Here's a URL which covers packet classification examples and flows in detail
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280.
Contexts support both unicast and multicast; however, PIM is only
supported in single context.
Q. Packet tracer & Traceroute feature is also not available in FWSM?
A: Packet Tracer feature is not available on FWSM. Traceroute command is
supported on FWSM.
General Questions
Q. Recommended tools for monitoring traffic, security events, syslogs ? Any cisco
developed NetFlow analyzers ? Is there anything bundled with the IOS or is it an
additional package ?
A: You can use Cisco Security Manager for such task. More info available
at http://www.cisco.com/en/US/products/ps6498/index.html
Q. Is that only Secure X platform has support for Trust sec?
A: You can have complete detail from
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html.
Q. Can ISE integrate with AD or do we need a AAA/LDAP
A: Yes, we can integrate ISE directly with AD
Q. What is the secure x architecture
A: The Cisco SecureX Architecture is a context-aware, network-centric approach to
security from Cisco. SecureX architecture detail can be found on
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html#wp9000078
Q. Where can we download the presentation?
A: https://supportforums.cisco.com/docs/DOC-35101
Q. Does Secure X supports built in IPS and IDS inline ?
A: CX modules for ASA do support inline IPS as they will be on same chassis as the
firewall. CX services module doesn't support it as of today, it's on roadmap.
Q. Which all are Authentication support in TrustSec?
A: The following authentication types are supported with TrustSec
Flexible authentication (FlexAuth) including
- IEEE 802.1X
- Web authentication (WebAuth)
- MAC authentication bypass (MAB)
- IEEE 802.1X-REV MACsec Key Agreement (MKA)
Please see
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026
for more details
Reference from: https://supportforums.cisco.com/docs/DOC-35563
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for Compliance
 
OpenNebulaConf 2016 - OpenNebula, a story about flexibility and technological...
OpenNebulaConf 2016 - OpenNebula, a story about flexibility and technological...OpenNebulaConf 2016 - OpenNebula, a story about flexibility and technological...
OpenNebulaConf 2016 - OpenNebula, a story about flexibility and technological...
 
Migration to cisco next generation firewall
Migration to cisco next generation firewallMigration to cisco next generation firewall
Migration to cisco next generation firewall
 
Cisco asa 5506 datasheet
Cisco asa 5506 datasheetCisco asa 5506 datasheet
Cisco asa 5506 datasheet
 
Brkaci 1002
Brkaci 1002Brkaci 1002
Brkaci 1002
 

Más de IT Tech

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setupIT Tech
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideIT Tech
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideIT Tech
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faqIT Tech
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesIT Tech
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresIT Tech
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solutionIT Tech
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesIT Tech
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesIT Tech
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesIT Tech
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellIT Tech
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000IT Tech
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesIT Tech
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesIT Tech
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration exampleIT Tech
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700IT Tech
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration optionsIT Tech
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement modelIT Tech
 

Más de IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Último

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Último (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Cisco adaptive security appliance (asa) firewalls lifeline of today’s data centers

  • 1. Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data Centers-FAQs from Live Webcast ASA & Firewall Questions Q. What would be the real-world throughput of ASA 5505 applance? A. You can find the details on datasheet mentioned below: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod uct_data_sheet0900aecd802930c5.html Q. Does Cisco have good feedback regarding 5585x clustering so far? We wanted to implement this earlier this year but got the impression that we were pilot users with this solution due to the questions we got from Cisco's PM team so we abandoned the project? A: Though you can surely go for the clustering but for detailed analysis with respect to your network, a clarification from PM/SA will be required so as to have a better understanding. Q. It would be great if I can get a document that shows recommended real-world throughput of each models? A: As in real it depends on the type of traffic youa re pushing through the firewall. So you can check the multiprotocol field if you are pushing different type of traffic. http://www.cisco.com/en/US/products/ps6120/prod_models_comparison .html Q. Can we have context configure with cluster? A: Yes we can have context configure with clustering. Q. Can you briefly describe how the ASA can link up with an IPS module for next gen intrussion threats? A: The details available at http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html will help you to know the IPS with ASA. Q. What is Sub Second failover ? A: Sub second failover as the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful setting the failover settings too low though as you may have a quick communnication loss due to congestion. Q. How can we cap the bandwidth on Cisco ASA? 
A: To check what is the supported thoughput, please refer: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_ poster_revision_r8.pdf Q. Is there any plans for introducing the clusterin in ASA5500-x for Saleen Series?
  • 2. A: The complete supported platforms for ASA clustering can be found from: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_ c67-712934.html. Q. What applications are supported for "full applications satat sync" does ASA supports SS/IPSecVPN ? Multiprotocol throughput for ASA 5505? A: Since 5505 is for remote user, you can refer following link for more info on it. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_ poster_revision_r8.pdf Q. Can you configure site-to-site vpn with asa in multi-context mode? A: Yes, you can as per shown in: http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_site 2site.html Q. Can we have ISP level redundancy or Link Load balancing with Cisco ASA,as I have multiple link to my DC for resundancy? A: ASA is not designed to do WAN load balancing between ISP links. Though you may refer to a similar setup in lab as shown in https://supportforums.cisco.com/docs/DOC-15622 Q. Does site-to-site vpn co-exist with remote acces? A: If using ASA clustering then vpn will not work. If non-cluster environment you can use L2L vpn and can co-exist in standalone version. Q. You just told about using different Cisco boxes in a multi-tier firewall design.but the good practise is using different vendor firewall in different tier? How would you justify using only cisco firewalls in a multi-tier design? A: Ease of management with single tool like CSM (Cisco Security Manager), additional security with Trustsec& ISE deployment which integrates seamlessly with Cisco environment. Q. How should we size the firewall for the data center? Is there any guideline on the sizing? A: For sizing we need to have the number of connections and type of traffice which we need to push through te firewall, then you can refer the following link for information on which model suits your need. Please refer http://www.cisco.com/en/US/products/ps99 Q. 
Can you explain the significance of SGT in the context of ASA? A: SGT is part of TrustSec. Q. Can you load balance your outgoing internet connecvitiy with two inter connections hooked to one ASA?
  • 3. A: Presently it is not possible to load balance traffic between two ISP links on an ASA. Q. How to ASA 5500-X react on zero day attack? A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available. Q. Clustering up to 8 firewall would be active/active or active/standby? A: All 8 Units will be active in a cluster Q. What is Multi protocoltroughput ? A: When different type of traffic going through the firewall, i.e HTTP, FTP, etc. Q. Can we block https traffic on firewall A: When you are saying Block, I assume you are saying traffice going through the firewall, then the answer to that would be Yes. Q. Can Security Manger be a Syslog server as well? A: CSM is built to be a single point of management and configuration for ASA and other securiyt products. The function of Syslogging is to be offload to external server. Q. Does Cisco have a UTM box? A: Yes, Please refer: http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html Q. Cluster of 8 FW is supported on all models of ASA? A: Complete detail is available at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_ c67-712934.html Q. What are the diff HA modes supported A: You can refer to Cisco ASA datasheet on Cisco.com Q.Can we mix different models in clustering i.e. Can Cisco 5510 be clustered with Cisco 5520? A: No, we can't mix different asa models. And clustering is only supported with 5580, 5585 or 5585X Q. When we say ASA virtualization, is that the hardware virtualization, IOS or theconfigurations ? A: You can use ASA 1000V for virtualized environment and that's what it means. Again, if term virtual is used, it can be a context as many times these two terms are used inter-changeably.
  • 4. Q. Is access to the scanSafe database a subscription service? A: Yes, a scansafe subscription will be required. Q. Can i have multi-context along with clustering? A: You won't need a context in cluster mode but you can have multi contexts. Q. Can we block https traffic on firewall A: Yes, with ACLs you can block HTTPS traffic going though the firewall Q. IsClustering possible across geographies or is there any distance limitation ? A: This can be done through VPNs (Site to site) but never recommended.Such setup in production environment is not recommended. Q. Are there only 8 ASA in a cluster possible, and can I mix the models? A: It has to be same model with same hardware configuration like memory etc. Q. Can we detect NMAP scans with ASA ?? A: You may refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3 913.shtml for nmapscan as attacker example. Q. How can i block facebook on firewall A: You can block using scan safe. Q. What is the best choice for site-2-site vPN, Firewall ASA or Cisco security router? A: ASA vpn edition will be the best as it supports lot many more features in security compared to router. Q. Firewall virtualization supported in ASA? A: Yes, We call it Context in ASA http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_ c67-712934.htmllist all the features supported by ASA with 9.0 Q. Can I have a HA Design with Two ASA5525X in two separate places in Active/Active Mode? A: In that case you are expanding your cluster, there is no restriction but I do not see any use case of this Q. What is one of the ASA goes down, will other 7 modules are still deliver 280 GBPS? A: Only the throughput will drop on overall basis but no impact on traffic.
  • 5. Total Throughput = N x Single node throughput x Scaling Factor Q. Hello do we need to have even number of Firewalls to participate in clustering? A: No, there's no such mandates. Q. How to ASA 5500-X react on zero day attack A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available. Help in Day 0 Attack Q. Please, could you explain more about the 'individual' and 'spanned' mode at the clustering. A: Refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_clust er.html for complete details on HA cluster configuration and various interface modes. Q. ASA5585-SSP-10-2units, ASA ver 8.2(5),Old ASDM ver 6.4(5),Current ASDM ver 7.1(3),anny compatibility issue of Java 1.7 with ASDM?Please suggest any stable java version which works with all ASDM versions. A: You can get in touch with Cisco TAC support for granular information of ASA & ASDM with java. Q. What will happen if one node fails in ASA cluster. Traffic which was going through failed node will be dropped or it will be processed by some other node in cluster? A: Processed by other member in cluster Q. We have IPS module with our ASA. It cannot detect external scans like NMAP OS finger printing. I opened a TAC case also. They confrm that this not possible with Cisco IPS and it only detect it as a normal traffic. Is that true? A: Thats an extensive topic and this discussion may help https://supportforums.cisco.com/thread/2152269 Q. Does clustering support IPv6? A: Yes Q. So where to point the route from inside equipment, when ASAs are addressed from a dynamic pool? Is there a VIP address? A: No, each firewall would get an address from the Pool created by master ASA in a cluster Q. Can we create context in cluster?
  • 6. A: You can have ASA with multiple context part of cluster, however all the ASA should be in multiple mode inthatcluster Q. How many context firewall we have configuration on a single ASA A: Depends on the model, please refer http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_ poster_revision_r8.pdf Q. Why do I still have to manually copy xml profiles from the active to the standby ? A: Depends on the version you are using. More detailed info can be obtained from Cisco TAC as its specific to Anyconnect. Q. Few years ago threat detection, routing protocols, etc. will not be used if you enable multiple context mode on ASA. Was this resolved already in today's software or product line? A: Virtually not, you can have as many policies but can be brought down if combined with Trustsec. Still same: Multiple context mode does not support the following features: RIP OSPFv3. (OSPFv2 is supported.) Multicast routing Threat Detection Unified Communications QoS Remote access VPN. (Site-to-site VPN is supported.) Q. Based on active cluster configuration, if new firewall picks a ipaddress from the pool, alter if the firewall goes down how the session failover will happen, the live session will be dropped or it will failover to other active firewall ? A: It will be taken care by the next priority firewall in the cluster. Q. Is there any policy limitiation of cisco ASA A: Virtually not, you can have as many policies but can be brought down if combined with Trustsec. Q. Can you also have visibility of the SGT at the level of the CX module? A: Complete details are available at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c 67-700607.html Q. ASA CLI or ASDM Logging feature does not provide the rule number details
  • 7. (unlike Checkpoint FW), We need to know which rule is blocking or allowing the traffic.That will be easy for troubleshooting any issue. A: You can use packet tracer under ASDM. Q. What other features do we have with ADSM 9.0 and also can we config bridge and routed mode same time A: No, we cannot have different mode in ASA cluster .Please refer the link for new feature in OS 9.0 http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html# wp586890 Q. How does the VIP is maintained in the cluster A: There is no VIP, all firewalls have there own firewall, we need loadbalancing from outside the cluster Q. We are using 3 differenet Management servers, We are facing this ASDM Loading issue with all of them, How there can be issue with OS Level? A: Please get in touch with Cisco TAC for in-depth review &troublshooting. Q. Does the load balancing into the cluster need to be "sticky"? Must traffic for a particular connection always hit the same appliance? Or is connection state replicated between all appliances in the cluster? A: No, the sessions backup exists on clustering setup. If a asa goes down then the session wont be dropped and the next master will handle it. In short, yes, connections replication happens. Q. CCL has to be in routed mode or can be made l2.I believe its like VSL in VSS or like stacking ? A: VSS is supported and refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_clust er.html#wp1559338 Q. Does the ASA supports Server Load Balancing? A: No ASA doesn't support Server Load Balancing. Q. Is that also the fact with Site2site VPN when cluster master fails or does it work more like Active/Standby VPN state failover? A: Clustering is analogous to failover not the same. The VPN sessions will be replicated across the cluster. Q. Can the IPS in ASA5500-x do heuristic detection? A: Basic Heruristics are there, 0day attacks are identified (now better by SacanSafe an improvement over local engine)
  • 8.
Q. Will Remote VPN work with clustering mode?
A: RA VPN is not available in clustered mode. The full list of centralized and disabled features can be found at: http://asapedia.cisco.com/index.php/Clustering
Q. Which is the best module to block torrent traffic, as it uses any dynamic port available?
A: The IPS module will be the best option as it can look into the payload.
Q. I have about 30+ Cisco ASA firewalls, all of them running Cisco ASA 8.2(5). Is there a document that I can follow to upgrade them to 9.0?
A: Yes, a plan is needed for the upgrade. Refer to https://supportforums.cisco.com/thread/2183482 as a similar request and do take the help of TAC for such a major upgrade of over 30+ firewalls.
Q. Will Remote VPN work with clustering mode?
A: It doesn't work.
Q. Does Easy VPN work with Active/Standby mode in ASA?
A: Yes, it works with failover ASA.
Q. Can we use ASA for web filtering like a PROXY?
A: Yes, ASA can be used for web filtering and it has been possible for many years. Now, you also have ScanSafe.
Q. And how do I just point to _one_ ASA IP from core routing equipment, when clustering?
A: Addresses configured in the pool are given to the firewalls in the cluster; you can simply push the traffic to any given address assigned to a specific firewall in the cluster.
Q. What will happen if one node fails in an ASA cluster? Will traffic which was going through the failed node be dropped or will it be processed by some other node in the cluster?
A: Yes, ASA clustering always has a backup node (owner) for every flow through the cluster so, if the node through which traffic is passing is down, the next owner will process the n+1 traffic (if the previous node was processing the nth packet).
Q. How many "sessions/connections per second" can the 5585-X support? Is there a public document that shows a performance matrix for ASA? Something similar to the Router & Switch performance matrix; there is one available for the Router & Switch product line?
A: You can access the video and regular data sheets for the 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
  • 9.
Q. Any plan for a refresh of the 5505? Right now a lot of our customers are looking elsewhere (Checkpoint, Palo Alto) for a layer 4-7 aware firewall.
A: If you're looking for a replacement for the 5505 you have multiple options, as explained in the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated), such as the 5512-X and 5515-X next gen firewalls with better throughput and a host of new features: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Q. Is clustering supported across all models or not?
A: Clustering is only supported with 5580, 5585 and 5585X models.
Q. If Cisco marketing of 5500X products stops, does that mean Cisco will slowly stop the 5500 models?
A: Not sure where this is coming from since 5500X is the latest in next gen firewalls and Cisco intends to continue with both 5500 and 5500X series.
Q. What about a blade system on the Cisco side for ASA?
A: Cisco FWSM is the current generation and the Cisco NGFW services module is the solution for next gen DC, which supports many new features: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. Can Cisco Security Manager be a NetFlow collector for ASA devices?
A: CSM is primarily meant for configuring and managing the firewalls. If you wish to collect NetFlow data it's better to look at Cisco LMS/Prime solutions.
Q. What is the max throughput at line speed?
A: For information on the throughput and other parameters, please consult the respective data sheets of the ASA 5500 and 5500-X series:
- Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated): http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
- Cisco ASA 5500 and ASA 5500-X Series Next Generation Firewalls for the Internet Edge Data Sheet: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html
- Cisco ASA 5500 Series Adaptive Security Appliances: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
  • 10.
Q. Can CSM take a backup of the ASA configuration?
A: In CSM, if you would like to see the configurations, there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM.
CSM based backups are manual and are not automated.
Q. Can we expect remote access VPN support for contexts anytime soon?
A: As far as I know it's not on the roadmap for the next few releases.
Q. Why does the management interface not work when working with an active/standby solution?
A: You can access the video and regular data sheets for the 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
Q. Do you have a recommended scenario or plan for ASA deployment in Data Center or VMDC?
A: Each network and organization has different requirements for services and security. Hence, a one-size-fits-all approach is not a possible solution. You can check the Cisco recommended design and configuration guidelines at the following URLs:
- ASA DC deployment guide: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Mid_DC_DataCenterDeploymentGuideFebruary2012.pdf
- Cisco ASA DC config guide: http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
Q. Is there a roadmap to allow VPN functionality with ASA cluster deployment?
A: Site-to-site VPN is already supported in clustering. Remote access VPN is not supported as of today and is not on the roadmap as far as I know.
Q. Does ASA support stateful sync for SSL or IPSec VPN sessions, meaning that if the primary fails, the SSL or IPSec VPN session need not re-establish connectivity with the secondary?
A: Yes, stateful failover is available for IPSec and SSL connections.
Q. Can we configure the Cisco ASA on a distributed architecture?
  • 11.
A: ASA clustering is a distributed architecture for High Availability and is compatible with next gen and current switching infrastructure.
Q. Does packet tracer support FWSM?
A: FWSM doesn't support the packet tracer command.
Q. Is there a concept of inter-context communication in the current ASA? Meaning no need to forward the traffic out of the interface, but instead inside the ASA and between contexts. Saves an interface and is much faster?
A: As of today, inter-context communication has to go out of a physical interface and come in again (same or different interface). Essentially, a trombone of traffic needs to happen out of and in to the firewall.
Q. Based on active cluster configuration, if a new firewall picks an IP address from the pool, and later the firewall goes down, how will the session failover happen? Will the live session be dropped or will it fail over to another active firewall?
A: You can access the video and regular data sheets for the 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
Q. What about MGCP support?
A: Cisco ASA clustering does not support any UC protocols including the H.323 suite, RTP, RTCP, SIP, SCCP and MGCP.
Q. Does it have an option for snapshots for backup purposes so we can restore all the configuration very fast? And how many snapshots can it store?
A: If the query is about CSM, and you would like to see the configurations within the CSM interface, there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM.
Q. What is the monitoring solution from Cisco where we can see what each user is doing from the Cisco TrustSec perspective?
A: You can do this from the ISE dashboard for monitoring the network. Please see http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014 for more details.
Q. What is the VPN split in an IPv4/IPv6 network? Is there VPN bypass with ASA?
A: VPN in IPv4 or IPv6 depends on the configuration for the VPN, site-to-site or client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the clients / remote site can connect with a headend behind the ASA.
  • 12.
Q. What is the CX module in the ASA-X series?
A: ASA NGFW Services (formerly ASA CX) re-imagines the firewall, delivering context-aware security that empowers enterprises to manage applications, devices and the evolving global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces complexity to address evolving security needs by leveraging local network intelligence via Cisco AnyConnect and TrustSec, and global threat information via Cisco's Security Intelligence Operation.
Q. Can you please share the packet flow in context mode? And does the mode or context support multicast or unicast?
A: Here's a URL which covers packet classification examples and flows in detail: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280. Contexts support both unicast and multicast; however, PIM is only supported in single context.
Q. Are the Packet Tracer and Traceroute features also not available in FWSM?
A: The Packet Tracer feature is not available on FWSM. The Traceroute command is supported on FWSM.

General Questions
Q. Recommended tools for monitoring traffic, security events, syslogs? Any Cisco developed NetFlow analyzers? Is there anything bundled with the IOS or is it an additional package?
A: You can use Cisco Security Manager for such tasks. More info is available at http://www.cisco.com/en/US/products/ps6498/index.html
Q. Is it only the SecureX platform that has support for TrustSec?
A: You can have complete details from http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html.
Q. Can ISE integrate with AD or do we need AAA/LDAP?
A: Yes, we can integrate ISE directly with AD.
Q. What is the SecureX architecture?
A: The Cisco SecureX Architecture is a context-aware, network-centric approach to security from Cisco. SecureX architecture details can be found at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html#wp9000078
Q. Where can we download the presentation?
A: https://supportforums.cisco.com/docs/DOC-35101
Q. Does SecureX support built-in IPS and IDS inline?
  • 13.
A: CX modules for ASA do support inline IPS as they will be on the same chassis as the firewall. The CX services module doesn't support it as of today; it's on the roadmap.
Q. Which authentication types are supported in TrustSec?
A: The following authentication types are supported with TrustSec: Flexible authentication (FlexAuth) including
- IEEE 802.1X
- Web authentication (WebAuth)
- MAC authentication bypass (MAB)
- IEEE 802.1X-REV MACsec Key Agreement (MKA)
Please see http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026 for more details.

Reference from: https://supportforums.cisco.com/docs/DOC-35563

More Tech Tips Related to Cisco ASA Firewalls:
- Q&A: How to Troubleshoot ASA, PIX, and FWSM?
- Cisco ASA5510 Vs ASA5512-X or Cisco 5515-X
- How to Connect to Cisco ASA?
- Cisco ASA 5520 Basic Configuration Guide