A next-generation firewall (NGFW) is a network security device with capabilities that go beyond those of a traditional, stateful firewall. A traditional firewall normally offers stateful inspection of incoming and outgoing network traffic. A next-generation firewall does this as well and it also incorporates features such as application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence. Next-generation firewalls must have advanced malware protection and should be able to prevent application-layer attacks. According to Gartner, Inc., next-generation firewalls possess the following features, which a Cisco NGFW also have:
- Standard firewall capabilities like stateful inspection
- Integrated intrusion prevention
- Application awareness and control to detect and ban dangerous programs
- Threat intelligence sources
- Upgrade paths to incorporate future information feeds
- Techniques to address evolving security threats
Cisco integrated their existing ASA firewall software with the Firepower NGIPS services software, and the result greatly surpasses Gartner’s definition of NGFW. The Cisco Firepower NGFW is the industry’s first fully integrated, threat-focused NGFW with unified management.
Firepower NGFW is available on the following Cisco solutions:
- Firepower series appliances
- ASA 5500-X appliances, except ASA 5585-X
The Cisco Firepower next-generation firewall security appliances support the following software:
- ASA software image – the device is converted into a standard legacy firewall with no Firepower NGIPS functions. All Firepower and ASA Cisco firewalls were supported.
- ASA software image with Firepower Services software image (NGIPS) – runs two software images in the same appliance, each with its own set of management applications. The Firepower services software (NGIPS) allows the ASA 5500-X appliances, except ASA 5585-X, to function as an NGFW.
- Firepower Threat Defense (FTD) software image – The ASA software image and the Firepower Services image are combined into a single unified image. All Firepower and ASA 5500-X appliances are supported, except for ASA 5585-X. FTD is also supported by ISR modules and Firepower virtual firewalls (NGFWv), supported in VMware, KVM, Amazon Web Services (AWS), and Microsoft Azure settings.
For NGFWs, the following management options are available:
1. For Firepower Threat Defense (FTD) or Firepower Services software:
- Firepower Management Center (FMC)
- Firepower Device Manager (FDM)
2. For ASA software:
- Command-Line Interface (CLI)
- Cisco Security Manager (CSM)
- Adaptive Security Device Manager (ASDM)
- Cisco Defense Orchestrator
Cisco NGFW Next-Generation Firewall Benefits
The finest next-generation firewalls provide the following five main advantages to businesses of all sizes, from SMBs to corporations:
1. Breach Prevention and Advanced Security
A firewall’s primary function should be to prevent breaches and attacks. Aside from keeping the organization secure, NGFWs should also be able to detect advanced malware as soon as it evades your front-line defenses. A built-in next-generation IPS would be a great feature as well in order to detect and neutralize stealthy attacks quickly.
More NGFW features are built-in URL filtering, Sandboxing, and powerful malware protection that continually monitors file activity to identify and destroy threats. Also, it includes a world-class threat intelligence organization that feeds the latest information to the firewall in order to block emerging threats.
2. Comprehensive Network Visibility
NGFW provides a comprehensive picture of activity and full contextual awareness to monitor threat behavior across users, hosts, networks, and devices. It shows where and when a threat originated, where else it has been across your network, and what it is currently doing. Active applications and websites are visible, as well as interactions between virtual machines and file transfers.
3. Flexible Management and Deployment Options
The NGFW must fit your organization’s specific needs. There must be management, either on-box or centralized, for all use cases across all appliances. It should also be flexible and can be deployed either on-premise, virtually, or in the cloud. Subscriptions should be available for extra features and there should be a variety of throughput speeds to choose from
4. Fastest Detection Time
Threats are detected in seconds and breaches are detected within minutes or hours. Alerts are prioritized so that you can respond quickly and precisely to threats. Consistent security policies are deployed with automatic enforcement across all the various aspects of the organization.
5. Automation and Product Integrations
NGFWs connect with and collaborate with the rest of the security architecture. It integrates well with other tools from the same vendor. Security tasks are automated, and threat information, policy, event data, and contextual information are shared automatically as well.
Cisco Firepower Management Center (FMC)
The Cisco FMC is a centralized management platform for aggregating and correlating threat events, contextual data, and network device performance data. It may be used to investigate the overall network activity and monitor the information that Firepower security devices report to each other.
The FMC manages events and policies for the Firepower security Cisco security products listed below:
- Cisco Firepower NGFW and NGFWv
- Cisco Firepower NGIPS and NGIPSv
- Cisco Firepower Threat Defense for ISR
- Cisco ASA with Firepower Services
- Cisco Advanced Malware Protection (AMP)
Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.
We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: