1
00:00:00,000 --> 00:00:10,680
Today, April 17th, welcome everybody to the show, the latest episode of Security in 45.

2
00:00:10,680 --> 00:00:16,680
Today as you can see from the invite, we'll be talking about the latest and greatest innovations

3
00:00:16,680 --> 00:00:24,700
in Cisco firewalls, specifically what we know as Firepower or Secure Firewall, but particularly

4
00:00:24,700 --> 00:00:31,720
the new stuff, which is going to be like version 7.x and above.

5
00:00:31,720 --> 00:00:35,620
If you missed the previous episode on Cisco firewalls, which Andres, I think that was

6
00:00:35,620 --> 00:00:37,200
our opening session, session one.

7
00:00:37,200 --> 00:00:38,920
That was our first one.

8
00:00:38,920 --> 00:00:39,920
Okay.

9
00:00:39,920 --> 00:00:42,000
Definitely go back after the show and watch that.

10
00:00:42,000 --> 00:00:47,320
That was a real good introduction there about what Cisco firewalls are and how they evolved

11
00:00:47,320 --> 00:00:49,840
from Cisco ASAs today.

12
00:00:49,840 --> 00:00:50,840
Yeah.

13
00:00:50,840 --> 00:00:53,800
And still very excited, it was my Mike, to be here.

14
00:00:53,800 --> 00:01:02,160
We have two legends that if you tuned in before 12th, probably you heard some of us chatting

15
00:01:02,160 --> 00:01:07,480
about multiple things, but yeah, we have Josh Scarborough and Seth Richardson.

16
00:01:07,480 --> 00:01:11,240
Both of these guys have worked with the TAC team.

17
00:01:11,240 --> 00:01:12,920
They have crazy backgrounds.

18
00:01:12,920 --> 00:01:18,440
Probably you've talked to them and if you've been working on firewall for the longest time,

19
00:01:18,440 --> 00:01:23,280
I think I've talked to Mike, I've talked to so many other people that I work with now.

20
00:01:23,280 --> 00:01:28,760
So super exciting to be here and guys, if you don't mind, Josh and Seth, if you don't

21
00:01:28,760 --> 00:01:31,400
mind introducing yourself, that would be awesome.

22
00:01:31,400 --> 00:01:32,400
Hello world.

23
00:01:32,400 --> 00:01:36,840
As Andres said, my name is Joshua Scarborough.

24
00:01:36,840 --> 00:01:41,040
I've been at Cisco coming up for about 10 years now.

25
00:01:41,040 --> 00:01:45,480
I've been in the security architect role that I have now for about four years.

26
00:01:45,480 --> 00:01:48,160
I support Department of Defense.

27
00:01:48,160 --> 00:01:52,720
I support the United States Army and I support special operations programs within them.

28
00:01:52,720 --> 00:01:54,840
So I've been doing this role for about four years now.

29
00:01:54,840 --> 00:02:00,640
Prior to that, as Andres said, I was in TAC where I handled anything CAP case related.

30
00:02:00,640 --> 00:02:04,040
So if it was high severity, I would have my hands on it.

31
00:02:04,040 --> 00:02:08,640
And as you might have heard prior to this, I was in the United States Navy where I worked

32
00:02:08,640 --> 00:02:10,920
on F-18 Super Hornets.

33
00:02:10,920 --> 00:02:16,040
I was primarily responsible for making sure ejection seats went off correctly when the

34
00:02:16,040 --> 00:02:17,800
lanyard was pulled.

35
00:02:17,800 --> 00:02:24,520
And I've never wanted any of my, let's just say, constituents to be able to pull that

36
00:02:24,520 --> 00:02:28,440
lever, but I did the work regardless.

37
00:02:28,440 --> 00:02:30,480
Nice.

38
00:02:30,480 --> 00:02:38,280
Yeah, so Seth Richardson and I have been at Cisco for about 10 years, almost divided my

39
00:02:38,280 --> 00:02:45,120
time up in half between TAC and my current role as a customer success specialist.

40
00:02:45,120 --> 00:02:49,320
And now my main goal and focus is adoption.

41
00:02:49,320 --> 00:02:55,040
So if you get a firewall, for example, I'm here to help you to get the most out of it.

42
00:02:55,040 --> 00:02:59,120
Prior to Cisco, wow, a lot of different things.

43
00:02:59,120 --> 00:03:05,440
So IT worked probably since 2005 when I got into that.

44
00:03:05,440 --> 00:03:10,880
And prior to that, not many people know, but I was trying to make a career short track

45
00:03:10,880 --> 00:03:17,080
racing and eventually in bigger leagues than that, but had to grow up at some point.

46
00:03:17,080 --> 00:03:18,080
Do we know?

47
00:03:18,080 --> 00:03:20,120
Do we have to grow up?

48
00:03:20,120 --> 00:03:21,120
We don't.

49
00:03:21,120 --> 00:03:22,120
That's the thing.

50
00:03:22,120 --> 00:03:23,120
Yeah.

51
00:03:23,120 --> 00:03:24,840
Seth, that's pretty cool about the racing.

52
00:03:24,840 --> 00:03:26,840
I did not know that.

53
00:03:26,840 --> 00:03:27,840
Yeah.

54
00:03:27,840 --> 00:03:34,840
And Josh, I knew US Navy, but that must have been pretty crazy testing the ejection system.

55
00:03:34,840 --> 00:03:37,480
Did you ever have to get in there and get ejected?

56
00:03:37,480 --> 00:03:38,480
No.

57
00:03:38,480 --> 00:03:39,480
So you don't want to do that, right?

58
00:03:39,480 --> 00:03:45,600
So if you, if anybody knows, if you sit in ejection seat and you are in a very critical

59
00:03:45,600 --> 00:03:50,200
precarious moment where you have to pull that lever, you actually go up about 2,500 feet

60
00:03:50,200 --> 00:03:52,280
in less than a quarter of a second.

61
00:03:52,280 --> 00:03:55,760
It compresses your spine a third of an inch.

62
00:03:55,760 --> 00:04:02,200
So there are some pilots you've actually had to eject and they come out a third of an inch

63
00:04:02,200 --> 00:04:03,200
shorter.

64
00:04:03,200 --> 00:04:05,320
You don't ever really want anyone to do that.

65
00:04:05,320 --> 00:04:10,440
Like that's like, that's the very last line of defense of someone's life right there.

66
00:04:10,440 --> 00:04:11,440
Right.

67
00:04:11,440 --> 00:04:12,440
So I had one pilot.

68
00:04:12,440 --> 00:04:15,240
Yes, you did eject and he was very, he was safe.

69
00:04:15,240 --> 00:04:18,000
I got out just fine.

70
00:04:18,000 --> 00:04:22,040
But it's kind of like that real just heart thumping moment.

71
00:04:22,040 --> 00:04:26,840
You're like, Oh my gosh, did I, what I do correctly, you know, save someone's life.

72
00:04:26,840 --> 00:04:29,560
But yeah, it's wild.

73
00:04:29,560 --> 00:04:32,200
So it's not something you test, right?

74
00:04:32,200 --> 00:04:36,480
You just do the work and you're like, I did this work correctly.

75
00:04:36,480 --> 00:04:37,480
And I know I did it.

76
00:04:37,480 --> 00:04:38,480
I paid for myself, right?

77
00:04:38,480 --> 00:04:39,480
That's it.

78
00:04:39,480 --> 00:04:40,480
That's awesome.

79
00:04:40,480 --> 00:04:41,480
Very cool.

80
00:04:41,480 --> 00:04:46,160
Andres, after a good start, pretty interesting guests we've got here.

81
00:04:46,160 --> 00:04:48,840
I'm super excited to kick this off.

82
00:04:48,840 --> 00:04:51,240
And Josh, let's get right into the nitty gritty.

83
00:04:51,240 --> 00:04:56,720
And again, not any type of introduction stuff, but some of the more advanced features of

84
00:04:56,720 --> 00:04:57,720
our firewalls.

85
00:04:57,720 --> 00:05:03,960
Can you tell me about kind of what I consider the heart of next generation firewall, which

86
00:05:03,960 --> 00:05:05,200
would be the IPS.

87
00:05:05,200 --> 00:05:07,160
Oh, yeah.

88
00:05:07,160 --> 00:05:09,760
Some of us on the call have heard of Snort.

89
00:05:09,760 --> 00:05:10,760
What is Snort?

90
00:05:10,760 --> 00:05:12,080
What version are we on today?

91
00:05:12,080 --> 00:05:13,080
Yeah.

92
00:05:13,080 --> 00:05:14,080
So fun introduction.

93
00:05:14,080 --> 00:05:18,160
If you go to Google and type in world's best open source IPS, Snort comes up.

94
00:05:18,160 --> 00:05:20,360
So that's fun.

95
00:05:20,360 --> 00:05:26,280
Snort we acquired back in 2013 when we acquired Sourcefire. Snort is our intrusion prevention

96
00:05:26,280 --> 00:05:31,920
system and like all good movie trilogies, we've just recently upgraded to the third and the

97
00:05:31,920 --> 00:05:34,040
third is always the best film in the series.

98
00:05:34,040 --> 00:05:35,040
Right.

99
00:05:35,040 --> 00:05:43,520
Joking aside, no, Snort 3.0 has just happened in Firepower 7.0, one of the latest upgrade

100
00:05:43,520 --> 00:05:45,640
paths for Firepower.

101
00:05:45,640 --> 00:05:50,480
So essentially what the intrusion prevention system does is if there is some kind of known

102
00:05:50,480 --> 00:05:55,160
exploit, maybe just say an Apache server that somebody knows how to take advantage of, maybe

103
00:05:55,160 --> 00:05:59,640
it's a specific script, somebody has a targeted attack, the intrusion prevention system is

104
00:05:59,640 --> 00:06:04,080
there to stop those packets into the firewall.

105
00:06:04,080 --> 00:06:08,960
So it kind of adds a further layer between layer two and layer three and it's doing deep

106
00:06:08,960 --> 00:06:12,760
packet inspection to be able to determine, you know, hey, this is a known exploit, someone's

107
00:06:12,760 --> 00:06:13,760
attacking me.

108
00:06:13,760 --> 00:06:19,760
Some of the notable changes though from Snort two to Snort three and the biggest one is

109
00:06:19,760 --> 00:06:22,100
multi-threaded architecture.

110
00:06:22,100 --> 00:06:27,560
So Firepower has already had the ability to run multiple Snort processes.

111
00:06:27,560 --> 00:06:30,960
What they've done is they've opened them up and made them multi-threaded.

112
00:06:30,960 --> 00:06:38,320
So each process can now investigate hundreds of packets at any given time and we have hundreds

113
00:06:38,320 --> 00:06:41,960
of different versions of Snort running at any given time as well.

114
00:06:41,960 --> 00:06:46,000
So that increases the throughput by quite a bit.

115
00:06:46,000 --> 00:06:51,440
If you're upgrading from, you know, 6.x to 7.x and you go to Snort three, roughly is

116
00:06:51,440 --> 00:06:57,360
about a 20 to 25, even 40% throughput increase on specific devices.

117
00:06:57,360 --> 00:07:02,440
Another one, if there's any snorties out there, if anybody's written any custom Snort rules,

118
00:07:02,440 --> 00:07:05,560
we have made it much easier to write custom Snort rules.

119
00:07:05,560 --> 00:07:12,880
It's much easier human syntax, much easier to define regex out there and we've also added

120
00:07:12,880 --> 00:07:19,180
a lot of different libraries like multi-scan regex to help promote those rules and make

121
00:07:19,180 --> 00:07:22,480
more specific rules faster.

122
00:07:22,480 --> 00:07:28,760
That is Snort in a quick instance and the increases from Snort two to Snort three.

123
00:07:28,760 --> 00:07:36,640
I think it's interesting about this, the performance increase due to a software based upgrade.

124
00:07:36,640 --> 00:07:40,600
Usually when I upgrade something, software is going to slow it down a little bit if anything

125
00:07:40,600 --> 00:07:43,360
due to the larger size, but that's pretty cool.

126
00:07:43,360 --> 00:07:45,760
Oh, I did forget to mention one thing also.

127
00:07:45,760 --> 00:07:54,360
If anybody's familiar with Snort two and looking to go up to Snort three, we've added ways

128
00:07:54,360 --> 00:07:59,160
to categorize and organize these Snort rules so the user interface looks much cleaner.

129
00:07:59,160 --> 00:08:02,920
One of the more important ones I like to talk about is MITRE.

130
00:08:02,920 --> 00:08:07,600
Now we have a specific framework of intrusion rules dedicated to the techniques and tactics

131
00:08:07,600 --> 00:08:10,080
and procedures that MITRE puts out.

132
00:08:10,080 --> 00:08:13,680
If there's any incident response teams out there or any SOCs out there looking at Snort

133
00:08:13,680 --> 00:08:20,360
three, you have the ability to map Snort rules to what MITRE says that this technique is.

134
00:08:20,360 --> 00:08:25,800
You can cross examine and then follow that packet through your network as well.

135
00:08:25,800 --> 00:08:27,520
Interesting.

136
00:08:27,520 --> 00:08:34,960
When I log into my FMC and I'm looking at an IPS policy and I'll see a Snort two bond

137
00:08:34,960 --> 00:08:39,320
and a Snort three bond, if I'm a customer, what does that mean for me?

138
00:08:39,320 --> 00:08:42,160
Am I using Snort three or do I need to?

139
00:08:42,160 --> 00:08:44,480
Yeah, so you'll actually make that distinguish on the FMC.

140
00:08:44,480 --> 00:08:50,320
So it'll say, hey, this specific sensor is using a Snort three policy or a Snort two

141
00:08:50,320 --> 00:08:51,320
policy.

142
00:08:51,320 --> 00:08:54,520
Because we're not telling you that you have to use Snort three, you have the ability to

143
00:08:54,520 --> 00:08:58,640
have both a Snort two and a Snort three profile on the FMC.

144
00:08:58,640 --> 00:09:03,960
But the sensors themselves, the actual firewalls, they will only have one Snort policy.

145
00:09:03,960 --> 00:09:05,840
So you distinguish which one goes to them.

146
00:09:05,840 --> 00:09:09,520
And the reason why you have two there, of course, is there's going to be a lot of customers

147
00:09:09,520 --> 00:09:13,720
out there that have custom Snort two rules and they need to convert to Snort three.

148
00:09:13,720 --> 00:09:17,440
So it's just giving them the option to be able to say, hey, these are my Snort two rules.

149
00:09:17,440 --> 00:09:19,600
Let's see what they look like in Snort three.

150
00:09:19,600 --> 00:09:20,600
Okay.

151
00:09:20,600 --> 00:09:22,600
So, excellent.

152
00:09:22,600 --> 00:09:27,520
The other thing that I'd like to point out is that what you mentioned, Josh, it looks

153
00:09:27,520 --> 00:09:29,760
a lot cleaner than it used to before.

154
00:09:29,760 --> 00:09:30,760
Yeah.

155
00:09:30,760 --> 00:09:33,360
And more readable.

156
00:09:33,360 --> 00:09:38,160
There's a very common theme across Firepower for every upgrade that we try to do and every

157
00:09:38,160 --> 00:09:39,760
patch that gets put out.

158
00:09:39,760 --> 00:09:45,240
And that is having the most effective security policy you have while maintaining the simplest

159
00:09:45,240 --> 00:09:48,960
way to deploy it, understand it, and make sure somebody who logs into these devices

160
00:09:48,960 --> 00:09:52,120
can say, hey, these are my rules.

161
00:09:52,120 --> 00:09:53,920
These are my intrusion rules.

162
00:09:53,920 --> 00:09:56,600
And this is my routing pieces.

163
00:09:56,600 --> 00:10:03,080
So it's trying to be as simple as possible while maintaining maximum efficacy.

164
00:10:03,080 --> 00:10:05,120
There's a lot of syllables at once.

165
00:10:05,120 --> 00:10:06,120
Sorry.

166
00:10:06,120 --> 00:10:07,120
That's awesome.

167
00:10:07,120 --> 00:10:08,120
That's good.

168
00:10:08,120 --> 00:10:11,840
Seth, anything to add to that?

169
00:10:11,840 --> 00:10:12,840
Yeah.

170
00:10:12,840 --> 00:10:18,600
Just on the interface itself, you know, when you log into – I think it's your IPS rule

171
00:10:18,600 --> 00:10:19,800
you're looking at.

172
00:10:19,800 --> 00:10:20,800
I hear feedback.

173
00:10:20,800 --> 00:10:22,800
Is that – anybody else hear that?

174
00:10:22,800 --> 00:10:23,800
I don't.

175
00:10:23,800 --> 00:10:24,800
Sorry.

176
00:10:24,800 --> 00:10:25,800
Yeah.

177
00:10:25,800 --> 00:10:32,060
When you open your IPS rule, as you mentioned, there's two options, Snort two, Snort three.

178
00:10:32,060 --> 00:10:38,520
One thing you'll notice quickly is that Snort three loads significantly faster when you load

179
00:10:38,520 --> 00:10:40,800
the Snort three version of your policy.

180
00:10:40,800 --> 00:10:46,320
But once you're inside the policy as well, just visually, you'll see some differences

181
00:10:46,320 --> 00:10:47,320
there.

182
00:10:47,320 --> 00:10:51,080
It's pretty much the same as far as the way it works as Snort two, kind of like getting

183
00:10:51,080 --> 00:10:56,160
a – you know, upgrading from the family van to a sports car.

184
00:10:56,160 --> 00:11:01,440
Pretty much the features and functionality are about the same, but there's some improvements.

185
00:11:01,440 --> 00:11:03,240
One thing you'll notice is the groupings, right?

186
00:11:03,240 --> 00:11:06,460
So when you look at your rules now in Snort three on the left-hand side, you're going

187
00:11:06,460 --> 00:11:09,920
to see various groupings of rule sets.

188
00:11:09,920 --> 00:11:13,240
So for example, you might have browser rules.

189
00:11:13,240 --> 00:11:15,960
And let's say that you configured your IPS policy.

190
00:11:15,960 --> 00:11:19,600
Let's say that your base policy was Balanced Security and Connectivity.

191
00:11:19,600 --> 00:11:24,280
But maybe for whatever reason, there's a specific group of rules that you have, and

192
00:11:24,280 --> 00:11:25,820
you want to increase that.

193
00:11:25,820 --> 00:11:29,960
So I'm going to use browser as an example, and let's pick on Chrome.

194
00:11:29,960 --> 00:11:36,060
So you can take the Chrome rule, and you can edit that in the group, and you can change

195
00:11:36,060 --> 00:11:42,840
the level of the rule base for those rules specifically to be pulled from, say for example,

196
00:11:42,840 --> 00:11:45,000
Security Over Connectivity instead of Balanced.

197
00:11:45,000 --> 00:11:49,400
So even though your base policy is balanced, you can adjust those rules in the groupings

198
00:11:49,400 --> 00:11:51,700
by category to be different.

199
00:11:51,700 --> 00:11:55,040
So that's one significant difference there between two and three.

200
00:11:55,040 --> 00:11:56,040
That's cool.

201
00:11:56,040 --> 00:12:01,320
And for everybody listening in, what the recommended by Cisco is the balanced rule, correct?

202
00:12:01,320 --> 00:12:02,320
Correct.

203
00:12:02,320 --> 00:12:03,320
Balanced Security and Connectivity.

204
00:12:03,320 --> 00:12:04,320
Okay.

205
00:12:04,320 --> 00:12:06,200
So we want to know when you're spinning that up.

206
00:12:06,200 --> 00:12:10,640
Especially when you're making your first policy, you can make a balanced one, or you could

207
00:12:10,640 --> 00:12:14,240
just create an audit policy just to see what would have blocked.

208
00:12:14,240 --> 00:12:19,880
But if you're using an IPS nine times out of 10, people want to see something be blocked.

209
00:12:19,880 --> 00:12:22,000
But always take...

210
00:12:22,000 --> 00:12:24,280
Your mileage may vary with every single policy.

211
00:12:24,280 --> 00:12:28,520
These policies are updated very often by Talos.

212
00:12:28,520 --> 00:12:33,440
But they are designed for threats that are out in the network, out in the world right

213
00:12:33,440 --> 00:12:34,440
now.

214
00:12:34,440 --> 00:12:38,280
So all of those rules will be turned on or turned off depending on what's happening in

215
00:12:38,280 --> 00:12:39,600
the world.

216
00:12:39,600 --> 00:12:43,760
Firepower does a good job actually with Firepower recommendations to say, hey, you have these

217
00:12:43,760 --> 00:12:49,040
operating systems within your network, these users, these devices, and they will actually

218
00:12:49,040 --> 00:12:52,960
tell you which rules to turn on and which rules have no use for you.

219
00:12:52,960 --> 00:12:58,040
There's no reason to have 400 Apache rules if you have no Apache servers within your

220
00:12:58,040 --> 00:12:59,040
network.

221
00:12:59,040 --> 00:13:03,440
So Firepower does a really great job through Firepower recommendations to help you tune

222
00:13:03,440 --> 00:13:08,560
those firewalls after you create the base policy.

223
00:13:08,560 --> 00:13:10,920
That's good and good information.

224
00:13:10,920 --> 00:13:16,000
And one thing, if I could just throw an additional item on there too, and I see this often, right,

225
00:13:16,000 --> 00:13:21,960
in helping customers to tune their firewalls is you can use the Firepower recommendation,

226
00:13:21,960 --> 00:13:26,880
but oftentimes there's a lack of awareness of where we get that information from.

227
00:13:26,880 --> 00:13:32,120
So you have a network discovery policy that's within your FMC, and there you want to make

228
00:13:32,120 --> 00:13:34,000
sure that you are discovering hosts, right?

229
00:13:34,000 --> 00:13:39,580
By default, you're only discovering applications, and typically you'll be discovering all networks.

230
00:13:39,580 --> 00:13:41,720
So you want to make sure you adjust that.

231
00:13:41,720 --> 00:13:48,080
So you are discovering only the hosts or subnets that you're trying to protect, but you want

232
00:13:48,080 --> 00:13:53,000
to make sure as the discovery part it includes hosts as well as applications.

233
00:13:53,000 --> 00:13:59,200
That way we've got data to pull from to be able to make those recommendations.

234
00:13:59,200 --> 00:14:00,200
More good information.

235
00:14:00,200 --> 00:14:03,200
And just the first question, Mike, that's awesome.

236
00:14:03,200 --> 00:14:05,320
All right.

237
00:14:05,320 --> 00:14:13,280
So I'm going to do pretty much like a segue, and then we come back to more of that piece

238
00:14:13,280 --> 00:14:14,760
that we're talking about firewalls.

239
00:14:14,760 --> 00:14:20,960
But in the segue it's going to be on the FMC, the cloud-delivered FMC.

240
00:14:20,960 --> 00:14:27,880
So I said this question is for you if you can just briefly touch on what is cloud FMC,

241
00:14:27,880 --> 00:14:32,680
and just whatever you have to share about cloud FMC.

242
00:14:32,680 --> 00:14:33,680
Be nice.

243
00:14:33,680 --> 00:14:34,680
Yeah, sure.

244
00:14:34,680 --> 00:14:35,720
I'll try to hit the highlights.

245
00:14:35,720 --> 00:14:43,700
So cloud FMC is just pretty much think of your traditional FMC, except it's in the cloud.

246
00:14:43,700 --> 00:14:47,640
So when you think about that, what are some key differences?

247
00:14:47,640 --> 00:14:50,960
Well one of those is you no longer have hardware to maintain.

248
00:14:50,960 --> 00:14:55,880
So there's no rack space, no utility overhead, those type of things.

249
00:14:55,880 --> 00:15:01,360
When it comes to patching, uptime, all these things, these are things that, you know, especially

250
00:15:01,360 --> 00:15:06,140
in certain organizations if you've got a lot of irons in the fire, patching and updates

251
00:15:06,140 --> 00:15:11,280
can be something that gets overlooked and can actually be critical down the road.

252
00:15:11,280 --> 00:15:18,400
So with the cloud-delivered FMC, then, or cloud FMC, then Cisco takes care of that.

253
00:15:18,400 --> 00:15:21,120
You don't have to worry about that responsibility.

254
00:15:21,120 --> 00:15:23,420
That's something that we take care of.

255
00:15:23,420 --> 00:15:28,080
When it comes to your day-to-day, the navigation, you'll notice that the response time is really

256
00:15:28,080 --> 00:15:29,080
quick.

257
00:15:29,080 --> 00:15:33,360
So when you're navigating around the FMC and the dashboard, you'll see that things happen

258
00:15:33,360 --> 00:15:35,720
pretty quickly in there.

259
00:15:35,720 --> 00:15:39,780
Some other items you can think about with logging, there's a few options.

260
00:15:39,780 --> 00:15:48,360
So you could log to an offsite SIEM, perhaps to an on-prem FMC, or you could also integrate

261
00:15:48,360 --> 00:15:52,720
with security analytics and logging as well.

262
00:15:52,720 --> 00:15:55,560
So those are some of the features there.

263
00:15:55,560 --> 00:16:01,560
And if I missed anything, maybe Josh can jump in there and throw some more details in there.

264
00:16:01,560 --> 00:16:06,360
The number one reason why I see cloud FMC outside of uptime upgrades, patches, just

265
00:16:06,360 --> 00:16:09,320
kind of being automated and done for you in the background.

266
00:16:09,320 --> 00:16:14,120
The Firepower Management Center itself is a centralized management plane.

267
00:16:14,120 --> 00:16:17,480
What I mean by that is you can have an FMC on West Coast and manage firewalls on the

268
00:16:17,480 --> 00:16:18,800
East Coast.

269
00:16:18,800 --> 00:16:22,840
But those firewalls would have to traverse and go across to the West Coast, and you'd

270
00:16:22,840 --> 00:16:26,080
have to have cross and boundaries, and you'd have to have specific configurations.

271
00:16:26,080 --> 00:16:31,960
You'll have to make sure that that specific sensor on the East Coast can talk to the FMC.

272
00:16:31,960 --> 00:16:36,640
Primarily, what I see cloud FMC for is true centralized management.

273
00:16:36,640 --> 00:16:42,000
You can have just your singular FMC sitting in the cloud that we manage for you.

274
00:16:42,000 --> 00:16:48,320
And any firewall that you deploy across the world or continental United States, wherever

275
00:16:48,320 --> 00:16:51,960
you may be, you can do something like low touch provisioning and say, hey, this is my

276
00:16:51,960 --> 00:16:53,400
serial number.

277
00:16:53,400 --> 00:16:58,040
And as long as that sensor has internet connectivity, it'll automatically register over to that

278
00:16:58,040 --> 00:16:59,920
FMC.

279
00:16:59,920 --> 00:17:05,280
And you can get right to chugging along, making your policies, making those intrusion policies.

280
00:17:05,280 --> 00:17:08,400
But true, true centralized management.

281
00:17:08,400 --> 00:17:14,840
You have one policy for your firewalls, and that goes across the world.

282
00:17:14,840 --> 00:17:19,640
Anybody listening in that's like, I'm currently using the on-prem FMC.

283
00:17:19,640 --> 00:17:21,620
That sounds pretty great.

284
00:17:21,620 --> 00:17:25,360
We have a team that'll do that migration.

285
00:17:25,360 --> 00:17:30,720
I'd call that with you, with slash for you.

286
00:17:30,720 --> 00:17:34,760
And that's a no cost migration service that Cisco offers.

287
00:17:34,760 --> 00:17:36,840
So very cool.

288
00:17:36,840 --> 00:17:39,560
All right.

289
00:17:39,560 --> 00:17:48,480
Big one for me of the new stuff is, and this goes back to the TAC days, encrypted analytics

290
00:17:48,480 --> 00:17:54,880
and all this pain about decrypting all this SSL traffic and cert exchanges.

291
00:17:54,880 --> 00:17:57,560
And now I broke something.

292
00:17:57,560 --> 00:17:58,560
I don't know.

293
00:17:58,560 --> 00:18:04,480
Last I checked or heard, it was like 80% of the world's or 80% of enterprise networking

294
00:18:04,480 --> 00:18:07,040
traffic is encrypted.

295
00:18:07,040 --> 00:18:10,880
This is a problem, but it's also a good thing because it adds privacy.

296
00:18:10,880 --> 00:18:17,120
How do, can you tell us about, I won't give it away, but the new engine that Cisco Firepower

297
00:18:17,120 --> 00:18:18,120
has?

298
00:18:18,120 --> 00:18:21,080
Yeah, I mean, the power's in the name, right?

299
00:18:21,080 --> 00:18:24,560
Encrypted analytics engine, our encrypted visibility engine rather.

300
00:18:24,560 --> 00:18:27,120
But we do call it encrypted analytics.

301
00:18:27,120 --> 00:18:36,200
And a lot of stats numbers out there are, I don't know where the source comes from, but

302
00:18:36,200 --> 00:18:39,400
what I'll tell you is you can go to a hundred websites, Google anything you want.

303
00:18:39,400 --> 00:18:44,000
And if you don't see the lock that comes up on your URI bar, guarantee you're more than

304
00:18:44,000 --> 00:18:46,440
most likely going to consider not going to it.

305
00:18:46,440 --> 00:18:50,080
So yeah, a lot of traffic is encrypted.

306
00:18:50,080 --> 00:18:57,400
TLS 1.3 being the newest version of that has added some problem scenarios.

307
00:18:57,400 --> 00:19:03,960
In the past, we typically would see that the TLS handshake, the SYN, SYN-ACK, and then ACK

308
00:19:03,960 --> 00:19:05,440
come through, it wouldn't be encrypted.

309
00:19:05,440 --> 00:19:08,520
So we could pull out certs and things like that.

310
00:19:08,520 --> 00:19:10,620
So what does that mean for us, right?

311
00:19:10,620 --> 00:19:13,560
We now have a harder time decrypting anything TLS 1.3 related.

312
00:19:13,560 --> 00:19:17,980
And I say we, but the world, the world has a harder time decrypting it.

313
00:19:17,980 --> 00:19:24,800
So we have come out with the encrypted visibility engine and this allows you to do what is called

314
00:19:24,800 --> 00:19:30,680
packet fingerprinting on applications and files within your network without decrypting

315
00:19:30,680 --> 00:19:31,680
anything.

316
00:19:31,680 --> 00:19:37,520
So you don't have to spend overhead or time or compute thinking about, Hey, I need to

317
00:19:37,520 --> 00:19:43,200
have this specific SSL slash TLS rule and I only need it to be this website and I want

318
00:19:43,200 --> 00:19:44,200
it to be man in the middle.

319
00:19:44,200 --> 00:19:46,320
I need to be aware of this.

320
00:19:46,320 --> 00:19:51,480
So you simply can just go to your access control policy, turn on encrypted visibility engine,

321
00:19:51,480 --> 00:19:56,760
and what we'll do is we'll start fingerprinting specific packets for the application.

322
00:19:56,760 --> 00:20:01,920
While the certificate is still encrypted in the TLS handshake, we can still get some information

323
00:20:01,920 --> 00:20:03,400
out of it.

324
00:20:03,400 --> 00:20:08,820
Packet size, the cipher suite, and then the preference that they have for those ciphers,

325
00:20:08,820 --> 00:20:15,320
how many packets they've exchanged within that session, and then also source and destination

326
00:20:15,320 --> 00:20:20,440
gives us a lot of clues onto what is within that packet and who is communicating to and

327
00:20:20,440 --> 00:20:22,360
what the application would be.

328
00:20:22,360 --> 00:20:26,440
And that was a lot of words basically says, Hey, we can still help you block malicious

329
00:20:26,440 --> 00:20:31,560
applications, malicious files, and give you a confidence score base of that without ever

330
00:20:31,560 --> 00:20:33,480
decrypting anything.

331
00:20:33,480 --> 00:20:35,820
And that goes to TLS 1.3 as well.

332
00:20:35,820 --> 00:20:39,620
So like you said, a lot of traffic is encrypted.

333
00:20:39,620 --> 00:20:45,100
What we want is to be able to give you the ability to have a safe, secure firewall without

334
00:20:45,100 --> 00:20:50,840
having massive overhead of doing TLS decryption.

335
00:20:50,840 --> 00:20:51,840
That's super cool.

336
00:20:51,840 --> 00:20:57,280
And, you know, I set this up on my own FMC and yeah, you just click a button, you just

337
00:20:57,280 --> 00:21:00,640
do a slide bar to enable the EVE engine.

338
00:21:00,640 --> 00:21:07,000
And now I can actually enforce my policies even when they're encrypted, I still know

339
00:21:07,000 --> 00:21:08,860
which applications are flowing.

340
00:21:08,860 --> 00:21:12,220
And then mentioned the malware perspective, I can still block malware and I don't need

341
00:21:12,220 --> 00:21:14,120
to do all that decryption.

342
00:21:14,120 --> 00:21:20,560
Because we used to have to price firewalls based on where you're going to be doing SSL

343
00:21:20,560 --> 00:21:21,560
decryption.

344
00:21:21,560 --> 00:21:25,760
I mean, I'll tell you in the past, that's that's been a big pain point.

345
00:21:25,760 --> 00:21:30,680
A lot of customers, a lot of users will say, Hey, I have a one gig uplink.

346
00:21:30,680 --> 00:21:36,440
And you know, you can average how much encrypted traffic you may have.

347
00:21:36,440 --> 00:21:41,880
But honestly, if somebody really wanted to decrypt, they would likely decrypt probably

348
00:21:41,880 --> 00:21:43,800
about 60 to 70% of traffic.

349
00:21:43,800 --> 00:21:46,120
Now there's some rules out there.

350
00:21:46,120 --> 00:21:50,320
Don't decrypt medical, don't decrypt payroll, don't decrypt criminal justice, things like

351
00:21:50,320 --> 00:21:51,320
that.

352
00:21:51,320 --> 00:21:57,140
And we have great guidance on how to create, you know, a proper decryption policy.

353
00:21:57,140 --> 00:21:59,360
But there are just there are things that you don't want to decrypt.

354
00:21:59,360 --> 00:22:07,080
But what we can do is say, you know, hey, if you are looking for a firewall

355
00:22:07,080 --> 00:22:13,240
that blocks malware and blocks malicious applications, you don't have to have this massive, massive

356
00:22:13,240 --> 00:22:15,680
firewall to get one gig of decryption.

357
00:22:15,680 --> 00:22:19,040
We can be very surgical with how we create a decryption policy.

358
00:22:19,040 --> 00:22:24,800
So you say you I want to decrypt this one server or a group of users, things like that.

359
00:22:24,800 --> 00:22:30,960
And then you're not going to have this massive, you know, 60 50% hit on your firewalls just

360
00:22:30,960 --> 00:22:31,960
for decryption.

361
00:22:31,960 --> 00:22:38,560
And then you can rely and allow to supplement with encrypted visibility analytics and, you

362
00:22:38,560 --> 00:22:43,480
know, other features to help you pull out that traffic with never decrypting it.

363
00:22:43,480 --> 00:22:52,000
Yeah, just the amount of visibility we get with this is really good, actually makes

364
00:22:52,000 --> 00:22:53,000
a huge difference.

365
00:22:53,000 --> 00:22:54,560
And of course, on the resources.

366
00:22:54,560 --> 00:22:56,560
Actually, I should thank you, Andres.

367
00:22:56,560 --> 00:23:03,560
I should say everything that we do with encrypted visibility analytics, right, it's not definitive.

368
00:23:03,560 --> 00:23:04,880
So you won't see something else.

369
00:23:04,880 --> 00:23:07,760
This is a guaranteed this application.

370
00:23:07,760 --> 00:23:11,560
What we do is we give you confidence score and we say, hey, we're 90% confident that

371
00:23:11,560 --> 00:23:12,560
this is this application.

372
00:23:12,560 --> 00:23:17,360
And we base it off of the packet fingerprinting that I had mentioned before.

373
00:23:17,360 --> 00:23:21,720
But basically, you have the choice to say, I only want to block it if you're 90% sure

374
00:23:21,720 --> 00:23:25,280
or you know, your confidence score is very high.

375
00:23:25,280 --> 00:23:26,640
And that's because it is encrypted.

376
00:23:26,640 --> 00:23:30,360
We'll never be definitive of what that application 100% is.

377
00:23:30,360 --> 00:23:37,360
We just build these algorithms for you to say, hey, this application exhibits all of

378
00:23:37,360 --> 00:23:39,800
these examples that we have detected.

379
00:23:39,800 --> 00:23:43,040
And you know, we're 99% sure.

380
00:23:43,040 --> 00:23:46,740
So yeah, it's never going to be 100% all of the time.

381
00:23:46,740 --> 00:23:48,320
It is packet fingerprinting.

382
00:23:48,320 --> 00:23:52,480
And we do make very educated guesses based off of that.

383
00:23:52,480 --> 00:23:57,520
If you're on if you're listening to this and you're on 6.x, all you got to do is a software

384
00:23:57,520 --> 00:24:03,600
upgrade software upgrade to version seven, go to your go to your access policy, the little

385
00:24:03,600 --> 00:24:07,440
more tab and then the advanced settings and you'll see encrypted visibility engine.

386
00:24:07,440 --> 00:24:11,280
And you also see that TLS identity discovery that Josh mentioned as well.

387
00:24:11,280 --> 00:24:12,280
Cool.

388
00:24:12,280 --> 00:24:21,320
So Eve actually was introduced in 7.1 experimentally and then fully added as a feature in 7.2

389
00:24:21,320 --> 00:24:25,360
and then 7.4 added the ability to do malware on like payloads.

390
00:24:25,360 --> 00:24:26,360
Awesome.

391
00:24:26,360 --> 00:24:28,200
That's good information.

392
00:24:28,200 --> 00:24:30,080
All right.

393
00:24:30,080 --> 00:24:31,720
So I'm going to go to the next question.

394
00:24:31,720 --> 00:24:41,280
I know we talked a lot about all these features with Eve, with Cloud FMC, with Snort, but

395
00:24:41,280 --> 00:24:45,320
we introduced recently SD-WAN capabilities.

396
00:24:45,320 --> 00:24:50,040
So Seth, if you don't mind going over some of those capabilities, it would be nice for

397
00:24:50,040 --> 00:24:51,840
everybody to listen to.

398
00:24:51,840 --> 00:24:52,840
Sure.

399
00:24:52,840 --> 00:24:59,200
So when you think about SD-WAN, perhaps, you know, what comes to mind would be visibility,

400
00:24:59,200 --> 00:25:04,920
control, redundancy, availability, and a central point of management.

401
00:25:04,920 --> 00:25:10,740
So if you take all those same features, that functionality, you just apply that to Cisco

402
00:25:10,740 --> 00:25:16,640
secure firewall, then you have those features there on the firewall side.

403
00:25:16,640 --> 00:25:22,920
So speaking of that feature specifically that you would see with SD-WAN in the firewall

404
00:25:22,920 --> 00:25:25,240
would be policy based routing.

405
00:25:25,240 --> 00:25:33,120
So you can also route policy based for applications, ECMP support for load balancing across multiple

406
00:25:33,120 --> 00:25:34,880
ISPs.

407
00:25:34,880 --> 00:25:40,560
You have application based load balancing as well using policy based routing and also

408
00:25:40,560 --> 00:25:46,820
multiple ISP configuration with optimal path selection, which is based on application based

409
00:25:46,820 --> 00:25:48,180
interface monitoring.

410
00:25:48,180 --> 00:25:50,840
So that's just some of the features.

411
00:25:50,840 --> 00:25:56,200
One use case that you might think of where you could combine most of those would be the

412
00:25:56,200 --> 00:26:02,240
routing application traffic from the branch to the internet using direct internet access

413
00:26:02,240 --> 00:26:03,240
or DIA.

414
00:26:03,240 --> 00:26:04,920
We use a lot of acronyms.

415
00:26:04,920 --> 00:26:08,900
So I'm trying to instead of using the acronym, let me tell you what it is.

416
00:26:08,900 --> 00:26:15,440
So if you think back, for example, like in 2020, a lot of people, a lot of the workforce

417
00:26:15,440 --> 00:26:20,200
was sent home to work remotely and you had a bit of a scramble that took place, right?

418
00:26:20,200 --> 00:26:23,480
We're trying to figure out what are we going to do with all this data that's coming back

419
00:26:23,480 --> 00:26:27,440
with this VPN tunnels back to our head end.

420
00:26:27,440 --> 00:26:31,640
And one of the ways that we use to address that was with split tunneling.

421
00:26:31,640 --> 00:26:35,120
That might have been one of the recommendations that you remember from that time.

422
00:26:35,120 --> 00:26:39,560
So there might be some types of traffic that you don't need to send back across the tunnel

423
00:26:39,560 --> 00:26:41,220
to the hub site, right?

424
00:26:41,220 --> 00:26:45,280
You can just send that out your local ISP connection.

425
00:26:45,280 --> 00:26:50,440
So if you think about that, when it comes to direct internet access, it's really kind

426
00:26:50,440 --> 00:26:52,040
of the same thing.

427
00:26:52,040 --> 00:26:55,040
But what we're doing is we're just applying this to your site to site, right?

428
00:26:55,040 --> 00:26:59,460
So it's from your hub to your or your branch to your hub connection.

429
00:26:59,460 --> 00:27:03,640
So if you're over here at the branch, there might be some traffic you don't want to send

430
00:27:03,640 --> 00:27:05,440
back across the tunnel, right?

431
00:27:05,440 --> 00:27:07,840
And cause latency or bandwidth issues.

432
00:27:07,840 --> 00:27:16,200
So let's say, for example, you're at the branch location and maybe you use YouTube as, you

433
00:27:16,200 --> 00:27:20,560
know, for whatever reason, maybe it's educational or whatever, you trust that.

434
00:27:20,560 --> 00:27:22,240
And you also have Webex.

435
00:27:22,240 --> 00:27:29,120
Well, you can have each of those applications to not go across the tunnel, but to go out

436
00:27:29,120 --> 00:27:32,540
the local ISP connection.

437
00:27:32,540 --> 00:27:39,380
And then you can also combine that as well with your policy based routing.

438
00:27:39,380 --> 00:27:44,740
So let's say if you had multiple interfaces, egress interfaces on your firewall, you could

439
00:27:44,740 --> 00:27:49,680
have Webex go out one interface, you could have YouTube go out the other.

440
00:27:49,680 --> 00:27:54,640
And then you could additionally include the equal cost multipath.

441
00:27:54,640 --> 00:28:00,840
So let's say that maybe you have an application that is really sensitive to latency, right?

442
00:28:00,840 --> 00:28:07,120
It could be some voice, it might be video, it could be Webex, whatever that is.

443
00:28:07,120 --> 00:28:15,280
Then you could have monitoring, path monitoring also applied so that we would know which interface,

444
00:28:15,280 --> 00:28:19,880
which egress interface is under the most load, which one is under the least load, and we

445
00:28:19,880 --> 00:28:22,840
could direct that traffic automatically out that interface.

446
00:28:22,840 --> 00:28:28,040
So really, if you think about all the things you love about SD-WAN, just apply it to the

447
00:28:28,040 --> 00:28:29,040
firewall.

448
00:28:29,040 --> 00:28:31,040
Well said.

449
00:28:31,040 --> 00:28:36,240
I think it comes down to use cases when I meet with customers.

450
00:28:36,240 --> 00:28:39,760
Cool, I heard you guys can do SD-WAN now on Firepower.

451
00:28:39,760 --> 00:28:44,120
I'm like, yes, but let's talk about your use cases.

452
00:28:44,120 --> 00:28:46,560
What does SD-WAN mean to you?

453
00:28:46,560 --> 00:28:49,440
But yeah, great examples of that equal cost multipath.

454
00:28:49,440 --> 00:28:56,320
I've got, hey, maybe two VPN tunnels that I want to dynamically and automatically, without

455
00:28:56,320 --> 00:29:04,360
human interaction, failover between them or utilize both paths at a layer seven.

456
00:29:04,360 --> 00:29:06,240
Great stuff there, Seth.

457
00:29:06,240 --> 00:29:11,560
Again, another reason to get on that version seven because this is something that just

458
00:29:11,560 --> 00:29:14,360
gets included.

459
00:29:14,360 --> 00:29:23,960
Josh, version TLS of 1.3, you touched on that a little bit earlier and about how the part

460
00:29:23,960 --> 00:29:29,800
of that handshake is now encrypted, and it made it difficult for us to know what users

461
00:29:29,800 --> 00:29:31,920
are talking to in terms of application.

462
00:29:31,920 --> 00:29:35,480
I know you touched on it a little bit earlier, but if you could just clarify that a little

463
00:29:35,480 --> 00:29:40,680
bit more because it's really interesting knowing because people listening in are going to have

464
00:29:40,680 --> 00:29:44,120
to be dealing with that and are going to get questions from their management about, I heard

465
00:29:44,120 --> 00:29:45,120
about TLS 1.3.

466
00:29:45,120 --> 00:29:49,960
How are we going to be able to enforce our policies since the handshake is now encrypted?

467
00:29:49,960 --> 00:29:56,280
Like I said, you go on the website, you go to Google, you search for any websites that

468
00:29:56,280 --> 00:29:59,520
you want, and I guarantee you're looking for that lock.

469
00:29:59,520 --> 00:30:02,480
You can see if you go to the lock, you can see what TLS version it is.

470
00:30:02,480 --> 00:30:09,360
Maybe not everybody's using TLS 1.3 right now, but that is going to, if not already,

471
00:30:09,360 --> 00:30:14,400
is the standard of how these new websites are being programmed.

472
00:30:14,400 --> 00:30:16,640
It's what people are wanting to use.

473
00:30:16,640 --> 00:30:21,980
The biggest difference that I mentioned from 1.2 to 1.3 is the handshake is fully encrypted,

474
00:30:21,980 --> 00:30:27,320
so you can't just pull a certificate out anymore and then base the domain score, the domain

475
00:30:27,320 --> 00:30:31,200
that you're looking for, reputation off of that anymore.

476
00:30:31,200 --> 00:30:39,440
With TLS Server Identity Discovery and our ability to do TLS description, decryption,

477
00:30:39,440 --> 00:30:42,040
we do server identity.

478
00:30:42,040 --> 00:30:47,920
It's the same concept as the encrypted visibility engine, whereas instead of looking at packet

479
00:30:47,920 --> 00:30:53,240
fingerprinting, we're essentially doing source destination and packet fingerprinting on that

480
00:30:53,240 --> 00:30:55,000
original handshake.

481
00:30:55,000 --> 00:30:58,600
We're helping you determine, hey, this is the source, the destination, this is where

482
00:30:58,600 --> 00:31:01,520
they're going, and this is the server that they're trying to reach out to, and we'll

483
00:31:01,520 --> 00:31:03,920
profile the server.

484
00:31:03,920 --> 00:31:10,520
For all intents and purposes, hijack that connection, and we will see what kind of website

485
00:31:10,520 --> 00:31:14,840
or domain that they're connecting to, what servers they're connecting to, and we'll take

486
00:31:14,840 --> 00:31:17,680
that responsibility on the firewall.

487
00:31:17,680 --> 00:31:19,720
That's where TLS Server Identity comes into play.

488
00:31:19,720 --> 00:31:21,120
It's not full decryption.

489
00:31:21,120 --> 00:31:24,120
It's more of an intercept, TLS intercept.

490
00:31:24,120 --> 00:31:29,560
I was just going to say, similar to Eve and the fact that we're identifying, but we're

491
00:31:29,560 --> 00:31:32,000
not actually decrypting any payloads.

492
00:31:32,000 --> 00:31:33,000
Correct.

493
00:31:33,000 --> 00:31:34,480
It's 100% what that is.

494
00:31:34,480 --> 00:31:36,600
It's just two pieces to the same concept.

495
00:31:36,600 --> 00:31:38,740
Eve is the packet itself.

496
00:31:38,740 --> 00:31:40,080
It's the offending packet.

497
00:31:40,080 --> 00:31:46,160
It's the, hey, this is the stream, and TLS Server Identity is, this is the TLS handshake.

498
00:31:46,160 --> 00:31:48,160
It's encrypted.

499
00:31:48,160 --> 00:31:52,960
It's specifically going to be for TLS 1.3 where it's encrypted, but if it's TLS 1.2

500
00:31:52,960 --> 00:31:57,040
and that handshake is not encrypted, much easier to pull that certificate out.

501
00:31:57,040 --> 00:32:01,520
But yeah, TLS Server Identity Discovery is basically TLS intercept where we have the

502
00:32:01,520 --> 00:32:07,760
ability to pull through, see that certificate, and then make distinguished access control

503
00:32:07,760 --> 00:32:10,800
hits based off that certificate or that URL.

504
00:32:10,800 --> 00:32:15,360
Did you ask about TLS decryption, like how we do it?

505
00:32:15,360 --> 00:32:17,080
No, no, that was exactly.

506
00:32:17,080 --> 00:32:23,040
I was just wanting to know about how do you identify applications in TLS 1.3 traffic,

507
00:32:23,040 --> 00:32:24,040
and you answered that.

508
00:32:24,040 --> 00:32:25,040
Yeah.

509
00:32:25,040 --> 00:32:30,280
We're going to encrypt just that portion of that handshake only.

510
00:32:30,280 --> 00:32:32,400
We don't need to decrypt the whole payload.

511
00:32:32,400 --> 00:32:33,400
You know what?

512
00:32:33,400 --> 00:32:36,840
I don't even know if I want to say we decrypt it.

513
00:32:36,840 --> 00:32:39,560
It's more of like an intercept.

514
00:32:39,560 --> 00:32:44,480
We provide the connection to the server from the firewall where then we start to communicate

515
00:32:44,480 --> 00:32:49,600
with them and we pull out as much information as we can glean, and then we'll either scramble

516
00:32:49,600 --> 00:32:54,160
like a TCP packet and then just drop the whole thing, or we'll say, hey, this is malicious,

517
00:32:54,160 --> 00:32:58,040
and then just won't allow that connection to ever happen.

518
00:32:58,040 --> 00:32:59,040
Great.

519
00:32:59,040 --> 00:33:03,880
Guys, in the chat, there's some really good Q&A coming in from the audience.

520
00:33:03,880 --> 00:33:09,520
If we don't get to it live on the call, we will absolutely send.

521
00:33:09,520 --> 00:33:13,920
If anybody asks a question, we'll have the answer and we'll reply all to everybody on

522
00:33:13,920 --> 00:33:14,920
here.

523
00:33:14,920 --> 00:33:17,800
Real quick, Josh, I wonder if you could touch on this live one from Isaac.

524
00:33:17,800 --> 00:33:22,800
Isaac asked, is there an impact to the firewall on enabling Eve?

525
00:33:22,800 --> 00:33:26,480
Any before and after check to see the benefits of enabling Eve?

526
00:33:26,480 --> 00:33:29,680
Probably got about 15 seconds to answer that if you could.

527
00:33:29,680 --> 00:33:30,680
Okay.

528
00:33:30,680 --> 00:33:33,920
So enabling Eve, there's, I would say, minimal impact, right?

529
00:33:33,920 --> 00:33:34,920
You'll always be aware.

530
00:33:34,920 --> 00:33:39,680
If you're already over an 80% CPU threshold, maybe just be aware of the changes that you're

531
00:33:39,680 --> 00:33:40,680
making.

532
00:33:40,680 --> 00:33:44,560
But Eve is actually pretty minimal because it's simply just a predefined algorithm that

533
00:33:44,560 --> 00:33:48,880
we have cached that says, hey, this packet is exhibiting these links, these sequence,

534
00:33:48,880 --> 00:33:51,160
these ciphers, and it prefers these ciphers.

535
00:33:51,160 --> 00:33:57,440
And we can just kind of assign that to a specific application that we have in our database.

536
00:33:57,440 --> 00:34:01,720
And yes, there is, on the FMC, there's actually unified events.

537
00:34:01,720 --> 00:34:07,000
You can see something that's marked as an Eve.

538
00:34:07,000 --> 00:34:08,000
Why are my words failing me?

539
00:34:08,000 --> 00:34:09,800
It's marked as like an Eve detection.

540
00:34:09,800 --> 00:34:15,160
And it'll tell you, hey, we have given you this confidence score because it has exhibited

541
00:34:15,160 --> 00:34:16,600
these specific features.

542
00:34:16,600 --> 00:34:18,920
And it'll give you everything that we've determined it to be.

543
00:34:18,920 --> 00:34:22,220
But yeah, there's a totally before and after on your...

544
00:34:22,220 --> 00:34:27,760
If you go to the FMC analysis and unified events, and if you turn Eve on, you'll start

545
00:34:27,760 --> 00:34:31,320
to see some Eve hits on your connection events.

546
00:34:31,320 --> 00:34:36,440
That's a great call out because you can edit those columns in that analysis, unified events.

547
00:34:36,440 --> 00:34:41,080
If you edit those columns and you search for just the word encrypted and you'll see like

548
00:34:41,080 --> 00:34:44,760
encrypted engine visibility, confidence score, process name.

549
00:34:44,760 --> 00:34:45,760
That's a great call out there.

550
00:34:45,760 --> 00:34:49,720
Since you answered that one so quick, I'll throw this out either to Seth or Josh,

551
00:34:49,720 --> 00:34:50,720
another live question.

552
00:34:50,720 --> 00:34:55,560
Going back to the IPS, why should we not...

553
00:34:55,560 --> 00:34:57,680
Seth, you talked about like the balance.

554
00:34:57,680 --> 00:35:01,960
We talked about the balance IPS setting being the recommended.

555
00:35:01,960 --> 00:35:02,960
Great question, yours.

556
00:35:02,960 --> 00:35:05,920
Why would I not just turn on the maximum detection policy?

557
00:35:05,920 --> 00:35:08,240
Isn't that the most secure of all the policies?

558
00:35:08,240 --> 00:35:09,240
Oh, okay.

559
00:35:09,240 --> 00:35:11,240
Can I answer this one, please?

560
00:35:11,240 --> 00:35:12,240
Yeah, go for it.

561
00:35:12,240 --> 00:35:13,240
Okay.

562
00:35:13,240 --> 00:35:14,240
That's a valid question though.

563
00:35:14,240 --> 00:35:15,240
It is, yeah.

564
00:35:15,240 --> 00:35:18,960
The operating word is detection.

565
00:35:18,960 --> 00:35:23,440
There's two forms of intrusion prevention or intrusion rules.

566
00:35:23,440 --> 00:35:26,660
There's intrusion detection and intrusion prevention.

567
00:35:26,660 --> 00:35:30,080
Detection being the operating word is it is a full audit policy.

568
00:35:30,080 --> 00:35:33,020
It'll basically say, hey, this is an exploit.

569
00:35:33,020 --> 00:35:34,020
We see it.

570
00:35:34,020 --> 00:35:35,320
It happened.

571
00:35:35,320 --> 00:35:39,920
But because you're in detection mode, we let it through.

572
00:35:39,920 --> 00:35:44,640
If you are looking for auditing purposes and you're looking for IDS, then yeah, you can

573
00:35:44,640 --> 00:35:46,720
do maximum detection.

574
00:35:46,720 --> 00:35:50,560
If your firewall is like in a span or if it's like somewhere off on its own where it's just

575
00:35:50,560 --> 00:35:55,080
doing secondhand packet analysis, detection is great.

576
00:35:55,080 --> 00:36:00,080
But if you're putting a firewall in line and word has come down, it's like, hey, we need

577
00:36:00,080 --> 00:36:06,280
an IPS desperately because we're getting these attacks, start off with balanced security

578
00:36:06,280 --> 00:36:12,720
and connectivity and then monitor it from there and make quick subtle changes as you

579
00:36:12,720 --> 00:36:17,320
start to determine what's within your firewall and as you start to determine the connections

580
00:36:17,320 --> 00:36:18,360
that you see.

581
00:36:18,360 --> 00:36:21,760
But maximum detection is purely auditing.

582
00:36:21,760 --> 00:36:23,440
Very cool.

583
00:36:23,440 --> 00:36:24,440
Yeah.

584
00:36:24,440 --> 00:36:26,600
And it was really actually a good question.

585
00:36:26,600 --> 00:36:27,600
It's a logical question.

586
00:36:27,600 --> 00:36:29,400
It makes sense.

587
00:36:29,400 --> 00:36:34,240
But just as Josh explained, the reason for my response, like, oh, boy, is like he mentioned,

588
00:36:34,240 --> 00:36:38,720
if it's in line, you're really going to be just stopping traffic.

589
00:36:38,720 --> 00:36:41,200
It happens all the time.

590
00:36:41,200 --> 00:36:42,200
Yeah.

591
00:36:42,200 --> 00:36:45,120
I wish I could have the words changed on that.

592
00:36:45,120 --> 00:36:48,000
But I've seen it fairly often.

593
00:36:48,000 --> 00:36:52,680
If your idea, though, is maximum security, there are four types of policies.

594
00:36:52,680 --> 00:36:56,520
So there's maximum detection, there's balanced security over connection and then prioritized

595
00:36:56,520 --> 00:36:57,520
connectivity.

596
00:36:57,520 --> 00:37:03,040
And then I think there is one that's like maximum or max security or prioritized security.

597
00:37:03,040 --> 00:37:05,560
I forgot the exact names.

598
00:37:05,560 --> 00:37:07,120
I probably should have researched that.

599
00:37:07,120 --> 00:37:08,120
Sorry.

600
00:37:08,120 --> 00:37:11,800
But there is a one that's kind of like the mirror of maximum detection where it will

601
00:37:11,800 --> 00:37:17,280
also have like 50,000 rules turned on immediately and all set to block.

602
00:37:17,280 --> 00:37:19,800
But there is a mirror for it.

603
00:37:19,800 --> 00:37:20,800
Excellent.

604
00:37:20,800 --> 00:37:21,800
Thanks.

605
00:37:21,800 --> 00:37:25,520
I just wanted to get those live ones in the rest of those.

606
00:37:25,520 --> 00:37:26,920
We'll send out the answers to those.

607
00:37:26,920 --> 00:37:27,920
Thank you, guys.

608
00:37:27,920 --> 00:37:28,920
Yeah.

609
00:37:28,920 --> 00:37:29,920
Yeah.

610
00:37:29,920 --> 00:37:33,800
And I love that, you know, you were excited to answer those.

611
00:37:33,800 --> 00:37:35,800
I love the firewall.

612
00:37:35,800 --> 00:37:36,800
Passion.

613
00:37:36,800 --> 00:37:42,360
Another thing, too, like just if I can just for a moment, you know, we're talking about

614
00:37:42,360 --> 00:37:43,360
IPS.

615
00:37:43,360 --> 00:37:46,240
And I know earlier we talked about making adjustment to rules and so forth.

616
00:37:46,240 --> 00:37:51,680
However, if you're say go to policies and then intrusion policy, you're not going to

617
00:37:51,680 --> 00:37:53,840
see anything out of the box there.

618
00:37:53,840 --> 00:37:57,960
The only options you have for IPS is if you go to your access control policy rule and

619
00:37:57,960 --> 00:38:01,520
you go to inspection, you have your system provided.

620
00:38:01,520 --> 00:38:05,680
So if you do want to make changes, you have to create a new policy.

621
00:38:05,680 --> 00:38:09,600
And then you can use as a base one of those other policies.

622
00:38:09,600 --> 00:38:11,400
So I probably should have mentioned that earlier.

623
00:38:11,400 --> 00:38:12,400
That's good.

624
00:38:12,400 --> 00:38:13,400
That's good.

625
00:38:13,400 --> 00:38:14,400
All right, guys.

626
00:38:14,400 --> 00:38:16,760
So I'm going to go.

627
00:38:16,760 --> 00:38:21,800
We have three more questions prepared and I know we're running short on time, but I'm

628
00:38:21,800 --> 00:38:27,760
going to make this one real quick for you, Seth, about cloud deployment options.

629
00:38:27,760 --> 00:38:29,520
What can you share with us?

630
00:38:29,520 --> 00:38:36,400
Can we deploy firepower in Azure, AWS, GCP, film and growing overdose?

631
00:38:36,400 --> 00:38:37,400
Yeah.

632
00:38:37,400 --> 00:38:43,760
So, you know, I think usually you've got either cloud native, non-native.

633
00:38:43,760 --> 00:38:47,720
So you think of maybe there's various terms, right?

634
00:38:47,720 --> 00:38:53,400
There's cloud native, there's cloud, cloud ready, cloud deployed, various terms for this.

635
00:38:53,400 --> 00:38:58,200
But maybe if you think about your ASAv, your firepower threat defense virtual, you can

636
00:38:58,200 --> 00:39:03,320
run these in an Azure environment, AWS.

637
00:39:03,320 --> 00:39:09,680
So yes, we do have appliances, virtual appliances that run in those environments.

638
00:39:09,680 --> 00:39:15,120
Typically, you know, when you think about those devices, you're doing most of the configuration,

639
00:39:15,120 --> 00:39:16,120
right?

640
00:39:16,120 --> 00:39:19,320
You are configuring the devices themselves like normal.

641
00:39:19,320 --> 00:39:24,280
But even though you're running on another, say, a cloud provider's infrastructure, there's

642
00:39:24,280 --> 00:39:28,520
still going to be some items that you'll have to manually configure.

643
00:39:28,520 --> 00:39:33,800
Even when it comes to scaling, you can scale up pretty rapidly, but it's still going to

644
00:39:33,800 --> 00:39:39,480
require you to do some configuration typically within that environment.

645
00:39:39,480 --> 00:39:43,000
And then you have, for example, cloud native.

646
00:39:43,000 --> 00:39:52,680
So you have, it's very similar to the cloud, cloud ready, for example, I'll use that term.

647
00:39:52,680 --> 00:39:55,560
It's very similar to that.

648
00:39:55,560 --> 00:40:02,520
And especially when you think of Cisco secure firewall cloud native, you have all these

649
00:40:02,520 --> 00:40:08,440
functionalities, but you also have increased agility and availability and a really simple

650
00:40:08,440 --> 00:40:12,640
management with cloud SaaS manager or API.

651
00:40:12,640 --> 00:40:16,240
So you know, when you think about a day, things are changing rapidly.

652
00:40:16,240 --> 00:40:20,840
And that seems to be the only norm is that things change and it's happening quickly.

653
00:40:20,840 --> 00:40:24,940
And so this can cause problems for organizations that are they're scrambling to keep up with

654
00:40:24,940 --> 00:40:26,560
all of the changes.

655
00:40:26,560 --> 00:40:33,040
So with Cisco secure firewall cloud native, that's a long word, but trying to be precise

656
00:40:33,040 --> 00:40:34,320
with it.

657
00:40:34,320 --> 00:40:38,160
We can help you to roll with those changes in your organization to take advantage, for

658
00:40:38,160 --> 00:40:40,980
example, of Kubernetes orchestration.

659
00:40:40,980 --> 00:40:47,160
So as your user demand or your activity increases, then it will automatically scale up to meet

660
00:40:47,160 --> 00:40:48,920
that demand.

661
00:40:48,920 --> 00:40:52,180
In addition, we can provide always on security.

662
00:40:52,180 --> 00:40:56,280
So we're able to monitor container health and have the ability to automatically heal,

663
00:40:56,280 --> 00:40:59,840
replace or even create new containers as needed.

664
00:40:59,840 --> 00:41:03,800
And then, you know, we mentioned earlier the back in 2020, you know, a lot of people were

665
00:41:03,800 --> 00:41:08,960
having to be sent home and you had this massive remote workforce.

666
00:41:08,960 --> 00:41:10,780
And you think about all the VPNs that were needed.

667
00:41:10,780 --> 00:41:19,120
So with the Cisco secure cloud native firewall, you can quickly spin up those remote access

668
00:41:19,120 --> 00:41:20,480
VPNs as needed.

669
00:41:20,480 --> 00:41:27,740
So as things happen and change rapidly, we're able to help you to adapt and change rapidly

670
00:41:27,740 --> 00:41:28,740
as well.

671
00:41:28,740 --> 00:41:35,080
So you can probably sum it up in three words, efficiency, automation and speed.

672
00:41:35,080 --> 00:41:36,080
That was awesome.

673
00:41:36,080 --> 00:41:37,600
That was awesome.

674
00:41:37,600 --> 00:41:45,360
So for the sake of time, Josh, I want to ask you maybe in just like a minute, just briefly

675
00:41:45,360 --> 00:41:47,120
touch on hardware innovations.

676
00:41:47,120 --> 00:41:51,480
We've talked a lot about software, but hardware innovations at the end of it.

677
00:41:51,480 --> 00:41:56,160
Could you tell me about maybe like a secret knob to turn on for users listening in?

678
00:41:56,160 --> 00:41:57,320
So maybe just a minute.

679
00:41:57,320 --> 00:42:01,880
So hardware innovations in like a secret setting that you would recommend people turn on?

680
00:42:01,880 --> 00:42:02,880
Yeah.

681
00:42:02,880 --> 00:42:07,880
So let me say, look, I know everybody's probably heard, you know, Cisco is going software subscription

682
00:42:07,880 --> 00:42:10,960
where, you know, but hardware is still hardware is everywhere.

683
00:42:10,960 --> 00:42:14,600
If it's cloud, if it's your personal cloud, private cloud doesn't matter.

684
00:42:14,600 --> 00:42:15,920
Hardware is everywhere.

685
00:42:15,920 --> 00:42:19,200
So Cisco has always been heavily invested in hardware.

686
00:42:19,200 --> 00:42:22,600
And what I want everyone to do, if you're interested in, go look at some data sheets.

687
00:42:22,600 --> 00:42:26,120
The first firewall we ever created on the Firepower side was the 2100.

688
00:42:26,120 --> 00:42:30,920
It's been out for almost 10 years now versus the two newest ones that we have.

689
00:42:30,920 --> 00:42:35,880
The Firepower 1100 series and the Firepower 3100 series.

690
00:42:35,880 --> 00:42:42,000
The 1100s are either a small form unit or a one rack unit device.

691
00:42:42,000 --> 00:42:47,480
Those devices actually out power the 2100s by a lot and vice versa.

692
00:42:47,480 --> 00:42:52,100
The 3100s overpower the highest versions of the 2100s.

693
00:42:52,100 --> 00:42:54,760
We have made drastic improvement.

694
00:42:54,760 --> 00:43:01,000
I'm talking like 200% improvement on our new form factor firewalls.

695
00:43:01,000 --> 00:43:04,360
Virtually every firewall we sell is one rack unit.

696
00:43:04,360 --> 00:43:08,240
So we don't have any of these like huge line cards anymore.

697
00:43:08,240 --> 00:43:13,720
These ASR 7200s, it's taller than me and I'm six foot two.

698
00:43:13,720 --> 00:43:18,120
We have made drastic, drastic improvements on the hardware and especially with the forms

699
00:43:18,120 --> 00:43:19,120
of ASICs.

700
00:43:19,120 --> 00:43:25,520
The fact that we have a very strong partnership with NVIDIA and one of the things I want to

701
00:43:25,520 --> 00:43:30,600
say is just look out for Cisco and NVIDIA announcements.

702
00:43:30,600 --> 00:43:35,480
If you know what data processing units are, look out.

703
00:43:35,480 --> 00:43:37,360
Be ready for some news.

704
00:43:37,360 --> 00:43:42,680
And the secret thing I'll tell you about, if anybody's deployed Firepower or is looking

705
00:43:42,680 --> 00:43:47,280
into Firepower, spend some time on the objects page.

706
00:43:47,280 --> 00:43:49,920
Look at your variables.

707
00:43:49,920 --> 00:43:53,480
Virtually every single thing within Firepower is a variable.

708
00:43:53,480 --> 00:44:00,380
Not many people are making static IP to IP with a specific URL.

709
00:44:00,380 --> 00:44:03,400
Everyone is using some form of variables within their rules.

710
00:44:03,400 --> 00:44:06,800
They want things to be dynamic and they don't want to have to make hundreds of thousands

711
00:44:06,800 --> 00:44:09,600
of rules, each one static.

712
00:44:09,600 --> 00:44:13,440
And I say that by default, your home net variable is set up to zeros.

713
00:44:13,440 --> 00:44:18,600
So you're going to search every single network, whether it's inbound or outbound, and it may

714
00:44:18,600 --> 00:44:22,240
not even apply to you.

715
00:44:22,240 --> 00:44:27,680
Make your home net variable unique to your network, your IP scheme, and it's going to

716
00:44:27,680 --> 00:44:31,720
increase the throughput of your firewall tremendously.

717
00:44:31,720 --> 00:44:35,080
That's under, what, FMC, go to objects and then?

718
00:44:35,080 --> 00:44:36,080
Objects and variables.

719
00:44:36,080 --> 00:44:37,080
Objects and variables.

720
00:44:37,080 --> 00:44:38,080
Great.

721
00:44:38,080 --> 00:44:39,080
Okay.

722
00:44:39,080 --> 00:44:40,680
Thank you, Josh.

723
00:44:40,680 --> 00:44:47,200
Any, just real quick, any things people should turn on, your little secrets of FMC?

724
00:44:47,200 --> 00:44:51,560
I probably had a dozen floating in my head and now you've asked me and I can't really

725
00:44:51,560 --> 00:44:52,560
think of anything.

726
00:44:52,560 --> 00:44:58,440
But maybe, you know, one I see often, and it's really simple, is if you look at the

727
00:44:58,440 --> 00:45:02,560
access control list, so when you go to access control policy and you're looking at your

728
00:45:02,560 --> 00:45:06,760
rule set, right in the middle you've got the search bar and then right beside that is this

729
00:45:06,760 --> 00:45:11,080
little tick box and it allows you to show rule conflicts.

730
00:45:11,080 --> 00:45:17,120
So just by selecting that, I see so many firewalls where the rules maybe are out of order.

731
00:45:17,120 --> 00:45:21,560
You've got a rule you expect traffic to hit and it's being preempted by a rule above in

732
00:45:21,560 --> 00:45:22,560
that list.

733
00:45:22,560 --> 00:45:27,720
So secret knob, it's not really a secret, but it doesn't jump out at you and it can

734
00:45:27,720 --> 00:45:32,440
be just a quick visual to help you reorganize your rule set or see where something's out

735
00:45:32,440 --> 00:45:33,440
of order there.

736
00:45:33,440 --> 00:45:34,440
Awesome.

737
00:45:34,440 --> 00:45:37,640
That's great.

738
00:45:37,640 --> 00:45:38,640
That's great.

739
00:45:38,640 --> 00:45:42,920
All right, Andres, you want to kick off the next part of this?

740
00:45:42,920 --> 00:45:45,520
And what we just got about two minutes left in the show.

741
00:45:45,520 --> 00:45:49,760
So Andres, let's kick off the part everyone's been waiting for and then we'll close this

742
00:45:49,760 --> 00:45:50,760
out.

743
00:45:50,760 --> 00:45:51,760
Let's do it.

744
00:45:51,760 --> 00:45:52,760
Let's do it.

745
00:45:52,760 --> 00:45:59,720
So this is our not joke session and we're going to make it like, I don't know, a game

746
00:45:59,720 --> 00:46:06,880
and we're going to ask you one question each and then you give us your answer and whoever

747
00:46:06,880 --> 00:46:10,720
wins it's not a hot potato, I guess.

748
00:46:10,720 --> 00:46:14,200
But all right, I'm going to go with the first question.

749
00:46:14,200 --> 00:46:16,760
That one goes for you, Josh.

750
00:46:16,760 --> 00:46:24,640
And this one is, what's a secret agent's favorite thing to wear?

751
00:46:24,640 --> 00:46:25,640
Firepower?

752
00:46:25,640 --> 00:46:28,640
Pretty good.

753
00:46:28,640 --> 00:46:30,920
Secret agents would wear.

754
00:46:30,920 --> 00:46:33,160
I assume the answer is no for that one.

755
00:46:33,160 --> 00:46:35,040
Secret agent would wear something like Firepower.

756
00:46:35,040 --> 00:46:36,040
That's cool.

757
00:46:36,040 --> 00:46:37,040
Like a Firepower cape.

758
00:46:37,040 --> 00:46:38,040
Yeah, whatever you know.

759
00:46:38,040 --> 00:46:39,040
That could be the answer.

760
00:46:39,040 --> 00:46:40,040
Yeah.

761
00:46:40,040 --> 00:46:43,040
So the answer will be spyware.

762
00:46:43,040 --> 00:46:44,040
Oh, of course.

763
00:46:44,040 --> 00:46:47,040
Of course it's spyware.

764
00:46:47,040 --> 00:46:51,000
Seth, I didn't know the answer either.

765
00:46:51,000 --> 00:46:56,720
Seth, what do you call a computer mouse that swears a lot?

766
00:46:56,720 --> 00:47:02,400
Those cuss words all the time.

767
00:47:02,400 --> 00:47:03,400
I have no idea.

768
00:47:03,400 --> 00:47:12,200
He would be a cursor.

769
00:47:12,200 --> 00:47:13,960
My favorite part always.

770
00:47:13,960 --> 00:47:18,640
Guys, Josh, any super quick closing remarks?

771
00:47:18,640 --> 00:47:19,640
30 seconds.

772
00:47:19,640 --> 00:47:20,640
Thanks for having me.

773
00:47:20,640 --> 00:47:21,640
It's a pleasure to be here.

774
00:47:21,640 --> 00:47:27,040
I love the firewall, guys.

775
00:47:27,040 --> 00:47:28,040
I'll answer your question.

776
00:47:28,040 --> 00:47:29,040
You send them to me.

777
00:47:29,040 --> 00:47:31,040
I'll answer them to the best of my ability.

778
00:47:31,040 --> 00:47:33,040
And I wasn't kidding.

779
00:47:33,040 --> 00:47:38,880
Cisco has announced a couple of partnerships with NVIDIA and data processing units are

780
00:47:38,880 --> 00:47:39,880
on the rise.

781
00:47:39,880 --> 00:47:45,680
So if TLS decryption is your thing, look out.

782
00:47:45,680 --> 00:47:47,680
Very great.

783
00:47:47,680 --> 00:47:49,760
Seth, closing remarks?

784
00:47:49,760 --> 00:47:51,880
Yeah, I appreciate you having me on here.

785
00:47:51,880 --> 00:47:52,880
It's been fun.

786
00:47:52,880 --> 00:47:55,400
Good to see everybody again.

787
00:47:55,400 --> 00:48:01,720
If you have a firewall and you want to get more out of it, definitely get with the account

788
00:48:01,720 --> 00:48:02,720
team.

789
00:48:02,720 --> 00:48:08,280
That's pretty much what I do is try to help you get the most out of your firewalls and

790
00:48:08,280 --> 00:48:09,640
be happy to work with you.

791
00:48:09,640 --> 00:48:10,640
Look forward to it.

792
00:48:10,640 --> 00:48:15,360
I think we failed to mention the Firepower migration tool and team.

793
00:48:15,360 --> 00:48:20,920
If anybody has an ASA and they want to migrate from ASA to Firepower, we have a tool that

794
00:48:20,920 --> 00:48:23,280
is designed to help you do that.

795
00:48:23,280 --> 00:48:27,520
And I think Seth, is it your team that actually helps people go through and take care of that

796
00:48:27,520 --> 00:48:28,520
tool?

797
00:48:28,520 --> 00:48:31,360
Yeah, so we're part of the process, right?

798
00:48:31,360 --> 00:48:34,680
We help you learn to use the tool.

799
00:48:34,680 --> 00:48:39,880
And there's also I think there's another team that's involved, at least maybe I forget the

800
00:48:39,880 --> 00:48:45,360
timeframe, but they can actually help you with some of the migration.

801
00:48:45,360 --> 00:48:49,160
But for sure, I can help you get prepared for that as well.

802
00:48:49,160 --> 00:48:56,480
Yeah, if you're hearing this and you're like, it is time to upgrade away from our ASAs or

803
00:48:56,480 --> 00:49:00,240
from the on-prem FMC and the cloud FMC, just reach out to your Cisco account team.

804
00:49:00,240 --> 00:49:03,640
We'll put you on the, that's a zero cost to you service.

805
00:49:03,640 --> 00:49:05,840
So definitely take advantage of that.

806
00:49:05,840 --> 00:49:06,840
Great stuff, guys.

807
00:49:06,840 --> 00:49:07,840
Thank you.

808
00:49:07,840 --> 00:49:14,880
My takeaways for this, Andres, Snort 3.0, IPS that's always on actually makes my firewall

809
00:49:14,880 --> 00:49:18,120
faster and more secure.

810
00:49:18,120 --> 00:49:24,160
Cloud FMC Seth, I love not having to manage FMC myself in terms of manage the deployment

811
00:49:24,160 --> 00:49:25,160
of it.

812
00:49:25,160 --> 00:49:29,720
I like logging in to a cloud-based, Josh, you talked about firewalls geographically

813
00:49:29,720 --> 00:49:35,120
dispersed and this actually being really centralized because it's in the cloud.

814
00:49:35,120 --> 00:49:37,880
Decrypted analytics is a big one for me.

815
00:49:37,880 --> 00:49:43,480
I don't like the idea of just not being able to enforce my policies or detect malware just

816
00:49:43,480 --> 00:49:44,920
because something is encrypted.

817
00:49:44,920 --> 00:49:49,760
And I like doing that at line rate speed without actually doing SSL decryption.

818
00:49:49,760 --> 00:49:53,240
Seth, you touched on the SD-WAN capabilities.

819
00:49:53,240 --> 00:49:54,520
Very cool stuff here.

820
00:49:54,520 --> 00:49:56,560
I do a software upgrade to version seven.

821
00:49:56,560 --> 00:49:57,560
Awesome.

822
00:49:57,560 --> 00:50:00,680
All of a sudden I can utilize all these paths I have at layer seven.

823
00:50:00,680 --> 00:50:02,640
I don't need to manually do that.

824
00:50:02,640 --> 00:50:07,280
I don't need to manually be ready to get a call to start failing things over to a backup

825
00:50:07,280 --> 00:50:08,280
path.

826
00:50:08,280 --> 00:50:09,280
Right.

827
00:50:09,280 --> 00:50:12,160
Thank you for that, Mike.

828
00:50:12,160 --> 00:50:16,800
And my takeaways are going to be on the TLS server discovery.

829
00:50:16,800 --> 00:50:22,800
You just mentioned something about EVE along the same lines, just more visibility, more

830
00:50:22,800 --> 00:50:27,800
understanding of the traffic that is going through without sacrificing resources.

831
00:50:27,800 --> 00:50:28,800
That's great.

832
00:50:28,800 --> 00:50:32,920
Cloud deployment options, I think Seth, you covered a lot of that.

833
00:50:32,920 --> 00:50:40,240
And we have multiple products that we can use and we can offer services on that site.

834
00:50:40,240 --> 00:50:46,840
I don't remember seeing something about Cloud FMC, how fast it is to get it started.

835
00:50:46,840 --> 00:50:47,840
Super fast.

836
00:50:47,840 --> 00:50:49,480
There's actually a website.

837
00:50:49,480 --> 00:50:52,320
We're going to publish it on the community site.

838
00:50:52,320 --> 00:50:53,720
And it's very easy.

839
00:50:53,720 --> 00:50:56,560
It gets provisioned super quick.

840
00:50:56,560 --> 00:51:01,200
The last thing that I want to mention is the advanced configuration, the nuggets that we

841
00:51:01,200 --> 00:51:04,280
heard today from Josh and Seth.

842
00:51:04,280 --> 00:51:11,600
And this is something that you may want to look into the conflict resolution inside of

843
00:51:11,600 --> 00:51:15,120
the policies for FMC.

844
00:51:15,120 --> 00:51:16,400
The network discovery as well.

845
00:51:16,400 --> 00:51:24,040
I know you mentioned that, Seth, and make sure you turned on EVE into your policies.

846
00:51:24,040 --> 00:51:26,480
So that's all I had.

847
00:51:26,480 --> 00:51:27,480
That's awesome.

848
00:51:27,480 --> 00:51:31,600
Guys, Josh and Seth, it's been fun.

849
00:51:31,600 --> 00:51:34,600
And thanks for all the good you do in the world, keeping everyone secure.

850
00:51:34,600 --> 00:51:35,600
I mean that.

851
00:51:35,600 --> 00:51:41,280
The firewalls are such a fundamental part of the changing landscape, but they're still

852
00:51:41,280 --> 00:51:43,480
so fundamental.

853
00:51:43,480 --> 00:51:47,560
If you'd like to learn more about what we talked about today, you can reach out again

854
00:51:47,560 --> 00:51:49,440
to your Cisco account team.

855
00:51:49,440 --> 00:51:52,840
Myself, Andres, Josh offered himself up.

856
00:51:52,840 --> 00:51:55,080
Seth, that's much appreciated.

857
00:51:55,080 --> 00:52:00,640
Andres, next call, May 24th, what is it?

858
00:52:00,640 --> 00:52:02,920
Identity management, I believe.

859
00:52:02,920 --> 00:52:03,920
Identity management.

860
00:52:03,920 --> 00:52:04,920
It's going to be exciting.

861
00:52:04,920 --> 00:52:07,480
It's going to be really interesting.

862
00:52:07,480 --> 00:52:08,960
Great conversation today, guys.

863
00:52:08,960 --> 00:52:10,160
Stay secure.

864
00:52:10,160 --> 00:52:13,160
We will see you next month, everybody.

865
00:52:13,160 --> 00:52:14,160
Thank you.

866
00:52:14,160 --> 00:52:29,080
Stay safe.

