Cisco Network Firewall Best Practices You Should Follow.

At Tufin, we know how important it is to monitor, maintain, and enhance your network security to protect your infrastructure and your operations from cybersecurity threats. That’s why Tufin’s approach to security automation and orchestration is so comprehensive.   

Yet we also work with a wide range of partners whose equipment is on your network and who you trust to help keep you secure. One of Tufin’s deepest partnerships is with Cisco, which includes end-to-end visibility across Cisco’s application-centric infrastructure. Tufin also offers seamless integration and security policy automation for Cisco’s next-generation firewalls.

Cisco firewalls have long been crucial to many network defenses but managing them can be complex. In this post, we will explore how to think about Cisco firewalls, the best practices you should follow when deploying Cisco firewalls (as well as some troubleshooting tips), and how Tufin can help enhance Cisco firewall management and network security.

How Cisco Firewalls Work  

You may be familiar with Cisco Adaptive Security Appliance (Cisco ASA), Cisco’s family of legacy stateful firewalls. Cisco ASA operates from Layer 2 to Layer 4 in the network, conducts scalable routing, and performs application inspection. However, for several years, Cisco has encouraged its customers to migrate away from Cisco ASA and toward its next-generation firewall, Cisco Firepower NGFW. 

Cisco Firepower offers all Cisco ASA benefits regarding access control and traffic filtering. Still, it provides several distinct advantages in terms of application and threat visibility, capabilities, and architecture, including:

• Integrated next-generation intrusion prevention system (NGIPS) and advanced malware protection capabilities that let admins see where threats have originated and then have the tools to stop them 

• URL filtering prevents internet access to malicious sites  

• Access to threat intelligence from Cisco’s Talos team of threat researchers  

• Enhanced reliability and uptime  

• Deep integration with other elements of Cisco’s Integrated Security Architecture   

Cisco says it aims to make a migration from Cisco ASA to Cisco Firepower NGFW easy with its Cisco Secure Firewall Migration ToolCisco Secure Firewall Migration Tool. The tool automatically converts the configuration of a supported Cisco ASA platform to a supported Cisco NGFW running its Firepower Threat Defense (FTD) platform.

Tufin also helps to smooth the migration, allowing you to automate, optimize, and migrate rule sets from Cisco ASA firewalls to Cisco Firepower NGFW systems without the complexity of console management. 

Make sure you are using a Microsoft Windows 10 64-bit operating system or macOS version 10.13 or higher.    

Regarding access control lists (ACL), the Firepower Migration Tool provides support to identify and segregate ACLs that can be optimized (disabled or deleted) from the firewall rule base without impacting the network functionality from firewalls. ACL Optimization supports the following ACL types:

• Redundant ACL: When two ACLs have the same config and access rules, removing the non-base ACL will not impact the network 

• Shadow ACL: The first ACL completely shadows the config of the second ACL    

Cisco Firewall Best Practices and Troubleshooting Tips  

There are many best practices you should follow when configuring and managing Cisco Firepower firewalls running on Cisco FTD. According to Cisco, they can be broken down into several categories, and here is a high-level look at them:    

• Access policies: Focus on rationalizing rulesets (something Tufin SecureChange+ can automate) and streamlining and optimizing your firewall rules. Sometimes, firewall rules have grown out of date or are duplicative. It would help to use pre-filter policies to exclude network traffic that doesn’t require additional scrutiny. Additionally, it would help if you defined which kinds of inbound traffic and which IP addresses should be blocked automatically, which traffic and IP addresses need encryption and decryption, and an SSL decryption policy.   

• Intrusion prevention system policies: Test your IPS policies before deploying them, configure variable sets to increase detection accuracy, populate them with information that reflects your environment and potential vulnerabilities, and use Firepower Recommendations to protect network assets, routers, web servers, and applications.  

• Malware policies: Use the default value under “Advanced” unless your environment dictates otherwise, define which traffic flows require malware inspection, and then optimize policies for those flows.  

• SSL policies: When defining the flows that need decryption and require an SSL decryption policy, use the minimum number of attributes to uniquely classify the traffic. Make sure these policies align with corporate policies and are in line with your overall security posture.  

• Identity policies: If you are using passive authentication with the Cisco Firepower User Agent, ensure all domain servers are targeted and only include groups needed for policy enforcement.  

• Network analysis policies: Align your network analysis policy to your intrusion prevention system policy (e.g., if your IPS policy balances connectivity and security, ensure your network analysis policy does the same.).”    

You may encounter challenges with Cisco Firepower. For example, clients traversing FTD cannot access an internal web server; however, other clients on the server subnet can.   

Here are some key troubleshooting techniques you should also consider for Cisco Firepower and Cisco FTD:   

• Policy deployment: You may encounter issues related to misconfiguration, communication, database and system health, software defects, and other issues. Cisco recommends starting troubleshooting sessions on the Firewall Management Center appliance.  

• Device rule issues: Go to settings à Firewall Analyzer à Device Rule page. You can try deleting failed devices, adding rules, and providing mandatory values.  

• TCP Ping: Verify bi-directional TCP connectivity from FTD to a remote server using an injected packet. This provides FTD policy and upstream path verification without client host access. Further, TCP RST and ICMP error responses are intercepted and displayed, providing mandatory values.  

• Telnet tests: Run a quick Telnet test to the port of the destination IP server from your firewall or proxy servers. If you can connect, move on to the next firewall. If you can’t connect, a third party may allow file transfer protocol access on their firewall or SMTP server.  

• Resetting a Cisco FTD appliance: If FMC manages the FTD, you can reset the device to factory default by removing the manager or switching firewall mode from CLI. This will delete all firewall configurations pushed down from the FMC.

How Tufin Can Simplify Your Cisco Firewall Management   

Tufin enables you to manage your Cisco firewalls easily, broader Cisco network security products (e.g., ACI, Meraki, routers and switches, and CiscoSD-WAN), and other vendors’ firewalls. With Tufin, you can eliminate risky manual processes and strengthen network security with network change automation.   

Specifically, you can deploy more customizations and automation than Cisco’s Firewall Management Center. Tufin’s native integration with Cisco’s NGFWs enables complete rule lifecycle management, beginning with visibility, through change management workflow and automation.

With this integration, you can gain centralized, real-time visibility into interfaces, firewall configurations, and policy violations from multiple NGFWs, such as Cisco Firepower, to all leading cloud networks and vendors. You can also save time by automating rule cleanup and policy optimization to reduce your attack surface, improve network performance, and always remain audit-ready.  

To learn more about how Tufin can help automate and orchestrate your security, sign up for a live demo.