NGFWv and ASAv in Public Clouds: AWS and Azure
Pavel Rodionov, Technical Solutions Architect, Cisco GSSO
BRKSEC-2064


Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Introduction to public clouds
  • Benefits and challenges of using AWS and Azure
  • AWS and Azure components and services
• NGFWv and ASA in Azure
  • Deployment models, licensing, scaling
• NGFWv and ASAv in AWS
  • Deployment models, licensing, scaling
• Useful links
  • YouTube channel, guides and other useful information

Page 3

Applications in the data center

Full control and visibility

Page 4

Application Shift: Benefits and Challenges of Public Clouds

Public clouds, hybrid clouds, data center (on-premises clouds: hypervisors), Multi Cloud

Challenges: visibility and control; Layer 2 abstraction; security model; cloud services

Benefits: application flexibility; HA and scalability; cost

Page 5

Cloud Components

Page 6

AWS Components: Overview

• VPC (Virtual Private Cloud)
• Availability Zone
• Subnet
• EC2 Instance (Workload)
• Elastic IP
• Load Balancer (NLB, CLB and ALB)
• Internet Gateway
• Route Table
• Region
• VGW & Direct Connect (Direct Connect, Virtual Private Gateway)

[Diagram: two availability zones (us-east-1c and us-east-2c), each with inside, outside and mgmt subnets (inside-1c, outside-1c, mgmt-1c; inside-2c, outside-2c, mgmt-2c) and a workload (workload1, workload2); LB, IGW and Elastic IP; Route Table RT with destination 0.0.0.0, next-hop IGW.]

Page 7

Azure Components

• Resource Group
• Virtual Network (vNET)
• Subnet
• Workload (VM)
• User Defined Route (UDR)
• Network Virtual Appliance (NVA)
• Availability Set
• Load Balancer (Internal and External)
• Express Route
• New: Availability Zone

[Diagram: a vNET with WEB, APP and DB subnets; NGFWv / ASAv as the Network Virtual Appliance (NVA) in an Availability Set behind an LB; Gateway Subnet with a Virtual Network Gateway and Azure Express Route.]

WEB-UDR: Destination x.x.x.x, Next Hop NVA (Internal)
APP-UDR: Destination x.x.x.x, Next Hop NVA (Internal)
DB-UDR: Destination x.x.x.x, Next Hop NVA (Internal)

Page 8

New Components

Azure:
• Virtual Network (vNET)
• Availability Set
• Subnet
• Azure Virtual Machine (VM)
• User Defined Route (UDR)
• ARM Template
• Load Balancer (Internal, external and ILB Standard)
• ExpressRoute
• Public IP

AWS:
• Virtual Private Cloud (VPC)
• Availability Zone (AZ)
• Subnet
• EC2 Instance
• Route Table (RT)
• CloudFormation Template (CF template)
• Load Balancer (NLB, CLB, ALB, Internal and External)
• Direct Connect
• Elastic IP (EIP)

Security:
• Security Group, NACL
• Network Security Group and Layer 7 firewall

Page 9

Cloud Security Components

Page 10

Cisco Security Toolset

• Firewalls: NGFWv, FMCv, ASAv, and ASAv Umbrella connector
• Policies: Cloud Policy Connector, CDO
• Stealthwatch Cloud / Tetration

Page 11

NGFWv Overview: AWS and Azure

Firewall: stateful firewall, NAT, static and dynamic routing

NGFWv (FTD Appliance): AVC, NGIPS, AMP, URL, SI, VPN: IPSEC (S2S & RAVPN)

• AVC – Application Visibility and Control
• NGIPS – Next-Generation Intrusion Prevention System
• AMP – Advanced Malware Protection
• VPN – Virtual Private Network
• URL – URL filtering
• SI – Security Intelligence

Page 12

Management Options

Cisco Firepower Management Center (FMC): centralized management
Helps the administrator apply consistent policies, quickly obtain information about security events, automate response, and conduct investigations.

Slide labels: GUI and API; API

Cisco Firepower Device Manager (FDM): local management
A simple management interface for one or two devices (in HA).

Page 13

Configuration Orchestration: FMC API

FMC supports the following APIs:
• Device registration/deregistration
• Device groups
• Objects
• Access Control Policy
• Interfaces
  • Physical, subinterfaces
  • Port Channel, BVI, inline pair
• Security Zone
• NAT
• Routing
• VPN
• FTD High Availability

Configuration orchestration: API Explorer

Page 14

ASAv Overview: AWS and Azure

ASAv 9.14.x (ASA Appliance)

• Stateful F/W, NAT, routing and ACL
• VPN: IPSEC and SSL
• REST API
• Route based VPN: VTI
• Management: CLI, ASDM, CSM and CDO

Page 15

Default Cloud Security Is Not Enough

Cloud operators:
• Physical infrastructure
• Network infrastructure
• Virtualization layer

Customer:
• Network and application protection

NSG & L7FW, SG, NACL: L4 visibility and limited L7

Cisco Security for Public Cloud:
• NGFWv: firewall, AVC, NGIPS, AMP, VPN and URL filtering (L4 and L7 visibility)
• ASAv: stateful firewall, NAT, routing, ACL and VPN

Page 16

NGFWv and ASAv in Public Clouds

Page 17

NGFWv and ASAv Instances: Public and Gov Cloud

NGFWv Instance (Marketplace): c3.xlarge, c4.xlarge
FMCv Instance (Marketplace): c3.xlarge, c3.2xlarge, c4.xlarge, c4.2xlarge
c5.extralarge (6.6)
ASA instance (Marketplace): c3.large, c3.xlarge, c4.large, c4.xlarge
c5.extralarge (6.5)
m4.large, m4.xlarge

SSD storage on c3 instance and EBS storage on c4 or m4 instance
large instance is ASAv10, xlarge instance is ASAv30

NGFWv Instance (Marketplace): Standard D3, D3v2, D4v2 and D5v2 (6.5)
FMCv Instance (Marketplace): Standard D3v2 and D4v2. Available from FMC/FTD release 6.4
ASAv Instance (Marketplace): Standard D3 and D3v2

D3 and D3v2 instance is ASAv30
Standard_D3v2 (4 CPU, memory: 14GB), Standard_D4v2 (8 CPU, memory: 28GB), D5v2 (16 CPU, 56 GB)

Page 18

Deployment Modes

Page 19

NGFWv Deployment Modes

[Diagrams: Routed mode (NGFWv) - AWS; Passive mode (NGFWv) - AWS; Routed mode (NGFWv) - Azure]

• Passive mode is available only for NGFWv in AWS

Page 20

FMC in Clouds: AWS and Azure

• FMC is available in AWS
• FMC is available in Azure starting with release 6.4 (NEW: Release 6.4)

Standard_D3v2 (4 CPU, memory: 14GB), Standard_D4v2 (8 CPU, memory: 28GB)

Page 21

ASAv Deployment Modes in Clouds

[Diagrams: Routed mode (ASAv) - AWS; Routed mode (ASAv) - Azure]

Page 22

Management

Page 23

Management access – NGFWv

[Diagram, AWS and Azure side by side: NGFWv (eth0) managed from an FMC in the data center.
AWS: manage using public IP (Internet, IGW) or manage using private IP (AWS Direct Connect – DX).
Azure: manage using public IP (Internet) or manage using private IP (Azure Express Route, with a Virtual Network Gateway in the Gateway Subnet of the vNET).]

Page 24

Management access - ASAv

[Diagram, AWS and Azure side by side: ASAv managed with ASDM from the data center.
AWS: manage using public IP (Internet, IGW) or manage using private IP (AWS Direct Connect – DX).
Azure: manage using public IP (Internet) or manage using private IP (Azure Express Route, with a Virtual Network Gateway in the Gateway Subnet of the vNET).]

Page 25

Orchestration with Cisco Defense Orchestrator (CDO)

Cisco Defense Orchestrator (CDO)

• Configuration orchestration for ASA/FTDv
• CDO is licensed per device
• Cloud-based solution
• Simple integration and setup
• Consistent policies and objects

[Diagram: Cisco Defense Orchestrator reaching the devices over the Internet]

Page 26

High Availability in Clouds…

Page 27

Active/Standby HA in Modern Firewalls (how traffic flows are organized)

[Diagram labels: Active MAC, Standby MAC]


Page 29

Why doesn't this work in public clouds?

• Public clouds give no access to L2, so you cannot quickly move the MAC and IP and then use gratuitous ARP to make the switches on either side update their CAM tables. This can only be done through the Azure or AWS API, to persist the IP change on the node and then wait for that information to propagate. This takes time. Generally, quite a lot of time.

• Load balancers in Azure and AWS cannot change the path of an existing flow to a new IP address, which rules them out for a design whose main goal is moving a flow from one device to another.

Page 30

Scalable Design: Azure

Page 31

ASAv HA (Active/Backup)

ASAv HA was released in 9.8.1.200 (August 2017)

[Diagram: an Azure LB with a public frontend IP in front of an Active ASAv and a Backup ASAv in an Availability Set inside the vNET; each ASAv runs an HA Agent; the protected workloads sit on the Inside subnet, which has an Azure UDR (user defined route).]

HA Agent
• Communicates with the peer and determines the Active/Backup state
• Responds to LB probes
• Programs the Azure user defined route (UDR)

Frontend Public IP: the frontend IP is assigned on the Azure Load Balancer.

Load Balancer Probes: the load balancer probes each ASAv using a TCP handshake, and the HA agent on the Active ASAv responds to the probes.

• Traffic is steered to the active ASAv
• Routes are programmed via Azure REST APIs

UDR for Inside Subnet: Destination 0.0.0.0/0, Next Hop Active ASAv

• Integrated solution: no external scripts/agent required
• Multi-subscription support: HA modifies UDRs in multiple subscriptions
• Fast switchover: detection and switchover in seconds
• Stateless switchover: connections are not replicated

Probe port – TCP 44441, Control port – TCP 44442

YouTube: Demo1, Demo2

Page 32

Scalable Design for NGFWv and ASAv: Azure internal load balancer (ILB) standard and external load balancer

[Diagram: Internet users reach an External LB in front of firewalls FW01, FW02, FW..n (NGFWv, in an Availability Set); on the inside, the NVA Subnet (inside) sits behind an ILB Standard (VIP) with HA Port; the vNET holds the WEB, APP and DB subnets; the data center with the FMC connects through the Gateway Subnet, Virtual Network Gateway and Azure Express Route.]

DB-UDR
• Destination Default/Internet, Next Hop ILB VIP
• Destination APP, WEB & DC, Next Hop ILB VIP

APP-UDR
• Destination Default/Internet, Next Hop ILB VIP
• Destination DB, WEB and DC, Next Hop ILB VIP

WEB-UDR
• Destination Default/Internet, Next Hop ILB VIP
• Destination DB, APP and DC, Next Hop ILB VIP

GW-UDR
• Destination WEB, APP & DB, Next Hop ILB VIP

Stateless switchover
Firewalls in Availability Set

YouTube video1: overview; video2: end to end deployment demo
NGFWv ARM Template (LB Sandwich): Template
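The UDR tables on this slide steer traffic through the firewalls only if every workload subnet overrides the system routes for its peer tiers and the data center, not just the default route. The following added example (not from the slides; the address plan, the ILB VIP and the simplified route-selection model are assumptions) audits a set of workload UDRs for paths that bypass the ILB VIP:

```python
import ipaddress

# Constructed address plan; every value here is an assumption, not from the slides.
VNET = "10.0.0.0/16"
DC = "192.168.0.0/16"
ILB_VIP = "10.0.0.10"  # frontend of the internal Standard LB (HA ports)
TIERS = {"WEB": "10.0.1.0/24", "APP": "10.0.2.0/24", "DB": "10.0.3.0/24"}
FIREWALL = ("VirtualAppliance", ILB_VIP)

# Routes a subnet has without any UDR: VNet-local, default to Internet,
# and the data-center prefix learned from the ExpressRoute gateway.
SYSTEM_ROUTES = [(VNET, "VnetLocal", None), ("0.0.0.0/0", "Internet", None),
                 (DC, "VirtualNetworkGateway", None)]


def effective_next_hop(udr, dest_prefix):
    """Longest-prefix match; on equal prefix length the user-defined route wins."""
    dest = ipaddress.ip_network(dest_prefix)
    routes = [(r, 0) for r in SYSTEM_ROUTES] + [(r, 1) for r in udr]
    covering = [(ipaddress.ip_network(r[0]).prefixlen, prio, (r[1], r[2]))
                for r, prio in routes
                if dest.subnet_of(ipaddress.ip_network(r[0]))]
    return max(covering, key=lambda c: c[:2])[2]


def audit(udr_tables):
    """Return (subnet, destination, actual next-hop type) for every path
    that does not go through the firewall load balancer."""
    findings = []
    for tier, udr in udr_tables.items():
        targets = {"Internet": "0.0.0.0/0", "DC": DC}
        targets.update({t: p for t, p in TIERS.items() if t != tier})
        for label, prefix in targets.items():
            hop = effective_next_hop(udr, prefix)
            if hop != FIREWALL:
                findings.append((tier, label, hop[0]))
    return findings


def sandwich_udr(tier):
    """UDR as drawn on the slide: default, DC and the other tiers via the ILB VIP."""
    prefixes = ["0.0.0.0/0", DC] + [p for t, p in TIERS.items() if t != tier]
    return [(p, *FIREWALL) for p in prefixes]


COMPLETE = {t: sandwich_udr(t) for t in TIERS}
# Broken variant: WEB keeps only the default route, DB lost its APP entry.
BROKEN = dict(COMPLETE,
              WEB=[("0.0.0.0/0", *FIREWALL)],
              DB=[r for r in sandwich_udr("DB") if r[0] != TIERS["APP"]])

if __name__ == "__main__":
    for finding in audit(BROKEN):
        print("bypass: %s -> %s via %s" % finding)
```

A default-only UDR looks protective but leaves east-west and data-center traffic on the more specific system routes, which is why each table on the slide lists the other tiers and the DC explicitly.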

Page 33

Scalable Design: AWS

Page 34

AWS Load Balancers: ALB, NLB and CLB

Application Load Balancer
• Cookie based load balancing
• Not for firewalls

Network Load Balancer
• IP addresses as targets
• Supports ASAv and NGFWv

Classic Load Balancer
• Sends traffic to the VM interface
• Not supported with NGFWv

Page 35

NGFWv Scalable Design, AWS NLB: Network Load Balancer (NLB) or Application Load Balancer

[Diagram: a VPC with an IGW, an Elastic IP and an ALB/NLB; two availability zones, us-east-1c and us-east-1d, each with outside, inside and management subnets (outside-1c, inside-1c, management-1c; outside-1d, inside-1d, management-1d); NGFWv instances, an FMCv, WebServer01 and WebServer02; Route Table RT with subnet 0.0.0.0, next-hop IGW.]

Stateless switchover

YouTube: Demo

Page 36

NGFWv Scalable Design, AWS NLB: Network Load Balancer (NLB) or Application Load Balancer

[Diagram: a VPC with an IGW, an Elastic IP and an ALB/NLB; two availability zones, us-east-1c and us-east-1d, each with outside, inside and management subnets; additional NGFWv instances, an FMCv, WebServer01 and WebServer02; Route Table RT with subnet 0.0.0.0, next-hop IGW.]

Stateless switchover

For scalability at the Availability Zone level, several firewalls can be added.

YouTube: Demo

Page 37

Licensing

Page 38

Licensing NGFWv and ASAv in Public Clouds

Cisco Smart Licensing for NGFWv and ASAv in AWS and Azure

ASA
• Standard License: firewall, throughput
• AnyConnect Apex License: SSL, IPSEC
• AWS: Bring your own license; Hourly or Annual license
• Azure: Bring your own license; Pay as you go

NGFW
• Base License: firewall, AVC
• Term based: Threat, URL, AMP
• AWS: Bring your own license; Hourly or Annual license
• Azure: Bring your own license; Pay as you go

Note: With the Pay as you go model there is no TAC support, but you can purchase an additional support contract.

ASAv entitlement in Public Cloud

Page 39

YouTube Channel: http://cs.co/DCandCloudSecurity

Page 40

NGFWv and ASAv Marketplace Listings

AWS (Product Marketplace Listing)
• NGFWv Marketplace listing – BYOL: http://cs.co/CiscoNGFWvBYOL
• NGFWv Marketplace listing – Hourly & Annual: http://cs.co/CiscoNGFWvHourlyAnnual
• FMCv Marketplace listing – BYOL: http://cs.co/CiscoFMCvBYOL
• ASAv Marketplace listing – BYOL, Hourly & Annual: http://cs.co/CiscoASAvBYOLHourlyAnnual

Azure (Product Marketplace Listing)
• NGFWv Marketplace listing – BYOL: http://cs.co/CiscoNGFWv
• ASAv Marketplace listing – BYOL: http://cs.co/CiscoASAv
• ASAv HA Marketplace listing – BYOL: http://cs.co/AzureASAvHA

Page 41

Important Links

• Security in public cloud YouTube channel: http://cs.co/DCandCloudSecurity
• Cisco NGFWv, ASAv and FMC Chalk talk in Public Cloud: http://cs.co/PublicCloudSecChalkTalk
• Cisco ASAv licensing (BYOL): http://cs.co/ASAvLicensing
• Cisco NGFWv licensing (BYOL): http://cs.co/CiscoNGFWvLicensing

Page 42

Thank you!