The document outlines the advancements in Cisco's Hybrid Mesh Firewall, emphasizing its ability to handle modern network security challenges such as pervasive traffic encryption and evolving threat landscapes. It details the features of Cisco's Secure Firewall portfolio, including threat protection capabilities, SD-WAN functionalities, and management tools designed for hybrid environments. Additionally, it highlights the integration of AI and machine learning for enhanced security measures and the importance of a unified user experience across various platforms.

Keeping Up on Network Security with Cisco Secure Firewall

Nicholas C. Carrieri
Director of Product Management, Technical Marketing and Go-To Market
[Link]/in/nicholas-carrieri-782b3530

BRKSEC-2236

Your Speaker

Nicholas Carrieri
nicarrie@[Link]
Director, Product Management, Go To Market and Technical Marketing
Firewall Architecture, Threat Visibility, Hybrid Cloud

© 2025 Cisco and/or its affiliates. All rights reserved. BRKSEC-2236 2


Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 13, 2025.


Agenda

01 Hybrid Mesh Vision
02 Firewall Platforms
03 Threat Protection
04 SD-WAN Capabilities
05 Management
06 Workload Update
07 Hypershield

Release timeline shown on the agenda slide: FTD 7.2.8, FTD 7.4.2, FTD 7.6, FTD 7.7.0, FTD 7.7.1 and FTD 10.0, with dates running from August 2024 through November 2025 and a "Future" marker after FTD 10.0. The version tags on the following slides (FTD 7.6+, FMC 7.7 and so on) refer to this timeline.


Hybrid Mesh Firewall

Traditional "Next-Gen" Firewall is Struggling

• Pervasive traffic encryption works against deep packet inspection: TLS 1.3, DNS-over-HTTPS, QUIC (HTTP/3), certificate pinning
• New protocols impose single-flow throughput constraints: stream multiplexing in HTTP/2 and QUIC, Multipath TCP and QUIC (many application streams share one connection, so the firewall's per-flow, single-core throughput, not its aggregate throughput, becomes the limit)
• Evasive network attachment point in hybrid cloud: application connection abstraction hides where a workload actually sits, so there is no fixed chokepoint to put a firewall on
• Data sovereignty and cloud management considerations: on-prem, cloud, sovereign cloud, customer hosted


Firewalling needs to evolve to meet today's challenges

Our North Star: make it easy for organizations to reduce attack surface, prevent compromise and stop lateral movement, for every server, every flow, every app, every VM, every container, every IoT device and every user.

Traditional (perimeter and core): manage NGFW in multiple form factors.

Modern (Cisco Hybrid Mesh Firewall):
• Placement: firewall in the modern data center, cloud, campus and factory, at key chokepoints
• Threat protection: encrypted traffic at scale; prevent exploit of known and unknown threats; identity intelligence; AI app runtime guardrails; microsegmentation; protect vulnerable IoT
Hybrid Mesh Firewall: Network, Workload, Cloud

Cisco Security Cloud Control abstracts end-to-end policy intent from enforcement-point-specific configuration.

Enforcement points in the diagram: Secure Access for remote users and customers coming from the Internet; Firewall Threat Defense with SD-WAN at campus, branch and data-center edge; Multicloud Defense Gateway at the public-cloud VPC edge; Hypershield and Secure Workload on the VMs, databases and front-end/logic tiers in private and public cloud.

• Firewall Threat Defense admits Zero Trust user and SD-WAN sessions and applies network threat controls (IPS, URL Filtering, Malware) at campus, branch, and data center edge.
• Multicloud Defense applies the full security service stack (IPS, WAF, DLP) at the Virtual Private Cloud (VPC) edge.
• Hypershield expands on Secure Workload with inline threat inspection at workload and microservice level via eBPF and DPU insertion.
Cisco Hybrid Mesh Firewall

Security Cloud Control sits above all enforcement points: Secure Firewall, 3rd-party firewall, Secure Workload, Smart Switches, Secure Router, and (new) Hypershield, which spans DPU, Isovalent runtime protection and ACI.

Write policy once, enforce across the mesh.
Security Cloud Control Outcomes

One Experience
• Common user experience across products
• Centralized onboarding and provisioning
• End-to-end product interactions (e.g. Hybrid ZTNA)

Simplified Tenancy
• Cross-product trust, no manual integrations
• Extends to MSPs who don't want to provision and manage individual products

Role-Based Access
• Configure permissions once per user identity
• Manage access control and compliance auditing centrally, reducing the potential for misconfiguration
• Take advantage of IdP integration and group mapping

Shared Services
• Portfolio convergence around subscription concepts
• Enables common frameworks for hybrid deployment (policy, network, posture)
• Common services (search, notifications, AI) extend across all products


Firewall Platforms

Cisco Secure Firewall Portfolio
Full coverage, from IoT/OT and Branch/SASE to Enterprise/Carrier-class modular chassis

Secure Firewall series (all performance values for 1024B avg. packet size with NGFW traffic profile):
• 6100 Series: 150-400 Gbps, up to 5 Tbps in a 16-node cluster
• 4200 Series: 65-145 Gbps, up to 1.79 Tbps in a 16-node cluster
• 3100 Series: 10-45 Gbps, up to 0.57 Tbps in a 16-node cluster
• 1200 Series: 9-18 Gbps
• 1200 Series Compact: 6-9 Gbps
• 200 Series: 1.5 Gbps

Also in the portfolio:
• 93xx: 55-68 Gbps
• 41xx: 19-53 Gbps
• 21xx: 2.5-10 Gbps
• 11xx: 2-5 Gbps
• 1010: <1 Gbps
• ISA 3000: <0.7 Gbps

Segments covered: OT/IoT, Branch/SASE, Campus/Enterprise/Data Center/SP

Secure Firewall 1200 Overview (FTD 7.6+, ASA 9.21+)

Appliance-mode security platform for the FTD or ASA application
• Desktop (1210CE/CP and 1220CX) or rack-mount, 1RU (1230, 1240 and 1250)
• Fully integrated System-on-a-Chip (SoC) with crypto acceleration
• No multi-instance or clustering support; failover only

Copper data interfaces
• 1210-1240: 8x1GE (4xPoE on 1210CP only)
• 1250: 8x1GE/2.5GE

SFP data interfaces
• 1220CX: 2x1GE/10GE SFP+
• 1230 and 1240: 4x1GE/10GE SFP+
• 1250: 4x1GE/10GE (future 2x25GE)


Secure Firewall 1200 Architecture (FTD 7.6+, ASA 9.21+)

ARM CPU complex
• 1210-1220: 8 cores
• 1230-1240: 12 cores
• 1250: 16 cores

RAM
• 1210-1230: 16 GB
• 1240-1250: 32 GB

System bus links from the CPU complex
• Ethernet to the internal switch fabric: 1210-1240 2x10GE; 1250 1x50GE
• Inline crypto accelerator: 1210-1240 1x10GE; 1250 1x25GE
• Management interface: 1x1GE

Internal switch fabric
• On-board copper interfaces: 8x1GE
• On-board SFP interfaces: 1220 2x10GE; 1230-1240 4x10GE; 1250 2x10GE + 2x25GE


Secure Firewall 1200 Performance (FTD 7.6+, ASA 9.21+)

Test                                   1210CE/CP   1220CX    1230      1240      1250
FTD AVC+IPS (HTTP, 1024B avg packet)   6 Gbps      9 Gbps    11 Gbps   15 Gbps   22 Gbps
ASA (TCP, 1024B avg packet)            6 Gbps      15 Gbps   18 Gbps   20 Gbps   20 Gbps
IPsec VPN (TCP, 1024B avg packet)      5 Gbps      10 Gbps   13 Gbps   18 Gbps   22 Gbps


Threat Protection

QUIC Decryption and Inspection (FMC 7.6+)

QUIC (HTTP/3) runs over UDP and uses the TLS 1.3 handshake with QUIC's own packet protection in place of TLS records.

Handshake as drawn on the slide:
Client -> Server: Initial (ClientHello)
Server -> Client: Initial (ServerHello), then Certificate and Finished (these two travel in Handshake packets, not Initial packets)
Client -> Server: Finished, HTTP request
Server -> Client: HTTP response
Then: HTTP session data

• Until now, all firewall vendors have required a downgrade to HTTP/2 for inspection, i.e. blocking QUIC on UDP/443 so that the browser falls back to TLS over TCP
• Some browsers ignore an Enterprise CA in the local trust store for decryption
• The Encrypted Visibility Engine has supported QUIC apps (fingerprint-based classification without decryption) since FTD 7.3
• Full QUIC decryption and inspection is supported in FTD 7.6
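Added example, not code from the deck or from Cisco: why an on-path device can read a QUIC Initial packet and why that still does not give it the HTTP/3 payload. QUIC v1 (RFC 9000/9001) protects every packet, including the one carrying the TLS ClientHello, but the keys for Initial packets are derived by HKDF from a fixed, public salt and the client's Destination Connection ID, which is sent in the clear. Anything on the path can derive the same keys and read the SNI from the ClientHello; the 1-RTT keys that protect HTTP requests are not derivable this way, which is why inspection needs either full QUIC decryption (FTD 7.6) or a forced fallback to HTTP/2 over TCP. The function names and the `udp443_verdict` policy are my own; the sample packet is constructed here, reusing the DCID from the RFC 9001 test vectors. Standard library only.

```python
"""QUIC v1 Initial packets: public header fields and on-path key derivation."""
import hashlib
import hmac
import struct

QUIC_V1 = 0x00000001
# Fixed salt for QUIC version 1 initial secrets (RFC 9001, Section 5.2).
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_label(secret: bytes, label: str, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 7.1) with an empty context. Every
    QUIC output here is <= 32 bytes, so one HMAC block (T(1)) is enough."""
    full = b"tls13 " + label.encode()
    info = struct.pack("!H", length) + bytes([len(full)]) + full + b"\x00"
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]


def initial_keys(dcid: bytes, side: str) -> dict:
    """AEAD key, IV and header-protection key for Initial packets sent by
    `side` ("client" or "server"), per RFC 9001 Section 5.2. Only the DCID
    (cleartext on the wire) and a public salt go in, so any observer can do this."""
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    side_secret = hkdf_expand_label(initial_secret, f"{side} in", 32)
    return {
        "secret": side_secret,
        "key": hkdf_expand_label(side_secret, "quic key", 16),
        "iv": hkdf_expand_label(side_secret, "quic iv", 12),
        "hp": hkdf_expand_label(side_secret, "quic hp", 16),
    }


def parse_long_header(pkt: bytes):
    """Version, packet type and connection IDs of a QUIC long-header packet,
    or None if the datagram is not one. Only unprotected fields are read; the
    packet number and payload stay encrypted."""
    if len(pkt) < 7 or not (pkt[0] & 0x80):
        return None  # short header (1-RTT) or not QUIC at all
    version = struct.unpack("!I", pkt[1:5])[0]
    ptype = (pkt[0] & 0x30) >> 4  # v1: 0 Initial, 1 0-RTT, 2 Handshake, 3 Retry
    pos = 5
    dcid_len = pkt[pos]
    pos += 1
    dcid = pkt[pos:pos + dcid_len]
    pos += dcid_len
    if pos >= len(pkt):
        return None
    scid_len = pkt[pos]
    pos += 1
    scid = pkt[pos:pos + scid_len]
    if len(dcid) != dcid_len or len(scid) != scid_len:
        return None
    return {"version": version, "type": ptype, "dcid": dcid, "scid": scid}


def udp443_verdict(pkt: bytes, allow_quic: bool) -> str:
    """Policy a firewall without QUIC decryption applies on UDP/443: dropping
    client Initial packets makes browsers fall back to HTTP/2 over TCP/443,
    where the existing TLS decryption policy can inspect the session."""
    hdr = parse_long_header(pkt)
    if hdr is None or hdr["version"] != QUIC_V1:
        return "allow"  # not QUIC v1; leave it to the regular UDP rules
    if hdr["type"] == 0 and not allow_quic:
        return "drop-initial"
    return "allow"


# Constructed sample: the start of a client Initial whose DCID is the one used in
# the RFC 9001 test vectors, zero-length SCID, no token. The trailing zero bytes
# stand in for the (protected) packet number and payload.
SAMPLE_DCID = bytes.fromhex("8394c8f03e515708")
SAMPLE_INITIAL = (b"\xc3" + struct.pack("!I", QUIC_V1) + bytes([len(SAMPLE_DCID)])
                  + SAMPLE_DCID + b"\x00" + b"\x00" + b"\x44\x9e" + b"\x00" * 16)

if __name__ == "__main__":
    hdr = parse_long_header(SAMPLE_INITIAL)
    keys = initial_keys(hdr["dcid"], "client")
    print("DCID on the wire:", hdr["dcid"].hex())
    print("client Initial AEAD key (derivable by anyone on path):", keys["key"].hex())
    print("verdict with QUIC blocked:", udp443_verdict(SAMPLE_INITIAL, allow_quic=False))
```

The point for a decryption policy: the SNI a firewall matches URL or category rules on is recoverable from the QUIC Initial with nothing but these derived keys, so "QUIC app visibility" does not imply the firewall has broken the session; everything after the handshake is under keys only the two endpoints hold.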
Simplified TLS Decryption Policy (FMC 7.6)

Decryption is not required for all visibility
• URL Filtering and some AppID work without decryption (from the SNI and server certificate)
• IPS and File/Malware policies require full decryption, since they need the cleartext payload
Native TLS 1.2 and 1.3 decryption
Wizard-style flow for the Decryption policy
• Outbound (re-sign) decryption is ineffective for most SaaS apps, which pin certificates or otherwise refuse an interposed CA
• Inbound (known-key) decryption gives full control, because the firewall holds the application server's private key


SnortML: Neural Exploit Detector (FMC 7.6+)

Traditional IPS rules are based on known, fixed patterns
• Slight changes to payload patterns can evade static signatures
• Undisclosed or new vulnerabilities take time to become signatures
SnortML uses machine learning to expand IPS capabilities
• Trained on all known variants of a given vulnerability class
• Detects new patterns for that vulnerability class without a static signature
• TLS or QUIC decryption is still required, since the model only sees cleartext payloads
• Supports command injection and SQL injection attacks today
Intelligent Decryption Bypass (FMC 7.7)

Built into the Decryption Policy creation wizard
• Driven by EVE client-threat scoring and URL Category/Reputation
• Creates and enables a Do Not Decrypt rule


Rule-Level Configuration of Intelligent Decryption Bypass (FMC 7.7)

• New Client Threat tab in the Decryption Rule Editor
• Client Threat: identified by EVE
• Threat levels: Very Low to Very High (or Any)
• For traffic originating from clients that EVE identifies as Very Low threat, decryption is bypassed
• Recommended to add a URL Category and Reputation filter, so that a low-risk client is not granted a bypass towards a high-risk destination


Block Insecure TLS Versions & Certificate Statuses (FMC 7.7)

Built into the Decryption Policy creation wizard.

Decryption Policy with Auto-Generated Rules (FMC 7.7)

The wizard generates:
• Rules for certificate status and TLS versions (block)
• A rule for Intelligent Decryption Bypass (EVE)


SD-WAN Capabilities

Simplifying Branch Deployments (FMC 7.0+)

Secure elastic connectivity
• Configure route-based VPN VTI tunnels between branches (spokes) and headquarters (hubs)
• IPv6 overlay support
• BGPv6 over VTI
• EIGRP, OSPF and BGP over VTI
• DVTI supports DHCP (spokes)

High availability with near-zero network downtime
• Multi-ISP configuration
• Active-standby backup VTI tunnel configuration with SLA monitoring
• Optimal path selection based on interface monitoring
• HA management with dual WAN links via data interface

Increased usable bandwidth / WAN optimization
• ECMP support for load balancing across multiple ISPs
• ECMP support for VTI
• Application-based load balancing using policy-based routing
• SD-WAN monitoring dashboard with application performance

Direct internet access for public cloud and guest traffic
• SaaS application detection (first packet, using DNS snooping)
• Policy-based routing using application, user and SGT as matching criteria
• Local tunnel ID support for Umbrella

Simplified management
• Zero Touch Provisioning
• Data interface management
• Auto config rollback
• Bulk pre-provisioning with device templates
• Umbrella SASE auto-tunnel deployment
• BGP AS Override
• Simplified branch-to-hub communication using the SD-WAN wizard


Recovery CLI Example (FMC 7.7)

Emergency local configuration changes when management connectivity is not available
• Always available, but intended for FMC-down emergencies only
• Currently supports CLI configuration changes for: static routes, dynamic routing (BGP and OSPF), prefilters, site-to-site VPN, interface configurations
• Manual reconciliation is required once the firewall is connected to the central manager again; local changes are not merged into FMC policy on their own


Universal Zero Trust Network Access (ZTNA) (FTD 7.7.1)

Components in the diagram: a remote user running Secure Client; Secure Access and App Connectors in front of public-cloud apps; Firewall Threat Defense instances, managed by Firewall Management Center, in front of private-cloud apps.

1. Secure Access provisions the private-cloud Firewall Threat Defense instances with the appropriate private application access policies.
2. Secure Client creates a control connection to Secure Access. It is used to authenticate and authorize application access and to select the appropriate edge device based on policy or proximity.
3. Per-application tunnels to public apps, or to private apps requiring advanced inspection features (e.g. DLP), go through Secure Access and App Connectors.
4. Eligible per-application tunnels to private apps are automatically directed to the closest edge Firewall Threat Defense instance for full threat inspection.


Consistent Zero Trust Access: Hybrid Private Access (FTD 7.7.1)

• Unified management and distributed enforcement for cloud and on-premises
• Dynamic steering of traffic through the nearest enforcement point via Trusted Network Detection (TND)
• Protect your existing firewall investments while moving towards a Zero Trust model


Management

Firewall Upgrade Improvements over Releases
Progress: achieving 80% of the North Star with 7.7, targeting complete realization with 7.8

North Star legend: 🟣 Swift, ◽️ Simple, 🔻 Success (reduce failures, target 99.5% success)

7.0
• 🟣 ◽️ Fleet upgrade improvements
• 🟣 ◽️ FMC: UX = 9-click improvement

7.2
• 🔻 FMC and device: fixed 52 upgrade defects
• 🟣 ◽️ FMC and device: package management and landing page improvements = upgrade process can be completed without leaving the product
• 🟣 ◽️ FMC: new Upgrade Wizard, single landing page

7.4
• 🟣 FMC: reduced backup time significantly
• 🟣 ◽️ FMC: in-product notifications for suggested releases, no more finding out about releases ad hoc = 4-click improvement

7.6
• 🟣 ◽️ FMC and device: removed the need for a Readiness Check before upgrade; FMC -> 3-click upgrade
• 🟣 FMC: reduce backup time by 75%
• 🟣 FMC and device: reduce upgrade image size by 25%
• 🟣 🔻 FMC and device: install scripts redesign; 200+ scripts reviewed for purpose and modernized, potential 25% time reduction
• 🟣 FMC: reduce reboot time, target -75% from 7.2.4
• 🟣 ◽️ Device: direct pull of image, 1 click
• 🔻 Reduce failures, target 99.5% success

7.7
• 🟣 ◽️ Wizard enhancement: reduce the need to switch FMCs during upgrades, reduce time, reduce user interactions/clicks
• 🔻 Reduce failures, target 99.5% success
• 🔻 FMC and device: build telemetry about upgrades = proactive recognition of patterns or problems

10.0 (future)
• 🟣 ◽️ FMC: HA simplification, reduce clicks by 50%
• 🟣 ◽️ Complete FMC and FTD install scripts redesign, 25-40% time reduction
• 🟣 ◽️ Deployment only when needed

Firewall Upgrade Dashboard (FMC 7.7)


Policy Analyzer and Optimizer (FMC 7.6)

Provided in CDO for cloud-delivered and privately onboarded FMC

Expanded set of ACP rule conflict and anomaly detection
• Partially overlapping and shadowed rules, and fully redundant objects and rules
• Expired time-based rules and unused (zero hit count) rules
• Identification of mergeable rules
All conflicts allow for user-supervised automated remediation
• Remove fully redundant objects and rules
• Remove unused and expired rules
• Merge similar adjacent rules into one

Policy Analyzer and Optimizer Dashboard (FMC 7.6+)
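Added example, not Cisco's Policy Analyzer code: the rule anomalies the slide lists, computed over a constructed access-control policy with the same first-match, top-down semantics an ACP uses. It goes slightly beyond the slide by separating "shadowed" (fully covered by an earlier rule with a different action, so never enforced) from "partially overlapping" (a conflict whose outcome depends on the packet), because the two call for different remediation. Rule fields, names and the sample policy are my own simplifications (one CIDR per side, one TCP port range); nothing here reflects how FMC stores rules. Standard library only.

```python
"""ACP anomaly detection: redundant, shadowed, conflicting, unused, mergeable."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "block"
    src: str             # IPv4/IPv6 CIDR
    dst: str
    ports: tuple         # inclusive TCP port range (lo, hi)
    hits: int = 0        # hit count as the manager would report it


def _net_covers(outer: str, inner: str) -> bool:
    return ip_network(inner).subnet_of(ip_network(outer))


def _ports_cover(outer: tuple, inner: tuple) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b would already have matched a."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and _ports_cover(a.ports, b.ports))


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet matches both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def analyze(rules: list) -> list:
    """Return (finding, rule, related_rule) triples in policy order.

    redundant : fully covered by an earlier rule with the same action; safe to delete
    shadowed  : fully covered by an earlier rule with a different action; it is never
                hit and its intent is silently not enforced
    conflict  : partial overlap with an earlier rule of a different action; the
                outcome depends on the packet, so a human has to decide the order
    unused    : zero hits, and not already explained by shadowing/redundancy
    mergeable : same action, same endpoints and a port range contiguous with the
                next rule's, so the pair collapses into one rule
    """
    findings = []
    for i, r in enumerate(rules):
        explained = False
        for e in rules[:i]:
            if covers(e, r):
                kind = "redundant" if e.action == r.action else "shadowed"
                findings.append((kind, r.name, e.name))
                explained = True
                break
            if e.action != r.action and overlaps(e, r):
                findings.append(("conflict", r.name, e.name))
        if r.hits == 0 and not explained:
            findings.append(("unused", r.name, None))
        if i + 1 < len(rules):
            n = rules[i + 1]
            if (r.action == n.action and r.src == n.src and r.dst == n.dst
                    and r.ports[1] + 1 == n.ports[0]):
                findings.append(("mergeable", r.name, n.name))
    return findings


def merge_adjacent(a: Rule, b: Rule) -> Rule:
    """Remediation for a 'mergeable' finding: one rule spanning both port ranges."""
    return Rule(f"{a.name}+{b.name}", a.action, a.src, a.dst,
                (a.ports[0], b.ports[1]), a.hits + b.hits)


# Constructed sample policy (not taken from any real deployment).
SAMPLE_POLICY = [
    Rule("web-allow",    "allow", "10.0.0.0/8",    "192.168.1.0/24",  (443, 443), hits=120),
    Rule("web-allow-hq", "allow", "10.1.0.0/16",   "192.168.1.0/24",  (443, 443), hits=0),
    Rule("block-lab",    "block", "10.2.0.0/16",   "192.168.1.10/32", (443, 443), hits=0),
    Rule("block-guest",  "block", "10.9.0.0/16",   "192.168.0.0/16",  (443, 443), hits=0),
    Rule("api-80",       "allow", "172.16.0.0/12", "192.168.2.0/24",  (80, 80),   hits=5),
    Rule("api-81-90",    "allow", "172.16.0.0/12", "192.168.2.0/24",  (81, 90),   hits=3),
]

if __name__ == "__main__":
    for kind, rule, related in analyze(SAMPLE_POLICY):
        print(f"{kind:9} {rule}" + (f"  (vs {related})" if related else ""))
```

Reading the sample: `block-lab` is the dangerous case. Its hit count is zero not because nobody talks to that host but because `web-allow` above it already permits the traffic; deleting it as "unused" would hide the fact that a block the administrator wanted is not in effect. That is why the analyzer reports shadowing before it reports unused rules, and why remediation should stay user-supervised as the slide says.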


FMC View: AI Interactive Assistant (FMC 7.6+)

Security Cloud Control: AI Ops and Insights (shipping)

• Capacity planning of RAVPN: predictable headend capacity that stops capacity issues before they happen
• Elephant flow detection: quickly and easily identify and remediate elephant flows before they cause a network issue
• Apply best-practice recommendations: hundreds of best practices from the TAC database applied in real time to your configuration
• Policy Analyzer and Optimizer: reduce misconfigurations and optimize security posture with in-product remediation


Workload

Secure Workload Architecture

The diagram shows the Secure Workload Policy Center on the administration network, taking inputs from Cisco ISE, DNA Center and Cyber Vision (campus, IoT device, employee and guest networks) and from the Software Defined Access and NSX/other network fabrics, with AnyConnect NVM and DNS as additional sources. The numbered steps are:
1. Telemetry from workloads, endpoints and the network
2. Context from ISE, DNA Center and Cyber Vision
3. Policy
4. Policy analysis
5. Enforcement on the application workloads (container, bare metal, VM) and in the network
Workload Segmentation with Nvidia DPU (Workload 3.9)

• Nvidia DPU adds advanced microsegmentation in hybrid cloud
• Expanded inter-application visibility with a DPU-resident Workload agent
• Future inline inspection and crypto acceleration capabilities

Diagram: a generic x86 compute platform (x86 CPU complex running App 1 and App 2) with a DPU-equipped NIC between the host and the external network; the DPU's general-purpose Arm cores host the Workload agent alongside a crypto and regex engine. The value of this placement is that enforcement runs outside the host operating system, so a compromised host cannot stop or tamper with the agent the way it could with a host-resident one.


Hypershield

Cisco Hypershield Use Cases

Autonomous Segmentation
• Deep understanding of app behavior
• Comprehensive inputs for policy creation
• Constantly adapting to changing apps

Distributed Exploit Protection
• Mitigate known and unknown vulnerabilities
• Surgical mitigating controls
• Protection within minutes, while the app keeps running

Cisco N9300 Smart Switch: a platform to enable stateful services

N9300 Series Smart Switches: converge stateful services and network
• 800G stateful services throughput and scale
• 24-port 100G
• 4.8T Silicon One + 4 AMD DPUs
• 1 RU

Cisco Hypershield: integrated security (license add-on)
• Intelligent security policy placement
• Self-qualifying policy updates
• Policy unified with workload/network enforcement, public and private clouds


Conclusion

Cisco Security Beta Programs
Sign up now: [Link]

"I've been involved in many beta programs... I must say that this one has been the best organized. This beta takes a very active, hands-on approach."
Higher-Ed Beta Customer

Early feedback programs, beta software access, product training, influence on the product roadmap. Presented by Security Customer Insights.

Join our Security Research Community
Participating in design research gives you a place to share your thoughts and experiences to influence the future of Cisco Security Products.

Complete your session evaluations
• Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2026.
• Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.
• Level up and earn exclusive prizes!
• Complete your surveys in the Cisco Live mobile app.

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at [Link]/on-demand

Contact me at: nicarrie@[Link]

Love Cisco Security? Tell your peers! Share what you're most proud of! Join us at World of Solutions, Hall C, Kiosk #2549.

Thank you