This document contains questions and answers about Cisco Adaptive Security Appliance (ASA) firewalls. Some key points addressed include:
- Real-world throughput specifications for various ASA models
- Features supported in ASA clustering configurations
- How the ASA can integrate with IPS modules to detect intrusion threats
- Options for blocking specific traffic types like HTTPS, Facebook, and torrents
- Compatibility of features like site-to-site VPNs and remote access in clustered or multi-context modes
Mod Security is an open source web application firewall module for Apache. It provides protection from a range of attacks against web applications by allowing HTTP traffic monitoring and real-time analysis. It uses regular expressions and rules to detect and block common exploits. The document provides steps to install Mod Security on Ubuntu, configure OWASP rules, test with a SQL injection attack, and check the log file for details.
CONFidence 2018: Defense-in-depth techniques for modern web applications and ... - PROIDEA
In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy. In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google. With increased adoption new challenges arise: dealing with CSP report noise - generated by buggy browsers, extensions, malware and security software - devising an effective monitoring infrastructure, and keeping on top of bypassing techniques. In this presentation we reveal how our internal CSP infrastructure works and how we solved problems, share our experience, show real-world examples, best practices and common pitfalls. Finally, we hint at a new promising web mitigation technique, which we hope to see gaining traction in the near future: Suborigins.
SauceCon 2017: Building a Better Wormhole - Sauce Labs
Sauce Connect is beloved for its ability to create a magical wormhole between internal systems under test and the Sauce Labs cloud. But oftentimes InfoSec departments are wary of opening up the whole internal network to a 3rd party via the Internet.
Why trade performance for flexibility when you can program your network with new protocols and capabilities at wire speed?
In this workshop learn how ASICs are made, why flexible silicon is critical to the future of networking and what you can do with Cisco’s next-generation UADP 2.0.
Resources:
Watch the related TechWiseTV episode: http://bit.ly/2fiqH1f
Watch the TechWiseTV: New Era in Networking playlist: http://bit.ly/2jpoRjB
This document provides information on the anti-virus, anti-spyware, patch management, and disk encryption products supported by the Cisco ISE Posture Agent compliance module version 3.6.11098.2 for Windows. It lists the product name, version, whether it supports definition and live updates, and the minimum compliance module version required for each supported anti-virus vendor and product.
versity: Protecting IT infrastructure with VMware Site Recovery Manager - ASBIS SK
This document discusses using VMware Site Recovery Manager (SRM) to protect virtual infrastructure. SRM allows creating protection groups of virtual machines on a protected site that can be recovered to a recovery site in case of disaster. It uses array-based replication between the protected and recovery sites' storage arrays to keep synchronized copies of virtual machine data. The document outlines SRM concepts like protection groups, recovery plans, and how it integrates with vSphere to enable failover and failback between sites for disaster recovery of virtual infrastructure.
I discuss how to keep up to date on the security disclosures for Ruby and frameworks such as Rails and Sinatra. I cover all the different places to receive notifications for all of the services in my application stack.
Manuel Wiesinger in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Philip young current state of mainframe hacking - vanguard - 101016 - Philip Young
Literally a ‘black box’ to some, the mainframe is a mainstay of processing power for the enterprise. Yet, throughout the world, teams responsible for securing these machines know almost nothing about it. Due to either a lack of maturity within cybersecurity, or the assumption these systems are ‘unhackable,’ the mainframe is oddly missing from most security discussions. This talk focuses on current known attack vectors that were either created by the speaker or by the (few) others in this space. Philip uses live, real world examples of poor operational awareness, exposures and new advances in mainframe “hacking”. Attendees will be able to operationalize their knowledge with the very tools the speaker used allowing them to begin (or force) discussions with their security teams.
Node Security Experiments discusses security issues in the Node.js ecosystem. It covers topics like malicious modules hosted on NPM, insecure installation scripts, typosquatting vulnerabilities, password exposure, auditing packages for vulnerabilities, static analysis tools to detect security issues, and challenges of keeping up with the large number of packages. The document also mentions detecting and preventing specific security vulnerabilities, tools for auditing packages like NSP and Retire.js, potential bots in the ecosystem, and challenges with binary modules and exposing vulnerabilities in Node.js core.
Exploiting publically exposed Version Control System - Anant Shrivastava
This document discusses exploiting version control systems (VCS) like Git, SVN, and Mercurial. It describes how VCS work and why they can be exploited, noting that auto-deployment features can allow code to be deployed by committing changes. It provides an overview of common VCS files and folders that can be used to extract code from repositories. Tools for extracting code from VCS are also listed. The document concludes with a demonstration of exploiting VCS and checks that can be done to find exposed VCS files.
This document provides an overview and agenda for a Varnish Cache workshop, including installing Varnish Cache, configuring it, monitoring the configuration, and extending the configuration. The workshop will guide participants on getting started with Varnish Cache through four main sections.
Positive Hack Days. Gurkin. Zero Day for SCADA (0-day) - Positive Hack Days
Vulnerabilities in SCADA systems, after the mass propagation of the Stuxnet worm, have become journalists' favorite bugbear and a nightmare for everyone who has something to do with industry and national security.
How difficult is it to detect a vulnerability in SCADA systems? Which attack vectors are the most dangerous for such systems? How many unfixed vulnerabilities in SCADA are known as yet?
The speaker will give a practical demonstration of 0-day vulnerabilities in some popular production process management systems.
The document is a Q&A session on Cisco's SD-WAN security capabilities. Questions covered include how SD-WAN handles network access control, quality of service, central management software, integration with other Cisco products, differences compared to dedicated firewalls, hardware options for different site sizes, scalability, routing protocols supported, intrusion protection, and centralized management of security policies.
The document contains questions and answers about Cisco HyperFlex systems. It discusses that currently only VMware is supported, with other hypervisors like Red Hat Enterprise Virtualization and Hyper-V planned for the future. It also addresses questions about storage capacity per node, data protection methods, cluster size limits, and lack of performance impact from inline deduplication and compression. Plans for one-click software and hypervisor updates are also mentioned.
TechWiseTV Workshop - Q&A - Cisco Catalyst 9600: Deep Dive and Design Conside... - Robb Boyd
Cisco Catalyst 9600 Series Switches are the next-generation purpose-built 40/100G modular core/aggregation platform, providing resiliency at scale with the industry’s most comprehensive security while allowing the business to grow at a low total operational cost.
The Cisco Catalyst 9606R is a 6-slot 8RU chassis ready to support a wired switching capacity of up to 25.6 Tbps, with up to 6.4 Tbps of bandwidth per slot. Some salient features of the Cisco Catalyst 9606R chassis are:
- Supports a nonblocking 40/100G Quad Small Form-Factor Pluggable (QSFP+, QSFP28) line card
- Supports a line-rate 1/10/25G SFP and Enhanced SFP (SFP, SFP+, SFP28) line card
- Optimized for the enterprise with efficient side-to-side airflow
- Front accessibility for all removable components, such as the supervisor, line cards, power supply, and fan tray
- Dual accessible fan tray for easy removal
- Embedded RFID tag for easy asset tracking
How to configure cisco asa virtual firewall - IT Tech
Virtual firewalls, also known as security contexts, allow a single Cisco ASA device to act as multiple independent firewalls. This document discusses how to configure multiple security contexts on a Cisco ASA. It describes allocating interfaces and resources to unique contexts for separate network segments or customers. The admin context manages the entire ASA device and is used to create other contexts. Features like routing and VPN are unavailable in multiple context mode.
Watch the replay: http://bit.ly/2wbz3Cd
The fifth generation of Cisco Unified Computing System (UCS) offers faster CPUs, and more cores, GPUs, memory and modularity than any other UCS server. We introduced these new M5 Series Servers in a recent episode of TechWiseTV.
Explore all the customer-inspired innovations that can help you scale up or out, and deliver greater insights with data-intensive analytics where you need them most.
Resources:
Watch the related TechWiseTV episode: http://bit.ly/2wQ6fMp
The document discusses configuring the Cisco ASA IPS module, which provides intrusion prevention capabilities. The IPS module can be a physical module or software module depending on the ASA model. The module detects attacks by comparing traffic to known attack signatures. It can operate in either inline or promiscuous mode, with inline blocking traffic during inspection. Virtual sensors allow individual contexts to use separate IPS policies. Basic configuration involves setting the network settings, creating virtual sensors, and defining an IPS traffic matching policy.
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55... - IT Tech
The document discusses Cisco's recommendations for migrating from older ASA 5500 firewall models like the ASA 5510, ASA 5520, and ASA 5550 to newer ASA 5500-X next-generation firewall models like the ASA 5515-X, ASA 5525-X, and ASA 5555-X. It provides comparison tables of features between the older and newer models, noting improvements in throughput, connections, interfaces, memory, and the ability of the newer models to run services like IPS and advanced security without extra hardware.
This document discusses VPC networking on AWS. It summarizes some key advantages of VPC like network ACLs allowing true edge blocking and security groups that can change after instance launch. It also discusses some challenges faced with VPC like figuring out networking configurations and properly sizing NAT instances. The document provides guidance on using VPC features like connecting VPCs to on-premise networks with VPN and limitations around VPC components.
Fault tolerance with Cisco ASA Clustering - Cisco Russia
Fault tolerance with Cisco ASA Clustering: operating principles, limitations, diagnostics.
Link to the webinar recording: https://www.youtube.com/watch?v=h73ZVhSqd64
Q&A for TechWiseTV Workshop on Cisco UCS and Splunk - Robb Boyd
You can watch and listen to the replay of this workshop at http://bit.ly/UCS_SPLUNK.
Robert Novak, our Cisco Big Data CSE, along with two excellent speakers from Splunk, Kevin Faulkner, Product Manager, and Wissam Ali-Ahmad, the Splunk Technical Alliance Manager, did a live demo.
The Cisco ASA 5545 delivers superior performance with up to 3 Gbps stateful inspection throughput, 2500 IPsec VPN peers, 750,000 concurrent connections and 1 expansion slot, which makes it ideally suited for mid-size and large enterprises, internet edge deployments or even the data center while delivering enterprise-strength security.
This document discusses securing Cassandra for compliance or paranoia. It covers encrypting data at rest and on the wire, authentication and authorization, and securing management tools like JMX. Encrypting data at rest can be done with options like dmcrypt, Vormetric, or DSE encryption. Node-to-node encryption and SSL are recommended to encrypt data on the wire. Role-based access control in Cassandra 2.2 allows for authentication and authorization. Securing JMX involves SSL and password-based authentication.
Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization and securing JMX and management tools
OpenNebulaConf 2016 - OpenNebula, a story about flexibility and technological... - OpenNebula Project
Cloud providers are constantly addressing the technology limitations on their infrastructures, which must be overcome to meet customer needs. On this presentation, we will demonstrate how technological agnosticism and management flexibility of OpenNebula has allowed Todoencloud to provide the most efficient open source solution to the needs of its customers, choosing the most appropriate virtualization technology (Xen and KVM), storage approach (ZFS vs CEPH), Cloud Bursting solutions (Azure, Amazon) and customized networking topologies.
Migration to cisco next generation firewall - IT Tech
The document discusses Cisco's next-generation firewall options and migration paths from legacy Cisco firewalls to NGFWs. It provides tables outlining the recommended migration options from various Cisco ASA firewall models to Cisco's next-generation firewall appliances like the Cisco Firepower 2100/4100/9300 series. The tables also show the throughput performance enhancements of the different NGFW models. It recommends customers to confirm their current firewall model, review the recommended migration path, and contact a Cisco account manager or partner to get started on the migration process.
Cisco ASA 5506-X, designed for small or mid-size enterprise or branch offices, is one of the Cisco ASA 5500-X Next-generation series firewalls with Firepower services.
The document provides an introduction to ACI for network administrators. It discusses building an ACI network through the perspective of a network administrator. The session objectives are to understand ACI components and models, configure external connectivity and integrate third-party devices, and automate ACI configuration. The agenda covers topics such as ACI building blocks, VMware integration, service graphs, and getting started with ACI.
Similar to Cisco adaptive security appliance (asa) firewalls lifeline of today’s data centers (20)
The Cisco IP Phone 8800 Key Expansion Module adds extra programmable buttons to the phone. The programmable buttons can be set up as phone speed-dial buttons, or phone feature buttons.
Cisco catalyst 9200 series platform spec, licenses, transition guide - IT Tech
The Cisco Catalyst 9200 Series switches are Cisco’s latest addition to the fixed enterprise switching access platform, and are built for security, resiliency, and programmability.
The 900 ISRs offer easy management and provisioning capabilities through Cisco Configuration Professional Express, Cisco DNA Center, and Cisco IOS Software, with full visibility into and control of network configurations and applications.
Hpe pro liant gen9 to gen10 server transition guide - IT Tech
The document summarizes the key features and benefits of HPE ProLiant Gen10 servers. It introduces the new Gen10 servers as offering high performance, security, and flexibility to run demanding applications and workloads. Specific Gen10 server models highlighted include the DL360 and DL380 for compute environments, the ML110 and ML350 for versatility, and the MicroServer for small offices. Key security capabilities of the HPE iLO 5 management tool are also outlined.
The Cisco ISR 4461 is the newest member of the Cisco 4000 Family Integrated Services Routers. The Cisco 4000 Family now contains the following platforms: the 4461 ISR, 4451 ISR, 4431 ISR, 4351 ISR, 4331 ISR, 4321 ISR and 4221 ISR.
New nexus 400 gigabit ethernet (400 g) switches - IT Tech
Cisco unveiled new 400 Gigabit Ethernet (400G) switches to help large cloud and data center customers meet modern network challenges of high scale and bandwidth. The new portfolio includes the Nexus 3400 fixed switches and Nexus 9000 switches for Cisco's ACI architecture. The 400G switches bring more than just increased speed, with flexible deployment options and support for features like superfast policy enforcement, packet visibility, smart buffering, and low latency traffic prioritization.
Tested cisco isr 1100 delivers the richest set of wi-fi features - IT Tech
Cisco ISR 1000 offers a branch-in-a-box solution with various types of uplink connectivity, multiple Power over Ethernet (PoE) and PoE+ capable Gigabit-Ethernet ports, and built-in Cisco Mobility Express Solution for WLAN access and SD-WAN capability.
Aruba’s modern, programmable switches easily integrate with our industry leading network management solutions, either cloud-based Aruba Central or on premise Aruba AirWave.
Cisco IOS XE opens a completely new paradigm in network configuration, operation, and monitoring through network automation. Cisco’s automation solution is open, standards-based, and extensible across the entire lifecycle of a network device. The various automation mechanisms are outlined here.
Cisco's wireless solutions can be broadly classified into Standalone systems that operate Cisco Aironet Access Points individually and Controller-based systems that centrally manage multiple Cisco Aironet Access Points using a Cisco Wireless Controller. Multiple expansion modes are also supported in Controller-based systems.
Four reasons to consider the all in-one isr 1000 - IT Tech
The document discusses the benefits of Cisco's 1000 Series Integrated Services Routers for small and medium-sized businesses. It provides an all-in-one solution for routing, switching, wireless access and security in a single device. Key benefits include advanced wired and wireless connectivity, enterprise-class security features, and the ability to evolve the software-defined WAN over time through centralized management and policies. The 1000 Series offers an affordable way for SMBs to securely connect endpoints, devices and networks.
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
What is the Difference between Yellow and White Labeled Ports on a Nexus 2300 Series FEX?
The Cisco Nexus 2300 platform provides two types of ports: ports for end-host attachment (host interfaces) and uplink ports (fabric interfaces). Both yellow and white colored fabric interfaces can be used to provide connectivity to the upstream parent Cisco Nexus switch. There is no difference between yellow labeled and white labeled uplink ports.
The Cisco 892F ISRs have an SFP port that supports auto-media-detection, auto-failover, and remote fault indication (RFI), as described in the IEEE 802.3ah specification.
The Nexus 7000 Series switches form the core data center networking fabric. There are multiple chassis options from the Nexus 7000 and Nexus 7700 product family. The Nexus 7000 and the Nexus 7700 switches offer a comprehensive set of features for the data center network.
The document discusses the replacement of legacy Cisco transceiver modules that have reached end-of-sale and end-of-life with newer models. It provides a table listing the legacy modules and their replacement modules. It also discusses the target end-of-sale dates for legacy modules and features of the new modules, including backward compatibility and enhanced monitoring. Finally, it lists and describes the newest Cisco SFP transceiver modules.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
"What does it really mean for your system to be available, or how to define w...Fwdays
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Northern Engraving | Nameplate Manufacturing Process - 2024
Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data Centers - FAQs from Live Webcast
ASA & Firewall Questions
Q. What would be the real-world throughput of ASA 5505 appliance?
A. You can find the details on the datasheet mentioned below:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Does Cisco have good feedback regarding 5585x clustering so far? We wanted to
implement this earlier this year but got the impression that we were pilot users
with this solution due to the questions we got from Cisco's PM team so we
abandoned the project?
A: Though you can surely go for clustering, for a detailed analysis with respect to your network a clarification from PM/SA will be required so as to have a better understanding.
Q. It would be great if I can get a document that shows recommended real-world throughput of each model?
A: In reality it depends on the type of traffic you are pushing through the firewall, so you can check the multiprotocol field if you are pushing different types of traffic. http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Q. Can we have contexts configured with a cluster?
A: Yes, we can have contexts configured with clustering.
Q. Can you briefly describe how the ASA can link up with an IPS module for next-gen intrusion threats?
A: The details available at http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html will help you to know the IPS with ASA.
Q. What is sub-second failover?
A: Sub-second failover means that the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful setting the failover settings too low, though, as you may have a quick communication loss due to congestion.
Q. How can we cap the bandwidth on Cisco ASA?
A: To check what the supported throughput is, please refer to: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Are there any plans for introducing clustering in ASA5500-X for Saleen Series?
A: The complete supported platforms for ASA clustering can be found at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html.
Q. What applications are supported for "full applications state sync"? Does ASA support SS/IPSecVPN? Multiprotocol throughput for ASA 5505?
A: Since the 5505 is for remote users, you can refer to the following link for more info on it. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Can you configure site-to-site VPN with ASA in multi-context mode?
A: Yes, you can, as shown in: http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_site2site.html
Q. Can we have ISP-level redundancy or link load balancing with Cisco ASA, as I have multiple links to my DC for redundancy?
A: ASA is not designed to do WAN load balancing between ISP links. Though you may refer to a similar setup in lab as shown in https://supportforums.cisco.com/docs/DOC-15622
Q. Does site-to-site VPN co-exist with remote access?
A: If using ASA clustering, then VPN will not work. In a non-cluster environment you can use L2L VPN, and it can co-exist in the standalone version.
Q. You just told about using different Cisco boxes in a multi-tier firewall design, but the good practice is using different vendor firewalls in different tiers? How would you justify using only Cisco firewalls in a multi-tier design?
A: Ease of management with a single tool like CSM (Cisco Security Manager), additional security with TrustSec & ISE deployment which integrates seamlessly with Cisco environment.
Q. How should we size the firewall for the data center? Is there any guideline on the sizing?
A: For sizing we need to have the number of connections and type of traffic which we need to push through the firewall, then you can refer to the following link for information on which model suits your need. Please refer http://www.cisco.com/en/US/products/ps99
Q. Can you explain the significance of SGT in the context of ASA?
A: SGT is part of TrustSec.
Q. Can you load balance your outgoing internet connectivity with two inter connections hooked to one ASA?
A: Presently it is not possible to load balance traffic between two ISP links on an ASA.
Q. How does ASA 5500-X react to a zero-day attack?
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.
Q. Would clustering of up to 8 firewalls be active/active or active/standby?
A: All 8 units will be active in a cluster.
Q. What is multiprotocol throughput?
A: When different types of traffic are going through the firewall, i.e. HTTP, FTP, etc.
Q. Can we block HTTPS traffic on the firewall?
A: When you are saying block, I assume you are saying traffic going through the firewall, then the answer to that would be yes.
Q. Can Security Manager be a syslog server as well?
A: CSM is built to be a single point of management and configuration for ASA and other security products. The function of syslogging is to be offloaded to an external server.
Q. Does Cisco have a UTM box?
A: Yes, please refer to: http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html
Q. Is a cluster of 8 FWs supported on all models of ASA?
A: Complete detail is available at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
Q. What are the different HA modes supported?
A: You can refer to the Cisco ASA datasheet on Cisco.com.
Q. Can we mix different models in clustering, i.e. can Cisco 5510 be clustered with Cisco 5520?
A: No, we can't mix different ASA models. And clustering is only supported with 5580, 5585 or 5585X.
Q. When we say ASA virtualization, is that the hardware virtualization, IOS or the configurations?
A: You can use ASA 1000V for virtualized environment and that's what it means. Again, if the term virtual is used, it can be a context, as many times these two terms are used interchangeably.
Q. Is access to the ScanSafe database a subscription service?
A: Yes, a ScanSafe subscription will be required.
Q. Can I have multi-context along with clustering?
A: You won't need a context in cluster mode but you can have multi contexts.
Q. Can we block HTTPS traffic on the firewall?
A: Yes, with ACLs you can block HTTPS traffic going through the firewall.
Q. Is clustering possible across geographies or is there any distance limitation?
A: This can be done through VPNs (site to site) but is never recommended. Such a setup in a production environment is not recommended.
Q. Are there only 8 ASAs in a cluster possible, and can I mix the models?
A: It has to be the same model with the same hardware configuration like memory etc.
Q. Can we detect NMAP scans with ASA?
A: You may refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml for an nmap scan as attacker example.
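An added example, not part of the webcast answers or Cisco's documentation: one way to spot port scans from the firewall side is to count the distinct destination ports denied per source in the ASA's %ASA-4-106023 ACL-deny syslog messages. The log lines are constructed, and the ISO timestamp and host prefix, the time window and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# %ASA-4-106023 is the ASA's "denied by access-group" message. The leading
# timestamp and hostname are assumed to be added by the syslog collector.
DENY_RE = re.compile(
    r'^(?P<ts>\S+)\s+\S+\s+%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+)'
    r'.*? by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample events: (time, source, source port, destination, dest port).
_TPL = ('{ts} asa01 %ASA-4-106023: Deny tcp src outside:{src}/{sport} '
        'dst inside:{dst}/{dport} by access-group "OUTSIDE_IN" [0x0, 0x0]')
_EVENTS = [
    # Fast sweep of one host: six ports in three seconds.
    ("2013-06-12T10:15:01", "198.51.100.7", 40112, "10.0.0.5", 21),
    ("2013-06-12T10:15:01", "198.51.100.7", 40113, "10.0.0.5", 22),
    ("2013-06-12T10:15:02", "198.51.100.7", 40114, "10.0.0.5", 23),
    ("2013-06-12T10:15:02", "198.51.100.7", 40115, "10.0.0.5", 25),
    ("2013-06-12T10:15:03", "198.51.100.7", 40116, "10.0.0.5", 80),
    ("2013-06-12T10:15:03", "198.51.100.7", 40117, "10.0.0.5", 443),
    # A client retrying one blocked service: a single target, not a scan.
    ("2013-06-12T10:15:04", "203.0.113.20", 51000, "10.0.0.9", 3389),
    ("2013-06-12T10:15:07", "203.0.113.20", 51000, "10.0.0.9", 3389),
    # Five ports, but ten minutes apart: only visible with a wide window.
    ("2013-06-12T10:20:00", "192.0.2.44", 33000, "10.0.0.5", 22),
    ("2013-06-12T10:30:00", "192.0.2.44", 33001, "10.0.0.5", 23),
    ("2013-06-12T10:40:00", "192.0.2.44", 33002, "10.0.0.5", 80),
    ("2013-06-12T10:50:00", "192.0.2.44", 33003, "10.0.0.5", 443),
    ("2013-06-12T11:00:00", "192.0.2.44", 33004, "10.0.0.5", 8080),
]
SAMPLE_LOG = [_TPL.format(ts=t, src=s, sport=sp, dst=d, dport=dp)
              for t, s, sp, d, dp in _EVENTS]
# A permitted connection (different message ID) that the parser must ignore.
SAMPLE_LOG.append(
    "2013-06-12T10:15:05 asa01 %ASA-6-302013: Built inbound TCP connection 42 "
    "for outside:203.0.113.9/50000 (203.0.113.9/50000) "
    "to inside:10.0.0.8/443 (10.0.0.8/443)")


def find_scanners(lines, window=timedelta(seconds=10), min_targets=5):
    """Return {source_ip: details} for sources denied on at least
    min_targets distinct (destination, port) pairs inside one window."""
    per_src = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m is None:
            continue  # other message IDs, or denies without ports (ICMP)
        per_src[m["sip"]].append(
            (datetime.fromisoformat(m["ts"]), m["dip"], int(m["dport"]), m["acl"]))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, set()
        acls = set()
        for end, event in enumerate(events):
            # Slide the left edge so the burst never spans more than `window`.
            while event[0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            targets = {(e[1], e[2]) for e in burst}
            if len(targets) > len(best):
                best, acls = targets, {e[3] for e in burst}
        if len(best) >= min_targets:
            findings[src] = {
                "hosts": sorted({host for host, _ in best}),
                "ports": sorted({port for _, port in best}),
                "acls": sorted(acls),  # which access-group produced the denies
            }
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

A wider window also catches the slower sweep in the sample, at the cost of flagging more ordinary clients, so the window and threshold need tuning against normal deny volume.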
Q. How can I block Facebook on the firewall?
A: You can block it using ScanSafe.
Q. What is the best choice for site-2-site VPN, firewall ASA or Cisco security router?
A: ASA VPN edition will be the best as it supports a lot more features in security compared to a router.
Q. Is firewall virtualization supported in ASA?
A: Yes, we call it Context in ASA. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html lists all the features supported by ASA with 9.0.
Q. Can I have a HA design with two ASA5525X in two separate places in Active/Active mode?
A: In that case you are expanding your cluster; there is no restriction, but I do not see any use case for this.
Q. What if one of the ASAs goes down, will the other 7 modules still deliver 280 GBPS?
A: Only the throughput will drop on an overall basis, but there is no impact on traffic.
Total Throughput = N x Single node throughput x Scaling Factor
Q. Hello, do we need to have an even number of firewalls to participate in clustering?
A: No, there are no such mandates.
Q. How does ASA 5500-X react to a zero-day attack?
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available. This helps in a Day 0 attack.
Q. Please, could you explain more about the 'individual' and 'spanned' mode at the clustering?
A: Refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html for complete details on HA cluster configuration and various interface modes.
Q. ASA5585-SSP-10-2units, ASA ver 8.2(5), old ASDM ver 6.4(5), current ASDM ver 7.1(3), any compatibility issue of Java 1.7 with ASDM? Please suggest any stable Java version which works with all ASDM versions.
A: You can get in touch with Cisco TAC support for granular information on ASA & ASDM with Java.
Q. What will happen if one node fails in an ASA cluster? Will traffic which was going through the failed node be dropped, or will it be processed by some other node in the cluster?
A: Processed by another member in the cluster.
Q. We have an IPS module with our ASA. It cannot detect external scans like NMAP OS fingerprinting. I opened a TAC case also. They confirm that this is not possible with Cisco IPS and it only detects it as normal traffic. Is that true?
A: That's an extensive topic and this discussion may help: https://supportforums.cisco.com/thread/2152269
Q. Does clustering support IPv6?
A: Yes
Q. So where to point the route from inside equipment, when ASAs are addressed from a dynamic pool? Is there a VIP address?
A: No, each firewall would get an address from the pool created by the master ASA in a cluster.
Q. Can we create contexts in a cluster?
A: You can have ASA with multiple contexts as part of a cluster, however all the ASAs should be in multiple mode in that cluster.
Q. How many context firewalls can we have configured on a single ASA?
A: Depends on the model, please refer to http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Why do I still have to manually copy XML profiles from the active to the standby?
A: Depends on the version you are using. More detailed info can be obtained from Cisco TAC as it's specific to AnyConnect.
Q. A few years ago threat detection, routing protocols, etc. could not be used if you enabled multiple context mode on ASA. Was this resolved already in today's software or product line?
A: Virtually not, you can have as many policies but can be brought down if combined with TrustSec. Still the same: multiple context mode does not support the following features:
RIP
OSPFv3. (OSPFv2 is supported.)
Multicast routing
Threat Detection
Unified Communications
QoS
Remote access VPN. (Site-to-site VPN is supported.)
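An added example, not from the webcast or Cisco: a pre-migration check that scans a single-mode running configuration for the features the answer above lists as unsupported in multiple context mode. The feature list comes from that answer; the mapping from feature to configuration command is an assumption of this example, and the configuration text is constructed.

```python
import re

# Feature names as listed in the answer above. The command patterns that
# indicate each feature is in use are this example's assumption.
UNSUPPORTED_IN_MULTI_CONTEXT = {
    "RIP": [r"^router rip\b"],
    "OSPFv3": [r"^ipv6 router ospf\b"],
    "Multicast routing": [r"^multicast-routing\b"],
    "Threat Detection": [r"^threat-detection\b"],
    "Unified Communications": [r"^(phone-proxy|tls-proxy)\b"],
    "QoS": [r"^priority-queue\b", r"^\s+(police|shape)\b"],
    "Remote access VPN": [r"^tunnel-group \S+ type remote-access\b",
                          r"^webvpn\b"],
}

# Constructed single-mode configuration excerpt used as sample input.
SAMPLE_CONFIG = """\
hostname dc-asa-1
router rip
 network 10.0.0.0
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
ipv6 router ospf 10
multicast-routing
threat-detection basic-threat
threat-detection scanning-threat shun
priority-queue outside
policy-map OUTSIDE_POLICY
 class VOICE
  police output 2000000
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group RA_USERS type remote-access
webvpn
 enable outside
"""


def multicontext_blockers(config_text):
    """Return {feature: [(line_number, line), ...]} for every configured
    feature that the list above marks as unsupported in multiple context mode."""
    hits = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for feature, patterns in UNSUPPORTED_IN_MULTI_CONTEXT.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(feature, []).append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for feature, lines in multicontext_blockers(SAMPLE_CONFIG).items():
        print(feature)
        for lineno, text in lines:
            print(f"  line {lineno}: {text}")
```

OSPFv2 (`router ospf 1`) and the site-to-site tunnel group are not reported, matching the two exceptions the answer calls out.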
Q. Based on active cluster configuration, if a new firewall picks an IP address from the pool, later if the firewall goes down how will the session failover happen? Will the live session be dropped or will it fail over to another active firewall?
A: It will be taken care of by the next priority firewall in the cluster.
Q. Is there any policy limitation of Cisco ASA?
A: Virtually not, you can have as many policies but can be brought down if combined with TrustSec.
Q. Can you also have visibility of the SGT at the level of the CX module?
A: Complete details are available at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. ASA CLI or ASDM logging feature does not provide the rule number details (unlike Checkpoint FW). We need to know which rule is blocking or allowing the traffic. That will be easy for troubleshooting any issue.
A: You can use packet tracer under ASDM.
Q. What other features do we have with ASDM 9.0, and can we also configure bridge and routed mode at the same time?
A: No, we cannot have different modes in an ASA cluster. Please refer to the link for new features in OS 9.0: http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
Q. How is the VIP maintained in the cluster?
A: There is no VIP, all firewalls have their own firewall, we need load balancing from outside the cluster.
Q. We are using 3 different management servers. We are facing this ASDM loading issue with all of them. How can there be an issue at OS level?
A: Please get in touch with Cisco TAC for in-depth review & troubleshooting.
Q. Does the load balancing into the cluster need to be "sticky"? Must traffic for a particular connection always hit the same appliance? Or is connection state replicated between all appliances in the cluster?
A: No, the session backup exists in a clustering setup. If an ASA goes down then the session won't be dropped and the next master will handle it. In short, yes, connection replication happens.
Q. Does CCL have to be in routed mode or can it be made L2? I believe it's like VSL in VSS or like stacking?
A: VSS is supported and refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338
Q. Does the ASA support server load balancing?
A: No, ASA doesn't support server load balancing.
Q. Is that also the fact with site-to-site VPN when cluster master fails or does it work more like Active/Standby VPN state failover?
A: Clustering is analogous to failover, not the same. The VPN sessions will be replicated across the cluster.
Q. Can the IPS in ASA5500-X do heuristic detection?
A: Basic heuristics are there, 0-day attacks are identified (now better by ScanSafe, an improvement over the local engine).
Q. Will remote VPN work with clustering mode?
A: RA VPN is not available in clustered mode. The full list of centralized and disabled features can be found at: http://asapedia.cisco.com/index.php/Clustering
Q. Which is the best module which can block torrent traffic, as it is using any dynamic port available?
A: The IPS module will be the best option as it can look into the payload.
Q. I have about 30+ Cisco ASA firewalls, all of them running Cisco ASA 8.2(5). Is there a document that I can follow to upgrade them to 9.0?
A: Yes, a plan is needed for the upgrade. Refer to https://supportforums.cisco.com/thread/2183482 as a similar request and do take the help of TAC for such a major upgrade of over 30+ firewalls.
Q. Will remote VPN work with clustering mode?
A: It doesn't work.
Q. Does Easy VPN work with Active/standby mode in ASA?
A: Yes, it works with failover ASA.
Q. Can we use ASA for web filtering like a proxy?
A: Yes, ASA can be used for web filtering and it has been possible for many years. Now you also have ScanSafe.
Q. And how do I just point to _one_ ASA IP from core routing equipment, when clustering?
A: Addresses configured in the pool are given to firewalls in the cluster; you can simply push the traffic to any given address assigned to a specific firewall in the cluster.
Q. What will happen if one node fails in an ASA cluster? Will traffic which was going through the failed node be dropped, or will it be processed by some other node in the cluster?
A: Yes, ASA clustering always has a backup node (owner) for every flow through the cluster, so if the node through which traffic is passing is down, the next owner will process the n+1 traffic (if the previous node was processing the nth packet).
Q. How many "sessions/connections per second" can the 5585-X support? Is there a public document that shows a performance matrix for ASA? Something similar to the router & switch performance matrix; there is one available for the router & switch product line?
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
9. Q. Any plan for a refresh of the 5505 ? Right now alot of our customers are looking
elsewhere (Checkpoint, Palo Alto) for a layer 4-7 aware firewall.
A: If you're looking for a replacement of 5505 you have multiple options as explained
at Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices
and Branch Locations Data Sheet (Updated) such as 5512-X and 5515-X next gen
firewalls with better throughput and a host of new features
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data
_sheet_c78-701253.html
Q. Is Clustering supported across all models or not ?
A: Clustering is only supported with 5580, 5585 and 5585X models
Q. If cisco marketing 5500X products stops, does that means slowly cisco will stop
5500 models?
A: Not sure where this is coming from since, 5500X is the latest in next gen firewalls
and Cisco intends to continue with both 5500 and 5500X series
Q. What’s about a blade system on cisco side fürASA ?
A: Cisco FWSM is the current generation and Cisco NGFW services module is the
solution for next gen DC which supports many new features
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c
67-700607.html
Q. Can Cisco Security Manager be a netflow collector for ASA devices?
A: CSM is primarily meant for configuring and managing the firewalls. If you wish to
collect netflow data it's better to look at Cisco LMS/Prime solutions.
Q. What is the max throughput at line speed?
A: For information on the throughput and other parameters, please consult the
respective data sheets of the ASA 5500 and 5500-X series:
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices
and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Cisco ASA 5500 and ASA 5500-X Series Next Generation Firewalls for the Internet
Edge Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html
Cisco ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Can CSM take a backup of the ASA configuration?
A: In CSM if you would like to see the configurations there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview
Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a
history of previous configurations pushed for each device managed by CSM
CSM based backups are manual and are not automated.
Q. Can we expect remote access vpn support for contexts anytime soon?
A: As far as I know it's not on the roadmap for next few releases.
Q. Why does the management interface not work when working with an
active/standby solution?
A: You can access the video and regular data sheets for 5585-X series firewall at
http://www.cisco.com/en/US/products/ps11061/index.html
Q. Do you have a recommended scenario or plan for ASA deployment in Data
Center or VMDC?
A: Each network and organization has different requirement for services and security.
Hence, putting one size fits all is not a possible solution. You can check the Cisco
recommended design and configuration guidelines at the following URLs:
ASA DC deployment guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Mid_DC_DataCenterDeploymentGuideFebruary2012.pdf
Cisco ASA DC config guide
http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
Q. Is there a roadmap to allow VPN functionality with ASA Cluster Deployment?
A: Site to site VPN is already supported in clustering. Remote access VPN is not
supported as of today and is not on the roadmap as far as I know.
Q. Does ASA support stateful sync for SSL or IPSec VPN sessions, meaning that if the
primary fails, the SSL or IPSec VPN session need not re-establish connectivity
with the secondary?
A: Yes, stateful failover is available for IPSec and SSL connections.
Q. Can we configure the Cisco ASA in a distributed architecture?
A: ASA clustering is a distributed architecture for High Availability and is compatible
with next gen and current switching infrastructure.
Q. Does packet tracer support FWSM?
A: FWSM doesn't support the packet tracer command.
Q. Is there a concept of Inter-Context communication in the current ASA? Meaning no
need to forward the traffic out of the interface, but instead inside the ASA and between
contexts. Saves an interface and is much faster?
A: As of today, inter-context communication has to go out of a physical interface and
come in again (same or different interface). Essentially a trombone of traffic needs to
happen out of and into the firewall.
Q. Based on active cluster configuration, if a new firewall picks an IP address from the
pool, and later the firewall goes down, how will the session failover happen? Will the live
session be dropped or will it fail over to another active firewall?
A: You can access the video and regular data sheets for 5585-X series firewall
at http://www.cisco.com/en/US/products/ps11061/index.html
Q. What about MGCP support?
A: Cisco ASA Clustering does not support any UC protocols including H.323 suite, RTP,
RTCP, SIP, SCCP and MGCP
Q. Does it have an option for snapshots for backup purposes so we can restore all the
configuration very fast? And how many snapshots can it store?
A: If the query is about CSM, and you would like to see the configurations within the
CSM interface there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview
Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a
history of previous configurations pushed for each device managed by CSM
Q. What is the monitoring solution in Cisco where we can see what each user is
doing from the Cisco TrustSec perspective?
A: You can do this from the ISE dashboard for monitoring the network. Please see
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014
for more details.
Q. What is the VPN split in an IPv4/IPv6 network? Is there VPN bypass with ASA?
A: VPN in IPv4 or IPv6 depends on the configuration for the VPN site to site or
client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the
client / remote site can connect with a headend behind ASA.
Q. What is the CX module in the ASA-X series?
A: ASA NGFW Services (formerly ASA CX) re-imagines the firewall, delivering
context-aware security that empowers enterprises to manage applications, devices
and the evolving global workforce, while ensuring unprecedented visibility and
control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces
complexity to address evolving security needs by leveraging local network
intelligence via Cisco AnyConnect and TrustSec, and global threat information via
Cisco’s Security Intelligence Operation.
Q. Can you please share the packet flow in context mode? And does the mode or context
support multicast or unicast?
A: Here's a URL which covers packet classification examples and flows in detail:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280
Contexts support both unicast and multicast; however, PIM is only
supported in single context.
Q. Is the Packet Tracer & Traceroute feature also not available in FWSM?
A: Packet Tracer feature is not available on FWSM. Traceroute command is
supported on FWSM.
General Questions
Q. Recommended tools for monitoring traffic, security events, syslogs? Any Cisco
developed Netflow analyzers? Is there anything bundled with the IOS or is it an
additional package?
A: You can use Cisco Security Manager for such task. More info available
at http://www.cisco.com/en/US/products/ps6498/index.html
Q. Is it only the Secure X platform that has support for TrustSec?
A: You can find complete details at
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html.
Q. Can ISE integrate with AD or do we need a AAA/LDAP?
A: Yes, we can integrate ISE directly with AD.
Q. What is the Secure X architecture?
A: The Cisco SecureX Architecture is a context-aware, network-centric approach to
security from Cisco. Secure X architecture details can be found at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html#wp9000078
Q. Where can we download the presentation?
A: https://supportforums.cisco.com/docs/DOC-35101
Q. Does Secure X support built-in IPS and IDS inline?
A: CX modules for ASA do support inline IPS as they will be on the same chassis as the
firewall. CX services module doesn't support it as of today; it's on the roadmap.
Q. Which authentication types are supported in TrustSec?
A: The following authentication types are supported with TrustSec:
Flexible authentication (FlexAuth) including
- IEEE 802.1X
- Web authentication (WebAuth)
- MAC authentication bypass (MAB)
- IEEE 802.1X-REV MACsec Key Agreement (MKA)
Please see
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026
for more details.
Reference from: https://supportforums.cisco.com/docs/DOC-35563