because most applications met the port/protocol expectations. NGFWs filter traffic based on the applications or traffic types traversing specific ports. For example, you could open up port 80 for only selected HTTP traffic or for particular applications, sites, or services that you allow. Firepower provides a combination of firewall and QoS functions in a single application-aware solution. Here are the characteristic features of most NGFWs:
Standard firewall features: These include the traditional (first-generation) firewall functions such as stateful port/protocol inspection, Network Address Translation (NAT), and virtual private network (VPN) capabilities.

Application identification and filtering: An NGFW identifies and filters traffic based on the specific application rather than simply opening a port to all kinds of traffic. This prevents malicious apps and activities from evading the firewall by using nonstandard ports.

SSL and SSH inspection: NGFWs can inspect SSL- and SSH-encrypted traffic. An NGFW decrypts the traffic, verifies that the applications are allowed, checks other policies, and then re-encrypts the traffic. This provides additional protection against malicious apps and activities that try to hide from the firewall by using encryption.

Intrusion prevention: An NGFW performs deeper traffic inspection to detect and prevent intrusions.

ISE integration: NGFWs integrate with Cisco Identity Services Engine (ISE). This integration allows authorized users and devices to use specific applications.

Malware filtering: NGFWs can provide reputation-based screening to block applications that have bad reputations. This functionality can check for phishing, viruses, and other malware sites and apps.
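The difference between port-based and application-aware filtering described above, shown as an added example (this is illustrative Python, not Firepower code or anything from the book). A first-generation filter decides on the destination port alone; the application-aware filter reads the first bytes the client sends to identify the protocol, refuses anything on port 80 that is not HTTP (such as SSH tunnelled over port 80 to slip past the firewall), and then applies an allow-list of HTTP hosts. The flows, host names, and policy are constructed for illustration:

```python
"""Toy comparison of a port-based filter and an application-aware filter.
Added example, not from the book; all flows and policy are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client on this connection


def identify_app(payload: bytes) -> str:
    """Classify a flow by its leading bytes, independent of the port."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"  # SSH identification string (RFC 4253)
    # TLS record: content type 0x16 (handshake), major version 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    return "unknown"


def http_host(payload: bytes) -> Optional[str]:
    """Extract the Host header of a plaintext HTTP/1.x request, if present."""
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


# Constructed policy: hosts the organisation permits over plain HTTP
ALLOWED_HOSTS = {"intranet.example.com", "updates.example.com"}
OPEN_PORTS = {80, 443}


def port_filter(flow: Flow) -> str:
    """First-generation behaviour: the port number is the only criterion."""
    return "allow" if flow.dst_port in OPEN_PORTS else "deny"


def app_filter(flow: Flow) -> str:
    """Application-aware behaviour: the port must carry the expected
    application, and the application itself must be on the allow-list."""
    app = identify_app(flow.payload)
    if flow.dst_port == 80:
        if app != "http":
            return "deny"  # e.g. SSH or TLS hidden on port 80 to evade the firewall
        host = http_host(flow.payload)
        return "allow" if host in ALLOWED_HOSTS else "deny"
    if flow.dst_port == 443:
        return "allow" if app == "tls" else "deny"
    return "deny"


def compare(flow: Flow) -> dict:
    """Return both verdicts so the two filtering models can be compared."""
    return {"app": identify_app(flow.payload),
            "port_filter": port_filter(flow),
            "app_filter": app_filter(flow)}


if __name__ == "__main__":
    # Constructed sample flows
    samples = [
        Flow(80, b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
        Flow(80, b"GET / HTTP/1.1\r\nHost: unapproved.example.net\r\n\r\n"),
        Flow(80, b"SSH-2.0-OpenSSH_9.0\r\n"),           # SSH on the HTTP port
        Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01])),  # TLS ClientHello stub
    ]
    for f in samples:
        print(f.dst_port, compare(f))
```

The port-based filter allows the SSH session on port 80 because the port is open, while the application-aware filter denies it because the payload is not HTTP; the same logic denies plaintext HTTP to a host outside the allow-list even though the protocol is correct. A real NGFW also needs to handle TLS (inspecting the ClientHello or decrypting the session, as the SSL inspection feature describes) before it can apply a host-level policy on port 443.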
Figure 11-4 shows the components of the Firepower solution:

Firepower Management Center (a management console that has APIs to control and manage application control, URL filtering, AMP, and so on)

Firepower Threat Defense