Next Generation Firewalls (NGFWs) | Cisco CCNA 200-301

  • Published on 3 Oct 2024

Comments • 102

  • @Don-Carillo 2 years ago +12

    Your videos are actually getting better and better and I didn't even think that was possible. These are great

    • @KeithBarker 2 years ago +2

      Thank you Don Neto!

  • @nersesavakyan5760 2 years ago +2

    High Quality Content + High Quality Expert + High Quality Mentor +++ == Keith Barker

    • @KeithBarker 2 years ago +1

      Thank you Nerses Avakyan!

  • @TLR9898 a year ago +1

    The best video I have ever watched, explaining with graphics, simplifying the terms and showing the related demo are just making it much easier to understand and remember. Thank you so much. Really appreciate it!

    • @KeithBarker a year ago

      Happy to do it, thanks for the feedback kaiyu lee.

  • @cycleof7s438 2 years ago +4

    The visuals really help with understanding the theory. Thanks again Keith!

    • @KeithBarker 2 years ago +2

      Thank you Cycle of 7's!

  • @CyMDtech a year ago +1

    This is funny, Keith has been my teacher for a long time and we don't even know each other :D, got all the way to my CCNPs with him and Jeremy Cioara. I would love to meet those guys in the real world.

    • @KeithBarker a year ago

      Thank you CMD Tech! Next time you are in Vegas, ping me.

    • @mubashir1976 several months ago +1

      I have been watching since 2009, it looks like I always knew these guys (Keith and Jeremy). I got my first networking job thanks to all the stuff I learned from these guys, I am able to pay forward by teaching others. It was a far cry from driving cab, delivering pizza to senior network engineer for DOD, all kudos to these guys. Keith, you might not know it, but understand you have impacted so many lives in a good way. My family's life changed and also I was able to change two families' lives thanks to Keith!!

  • @timecircle8420 2 years ago +1

    Man, this is a wonderful networking video. It finally clicks for me.

    • @KeithBarker 2 years ago

      Congratulations B P❗
      So great to hear. Best wishes on your continued success.

  • @-Joseph 2 years ago +3

    Hallelujah!

  • @MsDosSantoss 2 years ago +1

    One of the greatest and the most comprehensive tutorials I've ever seen. Thank you Keith!

  • @ilogiksolutions6410 2 years ago

    You changed my life, Keith. May the odds be ever in your favor

  • @ramdogproductions 2 years ago +1

    Studio is looking GREAT! Thnx for sharing this important info!! - Ramsey

    • @KeithBarker 2 years ago

      Thank you ramdogproductions!

  • @rockinron5113 2 years ago +2

    Thanks Keith. That was a great tutorial. Keep up the good work

  • @yoyoyoyo3205 2 years ago +1

    Thanks Keith. Very helpful video!

  • @ccnalab2589 2 years ago +1

    great content, simplified and easy to understand and to remember

  • @ViralPoost1 a year ago

    I started watching your videos. Thank you Keith

  • @pedrogonzalez3421 2 years ago

    great nugget you are definitely the OG of IT :)

    • @KeithBarker 2 years ago

      Thank you Pedro Gonzalez!

  • @mdlottery a year ago

    Cisco NGFW uses a Linux (Lina) engine which is run on top of the Cisco code in FTDs. The problem, in my experience, is that in an FTD device you cannot use "normal" or, should I say, conventional commands in the NGFW to make configuration changes. Everything is done in the Firepower Management Console. You can only view the current running config in expert mode. That's a huge problem. What if I am unable to reach the firewall to deploy a configuration change from the FMC, however, I am at the console with a DB9 attached? Then it becomes a pain in the arse. Cisco or any other NGFW developer should implement a way to configure AND manage the firewalls both remotely through deployment AND locally. Further, at a minimum we should be able to make simple switch port changes using conventional ASA commands, i.e. config - t etc.

  • @akintolamichael6107 2 years ago

    Very helpful and useful. Thanks Keith.

    • @KeithBarker 2 years ago

      Thank you Akintola Michael!

  • @kierano7466 a year ago

    Really excellent explanations thank you!

  • @MA-ms2qn a year ago

    Thank you so much!!, It was super beneficial

    • @KeithBarker a year ago

      Happy to do it, thanks for the feedback M A.

  • @ogboabeyone a year ago

    thanks this is so great

    • @KeithBarker a year ago

      Thank you Abiodun Samuel!

  • @Shokingawesome 2 years ago

    Fire video!

  • @popescusilviu9948 2 years ago

    Very good explanation.

    • @KeithBarker 2 years ago

      Thank you Popescu Silviu!

  • @micheleklau2387 2 years ago +1

    Love your videos! Maybe mention that in the EU you can't just implement HTTPS inspection without permission from HR/management. You can land your company in a very bad place with that.

    • @konefine3626 2 years ago

      Check out for complete CCNP and CCIE playlist, this man is also good in teaching and he is a well experienced prof like Keith th-cam.com/users/thinQtankS

    • @KeithBarker 2 years ago

      Thank you for the suggestion Michele Klau❗

    • @markarca6360 a year ago

      Is it as per the EU GDPR?

    • @23poiuz a year ago

      The explicit permission by the individual user (!) is required. If the user is an employee, the employee contract must have appropriate text. Otherwise there is no effective user agreement wrt GDPR, and management will be liable. As a user, even of a company owned device, I expect HTTPS to be secure and not monitored other than by the target website. Also, NGFWs are misnamed: they are TLS interception intermediaries aka wiretaps. Which is ok, if I'm being made aware and explicitly and freely agree.

  • @dono42 2 years ago +4

    Could you add a few comments regarding the placement of the firewall? Specifically, since it can do routing and NAT, what advantages / disadvantages there are to placing the firewall before an edge router vs. replacing the edge router with the firewall itself. In the last two companies that I worked at the edge device was a firewall (Cisco ASA and Palo Alto, respectively) at each office; there were no dedicated routers.

    • @mdbruin8143 2 years ago +2

      I don't know every single pro or con of the placement, but I picked up some of them.
      With a dedicated router
      Pros
      Sharing the load: on the internet side there are a lot of things happening. Take for example port scans. When you have a dedicated router, that will be handled by the router. This means that the firewall can scan all traffic without the noise of the internet. Also, security-wise, more devices are more secure if configured correctly. If an intruder needs to get access to one device or to several devices, it's more difficult and time consuming to get access to several devices, which gives a higher chance of detection.
      Cons
      Higher price because more devices
      Double NAT (which can also be a pro because of obscurity)
      Without a router
      Pros
      Lower cost
      No double NAT
      Cons
      Internet traffic can fill up the logs, which makes monitoring more difficult
      One device to handle the security.
      Some parts of this you need to know for the CCNA, but most of it is a higher level of certification. CCNA is more a basic understanding of the Cisco technology.

    • @KeithBarker 2 years ago +1

      Thank you!

    • @kenstoudamire7366 a year ago

      Having an edge router doesn't mean you need to double NAT... you can have point to point and workload public IPs

  • @Dave-py2hi 2 years ago

    Thanks Keith. Very helpful video :)

    • @KeithBarker 2 years ago

      Glad it was helpful!

  • @patrikmansuri a year ago

    Very cool and good video on NGFWs

    • @KeithBarker a year ago +1

      Thank you for the question Patrik Mansuri.

  • @JT-mk3kp 2 years ago

    I love you Keith

  • @oritzhak8195 2 years ago

    Hey Keith, I really admire you and I want to thank you so much; you explain those concepts really well and clearly. Could you make a video lab about FHRP with VLANs?

    • @KeithBarker 2 years ago

      Thank you or itzhak!

  • @ex7229 2 years ago

    I'm a new network admin and we just got the new FTDs to deploy. We're replacing our ASAs; I'm pretty nervous.

  • @MrWinfil 2 years ago

    Thank you Keith for this awesome tutorial. I wish you would provide us more advanced courses on the Fortinet FG firewall, if it is possible.

    • @KeithBarker 2 years ago +1

      Thank you for the feedback, and the request. Most of my FG content is up at CBT Nuggets. I may be making a few more FG vids here on TH-cam, time will tell.
      Thanks again.

  • @brunoblatief a year ago

    awesome video

    • @KeithBarker a year ago

      Thank you Kyle Wankin!

    • @brunoblatief a year ago

      @KeithBarker Can you give a link for packet tracers on this topic? I would really like to explore firewalls more

  • @yassersaied7279 2 years ago +1

    Thanks Keith so much for the session... Can I know what kind of pen/tab you are using for hand notes and what software you are using for the notes? I like the font and how clear your hand notes are.

    • @KeithBarker 2 years ago +2

      Thank you for the question Yasser Saied.
      I use a Wacom screen, which supports a pen. I also use EpicPen software, for the pen work.

  • @EA-fb7ug 2 years ago

    Thank you

  • @thilaks8334 a year ago

    Can we get a video series for FTD and FMC Pls

  • @Hartley94 2 years ago

    Thanks.

  • @Koszification 2 years ago

    Very nice, my friend. :)

  • @Sam-bw5sk 2 years ago

    Hi Keith, I couldn't find the practice lab on your website for 2-Tier and 3-Tier. Could you send me the link to download it please?

  • @gatolibero8329 2 years ago

    How do you not have more subscribers....

    • @KeithBarker 2 years ago

      Thank you Gato Libero!

  • @davidchang5862 2 years ago

    Are NGFWs the equivalent of Firepower? How does it fare against Fortigate?

    • @KeithBarker 2 years ago

      Thank you for the question David Chang.
      There are a few vendors who have NGFW offerings, including:
      Cisco (Firepower Threat Defense (FTD))
      Fortinet (FortiGates)
      Check Point
      Palo Alto
      (and there are more vendors as well, but those are the ones that come to mind first).
      They all have very similar NGFW features.

  • @hiimbob2121 2 years ago

    I see in the picture that there are 2 routers and an NGFW. Can an NGFW be a router? Or is it always a separate piece of gear / VM?

    • @KeithBarker 2 years ago

      Thank you for the question stuart duperron.
      Most firewalls are L3 routers (in addition to the firewall services).
      Most firewalls are physical appliances (devices) due to needing dedicated hardware and circuits to do all the work very fast. Having said that, most vendors also offer a virtualized version of their firewalls as well. Examples would be for use in cloud networking such as Azure or AWS.

  • @javieranayapacheco7646 2 years ago

    It seems WSA and NGFW both have the same features... Why have two products with the same functionalities?

    • @KeithBarker 2 years ago +1

      Thank you for the question Javier Anaya Pacheco.
      I think the answer is both $$$, as well as having specific products to fit specific needs.

  • @Hugo-my3ek 2 years ago

    What is the difference between NGFW and UTM?

    • @KeithBarker 2 years ago

      Thank you for the question Hugo Teixeira. NGFWs are an example of a Unified Threat Management (UTM) system.

  • @saibot293 2 years ago

    What's the cheapest way to get hands on with this?

    • @KeithBarker 2 years ago

      Thank you for the suggestion Saibot❗ Cisco's Firepower Threat Defense (FTD) and their Firepower Management Center (FMC) both provide 90-day evaluations for the VMs, with most of the features enabled, without having to register them or purchase licenses.

  • @thefutureforme9765 2 years ago

    You are gorgeous!

    • @KeithBarker 2 years ago

      Thank you The Future For Me!

  • @cdfaulk a year ago

    Cisco has NGFWs?

    • @KeithBarker a year ago

      Thank you for the question Chris F. The Cisco Firepower line is an NGFW solution.

  • @md.parvezlimon9263 2 years ago

    Thank you sir, can you create a Packet Tracer lab on this topic, sir?

    • @KeithBarker 2 years ago +1

      Thank you for the question Md. Parvez Limon. Packet Tracer doesn't have most of the NGFW features available in that emulation tool yet. Perhaps someday it will.

    • @md.parvezlimon9263 2 years ago

      @KeithBarker Thank you sir, I am learning many things from you. You are great.

  • @AndersJackson 2 years ago

    You don't need NAT IF you have public addresses, like you should have in IPv6. But still, at work our machines have public IPv4 addresses, so we do not need the ugly NAT hack. But each public IPv4 address is EXPENSIVE, compared to IPv6.

    • @KeithBarker 2 years ago +1

      Thank you Anders Jackson!

  • @GamjaField 2 years ago +1

    Next-gen Firewall, more like Next-gen disaster. Don’t ever buy Cisco’s firewall device.

    • @yihadsamir1368 2 years ago

      why

    • @GamjaField 2 years ago +2

      @yihadsamir1368 It's a pain in the ass to manage, and their software is full of bugs as well.

    • @rockinron5113 9 months ago

      And Juniper. The flakiest of them all.

  • @vicg5323 2 years ago

    Good explanation but you need to speak slower.