CCNP Chapter 7: Cisco NGFW & NGIPS

Next-Generation Firewalls (NGFW)

NGFWs go beyond traditional firewall functions by incorporating deep packet inspection, application awareness, and threat intelligence. Cisco's NGFW solutions, such as the Firepower series, allow network admins to control traffic at Layer 7, detect malware, and enforce user policies.

! Illustrative notation from the original notes: ASA/FTD extended ACL syntax has no
! "malware" keyword, so these lines will not parse as written. On Firepower, malware
! blocking is configured with a File/Malware policy attached to an access control
! rule in FMC/FDM; the ACL/access-group pair below only shows where a Layer-3/4
! rule would be applied (inbound on the outside interface).
firepower(config)# access-list BLOCK-MALWARE extended deny ip any any malware
firepower(config)# access-group BLOCK-MALWARE in interface outside
[Figure: Cisco NGFW Diagram]

Intrusion Prevention Systems (NGIPS)

NGIPS systems detect and prevent known and unknown threats in real time. Cisco NGIPS, integrated with Firepower Threat Defense (FTD), uses dynamic analysis and reputation-based filtering to block malicious traffic before it affects internal systems.

NGIPS supports inline mode and passive mode deployments, allowing organizations to choose between active blocking and alert-only monitoring based on risk levels.

[Figure: NGIPS Threat Correlation]

Application Visibility and Control (AVC)

AVC enables visibility into the types of applications running on the network. It allows NGFWs to apply granular policies such as blocking social media during work hours or prioritizing VoIP traffic. Cisco AVC uses NetFlow and NBAR2 to classify and manage applications.

! NBAR2 application classification: a flow matches if it is Facebook OR Instagram
class-map match-any social-media
  match protocol facebook
  match protocol instagram
! Drop matched traffic; everything else falls through to class-default (forwarded)
policy-map internet-policy
  class social-media
    drop
! The policy does nothing until attached to an interface (interface name assumed)
interface GigabitEthernet0/0
  service-policy input internet-policy
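The two ideas above (application-aware policy from the AVC section, and inline versus passive enforcement from the NGIPS section) worked through as an added example; this is not Cisco code and not from the original notes. The SNI-to-application table, the work-hours window and the flow records are constructed stand-ins for what NBAR2 signatures and NetFlow records would supply.

```python
from dataclasses import dataclass
from datetime import time

# Constructed stand-in for NBAR2 classification: TLS SNI suffix -> application.
# Real NBAR2 uses payload, DNS and SNI signatures from its protocol pack.
APP_SIGNATURES = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "instagram.com": "instagram",
    "zoom.us": "zoom",
}
# Application groups the policy refers to (mirrors the class-map above).
APP_GROUPS = {
    "social-media": {"facebook", "instagram"},
    "voip": {"zoom", "rtp"},
}
WORK_HOURS = (time(9, 0), time(17, 0))  # assumed work-hours window


@dataclass
class Flow:
    dst_port: int
    sni: str = ""  # TLS Server Name Indication, empty if none seen


def classify(flow: Flow) -> str:
    """Return the application name for a flow, or 'unknown'."""
    host = flow.sni.lower()
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    # Crude port-range fallback for media streams that carry no SNI.
    if 16384 <= flow.dst_port <= 32767:
        return "rtp"
    return "unknown"


def evaluate(flow: Flow, now: time, mode: str = "inline") -> str:
    """Apply the example policy: social media is blocked during work hours,
    VoIP is prioritized, everything else is allowed. In passive mode a
    would-be drop becomes an alert, as in an NGIPS monitor-only deployment."""
    app = classify(flow)
    in_work_hours = WORK_HOURS[0] <= now < WORK_HOURS[1]
    if app in APP_GROUPS["social-media"] and in_work_hours:
        return "drop" if mode == "inline" else "alert"
    if app in APP_GROUPS["voip"]:
        return "prioritize"
    return "allow"
```

Note that the same flow yields "drop" in inline mode but only "alert" in passive mode: a passive sensor sees a copy of the traffic and can never stop it, which is the trade-off the NGIPS section describes.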
[Figure: Application Visibility and Control]