topic I got internal note from in Network Security

cisco Asa firepower traffic rate limiting

susim — Tue, 12 Mar 2019 05:50:37 GMT

Does cisco Asa firepower supports url filtering and traffic rate limiting ?

Thanks

URL Filtering is possible.

Marvin Rhoads — Mon, 27 Apr 2015 12:52:48 GMT

URL Filtering is possible. Advanced features are enabled when you have the URL license. Reference.

You cannot rate limit outbound traffic using the FirePOWER module but you you can perform rate-based attack prevention. Reference.

Hi So how can we do the

susim — Mon, 27 Apr 2015 12:58:25 GMT

So how can we do the traffic shaping ?

Thanks

If you need to do traffic

Marvin Rhoads — Mon, 27 Apr 2015 13:01:01 GMT

If you need to do traffic shaping, you would create a policy on the base ASA, not on the FirePOWER module.

Here's a guide for doing that.

So how can we do the layer7

mscottini — Mon, 28 Sep 2015 19:56:19 GMT

So how can we do the layer7 traffic shaping?

Thanks

Well.. you can't do true L7

Daniel Sandstrom — Thu, 01 Oct 2015 13:50:51 GMT

Well.. you can't do true L7 traffic shaping today in a ASA/Firepower combination.. You need something else.. like Meraki..

As per our Cisco Security CSE

dlongpre — Tue, 06 Oct 2015 23:01:18 GMT

As per our Cisco Security CSE, L7 shaping/policing (QoS) and Time-based will be available into Firepower/Firesight 6.1 release...

My guest, should be available in 2016...

Any news on this?

TM13 — Mon, 25 Apr 2016 02:09:21 GMT

Any news on this?

It's not available as of the

Marvin Rhoads — Mon, 25 Apr 2016 03:20:46 GMT

It's not available as of the current 6.0.1.

Please watch the release notes for future updates.

http://www.cisco.com/c/en/us/support/security/asa-firepower-services/products-release-notes-list.html

http://www.cisco.com/c/en/us/support/security/defense-center/products-release-notes-list.html

Hehe, thanks, better go for

TM13 — Mon, 25 Apr 2016 04:27:44 GMT

Hehe, thanks, better go for Fortinet 😛

Hi Marvin,

Marcin Szatkowski — Thu, 26 May 2016 09:17:23 GMT

Hi Marvin,

Do you know any ETA of the Layer 7 traffic shaping feature ?

Best regards,

Marcin

We hope for it in 6.1 (Summer

Marvin Rhoads — Thu, 26 May 2016 11:43:59 GMT

We hope for it in 6.1 (Summer 2016) but it won't be confirmed until released.

Thanks Marvin.

Marcin Szatkowski — Thu, 26 May 2016 11:51:38 GMT

Thanks Marvin.

I got internal note from

dlongpre — Thu, 26 May 2016 13:03:56 GMT

I got internal note from Cisco Security SE, and 6.1 should include rate-limiting and other new features like SITE-TO-SITE VPN, Shared NAT...

6.1 should be available July 2016.

Thanks,

Dominic.

Thanks for the update Dominic

Marcin Szatkowski — Thu, 26 May 2016 13:09:01 GMT

Thanks for the update Dominic.

QoS is now available in 6.1.0

Barrett Cowan — Tue, 27 Sep 2016 23:12:19 GMT

QoS is now available in 6.1.0 (released Aug 29th), but only works with FirePower Threat Defense devices, which is the ASA/FirePower unified image. There are other ASA base limitations when running this image, ie. no AnyConnect, although this is set to be added soon ... they are making big leaps on FTD.

What is mean "no AnyConnect"

TM13 — Wed, 28 Sep 2016 01:59:18 GMT

What is mean "no AnyConnect" ? actually Cisco traditional Policy based rule is set on Source/Destination IP or range, not like every IP or bulk configuration on different rate on IP range ... by the way FirePower has Load balancing?

"AnyConnect" = shorthand for

Marvin Rhoads — Wed, 28 Sep 2016 02:18:45 GMT

"AnyConnect" = shorthand for client-based remote access SSL VPN. Cisco uses the AnyConnect Secure Mobility Client software for that function.

FTD-based rule sets can be based on application, URL category, etc. in addition to traditional 5-tuple criteria (protocol, source and destination address and port).

Load balancing - how do you mean that?

Means if we order Cisco

TM13 — Wed, 28 Sep 2016 02:34:33 GMT

Means if we order Cisco FirePower it hasn't AnyConnect? :O, that FTP sounds nice, but still does it can possible give same bandwidth limit on each IP having session established?

Load balancing is for 2 different Internet Gateways solution, using both ISP for Internet access.

Please keep in mind the

Marvin Rhoads — Wed, 28 Sep 2016 03:04:39 GMT

Please keep in mind the distinction between "FirePOWER" = a general set of features and technologies based on the Cisco acquisition of Sourcefire in 2013 and specific products, i.e:

1. Cisco ASA with FirePOWER services. Has all the traditional ASA features plus FirePOWER services in an added module that perform Next Generation IPS, URL Filtering and Advance Malware Protection (depending on licensing).

2. FirePOWER Threat Defense (FTD). A new unified image that can run on an ASA (or FirePOWER 4100 and 9300 series) that includes many (but not all) of the classic ASA features along with the FirePOWER features.

Remote access SSL VPN ("AnyConnect") is only available with option #1 at this time.

#1 has crude rate limiting (classic QoS policing and shaping). #2 has that plus the ability to use Layer 7 characteristics to your policy.

As far as load balancing, that is a separate topic unto itself.

A lot depends on your Internet connectivity. If you have your own provider-independent addressing and BGP peering to separate providers you can technically use that with the classic ASA solution (#1). However it's usually not a good choice to do that on an ASA since it's really not designed to accept a full routing table and make dynamic decisions based on the routes installed in the FIB on a per-flow basis. You can also do policy-based routing on an ASA with FirePOWER services. Again not really ISP load balancing.

An FTD solution has fewer routing options and is generally best suited for single egress route use cases at this stage.

In either case, it is almost always much better to let an upstream router route. They are fit for that purpose. A security appliance is fit to provide security. Don't count on it having all the routing features of a true router.