Solved: Re: CISCO FirePOWER Recommendation

dpsw120 · ‎09-19-2019

Hello All,

So i need to buy a Firewall Hardware and the requirements are :

1. Firewall Capability

2. IDS and IPS (one if possible both)

3. No Subscription

And my seller offer me ASA5508-FTD-K9, my questions are :

1. What feature does it have?

2. Does it include IDS and IPS?

3. Do i need to buy Subscription for this? and when im not buying it, what would happen?

I already ask this to my seller but no reply so i hope someone can answer it in here.

Thank You.

Rob Ingram · ‎09-19-2019

Hi,
When you run the FTD software you get Firewall, Threat (IPS), Content Inspection, AMP, SSL Decrytion and IPSec features.
You can run the IPS as an IDS if you wish to just get notifications of events.
You should buy a subscription, otherwise you won't get the latest updates, you could buy a 1, 3 or 5 year subscription.

As far as hardware is concerned the more features you enable the less throughput you receive. So make sure you purchase the correct hardware. I would personally recommend you purchase (budget permitting) the newer Firewpower 1000 series appliances then the ASA 5508-X, they are older hardware and more than likely to be EOS sooner rather than later.

HTH

View solution in original post

Rob Ingram · ‎09-19-2019

Hi,
When you run the FTD software you get Firewall, Threat (IPS), Content Inspection, AMP, SSL Decrytion and IPSec features.
You can run the IPS as an IDS if you wish to just get notifications of events.
You should buy a subscription, otherwise you won't get the latest updates, you could buy a 1, 3 or 5 year subscription.

As far as hardware is concerned the more features you enable the less throughput you receive. So make sure you purchase the correct hardware. I would personally recommend you purchase (budget permitting) the newer Firewpower 1000 series appliances then the ASA 5508-X, they are older hardware and more than likely to be EOS sooner rather than later.

HTH

dpsw120 · ‎09-19-2019

Okay so this FTD has may features, it's good.
What this latest update for? IPS rules? can you specified, thank you.

So there're new player in town can you recommend me what to choose with Firepower 1000 that has same capability as ASA 5508-X

Thank You

Marvin Rhoads · ‎09-19-2019

Actually Threat protection on an FTD device requires a license. Almost anything Cisco sells in the security product arena requires licensing of one type or another. Without at least a Threat license you get only VERY limited application visibility and control.

While Cisco does not prevent you from downloading the threat updates (Snort rule updates, VDB updates, Cisco Security Intelligence Feeds for IP and URL reputation) without the Threat license being active, you would not be operating a device in according with the licensing terms and conditions if you were to do so.

Deploying a File (Malware) or URL Filtering policy requires those respective licenses as well. Also remote access VPN using AnyConnect requires AnyConnect licenses.

Which device is recommended for your environment depends mostly on required throughput and number (and type) of interfaces. Also, if it needs to be rack mounted then the very smallest Firepower 1010 is not the best choice since it's a very small device designed to sit on a shelf or desktop. there is an available rack mount kit but it's pretty pricey (US$350 list price) compared to the cost of the appliance itself (US$1195 list price). The next larger device is the Firepower 1120. Either one has more throughput capability than an ASA 5508.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

dpsw120 · ‎09-19-2019

What are the limited application visibility and control i get?

I just need firewall and IDS/IPS capability, using snort would be great. And those are awesome too (VDB updates, Cisco Security Intelligence Feeds for IP and URL reputation).

Ignoring File (Malware) or URL Filtering policy wouldn't hurt much right?
About VPN though, im using OpenVPN other thann AnyConnect and my VPN Hardware right now is RV320 but OpenVPN concurrent user it's only 5 it's to small, are ASA and Firepower 1000 series capable running OpenVPN? and how concurrent user can connect?

Yes i think i will chose rackmount device because it's got more throughput. I'm still confuse about choosing this two Firepower 1120 or ASA 5508.

Marvin Rhoads · ‎09-20-2019

Application Visibility and Control (AVC) allows you to do things like block FTP, derive reports on how much traffic is web browsing vs other protocols, identify use of insecure protocols etc.

Cisco does not support third party VPN client or server software. If you get it to work it's good for you but most Cisco customers choose Cisco's AnyConnect Secure Mobility client due to its breadth of features and manageability.

As @Rob Ingram said, 1000 series will have more lifetime ahead of it since it was just introduced earlier this year. I would not be surprised to see end of sales for the lower end 5500 series in the coming year.

dpsw120 · ‎09-20-2019

With limited AVC there still Firewall that will do the job right?

That's too bad about third party VPN. I hope i can get it work. I never try AnyConnect i think i will consider it, is it support any OS or just Windows for client?

Are 1000 series like FPR1010-NGFW-K9 and FPR1120-NGFW-K9 has the same feature like ASA5508-FTD-K9?

Marvin Rhoads · ‎09-20-2019

AnyConnect is available for Windows, Mac OS and Linux.

Features are similar between the models but not exactly the same. Please refer to the data sheets to confirm feature that are important to you.

dpsw120 · ‎09-23-2019

I'll read the data sheets.

Thank you.

dpsw120 · ‎09-23-2019

If i buy this FPR1120-NGFW-K9 what feature do i get? is it already included with Thread License?

Thank you

Marvin Rhoads · ‎09-23-2019

Threat protection is a paid license. It is not included automatically with any hardware. You must ALWAYS purchase it if you want the feature.

You can use all licensed features for 90 days by using the free trial licenses; but after that period you must purchase any of the ones you want to continue using.

dpsw120 · ‎09-23-2019

So without threat license i will lose IPS feature? Or just the support feature?

How about this bundle ASA5508-FTD-K9 is it already include threat protection?

Marvin Rhoads · ‎09-23-2019

You have to buy the license to get the feature. It doesn’t matter which hardware you buy or even if you run FTD Virtual edition.

No exceptions after the 90 day trial.

dpsw120 · ‎09-23-2019

I'm reading about "Firepower Management Center Configuration Guide" and reading this section

Service Subscriptions for Firepower Features (Smart Licensing)

Some features require a service subscription.

A service subscription enables a specific Firepower feature on a managed device for a set length of time.
Service subscriptions can be purchased in one-, three-, or five-year terms. If a subscription expires, 
Cisco notifies you that you must renew the subscription. If a subscription expires 
for a Firepower Threat Defense device, you can continue to use the related features.

So i just have to buy it 1 time and keep continue using it if expired, right?

Can you confirm sir, thank you.

Marvin Rhoads · ‎09-23-2019

You can keep using Threat Defense (IPS) after the service subscription expires. Technically you are no longer entitled to download updates but Cisco won't prevent you from doing so (as of Firepower 6.4.0.5 anyway - that may change in the future).

If you are using policies that need the URL Filtering or AMP (File) licenses you won't be able to deploy any policy changes once those licenses expire. You can remove the parts of your policies that use those features and then deploy.

I think I have answered as thoroughly as possible - there is no free license. Trying to find some loophole or obscure reference won't change that fact.