So I need to buy firewall hardware, and the requirements are:
1. Firewall Capability
2. IDS and IPS (one if possible both)
3. No Subscription
And my seller offered me the ASA5508-FTD-K9. My questions are:
1. What feature does it have?
2. Does it include IDS and IPS?
3. Do I need to buy a subscription for this? And if I don't buy it, what would happen?
I already asked my seller, but got no reply, so I hope someone can answer it here.
Actually, Threat protection on an FTD device requires a license. Almost anything Cisco sells in the security product arena requires licensing of one type or another. Without at least a Threat license you get only VERY limited application visibility and control.
While Cisco does not prevent you from downloading the threat updates (Snort rule updates, VDB updates, Cisco Security Intelligence Feeds for IP and URL reputation) without the Threat license being active, you would not be operating the device in accordance with the licensing terms and conditions if you were to do so.
Deploying a File (Malware) or URL Filtering policy requires those respective licenses as well. Also remote access VPN using AnyConnect requires AnyConnect licenses.
Which device is recommended for your environment depends mostly on required throughput and the number (and type) of interfaces. Also, if it needs to be rack mounted then the very smallest Firepower 1010 is not the best choice, since it's a very small device designed to sit on a shelf or desktop. There is an available rack mount kit, but it's pretty pricey (US$350 list price) compared to the cost of the appliance itself (US$1195 list price). The next larger device is the Firepower 1120. Either one has more throughput capability than an ASA 5508.
Application Visibility and Control (AVC) allows you to do things like block FTP, derive reports on how much traffic is web browsing vs other protocols, identify use of insecure protocols etc.
Cisco does not support third party VPN client or server software. If you get it to work it's good for you but most Cisco customers choose Cisco's AnyConnect Secure Mobility client due to its breadth of features and manageability.
As @RJI said, 1000 series will have more lifetime ahead of it since it was just introduced earlier this year. I would not be surprised to see end of sales for the lower end 5500 series in the coming year.
AnyConnect is available for Windows, Mac OS and Linux.
Features are similar between the models but not exactly the same. Please refer to the data sheets to confirm the features that are important to you.
Threat protection is a paid license. It is not included automatically with any hardware. You must ALWAYS purchase it if you want the feature.
You can use all licensed features for 90 days by using the free trial licenses; but after that period you must purchase any of the ones you want to continue using.
So without the Threat license I will lose the IPS feature? Or just the support feature?
How about this bundle, ASA5508-FTD-K9? Does it already include threat protection?
You have to buy the license to get the feature. It doesn’t matter which hardware you buy or even if you run FTD Virtual edition.
No exceptions after the 90 day trial.
I'm reading the "Firepower Management Center Configuration Guide" and found this section:
Service Subscriptions for Firepower Features (Smart Licensing)
Some features require a service subscription. A service subscription enables a specific Firepower feature on a managed device for a set length of time. Service subscriptions can be purchased in one-, three-, or five-year terms. If a subscription expires, Cisco notifies you that you must renew the subscription. If a subscription expires for a Firepower Threat Defense device, you can continue to use the related features.
So I just have to buy it one time and can keep using it after it expires, right?
Can you confirm, sir? Thank you.
You can keep using Threat Defense (IPS) after the service subscription expires. Technically you are no longer entitled to download updates but Cisco won't prevent you from doing so (as of Firepower 18.104.22.168 anyway - that may change in the future).
If you are using policies that need the URL Filtering or AMP (File) licenses you won't be able to deploy any policy changes once those licenses expire. You can remove the parts of your policies that use those features and then deploy.
I think I have answered as thoroughly as possible - there is no free license. Trying to find some loophole or obscure reference won't change that fact.