ASA's vs Palo Alto firewalls?

Andy White
Level 3

Hi,

We use ASA's and I really like them, however our boss has invited someone from Palo Alto to introduce the Palo Alto firewall range, why I don't know. Anyone ever used a Palo Alto firewall? I can't find any comparison documents, I know the sales guys will say Palo Alto firewalls are better than Cisco because......I need some backup for Cisco.

http://www.paloaltonetworks.com/products/

84 Replies

When the PAN did work, in say 4.1.9 (which has problems, but was stable), it protected the network fine. Downgrading, I believe, wasn't an option. I believe once you went to 5.x.x from 4.x.x, you were stuck in the 5.x.x world. Not sure, but I believe you can liken it to upgrading a Cisco Wireless Controller. Once you go beyond a version, the storage format is modified preventing you from going backwards. Not confirmed.

Nevertheless, too much time was lost trying to get them to work to begin with. Just not able to anymore, and finding the latest bug in the handling of custom categories with applications and services defined, I just couldn't take it any more. At some point, you gotta call it a day. Know what I mean?

Is there a head on comparison sheet available between the PAN and the ASA-cx

Hey Vibeesh, there may be. Keep in mind that the design of the PAN's core is 100% night-n-day different from the ASA. They have built-in heuristic scanning of packets for both signature-matching patterns and non-signature matching patterns, along with simultaneous inspection of services (what ASA does), application match (what ASA is starting to do), and URL matching (something the ASA does not do natively without tying itself to something else, i.e. Websense or WSA).

As for what ASA is starting to do with application matching, this is something I just found out. They are now doing application matching with social networks. They're finally coming around in part due to PAN and PAN hitting the market so strong with their feature set. I sure wish PAN's worked! I want them to work. I'm even considering rolling them back to 4.1.9, but at what cost? I can't support them in their current state. Any ways.

Here's the link that ASA addresses application style matching for social networks: (need to watch the 2nd video)

http://www.cisco.com/en/US/products/ps10164/index.html

Long story short, I don't believe PAN's and ASA's is a fair apples-to-apples comparison. PAN's in another league, provided they worked! =)

Tony,

   You are aware that you are pointing at the Ironport product line .... which is an entirely new product mix to what you might have; we have them ... and they have some interesting lack of enterprise fault tolerant features [ what happens if the outside interface goes down .... does the WCCP communication with the internal routers still work - blackholing "X" % of the traffic? ]

Sorry? Not sure I follow. Pointing to IRONPORT? I have Ironport, ASA's, PAN Firewalls, MobileIron, etc. I manage all of them. Not sure where you're referring to, but I'm willing to find out; curious. All my comments thus far are about the PAN firewall.

I point to the CISCO WSA (my 2nd choice when considering PAN v. Cisco as a web filter) which was coined IRONPORT WSA early on, but they dropped the IRONPORT from the name soon after IRONPORT ESA took off. I don't hear that very often any more. I could be wrong on my impression.

That said, I have redundancy in my network. I don't use WCCP. I use manipulated Administrative values and weights with BGP and EIGRP via ROUTE-MAPs, I use multiple routes to my remote sites using Comcast's Metro-Ethernet and AT&T's MPLS, all addressing fault-tolerance, with multiple PAN's configured in Active-Passive mode (or had, to be fair).

Help me out a little with your comment. What part of my conversation were you referring to?

I got it Robert. My bad bro. We'd marry the new ASA's (in a Fail-over design) to the Cisco WSA (providing web-filtering and other services). The WSA would not be stand-alone, nor would I implement a WSA that doesn't include some fault-tolerance to its own design. I'm in discussions with my Cisco Sales team as we speak.

My bad man. Thanks. I include the link you provide above in my posting as well. Appreciate it. =)

You will find that to be an interesting challenge -

Give me a buzz when you solve it.  I plan on using EEM

Thanks Tony. Some additional info on the compliance and certification:

http://www.niap-ccevs.org/st/vid10330/

All,

This is by far one of the best threads that I have seen in our forum. Thanks to everyone who has contributed thus far. Except for chiming in initially, I have been one of the silent observers/readers.

I have a question for one of the PAN users on this thread. Does PAN detect BYOD such as iPhone, iPad, iPod, iPad-mini, or other vendor tablets and filter based on the detected device?

-Kureli

Can you suggest a scenario where you would want to do this and it would not be better done on backend devices (webservers with user-agent checks ) ?

I am not sure that I would allow Android 4.x full access to Google services but limit iPads to only Gmail messaging.

My end users access the same resources with a variety of devices in the same time window.

I currently am typing this on a Windows 7 32 bit ... but might pick up my rooted G2 or if I'm in my office use my week old MacBook ... downstairs before the NCAA game I could pick up the iPad or even use my Fedora VM from the 64 bit Windows 7 box (I do this as a sandbox and overwrite the VM image weekly to clean up any crap)...This does not even count Chrome vs Aurora vs IE or Safari ....

1 user, 1 location, 1 day , 7-10 browser environments - and I'm not terribly sophisticated ....

Thanks for responding. Here is a typical hospital scenario:
A doctor accessing the medical records using an application from a hospital authorized laptop should be allowed, but accessing those same records using the same application from a smartphone or tablet should not be allowed.
-Kureli

That sounds more like a NAC/ISE/RBAC type scenario, as I am not sure how you could tell an approved iPad from an unapproved iPad at the packet level unless NAC/ISE capabilities were really the question.

however,

That may not be an actual good example;

the vendors I know of - Epic, Cerner - actually want you to use their apps that exact way - Really. The more that can, the better the sale. If you could run them on a Dick Tracy phone and that increased market penetration ...

Epic for instance uses remote desktop technologies so the actual client is not an important component in the equation and the client to server transport is SSL wrapping ... RDP or ICA  so a specific client is mostly immaterial other than performance and screen issue once you authenticated to the desktop client and application.

This is from a Citrix login page -

Your Windows desktops and apps on demand - from any PC, Mac, smartphone or tablet.

Before I pulled the PAN from production, we configured it to work with MOBILEIRON, which would handle our BYOD. MobileIron is by far the best product for BYOD. There isn't anything you would be able to do to "manage" a pool of mobile devices with policies without something "like" MobileIron. PAN isn't a player in that arena.

As for BYOD, here's the only problem with PAN. PAN uses the user's Windows credentials to authenticate their ability to use the Internet, or traverse through it. So how does it do this for a mobile device which doesn't prompt the user, nor is Windows? (i.e. Apple iOS and Droid; Note: I've got both to work using MobileIron)

Answer: Captive Portal.

PAN requires USER ID AGENTS running on DOMAIN CONTROLLERS and TS UID AGENTS on Terminal Servers so it can associate the user's logon credentials to an IP. With MobileIron, we push down a policy that installs the SSID for our WIRELESS environment. It pushes the password for them as well so they don't have to call me! (Sweeet!) However, if they want to browse the Internet, because they don't have a UID and PW, the PAN traps that session and forces the CAPTIVE PORTAL to pop up a USER ID and PASSWORD prompt. It's a simple page. The user then enters their Windows credentials from your Active Directory (which is tied to the PAN through LDAP), and the user is then allowed to browse the Internet through their mobile device.

The only thing I haven't got to work yet, because of my problems with PAN firewalls in general, is the ALWAYS ON protection. They say, and I've read, that the DEFAULT ROUTE is dependent on its ability to detect its location: either on a PRIVATE LAN here in my organization, or a PUBLIC LAN, like at Starbucks. If it can reach the private LAN's default gateway, it's PRIVATE and uses the normal DEFAULT ROUTE. If it doesn't, then the 0.0.0.0 changes to the VPN's configuration, forces the device to our network, and thus forces PAN policies on the device.

Of course, people would say, "But what if it's their own device, not a company-owned device???" If it's company-owned, that's what they get and they can't change it. Meaning, we will protect our investment and our infrastructure on our own devices, regardless. Live with it! If it's NOT company-owned, then they can simply disable the MobileIron app, which is detected by the policy, which immediately disables the WiFi SSID, their Email, and their connectivity to our network. That has been tested and it works today.

For those who asked me, "Why not downgrade to 4.1.9?" after my woes with 5.0.2. I did a week ago, Failed. The SCHEMA gets massively modified going up. You can downgrade, but you lose a lot. I lost all my VPN configurations. When I upgraded to 5.0.3, I did not get them back. Oh well. (Yes, I opened a ticket with PAN. They couldn't figure it out. I was stuck.)

We are in the process of assessing whether or not to put them back into production, or replacing them entirely with ASA firewalls. Hard to justify spending an additional $30k-$40k though after having spent $60k on these PAN's. We already own an ASA. We just need two more to be in the same situation we are today with PAN.

Thanks.
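The identity flow Tony describes above (User-ID agents mapping domain logons to IPs, with the captive portal as the fallback for devices that have no mapping) is modelled here as an added example; it is not code from the thread or from Palo Alto Networks, and the log format, the 45-minute mapping timeout, the zone names and the group membership are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of logon/logoff events as a User-ID agent might read
# them from a domain controller: time, action, user, source IP (format assumed).
LOGON_EVENTS = """\
2013-03-20 08:00:00 logon DOMAIN\\bwilson 10.10.20.40
2013-03-20 08:05:42 logon DOMAIN\\akhan 10.10.20.33
2013-03-20 09:30:00 logoff DOMAIN\\akhan 10.10.20.33
2013-03-20 09:40:10 logon DOMAIN\\jsmith 10.10.20.15
"""

EVENT_RE = re.compile(r"^(\S+ \S+) (logon|logoff) (\S+) (\d+\.\d+\.\d+\.\d+)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
MAPPING_TTL = timedelta(minutes=45)  # assumed lifetime of an IP-to-user mapping


def build_user_map(events, now_str):
    """Replay the events into an ip -> user table; logoffs clear a mapping and
    logons older than MAPPING_TTL (as of now_str) are treated as stale."""
    now = datetime.strptime(now_str, TS_FORMAT)
    table = {}
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # ignore lines that are not well-formed events
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        action, user, ip = m.group(2), m.group(3), m.group(4)
        if action == "logoff":
            table.pop(ip, None)
        elif now - ts <= MAPPING_TTL:
            table[ip] = user
    return table


def decide(src_ip, src_zone, user_map, groups, allowed_groups):
    """Action for a new web session: user-based rule if the source IP is
    mapped, captive-portal challenge for unmapped hosts on the wireless
    zone (phones and tablets that never logged on to the domain), else deny."""
    user = user_map.get(src_ip)
    if user is None:
        return "captive-portal" if src_zone == "wireless" else "deny"
    return "allow" if groups.get(user) in allowed_groups else "deny"


if __name__ == "__main__":
    user_map = build_user_map(LOGON_EVENTS, "2013-03-20 10:00:00")
    groups = {"DOMAIN\\jsmith": "internet-users"}  # constructed AD group data
    print(user_map)
    print(decide("10.10.30.7", "wireless", user_map, groups, {"internet-users"}))
```

Once the captive portal has validated the credentials, the firewall would add that IP to the same table, which is why a phone only sees the prompt once per session.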
