cisco Asa firepower traffic rate limiting

susim
Level 3

Hi 

Does Cisco ASA FirePOWER support URL filtering and traffic rate limiting?

Thanks

24 Replies

QoS is now available in 6.1.0 (released Aug 29th), but only works with FirePOWER Threat Defense devices, which is the ASA/FirePOWER unified image. There are other ASA base limitations when running this image, i.e. no AnyConnect, although this is set to be added soon ... they are making big leaps on FTD.

What does "no AnyConnect" mean? Actually, the traditional Cisco policy-based rule is set on a source/destination IP or range, not like every IP or a bulk configuration with a different rate on an IP range ... by the way, does FirePOWER have load balancing?

"AnyConnect" = shorthand for client-based remote access SSL VPN. Cisco uses the AnyConnect Secure Mobility Client software for that function.

FTD-based rule sets can be based on application, URL category, etc. in addition to traditional 5-tuple criteria (protocol, source and destination address and port).

Load balancing - how do you mean that?

Does that mean if we order Cisco FirePOWER it doesn't have AnyConnect? :O That FTD sounds nice, but still, can it give the same bandwidth limit on each IP that has a session established?

Load balancing is for a solution with 2 different Internet gateways, using both ISPs for Internet access.

Please keep in mind the distinction between "FirePOWER" = a general set of features and technologies based on the Cisco acquisition of Sourcefire in 2013 and specific products, i.e:

1. Cisco ASA with FirePOWER services. Has all the traditional ASA features plus FirePOWER services in an added module that performs Next Generation IPS, URL Filtering and Advanced Malware Protection (depending on licensing).

2. FirePOWER Threat Defense (FTD). A new unified image that can run on an ASA (or FirePOWER 4100 and 9300 series) that includes many (but not all) of the classic ASA features along with the FirePOWER features.

Remote access SSL VPN ("AnyConnect") is only available with option #1 at this time.

#1 has crude rate limiting (classic QoS policing and shaping). #2 has that plus the ability to use Layer 7 characteristics in your policy.

As far as load balancing, that is a separate topic unto itself.

A lot depends on your Internet connectivity. If you have your own provider-independent addressing and BGP peering to separate providers, you can technically use that with the classic ASA solution (#1). However, it's usually not a good choice to do that on an ASA since it's really not designed to accept a full routing table and make dynamic decisions based on the routes installed in the FIB on a per-flow basis. You can also do policy-based routing on an ASA with FirePOWER services. Again, not really ISP load balancing.

An FTD solution has fewer routing options and is generally best suited for single egress route use cases at this stage.

In either case, it is almost always much better to let an upstream router route. They are fit for that purpose. A security appliance is fit to provide security. Don't count on it having all the routing features of a true router.
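As an added illustration of the "classic QoS policing" Marvin refers to for option #1 (this is example configuration written for this page, not from the thread or from Cisco's documentation), here is an ASA Modular Policy Framework snippet that caps outbound traffic from an assumed 10.1.1.0/24 subnet at 1 Mbps on the outside interface; the ACL, class-map, policy-map and interface names and the addresses are all constructed.

```cisco
! Constructed example: match the traffic to be rate limited
access-list RATE_LIMIT_ACL extended permit ip 10.1.1.0 255.255.255.0 any

! Classify that traffic
class-map RATE_LIMIT_CLASS
 match access-list RATE_LIMIT_ACL

! Police the class: conform rate in bits per second, burst in bytes
! Traffic over the rate is dropped; everything else is transmitted
policy-map OUTSIDE_QOS
 class RATE_LIMIT_CLASS
  police output 1000000 187500 conform-action transmit exceed-action drop

! Apply the policy to the egress interface
service-policy OUTSIDE_QOS interface outside
```

Note that the policer limits the whole class as an aggregate, so this caps the subnet as a group rather than giving each host its own 1 Mbps, which is the per-IP behaviour asked about earlier in the thread.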

Hi Marvin,

For the great reply. One final question: what does Cisco suggest for DDoS prevention? As I've heard, the higher FirePOWER series has its own good DDoS prevention, is that right? How is it on Option #1?

Enterprise and small-medium business class DDoS protection capabilities are equivalent between the FirePOWER features available on the higher end FirePOWER appliances, the ASA with FirePOWER Services and an appliance running the FTD image.

For carrier-class DDoS you can run the Radware DefensePro as a separate dedicated image on a service module in the Firepower 9300 platform.

Can you name the minimum version of ASA that could block DDoS? We know traditional DoS attack prevention like depending on port blocking ... but we are looking for quite smart DDoS blocking.

You would need an ASA 5500-X series with at least version 9.2(2) to run the FirePOWER Services modules and get the IPS-based DDoS protection in addition to that which is provided by the base ASA. DDoS comes in many forms and there's no one solution that can be said to fit all use cases.

I recommend you contact your local Cisco security reseller or Cisco SE for a more detailed analysis of your environment and requirements.

Hi,

Is this QoS still not available if you run the ASA with the FirePOWER module? Will this ever be available if you run it like this instead of the FTD image?

Thanks.
