Solved: Hi Neno Spasov,

varife1234 · ‎05-05-2016

good evening,

i wish add Intrusion Detention System to Cisco ASA FirePOWER license ( with I.P.S., A.M.P., Apps and URL protection ). Is possible that? i have to purchase another license or only an ( not free ) upgrade?

the starting date of Cisco ASA FirePOWER license-protection starts since purchase date or since activation/installation date on router ASA5506-X?

nspasov · ‎05-08-2016

Hi again, my answers below:

3) The L-ASA5506W-TAMC= is the correct part number if you are looking to get the Wireless ASA 5506-X model. Not sure why ours (CDW's) site does not have it listed :) However, we do have the promotional SKU listed: L-ASA5506WTAMC-1PR. For more info I would suggest you reach out to your CDW account manager. If you are not a CDW customer then I would suggest you contact your local Cisco partner reseller

4) Here is the Data Sheet for FireSIGHT:

http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

The appliance can be virtual or physical

5.1) IOS-Based-2960 - I am not sure I understand the question. Can you elaborate a bit more on what you are asking here?

5.2) I.D.S. does not require additional licenses. It is part of the solution if you purchase the subscriptions listed above. The main difference here is that IPS (Intrusion Prevention System) is deployed in-line and it will drop traffic/connections if a malicious activity is detected. IDS (Intrusion Detection System) is monitor only. Thus, if malicious traffic is detected, FirePOWER will alert you about it but it will not drop any traffic.

5.3) 3DES/AES will be included with both of the SKUs that you have listed.

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎05-10-2016

3) Yes, CDW is a US based company but we also have international presence:

https://uk.cdw.com/it-products-and-services/

You can also use Cisco's partner locator to find a partner that is close and local to you:

https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do

5.1) The type of switch that you get will depend on all of the requirements that you have. If you only need L2 then a 2960 would do the job. However, if you think that you might need L3 then I would suggest you go with a 3K level switches. Also, other things like, stacking, PoE, etc could be driving factors. I personally like the compact type switches. Below is the data sheet for those models (both 2K and 3K)

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-cx-series-switches/datasheet-c78-733229.html?cachemode=refresh

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎05-05-2016

Hi there, not sure what happened as I just typed my reply but it did not post...so let's try this again :)

1) Yes, you can enable all of the features that you mentioned above on the 5506-X. Just keep in mind that enabling all features will reduce the total throughput on the Firewall

2) By default, the ASA 5506-X comes with the AVC/Apps free of charge. This is essentially the Layer 7 firewall.

3) The other FirePOWER features (IPS, AMP and URL Filtering) are subscription based and will need to be purchased separately. The subscription can be 1, 3 and 5 years.

4) You can manage all of the features mentioned above via the ASDM management GUI that comes with the Firewall free of charge. However, to get the full benefits and visibility of the FirePOWER features, it is recommended that you also purchase the FireSIGHT management center. That appliance can be either physical or virtual.

I hope this helps!

Thank you for rating helpful posts!

varife1234 · ‎05-06-2016

Hi Neno Spasov,

very clear answers about my questions.

3) - i wish to purchase the L-ASA5506-TAMC-1Y on website https://www.cdw.com/shop/products/Cisco-ASA-with-FirePOWER-Services-IPS-Apps-AMP-and-URL-Filtering-subscr/3617964.aspx ( but what i was looking, the wireless version L-ASA5506W-TAMC-1Y i don't have found it ). The L-ASA5506-TAMC-1Y it's the right choice if i wish to have I.P.S., A.M.P., Apps and URL protection, right?

4) - where is possible to take the FireSIGHT management center?

5) - i wish to configure in addition to ASA5506-X also the switch IOS-based 2960. does it will work properly?

about I.D.S. is it possible to add it to the ASA5506-X and to the FirePOWER features?

the Strong Encryption License (3DES/AES) and Security Plus is included both ASA5506-SEC-BUN-K9 and ASA5506-K9?

Jetsy Mathew · ‎05-07-2016

Hello Neno,

You can manage the sourcefire module via ASDM or else you can get the Firesight Management Center to manage the sfr module with ASA . You can deploy the Virtual Firesight Management . Refer the quick start guide and asa sfr installation guide so that you will get a fair idea about the integration. After the ASA Firepower module integration , you can attach the features such as URL filtering and Malware detection.

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Regards

Jetsy

nspasov · ‎05-08-2016

hi Jetsy, I did not ask that question ;)

Thank you for rating helpful posts!

varife1234 · ‎05-10-2016

Dear Jetsy,

thanks for your help, anyway.

nspasov · ‎05-08-2016

Hi again, my answers below:

3) The L-ASA5506W-TAMC= is the correct part number if you are looking to get the Wireless ASA 5506-X model. Not sure why ours (CDW's) site does not have it listed :) However, we do have the promotional SKU listed: L-ASA5506WTAMC-1PR. For more info I would suggest you reach out to your CDW account manager. If you are not a CDW customer then I would suggest you contact your local Cisco partner reseller

4) Here is the Data Sheet for FireSIGHT:

http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

The appliance can be virtual or physical

5.1) IOS-Based-2960 - I am not sure I understand the question. Can you elaborate a bit more on what you are asking here?

5.2) I.D.S. does not require additional licenses. It is part of the solution if you purchase the subscriptions listed above. The main difference here is that IPS (Intrusion Prevention System) is deployed in-line and it will drop traffic/connections if a malicious activity is detected. IDS (Intrusion Detection System) is monitor only. Thus, if malicious traffic is detected, FirePOWER will alert you about it but it will not drop any traffic.

5.3) 3DES/AES will be included with both of the SKUs that you have listed.

Thank you for rating helpful posts!

varife1234 · ‎05-10-2016

hi to you Neno,

3 ) i have thought of to purchase router and ASA FirePOWER license on cdw.com, but Cdw it's a company base in USA, and i believe it's a problem to purchase in USA for european VAT. Can you give some information about?

5.1) yes you have right, my question not is clear. My question about the correct working in case of ASA5506-X plus Switch IOS-Based-2960 is referred to the Switch IOS-Based-2960, does Switch IOS-Based-2960 will work properly, is possible to configure the switch ( for ex., i have the purpose of isolate by lan/wan internet only one user account of Windows 7 Ultimate/enterprise of a pc client, is possible to do it with Switch IOS-Based-2960 added to Cisco Asa 5506-X router?

nspasov · ‎05-10-2016

3) Yes, CDW is a US based company but we also have international presence:

https://uk.cdw.com/it-products-and-services/

You can also use Cisco's partner locator to find a partner that is close and local to you:

https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do

5.1) The type of switch that you get will depend on all of the requirements that you have. If you only need L2 then a 2960 would do the job. However, if you think that you might need L3 then I would suggest you go with a 3K level switches. Also, other things like, stacking, PoE, etc could be driving factors. I personally like the compact type switches. Below is the data sheet for those models (both 2K and 3K)

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-cx-series-switches/datasheet-c78-733229.html?cachemode=refresh

Thank you for rating helpful posts!

varife1234 · ‎05-16-2016

hi Neno Spasov,

i have another two questions to submit you.

6) - the ASA5506-SEC-BUN-K9 is the router wtihout wireless feature. Which is the wireless versione of ASA5506-SEC-BUN-K9?

7) - the ASA5506-SEC-BUN-K9 has the wps feature?

nspasov · ‎05-22-2016

Hi again, my answers below:

6) This would depend on the country that you are planning on deploying the ASA in. For more info and the different models I would recommend referencing the data sheet:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

7) No, you need the wireless model in order to take advantage of any of the wireless features

I hope this helps!

Thank you for rating helpful posts!

varife1234 · ‎05-10-2016

Hi Neno Spasov,

very clear answers about my questions.

3) - i wish to purchase the L-ASA5506-TAMC-1Y on website https://www.cdw.com/shop/products/Cisco-ASA-with-FirePOWER-Services-IPS-Apps-AMP-and-URL-Filtering-subscr/3617964.aspx ( but what i was looking, the wireless version L-ASA5506W-TAMC-1Y i don't have found it ). The L-ASA5506-TAMC-1Y it's the right choice if i wish to have I.P.S., A.M.P., Apps and URL protection, right?

4) - where is possible to take the FireSIGHT management center?

5) - i wish to configure in addition to ASA5506-X also the switch IOS-based 2960. does it will work properly?

about I.D.S. is it possible to add it to the ASA5506-X and to the FirePOWER features?

the Strong Encryption License (3DES/AES) and Security Plus is included both ASA5506-SEC-BUN-K9 and ASA5506-K9?

varife1234 · ‎05-10-2016

Hi Neno Spasov,

very clear answers about my questions.

3) - i wish to purchase the L-ASA5506-TAMC-1Y on website https://www.cdw.com/shop/products/Cisco-ASA-with-FirePOWER-Services-IPS-Apps-AMP-and-URL-Filtering-subscr/3617964.aspx ( but what i was looking, the wireless version L-ASA5506W-TAMC-1Y i don't have found it ). The L-ASA5506-TAMC-1Y it's the right choice if i wish to have I.P.S., A.M.P., Apps and URL protection, right?

4) - where is possible to take the FireSIGHT management center?

5) - i wish to configure in addition to ASA5506-X also the switch IOS-based 2960. does it will work properly?

about I.D.S. is it possible to add it to the ASA5506-X and to the FirePOWER features?

the Strong Encryption License (3DES/AES) and Security Plus is included both ASA5506-SEC-BUN-K9 and ASA5506-K9?

Jetsy Mathew · ‎05-05-2016

Hello,

If you need to enable the Firepower features such as URL filtering and Malware you need to purchase it separately by contacting the Cisco Global Licensing team. There are two types of licenses. One is permanent and other is eval which expires after few months (mostly 3 months ).

The basic license required to manage the Firepower is protect and Control license. Without atleast protect and control license, you wont be able to manage the Firepower module after integration.

You cant manage the access control policies without having atleast protection and control license. For the url filtering to work , you need the URL filtering license which is the basic pre-requisite. The start date of the license starts from the day which it generates .

To manage the Firepower module , you can use either ASDM or Firesight Management Center. Firesight Management Center is available in hardware models as well as virtual. If you dont want to manage the module via ASDM, you can either buy a hardware or you can install the Virtual Firesight Manager (can be installed in ESX 5.5)which gives you all facilities. Hardware and software matters when it comes to the performance.

Rate if this post helps you.

Regards

Jetsy

add Intrusion Detention System and Cisco ASA FirePOWER activation date