01-23-2016 03:45 PM - edited 02-21-2020 05:42 AM
Hi,
I'm preparing a CCIE security lab and I'm thinking about buying the 5506-x to practice with it so I will need some insight from you guys about the product. I have some questions about it:
1-Is the CX context aware supported on this model? Do I have to install the CX software on it and do I need an SSD card for this task?
2-Can the 5506-x be added to Cisco Prime Security Manager?
3-Does it come with the firepower software package or do I have to also download it and install it?
4-Can it be managed with the FireSight?
5-Overall how do you rate this product and do you recommend it for practicing CCIE security topics especially the NG and sourcefire stuff?
Thanks
01-24-2016 01:35 AM
CX has effectively been deprecated. Everything is FirePower now.
You would need to buy an ASA 5506 Firepower bundle, to get all the right hardware. Then you need to buy FirePower licences to activate it. It can be managed with Firesight, but the 5506 does offer basic onboard management. Note that Firesight is another product you would have to buy. Normally it runs on VMware.
Buying a SmartNet with the 5506 would be a good idea to give you access to different software, and to Cisco TAC to ask questions.
If you are mostly interested in NG and FirePower then it will be fine. As far as I am aware, FirePower on the 5506 is the same as FirePower on the much bigger ASAs.
01-24-2016 10:56 AM
Neither the CX nor the FirePOWER NGIPS are on the CCIE Security V4 (or 4.1) blueprint. The CX is covered in the CCNP Security SITCS exam.
For better or worse, the CCIE Security blueprint still includes the old school (and also discontinued) classic Cisco IPS types (IPS appliance and IOS-based IPS).
https://learningnetwork.cisco.com/community/certifications/ccie_security/written_exam/study-material
The FirePOWER line is only currently covered in product-specific exams (e.g. SSFIPS 500-285 and SSFAMP 500-275). Those are not on any of the career certification tracks (CCNP or CCIE) and are primarily currently used by customers wanting training on their equipment and Cisco and partner field engineers (FEs).
That aside, a 5506 is fine for practicing all of the base ASA concepts while giving you the opportunity to be exposed to the new FirePOWER system (even though that latter bit isn't in the CCIE Security). If cost is a concern and you don't care about the bits not in the V4 exam, then you can probably get a used 5505 or 5510 for a lot less.
02-02-2016 09:50 AM
Thanks Philip. Is Firepower a part of the code now or do I still have to buy licenses for it?
02-02-2016 11:02 AM
Both - it is part of the code, but you have to buy licences for it to turn it on.
01-24-2016 03:46 PM
Thanks Marvin, this clarified it for me. As for the firepower license, is it needed or can I use a free evaluation or something? I'm saying just because it will be for my personal use/practice.
01-24-2016 04:05 PM
I think you can get a 60 day eval licence from the licencing centre for the ASA.
http://www.cisco.com/go/licencing
I'm not sure there is any demo for the VMware appliance.
01-24-2016 07:12 PM
The FirePOWER license is completely optional and only needed if you want to actually use the features of that module. The base ASA does not depend on it at all and only directs traffic to it if there is a service-policy applied referencing a policy map that instructs the ASA to send traffic to the module for inspection.
Adding to what Philip said, it's a free 45 day license that's available for the ASA 5506 models (the base, hardened or wireless variations). The license is the full IPS, URL Filtering and Malware (aka AMP) version also referred to as "TAMC". You can get it from the self-service licensing portal at www.cisco.com/go/license which redirects you to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart . Select "Get Other Licenses > Demo and Evaluation".
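An added example, not part of the thread or any poster's own code: the reply above says the ASA only sends traffic to the FirePOWER module when an applied service-policy references a policy map containing a redirect, so this script checks a saved running-config for exactly that. The config excerpt and the names `SFR_CLASS`, `LAB_UNUSED` and `sfr_redirects` are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
class-map SFR_CLASS
 match any
policy-map global_policy
 class inspection_default
  inspect dns
 class SFR_CLASS
  sfr fail-open
policy-map LAB_UNUSED
 class SFR_CLASS
  sfr fail-close monitor-only
service-policy global_policy global
"""

def sfr_redirects(config):
    """Return the 'sfr' redirects that sit in a policy map applied by a service-policy."""
    rules = []      # every 'sfr' line found, with its policy map and class
    applied = {}    # policy-map name -> where the service-policy applies it
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            policy = cls = None          # a top-level command closes any open policy-map
        if m := re.match(r"policy-map (\S+)$", line):
            policy = m.group(1)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            applied[m.group(1)] = m.group(2)
        elif policy and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line)):
            rules.append({"policy_map": policy, "class": cls,
                          "mode": m.group(1), "monitor_only": bool(m.group(2))})
    # A redirect in a policy map that no service-policy applies never sees traffic.
    return [dict(r, applied=applied[r["policy_map"]])
            for r in rules if r["policy_map"] in applied]

if __name__ == "__main__":
    active = sfr_redirects(SAMPLE_CONFIG)
    if not active:
        print("No applied service-policy redirects traffic to the module.")
    for r in active:
        print(f"{r['policy_map']}/{r['class']}: sfr {r['mode']} applied {r['applied']}")
```

On the sample, only the redirect in `global_policy` is reported; the one in `LAB_UNUSED` is ignored because no service-policy applies that map.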
01-24-2016 07:38 PM
Hmm, I just thought of something. Would I achieve similar results if I virtualize the NGIPS, ASAv, and Firesight?
01-24-2016 07:52 PM
ASAv would definitely work, with the caveats that it doesn't support multi-context, clustering and Etherchannel (or any software module - sfr, cx or ips). An unlicensed ASAv is otherwise limited only in throughput (100 Kbps - designed for lab / connectivity testing use). You can even install it on Hyper-V.
NGIPS (FirePOWER appliance) can be virtual but neither it nor the virtual FireSIGHT / FirePOWER Manager are offered with evaluation licenses (unless you work for a partner).