05-01-2013 05:10 AM - edited 03-11-2019 06:37 PM
Hi!
I was checking the ASA 5500-X series Next-Generation Firewalls and I noticed that it supports features like IPS, Application Visibility and Control (AVC) and Web Security Essentials (WSE).
I have a doubt on the ASA 5500-X capabilities and my question is as follows:
Can an ASA 5500-X really support all these features in the same box?
It appears to me that if for example an ASA 5515-X is needed with IPS functionality, the following hardware will be needed:
and if an ASA 5515-X is needed with Application Visibility and Control (AVC) and Web Security Essentials (WSE), the following will be needed:
Based on the above, I am pretty sure that it is either IPS or AVC/WSE and not both in one box.
Can someone shed some light on this.
Regards,
Alvin
07-07-2014 02:40 PM
Hi startx001,
Please see inline comment:
QUESTION: I know that I can do URL filtering on it using ASDM, right?
ANSWER: Yes. You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:
•Websense Enterprise for filtering HTTP, HTTPS, and FTP.
•Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)
For more information, please check the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/fltrrule.html
QUESTION: But can I, and what benefit would I have with WSE on it, and can I put WSE on it? Maybe a PID for WSE.
ANSWER: Cisco WSE enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.
WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.
The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase both services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.
ASA5515-AW3Y-PR= (ASA 5515-X CX AVC and Web Security Essentials 3 Year (Promo)) - USD 3,450.00 (regular price is USD 5,150)
or
ASA5515-WS1Y= (ASA 5515-X CX Web Security Essentials only 1Year) - USD 1,900
just add "L-" to the part numbers above to get the eDelivery version.
Please check the links below for your reference(s):
Cisco Application Visibility and Control
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf
Cisco ASA CX Context-Aware Security Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659.html
QUESTION: I was reading that I can put an SSD in the ASA (please give the PID if you know it), and can I? And then can I put WSE on it (is it a license or part of the software) and get some robust URL filtering?
ANSWER: If you purchase the regular ASA 5500-X without the SSD, the Web Security Essentials (WSE) that deploys the web filtering may not work or function, as per the Release Notes for the Cisco ASA Series, Version 9.1(x): http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.pdf
A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.
ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)) - USD 800.00
The SSD stores logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.
QUESTION: Can someone explain to me the difference between regular URL filtering and WSE, and the process of how to put the SSD in the ASA and add WSE?
ANSWER: Please check the document link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#wp1097873
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
07-15-2014 12:05 PM
Hi Alvin,
Older versions of ASA software do not support running IPS and AVC/WSE at the same time as of the current (9.1) release, and it was said to be roadmapped for a near-term feature release. This is evidenced by a Cisco Support Community Discussion (https://supportforums.cisco.com/thread/2214705) that said:
This is not possible yet.
In Cisco ASA Next-Generation Firewall Services Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
IPS:
Q. Does ASA CX support intrusion protection system (IPS) functionality?
A: Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.
But this same Cisco ASA Next-Generation Firewall Services Q&A was recently updated and now stating:
IPS:
Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?
A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.
So it means that the Cisco ASA Next-Generation Firewall supports running IPS (NGFW IPS) and AVC/WSE at the same time as of the current (9.2) release.
Please note that there are two type of IPS that can be deployed on the Cisco ASA 5500-X Next-Generation Firewalls:
a) Next-Generation Firewalls with Cisco IPS Service (NGFW IPS) - provides intrusion prevention within the Cisco ASA 5500-X Series Next‑Generation Firewalls and was created with some new technologies that were modified from the Cisco ASA IPS. IPS with Next-Generation Firewall provides protection for end users and the computing environments under their direct control such as desktops, laptops, and personal communication devices. It is ideal for Internet edge deployments.
Example:
ASA5515-SSD120-K9 (NGFW ASA 5515-X w/ SW,6GE Data,1GE Mgmt,AC,3DES/AES,SSD 120G) - $ 5,295.00 with ASA5515-IP1Y= (ASA 5515-X NGFW IPS 1Year) - $ 1,400.00
b) Cisco ASA IPS (ASA IPS) or "classic IPS" - optimized for Data Center server protection where there may be a need to inspect additional traffic types like SMB or MSRPC, or where advanced tuning of signatures is essential.
Example:
ASA5515-IPS-K9 (ASA 5515-X with IPS, SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES) - $ 8,495.00
A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.
The SSD stores logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
05-01-2013 06:07 AM
I believe it is possible to have IPS and AVC/WSE at the same time, you need to buy ASA5515-IPS-K9 which comes with IPS pre-installed (this is required if you need IPS subscription, explained here), then add the ASA5500X-SSD120 (the part ID for the external SSD which is required for AVC/WSE, explained here) and the ASA5515-AWxY (the subscription license for the AVC and WSE for x year, explained here).
HTH
05-15-2013 06:21 AM
This is not possible yet.
in Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
IPS:
Q. Does ASA CX support intrusion protection system (IPS) functionality?
A: Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.
05-15-2013 06:31 AM
Jacek's citation is accurate. IPS and CX are not available simultaneously on the 5500-X series as of the current (9.1) release.
12-12-2013 09:25 AM
Hi,
I'm not sure if this has now changed with ASA CX software version 9.2 as the Q&A link that is referenced above is no longer present and the new entries state the following:-
Q. Do Cisco ASA Next-Generation Firewall Services support IPS functionality?
A. Yes. Cisco Next-Generation Firewall with IPS is currently supported and can simultaneously run alongside other services, including Cisco AVC and WSE.
Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?
A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.
Q. What is the new Cisco IPS Service on Cisco ASA 5500-X Next-Generation Firewalls?
A. Cisco IPS Service is the module that provides intrusion prevention within the Cisco ASA 5500-X Series Next-Generation Firewalls. The firewalls have multiple security services operating within them. The Cisco IPS uses the firewalls' other services such as application visibility, identity, and off-device reputation to make inspection and enforcement decisions.
The only problem with this is that the current IPS bundles, for example ASA5515X-IPS still do not say that they include the 120GB SSD which is required for the CX features to work.
ADDITIONAL:-
The "Memory Requirements" section of the compatibility matrix states that this is no longer a problem but that each feature will reserve large amounts of memory for its own use:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Thanks
12-12-2013 03:52 PM
Correct, NGFW 9.2 has added IPS functionality. The license subscription is not quite orderable yet (as of 12 Dec 2013) but the software is available on CCO for a couple of weeks now.
Note this is not the same IPS as you are used to (i.e. on the older SSP modules or stand-alone IPS appliances, configured via ASDM-IDM, IME or CSM) but a slightly different release that is specific to the NGFW and is configured and managed solely by PRSM.
02-27-2014 08:15 AM
What's the verdict here?
Can you order ASA5525-IPS-K9, add SSD drives, and then add spare SKUs for NGFW AVC/WSE licensing?
Or if you use SSD drives to get CX functionality, are you limited to the "lite" ASA NGFW IPS?
02-27-2014 08:48 AM
Hi Jason,
I spoke with a supplier in the UK (Comstor) back in early January and they confirmed that, as Marvin has said, the newer version of the Next Generation Firewall Service (ASA CX) software, 9.2, does allow operation with IPS at the same time; however, they are not available as a bundled option yet, so you can buy the IPS package and then add the SSDs.
Personally I'd double-check with a supplier before purchasing though as things were still evolving when I last checked. Hopefully when the main ASA software version 9.2 is released they'll probably offer the full bundles.
Thanks
David
02-27-2014 09:54 AM
David,
No problem on the bundle. I was looking at the ASA5525-IPS-K9 (adding in SSDs is possible under that main part number), but then adding on spare SKUs for AVC/WSE. From what you're saying, this will work in 9.2, but the install for AVC/WSE, will just be manual, correct?
Another question is, will this just work after installing the proper licensing/software, or is there special partitioning that needs to be done to get IPS working with AVC/WSE?
Since my customer is purchasing soon, it looks like the lite IPS will be the best option to use with WSE.
Thanks,
Jason
02-27-2014 04:28 PM
If you add the SSD after purchasing the ASA you will need to install the kickstart and system image to get the CX / NGFW up and running and access the on-box PRSM interface (or manage the unit with off-box PRSM).
As long as it's the requisite PRSM software level (9.2(x) or later - 9.2(1.2) Build 52 is current and recommended as of right now) you will have the option of applying the IPS license (or activating the built-in 60-day evaluation license) in addition to the AVC/WSE ones that have been available all along. No special partitioning or imaging is necessary.
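The bring-up sequence the reply above describes (fit the SSD, load the kickstart and system image, then license in PRSM), written out as an added example. This is not from the original thread or from Cisco's documentation for this post; the image filenames, the TFTP/HTTP server address and the timing of each step are assumptions and must match the files actually downloaded from CCO.

```cisco
! Added example (not part of the original thread): installing the CX/NGFW
! software module on an ASA 5500-X that was bought without it.
! Placeholders: 192.0.2.10 (file server), asacx-boot-9.2.1.img and
! asacx-sys-9.2.1.pkg (image names). Substitute the real ones.

! 0. The 5500-X runs one software module at a time. If the box shipped as an
!    -IPS-K9 bundle, the classic IPS software module must go first.
asa# sw-module module ips shutdown
asa# sw-module module ips uninstall

! 1. Confirm the SSD is fitted; without it the module will not install.
asa# show inventory

! 2. Stage the boot (kickstart) image on flash and boot the module from it.
asa# copy tftp://192.0.2.10/asacx-boot-9.2.1.img disk0:/asacx-boot-9.2.1.img
asa# sw-module module cxsc recover configure image disk0:/asacx-boot-9.2.1.img
asa# sw-module module cxsc recover boot
asa# show module cxsc details
!    (wait until the boot image reports Up before continuing)

! 3. Attach to the module console, give it a management address, then pull
!    the full system image. Leave the console with Ctrl-Shift-6 followed by x.
asa# session cxsc console
asacx-boot> setup
!    ... management IP, mask, gateway, DNS and NTP prompts ...
asacx-boot> system install http://192.0.2.10/asacx-sys-9.2.1.pkg
!    (the module reboots into the installed CX image)

! 4. Hand traffic from the ASA data plane to the module. fail-open keeps
!    traffic flowing if the module is down; use fail-close to block instead.
asa(config)# class-map cx_traffic
asa(config-cmap)# match any
asa(config)# policy-map global_policy
asa(config-pmap)# class cx_traffic
asa(config-pmap-c)# cxsc fail-open
asa(config)# service-policy global_policy global

! 5. Licences (IPS, AVC, WSE or the 60-day evaluation) are applied in PRSM,
!    on-box at https://<module-management-ip>/ or from an off-box PRSM,
!    not from the ASA CLI.
```

The fail-open/fail-close choice in step 4 is the one a practitioner should decide deliberately: fail-open preserves availability while the module is rebooting or being re-imaged, but during that window nothing enforces the IPS, AVC or WSE policy.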
08-13-2014 04:18 PM
08-13-2014 06:46 PM
You have to have the SSD120 to run PRSM. Without it you cannot install the CX software module and activate the services (WSE, AVC and/or IPS).
The CX module's log events are written in real time to the SSD. They transfer from there to the off-box PRSM via Reliable Binary Logging over SSL in near-real time.
In the event that the off-box PRSM is not reachable, you still have the logs locally.
09-23-2014 07:59 AM
Hi guys,
Please help. We have a Cisco ASA5525-SSD120-K9 and we would like to purchase an IPS license for 1 year. I'm very confused about which one we have to buy. What is the main difference?
1) L-ASA5525-IPS-
or
2) ASA5525-IP1Y
p.s We need our CISCO to work same as CISCO ASA5525-IPS-K9
09-23-2014 10:45 AM
Hi armansat83,
If you have the ASA5525-SSD120-K9 then you would have to order the ASA5525-IP1Y. This part number has a corresponding eDelivery part number L-ASA5525-IP1Y=
L-ASA5525-IP1Y= (ASA 5525-X NGFW IPS 1Year (eDel)) - USD 2,100.00
ASA5525-IP1Y= (ASA 5525-X NGFW IPS 1Year) - USD 2,100.00
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
09-23-2014 04:32 PM
Nilz, I would qualify your advice to armansat83: while the NGFW IPS licenses you cited will indeed provide IPS functionality on the CX module, they will not make it "work same as CISCO ASA5525-IPS-K9". That reference is to the older "classic" IPS module.
Of course, most security professionals (and the marketplace) agree that NGFW IPS is a better choice. Indeed, one would be even better advised to look into the ASA FirePOWER module with its IPS functionality.