Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls

net buzz
Level 1

Hi!

I was checking the ASA 5500-X series Next-Generation Firewalls and I noticed that it supports features like IPS, Application Visibility and Control (AVC) and Web Security Essentials (WSE).

I have a doubt about the ASA 5500-X capabilities, and my question is as follows:

Can an ASA 5500-X really support all these features in the same box?

It appears to me that if for example an ASA 5515-X is needed with IPS functionality, the following hardware will be needed:

  • ASA5512-IPS-K9 which is a Cisco ASA 5515-X IPS Edition

and if an ASA 5515-X is needed with Application Visibility and Control (AVC) and Web Security Essentials (WSE), the following will be needed:

  • ASA5515-SSD120-K9 which is a ASA 5515-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, 120G SSD
  • ASA5515-AW1Y which is a license for Application Visibility Control and Web Security Essentials for 1Year

Based on the above, I am pretty sure that it is either IPS or AVC/WSE and not both in one box.

Can someone shed some light on this?

Regards,

Alvin

3 Accepted Solutions

Hi startx001,

Please see inline comment:

QUESTION: I know that I can do URL filtering on it using ASDM, right?
ANSWER: Yes. You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:

• Websense Enterprise for filtering HTTP, HTTPS, and FTP.

• Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)

For more information, please check the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/fltrrule.html


QUESTION: But can I, and what benefit would I have with WSE on it, and can I put WSE on it? Maybe the PID for WSE?
ANSWER: Cisco WSE enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.

WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.

The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase both services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.

ASA5515-AW3Y-PR= (ASA 5515-X CX AVC and Web Security Essentials 3 Year (Promo)) - USD 3,450.00; regular price is USD 5,150

or

ASA5515-WS1Y= (ASA 5515-X CX Web Security Essentials only, 1 Year) - USD 1,900

Just add "L-" to the part numbers above to get the eDelivery version.

Please check the links below for your reference(s):

Cisco Application Visibility and Control
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf

Cisco ASA CX Context-Aware Security Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659.html


QUESTION: I was reading that I can put an SSD in the ASA (please give the PID if you know it), and can I? And then can I put WSE on it (is it a license or part of the software) and get some robust URL filtering?
ANSWER: If you purchase the regular ASA 5500-X without the SSD, the Web Security Essentials (WSE) that deploys the web filtering may not work or function, as per the Release Notes for the Cisco ASA Series, Version 9.1(x): http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.pdf

A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.

ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)) - USD 800.00

The purpose of the SSD is to store logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.


QUESTION: Can someone explain to me the difference between regular URL filtering and WSE, and the process of how to put an SSD in the ASA and WSE?
ANSWER: Please check the document link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#wp1097873


         "niLz"

Nilo Noguera Jr. 

| Specialist, Virtual Engineering - Partner Helpline Organization 

together we are the human network

Nilo Noguera
Level 5

Hi Alvin,

Older versions of ASA software do not support running IPS and AVC/WSE at the same time as of the current (9.1) release, and it was said to be road-mapped for a near-term feature release. This is evidenced by a Cisco Support Community discussion (https://supportforums.cisco.com/thread/2214705) that said:

This is not possible yet.

In the Cisco ASA Next-Generation Firewall Services Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html

IPS:

Q. Does ASA CX support intrusion protection system (IPS) functionality?

A: Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.

But this same Cisco ASA Next-Generation Firewall Services Q&A was recently updated and now states:

IPS:

Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?

A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.

So it means that the Cisco ASA Next-Generation Firewall supports running IPS (NGFW IPS) and AVC/WSE at the same time as of the current (9.2) release.

Please note that there are two types of IPS that can be deployed on the Cisco ASA 5500-X Next-Generation Firewalls:

a) Next-Generation Firewalls with Cisco IPS Service (NGFW IPS) - provides intrusion prevention within the Cisco ASA 5500-X Series Next-Generation Firewalls and was created with some new technologies that were modified from the Cisco ASA IPS. IPS with Next-Generation Firewall provides protection for end users and the computing environments under their direct control such as desktops, laptops, and personal communication devices. It is ideal for Internet edge deployments.

Example:

ASA5515-SSD120-K9 (NGFW ASA 5515-X w/ SW,6GE Data,1GE Mgmt,AC,3DES/AES,SSD 120G) - $ 5,295.00 with ASA5515-IP1Y= (ASA 5515-X NGFW IPS 1Year) - $ 1,400.00

b) Cisco ASA IPS (ASA IPS) or "classic IPS" - optimized for Data Center server protection where there may be a need to inspect additional traffic types like SMB or MSRPC, or where advanced tuning of signatures is essential.

Example:

ASA5515-IPS-K9 (ASA 5515-X with IPS, SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES) - $ 8,495.00

NGFW IPS vs Cisco IPS

A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.

The purpose of the SSD is to store logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.


         "niLz"

Nilo Noguera Jr. 
| Specialist, Virtual Engineering - Partner Helpline Organization 
together we are the human network
32 Replies

Rudy Sanjoko
Level 4

I believe it is possible to have IPS and AVC/WSE at the same time: you need to buy the ASA5515-IPS-K9, which comes with IPS pre-installed (this is required if you need the IPS subscription, explained here), then add the ASA5500X-SSD120 (the part ID for the external SSD, which is required for AVC/WSE, explained here) and the ASA5515-AWxY (the subscription license for AVC and WSE for x years, explained here).

HTH

This is not possible yet.

In the Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html

IPS:

Q. Does ASA CX support intrusion protection system (IPS) functionality?

A: Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.

Jacek's citation is accurate. IPS and CX are not available simultaneously on the 5500-X series as of the current (9.1) release.

Hi,

I'm not sure if this has now changed with ASA CX software version 9.2, as the Q&A link that is referenced above is no longer present and the new entries state the following:

Q. Do Cisco ASA Next-Generation Firewall Services support IPS functionality?

A. Yes. Cisco Next-Generation Firewall with IPS is currently supported and can simultaneously run alongside other services, including Cisco AVC and WSE.

Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?

A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.

Q. What is the new Cisco IPS Service on Cisco ASA 5500-X Next-Generation Firewalls?

A. Cisco IPS Service is the module that provides intrusion prevention within the Cisco ASA 5500-X Series Next-Generation Firewalls. The firewalls have multiple security services operating within them. The Cisco IPS uses the firewalls' other services such as application visibility, identity, and off-device reputation to make inspection and enforcement decisions.

The only problem with this is that the current IPS bundles, for example ASA5515X-IPS still do not say that they include the 120GB SSD which is required for the CX features to work.

ADDITIONAL:

The "Memory Requirements" section of the compatibility matrix states that this is no longer a problem but that each feature will reserve large amounts of memory for its own use:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

Thanks

Correct, NGFW 9.2 has added IPS functionality. The license subscription is not quite orderable yet (as of 12 Dec 2013), but the software has been available on CCO for a couple of weeks now.

Note this is not the same IPS as you are used to (i.e. on the older SSP modules or stand-alone IPS appliances, configured via ASDM-IDM or IME or CSM) but a slightly different release that is specific to the NGFW and is configured and managed solely by PRSM.

What's the verdict here?

Can you order ASA5525-IPS-K9, add SSD drives, and then add spare SKUs for NGFW AVC/WSE licensing?

Or, if you use SSD drives to get CX functionality, are you limited to the "lite" ASA NGFW IPS?

Hi Jason,

I spoke with a supplier in the UK (Comstor) back in early January and they confirmed that, as Marvin has said, the newer version of the Next Generation Firewall Service (ASA CX) software, 9.2, does allow operation with IPS at the same time; however, they are not available as a bundled option yet, so you can buy the IPS package and then add the SSDs.

Personally I'd double-check with a supplier before purchasing though, as things were still evolving when I last checked. Hopefully when the main ASA software version 9.2 is released they'll offer the full bundles.

Thanks

David

David,

No problem on the bundle. I was looking at the ASA5525-IPS-K9 (adding in SSDs is possible under that main part number), but then adding on spare SKUs for AVC/WSE. From what you're saying, this will work in 9.2, but the install for AVC/WSE will just be manual, correct?

Another question is, will this just work after installing the proper licensing/software, or is there special partitioning that needs to be done to get IPS working with AVC/WSE?

As my customer is purchasing soon, it looks like the lite IPS will be the best option to use with WSE.

Thanks,

Jason

If you add the SSD after purchasing the ASA you will need to install the kickstart and system image to get the CX / NGFW up and running and access the on-box PRSM interface (or manage the unit with off-box PRSM).

As long as it's the requisite PRSM software level (9.2(x) or later; 9.2(1.2) Build 52 is current and recommended as of right now) you will have the option of applying the IPS license (or activating the built-in 60-day evaluation license) in addition to the AVC/WSE ones that have been available all along. No special partitioning or imaging is necessary.

And I would like to ask a question, Marvin, following up on your post about the SSD drive. Let's say we want to quote the client for off-box PRSM (5-device license) that will manage two ASA 5500-X series firewalls and the CX modules on them. Will they need to buy the ASA with the SSD drive to run CX (ASA5515-SSD120-K9) or just the regular one (ASA5515-K9)? As far as I understand (correct me if I'm wrong), the SSD is required to store logs and events. But if off-box PRSM will manage the CX component, why would they need the SSD drive in the ASA?

You have to have the SSD120 to run PRSM. Without it you cannot install the CX software module and activate the services (WSE, AVC and/or IPS).

The CX module's log events are written in real time to the SSD. They transfer from there to the off-box PRSM via Reliable Binary Logging over SSL in near-real time.

In the event that the off-box PRSM is not reachable, you still have the logs locally.

Hi guys,

Please help, we have a Cisco ASA5525-SSD120-K9 and we would like to purchase an IPS license for 1 year. I'm very confused about which one we have to buy. What is the main difference?

1) L-ASA5525-IPS-SSP

or

2) ASA5525-IP1Y

P.S. We need our Cisco to work the same as the Cisco ASA5525-IPS-K9.

Hi armansat83,

If you have the ASA5525-SSD120-K9 then you would have to order the ASA5525-IP1Y. This part number has a corresponding eDelivery part number, L-ASA5525-IP1Y=.

L-ASA5525-IP1Y= (ASA 5525-X NGFW IPS 1 Year (eDel)) - USD 2,100.00

ASA5525-IP1Y= (ASA 5525-X NGFW IPS 1 Year) - USD 2,100.00


         "niLz"

Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network

Nilz, I would qualify your advice to armansat83: while the NGFW IPS licenses you cited will indeed provide IPS functionality on the CX module, they will not make it "work the same as Cisco ASA5525-IPS-K9". That reference is to the older "classic" IPS module.

Of course, most security professionals (and the marketplace) agree that NGFW IPS is a better choice. Indeed, one would be even better advised to look into the ASA FirePOWER module with its IPS functionality.