20284 Views | 34 Helpful | 32 Replies

Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls

net buzz
Level 1

Hi!

I was checking the ASA 5500-X series Next-Generation Firewalls and I noticed that it supports features like IPS, Application Visibility and Control (AVC) and Web Security Essentials (WSE).

I have a doubt on the ASA 5500-X capabilities and my question is as follows:

Can an ASA 5500-X really support all these features in the same box?

It appears to me that if for example an ASA 5515-X is needed with IPS functionality, the following hardware will be needed:

  • ASA5512-IPS-K9 which is a Cisco ASA 5515-X IPS Edition

and if an ASA 5515-X is needed with Application Visibility and Control (AVC) and Web Security Essentials (WSE), the following will be needed:

  • ASA5515-SSD120-K9, which is an ASA 5515-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, 120G SSD
  • ASA5515-AW1Y, which is a license for Application Visibility Control and Web Security Essentials for 1 Year

Based on the above, I am pretty sure that it is either IPS or AVC/WSE and not both in one box.

Can someone shed some light on this?

Regards,

Alvin

32 Replies

Thank you guys, got it. Also please give an advice: in order to run IPS on our Cisco firewall, do we need to buy the license below?

ASA5525-AW1Y

and

CX software


Nilz advised the correct part number earlier for IPS only on the CX module.

The part numbers ending with "AW1Y" are a bundled subscription for AVC and WSE combined for 1 year. If you want to see all of the various Next Generation Firewall with CX module part number options, please refer to this cheat sheet.

Another question is about VPN users: we will have 40~50 VPN users, so which license shall we buy for our Cisco firewall?

The part numbers depend on what you want to set up. Basic remote access VPN (SSL- or IPsec IKEv2-based) with the Cisco AnyConnect Secure Mobility client requires the AnyConnect Essentials license on the firewall. The Essentials license allows users up to the firewall's capacity (up to 750 for the ASA 5525-X). Part number is ASA-AC-E-5525.

If you want mobile users (devices running iOS or Android) to access your VPN, you need to add AnyConnect for Mobile. Part number is ASA-AC-M-5525.

If you want clientless (browser-based) remote access VPN, then you need to purchase AnyConnect Premium (50-user license). Part number is L-ASA5500-SSL50.

A good graphical guide to the above can be found here. (external site but useful)

In my opinion, you should go for ASA5515-SSD120-K9 and then add the subscription license ASA5515AWI1Y which is a bundled license for AVC, WSE and IPS for 1 year.

You will get a better price if you select ASA5515AWI3Y which is a license for 3 years.

As of the current (9.2) release, IPS and CX are supported on the same box.

Regards,

Farhan.

todd coplien
Level 1

This is super news! We just had a customer send a PO for the IPS edition with the spare AVC/WSE subscription. I was just about to tell the rep we got it wrong! Phew!


startx001
Level 1

Hi all,

I have an ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC.
PID: ASA5515

 

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

 

I know that I can do URL filtering on it using ASDM, right?

But can I, and what benefit would I have with WSE on it, and can I put WSE on it? Maybe the PID for WSE.

I was reading that I can put an SSD in the ASA (please give the PID if you know it), and can I? And then I can put WSE on it (is it a license or part of the software?) and get some robust URL filtering.

Can someone explain to me the difference between regular URL filtering and WSE, and the process for putting an SSD and WSE in the ASA?

Maybe some link where it is explained.
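As an added example (not code from this thread, from Cisco, or from any poster), the Python script below parses the "Licensed features for this platform" block that `show version` prints, in the column layout pasted above, and reports which licensed features a given use case still lacks. The sample output is constructed to mirror the listing above, and the mapping from use case to required feature is an assumption drawn from the replies in this thread (AnyConnect Essentials for the AnyConnect client, AnyConnect for Mobile for iOS/Android devices, IPS Module for the classic IPS); the parser itself relies only on the `Name : Value Term` layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the "Licensed features" block printed by `show version`
# on an ASA 5500-X; the values mirror the listing pasted in the post above.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Failover                          : Active/Active  perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
IPS Module                        : Disabled       perpetual

Configuration register is 0x1
"""

# One feature line: name, colon, value, then the license term (e.g. "perpetual").
FEATURE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9/ \-]*?)\s*:\s*(?P<value>\S+)\s+(?P<term>.+?)\s*$"
)


def parse_licensed_features(show_version: str) -> Dict[str, Tuple[str, str]]:
    """Return {feature name: (value, term)} for the 'Licensed features' block.

    The block starts at the 'Licensed features for this platform:' header and
    ends at the first blank line, which is how the ASA prints it.
    """
    features: Dict[str, Tuple[str, str]] = {}
    in_block = False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            break
        match = FEATURE_RE.match(line)
        if match:
            features[match["name"].strip()] = (match["value"], match["term"].strip())
    return features


def is_licensed(value: str) -> bool:
    """'Disabled' and a zero count mean not licensed; anything else
    ('Enabled', 'Unlimited', 'Active/Active', a positive count) means licensed."""
    return value.lower() != "disabled" and value != "0"


# Licensed features each use case depends on. Assumption for illustration,
# drawn from the replies in this thread; adjust to your own requirements.
USE_CASE_REQUIREMENTS: Dict[str, List[str]] = {
    "anyconnect-client": ["AnyConnect Essentials"],
    "anyconnect-mobile": ["AnyConnect Essentials", "AnyConnect for Mobile"],
    "classic-ips": ["IPS Module"],
}


def missing_features(features: Dict[str, Tuple[str, str]], use_case: str) -> List[str]:
    """List the required features that are absent or not licensed for a use case."""
    missing: List[str] = []
    for name in USE_CASE_REQUIREMENTS[use_case]:
        value, _term = features.get(name, ("Disabled", "n/a"))
        if not is_licensed(value):
            missing.append(name)
    return missing


def premium_peer_capacity(features: Dict[str, Tuple[str, str]]) -> int:
    """Clientless (browser-based) sessions allowed by the AnyConnect Premium license."""
    value, _term = features.get("AnyConnect Premium Peers", ("0", "n/a"))
    return int(value) if value.isdigit() else 0


if __name__ == "__main__":
    feats = parse_licensed_features(SAMPLE_SHOW_VERSION)
    for case in USE_CASE_REQUIREMENTS:
        gaps = missing_features(feats, case)
        print(f"{case:18s} {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(f"clientless peers   {premium_peer_capacity(feats)}")
```

Paste the full `show version` output into `SAMPLE_SHOW_VERSION` (or read it from a file) to check a box before ordering: on the listing above the script reports that both AnyConnect use cases lack AnyConnect Essentials, the mobile case also lacks AnyConnect for Mobile, classic IPS lacks the IPS Module, and only 2 clientless peers are licensed.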

 

Startx001 - duplicate post on your part.

I will answer in the new thread you posted.

Hi startx001,

Please see inline comment:

QUESTION: I know that I can do URL filtering on it using ASDM, right?
ANSWER: Yes. You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:

• Websense Enterprise for filtering HTTP, HTTPS, and FTP.

• Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)

For more information, please check the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/fltrrule.html


QUESTION: But can I, and what benefit would I have with WSE on it, and can I put WSE on it? Maybe the PID for WSE.
ANSWER: Cisco WSE enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.

WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.

The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase both services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.

ASA5515-AW3Y-PR= (ASA 5515-X CX AVC and Web Security Essentials 3 Year (Promo)) - USD 3,450.00; regular price is USD 5,150.00

or

ASA5515-WS1Y= (ASA 5515-X CX Web Security Essentials only 1 Year) - USD 1,900.00

Just add "L-" to the part numbers above to get the eDelivery version.

Please check the links below for your reference(s):

Cisco Application Visibility and Control
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf

Cisco ASA CX Context-Aware Security Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659.html


QUESTION: I was reading that I can put an SSD in the ASA (please give the PID if you know it), and can I? And then I can put WSE on it (is it a license or part of the software?) and get some robust URL filtering.
ANSWER: If you purchase the regular ASA 5500-X without the SSD, the Web Security Essentials (WSE) that deploys the web filtering may not work or function, as per the Release Notes for the Cisco ASA Series, Version 9.1(x): http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.pdf

A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.

ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)) - USD 800.00

The SSD stores logs and any reports for traffic that is processed by these services, in addition to the application signatures and web security database that are part of these subscriptions.


QUESTION: Can someone explain to me the difference between regular URL filtering and WSE, and the process for putting an SSD and WSE in the ASA?
ANSWER: Please check the document link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#wp1097873


         "niLz"

Nilo Noguera Jr. 

| Specialist, Virtual Engineering - Partner Helpline Organization 

together we are the human network


Nilo Noguera
Level 5

Hi Alvin,

Older versions of ASA software do not support running IPS and AVC/WSE at the same time; as of the (9.1) release Cisco said it was road-mapped for a near-term feature release, as evidenced by a Cisco Support Community discussion (https://supportforums.cisco.com/thread/2214705) that said:

This is not possible yet.

In Cisco ASA Next-Generation Firewall Services Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html

IPS:

Q. Does ASA CX support intrusion protection system (IPS) functionality?

A: Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.

But this same Cisco ASA Next-Generation Firewall Services Q&A was recently updated and now stating:

IPS:

Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?

A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.

So it means that the Cisco ASA Next-Generation Firewall supports running IPS (NGFW IPS) and AVC/WSE at the same time as of the current (9.2) release.

Please note that there are two types of IPS that can be deployed on the Cisco ASA 5500-X Next-Generation Firewalls:

a) Next-Generation Firewalls with Cisco IPS Service (NGFW IPS) - provides intrusion prevention within the Cisco ASA 5500-X Series Next‑Generation Firewalls and was created with some new technologies that were modified from the Cisco ASA IPS. IPS with Next-Generation Firewall provides protection for end users and the computing environments under their direct control such as desktops, laptops, and personal communication devices. It is ideal for Internet edge deployments.

Example:

ASA5515-SSD120-K9 (NGFW ASA 5515-X w/ SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, SSD 120G) - $ 5,295.00 with ASA5515-IP1Y= (ASA 5515-X NGFW IPS 1 Year) - $ 1,400.00

 

b) Cisco ASA IPS (ASA IPS) or "classic IPS" - optimized for data center server protection where there may be a need to inspect additional traffic types like SMB or MSRPC, or where advanced tuning of signatures is essential.

Example:

ASA5515-IPS-K9 (ASA 5515-X with IPS, SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES) - $ 8,495.00

 

NGFW IPS vs Cisco IPS

A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.

The SSD stores logs and any reports for traffic that is processed by these services, in addition to the application signatures and web security database that are part of these subscriptions.


         "niLz"

Nilo Noguera Jr. 
| Specialist, Virtual Engineering - Partner Helpline Organization 
together we are the human network


This is quite a long read and I still don't see any good answer about "How to enable both IPS and CX" on 5500-X series firewalls. As an example, I have a 5512-X unit that was used to run with IPS. Now I upgraded it to 9.3 code and installed the boot image for CX version 9.3 in the firewall flash. Now my attempt to enable it to boot failed:

asatest# sw-module module cxsc recover configure image disk0:asacx-5500x-boot-9.3.1.1-112.img
ERROR: Another service (ips) is running, only one service is allowed to run at any time

Our client purchased a three-year subscription license for both IPS and CX: L-ASA5515AWI3Y=

How am I supposed to enable both IPS and CX?

Since you already have the ASA 5512-X, the way to enable both IPS and CX is to get a solid state drive (SSD), which is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series. You can order part number ASA5500X-SSD120=.

ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)) - USD 800.00

The SSD stores logs and any reports for traffic that is processed by these services, in addition to the application signatures and web security database that are part of these subscriptions.

And for the IPS, you can order part number L-ASA5512-IP1Y=.

L-ASA5512-IP1Y= (ASA 5512-X NGFW IPS 1 Year (eDel)) - USD 1,000.00

and then add either of the two subscription-based features:

1. Application Visibility and Control (AVC): activates application recognition, visibility and control features

2. Web Security Essentials (WSE): activates URL filtering and web reputation based access control

The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase both services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.

You can also contact our Technical Assistance Center (TAC) for guidance on the upgrade. To check the Cisco Technical Assistance Center (TAC) support number for your country, please check the link below:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

You can email tac@cisco.com or open a case (online): https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Hello Nilz, thanks a lot for your elaborate explanations about pricing and licensing. I honestly expected an answer on how to enable both IPS and CX. And sorry if I didn't specify that the ASA in question is the right one already - ASA5512-SSD120-K9. The license that is purchased is a bundle for everything - ASA 5515-X AVC WSE IPS 3Year (eD)

Oh, you mean part number L-ASA5512AWI3Y=? I was kind of confused when you mentioned ASA 5515-X AVC WSE IPS 3Year (eD) while your ASA device is an ASA 5512-X.

L-ASA5512AWI3Y= (ASA 5512-X AVC,WSE, IPS 3 Year) - USD 6,000.00

The license above will enable Application Visibility and Control (AVC), Web Security Essentials (WSE) and NGFW IPS for 3 years.

You can contact our Technical Assistance Center (TAC) for guidance on the upgrade. To check the Cisco Technical Assistance Center (TAC) support number for your country, please check the link below:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

You can email tac@cisco.com or open a case (online): https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Yeah, it's L-ASA5512AWI3Y= (just copied and pasted the wrong field from the spreadsheet).