05-01-2013 05:10 AM - edited 03-11-2019 06:37 PM
Hi!
I was checking the ASA 5500-X series Next-Generation Firewalls and I noticed that it supports features like IPS, Application Visibility and Control (AVC) and Web Security Essentials (WSE).
I have a doubt on the ASA 5500-X capabilities and my question is as follows:
Can an ASA 5500-X really support all these features in the same box?
It appears to me that if for example an ASA 5515-X is needed with IPS functionality, the following hardware will be needed:
and if an ASA 5515-X is needed with Application Visibility and Control (AVC) and Web Security Essentials (WSE), the following will be needed:
Based on the above, I am pretty sure that it is either IPS or AVC/WSE and not both in one box.
Can someone shed some light on this?
Regards,
Alvin
09-23-2014 09:21 PM
Thank you guys, got it. Also, please advise: in order to run IPS on our Cisco firewall, do we need to buy the license below:
ASA5525-AW1Y
and
CX software
09-24-2014 09:38 AM
Nilz advised the correct part number earlier for IPS only on the CX module.
The part numbers ending with "AW1Y" are a bundled subscription for AVC and WSE combined for 1 year. If you want to see all of the various Next Generation Firewall with CX module part number options, please refer to this cheat sheet.
09-23-2014 09:25 PM
Another question is about VPN users: we will have 40~50 VPN users, so which license should we buy for our Cisco firewall?
09-24-2014 09:53 AM
The part numbers depend on what you want to set up. Basic remote access VPN (SSL- or IPSEC IKEv2-based) with the Cisco AnyConnect Secure Mobility client requires an AnyConnect Essentials license on the firewall. The Essentials license allows users up to the firewall's capacity (up to 750 for the ASA 5525-X). Part number is ASA-AC-E-5525.
If you want mobile users (devices running iOS or Android) to access your VPN, you need to add AnyConnect for Mobile. Part number is ASA-AC-M-5525.
If you want clientless (browser-based access) remote access VPN, then you need to purchase AnyConnect Premium (50 user license). Part number is L-ASA5500-SSL50.
A good graphical guide to the above can be found here. (external site but useful)
04-14-2014 11:05 PM
In my opinion, you should go for ASA5515-SSD120-K9 and then add the subscription license ASA5515AWI1Y which is a bundled license for AVC, WSE and IPS for 1 year.
You will get a better price if you select ASA5515AWI3Y which is a license for 3 years.
As of the current (9.2) release, IPS and CX are supported on the same box.
Regards,
Farhan.
02-27-2014 04:47 PM
This is super news! We just had a customer send a PO for the IPS edition with the spare AVC/WSE subscription. I was just about to tell the rep we got it wrong! Phew!
06-19-2014 07:01 AM
Hi all,
I have an ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC
PID: ASA5515
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
I know that I can do URL filtering on it using ASDM, right?
But can I put WSE on it, and what benefit would I have with WSE on it? Maybe the PID for WSE.
I was reading that I can put an SSD in the ASA (please give the PID if you know it), can I? And then I can put WSE (is it a license or part of the software?) and get some robust URL filtering.
Can someone explain to me the difference between regular URL filtering and WSE, and the process for putting an SSD and WSE in the ASA?
Maybe some link where it is explained.
06-19-2014 07:19 AM
Startx001 - duplicate post on your part.
I will answer in the new thread you posted.
07-07-2014 02:40 PM
Hi startx001,
Please see inline comment:
QUESTION: I know that I can do URL filtering on it using ASDM, right?
ANSWER: Yes. You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:
•Websense Enterprise for filtering HTTP, HTTPS, and FTP.
•Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)
For more information, please check the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/fltrrule.html
QUESTION: But can I put WSE on it, and what benefit would I have with WSE on it? Maybe the PID for WSE.
ANSWER: Cisco WSE enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.
WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.
The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase both the services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.
ASA5515-AW3Y-PR= (ASA 5515-X CX AVC and Web Security Essentials 3Year (Promo)) - USD 3,450.00; regular price is USD 5,150
or
ASA5515-WS1Y= (ASA 5515-X CX Web Security Essentials only 1Year) - USD 1,900
Just add "L-" to the part numbers above to get the eDelivery version.
Please check the links below for your reference(s):
Cisco Application Visibility and Control
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf
Cisco ASA CX Context-Aware Security Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659.html
QUESTION: I was reading that I can put an SSD in the ASA (please give the PID if you know it), can I? And then I can put WSE (is it a license or part of the software?) and get some robust URL filtering.
ANSWER: If you purchase the regular ASA 5500-X without the SSD, the Web Security Essentials (WSE) that deploys the web filtering may not work or function as per the Release Notes for the Cisco ASA Series, Version 9.1(x) http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.pdf
This is because a solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.
ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)) - USD 800.00
The purpose of the SSD is to store logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.
QUESTION: Can someone explain to me the difference between regular URL filtering and WSE, and the process for putting an SSD and WSE in the ASA?
ANSWER: Please check the document link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#wp1097873
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
07-15-2014 12:05 PM
Hi Alvin,
Older versions of ASA software do not support running IPS and AVC/WSE at the same time as of the current (9.1) release and said it was roadmapped in a near-term feature release. This is evidenced by a Cisco Support Community discussion (https://supportforums.cisco.com/thread/2214705) that said:
This is not possible yet.
In Cisco ASA Next-Generation Firewall Services Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
IPS:
Q. Does ASA CX support intrusion protection system (IPS) functionality?
A: Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.
But this same Cisco ASA Next-Generation Firewall Services Q&A was recently updated and now states:
IPS:
Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?
A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.
So it means that the Cisco ASA Next-Generation Firewall supports running IPS (NGFW IPS) and AVC/WSE at the same time as of the current (9.2) release.
Please note that there are two types of IPS that can be deployed on the Cisco ASA 5500-X Next-Generation Firewalls:
a) Next-Generation Firewalls with Cisco IPS Service (NGFW IPS) - provides intrusion prevention within the Cisco ASA 5500-X Series Next‑Generation Firewalls and was created with some new technologies that were modified from the Cisco ASA IPS. IPS with Next-Generation Firewall provides protection for end users and the computing environments under their direct control such as desktops, laptops, and personal communication devices. It is ideal for Internet edge deployments.
Example:
ASA5515-SSD120-K9 (NGFW ASA 5515-X w/ SW,6GE Data,1GE Mgmt,AC,3DES/AES,SSD 120G) - $ 5,295.00 with ASA5515-IP1Y= (ASA 5515-X NGFW IPS 1Year) - $ 1,400.00
b) Cisco ASA IPS (ASA IPS) or "classic IPS" - optimized for Data Center server protection where there may be a need to inspect additional traffic types like SMB, MSRPC or advanced tuning of signatures is essential.
Example:
ASA5515-IPS-K9 (ASA 5515-X with IPS, SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES) - $ 8,495.00
A solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.
The purpose of the SSD is to store logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
08-12-2014 01:22 PM
08-12-2014 01:48 PM
Since you already have the ASA 5512-X, what you need to enable both IPS and CX is a solid state drive (SSD), which is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series. You can order part number ASA5500X-SSD120=.
ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare)) - USD 800.00
The purpose of the SSD is to store logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.
And for the IPS, you can order part number L-ASA5512-IP1Y=.
L-ASA5512-IP1Y= (ASA 5512-X NGFW IPS 1Year (eDel)) - USD 1,000.00
and then add any of the two subscription-based features:
1. Application Visibility and Control (AVC): Activates application recognition, visibility and control features
2. Web Security Essentials (WSE): Activates URL filtering and Web Reputation based access control
The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase both the services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.
You can also contact our Technical Assistance Center (TAC) for guidance on the upgrade. To check for the Cisco Technical Assistance Center (TAC) support number per country, please check the link below:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
You can email tac@cisco.com or open a case (online): https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case
08-12-2014 02:09 PM
08-12-2014 02:22 PM
Oh, you mean part number L-ASA5512AWI3Y=? I was kind of confused when you mentioned ASA 5515-X AVC WSE IPS 3Year (eD) and your ASA device is an ASA 5512-X.
L-ASA5512AWI3Y= (ASA 5512-X AVC,WSE, IPS 3 Year) - USD 6,000.00
The license above will enable Application Visibility and Control (AVC), Web Security Essentials (WSE) and NGFW IPS for 3 years.
You can contact our Technical Assistance Center (TAC) for guidance on the upgrade. To check for the Cisco Technical Assistance Center (TAC) support number per country, please check the link below:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
You can email tac@cisco.com or open a case (online): https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case
08-12-2014 02:24 PM