04-26-2015 08:32 PM - edited 03-11-2019 10:50 PM
Hi
Does Cisco ASA FirePOWER support URL filtering and traffic rate limiting?
Thanks
09-27-2016 04:12 PM
QoS is now available in 6.1.0 (released Aug 29th), but only works with Firepower Threat Defense devices, which is the ASA/FirePOWER unified image. There are other ASA base limitations when running this image, i.e. no AnyConnect, although this is set to be added soon ... they are making big leaps on FTD.
09-27-2016 06:59 PM
What does "no AnyConnect" mean? Actually, Cisco's traditional policy-based rule is set on source/destination IP or range, not on every IP or a bulk configuration with different rates for an IP range ... by the way, does FirePOWER have load balancing?
09-27-2016 07:18 PM
"AnyConnect" = shorthand for client-based remote access SSL VPN. Cisco uses the AnyConnect Secure Mobility Client software for that function.
FTD-based rule sets can be based on application, URL category, etc. in addition to traditional 5-tuple criteria (protocol, source and destination address and port).
Load balancing - how do you mean that?
09-27-2016 07:34 PM
Does that mean if we order Cisco FirePOWER it doesn't have AnyConnect? :O That FTD sounds nice, but still, can it give the same bandwidth limit to each IP that has a session established?
Load balancing is for a solution with 2 different Internet gateways, using both ISPs for Internet access.
09-27-2016 08:04 PM
Please keep in mind the distinction between "FirePOWER" = a general set of features and technologies based on the Cisco acquisition of Sourcefire in 2013 and specific products, i.e.:
1. Cisco ASA with FirePOWER Services. Has all the traditional ASA features plus FirePOWER services in an added module that performs Next Generation IPS, URL Filtering and Advanced Malware Protection (depending on licensing).
2. Firepower Threat Defense (FTD). A new unified image that can run on an ASA (or Firepower 4100 and 9300 series) that includes many (but not all) of the classic ASA features along with the FirePOWER features.
Remote access SSL VPN ("AnyConnect") is only available with option #1 at this time.
#1 has crude rate limiting (classic QoS policing and shaping). #2 has that plus the ability to use Layer 7 characteristics to your policy.
As far as load balancing, that is a separate topic unto itself.
A lot depends on your Internet connectivity. If you have your own provider-independent addressing and BGP peering to separate providers, you can technically use that with the classic ASA solution (#1). However, it's usually not a good choice to do that on an ASA since it's really not designed to accept a full routing table and make dynamic decisions, based on the routes installed in the FIB, on a per-flow basis. You can also do policy-based routing on an ASA with FirePOWER Services. Again, not really ISP load balancing.
An FTD solution has fewer routing options and is generally best suited for single egress route use cases at this stage.
In either case, it is almost always much better to let an upstream router route. They are fit for that purpose. A security appliance is fit to provide security. Don't count on it having all the routing features of a true router.
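The "crude rate limiting" described for option #1 is the ASA's Modular Policy Framework (MPF) QoS: policing (drop above a rate) and shaping (queue to a rate). The configuration below is an added example, not part of the original post; the interface names (inside/outside), the 10.1.1.0/24 subnet, the rates, and all ACL/class/policy names are assumptions chosen for illustration.

```text
! Added example: classic ASA QoS policing and shaping (ASA with FirePOWER Services).
! Interface names, subnets, rates and object names are assumptions.

! 1. Identify the traffic to rate-limit: here the (assumed) 10.1.1.0/24 subnet,
!    matched in both directions so input and output policing both apply.
access-list RATE-LIMIT-ACL extended permit ip 10.1.1.0 255.255.255.0 any
access-list RATE-LIMIT-ACL extended permit ip any 10.1.1.0 255.255.255.0

class-map RATE-LIMIT-CLASS
 match access-list RATE-LIMIT-ACL

! 2. Police that class to 1 Mbit/s in each direction with an 8000-byte burst.
!    Conform rate is in bits per second, burst in bytes; excess packets are dropped.
policy-map RATE-LIMIT-POLICY
 class RATE-LIMIT-CLASS
  police input 1000000 8000 conform-action transmit exceed-action drop
  police output 1000000 8000 conform-action transmit exceed-action drop

service-policy RATE-LIMIT-POLICY interface inside

! 3. Shape everything leaving the outside interface to 2 Mbit/s so bursts are
!    queued rather than dropped. Shaping is supported only on class-default and
!    only in the output direction, so it gets its own policy-map.
policy-map SHAPE-OUTSIDE
 class class-default
  shape average 2000000

service-policy SHAPE-OUTSIDE interface outside

! 4. Verify that the policies are attached and counting packets.
show service-policy interface inside police
show service-policy interface outside shape
```

Two practical caveats when reading this against the per-IP question raised earlier in the thread: the police rate applies to the aggregate of all flows matching the class-map, not to each source address individually, so a class that matches a whole subnet shares the 1 Mbit/s among all its hosts; and policing and shaping cannot be combined in the same policy-map on the same interface except in the supported hierarchical form (shape on class-default with a nested priority queue), which is why the example keeps them on separate interfaces.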
09-27-2016 08:17 PM
Hi Marvin,
Thanks for the great reply. A final one: what does Cisco suggest for DDoS prevention? I've heard the higher FirePOWER series have their own good DDoS prevention; is that right? How is it on option #1?
09-27-2016 08:29 PM
Enterprise and small-medium business class DDoS protection capabilities are equivalent between the FirePOWER features available on the higher-end Firepower appliances, the ASA with FirePOWER Services and an appliance running the FTD image.
For carrier-class DDoS you can run the Radware DefensePro as a separate dedicated image on a service module in the Firepower 9300 platform.
09-28-2016 12:51 AM
Can you name the minimum version of ASA that could block DDoS? We know traditional DoS attack prevention, like port-based blocking ... but we are looking for quite smart DDoS blocking.
05-25-2017 04:18 AM
You would need an ASA 5500-X series with at least version 9.2(2) to run the FirePOWER Services module and get the IPS-based DDoS protection in addition to that which is provided by the base ASA. DDoS comes in many forms and there's no one solution that can be said to fit all use cases.
I recommend you contact your local Cisco security reseller or Cisco SE for a more detailed analysis of your environment and requirements.
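The "protection provided by the base ASA" referred to above is mainly connection limiting and TCP intercept, configured through the same MPF framework. The configuration below is an added example, not from the original post: the 192.0.2.0/24 server subnet, the limit values and every object, ACL and class name are assumptions picked for illustration and should be sized to the real servers' capacity.

```text
! Added example: base-ASA SYN-flood / connection-exhaustion limits via MPF.
! Addresses, limits and names are assumptions.

! Servers to protect (assumed DMZ subnet).
object network WEB-DMZ
 subnet 192.0.2.0 255.255.255.0

access-list PROTECT-WEB-ACL extended permit tcp any object WEB-DMZ eq 80
access-list PROTECT-WEB-ACL extended permit tcp any object WEB-DMZ eq 443

class-map PROTECT-WEB
 match access-list PROTECT-WEB-ACL

! global_policy already exists on a default ASA configuration; add a class to it.
policy-map global_policy
 class PROTECT-WEB
  ! Cap total and half-open (embryonic) connections to the class. Once the
  ! embryonic limit is reached the ASA completes the TCP handshake itself
  ! (TCP intercept) and only forwards connections that complete, so spoofed
  ! SYNs never consume server state.
  set connection conn-max 20000 embryonic-conn-max 2000
  ! Per-client limits contain a single noisy source without affecting others.
  set connection per-client-max 200 per-client-embryonic-max 20
  ! Age out half-open connections faster than the 30 s default.
  set connection timeout embryonic 0:00:20

service-policy global_policy global

! Verify: per-class connection counters and the drop reasons that fire when
! a limit is hit (conn-limit, tcp-intercept related counters).
show service-policy global
show conn count
show asp drop
```

These limits address volumetric TCP state exhaustion only; they do nothing against bandwidth-saturating floods that fill the upstream link before the ASA sees them, which is the gap the reply above leaves to the IPS policy and, for carrier scale, to an upstream or dedicated scrubbing solution.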
12-03-2018 01:44 AM
Hi,
Is this QoS still not available if you run ASA with the FirePOWER module? Will it ever be available if you run it like this instead of with the FTD image?
Thanks.