The ASA 5515-X (along with

fabflorent · ‎04-28-2017

Hello,

1- Can you help me defend the solution Cisco FireSIGHT Management Center. My company is planning to acquire two ASA5515-FPWR (for failover) to deploy at Internet Edge. I suggest the acquisition in addition of Cisco FMC Appliance. But I have to give the advantages, knowing that we can also manage ASA FirePOWER services with ASDM!

2- Can you explain me the licensing process for FirePOWER Services. Is the license ordering process different when you use Cisco FCM to manage FirePOWER on ASA ?

Jetsy Mathew · ‎04-28-2017

Hello ,

If you have the choice between management with ASDM and through FPMC (which can also run virtually on ESXi), choose FPMC as that is much more powerful then the management through ASDM. When you manage via ASDM , you can see only real time connection events . Using an FMC you can get the full view of connection events and based on the database settings you can decide how much events you want to store.

http://www.cisco.com/c/en/us/products/security/firesight-management-center/index.html

Licensing Information as follows:-

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Licensing_the_Firepower_System.html

http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-licenseroadmap.html

Rate if the post helps you.

Regards

Jetsy

fabflorent · ‎04-28-2017

Thank you Jetsy,

Which model do you recommend for me?

What is a sensor at FMC point of view?

Please can you tell me which visibility FMC provides on other devices like routers, switch, servers, printers, VoIP phones, etc... ?

Marvin Rhoads · ‎04-28-2017

Definitely use FMC. In addition to what Jetsy mentioned, there you create one set of policies and deploy to both of your ASA FirePOWER service modules.

A sensor is a managed device - a FirePOWER service module in your case. It can also be an FTD device or a classic dedicated FirePOWER appliance (like 3D series).

FMC provides visibility on devices based on the traffic flowing through its managed devices or sensors - it does not manage or otherwise interact with them.

fabflorent · ‎05-03-2017

Thank you Marvin,

Please, apart from devices with firePOWER sensors like ASA, can Cisco FMC receives any type of logs or alerts generated by other devices like hosts, servers, routers and switch?

Marvin Rhoads · ‎05-03-2017

Not in the way you are asking. It cannot act as a general purpose syslog or snmp trap server.

It can ingest data such as Netflow for network discovery, host - IP address mapping from a Cisco user agent in your domain or ISE server for userid-IP mapping and AD group information from your AD DC for use in policies.

Threat information can be ingested from Qualys via the eStreamer feature or any number of community source via the STIX standard via Taxi.

fabflorent · ‎05-04-2017

Thank you!

I want to order 2 appliance ASA5515-FPWR-K9 and 1 appliance Cisco FMC 1000-K9. I plan to user Threat + Control + Malware features.

Can you help me determine the license ordering I need in this case to manage my ASA FirePOWER modules with FMC ?

In fact I have listed the following items:

- ASA 5515-X with FirePOWER Services. Chassis

- Cisco ASA5515 FirePOWER IPS, Apps and AMP 3YR Subscription

- FireSIGHT Management Center 1000, Chassis 1U

I don't know if I am right!

Marvin Rhoads · ‎05-04-2017

The ASA 5515-X (along with 5512-X) are about to go end-of sales:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-738644.html

You would be better advised to select the ASA 5516-X. It costs about 10% more but offers significantly higher performance.

Also, if you have an ESXi (VMware) environment, you might consider the virtual FMC. The FMC 1000 appliance, while definitely higher performance, will cost more than the two ASAs plus 3 years of licensing for each combined.

All that aside, the line items you listed are the right high level ones for an order.

If you're a partner and want to validate your estimate, the Partner helpdesk can help (in addition to what's built into CCW the Cisco Commerce Workspace ordering tool).

If you're an end customer, your reseller should provide you a validated bill of materials. There are items like which power cable, the term of licenses, support contract etc. that need to be considered.