02-15-2016 05:15 AM - edited 03-12-2019 12:18 AM
Hi, I just placed a question a week ago in the security/sourcefire/license section, but unfortunately got no response, so I am trying to ask here.
My original post:
Hi, I am trying to understand Firepower licensing but still don't understand it very well.
I would like to have an ASA5512-X with basic URL filtering (without reputation functions etc.). I just need to create a whitelist or blacklist and that's it.
When I read this article http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html, under the URL paragraph there is:
Tip: Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic.
So what does it mean? When I buy the ASA5512-FPWR-K9, there should be a Protection license included, right? And regarding the paragraph about URL, the ASA should be able to do some basic URL filtering without buying an annual URL filtering license.
Am I correct?
Thank you for your help,
Jan
02-15-2016 05:59 AM
You are right, you can achieve that without any additional term-based licenses. All you need in regard to licenses comes with the box when you buy the firepower bundle.
Today, I would also consider buying the 5508-X instead of the 5512-X.
02-15-2016 06:24 AM
Thanks for the quick response!
I hope it's really like it's described :-). Regarding your consideration, you are right. I just noticed that the 5508-X is a little bit better in performance than the 5512-X, which confuses me again. But let's say that it is really like in the table.
Another thing is about -BUN and -K9. I didn't find 5508-FPWR-K9, just BUN or ASA5508-K9.
Probably for the ASA5508-K9 there is no dedicated FirePower module, so maybe it will consume more CPU time of the whole ASA?
The 5512-FPWR-K9 has a dedicated FirePower module just for this purpose. So finally it should be more powerful than the 5508-X.
Regards,
Jan
02-15-2016 06:39 AM
Regarding ordering codes ... The purpose of the bundle is really to buy the hardware and the subscription with one SKU. ASA5508-K9 also includes FP and would be the option you need.
The 5512-X doesn't have a dedicated HW-module for FP. All ASAs below the 5585 use software modules. That means that there are reserved resources (CPU-cores and memory) for Firepower. The "base" ASA uses the remaining resources. That's the same for 5508 and 5512, so the values from the datasheet are comparable.
02-15-2016 06:53 AM
> I just noticed that the 5508-X is a little bit better in performance than the 5512-X, which confuses me again
One more note ... The 5508 is from the newest generation of ASAs (5506, 5508, 5516). That not only makes them faster compared to some other older devices, they are probably also more future-proof.