great thx a lot

Confusing - what I want is IPS and application control on my ASA-X nothing more .

What I find out is:

I have a CX module ( see attach) this allows application control

For IPS funktionality I Need the Firepower Module

That´s right ?

But only one module is allowed to run at the thame time other must be shutdown

so , How to use IPS and application control parallel on the ASA-X ?

Where is my mistake

Hi Alfred,

Yes, that is correct you can run only one module at a time on ASA.

The FirePOWER ngIPS services will run on top of your ASA software. 

So with sfr module installed on your ASA you get, ASA functionality and added granular control of sfr.

Hope it helps!!!

Thanks,

R.Seth

but , how to I get application functionality  than ?

do I Need the CX module for that ?

If yes, either IPS can running or application control , right ?

What to do to have both IPS and Application control parallel ?

The Control (CTRL) license is included at no charge with all ASA FirePOWER modules. That gives you application visibility similar to what the CX offered.

Adding the term-based IPS license subscription adds that feature.

You can then create policies in FireSIGHT Management Center that use both sets features and deploy them to your ASA with FirePOWER services module..

Hi Alfred,

With the SFR module (FirePOWER services) you can perform application functionality and also get ngIPS features.

For more details you can refer following link:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

Hope it answers your query!

Thanks,

R.Seth

does it mean all the rules, all configurations from my 5515  are gone after coverting to the NGFW ?

Also CSM Manager can not be used  anymore after converting ?

No, all your actual config stays in place and is not changed. For all the NGFW-stuff, you tell your ASA which traffic should be processed by the FirePOWER-module. This traffic gets (internally) redirected to the module and the additional security-controls are applied.

hmm , does it mean one part can be managed further by CSM and other part by firesight Manager ?

Yes, that's the way it has to be done while there is no "unified" management-tool. Probably sooner or later there will be one. But at the moment the "base-ASA" is still managed in a "traditional" way (CLI, ASDM, CSM) and the NGFW is managed with FireSight.

At the Moment i´am writing a list of  several Firewall Producer and compare the product and the Prices .

Does Cisco NGFW has all this Features on board :

Antivirus, Anti-Spyware, URL Filter, sandbox  ?

The Cisco ASA with FirePOWER services offers:

Virus and spyware -collectively covered by the IPS and Advanced Malware Protection (AMP) licensed features of the FirePOWER service module.

URL filtering is likewise an available license.

Sandbox technology is one of many analysis methods used in in the background by Cisco's Talos cloud. 

If you specifically want on-demand sandboxing (i.e. the ability to submit files for Sandbox analysis on an ad hoc basis), you can supplement your service with AMP Threatgrid.

Marvin thanks a lot

There are any data about the workload means CPU , Backplane , Memory ?

Other vendors have performace problens e.g. if the IPS is active and under load