
How to convert an ASA 5515 to an NGFW - steps?

Dear all,

We now want to test the Cisco ASA NGFW, and therefore I have to convert the 5515 firewall.

What I have is an SSD card.

What are the steps now?

(Putting the SSD in the firewall and then re-imaging? How? Need an IPS license, loading IPS software, etc.)

Can anybody help?

 show modul

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            FCH1725J3KS
 ips Unknown                                      N/A                FCH1725J3KS
cxsc Unknown                                      N/A                FCH1725J3KS

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 7c69.f62b.ee63 to 7c69.f62b.ee6a  1.0          2.1(9)8      9.1(1)
 ips 7c69.f62b.ee61 to 7c69.f62b.ee61  N/A          N/A
cxsc 7c69.f62b.ee61 to 7c69.f62b.ee61  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual

 

Accepted Solution

The needed steps are outlined in the quick-start guide. Basically you install the SSD and load the FirePower-software.

Then you need a license for the security-services. At http://www.cisco.com/go/license there are demo-licenses for FirePOWER, but only for the 5506 ... Not sure if there is a demo for your 5515-X available. Probably you have to buy the license at your preferred Cisco-reseller. There are different license-combinations available like IPS, URL and AMP. In addition to that you need a FireSight management-Server that is available as a physical or virtual appliance.


Great, thanks a lot.

Confusing - what I want is IPS and application control on my ASA-X, nothing more.

What I found out is:

I have a CX module (see attachment); this allows application control.

For IPS functionality I need the Firepower module.

That's right?

But only one module is allowed to run at the same time; the other must be shut down.

So, how do I use IPS and application control in parallel on the ASA-X?

Where is my mistake?

Hi Alfred,

Yes, that is correct: you can run only one module at a time on the ASA.

The FirePOWER ngIPS services will run on top of your ASA software.

So with the sfr module installed on your ASA, you get ASA functionality and the added granular control of sfr.

Hope it helps!!!

Thanks,

R.Seth

But how do I get application functionality then?

Do I need the CX module for that?

If yes, either IPS can be running or application control, right?

What do I do to have both IPS and application control in parallel?

 

The Control (CTRL) license is included at no charge with all ASA FirePOWER modules. That gives you application visibility similar to what the CX offered.

Adding the term-based IPS license subscription adds that feature.

You can then create policies in FireSIGHT Management Center that use both sets of features and deploy them to your ASA with FirePOWER services module.

Hi Alfred,

With the SFR module (FirePOWER services) you can perform application functionality and also get ngIPS features.

For more details you can refer to the following link:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

Hope it answers your query!

Thanks,

R.Seth

Does it mean all the rules, all configurations from my 5515 are gone after converting to the NGFW?

Also, CSM Manager cannot be used anymore after converting?

 

No, all your actual config stays in place and is not changed. For all the NGFW-stuff, you tell your ASA which traffic should be processed by the FirePOWER-module. This traffic gets (internally) redirected to the module and the additional security-controls are applied.
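
The redirection described in the reply above, as an added ASA CLI example that is not part of the original thread: a class map selects traffic and the global policy hands it to the sfr module, leaving the existing configuration untouched. The names SFR_REDIRECT and SFR_CLASS and the match-all ACL are assumptions made for illustration.

```cisco
! Added example, not from the thread. SFR_REDIRECT and SFR_CLASS are
! hypothetical names; narrow the ACL to the traffic you want inspected.
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Existing ACLs, NAT and inspection rules stay as they are; the sfr
! action is added to the global policy.
policy-map global_policy
 class SFR_CLASS
  ! Test phase: the module receives a read-only copy of the traffic
  ! and reports on it, but cannot block anything.
  sfr fail-open monitor-only
!
! Enforcing alternatives (use one of these instead of the line above):
!  sfr fail-open    module unavailable: traffic passes without inspection
!  sfr fail-close   module unavailable: matching traffic is dropped
!
service-policy global_policy global
```

The choice between fail-open and fail-close decides whether a module outage costs inspection or availability. `show service-policy sfr` shows whether packets are reaching the module.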

Hmm, does it mean one part can be managed further by CSM and the other part by FireSIGHT Manager?

Yes, that's the way it has to be done while there is no "unified" management-tool. Probably sooner or later there will be one. But at the moment the "base-ASA" is still managed in a "traditional" way (CLI, ASDM, CSM) and the NGFW is managed with FireSight.

At the moment I am writing a list of several firewall producers and comparing the products and the prices.

Does the Cisco NGFW have all these features on board:

Antivirus, anti-spyware, URL filter, sandbox?

 

The Cisco ASA with FirePOWER services offers:

Virus and spyware - collectively covered by the IPS and Advanced Malware Protection (AMP) licensed features of the FirePOWER service module.

URL filtering is likewise an available license.

Sandbox technology is one of many analysis methods used in the background by Cisco's Talos cloud.

If you specifically want on-demand sandboxing (i.e. the ability to submit files for Sandbox analysis on an ad hoc basis), you can supplement your service with AMP Threatgrid.

Marvin, thanks a lot.

Is there any data about the workload, meaning CPU, backplane, memory?

Other vendors have performance problems, e.g. if the IPS is active and under load.
