Re: Need help understanding ASA Service Contracts

Matt Bell · ‎03-09-2013

I currently have 2 5505 SEC BUN as Primary/FO Firewalls and I am considering purchasing the ASA5510-AIP10-K9 for use as a dedicated IPS device.

Looking at http://www.cisco-servicefinder.com I see that for service updates, CON-SU1-AS1A10K9 is available for this product, providing "IPS Signature and Engine Updates" and "OS Updates."

It is my understanding that in the ASA5510-AIP10-K9 there are 2 OS:

1. ASA OS

2. AIP SSM-10 OS

My question is: Are both the ASA and AIP SSM-10 able to receive "OS updates" with this service contract? Essentailly, I want to make sure that when I submit by budget, there isn't another contract that I also need.

After looking around these forums, I decided to follow a popular recommendation and ask licensing@cisco.com - but their answer was,

"Hi,

Regarding your queries, kindly contact your Account Team and/or Point of Sale about it."

I don't know what an Account Team is and I don't yet have a Point of Sale.

I'll call pre-sales again on Monday, but last week they gave be a bunch of contradictory information and weren't much help because of it.

In the meantime, can someone point me in the right direction?

Regards,

Matt

Julio Carvajal · ‎03-09-2013

Hello Matt,

The license you are refering is for the IPS only, why?

because if you want to upgrade the ASA itself you have to do it manually while the IPS can use global-correlation updates and the latest signature by being able to download them as soon as there is an update, that is what the license is going to do

Hope that I answer all of your questions,

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Matt Bell · ‎03-09-2013

Hi Julio,

Thank you for trying to answer my question - but I don't think you understood my question and I'm afraid you are creating confusion. I'm sure you are not doing this deliberately.

You mistakenly appear to think I am am asking about the "IPS Signature and Engine Updates" as evidenced by your observation that, "the IPS can use global-correlation updates and the latest signature by being able to download them as soon as there is an update". To be clear, I am not asking about "IPS Signature and Engine Updates".

I had hoped by using bold to make it clear that I am asking about OS Updates. So much for formatting. I'm going to ask again and try to be more specific.

Currently, the OS for the ASA is 8.4. I *think* the SSM-10 has an OS and is on version 7.0x.

If I purchase CON-SU1-AS1A10K9 contract (which provided "OS Updates") and in 214 days a new version of the ASA OS is released and in 215 days a new version of the SSM-10 is released, do I have upgrade rights to both OS versions? Or do I just get the ASA OS? Or just the SSM-10 OS?

Great Regards,

Matt

Richard Burts · ‎03-09-2013

Matt

From what I think I understand of your question the service contract to which you refer would provide updates for the IPS but not for the ASA. For the ASA updates you would need a maintenance contract for the ASA (separate from the IPS contract).

HTH

Rick

Sent from Cisco Technical Support iPad App

HTH

Rick

Matt Bell · ‎03-11-2013

Hi Richard,

Thank you for understanding my question. However I don't understand what you mean by "maintenance" contract. I can't find Cisco referencing "maintenance" contracts and you didn't provide a link to a "maintenance" contract.

I think you meant a "service" contract - because Cisco has service contracts.

For a given device or device bundle, I believe the various service contracts can be found here:

http://www.cisco-servicefinder.com

Here you can find services for devices like the ASA5510-SEC-BUN-K9 which doesn't have an IPS module - these services provide OS updates. And you can find service contracts for the ASA5510-AIP10-K9 which does have an IPS module and the service contracts provide IPS updates AND OS updates.

Anyway, I actually think I found part of my answer here:

http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

Q. Do I need both a Cisco SMARTnet® Service and a Cisco Services for IPS contract?

A. No. Cisco Services for IPS also includes Cisco SMARTnet Service deliverables. Infact, only Cisco Services for

IPS is available for IPS appliances.

I think this means that ASA OS updates are included, don't you?

Matt

jocamare · ‎03-10-2013

There's no auto-update on any of the devices.

What you need is a Smartnet contract, it will let you download files from Cisco.com and manually install them on the units.

Matt Bell · ‎03-11-2013

I think I was able to answer my own question:

Q. Are Cisco operating system software updates included with the Cisco Services for IPS contract?

A. Yes. For Cisco operating systems, such as Cisco IPS Version6.0 and Cisco IOS Software, all software updates for the licensed feature set are part of the service. Software updates include bug fixes and maintenance, minor, and major releases within a feature set. There are no additional charges for updates as long as the product remains under Cisco Services for IPS coverage.

Source: http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

Re: There's no auto-update on any of the devices.

I don't believe I asked this question - but thanks! Unfortunately, Cisco disagrees.

Q. How do I obtain signature updates?

With IPS version 6.1 and later, new auto update functionality has been added to the IPS device operating system that allows you to configure your IPS devices to automatically pull new signature updates from Cisco.com. You can also configure auto updates of operating system and IPS engine updates.

Richard Burts · ‎03-11-2013

Matt

I think that you have done well in finding answers to your own questions. What I had assumed, that you would need both a contract on the ASA and a controct on the IPS seems not to be the case. So thanks for finding that for me.

HTH

Rick

HTH

Rick

AravindaLeaves · ‎03-15-2013

Matt

Congrats! It looks like you answered your own question!

-Ara