09-05-2018 04:14 PM - edited 03-12-2019 06:56 AM
We have a Cisco IronPort Web Security Appliance (WSA) and are looking to change out our existing firewall to a FirePOWER 2140 NGFW.
The question I am running into is whether it would be of any benefit to add AMP and IPS licensing to the Firepower 2140 NGFW or if this would be duplicating the Malware Protection already provided by the WSA. Would it be worth spending the extra on AMP and IPS licenses or would it be better to save the money and just get IPS Licensing for the NGFW 2140?
Any thoughts?
09-06-2018 06:44 AM
Hello,
WSA will be able to inspect web based traffic and act as malware protection for the same. Also, the traffic which is inspected by WSA is North to South (LAN to Internet) majorly and is not ideal for east-to-west traffic (between internal segments).
If you want 100% protection, WSA can be considered for web based protection and you don't need the URL filtering feature on FTD. You can rely completely on WSA for all URL based protection.
Now, for IPS and Malware analysis over all web and non-web traffic, east to west and North to South, you can use FTD with IPS and Malware license. There is a bit of overlap, but if we understand what WSA can and can not do, you can make an informed decision. Plus, you have to keep the Organization's requirements in mind - For example, if the east to west traffic does not need Malware protection or IPS protection and for you the biggest threat is the internet, then WSA alone can do the job and there is no need for IPS and Malware license on FTD. This will be a decision, especially if you have endpoint Protection in place.
HTH
AJ
09-06-2018 10:17 AM
The WSA is already in place and working fine for URL protection and North to South Inspection so URL protection is not needed on the FTD.
That being said, how would the FTD inspect traffic East to West as it is only going to be connected to 3 segments: 1. our internal core switch, 2. our DMZ, and 3. our outside internet segment. How would that ever do East to West Traffic inspection?
Also, we would only be using 2 NGFWs in a failover configuration; would FireSIGHT Management Center VM provide any real advantage, especially if we decided not to get IPS and Malware protection? Could this be done with the built-in management software on the NGFW?
Jim
09-06-2018 11:09 AM
From east to west I meant inside to dmz and dmz to inside apart from any other internal segments, if you had them configured.
The basic FTD will only provide classic ASA engine protection and also the application visibility (AVC), but not the IPS and Malware inspection. If you have some good endpoint protection configured for LAN users, then you can live with only FTD with URL filtering through WSA.
In the end, it's a fight between price and Security as required by Business. Of course, WSA can not provide the protection for non-web traffic, so that void will be there.
Regards,
AJ