Question about Firewalling & Content Filtering using ASA 5525-X

Hello all,

I'm in the process of purchasing a quantity of 2 for the following:

ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle
Cisco ASA5525 FirePOWER IPS, AMP and URL Licenses
Cisco FireSIGHT Management Center,(VMWare) for 2 devices

These will replace our guest network firewall and content filter which are currently Barracuda devices.  I'm not sure if it's worth mentioning but there are 3 networks behind our guest network.  The 1st is the main guest network that has the current firewall, Web filter, switches, and guest devices.  The 2nd network services a remote network where we used PBR to get its traffic routed to the guest network.  The last network is a network created where clients are behind the PacketFence captive portal so the server has 2 NICs (one on the main network and the other behind the portal that serves clients behind it).  Eventually, users on the main network will be moved behind the captive portal.

We're going to run the ASAs in active/standby HA.  What I need to know is since this will be a new install/configure from scratch, is there any documentation that will guide me through the process of getting this up and running step-by-step?  For instance, do I need to configure my firewall with all required configurations first and then proceed to configure CX for content filtering?  We're not going to run, at least for now, FirePOWER services so I don't think the install/configuration of FirePOWER and the FireSIGHT Mgmt Center would be necessary unless it's used for the URL/Content filtering.  I just need to be pointed in the right direction as to how to get started.  Thanks!

Regards,

Terence

18 Replies

Marvin Rhoads, Hall of Fame

CX is an older discontinued module. It is no longer sold.

On your platform, content filtering etc. would be done using the FirePOWER module. Hopefully you purchased the licenses for that - "TA" at least (for IPS), "TAC" (adds URL filtering) or "TAMC" (adds Malware protection or AMP).

There is a good Cisco Live presentation that covers creating policies. Please refer to BRKSEC-2018 from Cisco Live San Diego 2015 available free at ciscolive365.com 

Hello Marvin,

In my original post, I stated that we were purchasing the following:

ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle
Cisco ASA5525 FirePOWER IPS, AMP and URL Licenses
Cisco FireSIGHT Management Center,(VMWare) for 2 devices

Our vendor understood what we were looking to do and provided the necessary licensing to accomplish that.  I'll take a look at the video from Cisco Live to get an idea as to how to start.  Thanks!

Terence

OK sure - I saw that but I was picking up on where you said further down "proceed to configure CX for content filtering?"

There are also some good free videos on Lab Minutes for setting up FirePOWER. See the following:  http://labminutes.com/video/sec/ASA%20FirePower

Oh ok lol.  Yeah the reason I mentioned CX is because LabMinutes has their videos labeled as CX but that may be for the older module as you stated.  Thanks again!

Terence

Marvin,

I just happened to notice that the FireSIGHT Management Center is VMWare so does that mean it doesn't support Hyper-V?  If not, then I'll need to look at another solution for what I'm trying to do for our guest network as we're a Hyper-V shop and won't be adding another VM environment.

Terence

Sorry but FireSIGHT Management Center (known as FirePOWER Management Center as of version 6.0) is not available for Hyper-V.

I've had several customers with the same question and have been banging the drum with my Cisco contacts for most of the year over this request but it's not resulted in any progress to date.

You can manage an ASA FirePOWER module directly from ASDM (capability now extended to all of the ASA 5500-X series) but that's not very feasible if you have more than one or two ASAs.

If you're only dealing with the one 5506 it might be fine for you though.

Thanks Marvin.

Unfortunately, we would be looking to purchase 2 ASA 5525-Xs with the appropriate FirePOWER licenses but now we won't because we're a Hyper-V only shop and will not add a mixed VM environment.  Thanks for your response.

You're welcome.

Maybe the Cisco BU will read your post and tip the scales to get the developers to release Hyper-V support. After all it's just a Linux box with an Oracle db, Tomcat app server and Apache web server under the covers.

Please mark your question as answered if it has been.

Marvin,

Do I have to run IPS in order to use URL/Content Filtering or can I just use URL/Content filtering without running IPS?

Terence

Terence,

The IPS license is optional although I've always seen my customers opt for it.

The URL Filtering license can be added alone to the base Cisco ASA with FirePOWER Services license or as part of a bundle with the IPS and Apps or IPS and Apps and AMP licenses.

Gotcha.  So I don't have to run IPS in order to use URL/Content filtering because they're separate licenses.  Thanks!

Marvin,

One last question.  I'm going to be running my ASAs in active/standby HA.  How does this work with FirePOWER?  Is there documentation that covers this scenario?  I'm assuming that I would have to have the same Sourcefire files installed on both devices.  I also understand that the management interface needs to be used so does this mean separate IP addresses for both boxes for the management interface?  Some clarity would be greatly appreciated!

Thanks,

Terence

HA pairs and/or multiple ASAs with FirePOWER modules (or dedicated FirePOWER appliances) are where FirePOWER Manager becomes more compelling (contrasted with local management using ASDM).

With the manager, we can combine devices into a device group and apply policy once. They will always be in sync and there's little or no need to log into the individual modules or appliances once they've been set up. Their respective events will be correlated into a single database to give you a unified view of all the connections, IOCs, etc.

Yes, each FirePOWER module in an ASA HA pair has its own unique IP address and uses the ASA physical management interface (m0/0) for communications back to the FirePOWER Manager (or to ASDM if you go that route). That is in addition to any management address or interface you use on the ASA itself.
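As an added illustration of that arrangement (example configuration, not from the original thread), here is what the primary ASA of the pair and its module look like; the addresses, interface names, failover key and registration key are constructed placeholders, and the module-side commands are typed at the module's own CLI (reached with `session sfr console` from the ASA) rather than in the ASA configuration:

```cisco
! Primary ASA of the active/standby pair (all values are constructed placeholders)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key FAILOVER-SHARED-SECRET
failover
!
! Physical management port shared by the ASA and its FirePOWER (sfr) module.
! The ASA's own address fails over with the pair; the modules' addresses do not.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
!
! Redirect inspected traffic to the module. fail-open keeps traffic flowing
! (unfiltered) while the module is down or rebooting; fail-close drops it instead.
access-list SFR-REDIRECT extended permit ip any any
class-map SFR-CLASS
 match access-list SFR-REDIRECT
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
service-policy global_policy global
!
! ---- Module side: entered on each module's CLI, not replicated by failover ----
! Primary unit's module:
!   configure network ipv4 manual 10.10.10.21 255.255.255.0 10.10.10.1
!   configure manager add 10.10.10.50 REGISTRATION-KEY-PLACEHOLDER
! The secondary unit's module gets its own address (e.g. 10.10.10.22) and is
! registered to the manager separately; the device group keeps the two in sync.
```

The failover replicates the ASA configuration (including the redirect policy) between the units but not the module's own settings, which is why each module is addressed and registered individually.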

Thought I wouldn't have any more questions but I have to ask this...do I have to have my ASAs configured prior to installing FireSIGHT or can I install FireSIGHT and then get my ASAs configured prior to doing the actual configuration of my policies via the management console?  I know what IPs I need to use for my ASAs and FireSIGHT.

Thanks,

Terence
