Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3074
Views
10
Helpful
6
Replies

SourceFire and firewall

Go to solution
CSCO11428485
Level 1
Level 1

‎04-13-2015 12:47 AM - edited ‎03-12-2019 05:39 AM

could i replace the asa with sourcefire NOT "FIrepower" , because i have asa 5520 as a current firewall and some one advice me to replace it with  a "Sourcefire SF-3D8140 ", and if bought it, how could i use this with the current setup scenario If the budget cannot afford to buy a new  ٍِِASA device instead of the old asa that i had, please advice 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-16-2015 07:53 PM

Wow an 8140 is way overkill to replace a 5520.

If you went with even an HA pair of new ASA 5545-X with full FirePOWER module licenses and the necessary two node FireSIGHT Management Center (FMC) license, the cost would be less than half that of a single 8140 with similar licenses and the larger FMC that's necessary.

I recommend to get your advice from a better qualified source.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
scdugan
Level 1
Level 1

‎04-15-2015 07:57 AM

There is not enough information about how you are implementing the ASA 5520 to answer your question fully.  You can replace your older ASA with a 8140 Firepower sensor and implement NGFW and NGIPS.  HOWEVER, the ASA is very good at the NGFW part while the SourceFire sensor is very good at the NGIPS piece.  Remember also that the sensor isn't configured directly on box.  it requires a FireSight manager to implement policy.

The easier solution for most would be to upgrade your ASA to a 5500-X NGFW model and install the FirePower module for NGIPS with a FireSight manager (virtual or appliance) to control the IPS, AMP, AIC, and URL filter policies.

Go to solution
CSCO11428485
Level 1
Level 1
In response to scdugan

‎04-17-2015 03:11 AM

Thanks so much for your advice 

0 Helpful

Go to solution
Skjalg Eggen
Level 1
Level 1

‎04-16-2015 08:18 AM

No need to buy a 3D8140, just get two ASA5515-X or 5525-X and buy a firepower amp/url/ips lic. also get the 2 device license for Firesight management and download the vmware version. 

use the regular asa ASDM for regular accesslists/routing/NAT and then inspect the wanted traffic with FirePower.

this way you can loosen up on the ACL's and tighten down with application rules. 

set up an E-mail warning for impact 1 events, block all bad reputation websites in URL and all malware with a file policy.

 

 

 

Go to solution
CSCO11428485
Level 1
Level 1
In response to Skjalg Eggen

‎04-17-2015 03:06 AM

Thanks so much.  For Your valuable information 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-16-2015 07:53 PM

Wow an 8140 is way overkill to replace a 5520.

If you went with even an HA pair of new ASA 5545-X with full FirePOWER module licenses and the necessary two node FireSIGHT Management Center (FMC) license, the cost would be less than half that of a single 8140 with similar licenses and the larger FMC that's necessary.

I recommend to get your advice from a better qualified source.

0 Helpful

Go to solution
CSCO11428485
Level 1
Level 1
In response to Marvin Rhoads

‎04-17-2015 03:04 AM

Thanks for your advice and information 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card