Beginner

ISA 550 or 570 product line and traffic blocking

Hello,

I am considering buying a Cisco ISA 570. Since this product line is not really known by my local Gold supplier, I am seeking advice and help.

I want to replace a Cisco 871 for a medical practice of 8 people where suppliers (4 to 5) need to have remote access to provide support activities for medical devices. In addition, I want to make sure that social network sites (e.g. Facebook, Twitter, etc.) are being effectively blocked in HTTP and HTTPS. I am not so much interested in AV or SPAM protection as the environment is mainly running on MacOS and the email server is outsourced to a provider.

-Can the ISA 870 be used to effectively block the Facebook/Twitter in HTTP/HTTPS ? (I know that I can block by IP --> but I want to avoid maintenance of IP addresses on the device. I want to rely on the updates provided by the licensing program)

-For my specific needs, would it be possible to use a normal router Cisco 1921 with the SEC package? (What about the performance compared to the ISA 570?)

-If I activate SSL VPN for remote access for the suppliers, are there any license requirements, i.e. extra cost to be paid?

-I am currently testing a Fortigate 60C, which is blocking the traffic to social network. However, since the rest of the infrastructure is Cisco based (IP Telephony and Switching), I would prefer to keep Cisco. On top, I don't have time to explain to the supplier how to change their VPN client to Fortigate.

-What would then be the main differences between a Cisco ISA 570 and Fortigate 60C for web application filtering ?

Many thanks for your support and help.

Pierre-Olivier

Rising star

Hi Olivier, thank you for using our forum. My name is Johnnatan and I am part of the Small Business Support community. The new ISA products are really nice devices, with multiple blocking features. To answer your question, you can block specific websites per URL; here you can see two ways to block those websites.

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3551

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3522

If you want to compare the features of both devices you can check this link. However the main difference is the 550 has 6 LAN ports, the 570 has 9 and supports more VPN tunnels.

For VPN, SSL is supported without additional cost; here you can see how to configure it.

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3533

About your question regarding the Fortigate router, I have no information about it. I apologize for that.

I hope you find this answer useful,

*Please mark the question as Answered or rate it so other users can benefit from it*

Greetings,

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.

Beginner

Hi Jonathan,

Thanks for the reply. On top of the web filtering capabilities, is it possible to block Facebook as an "application", so that all chat and other FB functionalities could be blocked?

Will the subscription over the 3-year period cover any update (i.e. if Facebook introduces new capabilities, will I be able to automatically block those)?

Thanks a lot

Best

Beginner

Hi Best,

If you want to block Facebook as an application, you can achieve that by selecting and denying Social Network under Application Control. If you want to block just Facebook specifically, you can do that in Web URL Filtering. For any new introduction of capabilities from Facebook, you can upgrade your image when they are supported. Hope this helps.

Regards,

Jeff

Beginner

I have an add-on to the above question. Is there any way I can bulk add the number of URLs to be blocked by the Policy Profile creation? My objective is to block torrents, YouTube downloads and proxy sites in my network. I have created a master list of keywords and URLs to be blocked. However, as far as I can see, I can only add one URL at a time.

It would be cool if I could bulk add several hundreds of URLs into the Policy profile, all to be blocked or to be permitted.

Is there any such option for ISA570 ?

Beginner

We support adding only one URL or keyword at a time now.

Jeff

Beginner

Several of my clients purchased the SA 540 with the intent to set up URL blocking and use other advanced UTM features. All had to scrap their plans because the SA 540s just could not handle the load of even a small 25-node network. Can you provide assurances that your new devices, and in particular the ISA 550, can handle the load? I have prospects for several of these but hesitate due to my experience with the SA 540.

Cisco Employee

Gokul,

Bulk importing URLs to be allowed (for web reputation filtering) is on the roadmap.

Wei

Hi Jonathan,

Can I achieve MAC-based filtering and IP-based filtering in content security, rather than one rule for the entire network?

Share any URL to understand.

Regards,

Venkata S. Dendukuri

Contributor

Venkata,

With Application Control, you can create multiple policies and apply them by Zone in whatever order you wish. With Web Filtering, you can create multiple policies; however, you can only apply one policy per Zone. In both instances, there are no options to control by IP or MAC.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.