Cisco 5545-X with Firepower Module and Hostscan

kiranrokkam
Level 1

Hi Guys,

Need some help with some questions we have.

We are debating whether to go for the Firepower 2130 or the Cisco 5545-X with Firepower module. We are going to use these devices purely for AnyConnect VPN solutions with posture check. We don't want to use the ISE appliance at the moment for posture check.

1. Can we use Hostscan on the Cisco ASA 5545-X with Firepower module without using the ISE appliance?

2. Is it mandatory to use ISE for posture check if we go with FTD on the Cisco 2130?

3. I guess we can reimage the Cisco 2130 with the ASA image; in that case can I use regular Hostscan without the need for ISE?


6 Replies

Hi,

I'd recommend going with the newer FP2130 hardware rather than the ASA appliance, as the ASA hardware is not going to be supported much longer.

If you run ASA code then you can use Hostscan without using ISE. If you purchase the FP2130 hardware you can still run the ASA code, so you do not necessarily need to run FTD. The ASA code currently supports more Remote Access VPN features than the current version of FTD. FTD v6.5 is the latest and it does not support Hostscan/DAP etc., whereas ASA code does. Therefore, if you did run FTD code, then yes, you would need to run ISE to support posture checking.

HTH

Hi RJI,

Thanks for your quick response.

I guess by reimaging FTD to ASA code we will lose Threat Prevention support, so if we have to go with the Cisco ASA with Firepower module, can we use Hostscan or ISE?

I've never worked on a Cisco ASA with Firepower module, though I'm familiar with ASAs and FTDs.

TIA

Yes, if you used the ASA code you could use either hostscan or ISE.

Thanks a lot for the quick response.

A different question: do you even consider threat detection on Remote Access VPN appliances? Is it a very common solution?

I see threat detection on outbound or inbound firewalls, but not on RA VPN appliances. Is there any downside to having RA VPN with threat detection, if we use a Cisco ASA with Firepower?

(Accepted Solution)

If the appliance is dedicated to just RAVPN and user internet traffic is tunneled into the network and accesses the internet via another firewall or proxy, and is not hairpinned and routed back out of the RAVPN appliance, then you could argue there is no need for those advanced features on that RAVPN appliance.

You would of course want to run posture checking and run Anti-Virus and/or Anti-Malware solutions to ensure the end user devices are secure before they are allowed to access the network.

Although if you were to run FTD integrated with ISE, then for any malware infection detected once connected to the VPN, you could quarantine the user's session automatically. I don't believe with the ASA code you can do this.

Thanks for your quick replies.