cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5265
Views
0
Helpful
7
Replies

Ironport WSA vs ASA 5515-X with Firepower for web filtering

arosenaugfmhm
Level 1
Level 1

We currently have a pair of ASA 5510's and a separate single Ironport S170 for web filtering. My Smartnet is coming due next year on all of them, so I'm wondering should i renew and stay as I am, or should I replace the ASA's with two 5515-X with Firepower services and get rid of the Ironport. Is anyone use the 5515-X firepower services inplace of Ironport, is there any added functionality or any functionality that is lost?

7 Replies 7

Hi arosenaugfmhm,

                Since you already have an existing Ironport S170 appliance, you can do similar features on the ASA5515-X as shown on Slide 3 of the attached PPT but not all features are supported. Both the Data Sheet for the WSA and At-a-Glance for the FirePOWER services will provide you with the differences. Rest assured that the attached PPT will be more direct in providing you with this information. If you are only using common features then it will be best to utilize the S170 as a Web Proxy server or for Web Caching and then have FirePOWER services on the ASA5515-X do the features you have been doing on the S170. The Ordering Guide on Page 10 will show you the appropriate steps in ordering this. The Data Sheet for WSA will show you that the necessary features and functionality to utilize the S170 as a Web Proxy Server are provided under the section Deployment and the Quick Start Guide will provide details on how to implement this. The ASA5510 is already EoS as stated on Table 1 of the EoS Notice and Table 3 indeed shows that the ASA5515-X is the appropriate replacement. This specifically means that it will be best not to renew the Smartnet services for this and you are correct in proposing the ASA5515-X for it. 

for more information or need further help  please send me an email at fguasque@cisco.com

 

Thanks,

Ferdinand Guasque

 

Hi Ferdinand,

 

Can you provide the attached PPT file as I would like to take a look at this document.

 

As I am also doing a comparison between WSA and Firepower.

 

Thanks

Keep in mind that with URL filtering on firepower you cannot provide a block screen for HTTPS traffic.

To the user it will just spin and eventually time out. 

That's a huge limitation 

hi,

thanks for the info, Can you please attach the PPT and Data sheet you are referring

Regards,

Hi Ferdinand,

Appreciate if you can attach the PPT file. Thanks.

captkloss
Level 1
Level 1

Hi, 

One thing that killed ASA web filtering for us is the fact that Firepower does not support wildcards/regex.

dropfreeze
Level 4
Level 4

Hello,

 

I run a pair for ASA 5515-X with Firepower along with an WSA S170 and ESA C170. As well I have been running all this with AMP for Endpoints over the past year. They all complement themselves pretty well and intergrate better than most other  comparable solutions. 

 

Currently I am considering swapping my ASA’s out with 2 Firepower 4110’s. However, I am still on the fence about doing this. I work for a MSP and Cisco Partner so part of my job is to make sure we have the latest and greatest to show clients for the lab/production internal environment. But your only as big as your smallest pipe. Also,  I recently found out we had a number  of licenses for umbrella but it’s never been set up,  i’ve been in the process of getting that setup as well. 

 

If you have questions or need some help let me know. I know it sounds sick but I love this stuff and alothough it’s my job it also my hobby and passion. 

 

-E