
Cisco ASAv with FirePOWER?

m1xed0s
Spotlight

First, has Cisco ASAv been integrated with Sourcefire/FirePOWER? If not yet, will there be any plan?

Second, what is the difference between ASAv and ASA 1000v?

Marvin Rhoads
Hall of Fame

The ASA with FirePOWER module is only supported on the ASA 5585-X (hardware module) or ASA 5512 through 5555-X (software module). It's not supported on the ASAv (or ASA 1000V or ASA SM). Reference.

If your scenario is the ASAv and you're also interested in the FirePOWER line, you could just put a virtual FirePOWER appliance in line with the ASAv.

The ASAv is an independent VM that can be deployed in a variety of virtual environments (or even in a home lab with a free throughput-limited evaluation license). The ASA 1000V is more tightly integrated into a VMware environment and requires the Cisco 1000V as a plug-in replacement of the VMware distributed virtual switch. The two were compared a bit more eloquently in the most recent TAC Security podcast (Episode 43, 26 August 2014).

Thanks for the info. We currently do not have virtual ASAs, just the physical ones. But we are seeking some multi-tenant solutions for a datacenter edge firewall, preferably an NGFW.

Since ASA multi-context has limitations, e.g. VPN support (still the same with the 5500-X series, I think), we are starting to look at virtual firewalls. The other reason we are starting to look at virtual firewalls is that we cannot have the malfunction of one instance or context firewall on the same physical box blow away the whole physical firewall and affect other tenants.

Is any multi-tenant datacenter edge firewall design guide available for reference, even one not using Cisco gear (if not using Cisco, what to use :( )?

I have heard of some data center service providers successfully using Palo Alto Networks' virtual machine variant of their firewalls in secure multi-tenancy environments.

My limited personal experience with them is that they may cover some use cases that the ASA family doesn't but that overall they are a much less comprehensive solution set. And of course you won't have the wonderful Cisco Support Community resource if you go that route. :)

Please rate helpful replies and mark your question as answered when it has been.

So an ASAv and FirePOWER virtual appliance combination for each tenant probably won't make sense financially, right?

I prefer to stay with Cisco, not only because of the Cisco community (sales people from Cisco also play here) but also because there is no need to re-learn knowledge on the ASA.

Cisco claims the ASA 1000V Cloud Firewall is designed for multi-tenant environments, but I failed to find use cases and a detailed feature list...

ASA with Firepower module was just an intermediary step for Cisco.

Now the new generation of firewalls has been launched. ASA is dead. Firepower 2100 series is completely new. I hope there is a virtual version for learning but I don't know.

The ASA platform is still being actively developed.

That aside, one can run FTDv (virtual machine image of FirePOWER Threat Defense) with an evaluation license. 

I am also checking the Fortinet virtual appliance. I guess my struggle may be the design part towards a Security as a Service offering.

Do you have any insight regarding designing Datacenter edge to offer Security as a Service?

Your requirements will guide you to one set of solutions or another. Your local Cisco account team or partners in your area should be able to guide you with some whiteboard sessions to flesh out the most appropriate solution set.

Meanwhile, have you looked at the Cisco Secure Data Center Solution guides? I'd especially recommend a close look at "Secure Data Center for Enterprise — Threat Management with NextGen IPS Design Guide", just published in August 2014.

Thanks, I will read through the articles from your links. I will have a meeting with the local Cisco team this afternoon and we will see what they propose :)

Moin Ilyas
Level 4

Adding to Marvin,

Cisco ASA with FirePOWER Services includes combinations of the following orderable components:
● Cisco ASA 5500-X Series and 5585-X appliances
◦ Cisco ASA 5500-X Series with FirePOWER Services
◦ Cisco ASA 5585-X with FirePOWER Services
◦ Cisco ASA 5585-X with FirePOWER Services spare modules
● Cisco ASA with FirePOWER Services subscriptions for (1-year and 3-year term options)
◦ IPS subscription
◦ URL Filtering subscription
◦ AMP subscription
● Management systems
◦ Cisco FireSIGHT Management Center hardware or virtual appliance (required)
◦ Cisco Security Manager (recommended)
● Cisco SSL Appliances (optional)
● Cisco SMARTnet support services
● Cisco SASU

Thanks, this will be greatly helpful for the sales people to present to get BOM done :)
