Thanks for your input on this, at least now i do not feel like i am the only one complaining.

1.) ASDM Management

Yes, it does look like a dirty hack. Nevertheless, since the ASA is running a Linux Kernel, Cisco could have done better. Or at least advised that this is just a temp implementation and it will go away. Luckily i only pitched the integration to the customers as a "helper" and the FMC should be used for serious work.

We may see a centralized management for ASA and FP in the future, but hopefully this will be NEAR future. Long time overdue it is anyways, especially getting rid of Java.
While i like the console of course, some things, especially on the ASA are just easier with ASDM, VPN wizard e.g.

Remembering the botched implementation of CX,AIX etc, it just leaves you with a bad aftertaste.

2.) Ugh, makes sense, i did suspect that, well, it is mentioned in the online docs - but failed to specify EXACTLY which ASA suffers from that and which may not.

But, if a customer does test "porn" - and they do, missing the first hit on goggle and not being able to correctly block it - makes it look ridicules in the eyes of the customer. There is no excuse why it cannot block that site - probably the whole IP, where there is one porn site hosted, probably a lot of others are too.
Legally, if a minor gets a hit on that, you can be in BIG trouble. So it is a decision maker.

3.) I sure hope so, currently it is more a bonus option to have FP instead of a selling point.

If i need in depth filtering and reporting, of course there is no way past WSA.
And it comes with a hefty price tag. That is one thing i do not get with Cisco. If they just lower their prices for mid sized business - i remember the Spam Filter was such a project, and we sold that thing like hot chocolate croissants on a cold winter day, and then it got dropped - they could slam the market with Cisco and point the world green.

4.)Yeah well, it is not like Hyper V just popped up out of nowhere, it has been pushed hard by MS and we have a lot of customers - especially in the mid size business, that are using MS instead of VMW. Granted VMW has stepped down from their high horse a bit, but considering that the small to medium companies in a whole have more assets compared to the major players, ignoring them you should not.

If the two device VM is indeed free, well, at least it would be a band aid for the time being.

5.) Yes it does, but it should not. FP should be able to read the NAT rules and understand to not block traffic on these ports - or a warning of a possible overlap woulda been nice.
I guess if and when it is a fully integrated system, we just have to keep that in mind. Although i do not remember a warning anywhere pointing that out. Learning by doing i guess.

6.) Actually i have not thought of that since i was thinking the management interface is more like an isolated interface. OK, i will give that a try.

But by doing so, if the ASA has to communicate with the FPMC especially for the URL filtering, latency may just be to much and user experience will drop. And if users have to wait an additional second for a page to open - you know how that goes.

Thanks for your participation.

Markus

Now, just for kicks, 

as i understand i buy a Firewpower System, in my case an ASA + Subs.

And then i still have to BUY a License to manage to afore mentioned system?

FS-VMW-2-SW-K9 (Because the ASA Firepower Management is pointless)

Really.... this is like buying a car and afterwards being told the motor is not included but instead comes on a separate trailer, that also only hooks up to certain hitches (VMware,KVM)

And then have the audacity to charge 15k for a 25 Dev Lic ???

The Price for a car for some software that should have been included ?

I do not know who in the upper section makes decisions like that, but this is definitely one of the major reasons people are turning their back on Cisco.

There is NO REASON to charge 400 -500 ticks PER Device Lic.

And in the same sentence saying " oh this is really cheap and affordable pricing"

Sorry but the price is not and never will be justified.

I got feedback considering licensing from my cisco rep. The device licenses for FMCv are still required - the output from the licensing page is quite misleading atm.

I am also not a big fan of the licensing model and would prefer some tearing which could include advanced reporting/analytics for X devices, but device configuration/management should not be licensed IMO.

Considering the price... substract 50% to get the real price. ;)

True, i posted the list price but whats even worse and i just had this happening today, explain to a customer why a 10dev lic cost 1200 but a 25 dev lic cost 6000? in  my calculation it should be x2.5 = 3600 or even less since you buy MORE.

Funny thing thou, it looks like they took the price for the hardware box (50dev), took 50 percent of it and made it the price for the virtual 25devs.

Just forgot to take into account that IT DOES NOT COME WITH A SERVER!@! They are just lic's.

I am going to complain about this to a Cisco Rep but unless you are a Fortune 500 customer....

(50% already deducted :))

Hi everyone. That's why i hate ASA when licensing part comes. Unfortunately, I have to install around 30 5512, 5515 boxes for a customer who only love brand and two of them are in my lab with same problem mentioned by Michael Braun.  I worked on fortigate and its 1000 % better than ASA from SMB to midsize. One box everything is inside url, ips, app control, amp. All is gui based on one page to mention everything that's why anyone can manage it. When u compare the price of box and license, fortigate is ahead from ASA. 

Regards!

And now the fun part, due to Intel's Atom disaster, we can now reinstall all of our FP ASAs, just one takes hours to complete and afterwards the hassle with switching the license keys...do this times 30 - fun fun ahead....

Well yea don't get us started on Cisco licensing hell on the new ASA platform.

The opposite of simplicity... chassis lic, anyconnect, no wait... also APEX to enable some functions, sourcefire IDS, no wait u need also URL filtering to do that and that... ah well you need to manage it, so buy also the vmware appliance... lol... and of course multiple point and GUI to input the license data you payed for..  the VARs too have difficulty in navigating such twisted licensing landscape...

Hope that at least they are able to squeeze that extra profit in product differentiation with these overly designed licensing plans, otherwise I can't explain it.

And yes u are right....... have fun in replacing all of the above during RMA scenarios.... :(

We have been on Cisco for firewalling for legacy reasons, but those were the time that you bought a PIX series and that's it..... nowadays if starting from ground zero I would reconsider the brand choice JUST for the licensing overhead...

I feel you. Been there, done that.  One to two hours to reinstall or update Firepower in ASA. And if you change your mind to use FP from ASDM to Firepower management System, you have to delete the license also from your cisco account and transfer it to firepower management system machine.

Hi, I just want to back everyone's opinion up.

I'm running a 5506W-X, ASA part is good although ASDM could do with a makeover, but what the heck is this Firepower thing doing? Initially I thought waoo NGFW, how cool - however this turned out to be a huge disappointment.

1. You buy a firewall with firepower, but then have to pay extra to use it.

2. You need a smartnet account to download updates to fix defects in for something you've already payed for, additional $$$$.

3. Dispite all, I've played around with firepower and it doesn't do anything.

Get your act together Cisco!

By the way, have looked at Paloalto, looks good so far.

Yea Cisco is doing big favors to their competitors with the latest instances of Firewalls.

As a summary, my 2 cents:

- simplify, simplify, simplify as a general guideline

- get tradeoff between license complexity and profit right. If you get things too much complicated many costumers you go to competitors due to the licensing nonsense. Even experienced VARs minds explode when confronted with Cisco license-delirium

- replace ASDM with a web client. One solution for all the features. Don't let customers think of two products (ASA and FP) when they use the product. The necessary management system should be on the firewall itself not outside as default (just run a VM on the firewall itself if you want to isolate things).