I have been under the impression that an IPS was used in conjunction with an ASA because ASA can work only on L3/L4 and cant check the payload of a packet. But if ASA can do L7 inspection, URL filtering etc with the help of MPF, then why are the the devices like IPS, WSA being used to do the same?
The ASA can do L7 inspection but its capabilities are very limited. You have to know in advance the exact URLs you want to filter, you cannot filter on categories, there's almost no reporting of the filtering, etc. etc.
NGIPS like ASA with Firepower Services and URL Filtering license or ASA/Firepower appliance running FTD image can do much more with respect to URL filtering. All the things I mentioned above plus more. A WSA, as a purpose built appliance, has even more capabilities - very granular reporting, more categories etc.
AMP for Endpoints has very limited URL filtering functionality- it is primarily a malware protection tool (with Antivirus).
Cisco Umbrella is the other option. It is a very good URL filtering tool with the advantage that it can cover clients both on- and off-premises with the roaming client.
ASA can do very basic stuff with L7 header, basically it can just make sure that l7 traffic is adhering to RFP for that particular protocol. We can do bare minimum with layer 7 policies even if we were to modify the default policy for the defined protocols. Also, ASA does not even handle all the well defined protocols at layer 7.
It can not deep analyze the traffic on l7 layer and is not aware of the attack patterns which ofcourse an additional module like IPS or Sourcefire can do.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :