I have been under the impression that an IPS was used in conjunction with an ASA because ASA can work only on L3/L4 and cant check the payload of a packet. But if ASA can do L7 inspection, URL filtering etc with the help of MPF, then why are the the devices like IPS, WSA being used to do the same?
The ASA can do L7 inspection but its capabilities are very limited. You have to know in advance the exact URLs you want to filter, you cannot filter on categories, there's almost no reporting of the filtering, etc. etc.
NGIPS like ASA with Firepower Services and URL Filtering license or ASA/Firepower appliance running FTD image can do much more with respect to URL filtering. All the things I mentioned above plus more. A WSA, as a purpose built appliance, has even more capabilities - very granular reporting, more categories etc.
AMP for Endpoints has very limited URL filtering functionality- it is primarily a malware protection tool (with Antivirus).
Cisco Umbrella is the other option. It is a very good URL filtering tool with the advantage that it can cover clients both on- and off-premises with the roaming client.
ASA can do very basic stuff with L7 header, basically it can just make sure that l7 traffic is adhering to RFP for that particular protocol. We can do bare minimum with layer 7 policies even if we were to modify the default policy for the defined protocols. Also, ASA does not even handle all the well defined protocols at layer 7.
It can not deep analyze the traffic on l7 layer and is not aware of the attack patterns which ofcourse an additional module like IPS or Sourcefire can do.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...