Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
521
Views
0
Helpful
5
Replies

ASA5515-X and NGFW features

Go to solution
Dan Torres
Level 1
Level 1

‎07-28-2014 01:10 PM - edited ‎03-11-2019 09:32 PM

What NGFW features can be enabled if I purchase the ASA5515-x (ASA5515-SSD120-K9) and 3 year license of AVC, WSE, and IPS (ASA5515AWI3Y)?  I was under impression that all three services can be enabled on a single ASA5515-x unit but I read somewhere that I can only enable one service at a time.

 

Also does the ASA5515-x even support AVC? I’m asking because it seems some people classify AVC as the CX service and it seems only the ASA5585-X supports the CX module.

 

I am very confused here. I would like to stick with Cisco and utilize the NGFW features. 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Dan Torres

‎07-28-2014 03:27 PM

You're welcome.

Here're the answers to your follow-on questions:

1) It has the SSD installed. IPS is a feature license on the NGFW. This in unlike the older 5500 series (and still-available (for now - but likely not much longer) 5500-X series with the legacy IPS bundle) which instantiated IPS via an SSM or SSC hardware module/card.

2) Funny the reseller site you linked to quoted my earlier responses on the matter. If you click through the Cisco Q&A link in that same blog post you will see it has been updated and now reads:

"Q.    Do Cisco ASA Next-Generation Firewall Services support IPS functionality?

A.     Yes. Cisco Next-Generation Firewall with IPS is currently supported and can simultaneously run alongside other services, including Cisco AVC and WSE."

I tried to post a comment over there to that effect but the function appears to be broken on their site.

3) Yes, that's correct. You will need to activate the license once you set things up.

If you're running more than one or two you would also be advised to have a look at off-box PRSM (separately licensed, runs as a VM in your VMware environment) as it will ease management quite a bit by allowing you to create and apply common policies across multiple devices.

Please mark questions as answered once they have been and rate helpful posts.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Dan Torres

‎07-28-2014 03:48 PM

You're welcome.

AVC and WSE are very powerful and flexible although the new policy model can take a bit of reading and practice to get comfortable with it.

The product had a good number of bugs when first introduced but Cisco has been diligently working them off. See the list of resolved caveats in the frequent point releases that have been issued.

All three components can be used in a 60-day trial out of the box (no PAK redemption or lic file required). It can be extended an additional 60 days just by clicking the button to extend it. This is noted in the User Guide thus:

"Each CX device includes evaluation subscription licenses for each feature that you can configure on the device. These licenses are good for 60 days. You can renew the evaluation licenses one time to extend the period an additional 60 days. "

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-28-2014 01:22 PM

All three services can run simultaneously with that license. I've set them up myself on several 5515-X.

The difference with the 5585-X is that it has the CX in a hardware form factor (SSP module). The other models in the line support the CX in a software module (the SSD is used mostly for log storage).

0 Helpful

Go to solution
Dan Torres
Level 1
Level 1
In response to Marvin Rhoads

‎07-28-2014 02:44 PM

Hi Marvin,

 

Thank you for the reply. Could you also answer the following questions?

 

1) the ASA5515-SSD120-K9 bundle that I’m looking at – does it have the IPS and SSD pre-installed?

 

2) I was reading http://blog.router-switch.com/2014/05/does-cisco-asa-5500-x-series-support-both-ips-and-avcwse-in-one-box/ and it said both IPS and AVC/WSE cannot be run at the same time (as of May 28 2014). Did cisco release a patch recently that allows it?

 

3) to run all three NGFW features simultaneously in one ASA5515-x box, I just need Smartnet + ASA5515-SSD120-K9 + ASA5515AWI3Y correct?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Dan Torres

‎07-28-2014 03:27 PM

You're welcome.

Here're the answers to your follow-on questions:

1) It has the SSD installed. IPS is a feature license on the NGFW. This in unlike the older 5500 series (and still-available (for now - but likely not much longer) 5500-X series with the legacy IPS bundle) which instantiated IPS via an SSM or SSC hardware module/card.

2) Funny the reseller site you linked to quoted my earlier responses on the matter. If you click through the Cisco Q&A link in that same blog post you will see it has been updated and now reads:

"Q.    Do Cisco ASA Next-Generation Firewall Services support IPS functionality?

A.     Yes. Cisco Next-Generation Firewall with IPS is currently supported and can simultaneously run alongside other services, including Cisco AVC and WSE."

I tried to post a comment over there to that effect but the function appears to be broken on their site.

3) Yes, that's correct. You will need to activate the license once you set things up.

If you're running more than one or two you would also be advised to have a look at off-box PRSM (separately licensed, runs as a VM in your VMware environment) as it will ease management quite a bit by allowing you to create and apply common policies across multiple devices.

Please mark questions as answered once they have been and rate helpful posts.

0 Helpful

Go to solution
Dan Torres
Level 1
Level 1
In response to Marvin Rhoads

‎07-28-2014 03:27 PM

Thank you so much Marvin. One final question please. what is your opinion on  AVC and WSE? are they worth getting and do you know if there is like a trial ips/avc/wse license?  

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Dan Torres

‎07-28-2014 03:48 PM

You're welcome.

AVC and WSE are very powerful and flexible although the new policy model can take a bit of reading and practice to get comfortable with it.

The product had a good number of bugs when first introduced but Cisco has been diligently working them off. See the list of resolved caveats in the frequent point releases that have been issued.

All three components can be used in a 60-day trial out of the box (no PAK redemption or lic file required). It can be extended an additional 60 days just by clicking the button to extend it. This is noted in the User Guide thus:

"Each CX device includes evaluation subscription licenses for each feature that you can configure on the device. These licenses are good for 60 days. You can renew the evaluation licenses one time to extend the period an additional 60 days. "

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card