Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5515-X URL Filtering / Upgrade WSE

 

Hi all , 

 

I have ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 

 

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

 

I know that i can do URL filtering on it using ASDM , right ?

 

But can i and what bennefit i would have with WSE on it and can i put WSE ? maybe PID for WSE .

 

I was reading that i can put SSD in ASA  ( please PID if know ) and can i ? and then i can  put WSE ( it is license or part of software and get some robust url filtering .

 

Can someone explain me diffrenece with regular url filtering and with WSE , and  process how to put SSD in asa  and WSE  .

 

Maybe some link where is explained .

 

Thanks ,

KR 

VZ

 

5 REPLIES
New Member

Hi startx001,Please see

Hi startx001,

Please see inline comment:

QUESTION: I know that i can do URL filtering on it using ASDM , right ?
ANSWER: Yes. You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:

•Websense Enterprise for filtering HTTP, HTTPS, and FTP.

•Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)

For more information, please check the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/fltrrule.html


QUESTION: But can i and what bennefit i would have with WSE on it and can i put WSE ? maybe PID for WSE .
ANSWER: Cisco WSE, which enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.

WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.

The subscriptions terms are 1 year, 3 years and 5 years. It is also possible to purchase both the services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.

ASA5515-AW3Y-PR= (ASA 5515-X CX AVC and Web Security Essentials 3Year (Promo) - USD 3,450.00 regular price is USD 5,150

or

ASA5515-WS1Y= (ASA 5515-X CX Web Security Essentials only 1Year) - USD 1,900

just add "L-" to the part numbers above to get the eDelivery version.

Please check the links below for your reference(s):

Cisco Application Visibility and Control
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf

Cisco ASA CX Context-Aware Security Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659.html


QUESTION: I was reading that i can put SSD in ASA  ( please PID if know ) and can i ? and then i can  put WSE ( it is license or part of software and get some robust url filtering .
ANSWER: If you purchase the regular ASA 5500-X without the SSD, the Web Security Essentials (WSE) that deploys the web filtering may not work or function as per the Release Notes for the Cisco ASA Series, Version 9.1(x) http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.pdf 

Since Solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.

ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare) - USD 800.00

The purpose of the SSD stores logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.


QUESTION: Can someone explain me diffrenece with regular url filtering and with WSE , and  process how to put SSD in asa  and WSE  .
ANSWER: Please check the document link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#wp1097873


         "niLz"

Nilo Noguera Jr. 

| Specialist, Virtual Engineering - Partner Helpline Organization 

together we are the human network

 

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network
Hall of Fame Super Silver

VZ,URL filtering on the base

VZ,

URL filtering on the base ASA is very old-style and requires you write regular expressions (regex) to match on URLs. It does not do deep packet inspection and analyze type of flows (e.g. micro applications on facebook, file transfers with in a chat session, etc). To get those sort of functions, you use Next Generation Firewall (NGFW) services on the CX module. WSE and AVC work hand in hand to provide them (and you can optionally add IPS).

To add WSE to an ASA 5500-X series you do need the SSD (or an SSP-20/40/60 in the 5585-X) plus a license for the service - it is licensed and subscription-based. The product data sheet lists several 3-year bundles for the software and there are other terms (1 year, 5 year etc.) available.

Your reseller has access to Cisco Commerce Workspace and other partner collateral so they can generate a valid bill of materials for your upgrade. That would include the required SSD (part number ASA5500X-SSD120=).

New Member

So i can activate WSE and AVC

So i can activate WSE and AVC on my ASA ?? 

 

I already hace that CX module ?

 

Kind Regards,

Vladimir Zolnjan

Hall of Fame Super Silver

Yes - If you have the SSD and

Yes - If you have the SSD and purchase the license for WSE And AVC yes you can activate and configure it. Even without the purchased license you can run an evaluation license.

Please refer to the CX module Quick Start Guide for details on setting it up.

New Member

The ASA CX module might be a

The ASA CX module might be a hardware module or a software module, depending on your ASA model. For the ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X it's a ASA CX SSP software module that requires a Cisco solid state drive (SSD) to work.

Cisco ASA CX Module Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html

ASA 5500 and Module Compatibility
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#72331

         "niLz"

Nilo Noguera Jr. 

| Specialist, Virtual Engineering - Partner Helpline Organization 

together we are the human network

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network
323
Views
0
Helpful
5
Replies
CreatePlease login to create content