06-19-2014 06:36 AM - edited 03-11-2019 09:20 PM
Hi all ,
I have ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
I know that i can do URL filtering on it using ASDM , right ?
But can i and what bennefit i would have with WSE on it and can i put WSE ? maybe PID for WSE .
I was reading that i can put SSD in ASA ( please PID if know ) and can i ? and then i can put WSE ( it is license or part of software and get some robust url filtering .
Can someone explain me diffrenece with regular url filtering and with WSE , and process how to put SSD in asa and WSE .
Maybe some link where is explained .
Thanks ,
KR
VZ
06-19-2014 07:52 AM
Hi startx001,
Please see inline comment:
QUESTION: I know that i can do URL filtering on it using ASDM , right ?
ANSWER: Yes. You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:
•Websense Enterprise for filtering HTTP, HTTPS, and FTP.
•Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)
For more information, please check the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/fltrrule.html
QUESTION: But can i and what bennefit i would have with WSE on it and can i put WSE ? maybe PID for WSE .
ANSWER: Cisco WSE, which enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.
WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.
The subscriptions terms are 1 year, 3 years and 5 years. It is also possible to purchase both the services together using the AVC + WSE bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.
ASA5515-AW3Y-PR= (ASA 5515-X CX AVC and Web Security Essentials 3Year (Promo) - USD 3,450.00 regular price is USD 5,150
or
ASA5515-WS1Y= (ASA 5515-X CX Web Security Essentials only 1Year) - USD 1,900
just add "L-" to the part numbers above to get the eDelivery version.
Please check the links below for your reference(s):
Cisco Application Visibility and Control
http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf
Cisco ASA CX Context-Aware Security Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659.html
QUESTION: I was reading that i can put SSD in ASA ( please PID if know ) and can i ? and then i can put WSE ( it is license or part of software and get some robust url filtering .
ANSWER: If you purchase the regular ASA 5500-X without the SSD, the Web Security Essentials (WSE) that deploys the web filtering may not work or function as per the Release Notes for the Cisco ASA Series, Version 9.1(x) http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.pdf
Since Solid state drive (SSD) is required in order to run the Application Visibility and Control (AVC) and Web Security Essentials (WSE) next-generation firewall services on the Cisco ASA 5500-X Series.
ASA5500X-SSD120= (ASA 5512-X through 5555-X 120 GB MLC SED SSD (Spare) - USD 800.00
The purpose of the SSD stores logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.
QUESTION: Can someone explain me diffrenece with regular url filtering and with WSE , and process how to put SSD in asa and WSE .
ANSWER: Please check the document link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#wp1097873
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
06-19-2014 08:19 AM
VZ,
URL filtering on the base ASA is very old-style and requires you write regular expressions (regex) to match on URLs. It does not do deep packet inspection and analyze type of flows (e.g. micro applications on facebook, file transfers with in a chat session, etc). To get those sort of functions, you use Next Generation Firewall (NGFW) services on the CX module. WSE and AVC work hand in hand to provide them (and you can optionally add IPS).
To add WSE to an ASA 5500-X series you do need the SSD (or an SSP-20/40/60 in the 5585-X) plus a license for the service - it is licensed and subscription-based. The product data sheet lists several 3-year bundles for the software and there are other terms (1 year, 5 year etc.) available.
Your reseller has access to Cisco Commerce Workspace and other partner collateral so they can generate a valid bill of materials for your upgrade. That would include the required SSD (part number ASA5500X-SSD120=).
06-19-2014 08:19 AM
So i can activate WSE and AVC on my ASA ??
I already hace that CX module ?
Kind Regards,
Vladimir Zolnjan
06-19-2014 08:36 AM
Yes - If you have the SSD and purchase the license for WSE And AVC yes you can activate and configure it. Even without the purchased license you can run an evaluation license.
Please refer to the CX module Quick Start Guide for details on setting it up.
06-19-2014 08:58 AM
The ASA CX module might be a hardware module or a software module, depending on your ASA model. For the ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X it's a ASA CX SSP software module that requires a Cisco solid state drive (SSD) to work.
Cisco ASA CX Module Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html
ASA 5500 and Module Compatibility
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#72331
"niLz"
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide