11-01-2013 03:51 AM - edited 03-07-2019 04:22 PM
Hi all,
I have read in Q and A that CX version 9.2 will support IPS on ASA. My question is, if a client wants CX and IPS in one box, at common workspace, which product shall I choose? IPS bundle or CX bundle? Currently v9.2 is not listed there, but still, which product shall I use?
11-01-2013 04:32 AM
It's hard to suggest something that's not yet available. But I would buy the CX-bundle because there the needed hardware (the SSD) is included while in the IPS-bundle it's only a license. Assuming that this will not change, it's likely that IPS can then later just be enabled by license on the CX-bundle.
Another question is the available hardware. The IPS uses dedicated cores of the multi-core architecture. This processing-power is not available for CX in this case. So perhaps you need to buy a bigger box to handle the load of both CX and IPS. But we only know when it's officially announced.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-01-2013 04:59 AM
Version 9.2 was released on Oct 14, but I don't understand why it's not listed in CCW?
11-01-2013 05:03 AM
Do you have any public statement for the release? It's not available on the download-area and there are also no release-notes.
EDIT: Oh, I typed the wrong link and didn't realize that I was on the general ASA page ... But still, I have no answer. Probably Cisco will add a new bundle sometime in the future?
LATER: The following statement seems like it's just an add-on license:
Next Generation IPS filtering is a separately-licensed service; the device includes an evaluation license.
So perhaps there won't be any new bundles ...
11-01-2013 05:31 AM
11-05-2013 03:10 PM
Really, I don't understand the suggestion, because with the CX bundle I can't use the IPS of the normal ASA 5500-X, and now I can't buy the IPS service into the CX bundle either, so what can we do?
11-05-2013 03:31 PM
The 5500-X Series Next-Generation Firewall product data sheets have been updated to show the ordering options now including the NGFW IPS. Please refer to Table 4 here. The product SKUs haven't been released for orderability just yet but should be on CCW later this month.
So you will soon be able to buy the IPS service (and use them on the CX module with or without the AVC and WSE features). It is a bit different from the old school Cisco IPS module - reflecting the new architecture and design of the product (i.e., managed by PRSM - either on-box or off-box).
11-05-2013 03:58 PM
Thanks Marvin,
And what is the big difference between the Cisco IPS module and the Cisco IPS service? In a design environment, which would we decide to use and why?
Thanks in advance
Carolina Morales
11-05-2013 04:20 PM
You're welcome. I've only seen a few high level slides so far. Official release of the information has not yet been done.
A general description would be that NGFW IPS is better integrated with the overall access policy as expressed in the policies defined in PRSM. As such, it is able to leverage the application awareness (AVC) and source reputation (WSE) data and is enhanced by the more frequent (near real time) updates from Cisco's SIO cloud.
Sorry, that's kind of marketing-speak but that's all that's available at the moment.
03-26-2014 03:08 PM
Marvin, we just bought this
ASA5512-SSD120-K9
L-ASA5512-IP1Y=
We originally intended to buy the classic IPS for our customer, but our vendor indicated that the CX module with the IPS service was essentially the new replacement for classic IPS module. However, after a nightmarish support call with licensing and TAC and finally finding someone who understood that there are 2 IPSs now, the person I spoke with gave me the impression that the IPS service with the CX module is not as robust as the classic IPS module, or maybe wasn't quite as feature rich?
Does anyone understand the difference between these two IPSs in terms of their features, etc? My customer only wants an IPS, so which one would you choose if you don't need the other CX module features? The easier to manage the better, but their focus is security and blocking and/or alerting on potential threats, etc.