Does Cisco ASA 5500-X Series Support Both IPS and AVC/WSE in One Box?

Some Cisco ASA 5500-X users want to know whether a single ASA 5500-X supports all of these features, IPS, AVC (Application Visibility and Control) and WSE (Web Security Essentials), in the same box. A detailed example is shown below:

  • a. If an ASA 5515-X is needed with IPS functionality, the following hardware will be needed: ASA5512-IPS-K9, which is a Cisco ASA 5515-X IPS Edition.
  • b. If an ASA 5515-X is needed with Application Visibility and Control (AVC) and Web Security Essentials (WSE), the following will be needed: ASA5515-SSD120-K9, which is an ASA 5515-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES and 120G SSD, plus ASA5515-AW1Y, which is a license for Application Visibility Control and Web Security Essentials for 1 year.

Cisco ASA5512-X & ASA5515-X

Cisco ASA 5525-X, 5545-X, and 5555-X

So, from the above information, it is either IPS or AVC/WSE and not both in one box. Is that true?

Here we share some Cisco champions’ opinions on this question: Does the Cisco ASA 5500-X Series support both IPS and AVC/WSE in one box?

Jacek.agdan: “This is not possible yet. In Q&A you will find http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html. Not currently. IPS capabilities will be embedded in ASA CX in a near-term feature release.”

But Rudy Sanjoko said: “I believe it is possible to have IPS and AVC/WSE at the same time. You need to buy ASA5515-IPS-K9, which comes with IPS pre-installed (this is required if you need the IPS subscription, explained here), then add the ASA5500X-SSD120 (the part ID for the external SSD which is required for AVC/WSE, explained here) and the ASA5515-AWxY (the subscription license for the AVC and WSE for x years, explained here).”

Marvin Rhoads: “IPS and CX are not available simultaneously on the 5500-X series as of the current (9.1) release. We can see it in the following Q and A:
Q. Do Cisco ASA Next-Generation Firewall Services support IPS functionality?
A. Yes. Cisco Next-Generation Firewall with IPS is currently supported and can simultaneously run alongside other services, including Cisco AVC and WSE.

Q. What version of Cisco ASA CX do the Cisco ASA Next-Generation Firewalls with IPS operate on?
A. Cisco ASA CX Software Release 9.2 or later is needed to run Cisco IPS on Cisco ASA 5500-X Series Next-Generation Firewalls.

Q. What is the new Cisco IPS Service on Cisco ASA 5500-X Next-Generation Firewalls?
A. Cisco IPS Service is the module that provides intrusion prevention within the Cisco ASA 5500-X Series Next-Generation Firewalls. The firewalls have multiple security services operating within them. The Cisco IPS uses the firewalls’ other services such as application visibility, identity, and off-device reputation to make inspection and enforcement decisions.

The only problem with this is that the current IPS bundles, for example ASA5515X-IPS still do not say that they include the 120GB SSD which is required for the CX features to work.
ADDITIONAL: The “Memory Requirements” section of the compatibility matrix states that this is no longer a problem but that each feature will reserve large amounts of memory for its own use: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html”

More points: Correct, NGFW 9.2 has added IPS functionality. The license subscription is not quite orderable yet (as of 12 Dec 2013), but the software has been available on CCO for a couple of weeks now.

Note this is not the same IPS as you are used to (i.e. on the older SSP modules or stand-alone IPS appliances, configured via ASDM-IDM, IME or CSM) but a slightly different release that is specific to the NGFW and is configured and managed solely by PRSM.

Jason.edelman: “What’s the verdict here? Can you order ASA5525-IPS-K9, add SSD drives, and then add spare SKUs for NGFW AVS/WSE licensing? Or if you use SSD drives to get CX functionality, are you limited to the “lite” ASA NGFW IPS?”

David: “I spoke with a supplier in the UK (Comstor) back in early January and they confirmed that, as Marvin has said, the newer version of the Next Generation Firewall Service (ASA CX) software, 9.2, does allow operation with IPS at the same time. However, they are not available as a bundled option yet, so you can buy the IPS package and then add the SSDs. Personally I’d double-check with a supplier before purchasing though, as things were still evolving when I last checked. Hopefully when the main ASA software version 9.2 is released they’ll offer the full bundles.”

Jason (Reply to David): “No problem on the bundle. I was looking at the ASA5525-IPS-K9 (adding in SSDs is possible under that main part number), but then adding on spare SKUs for AVC/WSE. From what you’re saying, this will work in 9.2, but the install for AVC/WSE will just be manual, correct? Another question is, will this just work after installing the proper licensing/software, or is there special partitioning that needs to be done to get IPS working with AVC/WSE? As my customer is purchasing soon, it looks like the lite IPS will be the best option to use with WSE.”

Marvin Rhoads (replying to Jason’s question): “If you add the SSD after purchasing the ASA you will need to install the kickstart and system image to get the CX / NGFW up and running and access the on-box PRSM interface (or manage the unit with off-box PRSM). As long as it’s the requisite PRSM software level (9.2(x) or later; 9.2(1.2) Build 52 is current and recommended as of right now) you will have the option of applying the IPS license (or activating the built-in 60-day evaluation license) in addition to the AVC/WSE ones that have been available all along. No special partitioning or imaging is necessary.”

Furthermore, Farhan suggested that Jason should go for ASA5515-SSD120-K9 and then add the subscription license ASA5515AWI1Y, which is a bundled license for AVC, WSE and IPS for 1 year, and that he will get a better price if he selects ASA5515AWI3Y, the 3-year version of that license. As of the current (9.2) release, IPS and CX are supported on the same box.

From the discussion we can take two main points. First, IPS and CX are not available simultaneously on the 5500-X series as of the 9.1 release. Second, according to the Q and A on IPS and CX for the Cisco ASA 5500-X series, the Cisco ASA Next-Generation Firewall supports running IPS and AVC/WSE at the same time as of the 9.2 release.

What are your opinions on the Cisco ASA 5500-X Series’ IPS, AVC and WSE features? Share with us…

Discussion from supportforums.cisco.com

