Upgrading 5510 ASAs to 5585 Firepower

Edificer Member Posts: 187
I'm looking into upgrading our 5510s in our data center with 5585 with Firepower services.

I'm wondering, will many of our 5505's and 5510's at our remote VPN endpoints still be able to be as operational as they are?

I'm sure they'll need an IOS upgrade, not sure about the licenses. I am aware this will need many more hours of research for interoperability and specifications, although I am willing to delve into it as closely as I can to get a better insight.

Only been asked today to upgrade our data center ASAs. Am I making the right step in integrating ASAs with Firepower Services? I think that is the closest I can get to 'upgrading'. This is a huge chance for me to try something new, and it's also aligned with where I want my career to go in the next few years (Security), but if I don't deliver successfully, it may cost my head.
“Our greatest glory is not in never falling, but in rising every time we fall.” Confucius

Comments

  • docrice Member Posts: 1,706
    ASAs do not use IOS. They use ASA software which looks and feels like IOS, but they're not the same.

    This is the first I've heard of FirePOWER Services and it looks like the Sourcefire acquisition is finally taking hold with the merging of the Sourcefire NGFW and Cisco ASA technologies. I've always wondered how this would play out. Note that Sourcefire technology is quite complex (because, well, security is complex) and upgrading datacenter firewalls may be a complicated proposition in terms of laying out requirements, understanding feature sets, licensing, etc. when we're still looking at the first stages of these technologies coming together.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Edificer Member Posts: 187
    Thank you. I will look for all the information I can to find more about it. My first question before deciding to take this on would be if these can be integrated with our current live production.

    It's definitely a great service. I've been looking at FireSIGHT too; they both seem perfect for the aim of my organization.

    Edit: 5525-X platforms are almost exactly the same as 5520 which answers my question of should VPNs still work if we deploy these and replace them with our 5520 VPN concentrators.
    “Our greatest glory is not in never falling, but in rising every time we fall.” Confucius
  • Iristheangel Mod Posts: 4,133
    I've run ASA with Firepower service on my ASA 5512 at home. It is pretty sweet. With the 5512 thru 5555, it's an upgrade to SSD drives in the ASA and license. With the 5585, it's an actual hardware blade plus license. The ASA with Firepower integration has been out since July or August of last year so it's had some time to work out the bugs and wayyyyyy better than CX.

    Edit: here's a great free video series on the "how tos" of ASA with Firepower to get a little more familiar: http://labminutes.com/video/sec/ASA%20FirePower
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • rowelld Member Posts: 176
    I've run ASA with Firepower service on my ASA 5512 at home. It is pretty sweet. With the 5512 thru 5555, it's an upgrade to SSD drives in the ASA and license. With the 5585, it's an actual hardware blade plus license. The ASA with Firepower integration has been out since July or August of last year so it's had some time to work out the bugs and wayyyyyy better than CX.

    Edit: here's a great free video series on the "how tos" of ASA with Firepower to get a little more familiar: Video: Security - ASA FirePower | Lab Minutes

    Thanks for the resource! I'm just going through Firepower now with a 5512X. Quite excited :)
    Visit my blog: http://www.packet6.com - I'm on the CWNE journey!
  • Edificer Member Posts: 187
    Thanks! I contacted my Cisco dealer in my area and found out that, with a possible promo price, a 3 yr subscription for the 5525-X with Firepower services is $7,750,00. It's definitely not coming out of my pocket.
    “Our greatest glory is not in never falling, but in rising every time we fall.” Confucius
  • Iristheangel Mod Posts: 4,133
    Wow. Did they give you list price or something? Are you getting IPS, URL and AMP licensing or a subset of some of those?
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Edificer Member Posts: 187
    I called from work and left my notes on my workstation there. It was, I think, ASA 5525-X AVC and WSE, 3-year $10,250,00 without promo price.
    I also requested a price quote for ASA 5525-X IPS Edition 5 yr term, which should be the software subscription I think. I'm calling back tomorrow for the price quote on that and on what I will be getting with the license to maximize the use of the service.

    Disappointed in the way Cisco manages licenses, was hoping for a lifetime subscription, now I am not sure if my boss agrees since it'll be a reoccurring fee.
    “Our greatest glory is not in never falling, but in rising every time we fall.” Confucius
  • Iristheangel Mod Posts: 4,133
    It sounds like you're looking at the cost of the ASA + the subscription. As far as subscription licenses are concerned, it's pretty standard with NGFWs - Checkpoint and PAN are going to charge your boss subscription fees as well and they are not cheap by any means. I was a bit disappointed by the performance of PAN in the last NSS Labs report and their reaction to it. Checkpoint is pretty awesome performance-wise but their yearly costs for maintenance are downright painful if you want to have support within a 4 hour window.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • docrice Member Posts: 1,706
    I just saw the name "Check Point" and my fists start shaking. They have a good name in the security space, but their licensing is [fill in the blank with your favorite expletive]. There was a firewall refresh some years ago where I worked and I simply refused to consider them based on their licensing schemes and difficulty maintaining them ... plus the support I got.

    PAN isn't a bad vendor, but they're over-hyped in my opinion. They're not the only ones doing what they do, although they like to think they do and sometimes their arrogance seems to show. PAN's subscription model is much simpler than Check Point's, but neither is cheap.

    Cisco's trying to make more money off software licenses. I'm not surprised they're stringing customers along with subscriptions, but when it comes to things like maintaining app and IPS signatures, it makes sense since that's an ongoing cost for them. You're no longer buying hardware these days, but services that get bundled into the appliance.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • BroadcastStorm Member Posts: 496
    Any other materials available for SourceFire? I've used lab minutes so far, some of the examples worked but not everything.
  • ninjaturtle Member Posts: 245
    So much for getting a new ASA in the lab to play with Firepower. You guys said the word "subscription"!! Not a word you want to hear in the home lab environment. I've already got a Fortinet and Meraki subscription going, I don't think I could add another one. Or should I ...hmmm. #technologyaddiction.
    Current Study Discipline: CCIE Data Center
    Cisco SEAL, Cisco SWAT, Cisco DeltaForce, Cisco FBI, Cisco DoD, Cisco Army Rangers, Cisco SOCOM .ιlι..ιlι.
  • kohr-ah Member Posts: 1,277
    So much for getting a new ASA in the lab to play with Firepower. You guys said the word "subscription"!! Not a word you want to hear in the home lab environment. I've already got a Fortinet and Meraki subscription going, I don't think I could add another one. Or should I ...hmmm. #technologyaddiction.

    I feel you, I have the same two subscriptions going as well :D