Cisco Firepower - URL Filtering

TechGuy215 | Explore_Dream_Discover | Philadelphia, PA | Member | Posts: 404
Quick Backstory...

So I'm in the process of upgrading our Cisco Firewall Infrastructure. All legacy ASAs are being replaced with NGASAs with Firepower Modules. I've set up our Cisco FirePower Management Center (virtual via VMware) and successfully linked all my NGASAs' SFRs to the FirePower Management Center and deployed an IPS Policy and Access Policy, everything is working as expected. Joy!

But now my Infrastructure Manager wants to trash our current Web Filtering Infrastructure (Websense) and look at using Firepower.

Does anyone have any experience (good or bad) with the FirePower URL Filtering Capabilities?
* Currently pursuing: PhD: Information Security and Information Assurance
* Certifications: CISSP, CEH, CHFI, CCNA:Sec, CCNA:R&S, CWNA, ITILv3, VCA-DCV, LPIC-1, A+, Network+, Security+, Linux+, Project+, and many more...
* Degrees: MSc: Cybersecurity and Information Assurance; BSc: Information Technology - Security; AAS: IT Network Systems Administration


  • 636-555-3226 | Member | Posts: 975
    What's the reason for ditching Websense? Just to unify everything under one vendor? Naturally this has associated cost/integration benefits, but is he pushing that? Most people seem to like Websense from word of mouth that I hear.
  • Iristheangel | CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m | Pasadena, CA | Mod | Posts: 4,133
    Nothing horribly bad but any firewall doing URL filtering is going to have different limitations. The big differences are this:
    - I wouldn't call the ASA's SSL decryption scalable, but not everyone leverages SSL decryption. Things can hide in SSL but there are legal issues you might face from just decrypting everything.
    - Content Security proxies tend to use signature-based AV, the ASA uses Advanced Malware Protection - there might be a compliance checkbox you might need to say AV was used. One thing to be aware of

    I had a guide from 2014 and unfortunately, that's REALLY old in terms of features of Firepower since we've had half a dozen updates since then but here are the big ones that I see WSA or your WebSense potentially supporting that your Firepower wouldn't really do:

    It's not necessarily a deal breaker for all but important to understand the differences and make an informed decision based on what's best for your company
    BS, MS, and CCIE #50931
  • NotHackingYou | Member | Posts: 1,460
    I worked on a project switching from Websense to Palo Alto URL filtering. Overall, we were pleased with Palo's offering for URL filtering and were able to accommodate decryption exceptions like health data. The Websense reporting was better, but given the choice between Websense and UTM URL filtering, I would choose the UTM.
    When you go the extra mile, there's no traffic.