
Cisco ASA 5500-X Series Next-Generation Firewalls (Updated)

Q. What are the Cisco® ASA 5500-X Series Next-Generation Firewalls?
A. The Cisco ASA 5500-X Series combines the most widely deployed stateful inspection firewall in the industry with a comprehensive suite of next-generation network security services - for comprehensive security without compromise. These firewalls deliver multiple security services, multigigabit performance, flexible interface options, and redundant power supplies, all in a compact 1-RU form factor. They deliver next-generation network security services through an array of integrated cloud- and software-based security services such as Application Visibility and Control (AVC), Web Security Essentials (WSE), and Intrusion Prevention (IPS), with no need for additional hardware modules. ASA 5500-X Series Next-Generation Firewalls are built on the same proven security platform as the rest of the ASA family of security appliances, and have been designed to deliver superior performance for exceptional operational efficiency.
Q. What are Cisco ASA Next-Generation Firewall Services?
A. Cisco ASA Next-Generation Firewall Services add next-generation capabilities, including Application Visibility and Control (AVC) and Web Security Essentials (WSE), to the industry's most proven stateful inspection firewall. The result is end-to-end network intelligence and streamlined security operations, so organizations can reap the productivity benefits of new applications and devices without compromising security.
Cisco ASA Next-Generation Firewall Services provide:

• End-to-end network intelligence

• Granular application control

• Proactive, intelligent threat protection

• Control over which devices can access the network

For more information, please visit the Cisco ASA Next-Generation Firewall Services webpage.
Q. Why is Cisco introducing these products?
A. With the rise of Web 2.0 technologies and "bring-your-own-device" (BYOD) policies, and the demand for increased Internet connection bandwidth, businesses of all sizes are facing challenges to provide effective security while maintaining high levels of performance. The ASA 5500-X Series Next-Generation Firewalls address this need while enabling administrators to implement additional network security. These next-generation firewalls are designed to run multiple simultaneous services without sacrificing performance.
Q. What models are included in the Cisco ASA 5500-X Series?
A. Cisco is introducing five next-generation firewalls to the ASA 5500-X Series portfolio: the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.
Q. How do these appliances compare with the Cisco ASA 5510 through 5550 appliances?
A. The biggest difference between the new ASA 5500-X Series and the previous hardware is that the new models support Cisco ASA Next-Generation Firewall Services, whereas the existing ASA 5510 through 5550 appliances do not. Also, compared to the previous hardware, the ASA 5500-X Series provides four times the firewall throughput, better scaling, more Ethernet ports (up to 14 Gigabit Ethernet ports), dedicated intrusion prevention system (IPS) acceleration hardware, and redundant power supplies (5545-X and 5555-X only). Moreover, network security services like IPS can now be enabled without requiring additional hardware modules, providing additional deployment flexibility.
Q. When will Cisco discontinue the currently available Cisco ASA 5510 through 5550?
A. The End of Sale announcement for the ASA 5510, 5520, 5540 and 5550 platforms will be published on March 18, 2013.
Q. How do I migrate from the existing ASA 5500 Series to the newer ASA 5500-X Series?
A. Migration from ASA 5500 Series to the new ASA 5500-X Series is fast and easy. You can find more information on this in the Migration Guide.
Q. What are the incentives and promotions available on the End of Sale and the migration?
A. For information on incentives and promotions, please visit the internal Cisco ASA webpage. You will need an account to access these details.
Q. What are the benefits of the Cisco ASA 5500-X Series Next-Generation Firewalls?
A. The benefits of the Cisco ASA 5500-X Series Next-Generation Firewalls include:

• Leading-edge, next-generation firewall with multigigabit throughput to help manage service-level agreements (SLAs) and prevent performance bottlenecks.

• Broad and deep network security through an array of next-generation firewall services, including:

– Application Visibility and Control (AVC), which recognizes over 1000 applications and more than 75,000 micro-applications, enabling administrators to enforce individual- and group-based access to specific components of an application while disabling others. Specific behaviors within allowed micro-applications can also be controlled.

– Web Security Essentials (WSE) enables reputation-based web application security policies. In addition, WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.

– Cisco IPS, the only solution that combines passive OS fingerprinting and reputation for better threat mitigation.

– Cisco Cloud Web Security (CWS), which provides exceptional threat protection and control for organizations of all sizes, delivered through the cloud.

– Cisco ASA Botnet Traffic Filter (BTF), which monitors traffic across all ports and protocols for rogue activity, and detects infected internal endpoints sending command-and-control traffic back to a host on the Internet.

WSE, IPS, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps IPSs control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.

• Redundant power supplies (5545-X and 5555-X only) to support high availability.

These security services can be enabled quickly and easily, without requiring additional hardware modules, in response to changing needs.
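As an added illustration of the class of detection the Botnet Traffic Filter bullet above describes (an internal endpoint calling out, on any port or protocol, to a destination with poor reputation), the following Python sketch runs that logic over a few constructed connection records. It is example code written for this FAQ, not Cisco's BTF implementation; the log format, the reputation feed, the internal address range and the score threshold are all constructed assumptions.

```python
"""Flag internal endpoints that open outbound connections to destinations
with poor reputation, regardless of port or protocol.

Added example, not Cisco code. The feed, log format and threshold are
constructed stand-ins for a real threat intelligence feed (such as the
SIO feed the FAQ mentions) and real connection logs."""

import ipaddress
from dataclasses import dataclass

# Constructed reputation feed: destination address -> score in [0, 100],
# where lower means worse reputation.
SAMPLE_FEED = {
    "203.0.113.10": 5,    # constructed: known command-and-control host
    "198.51.100.7": 40,   # constructed: suspicious but not clearly malicious
    "192.0.2.20": 95,     # constructed: reputable destination
}

# Constructed connection records: "src dst proto dport", one per line.
# The malformed line exercises the parser's error handling.
SAMPLE_LOG = """\
10.1.1.5 203.0.113.10 tcp 443
10.1.1.5 192.0.2.20 tcp 80
10.1.1.9 203.0.113.10 udp 53
10.1.2.3 198.51.100.7 tcp 8080
203.0.113.10 10.1.1.5 tcp 22
10.1.1.5 10.1.1.6 tcp 445
10.1.1.7 not-an-ip tcp 80
"""

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed cut-off: scores at or below this are treated as malicious.
BAD_THRESHOLD = 20


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    proto: str
    dport: int
    score: int


def is_internal(addr: str) -> bool:
    """True if addr parses and falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_record(line: str):
    """Parse one 'src dst proto dport' record; return None if malformed."""
    fields = line.split()
    if len(fields) != 4:
        return None
    src, dst, proto, dport = fields
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None
    return src, dst, proto.lower(), port


def find_c2_callbacks(log_text: str, feed: dict, threshold: int = BAD_THRESHOLD):
    """Return an Alert for every outbound flow from an internal endpoint to a
    destination whose feed score is at or below the threshold. Port and
    protocol are carried along but never used to filter: a callback on
    UDP/53 is treated exactly like one on TCP/443."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed records rather than crash
        src, dst, proto, dport = rec
        # Only internal -> external flows are candidates for a callback.
        if not is_internal(src) or is_internal(dst):
            continue
        score = feed.get(dst)
        if score is None or score > threshold:
            continue
        alerts.append(Alert(src, dst, proto, dport, score))
    return alerts


def infected_hosts(alerts) -> list:
    """Distinct internal endpoints that produced at least one alert."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    for a in find_c2_callbacks(SAMPLE_LOG, SAMPLE_FEED):
        print(f"{a.src} -> {a.dst} {a.proto}/{a.dport} (score {a.score})")
    print("infected:", infected_hosts(find_c2_callbacks(SAMPLE_LOG, SAMPLE_FEED)))
```

With the default threshold the two flows to 203.0.113.10 (one on TCP/443, one on UDP/53) are flagged and the inbound and internal-only flows are ignored; raising the threshold to 50 also catches the flow to the "suspicious" host, which is the trade-off between coverage and false positives that any reputation-based filter has to tune.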
Q. What does the "-X" suffix in the product name indicate?
A. The "-X" suffix indicates the ability of the appliances to run next-generation security services, including Application Visibility and Control (AVC) and Web Security Essentials (WSE).
Q. How do the models in the Cisco ASA 5500-X Series compare?
A. Please refer to Table 1.

Table 1. Cisco ASA 5512-X through ASA 5555-X

| | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
|---|---|---|---|---|---|
| Stateful inspection throughput (max¹) | 1 Gbps | 1.2 Gbps | 2 Gbps | 3 Gbps | 4 Gbps |
| Stateful inspection throughput (multiprotocol²) | 500 Mbps | 600 Mbps | 1 Gbps | 1.5 Gbps | 2 Gbps |
| IPS throughput³ | 250 Mbps | 400 Mbps | 600 Mbps | 900 Mbps | 1.3 Gbps |
| Context-aware throughput⁴ (multiprotocol) | 200 Mbps | 350 Mbps | 650 Mbps | 1 Gbps | 1.4 Gbps |
| Connections per second | 9,000 | 10,000 | 20,000 | 30,000 | 50,000 |
| Concurrent connections | 100,000 | 250,000 | 500,000 | 750,000 | 1,000,000 |
| 3DES/AES VPN throughput (maximum) | 200 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps |
| Integrated GE copper I/O ports | 6 | 6 | 8 | 8 | 8 |
| Expansion I/O | 6 GE copper or 6 GE SFP | 6 GE copper or 6 GE SFP | 8-port 10/100/1000 | 8-port 10/100/1000 | 8-port 10/100/1000 |
| VLANs | 50 | 100 | 200 | 300 | 500 |
| Security contexts (included/maximum) | 0/0 | 2/5 | 2/20 | 2/50 | 2/100 |
| ASA OS | 64-bit | 64-bit | 64-bit | 64-bit | 64-bit |

¹ Maximum throughput with UDP traffic measured under ideal test conditions.
² Multiprotocol = traffic profile consisting primarily of TCP-based protocols/applications such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
³ Throughput was measured on Cisco ASA CX Software Release 9.1.1 with a multiprotocol traffic profile and both AVC and WSE enabled; traffic logging was enabled as well. These services require an external SSD.
⁴ Firewall traffic that does not go through the IPS SSP module can have higher throughput.
Q. Does running IPS require additional hardware modules?
A. No. The Cisco ASA 5500-X Series will run IPS and an array of other next-generation firewall services as integrated cloud- and software-based security services, with no need for additional hardware modules.

Hardware

Q. What are the hardware specifications for the Cisco ASA 5500-X Series?
A. Table 2 highlights the specifications for each model in the Cisco ASA 5500-X Series.

Table 2. Hardware Specifications for Cisco ASA 5500-X Series Next-Generation Firewalls

| Interface Cards | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
|---|---|---|---|---|---|
| Form factor | 1 RU, 19-in. rack-mountable | 1 RU, 19-in. rack-mountable | 1 RU, 19-in. rack-mountable | 1 RU, 19-in. rack-mountable | 1 RU, 19-in. rack-mountable |
| Rack-mounting options | Brackets included (slide rails optional) | Brackets included (slide rails optional) | Brackets included (slide rails optional) | Slide rails included | Slide rails included |
| Dimensions (HxWxD) | 1.67 x 16.7 x 15.6 in. (4.24 x 42.9 x 39.5 cm) | 1.67 x 16.7 x 15.6 in. (4.24 x 42.9 x 39.5 cm) | 1.67 x 16.7 x 15.6 in. (4.24 x 42.9 x 39.5 cm) | 1.67 x 16.7 x 19.1 in. (4.24 x 42.9 x 48.4 cm) | 1.67 x 16.7 x 19.1 in. (4.24 x 42.9 x 48.4 cm) |
| Weight | 13.39 lb (6.07 kg) | 13.39 lb (6.07 kg) | 14.92 lb (6.77 kg) | 16.82 lb (7.63 kg) with single power supply | 16.82 lb (7.63 kg) with single power supply |
| CPU | Multicore, enterprise-class | Multicore, enterprise-class | Multicore, enterprise-class | Multicore, enterprise-class | Multicore, enterprise-class |
| Memory (RAM) | 4 GB | 8 GB | 8 GB | 12 GB | 16 GB |
| Flash | 4 GB | 8 GB | 8 GB | 8 GB | 8 GB |
| Integrated network ports (GE) | 6 | 6 | 8 | 8 | 8 |
| Dedicated management port (GE) | Yes | Yes | Yes | Yes | Yes |
| Expansion I/O slot | 1 | 1 | 1 | 1 | 1 |
| Maximum network ports | 12 | 12 | 14 | 14 | 14 |
| Interface card options | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP |
| USB 2.0 ports | 2 | 2 | 2 | 2 | 2 |
| Serial console | 1 | 1 | 1 | 1 | 1 |
| Power supply | AC/DC | AC/DC | AC/DC | AC/DC | AC/DC |
| Redundant power | No | No | No | Yes | Yes |
| Power supply | 400W | 400W | 400W | 450W | 450W |
| SSD (Solid State Drive⁵) | 1 slot, 120 GB MLC SED SSD | 1 slot, 120 GB MLC SED SSD | 1 slot, 120 GB MLC SED SSD | 2 slot, RAID 1, 120 GB MLC SED SSD | 2 slot, RAID 1, 120 GB MLC SED SSD |

⁵ An external SSD is required to run AVC and WSE.
Q. Is a DC power supply supported on the Cisco ASA 5500-X Series?
A. Yes. A DC power supply option is available on the Cisco ASA 5500-X Series.
Q. Is a redundant power supply configuration supported on the Cisco ASA 5500-X Series?
A. Yes, on certain models. A redundant power supply option is available on the ASA 5545-X and 5555-X.
Q. Is there an expansion slot on the Cisco ASA 5500-X Series? What is it used for?
A. Yes. There is one expansion slot on each appliance, which is used exclusively for I/O expansion modules.
Q. What I/O module options are available on the Cisco ASA 5500-X Series?
A. Table 3 lists the available options.

Table 3. I/O Module Options for Cisco ASA 5500-X Series Next-Generation Firewalls

| Part number | Description | Platforms supported |
|---|---|---|
| ASA-IC-6GE-CU-A | 6-port 10/100/1000 RJ-45 interface card | ASA 5512-X, ASA 5515-X |
| ASA-IC-6GE-SFP-A | 6-port GE SFP (SX, LH, LX) interface card | ASA 5512-X, ASA 5515-X |
| ASA-IC-6GE-CU-B | 6-port 10/100/1000 RJ-45 interface card | ASA 5525-X |
| ASA-IC-6GE-SFP-B | 6-port GE SFP (SX, LH, LX) interface card | ASA 5525-X |
| ASA-IC-6GE-CU-C | 6-port 10/100/1000 RJ-45 interface card | ASA 5545-X, ASA 5555-X |
| ASA-IC-6GE-SFP-C | 6-port GE SFP (SX, LH, LX) interface card | ASA 5545-X, ASA 5555-X |

Q. What do the "-A," "-B," and "-C" suffixes in the I/O SKUs indicate?
A. The suffixes indicate custom-built I/O modules (including different form factors) for the Cisco ASA 5500-X Series.
Q. What small form-factor pluggable (SFP) transceiver/module options are supported on the Cisco ASA 5500-X Series?
A. The following transceivers are currently supported on the Cisco ASA 5500-X Series:

• GLC-SX-MM (1000BASE-SX SFP transceiver module for MMF, 850-nm wavelength)

• GLC-SX-MMD (1000BASE-SX SFP transceiver module for MMF, 850-nm wavelength, DOM)

• GLC-LH-SM (1000BASE-LX/LH SFP transceiver module for MMF and SMF, 1300-nm wavelength)

• GLC-LH-SMD (1000BASE-LX/LH SFP transceiver module for MMF and SMF, 1300-nm wavelength, DOM)

Q. Can I/O modules from other ASA appliances be used in the Cisco ASA 5500-X Series?
A. No. Only the I/O modules listed in Table 3 are supported on the Cisco ASA 5500-X Series.
Q. Does the Cisco ASA 5500-X Series support 10G interfaces?
A. No. At this time, 10G interface options are not available on the Cisco ASA 5500-X Series. There are no current or near-term plans to offer 10G interfaces on these appliances.
Q. Does the Cisco ASA 5500-X Series support field-upgradable memory?
A. No. The Cisco ASA 5500-X Series comes preinstalled with high memory configurations and does not support field-upgradable memory.
Q. What is the purpose of the solid state drive (SSD)?
A. The SSD is required in order to run the AVC and WSE next-generation firewall services on the Cisco ASA 5500-X Series. The SSD stores logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.

Software

Q. What software is supported on the Cisco ASA 5500-X Series Next-Generation Firewalls?
A. The Cisco ASA 5500-X Series supports Cisco ASA Software Release 8.6.1 and later. CWS requires ASA Software Release 9.0.1 or later. The IPS service on the ASA 5500-X Series requires Cisco IPS Sensor Software Release 7.1.4 or later. AVC and WSE require ASA CX Software Release 9.1.1 (Cisco ASA Software Release must be 9.1.1).
Q. How do I download software for the Cisco ASA 5500-X Series?
A. The software can be downloaded from the Cisco Download Software page (registered customers only).
Q. What software features are available in Cisco ASA Software Release 9.1.1?
A. ASA Software Release 9.1.1 includes all features provided in Release 8.6.1, along with support for Cisco ASA Next-Generation Firewall Services.
Q. Does ASA Software Release 8.6.1 and later include 64-bit support?
A. Yes.
Q. Does IPS Sensor Software Release 7.1.4 and later include 64-bit support?
A. Yes.
Q. Does ASA CX Sensor Software Release 9.1.1 include 64-bit support?
A. Yes.

Remote Access

Q. We have an ASA 5550 Series appliance today. Can we add an ASA 5555-X Series Next-Generation Firewall for load balancing?
A. Yes. However, Cisco recommends that you add an ASA of a similar size to the one you have today. If you add a smaller or larger ASA, you can load balance to the capacity of the smaller ASA.
Q. Can we add the ASA 5545-X to our existing shared licensing pool?
A. Yes. The ASA 5545-X can be used either as a shared license server or as a participant in an existing ASA pool.
Q. Does the ASA 5525-X offer a separate hardware cryptographic module like some other offerings in the market?
A. No. Hardware cryptographic acceleration is already built into the ASA 5525-X, so there is no need for an optional hardware cryptographic module.
Q. Can the ASA 5545-X be used simultaneously as a firewall and a remote access appliance?
A. Yes. The ASA 5500-X Series has been designed to run multiple simultaneous services without sacrificing performance.

Management

Q. How do I manage Cisco ASA 5500-X Series Next-Generation Firewalls?
A. You have several options for managing the Cisco ASA 5500-X Series:

• Cisco Security Manager 4.3, an off-box GUI management application for managing most of your physical network security infrastructure. The upgrade path from CSM 3.x to CSM 4.3 is mentioned here.

• Command-line interface (CLI)

• Cisco Adaptive Security Device Manager (ASDM), the ASA on-box management application

• Cisco Prime Security Manager, the Cisco ASA Next-Generation Firewall Services management application for both on- and off-box deployments

For more information on Cisco ASDM, visit: http://www.cisco.com/go/asdm.
For more information on Cisco Security Manager, visit: http://www.cisco.com/en/US/products/ps6498/index.html.
For more information on Cisco Prime Security Manager, visit http://www.cisco.com/en/US/products/ps12635/index.html.
Q. What version of ASDM is used to manage the Cisco ASA 5500-X Series?
A. The Cisco ASA 5500-X Series can be managed using ASDM Version 6.6.1 or later. Previous versions of ASDM are not supported.
Q. What version of Cisco Security Manager is used to manage the Cisco ASA 5500-X Series?
A. The Cisco ASA 5500-X Series can be managed using Cisco Security Manager Version 4.3. Previous versions of Cisco Security Manager do not support the Cisco ASA 5500-X Series.
Q. How do I manage IPS on the Cisco ASA 5500-X Series?
A. There are several options, depending on your specific configuration. Cisco Security Manager is an off-box GUI management solution that provides enterprise-class policy control and visibility for managing the entire feature set (including IPS) of the Cisco ASA 5500-X Series. Cisco IPS Manager Express is an off-box GUI management application that provides policy, configuration, reporting, and event management for fewer than 10 appliances running IPS. Cisco IPS Device Manager (IDM) is the on-box GUI management application for Cisco IPS.
For more information on Cisco IPS Manager Express, visit http://www.cisco.com/go/ime.
For more information on Cisco Security Manager, visit http://www.cisco.com/en/US/products/ps6498/index.html.
Q. How do I manage AVC and WSE on the Cisco ASA 5500-X Series?
A. AVC and WSE are managed using Cisco Prime Security Manager, which can be used either in an on-box or off-box mode.
Q. What version of Cisco IPS Manager Express is used to manage the Cisco ASA 5500-X Series?
A. The Cisco ASA 5500-X Series can be managed using IPS Manager Express Version 7.2.1. Previous versions of IPS Manager Express do not support these next-generation firewalls.

Ordering

Q. Is the Cisco ASA 5500-X Series currently orderable?
A. Yes. Use the Cisco Ordering Tool to place your order.
Q. Where can I get pricing information?
A. Check the current Cisco Product Price List (requires a Cisco.com username and password), or contact your Cisco account representative.
Q. How do I build and verify a Cisco ASA 5500-X Series configuration?
A. Use the dynamic configuration tool (DCT) and enter the respective part number(s).
Q. What product service and support options are available?
A. Please visit Cisco Service Finder for available support options.