Got me an ASA 5506-X, interesting product.

Hugo Drax

Diamond Member
Nov 20, 2011
It's bigger than the 5505 and it has a significantly more powerful CPU; it uses an Atom C2000 64-bit 4-core CPU.

4GB of RAM

8GB of flash

Only 1 core is exposed to the ASA firewall software environment. The other cores are for the FirePOWER software module.

There is no layer 2 switch like the 5505; it is all layer 3, but no big deal, you can sort of cheat and use all the interfaces if you do not want to buy a switch.

Although I do use a switch, i.e. 2 Cisco SG300 series, one trunked to it.

Trunking is different on the 5506: you create subinterfaces instead of a trunk port with multiple VLANs.

Each subinterface is assigned a VLAN and IP/subnet.
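As an added example (not the poster's own configuration), this is what that subinterface layout looks like in ASA CLI: the physical port feeding the SG300 trunk carries no address itself, and each VLAN gets its own dot1Q subinterface with a nameif, security-level and IP. The VLAN IDs, interface names and subnets are assumed values, and a matching trunk on the switch side is assumed.

```cisco
! Added example, not from the thread. Parent port toward the SG300 trunk:
! no addressing on the parent, it only carries tagged frames.
interface GigabitEthernet1/1
 description Trunk to SG300
 no nameif
 no security-level
 no ip address
!
! One subinterface per VLAN. VLAN IDs, names and subnets are assumed values.
interface GigabitEthernet1/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/1.20
 vlan 20
 nameif guest
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Traffic between the VLANs now crosses the firewall, so it is governed by
! security levels and interface ACLs: by default the ASA permits flows from a
! higher to a lower security level and blocks the reverse unless an ACL allows
! it, which is the isolation you lose with a flat L2 switch behind a 5505.
```

After applying it, `show interface ip brief` and `show nameif` confirm each subinterface came up with the intended VLAN tag and name before any ACLs are attached.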
 

drebo

Diamond Member
Feb 24, 2006
The really nice thing about it is that you can license UTM features and it's less expensive and more powerful than an unlimited user ASA5505 was.

It's definitely a step in the right direction, but I fear it might be too little too late, in terms of UTM competition.

It's a far better appliance than anything SonicWall, WatchGuard or Sophos has to offer, but it took Cisco way too long to release a successor to the ASA5505.
 

Hugo Drax

Diamond Member
Nov 20, 2011
The really nice thing about it is that you can license UTM features and it's less expensive and more powerful than an unlimited user ASA5505 was.

It's definitely a step in the right direction, but I fear it might be too little too late, in terms of UTM competition.

It's a far better appliance than anything SonicWall, WatchGuard or Sophos has to offer, but it took Cisco way too long to release a successor to the ASA5505.

I think it is a bit too little too late. It is an interesting product with lots of shortcomings compared to the UTMs.

#1 The Sourcefire 3D is its own virtual machine running inside of the ASA. Think of the 5506 as a server running the ESX hypervisor, the ASA being one virtual machine allocated 1 CPU and Sourcefire 3D being another virtual machine allocated 3 CPUs.

It's kind of a hack, like buying an IPS and a FW and then taping them together. So you actually have 2 consoles to mess with! And not only that, but you need to use the management Ethernet interface as the Sourcefire 3D interface and plug it into a switch so it can go back and talk to itself.

Then you need to create service policies to forward traffic into this "Sourcefire 3D" engine for inspection (and if you're a Cisco ASA noob, you will be in a WORLD OF HURT if you do not understand how to work with service policies).

There is no single pane of glass as with the modern UTMs.

It's actually a pretty complex setup; it's nothing like the UTMs, where you plug in and go, you get to see everything, and they are pretty idiot-proof and easy for someone starting out.

Now that said, I like the ASA 5506 for what it is: a solid little firewall that works great as a firewall and it's solid. My 5505 has 1 year 3 months of runtime. :) And that's because I unplugged it when moving stuff around.

The Sourcefire acquisition was recent, so right now you have this hacked-together product. It would be interesting to see how Cisco moves towards integrating the two. There is no reason to run two operating systems and the associated overhead to add NGFW features to the firewall.

No other vendor does.


The funny thing, though, is Cisco dropped the ball and the ports are only layer 3 ports, unlike the 5505, which makes no sense for a SOHO/small branch office product. NO other vendor sells something in that market that does not have a built-in switch.
 
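As an added example (not the poster's configuration, and not copied from Cisco's documentation), here are the three pieces that post describes in ASA CLI: the management port dedicated to the module, the module's own address set from its console, and a service policy that hands traffic to the sfr module. The addresses, class-map name and the choice of fail-open are assumptions; the inside VLAN is assumed to be 192.168.10.0/24 so the module's management address sits on it and the switch can route it back.

```cisco
! Added example, not from the thread.
! 1. Management1/1 is set aside for the FirePOWER module only; the ASA itself
!    does not address it, the module does.
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
! 2. The module gets its own IP/gateway from its console session (assumed
!    values; the gateway is the ASA's inside subinterface). Typed from the
!    ASA prompt:
!      session sfr console
!      > configure network ipv4 manual 192.168.10.2 255.255.255.0 192.168.10.1
!    Plug Management1/1 into the same switch/VLAN so that address is reachable.
!
! 3. Service policy that redirects flows to the module for inspection.
!    "match any" sends everything; a "match access-list" would scope it.
class-map sfr-redirect
 match any
!
policy-map global_policy
 class sfr-redirect
  sfr fail-open
!
service-policy global_policy global
!
! fail-open keeps traffic flowing uninspected if the module is down or being
! updated; fail-close drops it instead. Pick based on whether availability or
! guaranteed inspection matters more for the segment.
```

`show module sfr` shows whether the module is up and `show service-policy sfr` shows whether packets are actually being redirected; if the second counter stays at zero the class-map is not matching the traffic you expected.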

drebo

Diamond Member
Feb 24, 2006
See, I see those things as a positive of the design.

The UTM components being in a VM is the same as Cisco's previous CX design and it actually works pretty well. It gives a lot of flexibility while keeping the actual guts of the firewall fairly lean.

Having the interfaces as L3 interfaces is also a benefit, IMO. It brings it in line with the rest of the ASA line and keeps Cisco from doing stupid shit like limiting you to two and a half VLANs if you don't buy Security Plus licensing.

The worst thing Cisco did with the latest generation of ASA is they broke AnyConnect licensing and made it stupid.
 

Hugo Drax

Diamond Member
Nov 20, 2011
I could see your point regarding having them separate; I was able to update the IPS without impacting connectivity. So far it's a nice box.

Also, SmartNet rules. I had an issue close to midnight; I opened a case online and 5 minutes later my phone rings, it's Cisco.

15 minutes later it's all functioning 100%.

And I was ready for the opening of markets. :)

This is why I stick with Cisco as well; the TAC service they offer, I don't think anyone else can beat.

Worth the price of admission.

Also, the 5506s now seem to include a perpetual IPS and Control license.
 

Hugo Drax

Diamond Member
Nov 20, 2011
The FirePOWER software module in the 5506-X is definitely blocking attempted malware.

It's blocked a bunch of banner ads that were hosted on servers trying to push malware. I verified the IP addresses blocked by the Security Intelligence reputation field.

They were loaded with all kinds of rootkit junk.

It has also blocked, via the signatures, sites trying to exploit Adobe weaknesses.