Every day I seem to get three or four searches looking for my ASA CX post even though it was written over a year ago. I think that’s due in part to the large amount of interest in next-generation firewalls and also in the lack of information that Cisco has put out there about the ASA CX in general. Sure, there’s a lot of marketing. When you try to dig down into the tech side of things though, you find yourself quickly running out of release notes and whitepapers to read. I wanted to write a bit about the things that have changed in the last year that might shed some light on the positioning of the ASA CX now that it has had time in the market.
First and foremost, the classic ASA as you know it is gone. Cisco made the End of Sale announcement back in March. After September 16, 2013 you won’t be able to buy one any longer. Considering the age of the platform this isn’t necessarily a bad thing. Firstly, the software that’s been released since version 8.3 has required more RAM than the platform initially shipped with. That makes keeping up with the latest patches difficult. Also, there was a change in the way that NAT is handled around the 8.3/8.4 timeframe. That lead to some heartache from people that were just getting used to the way that it worked prior to that code release. Even though it behaves more like IOS now (i.e. the right way), it’s still confusing to a lot of people. When you’ve got an underpowered platform that requires expensive upgrades to function at a baseline level, it’s time to start looking at replacing it. Cisco has already had the replacement available for a while in the ASA-X line, but there hasn’t been a compelling reason to cause customers to upgrade there existing boxes. The End of Sale/End of Life notice is the first step in migrating the existing user base to the ASA-X line.
The second reason the ASA-X line is looking more attractive to people today is the inclusion of ASA CX functionality in the entire ASA-X line. If you recall from my previous post, the only ASA capable of running the CX module was the 5585. It had the spare processing power needed to work the kinks out of the system during the initial trial runs. Now that the ASA CX software is up to version 9.1, you can install it on any ASA-X appliance. As always, there is a bit of a catch. While the release notes tell you that the ASA CX for the mid-range (non 5585) platforms is software based, please note that you need to have a secondary solid state disk (SSD) drive installed in the chassis in order to even download the software. If you are running ASA OS 9.1 and try to pull down the ASA CX software, you’re going to get an error about a missing storage device. Even if you purchased the software licensing for the ASA CX, you won’t get very far without some hardware. The part you’re looking for is ASA5500X-SSD120=, which is a spare 120GB SSD that you can install in the ASA chassis. If you don’t already have an ASA-X and want the ASA CX functionality, you’re much better off ordering one of the bundle part numbers. That’s because it includes the SSD in the chassis preloaded with a copy of the ASA CX software. Save yourself some effort and just order the bundle.
Another thing that I found curious about the 9.1 release of the ASA CX software was in the release notes. As previously mentioned, the UI for the ASA CX is a copy of Cisco Prime Security Manager (PRSM), also pronounced “prism.” At first, I just thought this meant that Cisco had borrowed concepts from PRSM to make the ASA CX UI a bit more familiar to people. Then I read the 9.1 release notes. Those notes are combined for the ASA CX and PRSM 9.1. You’d almost never know it though, outside of a couple of mentions for the ASA CX. Almost the entire document references PRSM, which makes sense when you think about it. That really did clear up a lot of the questions I had about the ASA CX functionality. I wondered what kind of strange parallel development track Cisco had used to come up with their answer in the next generation firewall space. I was also worried that they had either borrowed or licensed software from a third part and that their effort would end up as doomed as the ASA UTM module that died a painful death thanks to Trend Micro‘s strange licensing.
ASA CX isn’t really a special kit. It’s an on-box copy of PRSM. The ASA is configured with a rule to punt packets to PRSM for inspection before being shunted back for forwarding. No magic. No special sauce. Just placing one product inside another. When you think about how IDS/IPS has worked in the ASA for the past several years I suppose it shouldn’t come as too big of a shock. While vendors like Palo Alto and Sonicwall have rewritten their core OS to take advantage of fast next generation processing, Cisco is still going back to their tried-and-true method of passing all that traffic to a module. In this case, I’m not even sure what that “module” is in the midrange devices, as it just appears to be an SSD for storing the software and not actually doing any of the processing. That means that the ASA CX is likely a separate context on the ASA-X. All the processing for both packet forwarding and next generation inspection is done by the firewall processor. I know that that the ASA-X has much more in the processing department than its predecessor, but I wonder how much traffic those boxes are going to be able to take before they give out?
Cisco is playing catch up in the next generation market. Yes, I understand that the term didn’t even really exist until Palo Alto started using it to differentiate their offering. Still, when you look at vendors like Sonicwall, Fortinet, and even Watchguard, you see that they are embracing the idea of expanding unifed threat management (UTM) into a specific focus designed to let IT people root out traffic that’s doing something it’s not supposed to be. Cisco needs to take a long hard look at the ASA-X platform. If it is selling well enough against units like the Juniper SRX and the various Checkpoint boxes then the next generation piece needs to be spun out into a different offering. If the ASA-X is losing ground, what harm could there be in pushing the reset button and turning the whole box into something a bit more grand that a high speed packet filter? The ASA CX is a great first step. But given the lack of publicity and difficulty in finding information about it, I think Cisco is in danger of stumbling before the race is even going.
Nice post. However, you can’t summarise with “Cisco is playing catch up in the next generation market.” after this post https://networkingnerd.net/2013/04/22/generation-lost/
Mea culpa. I debated whether or not to call it “application filtering firewall,” but next generation seems to be the common nomenclature for this category of devices. Guess I’ll just have to live with the bad taste in my mouth.
And don’t forget that you currently can NOT run both the IPS software and the AVC (CX) software at the same time on the same ASA.
Weak. This can’t compete with Palo Alto’s offering–limited throughput, add-on modules, no vulnerability protection (as Robert pointed out), and it doesn’t sound like there’s any central management platform.
Incorrect. Prime Security Manager can be used on-box to manage the individual next-gen firewall. For multiple next-gen firewalls, Prime Security Manager can be leveraged off-box for centralized management. The interface is the same for both and the centralized management supersedes the on-box.
Please quantify or clarify your assertions in re limited throughput.
So far, we have around 150 ASAs, 12 PAs, and 350 Checkpoints deployed. The PAs are going out the door. The signature quality is consistently low (high FP rate) and the performance numbers per $ are a joke. The entire reason to buy a black box ie a device with no API for writing application signatures, is that it better be really damn good at what it does. PA is made of fail.
I hope they grow up, but right now it seems that they are riding the shtick of ‘good enough’ as long as it impresses management types with pretty graphs.