ASA CX SSP management

The Context-Aware (CX) modules for the Cisco ASA provide enhanced functionality for Layer 7 services. These include, but are not limited to, URL category/reputation databases, HTTP inspection, AVC (Application Visibility and Control), TLS proxy, TCP proxy, and multiple policy decision points.

The management of these devices when loaded with a CX module differs from that of traditional firewalls and requires some thought when scaling in a large environment. The CX modules are configured by PRSM (Prime Security Manager). It is an HTML5-based web UI that comes in two flavors. The PRSM install on a local ASA provides a cut-down set of features: it is limited to configuration, eventing, and reporting. When PRSM is installed as a standalone product on a dedicated server, it includes the above plus multi-device support, RBAC, device and object import, push and pull deployments, historical event analysis, distributed deployment, and configuration synchronization across HA environments. This lends itself to large-scale management.

Not quite your plug and play.

This picture shows the management architecture that supports the Cisco CX when looking at it as an end-to-end solution. Firstly, the administrator will have the client installed for Prime Security Manager. This allows access to the firewall and PRSM, and is different from the old CLI method. To present the information requested by the administrator, the ASA-CX talks to PRSM via a RESTful XML lookup. This two-way transaction provides information as well as deployment through the administrator's interactions.

Cisco SIO supports the ASA-CX and PRSM by offering up the latest information surrounding threats and emerging online trends, pushing down updates manually or automatically. These updates include application signatures, web reputation scores, URL filters, and trusted CA root revocation. It is important to note that all but CA root revocation require subscription-based licensing.

When building out a Cisco firewall edge solution, you need to consider the method by which you manage your hardware and the way in which this will increase your firewall's functionality. Ensuring an adequate management environment exists for the CX is important, as it gives administrators the ability to use this Next Generation Firewall to its full potential.
