Cisco ASA CX versus Websense

Posted on 2013-06-20
Medium Priority
Last Modified: 2016-03-23
So not too long ago Cisco finally integrated a solution into their ASAs which would allow for web security. At the moment, this post is only concerned with the URL filtering portion. It has been a long time running that when a customer compares firewalls (usually the smaller customers), they know they want the basic features of a firewall such as ACLs, NAT, VPN, but many wanted that one additional feature that Cisco couldn't seem to do within an SMB customer's budget: Web Filtering. Now the X series of ASAs can do this via minimal hardware and licensing (and not using a CSC, which I've found to be very unreliable in my experience).

My problem is that I do not have one of these firewalls to play with, and I don't want to use any of my customers' networks as a playground unless they were to ask me specifically.

Has anyone used the ASA CX for URL filtering? How was your experience on the configuration side, user experience side, and troubleshooting side of things? Do you know how it compares to products like Websense/Fortigate/Sonicwall/Palo Alto/etc.?

I do realize that each product has numerous feature differences that make the products unique, but I tend to have customers with a common goal: simple URL filtering based on category/reputation that must be dynamically updated without administrator intervention. Policies based on user identity would be a bonus to some of my customers, but in many cases they only needed an ability to whitelist certain machines from having the filter apply.

Please don't respond if you don't have actual experience with the product as I can search Google for this as well, but would like to hear from anyone that might have recently had experience since most things I've found online so far date back much closer to the launch of the product and many features/bugs may have changed.
Question by: rauenpc

Accepted Solution

btan earned 2000 total points
ID: 39265774
Where I am coming from is hopefully not another NGFW hype, all-in-one hype, or even to be compared to UTM. People will consider CX only if they already have Cisco in place and an upgrade looks more feasible, to get budget for an upgrade or refresh rather than try out another new technology. Who is the incumbent for URL filtering? I will ask instead, for choice: why did you even consider one? Actually, Bluecoat may also be considered; with its recent acquisition of Solera (doing network forensics), they are into DPI ...

But instead of looking at capability, look at your business objectives.
- Can they handle SSL traffic without compromising performance and slowing the transaction?
- Can they block a specific Facebook microsite but not the whole of Facebook?
- Can they allow scanning of traffic by offloading to my enterprise AV (via ICAP or equivalent) and DLP solution?
- Can it really prevent, since it is not allowed to be inline (need to get approval), and if so, whether WCCP support or passive is effective ... doubt so
- Can it extend the feeds for cyber intelligence, online or offline (that is cost and richness in the info, just look at which has the "big data" direction ...)?
- Can I scale up and attain high availability, especially as it is sitting inline breaking the SSL (inbound? and outbound?)

I do feel none may be the choice, but if I really choose, CX is the new kid on the block and WS is a long runner ... just to keep it short ... Probably IronPort is another candidate if web security is really your concern ... I see it as far more than just application-aware, which CX is trying to do ... Oops ... they are from the Cisco family :)

Probably the most important CX design consideration is that today the Cisco ASA 5500X can leverage either CX or IPS, however not both simultaneously. Then again, how comprehensive do you want it ... if minimal, both can do, but if comprehensive then you should compare WebSense and IronPort WSA.

Expert Comment

ID: 40325188
We have been using the Cisco ASA 5555-X and ASA 5512-X with Prime Security Manager for 5 months.
It crashes constantly and code upgrades have been a nightmare; with every upgrade there is a new set of problems! Do not buy this product! It is a piece of garbage!

We have been working with Cisco TAC throughout the whole ordeal and the issues persist.
