Cisco ASA CX versus Websense

Posted on 2013-06-20
Last Modified: 2016-03-23
So not too long ago Cisco finally integrated a solution into their ASAs which would allow for web security. At the moment, this post is only concerned with the URL filtering portion. It has been a long time running that when a customer compares firewalls (usually the smaller customers), they know they want the basic features of a firewall such as ACLs, NAT, VPN, but many wanted that one additional feature that Cisco couldn't seem to do within an SMB customer's budget: Web Filtering. Now the X series of ASAs can do this via minimal hardware and licensing (and not using a CSC, which I've found to be very unreliable in my experience).

My problem is that I do not have one of these firewalls to play with, and I don't want to use any of my customers' networks as a playground unless they were to ask me specifically.

Has anyone used the ASA CX for URL filtering? How was your experience on the configuration side, user experience side, and troubleshooting side of things? Do you know how it compares to products like Websense/Fortigate/Sonicwall/Palo Alto/etc.?

I do realize that each product has numerous feature differences that make the products unique, but I tend to have customers with a common goal: simple URL filtering based on category/reputation that must be dynamically updated without administrator intervention. Policies based on user identity would be a bonus to some of my customers, but in many cases they only needed an ability to whitelist certain machines from having the filter apply.

Please don't respond if you don't have actual experience with the product as I can search Google for this as well, but would like to hear from anyone that might have recently had experience since most things I've found online so far date back much closer to the launch of the product and many features/bugs may have changed.
Question by: rauenpc

Accepted Solution

btan earned 500 total points
ID: 39265774
Where I am coming from is hopefully not another NGFW hype - all-in-one hype or even to be compared to UTM. People will consider CX only if they already have Cisco in them and upgrade looks more feasible to get budget for upgrade or refresh rather than try out another new technology - who is the incumbent for URL filtering - I will ask instead for choice - why did you even consider one - Actually Bluecoat may also be considered with its recent acquisition of Solera (doing network forensics), they are into DPI ...

But instead of looking at capability, look at your business objectives.
-Can they handle SSL traffic without compromising performance and slowing the transaction
-Can they block a specific Facebook microsite but not the whole of Facebook
-Can they allow scanning of traffic by offloading to my Enterprise AV (via ICAP or equivalent) and DLP solution
-Can it really prevent since it is not allowed to be inline (need to get approval) and if so, WCCP support or passive is effective ... doubt so
-Can it extend the feeds for cyber intelligence online or offline (that is cost and richness in the info, just look at which has the "big data" direction ...)
-Can I scale up and attain high availability, especially as it is sitting inline breaking the SSL (inbound? and outbound?)

I do feel none may be the choice, but if I really choose, CX is the new kid on the block and WS is a long runner ... just to keep it short ... Probably Ironport is another candidate if Web security is really your concern ... I see it as far more than just application aware, which CX is trying to do ... Oops ... they are from the Cisco family :)

Probably the most important CX design consideration is that today Cisco ASA 5500X can either leverage CX or IPS, however not both simultaneously. Then again, how comprehensive you will want .... if minimal, both can do, but if comprehensive then you should compare Websense and IronPort WSA.

Expert Comment

ID: 40325188
We have been using the Cisco ASA 5555-X and ASA 5512-X with Prime Security Manager for 5 months.
It crashes constantly and code upgrades have been a nightmare; with every upgrade there is a new set of problems! Do not buy this product! It is a piece of garbage!

We have been working with Cisco TAC throughout the whole ordeal and the issues persist.
