06-10-2015 06:54 AM - edited 03-10-2019 12:26 AM
I just finished watching the video on this service. There seems to be quite a bit more functionality in the Cisco ASA w/Firepower services than Cisco's Cloud Web Services.
They clearly compete with each other where the features overlap, but it seems to me that Cisco ASA w/Firepower Services would cover everything that CWS does. Am I correct? I guess put another way, why would you choose one of these services over the other?
Thanks,
Rob
06-11-2015 09:45 AM
Hi Rob,
Thanks for the question! Cloud Web Security is complementary to the ASA with FirePOWER Services. In fact, you can enable CWS on the ASA without any additional hardware. The firewall will then redirect select HTTP and HTTPS traffic to the CWS proxy servers to scan and allow, block or warn about traffic. You can read more about this integration here:
Hope that helps!
Brian
06-11-2015 02:15 PM
Brian,
Thanks for the response. We currently utilize CWS with our ASAs now. We put this in place some time back, mainly to replace a web filtering application we were using on premise. Certainly an additional layer would never hurt; however, budgetary constraints would prevent both. I am trying to determine which would be the best solution if I have to choose only one. Any suggestions on what we would lose and/or gain by switching to using ASA with FirePOWER over CWS?
Thanks again,
Rob
06-12-2015 09:22 AM
Hi Rob.
What you win/lose is "anywhere". ASA w/ FirePOWER is tied to a location. You can use CWS from anywhere through AnyConnect. You could check your web traffic if you're in the office, airport, home or wherever you are.
Regards.
Rafa.
06-12-2015 09:27 AM
Rob,
I asked my colleague on the CWS team for her input and she said:
"The main thing he would lose if he currently has only CWS Essentials, which I assume is the case (it would be more if he has CWS Premium) is the ability to analyze https traffic. If he has a large concentration of this kind of traffic he might think twice about switching because the firewall won’t be able to analyze this traffic. There is extra malware protection on CWS, but the main thing to look at is the % of https traffic in his environment.
On the other hand, if he is more concerned with an inline stateful firewall functionality that can control port-hopping (or multi-protocol) applications such as Skype, he is better served with a firewall. This also, of course, includes the IPS functionality as well which CWS does not."
Brian