Solved: Why dedicated IPS?

CSCO10662744_2 · ‎04-27-2017

Now that FTD & FirePOWER service module are available on NGFW platform, why & when would I need a dedicated IPS?

Wouldn't it be more cost effective to just have one NGFW that can perform multiple functions, instead of a dedicated IPS appliance, that can only do IPS?

Marvin Rhoads · ‎04-28-2017

Reasons for needing a separate dedicated appliance for IPS are fewer but still exist. Here are the ones that come to mind off the top of my head:

The integrated FTD appliances have almost all of the IPS features but not all of the ASA features. Customers needing 100% of both may want to keep the functions separate. Also some features like hardware bypass are only available in limited cases on the FTD platform.

An ASA with FirePOWER service module has (pretty much) all of each feature set but the FirePOWER module is software only (except for 5585-X) and thus incurs performance penalty on the platform (reduced overall throughput).

View solution in original post

Marvin Rhoads · ‎04-28-2017

Reasons for needing a separate dedicated appliance for IPS are fewer but still exist. Here are the ones that come to mind off the top of my head:

The integrated FTD appliances have almost all of the IPS features but not all of the ASA features. Customers needing 100% of both may want to keep the functions separate. Also some features like hardware bypass are only available in limited cases on the FTD platform.

An ASA with FirePOWER service module has (pretty much) all of each feature set but the FirePOWER module is software only (except for 5585-X) and thus incurs performance penalty on the platform (reduced overall throughput).

CSCO10662744_2 · ‎04-28-2017

Thank you Marvin for the reply.