Tuesday 2 April 2013

ASA, support and IPS signatures

Here's a specific  issue I ran into which I'll document here for reference, and maybe it'll stop someone else getting the same problem.

When buying an ASA firewall, if you want to use IPS you will need signature updates from Cisco. There is little point running IPS without signature updates because outdated security doesn't really help anyone.

A confusing point I found is that if you are a partner ordering partner support some ASA firewalls don't let you select a IPS signatures support level in the CCW, only the standard support levels without IPS updates. This is a strange omission and hopefully it will be fixed at some point but for now (March 2013) it's not.

Therefore to get IPS signature updates on ASA firewalls, You order an ASA with support, for example:

ASA5512-IPS-K9
CON-PSRT-A12IPS9    (This is partner support so will only be available to applicable partners)


And then once the device arrives (or when you have the serial number) you can order a SUSA IPS signatures service. it cannot be done all together at point of order.


After the contract has been generated (post shipping), the secondary coverage for Cisco IPS signature updates can be quoted or ordered in Cisco Service Contract Center (CSCC). You will need to use the serial number of the device that was shipped before you can create a quote for the IPS signature updates. 


Cisco Services for IPS:
http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e96e.pdf

No comments:

Post a Comment