Need of a good book (or online material) covering latest gen of ASA (5506-x and up)

I found the Cisco Orange book (Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services, 3rd Edition, by Jazib Frahim, Omar Santos, and Andrew Ossipov).
However, it was published in 2014, and one of the critical reviews was that it’s missing features from 9.1 and up. It seems every time I find a good book I try the examples and the syntax is no longer valid. Do you think this book will still work, being published in 2014, or will it mostly be invalid? I will eventually work my way up to the security certs that cover these in detail, but for now I at least need to learn the basics (VPN setups, for example). I am looking for a good read to understand the ASA, not just how to regurgitate magic commands and watch it all work. Does anybody have any suggestions? I already bought one book before this one (Cisco ASA Firewall Fundamentals, 3rd Edition, by Harris Andrea); they all seem to cover the 5505 era.

This is going to be a little ranty, but having last week gone through a six figure firewall RFI, documentation on Cisco’s strategy doesn’t exist from Cisco. Everything in their firewall portfolio is a clusterfuck. They are in a transitional phase after about a dozen acquisitions. They have some cool ideas (including the tracking of malware peer to peer and automatic quarantine at network level once discovered) but the coherence just isn’t there. We asked for a firewall, they tried to sell us half endpoint security, half reputation. When my coworker and I pressed them for “show us the beef, we’re engineers with purchasing power” they gave us a hackjob demo with a limited pre-populated dataset via a GUI that didn’t even render properly in the browser they chose.

You want an ASA? They have that. You want Firepower? They have that. Does Firepower do everything an ASA does? Oh, you want VPN…? You’ll still probably want an ASA. Is the ASA being phased out via ever increasing service and support costs? Absolutely, we want you to buy Firepower. All the cool stuff we just demonstrated? Oh you need to buy endpoint licensing that is six times the cost of the competitor.

I came into the presentation thinking “oh man let’s see what Cisco has it’s gotta be good” and came away angry. Fuck Cisco. Buy a Fortigate or a Palo. Maybe Cisco will pull it together in the next 2-3 years, but right now you’re wasting your time studying an inferior platform that’s needlessly complex for no reason at all. I welcome criticism from the community if I missed something or had a dud presentation, but holy crap. I wouldn’t waste an hour of my time trying to figure out how to implement.

To answer your question directly, my recommendation is to make things work the best you can with the ASA via ASDM, and explore other options. There’s plenty of material out there which is mostly decent that will help you achieve this, but if you’re skilling up in the ASA, you’re studying a dead platform.

That’s still a fine book. The major things on an ASA aren’t going to change that much between 9.x versions.

As far as the orange ASA book, it’s still the go to. It looks intimidatingly thick but a lot of that is probably ASDM screenshots and can be ignored.

Excellent review. Do you know of any hardcore evidence of the PA vs the 4100 series Cisco NGFW for maximum throughput with all the bells and whistles running, like IDS/IPS, App-ID, User-ID, URL filtering/SSL decryption, NAT translations, GlobalProtect, and site-to-site VPN? I created a post last week asking why people chose one vs the other; personally I like the PA, but I need hard evidence other than my opinion.

As someone who’s yet to ramp up on the security portfolio at Cisco, what are the main capability differences between an FP and an ASA? I believe the newer ASA line has FP built in? Except the 5585, which has FP via a module.

Not ranty at all, I love getting real feedback from people who are already there. Many thanks!

Going to start out saying I work at a partner. These are my 2 cents:

  • The endpoint license is pretty damn cheap compared to regular AV or even Cylance or Traps and it does have an AV checkbox if you want to enable it. It’s pretty cool and offers anti-malware with visibility to the endpoints. Now you can buy that separately from the Firepower solution but I think it’s cool you can combine the two and see some extra intelligence in the dashboard.
  • Quarantining endpoints is great too, but you need to have a supported NAC (ISE) to make that happen on the port level, or you can do stuff like firewall/route shun without anything else extra.
  • RA VPN - I’m part of the partner betas for that. It’s coming probably in the next couple months when the beta is over.

Someone asked what FP vs ASA with Firepower is. Firepower Threat Defense (FTD) is the unified code which has a lot of great features on it but there are obviously features missing from ASA as they’re porting stuff over. ASA with Firepower is ASA code with a software module you can send your traffic through.

Check out the NSS labs reports. You have to pay to get independent access to them, but you should be able to get a free copy from your sales reps. I’d also strongly suggest you include Fortigate in your analysis… they have a great product at a reasonable cost and will likely be who we go with.

I sat through 3 hours of presentation with Cisco and a VAR and can’t clearly answer that question. I quite literally think Cisco may not even know (LOL).

Cisco will claim otherwise, but judging by the Smartnet trajectory, they are heavily incentivizing you to move to the FP platform. The ASA platform is going away or at best will be neglected. I wouldn’t buy a 5585 right now. You could get a Fortigate for half the TCO and not have to deal with the Cisco bullshit.

Among the limitations I noted, FP doesn’t do (or the SE was dumb) NAT, simple ACLs, or client VPN. Which is fucking hilarious. You need a firewall to get your firewall to do firewall things. The FP is also basically a hypervisor, and Cisco has modules for everything. They recommended like 6 different products for us. I imagine that’s going to be a major pain in the ass to configure and maintain with subscriptions and service for everything.

When I pressed the SE with “I shouldn’t need a CCIE-Sec to configure this firewall, this seems very complicated and I’m not seeing the vision”, they dodged with “Oh man, but check out this cool stuff we can do if you get endpoint security.”

RemindMe! 5 weeks “update this guy when you know fp”

FTD currently does NAT and simple ACLs, and will do client VPN in the next version, which my company is beta testing now. Sounds like your SE did a canned demo of all the integration points and wasn’t much of a security expert to answer you on the things you cared about. It happens…
