topic Re: Do I need Threat License with FTD in Network Security

Do I need Threat License with FTD

Ken C. Musk — Thu, 02 Sep 2021 18:36:15 GMT

All,

I am starting to convert all my 5516x ASA with FirePower Services over to the full FTD image. I have 22 total to convert and have successfully converted 4 of them over. Now that those 4 are on full FTD image I need to use Smart Licensing instead of the Classic Licensing.

On the old Classic Licensing we have Control/Protection which is perpetual, but with Smart Licensing Protection turns into Threat and is a renewable license. Cisco says I only need this Threat license if I am using IPS, and honestly not sure if I am. Pretty sure I am since the symbol within the ACP is checked under inspection. We had a third party set all these up years ago, but now I get to learn and take them over...

Are the system provided Intrusion Policy's part of threat or just if I create my own Intrusion Policy?

Speaking with TAC and well its clear as mud so figured I would ask here. My newly created ACP are VERY basic for what we do. We do have URL Filtering, but no AMP. Within my ACP rules if I set the Intrusion to None what am I really gaining or missing?

Thanks,

Ken~

Re: Do I need Threat License with FTD

Amine ZAKARIA — Thu, 02 Sep 2021 19:49:26 GMT

Hello @Ken C. Musk ,

For the threat license it has 3 features : IPS, File control and Security intelligence filtering.

Are the system provided Intrusion Policy's part of threat or just if I create my own Intrusion Policy? You can create IPS policy with no base policy (system provided ips policy) BUT Without Threat license enabled you cannot deploy an ACP contains IPS enabled.

Within my ACP rules if I set the Intrusion to None what am I really gaining or missing? As you know IPS used for deep analyse the flow for exploits, Downloaded viruses and so on, so it's obvious what you are missing.

If you are using URL Filtering then you need even the URL license.
Both of these licenses are term-based which means you can purshase them for 1 year, 3 years, or 5 years.

For more detailled info's : https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Licensing_the_Firepower_System.html

Hope that helps!

Re: Do I need Threat License with FTD

Milos_Jovanovic — Thu, 02 Sep 2021 19:55:02 GMT

Hi @Ken C. Musk,

First of all, Control/Protect license is a license that activates IPS. Although it is displayed in FMC as perpetual, it actually isn't, and it is expected from you to purchase it on regular basis. With Smart Licensing, this is much easier to understand, as you get clear visibility on your Smart Account portal.

You can easily verify whether you are using IPS or not, if you take a look at your Access Control Policy, as it must be enabled under rules there (in rule, under Inspection tab):

Here you can also see which policy are you using.

Yes, you can use system predefined ones (there are few), but I would recommend creating your own.

URL filtering is quite different service from IPS. IPS provides protection against malicious attempts to breach your infrastructure, while URL filtering is mostly used to control what your users can access to.

BR,

Milos

Re: Do I need Threat License with FTD

Ken C. Musk — Fri, 03 Sep 2021 13:00:55 GMT

Perfect, these are the answers I needed to know. Appears we are using IPS within our ACP rules, so will get Threat quoted. Will look to get both Threat and URL together so its easier to renew each time.

Thanks,

Ken~