06-02-2016 01:24 AM - edited 02-20-2020 09:01 PM
Hi,
I'm interested in AMP and would like to understand better how it works. If there is documentation for my questions (that I didn't find so far), it would be very kind if you could send me the links.
1.) When we are talking about Firepower integrated in Cisco ASA, is there a local sandbox running on the firewall that analyses the files, or will all files be uploaded to the cloud?
2.) Are normal viruses, or in general all types of malicious files, recognized as well, or is this feature just about malware? Is there an overview available?
3.) If I decided to use AMP on a Cisco ASA, is it necessary to install software on endpoints, or is it optional to collect more data to get a better overview?
4.) What can I see in FireSIGHT with ASDM in use? If there is a threat, can I see from which host it originates, or how will this be displayed? Are the capabilities of the ASDM-integrated solution enough to analyse where the threats came from? Where are the restrictions here?
Probably there are many more questions, but these are the most important ones...
Thanks
Sebastian
06-02-2016 02:12 AM
Another question:
5.) Where are the differences between L-ASA5506T-TM= and L-ASA5506T-AMP= ?
06-03-2016 03:16 AM
Refer to these documents.
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/guide-c07-732249.pdf?keycode=000035512
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html#49220
L-ASA5506T-TM= is for Cisco ASA5506 Threat Defense Threat and Malware Protection
L-ASA5506T-AMP= is for Cisco ASA5506 Threat Defense Malware Protection
Regards,
Kasun
06-14-2016 08:11 AM
Hi,
thanks for your answer... Regarding the license, I also found these descriptions:
L-ASA5506T-TM= is for Cisco ASA5506 Threat Defense Threat and Malware Protection
L-ASA5506T-AMP= is for Cisco ASA5506 Threat Defense Malware Protection
But where exactly is the difference? I understand it this way: for example, if I already have a Threat Defence license, I only need to order an L-ASA5506T-AMP= to add AMP to my subscriptions...
Thanks!
06-14-2016 08:33 AM
Yes, you are right. See the table below.

| License | Includes |
|---|---|
| TA | Control + Protection (a.k.a. "Threat & Apps," required for system updates) |
| TAC | Control + Protection + URL Filtering |
| TAM | Control + Protection + Malware |
| TAMC | Control + Protection + URL Filtering + Malware |
| AMP | Malware (add-on where TA is already present) |
| URL | URL Filtering (add-on where TA is already present) |
06-16-2016 02:06 AM
Thank you!
06-16-2016 02:07 AM
It's a pleasure to help you.
06-02-2016 09:12 AM
Hi
With AMP in Firepower, only the SHA value is calculated there, and it's matched against the known malicious SHA values in the cloud. Sandboxing is available with Threat Grid integration.
http://www.cisco.com/assets/global/RO/events/2015/ciscoconnect/pdf/walnut/sourcefire/SourceFire-ThreatGrid.pdf
http://www.cisco.com/c/en_ca/products/security/amp-threat-grid-appliances/index.html
This can be integrated with Firepower Management Center (FMC) as a cloud service, or you can have an on-prem appliance.
AMP is about malware and file analysis. So if there is a malicious file, you should be able to block it. You can also block files based on their type.
Endpoint AMP and AMP on the network are 2 different things, so you don't need to install Endpoint AMP for AMP on ASA-Firepower.
Endpoint AMP is separate software on endpoints managed by a separate cloud account, though you can integrate it with FMC for reporting.
You cannot manage Firepower with both ASDM and FireSIGHT (now called Firepower Management Center). ASDM is very limited in terms of logging and analysis capability.
FMC can show retrospective analysis. An example is a file that went through which was unknown at that time but was later found to be malicious. You would see its analysis on FMC later along with host information.
Rate if it helps.
Yogesh
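The hash-lookup and retrospective-verdict workflow described in the answer above, as an added toy model in Python. This is not Cisco code and not part of the thread: the `DispositionCloud` and `Sensor` classes are hypothetical stand-ins for the cloud lookup and the Firepower sensor, and the disposition table, file contents, host addresses and timestamps are constructed sample data. It shows why a file that was "unknown" when it crossed the network can later surface as a malicious event tied to the source host, once the cloud's verdict for that hash changes.

```python
"""Toy model: SHA-256 disposition lookup with retrospective re-evaluation.

Added illustration for this thread; it does not talk to the AMP cloud.
All hashes, hosts, file contents and times below are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The three verdict states the workflow needs: known bad, known good, not yet known.
MALICIOUS, CLEAN, UNKNOWN = "malicious", "clean", "unknown"


@dataclass
class FileEvent:
    """One file observed crossing the network, as a sensor would record it."""
    sha256: str
    src_host: str
    dst_host: str
    filename: str
    seen_at: datetime
    disposition: str  # verdict at the time of observation, updated retrospectively


@dataclass
class DispositionCloud:
    """Constructed stand-in for the cloud lookup service: sha256 -> disposition."""
    table: dict = field(default_factory=dict)
    version: int = 0

    def lookup(self, sha256: str) -> str:
        # Anything not in the table is simply unknown, not clean.
        return self.table.get(sha256, UNKNOWN)

    def update(self, sha256: str, disposition: str) -> None:
        self.table[sha256] = disposition
        self.version += 1


@dataclass
class Sensor:
    """Hypothetical sensor: hashes files, asks the cloud, keeps a local event log."""
    cloud: DispositionCloud
    events: list = field(default_factory=list)

    @staticmethod
    def sha256_of(content: bytes) -> str:
        # Only the digest leaves the sensor in this model; the file content does not.
        return hashlib.sha256(content).hexdigest()

    def observe(self, content: bytes, src: str, dst: str, filename: str, when: datetime) -> FileEvent:
        digest = self.sha256_of(content)
        event = FileEvent(digest, src, dst, filename, when, self.cloud.lookup(digest))
        self.events.append(event)
        return event

    def retrospective(self):
        """Re-check every logged hash; return (event, old_verdict, new_verdict) for changes."""
        changed = []
        for event in self.events:
            current = self.cloud.lookup(event.sha256)
            if current != event.disposition:
                changed.append((event, event.disposition, current))
                event.disposition = current
        return changed


def run_demo():
    """Walk through the two cases from the thread: known-bad hit and a late verdict."""
    cloud = DispositionCloud()
    sensor = Sensor(cloud)
    seen = datetime(2016, 6, 2, 9, 12, tzinfo=timezone.utc)  # constructed timestamp

    # Case 1: the cloud already knows this sample's hash as malicious.
    known_bad = b"constructed sample: known-bad payload"
    cloud.update(Sensor.sha256_of(known_bad), MALICIOUS)
    hit = sensor.observe(known_bad, "10.0.0.5", "198.51.100.7", "invoice.exe", seen)

    # Case 2: a never-seen sample passes through with an "unknown" verdict.
    novel = b"constructed sample: not yet classified dropper"
    late = sensor.observe(novel, "10.0.0.9", "198.51.100.7", "update.bin", seen)

    # Later the cloud classifies the novel sample; the sensor's log is re-evaluated
    # and the original event, with its source host, is flagged retrospectively.
    cloud.update(Sensor.sha256_of(novel), MALICIOUS)
    retro_events = sensor.retrospective()
    return hit, late, retro_events


if __name__ == "__main__":
    hit, late, retro_events = run_demo()
    print("immediate verdict:", hit.filename, hit.disposition, "from", hit.src_host)
    for event, old, new in retro_events:
        print("retrospective:", event.filename, old, "->", new, "from", event.src_host)
```

Running the block prints one immediate malicious verdict and one retrospective change from `unknown` to `malicious` for the second file, carrying the source host that sent it; the same retrospective pass would report nothing for hashes whose verdict has not moved.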