cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3628
Views
0
Helpful
7
Replies

Some questions about AMP

roesch4alc
Level 1
Level 1

Hi,

I´m interested in AMP and would like to understand better how it works. If there are documentations to my questions (that I didn´t found so far) it would be very kind, if you could send me the links.

1.) When we are talking about Firepower integrated in Cisco ASA, is there a local sandbox running on the firewall that analyses the files or will all files be uploaded to the cloud?

2.) Are normal virus or all in generall all types of malicious files recognized aswell or is this feature just about malware? Is there an overview available?

3.) If I decided to use AMP on a Cisco ASA, is it necessary to install Software on endpoints or is it optional to collect more data to get a better overview.

4.) What can I see in firesight with ASDM in use? If there is a threat, can I see from which host it originates or, how will this be displayed? Are the capabilities from the ASDM integrated solution enough to analyse where the threats came from? Where are the restrictions here? 

Probably there are much more questions, but this are the most important one...

Thanks

Sebastian

2 Accepted Solutions

Accepted Solutions

Refer this document.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/guide-c07-732249.pdf?keycode=000035512

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html#49220

L-ASA5506T-TM=  is for Cisco ASA5506 Threat Defense Threat and Malware Protection 

L-ASA5506T-AMP= is for  Cisco ASA5506 Threat Defense Malware Protection 

Regards,

Kasun

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

View solution in original post

Yes you are right. see below table.

Table 34-2 FirePOWER Services Subscriptions

Subscription You Purchase
License You Assign in FirePOWER System

TA

Control + Protection (a.k.a. "Threat & Apps," required for system updates)

TAC

Control + Protection + URL Filtering

TAM

Control + Protection + Malware

TAMC

Control + Protection + URL Filtering + Malware

AMP

Malware (add-on where TA is already present)

URL

URL Filtering (add-on where TA is already present)

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

View solution in original post

7 Replies 7

roesch4alc
Level 1
Level 1

Another question:

5.) Where are the differences between L-ASA5506T-TM= and L-ASA5506T-AMP= ?

Refer this document.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/guide-c07-732249.pdf?keycode=000035512

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html#49220

L-ASA5506T-TM=  is for Cisco ASA5506 Threat Defense Threat and Malware Protection 

L-ASA5506T-AMP= is for  Cisco ASA5506 Threat Defense Malware Protection 

Regards,

Kasun

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi,

thanks for your answer... Regarding the license, I also found these descriptions:

L-ASA5506T-TM=  is for Cisco ASA5506 Threat Defense Threat and Malware Protection 

L-ASA5506T-AMP= is for  Cisco ASA5506 Threat Defense Malware Protection

But where exactly is the difference? I understand it this way: For example, if I already have a Threat Defence License, I only need to order a L-ASA5506T-AMP= for adding AMP to my subscriptions....

Thanks!

Yes you are right. see below table.

Table 34-2 FirePOWER Services Subscriptions

Subscription You Purchase
License You Assign in FirePOWER System

TA

Control + Protection (a.k.a. "Threat & Apps," required for system updates)

TAC

Control + Protection + URL Filtering

TAM

Control + Protection + Malware

TAMC

Control + Protection + URL Filtering + Malware

AMP

Malware (add-on where TA is already present)

URL

URL Filtering (add-on where TA is already present)

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Thank you!

its pleasure to help you..

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

yogdhanu
Cisco Employee
Cisco Employee

Hi

With AMP in firepower, only SHA value is calculated there and its matched with the known malicious SHA values on the cloud. Sand-boxing is available with threadgrid integration.

http://www.cisco.com/assets/global/RO/events/2015/ciscoconnect/pdf/walnut/sourcefire/SourceFire-ThreatGrid.pdf

http://www.cisco.com/c/en_ca/products/security/amp-threat-grid-appliances/index.html

Which can be integrated with Firepower management center (FMC) as cloud or you can have on-prem appliance.

AMP is about malware and file analysis. So if there is a malicious file , you should be able to block it. Also you can block file types based on their type.

Endpoint AMP and AMP on network are 2 different things so you don't need to install endpoint amp for amp on ASA-Firepower.

endpoint AMP are like separate software on endpoints managed by separate cloud account, though you can integrate it with FMC for reporting.

You cannot manage the firepower with both ASDM and firesight (not called firepower management center) ASDM is very limited in terms of logging and analysis capability.

FMC can see retrospective analysis. Example is a file went through which was unknown at that time but later it was found to be malicious. You would see its analysis on FMC later along with host information.

Rate if helps.

Yogesh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: