I configured a site-to-site VPN between HQ and the branch,
and the branch's traffic all goes to HQ, including Internet traffic.
HQ has a Firepower module and uses it for HQ traffic,
so I wonder:
can the HQ ASA 5525 Firepower control branch traffic (URL, application, ...)
without a license or something else?
The other branch is just an ASA 5506...
Your ASA Firepower service module at HQ requires licensing. There are 4 types:
1. Control and Protect - free and included with all Firepower service modules.
2. IPS - a subscription service that gives you Snort rules (i.e. IPS signatures), VDB updates and Geolocation database.
3. URL Filtering - a term license (1, 3 or 5 years)
4. Malware (AMP) - also a term license.
How much visibility and control you can have over all your traffic (HQ and branch both) is affected by which licenses you have. As long as the traffic passes through the ASA (and is unencrypted at some point), you can fully inspect it and enforce policy with the Firepower service module.
All of the FMC licenses are currently used by the HQ ASA 5525-X. Notice the count of one "(1)".
You'll need an additional URL Filtering "classic" license for your branch ASA 5506-X FP module/sensor.
You can ask TAC for the free PROTECT+CONTROL license for the branch ASA 5506-X before applying additional licenses/policies.
Just give TAC the FMC key and ASA platform (in this case ASA 5506-X).
See helpful link:
If all of the remote site's Internet-bound traffic egresses via HQ, then your HQ-only licenses suffice.
Otherwise, what @johnlloyd_13 said is correct.
Basically, you need a license on the device(s) where you apply Firepower policy.