Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2154
Views
0
Helpful
4
Replies

Can HQ ASA5525 firepower control branch traffic ? URL,, application.. ?

takhan
Level 1
Level 1

‎07-14-2019 09:27 PM - edited ‎02-21-2020 09:18 AM

Hi guys!  

 

I did  configure  site to site   HQ and  Branch

 

and also  branch traffic go to HQ include internet..

 

and HQ have a firepower and use it for HQ

 

so i wonder  

 

Can HQ ASA5525 firepower control branch traffic ? URL,, application.. ?  

 

without license  or something else ?

 

other branch is just ASA 5506 ...

 

 

0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-14-2019 11:01 PM

Your ASA Firepower service module at Hqs requires licensing. There are 4 types:

1. Control and Protect - free and included with all Firepower service modules.

2. IPS - a subscription service that gives you Snort rules (i.e. IPS signatures), VDB updates and Geolocation database.

3. URL Filtering - a term license (1, 3 or 5 years)

4. Malware (AMP) - also a term license.

How much visibility and control you can have over all your traffic (Hq and branch both) is affected by which licenses you have. As long as the traffic passes through the ASA (and is unencrypted as some point), you can fully inspect it and enforce policy with the Firepower service module.

0 Helpful

takhan
Level 1
Level 1
In response to Marvin Rhoads

‎07-14-2019 11:11 PM

캡처.PNG

 

thank you for reply

 

yes  i have a license in HQ ASA but branch .. we don't have it..

 

is it no problem ?

Preview file
6 KB
0 Helpful

johnlloyd_13
Level 9
Level 9
In response to takhan

‎07-15-2019 12:13 AM - edited ‎07-15-2019 01:06 AM

hi,

all of the FMC licenses are currently used by the HQ ASA 5525-X. notice the count of one "(1)"

you'll need an additional URL filtering "classic" license for your branch ASA 5506-X FP module/sensor.

you can ask TAC for the free PROTECT+CONTROL license for the branch ASA 5506-X before applying additional license/policies.

just give TAC the FMC key and ASA platform (in this case ASA 5506-X).

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/04/configuring-fmc-623-updates-licenses.html

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to takhan

‎07-15-2019 12:57 AM

If all of the remote site’s Internet-bound traffic egresses via Hq, then your Hq only licenses suffice. 

 

Otherwise what @johnlloyd_13 said is correct 

 

Basically you need a license on the device(s) where you apply Firepower policy. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card