Beginner

Can HQ ASA5525 Firepower control branch traffic? URL, application...?

Hi guys!

I configured site-to-site between HQ and Branch,

and branch traffic also goes to HQ, including internet.

HQ has a Firepower and uses it for HQ,

so I wonder:

Can HQ ASA5525 Firepower control branch traffic? URL, application...?

Without a license or something else?

The other branch is just an ASA 5506...

Hall of Fame Master

Re: Can HQ ASA5525 Firepower control branch traffic? URL, application...?

Your ASA Firepower service module at Hqs requires licensing. There are 4 types:

1. Control and Protect - free and included with all Firepower service modules.

2. IPS - a subscription service that gives you Snort rules (i.e. IPS signatures), VDB updates and Geolocation database.

3. URL Filtering - a term license (1, 3 or 5 years)

4. Malware (AMP) - also a term license.

How much visibility and control you can have over all your traffic (Hq and branch both) is affected by which licenses you have. As long as the traffic passes through the ASA (and is unencrypted at some point), you can fully inspect it and enforce policy with the Firepower service module.

Beginner

Re: Can HQ ASA5525 Firepower control branch traffic? URL, application...?

[Attached screenshot: 캡처.PNG]

Thank you for the reply.

Yes, I have a license on the HQ ASA, but the branch... we don't have it.

Is that no problem?

Engager

Re: Can HQ ASA5525 Firepower control branch traffic? URL, application...?

Hi,

All of the FMC licenses are currently used by the HQ ASA 5525-X. Notice the count of one "(1)".

You'll need an additional URL filtering "classic" license for your branch ASA 5506-X FP module/sensor.

You can ask TAC for the free PROTECT+CONTROL license for the branch ASA 5506-X before applying additional licenses/policies.

Just give TAC the FMC key and ASA platform (in this case ASA 5506-X).

See helpful link:

http://wannabecybersecurity.blogspot.com/2019/04/configuring-fmc-623-updates-licenses.html

Hall of Fame Master

Re: Can HQ ASA5525 Firepower control branch traffic? URL, application...?

If all of the remote site’s Internet-bound traffic egresses via Hq, then your Hq-only licenses suffice.

Otherwise what @johnlloyd_13 said is correct.

Basically you need a license on the device(s) where you apply Firepower policy.