11-23-2020 04:27 PM
Question regarding what is specifically required to have a functional AMP for networks (module/application?) on FTD firewall utilizing the FMC.
I know that it will need the malware and threat licenses for the specific firewall at a minimum, but is a license for the AMP public cloud also required?
If so, what is that product now called? I see that Cisco is still selling AMP Private Cloud VM but can't find anything on the public cloud. Has that been rebranded as part of Threat Grid? When I navigate to the AMP tab in FMC and go to Dynamic Analysis Connections, on the far right under Actions there is a button to associate, and when I click it, it takes me to the Threat Grid login page. But I don't know what kind of license I would need for Threat Grid.
Last thing: is it even worth having AMP for Networks if you don't have AMP for Endpoints? My worry would be that I won't be able to make the full correlation?
11-24-2020 04:47 AM
"AMP for Networks" is the Malware license on a Firepower system. It does not require an AMP for Endpoints license or any cloud service subscription. It has limits on its efficacy primarily due to many files (potentially) coming in via SSL sessions that are not decrypted at the firewall.
So basically Firepower is only capable of seeing and analyzing the SHA-256 of files that are transmitted in plain text - a small minority in most networks, especially for edge firewalls.
11-24-2020 04:15 PM
Thanks Marvin!
01-23-2024 10:01 PM
A Malware license lets you perform AMP for Networks and Secure Malware Analytics. With this feature, you can use devices to detect and block malware in files transmitted over your network. To support this feature license, you can purchase the Malware (AMP) service subscription as a stand-alone subscription or in combination with Threat (TM) or Threat and URL Filtering (TMC) subscriptions. Threat license is a prerequisite for a Malware license.
What does this mean, since we don't need any license for this AMP?
Please help me understand, thank you.
01-23-2024 10:16 PM
When you buy a new firewall you can get Threat + Malware licenses in one part number (SKU). If you have an existing firewall with Threat, you can add Malware license as a separate SKU to add it on.
If you buy a new firewall you cannot order ONLY the Malware license since, as the guide mentions, you must always have Threat to add the additional Malware license.
01-24-2024 08:41 PM
Hello @Marvin Rhoads
So does it mean that the AMP (AMP for Endpoints) that is showing on the health status from Cisco FMC is included in the Malware license or not? (Just to be clear on my side.)
01-25-2024 04:34 AM
That health status is showing an error; it means that the FMC cannot successfully connect to the AMP (Secure Endpoint) cloud. It will show up if the integration between FMC and AMP cloud is set up but not working. It's independent of any license or file policy.