ASA 5506 FP URL Category and URL/Malware License

johnlloyd_13 · ‎11-06-2018

hi all,

i created access control policy/rule on a 5506 that blocks (w/ reset) URL categories: adult, games, P2P. i initially chose the category reputation of '1 - High Risk' but it didn't work. i changed it to a 'Any' and it worked. what are the difference between the reputation levels and how would you know which one to use (or which is best practice)? see photo 'fp-1' below.

also, i download and enabled a 45-day demo/eval license (L-5506-TAMC-E45D) for URL filtering and malware license and the status became 'never expires'

is this a cosmetic bug? i thought it's a 45 day demo license. see photo 'fp-2'

what do you mean by 'IPS Term Subscription is still required for IPS'?

Abheesh Kumar · ‎11-07-2018

Hi ,

URL filtering is clearly explained in the below thread.

https://community.cisco.com/t5/security-documents/ftd-url-filtering-how-it-works/ta-p/3347292

URL filtering license is a term based license and you need to renew it, otherwise it will stop protecting. In your case it may be a bug thats the reason it showing never expire.

IPS license is permanent and will not expire. Protection license (along with a Control license) is automatically included in the purchase of any Classic managed device. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

For more license details refer

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/licensing_firepower_system.html#ID-2240-00000035

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Licensing_the_Firepower_System.pdf

HTH

Abheesh