
ASA firepower without IPS License

razastar123
Level 1

Hi everyone,

Can I use the ASA5525-FPWR-K9 without any IPS license, and later on, if I want to enable IPS, do I only need to purchase a license, or is any hardware required?

Will that work for me?

Which software do I need to purchase to manage my firewall with IPS:

Cisco FireSIGHT Management Center or Cisco IPS Manager Express?

 

 

Raza 

 

6 Replies

Marvin Rhoads
Hall of Fame

If you buy the "ASA5525-FPWR-K9 without any IPS license" and later wish to add IPS, you only need to add the license.

You would need to purchase a FireSIGHT Management Center (FMC) (you can buy the two device license at a pretty low cost) which runs as a separate VM (requires an ESXi server). The FirePOWER module IPS license is managed and applied from the FMC. 

IPS Manager Express (IME) only manages the legacy Cisco IPS sensors.

What about the standalone manageability of 5506-X's?

We have a failover pair and sadly it doesn't work at all because after clicking a few menu items we always end up at the screen you see when you access the firepower management ip directly with a browser.

Isn't the application filtering part of the base firepower bundle without any additional license?

The Control license by itself (assuming you've applied it) doesn't do a whole lot of anything without a Protect license.

Reference the User Guide section on the Control license (emphasis added):

A Control license allows you to implement user and application control by adding user and application conditions to access control rules. To enable Control, you must also enable Protection.

The license model is confusing as there seems to be the Sourcefire license level names (Protect, Control, ...) and the Cisco ones (IPS, AMP, URL).

Also, our defense center shows the license that shipped with the ASA5516-X as 'Protection Control'. 'URL Filtering' and 'Malware' are listed separately, although we purchased the TAMC license, which includes IPS as well, which I guess falls under 'Protection' in Sourcefire speak.

 

I suggest listing the (new) Cisco names besides the Sourcefire ones to help people coming from the Cisco world understand the licensing.

 

So does this mean that when you purchase a Cisco FirePOWER bundle you get a 'Protection' license in addition to the 'Control' one and it's called 'Protection Control'?

Moin Ilyas
Level 4

Adding to Marvin, the following could be ordered if you plan to enable IPS in the future:

L-ASA5525-TA=

Also, ASA with FirePOWER Services could only be managed by FireSIGHT Management Center.

Barrett Cowan
Level 1

Just to clarify here, Cisco used to "require" the purchase of a "soft" IPS license. As of recently, the IPS license is no longer needed, and from what I've been told, cannot even be purchased any longer. I've added quotes here to require, because in my experience, it was never needed for IPS to work unimpeded. I've also added quotes to soft, in reference to the IPS license, because it was never an installable license, it was more like a Windows CAL. Cisco documentation stated it was required to receive IPS updates, but in my experience, this was untrue.

 

The AVC license (a.k.a. Protect and Control license), which is included with the purchase of an ASA, enables IPS functionality (if configured through FirePower, of course). Malware (AMP) and URL filtering definitely require licenses to function, and these are installable licenses that are received from your vendor.

 

FirePower can be configured by using ASDM or FirePower Management Center (FMC). ASDM management for FirePower is terrible, and I would recommend for everyone to use FMC.
