ASA with FirePOWER, any need for the botnet license?

mozmorris1974
Level 1
  1. We are looking to upgrade our ASA from the legacy IDS/IPS to FirePOWER (need to purchase SSD). We are using the botnet license; would going to FirePOWER make the botnet redundant, as Sourcefire/FirePOWER does the same job?
  2. We are looking to purchase 2 new 5516 for a site with FirePOWER, so I need to know whether to add botnet to the order.

Cheers

Marvin Rhoads
Hall of Fame

The botnet license is made redundant when you have a licensed FirePOWER module and apply an access policy blocking Botnet CnC connections etc.

The only reason I've seen customers use both is to satisfy an auditor who's interested in checking the box that says "is botnet filter installed" and won't listen to the explanation that the FirePOWER module accomplishes this function more thoroughly.

Hi Marvin

I was hoping that you would reply, as you seem to be the main man when it comes to FirePOWER.

My customer will do a little cartwheel, as they can knock the botnet off next year's budget for the 5525X's we have to upgrade.

Thank you!

On the same note, is it possible to have a trial of the botnet license while in the process of purchasing the license?

With Firepower, I see how 'known malware/botnet' sites can be blocked via URL filtering, as destination addresses.

But how about the case when one is trying to block known malware/botnet sites, as source addresses? I do not see where this can be configured within Firepower.

However, I believe that the botnet license does offer this functionality. Is my understanding correct?

 

Thank you.

corpengineer818  

You're correct that the URL Filtering policy is used for connections initiated from the inside.

However, if you include the Botnet connections in your Access Policy it should address the concern. While in the Intrusion Policy Screen, select Rules in the left pane. When you select Rules, you will see numerous categories and rules. On the Rules page, type malware into the filter and hit return. The specific rules for Malware should appear. Select the checkbox next to GID to select all malware rules. Select the Rule State drop-down and choose Drop and Generate events.

You're correct that the URL Filtering policy is used for connections initiated from the inside.

So you are saying that blocking bad IPs as source addresses is accomplished w/ an intrusion policy? I thought the old botnet license functioned differently? Thank you.
