
Do Cisco 2100 firewalls support IPS functionality?

kasper123
Level 4

I'm looking into Cisco 2100 firewalls and I need it to have a TAMC license, but I'm unable to find this kind of license that would enable IPS functionality. I'm only able to select a TMC license, which does not include IPS functionality.

The documentation states "The Cisco Firepower 2100 Series appliances can be deployed either as a Next-Generation Firewall (NGFW) or as a Next-Generation IPS (NGIPS)" so I guess it should support IPS.

 

Regards.


Ajay Saini
Level 7

Hello,

 

TAMC basically covers everything. For the IPS only feature, we only require TA license.

Please refer to the below screenshot and the link:

 

https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html

 

Capture.PNG

 

And IPS license TA can be individually installed without any prior license addition. 

If you install 2100 as FPWR then you won't be able to install IPS features; that will basically convert it into ASA. For all the features like IPS, ASA, Malware, and URL filtering, use it in NGIPS mode.

 

 

HTH
AJ

 

 

 

Hi @Ajay Saini

I need to use it with all the licenses (TAMC).

Question is how do I use it in NGIPS mode?

If I select top Part number: FPR2130-BUN then I only have two options to select for hardware:

-FPR2130-NGFW-K9 and 

-FPR2130-ASA-K9 

(see the attached screenshot).

So no option for NGIPS. 

 

If on the other hand I select FPR4110-BUN as top part number then there is an option to add FPR4110-NGIPS-K9 as hardware.

 

Hence my question here: Is NGIPS mode supported on 2100 series (like the documentation says it is) or is it only available on the 4100 series?

 

Regards.

Hello,

 

NGIPS mode is definitely supported, I have a 2140 HA pair configured and working as NGIPS with all the features. Out of 2, you should order FPR2130-NGFW-K9. This will run FTD image vs an ASA image which runs on FPR2130-ASA-K9.

 

-HTH

AJ

Hi @Ajay Saini

If I select FPR2130-NGFW-K9 as the hardware then under subscription I only have these options:
-L-FPR2130T-T= - Threat Defense Threat Protection License

-L-FPR2130T-TM= - Threat Defense Threat and Malware License

-L-FPR2130T-TC= - Threat Defense Threat and URL License

-L-FPR2130T-TMC= - Threat Defense Threat, Malware and URL License

(See attached screenshot)

So no option for IPS?

Which one of the licenses would cover everything (IPS, Malware, URL filtering)?

 

Regards.

hello,

 

T is same as TA. First license -L-FPR2130T-T= will provide you the IPS and Security Intelligence SI features.

Similarly TAMC is equivalent to TMC and so on.

Regards,

 

AJ

Thank you very much for clearing that up. It's definitely confusing. 

And what about management? The devices should be managed through a regular Firepower management server right? Are additional licenses required for this (for the management through a Firepower management server)?

Can the same firepower management server manage ASA 5545 with firepower and 2100 firewalls?

Regards.

Hello,

 

FMC will manage only the firepower portion of the ASA, not the complete ASA. Unlike ASDM, FMC will only manage the firepower components. Also, if you have sufficient licenses and memory available, you should be able to manage multiple devices using the same FMC. So, you should be able to manage ASA 5545 Firepower and 2130 devices (provided license is sufficient).

 

License is required for FMC to be able to manage sensors (devices). For example, Virtual FMC can manage 2, 10 or 25 devices based on the license added:

 

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html?cachemode=refresh

 

Of course all the licenses are added to the FMC (FMC and device licenses) once it is installed.

 

-HTH
AJ 

Hi,

Yes, I'm aware that you buy an FMC with a certain amount of licenses for the number of the devices that it should manage.

What I meant was are some licenses required on the 2100 so that it can be managed by an FMC? Like connect license?

Regards.

No specific license is needed on 2100 or any other device to be managed by FMC.

 

The only license required is the FMC license wherein we define the number of devices that can be managed.

 

Regards,

 

Ajay

Thank you very much!

Actually, if you re-image your ASA with FTD (firewall+ngfw unified image) then you will be able to manage the entire firewall with FMC.

However, mind that FTD does not have all the features the classic ASA image has. They're working on it, but will take a while.
