
Simon O'Sullivan

Firepower license required to detect a spambot/virus infected PC on the network

Hi all,

I'm after a plain English answer for a simple tech like myself. 

I'm trying to understand what each licensing component of the Cisco Firepower suite is. I work for a Cisco partner (I'm Cisco qualified), and neither our Cisco contact nor distributor has been able to give me a clear answer.

This is a typical question I get from a client who is considering an ASA with Firepower...

Say a client installs a Cisco ASA with Firepower installed. They want to be able to detect a PC that is behaving unusually - e.g. it is infected with a virus and is perhaps a spambot, is scanning the network for SMB shares that are not secure, or any other odd behavior that may indicate an issue.

My understanding is that the IPS license on its own should be able to achieve the basic anomaly detection described above.

The options are:




(or some combination of the above)

What license do they need to achieve the above?

If someone could describe real-world examples of what each license actually protects against, that would be great as well, e.g. what developers call "stories".


Cisco Employee

Hi Simon,

First off, the protect license is your base license and provides IPS functionality.


Yes, IPS will detect malicious attacks based on IPS enabled rules.


AMP for networks will, based on your file policy, detect malware. This will show you initiator and responder.


URL filtering is similar to traditional web categories filtering, meaning, block porn, gambling, etc.


Hope this sheds some light.




Thanks for the reply Paul.

Basically clients want to know - if I have a PC that is infected with a virus, can IPS alert me and tell me the IP address of the PC so I can go and take it off the network?

So would a PC infected with a virus be considered malware, and require a malware license to detect? Or could it be detected as a malicious attack and come under the IPS license?



Hi Simon,


IPS will typically not detect viruses but malicious payload targeting your clients' assets. 

Malware detection is not an A/V solution but complementary. Detection is based on a cloud lookup using the file's SHA-256 hash and not on local signatures like A/V does.


I would always position AMP as complementary to A/V. Another option is AMP for Endpoints.

This is a host-based connector that allows you to detect malware before it is executed or copied.




