Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1144
Views
0
Helpful
3
Replies

Firepower license required to detect a spambot/virus infected PC on the network

sossie
Level 1
Level 1

‎08-03-2015 08:16 PM - last edited on ‎03-25-2019 05:21 PM by Community Manager

Hi all,

I'm after a plain English answer for a simple tech like myself. 

I'm trying to understand what each licensing component of the Cisco Firepower suite are. I work for a Cisco partner (I'm Cisco qualified), and neither our Cisco contact or distributor has been able to give me a clear answer.

This is a typical question I get from a Client who is considering and ASA with firepower....

Say a client installs a Cisco ASA with firepower installed. They want to be able to detect a PC that is behaving unusually - eg it is infected with a virus and is perhaps a spambot, is scanning the network for SMB shares that are not secure, or any other odd behavior that may indicate an issue.

My understanding is that IPS license on its own should be able to achieve the basic anomaly detection described above.

The options are:

IPS

URL

AMP

(or some combination of the above)

What license do they need to achieve the above?

If someone describe me a real world examples of what each license actually protects against that would be great as well. e.g. Developers call them "stories".

Thanks

Labels:
0 Helpful
3 Replies 3

pazzi
Cisco Employee
Cisco Employee

‎08-03-2015 09:46 PM

Hi Simon,

First off, the protect license is your base license and provides IPS functionality.

 

Yes, IPS will detect malicious attacks based on IPS enabled rules.

 

AMP for networks will, based on your file policy, detect malware. This will show you initiator and responder.

 

URL filtering is similar to traditional web categories filtering, meaning, block porn, gambling, etc.

 

Hope this sheds some light.

 

Paul

 

0 Helpful

sossie
Level 1
Level 1
In response to pazzi

‎08-03-2015 09:52 PM

Thanks for the reply Paul.

Basically clients what to know - if I have a PC that is infected with a virus, can IPS alert me and tell me the IP address of the PC so I can go and take it off the network.

So would a PC infected with a virus be considered Malware, and require a malware license to detect?or could it be detected as a malicious attack come under the IPS license?

 

Simon.

0 Helpful

pazzi
Cisco Employee
Cisco Employee
In response to sossie

‎08-03-2015 10:04 PM

Hi Simon,

 

IPS will typically not detect viruses but malicious payload targeting your clients' assets. 

Malware detection is not an A/V solution but complementary. Detection is based on a cloud lookup using the file's SHA 256 hash and not on local signatures like A/V does.

 

I would always position AMP complimentary to A/V. Another option is AMP for endpoints.

This is a host based connector that allows you to detect malware before it is executed our copied.

 

HTH

Paul

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card