08-31-2019 06:22 AM - edited 09-02-2019 09:56 PM
Dears
I want to know more about the Cisco NGIPS. What I know is that NGIPS are signature-less and detect based on patterns. Can anybody share with me an example of how a threat will be detected by a pattern algorithm? If it is a pattern algorithm, then what are the rule updates in Cisco Firepower?
As of now the Fortinet firewalls are capable of doing DLP, Antivirus, NGIPS, Web Filtering, App Filtering, WAF and Email Security all in one box. Does Cisco Firepower support DLP, Antivirus, WAF and Email Security? I don't think so, because I don't see any option to configure them.
Also I would like to know about Cisco AMP. Cisco has 2 types of AMP, AMP for Endpoints and Network AMP (AMP 7150, 8050 etc.). What difference do these AMPs make compared to Threat Grid (sandboxing)?
If a customer has AMP, does he require a Cisco Threat Grid subscription or on-premises appliance? And if a customer has Threat Grid, does he need Cisco AMP (network or endpoint)?
Thanks
Solved! Go to Solution.
09-18-2019 08:28 PM
1. 7XXX and 8XXX are NOT AMP private cloud appliances. AMP Private Cloud is orderable as a virtual or physical appliance.
It acts as the "server" in an AMP for Networks or AMP for Endpoints deployment.
2. AMP for Networks is not a separate product but rather refers to AMP (Malware) licensing on network devices - those include classic Firepower (7XXX, 8XXX 3D series appliances and NSIPSv), Firepower Threat Defense devices or ASAs with Firepower service modules.
3. Yes if you want to use your 41XX as only NGIPS then you create inline interfaces and only configure the IPS-specific features (Intrusion policy).
4. Similarly, if you only wanted to use your appliance for file protection then you would only configure a file policy. This would be a very unusual setup though, as the cost of an appliance would not normally be justified to use it in such a limited sense.
5. I cannot comment on why Gartner does or doesn't include certain products in certain categories.
09-06-2019 07:41 AM
It's easier to just have a look at a typical IPS rule (see screenshot below) than to explain it in general. Rule updates in Firepower are new Snort rules created by Cisco Talos = IPS rules.
Firepower is not a Unified Threat Management (UTM) device, so its coverage of the other areas you mentioned is little to none. You can do very crude DLP with the sensitive data protection feature.
AMP is available on Firepower as well as an endpoint product. They are complementary. If we can see and block the file as it transits the perimeter then that's a good thing. The endpoint product is more comprehensive but only for the endpoints where it is installed.
AMP (all kinds) uses the Threatgrid backend to a certain extent. Without a Threatgrid subscription your account is limited to a small number of file submissions (200 if I recall correctly) for Threatgrid analysis per 24 hour period. You also get the detailed insight when you have full threatgrid and the ability to play the sandbox recordings, submit files on an ad hoc basis directly etc. It's more useful for a full Security Operations Center and/or forensic investigative purpose. If you only have Threatgrid (and no AMP) then you are only doing manual file submission - not very useful for most enterprises.
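As an added worked example (not part of Marvin's post, and not Cisco or Talos code), the block below is a small Python matcher that parses Snort-syntax rules and runs them against constructed HTTP payloads, to show concretely what "pattern-based" IPS detection and a "rule update" mean: each rule is a set of byte patterns and an optional regex that must all be present, and a Talos rule update ships new or revised rules of this shape. The three rules, their SIDs (chosen in the local 1000000+ range), the message strings and the payloads are all made up for this example; only the msg, content, nocase, pcre and sid options are implemented, the rule header is parsed but not evaluated, and percent-decoding is used as a stand-in for the HTTP preprocessor normalization a real Snort sensor applies before the rules are matched.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Snort-syntax rules for this example (not Talos rules; SIDs are in
# the local 1000000+ range). Only msg, content, nocase, pcre and sid are honoured.
RULES_TEXT = r'''
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE traversal to /etc/passwd"; content:"GET"; nocase; content:"../"; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"EXAMPLE ELF binary in response"; content:"|7F|ELF"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE shell metacharacter in cmd parameter"; content:"cmd="; nocase; pcre:"/cmd=[^&\s]*[;|`]/i"; sid:1000003; rev:1;)
'''

# One rule option: name, optional ":value" (quoted values may contain ';'), then ';'.
_OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def _content_bytes(raw: str) -> bytes:
    """Decode a Snort content string: plain text is literal, |..| runs are hex bytes."""
    out = bytearray()
    for i, part in enumerate(raw.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(line: str) -> dict:
    """Parse one rule into header text plus the option subset this example supports."""
    header, _, options = line.strip().partition('(')
    rule = {'header': header.strip(), 'msg': '', 'sid': 0, 'contents': [], 'pcre': None}
    for name, value in _OPTION_RE.findall(options.rstrip(')')):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name == 'msg':
            rule['msg'] = value
        elif name == 'sid':
            rule['sid'] = int(value)
        elif name == 'content':
            rule['contents'].append([_content_bytes(value), False])   # [pattern, nocase]
        elif name == 'nocase' and rule['contents']:
            rule['contents'][-1][1] = True        # nocase modifies the preceding content
        elif name == 'pcre':
            body, flags = value[1:].rsplit('/', 1)   # "/regex/flags"
            rule['pcre'] = re.compile(body.encode('latin-1'),
                                      re.IGNORECASE if 'i' in flags else 0)
    return rule


def matches(rule: dict, payload: bytes) -> bool:
    """True when every content pattern (and the pcre, if any) is found in the payload.
    The header (addresses/ports/direction) is ignored here; a sensor filters on it first."""
    for pattern, nocase in rule['contents']:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    if rule['pcre'] is not None and not rule['pcre'].search(payload):
        return False
    return True


def fired_sids(rules, payload: bytes, normalize: bool = False) -> list:
    """Sorted SIDs of the rules that fire on this payload. normalize=True percent-decodes
    first, standing in for the URI normalization Snort's HTTP preprocessor performs."""
    if normalize:
        payload = unquote_to_bytes(payload)
    return sorted(r['sid'] for r in rules if matches(r, payload))


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

# Constructed sample payloads (not captured traffic).
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n\r\n"
ENCODED   = b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: example\r\n\r\n"
BENIGN    = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
ELF_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n\x7fELF\x02\x01\x01"
INJECTION = b"POST /run HTTP/1.1\r\nHost: example\r\n\r\ncmd=ls;id"

if __name__ == '__main__':
    for name, p in [('traversal', TRAVERSAL), ('encoded', ENCODED), ('benign', BENIGN),
                    ('elf_reply', ELF_REPLY), ('injection', INJECTION)]:
        print(f"{name:10s} raw={fired_sids(RULES, p)} normalized={fired_sids(RULES, p, normalize=True)}")
```

The ENCODED payload is the practitioner's caveat: the same traversal written as %2e%2e matches nothing against the raw bytes and only fires after decoding, which is why the preprocessor/normalization layer and the patterns in the rules have to be judged together when evaluating detection coverage.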
09-16-2019 01:31 PM - edited 09-16-2019 01:33 PM
Dear Marvin
thanks for the reply,
Can AMP4E replace the corporate antivirus solution which has been used for years and years?
As you have mentioned, without AMP we can do manual submission to Threat Grid. What if I don't have AMP (all kinds) and I have an ASA with Firepower services or FTD? Can they send files to Threat Grid for sandboxing and block accordingly? Please correct me if I am wrong.
thanks
09-16-2019 08:14 PM
You're welcome.
Yes AMP4E can replace traditional antivirus products.
If you do not have AMP for Networks licensing on your ASA Firepower service module or FTD device then they cannot avail themselves of Threatgrid by themselves. The automated file upload requires an AMP for Networks license.
09-16-2019 11:49 PM
Dear Marvin
Thanks for the reply,
Please find the attached. I have one question here: are FPR4110-NGIPS-K9 and FPR4110-AMP-K9 all using the same OS? I am confused here; AMP for Networks has a different appliance, but do these appliances use the same OS 6.X?
Also I want to know about the NGIPS OS. What I understand is that FPR 2100, 4100 and 9100 can act as a standalone NGIPS with the same FPR 6.X image, only configuring the IPS part from the FTD OS.
Please confirm.
09-17-2019 01:51 AM
They are all the same hardware and software. The difference is in how you configure and use them.
Other minor differences are things like if you specify the appliance with ASA image, the ordering tool doesn't allow you to choose Fail-to-wire (FTW) netmods as they are incompatible with ASA software.
09-17-2019 12:38 PM
Dear Marvin
Thanks for the reply. You are the one from whom I can expect the replies. Please reply to the queries below to have more clarity on the products.
09-18-2019 07:58 AM
You're welcome.
1. 3D Series (71xx and 8xxx) are NOT based on FTD. They are all NGIPS and use classic Firepower OS (from Sourcefire).
2. In AMP4E the "server" is usually Cisco's AMP cloud. It can be an on-premises AMP Private appliance. It is never a 3D series appliance.
3. Cisco contends the AMP for Endpoints product can be characterized as both Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP).
Neither term is exact though so people may differ in their opinion.
4. I'm not sure I understand your question.
09-18-2019 12:50 PM - edited 09-18-2019 01:15 PM
Dear Marvin
09-20-2019 12:27 AM
Dear Marvin
Thanks for the reply, we are near to the closure of the post. You have cleared 90% of my doubts, as Cisco has made things complicated in datasheets.
09-20-2019 04:24 AM
Very few new installations will use the classic series.
Most of the larger vendors have differences in their product lines for various reasons - compatibility with older products, some features customers rely on have not been ported to new architecture, operational models that are slow to adopt new products etc.
For a dedicated IPS with absolutely no need for other FTD features some (but fewer than before) might still select a new classic series. They might cost a bit less, all other things being equal. On the other hand, they are limited should the organization decide later they want the non-IPS features.
09-21-2019 12:02 AM - edited 09-21-2019 12:12 AM
Dear Marvin
Thanks for the reply.
For a dedicated IPS with absolutely no need for other FTD features some (but fewer than before) might still select a new classic series. They might cost a bit less, all other things being equal. On the other hand, they are limited should the organization decide later they want the non-IPS features.
You mean to say that if anybody is planning to deploy a dedicated IPS in their network then they should go with the Classic series, configuring IPS features only in the classic boxes; apart from the IPS feature, if they want to configure any other feature it is their choice to do that. Please correct me if my understanding is not correct according to your reply in the above post.
I have found some posts mentioning IPS.
https://community.cisco.com/t5/security-documents/upgrade-to-a-ngips/ta-p/3635567
The one mentioned in the link above is not covered by Firepower.
09-21-2019 03:10 AM
I was saying that sometimes the customer insists in IPS only. At the end of the day they may make decisions different from my recommendations. There are few reasons for needing a dedicated IPS such as the classic series. If that's their choice then so be it. I usually advise otherwise though.
Those links you mentioned are marketing documents from 2+ years ago. I try to focus on technical and functional requirements and not debate marketing presentations.