The packet inspection process in FirePOWER is explained in great detail in several Cisco Live presentations.

I recommend you refer to "BRKSEC-2028 Deploying Next-Generation Firewall Services on the ASA (2015 San Diego)".

The CX isn't covered in quite as much detail but the older presentation "BRKSEC-2699 - Deploying Next Generation Firewalling with ASA-CX (2013 London) " does a decent job explaining how it works.

hey Marvin,

Cisco live videos are not playing, it shows "attempting to reload please wait" 

The page you requested is not currently available.

can you help?

Thanks

I'm just a partner and don't work for Cisco so I can't help you with that one.

For what it's worth, I just checked both sessions' vidoes from my PC and they worked fine.

ok,

I have several queries about Sourcefire,

first I m confused with cisco term:

Cisco Next generation firewall

Cisco Next generation IPS

Cisco AVC+IPS, means AVC and IPS are two different things,

AVC is part of firewall? or but Visibility is considered in IPS, 

ESA and WSA with Sourcefire?

What about signature database in cx and firepower?

Please help me out 

Thanks

The terms aren't precise scientific terms but rather a combination of commonly used industry terms combined with product positioning or marketing.

Generally speaking, Cisco most commonly used the term Next Generation Firewall to refer to the ASA firewall with the CX module.

Next Generation IPS refers in Cisco terms generally to anything with the FirePOWER technology from the Sourcefire acquisition built into it. That includes ASA firewalls with FirePOWER service modules as well as dedicated FirePOWER appliances.

AVC is the ability to inspect packet content to determine Application content and behavior in order to assess risk and enforce policy. There is very rudimentary AVC in a base ASA in that we can do things like regex matching on http payload in an inspection. It's generally not considered as a serious way to enforce policy. When we use the more full-featured AVC (CX term) or Control (FirePOWER term) as a source of data for matching Intrusion Prevention System profiles and blocking, warning etc., it's IPS.

ESA and WSA are complimentary products to the FirePOWER set, providing much more granular control over emails and web content filtering respectively. There is some overlap and each of those two has the option to add-on Advanced Malware Protection (AMP) in ways specific to their function. Also, we can do URL filtering with FirePOWER, although the WSA provides additioanl layers of control and scalability in that specific area.

The CX has the concept of signature updates if you have the IPS feature license. It does not allow fine grained selection of the signatures nor customizing the signatures used. There are also updates to the AVC profiles.

The FirePOWER products have a combination of updates - SNORT Rule updates, Vulnerability Database updates and Geolocation updates.

AMP also has dynamic cloud-based lookup of file hashes to determine disposition of files when analyzing for potential malware.

thanks Marvin,

I would like to ask you that how can we reduce false positive in our Network,

I am seeing Firesight Recommendation in Sourcefire, which is I think not present in old CX

and how This whole things works,

 how to stop useless connection events,if my internal user is 100, then my connection events should not be much higher,

firesight recommendation and security intelligence are same,

the total agenda is reduce sensor to unneccessary processing

Thanks