
Threat Grid & AMP

adamgibs7
Level 6

Dears,

I'm having confusion about Cisco security products.

Is Cisco AMP called a sandboxing???

Is there something Cisco sandboxing does exclusively which AMP is not performing?

What does Threat Grid do??

What does it do exclusively, apart from AMP and sandboxing?


gbekmezi-DD
Level 5
AMP doesn’t do the sandboxing, that’s what Threatgrid does. However, when you subscribe to AMP then you get indirect access to Threatgrid. AMP for endpoints secures an endpoint. AMP for other products (networks, ESA, WSA…) protects that respective vector from file based attacks. A direct AMP subscription gives you access to the rich data collected by AMP and provides things like endpoint and file tracking and retroactive remediation.

There is a lot more, but this is the short version. Reviewing the respective datasheets would provide a lot more detail.

George

Dear,

Please help me to understand; I read the datasheets, but the same things are repeated on the datasheets for AMP, sandboxing, and Threat Grid, which makes it confusing to understand the real action/work of each. That's why I posted, to get a clear understanding from the experts on the community.

On an FTD device, when we configure AMP it is the file tracking and scanning mechanism which requests the cloud to check the file before it is passed to the internal network. So you are confirming to me that AMP is not called sandboxing; instead, what is it called??? Can you elaborate?

What is special in the sandboxing???

What is special in the Threat Grid appliance or cloud???

Regards

AMP checks files for disposition - clean, malicious or unknown are the potential outcomes. It does this by taking a SHA-256 hash of the file as it is seen and then sending that value to the Cisco cloud (or AMP private cloud if that's the configured option).

 

If the outcome is unknown, you have the option (in most AMP offerings) to send a copy of the file to Cisco's AMP cloud (or a ThreatGrid on-premise private server) for further analysis. Cisco uses the ThreatGrid service on the backend to do this analysis. Part of ThreatGrid's technique is to open the file in a virtual machine "sandbox" and analyze the resulting behavior. Based on multiple dynamic analysis factors (about 70 or so if I recall correctly), ThreatGrid then returns a more definitive disposition to the requesting AMP service. That's not real time though - it takes about 5-10 minutes or so.

 

If you have the ThreatGrid separate subscription service you also have additional capabilities such as doing a video playback of the behavior of the file on the VM. You can also submit files directly for analysis apart from AMP doing so on your behalf.

Dear Marvin,

I was expecting your answer and thank you for your reply. Now the post will remain incomplete until and unless you make me understand the facts.

Let's assume scenarios one by one.

So if an ASA 5525-X customer has the IPS, URL, AMP license as below, does it do sandboxing also??? Please confirm, because I don't see any sandboxing license separately for ASA 5525-X in the datasheet; I found the below.

Cisco ASA5525 FirePOWER IPS, Apps, AMP and URL 3YR Subscription

L-ASA5525-TAMC=

L-ASA5525-TAMC-3Y

And if I'm purchasing an FTD 4100 series then the license part number is as below.

L-FPR4120T-TMC=

Cisco Firepower 4120 Threat Defense Threat, Malware, and URL License

How can I purchase a sandboxing and Threat Grid subscription for the above 2 models????

thanks

 

 

 

No Firepower or FTD device has a separate Threatgrid license available per se.

 

When you have the AMP license on any of your Cisco security products, you get an "integrated" ThreatGrid analysis capability for up to 200 file submissions per 24-hour period. You will not have access to the sandboxes (which are an integrated part of ThreatGrid and not a separate product offering in any form) or their output directly - only indirectly via the AMP disposition.

 

When you purchase the completely separate ThreatGrid cloud subscription (or ThreatGrid appliance for on-premises use) you get access to the full feature set including the ability to playback sandbox results.

 

More details can be found here:

 

https://www.cisco.com/c/dam/en/us/products/se/2018/2/Collateral/aag-tg-integration-vs-prem.pdf
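As an added illustration (not Cisco code and not from anyone in this thread), here is a small Python model of the flow described in the two replies above: a SHA-256 lookup first, an unknown result queued for Threat Grid dynamic analysis subject to the 200-submissions-per-24-hour integrated cap, and the eventual verdict fed back so the next sighting of the same hash is answered immediately. The class, the score threshold, and the sample bytes are assumptions made for the example.

```python
import hashlib

# Added example (not Cisco code): a model of the AMP disposition flow described in the thread.
# The class name, score threshold and cache contents are assumptions / constructed for illustration.
SUBMISSION_CAP = 200    # integrated Threat Grid submissions per 24-hour period (from the thread)
MALICIOUS_SCORE = 90    # hypothetical sandbox score threshold; real Threat Grid scoring differs


def sha256_hex(data: bytes) -> str:
    """AMP sends only this hash to the cloud for the first lookup, not the file itself."""
    return hashlib.sha256(data).hexdigest()


class AmpDispositionModel:
    def __init__(self, cloud: dict):
        self.cloud = dict(cloud)   # hash -> 'clean' | 'malicious'; constructed stand-in for the cloud
        self.submissions = 0       # counted against SUBMISSION_CAP
        self.pending = {}          # hash -> file bytes awaiting a sandbox verdict

    def lookup(self, data: bytes) -> tuple:
        """Step 1: hash-based disposition. Unknown files are queued for dynamic analysis."""
        digest = sha256_hex(data)
        disposition = self.cloud.get(digest, "unknown")
        if disposition != "unknown":
            return digest, disposition, "cache-hit"
        if digest in self.pending:
            return digest, disposition, "already-queued"   # same hash is not resubmitted
        if self.submissions >= SUBMISSION_CAP:
            return digest, disposition, "quota-exhausted"  # stays unknown until the window resets
        self.submissions += 1
        self.pending[digest] = data
        return digest, disposition, "submitted"

    def sandbox_verdict(self, digest: str, score: int) -> str:
        """Step 2 (minutes later): the sandbox returns a verdict; the cache is updated so the
        next sighting of the same hash is answered at lookup time (retroactive disposition)."""
        self.pending.pop(digest, None)
        verdict = "malicious" if score >= MALICIOUS_SCORE else "clean"
        self.cloud[digest] = verdict
        return verdict


def demo() -> list:
    cloud = {sha256_hex(b"known-good installer (constructed)"): "clean"}
    amp = AmpDispositionModel(cloud)
    sample = b"never-seen dropper (constructed)"
    results = [amp.lookup(sample)[1:]]                            # ('unknown', 'submitted')
    results.append(amp.lookup(sample)[1:])                        # ('unknown', 'already-queued')
    results.append(amp.sandbox_verdict(sha256_hex(sample), 95))   # 'malicious'
    results.append(amp.lookup(sample)[1:])                        # ('malicious', 'cache-hit')
    return results
```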

 

 

Dear Marvin,

Excellent!!!

Now please make me understand what the AMP dedicated appliances are, as per the link below.

https://www.cisco.com/c/en/us/products/collateral/security/amp-appliances/datasheet-c78-733182.html?cachemode=refresh

What do these AMP devices do separately, rather than Threat Grid?

Also please help me to understand which appliances are called NGIPS and what the difference is between the past IPS and today's IPS.

Thanks

Dear Experts,

Please advise on the above query.

thanks

Dears,

Any update on the topic?

thanks

The AMP "dedicated appliances" are simply NGIPS appliances that have extra storage (for greater capacity to hold local files pending analysis) built-in. Other than that they run the same Firepower image as all of the other 3D (7000 and 8000) series NGIPS appliances.

 

NGIPS vs. "classic" IPS is not an exact distinction based on some standards body (like IETF or IEEE) definition. Rather, it is a product marketing / industry term indicating that more than signature matching is going on as part of the protection. Things like the cloud-based analysis (including ThreatGrid sandboxing on the back end), URL filtering, the file and network trajectory features etc. are what Cisco uses to distinguish and position their products as "NGIPS".
