Cisco ASA FirePOWER Services Licensing
You have already learned that the Cisco ASA FirePOWER module can be managed by the Firepower Management Center or ASDM, in the case of the Cisco ASA 5506-X and 5508-X. The Firepower Management Center and the Cisco ASA FirePOWER module require different licenses. These licenses are installed in the Cisco FirePOWER module and the Cisco Firepower Management Center. There are no additional licenses required in the Cisco ASA.
The following are the different types of Cisco ASA FirePOWER Services licenses:
Table 2-2 provides a high-level overview of each license.
Table 2-2 The Different Types of Cisco ASA FirePOWER Services Licenses
Intrusion detection and prevention
Security intelligence filtering
User and application control
Advanced malware protection (network-based malware detection and blocking)
Category and reputation-based URL filtering
The Protection License
The Protection license enables a network security administrator to perform intrusion detection and prevention, file control, and security intelligence filtering. The intrusion detection and prevention capabilities are used to analyze network traffic for intrusions and exploits, to alert the network security administrator and optionally block offending packets. File control allows network security administrators to detect and (optionally) block users from sending or receiving files of specific types over specific application protocols.
Security intelligence filtering allows network security administrators to blacklist different hosts/IP addresses before the traffic is analyzed by access control rules. Cisco provides dynamic feeds, allowing a network security administrator to immediately blacklist connections based on the Cisco threat intelligence capabilities, fueled by Cisco’s research organization, Talos. You can also configure this to be monitor only.
The Control License
The Control license allows a network security administrator to implement user and application control. The administrator does this by adding user and application settings to access control rules. As with the Protection license, you can add user and application conditions to access control rules without a Control license. You cannot apply the policy until the Control license is installed and enabled in the Cisco ASA FirePOWER module, however.
The URL Filtering License
The URL Filtering license allows a network security administrator to implement access control rules that determine what traffic can pass through the firewall, based on URLs requested by monitored hosts. The Cisco ASA FirePOWER module obtains information about those URLs from the Cisco cloud, as illustrated in Figure 2-9.
Figure 2-9 URL Filtering Information Obtained from Cisco’s Cloud
You can configure individual URLs or groups of URLs to be allowed or blocked by the Cisco ASA FirePOWER module without a URL Filtering license; however, you cannot use URL category and reputation data to filter network traffic without a URL Filtering license. The example in Figure 2-9 applies to Cisco ASA FirePOWER modules managed by ASDM. If the Cisco ASA FirePOWER module is managed by the FMC, the URL categorization and reputation information is received from Cisco by the FMC and then sent to the managed devices (that is, Cisco ASA FirePOWER modules, NGIPS, FTD, etc.).
The Malware License
The Malware license enables Advanced Malware Protection (AMP) in the Cisco ASA FirePOWER module. With AMP you can detect and block malware potentially being transmitted over the network.
Malware detection is configured as part of a file policy, which you then associate with one or more access control rules.
Viewing the Installed Cisco ASA FirePOWER Module Licenses
You can view the installed licenses in the Cisco ASA FirePOWER module by navigating to System > Licenses in the Cisco Firepower Management Center. The Licenses page lists all the licenses in the devices managed by the Cisco Firepower Management Center, as shown in Figure 2-10.
Figure 2-10 Cisco Firepower Management Center Licenses Page
In Figure 2-10, a Cisco ASA 5515-X is being managed by the Cisco Firepower Management Center. The Protection, Control, Malware, and URL Filtering licenses are enabled.
Another way to view the installed licenses in the Cisco ASA FirePOWER module is by navigating to Devices > Device Management in the Cisco Firepower Management Center. Then click the device for which you want to see the details, as shown in Figure 2-11.
Figure 2-11 Cisco Firepower Management Center Device Management
Adding a License to the Cisco ASA FirePOWER Module
This section covers how to add a license to the Cisco ASA FirePOWER module after you receive the activation key provided by Cisco when you purchase the license. The following are the steps to add a license:
Step 1. Navigate to System > Licenses in the Cisco Firepower Management Center, as shown in Figure 2-12.
Figure 2-12 Adding a New License in the FMC
Step 2. Click Add New License on the Licenses page.
Step 3. Copy and paste the license into the License field and click Submit License. If you do not have the license, follow the instructions onscreen to obtain your license.
If you are configuring the Cisco ASA FirePOWER module using ASDM, you can manage and install FirePOWER licenses by navigating to Configuration > ASA FirePOWER Configuration > Licenses, as shown in Figure 2-13.
Figure 2-13 Adding a New License in ASDM