Understanding Licensing
License: Any
You can license a variety of features to create an optimal ASA FirePOWER deployment for your organization.
Licenses allow your device to perform a variety of functions including:
-
intrusion detection and prevention
-
Security Intelligence filtering
-
file control and advanced malware protection
-
application, user, and URL control
There are a few ways you may lose access to licensed features in the ASA FirePOWER module. You can remove licensed capabilities. Though there are some exceptions, you cannot use the features associated with an expired or deleted license.
This section describes the types of licenses available in an ASA FirePOWER module deployment. The licenses you can enable on an appliance can depend the other licenses enabled.
The following table summarizes ASA FirePOWER module licenses.
License |
Granted Capabilities |
Requires |
---|---|---|
Protection |
intrusion detection and prevention file control Security Intelligence filtering |
none |
Control |
user and application control |
Protection |
Malware |
advanced malware protection (network-based malware detection and blocking) |
Protection |
URL Filtering |
category and reputation-based URL filtering |
Protection |
Protection
License: Protection
A Protection license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:
-
Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
-
File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. With a Malware license (see Malware), you can also inspect and block a restricted set of those file types based on their malware dispositions.
-
Security Intelligence filtering allows you to block—deny traffic to and from—specific IP addresses, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately block connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.
Although you can configure an access control policy to perform Protection-related inspection without a license, you cannot apply the policy until you first add a Protection license to the ASA FirePOWER module.
If you delete your Protection license from the ASA FirePOWER module, the ASA FirePOWER module stops detecting intrusion and file events. Additionally, the ASA FirePOWER module will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot reapply existing policies until you re-enable Protection.
Because a Protection license is required for URL Filtering, Malware, and Control licenses, deleting or disabling a Protection license has the same effect as deleting or disabling your URL Filtering, Malware, or Control license.
Control
License: Control
A Control license allows you to implement user and application control by adding user and application conditions to access control rules. To enable Control, you must also enable Protection.
Although you can add user and application conditions to access control rules without a Control license, you cannot apply the policy until you first add a Control license to the ASA FirePOWER module.
If you delete your Control license, you cannot reapply existing access control policies if they include rules with user or application conditions.
URL Filtering
License: URL Filtering
URL filtering allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs, which is obtained from the Cisco cloud by the ASA FirePOWER module. To enable URL Filtering, you must also enable a Protection license.
Tip |
Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic. |
URL filtering requires a subscription-based URL Filtering license. Although you can add category and reputation-based URL conditions to access control rules without a URL Filtering license, the ASA FirePOWER module will not contact the cloud for URL information. You cannot apply the access control policy until you first add a URL Filtering license to the ASA FirePOWER module.
You may lose access to URL filtering if you delete the license from the ASA FirePOWER module. Also, URL Filtering licenses may expire. If your license expires or if you delete it, access control rules with URL conditions immediately stop filtering URLs, and your ASA FirePOWER module can no longer contact the cloud. You cannot reapply existing access control policies if they include rules with category and reputation-based URL conditions.
Malware
License: Malware
A Malware license allows you to perform advanced malware protection, that is, use devices to detect and block malware in files transmitted over your network. To enable Malware on a device, you must also enable Protection.
You configure malware detection as part of a file policy, which you then associate with one or more access control rules. File policies can detect your users uploading or downloading files of specific types over specific application protocols. The Malware license allows you to inspect a restricted set of those file types for malware. The Malware license also allows you to add specific files to a file list and enable the file list within a file policy, allowing those files to be automatically allowed or blocked on detection.
Although you can add a malware-detecting file policy to an access control rule without a Malware license, the file policy is marked with a warning icon in the access control rule editor. Within the file policy, Malware Cloud Lookup rules are also marked with the warning icon. Before you can apply an access control policy that includes a malware-detecting file policy, you must add a Malware license. If you later delete the license, you cannot reapply an existing access control policy to those devices if it includes file policies that perform malware detection.
If you delete your Malware license or it expires, the ASA FirePOWER module stops performing malware cloud lookups, and also stops acknowledging retrospective events sent from the Cisco cloud. You cannot reapply existing access control policies if they include file policies that perform malware detection. Note that for a very brief time after a Malware license expires or is deleted, the system can use cached dispositions for files detected by Malware Cloud Lookup file rules. After the time window expires, the system assigns a disposition of Unavailable to those files, rather than performing a lookup.