Firepower 7000 and 8000 Series Installation Guide
Chapter 1 Introduction to the Firepower System
Licensing the Firepower System
• For Firepower, ASA FirePOWER, and NGIPSv devices, you must use Classic Licenses.
By default, your Firepower Management Center can perform domain control, host, application, and user
discovery, as well as decrypting and inspecting SSL- and TLS-encrypted traffic.
Feature-specific classic licenses allow your managed devices to perform a variety of functions including:
• intrusion detection and prevention
• Security Intelligence filtering
• file control and AMP for Firepower
• application, user, and URL control
• switching and routing
• device high availability
• network address translation (NAT)
• virtual private network (VPN) deployments
There are a few ways you may lose access to licensed features in the Firepower System. You can remove
licenses from the Firepower Management Center, which affects all of its managed devices. You can also
disable licensed capabilities on specific managed devices. Finally, some licenses may expire. Though
there are some exceptions, you cannot use the features associated with an expired or deleted license.
The following summarizes Firepower System Classic Licenses:
Protection
A Protection license allows managed devices to perform intrusion detection and prevention, file
control, and Security Intelligence filtering.
Control
A Control license allows managed devices to perform user and application control, switching and
routing (including DHCP relay), and NAT. It also allows configuring devices and stacks into
high-availability pairs. A Control license requires a Protection license.
URL Filtering
A URL Filtering license allows managed devices to use regularly updated cloud-based category and
reputation data to determine which traffic can traverse your network, based on the URLs requested
by monitored hosts. A URL Filtering license requires a Protection license.
Malware
A Malware license allows managed devices to perform network-based advanced malware protection
(AMP), that is, to detect and block malware in files transmitted over your network. It also allows
you to view trajectories, which track files transmitted over your network. A Malware license
requires a Protection license.
VPN
A VPN license allows you to build secure VPN tunnels among the virtual routers on Cisco managed
devices, or from managed devices to remote devices or other third-party VPN endpoints. A VPN
license requires Protection and Control licenses.
See the Firepower Management Center Configuration Guide for complete information about classic license types and restrictions.