ASA FirePOWER Module Licenses
Licenses allow your device to perform a variety of functions including:
- Intrusion Detection and Prevention
- Security Intelligence filtering
- File Control and Advanced Malware Protection
- Application, User, and URL Control
Certain licenses, like the Control license, are perpetual. Other licenses require that you purchase a service subscription to enable the license.
| License Type | Service Subscription | Capabilities | Prerequisite | Expire Capable |
| Protection | TA | Intrusion Detection and Prevention, File Control, Security Intelligence Filtering |
None | No |
| Control | None (included with module) | User and Application Control | Protection | No |
| Malware | TAM, TAMC, AMP | Advanced Malware Protection (Network-based Malware Detection and Blocking) |
Protection | Yes |
| URL Filtering | TAC, TAMC, URL | Category and Reputation-based URL Filtering | Protection | Yes |
Service Subscriptions
| Subscription Types | License You Assign in FirePOWER System |
| TA | Control + Protection (a.k.a. “Threat & Apps,” required for system updates) |
| TAC | Control + Protection + URL Filtering |
| TAM | Control + Protection + Malware |
| TAMC | Control + Protection + URL Filtering + Malware |
| AMP | Malware (add-on where TA is already present) |
| URL | URL Filtering (add-on where TA is already present) |
TA – Threat & Apps License required for system updates
TAC – URL Filtering license as a services subscription combined with Threat & Apps
TAM – Malware license as a subscription combined with Threat & Apps
TAMC – Malware license as a subscription combined with Threat & Apps and URL Filtering
AMP – Advanced Malware Protection License
URL – URL Filtering License
Protection License
- Intrusion Detection and Prevention – It allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
- File control – It allows you to detect and, optionally, block users from uploading or downloading files of specific types over specific application protocols. With a Malware license , you can also inspect and block a restricted set of those file types
based on their malware dispositions. - Security Intelligence Filtering – It allows you to blacklist (deny traffic to and from) specific IP addresses, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.
A Protection license is automatically included (along with a Control license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.
Control License
A Control license allows you to implement user and application control by adding user and application conditions to access control rules. To enable Control, you must also enable Protection.
A Control license is automatically included (along with a Protection license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.
Malware License
A Malware license allows you to perform advanced malware protection, that is, use devices to detect and block malware in files transmitted over your network. To enable Malware on a device, you must also enable Protection.
URL Filtering License
URL filtering allows you to write access control rules that determine the traffic that can traverse network based on URLs requested by monitored hosts, correlated with information about those URLs, which is obtained from the Cisco cloud by the ASA FirePOWER module. To enable URL Filtering, you must also enable a Protection license.
