01-17-2019 07:49 AM - edited 03-12-2019 07:13 AM
I'm looking to activate the FirePower services on a 5555X ASA which runs in HA and multi-context mode (3 contexts). I'm used to managing FirePower devices and multi-context ASAs but never tried both together up to this point.
Are there any license requirements for multi-context or do we only need standard FirePower licenses? (1 L-ASA5555-TAMC per device?) FirePower boxes seem to allow for 10 contexts without additional licenses but I can't find the information for the FirePower module running on ASA boxes.
Will each Firepower module consume a single license in the Management center or does each context count as a managed device?
Also, I have a couple of technical questions - I guess I'll find out in the lab tests but I'm a bit curious:
My understanding is that the FP module can only be activated/deactivated for all contexts but there's only a need for FP in 2 of our 3 ASA contexts. Are the contexts shown as separate devices in the management center? If so I guess it would be simple to just apply a policy to allow all the traffic for one of the contexts.
Thanks!
01-17-2019 09:26 AM
I'm looking to activate the FirePower services on a 5555X ASA which runs in HA and multi-context mode (3 contexts). I'm used to managing FirePower devices and multi-context ASAs but never tried both together up to this point.
As long as you have worked on ASA with SFR, it's the same thing, nothing to worry about.
Are there any license requirements for multi-context or do we only need standard FirePower licenses? (1 L-ASA5555-TAMC per device?) FirePower boxes seem to allow for 10 contexts without additional licenses but I can't find the information for the FirePower module running on ASA boxes.
If SFR (which I am sure it is, as you are on ASA software with SFR), it will be a traditional license. And to answer your question on (1 L-ASA5555-TAMC per device?): yes.
Will each Firepower module consume a single license in the Management center or does each context count as a managed device?
Single license per box of ASA.
My understanding is that the FP module can only be activated/deactivated for all contexts but there's only a need for FP in 2 of our 3 ASA contexts. Are the contexts shown as separate devices in the management center? If so I guess it would be simple to just apply a policy to allow all the traffic for one of the contexts.
In my production network we are running multi-context but with only one context. I remember when I added the SFR in FMC, it just picked up everything itself and I have to deivce the interfaces from the object management tab.
01-17-2019 10:00 PM
In addition to what @Sheraz.Salim correctly replied, I would add that the Firepower service module really isn't aware of the multiple contexts. It is a single managed device (per physical ASA - so two devices if you have an HA pair of ASAs) in FMC, it uses one license and it has a single policy set applied to it. So your Firepower policy set needs to account for any and all contexts that are sending traffic to it via their respective service-policy setting(s) in the individual ASA contexts.
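The per-context redirection described above, sketched as an added example that is not configuration from the thread: the context names (ctx-a, ctx-b, ctx-c) and the ACL and class-map names are hypothetical. Two contexts redirect traffic to the module through their own service-policy, and the third carries no sfr class, so its traffic is never sent to the module.

```text
! Added example. Context, ACL and class-map names are hypothetical.
! Run from the system execution space of the active unit.

changeto context ctx-a
! Redirect all IP traffic in this context to the FirePOWER module.
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  ! fail-open: keep forwarding if the module is down.
  ! Use fail-close to drop traffic instead when the module is unavailable.
  sfr fail-open
service-policy global_policy global

changeto context ctx-b
! Narrower match: only traffic for this subnet (constructed sample range)
! is inspected by the module; everything else bypasses it.
access-list SFR_REDIRECT extended permit ip any 192.0.2.0 255.255.255.0
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
service-policy global_policy global

changeto context ctx-c
! No sfr class in this context's policy-map: nothing is redirected,
! so the module never sees this context's traffic.

! Verify, per context, that redirection is active where expected:
changeto context ctx-a
show service-policy sfr
changeto context ctx-c
show service-policy sfr
```

Because the module is a single managed device with one policy set, the access control policy in FMC still has to cover traffic from both redirecting contexts, for example by matching on their address ranges.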