cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28860
Views
30
Helpful
14
Replies

ASA 5506, and included Control License

J W
Level 1
Level 1

Hello! I have been looking, but have yet to come up with a solid answer on this. We received an ASA5506-X, which has an included control license.

 

From what I am seeing, to get any benefit out of the control license, I will also need a protection license (as described here:http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html)

 

Is this correct? Is the included Control License essentially useless until we get a protection license, or would we gain any benefit by applying it?

 

Thanks for the help!

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Control by itself gives you very limited functionality. See the following Cisco description:. 

Application Visibility and Control (AVC) function by default. This feature provides application identification and control of more than 3,000 applications, detected and classified by risk and business relevance.

To do any of the more interesting policy-based actions, you would need one of the extra cost licenses like IPS, URL Filtering or Advanced Malware Protection (AMP).

View solution in original post

14 Replies 14

Marvin Rhoads
Hall of Fame
Hall of Fame

Control by itself gives you very limited functionality. See the following Cisco description:. 

Application Visibility and Control (AVC) function by default. This feature provides application identification and control of more than 3,000 applications, detected and classified by risk and business relevance.

To do any of the more interesting policy-based actions, you would need one of the extra cost licenses like IPS, URL Filtering or Advanced Malware Protection (AMP).

Thank you, Marvin. That is exactly what I was looking for.

IMHO, the control and protect should be CORE base licenses that are included with all devises

AS well if i was the CEO, i would give make all four license core and come with all units at no extra cost. i would charge soley for data rate or traffic basis

WHY

poeple would see the value in all featres. now, the users only sees what they paid for, they might not  know what their missing ( ie didn't paty for)

as well why does the user need seperate licensesfor the ASA vs the firepower VM. is this not double charging.tax( ie like the Boston tea Party in the 1700's) 

Hey Marvin, do you know if there any method of getting a trial license of the FS-VMW-2-SW-K9 version to manage a 5506 and allow for firesight visibility? 

Hi Jake,

For a partner lab (or customer Proof of Value being led by a partner), you can get limited period licensing using the process documented by GSSO in the partner community. (partner access required).

The 5506 (and 5508 and 5516) can also be managed with the FireSIGHT Management Center "lite version" (my term) built into ASDM for that specific platform and thus not have to spin up a VM with the full FMC. You'd still need to apply Control, IPS, URL Filtering and/or AMP licenses. The limitations of that approach are described in the Release Notes.

Considering that Control requires Protection, has this changed recently ?

When I registered my Control license it seems to have activated Protection as well, and IPS seems to work..

Some limitations I am not aware of ?

The messaging on that has been very unclear.

The best explanation I've been able to find is that the Protect (IPS) license is required to be entitled to download updates for the IPS via the subscription that you are entitled to by virtue of the license.

However it does not appear to be enforced technically thus leaving a lot of users a bit bewildered.

It's very unclear. Licensing portal clearly shows "License Control+Protect Perpetual"... What's the difference between this Protect and the "other one" ?

Perpetual implies that this is all there is, unless there is an additional update subscription needed... 

Entitlement to update the IPS "signatures" (Vulnerability Database -VDB etc.) is a subscription.

See this TAC-provided document:

https://supportforums.cisco.com/document/12455001/firesight-firepower-sourcefire-license-matrix

I'm actually not surprised by this ;)

But I'm surprised it still works without it...

They are probably working out a way to make it not work without causing as much pain as the old Cisco IPS subscription licenses did.

I do see the place for "Smart Licenses" in the FirePOWER Management Center 6.0. So far I think they are only used with the new FP 9300 and 4000 series.

hello marvin could you help me to obtain my license with the PAK.

and to block facebook, youtube and so on witch license sould i have?

@yaokouassiAntoine83938 

Please start a new discussion with more details of what you want rather than adding on to this 4 year old thread.

i said i need to activate my license after deploymen i have PAK number order S/O also. please help me to  download my lisence

Review Cisco Networking for a $25 gift card