I am Looking for an advice before Purchase. I need to Block Download, Especially Torrents otherthan the security features, also Want to see Bandwidth/internet usage per device. If i go for ASA5506-FPWR-BUN and L-ASA5506-TAMC= is this will do those things.? [50Mbps internet speed and 30-40 Devices in the Network]

Functionally the 5506 with TAMC license can do what you are asking.

Note that you can see but not control bandwidth usage at this time (with FirePOWER software version 6.0.x). 

You would be right at the edge of its performance with all features active if you sustain 50 Mbps throughput.

Thank You Very Much. Appreciate your Response.. 

Hi Guys, 

I can see that for the 5506 to support HA the security plus license is needed. My question is, do we need to buy 2 x L-ASA5506-SEC-PL= ? i.e one for each device?. The documentation is not very explicit in this regard. ASA Licensing

@ppatel101

Part number L-ASA5506-SEC-PL= is just a license to add Security Plus to an existing ASA 5506.

If you want a new ASA 5506, you need to choose several things such as:

- ASA vs. FTD software,

- Security Plus license or not,

- licenses for Firepower service module or not,

- AnyConnect clients (and what type - Plus, Apex or VPN only) and

- what support level you require.

I recommend working directly with a Cisco reseller or systems engineer to make sure you get the right part numbers. It's a bit more nuanced than one can simply lay out prescriptively in a forum posting.

Marvin do you have the sku for the FireSIGHT ?  So we run the firepower via the 5506, but if we want to run it off the 5506, there is an additional license?

The Protect and Control (included with every ASA with FirePOWER service module) license enables you to use AVC and IPS features on the module.

The IPS license ("TA" - can be combined with other license type and may or may not be part of a "-PR" promo package) is actually a subscription that entitles you to keep your IPS definitions current (i.e. download and apply VDB and Geolocation updates). Confusingly, it isn't enforced via technical means like the old Cisco IPS was. (That product checked your serial number against internal Cisco contract entitlement system.)

See attached, this is clipped from the bottom of my PAK, so wouldn't one conclude that this does, as the vendor told me it does include the subscription? After applying it how will I know its actually active and able to update. The second on shows the URL and MALWARE with subscription end dates, I would expected to see and IPS one there as well.

Yes I agree it would be useful if Cisco showed you the subscription status - either in the license, the PAK or anywhere.

Unfortunately they do not currently do so for that particular feature.

Since they do not prevent downloads even without a current valid subscriptions, the only way (that I know of) you can actually find out if your entitlement is current is by asking your vendor to check in the Cisco Service Contract Center (CSCC) portal.

Ok, thank you for the information.

May as well ask, so using the FirePower services on the 5506 vs using the Firesight VM to manage it, is there a big cost to move to the Firesight platform?

The entry level FirePOWER Management Center VMs (2-device and 10-device licenses) are pretty inexpensive at US$500 and US$2000 list price respectively.

If you add Smartnet support (i.e part number CON-SAU-VMWSW2 for example), it's list price is about US$100/year.