Re: ASA + FirePOWER failover licensing

db1 · ‎09-13-2017

Hi,

We have 4 offices, each with ASA5516-X running regular ASA software with FirePOWER modules. Those 4 devices are managed by the Management Center running as w VM. All 4 also are licensed for AMP and URL modules.

We are considering adding high-availability to our setup and deploying another ASA5516 on each site in Active / Standby mode, but I am not sure how licensing will work with FirePOWER in that case?

I read on this forum that we will have to configure FirePOWER module on standby firewalls separately, with a different management IP address and add them to the management center, but does that mean we will also have to purchase AMP / URL licenses for those standby units?

Thanks

Jakub

Marvin Rhoads · ‎09-13-2017

Correct - separate Firepower modules require separate licenses.

Cisco is currently offering some bundle discounts for FTD (but not ASA with Firepower module) when you buy multiples together. (That offer is 50% discount on the licensing of the second unit in case any other readers are wondering.)

db1 · ‎09-13-2017

Thanks. Would it be technically possible to run two ASAs in active/standby failover with one of them not having firepower at all? Or just the free Control license? If the main device dies, we will be fine if we don't have URL / AMP protection for a day.

Marvin Rhoads · ‎09-14-2017

Yes - you could do what you ask.

You would need to manage their policies separately since the one without the full license set will not accept the policy elements requiring paid license features.

apereira3 · ‎01-29-2018

Please Marvin,

What are the firewall bundle SKU elegible for the 50% discount on the software subscription licensing of the second unit?

The ASA5516-FTD-K9 is elegible? And ASA5516-FPWR-BUN? I have added at Cisco CCW but the discount doesn't apply to this SKU.

Thank you!

mikael.lahtela · ‎01-29-2018

Hi,

I think the SKU is for FTD only (ASA5516-FTD-HA-BUN).

Here is some more information:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-8000-series-appliances/guide-c07-737902.html#_Toc494406840

br, Micke

apereira3 · ‎01-29-2018

Hi Mikael,

Thank you for your reply.

But when I will configure the PN ASA5516-FTD-HA-BUN at Cisco Commerce Workspace, the pair of software subscription license (L-ASA5516T-T, L-ASA5516T-TM, L-ASA5516T-TC, L-ASA5516T-TMC) has normal price. The second license has the same price of the another, so I would like to know what are the specific bundles that are elegible for this promotion.

Thanks!

Marvin Rhoads · ‎01-30-2018

If your compare the prices for the subscription line items on the BUN SKUs vs. the non-BUN SKUs you will see they are 75% of the normal price.

For example, L-ASA5516T-TMC-3Y is list price US$6480 per device in a bundle vs. US$8640 when part of a single unit order.

Thus two subscriptions for the appliances in a 2-unit bundle cost 1.5x what a single unit would cost. that discount is built into the pricing in CCW and not "added onto" a configuration.