06-29-2017 08:24 AM - edited 03-12-2019 02:38 AM
We are looking at quoting a customer a replacement of their Cisco ASA 5520 High Availability pair (Active/Standby) with either an ASA 5525x w/Firepower Services or the ASA 5525x Threat Defense 6.2. The customer still wants High Availability either way. I have worked with the older generation of ASAs in High Availability (failover), but not with the new Firewall Services. The ones I have installed so far have been standalone units.
On the previous ASAs doing HA, the second hardware unit that was to be Standby had a separate SKU, and was less expensive than the primary. I read that, when doing the ASA with the Firepower services module, each Firepower Services module had to be fully licensed separately. Is there a separate SKU for the secondary ASA chassis as with the previous generation?
Does this work the same with doing the Firepower Threat Defense? From what I read in a doc on the FTD 6.2 High Availability, the subscription license is transferred from the Active to the Standby unit during Failover.
Would there be a cost savings by specifying two ASA5525x FTD 6.2 with HA and the full AMP-IPS-URL license versus two ASA 5525x w/Firepower services modules and each Firepower module being fully licensed with AMP-IPS-URL?
The customer has just one campus and Internet connection, and the firewalls would be in the same equipment rack.
06-29-2017 11:11 AM
If you go with the ASA with Firepower services, the Firepower services need to be separately licensed on each unit; they are not shared in a high availability pair. Any ASA license can be shared between both ASAs - like AnyConnect Plus and Apex licenses.
If you go with the ASA HW with FTD, all licenses are meant for the FTD. They have to be individually licensed for each unit of the high availability pair. FTD does not support Remote access yet, but that requires just one license for both units.
As far as I remember, the price for the secondary ASA hw was the same as the primary. The PIX firewall had the concept of a failover license, which allowed the standby ASA to be only used for that purpose - thus considerably cheaper. Since the ASAs have been released, you had to have 2 hardware units at the same cost for an HA pair. Licenses started to be shared starting 8.3 onwards.
I am not sure on the cost difference, but the FTDs are well priced compared to the ASA with Firepower services devices.