
ASA Firepower High Availability

alexdelangel
Level 1

Hello Friends

In the past, I worked many times with the ASA with CX module. If you wanted to set up a failover pair with two CX modules, you only needed one subscription (for example WSE, IPS, AVC), and then PRSM used to assign the licenses to the current Active device.

Now with the Firepower module, I have read the user guide many times and I'm not able to figure out, if we wanted to implement an Active / Standby pair, do we need one license for each firewall? Or do we just need one license for the two firewalls?

Please feel free to request as much information as needed. Any comment or documentation will be appreciated.

Best Regards!

1 Accepted Solution


Marvin Rhoads
Hall of Fame

Each and every FirePOWER module needs a unique license assigned to it from the managing FireSIGHT Management Center (aka Defense Center).

The same applies whether they are part of ASAs in a HA pair, a cluster, or wholly separate.


5 Replies

Hi Marvin,

We are going to buy ASA 5508-X, which would be in a cluster and have a TAMC license with URL and AMP services.

Do I need to buy two licenses for the cluster?

Regards

Vaibhav

vaibhav58,

Yes.

The advice I had provided 2 years ago remains valid. Each FirePOWER service module must be separately licensed.

Several of us partners have raised the issue with Cisco sales, asserting that this is a bit unfair in the case of an Active-Standby HA pair. To date the situation remains unchanged. 

Thanks Marvin. It helps.

I know this is not related to this discussion, but can the ASA (5508-X) be integrated with a DLP solution (say McAfee)? I have read it works with Cisco WSA but not with ASA.

It could, with Firepower, under some conditions. If you are referring to files, it can block files that you provide the SHA sum for, through unencrypted channels or through encrypted channels with decryption policies.
