cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9591
Views
10
Helpful
12
Replies

ASA with FIREPower Service and licensing

gschoenle
Level 1
Level 1

Hello,

if I buy a ASA with FirePOWER Service (e.g. 5516-X) which licenses do I need to buy?

As I understand I have to order a license for the FirePOWER Service. E.g. IPS, URL and AMP.

Do I need to order a FireSIGHT Management license, too? Is the FireSIGHT Management Center mendatory? Which license is needed?

Regards

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

You will need the Control (CTRL ) license. It's no-cost and automatically included with any FirePOWER bundle SKU (i.e. ASA5516-FPWR-K9).

You then need to add the IPS, URL or AMP (or combination thereof) services in 1-, 3- or 5-year term.

FireSIGHT Management Center is not mandatory for the entry level models (5506, 5508, or 5516). It's optional on those as you can use the entry level FireSIGHT built into ASDM for those model. 

For all other models it is required. If you're managing more than a single ASA (even an HA pair) it's recommended even for the entry level models as you will then be able to sync policies across them all.

View solution in original post

12 Replies 12

Marvin Rhoads
Hall of Fame
Hall of Fame

You will need the Control (CTRL ) license. It's no-cost and automatically included with any FirePOWER bundle SKU (i.e. ASA5516-FPWR-K9).

You then need to add the IPS, URL or AMP (or combination thereof) services in 1-, 3- or 5-year term.

FireSIGHT Management Center is not mandatory for the entry level models (5506, 5508, or 5516). It's optional on those as you can use the entry level FireSIGHT built into ASDM for those model. 

For all other models it is required. If you're managing more than a single ASA (even an HA pair) it's recommended even for the entry level models as you will then be able to sync policies across them all.

Thank you very much for this excellent answer.

You're welcome.

Please mark your question as answered if it has been.

Hi Marvin,

Do we need to buy any additional license to support dual ISP?

I am planning to buy a cisco asa with firepower services.

Regards

Vaibhav

What happens if I don't order any IPS/URL/AMP license? Am I able to run the ASA like a 5515 but with the performance of a 5516? 

Michael Please rate all helpful posts

Ok, asked the Partner Helpline, you can run a 5516 without any subscriptions as you would do with a 5515.

Michael Please rate all helpful posts

I'm confused. Here is a snippet from the Firepower data sheet.

"The following table includes Cisco ASA FirePOWER Services bundle SKUs (including hardware and subscription) that offer a convenient mechanism for ordering both the appliances and software subscriptions in a single SKU configuration. It is the recommended mode of configuration for ordering. Standalone AMP license and subscriptions are also available to upgrade an existing TA or TAC subscription license. Please see the ASA with FirePOWER Services Ordering Guide for details."

This makes it sound as if the subscription is included in the bundle, is it not?

When a partner or reseller uses the bundle SKU in Cisco's ordering tool (Cisco Commerce Workspace - CCW), they are prompted while configuring the order to select from among the available subscription services (IPS, URL and Malware or a combination thereof) and terms (1, 3 or 5 year).

It's not required to select any particular one (or even one at all) to build a valid order.

I guess what was confusing is it sounds like the subscription is included in the bundle, in other words, you didn't need to purchase the separate yearly subscription.

Hi Marvin,

Would you know about the below?

L-ASA5525-AMP

This AMP license, on it own appears on CCW/Price list etc. but does not appear on the Firepower data sheets/ordering guide.

Data sheet offering are:

TA = IPS

TAC = IPS and URL

TAM = IPS and AMP, TAMC adds URL

Then there is a specific URL on it own license.

 

I am hoping that where TA was purchased the AMP as above can just be added-on as the URL can.

 

My worry about the AMP license is that it is not on the data sheets/CCW in bundle build option?

 

Many thanks,

Regards,

Garry.

 

Garry,

 

"L-ASA5525-AMP=" is in CCW - you just need to call it up under "Find Products and Solutions". Once you add it to your estimate your would need to configure the term of the license (1-, 3- or 5-years just like the other term licenses). Ideally it would be co-termed with the other licenses for the module 

 

5525 AMP.PNG

 

It is, as you surmised, an à la carte add-on for customers who already have either the basic IPS (or IPS plus URL Filtering) license for their Firepower service module(s). It is not a valid SKU to add onto an unlicensed module. (Although I suspect FMC would accept it as long as you have the prerequisite Protect + Control free license.)

Hi Marvin,

 

Ok perfect, many thanks for the confirmation.

 

Regards,

Garry.

 

Review Cisco Networking for a $25 gift card