
ASA with FirePower

simoscomp
Level 1

Hi,

 

1) Do I need Firesight management center to manage ASA with Firepower? 

2) Can I manage ASA and Firepower with CLI?

 

Please help me.

 

Thanks in advance.

 

 

 

 


Marvin Rhoads
Hall of Fame

1. Yes. There is a special FMC license offered for a VM that manages only up to 2 ASAs with FirePOWER. Pricing is pretty good for that but you need to have an ESXi server of your own to deploy it onto.

2. ASA via CLI - sure. FirePOWER module CLI - only for initial setup (host name, IP address, etc.) and (in rare cases) debugging.

Hi Marvin,

Can we have an FMC license that manages up to 10 or 20 ASAs with FirePOWER services?

The part numbers are "FS-VMW-10-SW-K9" and "FS-VMW-SW-K9".

Thanks & best regards,

Huu,

Yes the first part number you listed is for managing 10 sensors.

The second part number is not restricted by software license but subject to the performance limitations due to the resources allocated to the VM.

So in summary there are three FMC VM licenses: 2, 10 or no limit (via license) managed sensors.

Note an HA pair of ASAs each with FirePOWER module consumes two managed sensor licenses on the FMC and each module requires dedicated Control, IPS, etc. licenses applied to it.

Hi Marvin,

As you said, the Virtual (VMware) FireSIGHT license manages sensors, but in the Cisco datasheet it manages devices. Maybe I misunderstood.

Can you please explain in detail "Note an HA pair of ASAs each with FirePOWER module consumes two managed sensor licenses on the FMC and each module requires dedicated Control, IPS, etc. licenses applied to it"?

 

Thank you very much,

I use the term sensor and device interchangeably.

Re the question about HA - when you have two ASAs in a High Availability (HA) pair, they share ASA feature licenses (AnyConnect, Botnet etc.). A license on one of the units is shared across the pair.

The modules however (ips, cxsc or sfr for classic IPS, CX Context Security or FirePOWER Services respectively) do not work that way.

In the case of the FirePOWER service module each ASA's module requires its own license(s) - Control, IPS, URL Filtering and/or Malware (AMP).

Hi Marvin. I have another question about FirePower. Let's say I have two ASA5525-x firewalls and I want to add IPS functionality to these firewalls. I have 3 options:

1. Install SSD on ASA5525-x (version 9.2 or later), download SFR images to it, install hardware or VMware version of FireSight management server, and so on.

2. Buy new IPS hardware or new FirePower services ASA with FireSight server again.

3. Buy FirePower IPS and Firesight server both virtually.

Am I right? I am a little bit confused about what licenses for what devices or virtual appliances I must buy.

CSCO12031810

Yes, those are your high level options.

If you contact your local Cisco reseller or account manager they can walk you through the details of the options specific to your environment and generate a configuration with the necessary details.

Licensing for the ASA FirePOWER module or standalone NGIPS appliance (physical or virtual) is very similar. All need the (no cost) Control license (CTRL) which will be included with any configuration built in Cisco's ordering tool.

You then choose the optional license(s) below:

 

Thank you )

Hi Marvin,

Is there any official Cisco paper or link about FirePOWER High Availability (HA) licensing?

Regards.

José Luis

I'm not aware of any public-facing collateral that specifically talks about the licensing except for the sections of the configuration guide that tell you how to apply licenses.

The partner ordering guide does specifically confirm that both devices need to have identical licenses. That's also been confirmed by Cisco SEs and TMEs during partner training sessions I have attended. 

Marvin,

Just having a look at this old thread...

Penny for your thoughts.. Say the customer is price conscious .. (who isn't these days).. and is willing to lose TAMC for a brief period of time until they recover their primary 5506 (2 x 5506's in HA A/P) .. this technically will work, will it not? And the secondary member, when active, purely won't be able to process against URL, IPS and malware.. But steady state operation.. fundamental forwarding.. application profiling .. will still work in FMC.. and it won't stop any of the aforementioned functions?

Hi Michael.

Technically you are correct. It is not a recommended or endorsed setup by Cisco but the features not requiring a license will work as you describe.

My suspicions confirmed. Thanks Marvin.

magayacorp
Level 1

Hello,

After speaking with someone from sales on the phone, I'm still confused. I only need to manage 1 ASA 5515-X. I know I can configure it via CLI. However, if I wanted to use the FirePower features, do I need to purchase the FireSIGHT Management Center VMware (pn: fs-vmw-sw-k9) and the 2 ASA license (pn: fs-vmw-2-sw-k9) or is the 2 ASA license PN: fs-vmw-2-sw-k9 all I need?
