ASA5516-X feature licensing

steve.blunt
Level 1

Hi, I don't normally specify security products and would welcome clarification re the below in reference to the ASA5516-X with Firepower (ASA5516-FPWR-K9).

1. In an HA (active/standby) deployment, is it mandatory that I purchase an L-ASA5516-TAMC URL, AMP and IPS license for each appliance? I would have thought not, as these are subscription based and the secondary firewall should hopefully never activate or only be active for a short period.

2. Table 3 in the datasheet below says that the Security Plus license is not required for the ASA5516-X in any HA mode. Is this still correct given that I want to license the deployment with the L-ASA5516-TAMC?

Thanks

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html 

Accepted Solutions

Marvin Rhoads
Hall of Fame

In an ASA 5516-X HA pair it is only the base ASAs - not the Firepower service modules - that are in "HA". The service modules essentially act as independent units and inspect traffic (or not) depending on the policies configured on them and associated licensing.

So you could have an HA pair with the secondary unit (normally running with Standby role) having an unlicensed Firepower service module. Upon failover, when it assumes the Active role, you would not have any Firepower service module protections.

The problem with that is many organizations don't carefully monitor for failover events. You could have one and never notice it.

Best practice and my recommendation is to license both units. If you do it at the time of purchase, the second unit's license can be had at a 50% discount by using the "HA" SKU in ordering.

2 Replies

Hi, I now understand from a technical perspective. Shame clients end up having to purchase a license that may never be used, though.
