11-20-2019 07:41 AM
Hi, I don't normally specify security products and would welcome clarification re the below in reference to the ASA5516-X with Firepower (ASA5516-FPWR-K9).
1. In an HA (active/standby) deployment, is it mandatory that I purchase a L-ASA5516-TAMC URL, AMP and IPS license for each appliance? I would have thought not, as these are subscription based and the secondary firewall should hopefully never activate or only be active for a short period.
2. Table 3 in the datasheet below says that the Security Plus license is not required for the ASA5516-X in any HA mode. Is this still correct given that I want to license the deployment with the L-ASA5516-TAMC?
Thanks
11-20-2019 06:39 PM
In an ASA 5516-X HA pair it is only the base ASAs - not the Firepower service modules - that are in "HA". The service modules essentially act as independent units and inspect traffic (or not) depending on the policies configured on them and associated licensing.
So you could have an HA pair with the secondary unit (normally running with Standby role) having an unlicensed Firepower service module. Upon failover, when it assumes the Active role, you would not have any Firepower service module protections.
The problem with that is many organizations don't carefully monitor for failover events. You could have one and never notice it.
Best practice and my recommendation is to license both units. If you do it at the time of purchase, the second unit's license can be had at a 50% discount by using the "HA" SKU in ordering.
11-21-2019 12:59 AM
Hi, I now understand from a technical perspective. Shame clients end up having to purchase a license that may never be used, though.