Cisco Firepower Management Center

Hi All,

Can you please provide some guidance here?

One of my clients bought Cisco Firepower Management Center (VMware) for 2 devices; at the time of implementation it was discovered that they do not have a VMware environment to host the Cisco Firepower Management Center (VMware) for 2 devices.

It was suggested to use AWS virtual infrastructure to host the FMC.

Can you please provide some direction on whether I can use the same part number to host the FMC instance in the AWS Cloud?

Regards,


17 Replies

Marvin Rhoads, Hall of Fame (accepted solution)

Hosting in AWS if the modules are on premises isn't usually a good idea. It's much easier to just use the free ESXi server on a small server. A server with 16 GB of RAM and 500 GB hard drive can be purchased for under US$1000.

That said, you can use the existing FMC license and run the server in AWS. You would use the BYOL (Bring Your Own License) model in that case.

Marv, so in the BYOL model, can I rehost my Controller license from my ASA5506 Firepower to the FMC? Is the FMC a free download now if you have your own license? I finally got my clock timing replacement, and then had to wait till I had time to play with it and upgrade it; I just did that, but I was debating on moving to the FTD image, and was told by someone else that if you already have the Controller license, you can get the FMC and use your existing license. So that's what I need to find out.

I'm not sure what you mean by controller license.

Are you asking about the Firepower Management Center (FMC) license or your ASA 5506-X Firepower service module Control license?

The first one is for FMC. That is not a free download and never has been. It requires entitlement based on having purchased it and having a license, but you don't need to install it anywhere as it is right-to-use now.

The second one is for the Firepower service module only and does not transfer to FTD. FTD requires a "Threat" smart license to enable its base functionality.

So if I take my existing 5506 sec+ model and image it to FTD, nothing will work without buying an additional license? Won't it still be a working firewall with just the FTD web interface? I know some features won't work as yet, but those are supposed to come in the future (but I know it will have limitations). I was told for now to get certain VPN and AnyConnect features you would have to download the VM of FMC and host it, then pull your 5506 into it to be managed. Won't that work without any additional licensing?

The FTD image - running on ASA hardware or anywhere else (i.e. virtual appliance or Firepower hardware) - requires at a minimum the base Threat license. That applies whether you manage it locally via the built-in Firepower Device Manager user interface or remotely with a (separately licensed) Firepower Management Center.

You can start with a free trial license but sooner or later need to buy a term license.

So the Control and Protect that come with the Firepower unit when purchased basically become no good then, if you move to FTD? If I have the IPS, AMP & URL license on the box, would that even transfer?

Do you have a SKU for the Threat license, or a link to all the new Smart vs Classic licensing? I would have thought they would have let you convert and use it as a basic firewall, even though it doesn't support all the options as yet; I would be fine with that, but they always find a way to get your pockets.

Basically any of these 1-year subscriptions would work then, as long as they have T? Then you just renew?

L-ASA5506T-TMC= L-ASA5506T-TMC-1Y Cisco ASA5506 Threat Defense Threat, Malware, and URL 1YR Subscription
L-ASA5506T-T= L-ASA5506T-T-1Y Cisco ASA5506 Threat Defense Threat Protection 1YR Subscription
L-ASA5506T-URL= L-ASA5506T-URL-1Y Cisco ASA5506 Threat Defense URL Filtering 1YR Subscription
L-ASA5506T-TC= L-ASA5506T-TC-1Y Cisco ASA5506 Threat Defense Threat and URL 1Y Subscription
L-ASA5506T-TM= L-ASA5506T-TM-1Y Cisco ASA5506 Threat Defense Threat and Malware Protection 1Y Subscription
L-ASA5506T-AMP= L-ASA5506T-AMP-1Y Cisco ASA5506 Threat Defense Malware Protection 1Y Subscription
L-ASA5506-TAMC-1PR, ASA5506FirePWR IPS Amp & URL 1-Year Subs

So if you move to the Smart license, are you still going to have to pay annual SmartNet for hardware coverage?

 

Cisco has started offering a license transfer from the Classic PAK style Firepower licenses to Smart Licenses for FTD.

See the details here:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-8000-series-appliances/guide-c07-737902.html#_Toc494406869

Once those Smart entitlements expire you'd have to renew or buy a new term license.

Ok, so if you convert, and have something like URL and Threat, and keep that renewed, you would be good then, at a minimum?

The link seems to block me; is that hosted somewhere else? It appears it goes to the 8000 model and I only have the 5506-X.

The ordering guide might be restricted to partner access. Sorry about that.

Here's the relevant text:

Customers who already have a midrange Cisco ASA 5500-X appliance with an SSD will first need to create a Smart Licensing account on Cisco's Smart Software Manager portal before initiating an order for the relevant service subscriptions to run Threat Defense software. Next, you will need to migrate your existing ASA with FirePOWER Services licenses to Cisco Firepower Threat Defense licenses on the License Registration Portal. Customers who only have a TA license cannot use the License Registration portal. Instead they will need to file a GLO case to have their licenses migrated.

Ok, thank you.

The more I look into this, it appears these issues/questions come up a little too often, so I would suggest Cisco take that into consideration. The amount of confusion in migrating and licensing is enormous, and there are as many answers as there are questions. One can only infer this is causing customers to consider other vendor options that have more clarity. I have a number of IT associates who have migrated to Ubiquiti or Ruckus wireless because they ran into the same type of issues with Cisco, and at the end of the day every company is trying to do more with less to keep costs down, and time can't be wasted on the simple stuff; that which is made more convoluted than it should be will cost customers in the long run.

I figured Cisco would be moving to a subscription system a while ago, and they have to have new ways to keep the revenue stream flowing. With the success of so many other models, as much of a pain as it is for the customer, it's totally worth it. For me, it's par for the course: if you're paying SmartNet, you're pretty much already paying a subscription to have the latest and greatest updates. So it's more of a lateral move; the only issue I see of concern is how they will cover hardware, if they will require you to carry a SmartNet on top of the licensing subscription. Any idea? And do you know if their licensing subscription will work like Meraki, where if you already have 2 devices with 2 years of subscription, and you buy a third device and at that time you buy a 3-year subscription, it doesn't bind the subscription to the device but spreads it across all 3 devices of similar hardware?

I hear your pain. I've provided similar feedback to Cisco many times.

Re SmartNet, that is distinct from the licenses (or as Cisco likes to say "term subscriptions"). It covers hardware and TAC support.

The term subscriptions are purchased individually. If you add new ones their term does not affect any existing ones.

So I finally got my Smart Account set up, and got my license L-ASA5506-TAC-1Y, URL, and IPS. I thought the SKU had Apps, but didn't see that button or license listed.

I am going to work toward putting up an FMC and move to that so I can have the full setup. My question is, I noticed on the FDM it shows RA-VPN. So none of my VPN licenses transfer; is that something you lose as well? My ASA was Security Plus, so I had more options; do we lose those?

I thought someone stated that once you are set up with smart license, you have to get with TAC to have the VPNs done.

Do you know anything about that?

Apps are included in the free Control license with a Firepower service module.

Remote access VPN does require AnyConnect licenses (Plus or Apex type). If you have existing AnyConnect 4.x PAK-based licenses you can convert them to Smart licensing entitlements. You can do it via self-service at software.cisco.com or by sending a request to open a case via email to licensing@cisco.com

Thank you for the reply. So my days with my ASA are forever getting worse. As I stated before, it appears Cisco must totally want to shake the SOHO, or so it seems. After getting past the domain name issue for my ASA to convert to the new version, and getting some licenses installed for Threat and URL filtering, I was starting to feel some TechLuv here.

Then the AnyConnect issue. Trying to get RA-VPN..... So I was fairly sure my 5506 sec+ had 4 AnyConnect seats on it; I have looked in all my documentation, but possibly I was wrong. I did have AnyConnect for my 5505 and a mobility license.

Problem now is those were Essentials.

It appears now you can't buy AnyConnect in any seat number less than 25; is that correct? If so, this is just another blow to the SOHO......ug.......
