11-15-2021 08:56 AM
Hi,
Could someone confirm exactly what the FPR2K-ENC-K9 'strong encryption (3DES/AES)' licence covers on firepower boxes?
Cisco doco states: -
Strong Encryption (3DES/AES) license—FPR2K-ENC-K9 .
Although this license is not generally required (for example, ASA’s that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.
It is a separately order-able item on FPR-2110-ASA-K9 boxes
But as I understood it the -K9 boxes can do 3DES/AES IPsec S2S tunnels on its standard licence
and the above Cisco blurb adds to the confusion
What is FPR2K-ENC-K9 for and what would you need it on FPR-2110-ASA-K9 boxes for ?
thanks in advance,
Chris
12-23-2021 01:06 AM
In case it helps anyone else confused by Cisco's documentation (?) on the topic
From experience with a FPR2110 running ASA code in appliance mode
On first boot with { sh ver / sh lic feat } the initial status shows as: -
Encryption-3DES-AES : Disabled
Once the device is set with smart lic config to contact the tools.cisco.com portal and it registers successfully, then the status changes to: -
Export Compliant: YES
Encryption-3DES-AES : Enabled
The only smart lic involved was the Cisco FPR2110 ASA Licence ( L-FPR2100-ASA )
There was no need for the Strong Encryption 3DES/AES licence ( FPR2K-ENC-K9 )
Draw your own conclusions / YMMV
11-15-2021 09:09 AM
@chris-goulder you need this license to use the strong encryption algorithms; without it you cannot. It is free, however. Export regulations control access to this license, so it may not necessarily come pre-installed on a brand-new Cisco device by default.
11-15-2021 09:30 AM
Thanks for the quick reply Rob
It's all Smart Licence on the Firepower boxes
As you say it's a $0 lic at box order time but Cisco Lic TAC say it is a chargeable lic if you want to retrospectively order it for an already delivered box - hence why I'm trying to understand exactly what it is for in the Firepower product line
As a general point, if it really is needed to config a box for 3DES/AES - It doesn't make sense to me that it is not included by default (like the ASA standard lic) in the FPR-2110-ASA-K9 boxes. After all a firewall that doesn't support 3DES/AES is pretty much a brick
Export regulations control could still control whether the lic could be applied under Smart Licencing
And what totally confused me was the Cisco Firepower documentation that makes the statement "this license is not generally required"
11-15-2021 09:44 AM
And elsewhere in the Firepower smart lic doco it lists strong encryption depending on the (smart) account export compliance
Kind of suggesting a std smart lic'd box would get 3DES/AES type stuff as long as the smart account has export compliance status
General Licenses | |
Encryption | Base (DES) or Strong (3DES/AES), depending on the account's export compliance setting |