Solved: Firepower and expired licenses

Chess Norris · ‎08-02-2022

Hello,

We have an ASA5585-SSP-20 with both IPS, Malware and URL filtering licenses. This ASA is EOL and we cannot extend the licenses and the will expire next month. We are migrating to a FTD 4112-X, but the delivery was delayed and we just received them so I am not sure we will be able to finish the migration before the licenses expires. The question is what will happen when those licenses expires? Is it only the IPS signature and security intelligence updates that we will not be able to download and install or will affect all the current rules that are using IPS and URL filter?

Thanks

/Chess

Marius Gunnerud · ‎08-02-2022

Any updates from the cloud, so as you mentioned Snort updates (IPS), URL malware sites downloads, etc. will no longer be updated. You will also not be able to configure anything that will require those licenses to be active, infact you will not be able to do any deployment until you remove any and all configuration that requires theses licenses. The only thing you will be able to configure are the ACP rules not referencing URL, File, Malware or IPS.

If you do not need to make any configuration changes during the migration period then you should not experience any problems. I suppose you could classify the installation as running in a degraded state due to the downloads and configuration limitations.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎08-02-2022

Any updates from the cloud, so as you mentioned Snort updates (IPS), URL malware sites downloads, etc. will no longer be updated. You will also not be able to configure anything that will require those licenses to be active, infact you will not be able to do any deployment until you remove any and all configuration that requires theses licenses. The only thing you will be able to configure are the ACP rules not referencing URL, File, Malware or IPS.

If you do not need to make any configuration changes during the migration period then you should not experience any problems. I suppose you could classify the installation as running in a degraded state due to the downloads and configuration limitations.

--
Please remember to select a correct answer and rate helpful posts

Chess Norris · ‎08-02-2022

Thanks for clarifying this.

/Chess

Marvin Rhoads · ‎08-02-2022

Actually, URL and File/Malware rules will be the only ones affected.

The IPS feature which is based on a subscription will continue to be available although the subscription is technically expired. The IPS features rely on the Protect+Control license which is permanent along with right-to-use the subscription which Cisco doesn't check on these PAK-based license types used on Firepower service modules.

Marius Gunnerud · ‎08-02-2022

Are you sure IPS will still be available? according to documentation they will not be triggered.

If you disable Threat on managed devices, the Firepower Management Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criteria stop firing. Additionally, the Firepower Management Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing intrusion policies until you re-enable Threat.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/licensing_the_firepower_system.pdf

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads · ‎08-03-2022

@Marius Gunnerud that is true for the Threat license. However Threat is specific to FTD and Smart licenses. The original poster is inquiring about ASA 5585-X with Firepower service module. That device type uses the PAK-based classic license, specifically the Protect+Control license (permanent) which works in conjunction with the IPS subscription. The Cisco Security Intelligence feed along with the ability to download and install SRUs (Snort Rule Updates) and VDB updates is not affected by the IPS subscription expiring.