Cedrik
Beginner

FirePower on Multicontext ASA

I'm looking to activate the FirePower services on a 5555X ASA which runs in HA and multi-context mode (3 contexts). I'm used to managing FirePower devices and multi-context ASAs but never tried both together up to this point.

 

Are there any license requirements for multi-context or do we only need standard FirePower licenses? (1 L-ASA5555-TAMC per device?) FirePower boxes seem to allow for 10 contexts without additional licenses but I can't find the information for the FirePower module running on ASA boxes.

 

Will each Firepower module consume a single license in the Management center or does each context count as a managed device?

 

Also, I have a couple of technical questions - I guess I'll find out in the lab tests but I'm a bit curious:

My understanding is that the FP module can only be activated/deactivated for all contexts but there's only a need for FP in 2 of our 3 ASA contexts. Are the contexts shown as separate devices in the management center? If so I guess it would be simple to just apply a policy to allow all the traffic for one of the contexts.

 

Thanks!

1 ACCEPTED SOLUTION

Sheraz.Salim
VIP Advocate

I'm looking to activate the FirePower services on a 5555X ASA which runs in HA and multi-context mode (3 contexts). I'm used to managing FirePower devices and multi-context ASAs but never tried both together up to this point.

As long as you have worked on ASA with SFR, it's the same thing, nothing to worry about.

Are there any license requirements for multi-context or do we only need standard FirePower licenses? (1 L-ASA5555-TAMC per device?) FirePower boxes seem to allow for 10 contexts without additional licenses but I can't find the information for the FirePower module running on ASA boxes.

If SFR (which I am sure you are on, ASA software with SFR), that will be a traditional license. And to answer your question on (1 L-ASA5555-TAMC per device?): yes.

Will each Firepower module consume a single license in the Management center or does each context count as a managed device?

Single license per ASA box.

My understanding is that the FP module can only be activated/deactivated for all contexts but there's only a need for FP in 2 of our 3 ASA contexts. Are the contexts shown as separate devices in the management center? If so I guess it would be simple to just apply a policy to allow all the traffic for one of the contexts.

In my production network we are running multi-context but with only one context. I remember when I added the SFR in FMC, it just picked up everything itself and I have to deivce the interfaces from the object management tab.

Please do not forget to rate.


Marvin Rhoads
Hall of Fame Guru

In addition to what @Sheraz.Salim correctly replied, I would add that the Firepower service module really isn't aware of the multiple contexts. It is a single managed device (per physical ASA - so two devices if you have an HA pair of ASAs) in FMC, it uses one license and it has a single policy set applied to it. So your Firepower policy set needs to account for any and all contexts that are sending traffic to it via their respective service-policy setting(s) in the individual ASA contexts.
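
An added example, not part of the original thread and not any poster's configuration: because redirection to the module is set by each context's own service-policy, a context that does not need inspection can simply omit the `sfr` action. The context names, the ACL and class-map names, and the 192.0.2.0/24 range are hypothetical.

```cisco
! Constructed example. Context names (ctx-a, ctx-b, ctx-c), the ACL and
! class-map names, and 192.0.2.0/24 are hypothetical.
! "sfr fail-open" passes traffic uninspected if the module is unavailable;
! "sfr fail-close" drops it instead. Choose per context.

! ctx-a: send all IP traffic to the module
changeto context ctx-a
configure terminal
 access-list SFR-REDIRECT extended permit ip any any
 class-map SFR-CLASS
  match access-list SFR-REDIRECT
 policy-map global_policy
  class SFR-CLASS
   sfr fail-open
 service-policy global_policy global
end

! ctx-b: send only one subnet's traffic to the module
changeto context ctx-b
configure terminal
 access-list SFR-REDIRECT extended permit ip 192.0.2.0 255.255.255.0 any
 class-map SFR-CLASS
  match access-list SFR-REDIRECT
 policy-map global_policy
  class SFR-CLASS
   sfr fail-close
 service-policy global_policy global
end

! ctx-c: no sfr action is configured, so nothing from this context is
! redirected. Confirm that no sfr class is listed:
changeto context ctx-c
show service-policy sfr

! Module status is checked from the system execution space
changeto system
show module sfr details
```

Traffic from ctx-a and ctx-b arrives at the same managed device in FMC, so the single policy set applied to that device has to cover both.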
