01-17-2019 07:49 AM - edited 03-12-2019 07:13 AM
I'm looking to activate the FirePower services on a 5555X ASA which runs in HA and multi-context mode (3 contexts). I'm used to managing FirePower devices and multi-context ASAs but never tried both together up to this point.
Are there any license requirements for multi-context or do we only need standard FirePower licenses? (1 L-ASA5555-TAMC per device?) FirePower boxes seem to allow for 10 contexts without additional licenses but I can't find the information for the FirePower module running on ASA boxes.
Will each Firepower module consume a single license in the Management center or does each context count as a managed device?
Also, I have a couple of technical questions - I guess I'll find out in the lab tests but I'm a bit curious:
My understanding is that the FP module can only be activated/deactivated for all contexts but there's only a need for FP in 2 of our 3 ASA contexts. Are the contexts shown as separate devices in the management center? If so I guess it would be simple to just apply a policy to allow all the traffic for one of the contexts.
Thanks!
01-17-2019 09:26 AM
I'm looking to activate the FirePower services on a 5555X ASA which runs in HA and multi-context mode (3 contexts). I'm used to managing FirePower devices and multi-context ASAs but never tried both together up to this point.
As long as you have worked on ASA with SFR, it's the same thing, nothing to worry about.
Are there any license requirements for multi-context or do we only need standard FirePower licenses? (1 L-ASA5555-TAMC per device?) FirePower boxes seem to allow for 10 contexts without additional licenses but I can't find the information for the FirePower module running on ASA boxes.
If SFR, which I am sure you are on ASA software with SFR, which will be a traditional license. And to answer your question on (1 L-ASA5555-TAMC per device?): yes.
Will each Firepower module consume a single license in the Management center or does each context count as a managed device?
Single license per box of ASA.
My understanding is that the FP module can only be activated/deactivated for all contexts but there's only a need for FP in 2 of our 3 ASA contexts. Are the contexts shown as separate devices in the management center? If so I guess it would be simple to just apply a policy to allow all the traffic for one of the contexts.
In my production network we are running multi context but with only one context. I remember when I added the SFR in FMC, it just picked up everything itself and I have to device the interfaces from the object management tab.
01-17-2019 10:00 PM
In addition to what @Sheraz.Salim correctly replied, I would add that the Firepower service module really isn't aware of the multiple contexts. It is a single managed device (per physical ASA - so two devices if you have an HA pair of ASAs) in FMC, it uses one license and it has a single policy set applied to it. So your Firepower policy set needs to account for any and all contexts that are sending traffic to it via their respective service-policy setting(s) in the individual ASA contexts.
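An added illustration of the per-context service-policy point in the reply above (not part of any post in this thread and not Cisco's own configuration): redirection to the module is configured inside each ASA context, so a context whose service policy has no `sfr` action sends no traffic to the module. The context names CTX-A, CTX-B and CTX-C and the ACL and class names are hypothetical.

```cisco
! Constructed example. Context, ACL and class names are hypothetical.
! Start from the system execution space of the multi-context ASA.

! --- Context 1 of 2 that needs Firepower inspection ---
changeto context CTX-A
configure terminal
 ! Select the traffic in this context that is sent to the module
 access-list SFR_REDIRECT extended permit ip any any
 class-map SFR_CLASS
  match access-list SFR_REDIRECT
 policy-map global_policy
  class SFR_CLASS
   ! fail-open: traffic keeps flowing if the module is unavailable
   sfr fail-open
 ! No change if global_policy is already applied globally
 service-policy global_policy global
end

! --- Context 2 of 2 that needs Firepower inspection ---
changeto context CTX-B
configure terminal
 access-list SFR_REDIRECT extended permit ip any any
 class-map SFR_CLASS
  match access-list SFR_REDIRECT
 policy-map global_policy
  class SFR_CLASS
   sfr fail-open
 service-policy global_policy global
end

! --- Context that does not need Firepower inspection ---
changeto context CTX-C
! No class with an "sfr" action is configured here, so this
! context redirects nothing to the module.
! Check which classes, if any, redirect traffic in this context:
show service-policy sfr
```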