cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
37331
Views
10
Helpful
31
Replies

FirePOWER Threat Defense - Smart Licensing FAQ's

dhvenkat
Cisco Employee
Cisco Employee

What are the FirePOWER ASA models which can support Firepower Threat Defense Image upgrade?

Following are the ASA FirePOWER models which can support Cisco Smart licensing                                             

                  • ASA5506W
                  • ASA5506
                  • ASA5506H
                  • ASA5508
                  • ASA5516
                  • ASA5512
                  • ASA5515
                  • ASA5525
                  • ASA5545
                  • ASA5555
                  • FPR9300
                  • FPR4110
                  • FPR4120
                  • FPR4140
                  • FPR4150

What is process to upgrade to Smart license on FirePOWER?

In order to upgrade to Smart, FireSIGHT/Defense Center needs to be upgraded to new FMC 6.0.1 SW version. There is no FIRESIGHT license in FMC 6.0.1. Add new ASA FirePOWER sensor or upgrade existing ASA FirePOWER sensor with Firepower Threat Defense image. Convert any unfulfilled PAKs to Smart entitlements using “Convert SMART” functionality on LRP. Use CSSM to convert partial device conversion to Smart.         

Where can I download the SW for FMC 6.0 and Firepower Threat defense?

SW for FMC 6.0 and FirePOWER Threat Defense can be downloaded from CCO download page. Reach to your Cisco contact for more information.

I tried to upgrade SW on my FireSIGHT device from 5.4 SW to FMC 6.0.1 but it failed

This can be related to HW and SW image dependency. Capture the error and please reach out to Cisco TAC for more help.

I tried to upgrade my ASA FirePOWER device from SW 5.4 to Firepower Threat Defense image but it failed

This can be related to HW and SW image dependency. Capture the error and please reach out to Cisco TAC for more help.
 

How can I convert my traditional ASA FirePOWER license to Smart entitlements?

            • Login to LRP with CCO ID
            • Add the PAK to their CCO ID, with Add New PAKs/Tokens option
            • On mouse over to the PAK, click on the options view and select "Convert to Smart entitlements"
            • Assign the Smart Account and Virtual Account
            • PAKs once converted to Smart cannot to converted back
            • Click Submit

My tried to convert an Unfulfilled ASA FirePOWER PAK to Smart entitlements but it failed ?

Verify if the PAK is already fulfilled inside the system. You can convert fulfilled PAKs to Smart entitlements. If the PAKs are unfulfilled and if it still fails please reach out to Cisco GLO for more support

Tried to convert a fulfilled ASA FirePOWER PAK to Smart entitlement and it failed ?

Conversion from traditional license PAK to Smart entitlements are allowed for only unfulfilled PAKs in FirePOWER. You can try to partial device conversion to convert the licenses already installed on the device from LRP.

              • Login to LRP with CCO ID
              • Click on Devices Tab
              • Select the device or use filter option to search for particular device using license-key of the device
              • On mouse over to the licenses, click on the options and select "Convert to Smart entitlements"
              • Select the licenses and submit

Note: You can convert licenses on a device to Smart only if all the licenses on the devices are smart convertible licenses. If there are any licenses which can be converted to Smart the conversion will fail.

How can I add my FMC device to my Smart Account ?

          • Login to CSSM portal with CCO ID, select your Smart account
          • Select on Inventory tab on the portal, click on New Token
          • Copy the Token information
          • Login to FMC, on the management console add the device token

How to convert unfulfilled ASA FirePOWER PAK to Smart entitlements ?

          • Login to LRP with CCO ID
          • Add the PAK to their CCO ID, with Add New PAKs/Tokens option
          • On mouse over to the PAK, click on the options view and select "Convert to Smart entitlements"
          • Assign the Smart Account and Virtual Account.
          • PAKs once converted to Smart cannot to converted back
          • Click Submit

What features available on ASA Firepower Threat Defense sensor ?

For ASAFirePOWER sensor with Firepower Threat defense image support smart license for

              • BASE
              • URLFilter
              • Advanced MALWARE (AMP) license
              • IPS term subscription
              • Advanced LE/SP features
              • Strong Crypto

BASE license replaces the "PROTECT+CONTROL" license in SMART

Can we have only ASA Smart features on ASA FirePOWER threat defense image ?

ASAFirePOWER threat defense image support both ASA license  and FirePOWER license. All ASA features are turned on default on ASA FirePOWER threat defense imgage.

What are the new FirePOWER Models that support smart license ?

FPR4110, FPR4120, FPR4140, FPR4150, FPR9K

 

what features support smart license for FPR 4100 and FPR 9300 series ?

For FPR 4100 and FPR9300 we support smart license for BASE, URLFilter and Advanced MALWARE (AMP) license, IPS, Advanced LE/SP features, Strong Crypto

What is FMC?

FireSIGHT also called as "Defense Center" can be upgraded to new SW version FMC 6.0. Once it is upgraded it is called FMC (Firepower Management Center)

Can FMC support both Smart and traditional Licenses?

Yes FMC can support both Smart license and traditional license

FireSIGHT upgrades to FMC failure?

This can be related to HW and SW image dependency

Want FIRESIGHT traditional License to convert to Smart license?

FIRESIGHT license is not required for FMC 6.0.1 (image which supports Smart). It is already integrated into the SW

 

31 Replies 31

Oliver Kaiser
Level 7
Level 7

I am currently using smart licensing for FTD. My current license will expire soon and I also see the new license in the Smart Licensing portal. Will it be assigned automatically to FMC or do I need to do anything else?

regards

Oliver

Hi all,

How to install anyconnect vpn license in Firepower 4120 for the ASA ?

i have the PAK for the ASA, but i don't know how to install in 4120.

Already enabled smart licensing,

Does it include anyconnect vpn license ?

How to install 5k user license in Firepower for ASA ?

As far as I have seen any connect is not yet supported in the Firepower Threat Defense software. The rumor is that it will be with the next release which should hopefully be soon (also rumored for March but ... that's almost done now).

Previous documents show that VPN licensing is 'all inclusive' already but anyconnect may be different. I expect it will need a new license for it to work with smart licensing, like everything else.

The 5515-X is missing from the list of supported hardware but is not End of Life/Support/Sale yet and there are Firepower Threat Defense software packages available to download for it. It seems that Cisco is either releasing software for it by mistake, or they have overlooked it on their support list. I contacted Licensing support and was told that the ASA 5515-X will not work with Firepower Threat Defense 6.2 and later because it requires the use of smart licensing and the 5515-X will not support smart licensing. However, I have tested installing FTD 6.2.0 on a 5515-X and it works fine with the evaluation smart license.

I'm not sure who to believe now. I just purchased 2 ASA 5515-X with Firepower under the understanding that they would work with Firepower Threat Defense (and that Firepower Services model is going away soon) so am I supposed to return them? Never upgrade past 6.1? Stay on Firepower Services design with the outdated ASA software and SFR module setup?

So far, support from Cisco doesn't seem to know the answer other than to point me back to that same list that is strangely missing the 5515 even though it is the same generation hardware as the 5512 and 5525.

Just talked to someone in TAC instead of Licensing support and they confirmed that it will work with smart licensing as long as the ASA 5515-X is running the Firepower Threat Defense integrated image (not the old deployment model with the SFR module for Firepower Services on ASA). The 5515-X is left off of documentation to drive people to buy the 5516 but the 5515 works fine.

Of course, now I am trying to use the ASA5515-X with Firepower Management Center (which I apparently bought a license for but don't need anymore?) and the FMC shows I am out of compliance but I can't figure out what I need to do to get in compliance. I have opened a ticket with the GLO people from Cisco but they only reply every 2 days or so and have done nothing. I asked them for help and they asked me how many licenses I needed. I told them 2 and they waited 2 days, did nothing and then replied asking if there is anything else I need help with. :/

I told the lady that I still need help with the original issue because she didn't do anything yet. No reply so far...

Are you using your 5515-X with FirePOWER Service module or FTD image?

The former uses classic licenses only while the latter uses Smart licenses only. Either can be managed by FirePOWER Management Center.

Even though you don't have to apply a classic license file with FMC for the management center itself anymore, you are still required to have purchased the product. That gives you right to use per the End User Licensing Agreement that is required to be acknowledged during initial installation

Yeah, I am using the integrated FTD image on both firewalls (in a failover HA setup controlled by the FMC). I can add the classic license to the "device" of the FMC but it doesn't help with the license compliance issue showing in the FMC.

The part about the FMC license is pretty silly. You have to have it to effectively run anything other than a single firewall so they really should make it free as it will encourage more hardware sales. I can see charging for the bigger FMC installs, for many managed devices. That's a big convenience for large deployments but again, making it free means you sell more gear and if you want feature parity with competition, I can get failover HA from just about any other firewall vendor without having to buy extra software. The part where you buy it, redeem the PAK and then can't do anything with the license they issue is pretty silly too. Makes you feel like you bought it for no reason. I don't know who made the decision on that but it is pretty weird.

Anyway, the License support people have not told me anything useful and now referred me to an email address specifically for Smart Licensing smart-support-team@cisco.com

When I email that address they have an auto responder that says they closed that team last summer. :(

Pretty frustrating experience when Cisco can't tell you how to properly buy and use their own products.

Have you registered your FMC in your organization's Smart licensing portal? That's a prerequisite to apply licenses to FTD-based sensors.

Once you do that, you should be able to assign and manage the FTD devices' Smart licenses as well.

Yeah I have, it shows up in the list of devices.

Hi all,

How to install anyconnect vpn license in Firepower 4120 for the ASA ?

i have the PAK for the ASA, but i don't know how to install in 4120.

Already enabled smart licensing,

Does it include anyconnect vpn license ?

How to install 5k user license in Firepower for ASA ?

Hi Jonathan,

What license is the compilance throwing error for?

Login to your Smart license portal and you should see the license which is consumed in excess to what you have...

We can help to resolve the issue if you can provide snapshot of your device to my email <dhvenkat@cisco.com> 

- DD (SW Licensing Cisco)

It is the "Firepower MCv Device License", in use 2 so I am short 2 of them. I have tried license conversion but it seems the ASA5515-CTRL-LIC cannot be converted. I'll email you the screenshot of the inventory page.

Thanks

Hi Jonathan,

I have replied to your email, 

MCv License is for virtual FMC models alone, you can get this license by converting any of your existing FireSIGHT license SKU (FS-VMW-2-SW-K9) to Smart license from License portal.

 Thanks,

DD (SW Licensing - Cisco)

Review Cisco Networking for a $25 gift card