Solved: Re: FMC - Firepower - SFR - ASA - FTD - FDM

Wee2o · ‎08-30-2022

Currently I am having trouble understanding all these products.

I purchased two ASA 5508-X and during the setup Cisco TAC advised to install something called "FMC" to manage the device.

I am renewing the same contracts every year.

Recently whenever I try to raise a TAC ticket it always goes to the "Entitlement Team" and they keep asking for the serial number and contract number and they comeback saying it's not covered.

So just to understand:

1. If I am elgible to download all the above FMC - Firepower - SFR - ASA - FTD from cisco download, then I can use them and get support is that correct?

2. My understanding also is the ASA+SFR is FTD is that correct? TAC also recommended switching to FTD, because it's the new generation firewall.

3. Since I am not getting a clear answer from the entitlement team? So which products do I need to purchase to be able to get support from cisco?

Marvin Rhoads · ‎09-04-2022

For FMC, when you purchase the product you are given entitlement to download it and the right to use it for the tier of licensed devices purchased (2, 10, or 25).

To get TAC support, it is also required to purchase a support contract (Smartnet). That is a separate line item (SKU) and is not automatically included. When purchased, it will be associated with a support contract number which should be associated with your cisco.com ID. That current contract plus that association is what entitles you as part of the organization with whom the contract is associated to obtain TAC support.

Example:

FS-VMW-2-SW-K9 is the product FMC virtual for 2 devices. (list price US$500)

CON-ECMUS-VMWSW2 is the support contract for that product. (list price US$120 for one year)

View solution in original post

FranciscoOpenLink · ‎08-30-2022

Hello

The FMC (The Firewall Management Center) is a server used to manage several firepower devices.

The ASA with Firepower module: It is an ASA device that has an integrated ship that has some firepower functions which you can manage from the FMC, however you continue to keep the ASA administration.

The Firepower: It is a new generation firewall, if you manage it from the FMC you lose local administration.

What you must have under a Cisco contract is the Firewall, in your case you have an ASA 5508-X with a firepower module, I imagine that your equipment is already out of contract, so you must update it to a Firepower. (The serial you are going to give is the Firepower one).

Communicate with your partner and he will know which solution is the most suitable for you.

Wee2o · ‎08-30-2022

Actually, the devices with the firepower module are in the contract. They are saying FMC is not covered however I am able to download it. and if FMC is not covered how am supposed to manage the device!?

FranciscoOpenLink · ‎08-31-2022

Ok, the FMC also has a license and a contract. The Software can be downloaded for free from the internet but then you have to license it.

Marius Gunnerud · ‎08-31-2022

To manage an FTD running Firepower software, you can either use the on box Firepower Device Manager (FDM) or install the Firepower Management Center (FMC). Depending on the size of your network and the functionality you require from the FTD you would need to decide which one you want to go for. So far the FDM doesn't support all the features that are supported in FMC, but if you have a small network you might not need the FMC. For both you would also need to decide which licenses you will purchase and that would depend on your needs.

1. If I am elgible to download all the above FMC - Firepower - SFR - ASA - FTD from cisco download, then I can use them and get support is that correct? What you are able to download is based on when privileges your user is given when the device is registered to your Cisco account. Usually you will be given rights to only download software that is already installed on the device that is shipped to you. For newer software you would need a support contract (usually through a Cisco partner) which would also entitle you to TAC support.

2. My understanding also is the ASA+SFR is FTD is that correct? TAC also recommended switching to FTD, because it's the new generation firewall. This is not correct. SFR is just a module that is installed on the ASA. Though you can reimage the ASA to only run FTD software. The ASA5508 is end of life and will be end of support in 2026. FTD hardware would be FTD1000, FTD 2000, FTD3000 (new release), and FTD4100 series. on these you can run FTD software or if you wish you can run ASA software.

3. Since I am not getting a clear answer from the entitlement team? So which products do I need to purchase to be able to get support from cisco? You would need to purchase a support contract from Cisco, this is not product based. Your local Cisco partner should be able to assist you with this, or you can contact Cisco yourself perhaps. If you already have other devices that are on support contract with Cisco, you would need to get the new ASAs added to that same contract.

--
Please remember to select a correct answer and rate helpful posts

Wee2o · ‎08-31-2022

Thanks!

1. I can download newer software without any issue, I even update my FMC and ASA/ASDM to the latest recommended, so i guess this means its in the contract correct?

2. Since I have access to FTD download and can be installed on the ASA5508-X, will i get support or do i need to buy FTD for ASA5508-X?

3. I do have a support contract with cisco which is covering the ASA/SFR and updates(Cisco ASA5508 FirePOWER IPS, AMP and URL Licenses) as well, unfortuntly we are small company and we dont get attention from any of the distributor in the region. that is why i am trying to reach out to cisco and community.

My FMC has license installed and it is being renewed in the smart license portal. do I need to purchase FMC seperately to manage the two Firewall? If I did not purchase before how is the license is working and how I have access to download?

Marius Gunnerud · ‎09-03-2022

1. I can download newer software without any issue, I even update my FMC and ASA/ASDM to the latest recommended, so i guess this means its in the contract correct? Ability to download software might be that you have been given to much privilege, or that you do have a support contract but the devices have not been associated with that contract. To check your device coverage on contracts you can go to Cisco Coverage Checker

2. Since I have access to FTD download and can be installed on the ASA5508-X, will i get support or do i need to buy FTD for ASA5508-X? Buying FTD for ASA5508 will not give you the right to support. The support contract is a separate subscription based purchase. I really do suggest you contact your local Cisco partner or contact Cisco your selves if you feel that the partners do not give you the attention you are looking for.

3. I do have a support contract with cisco which is covering the ASA/SFR and updates(Cisco ASA5508 FirePOWER IPS, AMP and URL Licenses) as well, unfortuntly we are small company and we dont get attention from any of the distributor in the region. that is why i am trying to reach out to cisco and community. If you do have a support contract with Cisco then chances are that the devices in question are not added to your contract. I find it strange that your company does not get attention from the distributors, what region are you located in? Unfortunately we in the community wont be able to help much getting your devices under contract.

My FMC has license installed and it is being renewed in the smart license portal. do I need to purchase FMC seperately to manage the two Firewall? If I did not purchase before how is the license is working and how I have access to download? I do not understand what you are say here. First you mention that you have an FMC with license installed and being renewed in the smart licensing portal, and then you say if you did not purchase the license, how you are able to have access to download. So what is the situation? Do you have an FMC installed with license or not? If the FMC you have is a virtual FMC you only need to purchase licenses for it to work.

--
Please remember to select a correct answer and rate helpful posts

Wee2o · ‎09-03-2022

1. Thanks for the website I have checked and both devices are covered.

2/3. I am located in Dubai - UAE.

4. sorry to confuse you, I will ask a direct question. I have FMCv licensed and managing the 2 devices. why is Cisco refusing to support the FMC mentioning it is not in the contract? how is it licensed then?

I appreciate your suppot.

Marvin Rhoads · ‎09-04-2022

For FMC, when you purchase the product you are given entitlement to download it and the right to use it for the tier of licensed devices purchased (2, 10, or 25).

To get TAC support, it is also required to purchase a support contract (Smartnet). That is a separate line item (SKU) and is not automatically included. When purchased, it will be associated with a support contract number which should be associated with your cisco.com ID. That current contract plus that association is what entitles you as part of the organization with whom the contract is associated to obtain TAC support.

Example:

FS-VMW-2-SW-K9 is the product FMC virtual for 2 devices. (list price US$500)

CON-ECMUS-VMWSW2 is the support contract for that product. (list price US$120 for one year)

Wee2o · ‎09-04-2022

Thank you this is very helpful, I wonder why the cisco entitlement team does not have this information.

So I just need to buy the CON-ECMUS-VMWSW2 to get the FMC support.

Wee2o · ‎09-04-2022

Why I cannot find these part numbers here? Build & Price (cisco.com)

Marvin Rhoads · ‎09-05-2022

@Wee2o I don't know - it works for me.

Wee2o · ‎09-05-2022

Thanks you Main search does not work, but it works from the estimates. the cisco websites are not user friendly at all, and you have to navigate 4 websites to check your stuff. Thank you, you are super helpful, you should head the Global support team in cisco. Seriously!