FPR4150 HA licensing

LSA4
Level 1

If I have 2 4150 appliances and I want high availability,

do I buy TMC subscriptions for both firewalls?

As I read it, if you only buy for one, your Smart Account will be Out of Compliance. Does this mean the failover won't work?

The info I have read up on is confusing, e.g. below:

Firepower Threat Defense devices in a high availability configuration must have the same licenses. Before high availability is established, it does not matter which licenses are assigned to the secondary/standby device. During high availability configuration, the Firepower Management Center releases any unnecessary licenses assigned to the standby device and replaces them with identical licenses assigned to the primary/active device. For example, if the active device has a Base license and a Threat license, and the standby device has only a Base license, the Firepower Management Center communicates with the Cisco Smart Software Manager to obtain an available Threat license from your account for the standby device. If your Smart Licenses account does not include enough purchased entitlements, your account becomes Out-of-Compliance until you purchase the correct number of licenses. High availability configurations require two Smart License entitlements; one for each device in the pair.

Accepted Solution

Rahul Govindan
VIP Alumni

You need TMC on both Firewalls for Failover to work correctly. I haven't tried this, but if you have no licenses on the secondary and it becomes active, the new standby device also gets no licenses attached to it. The features that you enabled with the licenses (IPS, AMP, URL) can no longer work correctly since the license gets disabled for the entire system. Following is the behavior when a feature license gets disabled:


  • Malware license—The system stops querying the AMP cloud, and also stops acknowledging retrospective events sent from the AMP cloud. You cannot re-deploy existing access control policies if they include file policies that apply malware inspection. Note that for a very brief time after a Malware license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.

  • Threat—The system no longer applies intrusion or file-control policies. You cannot re-deploy existing policies that require the license.

  • URL Filtering—Access control rules with URL category conditions immediately stop filtering URLs, and the system no longer downloads updates to URL data. You cannot re-deploy existing access control policies if they include rules with category and reputation-based URL conditions.
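The reconciliation rule quoted in the question (standby licenses are released and replaced with a copy of the active device's, two entitlements per feature) and the failover consequences listed in this answer, written out as a small model you can run against your own license inventory. This is an added example, not code from the original thread or from Cisco. Feature names follow the quoted FMC documentation; the `available` entitlement counts are a constructed input (the page does not define how that number is obtained), and the effect strings are a summary of the answer, not Cisco's wording.

```python
"""Model of the FMC HA license reconciliation quoted in the question and the
unlicensed-secondary failover scenario described in the accepted answer.

Constructed illustration: feature license names follow the quoted FMC
documentation; the entitlement counts used below are made up.
"""
from typing import Dict, Iterable, Set, Tuple

FEATURE_LICENSES = ("Base", "Threat", "Malware", "URL Filtering")

# What the accepted answer says stops working once a feature license is
# disabled (summarised here; not the answer's own wording).
LOSS_ON_DISABLE = {
    "Threat": "intrusion and file-control policies are no longer applied",
    "Malware": "AMP cloud queries stop; cached dispositions expire to Unavailable",
    "URL Filtering": "URL category rules stop filtering; URL data updates stop",
}


def reconcile_ha_licenses(active: Iterable[str],
                          standby: Iterable[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (standby_after, released, requested).

    Per the quoted documentation: when HA is formed, the FMC releases the
    standby's licenses that the active does not have and requests identical
    copies of the active's licenses for the standby from the Smart Account.
    """
    active_set, standby_set = set(active), set(standby)
    unknown = (active_set | standby_set) - set(FEATURE_LICENSES)
    if unknown:
        raise ValueError(f"unknown feature license(s): {sorted(unknown)}")
    if "Base" not in active_set:
        raise ValueError("active device must carry the Base license")
    released = standby_set - active_set      # standby-only licenses, dropped
    requested = active_set - standby_set     # pulled from the Smart Account
    return set(active_set), released, requested


def entitlement_shortfall(active: Iterable[str],
                          available: Dict[str, int]) -> Dict[str, int]:
    """Per-feature entitlements the pair needs but the account cannot supply.

    An HA pair consumes two entitlements per feature license, one per device.
    `available` is assumed to be the purchased count per feature that is not
    consumed by other devices (an assumed input, not defined by the page).
    A non-empty result means the account goes Out-of-Compliance.
    """
    return {
        feature: 2 - available.get(feature, 0)
        for feature in set(active)
        if available.get(feature, 0) < 2
    }


def failover_impact(new_active: Iterable[str],
                    required: Iterable[str]) -> Dict[str, str]:
    """Features that stop working if `new_active` becomes the active unit while
    the pair is meant to run `required` (the answer's unlicensed-secondary case)."""
    missing = set(required) - set(new_active)
    return {f: LOSS_ON_DISABLE[f] for f in sorted(missing) if f in LOSS_ON_DISABLE}


if __name__ == "__main__":
    active = ["Base", "Threat", "URL Filtering"]
    standby = ["Base", "Malware"]        # constructed: mismatched standby licenses
    after, released, requested = reconcile_ha_licenses(active, standby)
    print("standby after HA:", sorted(after))
    print("released:", sorted(released), "requested:", sorted(requested))
    # Constructed account: only one Threat entitlement bought for the pair.
    short = entitlement_shortfall(active, {"Base": 2, "Threat": 1, "URL Filtering": 2})
    print("Out-of-Compliance" if short else "compliant", short)
    for feature, effect in failover_impact(["Base"], active).items():
        print(f"lost on failover without {feature}: {effect}")
```

Run it with the two devices' current license sets and the count of unassigned entitlements per feature in your Smart Account; a non-empty shortfall tells you which subscriptions to buy before forming the pair rather than after the account has already gone Out-of-Compliance.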
