Just upgraded two 5515X to FTD, do I need to purchase FMC for HA?

Jack G
Level 1

Just upgraded two 5515X to FTD, do I need to purchase FMC for HA? I used to be able to do HA without additional purchase. If I need to purchase FMC, is this the correct license for VMware ESXi: SF-FMC-VMW-2-K9? Also, is there SmartNet I need to get as well for supporting FMC? If so, is there a SKU for that?

Thanks in advance!

Accepted Solutions

Marvin Rhoads
Hall of Fame

Yes, FMC is required. 

Per the configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_high_availability.html

Software Requirements

The two units in a High Availability configuration must:

  • Be in the same firewall mode (routed or transparent).

  • Have the same major (first number), minor (second number), and maintenance (third number) software version.

  • Be in the same domain or group on the Firepower Management Center.

  • Have the same NTP configuration. See Configure NTP Time Synchronization for Threat Defense.

  • Be fully deployed on the Firepower Management Center with no uncommitted changes.

  • Not have DHCP or PPPoE configured in any of their interfaces.

It's a bit too subtle, but bullets 3 and 5 both mention FMC. Additionally, the FDM on-box manager does not provide the capability to set up HA.

The SKU you mentioned suffices to license an FMC to manage a single HA pair. It is a Smart license like the FTD devices are. In HA it manages the licenses. There is a Smartnet line item that goes with it - CON-ECMU-SFMMCVWK is the SKU. You can purchase that in 1-, 3- or 5-year term.


Marvin,

Thank you so much for verifying. Just wanted to ensure I had to purchase FMC and it wasn't free when using HA. I also wanted to verify I had the correct SKUs.

My last question would be: if I change the FMC IP address to a different management IP address, but it's still on the management network, will the FMC still manage the devices, or do I have to remove the firewalls and add them again to FMC? Just trying to figure out how FMC IP address changes affect the management of devices.
