Just upgraded two 5515X to FTD, do I need to purchase FMC for HA?

Jack G
Level 1

Just upgraded two 5515X to FTD, do I need to purchase FMC for HA? I used to be able to do HA without additional purchase. If I need to purchase FMC, is this the correct license for VMware ESXi? SF-FMC-VMW-2-K9. Also, is there SmartNet I need to get as well for supporting FMC? If so, is there a SKU for that?

Thanks in advance!

Accepted Solutions

Marvin Rhoads
Hall of Fame

Yes, FMC is required. 

Per the configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_high_availability.html

Software Requirements

The two units in a High Availability configuration must:

  • Be in the same firewall mode (routed or transparent).

  • Have the same major (first number), minor (second number), and maintenance (third number) software version.

  • Be in the same domain or group on the Firepower Management Center.

  • Have the same NTP configuration. See Configure NTP Time Synchronization for Threat Defense.

  • Be fully deployed on the Firepower Management Center with no uncommitted changes.

  • Not have DHCP or PPPoE configured in any of their interfaces.

It's a bit too subtle, but bullets 3 and 5 both mention FMC. Additionally, the FDM on-box manager does not provide the capability to set up HA.

The SKU you mentioned suffices to license an FMC to manage a single HA pair. It is a Smart license like the FTD devices are. In HA it manages the licenses. There is a Smartnet line item that goes with it - CON-ECMU-SFMMCVWK is the SKU. You can purchase that in 1-, 3- or 5-year term.

Marvin,

Thank you so much for verifying. Just wanted to ensure I had to purchase FMC and it wasn't free when using HA. I also wanted to verify I had the correct SKUs.

My last question would be: if I change the FMC IP address to a different management IP address, but it's still on the management network, will the FMC still manage the devices, or do I have to remove the firewalls and add them again to FMC? Just trying to figure out how FMC IP address changes affect the management of devices.
