05-09-2017 07:34 AM - edited 02-21-2020 06:04 AM
Hello,
We have purchased a pair of 4110 appliances with IPS subscription and intend to run them using FTD 6.2 image. We are using FMC virtual to manage the devices.
Since this will be deployed in an air-gapped network, internet connectivity is not possible, hence smart licensing would not be convenient, especially after the 3-month sync period expires. Even satellite or manual licensing might not be possible. We tried to request a permanent license reservation (PLR), but the feedback we are getting is that it is not supported for the FTD image, only the ASA image, meaning we will waste the paid subscription if we run the ASA version.
There is an open bug for this (FTD support PLR CSCvc01298) but still no workaround.
- Is there any timeframe / roadmap when the PLR will be supported for FTD on 4100 appliances?
- If the device becomes unsynchronized, what functionalities would we lose? Can we modify the rules and policies?
- If we deploy this as ASA image, and if PLR would be supported in 6.3, would we lose any subscription time if we install the subscription license after we upgrade to 6.3?
All help is appreciated
06-01-2017 07:50 AM
We have the same problem as we run an air-gapped network. I opened a thread on this site and asked the same question but didn't get a clear answer. We need the same functionality as the old ASA with PAK, and we want to manually update the IPS/GeoLoc/AVC database without any online connection to the internet and without periodic license verification.
Honestly, I didn't get the reason why Cisco moved to Smart Licensing when you are running a physical appliance. It may be reasonable for NFV (VM appliance) but not for physical appliances.
What makes things worse is that even the perpetual license features (FW, NAT) need to connect to the internet every month.
After 3 months with no success with the FTD solution, we are trying Fortinet FortiGate with the same feature set. It worked in the air-gapped network and does not need internet access on your management network, as you can download IPS/AV/AVC updates from their support site and manually update those security services fully offline (some cloud-based security services still need an internet connection).
It is really sad for me to move away from the Cisco firewall solution, as I have been working with their firewall/IPS technology for more than 12 years. I hope Cisco eventually fixes that problem, as FTD looks like a great and promising solution.
06-01-2017 06:58 PM
You don't need to install a smart license on the device if you're running FTD. The FTD license is distributed from the FMC. This is unfortunately not too clear in the documentation. If you run ASA code on the 4100 device then you do need to have the smart license activated by either giving the device Internet access or setting up a smart license satellite (VM) in your network. However, if you're running FTD only the FMC needs to have its smart license enabled. It then pulls the license entitlements for all your FTD devices from the Cisco license server. Hope that clears things up a little.
06-04-2017 12:12 PM
Does that mean that it is not possible to register an appliance running FTD using a satellite server? I thought that we could connect the satellite server to the internet, let it sync with Cisco servers, then disconnect it, change its IP and place it in the air-gapped network to act as a license server for the FMC present in that network.
As the others mentioned, it has been a pain to go through all this (still unsuccessful), wasting all this effort on a licensing issue. I hope Cisco acts fast on this; I have seen how this licensing model can turn away several potential customers.
06-06-2017 06:15 AM
Thanks for the response, but there are still too many things unclear, and it looks like Cisco doesn't want to give customers a clear answer. These are some questions I have asked many, many times with no success:
- Does the basic FTD stateful firewall/NAT functionality need Smart Licensing and internet access on the FMC, given that it is perpetual and there is no reason for any license verification? We are still running some ASA 5585-X in our DC for 3-tiered apps, and all we need is stateful firewall inspection (between WEB-APP-DB); we don't want any internet access from FP/FMC to the Internet.
- What is the license management tool for FTD? Smart Licensing / Satellite proxy, or the FMC (we don't even want a Satellite server in offline mode)?
- As others asked, what happens when some term-based licenses (IPS/AVC/Malware) can't access the internet for more than 3 months? Will those features be rate-limited like on ASAv, or will they just not get any updates from the Cisco cloud?