Questions regarding Cisco ASA with Firepower + Firepower Management Center

roesch4alc
Level 1

Hi,

I still don't fully understand the licensing in relation to Cisco ASA Firepower licensing. I already asked a question regarding the FMC here: https://supportforums.cisco.com/discussion/13086371/firesight-license-60-not-needed. I learned that for Firesight we still need a license for support. In general, I read the new order guide (http://www.cisco.com/c/en/us/products/collateral/security/firepower-8000-series-appliances/guide-c07-737902.html?cachemode=refresh).

Let's assume we want to use 2x Cisco ASA5525-X as a failover pair with a failover Firepower Services module. The Firesight Management Center is standalone, installed as a virtual machine in VMware. The complete system is up and running, everything is prepared, and only the Control licenses are installed.

Now I want to sum up my question with an example. My question is: what licenses are really necessary in order to be able/allowed to make software updates/upgrades for the Cisco ASA Firepower software and the Firesight Management Center software?

Are these licenses sufficient?

- 2x Cisco ASA5525 Firepower IPS 3YR L-ASA5525-TA-3Y

- Cisco Service SW App Supp + Upgr (SAU) FS-VMW-2-SW-K9

For what reasons do I need to order L-ASA5525-TA-3Y? Is it necessary to 1.) get product updates/upgrades and 2.) be able to download IPS patterns? This is a question because, until now, I didn't install any license but the Control license, but as you can see, I was already able to activate Protection and Control for both ASA sensors. What would happen if I don't order and install L-ASA5525-TA-3Y; what features would not be accessible/usable?

I just want to clarify all these questions... Hopefully some of you guys have already been through this jungle ;)

Best Regards,

Sebastian


7 Replies 7

nspasov
Cisco Employee

Hello Sebastian. My answers below:

I learned that for Firesight we still need a license for support. In general, I read the new order guide.

NS: Yes, even though it is not enforced anymore, the license should still be purchased to be compliant.

Are these licenses sufficient?
- 2x Cisco ASA5525 Firepower IPS 3YR L-ASA5525-TA-3Y
- Cisco Service SW App Supp + Upgr (SAU) FS-VMW-2-SW-K9

NS: Those licenses will give you Layer 7 Firewall and IPS for the ASA (See below) and Software + Support (TAC) for the virtual FireSIGHT/Defense Center/Firepower Management Center.

For what reasons do I need to order L-ASA5525-TA-3Y?

NS: This license is a 3-year subscription for the ASA model 5525 that enables the IPS (Snort) capabilities of Sourcefire. This license is required if you want to receive IPS signature updates and to be able to configure IPS policies inside FMC.

Is it necessary to 1.) get product updates/upgrades and 2.) be able to download IPS patterns?

NS: Yes, it is necessary for IPS signature updates.

This is a question because, until now, I didn't install any license but the Control license, but as you can see, I was already able to activate Protection and Control for both ASA sensors. What would happen if I don't order and install L-ASA5525-TA-3Y; what features would not be accessible/usable?

NS: That is correct: every ASA (if purchased with the base FirePOWER bundle) will come by default with the Control and Protect license, which is essentially the L7 firewall. The rest of the features (AMP, IPS and URL Filtering) are an additional subscription.

I hope this helps!

Thank you for rating helpful posts!


Hi NS,

Thanks for your detailed answer, I appreciate it. Just one more question: with the L-ASA5525-TA-3Y license, does it behave the same way as the Firesight license, in that I am not forced to install the license?

I learned this license is an RTU (right to use) license. So I only get a license confirmation, but no license file to download or install into FMC. So I could force the FMC system to download these IPS patterns, even though this is not legal.

I think this whole topic could be explained better in the licensing guide; currently I am not able to understand it without additional questions. Very confusing for me.

Have a nice day,

Best Regards

Sebastian

Hi Sebastian-

I hear your pain as licensing has always been a major pain when dealing with not only Cisco but just about any other vendor out there :)

To answer your question: the L-ASA5525-TA-3Y is definitely NOT an RTU type license. This one, along with URL Filtering and AMP, is a must if you want to use those features. If the license is not present then those features will not work.

Thank you for rating helpful posts!


Hi,

I cannot really confirm that it is the same with the other vendors... I have had different experiences.

But now, after your answer:

Quote:

To answer your question: the L-ASA5525-TA-3Y is definitely NOT an RTU type license. This one, along with URL Filtering and AMP, is a must if you want to use those features. If the license is not present then those features will not work.

it is starting to become more confusing for me!

This is because I got this answer from a Cisco TAC engineer!

Quote:

I clarified this from my end: for you to enable this, you will require a Protect and Control license for you to be allowed your software downloads (for IPS patterns etc.).

This IPS RTU license is not really a feature for you to enable on your end.

For your reference, here's how Sourcefire licenses work: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118396-technote-firesight-00.html as we don't have proper documentation for the IPS licenses.

So, what's right now? Two people, two statements... That's not very easy ;(

Regards

Sebastian

For the IPS feature on Sourcefire appliances and ASA FirePOWER modules, Cisco does not currently enforce by technical means the ability to continue to download Snort Rule Updates (SRU) and Vulnerability Database (VDB) into your FMC or ASDM and then apply them to any registered devices having the non-expiring Protect + Control licenses.

i.e., they do not check for the presence of a valid IPS subscription or support contract like they used to with the classic Cisco IPS.

However, the terms of use of the subscription agreement require you to have a current subscription to continue these updates.

In contrast, policy elements using the URL filtering and AMP licenses will stop working once those licenses expire.

Furthermore, let me add the fact that there is no SKU download available. The license I could download after we ordered it and received the eDelivery mail is only a license EULA, no SKU or license file.... So very confusing for me.

nspasov
Cisco Employee

Marvin, I stand corrected! Thank you for chiming in and correcting me, as I think I was on auto-pilot and referencing knowledge from legacy Cisco IPS :/ Upon reviewing my Sourcefire notes I realized my mistake. Endorsement for you, sir!

Happy holidays!

Neno
