Showing results for 
Search instead for 
Did you mean: 

Setup new ASA with Firepower

Mohd Khairul Nizam

Hi all,

i just bought and receive below item

1. ASA5515-FPWR-K9 ASA 5515-X with FirePOWER Services 6GE AC 3DES/AES SSD

2. SF-FP5.3.1-K9 - Cisco FirePOWER Softwarev5.3.1

3. ASA5515-CTRL-LIC Cisco ASA5515 Control License



1. Is there any guide/manual on how to install/enable the Firepower? I couldn't see inside ASDM? i now how to configure the traditional ASA

2. I'm trying to install the Control License but it asking for License Key of sourcefire? where to get?


The VDB files support the IPS functionality. While you would have the access to download them with a FireSIGHT Management Center or any of the IPS, URL Filtering or Malware (AMP) licenses (in your case the TAMC includes all of those latter three), you could only use them in a policy if you have an Control and IPS license (at least) on one of the devices (FirePOWER appliance or ASA FirePOWER module) that you are managing.

Your time-based question doesn't make sense to me. If you are downloading manually, the time is whenever you go to and make the download. You would then need to upload the files manually into FMC and then apply them. If you do this manually you are by definition not using an automated scheduled task (time-based).

The files themselves are updated a couple of time a week, depending on the threat landscape as determined by Cisco's TALOS security researchers. 

ok, but i mean if i cant connect my FMC server to internet what license i will need for download VDB files from

if there is such license, what is the part number for ASA5545?

and for "time based", i mean if there is such license, it will be time bases, for example 1-y or 3-y? same as firepower license


Ok, I understand your question better now. No worries.

We call these license "term-based". The term is how long the license is valid for.

In the case of "L-ASA5545-TAMC-3Y" which you indicated above, the term is indicated in the last two characters - "3Y" or 3 years in this case.

All of the FirePOWER licenses (see the types below) are currently available in 1 year, 3 year or 5 year terms. The part number is, generally speaking "L-ASA<model number>-<License type>-<term>.

As I noted earlier, your ID won't be prevented from downloading the VDB files once you have access to the FirePOWOR file area as a result of any valid FMC or FirePOWER license type. However, you will need one of the license types that includes the IPS feature in order to be able to use the VDB definitions in a policy. That is enforced on the FMC itself when you build and apply policies.

I think I could not represent my question well, I ask the other way

As you noted earlier: "The files are available for download here and require your userid be associated with a current support contract (or term-licensed software)."

now, my question is this: when i want download VDB files from above link, I will need a service contract account. to have this service contract what part number i must order to Cisco reseller?

If you have the "L-ASA5545-TAMC-3Y", that is a qualifying term-licensed software subscription that will entitle you to the VDB updates. So are any of the other variations shown in the screenshot I posted earlier. Those by themselves will entitle you to the updates (when associated with your account).

As far as support contracts, you will also have access to the files if you have a Smartnet contract for your FMC. For the "FS-VMW-2-SW-K9" 2 device license you mentioned earlier, that part number would be "CON-SAU-VMWSW2". I wouldn't focus on that thought since without the subscription license, you would not be able to use the updated definitions in a policy.

Your reseller has access to all of this information and should be able to guide you using tools available to them via Cisco's partner channels.

You mean, if i buy the "L-ASA5545-TAMC-3Y" i can download VDB files from and apply them on FMC server(as offline update) and i dont need to buy the Smartnet contract?

That's correct.

There are lots of other reasons why having Smartnet is a good idea; but it's not mandatory to be able to download and apply VDB files - either offline or online.

For instance: if you're not familiar with the product and need configuration assistance, if it breaks and you need it fixed, if new ASA (or FMC) software is released that introduces a new feature or fixes a bug, etc. - all reasons to have Smartnet.

1 year ago, for traditional ASA IPS I bought 1 year license but my reseller did not give me any account for offline update,
so, now I must request him to give me a account with the "L-ASA5545-TAMC-3Y" for access to 
is that a routine procedure in Cisco?

Getting a account is a self-service action.

When you purchase either a new smartnet contract or a subscription license that gives you additional access (as in the case we are discussing), your reseller SHOULD update your association or entitlement.

If they do not for whatever reason or say they cannot, you can contact Cisco TAC and tell the Tier 1 folks who answer the phone that you need your ID updated accordingly. They will ask for either the Smartnet contract number of sales order (SO) number. The SO in this case is the one between your reseller and Cisco.

I am in the same boat. I have a 5516-X HA pair. The control licenses are installed. I would like to start diverting traffic to the FP module to start monitoring the traffic. Don't want to block anything (yet), but just want to start getting deeper visibility into the traffic.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: