
SFR licensing in cluster mode?

mythosmc1
Level 1

If I am running two ASAs in cluster mode, is there any special configuration I need to do on the SFR modules?

Does the pair of clustered ASAs forward traffic to both SFR modules?

The documentation is very vague on the topic of Sourcefire clustering; all it really says is "keep consistent policies on the SFR modules and don't use zones for your rules".

Are there any additional licenses required? I.e., I have 2x Control + Protect, however only 1 AMP / URL license.

Does that mean only one of the SFR modules can process Malware and URL filtering?

Any help would be greatly appreciated.

Thanks

3 Replies

Marvin Rhoads
Hall of Fame

Are you running the ASAs in an Active-Standby HA pair with FirePOWER module on each of them?

If so, the licensing on the modules should match on each module. Otherwise, you will not be able to apply any URL Filtering or file (AMP) policies on one of the modules.

If the ASAs are truly in a 2-node cluster (not Active-Standby) then it's even more important that the licenses match because flow-by-flow the traffic may take a different member as the forwarding device.

Ideally you will simply build one set of policies in FireSIGHT Management Center and apply them to both FirePOWER modules.

Ouch, so I've gotta buy both licenses again at the FULL price?

Are there any discounted licenses if you're clustering?

Thanks so much for your replies.

Unfortunately yes - each unit needs a license. Perhaps Cisco will eventually see the light for these Active-Standby setups like they did for the ASA licensing since version 8.3, but for now you need to match them up.

If it helps, there are some promo pricing deals on for the smaller boxes (5506, 5508, 5516 and 5525) going on through the end of July.
