SourceFIRE Licensing

geraldschwab
Level 1

Greetings Cisco Community,

 

This is my first time posting here; I appreciate any feedback you can provide on my issue.

 

I have a quick question regarding how SourceFIRE licenses are installed/handled.

 

This is my first time deploying Firepower Services, but I do have 25 years' experience on this platform going back to the PIX Firewall days, so apologies for any n00b unawareness I have with FirePOWER.

 

Quick recap of my environment -

 

I have 19x Cisco 5516-X with FirePOWER services

I have 1x Cisco Firepower Management Center 1600

 

The FMC is running Cisco Fire Linux OS 6.4.0.

 

My ASAs are running 9.8(4)32 with ASDM 7.16(1)150.

My SFR Modules are running 6.2.2-81

 

My goal is to have all of the SFR Modules/Sensors centrally managed (configured, monitored, licensed, etc.) from the FMC.

 

I've been going back and forth with Cisco Licensing for months trying to get my licenses which I acquired in August installed on this system. 

 

I finally received 19x individual licenses for the URL Filtering product I purchased.

 

When I tried to install these licenses in the FMC I received the following error and was told by Cisco that I had to install the licenses in the ASDM. This doesn't make any sense to me since the FMC has a section for "Classic Licenses", why would it have that if you need to install the licenses on the individual appliances from ASDM? -

 

License-Error.png

 

 

In case the above is illegible, the error message displayed via the FMC is "License is Invalid/Failed".

 

So I said, "OK, even though my devices are only managed from the CLI, and it would be a huge inconvenience to install the ASDM on 19x firewalls only to do a short task like add a license that should be able to be added via the FMC, why not, let me at least try since this has been dragging out for months now."

 

So I went ahead and installed ASDM, and added the licenses and they were added successfully. I should note that this requires removing the devices from the FMC because you can't access the SFR Module configuration via the ASDM if the SFR Module is configured to use a "Manager" (FMC). 

 

So to install the 19x licenses on all of my devices I had to deploy the ASDM image and reboot each firewall, then subsequently remove each firewall from the FMC, install the license via the ASDM, then re-add the firewall to the FMC. That process would be horrible, but if that at least worked, I could live with it... However:

 

I added the license via the ASDM (successfully):

 

url-filter_license.png

 

Subsequent view via the ASDM of the licenses installed (success):

 

license_status-from-asdm.png

(As an aside, I'm not sure why it says there are 2x URL Filtering Licenses installed, I only installed one license key but perhaps it's 2x 6month licenses - anyway not really important/relevant to this post)

 

So the ASDM successfully registered the license which I was not able to install via the FMC.

 

So far so good. 

 

But now when I re-add the SFR to the FMC, the device shows up again as "Unlicensed" and none of the licenses are enabled in the FMC:

license_status-from-fmc.png

All devices still show as "Unlicensed" -

 

unlicensed.png

 

Is this normal behavior?

 

Are my SourceFIRE Modules properly licensed for URL Filtering and can they be fully managed from the FMC even though the FMC shows as Unlicensed?


Marvin Rhoads
Hall of Fame

TAC gave you bad advice. If a Firepower service module is FMC-managed then its license(s) should ONLY be assigned via FMC. Changing from local (ASDM) management to remote (FMC) management removes all configuration and licensing from a given module (except the bootstrap config like IP address, gateway etc.)

All Firepower service modules require a no cost control license and then you can add IPS, URL Filtering and Malware according to what you have purchased. The licenses should all be installed from FMC assuming you have registered them to your FMC.

 

Marvin, Thank you so much. That's kind of what I figured but having never done this before I really needed a second set of eyes. 

 

Since the FMC didn't accept the license I was given for the SFR Modules (Cisco asked for license keys for the individual SFR Modules) how should this have gone down? Should I have only provided Cisco the FMC key, and is the license that's generated for the FMC presumably different from the license applied to individual SFR Modules (if they're unmanaged for those customers that wish to use unmanaged), which is what it seems like I was given and didn't work for the FMC?

 

This would explain why the license I was provided was able to be installed in ASDM and not FMC. Just wondering what I need to tell the Licensing/TAC folks.

 

Trying to understand what information I should expect to provide, what information I should expect to receive back, and how I should go about activating the license I receive back.

 

If I receive licenses for installation on the FMC, does that go into the "Classic Licensing" portion of the FMC (under System -> Licensing -> Classic Licenses) since I am running Cisco ASA with Firepower software (not the unified FTD image but the separate images for ASA and SFR)? Are the 19x URL Filtering and Control licenses still provided individually, or is it a single license key that you can activate X number of times depending on entitlement?

 

Sorry I know that's a lot of questions but I tried to find this everywhere in the documentation and have literally spent months trying to get answers for this... you are a genuine life saver! 

ASA Firepower service modules exclusively use Classic licensing. All such modules managed by a given FMC use the FMC's license key which is provided to Cisco to generate the actual unique licenses. A unique (set of) license(s) per managed module is required. So in your case you would have Cisco licensing redeem all of the PAKs to get 19x sets of licenses back. Those would all have to be entered into FMC individually and then assigned to each managed module under device management.

For a complete description in case you or a future reader is wondering, FTD devices exclusively use Smart licensing. You can mix Classic and Smart licensing in a given FMC. In the case of Smart licensing, FMC registers once to the Cisco portal using a licensing token you generate in the portal and then automatically allocates available licenses from your smart account as needed for the FTD devices you have assigned licenses to (in FMC via device management).

 

Thank you. 

 

I think part of the confusion was, TAC/Licensing was asking for individual license keys from SFR Modules, and the FMC is not able to generate those, so they kept asking me to get them from the ASDM, and we kept going back and forth on this point... Further annoying the situation was the fact that I don't even use the ASDM for my ASA management.

 

Now I am expecting the following going forward:

 

I will provide Cisco Entitlement with the license key for my FMC, and only the FMC.

 

They will generate 19x Control & URL Filtering Licenses, which I will enter into the FMC.

 

Then I will be able to check the boxes according to licenses I purchased via the FMC interface on the individual managed devices that are added to the FMC. Note these are currently grayed out, they will presumably not be grayed out anymore once I add the licenses to the FMC I receive back after they exchange the SFR PAKs I received earlier:

 

fmc-checkboxes.png

 

If I got this correct, it pretty much wraps it up for me!

 

Thanks again I'll follow up and mark this as solution

Correct - once the licenses are available for FMC to assign, the check boxes will not be grayed out, allowing you to assign licenses to your sensors. Note the Protect and Control (combined license) is a mandatory prerequisite before you can assign Malware or URL filtering license(s).
