Firepower Management Center Configuration

Licensing the Firepower System

About Firepower Licenses

Your Firepower products (Firepower Management Center and managed devices) include licenses for basic operation, but some features require separate licensing or service subscriptions, as described in this chapter.

A “right-to-use” license does not expire, but service subscriptions require periodic renewal. The type of license your products require (Smart or Classic) depends on the software you use, not on the hardware it runs on.

License Requirements for Firepower Management Center

Firepower Management Center allows you to assign licenses to managed devices and manage licenses for the system.

Hardware FMC

A hardware Firepower Management Center does not require purchase of additional licenses or service subscriptions in order to manage devices.

Virtual FMC

Firepower Management Center Virtual has additional licensing requirements.

Firepower Management Center Virtual Licenses

Generally, Firepower Management Center Virtual requires a license entitlement for each device that it will manage. If an FMCv manages Firepower Threat Defense devices that are configured in a high availability pair, you still need one entitlement for each device (not one entitlement for the pair). In multi-instance deployments, you need one entitlement for each security module. In standard, connected Smart Licensing, these licenses are perpetual. In Specific License Reservation, these licenses are term-based. This entitlement appears in Cisco Smart Software Manager as Firepower MCv Device License with different numbers of entitlements.


Evaluation License Caveats

Not all functionality is available with an evaluation license, functionality under an evaluation license may be partial, and transition from evaluation licensing to standard licensing may not be seamless.

For example, if you have Firepower Threat Defense devices configured in a cluster, and you switch from an evaluation license to Smart Licensing, service will be interrupted when you deploy the change. Review information about evaluation license caveats in the information about particular features in this Licensing chapter and in the chapters related to deploying each feature.

Smart vs. Classic Licenses

For managed devices, the licenses you need (Smart or Classic) depend on the software that runs on the device. Any FMC can simultaneously manage devices with Smart and Classic licenses. You must configure each type of licensing separately.

License Firepower Threat Defense Devices (FTD)

Firepower Threat Defense devices require Smart Licensing. Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.

In addition, Smart Licensing does not prevent you from using product features that you have not yet purchased. You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval.

How to License Firepower Threat Defense Devices

Firepower Threat Defense devices require Smart Licensing. Follow the steps outlined in this overview to license FTD devices managed by a hardware or virtual Firepower Management Center. If your FMC also manages Classic devices (ASA FirePOWER, NGIPSv), you can follow this procedure for FTD devices, then follow the instructions under License Classic Devices (ASA FirePOWER and NGIPSv) (https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/licensing_the_firepower_system.html#id_49477) for devices that use Classic licensing.

Procedure

Step 1       

If you do not already have a Smart Account, create one. We recommend you have a Smart Account before you purchase licenses. To create a new Smart Account, see Create a Smart Account to Hold Your Licenses (https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/licensing_the_firepower_system.html#id_81767).


Step 2       

Understand the platform licenses your organization needs:

  • Firepower Management Center physical hardware:

This appliance comes with the licensing it needs; you do not need to do anything to activate this.

  • Firepower Management Center Virtual:

You need additional licenses. For details, see Firepower Management Center Virtual Licenses. (If your FMCv will also manage devices that use Classic licenses, those devices will also require these entitlements when you configure Classic licensing.)

  • Firepower Threat Defense devices:

Each device automatically includes a license for basic functionality. You do not need to do anything to activate a base license, but many features require separate licensing, which is discussed below.


Step 3       

Understand the feature licenses (sometimes called service subscriptions) that your organization needs.

Step 4       

Determine the number of feature licenses/service subscriptions that your organization needs.

  • Generally, each managed device needs to be licensed for each feature you will use.
  • For Firepower Management Centers in a high availability pair:

See FMC HA License Requirements.

  • For Firepower Threat Defense devices in a high availability pair:

Each device (whether active or standby) must be licensed for each feature to be used. No additional licensing is required. See License Requirements for FTD Devices in a High Availability Pair.

  • For inter- or intra-chassis clustered Firepower Threat Defense devices:

See Licenses for Clustering.

  • For a multi-instance deployment:

See Licensing for Multi-Instance Deployments.

Step 5       

If you have existing licenses that you need to move:

  • To convert a Classic license to a license that can be used for Firepower Threat Defense:

See How to Convert a Classic License for Use on an FTD Device.

  • To transfer Smart Licenses that are currently registered to another Firepower Management Center:

See Transfer FTD Licenses to a Different Firepower Management Center and Deregister a Firepower Management Center from the Cisco Smart Software Manager.

  • To move Smart Licenses that are currently registered to another Firepower Threat Defense device:

See Move or Remove Licenses from FTD Devices.

Step 6       

If your Firepower appliances have restricted internet access:

Determine which solution is best for your situation:

  • If your Firepower Management Center is not connected to the internet, but it can connect to an internal server that can connect to Cisco’s licensing authority, or can receive manual license updates:

Deploy a Smart Software Satellite Server.

  • If your deployment is completely air-gapped and cannot connect to the licensing authority or to a satellite server that connects to the licensing authority, or receive manual license updates:

See the options at Specific License Reservation (SLR) and skip the rest of this procedure.

  • For a comparison of these options, see Licensing Options for Air-Gapped Deployments.


Step 7       

If you have multiple Firepower Management Center appliances and you want to connect to Cisco’s licensing authority through a single proxy:

Deploy a Smart Software Satellite Server.

Step 8       

If you want to enable features that use strong encryption and that are restricted by geographic region:

See Licensing for Export-Controlled Functionality.


Step 9       

Purchase the licenses you need:

Contact your Cisco sales representative or authorized reseller.


Step 10

Verify that your reseller or Cisco sales representative has added your licenses to your Smart Account.

Look in CSSM: https://software.cisco.com/#SmartLicensing-Inventory. Click Inventory, then the Licenses tab. Filter the list as needed. You may need your purchase confirmation in order to understand the license naming.

If you don’t see the licenses you expect to see, make sure you are looking at the correct virtual account. For assistance with this, see the resource links in CSSM. If you still don’t see your licenses, or the licenses are not correct, contact the person from whom you purchased the licenses.

Step 11     

After your virtual account (Smart Account) holds the licenses you expect, register your Firepower Management Center to CSSM:

You must configure licensing in the Firepower Management Center using the web interface.

  • If your Firepower Management Center connects directly to CSSM:

See the following topics:

  • If your Firepower Management Center connects to a Smart Software Satellite Server:

See Configure the Connection to a Smart Software Satellite Server.

Step 12     

Verify that registration was successful:

In the Firepower Management Center web interface, go to System > Licenses > Smart Licenses. Product Registration should show a green checkmark.


Step 13     

If you have not yet done so, add your devices to the Firepower Management Center as managed devices.

See Add Devices to the Firepower Management Center.


Step 14     

Assign licenses to your managed Firepower Threat Defense devices:

See Assign Licenses to Multiple Managed Devices.

Step 15     

Verify that licenses have successfully been added to your devices.

See View FTD Licenses and License Status.


Step 16     

As applicable, set up licensing for high-availability and clustered deployments:

For Firepower Management Centers in a high availability pair:

See the prerequisites to Establishing Firepower Management Center High Availability.

After you configure FMC high-availability pairs, device licenses are automatically transferred from the active to the standby management center. You do not need to configure anything specific for licensing.

For Firepower Threat Defense devices in a high availability pair:

Assign the licenses for the features that you want to use to both the active and standby device before you configure high availability. If the devices are licensed for different features, the licenses on the standby device will be replaced with the same set of licenses as the active device.

For clustered Firepower Threat Defense devices:

See Licenses for Clustering. Licensing steps are included in FMC: Add a Cluster.
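As an added example (not from the Cisco guide), the counting rules from Step 4 and the FMCv entitlement rule above, encoded as a small sizing calculator: one Base license and one FMCv entitlement per unit, both members of an HA pair licensed, one entitlement per security module, and the chapter's T/TC/TM/TMC subscription naming. The inventory, the deployment names and the assumption that cluster units and security modules are each licensed for every feature they use are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Feature keys and the license names the chapter uses for them.
LICENSE_NAMES = {"threat": "Threat", "malware": "Malware", "url": "URL Filtering"}
# Subscription labels from the chapter: Threat stand-alone (T) or bundled
# with URL Filtering (TC), Malware (TM), or both (TMC).
BUNDLES = {
    frozenset({"threat"}): "T",
    frozenset({"threat", "url"}): "TC",
    frozenset({"threat", "malware"}): "TM",
    frozenset({"threat", "malware", "url"}): "TMC",
}


@dataclass
class Deployment:
    """One FTD deployment as the FMC sees it (names are constructed)."""
    name: str
    kind: str                  # "standalone", "ha_pair", "cluster", "multi_instance"
    units: int = 1             # cluster unit count, or security-module count
    features: set = field(default_factory=set)

    def licensed_units(self) -> int:
        """Units that each need their own feature licenses and FMCv entitlement."""
        if self.kind == "standalone":
            return 1
        if self.kind == "ha_pair":
            return 2           # active and standby are both licensed
        if self.kind in ("cluster", "multi_instance"):
            return self.units  # per cluster unit / per security module (assumed for features)
        raise ValueError(f"unknown deployment kind: {self.kind}")

    def subscription_label(self) -> str:
        """Map the wanted features to the chapter's subscription naming."""
        feats = frozenset(self.features)
        unknown = feats - set(LICENSE_NAMES)
        if unknown:
            raise ValueError(f"unknown features: {sorted(unknown)}")
        if not feats:
            return "Base only"
        if feats in BUNDLES:
            return BUNDLES[feats]
        # Without Threat, Malware (AMP) and URL Filtering are bought stand-alone.
        return "+".join({"malware": "AMP", "url": "URL"}[f] for f in sorted(feats))


def count_entitlements(deployments, virtual_fmc: bool) -> Counter:
    """Totals the Smart Account must hold for this inventory."""
    totals = Counter()
    for d in deployments:
        n = d.licensed_units()
        totals["Base"] += n                     # auto-added for every registered FTD
        for f in d.features:
            totals[LICENSE_NAMES[f]] += n
        if virtual_fmc:                         # a hardware FMC needs none of these
            totals["Firepower MCv Device License"] += n
    return totals


# Constructed inventory, not a real deployment.
INVENTORY = [
    Deployment("edge-ha", "ha_pair", features={"threat", "malware", "url"}),
    Deployment("dc-cluster", "cluster", units=3, features={"threat"}),
    Deployment("fp9300-mi", "multi_instance", units=2, features={"threat", "url"}),
    Deployment("branch-1", "standalone", features={"malware"}),
]
```

Running `count_entitlements(INVENTORY, virtual_fmc=True)` on this inventory gives 8 Base, 7 Threat, 3 Malware, 4 URL Filtering and 8 FMCv device entitlements; with `virtual_fmc=False` the FMCv line disappears.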

Smart Software Manager (CSSM)

When you purchase one or more Smart Licenses for Firepower features, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization.

By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and appliances.

You manage licenses and appliances by virtual account. Only that virtual account’s appliances can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer appliances between virtual accounts.

For each virtual account, you can create a Product Instance Registration Token. Enter this token ID when you deploy each Firepower Management Center, or when you register an existing FMC. You can create a new token if an existing token expires. An expired token does not affect a registered FMC that used this token for registration, but you cannot use an expired token to register an FMC. Also, a registered FMC becomes associated with a virtual account based on the token you use.

For more information about the Cisco Smart Software Manager, see Cisco Smart Software Manager User Guide or https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html or the online help in CSSM, also available from: https://www.cisco.com/web/fw/softwareworkspace/smartlicensing/SSMCompiledHelps/.


Periodic Communication with the License Authority

In order to maintain your product license entitlement, your product must communicate periodically with the Cisco License Authority.

When you use a Product Instance Registration Token to register a Firepower Management Center, the appliance registers with the Cisco License Authority. The License Authority issues an ID certificate for communication between the Firepower Management Center and the License Authority. This certificate is valid for one year, although it will be renewed every six months. If an ID certificate expires (usually in nine months or a year with no communication), the Firepower Management Center reverts to a deregistered state and use of licensed features is suspended.

The Firepower Management Center communicates with the License Authority on a periodic basis. If you make changes in the Smart Software Manager, you can refresh the authorization on the Firepower Management Center so the changes immediately take effect. You also can wait for the appliance to communicate as scheduled.

Your Firepower Management Center must have either direct Internet access to the License Authority through the Cisco Smart Software Manager or access through the Smart Software Satellite Server at scheduled time periods. Normal license communication occurs every 30 days, but with the grace period, your appliance will operate for up to 90 days without calling home. You must contact the License Authority before 90 days have passed.

Optionally, you can configure a Smart Software Satellite Server to serve as a proxy for communicating with the License Authority.
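The 30-day contact cadence, 90-day grace period and ID certificate lifetimes described above, turned into a monitoring check as an added example (not code from the Cisco guide). The states and the rule that an expired certificate deregisters the FMC are modeled from the chapter's numbers; the dates are constructed.

```python
from datetime import date, timedelta

# Cadence and limits stated in the chapter: contact every 30 days, operation
# continues up to 90 days without calling home; the ID certificate issued at
# registration is valid for one year and renewed every six months.
CONTACT_INTERVAL_DAYS = 30
GRACE_LIMIT_DAYS = 90
ID_CERT_VALID_DAYS = 365
ID_CERT_RENEW_DAYS = 180


def license_contact_status(last_contact: str, cert_renewed: str, today: str) -> dict:
    """Classify an FMC's License Authority contact state from ISO dates.

    Assumption (modeled, not from the guide): certificate validity runs from
    its last renewal, and an expired certificate deregisters the FMC just as
    exceeding the 90-day grace period does.
    """
    last, renewed, now = (date.fromisoformat(s) for s in (last_contact, cert_renewed, today))
    silent = (now - last).days
    cert_age = (now - renewed).days
    if cert_age > ID_CERT_VALID_DAYS or silent > GRACE_LIMIT_DAYS:
        state = "deregistered"       # use of licensed features is suspended
    elif silent > CONTACT_INTERVAL_DAYS:
        state = "grace"              # a scheduled contact was missed; still operating
    else:
        state = "authorized"
    return {
        "state": state,
        "days_silent": silent,
        "days_to_suspension": max(GRACE_LIMIT_DAYS - silent, 0),
        "cert_renewal_due": (renewed + timedelta(days=ID_CERT_RENEW_DAYS)).isoformat(),
        "cert_expires": (renewed + timedelta(days=ID_CERT_VALID_DAYS)).isoformat(),
    }


def alert_level(status: dict, lead_days: int = 14) -> str:
    """Severity for a monitoring check: page before the grace period runs out."""
    if status["state"] == "deregistered" or status["days_to_suspension"] <= lead_days:
        return "critical"
    if status["state"] == "grace":
        return "warning"
    return "ok"
```

Feed it the last successful sync time from the FMC's Smart Licenses page and the date of the last certificate renewal; anything other than "ok" is worth a ticket before the appliance stops enforcing licensed features.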

Service Subscriptions for FTD Features

Some features require a service subscription.

A service subscription enables a specific Firepower feature on a managed device for a set length of time. Service subscriptions can be purchased in one-, three-, or five-year terms. If a subscription expires, Cisco notifies you that you must renew the subscription. If a subscription expires for a Firepower Threat Defense device, you can continue to use the related features.

Your purchase of a managed device that uses Smart Licenses automatically includes a Base license. This license is perpetual and enables system updates. All service subscriptions are optional for Firepower Threat Defense devices.

FTD License Types and Restrictions

This section describes the types of Smart Licenses available in a Firepower System deployment. The Firepower Management Center requires Smart Licenses to manage Firepower Threat Defense devices.

The following table summarizes Firepower System Smart Licenses.

Base Licenses

A base license is automatically included with every purchase of a Firepower Threat Defense or Firepower Threat Defense Virtual device.

The Base license allows you to:

  • configure your FTD devices to perform switching and routing (including DHCP relay and NAT)
  • configure FTD devices as a high availability pair
  • configure security modules as a cluster within a Firepower 9300 chassis (intra-chassis clustering)
  • configure Firepower 9300 or Firepower 4100 series devices running Firepower Threat Defense as a cluster (inter-chassis clustering)
  • implement user and application control by adding user and application conditions to access control rules

Threat and malware detection and URL filtering features require additional, optional licenses.

Except in deployments using Specific License Reservation, Base licenses are automatically added to the Firepower Management Center for every Firepower Threat Defense device you register.


Malware Licenses for Firepower Threat Defense Devices

A Malware license for Firepower Threat Defense devices allows you to perform Cisco Advanced Malware Protection (AMP) with AMP for Networks and Cisco Threat Grid. With this feature, you can use Firepower Threat Defense devices to detect and block malware in files transmitted over your network. To support this feature license, you can purchase the Malware (AMP) service subscription as a stand-alone subscription or in combination with Threat (TM) or Threat and URL Filtering (TMC) subscriptions.

Note: Firepower Threat Defense managed devices with Malware licenses enabled periodically attempt to connect to the AMP cloud even if you have not configured dynamic analysis. Because of this, the device’s Interface Traffic dashboard widget shows transmitted traffic; this is expected behavior.

You configure AMP for Networks as part of a file policy, which you then associate with one or more access control rules. File policies can detect your users uploading or downloading files of specific types over specific application protocols. AMP for Networks allows you to use local malware analysis and file preclassification to inspect a restricted set of those file types for malware. You can also download and submit specific file types to the Cisco Threat Grid cloud for dynamic and Spero analysis to determine whether they contain malware. For these files, you can view the network file trajectory, which details the path the file has taken through your network. The Malware license also allows you to add specific files to a file list and enable the file list within a file policy, allowing those files to be automatically allowed or blocked on detection.

If you disable all your Malware licenses, the system stops querying the AMP cloud, and also stops acknowledging retrospective events sent from the AMP cloud. You cannot re-deploy existing access control policies if they include AMP for Networks configurations. Note that for a very brief time after a Malware license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.

Note that a Malware license is required only if you deploy AMP for Networks and Cisco Threat Grid. Without a Malware license, the Firepower Management Center can receive AMP for Endpoints malware events and indications of compromise (IOC) from the AMP cloud.

Threat Licenses

A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:

  • Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. AMP for Networks, which requires a Malware license, allows you to inspect and block a restricted set of those file types based on their dispositions.
  • Security Intelligence filtering allows you to blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware (TM), or both (TMC).

If you disable Threat on managed devices, the Firepower Management Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as trigger criteria stop firing. Additionally, the Firepower Management Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing intrusion policies until you re-enable Threat.


URL Filtering Licenses for Firepower Threat Defense Devices

The URL Filtering license allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs. To support this feature license, you can purchase the URL Filtering (URL) service subscription as a stand-alone subscription or in combination with Threat (TC) or Threat and Malware (TMC) subscriptions.
