Smart Licensing

Cisco Secure Firewall Smart Licensing Guidance

Introduction

This document provides information, configuration, and troubleshooting guidance on Smart Licensing for Cisco Secure Firewall deployments using the Firewall Management Center (FMC) as the management platform.

Licensing Firewall Threat Defense

Cisco Smart Licensing allows you to centrally organize your licenses, devices, and specific license agreements based on your business needs. The number and type of licenses required depend on your deployment and the enabled features.

License Types

Firepower and Secure Firewall devices include a standard base firewall license and advanced subscriptions for different features.

**Figure 1:** FTD License Types

It is essential to understand that the license type depends on the software components, not the hardware. Table 1 shows the licenses available and a description of the capabilities each one provides.

| License | Subscription you purchase | Duration | Granted Capabilities |
|---|---|---|---|
| Essentials (previously known as Base) | Subscription is required only for FTDv | Perpetual (hardware platforms)<br>Term-based (virtual platforms) | User and application control<br>Geolocation based rules<br>Switching & routing<br>NAT<br>For details, see Essentials Licenses |
| IPS (previously known as Threat) | T (IPS) | Term-based | Encrypted Visibility Engine<br>Intrusion detection and prevention<br>File control<br>Security Intelligence filtering<br>For details, see IPS Licenses |
| URL Filtering | C (URL)<br>TC (IPS + URL)<br>TMC (IPS + Malware Defense + URL) | Term-based | |
| Malware Defense (previously known as Malware) | M (Malware Defense)<br>TM (IPS + Malware Defense)<br>TMC (IPS + Malware Defense + URL) | Term-based | |
| Carrier | Licensing PID per family | Term-based | Inspection of Diameter, GTP/GPRS, M3UA and SCTP protocols<br>For Firepower 9300, 4100, 3100 and Virtual platforms<br>For details, see Carrier License |
| Firewall Management Center Virtual | Purchased using FMCv PIDs | Perpetual<br>Term-based (Specific License Reservation) | |
| Export Controlled Features | No subscription required | Perpetual | |
| Secure Client Licenses<br>Advantage (previously known as AnyConnect Plus)<br>Premier (previously known as AnyConnect Apex)<br>VPN Only (previously known as AnyConnect VPN Only) | Ordering info available in the Secure Client Ordering guide | Term-based or Perpetual | Remote Access VPN Configuration<br>Export-controlled functionality should be enabled to configure Remote Access VPN<br>For details, see Secure Client Licenses |

Table 1: Firewall Smart License Types

There are options to purchase licenses individually (e.g., T, M, or C) or bundled together to provide greater functionality (e.g., TM, TC, or TMC).

How Many Licenses are Required?

For deployments managed by the FMC, each managed device requires a license for each feature it uses. Figure 2 illustrates the number of licenses required based on a sample deployment with mixed feature use.

**Figure 2:** How Many Licenses Are Required?

**Note:** Subscriptions have 1, 3, or 5-year terms. No specific licenses are required to enable high availability or clustering scenarios; however, each device or security module in the cluster or HA-pair must have the same number of feature licenses.

Multi-Instance Deployments

For devices that support the Multi-Instance feature (Firepower 4100/9300 Series appliances), note the following:

  • No special license is required to enable Multi-Instance.
  • Each device/security module includes a base license.
  • Each device/security module requires a feature license for the features enabled.
  • All instances on the device/security module share the feature licenses assigned to the device/security module.
  • Assign licenses to each instance in the UI (same as assigning licenses to native appliances).

**Note:** When different FMCs manage different FTD instances on a device or security module, each FMC must have sufficient licenses installed for each device/security module.

Smart Licensing Deployment Modes

Smart Licensing from Cisco is a cloud-based service. Because security is a crucial concern for customers, Cisco provides different deployment modes for Smart Licensing so that customers can choose the most suitable option.

**Figure 3:** Smart License Deployment Modes

Configuration

The configuration that follows covers the "Direct Cloud Access" deployment mode since this is the most common. Complete the steps outlined below to configure Secure Firewall deployments to use Smart Licensing.

Prerequisites

  1. Ensure you have a Smart Account. If you do not have one, create it at Cisco Software Central.

  2. For direct cloud access, the FMC requires Internet access.

Generating a New Smart Licensing Token

Step 1: Open a web browser and access Smart Software Licensing from the Cisco Software Central portal.

Step 2: Next, issue a new Token by choosing Inventory > General > New Token. You use the token in a later step within the Smart License registration page on your Firewall Management Center (FMC).

**Figure 4:** Issue a New Token in the Smart Software Licensing Portal

Step 3: If applicable, select a Virtual Account that contains sufficient license entitlements for the deployment or leave the default account chosen.

Step 4: Enter a description (optional), an expiry date, and/or a Max. Number of Uses value. The expiry date and the maximum number of uses allow using the same token to onboard multiple FMCs rather than generating a token per FMC.

Step 5: Check the check box that allows export-controlled functionality; this enables strong encryption such as 3DES or AES. If the check box is left unchecked, only DES can be used.

**Figure 5:** Create Registration Token

Step 6: After creating the token, choose Actions > Copy or click the copy icon.

FMC Smart License Registration

Step 1: Log in to your FMC, navigate to System > Licenses > Smart Licenses, and click the Register button.

**Figure 6:** FMC Smart License Registration

Step 2: In the window (Figure 7) that displays:

a. Paste in the Token from the previous section.

b. Click the "Enable Cisco Success Network" checkbox (optional).

c. Click Apply Changes.

**Figure 7:** Product Registration

d. If the registration process is successful, a Smart License status change displays to indicate that Product Registration is now "Registered" as shown in Figure 8:

**Figure 8:** Successful registration to Smart Licensing portal

**Note:** You can also view the registration confirmation in the Smart Licensing portal by choosing Inventory > Event Log and then viewing the messages displayed.

Step 3: The final step is to assign the term-based subscription licenses to the managed devices. From the Smart Licenses screen in your FMC (Figure 8 above), click Edit Licenses.

Step 4: Choose a managed device from the Devices without license window and add it to the Devices with licenses window for each subscription you have purchased (i.e., Malware Defense, IPS, URL, etc.).

**Figure 9:** Edit Licenses

Step 5: Finally, click Apply to save the changes.

**Note:** After you register the FMC to your Smart Account and add the required licenses, the system checks your entitlement whenever you deploy a policy to a device. For example, the policy will fail to deploy if you have enabled a Next-Generation Intrusion Prevention policy on a device without an IPS license.

Verification/Troubleshooting

For troubleshooting and validating your Smart Licensing configuration, follow the steps outlined in the link below:

FMC and FTD Smart Licensing Registration

Summary

Smart Licensing is an effective mechanism for managing your Cisco licenses. It provides a central repository for all of your licensing needs and lets you assign and remove licenses as your business needs change, so you can focus on operating your Secure Firewall deployment.