Smart Licensing
Cisco Secure Firewall Smart Licensing Guidance
Introduction
This document provides information, configuration, and troubleshooting guidance on Smart Licensing for Cisco Secure Firewall deployments using the Firewall Management Center (FMC) as the management platform.
Licensing Firewall Threat Defense
Cisco Smart Licensing allows you to centrally organize your licenses, devices, and specific license agreements based on your business needs. The number and type of licenses required depend on your deployment and the enabled features.
License Types
Firepower and Secure Firewall devices include a standard base firewall license and advanced Subscriptions for different features.
Figure 1: FTD License Types
It is essential to understand that the license type depends on the software components, not the hardware. Table 1 shows the licenses available and a description of the capabilities each one provides.
| License | Subscription you purchase | Duration | Granted Capabilities |
|---|---|---|---|
| Essentials (previously known as Base) | Subscription is required only for FTDv |
|
|
| IPS (previously known as Threat) | T (IPS) | Term-based |
|
| URL Filtering | C (URL) TC (IPS + URL) TMC (IPS + Malware Defense + URL) | Term-based |
|
| Malware Defense (previously known as Malware) | M (Malware Defense) TM (IPS + Malware Defense) TMC(IPS + Malware Defense + URL) | Term-based |
|
| Carrier | Licensing PID per family | Term-based |
|
| Firewall Management Center Virtual | Purchased using FMCv PIDs |
|
|
| Export Controlled Features | No subscription required | Perpetual |
|
Secure Client Licenses
| Ordering info available in the Secure Client Ordering guide | Term-based or Perpetual |
|
Table 1: Firewall Smart License Types
There are options to purchase licenses individually (e.g., T, M, or C) or bundled together to provide greater functionality (e.g., TM, TC, or TMC).
How Many Licenses are Required?
Each managed device requires a license for each feature used for deployments managed by the FMC. Figure 2 illustrates the number of licenses required based on a sample deployment with a mixed feature use.
Figure 2: How Many Licenses Are Required?
Note
Subscriptions have 1, 3, or 5-year terms. No specific licenses are required to enable high availability or clustering scenarios; however, each device or security module in the cluster or HA-pair must have the same number of feature licenses.
Multi-Instance Deployments
For devices that support the Multi-Instance feature (Firepower 4100/9300 Series appliances), note the following:
- No special license is required to enable Multi-Instance.
- Each device/security module includes a base license.
- Each device/security module requires a feature license for the features enabled.
- All instances on the device/security module share the feature licenses assigned to the device/security module.
- Assign licenses to each instance in the UI (same as assigning licenses to native appliances).
Note
For different FMCs managing different FTD instances with a device or security module, each FMC must have sufficient licenses installed for each device/security module.
Smart Licensing Deployment Modes
Smart Licensing from Cisco is a cloud-based service. Security is a crucial concern for customers, so to address this, Cisco provides different deployment modes for Smart Licensing that allow customers to choose the most suitable option.
Figure 3: Smart License Deployment Modes
Configuration
The configuration that follows covers the "Direct Cloud Access" deployment mode since this is the most common. Complete the steps outlined below to configure Secure Firewall deployments to use Smart Licensing.
Prerequisites
-
Ensure you have a Smart Account. If not, create a Smart account here: Cisco Software Central
-
For direct cloud access, the FMC requires Internet access.
Generating a New Smart Licensing Token
Step 1: Open a web browser and access Smart Software Licensing from the Cisco Software Central portal.
Step 2: Next, issue a new Token by choosing Inventory > General > New Token. You use the token in a later step within the Smart License registration page on your Firewall Management Center (FMC).
Figure 4: Issue a New Token in the Smart Software Licensing Portal
Step 3: If applicable, select a Virtual Account that contains sufficient license entitlements for the deployment or leave the default account chosen.
Step 4: Enter a description (optional), an expiry date, and/or a Max. Number of Uses value. The expiry date and the maximum number of uses allow using the same token to onboard multiple FMCs rather than generating a token per FMC.
Step 5: Check the check box to allow export-controlled functionality to enable strong encryption such as 3DES or AES. Leaving this check box unchecked will only allow the use of DES.
Figure 5: Create Registration Token
Step 6: After creating the token, choose Actions > Copy or click the copy icon.
(Copy Icon)
FMC Smart License Registration
Step 1: Log in to your FMC, navigate to System > Licenses > Smart Licenses, and click the Register button.
Figure 6: FMC Smart License Registration
Step 2: In the window (Figure 7) that displays:
a. Paste in the Token from the previous section.
b. Click the "Enable Cisco Success Network" checkbox (optional).
c. Click Apply Changes.
Figure 7: Product Registration
d. If the registration process is successful, a Smart License status change displays to indicate that Product Registration is now "Registered" as shown in Figure 8:
Figure 8: Successful registration to Smart Licensing portal
Note
Another option to view the registration confirmation in the Smart Licensing portal is by choosing Inventory > Event Log and then viewing the messages displayed.
Step 3: The final step is to assign the term-based subscription licenses to the managed devices. From the Smart Licenses screen in your FMC Figure 8 above, click Edit Licenses.
Step 4: Choose a managed device from the Devices without license window and add it to the Devices with licenses window for each subscription you have purchased (i.e., Malware Defense, IPS, URL, etc.).
Figure 9: Edit Licenses
Step 5: Finally, click Apply to save the changes.
Note
After registering the FMC to your Smart Account and adding the licenses required, the system checks your entitlement whenever deploying a policy to a device. For example, the policy will fail to deploy if you have enabled a Next-Generation Intrusion Prevention policy on a device without IPS license.
Verification/Troubleshooting
For troubleshooting and validating your Smart Licensing configuration, follow the steps outlined in the link below:
FMC and FTD Smart Licensing Registration
Summary
Smart Licensing is an effective mechanism for managing your Cisco licenses. It provides a central repository for all of your licensing needs. It allows you to assign and remove licenses as your business needs change, allowing you to focus on your Secure Firewall deployment operation.
Updated about 1 month ago