Smart Licensing for the Firewall System
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure—you control what users can access. With Smart Licensing you get:
- Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).
- Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
- License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.
Cisco Smart Software Manager
When you purchase one or more licenses for the FTD device, you manage them in the Cisco Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory. The Cisco Smart Software Manager lets you create a primary account for your organization.
By default, your licenses are assigned to the Default Virtual Account under your primary account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and appliances.
Licenses and appliances are managed per virtual account; only that virtual account’s appliances can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer appliances between virtual accounts.
When you register a device with Cisco Smart Software Manager, you create a Product Instance Registration Token in the manager, and then enter it in FDM. A registered device becomes associated with a virtual account based on the token that is used.
For more information about the Cisco Smart Software Manager, see the online help for the manager.
Periodic Communication with the License Authority
When you use a Product Instance Registration Token to register the FTD device, the device registers with the Cisco License Authority. The License Authority issues an ID certificate for communication between the device and the License Authority. This certificate is valid for one year, although it will be renewed every six months. If an ID certificate expires (usually in nine months or a year with no communication), the device reverts to a de-registered state and licensed feature usage is suspended.
The device communicates with the License Authority on a periodic basis. If you make changes in the Cisco Smart Software Manager, you can refresh the authorization on the device so the changes immediately take effect. You also can wait for the device to communicate as scheduled. Normal license communication occurs every 12 hours, but with the grace period, your device will operate for up to 90 days without calling home. You must contact the License Authority before 90 days have passed.
Smart License Types
The following table explains the licenses available for the FTD device.
Your purchase of an FTD device automatically includes a Base license. All additional licenses are optional.
| License | Duration | Granted Capabilities |
|---|---|---|
| Base | Perpetual | All features not covered by the optional term licenses. The Base license is automatically added to your account when you register. The exception is the Secure Firewall 3100: you obtain a Base license when you purchase the firewall, and the license is managed like other licenses in your account. For example, you need to make sure the license is in the correct virtual account when you register. You must also specify whether to Allow export-controlled functionality on the products registered with this token. You can select this option only if your country meets export-control standards. This option controls your use of advanced encryption and the features that require advanced encryption. |
| Threat | Term-based | Required to use the following policies: |
| Malware | Term-based | File policies (the Threat license is also required). |
| URL | Term-based | URL policies—Category and reputation-based URL filtering or DNS lookup request filtering. You can perform URL filtering on individual URLs without this license. |
| RA VPN: | Term-based or perpetual based on license type. | Remote access VPN configuration. Your Base license must allow export-controlled functionality to configure RA VPN. You select whether you meet export requirements when you register the device. The FDM can use any valid AnyConnect Client license. The available features do not differ based on license type. If you have not already purchased one, see Licensing Requirements for Remote Access VPN. Also see the Cisco AnyConnect Ordering Guide, http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf. |
FTDv Licensing
This section describes the performance-tiered license entitlements available for the FTDv.
Any FTDv license can be used on any supported FTDv vCPU/memory configuration. This allows FTDv customers to run on a wide variety of VM resource footprints. It also increases the number of supported AWS and Azure instance types. When configuring the FTDv VM, the maximum supported number of cores (vCPUs) is 16, and the maximum supported memory is 32 GB RAM.
Performance Tiers for FTDv Smart Licensing
Session limits for RA VPNs are determined by the installed FTDv platform entitlement tier, and enforced via a rate limiter. The following table summarizes the session limits based on the entitlement tier and rate limiter.
| Performance Tier | Device Specifications (Core/RAM) | Rate Limit | RA VPN Session Limit |
|---|---|---|---|
| FTDv5, 100Mbps | 4 core/8 GB | 100Mbps | 50 |
| FTDv10, 1Gbps | 4 core/8 GB | 1Gbps | 250 |
| FTDv20, 3Gbps | 4 core/8 GB | 3Gbps | 250 |
| FTDv30, 5Gbps | 8 core/16 GB | 5Gbps | 250 |
| FTDv50, 10Gbps | 12 core/24 GB | 10Gbps | 750 |
| FTDv100, 16Gbps | 16 core/32 GB | 16Gbps | 10,000 |
FTDv Performance Tier Licensing Guidelines and Limitations
Please keep the following guidelines and limitations in mind when licensing your FTDv device.
- The FTDv supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.
- Any FTDv license can be used on any supported FTDv core/memory configuration. This allows FTDv customers to run on a wide variety of VM resource footprints.
- You can select a performance tier when you deploy the FTDv, whether your device is in evaluation mode or is already registered with Cisco Smart Software Manager.
  Note: Make sure your Smart Licensing account contains the available licenses you need. It’s important to choose the tier that matches the license you have in your account. If you are upgrading your FTDv to Version 7.0, you can choose FTDv - Variable to maintain your current license compliance. Your FTDv continues to perform with session limits based on your device capabilities (number of cores/RAM).
- The default performance tier is FTDv50 when deploying a new FTDv device, or when provisioning the FTDv using the REST API.
- Base licenses are subscription-based and mapped to performance tiers. Your virtual account needs to have the Base license entitlements for the FTDv devices, as well as the Threat, Malware, and URL Filtering licenses.
- Each HA peer consumes one entitlement, and the entitlements on each HA peer must match, including the Base license.
- A change in performance tier for an HA pair should be applied to the primary peer.
- Universal PLR licensing is applied to each device in an HA pair separately. The secondary device will not automatically mirror the performance tier of the primary device; it must be updated manually.
Impact of Export Control Setting on Encryption Features
When you register a device, you must also specify whether to Allow export-controlled functionality on the products registered with this token. You can select this option only if your country meets export-control standards. This option controls your use of advanced encryption and the features that require advanced encryption.
Evaluation mode is treated the same as registering using a non-export-compliant account. That means that you cannot configure remote access VPN, or use advanced encryption algorithms, when running in evaluation mode.
In particular, the DES standard is available only in evaluation or non-export-compliant mode.
Thus, if you configure encrypted features, such as site-to-site VPN, or encrypt the failover connection in a high availability group, you might end up with connection problems after registering with an export-compliant account. If a feature was using DES in evaluation mode, that configuration will be broken after you register the device with an export-compliant account.
Consider the following recommendations for avoiding encryption-related problems:
- Avoid configuring encrypted features, such as site-to-site VPN and encrypted failover connections, until after you register the device.
- After registering the device using an export-compliant account, edit all encrypted features that you configured in evaluation mode and select more secure encryption algorithms. Test and verify each of these features to ensure they are functioning correctly.
Note: If you configured HA failover encryption in evaluation mode, you will also need to reboot both devices in the HA group to start using stronger encryption. We recommend you remove the encryption first to avoid a split-brain situation, where both devices consider themselves the active unit.
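As an added illustration (not Cisco code, and not the FDM configuration format), the following pre-registration audit models the rule above: it takes a constructed list of encrypted features with their configured cipher, and reports which ones will break when the device is registered with an export-compliant account, together with the page's recommended remediation. The `EncryptedFeature` record, the feature kinds, and the sample cipher names are assumptions made for the example.

```python
"""Audit encrypted features that depend on DES before Smart Licensing registration.

Added example, not Cisco code. Evaluation mode and a non-export-compliant
registration behave alike (DES stays available), so nothing breaks in that
case; registering with an export-compliant account removes DES and breaks any
feature still configured to use it.
"""
from dataclasses import dataclass

# DES is the algorithm the page names as available only outside
# export-compliant mode. Kept as a parameter so it can be extended (assumption).
EXPORT_RESTRICTED_ALGORITHMS = frozenset({"DES"})


@dataclass(frozen=True)
class EncryptedFeature:
    """Constructed, simplified view of one encrypted feature in the config."""
    name: str       # e.g. "s2s-vpn-branch1"
    kind: str       # "site-to-site-vpn" or "ha-failover" (assumed labels)
    algorithm: str  # configured cipher name, compared case-insensitively


# Constructed sample configuration snapshot taken while in evaluation mode.
SAMPLE_FEATURES = (
    EncryptedFeature("s2s-vpn-branch1", "site-to-site-vpn", "des"),
    EncryptedFeature("s2s-vpn-branch2", "site-to-site-vpn", "aes-256"),
    EncryptedFeature("ha-failover-link", "ha-failover", "DES"),
)


def audit(features, target_export_compliant, restricted=EXPORT_RESTRICTED_ALGORITHMS):
    """Return {feature name: remediation} for features that will break.

    Empty when the target account is not export-compliant, because DES
    remains available there and the configuration keeps working.
    """
    if not target_export_compliant:
        return {}
    plan = {}
    for f in features:
        if f.algorithm.upper() not in restricted:
            continue
        if f.kind == "ha-failover":
            # HA caveat from the note above: remove encryption first (avoid
            # split-brain), then re-enable with a stronger cipher and reboot both.
            plan[f.name] = ("remove failover encryption before registering; after "
                            "registration re-enable it with a stronger algorithm and "
                            "reboot both HA peers")
        else:
            plan[f.name] = ("after registration, edit the feature to a stronger "
                            "algorithm, then test and verify it")
    return plan


if __name__ == "__main__":
    for name, fix in audit(SAMPLE_FEATURES, target_export_compliant=True).items():
        print(f"{name}: {fix}")
```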
Impact of Expired or Disabled Optional Licenses
If one of the following optional licenses expires, you can continue using features that require the license. However, the license is marked out of compliance and you need to purchase the license and add it to your account to bring the license back into compliance.
If you disable an optional license, the system reacts as follows:
- Malware—The system stops querying the Secure Malware Analytics Cloud, and also stops acknowledging retrospective events sent from the Secure Malware Analytics Cloud. You cannot re-deploy existing access control policies if they include file policies. Note that for a very brief time after a Malware license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.
- Threat—The system no longer applies intrusion or file policies. For Security Intelligence policies, the system no longer applies the policy and stops downloading feed updates. You cannot re-deploy existing policies that require the license.
- URL—Access control rules with URL category conditions immediately stop filtering URLs or DNS lookup requests, and the system no longer downloads updates to URL data. You cannot re-deploy existing access control policies if they include rules with category and reputation-based URL conditions.
- RA VPN—You cannot edit the remote access VPN configuration, but you can remove it. Users can still connect using the RA VPN configuration. However, if you change the device registration so that the system is no longer export compliant, the remote access VPN configuration stops immediately and no remote users can connect through the VPN.