The management center virtual requires a platform license that correlates with the number of devices it can manage.

The management center virtual supports Smart Licensing.

In regular Smart Licensing, these licenses are perpetual.

In Specific License Reservation (SLR), these licenses are subscription-based.

Note	For the add-on license requirements of your new devices on FMCv, it is recommended to migrate to a higher management center virtual model that supports additional devices.

The Essentials license allows you to:

• Configure your devices to perform switching and routing (including DHCP relay and NAT)

• Configure devices as a high availability pair

• Configure clustering

• Implement user and application control by adding user and application conditions to access control rules

• Update the Vulnerability database (VDB) and geolocation database (GeoDB).

• Download intrusion rules such as SRU/LSP. However, you cannot deploy access control policy or rules that have intrusion policy to the device unless IPS license is enabled.

Secure Firewall 3100

You obtain a Essentials license when you purchase the Secure Firewall 3100.

Other Models

Except in deployments using Specific License Reservation, a Essentials license is automatically added to your account when you register a device to the management center. For Specific License Reservation, you need to add the Essentials license to your account.

A Malware defense license lets you perform malware defense and Secure Malware Analytics. With this feature, you can use devices to detect and block malware in files transmitted over your network. To support this feature license, you can purchase the Malware defense (AMP) service subscription as a stand-alone subscription or in combination with IPS (TM) or IPS and URL Filtering (TMC) subscriptions. IPS license is a prerequisite for a Malware defense license.

Note	Managed devices with Malware defense licenses enabled periodically attempt to connect to the Secure Malware Analytics Cloud even if you have not configured dynamic analysis. Because of this, the device’s Interface Traffic dashboard widget shows transmitted traffic; this is expected behavior.

You configure malware defense as part of a file policy, which you then associate with one or more access control rules. File policies can detect your users uploading or downloading files of specific types over specific application protocols. Malware defense allows you to use local malware analysis and file preclassification to inspect a restricted set of those file types for malware. You can also download and submit specific file types to the Secure Malware Analytics Cloud for dynamic and Spero analysis to determine whether they contain malware. For these files, you can view the network file trajectory, which details the path the file has taken through your network. The Malware Defense license also allows you to add specific files to a file list and enable the file list within a file policy, allowing those files to be automatically allowed or blocked on detection.

Note that a Malware defense license is required only if you deploy malware defense and Secure Malware Analytics. Without a Malware defense license, the management center can receive Secure Endpoint malware events and indications of compromise (IOC) from the Secure Malware Analytics Cloud.

See also important information at License Requirements for File and Malware Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.

When you disable this license:

• The system stops querying the Secure Malware Analytics Cloud, and also stops acknowledging retrospective events sent from the Secure Malware Analytics Cloud.

• You cannot re-deploy existing access control policies if they include malware defense configurations.

• For a very brief time after a Malware defense license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.

If the license expires, your entitlement for the above capabilities ceases and the management center moves to the out-of-compliance state.

A IPS license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:

• Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.

• File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. Malware defense, which requires a Malware defense license, allows you to inspect and block a restricted set of those file types based on their dispositions.

• Security Intelligence filtering allows you to block —deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately block connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

You can purchase a IPS license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware defense (TM), or both (TMC).

When you disable this license:

• The management center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criteria stop firing.

• The management center does not contact the internet for either Cisco-provided or third-party Security Intelligence information.

• You cannot re-deploy existing intrusion policies until you re-enable IPS.

If the license expires, your entitlement for the above capabilities ceases and the management center moves to the out-of-compliance state.

The Carrier license enables the inspection of the following protocols:

• Diameter—Diameter is an Authentication, Authorization, and Accounting (AAA) protocol used in next-generation mobile and fixed telecom networks such as EPS (Evolved Packet System) for LTE (Long Term Evolution) and IMS (IP Multimedia Subsystem). It replaces RADIUS and TACACS in these networks.

• GTP/GPRS—GPRS Tunneling Protocol (GTP) is used in GSM, UMTS, and LTE networks for general packet radio service (GPRS) traffic. GTP provides a tunnel control and management protocol to provide GPRS network access for a mobile station by creating, modifying, and deleting tunnels. GTP also uses a tunneling mechanism for carrying user data packets.

• M3UA—MTP3 User Adaptation (M3UA) is a client/server protocol that provides a gateway to the Signaling System 7 (SS7) network for IP-based applications that interface with the SS7 Message Transfer Part 3 (MTP3) layer. M3UA makes it possible to run the SS7 User Parts (such as ISUP) over an IP network.

• SCTP—Stream Control Transmission Protocol (SCTP) is a transport-layer protocol that supports the SS7 protocol over IP networks. It supports the 4G LTE mobile network architecture. SCTP can handle multiple simultaneous streams, multiplexed streams, and provides more security features.

Note	After you enable this license on a device, use a FlexConfig policy to enable the protocol inspection.

The Carrier license PIDs are available per family and not per device model. You can enable this license for each device either in the evaluation mode or with a Smart License.

The Carrier license for Firepower 4100/9300, Secure Firewall 3100, and Threat Defense Virtual is term-based. This license also supports Specific License Reservation.

Supported Devices

The devices that support the Carrier License are:

• Secure Firewall 3110

• Secure Firewall 3120

• Secure Firewall 3130

• Secure Firewall 3140

• Firepower 4112

• Firepower 4115

• Firepower 4125

• Firepower 4145

• Firepower 9300

• Threat Defense Virtual

The URL Filtering license allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs. To support this feature license, you can purchase the URL Filtering service subscription as a stand-alone subscription or in combination with IPS (TC) or Threat and Malware defense (TMC) subscriptions. IPS license is a prerequisite for this license.

Tip	Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This option gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic.

Although you can add category and reputation-based URL conditions to access control rules without a URL Filtering license, the management center will not download URL information. You cannot deploy the access control policy until you first add a URL Filtering license to the management center, then enable it on the devices targeted by the policy.

When you disable this license:

• You may lose access to URL filtering.

• Access control rules with URL conditions immediately stop filtering URLs.

• Your management center can no longer download updates to URL data.

• You cannot re-deploy existing access control policies if they include rules with category and reputation-based URL conditions.

If the license expires, your entitlement for the above capabilities ceases and the management center moves to the out-of-compliance state.

You can configure remote access VPN using the Secure Client and standards-based IPSec/IKEv2.

To enable remote access VPN, you must purchase and enable one of the following licenses: Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only. You can select Secure Client Advantage and Secure Client Premier if you have both licenses and you want to use them both. The Secure Client VPN Onlylicense cannot be used with Apex or Plus. The Secure Client license must be shared with the Smart Account. For more instructions, see http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf.

You cannot deploy the remote access VPN configuration to the device if the specified device does not have the entitlement for a minimum of one of the specified Secure Client license types. If the registered license moves out of compliance or entitlements expire, the system displays licensing alerts and health events.

While using remote access VPN, your Smart Account must have the export controlled features (strong encryption) enabled. The threat defense requires strong encryption (which is higher than DES) for successfully establishing remote access VPN connections with Secure Clients.

You cannot deploy remote access VPN if the following are true:

• Smart Licensing on the management center is running in evaluation mode.

• Your Smart Account is not configured to use export-controlled features (strong encryption).

Features that require export-controlled functionality

Certain software features are subject to national security, foreign policy, and anti-terrorism laws and regulations. These export-controlled features include:

• Security certifications compliance

• Remote access VPN

• Site-to-site VPN with strong encryption

• SSH platform policy with strong encryption

• SSL policy with strong encryption

• Functionality such as SNMPv3 with strong encryption

How to determine whether export-controlled functionality is currently enabled for your system

To determine whether export-controlled functionality is currently enabled for your system: Go to System > Licenses > Smart Licenses and see if Export-Controlled Features displays Enabled.

About enabling export-controlled functionality

If Export-Controlled Features shows Disabled and you want to use features that require strong encryption, there are two ways to enable strong cryptographic features. Your organization may be eligible for one or the other (or neither), but not both.

• If there is no option to enable export-controlled functionality when you generate a new Product Instance Registration Token in the Smart Software Manager, contact your account representative.

  When approved by Cisco, you can manually add a strong encryption license to your account so you can use export-controlled features. For more information, see Enable the Export Control Feature for Accounts Without Global Permission

• If the option “Allow export-controlled functionality on the products registered with this token” appears when you generate a new Product Instance Registration Token in the Smart Software Manager, make sure you check it before generating the token.

  If you did not enable export-controlled functionality for the Product Instance Registration Token that you used to register the management center, then you must deregister and then re-register the management center using a new Product Instance Registration Token with export-controlled functionality enabled.

If you registered devices to the management center in evaluation mode or before you enabled strong encryption on the management center, reboot each managed device to make strong encryption available. In a high availability deployment, the active and standby devices must be rebooted together to avoid an Active-Active condition.

The entitlement is perpetual and does not require a subscription.

More Information

For general information about export controls, see https://www.cisco.com/c/en/us/about/legal/global-export-trade.html.

This section describes the performance-tiered license entitlements available for the threat defense virtual.

Any threat defense virtual license can be used on any supported threat defense virtual vCPU/memory configuration. This allows threat defense virtual customers to run on a wide variety of VM resource footprints. This also increases the number of supported AWS and Azure instances types. When configuring the threat defense virtual VM, the maximum supported number of cores (vCPUs) is 16 ; and the maximum supported memory is 32 GB RAM .

Performance Tiers for Threat Defense Virtual Smart Licensing

Session limits for RA VPNs are determined by the installed threat defense virtual platform entitlement tier, and enforced via a rate limiter. The following table summarizes the session limits based on the entitlement tier and rate limiter.

Management Center Virtual PIDs

• VMware:

  • SF-FMC-VMW-2-K9—2 devices

  • SF-FMC-VMW-10-K9—10 devices

  • SF-FMC-VMW-K9—25 devices

  • SF-FMC-VMW-300-K9—300 devices

• KVM:

  • SF-FMC-KVM-2-K9—2 devices

  • SF-FMC-KVM-10-K9—10 devices

  • SF-FMC-KVM-K9—25 devices

• PAK-based VMware:

  • FS-VMW-2-SW-K9—2 devices

  • FS-VMW-10-SW-K9—10 devices

  • FS-VMW-SW-K9—25 devices

Threat Defense Virtual PIDs

When you order FTDV-SEC-SUB, you must choose a Essentials license and optional feature licenses (12 month term):

• Essentials license:

  • FTD-V-5S-BSE-K9

  • FTD-V-10S-BSE-K9

  • FTD-V-20S-BSE-K9

  • FTD-V-30S-BSE-K9

  • FTD-V-50S-BSE-K9

  • FTD-V-100S-BSE-K9

• IPS, Malware defense, and URL license combination:

  • FTD-V-5S-TMC

  • FTD-V-10S-TMC

  • FTD-V-20S-TMC

  • FTD-V-30S-TMC

  • FTD-V-50S-TMC

  • FTD-V-100S-TMC

• Carrier—FTDV_CARRIER

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Firepower 1010 PIDs

• IPS, Malware defense, and URL license combination:

  • L-FPR1010T-TMC=

  When you add the above PID to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-FPR1010T-TMC-1Y

  • L-FPR1010T-TMC-3Y

  • L-FPR1010T-TMC-5Y

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Firepower 1100 PIDs

• IPS, Malware defense, and URL license combination:

  • L-FPR1120T-TMC=

  • L-FPR1140T-TMC=

  • L-FPR1150T-TMC=

  When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-FPR1120T-TMC-1Y

  • L-FPR1120T-TMC-3Y

  • L-FPR1120T-TMC-5Y

  • L-FPR1140T-TMC-1Y

  • L-FPR1140T-TMC-3Y

  • L-FPR1140T-TMC-5Y

  • L-FPR1150T-TMC-1Y

  • L-FPR1150T-TMC-3Y

  • L-FPR1150T-TMC-5Y

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Firepower 2100 PIDs

Secure Firewall 3100 PIDs

• Essentials license:

  • L-FPR3110-BSE=

  • L-FPR3120-BSE=

  • L-FPR3130-BSE=

  • L-FPR3140-BSE=

• IPS, Malware defense, and URL license combination:

  • L-FPR3110T-TMC=

  • L-FPR3120T-TMC=

  • L-FPR3130T-TMC=

  • L-FPR3140T-TMC=

  When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-FPR3105T-TMC-1Y

  • L-FPR3105T-TMC-3Y

  • L-FPR3105T-TMC-5Y

  • L-FPR3110T-TMC-1Y

  • L-FPR3110T-TMC-3Y

  • L-FPR3110T-TMC-5Y

  • L-FPR3120T-TMC-1Y

  • L-FPR3120T-TMC-3Y

  • L-FPR3120T-TMC-5Y

  • L-FPR3130T-TMC-1Y

  • L-FPR3130T-TMC-3Y

  • L-FPR3130T-TMC-5Y

  • L-FPR3140T-TMC-1Y

  • L-FPR3140T-TMC-3Y

  • L-FPR3140T-TMC-5Y

• Carrier—L-FPR3K-FTD-CAR=

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Firepower 4100 PIDs

• IPS, Malware defense, and URL license combination:

  • L-FPR4112T-TMC=

  • L-FPR4115T-TMC=

  • L-FPR4125T-TMC=

  • L-FPR4145T-TMC=

  When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-FPR4112T-TMC-1Y

  • L-FPR4112T-TMC-3Y

  • L-FPR4112T-TMC-5Y

  • L-FPR4115T-TMC-1Y

  • L-FPR4115T-TMC-3Y

  • L-FPR4115T-TMC-5Y

  • L-FPR4125T-TMC-1Y

  • L-FPR4125T-TMC-3Y

  • L-FPR4125T-TMC-5Y

  • L-FPR4145T-TMC-1Y

  • L-FPR4145T-TMC-3Y

  • L-FPR4145T-TMC-5Y

• Carrier—L-FPR4K-FTD-CAR=

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Firepower 9300 PIDs

• IPS, Malware defense, and URL license combination:

  • L-FPR9K-40T-TMC=

  • L-FPR9K-48T-TMC=

  • L-FPR9K-56T-TMC=

  When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-FPR9K-40T-TMC-1Y

  • L-FPR9K-40T-TMC-3Y

  • L-FPR9K-40T-TMC-5Y

  • L-FPR9K-48T-TMC-1Y

  • L-FPR9K-48T-TMC-3Y

  • L-FPR9K-48T-TMC-5Y

  • L-FPR9K-56T-TMC-1Y

  • L-FPR9K-56T-TMC-3Y

  • L-FPR9K-56T-TMC-5Y

• Carrier—L-FPR9K-FTD-CAR=

• Cisco Secure Client—See the Cisco AnyConnect Ordering Guide.

ISA 3000 PIDs

• IPS, Malware defense, and URL license combination:

  • L-ISA3000T-TMC=

  When you add the above PID to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-ISA3000T-TMC-1Y

  • L-ISA3000T-TMC-3Y

  • L-ISA3000T-TMC-5Y

• Cisco Secure Client—See the Cisco AnyConnect Ordering Guide.