Smart License Types
Your purchase of an FTD automatically includes a Base license. All additional licenses are optional. The following table explains the licenses available for Firepower Threat Defense (FTD) devices.
Base License (automatically included), Perpetual:
- All features not covered by the subscription term licenses.
- You must also specify whether to Allow export-controlled functionality on the products registered with this token. You can select this option only if your country meets export-control standards. This option controls your use of advanced encryption and the features that require advanced encryption.

Threat license:
- Intrusion detection and prevention—Intrusion policies analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
- File control—File policies detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types. AMP for Firepower, which requires a Malware license, allows you to inspect and block files that contain malware. You must have the Threat license to use any type of File policy.
- Security Intelligence filtering—Drop selected traffic before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to drop connections based on the latest intelligence immediately.

Malware license:
- File policies that check for malware, which use Cisco Advanced Malware Protection (AMP) with AMP for Firepower (network-based Advanced Malware Protection) and Cisco Threat Grid.
- File policies can detect and block malware in files transmitted over your network.

URL Filtering license:
- You can perform URL filtering on individual URLs without this license.

RA VPN Only License, RA VPN Plus License, RA VPN Apex License (term-based or perpetual, based on the license type):
- Remote access VPN configuration. Your base license must allow export-controlled functionality to configure RA VPN. You select whether you meet export requirements when you register the device.
- Firepower Device Manager can use any valid AnyConnect license. The available features do not differ based on the license type. If you have not already purchased one, see Licensing Requirements for Remote Access VPN.
- Also, see the Cisco AnyConnect Ordering Guide, http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf.
FTDv Tiered Licenses in Version 7.0
Version 7.0 supports performance-tiered Smart Licensing for virtual FTD (FTDv) devices based on throughput requirements and RA VPN session limits. When the FTDv is licensed with one of the available performance licenses, two things occur: session limits for RA VPNs are determined by the installed FTDv platform entitlement tier, and they are enforced via a rate limiter.
CDO does not fully support tiered smart licensing at this time; see the following limitations:
- You cannot modify the tiered license through CDO. You must make the changes in the FDM UI.
- If you register an FTDv to CDO for cloud services, the tiered license selection automatically resets to Variable, which is the default tier.
- If you onboard an FTDv running 7.0 and select a license that is not a default license during the onboarding process, the tiered license selection automatically resets to Variable, which is the default tier.
We strongly recommend selecting a tier for your FTDv license after onboarding your device to avoid the issues listed above. See Managing Smart Licenses for more information.
Viewing Smart-Licenses for a Device
- In the CDO navigation bar at the left, click Devices & Services.
- Select an FTD device to view its current license status.
- In the Device Actions pane on the right, click Manage Licenses. The Manage Licenses screen provides the following information:
  - Smart License Agent status: Shows whether you're using a 90-day evaluation license, or if you have registered with the Cisco Smart Software Manager. The Smart License Agent status can be the following:
    - “Connected,” “Sufficient Licenses”—The device has contacted and registered successfully with the License Authority, which has authorized the license entitlements for the appliance. The device is now In-Compliance.
    - Out-of-Compliance—There's no available license entitlement for the device. Licensed features continue to work. However, you can either purchase or free up extra entitlements to become In-Compliance.
    - Authorization Expired—The device hasn't communicated with the Licensing Authority in 90 or more days. Licensed features continue to work. In this state, the Smart License Agent retries its authorization requests. If a retry succeeds, the agent enters either an Out-of-Compliance or Authorized state and begins a new Authorization Period. Try manually synchronizing the device.
  - License Registration: Allows you to apply a smart license to an already onboarded FTD device. For more information, see Smart-licensing an Already Onboarded FTD Device. Once registered, you can see the status of the connection to the Cisco Smart Software Manager and the status for each type of license.
  - License Status: Shows the status of the optional licenses available for your FTD device. You can enable a license to use the features controlled by the license.
Enabling or Disabling Optional Licenses
You can enable (register) optional licenses on FTD devices that are using a 90-day evaluation license or a full license. You must enable a license to use the features controlled by the license.
If you no longer want to use the features covered by an optional term license, you can disable (release) the license. Disabling the license releases it in your Cisco Smart Software Manager account so that you can apply it to another device.
In evaluation mode, you can also enable evaluation versions of the optional licenses and perform all operations. In this mode, the licenses aren’t registered with Cisco Smart Software Manager until you register the device.
Note: You can’t enable the RA VPN license in evaluation mode.
Before you Begin
Before disabling a license, ensure that you are not using it. Rewrite or delete any policies that require the license.
For units operating in a high availability configuration, you enable or disable licenses on the active unit only. The change is reflected in the standby unit the next time you deploy the configuration when the standby unit requests (or frees) the necessary licenses. When enabling licenses, you must ensure that your Cisco Smart Software Manager account has sufficient licenses available, or you could have one unit compliant while the other unit is non-compliant.
To enable or disable optional licenses, follow this procedure:
- In the Devices & Services page, select the FTD device that you want and click Manage Licenses in the Device Actions pane.
  The Manage Licenses screen appears.
- Click the slider control for each optional license to enable or disable the license.
  The status of the license shows OK when enabled.
  - Enabled: Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license.
  - Disabled: Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features. You cannot configure the features in new policies, nor can you deploy policies that use the feature.
- Click Save to save the changes.
Impact of Expired or Disabled Optional Licenses
If an optional license expires, you can continue using features that require the license. However, the license is marked out of compliance, and you need to purchase the license and add it to your account to bring the license back into compliance.
If you disable an optional license, the system reacts as follows:
- Malware license: The system stops querying the AMP cloud and also stops acknowledging retrospective events sent from the AMP cloud. You cannot re-deploy existing access control policies if they include file policies that apply malware inspection. Note that for a very brief time after a Malware license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.
- Threat: The system no longer applies intrusion or file-control policies. For Security Intelligence policies, the system no longer applies the policy and stops downloading feed updates. You cannot re-deploy existing policies that require the license.
- URL Filtering: Access control rules with URL category conditions immediately stop filtering URLs, and the system no longer downloads updates to URL data. You cannot re-deploy existing access control policies if they include rules with category and reputation-based URL conditions.
- RA VPN: You cannot edit the remote access VPN configuration, but you can remove it. Users can still connect using the RA VPN configuration. However, if you change the device registration so that the system is no longer export compliant, the remote access VPN configuration stops immediately, and no remote users can connect through the VPN.
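
The dependency check that "Before you Begin" asks for, shown as an added example (not Cisco code and not a CDO or FDM API): it maps policy features to the licenses this page says they need, lists the policies to rewrite before a license is disabled, and reports policies whose required licenses are not enabled. The feature names and the sample policy inventory are constructed assumptions.

```python
# Added example: feature names and the inventory are constructed, not CDO/FDM API fields.

# Licenses each policy feature needs, taken from the license descriptions above.
REQUIRES = {
    "intrusion_policy": {"Threat"},
    "file_control": {"Threat"},
    "security_intelligence": {"Threat"},
    "malware_inspection": {"Threat", "Malware"},  # any File policy needs Threat
    "url_category_reputation": {"URL Filtering"},
    "url_individual": set(),                      # works without a URL license
    "ra_vpn": {"RA VPN"},
}

# What stops at runtime when a license is disabled, per the impact list above.
RUNTIME_EFFECT = {
    "Threat": "intrusion, file-control and Security Intelligence policies are no longer applied",
    "Malware": "AMP cloud queries stop; cached dispositions expire to Unavailable",
    "URL Filtering": "URL category conditions stop filtering immediately",
    "RA VPN": "RA VPN configuration can be removed but not edited; users can still connect",
}

def required_licenses(features):
    """Union of licenses needed by a policy's features (unknown feature raises KeyError)."""
    return set().union(*(REQUIRES[f] for f in features))

def disable_impact(license_name, policies):
    """Policies that must be rewritten or deleted before disabling license_name."""
    blocked = sorted(name for name, feats in policies.items()
                     if license_name in required_licenses(feats))
    return {"safe_to_disable": not blocked, "policies_to_rewrite": blocked,
            "runtime_effect": RUNTIME_EFFECT[license_name]}

def missing_licenses(enabled, policies, export_controlled=True):
    """Per policy, the licenses (or Base export setting) it needs but the device lacks."""
    gaps = {}
    for name, feats in policies.items():
        lacking = required_licenses(feats) - set(enabled)
        if "ra_vpn" in feats and not export_controlled:
            lacking.add("Base export-controlled functionality")
        if lacking:
            gaps[name] = sorted(lacking)
    return gaps

POLICIES = {  # constructed sample inventory
    "edge-access": ["intrusion_policy", "malware_inspection", "url_category_reputation"],
    "guest-access": ["url_individual", "security_intelligence"],
    "remote-workers": ["ra_vpn"],
}
```

Run `disable_impact` for the license you plan to release and `missing_licenses` against the licenses currently enabled on the device; an empty result from both means no deployed policy depends on a license that is absent or about to be released.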