Guest

Cisco PIX 500 Series Security Appliances

Cisco PIX Security Appliance Licensing

  • Viewing Options

  • PDF (185.4 KB)
  • Feedback
DATA SHEET

The market-leading Cisco PIX Security Appliance Series supports a variety of licensing options, enabling businesses to select the capabilities that are best-suited for their specific environment. Licensing options range from user-based licenses on the Cisco PIX 501 Security Appliance to licenses for advanced capabilities, such as Active/Active failover, which are available on specific Cisco PIX Security Appliance models.

This document describes the different types of licenses available, how licenses and activation keys are obtained, and what specific licenses are supported on each model of Cisco PIX Security Appliances.

FOUR TYPES OF LICENSES PROVIDE BUSINESSES FLEXIBLE SECURITY SOLUTIONS

Cisco PIX Security Appliances support a variety of license types. These types include:

• User licenses

• Platform licenses

• Feature licenses

• Encryption licenses

User Licenses

Cisco PIX 501 Security Appliances, a popular security solution for Small Office/Home Office network environments, support User Licenses. This license controls how many internal users (located on the inside network of a Cisco PIX Security Appliance) that can concurrently access the Internet, or other resources through the outside interface of the appliance. Supported license levels include: 10 users, 50 users, and unlimited users. Cisco Systems provides three different pre-configured bundles of the Cisco PIX 501 Security Appliance, making it easy for businesses to purchase an appliance with the appropriate User License installed. Businesses can upgrade from one User License level to another, as their needs grow, by purchasing the appropriate User License upgrade part number.

Platform Licenses

Cisco PIX 515, 515E, 525, and 535 Security Appliances support the concept of a Platform License. This license establishes what base capabilities the appliance has-each Cisco PIX 515, 515E, 525, and 535 Appliance must have a single Platform License installed. License levels range from Restricted (R), Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA). The table below outlines the capabilities that each of these license levels provides:

Table 1. Platform License Benefits

Platform License

Benefits

Restricted (R)

Provides businesses a security solution with excellent value, but with some restrictions on its capabilities, including:

• Limited number of physical and virtual interfaces supported

• Limited number of concurrent connections supported

• Limited amount of RAM included

• Limited VPN performance included, yet allows businesses to add hardware VPN acceleration as an optional upgrade

• No support for failover, including Active/Active and Active/Standby stateful failover

• No support for advanced features such as security contexts (virtual firewalls) or General Packet Radio Service Tunneling Protocol (GTP) inspection

Unrestricted (UR)

Provides businesses a robust, high-performance security solution, allowing them to take full advantage of the platforms capabilities, including:

• Maximum number of physical and virtual interfaces supported

• Maximum number of concurrent firewall and VPN connections supported

• Maximum amount of RAM included

• Maximum VPN performance via integrated hardware VPN acceleration (Cisco VPN Accelerator or Cisco VPN Accelerator+)

• Active/Active* stateful failover support (requires similar Cisco PIX Security Appliance model with Failover-Active/Active license)

• Active/Standby stateful failover support (requires similar Cisco PIX Security Appliance model with Failover or Failover-Active/Active license)

• Security context* support, with two security contexts included as part of the UR license

• GTP inspection* support, when a GTP Feature License is also installed on the system

Failover (FO)

• Designed for use in conjunction with a similar Cisco PIX Security Appliance model that has an Unrestricted license, providing a cost-effective, Active/Standby high-availability solution.

• Provides the same capabilities as the Unrestricted license, except the Failover license does not support Active/Active failover. Requires presence of similar Cisco PIX Security Appliance model with an Unrestricted license to operate properly.

Failover-Active/Active (FO-A/A)*

• Designed for use in conjunction with a similar Cisco PIX Security Appliance that has an Unrestricted license, providing a scalable Active/Active high-availability solution (with support for Active/Standby failover as well).

• Provides the same capabilities as the Unrestricted license. Requires presence of similar Cisco PIX Security Appliance model with an Unrestricted license to operate properly.

* Cisco PIX Security Appliance Software v7.0, or higher, required for this capability

Feature Licenses

Cisco PIX 515, 515E, 525, and 535 Security Appliances support the concept of Feature Licenses. These licenses control what advanced features are enabled on a Cisco PIX Security Appliance which has an Unrestricted (UR), Failover (FO), or Failover-Active/Active (FO-AA) Platform License. The table below outlines the Feature Licenses currently available:

Table 2. Feature License Benefits

Feature License

Benefits

Security Contexts*

Allows businesses to create multiple security contexts (virtual firewalls) within a single Cisco PIX Security Appliance, with each context having its own set of security policies, logical interfaces, and administrative domain.

• Four license levels for number of security contexts supported: 5, 10, 20, and 50 contexts

Note: Maximum number of security contexts supported depends on model of Cisco PIX Security Appliance

GTP/GPRS Inspection*

Provides advanced security services for GTP/GPRS 3G Mobile Wireless environments.

* Cisco PIX Security Appliance Software v7.0, or higher, required for this capability

Encryption Licenses

All Cisco PIX Security Appliance support the concept of Encryption Licenses. These licenses activate encryption services on Cisco PIX Security Appliances, which are required before using certain features including VPN, secure remote management, and more. The table below outlines the Encryption Licenses currently available:

Table 3. Encryption License Benefits

Encryption License

Benefits

NONE

Disables encryption capabilities of a Cisco PIX Security Appliance.

DES

Enables support of:

• 512 bit RSA (Rivest, Shamir, Adelmen) public key cryptography

• 512 bit DSA** (Digital Signature Algorithm) public key cryptography

• 56 bit DES (Data Encryption Standard) symmetric key cryptography

• 40 and 56 bit RC4 symmetric key cryptography

3DES/AES

Enables support of:

• 512 to 4,096 bit** RSA public key cryptography

• 512 to 1,024 bit** DSA public key cryptography

• 56 bit DES symmetric key cryptography

• 168 bit 3DES (Triple DES) symmetric key cryptography

• 128, 192, and 256 bit AES* symmetric key cryptography

• 40, 56, 64, and 128 bit RC4 symmetric key cryptography

* Cisco PIX Security Appliance Software v6.3, or higher, required for this capability
** Cisco PIX Security Appliance Software v7.0, or higher, required for this capability

PURCHASING AND INSTALLING LICENSES

To enable the licenses on a Cisco PIX Security Appliance, an activation key must be installed on that appliance. This key combines all licensed features for a specific Cisco PIX Security Appliance into a single 32 or 40 digit hexadecimal number. An activation key is installed at manufacturing time on each Cisco PIX Security Appliance, and it includes any specific licensed features selected by a business at time of purchase. Businesses can either purchase a configurable Cisco PIX Security Appliance chassis with all desired license and hardware options, or alternatively, businesses can simply purchase a Cisco PIX Security Appliance bundle-bundles combine each Cisco PIX Security Appliance model with its most popular license and hardware options into a single part number for simplified purchasing.
Businesses can upgrade the licensed features for an existing Cisco PIX Security Appliance using two different methods. Encryption Licenses can be obtained free-of-charge through a Web-based process on Cisco.com (details provided in the section below). Businesses can upgrade all other license types by purchasing the appropriate license upgrade part number from Cisco Systems or an authorized reseller (see upgrade part numbers available by chassis in tables 7, 9, 11, and 13 below). Upon purchasing an upgrade, businesses will receive an upgrade kit that contains a Product Authorization Key (PAK), along with instructions on how to access Cisco.com to complete the upgrade process. Using this easy-to-follow Web-based process, businesses simply enter the PAK from their upgrade kit and the serial number of the Cisco PIX Security Appliance they wish to upgrade, and a new activation key for their appliance will be emailed to them. Upon receiving the activation key, businesses can install the new activation key on their Cisco PIX Security Appliance by following the remaining instructions that came with the upgrade kit.

OBTAINING ENCRYPTION LICENSES

Businesses wishing to activate or upgrade the Encryption License on their Cisco PIX Security Appliance can go to the following URL below, and select the type of Encryption License they wish to request. Encryption licenses are free-of-charge, but are subject to export controls. Customers must have a crypto-enabled Cisco.com account in order to request a Cisco PIX Security Appliance Encryption License. Customers will be required to enter the serial number of the Cisco PIX Security Appliance they wish to upgrade. After submitting the request and passing the necessary export control checks, customers will receive an email with the new activation key for their appliance.

PLATFORM CAPABILITIES AND ORDERING INFORMATION

Cisco PIX 501 Security Appliance

Table 4. Cisco PIX 501 Security Appliance Bundle Descriptions

 

10 User

50 User

Unlimited User

Memory

16 MB
16 MB
16 MB

Maximum Connections

7,500
7,500
7,500

Maximum Physical Interfaces

1 + 4-port 10/100 switch
1 + 4-port 10/100 switch
1 + 4-port 10/100 switch

Maximum Virtual Interfaces

Not supported
Not supported
Not supported

Maximum DHCP Clients

32
128
256

Hardware VPN Acceleration

Not supported
Not supported
Not supported

Maximum Security Contexts

Not supported
Not supported
Not supported

GTP/GPRS Inspection

Not supported
Not supported
Not supported

Active/Standby Failover

Not supported
Not supported
Not supported

Active/Active Failover

Not supported
Not supported
Not supported

Table 5. Cisco PIX 501 Security Appliance Bundle and License Ordering Information

Product Number

Description

Bundles

PIX-501-BUN-K9
PIX 501 10 User 3DES/AES Bundle (chassis, SW, 10 Users, 3DES/AES)
PIX-501-50-BUN-K9
PIX 501 50 User 3DES/AES Bundle (chassis, SW, 50 Users, 3DES/AES)
PIX-501-UL-BUN-K9
PIX 501 Unlimited User 3DES/AES Bundle (chassis, SW, Unlimited Users, 3DES/AES)

User License Upgrades

PIX-501-SW-10-50=
PIX 501 10-to-50 User Upgrade Software License
PIX-501-SW-10-UL=
PIX 501 10-to-Unlimited User Upgrade Software License
PIX-501-SW-50-UL=
PIX 501 50-to-Unlimited User Upgrade Software License

Encryption Licenses

PIX-VPN-NONE
No VPN/SSH/SSL Encryption License for PIX Models
PIX-VPN-DES
PIX DES VPN/SSH/SSL Encryption License
PIX-VPN-501-3DES
PIX 501 3DES/AES VPN/SSH/SSL Encryption License

Cisco PIX Security 506/506E Appliance

Table 6. Cisco PIX 506E Security Appliance Bundle Descriptions

 

Base Model

Memory

32 MB

Maximum Connections

25,000

Maximum Physical Interfaces

2

Maximum Virtual Interfaces

2

Hardware VPN Acceleration

Not supported

Maximum Security Contexts

Not supported

GTP/GPRS Inspection

Not supported

Active/Standby Failover

Not supported

Active/Active Failover

Not supported

Table 7. Cisco PIX 506/506E Security Appliance Bundle and License Ordering Information

Product Number

Description

Bundles

PIX-506E
PIX 506E Chassis (Chassis, Software, 2 FE Ports)
PIX-506E-BUN-K9
PIX 506E 3DES/AES Bundle (Chassis, Software, 2 FE Ports, VLAN DMZ, 3DES/AES)

Encryption Licenses

PIX-VPN-NONE
No VPN/SSH/SSL Encryption License for PIX Models
PIX-VPN-DES
PIX DES VPN/SSH/SSL Encryption License
PIX-SW-506-3DES
PIX 506E 3DES/AES VPN/SSH/SSL Encryption License

Cisco PIX Security 515/515E Appliance

Table 8. Cisco PIX 515E Security Appliance Bundle Descriptions

 

Restricted (R)

Unrestricted (UR)

Failover (FO)

Failover-Active/Active (FO-AA)

Memory

64 MB (formally 32MB)*
128 MB (formally 64MB)*
128 MB (formally 64MB)*
128 MB (formally 64MB)*

Maximum Connections

48,000
130,000
130,000
130,000

Maximum Physical Interfaces

3
6
6
6

Maximum Virtual Interfaces

10
25
25
25

Hardware VPN Acceleration

Add-on
Included
Included
Included

Maximum Security Contexts

Not supported
5 (2 included with UR license)
5 (2 included with FO license)
5 (2 included with FO-AA license)

GTP/GPRS Inspection

Not supported
Add-on
Add-on
Add-on

Active/Standby Failover

Not supported
Supported
Supported
Supported

Active/Active Failover

Not supported
Supported
Not supported
Supported

* Changed in mid-February 2005 to support Cisco PIX Security Appliance Software v7.0

Table 9. Cisco PIX 515/515E Security Appliance Bundle and License Ordering Information

Product Number

Description

Bundles

PIX-515E
PIX 515E Chassis (chassis, software, 2 10/100 interfaces)
PIX-515E-R-BUN
PIX 515E Restricted Bundle (chassis, restricted license, software, 2 10/100 interfaces, 64 MB RAM)
PIX-515E-R-DMZ-BUN
PIX 515E DMZ Bundle (chassis, restricted license, software, 3 10/100 interfaces, 64 MB RAM)
PIX515E-DMZ-CSA-K9
PIX 515E DMZ + CSA + VMS Basic Bundle (chassis, restricted license, software, 3 10/100 interfaces, 64 MB RAM), 10 desktop and 1 server license of Cisco Security Agent, CiscoWorks VMS Basic
PIX-515E-UR-BUN
PIX 515E Unrestricted Bundle (chassis, unrestricted license, software, 2 10/100 ports, 128 MB RAM, VAC or VAC+)
PIX-515E-UR-FE-BUN
PIX 515E Unrestricted 6-port Fast Ethernet Bundle (chassis, unrestricted license, software, 6 10/100 ports, 128 MB RAM, VAC or VAC+)
PIX-515E-FO-BUN
PIX 515E Active/Standby Failover Bundle (chassis, Active/Standby failover license, software, 2 10/100 interfaces, 128 MB RAM, VAC or VAC+)
PIX-515E-FO-FE-BUN
PIX 515E Active/Standby Failover 6-port Fast Ethernet Bundle (chassis, Active/Standby failover license, software, 6 10/100 interfaces, 128 MB RAM, VAC or VAC+)
PIX-515E-AA-FE-BUN
PIX 515E Active/Active Failover 6-port Fast Ethernet Bundle (chassis, Active/Active failover license, software, 6 10/100 interfaces, VAC or VAC+)

Platform License Upgrades

PIX-515-SW-R-UR=
PIX 515/515E R to UR Platform License Upgrade (includes VAC+, 128 MB RAM)
PIX-515-SW-FO-R=
PIX 515/515E FO to R Platform License Upgrade
PIX-515-SW-FO-UR=
PIX 515/515E FO to UR Platform License Upgrade
PIX-515-SW-FO-AA=
PIX 515/515E FO to FO-AA Platform License Upgrade

Feature License Upgrades

PIX-SW-SC-5=
PIX 5 Security Contexts License
PIX-SW-GTP=
PIX GTP/GPRS Inspection License

Encryption Licenses

PIX-VPN-NONE
No VPN/SSH/SSL Encryption License for PIX Models
PIX-VPN-DES
PIX DES VPN/SSH/SSL Encryption License
PIX-VPN-515-3DES
PIX 515/515E 3DES/AES VPN/SSH/SSL Encryption License

Cisco PIX Security 525 Appliance

Table 10. Cisco PIX 525 Security Appliance Primary Bundle Descriptions

 

Restricted (R)

Unrestricted (UR)

Failover (FO)

Failover-Active/Active (FO-AA)

Memory

128 MB
256 MB
256 MB
256 MB

Maximum Connections

140,000
280,000
280,000
280,000

Maximum Physical Interfaces

6
10
10
10

Maximum Virtual Interfaces

25
100
100
100

Hardware VPN Acceleration

Add-on
Included
Included
Included

Maximum Security Contexts

Not supported
50 (2 included with UR license)
50 (2 included with FO license)
50 (2 included with FO-AA license)

GTP/GPRS Inspection

Not supported
Add-on
Add-on
Add-on

Active/Standby Failover

Not supported
Supported
Supported
Supported

Active/Active Failover

Not supported
Supported
Not supported
Supported

Table 11. Cisco PIX 525 Security Appliance Bundle and License Ordering Information

Product Number

Description

Bundles

PIX-525
Cisco PIX 525 Chassis (chassis, software, two 10/100 interfaces)
PIX-525-R-BUN
Cisco PIX 525 Restricted Bundle (chassis, restricted license, software, two 10/100 interfaces, 128 MB RAM)
PIX-525-UR-BUN
Cisco PIX 525 Unrestricted Bundle (chassis, unrestricted license, software, two 10/100 interfaces, 256 MB RAM, VAC or VAC+)
PIX-525-UR-GE-BUN
Cisco PIX 525 Unrestricted two GE + two FE Bundle (chassis, unrestricted license, software, two Gigabit Ethernet + two 10/100 interfaces, 256 MB RAM, VAC or VAC+)
PIX-525-FO-BUN
Cisco PIX 525 Active/Standby Failover Bundle (chassis, Active/Standby failover license, software, two 10/100 interfaces, 256 MB RAM, VAC or VAC+)
PIX-525-FO-GE-BUN
Cisco PIX 525 Active/Standby Failover two GE + two FE Bundle (chassis, Active/Standby failover license, software, two Gigabit Ethernet + two 10/100 interfaces, VAC or VAC+)
PIX-525-AA-GE-BUN
Cisco PIX 525 Active/Active Failover two GE + two FE Bundle (chassis, Active/Active failover license, software, two Gigabit Ethernet + two 10/100 interfaces, VAC or VAC+)

Platform License Upgrades

PIX-525-SW-R-UR=
PIX 525 R to UR Platform License Upgrade (includes VAC+, 128 MB RAM)
PIX-525-SW-FO-R=
PIX 525 FO to R Platform License Upgrade
PIX-525-SW-FO-UR=
PIX 525 FO to UR Platform License Upgrade
PIX-525-SW-FO-AA=
PIX 525 FO to FO-AA Platform License Upgrade

Feature License Upgrades

PIX-SW-SC-5=
PIX 5 Security Contexts License
PIX-SW-SC-10=
PIX 10 Security Contexts License
PIX-SW-SC-20=
PIX 20 Security Contexts License
PIX-SW-SC-50=
PIX 50 Security Contexts License
PIX-SW-SC-5-10=
PIX 5 to 10 Security Context License Upgrade
PIX-SW-SC-10-20=
PIX 10 to 20 Security Context License Upgrade
PIX-SW-SC-20-50=
PIX 20 to 50 Security Context License Upgrade
PIX-SW-GTP=
PIX GTP/GPRS Inspection License

Encryption Licenses

PIX-VPN-NONE
No VPN/SSH/SSL Encryption License for PIX Models
PIX-VPN-DES
PIX DES VPN/SSH/SSL Encryption License
PIX-VPN-3DES
PIX 3DES/AES VPN/SSH/SSL Encryption License

Cisco PIX Security 535 Appliance

Table 12. Cisco PIX 535 Security Appliance Primary Bundle Descriptions

 

Restricted (R)

Unrestricted (UR)

Failover (FO)

Failover-Active/Active (FO-AA)

Memory

512 MB
1024 MB
1024 MB
1024 MB

Maximum Connections

250,000
500,000
500,000
500,000

Maximum Physical Interfaces

8
14
14
14

Maximum Virtual Interfaces

50
150
150
150

Hardware VPN Acceleration

Add-on
Included
Included
Included

Maximum Security Contexts

Not supported
50 (2 included with UR license)
50 (2 included with FO license)
50 (2 included with FO-AA license)

GTP/GPRS Inspection

Not supported
Add-on
Add-on
Add-on

Active/Standby Failover

Not supported
Supported
Supported
Supported

Active/Active Failover

Not supported
Supported
Not supported
Supported

Table 13. Cisco PIX 535 Security Appliance Bundle and License Ordering Information

Product Number

Description

Bundles

PIX-535
Cisco PIX 535 Chassis (chassis, software, two 10/100 interfaces)
PIX-535-R-BUN
Cisco PIX 535 Restricted Bundle (chassis, restricted license, software, two 10/100 interfaces, 512 MB RAM)
PIX-535-UR-BUN
Cisco PIX 535 Unrestricted Bundle (chassis, unrestricted license, software, two 10/100 interfaces, 1 GB RAM, VAC or VAC+)
PIX-535-UR-GE-BUN
Cisco PIX 535 Unrestricted Three GE + Two FE Bundle (chassis, unrestricted license, software, three Gigabit Ethernet + two 10/100 interfaces, 1 GB RAM, VAC or VAC+, dual AC power supplies)
PIX-535-FO-BUN
Cisco PIX 535 Active/Standby Failover Bundle (chassis, Active/Standby failover license, software, two 10/100 interfaces, 1 GB RAM, VAC or VAC+)
PIX-535-AA-GE-BUN
Cisco PIX 535 Active/Active Failover Bundle (chassis, Active/Active failover license, software, three Gigabit Ethernet + two 10/100 interfaces, 1 GB RAM, VAC+, dual AC power supplies)

Platform License Upgrades

PIX-535-SW-R-UR=
PIX 535 R to UR Platform License Upgrade (includes VAC+, 512 MB RAM)
PIX-535-SW-FO-R=
PIX 535 FO to R Platform License Upgrade
PIX-535-SW-FO-UR=
PIX 535 FO to UR Platform License Upgrade
PIX-535-SW-FO-AA=
PIX 535 FO to FO-AA Platform License Upgrade

Feature License Upgrades

PIX-SW-SC-5=
PIX 5 Security Contexts License
PIX-SW-SC-10=
PIX 10 Security Contexts License
PIX-SW-SC-20=
PIX 20 Security Contexts License
PIX-SW-SC-50=
PIX 50 Security Contexts License
PIX-SW-SC-5-10=
PIX 5 to 10 Security Context License Upgrade
PIX-SW-SC-10-20=
PIX 10 to 20 Security Context License Upgrade
PIX-SW-SC-20-50=
PIX 20 to 50 Security Context License Upgrade
PIX-SW-GTP=
PIX GTP/GPRS Inspection License

Encryption Licenses

PIX-VPN-NONE
No VPN/SSH/SSL Encryption License for PIX Models
PIX-VPN-DES
PIX DES VPN/SSH/SSL Encryption License
PIX-VPN-3DES
PIX 3DES/AES VPN/SSH/SSL Encryption License

ADDITIONAL INFORMATION

For more information, please visit the following links.
Cisco PIX Security Appliance Series: http://www.cisco.com/go/pix
Obtain Activation Keys and Additional Licensing Information: http://www.cisco.com/go/license
Obtain Cryptographic License and Software Download Access on Cisco.com: (Cisco.com login required to view this content) https://www.cisco.com/cgi-bin/swc/front.x/Software/Crypto/crypto.cgi