Installation Guide for Cisco Security Manager 4.3
Licensing
Downloads: This chapterpdf (PDF - 126.0KB) The complete bookPDF (PDF - 2.34MB) | Feedback

Licensing

Table Of Contents

Licensing

Determining Which License You Need to Install and Use Security Manager 4.3

New Installation of Security Manager 4.3

Upgrade from Security Manager 4.0, 4.0.1, 4.1, or 4.2

Upgrade from Security Manager 3.3 or 3.3.1

Upgrade from Security Manager 3.2, 3.2.1, or 3.2.2

Description of Licenses for Security Manager

Standard and Professional

90-day Evaluation License

Standard-to-Professional Upgrade License

Version Upgrade License

Incremental ("Add-on") Licenses

Active and Standby Servers

Licenses for Component Applications

Device Count

Example for any Standalone Firewall Blade in Multi-context Mode

Installing a License for Security Manager or Component Applications

Updating a License for Security Manager or Component Applications

Additional Documentation on Licensing

API Licensing

Getting Help with Licensing


Licensing


With the information in this chapter, you can determine which license you need to install and use Cisco Security Manager 4.3. This chapter also has descriptions of the various licenses available, such as standard, professional, and evaluation.

Other than a few notes, this chapter does not discuss license installation. Refer to Chapter 5 "Installing and Upgrading Server Applications"

This chapter discusses device count, with the purpose of helping you determine which Security Manager server license you need.

This chapter concludes with information on API licensing for Cisco Partners who want to use the Cisco Security Manager API.

Determining Which License You Need to Install and Use Security Manager 4.3

The license that you need depends upon whether you are performing a new installation or upgrading from one of several previous versions:

New Installation of Security Manager 4.3

Upgrade from Security Manager 4.0, 4.0.1, 4.1, or 4.2

Upgrade from Security Manager 3.3 or 3.3.1

Upgrade from Security Manager 3.2, 3.2.1, or 3.2.2

New Installation of Security Manager 4.3

A new installation of Cisco Security Manager 4.3 requires the purchase of the appropriate Cisco Security Manager 4.3 license. Details about Cisco Security Manager licensing can be found in the product bulletin at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.

Upgrade from Security Manager 4.0, 4.0.1, 4.1, or 4.2

To upgrade from Security Manager 4.0, 4.0.1, 4.1, or 4.2, you do not need to apply any licenses. Your existing license is valid.

Upgrade from Security Manager 3.3 or 3.3.1

Customers upgrading from Cisco Security Manager 3.3 or 3.3.1 are required to purchase the appropriate Cisco Security Manager 4.3 license or a version upgrade license. Details about Cisco Security Manager licensing can be found in the product bulletin at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.

Upgrade from Security Manager 3.2, 3.2.1, or 3.2.2

Customers upgrading from Cisco Security Manager 3.2, 3.2.1, or 3.2.2 are required to purchase the appropriate Cisco Security Manager 4.3 license or a version upgrade license. Details about Cisco Security Manager licensing can be found in the product bulletin at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.

Description of Licenses for Security Manager

Two base license types, Standard and Professional, are available, in addition to a free 90-day evaluation license.

Standard and Professional

For a list of the base licenses available for Cisco Security Manager 4.3, refer to Table 2-1.

Table 2-1 List of the Base Licenses Available  

License Name
License Abbreviation
Number of Devices that can be Managed (Refer to Device Count)

Standard-5

ST5

5

Standard-10

ST10

10

Standard-25

ST25

25

Professional-50

PRO50

50

Professional-100

PRO100

100

Professional-250

PRO250

250


For a comparison of Professional base versions with Standard base versions, refer to Table 2-2.

Table 2-2 Comparison of Professional Base Versions with Standard Base Versions 

Feature
Supported in Professional?
Supported in Standard?

Support of incremental ("add-on") device license packages in increments of 50, 100, and 250 devices

Yes

No

Support for the management of Cisco Catalyst 6500 and 7600 Series switches and associated services modules

Yes

No

Support for the management of firewall service modules

Yes

No

Support for temporary licenses (licenses with an expiration date)

Yes

No (only permanent licenses are supported)


To obtain a base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package:

If you are a registered Cisco.com user, start at http://www.cisco.com/go/license.

If you are not a registered Cisco.com user, start at http://tools.cisco.com/RPF/register/register.do.

You must register Security Manager as soon as you can within the first 90 days and for the number of devices that you need to ensure uninterrupted use of the product. Each time you start the application, you are reminded of how many days remain on your evaluation license and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you cannot log in until you upgrade your license.

After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.

90-day Evaluation License

If you provide no license during installation, the resulting installation will be an evaluation version. You can also select Evaluation Only during installation. Refer to Installing Security Manager Server, Common Services, and AUS.

The evaluation license is limited to 50 devices.

The evaluation license provides the same privileges as the Professional Edition licenses, except that you cannot apply incremental licenses to the evaluation version.

Standard-to-Professional Upgrade License

A Standard-to-Professional upgrade license is available. It can be applied only if the base license is a Standard-25 ("ST25") license.

Version Upgrade License

If you need to upgrade to Security Manager 4.3 from a previous major version, such as 3.3, you can purchase a version upgrade license.

There are different version upgrade licenses. Each one corresponds to a particular base license from the previous version. You can use a particular upgrade license (e.g., PRO50U) only if you applied the corresponding base license (e.g., PRO50) to the previous version of Security Manager. Other upgrade licenses are not accepted.

Incremental ("Add-on") Licenses

If your base license is a Professional version (not a Standard version or the evaluation version), you can purchase incremental ("add-on") licenses to increase the number of devices that you are allowed to manage. You can purchase as many incremental licenses as you wish.

Incremental ("add-on") licenses for previous versions are valid for the current version. For example, if you have a Professional-50 license for Security Manager 4.3, you can use a 4.2 incremental device license.

Incremental licenses are available in increments of 50, 100, and 250 devices.

Active and Standby Servers

A Cisco Security Manager license allows the use of Cisco Security Manager on a single server. A standby Cisco Security Manager server, such as one used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time. This is true even when high availability (HA) configuration is being used.


Note Users who use a standby server are responsible for manually restoring the database from their active server on a regular basis.


Licenses for Component Applications

Some component applications do not require a license file:

Common Services does not require a license file.

Auto Update Server does not require a license file.

Device Count

Security Manager consumes one device count (of the number allowed by the license) when you add any of the following to the device inventory:

Each physical device

Each security context

Each virtual sensor

Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, IPS Advanced Integration Modules (IPS AIM), and any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) do consume a license.

In the case of a Firewall Services Module (FWSM) or ASA device, the module itself consumes a device count and then consumes an additional device count for each additional security context. For example, an FWSM with two security contexts would consume three device counts: one for the module, one for the admin context, and one for the second security context.

Unmanaged devices are a special case. In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager in the device properties. An unmanaged device does not consume a license.

Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object command to add different types of objects on the map such as network clouds, firewalls, hosts, networks, and routers. These objects do not appear in the device inventory and do not consume a device license.

To determine your device count, which you will need to do to determine which Security Manager server license you need, refer to Table 2-3.


Tip For the purpose of determining which Security Manager server license you need, devices are counted for Security Manager 4.3 in the same way that they were for Security Manager 4.2.


Table 2-3 Determining Your Device Count

Device
Mode (also called Context)
Device Count (also called License Count or simply License)
Comments

Excluded Devices

Advanced Inspection and Prevention Security Services Modules (AIP-SSMs)

 

0

Additional virtual sensors (added after the first sensor) consume 1 license each.

IDS Network Modules

 

0 (but see comment in the next column)

Additional virtual sensors (added after the first sensor) consume 1 license each.

IPS Advanced Integration Modules (IPS AIMs)

 

0

 

Any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device

 

0

 

Standalone Firewall Devices

Any standalone firewall device

Single-context mode

1

 

Any standalone firewall device

Multi-context mode

c, where c is the context count other than the system context

 

Standalone IPS devices

Any standalone IPS device

 

n, where n is the virtual sensor count and includes virtual sensor vs0

Additional virtual sensors (added after the first sensor) consume 1 license each.

Non-standalone IPS devices

IPS modules, IPS blades, and IPS virtual machines

 

n, where n is the virtual sensor count and includes virtual sensor vs0

IPS modules, IPS blades, and IPS virtual machines are discovered independently in Security Manager.

IPS virtual machines are used in Cisco ASA-5500 Series Adaptive Security Appliances, which are 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.

Firewall Blades

Any standalone firewall blade

Single-context mode

1

 

Any standalone firewall blade

Multi-context mode

c, where c is the context count other than the system context

Example:

Please refer to "Example for any Standalone Firewall Blade in Multi-context Mode" below this table.

Firewalls in Failover Configuration

Any firewall in failover configuration

Single-context mode

1

 

Any firewall in failover configuration

Multi-context mode

c, where c is the context count other than the system context

 

IPS Modules or Virtual Machines that are part of an ASA Failover Configuration

Each IPS device

 

n, where n is the virtual sensor count and includes virtual sensor vs0

Additional virtual sensors (added after the first sensor) consume 1 license each.


Example for any Standalone Firewall Blade in Multi-context Mode

This subsection gives an example of context that will be useful in understanding device count.

The following command was run in system context on a firewall with two security contexts—admin and ctx1:

r41-appinfra-arsenal# sh context
Context Name Class Interfaces Mode URL
*admin default GigabitEthernet3/2, Routed disk0:/admin.cfg
Management0/0 
ctx1 default Routed disk0:/ctx1.cfg
 
   
Total active Security Contexts: 2
r41-appinfra-arsenal# sh context count
 
   
Total active Security Contexts: 2 

Installing a License for Security Manager or Component Applications

During the installation of Security Manager, you are asked for license information. Refer to Installing Security Manager Server, Common Services, and AUS.

During the installation of Common Services and AUS, you are not asked for license information. Common Services does not require a license file. Auto Update Server does not require a license file.

Updating a License for Security Manager or Component Applications

To learn how to update a license file for Security Manager or a component application, see Updating Security Manager.

Additional Documentation on Licensing

For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for the most recent major release of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.

API Licensing

Cisco Partners who want to use the API need to have an API license. There are two kinds of API licenses:

A developer license. This is a 90-day license that is to be used by developers to integrate their products with Security Manager.

A production license. This license is required by the end customers who use certain third-party products.


Note There is no API evaluation license. Both the developer license and the production license need to be ordered explicitly by Cisco Partners who want to use the API.


The orderable part ID (PID) for the Northbound API license is L-CSMPR-API.

Getting Help with Licensing

For licensing problems with Security Manager, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):

Phone: +1 (800) 553-2447

Email: licensing@cisco.com

http://www.cisco.com/tac