Licensing
With the information in this chapter, you can determine which license you need to install and use Cisco Security Manager 4.4. This chapter also has descriptions of the various licenses available, such as standard, professional, and evaluation.
Other than a few notes, this chapter does not discuss license installation. Refer to Chapter 1, “Installing and Upgrading Server Applications.”
This chapter discusses device count, with the purpose of helping you determine which Security Manager server license you need.
This chapter concludes with information on API licensing for Cisco Partners who want to use the Cisco Security Manager API.
Determining Which License You Need to Install and Use Security Manager 4.4
The license that you need depends upon whether you are performing a new installation or upgrading from one of several previous versions:
Upgrade from Security Manager 4.0, 4.0.1, 4.1, 4.2, or 4.3
To upgrade from Security Manager 4.0, 4.0.1, 4.1, 4.2, or 4.3, you do not need to apply any licenses. Your existing license is valid.
Upgrade from Security Manager 3.3 or 3.3.1
Customers upgrading from Cisco Security Manager 3.3 or 3.3.1 are required to purchase the appropriate Cisco Security Manager 4.4 license or a version upgrade license. Details about Cisco Security Manager licensing can be found in the product bulletin at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.
Upgrade from Security Manager 3.2, 3.2.1, or 3.2.2
Customers upgrading from Cisco Security Manager 3.2, 3.2.1, or 3.2.2 are required to purchase the appropriate Cisco Security Manager 4.4 license or a version upgrade license. Details about Cisco Security Manager licensing can be found in the product bulletin at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.
Description of Licenses for Security Manager
Two base license types, Standard and Professional, are available, in addition to a free 90-day evaluation license.
Standard and Professional
For a list of the base licenses available for Cisco Security Manager 4.4, refer to Table 1-1.
Table 1-1 List of the Base Licenses Available
| | | Number of Devices that can be Managed (Refer to Device Count) |
|---|---|---|
| Standard-5 | ST5 | 5 |
| Standard-10 | ST10 | 10 |
| Standard-25 | ST25 | 25 |
| Professional-50 | PRO50 | 50 |
| Professional-100 | PRO100 | 100 |
| Professional-250 | PRO250 | 250 |
For a comparison of Professional base versions with Standard base versions, refer to Table 1-2.
Table 1-2 Comparison of Professional Base Versions with Standard Base Versions
| | Supported in Professional? | Supported in Standard? |
|---|---|---|
| Support of incremental (“add-on”) device license packages in increments of 50, 100, and 250 devices | Yes | No |
| Support for the management of Cisco Catalyst 6500 and 7600 Series switches and associated services modules | Yes | No |
| Support for the management of firewall service modules | Yes | No |
| Support for temporary licenses (licenses with an expiration date) | Yes | No (only permanent licenses are supported) |
To obtain a base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package:
You must register Security Manager as soon as you can within the first 90 days and for the number of devices that you need to ensure uninterrupted use of the product. Each time you start the application, you are reminded of how many days remain on your evaluation license and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you cannot log in until you upgrade your license.
After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.
90-day Evaluation License
If you provide no license during installation, the resulting installation will be an evaluation version. You can also select Evaluation Only during installation. Refer to Installing Security Manager Server, Common Services, and AUS.
The evaluation license is limited to 50 devices.
The evaluation license provides the same privileges as the Professional Edition licenses, except that you cannot apply incremental licenses to the evaluation version.
Standard-to-Professional Upgrade License
A Standard-to-Professional upgrade license is available. It can be applied only if the base license is a Standard-25 (“ST25”) license.
Version Upgrade License
If you need to upgrade to Security Manager 4.4 from a previous major version, such as 3.3, you can purchase a version upgrade license.
There are different version upgrade licenses. Each one corresponds to a particular base license from the previous version. You can use a particular upgrade license (e.g., PRO50U) only if you applied the corresponding base license (e.g., PRO50) to the previous version of Security Manager. Other upgrade licenses are not accepted.
Incremental (“Add-on”) Licenses
If your base license is a Professional version (not a Standard version or the evaluation version), you can purchase incremental (“add-on”) licenses to increase the number of devices that you are allowed to manage. You can purchase as many incremental licenses as you wish.
Incremental (“add-on”) licenses for previous versions are valid for the current version. For example, if you have a Professional-50 license for Security Manager 4.4, you can use a 4.3 incremental device license.
Incremental licenses are available in increments of 50, 100, and 250 devices.
Active and Standby Servers
A Cisco Security Manager license allows the use of Cisco Security Manager on a single server. A standby Cisco Security Manager server, such as one used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time. This is true even when a high-availability (HA) configuration is being used.
Note: Users who use a standby server are responsible for manually restoring the database from their active server on a regular basis.
Licenses for Component Applications
Some component applications do not require a license file:
- Common Services does not require a license file.
- Auto Update Server does not require a license file.
Device Count
Security Manager consumes one device count (of the number allowed by the license) when you add any of the following to the device inventory:
- Each physical device
- Each security context
- Each virtual sensor
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, IPS Advanced Integration Modules (IPS AIM), and any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device do not consume a device count; however, additional virtual sensors (added after the first sensor) do consume a device count.
In the case of a Firewall Services Module (FWSM) or ASA device, the module itself consumes a device count and then consumes an additional device count for each additional security context. For example, an FWSM with two security contexts would consume three device counts: one for the module, one for the admin context, and one for the second security context.
Unmanaged devices are a special case. In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager in the device properties. An unmanaged device does not consume a device count.
Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object command to add different types of objects on the map such as network clouds, firewalls, hosts, networks, and routers. These objects do not appear in the device inventory and do not consume a device count.
To determine your device count, which you need in order to determine which Security Manager server license you need, refer to Table 1-3.
Tip: For the purpose of determining which Security Manager server license you need, devices are counted for Security Manager 4.4 in the same way that they were for Security Manager 4.3.
Table 1-3 Determining Your Device Count
| | Mode (also called Context) | Device Count (also called License Count or simply License) | |
|---|---|---|---|
| Excluded Devices | | | |
| Advanced Inspection and Prevention Security Services Modules (AIP-SSMs) | | 0 | Additional virtual sensors (added after the first sensor) consume 1 license each. |
| IDS Network Modules | | 0 (but see comment in the next column) | Additional virtual sensors (added after the first sensor) consume 1 license each. |
| IPS Advanced Integration Modules (IPS AIMs) | | 0 | |
| Any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device | | 0 | |
| Standalone Firewall Devices | | | |
| Any standalone firewall device | Single-context mode | 1 | |
| Any standalone firewall device | Multi-context mode | c, where c is the context count other than the system context | |
| Standalone IPS devices | | | |
| Any standalone IPS device | | n, where n is the virtual sensor count and includes virtual sensor vs0 | Additional virtual sensors (added after the first sensor) consume 1 license each. |
| Non-standalone IPS devices | | | |
| IPS modules, IPS blades, and IPS virtual machines | | n, where n is the virtual sensor count and includes virtual sensor vs0 | IPS modules, IPS blades, and IPS virtual machines are discovered independently in Security Manager. IPS virtual machines are used in Cisco ASA-5500 Series Adaptive Security Appliances, which are 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X. |
| Firewall Blades | | | |
| Any standalone firewall blade | Single-context mode | 1 | |
| Any standalone firewall blade | Multi-context mode | c, where c is the context count other than the system context | Example: Please refer to “Example for any Standalone Firewall Blade in Multi-context Mode” below this table. |
| Firewalls in Failover Configuration | | | |
| Any firewall in failover configuration | Single-context mode | 1 | |
| Any firewall in failover configuration | Multi-context mode | c, where c is the context count other than the system context | |
| IPS Modules or Virtual Machines that are part of an ASA Failover Configuration | | | |
| Each IPS device | | n, where n is the virtual sensor count and includes virtual sensor vs0 | Additional virtual sensors (added after the first sensor) consume 1 license each. |
| Licenses Related to ASA Load Balancing Clusters | | | |
| Each ASA load balance cluster | Single-context mode | N, where N is the number of nodes in the single-context ASA cluster | System & Admin context represents 1 context |
| Each ASA load balance cluster | Multi-context mode | N * c, where N is the number of nodes in the multi-context ASA cluster and c is the context count | System & Admin context represents 1 context. See also Example for Licenses Related to ASA Load Balancing Clusters. |
Example for any Standalone Firewall Blade in Multi-context Mode
This subsection gives an example of context that will be useful in understanding device count.
The following command was run in system context on a firewall with two security contexts—admin and ctx1:
    r41-appinfra-arsenal# sh context
    Context Name      Class      Interfaces           Mode         URL
    *admin            default    GigabitEthernet3/2,  Routed       disk0:/admin.cfg
    ctx1              default                         Routed       disk0:/ctx1.cfg
    Total active Security Contexts: 2
    r41-appinfra-arsenal# sh context count
    Total active Security Contexts: 2
Example for Licenses Related to ASA Load Balancing Clusters
This subsection gives an example of the device count for an ASA load balancing cluster in multi-context mode.
3 nodes with 4 security contexts each, plus 1 context per node for the System & Admin context (c = 5): License Count = 3 * 5 = 15.
Installing a License for Security Manager or Component Applications
During the installation of Security Manager, you are asked for license information. Refer to Installing Security Manager Server, Common Services, and AUS.
During the installation of Common Services and AUS, you are not asked for license information. Common Services does not require a license file. Auto Update Server does not require a license file.
Updating a License for Security Manager or Component Applications
To learn how to update a license file for Security Manager or a component application, see Updating Security Manager.
Additional Documentation on Licensing
For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for the most recent major release of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.
API Licensing
Cisco Partners who want to use the API need to have an API license. There are two kinds of API licenses:
- A developer license. This is a 90-day license that is to be used by developers to integrate their products with Security Manager.
- A production license. This license is required by the end customers who use certain third-party products.
Note: There is no API evaluation license. Both the developer license and the production license need to be ordered explicitly by Cisco Partners who want to use the API.
The orderable part ID (PID) for the Northbound API license is L-CSMPR-API.
Getting Help with Licensing
For licensing problems with Security Manager, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):