The market-leading Cisco PIX Security Appliance Series supports a variety of licensing options, enabling businesses to select the capabilities that are best suited to their specific environment. Licensing options range from user-based licenses on the Cisco PIX 501 Security Appliance to licenses for advanced capabilities, such as Active/Active failover, which are available on specific Cisco PIX Security Appliance models.
This document describes the different types of licenses available, how licenses and activation keys are obtained, and what specific licenses are supported on each model of Cisco PIX Security Appliances.
FOUR TYPES OF LICENSES PROVIDE BUSINESSES FLEXIBLE SECURITY SOLUTIONS
Cisco PIX Security Appliances support a variety of license types. These types include:
• User licenses
• Platform licenses
• Feature licenses
• Encryption licenses
User Licenses
Cisco PIX 501 Security Appliances, a popular security solution for Small Office/Home Office network environments, support User Licenses. This license controls how many internal users (located on the inside network of a Cisco PIX Security Appliance) can concurrently access the Internet or other resources through the outside interface of the appliance. Supported license levels include: 10 users, 50 users, and unlimited users. Cisco Systems provides three different pre-configured bundles of the Cisco PIX 501 Security Appliance, making it easy for businesses to purchase an appliance with the appropriate User License installed. Businesses can upgrade from one User License level to another, as their needs grow, by purchasing the appropriate User License upgrade part number.
Platform Licenses
Cisco PIX 515, 515E, 525, and 535 Security Appliances support the concept of a Platform License. This license establishes what base capabilities the appliance has; each Cisco PIX 515, 515E, 525, and 535 Appliance must have a single Platform License installed. The license levels are Restricted (R), Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA). The table below outlines the capabilities that each of these license levels provides:
Table 1. Platform License Benefits
Platform License
Benefits
Restricted (R)
Provides businesses a security solution with excellent value, but with some restrictions on its capabilities, including:
• Limited number of physical and virtual interfaces supported
• Limited number of concurrent connections supported
• Limited amount of RAM included
• Limited VPN performance included, yet allows businesses to add hardware VPN acceleration as an optional upgrade
• No support for failover, including Active/Active and Active/Standby stateful failover
• No support for advanced features such as security contexts (virtual firewalls) or General Packet Radio Service Tunneling Protocol (GTP) inspection
Unrestricted (UR)
Provides businesses a robust, high-performance security solution, allowing them to take full advantage of the platform's capabilities, including:
• Maximum number of physical and virtual interfaces supported
• Maximum number of concurrent firewall and VPN connections supported
• Maximum amount of RAM included
• Maximum VPN performance via integrated hardware VPN acceleration (Cisco VPN Accelerator or Cisco VPN Accelerator+)
• Active/Active* stateful failover support (requires similar Cisco PIX Security Appliance model with Failover-Active/Active license)
• Active/Standby stateful failover support (requires similar Cisco PIX Security Appliance model with Failover or Failover-Active/Active license)
• Security context* support, with two security contexts included as part of the UR license
• GTP inspection* support, when a GTP Feature License is also installed on the system
Failover (FO)
• Designed for use in conjunction with a similar Cisco PIX Security Appliance model that has an Unrestricted license, providing a cost-effective, Active/Standby high-availability solution.
• Provides the same capabilities as the Unrestricted license, except the Failover license does not support Active/Active failover. Requires presence of similar Cisco PIX Security Appliance model with an Unrestricted license to operate properly.
Failover-Active/Active (FO-A/A)*
• Designed for use in conjunction with a similar Cisco PIX Security Appliance that has an Unrestricted license, providing a scalable Active/Active high-availability solution (with support for Active/Standby failover as well).
• Provides the same capabilities as the Unrestricted license. Requires presence of similar Cisco PIX Security Appliance model with an Unrestricted license to operate properly.
* Cisco PIX Security Appliance Software v7.0, or higher, required for this capability
Feature Licenses
Cisco PIX 515, 515E, 525, and 535 Security Appliances support the concept of Feature Licenses. These licenses control what advanced features are enabled on a Cisco PIX Security Appliance which has an Unrestricted (UR), Failover (FO), or Failover-Active/Active (FO-AA) Platform License. The table below outlines the Feature Licenses currently available:
Table 2. Feature License Benefits
Feature License
Benefits
Security Contexts*
Allows businesses to create multiple security contexts (virtual firewalls) within a single Cisco PIX Security Appliance, with each context having its own set of security policies, logical interfaces, and administrative domain.
• Four license levels for number of security contexts supported: 5, 10, 20, and 50 contexts
Note: Maximum number of security contexts supported depends on model of Cisco PIX Security Appliance
GTP/GPRS Inspection*
Provides advanced security services for GTP/GPRS 3G Mobile Wireless environments.
* Cisco PIX Security Appliance Software v7.0, or higher, required for this capability
Encryption Licenses
All Cisco PIX Security Appliances support the concept of Encryption Licenses. These licenses activate encryption services on Cisco PIX Security Appliances, which are required before using certain features including VPN, secure remote management, and more. The table below outlines the Encryption Licenses currently available:
Table 3. Encryption License Benefits
Encryption License
Benefits
NONE
Disables encryption capabilities of a Cisco PIX Security Appliance.
DES
Enables support of:
• 512 bit RSA (Rivest, Shamir, Adleman) public key cryptography
• 512 bit DSA** (Digital Signature Algorithm) public key cryptography
• 56 bit DES (Data Encryption Standard) symmetric key cryptography
• 40 and 56 bit RC4 symmetric key cryptography
3DES/AES
Enables support of:
• 512 to 4,096 bit** RSA public key cryptography
• 512 to 1,024 bit** DSA public key cryptography
• 56 bit DES symmetric key cryptography
• 168 bit 3DES (Triple DES) symmetric key cryptography
• 128, 192, and 256 bit AES* symmetric key cryptography
• 40, 56, 64, and 128 bit RC4 symmetric key cryptography
* Cisco PIX Security Appliance Software v6.3, or higher, required for this capability
** Cisco PIX Security Appliance Software v7.0, or higher, required for this capability
PURCHASING AND INSTALLING LICENSES
To enable the licenses on a Cisco PIX Security Appliance, an activation key must be installed on that appliance. This key combines all licensed features for a specific Cisco PIX Security Appliance into a single 32- or 40-digit hexadecimal number. An activation key is installed at manufacturing time on each Cisco PIX Security Appliance, and it includes any specific licensed features selected by a business at time of purchase. Businesses can either purchase a configurable Cisco PIX Security Appliance chassis with all desired license and hardware options, or alternatively, businesses can simply purchase a Cisco PIX Security Appliance bundle. Bundles combine each Cisco PIX Security Appliance model with its most popular license and hardware options into a single part number for simplified purchasing.
Businesses can upgrade the licensed features for an existing Cisco PIX Security Appliance using two different methods. Encryption Licenses can be obtained free-of-charge through a Web-based process on Cisco.com (details provided in the section below). Businesses can upgrade all other license types by purchasing the appropriate license upgrade part number from Cisco Systems or an authorized reseller (see upgrade part numbers available by chassis in tables 7, 9, 11, and 13 below). Upon purchasing an upgrade, businesses will receive an upgrade kit that contains a Product Authorization Key (PAK), along with instructions on how to access Cisco.com to complete the upgrade process. Using this easy-to-follow Web-based process, businesses simply enter the PAK from their upgrade kit and the serial number of the Cisco PIX Security Appliance they wish to upgrade, and a new activation key for their appliance will be emailed to them. Upon receiving the activation key, businesses can install the new activation key on their Cisco PIX Security Appliance by following the remaining instructions that came with the upgrade kit.
OBTAINING ENCRYPTION LICENSES
Businesses wishing to activate or upgrade the Encryption License on their Cisco PIX Security Appliance can go to the URL below and select the type of Encryption License they wish to request. Encryption licenses are free-of-charge, but are subject to export controls. Customers must have a crypto-enabled Cisco.com account in order to request a Cisco PIX Security Appliance Encryption License. Customers will be required to enter the serial number of the Cisco PIX Security Appliance they wish to upgrade. After submitting the request and passing the necessary export control checks, customers will receive an email with the new activation key for their appliance.
Cisco PIX 525 Unrestricted Bundle (chassis, unrestricted license, software, two 10/100 interfaces, 256 MB RAM, VAC or VAC+)
PIX-525-UR-GE-BUN | Cisco PIX 525 Unrestricted two GE + two FE Bundle (chassis, unrestricted license, software, two Gigabit Ethernet + two 10/100 interfaces, 256 MB RAM, VAC or VAC+)
PIX-525-FO-BUN | Cisco PIX 525 Active/Standby Failover Bundle (chassis, Active/Standby failover license, software, two 10/100 interfaces, 256 MB RAM, VAC or VAC+)
PIX-525-FO-GE-BUN | Cisco PIX 525 Active/Standby Failover two GE + two FE Bundle (chassis, Active/Standby failover license, software, two Gigabit Ethernet + two 10/100 interfaces, VAC or VAC+)
PIX-525-AA-GE-BUN | Cisco PIX 525 Active/Active Failover two GE + two FE Bundle (chassis, Active/Active failover license, software, two Gigabit Ethernet + two 10/100 interfaces, VAC or VAC+)
Platform License Upgrades
PIX-525-SW-R-UR= | PIX 525 R to UR Platform License Upgrade (includes VAC+, 128 MB RAM)
Cisco PIX 535 Unrestricted Bundle (chassis, unrestricted license, software, two 10/100 interfaces, 1 GB RAM, VAC or VAC+)
PIX-535-UR-GE-BUN | Cisco PIX 535 Unrestricted Three GE + Two FE Bundle (chassis, unrestricted license, software, three Gigabit Ethernet + two 10/100 interfaces, 1 GB RAM, VAC or VAC+, dual AC power supplies)
PIX-535-FO-BUN | Cisco PIX 535 Active/Standby Failover Bundle (chassis, Active/Standby failover license, software, two 10/100 interfaces, 1 GB RAM, VAC or VAC+)
PIX-535-AA-GE-BUN | Cisco PIX 535 Active/Active Failover Bundle (chassis, Active/Active failover license, software, three Gigabit Ethernet + two 10/100 interfaces, 1 GB RAM, VAC+, dual AC power supplies)
Platform License Upgrades
PIX-535-SW-R-UR= | PIX 535 R to UR Platform License Upgrade (includes VAC+, 512 MB RAM)
PIX-535-SW-FO-R= | PIX 535 FO to R Platform License Upgrade
PIX-535-SW-FO-UR= | PIX 535 FO to UR Platform License Upgrade
PIX-535-SW-FO-AA= | PIX 535 FO to FO-AA Platform License Upgrade
Feature License Upgrades
PIX-SW-SC-5= | PIX 5 Security Contexts License
PIX-SW-SC-10= | PIX 10 Security Contexts License
PIX-SW-SC-20= | PIX 20 Security Contexts License
PIX-SW-SC-50= | PIX 50 Security Contexts License
PIX-SW-SC-5-10= | PIX 5 to 10 Security Context License Upgrade
PIX-SW-SC-10-20= | PIX 10 to 20 Security Context License Upgrade
PIX-SW-SC-20-50= | PIX 20 to 50 Security Context License Upgrade
PIX-SW-GTP= | PIX GTP/GPRS Inspection License
Encryption Licenses
PIX-VPN-NONE | No VPN/SSH/SSL Encryption License for PIX Models
PIX-VPN-DES | PIX DES VPN/SSH/SSL Encryption License
PIX-VPN-3DES | PIX 3DES/AES VPN/SSH/SSL Encryption License
ADDITIONAL INFORMATION
For more information, please visit the following links.