When you attempt to make policy changes in Cisco Secure Firewall Management Center (FMC), this error message appears: "This rule requires a Malware license, but at least one device does not have a Malware license". The error prevents policy deployment and configuration changes from being applied to the affected firewall devices.

FMC 7.4.2. Other software versions are also affected.
FPR1140 running Firewall Threat Defense (FTD). Other platforms are also affected.
FTD uses an Access Control Policy (ACP) with file policy enabled on one or more rules.

The resolution for this malware license error involves obtaining and installing the necessary Malware license on the affected device. Use these steps to resolve the issue:
Verify that the affected firewall device has file policies configured to use Advanced Malware Protection (AMP) but lacks the corresponding Malware Defense license. This can be confirmed by checking the device configuration and comparing it against the available licenses.
In this case, only the FTD_HA2 pair has the Malware license. The FTD_HA1 pair does not have it.

The FTD_HA1 firewall pair has Malware license set to No.

Work with your Cisco sales representative or authorized partner to obtain the necessary Malware license for the affected device. The license must be appropriate for your specific firewall model and deployment requirements.
Once the license is obtained, install it on the affected device through the standard Cisco licensing process. This typically involves applying the license through the FMC or directly on the device, depending on your management configuration.
After license installation, verify that the Malware Defense capability is now properly enabled and that the licensing error has been cleared.
Attempt to deploy your policy changes again to confirm that the licensing issue has been resolved and that policy operations can proceed normally.
The error occurs due to a licensing validation mismatch where file policies are configured to use AMP functionality, but the corresponding Malware Defense license is not installed or activated on the affected firewall device. The FMC enforces license compliance and prevents policy deployment when required licenses are missing, even if the policies are technically configured.
This validation ensures that only properly licensed features are deployed to devices, maintaining compliance with Cisco's licensing requirements and preventing the use of unlicensed capabilities.
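The check described above can be reproduced offline before a deployment attempt. This is an added example, not Cisco code and not the FMC API: the data layout, field names, and the policy and rule names are assumptions made for illustration, and only the device pair names come from this article. It assumes, as described above, that a rule needs the Malware license only when its file policy uses AMP.

```python
"""Pre-deployment check: which ACP rules need a Malware license a device lacks."""

MALWARE = "Malware"  # label used in this example for the Malware Defense entitlement

# Constructed sample data. Field names and policy/rule names are assumptions
# for this example; the device pair names follow the article.
DEVICES = {
    "FTD_HA1": {"licenses": {"Essentials", "IPS"}, "acp": "ACP-Main"},
    "FTD_HA2": {"licenses": {"Essentials", "IPS", MALWARE}, "acp": "ACP-Main"},
}
FILE_POLICIES = {
    "FP-AMP": {"uses_amp": True},         # file policy that uses AMP
    "FP-FileTypes": {"uses_amp": False},  # file policy modelled without AMP
}
ACCESS_POLICIES = {
    "ACP-Main": [
        {"name": "Allow-Web", "file_policy": "FP-AMP"},
        {"name": "Allow-Mail", "file_policy": "FP-FileTypes"},
        {"name": "Allow-DNS", "file_policy": None},
    ],
}


def rules_requiring_malware(acp_rules, file_policies):
    """Return the names of rules whose attached file policy uses AMP."""
    needed = []
    for rule in acp_rules:
        fp = rule.get("file_policy")
        if fp is None:
            continue  # rule has no file policy, so no Malware requirement
        if fp not in file_policies:
            raise KeyError(f"rule {rule['name']!r} references unknown file policy {fp!r}")
        if file_policies[fp]["uses_amp"]:
            needed.append(rule["name"])
    return needed


def find_license_gaps(devices, access_policies, file_policies):
    """Map each device lacking the Malware license to the rules that require it."""
    gaps = {}
    for dev, info in sorted(devices.items()):
        rules = rules_requiring_malware(access_policies[info["acp"]], file_policies)
        if rules and MALWARE not in info["licenses"]:
            gaps[dev] = rules
    return gaps


if __name__ == "__main__":
    for dev, rules in find_license_gaps(DEVICES, ACCESS_POLICIES, FILE_POLICIES).items():
        print(f"{dev}: missing {MALWARE} license, required by rules {rules}")
```

An empty result means every device targeted by the policy holds the license that its AMP-enabled rules require.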
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 27-May-2026 | Initial Release |