Managing System Licenses
Both the CX device and the PRSM Multiple Device mode server require licenses. The following topics explain license management.
CX Feature and PRSM Licenses
CX features and PRSM Multiple Device mode use separate licenses, but you can use the PRSM server to manage the feature licenses used on CX systems. The following topics explain the different types of licenses.
Many features of the CX device are available without special licensing. However, you must install the following licenses to obtain the services covered by the license:
- Application Visibility and Control license—This subscription-based license allows the use of application-based access control. Specifically, you need this license if you want to create access policies based on applications or their attributes, including application or application services policy objects.
- Web Security Essentials license—This subscription-based license allows the use of URL filtering and the use of web-reputation-based policies. Specifically, you need this license if you want to use URL objects or web reputation profiles in policies.
- Next Generation IPS license—This subscription-based license allows the use of Next Generation IPS filtering. Specifically, you need this license if you want to create access policies that apply NG IPS profiles, which can identify threats and apply drop or monitor decisions based on IPS (intrusion prevention system) threats.
- 3DES/AES (K9) license—The 3DES/AES (K9) license determines the relative strength of the encryption algorithms used in the product. The license is tied directly to the hardware (by serial number) and is a permanent license that does not require renewal. The license is free, but its availability is limited by export restriction laws, so it is not available for all users. Consult Cisco.com to determine if you can download the 3DES/AES (K9) license.
Licenses are valid for specific device models only. You must purchase the correct license for the device model you are using.
The CX device includes evaluation subscription licenses for each feature that you can configure on the device. These licenses are good for 60 days. You can renew the evaluation licenses one time to extend the period an additional 60 days. The PRSM server also includes these evaluation licenses for up to two devices.
Cisco Prime Security Manager Licenses
Cisco Prime Security Manager Multiple Device mode requires a license. The license determines the number of devices that you can manage using the PRSM server.
PRSM includes a 90-day unlimited device count license, which you can renew once by obtaining and uploading a new evaluation license. The remaining period available in the evaluation license is shown in the menu bar next to the Pending Changes link.
If the evaluation license expires, you can no longer deploy changes to devices.
Ensure that you purchase and upload a license with a sufficient device count.
How Feature Licenses Affect Policy Configuration
When you create a policy, you can use options that are controlled by feature licenses. A device must have a valid, appropriate feature license to implement these policies.
However, features are divided into the following categories, and the impact of licensing problems differs based on them:
- Hard Enforcement—Any licensed feature that is used in traffic matching criteria is hard enforced. This means that you cannot use the features, or edit policies that use the feature, if you do not have a license (either you never applied a license, or the license expired). Hard enforced features include application filtering (which requires the AVC license) and URL filtering (that is, the use of URL objects in the destination criteria of a policy, which requires the WSE license).
Policies that use hard-enforced features with an expired license continue to work if they are already configured on the device. However, the device does not receive updates related to the feature. For example, if the Web Security Essentials license expires on a device, that device stops downloading URL category updates. The longer the device operates without a license, the greater the difference between the signatures used by the policy and the current state of the signatures.
- Soft Enforcement—Any licensed feature that you configure using profile objects is soft enforced. This means that you can create and apply profiles at any time to any policy, but that the profiles are implemented only if a valid license is assigned to the device.
The reason for the difference between hard and soft enforcement is that hard-enforced features actually define the traffic to which a policy applies. If the system simply ignored those criteria when the associated license was not available, your policies would have a different meaning, and you could see unwanted changes to how traffic is allowed or denied. Soft-enforced features, on the other hand, do not change which traffic matches a policy, only whether that traffic is scanned for potentially harmful content, so these can be safely ignored if you do not have the required license.
The Details about License Enforcement
licenses have expiration dates, you must also ensure that the licenses have not expired. As licenses near their expiration dates, you will be warned about the pending expiration, and there is a 60 day grace period after expiration to give you some time to upload new licenses. A link appears in the menu bar, next to the Pending Changes link, that shows the number of expired licenses. Evaluation licenses do not have a grace period.
License problems are indicated by caution icons or messages. Mousing over the icon will show messages that explain the exact problem. The message can include links to the Licensing page or to filter the policy list to show affected policies.
License enforcement includes the following:
- When importing a device into the inventory, you must have sufficient licenses for hard-enforced features or the import fails. The licenses can be non-evaluation licenses on the device (which are imported), or available licenses in
- When sharing policies, you cannot select devices that do not have the required licenses for policies that use hard-enforced features. You can, however, share soft-enforced features.
- If a policy is assigned to one or more devices that do not have a particular feature license, you cannot edit that policy to select an option that requires an unlicensed hard-enforced feature. Either exclude the unlicensed devices for that policy, create a separate policy to implement the feature, or simply apply the license to the unlicensed devices.
- If an assigned license is within 30 days of expiring, the policies lists will be littered with warning icons on the device and on any policy that will be affected by the expiration.
- If an assigned license has expired, but is within the 60 day grace period, you will see the same warning icons as you would for an expiring license. However, policy creation and edit will act as if the device is unlicensed. You will not be able to add hard-enforced options that require the license to policies shared with this device.
- If an assigned license has expired and is outside of its grace period, you will see all the same warning icons, but you will not be able to edit any policies that use unlicensed hard-enforced features that are shared with the device. You can delete these policies. Also note that dashboard data will not be generated for these policies.
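An added example, not Cisco code and not part of the original guide: a Python model of the expiration rules above (30-day warning, 60-day grace period, no grace for evaluation licenses) and of how they restrict editing for hard-enforced versus soft-enforced features. The feature-use keys, device names and dates are constructed, and treating a license as usable through its expiration date is an assumption.

```python
from datetime import date

WARN_DAYS = 30    # warning icons appear within 30 days of expiration
GRACE_DAYS = 60   # grace period after expiration (none for evaluation licenses)

# Feature uses by enforcement category, following the page's definitions:
# traffic-matching criteria are hard enforced, profile objects are soft enforced.
# The dictionary keys are hypothetical labels chosen for this example.
HARD_ENFORCED = {"application": "AVC", "url_object": "WSE"}
SOFT_ENFORCED = {"web_reputation_profile": "WSE", "ngips_profile": "NG IPS"}


def license_state(expires, today, evaluation=False):
    """Classify an assigned license as valid, expiring, grace or expired."""
    if today <= expires:  # assumption: usable through the expiration date
        return "expiring" if (expires - today).days <= WARN_DAYS else "valid"
    grace = 0 if evaluation else GRACE_DAYS
    return "grace" if (today - expires).days <= grace else "expired"


def editing_rules(feature_use, state):
    """What the policy editor permits for one feature use on one device."""
    if feature_use in SOFT_ENFORCED:
        # Profiles can be created and applied at any time.
        return {"warning": state != "valid", "add": True, "edit": True}
    if feature_use not in HARD_ENFORCED:
        raise ValueError(f"unknown feature use: {feature_use}")
    return {
        "warning": state != "valid",
        # In the grace period, hard-enforced options can no longer be added.
        "add": state in ("valid", "expiring"),
        # Past the grace period, policies using the feature cannot be edited.
        "edit": state != "expired",
    }


def audit(inventory, today):
    """Return (device, feature_use, state, rules) for each assignment."""
    report = []
    for device, feature_use, expires, evaluation in inventory:
        state = license_state(expires, today, evaluation)
        report.append((device, feature_use, state, editing_rules(feature_use, state)))
    return report


# Constructed sample inventory: device names and dates are illustrative only.
SAMPLE = [
    ("cx-a", "application", date(2014, 9, 1), False),
    ("cx-b", "url_object", date(2014, 6, 20), False),
    ("cx-c", "application", date(2014, 5, 1), False),
    ("cx-d", "url_object", date(2014, 3, 1), False),
    ("cx-e", "ngips_profile", date(2014, 5, 31), True),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, date(2014, 6, 1)):
        print(row)
```

Running the audit on a schedule against an exported license list shows which devices are about to lose the ability to take hard-enforced policy edits before the grace period runs out.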
Overview of the
the features you can use, or in the case of Multiple Device mode, how many devices you can manage. The Licenses page shows the licenses that are currently installed in the system. Each license shows the maximum number of devices it covers, the number of devices that are using the license, the available number of licenses remaining for device assignment, and the license expiration date, if any. From this page, you can upload licenses and perform other license management activities.
To open the Licenses
. You can also open the page by clicking a license notification link in the menu bar, which will appear next to the Pending Changes link if you are using an evaluation license or if a license has expired.
The Licenses page includes the following items:
- I Want To
Upload License File—To add a license file. In Single Device mode, uploading a license automatically applies the license to the device if the new license has an expiration date more remote than the currently-used license.
Licenses—To renew all evaluation licenses. You can renew evaluation licenses once before purchasing new licenses. This command is not available if you have already renewed licenses, or in Single Device mode if you have uploaded feature licenses.
- List of Licenses
license available on the system. Each license also contains a list of devices that are using the license.
Devices configured for high availability (HA) are shown once, using the logical name for the pair. HA devices use one license per
mouse over a license or device to see the commands related to it. The following are the available commands:
License—(License command.) To assign the license to a device that does not currently have a license of this type. You will not see this command if there are no available licenses to apply.
License—(License command.) To assign a new, different license to the devices that are using this license. For expiring licenses, ensure that you assign a new license using this command before the grace period expires. This command does not appear if there are no devices using the license.
License—(License command.) To delete a license that you no longer need. You can delete a license only if it is unused.
License—(Device command.) To remove the license from this device. You can revoke a license only if no policies assigned to the device use hard-enforced services covered by the license. The purpose of revoking a license is to free it for use on another device.
Configuring System Licenses
The following topics explain the basic procedures for configuring system licenses.
Using Evaluation Licenses
Each CX device and PRSM server includes evaluation copies of the subscription feature licenses. In Multiple Device mode, the evaluation licenses are good for two devices; in Single Device mode, the evaluation licenses are good for that device only. The PRSM server includes an additional evaluation license for the server to allow you to manage an unlimited number of devices.
- The feature evaluation licenses are good for 60 days. You can renew the evaluation licenses once for an additional 60 days, for a total of 120 days of evaluation. There is no grace period upon evaluation license expiration. The following procedure explains how to renew these licenses.
- The PRSM server license is good for 90 days. To renew the license, you obtain a new evaluation license from Cisco.com and upload the file.
You are prompted with an explanation of the renewal and asked to confirm that you want to renew both evaluation licenses. If you have already used up your renewals, you are told so.
Click Yes to renew the licenses.
Uploading License Files
When you obtain a license, you get a license file with the file extension .lic. You need to upload the file to the system. The method for uploading the license is the same for Single Device mode or Multiple Device mode, but you must ensure that you are uploading the right type of license based on the mode you are in.
Besides the method described below, you can also upload licenses while renewing an old license.
Select I want to > Upload License File.
Add license files to the Upload License Files box. You can drag files from your system into the box (if supported) or click the box to open a file selector.
The license is added to the list of licenses and further action is based on the mode you are in:
- Single Device mode—The license is applied and activated when you commit changes. If you have more than one of a particular type of license, the license with the longest remaining life is used and the others are not used. The licenses must be for the correct device type. Any evaluation license is removed.
- Multiple Device mode, CX license—The license is available for use. You must apply it to a device.
However, 3DES/AES (K9) licenses are applied automatically to the appropriate device. 3DES/AES (K9) licenses are tied to a specific device based on serial number; if a device with the correct serial number is in the inventory, the license is automatically applied. The correct device must be in the inventory or upload is blocked.
- Multiple Device mode, PRSM license—The license replaces the evaluation license, if you still have one. If you upload multiple licenses, the license count is accumulative (for example, a 5-device plus a 10-device license gives you 15 devices).
Click Close to return to the license list.
Assigning Feature Licenses
Each device that uses subscription-based features must have a license for the feature.
When you upload a license file to a CX device, it is automatically applied to the device. However, in PRSM Multiple Device mode, you need to explicitly assign licenses to devices. In Single Device mode, you can also assign a license if you happen to revoke it. In both modes, you must commit changes before the license takes effect.
When a feature license expires, you must replace it (which is called “renewing” the license), or you will not be able to use the feature controlled by the license. There is a grace period to give you time to replace the license.
procedure explains how to apply a feature license with an available license count to devices that currently have no license or whose license has expired.
Select the license you are applying and click
This opens the Apply License window, which shows the license type, device model, and the number of licenses still available for assignment.
devices that should have this license.
selector will show only devices of the appropriate model that do not already have a valid license. You cannot select more devices than the available license
Devices configured for high availability are shown once, using the logical name of the pair. These pairs use a single license, rather than two.
procedure explains how to renew a license by replacing it with another unused feature license. You would typically do this on licenses that are expiring or on evaluation licenses when you obtain a purchased license.
Select the license you are replacing and click
This opens the Renew License window, which shows the license type and device model. The Selected Devices box includes all devices that are currently using this license. You can delete devices from this list if you do not want to replace the license on certain devices.
Available License Files list shows all unused licenses that are available to replace this license; if there are no available licenses based on feature and model, the list does not appear. The licenses are sorted with the nearest expiration dates at the top.
If there are no licenses, or no licenses that you want to use, you can upload license files in this window. You can drag files from your system into the box (if supported) or click the box to open a file selector.
license you want to apply until you have selected a sufficient number of
If there are available licenses, they are pre-selected to match the required count, which is all devices that you have selected. You can change the selection. Clicking a selected license deselects it.
High availability pairs use one license for the pair, not two.
continue until you have selected the required number of licenses.
Obtaining and Installing the 3DES/AES (K9) License for Strong Encryption
A 3DES/AES license, otherwise known as a K9 license, is required for strong encryption. If you do not have a K9 license, decryption processing with a server that requires strong encryption will fail. Any flow that requires decryption that the device cannot perform will be denied regardless of access policies. Although the K9 license is free, its availability is limited by export restrictions.
If you cannot use a K9 license, you should test decryption processing in a controlled environment to ensure that it satisfies your requirements before enabling decryption in your production network. Without a K9 license, your decryption policies will require careful testing and fine-tuning to ensure that desirable traffic is not blocked.
Obtain the serial number (SN) of your ASA CX device. You can obtain this number using the following techniques:
- If you are managing the device in PRSM, the device inventory page shows the serial number.
- If ASA CX is already operational, you can log into the CLI and use the show platform hardware info command; the PCB SN is the number you need.
- If the ASA CX hardware module is installed in an ASA 5585-X appliance, you can get the number through the ASA CLI using the show module 1 details command.
- If the ASA CX software module is installed in an ASA 5500-X series appliance, the ASA CX and the ASA share the same serial number. Use the show version command from the ASA CLI to get the number. If ASA CX is operational, you can also use the show module cxsc details command from the ASA CLI.
Go to http://www.cisco.com/go/license and obtain a new K9 Crypto license. Select and select Cisco ASA CX 3DES/AES License under Security Products. Follow the wizard instructions to obtain the license. (Note that this procedure might have changed since the publication of this document.)
In the ASA CX/PRSM web interface, select , then , to upload the K9 license. The license is tied to the SN, so as long as the SN for the license matches the device, it is applied immediately. In Multiple Device mode, the device must already be in the inventory.
You can revoke a license from a device if you no longer want to use the features covered by the license. Revoking the license frees it for use by
You cannot revoke a license if the device is using hard-enforced features that require it. For example, if the device uses a policy set that includes application-based rules, you cannot revoke the Application Visibility and Control license. However, you can revoke a license if the only features that require it are soft enforced.
You cannot revoke a 3DES/AES (K9) license.
device within the license you want to revoke and click
You are asked to confirm the revocation.
If a license is not assigned to any device, you can delete it. You should delete expired licenses once you have removed all device assignments to them.
Select the license you want to delete and click