About Smart Software Licensing
This section describes how Smart Software Licensing works.
Note: This section only applies to ASA logical devices on the Firepower 4100/9300 chassis. For more information on licensing for Firepower Threat Defense logical devices, see the FMC Configuration Guide.
Smart Software Licensing for the ASA
For the ASA application on the Firepower 4100/9300 chassis, Smart Software Licensing configuration is split between the Firepower 4100/9300 chassis supervisor and the application.
- Firepower 4100/9300 chassis—Configure all Smart Software Licensing infrastructure in the supervisor, including parameters for communicating with the License Authority. The Firepower 4100/9300 chassis itself does not require any licenses to operate.
  Note: Inter-chassis clustering requires that you enable the same Smart Licensing method on each chassis in the cluster.
- ASA Application—Configure all license entitlements in the application.
Note: Cisco Transport Gateway is not supported on Firepower 4100/9300 security appliances.
Smart Software Manager and Accounts
When you purchase 1 or more licenses for the device, you manage them in the Cisco Smart Software Manager:
https://software.cisco.com/#module/SmartLicensing
The Smart Software Manager lets you create a master account for your organization.
Note: If you do not yet have an account, click the link to set up a new account.
By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can optionally create additional virtual accounts; for example, you can create accounts for regions, departments, or subsidiaries. Multiple virtual accounts let you more easily manage large numbers of licenses and devices.
Offline Management
If your devices do not have Internet access, and cannot register with the License Authority, you can configure offline licensing.
Permanent License Reservation
If your devices cannot access the internet for security reasons, you can optionally request permanent licenses for each ASA. Permanent licenses do not require periodic access to the License Authority. Like PAK licenses, you will purchase a license and install the license key for the ASA. Unlike a PAK license, you obtain and manage the licenses with the Smart Software Manager. You can easily switch between regular smart licensing mode and permanent license reservation mode.
You can obtain a license that enables all features: Standard tier with maximum Security Contexts and the Carrier license. The license is managed on the Firepower 4100/9300 chassis, but you also need to request the entitlements in the ASA configuration so that the ASA allows their use.
Satellite Server
If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM). The satellite provides a subset of Smart Software Manager functionality, and allows you to provide essential licensing services for all your local devices. Only the satellite needs to connect periodically to the main License Authority to sync your license usage. You can sync on a schedule or you can sync manually.
Once you download and deploy the satellite application, you can perform the following functions without sending data to Cisco SSM using the Internet:
- Activate or register a license
- View your company's licenses
- Transfer licenses between company entities
For more information, see the Smart Software Manager satellite installation and configuration guides on Smart Account Manager satellite.
Licenses and Devices Managed per Virtual Account
Licenses and devices are managed per virtual account: only that virtual account’s devices can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account. You can also transfer devices between virtual accounts.
Only the Firepower 4100/9300 chassis registers as a device, while the ASA applications in the chassis request their own licenses. For example, for a Firepower 9300 chassis with 3 security modules, the chassis counts as one device, but the modules use 3 separate licenses.
Evaluation License
The Firepower 4100/9300 chassis supports two types of evaluation license:
- Chassis-level evaluation mode—Before the Firepower 4100/9300 chassis registers with the Licensing Authority, it operates for 90 days (total usage) in evaluation mode. The ASA cannot request specific entitlements in this mode; only default entitlements are enabled. When this period ends, the Firepower 4100/9300 chassis becomes out-of-compliance.
- Entitlement-based evaluation mode—After the Firepower 4100/9300 chassis registers with the Licensing Authority, you can obtain time-based evaluation licenses that can be assigned to the ASA. In the ASA, you request entitlements as usual. When the time-based license expires, you need to either renew the time-based license or obtain a permanent license.
Note: You cannot receive an evaluation license for Strong Encryption (3DES/AES); only permanent licenses support this entitlement.
Smart Software Manager Communication
This section describes how your device communicates with the Smart Software Manager.
Device Registration and Tokens
For each virtual account, you can create a registration token. This token is valid for 30 days by default. Enter this token ID plus entitlement levels when you deploy each chassis, or when you register an existing chassis. You can create a new token if an existing token is expired.
At startup after deployment, or after you manually configure these parameters on an existing chassis, the chassis registers with the Cisco License Authority. When the chassis registers with the token, the License Authority issues an ID certificate for communication between the chassis and the License Authority. This certificate is valid for 1 year, although it will be renewed every 6 months.
Periodic Communication with the License Authority
The device communicates with the License Authority every 30 days. If you make changes in the Smart Software Manager, you can refresh the authorization on the device so the change takes place immediately. Or you can wait for the device to communicate as scheduled.
You can optionally configure an HTTP proxy.
The Firepower 4100/9300 chassis must have internet access either directly or through an HTTP proxy at least every 90 days. Normal license communication occurs every 30 days, but with the grace period, your device will operate for up to 90 days without calling home. After the grace period, you must contact the Licensing Authority, or you will not be able to make configuration changes to features requiring special licenses; operation is otherwise unaffected.
Note: If your device is unable to communicate with the license authority for one year, the device will enter an unregistered state but will not lose any previously enabled strong encryption capabilities.
Out-of-Compliance State
The device can become out of compliance in the following situations:
- Over-utilization—When the device uses unavailable licenses.
- License expiration—When a time-based license expires.
- Lack of communication—When the device cannot reach the Licensing Authority for re-authorization.
To verify whether your account is in, or approaching, an Out-of-Compliance state, you must compare the entitlements currently in use by your Firepower 4100/9300 chassis against those in your Smart Account.
In an out-of-compliance state, you will not be able to make configuration changes to features requiring special licenses, but operation is otherwise unaffected. For example, existing contexts over the Standard license limit can continue to run, and you can modify their configuration, but you will not be able to add a new context.
Smart Call Home Infrastructure
By default, a Smart Call Home profile exists in the FXOS configuration that specifies the URL for the Licensing Authority. You cannot remove this profile. Note that the only configurable option for the License profile is the destination address URL for the License Authority. Unless directed by Cisco TAC, you should not change the License Authority URL.
Note: Cisco Transport Gateway is not supported on Firepower 4100/9300 security appliances.
Cisco Success Network
Cisco Success Network is a user-enabled cloud service. When you enable Cisco Success Network, a secure connection is established between the Firepower 4100/9300 chassis and the Cisco cloud to stream usage information and statistics. Streaming telemetry provides a mechanism that selects data of interest from the ASA and transmits it in a structured format to remote management stations to do the following:
- Inform you of available unused features that can improve the effectiveness of the product in your network
- Inform you of additional technical support services and monitoring that might be available for your product
- Help Cisco improve our products
You enable Cisco Success Network when you register the Firepower 4100/9300 with the Cisco Smart Software Manager. See Register the Firepower 4100/9300 chassis with the License Authority.
You can enroll in the Cisco Success Network only if all the following conditions are met:
- Smart Software License is registered.
- Smart License Satellite mode is disabled.
- Permanent License is disabled.
Once you enroll in the Cisco Success Network, the chassis establishes and maintains the secure connection at all times. You can turn off this connection at any time by disabling Cisco Success Network, which disconnects the device from the Cisco Success Network cloud.
You can view and change your current Cisco Success Network enrollment status. See Change Cisco Success Network Enrollment.
Cisco Success Network Telemetry Data
Cisco Success Network allows the chassis to stream configuration and operating state information once every 24 hours to the Cisco Success Network cloud. Collected and monitored data include the following:
- Enrolled device information—Firepower 4100/9300 chassis model name, product identifier, serial number, UUID, system uptime, and Smart Licensing information. See Enrolled Device Data.
- Software information—Type and version number for the software running on the Firepower 4100/9300 chassis. See Software Version Data.
- ASA device information—Information about the ASA devices running on the security module/engine of the Firepower 4100/9300. Note that for the Firepower 4100 series, only the information about a single ASA device is included. ASA device information includes smart licenses in use for each device, device models, serial numbers, and software version. See ASA Device Data.
- Performance information—System uptime, CPU usage, memory usage, disk space usage, and bandwidth usage information of the ASA devices. See Performance Data.
- Usage information—Feature status, cluster, failover, and login information:
  - Feature status—List of enabled ASA features that you have configured or are enabled by default.
  - Cluster information—Includes cluster information if the ASA device is in clustered mode. If the ASA device is not in clustered mode, this information is not displayed. The cluster information includes the cluster group name of the ASA device, cluster interface mode, unit name, and state. For the other peer ASA devices in the same cluster, the information includes the name, state, and serial number.
  - Failover information—Includes failover information if the ASA is in failover mode. If the ASA is not in failover mode, this information is not displayed. The failover information includes the role and state of the ASA, and the role, state, and serial number of the peer ASA device.
  - Login history—User login frequency, login time, and date stamp for the most recent successful login on the ASA device. However, the login history does not include the user login name, credentials, or any other personal information.
  See Usage Data for more information.
Enrolled Device Data
Once you enroll the Firepower 4100/9300 chassis in Cisco Success Network, select telemetry data about the chassis is streamed to the Cisco cloud. The following table describes the collected and monitored data.
Data Point | Example Value |
---|---|
Device model | Cisco Firepower FP9300 Security Appliance |
Serial number | GMX1135L01K |
Smart license PIID | 752107e9-e473-4916-8566-e26d0c4a5bd9 |
Smart license virtual account name | FXOS-general |
System uptime | 32115 |
UDI product identifier | FPR-C9300-AC |
Software Version Data
Cisco Success Network collects software information that pertains to the chassis including type and software version. The following table describes the collected and monitored software information.
Data Point | Example Value |
---|---|
Type | package_version |
Version | 2.7(1.52) |
ASA Device Data
Cisco Success Network collects information about the ASA devices running on the security module/engine of the Firepower 4100/9300. The following table describes the collected and monitored information about ASA devices.
Data Point | Example Value |
---|---|
ASA device PID | FPR9K-SM-36 |
ASA device model | Cisco Adaptive Security Appliance |
ASA device serial number | XDQ311841WA |
Deployment type (native or container) | Native |
Security context mode (single or multiple) | Single |
ASA software version | |
Device manager version | |
Activated smart licenses in use | |
Performance Data
Cisco Success Network collects the performance-specific information for the ASA devices. The information includes system uptime, CPU usage, memory usage, disk space usage, and bandwidth usage information.
- CPU usage—CPU usage information for the past five minutes
- Memory usage—Free, used, and total memory of the system
- Disk usage—Free, used, and total disk space information
- System uptime—System uptime information
- Bandwidth usage—System bandwidth usage; aggregated from all nameif-ed interfaces
  This shows the statistics for received and transmitted packets (or bytes) per second since system up time.
The following table describes the collected and monitored information.
Data Point | Example Value |
---|---|
System CPU usage in past five minutes | |
System memory usage | |
System disk usage | |
System uptime | 99700000 |
System bandwidth usage | |
Usage Data
Cisco Success Network collects feature status, cluster, failover, and login information for the ASA devices running on the security module/engine of the chassis. The following table describes the collected and monitored data about ASA device usage.
Data Point | Example Value |
---|---|
Feature status | |
Cluster information | |
Failover information | |
Login history | |
Telemetry Example File
The Firepower 4100/9300 chassis aggregates the data received from all ASA devices that have telemetry enabled and are online, combines it with the chassis-specific information and additional fields, and then sends the data to the Cisco cloud. If no applications have telemetry data, telemetry is still sent to the Cisco cloud with the chassis information.
The following is an example of a Cisco Success Network telemetry file that includes the information sent to the Cisco cloud for two ASA devices on a Firepower 9300.
{
  "version": "1.0",
  "metadata": {
    "topic": "ASA.telemetry",
    "contentType": "application/json",
    "msgID": "2227"
  },
  "payload": {
    "recordType": "CST_ASA",
    "recordVersion": "1.0",
    "recordedAt": 1560868270055,
    "FXOS": {
      "FXOSdeviceInfo": {
        "deviceModel": "Cisco Firepower FP9300 Security Appliance",
        "serialNumber": "HNY4475P01K",
        "smartLicenseProductInstanceIdentifier": "413509m0-f952-5822-7492-r62c0a5h4gf4",
        "smartLicenseVirtualAccountName": "FXOS-general",
        "systemUptime": 32115,
        "udiProductIdentifier": "FPR-C9300-AC"
      },
      "versions": {
        "items": [
          {
            "type": "package_version",
            "version": "2.7(1.52)"
          }
        ]
      }
    },
    "asaDevices": {
      "items": [
        {
          "CPUUsage": {
            "fiveMinutesPercentage": 0,
            "fiveSecondsPercentage": 0,
            "oneMinutePercentage": 0
          },
          "bandwidthUsage": {
            "receivedBytesPerSec": 1,
            "receivedPktsPerSec": 0,
            "transmittedBytesPerSec": 1,
            "transmittedPktsPerSec": 0
          },
          "deviceInfo": {
            "deploymentType": "Native",
            "deviceModel": "Cisco Adaptive Security Appliance",
            "securityContextMode": "Single",
            "serialNumber": "ADG2158508T",
            "systemUptime": 31084,
            "udiProductIdentifier": "FPR9K-SM-24"
          },
          "diskUsage": {
            "freeGB": 19.781810760498047,
            "totalGB": 20.0009765625,
            "usedGB": 0.21916580200195312
          },
          "featureStatus": {
            "items": [
              {
                "name": "aaa-proxy-limit",
                "status": "enabled"
              },
              {
                "name": "firewall_user_authentication",
                "status": "enabled"
              },
              {
                "name": "IKEv2 fragmentation",
                "status": "enabled"
              },
              {
                "name": "inspection-dns",
                "status": "enabled"
              },
              {
                "name": "inspection-esmtp",
                "status": "enabled"
              },
              {
                "name": "inspection-ftp",
                "status": "enabled"
              },
              {
                "name": "inspection-hs232",
                "status": "enabled"
              },
              {
                "name": "inspection-netbios",
                "status": "enabled"
              },
              {
                "name": "inspection-rsh",
                "status": "enabled"
              },
              {
                "name": "inspection-rtsp",
                "status": "enabled"
              },
              {
                "name": "inspection-sip",
                "status": "enabled"
              },
              {
                "name": "inspection-skinny",
                "status": "enabled"
              },
              {
                "name": "inspection-snmp",
                "status": "enabled"
              },
              {
                "name": "inspection-sqlnet",
                "status": "enabled"
              },
              {
                "name": "inspection-sunrpc",
                "status": "enabled"
              },
              {
                "name": "inspection-tftp",
                "status": "enabled"
              },
              {
                "name": "inspection-xdmcp",
                "status": "enabled"
              },
              {
                "name": "management-mode",
                "status": "normal"
              },
              {
                "name": "mobike",
                "status": "enabled"
              },
              {
                "name": "ntp",
                "status": "enabled"
              },
              {
                "name": "sctp-engine",
                "status": "enabled"
              },
              {
                "name": "smart-licensing",
                "status": "enabled"
              },
              {
                "name": "static-route",
                "status": "enabled"
              },
              {
                "name": "threat_detection_basic_threat",
                "status": "enabled"
              },
              {
                "name": "threat_detection_stat_access_list",
                "status": "enabled"
              }
            ]
          },
          "licenseActivated": {
            "items": []
          },
          "loginHistory": {
            "lastSuccessfulLogin": "05:53:18 UTC Jun 18 2019",
            "loginTimes": "1 times in last 1 days"
          },
          "memoryUsage": {
            "freeMemoryInBytes": 226031548496,
            "totalMemoryInBytes": 241583656960,
            "usedMemoryInBytes": 15552108464
          },
          "versions": {
            "items": [
              {
                "type": "asa_version",
                "version": "9.13(1)248"
              },
              {
                "type": "device_mgr_version",
                "version": "7.13(1)31"
              }
            ]
          }
        },
        {
          "CPUUsage": {
            "fiveMinutesPercentage": 0,
            "fiveSecondsPercentage": 0,
            "oneMinutePercentage": 0
          },
          "bandwidthUsage": {
            "receivedBytesPerSec": 1,
            "receivedPktsPerSec": 0,
            "transmittedBytesPerSec": 1,
            "transmittedPktsPerSec": 0
          },
          "deviceInfo": {
            "deploymentType": "Native",
            "deviceModel": "Cisco Adaptive Security Appliance",
            "securityContextMode": "Single",
            "serialNumber": "RFL21764S1D",
            "systemUptime": 31083,
            "udiProductIdentifier": "FPR9K-SM-24"
          },
          "diskUsage": {
            "freeGB": 19.781543731689453,
            "totalGB": 20.0009765625,
            "usedGB": 0.21943283081054688
          },
          "featureStatus": {
            "items": [
              {
                "name": "aaa-proxy-limit",
                "status": "enabled"
              },
              {
                "name": "call-home",
                "status": "enabled"
              },
              {
                "name": "crypto-ca-trustpoint-id-usage-ssl-ipsec",
                "status": "enabled"
              },
              {
                "name": "firewall_user_authentication",
                "status": "enabled"
              },
              {
                "name": "IKEv2 fragmentation",
                "status": "enabled"
              },
              {
                "name": "inspection-dns",
                "status": "enabled"
              },
              {
                "name": "inspection-esmtp",
                "status": "enabled"
              },
              {
                "name": "inspection-ftp",
                "status": "enabled"
              },
              {
                "name": "inspection-hs232",
                "status": "enabled"
              },
              {
                "name": "inspection-netbios",
                "status": "enabled"
              },
              {
                "name": "inspection-rsh",
                "status": "enabled"
              },
              {
                "name": "inspection-rtsp",
                "status": "enabled"
              },
              {
                "name": "inspection-sip",
                "status": "enabled"
              },
              {
                "name": "inspection-skinny",
                "status": "enabled"
              },
              {
                "name": "inspection-snmp",
                "status": "enabled"
              },
              {
                "name": "inspection-sqlnet",
                "status": "enabled"
              },
              {
                "name": "inspection-sunrpc",
                "status": "enabled"
              },
              {
                "name": "inspection-tftp",
                "status": "enabled"
              },
              {
                "name": "inspection-xdmcp",
                "status": "enabled"
              },
              {
                "name": "management-mode",
                "status": "normal"
              },
              {
                "name": "mobike",
                "status": "enabled"
              },
              {
                "name": "ntp",
                "status": "enabled"
              },
              {
                "name": "sctp-engine",
                "status": "enabled"
              },
              {
                "name": "smart-licensing",
                "status": "enabled"
              },
              {
                "name": "static-route",
                "status": "enabled"
              },
              {
                "name": "threat_detection_basic_threat",
                "status": "enabled"
              },
              {
                "name": "threat_detection_stat_access_list",
                "status": "enabled"
              }
            ]
          },
          "licenseActivated": {
            "items": []
          },
          "loginHistory": {
            "lastSuccessfulLogin": "05:53:16 UTC Jun 18 2019",
            "loginTimes": "1 times in last 1 days"
          },
          "memoryUsage": {
            "freeMemoryInBytes": 226028740080,
            "totalMemoryInBytes": 241581195264,
            "usedMemoryInBytes": 15552455184
          },
          "versions": {
            "items": [
              {
                "type": "asa_version",
                "version": "9.13(1)248"
              },
              {
                "type": "device_mgr_version",
                "version": "7.13(1)31"
              }
            ]
          }
        }
      ]
    }
  }
}
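The following Python audit is an added example, not part of the Cisco documentation. It reads a record shaped like the example file above and reports which identifiers leave the network, which feature states differ between ASA devices in the same chassis, and whether loginHistory carries any field beyond the two shown in the example. The function names and all sample values are constructed for illustration; only the JSON field names come from the example file.

```python
import json

# Constructed sample with the same structure as the telemetry example file on
# this page, trimmed to the audited fields. All values are made up, and the
# "userName" field is added deliberately to exercise the login-history check.
SAMPLE = json.loads("""
{"payload": {
  "recordType": "CST_ASA",
  "FXOS": {"FXOSdeviceInfo": {"serialNumber": "CHASSIS0001",
                              "smartLicenseVirtualAccountName": "example-va"}},
  "asaDevices": {"items": [
    {"deviceInfo": {"serialNumber": "ASA0000001"},
     "featureStatus": {"items": [{"name": "ntp", "status": "enabled"},
                                 {"name": "management-mode", "status": "normal"}]},
     "loginHistory": {"lastSuccessfulLogin": "05:53:18 UTC Jun 18 2019",
                      "loginTimes": "1 times in last 1 days"}},
    {"deviceInfo": {"serialNumber": "ASA0000002"},
     "featureStatus": {"items": [{"name": "ntp", "status": "enabled"},
                                 {"name": "call-home", "status": "enabled"},
                                 {"name": "management-mode", "status": "normal"}]},
     "loginHistory": {"lastSuccessfulLogin": "05:53:16 UTC Jun 18 2019",
                      "loginTimes": "1 times in last 1 days",
                      "userName": "admin"}}
  ]}}}
""")

# loginHistory keys that appear in the page's example file.
DOCUMENTED_LOGIN_KEYS = {"lastSuccessfulLogin", "loginTimes"}


def feature_states(device):
    """Return the device's features as a set of 'name=status' strings."""
    items = device.get("featureStatus", {}).get("items", [])
    return {f"{f['name']}={f['status']}" for f in items}


def audit_record(record):
    """Summarize what one telemetry record discloses and flag deviations."""
    payload = record["payload"]
    chassis = payload.get("FXOS", {}).get("FXOSdeviceInfo", {})
    # A chassis with no telemetry-enabled ASA still sends chassis data only.
    devices = payload.get("asaDevices", {}).get("items", [])
    by_serial = {d["deviceInfo"]["serialNumber"]: d for d in devices}
    features = {s: feature_states(d) for s, d in by_serial.items()}
    common = set.intersection(*features.values()) if features else set()
    report = {
        "chassis_serial": chassis.get("serialNumber"),
        "virtual_account": chassis.get("smartLicenseVirtualAccountName"),
        "asa_serials": sorted(by_serial),
        # Feature states reported by one ASA but not by every ASA in the chassis.
        "feature_drift": {s: sorted(f - common) for s, f in features.items() if f - common},
        "unexpected_login_fields": {},
    }
    for serial, dev in by_serial.items():
        extra = set(dev.get("loginHistory", {})) - DOCUMENTED_LOGIN_KEYS
        if extra:
            report["unexpected_login_fields"][serial] = sorted(extra)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_record(SAMPLE), indent=2))
```

Run against the page's own example file, the drift entry would list the second ASA's call-home and crypto-ca-trustpoint-id-usage-ssl-ipsec features, which the first ASA does not report.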