Frequently Asked Questions (FAQ) about Firepower Licensing

General License Management

Q. 

Does the Firepower Management Center require a license?

A. 

In Version 6.0 and later, the Firepower Management Center manages feature licenses for your devices, but you do not need a feature license to use the Management Center hardware. Virtual Firepower Management Center requires an entitlement for each device it will manage.

In Version 5.4.x and earlier, a FireSIGHT license is required to use a FireSIGHT Defense Center. You must add this license to the Defense Center during initial setup.

Q. 

Does my Firepower product need Classic or Smart Licenses?

A. 

The software, not the hardware, determines the required license type for Firepower products.

  • Devices running Firepower Threat Defense software require Smart Licenses.

  • All other devices running Firepower software (ASA with FirePOWER Services, 7000 or 8000 Series, and NGIPSv) require Classic licenses.

  • For Firepower hardware that is not running Firepower software, see the documentation for your software product.

    For example, for Firepower hardware running Cisco Adaptive Security Appliance (ASA) software without FirePOWER Services, see https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/licenseroadmap.html.

Q. 

What is the difference between a Smart License and a Classic license?

A. 

The details and processes for deploying each type of license differ.

Additional information about deploying each type of license is available in the Firepower Management Center Configuration Guide, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Q. 

Can a Firepower Management Center manage devices that use different license types (Smart and Classic)?

A. 

Yes. However, the steps you take on the Firepower Management Center to manage the license types differ slightly. For more information, see the Licensing chapter in the Firepower Management Center Configuration Guide, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Q. 

Can I convert my Classic license to a Smart License entitlement?

A. 

Generally, if your hardware can run either a Firepower software product that uses a Classic license or a Firepower software product that uses a Smart License, you can convert the license.

You can look in your account to see which PAKs can be converted:

  • In the Product License Registration Portal (LRP), after the PAK is in the Smart Account, click the PAKs or Tokens tab, mouse over a PAK to see the blue arrow, then click the blue arrow. If the license can be converted, you will see a Convert to Smart Licensing option. (The LRP shows the product associated with the PAK, but lists all PAKs whether or not they can be converted.)

  • In Cisco Smart Software Manager (CSSM), click the Convert to Smart Licensing tab to view your convertible PAKs. To see which product is associated with each PAK in the list, click the PAK to view details. (CSSM only lists PAKs that can be converted, but you must click each PAK to determine what product the PAK is associated with.)

Convertibility may change over time; if a PAK becomes eligible for conversion, its status in the LRP and CSSM will update automatically.

For conversion instructions, see:

  • The Licensing chapter in versions 6.2.3 and later of the Firepower Management Center Configuration Guide, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

  • "Convert PAK License SKU’s in LRP to Smart License Entitlements in Smart Software Manager (SSM)" in the Cisco License Registration Portal (LRP) User Guide.

Q. 

Can I convert my Smart License entitlement to a Classic license?

A. 

No. If you accidentally use a Smart License entitlement instead of a Classic license, contact Cisco TAC.

Q. 

What is the difference between a license and a service subscription?

A. 

A Firepower feature license is a right-to-use license. The license is perpetual; you can continue to use the features and functionality present in the version of the feature you initially install, regardless of whether you purchase a Firepower service subscription to support the license.

A Firepower service subscription is the entitlement to download updates related to the feature. For example, if you buy a Threat (T) subscription to support your Threat license, you can download intrusion rule updates. This entitlement is term-based; that is, it expires periodically. For more information, see Firepower License and Service Subscription Expiration.

Q. 

When does the term for a service subscription start and end? Is the start date tied to the purchase date or the initial activation date?

A. 

The start and end date of each service subscription is specified on the sales order. The subscription start date is not tied to the initial activation date.

Q. 

Is Permanent License Reservation (PLR) available for Firepower devices?

A. 

Specific License Reservation for deployments with Firepower Threat Defense devices was introduced in release 6.3. For details, see the Licensing chapter in the Firepower Management Center Configuration Guide, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Q. 

Can I register my Firepower Management Center to more than one Smart Account? Can I register it to multiple virtual accounts within the same Smart Account?

A. 

No.


Note

Smart Accounts can manage both Smart Licenses and Classic licenses, so this answer applies to both types of licenses.


If you need to move your registration, you must first un-register the Firepower Management Center from the original account. Licenses assigned to devices managed by that management center instance are automatically released.

Q. 

I have FTD and ASA running on the same chassis. How do I license them?

A. 

Your hardware model must support this configuration. License each software product as if it were not sharing a chassis.

Q. 

Where can I find documentation to help me with Cisco's license-management tools (not Firepower-specific)?

A. 

https://community.cisco.com/t5/licensing-enterprise-agreements/software-on-demand-training-resources-for-customers/ta-p/3639797

Q. 

What if I have a question about or problem with a license that the account administrator at my company cannot answer?

A. 

Contact licensing@cisco.com.

Smart Licensing for Firepower Features

Q. 

What is a Smart License?

A. 

Cisco Smart Licensing is the newer form of license at Cisco. It allows you to manage a pool of licenses centrally. Unlike Classic licenses, Smart Licenses are not tied to a specific serial number or PAK. You activate a Smart License from the Firepower Management Center or the Firepower Device Manager.

Q. 

What devices use Smart Licenses for Firepower features?

A. 

Products that support Firepower Threat Defense software use Smart Licensing. For a full list of these devices, see the Cisco Firepower Compatibility Guide.

Q. 

What is a Smart Account and how do I get one?

A. 

Your Smart Account holds the Smart Licenses that your company has purchased. Licenses must be in your Smart Account before you can see them in the Smart Software Manager (CSSM) and consume them.

Your Cisco account representative or authorized reseller deposits your purchased licenses to your Smart Account, and may create your Smart Account for you.

If you need to create a Smart Account, go to https://software.cisco.com/smartaccounts/setup#accountcreation-account. For information about setting up your Smart Account, see https://www.cisco.com/c/en/us/buy/smart-accounts.html.

Q. 

What if Smart Licenses that I have purchased do not appear in my Smart Account?

A. 

Check the following, in order:

  • Make sure the licenses are not in a different virtual account within your organization's Smart Account. Because the licenses may be in a virtual account that you cannot access, you will need to contact the Smart Account administrator at your organization.

  • Contact the person or organization who sold you the licenses.

  • Contact Licensing@cisco.com.

Q. 

How do I give other people at my company access to a Smart Account that I set up?

A. 

See https://community.cisco.com/t5/licensing-enterprise-agreements/request-access-to-an-existing-smart-account-quick-reference/ta-p/3628587?attachment-id=144211.

Q. 

What is a Product Instance Registration Token?

A. 

The Product Instance Registration Token allows you to register your Firepower Management Center or Firepower Device Manager with the Cisco Smart Software Manager. You create the token in the Cisco Smart Software Manager. For more information, see https://www.cisco.com/web/fw/softwareworkspace/smartlicensing/SSMCompiledHelps/c_Creating_a_Product_Instance_Registration_Token.html.

You can create tokens with or without enabling export-controlled functionality. However, some important Firepower features require that you enable export-controlled functionality. If your account qualifies for export-controlled functionality, this functionality must be authorized before you generate the token, and you must select the option when you generate the token. Cisco recommends that you understand your needs before generating these tokens. (Starting in Release 6.3, accounts that do not qualify for export-controlled functionality may be able to obtain it on a per-FMC basis. Contact your reseller or account representative for more information. The mechanism for this solution does not involve the Product Instance Registration Token.)

After you create the token, you add it to the managing device to register that device with the Cisco Smart Software Manager. After the managing device is registered, you can assign Smart Licenses to managed devices. For more information, see the Firepower Management Center Configuration Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Q. 

Where do I find the Product Instance Registration Token for my Firepower Management Center or Firepower Device Manager?

A. 

You can create and copy the token from your virtual account in the Cisco Smart Software Manager. For more information, see https://www.cisco.com/web/fw/softwareworkspace/smartlicensing/SSMCompiledHelps/c_Managing_Product_Instance_Registration_Tokens.html.

Q. 

How do I access the Cisco Smart Software Manager (CSSM)?

A. 

On the Firepower Management Center, choose System > Licenses > Smart Licenses, and click Cisco Smart Software Manager.

You can also access the Cisco Smart Software Manager directly in a browser:

https://software.cisco.com/#module/SmartLicensing

For more information, see the Cisco Smart Software Manager User Guide.

Q. 

How many licenses do I need for a multi-instance deployment?

A. 

If all instances are managed by the same Firepower Management Center, you need one license per feature per module, regardless of the number of container instances on the module. For details about licensing multi-instance deployments, see the Licensing chapter in the Firepower Management Center Configuration Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Q. 

What happens if my products are not able to communicate with the smart licensing server?

A. 

Each product communicates with the License Authority every 30 days. If you make changes in the Smart Software Manager, you can refresh the authorization on your product so the change takes place immediately. Or you can wait for the device to communicate as scheduled. Optionally, you can configure an HTTP proxy.

The product must have Internet access either directly or through an HTTP proxy at least every 90 days. Normal license communication occurs every 30 days, but with the grace period, your device will operate for up to 90 days without calling home. After the grace period, the device must contact the Licensing Authority, or you will not be able to make configuration changes to features requiring special licenses; operation is otherwise unaffected.

To deploy a Cisco Smart Satellite Server to communicate with the License Authority, see the Licensing chapter in the Firepower Management Center Configuration Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Version 6.3 introduces Specific License Reservation functionality for air-gapped deployments. Contact your reseller or authorized account representative for more information.

Q. 

What does it mean when my product is in an out-of-compliance state and how do I know if this happens?

A. 

The license can become out of compliance in the following situations:

  • Over-utilization—When the product uses unavailable licenses.

  • License expiration—When a time-based license expires.

  • Lack of communication—When the product cannot reach the Licensing Authority for re-authorization.

To verify whether your account is in, or approaching, an Out-of-Compliance state, you must compare the entitlements currently in use by your product against those in your Smart Account.

Classic Licensing for Firepower Features

Q. 

What is a Classic license?

A. 

This is the older form of license at Cisco. Classic licenses require a product authorization key (PAK) to activate and are non-transferrable between devices. Classic licensing is also referred to as "traditional licensing."

Q. 

What devices use Classic licenses for Firepower features?

A. 

7000 and 8000 Series devices, ASA FirePOWER modules, and NGIPSv.

Q. 

Are Classic licenses transferrable between devices?

A. 

No.

Q. 

What is a product authorization key (PAK)?

A. 

The product authorization key (PAK) enables you to activate a Classic license. The PAK is included in the Software Claim Certificate that Cisco provides when you purchase a license.

In the Cisco Product License Registration Portal, use the PAK in combination with the Firepower license key to generate the license text required to add licenses to the Firepower Management Center.

Q. 

How do I access the Cisco License Registration Portal (LRP)?

A. 

On the Firepower Management Center, choose System > Licenses > Classic Licenses, click Add New License, and click Get License.

You can also access the License Registration Portal directly in a browser:

https://www.cisco.com/go/license

For more information on using this portal, see Product License Registration Tools & Resources (https://www.cisco.com/web/fw/tools/swift/xui/html/help.html).

Q. 

How are Software Claim Certificates (SCCs) delivered?

A. 

If you buy a physical device (for example, a Firepower 8250), you receive a paper copy of the Software Claim Certificate for the related Control license in the box with the physical device.

If you deploy a virtual device (for example, Firepower Management Center Virtual), you receive the Software Claim Certificate for the related Control license as an email attachment.

If you buy Firepower feature licenses for either physical or virtual devices (for example, URL Filtering), you receive the Software Claim Certificate as an email attachment.

Q. 

What happens if I lose or misplace my Software Claim Certificate before I register my PAK in the Cisco Product Licensing Registration Portal?

A. 

Contact Cisco TAC.

Q. 

What is a Firepower license key?

A. 

The Firepower license key uniquely identifies a managing device in the Cisco Product License Registration Portal. Managing devices include ASDM locally managing ASA FirePOWER modules, and Firepower Management Centers.

This license key has the following format:

product_code:address

The product_code element varies depending on the type of managing device, and the address element is the MAC address of the managing device. On Firepower Management Center, this is the MAC address of the management interface (Eth0).

For example, a possible licensing key for a Firepower Management Center is "66:00:00:77:FF:CC:88".

In the Cisco Product License Registration Portal, use the license key in combination with the PAK to generate the license text required to add Classic feature licenses to the managing device.

Q. 

Where do I find the Firepower license key?

A. 

  • On the Firepower Management Center, choose System > Licenses > Classic Licenses > Add New License. The License Key appears in the resulting dialog.

  • In ASDM, obtain the License Key for your chassis by choosing Configuration > ASA FirePOWER Configuration > Licenses and clicking Add New License. The License Key is near the top; for example, 72:78:DA:6E:D9:93:35.

Q. 

Where do I find the license text I need to add a Classic license to the Firepower Management Center?

A. 

Generate the license text in the Cisco Product License Registration Portal. After you generate the license text, either copy the text from the License Registration Portal display or from the email the License Registration Portal sends you.


Important

The licensing text block in the portal or email message may include more than one license. Make sure that you copy and paste only one license at a time. Each license begins with a BEGIN LICENSE line and ends with an END LICENSE line. (Include these lines when you copy and paste each license.)
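The copy-one-license-at-a-time step above, together with the product_code:address key format described earlier, can be checked with a short script before anything is pasted into the Firepower Management Center. This is an added example, not Cisco code: it assumes the key is seven colon-separated hex pairs (as in the two sample keys on this page) and that the delimiter lines contain the words BEGIN LICENSE and END LICENSE; the sample block and its dashes are constructed.

```python
import re

# Assumption: seven colon-separated hex pairs, the first being product_code and
# the remaining six the MAC address of the managing device (matches the page's
# sample keys 66:00:00:77:FF:CC:88 and 72:78:DA:6E:D9:93:35).
KEY_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){6}$")


def parse_license_key(key):
    """Split a license key into (product_code, mac_address), both upper case."""
    key = key.strip()
    if not KEY_RE.match(key):
        raise ValueError(f"not a product_code:address license key: {key!r}")
    product_code, _, mac = key.partition(":")
    return product_code.upper(), mac.upper()


def split_licenses(text):
    """Return every license in a portal or email text block as its own string.

    A license runs from a line containing BEGIN LICENSE to the next line
    containing END LICENSE, both lines included. Text outside those pairs
    (greetings, signatures) is dropped. Malformed blocks raise ValueError so
    that a truncated copy is caught before it is pasted.
    """
    licenses, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if "BEGIN LICENSE" in line:
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN LICENSE inside a license")
            current = [line]
        elif "END LICENSE" in line:
            if current is None:
                raise ValueError(f"line {lineno}: END LICENSE without BEGIN LICENSE")
            current.append(line)
            licenses.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)  # license body is kept verbatim
    if current is not None:
        raise ValueError("text ends inside a license (missing END LICENSE)")
    return licenses


# Constructed sample: two placeholder licenses in one email body.
SAMPLE_BLOCK = """\
Your license text is below.

--- BEGIN LICENSE ---
CONSTRUCTED-SAMPLE-LICENSE-BODY-1
--- END LICENSE ---

--- BEGIN LICENSE ---
CONSTRUCTED-SAMPLE-LICENSE-BODY-2
--- END LICENSE ---
"""

if __name__ == "__main__":
    code, mac = parse_license_key("66:00:00:77:FF:CC:88")
    print(f"product_code={code} management MAC={mac}")
    for number, lic in enumerate(split_licenses(SAMPLE_BLOCK), 1):
        print(f"\nLicense {number} (paste on its own):\n{lic}")
```

Comparing the parsed MAC address with the management interface of the target appliance before generating license text avoids producing a license for the wrong Firepower Management Center, since generated licenses are specific to one managing device.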


Q. 

How soon after purchasing a Firepower feature license in the Cisco Commerce Workspace (CCW) can I generate license text in the Cisco License Registration Portal (LRP)?

A. 

Typically, you receive the electronic Software Claim Certificate immediately. However, you may encounter a delay of up to 24 hours between purchasing the feature license in Cisco Commerce Workspace and being able to register the PAK and generate license text in the License Registration Portal.

Q. 

Can I delete a license from one Firepower Management Center and then reuse it on a different Firepower Management Center?

A. 

Not directly. The generated license is specific to each Firepower Management Center. However, you can re-use the PAK in the Cisco Product License Registration Portal to generate a new license that uses the unique identifier of the other Firepower Management Center.

Q. 

I bought a Classic license for a device, but did not register it in the Cisco License Registration Portal (LRP) or assign it to the device. Can I repurpose this license for another device?

A. 

You can only repurpose an unused license if the original device and new device are the same model. For example, if you buy a Protection license for an ASA FirePOWER module on an ASA 5508-X, you can assign it to any ASA 5508-X, but you cannot assign it to an ASA 5516-X.

You cannot repurpose the service subscription that you bought at the same time as the original license. The timer on that subscription starts the day it is issued, even if you do not assign it to a device. Contact Sales to inquire about a possible credit for the remaining portion of the service subscription.

Licensing in High Availability Configurations

Firepower Management Center High Availability

Q. 

Do I need any special licensing to configure two Firepower Management Center appliances as a high-availability pair?

A. 

A hardware Firepower Management Center requires no special licensing, whether it is standalone or part of a high-availability pair.

A Firepower Management Center Virtual appliance cannot be a member of a high-availability pair.

Q. 

If I want to enable a licensed feature for a device managed by a Firepower Management Center high availability pair, how many licenses must I buy?

A. 

A device managed with Firepower Management Center instances in a high availability configuration requires the same number of feature licenses and related subscriptions as a device managed by a single Firepower Management Center.

The system automatically replicates all managed devices' feature licenses from active to standby Firepower Management Center, so the licenses are available to managed devices on failover.

Firepower Threat Defense High Availability

Q. 

What are the license requirements for Firepower Threat Defense devices in a high-availability configuration?

A. 

There is no specific license required to configure Firepower Threat Defense devices in a high-availability pair. However, each device should have a license for each feature your deployment will use.

Q. 

If a Firepower Management Center Virtual appliance manages Firepower Threat Defense devices that are configured in a high availability pair, do I need one entitlement for each device or one entitlement for each pair?

A. 

You need one entitlement for each device.

Q. 

If I want to enable a licensed feature for Firepower Threat Defense devices in a high-availability configuration, how many licenses must I buy?

A. 

Each device should be licensed for every feature it will use, whether or not the device is a member of a high-availability pair.

Therefore, for each feature, you should buy two Smart License entitlements for that feature—an entitlement for each device in the high-availability pair. Contact Sales to discuss possible discounting for licenses used in this configuration.

When you configure Firepower Threat Defense devices in a high-availability pair, the Firepower Management Center communicates with the Cisco Smart Software Manager and obtains the necessary licenses from your account so that the standby device has the same feature licenses as the active device. If your Smart Licenses account does not include enough purchased entitlements, your account becomes out of compliance (OOC) until you purchase the necessary licenses. Licenses for features on the standby device that were not present on the active device are released back into the pool of available licenses.

Q. 

Are there limitations on changing licenses for Firepower Threat Defense devices in a high-availability configuration?

A. 

After you pair the devices on the Firepower Management Center, you cannot change the license options for individual devices in the pair, but you can change the license for the entire high-availability pair.

Q. 

How many licenses do I need for a high-availability pair in a multi-instance deployment?

A. 

High availability pairs are formed between instances on two different chassis and thus will consume two feature licenses.

Firepower 7000 & 8000 Series Device High Availability

Q. 

If I want to enable a licensed feature for Firepower 7000 & 8000 Series devices in a high-availability configuration, how many licenses must I buy?

A. 

You must buy two licenses for that feature—one for each device in the high-availability pair. Contact Sales to discuss possible discounting for licenses used in this configuration.

Q. 

What are the license requirements for Firepower 7000 & 8000 Series devices in a high-availability configuration?

A. 

There is no additional license required to configure 7000 & 8000 Series devices in a high-availability pair. However, before you can configure 7000 & 8000 Series devices in a high-availability pair, you must assign the same feature licenses to both devices on the Firepower Management Center.

Q. 

Are there limitations on changing licenses for Firepower 7000 & 8000 Series devices in a high-availability configuration?

A. 

After you pair the devices on the Firepower Management Center, you cannot change the license options for individual devices in the pair, but you can change the license for the entire high-availability pair.

Licensing in Firepower Threat Defense Device Clusters

Intra-Chassis Clustering


Note

Intra-chassis clustering is only supported for Firepower Threat Defense modules on Firepower 9300 devices.


Q. 

If I want to enable a licensed feature for Firepower Threat Defense modules in an intra-chassis cluster, how many licenses must I buy?

A. 

You must buy a Smart license for that feature for each module in the cluster. For example, if you want your cluster to include three modules that use URL filtering, you must buy three URL Filtering licenses and related subscriptions.

Q. 

What are the license requirements for intra-chassis clustering of Firepower Threat Defense modules?

A. 

The Base license allows you to cluster security modules within an FXOS chassis. There is no additional license required. However, if you want to use license-based features in the cluster (for example, URL filtering), you must assign equivalent licenses to all Firepower Threat Defense modules before configuring them as a cluster.

Q. 

Are there limitations on changing licenses for Firepower Threat Defense modules configured in an intra-chassis cluster?

A. 

After you cluster the devices, you cannot change the license options for individual modules in the cluster, but you can change the license options for the entire cluster.

Inter-Chassis Clustering


Note

Inter-chassis clustering is only supported for Firepower Threat Defense on Firepower 9300 and Firepower 4100 series devices.


Q. 

If I want to enable a licensed feature for Firepower Threat Defense devices in an inter-chassis cluster, how many licenses must I buy?

A. 

You must buy a Smart license for that feature for each device in the cluster. For example, if you want your cluster to include four devices that use URL filtering, you must buy four URL Filtering licenses and related subscriptions.

Q. 

What are the license requirements for inter-chassis clustering of Firepower Threat Defense devices?

A. 

The Base license allows you to cluster Firepower Threat Defense devices running on the FXOS chassis. There is no additional license required. However, if you want to use license-based features in the cluster (for example, URL filtering), you must assign equivalent licenses to all Firepower Threat Defense devices before configuring them as a cluster.

Q. 

Are there limitations on changing licenses for Firepower Threat Defense devices in an inter-chassis cluster?

A. 

After you cluster the devices, you cannot change the license options for individual devices in the cluster, but you can change the license options for the entire cluster.

Licensing in 8000 Series Device Stacks

Q. 

If I want to enable a licensed feature for an 8000 Series device stack, how many licenses must I buy?

A. 

You must buy a Classic license for that feature for each device in the stack. For example, if you want your stack to include four devices that use URL filtering, you must buy four URL Filtering licenses and related subscriptions.

Q. 

What are the license requirements for an 8000 Series device stack?

A. 

There is no additional license required to configure an 8000 Series device stack. However, to configure 8000 Series devices in a stack, you must assign the same feature licenses to all devices before including them in the stack.

Q. 

Are there limitations on changing licenses for devices configured in an 8000 Series stack?

A. 

After you stack the devices, you cannot change the license options for individual devices in the stack, but you can change the license options for the entire stack.

Firepower License and Service Subscription Expiration

License Expiration vs. Service Subscription Expiration

Q. 

Do Firepower feature licenses expire?

A. 

Strictly speaking, Firepower feature licenses do not expire. Instead, the service subscriptions that support those licenses expire. For details about service subscriptions, see "Service Subscriptions for Firepower Features" in the Firepower Management Center Configuration Guide available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html.

Smart Licensing

Q. 

Can a Product Instance Registration Token expire?

A. 

A token can expire if it is not used to register a product within the specified validity period. You set the number of days that the token is valid when you create the token in the Cisco Smart Software Manager. If the token expires before you use it to register a Firepower Management Center, you must create a new token.

After you use the token to register a Firepower Management Center, the token expiration date is no longer relevant. When the token expiration date elapses, there is no impact on the Firepower Management Center that you used the token to register.

Token expiration dates do not affect subscription expiration dates.

For more information, see the Cisco Smart Software Manager User Guide.

Q. 

How can I tell if my Smart Licenses/service subscriptions are expired or about to expire?

A. 

To determine when a service subscription will expire (or when it expired), review your entitlements in the Cisco Smart Software Manager.

On the Firepower Management Center, you can determine whether a service subscription for a feature license is currently in compliance by choosing System > Licenses > Smart Licenses. On this page, a table summarizes the Smart License entitlements associated with this Firepower Management Center via its product registration token. You can determine whether the service subscription for the license is currently in compliance based on the License Status field.

On Firepower Device Manager, use the Smart License page to view the current license status for the system: Click Device, then click View Configuration in the Smart License summary.

In addition, the Cisco Smart Software Manager will send you a notification 3 months before a license expires.

Q. 

What happens if my Smart License/subscription expires?

A. 

If a purchased service subscription expires, you can see in Firepower Management Center and in your Smart Account that your account is out of compliance. Cisco notifies you that you must renew the subscription; see Subscription Renewals. There is no other impact.

Specific License Reservation

Q. 

What happens if my Specific License Reservation expires?

A. 

SLR licenses are term-based.

If required licenses are unavailable or expired, the following actions are restricted:

  • Device registration

  • Policy deployment

Classic Licensing

Q. 

How can I tell if my Classic licenses/service subscriptions are expired or about to expire?

A. 

On the Firepower Management Center, choose System > Licenses > Classic Licenses.

On this page, a table summarizes the Classic licenses you have added to this Firepower Management Center.

You can determine whether the service subscription for the license is currently in compliance based on the Status field.

You can determine when the service subscription will expire (or when it expired) by the date in the Expires field.

You can also obtain this information by reviewing your license information in the Cisco Product License Registration Portal.

Q. 

What does this mean: 'IPS Term Subscription is still required for IPS'?

A. 

This message merely informs you that Protect and Control functionality requires not only a right-to-use license (which never expires), but also one or more associated service subscriptions, which must be renewed periodically. If the service subscriptions you want to use are current and will not expire soon, no action is required. To determine the status of your service subscriptions, see "How can I tell if my Classic licenses/service subscriptions are expired or about to expire?"

Q. 

What happens if my Classic license/subscription expires?

A. 

If a service subscription supporting a Classic license expires, Cisco notifies you that you must renew the subscription; see Subscription Renewals.

You might not be able to use the related features, depending on the feature type:

Table 1. Expiration Impact for Classic Licenses/Subscriptions

Classic License: Control
Possible Supporting Subscriptions: TA, TAC, TAM, TAMC
Expiration Impact: You can continue to use existing Firepower functionality, but you cannot download VDB updates, including application signature updates.

Classic License: Protection
Possible Supporting Subscriptions: TA, TAC, TAM, TAMC
Expiration Impact: You can continue to perform intrusion inspection, but you cannot download intrusion rule updates.

Classic License: URL Filtering
Possible Supporting Subscriptions: URL, TAC, TAMC
Expiration Impact:

  • Access control rules with URL conditions immediately stop filtering URLs.

  • Other policies (such as SSL policies) that filter traffic based on URL category and reputation immediately stop doing so.

  • The Firepower Management Center can no longer download updates to URL data.

  • You cannot re-deploy existing policies that perform URL category and reputation filtering.

Classic License: Malware
Possible Supporting Subscriptions: AMP, TAM, TAMC
Expiration Impact:

  • For a very brief time, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.

  • The system stops querying the AMP cloud, and stops acknowledging retrospective events sent from the AMP cloud.

  • You cannot re-deploy existing access control policies if they include AMP for Firepower configurations.

Subscription Renewals

Q. 

How do I renew an expiring Classic license?

A. 

To renew an expiring Classic license, simply purchase a new PAK key and follow the same process as for implementing a new subscription.

Q. 

Can I renew a Firepower service subscription from the Firepower Management Center?

A. 

No. To renew a Firepower service subscription (Classic or Smart), purchase a new subscription using either the Cisco Commerce Workspace or the Cisco Service Contract Center.

More Information

For additional information about licensing, see the following documents: