Licensing for Security Manager

With the information in this chapter, you can determine which license you need to install and use Cisco Security Manager 4.19. This chapter also has descriptions of the various licenses available, such as standard, professional, and evaluation.

Other than a few notes, this chapter does not discuss license installation. Refer to Chapter 5, “Installing and Upgrading Server Applications.”

This chapter discusses device count, with the purpose of helping you determine which Security Manager server license you need.

License Types

The Cisco Security Manager has two base license types, Standard and Professional. Apart from the base licenses, Cisco Security Manager offers:

Base Licenses (Standard and Professional)

Table 2-1 displays the list of the Standard and Professional base licenses available for Cisco Security Manager 4.19.

Table 2-1 List of the Base Licenses Available

| License Name | License Abbreviation | Number of Devices that can be Managed (Refer to Understanding Device Count for Purchasing License) |
|---|---|---|
| Standard-5 | ST5 | 5 |
| Standard-10 | ST10 | 10 |
| Standard-25 | ST25 | 25 |
| Professional-50 | PRO50 | 50 |
| Professional-100 | PRO100 | 100 |
| Professional-250 | PRO250 | 250 |

Table 2-2 provides a comparison of Professional base versions with Standard base versions.

Table 2-2 Comparison of Professional Base Versions with Standard Base Versions

| Feature | Supported in Professional? | Supported in Standard? |
|---|---|---|
| Support of incremental (“add-on”) device license packages in increments of 50, 100, and 250 devices | Yes | No |
| Support for the management of Cisco Catalyst 6500 and 7600 Series switches and associated services modules | Yes | No |
| Support for the management of firewall service modules | Yes | No |
| Support for temporary licenses (licenses with an expiration date) | Yes | No (only permanent licenses are supported) |

To obtain a base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package:

You must register Security Manager as soon as you can within the first 90 days and for the number of devices that you need to ensure uninterrupted use of the product. Each time you start the application, you are reminded of how many days remain on your evaluation license and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you cannot log in until you upgrade your license.

After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.

Standard-to-Professional Upgrade License

When your needs have outgrown the capabilities of the Standard license, for example, when you need to manage Catalyst security blades or when your deployment grows beyond 25 devices, you need to upgrade to Cisco Security Manager Professional. You can purchase the Standard-to-Professional upgrade license. However, this upgrade license can be applied only if the base license is a Standard-25 (“ST25”) license. The orderable part ID (PID) for the Standard-to-Professional upgrade license is L-CSMSTPR-U-K9.

Incremental (“Add-on”) Licenses

If your base license is a Professional version (not a Standard version or the evaluation version), you can purchase incremental (“add-on”) licenses to increase the number of devices that you are allowed to manage. You can purchase as many incremental licenses as you wish.

Incremental (“add-on”) licenses for previous versions are valid for the current version. For example, if you have a Professional-50 license for Security Manager 4.19, you can use a 4.18 incremental device license.

Incremental licenses are available in increments of 50, 100, and 250 devices.

API License

Cisco Partners who want to use the API need to have an API license. They need to have a base PRO license in order to purchase an API license. There are two kinds of API licenses:

  • A developer license. This is a 90-day license that is to be used by developers to integrate their products with Security Manager.
  • A production license. This license is required by the end customers who use certain third-party products.

Note: There is no API evaluation license. Both the developer license and the production license need to be ordered explicitly by Cisco Partners who want to use the API.


The orderable part ID (PID) for the Northbound API license is L-CSMPR-API.

Licensing and Deployment Scenarios

Active/Active

You are required to purchase two licenses of Cisco Security Manager in an Active/Active setup.

Active and Standby

A Cisco Security Manager license allows the use of Cisco Security Manager on a single server. A standby Cisco Security Manager server, such as one used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time. This is true even when high availability (HA) configuration is being used.

Note: Users who use a standby server are responsible for manually restoring the database from their active server on a regular basis.


License Types and Applicability

The Cisco Security Manager 4.19 licenses and their applicability are depicted in Table 2-3.

Table 2-3 Licenses and their Applicability

| License | Applicability | Description |
|---|---|---|
| L-CSMST-5-K9, L-CSMST-10-K9, L-CSMST-25-K9, L-CSMPR-50-K9, L-CSMPR-100-K9, L-CSMPR-250-K9 | Base Licenses (standard and professional license) | |
| L-CSMPR-LIC-50/100/250 | Incremental license | Can be applied on any professional licenses |
| L-CSMSTPR-U-K9 | Upgrade from standard to professional license | Upgrade from Cisco Security Manager Standard 25-Device Limit to Cisco Security Manager Professional |
| L-CSMPR-API | For API | |

Licenses for Component Applications

Some component applications do not require a license file:

  • Common Services.
  • Auto Update Server.

Understanding Device Count for Purchasing License

Security Manager consumes one device count (of the number allowed by the license) when you add any of the following to the device inventory:

  • Each physical device
  • Each security context
  • Each added Cisco Catalyst 6500 Series services module
  • Each virtual sensor

Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, IPS Advanced Integration Modules (IPS AIM), and any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device do not consume a device count; however, additional virtual sensors (added after the first sensor) do consume a device count.

In the case of a Firewall Services Module (FWSM) or ASA device, the module itself consumes a device count and then consumes an additional device count for each additional security context. For example, an FWSM with two security contexts would consume three device counts: one for the module, one for the admin context, and one for the second security context.

Unmanaged devices are a special case. In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager in the device properties. An unmanaged device does not consume a device count.

Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object command to add different types of objects on the map such as network clouds, firewalls, hosts, networks, and routers. These objects do not appear in the device inventory and do not consume a device count.

To determine your device count, which you will need to do to determine which Security Manager server license you need, refer to Table 2-4.

Tip: For the purpose of determining which Security Manager server license you need, devices are counted for Security Manager 4.19 in the same way that they were for Security Manager 4.18.


Table 2-4 Determining Your Device Count

| Device | Mode (also called Context) | Device Count (also called License Count or simply License) | Comments |
|---|---|---|---|
| Standalone Firewall Devices | | | |
| Any standalone firewall device | Single-context mode | 1 | |
| Any standalone firewall device | Multi-context mode | c, where c is the context count other than the system context | |
| Firewall Blades | | | |
| Any standalone firewall blade | Single-context mode | 1 | |
| Any standalone firewall blade | Multi-context mode | c, where c is the context count other than the system context | Example: Refer to “Example for any Standalone Firewall Blade in Multi-context Mode” below this table. |
| Firewalls in Failover Configuration | | | |
| Any firewall in failover configuration | Single-context mode | 1 | |
| Any firewall in failover configuration | Multi-context mode | c, where c is the context count other than the system context | |
| Standalone IPS devices | | | |
| Any standalone IPS device | | n, where n is the virtual sensor count and includes virtual sensor vs0 | Additional virtual sensors (added after the first sensor) consume 1 license each. |
| Non-standalone IPS devices | | | |
| IPS modules, IPS blades, and IPS virtual machines | | n, where n is the virtual sensor count and includes virtual sensor vs0 | IPS modules, IPS blades, and IPS virtual machines are discovered independently in Security Manager. IPS virtual machines are used in Cisco ASA-5500 Series Adaptive Security Appliances, which are 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X. |
| IPS Modules or Virtual Machines that are part of an ASA Failover Configuration | | | |
| Each IPS device | | n, where n is the virtual sensor count and includes virtual sensor vs0 | Additional virtual sensors (added after the first sensor) consume 1 license each. |
| Licenses Related to ASA Load Balancing Clusters | | | |
| Each ASA load balance cluster | Single-context mode | N, where N is the number of nodes in the single-context ASA cluster | System & Admin context represents 1 context. |
| Each ASA load balance cluster | Multi-context mode | N * c, where N is the number of nodes in the multi-context ASA cluster and c is the context count | System & Admin context represents 1 context. See also Example for Licenses Related to ASA Load Balancing Clusters. |
| Excluded Devices | | | |
| Advanced Inspection and Prevention Security Services Modules (AIP-SSMs) | | 0 | However, additional virtual sensors (added after the first sensor) consume 1 license each. |
| IDS Network Modules | | 0 | However, additional virtual sensors (added after the first sensor) consume 1 license each. |
| IPS Advanced Integration Modules (IPS AIMs) | | 0 | |
| Any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device | | 0 | |

Example for any Standalone Firewall Blade in Multi-context Mode

This subsection gives an example of context that will be useful in understanding device count.

The following command was run in system context on a firewall with two security contexts—admin and ctx1:

r41-appinfra-arsenal# sh context
Context Name Class Interfaces Mode URL
*admin default GigabitEthernet3/2, Routed disk0:/admin.cfg
Management0/0
ctx1 default Routed disk0:/ctx1.cfg
 
Total active Security Contexts: 2
r41-appinfra-arsenal# sh context count
 
Total active Security Contexts: 2

Example for Licenses Related to ASA Load Balancing Clusters

This subsection gives an example of the device count for an ASA load balancing cluster in multi-context mode.

3 Nodes with 4 security contexts each: License Count = 3 * 5 = 15.
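
The counting rules of Table 2-4 and the base license sizes of Table 2-1 can be combined into a small sizing script. This is an added example, not Cisco code: the function names and inventory dictionary keys are hypothetical, the sample inventory is constructed, and the cluster context count is taken as the security contexts plus one for the system and admin context, as in the worked example above.

```python
# Added example: device count per Table 2-4, then the smallest base license
# from Table 2-1 that covers it. All names and dictionary keys are hypothetical.
BASE_LICENSES = [("ST5", 5), ("ST10", 10), ("ST25", 25),
                 ("PRO50", 50), ("PRO100", 100), ("PRO250", 250)]

def device_count(entry):
    """Return the device count consumed by one inventory entry."""
    kind = entry["kind"]
    if not entry.get("managed", True):
        return 0                                  # unmanaged devices consume nothing
    if kind == "firewall":                        # standalone, blade, or failover
        # 'contexts' is the context count other than the system context
        return entry["contexts"] if entry.get("multi_context") else 1
    if kind == "ips":
        return entry["virtual_sensors"]           # includes vs0
    if kind == "asa_cluster":
        if not entry.get("multi_context"):
            return entry["nodes"]
        # system and admin context together represent 1 context
        return entry["nodes"] * (entry["security_contexts"] + 1)
    if kind == "excluded_module":                 # AIP-SSM, IDS network module, ...
        # the module is free; sensors added after the first one are counted
        return max(entry.get("virtual_sensors", 1) - 1, 0)
    raise ValueError(f"unknown kind: {kind}")

def pick_base_license(inventory, needs_professional=False):
    """Return (total count, base license, devices left for add-on licenses)."""
    total = sum(device_count(e) for e in inventory)
    for name, limit in BASE_LICENSES:
        if needs_professional and not name.startswith("PRO"):
            continue                              # e.g. Catalyst 6500/7600 or FWSM
        if total <= limit:
            return total, name, 0
    return total, "PRO250", total - 250           # remainder needs add-on licenses

# Constructed sample inventory
SAMPLE_INVENTORY = [
    {"kind": "firewall"},                                         # 1
    {"kind": "firewall", "multi_context": True, "contexts": 2},   # admin + ctx1
    {"kind": "ips", "virtual_sensors": 2},                        # vs0 + one more
    {"kind": "asa_cluster", "multi_context": True,
     "nodes": 3, "security_contexts": 4},                         # 3 * 5
    {"kind": "firewall", "managed": False},                       # unmanaged
    {"kind": "excluded_module", "virtual_sensors": 1},            # AIP-SSM
]

if __name__ == "__main__":
    print(pick_base_license(SAMPLE_INVENTORY))
```

Only Professional base licenses accept incremental licenses, so the third value is meaningful only when the returned license is PRO250.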

Determining Which License You Need

The license that you need depends upon whether you are performing a new installation or upgrading from one of several previous versions:

New Installation of Security Manager 4.19

A new installation of Cisco Security Manager 4.19 requires the purchase of the appropriate Cisco Security Manager license.

Upgrade from Security Manager 4.x

  • If you have a valid SAS contract, you can upgrade to the latest version of Cisco Security Manager at no additional cost. The current license will be recognized and retained by the Security Manager installation program, so you are not required to apply for a license during the upgrade.
  • Users without SAS contracts must either purchase a SAS contract or purchase a valid Security Manager 4.19 license.

Note: With a SAS contract, users can upgrade to the latest version for free.


90-day Evaluation License

If you provide no license during installation, the resulting installation will be an evaluation version. You can also select Evaluation Only during installation. Refer to Installing Security Manager Server, Common Services, and AUS.

The evaluation license is limited to 50 devices.

The evaluation license provides the same privileges as the Professional Edition licenses, except that you cannot apply incremental licenses to the evaluation version.

Choosing the Right License when you are a New 4.x Customer

A typical scenario for a new 4.x Cisco Security Manager customer and the licensing options are explained as follows:

1. [BASE] Selection of CSM Base Product Version

   a. Based on the number of devices you need to manage using Cisco Security Manager (after accounting for future growth prospects), obtain:

      • L-CSMST5-K9/L-CSMST10-K9/L-CSMST25-K9 for networks of 5, 10, 25 or fewer devices respectively.
      • L-CSMPR-50-K9/L-CSMPR-100-K9/L-CSMPR-250-K9 for larger networks. In addition, consider [INCREMENTAL] licenses.

   b. If you need to manage Catalyst 6500 or FWSM/IDSM switch blades, choose L-CSMPR-50-K9.

   c. If you obtained a standard license, but later needed to manage Catalyst switches or switch blades, or needed to manage more than 25 devices, obtain L-CSMSTPR-U-K9 to upgrade to the PRO version of the product.

   d. If you already purchased a PRO license, but later needed to manage more than 50 devices, obtain the incremental license of 4.x.

2. [INCREMENTAL] Incremental licenses allow you to manage more devices. Based on the size of the network you need to manage, obtain:

   a. L-CSMPR-LIC-50/L-CSMPR-LIC-100/L-CSMPR-LIC-250 to add management of 50, 100, or 250 additional devices respectively.

   b. For larger networks:

      • Purchase multiple units of [INCREMENTAL] licenses if you plan to install them on the same Cisco Security Manager server.
      • Purchase [BASE] licenses and/or [INCREMENTAL] licenses if you plan to install multiple Cisco Security Manager servers to obtain better performance.

3. [SUPPORT] In addition to the [BASE] and [INCREMENTAL] licenses, you will have to purchase equivalent SAS contracts. Having a SAS contract will enable you to upgrade to the latest version of Cisco Security Manager without any additional cost.

Choosing the Right License when you are an Existing 4.x Customer

A typical scenario for an existing 4.x Cisco Security Manager customer and the licensing options are explained as follows:

1. [BASE] To upgrade from CSM 4.x Standard to CSM 4.x PRO, purchase the L-CSMSTPR-U-K9 and then add incremental licenses as you grow.

2. [INCREMENTAL] Any existing incremental licenses you already own will also be applicable for the latest Cisco Security Manager version. You do not need to obtain new incremental licenses to manage the same number of devices. If you intend to enable event management for larger networks, you may need to consider deploying multiple Cisco Security Manager servers. This involves obtaining additional [BASE] product licenses.

3. [SUPPORT] CSM 4.x support contracts will continue to support CSM 4.19.

Installing a License for Security Manager or Component Applications

During the installation of Security Manager, you are asked for license information. Refer to Installing Security Manager Server, Common Services, and AUS.

During the installation of Common Services and AUS, you are not asked for license information. Common Services does not require a license file. Auto Update Server does not require a license file.

Updating a License for Security Manager or Component Applications

To learn how to update a license file for Security Manager or a component application, see Updating Security Manager.

Additional Documentation on Licensing

For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for the most recent major release of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.

Getting Help with Licensing

For licensing problems with Security Manager, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):