- Installation Guide for Cisco Security Manager 4.9
Licensing for Security Manager
With the information in this chapter, you can determine which license you need to install and use Cisco Security Manager 4.19. This chapter also has descriptions of the various licenses available, such as standard, professional, and evaluation.
Other than a few notes, this chapter does not discuss license installation. Refer to Chapter 5, “Installing and Upgrading Server Applications.”
This chapter discusses device count, with the purpose of helping you determine which Security Manager server license you need.
License Types
Cisco Security Manager has two base license types, Standard and Professional. The following license types are available:
- Base Licenses (Standard and Professional)
- Standard-to-Professional Upgrade License
- Incremental (“Add-on”) Licenses
- API License
Base Licenses (Standard and Professional)
Table 2-1 displays the list of the Standard and Professional base licenses available for Cisco Security Manager 4.19.
Table 2-2 provides a comparison of Professional base versions with Standard base versions.
To obtain a base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package:
- If you are a registered Cisco.com user, start at http://www.cisco.com/go/license.
- If you are not a registered Cisco.com user, start at http://tools.cisco.com/RPF/register/register.do.
You must register Security Manager as soon as you can within the first 90 days and for the number of devices that you need to ensure uninterrupted use of the product. Each time you start the application, you are reminded of how many days remain on your evaluation license and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you cannot log in until you upgrade your license.
After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.
Standard-to-Professional Upgrade License
When your needs outgrow the capabilities of the Standard license, for example when you need to manage Catalyst security blades or when the deployment grows beyond 25 devices, you need to upgrade to Cisco Security Manager Professional. You can purchase the Standard-to-Professional upgrade license. However, this upgrade license can be applied only if the base license is a Standard-25 (“ST25”) license. The orderable part ID (PID) for the Standard-to-Professional upgrade license is L-CSMSTPR-U-K9.
Incremental (“Add-on”) Licenses
If your base license is a Professional version (not a Standard version or the evaluation version), you can purchase incremental (“add-on”) licenses to increase the number of devices that you are allowed to manage. You can purchase as many incremental licenses as you wish.
Incremental (“add-on”) licenses for previous versions are valid for the current version. For example, if you have a Professional-50 license for Security Manager 4.19, you can use a 4.18 incremental device license.
Incremental licenses are available in increments of 50, 100, and 250 devices.
API License
Cisco Partners who want to use the API need an API license. They must have a base PRO license in order to purchase an API license. There are two kinds of API licenses:
- A developer license. This is a 90-day license that is to be used by developers to integrate their products with Security Manager.
- A production license. This license is required by the end customers who use certain third-party products.
Note: There is no API evaluation license. Both the developer license and the production license need to be ordered explicitly by Cisco Partners who want to use the API.
The orderable part ID (PID) for the Northbound API license is L-CSMPR-API.
Licensing and Deployment Scenarios
Active/Active
You are required to purchase two Cisco Security Manager licenses in an Active/Active setup.
Active and Standby
A Cisco Security Manager license allows the use of Cisco Security Manager on a single server. A standby Cisco Security Manager server, such as one used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time. This is true even when high availability (HA) configuration is being used.
Note: Users who use a standby server are responsible for manually restoring the database from their active server on a regular basis.
License Types and Applicability
The Cisco Security Manager 4.19 licenses and their applicability are shown in Table 2-3.
Upgrade from Cisco Security Manager Standard 25-Device Limit to Cisco Security Manager Professional
Licenses for Component Applications
Understanding Device Count for Purchasing License
Security Manager consumes one device count (of the number allowed by the license) when you add any of the following to the device inventory:
- Each physical device
- Each security context
- Each added Cisco Catalyst 6500 Series services module
- Each virtual sensor
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, IPS Advanced Integration Modules (IPS AIM), and any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device do not consume a device count; however, additional virtual sensors (added after the first sensor) do consume a device count.
In the case of a Firewall Services Module (FWSM) or ASA device, the module itself consumes a device count and then consumes an additional device count for each additional security context. For example, an FWSM with two security contexts would consume three device counts: one for the module, one for the admin context, and one for the second security context.
Unmanaged devices are a special case. In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager in the device properties. An unmanaged device does not consume a device count.
Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object command to add different types of objects on the map such as network clouds, firewalls, hosts, networks, and routers. These objects do not appear in the device inventory and do not consume a device count.
To determine your device count, which you need in order to determine which Security Manager server license to obtain, refer to Table 2-4.
Tip: For the purpose of determining which Security Manager server license you need, devices are counted for Security Manager 4.19 in the same way that they were for Security Manager 4.18.
|
|
|
|
---|---|---|---|
c, where c is the context count other than the system context |
|||
c, where c is the context count other than the system context |
Refer to “Example for any Standalone Firewall Blade in Multi-context Mode” below this table. |
||
c, where c is the context count other than the system context |
|||
n, where n is the virtual sensor count and includes virtual sensor vs0 |
Additional virtual sensors (added after the first sensor) consume 1 license each. |
||
n, where n is the virtual sensor count and includes virtual sensor vs0 |
IPS modules, IPS blades, and IPS virtual machines are discovered independently in Security Manager. IPS virtual machines are used in Cisco ASA-5500 Series Adaptive Security Appliances, which are 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X. |
||
IPS Modules or Virtual Machines that are part of an ASA Failover Configuration |
|||
n, where n is the virtual sensor count and includes virtual sensor vs0 |
Additional virtual sensors (added after the first sensor) consume 1 license each. |
||
N, where N is the number of nodes in the single-context ASA cluster |
|||
N |
System & Admin context represents 1 context. See also Example for Licenses Related to ASA Load Balancing Clusters. |
||
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs) |
However, additional virtual sensors (added after the first sensor) consume 1 license each. |
Additional virtual sensors (added after the first sensor) consume 1 license each. |
|
However, additional virtual sensors (added after the first sensor) consume 1 license each. |
Additional virtual sensors (added after the first sensor) consume 1 license each. |
||
Any other modules supported for devices other than the AIP-SSC 5 and the Catalyst 6500 or 7600 installed in the host device |
Example for any Standalone Firewall Blade in Multi-context Mode
This subsection gives an example of context that will be useful in understanding device count.
The following command was run in system context on a firewall with two security contexts—admin and ctx1:
Example for Licenses Related to ASA Load Balancing Clusters
This subsection gives an example of the device count for an ASA load balancing cluster in multi-context mode.
Determining Which License You Need
The license that you need depends upon whether you are performing a new installation or upgrading from one of several previous versions:
New Installation of Security Manager 4.19
A new installation of Cisco Security Manager 4.19 requires the purchase of the appropriate Cisco Security Manager license.
Upgrade from Security Manager 4.x
- If you have a valid SAS contract, you can upgrade to the latest version of Cisco Security Manager at no additional cost. The current license is recognized and retained by the Security Manager installation program, so you are not required to apply for a license during the upgrade.
- Users without SAS contracts must either purchase a SAS contract or purchase a valid Security Manager 4.19 license.
Note: With a SAS contract, users can upgrade to the latest version for free.
90-day Evaluation License
If you provide no license during installation, the resulting installation will be an evaluation version. You can also select Evaluation Only during installation. Refer to Installing Security Manager Server, Common Services, and AUS.
The evaluation license is limited to 50 devices.
The evaluation license provides the same privileges as the Professional Edition licenses, except that you cannot apply incremental licenses to the evaluation version.
Choosing the Right License when you are a New 4.x Customer
A typical scenario for a new 4.x Cisco Security Manager customer and the licensing options are explained as follows:
1. [BASE] Selection of CSM Base Product Version
a. Based on the number of devices you need to manage using Cisco Security Manager (after accounting for future growth prospects), obtain:
- L-CSMST5-K9/L-CSMST10-K9/L-CSMST25-K9 for networks of 5, 10, or 25 or fewer devices, respectively.
- L-CSMPR-50-K9/L-CSMPR-100-K9/L-CSMPR-250-K9 for larger networks. In addition, consider [INCREMENTAL] licenses.
b. If you need to manage Catalyst 6500 or FWSM/IDSM switch blades, choose L-CSMPR-50-K9.
c. If you obtained a standard license, but later needed to manage Catalyst switches or switch blades, or needed to manage more than 25 devices, obtain L-CSMSTPR-U-K9 to upgrade to the PRO version of the product.
d. If you already purchased a PRO license, but later needed to manage more than 50 devices, obtain the incremental license of 4.x.
2. [INCREMENTAL] Incremental licenses allow you to manage more devices. Based on the size of the network you need to manage, obtain:
a. L-CSMPR-LIC-50/L-CSMPR-LIC-100/L-CSMPR-LIC-250 to add management of 50, 100, or 250 additional devices respectively.
- Purchase multiple units of [INCREMENTAL] licenses if you plan to install them on the same Cisco Security Manager server.
- Purchase [BASE] licenses and/or [INCREMENTAL] licenses if you plan to install multiple Cisco Security Manager servers to obtain better performance.
3. [SUPPORT] In addition to the [BASE] and [INCREMENTAL] licenses, you will have to purchase equivalent SAS contracts. Having a SAS contract enables you to upgrade to the latest version of Cisco Security Manager without any additional cost.
Choosing the Right License when you are an Existing 4.x Customer
A typical scenario for an existing 4.x Cisco Security Manager customer and the licensing options are explained as follows:
1. [BASE] To upgrade from CSM 4.x Standard to CSM 4.x PRO, purchase the L-CSMSTPR-U-K9 license and then add incremental licenses as you grow.
2. [INCREMENTAL] Any existing incremental licenses you already own also apply to the latest Cisco Security Manager version. You do not need to obtain new incremental licenses to manage the same number of devices. If you intend to enable event management for larger networks, you may need to consider deploying multiple Cisco Security Manager servers. This involves obtaining additional [BASE] product licenses.
3. [SUPPORT] CSM 4.x support contracts will continue to support CSM 4.19.
Installing a License for Security Manager or Component Applications
During the installation of Security Manager, you are asked for license information. Refer to Installing Security Manager Server, Common Services, and AUS.
During the installation of Common Services and AUS, you are not asked for license information. Common Services does not require a license file. Auto Update Server does not require a license file.
Updating a License for Security Manager or Component Applications
To learn how to update a license file for Security Manager or a component application, see Updating Security Manager.
Additional Documentation on Licensing
For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for the most recent major release of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.
Getting Help with Licensing
For licensing problems with Security Manager, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):
- Phone: +1 (800) 553-2447
- Email: licensing@cisco.com
- http://www.cisco.com/tac