Cisco Network Security Ordering Guide

Available Languages

Download Options

  • PDF
    (11.9 MB)
    View with Adobe Reader on a variety of devices
Updated:October 15, 2024

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (11.9 MB)
    View with Adobe Reader on a variety of devices
Updated:October 15, 2024
 

 

Introduction

Purpose

This document describes ordering Cisco physical, virtual, and containerized network security solutions, including:

      Cisco Secure Firewall Threat Defense (FTD).

      Cisco Secure Firewall Adaptive Security Appliance (ASA).

      Cisco Firepower 1000 Series, 1200 Series, 3100 Series, 4100 Series, 4200 Series and 9300 Series Appliances (which can run either FTD or ASA software).

In addition, this guide details the process of enabling extended logging and analytics for both FTD and ASA platforms as well as Cisco ISE Passive Identity Connector (ISE-PIC) for identity integration into FTD.

This guide will help you make sure that the right quantities and types of parts are selected to reduce the risk of order rejection.

Audience

This guide is intended for Cisco sales, partners, and distributors.

Scope

This document covers orderability for the following products, associated licenses and options:

Cisco Secure Firewall (Both Firewall Threat Defense and ASA software).

      Hardware appliances (Cisco Firepower or Cisco Secure Firewall appliances).

      Virtualized and containerized appliances (FTDv, ASAv).

Firewall management solutions

      Cisco Secure Firewall Management Center (formerly Firepower Management Center): provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. Quickly and easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks. Firewall Management Center is available in all form factors – physical appliance, virtual appliance, public cloud and cloud-delivered (software as a service model).

      Cisco Defense Orchestrator helps you establish and maintain a security posture by managing security policies across Cisco security devices. Cisco Defense Orchestrator also incorporates the cloud-delivered version of Secure Firewall Management Center. As a cloud service, it is an always-available, highly reliable, highly scalable, multitenant platform.

Cisco Defense Orchestrator provides management of security policy, objects and configuration for Cisco Adaptive Security Appliance and Cisco Secure Firewall Threat Defense (formerly Next-Generation Firewalls, or NGFW). Also supported are the Meraki MX Firewalls and AWS Security Groups for pure policy and object management. Configuration management for these platforms is still available through their native user interface.

Note:      For the Cisco Defense Orchestrator Ordering Guide, please click here.

      Cisco Security Manager software is an on-premise centralized management platform for Cisco Adaptive Security Appliances (ASA), enabling consistent policy enforcement, troubleshooting, and summarized reports.

Optional Software

      Cisco Secure DDoS Protection (formerly Radware Virtual DefensePro DDoS Mitigation).

      Cisco Secure Client (formerly Cisco AnyConnect Secure Mobility Client).

Support

      Cisco Smart Net Total Care appliance support services.

      Cisco Software Application Support plus Upgrades (SASU).

Note:      Any order for a service will be subject to the detailed terms and conditions presented in this guide.

Selecting the Appropriate Management Solution

Several management solutions are available to manage Cisco Secure Firewalls. Use these guidelines to choose the best ask a Cisco expert for advice.

Choosing the right management solution is tied to a few factors:

      The software image you select, either Firewall Threat Defense (FTD) or ASA software image.

      Willingness to use a cloud-based solution for management.

      Need for specific features or environment scale.

Local managers are included with both software options for single firewall deployments:

      ASDM is included with the ASA software image.

      Firewall Device Manager (FDM) is included with the Firewall Threat Defense software Image for all supported appliance models (Cisco Firepower 1000 Series, 4100 Series and 9300 Series).

The Cisco Secure Firewall Threat Defense software image enables centralized management with either an on-premise, virtual or cloud based manager - Cisco Secure Firewall Management Center.

Cisco Defense Orchestrator unites management across Cisco solutions and incorporates the cloud-delivered version of Secure Firewall Management Center. This makes Cisco Defense Orchestrator the best option for customers who want to use a cloud based solution for the management of ASAs, FTDs or a mix of ASAs and FTDs from a single pane of glass.

Devices running the ASA software can be managed centrally with the Cisco Security Manager (on-premise) or Cisco Defense Orchestrator (Cloud).

If a customer wants to manage multiple ASA with FirePOWER Services devices centrally, then two managers are required: Firewall Management Center for threat functions and Cisco Security Manager for firewall functions.

The following table can help guide you in which manager to select with your firewall order.

Manager selection matrix

Manager selection matrix

Licensing

Smart Licensing is Cisco’s licensing system. It enables customers to easily move licenses themselves between similar systems in their organization, overcoming limitations associated with previous device-locked Product Authorization Key (PAK)-based licenses. Become familiar with the new Smart Software Licensing portion of the ordering process.

End customers must create a Smart Licensing account on Cisco’s Smart Software Manager portal before ordering the Cisco Secure Firewall Threat Defense software on select ASA appliances. Alternatively, Cisco or a partner can help create the Smart Licensing account on behalf of the end customer. The Smart Software Manager portal is available for customers to manage the efficient use of purchased smart licenses. When the order is placed, all ordered licenses are added to the customer’s Smart Licensing account.

Table 1.        Product licensing by product type

Product

Licensing

Cisco ASA Virtual appliances

Cisco Smart Licensing

Cisco Secure Firewall Threat Defense Virtual appliances

Cisco Smart Licensing

Cisco Secure DDOS Protection (Radware vDefensePro) on Cisco Firepower 9300 and 4100 Series appliances

Supplied by Radware

Cisco Secure Firewall Management Center

None required

Cisco Secure Firewall Management Center Virtual Appliance

Cisco Smart Licensing

Cisco Security Manager

Cisco PAK Licensing

Cisco Security Analytics and Logging

Either Cisco Smart Licensing or Classic License

Cisco ISE Passive Identity Connector (ISE-PIC)

Either Cisco Smart Licensing or Classic License

With the Cisco Smart License Manager, the customer can connect devices to the Smart Software Manager portal, so purchased licenses can be consumed as needed. These licenses can be relinquished back to the portal when a device is powered down or a user is finished using the license. With Smart Software Licensing, customers can easily check in and check out licenses to use on different platforms. Licenses are no longer locked to a specific platform.

A Smart Account can be created from Cisco Software Central. For more information on setting up a Smart Account, please refer to this Smart Licensing Deployment Guide.

Table 2.        Additional Smart Licensing training, resources and support are available here

Location

Description

https://www.cisco.com/c/en/us/buy/licensing.html

Cisco Software Licensing and Smart Accounts

Software Operation Exchange Page

Live Training Schedule

Orderable Smart Licensing SKU List

Additional Software training and informational resources

ASA and Firewall Threat Defense License Terminology

This guide consistently uses the license terminology used in the Cisco Commerce tool. As of ASA 9.19.1 and FTD 7.3, new licensing terminology appears in the user interfaces of the management platforms. The differences are only in naming and are not different licenses per se.

Table 3.        License terminology differences between Cisco Commerce and the user interfaces of the management platforms

License Name Used in the Cisco Commerce tool

License Name Seen in User Interface

Base

Essentials

 

Threat

IPS

 

Malware

Malware Defense

 

URL License

URL

Cisco Secure DDoS Protection (Radware vDefensePro) Licensing

Licensing of the vDP and Vision will be administered directly by Radware. Once the order is shipped, Radware will send an email to the customer with their serial numbers. Please note the address of the person on the customer order who will receive the email. These serial numbers will be needed along with the MAC address for either vDP and/or Vision after installation. If the email with the serial numbers cannot be found, please open a TAC case to get them reissued. For detailed licensing instructions, please refer to Radware License Generator.

High Availability Pair Licensing

Cisco requires two (2) subscriptions for a High Availability (HA) pair of appliances running Firewall Threat Defense software image, which is configured for active-passive operation. The models available with this optional configuration include:

      Cisco Firepower 1000 Series

      Cisco Secure Firewall 3100 Series

      Cisco Firepower 4100 Series

      Cisco Secure Firewall 4200 Series

      Cisco Firepower 9300 Series

      Cisco Secure Firewall Threat Defense Virtual appliances (except Public Cloud)

      Cisco ASA Virtual appliances (except Public Cloud)

We now offer specially configured bundle SKUs that enable the purchase of a high availability pair of physical appliances and software subscriptions that includes 50% discounted pricing for the second software subscription in the two-appliance bundle.

The bundle consists of:

      Two (2) identically configured hardware appliances

      Two (2) identical software subscriptions

A 50% discount will be automatically applied to the second software subscription in the bundle. See the specific model section in this document for the appropriate bundle PID.

Renewing HA Bundle Software Subscriptions

The 50% pricing discount also applies to HA bundles at time of renewal.

Cisco Secure Client Licensing

Cisco Secure Client (formerly AnyConnect Plus, Apex, and VPN Only) licenses are required to use the Remote Access VPN (RA VPN) functions on all firewalls (physical and virtual) running the Secure Firewall ASA or Secure Firewall Threat Defense code base.

For information on purchasing Cisco Secure Client licenses and sharing the licenses with your Smart Account, please see the Cisco Secure Client Ordering Guide.

Instructions can also be found in the Cisco Secure Client License FAQ.

Service and Support Offerings

Software Application Support Plus Upgrades (SASU)

Cisco Secure Firewall Threat Defense software, ASA with FirePOWER Services, ASA firewall, and Cisco Secure Firewall Management Center security licenses include software subscription support. SASU is essential to keeping your business-critical applications available, highly secure, and operating at optimal performance. For the term of your software subscription licenses, you will receive timely, uninterrupted access to the latest software updates and major upgrade releases, which may contain significant architectural changes and new features and functions. With software subscription support, you will have the latest software working to protect your business. You will also have access to a wide range of online tools and communities that can help you solve problems quickly, maintain business continuity, improve your competitiveness, and make the most of limited resources through increased productivity.

This support entitles customers to the services listed here for the full term of the purchased software subscription:

      Software updates and major upgrades, to keep applications performing optimally with the most current feature set.

      Access to the Cisco Technical Assistance Center (TAC), which provides fast, specialized support.

      Online tool building, to expand in-house expertise and boost business agility.

      Collaborative learning, to provide additional knowledge and training opportunities.

No additional products or fees are required to receive these services with a software subscription.

Cisco SASU includes:

      Registered access to Cisco.com.

      24-hour access to the Cisco TAC and Cisco software specialists.

      Maintenance and minor software release updates.

      Major software upgrade releases.

Please refer to the following link for more detailed information regarding Cisco SASU:
https://www.cisco.com/en/US/services/ps2827/ps2993/services_at_a_glance_sas_sasu.pdf.

Cisco Smart Net Total Care Service

Customers require a Cisco Smart Net Total Care support contract with each appliance to download application signature updates. The Smart Net Total Care Service gives customers access to an abundance of Cisco support tools and expertise, providing them with greater network availability and performance while reducing operating costs. Technical service is required to be attached at the point of the product sale so that customers get the necessary support and entitlement and the best possible return on investment. When ordering Threat Defense software on select ASA hardware, ASA with FirePOWER Services, the Management Center, or Cisco SSL hardware in Cisco Commerce, the appropriate Smart Net Total Care service items are automatically added to your quote.

The Cisco Smart Net Total Care Service provides:

      Global 24-hour access to the Cisco TAC.

      Access to the online knowledge base, communities, and tools.

      Current hardware replacement option: next business day, where available.

      Operating system software updates.

      Smart, proactive diagnostics and real-time alerts on devices enabled with Cisco Smart Call Home.

Please refer to the following link for more detailed information regarding Cisco Smart Net Total Care Service:
https://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_group_home.html.

Cisco Advanced Services

The Cisco Global Security Solutions team provides comprehensive assessment, design, deployment, and migration assistance through the Cisco Advanced Services Transaction (AS-T) model, which involves the use of a Statement of Work (SOW). These Cisco AS-T offers are custom scoped and priced, and partners need to engage a Cisco Services account manager to purchase them.

Cisco Security Plan and Build Services help customers develop and deploy a comprehensive security strategy they can rely on to deliver the industry's most comprehensive advanced threat protection solution. This service incorporates a best-practice review, deployment, and mini-tune-up to help ensure that the system is alerting properly.

Cisco Security Migration Services help customers move from existing Cisco Source fire or competitive environments. Cisco performs an analysis of the current environment, develops a migration plan, tests the plan in a lab, and performs the migration in the production environment.

To order the customized Cisco Security Plan and Build Services and Migration Services, use the Cisco AS-T part numbers in the table below.

Table 4.        Cisco AS-T ordering information

Part numbers

Description

Price (US$)

AS-SEC-CNSLT (-A, -L)

Cisco Security Plan and Build Services

Custom priced

AS-SEC-CNSLT (-A, -L)

Cisco Security Migration Services

Custom priced

Cisco Technical Services

Cisco Technical Services for Cisco products can be quoted and ordered in Cisco tools, including the Cisco Service Contract Center (SCC) and Cisco Commerce (CCW). Tool use varies depending on the service offer and partner type and whether the service is attached at the time of product purchase.

Partner Supported Services (PSS)

Customers who choose to purchase Partner Supported Services (PSS) from an authorized Cisco partner are also entitled to download application signature updates.
For more details, visit
https://www.cisco.com/go/partnerservices and the Partner Support Service Global Ordering Guide for Cisco 1-Tier Partners.

Cisco Talos Incident Response

Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare, respond and recover from a cyber security breach. CTIR enables 24 hour emergency response capabilities and direct access to Cisco Talos, the world's largest threat intelligence and research group.

You can order and transact CTIR while ordering specific Cisco Firepower 4K and 9K Series master bundles. This will provide you yet another option to create a stronger security posture and stay protected in case of a security breach. The CTIR PID will be auto-attached based on product order size. The auto-attached SKU can be removed and is not mandatory.

Table 5.        CTIR option available in Cisco Firepower master bundles

CTIR PID
(Orderable PID)

CTIR SKU
(Do not order without CTIR PID)

Description

CTIR-NGFW-S=

CON-CTIR-NGFW

Cisco Talos Incident Response Retainer-Small, Attach with NGFW

To learn more on CTIR, click here.

SKUs and ordering guidance for Cisco Secure Firewall 1000, 3100, 4100, 4200 and 9300 Series

Introduction

Scope: This section describes the pricing and ordering for the following products:

      Cisco Firepower 1000 Series

      Cisco Secure Firewall 3100 Series

      Cisco Firepower 4100 Series

      Cisco Secure Firewall 4200 series

      Cisco Firepower 9300 Series

About the Cisco Firepower 1000, 3100, 4100,4200 and 9300 Series

The Cisco Firepower 1000, 3100, 4100, 4200 and 9300 Series, when deployed as Layer 3, 4, and 7 firewall sensors, use the Cisco Secure Firewall Threat Defense software image. The Cisco Secure Firewall Management Center provides unified management for firewall and dedicated IPS. The on-device Firewall Device Manager is also available with Secure Firewall Threat Defense software. Alternatively, the Cisco Secure Firewall with Adaptive Security Appliance (ASA) software image is also supported on the Cisco Firepower and Secure Firewall platforms. When running the ASA software image, the ADSM on-device manager is available. Cisco Firepower 4100 and 9300 series appliances are also available with the Cisco Secure DDoS Protection. Alternatively, all Secure Firewalls are available with cloud-based Cisco Secure DDoS Protection.

Cisco Firepower 1000 Series Appliances

The Cisco Firepower 1000 Series comprises three threat-focused security appliances. The 1000 Series addresses SMB, Branch/Distributed Enterprise and Internet Edge deployments. The 1000 Series hardware delivers superior threat defense, at fast spends, with a smaller footprint than their predecessors, the ASA-5506-X, ASA-5508-X and ASA-5516-X. The 1000 Series is now available in ASA and FTD software images.

Chassis Overview: Cisco Firepower 1010

Front view

Integrated 8x10/100/1000 RJ45 ports

Integrated 4x1G SFP ports

Console (Cisco RJ45 serial or mini-USB)

1x USB 2.0 Host and 1x USB console

1 RJ45 10/100/1000Base-T Management Port

  Management Console and Ethernet
  Singular AC PSU

Chassis Overview: Cisco Firepower 1010

Rear view

1 power supply module bay

Chassis Overview: Cisco Firepower 1010

Chassis Overview: Cisco Firepower 1120 and 1140

Front view

1. Fixed ports

  Integrated 8x10/100/1000 RJ45 ports
  Integrated 4x1G SFP ports
  Console (Cisco RJ45 serial or mini-USB)
  1x USB 2.0 Host and 1x USB console
  1 RJ45 10/100/1000Base-T Management Port
  Management Console and Ethernet

2. Modular options (FRU)

Chassis Overview: Cisco Firepower 1010

Rear view

1 power supply module bay

Chassis Overview: Cisco Firepower 1010

Chassis Overview: Cisco Firepower 1150

Front view

1. Fixed ports

  Integrated 8x10/100/1000 RJ45 ports
  Integrated 2x1G SFP ports and 2x10G SPF+ ports
  Console (Cisco RJ45 serial or mini-USB)
  1x USB 2.0 Host and 1x USB console
  1 RJ45 10/100/1000Base-T Management Port
  Management Console and Ethernet

2. Modular options (FRU)

Chassis Overview: Cisco Firepower 1010

Rear view

1 power supply module bay

Related image, diagram or screenshot

Cisco Secure Firewall 3100 Series Appliances

The Cisco Secure Firewall 3100 Series comprises four threat-focused security appliances. The 3100 Series addresses emerging hybrid mid-market and high-end use cases from the Internet edge to the data center, providing superior performance at a highly competitive price point and bringing several high-end capabilities to the mid-market.

Chassis Overview: Cisco Secure Firewall 3100 Series

Front view

1. Fixed ports

  8x 10/100/1000 Base-T RJ45 Copper Ports
  8x 1/10G (SFP+) Ports
  1x Netmod Bay with 1/10/25/40/100G Interface options
  Secondary bay for optional RAID1 support
  Management Console and Ethernet
  Singular AC PSU
  Optional DC

Chassis Overview: Cisco Firepower 1010

Rear view

1.     1 power supply module bay

2.     2 Fans

Chassis Overview: Cisco Firepower 1010

Cisco Firepower 4100 Series Appliances

The Cisco Firepower 4100 Series comprises four threat-focused security appliances. The 4100 Series addresses use cases from the Internet edge to the data center. The 4100 Series hardware delivers superior threat defense, at faster speeds, with a smaller footprint. Also, the Cisco Firepower 4100 Series enables an upgrade path, on the customer’s timeline, to the Cisco Secure Firewall Threat Defense software, even if the customer chooses the ASA image in the immediate term.

Chassis Overview: Cisco Firepower 4100 Series

Front view

1. 8 SFP+ ports (require SFP optics module selection)

  2 Network Module bays
  Optional Network Modules with optional optics modules

2. SSD bays (one occupied by default, second bay for future expansion)

Chassis Overview: Cisco Firepower 4100 Series

Rear view

1. 2 power supply module bays

  4112, and 4115: single AC default, dual AC or DC optional
  4125 and 4145: dual AC default, DC optional

2. 6 hot-swappable fans (default configuration, no options)

Chassis Overview: Cisco Firepower 4100 Series

Cisco Secure Firewall 4200 Series Appliances

The Cisco Secure Firewall 4200 Series is a high-end firewall designed to meet the security requirements of large enterprises, datacenters, and service providers. It is available in three different performance models, offering superior threat defense within a compact 1 RU form factor. Key features and benefits of the appliance include:

      Cryptographic acceleration architecture preserves performance with SSL and VPN decryption.

      Save space and energy with 1RU form factor.

      Future-proof your investment with 16x node cluster.

      Flexibility of 2x interface module bays for additional interface support.

      Customize and future proof investment up to 400G interfaces.

      2x SSD for event storage and malware analysis.

      Uptime/resilience with dual management interfaces.

      Fail-to-wire network modules, further enhancing its reliability and fault tolerance.

These platforms can be deployed in both firewall and dedicated IPS modes, providing versatile deployment options. For inline sets and passive interfaces, the 4200 Series supports Q-in-Q (stacked VLAN) with the ability to handle up to two 802.1Q headers in a packet.

Chassis Overview: Cisco Secure Firewall 4200 Series

Front view

1.     8 SFP28 ports (require transceiver selection)

2.     Qty 2 Network Module bays

  Optional Network Modules
3.      Qty 2 SSD bays (Both occupied by default)

Chassis Overview: Cisco Secure Firewall 4200 Series

Rear view

1. 2 power supply module bays

  4215: single AC default, dual AC optional
  4225 and 4245: dual AC default

2. 3 hot-swappable fan trays (default configuration, no options)

Chassis Overview: Cisco Secure Firewall 4200 Series

Cisco Firepower 9300 Series Appliances

The Cisco Firepower 9300 is a modular, scalable, carrier-grade appliance, available in Network Equipment Building System (NEBS) configurations, designed for service providers, data centers, campuses, supercomputing centers, high-frequency trading environments, and other environments requiring both low latency and the greatest throughput. In the service provider context, it is specifically designed for carriers, content providers, and cloud service providers to protect the Cisco Evolved Programmable Network, Cisco Evolved Services platform, and Cisco Application Centric Infrastructure architectures.
(For more information, please see
Cisco service provider security solutions.)

Tightly integrating threat-centric security services from Cisco and its partners, the 9300 appliance lowers integration costs and supports the full realization of highly secure, open, and programmable networks. In addition to providing class-leading security services, it offers low (less than 5-microsecond) latency, throughput for single flows exceeding 30 Gbps, and class-leading performance and port density on a per-rack-unit basis.

Chassis Overview: Cisco Firepower 9300

Supervisor module (included): provides overall chassis management and network interaction

  Network interface allocation and security module connectivity (960-Gbps internal fabric)

2 x Network Module bays

  10, 40, and 100 Gigabit Ethernet network connectivity options

Chassis Overview: Cisco Firepower 9300

Security Modules: modular computing capability expands as your needs grow. Pictured are the three bays for Security Modules. A minimum of one must be ordered for standard operation.

With three SM-56 Security Modules, Cisco Firepower 9300 features up to 235 Gbps of stateful (ASA) firewalling performance, and 1.2 Tbps of clustered performance with 5 clustered Cisco Firepower 9300 chassis.

Also available: NEBS-compliant modules.

Pictured at right is the rear view of the Cisco Firepower 9300. Note that it is available with dual AC, DC, or HVDC power supplies. Also, the fan assemblies and power supplies are user replaceable.

Reminder: The Cisco Firepower 9300 is available with 10, 40, and 100 Gigabit Ethernet Network Modules.

Chassis Overview: Cisco Firepower 9300 2

 

Chassis Overview: Cisco Firepower 9300

Special Guidelines for Quoting the Cisco Firepower 9300

Cisco Firepower 9300 ordering is highly customizable, and options are offered separately. You’ll nevertheless find the ordering process straightforward.

The following table shows the four core components of a Cisco Firepower 9300 order.

Table 6.        Components of a Cisco Firepower 9300 order

Common hardware

Optional modules

Software licenses

Services and subscriptions

Base Cisco Firepower 9300 Security Appliances include:

  Chassis (1)
  Supervisor (1)
  Fans (4)
  Power supplies
(2 – AC, DC or HVDC)

Choice of Security Modules—up to three bays per chassis:

  SM-40, 48, 56

Choice of network modules — two bays per chassis:

  1/10/40/100Gbps options

Smart Licenses

ASA:

  ASA Standard
  Carrier
  Strong Encryption
  Security Contexts

Cisco Secure Firewall Threat Defense:

  Threat Base (includes Application Visibility and Control – AVC)
  Threat license and subscription terms (see next column)

Third-party software:

  Cisco Secure DDOS Protection (Radware Virtual DefensePro)

Smart Net Total Care Service

Cisco Secure Firewall Threat Defense Subscriptions

(1, 3, or 5 year terms)

  Threat (includes Security Intelligence, IPS)
  Malware defense
  URL

Common hardware is bundled. However, your customer may wish to order extra fans and power supplies with the initial order, as these are hot-swappable, user-replaceable items. Please note that every order will require at least one, and up to three, Security Modules. Network Modules are also ordered separately.

Regarding software licenses, keep in mind that the Cisco Firepower 9300 runs either the ASA software image or the Cisco Secure Firewall Threat Defense image. Also, please note that the Encryption license is export controlled. It is available for most markets, to customers in countries where U.S. export control permits the export of strong cryptography. For more information, visit export compliance details.

In the third-party software category, Cisco Secure DDOS Protection (Radware Virtual DefensePro DDoS-mitigation capability) has been tightly integrated into the Cisco Firepower 9300 and 4100 Series with ASA software, is orderable from and supported directly by Cisco.

ASA Licensing for Cisco Firepower Appliances

The 9300 appliance, 4100 Series, 3100 Series, 4200 Series, and 1000 Series are available with either the

Cisco Secure Firewall Threat Defense (FTD) image or the Cisco Adaptive Security Appliance (ASA) image. Cisco Firepower appliances with ASA are available through Smart Licenses. They include a Base license and up to three optional licenses (Encryption, Security Contexts, and Carrier).

Base License (Free)

L-F9K-ASA(=) (for the Cisco Firepower 9300), L-FPR4100-ASA(=) (for the Cisco Firepower 4100 Series models), L-FPR3100-ASA(=) (for the Cisco Secure Firewall 3100 Series models), or L-FPR1000-ASA(=) (for the Cisco Firepower 1000 Series models) and FPR42xx-BSE (for the Cisco Secure Firewall 4200 Series models): Licensing on the ASA is simplified for the Cisco Firepower appliances. More than 50 ASA feature licenses are condensed into a single license. This license also includes the following security contexts by default: 10 security contexts for Firepower 9300, 10 security contexts for Firepower 4100 Series, 10 security contexts for Secure Firewall 4200, 2 security contexts for Secure Firewall 3100 Series and 2 security contexts for Firepower 1000 Series.

Encryption License (Free)

L-F9K-ASA-ENCR-K9(=) (for the Cisco Firepower 9300), L-FPR4K-ENC-K9(=) (for Cisco Firepower 4100 Series models), L-FPR3K-ENC-K9(=) (for Cisco Secure Firewall 3100 Series models) or L-FPR1K-ENC-K9(=) (for Cisco Firepower 1000 Series models) and FPR4200-ENC-K9/ L-FPR4200-ENC-K9= (for Cisco Secure Firewall 4200 Series models): This license provides for strong encryption (K9) on the platform. The U.S. export of strong cryptography is not available to export-restricted regions. Cisco solutions and products with strong encryption may not be delivered to individuals or entities on the U.S. government's list of denied or restricted parties.

Please review the U.S. Bureau of Industry and Security's list of parties of concern at:
https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern.

Additional Security Contexts (Paid)

L-F9K-ASA-SC-10(=) (for the Cisco Firepower 9300), L-FPR4K-ASASC-10(=) (for the Cisco Firepower 4100 Series models), L-FPR3K-ASASC-10(=) (for the Cisco Secure Firewall 3100 Series models), FPR4200-ASASC-10/ L-FPR4200-ASASC10= (for the Cisco Secure Firewall 4200 Series models): This license adds 10 security contexts to an ASA instance on the 9300 appliance, 4100 appliance, 4200 appliance, 3100 appliance respectively.

Carrier License Option (Paid)

L-F9K-ASA-CAR(=) (for the Cisco Firepower 9300) or L-FP4K-ASA-CAR= (for Cisco Firepower 4100 Series models), FPR42K-ASA-CAR/L-FPR42-ASA-CAR= (for Cisco Secure Firewall 4200 Series models), or L-FPR3K-ASA-CAR= (for Cisco Secure Firewall 3100 Series models): This license covers carrier feature enablement that allows for inspection of Diameter, GTP/GPRS and SCTP protocols

Cisco Secure Firewall Threat Defense Licensing for Cisco Firepower Appliances

Figure 2 provided for general reference only, shows the typical order flow. Start with the primary bundle part numbers and the software image (ASA or Firewall Threat Defense), and then, in the case of the example, associated Cisco Secure Firewall Threat Defense–related licenses and subscriptions for functionality like Security Intelligence and IPS (“T”), Advanced Malware Protection (“M”), and URL Filtering (“C”). This example concludes with ordering the associated virtualized Cisco Secure Firewall Management Center. Note that Cisco Secure Firewall Threat Defense ships standard with the option to activate a 3-month trial license without activation of a Smart License account.

Typical order flow

Figure 2.            

Typical order flow

Ordering Steps for Cisco Firepower 9300, FTD-Based Cisco Firepower 9300

Start with one of the following FTD Bundle SKUs in CCW, example shown above is FPR9K-FTD-BUN.

Select Hardware Options and Quantity.

Chassis Type – AC, DC, or HVDC.

Chassis Options including Netmod, Sup, SFPs, power cables.

Security Module Quantity - up to 3 per chassis.

Select Subscriptions - T=, URL=, AMP=,TC=, TM=, TMC=.

Select Term – 1, 3 or 5 years.

Select Base Software License for each security module.

You can add additional features to the system. For example, starting with FTD release 7.3, you can add Carrier License to Firepower 3100 (FPR3K-FTD-CAR), Firepower 4100 (FPR4K-FTD-CAR), Firepower 9300 (FPR9K-FTD-CAR) and FTD virtual (FTDV-CAR) configurations. This license covers inspection of Diameter, GTP/GPRS and SCTP protocols.

Save and exit bundle configuration and select quantity of each bundle configured. Each bundle corresponds to a single-chassis configuration. After saving the configuration, you can change quantity for more than one chassis with the same configuration

Cisco ISE Passive Identity Connector (ISE-PIC)

Due to End-of-Life for the Cisco Firepower User Agent, FTD requires the use of either Cisco Identity Services Engine (ISE) or Cisco ISE Passive Identity Connector (ISE-PIC) in order to control policy based on Active Directory user. This section describes the procedure for ordering Cisco ISE Passive Identity Connector (ISE-PIC). For information on how to order of Cisco Identity Services Engine (ISE) please see the Cisco ISE Licensing Guide.

The Cisco Identity Services Engine (ISE) Passive Identity Connector centralizes, consolidates, and distributes identity information, including IP addresses, MAC addresses, and usernames. It centralizes the authentication information, becoming the single source of truth for its subscribers. Using the Cisco Platform Exchange Grid (pxGrid), the Cisco ISE Passive Identity Connector can support up to 20 subscribers. Further details on the capabilities of the Cisco ISE Passive Identity Connector (ISE-PIC) can be found on the
Cisco ISE Passive Identity Connector Data Sheet.

Table 7.        Cisco ISE-PIC ordering information

SKU

Description

Services and subscriptions

R-ISE-PIC-VM-K9=

ISE Passive Identity Connector 3,000 session Virtual Machine

CON-ECMU-RISEPIVM

L-ISE-PIC-UPG=

ISE Passive Identity Connector – Upgrade to maximum 300,000 sessions

CON-ECMU-LISEPUPG

Note:      You may be entitled to ISE-PIC at no cost if you have a qualifying FMC and valid support contract. For more information see End-of-Life and End-of-Support for the Cisco Firepower User Agent.

Cisco Security Analytics and Logging

This section describes the procedure to enable extended logging and analytics by ordering Cisco Security Analytics and Logging as part of your firewall purchase. The detail ordering process is described here.

The Security Analytics and Logging offer has two distinct delivery mechanisms:

      Security Analytics and Logging (SaaS): A cloud-delivered, Software-as-a-Service (SaaS) offering with a Cloud Data Store.

      Security Analytics and Logging (On prem): An on-premises appliance-based software application with an On-premises Data Store.

Discounted Bundling When Attaching with Firewall Subscriptions via CCW

a.     Begin by navigating to the firewall model to be ordered (FPR1150-NGFW-K9, for example).

b.     Make your software choice under the “Subscriptions” category at the top (wherever present) and navigate to the “Extended Logging and Analytics” category below.

c.     You are presented with two options to the right: “On-Premises Data Store” or “Cloud Data Store.” Only one option can be selected per firewall being ordered, with either the same or different subscription term as the firewall subscription.

d.     The “Cloud Data Store” option allows selection of either the Logging License, SEC-LOG-CL, or the “Logging Analytics License,” SEC-ANYL-CL. Only one option needs be chosen, as the Logging License is nested under Logging Analytics. Both Cloud licenses include access to a Cisco Defense Orchestrator tenant for log viewing only, which can be requisitioned using the link here:
https://www.ciscofeedback.vovici.com/se/6A5348A75C69D114.

e.     Choosing either of the two data store options will attach a default logging volume in GB/day for that firewall model, based on expected daily volume per the Logging Volume Estimator Tool. Logging rate comes with a default retention of 90 days rolling storage for Cloud Logging.

f.      The last three optional licenses are Data Retention extensions, which extend log retention to 1, 2, or 3 years in the cloud.

Discounted Bundling When Attaching with Firewall Subscriptions via CCW

g.     If SAL (Op) is desired, the “On-Premises Data Store” tab allows choosing the base Logging and Troubleshooting license, SEC-LOG-OP. This license supports remote query by FMC and is hosted on SNA appliance(s), as detailed in section 1.2.2.

Discounted Bundling When Attaching with Firewall Subscriptions via CCW

h.     The process for bundling extended logging and analytics for Firewall FPR9K series devices is different, as the Security Modules (SM) configured as part of order determines the Logging quantity required. The Logging quantities needed are 190, 225 and 257 GBs/day for each SM-40, SM-48 and SM-56 respectively, and this quantity needs to be entered manually for the extended logging and analytics licenses. The system will display a warning of the logging quantities required for each Security Module, as shown below:

Process for bundling extended

Expected Retention Period

The expected retention period for the SAL service under average deployment conditions (see note below table) is as follows:

Table 8.        Retention Matrix

Sustained Firewall Events per Second (eps)

Equivalent GB/day

On-premises

Cloud

 

Single node* 1TB Storage

Single node 2TB Storage

Single node 4TB Storage

Multinode** Virtual

Multinode HW

Single SEC

MultiSEC

Direct-to Cloud

 

 

Expected Retention period in days (under average deployment conditions)

 

5,000

562

50

100

200

300

600

Up to 3 years

NA

Up to 3 years

Up to 3 years

Not recommended when individual device’s logging rate exceeds 8,500 eps

10,000

1,123

25

50

100

150

300

20,000

2,246

12.5

25

50

75

150***

50,000

5,616

NA

NA

NA

30

60

75,000

8,424

NA

NA

NA

NA

40

100,000

11,232

NA

NA

NA

NA

30

200,000

22,464

NA

NA

NA

NA

NA

Note:      The on-premises log retention in days above are based on average deployment conditions, and may vary materially in different production environments.

* Single-node = Repurposed SMC 2210 (HW or Virtual)
** Multi-node = SMC 2210 + FC 4210 + DS 6200 (All appliances HW or Virtual)
*** Compare FMC native logs retention ½ day @ 20,000 peak eps

Cisco Secure DDoS Protection (formerly Radware Virtual DefensePro DDoS Mitigation Option)

Overview

Cisco Secure DDoS Protection is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco. It is available with the Cisco Firepower 9300 and select Cisco Firepower 4100 Series models running either the ASA or FTD software image. The following table details Firepower model and software image compatibility with Radware vDP.

Table 9.        Cisco Secure DDOS Protection (Radware vDP) on Cisco Firepower running either ASA or FTD software image

Firepower Series

ASA Compatibility

FTD Compatibility

9300 Series – All Security Modules

yes

yes

4100 Series – All Models

yes

yes

Performance

The performance figures in the tables below apply to all Cisco Firepower 9300 and 4100 Series model configurations running either the ASA or FTD software image.

Table 10.     Key DDoS performance metrics for Cisco Firepower 4100 Series

Parameter

Firepower 4100 Metric

Maximum mitigation capacity/throughput

10 Gbps

Maximum legitimate concurrent sessions

209,000 Connections Per Second (CPS)

Maximum DDoS flood attack prevention rate

1,800,000 Packets Per Second (PPS)

The performance figures in the following table are for Cisco Firepower 9300 with 1 to 3 Security Modules irrespective of Security Module type.

Table 11.     Key DDoS performance metrics for Cisco Firepower 9300 with 1, 2, or 3 Security Modules

Parameter

Firepower 9300 with 1 Security Module

Firepower 9300 with 2 Security Modules

Firepower 9300 with 3 Security Modules

Maximum mitigation capacity/throughput

10 Gbps

20 Gbps

30 Gbps

Maximum legitimate concurrent sessions

209,000 Connections Per Second (CPS)

418,000 Connections Per Second (CPS)

627,000 Connections Per Second (CPS)

Maximum DDoS flood attack prevention rate

1,800,000 Packets Per Second (PPS)

3,600,000 Packets Per Second (PPS)

5,400,000 Packets Per Second (PPS)

Capacity vs. Licensing

Performance/Capacity/Throughput is dependent on the number of cores assigned to the vDP virtual device:

      By default, Radware virtual DefensePro (vDP) installs using 6 cores (1 management, 5 software) across each of Cisco Firepower 9300’s Security Modules and 4100 Series platforms.

      At install, the number of cores assigned to vDP can be adjusted from 2 to 10 to optimize the throughput performance of Cisco Firepower appliance depending on the customer need.

      While using the default 6 cores, the performance numbers for vDP are constant across platforms. The table below represents the relative performance level expected from ASA and FTD by removing 6 cores from the total available cores on the respective platforms (i.e. 24 cores minus 6 equals 75% of the total performance still available).

Table 12.     Expected ASA or FTD image performance with 6 of the available cores assigned to vDP

Cisco Firepower Model

Total vCores

Expected ASA or FTD Performance with vDP Active

Firepower 9300 – SM-56

56

89.3%

Firepower 9300 – SM-48

48

87.5%

Firepower 9300 – SM-40

40

85.0%

Firepower 4145

44

93.2%

Firepower 4125

32

90.6%

Firepower 4115

24

75.0%

Firepower 4112

24

75.0%

Licensing is based on the amount of legitimate traffic, not the capacity of the VM to process information.

      Purchase vDP licenses based on the amount of the client’s peak legitimate traffic flow.

      This approach differs from other vendors that charge based on attack volume. Radware licenses are based on known legitimate traffic rather than an unknown attack volume.

Capacity vs. licensing

Figure 3.            

Capacity vs. licensing

Example 1: Client has a 10-Gbps WAN link with a daily peak traffic flow of 2-Gbps.

      Purchase a 2-Gbps license or higher if the traffic is expected to increase in the near future.

      vDP will be able to mitigate a DDoS attack up to the capacity of the WAN link’s 10-Gbps, after which a cloud scrubbing solution will have to take over at the ISP level.

    Radware can be set up to automatically notify a cloud scrubber to take over.

    Radware’s Emergency Response Team (ERT) can assist in configuring vDP for each customer as part of the standard Cisco ECMU support contract for vDP.

    Radware cloud availability on GPL is on the roadmap.

      Warning: Do not over-purchase or over-quote the client’s throughput needs. License is based on clean traffic only, not the capacity of the VM.

The vDP Software Licenses and Support SKUs

The following tables outline the product information and SKUs for ordering. Cisco is only OEMing the Virtual License for Radware Manager Vision. Customers may want additional Manager Options that are provided directly by Radware.

Table 13.     vDP spare SKUs: May be ordered separately

SKU

Description

Service ECMU SKU

L-FPR-RVDP-10G=

Radware Virtual Defense Pro 10-Gbps license for Firepower

CON-ECMU-LFPRRVG1

L-FPR-RVDP-5G=

Radware Virtual Defense Pro 5-Gbps license for Firepower

CON-ECMU-LFPR5RGV

L-FPR-RVDP-2G=

Radware Virtual Defense Pro 2-Gbps license for Firepower

CON-ECMU-LFPRRVG2

L-FPR-RVDP-1G=

Radware Virtual Defense Pro 1-Gbps license for Firepower

CON-ECMU-LFPRRVGP

L-FPR-RVDP-500M=

Radware Virtual Defense Pro 500-Mbps license for Firepower

CON-ECMU-LFPR5RVD

L-FPR-RVDP-200M=

Radware Virtual Defense Pro 200-Mbps license for Firepower

CON-ECMU-LFPR0RVD

L-RD-APV-VA-LIC==

APSolute Vision - VA - Yearly Subscription

None

L-RD-APV-RTU6-LIC

APSolute Vision RTU - 6/30 - Yearly Subscription

None

Table 14.     Regular SKUs: Orderable with the Cisco Firepower platform

SKU

Description

Service ECMU SKU

FPR-RVDP-10G

Radware Virtual Defense Pro 10-Gbps license for Firepower

CON-ECMU-LFPRRVG1

FPR-RVDP-5G

Radware Virtual Defense Pro 5-Gbps license for Firepower

CON-ECMU-LFPR5RGV

FPR-RVDP-2G

Radware Virtual Defense Pro 2-Gbps license for Firepower

CON-ECMU-LFPRRVG2

FPR-RVDP-1G

Radware Virtual Defense Pro 1-Gbps license for Firepower

CON-ECMU-LFPRRVGP

FPR-RVDP-500M

Radware Virtual Defense Pro 500-Mbps license for Firepower

CON-ECMU-LFPR5RVD

FPR-RVDP-200M

Radware Virtual Defense Pro 200-Mbps license for Firepower

CON-ECMU-LFPR0RVD

Notes:

      Radware vDP license are based on legitimate traffic. Please refer to this deck for more details: Cisco Secure DDoS Protection

      L-RDWR-APV-VA includes both APSolute Vision with Security Reporter – 10 vDP

      The CON Service SKUs should automatically be added to the cart with a 12-month term

      Cisco will provide Level 0/1 to determine if problem is Cisco Firepower or vDP. All vDP issues will be escalated to Radware.

      Radware vDP clustering is currently only supported in the Cisco Firepower 9300 intrachassis configuration. This is clustering of multiple security modules (SM-40, SM-48, SM-56) within the same Cisco Firepower 9300 chassis.

      For High Availability (HA), Active-Active and Active-Standby modes are supported.

      Radware Vision Manager is a Virtual License and needs to be installed on its own server, not the Cisco Firepower platform. For version 4.6, VMware ESXi 5.1, 5.5, 6.0, 6.5, 6.7, 6.7U2 or VMware Workstation 8 or 11 are supported. Please check Cisco Secure Firewall Radware DefensePro DDoS Release Notes for details.

Cisco Secure DDOS Protection (Radware vDP) Ordering Steps

Ordering SPARE SKUs for existing equipment:

Spare SKUs are provided (start with “L” and end in “=” sign) to allow you to order the vDP software license for existing equipment. These are the L-FPR-RVDP-10G=. 5G=, and 2G=, respectively.

      Go to the Cisco Commerce home page.

      Create a new estimate or edit an old one.

      In the “Search by SKU” box, paste in one of the SPARE SKUs. Or click on the “Find Products and Solutions” link to the right of the “Search by SKU” box.

      Typing in “Radware” in search box will return all active Radware SPARE SKUs.

Find products and solutions

Figure 4.            

Find products and solutions

      Once you find the SKU you need, then click the ‘+’ sign to add it to the cart.

      Next click on the “Edit Service/Subscription” link and set the term of the service contract.

Edit service/subscription

Figure 5.            

Edit service/subscription

A 12-month (1y) ECME contract is selected by default, but that can be increased up to 60 months (5y).

Note:      As of this writing, you have to visit the Edit Service/Subscription link and click done to accept the default 12-month service contract. Otherwise, the cart will produce an error.

If you do not already own Radware Vision Manager, please add to your order SKU: L-RDWR-APV-VA=. This is the Radware Manager Vision and Security Reporter with support for 10 vDP instances.

Secure Workload Ordering Steps in Firewall Bundle

Ordering SPARE SKUs for existing equipment

A Workload SKU is provided to allow you to order workload within a firewall bundle, securing a multi-product discount. The SKU is C1-TAAS-XX-SW-K9 and is available for Firepower 4100 and 9300 bundles.

      Go to the Cisco Commerce home page.

      Select the firewall bundle to be ordered, for example FPR4115-FTD-HA-BUN.

      Click “Select Options” for the bundle to open the configurator.

Ordering SPARE SKUs for existing equipment

      Open the “Secure Workload” section on the left-hand side and add the license C1-TAAS-XX-SW-K9 to the bundle.

      Finalize the bundle configuration and proceed with the purchase.

Cisco Secure Firewall Small Business Edition License Pack

Overview

To meet real-world needs of small businesses, Cisco Secure Firewall Small Business Edition is tailor-made to simplify security. Secure Firewall Small Business Edition licenses are available in 2 types and can ordered at the time of hardware purchase or as standalone license.

Table 15.     Small Business Edition – Included Feature Set

License Feature (Available in 3 Yr Term only)

SBE Lite

SBE Standard

Threat Protection, Malware and URL Filtering

Yes

Yes

Cisco Defense Orchestrator Device Management License

Yes*

Yes*

Cisco Secure Client - 50 Licenses (Secure Client Advantage for Mobile Devices and or Desktops)

Yes

Yes

Security Analytics and Logging (Logging and Troubleshooting)

No

Yes

Platforms available

Table 16.     Small Business Edition – Product Series Availability

Product Series

SBE Lite

SBE Standard

Firepower 1000 Series

Yes – Only on FPR1010

Yes – Only on FPR1010

All other platforms

Not Available

Not Available

* requires CDO-SEC-SUB-Cisco Defense Orchestrator XaaS Subscription

SKUs and Ordering

Table 17.     Small Business Edition – Part Numbers

Part Number

Description

FPR-SEC-TERM

Cisco Secure Firewall Term Licenses - For Distributors/Drop Ship Orders

FPR1010T-SBE

Cisco Secure Firewall FPR1010 Small Business Edition

FPR1010T-SBE-L

Cisco Secure Firewall FPR1010 Small Business Edition Lite without Logging

FPR1010T-SBE-3Y

Cisco FPR1010 Small Business Edition, 3Y Subs

FPR1010T-SBE-L-3Y

Cisco FPR1010 Small Business Edition Lite, 3Y Subs

Ordering Steps for Cisco Secure Small Business Edition

Ordering Steps for Cisco Secure Small Business Edition

Start with one of the Firepower 1010 SKUs, for example - FPR1010-NGFW-K9.

Select “Edit Options”.

Select Subscription for Small Business Edition or Small Business Edition Lite: FPR1010T-SBE or FPR1010T-SBE-L.

Select Country.

Save and exit configuration.

Ordering Steps for Cisco Secure Small Business Edition for Distributors

Ordering Steps for Cisco Secure Small Business Edition for Distributors

Start with the following SKU in CCW FPR-SEC-TERM.

Select Subscription for Small Business Edition or Small Business Edition Lite: FPR1010T-SBE or FPR1010T-SBE-L.

Save and exit configuration.

Ordering vDP with the Cisco Secure Firewall Platform

The non-spare versions of the SKUs are available options when ordering the 9300 or 4100 Cisco Firepower platform.

      Go to Cisco Commerce: https://apps.cisco.com/Commerce/home.

      Create a new estimate or edit an old one.

      Add Cisco Firepower 9300 or 4100 as desired (example is of a 4125) and configure appropriately.

 

Configuration options for Cisco Firepower 4125 platform

Figure 6.            

Configuration options for Cisco Firepower 4125 platform

The Radware vDP SKUs are available under “Feature Licenses.” When configuring a Firepower 9300, you will need 1 license of equal size for each blade.

Feature licenses

Figure 7.            

Feature licenses

When you make your selection, you will see the Service Contract and the Right-to-Use licenses are automatically added to the cart. As with the SPARE license, you can change the length of the service contract by clicking the “Edit Service/Subscription” link. You will find the EMCU contract under the selected Radware SKU.

If you do not already own Radware Vision Manager, please add to your order SKU: L-RDWR-APV-VA=. This is the Radware Manager Vision and Security Reporter with support for 10 vDP instances.

Links and Resources for Radware vDP

For Cisco internal questions, please send an email to: ask-radware@external.cisco.com

For Radware specific questions, please go to Cisco Technology Partnership with Radware.

SKUs and Ordering for Cisco Firepower 1000 Series

The following tables outline the product part number information for the Cisco Firepower 1000 Series. Note that the customer may want extra power supplies and fans. You can add these to the order separately. Table 18A and 18B provides the chassis part numbers for chassis running the ASA software and chassis running the Firewall Threat Defense software. Note that software subscriptions can only be added to chassis running the Firewall Threat Defense software. The chassis SKUs are automatically included in the bundle. The bundle also offers the part numbers for network modules, and Table 14 provides part numbers for accessories.

Table 18A. 1000 Series Chassis Part Numbers

Part Number

Description

Bundles

FPR1010-BUN

Cisco Firepower 1010 Master Bundle

FPR1120-BUN

Cisco Firepower 1120 Master Bundle

FPR1140-BUN

Cisco Firepower 1140 Master Bundle

FPR1150-BUN

Cisco Firepower 1150 Master Bundle

FPR1010-FTD-HA-BUN

Cisco Firepower 1010 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR1120-FTD-HA-BUN

Cisco Firepower 1120 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR1140-FTD-HA-BUN

Cisco Firepower 1140 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR1150-FTD-HA-BUN

Cisco Firepower 1150 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

Appliances

FPR1010-NGFW-K9

Cisco Firepower 1010 NGFW Appliance, Desktop, PoE
(runs FTD software + optional subscriptions)

FPR1010E-NGFW-K9

Cisco Firepower 1010E NGFW Appliance, Desktop, no PoE
(runs FTD software + optional subscriptions)

FPR1120-NGFW-K9

Cisco Firepower 1120 NGFW Appliance, 1RU
(runs FTD software + optional subscriptions)

FPR1140-NGFW-K9

Cisco Firepower 1140 NGFW Appliance, 1RU
(runs FTD software + optional subscriptions)

FPR1150-NGFW-K9

Cisco Firepower 1150 NGFW Appliance, 1RU
(runs FTD software + optional subscriptions)

FPR1010-ASA-K9

Cisco Firepower 1010 NGFW Appliance, Desktop, PoE
(run ASA SW + Optional security plus license for High Availability)

FPR1010E-ASA-K9

Cisco Firepower 1010E NGFW Appliance, Desktop. no PoE
(run ASA SW + Optional security plus license for High Availability)

FPR1120-ASA-K9

Cisco Firepower 1120 NGFW Appliance, 1RU
(runs ASA software + optional security context license)

FPR1140-ASA-K9

Cisco Firepower 1140 NGFW Appliance, 1RU
(runs ASA software + optional security context license)

FPR1150-ASA-K9

Cisco Firepower 1150 NGFW Appliance, 1RU
(runs ASA software + optional security context license)

Table 18B.     1000 Series ASA Licenses and SKUs

Part Number

Description

ASA Standard License

FPR1000-ASA

Cisco Firepower 1000 Standard ASA License

L-FPR1000-ASA=

Cisco Firepower 1000 Standard ASA License

Security Context Licenses

L-FPR1K-ASASC-10=

Cisco Firepower 1000 - Add 10 Security Context Licenses

L-FPR1K-ASASC-5=

Cisco Firepower 1000 - Add 5 Security Context Licenses

Encryption Licenses

L-FPR1K-ENC-K9=

Cisco Firepower 1K Series ASA Strong Encryption (3DES/AES)

FPR1010 Security Plus License (for HA)

L-FPR1010-SEC-PL=

Cisco Firepower 1010 - Security Plus License

Table 19.          1000 Series Accessories Part Numbers

Part Number

Description

FPR1K-CBL-MGMT=

Cisco Firepower 1k Series Cable Mgmt Brackets 1120/1140/1150

FPR1K-DT-ACY-KIT=

Cisco Firepower 1K Series Accessory Kit for FPR-1010

FPR1K-DT-PWR-AC=

Cisco Firepower 1K Series 150W Power Adapter for FPR-1010

FPR1K-DT-RACK-MNT=

Cisco Firepower 1K Series Rackmount Kit for FPR-1010

FPR1K-DT-WALL-MNT=

Cisco Firepower 1K Series Wall Mount for FPR-1010

FPR1K-RM-ACY-KIT=

Cisco Firepower 1K Series Accessory Kit for FPR-1120/1140/1150

FPR1K-RM-BRKT=

Cisco Firepower 1K Series Rackmount Brackets - FPR-1120/1140/1150

FPR1K-RM-FIPS-KIT=

Cisco Firepower 1K Series FIPS Kits for FPR-1120/1140/1150

FPR1K-RM-SSD200=

Cisco Firepower 1K Series 200GB for FPR-1120/1140/1150

Note:      Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 1000 Series Licenses and Subscriptions

When ordering a 1000 Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 20.     Threat Subscription Details

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP*

Malware defense

C or URL*

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

*Note that Threat/IPS (T) License is a requirement for the use of Malware (M) or URL (C) license features.

Table 21.     Cisco Firepower 1000 Series License Part Numbers for Configurations with the Cisco Secure Firewall Threat Defense Image

Part Number

Description

L-FPR1010T-AMP=

Cisco Firepower 1010 Threat Defense Malware Protection License

L-FPR1010T-T=

Cisco Firepower 1010 Threat Defense Threat Protection License

L-FPR1010T-TC=

Cisco Firepower 1010 Threat Defense Threat and URL License

L-FPR1010T-TM=

Cisco Firepower 1010 Threat Defense Threat and Malware License

L-FPR1010T-TMC=

Cisco Firepower 1010 Threat Defense Threat, Malware, and URL License

L-FPR1010T-URL=

Cisco Firepower 1010 Threat Defense URL Filtering License

L-FPR1120T-AMP=

Cisco Firepower 1120 Threat Defense Malware Protection License

L-FPR1120T-T=

Cisco Firepower 1120 Threat Defense Threat Protection License

L-FPR1120T-TC=

Cisco Firepower 1120 Threat Defense Threat and URL License

L-FPR1120T-TM=

Cisco Firepower 1120 Threat Defense Threat and Malware License

L-FPR1120T-TMC=

Cisco Firepower 1120 Threat Defense Threat, Malware, and URL License

L-FPR1120T-URL=

Cisco Firepower 1120 Threat Defense URL Filtering License

L-FPR1140T-AMP=

Cisco Firepower 1140 Threat Defense Malware Protection License

L-FPR1140T-T=

Cisco Firepower 1140 Threat Defense Threat Protection License

L-FPR1140T-TC=

Cisco Firepower 1140 Threat Defense Threat and URL License

L-FPR1140T-TM=

Cisco Firepower 1140 Threat Defense Threat and Malware License

L-FPR1140T-TMC=

Cisco Firepower 1140 Threat Defense Threat, Malware, and URL License

L-FPR1140T-URL=

Cisco Firepower 1140 Threat Defense URL Filtering License

L-FPR1150T-AMP=

Cisco Firepower 1150 Threat Defense Malware Protection License

L-FPR1150T-T=

Cisco Firepower 1150 Threat Defense Threat Protection License

L-FPR1150T-TC=

Cisco Firepower 1150 Threat Defense Threat and URL License

L-FPR1150T-TM=

Cisco Firepower 1150 Threat Defense Threat and Malware License

L-FPR1150T-TMC=

Cisco Firepower 1150 Threat Defense Threat, Malware, and URL License

L-FPR1150T-URL=

Cisco Firepower 1150 Threat Defense URL Filtering License

Table 22.     Cisco Firepower 1000 Series Subscription Part Numbers for Configurations with the Firewall Threat Defense Image

Part Number

Description

L-FPR1010T-AMP-1Y

Cisco Firepower 1010 Threat Defense Malware Protection 1Y Subscription

L-FPR1010T-AMP-3Y

Cisco Firepower 1010 Threat Defense Malware Protection 3Y Subscription

L-FPR1010T-AMP-5Y

Cisco Firepower 1010 Threat Defense Malware Protection 5Y Subscription

L-FPR1010T-T-1Y

Cisco Firepower 1010 Threat Defense Threat Protection 1Y Subscription

L-FPR1010T-T-3Y

Cisco Firepower 1010 Threat Defense Threat Protection 3Y Subscription

L-FPR1010T-T-5Y

Cisco Firepower 1010 Threat Defense Threat Protection 5Y Subscription

L-FPR1010T-TC-1Y

Cisco Firepower 1010 Threat Defense Threat and URL 1Y Subscription

L-FPR1010T-TC-3Y

Cisco Firepower 1010 Threat Defense Threat and URL 3Y Subscription

L-FPR1010T-TC-5Y

Cisco Firepower 1010 Threat Defense Threat and URL 5Y Subscription

L-FPR1010T-TM-1Y

Cisco Firepower 1010 Threat Defense Threat and Malware 1Y Subscription

L-FPR1010T-TM-3Y

Cisco Firepower 1010 Threat Defense Threat and Malware 3Y Subscription

L-FPR1010T-TM-5Y

Cisco Firepower 1010 Threat Defense Threat and Malware 5Y Subscription

L-FPR1010T-TMC-1Y

Cisco Firepower 1010 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR1010T-TMC-3Y

Cisco Firepower 1010 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR1010T-TMC-5Y

Cisco Firepower 1010 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR1010T-URL-1Y

Cisco Firepower 1010 Threat Defense URL Filtering 1Y Subscription

L-FPR1010T-URL-3Y

Cisco Firepower 1010 Threat Defense URL Filtering 3Y Subscription

L-FPR1010T-URL-5Y

Cisco Firepower 1010 Threat Defense URL Filtering 5Y Subscription

L-FPR1120T-AMP-1Y

Cisco Firepower 1120 Threat Defense Malware Protection 1Y Subscription

L-FPR1120T-AMP-3Y

Cisco Firepower 1120 Threat Defense Malware Protection 3Y Subscription

L-FPR1120T-AMP-5Y

Cisco Firepower 1120 Threat Defense Malware Protection 5Y Subscription

L-FPR1120T-T-1Y

Cisco Firepower 1120 Threat Defense Threat Protection 1Y Subscription

L-FPR1120T-T-3Y

Cisco Firepower 1120 Threat Defense Threat Protection 3Y Subscription

L-FPR1120T-T-5Y

Cisco Firepower 1120 Threat Defense Threat Protection 5Y Subscription

L-FPR1120T-TC-1Y

Cisco Firepower 1120 Threat Defense Threat and URL 1Y Subscription

L-FPR1120T-TC-3Y

Cisco Firepower 1120 Threat Defense Threat and URL 3Y Subscription

L-FPR1120T-TC-5Y

Cisco Firepower 1120 Threat Defense Threat and URL 5Y Subscription

L-FPR1120T-TM-1Y

Cisco Firepower 1120 Threat Defense Threat and Malware 1Y Subscription

L-FPR1120T-TM-3Y

Cisco Firepower 1120 Threat Defense Threat and Malware 3Y Subscription

L-FPR1120T-TM-5Y

Cisco Firepower 1120 Threat Defense Threat and Malware 5Y Subscription

L-FPR1120T-TMC-1Y

Cisco Firepower 1120 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR1120T-TMC-3Y

Cisco Firepower 1120 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR1120T-TMC-5Y

Cisco Firepower 1120 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR1120T-URL-1Y

Cisco Firepower 1120 Threat Defense URL Filtering 1Y Subscription

L-FPR1120T-URL-3Y

Cisco Firepower 1120 Threat Defense URL Filtering 3Y Subscription

L-FPR1120T-URL-5Y

Cisco Firepower 1120 Threat Defense URL Filtering 5Y Subscription

L-FPR1140T-AMP-1Y

Cisco Firepower 1140 Threat Defense Malware Protection 1Y Subscription

L-FPR1140T-AMP-3Y

Cisco Firepower 1140 Threat Defense Malware Protection 3Y Subscription

L-FPR1140T-AMP-5Y

Cisco Firepower 1140 Threat Defense Malware Protection 5Y Subscription

L-FPR1140T-T-1Y

Cisco Firepower 1140 Threat Defense Threat Protection 1Y Subscription

L-FPR1140T-T-3Y

Cisco Firepower 1140 Threat Defense Threat Protection 3Y Subscription

L-FPR1140T-T-5Y

Cisco Firepower 1140 Threat Defense Threat Protection 5Y Subscription

L-FPR1140T-TC-1Y

Cisco Firepower 1140 Threat Defense Threat and URL 1Y Subscription

L-FPR1140T-TC-3Y

Cisco Firepower 1140 Threat Defense Threat and URL 3Y Subscription

L-FPR1140T-TC-5Y

Cisco Firepower 1140 Threat Defense Threat and URL 5Y Subscription

L-FPR1140T-TM-1Y

Cisco Firepower 1140 Threat Defense Threat and Malware 1Y Subscription

L-FPR1140T-TM-3Y

Cisco Firepower 1140 Threat Defense Threat and Malware 3Y Subscription

L-FPR1140T-TM-5Y

Cisco Firepower 1140 Threat Defense Threat and Malware 5Y Subscription

L-FPR1140T-TMC-1Y

Cisco Firepower 1140 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR1140T-TMC-3Y

Cisco Firepower 1140 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR1140T-TMC-5Y

Cisco Firepower 1140 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR1140T-URL-1Y

Cisco Firepower 1140 Threat Defense URL Filtering 1Y Subscription

L-FPR1140T-URL-3Y

Cisco Firepower 1140 Threat Defense URL Filtering 3Y Subscription

L-FPR1140T-URL-5Y

Cisco Firepower 1140 Threat Defense URL Filtering 5Y Subscription

L-FPR1150T-AMP-1Y

Cisco FPR1150 Threat Defense Malware Protection 1Y Subs

L-FPR1150T-AMP-3Y

Cisco FPR1150 Threat Defense Malware Protection 3Y Subs

L-FPR1150T-AMP-5Y

Cisco FPR1150 Threat Defense Malware Protection 5Y Subs

L-FPR1150T-T-1Y

Cisco FPR1150 Threat Defense Threat Protection 1Y Subs

L-FPR1150T-T-3Y

Cisco FPR1150 Threat Defense Threat Protection 3Y Subs

L-FPR1150T-T-5Y

Cisco FPR1150 Threat Defense Threat Protection 5Y Subs

L-FPR1150T-TC-1Y

Cisco FPR1150 Threat Defense Threat and URL 1Y Subs

L-FPR1150T-TC-3Y

Cisco FPR1150 Threat Defense Threat and URL 3Y Subs

L-FPR1150T-TC-5Y

Cisco FPR1150 Threat Defense Threat and URL 5Y Subs

L-FPR1150T-TM-1Y

Cisco FPR1150 Threat Defense Threat and Malware 1Y Subs

L-FPR1150T-TM-3Y

Cisco FPR1150 Threat Defense Threat and Malware 3Y Subs

L-FPR1150T-TM-5Y

Cisco FPR1150 Threat Defense Threat and Malware 5Y Subs

L-FPR1150T-TMC-1Y

Cisco FPR1150 Threat Defense Threat, Malware and URL 1Y Subs

L-FPR1150T-TMC-3Y

Cisco FPR1150 Threat Defense Threat, Malware and URL 3Y Subs

L-FPR1150T-TMC-5Y

Cisco FPR1150 Threat Defense Threat, Malware and URL 5Y Subs

L-FPR1150T-URL-1Y

Cisco FPR1150 Threat Defense URL Filtering 1Y Subs

L-FPR1150T-URL-3Y

Cisco FPR1150 Threat Defense URL Filtering 3Y Subs

L-FPR1150T-URL-5Y

Cisco FPR1150 Threat Defense URL Filtering 5Y Subs

Ordering Example: Cisco Firepower 1010 with FTD

Step 1: Smart Software Licensing

Before placing a Cisco Firepower 1010 order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order. More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at: https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Ordering Example: Cisco Firepower 1010 with FTD

Step 2: Navigate to Catalog -> Products -> Security -> Cisco Firepower 1000 Series. Click on FPR1010-NGFW-K9

Navigate to Catalog

The Chassis is added on the cart along with the software subscription. By default the 3 Year FPR1010-TMC license will be added to the configuration.

Chassis is added

Step 3: Follow the instructions in the yellow box. First, click the power cables link and make the cable selection in the next screen.

Chassis is added

 

Chassis is added

Step 4: After cable(s) selection, if there is a requirement for extended logging and analytics. Click on Extended logging and analytics on the configuration summary and add the cloud logging option along with the data retention SKU.

After cable(s) selection

 

Chassis is added

Step 5: After completing the selection of the Extended logging and analytics. Click “Done” to complete the configuration. An alert message appears to indicate to the user of the selected configuration. Click “Done” to proceed to the summary screen.

Extended logging

Step 6: After clicking done. The product configuration summary page will appear with all the selection.

Extended logging  2

SKUs and Ordering for Cisco Secure Firewall 3100 Series

The following tables outline the product part number information for the Cisco Secure Firewall 3100 Series. Note that the customer may want extra power supplies and fans. You can add these to the order separately. Note that software subscriptions can only be added to chassis running the FTD software. The chassis SKUs are automatically included in the bundle. The bundle also offers the part numbers for network modules.

Table 23.     3100 Series chassis part numbers

Part Number

PID

Description

Bundles

FPR3100-FTD-HA-BUN

Cisco Secure Firewall 3100 series Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

Appliances

FPR3105-NGFW-K9

Cisco Secure Firewall 3105 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR3110-NGFW-K9

Cisco Secure Firewall 3110 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR3120-NGFW-K9

Cisco Secure Firewall 3120 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR3130-NGFW-K9

Cisco Secure Firewall 3130 NGFW Appliance, 1RU, 1 x Network Module Bays (runs FTD software + optional subscriptions)

FPR3140-NGFW-K9

Cisco Secure Firewall 3140 NGFW Appliance, 1RU, 1 x Network Module Bays (runs FTD software + optional subscriptions)

FPR3105-ASA-K9

Cisco Secure Firewall 3105 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR3110-ASA-K9

Cisco Secure Firewall 3110 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR3120-ASA-K9

Cisco Secure Firewall 3120 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR3130-ASA-K9

Cisco Secure Firewall 3130 ASA Appliance, 1RU, 1 x Network Module Bays (runs ASA software with optional security context license)

FPR3140-ASA-K9

Cisco Secure Firewall 3140 ASA Appliance, 1RU, 1 x Network Module Bays (runs ASA software with optional security context license)

Netmods

FPR3K-XNM-8X10G

Cisco SECURE FIREWALL 3100 8-port 1G/10G SFP+ Network Module

FPR3K-XNM-8X10G=

Cisco SECURE FIREWALL 3100 8-port 1G/10G SFP+ Network Module (Spare)

FPR3K-XNM-8X25G

Cisco SECURE FIREWALL 3100 8-port 1/10/25G ZSFP Network Module

FPR3K-XNM-8X25G=

Cisco SECURE FIREWALL 3100 8-port 1/10/25G ZSFP Network Module (Spare)

FPR3K-XNM-4X40G

Cisco SECURE FIREWALL 3100 4-port 40G QSFP+ Network Module

FPR3K-XNM-4X40G=

Cisco SECURE FIREWALL 3100 4-port 40G QSFP+ Network Module (Spare)

FPR3K-XNM-2X100G

Cisco SECURE FIREWALL 3100 2-port 100G QSFP28 Network Module

FPR3K-XNM-2X100G=

Cisco SECURE FIREWALL 3100 2-port 100G QSFP28 Network Module (Spare)

Table 24.     3100 Series ASA software license SKUs

Part Number

Description

Multicontext License

L-FPR3K-ASASC-10=

Cisco Secure Firewall 3100 Add-on 10 security context licenses

L-FPR3K-ASASC-5=

Cisco Secure Firewall 3100 add-on 5 security context licenses

Encryption License

L-FPR3K-ENC-K9=

License to enable strong encryption for ASA on Cisco Secure Firewall 3100 Series

Table 25.     3100 Series accessories part numbers

Part Number

Description

FPR3K-PWR-AC-400=

Cisco Secure Firewall 3100 Series 400W AC Power Supply

FPR3K-PWR-DC-400=

Cisco Secure Firewall 3100 Series 400W DC Power Supply

FPR3K-FAN=

Cisco Secure Firewall 3100 Series Fan Tray

FPR3K-PSU-BLANK=

Cisco Secure Firewall 3100 Series Chassis Power Supply Blank Slot Cover

FPR3K-SSD-BLANK=

Cisco Secure Firewall 3100 Series SSD Slot Carrier

FPR3K-NM-BLANK=

Cisco Secure Firewall 3100 Series Network Module Blank Slot Cover

FPR3K-SSD900=

Cisco Secure Firewall 3100 Series SSD for FPR 3100 Series

FPR3K-BRKT=

Cisco Secure Firewall 3100 Series Rackmount Brackets

FPR3K-RAIL-BRKT=

Cisco Secure Firewall 3100 Series Slide Rail Brackets

FPR3K-CBL-MGMT=

Cisco Secure Firewall 3100 Series Cable Management Brackets

FPR3K-FIPS-KIT=

Cisco Secure Firewall 3100 Series FIPS Kit

FPR3K-SLIDE-RAILS=

Cisco Secure Firewall 3100 Series Slide Rail Kit

FPR3K-ACY-KIT

Cisco Secure Firewall 3100 Series Accessory Kit

Note:      Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 3100 Series Licenses and Subscriptions

When ordering a 3100 Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 26.     Threat Subscription Details

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP*

Malware defense

C or URL*

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

*Note that Threat/IPS (T) License is a requirement for the use of Malware (M) or URL (C) license features.

Table 27.     Cisco Secure Firewall 3100 Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Part Number

Description

L-FPR3105T-AMP=

Cisco Secure Firewall 3105 Threat Defense Malware Protection License

L-FPR3105T-T=

Cisco Secure Firewall 3105 Threat Defense Threat Protection License

L-FPR3105T-TC=

Cisco Secure Firewall 3105 Threat Defense Threat and URL License

L-FPR3105T-TM=

Cisco Secure Firewall 3105 Threat Defense Threat and Malware License

L-FPR3105T-TMC=

Cisco Secure Firewall 3105 Threat Defense Threat, Malware, and URL License

L-FPR3105T-URL=

Cisco Secure Firewall 3105 Threat Defense URL Filtering License

L-FPR3110T-AMP=

Cisco Secure Firewall 3110 Threat Defense Malware Protection License

L-FPR3110T-T=

Cisco Secure Firewall 3110 Threat Defense Threat Protection License

L-FPR3110T-TC=

Cisco Secure Firewall 3110 Threat Defense Threat and URL License

L-FPR3110T-TM=

Cisco Secure Firewall 3110 Threat Defense Threat and Malware License

L-FPR3110T-TMC=

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL License

L-FPR3110T-URL=

Cisco Secure Firewall 3110 Threat Defense URL Filtering License

L-FPR3120T-AMP=

Cisco Secure Firewall 3120 Threat Defense Malware Protection License

L-FPR3120T-T=

Cisco Secure Firewall 3120 Threat Defense Threat Protection License

L-FPR3120T-TC=

Cisco Secure Firewall 3120 Threat Defense Threat and URL License

L-FPR3120T-TM=

Cisco Secure Firewall 3120 Threat Defense Threat and Malware License

L-FPR3120T-TMC=

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL License

L-FPR3120T-URL=

Cisco Secure Firewall 3120 Threat Defense URL Filtering License

L-FPR3130T-AMP=

Cisco Secure Firewall 3130 Threat Defense Malware Protection License

L-FPR3130T-T=

Cisco Secure Firewall 3130 Threat Defense Threat Protection License

L-FPR3130T-TC=

Cisco Secure Firewall 3130 Threat Defense Threat and URL License

L-FPR3130T-TM=

Cisco Secure Firewall 3130 Threat Defense Threat and Malware License

L-FPR3130T-TMC=

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL License

L-FPR3130T-URL=

Cisco Secure Firewall 3130 Threat Defense URL Filtering License

L-FPR3140T-AMP=

Cisco Secure Firewall 3140 Threat Defense Malware Protection License

L-FPR3140T-T=

Cisco Secure Firewall 3140 Threat Defense Threat Protection License

L-FPR3140T-TC=

Cisco Secure Firewall 3140 Threat Defense Threat and URL License

L-FPR3140T-TM=

Cisco Secure Firewall 3140 Threat Defense Threat and Malware License

L-FPR3140T-TMC=

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL License

L-FPR3140T-URL=

Cisco Secure Firewall 3140 Threat Defense URL Filtering License

Table 28.     Cisco Secure Firewall 3100 Series subscription part numbers for configurations with the Firewall Threat Defense image

Part Number

Description

L-FPR3105T-AMP-1Y

Cisco Secure Firewall 3105 Threat Defense Malware Protection 1Y Subscription

L-FPR3105T-AMP-3Y

Cisco Secure Firewall 3105 Threat Defense Malware Protection 3Y Subscription

L-FPR3105T-AMP-5Y

Cisco Secure Firewall 3105 Threat Defense Malware Protection 5Y Subscription

L-FPR3105T-T-1Y

Cisco Secure Firewall 3105 Threat Defense Threat Protection 1Y Subscription

L-FPR3105T-T-3Y

Cisco Secure Firewall 3105 Threat Defense Threat Protection 3Y Subscription

L-FPR3105T-T-5Y

Cisco Secure Firewall 3105 Threat Defense Threat Protection 5Y Subscription

L-FPR3105T-TC-1Y

Cisco Secure Firewall 3105 Threat Defense Threat and URL 1Y Subscription

L-FPR3105T-TC-3Y

Cisco Secure Firewall 3105 Threat Defense Threat and URL 3Y Subscription

L-FPR3105T-TC-5Y

Cisco Secure Firewall 3105 Threat Defense Threat and URL 5Y Subscription

L-FPR3105T-TM-1Y

Cisco Secure Firewall 3105 Threat Defense Threat and Malware 1Y Subscription

L-FPR3105T-TM-3Y

Cisco Secure Firewall 3105 Threat Defense Threat and Malware 3Y Subscription

L-FPR3105T-TM-5Y

Cisco Secure Firewall 3105 Threat Defense Threat and Malware 5Y Subscription

L-FPR3105T-TMC-1Y

Cisco Secure Firewall 3105 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3105T-TMC-3Y

Cisco Secure Firewall 3105 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3105T-TMC-5Y

Cisco Secure Firewall 3105 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3105T-URL-1Y

Cisco Secure Firewall 3105 Threat Defense URL Filtering 1Y Subscription

L-FPR3105T-URL-3Y

Cisco Secure Firewall 3105 Threat Defense URL Filtering 3Y Subscription

L-FPR3105T-URL-5Y

Cisco Secure Firewall 3105 Threat Defense URL Filtering 5Y Subscription

L-FPR3110T-AMP-1Y

Cisco Secure Firewall 3110 Threat Defense Malware Protection 1Y Subscription

L-FPR3110T-AMP-3Y

Cisco Secure Firewall 3110 Threat Defense Malware Protection 3Y Subscription

L-FPR3110T-AMP-5Y

Cisco Secure Firewall 3110 Threat Defense Malware Protection 5Y Subscription

L-FPR3110T-T-1Y

Cisco Secure Firewall 3110 Threat Defense Threat Protection 1Y Subscription

L-FPR3110T-T-3Y

Cisco Secure Firewall 3110 Threat Defense Threat Protection 3Y Subscription

L-FPR3110T-T-5Y

Cisco Secure Firewall 3110 Threat Defense Threat Protection 5Y Subscription

L-FPR3110T-TC-1Y

Cisco Secure Firewall 3110 Threat Defense Threat and URL 1Y Subscription

L-FPR3110T-TC-3Y

Cisco Secure Firewall 3110 Threat Defense Threat and URL 3Y Subscription

L-FPR3110T-TC-5Y

Cisco Secure Firewall 3110 Threat Defense Threat and URL 5Y Subscription

L-FPR3110T-TM-1Y

Cisco Secure Firewall 3110 Threat Defense Threat and Malware 1Y Subscription

L-FPR3110T-TM-3Y

Cisco Secure Firewall 3110 Threat Defense Threat and Malware 3Y Subscription

L-FPR3110T-TM-5Y

Cisco Secure Firewall 3110 Threat Defense Threat and Malware 5Y Subscription

L-FPR3110T-TMC-1Y

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3110T-TMC-3Y

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3110T-TMC-5Y

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3110T-URL-1Y

Cisco Secure Firewall 3110 Threat Defense URL Filtering 1Y Subscription

L-FPR3110T-URL-3Y

Cisco Secure Firewall 3110 Threat Defense URL Filtering 3Y Subscription

L-FPR3110T-URL-5Y

Cisco Secure Firewall 3110 Threat Defense URL Filtering 5Y Subscription

L-FPR3120T-AMP-1Y

Cisco Secure Firewall 3120 Threat Defense Malware Protection 1Y Subscription

L-FPR3120T-AMP-3Y

Cisco Secure Firewall 3120 Threat Defense Malware Protection 3Y Subscription

L-FPR3120T-AMP-5Y

Cisco Secure Firewall 3120 Threat Defense Malware Protection 5Y Subscription

L-FPR3120T-T-1Y

Cisco Secure Firewall 3120 Threat Defense Threat Protection 1Y Subscription

L-FPR3120T-T-3Y

Cisco Secure Firewall 3120 Threat Defense Threat Protection 3Y Subscription

L-FPR3120T-T-5Y

Cisco Secure Firewall 3120 Threat Defense Threat Protection 5Y Subscription

L-FPR3120T-TC-1Y

Cisco Secure Firewall 3120 Threat Defense Threat and URL 1Y Subscription

L-FPR3120T-TC-3Y

Cisco Secure Firewall 3120 Threat Defense Threat and URL 3Y Subscription

L-FPR3120T-TC-5Y

Cisco Secure Firewall 3120 Threat Defense Threat and URL 5Y Subscription

L-FPR3120T-TM-1Y

Cisco Secure Firewall 3120 Threat Defense Threat and Malware 1Y Subscription

L-FPR3120T-TM-3Y

Cisco Secure Firewall 3120 Threat Defense Threat and Malware 3Y Subscription

L-FPR3120T-TM-5Y

Cisco Secure Firewall 3120 Threat Defense Threat and Malware 5Y Subscription

L-FPR3120T-TMC-1Y

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3120T-TMC-3Y

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3120T-TMC-5Y

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3120T-URL-1Y

Cisco Secure Firewall 3120 Threat Defense URL Filtering 1Y Subscription

L-FPR3120T-URL-3Y

Cisco Secure Firewall 3120 Threat Defense URL Filtering 3Y Subscription

L-FPR3120T-URL-5Y

Cisco Secure Firewall 3120 Threat Defense URL Filtering 5Y Subscription

L-FPR3130T-AMP-1Y

Cisco Secure Firewall 3130 Threat Defense Malware Protection 1Y Subscription

L-FPR3130T-AMP-3Y

Cisco Secure Firewall 3130 Threat Defense Malware Protection 3Y Subscription

L-FPR3130T-AMP-5Y

Cisco Secure Firewall 3130 Threat Defense Malware Protection 5Y Subscription

L-FPR3130T-T-1Y

Cisco Secure Firewall 3130 Threat Defense Threat Protection 1Y Subscription

L-FPR3130T-T-3Y

Cisco Secure Firewall 3130 Threat Defense Threat Protection 3Y Subscription

L-FPR3130T-T-5Y

Cisco Secure Firewall 3130 Threat Defense Threat Protection 5Y Subscription

L-FPR3130T-TC-1Y

Cisco Secure Firewall 3130 Threat Defense Threat and URL 1Y Subscription

L-FPR3130T-TC-3Y

Cisco Secure Firewall 3130 Threat Defense Threat and URL 3Y Subscription

L-FPR3130T-TC-5Y

Cisco Secure Firewall 3130 Threat Defense Threat and URL 5Y Subscription

L-FPR3130T-TM-1Y

Cisco Secure Firewall 3130 Threat Defense Threat and Malware 1Y Subscription

L-FPR3130T-TM-3Y

Cisco Secure Firewall 3130 Threat Defense Threat and Malware 3Y Subscription

L-FPR3130T-TM-5Y

Cisco Secure Firewall 3130 Threat Defense Threat and Malware 5Y Subscription

L-FPR3130T-TMC-1Y

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3130T-TMC-3Y

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3130T-TMC-5Y

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3130T-URL-1Y

Cisco Secure Firewall 3130 Threat Defense URL Filtering 1Y Subscription

L-FPR3130T-URL-3Y

Cisco Secure Firewall 3130 Threat Defense URL Filtering 3Y Subscription

L-FPR3130T-URL-5Y

Cisco Secure Firewall 3130 Threat Defense URL Filtering 5Y Subscription

L-FPR3140T-AMP-1Y

Cisco Secure Firewall 3140 Threat Defense Malware Protection 1Y Subscription

L-FPR3140T-AMP-3Y

Cisco Secure Firewall 3140 Threat Defense Malware Protection 3Y Subscription

L-FPR3140T-AMP-5Y

Cisco Secure Firewall 3140 Threat Defense Malware Protection 5Y Subscription

L-FPR3140T-T-1Y

Cisco Secure Firewall 3140 Threat Defense Threat Protection 1Y Subscription

L-FPR3140T-T-3Y

Cisco Secure Firewall 3140 Threat Defense Threat Protection 3Y Subscription

L-FPR3140T-T-5Y

Cisco Secure Firewall 3140 Threat Defense Threat Protection 5Y Subscription

L-FPR3140T-TC-1Y

Cisco Secure Firewall 3140 Threat Defense Threat and URL 1Y Subscription

L-FPR3140T-TC-3Y

Cisco Secure Firewall 3140 Threat Defense Threat and URL 3Y Subscription

L-FPR3140T-TC-5Y

Cisco Secure Firewall 3140 Threat Defense Threat and URL 5Y Subscription

L-FPR3140T-TM-1Y

Cisco Secure Firewall 3140 Threat Defense Threat and Malware 1Y Subscription

L-FPR3140T-TM-3Y

Cisco Secure Firewall 3140 Threat Defense Threat and Malware 3Y Subscription

L-FPR3140T-TM-5Y

Cisco Secure Firewall 3140 Threat Defense Threat and Malware 5Y Subscription

L-FPR3140T-TMC-1Y

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3140T-TMC-3Y

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3140T-TMC-5Y

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3140T-URL-1Y

Cisco Secure Firewall 3140 Threat Defense URL Filtering 1Y Subscription

L-FPR3140T-URL-3Y

Cisco Secure Firewall 3140 Threat Defense URL Filtering 3Y Subscription

L-FPR3140T-URL-5Y

Cisco Secure Firewall 3140 Threat Defense URL Filtering 5Y Subscription

Ordering Example: Cisco Secure Firewall 3140 with FTD

Step 1: Smart Software Licensing

Before placing a Cisco Secure Firewall 3100 order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order. More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at: https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Products -> Security -> Cisco Secure Firewall 3100 series-> Cisco Secure Firewall 3140 -> FPR3140-NGFW-K9

Assign Smart Account

 

Assign Smart Account  2

Step 3: Follow the instructions on the yellow box. Select the Power Cables or the DC Power Supply.

Assign Smart Account 3

 

Assign Smart Account 4

Step 4: After the cable selection is complete. Click on the Network module to add to the configuration.

After the cable selection is complete

Step 5: Complete the configuration by clicking on done. An alert message appears for the user to confirm the selection.

A screenshot of a computerDescription automatically generated

Step 6: Product summary page appears with the selected configurations.

After the cable selection is complete 6

SKUs and Ordering for Cisco Firepower 4100 Series

The following tables outline the product part number information for the Cisco Firepower 4100 Series. Note that the customer may want extra power supplies and fans.

Table 29.     4100 Series chassis part numbers

Part Number

Description

FPR4112-BUN

Cisco Firepower 4112 Master Bundle

FPR4115-BUN

Cisco Firepower 4115 Master Bundle

FPR4125-BUN

Cisco Firepower 4125 Master Bundle

FPR4145-BUN

Cisco Firepower 4145 Master Bundle

FPR4112-FTD-HA-BUN

Cisco Firepower 4112 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4115-FTD-HA-BUN

Cisco Firepower 4115 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4125-FTD-HA-BUN

Cisco Firepower 4125 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4145-FTD-HA-BUN

Cisco Firepower 4145 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4112-ASA-K9

Cisco Firepower 4112 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4112-NGFW-K9

Cisco Firepower 4112 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4112-NGIPS-K9

Cisco Firepower 4112 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4115-ASA-K9

Cisco Firepower 4115 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4115-NGFW-K9

Cisco Firepower 4115 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4115-NGIPS-K9

Cisco Firepower 4115 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4125-ASA-K9

Cisco Firepower 4125 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4125-NGFW-K9

Cisco Firepower 4125 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4125-NGIPS-K9

Cisco Firepower 4125 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4145-ASA-K9

Cisco Firepower 4145 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4145-NGFW-K9

Cisco Firepower 4145 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4145-NGIPS-K9

Cisco Firepower 4145 NGIPS Appliance, 1RU, 2 x Network Module Bays

Note:      Use the bundle part number unless you have an explicit reason not to. the bundle PID ensures that all necessary components are purchased.

Table 30.     4100 Series network module part numbers

Part Number

Description

FPR4K-NM-2X40G-F

Cisco Firepower 2-port 40G SR FTW Network Module

FPR4K-NM-2X40G-F=

Cisco Firepower 2-port 40G SR FTW Network Module

FPR4K-NM-4X40G

Cisco Firepower 4-port QSFP+ Network Module

FPR4K-NM-4X40G=

Cisco Firepower 4-port QSFP+ Network Module

FPR4K-NM-6X10LR-F

Cisco Firepower 6-port 10G LR FTW Network Module

FPR4K-NM-6X10LR-F=

Cisco Firepower 6-port 10G LR FTW Network Module

FPR4K-NM-6X10SR-F

Cisco Firepower 6-port 10G SR FTW Network Module

FPR4K-NM-6X10SR-F=

Cisco Firepower 6-port 10G SR FTW Network Module

FPR4K-NM-6X1SX-F

Cisco Firepower 6-port 1G SX Fiber FTW Network Module

FPR4K-NM-6X1SX-F=

Cisco Firepower 6-port 1G SX Fiber FTW Network Module

FPR4K-NM-8X10G

Cisco Firepower 8-port SFP+ Network Module

FPR4K-NM-8X10G=

Cisco Firepower 8-port SFP+ Network Module

FPR4K-NM-8X1G-F

Cisco Firepower 8-port 1Gbps copper FTW Network Module

FPR4K-NM-8X1G-F=

Cisco Firepower 8-port 1Gbps copper FTW Network Module

FPR4K-NM-2X100G=

Cisco FirePower 2 port 100G Network Module

 

Table 31.     4100 Series accessories part numbers

Part Number

Description

FPR4K-FAN

Cisco Firepower 4000 Series Fan

FPR4K-FAN=

Cisco Firepower 4000 Series Fan

FPR4K-NM-BLANK

Cisco Firepower 4000 Series Network Module Blank Slot Cover

FPR4K-NM-BLANK=

Cisco Firepower 4000 Series Network Module Blank Slot Cover

FPR4K-PSU-BLANK

Cisco Firepower 4000 Series Chassis Power Supply Blank Slot Cover

FPR4K-PSU-BLANK=

Cisco Firepower 4000 Series Chassis Power Supply Blank Slot Cover

FPR4K-PWR-AC-1100

Cisco Firepower 4000 Series 1100W AC Power Supply

FPR4K-PWR-AC-1100=

Cisco Firepower 4000 Series 1100W AC Power Supply

FPR4K-PWR-DC-950

Cisco Firepower 4000 Series 950W DC Power Supply

FPR4K-PWR-DC-950=

Cisco Firepower 4000 Series 950W DC Power Supply

FPR4K-RACK-MNT

Cisco Firepower 4000 Series Rack Mount Kit

FPR4K-RACK-MNT=

Cisco Firepower 4000 Series Rack Mount Kit

FPR4K-SSD-BBLKD

Cisco Firepower 4000 Series SSD Slot Carrier

FPR4K-SSD-BBLKD=

Cisco Firepower 4000 Series SSD Slot Carrier

FPR4K-SSD200

Cisco Firepower 4000 Series SSD for 4110 and 4120

FPR4K-SSD200=

Cisco Firepower 4000 Series SSD for 4110 and 4120

FPR4K-SSD400

Cisco Firepower 4000 Series SSD for 4140 and 4150

FPR4K-SSD400=

Cisco Firepower 4000 Series SSD for 4140 and 4150

FPR4K-SSD800

Cisco Firepower 4000 Series 800GB SSD

FPR4K-SSD800=

Cisco Firepower 4000 Series 800GB SSD

FPR4K-ACC-KIT

Cisco Firepower 4000 Series Hardware Accessory Kit (Rack Mounts, Cables)

FPR4K-ACC-KIT=

Cisco Firepower 4000 Series Hardware Accessory Kit (Rack Mounts, Cables)

FPR4K-ACC-KIT2

Cisco Firepower 4115/25/45 Hardware Accessory Kit

FPR4K-ACC-KIT2=

Cisco Firepower 4115/25/45 Hardware Accessory Kit

FPR4K-CBL-MGMT

Cisco Firepower 4100 Series Cable Management Kit

FPR4K-CBL-MGMT=

Cisco Firepower 4100 Series Cable Management Kit

Note:      Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 4100 Series Licenses and Subscriptions

When ordering a 4100 Series firewall with the ASA configuration, a license is required. When ordering a 4100 Series hardware with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 32.     Threat Subscription Details

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP*

Malware defense

C or URL*

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

*Note that Threat/IPS (T) License is a requirement for the use of Malware (M) or URL (C) license features.

Table 33.     Cisco Firepower 4100 Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Part Number

Description

L-FPR4112T-AMP=

Cisco Firepower 4112 Threat Defense Malware Protection License

L-FPR4112T-T=

Cisco Firepower 4112 Threat Defense Threat Protection License

L-FPR4112T-TC=

Cisco Firepower 4112 Threat Defense Threat and URL License

L-FPR4112T-TM=

Cisco Firepower 4112 Threat Defense Threat and Malware License

L-FPR4112T-TMC=

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL License

L-FPR4112T-URL=

Cisco Firepower 4112 Threat Defense URL Filtering License

L-FPR4115T-AMP=

Cisco Firepower 4115 Threat Defense Malware Protection License

L-FPR4115T-T=

Cisco Firepower 4115 Threat Defense Threat Protection License

L-FPR4115T-TC=

Cisco Firepower 4115 Threat Defense Threat and URL License

L-FPR4115T-TM=

Cisco Firepower 4115 Threat Defense Threat and Malware License

L-FPR4115T-TMC=

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL License

L-FPR4115T-URL=

Cisco Firepower 4115 Threat Defense URL Filtering License

L-FPR4125T-AMP=

Cisco Firepower 4125 Threat Defense Malware Protection License

L-FPR4125T-T=

Cisco Firepower 4125 Threat Defense Threat Protection License

L-FPR4125T-TC=

Cisco Firepower 4125 Threat Defense Threat and URL License

L-FPR4125T-TM=

Cisco Firepower 4125 Threat Defense Threat and Malware License

L-FPR4125T-TMC=

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL License

L-FPR4125T-URL=

Cisco Firepower 4125 Threat Defense URL Filtering License

L-FPR4145T-AMP=

Cisco Firepower 4145 Threat Defense Malware Protection License

L-FPR4145T-T=

Cisco Firepower 4145 Threat Defense Threat Protection License

L-FPR4145T-TC=

Cisco Firepower 4145 Threat Defense Threat and URL License

L-FPR4145T-TM=

Cisco Firepower 4145 Threat Defense Threat and Malware License

L-FPR4145T-TMC=

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL License

L-FPR4145T-URL=

Cisco Firepower 4145 Threat Defense URL Filtering License

Table 34.     Cisco Firepower 4100 Series subscription part numbers for configurations with the Firewall Threat Defense image

Part Number

Description

L-FPR4112T-AMP-1Y

Cisco Firepower 4112 Threat Defense Malware Protection 1Y Subscription

L-FPR4112T-AMP-3Y

Cisco Firepower 4112 Threat Defense Malware Protection 3Y Subscription

L-FPR4112T-AMP-5Y

Cisco Firepower 4112 Threat Defense Malware Protection 5Y Subscription

L-FPR4112T-T-1Y

Cisco Firepower 4112 Threat Defense Threat Protection 1Y Subscription

L-FPR4112T-T-3Y

Cisco Firepower 4112 Threat Defense Threat Protection 3Y Subscription

L-FPR4112T-T-5Y

Cisco Firepower 4112 Threat Defense Threat Protection 5Y Subscription

L-FPR4112T-TC-1Y

Cisco Firepower 4112 Threat Defense Threat and URL 1Y Subscription

L-FPR4112T-TC-3Y

Cisco Firepower 4112 Threat Defense Threat and URL 3Y Subscription

L-FPR4112T-TC-5Y

Cisco Firepower 4112 Threat Defense Threat and URL 5Y Subscription

L-FPR4112T-TM-1Y

Cisco Firepower 4112 Threat Defense Threat and Malware 1Y Subscription

L-FPR4112T-TM-3Y

Cisco Firepower 4112 Threat Defense Threat and Malware 3Y Subscription

L-FPR4112T-TM-5Y

Cisco Firepower 4112 Threat Defense Threat and Malware 5Y Subscription

L-FPR4112T-TMC-1Y

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4112T-TMC-3Y

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4112T-TMC-5Y

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4112T-URL-1Y

Cisco Firepower 4112 Threat Defense URL Filtering 1Y Subscription

L-FPR4112T-URL-3Y

Cisco Firepower 4112 Threat Defense URL Filtering 3Y Subscription

L-FPR4112T-URL-5Y

Cisco Firepower 4112 Threat Defense URL Filtering 5Y Subscription

L-FPR4115T-AMP-1Y

Cisco Firepower 4115 Threat Defense Malware Protection 1Y Subscription

L-FPR4115T-AMP-3Y

Cisco Firepower 4115 Threat Defense Malware Protection 3Y Subscription

L-FPR4115T-AMP-5Y

Cisco Firepower 4115 Threat Defense Malware Protection 5Y Subscription

L-FPR4115T-T-1Y

Cisco Firepower 4115 Threat Defense Threat Protection 1Y Subscription

L-FPR4115T-T-3Y

Cisco Firepower 4115 Threat Defense Threat Protection 3Y Subscription

L-FPR4115T-T-5Y

Cisco Firepower 4115 Threat Defense Threat Protection 5Y Subscription

L-FPR4115T-TC-1Y

Cisco Firepower 4115 Threat Defense Threat and URL 1Y Subscription

L-FPR4115T-TC-3Y

Cisco Firepower 4115 Threat Defense Threat and URL 3Y Subscription

L-FPR4115T-TC-5Y

Cisco Firepower 4115 Threat Defense Threat and URL 5Y Subscription

L-FPR4115T-TM-1Y

Cisco Firepower 4115 Threat Defense Threat and Malware 1Y Subscription

L-FPR4115T-TM-3Y

Cisco Firepower 4115 Threat Defense Threat and Malware 3Y Subscription

L-FPR4115T-TM-5Y

Cisco Firepower 4115 Threat Defense Threat and Malware 5Y Subscription

L-FPR4115T-TMC-1Y

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4115T-TMC-3Y

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4115T-TMC-5Y

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4115T-URL-1Y

Cisco Firepower 4115 Threat Defense URL Filtering 1Y Subscription

L-FPR4115T-URL-3Y

Cisco Firepower 4115 Threat Defense URL Filtering 3Y Subscription

L-FPR4115T-URL-5Y

Cisco Firepower 41154115 Threat Defense URL Filtering 5Y Subscription

L-FPR4125T-AMP-1Y

Cisco Firepower 4125 Threat Defense Malware Protection 1Y Subscription

L-FPR4125T-AMP-3Y

Cisco Firepower 4125 Threat Defense Malware Protection 3Y Subscription

L-FPR4125T-AMP-5Y

Cisco Firepower 4125 Threat Defense Malware Protection 5Y Subscription

L-FPR4125T-T-1Y

Cisco Firepower 4125 Threat Defense Threat Protection 1Y Subscription

L-FPR4125T-T-3Y

Cisco Firepower 4125 Threat Defense Threat Protection 3Y Subscription

L-FPR4125T-T-5Y

Cisco Firepower 4125 Threat Defense Threat Protection 5Y Subscription

L-FPR4125T-TC-1Y

Cisco Firepower 4125 Threat Defense Threat and URL 1Y Subscription

L-FPR4125T-TC-3Y

Cisco Firepower 4125 Threat Defense Threat and URL 3Y Subscription

L-FPR4125T-TC-5Y

Cisco Firepower 4125 Threat Defense Threat and URL 5Y Subscription

L-FPR4125T-TM-1Y

Cisco Firepower 4125 Threat Defense Threat and Malware 1Y Subscription

L-FPR4125T-TM-3Y

Cisco Firepower 4125 Threat Defense Threat and Malware 3Y Subscription

L-FPR4125T-TM-5Y

Cisco Firepower 4125 Threat Defense Threat and Malware 5Y Subscription

L-FPR4125T-TMC-1Y

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4125T-TMC-3Y

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4125T-TMC-5Y

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4125T-URL-1Y

Cisco Firepower 4125 Threat Defense URL Filtering 1Y Subscription

L-FPR4125T-URL-3Y

Cisco Firepower 4125 Threat Defense URL Filtering 3Y Subscription

L-FPR4125T-URL-5Y

Cisco Firepower 4125 Threat Defense URL Filtering 5Y Subscription

L-FPR4140T-AMP-5Y

Cisco Firepower 4140 Threat Defense Malware Protection 5Y Subscription

L-FPR4140T-T-1Y

Cisco Firepower 4140 Threat Defense Threat Protection 1Y Subscription

L-FPR4145T-AMP-1Y

Cisco Firepower 4145 Threat Defense Malware Protection 1Y Subscription

L-FPR4145T-AMP-3Y

Cisco Firepower 4145 Threat Defense Malware Protection 3Y Subscription

L-FPR4145T-AMP-5Y

Cisco Firepower 4145 Threat Defense Malware Protection 5Y Subscription

L-FPR4145T-T-1Y

Cisco Firepower 4145 Threat Defense Threat Protection 1Y Subscription

L-FPR4145T-T-3Y

Cisco Firepower 4145 Threat Defense Threat Protection 3Y Subscription

L-FPR4145T-T-5Y

Cisco Firepower 4145 Threat Defense Threat Protection 5Y Subscription

L-FPR4145T-TC-1Y

Cisco Firepower 4145 Threat Defense Threat and URL 1Y Subscription

L-FPR4145T-TC-3Y

Cisco Firepower 4145 Threat Defense Threat and URL 3Y Subscription

L-FPR4145T-TC-5Y

Cisco Firepower 4145 Threat Defense Threat and URL 5Y Subscription

L-FPR4145T-TM-1Y

Cisco Firepower 4145 Threat Defense Threat and Malware 1Y Subscription

L-FPR4145T-TM-3Y

Cisco Firepower 4145 Threat Defense Threat and Malware 3Y Subscription

L-FPR4145T-TM-5Y

Cisco Firepower 4145 Threat Defense Threat and Malware 5Y Subscription

L-FPR4145T-TMC-1Y

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4145T-TMC-3Y

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4145T-TMC-5Y

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4145T-URL-1Y

Cisco Firepower 4145 Threat Defense URL Filtering 1Y Subscription

L-FPR4145T-URL-3Y

Cisco Firepower 4145 Threat Defense URL Filtering 3Y Subscription

L-FPR4145T-URL-5Y

Cisco Firepower 4145 Threat Defense URL Filtering 5Y Subscription

Ordering Example: Cisco Firepower 4145 with ASA

Step 1: Smart Software Licensing

Before placing a Cisco Firepower 4100 order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order. More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at: https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Products -> Security -> Cisco Firepower 4100 Series -> Cisco Firepower 4145 Security Appliance -> FPR4145-ASA-K9

Cisco Firepower 4100 Series

Step 3: Click on the Power cables to make the selection.

Cisco Firepower 4100 Series 2

 

Cisco Firepower 4100 Series  3

Step 4: Click on “SFP-Modules – On Chassis ports” to make the selection.

SFP-Modules – On Chassis ports

 

SFP-Modules – On Chassis ports 2

Step 5: Select the Network Modules – Slot 1 and Slot 2

Slot 1 and Slot 2

 

After the cable selection is complete

Step 6: Select Feature License

Select Feature License

Step 7: Select Cables from Cable Management

Select Feature License 2

Step 8: Adding Spares. Navigate back to Products -> Security -> Cisco Firepower 4100 Series -> Accessories and Spares > Cisco Firepower 4145 Security Appliance -> FPR4K-NM-2X100G= -> Click Configure

Select Feature License 3

Step 9: Select the trans receiver for the SFP Option and click done.

Select Feature License2

Step 10: Final Product Summary configuration.

Final Product Summary

SKUs and Ordering for Cisco Firepower 4200 Series

The following tables outline the product part number information for the Cisco Firepower 4200 Series. Note that the customer may want extra power supplies and fans.

Table 35.     4200 Series chassis part numbers

Part Number

Description

FPR4200-FTD-HA-BUN

Cisco Secure Firewall 4200 series Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4215-BUN

Cisco Secure Firewall 4215 Master Bundle

FPR4225-BUN

Cisco Secure Firewall 4225 Master Bundle

FPR4245-BUN

Cisco Secure Firewall 4245 Master Bundle

FPR4215-ASA-K9

Cisco Secure Firewall 4215 ASA Appliance, 1U, 2x NetMod Bays

FPR4215-NGFW-K9

Cisco Secure Firewall 4215 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4225-ASA-K9

Cisco Secure Firewall 4225 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4225-NGFW-K9

Cisco Secure Firewall 4225 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4245-ASA-K9

Cisco Secure Firewall 4125 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4245-NGFW-K9

Cisco Secure Firewall 4125 NGFW Appliance, 1RU, 2 x Network Module Bays

Note:      Use the bundle part number unless you have an explicit reason not to. the bundle pid ensures that all necessary components are purchased.

Table 36.     4200 Series network module part numbers

Part Number

Description

FPR4K-XNM-2X400G

Cisco Secure Firewall 4200 2X400G Netmod

FPR4K-XNM-2X100G

Cisco Secure Firewall 4200 2X100G QSFP28 Netmod

FPR4K-XNM-4X200G

Cisco Secure Firewall 4200 4X200G Netmod

FPR4K-XNM-4X40G

Cisco Secure Firewall 4200 4X40G QSFP+ Netmod

FPR4K-XNM-6X10LRF

Cisco Secure Firewall 4200 6X10G FTW Netmod, LR-Singlemode

FPR4K-XNM-6X10SRF

Cisco Secure Firewall 4200 6X10G FTW Netmod, SR-Multimode

FPR4K-XNM-6X25LRF

Cisco Secure Firewall 4200 6X25G FTW Netmod, LR-Singlemode

FPR4K-XNM-6X25SRF

Cisco Secure Firewall 4200 6X25G FTW Netmod, SR-Multimode

FPR4K-XNM-8X10G

Cisco Secure Firewall 4200 8X10G SFP+ Netmod

FPR4K-XNM-8X25G

Cisco Secure Firewall 4200 8X25G ZSFP Netmod

Table 37.     4200 Series accessories part numbers

Part Number

Description

FPR4200-PWR-AC

Cisco Secure Firewall 4200 Series AC Power Supply

FPR4200-PWR-AC=

Cisco Secure Firewall 4200 Series AC Power Supply

FPR4200-SSD1800

Cisco Secure Firewall 4200 Series 1.8TB SSD

FPR4200-SSD1800=

Cisco Secure Firewall 4200 Series 1.8TB SSD

FPR4200-PSU-BLANK

Cisco Secure Firewall 4200 Series Chassis PWR Blank Slot Cvr

FPR4200-PSU-BLANK=

Cisco Secure Firewall 4200 Series Chassis PWR Blank Slot Cvr

FPR4200-NM-BLANK

Cisco Secure Firewall 4200 Series NM Blank Slot Cover

FPR4200-NM-BLANK=

Cisco Secure Firewall 4200 Series NM Blank Slot Cover

FPR4200-FAN

Cisco Secure Firewall 4200 Series Fan

FPR4200-FAN=

Cisco Secure Firewall 4200 Series Fan

FPR4200-ACC-KIT

Cisco Secure Firewall 4200 HW Acc Kit (Rack Mounts, Cables)

FPR4200-ACC-KIT=

Cisco Secure Firewall 4200 HW Acc Kit (Rack Mounts, Cables)

FPR4200-CBL-MGMT

Cisco Secure Firewall 4200 Series Cable Management Brackets

FPR4200-CBL-MGMT=

Cisco Secure Firewall 4200 Series Cable Management Brackets

FPR4200-FIPS-KIT

Cisco Secure Firewall 4200 Series FIPS Kits

FPR4200-FIPS-KIT=

Cisco Secure Firewall 4200 Series FIPS Kits

FPR4200-SLD-RAILS

Cisco Secure Firewall 4200 Series Slide Rail Kit

FPR4200-SLD-RAILS=

Cisco Secure Firewall 4200 Series Slide Rail Kit

Note:      Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 4200 Series Licenses and Subscriptions

When ordering a 4200 Series firewall with the ASA configuration, a license is required. When ordering a 4200 Series hardware with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 38.     Threat Subscription Details

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP*

Malware defense

C or URL*

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

*Note that Threat/IPS (T) License is a requirement for the use of Malware (M) or URL (C) license features.

Table 39.     Cisco Firepower 4200 Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Part Number

Description

L-FPR4215T-AMP=

Cisco Secure Firewall 4215 Threat Defence License

FPR4215T-T / L-FPR4215T-T=

Cisco Secure Firewall 4215 TD and URL Filtering License

FPR4215T-TC / L-FPR4215T-TC=

Cisco Secure Firewall 4215 TD, AMP & URL Filtering License

FPR4215T-TM / L-FPR4215T-TM=

Cisco Secure Firewall 4215 TD, AMP & URL Filtering License

FPR4215T-TMC / L-FPR4215T-TMC=

Cisco Secure Firewall 4225 Threat Defence License

L-FPR4215T-URL=

Cisco Secure Firewall 4225 TD and URL Filtering License

L-FPR4225T-AMP=

Cisco Secure Firewall 4225 TD, AMP & URL Filtering License

FPR4225T-T / L-FPR4225T-T=

Cisco Secure Firewall 4225 TD, AMP & URL Filtering License

FPR4225T-TC / L-FPR4225T-TC=

Cisco Secure Firewall 4245 Threat Defence License

FPR4225T-TM / L-FPR4225T-TM=

Cisco Secure Firewall 4245 TD and URL Filtering License

FPR4225T-TMC / L-FPR4225T-TMC=

Cisco Secure Firewall 4245 TD, AMP & URL Filtering License

L-FPR4225T-URL=

Cisco Secure Firewall 4245 TD, AMP & URL Filtering License

L-FPR4245T-AMP=

Cisco Secure Firewall 4215 Adv Malware Protection License

FPR4245T-T / L-FPR4245T-T=

Cisco Secure Firewall 4215 Threat Defence License

FPR4245T-TC / L-FPR4245T-TC=

Cisco Secure Firewall 4215 TD and URL Filtering License

FPR4245T-TM / L-FPR4245T-TM=

Cisco Secure Firewall 4215 Threat Defence and AMP License

FPR4245T-TMC / L-FPR4245T-TMC=

Cisco Secure Firewall 4215 TD, AMP & URL Filtering License

L-FPR4245T-URL=

Cisco Secure Firewall 4215 URL Filtering License

Table 40.     Cisco Secure Firewall 4200 Series subscription part numbers for configurations with the FTD image

Part Number

Description

L-FPR4215T-T-1Y

Cisco Secure Firewall 4215 Threat Defence 1Y Subs

L-FPR4215T-T-3Y

Cisco Secure Firewall 4215 Threat Defence 3Y Subs

L-FPR4215T-T-5Y

Cisco Secure Firewall 4215 Threat Defence 5Y Subs

L-FPR4215T-TC-1Y

Cisco Secure Firewall 4215 TD and URL Filtering 1Y Subs

L-FPR4215T-TC-3Y

Cisco Secure Firewall 4215 TD and URL Filtering 3Y Subs

L-FPR4215T-TC-5Y

Cisco Secure Firewall 4215 TD and URL Filtering 5Y Subs

L-FPR4215T-TM-1Y

Cisco Secure Firewall 4215 Threat Defence and AMP 1Y Subs

L-FPR4215T-TM-3Y

Cisco Secure Firewall 4215 Threat Defence and AMP 3Y Subs

L-FPR4215T-TM-5Y

Cisco Secure Firewall 4215 Threat Defence and AMP 5Y Subs

L-FPR4215T-TMC-1Y

Cisco Secure Firewall 4215 TD, AMP & URL Filtering 1Y Subs

L-FPR4215T-TMC-3Y

Cisco Secure Firewall 4215 TD, AMP & URL Filtering 3Y Subs

L-FPR4215T-TMC-5Y

Cisco Secure Firewall 4215 TD, AMP & URL Filtering 5Y Subs

L-FPR4215T-AMP-1Y

Cisco Secure Firewall 4215 Adv Malware Protection 1Y Subs

L-FPR4215T-AMP-3Y

Cisco Secure Firewall 4215 Adv Malware Protection 3Y Subs

L-FPR4215T-AMP-5Y

Cisco Secure Firewall 4215 Adv Malware Protection 5Y Subs

L-FPR4215T-URL-1Y

Cisco Secure Firewall 4215 URL Filtering 1Y Subs

L-FPR4215T-URL-3Y

Cisco Secure Firewall 4215 URL Filtering 3Y Subs

L-FPR4215T-URL-5Y

Cisco Secure Firewall 4215 URL Filtering 5Y Subs

L-FPR4225T-T-1Y

Cisco Secure Firewall 4225 Threat Defence 1Y Subs

L-FPR4225T-T-3Y

Cisco Secure Firewall 4225 Threat Defence 3Y Subs

L-FPR4225T-T-5Y

Cisco Secure Firewall 4225 Threat Defence 5Y Subs

L-FPR4225T-TC-1Y

Cisco Secure Firewall 4225 TD and URL Filtering 1Y Subs

L-FPR4225T-TC-3Y

Cisco Secure Firewall 4225 TD and URL Filtering 3Y Subs

L-FPR4225T-TC-5Y

Cisco Secure Firewall 4225 TD and URL Filtering 5Y Subs

L-FPR4225T-TM-1Y

Cisco Secure Firewall 4225 Threat Defence and AMP 1Y Subs

L-FPR4225T-TM-3Y

Cisco Secure Firewall 4225 Threat Defence and AMP 3Y Subs

L-FPR4225T-TM-5Y

Cisco Secure Firewall 4225 Threat Defence and AMP 5Y Subs

L-FPR4225T-TMC-1Y

Cisco Secure Firewall 4225 TD, AMP & URL Filtering 1Y Subs

L-FPR4225T-TMC-3Y

Cisco Secure Firewall 4225 TD, AMP & URL Filtering 3Y Subs

L-FPR4225T-TMC-5Y

Cisco Secure Firewall 4225 TD, AMP & URL Filtering 5Y Subs

L-FPR4225T-AMP-1Y

Cisco Secure Firewall 4225 Adv Malware Protection 1Y Subs

L-FPR4225T-AMP-3Y

Cisco Secure Firewall 4225 Adv Malware Protection 3Y Subs

L-FPR4225T-AMP-5Y

Cisco Secure Firewall 4225 Adv Malware Protection 5Y Subs

L-FPR4225T-URL-1Y

Cisco Secure Firewall 3140 URL Filtering 1Y Subs

L-FPR4225T-URL-3Y

Cisco Secure Firewall 4225 URL Filtering 3Y Subs

L-FPR4225T-URL-5Y

Cisco Secure Firewall 4225 URL Filtering 5Y Subs

L-FPR4245T-T-1Y

Cisco Secure Firewall 4245 Threat Defence 1Y Subs

L-FPR4245T-T-3Y

Cisco Secure Firewall 4245 Threat Defence 3Y Subs

L-FPR4245T-T-5Y

Cisco Secure Firewall 4245 Threat Defence 5Y Subs

L-FPR4245T-TC-1Y

Cisco Secure Firewall 4245 TD and URL Filtering 1Y Subs

L-FPR4245T-TC-3Y

Cisco Secure Firewall 4245 TD and URL Filtering 3Y Subs

L-FPR4245T-TC-5Y

Cisco Secure Firewall 4245 TD and URL Filtering 5Y Subs

L-FPR4245T-TM-1Y

Cisco Secure Firewall 4245 Threat Defence and AMP 1Y Subs

L-FPR4245T-TM-3Y

Cisco Secure Firewall 4245 Threat Defence and AMP 3Y Subs

L-FPR4245T-TM-5Y

Cisco Secure Firewall 4245 Threat Defence and AMP 5Y Subs

L-FPR4245T-TMC-1Y

Cisco Secure Firewall 4245 TD, AMP & URL Filtering 1Y Subs

L-FPR4245T-TMC-3Y

Cisco Secure Firewall 4245 TD, AMP & URL Filtering 3Y Subs

L-FPR4245T-TMC-5Y

Cisco Secure Firewall 4245 TD, AMP & URL Filtering 5Y Subs

L-FPR4245T-AMP-1Y

Cisco Secure Firewall 4245 Adv Malware Protection 1Y Subs

L-FPR4245T-AMP-3Y

Cisco Secure Firewall 4245 Adv Malware Protection 3Y Subs

L-FPR4245T-AMP-5Y

Cisco Secure Firewall 4245 Adv Malware Protection 5Y Subs

L-FPR4245T-URL-1Y

Cisco Secure Firewall 3140 URL Filtering 1Y Subs

L-FPR4245T-URL-3Y

Cisco Secure Firewall 4245 URL Filtering 3Y Subs

L-FPR4245T-URL-5Y

Cisco Secure Firewall 4245 URL Filtering 5Y Subs

Ordering Example: Cisco Secure Firewall 4225 with FTD

Step 1: Smart Software Licensing

Before placing a Cisco Secure Firewall 4200 order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order. More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at: https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Products -> Security -> Cisco Secure Firewall 4200 Series -> Cisco Secure Firewall 4225 Security Appliance -> FPR4225-NGFW-K9

Navigate to Products

Step 3: Select the Power Cables

Power Cables

 

Power Cables 2

Step 4: Select Transceiver modules – On-Chassis Ports

Power Cables 3

Step 5: Select Transceiver modules – Management Ports

Select Transreceiver modules

Step 6: Select Network Modules for Slot-1 and Slot-2

Select Transreceiver modules  6

 

Select Network Modules for Slot-1 and Slot-2

Step 7: Select the cables from Cable Management

Select the cables from Cable Management

Step 8: Adding Spares. Navigate back to Products -> Security -> Cisco Secure Firewall 4200 Series -> Accessories and Spares -> Cisco Firepower 4225 Security Appliance -> Accessories and Spares -> L-FPR4225T-TMC= -> Click Add to Cart. The spare license is added to cart. The final product summary shown below.

A screenshot of a computerDescription automatically generated

4200 Firewall Solution Attached Services Ordering Example

1.     In Cisco Commerce Workspace (CCW), click Estimate dropdown. Select Create Estimate.

Cisco Commerce Workspace (CCW)

2.     On the estimate page, complete all necessary fields

On the estimate page

3.     Click Edit Estimate tab. Complete fields on page. Click Save and Continue when done

Complete fields

4.     Under the Estimate tab:

      Enter FPR4200-FTD-HA-BUN into Search field.

      Click Add.

      Select a Select Options.

Estimate tab

Related image, diagram or screenshot

5.     The CON-CXP-SEN-SAS SKU pricing will take a few seconds refresh and displays a message “The Advanced Services SKU in the bundle is being priced.”

Estimate tab 2

6.     Click Save and Continue to price the MLB.

      Review the estimate pricing.

      Any additional changes made will require user to click Save and Continue again

SKUs and Ordering for Cisco Firepower 9300

SKUs and Ordering for Cisco Firepower 9300

The following tables outline the product part number information for the Cisco Firepower 9300. Note that the customer may want extra power supplies and fans. You can add these to the order separately. When you order, you choose between one and three security modules per chassis. Note that security module types cannot be mixed within a chassis.

Table 41.     Chassis and sublevel assemblies and components included with each chassis

Part Number (Chassis Hardware)

Description

FPR-C9300-AC

Cisco Firepower 9300 AC Chassis - includes 2 power supply units + 4 fans + rack-mount kit (3RU; accommodates up to three security modules)

FPR-C9300-DC

Cisco Firepower 9300 DC Chassis - includes 2 power supply units + 4 fans + rack-mount kit (3RU; accommodates up to three security modules)

FPR-C9300-HVDC

Cisco Firepower 9300 high-voltage DC Chassis - includes 2 power supply units + 4 fans + rack-mount kit (3RU; accommodates up to three security modules)

FPR-C9300-AC=

Cisco Firepower 9300 AC Chassis Spare – without power supply and fans

FPR-C9300-DC=

Cisco Firepower 9300 DC Chassis Spare – without power supply and fans

FPR9K-PS-AC=

Cisco Firepower 9000 Series AC Power Supply (order for spare only)

FPR9K-PS-DC=

Cisco Firepower 9000 Series DC Power Supply (order for spare only)

FPR9K-FAN=

Cisco Firepower 9000 Series Fan (order for spare only)

FPR9K-RMK=

Cisco Firepower 9000 Series Rack Mount Kit (order for spare only)

FPR9K-SUP=

Cisco Firepower 9000 Series Supervisor Spare

 

Part Number (Security Modules)

Description

FPR9K-SM-40=

Cisco Firepower 9000 Series, Security Module 40 Spare, includes 2 SSDs

FPR9K-SM-48=

Cisco Firepower 9000 Series, Security Module 48 Spare, includes 2 SSDs

FPR9K-SM-56=

Cisco Firepower 9000 Series, Security Module 56 Spare, includes 2 SSDs

FPR9K-FTD-BUN

Cisco FPR9300 Threat Defense Bundle for Security Modules

FPR9K-SM40-FTD-BUN

Cisco FPR9300 SM-40 Threat Defense Chassis, Subs HA Bundle

FPR9K-SM48-FTD-BUN

Cisco FPR9300 SM-48 Threat Defense Chassis, Subs HA Bundle

FPR9K-SM56-FTD-BUN

Cisco FPR9300 SM-56 Threat Defense Chassis, Subs HA Bundle

Breakout Cables

Generic breakout cables can be used, please see: https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-660083.html

Note:      There are eight 10-Gbps ports on the supervisor module bundled by default with the chassis. However, customers that plan to use supervisor module ports will require connectors for both those ports as well as for the ports on the network modules. Only one 1-Gbps connector, for the management port, is included by default with each supervisor module.

Table 42.     Cisco Firepower 9300 Network Modules

Network Modules

Description

FPR9K-NM-4X40G

Firepower 9000 Series – 4 port QSFP+ Network Module

FPR9K-NM-4X40G=

Firepower 9000 Series – 4 port QSFP+ Network Module

FPR9K-NM-8X10G

Firepower 9000 Series – 8 port SFP+ Network Module

FPR9K-NM-8X10G=

Firepower 9000 Series – 8 port SFP+ Network Module

FPR9K-DNM-2X100G

Cisco FirePower 2 port 100G Network Module, Double Width

FPR9K-DNM-2X100G=

Cisco FirePower 2 port 100G Network Module, Double Width

FPR9K-NM-2X100G

Cisco FirePower 2 port 100G Network Module

FPR9K-NM-2X100G=

Cisco FirePower 2 port 100G Network Module

FPR9K-NM-4X100G

Cisco FirePower 4 port 100G Network Module

FPR9K-NM-4X100G=

Cisco FirePower 4 port 100G Network Module

FPR9K-NM-6X10SR-F

10G Short range Fail to Wire Network Module (includes built-in SFP)

FPR9K-NM-6X10SR-F=

10G Short range Fail to Wire Spare Network Module (includes built-in SFP)

FPR9K-NM-6X10LR-F

10G Long range Fail to Wire Network Module (includes built-in SFP)

FPR9K-NM-6X10LR-F=

10G Long range Fail to Wire Spare Network Module (includes built-in SFP)

FPR9K-NM-2X40G-F

40G Fail to Wire Network Module (includes built-in QSFP)

FPR9K-NM-2X40G-F=

40G Fail to Wire Spare Network Module (includes built-in QSFP)

FPR9K-NM-6X1SX-F

Cisco Firepower 6-port 1G SX Fiber FTW Network Module (includes built-in SFP)

FPR9K-NM-6X1SX-F=

Cisco Firepower 6-port 1G SX Fiber FTW Network Module (Spare) (includes built-in SFP)

Table 43.     SFP module options for 10G netmod and 10G supervisor ports

Part Number (SFP Modules)

SKU

Description

SFP-10G-SR

10GBASE-SR SFP Module

SFP-10G-LR

10GBASE-LR SFP Module

SFP-10G-SR-S

10GBASE-SR SFP Module, Enterprise-Class

SFP-10G-LR-S

10GBASE-LR SFP Module, Enterprise-Class

SFP-10G-LRM

10GBASE-LRM SFP Module

SFP-10G-ER

10GBASE-ER SFP Module

SFP-H10GB-CU1M

10GBASE-CU SFP+ Cable 1m

SFP-H10GB-CU3M

10GBASE-CU SFP+ Cable 3m

SFP-H10GB-CU5M

10GBASE-CU SFP+ Cable 5m

SFP-H10GB-ACU7M

Active Twinax cable assembly, 7m

SFP-H10GB-ACU10M

Active Twinax cable assembly, 10m

SFP-10G-AOC1M

10GBASE Active Optical SFP+ Cable, 1m

SFP-10G-AOC2M

10GBASE Active Optical SFP+ Cable, 2m

SFP-10G-AOC3M

10GBASE Active Optical SFP+ Cable, 3m

SFP-10G-AOC5M

10GBASE Active Optical SFP+ Cable, 5m

SFP-10G-AOC7M

10GBASE Active Optical SFP+ Cable, 7m

SFP-10G-AOC10M

10GBASE Active Optical SFP+ Cable, 10m

GLC-SX-MMD

1000BASE-SX SFP transceiver module, MMF, 850nm, DOM

GLC-LH-SMD

1000BASE-LX/LH SFP transceiver module, MMF/SMF, 1310nm, DOM

GLC-EX-SMD

1000BASE-EX SFP transceiver module, SMF, 1310nm, DOM

GLC-ZX-SMD

1000BASE-ZX SFP transceiver module, SMF, 1550nm, DOM

Table 44.     SFP module options for 40G netmod

Part Number (SFP Modules)

Description

QSFP-40G-SR4

40GBASE-SR4 QSFP Transceiver Module with MPO Connector

QSFP-40G-CSR4

QSFP 4x10GBASE-SR Transceiver Module, MPO, 300M

QSFP-40G-SR-BD

QSFP40G BiDi Short-reach Transceiver

QSFP-40G-LR4-S

QSFP 40GBASE-LR4 Transceiver Mod, LC, 10km, Enterprise-Class

QSFP-40G-LR4

QSFP 40GBASE-LR4 OTN Transceiver, LC, 10km

WSP-Q40GLR4L

QSFP 40G Ethernet - LR4 Lite, LC, 2KM

QSFP-H40G-CU1M

40GBASE-CR4 Passive Copper Cable, 1m

QSFP-H40G-CU3M

40GBASE-CR4 Passive Copper Cable, 3m

QSFP-H40G-CU5M

40GBASE-CR4 Passive Copper Cable, 5m

QSFP-H40G-AOC1M

40GBASE Active Optical Cable, 1m

QSFP-H40G-AOC2M

40GBASE Active Optical Cable, 2m

QSFP-H40G-AOC3M

40GBASE Active Optical Cable, 3m

QSFP-H40G-AOC5M

40GBASE Active Optical Cable, 5m

QSFP-H40G-AOC7M

40GBASE Active Optical Cable, 7m

QSFP-H40G-AOC10M

40GBASE Active Optical Cable, 10m

QSFP-H40G-AOC15M

40GBASE Active Optical Cable, 15m

QSFP-H40G-ACU7M

40GBASE-CR4 Active Copper Cable, 7m

QSFP-H40G-AOC10M

40GBASE-CR4 Active Copper Cable, 10m

Table 45.     100G network QSFP28 module options

Part Number (SFP Modules)

Description

QSFP-100G-LR4-S

100GBASE LR4 QSFP Transceiver, LC, 10km over SMF

When ordering a Cisco Firepower 9300 firewall with the ASA configuration, a Standard (base) ASA license (LF9KASA) is required.

Table 46.     Cisco Firepower 9300 power cables

Part Number
(Power Cables)

Country

Description

CAB-AC-2500W-INT

International

Power Cord, 250VAC 16A, INTL

CAB-C19-CBN

International

Cabinet Jumper Power Cord, 250VAC 16A, C20-C19 Connectors

CAB-AC-C6K-TWLK

[All Categories]

Power Cord, 250VAC 16A, twist lock NEMA L6-20 plug, US

CAB-AC-2500W-US1

North America and Japan

Power Cord, 250VAC 16A, straight blade NEMA 6-20 plug, US

CAB-AC-16A-AUS

Australia

Power Cord, 250VAC, 16A, Australia C19

CAB-AC16A-CH

China

16A AC Power Cord for China

CAB-AC-2500W-ISRL

People's Republic of China

Power Cord, 250VAC, 16A, Israel

CAB-S132-C19-ISRL

Israel

S132 to IEC-C19 14ft Israeli

CAB-ACS-16

Switzerland

AC Power Cord (Swiss) 16A

CAB-IR2073-C19-AR

Argentina

IRSM 2073 to IEC-C19 14ft Argentina

CAB-BS1363-C19-UK

United Kingdom

BS-1363 to IEC-C19 14ft UK

CAB-SABS-C19-IND

India

SABS 164-1 to IEC-C19 India

CAB-C2316-C19-IT

Italy

CEI 23-16 to IEC-C19 14ft Italy

UCSB-CABL-C19-BRZ

Brazil

NBR 14136 to C19 AC 14ft Power Cord, Brazil

CAB-C19-C20-3M-JP

Japan

Power Cord C19-C20, 3m/10ft Japan PSE mark

CAB-AC-2500W-INT

International

Power Cord, 250VAC 16A, INTL

SKUs for Cisco Firepower 9300 Series Licenses and Firewall Threat Defense Subscriptions

When ordering a Cisco Firepower 9300 firewall with the ASA configuration, a Standard (base) ASA license (L-F9K-ASA) is required.

Alternatively, when ordering a 9300 Series with the Cisco Secure Firewall Threat Defense image, base AVC capability comes by default with Cisco Secure Firewall Threat Defense license (L-FPR9K-TD-BASE=). Additionally, subscriptions can be purchased (one license per security module) to add IPS, URL Filtering, and malware defense capabilities. Similarly, if the customer already has a Firepower 9300, the same PIDs are used to upgrade to the Cisco Secure Firewall Threat Defense image. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 47.     Threat subscription decoder

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP*

Malware defense

C or URL*

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

*Note that Threat/IPS (T) License is a requirement for the use of Malware (M) or URL (C) license features.

Table 48.     Cisco Firepower 9300 Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-40

PID

Description

L-FPR9K-40T-T=

Cisco FPR9K SM-40 Threat Defense Threat Protection License

L-FPR9K-40T-AMP=

Cisco FPR9K SM-40 Threat Defense Malware Protection License

L-FPR9K-40T-URL=

Cisco FPR9K SM-40 Threat Defense URL Filtering License

L-FPR9K-40T-TM=

Cisco FPR9K SM-40 Threat Defense Threat and Malware License

L-FPR9K-40T-TC=

Cisco FPR9K SM-40 Threat Defense Threat and URL License

L-FPR9K-40T-TMC=

Cisco FPR9K SM-40 Threat Defense Threat, Malware and URL License

L-FPR9K-40T-AMP-1Y

Cisco FPR9K SM-40 Threat Defense Malware Protection 1Y Subs

L-FPR9K-40T-AMP-3Y

Cisco FPR9K SM-40 Threat Defense Malware Protection 3Y Subs

L-FPR9K-40T-AMP-5Y

Cisco FPR9K SM-40 Threat Defense Malware Protection 5Y Subs

L-FPR9K-40T-URL-1Y

Cisco FPR9K SM-40 Threat Defense URL Filtering 1Y Subs

L-FPR9K-40T-URL-3Y

Cisco FPR9K SM-40 Threat Defense URL Filtering 3Y Subs

L-FPR9K-40T-URL-5Y

Cisco FPR9K SM-40 Threat Defense URL Filtering 5Y Subs

L-FPR9K-40T-T-1Y

Cisco FPR9K SM-40 Threat Defense Threat Protection 1Y Subs

L-FPR9K-40T-T-3Y

Cisco FPR9K SM-40 Threat Defense Threat Protection 3Y Subs

L-FPR9K-40T-T-5Y

Cisco FPR9K SM-40 Threat Defense Threat Protection 5Y Subs

L-FPR9K-40T-TM-1Y

Cisco FPR9K SM-40 Threat Defense Threat and Malware 1Y Subs

L-FPR9K-40T-TM-3Y

Cisco FPR9K SM-40 Threat Defense Threat and Malware 3Y Subs

L-FPR9K-40T-TM-5Y

Cisco FPR9K SM-40 Threat Defense Threat and Malware 5Y Subs

L-FPR9K-40T-TC-1Y

Cisco FPR9K SM-40 Threat Defense Threat and URL 1Y Subs

L-FPR9K-40T-TC-3Y

Cisco FPR9K SM-40 Threat Defense Threat and URL 3Y Subs

L-FPR9K-40T-TC-5Y

Cisco FPR9K SM-40 Threat Defense Threat and URL 5Y Subs

L-FPR9K-40T-TMC-1Y

Cisco FPR9K SM-40 Threat Defense Threat, Malware, URL 1Y Sub

L-FPR9K-40T-TMC-3Y

Cisco FPR9K SM-40 Threat Defense Threat, Malware, URL 3Y Sub

L-FPR9K-40T-TMC-5Y

Cisco FPR9K SM-40 Threat Defense Threat, Malware, URL 5Y Sub

Table 49.     Cisco Firepower 9300 Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-48

FPR9K-SM-48

Firepower 9000 Series High Performance Security Module

L-FPR9K-48T-T=

Cisco FPR9K SM-48 Threat Defense Threat Protection License

L-FPR9K-48T-AMP=

Cisco FPR9K SM-48 Threat Defense Malware Protection License

L-FPR9K-48T-URL=

Cisco FPR9K SM-48 Threat Defense URL Filtering License

L-FPR9K-48T-TM=

Cisco FPR9K SM-48 Threat Defense Threat and Malware License

L-FPR9K-48T-TC=

Cisco FPR9K SM-48 Threat Defense Threat and URL License

L-FPR9K-48T-TMC=

Cisco FPR9K SM-48 Threat Defense Threat, Malware and URL License

L-FPR9K-48T-AMP-1Y

Cisco FPR9K SM-48 Threat Defense Malware Protection 1Y Subs

L-FPR9K-48T-AMP-3Y

Cisco FPR9K SM-48 Threat Defense Malware Protection 3Y Subs

L-FPR9K-48T-AMP-5Y

Cisco FPR9K SM-48 Threat Defense Malware Protection 5Y Subs

L-FPR9K-48T-URL-1Y

Cisco FPR9K SM-48 Threat Defense URL Filtering 1Y Subs

L-FPR9K-48T-URL-3Y

Cisco FPR9K SM-48 Threat Defense URL Filtering 3Y Subs

L-FPR9K-48T-URL-5Y

Cisco FPR9K SM-48 Threat Defense URL Filtering 5Y Subs

L-FPR9K-48T-T-1Y

Cisco FPR9K SM-48 Threat Defense Threat Protection 1Y Subs

L-FPR9K-48T-T-3Y

Cisco FPR9K SM-48 Threat Defense Threat Protection 3Y Subs

L-FPR9K-48T-T-5Y

Cisco FPR9K SM-48 Threat Defense Threat Protection 5Y Subs

L-FPR9K-48T-TM-1Y

Cisco FPR9K SM-48 Threat Defense Threat and Malware 1Y Subs

L-FPR9K-48T-TM-3Y

Cisco FPR9K SM-48 Threat Defense Threat and Malware 3Y Subs

L-FPR9K-48T-TM-5Y

Cisco FPR9K SM-48 Threat Defense Threat and Malware 5Y Subs

L-FPR9K-48T-TC-1Y

Cisco FPR9K SM-48 Threat Defense Threat and URL 1Y Subs

L-FPR9K-48T-TC-3Y

Cisco FPR9K SM-48 Threat Defense Threat and URL 3Y Subs

L-FPR9K-48T-TC-5Y

Cisco FPR9K SM-48 Threat Defense Threat and URL 5Y Subs

L-FPR9K-48T-TMC-1Y

Cisco FPR9K SM-48 Threat Defense Threat, Malware, URL 1Y Sub

L-FPR9K-48T-TMC-3Y

Cisco FPR9K SM-48 Threat Defense Threat, Malware, URL 3Y Sub

L-FPR9K-48T-TMC-5Y

Cisco FPR9K SM-48 Threat Defense Threat, Malware, URL 5Y Sub

Table 50.     Cisco Firepower 9300 Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-56

FPR9K-SM-56

Firepower 9000 Series Security Module 56

L-FPR9K-56T-T=

Cisco FPR9K SM-56 Threat Defense Threat Protection License

L-FPR9K-56T-AMP=

Cisco FPR9K SM-56 Threat Defense Malware Protection License

L-FPR9K-56T-URL=

Cisco FPR9K SM-56 Threat Defense URL Filtering License

L-FPR9K-56T-TM=

Cisco FPR9K SM-56 Threat Defense Threat and Malware License

L-FPR9K-56T-TC=

Cisco FPR9K SM-56 Threat Defense Threat and URL License

L-FPR9K-56T-TMC=

Cisco FPR9K SM-56 Threat Defense Threat, Malware and URL License

L-FPR9K-56T-AMP-1Y

Cisco FPR9K SM-56 Threat Defense Malware Protection 1Y Subs

L-FPR9K-56T-AMP-3Y

Cisco FPR9K SM-56 Threat Defense Malware Protection 3Y Subs

L-FPR9K-56T-AMP-5Y

Cisco FPR9K SM-56 Threat Defense Malware Protection 5Y Subs

L-FPR9K-56T-URL-1Y

Cisco FPR9K SM-56 Threat Defense URL Filtering 1Y Subs

L-FPR9K-56T-URL-3Y

Cisco FPR9K SM-56 Threat Defense URL Filtering 3Y Subs

L-FPR9K-56T-URL-5Y

Cisco FPR9K SM-56 Threat Defense URL Filtering 5Y Subs

L-FPR9K-56T-T-1Y

Cisco FPR9K SM-56 Threat Defense Threat Protection 1Y Subs

L-FPR9K-56T-T-3Y

Cisco FPR9K SM-56 Threat Defense Threat Protection 3Y Subs

L-FPR9K-56T-T-5Y

Cisco FPR9K SM-56 Threat Defense Threat Protection 5Y Subs

L-FPR9K-56T-TM-1Y

Cisco FPR9K SM-56 Threat Defense Threat and Malware 1Y Subs

L-FPR9K-56T-TM-3Y

Cisco FPR9K SM-56 Threat Defense Threat and Malware 3Y Subs

L-FPR9K-56T-TM-5Y

Cisco FPR9K SM-56 Threat Defense Threat and Malware 5Y Subs

L-FPR9K-56T-TC-1Y

Cisco FPR9K SM-56 Threat Defense Threat and URL 1Y Subs

L-FPR9K-56T-TC-3Y

Cisco FPR9K SM-56 Threat Defense Threat and URL 3Y Subs

L-FPR9K-56T-TC-5Y

Cisco FPR9K SM-56 Threat Defense Threat and URL 5Y Subs

L-FPR9K-56T-TMC-1Y

Cisco FPR9K SM-56 Threat Defense Threat, Malware, URL 1Y Sub

L-FPR9K-56T-TMC-3Y

Cisco FPR9K SM-56 Threat Defense Threat, Malware, URL 3Y Sub

L-FPR9K-56T-TMC-5Y

Cisco FPR9K SM-56 Threat Defense Threat, Malware, URL 5Y Sub

Ordering Example: Cisco Firepower 9300 with ASA

Step 1: Smart Software Licensing

Before placing a Cisco Firepower 9300 order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order. More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at: https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you are able to complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account, and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Catalog > Products > Security > Cisco Firepower 9300 Series -> Search for FPR9KT-HA-BUN. Add the chassis to the cart by clicking add.

Ordering Example: Cisco Firepower 9300 with ASA

Step 3: Check the box 1.0 FPR9KT-HA-BUN and select Options.

Follow the instructions in the yellow box. First click the hardware and make the selection.

Ordering Example: Cisco Firepower 9300 with ASA 2

Step 4: Click on Edit Options in the FPR-CH-9300-AC Hardware and select the power cables, supervisor and network modules.

1.     Power Cables Selection

Ordering Example: Cisco Firepower 9300 with ASA 3

 

Ordering Example: Cisco Firepower 9300 with ASA 3

2.     Supervisor Selection

Ordering Example: Cisco Firepower 9300 with ASA4

 

Ordering Example: Cisco Firepower 9300 with ASA 5

3.     Network Module Selection

Ordering Example: Cisco Firepower 9300 with ASA6

Step 5: Add a Security Module

Add a Security Module

Step 6: Add a Subscription License

Add a Security Module 3

Step 7: Product Configuration Summary.

Product Configuration Summary

Example of Cisco Firepower Solution Configurations

Below tables show example configurations for ordering the 9300 appliances. Note that these are high-level overviews and that actual orders will include additional items. Fully populated chassis with three SM-48 Security Modules for maximum I/O capability.

Table 51.           

Part Number

Description

Quantify

FPR-C9300-AC

Cisco Firepower 9300 AC Chassis + 2 PSU + 4 fans

1

FPR9K-SUP

Cisco Firepower 9000 Series Supervisor

1

FPR9K-SM-48

Cisco Firepower 9000 Series 48 Physical Core, Security Module includes 2 SSDs

3

FPR9K-NM-4X40G

Cisco Firepower 9000 Series - 4-port QSFP+ Network Module

1

FPR9K-NM-8X10G

Cisco Firepower 9000 Series - 8-port SFP+ Network Module

1

CAB-AC-C6K-TWLK

Power Cord, 250VAC 16A, twist-lock NEMA L6-20 plug, U

1

L-F9K-ASA-SC-10=

License to add 10 Security Contexts to ASA in Cisco Firepower 9000

3

Table 52.     Chassis with one SM-40 Security Module

Part Number

Description

Quantify

FPR-C9300-AC

Cisco Firepower 9300 AC Chassis + 2 PSU + 4 fans

1

FPR9K-SUP

Cisco Firepower 9000 Series Supervisor

1

FPR9K-SM-40

Cisco Firepower 9000 Series Enterprise, 40 Physical Core, Security Module (NEBS Ready) includes 2 SSDs

1

CAB-AC-C6K-TWLK

Power Cord, 250VAC 16A, twist lock NEMA L6-20 plug, U

1

 

SKUs and Ordering Guidance for Cisco Secure Firewall Threat Defense Virtual

Cisco Secure Firewall Threat Defense Virtual is available where virtualized firewall and IPS capabilities are required, including in public cloud environments. It is the virtualized version of Firewall Threat Defense. It enables consistent security policies to follow workloads across your physical, virtual, and cloud environments, and between clouds. Complexity is further minimized with simple provisioning and a single console, the Firewall Management Center (FMC), which enables threat visibility, and automated defense, across your estate. FMC can manage both physical and virtual devices. See the Firewall Management Center section of this guide for FMC part numbers.

In Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) environments, Cisco Secure Firewall Threat Defense Virtual devices can be managed either by an on-premises FMC, or in the respective public cloud with the virtualized FMC. When deployed in AWS and Microsoft Azure environments, two licensing models are available:

      Bring Your Own License (BYOL), where an existing Threat Defense Virtual license is required.

      Hourly billing (a pay-as-you-go model) available through the AWS interface.

Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) only support the Bring Your Own License (BYOL) licensing model.

For the supported private cloud platforms and Hyper Converged Infrastructure like Cisco Hyperflex and Nutanix AHV the same licenses can be used in the BYOL model.

Cisco Secure Firewall Threat Defense Virtual enables inter-VM and east-west traffic inspection, as well as at ingress and egress points to the cloud. It is designed to address security concerns in both traditional networks infrastructures and to be optionally inserted into Cisco’s Application Centric Infrastructure (ACI) for flexible orchestration.

Firewall Threat Defense Virtual performance tiered Subscriptions

Performance tiered licensing is available starting from Firewall Threat Defense Virtual version 7.0. The new licensing model also includes Base License as a subscription. There are 6 tiers in the new performance tiered licensing model which can be ordered using the following SKU’s.

Table 53.     Cisco Secure Firewall Threat Defense Virtual Performance tiered Base Subscription and Threat, Malware and URL Filtering Subscription SKUs

Top level SKU

License

Term Subscription

Description

FTDV-SEC-SUB

1,3 and 5 Year

Cisco Secure Firewall Threat Defense Virtual Subscription

 

Term Subscription 1, 3 and 5 year

Description

FTDv 5s

FTDv 10s

FTDv 20s

FTDv 30s

FTDv 50s

FTDv 100s

FTD-V-5S-BSE-K9

FTD-V-10S-BSE-K9

FTD-V-20S-BSE-K9

FTD-V-30S-BSE-K9

FTD-V-50S-BSE-K9

FTD-V-100S-BSE-K9

Cisco Firepower TD Virtual Base License

FTD-V-5S-TMC

FTD-V-10S-TMC

FTD-V-20S-TMC

FTD-V-30S-TMC

FTD-V-50S-TMC

FTD-V-100S-TMC

Cisco Firepower TD Virtual Threat, Malware and URL Filtering License

FTD-V-5S-TM

FTD-V-10S-TM

FTD-V-20S-TM

FTD-V-30S-TM

FTD-V-50S-TM

FTD-V-100S-TM

Cisco Firepower TD Virtual Threat Protection, Malware License

FTD-V-5S-TC

FTD-V-10S-TC

FTD-V-20S-TC

FTD-V-30S-TC

FTD-V-50S-TC

FTD-V-100S-TC

Cisco Firepower TD Virtual Threat Protection, URL Filtering License

FTD-V-5S-T

FTD-V-10S-T

FTD-V-20S-T

FTD-V-30S-T

FTD-V-50S-T

FTD-V-100S-T

Cisco Firepower TD Virtual Threat Protection License

FTD-V-5S-URL

FTD-V-10S-URL

FTD-V-20S-URL

FTD-V-30S-URL

FTD-V-50S-URL

FTD-V-100S-URL

Cisco Firepower TD Virtual URL Filtering License

FTD-V-5S-AMP

FTD-V-10S-AMP

FTD-V-20S-AMP

FTD-V-30S-AMP

FTD-V-50S-AMP

FTD-V-100S-AMP

Cisco Firepower TD Virtual Malware License

Search for the top level subscription SKU – FTDV-SEC-SUB and “Add”

Ordering SPARE SKUs for existing equipment

Add Base License quantity for the tiers required

Ordering SPARE SKUs for existing equipment

Then select the tier.

Ordering SPARE SKUs for existing equipment

Select Additional features for each of Base license selected (Optional). Quantity should be aligned to Base License quantity

Ordering SPARE SKUs for existing equipment

The Service tab shows the support options available. Cisco Solution Support is the default level of support for the Base and TMC subscription. It provides 24*7 technical phone support and is the recommended level of support. Included in the subscription at no additional cost is 8*5 online support which also provides Software upgrades.

Related image, diagram or screenshot

Default term is 3 Years which can be updated by clicking on Terms tab and editing duration. Click on Save Changes

Ordering SPARE SKUs for existing equipment

Once the changes are saved, the complete configuration is displayed. There is an option to switch from Solution support to basic support

Ordering SPARE SKUs for existing equipment

Click on Save and Continue to review the complete configuration by clicking on Save and Continue. This will redirect to the main CCW screen.

Ordering SPARE SKUs for existing equipment

Please note the older non tiered license with perpetual base will continue to work with 7.0. This can be selected as FTDv – Variable license on FMC UI during registration.

Table 54.     Cisco Secure Firewall Threat Defense Virtual Perpetual Base

SKUs

Base License

Term Subscription

Description

FPRTD-V-K9

Cisco Firepower NGFWv Base License

Table 55.     Cisco Secure Firewall Threat Defense Subscription SKUs

Term Licenses

Term Subscription

Description

L-FPRTD-V-TMC=

L-FPRTD-V-TMC-1Y

Cisco Firepower NGFWv Threat Defense Threat, Malware, and URL 1YR Subscription

L-FPRTD-V-TMC=

L-FPRTD-V-TMC-3Y

Cisco Firepower NGFWv Threat Defense Threat, Malware, and URL 3YR Subscription

L-FPRTD-V-TMC=

L-FPRTD-V-TMC-5Y

Cisco Firepower NGFWv Threat Defense Threat, Malware, and URL 5YR Subscription

L-FPRTD-V-T=

L-FPRTD-V-T-1Y

Cisco Firepower NGFWv Threat Defense Threat Protection 1YR Subscription

L-FPRTD-V-T=

L-FPRTD-V-T-3Y

Cisco Firepower NGFWv Threat Defense Threat Protection 3YR Subscription

L-FPRTD-V-T=

L-FPRTD-V-T-5Y

Cisco Firepower NGFWv Threat Defense Threat Protection 5YR Subscription

L-FPRTD-V-URL=

L-FPRTD-V-URL-1Y

Cisco Firepower NGFWv Threat Defense URL Filtering 1YR Subscription

L-FPRTD-V-URL=

L-FPRTD-V-URL-3Y

Cisco Firepower NGFWv Threat Defense URL Filtering 3YR Subscription

L-FPRTD-V-URL=

L-FPRTD-V-URL-5Y

Cisco Firepower NGFWv Threat Defense URL Filtering 5YR Subscription

L-FPRTD-V-TC=

L-FPRTD-V-TC-1Y

Cisco Firepower NGFWv Threat Defense Threat and URL 1Y Subscription

L-FPRTD-V-TC=

L-FPRTD-V-TC-3Y

Cisco Firepower NGFWv Threat Defense Threat and URL 3Y Subscription

L-FPRTD-V-TC=

L-FPRTD-V-TC-5Y

Cisco Firepower NGFWv Threat Defense Threat and URL 5Y Subscription

L-FPRTD-V-TM=

L-FPRTD-V-TM-1Y

Cisco Firepower NGFWv Threat Defense Threat and Malware Protection 1Y Subscription

L-FPRTD-V-TM=

L-FPRTD-V-TM-3Y

Cisco Firepower NGFWv Threat Defense Threat and Malware Protection 3Y Subscription

L-FPRTD-V-TM=

L-FPRTD-V-TM-5Y

Cisco Firepower NGFWv Threat Defense Threat and Malware Protection 5Y Subscription

L-FPRTD-V-AMP=

L-FPRTD-V-AMP-1Y

Cisco Firepower NGFWv Threat Defense Malware Protection 1Y Subscription

L-FPRTD-V-AMP=

L-FPRTD-V-AMP-3Y

Cisco Firepower NGFWv Threat Defense Malware Protection 3Y Subscription

L-FPRTD-V-AMP=

L-FPRTD-V-AMP-5Y

Cisco Firepower NGFWv Threat Defense Malware Protection 5Y Subscription

SKUs and Ordering Guidance for Cisco Adaptive Security Virtual Appliance (ASAv)

The Cisco ASAv brings the power of ASA to the virtual domain and private cloud environments. It runs the same software as the physical ASA appliance to deliver proven security functionality. You can use ASAv to protect virtual workloads within your data center. Later, you can expand, contract, or shift the location of these workloads over time and can span physical and virtual infrastructures. The Adaptive Security Virtual Appliance runs as a virtual machine inside a hypervisor in a virtual host. Most of the features that are supported on a physical ASA by Cisco software are supported on the virtual appliance as well, except for clustering and multiple contexts. The virtual appliance supports site-to-site VPN, remote-access VPN, and clientless VPN functionalities as supported by physical ASA devices. See the ASAv data sheet for more details.

ASAv is available in both subscription and perpetual licensing models.

Table 56.     Cisco Adaptive Security Virtual Appliance (ASAv) Subscription License

Part number

Description

L-ASA-V-5S-K9=

Cisco 100 Mbps entitlement (ASAv5) subscription

L-ASA-V-10S-K9=

Cisco 1 Gbps entitlement (ASAv10) subscription

L-ASA-V-30S-K9=

Cisco 2 Gbps entitlement (ASAv30) subscription

L-ASA-V-50S-K9=

Cisco 10 Gbps entitlement (ASAv50) subscription

L-ASA-V-100S-K9=

Cisco 20 Gbps entitlement (ASAv100) subscription*

Table 57.     Cisco Adaptive Security Virtual Appliance (ASAv) Perpetual License

Cisco Adaptive Security Virtual Appliance (ASAv)

L-ASAV5S-K9=

Cisco 100 Mbps entitlement (ASAv5) selection

L-ASAV5S-STD-8

8-pack Cisco ASAv5(100 Mbps) with all firewall features licensed

L-ASAV10S-K9=

Cisco ASAv10 (1 Gbps) selection

L-ASAV10S-STD

Cisco ASAv10 (1 Gbps) with all firewall features licensed

L-ASAV10S-STD-16

16-pack Cisco ASAv10 (1 Gbps) with all firewall features licensed

L-ASAV30S-K9=

Cisco ASAv30 (2 Gbps) selection

L-ASAV30S-STD

Cisco ASAv30 (2 Gbps) with all firewall features licensed

L-ASAV30S-STD-4

4-pack Cisco ASAv30 (2 Gbps) with all firewall features licensed

L-ASAV50S-K9=

Cisco ASAv50 selection

L-ASAV50S-STD-4

4-Pack Cisco ASAv50 with all firewall features licensed

Note:      For ASAv, remote-access VPN functionality can be licensed separately as outlined in
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/guide-c07-732790.html.

Qualys Connector

The Qualys Connector is a software application that collects Qualys Guard vulnerability report data and sends it to the Cisco Secure Firewall Management Center. The Qualys vulnerability data is then aggregated with Cisco’s vulnerability information found in the host map. Customers can choose to use Cisco or Qualys vulnerability data, or both, for Impact Flag calculations and automatic rule recommendations.

Firepower Product Licensing and License Activation

      The customer logs on to https://cisco.com/go/licensing and uses the Smart Licensing feature to request a token to be installed in the FMC or FDM. This license is then applied to the Cisco Secure Firewall Management Center that is going to manage the feature or appliance.

      Exception: Cisco Secure Endpoint (formerly AMP for Endpoints) does not require an activation key at this time.

High-Availability Configurations

Type 1: Secure Firewall High-Availability

      If the customer wants high availability for sensors, two appliances are required.

      Appliances must be of the same model and generation.

      Both appliances must be identically licensed and have support.

      Licenses will be applied to the same primary Cisco Secure Firewall Management Center managing the high-availability pair.

Snort Subscriber Rule Set: Subscription Options

Personal: This subscription type is for use in a home network environment. If you’d like to purchase a subscription online using a credit card, you may do so. For a personal subscription, please go to https://www.snort.org/products to place an order. It is not available to purchase on Cisco Commerce. As you approach the expiration date, renewal by way of Snort.org is automatic for credit card orders and is part of the license agreement.

Business: This subscription type is for use in businesses, nonprofit organizations, colleges and universities, government agencies, consultancies, and other venues where Snort sensors are in use in a production or lab environment. This subscription type does not include a license to redistribute the Snort Subscriber Rule Set except as described in section 2.1 of the Rule Set license agreement.

If you’d like to purchase a Rule subscription online using a credit card, you may do so. Customers or end users who cannot purchase by credit card are requested to contact a partner or distributor who can purchase on their behalf through Cisco Commerce. If you need assistance with a quote, contact snort-sub@cisco.com. Unlike Snort.org automatic renewals, orders placed in Cisco Commerce require a manual renewal to trigger another subscription. Important: Email address of the recipient of the subscription license needs to be included on the order for electronic delivery.

For more information, visit: https://www.snort.org/products.

SKUs and ordering guidance for Cisco Security Manager

Cisco Security Manager provides scalable and centralized operations management for ASA functions, including policy and object management, event management, reporting, and troubleshooting for Cisco ASA firewall functions. The Security Manager can be used to manage:

      Cisco Firepower 1000, 3100 4100, 4200 and 9300 series platforms with ASA software.

      Cisco Secure Firewall ASA Virtual on Private and Public Cloud.

      Cisco Secure Client (formerly AnyConnect Secure Mobility Client).

Security Manager is available in two feature levels: Standard and Professional (Table 64). Enterprise customers with numerous security devices will benefit from Security Manager Professional, and customers with fewer security device deployments will find Security Manager Standard an exceptional value. For small-scale and simple deployments, the Cisco Adaptive Security Device Manager (ASDM) is available to provide on-device, GUI-based firewall network operations management for Cisco ASA deployments.

Note:      Modern server hardware is required. Please see the Cisco Security Manager data sheet for more details.

Table 58.     Cisco Security Manager models

E-Delivery Part Number

Description

L-CSMST-5-K9

Cisco Security Manager Standard - 5 Device License

L-CSMST-10-K9

Cisco Security Manager Standard - 10 Device License

L-CSMST-25-K9

Cisco Security Manager Standard - 25 Device License

L-CSMPR-50-K9

Cisco Security Manager Professional - 50 Device License

L-CSMPR-100-K9

Cisco Security Manager Professional - 100 Device License

L-CSMPR-250-K9

Cisco Security Manager Professional - 250 Device License

Cisco Security Manager Professional Incremental Device Licenses

L-CSMSTPR-U-K9

Cisco Security Manager Upgrade License from 25 Device license (Standard) to 50 Device license (Professional)

L-CSMPR-LIC-50

50 additional Devices on top of any Cisco Security Manager Professional license

L-CSMPR-LIC-100

100 additional Devices on top of any Cisco Security Manager Professional license

L-CSMPR-LIC-250

250 additional Devices on top of any Cisco Security Manager Professional license

Table 59.     Cisco Security Manager Software Application Support (SAS) SKUs

Cisco Security Manager

E-Delivery Part Number

Product Description

SKU

L-CSMST-5-K9

Cisco Security Manager Standard - 5 Device License SAS (Minor Software Updates)

CON-SAS-LSMST5K9

L-CSMST-10-K9

Cisco Security Manager Standard - 10 Device License SAS (Minor Software Updates)

CON-SAS-LSMST10K

L-CSMST-25-K9

Cisco Security Manager Standard - 25 Device License SAS (Minor Software Updates)

CON-SAS-LSMST25K

L-CSMSTPR-U-K9

Cisco Security Manager ST-25 To PR-50 Upgrade License SAS (Minor Software Updates)

CON-SAS-LCMSTPU9

Cisco Security Manager Enterprise Professional Incremental Device Licenses

L-CSMPR-50-K9

Cisco Security Manager Professional - 50 Device License SAS (Minor Software Updates)

CON-SAS-LSMPR50K

L-CSMPR-100-K9

Cisco Security Manager Professional - 100 Device License SAS (Minor Software Updates)

CON-SAS-LSMPR100

L-CSMPR-250-K9

Cisco Security Manager Professional - 250 Device License SAS (Minor Software Updates)

CON-SAS-LCMPR250

SKUs and ordering guidance for Cisco Secure Firewall Management Center

The Cisco Secure Firewall Management Center, available as a physical or virtual appliance, provides unified management of:

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 1000 Series appliances.

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 3100 Series appliances.

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 4100 Series appliances.

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 4200 Series appliances.

      Cisco Secure Firewall Threat Defense Virtual.

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 9300.

      FirePOWER module of Cisco ASA with FirePOWER Services (up until release 7.4).

      Cisco Secure Intrusion Prevention System (IPS) and Cisco Secure Firewall malware defense solutions (up until release 7.0).

      Cisco Secure Firewall Threat Defense for Integrated Services Routers (ISR).

The Firewall Management Center provides a centralized management console and event database repository. It is available in a range of physical appliance models, as a virtual appliance for private and public cloud platforms or a cloud-delivered version that is delivered via the Cisco Defense Orchestrator. One physical or virtual management appliance can manage multiple appliances as long as all the appliances are running the compatible firewall configuration.

The appropriate Firewall Management Center hardware is selected based on the firewall configuration deployed and the number of appliances and events to be monitored. Firewall Management Center 1600, 1700, 2600, 2700, 4600 and 4700 physical appliances or the Firewall Management Center virtual appliance can be used to manage Cisco ASA with Firepower Services and the Firewall Threat Defense (FTD) software image. Cisco Security Manager is required to manage ASA physical or virtual appliance firewall functionality. Cisco Defense Orchestrator delivers the cloud-delivered version of Firewall Management Center and a consistent and simplified cloud-based security policy management for ASA, ASA with FirePOWER Services, and FTD devices. For more details, visit Cisco Defense Orchestrator (CDO) home page. For CDO ordering details, visit the Guidelines for Quoting Cisco Defense Orchestrator Products.

Table 60.     Cisco Secure Firewall Management Center SKUs

Cisco Secure Firewall Management Center (Hardware) Appliances

Part Number

Product Description

FMC1600-K9

Cisco Secure Firewall Management Center 1600 Chassis, 1RU

FMC1700-K9

Cisco Secure Firewall Management Center 1700 Chassis, 1RU

FMC2600-K9

Cisco Secure Firewall Management Center 2600 Chassis, 1RU

FMC2700-K9

Cisco Secure Firewall Management Center 2700 Chassis, 1RU

FMC4600-K9

Cisco Secure Firewall Management Center 4600 Chassis, 1RU

FMC4700-K9

Cisco Secure Firewall Management Center 4700 Chassis, 1RU

Cisco Secure Firewall Management Center (Hardware) Spare

FMC-M5-PS-AC-770W=

Cisco Secure Firepower 770W AC Power Supply for FMC1600, 2600, 4600

UCSC-PSU1-1050W=

Cisco Secure Firepower 1050W Power Supply for FMC1700, 2700, 4700

For new deployments, a compatible Management Center can be ordered with Firepower 3100 Series, 4100 Series, 4200 Series, and Secure Firewall 9300 devices. For small-scale FTD deployments, Firewall Device Manager on-device manager is included (except for CSF 4200).

Note:      To manage network operations in large-scale deployments of devices running the ASA software image, using Cisco Security Manager or Cisco Defense Orchestrator is highly recommended.

SKUS and Ordering Guidance for Cisco Secure Firewall Management Center Virtual Appliance

The PAK-enabled, 2- and 10-device Firewall Management Center Virtual Appliances (FMCv) are part of a promotional offer to more cost-effectively manage FirePOWER Services or Firewall Threat Defense on small-scale deployments of low-end ASA-X Series appliances. However, the 2-, 10-, and 25-device FMCv Smart License or PAK SKUs do not have any limitations with respect to which appliances they can manage. For add-on licenses requirement for new devices on your FMCv, it is recommended to migrate to a higher FMCv model that supports additional devices.

Table 61.     Smart Licensing–enabled Cisco Secure Firewall Management Center Virtual Appliance SKUs

Cisco Secure Firewall Management Center (Software) Virtual Appliance

SF-FMC-VMW-K9

Cisco Secure Firewall Management Center, for 25 devices

SF-FMC-VMW-2-K9

Cisco Secure Firewall Management Center, for 2 devices

SF-FMC-VMW-10-K9

Cisco Secure Firewall Management Center, for 10 devices

SF-FMC-KVM-K9

Cisco Secure Firewall Management Center, for 25 devices

SF-FMC-KVM-2-K9

Cisco Secure Firewall Management Center, for 2 devices

SF-FMC-KVM-10-K9

Cisco Secure Firewall Management Center, for 10 devices

SF-FMC-VMW-300-K9

Cisco Secure Firewall Management Center, Virtual for 300 devices Firepower License

SF-FMC-VMW-25-300

Upgrade SKU from FMCv25 to FMCv300 Cisco Secure Firewall Management Center, Virtual

Note:      FMCv SKUs are not tied to specific Private or Public Cloud platforms. The SKUs listed can be used with any supported Private or Public Cloud Deployment.

Licensing Guidance for Cisco Secure Firewall Management Center

Firewall Management Center physical appliances do not require any separate management licenses. Firewall Management Center virtual appliances require only one of the licenses mentioned in the previous table based on the number of devices being managed. These licenses cannot be combined, for example, entitlement for management of four (4) managed devices, a minimum of one (1) Cisco Secure Firewall Management Center, for 10 devices is required. Use of two (2) Cisco Secure Firewall Management Center, for 2 devices licenses is not compliant for this use-case. Separate to the Firewall Management Center, the managed devices each require classic or Smart subscription feature licenses. Firewall Management Center Virtual Appliance Smart SKUs can manage any device running Firewall Threat Defense software.

IMPORTANT: For version 6.3 and later:

Enablement of strong crypto features (3DES/AES VPN) continues to happen automatically via Smart Licensing for those customers that are not subject to export restrictions or require an export license. However, those customers who are subject to export restrictions or require an export license will be asked to select a $0 strong crypto enablement key during configuration of any FMC device with version 6.3+.

For those customers who are subject to export restrictions or require an export license that upgrades an existing FMC to version 6.3+, there are spare versions of the PIDs available (those with “=” suffix).

To determine if you are subject to export restrictions or require an export license, customers can log in to CSSM and try to generate an installation token. For those customers that do NOT have export restrictions, this box will be checked by default. If you do NOT see this box or are NOT able to check the box, this means that your account is subject to export restrictions. See image below:

Create Registration Token

Table 62.     Cisco Secure Firewall Management Center strong crypto enablement SKUs

Firewall Management Center strong crypto

L-FMCVIR-ENC-K9=

Cisco Virtual FMC Series Strong Encryption (3DES/AES)

L-FMC1K-ENC-K9=

Cisco FMC 1K Series Strong Encryption (3DES/AES)

L-FMC2K-ENC-K9=

Cisco FMC 2K Series Strong Encryption (3DES/AES)

L-FMC4K-ENC-K9=

Cisco FMC 4K Series Strong Encryption (3DES/AES)

The standalone Cisco Secure Firewall Management Center is optimal for high-availability pairing. For the FMC, a high-availability or redundancy feature helps ensure continuity of operations. The secondary Management Center must be the same model as the primary appliance.

The Cisco Secure Firewall Management Center Virtual Appliance also supports High Availability on some Private and Public Cloid offerings. Use of High Availability for Cisco Secure Firewall Management Center Virtual requires an additional identical license.

Product high-availability configuration:

High availability for the Management Center

      If the customer wants high availability for the Management Center, an additional appliance is required.

      The secondary Management Center must be of the same model and generation as the primary one.

      License keys for all sensors, feature licenses (including Cisco Firepower), and subscriptions managed on the primary Management Center can be duplicated and loaded onto the secondary Management Center using the original activation keys.

High availability for the Management Center Virtual Appliance

      If the customer wants high availability for the Management Center Virtual Appliance, two (2) identical licenses (see Table 67) are required.

      High Availability support is varied across Private and Public Cloud as well as model types, please review the latest guidance provided in the Cisco Secure Firewall Management Center Administration Guide for specific information.

      High availability for the Management Center Virtual Appliance is not supported with the Cisco Secure Firewall Management Center, for 2 devices license.

Connect and protect bundle ordering

Overview

Partners can now order Cisco’s security portfolio tailored for 3 specific customer use cases: Secure Campus, Secure Branch and Secure Hybrid Datacenter. The bundles include products that address the real-world needs of each use case. The bundles are designed to simplify ordering and providing an attractive price-point.

Please contact your partner for eligibility and additional information.

Connect and Protect Offers – Included Products and Criteria

Figure 8.            

Connect and Protect Offers – Included Products and Criteria

SKUs and ordering

Adding the below to the estimate and configuring the required/optional sub-lines (“->”) by clicking “select options” for the main line, following the indicated (minimum/maximum) quantities.

The hardware selection will need to happen as a separate line-item on the estimate. First, select and configure the use-case-specific bundle:

Table 63.     Connect and Protect bundle components and options (Step 1)

Product Category

Secure Campus

Secure Branch

Secure Hybrid Datacenter

Bundle for Discount and Pre-Configuration

FPR-SECURE-CAMPUS

FPR-SECURE-BRANCH

FPR-SECURE-DC

Firewall HW

(Quantity combined

with virtual firewalls: 2-40)

FPR31XX-NGFW-K9

  L-FPR31XXT-TMC=3Y (or
  L-FPR31XXT-TMC=1Y)

FPR11XX-NGFW-K9

  L-FPR11XXT-TMC=3Y (or
  L-FPR11XXT-TMC=1Y)

FPR41X5-NGFW-K9

  L-FPR41X5T-TM=3Y (or
  L-FPR41X5T-TM=1Y)
  L-FPR41X5T-TMC=3Y (or
  L-FPR41X5T-TMC=1Y)

Technical support: Solution support must be purchased or attached appliance ordered

CON-SSSNT-xxx

CON-SSSNT-xxx

CON-SSSNT-xxx

Firewall Management

(optional)

SF-FMC-VMW-300-K9

SF-FMC-VMW-K9

Technical support: Solution support must be purchased or attached to the FMC

CON-ECMUS-XXX

SW Solution Support (Required- match the same quantity as HW or/and virtual appliance)

FPR3K-SWSUPP-ENH= (top level)

 

CON-SWC1-TMC33XX

FPR1K-SWSUPP-ENH=

 

CON-SWS1-TMC11XX

FPR4K-SWSUPP-ENH=

 

CON-SWS1-TMC41X5

AnyConnect

(Quantity: minimum 250)

L-AC-APX-LIC=

L-AC-APX-LIC=

L-AC-APX-LIC=

Next, configure the remaining items required for the respective bundles:

Table 64.          Connect and Protect bundle components and options (Step 2)

Product Category

Secure Campus

Secure Branch

Secure Hybrid Datacenter

Bundle for Discount and Pre-Configuration

FPR-CAMPUS-SUB

FPR-BRANCH-SUB

FPR-DC-SUB

Virtual Firewalls

(Quantity combined with

hardware firewalls: 2-40)

FTDv-SEC-SUB

  FTD-V-50S-BSE-K9 (or
  FTD-V-30S-BSE-K9 or
  FTD-V-100S-BSE-K9)
  SVS-FTDV-SEC-S

FTDv-SEC-SUB

  FTD-V-30S-BSE-K9 (or
  FTD-V-50S-BSE-K9 or
  FTD-V-100S-BSE-K9)
  SVS-FTDV-SEC-S

FTDv-SEC-SUB

  FTD-V-100S-BSE-K9 (or
  FTD-V-50S-BSE-K9)
  SVS-FTDV-SEC-S

CDO tenant if needed

CDO-SEC-SUB

  CDO-BASE-LIC
  SVS-CDO-SUP-B

CDO device license with unlimited logging and 90 days retention (Quantity matching firewall quantity if CDO management selected)

CDO-ML-FP31xx-LIC

CDO-ML-FP11xx-LIC

CDO-ML-FP41x5-LIC

DNS Essentials

or

UMB-SEC-SUB

  UMB-[DNS or SIG]-ESS-K9 (quantity: minimum 250)

NA

DNS Advantage (optional upgrade to DNS Essentials)

UMB-[DNS or SIG]-ADV-K9 (quantity: minimum 250)

  SVS-UMB-SUP-S or SVS-UMB-SUP-E or SVS-UMB-SUP-P

Secure Workload

(optional)

NA

NA

C1-TAAS-SW-K9

  C1TAAS-WD-FND-k9
  SVS-TAAS-WP

MINT Security

(optional)

MINT-SECURITY

  MINT-SECURITY-SVW

For additional information regarding the ordering of Umbrella / DNS essentials or advantage, also see the Umbrella ordering guide.

Additional resources

Cisco Commerce

Cisco Commerce is the primary tool used for ordering Cisco products and new services offered on the Cisco Price List. Three main steps are involved in creating an order: creating a quick quote, converting a quote to an order, and submitting an order.

Cisco Commerce Software Subscriptions and Services (CCW-R) is used to quote, order, and manage your service contracts and software subscriptions. Use CCW-R to create new or renew Technical Services (TS) and software subscription (Term-and-Content) quotes, submit approved orders, and manage your contracts.

Cisco Capital Financing

The significant benefits offered by the Cisco Firepower 9300 make it the natural choice for service provider security and provisioning. As with any technology investment, the question is whether the new system is affordable. The answer is Cisco Capital financing. We can give customers the financing solution that works best for them. We offer both flexible repayments to help mitigate cash flow issues and operating leases to help negate capital expenditures.

Cisco Capital can help remove or reduce the barriers preventing organizations from obtaining the technology they need. Total solution financing programs help customers and partners:

      Achieve business objectives.

      Accelerate growth.

      Acquire technology to match current strategies and future needs.

      Remain competitive.

Cisco Capital also helps your customers achieve financial goals such as optimizing investment dollars, turning capital expenditures into operating expenses, and managing cash flow. And there’s just one predictable payment. Cisco Capital operates in more than 100 countries, so regardless of location, customers and partners have access to a trusted means to secure Cisco products and services.

For more information about Cisco Capital financing, visit the following sites:

      For channel partners: https://www.ciscocapital.com/.

      For Cisco sales staff: https://wwwin.cisco.com/FinAdm/csc/.

 

Learn more