Cisco Secure Firewall License Types
Cisco Secure Firewalls (formerly Cisco Firepower) can provide security along with consistency and without reducing network speed. Cisco FTD contains various features, which can be managed by Cisco FMC and FDM and must be enabled using different licenses, which we explain in this article.
Essentially, a Base license is automatically included with every purchase of a Firepower Threat Defense (FTD) or Cisco FTDv device. The Base license allows you to:
- Configure your FTD devices (including routing, switching, DHCP relay and NAT)
- Configure an FTD HA pair
- Configure security intra-chassis clustering (within an FPR 9300 and FPR 4100)
- Implement user and application control rules
Except in deployments using Firepower Universal licenses, Base licenses are automatically added to the Firepower Management Center for every Firepower Threat Defense device you register.
A Malware license leverages Cisco Advanced Malware Protection (AMP) with AMP for Networks and Cisco Threat Grid for Firepower Threat Defense devices. Using this feature, you can use FTD devices to detect and block malware in files transmitted over your network.
Note: Customers can purchase the Malware (AMP) service subscription as a stand-alone subscription or in combination with Threat (TM) or Threat and URL Filtering (TMC) subscriptions. Also, registering the device using a Cisco PLR license enables this feature permanently.
An FTD Threat license lets you perform:
- Intrusion detection and prevention: Analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
- File control: Detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols.
- Security Intelligence filtering: Block (deny traffic to and from) specific IP addresses, URLs, and DNS domain names before the traffic is subjected to analysis by access control rules.
Note: Customers can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware (TM), or both (TMC). In addition, a Cisco FMC PLR license enables this feature permanently on the FTD devices.
URL Filtering Licenses
The FTD URL Filtering license permits you to write ACP (Access Control Policy) rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs.
Note: Customers can purchase the URL Filtering (URL) service subscription as a stand-alone subscription or in combination with Threat (TC) or Threat and Malware (TMC) subscriptions. Moreover, a Cisco FTD PLR license enables this feature permanently.
Customers can add category and reputation-based URL conditions to ACP without a URL Filtering license, though the Firepower Management Center will not download URL information. You cannot deploy the access control policy until you first add a URL Filtering license to the Firepower Management Center, then enable it on the devices targeted by the policy.
Customers can use the FTD device to configure remote access VPN using the Cisco AnyConnect Secure Mobility Client (AnyConnect) and standards-based IPSec/IKEv2.
This feature can be enabled after purchasing and enabling one of the following licenses:
- FTD AnyConnect Plus
- AnyConnect Apex
- AnyConnect VPN Only
Note: A Cisco FMC Universal offline license activates these features permanently on the FTD devices.
FTD Export-controlled functionality
Due to national security, foreign policy, and anti-terrorism laws and regulations, export-controlled features require specific entitlements.
Note: A Cisco FTD PLR license can enable all these features permanently.
Universal vs. SLR Licenses
Generally, Universal Permanent License Reservation (Universal PLR or UPLR) allows perpetual, unlimited use of supported Firepower products, including all optional licenses. However, Specific Permanent License Reservation (Specific PLR or SPLR) requires the same number and types of licenses as standard Smart Licensing.
Note: Customers must work with their Cisco representative to enable Universal Permanent License Reservation (PLR) mode in their Cisco Smart Software Manager (CSSM) account.
In PLR mode, features that require access to the internet, such as file policies, URL lookups, or contextual cross-launch to public web sites, will not work. In addition, customers need to manually upload updates to the Geolocation Database, Intrusion Rules, and Vulnerability Database (VDB).