[Cisco Firepower(ASA)] How to deal with Smart Licensing [Offline/PLR]

Firewall (UTM)

Operation confirmation environment

  • Firepower 2100 series
    • ASA OS 9.16.x

Smart Licensing Support in Firepower

Firepower also requires license management with Smart Licensing.

Like other Cisco models, it has both online and offline options, but be aware that the method also differs depending on whether the Firepower uses his ASA or FTD OS.

As of March 2023, other models do not support the mainstream Smart Licensing Using Policy, so basically it will be an old-fashioned smart licensing method.

The following describes Smart Licensing workarounds in Firepower for the following conditions:

  • ASA OS
  • Offline method

Understanding Offline Method in Firepower (ASA OS)

For other Cisco models, the offline method in the old smart licensing method was the license reservation method (SLR: Specific License Reservation).

However, in Firepower (ASA OS), SLR is not available.

Instead, it is necessary to use a method called PLR (Permanent License Reservation).

In order to adopt PLR, a special license is required. Therefore, if you choose to use this method, you must ensure that the appropriate licenses have been purchased.

PLR processing flow

No.OperationManager
1Enabling Smart License Reservation on your deviceConstruction manager
2Issuing a Reservation Request Code on the deviceConstruction manager
3Issuing a Reservation Authorization Code with CSSMCustomer
4Enter Reservation Authorization Code on deviceConstruction manager
5Activate the function on the deviceConstruction manager

PLR handling procedure details

① Enabling Smart License Reservation on the device

Enable Smart License Reservation by executing the following command in global configuration mode.

  • ciscoasa(config)# license smart reservation

② Issuing a Reservation Request Code on the device

Issue the request code by executing the following command in privileged mode.

  • ciscoasa# license smart reservation request universal

Execution example:

ciscoasa# license smart reservation request universal
Enter this request code in the Cisco Smart Software Manager portal:
UDI: PID:FPR-2100,SN:JADxxxxxxxx
    Request code: CB-ZFPR-1010:JADxxxxxxxx-BhfSxxxxx-xx

The Request code: above is the Reservation Request Code.

③ Issuing a Reservation Authorization Code with CSSM

Distribute the Reservation Request Code issued in step 2 to the customer.

Then ask the customer to enter the Reservation Request Code on CSSM to get the Reservation Authorization Code.

④ Enter Reservation Authorization Code on device

After receiving the Reservation Authorization Code from the customer, execute the following command.

  • ciscoasa(config)# license smart reservation install <Reservation Authorization Code>

If the code is successfully submitted, the prompt will return without any particular log output.

Check the current license status with the show license all command.

ciscoasa# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED
License Reservation is ENABLED

Registration:
Status: REGISTEREDUNIVERSAL LICENSE RESERVATION
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Feb 10 2022 12:34:56 UTC

License Authorization:
Status: AUTHORIZEDRESERVED on Feb 10 2022 12:34:56 UTC

—-omit—-

License Usage
======================

No licenses in use

⑤ Activate the function on the device

Here is an example of activating only the standard Tier Standard license.

Additional settings may be required depending on the model and functions used, so please check the official manual for details.

Configure with the following command.

  1. ciscoasa(config)# license smart
  2. ciscoasa(config-smart-lic)# feature tier standard
  3. ciscoasa(config-smart-lic)# end

This completes the PLR handling.

Check license status

Check the status with the show license all command.

ciscoasa# show license all

Smart Licensing Status
======================

Smart Licensing is ENABLED
License Reservation is ENABLED

Registration:
Status: REGISTEREDUNIVERSAL LICENSE RESERVATION
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Feb 10 2022 12:34:56 UTC

License Authorization:
Status: AUTHORIZEDRESERVED on Feb 10 2022 12:34:56 UTC

—-omit—-

License Usage
======================

(FIREPOWER_2100_ASA_STANDARD): <—— Displays license information
Description:
Count: 1
Version: 1.0
Status: AUTHORIZED
Export status: NOT RESTRICTED
Reservation:
Reservation status: UNIVERSAL INSTALLED]

—-omit—-

In the case of Failover redundancy configuration, License Usage will be displayed as No licenses in use on the Standby side device, but license information will be displayed in License Usage when switched to Active.

References

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.16 - Licenses: Smart Software Licensing [Cisco Secure Firewall ASA]
Licenses: Smart Software Licensing
www.cisco.com

Firepower(ASA) Configuration Information Summary
Telnet/SSH management access settings and notes on Firepower (ASA) Firepower(ASA) Configuration Tips How ...
network-knowledge.work
2022.11.03
スポンサーリンク

Comments

Copied title and URL