
ASA5512 Active/Standby with Firepower services

I have two ASA5512X firewalls in Active/Standby mode.

We now want to enable the FirePOWER subscription (TAMC): IPS and Apps Updates plus URL Filtering and AMP Subscription.

My customer does not want to buy the subscription for the standby firewall.

He needs the standby firewall to do only firewalling, routing and VPN in the event of a failure.

Is it technically possible?

1 Accepted Solution

Marvin Rhoads
Hall of Fame

Technically it would work. The service policy would still direct the traffic through the FirePOWER module that's unlicensed (the base FirePOWER software would have to be installed but without any license or policies from FMC).


Thanks Marvin for your response.

You're welcome. Please mark your question as answered if it has been. 

Hello Marvin,

I'm in exactly the same situation: buying a license for a standby firewall seems pretty useless (in my case).

You said that technically it will work, but is this asymmetric configuration officially supported?

Is it possible that TAC would refuse to troubleshoot a potential issue in this configuration?

Thanks

Marc

It's not an issue of TAC support. From the point of view of the FireSIGHT Management Center, you have two separate managed ASAs, each with a different set of policies applied.

The problem is that your desired security level - with intrusion, URL and potentially file (AMP) policies - cannot be applied to a module without the prerequisite license. So you need to make two sets of policies - one for the fully licensed module and one for the partially licensed module. Depending on what licenses you have on the latter, your security protection may suffer during a failover scenario until you've restored the primary unit to operation.

Operationally you could go in and "unlicense" the failed module and apply that license to the operational one and then reapply the more secure policy set. That's a lot more headache and opportunity for human error than is advisable for most customers though.

Thank you for your answer, Marvin!

I have 2 ASA 5525X FirePOWER added to my FireSIGHT manager. I added FireSIGHT host and User license, and 2 Malware Licenses for ASA5525, but my devices' License Type shows "Unlicensed".

I don't know where to start fixing this, I'm with SourceFire stuff.

I don't know, maybe I'm missing something

Please help

Hi Sandile,

You need to edit the device and add the license that you have uploaded to the Management Centre. 

Hi Sandi,

Please add the PROTECT+CONTROL license for the ASA5525, there should be a PAK sent along with the device. Please register the PAK to obtain the license for "PROTECT+CONTROL".

- DD

The PAKs I got gave me only the licenses you see on the images. Part number L-ASA5525-TAMC

Sandile,

The Protect+Control PAK is delivered as a paper PAK in the box with the appliance. It is a zero cost item delivered with all FirePOWER modules. If it has been misplaced, the vendor can call it up on the Cisco ordering system.

You need to redeem that PAK and apply the license as a prerequisite for any of the other licenses. 

Hi Marvin,

Thank you for your input. Perhaps this is a matter of semantics with the words licensing vs subscription, which is why I need clarification. I have two ASA5512X Appliances with FirePower Services (ASA5512-FPWR-K9) in Active/Standby mode. I am now looking to purchase the necessary subscription, specifically "Cisco ASA with FirePOWER Services IPS, Advanced Malware Protection and URL Subscription" (Mfg. Part#: L-ASA5512-TAMC-1Y). Do I need to purchase a quantity of two subscriptions - one for each appliance? In other words, do I need to purchase a subscription for the standby unit? Thank you!

@KK Admin,

 

Yes - both the Active and Standby units require their own subscription.

abjohnson
Level 1

I have the same situation. This answer is helpful. Thanks
