Obtain the License Key for a Firepower Device and a Firepower Service Module
Mar 09, 2016
In order to generate a Classic License for any Firepower service, a License Key is necessary. You can use a Firepower Management Center (FMC) or an Adaptive Security Device Manager (ASDM) to determine the license key. This document describes the steps to obtain the License Key for a Classic License from both user interfaces - FMC and ASDM.
Obtain the License Key
Using the Firepower Management Center (FMC)
Using the Adaptive Security Device Manager (ASDM)
-- DD (Sourcefire Acquisition Business Analyst)
The DC License key is:
the asa 5506-x is a piece of JUNK
poor license process
i have unlimted interaces yet the gui wont let me use more than two
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
it states that the mgmt if and int 1/2 should be on the same subnet
on the gui you get a subnet overlap error if using the same subnet
the later short document is inconsistent
w.r.t. to firepower access
my ASDM is never able to access or load the firepower modeule
i try to apply my PAK . it tells me i need a virtual mgmt appliance to get a key (;
there is a known bug in the lastest version of ASDM (7.51), downgrade ASDM 7.43 in order to provision multiple interfaces on the ASA platform.
We have Physical and Virtual Defense Center in SourceFire,
Physical DC License PIDs: FS750-FSIGHT-LIC=, FS1500-FSIGHT-LIC=, FS3500-FSIGHT-LIC=
Virtual DC License PIDs : FS_VMW-SW-K9
For many new technologies such as this, we deploy the system multiple times before the production deployment on-prem for the client. I'm using their ASA, but a vDC (virtual Defense Center) is being used to manage the SFR module.
How difficult is it to re-host a license? I need to be able to configure the module in our pre-deployment lab but if I use the client's license key for this purpose than it's locked to our very temporary vDC instance. Once I spin up the client's vDC, I won't be able to register the PAC again to its serial # and will have to 're-host' the license. Are there any eval/demo licenses that I can leverage rather than re-host?
You can create Demo/EVAL licenses by using the Internal License generation tool,
I am getting an error (activation key reqd) while generating license file on "keyserver.sourcefire.com", I have license keys for the sensor but don't have the activation key, do i need to use serial number in place of activation key, since there is no activation key for 8000 series and DC 1500.
Any help will be appreciated ?
Are these PAKs created from CISCO, if so then you need to register them on Cisco licensing tool rather than SourceFire Keyserver.
i have just received my brand new ASA5506-X and trying to register the product.
i have the PAK but i dont know how to log in to "Defense Center" to get the License Key!
appreciate your help
It's an official document from cisco but wasn't helpful for me.
I have two, brand new 5506-X and on Step 2 (Assign to a Target Device) after entering PAK I get "Invalid License Key"... and everything stops here.
I don't want to use FirePower/SourceFire/whatever right now. I just want to register my ASA and obtain Security Plus license and proceed with failover config!
Probably I use a wrong manual but anyway - I'm going to open a Support Case and wait for their recommendation.
Networld-ITS - I hope you resolved this by now but in case you haven't, the "Defense Center" is either an external Defense Center / FireSIGHT Management Center appliance (or VM) OR - in the case of ASA 5560 / 5508 and 5516 - it can be the FireSIGHT section withing ASDM GUI for those platforms.
So for your ASA 5506 just log into ASDM and get the license key from it. See screenshot below. (I have blacked out my ASA's license key value.)
i.popov01 - It sounds like you may be using the PAK for FireSIGHT features and not the Security Plus license PAK.
Thank you for a comment Marvin.
I found where my misconception starts and Cisco TAC land me to same point:
1. When you log into ASDM, do you see 3 ASA FirePOWER tabs on the home screen?
2. If yes, please skip this step. If no, please answer the following
- Have you performed the initial ip configuration of the module?
- Is the management interface of the ASA plugged in?
3. If you see the 3 ASA FIrePOWER tabs, then you are able to communicate with the module. To find the license key, please do the following:
- From ASDM
- Select Configuration
- Select ASA FirePOWER Configuration (left hand pane)
- You should see the ASA FirePOWER Configuration options in the left hand pane
- Select the option Licenses
- A new page will load
- Select Add New License in the upper right hand corner of the new page
- You will now see your license key
Thank you for sharing this! after wasting 1 hour by googling around due to lack of proper documentation I found your post. And it did the trick.
Unlike 5510 onwards Appliances, Mgmt port on this firewall is only for FirePOWER feature and it has to be connected and routable to the interface from where you are connected to ASDM and then you have to run the wizard to configure FirePOWER IP by running firewall wizard (or cli). Only then you will be able to see the extra tab as mentioned in Cisco doc and Marvin in this thread.
Here's a fun one: I'm stuck on step 2.5. I have a Firepower tab on the home screen, but no ASA Firepower Configuration option on the Configuration screen. Any thoughts?
Do you have the Firepower module installed completely on the device ?
Can you make sure that the management interface is up on the ASA ?
Please verify that the user id has at least privilege 15. The user id needs high enough privilege to access the FirePOWER components.
Rate if it helps !
Also if the module has been registered to a FirePOWER Manager, then ASDM will not show the FirePOWER configuration or monitoring options - only the module status on the home page.
i need urgent assistance on this issue of license key. the ASA firepower tab is showing up, but under configuration i can't find ASA firePower configuration tab. so, i am stuck in generating the license key for my ASA 5506-X appliance. i want to generate license for url filtering. i don't know if there is another way of doing this. Kindly find the attached of the screenshots of the challenge.
I will really appreciate your feedback, i am seriously running out of time.
it appears your FirePOWER module either has not been completely setup ( module IP address, gateway etc.) or else your ASDM session cannot reach the module via its IP address. The information appearing in the home tab is retrieved from the main ASA software and the configuration (and monitoring) tabs require IP connectivity to the module.
Many thanks for your response. I am using the device mangement IP address to reach the asdm. Is there any special way to configure FirePOWER module IP address, apart from interfaces IP addresses?
Please refer to the ASA FirePOWER module Quick Start Guide.
Both the ASA and the FirePOWER module need to have distinct management addresses. The module uses the physical management interface only. The ASA can use that one as well ( with its own different address as long as it's in the same subnet) or any other physical interface. Both interfaces addresses must be configured and accessible from your client running ASDM for the FirePOWER configuration and monitoring functions to be displayed in ASDM.
If you are using local credentials, make sure you have the following configured on the ASA a username name with privilege 15 and you must have configured AAA authorization, than reload the ASDM and the tab will show up.
username cisco password cisco123 privilege 15
aaa authorization command LOCAL
This is the go to page for licensing the asa 5506-x? A blog forum, really?
It is very unprofessional,looping through the registartion tool and back again. Very frustrating. Can any vendor get the licensing part smooth?
Cisco Support Community, while hosted by Cisco, is contributed to by mostly non-Cisco volunteers who give freely of their time to help the greater community.
If you have an operational issue requiring direct support, there are a variety of options to get such support via the Cisco TAC and partners.
SUre thing. Strange that the quick start process sends everyone to this forum as their point of reference to learn what to do. Very surprised.
I have registered my interest for the firepower demo lic, I received the email.
It says to rgister my control lic first via go/license.
after performing a cli show activation-key detail. I
1/ entered my PAK that came with the 5506-x
2/ copied my lic from the key detail command
3/ received the frustrating error of 'error occured, invalid request or your session may have expired.