
Cisco Employee

SourceFire - How to get License Key of the Defense center

Obtain the License Key for a Firepower Device and a Firepower Service Module

Document ID: 200376

Updated: Mar 09, 2016


Contents

Introduction

Obtain the License Key

Using the Firepower Management Center (FMC)

Using the Adaptive Security Device Manager (ASDM)

Related Documents

Introduction

In order to generate a Classic License for any Firepower service, a License Key is necessary. You can use a Firepower Management Center (FMC) or an Adaptive Security Device Manager (ASDM) to determine the license key. This document describes the steps to obtain the License Key for a Classic License from both user interfaces - FMC and ASDM.

Obtain the License Key

Using the Firepower Management Center (FMC)

If the device is managed by the Firepower Management Center, follow the steps below to find the License Key:

  1. Log in to the Firepower Management Center.
  2. Navigate to System > License > Classic Licenses.

Note: If the FMC is running a version prior to 6.x, navigate to the System > License page.

  3. Click on Add New License.
  4. From the screen, obtain the License Key.

Using the Adaptive Security Device Manager (ASDM)

If the device is managed by the Adaptive Security Device Manager, follow the steps below to find the License Key:

  1. Select the Configuration option that is located at the top of the window.
  2. Select the ASA FirePOWER Configuration option which is located at the bottom of the left pane.
  3. Select the License option from the middle of the left pane.
  4. Click the Add New License button to obtain the License Key.

 


 

-- DD (Sourcefire Acquisition Business Analyst)

29 REPLIES
Cisco Employee

The DC License key is:

•Unique identifier which locks the license to a node
•Consists of the Defense Center Product Name Code and its MAC ID
•License Key will be found on the installed Defense Center
 
-Merv Reyes
Licensing PM
 
 
 
New Member

the asa 5506-x is a piece of JUNK

poor license process

i have unlimited interfaces yet the gui won't let me use more than two

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual

poor documentation

it states that the mgmt if and int 1/2 should be on the same subnet

on the gui you get a subnet overlap error if using the same subnet

the later short document is inconsistent

w.r.t. to firepower access

my ASDM is never able to access or load the firepower module

i try to apply my PAK . it tells me i need a virtual mgmt appliance to get a key (;

New Member

there is a known bug in the latest version of ASDM (7.51), downgrade ASDM 7.43 in order to provision multiple interfaces on the ASA platform.

Cisco Employee

DD,

Can you tell me what are the Product IDs for the Sourcefire Defense Center?

 

Thanks,

Merv Reyes

Cisco Employee

We have Physical and Virtual Defense Center in SourceFire,

Physical DC License PIDs: FS750-FSIGHT-LIC=, FS1500-FSIGHT-LIC=, FS3500-FSIGHT-LIC=

Virtual DC License PIDs : FS_VMW-SW-K9

 

For many new technologies such as this, we deploy the system multiple times before the production deployment on-prem for the client. I'm using their ASA, but a vDC (virtual Defense Center) is being used to manage the SFR module.

How difficult is it to re-host a license? I need to be able to configure the module in our pre-deployment lab but if I use the client's license key for this purpose then it's locked to our very temporary vDC instance. Once I spin up the client's vDC, I won't be able to register the PAC again to its serial # and will have to 're-host' the license. Are there any eval/demo licenses that I can leverage rather than re-host?

Kind Regards, Kevin Sheahan, CCIE # 41349
Cisco Employee

Hi,

You can create Demo/EVAL licenses by using the Internal License generation tool,

http://wwwin-tools.cisco.com/SWIFT/SSCSLT/viewIntPubKeyGen.action?subGroup=SFIRETERMFEAT&keytype=PUBLICINTERNAL

Thanks,

DD

New Member

DD,

The Internal License generation tool link doesn't work for me; is there another?

 

Thanks,

JS

New Member

I am getting an error (activation key reqd) while generating license file on "keyserver.sourcefire.com", I have license keys for the sensor but don't have the activation key, do i need to use serial number in place of activation key, since there is no activation key for 8000 series and DC 1500.

Any help will be appreciated ?

 

Regards,

Akhtar

Cisco Employee

Hi,

Are these PAKs created from CISCO, if so then you need to register them on Cisco licensing tool rather than SourceFire Keyserver.

 

Thanks,

DD

New Member

i have just received my brand new ASA5506-X and trying to register the product.

i have the PAK but i don't know how to log in to "Defense Center" to get the License Key!

appreciate your help

New Member

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-license.html#pgfId-2268682

It's an official document from cisco but wasn't helpful for me. 

I have two, brand new 5506-X and on Step 2 (Assign to a Target Device) after entering PAK I get "Invalid License Key"... and everything stops here.

I don't want to use FirePower/SourceFire/whatever right now. I just want to register my ASA and obtain Security Plus license and proceed with failover config!

Probably I use a wrong manual but anyway - I'm going to open a Support Case and wait for their recommendation.

 

Hall of Fame Super Silver

Networld-ITS - I hope you resolved this by now but in case you haven't, the "Defense Center" is either an external Defense Center / FireSIGHT Management Center appliance (or VM) OR - in the case of ASA 5560 / 5508 and 5516 - it can be the FireSIGHT section within the ASDM GUI for those platforms.

So for your ASA 5506 just log into ASDM and get the license key from it. See screenshot below. (I have blacked out my ASA's license key value.)

i.popov01 - It sounds like you may be using the PAK for FireSIGHT features and not the Security Plus license PAK.

 

New Member

Thank you for a comment Marvin.

I found where my misconception starts and Cisco TAC land me to same point:

 

1. When you log into ASDM, do you see 3 ASA FirePOWER tabs on the home screen?

2. If yes, please skip this step. If no, please answer the following

 - Have you performed the initial ip configuration of the module?

 - Is the management interface of the ASA plugged in?

3. If you see the 3 ASA FirePOWER tabs, then you are able to communicate with the module. To find the license key, please do the following:

 - From ASDM

 - Select Configuration

 - Select ASA FirePOWER Configuration (left hand pane)

 - You should see the ASA FirePOWER Configuration options in the left hand pane

 - Select the option Licenses

 - A new page will load

 - Select Add New License in the upper right hand corner of the new page

 - You will now see your license key

New Member

Hello i.popov01,

 

Thank you for sharing this! after wasting 1 hour by googling around due to lack of proper documentation I found your post. And it did the trick.

Unlike 5510 onwards Appliances, Mgmt port on this firewall is only for FirePOWER feature and it has to be connected and routable to the interface from where you are connected to ASDM and then you have to run the wizard to configure FirePOWER IP by running firewall wizard (or cli). Only then you will be able to see the extra tab as mentioned in Cisco doc and Marvin in this thread.

New Member

Here's a fun one: I'm stuck on step 2.5. I have a Firepower tab on the home screen, but no ASA Firepower Configuration option on the Configuration screen. Any thoughts?

Cisco Employee

Hi,

Do you have the Firepower module installed completely on the device ?

Can you make sure that the management interface is up on the ASA ?

Please verify that the user id has at least privilege 15.  The user id needs high enough privilege to access the FirePOWER components.

Thanks,

Pujita

Rate if it helps !

Hall of Fame Super Silver

Also if the module has been registered to a FirePOWER Manager, then ASDM will not show the FirePOWER configuration or monitoring options - only the module status on the home page.

New Member

Yeah, I overlooked you guys talking about that further up this thread. Have it working now. Thanks!

New Member

Hi Mavin,

i need urgent assistance on this issue of license key. the ASA firepower tab is showing up, but under configuration i can't find ASA firePower configuration tab. so, i am stuck in generating the license key for my ASA 5506-X appliance. i want to generate license for url filtering. i don't know if there is another way of doing this. Kindly find the attached of the screenshots of the challenge.

I will really appreciate your feedback, i am seriously running out of time.

Thanks.

Hall of Fame Super Silver

Olag,

it appears your FirePOWER module either has not been completely setup ( module IP address, gateway etc.) or else your ASDM session cannot reach the module via its IP address. The information appearing in the home tab is retrieved from the main ASA software and the configuration (and monitoring) tabs require IP connectivity to the module. 

New Member

Hi Mavin,

Many thanks for your response. I am using the device management IP address to reach the asdm. Is there any special way to configure FirePOWER module IP address, apart from interfaces IP addresses?

Thanks.

Hall of Fame Super Silver

Please refer to the ASA FirePOWER module Quick Start Guide. 

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Both the ASA and the FirePOWER module need to have distinct management addresses. The module uses the physical management interface only. The ASA can use that one as well ( with its own different address as long as it's in the same subnet) or any other physical interface. Both interfaces addresses must be configured and accessible from your client running ASDM for the FirePOWER configuration and monitoring functions to be displayed in ASDM. 

New Member

Many thanks Mavin.....I just glance through the doc. It should be helpful.

I will update you.

New Member

If you are using local credentials, make sure you have the following configured on the ASA: a username with privilege 15, and you must have configured AAA authorization; then reload the ASDM and the tab will show up.

username cisco password cisco123 privilege 15

aaa authorization command LOCAL

Regards,
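
The prerequisites named in this thread (a local user with privilege 15, "aaa authorization command LOCAL", and distinct ASA and module management addresses) can be checked before opening ASDM. The following is an added example, not code from any poster or from Cisco; the function name, its parameters and the documentation-range addresses are assumptions, and the sample input is constructed.

```python
import ipaddress
import re

# Constructed sample: CLI lines as typed, modelled on the two commands
# quoted in the thread (not taken from a real device).
SAMPLE_CONFIG = """\
username cisco password cisco123 privilege 15
username helpdesk password Example-Only-9 privilege 5
aaa authorization command LOCAL
"""

# Tolerates extra keywords between the password value and "privilege".
USER_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+(\S+)(?:\s+\S+)*?\s+privilege\s+(\d+)$")

# The literal pair quoted in the thread: a placeholder that must not
# survive into a deployed configuration.
THREAD_SAMPLE = ("cisco", "cisco123")


def check_prereqs(config_text, asa_mgmt, module_mgmt, shares_mgmt_port=True):
    """Return a list of findings; an empty list means every check passed.

    asa_mgmt / module_mgmt are "address/prefix" strings. All names here are
    hypothetical, chosen for this example.
    """
    findings = []
    lines = [line.strip() for line in config_text.splitlines()]
    users = [m.groups() for m in map(USER_RE.match, lines) if m]

    if not any(int(priv) == 15 for _, _, priv in users):
        findings.append("no local user with privilege 15")
    if "aaa authorization command LOCAL" not in lines:
        findings.append("aaa authorization command LOCAL is missing")
    if any((name, pw) == THREAD_SAMPLE for name, pw, _ in users):
        findings.append("sample credential from the thread is in use")

    asa = ipaddress.ip_interface(asa_mgmt)
    module = ipaddress.ip_interface(module_mgmt)
    if asa.ip == module.ip:
        findings.append("ASA and module share one management address")
    # The same-subnet rule applies when both use the physical management port.
    if shares_mgmt_port and asa.network != module.network:
        findings.append("management addresses are in different subnets")
    return findings


if __name__ == "__main__":
    for finding in check_prereqs(SAMPLE_CONFIG, "192.0.2.10/24", "192.0.2.11/24"):
        print("FINDING:", finding)
```
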

New Member

This is the go to page for licensing the asa 5506-x? A blog forum, really? 

It is very unprofessional, looping through the registration tool and back again. Very frustrating. Can any vendor get the licensing part smooth?

Hall of Fame Super Silver

Evan,

Cisco Support Community, while hosted by Cisco, is contributed to by mostly non-Cisco volunteers who give freely of their time to help the greater community.

If you have an operational issue requiring direct support, there are a variety of options to get such support via the Cisco TAC and partners. 

New Member

Sure thing. Strange that the quick start process sends everyone to this forum as their point of reference to learn what to do. Very surprised. 

Cheers, 

New Member

I have registered my interest for the firepower demo lic, I received the email. 
It says to register my control lic first via go/license. 

after performing a cli show activation-key detail. I 

1/ entered my PAK that came with the 5506-x

2/ copied my lic from the key detail command

3/ received the frustrating error of 'error occured, invalid request or your session may have expired.

Help anyone?
