Buyer's Guide: Hybrid Workplace Solutions (2025) - Verdantix

09 Jun.,2025

 


Cisco Network Security Ordering Guide

Introduction

Purpose

This document describes ordering Cisco physical, virtual, and containerized network security solutions, including:

● Cisco Secure Firewall Threat Defense (FTD).

● Cisco Secure Firewall Adaptive Security Appliance (ASA).

● Cisco Firepower Series, Series, and Series Appliances (which can run either FTD or ASA software).

● Cisco Secure Firewall Series, Series and Series Appliances (which can run either FTD or ASA software).

In addition, this guide details the process of enabling extended logging and analytics for both FTD and ASA platforms as well as Cisco ISE Passive Identity Connector (ISE-PIC) for identity integration into FTD.

This guide will help you make sure that the right quantities and types of parts are selected to reduce the risk of order rejection.

Audience

This guide is intended for Cisco sales, partners, and distributors.

Scope

This document covers orderability for the following products, associated licenses and options:

Cisco Secure Firewall (Both Firewall Threat Defense and ASA software).

● Hardware appliances (Cisco Firepower or Cisco Secure Firewall appliances).

● Virtualized and containerized appliances (FTDv, ASAv).

Firewall management solutions

Cisco Secure Firewall Management Center (formerly Firepower Management Center): provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. Quickly and easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks. Firewall Management Center is available in all form factors – physical appliance, virtual appliance, public cloud and cloud-delivered (software as a service model).

Cisco Defense Orchestrator helps you establish and maintain a security posture by managing security policies across Cisco security devices. Cisco Defense Orchestrator also incorporates the cloud-delivered version of Secure Firewall Management Center. As a cloud service, it is an always-available, highly reliable, highly scalable, multitenant platform.

Cisco Defense Orchestrator provides management of security policy, objects and configuration for Cisco Adaptive Security Appliance and Cisco Secure Firewall Threat Defense (formerly Next-Generation Firewalls, or NGFW). Also supported are the Meraki MX Firewalls and AWS Security Groups for pure policy and object management. Configuration management for these platforms is still available through their native user interface.

Note:  For the Cisco Defense Orchestrator Ordering Guide, please click here.

Cisco Security Manager software is an on-premise centralized management platform for Cisco Adaptive Security Appliances (ASA), enabling consistent policy enforcement, troubleshooting, and summarized reports.

Optional Software

● Cisco Secure DDoS Protection (formerly Radware Virtual DefensePro DDoS Mitigation).

● Cisco Secure Client (formerly Cisco AnyConnect Secure Mobility Client).

Support

● Cisco Smart Net Total Care appliance support services.

● Cisco Software Application Support plus Upgrades (SASU).

Note:  Any order for a service will be subject to the detailed terms and conditions presented in this guide.

Selecting the Appropriate Management Solution

Several management solutions are available to manage Cisco Secure Firewalls. Use these guidelines to choose the best one, or ask a Cisco expert for advice.

Choosing the right management solution is tied to a few factors:

● The software image you select, either Firewall Threat Defense (FTD) or ASA software image.

● Willingness to use a cloud-based solution for management.

● Need for specific features or environment scale.

Local managers are included with both software options for single firewall deployments:

● ASDM is included with the ASA software image.

● Firewall Device Manager (FDM) is included with the Firewall Threat Defense software image for all supported appliance models (Cisco Firepower Series, Series and Series; Cisco Secure Firewall Series and Series).

The Cisco Secure Firewall Threat Defense software image enables centralized management with either an on-premise, virtual or cloud based manager - Cisco Secure Firewall Management Center.

Cisco Defense Orchestrator unites management across Cisco security solutions and incorporates the cloud-delivered version of Secure Firewall Management Center. This makes Cisco Defense Orchestrator the best option for customers who want to use a cloud based solution for the management of ASAs, FTDs or a mix of ASAs and FTDs from a single pane of glass.

Devices running the ASA software can be managed centrally with the Cisco Security Manager (on-premise) or Cisco Defense Orchestrator (Cloud).

If a customer wants to manage multiple ASA with FirePOWER Services devices centrally, then two managers are required: Firewall Management Center for threat functions and Cisco Security Manager for firewall functions.

The following table can help guide you in which manager to select with your firewall order.

Manager selection matrix

Licensing

Smart Licensing is Cisco’s licensing system. It enables customers to easily move licenses themselves between similar systems in their organization, overcoming limitations associated with previous device-locked Product Authorization Key (PAK)-based licenses. Become familiar with the new Smart Software Licensing portion of the ordering process.

End customers must create a Smart Licensing account on Cisco’s Smart Software Manager portal before ordering the Cisco Secure Firewall Threat Defense software or certain ASA appliances. Alternatively, Cisco or a partner can help create the Smart Licensing account on behalf of the end customer. The Smart Software Manager portal is available for customers to manage the efficient use of purchased smart licenses. When the order is placed, all ordered licenses are added to the customer’s Smart Licensing account.

Table 1. Product licensing by product type

With the Cisco Smart License Manager, the customer can connect devices to the Smart Software Manager portal, so purchased licenses can be consumed as needed. These licenses can be relinquished back to the portal when a device is powered down or a user is finished using the license. With Smart Software Licensing, customers can easily check in and check out licenses to use on different platforms. Licenses are no longer locked to a specific platform.

A Smart Account can be created from Cisco Software Central. For more information on setting up a Smart Account, please refer to this Smart Licensing Deployment Guide.

Table 2. Additional Smart Licensing training, resources and support are available here

ASA and Firewall Threat Defense License Terminology

This guide consistently uses the license terminology used in the Cisco Commerce tool. As of ASA 9.19.1 and FTD 7.3, new licensing terminology appears in the user interfaces of the management platforms. The differences are only in naming and are not different licenses per se.

Table 3. License terminology differences between Cisco Commerce and the user interfaces of the management platforms

Cisco Secure DDoS Protection (Radware vDefensePro) Licensing

Licensing of the vDP and Vision will be administered directly by Radware. Once the order is shipped, Radware will send an email to the customer with their serial numbers. Please note the email address of the person on the customer order who will receive the email. These serial numbers will be needed along with the MAC address for either vDP and/or Vision after installation. If the email with the serial numbers cannot be found, please open a TAC case to get them reissued.

For detailed licensing instructions, please refer to Radware License Generator.

High Availability Pair Licensing

Cisco requires two (2) subscriptions for a High Availability (HA) pair of appliances running Firewall Threat Defense software image, which is configured for active-passive operation. The models available with this optional configuration include:

● Cisco Firepower Series

● Cisco Secure Firewall Series

● Cisco Secure Firewall Series

● Cisco Firepower Series

● Cisco Secure Firewall Series

● Cisco Firepower Series

● Cisco Secure Firewall Threat Defense Virtual appliances (except Public Cloud)

● Cisco ASA Virtual appliances (except Public Cloud)

We now offer specially configured bundle SKUs that enable the purchase of a high availability pair of physical appliances and software subscriptions that includes 50% discounted pricing for the second software subscription in the two-appliance bundle.

The bundle consists of:

● Two (2) identically configured hardware appliances

● Two (2) identical software subscriptions

A 50% discount will be automatically applied to the second software subscription in the bundle. See the specific model section in this document for the appropriate bundle PID.

Renewing HA Bundle Software Subscriptions

The 50% pricing discount also applies to HA bundles at time of renewal.

Cisco Secure Client Licensing

Cisco Secure Client (formerly AnyConnect Plus, Apex, and VPN Only) licenses are required to use the Remote Access VPN (RA VPN) functions on all firewalls (physical and virtual) running the Secure Firewall ASA or Secure Firewall Threat Defense code base.

For information on purchasing Cisco Secure Client licenses and sharing the licenses with your Smart Account, please see the Cisco Secure Client Ordering Guide.

Instructions can also be found in the Cisco Secure Client License FAQ.

Service and Support Offerings

Software Application Support Plus Upgrades (SASU)

Cisco Secure Firewall Threat Defense software, ASA with FirePOWER Services, ASA firewall, and Cisco Secure Firewall Management Center security licenses include software subscription support. SASU is essential to keeping your business-critical applications available, highly secure, and operating at optimal performance. For the term of your software subscription licenses, you will receive timely, uninterrupted access to the latest software updates and major upgrade releases, which may contain significant architectural changes and new features and functions. With software subscription support, you will have the latest software working to protect your business. You will also have access to a wide range of online tools and communities that can help you solve problems quickly, maintain business continuity, improve your competitiveness, and make the most of limited resources through increased productivity.

This support entitles customers to the services listed here for the full term of the purchased software subscription:

● Software updates and major upgrades, to keep applications performing optimally with the most current feature set.

● Access to the Cisco Technical Assistance Center (TAC), which provides fast, specialized support.

● Online tool building, to expand in-house expertise and boost business agility.

● Collaborative learning, to provide additional knowledge and training opportunities.

No additional products or fees are required to receive these services with a software subscription.

Cisco SASU includes:

● Registered access to Cisco.com.

● 24-hour access to the Cisco TAC and Cisco software specialists.

● Maintenance and minor software release updates.

● Major software upgrade releases.

Please refer to the following link for more detailed information regarding Cisco SASU:
https://www.cisco.com/en/US/services/ps/ps/services_at_a_glance_sas_sasu.pdf.

Cisco Smart Net Total Care Service

Customers require a Cisco Smart Net Total Care support contract with each appliance to download application signature updates. The Smart Net Total Care Service gives customers access to an abundance of Cisco support tools and expertise, providing them with greater network availability and performance while reducing operating costs. Technical service is required to be attached at the point of the product sale so that customers get the necessary support and entitlement and the best possible return on investment. When ordering Threat Defense software on select ASA hardware, ASA with FirePOWER Services, the Management Center, or Cisco SSL hardware in Cisco Commerce, the appropriate Smart Net Total Care service items are automatically added to your quote.

The Cisco Smart Net Total Care Service provides:

● Global 24-hour access to the Cisco TAC.

● Access to the online knowledge base, communities, and tools.

● Current hardware replacement option: next business day, where available.

● Operating system software updates.

● Smart, proactive diagnostics and real-time alerts on devices enabled with Cisco Smart Call Home.

Please refer to the following link for more detailed information regarding Cisco Smart Net Total Care Service: https://www.cisco.com/en/US/products/svcs/ps/ps/ps/serv_group_home.html.

Cisco Advanced Services

The Cisco Global Security Solutions team provides comprehensive assessment, design, deployment, and migration assistance through the Cisco Advanced Services Transaction (AS-T) model, which involves the use of a Statement of Work (SOW). These Cisco AS-T offers are custom scoped and priced, and partners need to engage a Cisco Services account manager to purchase them.

Cisco Security Plan and Build Services help customers develop and deploy a comprehensive security strategy they can rely on to deliver the industry's most comprehensive advanced threat protection solution. This service incorporates a best-practice review, deployment, and mini-tune-up to help ensure that the system is alerting properly.

Cisco Security Migration Services help customers move from existing Cisco Sourcefire or competitive environments. Cisco performs an analysis of the current environment, develops a migration plan, tests the plan in a lab, and performs the migration in the production environment.

To order the customized Cisco Security Plan and Build Services and Migration Services, use the Cisco AS-T part numbers in the table below.

Table 4. Cisco AS-T ordering information

Cisco Technical Services

Cisco Technical Services for Cisco products can be quoted and ordered in Cisco tools, including the Cisco Service Contract Center (SCC) and Cisco Commerce (CCW). Tool use varies depending on the service offer and partner type and whether the service is attached at the time of product purchase.

Partner Supported Services (PSS)

Customers who choose to purchase Partner Supported Services (PSS) from an authorized Cisco partner are also entitled to download application signature updates.

For more details, visit https://www.cisco.com/go/partnerservices and
the Partner Support Service Global Ordering Guide for Cisco 1-Tier Partners.

Cisco Talos Incident Response

Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare for, respond to and recover from a cyber security breach. CTIR enables 24-hour emergency response capabilities and direct access to Cisco Talos, the world's largest threat intelligence and research group.

You can order and transact CTIR while ordering specific Cisco Firepower 4K and 9K Series master bundles. This will provide you yet another option to create a stronger security posture and stay protected in case of a security breach. The CTIR PID will be auto-attached based on product order size. The auto-attached SKU can be removed and is not mandatory.

Table 5. CTIR option available in Cisco Firepower master bundles

To learn more on CTIR, click here.

SKUs and ordering guidance for Cisco Secure Firewall Appliances

Introduction

Scope: This section describes the pricing and ordering for the following products:

● Cisco Firepower Series

● Cisco Secure Firewall Series

● Cisco Secure Firewall Series

● Cisco Firepower Series

● Cisco Secure Firewall series

● Cisco Firepower Series

About the Cisco Secure Firewall Appliances

Cisco firewall appliances, when deployed as Layer 3, 4, and 7 firewall sensors, use the Cisco Secure Firewall Threat Defense software image. The Cisco Secure Firewall Management Center provides unified management for firewall and dedicated IPS. The on-device Firewall Device Manager is also available with Secure Firewall Threat Defense software. Alternatively, the Cisco Secure Firewall with Adaptive Security Appliance (ASA) software image is also supported on the Cisco Firepower and Secure Firewall platforms. When running the ASA software image, the ASDM on-device manager is available. Cisco Firepower and series appliances are also available with the Cisco Secure DDoS Protection. Alternatively, all Secure Firewalls are available with cloud-based Cisco Secure DDoS Protection.

Cisco Firepower Series Appliances

The Cisco Firepower Series is a family of threat-focused security appliances for branch, Distributed Enterprise and Internet Edge deployments. The Series hardware delivers superior threat defense, with greater throughput than earlier models such as the ASA--X, ASA--X and ASA--X. The Series is available with ASA and FTD software images.

Chassis Overview: Cisco Firepower

Chassis Overview: Cisco Firepower and

Chassis Overview: Cisco Firepower

Cisco Secure Firewall Series Appliances

The Cisco Secure Firewall Series is a family of threat-focused security appliances for the distributed enterprise. It extends high levels of inspection to branch locations to enable direct internet connectivity and SD-WAN.

The Series includes three compact models (CE, CP, CX) that can be installed in a variety of configurations (wall-mounted, on a desktop, rack-mounted, in a suitable cabinet). The family also includes three 1U rack-mount models (, , ) for larger branches.

Chassis Overview: Cisco Secure Firewall Series – Compact Models

Chassis Overview: Cisco Secure Firewall Series – Rack-mount Models

Cisco Secure Firewall Series Appliances

The Cisco Secure Firewall Series is a family of threat-focused security appliances. The Series addresses emerging hybrid mid-market and high-end use cases from the Internet edge to the data center, providing superior performance at a highly competitive price point.

Chassis Overview: Cisco Secure Firewall Series

Cisco Firepower Series Appliances

The Cisco Firepower Series comprises four threat-focused security appliances. The Series addresses use cases from the Internet edge to the data center. The Series hardware delivers superior threat defense, at faster speeds, with a smaller footprint. Also, the Cisco Firepower Series enables an upgrade path, on the customer’s timeline, to the Cisco Secure Firewall Threat Defense software, even if the customer chooses the ASA image in the immediate term.

Chassis Overview: Cisco Firepower Series

Cisco Secure Firewall Series Appliances

The Cisco Secure Firewall Series is a high-end firewall designed to meet the security requirements of large enterprises, datacenters, and service providers. It is available in three different performance models, offering superior threat defense within a compact 1 RU form factor. Key features and benefits of the appliance include:

● Cryptographic acceleration architecture preserves performance with SSL and VPN decryption.

● Save space and energy with 1RU form factor.

● Future-proof your investment with 16x node cluster.

● Flexibility of 2x interface module bays for additional interface support.

● Customize and future proof investment up to 400G interfaces.

● 2x SSD for event storage and malware analysis.

● Uptime/resilience with dual management interfaces.

● Fail-to-wire network modules, further enhancing its reliability and fault tolerance.

These platforms can be deployed in both firewall and dedicated IPS modes, providing versatile deployment options. For inline sets and passive interfaces, the Series supports Q-in-Q (stacked VLAN) with the ability to handle up to two 802.1Q headers in a packet.

Chassis Overview: Cisco Secure Firewall Series

Cisco Firepower Series Appliances

The Cisco Firepower is a modular, scalable, carrier-grade appliance, available in Network Equipment Building System (NEBS) configurations, designed for service providers, data centers, campuses, supercomputing centers, high-frequency trading environments, and other environments requiring both low latency and the greatest throughput. In the service provider context, it is specifically designed for carriers, content providers, and cloud service providers to protect the Cisco Evolved Programmable Network, Cisco Evolved Services platform, and Cisco Application Centric Infrastructure architectures.

For more information, please see Cisco service provider security solutions.

Tightly integrating threat-centric security services from Cisco and its partners, the appliance lowers integration costs and supports the full realization of highly secure, open, and programmable networks. In addition to providing class-leading security services, it offers low (less than 5-microsecond) latency, throughput for single flows exceeding 30 Gbps, and class-leading performance and port density on a per-rack-unit basis.

Chassis Overview: Cisco Firepower

Special Guidelines for Quoting the Cisco Firepower

Cisco Firepower ordering is highly customizable, and options are offered separately. You’ll nevertheless find the ordering process straightforward.

The following table shows the four core components of a Cisco Firepower order.

Table 6. Components of a Cisco Firepower order

Common hardware is bundled. However, your customer may wish to order extra fans and power supplies with the initial order, as these are hot-swappable, user-replaceable items. Please note that every order will require at least one, and up to three, Security Modules. Network Modules are also ordered separately.

Regarding software licenses, keep in mind that the Cisco Firepower runs either the ASA software image or the Cisco Secure Firewall Threat Defense image. Also, please note that the Encryption license is export controlled. It is available for most markets, to customers in countries where U.S. export control permits the export of strong cryptography.

For more information, visit export compliance details.

In the third-party software category, Cisco Secure DDoS Protection (Radware Virtual DefensePro DDoS-mitigation capability) has been tightly integrated into the Cisco Firepower and Series with ASA software, and is orderable from and supported directly by Cisco.

ASA Licensing for Cisco Firepower Appliances

The appliance, Series, Series, Series, and Series are available with either the Cisco Secure Firewall Threat Defense (FTD) image or the Cisco Adaptive Security Appliance (ASA) image. Cisco Firepower appliances with ASA are available through Smart Licenses. They include a Base license and up to three optional licenses (Encryption, Security Contexts, and Carrier).

Base License (Free)

L-F9K-ASA(=) (for the Cisco Firepower ), L-FPR-ASA(=) (for the Cisco Firepower Series models), L-FPR-ASA(=) (for the Cisco Secure Firewall Series models), or L-FPR-ASA(=) (for the Cisco Firepower Series models) and FPR42xx-BSE (for the Cisco Secure Firewall Series models): Licensing on the ASA is simplified for the Cisco Firepower appliances. More than 50 ASA feature licenses are condensed into a single license. This license also includes the following security contexts by default: 10 security contexts for Firepower , 10 security contexts for Firepower Series, 10 security contexts for Secure Firewall , 2 security contexts for Secure Firewall Series and 2 security contexts for Firepower Series.

Encryption License (Free)

L-F9K-ASA-ENCR-K9(=) (for the Cisco Firepower ), L-FPR4K-ENC-K9(=) (for Cisco Firepower Series models), L-FPR3K-ENC-K9(=) (for Cisco Secure Firewall Series models) or L-FPR1K-ENC-K9(=) (for Cisco Firepower Series models) and FPR-ENC-K9/ L-FPR-ENC-K9= (for Cisco Secure Firewall Series models): This license provides for strong encryption (K9) on the platform. The U.S. export of strong cryptography is not available to export-restricted regions. Cisco solutions and products with strong encryption may not be delivered to individuals or entities on the U.S. government's list of denied or restricted parties.

Please review the U.S. Bureau of Industry and Security's list of parties of concern at:
https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern.

Additional Security Contexts (Paid)

L-F9K-ASA-SC-10(=) (for the Cisco Firepower ), L-FPR4K-ASASC-10(=) (for the Cisco Firepower Series models), L-FPR3K-ASASC-10(=) (for the Cisco Secure Firewall Series models), FPR-ASASC-10/ L-FPR-ASASC10= (for the Cisco Secure Firewall Series models): This license adds 10 security contexts to an ASA instance on the appliance, appliance, appliance, appliance respectively.

Carrier License Option (Paid)

L-F9K-ASA-CAR(=) (for the Cisco Firepower ) or L-FP4K-ASA-CAR= (for Cisco Firepower Series models), FPR42K-ASA-CAR/L-FPR42-ASA-CAR= (for Cisco Secure Firewall Series models), or L-FPR3K-ASA-CAR= (for Cisco Secure Firewall Series models): This license covers carrier feature enablement that allows for inspection of Diameter, GTP/GPRS and SCTP protocols.

Cisco Secure Firewall Threat Defense Licensing for Cisco Firepower Appliances

Figure 2, provided for general reference only, shows the typical order flow. Start with the primary bundle part numbers and the software image (ASA or Firewall Threat Defense), and then, in the case of the example, associated Cisco Secure Firewall Threat Defense–related licenses and subscriptions for functionality like Security Intelligence and IPS (“T”), Advanced Malware Protection (“M”), and URL Filtering (“C”). This example concludes with ordering the associated virtualized Cisco Secure Firewall Management Center. Note that Cisco Secure Firewall Threat Defense ships standard with the option to activate a 3-month trial license without activation of a Smart License account.

Figure 2. Typical order flow

Ordering Steps for Cisco Firepower , FTD-Based Cisco Firepower

Start with one of the following FTD Bundle SKUs in CCW; the example shown above is FPR9K-FTD-BUN.

Select Hardware Options and Quantity.

Chassis Type – AC, DC, or HVDC.

Chassis Options including Netmod, Sup, SFPs, power cables.

Security Module Quantity - up to 3 per chassis.

Select Subscriptions - T=, URL=, AMP=, TC=, TM=, TMC=.

Select Term – 1, 3 or 5 years.

Select Base Software License for each security module.

You can add additional features to the system. For example, starting with FTD release 7.3, you can add Carrier License to Firepower (FPR3K-FTD-CAR), Firepower (FPR4K-FTD-CAR), Firepower (FPR9K-FTD-CAR) and FTD virtual (FTDV-CAR) configurations. This license covers inspection of Diameter, GTP/GPRS and SCTP protocols.

Save and exit bundle configuration and select quantity of each bundle configured. Each bundle corresponds to a single-chassis configuration. After saving the configuration, you can change quantity for more than one chassis with the same configuration.

Cisco ISE Passive Identity Connector (ISE-PIC)

Due to End-of-Life for the Cisco Firepower User Agent, FTD requires the use of either Cisco Identity Services Engine (ISE) or Cisco ISE Passive Identity Connector (ISE-PIC) in order to control policy based on Active Directory user. This section describes the procedure for ordering Cisco ISE Passive Identity Connector (ISE-PIC).

For information on how to order Cisco Identity Services Engine (ISE), please see the Cisco ISE Licensing Guide.

The Cisco Identity Services Engine (ISE) Passive Identity Connector centralizes, consolidates, and distributes identity information, including IP addresses, MAC addresses, and usernames. It centralizes the authentication information, becoming the single source of truth for its subscribers. Using the Cisco Platform Exchange Grid (pxGrid), the Cisco ISE Passive Identity Connector can support up to 20 subscribers. Further details on the capabilities of the Cisco ISE Passive Identity Connector (ISE-PIC) can be found on the Cisco ISE Passive Identity Connector Data Sheet.

Table 7. Cisco ISE-PIC ordering information

Note:  You may be entitled to ISE-PIC at no cost if you have a qualifying FMC and valid support contract. For more information see End-of-Life and End-of-Support for the Cisco Firepower User Agent.

Cisco Security Analytics and Logging

This section describes the procedure to enable extended logging and analytics by ordering Cisco Security Analytics and Logging as part of your firewall purchase. The detailed ordering process is described here.

The Security Analytics and Logging offer has two distinct delivery mechanisms:

Security Analytics and Logging (SaaS): A cloud-delivered, Software-as-a-Service (SaaS) offering with a Cloud Data Store.

Security Analytics and Logging (On prem): An on-premises appliance-based software application with an On-premises Data Store.

Discounted Bundling When Attaching with Firewall Subscriptions via CCW

a.   Begin by navigating to the firewall model to be ordered (FPR-NGFW-K9, for example).

b.   Make your software choice under the “Subscriptions” category at the top (wherever present) and navigate to the “Extended Logging and Analytics” category below.

c.   You are presented with two options to the right: “On-Premises Data Store” or “Cloud Data Store.” Only one option can be selected per firewall being ordered, with either the same or different subscription term as the firewall subscription.

d.   The “Cloud Data Store” option allows selection of either the Logging License, SEC-LOG-CL, or the “Logging Analytics License,” SEC-ANYL-CL. Only one option needs to be chosen, as the Logging License is nested under Logging Analytics. Both Cloud licenses include access to a Cisco Defense Orchestrator tenant for log viewing only, which can be requisitioned using the link here:
https://www.ciscofeedback.vovici.com/se/6AA75C69D114.

e.   Choosing either of the two data store options will attach a default logging volume in GB/day for that firewall model, based on expected daily volume per the Logging Volume Estimator Tool. Logging rate comes with a default retention of 90 days rolling storage for Cloud Logging.

f.   The last three optional licenses are Data Retention extensions, which extend log retention to 1, 2, or 3 years in the cloud.

g.   If SAL (Op) is desired, the “On-Premises Data Store” tab allows choosing the base Logging and Troubleshooting license, SEC-LOG-OP. This license supports remote query by FMC and is hosted on SNA appliance(s), as detailed in section 1.2.2.

h.   The process for bundling extended logging and analytics for Firewall FPR9K series devices is different, because the Security Modules (SM) configured as part of the order determine the logging quantity required. The logging quantities needed are 190, 225 and 257 GB/day for each SM-40, SM-48 and SM-56 respectively, and this quantity needs to be entered manually for the extended logging and analytics licenses. The system will display a warning of the logging quantities required for each Security Module, as shown below:

Expected Retention Period

The expected retention period for the SAL service under average deployment conditions (see note below table) is as follows:

Table 8. Retention Matrix

Note:  The on-premises log retention in days above is based on average deployment conditions, and may vary materially in different production environments.

Cisco Secure DDoS Protection (formerly Radware Virtual DefensePro DDoS Mitigation Option)

Overview

Cisco Secure DDoS Protection is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco. It is available with the Cisco Firepower and select Cisco Firepower Series models running either the ASA or FTD software image. The following table details Firepower model and software image compatibility with Radware vDP.

Table 9. Cisco Secure DDOS Protection (Radware vDP) on Cisco Firepower running either ASA or FTD software image

Performance

The performance figures in the tables below apply to all Cisco Firepower and Series model configurations running either the ASA or FTD software image.

Table 10. Key DDoS performance metrics for Cisco Firepower Series

The performance figures in the following table are for Cisco Firepower with 1 to 3 Security Modules irrespective of Security Module type.

Table 11. Key DDoS performance metrics for Cisco Firepower with 1, 2, or 3 Security Modules

Capacity vs. Licensing

Performance/Capacity/Throughput is dependent on the number of cores assigned to the vDP virtual device:

● By default, Radware virtual DefensePro (vDP) installs using 6 cores (1 management, 5 software) across each of Cisco Firepower ’s Security Modules and Series platforms.

● At install, the number of cores assigned to vDP can be adjusted from 2 to 10 to optimize the throughput performance of the Cisco Firepower appliance, depending on customer need.

● While using the default 6 cores, the performance numbers for vDP are constant across platforms. The table below represents the relative performance level expected from ASA and FTD by removing 6 cores from the total available cores on the respective platforms (i.e. 24 cores minus 6 equals 75% of the total performance still available).

Table 12. Expected ASA or FTD image performance with 6 of the available cores assigned to vDP

Licensing is based on the amount of legitimate traffic, not the capacity of the VM to process information.

● Purchase vDP licenses based on the amount of the client’s peak legitimate traffic flow.

● This approach differs from other vendors that charge based on attack volume. Radware licenses are based on known legitimate traffic rather than an unknown attack volume.

Figure 3. Capacity vs. licensing

Example 1: Client has a 10-Gbps WAN link with a daily peak traffic flow of 2-Gbps.

● Purchase a 2-Gbps license or higher if the traffic is expected to increase in the near future.

● vDP will be able to mitigate a DDoS attack up to the capacity of the WAN link’s 10-Gbps, after which a cloud scrubbing solution will have to take over at the ISP level.

◦ Radware can be set up to automatically notify a cloud scrubber to take over.

◦ Radware’s Emergency Response Team (ERT) can assist in configuring vDP for each customer as part of the standard Cisco ECMU support contract for vDP.

◦ Radware cloud availability on GPL is on the roadmap.

Warning: Do not over-purchase or over-quote the client’s throughput needs. License is based on clean traffic only, not the capacity of the VM.

The vDP Software Licenses and Support SKUs

The following tables outline the product information and SKUs for ordering. Cisco is only OEMing the Virtual License for Radware Manager Vision. Customers may want additional Manager Options that are provided directly by Radware.

Table 13. vDP spare SKUs: May be ordered separately

Table 14. Regular SKUs: Orderable with the Cisco Firepower platform

Notes:

● Radware vDP licenses are based on legitimate traffic. Please refer to this deck for more details: Cisco Secure DDoS Protection

● L-RDWR-APV-VA includes both APSolute Vision with Security Reporter – 10 vDP

● The CON Service SKUs should automatically be added to the cart with a 12-month term

● Cisco will provide Level 0/1 to determine whether the problem is with Cisco Firepower or vDP. All vDP issues will be escalated to Radware.

● Radware vDP clustering is currently only supported in the Cisco Firepower intrachassis configuration. This is clustering of multiple security modules (SM-40, SM-48, SM-56) within the same Cisco Firepower chassis.

● For High Availability (HA), Active-Active and Active-Standby modes are supported.

● Radware Vision Manager is a Virtual License and needs to be installed on its own server, not the Cisco Firepower platform. For version 4.6, VMware ESXi 5.1, 5.5, 6.0, 6.5, 6.7, 6.7U2 or VMware Workstation 8 or 11 are supported. Please check Cisco Secure Firewall Radware DefensePro DDoS Release Notes for details.

Cisco Secure DDOS Protection (Radware vDP) Ordering Steps

Ordering SPARE SKUs for existing equipment:

Spare SKUs (which start with “L” and end with an “=” sign) are provided to allow you to order the vDP software license for existing equipment. These are the L-FPR-RVDP-10G=, 5G=, and 2G=, respectively.

● Go to the Cisco Commerce home page.

● Create a new estimate or edit an old one.

● In the “Search by SKU” box, paste in one of the SPARE SKUs. Or click on the “Find Products and Solutions” link to the right of the “Search by SKU” box.

● Typing in “Radware” in search box will return all active Radware SPARE SKUs.

Figure 4. Find products and solutions

● Once you find the SKU you need, then click the ‘+’ sign to add it to the cart.

● Next click on the “Edit Service/Subscription” link and set the term of the service contract.

Figure 5. Edit service/subscription

A 12-month (1y) ECMU contract is selected by default, but that can be increased up to 60 months (5y).

Note:  As of this writing, you have to visit the Edit Service/Subscription link and click done to accept the default 12-month service contract. Otherwise, the cart will produce an error.

If you do not already own Radware Vision Manager, please add to your order SKU: L-RDWR-APV-VA=. This is the Radware Manager Vision and Security Reporter with support for 10 vDP instances.

Secure Workload Ordering Steps in Firewall Bundle

Ordering SPARE SKUs for existing equipment

A Workload SKU is provided to allow you to order workload within a firewall bundle, securing a multi-product discount. The SKU is C1-TAAS-XX-SW-K9 and is available for Firepower and bundles.

● Go to the Cisco Commerce home page.

● Select the firewall bundle to be ordered, for example FPR-FTD-HA-BUN.

● Click “Select Options” for the bundle to open the configurator.

● Open the “Secure Workload” section on the left-hand side and add the license C1-TAAS-XX-SW-K9 to the bundle.

● Finalize the bundle configuration and proceed with the purchase.

Firewall Disk Retention Service/Subscription Ordering Steps

Disk Retention service allows customers to keep firewall/FMC disks during RMAs.

● Go to the Cisco Commerce home page

● Select the Firewall/FMC product to be ordered and add it to cart

● Click on “Edit Service/Subscription” link

● Search for "DR" in the "Service Options" section. It will show the list of all disk retention service PIDs available for the product

● After selecting the service option click on “Apply” to confirm the service

Cisco Secure Firewall Small Business Edition License Pack

Overview

To meet the real-world needs of small businesses, Cisco Secure Firewall Small Business Edition is tailor-made to simplify security. Secure Firewall Small Business Edition licenses are available in 2 types and can be ordered at the time of hardware purchase or as a standalone license.

Table 15. Small Business Edition – Included Feature Set

Platforms available

Table 16. Small Business Edition – Product Series Availability

*requires CDO-SEC-SUB-Cisco Defense Orchestrator XaaS Subscription

SKUs and Ordering

Table 17. Small Business Edition – Part Numbers

Ordering Steps for Cisco Secure Small Business Edition

Start with one of the Firepower SKUs, for example - FPR-NGFW-K9.

Select “Edit Options”.

Select Subscription for Small Business Edition or Small Business Edition Lite: FPRT-SBE or FPRT-SBE-L.

Select Country.

Save and exit configuration.

Ordering Steps for Cisco Secure Small Business Edition for Distributors

Start with the following SKU in CCW: FPR-SEC-TERM.

Select Subscription for Small Business Edition or Small Business Edition Lite: FPRT-SBE or FPRT-SBE-L.

Save and exit configuration.

Ordering vDP with the Cisco Secure Firewall Platform

The non-spare versions of the SKUs are available options when ordering the or Cisco Firepower platform.

● Go to Cisco Commerce: https://apps.cisco.com/Commerce/home.

● Create a new estimate or edit an old one.

● Add Cisco Firepower or as desired (example is of a ) and configure appropriately.

Figure 6. Configuration options for Cisco Firepower platform

The Radware vDP SKUs are available under “Feature Licenses.” When configuring a Firepower , you will need 1 license of equal size for each blade.

Figure 7. Feature licenses

When you make your selection, you will see that the Service Contract and the Right-to-Use licenses are automatically added to the cart. As with the SPARE license, you can change the length of the service contract by clicking the “Edit Service/Subscription” link. You will find the ECMU contract under the selected Radware SKU.

If you do not already own Radware Vision Manager, please add to your order SKU: L-RDWR-APV-VA=. This is the Radware Manager Vision and Security Reporter with support for 10 vDP instances.

Links and Resources for Radware vDP

For Cisco internal questions, please send an to:

For Radware specific questions, please go to Cisco Technology Partnership with Radware.

Ordering the Cisco Firepower Series

The following tables outline the product part number information for the Cisco Firepower Series. Table 18A and 18B provide the top-level part numbers for chassis running ASA or Firewall Threat Defense software. Note that threat defense subscriptions can only be added to chassis running Firewall Threat Defense software.

Table 18A.  Series Chassis Part Numbers

Table 18B.     Series ASA Licenses

Table 19. Series Accessories

Note:  Use these part numbers if the customer is ordering spare assemblies or mounting accessories

SKUs for Series Licenses and Subscriptions

When ordering a Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with discounts applied to multi-year terms. In the listed part numbers, the threat services are identified as follows:

Table 20. Threat Subscription Details

Table 21. Cisco Firepower Series License Part Numbers for Configurations with the Cisco Secure Firewall Threat Defense Image

Table 22. Cisco Firepower Series Subscription Part Numbers for Configurations with the Firewall Threat Defense Image

Ordering Example: Cisco Firepower with FTD

Step 1: Smart Software Licensing

Before placing a Cisco Firepower order, the end customer must have a Cisco Smart Licensing account.

For information about Smart Accounts and instructions on how to create an account, visit:
https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Catalog -> Products -> Security -> Firewalls -> Cisco Firepower Series.
Select “Configure” for the FPR-NGFW-K9

The chassis is added to the cart along with the software subscription. By default, the 3 Year FPR-TMC license will be added to the configuration.

Step 3: Follow the instructions in the yellow box. First, click the power cables link and make the cable selection in the next screen.

Step 4: After cable selection, if there is a requirement for extended logging and analytics, click on Extended logging and analytics on the configuration summary and add the cloud logging option along with the data retention SKU.

Step 5: After completing the selection of the Extended logging and analytics, click “Done” to complete the configuration. An alert message appears to inform the user of the selected configuration. Click “Done” to proceed to the summary screen.

Step 6: After clicking Done, the product configuration summary page will appear with all the selections.

Ordering the Cisco Secure Firewall Series

The following tables provide product part numbers for the Cisco Secure Firewall Series. Start by selecting an appliance, then review the available options. Spare components and accessories can also be ordered separately.

Table 23. Series Appliances – Compact models

Table 24. Series Accessories – Compact Models

Table 25. Series Appliances – 1U rack-mount models

Table 26. Series Accessories – 1U rack-mount models

Threat Defense subscriptions provide signature updates for Series appliances with FTD software. Subscriptions are available with 1-year, 3-year and 5-year terms. Select a subscription package first, then select a subscription term.

A-la-carte subscription licenses can be ordered separately, or for renewals. A-la-carte part numbers are prefixed with L-, for example “L-CSFCET-T=” is the stand-alone equivalent of “CSFCET-T”

Table 27. Series Threat Defense Subscriptions

SKUs and Ordering for Cisco Secure Firewall Series

The following tables provide part numbers for the Cisco Secure Firewall Series.

Table 28. Series chassis part numbers

Table 29. Series ASA software license SKUs

Table 30. Series accessories

SKUs for Series Licenses and Subscriptions

When ordering a Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 31. Threat Subscription Details

Table 32. Cisco Secure Firewall Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Table 33. Cisco Secure Firewall Series subscription part numbers for configurations with the Firewall Threat Defense image

Ordering Example: Cisco Secure Firewall with FTD

Step 1. Smart Software Licensing

Before placing a Cisco Secure Firewall order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order.

More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at:
https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2. Navigate to Products -> Security -> Cisco Secure Firewall series-> Cisco Secure Firewall -> FPR-NGFW-K9

Step 3. Follow the instructions in the yellow box. Select the Power Cables or the DC Power Supply.

Step 4. After the cable selection is complete, click on the Network module to add to the configuration.

Step 5. Complete the configuration by clicking on done. An alert message appears for the user to confirm the selection.

Step 6. Product summary page appears with the selected configurations.

SKUs and Ordering for Cisco Firepower Series

The following tables outline the product part number information for the Cisco Firepower Series. Note that the customer may want extra power supplies and fans.

Table 34. Series chassis part numbers

Note:  Use the bundle part number unless you have an explicit reason not to. The bundle PID ensures that all necessary components are purchased.

Table 35. Series network module part numbers

Table 36. Series accessories part numbers

Note:  Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for Series Licenses and Subscriptions

When ordering a Series firewall with the ASA configuration, a license is required. When ordering a Series hardware with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 37. Threat Subscription Details

Table 38. Cisco Firepower Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Table 39. Cisco Firepower Series subscription part numbers for configurations with the Firewall Threat Defense image

Ordering Example: Cisco Firepower with ASA

Step 1: Smart Software Licensing

Before placing a Cisco Firepower order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order.

More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at:
https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Products -> Security -> Cisco Firepower Series -> Cisco Firepower Security Appliance -> FPR-ASA-K9

Step 3: Click on the Power cables to make the selection.

Step 4: Click on “SFP-Modules – On Chassis ports” to make the selection.

Step 5: Select the Network Modules – Slot 1 and Slot 2

Step 6: Select Feature License

Step 7: Select Cables from Cable Management

Step 8: Adding Spares. Navigate back to Products -> Security -> Cisco Firepower Series -> Accessories and Spares > Cisco Firepower Security Appliance -> FPR4K-NM-2X100G= -> Click Configure

Step 9: Select the transceiver for the SFP Option and click done.

Step 10: Final Product Summary configuration.

SKUs and Ordering for Cisco Firepower Series

The following tables outline the product part number information for the Cisco Firepower Series. Note that the customer may want extra power supplies and fans.

Table 40. Series chassis part numbers

Note:  Use the bundle part number unless you have an explicit reason not to. The bundle PID ensures that all necessary components are purchased.

Table 41. Series network module part numbers

Table 42. Series accessories part numbers

Note:  Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for Series Licenses and Subscriptions

When ordering a Series firewall with the ASA configuration, a license is required. When ordering a Series hardware with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 43. Threat Subscription Details

Table 44. Cisco Firepower Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Table 45. Cisco Secure Firewall Series subscription part numbers for configurations with the FTD image

Ordering Example: Cisco Secure Firewall with FTD

Step 1: Smart Software Licensing

Before placing a Cisco Secure Firewall order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order.

More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at:
https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you can complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Products -> Security -> Cisco Secure Firewall Series -> Cisco Secure Firewall Security Appliance -> FPR-NGFW-K9

Step 3: Select the Power Cables

Step 4: Select Transceiver modules – On-Chassis Ports

Step 5: Select Transceiver modules – Management Ports

Step 6: Select Network Modules for Slot-1 and Slot-2

Step 7: Select the cables from Cable Management

Step 8: Adding Spares. Navigate back to Products -> Security -> Cisco Secure Firewall Series -> Accessories and Spares -> Cisco Firepower Security Appliance -> Accessories and Spares -> L-FPRT-TMC= -> Click Add to Cart. The spare license is added to the cart. The final product summary is shown below.

Firewall Solution Attached Services Ordering Example

1. In Cisco Commerce Workspace (CCW), click Estimate dropdown. Select Create Estimate.

2. On the estimate page, complete all necessary fields

3. Click Edit Estimate tab. Complete fields on page. Click Save and Continue when done

4. Under the Estimate tab:

● Enter FPR-FTD-HA-BUN into Search field.

● Click Add.

● Click Select Options.

5. The CON-CXP-SEN-SAS SKU pricing will take a few seconds to refresh and displays the message “The Advanced Services SKU in the bundle is being priced.”

6. Click Save and Continue to price the MLB.

● Review the estimate pricing.

● Any additional changes made will require user to click Save and Continue again

SKUs and Ordering for Cisco Firepower

The following tables outline the product part number information for the Cisco Firepower . Note that the customer may want extra power supplies and fans. You can add these to the order separately. When you order, you choose between one and three security modules per chassis. Note that security module types cannot be mixed within a chassis.

Table 46. Chassis and sublevel assemblies and components included with each chassis

Note:  There are eight 10-Gbps ports on the supervisor module bundled by default with the chassis. However, customers that plan to use supervisor module ports will require connectors for both those ports as well as for the ports on the network modules. Only one 1-Gbps connector, for the management port, is included by default with each supervisor module.

Table 47. Cisco Firepower Network Modules

Table 48. SFP module options for 10G netmod and 10G supervisor ports

Table 49. SFP module options for 40G netmod

Table 50. 100G network QSFP28 module options

When ordering a Cisco Firepower firewall with the ASA configuration, a Standard (base) ASA license (LF9KASA) is required.

Table 51. Cisco Firepower power cables

SKUs for Cisco Firepower Series Licenses and Firewall Threat Defense Subscriptions

When ordering a Cisco Firepower firewall with the ASA configuration, a Standard (base) ASA license (L-F9K-ASA) is required.

Alternatively, when ordering a Series with the Cisco Secure Firewall Threat Defense image, base AVC capability comes by default with Cisco Secure Firewall Threat Defense license (L-FPR9K-TD-BASE=). Additionally, subscriptions can be purchased (one license per security module) to add IPS, URL Filtering, and malware defense capabilities. Similarly, if the customer already has a Firepower , the same PIDs are used to upgrade to the Cisco Secure Firewall Threat Defense image. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 52. Threat subscription decoder

Table 53. Cisco Firepower Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-40

Table 54. Cisco Firepower Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-48

Table 55. Cisco Firepower Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-56

Ordering Example: Cisco Firepower with ASA

Step 1: Smart Software Licensing

Before placing a Cisco Firepower order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order.

More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at:
https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you are able to complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

Go to Cisco Commerce: https://www.cisco.com/go/ccw.

From the Orders pull-down menu, select Create Order.

Select Assign Smart Account, and follow the subsequent prompts for Smart Licensing.

Step 2: Navigate to Catalog > Products > Security > Cisco Firepower Series -> Search for FPR9KT-HA-BUN. Add the chassis to the cart by clicking add.

Step 3: Check the box 1.0 FPR9KT-HA-BUN and select Options.

Follow the instructions in the yellow box. First click the hardware and make the selection.

Step 4: Click on Edit Options in the FPR-CH--AC Hardware and select the power cables, supervisor and network modules.

1. Power Cables Selection

2. Supervisor Selection

3. Network Module Selection

Step 5: Add a Security Module

Step 6: Add a Subscription License

Step 7: Product Configuration Summary.

Example of Cisco Firepower Solution Configurations

The tables below show example configurations for ordering the appliances. Note that these are high-level overviews and that actual orders will include additional items. Fully populated chassis with three SM-48 Security Modules for maximum I/O capability.

Table 56.   

Table 57. Chassis with one SM-40 Security Module

SKUs and Ordering Guidance for Cisco Secure Firewall Threat Defense Virtual

Cisco Secure Firewall Threat Defense Virtual is available where virtualized firewall and IPS capabilities are required, including in public cloud environments. It is the virtualized version of Firewall Threat Defense. It enables consistent security policies to follow workloads across your physical, virtual, and cloud environments, and between clouds. Complexity is further minimized with simple provisioning and a single console, the Firewall Management Center (FMC), which enables threat visibility, and automated defense, across your estate. FMC can manage both physical and virtual devices. See the Firewall Management Center section of this guide for FMC part numbers.

In Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) environments, Cisco Secure Firewall Threat Defense Virtual devices can be managed either by an on-premises FMC, or in the respective public cloud with the virtualized FMC. When deployed in AWS and Microsoft Azure environments, two licensing models are available:

● Bring Your Own License (BYOL), where an existing Threat Defense Virtual license is required.

● Hourly billing (a pay-as-you-go model) available through the AWS interface.

Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) only support the Bring Your Own License (BYOL) licensing model.

For the supported private cloud platforms and Hyper Converged Infrastructure like Cisco Hyperflex and Nutanix AHV the same licenses can be used in the BYOL model.

Cisco Secure Firewall Threat Defense Virtual enables inter-VM and east-west traffic inspection, as well as inspection at ingress and egress points to the cloud. It is designed to address security concerns in traditional network infrastructures and can optionally be inserted into Cisco’s Application Centric Infrastructure (ACI) for flexible orchestration.

Firewall Threat Defense Virtual performance tiered Subscriptions

Performance tiered licensing is available starting from Firewall Threat Defense Virtual version 7.0. The new licensing model also includes the Base License as a subscription. There are 6 tiers in the new performance tiered licensing model, which can be ordered using the following SKUs.

Table 58. Cisco Secure Firewall Threat Defense Virtual Performance tiered Base Subscription and Threat, Malware and URL Filtering Subscription SKUs

Search for the top level subscription SKU – FTDV-SEC-SUB and “Add”

Add Base License quantity for the tiers required

Then select the tier.

Select Additional features for each Base license selected (Optional). Quantity should be aligned to Base License quantity

The Service tab shows the support options available. Cisco Solution Support is the default level of support for the Base and TMC subscription. It provides 24*7 technical support and is the recommended level of support. Included in the subscription at no additional cost is 8*5 online support which also provides Software upgrades.

Default term is 3 Years which can be updated by clicking on Terms tab and editing duration. Click on Save Changes

Once the changes are saved, the complete configuration is displayed. There is an option to switch from Solution support to basic support

Click on Save and Continue to review the complete configuration. This will redirect to the main CCW screen.

Please note that the older non-tiered license with perpetual base will continue to work with 7.0. This can be selected as FTDv – Variable license on the FMC UI during registration.

Table 59. Cisco Secure Firewall Threat Defense Virtual Perpetual Base

Table 60. Cisco Secure Firewall Threat Defense Subscription SKUs

SKUs and Ordering Guidance for Cisco Adaptive Security Virtual Appliance (ASAv)

The Cisco ASAv brings the power of ASA to the virtual domain and private cloud environments. It runs the same software as the physical ASA appliance to deliver proven security functionality. You can use ASAv to protect virtual workloads within your data center. Later, you can expand, contract, or shift the location of these workloads over time and can span physical and virtual infrastructures. The Adaptive Security Virtual Appliance runs as a virtual machine inside a hypervisor in a virtual host. Most of the features that are supported on a physical ASA by Cisco software are supported on the virtual appliance as well, except for clustering and multiple contexts. The virtual appliance supports site-to-site VPN, remote-access VPN, and clientless VPN functionalities as supported by physical ASA devices. See the ASAv data sheet for more details.

ASAv is available in both subscription and perpetual licensing models.

Table 61. Cisco Adaptive Security Virtual Appliance (ASAv) Subscription License

Table 62. Cisco Adaptive Security Virtual Appliance (ASAv) Perpetual License

Note:  For ASAv, remote-access VPN functionality can be licensed separately as outlined in https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/guide-c07-.html.

Qualys Connector

The Qualys Connector is a software application that collects Qualys Guard vulnerability report data and sends it to the Cisco Secure Firewall Management Center. The Qualys vulnerability data is then aggregated with Cisco’s vulnerability information found in the host map. Customers can choose to use Cisco or Qualys vulnerability data, or both, for Impact Flag calculations and automatic rule recommendations.

Firepower Product Licensing and License Activation

● The customer logs on to https://cisco.com/go/licensing and uses the Smart Licensing feature to request a token to be installed in the FMC or FDM. This license is then applied to the Cisco Secure Firewall Management Center that is going to manage the feature or appliance.

● Exception: Cisco Secure Endpoint (formerly AMP for Endpoints) does not require an activation key at this time.

High-Availability Configurations

Type 1: Secure Firewall High-Availability

● If the customer wants high availability for sensors, two appliances are required.

● Appliances must be of the same model and generation.

● Both appliances must be identically licensed and have support.

● Licenses will be applied to the same primary Cisco Secure Firewall Management Center managing the high-availability pair.

Snort Subscriber Rule Set: Subscription Options

Personal: This subscription type is for use in a home network environment. If you’d like to purchase a subscription online using a credit card, you may do so. For a personal subscription, please go to https://www.snort.org/products to place an order. It is not available to purchase on Cisco Commerce. As you approach the expiration date, renewal by way of Snort.org is automatic for credit card orders and is part of the license agreement.

Business: This subscription type is for use in businesses, nonprofit organizations, colleges and universities, government agencies, consultancies, and other venues where Snort sensors are in use in a production or lab environment. This subscription type does not include a license to redistribute the Snort Subscriber Rule Set except as described in section 2.1 of the Rule Set license agreement.

If you’d like to purchase a Rule subscription online using a credit card, you may do so. Customers or end users who cannot purchase by credit card are requested to contact a partner or distributor who can purchase on their behalf through Cisco Commerce. If you need assistance with a quote, contact . Unlike Snort.org automatic renewals, orders placed in Cisco Commerce require a manual renewal to trigger another subscription. Important: address of the recipient of the subscription license needs to be included on the order for electronic delivery.

For more information, visit: https://www.snort.org/products.

SKUs and ordering guidance for Cisco Security Manager

Cisco Security Manager provides scalable and centralized operations management for ASA functions, including policy and object management, event management, reporting, and troubleshooting for Cisco ASA firewall functions. The Security Manager can be used to manage:

● Cisco Firepower , , and series platforms with ASA software.

● Cisco Secure Firewall ASA Virtual on Private and Public Cloud.

● Cisco Secure Client (formerly AnyConnect Secure Mobility Client).

Security Manager is available in two feature levels: Standard and Professional (Table 63). Enterprise customers with numerous security devices will benefit from Security Manager Professional, and customers with fewer security device deployments will find Security Manager Standard an exceptional value. For small-scale and simple deployments, the Cisco Adaptive Security Device Manager (ASDM) is available to provide on-device, GUI-based firewall network operations management for Cisco ASA deployments.

Note:  Modern server hardware is required. Please see the Cisco Security Manager data sheet for more details.

Table 63. Cisco Security Manager models

Table 64. Cisco Security Manager Software Application Support (SAS) SKUs

SKUs and ordering guidance for Cisco Secure Firewall Management Center

The Cisco Secure Firewall Management Center, available as a physical or virtual appliance, provides unified management of:

● Cisco Secure Firewall Threat Defense software on the Cisco Firepower Series appliances.

● Cisco Secure Firewall Threat Defense software on the Cisco Firepower Series appliances.

● Cisco Secure Firewall Threat Defense software on the Cisco Firepower Series appliances.

● Cisco Secure Firewall Threat Defense software on the Cisco Firepower Series appliances.

● Cisco Secure Firewall Threat Defense Virtual.

● Cisco Secure Firewall Threat Defense software on the Cisco Firepower .

● FirePOWER module of Cisco ASA with FirePOWER Services (up until release 7.4).

● Cisco Secure Intrusion Prevention System (IPS) and Cisco Secure Firewall malware defense solutions (up until release 7.0).

● Cisco Secure Firewall Threat Defense for Integrated Services Routers (ISR).

The Firewall Management Center provides a centralized management console and event database repository. It is available in a range of physical appliance models, as a virtual appliance for private and public cloud platforms or a cloud-delivered version that is delivered via the Cisco Defense Orchestrator. One physical or virtual management appliance can manage multiple appliances as long as all the appliances are running the compatible firewall configuration.

The appropriate Firewall Management Center hardware is selected based on the firewall configuration deployed and the number of appliances and events to be monitored. Firewall Management Center , , , , and physical appliances or the Firewall Management Center virtual appliance can be used to manage Cisco ASA with Firepower Services and the Firewall Threat Defense (FTD) software image. Cisco Security Manager is required to manage ASA physical or virtual appliance firewall functionality. Cisco Defense Orchestrator delivers the cloud-delivered version of Firewall Management Center and a consistent and simplified cloud-based security policy management for ASA, ASA with FirePOWER Services, and FTD devices. For more details, visit Cisco Defense Orchestrator (CDO) home page. For CDO ordering details, visit the Guidelines for Quoting Cisco Defense Orchestrator Products.

Table 65. Cisco Secure Firewall Management Center SKUs

For new deployments, a compatible Management Center can be ordered with Firepower Series, Series, Series, and Secure Firewall devices. For small-scale FTD deployments, Firewall Device Manager on-device manager is included (except for CSF ).

Note:  To manage network operations in large-scale deployments of devices running the ASA software image, using Cisco Security Manager or Cisco Defense Orchestrator is highly recommended.

SKUs and Ordering Guidance for Cisco Secure Firewall Management Center Virtual Appliance

The PAK-enabled, 2- and 10-device Firewall Management Center Virtual Appliances (FMCv) are part of a promotional offer to more cost-effectively manage FirePOWER Services or Firewall Threat Defense on small-scale deployments of low-end ASA-X Series appliances. However, the 2-, 10-, and 25-device FMCv Smart License or PAK SKUs do not have any limitations with respect to which appliances they can manage. If add-on licenses are required for new devices on your FMCv, it is recommended to migrate to a higher FMCv model that supports additional devices.

Table 66. Smart Licensing–enabled Cisco Secure Firewall Management Center Virtual Appliance SKUs

Note:  FMCv SKUs are not tied to specific Private or Public Cloud platforms. The SKUs listed can be used with any supported Private or Public Cloud Deployment.

Licensing Guidance for Cisco Secure Firewall Management Center

Firewall Management Center physical appliances do not require any separate management licenses. Firewall Management Center virtual appliances require only one of the licenses mentioned in the previous table, based on the number of devices being managed. These licenses cannot be combined. For example, entitlement to manage four (4) devices requires a minimum of one (1) “Cisco Secure Firewall Management Center, for 10 devices” license; use of two (2) “Cisco Secure Firewall Management Center, for 2 devices” licenses is not compliant for this use case. Separate from the Firewall Management Center, the managed devices each require classic or Smart subscription feature licenses. Firewall Management Center Virtual Appliance Smart SKUs can manage any device running Firewall Threat Defense software.

IMPORTANT: For version 6.3 and later:

Enablement of strong crypto features (3DES/AES VPN) continues to happen automatically via Smart Licensing for those customers that are not subject to export restrictions or require an export license. However, those customers who are subject to export restrictions or require an export license will be asked to select a $0 strong crypto enablement key during configuration of any FMC device with version 6.3+.

For customers who are subject to export restrictions or require an export license and who upgrade an existing FMC to version 6.3+, there are spare versions of the PIDs available (those with an “=” suffix).

To determine if you are subject to export restrictions or require an export license, customers can log in to CSSM and try to generate an installation token. For those customers that do NOT have export restrictions, this box will be checked by default. If you do NOT see this box or are NOT able to check the box, this means that your account is subject to export restrictions. See image below:

Table 67. Cisco Secure Firewall Management Center strong crypto enablement SKUs

The standalone Cisco Secure Firewall Management Center is optimal for high-availability pairing. For the FMC, a high-availability or redundancy feature helps ensure continuity of operations. The secondary Management Center must be the same model as the primary appliance.

The Cisco Secure Firewall Management Center Virtual Appliance also supports High Availability on some Private and Public Cloud offerings. Use of High Availability for Cisco Secure Firewall Management Center Virtual requires an additional identical license.

Product high-availability configuration:

High availability for the Management Center

● If the customer wants high availability for the Management Center, an additional appliance is required.

● The secondary Management Center must be of the same model and generation as the primary one.

● License keys for all sensors, feature licenses (including Cisco Firepower), and subscriptions managed on the primary Management Center can be duplicated and loaded onto the secondary Management Center using the original activation keys.

High availability for the Management Center Virtual Appliance

● If the customer wants high availability for the Management Center Virtual Appliance, two (2) identical licenses (see Table 67) are required.

● High Availability support varies across Private and Public Cloud platforms as well as model types; please review the latest guidance provided in the Cisco Secure Firewall Management Center Administration Guide for specific information.

● High availability for the Management Center Virtual Appliance is not supported with the Cisco Secure Firewall Management Center, for 2 devices license.

Connect and protect bundle ordering

Overview

Partners can now order Cisco’s security portfolio tailored for 3 specific customer use cases: Secure Campus, Secure Branch and Secure Hybrid Datacenter. The bundles include products that address the real-world needs of each use case. The bundles are designed to simplify ordering and provide an attractive price point.

Please contact your partner for eligibility and additional information.

Figure 8. Connect and Protect Offers – Included Products and Criteria

SKUs and ordering

Add the items below to the estimate and configure the required/optional sub-lines (“->”) by clicking “select options” for the main line, following the indicated (minimum/maximum) quantities.

The hardware selection will need to happen as a separate line item on the estimate. First, select and configure the use-case-specific bundle:

Table 68. Connect and Protect bundle components and options (Step 1)

Next, configure the remaining items required for the respective bundles:

Table 69. Connect and Protect bundle components and options (Step 2)

For additional information regarding the ordering of Umbrella/DNS essentials or advantage, also see the Umbrella ordering guide.

Additional resources

Cisco Commerce

Cisco Commerce is the primary tool used for ordering Cisco products and new services offered on the Cisco Price List. Three main steps are involved in creating an order: creating a quick quote, converting a quote to an order, and submitting an order.

Cisco Commerce Software Subscriptions and Services (CCW-R) is used to quote, order, and manage your service contracts and software subscriptions. Use CCW-R to create new or renew Technical Services (TS) and software subscription (Term-and-Content) quotes, submit approved orders, and manage your contracts.

Cisco Capital Financing

The significant benefits offered by the Cisco Firepower make it the natural choice for service provider security and provisioning. As with any technology investment, the question is whether the new system is affordable. The answer is Cisco Capital financing. We can give customers the financing solution that works best for them. We offer both flexible repayments to help mitigate cash flow issues and operating leases to help negate capital expenditures.

Cisco Capital can help remove or reduce the barriers preventing organizations from obtaining the technology they need. Total solution financing programs help customers and partners:

● Achieve business objectives.

● Accelerate growth.

● Acquire technology to match current strategies and future needs.

● Remain competitive.

Cisco Capital also helps your customers achieve financial goals such as optimizing investment dollars, turning capital expenditures into operating expenses, and managing cash flow. And there’s just one predictable payment. Cisco Capital operates in more than 100 countries, so regardless of location, customers and partners have access to a trusted means to secure Cisco products and services.

For more information about Cisco Capital financing, visit the following sites:

● For channel partners: https://www.ciscocapital.com/.
