CHAPTER 65
Licensing the FireSIGHT System
You can license a variety of features to create an optimal FireSIGHT System deployment for your
organization. You use the Defense Center to manage licenses for itself and the devices it manages.
For more information, see:
• Understanding Licensing, page 65-1
• Viewing Your Licenses, page 65-11
• Adding a License to the Defense Center, page 65-12
• Deleting a License, page 65-13
• Changing a Device’s Licensed Capabilities, page 65-13
Understanding Licensing
License: Any
You can license a variety of features to create an optimal FireSIGHT System deployment for your
organization. A FireSIGHT license is included with your Defense Center and is required to perform host,
application, and user discovery.
Additional model-specific licenses allow your managed devices to perform a variety of functions
including:
• intrusion detection and prevention
• Security Intelligence filtering
• file control and advanced malware protection
• application, user, and URL control
• switching and routing
• device clustering
• network address translation (NAT)
• virtual private network (VPN) deployments
There are a few ways you may lose access to licensed features in the FireSIGHT System. You can remove
licenses from the Defense Center, which affects all of its managed devices. You can also disable licensed
capabilities on specific managed devices. Finally, some licenses may expire. Though there are some
exceptions, you cannot use the features associated with an expired or deleted license.
FireSIGHT System User Guide
65-1
Chapter 65
Licensing the FireSIGHT System
Understanding Licensing
Certain licenses, like the FireSIGHT license, are perpetual. Other licenses require that you purchase a
service subscription to enable the license.
For more information, see:
• License Types and Restrictions, page 65-2
• Service Subscriptions, page 65-7
• Licensing High Availability Pairs, page 65-8
• Licensing Stacked and Clustered Devices, page 65-8
• Licensing Series 2 Appliances, page 65-8
• Understanding FireSIGHT Host and User License Limits, page 65-8
License Types and Restrictions
License: Any
This section describes the types of licenses available in a FireSIGHT System deployment. The licenses
you can enable on an appliance depend on its model, version, and (for managed devices) the other
licenses enabled.
For virtual and Series 3 devices, licenses are model specific; you cannot enable a license on a managed
device unless the license exactly matches the device’s model. For example, you cannot use a 3D8250
Protection license to enable Protection capabilities on a 3D8140 device. As your organization and
deployment grow, you can purchase additional licenses for additional managed devices.
Series 2 devices automatically have Protection capabilities (with the exception of Security Intelligence
filtering). Although you do not need to explicitly enable Protection on Series 2 devices, you also cannot
enable any other licenses.
Also note that although you can enable Control on a virtual device or ASA FirePOWER device to
perform user and application control, these devices do not support switching, routing, stacking, or
clustering.
The following table summarizes FireSIGHT System licenses.
Table 65-1 FireSIGHT System Licenses

| License You Assign in FireSIGHT System | Service Subscription You Purchase | Platforms | Granted Capabilities | Requires | Expire Capable? |
| --- | --- | --- | --- | --- | --- |
| FireSIGHT | none | Defense Centers | discovery | none | no |
| Protection (licensed) | TA (included with device) | Series 3, Virtual, X-Series, ASA FirePOWER | intrusion detection and prevention; file control; Security Intelligence filtering | none | no |
| Protection (automatic) | none (included with device) | Series 2 | intrusion detection and prevention; file control | none | no |
| Control | none (included with device) | Virtual, ASA FirePOWER | user and application control | Protection | no |
| Control | none (included with device) | Series 3 | user and application control; switching and routing; clustering | Protection | no |
| Malware | TAM, TAMC, or AMP | Series 3, Virtual, ASA FirePOWER | advanced malware protection (network-based malware detection and blocking) | Protection | yes |
| URL Filtering | TAC, TAMC, or URL | Series 3, Virtual, X-Series, ASA FirePOWER | category and reputation-based URL filtering | Protection | yes |
| VPN | none (contact Sales for more information) | Series 3 | deploying virtual private networks | Control | yes |
Note that the DC500 Defense Center does not support the capabilities provided by a URL Filtering or
Malware license.
For more information, see:
• FireSIGHT, page 65-3
• Protection, page 65-4
• Control, page 65-5
• Malware, page 65-6
• URL Filtering, page 65-5
• VPN, page 65-7
FireSIGHT
License: FireSIGHT
A FireSIGHT license is included with your Defense Center and allows you to perform host, application,
and user discovery. Discovery data allows the system to create a complete, up-to-the-minute profile of
your network, and correlate threat, endpoint, and network intelligence with user identity information.
You can use discovery data to perform traffic profiling, assess network compliance, and implement
correlation policies.
Your FireSIGHT license also determines how many individual hosts and users you can monitor with the
Defense Center and its managed devices. Note that the user limit applies independently to the following:
• the Users database, which contains a record for each user detected by the FireSIGHT System
• the number of users you can use in access control rules to perform user control, also called
  access-controlled users
For information on the consequences of reaching the licensed limit, see Understanding FireSIGHT Host
and User License Limits, page 65-8.
Without a FireSIGHT license, you can still perform basic system configuration, monitoring,
network-based access control (zone, network, VLAN, and port rule conditions), connection logging, and
reporting. Additionally, you can receive endpoint-based malware events from the Collective Security
Intelligence Cloud without a FireSIGHT license, although your organization does need a FireAMP
subscription.
Tip
The License statements in this guide assume your Defense Center has a FireSIGHT license. However, if
the Defense Center was previously running Version 4.10.x, you may be able to use legacy RNA Host and
RUA User licenses instead of a FireSIGHT license. For more information, see Protection, page 65-4.
Protection
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
A Protection license allows you to perform intrusion detection and prevention, file control, and Security
Intelligence filtering:
• Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits
  and, optionally, drop offending packets.
• File control allows you to detect and, optionally, block users from uploading (sending) or
  downloading (receiving) files of specific types over specific application protocols. With a Malware
  license (see Malware, page 65-6), you can also inspect and block a restricted set of those file types
  based on their malware dispositions.
• Security Intelligence filtering allows you to blacklist—deny traffic to and from—specific IP
  addresses, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow
  you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a
  “monitor-only” setting for Security Intelligence filtering.
A Protection license (along with a Control license) is automatically included in the purchase of any
managed device. This license is perpetual, but you must also purchase a TA subscription to enable
system updates.
Although you can configure an access control policy to perform Protection-related inspection without a
license, you cannot apply the policy until you first add a Protection license to the Defense Center, then
enable it on the devices targeted by the policy.
If you delete your Protection license from the Defense Center or disable Protection on managed devices,
the Defense Center stops acknowledging intrusion and file events from the affected devices. As a
consequence, correlation rules that use those events as trigger criteria stop firing. Additionally, the
Defense Center will not contact the internet for either Cisco-provided or third-party Security Intelligence
information. You cannot reapply existing policies until you re-enable Protection.
Because a Protection license is required for URL Filtering, Malware, and Control licenses, deleting or
disabling a Protection license has the same effect as deleting or disabling your URL Filtering, Malware,
or Control license.
Note
Series 2 devices automatically have most Protection capabilities; you do not have to purchase or enable
Protection licenses for these devices. However, Series 2 devices cannot perform Security Intelligence
filtering.
Control
License: Control
Supported Devices: Series 3, Virtual, ASA FirePOWER
Supported Defense Centers: feature dependent
A Control license allows you to implement user and application control by adding user and application
conditions to access control rules. It also allows you to configure your Series 3 managed devices to
perform switching and routing (including DHCP relay and NAT), as well as cluster managed devices. To
enable Control on a managed device, you must also enable Protection.
Note
Although you can enable a Control license on a virtual device or ASA FirePOWER device, these devices
do not support switching, routing, stacking, or clustering.
A Control license is automatically included (along with a Protection license) in the purchase of any
managed device. This license is perpetual, but you must also purchase a TA subscription to enable
system updates.
Although you can add user and application conditions to access control rules without a Control license,
you cannot apply the policy until you first add a Control license to the Defense Center, then enable it on
the devices targeted by the policy.
Note that the DC500 Defense Center does not support adding user conditions in access control rules.
Without a Control license, you cannot create switched, routed, or hybrid interfaces on your managed
devices; create NAT entries; or configure DHCP relay for virtual routers. Although you can create virtual
switches and routers, they are not useful without switched and routed interfaces to populate them.
Further, you cannot apply a device configuration that includes switching or routing to a managed device
where you have not enabled Control. Additionally, establishing clustering between managed devices
requires that the devices are enabled for Control.
If you delete your Control license from the Defense Center or disable Control on individual devices, the
affected devices do not stop performing switching or routing, nor do device clusters break. Although you
can edit and delete existing configurations, you cannot apply your changes to the affected devices. You
cannot add new switched, routed, or hybrid interfaces, nor can you add new NAT entries, configure
DHCP relay, or establish device clustering. Finally, you cannot reapply existing access control policies
if they include rules with user or application conditions.
URL Filtering
License: URL Filtering
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
URL filtering allows you to write access control rules that determine the traffic that can traverse your
network based on URLs requested by monitored hosts, correlated with information about those URLs,
which is obtained from the Cisco cloud by the Defense Center. To enable URL Filtering, you must also
enable a Protection license.
Tip
Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block.
This gives you granular, custom control over web traffic, but does not allow you to use URL category
and reputation data to filter network traffic.
You can purchase a URL Filtering license as a services subscription combined with Threat & Apps
(TAC) or Threat & Apps and Malware (TAMC), or as an add-on subscription (URL) for a system where
Threat & Apps (TA) is already enabled.
Although you can add category and reputation-based URL conditions to access control rules without a
URL Filtering license, the Defense Center will not contact the cloud for URL information. You cannot
apply the access control policy until you first add a URL Filtering license to the Defense Center, then
enable it on the devices targeted by the policy.
You may lose access to URL filtering if you delete the license from the Defense Center or disable URL
Filtering on managed devices. Also, URL Filtering licenses may expire. If your license expires or if you
delete or disable it, access control rules with URL conditions immediately stop filtering URLs, and your
Defense Center can no longer contact the cloud. You cannot reapply existing access control policies if
they include rules with category and reputation-based URL conditions.
Malware
License: Malware
Supported Devices: Series 3, Virtual, ASA FirePOWER
Supported Defense Centers: Any except DC500
A Malware license allows you to perform advanced malware protection, that is, use managed devices to
detect and block malware in files transmitted over your network. To enable Malware on a managed
device, you must also enable Protection.
Note
Managed devices with Malware licenses enabled periodically attempt to connect to the Cisco cloud even
if you have not configured dynamic analysis. Because of this, the device’s Interface Traffic dashboard
widget shows transmitted traffic; this is expected behavior.
You configure malware detection as part of a file policy, which you then associate with one or more
access control rules. File policies can detect your users uploading or downloading files of specific types
over specific application protocols. The Malware license allows you to inspect a restricted set of those
file types for malware, as well as download and submit specific file types to the Cisco cloud for dynamic
and Spero analysis to determine whether they contain malware. The Malware license also allows you to add
specific files to a file list and enable the file list within a file policy, allowing those files to be
automatically allowed or blocked on detection.
You can purchase a Malware license as a subscription combined with Threat & Apps (TAM) or Threat &
Apps and URL Filtering (TAMC), or as an add-on subscription (AMP) for a system where Threat & Apps
(TA) is already enabled.
Although you can add a malware-detecting file policy to an access control rule without a Malware
license, the file policy is marked with a warning icon in the access control rule editor. Within the
file policy, Malware Cloud Lookup rules are also marked with the warning icon. Before you can apply
an access control policy that includes a malware-detecting file policy, you must add a Malware license,
then enable it on the devices targeted by the policy. If you later disable the license on the devices, you
cannot reapply an existing access control policy to those devices if it includes file policies that perform
malware detection.
If you delete all your Malware licenses or they all expire, the Defense Center stops performing malware
cloud lookups, and also stops acknowledging retrospective events sent from the Cisco cloud. You cannot
reapply existing access control policies if they include file policies that perform malware detection. Note
that for a very brief time after a Malware license expires or is deleted, the system can use cached
dispositions for files detected by Malware Cloud Lookup file rules. After the time window expires, the
system assigns a disposition of Unavailable to those files, rather than performing a lookup.
Note that a Malware license is only required if you want the system to detect malware in network traffic.
Without a Malware license, the Defense Center can receive endpoint-based malware events from the
Cisco cloud if your organization has a FireAMP subscription. For more information, see Understanding
Malware Protection and File Control, page 37-2.
VPN
License: VPN
Supported Devices: Series 3
VPN allows you to establish secure tunnels between endpoints via a public source, such as the Internet
or other network. You can configure the FireSIGHT System to build secure VPN tunnels between the
virtual routers of Cisco managed devices. To enable VPN, you must also enable Protection and Control
licenses. To purchase a VPN license, contact Sales.
Without a VPN license, you cannot configure a VPN deployment with your managed devices. Although
you can create deployments, they are not useful without at least one VPN-enabled routed interface to
populate them.
If you delete your VPN license from the Defense Center or disable VPN on individual devices, the
affected devices do not break the current VPN deployments. Although you can edit and delete existing
deployments, you cannot apply your changes to the affected devices.
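The prerequisites and platform restrictions stated in Table 65-1 and in the license sections above can be checked before you add, disable, or delete a license. The following Python is an added example, not Cisco code: the function names are illustrative, and "usable" here means only that a policy or device configuration depending on the license can still be applied (existing switching, routing, and VPN deployments keep running, as described above).

```python
# Added example: data transcribed from Table 65-1; names are illustrative.

# Prerequisites from the license sections (VPN needs Protection and Control).
REQUIRES = {
    "Protection": set(),
    "Control": {"Protection"},
    "Malware": {"Protection"},
    "URL Filtering": {"Protection"},
    "VPN": {"Protection", "Control"},
}

# Platforms on which each license can be enabled.
PLATFORMS = {
    "Protection": {"Series 3", "Virtual", "X-Series", "ASA FirePOWER"},
    "Control": {"Series 3", "Virtual", "ASA FirePOWER"},
    "Malware": {"Series 3", "Virtual", "ASA FirePOWER"},
    "URL Filtering": {"Series 3", "Virtual", "X-Series", "ASA FirePOWER"},
    "VPN": {"Series 3"},
}

CAPABILITIES = {
    "Protection": {"intrusion detection and prevention", "file control",
                   "Security Intelligence filtering"},
    "Control": {"user and application control"},
    "Malware": {"advanced malware protection"},
    "URL Filtering": {"category and reputation-based URL filtering"},
    "VPN": {"deploying virtual private networks"},
}
SERIES3_CONTROL_EXTRAS = {"switching and routing", "clustering"}


def check_device(platform, licenses):
    """Return a list of problems with enabling `licenses` on `platform`."""
    licenses = set(licenses)
    if platform == "Series 2":
        # Protection is automatic on Series 2; no other license can be enabled.
        return [f"{lic}: cannot be enabled on Series 2"
                for lic in sorted(licenses - {"Protection"})]
    problems = []
    for lic in sorted(licenses):
        if platform not in PLATFORMS[lic]:
            problems.append(f"{lic}: not supported on {platform}")
        for dep in sorted(REQUIRES[lic] - licenses):
            problems.append(f"{lic}: requires {dep}")
    return problems


def prune(licenses):
    """Drop every license whose prerequisites are not all present."""
    remaining = set(licenses)
    changed = True
    while changed:
        changed = False
        for lic in sorted(remaining):
            if not REQUIRES[lic] <= remaining:
                remaining.discard(lic)
                changed = True
    return remaining


def usable_after_loss(licenses, lost):
    """Licenses still usable once `lost` is deleted, disabled, or expired."""
    return prune(set(licenses) - {lost})


def capabilities(platform, licenses):
    """Capabilities that can be applied on `platform` with `licenses`."""
    if platform == "Series 2":
        return CAPABILITIES["Protection"] - {"Security Intelligence filtering"}
    usable = {lic for lic in prune(licenses) if platform in PLATFORMS[lic]}
    caps = set()
    for lic in usable:
        caps |= CAPABILITIES[lic]
    if "Control" in usable and platform == "Series 3":
        caps |= SERIES3_CONTROL_EXTRAS
    return caps


if __name__ == "__main__":
    full = {"Protection", "Control", "Malware", "URL Filtering", "VPN"}
    print(check_device("X-Series", {"Protection", "Control"}))
    print(sorted(usable_after_loss(full, "Control")))
    print(sorted(usable_after_loss(full, "Protection")))
```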
Service Subscriptions
License: Any
A service subscription enables specific features on a managed device for a set length of time. Service
subscriptions can be purchased in one-, three-, or five-year terms. If a subscription expires, Cisco notifies
you that you must renew the subscription. If a subscription expires, you might not be able to use the
related features, depending on the feature type.
Your purchase of a managed device automatically includes Control and Protection licenses. These
licenses are perpetual, but you must also purchase a TA service subscription to enable system updates.
Additional service subscriptions are optional.
Service subscriptions correspond to the licenses you assign to managed devices in the FireSIGHT
System, as follows:
Table 65-2 FireSIGHT Service Subscriptions

| Subscription You Purchase | License You Assign in FireSIGHT System |
| --- | --- |
| TA | Control + Protection (a.k.a. "Threat & Apps," required for system updates) |
| TAC | Control + Protection + URL Filtering |
| TAM | Control + Protection + Malware |
| TAMC | Control + Protection + URL Filtering + Malware |
| AMP | Malware (add-on where TA is already present) |
| URL | URL Filtering (add-on where TA is already present) |
Licensing High Availability Pairs
License: Any
Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Defense Centers in a high availability pair do not share licenses. You must apply equivalent licenses to
each member of the pair. Because Cisco generates licenses based on each Defense Center’s unique
license key, you cannot use the same licenses on different Defense Centers.
Licensing Stacked and Clustered Devices
License: Any
Supported Devices: feature dependent
Individual devices must have equivalent licenses before they can be stacked or clustered. After you stack
devices, you can change the licenses for the entire stack. However, you cannot change the enabled
licenses on a device cluster.
You can stack 3D8140, 3D8200 family, 3D8300 family, and 3D9900 devices of the same model that meet
the requirements described in Managing Stacked Devices, page 4-42. You can cluster two devices of the
same Series 3 model that meet the requirements described in Clustering Devices, page 4-29.
Licensing Series 2 Appliances
License: Protection
Supported Devices: Series 2
With the exception of the DC500, Series 2 and Series 3 Defense Center licensing is identical. Because
the DC500 does not support URL filtering or network-based malware detection, it cannot take advantage
of URL Filtering or Malware licenses.
Series 2 devices automatically have the capabilities, except for Security Intelligence, enabled by a
Protection license. You cannot disable the Protection license on Series 2 devices, and you cannot enable
other licenses.
See the following sections for more information:
• Service Subscriptions, page 65-7 describes the types of licenses available in a FireSIGHT System
  deployment.
• Summary of Supported Capabilities by Managed Device Model, page 1-5 summarizes supported
  and unsupported features on Series 2 appliances.
Understanding FireSIGHT Host and User License Limits
License: FireSIGHT
The FireSIGHT license on your Defense Center determines how many individual hosts and users you
can monitor with the Defense Center and its managed devices, as well as how many users you can use
to perform user control. FireSIGHT host and user license limits are model specific, as listed in the
following table.
Table 65-3 FireSIGHT Limits by Defense Center Model

| Defense Center Model | FireSIGHT Host and User Limit |
| --- | --- |
| DC500 | 1000 |
| DC750 | 2000 |
| DC1000 | 20,000 |
| DC1500 | 50,000 |
| DC2000 | 100,000 |
| DC3000 | 100,000 |
| DC3500 | 300,000 |
| DC4000 | 600,000 |
| virtual | 50,000 |
For example, you can monitor 1000 hosts and 1000 users with the DC500.
If your Defense Center was previously running Version 4.10.x of the FireSIGHT System and you used
an ISO file to “restore” the appliance to Version 5.x factory defaults, you may be able to use your legacy
RNA Host and RUA User licenses instead of a FireSIGHT license.
For more information, see the following sections:
• Understanding the FireSIGHT Host Limit, page 65-9
• Understanding the FireSIGHT User Limit, page 65-10
• Understanding the Access-Controlled User Limit, page 65-10
• Protection, page 65-4
Understanding the FireSIGHT Host Limit
License: FireSIGHT
The FireSIGHT license on your Defense Center determines how many individual hosts you can monitor
with the Defense Center and its managed devices, and therefore how many hosts you can store in your
network map.
Note that the system counts MAC-only hosts separately from hosts identified by both IP addresses and
MAC addresses. All IP addresses associated with a host are counted together as one host.
When the system detects activity associated with a host with an IP address in your monitored network
(as defined by your network discovery policy), that host is added to the network map.
If you reach the host limit and the system detects a new host, whether the new host is added to the
network map depends on the When Host Limit Reached setting in your network discovery policy. You can
configure the system either to stop adding new hosts to the database, or to replace the hosts that have
remained inactive for the longest time.
Note
Even if you cannot add a new host to the network map, the system still performs access control on that
host’s network traffic. Although reaching the FireSIGHT host limit does not prevent you from
performing access control on hosts discovered after you reached your licensed limit, you cannot view or
perform analysis on those hosts using host profile data. For example, you cannot use compliance white
lists to monitor network compliance for those hosts, or use those hosts in host profile qualifications, and
so on.
You can also manually delete a host, an entire subnet, or all of your hosts from the network map. Keep
in mind, however, that if the system detects activity associated with a deleted host, it re-adds the host to
the network map.
Note also that if the system has not detected network traffic from a host in the last Host Timeout period
specified in your network discovery policy, the host is removed from the network map. The default
setting is 10080 minutes (7 days).
To help you track your host license use, the FireSIGHT Host License Limit health module warns you if
you have fewer than a configurable number of host licenses left.
Understanding the FireSIGHT User Limit
License: FireSIGHT
The FireSIGHT license on your Defense Center determines how many individual users you can monitor.
When the system detects activity from a new user, that user is added to the Users database. You can detect
users in the following ways:
• You can use the network discovery policy to configure managed devices to passively detect logins
  for LDAP, AIM, POP3, IMAP, Oracle, SIP (VoIP), FTP, HTTP, MDNS, and SMTP users.
• You can install User Agents on your Microsoft Active Directory LDAP servers to detect
  authentications against Active Directory credentials.
After you reach the licensed limit, in most cases the system stops adding new users to the database. To
add new users, you must either manually delete users from the database, or purge all users from the
database.
However, the system favors authoritative user logins. If you have reached the licensed limit and the
system detects an authoritative user login for a previously undetected user, the system deletes the
non-authoritative user who has remained inactive for the longest time, and replaces it with the new user.
Tip
Note that if you are using managed devices to detect user activity, you can restrict user logging by
protocol to help minimize username clutter and preserve FireSIGHT user licenses. For example,
monitoring users discovered via AIM, POP3, and IMAP may add users not relevant to your organization
due to network access from contractors, visitors, and other guests. For more information, see Restricting
User Logging, page 45-29.
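The limit behavior described in Understanding the FireSIGHT Host Limit and Understanding the FireSIGHT User Limit can be modeled to see which hosts or users drop out of view as a deployment approaches its licensed limit. The following Python is an added example, not Cisco code: class and method names, the minute-based clock, and the sample addresses and user names are constructed. Two behaviors are assumptions the page does not state: a repeat login that is authoritative marks the existing user as authoritative, and an authoritative login is not added when no non-authoritative user remains to replace.

```python
from dataclasses import dataclass

HOST_TIMEOUT_MIN = 10080  # default Host Timeout given above: 10080 minutes (7 days)


@dataclass
class Entry:
    last_seen: int               # minutes on a constructed clock
    authoritative: bool = False  # used only by the Users database


class NetworkMap:
    """Hosts stored in the network map, capped by the FireSIGHT host limit."""

    def __init__(self, limit, when_limit_reached="stop", timeout=HOST_TIMEOUT_MIN):
        if when_limit_reached not in ("stop", "replace"):
            raise ValueError("when_limit_reached must be 'stop' or 'replace'")
        self.limit = limit
        self.policy = when_limit_reached
        self.timeout = timeout
        self.hosts = {}

    def see(self, host, now):
        """Record activity from `host` at time `now`; return what happened."""
        # Hosts silent for longer than the Host Timeout leave the map first.
        stale = [h for h, e in self.hosts.items() if now - e.last_seen > self.timeout]
        for h in stale:
            del self.hosts[h]
        if host in self.hosts:
            self.hosts[host].last_seen = now
            return "updated"
        if len(self.hosts) >= self.limit:
            if self.policy == "stop":
                # Traffic is still access-controlled, but there is no host profile.
                return "not added"
            victim = min(self.hosts, key=lambda h: self.hosts[h].last_seen)
            del self.hosts[victim]
            self.hosts[host] = Entry(now)
            return f"replaced {victim}"
        self.hosts[host] = Entry(now)
        return "added"


class UsersDatabase:
    """Users database, capped by the FireSIGHT user limit."""

    def __init__(self, limit):
        self.limit = limit
        self.users = {}

    def login(self, user, now, authoritative):
        """Record a detected login; return what happened."""
        if user in self.users:
            entry = self.users[user]
            entry.last_seen = now
            # Assumption: an authoritative login upgrades an existing record.
            entry.authoritative = entry.authoritative or authoritative
            return "updated"
        if len(self.users) < self.limit:
            self.users[user] = Entry(now, authoritative)
            return "added"
        candidates = [u for u, e in self.users.items() if not e.authoritative]
        if not authoritative or not candidates:
            # Second case is an assumption: the page does not cover it.
            return "not added"
        # Authoritative login: replace the longest-inactive non-authoritative user.
        victim = min(candidates, key=lambda u: self.users[u].last_seen)
        del self.users[victim]
        self.users[user] = Entry(now, True)
        return f"replaced {victim}"


if __name__ == "__main__":
    net = NetworkMap(limit=2, when_limit_reached="replace")
    for t, host in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        print(host, net.see(host, t))
    db = UsersDatabase(limit=2)
    for t, (name, auth) in enumerate([("guest", False), ("alice", True),
                                      ("visitor", False), ("bob", True)]):
        print(name, db.login(name, t, auth))
```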
Understanding the Access-Controlled User Limit
License: Control
Supported Devices: Series 3, Virtual, ASA FirePOWER
The FireSIGHT license on your Defense Center determines not only how many individual users you can
monitor, but also how many users you can use in access control rules to perform user control. These users
are called access-controlled users.
Note
To perform user control, your organization must use Microsoft Active Directory. The system uses User
Agents running on Active Directory servers to associate access-controlled users with IP addresses,
which is what allows access control rules to trigger.
You specify the groups that access-controlled users must belong to by configuring a connection (called
a user awareness object) between the Defense Center and an Active Directory server. Then, on a regular
basis, the Defense Center queries the server and retrieves a list of the users in the groups you specified
in the authentication object. You can then use these users to perform access control.
You must make sure the total number of users in the groups you specify in the authentication object is
less than your FireSIGHT user license. If your parameters are too broad, the Defense Center obtains
information on as many users as it can and reports the number of users it failed to retrieve in the task
queue. For performance and licensing reasons, Cisco recommends that you specify only the groups that
represent the users you want to use in access control.
Viewing Your Licenses
License: Any
Use the Licenses page to view the licenses for a Defense Center and its managed devices. For each type
of appliance in your deployment, the page lists the total number of licenses you have as well as the
portion of those licenses that are in use.
Keep in mind that on this page, the number of FireSIGHT User licenses in use represents the number of
users detected by the FireSIGHT System, that is, the number of users in the Users database. It does not
represent the number of access-controlled users you are using for access control. For more information,
see Understanding FireSIGHT Host and User License Limits, page 65-8.
The Licenses page also provides details on each of your licenses. For each model, you can see how many
licenses of each type you have, and how many managed devices you can license with each type of
license. For licenses that expire, the page provides you with the expiration date.
Other than the Licenses page, there are a few other ways you can view licenses and license limits:
• The Product Licensing dashboard widget provides an at-a-glance overview of your licenses.
• The Device Management page (Devices > Device Management) lists the licenses applied to each of your
  managed devices.
• Two health modules, License Monitor and FireSIGHT Host License Limit, communicate license
  status when used in a health policy.
To view your licenses:
Access: Admin
Step 1
Select System > Licenses.
The Licenses page appears.
Adding a License to the Defense Center
License: Any
Before you add a license to the Defense Center, make sure you have the activation key provided by Cisco
when you purchased the license.
With the exception of FireSIGHT, you must enable licenses on your managed devices before you can
use licensed features. You can enable a license either when you add a device to the Defense Center, or
by editing the device’s general properties after you add the device. Note that because Series 2 devices
automatically have Protection capabilities, with the exception of Security Intelligence filtering, you
cannot disable these capabilities, nor can you apply other licenses to a Series 2 device. See Changing a
Device’s Licensed Capabilities, page 65-13.
Note
If you add licenses after a backup has completed, these licenses will not be removed or overwritten if
this backup is restored. To prevent a conflict on restore, remove those licenses before restoring the
backup, noting where the licenses were used, and add and reconfigure them after restoring the backup.
If a conflict occurs, contact Support.
To add a license:
Access: Admin
Step 1
Select System > Licenses.
The Licenses page appears.
Step 2
Click Add New License.
The Add License page appears.
Step 3
Did you receive an email with your license?
• If yes, copy the license from the email, paste it into the License field, and click Submit License.
  If the license is correct, the license is added. Skip the rest of the procedure.
• If no, click Get License.
  The Licensing Center web site appears. If you cannot access the Internet, switch to a computer that
  can. Note the license key at the bottom of the page and browse to
  https://tools.cisco.com/SWIFT/LicensingUI/Home.
Step 4
Follow the on-screen instructions to obtain your license, which will be sent to you in an email.
Tip
You can also request a license on the Licenses tab after you log into the Support Site.
Step 5
Copy the license from the email, paste it into the License field in the Defense Center’s web interface, and
click Submit License.
If the license is valid, it is added. You can now enable the license’s capabilities on your managed devices,
as described in Changing a Device’s Licensed Capabilities, page 65-13.
Deleting a License
License: Any
Use the following procedure if you need to delete a license for any reason. Keep in mind that because
Cisco generates licenses based on each Defense Center’s unique license key, when you delete the license
from one Defense Center and then reuse it on a different Defense Center, you must request a new license
based on the license key from the new Defense Center.
In most cases, deleting a license removes your ability to use features enabled by that license. For more
information, see Service Subscriptions, page 65-7.
To delete a license:
Access: Admin
Step 1
Select System > Licenses.
The Licenses page appears.
Step 2
Next to the license you want to delete, click the delete icon.
Deleting a license removes the licensed capability from all devices using that license. For example, if
your Protection license is valid for and enabled on 100 managed devices, deleting the license removes
Protection capabilities from all 100 devices.
Step 3
Confirm that you want to delete the license.
The license is deleted.
Changing a Device’s Licensed Capabilities
License: Any
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
To change the licensed capabilities of a Series 3 device, virtual device, Cisco NGIPS for Blue Coat
X-Series, or ASA FirePOWER device, edit the device’s general properties on the Device Management
page. Although there are some exceptions, you cannot use the features associated with a license if you
disable it on a managed device.
Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence
filtering. You cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.
Note that, although you cannot use a Malware or URL Filtering license with a DC500 Defense Center,
you can use a DC500 to enable or change these and other licensed capabilities of a Series 3 device,
virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device.
For detailed information on the licenses you can enable, including version, model, and other
requirements, see Service Subscriptions, page 65-7.
To enable or disable a device’s licensed capabilities:
Access: Admin/Network Admin
Step 1
Select Devices > Device Management.
The Device Management page appears.
Step 2
Next to the device where you want to enable or disable a license, click the edit icon.
The Interfaces tab for that device appears.
Step 3
Click Device.
The Device tab appears.
Step 4
Next to the License section, click the edit icon.
The License pop-up window appears.
Step 5
Enable or disable the licensed capabilities of the device by clearing or selecting the appropriate check
boxes.
Step 6
Click Save.
The changes are saved but do not take effect until you apply the device configuration; see Applying
Changes to Devices, page 4-25.