Tag Archives: License

ASA FirePOWER Licensing

ASA FirePOWER Module Licenses

Licenses allow your device to perform a variety of functions including:

  • Intrusion Detection and Prevention
  • Security Intelligence filtering
  • File Control and Advanced Malware Protection
  • Application, User, and URL Control

Certain licenses, like the Control license, are perpetual. Other licenses require that you purchase a service subscription to enable the license.

License Type  Service Subscription Capabilities Prerequisite Expire Capable
Protection TA Intrusion Detection and Prevention, File Control,
Security Intelligence Filtering
None No
Control None (included with module) User and Application Control Protection No
Malware TAM, TAMC, AMP Advanced Malware
Protection (Network-based
Malware Detection and
Protection Yes
URL Filtering TAC, TAMC, URL Category and Reputation-based URL Filtering Protection Yes
Service Subscriptions
Subscription Types License You Assign in FirePOWER System
TA Control + Protection (a.k.a. “Threat & Apps,” required for system updates)
TAC Control + Protection + URL Filtering
TAM Control + Protection + Malware
TAMC Control + Protection + URL Filtering + Malware
AMP Malware (add-on where TA is already present)
URL URL Filtering (add-on where TA is already present)

TA – Threat & Apps License required for system updates
TAC – URL Filtering license as a services subscription combined with Threat & Apps
TAM – Malware license as a subscription combined with Threat & Apps
TAMC – Malware license as a subscription combined with Threat & Apps and URL Filtering
AMP – Advanced Malware Protection License
URL – URL Filtering License

Protection License
  • Intrusion Detection and Prevention – It allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control – It allows you to detect and, optionally, block users from uploading or downloading files of specific types over specific application protocols. With a Malware license , you can also inspect and block a restricted set of those file types
    based on their malware dispositions.
  • Security Intelligence Filtering – It allows you to blacklist (deny traffic to and from) specific IP addresses, before the traffic is subjected to analysis by access control rules.  Dynamic feeds allow to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

A Protection license is automatically included (along with a Control license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

Control License

A Control license allows you to implement user and application control by adding user and application conditions to access control rules. To enable Control, you must also enable Protection.

A Control license is automatically included (along with a Protection license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

Malware License

A Malware license allows you to perform advanced malware protection, that is, use devices to detect and block malware in files transmitted over your network. To enable Malware on a device, you must also enable Protection.

URL Filtering License

URL filtering allows you to write access control rules that determine the traffic that can traverse network based on URLs requested by monitored hosts, correlated with information about those URLs, which is obtained from the Cisco cloud by the ASA FirePOWER module. To enable URL Filtering, you must also enable a Protection license.

Cisco IOS Packages and Licenses

Feature Sets/Technology Package
  1. IP Base (ipbasek9) – Entry level Cisco IOS functionality. Some of the key feature are AAA BGP, OSPF, EIGRP, ISIS, RIP, PBR, IGMP, Multicast, DHCP, HSRP, GLBP, NHRP, HTTP, HQF QoS ACL, NBAR GRE CDP, ARP NTP PPP PPPoA PPPoE RADIUS TACACS, RSVP, NTP, Flexible Netflow etc.
  2. DATA  (datak9) – Data features found in SP Services and Enterprise Services IOS image on ISR Routers. It support MPLS, ATM, and Multiprotocol support.
  3. Security (securityk9) – It support Cisco IOS Firewall , IPS , IPsec , 3DES, VPN etc.
  4. Unified Communications (uck9) – It support VOIP & IP Telephony


Universal IOS Packaging Overview

ISR Integrated Service Router comes with IPbase feature set and we need to get the license package to  run the other three technology packages.

License Types Available on ISR Routers
Permanent Licenses

Permanent licenses are valid for the life of the device on which it is installed. Some examples of permanent licenses are IOS Technology Packages (IPBase, UC, SEC, DATA), Feature Licenses such as SSL VPN etc.

Temporary Licenses

Temporary licenses are used for evaluating new capabilities or in emergency situations. A temporary license allows a feature set to be used for 60 days of actual usage. When the 60-day period expires, the device will continue to operate normally until reloaded. After the reload, the device will default to the original functionality before the temporary license was enabled. Only actual time that the temporary license is enabled counts towards the 60 day limit. The Cisco Technical Assistance Center (TAC) can provide an extension license for longer trials or other circumstances.