Cisco Network Security Ordering Guide

Updated: September 24, 2022

Introduction

Purpose

This document describes the ordering guidance for Cisco physical, virtual, and containerized network security solutions, including:

      Cisco Secure Firewall Threat Defense (FTD)

      Cisco Secure Firewall Adaptive Security Appliance (ASA)

      Cisco Firepower 1000 Series, 2100 Series, 3100 Series, 4100 Series, and 9300 Series Appliances (which can run both FTD and ASA software)

In addition, this guide details the process of enabling extended logging and analytics for both FTD and ASA platforms, as well as Cisco ISE Passive Identity Connector (ISE-PIC) for identity integration into FTD.

This guide will help you make sure that the right quantities and types of parts are selected to reduce the risk of order rejection.

Audience

This guide is intended for Cisco sales, partners, and distributors.

Scope

This document covers orderability for the following products and their associated licenses and options:

Cisco Secure Firewall (Both Firewall Threat Defense and ASA software)

      Hardware appliances (Cisco Firepower or Cisco Secure Firewall appliances)

      Virtualized and containerized appliances (FTDv, ASAv, and Secure Firewall Cloud Native)

Firewall management solutions

      Cisco Secure Firewall Management Center (formerly Firepower Management Center): It provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. Quickly and easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks. Firewall Management Center is available in all form factors – physical appliance, virtual appliance, public cloud and cloud-delivered (software as a service model).

      Cisco Defense Orchestrator: It helps you establish and maintain a security posture by managing security policies across Cisco security devices. Cisco Defense Orchestrator also incorporates the cloud-delivered version of Secure Firewall Management Center. As a cloud service, it is an always-available, highly reliable, highly scalable, multitenant platform.

Cisco Defense Orchestrator provides management of security policy, objects and configuration for Cisco Adaptive Security Appliance and Cisco Secure Firewall Threat Defense (formerly Next-Generation Firewalls, or NGFW). Also supported are the Meraki MX Firewalls and AWS Security Groups for pure policy and object management. Configuration management for these platforms is still available through their native user interface.

Note: For the Cisco Defense Orchestrator Ordering Guide, please click here.

      Cisco Security Manager software: Cisco Security Manager is an on-premise centralized management platform for Cisco Adaptive Security Appliances (ASA), enabling consistent policy enforcement, troubleshooting and summarized reports.

Optional Software

      Cisco Secure DDOS Protection (formerly Radware Virtual DefensePro DDoS Mitigation)

      Cisco Secure Client (formerly Cisco AnyConnect Secure Mobility Client)

Support

      Cisco Smart Net Total Care appliance support services

      Cisco Software Application Support plus Upgrades (SASU)

Note: Any order for a service will be subject to the detailed terms and conditions presented in this guide.

Selecting the Appropriate Management Solution

Several management solutions are available to manage Cisco Secure Firewalls. The following guidelines can help select the most appropriate one, but you can consult a Cisco expert to help select the best manager for your customer or use cases.

Choosing the right management solution is tied to a few factors:

      The software image you select, either Firewall Threat Defense (FTD) or ASA software image

      Willingness to use a cloud based solution for management

      Need for specific features or environment scale

Local managers are included with both software options for single firewall deployments:

      ASDM is included with the ASA software image

      Firewall Device Manager (FDM) is included with the Firewall Threat Defense software Image for all supported appliance models (Cisco Firepower 1000 Series, 2100 Series, 4100 Series and 9300 Series)

The Cisco Secure Firewall Threat Defense software image enables centralized management with either an on-premise, virtual or cloud based manager - Cisco Secure Firewall Management Center.

Cisco Defense Orchestrator unites management across Cisco solutions and incorporates the cloud-delivered version of Secure Firewall Management Center. This makes Cisco Defense Orchestrator the best option for customers who want to use a cloud based solution for the management of ASAs, FTDs or a mix of ASAs and FTDs from a single pane of glass.

Devices running the ASA software can be managed centrally with the Cisco Security Manager (local) or Cisco Defense Orchestrator (Cloud).

If a customer wants to manage multiple ASA with FirePOWER Services devices centrally, then two managers are required: Firewall Management Center for threat functions and Cisco Security Manager for firewall functions.

The following table can help guide you in which manager to select with your firewall order.

Manager selection matrix

Licensing

Smart Licensing is Cisco’s new licensing system. It enables customers to easily move licenses themselves between similar systems in their organization, overcoming limitations associated with previous device-locked Product Authorization Key (PAK)-based licenses. Become familiar with the new Smart Software Licensing portion of the ordering process.

End customers must create a Smart Licensing account on Cisco’s Smart Software Manager portal before initiating an order for the Cisco Secure Firewall Threat Defense software on select ASA appliances. Alternatively, Cisco or a partner can begin the process of creating the Smart Licensing account on behalf of the end customer. The Smart Software Manager portal is available for customers to manage the efficient use of purchased smart licenses. When the order is placed, all ordered licenses are added to the customer’s Smart Licensing account.

Table 1. Product licensing by product type

| Product | Licensing |
|---|---|
| Cisco ASA Virtual appliances | Cisco Smart Licensing |
| Cisco Secure Firewall Threat Defense Virtual appliances | Cisco Smart Licensing |
| Cisco Secure DDOS Protection (Radware vDefensePro) on Cisco Firepower 9300 and 4100 Series appliances | Supplied by Radware |
| Cisco Secure Firewall Management Center | None required |
| Cisco Secure Firewall Management Center Virtual Appliance | Either Cisco PAK or Smart Licensing |
| Cisco Security Manager | Cisco PAK Licensing |
| Cisco Security Analytics and Logging | Either Cisco Smart Licensing or Classic License |
| Cisco ISE Passive Identity Connector (ISE-PIC) | Either Cisco Smart Licensing or Classic License |

With the Cisco Smart License Manager, the customer can connect devices to the Smart Software Manager portal, so purchased licenses can be consumed as needed. These licenses can be relinquished back to the portal when a device is powered down or a user is finished using the license. With Smart Software Licensing, customers can easily check in and check out licenses to use on different platforms. Licenses are no longer locked to a specific platform.

A Smart Account can be created from Cisco Software Central. For more information on setting up a Smart Account, please refer to this Quick Reference Guide.

Additional Smart Licensing resources are available here:

| Location | Description |
|---|---|
| https://cisco.com/go/smartaccounts | Cisco Smart Accounts Overview |
| https://cisco.com/go/smartlicensing | Cisco Smart Software Licensing Overview |
| Software Operation Exchange Page | Live Training Schedule; Orderable Smart Licensing SKU List; Additional Software training and informational resources |

Cisco Secure DDOS Protection (Radware vDefensePro) Licensing

Licensing of the vDP and Vision will be administered directly by Radware. Once the order is shipped, Radware will send an email to the customer with their serial numbers. Please note the address of the person on the customer order who will receive the email. These serial numbers will be needed along with the MAC address for either vDP and/or Vision after installation. If the email with the serial numbers cannot be found, please open a TAC case to get them reissued. For detailed licensing instructions, please refer to the Radware Customer Onboarding and License Generation Instructions.

High Availability Pair Licensing

Cisco requires two (2) subscriptions for a High Availability (HA) pair of appliances running Firewall Threat Defense software image, which is configured for active-passive operation. The hardware models available with this optional configuration include:

      Cisco Firepower 1000 Series

      Cisco Firepower 2100 Series

      Cisco Secure Firewall 3100 Series

      Cisco Firepower 4100 Series

      Cisco Firepower 9300 Series

We now offer specially configured bundle SKUs that enable the purchase of a high availability pair of appliances and software subscriptions that includes 50% discounted pricing for the second software subscription in the two-appliance bundle.

The bundle consists of:

      Two (2) identically configured hardware appliances

      Two (2) identical software subscriptions

A 50% discount will be automatically applied to the second software subscription in the bundle. See the specific model section in this document for the appropriate bundle PID.

Renewing HA Bundle Software Subscriptions

The 50% pricing discount also applies to HA bundles at time of renewal.

Cisco Secure Client Licensing

Cisco Secure Client (formerly AnyConnect Plus, Apex, and VPN Only) licenses are required to use the Remote Access VPN (RA VPN) functions on all firewalls (physical and virtual) running the Firewall Threat Defense code base version 6.2.1 and later. This adds capability to the Firewall Threat Defense code base previously only available on appliances running the ASA code base.

For information on purchasing Cisco Secure Client licenses and sharing the licenses with your Smart Account, please see the Cisco Secure Client Ordering Guide.

Instructions can also be found in the Cisco Secure Client License FAQ.

Service and Support Offerings

Software Application Support Plus Upgrades (SASU)

Cisco Secure Firewall Threat Defense software, ASA with FirePOWER Services, ASA firewall, and Cisco Secure Firewall Management Center security licenses include software subscription support. SASU is essential to keeping your business-critical applications available, highly secure, and operating at optimal performance. For the term of your software subscription licenses, you will receive timely, uninterrupted access to the latest software updates and major upgrade releases, which may contain significant architectural changes and new features and functions. With software subscription support, you will have the latest software working to protect your business. You will also have access to a wide range of online tools and communities that can help you solve problems quickly, maintain business continuity, improve your competitiveness, and make the most of limited resources through increased productivity.

This support entitles customers to the services listed here for the full term of the purchased software subscription:

      Software updates and major upgrades, to keep applications performing optimally with the most current feature set

      Access to the Cisco Technical Assistance Center (TAC), which provides fast, specialized support

      Online tool building, to expand in-house expertise and boost business agility

      Collaborative learning, to provide additional knowledge and training opportunities

No additional products or fees are required to receive these services with a software subscription.

Cisco SASU includes:

      Registered access to Cisco.com

      24-hour access to the Cisco TAC and Cisco software specialists

      Maintenance and minor software release updates

      Major software upgrade releases

Please refer to the following link for more detailed information regarding Cisco SASU:
https://www.cisco.com/en/US/services/ps2827/ps2993/services_at_a_glance_sas_sasu.pdf.

Cisco Smart Net Total Care Service

Customers require a Cisco Smart Net Total Care support contract with each appliance to download application signature updates. The Smart Net Total Care Service gives customers access to an abundance of Cisco support tools and expertise, providing them with greater network availability and performance while reducing operating costs. Technical service is required to be attached at the point of the product sale so that customers get the necessary support and entitlement and the best possible return on investment. When ordering Threat Defense software on select ASA hardware, ASA with FirePOWER Services, the Management Center, or Cisco SSL hardware in Cisco Commerce, the appropriate Smart Net Total Care service items are automatically added to your quote.

The Cisco Smart Net Total Care Service provides:

      Global 24-hour access to the Cisco TAC

      Access to the online knowledge base, communities, and tools

      Current hardware replacement option: next business day, where available

      Operating system software updates

      Smart, proactive diagnostics and real-time alerts on devices enabled with Cisco Smart Call Home

Please refer to the following link for more detailed information regarding Cisco Smart Net Total Care Service: https://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_group_home.html.

Cisco Advanced Services

The Cisco Global Security Solutions team provides comprehensive assessment, design, deployment, and migration assistance through the Cisco Advanced Services Transaction (AS-T) model, which involves the use of a Statement of Work (SOW). These Cisco AS-T offers are custom scoped and priced, and partners need to engage a Cisco Services account manager to purchase them.

Cisco Security Plan and Build Services help customers develop and deploy a comprehensive security strategy they can rely on to deliver the industry's most comprehensive advanced threat protection solution. This service incorporates a best-practice review, deployment, and mini-tune-up to help ensure that the system is alerting properly.

Cisco Security Migration Services help customers move from existing Cisco Sourcefire or competitive environments. Cisco performs an analysis of the current environment, develops a migration plan, tests the plan in a lab, and performs the migration in the production environment.

To order the customized Cisco Security Plan and Build Services and Migration Services, use the Cisco AS-T part numbers in the table below.

Table 2. Cisco AS-T ordering information

| Part numbers | Description | Price (US$) |
|---|---|---|
| AS-SEC-CNSLT (-A, -L) | Cisco Security Plan and Build Services | Custom priced |
| AS-SEC-CNSLT (-A, -L) | Cisco Security Migration Services | Custom priced |

Cisco Technical Services

Cisco Technical Services for Cisco products can be quoted and ordered in Cisco tools, including the Cisco Service Contract Center (SCC) and Cisco Commerce (CCW). Tool use varies depending on the service offer and partner type and whether the service is attached at the time of product purchase.

Partner Supported Services (PSS)

Customers who choose to purchase Partner Supported Services (PSS) from an authorized Cisco partner are also entitled to download application signature updates. For more details, visit https://www.cisco.com/go/partnerservices and the Partner Support Service Global Ordering Guide for Cisco 1-Tier Partners.

Cisco Talos Incident Response

Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare, respond and recover from a cyber security breach. CTIR enables 24 hour emergency response capabilities and direct access to Cisco Talos, the world's largest threat intelligence and research group.

You can order and transact CTIR while ordering specific Cisco Firepower 4K and 9K Series master bundles. This will provide you yet another option to create a stronger security posture and stay protected in case of a security breach. The CTIR PID will be auto-attached based on product order size. The auto-attached SKU can be removed and is not mandatory.

CTIR option available in Cisco Firepower master bundles:

| CTIR PID (Orderable PID) | CTIR SKU (Do not order without CTIR PID) | Description |
|---|---|---|
| CTIR-NGFW-S= | CON-CTIR-NGFW | Cisco Talos Incident Response Retainer-Small, Attach with NGFW |

To learn more on CTIR, click here.

SKUs and Ordering Guidance for Cisco Firepower 1000, 2100, 3100, 4100 and 9300 Series

Introduction

Scope: This section describes the pricing and ordering for the following products:

      Cisco Firepower 1000 Series

      Cisco Firepower 2100 Series

      Cisco Secure Firewall 3100 Series

      Cisco Firepower 4100 Series

      Cisco Firepower 9300 Series

About the Cisco Firepower 1000, 2100, 3100, 4100, and 9300 Series

The Cisco Firepower 1000, 2100, 3100, 4100, and 9300 Series, when deployed as Layer 3, 4, and 7 firewall sensors, use the Cisco Secure Firewall Threat Defense software image. The Cisco Secure Firewall Management Center provides unified management for firewall and dedicated IPS. The on-device Firewall Device Manager is also available with Secure Firewall Threat Defense software. Alternatively, the Cisco Secure Firewall with Adaptive Security Appliance (ASA) software image is also supported on the Cisco Firepower 9300, Cisco 4100 Series, Cisco 3100 Series, Cisco 2100 Series and Cisco 1000 Series. When running the ASA software image, the ASDM on-device manager is available. Cisco Firepower 4100 and 9300 series appliances are also available with the Cisco Secure DDoS Protection. Alternatively, all Secure Firewalls are available with cloud-based Cisco Secure DDoS Protection.

Cisco Firepower 1000 Series Appliances

The Cisco Firepower 1000 Series comprises three threat-focused security appliances. The 1000 Series addresses SMB, Branch/Distributed Enterprise and Internet Edge deployments. The 1000 Series hardware delivers superior threat defense, at fast speeds, with a smaller footprint than its predecessors, the ASA-5506-X, ASA-5508-X and ASA-5516-X. The 1000 Series is now available in ASA and FTD software images.

Chassis Overview: Cisco Firepower 1010

Front view

Integrated 8x10/100/1000 RJ45 ports

Integrated 4x1G SFP ports

Console (Cisco RJ45 serial or mini-USB)

1x USB 2.0 Host and 1x USB console

1 RJ45 10/100/1000Base-T Management Port

  Management Console and Ethernet
  Singular AC PSU

Rear view

1. 1 power supply module bay

Chassis Overview: Cisco Firepower 1120 and 1140

Front view

1. Fixed ports

  Integrated 8x10/100/1000 RJ45 ports
  Integrated 4x1G SFP ports
  Console (Cisco RJ45 serial or mini-USB)
  1x USB 2.0 Host and 1x USB console
  1 RJ45 10/100/1000Base-T Management Port
  Management Console and Ethernet

2. Modular options (FRU)

Rear view

1. 1 power supply module bay

Chassis Overview: Cisco Firepower 1150

Front view

1. Fixed ports

  Integrated 8x10/100/1000 RJ45 ports
  Integrated 2x1G SFP ports and 2x10G SFP+ ports
  Console (Cisco RJ45 serial or mini-USB)
  1x USB 2.0 Host and 1x USB console
  1 RJ45 10/100/1000Base-T Management Port
  Management Console and Ethernet

2. Modular options (FRU)

Rear view

1. 1 power supply module bay

Cisco Firepower 2100 Series Appliances

The Cisco Firepower 2100 Series comprises four threat-focused security appliances. The 2100 Series addresses mid-market use cases from the Internet edge to the data center.

Chassis Overview: Cisco Firepower 2110 and 2120

Front view

1. Fixed ports

  4 x SFP and 12 x RJ45 ports, USB2.0
  12 x 1G copper and 4 x SFP 1G
  Secondary bay for AMP storage
  Management Console and Ethernet
  Singular AC PSU

Rear view

1. 1 power supply module bay

Chassis Overview: Cisco Firepower 2130 and 2140

Front view

1. Fixed ports

  4 x SFP+ and 12 x RJ45 ports, USB2.0
  12 x 1G Copper and integrated 4 x SFP+ 10G
  Secondary bay for AMP storage
  Netmod bay with optional expansion for fiber, copper modules
  Management Console and Ethernet

2. Modular options (FRU)

  Optional dual PSU 2130, standard dual PSU 2140
  Optional DC

Rear view

1. 2 power supply module bays

Cisco Secure Firewall 3100 Series Appliances

The Cisco Secure Firewall 3100 Series comprises four threat-focused security appliances. The 3100 Series addresses emerging hybrid mid-market and high-end use cases from the Internet edge to the data center, providing superior performance at a highly competitive price point and bringing several high-end capabilities to the mid-market.

Chassis Overview: Cisco Firepower 3110 and 3120

Front view

1. Fixed ports

  8x 10/100/1000 Base-T Copper Ports
  8x 1/10G (SFP) Fiber Ports
  Secondary bay for optional RAID1 support
  Management Console and Ethernet
  Singular AC PSU
  Optional DC

Rear view

1. 1 power supply module bay

2. Fans

Chassis Overview: Cisco Firepower 3130 and 3140

Front view

1. Fixed ports

  8x 10/100/1000 Base-T Copper Ports
  8x 1/10/25G (SFP) Fiber Ports
  4x 40G Netmod Bays
  Secondary bay for optional RAID1 support
  Management Console and Ethernet

2. Modular options (FRU)

  Standard dual PSU
  Optional DC

Rear view

1. 2 power supply module bays

2. Fans

Cisco Firepower 4100 Series Appliances

The Cisco Firepower 4100 Series comprises four threat-focused security appliances. The 4100 Series addresses use cases from the Internet edge to the data center. The 4100 Series hardware delivers superior threat defense, at faster speeds, with a smaller footprint. Also, the Cisco Firepower 4100 Series enables an evolutionary path, on the customer’s timeline, to the Cisco Secure Firewall Threat Defense, even if the customer chooses the ASA image in the immediate term.

Chassis Overview: Cisco Firepower 4100 Series

Front view

1. 8 SFP+ ports (require SFP optics module selection)

  2 Network Module bays
  Optional Network Modules with optional optics modules

2. SSD bays (one occupied by default, second bay for future expansion)

Rear view

1. 2 power supply module bays

  4110, 4112, and 4115: single AC default, dual AC or DC optional
  4125 and 4145: dual AC default, DC optional

2. 6 hot-swappable fans (default configuration, no options)

Cisco Firepower 9300 Series Appliances

The Cisco Firepower 9300 is a modular, scalable, carrier-grade appliance, available in Network Equipment Building Standards (NEBS) configurations, designed for service providers, data centers, campuses, supercomputing centers, high-frequency trading environments, and other environments requiring both low latency and the greatest throughput. In the service provider context, it is specifically designed for carriers, content providers, and cloud service providers to protect the Cisco Evolved Programmable Network, Cisco Evolved Services platform, and Cisco Application Centric Infrastructure architectures. (For more information, please see Cisco service provider security solutions.)

Tightly integrating threat-centric security services from Cisco and its partners, the 9300 appliance lowers integration costs and supports the full realization of highly secure, open, and programmable networks. In addition to providing class-leading security services, it offers low (less than 5-microsecond) latency, throughput for single flows exceeding 30 Gbps, and class-leading performance and port density on a per-rack-unit basis.

Chassis Overview: Cisco Firepower 9300

Supervisor module (included): provides overall chassis management and network interaction

  Network interface allocation and security module connectivity (960-Gbps internal fabric)

2 x Network Module bays

  10, 40, and 100 Gigabit Ethernet network connectivity options

Security Modules: modular computing capability expands as your needs grow. Pictured are the three bays for Security Modules. A minimum of one must be ordered for standard operation.

With three SM-56 Security Modules, Cisco Firepower 9300 features up to 235 Gbps of stateful (ASA) firewalling performance, and 1.2 Tbps of clustered performance with 5 clustered Cisco Firepower 9300 chassis.

Also available: NEBS-compliant modules.

Also pictured at right are the rear views of the Cisco Firepower 9300. Note that it is available with dual AC, DC, or HVDC power supplies. Also, the fan assemblies and power supplies are user replaceable.

Reminder: The Cisco Firepower 9300 is available with 10, 40, and 100 GE Network Modules.

Special Guidelines for Quoting the Cisco Firepower 9300

Cisco Firepower 9300 ordering is highly customizable, and options are offered “à la carte” (that is, separately). You’ll nevertheless find the ordering process quite straightforward.

The following table shows the four core components of a Cisco Firepower 9300 order.

Table 3. Components of a Cisco Firepower 9300 order

Common hardware

Base Cisco Firepower 9300 Security Appliances include:

  Chassis (1)
  Supervisor (1)
  Fans (4)
  Power supplies (2 – AC, DC or HVDC)

Optional modules

Choice of Security Modules — up to three bays per chassis:

  SM-40, 48, 56

Choice of network modules — two bays per chassis:

  1/10/40/100Gbps options

Software licenses

Smart Licenses

ASA:

  ASA Standard
  Carrier
  Strong Encryption
  Security Contexts

Cisco Secure Firewall Threat Defense:

  Threat Base (includes Application Visibility and Control – AVC)
  Threat license and subscription terms (see Services and subscriptions below)

Third-party software:

  Cisco Secure DDOS Protection (Radware Virtual DefensePro)

Services and subscriptions

Smart Net Total Care Service

Cisco Secure Firewall Threat Defense Subscriptions (1-, 3-, or 5-year terms)

  Threat (includes Security Intelligence, IPS)
  Malware defense
  URL

Common hardware is bundled. However, your customer may wish to order extra fans and power supplies with the initial order, as these are hot-swappable, user-replaceable items. Please note that every order will require at least one, and up to three, Security Modules. Network Modules are also ordered separately.

Regarding software licenses, keep in mind that the Cisco Firepower 9300 runs either the ASA software image or the Cisco Secure Firewall Threat Defense image. Also, please note that the Encryption license is export controlled. It is available for most markets, to customers in countries where U.S. export control permits the export of strong cryptography. For more information, visit export compliance details.

In the third-party software category, Cisco Secure DDOS Protection (Radware Virtual DefensePro DDoS-mitigation capability) has been tightly integrated into the Cisco Firepower 9300 and 4100 Series with ASA software, and is orderable from and supported directly by Cisco.

ASA Licensing for Cisco Firepower Appliances

The 9300 appliance, 4100 Series, 3100 Series, 2100 Series and 1000 Series are available with either the Cisco Secure Firewall Threat Defense image or the Cisco Adaptive Security Appliance (ASA) image. Cisco Firepower appliances with ASA are available through Smart Licenses. They include a Base license and up to three optional licenses (Encryption, Security Contexts, and Carrier).

Base License (Free)

L-F9K-ASA(=) (for the Cisco Firepower 9300), L-FPR4100-ASA(=) (for the Cisco Firepower 4100 Series models), L-FPR3100-ASA(=) (for the Cisco Secure Firewall 3100 Series models), L-FPR2100-ASA(=) (for the Cisco Firepower 2100 Series models) or L-FPR1000-ASA(=) (for the Cisco Firepower 1000 Series models): Licensing on the ASA is simplified for the Cisco Firepower appliances. More than 50 ASA feature licenses are condensed into a single license. This license also includes the following security contexts by default: 10 security contexts for Firepower 9300, 10 security contexts for Firepower 4100 Series, 2 security contexts for Secure Firewall 3100 Series, 2 security contexts for Firepower 2100 Series and 2 security contexts for Firepower 1000 Series.

Encryption License (Free)

L-F9K-ASA-ENCR-K9(=) (for the Cisco Firepower 9300), L-FPR4K-ENC-K9(=) (for Cisco Firepower 4100 Series models), L-FPR3K-ENC-K9(=) (for Cisco Secure Firewall 3100 Series models), L-FPR2K-ENC-K9(=) (for the Cisco Firepower 2100 Series models) or L-FPR1K-ENC-K9(=) (for Cisco Firepower 1000 Series models): This license provides for strong encryption (K9) on the platform. The U.S. export of strong cryptography is not available to export-restricted regions. Cisco solutions and products with strong encryption may not be delivered to individuals or entities on the U.S. government's list of denied or restricted parties.

Please review the U.S. Bureau of Industry and Security's list of parties of concern at: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern.

Additional Security Contexts (Paid)

L-F9K-ASA-SC-10(=) (for the Cisco Firepower 9300), L-FPR4K-ASASC-10(=) (for the Cisco Firepower 4100 Series models), L-FPR3K-ASASC-10(=) (for the Cisco Secure Firewall 3100 Series models) or L-FPR2K-ASASC-10(=) (for the Cisco Firepower 2100 Series models): This license adds 10 security contexts to an ASA instance on the 9300 appliance, 4100 appliance, 3100 appliance or 2100 appliance, respectively.

Carrier License Option (Paid)

L-F9K-ASA-CAR(=) (for the Cisco Firepower 9300) or L-FP4K-ASA-CAR= (for Cisco Firepower 4100 Series models) or L-FPR3K-ASA-CAR= (for Cisco Secure Firewall 3100 Series models): This license covers carrier feature enablement.

Cisco Secure Firewall Threat Defense Licensing for Cisco Firepower Appliances

Figure 2, which is provided for general reference purposes only, highlights the typical order flow. Start with the primary bundle part numbers and the software image (ASA or Firewall Threat Defense), and then, in the case of the example, associated Cisco Secure Firewall Threat Defense–related licenses and subscriptions for functionality like Security Intelligence and IPS (“T”), Advanced Malware Protection (“M”), and URL Filtering (“C”). This example concludes with ordering the associated virtualized Cisco Secure Firewall Management Center. Note that Cisco Secure Firewall Threat Defense ships standard with the option to activate a 3-month trial license without activation of a Smart License account.

Figure 2. Typical order flow

Ordering Steps for Cisco Firepower 9300, FTD-Based Cisco Firepower 9300

1.     Start with one of the following FTD Bundles SKUs in CCW

      FPR9K-FTD-BUN

2.     Select Hardware Options and Quantity

a.   Chassis Type – AC, DC, or HVDC

i.    Chassis Options including Netmod, Sup, SFPs, power cables

b.   Security Module Quantity - up to 3 per chassis

3.     Select Subscriptions

a.   Type

i.    T=

ii.   URL=

iii.   AMP=

iv.   TC=

v.   TM=

vi.   TMC=

b.   Term

i.    1 Year

ii.   3 Years

iii.   5 Years

4.     Select Base Software License for each security module

5.     Save and exit bundle configuration and select quantity of each bundle configured. Each bundle corresponds to a single-chassis configuration. After saving the configuration, you can change quantity for more than one chassis with the same configuration

Cisco ISE Passive Identity Connector (ISE-PIC)

Due to End-of-Life for the Cisco Firepower User Agent, FTD requires the use of either Cisco Identity Services Engine (ISE) or Cisco ISE Passive Identity Connector (ISE-PIC) in order to control policy based on Active Directory user. This section describes the procedure for ordering Cisco ISE Passive Identity Connector (ISE-PIC). For information on how to order Cisco Identity Services Engine (ISE), please see the Identity Services Engine Ordering Guide.

The Cisco Identity Services Engine (ISE) Passive Identity Connector centralizes, consolidates, and distributes identity information, including IP addresses, MAC addresses, and usernames. It centralizes the authentication information, becoming the single source of truth for its subscribers. Using the Cisco Platform Exchange Grid (pxGrid), the Cisco ISE Passive Identity Connector can support up to 20 subscribers. Further details on the capabilities of the Cisco ISE Passive Identity Connector (ISE-PIC) can be found on the Cisco ISE Passive Identity Connector (ISE-PIC) Data Sheet.

Table 4.          Cisco ISE-PIC ordering information

| SKU | Description | Services and subscriptions |
| --- | --- | --- |
| R-ISE-PIC-VM-K9= | ISE Passive Identity Connector 3,000 session Virtual Machine | CON-ECMU-RISEPIVM |
| L-ISE-PIC-UPG= | ISE Passive Identity Connector – Upgrade to maximum 300,000 sessions | CON-ECMU-LISEPUPG |

Note:      You may be entitled to ISE-PIC at no cost if you have a qualifying FMC and valid support contract. For more information see EoS/EoL Notice for Cisco Firepower User Agent.

Cisco Security Analytics and Logging

This section describes the procedure to enable extended logging and analytics by ordering Cisco Security Analytics and Logging as part of your firewall purchase. The detailed ordering process is described here.

The Security Analytics and Logging offer has two distinct delivery mechanisms, as shown below:

      Security Analytics and Logging (SaaS): A cloud-delivered, Software-as-a-Service (SaaS) offering with a Cloud Data Store.

      Security Analytics and Logging (On prem): An on-premises appliance-based software application with an On-premises Data Store.

Discounted Bundling When Attaching with Firewall Subscriptions via CCW

a.     Begin by navigating to the firewall model to be ordered (FPR1150-NGFW-K9, for example).

b.     Make your software choice under the “Subscriptions” category at the top (wherever present) and navigate to the “Extended Logging and Analytics” category below.

c.     You are presented with two options to the right: “On-Premises Data Store” or “Cloud Data Store.” Only one option can be selected per firewall being ordered, with either the same or different subscription term as the firewall subscription.

d.     The “Cloud Data Store” option allows selection of either the Logging License, SEC-LOG-CL, or the “Logging Analytics License,” SEC-ANYL-CL. Only one option needs to be chosen, as the Logging License is nested under Logging Analytics. Both Cloud licenses include access to a Cisco Defense Orchestrator tenant for log viewing only, which can be requisitioned using the link here: https://www.ciscofeedback.vovici.com/se/6A5348A75C69D114

e.     Choosing any one of the two data store options will attach a default logging volume in GB/day for that firewall model, based on expected daily volume per the Estimator Tool. Logging rate comes with a default retention of 90 days rolling storage for Cloud Logging.

f.      The last three optional licenses are Data Retention extensions, which extend log retention to 1, 2, or 3 years in the cloud.

a.     If SAL (Op) is desired, the “On-Premises Data Store” tab allows choosing the base Logging and Troubleshooting license, SEC-LOG-OP. This license supports remote query by FMC and is hosted on SNA appliance(s), as detailed in section 1.2.2.

a.     The process for bundling extended logging and analytics for the Firewall FPR9K series devices is different, as the Security Modules (SM) configured as part of the order determine the Logging quantity required. The Logging quantities needed are 190, 225 and 257 GBs/day for each SM-40, SM-48 and SM-56 respectively, and this quantity needs to be entered manually for the extended logging and analytics licenses. The system will display a warning of the logging quantities required for each Security Module, as shown below:

Expected Retention Period

The expected retention period for the SAL service under average deployment conditions (see note below table) is as follows:

Table 5.        Retention Matrix

Sustained Firewall Events per Second (eps)

Equivalent GB/day

On-premises

Cloud

 

Single node* 1TB Storage

Single node 2TB Storage

Single node 4TB Storage

Multinode** Virtual

Multinode HW

Single SEC

MultiSEC

Direct-to Cloud

 

 

Expected Retention period in days (under average deployment conditions)

 

5,000

562

50

100

200

300

600

Up to 3 years

NA

Up to 3 years

Up to 3 years

Not recommended when individual device’s logging rate exceeds 8,500 eps

10,000

1,123

25

50

100

150

300

20,000

2,246

12.5

25

50

75

150***

50,000

5,616

NA

NA

NA

30

60

75,000

8,424

NA

NA

NA

NA

40

100,000

11,232

NA

NA

NA

NA

30

200,000

22,464

NA

NA

NA

NA

NA

Note:      The on-premises log retention in days above are based on average deployment conditions, and may vary materially in different production environments.

* Single-node = Repurposed SMC 2210 (HW or Virtual)
** Multi-node = SMC 2210 + FC 4210 + DS 6200 (All appliances HW or Virtual)
*** Compare FMC native logs retention ½ day @ 20,000 peak eps

Cisco Secure DDOS Protection (Radware Virtual DefensePro DDoS Mitigation Option)

Overview

Cisco Secure DDOS Protection is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco. It is available with the Cisco Firepower 9300 and select Cisco Firepower 4100 Series models running either the ASA or FTD software image. The following table details Firepower model and software image compatibility with Radware vDP.

Table 6.          Cisco Secure DDOS Protection (Radware vDP) on Cisco Firepower running either ASA or FTD software image

9300 Series – All Security Modules

yes

yes

4100 Series – All Models

yes

yes

Performance

The performance figures in the tables below apply to all Cisco Firepower 9300 and 4100 Series model configurations running either the ASA or FTD software image.

Table 7.          Key DDoS performance metrics for Cisco Firepower 4100 Series

| Parameter | Value |
| --- | --- |
| Maximum mitigation capacity/throughput | 10 Gbps |
| Maximum legitimate concurrent sessions | 209,000 Connections Per Second (CPS) |
| Maximum DDoS flood attack prevention rate | 1,800,000 Packets Per Second (PPS) |

The performance figures in the following table are for Cisco Firepower 9300 with 1 to 3 Security Modules irrespective of Security Module type.

Table 8.        Key DDoS performance metrics for Cisco Firepower 9300 with 1, 2, or 3 Security Modules

| Parameter | Firepower 9300 with 1 Security Module | Firepower 9300 with 2 Security Modules | Firepower 9300 with 3 Security Modules |
| --- | --- | --- | --- |
| Maximum mitigation capacity/throughput | 10 Gbps | 20 Gbps | 30 Gbps |
| Maximum legitimate concurrent sessions | 209,000 Connections Per Second (CPS) | 418,000 Connections Per Second (CPS) | 627,000 Connections Per Second (CPS) |
| Maximum DDoS flood attack prevention rate | 1,800,000 Packets Per Second (PPS) | 3,600,000 Packets Per Second (PPS) | 5,400,000 Packets Per Second (PPS) |

Capacity vs. Licensing

Performance/Capacity/Throughput is dependent on the number of cores assigned to the vDP virtual device:

      By default, Radware virtual DefensePro (vDP) installs using 6 cores (1 management, 5 software) across each of Cisco Firepower 9300’s Security Modules and 4100 Series platforms.

      At install, the number of cores assigned to vDP can be adjusted from 2 to 10 to optimize the throughput performance of Cisco Firepower appliance depending on the customer need.

      While using the default 6 cores, the performance numbers for vDP are constant across platforms. The table below represents the relative performance level expected from ASA and FTD by removing 6 cores from the total available cores on the respective platforms (i.e. 24 cores minus 6 equals 75% of the total performance still available).

Table 9.          Expected ASA or FTD image performance with 6 of the available cores assigned to vDP

| Cisco Firepower Model | Total vCores | Expected ASA or FTD Performance with vDP Active |
| --- | --- | --- |
| 9300 – SM-56 | 56 | 89.3% |
| 9300 – SM-48 | 48 | 87.5% |
| 9300 – SM-40 | 40 | 85.0% |
| Firepower 4145 | 44 | 93.2% |
| Firepower 4125 | 32 | 90.6% |
| Firepower 4115 | 24 | 75.0% |
| Firepower 4112 | 24 | 75.0% |
| Firepower 4110 | 24 | 75.0% |

Licensing is based on the amount of legitimate traffic, not the capacity of the VM to process information.

      Purchase vDP licenses based on the amount of the client’s peak legitimate traffic flow.

      This approach differs from other vendors who charge based on attack volume. Radware licenses are based on known legitimate traffic rather than an unknown attack volume.

Figure 3. Capacity vs. licensing

Example 1: Client has a 10-GB WAN link with a daily peak traffic flow of 2 GB.

      Purchase a 2-GB license or higher if the traffic is expected to increase in the near future.

      vDP will be able to mitigate a DDoS attack up to the capacity of the WAN link’s 10 GB, after which a cloud scrubbing solution will have to take over at the ISP level.

    Radware can be set up to automatically notify a cloud scrubber to take over.

    Radware’s Emergency Response Team (ERT) can assist in configuring vDP for each customer as part of the standard Cisco ECMU support contract for vDP.

    Radware cloud availability on GPL is on the roadmap.

      Warning: Do not over-purchase or over-quote the client’s throughput needs. License is based on clean traffic only, not the capacity of the VM.

The vDP Software Licenses and Support SKUs

The following tables outline the product information and SKUs for ordering. Cisco is only OEMing the Virtual License for Radware Manager Vision. Customers may want additional Manager Options that are provided directly by Radware.

Table 10.       vDP spare SKUs: May be ordered separately

| SKU | Description | Service ECMU SKU |
| --- | --- | --- |
| L-FPR-RVDP-10G= | Radware Virtual Defense Pro 10-Gbps license for Firepower | CON-ECMU-LFPRRVG1 |
| L-FPR-RVDP-5G= | Radware Virtual Defense Pro 5-Gbps license for Firepower | CON-ECMU-LFPR5RGV |
| L-FPR-RVDP-2G= | Radware Virtual Defense Pro 2-Gbps license for Firepower | CON-ECMU-LFPRRVG2 |
| L-FPR-RVDP-1G= | Radware Virtual Defense Pro 1-Gbps license for Firepower | CON-ECMU-LFPRRVGP |
| L-FPR-RVDP-500M= | Radware Virtual Defense Pro 500-Mbps license for Firepower | CON-ECMU-LFPR5RVD |
| L-FPR-RVDP-200M= | Radware Virtual Defense Pro 200-Mbps license for Firepower | CON-ECMU-LFPR0RVD |
| L-RDWR-APV-VA= | Radware Manager Vision and Security Reporter (supports 10 vDP instances) | None |
| L-RDWR-APV-RTU6= | Radware Manager Vision Only (supports 60 vDP instances) | None |

Table 11.     Regular SKUs: Orderable with the Cisco Firepower platform

| SKU | Description | Service ECMU SKU |
| --- | --- | --- |
| FPR-RVDP-10G | Radware Virtual Defense Pro 10-Gbps license for Firepower | CON-ECMU-LFPRRVG1 |
| FPR-RVDP-5G | Radware Virtual Defense Pro 5-Gbps license for Firepower | CON-ECMU-LFPR5RGV |
| FPR-RVDP-2G | Radware Virtual Defense Pro 2-Gbps license for Firepower | CON-ECMU-LFPRRVG2 |
| FPR-RVDP-1G | Radware Virtual Defense Pro 1-Gbps license for Firepower | CON-ECMU-LFPRRVGP |
| FPR-RVDP-500M | Radware Virtual Defense Pro 500-Mbps license for Firepower | CON-ECMU-LFPR5RVD |
| FPR-RVDP-200M | Radware Virtual Defense Pro 200-Mbps license for Firepower | CON-ECMU-LFPR0RVD |

Notes:

      Radware vDP licenses are based on legitimate traffic. Please refer to this deck for more details:

    Cisco Secure DDoS Protection

      L-RDWR-APV-VA includes both APSolute Vision with Security Reporter – 10 vDP.

      The CON Service SKUs should automatically be added to the cart with a 12-month term.

      Cisco will provide Level 0/1 to determine whether the problem is with Cisco Firepower or vDP. All vDP issues will be escalated to Radware.

      Radware vDP clustering is currently only supported in the Cisco Firepower 9300 intrachassis configuration. This is clustering of multiple security modules (SM-40, SM-48, SM-56) within the same Cisco Firepower 9300 chassis.

      For High Availability (HA), Active-Active and Active-Standby modes are supported.

      Radware Vision Manager is a Virtual License and needs to be installed on its own server, not the Cisco Firepower platform. The recommended hardware and software for Radware Manager Vision are:

    VMware vSphere             ESXi 4.1                          ESXi 5.1

    Processor                        2 vCPUs                          4 vCPUs

    Memory                           4 GB RAM                        8 GB RAM

    Hard drive                        50 GB HD                        250 GB HD

    Networking                       3 vNICs                           3 vNICs

Cisco Secure DDOS Protection (Radware vDP) Ordering Steps

Ordering SPARE SKUs for existing equipment

Spare SKUs (which start with “L” and end with an “=” sign) are provided to allow you to order the vDP software license for existing equipment. These are the L-FPR-RVDP-10G=, 5G=, and 2G=, respectively.

1.     Go to Cisco Commerce: https://apps.cisco.com/Commerce/home.

2.     Create a new estimate or edit an old one.

3.     In the “Search by SKU” box, paste in one of the SPARE SKUs. Or click on the “Find Products and Solutions” link to the right of the “Search by SKU” box.

a.     Typing in “Radware” in search box will return all active Radware SPARE SKUs.

Figure 4. Find products and solutions

4.     Once you find the SKU you need, then click the ‘+’ sign to add it to the cart.

5.     Next click on the “Edit Service/Subscription” link and set the term of the service contract.

Figure 5. Edit service/subscription

6.     A 12-month (1y) ECMU contract is selected by default, but that can be increased up to 60 months (5y).

Note:      As of this writing, you have to visit the Edit Service/Subscription link and click done to accept the default 12-month service contract. Otherwise, the cart will produce an error.

7.     If you do not already own Radware Vision Manager, please add to your order SKU: L-RDWR-APV-VA=.

a.     This is the Radware Manager Vision and Security Reporter with support for 10 vDP instances.

Secure Workload Ordering Steps in Firewall Bundle

Ordering SPARE SKUs for existing equipment

A Workload SKU is provided to allow you to order workload within a firewall bundle, securing a multi-product discount. The SKU is C1-TAAS-XX-SW-K9 and is available for Firepower 4100 and 9300 bundles.

      Go to Cisco Commerce: https://apps.cisco.com/Commerce/home.

      Select the firewall bundle to be ordered, for example FPR4115-FTD-HA-BUN

      Click “Select Options” for the bundle to open the configurator

      Open the “Secure Workload” section on the left-hand side and add the license C1-TAAS-XX-SW-K9 to the bundle

      Finalize the bundle configuration and proceed with the purchase

Cisco Secure Firewall Small Business Edition License Pack

Overview

To meet the real-world needs of small businesses, Cisco Secure Firewall Small Business Edition is tailor-made to simplify security. Secure Firewall Small Business Edition licenses are available in 2 flavors and can be ordered at the time of hardware purchase or as a standalone license. See the table below for part numbers.

Table 12.       Small Business Edition – Included Feature Set

| License Feature (Available in 3 Yr Term only) | SBE Lite | SBE Standard |
| --- | --- | --- |
| Threat Protection, Malware and URL Filtering | Yes | Yes |
| Cisco Defense Orchestrator | Yes* | Yes* |
| Cisco Secure Client - 50 Licenses (Anyconnect Plus for Mobile Devices and or Desktops) | Yes | Yes |
| Security Analytics and Logging (Logging and Troubleshooting) | No | Yes |

Platforms available

Table 13.       Small Business Edition – Product Series Availability

| Product Series | SBE Lite | SBE Standard |
| --- | --- | --- |
| Firepower 1000 Series | Yes – Only on FPR1010 | Yes – Only on FPR1010 |
| All other platforms | Not Available | Not Available |

*require CDO-SEC-SUB-Cisco Defense Orchestrator XaaS Subscription

SKUs and Ordering

Table 14.       Small Business Edition – Part Numbers

| Part Number | Description |
| --- | --- |
| FPR-SEC-TERM | Cisco Secure Firewall Term Licenses - For Distributors/Drop Ship Orders |
| FPR1010T-SBE | Cisco Secure Firewall FPR1010 Small Business Edition |
| FPR1010T-SBE-L | Cisco Secure Firewall FPR1010 Small Business Edition Lite without Logging |
| FPR1010T-SBE-3Y | Cisco FPR1010 Small Business Edition, 3Y Subs |
| FPR1010T-SBE-L-3Y | Cisco FPR1010 Small Business Edition Lite, 3Y Subs |

Ordering Steps for Cisco Secure Small Business Edition

1.     Start with one of the following Firepower 1010 SKU in CCW

      FPR1010-NGFW-K9

2.     Select “Edit Options”

3.     Select Subscription for Small Business Edition or Small Business Edition Lite

a.   FPR1010T-SBE

b.   FPR1010T-SBE-L

4.     Select Country

5.     Save and exit configuration

Ordering Steps for Cisco Secure Small Business Edition for Distributors

1.     Start with the following SKU in CCW

      FPR-SEC-TERM

2.     Select Subscription for Small Business Edition or Small Business Edition Lite

a.   FPR1010T-SBE

b.   FPR1010T-SBE-L

3.     Save and exit configuration

Ordering vDP with the Cisco Secure Firewall Platform

The non-spare versions of the SKUs are available options when ordering the 9300 or 4100 Cisco Firepower platform.

1.     Go to Cisco Commerce: https://apps.cisco.com/Commerce/home.

2.     Create a new estimate or edit an old one.

3.     Add Cisco Firepower 9300 or 4100 as desired (example is of a 4120) and configure appropriately.

a.   As of January 2017, vDP now works with both ASA (minimum version 9.6.1) and Firewall Threat Defense (minimum version 6.2).

Figure 6. Configuration options for Cisco Firepower 4120 platform

4.     The Radware vDP SKUs are available under “Feature Licenses.”

a.   When configuring a Firepower 9300, you will need 1 license of equal size for each blade.

Figure 7. Feature licenses

5.     When you make your selection, you will see the Service Contract and the Right-to-Use licenses are automatically added to the cart.

6.     As with the SPARE license, you can change the length of the service contract by clicking the “Edit Service/Subscription” link. You will find the ECMU contract under the selected Radware SKU.

7.     If you do not already own Radware Vision Manager, please add to your order SKU: L-RDWR-APV-VA=.

a.   This is the Radware Manager Vision and Security Reporter with support for 10 vDP instances.

Links and Resources for Radware vDP

For Cisco internal questions, please send an email to: ask-radware@external.cisco.com

For Radware specific questions, please see: https://www.radware.com/Partners/TechnologyPartners/Cisco-Resources/.

SKUs and Ordering for Cisco Firepower 1000 Series

The following tables outline the product part number information for the Cisco Firepower 1000 Series. Note that the customer may want extra power supplies and fans. You can add these to the order separately. Tables 13A and 13B provide the chassis part numbers for chassis running the ASA software and chassis running the Firewall Threat Defense software. Note that software subscriptions can only be added to chassis running the Firewall Threat Defense software. The chassis SKUs are automatically included in the bundle. The bundle also offers the part numbers for network modules, and Table 14 provides part numbers for accessories.

Table 14A.   1000 Series Chassis Part Numbers

| Part Number | Description |
| --- | --- |
| Bundles | |
| FPR1010-BUN | Cisco Firepower 1010 Master Bundle |
| FPR1120-BUN | Cisco Firepower 1120 Master Bundle |
| FPR1140-BUN | Cisco Firepower 1140 Master Bundle |
| FPR1010-FTD-HA-BUN | Cisco Firepower 1010 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair) |
| FPR1120-FTD-HA-BUN | Cisco Firepower 1120 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair) |
| FPR1140-FTD-HA-BUN | Cisco Firepower 1140 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair) |
| FPR1150-FTD-HA-BUN | Cisco Firepower 1150 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair) |
| Appliances | |
| FPR1010-NGFW-K9 | Cisco Firepower 1010 NGFW Appliance, Desktop (runs FTD software + optional subscriptions) |
| FPR1120-NGFW-K9 | Cisco Firepower 1120 NGFW Appliance, 1RU (runs FTD software + optional subscriptions) |
| FPR1140-NGFW-K9 | Cisco Firepower 1140 NGFW Appliance, 1RU (runs FTD software + optional subscriptions) |
| FPR1150-NGFW-K9 | Cisco Firepower 1150 NGFW Appliance, 1RU (runs FTD software + optional subscriptions) |
| FPR1010-ASA-K9 | Cisco Firepower 1010 NGFW Appliance, Desktop (run ASA SW + Optional security plus license for High Availability) |
| FPR1120-ASA-K9 | Cisco Firepower 1120 NGFW Appliance, 1RU (runs ASA software + optional security context license) |
| FPR1140-ASA-K9 | Cisco Firepower 1140 NGFW Appliance, 1RU (runs ASA software + optional security context license) |
| FPR1150-ASA-K9 | Cisco Firepower 1150 NGFW Appliance, 1RU (runs ASA software + optional security context license) |

Table 14B.   1000 Series ASA Licenses and SKUs

| Part Number | Description |
| --- | --- |
| ASA Standard License | |
| FPR1000-ASA | Cisco Firepower 1000 Standard ASA License |
| L-FPR1000-ASA= | Cisco Firepower 1000 Standard ASA License |
| Security Context Licenses | |
| L-FPR1K-ASASC-10= | Cisco Firepower 1000 - Add 10 Security Context Licenses |
| L-FPR1K-ASASC-5= | Cisco Firepower 1000 - Add 5 Security Context Licenses |
| Encryption Licenses | |
| L-FPR1K-ENC-K9= | Cisco Firepower 1K Series ASA Strong Encryption (3DES/AES) |
| FPR1010 Security Plus License (for HA) | |
| L-FPR1010-SEC-PL= | Cisco Firepower 1010 - Security Plus License |

Table 15.       1000 Series Accessories Part Numbers

| Part Number | Description |
| --- | --- |
| FPR1K-CBL-MGMT= | Cisco Firepower 1k Series Cable Mgmt Brackets 1120/1140/1150 |
| FPR1K-DT-ACY-KIT= | Cisco Firepower 1K Series Accessory Kit for FPR-1010 |
| FPR1K-DT-PWR-AC= | Cisco Firepower 1K Series 150W Power Adapter for FPR-1010 |
| FPR1K-DT-RACK-MNT= | Cisco Firepower 1K Series Rackmount Kit for FPR-1010 |
| FPR1K-DT-WALL-MNT= | Cisco Firepower 1K Series Wall Mount for FPR-1010 |
| FPR1K-RM-ACY-KIT= | Cisco Firepower 1K Series Accessory Kit for FPR-1120/1140/1150 |
| FPR1K-RM-BRKT= | Cisco Firepower 1K Series Rackmount Brackets - FPR-1120/1140/1150 |
| FPR1K-RM-FIPS-KIT= | Cisco Firepower 1K Series FIPS Kits for FPR-1120/1140/1150 |
| FPR1K-RM-SSD200= | Cisco Firepower 1K Series 200GB for FPR-1120/1140/1150 |

Note:      Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 1000 Series Licenses and Subscriptions

When ordering a 1000 Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

| Threat Subscription Abbreviations | Description |
| --- | --- |
| T | Threat (Security Intelligence and IPS) |
| M or AMP | Malware defense |
| C or URL | URL Filtering |
| 1Y | 1-Year Subscription |
| 3Y | 3-Year Subscription |
| 5Y | 5-Year Subscription |

Table 16.       Cisco Firepower 1000 Series License Part Numbers for Configurations with the Cisco Secure Firewall Threat Defense Image

| Part Number | Description |
| --- | --- |
| L-FPR1010T-AMP= | Cisco Firepower 1010 Threat Defense Malware Protection License |
| L-FPR1010T-T= | Cisco Firepower 1010 Threat Defense Threat Protection License |
| L-FPR1010T-TC= | Cisco Firepower 1010 Threat Defense Threat and URL License |
| L-FPR1010T-TM= | Cisco Firepower 1010 Threat Defense Threat and Malware License |
| L-FPR1010T-TMC= | Cisco Firepower 1010 Threat Defense Threat, Malware, and URL License |
| L-FPR1010T-URL= | Cisco Firepower 1010 Threat Defense URL Filtering License |
| L-FPR1120T-AMP= | Cisco Firepower 1120 Threat Defense Malware Protection License |
| L-FPR1120T-T= | Cisco Firepower 1120 Threat Defense Threat Protection License |
| L-FPR1120T-TC= | Cisco Firepower 1120 Threat Defense Threat and URL License |
| L-FPR1120T-TM= | Cisco Firepower 1120 Threat Defense Threat and Malware License |
| L-FPR1120T-TMC= | Cisco Firepower 1120 Threat Defense Threat, Malware, and URL License |
| L-FPR1120T-URL= | Cisco Firepower 1120 Threat Defense URL Filtering License |
| L-FPR1140T-AMP= | Cisco Firepower 1140 Threat Defense Malware Protection License |
| L-FPR1140T-T= | Cisco Firepower 1140 Threat Defense Threat Protection License |
| L-FPR1140T-TC= | Cisco Firepower 1140 Threat Defense Threat and URL License |
| L-FPR1140T-TM= | Cisco Firepower 1140 Threat Defense Threat and Malware License |
| L-FPR1140T-TMC= | Cisco Firepower 1140 Threat Defense Threat, Malware, and URL License |
| L-FPR1140T-URL= | Cisco Firepower 1140 Threat Defense URL Filtering License |
| L-FPR1150T-AMP= | Cisco Firepower 1150 Threat Defense Malware Protection License |
| L-FPR1150T-T= | Cisco Firepower 1150 Threat Defense Threat Protection License |
| L-FPR1150T-TC= | Cisco Firepower 1150 Threat Defense Threat and URL License |
| L-FPR1150T-TM= | Cisco Firepower 1150 Threat Defense Threat and Malware License |
| L-FPR1150T-TMC= | Cisco Firepower 1150 Threat Defense Threat, Malware, and URL License |
| L-FPR1150T-URL= | Cisco Firepower 1150 Threat Defense URL Filtering License |

Table 17.       Cisco Firepower 1000 Series Subscription Part Numbers for Configurations with the Firewall Threat Defense Image

| Part Number | Description |
| --- | --- |
| L-FPR1010T-AMP-1Y | Cisco Firepower 1010 Threat Defense Malware Protection 1Y Subscription |
| L-FPR1010T-AMP-3Y | Cisco Firepower 1010 Threat Defense Malware Protection 3Y Subscription |
| L-FPR1010T-AMP-5Y | Cisco Firepower 1010 Threat Defense Malware Protection 5Y Subscription |
| L-FPR1010T-T-1Y | Cisco Firepower 1010 Threat Defense Threat Protection 1Y Subscription |
| L-FPR1010T-T-3Y | Cisco Firepower 1010 Threat Defense Threat Protection 3Y Subscription |
| L-FPR1010T-T-5Y | Cisco Firepower 1010 Threat Defense Threat Protection 5Y Subscription |
| L-FPR1010T-TC-1Y | Cisco Firepower 1010 Threat Defense Threat and URL 1Y Subscription |
| L-FPR1010T-TC-3Y | Cisco Firepower 1010 Threat Defense Threat and URL 3Y Subscription |
| L-FPR1010T-TC-5Y | Cisco Firepower 1010 Threat Defense Threat and URL 5Y Subscription |
| L-FPR1010T-TM-1Y | Cisco Firepower 1010 Threat Defense Threat and Malware 1Y Subscription |
| L-FPR1010T-TM-3Y | Cisco Firepower 1010 Threat Defense Threat and Malware 3Y Subscription |
| L-FPR1010T-TM-5Y | Cisco Firepower 1010 Threat Defense Threat and Malware 5Y Subscription |
| L-FPR1010T-TMC-1Y | Cisco Firepower 1010 Threat Defense Threat, Malware, and URL 1Y Subscription |
| L-FPR1010T-TMC-3Y | Cisco Firepower 1010 Threat Defense Threat, Malware, and URL 3Y Subscription |
| L-FPR1010T-TMC-5Y | Cisco Firepower 1010 Threat Defense Threat, Malware, and URL 5Y Subscription |
| L-FPR1010T-URL-1Y | Cisco Firepower 1010 Threat Defense URL Filtering 1Y Subscription |
| L-FPR1010T-URL-3Y | Cisco Firepower 1010 Threat Defense URL Filtering 3Y Subscription |
| L-FPR1010T-URL-5Y | Cisco Firepower 1010 Threat Defense URL Filtering 5Y Subscription |
| L-FPR1120T-AMP-1Y | Cisco Firepower 1120 Threat Defense Malware Protection 1Y Subscription |
| L-FPR1120T-AMP-3Y | Cisco Firepower 1120 Threat Defense Malware Protection 3Y Subscription |
| L-FPR1120T-AMP-5Y | Cisco Firepower 1120 Threat Defense Malware Protection 5Y Subscription |
| L-FPR1120T-T-1Y | Cisco Firepower 1120 Threat Defense Threat Protection 1Y Subscription |
| L-FPR1120T-T-3Y | Cisco Firepower 1120 Threat Defense Threat Protection 3Y Subscription |
| L-FPR1120T-T-5Y | Cisco Firepower 1120 Threat Defense Threat Protection 5Y Subscription |
| L-FPR1120T-TC-1Y | Cisco Firepower 1120 Threat Defense Threat and URL 1Y Subscription |
| L-FPR1120T-TC-3Y | Cisco Firepower 1120 Threat Defense Threat and URL 3Y Subscription |
| L-FPR1120T-TC-5Y | Cisco Firepower 1120 Threat Defense Threat and URL 5Y Subscription |
| L-FPR1120T-TM-1Y | Cisco Firepower 1120 Threat Defense Threat and Malware 1Y Subscription |
| L-FPR1120T-TM-3Y | Cisco Firepower 1120 Threat Defense Threat and Malware 3Y Subscription |
| L-FPR1120T-TM-5Y | Cisco Firepower 1120 Threat Defense Threat and Malware 5Y Subscription |
| L-FPR1120T-TMC-1Y | Cisco Firepower 1120 Threat Defense Threat, Malware, and URL 1Y Subscription |
| L-FPR1120T-TMC-3Y | Cisco Firepower 1120 Threat Defense Threat, Malware, and URL 3Y Subscription |
| L-FPR1120T-TMC-5Y | Cisco Firepower 1120 Threat Defense Threat, Malware, and URL 5Y Subscription |
| L-FPR1120T-URL-1Y | Cisco Firepower 1120 Threat Defense URL Filtering 1Y Subscription |
| L-FPR1120T-URL-3Y | Cisco Firepower 1120 Threat Defense URL Filtering 3Y Subscription |
| L-FPR1120T-URL-5Y | Cisco Firepower 1120 Threat Defense URL Filtering 5Y Subscription |
| L-FPR1140T-AMP-1Y | Cisco Firepower 1140 Threat Defense Malware Protection 1Y Subscription |
| L-FPR1140T-AMP-3Y | Cisco Firepower 1140 Threat Defense Malware Protection 3Y Subscription |
| L-FPR1140T-AMP-5Y | Cisco Firepower 1140 Threat Defense Malware Protection 5Y Subscription |
| L-FPR1140T-T-1Y | Cisco Firepower 1140 Threat Defense Threat Protection 1Y Subscription |
| L-FPR1140T-T-3Y | Cisco Firepower 1140 Threat Defense Threat Protection 3Y Subscription |
| L-FPR1140T-T-5Y | Cisco Firepower 1140 Threat Defense Threat Protection 5Y Subscription |
| L-FPR1140T-TC-1Y | Cisco Firepower 1140 Threat Defense Threat and URL 1Y Subscription |
| L-FPR1140T-TC-3Y | Cisco Firepower 1140 Threat Defense Threat and URL 3Y Subscription |
| L-FPR1140T-TC-5Y | Cisco Firepower 1140 Threat Defense Threat and URL 5Y Subscription |
| L-FPR1140T-TM-1Y | Cisco Firepower 1140 Threat Defense Threat and Malware 1Y Subscription |
| L-FPR1140T-TM-3Y | Cisco Firepower 1140 Threat Defense Threat and Malware 3Y Subscription |
| L-FPR1140T-TM-5Y | Cisco Firepower 1140 Threat Defense Threat and Malware 5Y Subscription |
| L-FPR1140T-TMC-1Y | Cisco Firepower 1140 Threat Defense Threat, Malware, and URL 1Y Subscription |
| L-FPR1140T-TMC-3Y | Cisco Firepower 1140 Threat Defense Threat, Malware, and URL 3Y Subscription |
| L-FPR1140T-TMC-5Y | Cisco Firepower 1140 Threat Defense Threat, Malware, and URL 5Y Subscription |
| L-FPR1140T-URL-1Y | Cisco Firepower 1140 Threat Defense URL Filtering 1Y Subscription |
| L-FPR1140T-URL-3Y | Cisco Firepower 1140 Threat Defense URL Filtering 3Y Subscription |
| L-FPR1140T-URL-5Y | Cisco Firepower 1140 Threat Defense URL Filtering 5Y Subscription |
| L-FPR1150T-AMP-1Y | Cisco FPR1150 Threat Defense Malware Protection 1Y Subs |
| L-FPR1150T-AMP-3Y | Cisco FPR1150 Threat Defense Malware Protection 3Y Subs |
| L-FPR1150T-AMP-5Y | Cisco FPR1150 Threat Defense Malware Protection 5Y Subs |
| L-FPR1150T-T-1Y | Cisco FPR1150 Threat Defense Threat Protection 1Y Subs |
| L-FPR1150T-T-3Y | Cisco FPR1150 Threat Defense Threat Protection 3Y Subs |
| L-FPR1150T-T-5Y | Cisco FPR1150 Threat Defense Threat Protection 5Y Subs |
| L-FPR1150T-TC-1Y | Cisco FPR1150 Threat Defense Threat and URL 1Y Subs |
| L-FPR1150T-TC-3Y | Cisco FPR1150 Threat Defense Threat and URL 3Y Subs |
| L-FPR1150T-TC-5Y | Cisco FPR1150 Threat Defense Threat and URL 5Y Subs |
| L-FPR1150T-TM-1Y | Cisco FPR1150 Threat Defense Threat and Malware 1Y Subs |
| L-FPR1150T-TM-3Y | Cisco FPR1150 Threat Defense Threat and Malware 3Y Subs |
| L-FPR1150T-TM-5Y | Cisco FPR1150 Threat Defense Threat and Malware 5Y Subs |
| L-FPR1150T-TMC-1Y | Cisco FPR1150 Threat Defense Threat, Malware and URL 1Y Subs |
| L-FPR1150T-TMC-3Y | Cisco FPR1150 Threat Defense Threat, Malware and URL 3Y Subs |
| L-FPR1150T-TMC-5Y | Cisco FPR1150 Threat Defense Threat, Malware and URL 5Y Subs |
| L-FPR1150T-URL-1Y | Cisco FPR1150 Threat Defense URL Filtering 1Y Subs |
| L-FPR1150T-URL-3Y | Cisco FPR1150 Threat Defense URL Filtering 3Y Subs |
| L-FPR1150T-URL-5Y | Cisco FPR1150 Threat Defense URL Filtering 5Y Subs |

SKUs and Ordering for Cisco Firepower 2100 Series

The following tables outline the product part number information for the Cisco Firepower 2100 Series. The customer may want extra power supplies and fans; you can add these to the order separately. Software subscriptions can be added only to chassis running the FTD software. The chassis SKUs are automatically included in the bundle. The bundle also offers the part numbers for network modules.

Table 18. 2100 Series chassis part numbers

Part Number

PID

Description

Bundles

FPR2110-BUN

Cisco Firepower 2110 Master Bundle

FPR2120-BUN

Cisco Firepower 2120 Master Bundle

FPR2130-BUN

Cisco Firepower 2130 Master Bundle

FPR2140-BUN

Cisco Firepower 2140 Master Bundle

FPR2110-FTD-HA-BUN

Cisco Firepower 2110 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR2120-FTD-HA-BUN

Cisco Firepower 2120 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR2130-FTD-HA-BUN

Cisco Firepower 2130 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR2140-FTD-HA-BUN

Cisco Firepower 2140 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

Appliances

FPR2110-NGFW-K9

Cisco Firepower 2110 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR2120-NGFW-K9

Cisco Firepower 2120 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR2130-NGFW-K9

Cisco Firepower 2130 NGFW Appliance, 1RU, 1 x Network Module Bays (runs FTD software + optional subscriptions)

FPR2140-NGFW-K9

Cisco Firepower 2140 NGFW Appliance, 1RU, 1 x Network Module Bays (runs FTD software + optional subscriptions)

FPR2110-ASA-K9

Cisco Firepower 2110 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR2120-ASA-K9

Cisco Firepower 2120 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR2130-ASA-K9

Cisco Firepower 2130 ASA Appliance, 1RU, 1 x Network Module Bays (runs ASA software with optional security context license)

FPR2140-ASA-K9

Cisco Firepower 2140 ASA Appliance, 1RU, 1 x Network Module Bays (runs ASA software with optional security context license)

Netmods

FPR2K-NM-8X10G

Cisco Firepower 8 port SFP+ Network Module

FPR2K-NM-8X10G=

Cisco Firepower 8 port SFP+ Network Module

FPR2K-NM-8X1G

Cisco Firepower 8-port SFP Network Module

FPR2K-NM-8X1G=

Cisco Firepower 8-port SFP FTW Network Module (Spare)

FPR2K-NM-8X1G-F

Cisco Firepower 8-port 1G Copper FTW Network Module

FPR2K-NM-8X1G-F=

Cisco Firepower 8-port 1G Copper FTW Network Module (Spare)

FPR2K-NM-6X10LR-F=

Cisco Firepower 6 port 10G LR FTW Network Module

FPR2K-NM-6X10LR-F

Cisco Firepower 6 port 10G LR FTW Network Module

FPR2K-NM-6X10SR-F=

Cisco Firepower 6 port 10G SR FTW Network Module

FPR2K-NM-6X10SR-F

Cisco Firepower 6 port 10G SR FTW Network Module

FPR2K-NM-6X1SX-F=

Cisco Firepower 6 port 1G SX Fiber FTW Network Module

FPR2K-NM-6X1SX-F

Cisco Firepower 6 port 1G SX Fiber FTW Network Module

Table 19. 2100 Series ASA software license SKUs

Part Number

Description

Multicontext License

L-FPR2K-ASASC-10=

Cisco Firepower 2100 Add-on 10 security context licenses

L-FPR2K-ASASC-5=

Cisco Firepower 2100 add-on 5 security context licenses

Encryption License

L-FPR2K-ENC-K9=

License to enable strong encryption for ASA on Cisco Firepower 2100 Series

Table 20. 2100 Series accessories part numbers

Part Number

Description

FPR2K-PWR-AC-400=

Firepower 2000 Series 400W AC Power Supply

FPR2K-PWR-DC-350=

Firepower 2000 Series 350W DC Power Supply

FPR2K-FAN=

Firepower 2000 Series Fan Tray

FPR2K-PSU-BLANK=

Firepower 2000 Series Chassis Power Supply Blank Slot Cover

FPR2K-NM-BLANK=

Firepower 2000 Series Network Module Blank Slot Cover

FPR2K-SSD100=

Firepower 2000 Series SSD for FPR-2110/2120

FPR2K-SSD200=

Firepower 2000 Series SSD for FPR-2130/2140

FPR2K-BBLKD=

Firepower 2000 Series SSD Carrier

FPR2K-RM-BRKT=

Firepower 2000 Rackmount Brackets

FPR2K-RAIL-BRKT=

Firepower 2000 Slide Rail Brackets

FPR2K-CBL-MGMT=

Firepower 2000 Cable Management Brackets

FPR-2100-FIPS-KIT=

Firepower 2000 FIPS Kit

FPR2K-SLIDE-RAILS=

Firepower 2000 Slide Rail Kit

Note: Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 2100 Series Licenses and Subscriptions

When ordering a 2100 Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP

Malware defense

C or URL

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

Table 21. Cisco Firepower 2100 Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Part Number

Description

L-FPR2110T-AMP=

Cisco Firepower 2110 Threat Defense Malware Protection License

L-FPR2110T-T=

Cisco Firepower 2110 Threat Defense Threat Protection License

L-FPR2110T-TC=

Cisco Firepower 2110 Threat Defense Threat and URL License

L-FPR2110T-TM=

Cisco Firepower 2110 Threat Defense Threat and Malware License

L-FPR2110T-TMC=

Cisco Firepower 2110 Threat Defense Threat, Malware, and URL License

L-FPR2110T-URL=

Cisco Firepower 2110 Threat Defense URL Filtering License

L-FPR2120T-AMP=

Cisco Firepower 2120 Threat Defense Malware Protection License

L-FPR2120T-T=

Cisco Firepower 2120 Threat Defense Threat Protection License

L-FPR2120T-TC=

Cisco Firepower 2120 Threat Defense Threat and URL License

L-FPR2120T-TM=

Cisco Firepower 2120 Threat Defense Threat and Malware License

L-FPR2120T-TMC=

Cisco Firepower 2120 Threat Defense Threat, Malware, and URL License

L-FPR2120T-URL=

Cisco Firepower 2120 Threat Defense URL Filtering License

L-FPR2130T-AMP=

Cisco Firepower 2130 Threat Defense Malware Protection License

L-FPR2130T-T=

Cisco Firepower 2130 Threat Defense Threat Protection License

L-FPR2130T-TC=

Cisco Firepower 2130 Threat Defense Threat and URL License

L-FPR2130T-TM=

Cisco Firepower 2130 Threat Defense Threat and Malware License

L-FPR2130T-TMC=

Cisco Firepower 2130 Threat Defense Threat, Malware, and URL License

L-FPR2130T-URL=

Cisco Firepower 2130 Threat Defense URL Filtering License

L-FPR2140T-AMP=

Cisco Firepower 2140 Threat Defense Malware Protection License

L-FPR2140T-T=

Cisco Firepower 2140 Threat Defense Threat Protection License

L-FPR2140T-TC=

Cisco Firepower 2140 Threat Defense Threat and URL License

L-FPR2140T-TM=

Cisco Firepower 2140 Threat Defense Threat and Malware License

L-FPR2140T-TMC=

Cisco Firepower 2140 Threat Defense Threat, Malware, and URL License

L-FPR2140T-URL=

Cisco Firepower 2140 Threat Defense URL Filtering License

Table 22. Cisco Firepower 2100 Series subscription part numbers for configurations with the Firewall Threat Defense image

Part Number

Description

L-FPR2110T-AMP-1Y

Cisco Firepower 2110 Threat Defense Malware Protection 1Y Subscription

L-FPR2110T-AMP-3Y

Cisco Firepower 2110 Threat Defense Malware Protection 3Y Subscription

L-FPR2110T-AMP-5Y

Cisco Firepower 2110 Threat Defense Malware Protection 5Y Subscription

L-FPR2110T-T-1Y

Cisco Firepower 2110 Threat Defense Threat Protection 1Y Subscription

L-FPR2110T-T-3Y

Cisco Firepower 2110 Threat Defense Threat Protection 3Y Subscription

L-FPR2110T-T-5Y

Cisco Firepower 2110 Threat Defense Threat Protection 5Y Subscription

L-FPR2110T-TC-1Y

Cisco Firepower 2110 Threat Defense Threat and URL 1Y Subscription

L-FPR2110T-TC-3Y

Cisco Firepower 2110 Threat Defense Threat and URL 3Y Subscription

L-FPR2110T-TC-5Y

Cisco Firepower 2110 Threat Defense Threat and URL 5Y Subscription

L-FPR2110T-TM-1Y

Cisco Firepower 2110 Threat Defense Threat and Malware 1Y Subscription

L-FPR2110T-TM-3Y

Cisco Firepower 2110 Threat Defense Threat and Malware 3Y Subscription

L-FPR2110T-TM-5Y

Cisco Firepower 2110 Threat Defense Threat and Malware 5Y Subscription

L-FPR2110T-TMC-1Y

Cisco Firepower 2110 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR2110T-TMC-3Y

Cisco Firepower 2110 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR2110T-TMC-5Y

Cisco Firepower 2110 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR2110T-URL-1Y

Cisco Firepower 2110 Threat Defense URL Filtering 1Y Subscription

L-FPR2110T-URL-3Y

Cisco Firepower 2110 Threat Defense URL Filtering 3Y Subscription

L-FPR2110T-URL-5Y

Cisco Firepower 2110 Threat Defense URL Filtering 5Y Subscription

L-FPR2120T-AMP-1Y

Cisco Firepower 2120 Threat Defense Malware Protection 1Y Subscription

L-FPR2120T-AMP-3Y

Cisco Firepower 2120 Threat Defense Malware Protection 3Y Subscription

L-FPR2120T-AMP-5Y

Cisco Firepower 2120 Threat Defense Malware Protection 5Y Subscription

L-FPR2120T-T-1Y

Cisco Firepower 2120 Threat Defense Threat Protection 1Y Subscription

L-FPR2120T-T-3Y

Cisco Firepower 2120 Threat Defense Threat Protection 3Y Subscription

L-FPR2120T-T-5Y

Cisco Firepower 2120 Threat Defense Threat Protection 5Y Subscription

L-FPR2120T-TC-1Y

Cisco Firepower 2120 Threat Defense Threat and URL 1Y Subscription

L-FPR2120T-TC-3Y

Cisco Firepower 2120 Threat Defense Threat and URL 3Y Subscription

L-FPR2120T-TC-5Y

Cisco Firepower 2120 Threat Defense Threat and URL 5Y Subscription

L-FPR2120T-TM-1Y

Cisco Firepower 2120 Threat Defense Threat and Malware 1Y Subscription

L-FPR2120T-TM-3Y

Cisco Firepower 2120 Threat Defense Threat and Malware 3Y Subscription

L-FPR2120T-TM-5Y

Cisco Firepower 2120 Threat Defense Threat and Malware 5Y Subscription

L-FPR2120T-TMC-1Y

Cisco Firepower 2120 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR2120T-TMC-3Y

Cisco Firepower 2120 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR2120T-TMC-5Y

Cisco Firepower 2120 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR2120T-URL-1Y

Cisco Firepower 2120 Threat Defense URL Filtering 1Y Subscription

L-FPR2120T-URL-3Y

Cisco Firepower 2120 Threat Defense URL Filtering 3Y Subscription

L-FPR2120T-URL-5Y

Cisco Firepower 2120 Threat Defense URL Filtering 5Y Subscription

L-FPR2130T-AMP-1Y

Cisco Firepower 2130 Threat Defense Malware Protection 1Y Subscription

L-FPR2130T-AMP-3Y

Cisco Firepower 2130 Threat Defense Malware Protection 3Y Subscription

L-FPR2130T-AMP-5Y

Cisco Firepower 2130 Threat Defense Malware Protection 5Y Subscription

L-FPR2130T-T-1Y

Cisco Firepower 2130 Threat Defense Threat Protection 1Y Subscription

L-FPR2130T-T-3Y

Cisco Firepower 2130 Threat Defense Threat Protection 3Y Subscription

L-FPR2130T-T-5Y

Cisco Firepower 2130 Threat Defense Threat Protection 5Y Subscription

L-FPR2130T-TC-1Y

Cisco Firepower 2130 Threat Defense Threat and URL 1Y Subscription

L-FPR2130T-TC-3Y

Cisco Firepower 2130 Threat Defense Threat and URL 3Y Subscription

L-FPR2130T-TC-5Y

Cisco Firepower 2130 Threat Defense Threat and URL 5Y Subscription

L-FPR2130T-TM-1Y

Cisco Firepower 2130 Threat Defense Threat and Malware 1Y Subscription

L-FPR2130T-TM-3Y

Cisco Firepower 2130 Threat Defense Threat and Malware 3Y Subscription

L-FPR2130T-TM-5Y

Cisco Firepower 2130 Threat Defense Threat and Malware 5Y Subscription

L-FPR2130T-TMC-1Y

Cisco Firepower 2130 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR2130T-TMC-3Y

Cisco Firepower 2130 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR2130T-TMC-5Y

Cisco Firepower 2130 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR2130T-URL-1Y

Cisco Firepower 2130 Threat Defense URL Filtering 1Y Subscription

L-FPR2130T-URL-3Y

Cisco Firepower 2130 Threat Defense URL Filtering 3Y Subscription

L-FPR2130T-URL-5Y

Cisco Firepower 2130 Threat Defense URL Filtering 5Y Subscription

L-FPR2140T-AMP-1Y

Cisco Firepower 2140 Threat Defense Malware Protection 1Y Subscription

L-FPR2140T-AMP-3Y

Cisco Firepower 2140 Threat Defense Malware Protection 3Y Subscription

L-FPR2140T-AMP-5Y

Cisco Firepower 2140 Threat Defense Malware Protection 5Y Subscription

L-FPR2140T-T-1Y

Cisco Firepower 2140 Threat Defense Threat Protection 1Y Subscription

L-FPR2140T-T-3Y

Cisco Firepower 2140 Threat Defense Threat Protection 3Y Subscription

L-FPR2140T-T-5Y

Cisco Firepower 2140 Threat Defense Threat Protection 5Y Subscription

L-FPR2140T-TC-1Y

Cisco Firepower 2140 Threat Defense Threat and URL 1Y Subscription

L-FPR2140T-TC-3Y

Cisco Firepower 2140 Threat Defense Threat and URL 3Y Subscription

L-FPR2140T-TC-5Y

Cisco Firepower 2140 Threat Defense Threat and URL 5Y Subscription

L-FPR2140T-TM-1Y

Cisco Firepower 2140 Threat Defense Threat and Malware 1Y Subscription

L-FPR2140T-TM-3Y

Cisco Firepower 2140 Threat Defense Threat and Malware 3Y Subscription

L-FPR2140T-TM-5Y

Cisco Firepower 2140 Threat Defense Threat and Malware 5Y Subscription

L-FPR2140T-TMC-1Y

Cisco Firepower 2140 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR2140T-TMC-3Y

Cisco Firepower 2140 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR2140T-TMC-5Y

Cisco Firepower 2140 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR2140T-URL-1Y

Cisco Firepower 2140 Threat Defense URL Filtering 1Y Subscription

L-FPR2140T-URL-3Y

Cisco Firepower 2140 Threat Defense URL Filtering 3Y Subscription

L-FPR2140T-URL-5Y

Cisco Firepower 2140 Threat Defense URL Filtering 5Y Subscription

SKUs and Ordering for Cisco Secure Firewall 3100 Series

The following tables outline the product part number information for the Cisco Secure Firewall 3100 Series. The customer may want extra power supplies and fans; you can add these to the order separately. Software subscriptions can be added only to chassis running the FTD software. The chassis SKUs are automatically included in the bundle. The bundle also offers the part numbers for network modules.

Table 23. 3100 Series chassis part numbers

Part Number

PID

Description

Bundles

FPR3110-BUN

Cisco Secure Firewall 3110 Master Bundle

FPR3120-BUN

Cisco Secure Firewall 3120 Master Bundle

FPR3130-BUN

Cisco Secure Firewall 3130 Master Bundle

FPR3140-BUN

Cisco Secure Firewall 3140 Master Bundle

FPR3110-FTD-HA-BUN

Cisco Secure Firewall 3110 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR3120-FTD-HA-BUN

Cisco Secure Firewall 3120 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR3130-FTD-HA-BUN

Cisco Secure Firewall 3130 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR3140-FTD-HA-BUN

Cisco Secure Firewall 3140 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

Appliances

FPR3110-NGFW-K9

Cisco Secure Firewall 3110 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR3120-NGFW-K9

Cisco Secure Firewall 3120 NGFW Appliance, 1RU (runs FTD software + optional subscriptions)

FPR3130-NGFW-K9

Cisco Secure Firewall 3130 NGFW Appliance, 1RU, 1 x Network Module Bays (runs FTD software + optional subscriptions)

FPR3140-NGFW-K9

Cisco Secure Firewall 3140 NGFW Appliance, 1RU, 1 x Network Module Bays (runs FTD software + optional subscriptions)

FPR3110-ASA-K9

Cisco Secure Firewall 3110 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR3120-ASA-K9

Cisco Secure Firewall 3120 ASA Appliance, 1RU (runs ASA software with optional security context license)

FPR3130-ASA-K9

Cisco Secure Firewall 3130 ASA Appliance, 1RU, 1 x Network Module Bays (runs ASA software with optional security context license)

FPR3140-ASA-K9

Cisco Secure Firewall 3140 ASA Appliance, 1RU, 1 x Network Module Bays (runs ASA software with optional security context license)

Netmods

FPR3K-XNM-8X10G

Cisco SECURE FIREWALL 3100 8-port 1G/10G SFP+ Network Module

FPR3K-XNM-8X10G=

Cisco SECURE FIREWALL 3100 8-port 1G/10G SFP+ Network Module (Spare)

FPR3K-XNM-8X25G

Cisco SECURE FIREWALL 3100 8-port 1/10/25G ZSFP Network Module

FPR3K-XNM-8X25G=

Cisco SECURE FIREWALL 3100 8-port 1/10/25G ZSFP Network Module (Spare)

FPR3K-XNM-4X40G

Cisco SECURE FIREWALL 3100 4-port 40G QSFP+ Network Module

FPR3K-XNM-4X40G=

Cisco SECURE FIREWALL 3100 4-port 40G QSFP+ Network Module (Spare)

Table 24. 3100 Series ASA software license SKUs

Part Number

Description

Multicontext License

L-FPR3K-ASASC-10=

Cisco Secure Firewall 3100 Add-on 10 security context licenses

L-FPR3K-ASASC-5=

Cisco Secure Firewall 3100 add-on 5 security context licenses

Encryption License

L-FPR3K-ENC-K9=

License to enable strong encryption for ASA on Cisco Secure Firewall 3100 Series

Table 25. 3100 Series accessories part numbers

Part Number

Description

FPR3K-PWR-AC-400=

Cisco Secure Firewall 3100 Series 400W AC Power Supply

FPR3K-PWR-DC-400=

Cisco Secure Firewall 3100 Series 400W DC Power Supply

FPR3K-FAN=

Cisco Secure Firewall 3100 Series Fan Tray

FPR3K-PSU-BLANK=

Cisco Secure Firewall 3100 Series Chassis Power Supply Blank Slot Cover

FPR3K-SSD-BLANK=

Cisco Secure Firewall 3100 Series SSD Slot Carrier

FPR3K-NM-BLANK=

Cisco Secure Firewall 3100 Series Network Module Blank Slot Cover

FPR3K-SSD900=

Cisco Secure Firewall 3100 Series SSD for FPR 3100 Series

FPR3K-BRKT=

Cisco Secure Firewall 3100 Series Rackmount Brackets

FPR3K-RAIL-BRKT=

Cisco Secure Firewall 3100 Series Slide Rail Brackets

FPR3K-CBL-MGMT=

Cisco Secure Firewall 3100 Series Cable Management Brackets

FPR3K-FIPS-KIT=

Cisco Secure Firewall 3100 Series FIPS Kit

FPR3K-SLIDE-RAILS=

Cisco Secure Firewall 3100 Series Slide Rail Kit

FPR3K-ACY-KIT

Cisco Secure Firewall 3100 Series Accessory Kit

Note: Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 3100 Series Licenses and Subscriptions

When ordering a 3100 Series with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP

Malware defense

C or URL

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

Table 26. Cisco Secure Firewall 3100 Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Part Number

Description

L-FPR3110T-AMP=

Cisco Secure Firewall 3110 Threat Defense Malware Protection License

L-FPR3110T-T=

Cisco Secure Firewall 3110 Threat Defense Threat Protection License

L-FPR3110T-TC=

Cisco Secure Firewall 3110 Threat Defense Threat and URL License

L-FPR3110T-TM=

Cisco Secure Firewall 3110 Threat Defense Threat and Malware License

L-FPR3110T-TMC=

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL License

L-FPR3110T-URL=

Cisco Secure Firewall 3110 Threat Defense URL Filtering License

L-FPR3120T-AMP=

Cisco Secure Firewall 3120 Threat Defense Malware Protection License

L-FPR3120T-T=

Cisco Secure Firewall 3120 Threat Defense Threat Protection License

L-FPR3120T-TC=

Cisco Secure Firewall 3120 Threat Defense Threat and URL License

L-FPR3120T-TM=

Cisco Secure Firewall 3120 Threat Defense Threat and Malware License

L-FPR3120T-TMC=

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL License

L-FPR3120T-URL=

Cisco Secure Firewall 3120 Threat Defense URL Filtering License

L-FPR3130T-AMP=

Cisco Secure Firewall 3130 Threat Defense Malware Protection License

L-FPR3130T-T=

Cisco Secure Firewall 3130 Threat Defense Threat Protection License

L-FPR3130T-TC=

Cisco Secure Firewall 3130 Threat Defense Threat and URL License

L-FPR3130T-TM=

Cisco Secure Firewall 3130 Threat Defense Threat and Malware License

L-FPR3130T-TMC=

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL License

L-FPR3130T-URL=

Cisco Secure Firewall 3130 Threat Defense URL Filtering License

L-FPR3140T-AMP=

Cisco Secure Firewall 3140 Threat Defense Malware Protection License

L-FPR3140T-T=

Cisco Secure Firewall 3140 Threat Defense Threat Protection License

L-FPR3140T-TC=

Cisco Secure Firewall 3140 Threat Defense Threat and URL License

L-FPR3140T-TM=

Cisco Secure Firewall 3140 Threat Defense Threat and Malware License

L-FPR3140T-TMC=

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL License

L-FPR3140T-URL=

Cisco Secure Firewall 3140 Threat Defense URL Filtering License

Table 27. Cisco Secure Firewall 3100 Series subscription part numbers for configurations with the Firewall Threat Defense image

Part Number

Description

L-FPR3110T-AMP-1Y

Cisco Secure Firewall 3110 Threat Defense Malware Protection 1Y Subscription

L-FPR3110T-AMP-3Y

Cisco Secure Firewall 3110 Threat Defense Malware Protection 3Y Subscription

L-FPR3110T-AMP-5Y

Cisco Secure Firewall 3110 Threat Defense Malware Protection 5Y Subscription

L-FPR3110T-T-1Y

Cisco Secure Firewall 3110 Threat Defense Threat Protection 1Y Subscription

L-FPR3110T-T-3Y

Cisco Secure Firewall 3110 Threat Defense Threat Protection 3Y Subscription

L-FPR3110T-T-5Y

Cisco Secure Firewall 3110 Threat Defense Threat Protection 5Y Subscription

L-FPR3110T-TC-1Y

Cisco Secure Firewall 3110 Threat Defense Threat and URL 1Y Subscription

L-FPR3110T-TC-3Y

Cisco Secure Firewall 3110 Threat Defense Threat and URL 3Y Subscription

L-FPR3110T-TC-5Y

Cisco Secure Firewall 3110 Threat Defense Threat and URL 5Y Subscription

L-FPR3110T-TM-1Y

Cisco Secure Firewall 3110 Threat Defense Threat and Malware 1Y Subscription

L-FPR3110T-TM-3Y

Cisco Secure Firewall 3110 Threat Defense Threat and Malware 3Y Subscription

L-FPR3110T-TM-5Y

Cisco Secure Firewall 3110 Threat Defense Threat and Malware 5Y Subscription

L-FPR3110T-TMC-1Y

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3110T-TMC-3Y

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3110T-TMC-5Y

Cisco Secure Firewall 3110 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3110T-URL-1Y

Cisco Secure Firewall 3110 Threat Defense URL Filtering 1Y Subscription

L-FPR3110T-URL-3Y

Cisco Secure Firewall 3110 Threat Defense URL Filtering 3Y Subscription

L-FPR3110T-URL-5Y

Cisco Secure Firewall 3110 Threat Defense URL Filtering 5Y Subscription

L-FPR3120T-AMP-1Y

Cisco Secure Firewall 3120 Threat Defense Malware Protection 1Y Subscription

L-FPR3120T-AMP-3Y

Cisco Secure Firewall 3120 Threat Defense Malware Protection 3Y Subscription

L-FPR3120T-AMP-5Y

Cisco Secure Firewall 3120 Threat Defense Malware Protection 5Y Subscription

L-FPR3120T-T-1Y

Cisco Secure Firewall 3120 Threat Defense Threat Protection 1Y Subscription

L-FPR3120T-T-3Y

Cisco Secure Firewall 3120 Threat Defense Threat Protection 3Y Subscription

L-FPR3120T-T-5Y

Cisco Secure Firewall 3120 Threat Defense Threat Protection 5Y Subscription

L-FPR3120T-TC-1Y

Cisco Secure Firewall 3120 Threat Defense Threat and URL 1Y Subscription

L-FPR3120T-TC-3Y

Cisco Secure Firewall 3120 Threat Defense Threat and URL 3Y Subscription

L-FPR3120T-TC-5Y

Cisco Secure Firewall 3120 Threat Defense Threat and URL 5Y Subscription

L-FPR3120T-TM-1Y

Cisco Secure Firewall 3120 Threat Defense Threat and Malware 1Y Subscription

L-FPR3120T-TM-3Y

Cisco Secure Firewall 3120 Threat Defense Threat and Malware 3Y Subscription

L-FPR3120T-TM-5Y

Cisco Secure Firewall 3120 Threat Defense Threat and Malware 5Y Subscription

L-FPR3120T-TMC-1Y

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3120T-TMC-3Y

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3120T-TMC-5Y

Cisco Secure Firewall 3120 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3120T-URL-1Y

Cisco Secure Firewall 3120 Threat Defense URL Filtering 1Y Subscription

L-FPR3120T-URL-3Y

Cisco Secure Firewall 3120 Threat Defense URL Filtering 3Y Subscription

L-FPR3120T-URL-5Y

Cisco Secure Firewall 3120 Threat Defense URL Filtering 5Y Subscription

L-FPR3130T-AMP-1Y

Cisco Secure Firewall 3130 Threat Defense Malware Protection 1Y Subscription

L-FPR3130T-AMP-3Y

Cisco Secure Firewall 3130 Threat Defense Malware Protection 3Y Subscription

L-FPR3130T-AMP-5Y

Cisco Secure Firewall 3130 Threat Defense Malware Protection 5Y Subscription

L-FPR3130T-T-1Y

Cisco Secure Firewall 3130 Threat Defense Threat Protection 1Y Subscription

L-FPR3130T-T-3Y

Cisco Secure Firewall 3130 Threat Defense Threat Protection 3Y Subscription

L-FPR3130T-T-5Y

Cisco Secure Firewall 3130 Threat Defense Threat Protection 5Y Subscription

L-FPR3130T-TC-1Y

Cisco Secure Firewall 3130 Threat Defense Threat and URL 1Y Subscription

L-FPR3130T-TC-3Y

Cisco Secure Firewall 3130 Threat Defense Threat and URL 3Y Subscription

L-FPR3130T-TC-5Y

Cisco Secure Firewall 3130 Threat Defense Threat and URL 5Y Subscription

L-FPR3130T-TM-1Y

Cisco Secure Firewall 3130 Threat Defense Threat and Malware 1Y Subscription

L-FPR3130T-TM-3Y

Cisco Secure Firewall 3130 Threat Defense Threat and Malware 3Y Subscription

L-FPR3130T-TM-5Y

Cisco Secure Firewall 3130 Threat Defense Threat and Malware 5Y Subscription

L-FPR3130T-TMC-1Y

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3130T-TMC-3Y

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3130T-TMC-5Y

Cisco Secure Firewall 3130 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3130T-URL-1Y

Cisco Secure Firewall 3130 Threat Defense URL Filtering 1Y Subscription

L-FPR3130T-URL-3Y

Cisco Secure Firewall 3130 Threat Defense URL Filtering 3Y Subscription

L-FPR3130T-URL-5Y

Cisco Secure Firewall 3130 Threat Defense URL Filtering 5Y Subscription

L-FPR3140T-AMP-1Y

Cisco Secure Firewall 3140 Threat Defense Malware Protection 1Y Subscription

L-FPR3140T-AMP-3Y

Cisco Secure Firewall 3140 Threat Defense Malware Protection 3Y Subscription

L-FPR3140T-AMP-5Y

Cisco Secure Firewall 3140 Threat Defense Malware Protection 5Y Subscription

L-FPR3140T-T-1Y

Cisco Secure Firewall 3140 Threat Defense Threat Protection 1Y Subscription

L-FPR3140T-T-3Y

Cisco Secure Firewall 3140 Threat Defense Threat Protection 3Y Subscription

L-FPR3140T-T-5Y

Cisco Secure Firewall 3140 Threat Defense Threat Protection 5Y Subscription

L-FPR3140T-TC-1Y

Cisco Secure Firewall 3140 Threat Defense Threat and URL 1Y Subscription

L-FPR3140T-TC-3Y

Cisco Secure Firewall 3140 Threat Defense Threat and URL 3Y Subscription

L-FPR3140T-TC-5Y

Cisco Secure Firewall 3140 Threat Defense Threat and URL 5Y Subscription

L-FPR3140T-TM-1Y

Cisco Secure Firewall 3140 Threat Defense Threat and Malware 1Y Subscription

L-FPR3140T-TM-3Y

Cisco Secure Firewall 3140 Threat Defense Threat and Malware 3Y Subscription

L-FPR3140T-TM-5Y

Cisco Secure Firewall 3140 Threat Defense Threat and Malware 5Y Subscription

L-FPR3140T-TMC-1Y

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR3140T-TMC-3Y

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR3140T-TMC-5Y

Cisco Secure Firewall 3140 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR3140T-URL-1Y

Cisco Secure Firewall 3140 Threat Defense URL Filtering 1Y Subscription

L-FPR3140T-URL-3Y

Cisco Secure Firewall 3140 Threat Defense URL Filtering 3Y Subscription

L-FPR3140T-URL-5Y

Cisco Secure Firewall 3140 Threat Defense URL Filtering 5Y Subscription

SKUs and Ordering for Cisco Firepower 4100 Series

The following tables outline the product part number information for the Cisco Firepower 4100 Series. Note that the customer may want extra power supplies and fans.

Table 28. 4100 Series chassis part numbers

Part Number

Description

PID

Description

FPR4110-BUN

Cisco Firepower 4110 Master Bundle

FPR4112-BUN

Cisco Firepower 4112 Master Bundle

FPR4115-BUN

Cisco Firepower 4115 Master Bundle

FPR4125-BUN

Cisco Firepower 4125 Master Bundle

FPR4145-BUN

Cisco Firepower 4145 Master Bundle

FPR4110-FTD-HA-BUN

Cisco Firepower 4110 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4112-FTD-HA-BUN

Cisco Firepower 4112 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4115-FTD-HA-BUN

Cisco Firepower 4115 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4125-FTD-HA-BUN

Cisco Firepower 4125 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4145-FTD-HA-BUN

Cisco Firepower 4145 Two Unit High Availability Bundle (will order 2 identical chassis and software subscriptions to be configured as a high-availability pair)

FPR4110-ASA-K9

Cisco Firepower 4110 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4110-NGFW-K9

Cisco Firepower 4110 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4110-NGIPS-K9

Cisco Firepower 4110 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4110-AMP-K9

Cisco Firepower 4110 AMP Appliance, 1RU, 2 x Network Module Bays

FPR4112-ASA-K9

Cisco Firepower 4112 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4112-NGFW-K9

Cisco Firepower 4112 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4112-NGIPS-K9

Cisco Firepower 4112 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4115-ASA-K9

Cisco Firepower 4115 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4115-NGFW-K9

Cisco Firepower 4115 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4115-NGIPS-K9

Cisco Firepower 4115 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4125-ASA-K9

Cisco Firepower 4125 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4125-NGFW-K9

Cisco Firepower 4125 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4125-NGIPS-K9

Cisco Firepower 4125 NGIPS Appliance, 1RU, 2 x Network Module Bays

FPR4145-ASA-K9

Cisco Firepower 4145 ASA Appliance, 1RU, 2 x Network Module Bays

FPR4145-NGFW-K9

Cisco Firepower 4145 NGFW Appliance, 1RU, 2 x Network Module Bays

FPR4145-NGIPS-K9

Cisco Firepower 4145 NGIPS Appliance, 1RU, 2 x Network Module Bays

Note:      USE THE BUNDLE PART NUMBER UNLESS YOU HAVE AN EXPLICIT REASON NOT TO. THE BUNDLE PID ENSURES THAT ALL NECESSARY COMPONENTS ARE PURCHASED.

Table 29.       4100 Series network module part numbers

Part Number

Description

FPR4K-NM-2X40G-F

Cisco Firepower 2-port 40G SR FTW Network Module

FPR4K-NM-2X40G-F=

Cisco Firepower 2-port 40G SR FTW Network Module

FPR4K-NM-4X40G

Cisco Firepower 4-port QSFP+ Network Module

FPR4K-NM-4X40G=

Cisco Firepower 4-port QSFP+ Network Module

FPR4K-NM-6X10LR-F

Cisco Firepower 6-port 10G LR FTW Network Module

FPR4K-NM-6X10LR-F=

Cisco Firepower 6-port 10G LR FTW Network Module

FPR4K-NM-6X10SR-F

Cisco Firepower 6-port 10G SR FTW Network Module

FPR4K-NM-6X10SR-F=

Cisco Firepower 6-port 10G SR FTW Network Module

FPR4K-NM-6X1SX-F

Cisco Firepower 6-port 1G SX Fiber FTW Network Module

FPR4K-NM-6X1SX-F=

Cisco Firepower 6-port 1G SX Fiber FTW Network Module

FPR4K-NM-8X10G

Cisco Firepower 8-port SFP+ Network Module

FPR4K-NM-8X10G=

Cisco Firepower 8-port SFP+ Network Module

FPR4K-NM-8X1G-F

Cisco Firepower 8-port 1Gbps copper FTW Network Module

FPR4K-NM-8X1G-F=

Cisco Firepower 8-port 1Gbps copper FTW Network Module

Table 30.     4100 Series accessories part numbers

Part Number

Description

FPR4K-FAN

Cisco Firepower 4000 Series Fan

FPR4K-FAN=

Cisco Firepower 4000 Series Fan

FPR4K-NM-BLANK

Cisco Firepower 4000 Series Network Module Blank Slot Cover

FPR4K-NM-BLANK=

Cisco Firepower 4000 Series Network Module Blank Slot Cover

FPR4K-PSU-BLANK

Cisco Firepower 4000 Series Chassis Power Supply Blank Slot Cover

FPR4K-PSU-BLANK=

Cisco Firepower 4000 Series Chassis Power Supply Blank Slot Cover

FPR4K-PWR-AC-1100

Cisco Firepower 4000 Series 1100W AC Power Supply

FPR4K-PWR-AC-1100=

Cisco Firepower 4000 Series 1100W AC Power Supply

FPR4K-PWR-DC-950

Cisco Firepower 4000 Series 950W DC Power Supply

FPR4K-PWR-DC-950=

Cisco Firepower 4000 Series 950W DC Power Supply

FPR4K-RACK-MNT

Cisco Firepower 4000 Series Rack Mount Kit

FPR4K-RACK-MNT=

Cisco Firepower 4000 Series Rack Mount Kit

FPR4K-SSD-BBLKD

Cisco Firepower 4000 Series SSD Slot Carrier

FPR4K-SSD-BBLKD=

Cisco Firepower 4000 Series SSD Slot Carrier

FPR4K-SSD200

Cisco Firepower 4000 Series SSD for 4110 and 4120

FPR4K-SSD200=

Cisco Firepower 4000 Series SSD for 4110 and 4120

FPR4K-SSD400

Cisco Firepower 4000 Series SSD for 4140 and 4150

FPR4K-SSD400=

Cisco Firepower 4000 Series SSD for 4140 and 4150

FPR4K-SSD800

Cisco Firepower 4000 Series 800GB SSD

FPR4K-SSD800=

Cisco Firepower 4000 Series 800GB SSD

FPR4K-ACC-KIT

Cisco Firepower 4000 Series Hardware Accessory Kit (Rack Mounts, Cables)

FPR4K-ACC-KIT=

Cisco Firepower 4000 Series Hardware Accessory Kit (Rack Mounts, Cables)

FPR4K-ACC-KIT2

Cisco Firepower 4115/25/45 Hardware Accessory Kit

FPR4K-ACC-KIT2=

Cisco Firepower 4115/25/45 Hardware Accessory Kit

FPR4K-CBL-MGMT

Cisco Firepower 4100 Series Cable Management Kit

FPR4K-CBL-MGMT=

Cisco Firepower 4100 Series Cable Management Kit

Note:      Use these part numbers if the customer is ordering spare fans, power supplies, or a rack mount kit.

SKUs for 4100 Series Licenses and Subscriptions

When ordering a 4100 Series firewall with the ASA configuration, a license is required. When ordering 4100 Series hardware with the Cisco Secure Firewall Threat Defense image, both licenses and a subscription to optional security services are required. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP

Malware defense

C or URL

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

Table 31.     Cisco Firepower 4100 Series license part numbers for configurations with the Cisco Secure Firewall Threat Defense image

Part Number

Description

L-FPR4110T-AMP=

Cisco Firepower 4110 Threat Defense Malware Protection License

L-FPR4110T-T=

Cisco Firepower 4110 Threat Defense Threat Protection License

L-FPR4110T-TC=

Cisco Firepower 4110 Threat Defense Threat and URL License

L-FPR4110T-TM=

Cisco Firepower 4110 Threat Defense Threat and Malware License

L-FPR4110T-TMC=

Cisco Firepower 4110 Threat Defense Threat, Malware, and URL License

L-FPR4110T-URL=

Cisco Firepower 4110 Threat Defense URL Filtering License

L-FPR4112T-AMP=

Cisco Firepower 4112 Threat Defense Malware Protection License

L-FPR4112T-T=

Cisco Firepower 4112 Threat Defense Threat Protection License

L-FPR4112T-TC=

Cisco Firepower 4112 Threat Defense Threat and URL License

L-FPR4112T-TM=

Cisco Firepower 4112 Threat Defense Threat and Malware License

L-FPR4112T-TMC=

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL License

L-FPR4112T-URL=

Cisco Firepower 4112 Threat Defense URL Filtering License

L-FPR4115T-AMP=

Cisco Firepower 4115 Threat Defense Malware Protection License

L-FPR4115T-T=

Cisco Firepower 4115 Threat Defense Threat Protection License

L-FPR4115T-TC=

Cisco Firepower 4115 Threat Defense Threat and URL License

L-FPR4115T-TM=

Cisco Firepower 4115 Threat Defense Threat and Malware License

L-FPR4115T-TMC=

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL License

L-FPR4115T-URL=

Cisco Firepower 4115 Threat Defense URL Filtering License

L-FPR4125T-AMP=

Cisco Firepower 4125 Threat Defense Malware Protection License

L-FPR4125T-T=

Cisco Firepower 4125 Threat Defense Threat Protection License

L-FPR4125T-TC=

Cisco Firepower 4125 Threat Defense Threat and URL License

L-FPR4125T-TM=

Cisco Firepower 4125 Threat Defense Threat and Malware License

L-FPR4125T-TMC=

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL License

L-FPR4125T-URL=

Cisco Firepower 4125 Threat Defense URL Filtering License

L-FPR4145T-AMP=

Cisco Firepower 4145 Threat Defense Malware Protection License

L-FPR4145T-T=

Cisco Firepower 4145 Threat Defense Threat Protection License

L-FPR4145T-TC=

Cisco Firepower 4145 Threat Defense Threat and URL License

L-FPR4145T-TM=

Cisco Firepower 4145 Threat Defense Threat and Malware License

L-FPR4145T-TMC=

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL License

L-FPR4145T-URL=

Cisco Firepower 4145 Threat Defense URL Filtering License

Table 32.    Cisco Firepower 4100 Series subscription part numbers for configurations with the Firewall Threat Defense image

Part Number

Description

L-FPR4110T-AMP-1Y

Cisco Firepower 4110 Threat Defense Malware Protection 1Y Subscription

L-FPR4110T-AMP-3Y

Cisco Firepower 4110 Threat Defense Malware Protection 3Y Subscription

L-FPR4110T-AMP-5Y

Cisco Firepower 4110 Threat Defense Malware Protection 5Y Subscription

L-FPR4110T-T-1Y

Cisco Firepower 4110 Threat Defense Threat Protection 1Y Subscription

L-FPR4110T-T-3Y

Cisco Firepower 4110 Threat Defense Threat Protection 3Y Subscription

L-FPR4110T-T-5Y

Cisco Firepower 4110 Threat Defense Threat Protection 5Y Subscription

L-FPR4110T-TC-1Y

Cisco Firepower 4110 Threat Defense Threat and URL 1Y Subscription

L-FPR4110T-TC-3Y

Cisco Firepower 4110 Threat Defense Threat and URL 3Y Subscription

L-FPR4110T-TC-5Y

Cisco Firepower 4110 Threat Defense Threat and URL 5Y Subscription

L-FPR4110T-TM-1Y

Cisco Firepower 4110 Threat Defense Threat and Malware 1Y Subscription

L-FPR4110T-TM-3Y

Cisco Firepower 4110 Threat Defense Threat and Malware 3Y Subscription

L-FPR4110T-TM-5Y

Cisco Firepower 4110 Threat Defense Threat and Malware 5Y Subscription

L-FPR4110T-TMC-1Y

Cisco Firepower 4110 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4110T-TMC-3Y

Cisco Firepower 4110 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4110T-TMC-5Y

Cisco Firepower 4110 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4110T-URL-1Y

Cisco Firepower 4110 Threat Defense URL Filtering 1Y Subscription

L-FPR4110T-URL-3Y

Cisco Firepower 4110 Threat Defense URL Filtering 3Y Subscription

L-FPR4110T-URL-5Y

Cisco Firepower 4110 Threat Defense URL Filtering 5Y Subscription

L-FPR4112T-AMP-1Y

Cisco Firepower 4112 Threat Defense Malware Protection 1Y Subscription

L-FPR4112T-AMP-3Y

Cisco Firepower 4112 Threat Defense Malware Protection 3Y Subscription

L-FPR4112T-AMP-5Y

Cisco Firepower 4112 Threat Defense Malware Protection 5Y Subscription

L-FPR4112T-T-1Y

Cisco Firepower 4112 Threat Defense Threat Protection 1Y Subscription

L-FPR4112T-T-3Y

Cisco Firepower 4112 Threat Defense Threat Protection 3Y Subscription

L-FPR4112T-T-5Y

Cisco Firepower 4112 Threat Defense Threat Protection 5Y Subscription

L-FPR4112T-TC-1Y

Cisco Firepower 4112 Threat Defense Threat and URL 1Y Subscription

L-FPR4112T-TC-3Y

Cisco Firepower 4112 Threat Defense Threat and URL 3Y Subscription

L-FPR4112T-TC-5Y

Cisco Firepower 4112 Threat Defense Threat and URL 5Y Subscription

L-FPR4112T-TM-1Y

Cisco Firepower 4112 Threat Defense Threat and Malware 1Y Subscription

L-FPR4112T-TM-3Y

Cisco Firepower 4112 Threat Defense Threat and Malware 3Y Subscription

L-FPR4112T-TM-5Y

Cisco Firepower 4112 Threat Defense Threat and Malware 5Y Subscription

L-FPR4112T-TMC-1Y

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4112T-TMC-3Y

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4112T-TMC-5Y

Cisco Firepower 4112 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4112T-URL-1Y

Cisco Firepower 4112 Threat Defense URL Filtering 1Y Subscription

L-FPR4112T-URL-3Y

Cisco Firepower 4112 Threat Defense URL Filtering 3Y Subscription

L-FPR4112T-URL-5Y

Cisco Firepower 4112 Threat Defense URL Filtering 5Y Subscription

L-FPR4115T-AMP-1Y

Cisco Firepower 4115 Threat Defense Malware Protection 1Y Subscription

L-FPR4115T-AMP-3Y

Cisco Firepower 4115 Threat Defense Malware Protection 3Y Subscription

L-FPR4115T-AMP-5Y

Cisco Firepower 4115 Threat Defense Malware Protection 5Y Subscription

L-FPR4115T-T-1Y

Cisco Firepower 4115 Threat Defense Threat Protection 1Y Subscription

L-FPR4115T-T-3Y

Cisco Firepower 4115 Threat Defense Threat Protection 3Y Subscription

L-FPR4115T-T-5Y

Cisco Firepower 4115 Threat Defense Threat Protection 5Y Subscription

L-FPR4115T-TC-1Y

Cisco Firepower 4115 Threat Defense Threat and URL 1Y Subscription

L-FPR4115T-TC-3Y

Cisco Firepower 4115 Threat Defense Threat and URL 3Y Subscription

L-FPR4115T-TC-5Y

Cisco Firepower 4115 Threat Defense Threat and URL 5Y Subscription

L-FPR4115T-TM-1Y

Cisco Firepower 4115 Threat Defense Threat and Malware 1Y Subscription

L-FPR4115T-TM-3Y

Cisco Firepower 4115 Threat Defense Threat and Malware 3Y Subscription

L-FPR4115T-TM-5Y

Cisco Firepower 4115 Threat Defense Threat and Malware 5Y Subscription

L-FPR4115T-TMC-1Y

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4115T-TMC-3Y

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4115T-TMC-5Y

Cisco Firepower 4115 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4115T-URL-1Y

Cisco Firepower 4115 Threat Defense URL Filtering 1Y Subscription

L-FPR4115T-URL-3Y

Cisco Firepower 4115 Threat Defense URL Filtering 3Y Subscription

L-FPR4115T-URL-5Y

Cisco Firepower 4115 Threat Defense URL Filtering 5Y Subscription

L-FPR4125T-AMP-1Y

Cisco Firepower 4125 Threat Defense Malware Protection 1Y Subscription

L-FPR4125T-AMP-3Y

Cisco Firepower 4125 Threat Defense Malware Protection 3Y Subscription

L-FPR4125T-AMP-5Y

Cisco Firepower 4125 Threat Defense Malware Protection 5Y Subscription

L-FPR4125T-T-1Y

Cisco Firepower 4125 Threat Defense Threat Protection 1Y Subscription

L-FPR4125T-T-3Y

Cisco Firepower 4125 Threat Defense Threat Protection 3Y Subscription

L-FPR4125T-T-5Y

Cisco Firepower 4125 Threat Defense Threat Protection 5Y Subscription

L-FPR4125T-TC-1Y

Cisco Firepower 4125 Threat Defense Threat and URL 1Y Subscription

L-FPR4125T-TC-3Y

Cisco Firepower 4125 Threat Defense Threat and URL 3Y Subscription

L-FPR4125T-TC-5Y

Cisco Firepower 4125 Threat Defense Threat and URL 5Y Subscription

L-FPR4125T-TM-1Y

Cisco Firepower 4125 Threat Defense Threat and Malware 1Y Subscription

L-FPR4125T-TM-3Y

Cisco Firepower 4125 Threat Defense Threat and Malware 3Y Subscription

L-FPR4125T-TM-5Y

Cisco Firepower 4125 Threat Defense Threat and Malware 5Y Subscription

L-FPR4125T-TMC-1Y

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4125T-TMC-3Y

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4125T-TMC-5Y

Cisco Firepower 4125 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4125T-URL-1Y

Cisco Firepower 4125 Threat Defense URL Filtering 1Y Subscription

L-FPR4125T-URL-3Y

Cisco Firepower 4125 Threat Defense URL Filtering 3Y Subscription

L-FPR4125T-URL-5Y

Cisco Firepower 4125 Threat Defense URL Filtering 5Y Subscription

L-FPR4140T-AMP-5Y

Cisco Firepower 4140 Threat Defense Malware Protection 5Y Subscription

L-FPR4140T-T-1Y

Cisco Firepower 4140 Threat Defense Threat Protection 1Y Subscription

L-FPR4145T-AMP-1Y

Cisco Firepower 4145 Threat Defense Malware Protection 1Y Subscription

L-FPR4145T-AMP-3Y

Cisco Firepower 4145 Threat Defense Malware Protection 3Y Subscription

L-FPR4145T-AMP-5Y

Cisco Firepower 4145 Threat Defense Malware Protection 5Y Subscription

L-FPR4145T-T-1Y

Cisco Firepower 4145 Threat Defense Threat Protection 1Y Subscription

L-FPR4145T-T-3Y

Cisco Firepower 4145 Threat Defense Threat Protection 3Y Subscription

L-FPR4145T-T-5Y

Cisco Firepower 4145 Threat Defense Threat Protection 5Y Subscription

L-FPR4145T-TC-1Y

Cisco Firepower 4145 Threat Defense Threat and URL 1Y Subscription

L-FPR4145T-TC-3Y

Cisco Firepower 4145 Threat Defense Threat and URL 3Y Subscription

L-FPR4145T-TC-5Y

Cisco Firepower 4145 Threat Defense Threat and URL 5Y Subscription

L-FPR4145T-TM-1Y

Cisco Firepower 4145 Threat Defense Threat and Malware 1Y Subscription

L-FPR4145T-TM-3Y

Cisco Firepower 4145 Threat Defense Threat and Malware 3Y Subscription

L-FPR4145T-TM-5Y

Cisco Firepower 4145 Threat Defense Threat and Malware 5Y Subscription

L-FPR4145T-TMC-1Y

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL 1Y Subscription

L-FPR4145T-TMC-3Y

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL 3Y Subscription

L-FPR4145T-TMC-5Y

Cisco Firepower 4145 Threat Defense Threat, Malware, and URL 5Y Subscription

L-FPR4145T-URL-1Y

Cisco Firepower 4145 Threat Defense URL Filtering 1Y Subscription

L-FPR4145T-URL-3Y

Cisco Firepower 4145 Threat Defense URL Filtering 3Y Subscription

L-FPR4145T-URL-5Y

Cisco Firepower 4145 Threat Defense URL Filtering 5Y Subscription

Example of Cisco Firepower Solution Configurations

The tables below show sample configurations for ordering the 9300 appliances. Note that these are high-level overviews and that actual orders will include additional items.

Table 33.       Fully populated chassis with three SM-48 Security Modules for maximum I/O capability

Part Number

Description

Quantity

FPR-C9300-AC

Cisco Firepower 9300 AC Chassis + 2 PSU + 4 fans

1

FPR9K-SUP

Cisco Firepower 9000 Series Supervisor

1

FPR9K-SM-48

Cisco Firepower 9000 Series 48 Physical Core, Security Module includes 2 SSDs

3

FPR9K-NM-4X40G

Cisco Firepower 9000 Series - 4-port QSFP+ Network Module

1

FPR9K-NM-8X10G

Cisco Firepower 9000 Series - 8-port SFP+ Network Module

1

CAB-AC-C6K-TWLK

Power Cord, 250VAC 16A, twist-lock NEMA L6-20 plug, U

1

L-F9K-ASA-SC-10=

License to add 10 Security Contexts to ASA in Cisco Firepower 9000

3

Table 34.       Chassis with one SM-40 Security Module

Part Number

Description

Quantity

FPR-C9300-AC

Cisco Firepower 9300 AC Chassis + 2 PSU + 4 fans

1

FPR9K-SUP

Cisco Firepower 9000 Series Supervisor

1

FPR9K-SM-40

Cisco Firepower 9000 Series Enterprise, 40 Physical Core, Security Module (NEBS Ready) includes 2 SSDs

1

CAB-AC-C6K-TWLK

Power Cord, 250VAC 16A, twist lock NEMA L6-20 plug, U

1

Ordering Examples: Cisco Commerce, Step-by-Step

Cisco Commerce provides a Deals and Quotes application that helps the Cisco sales team and specialized channel partners to build a system quote with:

      Products, required modules, and software

      Automatically generated services based on products and installation-site location

      Customized leasing options from Cisco Capital financing, where available

For additional information about Cisco Commerce, go to: https://apps.cisco.com/Commerce/home.

You will find several helpful tools to estimate and order solutions so you can configure products and view lead times and prices for each selection. You can view lead time and price changes under a variety of price lists and service contract terms. You can also track your order.

The following product and related options are supported in the workspace:

      Cisco Firepower 9300 (FPR-C9300-AC)

      Cisco Firepower 4100 Series (FPR-41xx-xxx)

For other ordering tools, such as services ordering, please consult the Additional Resources section at the end of this document.

Ordering Example 1: Cisco Firepower 9300 with ASA

Step 1.    Smart Software Licensing

Before placing a Cisco Firepower 9300 order, a Smart Software Licensing account for the end customer must be initiated. If the customer already has a Smart Software Licensing account, that account must be associated with the order. More information on Smart Software Licensing account establishment is available in the Smart Software Licensing section of this ordering guide, and online at: https://www.cisco.com/web/ordering/smart-software-manager/index.html.

To associate the order’s licenses with the customer’s Smart Licensing account, or to begin the establishment of the Smart Licensing account, follow these steps. Note that if you are initiating the account, you are able to complete the order only if the account is initiated on the end customer’s behalf and associated with the order.

1.     Go to Cisco Commerce: https://www.cisco.com/go/ccw.

2.     From the Orders pull-down menu, select Create Order.

3.     Select Assign Smart Account, and follow the subsequent prompts for Smart Licensing.

Step 2.    Navigate to Products > Security > Cisco Firepower 9000 Series. In the search box, enter the part number FPR-C9300-AC.

Step 3.    Add the chassis to the cart by clicking the blue plus sign (+), and then the Add button.

Step 4.    Check the box at 1.0 FPR-C9300-AC and click Select Options.

Step 5.    Follow the instructions in the yellow box. First, click the Power Cables link and make a cable selection in the next screen.

Step 6.    After selecting the appropriate cable(s), click Security Module Slot 1 in the yellow box.

Step 7.    Select either the SM-40 or SM-48 security module type, and then enter quantity 1. Repeat this process as required for two and three security modules, if ordered. Remember, you cannot mix module types in the chassis. Then click Security Module Slot 1 to add software.

Step 8.    Check the button under the SKU selection column to add software, and then click Supervisor.

Step 9.    Check the box to add the supervisor module, and click the FPR9K-SUP link to add modules.

Step 10. Select the supervisor module, and then click Network Modules to add.

Step 11. Select the required network modules, and then click FPR-NM-4X40G to select the required connectors.

Step 12. Browse and select compatible connectors from the list, and then click Done.

Step 13. Any missing components will be flagged at this time. Here we see that a Strong Encryption license is missing. If required, return to the menu under Feature Licenses to add.

Step 14. Select L-FPR9K-ASA to display additional software licenses. Select Strong Encryption and additional security contexts if desired, and then click Done.

Ordering Example 2: Firepower 4100 Series (Uses the Firewall Threat Defense Image)

Step 15.  

1.     In Cisco Commerce, select one of the bundles for the desired platform based on performance requirements:

      FPR4110-BUN

      FPR4112-BUN

      FPR4115-BUN

      FPR4125-BUN

      FPR4145-BUN

2.     Select the desired appliance by deployment type (4110 example):

      FPR4110-ASA-K9 (for firewall deployment, running standalone ASA firewall)

or

      FPR4110-NGFW-K9 (for firewall deployment, running Cisco Secure Firewall Threat Defense)

or

      FPR4110-NGIPS-K9 (for Secure IPS deployment [inline options], running Cisco Secure Firewall Threat Defense)

Step 16.  

3.     FPR4110-NGFW-K9 is selected from the “Firepower Hardware” section.

4.     Select the Redundant Power Supply option where applicable. If chosen, two (2) power cords must be selected.

5.     Select Country Specification (affects power cord selection).

6.     Warnings will be presented in a yellow box until the number of power cords selected is equal to the number of power supplies.

Step 17. Configure the supervisor software.

7.     The FXOS license is selected by default, as it is the supervisor operating system and required for system function. No selection is required.

Step 18. Configure the Cisco Secure Firewall Threat Defense software version.

Step 19. Configure the supervisor SFP modules.

8.     Select SFP modules for the supervisor (up to 8 allowed). These are the on-chassis included ports and require an optics module to function.

Step 20. Configure the network modules.

9.     Select optional network module(s).

10.  There are two network module slots (1 and 2). Each contains selectable options.

11.  Certain network modules offer SFP options when selected. These appear as links below the Slot 1 and Slot 2 section headings.

Step 21. Configure the network modules (continued).

12.  When the link is clicked, SFP options appear (example: FPR4K-NM-4X40G).

13.  Select the appropriate number of SFPs for the network module.

Step 22. Complete the bundle by adding optional subscriptions.

14.  After completion of hardware options, return to the main bundle page.

15.  Click the SUBSCRIPTIONS link on the lower left.

16.  When selected, the subscription options will expand. Subscriptions for the firewall configuration are optional:

      T = Threat (IPS)

      TM = Threat + AMP

      TC = Threat + URL

      TMC = Threat + AMP + URL

Step 23. Complete the bundle by adding optional subscriptions.

17.  Click the blue plus sign (+) to add a desired subscription.

18.  The subscription will then appear below the previously completed hardware selection.

19.  You may then configure the term of the subscription by clicking the “Edit Services/Subscriptions” link. 3Y is the default term, with options for 1Y and 5Y.

SKUs and Ordering for Cisco Firepower 9300

The following tables outline the product part number information for the Cisco Firepower 9300. Note that the customer may want extra power supplies and fans. You can add these to the order separately. When you order, you choose between one and three security modules per chassis. Note that security module types cannot be mixed within a chassis.

Table 35.       Chassis and sublevel assemblies and components included with each chassis

Part Number (Chassis Hardware)

Description

FPR-C9300-AC

Cisco Firepower 9300 AC Chassis - includes 2 power supply units + 4 fans + rack-mount kit (3RU; accommodates up to three security modules)

FPR-C9300-DC

Cisco Firepower 9300 DC Chassis - includes 2 power supply units + 4 fans + rack-mount kit (3RU; accommodates up to three security modules)

FPR-C9300-HVDC

Cisco Firepower 9300 high-voltage DC Chassis - includes 2 power supply units + 4 fans + rack-mount kit (3RU; accommodates up to three security modules)

FPR-C9300-AC=

Cisco Firepower 9300 AC Chassis Spare – without power supply and fans

FPR-C9300-DC=

Cisco Firepower 9300 DC Chassis Spare – without power supply and fans

FPR9K-PS-AC=

Cisco Firepower 9000 Series AC Power Supply (order for spare only)

FPR9K-PS-DC=

Cisco Firepower 9000 Series DC Power Supply (order for spare only)

FPR9K-FAN=

Cisco Firepower 9000 Series Fan (order for spare only)

FPR9K-RMK=

Cisco Firepower 9000 Series Rack Mount Kit (order for spare only)

FPR9K-SUP=

Cisco Firepower 9000 Series Supervisor Spare

 

Part Number (Security Modules)

Description

FPR9K-SM-40=

Cisco Firepower 9000 Series, Security Module 40 Spare, includes 2 SSDs

FPR9K-SM-48=

Cisco Firepower 9000 Series, Security Module 48 Spare, includes 2 SSDs

FPR9K-SM-56=

Cisco Firepower 9000 Series, Security Module 56 Spare, includes 2 SSDs

FPR9K-FTD-BUN

Cisco FPR9300 Threat Defense Bundle for Security Modules

FPR9K-SM40-FTD-BUN

Cisco FPR9300 SM-40 Threat Defense Chassis, Subs HA Bundle

FPR9K-SM48-FTD-BUN

Cisco FPR9300 SM-48 Threat Defense Chassis, Subs HA Bundle

FPR9K-SM56-FTD-BUN

Cisco FPR9300 SM-56 Threat Defense Chassis, Subs HA Bundle

 

Part Number (Cables)

Description

Breakout Cables

Generic breakout cables can be used; see: https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-660083.html

Note:      There are eight 10-Gbps ports on the supervisor module, which is bundled by default with the chassis. However, customers that plan to use supervisor module ports will require connectors for those ports as well as for the ports on the network modules. Only one 1-Gbps connector, for the management port, is included by default with each supervisor module.

Table 36.       Cisco Firepower 9300 Network Modules

Network Modules

Description

FPR9K-NM-4X40G

Firepower 9000 Series – 4 port QSFP+ Network Module

FPR9K-NM-4X40G=

Firepower 9000 Series – 4 port QSFP+ Network Module

FPR9K-NM-8X10G

Firepower 9000 Series – 8 port SFP+ Network Module

FPR9K-NM-8X10G=

Firepower 9000 Series – 8 port SFP+ Network Module

FPR9K-DNM-2X100G

Cisco Firepower 2 port 100G Network Module, Double Width

FPR9K-DNM-2X100G=

Cisco Firepower 2 port 100G Network Module, Double Width

FPR9K-NM-2X100G

Cisco Firepower 2 port 100G Network Module

FPR9K-NM-2X100G=

Cisco Firepower 2 port 100G Network Module

FPR9K-NM-4X100G

Cisco Firepower 4 port 100G Network Module

FPR9K-NM-4X100G=

Cisco Firepower 4 port 100G Network Module

FPR9K-NM-6X10SR-F

10G Short range Fail to Wire Network Module (includes built-in SFP)

FPR9K-NM-6X10SR-F=

10G Short range Fail to Wire Spare Network Module (includes built-in SFP)

FPR9K-NM-6X10LR-F

10G Long range Fail to Wire Network Module (includes built-in SFP)

FPR9K-NM-6X10LR-F=

10G Long range Fail to Wire Spare Network Module (includes built-in SFP)

FPR9K-NM-2X40G-F

40G Fail to Wire Network Module (includes built-in QSFP)

FPR9K-NM-2X40G-F=

40G Fail to Wire Spare Network Module (includes built-in QSFP)

FPR9K-NM-6X1SX-F

Cisco Firepower 6-port 1G SX Fiber FTW Network Module (includes built-in SFP)

FPR9K-NM-6X1SX-F=

Cisco Firepower 6-port 1G SX Fiber FTW Network Module (Spare) (includes built-in SFP)

Table 37.       SFP module options for 10G netmod and 10G supervisor ports

Part Number (SFP Modules)

SKU

Description

SFP-10G-SR

10GBASE-SR SFP Module

SFP-10G-LR

10GBASE-LR SFP Module

SFP-10G-SR-S

10GBASE-SR SFP Module, Enterprise-Class

SFP-10G-LR-S

10GBASE-LR SFP Module, Enterprise-Class

SFP-10G-LRM

10GBASE-LRM SFP Module

SFP-10G-ER

10GBASE-ER SFP Module

SFP-H10GB-CU1M

10GBASE-CU SFP+ Cable 1m

SFP-H10GB-CU3M

10GBASE-CU SFP+ Cable 3m

SFP-H10GB-CU5M

10GBASE-CU SFP+ Cable 5m

SFP-H10GB-ACU7M

Active Twinax cable assembly, 7m

SFP-H10GB-ACU10M

Active Twinax cable assembly, 10m

SFP-10G-AOC1M

10GBASE Active Optical SFP+ Cable, 1m

SFP-10G-AOC2M

10GBASE Active Optical SFP+ Cable, 2m

SFP-10G-AOC3M

10GBASE Active Optical SFP+ Cable, 3m

SFP-10G-AOC5M

10GBASE Active Optical SFP+ Cable, 5m

SFP-10G-AOC7M

10GBASE Active Optical SFP+ Cable, 7m

SFP-10G-AOC10M

10GBASE Active Optical SFP+ Cable, 10m

GLC-SX-MMD

1000BASE-SX SFP transceiver module, MMF, 850nm, DOM

GLC-LH-SMD

1000BASE-LX/LH SFP transceiver module, MMF/SMF, 1310nm, DOM

GLC-EX-SMD

1000BASE-EX SFP transceiver module, SMF, 1310nm, DOM

GLC-ZX-SMD

1000BASE-ZX SFP transceiver module, SMF, 1550nm, DOM

Table 38.       SFP module options for 40G netmod

Part Number (SFP Modules)

Description

QSFP-40G-SR4

40GBASE-SR4 QSFP Transceiver Module with MPO Connector

QSFP-40G-CSR4

QSFP 4x10GBASE-SR Transceiver Module, MPO, 300M

QSFP-40G-SR-BD

QSFP40G BiDi Short-reach Transceiver

QSFP-40G-LR4-S

QSFP 40GBASE-LR4 Transceiver Mod, LC, 10km, Enterprise-Class

QSFP-40G-LR4

QSFP 40GBASE-LR4 OTN Transceiver, LC, 10km

WSP-Q40GLR4L

QSFP 40G Ethernet - LR4 Lite, LC, 2KM

QSFP-H40G-CU1M

40GBASE-CR4 Passive Copper Cable, 1m

QSFP-H40G-CU3M

40GBASE-CR4 Passive Copper Cable, 3m

QSFP-H40G-CU5M

40GBASE-CR4 Passive Copper Cable, 5m

QSFP-H40G-AOC1M

40GBASE Active Optical Cable, 1m

QSFP-H40G-AOC2M

40GBASE Active Optical Cable, 2m

QSFP-H40G-AOC3M

40GBASE Active Optical Cable, 3m

QSFP-H40G-AOC5M

40GBASE Active Optical Cable, 5m

QSFP-H40G-AOC7M

40GBASE Active Optical Cable, 7m

QSFP-H40G-AOC10M

40GBASE Active Optical Cable, 10m

QSFP-H40G-AOC15M

40GBASE Active Optical Cable, 15m

QSFP-H40G-ACU7M

40GBASE-CR4 Active Copper Cable, 7m

QSFP-H40G-AOC10M

40GBASE-CR4 Active Copper Cable, 10m

Table 39.     100G network QSFP28 module options

Part Number (SFP Modules)

Description

QSFP-100G-LR4-S

100GBASE LR4 QSFP Transceiver, LC, 10km over SMF

When ordering a Cisco Firepower 9300 firewall with the ASA configuration, a Standard (base) ASA license (L-F9K-ASA) is required.

Table 40.       Cisco Firepower 9300 power cables

Part Number (Power Cables)

Country

Description

CAB-AC-2500W-INT

International

Power Cord, 250VAC 16A, INTL

CAB-C19-CBN

International

Cabinet Jumper Power Cord, 250VAC 16A, C20-C19 Connectors

CAB-AC-C6K-TWLK

[All Categories]

Power Cord, 250VAC 16A, twist lock NEMA L6-20 plug, US

CAB-AC-2500W-US1

North America and Japan

Power Cord, 250VAC 16A, straight blade NEMA 6-20 plug, US

CAB-AC-16A-AUS

Australia

Power Cord, 250VAC, 16A, Australia C19

CAB-AC16A-CH

China

16A AC Power Cord for China

CAB-AC-2500W-ISRL

People's Republic of China

Power Cord, 250VAC, 16A, Israel

CAB-S132-C19-ISRL

Israel

S132 to IEC-C19 14ft Israeli

CAB-ACS-16

Switzerland

AC Power Cord (Swiss) 16A

CAB-IR2073-C19-AR

Argentina

IRSM 2073 to IEC-C19 14ft Argentina

CAB-BS1363-C19-UK

United Kingdom

BS-1363 to IEC-C19 14ft UK

CAB-SABS-C19-IND

India

SABS 164-1 to IEC-C19 India

CAB-C2316-C19-IT

Italy

CEI 23-16 to IEC-C19 14ft Italy

UCSB-CABL-C19-BRZ

Brazil

NBR 14136 to C19 AC 14ft Power Cord, Brazil

CAB-C19-C20-3M-JP

Japan

Power Cord C19-C20, 3m/10ft Japan PSE mark

CAB-AC-2500W-INT

International

Power Cord, 250VAC 16A, INTL

SKUs for Cisco Firepower 9300 Series Licenses and Firewall Threat Defense Subscriptions

When ordering a Cisco Firepower 9300 firewall with the ASA configuration, a Standard (base) ASA license (L-F9K-ASA) is required.

Alternatively, when ordering a 9300 Series with the Cisco Secure Firewall Threat Defense image, base AVC capability comes by default with the Cisco Secure Firewall Threat Defense license (L-FPR9K-TD-BASE=). Additionally, subscriptions can be purchased (one license per security module) to add IPS, URL Filtering, and malware defense capabilities. Similarly, if the customer already has a Firepower 9300, the same PIDs are used to upgrade to the Cisco Secure Firewall Threat Defense image. Subscription terms are 1, 3, and 5 years, with the greatest price discount at 5 years. In the listed part numbers, the threat services are identified as follows:

Table 41.       Threat subscription decoder

Threat Subscription Abbreviations

Description

T

Threat (Security Intelligence and IPS)

M or AMP

Malware defense

C or URL

URL Filtering

1Y

1-Year Subscription

3Y

3-Year Subscription

5Y

5-Year Subscription

Table 42.       Cisco Firepower 9300 Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-40

PID

Description

L-FPR9K-40T-T=

Cisco FPR9K SM-40 Threat Defense Threat Protection License

L-FPR9K-40T-AMP=

Cisco FPR9K SM-40 Threat Defense Malware Protection License

L-FPR9K-40T-URL=

Cisco FPR9K SM-40 Threat Defense URL Filtering License

L-FPR9K-40T-TM=

Cisco FPR9K SM-40 Threat Defense Threat and Malware License

L-FPR9K-40T-TC=

Cisco FPR9K SM-40 Threat Defense Threat and URL License

L-FPR9K-40T-TMC=

Cisco FPR9K SM-40 Threat Defense Threat, Malware and URL License

L-FPR9K-40T-AMP-1Y

Cisco FPR9K SM-40 Threat Defense Malware Protection 1Y Subs

L-FPR9K-40T-AMP-3Y

Cisco FPR9K SM-40 Threat Defense Malware Protection 3Y Subs

L-FPR9K-40T-AMP-5Y

Cisco FPR9K SM-40 Threat Defense Malware Protection 5Y Subs

L-FPR9K-40T-URL-1Y

Cisco FPR9K SM-40 Threat Defense URL Filtering 1Y Subs

L-FPR9K-40T-URL-3Y

Cisco FPR9K SM-40 Threat Defense URL Filtering 3Y Subs

L-FPR9K-40T-URL-5Y

Cisco FPR9K SM-40 Threat Defense URL Filtering 5Y Subs

L-FPR9K-40T-T-1Y

Cisco FPR9K SM-40 Threat Defense Threat Protection 1Y Subs

L-FPR9K-40T-T-3Y

Cisco FPR9K SM-40 Threat Defense Threat Protection 3Y Subs

L-FPR9K-40T-T-5Y

Cisco FPR9K SM-40 Threat Defense Threat Protection 5Y Subs

L-FPR9K-40T-TM-1Y

Cisco FPR9K SM-40 Threat Defense Threat and Malware 1Y Subs

L-FPR9K-40T-TM-3Y

Cisco FPR9K SM-40 Threat Defense Threat and Malware 3Y Subs

L-FPR9K-40T-TM-5Y

Cisco FPR9K SM-40 Threat Defense Threat and Malware 5Y Subs

L-FPR9K-40T-TC-1Y

Cisco FPR9K SM-40 Threat Defense Threat and URL 1Y Subs

L-FPR9K-40T-TC-3Y

Cisco FPR9K SM-40 Threat Defense Threat and URL 3Y Subs

L-FPR9K-40T-TC-5Y

Cisco FPR9K SM-40 Threat Defense Threat and URL 5Y Subs

L-FPR9K-40T-TMC-1Y

Cisco FPR9K SM-40 Threat Defense Threat, Malware, URL 1Y Sub

L-FPR9K-40T-TMC-3Y

Cisco FPR9K SM-40 Threat Defense Threat, Malware, URL 3Y Sub

L-FPR9K-40T-TMC-5Y

Cisco FPR9K SM-40 Threat Defense Threat, Malware, URL 5Y Sub

Table 43.       Cisco Firepower 9300 Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-48

FPR9K-SM-48

Firepower 9000 Series High Performance Security Module

L-FPR9K-48T-T=

Cisco FPR9K SM-48 Threat Defense Threat Protection License

L-FPR9K-48T-AMP=

Cisco FPR9K SM-48 Threat Defense Malware Protection License

L-FPR9K-48T-URL=

Cisco FPR9K SM-48 Threat Defense URL Filtering License

L-FPR9K-48T-TM=

Cisco FPR9K SM-48 Threat Defense Threat and Malware License

L-FPR9K-48T-TC=

Cisco FPR9K SM-48 Threat Defense Threat and URL License

L-FPR9K-48T-TMC=

Cisco FPR9K SM-48 Threat Defense Threat, Malware and URL License

L-FPR9K-48T-AMP-1Y

Cisco FPR9K SM-48 Threat Defense Malware Protection 1Y Subs

L-FPR9K-48T-AMP-3Y

Cisco FPR9K SM-48 Threat Defense Malware Protection 3Y Subs

L-FPR9K-48T-AMP-5Y

Cisco FPR9K SM-48 Threat Defense Malware Protection 5Y Subs

L-FPR9K-48T-URL-1Y

Cisco FPR9K SM-48 Threat Defense URL Filtering 1Y Subs

L-FPR9K-48T-URL-3Y

Cisco FPR9K SM-48 Threat Defense URL Filtering 3Y Subs

L-FPR9K-48T-URL-5Y

Cisco FPR9K SM-48 Threat Defense URL Filtering 5Y Subs

L-FPR9K-48T-T-1Y

Cisco FPR9K SM-48 Threat Defense Threat Protection 1Y Subs

L-FPR9K-48T-T-3Y

Cisco FPR9K SM-48 Threat Defense Threat Protection 3Y Subs

L-FPR9K-48T-T-5Y

Cisco FPR9K SM-48 Threat Defense Threat Protection 5Y Subs

L-FPR9K-48T-TM-1Y

Cisco FPR9K SM-48 Threat Defense Threat and Malware 1Y Subs

L-FPR9K-48T-TM-3Y

Cisco FPR9K SM-48 Threat Defense Threat and Malware 3Y Subs

L-FPR9K-48T-TM-5Y

Cisco FPR9K SM-48 Threat Defense Threat and Malware 5Y Subs

L-FPR9K-48T-TC-1Y

Cisco FPR9K SM-48 Threat Defense Threat and URL 1Y Subs

L-FPR9K-48T-TC-3Y

Cisco FPR9K SM-48 Threat Defense Threat and URL 3Y Subs

L-FPR9K-48T-TC-5Y

Cisco FPR9K SM-48 Threat Defense Threat and URL 5Y Subs

L-FPR9K-48T-TMC-1Y

Cisco FPR9K SM-48 Threat Defense Threat, Malware, URL 1Y Sub

L-FPR9K-48T-TMC-3Y

Cisco FPR9K SM-48 Threat Defense Threat, Malware, URL 3Y Sub

L-FPR9K-48T-TMC-5Y

Cisco FPR9K SM-48 Threat Defense Threat, Malware, URL 5Y Sub

Table 44.       Cisco Firepower 9300 Series license part numbers and subscription terms for Cisco Secure Firewall Threat Defense on Security Module SM-56

FPR9K-SM-56

Firepower 9000 Series Security Module 56

L-FPR9K-56T-T=

Cisco FPR9K SM-56 Threat Defense Threat Protection License

L-FPR9K-56T-AMP=

Cisco FPR9K SM-56 Threat Defense Malware Protection License

L-FPR9K-56T-URL=

Cisco FPR9K SM-56 Threat Defense URL Filtering License

L-FPR9K-56T-TM=

Cisco FPR9K SM-56 Threat Defense Threat and Malware License

L-FPR9K-56T-TC=

Cisco FPR9K SM-56 Threat Defense Threat and URL License

L-FPR9K-56T-TMC=

Cisco FPR9K SM-56 Threat Defense Threat, Malware and URL License

L-FPR9K-56T-AMP-1Y

Cisco FPR9K SM-56 Threat Defense Malware Protection 1Y Subs

L-FPR9K-56T-AMP-3Y

Cisco FPR9K SM-56 Threat Defense Malware Protection 3Y Subs

L-FPR9K-56T-AMP-5Y

Cisco FPR9K SM-56 Threat Defense Malware Protection 5Y Subs

L-FPR9K-56T-URL-1Y

Cisco FPR9K SM-56 Threat Defense URL Filtering 1Y Subs

L-FPR9K-56T-URL-3Y

Cisco FPR9K SM-56 Threat Defense URL Filtering 3Y Subs

L-FPR9K-56T-URL-5Y

Cisco FPR9K SM-56 Threat Defense URL Filtering 5Y Subs

L-FPR9K-56T-T-1Y

Cisco FPR9K SM-56 Threat Defense Threat Protection 1Y Subs

L-FPR9K-56T-T-3Y

Cisco FPR9K SM-56 Threat Defense Threat Protection 3Y Subs

L-FPR9K-56T-T-5Y

Cisco FPR9K SM-56 Threat Defense Threat Protection 5Y Subs

L-FPR9K-56T-TM-1Y

Cisco FPR9K SM-56 Threat Defense Threat and Malware 1Y Subs

L-FPR9K-56T-TM-3Y

Cisco FPR9K SM-56 Threat Defense Threat and Malware 3Y Subs

L-FPR9K-56T-TM-5Y

Cisco FPR9K SM-56 Threat Defense Threat and Malware 5Y Subs

L-FPR9K-56T-TC-1Y

Cisco FPR9K SM-56 Threat Defense Threat and URL 1Y Subs

L-FPR9K-56T-TC-3Y

Cisco FPR9K SM-56 Threat Defense Threat and URL 3Y Subs

L-FPR9K-56T-TC-5Y

Cisco FPR9K SM-56 Threat Defense Threat and URL 5Y Subs

L-FPR9K-56T-TMC-1Y

Cisco FPR9K SM-56 Threat Defense Threat, Malware, URL 1Y Sub

L-FPR9K-56T-TMC-3Y

Cisco FPR9K SM-56 Threat Defense Threat, Malware, URL 3Y Sub

L-FPR9K-56T-TMC-5Y

Cisco FPR9K SM-56 Threat Defense Threat, Malware, URL 5Y Sub

SKUs and Ordering Guidance for Cisco Secure Firewall Threat Defense Virtual

Cisco Secure Firewall Threat Defense Virtual is available where virtualized firewall and IPS capabilities are required, including in public cloud environments. It is the virtualized version of Firewall Threat Defense. It enables consistent security policies to follow workloads across your physical, virtual, and cloud environments, and between clouds. Complexity is further minimized with simple provisioning and a single console, the Firewall Management Center (FMC), which enables threat visibility and automated defense across your estate. FMC can manage both physical and virtual devices. See the Firewall Management Center section of this guide for FMC part numbers.

In Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) environments, Cisco Secure Firewall Threat Defense Virtual devices can be managed either by an on-premises FMC, or in the respective public cloud with the virtualized FMC. When deployed in AWS and Microsoft Azure environments, two licensing models are available:

      Bring Your Own License (BYOL), where an existing Threat Defense Virtual license is required

      Hourly billing (a pay-as-you-go model) available through the AWS interface

Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI) only support the Bring Your Own License (BYOL) licensing model.

For the supported private cloud platforms and hyperconverged infrastructure, such as Cisco HyperFlex and Nutanix AHV, the same licenses can be used in the BYOL model.

Cisco Secure Firewall Threat Defense Virtual enables inspection of inter-VM and east-west traffic, as well as traffic at ingress and egress points to the cloud. It is designed to address security concerns in traditional network infrastructures and can optionally be inserted into Cisco’s Application Centric Infrastructure (ACI) for flexible orchestration.

Firewall Threat Defense Virtual performance tiered Subscriptions

Performance-tiered licensing is available starting from Firewall Threat Defense Virtual version 7.0. The new licensing model also includes the Base License as a subscription. There are 6 tiers in the new performance-tiered licensing model, which can be ordered using the following SKUs.

Table 45.       Cisco Secure Firewall Threat Defense Virtual Performance tiered Base Subscription and Threat, Malware and URL Filtering Subscription SKUs

Top level SKU

| License | Term Subscription | Description |
| --- | --- | --- |
| FTDV-SEC-SUB | 1,3 and 5 Year | Cisco Secure Firewall Threat Defense Virtual Subscription |

Term Subscription 1, 3 and 5 year

| FTDv 5s | FTDv 10s | FTDv 20s | FTDv 30s | FTDv 50s | FTDv 100s | Description |
| --- | --- | --- | --- | --- | --- | --- |
| FTD-V-5S-BSE-K9 | FTD-V-10S-BSE-K9 | FTD-V-20S-BSE-K9 | FTD-V-30S-BSE-K9 | FTD-V-50S-BSE-K9 | FTD-V-100S-BSE-K9 | Cisco Firepower TD Virtual Base License |
| FTD-V-5S-TMC | FTD-V-10S-TMC | FTD-V-20S-TMC | FTD-V-30S-TMC | FTD-V-50S-TMC | FTD-V-100S-TMC | Cisco Firepower TD Virtual Threat, Malware & URL Filtering License |
| FTD-V-5S-TM | FTD-V-10S-TM | FTD-V-20S-TM | FTD-V-30S-TM | FTD-V-50S-TM | FTD-V-100S-TM | Cisco Firepower TD Virtual Threat Protection, Malware License |
| FTD-V-5S-TC | FTD-V-10S-TC | FTD-V-20S-TC | FTD-V-30S-TC | FTD-V-50S-TC | FTD-V-100S-TC | Cisco Firepower TD Virtual Threat Protection, URL Filtering License |
| FTD-V-5S-T | FTD-V-10S-T | FTD-V-20S-T | FTD-V-30S-T | FTD-V-50S-T | FTD-V-100S-T | Cisco Firepower TD Virtual Threat Protection License |
| FTD-V-5S-URL | FTD-V-10S-URL | FTD-V-20S-URL | FTD-V-30S-URL | FTD-V-50S-URL | FTD-V-100S-URL | Cisco Firepower TD Virtual URL Filtering License |
| FTD-V-5S-AMP | FTD-V-10S-AMP | FTD-V-20S-AMP | FTD-V-30S-AMP | FTD-V-50S-AMP | FTD-V-100S-AMP | Cisco Firepower TD Virtual Malware License |

1.     Search for the top-level subscription SKU, FTDV-SEC-SUB, and click “Add”.

2.     Add the Base License quantity for the tiers required.

3.     Select additional features for each Base License selected (optional). The quantity should align with the Base License quantity.

4.     The Service tab shows the support options available. Cisco Solution Support is the default level of support for the Base and TMC subscription. It provides 24*7 technical phone support and is the recommended level of support. Included in the subscription at no additional cost is 8*5 online support, which also provides software upgrades.

5.     The default term is 3 years, which can be updated by clicking the Terms tab and editing the duration. Click Save Changes.

6.     Once the changes are saved, the complete configuration is displayed. There is an option to switch from Solution Support to basic support.

7.     Click Save and Continue to review the complete configuration. This redirects to the main CCW screen.

Please note that the older non-tiered license with perpetual base will continue to work with 7.0. It can be selected as the FTDv – Variable license in the FMC UI during registration.

Table 46.       Cisco Secure Firewall Threat Defense Virtual Perpetual Base and Subscription SKUs

SKUs

| Base License | Term Subscription | Description |
| --- | --- | --- |
| FPRTD-V-K9 | | Cisco Firepower NGFWv Base License |

| Term Licenses | Term Subscription | Description |
| --- | --- | --- |
| L-FPRTD-V-TMC= | L-FPRTD-V-TMC-1Y | Cisco Firepower NGFWv Threat Defense Threat, Malware, and URL 1YR Subscription |
| L-FPRTD-V-TMC= | L-FPRTD-V-TMC-3Y | Cisco Firepower NGFWv Threat Defense Threat, Malware, and URL 3YR Subscription |
| L-FPRTD-V-TMC= | L-FPRTD-V-TMC-5Y | Cisco Firepower NGFWv Threat Defense Threat, Malware, and URL 5YR Subscription |
| L-FPRTD-V-T= | L-FPRTD-V-T-1Y | Cisco Firepower NGFWv Threat Defense Threat Protection 1YR Subscription |
| L-FPRTD-V-T= | L-FPRTD-V-T-3Y | Cisco Firepower NGFWv Threat Defense Threat Protection 3YR Subscription |
| L-FPRTD-V-T= | L-FPRTD-V-T-5Y | Cisco Firepower NGFWv Threat Defense Threat Protection 5YR Subscription |
| L-FPRTD-V-URL= | L-FPRTD-V-URL-1Y | Cisco Firepower NGFWv Threat Defense URL Filtering 1YR Subscription |
| L-FPRTD-V-URL= | L-FPRTD-V-URL-3Y | Cisco Firepower NGFWv Threat Defense URL Filtering 3YR Subscription |
| L-FPRTD-V-URL= | L-FPRTD-V-URL-5Y | Cisco Firepower NGFWv Threat Defense URL Filtering 5YR Subscription |
| L-FPRTD-V-TC= | L-FPRTD-V-TC-1Y | Cisco Firepower NGFWv Threat Defense Threat and URL 1Y Subscription |
| L-FPRTD-V-TC= | L-FPRTD-V-TC-3Y | Cisco Firepower NGFWv Threat Defense Threat and URL 3Y Subscription |
| L-FPRTD-V-TC= | L-FPRTD-V-TC-5Y | Cisco Firepower NGFWv Threat Defense Threat and URL 5Y Subscription |
| L-FPRTD-V-TM= | L-FPRTD-V-TM-1Y | Cisco Firepower NGFWv Threat Defense Threat and Malware Protection 1Y Subscription |
| L-FPRTD-V-TM= | L-FPRTD-V-TM-3Y | Cisco Firepower NGFWv Threat Defense Threat and Malware Protection 3Y Subscription |
| L-FPRTD-V-TM= | L-FPRTD-V-TM-5Y | Cisco Firepower NGFWv Threat Defense Threat and Malware Protection 5Y Subscription |
| L-FPRTD-V-AMP= | L-FPRTD-V-AMP-1Y | Cisco Firepower NGFWv Threat Defense Malware Protection 1Y Subscription |
| L-FPRTD-V-AMP= | L-FPRTD-V-AMP-3Y | Cisco Firepower NGFWv Threat Defense Malware Protection 3Y Subscription |
| L-FPRTD-V-AMP= | L-FPRTD-V-AMP-5Y | Cisco Firepower NGFWv Threat Defense Malware Protection 5Y Subscription |

SKUs for Cisco Secure Firewall Threat Defense Software on New ASA Appliances

The following tables provide ordering information for all Threat Defense software on ASA appliances. For optimal threat defense, we recommend choosing one of the multiservice subscriptions highlighted below. As well, we recommend multiyear subscriptions to customers for value and convenience.

Cisco Firepower 1000, 2100, 4100 and 9300 Series appliances function as a stateful firewall when running the ASA operating system. This is sometimes referred to as a L3/L4 firewall. The ASA firewall delivers enterprise-class firewall capabilities for ASA devices in an array of form factors—standalone appliances, blades, and virtual appliances—for any distributed network environment. Among its benefits, Cisco ASA Software:

      Offers integrated IPS, VPN, and unified communications capabilities

      Helps increase capacity and improve performance through high-performance, multisite, multinode clustering

      Delivers high availability for high-resiliency applications

      Provides collaboration between physical and virtual devices

      Provides context awareness with Cisco TrustSec security group tags and identity-based firewall technology

      Facilitates dynamic routing and clientless and site-to-site VPN on a per-context basis

Cisco ASA software also supports modern encryption standards, including the Suite B set of cryptographic algorithms. It also integrates with the Cisco Cloud Web Security solution to provide world-class, web-based threat protection.

SKUs and Ordering Guidance for Cisco Adaptive Security Virtual Appliance (ASAv)

The Cisco ASAv brings the power of ASA to the virtual domain and private cloud environments. It runs the same software as the physical ASA appliance to deliver proven security functionality. You can use ASAv to protect virtual workloads within your data center. Later, you can expand, contract, or shift the location of these workloads over time and can span physical and virtual infrastructures. The Adaptive Security Virtual Appliance runs as a virtual machine inside a hypervisor in a virtual host. Most of the features that are supported on a physical ASA by Cisco software are supported on the virtual appliance as well, except for clustering and multiple contexts. The virtual appliance supports site-to-site VPN, remote-access VPN, and clientless VPN functionalities as supported by physical ASA devices. See the ASAv data sheet for more details.

ASAv is available in both subscription and perpetual licensing models.

Table 47.       Cisco Adaptive Security Virtual Appliance (ASAv) Subscription License

Part number

Description

L-ASA-V-5S-K9=

Cisco 100 Mbps entitlement (ASAv5) subscription

L-ASA-V-10S-K9=

Cisco 1 Gbps entitlement (ASAv10) subscription

L-ASA-V-30S-K9=

Cisco 2 Gbps entitlement (ASAv30) subscription

L-ASA-V-50S-K9=

Cisco 10 Gbps entitlement (ASAv50) subscription

L-ASA-V-100S-K9=

Cisco 20 Gbps entitlement (ASAv100) subscription*

Table 48.       Cisco Adaptive Security Virtual Appliance (ASAv) Perpetual License

Cisco Adaptive Security Virtual Appliance (ASAv)

L-ASAV5S-K9=

Cisco 100 Mbps entitlement (ASAv5) selection

L-ASAV5S-STD-8

8-pack Cisco ASAv5(100 Mbps) with all firewall features licensed

L-ASAV10S-K9=

Cisco ASAv10 (1 Gbps) selection

L-ASAV10S-STD

Cisco ASAv10 (1 Gbps) with all firewall features licensed

L-ASAV10S-STD-16

16-pack Cisco ASAv10 (1 Gbps) with all firewall features licensed

L-ASAV30S-K9=

Cisco ASAv30 (2 Gbps) selection

L-ASAV30S-STD

Cisco ASAv30 (2 Gbps) with all firewall features licensed

L-ASAV30S-STD-4

4-pack Cisco ASAv30 (2 Gbps) with all firewall features licensed

L-ASAV50S-K9=

Cisco ASAv50 selection

L-ASAV50S-STD-4

4-Pack Cisco ASAv50 with all firewall features licensed

Note:      For ASAv, remote-access VPN and clientless VPN functionality can be licensed separately as outlined in https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/guide-c07-732790.html.

Firepower Virtual Appliances: Multiple-Quantity Order

When ordered, Firepower virtual appliances are licensed as software since they are not tied to a hardware appliance platform. The result is that if multiple virtual appliances are ordered, a single product authorization key, or PAK, is generated for that quantity. In Figure 11, a quantity of 10 virtual sensors with a subscription is configured. A single PAK would be generated for the entire quantity. In this example, all 10 virtual sensors must be registered to the same Cisco Secure Firewall Management Center. The 10 cannot be separated into smaller quantities.

Should the customer require virtual appliances to be registered to different Cisco Secure Firewall Management Centers, desired quantities must be ordered as separate line items. The customer can then register each group of five appliances to a different Cisco Secure Firewall Management Center if so desired.

Regardless of the licenses installed and applied, virtual appliances do not support hardware-based features, including clustering, switching, routing, Network Address Translation, fast-path, and fail-open; nor is VPN supported. Also, virtual appliances do not have a local web-based interface.

Qualys Connector

The Qualys Connector is a software application that collects Qualys Guard vulnerability report data and sends it to the Cisco Secure Firewall Management Center. The Qualys vulnerability data is then aggregated with Cisco’s vulnerability information found in the host map. Customers can choose to use Cisco or Qualys vulnerability data, or both, for Impact Flag calculations and automatic rule recommendations.

Firepower Product Licensing and License Activation

      The customer logs on to https://cisco.com/go/licensing and uses the Smart Licensing feature to request a token to be installed in the FMC or FDM. This license is then applied to the Cisco Secure Firewall Management Center that is going to manage the feature or appliance.

      Exception: Cisco Secure Endpoint (formerly AMP for Endpoints) does not require an activation key at this time.

High-Availability Configurations

Type 1: Secure Firewall High-Availability

      If the customer wants high availability for sensors, two appliances are required.

      Appliances must be of the same model and generation.

      Both appliances must be identically licensed and have support.

      Licenses will be applied to the same primary Cisco Secure Firewall Management Center managing the high-availability pair.

Cisco Secure Firewall Malware Defense

Cisco malware defense is based on the FirePOWER platform. It delivers network-based protection against targeted and advanced malware attacks. Malware defense is available in two deployment options:

      As an add-on, software-enabled subscription that can be added to any FirePOWER appliance as part of a FirePOWER IPS configuration.

      As a purpose-built, dedicated appliance based on FirePOWER technology that is optimized to deliver enhanced malware defense related performance and meet storage requirements. A separate subscription is required for malware defense functionality, even with dedicated malware defense appliances.

Snort Subscriber Rule Set: Subscription Options

Personal: This subscription type is for use in a home network environment. If you’d like to purchase a subscription online using a credit card, you may do so. For a personal subscription, please go to https://www.snort.org/products to place an order. It is not available to purchase on Cisco Commerce. As you approach the expiration date, renewal by way of Snort.org is automatic for credit card orders and is part of the license agreement.

Business: This subscription type is for use in businesses, nonprofit organizations, colleges and universities, government agencies, consultancies, and other venues where Snort sensors are in use in a production or lab environment. This subscription type does not include a license to redistribute the Snort Subscriber Rule Set except as described in section 2.1 of the Rule Set license agreement.

If you’d like to purchase a Rule subscription online using a credit card, you may do so. Customers or end users who cannot purchase by credit card are requested to contact a partner or distributor who can purchase on their behalf through Cisco Commerce. If you need assistance with a quote, contact snort-sub@cisco.com. Unlike Snort.org automatic renewals, orders placed in Cisco Commerce require a manual renewal to trigger another subscription. Important: The email address of the recipient of the subscription license must be included on the order for electronic delivery.

For more information, visit: https://www.snort.org/products.

SKUs and Ordering Guidance for Cisco Security Manager

Cisco Security Manager provides scalable and centralized operations management for ASA functions, including policy and object management, event management, reporting, and troubleshooting for Cisco ASA firewall functions. The Security Manager can be used to manage:

      Cisco Firepower 2100, 4100 and 9300 series platforms with ASA management

      Cisco Secure Firewall ASA Virtual on VMware and KVM

      Cisco Secure Client (formerly AnyConnect Secure Mobility Client)

      Integrated Services Router (ISR) platforms running a Cisco IOS Software security image

      Cisco Catalyst 6500 Series ASA Services Modules

Security Manager is available in two feature levels: Standard and Professional (Table 94). Enterprise customers with numerous security devices will benefit from Security Manager Professional, and customers with fewer security device deployments will find Security Manager Standard an exceptional value. For small-scale and simple deployments, the Cisco Adaptive Security Device Manager (ASDM) is available to provide on-device, GUI-based firewall network operations management for Cisco ASA with FirePOWER Services deployments.

Note:      Modern server hardware is required. Please see the Cisco Security Manager data sheet for more details.

Table 49.     Cisco Security Manager models

E-Delivery Part Number

Description

L-CSMST-5-K9

Cisco Security Manager Standard - 5 Device License

L-CSMST-10-K9

Cisco Security Manager Standard - 10 Device License

L-CSMST-25-K9

Cisco Security Manager Standard - 25 Device License

L-CSMSTPR-U-K9

Cisco Security Manager ST-25 To PR-50 Upgrade License

Cisco Security Manager Enterprise Professional Incremental Device Licenses

L-CSMPR-50-K9

Cisco Security Manager Professional - 50 Device License

L-CSMPR-100-K9

Cisco Security Manager Professional - 100 Device License

L-CSMPR-250-K9

Cisco Security Manager Professional - 250 Device License

Table 50.       Cisco Security Manager SASU SKUs

Cisco Security Manager

| E-Delivery Part Number | Product Description | SKU |
| --- | --- | --- |
| L-CSMST-5-K9 | Cisco Security Manager Standard - 5 Device License SASU (Software Updates) | CON-SAS-LSMST5K9 |
| L-CSMST-10-K9 | Cisco Security Manager Standard - 10 Device License SASU (Software Updates) | CON-SAS-LSMST10K |
| L-CSMST-25-K9 | Cisco Security Manager Standard - 25 Device License SASU (Software Updates) | CON-SAS-LSMST25K |
| L-CSMSTPR-U-K9 | Cisco Security Manager ST-25 To PR-50 Upgrade License SASU (Software Updates) | CON-SAS-LCMSTPU9 |
| Cisco Security Manager Enterprise Professional Incremental Device Licenses | | |
| L-CSMPR-50-K9 | Cisco Security Manager Professional - 50 Device License SASU (Software Updates) | CON-SAS-LSMPR50K |
| L-CSMPR-100-K9 | Cisco Security Manager Professional - 100 Device License SASU (Software Updates) | CON-SAS-LSMPR100 |
| L-CSMPR-250-K9 | Cisco Security Manager Professional - 250 Device License SASU (Software Updates) | CON-SAS-LCMPR250 |

SKUs and Ordering Guidance for Cisco Secure Firewall Management Center

The Cisco Secure Firewall Management Center, available as a physical or virtual appliance, provides unified management of:

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 1000 Series appliances

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 2100 Series appliances

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 4100 Series appliances

      Cisco Secure Firewall Threat Defense Virtual

      Cisco Secure Firewall Threat Defense software on the Cisco Firepower 9300

      FirePOWER module of Cisco ASA with FirePOWER Services

      Cisco Secure Intrusion Prevention System (IPS) and Cisco Secure Firewall malware defense solutions

      Cisco Secure Firewall Threat Defense for Integrated Services Routers (ISR)

The Firewall Management Center provides a centralized management console and event database repository. It is available in a range of physical appliance models, as a virtual appliance for VMware or KVM or a cloud-delivered version that is delivered via the Cisco Defense Orchestrator. One physical or virtual management appliance can manage multiple appliances as long as all the appliances are running the compatible firewall configuration.

The appropriate Firewall Management Center hardware is selected based on the firewall configuration deployed and the number of appliances and events to be monitored. Firewall Management Center 1600, 2600, and 4600 physical appliances or the Firewall Management Center virtual appliance is required to manage Cisco ASA with FirePOWER Services or Cisco ASA with Threat Defense software deployments. Version 6.0 or later is required to manage the Firewall Threat Defense (FTD) software image. Cisco Security Manager is required to manage ASA physical or virtual appliance firewall functionality. Cisco Defense Orchestrator delivers the cloud-delivered version of Firewall Management Center and a consistent and simplified cloud-based security policy management for ASA, ASA with FirePOWER Services, and FTD devices. For more details, visit the Cisco Defense Orchestrator (CDO). For CDO ordering details, visit the CDO Ordering Guide.

Table 51.     Cisco Secure Firewall Management Center SKUs

Cisco Secure Firewall Management Center (Hardware) Appliances

Part Number

Product Description

FMC1600-K9

Cisco Secure Firewall Management Center 1600 Chassis, 1RU

FMC2600-K9

Cisco Secure Firewall Management Center 2600 Chassis, 1RU

FMC4600-K9

Cisco Secure Firewall Management Center 4600 Chassis, 1RU

Cisco Secure Firewall Management Center (Hardware) Spare

FMC-M5-PS-AC-770W=

Cisco Secure Firepower 770W AC Power Supply for FMC1600, 2600, 4600

For new deployments, a compatible Management Center can be ordered with Firepower 2100, 4100 Series, and Firepower 9300 devices. Alternately, ASDM 7.3 on-device management is available for small-scale deployments, and the Management Center is optional. For small-scale FTD deployments, Firewall Device Manager on-device manager is included.

Note:      To manage network operations in large-scale deployments of devices running the ASA software image, using the Cisco Secure Firewall Management Center and Cisco Security Manager is highly recommended.

SKUs and Ordering Guidance for Cisco Secure Firewall Management Center Virtual Appliance

The PAK-enabled, 2- and 10-device Firewall Management Center Virtual Appliances (FMCv) are part of a promotional offer to more cost-effectively manage FirePOWER Services or Firewall Threat Defense on small-scale deployments of low-end ASA-X Series appliances. However, the 2-, 10-, and 25-device FMCv Smart License or PAK SKUs do not have any limitations with respect to which appliances they can manage. If you require add-on licenses for new devices on your FMCv, it is recommended to migrate to a higher FMCv model that supports additional devices.

The FMCv software is not different for PAK or Smart Licensing.

Table 52.     PAK Licensing–enabled Cisco Secure Firewall Management Center Virtual Appliance SKUs

Cisco Secure Firewall Management Center (Software) Virtual Appliance (PAK enabled)

FS-VMW-SW-K9

Cisco Secure Firewall Management Center, Virtual for 25 devices Firepower License

FS-VMW-2-SW-K9*

Cisco Secure Firewall Management Center, for 2 devices Firepower License

FS-VMW-10-SW-K9*

Cisco Secure Firewall Management Center, for 10 devices Firepower License

Table 53.     Smart Licensing–enabled Cisco Secure Firewall Management Center Virtual Appliance SKUs

Cisco Secure Firewall Management Center (Software) Virtual Appliance

SF-FMC-VMW-K9

Cisco Secure Firewall Management Center, for 25 devices

SF-FMC-VMW-2-K9

Cisco Secure Firewall Management Center, for 2 devices

SF-FMC-VMW-10-K9

Cisco Secure Firewall Management Center, for 10 devices

SF-FMC-KVM-K9

Cisco Secure Firewall Management Center, for 25 devices

SF-FMC-KVM-2-K9

Cisco Secure Firewall Management Center, for 2 devices

SF-FMC-KVM-10-K9

Cisco Secure Firewall Management Center, for 10 devices

SF-FMC-VMW-300-K9

Cisco Secure Firewall Management Center, Virtual for 300 devices Firepower License

SF-FMC-VMW-25-300

Upgrade SKU from FMCv25 to FMCv300 Cisco Secure Firewall Management Center, Virtual

Licensing Guidance for Cisco Secure Firewall Management Center

Firewall Management Center physical or virtual appliances running version 6.0 or later do not require separate management licenses. You can purchase either a physical Firewall Management Center or a Firewall Management Center Virtual Appliance. Managed devices still require classic or Smart subscription feature licenses. Firewall Management Center Virtual Appliance Smart SKUs can manage any device running Firewall Threat Defense software.

IMPORTANT: For version 6.3 and later:

Enablement of strong crypto features (3DES/AES VPN) continues to happen automatically via Smart Licensing for those customers that are not subject to export restrictions or require an export license. However, those customers who are subject to export restrictions or require an export license will be asked to select a $0 strong crypto enablement key during configuration of any FMC device with version 6.3+.

For customers who are subject to export restrictions or require an export license and who upgrade an existing FMC to version 6.3+, spare versions of the PIDs are available (those with the “=” suffix).

To determine whether you are subject to export restrictions or require an export license, log in to CSSM and try to generate an installation token. For customers that do NOT have export restrictions, this box will be checked by default. If you do NOT see this box or are NOT able to check it, your account is subject to export restrictions. See image below:

[Image: Create Registration Token]

Table 54.       Cisco Secure Firewall Management Center strong crypto enablement SKUs

| SKU | Description |
| --- | --- |
| L-FMCVIR-ENC-K9= | Cisco Virtual FMC Series Strong Encryption (3DES/AES) |
| L-FMC1K-ENC-K9= | Cisco FMC 1K Series Strong Encryption (3DES/AES) |
| L-FMC2K-ENC-K9= | Cisco FMC 2K Series Strong Encryption (3DES/AES) |
| L-FMC4K-ENC-K9= | Cisco FMC 4K Series Strong Encryption (3DES/AES) |

      The standalone Cisco Secure Firewall Management Center is optimal for high-availability pairing. For the FMC, a high-availability or redundancy feature helps ensure continuity of operations. The secondary Management Center must be the same model as the primary appliance.

For Version 6.0 and later: Cisco ASA with FirePOWER Services system software release 5.0 and later for the Management Center can be hosted on VMware ESX and ESXi. A virtual Management Center can manage up to 300 physical or virtual devices.

The Cisco Secure Firewall Management Center Virtual Appliance does not offer high availability. However, native VMware capabilities such as VMware vSphere High Availability, Distributed Resource Scheduling (DRS), and snapshots can improve availability. As with the physical Management Center, both Cisco FireSIGHT and Cisco NetFlow licenses can be added to the Management Center virtual appliance.

Product high-availability configuration:

High availability for the Management Center (available for all versions earlier than 6.0 and later than 6.1; high availability is not supported with the 6.0 version)

      If the customer wants high availability for the Management Center, an additional appliance is required.

      The secondary Management Center must be of the same model and generation as the primary one.

      If the primary Management Center has a FireSIGHT license (v. 5.4 and earlier ONLY), an additional Cisco Firepower license does not need to be ordered for the secondary Management Center.

      License keys for all sensors, feature licenses (including Cisco Firepower), and subscriptions managed on the primary Management Center can be duplicated and loaded onto the secondary Management Center using the original activation keys.

Product Licensing and License Activation

      License activation keys are used to generate licenses to activate the Cisco ASA with FirePOWER Services configuration on all virtual and physical appliances. License keys activate added software features such as application control and subscription-based features such as URL Filtering and malware defense.

      The customer logs on to https://cisco.com/go/licensing and uses the activation key to request appliance or feature licenses. The license is then applied to the Management Center or on-device ASDM or FDM that will be managing the feature or appliance.

      Exceptions:

    Physical and virtual Management Center appliances do not require activation keys, and none are issued.

Additional Resources

Cisco Commerce

Cisco Commerce is the primary tool used for ordering Cisco products and new services offered on the Cisco Price List. Three main steps are involved in creating an order: creating a quick quote, converting a quote to an order, and submitting an order.

Cisco Commerce also acts as a quoting, pricing, configuration, and status tool. The Cisco Service Contract Center can be used to view the status of a covered item as well as service contract information.

Cisco Service Contract Center

The Cisco Service Contract Center is the primary tool used for ordering services, purchasing follow-on software subscription licenses, and processing renewals of service offerings available on the Cisco Price List. Three main steps are involved in creating an order: creating a quick quote, validating the quote, and submitting an order.

Customers and partners use the standard quoting process, and distributors have the option of using the standard or quick-quote function to create a quote. Prior to ordering, partners and distributors validate and save the quote after all software subscription licenses and services have been added.

The Cisco Service Contract Center is an integrated solution that makes it easy for Cisco service sales teams and partners to manage and grow their service business, profitably. It will:

      Quote and book your service orders and manage your service contracts and renewals with one simple, easy-to-use solution

      Reduce the time you spend solving administrative problems, searching for opportunities, and creating quotes

      Give you more time to grow your business using data you can trust, because you do not need to spend time fixing or verifying data

      Help partners to create and proactively manage their contracts

Cisco Capital Financing

The significant benefits offered by the Cisco Firepower 9300 make it the natural choice for service provider security and provisioning. As with any technology investment, the question is whether the new system is affordable. The answer is Cisco Capital financing. We can give customers the financing solution that works best for them. We offer both flexible repayments to help mitigate cash flow issues and operating leases to help negate capital expenditures.

Cisco Capital can help remove or reduce the barriers preventing organizations from obtaining the technology they need. Total solution financing programs help customers and partners:

      Achieve business objectives

      Accelerate growth

      Acquire technology to match current strategies and future needs

      Remain competitive

Cisco Capital also helps your customers achieve financial goals such as optimizing investment dollars, turning capital expenditures into operating expenses, and managing cash flow. And there’s just one predictable payment. Cisco Capital operates in more than 100 countries, so regardless of location, customers and partners have access to a trusted means to secure Cisco products and services.

For more information about Cisco Capital financing, visit the following sites:

      For channel partners: https://www.ciscocapital.com/

      For Cisco sales staff: https://wwwin.cisco.com/FinAdm/csc/

 

 

 
