Section 2-2. Firewall Features and Licenses


When a Cisco firewall runs an image of the operating system, it must have the proper license activation keys to unlock the required features. To see a list of features and their current availability on a firewall, you can use the following EXEC command:

 Firewall# show version 

Example 2-1 shows some sample output from a PIX Firewall. The show version command displays the current version of the firewall operating system (6.3(4) in this case), the firewall's elapsed uptime, and some information about the hardware. You can find the amount of RAM memory, Flash memory, and the MAC addresses of the physical interfaces here too. In this example, the firewall is a model PIX-525 and has 256 MB of RAM, 16 MB of Flash, two ethernet interfaces, and two gb-ethernet interfaces. (Here, ethernet implies a 10/100BASE-TX interface; Gigabit Ethernet interfaces are called gb-ethernet.)

Example 2-1. Sample Output from the PIX 6.3 show version Command
 Firewall# show version

 Cisco PIX Firewall Version 6.3(4)
 Cisco PIX Device Manager Version 3.0(1)

 Compiled on Wed 13-Aug-03 13:55 by morlee

 Firewall up 252 days 7 hours

 Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
 Flash E28F128J3 @ 0x300, 16MB
 BIOS Flash AM29F400B @ 0xfffd8000, 32KB

 Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
 0: ethernet0: address is 0030.8587.446e, irq 10
 1: ethernet1: address is 0030.8587.446f, irq 11
 2: gb-ethernet0: address is 0003.4725.1f97, irq 5
 3: gb-ethernet1: address is 0003.4725.1e32, irq 11

 Licensed Features:
 Failover:                    Enabled
 VPN-DES:                     Enabled
 VPN-3DES-AES:                Enabled
 Maximum Physical Interfaces: 8
 Maximum Interfaces:          12
 Cut-through Proxy:           Enabled
 Guards:                      Enabled
 URL-filtering:               Enabled
 Inside Hosts:                Unlimited
 Throughput:                  Unlimited
 IKE peers:                   Unlimited

 This PIX has an Unrestricted (UR) license.

 Serial Number: 431030631 (0x19b10167)
 Running Activation Key: 0xb0751733 0xd6201f9f 0x135e15a6 0xef5e1f26
 Configuration last modified by enable_15 at 22:00:46.880 EST Thu Feb 24 2005
 Firewall#

The Licensed Features block lists all the firewall features. This sample firewall has a valid license to operate as one of two firewalls in a failover pair. It can use the DES, 3DES, and AES encryption methods, and it has four physical interfaces, with the capability to add more if needed.

However, notice that the firewall has a limit of eight physical interfaces and a maximum of 12 interfaces. How is it possible to have up to 12 interfaces? Cisco firewalls can also support logical interfaces, in the form of virtual LANs (VLANs). A total of 12 interfaces, either physical or logical, can be configured for use.

For comparison, Example 2-2 shows the same show version output from a PIX 525 running release 7.0 of the operating system. The output format is only slightly different. The interfaces are listed without their MAC addresses.

Example 2-2. Sample Output from the PIX 7.x show version Command
 Firewall# show version

 Cisco PIX Security Appliance Software Version 7.0(1)

 Compiled on Tue 15-Feb-05 22:01 by weathers
 System image file is "flash:/pix.image"
 Config file at boot was "flash:/Firewall.cfg"

 Firewall up 152 days 12 hours

 Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
 Flash E28F128J3 @ 0xfff00000, 16MB
 BIOS Flash AM29F400B @ 0xfffd8000, 32KB

 Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
  0: Ext: Ethernet0           : media index  0: irq 10
  1: Ext: Ethernet1           : media index  1: irq 11
  2: Ext: GigabitEthernet0    : media index  0: irq 5
  3: Ext: GigabitEthernet1    : media index  1: irq 11

 License Features for this Platform:
 Maximum Physical Interfaces : 10
 Maximum VLANs               : 100
 Inside Hosts                : Unlimited
 Failover                    : Active/Active
 VPN-DES                     : Enabled
 VPN-3DES-AES                : Enabled
 Cut-through Proxy           : Enabled
 Guards                      : Enabled
 URL-filtering               : Enabled
 Security Contexts           : 5
 GTP/GPRS                    : Enabled
 VPN Peers                   : Unlimited

 This machine has an Unrestricted (UR) license.

 Serial Number: 431030631
 Running Activation Key: 0xcc05f766 0xd4c47768 0x98500748 0x8a8c7890 0x4b337295
 Configuration last modified by enable_15 at 02:10:23.400 EST Fri Feb 25 2005
 Firewall#

Physical and VLAN interface limits are broken out separately, as 10 and 100, respectively. Also notice that two types of failover licenses can be listed: Active/Standby and Active/Active, corresponding to the failover modes available in PIX 7.x. This firewall is limited to five security contexts whenever it is configured for multiple context mode.

The line that follows the feature list tells what type of firewall license is in use. In this case, an Unrestricted license is shown. Firewalls can have the following types of licenses:

  • Unrestricted (UR) An unlimited number of active connections, inspection throughput, and firewall memory are allowed, bounded only by the performance limits of the firewall hardware itself. You also can use up to the maximum number of interfaces supported by the firewall model.

    The UR license also allows the firewall to participate in a failover pair without a specific failover license.

  • Restricted (R) An unlimited number of connections and throughput are allowed. However, the firewall memory and the total number of interfaces usually are limited to specific values. The R license also prevents the firewall from participating in a failover pair.

  • Failover (FO) The firewall can participate in a failover pair as the secondary unit. This is unique, because the firewall also takes on any other features that are licensed and unlocked by the companion primary failover unit. This also means that the firewall with the FO license cannot be used standalone.

  • Failover-Active/Active (FO-AA) The firewall can participate in active/active failover as the secondary unit. With this license, the firewall must be used alongside another firewall with the UR license.

The maximum supported memory and number of physical interfaces vary across the family of Cisco firewalls. Table 2-2 shows how the models and types of licenses break down. All memory is shown in megabytes (MB).

Table 2-2. Firewall Models, Licenses, and Supported Resources

                    Unrestricted (UR)        Restricted (R)           Failover (FO)
Model               Memory   Interfaces      Memory   Interfaces      Memory   Interfaces
PIX 501[1]          16       2[2]
PIX 506 and 506E    32       2
PIX 515 and 515E    64       6               32       3               64       6
PIX 525             256      8               128      6               256      8
PIX 535             1024     10              512      8               1024     10
FWSM 2.x            1024     1000[3]
ASA5510             256      4 or 5
ASA5520             512      4
ASA5540             1024     4


[1] The PIX 501 supports licenses of unlimited users, 50 users, or 10 users. Although the number of users can be unlimited, the PIX 501 does not support all the unrestricted features.

[2] The PIX 501 has an integrated four-port switch that acts as one of the two physical interfaces.

[3] The Catalyst 6500 FWSM has no physical interfaces. Rather, it supports up to 256 logical VLAN interfaces per security context, or up to 1000 total VLAN interfaces. The Unrestricted license is inherent with the FWSM.

Firewall features are unlocked by a license activation key. Beginning with PIX 7.x, the activation key is a 20-byte string consisting of five groups of eight hexadecimal digits each. Prior releases use a 16-byte string consisting of four groups of eight hexadecimal digits each.

TIP

The Catalyst 6500 FWSM comes standard with an Unrestricted license. Because of this, it doesn't use an activation key.


If your firewall doesn't have the 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), or 256-bit Advanced Encryption Standard (AES) encryption methods enabled, you can obtain a free license activation key from Cisco.com. Go to http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl. Select one of the PIX Firewall links under Cisco Secure Products. You have to fill out an Encryption Software Export Distribution Authorization Form to get permission to legally download and use strong encryption technology from Cisco.

You can also request an activation key to upgrade any of the other features. Select SW License Upgrades and fill out the form.

When you request any type of license upgrade on Cisco.com, you must also enter your PIX serial number. You can find the serial number, programmed into the firewall hardware or the Flash memory at the factory, by issuing the show version command. The serial number is used to calculate a license activation key; therefore, the activation key works only with the firewall it was intended to support.

Upgrading a License Activation Key

A firewall keeps its activation key stored in nonvolatile Flash memory, along with an image of its operating system. The key and image are read, copied into RAM, and used when the firewall boots up.

You also can download a new key and a new operating system image to a running firewall. The new key and operating system image are immediately stored in Flash memory, because the firewall is already running from its RAM resources.

You can see the current activation key (the one copied into RAM) by issuing the following EXEC command:

 Firewall# show activation-key 

Example 2-3 shows a sample of the output from this PIX 7.x command. Notice that this firewall has the same key in both Flash and running (RAM) memory. This only means that the key has not been updated or changed since the firewall was booted up.

Example 2-3. Sample Output from the show activation-key Command
 Firewall# show activation-key
 Serial Number: 807243559
 Running Activation Key: 0xc422440f 0x2eb1445a 0x46fb4413 0x74a344ee 0x4b33d295

 Licensed features for this platform:
 Maximum Physical Interfaces : 10
 Maximum VLANs               : 100
 Inside Hosts                : Unlimited
 Failover                    : Active/Active
 VPN-DES                     : Enabled
 VPN-3DES-AES                : Enabled
 Cut-through Proxy           : Enabled
 Guards                      : Enabled
 URL Filtering               : Enabled
 Security Contexts           : 5
 GTP/GPRS                    : Enabled
 VPN Peers                   : Unlimited

 This platform has an Unrestricted (UR) license.

 The flash activation key is the SAME as the running key.
 Firewall#

Before you can enter a new activation key, the firewall must be running the exact same operating system image as the one stored in Flash memory. This ensures that the features unlocked by the activation key are applicable to the most recent image present on the firewall. If the images differ, you see the following message from the show activation-key command:

 The flash image is DIFFERENT from the running image. The two images must be the same in order to examine the flash activation key. 

In this case, the firewall must be reloaded so that the image in Flash is the one being run.

You can enter a new license activation key in one of two ways:

  • ROM monitor mode

    After an image of the firewall operating system has been downloaded via TFTP from monitor mode, the firewall asks if a new activation key is needed. The new key is added before the image is run.

  • Configuration mode

     Firewall# activation-key activation-key-tuples 

    activation-key-tuples is a string of four groups (PIX 6.x) or five groups (PIX 7.x) of eight hex digits each, provided by Cisco. Each tuple or group of eight digits can begin with 0x to designate hexadecimal notation, but this isn't necessary. This command was first made available in PIX release 6.2.

For example, a new activation key is entered on a firewall running PIX 7.x as follows:

 Firewall# activation-key 0xcc055f66 0xd4c45b68 0x98505048 0x8a8c5890 0x4b35d295

 License Features for this Platform:
 Maximum Physical Interfaces : 10
 Maximum VLANs               : 100
 Inside Hosts                : Unlimited
 Failover                    : Active/Active
 VPN-DES                     : Enabled
 VPN-3DES-AES                : Enabled
 Cut-through Proxy           : Enabled
 Guards                      : Enabled
 URL Filtering               : Enabled
 Security Contexts           : 5
 GTP/GPRS                    : Enabled
 VPN Peers                   : Unlimited

 This machine has an Unrestricted (UR) license.

 Both running and flash activation keys were updated with the requested key.
 Firewall#
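As an added example (not code from the book or from Cisco), the following Python script does what a practitioner auditing a fleet of PIX units would do with captured show version and show activation-key output: it extracts the serial number, the running key tuples (four on PIX 6.x, five on 7.x, as described above), the licensed features and license type, and flags a missing strong-crypto license, a key whose tuple count does not match the OS release, and the Flash-versus-running image and key mismatches discussed under show activation-key. The two sample outputs embedded in it are constructed for this example, modeled on Examples 2-1 and 2-2 but altered so that they trigger findings; the wording of the "flash activation key is DIFFERENT" line is an assumption, since the book shows only the SAME case.

```python
# Added example (not code from the Cisco ASA and PIX Firewall Handbook):
# audit a PIX/ASA license from captured 'show version' / 'show activation-key'
# output. The sample outputs at the bottom are constructed for this example.
import re
from typing import Dict, List, Optional

VERSION_RE = re.compile(r"Version (\d+)\.\d+\(\d+\)")
SERIAL_RE = re.compile(r"Serial Number:\s*(\d+)")
KEY_RE = re.compile(r"Running Activation Key:\s*((?:(?:0x)?[0-9a-fA-F]{8}\s*)+)")
LICENSE_RE = re.compile(r"has an? \w+ \((\w+)\) license")
FEATURE_HDR_RE = re.compile(r"^licensed? features", re.I)

def expected_tuple_count(major: int) -> int:
    """16-byte key (4 tuples) before 7.x, 20-byte key (5 tuples) from 7.x on."""
    return 5 if major >= 7 else 4

def parse_key_tuples(text: str) -> List[str]:
    """Running key as lowercase 8-hex-digit tuples; the optional 0x prefix
    is dropped because the CLI accepts a key with or without it."""
    m = KEY_RE.search(text)
    if not m:
        return []
    return [t[2:] if t.startswith("0x") else t for t in m.group(1).lower().split()]

def parse_features(text: str) -> Dict[str, str]:
    """'name: value' lines between the 'Licensed Features' header and the
    first blank line after it; only the first such block is read."""
    feats: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        s = line.strip()
        if FEATURE_HDR_RE.match(s):
            in_block = True
        elif in_block and s and ":" in s:
            name, _, value = s.partition(":")
            feats[name.strip()] = value.strip()
        elif in_block and feats:
            break
    return feats

def audit(text: str) -> Dict[str, object]:
    """Parsed license fields plus the findings a practitioner would act on."""
    vm = VERSION_RE.search(text)
    major: Optional[int] = int(vm.group(1)) if vm else None
    key = parse_key_tuples(text)
    feats = parse_features(text)
    findings: List[str] = []
    if major is not None and len(key) != expected_tuple_count(major):
        findings.append("key has %d tuples, expected %d for %d.x"
                        % (len(key), expected_tuple_count(major), major))
    if feats.get("VPN-3DES-AES") != "Enabled":
        findings.append("3DES/AES not licensed; request the free strong-crypto key")
    if feats.get("Failover", "Disabled") == "Disabled":
        findings.append("failover not licensed on this unit")
    if "flash image is DIFFERENT from the running image" in text:
        findings.append("Flash image differs from running image; reload before entering a key")
    # Wording of the mismatch line is assumed; the book shows only the SAME case.
    if "activation key is DIFFERENT" in text:
        findings.append("Flash key differs from running key (key changed since boot)")
    sm, lm = SERIAL_RE.search(text), LICENSE_RE.search(text)
    return {"major": major, "serial": sm.group(1) if sm else None, "key": key,
            "license_type": lm.group(1) if lm else None,
            "features": feats, "findings": findings}

# Constructed sample: a 6.3 unit whose strong-crypto feature is not licensed.
SAMPLE_63 = """\
Firewall# show version
Cisco PIX Firewall Version 6.3(4)
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Interfaces:          12

This PIX has an Unrestricted (UR) license.
Serial Number: 431030631 (0x19b10167)
Running Activation Key: 0xb0751733 0xd6201f9f 0x135e15a6 0xef5e1f26
Firewall#
"""

# Constructed sample: 7.0 'show version' followed by 'show activation-key'
# on a unit whose key was changed since its last reload.
SAMPLE_70 = """\
Firewall# show version
Cisco PIX Security Appliance Software Version 7.0(1)
License Features for this Platform:
Maximum Physical Interfaces : 10
Failover                    : Active/Active
VPN-3DES-AES                : Enabled

This machine has an Unrestricted (UR) license.
Serial Number: 431030631
Running Activation Key: 0xcc05f766 0xd4c47768 0x98500748 0x8a8c7890 0x4b337295
Firewall# show activation-key
Serial Number: 431030631
Running Activation Key: 0xcc05f766 0xd4c47768 0x98500748 0x8a8c7890 0x4b337295
The flash activation key is DIFFERENT from the running key.
Firewall#
"""

if __name__ == "__main__":
    for sample in (SAMPLE_63, SAMPLE_70):
        print(audit(sample)["serial"], audit(sample)["findings"])
```

The feature parser is line-oriented, so feed it output that still has its original line breaks; the serial number is what ties a key to one unit, so the script keeps it alongside the findings for the ticket you will raise with Cisco.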

Cisco ASA and PIX Firewall Handbook
ISBN: 1587051583
Authors: David Hucaby