WHICH PIX LICENSE IS RIGHT FOR YOU: (Written by net_architects)
The current mid-range and enterprise PIX firewalls are sold with either an Unrestricted, Restricted or Failover software license. The PIX 520 was primarily sold on a connection-based license (either 128, 1024 or 65,536 concurrent users). If you are trying to choose a PIX firewall license that best meets your needs, here are some bullet points to help you decide:
Unrestricted PIX 515/515E/525/535 configuration:
The unrestricted (UR) license is the high-end PIX software configuration and the most expensive.
An unrestricted PIX allows you to cluster two PIX firewalls in a redundant failover configuration. With a properly deployed failover configuration, your network stays up if your primary firewall dies for any reason. Feel free to send us e-mail for details about how failover works (there are 4 different ways to configure failover on a PIX firewall and various other network requirements).
An unrestricted PIX allows you to deploy up to 6 Fast Ethernet ports on a PIX 515, 515E and 520. This is useful if you have different sets of machines that need to be grouped into different security levels or if you have multiple untrusted or semi-trusted connections. Feel free to send us e-mail to discuss a proper network design for your environment. Many customers underestimate the number of Fast Ethernet ports they really need to properly lay out their network.
An unrestricted PIX typically supports more concurrent connections through the firewall.
An unrestricted PIX typically comes configured with more RAM.
Restricted PIX 515/515E/525/535 configuration:
A restricted (R) license is the basic PIX software configuration and more affordable. It is probably adequate if you do not have extreme network requirements.
A restricted PIX does not support failover.
A restricted PIX 515/515E is limited to just 3 Fast Ethernet ports. This is enough to support an outside (untrusted) network, a DMZ (semi-trusted) network, and an inside (trusted) network.
Although a restricted PIX typically supports fewer concurrent connections through the firewall, it is not a problem for most customers because even the lower-end restricted PIX 515 will support 50,000 concurrent users.
A restricted PIX typically comes with about half of the RAM of an unrestricted PIX. This is not a problem for our PIX firewalls because we always increase the RAM in our restricted PIX firewalls.
Our deployment experience tells us you really do need the extra RAM.
Failover PIX 515/515E/525/535 configuration:
A PIX with a failover (FO) license is pretty much identical to a PIX with an unrestricted license.
The one difference between a failover PIX and an unrestricted PIX is that the failover PIX will not run unless it is matched with an unrestricted PIX firewall.
Warning: in many cases, the "show version" output of a failover PIX firewall looks perfectly identical to the "show version" output of an unrestricted PIX firewall.