FirePOWER Services Module on CISCO ASA 5585X Family

Today we are going to install and upgrade the Cisco FirePOWER (SFR) module on a Cisco ASA 5585-X. Before installation, let's briefly review the prerequisites:
We must have an ASA that supports the SFR module. Currently these are the 5506-X, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X. For software modules, an SSD drive must be installed in the ASA; either buy the ASA with the disk or purchase it separately. The 5506-X comes with the SSD drive installed.
The ASA needs to run a minimum version of code: for the 5506-X this is at least 9.3(2), and for all other ASA family members at least 9.2(2.4).
Alongside the minimum ASA code version, we must have the matching version of FirePOWER software: 5.4.1 for the 5506-X, and 5.3.1 for all other members.
For all ASA models except the 5506-X, we must have a FireSIGHT or Defense Center that will manage the SFR module. This can be a hardware appliance or a VMware virtual appliance, and it must run the same or a higher version of code than the module itself. So for SFR code 5.3.1, the Defense Center must run at least version 5.3.1. The 5506-X does not require a Defense Center and can be managed through ASDM.
A TFTP server on your workstation, reachable from the management interface of the FirePOWER module.
FireSIGHT Management Center version 5.3.1 or greater.

Download the Cisco FirePOWER boot image asasfr-boot-6.2.0-2.img (expand 6.2 and click the 6.2.0 release; on the right side click the download button for the .img file, approx. 39 MB) and the system package asasfr-sys-6.2.0-362.pkg (same release page; click the download button for the .pkg file, approx. 1.2 GB).
While logged into the ASA, you can see the FirePOWER module with the show module command.

1] Restart the module from the ASA CLI:
ciscoasa# hw-module module 1 reload

If you have the password to the SFR module, you can reboot the sensor directly from its console.
Default credentials:
Username: admin
Password: Sourcefire

While the module is rebooting, interrupt the boot with CTRL+ALT+BREAK or ESCAPE (depending on your terminal software) to place the module into ROMMON.

Configure the SFR module management interface with an IP address and specify the TFTP server and the path to the bootstrap image on it. Enter the following commands to set the address on the interface and retrieve the image over TFTP (set shows the current values, sync saves them, and tftp starts the download):
Below is an example:
set
ADDRESS=Your_IP_Address
GATEWAY=Your_Gateway
SERVER=Your_TFTP_Server
IMAGE=Your_TFTP_Filepath
sync
tftp

Now log in to the boot image with the default username and password:
Default credentials:
Username: admin
Password: Admin123

Update these settings for your environment.

Configure the boot image to pull and install the system software image with the system install command. Include the noconfirm option if you do not want to respond to confirmation messages.
Replace the url keyword with the location of the .pkg file. Here I used FTP to upload the image to the SFR.

Important note:
The installation process takes 20 to 30 minutes, after which you will be prompted on the terminal to press Enter to reboot. Allow 10 or more minutes for the application components to install and for the ASA FirePOWER services to start.
After successful installation:

Configure the ASA SFR module with a management IP address and mask suitable for your network:
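The whole installation sequence above as one continuous console session, added here as an example; it is not part of the original post. All addresses (192.0.2.x), the FTP credentials and the hostname are constructed placeholders. The ROMMON variable names, the system install syntax and the configure network commands are the standard Firepower ones; session 1 is the ASA 5585-X form of opening a console to the hardware module (assumed, since the post only shows the hw-module form). Lines starting with ! are annotations, not commands to type.

```cisco
! --- On the ASA: reload the hardware module in slot 1 and open its console ---
ciscoasa# hw-module module 1 reload
ciscoasa# session 1
! Press ESC (or CTRL+ALT+BREAK) while the module boots to land in ROMMON.

! --- In ROMMON: address the management interface and fetch the boot image over TFTP ---
rommon #0> set
rommon #1> ADDRESS=192.0.2.20
rommon #2> GATEWAY=192.0.2.1
rommon #3> SERVER=192.0.2.10
rommon #4> IMAGE=asasfr-boot-6.2.0-2.img
rommon #5> sync
rommon #6> tftp

! --- In the boot image (login admin / Admin123): set its network, then pull the system package ---
asasfr-boot> setup
! (answer the prompts: hostname, management IP 192.0.2.20/24, gateway 192.0.2.1, DNS)
asasfr-boot> system install noconfirm ftp://ftpuser:ftppass@192.0.2.10/asasfr-sys-6.2.0-362.pkg
! Takes 20-30 minutes; press Enter when prompted to reboot, then allow ~10 minutes more.

! --- In the installed system (login admin / Admin123): set the permanent management address ---
> configure network ipv4 manual 192.0.2.20 255.255.255.0 192.0.2.1
> configure network dns servers 192.0.2.53
> configure network hostname sfr-5585
> show network
> show version
```

The FTP URL carries the credentials in clear text and the transfer itself is unencrypted, so use a throwaway account on a server reachable only from the management network, and prefer an isolated management segment for the TFTP step as well, since ROMMON performs no integrity check on the image it downloads.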
Now we will move on to configuring the FireSIGHT Management Center:
In order to manage an ASA FirePOWER module and its security policy, you must register it with a FireSIGHT Management Center. Note that you cannot do the following from a FireSIGHT Management Center:
1] Configure ASA FirePOWER interfaces.
2] Shut down, restart, or otherwise manage ASA FirePOWER processes.
3] Create backups from or restore backups to ASA FirePOWER devices.
4] Write access control rules that match traffic using VLAN tag conditions.
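The registration step described above, added here as an example that is not part of the original post. The FMC address 192.0.2.50 and the registration key are constructed placeholders; configure manager add and show managers are the standard Firepower CLI commands, and show module 1 details is the ASA-side check for a hardware module in slot 1. Lines starting with ! are annotations.

```cisco
! --- On the SFR module CLI: point the module at the FMC that will manage it ---
! The key is a one-time shared secret; use the same string when adding the device on the FMC.
> configure manager add 192.0.2.50 MyRegKey123
> show managers
! The FMC shows as pending until the device is added on the FMC side.

! --- On the FMC (web UI): Devices > Device Management > Add > Device.
! Enter the module's management IP (192.0.2.20), the same registration key,
! and assign an access control policy.

! --- Back on the SFR module: confirm the registration completed ---
> show managers

! --- On the ASA: confirm the module is up and reports its software version ---
ciscoasa# show module 1 details
```

If NAT sits between the module and the FMC, configure manager add takes an optional NAT ID as a third argument that must match on both sides; without NAT it can be omitted.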
Redirect Traffic to SFR Module
You redirect traffic to the ASA FirePOWER module by creating a service policy that identifies specific traffic. In order to redirect traffic to a FirePOWER module, follow the steps below:

We will match this traffic with an access-list:

There are two deployment modes: passive ("monitor-only") or inline. You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA; only one type of security policy is allowed.
Inline mode:
In an inline deployment, after dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission.

Passive mode:
A copy of each packet is sent to the module but is not returned to the ASA. Passive mode lets you see what the module would have done to the traffic and evaluate its content without impacting the network.
If you want to configure the FirePOWER module in passive mode, add the monitor-only keyword as shown below. If you do not include the keyword, traffic is sent in inline mode.

The policy map global_policy is the default policy. If you use this policy and later want to remove it from your device for troubleshooting, make sure you understand the implications. The last step is to apply the policy. You can apply a policy globally or on an interface; applying a service policy to an interface overrides the global policy on that interface.
The global keyword applies the policy map to all interfaces, and interface applies it to one interface. Only one global policy is allowed.
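The complete redirect configuration described in this section, added here as an example that is not part of the original post. The access-list and class-map names are constructed; the sfr fail-open / fail-close and monitor-only keywords and the service-policy syntax are the standard ASA ones. Lines starting with ! are ASA configuration comments.

```cisco
! --- Select the traffic to hand to the module (here: all IP traffic) ---
access-list sfr_redirect extended permit ip any any

class-map sfr_class
 match access-list sfr_redirect

! --- Inline deployment: matched traffic goes to the module and returns to the ASA ---
! fail-open keeps forwarding uninspected if the module is down or not yet registered;
! fail-close drops that traffic instead (safer, but an outage if the module fails).
policy-map global_policy
 class sfr_class
  sfr fail-open

! --- Passive (monitor-only) alternative: the module sees a copy, the ASA forwards regardless ---
! The two forms cannot coexist on one ASA; to go passive, replace the sfr line above with:
!  sfr fail-open monitor-only

! --- Apply once, globally. A service-policy on an interface would override this there.
service-policy global_policy global

! --- Verify that packets are actually being redirected ---
show service-policy sfr
show run policy-map global_policy
```

global_policy already exists on a factory ASA and is already applied globally, so the commands above add a class to it rather than creating a second policy. The fail-open / fail-close choice is the security decision here: fail-open means a module reboot, upgrade or crash silently turns off inspection for the matched traffic, so if you choose it, alert on the module state (show module 1 details) rather than assume inspection is always on.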
