Cisco ASA FirePOWER (SFR) Quick Start Guide

The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).

The ASA FirePOWER module runs a separate application from the ASA. The module can be a hardware module (on the ASA 5585-X only) or a software module (all other models).

The snapshot below shows the packet flow for the software module:

Cisco ASA FirePOWER packet Flow

The module has a basic command line interface (CLI) for initial configuration and troubleshooting only. You configure and manage the security policy on the ASA FirePOWER module using one of the following methods:

Firepower Management Center—Can be hosted on a separate Firepower Management Center appliance or as a virtual appliance.

Adaptive Security Device Manager—(check for compatibility with your model version)—You can manage both the ASA and the module using the on-box ASDM.

The steps below configure the FirePOWER software module. Refer to the following design to understand the topology.

Network Design

1 – First verify the version of the FirePOWER module. If it is running an old version, upgrade it to a newer version. In our case it is running an older version.

2. Cisco ASA SFR image Verification

2 – Check the Cisco download page for the latest version of the boot image (login required).

3. Download SFR Services Boot Image

3 – Download the newer version (asasfr-5500x-boot-6.0.0-1005.img) and copy it to disk0:/ on the ASA from a TFTP, HTTP, HTTPS or FTP server.

4. Copy SFR boot image to disk0

4 – Verify that the SFR boot image is in disk0:/

5. Verify SFR boot image

5 – Remove the older image from disk0:/, or re-image the SFR module.

asa#sw-module module sfr uninstall

asa#sw-module module sfr recover boot

6. Uninstall Previous SFR or older software

6 – After re-imaging, check the module status using the show module sfr details command.

7. SFR module details

7 – Enter the command below to configure the location of the boot image on the Cisco ASA disk0:/ or flash drive.

ciscoasa#sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.0.0-1005.img

8. Cisco SFR Boot image location

8 – Enter the command below to load the ASA SFR boot image, and use debug module-boot to watch module events. Wait 5-15 minutes for the recovery to complete.

ciscoasa#sw-module module sfr recover boot

9. Load boot image

10. Cisco SFR module events

9 – Set up the basic configuration of the FirePOWER module via the console (admin/Admin123).

asa#session sfr console

11. Basic Configuration - SFR

12. Verify basic Configuration - SFR

After this setup the module should be reachable. You must use the MANAGEMENT interface of the ASA to reach the SFR module. No specific configuration is needed on the MGMT interface; just connect a cable between the MGMT interface and the switch/core switch.

10 – Now download the SFR install package for the same version as the boot image (login required).

13. Download FP Services Install Package

11 – Install this package on the ASA SFR module over HTTP or FTP using the system install command.

asasfr-boot>system install ftp://172.X.X.X/asasfr-sys-6.0.0-1005.pkg

14. Installing Package on SFR

It will now take 10-20 minutes to get the console back.

12 – Verify the module status using the show module sfr details command on the ASA.

15. show module SFR details

Check the card type, software version, App. name, App. version, etc. in the show output. You have to configure the network settings again, as they are now back in their default state.

16. SFR basic Setup

13 – Configure FireSIGHT Manager to manage the FirePOWER module. Download the software below for FireSIGHT Manager, which will be installed and configured on an ESXi server.

17. Firepower Management Center Virtual64 VMWare

14 – After installing FireSIGHT Manager on ESXi, you have to register the FirePOWER module with FireSIGHT Manager.

asa#session sfr console

>configure manager add 172.X.X.X 123456789

18. Register FirePOWER module to FireSIGHT Manager

15 – To add the FirePOWER module as a device in FireSIGHT Manager, follow the link below.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html#anc5
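The version and status checks from steps 1, 12 and 14 can be run against saved show module sfr details output. The Python sketch below is an added example, not part of the original guide or of any Cisco tooling; the sample output is constructed, and its field layout and the "No DC Configured" value are assumptions about what the ASA prints.

```python
import re

# Constructed sample of `show module sfr details` output. The field layout is
# an assumption about what the ASA prints; the values are made up.
SAMPLE = """\
Card Type:          FirePOWER Services Software Module
Software version:   6.0.0-1005
App. name:          ASA FirePOWER
App. Status:        Up
App. version:       6.0.0-1005
Data Plane Status:  Up
Status:             Up
DC addr:            No DC Configured
Mgmt IP addr:       192.168.45.45
"""

def parse_details(text):
    """Turn 'Key:   value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def version_from_image(name):
    """Extract '6.0.0-1005' from 'asasfr-sys-6.0.0-1005.pkg' or the boot .img."""
    m = re.search(r"-(\d+(?:\.\d+)+-\d+)\.(?:pkg|img)$", name)
    return m.group(1) if m else None

def check_module(text, package):
    """Return a list of problems; an empty list means the module looks ready."""
    f = parse_details(text)
    want = version_from_image(package)
    problems = []
    if want is None:
        problems.append(f"cannot read a version from {package!r}")
    for key in ("Status", "App. Status", "Data Plane Status"):
        if f.get(key) != "Up":
            problems.append(f"{key} is {f.get(key, 'missing')!r}, expected 'Up'")
    for key in ("Software version", "App. version"):
        if want and f.get(key) != want:
            problems.append(f"{key} is {f.get(key, 'missing')!r}, expected {want!r}")
    if f.get("DC addr", "No DC Configured") == "No DC Configured":
        problems.append("no manager registered (step 14 not done yet)")
    return problems

if __name__ == "__main__":
    for p in check_module(SAMPLE, "asasfr-sys-6.0.0-1005.pkg"):
        print("WARN:", p)
```

Run against the constructed sample, it reports only the missing manager registration, which is the expected state between steps 12 and 14.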

HTH!

#DV
