Install a SFR Module on an ASA 5585-X Hardware Module

Introduction

The ASA FirePOWER module, also known as ASA SFR, supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advance Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode. This document describes the prerequisites and installation processes of a FirePOWER (SFR) module on ASA 5585-X hardware module. It also provides the steps to register an SFR module with FireSIGHT Management Center.

Note: The FirePOWER (SFR) Services reside on a hardware module in the ASA 5585-X, whereas, the FirePOWER services on the ASA 5512-X through 5555-X Series appliances are installed on a software module, resulting differences in installation processes.

Prerequisites

Requirements

The instructions on this document require access to the privileged EXEC mode. In order to access the privileged EXEC mode, enter the enable command. If a password was not set, just hit Enter.

ciscoasa> enable
Password:
ciscoasa#

In order to install FirePOWER Services on an ASA, the following components are necessary:

• ASA software Version 9.2.2 or greater
• ASA 5585-X platform
• A TFTP server reachable by the management interface of FirePOWER module
• FireSIGHT Management Center with Version 5.3.1 or greater

Note: The information in this document is created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configuration

Before You Begin

Given an ASA SSM always occupies one of the two slots in the ASA 5585-X chassis, if you have a hardware module other than the FirePOWER (SFR) Services SSP such as the SSP-CX (Context Aware) or AIP-SSM (Advanced Inspection and Prevention Security), the other module must be uninstalled to make space for the SSP-SFR. Before you remove a hardware module, run the following command to shutdown a module:

ciscoasa# hw-module module 1 shutdown

Cabling and Management

• You cannot access the SFR module's serial port via the ASA's console on the ASA 5585-X.
• Once the SFR module is provisioned, you can session into the blade using the "session 1" command.
• In order to completely reimage the SFR module on an ASA 5585-X, you must use the management Ethernet interface and a console session on the serial management port, which are on the SFR module and separate from the ASA's management interface and console.

Tip: In order to find the status of a module on the ASA, run the "show module 1 details" command which retrieves the SFR module's management IP and associated Defense Center.

Install FirePOWER (SFR) Module on ASA

1. Download the ASA FirePOWER SFR module initial bootstrap image from Cisco.com to a TFTP server accessible from ASA FirePOWER management interface. The image name looks like "asasfr-boot-5.3.1-152.img"

2. Download the ASA FirePOWER system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA FirePOWER management interface.

3. Restart the SFR Module

Option 1: If you do not have the password to the SFR Module, you can issue the following command from the ASA to restart the module.

ciscoasa# hw-module module 1 reload 
Reload module 1? [confirm]
Reload issued for module 1

Option 2: If you have the password to the SFR module, you can reboot the sensor directly from its command line.

Sourcefire3D login: admin
Password:

Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5585-SSP-10 v5.3.1 (build 152)

> system reboot

4. Interrupt the boot process of the SFR module using ESCAPE or the break sequence of your terminal session software to place the module into ROMMON.

The system is restarting...
CISCO SYSTEMS
Embedded BIOS Version 2.0(14)1 15:16:31 01/25/14

<truncated output>

Cisco Systems ROMMON Version (2.0(14)1) #0: Sat Jan 25 16:44:38 CST 2014

Platform ASA 5585-X FirePOWER SSP-10, 8GE

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 8 seconds.

Boot interrupted.

Management0/0
Link is UP
MAC Address: xxxx.xxxx.xxxx

Use ? for help.

rommon #0>

5. Configure the SFR module management interface with an IP Address and indicate the location of the TFTP Server and TFTP path to the bootstrap image. Enter the following commands to set an IP Address on the interface and retrieve the TFTP image:

• set
• ADDRESS = Your_IP_Address
• GATEWAY = Your_Gateway
• SERVER = Your_TFTP_Server
• IMAGE = Your_TFTP_Filepath
• sync
• tftp

! Example IP address information used. Update for your environment.

rommon #1> ADDRESS=198.51.100.3
rommon #2> GATEWAY=198.51.100.1
rommon #3> SERVER=198.51.100.100
rommon #4> IMAGE=/tftpboot/asasfr-boot-5.3.1-152.img
rommon #5> sync

Updating NVRAM Parameters...

rommon #6> tftp
ROMMON Variable Settings:
  ADDRESS=198.51.100.3
  SERVER=198.51.100.100
  GATEWAY=198.51.100.1
  PORT=Management0/0
  VLAN=untagged
  IMAGE=/tftpboot/asasfr-boot-5.3.1-152.img
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

tftp /tftpboot/asasfr-boot-5.3.1-152.img@198.51.100.100 via 198.51.100.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<truncated output>

Received 41235627 bytes

Launching TFTP Image...

Execute image at 0x14000

6. Login to the initial boot image. Login as admin and with the password Admin123

Cisco ASA SFR Boot Image 5.3.1

asasfr login: admin
Password:

            Cisco ASA SFR Boot 5.3.1 (152)
                  Type ? for list of commands

 
7. Use the initial boot image to configure an IP Address on the management interface of the module. Enter the setup command to enter the wizard. You are prompted for the following information:

• Hostname: Up to 65 alphanumeric characters, no spaces. Hyphens are allowed.
• Network address: You can set static IPv4 or IPv6 addresses, or use DHCP (for IPv4) or IPv6 stateless autoconfiguration.
• DNS information: You must identify at least one DNS server, and you can also set the domain name and search domain.
• NTP information: You can enable NTP and configure the NTP servers, for setting system time.

! Example information used. Update for your environment.

asasfr-boot>setup

                         Welcome to SFR Setup
                          [hit Ctrl-C to abort]
                        Default values are inside []

Enter a hostname [asasfr]: sfr-module-5585
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 198.51.100.3
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 198.51.100.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 198.51.100.15
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: N
Do you want to configure Search domains? (y/n) [n]: N
Do you want to enable the NTP service? [Y]: N

Please review the final configuration:
Hostname:               sfr-module-5585
Management Interface Configuration

IPv4 Configuration:     static
        IP Address:     198.51.100.3
        Netmask:        255.255.255.0
        Gateway:        198.51.100.1

IPv6 Configuration:     Stateless autoconfiguration

DNS Configuration:
        DNS Server:     198.51.100.15

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.

 
8. Use the boot image to pull and install the System Software image using the system install command. Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of .pkg file.

asasfr-boot> system install [noconfirm] url

For example,

> system install http://Server_IP_Address/asasfr-sys-5.3.1-152.pkg

Verifying     
Downloading     
Extracting     

Package Detail
Description:                    Cisco ASA-SFR 5.3.1-152 System Install
Requires reboot:                Yes

Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Upgrading     
Starting upgrade process ...
Populating new system image ...

Note: When installation is complete in 20 to 30 minutes, you will be prompted to hit Enter key to reboot. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start. The show module 1 details output should show all processes as Up.

Module status during install

ciscoasa# show module 1 details

Getting details from the Service Module, please wait...
Unable to read details from module 1

Card Type:          ASA 5585-X FirePOWER SSP-10, 8GE
Model:              ASA5585-SSP-SFR10
Hardware version:   1.0
Serial Number:      JAD18400028
Firmware version:   2.0(14)1
Software version:   5.3.1-152
MAC Address Range:  58f3.9ca0.1190 to 58f3.9ca0.119b
App. name:          ASA FirePOWER
App. Status:        Not Applicable
App. Status Desc:   Not Applicable
App. version:       5.3.1-152
Data Plane Status:  Not Applicable
Console session:    Not ready
Status:             Unresponsive

Module status after successful install

ciscoasa# show module 1 details
 
Getting details from the Service Module, please wait...

Card Type:          ASA 5585-X FirePOWER SSP-10, 8GE
Model:              ASA5585-SSP-SFR10
Hardware version:   1.0
Serial Number:      JAD18400028
Firmware version:   2.0(14)1
Software version:   5.3.1-152
MAC Address Range:  58f3.9ca0.1190 to 58f3.9ca0.119b
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       5.3.1-152
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            No DC Configured                                            
Mgmt IP addr:       192.168.45.45                                               
Mgmt Network mask:  255.255.255.0                                               
Mgmt Gateway:       0.0.0.0                                                     
Mgmt web ports:     443                                                         
Mgmt TLS enabled:   true

Configuration

Configure FirePOWER Software

1.You can connect to the ASA 5585-X FirePOWER module via one of the following external ports:

• ASA FirePOWER console port
• ASA FirePOWER Management 1/0 interface using SSH

Note: You cannot access the ASA FirePOWER hardware module CLI over the ASA backplane using the session sfr command.

2. After you access the FirePOWER module via console, log in with the username admin and the password Sourcefire.

Sourcefire3D login: admin
Password: 

Last login: Fri Jan 30 14:00:51 UTC 2015 on ttyS0

Copyright 2001-2013, Sourcefire, Inc. All rights reserved. Sourcefire is a registered
 trademark of Sourcefire, Inc. All other trademarks are property of their respective
 owners.

Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5585-SSP-10 v5.3.1 (build 152)

Last login: Wed Feb 18 14:22:19 on ttyS0

System initialization in progress.  Please stand by.  
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: dhcp
If your networking information has changed, you will need to reconnect.
[1640209.830367] ADDRCONF(NETDEV_UP): eth0: link is not ready
[1640212.873978] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[1640212.966250] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
For HTTP Proxy configuration, run 'configure network http-proxy'

This sensor must be managed by a Defense Center.  A unique alphanumeric registration
 key is always required.  In most cases, to register a sensor to a Defense Center,
 you must provide the hostname or the IP address along with the registration key.
 'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Defense Center are separated by a NAT device, you
 must enter a unique NAT ID, along with the unique registration key. 'configure
 manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Defense Center, you must use the same
 registration key and, if necessary, the same NAT ID when you add this
 sensor to the Defense Center.

> 

Configure FireSIGHT Management Center

In order to manage an ASA FirePOWER module and security policy, you must register it with a FireSIGHT Management Center. You cannot do the following with a FireSIGHT Management Center:

• Cannot configure ASA FirePOWER interfaces.
• Cannot shut down, restart, or otherwise manage ASA FirePOWER processes.
• Cannot create backups from or restore backups to ASA FirePOWER devices.
• Cannot write access control rules to match traffic using VLAN tag conditions.

Redirect Traffic to SFR Module

You redirect traffic to the ASA FirePOWER module by creating a service policy that identifies specific traffic. In order to redirect traffic to a FirePOWER module, follow the steps below:

Step 1: Select Traffic

First, select traffic using access-list command. In the following example, we are redirecting all traffic from all of the interfaces. You could do it for specific traffic as well.

ciscoasa(config)# access-list sfr_redirect extended permit ip any any

Step 2: Match Traffic

The following example shows how to create a class-map and match the traffic on an access list:

ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect

Step 3: Specify Action

You can configure your device in either a passive ("monitor-only") or inline deployment. You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed.

Inline Mode

In an inline deployment, after dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission. The following example shows how to create a policy-map and configure the FirePOWER module in inline mode:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open

Passive Mode

In a passive deployment,

• A copy of the traffic is sent to the device, but it is not returned to the ASA.
• Passive mode lets you see what the device would have done to traffic, and lets you evaluate the content of the traffic, without impacting the network.

If you want to configure the FirePOWER module in passive mode, use the monitor-only keyword as below. If you do not include the keyword, the traffic is sent in inline mode.

ciscoasa(config-pmap-c)# sfr fail-open monitor-only

Step 4: Specify Location

The last step is to apply the policy. You can apply a policy globally or on an interface. You can override the global policy on an interface by applying a service policy to that interface. 

The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. In the following example, the policy is applied globally:

ciscoasa(config)# service-policy global_policy global

Caution: The policy map global_policy is a default policy. If you use this policy and want to remove this policy on your device for troubleshooting purpose, make sure you understand its implication.

Related Document

• Register a Device with a FireSIGHT Management Center
• Deployment of FireSIGHT Management Center on VMware ESXi
• IPS Management Configuration Scenarios on a 5500-X IPS Module