The ASA FirePOWER module, also known as ASA SFR, supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advance Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode. This document describes the prerequisites and installation processes of a FirePOWER (SFR) module on ASA 5585-X hardware module. It also provides the steps to register an SFR module with FireSIGHT Management Center.
The instructions on this document require access to the privileged EXEC mode. In order to access the privileged EXEC mode, enter the enable command. If a password was not set, just hit Enter.
ciscoasa> enable
Password:
ciscoasa#
In order to install FirePOWER Services on an ASA, the following components are necessary:
Given an ASA SSM always occupies one of the two slots in the ASA 5585-X chassis, if you have a hardware module other than the FirePOWER (SFR) Services SSP such as the SSP-CX (Context Aware) or AIP-SSM (Advanced Inspection and Prevention Security), the other module must be uninstalled to make space for the SSP-SFR. Before you remove a hardware module, run the following command to shutdown a module:
ciscoasa# hw-module module 1 shutdown
1. Download the ASA FirePOWER SFR module initial bootstrap image from Cisco.com to a TFTP server accessible from ASA FirePOWER management interface. The image name looks like "asasfr-boot-5.3.1-152.img"
2. Download the ASA FirePOWER system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA FirePOWER management interface.
3. Restart the SFR Module
Option 1: If you do not have the password to the SFR Module, you can issue the following command from the ASA to restart the module.
ciscoasa# hw-module module 1 reload
Reload module 1? [confirm]
Reload issued for module 1
Option 2: If you have the password to the SFR module, you can reboot the sensor directly from its command line.
Sourcefire3D login: admin
Password:
Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5585-SSP-10 v5.3.1 (build 152)
> system reboot
4. Interrupt the boot process of the SFR module using ESCAPE or the break sequence of your terminal session software to place the module into ROMMON.
The system is restarting...
CISCO SYSTEMS
Embedded BIOS Version 2.0(14)1 15:16:31 01/25/14
<truncated output>
Cisco Systems ROMMON Version (2.0(14)1) #0: Sat Jan 25 16:44:38 CST 2014
Platform ASA 5585-X FirePOWER SSP-10, 8GE
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 8 seconds.
Boot interrupted.
Management0/0
Link is UP
MAC Address: xxxx.xxxx.xxxx
Use ? for help.
rommon #0>
5. Configure the SFR module management interface with an IP Address and indicate the location of the TFTP Server and TFTP path to the bootstrap image. Enter the following commands to set an IP Address on the interface and retrieve the TFTP image:
! Example IP address information used. Update for your environment.
rommon #1> ADDRESS=198.51.100.3
rommon #2> GATEWAY=198.51.100.1
rommon #3> SERVER=198.51.100.100
rommon #4> IMAGE=/tftpboot/asasfr-boot-5.3.1-152.img
rommon #5> sync
Updating NVRAM Parameters...
rommon #6> tftp
ROMMON Variable Settings:
ADDRESS=198.51.100.3
SERVER=198.51.100.100
GATEWAY=198.51.100.1
PORT=Management0/0
VLAN=untagged
IMAGE=/tftpboot/asasfr-boot-5.3.1-152.img
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
tftp /tftpboot/asasfr-boot-5.3.1-152.img@198.51.100.100 via 198.51.100.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<truncated output>
Received 41235627 bytes
Launching TFTP Image...
Execute image at 0x14000
6. Login to the initial boot image. Login as admin and with the password Admin123
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password:
Cisco ASA SFR Boot 5.3.1 (152)
Type ? for list of commands
7. Use the initial boot image to configure an IP Address on the management interface of the module. Enter the setup command to enter the wizard. You are prompted for the following information:
! Example information used. Update for your environment.
asasfr-boot>setup
Welcome to SFR Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asasfr]: sfr-module-5585
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 198.51.100.3
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 198.51.100.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 198.51.100.15
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: N
Do you want to configure Search domains? (y/n) [n]: N
Do you want to enable the NTP service? [Y]: N
Please review the final configuration:
Hostname: sfr-module-5585
Management Interface Configuration
IPv4 Configuration: static
IP Address: 198.51.100.3
Netmask: 255.255.255.0
Gateway: 198.51.100.1
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server: 198.51.100.15
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
8. Use the boot image to pull and install the System Software image using the system install command. Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of .pkg file.
asasfr-boot> system install [noconfirm] url
For example,
> system install http://Server_IP_Address/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 5.3.1-152 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process ...
Populating new system image ...
Module status during install
ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from module 1
Card Type: ASA 5585-X FirePOWER SSP-10, 8GE
Model: ASA5585-SSP-SFR10
Hardware version: 1.0
Serial Number: JAD18400028
Firmware version: 2.0(14)1
Software version: 5.3.1-152
MAC Address Range: 58f3.9ca0.1190 to 58f3.9ca0.119b
App. name: ASA FirePOWER
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 5.3.1-152
Data Plane Status: Not Applicable
Console session: Not ready
Status: Unresponsive
Module status after successful install
ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
Card Type: ASA 5585-X FirePOWER SSP-10, 8GE
Model: ASA5585-SSP-SFR10
Hardware version: 1.0
Serial Number: JAD18400028
Firmware version: 2.0(14)1
Software version: 5.3.1-152
MAC Address Range: 58f3.9ca0.1190 to 58f3.9ca0.119b
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.3.1-152
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 192.168.45.45
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 0.0.0.0
Mgmt web ports: 443
Mgmt TLS enabled: true
1.You can connect to the ASA 5585-X FirePOWER module via one of the following external ports:
2. After you access the FirePOWER module via console, log in with the username admin and the password Sourcefire.
Sourcefire3D login: admin
Password:
Last login: Fri Jan 30 14:00:51 UTC 2015 on ttyS0
Copyright 2001-2013, Sourcefire, Inc. All rights reserved. Sourcefire is a registered
trademark of Sourcefire, Inc. All other trademarks are property of their respective
owners.
Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5585-SSP-10 v5.3.1 (build 152)
Last login: Wed Feb 18 14:22:19 on ttyS0
System initialization in progress. Please stand by.
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: dhcp
If your networking information has changed, you will need to reconnect.
[1640209.830367] ADDRCONF(NETDEV_UP): eth0: link is not ready
[1640212.873978] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[1640212.966250] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
For HTTP Proxy configuration, run 'configure network http-proxy'
This sensor must be managed by a Defense Center. A unique alphanumeric registration
key is always required. In most cases, to register a sensor to a Defense Center,
you must provide the hostname or the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'
However, if the sensor and the Defense Center are separated by a NAT device, you
must enter a unique NAT ID, along with the unique registration key. 'configure
manager add DONTRESOLVE [registration key ] [ NAT ID ]'
Later, using the web interface on the Defense Center, you must use the same
registration key and, if necessary, the same NAT ID when you add this
sensor to the Defense Center.
>
In order to manage an ASA FirePOWER module and security policy, you must register it with a FireSIGHT Management Center. You cannot do the following with a FireSIGHT Management Center:
You redirect traffic to the ASA FirePOWER module by creating a service policy that identifies specific traffic. In order to redirect traffic to a FirePOWER module, follow the steps below:
First, select traffic using access-list command. In the following example, we are redirecting all traffic from all of the interfaces. You could do it for specific traffic as well.
ciscoasa(config)# access-list sfr_redirect extended permit ip any any
The following example shows how to create a class-map and match the traffic on an access list:
ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
You can configure your device in either a passive ("monitor-only") or inline deployment. You cannot configure both monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed.
In an inline deployment, after dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission. The following example shows how to create a policy-map and configure the FirePOWER module in inline mode:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open
In a passive deployment,
If you want to configure the FirePOWER module in passive mode, use the monitor-only keyword as below. If you do not include the keyword, the traffic is sent in inline mode.
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
The last step is to apply the policy. You can apply a policy globally or on an interface. You can override the global policy on an interface by applying a service policy to that interface.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. In the following example, the policy is applied globally:
ciscoasa(config)# service-policy global_policy global
Revision | Publish Date | Comments |
---|---|---|
1.0 |
18-Feb-2015 |
Initial Release |