Installing Cisco ASA FirePOWER software module

[Screenshot: sfrinstall4]

Now that we know something about the SFR module, it’s time to get it running. We will break the installation down into three steps: Prepare, Installation and Setup.

Prepare

As we saw in the previous post, there are some prerequisites that must be met before we can install the SFR module. Let’s briefly review them:

  • We must have an ASA that supports the SFR. Currently these are: 5506-X, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X or 5585-X. For the software module, an SSD drive must be installed in the ASA box; either we buy the ASA with the disk or we purchase it separately. The 5506-X comes with the SSD drive installed.
  • Our ASA needs to run a specific version of code: for the 5506-X this is at least 9.3(2), and for all other ASA family members it must be at least 9.2(2.4).
  • Along with the minimum required ASA code version, we must have the appropriate version of the FirePOWER software: 5.4.1 for the 5506-X and 5.3.1 for all other members.
  • For all ASA models except the 5506-X, we must have a FireSIGHT or Defense Center that will manage the SFR module. This can be a hardware appliance or a VMware virtual appliance and must run the same or a higher version of code than the module itself. So, for SFR code 5.3.1, the Defense Center must run at least version 5.3.1. The 5506-X does not require the Defense Center and can be managed through ASDM.
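As an added example (not code from the original post), here is a small Python pre-flight check that encodes the prerequisites above: the supported models, the minimum ASA and FirePOWER versions per platform, the one-software-module rule, and the requirement that the Defense Center runs the same or a newer version than the module. It assumes version strings in the Cisco forms quoted above, such as 9.2(2.4) and 5.3.1; the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# ASA platforms that accept the SFR module (from the prerequisites above).
SFR_CAPABLE = {"5506-X", "5512-X", "5515-X", "5525-X", "5545-X", "5555-X", "5585-X"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Cisco version string such as '9.2(2.4)' or '5.3.1' into a tuple
    of ints so that versions compare lexicographically: (9,3,2) > (9,2,2,4)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def minimums(model: str) -> Tuple[str, str, bool]:
    """Minimum ASA code, minimum FirePOWER code and whether a Defense Center
    is mandatory; the 5506-X can be managed from ASDM instead."""
    if model == "5506-X":
        return "9.3(2)", "5.4.1", False
    return "9.2(2.4)", "5.3.1", True


def preflight(model: str, asa_version: str, sfr_version: str, has_ssd: bool,
              dc_version: Optional[str] = None,
              installed_module: Optional[str] = None) -> List[str]:
    """Return the list of blocking problems; an empty list means we may go on
    to 'sw-module module sfr recover'."""
    problems: List[str] = []
    if model not in SFR_CAPABLE:
        return [f"ASA {model} does not support the SFR module"]
    if not has_ssd:
        problems.append("an SSD must be installed before the software module can be loaded")
    min_asa, min_sfr, needs_dc = minimums(model)
    if parse_version(asa_version) < parse_version(min_asa):
        problems.append(f"ASA code {asa_version} is older than the required {min_asa}")
    if parse_version(sfr_version) < parse_version(min_sfr):
        problems.append(f"FirePOWER {sfr_version} is older than the required {min_sfr}")
    # Only one software module may be present: an ips or cxsc module must go first.
    if installed_module in ("ips", "cxsc"):
        problems.append(f"remove the {installed_module} module first: sw-module module "
                        f"{installed_module} shutdown, then uninstall, then reload")
    if needs_dc:
        if dc_version is None:
            problems.append(f"{model} must be managed by a Defense Center; none given")
        elif parse_version(dc_version) < parse_version(sfr_version):
            problems.append(f"Defense Center {dc_version} is older than the module's {sfr_version}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 5525-X like the one in this post, with the old cxsc module still present.
    for p in preflight("5525-X", "9.2(2.4)", "5.3.1", True,
                       dc_version="5.3.1", installed_module="cxsc"):
        print("BLOCKER:", p)
```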

If we bought the ASA with the SSD drive, there could be an old version of the SFR code, or even a different software module, already installed. Currently only one type of software module can run at a time, so if we have the ips or cxsc software installed, we have to remove it before installing the new SFR code. Let’s check our module type and version:

[Screenshot: sfrinstall2]

So, we have the cxsc module installed and we have to remove it:

ciscoasa# sw-module module cxsc shutdown
ciscoasa# sw-module module cxsc uninstall
ciscoasa# reload

If we had the ips module, we would issue this set of commands:

ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload

Now we are ready to install the SFR module.


Installation

The installation consists of two steps. First, we need to upload the boot image to the ASA appliance and make it run. This image is a small Linux distribution (about 40 MB) that boots and lets us connect to the network in order to retrieve and start the software installation from the software package, called the system image, which is about 400 MB. So, let’s upload our boot image. We will use FTP in this example:

copy ftp://spop:spop123@10.10.10.10/asasfr-5500x-boot-5.3.1-152.img disk0:

Then we issue:

sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.
Recover module sfr? [confirm]
Recover issued for module sfr.

We can track the progress of loading the boot image with the debug module-boot command. This process can take some time, so let’s grab a cup of coffee… To connect to the module, we issue the session sfr console command.

The default credentials for the boot image are admin/Admin123. After we type them in, we get the SFR boot image prompt and begin the basic boot image setup. Here is the process:

ciscoasa#
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password:
Cisco ASA SFR Boot 5.3.1 (152)
Type ? for list of commands
asasfr-boot>
asasfr-boot>setup
Welcome to SFR Setup
                          [hit Ctrl-C to abort]
                        Default values are inside []
Enter a hostname [asasfr]: SFR
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 10.10.10.227
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 10.10.10.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.1
Do you want to configure Secondary DNS Server? (y/n) [n]: Y
Enter the secondary DNS server IP address: 192.168.1.2
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: popravak.local
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 192.168.200.1,192.168.200.2
Do you want to enable the NTP symmetric key authentication? [N]: N

Please review the final configuration:
Hostname:               SFR
Management Interface Configuration
IPv4 Configuration:     static
IP Address:     10.10.10.227
Netmask:        255.255.255.0
Gateway:        10.10.10.1
IPv6 Configuration:     Stateless autoconfiguration
DNS Configuration:
Domain:         popravak.local
DNS Server:
192.168.1.1
192.168.1.2
NTP configuration:
192.168.200.1     192.168.200.2
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying…
Restarting network services…
Restarting NTP service…
Done.
Press ENTER to continue…

We are now ready to fetch and install our system image from the network. This could take a while… Again, we can track the process in more detail with the debug module-boot command.

asasfr-boot> system install ftp://spop:spop123@10.10.10.10/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting
Package Detail
Description:                    Cisco ASA-SFR 5.3.1-152 System Install
Requires reboot:             Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process …
Populating new system image…
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.

This could also take some time… We can verify that the installation was successful with the show module sfr command:

[Screenshot: sfrinstall3]

Now we log in to the SFR module again with session sfr console:

ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Sourcefire ASA5525 v5.3.1 (build 152)
Sourcefire3D login:

The login credentials are now admin/Sourcefire. We need to accept the EULA and walk through the setup process:

ciscoasa#
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Sourcefire ASA5525 v5.3.1 (build 152)
Sourcefire3D login: admin
Password:
Copyright 2001-2013, Sourcefire, Inc. All rights reserved. Sourcefire is
a registered trademark of Sourcefire, Inc. All other trademarks are
property of their respective owners.
Sourcefire Linux OS v5.3.1 (build 43)
Sourcefire ASA5525 v5.3.1 (build 152)
Last login: Tue Mar 17 02:50:29 on ttyS1
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT
< Lines omitted. We can walk through the EULA by pressing ENTER or SPACE >
Please enter ‘YES’ or press <ENTER> to AGREE to the EULA: YES
System initialization in progress.  Please stand by.
You must change the password for ‘admin’ to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.228
Enter an IPv4 netmask for the management interface [255.255.255.0]:
Enter the IPv4 default gateway for the management interface []: 10.10.10.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFR
Enter a comma-separated list of DNS servers or ‘none’ []: 192.168.1.1,192.168.1.2
Enter a comma-separated list of search domains or ‘none’ [example.net]: popravak.local
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run ‘configure network http-proxy’
This sensor must be managed by a Defense Center.  A unique alphanumeric
registration key is always required.  In most cases, to register a sensor
to a Defense Center, you must provide the hostname or the IP address along
with the registration key.
‘configure manager add [hostname | ip address ] [registration key ]’
However, if the sensor and the Defense Center are separated by a NAT device,
you must enter a unique NAT ID, along with the unique registration key.
‘configure manager add DONTRESOLVE [registration key ] [ NAT ID ]’
Later, using the web interface on the Defense Center, you must use the same
registration key and, if necessary, the same NAT ID when you add this
sensor to the Defense Center.
>


Setup

At this point, we have completed the installation of the SFR module. As for the setup steps, on the SFR side we only need to specify which Defense Center or FireSIGHT server will manage our module. We do this by issuing:

>
> configure manager add 10.10.10.67 spop123
Manager successfully configured.
>

With this command we specified the IP address of the Defense Center and the registration key. We will use the same key on the FireSIGHT server to be able to manage this SFR module. The current status of the connection to the Defense Center can be viewed from the SFR module CLI:

>
> show managers
Host                                : 10.10.10.67
Registration Key             : spop123
Registration                   : pending
RPC Status                    :
>

Now we need to install and set up the FireSIGHT server and import our SFR module. We will do this next time. For now, we exit the module CLI by typing exit and then pressing the CTRL+SHIFT+6, x escape sequence. To make this post complete, we will import this module into an existing Defense Center.

We access the Defense Center with a web browser at https://<ip-address-of-defense-center> and log in with our credentials. Then, under the Devices menu, we click the Add button and select Add Device. A dialog box opens which needs to be filled in:

[Screenshot: sfrinstall5]

We can see that we are using the IP address we assigned to our SFR. Speaking of the SFR IP address, the way the SFR module usually connects to the network is by sharing the Management0/0 interface with the ASA box; the SFR module has its own IP and MAC addresses. We also see the key we typed in when we were configuring the module, as well as the default policy for this module. More about these in upcoming posts. For now, let’s just click the Register button.

After a while, our device is registered with the management server, which can be verified on the SFR module as well:

>
> show managers
Type                            : Manager
Host                            : 10.10.10.67
Registration                : Completed
>


That’s all for now. Thanks for reading.


29 Responses to Installing Cisco ASA FirePOWER software module

  1. jatin jesse says:

    Great Article…!!

  2. Jaleel says:

    I have a 5506-X; will I still need a FireSIGHT management center to generate a key? I purchased the TAMC license and I cannot find a doc which clearly states what I will need to activate the license.

    • Sasa says:

      I did not have the opportunity to work with zero-six, but it can be managed with ASDM, so you may try installing licenses from there.

    • Jim says:

      Jafeel,

      To get the FirePOWER license key for the 5506-X:

      1) Open ASDM (make sure that the sfr module has time to boot first).
      2) Go to Configuration > ASA FirePOWER Configuration > Licenses > Add New License.
      3) Use the PAK that came with your 5506-X and the License Key listed on the above page in ASDM to register your license on the Cisco Product License Registration Portal.
      4) When you receive your license open the *.lic file and paste everything from “— BEGIN SourceFire Product License :” to “— END SourceFire Product License —” into the License textbox in ASDM.
      5) Click “Verify License” and, if it shows as “Valid license” click “Submit License”.

      That’s all there is to it.

  3. Olson says:

    Thanks! great article. Just received a pair of 5516x and a 5506x and this was a perfect start point!

  4. Tony says:

    Great job man.

    I have a question: does asasfr-sys-5.3.1-155.pkg work
    on
    asasfr-5500x-boot-5.3.1-152?

    Because I’m trying to download asasfr-sys-5.3.1-155.pkg from an FTP server and on verifying…

    it shows an error 113.

    Are these compatible or not?

  5. mikgruff says:

    These are the images you want to use.
    asasfr-5500x-boot-5.4.0-763.img
    and
    asasfr-sys-5.4.0-764.pkg

  6. Jeffrey Cheah says:

    The boot image and system image management IPs are different, but why can’t I ping or access the boot image IP directly?

    • Sasa says:

      These images are just used when setting up the SFR module. There is no point in accessing them directly. Once the setup is completed, we can access the SFR module IP directly.

  7. Pavel says:

    Just installed 6.0 version. Default login/pass of admin/Sourcefire did not work. But admin/Admin123 (the same as at the first stage of install) worked.

  8. Jimmy says:

    The procedure says the config may be erased. Is there a way we can do this without having the config erased?

    • Sasa says:

      Really, it does not matter. This procedure is supposed to be done only once, during initial installation and setup (and perhaps if the module fails). Everything else is done via the management center.

  9. ganesh says:

    Hi,

    I would like to access the SFR from outside (Internet), so what configuration do I need to do?

    I have configured the SFR on the management port and I am able to access it from the LAN through ASDM.

    Kindly suggest….

    • Sasa says:

      Although I did not try, as long as the IP address of the SFR module is routable on the Internet, perhaps NATed and allowed by the ACL, you should be able to access the SFR module. To be honest, I don’t see the reason for doing that. If you want to configure and/or monitor your IPS infrastructure, you only need to access the Defense Center from the outside, and that is easily achieved. You set up the firewalls/routers as if the DC was an ordinary web server.

  10. JW says:

    Does the boot image IP stay and/or ever get reused, i.e. for recovery or something? I’m trying to determine if I need to allocate two separate IP addresses or if I can just use the same IP for both, if it gets overwritten by the system image configuration.

    • Sasa says:

      The boot image is used only for installation purposes. So you use those parameters only once and afterwards you can re-use them for the running SFR module.

  11. smith says:

    Hi Sasa. You’ve been very helpful for folks. Please find a solution for me:

    I have the SFR 5.3.1 boot image on my ASA 5515 with IOS 9.2.2 and ASDM 7.221.

    I upgraded the ASDM to 7.52 and IOS to 9.4.2, and downloaded the SFR images asasfr-5500x-boot-6.0.0-1005 and asasfr-sys-6.0.0-1005.

    Please advise me on installing the new image and how to downgrade if something goes wrong.

    THE GOAL IS TO MANAGE FIREPOWER WITH ASDM (because the client didn’t purchase the Firesight DC)

    My licence is TAMC. Will I be able to use my licence with the new image?

    NB: – the licence is not yet installed (because there is no management to get and install the licence; we only have the PAK, associated with our Cisco account profile)
    – the ASDM shows that the FirePOWER is up but nothing is configured

    Thanks in advance for your help,

    Best Regards.

    • Sasa says:

      I’m sorry, but I don’t use ASDM. Perhaps somebody who reads this will post a solution for your problem.

      Cheers!

    • JW says:

      It’s my understanding that you cannot manage an ASA 5515 with FirePOWER via ASDM. You must use FMC. I believe you can use ASDM with select ASAs like the 5516-X. There is a migration compatibility matrix on the Cisco site.

  12. Amel says:

    How long should one wait for the recover to go into the up state… everything went OK, it went to restart, and now it still says recover.

  13. Yusten says:

    Hi Sasa, great article, I have a question for you..
    I have a problem adding the SFR module device to Firepower MGMT. I tried to add the device but always get
    “could not establish a connection with sensor. make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection. firepower”
    OS Sourcefire Module: 5.4.1-211
    OS Firepower Management: 6.0.0
    Should the Sourcefire Module and Firepower MGMT be the same version?

    • Sasa says:

      You can manage older devices with the Defense Center. Not always (depending on how much older the modules are), but in this case you can. The modules cannot be managed with an older version of DC than the version on the modules.

      • Yusten Wuntoro says:

        Hi Sasa, thanks for the reply..
        I tried to download and install Firepower Management with OS version 5.4.1.0 but still get “could not establish a connection with sensor. make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection. firepower”. I can ping between Firepower Management and the Sourcefire module. I don’t know why..

  14. Ali says:

    Hi
    I have 3 contexts on my ASA and the management interface is under the Admin context, but in the SFR that I installed I can’t ping my gateway.

    can u help me on this ?

  15. tom says:

    Hi,

    I have a small query. Will I need ASDM at any point of time to configure FirePOWER? I have installed the FirePOWER image in my ASA 5515, but when I access the ASDM it gives me an error that it cannot load the ASA configuration. So I won’t be able to use ASDM.

    Thanks.

  16. Pingback: Upgrade Cisco Sourcefire to 6.2.0 | popravak
