FirePOWER Module Installation

Magesh Kumar
Level 1

Hi all,

We have two ASA 5525-X firewalls in our public zone in a failover setup. Both ASAs are running SFR module version 5.4.0.2. We now plan to upgrade the FirePOWER module to version 6.3.0. Since our FirePOWER module is on version 5.4.0.2, upgrading it through the FirePOWER Management Center becomes more hectic. So we plan to uninstall the existing FirePOWER module 5.4.0.2 from the ASA 5525-X and freshly install FirePOWER module 6.3.0.


Our doubt is: when uninstalling FirePOWER module version 5.4.0.2 from the ASA 5525-X, must we reload the ASA, or is that an optional step?


In the ASA, we configured the SFR redirection policy to permit traffic if the SFR card fails (fail-open). So will uninstalling the existing SFR module affect the traffic flow?

Is there any Cisco guide with a complete procedure to uninstall and reinstall the SFR module in a failover setup?

Are there any other constraints we need to consider before doing the SFR module uninstall and install, especially for a failover setup?


Also, will upgrading the FirePOWER Management Center affect the FirePOWER module devices?

Please help us...

Thanks.

Regards,
Magesh Kumar G
Accepted Solution

GRANT3779
Spotlight
Hi Magesh,

I completely understand the decision to just uninstall and rebuild the module with the newer image. This is a lot easier/cleaner with the jump you are doing.
You do not need to reload the ASA at any point for this.

With regards to the redirect policy for the SFR, I have taken this out temporarily during this procedure.

A gotcha that you should also look out for is the interfaces you are monitoring in your ASA failover pair. If you are monitoring the SFR module, remember that it will reboot a few times during the uninstall/install, which in turn would cause your ASAs to fail over. Disable monitoring of your SFR temporarily if you are doing so as part of the HA setup.

For the FMC upgrade, be aware that it cannot manage any devices that run a higher code than itself, so it may make sense to upgrade this first.

Reference for the complete upgrade/uninstall you are looking to do:
https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html


@GRANT3779 - perfect - well said.

Hi GRANT,

Thanks for your reply.

With respect to uninstalling the SFR module in a failover setup: if we have set the ASA to block all traffic when the SFR fails (fail-close), should we disable traffic redirection from the ASA to the SFR module by removing the SFR redirection policy?

If we need to do it, where should we start? On the Active ASA or the Standby ASA?

For example, if we remove the SFR redirection policy on the Active ASA, it will be replicated to the Standby ASA. So overall, will all the traffic bypass or avoid the SFR module?


With Regards,

Magesh Kumar.G


Hi Magesh,

I have always removed the class from the policy-map when doing this. E.g. if you were using the global policy (see below) you would go in there and remove the class below. I think in theory you could also amend the action to fail-open, but I have always been more cautious and just removed the whole redirect. Another way, I guess, would be to just deny all traffic in your redirect ACL so it doesn't go to the SFR. If you do any of the above on the primary it will in turn apply to the secondary. Just remember, though, that the actual SFRs are completely independent of each other, and when rebuilding them, they will both need to be done.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class YOUR_SFR_REDIRECT
  sfr fail-close

So you mean if we disable traffic redirection on the ASA, all the traffic will bypass the SFR module? But we always need to send our traffic through the SFR module.

Below I have briefly described my plan; please let me know if you find any gaps...

  1. We plan to start our activity from the secondary ASA (Standby). We will uninstall and install the SFR module on the secondary ASA (Standby). Since it is the Standby ASA, it will not affect the traffic flow?
  2. After the SFR module is installed on the secondary ASA, we will manually change the state of the secondary ASA from standby to active. Then we will uninstall and install the SFR on the primary ASA (standby by then).
  3. During the above activity, will the traffic overall go through the SFR module without any interruption?

Thanks.

With Regards,

Magesh Kumar.G


Hi Magesh,

Yes, that sounds at a high level like a plan if you require constant inspection from Firepower during the upgrades.
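The standby-first plan discussed above, written out as the ASA CLI sequence one would actually type. This is an added example, not part of the thread and not taken from Cisco's document; it follows GRANT's advice to disable service-module monitoring for failover and leaves the redirect in place so the active unit keeps inspecting. Placeholders are assumptions: YOUR_SFR_REDIRECT is the class name from the policy-map quoted earlier, the "x" in the image file names stands for the actual 6.3.0 build downloaded, and <server> is an HTTP host the module's management interface can reach.

```text
! Added example (not from the thread or Cisco's document): ASA CLI for the
! standby-first rebuild. Placeholders: YOUR_SFR_REDIRECT (class name from the
! policy-map quoted earlier), "x" in image names (actual 6.3.0 build), and
! <server> (host reachable from the module's management interface).

! ---- Step 0: on the ACTIVE unit (failover replicates this to the standby) --
! The module reboots several times during uninstall/install; stop the
! failover pair from treating that as a unit failure.
no monitor-interface service-module
! The redirect class stays as it is so the active unit keeps inspecting.
! (GRANT's more cautious alternative: remove the class, or switch it to
!  fail-open, under "policy-map global_policy". Either way traffic is
!  uninspected until it is put back.)

! ---- Step 1: on the STANDBY unit, rebuild its module ------------------------
! sw-module commands act on the local chassis only; the two modules are
! independent and each must be rebuilt.
sw-module module sfr shutdown
sw-module module sfr uninstall
! The 6.3.0 boot image must already be on disk0: (copy it there first).
sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.3.0-x.img
sw-module module sfr recover boot
! Poll until the Status column goes from "Recover" to "Up":
show module sfr details
! Then, from inside the module's boot image, install the system package:
session sfr console
!   (log in as admin, then:)
!   asasfr-boot> setup
!   asasfr-boot> system install noconfirm http://<server>/asasfr-sys-6.3.0-x.pkg
! The module reboots itself during the install. Back on the ASA, wait for
! "show module sfr details" to report Up on 6.3.0, then register the module
! to FMC and deploy your access control policy to it BEFORE failing over.

! ---- Step 2: swap roles, then repeat Step 1 on the other unit --------------
! On the unit whose module is now rebuilt (currently standby):
failover active

! ---- Step 3: once both modules run 6.3.0 and are managed by FMC ------------
monitor-interface service-module
! If you chose to remove the class in Step 0, restore it here:
! policy-map global_policy
!  class YOUR_SFR_REDIRECT
!   sfr fail-close
```

Two things to keep in mind while this runs. First, the FMC point GRANT made earlier applies: the rebuilt 6.3.0 modules cannot be registered to an FMC that is still on older code, so the FMC upgrade goes first. Second, with service-module monitoring disabled and the redirect still set to fail-close, the failover pair will no longer move traffic away from a unit whose module is down; the plan relies on the unit being rebuilt always being the standby, so do not fail over for any other reason until its module is Up and has policy, because a fail-close unit with no module drops everything it is sent.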
