06-10-2015 05:25 AM - edited 03-11-2019 11:05 PM
Hello Everyone,
I am installing a new 5515-X firewall with FirePOWER services. I set up the firewall with inside and outside networks, and I am able to access the internet and everything works fine.
Now I enabled the FirePOWER services using "session sfr console":
1. Accepted the end user license agreement.
2. Changed the IP of the management interface to 192.168.1.2/24.
3. I am able to ping the IP 192.168.1.2, but I am unable to reach the GUI of the device.
Note: ASDM to the firewall works fine and there is no issue with that. I also set up a global policy map for the FirePOWER module via ASDM in fail-open mode for testing, and I saw there was incoming traffic.
Please tell me how the GUI screen can be reached; https://192.168.1.2 does not work, but ping is fine for the management interface and FirePOWER module.
I also have an ASA control license where I have to apply that one.
Some show outputs
ciscoasa# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515
ips Unknown N/A
cxsc Unknown N/A
sfr FirePOWER Services Software Module ASA5515
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 84b8.0208.d532 to 84b8.0208.d539 1.0 2.1(9)8 9.2(2)4
ips 84b8.0208.d530 to 84b8.0208.d530 N/A N/A
cxsc 84b8.0208.d530 to 84b8.0208.d530 N/A N/A
sfr 84b8.0208.d530 to 84b8.0208.d530 N/A N/A 5.3.1-152
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr ASA FirePOWER Up 5.3.1-152
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Up Up
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
ciscoasa#
> show traffic-statistics
-----------------[ Traffic Status ]-----------------
Name : kvm_ivshmem
Transmitted Bytes (TX) : 0
Recieved Bytes (RX) : 208154
Dropped Packets : 0
> show summary
------------------[ Sourcefire3D ]------------------
Model : ASA5515 (72) Version 5.3.1 (Build 152)
UUID : e65a9242-b431-11e4-8f88-9bb8ab209ff9
VDB version :
----------------------------------------------------
---------------[ GigabitEthernet0/0 ]---------------
Physical Interface : GigabitEthernet0/0
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------[ GigabitEthernet0/2 ]---------------
Physical Interface : GigabitEthernet0/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.4.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Link Mode : Autoneg
MDI/MDIX : Auto
MTU : 1518
MAC Address : 84:B8:02:08:D5:30
IPv4 Address : 192.168.1.2
----------------------[ eth1 ]----------------------
---------------------[ tunl0 ]----------------------
----------------------------------------------------
Please advise on the above.
Thanks.
06-10-2015 06:50 AM
Hi, for this ASA model you need a FireSIGHT Defense Center installation (VM or HW) to manage the onboard module.
It's only the newest ASA models 5506/8/16 that also have on-box FirePOWER management (but with less functionality).
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.pdf
06-10-2015 07:31 AM
Many thanks for your reply akjellerstedt.
Could you please send me the download link for FireSIGHT Management Center?
Is this the right software (FireSIGHT Virtual Defense Center for VMware Package Installer) that I am trying to download, and will I need any additional licenses for this to add the FirePOWER module to it?
https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=SEU&relind=AVAILABLE&rellifecycle=&reltype=latest
06-10-2015 08:50 AM
The FireSIGHT Management Center (FMC - aka Defense Center) is a separately purchased and licensed product. It is a mandatory prerequisite for managing ASA FirePOWER modules.
You will need to install the FMC license as well as license your FirePOWER modules from the FMC GUI. The FirePOWER modules do not have a GUI - only the basic CLI, which serves to set it up and link it to its controlling FMC.
06-10-2015 11:53 PM
Many Thanks for the reply Marvin.
Attached is the BOQ which was quoted for the 5515-X firewall. I received only two CDs with the box: one is for VPN client software and another is for the control license.
If FireSIGHT Management Center software is not ordered in the attached BOQ, will it need to be ordered separately?
Also find attached some show outputs (version, module, flash, etc.).
Please advise on the above.
Thanks
06-10-2015 11:53 PM
Fazal,
Please check your posting - nothing was attached.
In any case - FMC must be purchased and installed. A small environment is usually the version licensed for management of two modules (part number FS-VMW-2-SW-K9).
It runs as a VM in a VMware ESXi virtualization environment. (There are also 10-device and 25-device licenses for the VMs and physical appliances for larger deployments.)
You must also have the licenses for your module - they are usually fulfilled via e-Delivery. The part numbers are something like L-ASA55xx-TAMC= (for IPS, URL Filtering and AMP).
06-11-2015 12:27 AM
Please find the attached BOQ and show outputs.
Marvin, apart from normal firewall functions, the customer's priority is URL filtering. Is it possible to use Cloud Web Security (CWS) with the present licenses, or are any additional licenses required to enable CWS in the firewall?
Please advise.
Thanks.
06-11-2015 08:07 PM
As we suspected - the purchase doesn't have either the FireSIGHT Management Center or the required licenses for the FirePOWER module (beyond the no-cost Control license).
You will need to purchase that, download and install the VM and redeem the licenses.
Sorry to be the bearer of bad news.
06-14-2015 12:07 AM
Thanks Marvin for your support. It seems that the FirePOWER module comes by default with new 551X-X firewalls and there is no additional cost for that.
But if the customer needs any URL filtering and other features for it, then FireSIGHT needs to be purchased.
06-14-2015 07:47 AM
That's correct, Fazal.
If you are a partner, note that CCW will prompt you to add FMC and any desired feature licenses when you build a configuration.
Also, the ASA with Firepower Services Ordering Guide (partner access required) explains the options and requirements in great detail.