
CISCO ASA 5515-x - How to access GUI for FirePOWER Services Software Module

Hello Everyone, 

I am installing a new 5515-X firewall with FirePOWER services. I set up the firewall with inside and outside networks, and I am able to access the internet and everything works fine.

Now I enabled the FirePOWER services using "session sfr console":

1. Accepted the end user license agreement.

2. Changed the management interface IP to 192.168.1.2/24.

3. I am able to ping the IP 192.168.1.2, but I am unable to access the GUI of the device.

Note: ASDM to the firewall works fine and there is no issue with that. I also set up a global policy map for the FirePOWER module via ASDM in fail-open mode for testing, and I saw there was incoming traffic.

Please tell me how the GUI can be accessed. https://192.168.1.2 does not work, but ping is fine for the management interface and the FirePOWER module.

I also have an ASA Control license, where I have to apply that one.

Some show outputs

ciscoasa# sh module

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515             
 ips Unknown                                      N/A                 
cxsc Unknown                                      N/A                 
 sfr FirePOWER Services Software Module           ASA5515             

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   0 84b8.0208.d532 to 84b8.0208.d539  1.0          2.1(9)8      9.2(2)4
 ips 84b8.0208.d530 to 84b8.0208.d530  N/A          N/A          
cxsc 84b8.0208.d530 to 84b8.0208.d530  N/A          N/A          
 sfr 84b8.0208.d530 to 84b8.0208.d530  N/A          N/A          5.3.1-152

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               5.3.1-152

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable        
 ips Unresponsive       Not Applicable        
cxsc Unresponsive       Not Applicable        
 sfr Up                 Up                    

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual     

ciscoasa# 

 

> show traffic-statistics 
-----------------[ Traffic Status ]-----------------
Name                      : kvm_ivshmem
Transmitted Bytes (TX)    : 0
Recieved Bytes (RX)       : 208154
Dropped Packets           : 0

> show summary 
------------------[ Sourcefire3D ]------------------
Model                     : ASA5515 (72) Version 5.3.1 (Build 152)
UUID                      : e65a9242-b431-11e4-8f88-9bb8ab209ff9
VDB version               : 
----------------------------------------------------

---------------[ GigabitEthernet0/0 ]---------------
Physical Interface        : GigabitEthernet0/0
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------[ GigabitEthernet0/2 ]---------------
Physical Interface        : GigabitEthernet0/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.4.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Link Mode                 : Autoneg
MDI/MDIX                  : Auto
MTU                       : 1518
MAC Address               : 84:B8:02:08:D5:30
IPv4 Address              : 192.168.1.2
----------------------[ eth1 ]----------------------
---------------------[ tunl0 ]----------------------
----------------------------------------------------

 

Please advise on the above.
Thanks.

 

 


akjellerstedt
Level 1

Hi, for this ASA model you need a FireSIGHT Defense Center installation (VM or HW) to manage the onboard module.

It's only the newest ASA models 5506/8/16 that also have on-box FirePOWER management (but with less functionality).

 

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.pdf

 

 

 

Many thanks for your reply, akjellerstedt.
Could you please send me the download link for FireSIGHT Management Center?

Is this the right software (FireSIGHT Virtual Defense Center for VMware Package Installer) that I am trying to download, and will I need any additional licenses for this to add the FirePOWER module in it?
https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=SEU&relind=AVAILABLE&rellifecycle=&reltype=latest

The FireSIGHT Management Center (FMC - aka Defense Center) is a separately purchased and licensed product. It is a mandatory prerequisite for managing ASA FirePOWER modules.

You will need to install both the FMC license as well as license your FirePOWER modules from the FMC GUI. The FirePOWER modules do not have a GUI - only the basic CLI, which serves to set it up and link to its controlling FMC.

 

Many thanks for the reply, Marvin.

Attached is the BOQ which was quoted for the 5515-X firewall. I received only two CDs with the box: one is for the VPN client software and the other is for the Control license.

If FireSIGHT Management Center software is not ordered in the attached BOQ, will it need to be ordered separately?

Also find attached some show outputs (version, module, flash, etc.).

 

Please advise on the above.

Thanks

Fazal,

Please check your posting - nothing was attached.

In any case - FMC must be purchased and installed. A small environment is usually the version licensed for management of two modules (part number FS-VMW-2-SW-K9).

It runs as a VM in a VMware ESXi virtualization environment. (There are also 10-device and 25-device licenses for the VMs and physical appliances for larger deployments.)

You must also have the licenses for your module - they are usually fulfilled via e-Delivery. The part numbers are something like L-ASA55xx-TAMC= (for IPS, URL Filtering and AMP).

Please find the attached BOQ and show outputs.

Marvin, apart from normal firewall functions, the customer's priority is URL filtering. Is it possible to use Cloud Web Security (CWS) with the present licenses, or are any additional licenses required to enable CWS in the firewall?

 

Please advise.

Thanks.

As we suspected - the purchase doesn't have either the FireSIGHT management center or the required licenses for the FirePOWER module (beyond the no cost Control license). 

You will need to purchase that, download and install the VM and redeem the licenses. 

Sorry to be the bearer of bad news. 

Thanks, Marvin, for your support. It seems that the FirePOWER module comes by default with new 551X-X firewalls and there is no additional cost for that.

But if the customer needs any URL filtering and another feature for it, then FireSIGHT needs to be purchased.

 

 

That's correct, Fazal.

If you are a partner, note that CCW will prompt you to add FMC and any desired feature licenses when you build a configuration.

Also, the ASA with Firepower Services Ordering Guide (partner access required) explains the options and requirements in great detail.
