906 Views | 0 Helpful | 3 Replies

ASA 5545X with FirePower

TW80CJ5 (Level 3)

Good Morning Everyone,

I have a configuration question:

We currently have two ASA 5545-X units configured as an Active / Failover pair. Their SFR / IPS modules are managed by an FMC 4600.

Do we configure the Active and Failover units' SFR modules the exact same way (name, IP address, etc.), or do we configure them to have a different name, IP address, etc.?

It seems like the FMC uses an IP address / MAC combination for the SFRs to check in.

We just want to make sure that when our Active / Failover ASA fails over, the SFR operates with the FMC.

Thanks!

3 Replies

Redirect to the SFR module usually happens on the backplane of the ASA, within the policy-map configuration. So the management interface would need to be different, and then, based on match criteria in the policy-map, traffic is redirected to the SFR module. So both SFRs should have identical configuration.

Check out this configuration guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html#pgfId-131177

 

--
Please remember to select a correct answer and rate helpful posts
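As an added example (not from the reply above or from the linked Cisco guide), this is the ASA-side redirect the reply describes: a class-map selecting traffic and an `sfr` action inside the service policy. The class name and the decision to match all traffic are assumptions; `global_policy` is the ASA's default policy-map name, and `fail-open` / `fail-close` are the standard keywords that decide what happens to matched traffic while the module is down or rebooting.

```cisco
! Added example: redirect through-traffic to the SFR module on an ASA 5500-X.
! "sfr-traffic" is an assumed class name; "global_policy" is the ASA default.

! Select the traffic to hand to the module. "match any" sends everything;
! replace it with "match access-list <acl>" to inspect only some flows.
class-map sfr-traffic
 match any

! Attach the SFR action to that class in the global service policy.
!   fail-open  : if the module is down, matched traffic passes uninspected
!   fail-close : if the module is down, matched traffic is dropped
! Pick fail-close only if losing the module must also block traffic.
policy-map global_policy
 class sfr-traffic
  sfr fail-open

! Apply the policy globally (normally already present on a 5500-X).
service-policy global_policy global

! Checks: redirect counters and module state. This part of the running
! configuration is replicated by failover, so the standby carries it too.
show service-policy sfr
show module sfr details
```

Because failover replicates the ASA running configuration, the policy-map above only has to be entered on the active unit; what failover does not replicate is anything configured inside the module itself.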

I would also like some more clarification on this. From this other community post, you would want to have them separate.

https://community.cisco.com/t5/network-security/upgrade-os-a-pair-of-asa-5555-x/m-p/4266468/highlight/true#M1076995

Posted by Marvin Rhoads

"FMC-managed Firepower service modules do not inherit the Active-Standby HA nature of the ASAs in which they reside. Each module believes itself to be an independent unit and has no concept of being clustered or in an HA pair with another module.

You can group them in FMC but that is just for operational convenience - for example to apply the same policy to all members of a group. When you upgrade them from FMC you will be prompted to select each eligible managed module separately. If you choose the modules from both the Active and Standby ASAs, FMC will push the upgrades simultaneously. If your policy on the ASAs is set to fail-open that won't cause any problem - except that you might have a period of no Firepower services.

If you want to ensure continuous Firepower service then upgrade the standby ASA's module first. Once the module is showing as up/up from the ASA cli then make that ASA active. Then upgrade the other Firepower service module."

 

I honestly think Cisco needs to spend some quality time on the management of their documentation as a whole. It's driving me crazy.

Having to bounce around between the 5500-X Series Firewall and the 5500-X with FirePower Services documentation just to find the corresponding information. There's way too much confusion when you need to look up what specifically will work with a 5545-X with SFR.

 

rhuysmans (Level 1)

Like Marvin was saying, the FirePower (SFR) modules are embedded within the ASAs they live in and have no connection to the other SFR module. The management IP address of each of the two SFR modules in the ASA HA pairing will be unique. This allows the FMC to communicate with each SFR module individually.

The policy on the FMC for the SFR modules will be deployed to both SFR modules. This is because the traffic flowing through the Primary ASA also flows through the Primary SFR module, and when the Primary fails over to the Secondary ASA, the Secondary SFR module will need to filter the traffic just like the Primary SFR module does, using the same policy on the FMC.

When upgrading the SFR modules, it pays to disable failover monitoring of the modules, in case a down state causes the ASAs to inadvertently fail over.
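As an added example (not the reply author's own commands), this is the per-module setup the reply describes, entered once on each unit because the module's own operating system is not part of ASA failover replication, followed by the failover-monitoring toggle used around an upgrade. The hostnames, the addresses (RFC 5737 documentation range), the FMC address and the registration keys are assumed values; `session sfr console`, `configure network ...`, `configure manager add` and `monitor-interface service-module` are the standard commands.

```cisco
! Added example: give each SFR module its own management identity.
! All names, addresses and registration keys below are assumed values.

! --- On the PRIMARY ASA: drop into the module's console (the module has
!     its own login, separate from the ASA) and set its management side ---
session sfr console
 configure network hostname sfr-primary
 configure network ipv4 manual 192.0.2.11 255.255.255.0 192.0.2.1
 configure manager add 192.0.2.100 RegKey-primary
 exit

! --- On the SECONDARY ASA: same FMC, but a different hostname, IP and key ---
session sfr console
 configure network hostname sfr-secondary
 configure network ipv4 manual 192.0.2.12 255.255.255.0 192.0.2.1
 configure manager add 192.0.2.100 RegKey-secondary
 exit

! In FMC, register both modules as separate devices using the matching IP
! and registration key, then assign the same access control policy to
! both, so the standby inspects identically once it becomes active.

! --- Failover monitoring of the module (ASA configuration, replicated) ---
! By default the ASA treats a failed service module as a reason to fail
! over. Before upgrading a module, switch that off so its reboot does not
! flip the pair:
no monitor-interface service-module
! ... upgrade the module from FMC, then confirm it is back (Status Up):
show module sfr details
! ... and restore monitoring once both modules are healthy:
monitor-interface service-module
```

Upgrading the standby unit's module first, as quoted above, and only then making that unit active, keeps one inspecting module in the path throughout; the monitoring toggle just removes the risk of an unplanned failover while a module is rebooting.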
