ASA5525-X SFR with IPS and FireSIGHT Management Center Virtual Appliance

blemser01
Level 1

Can someone tell me the missing parts for using three ASA5525-FPWR-K9
with L-ASA5525-TA-1Y IPS licenses?
Every ASA has a separate ASA5525-CTRL-LIC with PAK in the box.


At the moment, the ASA 5525-X units are running ASDM 7.2 with sfr FirePOWER Service
Software Module Version 5.3.1

# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525           
 ips Unknown                                      N/A               
cxsc Unknown                                      N/A               
 sfr FirePOWER Services Software Module           ASA5525           

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               5.3.1-152

# show flash:
--#--  --length--  -----date/time------  path
   10  4096        Jul 29 2015 15:26:20  log
   20  4096        Jul 29 2015 15:27:00  crypto_archive
   21  4096        Jul 29 2015 15:27:12  coredumpinfo
   22  59          Jul 29 2015 15:27:12  coredumpinfo/coredump.cfg
  114  52457472    Jul 29 2015 15:31:36  asa922-4-smp-k8.bin
  115  41601024    Jul 29 2015 15:33:14  asasfr-5500x-boot-5.3.1-152.img
  116  24070880    Jul 29 2015 15:58:58  asdm-7221.bin
  117  12998641    Jul 29 2015 16:02:56  csd_3.5.2008-k9.pkg
  118  4096        Jul 29 2015 16:02:56  sdesktop
  122  1462        Jul 29 2015 16:02:56  sdesktop/data.xml
  119  6487517     Jul 29 2015 16:02:58  anyconnect-macosx-i386-2.5.2014-k9.pkg
  120  6689498     Jul 29 2015 16:02:58  anyconnect-linux-2.5.2014-k9.pkg
  121  4678691     Jul 29 2015 16:02:58  anyconnect-win-2.5.2014-k9.pkg

8238202880 bytes total (4867211264 bytes free)
ciscoasa#

I read this discussion earlier: https://supportforums.cisco.com/discussion/12393861/firesight-management-virtual-machine-download

The SFR boards need the FireSIGHT Management Center, and all licensing is done with the center.
PAK registration needs the created license key of the center.
The FS-VMW-SW-K9 is the center software, and a CON-SAU-VMWSW2 is necessary for upgrades.
Is it recommended to update the ASA base software and the versions of the SFR modules?
Do the SFR modules get the new firmware from the center? Does the CON-SAU-VMWSW2 cover this?

Summarized:
we have 3x ASA5525-FPWR-K9 units with the software versions printed above, 3x ASA5525-CTRL-LIC, 3x L-ASA5525-TA=
After reading the linked discussion, do we further need 2x FS-VMW-2SW-K9 and 2x CON-SAU-VMWSW2?

Is this enough?
Any help is much appreciated...

thanks, and rgds

Marvin Rhoads
Hall of Fame

Deploying FirePOWER Management Center (new name as of 6.0) would be recommended. You would need the 10 device license as the 2 device licenses are not additive (i.e., buying two each doesn't give you a 4-device license).

Alternatively, you could upgrade each ASA and FirePOWER module to versions 9.5.2 and 6.0 respectively and manage each totally separately using ASDM. Not generally recommended due to the headache of keeping the policies in sync and not having one place to look at all events and logs.

Ok Marvin,
very helpful answer. Great to hear of this possibility now to do it without a management center.
I think we prefer this. Can you tell me the part numbers we need for covering all ASA5525-FPWR-K9
with a contract, so that we get all necessary files for upgrading?
Is it possible to buy a contract without hardware support?
Due to this discussion:
https://supportforums.cisco.com/discussion/12547496/how-upgrade-firepower-5525-x-cli-or-virtual defense-center
I believed that it is still up to date that only the entry-level ASAs can manage their firesourcemodule with ASDM. I have a last question about using ASDM instead of FirePOWER Management Center:
is the management, controlling and reporting of the basic IPS functions the same? And can you give me a link to the datasheet and user guide of the new version, please?

thanks for your help,

rgds,

The capability with FirePOWER 6.0 was just introduced in November 2015 with ASA 9.5(1)5 and FirePOWER 6.0.

ASA Release notes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#pgfId-149508

ASDM User Guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/asdm75/firewall/asdm-75-firewall-config/access-sfr.html#ID-2123-0000034e

The ASDM User Guide mostly refers you to the FirePOWER 6.0 User Guide: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60.html

The data sheet doesn't make a big deal of it but it is noted in table 2 here: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html (See the row labeled "On-Device Management".)

The big differences are you will have to create each policy for every ASA separately on its respective ASDM instance. Events and reporting will not be available in a centralized location and are only stored on the ASA and retrievable from ASDM.

Hi Marvin,
thank you for your great support,
the units and modules are now updated to the latest versions,
all firepower controlling tabs are now available in ASDM ! :-)

Great - you're welcome.

Thanks for marking the answer correct.
