07-24-2018 12:46 PM - edited 02-21-2020 08:00 AM
Hi Team, we have a standalone ASA 5515x series firewall (ASA Version 9.4(3)) that currently has multiple VPN/firewall rules, without Firepower services installed on it. I have been assigned the task of deploying Firepower services on the ASA 5515x and managing it with FMC. I am new to Firepower, and I need a few queries cleared up before going ahead with the scheduled activity.
1) FMC virtual appliance version 6.0.0 installed and license activated.
Pending activity
1) Firepower service installation on the ASA (both boot image and SFR package); planned to install the 6.0.0 img/pkg files on the SFR.
2) Integration of FMC with the ASA firewall.
Queries:
1) How much downtime is required to install the SFR image and pkg?
2) Once we integrate FMC and the ASA firewall, what settings need to be configured?
3) Will FMC be used only to manage the SFR module, or do firewall rules also need to be managed through FMC?
4) Please share any step-by-step procedure for deploying this scenario.
07-24-2018 04:02 PM
Hello,
In my experience, providing that the 5515s already have SSD drives installed, there was no downtime on the ASA control or data plane.
Once you have your SFR configured and managed by the FMC, you will want to immediately upgrade. I would strongly recommend that you install a fresh copy of FMC 6.2 and then patch to the latest release of 6.2.3. Then base your ASA SFR module with 6.2 and apply the latest 6.2.3 patch via FMC.
On the ASA side, you configure an MPF policy to pass interesting traffic to the SFR module. There is a good guide here. Pro Tip: Don't send all traffic to the SFR, but be selective about what you want to inspect.
Good luck!
-A
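The selective redirection described in the reply above, sketched as ASA configuration. This is an added example, not part of the original post or of Cisco's guide; the names SFR_REDIRECT and SFR_CLASS, the 10.10.50.0/24 subnet and the choice of ports are assumptions made for illustration.

```cisco
! Constructed example. Object names, the subnet and the ports are assumptions.
!
! Broad form the reply advises against: every flow is copied to the module.
!   class-map SFR_ALL
!    match any
!
! Selective form: an ACL decides which flows the SFR module inspects.
! "deny" entries are simply not redirected; the ASA still forwards them
! according to its normal interface access rules.
access-list SFR_REDIRECT extended deny ip 10.10.50.0 255.255.255.0 any
access-list SFR_REDIRECT extended permit tcp any any eq www
access-list SFR_REDIRECT extended permit tcp any any eq https
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Attach the class to the existing global policy.
! fail-open  : traffic keeps flowing if the module is down or reloading.
! fail-close : traffic in this class is dropped while the module is unavailable.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
!
! Verification from the ASA CLI:
!   show module sfr           (module status should be Up)
!   show service-policy sfr   (packet counters for the redirected class)
```

With `fail-open`, flows in the class pass uninspected while the module is unavailable, so the choice between `fail-open` and `fail-close` is a trade between availability and inspection coverage during module installs and upgrades.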
07-24-2018 04:20 PM
In addition to what @aaron.hackney mentioned, here is the quick start guide that gives you the step by step process to get Firepower integrated with your ASA.
https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html