
ENABLE FIREPOWER SERVICES ON ASA AND HARDWARE FMC

Jesutofunmi O
Level 1

Hello, 

So I have an ASA 5515x that I intend to enable Firepower on. What I basically need is:

1. Advanced Malware Protection

2. Sandboxing

3. URL Filtering 

4. Application Visibility and Control

5. Intrusion Prevention 

6. And whatever more security Cisco has to offer.

 

I have a hardware FMC that is currently not used. I intend to integrate it with the ASA 5515-x BUT I have not worked with an FMC before. I had tried to go to Cisco's site and search for materials on how to go about this but there were just a million or more PDFs to go through but no clear direction.

My network is simple. It is as follows: ISP--->ASA FW---->Core SW(Layer3)--->Access Switches

 

Someone should kindly guide me through or share a relevant configuration guide. I am aware there will be a need for licenses; purchasing those will perhaps not be a problem.

 

Thank you.

 


Marvin Rhoads
Hall of Fame

1. Make sure you have the required SSD on your ASA appliance. "show inventory" will tell you that.

 

2. Check if the Firepower service module is installed and what version it is. "show module details". If it's version 6.1 or earlier it will be easiest to just re-image it to 6.2.3 and start from there.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

 

You will need a contract with entitlement to download the necessary images.

 

3. Once you have it installed register it to the FMC, making sure that the FMC is upgraded to the latest release (6.2.3.5 as of now) and that the ASA Firepower service module is also at least 6.2.3.

 

4. Install your licenses to the FMC and associate them with your registered Firepower service module.

 

5. Create policies (Access Control, Network Discovery, File, Identity, etc.) on the FMC and deploy them to your module. 

Hello Marvin, 

 

Many thanks for your reply. I apologise for replying to your comment late. I have been very engrossed in other projects, hence the stall on this one and on my response to your comments. These are the results of my show commands.

 


show module
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               5.3.1-152

 

show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V03 , SN: FTX192710UF

Name: "Storage Device 1", DESCR: "Model Number: Micron_M550_MTFDDAK128MAY"
PID: N/A , VID: N/A , SN: MSA191905FW

 

1. I see that I need to upgrade the Firepower Service Module like you suggested.
2. I am not exactly able to make sense out of the show inventory (for SSD details)

What is the FMC version you are running? Your Firepower module is on version 5.3, which is quite old. This needs to be upgraded to a 6.x version. In regards to your SSD, its capacity is 128GB. The sfr module uses this disk in order to do the IPS inspection.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

 

Please do not forget to rate.

@Sheraz.Salim suggested correctly to wipe the module and put current software on it.

You have the SSD installed - your "show inventory" confirms that.

Follow this procedure and use the 6.3 software image to make your modules current:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc7

Then upgrade the FMC to 6.3.0.1.

Then follow the quick start guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-139815

Once you've added the modules onto FMC, you will be able to patch them to 6.3.0.1 (current latest release) and then off to set up your policies.

Hello @Marvin Rhoads and @Sheraz.Salim 

Thanks for the replies. I will do as advised and update you on progress. 

As regards the FMC version, it is a Hardware FMC. I disconnected it from the network some time ago so I do not have instant access to it. I'll check the version and reply here.

 

Thank you.
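
The pre-flight checks discussed in the replies above (SSD present, sfr module version), as an added example that is not part of the original thread and not Cisco tooling: a Python parser for pasted "show module" and "show inventory" output that picks the next step using the version thresholds given in the thread. The function names, step labels and placeholder serial numbers are assumptions, as is treating a "Storage Device" inventory entry as the SSD (taken from the output posted in the thread).

```python
import re

# Constructed sample output modelled on the thread; serial numbers are placeholders.
SHOW_MODULE = """\
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               5.3.1-152
"""
SHOW_INVENTORY = """\
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V03 , SN: PLACEHOLDER01
Name: "Storage Device 1", DESCR: "Model Number: Micron_M550_MTFDDAK128MAY"
PID: N/A , VID: N/A , SN: PLACEHOLDER02
"""

REIMAGE_AT_OR_BELOW = (6, 1)  # thread advice: 6.1 or earlier, re-image
MINIMUM_FOR_FMC = (6, 2, 3)   # thread advice: module at least 6.2.3


def sfr_version(show_module):
    """Version tuple from the sfr row, or None if the row or an image is missing."""
    for line in show_module.splitlines():
        row = re.match(r"\s*sfr\s+(.*)$", line)
        if row:
            # Version is the last field, e.g. 5.3.1-152; the build suffix is dropped.
            ver = re.search(r"(\d+(?:\.\d+)+)(?:-\d+)?\s*$", row.group(1))
            return tuple(int(p) for p in ver.group(1).split(".")) if ver else None
    return None


def has_ssd(show_inventory):
    """Assumption: the SSD is listed as a 'Storage Device' inventory entry."""
    return re.search(r'^Name:\s*"Storage Device', show_inventory, re.M) is not None


def next_step(show_module, show_inventory):
    """Map the two outputs to the next step of the procedure in the thread."""
    if not has_ssd(show_inventory):
        return "install-ssd"
    version = sfr_version(show_module)
    if version is None:
        return "install-module-image"
    if version[:2] <= REIMAGE_AT_OR_BELOW:
        return "reimage"
    if version < MINIMUM_FOR_FMC:
        return "upgrade-module"
    return "register-to-fmc"


if __name__ == "__main__":
    print(next_step(SHOW_MODULE, SHOW_INVENTORY))
```

The row matching tolerates the whitespace-collapsed form that forum pastes produce, since it keys on the leading "sfr" and the trailing version field rather than on column positions.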
