New ASA5525-X replacing 5510 - Replace Existing, then Activate FireSight or Activate First?

stownsend
Level 2

I have an ASA5525-X that will be replacing a 5510. I have the ASA config ported over and running on the new 5525-X, though I'm struggling a bit with the FireSight installation. Right now I have the ASA5525-X in a lab environment with all of the real IPs configured and the SourceFire server in a VLAN from which it can access the 5525.

Getting things all connected through the VLANs is proving more difficult than I wanted. Should I replace the 5510 with the 5525 without the Firepower services connected to the SourceFire server, or should I try and get the FireSight portion of it all operational before I replace the 5510?

Can the addition and configuration of the FireSight services be done without taking the 5525 down?

Is there a good primer for adding devices to the FireSight server? The ones I've found all seem to be missing a step, or I'm not clear on what's wrong.


Thanks!

1 Accepted Solution

Marvin Rhoads
Hall of Fame

Adding, activating or configuring the FirePOWER module later will not require the ASA to be offline at all.

I recommend my customers start with the ASA FirePOWER Module Quick Start Guide.

Adding a module as a device in FireSIGHT Management Center is a lot like adding a device to a RADIUS or TACACS server. Set up the device end by pointing it at the manager and providing a shared secret, and then in the manager add the device in the GUI, also providing the same shared secret. That's explained in the FireSIGHT System User Guide (use the PDF version I linked, as the HTML version seems to have left out some bits; table of contents links are dead in many cases). See page 4-23, "Adding Devices to the Defense Center".

One big difference that comes next is that the module doesn't do much of anything until you create and deploy policies from FMC. The User Guide is pretty daunting in that regard but there are some good resources elsewhere.

I recommend the Cisco Live 2015 San Diego presentation BRKSEC-2018. It covers everything pretty nicely in a decent level of detail. There is also a series of free Labminutes video tutorials on YouTube. Check them out too.
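The two-sided registration described in the answer above (point the module at the manager with a shared secret, then add the device in the manager with the same secret), shown as an added illustration on the ASA and module CLI; it is not from the thread or from Cisco's documentation, and the FMC address 192.0.2.10, module address 192.0.2.20, gateway 192.0.2.1 and registration key are constructed placeholders.

```text
! --- ASA side: open the module's console; the ASA keeps forwarding traffic ---
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
! log in to the module with its admin account, then:

! --- Module side: management address, then the "device end" of registration ---
> configure network ipv4 manual 192.0.2.20 255.255.255.0 192.0.2.1
> configure manager add 192.0.2.10 ExampleRegKey-CHANGE-ME
Manager successfully configured.
! leave the module console with CTRL-^ X to return to the ASA prompt

! --- Manager side (FireSIGHT Management Center GUI) ---
! Devices > Device Management > Add > Device: host 192.0.2.20, the same
! registration key, then deploy an access control policy to the new device.

! --- ASA side: redirect traffic to the module only after policies are deployed ---
ciscoasa(config)# access-list sfr-redirect extended permit ip any any
ciscoasa(config)# class-map sfr-class
ciscoasa(config-cmap)# match access-list sfr-redirect
ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class sfr-class
! fail-open keeps traffic flowing if the module is down or not yet ready;
! change to fail-close once the IPS is a hard requirement (e.g. for compliance).
ciscoasa(config-pmap-c)# sfr fail-open
```

Adding "monitor-only" to the sfr line sends the module a copy of the traffic for visibility without letting it block anything, which suits a lab or initial rollout.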


4 Replies


Thank you Marvin, so I should go ahead and deploy the unit as a typical firewall and then, while it's in use, set up the FirePOWER aspect of it?


Thanks again!


You're welcome.

That would work functionally. Whether you should do it that way depends on your reasons for migrating and your organizational policies / tolerance for change of production devices.

For instance, some of my customers deploy the FirePOWER module so as to have an IPS as required for compliance. If that's your main goal, then focusing on that is an integral part of the initial deployment. Others just want to replace an old firewall and happened to get the FirePOWER module because they thought it might be a good idea to add the feature, but have no pressing business imperative to do so.

Hope this helps. Please mark your question as answered if it has been.

This is me:

"replace an old firewall and happened to get the FirePOWER module because they thought it might be a good idea to add the feature but have no pressing business imperative to do so"


We want to have better protection and visibility, though not required for compliance. 


Thanks!
