ASA 5500-X Sourcefire / FirePOWER configuration


I have not found any documentation to install or configure the Sourcefire/FirePOWER module on the 5500-X NGFW, so I have decided to create my own. I hope you find this helpful.

*I have not figured all of this out, but this is a good starting point. As I get more information I'll update this post.*

Configure the FirePOWER / Sourcefire module on a Cisco ASA 5500-X NGFW w/ SSD

I. Download the required image and package file.

   a. http://software.cisco.com/download/release.html?mdfid=286271174&flowid=70726&softwareid=286277393&release=5.3.1&relind=AVAILABLE&rellifecycle=&reltype=latest

   b. At the time of this post, 5.3.1 was the latest build.

II. Once downloaded, transfer asasfr-5500x-boot-5.3.1-152.img to the flash partition of the ASA.

   a. I used CoreFTP Server to set up an FTP server on my laptop, connected to the management interface of the ASA.

      1. copy ftp://user:pass@Laptop-IP/asasfr-5500x-boot-5.3.1-152.img flash:
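Cisco's download page shows a checksum for each file it serves. As an added example that is not part of the original post, the following Python script verifies the downloaded .img or .pkg against that published value before it is copied to flash, so a corrupted or tampered download is caught on the laptop rather than discovered after the module fails to boot. The file name and the expected digest are assumptions passed on the command line; because the download page may list MD5 as well as SHA-512, the hash algorithm is selectable.

```python
"""Verify a downloaded ASA FirePOWER image against the checksum published on
the Cisco download page before copying it to the ASA's flash.

Added example; not part of the original post. The expected digest is a value
you read from the download page for the exact file you downloaded
(e.g. asasfr-5500x-boot-5.3.1-152.img); nothing here is a real Cisco hash.
"""
import hashlib
import hmac
import sys
from pathlib import Path


def file_digest(path, algorithm="sha512", chunk_size=1 << 20):
    """Hash a (possibly large) file in 1 MiB chunks so the whole image
    is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="sha512"):
    """Return True only if the file's digest equals the published value.

    The comparison is constant-time (hmac.compare_digest) and
    case-insensitive, because download pages sometimes print uppercase hex.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


if __name__ == "__main__":
    # Usage: python verify_image.py <image-file> <expected-digest> [sha512|md5]
    if len(sys.argv) not in (3, 4):
        sys.exit("usage: verify_image.py <image-file> <expected-digest> [algorithm]")
    image = Path(sys.argv[1])
    expected = sys.argv[2]
    algorithm = sys.argv[3] if len(sys.argv) == 4 else "sha512"
    if not image.is_file():
        sys.exit(f"{image}: no such file")
    if verify_image(image, expected, algorithm):
        print(f"OK: {image.name} matches the published {algorithm} digest; safe to copy to flash:")
    else:
        # Never upload an image that fails verification; re-download it instead.
        sys.exit(f"MISMATCH: {image.name} does not match the published {algorithm} digest")
```

Run it as `python verify_image.py asasfr-5500x-boot-5.3.1-152.img <digest-from-download-page>` and only issue the `copy` command once it reports OK. Separately, the `ftp://user:pass@...` form of the copy URL sends that account's password in cleartext over FTP, so the account on the laptop's FTP server should be a throwaway one that exists only for the transfer and is removed afterwards.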

III. Configure the Sourcefire module / remove active modules if applicable.

   a. Issue the ‘show module’ command on the ASA.

   b. If the IPS or CXSC module is present you will need to shut it down and uninstall it.

   c. From the ASA enable prompt:

      1. sw-module module (ips/cxsc) shutdown
      2. sw-module module (ips/cxsc) uninstall
      3. reload

   d. Now set the ASA Sourcefire boot image location that you recently uploaded to flash:

      1. sw-module module sfr recover configure image disk0:asasfr-5500x-boot-5.3.1-152.img

   e. Wait approximately 5 minutes for the image to boot up. For me on the 5515-X it took about five minutes to connect to the console and then another 2 or 3 to allow me to log in.

   f. Log in to the sfr console. From the ASA enable prompt enter:

      1. session sfr console

         a. If the image hasn’t fully booted you’ll receive the error message:

            ERROR: Failed opening console session with module sfr. Module is in "Recover" state.
            Please try again later.

      2. User: admin | Pass: Admin123

      3. At this point run the ‘ command to configure an IP on the Sourcefire management interface (uses the MGT0/0 physical interface). I just took the defaults. The IP on the MGT interface defaults to 192.168.8.8/24.

      4. Assign a static IP to your laptop in the subnet configured above. I used 192.168.8.10/24 for my laptop.

      5. Install the .pkg file from FTP. Only http, https and ftp are allowed methods of installation.

      6. Issue the command: system install ftp://user:pass@192.168.8.10/asasfr-sys-5.3.1-152.pkg

      7. You will eventually be prompted to reboot the Sourcefire module. The above command took me about 15 minutes to complete. Once it reboots, press ENTER a few times and you should be back at the ASA enable prompt. Only the Sourcefire image reboots, not the ASA itself.

      8. Give it about 5 minutes and connect back to the console ‘

      9. NOTE: the username and password have changed automatically.

         a. User: admin | Pass: Sourcefire

      10. Once you log in you’ll have to SPACE through the EULA and accept it. You’ll be prompted to reconfigure the IP information. I took the defaults, which are 192.168.45.45/24 for the MGT interface. Once this is done you’ll want to configure the ASA to send traffic through the module.

IV. Connect back to the ASA via ASDM management.

   a. Click ‘Configuration – Firewall – Service Policy Rules’.

   b. Right-click to ‘Add Service Policy Rule…’.

      i. I selected ‘Global’ (click Next).

      ii. I named the class ‘sfr-global-class’.

      iii. Select ‘Any Traffic’ (click Next).

      iv. The only tab I configured was ‘ASA FirePOWER Inspection’:

         1. Check ‘Enable ASA FirePOWER for this traffic flow’.

         2. Check ‘Permit’.

         3. Check ‘Monitor only’.

            a. I assume there are policies to configure, because NOT checking monitor-only blocked all traffic for me (haven’t gotten that far yet).

         4. Click ‘Finish’ to create the policy. Apply changes and save to flash.
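The ASDM wizard in section IV writes an ordinary class-map / policy-map pair into the running configuration. As an added example, not taken from the original post, here is the equivalent ASA CLI. It assumes the class name ‘sfr-global-class’ used above and that the ASA already has the default ‘global_policy’ policy-map attached globally (the usual case on a factory configuration):

```cisco
! Class that matches every flow (ASDM: "Any Traffic")
class-map sfr-global-class
 match any
!
! Attach the class to the default global policy and redirect it to the module.
!   fail-open     = ASDM "Permit": traffic keeps flowing if the module is down
!   monitor-only  = the module receives a copy of the traffic but cannot drop it
policy-map global_policy
 class sfr-global-class
  sfr fail-open monitor-only
!
! Normally already present; shown so the fragment is complete
service-policy global_policy global
```

Use ‘show service-policy sfr’ on the ASA to confirm the redirect and see packet counters climbing. Removing the ‘monitor-only’ keyword puts the module inline, at which point the access control policy applied to the module decides what passes, and swapping ‘fail-open’ for ‘fail-close’ makes the ASA block the matched traffic whenever the module is unavailable. Change one keyword at a time when moving from passive to inline so that any loss of connectivity can be attributed to a single setting.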

 

At this point, connect back to the ASA via the CLI and connect to the Sourcefire console with ‘session sfr console’. The command ‘show traffic-statistics’ should prove you have traffic going through the module. I haven’t gotten the GUI management figured out yet, but this should be enough to get the module installed so you can mess around with it.

24 Comments
Beginner

I am going to run with what you have here and will respond in a couple of weeks to tell you how it goes :)

Beginner

Hi

I am also in the process of experimenting with this module and so far you are 'spot on' with your explanation above. I will be implementing this solution in the next month or 2 at a customer and will also share if I come across anything interesting. The requirement is to configure 2 x ASAs in HA with the FirePower modules. Unfortunately I only have the one ASA to practice with. Hopefully there is not too much that can go wrong :-)

Beginner

Also note that the 'sfr' commands were introduced (support added) in version 9.2 of the ASA IOS firmware. I suggest that you upgrade to this version as a minimum.

Here is also a link where you can download the FireSight Management Software that supports the FirePower 5.3.1 module:

<FireSight Management>

Contributor

Hello,

In order to manage the FirePOWER module on the ASA I require FireSight, correct?

Which part number should I use in order to request a quote?

Beginner

Hi Paul,

you are right, you need Firesight to manage the Sourcefire code.

Here are the actual SKUs for the management; the smaller one in yellow:

  • FS750-K9 appliance
  • FS1500-K9 appliance
  • FS3500-K9 appliance
  • FS-VMW-10-SW-K9 VM - 10 FirePOWER FW services max
  • FS-VMW-2-SW-K9 VM - 2 FirePOWER FW services max
  • FS-VMW-SW-K9 VM - 25 FirePOWER services and FirePOWER appliances

Please contact your Cisco Sales to obtain the valid SKU according to your requirements.

Regards,
David

Beginner

Do you happen to have a link to the part numbers page to get the license upgrades for the Cisco ASA 5500-X NGFW w/ SSD? Thanks

Cisco Employee

This is great information, thanks.

I'm at the stage of configuring the SourceFire Management Centre. I have downloaded the virtual appliance and installed it on ESX, but I can't find any doc anywhere that explains what to do next.

I have a logon prompt on the appliance and have tried admin/Sourcefire and admin/Cisco etc., but I can't even log in to it.

Anyone able to outline clearly the next steps?

Cheers, Simon

Hi all,

I'm also interested in first steps regarding FireSIGHT - FirePOWER integration.

There are a few links showing an SFR global policy in order to deliver traffic from the ASA to the SFR module, but I'm not really sure about what to do next... I mean, once I defined the SFR global policy, all traffic is sent to the SFR module (monitor-only keyword not used), but, once I did that, can I configure ACLs in the FireSIGHT management interface?

Are there any further steps to be made before defining ACLs in FireSIGHT management?

I'm also concerned about major connection issues, i.e., I'm worried about moving from "passive mode" to "inline mode" and getting disconnected, discarding packets, etc. Any advice on this?

Thank you very much.

Regards.

Beginner

When I connect to the sfr module console from the console of the ASA, what is the exit keystroke to return me back to the ASA console? After going through the initial wizard to assign an IP to the module, I can exit and that returns me to the sfr login prompt, but I need to exit all the way out back to the ASA console.

This issue keeps annoying me when doing initial setups, and I end up having to do a hard reload on the box to get out.

The setup documentation does not include this info, and I have not been able to find it anywhere else in the official FirePOWER/ASA documents.

 

Beginner

ctrl+shift+6 then x

Beginner

Hello zsmithtek,

That is a great topic.
And I have one question to ask you.

asasfr-sys-5.3.1-155.pkg
asasfr-5500x-boot-5.3.1-152

Does it work if the version code is different?

Best Regards,
Chhayheng

Beginner

Hi @darobich,

What happens if I do not buy FireSight?

Can my ASA still use the FirePOWER module?

Thanks,

Rising star

Hi,

 

FireSight is required to manage and configure the Firepower module.

You require Firesight in order to apply licenses and policies so that your Firepower module can filter traffic.

Thanks,

R.Seth

Beginner

Look at the 5516-X model. I think they have the built-in management. I'm under the impression that the FireSight VM has more features and is generally better. Not sure though, I haven't done my own research yet. But check out the 5516-X or 5506-X / 5508-X for smaller models. They may have this management built in.
