I have not found any documentation to install/configure the sourcefire/firePOWER module on the 5500-X NGFW so I have decided to create my own. I hope you find this helpful.
*I have not figured all of this out, but this is a good starting point. As I get more information I'll update this post.*
Configure firepower / sourcefire module on Cisco ASA 5500-X NGFW w/ SSD
I.Download required image and package file.
a.http://software.cisco.com/download/release.html?mdfid=286271174&flowid=70726&softwareid=286277393&release=5.3.1&relind=AVAILABLE&rellifecycle=&reltype=latest
b.At the time of writing, 5.3.1 was the latest build.
II.Once downloaded, transfer asasfr-5500x-boot-5.3.1-152.img to the flash partition of the ASA.
a.I used CoreFTP Server to set up an FTP server on my laptop, connected to the management interface on the ASA.
- copy ftp://user:pass@Laptop-IP/asasfr-5500x-boot-5.3.1-152.img flash:
III.Configure sourcefire module / remove active modules if applicable.
a.Issue the ‘show module’ command on the ASA.
b.If the IPS or CXSC module is present you will need to shut it down and uninstall it.
c.From the ASA enable prompt:
- sw-module module (ips/cxsc) shutdown
- sw-module module (ips/cxsc) uninstall
- reload
d.Now point the ASA at the sourcefire boot image you just uploaded to flash:
- sw-module module sfr recover configure image disk0:asasfr-5500x-boot-5.3.1-152.img
ii.Wait approximately 5 minutes for the image to boot up. For me on the 5515-X it took about five minutes before I could connect to the console and then another 2 or 3 before I could log in.
iii.Log in to the sfr console. From the ASA enable prompt enter:
1.session sfr console
a.If the image hasn’t fully booted you’ll receive the error message:
i.ERROR: Failed opening console session with module sfr. Module is in "Recover" state.
ii.Please try again later.
2.User: admin | Pass: Admin123
3.At this point run the ‘ command to configure an IP on the sourcefire management interface (uses the MGT0/0 physical interface). I just took the defaults. The IP on the MGT interface defaults to 192.168.8.8/24.
4.Assign static IP to laptop in above configured subnet. I used 192.168.8.10/24 for my laptop.
5.Install the .pkg file from FTP. Only HTTP, HTTPS and FTP are supported transfer methods for the installation.
6.Issue command: system install ftp://user:pass@192.168.8.10/asasfr-sys-5.3.1-152.pkg
7.You will eventually be prompted to reboot the sourcefire module. The above command took me about 15 minutes to complete. Once it reboots, press ENTER a few times and you should be back at the ASA enable prompt. Only the sourcefire image reboots, not the ASA itself.
8.Give it about 5 minutes and connect back to the console with ‘session sfr console’.
9.NOTE: the username and password have changed automatically.
a.User: admin | Pass: Sourcefire
10.Once you log in you’ll have to SPACE through the EULA and accept. You’ll be prompted to reconfigure the IP information. I took the defaults which are 192.168.45.45/24 for the MGT interface. Once this is done you’ll want to configure the ASA to send traffic through the module.
IV.Connect back to the ASA via ASDM management.
a.Click ‘Configuration – Firewall – Service Policy Rules’
b.Right-click to ‘Add Service Policy Rule…’
i.I selected ‘Global’ (click next)
ii.I named the class ‘sfr-global-class’
iii.Select ‘Any Traffic’ (click next)
iv.The only tab I configured was ‘ASA FirePOWER Inspection’
1.Check ‘Enable ASA FirePOWER for this traffic flow’
2.Check ‘Permit’
3.Check ‘monitor only’
a.I assume there are policies to configure, because NOT checking monitor-only blocked all traffic for me (I haven’t gotten that far yet).
4.Click ‘Finish’ to create the policy. Apply changes and save to Flash.
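For anyone who would rather do section IV from the ASA CLI than from ASDM, here is the equivalent configuration. This is an added example, not part of the original post; it assumes the ASA's default global policy is named ‘global_policy’ (the factory default) and reuses the class name ‘sfr-global-class’ from the steps above. ‘fail-open’ corresponds to the ‘Permit’ checkbox (traffic keeps flowing if the module goes down) and ‘monitor-only’ to the ‘monitor only’ checkbox (the module sees a copy of the traffic but cannot drop it).

```cisco
! Added example: CLI equivalent of the ASDM service policy rule in section IV.
! Assumes the default global policy name 'global_policy'; class name taken from the post.
class-map sfr-global-class
 match any
!
policy-map global_policy
 class sfr-global-class
  ! fail-open  = 'Permit' (ASA passes traffic if the module is unavailable)
  ! monitor-only = module inspects a copy; it cannot block anything
  sfr fail-open monitor-only
!
service-policy global_policy global
!
write memory
```

Once this is applied, ‘show service-policy’ on the ASA shows packet counters for the sfr action, and ‘show traffic-statistics’ inside the module console confirms the module is receiving the redirected traffic. Dropping ‘monitor-only’ puts the module inline, so (as the post notes) leave it on until an access control policy that actually permits your traffic is in place, and use ‘fail-close’ instead of ‘fail-open’ only once you are sure you want the module's availability to gate the whole firewall.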
At this point, connect back to the ASA via CLI and connect to the sourcefire console with ‘session sfr console’. The command ‘show traffic-statistics’ should prove you have traffic going through the module. I haven’t gotten the GUI management figured out yet, but this should be enough to get the module installed so you can mess around with it.