Daisuke Nagai
Cisco Employee
This post shows how to re-image a Firepower 1000 series appliance to ASA from rommon>. The procedure erases all configuration and every installed image on the appliance (factory reset followed by 'format everything'), so back up the configuration before you start.

 

Requirements

  • Console access
  • TFTP server (TFTP has no authentication or encryption, so run it on a trusted management segment; the integrity of the image rests on the LFBFF and SHA-2 signature checks that rommon and FXOS perform after the transfer, which you can see in the log below)

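TFTP cannot authenticate the server or protect the file in transit, so the copy of the image you serve is only as trustworthy as the file you put in the TFTP root. The following Python script is an added example (it is not part of the original post and not a Cisco tool): it refuses to stage an image whose SHA-512 does not match the checksum the operator took from the Cisco download page for that release (the post gives no checksum, so the expected value is a parameter), and it makes the staged copy read-only. The file name cisco-asa-fp1k.9.16.4.18.SPA is taken from the post; the content written by demo() is a placeholder, not an image.

```python
"""Stage a Cisco image in the TFTP root only after its SHA-512 matches.
Added example, not part of the original post or any Cisco tool."""
import hashlib
import hmac
import os
import shutil
import sys
import tempfile
from pathlib import Path


def sha512_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-512; images are hundreds of MB, so do not read() at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def stage_image(src: Path, tftp_root: Path, expected_sha512: str) -> Path:
    """Copy src into tftp_root read-only, or raise ValueError if the digest differs.

    expected_sha512 is the checksum the operator took from the Cisco download
    page for this release (assumed input; the post does not list one)."""
    actual = sha512_file(src)
    if not hmac.compare_digest(actual, expected_sha512.strip().lower()):
        raise ValueError(f"{src.name}: SHA-512 mismatch, refusing to stage\n"
                         f"  expected {expected_sha512}\n  actual   {actual}")
    tftp_root.mkdir(parents=True, exist_ok=True)
    dest = tftp_root / src.name
    shutil.copy2(src, dest)
    os.chmod(dest, 0o444)      # read-only: the TFTP daemon must not be able to alter it
    return dest


def demo() -> dict:
    """Run the check on a constructed placeholder file (not a real image)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "cisco-asa-fp1k.9.16.4.18.SPA"   # file name from the post; contents are fake
        src.write_bytes(b"placeholder bytes, not a Cisco image\n" * 4096)
        good = hashlib.sha512(src.read_bytes()).hexdigest()
        dest = stage_image(src, tmp / "tftpboot", good)
        result = {
            "staged": dest.name,
            "mode": oct(dest.stat().st_mode & 0o777),
            "stream_matches_oneshot": sha512_file(dest) == good,
        }
        try:
            stage_image(src, tmp / "tftpboot-bad", "0" * 128)   # wrong digest
            result["rejected_bad_digest"] = False
        except ValueError:
            result["rejected_bad_digest"] = True
    return result


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <image.SPA> <tftp_root> <expected_sha512>")
    print("staged", stage_image(Path(sys.argv[1]), Path(sys.argv[2]), sys.argv[3]))
```

Run it as `python stage_image.py cisco-asa-fp1k.9.16.4.18.SPA /srv/tftp <sha512>` on the TFTP host before step 5; a mismatch aborts with both digests printed, and a staged file is left with mode 0444 so a misconfigured writable tftpd cannot overwrite it.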
 

Outline of the procedure

  1. Power the appliance off and on and interrupt the boot to get to rommon>
  2. Run 'factory-reset' at rommon>
  3. Run 'boot' at rommon> (this is what actually carries out the factory reset)
  4. Run 'format everything' from FXOS local-mgmt
  5. Download the ASA image at rommon> with 'tftpdnld' (rommon verifies its signature and boots it)
  6. Run 'download image' on FXOS
  7. Run 'install security-pack' on FXOS

 

Below is the full CLI transcript, with annotations on the lines where input is required.

###### After power OFF/ON
*******************************************************************************
Cisco System ROMMON, Version 1.0.17, RELEASE SOFTWARE
Copyright (c) 1994-2023 by Cisco Systems, Inc.
Compiled Thu 03/23/2023 11:19:30.64 by builder
*******************************************************************************

Current image running: Boot ROM1
Last reset cause: PowerOn (0x00000001)
DIMM0 : Present

Platform FPR-1010 with 8192 MBytes of main memory
Detected Nic devid(0) 15398086
bus: 3 dev: 0 func: 0
BIOS has been successfully locked !!
MAC Address: ec:ce:13:1c:f2:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.

###### Press ESC to interrupt the boot

Boot interrupted.


rommon 1 > factory-reset ###### run 'factory-reset'
Warning: All configuration will be permanently lost with this operation
and application will be initialized to default configuration.
This operation cannot be undone after booting the application image.

Are you sure you would like to continue ? yes/no [no]: yes                        ###### answer 'yes'
Please type 'ERASE' to confirm the operation or any other value to cancel: ERASE  ###### type 'ERASE'

Performing factory reset...
Warning: filesystem requires journal recovery
Located .boot_string
Image size 60 inode num 15, bks cnt 1 blk size 8*512

Rommon will continue to boot disk0:installables/switch/fxos-k8-fp1k-lfbff.2.10.1.248.SPA
Are you sure you would like to continue ? yes/no [no]: no ###### answer 'no' (stay in rommon; the reset is carried out when 'boot' is run next)


Execute 'boot' command afterwards for factory-reset to be initiated.
Use of reset/reboot/reload command will cancel the factory-reset request!
rommon 2 >
rommon 2 >
rommon 2 > boot ###### run 'boot'
Warning: filesystem requires journal recovery
Located installables/switch/fxos-k8-fp1k-lfbff.2.10.1.248.SPA
Image size 191304784 inode num 456070, bks cnt 46706 blk size 8*512
#################################################################### [SNIP]

+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF signature authentication passed !!! |
| |
+-------------------------------------------------------------------+
LFBFF signature verified.
+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF controller type check passed !!! |
| |
+-------------------------------------------------------------------+

Linux version: 4.18.45-yocto-standard (oe-user@oe-host) #1 SMP Wed Mar 8 23:34:39 UTC 2023
kernel_image = 0x73ab91c8, kernel_size=0x6452a0
Image validated
INIT: version 2.88 booting
Starting udev
Hardware tweak APPLIED: Disable SATA Throttle.1
Hardware tweak APPLIED: Disable SATA Throttle.2
Configuring network interfaces... done.
Starting random number generator daemon.
Primary SSD discovered
Rommon requested SSD reformat
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda1] fsck.ext3 -a /dev/sda1
/dev/sda1: recovering journal
/dev/sda1: clean, 39/488640 files, 166013/1953024 blocks
fsck(/dev/sda1) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda2] fsck.ext3 -a /dev/sda2
/dev/sda2: recovering journal
/dev/sda2: clean, 133/61056 files, 9459/244224 blocks
fsck(/dev/sda2) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda3] fsck.ext3 -a /dev/sda3
/dev/sda3: recovering journal
/dev/sda3: Clearing orphaned inode 45800 (uid=0, gid=0, mode=0140600, size=0)
/dev/sda3: Clearing orphaned inode 45797 (uid=0, gid=0, mode=0140600, size=0)
/dev/sda3: clean, 81/61056 files, 10168/244224 blocks
fsck(/dev/sda3) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda4] fsck.ext3 -a /dev/sda4
/dev/sda4: recovering journal
/dev/sda4: clean, 13/1831424 files, 158996/7324160 blocks
fsck(/dev/sda4) returned 0
mount_disk_xfs. device: /dev/sda5, dir: /opt/cisco/csp, mount returned: 0.
As ROMMON requested SSD reformat,deleting all the data on SSD except installables present in /mnt/boot/...
Moving FXOS ramdisk to SSD ...
Moving FXOS ramdisk to SSD ... done
Starting TAm services ...
Device configuration status = TAM_SUCCESS
TAm Services started successfully
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
FIPS POST Test Script
NOTICE: The FIPS POST is not run because the FIPS feature is not enabled
Configuring packages on first boot... INIT: Entering runlevel: 3
Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
generating ssh ed25519 key...
done.
Starting rpcbind daemon...done.
starting statd: done
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up with netlink and the input layer
acpid: 1 rule loaded
acpid: waiting for events: event logging is off
Starting DHCP server: .
starting 8 nfsd kernel threads: done
starting mountd: done
Starting ntpd: done
Restarting all devices.
Processing /etc/c3xxx_dev0.conf
Checking status of all devices.
There is 1 QAT acceleration device(s) in the system:
qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
Starting internet superserver: xinetd.
Starting fan control daemon: fancontrol... done.
INFO: beginning of manager_install
INFO: manager_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-fp1k-manager.2.10.1.248.SPA chmgr= update=false
INFO: manager_install: fxmgr is dummy, skip_fxmgr_install=true
INFO: in validating image ...
INFO: manager_validate_image: fxmgr_absfilename /mnt/boot/installables/switch/fxos-k9-fp1k-manager.2.10.1.248.SPA
INFO: Validating image /mnt/boot/installables/switch/fxos-k9-fp1k-manager.2.10.1.248.SPA signature ...
: File /mnt/boot/installables/switch/fxos-k9-fp1k-manager.2.10.1.248.SPA size 1296
Done!
Computed Hash SHA2: d58f5332e1f5a3b8c91f42f3051ac837
0bf219fc51581dc10e7ba4d901ee3c49
d9da39442b105d5462e15df12b1622b8
cb04645c99504238f901c7361a7751e9

Embedded Hash SHA2: d58f5332e1f5a3b8c91f42f3051ac837
0bf219fc51581dc10e7ba4d901ee3c49
d9da39442b105d5462e15df12b1622b8
cb04645c99504238f901c7361a7751e9

The digital signature of the file: fxos-k9-fp1k-manager.2.10.1.248.SPA verified successfully
INFO: manager_install: skip_fxmgr_install=true - delete unnecessary files and skip
INFO: deleting unnecessary xml file..!!
/bin/rm: cannot remove '/opt/cisco/kppm': Device or resource busy
/bin/mkdir: cannot create directory '/opt/cisco/kppm': File exists
INFO: deleted unnecessary xml file..!!
INFO: manager_post_install ...
INFO: manager_post_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-fp1k-manager.2.10.1.248.SPA chmgr= update=false
INFO: manager_post_install: fxmgr is dummy
INFO: manager_post_install: Linking libraries ...
INFO: manager_post_install: Linking binaries ...
Completed system initial setup.
INFO: Trying to add iptables and ip6tables rules ...
INFO: Set up Application Diagnostic Interface ...
INFO: Configure management0 interface ...
Firepower 1xxx platform..
RTNETLINK answers: File exists
RTNETLINK answers: File exists
Assigning ip to eth0 in FPR-1xxx platform
INFO: Configure rmu interface ...
Bring up rmu and swp1-swp8 switch interfaces
create and bringup lldp sub-interface on lldp-swp7, lldp-swp8
create and bringup lacp and mgmt sub-interface on (lacp-swp1 to lacp-swp8), (mgmt-swp1 to mgmt-swp8)







Stopping rpcbind daemon...
done.
stopping mountd: done
stopping nfsd: .done
INFO: Configure system files ...
INFO: System Name is: firepower-1010
Starting sensors logging daemon: sensord... done.
INFO: console : ttyS0, speed : 9600
INFO: manager_startup: setting up fxmgr apache ...
INFO: manager_startup: Start manager httpd setup...
INFO: manager_startup: /opt/cisco/config/certstore/default.key not found on platform, re-generating files
INFO: manager_startup: reset httpd app config to default
httpdRegister INFO: [httpd.2590 -4 192.168.45.45 -n localhost]
httpdRegister INFO: Starting httpd setup/registration...
httpdRegister INFO: Completed httpd setup/registration!
INFO: httpdRegister [httpd.2590 script exit]
INFO: manager_startup: Completed manager httpd setup!
Starting crond: OK
INFO: starting config regster monitor
INFO: System Disk /dev/sda present. Status: Operable.


firepower-1010 login:
Waiting for Application infrastructure to be ready...
Verifying the signature of the Application image...
Creating FXOS swap file ...
32768+0 records in
32768+0 records out
4294967296 bytes (4.3 GB, 4.0 GiB) copied, 16.1971 s, 265 MB/s
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=26148b7e-39a8-4b23-80bd-73017459a571
Apr 24 03:35:27 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][critical][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install
Apr 24 03:36:03 firepower-1010 port-manager: Alert: Ethernet1/1 link changed to UP
Apr 24 03:36:04 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to UP

firepower-1010 login:
firepower-1010 login: admin ###### log in as admin/Admin123 (the factory default password)
Password:
Successful login attempts for user 'admin' : 1
Hello admin. You must change your password.
Enter new password: ********* ###### set a new password of your choice (nothing is echoed; the asterisks are illustrative)
Confirm new password: ********* ###### re-enter the new password (again nothing is echoed)
Your password was updated successfully.

Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.

Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.

Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.

Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.

Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.

Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.

firepower-1010#
firepower-1010# connect local-mgmt ###### run 'connect local-mgmt' to enter local-mgmt
firepower-1010(local-mgmt)# Apr 24 03:36:56 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][cleared][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

firepower-1010(local-mgmt)#
firepower-1010(local-mgmt)# format everything ###### run 'format everything'
All configuration and bootable images will be lost.
Do you still want to format? (yes/no):yes ###### answer 'yes'
ls: cannot access '/sys/block/sdb': No such file or directory
100+0 records in
100+0 records out
51200 bytes (51 kB, 50 KiB) copied, 0.00350707 s, 14.6 MB/s
4+0 records in
4+0 records out
2048 bytes (2.0 kB, 2.0 KiB) copied, 0.00200042 s, 1.0 MB/s
100+0 records in
100+0 records out
51200 bytes (51 kB, 50 KiB) copied, 0.000230618 s, 222 MB/s
dd: invalid number: ''

Broadcast message from root@firepower-1010 (Mon Apr 24 03:37:09 2023):

All shells being terminated due to system /sbin/reboot

Broadcast message from root@firepower-1010 (Mon Apr 24 03:37:10 2023):

System restarted due to disks being reformatted.

Broadcast message from root@firepower-1010 (ttyS0) (Mon Apr 24 03:37:11 2023)System restarted due to disks being reformatted.
The system is going down for reboot NOW!
: INIT: Sending processes the TERM signal
2023 Apr 24 03:37:14 PMLOG: PM IPC UTILITY: Shutting down all ports
Apr 24 03:37:14 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to DOWN
Apr 24 03:37:14 firepower-1010 port-manager: Alert: Ethernet1/1 link changed to DOWN
Stopping OpenBSD Secure Shell server: sshd
stopped /usr/sbin/sshd (pid 12418)
done.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1412)
acpid.
Stopping web server: apache2failed
Stopping system message bus: dbus.
Stopping DHCP server: dhcpd3no /usr/sbin/dhcpd found; none killed
.
stopping DNS forwarder and DHCP server: dnsmasq... no /usr/bin/dnsmasq found; none killed
stopping mountd: done
stopping nfsd: done
Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 12571)
done
acpid: exiting
Stopping all devices.
Stopping internet superserver: xinetd.
stopping statd: done
Stopping random number generator daemon.
Stopping domain name service: named.
Stopping crond: OK
Stopping rpcbind daemon...
not running.
Stopping fan control daemon: fancontrol... no process in pidfile '/var/run/fancontrol.pid' found; none killed
done.
Stopping sensors logging daemon: sensord... stopped /usr/sbin/sensord (pid 2550)
done.
* Stopping virtualization library daemon: libvirtd
*[fail]
Deconfiguring network interfaces... done.
Stopping FreeRADIUS daemon radiusd Failed
Mon Apr 24 03:37:17 UTC 2023
Apr 24 03:37:17 firepower-1010 KP-NVRAM: Confreg value: confreg = 0x1
SSP-Security-Module is shutting down ...
Mon Apr 24 03:37:18 UTC 2023 SHUTDOWN WARNING: Beginning System Shutdown request for CSP Apps
Mon Apr 24 03:37:18 UTC 2023 SHUTDOWN WARNING: Upgrade process ready for reboot
Mon Apr 24 03:37:18 UTC 2023 SHUTDOWN WARNING: Continue System Shutdown request for CSP Apps
Mon Apr 24 03:37:18 UTC 2023 SHUTDOWN WARNING: Nothing to do for Apps-Services-Down
Mon Apr 24 03:37:18 UTC 2023
FPR-1xxx platform rebooting ...
Note: SIGKILL_ALL will be triggered after after 0 + 2 secs ...
Mon Apr 24 03:37:19 UTC 2023
Sending ALL processes the KILL signal ...
Error: poshd was not running... Starting ...
Mon Apr 24 03:37:20 UTC 2023
Deactivating swap...
Unmounting local filesystems...
mount: /: mount point is busy.
Rebooting... [ 250.500504] reboot: Restarting system




*******************************************************************************
Cisco System ROMMON, Version 1.0.17, RELEASE SOFTWARE
Copyright (c) 1994-2023 by Cisco Systems, Inc.
Compiled Thu 03/23/2023 11:19:30.64 by builder
*******************************************************************************

Current image running: Boot ROM1
Last reset cause: ResetRequest (0x00001000)
DIMM0 : Present

Platform FPR-1010 with 8192 MBytes of main memory
Detected Nic devid(0) 15398086
bus: 3 dev: 0 func: 0
BIOS has been successfully locked !!
MAC Address: ec:ce:13:1c:f2:80

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.

###### Press ESC to interrupt the boot

Boot interrupted.


rommon 1 >
rommon 1 > ADDRESS=10.105.101.185 ###### IP address the appliance uses for the download
rommon 2 > NETMASK=255.255.255.0 ###### netmask
rommon 3 > GATEWAY=10.105.101.1 ###### default gateway
rommon 4 > SERVER=10.76.78.236 ###### TFTP server holding the image
rommon 5 > IMAGE=cisco-asa-fp1k.9.16.4.18.SPA ###### image file name
rommon 6 > set ###### verify the settings
ADDRESS=10.105.101.185
NETMASK=255.255.255.0
GATEWAY=10.105.101.1
SERVER=10.76.78.236
IMAGE=cisco-asa-fp1k.9.16.4.18.SPA
CONFIG=
PS1="rommon ! > "

rommon 7 >
rommon 7 > ping 10.76.78.236 ###### confirm reachability of the TFTP server

link upSending 10, 32-byte ICMP Echoes to 10.76.78.236 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 8 >
rommon 8 >
rommon 8 > tftpdnld ###### run 'tftpdnld' to download the image over TFTP; rommon then checks the LFBFF signature and boots it
ADDRESS: 10.105.101.185
NETMASK: 255.255.255.0
GATEWAY: 10.105.101.1
SERVER: 10.76.78.236
IMAGE: cisco-asa-fp1k.9.16.4.18.SPA
MACADDR: ec:ce:13:1c:f2:80
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect

link up
Receiving cisco-asa-fp1k.9.16.4.18.SPA from 10.76.78.236!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [SNIP]
TFTP: Transfer stopped after 268434140 bytes.
will try boot bundle image !!
File reception completed.
Boot buffer bigbuf=640ff3d8
Boot image size = 191304784 (0xb671450) bytes
[image size] 191304784
[MD5 signature] 32694cdfa6a2da3624f1f3228dd2c905

+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF signature authentication passed !!! |
| |
+-------------------------------------------------------------------+
LFBFF signature verified.
+-------------------------------------------------------------------+
+------------------------- SUCCESS ---------------------------------+
+-------------------------------------------------------------------+
| |
| LFBFF controller type check passed !!! |
| |
+-------------------------------------------------------------------+

Linux version: 4.18.45-yocto-standard (oe-user@oe-host) #1 SMP Wed Mar 8 23:34:39 UTC 2023
kernel_image = 0x6f12b588, kernel_size=0x6452a0
Image validated
INIT: version 2.88 booting
Starting udev
Hardware tweak APPLIED: Disable SATA Throttle.1
Hardware tweak APPLIED: Disable SATA Throttle.2
Configuring network interfaces... done.
Starting random number generator daemon.
Primary SSD discovered
Primary SSD has incorrect partitions
Skipping prompt because disk is blank
Formating Primary SSD...
Creating boot partition: START: 1MB END: 8001MB
mke2fs 1.44.3 (10-July-2018)
/dev/sda1 contains a ext3 file system
last mounted on /mnt/boot on Mon Apr 24 03:33:23 2023
Discarding device blocks: 4096/19530241576960/1953024 done
Creating filesystem with 1953024 4k blocks and 488640 inodes
Filesystem UUID: c0c86556-f600-4ef1-8086-6a528e825e3f
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: 0/60 done
Writing inode tables: 0/60 done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: 0/60 done

Creating config partition: START: 8001MB END: 9001MB
mke2fs 1.44.3 (10-July-2018)
/dev/sda2 contains a ext3 file system
last mounted on /opt/cisco/config on Mon Apr 24 03:33:23 2023
Discarding device blocks: 4096/244224 done
Creating filesystem with 244224 4k blocks and 61056 inodes
Filesystem UUID: 61721c17-18b5-4d18-9f74-0c2719bbaace
Superblock backups stored on blocks:
32768, 98304, 163840, 229376

Allocating group tables: 0/8 done
Writing inode tables: 0/8 done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: 0/8 done

Creating log partition: START: 9001MB END: 10001MB
mke2fs 1.44.3 (10-July-2018)
/dev/sda3 contains a ext3 file system
last mounted on /opt/cisco/platform/logs on Mon Apr 24 03:33:23 2023
Discarding device blocks: 4096/244224 done
Creating filesystem with 244224 4k blocks and 61056 inodes
Filesystem UUID: 1de386bb-744f-4d05-be35-bf2075411d64
Superblock backups stored on blocks:
32768, 98304, 163840, 229376

Allocating group tables: 0/8 done
Writing inode tables: 0/8 done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: 0/8 done

Creating coredump partition: START: 10001MB END: 40001MB
mke2fs 1.44.3 (10-July-2018)
/dev/sda4 contains a ext3 file system
last mounted on Mon Apr 24 03:33:47 2023
Discarding device blocks: 4096/7324160 done
Creating filesystem with 7324160 4k blocks and 1831424 inodes
Filesystem UUID: f763e63f-d2be-469d-9132-529cd48cfc27
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000

Allocating group tables: 0/224 done
Writing inode tables: 0/224 4/224 done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: 0/224 done

Creating csp partition: START: 40001MB END: 100%
meta-data=/dev/sda5 isize=256 agcount=4, agsize=9765888 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=0 finobt=0, sparse=0, rmapbt=0
= reflink=0
data = bsize=4096 blocks=39063552, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=19074, version=2
= sectsz=4096 sunit=1 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
Done with primary disk partition
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda1] fsck.ext3 -a /dev/sda1
/dev/sda1: clean, 11/488640 files, 51369/1953024 blocks
fsck(/dev/sda1) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda2] fsck.ext3 -a /dev/sda2
/dev/sda2: clean, 11/61056 files, 8244/244224 blocks
fsck(/dev/sda2) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda3] fsck.ext3 -a /dev/sda3
/dev/sda3: clean, 11/61056 files, 8244/244224 blocks
fsck(/dev/sda3) returned 0
fsck from util-linux 2.32.1
[/sbin/fsck.ext3 (1) -- /dev/sda4] fsck.ext3 -a /dev/sda4
/dev/sda4: clean, 11/1831424 files, 158994/7324160 blocks
fsck(/dev/sda4) returned 0
mount_disk_xfs. device: /dev/sda5, dir: /opt/cisco/csp, mount returned: 0.
Moving FXOS ramdisk to SSD ...
Moving FXOS ramdisk to SSD ... done
Starting TAm services ...
Device configuration status = TAM_SUCCESS
TAm Services started successfully
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
FIPS POST Test Script
NOTICE: The FIPS POST is not run because the FIPS feature is not enabled
Configuring packages on first boot... INIT: Entering runlevel: 3
Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
generating ssh ed25519 key...
done.
Starting rpcbind daemon...done.
starting statd: done
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up with netlink and the input layer
acpid: 1 rule loaded
acpid: waiting for events: event logging is off
Starting DHCP server: .
starting 8 nfsd kernel threads: done
starting mountd: done
Starting ntpd: done
Restarting all devices.
Processing /etc/c3xxx_dev0.conf
Checking status of all devices.
There is 1 QAT acceleration device(s) in the system:
qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
Starting internet superserver: xinetd.
Starting fan control daemon: fancontrol... done.
INFO: beginning of manager_install
INFO: deleting unnecessary xml file..!!
/bin/rm: cannot remove '/opt/cisco/kppm': Device or resource busy
/bin/mkdir: cannot create directory '/opt/cisco/kppm': File exists
INFO: deleted unnecessary xml file..!!
INFO: disaster recovery - use default service mgr
INFO: manager_post_install ...
INFO: manager_post_install: boot file does not exist
INFO: manager_post_install: fxmgr= chmgr= update=false
INFO: manager_post_install: Linking libraries ...
INFO: manager_post_install: Linking binaries ...
Completed system initial setup.
INFO: Trying to add iptables and ip6tables rules ...
INFO: Set up Application Diagnostic Interface ...
INFO: Configure management0 interface ...
Firepower 1xxx platform..
RTNETLINK answers: File exists
RTNETLINK answers: File exists
Assigning ip to eth0 in FPR-1xxx platform
INFO: Configure rmu interface ...
Bring up rmu and swp1-swp8 switch interfaces
create and bringup lldp sub-interface on lldp-swp7, lldp-swp8
create and bringup lacp and mgmt sub-interface on (lacp-swp1 to lacp-swp8), (mgmt-swp1 to mgmt-swp8)







Stopping rpcbind daemon...
done.
stopping mountd: done
stopping nfsd: .done
INFO: Configure system files ...
INFO: System Name is: firepower-1010
Starting sensors logging daemon: sensord... done.
INFO: console : ttyS0, speed : 9600
INFO: manager_startup: setting up fxmgr apache ...
INFO: manager_startup: Start manager httpd setup...
INFO: manager_startup: /opt/cisco/config/certstore/default.key not found on platform, re-generating files
INFO: manager_startup: reset httpd app config to default
httpdRegister INFO: [httpd.2574 -4 192.168.45.45 -n localhost]
httpdRegister INFO: Starting httpd setup/registration...
httpdRegister INFO: Completed httpd setup/registration!
INFO: httpdRegister [httpd.2574 script exit]
INFO: manager_startup: Completed manager httpd setup!
Starting crond: OK
INFO: starting config regster monitor


firepower-1010 login: INFO: System Disk /dev/sda present. Status: Operable.

Waiting for Application infrastructure to be ready...
Verifying the signature of the Application image...
Creating FXOS swap file ...
32768+0 records in
32768+0 records out
4294967296 bytes (4.3 GB, 4.0 GiB) copied, 15.8198 s, 271 MB/s
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=d3d394da-b4cd-4b51-9fa3-cea68b6e562e
Apr 24 03:42:52 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][critical][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

firepower-1010 login:
firepower-1010 login: admin ###### log in as admin/Admin123 (the format restored the factory default; the change is forced again)
Password:
Successful login attempts for user 'admin' : 1
Hello admin. You must change your password.
Enter new password:
Confirm new password:
Your password was updated successfully.

[SNIP: license banner, identical to the one printed at the first login above]

firepower-1010# Apr 24 03:43:29 firepower-1010 port-manager: Alert: Ethernet1/1 link changed to UP
Apr 24 03:43:29 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to UP

firepower-1010#
firepower-1010# scope fabric-interconnect a ###### run 'scope fabric-interconnect a'
  ###### set the management IP address with 'set out-of-band static ip'

firepower-1010 /fabric-interconnect # set out-of-band static ip 10.105.101.184 netmask 255.255.255.0 gw 10.105.101.1
Warning: When committed, this change may disconnect the current CLI session.
Use commit-buffer command to commit the changes.
firepower-1010 /fabric-interconnect* # commit-buffer ###### 'commit-buffer' applies the change
firepower-1010 /fabric-interconnect # exit ###### 'exit' to leave the scope
firepower-1010#
firepower-1010# connect local-mgmt ###### 'connect local-mgmt' to enter local-mgmt
firepower-1010(local-mgmt)#
firepower-1010(local-mgmt)# ping 10.76.78.236 ###### ping the TFTP server; here the first replies only arrive from icmp_seq=18, so wait for steady replies before starting the download
PING 10.76.78.236 (10.76.78.236) from 10.105.101.184 : 56(84) bytes of data.
64 bytes from 10.76.78.236: icmp_seq=18 ttl=57 time=2082 ms
64 bytes from 10.76.78.236: icmp_seq=19 ttl=57 time=1042 ms
64 bytes from 10.76.78.236: icmp_seq=20 ttl=57 time=2.01 ms
64 bytes from 10.76.78.236: icmp_seq=21 ttl=57 time=0.281 ms
64 bytes from 10.76.78.236: icmp_seq=22 ttl=57 time=0.333 ms
64 bytes from 10.76.78.236: icmp_seq=23 ttl=57 time=0.336 ms
64 bytes from 10.76.78.236: icmp_seq=24 ttl=57 time=0.334 ms
^C
--- 10.76.78.236 ping statistics ---
24 packets transmitted, 7 received, 70.8333% packet loss, time 929ms
rtt min/avg/max/mdev = 0.281/446.753/2081.982/758.127 ms, pipe 3

firepower-1010(local-mgmt)#
firepower-1010(local-mgmt)# exit ###### 'exit' to leave local-mgmt
firepower-1010#
firepower-1010# scope firmware ###### run 'scope firmware'
###### run 'download image' to fetch the image

firepower-1010 /firmware # download image tftp://10.76.78.236/cisco-asa-fp1k.9.16.4.18.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : transferring 64672 KB
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : transferring 180976 KB
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : transferring 283584 KB
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : transferring 402464 KB
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : transferring 458008 KB
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : verifying image ...
###### confirm the download completed
firepower-1010 /firmware # % Download-task cisco-asa-fp1k.9.16.4.18.SPA : completed successfully.

firepower-1010 /firmware #
firepower-1010 /firmware #
firepower-1010 /firmware # show package ###### run 'show package' and note the 'Package-Vers' of the downloaded file
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.16.4.18.SPA 9.16.4.18
firepower-1010 /firmware #
firepower-1010 /firmware #
firepower-1010 /firmware # scope auto-install ###### run 'scope auto-install'
firepower-1010 /firmware/auto-install #
###### run 'install security-pack'
###### for 'version', specify the 'Package-Vers' confirmed with 'show package' above
firepower-1010 /firmware/auto-install # install security-pack version 9.16.4.18

The system is currently installed with security software package not set, which has:
- The platform version: not set
If you proceed with the upgrade 9.16.4.18, it will do the following:
- upgrade to the new platform version 2.10.1.248
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes ###### answer 'yes'

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes ###### answer 'yes'

Triggered the install of software package version 9.16.4.18
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
firepower-1010 /firmware/auto-install # Apr 24 03:47:13 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][cleared][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

firepower-1010 /firmware/auto-install # show

Firmware Auto-Install:
Package-Vers Oper State Upgrade State
------------ ---------------------------- -------------
9.16.4.18 Scheduled Ready
firepower-1010 /firmware/auto-install #
firepower-1010 /firmware/auto-install # show detail

Firmware Auto-Install:
Package-Vers: 9.16.4.18
Oper State: Scheduled
Installation Time: 2023-04-24T03:47:12.932
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task:
firepower-1010 /firmware/auto-install #
firepower-1010 /firmware/auto-install # show detail

Firmware Auto-Install:
Package-Vers: 9.16.4.18
Oper State: Scheduled
Installation Time: 2023-04-24T03:47:12.932
Upgrade State: Installing Application
Upgrade Status: installing application image
Validation Software Pack Status: ok
Firmware Upgrade Status: up-to-date
Current Task: Waiting for Application Activation to complete(FSM-STAGE:sam:dme:FirmwareSystemDeploy:PollApplicationActivationStatus)
firepower-1010 /firmware/auto-install #
firepower-1010 /firmware/auto-install #
Cisco ASA: CMD=-install, CSP-ID=cisco-asa.9.16.4.18__asa_001_JMX2503X0YP04SZJ11, FLAG=''

firepower-1010 /firmware/auto-install # Verifying signature for cisco-asa.9.16.4.18 ...
Verifying signature for cisco-asa.9.16.4.18 ... success

Cisco ASA: CMD=-start, CSP-ID=cisco-asa.9.16.4.18__asa_001_JMX2503X0YP04SZJ11, FLAG=''
Cisco ASA starting ...
ASA start done pre
ASA Clear status

firepower-1010 login: admin (automatic login) ###### login to FXOS happens automatically

Last login: Mon Apr 24 03:43:15 UTC 2023 on ttyS0
Successful login attempts for user 'admin' : 2
Please wait for Cisco ASA to come online...1...
Deleting previous CGroup Configuration ...
Registering to process manager ...
Cisco ASA started successfully.
Apr 24 03:50:42 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to DOWN
Apr 24 03:50:42 firepower-1010 port-manager: Alert: Ethernet1/1 link changed to DOWN
Please wait for Cisco ASA to come online...2...
lina_init_env: memif is not enabled.
System Cores 4 Nodes 1 Max Cores 128
IO Memory Nodes: 1
IO Memory Per Node: 549453824 bytes num_pages = 134144 page_size = 4096

Global Reserve Memory Per Node: 786432000 bytes Nodes=1

LCMB: got DMA 1073741824 bytes on numa-id=0, phys=0x0000000200000000, virt=0x00007fca40000000
LCMB: HEAP-CACHE POOL got 782237696 bytes on numa-id=0, virt=0x00007fca11400000

total_reserved_mem = 1073741824

total_heapcache_mem = 782237696
ERROR: fail to open /var/run/lina/meminfo_new
ERROR: fail to open /var/run/lina/meminfo_old
total mem 7508097024 system 8303554560 kernel 57092096 image 112489560
new 7508097024 old 661943384 reserve 1855979520 priv new 5709209600 priv old 0
Processor memory: 7508097024
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 114564
POST started...
POST finished, result is 0 (hint: 1 means it failed)

Cisco Adaptive Security Appliance Software Version 9.16(4)18

Compiled on Fri 24-Mar-23 06:51 GMT by builders
FPR-1010 platform
Total SSMs found: 0

Total NICs found: 5
x550em_kr rev 0x11 10 Gigabit Ethernet, index 00 MAC: 00a0.c900.0000
en_vtun rev00 Backplane Ext-Mgmt Interface @ index 03 MAC: ecce.131c.f281
en_vtun rev00 Backplane Tap Interface @ index 04 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
24Apr2023 03:50:55 Read error: Open failed. Error message: No such file or directory.
License mode file was not found. Assuming this is the initial bootup. Setting the license mode to Smart Licensing.

INFO: Unable to read firewall mode from flash
Writing default firewall mode (single) to flash

INFO: Unable to read cluster interface-mode from flash
Writing default mode "None" to flash
*** Intel QAT Crypto on-board accelerator detected
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)
Driver version : 4.11.0
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.
The 3DES/AES algorithms require a Encryption-3DES-AES entitlement.

Cisco Adaptive Security Appliance Software Version 9.16(4)18

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.16
Copyright (c) 1996-2023 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

config_fetcher: channel open failed
WARNING: MIGRATION - no startup configuration or configuration not found.

INFO: Power-On Self-Test in process.
........................
INFO: Power-On Self-Test complete.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.
Creating trustpoint "_SmartCallHome_ServerCA2" and installing certificate...

Trustpoint CA certificate accepted.
Apr 24 03:51:39 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to UP
Apr 24 03:51:40 firepower-1010 port-manager: Alert: Ethernet1/3 link changed to UP
Apr 24 03:51:41 firepower-1010 port-manager: Alert: Ethernet1/4 link changed to UP
INFO: Security level for "management" set to 0 by default.
INFO: Security level for "inside" set to 100 by default.
INFO: Security level for "outside" set to 0 by default.
Apr 24 03:51:42 firepower-1010 port-manager: Alert: Ethernet1/5 link changed to UP
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type helor a list of available commands.
ciscoasa> Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

ciscoasa>
ciscoasa> ###### ASA boots
ciscoasa> enable ###### run 'enable'
The enable password is not set. Please set it now. ###### set the initial 'enable password'
Enter Password: ********* ###### enter the initial password
Repeat Password: ********* ###### re-enter the initial password
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa#
ciscoasa#
ciscoasa# write memory ###### run 'write memory'
Building configuration...
Cryptochecksum: da4271c1 78c3c5c9 328f4f54 dc39f815

11196 bytes copied in 0.370 secs
[OK]
ciscoasa#
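The FXOS steps above (confirm the 'Package-Vers' with 'show package', pass it to 'install security-pack version', then poll 'show detail' until the application is installed) are the part an operator most often scripts when re-imaging several units over the console. The following is an added example, not code from the original article or from Cisco: it parses the 'show package' and 'show detail' text exactly as printed in the transcript above, derives the install command from the parsed version, and classifies the upgrade state. The console driver (serial/pexpect session) is assumed to exist elsewhere and is not part of this example; the sample outputs are copied from the transcript.

```python
"""Parse FXOS 'show package' / 'show detail' output for a scripted re-image.

Added example (not from the article or from Cisco). Assumes a separate
console driver feeds the captured text to these functions.
"""
import re

# Sample outputs copied from the transcript above.
SHOW_PACKAGE_OUTPUT = """\
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.16.4.18.SPA 9.16.4.18
"""

SHOW_DETAIL_SCHEDULED = """\
Firmware Auto-Install:
Package-Vers: 9.16.4.18
Oper State: Scheduled
Installation Time: 2023-04-24T03:47:12.932
Upgrade State: Ready
Upgrade Status:
Validation Software Pack Status:
Firmware Upgrade Status:
Current Task:
"""

SHOW_DETAIL_INSTALLING = """\
Firmware Auto-Install:
Package-Vers: 9.16.4.18
Oper State: Scheduled
Installation Time: 2023-04-24T03:47:12.932
Upgrade State: Installing Application
Upgrade Status: installing application image
Validation Software Pack Status: ok
Firmware Upgrade Status: up-to-date
Current Task: Waiting for Application Activation to complete(FSM-STAGE:sam:dme:FirmwareSystemDeploy:PollApplicationActivationStatus)
"""


def parse_show_package(text):
    """Return {package file name: Package-Vers} from 'show package' output."""
    packages = {}
    for line in text.splitlines():
        # Skip the header row, the dashed separator and blank lines.
        if not line.strip() or line.startswith("Name") or line.startswith("---"):
            continue
        parts = line.split()
        if len(parts) == 2:
            packages[parts[0]] = parts[1]
    return packages


def version_for_image(text, image_name):
    """Version to pass to 'install security-pack version', or None if the
    downloaded file is not listed (download not finished or failed)."""
    return parse_show_package(text).get(image_name)


def build_install_command(version):
    """Build the auto-install command from a parsed version string."""
    # Only a dotted numeric version is accepted, so a parsing error can never
    # turn into an unexpected command string sent to the device.
    if not re.fullmatch(r"\d+(\.\d+)+", version):
        raise ValueError(f"unexpected version string: {version!r}")
    return f"install security-pack version {version}"


def parse_show_detail(text):
    """Return the 'key: value' block of 'show detail' as a dict.

    Splits on the first ':' only, so timestamps and the FSM-STAGE task
    name (both containing ':') are kept whole."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.rstrip().endswith("Auto-Install:"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def install_phase(text):
    """Classify 'show detail' output. The transcript shows two states:
    'Ready' (scheduled, nothing done yet) and 'Installing Application'.
    Anything else is reported as 'unknown' for the caller to inspect."""
    state = parse_show_detail(text).get("Upgrade State", "")
    if state == "Ready":
        return "scheduled"
    if state.startswith("Installing"):
        return "installing"
    return "unknown"


def validation_ok(text):
    """True once FXOS reports the software pack validation as 'ok'."""
    return parse_show_detail(text).get("Validation Software Pack Status") == "ok"
```

Usage: feed the captured 'show package' text and the image file name to version_for_image, send the string returned by build_install_command, then poll 'show detail' and call install_phase until the ASA console appears as in the transcript above.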

References
