
ASA with FirePOWER Services

Installation
Installation Requirements
ASA 5512-X to ASA 5555-X and ASA 5585-X
ASA version 9.2(2.4) or later
FirePOWER 5.3.1.1 or later
5.4.1 not supported
ASA 5506-X, 5508-X and 5516-X
ASA version 9.3(2.2) or later
FirePOWER 5.4.1 or later
The ASA management port only needs to be enabled
It must be in the same VLAN as one of the ASA's IP-enabled data interfaces
On these platforms FirePOWER is also known as SFR
Supported in routed/transparent mode
Supported in single/multiple-context mode
Copyright www.ine.com
Installation Steps
Verify whether IPS or CX modules are installed
Uninstall them before moving forward
A single software module instance is supported
Copy the boot image on ASA flash
Load the boot image
It will format the SSD, partition it and create directories
Configure it for IP connectivity
Copy the system image on FTP/HTTP/HTTPS server
Install the system image
Configure it for IP connectivity
Uninstall Existing Software Modules
Verify pre-installed modules
show module

Uninstall Existing Software Modules
Shutdown pre-installed modules
sw-module module ips shutdown
sw-module module cxsc shutdown

Uninstall Existing Software Modules
Verify the module is down
show module ips
show module cxsc

Uninstall Existing Software Modules
Uninstall the module
sw-module module ips uninstall
sw-module module cxsc uninstall

Uninstall Existing Software Modules
Verify the module has been uninstalled
show module ips
show module cxsc

Install SFR Boot Image
Configure boot image location from flash
sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.4.0-763.img
Load/install the boot image
sw-module module sfr recover boot
Depending on the ASA platform, the process may take more than 15 minutes
Install SFR Boot Image
Loading the boot image

Install SFR Boot Image
The following command cannot be used to verify whether the boot image has been successfully loaded
show module sfr
Enable logging to identify when the boot image has been loaded
debug module-boot
show module sfr log console

Install SFR Boot Image
Open a console session
session sfr console
Authenticate with username admin and password Admin123
Configure IP connectivity, hostname, DNS, NTP server
setup

Install SFR Boot Image
Verify boot image configuration
show version
show interfaces
show route
Verify network connectivity
ping
traceroute
nslookup
Install SFR System Image
The ASA SFR module requires IP connectivity with the FTP/HTTP/HTTPS server
system install ftp://<username>:<password>@172.16.10.100/asasfr-sys-5.4.0-763.pkg
Installation may take more than 30 minutes
Once the system image is installed, it will ask for a reboot
Confirm FirePOWER is functional
show module sfr
Install SFR System Image
Open a console session
session sfr console
Authenticate with username admin and password Sourcefire
Accept the EULA
Change the user password
Configure IP and DNS connectivity

Install SFR System Image
Verify system version and network configuration
show version
show network
show ifconfig
show interfaces
Add/remove/change user settings
configure user

Install SFR System Image
Verify module status from ASA
show module sfr details

Install SFR System Image
Troubleshooting network access requires entering expert mode
expert
Useful tools in expert mode
nslookup
traceroute
ping

Install SFR System Image
By default ping is not allowed; its permissions need to be changed
ls -al /bin/ping
sudo chmod u+s /bin/ping
By default traceroute is not allowed; run it as root
ls -al /sbin/traceroute
sudo su -
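
The chmod u+s step above sets the setuid bit on /bin/ping for as long as it is left in place. As an added example (not part of the original slides), this shell sketch records file modes before troubleshooting and restores them afterwards; the function names and the CHMOD variable are assumptions of the sketch, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: snapshot file modes before troubleshooting, restore them after.
# CHMOD is an assumption of this sketch; in expert mode use CHMOD="sudo chmod".
CHMOD=${CHMOD:-chmod}

# save_modes STATEFILE FILE... : write "<octal mode> <path>" for each file.
save_modes() {
    state=$1; shift
    : > "$state"
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
        printf '%s %s\n' "$(stat -c '%a' "$f")" "$f" >> "$state"
    done
}

# list_setuid FILE... : print every file that currently has the setuid bit set.
list_setuid() {
    for f in "$@"; do
        [ -u "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# restore_modes STATEFILE : chmod each file back to its recorded mode and
# return non-zero if any file still differs afterwards.
restore_modes() {
    rc=0
    while read -r mode path; do
        $CHMOD "$mode" "$path" || rc=1
        [ "$(stat -c '%a' "$path")" = "$mode" ] || { echo "not restored: $path" >&2; rc=1; }
    done < "$1"
    return $rc
}
```

Typical use: save_modes /tmp/modes /bin/ping before the chmod, then restore_modes /tmp/modes and list_setuid /bin/ping once troubleshooting is finished.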

Q&A

Copyright www.ine.com All rights reserved.
