Table of Contents
1 Introduction
2 POV Process
3 Training
4 Deployment
5 Software Download
6 Installation
6.1 Confirm Health of Solid State Drive (SSD)
6.2 Uninstalling Existing IPS or CX Software (If Required)
6.3 Install ASA 5500-X System Software
6.4 Install Firepower Services on ASA
6.5 Bootstrap Firepower on ASA
7 FMC Configuration
8 Risk Reports
9 Device Sanitization
10 Next Steps
Appendix A: Win Criteria
Appendix B: Data Collection Worksheet
Appendix C: POV Outcome
Cisco FP on ASA POV Best Practices Quick Start Guide
1 Introduction
The Cisco Global Security Sales Organization (GSSO) is pleased to announce the Firepower on ASA (FP on
ASA) Proof of Value (POV) Best Practices quick start guide. This document provides information on the
POV process, training, software download, installation, licensing, initial configuration, customer
deployment, risk report generation, and device sanitization. This quick start guide covers the most
common deployment type and provides necessary information for successful POVs. For different
deployment options or additional details, you can review additional POV materials here:
https://communities.cisco.com/docs/DOC-65405
2 POV Process
A POV is a customer engagement that demonstrates unique business value during an on-site
engagement. The POV process requires proper scoping to identify customer win criteria. Win criteria are
used to focus the on-site engagements on the solution elements that are most important to a particular
customer. Appendix A includes scoping questions to help establish win criteria for FP on ASA POVs.
Most partner-executed POVs will be tactical, leveraging FP on ASA and dCloud-hosted Firepower
Management Centers (FMCs). All customer configuration should be completed before arriving on
site, based on pre-defined customer evaluation data including network, management, SPAN port, and
power details. A worksheet to collect this information is available in Appendix B.
The following sections cover system installation and configuration steps for a partner executed POV. All
items must be completed together for the system to work properly during the customer engagement.
After the POV, completing the POV Outcome worksheet in Appendix C will help to track POV
information and lead to effective POV decision making and increased win rates. Follow the instructions
below carefully and submit any feedback to asa-assess@external.cisco.com.
3 Training
Cisco offers the Fire Jumper program, which develops partner pre-sales security SEs to lead customer
engagements from sizing, scoping, and design through demonstration and proof of value. Prior to
delivering a customer FP on ASA POV, we recommend that partners achieve Stage 4 of the Fire Jumper
program for the NGFW & NGIPS competency area. Program and training information is available through
the following Security Partner Community posts.
Fire Jumper Program
https://communities.cisco.com/docs/DOC-55046
NGFW & NGIPS Competency Area
https://communities.cisco.com/docs/DOC-57815
4 Deployment
The majority of tactical POVs will leverage Cisco ASAs running FP on ASA. To minimize the risk of disruption
to the customer environment while providing the most value, passive deployments are recommended.
This is accomplished by configuring a SPAN port on a Cisco switch in the customer environment and a
passive (monitor-only) interface on the FP on ASA, so the ASA never sits in the customer's traffic path.
There are multiple options to send traffic to the FP on ASA, and the best deployment is one that gives
visibility of both Internet-facing and internal segments. For tactical POVs, we recommend configuring
multiple SPAN sessions on the customer's switches to capture both Internet and internal traffic. Please refer to
the SPAN configuration examples here that match your customer's switch type:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html.
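The Catalyst IOS configuration below is an added example and is not part of the original guide or of the linked Cisco document. It assumes GigabitEthernet1/0/1 is the Internet-facing uplink, VLANs 10 and 20 are the internal user segments, and GigabitEthernet1/0/23 and 1/0/24 are spare ports cabled to the ASA data interfaces; all of these names are assumptions. Catalyst switches do not allow port sources and VLAN sources in the same local SPAN session, so the Internet and internal traffic use two sessions with two destination ports.

```cisco
! Assumed topology (example only): Gi1/0/1 = Internet uplink, VLAN 10/20 = internal
! users, Gi1/0/23 and Gi1/0/24 = spare ports cabled to the ASA.
!
! Session 1: Internet-facing traffic, both directions of the uplink port
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/23
!
! Session 2: internal segments, both directions of the user VLANs
! (port and VLAN sources cannot share one session, hence the second session)
monitor session 2 source vlan 10 , 20 both
monitor session 2 destination interface GigabitEthernet1/0/24
!
! Verify: each session should list the sources above and Type : Local Session
show monitor session all
!
! A 1 Gb destination port silently drops whatever exceeds its line rate; if the
! output rate sits at the port speed, narrow the sources or split them further.
show interfaces GigabitEthernet1/0/23 | include rate
show interfaces GigabitEthernet1/0/24 | include rate
```

A SPAN destination port stops forwarding normal switched traffic, so use ports that carry nothing else. Each destination port needs its own ASA data interface configured with traffic-forward sfr monitor-only as shown in section 6.3 (for example GigabitEthernet0/1 for the second session), and every SPAN session must be removed from the customer switch at the end of the POV.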
For tactical POVs, we recommend that partners leverage the Cisco Firepower Management Center Proof
of Value available at https://dcloud.cisco.com. When using dCloud, installation options for dCloud
include Endpoint Router and FP on ASA or Standalone FP on ASA. This guide will present the standalone
FP on ASA option.
5 Software Download
The instructions that follow show how to download required software for an ASA 5515-X. As of the
writing of this document, the recommended FP on ASA version is 6.1.0 because of support for
integrated Risk Reports. Verify the current supported version by checking the name of the dCloud
Firepower Management Center Proof of Value. The information below serves as an example of a
common POV configuration. Adjust the process as required to match your hardware specifications.
If you are unable to access any software due to entitlement, engage with your Cisco alliance manager to
associate your CCO account with your company to grant partner-level CCO access. If you are still unable
to access the software, follow the process at this link to request access from partner help through the
special file publish process: https://communities.cisco.com/docs/DOC-55301
For additional information on migration paths and upgrade dependencies, please refer to the following
link: http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/upgrade/upgrade95.html.
For support of the latest features, Firepower Services for ASA requires system software 9.5(1) or later.
Select each of the following options and download the versions listed below or later.
Adaptive Security Appliance (ASA) Device Manager: 7.6.2.150 (asdm-762-150.bin)
Adaptive Security Appliance (ASA) Software: 9.6.2 (asa962-smp-k8.bin)
Then, select the Firewalls breadcrumb. Continue navigating to Downloads Home > Products > Security >
Firewalls > Next-Generation Firewalls (NGFW) > ASA 5500-X with FirePOWER Services > ASA 5515-X with
FirePOWER Services > Firepower Services Software for ASA.
Select the following options and download the versions listed below or later.
Cisco ASA with Firepower Services Boot Image (asasfr-5500x-boot-6.1.0-330.img)
Cisco ASA with Firepower Services Install Package (asasfr-sys-6.1.0-330.pkg)
6 Installation
6.1 Confirm Health of Solid State Drive (SSD)
Prior to installation, confirm the health of the solid state drive (SSD) within your 5515-X. Power on the
ASA and access the command line. Enter the show inventory command and confirm the presence of the
SSD storage device. The Firepower module runs from this drive, so if no "Storage Device" entry appears,
the installation in section 6.4 cannot succeed.
ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V01 , SN: FGH123456A1
Name: "Storage Device 1", DESCR: "Unigen 128 GB SSD MLC, Model Number: Micron_M550_MTFDDAK123MAY"
PID: N/A , VID: N/A , SN: 12345678900
6.2 Uninstalling Existing IPS or CX Software (If Required)
If your ASA is running the legacy IPS or CX software module, you need to uninstall the old service before
installing FP on ASA, because only one software module can be installed on the SSD at a time.
Access the ASA command line and follow the procedure below. The commands shut down the IPS
module, uninstall the IPS software, and then reload the ASA. To remove CX, use the same steps with the
module name cxsc in place of ips.
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload
6.3 Install ASA 5500-X System Software
For consistency, we will install the ASA 5515-X system software starting from the factory-default
configuration. If the ASA is not running the factory-default configuration, back up the running
configuration and reset it with the following commands.
ciscoasa# copy /noconfirm running-config disk0:/backup.config
ciscoasa# config t
ciscoasa(config)# config factory-default
For the POV, we will use a custom monitor-only mode that simplifies the deployment greatly and
reduces any possibility of network disruption. First, place the firewall in transparent mode; changing the
firewall mode clears the running configuration, which is why it is done before anything else. Then
configure the management interface and default route based on the network configuration information
provided by the customer.
ciscoasa(config)# firewall transparent
ciscoasa(config)# interface management0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address <ASA Management IP> <Netmask>
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route management 0 0 <Default Gateway>
The following items set the enable password, clock, and DNS, and enable ASDM access over HTTPS. Note
that http 0 0 management (and the ssh statement in the next step) accepts connections from any source
address that can reach the management interface; where the customer's management subnet is known,
substitute that network and mask for 0 0 to limit who can reach the ASA's administrative services.
ciscoasa(config)# enable password <Password>
ciscoasa(config)# clock timezone <Timezone> <Hours offset from UTC>
ciscoasa(config)# clock set <hh:mm:ss> <Day> <Month> <Year>
ciscoasa(config)# sysopt noproxyarp management
ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server <DNS IP>
ciscoasa(config-dns-server-group)# exit
ciscoasa(config)# http server enable
ciscoasa(config)# http 0 0 management
After completing these steps, you should have IP connectivity to the ASA, which can be verified by
pinging the ASA Management IP. Next, configure SSH access to the ASA. Generate the RSA host key
before enabling SSH and use at least a 2048-bit modulus.
ciscoasa(config)# crypto key generate rsa general-keys modulus 2048
ciscoasa(config)# username <user> password <pass> privilege 15
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 management
ciscoasa(config)# ssh timeout 60
Finally, configure the interface to receive the SPAN traffic and forward it to the Firepower module. Note
that this feature is intended for Firepower POVs and should not be enabled on a production ASA.
ciscoasa(config)# interface gigabitethernet0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# traffic-forward sfr monitor-only
ciscoasa(config-if)# exit
ciscoasa(config)# write memory
Copy the previously downloaded software images to the management PC running a TFTP or FTP
server with connectivity to the ASA, and enter the following commands to upload the files to the ASA.
TFTP carries the images in the clear, so run the server on the management network only and, after each
copy, compare the hash reported by verify /sha-512 (or /md5) disk0:/<file> with the checksum published
on the Cisco download page before booting from the image.
ciscoasa# copy /noconfirm tftp://<TFTP IP>/asdm-762-150.bin disk0:/asdm-762-150.bin
ciscoasa# copy /noconfirm tftp://<TFTP IP>/asa962-smp-k8.bin disk0:/asa962-smp-k8.bin
ciscoasa# copy /noconfirm tftp://<TFTP IP>/asasfr-5500x-boot-6.1.0-330.img disk0:/asasfr-5500x-boot-6.1.0-330.img
Use the show flash command to verify that the three files were successfully uploaded. Then, in
configuration mode, point the boot system and asdm image settings at the new files and save the
configuration. The ASA tries boot system entries in the order listed, so if show running-config boot
already names an older image, remove that entry first so the new image is booted.
ciscoasa# show flash
ciscoasa# config t
ciscoasa(config)# boot system disk0:/asa962-smp-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-762-150.bin
ciscoasa(config)# write memory
Reload the ASA for the changes to take effect. Then, confirm that the ASA is running the appropriate
software with the show version command.
ciscoasa# reload noconfirm
...
ciscoasa# show version | include Software
Cisco Adaptive Security Appliance Software Version 9.6(2)
6.4 Install Firepower Services on ASA
We previously uploaded the FP on ASA boot image to the ASA. Continue by setting the module boot
location in the ASA and loading the image.
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.1.0-330.img
ciscoasa# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data on that device and attempt
to download/install a new image for it. This may take several minutes.
Wait approximately 5-10 minutes for the ASA Firepower module to boot up, then open a console
session to the Firepower Services boot image and press Enter to be prompted to log in. As of version
6.0, the default username is admin and the default password is Admin123. In version 5.x and prior, the
default username is admin and the default password is Sourcefire.
ciscoasa# session sfr console
If the module is not fully loaded, the session command fails with a message about not being able to
connect over ttyS1, or with ERROR: Failed opening console session with module sfr. Module is in Recover
state. Please try again later. If this happens, try again in a few minutes.
Type setup and configure network settings for the Management interface to establish temporary
connectivity to the HTTP or FTP server so that you can download and install the system software.
asasfr-boot> setup
Type system install followed by the path to the FP on ASA system software. HTTP and FTP are supported;
the example below shows an FTP installation. When the download completes, enter y to continue with
the upgrade, and when prompted press Enter to reboot the system. The initial reboot after installing FP
on ASA may take 30 minutes or longer.
asasfr-boot> system install ftp://10.10.200.2/asasfr-sys-6.1.0-330.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 6.1.0-330 System Install
Requires reboot: Yes
Upgrading
Starting upgrade process...
Populating new system image
Allow 20 minutes for application component installation and reboot the ASA when prompted. Then
session to the module and log in. As of version 6.0, the default username is admin and the default
password is Admin123. In version 5.x and prior, the default username is admin and the default password
is Sourcefire. You will see a different login prompt because you are now logging into a fully functional
module rather than the boot image.
ciscoasa# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape sequence is 'CTRL-^X'.
asasfr login: admin
See the Reimage the Cisco ASA or Firepower Threat Defense Device document for additional details:
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html
6.5 Bootstrap Firepower on ASA
When the reboot is complete, log in to the FP on ASA CLI with the default username admin and
password Admin123. Accept the EULA, change the password, and enter bootstrap information based
on the Data Collection Worksheet (Appendix B). Ensure that you select no when asked if you would like to
manage the device locally; Risk Reports are not supported in the on-box manager, Firepower Device
Manager. The system's own prompt for the manager settings, excerpted below, describes the registration
key and NAT ID that are used in section 7.
Please enter YES or press <ENTER> to AGREE to EULA: YES
...
However, if the sensor and the Firepower Management Center are separated
by a NAT device, you must enter a unique NAT ID, along with the unique
registration key. 'configure manager add DONTRESOLVE [registration key ] [NAT ID ]'
Later, using the web interface on the Firepower Management Center, you
must use the same registration key and, if necessary, the same NAT ID when
you add this sensor to the Defense Center.
7 FMC Configuration
The FP on ASA supplies NGFW and NGIPS services such as Application Visibility and Control (AVC), URL
filtering, and Advanced Malware Protection (AMP). An FMC is optional for configuring FP on ASA, but
required to generate Risk Reports. dCloud provides a hosted and pre-configured FMC that follows POV
best practices and includes customized dashboards optimized for POVs.
To schedule a dCloud POV, browse to http://dcloud.cisco.com and login with your CCO credentials. If
prompted, select the region closest to you to set your default data center.
Select Catalog from the toolbar and search for Firepower POV. Find the appropriate catalog item and
click Schedule to setup the dCloud POV Session.
Enter the POV timeframe and click Next. Note that dCloud demonstrations are limited to 5 days by
default. This can be extended up to 30 days for POVs by opening a case with dCloud support. Extensions
beyond 30 days are handled on a case-by-case basis and require additional customer opportunity
information. Risk Reports are based on 5 days of customer traffic, and additional time should only be
used as required to troubleshoot receiving network traffic or other items.
Enter Customer Pilot/POC for Primary Use, select the Revenue Impact, and provide relevant customer
and partner information. When finished, click Schedule.
Access dCloud and select Dashboard which will reflect the current scheduled sessions. Select View for
the Firepower POV.
Select Details and note the Public Address for the FMC.
Return to the FP on ASA CLI and complete the configuration by identifying the FMC that will manage the
sensor. When using the FMC hosted on dCloud, the network management port must be changed to 8443.
The Public Address from the dCloud session details is the FMC Public IP. The default registration key
is C1sco12345 and the default NAT ID is 12345. Both values are arbitrary, but they must match the values
entered when adding the device from the FMC; because the dCloud defaults are published, a unique key
per POV is preferable. The NAT ID is needed because the sensor sits behind the customer's NAT and the
FMC cannot reach it by address, so the sensor initiates the connection and identifies itself with the NAT ID.
> configure network management-port 8443
Management port changed to 8443.
> configure manager add <FMC Public IP> <Registration Key> <NAT ID>
Manager successfully configured.
To prepare to connect to the FMC, return to the Firepower Management Center dCloud Session Details
and note the Owner and Session ID.
Connect to the FMC by launching a web browser and navigating using https to the Public Address
provided in the dCloud Session Details. Login using Owner for the FMC Username and Session ID for the
Password.
To add your FP on ASA to the FMC, navigate to Devices > Device Management. Select Add > Add Device
from the top right.
When adding a device from dCloud, use the Host of DONTRESOLVE, the Registration Key of C1sco12345,
and select Cisco PoV Access Control Policy from the Access Control Policy drop-down. Select the
Protection, Control, Malware, and URL Filtering licensing options. Expand the advanced settings and
enter a Unique NAT ID of 12345. When complete click Register.
The FMC will contact your FP on ASA and add it as a managed device. If the device is not added
successfully, confirm that the registration keys match, the software versions are compatible, and that a
network device is not blocking the connection. The show managers command from the FP on ASA CLI
will confirm the FMC IP address and show the current status.
If you already registered the FMC with a Smart Licensing server or enabled Evaluation Mode, you
will need to manually add the licenses after the device has been added, from the System > Licenses >
Classic Licenses screen. FMCs use Classic Licensing for FP on ASA sensors. The dCloud POV comes with
built-in classic licenses for most appliance types. If you require a license not available on dCloud, follow
the instructions here to request a POV license from Partner Help:
https://communities.cisco.com/docs/DOC-55301.
To confirm available licenses, navigate to System > Licenses > Classic Licenses.
The variable set should be adjusted to match the monitored network. In the FMC browse to Objects >
Object Management. Select the Variable Set on the left hand side and select to edit the Default-Set.
Click to create a new Network Object. Provide a Name and enter Network information that matches
the customer environment. Click Save when complete.
Click Include to add the New Network Object in the HOME_NET Variable. Continue by clicking Save,
Save, Yes.
Browse to Policies > Network Discovery. Select to delete the IPv4-Private-All-RFC1918. Click Yes to
confirm.
Select to add a new rule. Select the Users checkbox. Add the newly created HOME_NET
variable to the right hand pane. Click Save.
Browse to Analysis > Connections > Events. If events are not populating, verify that interfaces are
connected, enabled, and the SPAN port or tap is functional.
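The checks below are an added example, not part of the original guide, for isolating why connection events are not appearing: they separate a SPAN or cabling fault (no packets reaching the ASA interface) from a registration fault (module not talking to the FMC). They run on the ASA and on the module CLI reached with session sfr, using the GigabitEthernet0/0 interface and FMC address configured in sections 6 and 7; the exact output wording varies between releases, so the comments state what to look for.

```cisco
! On the ASA: the module must be Up, and the input counter on the
! traffic-forward interface must rise between two readings taken ~30 s apart.
ciscoasa# show module sfr details
ciscoasa# show interface gigabitethernet0/0 | include packets input
!
! If "packets input" stays flat, the fault is on the switch SPAN session or the
! cabling, not in the module; go back to the switch before touching the FMC.
!
! On the module CLI (ciscoasa# session sfr): Registration should show
! Completed for the FMC Public IP, and the management IP, mask, and gateway
! should match the Data Collection Worksheet. A pending registration with the
! right FMC address usually means the outbound connection to port 8443 is blocked.
> show managers
> show network
```

Read the counter on the ASA first: the module cannot report a problem it never saw, and a healthy registration with zero packets input is by far the most common state after a SPAN session was configured on the wrong source or the destination port was left as an access port.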
8 Risk Reports
After allowing the system to collect customer data for at least five days, you can generate the Risk
Reports. As of FMC 6.1, Risk Reports are integrated into the FMC. To generate the reports, navigate
to Overview > Reporting and select the Report Templates tab. Then generate the Advanced Malware,
Attacks, and Network Risk Reports. These provide actionable information based on the customer's
traffic.
Once complete, you can access these PDF reports in the FMC and transfer them to your local system
using a cloud-based storage solution or email client. The reports contain the customer's internal host,
user, and threat details, so move and store them only in the way the customer has agreed to. Share these
reports and your findings with the customer at the POV close-out meeting. During the meeting, focus on
the win criteria established up front and the differentiating value of the Cisco solution. Provide a bill of
materials that positions the appropriate FP on ASA licensed features.
When complete, submit the POV for the company incentive through SIRE if supported in your location:
www.cisco-sire.com. Note that the required proof-of-performance items are:
Win Criteria: Appendix A in the POV Best Practices Guide
Data Collection Worksheet: Appendix B in the POV Best Practices Guide
POV Outcome: Appendix C in the POV Best Practices Guide
Risk Reports or customer-facing reports based on the POV Best Practices Guide
Bill of Materials (Microsoft Excel format): note that there is a $10k minimum opportunity to qualify for the program
Review the Cisco Funded Network Assessment post for more information:
https://communities.cisco.com/docs/DOC-65405.
9 Device Sanitization
After a successful partner-executed POV, you will need to purge the customer data to prepare for the
next POV. dCloud automatically deletes the FMC VM and any customer information it holds.
The customer data on the FP on ASA is deleted when you erase and reformat the file system. Enter the
following command on the ASA to complete the process. Note that this removes everything on the ASA
flash, including the ASA, ASDM, and module boot images copied in section 6, so keep those files and
console access to hand. The Firepower event data itself lives on the module's SSD, and the module
recovery in section 6.4 reimages that drive (the sw-module recover warning notes that it erases the
module's configuration and data).
ciscoasa# erase /noconfirm disk0:
To prepare for your next POV, re-install the FP on ASA software as described in section 6.
10 Next Steps
This completes the Cisco FP on ASA POV Best Practices Quick Start Guide. For additional support, send
requests to asa-assess@external.cisco.com.
Appendix A: Win Criteria
Customer Name: ____________________
Win criteria need to be defined before a partner-executed POV begins so that you are able to quickly
demonstrate unique business value to the customer during the on-site engagement. This process focuses the
engagement on the solution elements that are most important to the customer. The worksheet below serves
as a starting point to develop win criteria for a Tactical Partner Executed POV and can be adjusted as required
based on dialogue with your customer.
Prioritize each win criterion in order from 1 to 8, with one being most important and eight being
least important based on your customer's priorities.
Visibility (Rank: __ of 8)
Do you want to have a better understanding of the types of devices on your network and the applications they
are running?
Threat (Rank: __ of 8)
Are you concerned about bad actors in your environment and the threat that they pose to other internal
systems?
Automation (Rank: __ of 8)
Would you like to reduce the strain on your security analysts while arriving at a faster resolution of intrusion
information?
Reputation (Rank: __ of 8)
Do you value a robust reputation service that helps to limit traffic to known bad websites and actors on the
Internet?
Malware Detection (Rank: __ of 8)
Would you like to implement network malware detection with file reputation, sandboxing, and retrospection?
File Blocking (Rank: __ of 8)
Do you value visibility of file types entering your environment with the capability to block files before an
attack by type, protocol, or transfer direction?
Application Control (Rank: __ of 8)
Are you interested in granular control of applications that helps maximize productivity and reduce the attack
surface?
Cross-product Integration (Rank: __ of 8)
Would you be interested in using the eStreamer API to share host and event data with third-party
applications such as a SIEM and integrate with systems such as Cisco ISE?
Appendix B: Data Collection Worksheet
Thank you for giving Cisco the opportunity to demonstrate the security posture of your network using
Firepower Threat Defense. Please provide the following information to prepare for the evaluation.
Network Range(s)
1. Network ranges to be part of the evaluation. Please provide the most aggregated prefixes possible (the
smallest number of entries) in CIDR format (e.g. 10.100.0.0/16 instead of 10.100.1.0/24, 10.100.2.0/24, etc.)
2. Networks within these ranges that should be excluded from the above. (Note that this is a non-intrusive
observatory system and will not footprint any of your hosts.)
Time Zone
3. Local time zone
SPAN Source
What type of switch will the system collect SPAN traffic from? (Cisco 3850, Cisco Catalyst 4K, etc.)
SPAN will be configured using source interfaces or source VLANs. List the sources below (VLAN 10, 20, etc.)
Length of Evaluation
Appendix C: POV Outcome
Partner SE Name: ____________________
Partner SE Email: ____________________
Compelling Event: ____________________
Competitors: ____________________
POV Duration: ____________________
Cisco Deal ID: ____________________
Cisco PO or SO #: ____________________
Comments: ____________________