Updated: July 11, 2023
These components are required on the Cisco FireSIGHT Management Center:
FirePOWER Software Version 5.3.1 or later
FireSIGHT Management Center FS2000, FS4000 or virtual appliance
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Cisco ASA FirePOWER module, also known as the ASA SFR module, provides next-generation firewall services, such as:
Next Generation Intrusion Prevention System (NGIPS)
Application Visibility and Control (AVC)
Advanced Malware Protection (AMP)
Note: You can use the ASA SFR module in Single or Multiple context mode, and in Routed or Transparent mode.
Before You Begin
Consider this important information before you attempt the procedures that are described in this document:
If you have an active service policy that redirects traffic to an Intrusion Prevention System (IPS) or Context Aware (CX) module that you replaced with the ASA SFR, you must remove it before you configure the ASA SFR service policy.
You must shut down and uninstall any other software module that currently runs, because a device can run only one software module at a time. You must do this from the ASA CLI: shut down and uninstall the IPS software module, and then reload the ASA.
When you reimage a module, use the same shutdown and uninstall commands that are used in order to remove an old SFR image. Here is an example:
ciscoasa# sw-module module sfr uninstall
If the ASA SFR module is used in Multiple context mode, perform the procedures that are described in this document within the system execution space.
Tip: In order to determine the status of a module on the ASA, enter the show module command.
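As an added example (not from the original page), this is the sequence the Before You Begin section refers to: shut down and uninstall an existing IPS software module, reload the ASA, and confirm with show module that no other software module remains before the SFR boot image is loaded. The hostname ciscoasa follows the prompts used elsewhere on this page; the IPS module name ips is the name the ASA uses for the legacy IPS software module.

```text
! Confirm what is currently installed (module name, model and status)
ciscoasa# show module

! Stop and remove the legacy IPS software module (only one software module can run at a time)
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall

! The uninstall takes effect on the next reload; answer the confirmation prompt
ciscoasa# reload

! After the reload, show module must no longer list an active ips module
ciscoasa# show module
```

Run show module again before you continue; if the old module is still listed as Up, the SFR boot image cannot be recovered onto the SSD.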
This section describes how to install the SFR module on the ASA and how to set up the ASA SFR boot image.
Install the SFR Module on the ASA
Complete these steps in order to install the SFR module on the ASA:
Download the ASA SFR system software from Cisco.com to an HTTP, HTTPS, or FTP server that is accessible from the ASA SFR management interface.
Download the boot image to the device. You can use either the Cisco Adaptive Security Device Manager (ASDM) or the ASA CLI in order to download the boot image to the device.
Note: Do not transfer the system software; it is downloaded later to the Solid State Drive (SSD).
Complete these steps in order to download the boot image via the ASDM:
Download the boot image to your workstation, or place it on an FTP, TFTP, HTTP, HTTPS, Server Message Block (SMB), or Secure Copy (SCP) server.
Choose Tools > File Management in the ASDM.
Choose the appropriate File Transfer command, either Between Local PC and Flash or Between Remote Server and Flash.
Transfer the boot software to the flash drive (disk0) on the ASA.
Complete these steps in order to download the boot image via the ASA CLI:
Download the boot image on an FTP, TFTP, HTTP, or HTTPS server.
Enter the copy command into the CLI in order to download the boot image to the flash drive.
You can use HTTP (replace <HTTP_Server> in the URL with your server IP address or hostname) or FTP. For an FTP server, the URL looks like this:
ftp://username:password@server-ip/asasfr-5500x-boot-5.3.1-152.img
Tip: If the ASA SFR module boot has not completed, the session command fails and a message appears to indicate that the system is unable to connect over TTYS1. If this occurs, wait for the module boot to complete and try again.
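The copy, recover and session sequence for the boot image, shown here as one added example that is not part of the original page. <HTTP_Server> is a placeholder for your server, the image file name is the one used on this page, and the console output lines after the session command are illustrative of what the boot image prints; the boot image accepts the username admin with the password Admin123.

```text
! Copy the boot image from the HTTP server to flash (disk0); <HTTP_Server> is a placeholder
ciscoasa# copy http://<HTTP_Server>/asasfr-5500x-boot-5.3.1-152.img disk0:/asasfr-5500x-boot-5.3.1-152.img

! Point module recovery at that image, then boot the module from it
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
ciscoasa# sw-module module sfr recover boot

! Wait for the module to come up (check with show module sfr), then open the console session.
! If the boot is not finished, session fails with the TTYS1 message described in the tip above.
ciscoasa# show module sfr
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
asasfr login: admin
Password: Admin123
asasfr-boot>
```

Once you see the asasfr-boot> prompt, continue with the setup command below.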
Enter the setup command in order to configure the system so that you can install the system software package:
asasfr-boot> setup
Welcome to SFR Setup
[hit Ctrl-C to abort]
Default values are inside
You are then prompted for this information:
Host name - The hostname can be up to 65 alphanumeric characters, with no spaces. The use of hyphens is allowed.
Network address - The network address can be either static IPv4 or IPv6 addresses. You can also use DHCP for IPv4, or IPv6 stateless auto-configuration.
DNS information - You must identify at least one Domain Name System (DNS) server, and you can also set the domain name and search domain.
NTP information - You can enable Network Time Protocol (NTP) and configure the NTP servers in order to set the system time.
Enter the system install command in order to install the system software image:
asasfr-boot> system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of the .pkg file. Again, you can use an FTP, HTTP, or HTTPS server. For an FTP server, the URL looks like this: ftp://username:password@server-ip/asasfr-sys-5.3.1-152.pkg. Here is an example that uses HTTP:
asasfr-boot> system install http://<HTTP_Server>/asasfr-sys-5.3.1-152.pkg
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process ...
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
(press Enter)
Broadcast message from root (ttyS1) (Mon Jun 23 09:28:38 2014):
The system is going down for reboot NOW!
Console session with module sfr terminated.
Note: The SFR module is in the Recover state during the installation, which can take up to an hour or so to complete. When the installation is complete, the module reboots. Allow ten or more minutes for the application component installation and for the ASA SFR services to start; when they have started, the output of the show module sfr command shows that all processes are Up.
This section describes how to configure the FirePOWER software and the FireSIGHT Management Center, and how to redirect traffic to the SFR module.
Configure the FirePOWER Software
Complete these steps in order to configure the FirePOWER software:
Open a session to the ASA SFR module.
Note: A different login prompt now appears because the login occurs on a fully-functional module.
Here is an example:
ciscoasa# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:
Log in with the username admin. The password depends on the software release: Adm!n123 for 7.0.1 (new device from the factory only), Admin123 for 6.0 and later, and Sourcefire for releases earlier than 6.0.
Complete the system configuration as prompted, which occurs in this order:
Read and accept the End User License Agreement (EULA).
Change the admin password.
Configure the management address and DNS settings, as prompted.
Note: You can configure both IPv4 and IPv6 management addresses.
Here is an example:
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <new password>
Confirm new password: <repeat password>
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 198.51.100.3
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface : 198.51.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com
Enter a comma-separated list of DNS servers or 'none' : 198.51.100.15, 198.51.100.14
Enter a comma-separated list of search domains or 'none' [example.net]: example.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Wait for the system to reconfigure itself.
Configure the FireSIGHT Management Center
In order to manage an ASA SFR module and security policy, you must register it with a FireSIGHT Management Center. Refer to Register a Device with a FireSIGHT Management Center for more information. You cannot perform these actions with a FireSIGHT Management Center:
Configure the ASA SFR module interfaces
Shut down, restart, or otherwise manage the ASA SFR module processes
Create backups from, or restore backups to, the ASA SFR module devices
Write access control rules in order to match traffic with the use of VLAN tag conditions
Redirect Traffic to the SFR Module
In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA SFR module:
Select the traffic that must be identified with the access-list command. In this example, all of the traffic from all of the interfaces is redirected. You can do this for specific traffic as well.
ciscoasa(config)# access-list sfr_redirect extended permit ip any any
Create a class-map in order to match the traffic on an access list:
ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode.
Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.
In an inline deployment, the SFR module inspects the traffic based on the Access Control Policy and returns a verdict to the ASA, which then takes the appropriate action (Allow, Deny, and so on) on the traffic flow. This example shows how to create a policy-map and configure the ASA SFR module in inline mode.
First verify whether the current global_policy still carries the configuration for another module (show run policy-map global_policy and show run service-policy). If it does, remove that module configuration from global_policy before you add the SFR class; a device can run only one software module at a time.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open
The fail-open keyword lets traffic continue to pass uninspected if the SFR module is unavailable; use fail-close instead if traffic must be dropped whenever the module cannot inspect it.
In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to the ASA. Passive mode allows you to view the actions that the SFR module would have taken on the traffic. It also allows you to evaluate the content of the traffic without an impact to the network.
If you want to configure the SFR module in passive mode, add the monitor-only keyword to the sfr command (for example, sfr fail-open monitor-only). If you do not include the keyword, the traffic is sent in inline mode.
Warning: The monitor-only mode does not allow the SFR service module to deny or block malicious traffic.
Caution: It is possible to configure an ASA in monitor-only mode with the interface-level traffic-forward sfr monitor-only command; however, this configuration exists purely for demonstration purposes and must not be used on a production ASA. Any issues that are found in this demonstration feature are not supported by the Cisco Technical Assistance Center (TAC). If you want to deploy the ASA SFR service in passive mode, configure it with a policy-map.
Specify a location and apply the policy. You can apply a policy globally or on an interface. In order to override the global policy on an interface, you can apply a service policy to that interface.
The global keyword applies the policy map to all of the interfaces, and the interface keyword applies the policy to one interface. Only one global policy is allowed. In this example, the policy is applied globally:
ciscoasa(config)# service-policy global_policy global
Caution: The policy map global_policy is a default policy. If you use this policy and want to remove it on your device to troubleshoot, ensure that you understand its implication.
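The complete redirect configuration, collected here as one added example that is not the page's own listing. It shows the fail-close and monitor-only alternatives the page describes as commented-out lines (only one sfr line may be active; the ASA does not allow inline and passive mode at the same time), and it ends with show commands that confirm the policy is applied and the module is receiving traffic. The page gives no verification procedure, so those show commands are an added check. The hostname ciscoasa follows the page's prompts; everything else is the page's own object names.

```text
! 1. Select the traffic to redirect. "permit ip any any" sends everything to the module;
!    narrow the ACL in production so only the traffic you intend to inspect is redirected.
ciscoasa(config)# access-list sfr_redirect extended permit ip any any

! 2. Match that traffic in a class-map
ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
ciscoasa(config-cmap)# exit

! 3. Before touching global_policy, confirm no ips/cxsc module class is still configured in it
ciscoasa(config)# show run policy-map global_policy
ciscoasa(config)# show run service-policy

! 4. Attach the class to the default global policy-map.
!    fail-close : traffic is dropped if the SFR module is down (inspection is never bypassed)
!    fail-open  : traffic keeps flowing uninspected if the SFR module is down
!    monitor-only: passive copy of the traffic; the module cannot block anything
!    Keep exactly one of the three sfr lines.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-close
! ciscoasa(config-pmap-c)# sfr fail-open
! ciscoasa(config-pmap-c)# sfr fail-open monitor-only
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

! 5. Apply the policy globally (only one global service policy is allowed)
ciscoasa(config)# service-policy global_policy global
ciscoasa(config)# end

! 6. Verify: module health, the policy as applied, and the per-class SFR mode and packet counters
ciscoasa# show module sfr details
ciscoasa# show service-policy sfr
```

The output of show service-policy sfr reports the card status and the configured mode (fail-open or fail-close, with monitor-only if set) for the sfr class together with packet input/output and drop counters; if the input counter stays at zero while traffic crosses the ASA, the access list or the service-policy location is wrong.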
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
Enter the debug module-boot command before you start the installation of the SFR boot image in order to enable debug output for the module boot.
If the SFR module is stuck in the Recover state and its console does not come up, enter the sw-module module sfr recover stop command.
If the SFR module still does not come out of the Recover state, reload the ASA with the reload quick command. (If traffic passes through the ASA, the reload causes a network disturbance.) If the module is still stuck in the Recover state after the reload, shut down the ASA, unplug the SSD, and start the ASA. Check the status of the module; it must be in the INIT state. Shut down the ASA again, insert the SSD, start the ASA, and then reimage the ASA SFR module.