This document describes how to install and configure a Cisco FirePOWER (SFR) module that runs on a Cisco Adaptive Security Appliance (ASA) and how to register the SFR module with the Cisco FireSIGHT Management Center.
Cisco recommends that your system meet these requirements before you attempt the procedures that are described in this document:
Ensure that you have at least 3GB of free space on the flash drive (disk0), in addition to the size of the boot software.
Ensure that you have access to the privileged EXEC mode. In order to access the privileged EXEC mode, enter the enable command into the CLI. If a password was not set, then press Enter:
In order to install the FirePOWER Services on a Cisco ASA, these components are required:
These components are required on the Cisco FireSIGHT Management Center:
FirePOWER Software Version 5.3.1 or later
FireSIGHT Management Center FS2000, FS4000 or virtual appliance
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The Cisco ASA FirePOWER module, also known as the ASA SFR, provides next-generation Firewall services, such as:
Next Generation Intrusion Prevention System (NGIPS)
Application Visibility and Control (AVC)
Advanced Malware Protection (AMP)
Note: You can use the ASA SFR module in Single or Multiple context mode, and in Routed or Transparent mode.
Before You Begin
Consider this important information before you attempt the procedures that are described in this document:
If you have an active service policy that redirects traffic to an Intrusion Prevention System (IPS)/Context Aware (CX) module (that you replaced with the ASA SFR), you must remove it before you configure the ASA SFR service policy.
You must shut down any other software modules that currently run. A device can run a single software module at a time. You must do this from the ASA CLI. For example, these commands shut down and uninstall the IPS software module, and then reload the ASA:
Tip: If the ASA SFR module boot has not completed, the session command fails and a message appears to indicate that the system is unable to connect over TTYS1. If this occurs, wait for the module boot to complete and try again.
Enter the setup command in order to configure the system so that you can install the system software package:
asasfr-boot> setup Welcome to SFR Setup [hit Ctrl-C to abort] Default values are inside 
You are then prompted for this information:
Host name - The host name can be up to 65 alphanumeric characters, with no spaces. The use of hyphens is allowed.
Network address - The network address can be either static IPv4 or IPv6 addresses. You can also use DHCP for IPv4, or IPv6 stateless auto-configuration.
DNS information - You must identify at least one Domain Name System (DNS) server, and you can also set the domain name and search domain.
NTP information - You can enable Network Time Protocol (NTP) and configure the NTP servers in order to set the system time.
Enter the system install command in order to install the system software image:
asasfr-boot >system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of the .pkg file. Here is an example:
Do you want to continue with upgrade? [y]: y Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in unusable state.
Upgrading Starting upgrade process ... Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system. (press Enter)
Broadcast message from root (ttyS1) (Mon Jun 23 09:28:38 2014): The system is going down for reboot NOW! Console session with module sfr terminated.
Note: When the installation is complete, the system reboots. Allow ten or more minutes for the application component installation and for the ASA SFR services to start. The output of the show module sfr command should indicate that all processes are Up.
This section describes how to configure the FirePOWER software and the FireSIGHT Management Center, and how to redirect traffic to the SFR module.
Configure the FirePOWER Software
Complete these steps in order to configure the FirePOWER software:
Open a session to the ASA SFR module.
Note: A different login prompt now appears because the login occurs on a fully-functional module.
Here is an example:
ciscoasa# session sfr Opening command session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-^X'. Sourcefire ASA5555 v5.3.1 (build 152) Sourcefire3D login:
Log in with the username admin and the password Admin123.
Complete the system configuration as prompted, which occurs in this order:
Read and accept the End User License Agreement (EULA).
Change the admin password.
Configure the management address and DNS settings, as prompted.
Note: You can configure both IPv4 and IPv6 management addresses.
Here is an example:
System initialization in progress. Please stand by. You must change the password
for 'admin' to continue. Enter new password: <new password>
Confirm new password: <repeat password>
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]:198.51.100.3
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface : 198.51.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com
Enter a comma-separated list of DNS servers or 'none' : 198.51.100.15, 198.51.100.14
Enter a comma-separated list of search domains or 'none' [example.net]: example.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Shut down, restart, or otherwise manage the ASA SFR module processes
Create backups from, or restore backups to, the ASA SFR module devices
Write access control rules in order to match traffic with the use of VLAN tag conditions
Redirect Traffic to the SFR Module
In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA SFR module:
Select the traffic that should be identified with the access-list command. In this example, all of the traffic from all of the interfaces is redirected. You can do this for specific traffic as well.
ciscoasa(config)# access-list sfr_redirect extended permit ip any any
Create a class-map in order to match the traffic on an access list:
ciscoasa(config)# class-map sfr ciscoasa(config-cmap)# match access-list sfr_redirect
Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode.
Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.
In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission. This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:
ciscoasa(config)# policy-map global_policy ciscoasa(config-pmap)# class sfr ciscoasa(config-pmap-c)# sfr fail-open
In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to the ASA. Passive mode allows you to view the actions that the SFR module would have completed in regards to the traffic. It also allows you to evaluate the content of the traffic, without an impact to the network.
If you want to configure the SFR module in passive mode, use the monitor-only keyword (as shown in the next example). If you do not include the keyword, the traffic is sent in inline mode.
Warning: The monitor-only mode does not allow the SFR service module to deny or block malicious traffic.
Caution: It might be possible to configure an ASA in monitor-only mode with the use of the interface-level traffic-forward sfr monitor-only command; however, this configuration is purely for demonstration functionality and should not be used on a production ASA. Any issues that are found in this demonstration feature are not supported by the Cisco Technical Assistance Center (TAC). If you desire to deploy the ASA SFR service in passive mode, configure it with the use of a policy-map.
Specify a location and apply the policy. You can apply a policy globally or on an interface. In order to override the global policy on an interface, you can apply a service policy to that interface.
The global keyword applies the policy map to all of the interfaces, and the interface keyword applies the policy to one interface. Only one global policy is allowed. In this example, the policy is applied globally:
ciscoasa(config)# service-policy global_policy global
Caution: The policy map global_policy is a default policy. If you use this policy and want to remove it on your device for troubleshooting purposes, ensure that you understand its implication.
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.