This chapter describes how to configure the ASA FirePOWER module that runs on the ASA.
The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode.
The module is also known as ASA SFR.
Although the module has a basic command line interface (CLI) for initial configuration and troubleshooting, you configure the security policy on the device using a separate application, FireSIGHT Management Center, which can be hosted on a separate FireSIGHT Management Center appliance or as a virtual appliance running on a VMware server. (FireSIGHT Management Center is also known as Defense Center.)
For ASA FirePOWER running on ASA 5506-X devices, you can optionally configure the device using ASDM rather than FireSIGHT Management Center.
You can configure your ASA FirePOWER module using one of the following deployment models:
Be sure to configure consistent policies on the ASA and the ASA FirePOWER. Both policies should reflect the inline or monitor-only mode of the traffic.
In inline mode, traffic goes through the firewall checks before being forwarded to the ASA FirePOWER module. When you identify traffic for ASA FirePOWER inspection on the ASA, traffic flows through the ASA and the module as follows:
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA FirePOWER module.
5. The ASA FirePOWER module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the ASA FirePOWER module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
The following figure shows the traffic flow when using the ASA FirePOWER module in inline mode. In this example, the module blocks traffic that is not allowed for a certain application. All other traffic is forwarded through the ASA.
Figure 16-1 ASA FirePOWER Module Traffic Flow in the ASA
Note If you have a connection between hosts on two ASA interfaces, and the ASA FirePOWER service policy is only configured for one of the interfaces, then all traffic between these hosts is sent to the ASA FirePOWER module, including traffic originating on the non-ASA FirePOWER interface (because the feature is bidirectional).
This mode sends a duplicate stream of traffic to the ASA FirePOWER module for monitoring purposes only. The module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode; for example, traffic might be marked “would have dropped” in events. You can use this information for traffic analysis and to help you decide if inline mode is desirable.
Note You cannot configure both inline tap monitor-only mode and normal inline mode at the same time on the ASA. Only one type of security policy is allowed. In multiple context mode, you cannot configure inline tap monitor-only mode for some contexts, and regular inline mode for others.
The following figure shows the traffic flow when operating in inline tap mode.
Figure 16-2 ASA FirePOWER Inline Tap Monitor-Only Mode
If you want to operate the ASA FirePOWER module as a pure Intrusion Detection System (IDS), where there is no impact on the traffic at all, you can configure a traffic forwarding interface. A traffic forwarding interface sends all received traffic directly to the ASA FirePOWER module without any ASA processing.
The module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode; for example, traffic might be marked “would have dropped” in events. You can use this information for traffic analysis and to help you decide if inline mode is desirable.
Traffic in this setup is never forwarded: neither the module nor the ASA sends the traffic on to its ultimate destination. You must operate the ASA in single context and transparent modes to use this configuration.
The following figure shows an interface configured for traffic-forwarding. That interface is connected to a switch SPAN port so the ASA FirePOWER module can inspect all of the network traffic. Another interface sends traffic normally through the firewall.
Figure 16-3 ASA FirePOWER Passive Monitor-Only, Traffic-Forwarding Mode
There are two separate layers of access for managing an ASA FirePOWER module: initial configuration (and subsequent troubleshooting) and policy management.
For initial configuration, you must use the CLI on the ASA FirePOWER module. For information on the default management addresses, see Defaults for ASA FirePOWER.
To access the CLI, you can use the following methods:
– ASA FirePOWER console port—The console port on the module is a separate external console port.
– ASA FirePOWER Management 1/0 interface using SSH—You can connect to the default IP address or you can use ASDM to change the management IP address and then connect using SSH. The management interface on the module is a separate external Gigabit Ethernet interface.
Note You cannot access the ASA FirePOWER hardware module CLI over the ASA backplane using the session command.
– ASA session over the backplane—If you have CLI access to the ASA, then you can session to the module and access the module CLI.
– ASA FirePOWER Management 0/0 interface using SSH (Management 1/1 for the 5506-X)—You can connect to the default IP address or you can use ASDM to change the management IP address and then connect using SSH. The ASA FirePOWER management interface shares the management interface with the ASA. Separate MAC addresses and IP addresses are supported for the ASA and ASA FirePOWER module. You must perform configuration of the ASA FirePOWER IP address within the ASA FirePOWER operating system (using the CLI or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this interface as an ASA FirePOWER-only interface. This interface is management-only.
After you perform initial configuration, configure the ASA FirePOWER security policy using FireSIGHT Management Center (for all models) or ASDM (for 5506-X). Then configure the ASA policy for sending traffic to the ASA FirePOWER module using ASDM or Cisco Security Manager.
The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.
To take full advantage of the ASA FirePOWER module features, use the following guidelines for traffic that you send to the ASA FirePOWER module:
The ASA FirePOWER module and FireSIGHT Management Center require additional licenses, which need to be installed in the module itself rather than in the context of the ASA. The ASA itself requires no additional licenses.
See the Licensing chapter of the FireSIGHT System User Guide or the online help in FireSIGHT Management Center for more information.
Does not support failover directly; when the ASA fails over, any existing ASA FirePOWER flows are transferred to the new ASA. The ASA FirePOWER module in the new ASA begins inspecting the traffic from that point forward; old inspection states are not transferred.
You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the high-availability ASA pair (using FireSIGHT Management Center) to ensure consistent failover behavior.
Does not support clustering directly, but you can use these modules in a cluster. You are responsible for maintaining consistent policies on the ASA FirePOWER modules in the cluster using FireSIGHT Management Center. Do not use different ASA-interface-based zone definitions for devices in the cluster.
Additional Guidelines and Limitations
The following table lists the default settings for the ASA FirePOWER module.
Configuring the ASA FirePOWER module is a process that includes configuration of the ASA FirePOWER security policy on the ASA FirePOWER module and then configuration of the ASA to send traffic to the ASA FirePOWER module. To configure the ASA FirePOWER module, perform the following steps:
Step 1 Connect the ASA FirePOWER Management Interface. Cable the ASA FirePOWER management interfaces and optionally, the console interface.
Step 2 (If necessary.) Install or Reimage the Software Module. Skip this step if you purchased a model with the software module pre-installed.
Step 3 (If necessary.) Change the ASA FirePOWER Management IP Address. This might be required for initial SSH access.
Step 4 Configure Basic ASA FirePOWER Settings at the ASA FirePOWER CLI. You do this on the ASA FirePOWER module.
Step 5 (Optional for ASA 5506-X.) Add ASA FirePOWER to the FireSIGHT Management Center. This identifies the FireSIGHT Management Center that will manage the device. If you do not configure a FireSIGHT Management Center for the 5506-X, you can manage the module using ASDM.
Step 6 Configure the Security Policy on the ASA FirePOWER Module.
Step 7 Redirect Traffic to the ASA FirePOWER Module.
In addition to providing management access to the ASA FirePOWER module, the ASA FirePOWER management interface needs access to an HTTP proxy server or a DNS server and the Internet for signature updates and more. This section describes recommended network configurations. Your network may differ.
The ASA FirePOWER module includes a separate management and console interface from the ASA. For initial setup, you can connect with SSH to the ASA FirePOWER Management 1/0 interface using the default IP address. If you cannot use the default IP address, you can either use the console port or use ASDM to change the management IP address so you can use SSH. (See Change the ASA FirePOWER Management IP Address.)
If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA FirePOWER Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. Because the ASA FirePOWER module is a separate device from the ASA, you can configure the ASA FirePOWER Management 1/0 address to be on the same network as the inside interface.
These models run the ASA FirePOWER module as a software module, and the ASA FirePOWER management interface shares the Management 0/0 interface with the ASA (Management 1/1 on 5506-X). For initial setup, you can connect with SSH to the ASA FirePOWER default IP address. If you cannot use the default IP address, you can either session to the ASA FirePOWER over the backplane or use ASDM to change the management IP address so you can use SSH.
If you have an inside router, you can route between the Management 0/0 or 1/1 network, which includes both the ASA and ASA FirePOWER management IP addresses, and the inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 or 1/1 interface. If you remove the ASA-configured name from the Management 0/0 or 1/1 interface, you can still configure the ASA FirePOWER IP address for that interface. Because the ASA FirePOWER module is essentially a separate device from the ASA, you can configure the ASA FirePOWER management address to be on the same network as the inside interface.
Note You must remove the ASA-configured name for Management 0/0 or 1/1; if it is configured on the ASA, then the ASA FirePOWER address must be on the same network as the ASA, and that excludes any networks already configured on other ASA interfaces. If the name is not configured, then the ASA FirePOWER address can be on any network, for example, the ASA inside network.
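The following ASA commands are an added example, not part of the original chapter, showing the software-module case described above when there is no inside router: the ASA-configured name is removed from Management 0/0 so the module address can sit on the inside network, and the module address is then set from the ASA over the backplane. The inside network 192.168.1.0/24, the ASA inside address 192.168.1.1, the module address 192.168.1.2, and the separate management network 10.10.10.0/24 behind an inside router at 192.168.1.254 used in the alternative route are all assumed values.

```text
! Assumed addressing (constructed for this example):
!   inside network 192.168.1.0/24, ASA inside interface 192.168.1.1
!   ASA FirePOWER management address 192.168.1.2 on that same network
!
! 1. Dedicate Management 0/0 to the module: remove the ASA name so the
!    interface is no longer an ASA routed interface, but keep it enabled
!    (physical characteristics are still configured on the ASA).
hostname(config)# interface management0/0
hostname(config-if)# no nameif
hostname(config-if)# no shutdown
hostname(config-if)# exit
!
! 2. Set the module's management address and default gateway from the ASA
!    over the backplane (software module keyword sfr; use 1 for a
!    hardware module). In multiple context mode, run this in the system
!    execution space.
hostname# session sfr do setup host ip 192.168.1.2/24,192.168.1.1
!
! Alternative, when a separate management network exists behind an inside
! router: keep the management interface named on the ASA and add a route so
! the ASA reaches the management network through that router
! (assumed 10.10.10.0/24 behind 192.168.1.254 on the inside interface).
hostname(config)# route inside 10.10.10.0 255.255.255.0 192.168.1.254
```

With the name removed, the module address is no longer constrained to the ASA management network, which is the condition the note above describes; verify the result afterwards with show module sfr details from the ASA.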
If you purchase the ASA with the ASA FirePOWER module, the module software and required solid state drives (SSDs) come pre-installed and ready to configure. If you want to add the ASA FirePOWER software module to an existing ASA, or need to replace the SSD, you need to install the ASA FirePOWER boot software, partition the SSD, and install the system software according to this procedure.
Reimaging the module is the same procedure, except you should first uninstall the ASA FirePOWER module. You would reimage a system if you replace an SSD.
For information on how to physically install the SSD, see the ASA hardware guide.
Step 1 Download the boot image to the device. Do not transfer the system software; it is downloaded later to the SSD. You have the following options:
Step 2 Download the ASA FirePOWER system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA FirePOWER management interface. Do not download it to disk0 on the ASA.
Step 3 Set the ASA FirePOWER module boot image location in ASA disk0 by entering the following command:
If you get a message like “ERROR: Another service (cxsc) is running, only one service is allowed to run at any time,” it means that you already have a different software module configured. You must shut it down and remove it to install a new module as described in the prerequisites section above.
Step 4 Load the ASA FirePOWER boot image by entering the following command:
Step 5 Wait approximately 5-15 minutes for the ASA FirePOWER module to boot up, and then open a console session to the now-running ASA FirePOWER boot image. You might need to press enter after opening the session to get to the login prompt. The default username is admin and the default password is Admin123.
If the module boot has not completed, the session command will fail with a message about not being able to connect over ttyS1. Wait and try again.
Step 6 Use the setup command to configure the system so that you can install the system software package.
You are prompted for the following. Note that the management address and gateway, and DNS information, are the key settings to configure.
Step 7 Install the System Software image using the system install command:
system install [ noconfirm ] url
Include the noconfirm option if you do not want to respond to confirmation messages. Use an HTTP, HTTPS, or FTP URL; if a username and password are required, you will be prompted to supply them.
When installation is complete, the system reboots. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start. (The show module sfr output should show all processes as Up.)
Step 8 Open a session to the ASA FirePOWER module. You will see a different login prompt because you are logging into the fully functional module.
Step 9 Log in with the username admin and the password Sourcefire.
Step 10 Complete the system configuration as prompted.
You must first read and accept the end user license agreement (EULA). Then change the admin password, then configure the management address and DNS settings, as prompted. You can configure both IPv4 and IPv6 management addresses. For example:
Step 11 (Optional for 5506-X.) Identify the FireSIGHT Management Center appliance that will manage this device using the configure manager add command.
You choose a registration key, which you then use in FireSIGHT Management Center when you add the device to its inventory. The following example shows the simple case. When there is a NAT boundary, the command is different; see Add ASA FirePOWER to the FireSIGHT Management Center.
For the 5506-X, you can instead use ASDM to configure the policy on the ASA FirePOWER module. When using ASDM, you can configure one module at a time, which is a good solution when you have a single device or very few devices. If you have a large number of devices, FireSIGHT Management Center is a better solution.
Step 12 (Skip for 5506-X when using ASDM.) Log into the FireSIGHT Management Center using an HTTPS connection in a browser, using the hostname or address entered above. For example, https://DC.example.com.
Use the Device Management (Devices > Device Management) page to add the device. For more information, see the online help or the Managing Devices chapter in the FireSIGHT System User Guide.
Tip You also configure NTP and time settings through FireSIGHT Management Center. Use the Time Synchronization settings when editing the local policy from the System > Local > System Policy page.
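The following command sequence is an added example, not taken from the chapter, that walks through Steps 1 through 11 above for a software module. The image file names (asasfr-boot-<version>.img, asasfr-sys-<version>.pkg), the TFTP/HTTP server 10.1.1.5, the management center DC.example.com and the registration key <reg_key> are placeholders; the module-side prompts (asasfr-boot> for the boot image, > for the full image) are shown for orientation only.

```text
! Placeholders (constructed for this example):
!   boot image   asasfr-boot-<version>.img  on TFTP server 10.1.1.5
!   system pkg   asasfr-sys-<version>.pkg   on HTTP server 10.1.1.5
!   manager      DC.example.com, registration key <reg_key>
! In multiple context mode, run the ASA commands in the system execution space.
!
! Step 1: copy only the boot image to disk0 on the ASA.
hostname# copy tftp://10.1.1.5/asasfr-boot-<version>.img disk0:/asasfr-boot-<version>.img
!
! Step 3: set the boot image location for the module recovery process.
! An "Another service (cxsc) is running" error means a different software
! module is still installed and must be shut down and uninstalled first.
hostname# sw-module module sfr recover configure image disk0:asasfr-boot-<version>.img
!
! Step 4: load the boot image into the module.
hostname# sw-module module sfr recover boot
!
! Step 5: after 5-15 minutes, open a console session to the boot image.
! Login is admin / Admin123; press Enter if no prompt appears. If the
! session fails with a ttyS1 message, the module is still booting.
hostname# session sfr console
!
! Step 6: at the boot-image prompt, run setup and supply the management
! address, gateway and DNS settings when prompted.
asasfr-boot> setup
!
! Step 7: install the system package from the HTTP server; noconfirm skips
! the confirmation prompts. The module reboots when installation completes.
asasfr-boot> system install noconfirm http://10.1.1.5/asasfr-sys-<version>.pkg
!
! Steps 8-10: wait until all processes show Up, then session to the full
! image (login admin / Sourcefire), accept the EULA and complete setup.
hostname# show module sfr
hostname# session sfr
!
! Step 11 (optional on the 5506-X): register with FireSIGHT Management
! Center. <reg_key> is a value you choose and reuse when adding the device.
> configure manager add DC.example.com <reg_key>
```

The recover configure and recover boot commands operate on the boot image only; the system package is pulled by the module itself from the HTTP, HTTPS or FTP server reachable through its management interface, which is why the package must not be copied to disk0.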
If you cannot use the default management IP address, then you can set the management IP address from the ASA. After you set the management IP address, you can access the ASA FirePOWER module using SSH to perform additional setup.
If you already configured the management address during initial system setup through the ASA FirePOWER CLI, as described in Configure Basic ASA FirePOWER Settings at the ASA FirePOWER CLI, then it is not necessary to configure it through the ASA CLI or ASDM.
Note For a software module, you can access the ASA FirePOWER CLI to perform setup by sessioning from the ASA CLI; you can then set the ASA FirePOWER management IP address as part of setup. For a hardware module, you can complete the initial setup through the Console port.
To change the management IP address through the ASA, do one of the following. In multiple context mode, perform this procedure in the system execution space.
For example, session 1 do setup host ip 10.1.1.2/24,10.1.1.1.
You must configure basic network settings and other parameters on the ASA FirePOWER module before you can configure your security policy. This procedure assumes you have the full system software installed (not just the boot image), either after you installed it directly, or because it is already installed on a hardware module.
Tip This procedure also assumes that you are performing an initial configuration. During initial configuration, you are prompted for these settings. If you need to change these settings later, use the various configure network commands to change the individual settings. For more information on the configure network commands, use the ? command for help, and see the FireSIGHT System User Guide, or the online help in FireSIGHT Management Center.
Step 1 Do one of the following:
Step 2 Log in with the username admin and the password Sourcefire.
Step 3 Complete the system configuration as prompted.
You must first read and accept the end user license agreement (EULA). Then change the admin password, then configure the management address and DNS settings, as prompted. You can configure both IPv4 and IPv6 management addresses. The configuration is complete when you see the message that says the sensor must be managed by a FireSIGHT Management Center.
Step 4 (Optional for 5506-X.) Now you must identify the FireSIGHT Management Center that will manage this device, as explained in Add ASA FirePOWER to the FireSIGHT Management Center.
FireSIGHT Management Center, also known as Defense Center, is a separate server that manages multiple FirePOWER devices for the same or different models. FireSIGHT Management Center is ideal for managing large deployments, providing configuration consistency across your devices and efficiency in traffic analysis.
For ASA 5512-X through 5585-X, you must register the module to a FireSIGHT Management Center. There is no other way to configure the module.
For ASA 5506-X, FireSIGHT Management Center is optional. If you do not configure one, you use ASDM to configure the ASA FirePOWER policy. There is no CLI for policy configuration; you must use ASDM or FireSIGHT Management Center.
To register a device, use the configure manager add command. A unique alphanumeric registration key is always required to register a device to a FireSIGHT Management Center. This is a simple key that you specify, and is not the same as a license key.
In most cases, you must provide the FireSIGHT Management Center’s hostname or the IP address along with the registration key, for example:
However, if the device and the FireSIGHT Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
Step 1 Do one of the following:
Step 2 Log in with the username admin or another username that has the CLI configuration (Administrator) access level.
Step 3 At the prompt, register the device to a FireSIGHT Management Center using the configure manager add command, which has the following syntax:
configure manager add { hostname | IPv4_address | IPv6_address | DONTRESOLVE } reg_key [ nat_id ]
Step 4 Log into the FireSIGHT Management Center using an HTTPS connection in a browser, using the hostname or address entered above. For example, https://DC.example.com.
Use the Device Management (Devices > Device Management) page to add the device. For more information, see the online help or the Managing Devices chapter in the FireSIGHT System User Guide.
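The following module CLI commands are an added example, not from the chapter, showing the two registration cases described above: a directly reachable management center, and one behind a NAT device. DC.example.com, the registration key <reg_key> and the NAT ID <nat_id> are placeholders; the key and NAT ID are values you choose and must enter again when adding the device in FireSIGHT Management Center.

```text
! Case 1: the module can reach the management center directly, so the
! hostname (or IP address) is given with the registration key.
> configure manager add DC.example.com <reg_key>
!
! Case 2: a NAT device sits between the module and the management center.
! DONTRESOLVE replaces the hostname and a NAT ID is appended; the same NAT
! ID must be supplied on the Device Management page when adding the device.
> configure manager add DONTRESOLVE <reg_key> <nat_id>
!
! Verification from the ASA: the DC Addr field shows the manager address
! once registration has completed.
hostname# show module sfr details
```

The registration key is only a shared secret for the initial pairing and is unrelated to licensing; licenses are installed on the module through the management center afterwards.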
The security policy controls the services provided by the module, such as Next Generation IPS filtering and application filtering.
You use FireSIGHT Management Center to configure the security policy on the module.
For the ASA 5506-X, you can alternatively use ASDM. However, you can never use both ASDM and FireSIGHT Management Center; you must choose one or the other. If you configure a FireSIGHT Management Center for the module, you must use the configured manager. If you do not configure a manager, you must use ASDM.
To open FireSIGHT Management Center, do one of the following:
For information about how to configure the security policy, see the FireSIGHT System User Guide or the online help in FireSIGHT Management Center.
For ASA 5506-X, if you do not configure a FireSIGHT Management Center, you use ASDM to configure the security policy.
ASA FirePOWER pages are separate from the ASA configuration pages. Use the following pages to monitor and configure the module. You can click Help in any page, or choose Help > ASA FirePOWER Help Topics, to learn more about how to configure policies.
ASDM Restrictions for Managing ASA FirePOWER
Keep the following restrictions in mind when configuring ASA FirePOWER using ASDM.
For inline and inline tap (monitor-only) modes, you configure a service policy to redirect traffic to the module. If you want passive monitor-only mode, you configure a traffic redirection interface, which bypasses ASA policies.
Redirect traffic to the ASA FirePOWER module by creating a service policy that identifies specific traffic that you want to send. In this mode, ASA policies, such as access rules, are applied to the traffic before it is redirected to the module.
Step 1 Create an L3/L4 class map to identify the traffic that you want to send to the module.
hostname(config-cmap)# match access-list firepower
If you want to send multiple traffic classes to the module, you can create multiple class maps for use in the security policy. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the class map you created at the start of this procedure.
Step 4 Send the traffic to the ASA FirePOWER module.
Step 5 If you created multiple class maps for ASA FirePOWER traffic, you can specify another class for the policy and apply the sfr redirect action.
See Feature Matching Within a Service Policy for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type.
Step 6 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
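The following configuration is an added example, not the chapter's own, that carries Steps 1 through 6 above through for inline tap monitor-only mode in the default global policy: the module receives a copy of all traffic and fail-open keeps traffic flowing if the module is down. The access list name sfr_tap and class map name sfr_tap_class are assumed.

```text
! Step 1: ACL and L3/L4 class map selecting the traffic to copy to the
! module (here, all IP traffic).
hostname(config)# access-list sfr_tap extended permit ip any any
hostname(config)# class-map sfr_tap_class
hostname(config-cmap)# match access-list sfr_tap
hostname(config-cmap)# exit
!
! Steps 2-4: edit the default global_policy (already applied to all
! interfaces) and send the class to the module. monitor-only sends a
! duplicate stream only; fail-open means the ASA keeps forwarding if the
! module fails. Dropping monitor-only gives normal inline mode, and the
! ASA permits only one of the two modes device-wide.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class sfr_tap_class
hostname(config-pmap-c)# sfr fail-open monitor-only
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
!
! Step 6: nothing further, since global_policy is already active; the
! equivalent explicit binding would be:
hostname(config)# service-policy global_policy global
!
! Check: per-policy counters and module status. In monitor-only mode the
! input counters stay at zero.
hostname# show service-policy sfr
```

Because the same class cannot be matched by more than one action of the same type, a second class map for another traffic set must be added as a separate class entry in the same policy map rather than as a second sfr action on the same class.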
If you want to operate the module in passive monitor-only mode, where the module gets a copy of the traffic and neither it nor the ASA can affect the network, configure a traffic forwarding interface and connect the interface to a SPAN port on a switch. For more details, see ASA FirePOWER Passive Monitor-Only Traffic Forwarding Mode.
The following guidelines explain the requirements for this deployment mode:
Step 1 Enter interface configuration mode for the physical interface you want to use for traffic-forwarding.
Step 2 Remove any name configured for the interface. If this interface was used in any ASA configuration, that configuration is removed. You cannot configure traffic-forwarding on a named interface.
Step 3 Enable traffic-forwarding.
Note You can ignore any warnings about traffic forwarding being for demonstration purposes only. This is a supported production mode.
Repeat for any additional interfaces.
The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:
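As an added example (not the chapter's own listing), the following commands make GigabitEthernet 0/5 a traffic-forwarding interface as Steps 1 through 3 describe; the interface is assumed to be cabled to a switch SPAN port, and the ASA is assumed to be in single context, transparent mode, which this mode requires.

```text
! Step 1: enter interface configuration mode for the physical interface.
hostname(config)# interface gigabitethernet 0/5
!
! Step 2: remove any ASA name; traffic forwarding is not allowed on a named
! interface, and any ASA configuration that used the name is removed.
hostname(config-if)# no nameif
!
! Step 3: forward everything received on the port to the module, monitor
! only (the "demonstration purposes" warning can be ignored).
hostname(config-if)# traffic-forward sfr monitor-only
hostname(config-if)# no shutdown
hostname(config-if)# exit
!
! Check: the interface should be up and carry no name or IP configuration.
hostname# show running-config interface gigabitethernet 0/5
```

Nothing received on this interface is ever forwarded by the ASA or the module, so the SPAN port is the only source of traffic the module sees on it; other interfaces continue to pass traffic through the firewall normally.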
This section includes procedures that help you manage the module.
If you forget the password for the admin user, another user with CLI Configuration permissions can log in and change the password.
If there are no other users with the required permissions, you can reset the admin password from the ASA using the session do command.
Tip The password-reset option on the ASA hw-module and sw-module commands does not work with ASA FirePOWER.
To reset the module password for the user admin to the default, Sourcefire, use the following command. Use 1 for a hardware module, sfr for a software module. In multiple context mode, perform this procedure in the system execution space.
To reload, or to reset and then reload, the module, enter one of the following commands at the ASA CLI. In multiple context mode, perform this procedure in the system execution space.
Shutting down the module software prepares the module to be safely powered off without losing configuration data. To gracefully shut down the module, enter one of the following commands at the ASA CLI. In multiple context mode, perform this procedure in the system execution space.
Note If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the module before reloading the ASA.
You can uninstall a software module image and its associated configuration. In multiple context mode, perform this procedure in the system execution space.
Step 1 Uninstall the software module image and associated configuration.
Step 2 Reload the ASA. You must reload the ASA before you can install a new module.
Use the ASA FirePOWER CLI to configure basic network settings and to troubleshoot the module.
To access the ASA FirePOWER software module CLI from the ASA, you can session from the ASA. (You cannot session to a hardware module running on a 5585-X.)
You can either session to the module (using Telnet) or create a virtual console session. A console session might be useful if the control plane is down and you cannot establish a Telnet session. In multiple context mode, session from the system execution space.
In either a Telnet or a Console session, you are prompted for a username and password. You can log in with any username configured on the ASA FirePOWER. Initially, the admin username is the only one configured (and it is always available). The initial default password is Sourcefire for the full image, and Admin123 for the boot image.
When in the ASA FirePOWER CLI, to exit back to the ASA CLI, enter any command that would log you out of the module, such as logout or exit, or press Ctrl-Shift-6, x.
The only way out of a console session is to press Ctrl-Shift-6, x. Logging out of the module leaves you at the module login prompt.
Note Do not use the session sfr console command in conjunction with a terminal server where Ctrl-Shift-6, x is the escape sequence to return to the terminal server prompt. Ctrl-Shift-6, x is also the sequence to escape the ASA FirePOWER console and return to the ASA prompt. Therefore, if you try to exit the ASA FirePOWER console in this situation, you instead exit all the way to the terminal server prompt. If you reconnect the terminal server to the ASA, the ASA FirePOWER console session is still active; you can never exit to the ASA prompt. You must use a direct serial connection to return the console to the ASA prompt. Use the session sfr command instead of the console command when facing this situation.
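The following command list is an added example, not the chapter's own, collecting the module management and CLI access commands described in the preceding sections (password reset, reload and reset, graceful shutdown, uninstall, and sessions) for both module types. The module keyword is 1 for a hardware module and sfr for a software module; in multiple context mode the commands are run in the system execution space.

```text
! Access the software module CLI over the backplane (Telnet-style session,
! any module username; admin is always present). Exit with logout, exit,
! or Ctrl-Shift-6, x.
hostname# session sfr
!
! Virtual console session, usable when the control plane is down and a
! Telnet session cannot be established. Ctrl-Shift-6, x is the only exit,
! so avoid this behind a terminal server that uses the same escape sequence.
hostname# session sfr console
!
! Reset the admin password to the default (Sourcefire). The password-reset
! option of hw-module/sw-module does not work for ASA FirePOWER.
hostname# session sfr do password-reset
hostname# session 1 do password-reset
!
! Reload the module, or reset (power-cycle) and then reload it.
hostname# sw-module module sfr reload
hostname# sw-module module sfr reset
hostname# hw-module module 1 reload
hostname# hw-module module 1 reset
!
! Graceful shutdown so the module can be powered off without losing its
! configuration; do this before reloading the ASA, which does not shut the
! module down automatically.
hostname# sw-module module sfr shutdown
hostname# hw-module module 1 shutdown
!
! Remove a software module image and its configuration, then reload the
! ASA before installing a new module.
hostname# sw-module module sfr uninstall
hostname# reload
```

Note the split in where each operation is performed: password reset and setup run inside the module through session ... do, while power and image lifecycle operations are ASA-side hw-module or sw-module commands.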
If you need to reimage the ASA FirePOWER hardware module in an ASA 5585-X appliance for any reason, you need to install both the Boot Image and a System Software package, in that order. You must install both packages to have a functioning system. Under normal circumstances, you do not need to reimage the system to install upgrade packages.
To install the boot image, you need to TFTP boot the image from the Management-0 port on the ASA FirePOWER SSP by logging into the module’s Console port. Because the Management-0 port is on an SSP in the first slot, it is also known as Management1/0, but rommon recognizes it as Management-0 or Management0/1.
To accomplish a TFTP boot, you must:
Once the boot image is installed, you install the System Software package. You must place the package on an HTTP, HTTPS, or FTP server that is accessible from the ASA FirePOWER.
The following procedure explains how to install the boot image and then install the System Software package.
Step 1 Connect to the Console port. Use the console cable included with the ASA product to connect your PC to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. See the hardware guide for your ASA for more information about the console cable.
Step 2 Enter the system reboot command to reload the system.
Step 3 When prompted, break out of the boot by pressing Esc. If you see grub start to boot the system, you have waited too long.
This will place you at the rommon prompt.
Step 4 At the rommon prompt, enter set and configure the following parameters:
Step 5 Enter sync to save the settings.
Step 6 Enter tftp to initiate the download and boot process.
You will see ! marks to indicate progress. When the boot completes after several minutes, you will see a login prompt.
Step 7 Log in as admin, with the password Admin123.
Step 8 Use the setup command to configure the system so that you can install the system software package.
You are prompted for the following. Note that the management address and gateway, and DNS information, are the key settings to configure.
Step 9 Install the System Software image using the system install command:
system install [ noconfirm ] url
Include the noconfirm option if you do not want to respond to confirmation messages.
When installation is complete, the system reboots. Allow 10 or more minutes for application component installation and for the ASA FirePOWER services to start.
Step 10 When the boot completes, log in as admin with the password Sourcefire.
Complete the system configuration as prompted.
You must first read and accept the end user license agreement (EULA). Then change the admin password, then configure the management address and DNS settings, as prompted. You can configure both IPv4 and IPv6 management addresses.
Step 11 Identify the FireSIGHT Management Center appliance that will manage this device using the configure manager add command.
You choose a registration key, which you then use in FireSIGHT Management Center when you add the device to its inventory. The following example shows the simple case. When there is a NAT boundary, the command is different; see Add ASA FirePOWER to the FireSIGHT Management Center.
Step 12 Log into the FireSIGHT Management Center using an HTTPS connection in a browser, using the hostname or address entered above. For example, https://DC.example.com.
Use the Device Management (Devices > Device Management) page to add the device. For more information, see the Managing Devices chapter in the FireSIGHT System User Guide or the online help in FireSIGHT Management Center.
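The following console transcript is an added example, not the chapter's own, showing Steps 2 through 6 of the hardware-module reimage above: reloading the module, breaking into rommon, setting the TFTP parameters and booting the boot image. The module address 10.1.1.10/24, gateway 10.1.1.1, TFTP server 10.1.1.5 and image name asasfr-boot-5585-<version>.img are placeholders, and the rommon variable names ADDRESS, SERVER, GATEWAY and IMAGE are assumed to be those of the SSP rommon. Steps 7 through 12 then continue with the setup, system install and configure manager add commands exactly as the procedure above describes.

```text
! Step 2: from the module console (9600 8N1, no flow control), reload.
> system reboot
!
! Step 3: press Esc when prompted during the boot; if grub starts loading
! the system you waited too long and must reboot again. You land at rommon.
!
! Step 4: show and set the TFTP boot parameters (assumed variable names,
! placeholder values). The Management-0 port on the SSP is used.
rommon #0> set
rommon #1> ADDRESS=10.1.1.10
rommon #2> SERVER=10.1.1.5
rommon #3> GATEWAY=10.1.1.1
rommon #4> IMAGE=asasfr-boot-5585-<version>.img
!
! Step 5: save the settings.
rommon #5> sync
!
! Step 6: download and boot the image; ! characters show progress and a
! login prompt appears after several minutes (admin / Admin123).
rommon #6> tftp
```

Keep the TFTP server on a network the Management-0 port can reach through the configured gateway; rommon has no routing beyond that single default gateway, so an unreachable server shows up as a stalled transfer rather than an error.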
Use FireSIGHT Management Center to apply upgrade images to the ASA FirePOWER module. Before applying an upgrade, ensure that the ASA is running the minimum required release for the new version; you might need to upgrade the ASA prior to upgrading the module. For more information about applying upgrades, see the FireSIGHT System User Guide or the online help in FireSIGHT Management Center.
If you are managing the module through ASDM, you can apply upgrades to the system software and components using Configuration > ASA FirePOWER Configuration > Updates. Click Help on the Updates page for more information.
The following topics provide guidance on monitoring the module. For ASA FirePOWER-related syslog messages, see the syslog messages guide. ASA FirePOWER syslog messages start with message number 434001.
To check the status of a module, enter one of the following commands:
Shows the status of modules. Include the 1 (for hardware modules) or sfr (for software modules) keyword to see status specific to the ASA FirePOWER module. Include the details keyword to get additional information, including the address of the device that manages the module.
Displays the location of the boot image used when installing the module.
The following is sample output from the show module command for an ASA 5585-X with an ASA FirePOWER hardware module installed:
The following example shows the details for a software module. Note that DC Addr indicates the address of the FireSIGHT Management Center that manages this device.
The following example shows the location of the ASA FirePOWER boot image that was used with the sw-module module sfr recover command when installing the module.
Use the show service-policy sfr command to display statistics and status for each service policy that includes the sfr command. Use clear service-policy to clear the counters.
The following example shows the ASA FirePOWER service policy and the current statistics as well as the module status. In monitor-only mode, the input counters remain at zero.
To show connections through the ASA FirePOWER module, enter one of the following commands:
Shows the NP rules created to send traffic to the ASA FirePOWER module.
Shows dropped packets. The drop types are explained below.
Shows if a connection is being forwarded to a module by displaying the ‘X - inspected by service module’ flag.
The show asp drop command can include the following drop reasons related to the ASA FirePOWER module.
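The following command set is an added example, not the chapter's own table, listing the ASA commands that correspond to the monitoring descriptions above, in the order a practitioner would run them when checking module health and traffic redirection. The module keyword is 1 for a hardware module and sfr for a software module.

```text
! Module status. Without a keyword all modules are listed; the ASA
! FirePOWER keyword narrows to that module and details adds the manager
! address (DC Addr).
hostname# show module
hostname# show module sfr
hostname# show module sfr details
!
! Boot image location used by the sw-module ... recover command.
hostname# show module sfr recover
!
! Service policy statistics and module status for every policy with an
! sfr action; clear resets the counters. Monitor-only keeps input at zero.
hostname# show service-policy sfr
hostname# clear service-policy
!
! Accelerated security path (NP) rules that divert traffic to the module.
hostname# show asp table classify domain sfr
!
! Dropped packets by reason, including module-related reasons such as
! packets the module requested to drop or fail-close drops.
hostname# show asp drop
!
! Connections flagged X ("inspected by service module") are being sent to
! the module.
hostname# show conn
```

Reading show asp drop before and after a test flow is the quickest way to distinguish a module policy drop from a fail-close drop caused by the module being down; show module sfr confirms which of the two it is.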
The following example diverts all HTTP traffic to the ASA FirePOWER module, and blocks all HTTP traffic if the module fails for any reason:
The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the ASA FirePOWER module, and allows all traffic through if the module fails for any reason.
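The following two configurations are added examples, not the chapter's own listings, implementing the two scenarios just described. The access list, class map and policy map names are assumed, HTTP is taken to be TCP port 80, the two destination networks are taken to be /24 prefixes, and the second policy is bound to an interface assumed to be named inside.

```text
! Example 1: all HTTP traffic to the module in inline mode, and block HTTP
! if the module fails (fail-close). global_policy is already applied to all
! interfaces in the default configuration.
hostname(config)# access-list ASASFR extended permit tcp any any eq 80
hostname(config)# class-map my-sfr-class
hostname(config-cmap)# match access-list ASASFR
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# class my-sfr-class
hostname(config-pmap-c)# sfr fail-close
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
!
! Example 2: all IP traffic destined for 10.1.1.0/24 and 10.2.1.0/24 to the
! module, and let that traffic through if the module fails (fail-open).
! Applied to the inside interface, which overrides global_policy there.
hostname(config)# access-list my-sfr-acl extended permit ip any 10.1.1.0 255.255.255.0
hostname(config)# access-list my-sfr-acl extended permit ip any 10.2.1.0 255.255.255.0
hostname(config)# class-map my-sfr-class2
hostname(config-cmap)# match access-list my-sfr-acl
hostname(config-cmap)# exit
hostname(config)# policy-map inside_policy
hostname(config-pmap)# class my-sfr-class2
hostname(config-pmap-c)# sfr fail-open
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inside_policy interface inside
```

The fail-close and fail-open choice decides the failure posture, not the inspection result: with fail-close the ASA drops matching traffic whenever the module is unavailable, which is the safer default for traffic the module is expected to enforce policy on, while fail-open preserves availability at the cost of uninspected traffic during an outage.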