Monday 29 August 2016

Cisco ASA 5545-X with Firepower Complete Initial Setup

Download the ASA SFR system software from Cisco.com
Download the boot image to the device.
Download the boot image to your workstation
Copy Boot Image to ASA Flash

Example

ASA# copy http://<HTTP_SERVER>/asasfr-5500x-boot-5.3.1-152.img disk0:/asasfr-5500x-boot-5.3.1-152.img

Configure SFR module

ASA# sw-module module sfr recover configure image disk0:/file_path

Example below:

ASA# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img

Load the ASA SFR boot image with the following command:

ASA# sw-module module sfr recover boot

Initial Configuration
Note: The default username is admin, and the default password is Admin123.
Example Below

ASA# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123
Enter the setup command in order to configure the system so that you can install the system software package:

asasfr-boot> setup
Provide the following settings:
· Host name
· Network address
· DNS information
· NTP information

System Software Installation
2. Enter the system install command:

asasfr-boot> system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of the .pkg file.

Example Below

asasfr-boot> system install http://<HTTP_SERVER>/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting

Package Detail
        Description: Cisco ASA-FirePOWER 5.3.1-152 System Install
        Requires reboot: Yes

Do you want to continue with upgrade? [y]: y

Upgrading
Starting upgrade process ...
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
(press Enter)

Broadcast message from root (ttyS1) (Mon Jun 23 09:28:38 2014):
The system is going down for reboot NOW!
Console session with module sfr terminated.

System Software Configuration
Configure the Firepower Software
Complete these steps in order to configure the Firepower software:
1. Open a session to the ASA SFR module.

ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:
2. Log in with the username admin and the password Sourcefire.
3. Complete the system configuration as prompted.

Register Device with Management Server

Using the Command Line Interface (CLI)

1. Connect to the CLI of the device that you want to register with FireSIGHT Management Center. This device could be any FirePOWER appliance, NGIPS Virtual appliance, or an ASA running FirePOWER services.
Note: If you are using an ASA with FirePOWER services as a managed device, you can open a console session to the module from the ASA CLI. If the ASA is running in multiple context mode, open the session from the system execution space.
2. Log in with the username admin or another username that has the CLI configuration (Administrator) access level.
3. At the prompt, register the device to a FireSIGHT Management Center using the configure manager add command.
Note: A unique alphanumeric registration key is always required to register a device to a FireSIGHT Management Center. This is a simple key that you specify, and is not the same as a license key.
The command has the following syntax:
> configure manager add <hostname | IPv4_address | IPv6_address | DONTRESOLVE> reg_key <nat_id>
In the above syntax,
  • <hostname | IPv4_address | IPv6_address | DONTRESOLVE> specifies either the fully qualified host name or IP address of the FireSIGHT Management Center. If the FireSIGHT Management Center is not directly addressable, use DONTRESOLVE.
  • reg_key is a unique alphanumeric registration key required to register a device to the FireSIGHT Management Center.
  • nat_id is an optional alphanumeric string used during the registration process between the FireSIGHT Management Center and the device. It is required if the hostname is set to DONTRESOLVE.
In most cases, you must provide the FireSIGHT Management Center's hostname or the IP address along with the registration key, for example:
> configure manager add DC_IP_Address my_reg_key
However, if the device and the FireSIGHT Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
> configure manager add DONTRESOLVE my_reg_key my_nat_id
In the following example, there is no NAT boundary between the FireSIGHT Management Center and the managed device, and 123456 is used as a registration key.
> configure manager add 192.0.2.2 123456
Manager successfully configured.
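
Added example, not part of the original post or of Cisco's software: when registration commands are generated for many devices, the syntax rules above can be checked before a line is sent to a console session. The function name build_manager_add is hypothetical, and "alphanumeric" is read strictly as ASCII letters and digits, so placeholders such as my_reg_key would be rejected.

```python
import ipaddress
import re

# Assumption: "alphanumeric" is read strictly as ASCII letters and digits.
_ALNUM = re.compile(r"[A-Za-z0-9]+")
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_host(value):
    """True for an IPv4/IPv6 literal or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # An all-numeric last label means a malformed IPv4 literal, not a name.
    return (len(value) <= 253 and not labels[-1].isdigit()
            and all(_LABEL.fullmatch(label) for label in labels))


def build_manager_add(manager, reg_key, nat_id=None):
    """Return the 'configure manager add' line or raise ValueError."""
    # fullmatch rejects spaces and newlines, which would otherwise shift
    # arguments or start a second command on the device console.
    if not _ALNUM.fullmatch(reg_key or ""):
        raise ValueError("reg_key must be a non-empty alphanumeric string")
    if nat_id is not None and not _ALNUM.fullmatch(nat_id):
        raise ValueError("nat_id must be alphanumeric")
    if manager == "DONTRESOLVE":
        if nat_id is None:
            raise ValueError("nat_id is required with DONTRESOLVE")
    elif not _is_host(manager):
        raise ValueError(f"not a host name or IP address: {manager!r}")
    parts = ["configure", "manager", "add", manager, reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs; 192.0.2.2 and 123456 are the values used on this page.
    print(build_manager_add("192.0.2.2", "123456"))
    print(build_manager_add("DONTRESOLVE", "regkey01", "natid01"))
```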

Add a Device to the FireSIGHT Management Center


1. Log into the web user interface of the Management Center. Click the Devices tab at the top of the page.


2. Click Add, which is located at the top right. A drop-down list appears. Click Add Device. A window pops up in the middle of the screen requesting the device information.


3. In the Host field, enter the IP address of the device.


4. In the Registration Key field, enter the one-time registration key that you specified earlier.

5. Set the rest of the options to your preference. If you used a NAT ID, click on Advanced to expand it and enter the same NAT ID in the Unique NAT ID field.
6. Click Register. You should now be able to manage your device from the FireSIGHT Management Center.