Cisco and SourceFIRE

Installing FirePOWER software module on ASA firewall.

We must have an ASA that supports the FirePOWER module: 5506-X, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X or 5585-X. For software modules, an SSD must be installed in the firewall; the SSD holds the image we will work with. The ASA 5506-X comes with an SSD installed. The ASA and the software module have to be at a certain level: the 5506-X must be at 9.3(2), and other ASA family members at 9.2(2.4). FirePOWER software must be 5.4.1 for the 5506-X and 5.3.1 for other family members.
All ASAs, with the exception of the 5506-X, must have a Defense Center or FireSIGHT installed that will manage the SFR modules. This can be a VM or an appliance and must run the same or a higher version of code than the software module. The 5506-X uses ASDM to manage the FirePOWER software.
If you have an ASA running some other software module, like IPS (ips) or CX (cxsc), the existing module has to be removed before installing the FirePOWER module. At this moment only one software module can be installed on an ASA.

ciscoasa# show module
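
The prerequisites above can be checked before starting. The following Python preflight is an added example, not part of the original post or any Cisco tool; the function names are hypothetical, and treating the stated versions as minimums is an assumption.

```python
import re

# Levels stated in the text above: model -> (ASA version, FirePOWER version).
# Treating them as minimums rather than exact matches is an assumption here.
_OTHER = ("9.2(2.4)", "5.3.1")
REQUIRED = {"5506-X": ("9.3(2)", "5.4.1")}
REQUIRED.update({m: _OTHER for m in
                 ("5512-X", "5515-X", "5525-X", "5545-X", "5555-X", "5585-X")})

# Software modules that must be removed first (names as used by sw-module).
CONFLICTING = {"ips", "cxsc"}


def ver(text):
    """Turn '9.2(2.4)', '9.2(2)4' or '5.3.1-152' into a comparable int tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def preflight(model, asa_version, sfr_version, manager_version=None, modules=()):
    """Return a list of problems; an empty list means the prerequisites are met."""
    if model not in REQUIRED:
        return [f"{model}: not in the list of supported models"]
    problems = []
    min_asa, min_sfr = REQUIRED[model]
    if ver(asa_version) < ver(min_asa):
        problems.append(f"ASA {asa_version} is below {min_asa}")
    if ver(sfr_version) < ver(min_sfr):
        problems.append(f"FirePOWER {sfr_version} is below {min_sfr}")
    for name in sorted(CONFLICTING & {m.lower() for m in modules}):
        problems.append(f"software module '{name}' must be uninstalled first")
    if model == "5506-X":
        pass  # managed through ASDM, no Defense Center required
    elif manager_version is None:
        problems.append("no Defense Center/FireSIGHT manager given")
    elif ver(manager_version)[:3] < ver(sfr_version)[:3]:
        # The manager must run the same or a higher version than the module.
        problems.append(f"manager {manager_version} is older than module {sfr_version}")
    return problems


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real device.
    for issue in preflight("5515-X", "9.2(2)", "5.3.1", "5.3.0", modules=["cxsc"]):
        print("FAIL:", issue)
    print(preflight("5506-X", "9.3(2)", "5.4.1") or "5506-X: OK")
```
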

Remove existing software module by issuing:

ciscoasa# sw-module module cxsc shutdown
ciscoasa# sw-module module cxsc uninstall
ciscoasa# reload

Now we are ready to install the SFR module.
Upload a small Linux distribution file, called the boot image, and start it. This image allows us to connect to the network to retrieve and start the software installation from a software package called the system image.

copy ftp://max:maxMax@20.20.20.10/asasfr-5500x-boot-5.3.1-152.img disk0:

ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
ciscoasa# sw-module module sfr recover boot

Module sfr will recover and all data will be erased.

To track the loading, issue the debug module-boot command.
Connect to the module with session sfr console.

Log in with admin/Admin123 and continue with the boot image setup.

Once installation is done, fetch the system image file from FTP:

asasfr-boot>system install ftp://max:maxMax@20.20.20
asasfr-boot> system install ftp://spop:spop123@10.10.10.10/asasfr-sys-5.3.1-152.pkg

Verify the installation with show module sfr, then log in to the sfr module with the session sfr console command.

The prompt changes to SourceFire3D login. Log in with admin/SourceFire and complete the installation process.

After installation, configure the SFR module to register with the Defense Center by issuing:

> configure manager add <manager IP> <secretkey>

To exit sfr module, type exit and CTRL+SHIFT+6+X

Access the Defense Center and add the module using the sfr IP address.

The sfr module uses the management0/0 interface on the ASA to communicate with the network.

Install FireSIGHT Defense Center VM and basic configuration

Download the FireSIGHT VM from Cisco’s web site.
Create a VM on an ESXi host.
Console into the new VM and watch the VM booting (if you have nothing else to do)
Once booted, log in to the VM by entering admin/Sourcefire
The prompt will change to Sourcefire3D#

Enter the following command to initiate IP address configuration:
# sudo /usr/local/sf/bin/configure-network

Enter the IP address, subnet mask and default gateway, and save the config.

This will do the trick for basic config.
Connect to the Defense Center at https://DefenseCenterIPAddress and log in with admin/Sourcefire

Continue the Defense Center configuration by:
– changing the default admin password
– entering DNS server IP addresses
– entering NTP server IP addresses
– entering licence info (first you must obtain the correct licence from Cisco)
– adding the ASA into the Defense Center (also, add the FireSIGHT manager into the ASA).

 

 

 
