"The What?" - In this blog I want to cover a general understanding of the FirePOWER service module on the ASA, including the basics of installation & configuration. Note that the ASA FirePOWER module is also known as the SFR module.
"The Why?" - The ASA FirePOWER services allow the following capabilities & benefits:
Access control: You can build a more complete access control policy, enriched with security threat intelligence. Rules can be simple or complex, and they can control traffic based on security zones, network or geographical location, ports, applications, requested URLs, and user identity.
Intrusion detection and prevention: You define intrusion detection and prevention policies based on your access control policies. You get the ability to create or tweak custom policies at a granular level to specify how traffic is inspected in a network.
AMP and file control: You can detect, track, capture, analyze, and optionally block the transmission of files, including malware files and nested files inside archive files in network traffic.
Application programming interfaces (APIs): Cisco ASA FirePOWER Services supports several ways to interact with the system using APIs.
It is also important to understand that an ASA with a software/hardware module running FirePOWER services is running two different images on the same box: the ASA handles traffic first and then redirects it to the FirePOWER module for L7 inspection. The NGFW FirePOWER Threat Defense (FTD) is a unified image that combines the ASA and FirePOWER software into a single image.
"The How?" - Now I will dive into installation & configuration.
Note: The SFR module can be a hardware module on ASA 5585-X or a software module on ASA 5500-X models with a solid state drive.
Before we completely dive in I want to cover a few good-to-know items:
Deployment modes: There are two modes: inline & promiscuous. In inline mode traffic passes through the ASA firewall policies and is then sent to the ASA SFR module, which can drop or modify it. In promiscuous (monitor-only) mode the module receives only a copy of each packet, so it can audit/monitor traffic and let you evaluate what the module would do, but it cannot block anything.
Licensing: There are a variety of licenses for ASA FirePOWER services. The options include the following:
Protection: IDS/IPS, File Control, & Security Intelligence filtering
Control: User & Application Control
Malware: Advanced Malware Protection (network-based malware detection & blocking)
URL: Category & reputation-based URL filtering
Now I will cover the actual installation & configuration of the SFR module on the ASA. Installation requirements:
ASA software 9.2.2 or later
ASA platform 5512-X - 5555-X
FirePOWER software version 5.3.1 or later
Installation & Configuration building blocks:
Install SFR Module on ASA
Setup the ASA SFR Boot Image
Configure SFR Software
Building Block 1: Installing SFR Module on ASA
Ensure you have downloaded the software and placed it on a server reachable from the ASA, or on a USB stick attached directly to the unit. You will need to copy the image to disk0:/. An example is as follows:
#copy http://<HTTP_SERVER>/asasfr-5500x-boot-5.3.1-152.img disk0:/asasfr-5500x-boot-5.3.1-152.img
Once the image is on disk0:/ you need to configure the ASA SFR boot image location as follows:
#sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
The last part of building block 1 will be to actually load the boot image:
#sw-module module sfr recover boot --This should take 10-15 minutes
Building Block 2: Setting up the ASA SFR Boot Image
In this step you will configure the newly installed SFR boot image. To begin, start with this:
# session sfr console
Upon entering that command you should see the following:
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123
Note that Admin123 is the boot image's default password. Change the admin password as soon as the full SFR image is installed (from the SFR CLI with configure password) so the module is not left on a published default.
At this point you are ready to configure the SFR module. The boot image's interactive setup prompts you for several items, including hostname, network address, DNS, & NTP. Once that is completed you can proceed with the install:
asasfr-boot >system install disk0:/asasfr-sys-5.3.1-152.pkg
Note that the module reboots after the installation. Once it comes back up, you can verify that the SFR services are UP via:
#show module sfr
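Waiting for the module to come back is the step people get wrong: right after "recover boot" or "system install" the status reads Recover or Init for a while, and proceeding before everything reports Up leaves you with a half-installed module. The script below is an added example (my own code, not from the original post or from Cisco) that parses the output of show module sfr and decides whether the module is ready. The two sample outputs are constructed by hand to mirror the command's table layout; the exact column names and spacing on a real ASA may differ, so compare the parser against your own output before relying on it.

```python
"""Readiness check for the ASA FirePOWER (SFR) module from `show module sfr`.

Added example, not code from the original post or from Cisco. The sample
outputs are constructed to mirror the command's layout (header line, dash
separator, one `sfr` row per table); verify against real output first.
"""
import re
from dataclasses import dataclass

# Constructed sample: installation finished, module and application are Up.
SAMPLE_UP = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
 sfr FirePOWER Services Software Module           ASA5525            JAD00000000

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
 sfr 0000.0000.0001 to 0000.0000.0001  N/A          N/A          5.3.1-152

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.3.1-152

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up
"""

# Constructed sample: still inside `sw-module module sfr recover boot`.
SAMPLE_RECOVER = """\
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr Unknown                        Not Applicable   Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Recover            Not Applicable
"""


@dataclass
class SfrState:
    module_status: str = ""
    data_plane_status: str = ""
    app_name: str = ""
    app_status: str = ""
    app_version: str = ""
    sw_version: str = ""


def _rows(text):
    """Yield {column header: value} for every data row of every table.

    Columns are separated by two or more spaces in the header and the data
    rows; the module name ("sfr") is followed by a single space, so it is
    split off first. Tables are recognised by their dash separator line.
    """
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[1].lstrip().startswith("----"):
            continue
        names = re.split(r"\s{2,}", lines[0].strip())
        for line in lines[2:]:
            if not line.strip():
                continue
            mod, _, rest = line.strip().partition(" ")
            values = [mod] + re.split(r"\s{2,}", rest.strip())
            yield dict(zip(names, values))


def parse_show_module_sfr(text):
    """Pick the fields that matter for readiness out of the parsed tables."""
    state = SfrState()
    for row in _rows(text):
        if row.get("Mod") != "sfr":
            continue
        if "Data Plane Status" in row:          # module-level status table
            state.module_status = row.get("Status", "")
            state.data_plane_status = row.get("Data Plane Status", "")
        elif "SSM Application Name" in row:     # application status table
            state.app_name = row.get("SSM Application Name", "")
            state.app_status = row.get("Status", "")
            state.app_version = row.get("SSM Application Version", "")
        elif "Sw Version" in row:               # version table
            state.sw_version = row.get("Sw Version", "")
    return state


def sfr_problems(text, expected_version=None):
    """Return the reasons the module is not ready; an empty list means ready.

    Module, data plane and application must all report Up. When
    expected_version is given (e.g. "5.3.1-152"), the running application
    version must match the package that was installed.
    """
    s = parse_show_module_sfr(text)
    problems = []
    for label, value in (("module status", s.module_status),
                         ("data plane status", s.data_plane_status),
                         ("application status", s.app_status)):
        if value != "Up":
            problems.append(f"{label} is {value or 'missing'}, not Up")
    if expected_version and s.app_version != expected_version:
        problems.append(f"application version is {s.app_version or 'missing'}, "
                        f"expected {expected_version}")
    return problems


if __name__ == "__main__":
    for name, sample in (("SAMPLE_UP", SAMPLE_UP), ("SAMPLE_RECOVER", SAMPLE_RECOVER)):
        issues = sfr_problems(sample, expected_version="5.3.1-152")
        print(name, "ready" if not issues else "not ready: " + "; ".join(issues))
```

Run it against the text you capture from the ASA (for example over SSH in a polling loop) and only move on to registering the module when sfr_problems returns an empty list. Passing the version string of the package you installed catches the case where the module came up on an older image because the install never completed.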
Building Block 3: Configuring SFR Software
There are two options for managing the security policies: the on-box ASDM or a Firepower Management Center (FMC).
To manage policies from an FMC, you need to register the SFR module to that FMC:
Gain access to module via ASA CLI:
#session sfr console
> configure manager add DC_IP_Address my_reg_key
Here DC_IP_Address is the address of the FMC and my_reg_key is a registration key you choose; you must enter the same key on the FMC when you add the device there, so treat it as a one-time shared secret.
After successful registration you should see the following:
Manager successfully configured.
Alternatively, you can manage the module through the on-box ASDM without an FMC.
Lastly, for building block 4, Traffic Redirection and packet flows, see here: Traffic Redirection to ASA FirePOWER Module