Installing & Configuring FirePOWER Services Module on ASA - CLI

"The What?" - In this blog I want to cover a general understanding of the FirePOWER service module on the ASA, to include the basics of installation & configuration. Note that the ASA FirePOWER module is also known as SFR module.

"The Why?" - The ASA FirePOWER services allow the following capabilities & benefits:

Access control: You can achieve a more complete access control policy with enrichment data based on security threat intelligence. You configure simple or complex rules, you can control traffic based on security zones, network or geographical locations, ports, applications, requested URLs, and per user.

Intrusion detection and prevention: You define intrusion detection and prevention policies based on your access control policies. You get the ability to create or tweak custom policies at a granular level to specify how traffic is inspected in a network.

AMP and file control: You can detect, track, capture, analyze, and optionally block the transmission of files, including malware files and nested files inside archive files in network traffic.

Application programming interfaces (APIs): Cisco ASA FirePOWER Services supports several ways to interact with the system using APIs.

It is also important to understand that the ASA with software/hardware module running FirePower services means that there are two different images running on the same box & traffic is redirected to FirePOWER for L7 inspection. The NGFW FirePOWER Threat Defense (FTD) is a unified image combining ASA and FirePOWER software into a single image.

"The How?" - Now I will dive into installation & configuration.

Note: The SFR module can be a hardware module on ASA 5585-X or a software module on ASA 5500-X models with a solid state drive.

Before we completely dive in I want to cover a few good-to-know items:

  • Deployment modes: There are two types of modes: inline & promiscuous. In Inline mode traffic passes through the firewall policies before being sent to ASA SFR. Promiscuous mode allows us to audit/monitor packets to evaluate performance. A copy of packets are sent to the module while in this state.

  • Licensing: There are a variety of licenses for ASA FirePOWER services. The options include the following:

  • Protection: IDS/IPS, File Control, & Security Intelligence filtering

  • Control: User & Application Control

  • Malware: Advanced Malware Protection (network-based malware detection & blocking)

  • URL: Category & reputation-based URL filtering

Now I will cover the actual installation & configuration of the SFR module on ASA. Installation required components:

  • ASA software 9.2.2 or later

  • ASA platform 5512-X - 5555-X

  • FirePOWER software version 5.3.1 or later

Installation & Configuration building blocks:

  1. Install SFR Module on ASA

  2. Setup the ASA SFR Boot Image

  3. Configure SFR Software

  4. Traffic Redirection

Building Block 1: Installing SFR Module on ASA

Ensure you have downloaded the software and place it in on a server accessible from the ASA or via USB stick directly attached to the unit. You will need to copy the image to disk0:/. An example is as follows:

#copy http://<HTTP_SERVER>/asasfr-5500x-boot-5.3.1-152.img

Once the image is on disk0:/ you need to configure the ASA SFR boot image location as follows:

#sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img

The last part of building block 1 will be to actually load the boot image:

#sw-module module sfr recover boot --This should take 10-15 minutes

Building Block 2: Setting up the ASA SFR Boot Image

In this step you will configure the newly installed SFT boot image. To begin start with this:

# session sfr console

Upon entering that command you should see the following:

Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
Password: Admin123

At this point you will be ready to configure the SFR module. To start the configuration, enter the following:

asasfr-boot> setup

After this occurs you are prompted for several items to include hostname, network address, dns, & ntp. Once completed you can now proceeed with the install:

asasfr-boot >system install disk0:/asasfr-sys-5.3.1-152.pkg

Note upon installation the system will reboot. Once the unit reboots, you can verify that SFR services are UP via:

#show module sfr

Building Block 3: Configuring SFR Software

Two options to manage the security policies: ASDM or Firepower Management Center (FMC).


You need to add the SFR module to a FMC in order to manage policies:

Gain access to module via ASA CLI:

#session sfr console
> configure manager add DC_IP_Address my_reg_key

After successful registration you should see the following:

Manager successfully configured.


You can manage the module via the on-box ASDM:

Lastly, for building block 4, Traffic Redirection and packet flows, see here: Traffic Redirection to ASA FirePOWER Module



Recent Posts

See All

"The What?" - In this blog I want to share some valuable Digital Network Architecture Center (DNAC) tips & tricks that I have collected that are quite useful when needing to troubleshoot/perform some

In this post I want to cover the ESA Email pipeline. The email pipeline represents how emails are processed through the system from start to finish. The pipeline consists of 3 main phases: Receipt:

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it