(Part 2: Installation and deployment)
This is the second of three articles that will cover the Cisco ASA Next-Generation firewall platforms and Cisco FirePOWER services. Part 1 of the series was an introduction and technical overview of the system. Today we will cover the installation and deployment of the ASA 5500-X Next-Generation firewalls with FirePOWER services. This blog will outline the overall deployment process and assist with configuring the basic settings for FirePOWER services. In the final post I will review everything after we take it for a test drive.
We will need to cover a few things before configuring everything. First, you will need a Next-Generation ASA 5500-X running 9.2.2 code (or later) with the applicable licensing (see here for more info on licensing: https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html). Second, since the FirePOWER module on the ASA will need to report to the Virtual Defense Center, you will need a VMware vSphere 5.1 (or later) infrastructure in place. Third, deploying the Cisco ASA will require a laptop/PC/other device with an FTP and TFTP server installed (I used FileZilla and TFTPD32) to transfer the installation packages to the module on the ASA.
The general deployment process is as follows:
- Install and configure the Sourcefire module on the ASA
- Install and configure the Virtual Defense Center
- Register the Sourcefire module with the Virtual Defense Center
Step 1 to deploy Cisco ASA: Configure Sourcefire module
Let’s get started by installing the Sourcefire module on the ASA. First, load the boot image (asasfr-5500x-boot-5.4.0-763.img, referenced in the command below) onto the ASA’s disk0 with a TFTP server.
We will then point the ASA to that boot image for the Sourcefire module and start a session with the Sourcefire console.
ASADemo# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.4.0-763.img
ASADemo# sw-module module sfr recover boot
Next we will set up the ASA SFR boot image by configuring some basic network settings, which include: host name, IP address, DNS server(s), NTP server. Session into the Sourcefire console with the following command:
ASADemo# session sfr console
Enter the credentials: admin/Admin123
Now configure the basic network settings on the device. Then copy the FirePOWER package to the module: connect to the management port on the ASA and transfer the image via FTP to the module using the command listed below. (Note: the URL contains the username and password configured on the FTP server, followed by the IP address of the FTP server.)
asasfr-boot> system install ftp://ftpuser:<ftp-password>@<ftp-server-ip>/asasfr-sys-5.4.0-764.pkg
Once you have loaded the image onto the module it will prompt you to select “yes” to proceed with the upgrade. It will then update the software on the module. Don’t forget to press “enter” when the installation completes to reboot the ASA module. (Don’t worry… this will reboot only the module, not the ASA chassis.)
Now we will configure some basic network settings for the FirePOWER module. Complete the system configuration by accepting the EULA (end user license agreement), changing the admin password, and entering the necessary network and IP info.
ASADemo# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.4.0 (build 763)
Sourcefire3D login:
Enter the following login credentials at the Sourcefire3D login prompt: admin/Sourcefire
Step 2 to deploy Cisco ASA: Configure Virtual Defense Center
Next we will stand up the Virtual Defense Center. Log in with your Cisco CCO account and grab the Virtual Defense Center files (these come as a “.tar.gz” archive). Extract the archive using 7-Zip or another archiving program, save the extracted files to your local machine, and then import them into the vSphere environment.
Log into the ESXi host/vCenter server and deploy the OVF file using the default settings for provisioning.
Once the process has completed, power on the Virtual Defense Center VM and click on the console tab within the vSphere client. Give it a few minutes to load. If you happen to see the “No such device” message, press “enter” to drop into the Sourcefire3D login prompt.
Use the following login credentials to gain root access: admin/Sourcefire
admin@Sourcefire3D:~$ sudo su -
Password:
Next, run this script as root:
Now configure a management IP address for the Virtual Defense Center. (I’ve used 10.0.100.253 in our example.)
Complete the system configuration by accepting the EULA, changing the admin password, and entering the necessary network and IP info.
Now open your browser to the management IP address (as a reminder, I’ve used https://10.0.100.253) and complete the initial setup by populating the fields below.
Step 3 to deploy Cisco ASA: Register Sourcefire module with Virtual Defense Center
Now we will register the Sourcefire module with the newly installed FireSIGHT Management Center (Virtual Defense Center). Log in to the ASA and start a new session to the Sourcefire module by using this command:
session sfr console
Enter your credentials for the SFR module and run the “configure manager” command. Syntax:
configure manager add (IP address of SFR module) (registration key/password)
configure manager add 10.0.100.252 F!r3P0w3R
Now use a browser to log in to the Web interface of the FireSIGHT Management Center. Click on “Devices” and select the “Add Device” dropdown. Input the IP address of the Sourcefire module on the ASA and the registration key (from the configure manager command above).
Now let’s redirect the network traffic through the Sourcefire module for inspection. This is done on the ASA itself by creating an access list, applying the ACL to a class-map, and tying it to the “global_policy” policy-map. The Sourcefire module will be set to inline mode by using the “fail-open” command.
ASADemo(config)# access-list sfr_redirect_policy extended permit ip any any
ASADemo(config)# class-map sfr_map
ASADemo(config-cmap)# match access-list sfr_redirect_policy
ASADemo(config)# policy-map global_policy
ASADemo(config-pmap)# class sfr_map
ASADemo(config-pmap-c)# sfr fail-open
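As an added example (not from the original post), here is a slightly fuller version of the same redirect policy that a defender would normally want in production: the ACL excludes traffic to and from the Defense Center so that registration and event reporting are never looped back through the module, and the alternatives to fail-open are shown next to it. 10.0.100.253 is the Virtual Defense Center address used earlier in this post; 192.168.10.0/24 as the inside network is an assumption.

```cisco
! Added example, not from the original post. Assumes the inside network is
! 192.168.10.0/24; 10.0.100.253 is the Virtual Defense Center address used above.
!
! 1. Redirect ACL. Deny entries exempt traffic from the class, so management and
!    event traffic to/from the Defense Center is never sent through the module.
access-list sfr_redirect_policy extended deny ip any host 10.0.100.253
access-list sfr_redirect_policy extended deny ip host 10.0.100.253 any
access-list sfr_redirect_policy extended permit ip 192.168.10.0 255.255.255.0 any
!
! 2. Class-map that matches the redirect ACL.
class-map sfr_map
 match access-list sfr_redirect_policy
!
! 3. Tie the class to the default global policy-map.
policy-map global_policy
 class sfr_map
  ! fail-open: if the module is down or reloading, matched traffic still passes,
  ! but uninspected. Pick deliberately; the alternatives are:
  !   sfr fail-close             (drop matched traffic while the module is unavailable)
  !   sfr fail-open monitor-only (passive copy to the module; it cannot block anything)
  sfr fail-open
!
! The global policy-map is normally already applied; this line makes it explicit.
service-policy global_policy global
!
! 4. Verification commands (exec mode): module state and version, then the
!    per-class counters that show traffic is actually being redirected.
! show module sfr details
! show service-policy sfr
```

If the counters from show service-policy sfr stay at zero, the usual cause is that the ACL does not match the traffic you expect or that the class was added to a policy-map other than the one applied globally.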
If you have made it this far, you now have everything configured to begin analyzing traffic and use the Sourcefire IPS functionality. In some deployments I have seen basic traffic analysis and reporting to the FireSIGHT console in less than five minutes. Not bad at all, considering the level of visibility it gives us into the network in such a short amount of time. Once the dashboard begins to display the network traffic, be sure to check out the following link from Cisco TAC to complete the deployment:
This resource will go into great detail regarding how to customize and configure the FirePOWER services for your environment, including:
- Installing licenses (Protection, Control, Advanced Malware Protection, and URL Filtering)
- Applying a System and Health Policy
- Configuring an Intrusion Policy
- Configuring/applying an Access Control Policy
If you’ve followed along, you have read about how to deploy the Cisco ASA and configure the basic settings for FirePOWER services. At first glance, the FireSIGHT dashboard may look a bit overwhelming, but that’s okay. The good news is that you can customize the display and plug in whatever “widgets” you like. Set it up to view everything at a glance, or make it less cluttered if you are only using certain license features. Dig in and enjoy!
In Part 3 of the series I’ll review the product and provide some analysis of how it performs in the field.