To upgrade an ASA’s FirePOWER module to version 6 and get it ready to be integrated into FirePOWER Management Center is a bit of a process but thankfully most of it isn’t production impacting.
First a few prerequisites.
- The ASA must have a SSD drive installed and functional. Do a show inventory from the CLI to make sure one is found before you get started, if you have a drive installed but it’s not showing up try rebooting the ASA.
- Make sure you are running version 9.4 or later of the ASA code.
- Make sure you have a FTP server that’s accessible to the ASA
Next, we need to make sure only the SFR module is active. Only one feature can be active at a time so run the following command from the CLI:
IF CSX is running do the following commands:
- sw-module module cxsc shutdown
- sw-module module csxcuninstall
IF IPS is running do the following commands:
- sw-module module ips shutdown
- sw-module module ips uninstall
Now that we’re ready, download the images from Cisco’s website. Match the version to the version of the FirePOWER Management Center you will attach this too. Once you obtain the .img file, copy it to the disk0: drive on the ASA.
Now we can start the upgrade, from the CLI:
- sw-module module sfr recover configure image disk0:/asfr-5500x-boot-6.0.0-1005.img disk0:
- sw-module module sfr recover boot
Confirm the recovery has happened, the ASA itself won’t reboot, just the SFR module. It takes some time but you can view it’s progress by running:
show module sfr log console
Once it’s finally up, connect to the SFR module via a session command, from the CLI:
session sfr console
The default credentials are admin/Admin123
From the > prompt type setup
Follow the prompts to setup IPv4 and enter the requested information.
At the end of the min-wizard the module will reboot again. Once that is done, from the session prompt (>) execute:
system install ftp://user:pw@ftpserver/asafr-sys-220.127.116.115.pkg where user:pw is replaced by your FTP username/password and ftpserver is replaced by your FTP server.
This part takes SO LONG to do! I’ve had to wait around 2 hours for this part to finish. When it’s done, session back into the SFR Module.
session sfr console
The credentials are now admin/Sourcefire (nice right? it changes between revisions).
You have to accept the EULA and walkthrough the new setup process again, entering the same information you entered previously.
At this point the base configuration is done. If you re-connect via the latest version of ASDM you will see all the FirePOWER options in the GUI.
You can begin managing the device here or add it to a FirePOWER Management Center to be managed. Check out this post for setting up a FMC.
Oh and if you didn’t know, CTRL+SHIFT+6+x is the magic key combination to exit your session and return back to the ASA in the CLI.