Introduction
In today’s ever-changing cybersecurity environment, having a resilient firewall is more critical than ever. Cisco’s Adaptive Security Appliance (ASA) with FirePOWER Services stands as a formidable line of defense, combining the robust ASA firewall with cutting-edge malware protection. However, there are instances where the ASA FirePOWER (SFR) module may experience severe failures or crashes. When this happens, the ability to reimage and restore the module without resorting to Cisco’s Technical Assistance Center (TAC) becomes invaluable. This blog post is your go-to guide for troubleshooting, reimaging, and restoring your ASA FirePOWER module to full functionality, all without the need for external support.
Prerequisites
Before diving into the reimaging process, ensure you meet the following prerequisites:
- Cisco ASA software Version 9.2.2 or later
- Cisco ASA platforms 5508-X through 5555-X
- FirePOWER Software Version 5.3.1 or later
- At least 3GB of free space on the flash drive (disk0)
- Access to privileged EXEC mode on the ASA
- FTP or HTTP/S server available and reachable for transfering the installation image into the FirePower module
Steps to Reimage the ASA FirePOWER Module
Step 1: Download Required Software
Download the following software from Cisco.com:
- ASA FirePOWER module boot image
- ASA FirePOWER module install package

Step 2: Transfer the Boot Image
Method 1: Using SCP (Secure Copy Protocol)
Use a secure copy protocol (SCP) or any other method to transfer the downloaded boot image to the ASA device.
scp [boot-image-file] [username]@[ASA-IP]:disk0:/
Method 2: Using ASDM (Adaptive Security Device Manager)
- Open the Cisco ASDM and log in to your ASA device.
- Navigate to
Tools
>File Management
. - In the
File Management
window, selectFile Transfer
>Between Local PC and Flash
. - Browse your local files and select the downloaded Firepower boot image.
- Choose the destination as
disk0:/
on the ASA device and clickTransfer
.

Step 3: Configure the ASA SFR Boot Image
Before You Begin
When you reimage a module, use theshutdown
and uninstall
commands that are used in order to remove an old SFR image. Here is an example:
ciscoasa# sw-module module sfr shutdown
ciscoasa# sw-module module sfr uninstall
Run the following commands to configure the ASA SFR boot image location in the ASA flash drive:
ciscoasa# sw-module module sfr recover configure image disk0:
/asasfr-5500x-boot-7.0.6-236.img
And then load the ASA SFR boot image:
ciscoasa# sw-module module sfr recover boot
During this time, if you enable debug module-boot
on the ASA, you can follow the install process logs.
Step 4: Wait for the Boot Process
Wait approximately 5 to 15 minutes for the ASA SFR module to boot up. Once done, open a console session to the operational ASA SFR boot image.
Note: The default username is admin
. The password differs based on software release:Adm!n123
for 7.0.1 (new device from the factory only), Admin123
for 6.0, and later, Sourcefire
for pre-6.0.
ciscoasa# session sfr console
Step 5: Set Up the ASA SFR Boot Image
Enter the setup command if not setup has started automatically:
asasfr-boot> setup
After opening a session, you’ll be prompted to enter various configurations like hostname, network address, DNS information, and NTP information.
Step 6: Install the System Software
Run the following command to install the system software image:
asasfr-boot >system install noconfirm ftp://<FTP_SERVER>/asasfr-sys-7.0.6-236.pkg
After the installation is complete, the system will reboot. Allow ten or more minutes for the application component installation and for the ASA SFR services to start.
This process will take a lot of time, 45 minutes to 1 hour is normal.
The output of the show module sfr
command indicates that all processes are Up
.
Configure the FirePOWER Software
Enter a session to the ASA SFR Module
ciscoasa# session sfr
Complete the system configuration as prompted, which occurs in this order:
- Read and accept the End User License Agreement (EULA).
- Change the admin password.
- Configure the management address and DNS settings, as prompted.
Configure the FireSIGHT Management Center
Step 1: Add a FireSIGHT Management Center to Your Managed Device
Add the manager (FMC ip address) and your device hostname, then a key you must remember because it’s need to match your FMC configuration.
> configure manager add hostname IPv4_address reg_key
Step 2: Add a Device to the FireSIGHT Management Center
1. Log into the web user interface of the Management Center. Click the Devices tab at the top of the page.

2. Click Add which is located at the top right. A drop down list appears. Click Add Device. A window pops up in the middle of the screen requesting the device informaiton.

3. In the Host field, enter the IP address of the device.
4. In the Registration Key field, enter the one-time registration key that you specified earlier.

6. Click Register. You should now be able to manage your device from the FireSIGHT Management Center.
Remember to check your Access Control Policy, Licensing and to deploy to the device.
Conclusion
Reimaging the ASA FirePOWER module is a straightforward process if you follow the steps carefully. This guide should help you navigate through the reimaging process seamlessly, ensuring your Cisco ASA with FirePOWER services is up-to-date and secure.