Conquer the Challenge: Your Step-by-Step Guide to Flawlessly Reimaging Cisco’s ASA FirePOWER Module

Introduction

In today’s ever-changing cybersecurity environment, having a resilient firewall is more critical than ever. Cisco’s Adaptive Security Appliance (ASA) with FirePOWER Services stands as a formidable line of defense, combining the robust ASA firewall with cutting-edge malware protection. However, there are instances where the ASA FirePOWER (SFR) module may experience severe failures or crashes. When this happens, the ability to reimage and restore the module without resorting to Cisco’s Technical Assistance Center (TAC) becomes invaluable. This blog post is your go-to guide for troubleshooting, reimaging, and restoring your ASA FirePOWER module to full functionality, all without the need for external support.

Prerequisites

Before diving into the reimaging process, ensure you meet the following prerequisites:

  • Cisco ASA software Version 9.2.2 or later
  • Cisco ASA platforms 5508-X through 5555-X
  • FirePOWER Software Version 5.3.1 or later
  • At least 3GB of free space on the flash drive (disk0)
  • Access to privileged EXEC mode on the ASA
  • FTP or HTTP/S server available and reachable for transferring the installation image into the FirePOWER module

Steps to Reimage the ASA FirePOWER Module

Step 1: Download Required Software

Download the following software from Cisco.com:

  • ASA FirePOWER module boot image
  • ASA FirePOWER module install package

Step 2: Transfer the Boot Image

Method 1: Using SCP (Secure Copy Protocol)

Use a secure copy protocol (SCP) or any other method to transfer the downloaded boot image to the ASA device.

scp [boot-image-file] [username]@[ASA-IP]:disk0:/

Method 2: Using ASDM (Adaptive Security Device Manager)

  1. Open the Cisco ASDM and log in to your ASA device.
  2. Navigate to Tools > File Management.
  3. In the File Management window, select File Transfer > Between Local PC and Flash.
  4. Browse your local files and select the downloaded Firepower boot image.
  5. Choose the destination as disk0:/ on the ASA device and click Transfer.

Step 3: Configure the ASA SFR Boot Image

Before You Begin

When you reimage a module, use the shutdown and uninstall commands to remove the old SFR image. Here is an example:

ciscoasa# sw-module module sfr shutdown
ciscoasa# sw-module module sfr uninstall

Run the following commands to configure the ASA SFR boot image location in the ASA flash drive:

ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-7.0.6-236.img

And then load the ASA SFR boot image:

ciscoasa# sw-module module sfr recover boot

During this time, if you enable debug module-boot on the ASA, you can follow the install process logs.

Step 4: Wait for the Boot Process

Wait approximately 5 to 15 minutes for the ASA SFR module to boot up. Once done, open a console session to the operational ASA SFR boot image.

Note: The default username is admin. The password differs based on software release: Adm!n123 for 7.0.1 (new device from the factory only), Admin123 for 6.0 and later, and Sourcefire for pre-6.0.

ciscoasa# session sfr console

Step 5: Set Up the ASA SFR Boot Image

Enter the setup command if setup has not started automatically:

asasfr-boot> setup

After opening a session, you’ll be prompted to enter various configurations like hostname, network address, DNS information, and NTP information.

Step 6: Install the System Software

Run the following command to install the system software image:

asasfr-boot> system install noconfirm ftp://<FTP_SERVER>/asasfr-sys-7.0.6-236.pkg

After the installation is complete, the system will reboot. Allow ten or more minutes for the application component installation and for the ASA SFR services to start.

This process takes a long time; 45 minutes to 1 hour is normal.

Once the services have started, the output of the show module sfr command indicates that all processes are Up.
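The readiness check above can be scripted rather than eyeballed during the long wait. The following Python is an added example, not part of the original guide: it parses the key/value output of show module sfr details (using the details form is an assumption here; the guide itself refers to show module sfr) and reports which fields have not yet reached their ready values. Both sample outputs are constructed.

```python
import re

# Fields that must reach these values before opening a session to the module.
# Labels follow the key/value layout of `show module sfr details`
# (assumption: adjust if your release prints different labels).
REQUIRED = {
    "Status": "Up",
    "App. Status": "Up",
    "Data Plane Status": "Up",
    "Console session": "Ready",
}

def parse_details(text):
    """Turn 'Label:   value' lines into a dict; prompts and banners are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z. ]*?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def not_ready(text):
    """Return {label: observed value} for every required field not at its target."""
    fields = parse_details(text)
    return {label: fields.get(label, "<missing>")
            for label, want in REQUIRED.items() if fields.get(label) != want}

# Constructed sample: module still in recovery after `recover boot`.
DURING_RECOVER = """ciscoasa# show module sfr details
Getting details from the Service Module, please wait...
Card Type:          FirePOWER Services Software Module
App. Status:        Not Present
Data Plane Status:  Not Applicable
Console session:    Not ready
Status:             Recover
"""

# Constructed sample: system package installed and services started.
AFTER_INSTALL = """Card Type:          FirePOWER Services Software Module
Software version:   7.0.6-236
App. Status:        Up
Data Plane Status:  Up
Console session:    Ready
Status:             Up
"""

if __name__ == "__main__":
    for name, sample in (("recover", DURING_RECOVER), ("installed", AFTER_INSTALL)):
        pending = not_ready(sample)
        print(name, "READY" if not pending else f"WAIT {pending}")
```

A field that is absent from the output is reported as `<missing>` and treated as not ready, so truncated or partial command output never passes the check.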

Configure the FirePOWER Software

Enter a session to the ASA SFR Module

ciscoasa# session sfr

Complete the system configuration as prompted, which occurs in this order:

  1. Read and accept the End User License Agreement (EULA).
  2. Change the admin password.
  3. Configure the management address and DNS settings, as prompted.

Configure the FireSIGHT Management Center

Step 1: Add a FireSIGHT Management Center to Your Managed Device

Add the manager (the FMC IP address) and your device hostname, followed by a registration key. Remember this key, because it needs to match your FMC configuration.

> configure manager add hostname IPv4_address reg_key

Step 2: Add a Device to the FireSIGHT Management Center

1. Log into the web user interface of the Management Center. Click the Devices tab at the top of the page.

2. Click Add, which is located at the top right. A drop-down list appears. Click Add Device. A window pops up in the middle of the screen requesting the device information.

3. In the Host field, enter the IP address of the device.

4. In the Registration Key field, enter the one-time registration key that you specified earlier.

6. Click Register. You should now be able to manage your device from the FireSIGHT Management Center.

Remember to check your Access Control Policy and Licensing, and to deploy to the device.

Conclusion

Reimaging the ASA FirePOWER module is a straightforward process if you follow the steps carefully. This guide should help you navigate through the reimaging process seamlessly, ensuring your Cisco ASA with FirePOWER services is up-to-date and secure.
