Migrating from CX to SourceFIRE
Two files are needed: the SourceFIRE Boot Image and the SourceFIRE Software package.
For example:
asasfr-5500x-boot-5.3.1-152.img
asasfr-sys-5.3.1-152.pkg
1. Perform a “show inventory” to ensure the SSD is present.
2. A “show int ip br” should verify that the Management0/0 interface is up.
3. Upload the “.img” file to flash on the ASA. Using the ASDM GUI is quick and efficient.
4. A “show disk0: | in sfr” will show you the new CX image on disk0:
*** Note: Ensure the CX (cxsc) or IPS (ips) module is shut down using the sw-module module cxsc shutdown command and uninstalled using the sw-module module cxsc uninstall command. ***
Recovery of SFR Module (Prep for Upgrade)
1. From the Firewall prompt (SSH or Console Access), place the SFR module in recovery mode.
2. Configure Recovery on the SFR module with the following command:
ASA1#sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
3. Now, to ensure the SFR module boots with the new image, use the following command:
ASA1#sw-module module sfr recover boot
*** A warning will be shown as follows ***
“Module sfr will be recovered. This may erase all configuration and all data on that device and attempt to download/install a new image for it. This may take several minutes.”
4. Performing a “show module” command will show you the status of the sfr module; the status will move from “Shutting Down” to “Recover”.
5. Once in “Recover” mode (approximately 5 minutes), you can Console or SSH into the SFR module using the following command:
ASA1#session sfr console
1. Login to the SFR Module with the following default credentials:
Username: admin
Password: Admin123
2. The prompt will show as “asasfr-boot>”, which confirms that the SFR module is in recovery mode.
Perform Setup of SFR Module
asasfr-boot>setup
Welcome to SFR Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asasfr]: ASA-SFR
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 10.10.1.201
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 10.10.1.254
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 10.10.1.240
Do you want to configure Secondary DNS Server? (y/n) [n]: y
Enter the secondary DNS server IP address: 4.2.2.2
Do you want to configure Local Domain Name? (y/n) [n]: y
Enter the local domain name: routemypacket.com
Do you want to configure Search domains? (y/n) [n]: y
Enter the comma separated list for search domains: routemypacket.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 10.10.1.240
Do you want to enable the NTP symmetric key authentication? [N]: N
6. Now review the configuration, then apply the changes:
Please review the final configuration:
Hostname: RMP-ASA-SFR
Management Interface Configuration
IPv4 Configuration: static
IP Address: 10.10.1.201
Netmask: 255.255.255.0
Gateway: 10.10.1.254
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
Domain: routemypacket.com
Search: routemypacket.com
DNS Server: 10.10.1.240
4.2.2.2
NTP configuration: 10.10.1.240
CAUTION: You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely to change,
if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...
7. Now perform a quick connectivity check: ping a network resource and make sure it responds.
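A check that can be run on the review block before answering Y to "Apply the changes?", added here as an example and not part of the original post. It parses the summary the setup wizard prints and reports a gateway that is not a usable next hop for the management address, DNS or NTP servers outside private address space, and the IPv6 stateless setting the wizard itself cautions about. The function names are hypothetical and the sample text is constructed from the output shown above.

```python
import ipaddress

# Constructed sample: the review block from the setup wizard output above.
REVIEW = """\
Management Interface Configuration
IPv4 Configuration: static
IP Address: 10.10.1.201
Netmask: 255.255.255.0
Gateway: 10.10.1.254
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server: 10.10.1.240
4.2.2.2
NTP configuration: 10.10.1.240
"""

def _ip(text):
    # Address object, or None for hostnames and any other text.
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def parse_review(text):
    """Map each 'Key: value' line to a list; a bare IP continues the last key."""
    cfg, last = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip()
            cfg.setdefault(last, []).extend(v.strip() for v in value.split(",") if v.strip())
        elif last and _ip(line) is not None:
            cfg[last].append(line)
    return cfg

def check_review(cfg):
    """Return findings about the management settings; an empty list means none."""
    findings = []
    iface = ipaddress.ip_interface(f"{cfg['IP Address'][0]}/{cfg['Netmask'][0]}")
    gateway = _ip(cfg["Gateway"][0])
    if gateway is None or gateway not in iface.network or gateway == iface.ip:
        findings.append(f"gateway {cfg['Gateway'][0]} is not a usable next hop in {iface.network}")
    for key in ("DNS Server", "NTP configuration"):
        for server in cfg.get(key, []):
            addr = _ip(server)
            if addr is not None and not addr.is_private:
                findings.append(f"{key} {server} is outside private address space")
    if any("stateless" in v.lower() for v in cfg.get("IPv6 Configuration", [])):
        findings.append("IPv6 uses stateless autoconfiguration")
    return findings
```
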
SourceFIRE Software Install
1. The install is done over HTTP, HTTPS or FTP. FTP will be the choice for this walkthrough.
2. With FileZilla Server running on your machine, make sure the directory housing the SFR software .pkg file is shared and accessible by the FTP user.
3. Click on Edit->Users within FileZilla Server and add a new user as shown below:
User: cisco
Password: cisco
4. Click on “Shared Folders” and add the previously shared folder that houses the SFR pkg file.
5. Now, from the asasfr prompt, provide the following command to pull the software from FTP to the SFR module.
Command is: system install ftp://username:password@ftpserverip/imagefilename
asasfr-boot>system install ftp://cisco:cisco@10.10.1.11/asasfr-sys-5.3.1-152.pkg
6. The upload process will begin and look as follows:
Verifying sytem install ftp://cisco:cisco@10.10.1.11/ asasfr-sys-5.3.1-152.pkg
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 5.3.1-152 System Upgrade
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process ...
Populating new system image
Copying over new application components
Cleaning up old application components
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
Broadcast message from root (ttyS1) (Sat Sep 20 01:48:30 2014):
The system is going down for reboot NOW!
Console session with module sfr terminated.
7. Perform a “show module” from the ASA prompt to check the status of the SFR module. It should change from “Recover” to “Ok”.
8. Once the status is “Ok”, login to the SFR module again with the “session sfr console” command:
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire3D login: admin
Password: Sourcefire
***Note: You must also go through the setup process again, same process as before under the Perform Setup of SFR Module section***
You will now see the following bulletin:
This sensor must be managed by a Defense Center. A unique alphanumeric registration key is always required. In most cases, to register a sensor to a Defense Center, you must provide the hostname or IP address along with a registration key.
'configure manager add [hostname | ip address] [registration key ]'
However, if the sensor and the Defense Center are separated by a NAT device, you must enter a unique NAT ID, along with the unique registration key.
'configure manager add DONTRESOLVE [registration key | [ NAT ID ]'
Later using the web interface on the Defense Center, you must use the same registration key and, if necessary, use same NAT ID when you add this sensor to the Defense Center.
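The "system install" step above carries the FTP login inside the URL, and session captures like the ones in this walkthrough end up in tickets and change records. The following is an added example, not part of the original post: it reports what an install URL exposes and redacts credentials from a captured transcript. The function names are hypothetical and the sample transcript is constructed from lines shown above.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: lines in the shape of the console sessions shown above.
TRANSCRIPT = """\
asasfr-boot>system install ftp://cisco:cisco@10.10.1.11/asasfr-sys-5.3.1-152.pkg
Sourcefire3D login: admin
Password: Sourcefire
Downloading
"""

URL_RE = re.compile(r"\b(?:ftp|https?)://\S+")
PASSWORD_RE = re.compile(r"^(\s*Password:\s*)\S.*$")

def audit_install_url(url):
    """Return (findings, url_safe_to_log) for a 'system install' URL."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme in ("ftp", "http"):
        findings.append(f"{parts.scheme} transfers the image and login in cleartext")
    if parts.password is None:
        return findings, url
    findings.append("password embedded in URL")
    if parts.password == parts.username:
        findings.append("password equals username")
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    # Keep the username for traceability, mask only the secret.
    masked = parts._replace(netloc=f"{parts.username}:***@{host}")
    return findings, urlunsplit(masked)

def scrub_transcript(text):
    """Mask 'Password:' lines and URL credentials in a captured session."""
    cleaned = []
    for line in text.splitlines():
        line = PASSWORD_RE.sub(r"\1***", line)
        line = URL_RE.sub(lambda m: audit_install_url(m.group(0))[1], line)
        cleaned.append(line)
    return "\n".join(cleaned)
```
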
That completes the process of migrating from CX to SourceFIRE. In my next blog we will move on to the installation of the FireSIGHT Virtual Appliance and system configuration(s).
Stay tuned.....