Firepower Threat Defense is the latest product in Cisco's security appliance product line. In this post I will walk you through the steps you need to migrate an existing Cisco ASA with FirePOWER services to the new Firepower Threat Defense image!
Let's begin (here we go)!!!
One of the things that I appreciate is that Cisco keeps developing its security portfolio in an attempt to keep up with today's modern threats. In most cases you have two different code bases running on one physical box (which is not a good idea in my opinion). That is no longer the case. Cisco announced an enhanced Next-Generation Platform and a single image that contains all the features. With the new Firepower Threat Defense (FTD) image, the ASA is a single-image firewall with Firepower services built right into it. Before you initiate an upgrade of your ASA to the new FTD image, you need to make sure you have a supported platform. Currently the following platforms are supported:
In this example, we will be upgrading an ASA 5506-X to FTD. On the ASA 5506-X the SSD is standard, and in fact it's standard on the 5508-X and 5516-X as well. On the 5512-X and 5555-X you need to make sure you have an SSD. It might sound odd, but units without one do exist. If you ordered one of those great platforms with FirePOWER, it's already there, but if you didn't, you may not have it.
Obtaining Firepower Threat Defense (FTD) software
To get the software you need a support agreement with Cisco. You're going to need the following software:
The actual Firepower Threat Defense boot image. This has a .cdisk extension unless you're using the ASA 5506-X.
In that case the extension will be .lfbff
FTD system package (.pkg extension)
The boot image is loaded using TFTP and the system image is loaded via FTP or HTTP. Once you have the software you can continue.
Types of images:
There are two types of images you need, and there are patch files you may want to apply as well. Each of these has a different file extension. The boot images end in the extension .lfbff or .cdisk depending on the platform, as mentioned previously. For all platforms, the system image ends in .pkg and patch files end in .sh.
(Helpful link: Cisco's install and upgrade guides)
Upgrade ROMMON if it is necessary
Upload and install the FTD OS from the TFTP server
After a reboot assign temporary network settings
Upload and install the FTD system package
Configure the device for management from the FMC (Firepower Management Center)
Upgrade the ROMMON image
First of all, upgrade ROMMON! Let's take a look at the current image that's installed. To do this, we issue the command show module.
It's running version 1.1.10 in my case. If we needed to upgrade, we would follow this process:
Get a copy of the ROMMON image from Cisco.com
Copy the image to the ASA using TFTP:
Upgrade the ROMMON image:
Confirm the upgrade after the reload using the show module command. (Better safe than sorry!)
Migrate from ASA to FTD
A backup is mandatory, always! So do not forget to take a backup before doing anything else.
Second step is to reimage the ASA to the FTD image.
Save the backup on your local HDD or SSD, protected with a PASSWORD (secure it).
Then, copy the activation key:
Reload your baby and enter ROMMON mode immediately! Access granted for authorized personnel only, and only through the serial console (SSH won't work).
Once you are in ROMMON mode you have to set up some temporary management network settings. These allow you to pull the boot image off the TFTP server.
Our next mission is to download the boot image. This is as easy as pie!
At this point you should type setup and go through the basic IP settings.
Next, use the system install command to install the FTD system image. This is the .pkg file. (Be patient, because it is going to take around 40 minutes.)
The default login here will be
username: admin
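The ROMMON upgrade and the reimage steps described above, written out as one console session. This is an added example and not a transcript from the original post: the 10.0.0.x addresses, the TFTP/HTTP server and the file names are placeholders to replace with your own, and the ROMMON variable syntax shown is the ASA 5506-X/5508-X/5516-X form (the 5512-X and 5555-X use the address/server/gateway/file commands instead).

```console
! --- On the ASA, via the serial console (placeholder addresses and file names) ---
! Step 1: check the current ROMMON version
ciscoasa# show module
! Step 2: fetch the ROMMON firmware and check its MD5 against the value on cisco.com
ciscoasa# copy tftp://10.0.0.1/asa5500-firmware-<VER>.SPA disk0:/asa5500-firmware-<VER>.SPA
ciscoasa# verify /md5 disk0:/asa5500-firmware-<VER>.SPA
ciscoasa# upgrade rommon disk0:/asa5500-firmware-<VER>.SPA
! The ASA reloads. Afterwards, confirm the new version with "show module".
! Step 3: back up the configuration and the activation key
! (TFTP is unauthenticated and unencrypted: use it only on an isolated management LAN,
!  and encrypt the saved copy on your workstation)
ciscoasa# copy running-config tftp://10.0.0.1/asa-backup.cfg
ciscoasa# show activation-key
! Step 4: reload and press Esc during boot to enter ROMMON
ciscoasa# reload
! --- In ROMMON: temporary network settings, then pull the boot image over TFTP ---
rommon 1 > ADDRESS=10.0.0.5
rommon 2 > SERVER=10.0.0.1
rommon 3 > GATEWAY=10.0.0.254
rommon 4 > IMAGE=ftd-boot-<VER>.lfbff
rommon 5 > set
rommon 6 > sync
rommon 7 > tftpdnld
! --- In the FTD boot CLI: basic IP settings, then install the system package ---
firepower-boot> setup
firepower-boot> system install noconfirm http://10.0.0.1/cisco-ftd-<VER>.pkg
```

After the package install finishes the device reboots into FTD and you log in with the default admin account described above.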
Some features are gone in the new image, but this is definitely the future of Cisco's security appliances, so I'd highly recommend you get familiar with this awesome product as soon as possible.
We're not going to get into the nitty gritty of the configuration in this post.
However, you now have a sexy new FTD image running on your ASA. One new caveat (in my humble opinion) to confront in this case is that management is now different. In the old days you could use the CLI or ASDM to manage your ASA. With the FTD image you can use either Firepower Device Manager or FMC to manage your device.
The Firepower Device Manager is an on-box, web-based manager, similar to how we used to use ASDM to manage a device. If you have a low- or mid-range ASA platform running FTD, you'll probably run the Firepower Device Manager.