• The ASA Firepower module supplies next-generation firewall
services, including Next-Generation Intrusion Prevention System
(NGIPS), Application Visibility and Control (AVC), URL filtering, and
Advanced Malware Protection (AMP). You can use the module in
single or multiple context mode, and in routed or transparent mode.
• The module is also known as ASA SFR.
• Although the module has a basic command line interface (CLI) for
initial configuration and troubleshooting, you configure the security
policy on the device using a separate application, Firesight
Management Center, which can be hosted on a separate Firesight
Management Center appliance or as a virtual appliance running on a
VMware server. (Firesight Management Center is also known as
• For ASA Firepower running on ASA 5506-X devices, you can
optionally configure the device using ASDM rather than Firesight
• In inline mode, traffic goes through the firewall checks before being
forwarded to the ASA Firepower module. When you identify traffic for
ASA Firepower inspection on the ASA, traffic flows through the ASA and
the module as follows:
• 1. Traffic enters the ASA.
• 2. Incoming VPN traffic is decrypted.
• 3. Firewall policies are applied.
• 4. Traffic is sent to the ASA Firepower module.
• 5. The ASA Firepower module applies its security policy to the traffic,
and takes appropriate actions.
• 6. Valid traffic is sent back to the ASA; the ASA Firepower module might
block some traffic according to its security policy, and that traffic is not
• 7. Outgoing VPN traffic is encrypted.
• 8. Traffic exits the ASA.
• This mode sends a duplicate stream of traffic to the ASA
Firepower module for monitoring purposes only. The
module applies the security policy to the traffic and lets
you know what it would have done if it were operating in
inline mode; for example, traffic might be marked “would
have dropped” in events. You can use this information for
traffic analysis and to help you decide if inline mode is
• To use the ASA Firepower module as a pure Intrusion Detection System
(IDS), with no impact on the traffic at all, you can configure a traffic
forwarding interface. A traffic forwarding interface sends all received
traffic directly to the ASA Firepower module without any ASA processing.
• The module applies the security policy to the traffic and lets
you know what it would have done if it were operating in inline
mode; for example, traffic might be marked “would have
dropped” in events. You can use this information for traffic
analysis and to help you decide if inline mode is desirable.
• Traffic in this setup is never forwarded: neither the module nor
the ASA sends the traffic on to its ultimate destination. You
must operate the ASA in single context and transparent modes
to use this configuration.
• 1. Enter the CLI of the ASA.
• If any other module is installed, first uninstall it as shown below:
• hostname# sw-module module ips shutdown
• hostname# sw-module module ips uninstall
• hostname# reload
• Then install the SFR boot image using the command below (generic form first,
then the specific image used here):
• hostname# sw-module module sfr recover configure image disk0:file_path
• hostname# sw-module module sfr recover configure image disk0:asasfr-5500x-boot-5.3.1-58.img
• (If the image is not already on the ASA, download it from the Cisco site and
upload it to disk0 on the ASA.)
• 2. Load the image using:
• hostname# sw-module module sfr recover boot
• Once that is done, session to the image to get the Sourcefire command line
(log in with user admin and password Admin123):
• hostname# session sfr console
• Type setup and configure the basic settings, then install the Sourcefire
system package using:
• system install tftp://IP-addr/asasfr-sys-5.3.1-44.pkg
• (Download the package beforehand and have it ready on a TFTP, FTP or HTTP
server.)
• 3. Once done, session to the Sourcefire module from the ASA console using
session sfr in the ASA command line. Log in with the user admin
and password Sourcefire. Complete the system configuration.
• Specify the Firesight management IP address (installation process
below) using the following command. Note that you need the IP address
and the key. You will need this later when you add this to the
• configure manager add <ip address> <KEY>
• At this point, all future steps are done within the Firesight
• 4. Now you need to build the Firesight management. You will need to
download Virtual Firesight / Defense Center for VMware, which will
be a .tar.gz file. Unzip the .gz and then untar it. You
should end up with a .vmdk file. Deploy the .OVF file in ESXi and set
the basic network configuration.
• Once the OVA is deployed, open the console, log in with user admin
and password Sourcefire, and run the command below to set the IP address
and the gateway; then access the appliance from the browser.
• sudo /usr/local/sf/bin/configure-network
• 5. The ASA with Sourcefire has 4 license offerings to be
installed under System->Licenses.
• Go to System->Licenses->Add New License.
• Take the license key from there, enter it on the Cisco
license portal together with your PAK to generate the license,
and then apply it.
• 6. At this point, you should be able to add the Firepower
services from the ASA. In the management GUI go to
Devices->Device Management, click the Add button
and select Add Device. You will be asked to give the IP
address of the Sourcefire module inside the ASA and the key
you made up, in the Registration Key field. You can
check which licenses you want to apply, assuming you
loaded some prior to this, and click Add.
• 7. There are other steps to setting up FireSIGHT such as
building access control policies, enabling network
discovery to see what’s on the network and so on
(discovery found under Policies-> Network Discovery
then adding a rule to specify the entire network). Before
doing that, you should go back to your ASA and configure
traffic to redirect through the firepower component of the
• NOTE: Without redirecting traffic through Sourcefire,
the ASA will just act as a firewall meaning traffic will
not be seen by the Sourcefire software inside.
• 8. Access ASDM and select Configuration > Firewall >
Service Policy Rules. Next select Add > Add Service Policy
Rule. Click Next. The Add Service Policy Rule Wizard –
Traffic Classification Criteria dialog box appears. Provide the
basic info and on the next page select the ASA Firepower
Inspection tab. Check the Enable ASA Firepower for this
traffic flow check box. Select whether you want to permit traffic if
Sourcefire fails. Click Finish.
• Alternatively, you can use the commands below from the ASA
CLI to redirect specific traffic, or all traffic, to the DC.
• class-map global-class
• match any
• policy-map global_policy
• class global-class
• sfr fail-open
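As an added example (not from the original notes), here is a fuller version of that redirect configuration showing the settings that matter from a security standpoint: limiting inspection to chosen traffic with an ACL, fail-close versus fail-open, the monitor-only keyword for passive (inline tap) mode, and a traffic-forward interface for the pure-IDS setup described earlier. The ACL name, class name, interface and subnet are assumptions.

```cisco
! Match only the traffic you want inspected (assumed ACL name and subnet)
access-list SFR_REDIRECT extended permit ip 10.1.0.0 255.255.0.0 any
access-list SFR_REDIRECT extended permit ip any 10.1.0.0 255.255.0.0
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Inline, fail-close: if the module is down, matched traffic is dropped.
! This is the conservative choice. The ASDM wizard's "permit traffic if
! Sourcefire fails" check box corresponds to "sfr fail-open" instead,
! which trades inspection for availability while the module is unavailable.
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
!
! global_policy is already applied globally on a default ASA; shown for clarity
service-policy global_policy global
!
! Passive (inline tap) variant: a copy of the traffic goes to the module,
! events show "would have dropped", and the original traffic is unaffected.
! Use this in place of the "sfr fail-close" line above while evaluating.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open monitor-only
!
! Pure IDS via a traffic-forwarding interface: the ASA must be in single
! context, transparent mode, and the interface must have no nameif.
! Nothing received on this interface is forwarded anywhere.
interface GigabitEthernet0/5
 no nameif
 traffic-forward sfr monitor-only
 no shutdown
```

Verify the result with show service-policy sfr, which reports the fail mode and whether the module is up, and with show module sfr for the module state.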
• A. Download link for the SFR user agent: Link
• 1. Download the User Agent setup file (Sourcefire_User_Agent_2.2-
9_Setup.zip) from the Support Site.
• 2. Copy the setup file to the Windows computer where you want to install the
agent and unpack the file. The agent requires 3 MB free on the hard drive for
installation. Cisco recommends you allocate 4 GB on the hard drive for the
agent local database.
• 3. Open the setup executable file (Sourcefire_User_Agent_2.2-
• 4. If you do not have both Microsoft .NET Framework Version 4.0 Client
Profile and SQL CE Version 3.5 installed on the Windows computer where
you install the agent, you are prompted to download the appropriate files.
Download and install the files.
• 5. Follow the prompts in the wizard to install the agent.
• You can install an agent on any Microsoft Windows Vista, Windows 7,
Windows 8, Windows Server 2003, Windows Server 2008, or Windows Server 2012
computer with TCP/IP access to the Microsoft Active Directory servers you
want to monitor. You can also install it on an Active Directory server
running one of the supported operating systems.
• B. After the user agent is installed on your AD server,
perform the steps below so that the user agent can receive the
data and send it to the DC.
• 1. To verify the Active Directory server is logging
• a. On the Active Directory server, select Start > All
Programs > Administrative Tools > Event Viewer.
• b. Select Windows Logs > Security. If logging is
enabled, the Security log displays.
• c. If logging is disabled, see
us/library/cc779487(v=ws.10).aspx for information on
enabling security logging.
• 2. To allow the agent to communicate with the Active
• a) Enable the Remote Administration firewall rule on the Active
Directory server. You have the following options:
• b) If the Active Directory server is running Windows Server
us/library/cc738900%28v=ws.10%29.aspx for more
• c) If the Active Directory server is running Windows Server
2008 or Windows Server 2012, see
us/library/aa822854%28VS.85%29.aspx for more information.
• 3. To grant the agent permission to retrieve login
• a) Enable RPC on the Active Directory server for the
user. You have the following options:
• If the Active Directory server is running Windows Server 2008 R2 or
Windows Server 2012, and the user is not a member of
the Administrators group, grant the user DCOM remote
access, remote launch, and activation permissions. See
for more information.
• b) If the Active Directory server is running any other
supported version of Microsoft Windows, RPC is already
• 4. To grant the agent permission to retrieve logoff data:
• a) Grant the created user Administrator privileges to ensure the user
can log into all workstations that authenticate against the Active
• 5. To grant the agent permission to access the security logs:
• a) Grant the created user full permissions to the WMI Root/CIMV2
namespace on the Active Directory server. See
us/library/cc787533%28v=WS.10%29.aspx for more information.
• 6. Enable the options below.
• a. Windows Settings > Security Settings > Local Policy Configuration
> Audit Policy > Audit Logon/Logoff > Success
• b. Windows Settings > Security Settings > Advanced Audit Policy
Configuration > Audit Policy > Audit Logon/Logoff > Success
• Note: After all the changes, update the group policy.