Configuration of the FirePOWER Software

1. Open a session to the ASA SFR module.

INBASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:

1. Log in with the username admin and the password Admin123.
2. Complete the system configuration as prompted, which occurs in this order:
   • Read and accept the End User License Agreement (EULA).
   • Change the admin password.
   • Configure the management address and DNS settings, as prompted.

Example -ASA:

• System initialization in progress. Please stand by. You must change the password
•  for ‘admin’ to continue. Enter new password: <new password>
• Confirm new password: <repeat password>
• You must configure the network to continue.
• You must configure at least one of IPv4 or IPv6.
• Do you want to configure IPv4? (y/n) [y]: y
• Do you want to configure IPv6? (y/n) [n]:
• Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
• Enter an IPv4 address for the management interface [192.168.45.45]:198.51.100.3
• Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
• Enter the IPv4 default gateway for the management interface []: 198.51.100.1
• Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com
• Enter a comma-separated list of DNS servers or ‘none’ []:
   198.51.100.15, 198.51.100.14
• Enter a comma-separated list of search domains or ‘none’ [example.net]: example.com
• If your networking information has changed, you will need to reconnect.
• For HTTP Proxy configuration, run ‘configure network http-proxy’
• Wait for the system to reconfigure itself.

 

Redirect Traffic to the SFR Module

In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA SFR module:

1. Select the traffic that should be identified with the access-list command. In this example, all of the traffic from all of the interfaces is redirected. You can do this for specific traffic as well.

INBASA(config)# access-list sfr_redirect extended permit ip any any

2.Create a class-map in order to match the traffic on an access list:

INBASA(config)# class-map sfr
INBASA(config-cmap)# match access-list sfr_redirect

• Configure the deployment mode. passive (monitor-only) or inline (normal) .

Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.

• In an inline deployment,
  
  • INBASA(config)# policy-map global_policy
    INBASA(config-pmap)# class sfr
    INBASA(config-pmap-c)# sfr fail-open

• In a passive deployment,

INBASA(config-pmap-c)# sfr fail-open monitor-only

3. Specify a location and apply the policy. You can apply a policy globally or on an interface.

INBASA(config)# service-policy global_policy global

The global keyword applies the policy map to all of the interfaces and the interface keyword applies the policy to one interface.