ASA SFR Information
The Cisco ASA FirePOWER module, also known as the ASA SFR, provides next-generation Firewall services, such as:
- Next Generation Intrusion Prevention System (NGIPS)
- Application Visibility and Control (AVC)
- URL filtering
- Advanced Malware Protection (AMP)
Note: You can use the ASA SFR module in Single or Multiple context mode, and in Routed or Transparent mode.
Before You start SFR Configuration
- If you have an active service policy that redirects traffic to an Intrusion Prevention System remove it before you configure the ASA SFR service policy.
- You must shut down any other software modules that currently run. A device can run a single software module at a time.
Below commands are used to shut down and uninstall the IPS software module, and then reload the ASA:
INBASA# sw-module module ips shutdown
INBASA# sw-module module ips uninstall
Below commands are used to remove the CX module :
INBASA# sw-module module cxsc shutdown
INBASA# sw-module module cxsc uninstall
3.When you reimage a module, use below commands to shutdown and uninstall .
INBASA# sw-module module sfr shutdown
INBASA# sw-module module sfr uninstall
- Download the ASA SFR system software from Cisco.com to an HTTP, HTTPS, or FTP server that is accessible from the ASA SFR management interface.
- Download the boot image to the device. You can use either the Cisco Adaptive Security Device Manager (ASDM) or the ASA CLI in order to download the boot image to the device.
Follow below steps to download the boot image via the ASDM:
- Download the boot image to your workstation, or place it on an FTP, TFTP, HTTP, HTTPS, Server Message Block (SMB), or Secure Copy (SCP) server.
- Choose Tools > File Management in the ASDM.
- Choose the appropriate File Transfer command, either Between Local PC and Flash or Between Remote Server and Flash.
- Transfer the boot software to the flash drive (disk0) on the ASA.
Follow below steps to download the boot image via the ASA CLI:
- Download the boot image on an FTP, TFTP, HTTP, or HTTPS server.
- Enter the copy command into the CLI in order to download the boot image to the flash drive.
Below is example that uses HTTP protocol (replace the <Server> with your server IP address or host name):
INBASA# copy http ://<Server>/asasfr-550x-boot-5.3.1-152.img
(no space between http and : )
- Enter this command in order to configure the ASA SFR boot image location in the ASA flash drive:
INBASA# sw-module module sfr recover configure image disk0:/file_path
Below is example:
INBASA# sw-module module sfr recover configure image disk0:
- To load the ASA SFR boot image enter below command:
INBASA# sw-module module sfr recover boot
- Wait approximately 5 to 15 minutes for the ASA SFR module to boot up, and then open a console session to the operational ASA SFR boot image.
Set Up the ASA SFR Boot Image:
- Press Enter after you open a session in order to reach the login prompt.
- The default username is admin, and the default password is Admin123.
Below is output from ASA:
INBASA# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Cisco ASA SFR Boot Image 5.3.1
asasfr login: admin
- Enter the setup command to configure the system :
Welcome to SFR Setup
[hit Ctrl-C to abort]
Default values are inside 
Put below details:
- Host name
- Network address
- DNS information
- NTP information
Follow with below command:
asasfr-boot >system install [noconfirm] url
Include the noconfirm option if you do not want to respond to confirmation messages. Replace the url keyword with the location of the .pkg file. Here is an example:
asasfr-boot >system install http ://<HTTP_SERVER>/asasfr-sys-5.3.1-152.pkg
(no space between http and : )
Description: Cisco ASA-FirePOWER 5.3.1-152 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system. Doing so
might leave system in unusable state.
Starting upgrade process …
Populating new system image
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.
Broadcast message from root (ttyS1):
The system is going down for reboot NOW!
Console session with module sfr terminated.
Note: When the installation is complete, the system reboots. Allow ten or more minutes for the application component installation and for the ASA SFR services to start. The output of the show module sfr command should indicate that all processes are Up.