Getting Started with ASA FirePOWER

Started by icecream-guy, July 14, 2017, 08:58:00 AM


icecream-guy

figured it out.

via asdm,
context management
system context
tools
command line interface
multiple line
enter
config t
sw-module module sfr shutdown noconfirm

then
config t
sw-module module sfr uninstall noconfirm






:professorcat:

My Moral Fibers have been cut.

Dieselboy

Quote from: ristau5741 on July 21, 2017, 10:51:15 AM
I mangled my ASA, got the firepower sw module loaded, without the proper cabling in place and lost cli and ssh to my ASA CLI, also lost CLI console. seems the SFR took over. I do have ASDM access to the ASA, I do see the firepower module, but can't manage that from asdm either. trying how to get things back in order so I can continue my firewall testing. can't seem to shut the module down.

Been there :)
You can console into the SFR module from the ASA itself BTW:


session sfr console


Are you using FTD image or ASA image? I have decided to stick with the ASA image as I understand that the FTD image has missing features compared to the ASA image. Eventually we'll need to go FTD but at the moment I don't think it's suitable for most cases. One of the missing features is VPN so you can't VPN to your ASA when using FTD. Although I've not been keeping up with the revisions and roadmap so I am expecting this to change quickly. FTD image was also a higher cost when I had quotes a few weeks ago.

icecream-guy

Quote from: Dieselboy on July 22, 2017, 09:50:33 PM

Are you using FTD image or ASA image? I have decided to stick with the ASA image as I understand that the FTD image has missing features compared to the ASA image. Eventually we'll need to go FTD but at the moment I don't think it's suitable for most cases. One of the missing features is VPN so you can't VPN to your ASA when using FTD. Although I've not been keeping up with the revisions and roadmap so I am expecting this to change quickly. FTD image was also a higher cost when I had quotes a few weeks ago.

Using the ASA image on the 5500-X devices, and working to set up FTD and the ASA images on two 4100 eval appliances so I can compare those. Working on installing FMC right now for working through the licensing. Cisco is coming on site today to assist with getting the 4100's up and running licensed so I can continue my eval testing.


btw Cisco needs a CCLE  Cisco Certified Licensing Expert.   that'd be one hell of a test.



deanwebb

Quote from: ristau5741 on July 24, 2017, 06:52:00 AM
btw Cisco needs a CCLE  Cisco Certified Licensing Expert.   that'd be one hell of a test.

It's Cisco Certified Licensing Information Expert, or CCLIE. :smug:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

If you need CCLIE just to fix licensing these days then I need to find the door  :twitch:  :twisted:  >:D :XD:

icecream-guy

Quote from: Dieselboy on July 24, 2017, 10:54:20 PM
If you need CCLIE just to fix licensing these days then I need to find the door  :twitch:  :twisted:  >:D :XD:

It's not about getting the license, just need to go to the Cisco Licensing portal, whether you need to use the classic licensing scheme or the new smart software licensing.
The real trick is to know exactly what one needs to license and how many licenses are needed.
This in particular is related to provided Cisco solutions, such as unified communications, Wireless, Mobility, NAC, ISE, etc.




DanC

Stick it on Eval licensing for 90 days, have a play and then activate your PAK's.

There's also the FTDv which is worth running in the lab to play about with. FirePower in general is quite a learning curve I've found, it's an awesome bit of kit when you understand everything it's doing under the hood, but it's still a bit clunky with ASA+FP Services.

I'd recommend Micronics Zero 2 Hero Sec training if you can get work to pay and have the time. They cover a lot of FP on that.

Also, Todd Lammle has started doing a specific FP course online and in person too, I've not attended that but heard good things on LinkedIn etc.

Are you licensed for AMPs and IPS?







Dieselboy

I have my out of the box 5506 running SFR 6.0.2 - and it's not working properly (doing weird things). I am updating to 6.0.2.52 because this happened before and was fixed after I updated. FYI - update the software on the sensor to get everything working :) Thought I'd mention that.