Upgrading ASA with FirePOWER Services To 6.0.1- Unified Image
This blog post will cover how to upgrade a virtualized FirePOWER manager from 6.0.0.0 to 6.0.1, an ASA5512X running 6.0.0.0 (centrally managed) to 6.0.1, and a 5506X that is not centrally managed from 6.0.0.0 to 6.0.1. I will also show how to install both the unified and non-unified versions of 6.0.1. Let me explain what that means.
The new 6.0.1 software brings a lot of great features, listed HERE in the release notes. There are two flavors of the 6.0.1 code. One version keeps the ASA and FirePOWER code separate, as it has been in the past. The other unifies the two, meaning a single management plane and no ASDM. The reason there are two versions of 6.0.1 is that Cisco is slowly migrating features from the ASA image into the unified FirePOWER image. Here is the list of features that made it into the 6.0.1 unified image from the ASA image.
- IPv4 and IPv6 Connection state tracking and TCP normalization
- Access Control
- NAT (Full support)
- Unicast Routing (except EIGRP)
- ALGs (only default configuration)
- Intra chassis Clustering on Firepower 9300
- Stateful Failover (HA)
This means features such as EIGRP, multicast, site-to-site VPN, and device clustering are not available in the 6.0.1 unified image, although they are slated for a future unified image. See the release notes for a full list of what is and is not available before deciding which version of 6.0.1 is best for your organization. If you need features that are not available in the unified image, stay on the separate image until a future unified release. Note that the new 6.0.1 features are available in both versions of the release; again, see the release notes for details. Let's get to the configuration.
Note: I found out that the unified image is only supported with Smart Licensing. If you are using classic licensing in your FirePOWER manager, you must switch over to Smart Licensing before you can support the unified image. This does not apply to the 6.0.1 separate image.
Upgrading FirePOWER Manager from 6.0.0 to 6.0.1
The first step is upgrading the FirePOWER manager to 6.0.0.1. I found my manager was at 6.0.0.0 when logging in and clicking Updates. To download 6.0.0.1, simply click DOWNLOAD under the Updates section to fetch the latest patches. After a few minutes, the 6.0.0.1 patch appeared, noting that it will require a reboot. Click the package icon to start the upgrade. You should see something like this during the upgrade process.

It took me about 30 minutes to complete the upgrade. Once it reached 9%, I was logged out of the manager and couldn't log back in until the system upgrade was complete. It's odd because it looks like it's running yet you can't log in, so just be patient.
Once you can log in, you will see a task notification letting you know that you are now at 6.0.0.1.

Now you are ready to upgrade to 6.0.1, i.e. the latest FirePOWER software as of March 2016. You can download it from cisco.com as a file called Sourcefire_3D_Defense_Center_S3_Upgrade-6.0.1-1213.sh. Once you have it, go back to your FirePOWER manager, click Updates and select UPLOAD. Upload the .sh file, which will take a few minutes. You should see a success page and be able to apply the package once the upload finishes.
NOTE: Minor releases such as 6.0.0.0 to 6.0.0.1 are available via the DOWNLOAD button in the Updates section of the FirePOWER manager. Major updates such as 6.0.0.1 to 6.0.1 will not appear via the DOWNLOAD button; you must download those from Cisco.com and use the UPLOAD button in the FirePOWER manager as explained above.

Click the package to start the upgrade. You need to select your manager and continue as shown.

The installation will take around 1.5 hours to complete. You will see the installation start under the task window.

About 15 minutes into the upgrade process, it logged me out of the manager. I logged back in and found the following timer showing the progress.

Once completed, you will be able to log into your FirePOWER manager and be alerted things are complete.

Now lets move to the ASA5512X.
Upgrading a ASA5512X running FirePOWER 6.0.0 to 6.0.1
The first step is to make sure your ASA is managed by the FirePOWER manager. In my case, the ASA is running 6.0.0.0

Just like with the FirePOWER manager, you need to upgrade to 6.0.0.1 before going to 6.0.1. You can download and apply the 6.0.0.1 update exactly as with the manager: go to System -> Updates, click Download, and apply 6.0.0.1 to the sensor. This is a minor update, so there is no need to leave the GUI for this process.

The upgrade takes around 40 minutes to complete. You can monitor this under the task menu.

Now you need to choose which FirePOWER image you want to move forward with (see the opening of this post for details). In this case, I'm going with the separate FirePOWER and ASA image for my 5512X; I'll go with the unified image for my 5506X later in this post. The 5512X upgrade file is Cisco_Network_Sensor_Patch-6.0.1-29.sh. Once downloaded, go under System -> Updates and upload that file to the FirePOWER manager.
NOTE: The separate image upgrade process is simpler than the unified one. Below shows both the unified and separate ASA/FirePOWER 6.0.1 images uploaded. I found out I didn't need to upload the unified image, since installing it takes considerably more work, as shown later in this post.

Next apply the new 6.0.1 update to your ASA running firepower.

The upgrade took around 40 minutes. You can track the upgrade under the task management.

Once upgraded, check that the device shows as managed at 6.0.1 under Devices -> Device Management. In my case, things look good. It took a few minutes after the 5512X rebooted for it to show up in the manager. Pretty easy upgrade.

Now I'm going to move to the 5506X, first with the separate image and next with the unified image.
Upgrading a 5506X to the separate ASDM / FirePOWER 6.0.1 image
Next up is upgrading my 5506X to the separate ASA/FirePOWER 6.0.1 image. Its current state, pre-upgrade, is ASDM-managed without any centralized management. My goal is to add it to the FirePOWER centralized manager and upgrade it to 6.0.1.
The first step for my situation is to get my 5506X, which is not centrally managed, added to my FirePOWER management system. As shown in my screenshot of ASDM, my 5506 is running 6.0.0.1-26.

To add my 5506 to the centralized manager, I logged into the console port, typed session sfr console and logged into the Sourcefire module. Next I registered my manager using configure manager add (IP ADDRESS of Manager) (registration key). The next screenshot shows my lab using 10.0.2.105 and the registration key cisco.

Next I logged into the FirePOWER manager, clicked
device -> device management then clicked add device. I filled out the form and added my 5506 as shown.

In this first example, I'm going with the separate ASDM and FirePOWER image, which is Cisco_Network_Sensor_Patch-6.0.1-29.sh. Following the exact same steps as for the 5512X got my system to 6.0.1, as shown.
Upgrading a 5506X to the Unified FirePOWER 6.0.1 image
That was fun, however I want to test the unified version of 6.0.1. This requires a lot more work. The first step is verifying what version of ROMMON I'm running. The notes found HERE state I need at least ROMMON version 1.1.8. I consoled into my ASA5506 and found I was running 1.1.1, meaning I need to upgrade my ROMMON. Boooo

I found the 1.1.8 ROMMON image here under the software download section of the 5506X webpage, giving me the file asa5500-firmware-1108.SPA. The documentation says to use a TFTP server; however, I like easy, so I went into ASDM, clicked File Manager under Tools and used the GUI to move the .SPA file to my ASA5506X disk0:/ as shown.

Next, in the ASA5506X CLI, I typed the following command to start the ROMMON upgrade process.

The process verifies a hash and asks to proceed with a reboot. After the reboot, the ROMMON is upgraded and the system goes through its boot cycle. The entire process takes 5-10 minutes. I then ran a show module command to confirm I have ROMMON 1.1.8 running.

The next step involves actually using a TFTP server, since it's the image the system will boot directly from. Download that image from cisco.com as well as the .pkg file that will be installed after you boot the boot image. The boot image file is ftd-boot-9.6.1.0.lfbff and the .pkg file is ftd-6.0.1-1213.pkg.
I used SolarWinds' free TFTP server. First reboot the ASA5506 and, during the boot-up process, press the ESC key to stop the boot and drop into ROMMON mode. Next set ADDRESS, NETMASK, GATEWAY, SERVER and IMAGE by typing the variable name followed by an equals sign and the value. For example, the remote TFTP server would be set with SERVER=10.0.2.62 in my example. Once you have set everything, type tftpdnld to download the image.

The ASA will automatically boot to that image. This will put you in the FirePOWER boot image, very similar to what you see when you session sfr console with separate images. This process took around 5-10 minutes.

Next use the setup command to set up basic networking. Now you need to post the .pkg file to an HTTP or HTTPS location so it can be installed. I used Dropbox for this, posting it under a public folder. So for me, the command to install the .pkg file was system install https://DROPBOXPUBLICLOCATION.pkg. It will download and extract the image. Then you will be asked to continue and later asked to press ENTER to reboot once the image installs. You are also warned that disk0 will be erased during the process. The entire install took me around 20-30 minutes.
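A public Dropbox folder works, but a practitioner will want to confirm the package is the one Cisco published before the box wipes disk0 and installs it, and will usually prefer to serve it from the same lab host that already runs the TFTP server. The script below is an added example, not code from the original post or from Cisco: it checks the SHA-512 of the .pkg against the checksum you copy from the Cisco download page, prints the matching system install line, and serves the directory over plain HTTP. The port (8080), the lab host address (10.0.2.62, reused from the post's TFTP server) and the expected checksum value are assumptions for illustration.

```python
# Added example, not part of the original post or any Cisco tooling: verify the
# FTD package checksum before installing it, then serve it over plain HTTP from
# a lab host instead of a public Dropbox folder. The port, the lab host address
# and the expected checksum are assumptions for illustration.
import functools
import hashlib
import http.server
import sys

PKG_NAME = "ftd-6.0.1-1213.pkg"   # package file name from the post
LAB_PORT = 8080                   # assumed port for the lab HTTP server


def sha512_of(path):
    """Hex SHA-512 of a file, read in 1 MiB chunks (the .pkg is large)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_sha512):
    """True only if the file matches the checksum copied from cisco.com."""
    return sha512_of(path) == expected_sha512.strip().lower()


def install_command(host, port=LAB_PORT, pkg_name=PKG_NAME):
    """The `system install` line to type in the FTD boot image, pointing at this server."""
    return f"system install http://{host}:{port}/{pkg_name}"


def serve(directory, port=LAB_PORT):
    """Serve `directory` read-only over HTTP until interrupted."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=directory)
    with http.server.ThreadingHTTPServer(("0.0.0.0", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    # usage: python serve_pkg.py <directory holding the .pkg> <expected SHA-512>
    pkg_dir, expected = sys.argv[1], sys.argv[2]
    pkg_path = f"{pkg_dir}/{PKG_NAME}"
    if not verify_package(pkg_path, expected):
        sys.exit(f"checksum mismatch for {pkg_path}; do not install it")
    print("checksum OK; on the FTD boot image run:")
    print(install_command("10.0.2.62"))   # assumed lab host, same box as the TFTP server
    serve(pkg_dir)
```

Run it on the lab host with the directory that holds the .pkg and the checksum from the download page; if the hash does not match, it exits before serving anything. Plain HTTP is fine here because integrity comes from the checksum check on the serving side and the transfer stays on the lab segment; the .pkg never has to sit behind a public URL.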

Once the entire process completes, you will see the FirePOWER login. The default login is admin with password Admin123. You will have to accept the EULA upon logging in and provide a new password. Next you provide basic networking information to get it online.
Once again, you need to register the manager using configure manager add FIREPOWER_MANAGER_IP (registration key) to add it back to the centralized manager. The registration key must match the one you enter in the manager when adding the device. Once that is done, go back to the FirePOWER manager and add it under Devices -> Device Management by clicking ADD.
I had been using classic license mode, which isn't supported for the unified management image. I found out when I tried to add my 5506X in the FirePOWER manager and was told I had to switch to Smart Licensing. Switching to Smart Licensing offers a 90-day trial period, so I went with that and then added my 5506X.

It took a few minutes for the 5506 to be discovered. Now I have a 5506X running the unified 6.0.1.

Here is an example of routing in the unified image.

and here is the Interfaces section. Cool, no more ASDM.
