
How to upgrade an ASA 5506-X to the new Firepower Threat Defense software

Firepower Threat Defense is the latest iteration of Cisco's Security Appliance product line. This article explains the steps required to migrate an existing Cisco ASA with FirePOWER services to the new Firepower Threat Defense image.


One of the things that I appreciate is that Cisco is constantly developing their security portfolio in an attempt to keep up with today's modern threats. I've long been a fan of the Cisco ASA and the new FirePOWER module and FireSIGHT management center which I wrote about here. It has been a bit frustrating, though, that you had two separate software images running on one box. That's not the case anymore. Cisco recently announced an enhanced Next-Generation Platform and a single image to rule them all. With the new Firepower Threat Defense (FTD) image, the ASA is a single-image firewall with Firepower services built right in. In this article I'll take you through the steps required to upgrade an ASA with a FirePOWER module to the new single FTD image.

Before you start an upgrade of your ASA to the new FTD image, you need to make sure you have a supported platform. Currently the following platforms are supported:

  • ASA 5506-X
  • ASA 5506W-X
  • ASA 5506H-X
  • ASA 5508-X
  • ASA 5512-X
  • ASA 5515-X
  • ASA 5516-X
  • ASA 5525-X
  • ASA 5545-X
  • ASA 5555-X

In this example, we will be upgrading an ASA 5506-X to FTD. On the ASA 5506 the SSD is standard, and in fact it's standard on the 5508-X and 5516-X as well. On the 5512-X and 5555-X you need to make sure you have an SSD. It might sound funny, but it's not a stock option. If you ordered one of those platforms with FirePOWER, it's already there, but if you didn't you may not have it.

Obtaining Firepower Threat Defense (FTD) software

To get the software you have to have a support agreement with Cisco. You're going to need the following software:

  • The Firepower Threat Defense boot image. This has a .cdisk extension, unless you're using the ASA 5506-X like me, in which case the extension is .lfbff
  • FTD system package (.pkg extension)
  • TFTP server
  • FTP Server

The boot image is loaded using TFTP and the system image is loaded via FTP or HTTP.

Once you have obtained the software you can proceed.

Types of images

There are two types of images you need, and there are patch files you may want to apply as well. Each of these has a different file extension. As mentioned above, the boot images end in .lfbff or .cdisk depending on the platform. For all platforms, the system image ends in .pkg and patch files end in .sh.

High-level process

  1. Upgrade ROMMON if necessary
  2. Upload and install the FTD OS from the TFTP server
  3. After a reboot assign temporary network settings
  4. Upload and install the FTD system package
  5. Configure the device for management from the FMC

Upgrading the ROMMON image

For our first step we want to upgrade ROMMON. Let's take a look at the current image that's installed. To do this, we issue the command show module.

ciscoasa# show module

Mod  Card Type                                    Model              Serial No. 
-------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200401KK
 sfr FirePOWER Services Software Module           ASA5506            JAD200401KK

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
--------------------------------- ------------ ------------ ---------------
   1 0035.1ae4.89a1 to 0035.1ae4.89aa  1.1          1.1.8        9.5(2)
 sfr 0035.1ae4.89a0 to 0035.1ae4.89a0  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
------------------ --------------------- -------------
   1 Up Sys             Not Applicable        
 sfr Up                 Up                    

ciscoasa# 

In this case the ASA is already running version 1.1.8. Had we needed to upgrade, we would follow this process:

  1. Get a copy of the ROMMON image from Cisco.com
  2. Copy the image to the ASA using TFTP:
ciscoasa# copy tftp://10.0.2.101/asa5500-firmware-1108.SPA disk0:asa5500-firmware-1108.SPA
  3. Upgrade the ROMMON image:
ciscoasa# upgrade rommon disk0:asa5500-firmware-1108.SPA
Verifying file integrity of disk0:/asa5500-firmware-1108.SPA

Computed Hash   SHA2: d824bdeecee1308fc64427367fa559e9
  eefe8f182491652ee4c05e6e751f7a4f
  5cdea28540cf60acde3ab9b65ff55a9f
  4e0cfb84b9e2317a856580576612f4af
  
Embedded Hash   SHA2: d824bdeecee1308fc64427367fa559e9
  eefe8f182491652ee4c05e6e751f7a4f
  5cdea28540cf60acde3ab9b65ff55a9f
  4e0cfb84b9e2317a856580576612f4af
  

Digital signature successfully validated
File Name                     : disk0:/asa5500-firmware-1108.SPA
Image type                    : Release
Signer Information
Common Name           : abraxas
Organization Unit     : NCS_Kenton_ASA
Organization Name     : CiscoSystems
Certificate Serial Number : 553156F4
Hash Algorithm            : SHA2 512
Signature Algorithm       : 2048-bit RSA
Key Version               : A
Verification successful.
Proceed with reload? [confirm]

  4. Confirm the upgrade after the reload using the show module command.
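Step 1 of the process is "upgrade ROMMON if necessary", and the supported-platform list above is the other gate. The following added example (not from the article or from Cisco) parses the show module output shown above to answer both questions automatically; the assumption that 1.1.8 is the minimum acceptable ROMMON level is taken from the article treating that version as sufficient.

```python
import re

# Constructed sample: the two "show module" tables from the article that the
# check needs (model/serial of module 1 and its Fw (ROMMON) version).
SHOW_MODULE = """\
Mod  Card Type                                    Model              Serial No.
-------------------------------------------- ------------------ -----------
   1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC   ASA5506            JAD200401KK
 sfr FirePOWER Services Software Module           ASA5506            JAD200401KK

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
--------------------------------- ------------ ------------ ---------------
   1 0035.1ae4.89a1 to 0035.1ae4.89aa  1.1          1.1.8        9.5(2)
 sfr 0035.1ae4.89a0 to 0035.1ae4.89a0  N/A          N/A          5.4.1-211
"""

# Platforms the article lists as supported for the FTD image.
SUPPORTED_MODELS = {"ASA5506", "ASA5506W", "ASA5506H", "ASA5508", "ASA5512",
                    "ASA5515", "ASA5516", "ASA5525", "ASA5545", "ASA5555"}

# Assumption: the article's 1.1.8 is treated as the minimum ROMMON level.
MIN_ROMMON = (1, 1, 8)


def parse_show_module(text):
    """Return (model, serial, rommon_version_tuple) for module 1."""
    model = serial = fw = None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "1":
            continue
        # Card-type table: model and serial are the last two columns.
        if fields[-2].startswith("ASA"):
            model, serial = fields[-2], fields[-1]
        # MAC-address table: "<mac> to <mac>  <hw ver>  <fw ver>  <sw ver>".
        m = re.match(r"\s*1\s+\S+ to \S+\s+\S+\s+(\d+(?:\.\d+)*)\s", line)
        if m:
            fw = tuple(int(x) for x in m.group(1).split("."))
    return model, serial, fw


def preflight(text):
    """Decide whether the box is supported and whether ROMMON must be upgraded."""
    model, serial, fw = parse_show_module(text)
    return {
        "model": model,
        "serial": serial,
        "rommon": ".".join(map(str, fw)) if fw else None,
        "supported": model in SUPPORTED_MODELS,
        "rommon_upgrade_needed": fw is None or fw < MIN_ROMMON,
    }


if __name__ == "__main__":
    print(preflight(SHOW_MODULE))
```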

Reimage the ASA to FTD

Our next step is to reimage the ASA to the FTD image. Before we do that, it's a good idea to back up our current system.

ciscoasa# backup
[Press return to continue or enter a backup location]:

No filename provided! Using default ciscoasa.backup.2017-05-12-101022.tar.gz
Begin backup ...
Backing up [ASA Version] ... Done!
Backing up [Running Configurations] ... Done!
Backing up [Startup Configurations] ...
Copy in progress...C Done!
Backing up [WebVPN Data] ... Done!
Compressing the backup directory ... Done!
Copying Backup ... Done!
Cleaning up ... Done!

Backup finished!
ciscoasa# 

Now make sure you copy this backup off the box; here it goes to the TFTP server.

ciscoasa# copy disk0:/ciscoasa.backup.2017-05-12-101022.tar.gz tftp://10.0.2.1$

Source filename [ciscoasa.backup.2017-05-12-101022.tar.gz]? 

Address or name of remote host [10.0.2.101]? 

Destination filename [ciscoasa.backup.2017-05-12-101022.tar.gz]? 

INFO: No digital signature found
45905 bytes copied in 0.170 secs
ciscoasa# 

Next, copy out the activation key:

ciscoasa# show activation-key 
Serial Number:  JAD200401KK
Running Permanent Activation Key: 0x###64 0x###be6a9 0x3#####28 0x######6c 0x####2289 

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.
ciscoasa# 

Now we need to reload the ASA and enter ROMMON mode. Remember that this means you need to do this from the serial console. An SSH session into the ASA will not cut it here.

ciscoasa# reload
System config has been modified. Save? [Y]es/[N]o:  Y
Cryptochecksum: d7f49992 bec177a3 f17e3159 1d47f5c8 

2851 bytes copied in 0.270 secs
Proceed with reload? [confirm] 
ciscoasa# 


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting... 
Rom image verified correctly


Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders


Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 00:35:1a:e4:89:a1


Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.  

rommon 1 > 

Now that you're sitting at ROMMON you need to set up some temporary management settings so the ASA can pull the boot image from the TFTP server: the management address and netmask, the TFTP server address and the boot file name (the gateway was already set on this box). Use set to review the values and sync to save them.

rommon 1 > address 10.0.2.107
rommon 2 > netmask 255.255.255.0
rommon 3 > server 10.0.2.101
rommon 4 > file ftd-boot-9.7.1.4.lfbff
rommon 5 > set
ADDRESS=10.0.2.107
NETMASK=255.255.255.0
GATEWAY=10.0.2.1
SERVER=10.0.2.101
IMAGE=ftd-boot-9.7.1.4.lfbff
CONFIG=
PS1="rommon ! > "

rommon 6 > sync
rommon 7 > 

Our next step is to download the boot image with tftpdnld. As you can see below, this is a simple process: the ASA fetches the file, verifies its LFBFF signature and boots straight into the FTD boot CLI.

rommon 7 > tftpdnld
 ADDRESS: 10.0.2.107
 NETMASK: 255.255.255.0
 GATEWAY: 10.0.2.1
  SERVER: 10.0.2.101
   IMAGE: ftd-boot-9.7.1.4.lfbff
 MACADDR: 00:35:1a:e4:89:a1
   VERBOSITY: Progress
   RETRY: 40
  PKTTIMEOUT: 7200
 BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
 PHYMODE: Auto Detect

Receiving ftd-boot-9.7.1.4.lfbff from 10.0.2.101!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 107035120 (0x66139f0) bytes
[image size]      107035120
[MD5 signaure]    fea0e064574aec139158a85fc364df56
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5506.
Found device serial number JAD200401KK.
Found USB flash drive /dev/sdb
Found hard drive(s):  /dev/sda
fsck from util-linux 2.23.2
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
There are differences between boot sector and its backup.
Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
/dev/sdb1: 53 files, 814354/1918808 clusters
Launching boot CLI ...
Configuring network interface using static IP
Bringing up network interface.
Depending on your network, this might take a couple of minutes when using DHCP...
ifup: interface lo already configured
Using IPv4 address: 10.0.2.107
INIT: Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
  generating ssh RSA key...
  generating ssh ECDSA key...
  generating ssh DSA key...
Could not load host key: /etc/ssh/ssh_host_ed25519_key
done.
Starting Advanced Configuration and Power Interface daemon: acpid.
acpid: starting up

acpid: 1 rule loaded

acpid: waiting for events: event logging is off

Starting ntpd: done
Starting syslog-ng:[2017-05-12T10:42:55.702033] Connection failed; fd='15', server='AF_INET(127.128.254.1:514)', local='AF_INET(0.0.0.0:0)', error='Network is unreachable (101)'
[2017-05-12T10:42:55.702137] Initiating connection failed, reconnecting; time_reopen='60'
.
Starting crond: OK



Cisco FTD Boot 6.0.0 (9.7.1.4)
  Type ? for list of commands
ciscoasa-boot>

Now that we have booted into the FTD boot image, type setup and go through the basic IP settings. Most of the settings you configured will come through, as you can see in the following output. Values in square brackets are defaults you can accept by hitting Enter.

ciscoasa-boot>setup


Welcome to Cisco FTD Setup 
  [hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [ciscoasa]: ftd1
Do you want to configure IPv4 address on management interface?(y/n) [Y]: 
Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: 
N
Enter an IPv4 address [10.0.2.107]: 
10.0.2.107
Enter the netmask [255.255.255.0]: 
255.255.255.0
Enter the gateway: 10.0.2.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: 
N
Stateless autoconfiguration will be enabled for IPv6 addresses. 
Enter the primary DNS server IP address: 10.0.2.1
Do you want to configure Secondary DNS Server? (y/n) [n]: 
n
Do you want to configure Local Domain Name? (y/n) [n]: 
n
Do you want to configure Search domains? (y/n) [n]: 
n
Do you want to enable the NTP service? [Y]: 
Y
Enter the NTP servers separated by commas [203.0.113.126]: 10.0.2.1
Please review the final configuration:
Hostname:               ftd1
Management Interface Configuration

IPv4 Configuration:     static
IP Address:     10.0.2.107
Netmask:        255.255.255.0
Gateway:        10.0.2.1

IPv6 Configuration:     Stateless autoconfiguration

DNS Configuration:
DNS Server:
10.0.2.1

NTP configuration:
10.0.2.1
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: 
Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
ciscoasa-boot>

Next, use the system install command to install the FTD system image (the .pkg file). Note the warning in the output: disk0: is erased during installation, which is why we copied the backup off the box earlier.

ciscoasa-boot>system install noconfirm ftp://10.0.2.101/ftd-6.2.0-363.pkg

################## WARNING ############################
The content of disk0: will be erased during installation! #
#######################################################

Do you want to continue? [y/N] y
Erasing disk0 ...
Extracting   ... 
Verifying     

Enter credentials to authenticate with ftp server
Username: bcarroll
Password: 
Verifying     
Downloading     
Extracting     
Package Detail
Description:                    Cisco ASA-FTD 6.2.0-363 System Install
Requires reboot:                Yes 

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process ...     
Populating new system image     

Broadcast message from root@ftd1 (ttyS1) (Fri May 12 11:06:27 2017):

The system is going down for reboot NOW!
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 1719)
.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1723)
acpid: exiting

acpid.
Stopping system message bus: dbus.
Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 1812)
done
Stopping crond: OK
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting... 

Finally, after about 30 - 40 minutes you are ready to log in.

Cryptochecksum (changed): b03622ce c784e983 5f8c8d31 fe1fc861 

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.

Cisco ASA5506-X Threat Defense v6.2.0 (build 363)
firepower login: 

The default login here is the username admin with the password Admin123, which you should change as soon as you log in, but we're not going to get into the specifics of the configuration in this article. However, you now have a shiny new FTD image running on your ASA. One new caveat to deal with is that management is now different. In the past you could use the CLI or ASDM to manage your ASA. With the FTD image you use either Firepower Device Manager or Firepower Management Center to manage your device. (Cisco's install and upgrade guides have more information.)

The Firepower Device Manager is an on-box web-based manager, similar to how we used to use the ASDM to manage a device. If you have a low- or mid-range ASA platform running FTD, you'll likely run the Firepower Device Manager.

While it seems like a lengthy process, you can always step away and work on other things while the images load. You should be aware that you will lose some of the features you used to have with the ASA running the old ASA image, but this is definitely the future of Cisco's security appliances so I'd highly recommend you get familiar now.


About Brandon Carroll

Brandon Carroll has been in the industry since the late 90s specializing in data networking and network security in the enterprise and data center. Brandon holds the CCIE in security and is a published author in network security.
