FTD on ASA 5500-X Series Hardware

Date: Jul 3, 2018 Sample Chapter is provided courtesy of .

In this sample chapter from Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall, Next-Generation Intrusion Prevention System, and Advanced Malware Protection, review the steps required to reimage and troubleshoot any Cisco ASA 5500-X Series hardware.

If your ASA is currently running FirePOWER Services as a separate module and you want to deploy Firepower Threat Defense (FTD), you must reimage your ASA with the unified FTD image. This chapter discusses the steps required to reimage and troubleshoot any Cisco ASA 5500-X Series hardware.

ASA Reimaging Essentials

To reimage ASA hardware with FTD, you need to use more than one type of image on the same hardware. This section describes the purposes of those images.

Figure 2-1 shows the subsets of a Firepower Threat Defense software image that you install or upgrade on the Cisco ASA 5500-X Series hardware platforms during the FTD reimaging process:

Figure 2-1 Subsets of a Firepower Threat Defense Software Image

  • ROMMON software: The ROMMON software is the firmware of an ASA. In an ASA, you enter the ROMMON mode to perform all the necessary tasks to copy a boot image from an external server. If you are reimaging one of the low-end ASA hardware platforms, such as ASA 5506-X, 5506W-X, 5506H-X, 5508-X, or 5516-X, you must update the firmware to Release 1.1.8 or greater. If you are running one of the midrange ASA hardware platforms, such as 5512-X, 5515-X, 5525-X, 5545-X, or 5555-X, and want to reimage it to the FTD software, you do not need to update the default firmware.

  • Boot image: The FTD boot image is a subset of the FTD system software. After you load your ASA with an FTD boot image, you can use the CLI of the boot image to prepare your ASA for downloading the FTD system software and beginning the setup.

  • System software: All the features of FTD are packaged in a system software image. You begin the FTD system software installation from the CLI prompt of the boot image. This is the last step of a basic reimaging process.

Table 2-1 summarizes various types of software that you might have to install to complete the FTD reimaging process.

Table 2-1 Software Images Required to Complete an FTD Reimage

                       | ROMMON Software | Boot Image | System Software
Purpose                | To update the firmware of an ASA. | To load an ASA with the network config, download the system software, and begin setup. | To install the features of the FTD system.
Low-end ASA (5506-X, 5508-X, 5516-X) | Firmware release 1.1.8 or greater is required. Use the *.SPA file to upgrade firmware. | Use a *.lfbff file to load a low-end ASA with the FTD boot image. | Use a *.pkg file to install the FTD system software package. You can use the same system software package on any low-end and midrange ASA hardware models.
Midrange ASA (5512-X, 5515-X, 5525-X, 5545-X, 5555-X) | Not necessary to update the default firmware version. | Use a *.cdisk file to load a midrange ASA with the FTD boot image. | Use the same *.pkg file as for low-end ASA.

Best Practices for FTD Installation on ASA Hardware

Consider the following best practices before reimaging ASA 5500-X Series hardware:

  • If you have just received a new ASA 5500-X, it might already have the FTD software preinstalled. In this case, you just need to update the FTD to the latest release and complete the configurations. However, reimaging is necessary when the hardware has traditional ASA software installed or when FirePOWER Services is running as a separate module.

  • You should perform reimaging during a maintenance window because the process interrupts the network traffic.

  • Prior to the maintenance window when you plan to do the reimaging, make sure you are able to access the website and can download all the FTD software. If needed, register for a Cisco account. If after the self-registration process you cannot download any of the desired software, you might need to get further assistance from your Cisco channel partner or the Cisco Technical Assistance Center (TAC).

  • The reimaging process may take about an hour, depending on the hardware model. However, you should plan for additional time to fulfill any prerequisites.

  • After you download any software from , always verify the MD5 or SHA512 checksum of the files you have downloaded to confirm that the file is not corrupt and has not been modified during download. Figure 2-2 shows how the MD5 and SHA512 checksum values are displayed at when you hover your mouse over a filename.

    Figure 2-2 Checksum Values of a Boot Image File

  • Reimaging an ASA with FTD software wipes out all the previous configurations, so make a backup of the existing configurations before you start the reimaging.

  • Never power off, shut down, or reboot ASA hardware when reimaging is in progress. A login prompt appears after all the reimaging processes are complete.

  • Read the release notes to determine any known issues and any special requirements or instructions.
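Verifying the checksum of each downloaded image, as the best practice above calls for, is easy to script instead of comparing hex strings by eye. The following is an added example, not code from the book or from Cisco: it infers MD5 or SHA512 from the length of the digest copied from the download page (tolerating pasted line breaks and upper-case hex), streams the file so a multi-gigabyte *.pkg is never read into memory, and compares with a constant-time function. The file name ftd-boot-9.6.2.0.lfbff and the bytes written by demo() are constructed sample data, not a real image.

```python
"""Verify the MD5 or SHA512 checksum of a downloaded FTD image before staging it.

Added example; not code from the book. The expected digest is the value shown on
the download page; the file is whatever was saved locally.
"""
import hashlib
import hmac
import re
from pathlib import Path

# Digest algorithms the download page publishes, keyed by hex-string length.
_ALGO_BY_HEX_LEN = {32: "md5", 128: "sha512"}


def normalize_digest(text: str) -> str:
    """Accept a digest pasted with spaces, line breaks, or upper-case hex."""
    cleaned = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("expected digest is not hexadecimal")
    if len(cleaned) not in _ALGO_BY_HEX_LEN:
        raise ValueError(f"digest has {len(cleaned)} hex chars; expected 32 (MD5) or 128 (SHA512)")
    return cleaned


def file_digest(path, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash so a multi-GB .pkg does not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, expected: str) -> bool:
    """True when the file's digest equals the published one.

    The algorithm is inferred from the digest length; hmac.compare_digest is used
    so the comparison does not depend on where the first differing byte is.
    """
    expected_hex = normalize_digest(expected)
    algorithm = _ALGO_BY_HEX_LEN[len(expected_hex)]
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex)


def verify_staging_dir(directory, manifest: dict) -> dict:
    """Check every image in manifest (filename -> published digest).

    Returns filename -> "ok" | "mismatch" | "missing". A mismatch means the file
    is corrupt or was altered in transit and must not be copied to the ASA.
    """
    results = {}
    for name, expected in manifest.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if verify_checksum(path, expected) else "mismatch"
    return results


def demo() -> dict:
    """Self-check against a constructed sample file (not a real Cisco image)."""
    import tempfile
    sample = b"constructed sample image bytes, not a real Cisco image"
    staging = tempfile.mkdtemp()
    path = Path(staging) / "ftd-boot-9.6.2.0.lfbff"
    path.write_bytes(sample)
    published_sha512 = hashlib.sha512(sample).hexdigest()
    published_md5 = hashlib.md5(sample).hexdigest()
    pasted = published_sha512.upper()[:64] + "\n" + published_sha512.upper()[64:]
    return {
        "sha512_match": verify_checksum(path, published_sha512),
        "sha512_pasted_upper": verify_checksum(path, pasted),
        "md5_match": verify_checksum(path, published_md5),
        "tampered": verify_checksum(path, "0" * 128),
        "staging": verify_staging_dir(
            staging, {"ftd-boot-9.6.2.0.lfbff": published_sha512, "ftd-6.1.0-330.pkg": published_md5}
        ),
    }


if __name__ == "__main__":
    import sys
    # Usage: python verify_image.py <downloaded file> <digest copied from the download page>
    ok = verify_checksum(sys.argv[1], sys.argv[2])
    print("OK" if ok else "CHECKSUM MISMATCH - do not copy this file to the ASA")
    sys.exit(0 if ok else 1)
```

Run it once per file before the maintenance window, and keep the manifest of published digests with the staged files so the TFTP and HTTP directories can be re-verified on the day.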

Installing and Configuring FTD

In this section, you learn the detailed steps involved in installing the FTD software on ASA 5500-X Series hardware. Before you install anything on an ASA, there are some prerequisites. Once you fulfill them, you can perform the remaining tasks of the reimaging process.

Figure 2-3 summarizes the steps involved in reimaging ASA 5500-X hardware to the FTD system software.

Figure 2-3 Major Steps in Reimaging ASA 5500-X Series Hardware

Fulfilling Prerequisites

You must fulfill storage and connectivity requirements before you begin reimaging. The following are the storage prerequisites:

  • To install FTD software, an ASA requires at least 3 GB free space plus additional space to store an FTD boot image (which is usually about 100 MB). See the “Verification and Troubleshooting Tools” section, later in this chapter, to learn how to determine how much free disk space an ASA has.

  • Make sure the ASA has a solid state drive (SSD) installed. See the “Verification and Troubleshooting Tools” section, later in this chapter, to learn how to determine whether an SSD is installed in an ASA.

The following are the connectivity prerequisites:

  • Using a console cable, connect your computer to the console port of the ASA that you want to reimage.

  • Ensure that you have access to TFTP and HTTP servers. You use the TFTP server to copy the firmware and boot image files to the ASA during the reimaging process. You copy the FTD system software from the HTTP server to the ASA. You can use an FTP server in lieu of an HTTP server, but you might find that a basic HTTP server is easier to set up.

Figure 2-4 shows a topology in which the management network is segregated from the data traffic, according to security best practice. An administrator computer is directly connected to an ASA through a console cable, and it also has access to the management network.

Figure 2-4 A Simple Topology in Which an ASA Inspects Data Traffic and Keeps Management Traffic Isolated

Figure 2-5 shows the simplest topology that provides both console and IP connectivity between an ASA and a computer and allows an administrator to perform reimaging and basic configuration.

Figure 2-5 The Most Basic Connectivity Between an ASA and a Server for Performing Reimaging and Basic Setup

Upgrading Firmware

If you plan to reimage a low-end ASA hardware model, such as 5506-X, 5508-X, or 5516-X, to the FTD software, you must make sure that the firmware version of the ASA is 1.1.8 or greater. See the “Verification and Troubleshooting Tools” section, later in this chapter, to learn how to determine the firmware version.

Follow these steps to upgrade the firmware (ROMMON software) of a low-end ASA model:

  • Step 1. Download the ROMMON software from and store it to your TFTP server. Figure 2-6 shows the ROMMON software file asa5500-firmware-1108.SPA that you use to upgrade the firmware of low-end ASA 5500-X Series hardware before you begin the reimaging process.

    Figure 2-6 The ROMMON Software File Information

  • Step 2. Copy the file from your TFTP server to your ASA storage. To copy a file from a TFTP server to an ASA, run the following command:

    ciscoasa# copy tftp://TFTP_server_address/filename disk0:

    Example 2-1 shows that the ROMMON software file asa5500-firmware-1108.SPA is successfully copied from a TFTP server (IP address 10.1.1.4, for example) to the storage of ASA 5506-X hardware.

    Example 2-1 Copying a File from a TFTP Server to ASA Hardware

    ciscoasa# copy tftp://10.1.1.4/asa5500-firmware-1108.SPA disk0:
    
    Address or name of remote host [10.1.1.4]?
    Source filename [asa5500-firmware-1108.SPA]?
    Destination filename [asa5500-firmware-1108.SPA]?
    
    Accessing tftp://10.1.1.4/asa5500-firmware-1108.SPA...!!!!!!!!!!!
    Done!
    Computed Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Embedded Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Digital signature successfully validated
    Writing file disk0:/asa5500-firmware-1108.SPA...
    !!!!!!!!!
    9241408 bytes copied in 8.230 secs (1155176 bytes/sec)
    ciscoasa#

  • Step 3. Once the file is copied successfully, begin the upgrade by running the following command:

    ciscoasa# upgrade rommon disk0:/asa5500-firmware-1108.SPA

    Example 2-2 shows the command to upgrade the firmware of ASA hardware. After the ROMMON software file is verified, the ASA prompts for a confirmation to reload.

    Example 2-2 Running the Command to Begin the ROMMON Upgrade

    ciscoasa# upgrade rommon disk0:/asa5500-firmware-1108.SPA
    
    Verifying file integrity of disk0:/asa5500-firmware-1108.SPA
    
    Computed Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Embedded Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Digital signature successfully validated
    File Name                     : disk0:/asa5500-firmware-1108.SPA
    Image type                    : Release
        Signer Information
            Common Name           : abraxas
            Organization Unit     : NCS_Kenton_ASA
            Organization Name     : CiscoSystems
       Certificate Serial Number : 55831CF6
        Hash Algorithm            : SHA2 512
        Signature Algorithm       : 2048-bit RSA
        Key Version               : A
    Verification successful.
    Proceed with reload? [confirm]

  • Step 4. Press the Enter key to confirm. Example 2-3 shows the reloading of the ASA hardware after the firmware upgrade starts.

    Example 2-3 Reloading ASA Hardware After an Upgrade Starts

    ***
    *** --- START GRACEFUL SHUTDOWN ---
    ***
    *** Message to all terminals:
    ***
    ***   Performing upgrade on rom-monitor.
    Shutting down isakmp
    Shutting down webvpn
    Shutting down sw-module
    Shutting down License Controller
    Shutting down File system
    ***
    *** --- SHUTDOWN NOW ---
    ***
    *** Message to all terminals:
    ***
    ***   Performing upgrade on rom-monitor.
    Process shutdown finished
    Rebooting... (status 0x9)
    ..
    INIT: Sending processes the TERM signal
    Stopping OpenBSD Secure Shell server: sshdno /usr/sbin/sshd found; none killed
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting...

    During the firmware upgrade process, the ASA reboots automatically a few times. Example 2-4 shows the ASA completing the first two steps of the ROMMON upgrade process. The system reloads every time it completes a step.

    Example 2-4 Upgrading the ROMMON Software

    Rom image verified correctly
    Cisco Systems ROMMON, Version 1.1.01, RELEASE SOFTWARE
    Copyright (c) 1994-2014  by Cisco Systems, Inc.
    Compiled Mon 10/20/2014 15:59:12.05 by builder
    
    Current image running: Boot ROM0
    Last reset cause: PowerCycleRequest
    DIMM Slot 0 : Present
    INFO: Rommon upgrade state: ROMMON_UPG_START (1)
    INFO: Reset code: 0x00002000
    Firmware upgrade step 1...
    Looking for file 'disk0:/asa5500-firmware-1108.SPA'
    Located 'asa5500-firmware-1108.SPA' @ cluster 1608398.
    ###################################################################################
      ###
    ##############################################################
    Image base 0x77014018, size 9241408
    LFBFF signature verified.
    Objtype: lfbff_object_rommon (0x800000 bytes @ 0x77014238)
    Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x77814258)
    INFO: FPGA version in upgrade image: 0x0202
    INFO: FPGA version currently active: 0x0202
    INFO: The FPGA image is up-to-date.
    INFO: Rommon version currently active: 1.1.01.
    INFO: Rommon version in upgrade image: 1.1.08.
    Active ROMMON: Preferred 0, selected 0, booted 0
    Switching SPI access to standby rommon 1.
    Please DO NOT reboot the unit, updating ROMMON......
    INFO: Duplicating machine state......
    Reloading now as step 1 of the rommon upgrade process...
    
    Toggling power on system board...
    Rom image verified correctly
    
    Cisco Systems ROMMON, Version 1.1.01, RELEASE SOFTWARE
    Copyright (c) 1994-2014  by Cisco Systems, Inc.
    Compiled Mon 10/20/2014 15:59:12.05 by builder
    Current image running: Boot ROM0
    Last reset cause: RP-Reset
    DIMM Slot 0 : Present
    INFO: Rommon upgrade state: ROMMON_UPG_START (1)
    INFO: Reset code: 0x00000008
    Active ROMMON: Preferred 0, selected 0, booted 0
    Firmware upgrade step 2...
    Detected current rommon upgrade is available, continue rommon upgrade process
    Rommon upgrade reset 0 in progress
    Reloading now as step 2 of the rommon upgrade process...

  • Step 5. After Step 1 and Step 2 of the upgrade process, when the ASA reloads, the ROMMON version shows 1.1.8 (see Example 2-5). The process, however, is still in progress. When the ASA prompts for a manual or automatic reboot, just wait a few seconds and let the system reboot itself.

    Example 2-5 The Last Stage of the ROMMON Upgrade Process

    Rom image verified correctly
    Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
    Copyright (c) 1994-2015  by Cisco Systems, Inc.
    Compiled Thu 06/18/2015 12:15:56.43 by builders
    
    Current image running: *Upgrade in progress* Boot ROM1
    Last reset cause: BootRomUpgrade
    DIMM Slot 0 : Present
    INFO: Rommon upgrade state: ROMMON_UPG_START (1)
    INFO: Reset code: 0x00000010
    PROM B: stopping boot timer
    Active ROMMON: Preferred 0, selected 0, booted 1
    INFO: Rommon upgrade state: ROMMON_UPG_TEST
    
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !! Please manually or auto boot ASAOS now to complete firmware upgrade !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    
    Platform ASA5506 with 4096 Mbytes of main memory
    MAC Address: a4:6c:2a:e4:6b:bf
    Using default Management Ethernet Port: 0
    
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot in 5 seconds.

    Example 2-6 shows the confirmation message you get for a successful ROMMON upgrade, after the final reboot. At this stage, the ROMMON software is fully upgraded, and you are ready to begin the next step of the reimage process.

    Example 2-6 Completion of a Successful Upgrade

    Located '.boot_string' @ cluster 1607965.
    
    #
    Attempt autoboot: "boot disk0:/asa961-50-lfbff-k8.spa"
    Located 'asa961-50-lfbff-k8.spa' @ cluster 10.
    
    ########################################################################################
      ######################################################################################
      ######################################################################################
      #################################################
    LFBFF signature verified.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    There are differences between boot sector and its backup.
    Differences: (offset:original/backup)
      65:01/00
      Not automatically fixing this.
    Starting check/repair pass.
    Starting verification pass.
    /dev/sdb1: 104 files, 811482/1918808 clusters
    dosfsck(/dev/sdb1) returned 0
    Mounting /dev/sdb1
    Setting the offload CPU count to 0
    IO Memory Nodes: 1
    IO Memory Per Node: 205520896 bytes
    
    Global Reserve Memory Per Node: 314572800 bytes Nodes=1
    
    LCMB: got 205520896 bytes on numa-id=0, phys=0x10d400000, virt=0x2aaaab000000
    LCMB: HEAP-CACHE POOL got 314572800 bytes on numa-id=0, virt=0x7fedbc200000
    Processor memory:   1502270072
    
    Compiled on Fri 04-Mar-16 10:50 PST by builders
    Total NICs found: 14
    i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: a46c.2ae4.6bbf
    ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002
    en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001
    en_vtun rev00 Backplane Int-Mgmt Interface     @ index 11 MAC: 0000.0001.0003
    en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 12 MAC: 0000.0000.0000
    en_vtun rev00 Backplane Tap Interface     @ index 13 MAC: 0000.0100.0001
    Rom-monitor was successfully upgraded.
    Verify the activation-key, it might take a while...
    .
    .
    ! Licensing and legal information are omitted for brevity
    .
    .
                    Cisco Systems, Inc.
                    170 West Tasman Drive
                    San Jose, California 95134-1706
    
    Reading from flash...
    !.
    Cryptochecksum (unchanged): 868f669d 9e09ca8b e91c32de 4ee8fd7f
    
    INFO: Power-On Self-Test in process.
    .......................
    INFO: Power-On Self-Test complete.
    INFO: Starting HW-DRBG health test...
    INFO: HW-DRBG health test passed.
    
    INFO: Starting SW-DRBG health test...
    INFO: SW-DRBG health test passed.
    Type help or '?' for a list of available commands.
    ciscoasa>

    When an ASA is running, you can also manually check its ROMMON software version, as discussed in the “Verification and Troubleshooting Tools” section, later in this chapter. Example 2-7 shows that the current firmware version is upgraded to 1.1.8.

    Example 2-7 The Upgraded Firmware Version

    ciscoasa> enable
    Password: 
    ciscoasa# show module
    
    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
       1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD191100HG
     sfr Unknown                                      N/A                JAD191100HG
    
    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
       1 a46c.2ae4.6bbf to a46c.2ae4.6bc8  1.0          1.1.8        9.6(1)50
     sfr a46c.2ae4.6bbe to a46c.2ae4.6bbe  N/A          N/A
    
    Mod  SSM Application Name           Status           SSM Application Version
    ---- ------------------------------ ---------------- --------------------------
    
    Mod  Status             Data Plane Status     Compatibility
    ---- ------------------ --------------------- -------------
       1 Up Sys             Not Applicable
     sfr Unresponsive       Not Applicable
    
    ciscoasa#
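Whether the firmware upgrade is needed at all can be read from show module, as the example above shows. The following is an added example, not code from the book: it parses the Example 2-7 output for the chassis model and Fw Version of module 1, compares the version numerically (so the 1.1.01 shown in the ROMMON banner of Example 2-4 sorts below 1.1.8, which a plain string comparison would get wrong), and applies the rule that only the low-end models require release 1.1.8 or greater. The column layout is assumed to match Example 2-7; the pre-upgrade and midrange variants are constructed from that text by substituting one value each.

```python
"""Decide from show module output whether a ROMMON upgrade is needed before an FTD reimage.

Added example, not code from the book. Assumes the column layout of Example 2-7.
"""
import re

MIN_ROMMON = (1, 1, 8)  # release 1.1.8 or greater is required on low-end models
LOW_END = {"5506", "5508", "5516"}                    # *.lfbff boot image; firmware may need an upgrade
MIDRANGE = {"5512", "5515", "5525", "5545", "5555"}   # *.cdisk boot image; default firmware is fine

# show module output copied from Example 2-7 (after the upgrade to 1.1.8).
SHOW_MODULE_UPGRADED = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD191100HG
 sfr Unknown                                      N/A                JAD191100HG

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2ae4.6bbf to a46c.2ae4.6bc8  1.0          1.1.8        9.6(1)50
 sfr a46c.2ae4.6bbe to a46c.2ae4.6bbe  N/A          N/A
"""
# Constructed variants: the same chassis before the upgrade, and a midrange chassis.
SHOW_MODULE_OLD_FIRMWARE = SHOW_MODULE_UPGRADED.replace("1.1.8  ", "1.1.01 ")
SHOW_MODULE_MIDRANGE = SHOW_MODULE_OLD_FIRMWARE.replace("ASA5506", "ASA5525")


def parse_version(text: str) -> tuple:
    """'1.1.01' -> (1, 1, 1). Numeric tuples compare correctly; '1.1.01' < '1.1.8' as strings does not."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def parse_show_module(output: str) -> dict:
    """Return the model digits and ROMMON (Fw) version of module 1, the chassis itself."""
    model = firmware = None
    for line in output.splitlines():
        if not re.match(r"\s*1\s", line):
            continue  # skip headers and the sfr module row
        m = re.search(r"\bASA(55\d\d)\w*\s+\S+\s*$", line)  # Model column, serial number last
        if m:
            model = m.group(1)
        m = re.match(r"\s*1\s+\S+ to \S+\s+(\S+)\s+(\S+)\s+(\S+)", line)  # Hw, Fw, Sw columns
        if m:
            firmware = m.group(2)
    if model is None or firmware is None:
        raise ValueError("module 1 model or firmware version not found in show module output")
    return {"model": model, "firmware": firmware}


def rommon_upgrade_needed(show_module_output: str) -> bool:
    """Apply the chapter's rule: low-end models need 1.1.8 or greater; midrange keep the default."""
    info = parse_show_module(show_module_output)
    if info["model"] in MIDRANGE:
        return False
    if info["model"] in LOW_END:
        return parse_version(info["firmware"]) < MIN_ROMMON
    raise ValueError(f"ASA{info['model']} is not a 5500-X model this check knows")


if __name__ == "__main__":
    for label, text in (("upgraded 5506-X", SHOW_MODULE_UPGRADED),
                        ("5506-X on 1.1.01", SHOW_MODULE_OLD_FIRMWARE),
                        ("5525-X", SHOW_MODULE_MIDRANGE)):
        info = parse_show_module(text)
        print(f"{label}: ASA{info['model']} Fw {info['firmware']} -> upgrade needed: {rommon_upgrade_needed(text)}")
```

Paste the output of show module from the console session into the script; the decision it returns is the one to check against the firmware-version row in Table 2-1 before touching ROMMON.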

Installing the Boot Image

You begin the setup of the FTD software from the command line interface (CLI) of a boot image. To access the CLI of the boot image, you need to reload the ASA with the FTD boot image. This section discusses the steps that are necessary to reload an ASA with an appropriate boot image on any ASA 5500-X Series hardware:

  • Step 1. Download the appropriate boot image for your ASA hardware:

    • For low-end ASA hardware, use the *.lfbff file.

    • For midrange hardware, use the *.cdisk file.

    Figure 2-7 shows the boot image file ftd-boot-9.6.2.0.lfbff that you use during the reimaging of ASA 5506-X, 5508-X, or 5516-X hardware.

    Figure 2-7 The *.lfbff Boot Image File for Low-End ASA 5500-X Series Hardware

    Figure 2-8 shows the boot image file ftd-boot-9.6.2.0.cdisk that you use during the reimaging of ASA 5512-X, 5515-X, 5525-X, 5545-X, or 5555-X hardware.

    Figure 2-8 The *.cdisk Boot Image File for Midrange ASA 5500-X Series Hardware

  • Step 2. Reload the ASA. As shown in Example 2-8, the ASA shuts down all its processes before it gracefully reboots.

    Example 2-8 Reloading ASA Hardware

    ciscoasa# reload
    Proceed with reload? [confirm]
    ciscoasa#
    ***
    *** --- START GRACEFUL SHUTDOWN ---
    Shutting down isakmp
    Shutting down webvpn
    Shutting down sw-module
    Shutting down License Controller
    Shutting down File system
    ***
    *** --- SHUTDOWN NOW ---
    Process shutdown finished
    Rebooting... (status 0x9)
    ..
    INIT: Sending processes the TERM signal
    Stopping OpenBSD Secure Shell server: sshdno /usr/sbin/sshd found; none killed
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting...

  • Step 3. Interrupt the bootup process by pressing the Esc key. Example 2-9 shows that the bootup process is interrupted and the ASA enters ROMMON mode.

    Example 2-9 Interrupting the Bootup Process

    Rom image verified correctly
    
    Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
    Copyright (c) 1994-2015  by Cisco Systems, Inc.
    Compiled Thu 06/18/2015 12:15:56.43 by builders
    
    Current image running: Boot ROM1
    Last reset cause: PowerCycleRequest
    DIMM Slot 0 : Present
    
    Platform ASA5506 with 4096 Mbytes of main memory
    MAC Address: a4:6c:2a:e4:6b:bf
    Using default Management Ethernet Port: 0
    
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot in 7 seconds.
    Boot interrupted.
    rommon 1 >

  • Step 4. To see the ROMMON configuration mode’s limited command options, run the help command. Example 2-10 shows the available commands in the ROMMON configuration mode, with the commands used to install the boot image highlighted.

    Example 2-10 Available Commands in the ROMMON Configuration Mode

    rommon 1 > help
    ?                   Display this help menu
    address             Set the local IP address
    boot                Boot an application program
    confreg             Configuration register contents display and management
    console             Console BAUD rate display and configuration
    dev                 Display a list of available file system devices
    dir                 File directory display command
    erase               erase the specified file system
    file                Set the application image file path/name to be TFTPed
    gateway             Set the default gateway IP address
    help                "help" for this menu
                        "help <command>" for specific command information
    history             Show the command line history
    netmask             Set the IP subnet mask value
    ping                Test network connectivity with ping commands
    server              Set the TFTP server IP address
    show                Display system device and status information
    tftpdnld            Download and run the image defined by "FILE"
    reboot              Reboot the system
    reload              Reboot the system
    repeat              Repeat a CLI command
    reset               Reboot the system
    set                 Display the configured environment variables
    sync                Save the environment variables to persistent storage
    unset               Clear a configured environment variable

  • Step 5. Configure the network by using the commands shown in Example 2-11. You must configure these options to ensure successful network communication between the ASA, FMC, and other servers.

    Example 2-11 Commands to Configure the Network Settings in ROMMON Mode

    rommon 2 > address 10.1.1.21
    rommon 3 > netmask 255.255.255.0
    rommon 4 > gateway 10.1.1.1
    rommon 5 > server 10.1.1.4

  • Step 6. Test the connectivity from the ASA to the TFTP server where the image files are stored, as shown in Example 2-12. You get confirmation that the ASA can communicate with the TFTP server.

    Example 2-12 A Successful ping Test from the ASA to the TFTP Server

    rommon 6 > ping 10.1.1.4
    Sending 10, 32-byte ICMP Echoes to 10.1.1.4 timeout is 4 seconds
    !!!!!!!!!!
    Success rate is 100 percent (10/10)

  • Step 7. Once connectivity is established, provide the name of the boot image file you want to download from the TFTP server, save the changes, and begin the download. Example 2-13 shows that the ASA 5506-X has successfully downloaded the boot image file ftd-boot-9.6.2.0.lfbff from a TFTP server.

    Example 2-13 Commands to Select and Download a File from a TFTP Server to ASA Hardware

    rommon 7 > file ftd-boot-9.6.2.0.lfbff
    rommon 8 > sync
    rommon 9 > tftpdnld
                 ADDRESS: 10.1.1.21
                 NETMASK: 255.255.255.0
                 GATEWAY: 10.1.1.1
                  SERVER: 10.1.1.4
                   IMAGE: ftd-boot-9.6.2.0.lfbff
                 MACADDR: a4:6c:2a:e4:6b:bf
               VERBOSITY: Progress
                   RETRY: 20
              PKTTIMEOUT: 60
                 BLKSIZE: 1460
                CHECKSUM: Yes
                    PORT: GbE/1
                 PHYMODE: Auto Detect
    
    Receiving ftd-boot-9.6.2.0.lfbff from 10.1.1.4!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    File reception completed.

    The ASA boots up automatically with the FTD boot CLI, as shown in Example 2-14.

    Example 2-14 Bootup Process of ASA Hardware with an FTD Boot Image

    Boot buffer bigbuf=348bd018
    Boot image size = 100921600 (0x603f100) bytes
    [image size]      100921600
    [MD5 signature]    0264697f6f1942b9bf80f820fb209ad5
    LFBFF signature verified.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    Detected PID ASA5506.
    Found device serial number JAD191100HG.
    Found USB flash drive /dev/sdb
    Found hard drive(s):  /dev/sda
    fsck from util-linux 2.23.2
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    There are differences between boot sector and its backup.
    Differences: (offset:original/backup)
      65:01/00
      Not automatically fixing this.
    /dev/sdb1: 52 files, 811482/1918808 clusters
    Launching boot CLI ...
    Configuring network interface using static IP
    Bringing up network interface.
    Depending on your network, this might take a couple of minutes when using DHCP...
    ifup: interface lo already configured
    Using IPv4 address: 10.1.1.21
    INIT: Starting system message bus: dbus.
    Starting OpenBSD Secure Shell server: sshd
      generating ssh RSA key...
      generating ssh ECDSA key...
      generating ssh DSA key...
    done.
    Starting Advanced Configuration and Power Interface daemon: acpid.
    acpid: starting up
    acpid: 1 rule loaded
    acpid: waiting for events: event logging is off
    Starting ntpd: done
    Starting syslog-ng:[2016-09-19T19:43:24.781411] Connection failed; fd='15',
      server='AF_INET(127.128.254.1:514)', local='AF_INET(0.0.0.0:0)', error='Network is
      unreachable (101)'
    [2016-09-19T19:43:24.781508] Initiating connection failed, reconnecting;
      time_reopen='60'
    .
    Starting crond: OK
    
    
                Cisco FTD Boot 6.0.0 (9.6.2.)
                  Type ? for list of commands
    ciscoasa-boot>

  • Step 8. Optionally press the ? key to see the list of the available commands on the FTD boot CLI, as shown in Example 2-15. (In the next section of this chapter, you will see the commands highlighted in this example used to install an FTD software system image.)

    Example 2-15 The Command Options on the FTD Boot CLI

    ciscoasa-boot> ?
        show             => Display system information. Enter show ? for options
        system           => Control system operation
        setup            => System Setup Wizard
        support          => Support information for TAC
        delete           => Delete files
        ping             => Ping a host to check reachability
        traceroute       => Trace the route to a remote host
        exit             => Exit the session
        help             => Get help on command syntax
    ciscoasa-boot>
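Steps 5 through 7 type four IP settings and a file name into ROMMON, and the only check the procedure offers is the ping in Step 6. The following added example (not code from the book or from Cisco) validates those values before they are typed: the gateway must lie in the ASA's subnet and differ from the ASA address, the TFTP server must not be the ASA itself (an off-subnet server is flagged as a warning, since the download then depends on the gateway), and the boot image type must match the hardware family from Table 2-1 (*.lfbff for low-end, *.cdisk for midrange). The values in demo() are those of Examples 2-11 through 2-13; the model is passed as its digits (5506, 5525, and so on).

```python
"""Consistency check for ROMMON network settings and the boot image name.

Added example, not code from the book. Model numbers are the digits after "ASA";
the boot image rule per model family is from Table 2-1.
"""
import ipaddress

BOOT_IMAGE_EXT = {  # model digits -> boot image type
    **{m: ".lfbff" for m in ("5506", "5508", "5516")},
    **{m: ".cdisk" for m in ("5512", "5515", "5525", "5545", "5555")},
}


def check_rommon_settings(model, address, netmask, gateway, server, image) -> dict:
    """Return {"errors": [...], "warnings": [...]}; no errors means the settings are consistent."""
    errors, warnings = [], []
    try:
        net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
        addr, gw, srv = (ipaddress.IPv4Address(x) for x in (address, gateway, server))
    except ValueError as exc:
        return {"errors": [f"malformed IP setting: {exc}"], "warnings": []}

    if addr in (net.network_address, net.broadcast_address):
        errors.append(f"address {addr} is the network or broadcast address of {net}")
    if gw not in net:
        errors.append(f"gateway {gw} is outside the ASA subnet {net}")
    elif gw == addr:
        errors.append("gateway must not be the ASA's own address")
    if srv == addr:
        errors.append("TFTP server address equals the ASA address")
    elif srv not in net:
        warnings.append(f"TFTP server {srv} is off-subnet; the download depends on gateway {gw}")

    ext = BOOT_IMAGE_EXT.get(model)
    if ext is None:
        errors.append(f"ASA{model} is not a 5500-X model this check knows")
    elif not image.endswith(ext):
        errors.append(f"ASA{model} needs a {ext} boot image, not {image}")
    return {"errors": errors, "warnings": warnings}


def rommon_commands(address, netmask, gateway, server, image) -> list:
    """The command sequence of Examples 2-11 and 2-13, in the order it is typed."""
    return [f"address {address}", f"netmask {netmask}", f"gateway {gateway}",
            f"server {server}", f"file {image}", "sync", "tftpdnld"]


def demo():
    """Check the values used in Examples 2-11 through 2-13 on an ASA 5506-X."""
    settings = dict(address="10.1.1.21", netmask="255.255.255.0", gateway="10.1.1.1",
                    server="10.1.1.4", image="ftd-boot-9.6.2.0.lfbff")
    return check_rommon_settings("5506", **settings), rommon_commands(**settings)


if __name__ == "__main__":
    result, commands = demo()
    for line in result["errors"] + result["warnings"]:
        print(line)
    if not result["errors"]:
        print("\n".join(commands))
```

Run it with the planned values and only type the printed command sequence when the error list is empty; a wrong image type is the mistake that ping cannot catch, since tftpdnld will happily fetch a *.cdisk file onto a 5506-X.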

Installing the System Software

Installing the FTD software is the last step of the reimaging process. This section describes the steps to install the FTD system software on any ASA 5500-X series hardware:

  • Step 1. Download the FTD system software package file from and copy it to an HTTP or FTP server. Figure 2-9 shows the FTD system software package ftd-6.1.0-330.pkg that you install on any low-end or midrange ASA 5500-X Series hardware during the reimaging process.

    Figure 2-9 The *.pkg File Installed on Any Low-End or Midrange ASA Hardware Models

  • Step 2. As shown in Example 2-16, run the setup command to configure or update the network settings so that the ASA can download the FTD system software package from the HTTP server. During the installation of the boot image, you configured the network settings. Now you either verify the existing configuration or provide any missing information that was not entered before.

    Example 2-16 A Complete Walk-through of the Network Setup Process

    ciscoasa-boot> setup
    
                    Welcome to Cisco FTD Setup
                      [hit Ctrl-C to abort]
                    Default values are inside []
    
    Enter a hostname [ciscoasa]:
    Do you want to configure IPv4 address on management interface?(y/n) [Y]:
    Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]:
    Enter an IPv4 address [10.1.1.21]:
    Enter the netmask [255.255.255.0]:
    Enter the gateway [10.1.1.1]:
    Do you want to configure static IPv6 address on management interface?(y/n) [N]:
    Stateless autoconfiguration will be enabled for IPv6 addresses.
    Enter the primary DNS server IP address: 10.1.1.8
    Do you want to configure Secondary DNS Server? (y/n) [n]:
    Do you want to configure Local Domain Name? (y/n) [n]:
    Do you want to configure Search domains? (y/n) [n]:
    Do you want to enable the NTP service? [Y]:
    Enter the NTP servers separated by commas: 10.1.1.9
    
    Please review the final configuration:
    Hostname:               ciscoasa
    Management Interface Configuration
    
    IPv4 Configuration:     static
            IP Address:     10.1.1.21
            Netmask:        255.255.255.0
            Gateway:        10.1.1.1
    
    IPv6 Configuration:     Stateless autoconfiguration
    
    DNS Configuration:
            DNS Server:     10.1.1.8
    
    NTP configuration:      10.1.1.9
    
    CAUTION:
    You have selected IPv6 stateless autoconfiguration, which assigns a global address
    based on network prefix and a device identifier. Although this address is unlikely
    to change, if it does change, the system will stop functioning correctly.
    We suggest you use static addressing instead.
    Apply the changes?(y,n) [Y]:
    Configuration saved successfully!
    Applying...
    Restarting network services...
    Done.
    Press ENTER to continue...
    ciscoasa-boot>
  • Step 3. Test the connectivity, as shown in Example 2-17, where the ASA successfully pings the HTTP server from the FTD boot CLI.

    Example 2-17 ping Test Between the ASA and the HTTP Server

    ciscoasa-boot> ping 10.1.1.4
    PING 10.1.1.4 (10.1.1.4) 56(84) bytes of data.
    64 bytes from 10.1.1.4: icmp_seq=1 ttl=64 time=0.364 ms
    64 bytes from 10.1.1.4: icmp_seq=2 ttl=64 time=0.352 ms
    64 bytes from 10.1.1.4: icmp_seq=3 ttl=64 time=0.326 ms
    64 bytes from 10.1.1.4: icmp_seq=4 ttl=64 time=0.313 ms
    ^C
    --- 10.1.1.4 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2997ms
    rtt min/avg/max/mdev = 0.313/0.338/0.364/0.030 ms
    
    ciscoasa-boot>
  • Step 4. Download the FTD system software package from the HTTP server, as shown in Example 2-18. After a successful download, the file is extracted automatically.

    Example 2-18 Downloading the FTD System Software

    ciscoasa-boot> system install http://10.1.1.4/ftd-6.1.0-330.pkg
    
    ######################## WARNING ############################
    # The content of disk0: will be erased during installation! #
    #############################################################
    
    Do you want to continue? [y/N] Y
    Erasing disk0 ...
    Verifying
    Downloading...
  • Step 5. When prompted, press Y to start the upgrade process. Example 2-19 shows the extraction of the FTD system software package ftd-6.1.0-330.pkg and the beginning of the upgrade process.

    Example 2-19 Starting the Upgrade Process

    Extracting.....
    Package Detail
            Description:                    Cisco ASA-FTD 6.1.0-330 System Install
            Requires reboot:                Yes
    
    Do you want to continue with upgrade? [y]:
    Warning: Please do not interrupt the process or turn off the system.
    Doing so might leave system in unusable state.
    
    Starting upgrade process ...
    Populating new system image..
  • Step 6. When the image is populated and the system prompts you to reboot the system, press Enter to reboot. Example 2-20 shows the ASA hardware rebooting after the image is populated.

    Example 2-20 Rebooting the ASA Hardware to Complete the Upgrade

    Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
    
    Broadcast mStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 1723)
    .
    Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid
      (pid 1727)
    acpid: exiting
    
    acpid.
    Stopping system message bus: dbus.
    Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 1893)
    done
    Stopping crond: OKs
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting...
    
    Rom image verified correctly
    
    Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
    Copyright (c) 1994-2015  by Cisco Systems, Inc.
    Compiled Thu 06/18/2015 12:15:56.43 by builders
    
    Current image running: Boot ROM1
    Last reset cause: PowerCycleRequest
    DIMM Slot 0 : Present
    
    Platform ASA5506 with 4096 Mbytes of main memory
    MAC Address: a4:6c:2a:e4:6b:bf
    Using default Management Ethernet Port: 0
    
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot in 5 seconds.
    
    
    Located '.boot_string' @ cluster 260097.
    #
    Attempt autoboot: "boot disk0:os.img"
    Located 'os.img' @ cluster 235457.
    
    ##############################################################################################
      ############################################################################################
      ############################################################################################
      ############################################################################################
      ############################################################################################
      #####################################
    LFBFF signature verified.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    Detected PID ASA5506.
    Found device serial number JAD191100HG.
    Found USB flash drive /dev/sdb
    Found hard drive(s):  /dev/sda
    fsck from util-linux 2.23.2
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    /dev/sdb1: 7 files, 24683/1919063 clusters

    After bootup, the initialization of the FTD software begins automatically. Example 2-21 shows the launch of FTD software and the execution of various scripts throughout the installation process.

    Example 2-21 The FTD Initialization Process

    Use ESC to interrupt boot and launch boot CLI.
    Use SPACE to launch Cisco FTD immediately.
    Cisco FTD launch in 21 seconds ...
    
    Cisco FTD launch in 0 seconds ...
    Running on kenton
    Mounting disk partitions ...
    Initializing Threat Defense ...                                       [  OK  ]
    Starting system log daemon...                                         [  OK  ]
    Stopping mysql...
    Sep 19 20:29:33 ciscoasa SF-IMS[2303]: [2303] pmtool:pmtool [ERROR] Unable to connect
      to UNIX socket at /ngfw/var/sf/run/PM_Control.sock: No such file or directory
    Starting mysql...
    Sep 19 20:29:33 ciscoasa SF-IMS[2304]: [2304] pmtool:pmtool [ERROR] Unable to connect
      to UNIX socket at /ngfw/var/sf/run/PM_Control.sock: No such file or directory
    Flushing all current IPv4 rules and user defined chains: ...success
    Clearing all current IPv4 rules and user defined chains: ...success
    Applying iptables firewall rules:
    Flushing chain 'PREROUTING'
    .
    ! Omitted the messages related to iptables flushing for brevity
    .
    Flushing chain 'OUTPUT'
    Applying rules successed
    Starting nscd...
    mkdir: created directory '/var/run/nscd'                              [  OK  ]
    Starting , please wait...grep: /ngfw/etc/motd: No such file or directory
    ...complete.
    Firstboot detected, executing scripts
    Executing S01reset_failopen_if                                        [  OK  ]
    Executing S01virtual-machine-reconfigure                              [  OK  ]
    Executing S02aws-pull-cfg                                             [  OK  ]
    Executing S02configure_onbox                                          [  OK  ]
    Executing S04fix-httpd.sh                                             [  OK  ]
    Executing S05set-mgmnt-port                                           [  OK  ]
    Executing S06addusers                                                 [  OK  ]
    Executing S07uuid-init                                                [  OK  ]
    Executing S08configure_mysql                                          [  OK  ]
    
    ** Attention ****
    
       Initializing the configuration database.  Depending on available
       system resources (CPU, memory, and disk), this may take 30 minutes
       or more to complete.
    
    ** Attention ****
    
    Executing S09database-init                                            [  OK  ]
    Executing S11database-populate                                        [  OK  ]
    Executing S12install_infodb                                           [  OK  ]
    Executing S15set-locale.sh                                            [  OK  ]
    Executing S16update-sensor.pl                                         [  OK  ]
    Executing S19cert-tun-init                                            [  OK  ]
    Executing S20cert-init                                                [  OK  ]
    Executing S21disable_estreamer                                        [  OK  ]
    Executing S25create_default_des.pl                                    [  OK  ]
    Executing S30init_lights_out_mgmt.pl                                  [  OK  ]
    Executing S40install_default_filters.pl                               [  OK  ]
    Executing S42install_default_dashboards.pl                            [  OK  ]
    Executing S43install_default_report_templates.pl                      [  OK  ]
    Executing S44install_default_app_filters.pl                           [  OK  ]
    Executing S45install_default_realms.pl                                [  OK  ]
    Executing S47install_default_sandbox_EO.pl                            [  OK  ]
    Executing S50install-remediation-modules                              [  OK  ]
    Executing S51install_health_policy.pl                                 [  OK  ]
    Executing S52install_system_policy.pl                                 [  OK  ]
    Executing S53change_reconciliation_baseline.pl                        [  OK  ]
    Executing S70remove_casuser.pl                                        [  OK  ]
    Executing S70update_sensor_objects.sh                                 [  OK  ]
    Executing S85patch_history-init                                       [  OK  ]
    Executing S90banner-init                                              [  OK  ]
    Executing S95copy-crontab                                             [  OK  ]
    Executing S96grow_var.sh                                              [  OK  ]
    Executing S96install_vmware_tools.pl                                  [  OK  ]
    
     Attention 
    
       Initializing the system's localization settings.  Depending on available
       system resources (CPU, memory, and disk), this may take 10 minutes
       or more to complete.
     Attention 
    Executing S96localize-templates                                       [  OK  ]
    Executing S96ovf-data.pl                                              [  OK  ]
    Executing S97compress-client-resources                                [  OK  ]
    Executing S97create_platinum_forms.pl                                 [  OK  ]
    Executing S97install_cas                                              [  OK  ]
    Executing S97install_cloud_support.pl                                 [  OK  ]
    Executing S97install_geolocation.pl                                   [  OK  ]
    Executing S97install_ssl_inspection.pl                                [  OK  ]
    Executing S97update_modprobe.pl                                       [  OK  ]
    Executing S98check-db-integrity.sh                                    [  OK  ]
    Executing S98htaccess-init                                            [  OK  ]
    Executing S98is-sru-finished.sh                                       [  OK  ]
    Executing S99correct_ipmi.pl                                          [  OK  ]
    Executing S99start-system                                             [  OK  ]
    Executing S99z_db_restore                                             [  OK  ]
    Executing S99_z_cc-integrity.sh                                       [  OK  ]
    Firstboot scripts finished.
    Configuring NTP...                                                    [  OK  ]
    fatattr: can't open '/mnt/disk0/.private2': No such file or directory
    fatattr: can't open '/mnt/disk0/.ngfw': No such file or directory
    Model reconfigure detected, executing scripts
    Pinging mysql
    Found mysql is running
    Executing 45update-sensor.pl                                          [  OK  ]
    Executing 55recalculate_arc.pl                                        [  OK  ]
    Starting xinetd:
    Mon Sep 19 20:59:07 UTC 2016
    Starting MySQL...
    Pinging mysql
    Pinging mysql, try 1
    Pinging mysql, try 2
    Found mysql is running
    Running initializeObjects...
    Stopping MySQL...
    Killing mysqld with pid 22285
    Wait for mysqld to exit\c
     done
    Mon Sep 19 20:59:32 UTC 2016
    
    Starting sfifd...                                                     [  OK  ]
    Starting Cisco ASA5506-X Threat Defense, please wait...No PM running!
    ...started.
    INIT: Starting system message bus: dbus.
    Starting OpenBSD Secure Shell server: sshd
      generating ssh RSA key...
      generating ssh ECDSA key...
      generating ssh DSA key...
    done.
    Starting Advanced Configuration and Power Interface daemon: acpid.
    Starting crond: OK
    Sep 19 20:59:42 ciscoasa SF-IMS[22997]: [22997] init script:system [INFO] pmmon
      Setting affinity to 0-3...
    pid 22993's current affinity list: 0-3
    pid 22993's new affinity list: 0-3
    Sep 19 20:59:42 ciscoasa SF-IMS[22999]: [22999] init script:system [INFO] pmmon The
      Process Manager is not running...
    Sep 19 20:59:42 ciscoasa SF-IMS[23000]: [23000] init script:system [INFO] pmmon
      Starting the Process Manager...
    Sep 19 20:59:42 ciscoasa SF-IMS[23001]: [23001] pm:pm [INFO] Using model number 75J
    
    IO Memory Nodes: 1
    IO Memory Per Node: 205520896 bytes
    
    Global Reserve Memory Per Node: 314572800 bytes Nodes=1
    
    LCMB: got 205520896 bytes on numa-id=0, phys=0x2400000, virt=0x2aaaac200000
    LCMB: HEAP-CACHE POOL got 314572800 bytes on numa-id=0, virt=0x7fa17d600000
    Processor memory:   1583098718
    
    Compiled on Tue 23-Aug-16 19:42 PDT by builders
    
    Total NICs found: 14
    .
    ! Omitted the MAC addresses, licensing and legal messages for brevity
    .
                    Cisco Systems, Inc.
                    170 West Tasman Drive
                    San Jose, California 95134-1706
    
    Reading from flash...
    !
    Cryptochecksum (changed): f410387e 8aab8a4e f71eb8a9 f8b37ef9
    
    INFO: Power-On Self-Test in process.
    .......................................................................
    INFO: Power-On Self-Test complete.
    
    INFO: Starting HW-DRBG health test...
    INFO: HW-DRBG health test passed.
    
    INFO: Starting SW-DRBG health test...
    INFO: SW-DRBG health test passed.
    Type help o '?' for a list
    Cisco ASA5506-X Threat Defense v6.1.0 (build 330)
    firepower login:
  • Step 7. At the Firepower login prompt, which indicates that the installation is complete, enter the default login credentials (username admin and password Admin123), as shown in Example 2-22.

    Example 2-22 Entering the Default Login Credentials

    firepower login: admin
    Password: Admin123
  • Step 8. When prompted to accept the End User License Agreement (EULA), press Enter to display the agreement and to accept it. Example 2-23 shows the system prompts for the EULA. The detailed legal messages are omitted from this example for brevity.

    Example 2-23 Agreeing to the EULA

    You must accept the EULA to continue.
    Press <ENTER> to display the EULA:
    END USER LICENSE AGREEMENT
    .
    .
    !The EULA messages are omitted for brevity
    .
    .
    .Please enter 'YES' or press <ENTER> to AGREE to the EULA:
  • Step 9. As the system initialization process begins, change the password for the admin user and set up the network by pressing Enter to accept the default values in brackets ([ ]). Example 2-24 illustrates the configuration of the password and network settings.

    Example 2-24 Configuring the Network After the First Login to FTD

    System initialization in progress.  Please stand by.
    You must change the password for 'admin' to continue.
    Enter new password:
    Confirm new password:
    You must configure the network to continue.
    You must configure at least one of IPv4 or IPv6.
    Do you want to configure IPv4? (y/n) [y]:
    Do you want to configure IPv6? (y/n) [n]:
    Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
    Enter an IPv4 address for the management interface [192.168.45.45]: 10.1.1.21
    Enter an IPv4 netmask for the management interface [255.255.255.0]:
    Enter the IPv4 default gateway for the management interface [192.168.45.1]: 10.1.1.1
    Enter a fully qualified hostname for this system [firepower]:
    Enter a comma-separated list of DNS servers or 'none' []:
    Enter a comma-separated list of search domains or 'none' []:
    If your networking information has changed, you will need to reconnect.
    For HTTP Proxy configuration, run 'configure network http-proxy'
  • Step 10. When the question about local management (also known as on-box management) appears, enter no.

    Example 2-25 shows the configurations related to how to manage this FTD and how to deploy it in the network. In this example, the system is configured to be managed by a dedicated management appliance (the FMC) and is deployed in routed mode.

    Example 2-25 Configuring the Deployment Type and Modes

    Manage the device locally? (yes/no) [yes]: no
    Configure firewall mode? (routed/transparent) [routed]:
    Configuring firewall mode ...
    Update policy deployment information
        - add device configuration
        - add network discovery
        - add system policy
    You can register the sensor to a Firepower Management Center and use the
    Firepower Management Center to manage it. Note that registering the sensor
    to a Firepower Management Center disables on-sensor Firepower Services
    management capabilities.
    
    When registering the sensor to a Firepower Management Center, a unique
    alphanumeric registration key is always required.  In most cases, to register
    a sensor to a Firepower Management Center, you must provide the hostname or
    the IP address along with the registration key.
    'configure manager add [hostname | ip address ] [registration key ]'
    
    However, if the sensor and the Firepower Management Center are separated by a
    NAT device, you must enter a unique NAT ID, along with the unique registration
    key.
    'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
    
    Later, using the web interface on the Firepower Management Center, you must
    use the same registration key and, if necessary, the same NAT ID when you add
    this sensor to the Firepower Management Center.
    >

    The > prompt at the end of Example 2-25 confirms that the initial network configuration is complete. The next step is to verify network connectivity on the management interface and then begin the registration process. (Chapter 6, “The Firepower Management Network,” explains the management connection, and Chapter 7, “Firepower Licensing and Registration,” describes the registration process.)

Verification and Troubleshooting Tools

This section describes the commands you can use to verify the status of ASA hardware before and after the FTD software is installed.

Navigating to the FTD CLI

After a reboot following a successful installation of FTD software, your ASA hardware should automatically display the > prompt. This prompt is different from the traditional prompt ciscoasa> that you see on classic software running on ASA hardware. Furthermore, when ASA hardware runs the FTD software, you can enter various consoles or shells, including the following:

  • FTD default shell: You can configure most of the necessary items and view their status by using this shell.

  • ASA console: This console allows you to perform advanced commands for diagnostic purposes.

  • Firepower Linux shell: This shell lets you enter the back end of the operating system and is used by Cisco for advanced troubleshooting.

Figure 2-10 shows different types of consoles and command prompts of an ASA running the FTD software.

Figure 2-10 Command Prompts on ASA Hardware Running FTD Software

Example 2-26 shows the commands that allow you to navigate various modes of an FTD CLI.

Example 2-26 Commands to Connect to the Various Shells of the FTD CLI

>

! The > prompt confirms that you are on the FTD default shell. Run the following
  command to connect to the ASA console:

> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower>

! Now you have entered the ASA console. Run the enable command to enter
  privileged exec mode.

firepower> enable
Password:
firepower# exit

Logoff
Type help or '?' for a list of available commands.

firepower>

! If you want to quit from the ASA console, the exit command logs you off from the
  ASA console, but does not let you return to the FTD default shell. To disconnect
  from the ASA console, press the Ctrl+a keys together, then press d separately.

firepower>

Console connection detached.
>

! To connect to the Firepower Linux shell, run the expert command. To return to the
  FTD default shell, run the exit command.

> expert
admin@firepower:~$ exit
logout
>

Determining the Version of Installed Software

From the default command prompt > in FTD, you can determine what FTD software version is running on ASA hardware.

Example 2-27 shows ASA 5506-X hardware running FTD Version 6.1.0.

Example 2-27 Finding the Software Version Running on an ASA After a Fresh FTD Installation

> show version

-------------------[ firepower ]--------------------
Model                     : Cisco ASA5506-X Threat Defense (75) Version 6.1.0
    (Build 330)
UUID                      : c84ceb32-7ea7-11e6-a7ad-94bcd8f36790
Rules update version      : 2016-03-28-001-vrt
VDB version               : 270
----------------------------------------------------

>

Determining the Free Disk Space on ASA Hardware

Before you install FTD on ASA hardware, you must check whether the currently available space is sufficient. To do so, you can run one of the following commands on your ASA software in privileged exec mode:

ciscoasa# dir
ciscoasa# show flash:

Example 2-28 shows the amount of free space on the same ASA hardware in two different command outputs. The last line of each output shows that the ASA hardware has 4544851968 bytes free, which is equal to 4438332 KB, or 4334.3 MB, or 4.23 GB. The first command output uses disk0: to indicate internal flash memory; external flash memory, if present, is denoted by disk1:.

Example 2-28 Finding the Amount of Free Space on ASA Hardware

ciscoasa# dir

Directory of disk0:/

88     -rwx  91290240     11:04:08 May 12 2016  asa961-50-lfbff-k8.spa
89     -rwx  63           16:25:14 Sep 19 2016  .boot_string
11     drwx  4096         12:14:22 May 12 2016  log
19     drwx  4096         12:15:12 May 12 2016  crypto_archive
20     drwx  4096         12:15:16 May 12 2016  coredumpinfo

7859437568 bytes total (4544851968 bytes free)

ciscoasa#

ciscoasa# show flash:

--#--  --length--  -----date/time------  path
   88  91290240    May 12 2016 11:04:08  asa961-50-lfbff-k8.spa
   89  63          Sep 19 2016 16:25:14  .boot_string
   11  4096        May 12 2016 12:14:22  log
   13  0           May 12 2016 12:14:22  log/asa-appagent.log
   19  4096        May 12 2016 12:15:12  crypto_archive
   20  4096        May 12 2016 12:15:16  coredumpinfo
   21  59          May 12 2016 12:15:16  coredumpinfo/coredump.cfg

7859437568 bytes total (4544851968 bytes free)

ciscoasa#

Deleting a File from a Storage Device

When you want to delete a file to free up disk space, run the following command in the privileged exec mode:

ciscoasa# delete flash:/filename

Example 2-29 shows the command to delete a file named output.txt.

Example 2-29 Deleting a File from ASA Hardware

ciscoasa# delete flash:/output.txt

Determining the Availability of Any Storage Device or SSD

From the CLI, you can determine the type of a storage device that is installed on an ASA. Example 2-30 shows that the ASA 5506-X hardware has one SSD installed.

Example 2-30 Viewing the Storage Device Information on ASA 5500-X Series Hardware

ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5506-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5506           , VID: V01     , SN: JMX1916Z07V

Name: "Storage Device 1", DESCR: "ASA 5506-X SSD"
PID: ASA5506-SSD       , VID: N/A     , SN: MSA190600NE

ciscoasa#

Example 2-31 shows ASA 5545-X hardware with two storage devices.

Example 2-31 Determining the List of Storage Devices on ASA 5500-X Series Hardware

ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt"
PID: ASA5545           , VID: V02     , SN: FTX1841119Z

Name: "power supply 0", DESCR: "ASA 5545-X/5555-X AC Power Supply"
PID: ASA-PWR-AC        , VID: N/A     , SN: 47K1E0

Name: "Storage Device 1", DESCR: "Model Number: Micron_M550_MTFDDAK128MAY"
PID: N/A               , VID: N/A     , SN: MXA183502EG

Name: "Storage Device 2", DESCR: "Model Number: Micron_M550_MTFDDAK128MAY"
PID: N/A               , VID: N/A     , SN: MXA183502FW

ciscoasa#

Table 2-2 summarizes the default availability of SSDs in various ASA 5500-X Series hardware. It also shows whether an SSD is hot-swappable on a particular model in case of a failure.

Table 2-2 Availability and Replacement of SSD on ASA 5500-X Series Hardware

ASA 5500-X Series Models  | Availability of SSD                                                                                      | Hot-Swappable?
------------------------- | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------
5506-X, 5506W-X, 5506H-X  | Comes with an SSD.                                                                                       | No.
5508-X, 5516-X            | Comes with an SSD.                                                                                       | Yes, requires a screwdriver.
5512-X, 5515-X, 5525-X    | Might not come with an SSD, if not ordered separately. You can install one Cisco SSD.                   | Yes, easy to hot-swap. A button is available to push and release the locking lever.
5545-X, 5555-X            | Might not come with an SSD, if not ordered separately. You can install up to two Cisco SSDs with RAID 1. |

Determining the Version of the ROMMON Software or Firmware

The version information for the ROMMON software (also known as firmware) is displayed during the bootup process for ASA 5500-X hardware. Example 2-32 shows the initial messages that appear after ASA 5506-X hardware is turned on. It shows that the ROMMON version is 1.1.01.

Example 2-32 Messages That Appear During the Bootup Process

Cisco Systems ROMMON, Version 1.1.01, RELEASE SOFTWARE
Copyright (c) 1994-2014  by Cisco Systems, Inc.
Compiled Mon 10/20/2014 15:59:12.05 by builder

Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: a4:6c:2a:e4:6b:bf
Using default Management Ethernet Port: 0

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Located '.boot_string' @ cluster 1607965.
#
Attempt autoboot: "boot disk0:/asa961-50-lfbff-k8.spa"
Located 'asa961-50-lfbff-k8.spa' @ cluster 10.
##################################################################################
##################################################################################
##################################################################################
#######################################

LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.

If ASA hardware is running in a production environment, and you do not want to reboot it, you can still determine the version of the ROMMON software by running the show module command. Example 2-33 shows that the ROMMON version of the ASA 5506-X hardware is 1.1.01.

Example 2-33 Command That Displays the ROMMON Software Version of an ASA

ciscoasa# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD191100HG
 sfr Unknown                                      N/A                JAD191100HG

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2ae4.6bbf to a46c.2ae4.6bc8  1.0          1.1.1        9.6(1)50
 sfr a46c.2ae4.6bbe to a46c.2ae4.6bbe  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Init               Not Applicable

ciscoasa#
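The three pre-reimage checks this section walks through (free flash space from dir or show flash: in Example 2-28, SSD presence from show inventory in Example 2-30, and the ROMMON version from show module in Example 2-33) combined into one readiness script. This is an added example, not code from the book or from Cisco: the sample outputs are constructed from the values in those examples, the PIDs assumed for the 5506W-X, 5506H-X, 5508-X and 5516-X are an assumption, and the required free-space value is a placeholder for the size of the .pkg file you downloaded.

```python
"""Pre-reimage readiness check (added example): parse dir / show flash:,
show inventory and show module and apply the chapter's preconditions."""
import re

# Low-end platforms need ROMMON 1.1.8 or later before the FTD boot image is
# loaded; midrange models keep their default firmware. ASA5506 is the PID seen
# in Example 2-30; the other PIDs here are assumed to follow the same pattern.
LOW_END_PIDS = {"ASA5506", "ASA5506W", "ASA5506H", "ASA5508", "ASA5516"}
MIN_LOW_END_ROMMON = (1, 1, 8)

# Sample outputs, constructed from Examples 2-28, 2-30 and 2-33 (abbreviated).
DIR_OUTPUT = """\
Directory of disk0:/
88     -rwx  91290240     11:04:08 May 12 2016  asa961-50-lfbff-k8.spa
89     -rwx  63           16:25:14 Sep 19 2016  .boot_string

7859437568 bytes total (4544851968 bytes free)
"""
INVENTORY_OUTPUT = """\
Name: "Chassis", DESCR: "ASA 5506-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5506           , VID: V01     , SN: JMX1916Z07V

Name: "Storage Device 1", DESCR: "ASA 5506-X SSD"
PID: ASA5506-SSD       , VID: N/A     , SN: MSA190600NE
"""
MODULE_OUTPUT = """\
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2ae4.6bbf to a46c.2ae4.6bc8  1.0          1.1.1        9.6(1)50
 sfr a46c.2ae4.6bbe to a46c.2ae4.6bbe  N/A          N/A
"""

def parse_free_bytes(dir_output):
    """Return (total_bytes, free_bytes) from the trailer line of dir / show flash:."""
    m = re.search(r"(\d+) bytes total \((\d+) bytes free\)", dir_output)
    if not m:
        raise ValueError("no 'bytes total (... bytes free)' line found")
    return int(m.group(1)), int(m.group(2))

def free_space_summary(free_bytes):
    """Free space in KB, MB and GB, base 1024, as the chapter expresses it."""
    return {"KB": free_bytes // 1024, "MB": round(free_bytes / 1024 ** 2, 1),
            "GB": round(free_bytes / 1024 ** 3, 2)}

def parse_inventory(inventory_output):
    """Return (chassis PID, list of storage-device descriptions) from show inventory."""
    chassis_pid = None
    storage = []
    pattern = r'Name: "([^"]+)", DESCR: "([^"]+)"\s+PID: (\S+)'
    for name, descr, pid in re.findall(pattern, inventory_output):
        if name == "Chassis":
            chassis_pid = pid
        elif name.startswith("Storage Device"):
            storage.append(descr)
    return chassis_pid, storage

def parse_version(text):
    """Turn '1.1.01' (boot banner) or '1.1.1' (show module) into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def parse_rommon_version(module_output):
    """Read the Fw Version column of module 1 from the show module MAC-address table."""
    m = re.search(r"^\s*1\s+[0-9a-f.]+ to [0-9a-f.]+\s+\S+\s+(\S+)\s+\S+",
                  module_output, re.MULTILINE)
    if not m:
        raise ValueError("module 1 row with Fw Version not found")
    return parse_version(m.group(1))

def rommon_upgrade_needed(chassis_pid, fw_version):
    """The chapter's firmware rule: only low-end platforms must be at 1.1.8 or later."""
    return chassis_pid in LOW_END_PIDS and fw_version < MIN_LOW_END_ROMMON

def readiness_report(dir_output, inventory_output, module_output, required_free_bytes):
    """Combine the checks; required_free_bytes is the size of the .pkg to install."""
    _total, free = parse_free_bytes(dir_output)
    chassis_pid, storage = parse_inventory(inventory_output)
    fw = parse_rommon_version(module_output)
    return {
        "chassis_pid": chassis_pid,
        "free_space": free_space_summary(free),
        "enough_flash": free >= required_free_bytes,
        "ssd_present": bool(storage),
        "rommon_version": fw,
        "rommon_upgrade_needed": rommon_upgrade_needed(chassis_pid, fw),
    }

if __name__ == "__main__":
    # Placeholder: replace 1_000_000_000 with the byte size of the ftd-*.pkg you downloaded.
    print(readiness_report(DIR_OUTPUT, INVENTORY_OUTPUT, MODULE_OUTPUT, 1_000_000_000))
```

On the sample outputs the report flags the 5506-X as needing a ROMMON upgrade (1.1.1 is below 1.1.8), which matches the chapter's requirement for low-end platforms.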

Summary

This chapter describes the differences between various images that may be installed on ASA 5500-X hardware. It demonstrates the detailed process of reimaging ASA 5500-X Series hardware to the FTD software. In addition, this chapter shows the command-line tools you can use to verify the status of the hardware and software.

After installation, the next step in deploying FTD in a network is to register it with an FMC. Part II of this book describes that.

Quiz

  1. What would be the correct workflow for reimaging ASA 5506-X hardware to FTD?

    • i. Upgrade the ROMMON software.

    • ii. Reload the ASA hardware with a boot image.

    • iii. Install the FTD system software.

    • iv. Copy the image files to a server.

      • a. ii > i > iii > iv

      • b. iv > ii > iii

      • c. ii > iii

      • d. iv > i > ii > iii

  2. What would be the correct workflow for reimaging ASA 5545-X hardware to FTD?

    • i. Upgrade the ROMMON software.

    • ii. Reload the ASA hardware with a boot image.

    • iii. Install the FTD system software.

    • iv. Copy the image files to a server.

      • a. ii > i > iii > iv

      • b. iv > ii > iii

      • c. iii > ii

      • d. iv > i > ii > iii

  3. When reimaging ASA 5516-X hardware to FTD, which type of file is not necessary?

    • a. *.spa

    • b. *.lfbff

    • c. *.cdisk

    • d. *.pkg

  4. What kind of server should you use to transfer a boot image file to ASA hardware?

    • a. TFTP server

    • b. FTP server

    • c. Web server

    • d. Secure copy server

  5. Which protocol is used in this chapter to transfer the system software image to ASA hardware?

    • a. HTTP

    • b. TFTP

    • c. FTP

    • d. SCP

  6. Which command do you run to confirm whether an SSD is installed on ASA hardware?

    • a. show flash

    • b. show inventory

    • c. show run

    • d. show module

  7. Which command displays the firmware version of an ASA?

    • a. show firmware

    • b. show rommon

    • c. show module

    • d. show inventory

  8. Which of the following is the default command prompt in the FTD software?

    • a. ciscoasa#

    • b. ciscoasa-boot>

    • c. firepower>

    • d. >