From Cisco ASA to FTD with FDM


I have been playing a little with an ASA 5515X appliance in the lab and have tried running the latest FTD code (6.2) with both stand-alone management (known as Firepower Device Manager) and the more traditional Firesight management (off-box). In this particular post I will focus on getting the ASA up and running on FTD code.

First a peek under the hood

The old Firepower services needed to be installed in parallel with the ASA software (think of it as a virtual machine running on the ASA box). Then traffic was redirected between the ‘physical’ ASA and the Firepower service.

FTD is still running on the x86 resources of the ASA-X

It is easy to see the resources available for the Firepower system by issuing the following command (for reference, the hardware of the other ASA platforms can be seen here):

asa01# show version | i Hardware

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)

ASA: 4096 MB RAM, 1 CPU (1 core)

FP: 4096 MB RAM, 1 CPU (3 cores)

Intel Core i3-540 3.06GHz 2C/4T

Crypto Accelerator: Cavium Nitrox PX CN1610

FTD unifies the ASA and the Firepower images and features (alas, not all features are yet migrated), and only a single image is now required. It is still running on the same x86 architecture CPU, though (with HW assists).

Getting it ready

The ASA 5515X had been sitting a while in my Lab rack with an old ASA image on it, so in order for it to become latest-and-greatest (?) I had to upgrade the device. This is a 2-stage process where first the ASA boot image and then the FTD software has to be downloaded to the device. The process was pretty straightforward following the guidelines in the Cisco documentation. There is no need for me to simply repeat those instructions.

Upgrade is done through the serial interface and (usually) the management interface of the ASA

The first part with the bootloader is done through TFTP (you will need a TFTP server), which will take a few minutes to process. The second part is uploading the FTD image, which can be done by FTP (again, you will need an FTP server).

When it initially boots up it will go through a wizard (the Cisco quick start is fairly clear on how to do this). If you are running it in stand-alone mode with on-box management, you will choose the following option in the wizard.

Manage the device locally? (yes/no) [yes]: yes

At this time you can start a browser session to the IP address of the management interface.

The documentation states that a Smart License is required. Note, however, that there is a 90-day evaluation license with all features that can be enabled (further information on the licensing can be seen in the FDM for FTD config guide). This essentially means that you can download the FTD image and try it out on an existing ASA.
