Upgrading SourceFire module from 5.x to 6.x and recovery procedure
Hardware failures happen. If you have an active service contract you’ll get a new device from Cisco with the same hardware parameters. The one thing you don’t know is which version of software will be installed. In almost all cases it’s not the one you are using. Installing new firewall firmware on an ASA is not a problem, but what if you’re running SourceFire Management Center version 6.2 and your device came with 5.x or 6.0 firmware on the SFR module? Well, prepare for a process that will take a few hours – you need to perform the recovery procedure, which is one of the ways of upgrading SourceFire.
The most common cases in which we have to use the recovery procedure for SFR are:
- Problems with booting the SFR module after an upgrade performed from Firesight Management Center
- First software installation on SFR (for example, when we have just put SSD drives in our ASA to get the benefits of Sourcefire NGIPS)
- Need to upgrade firmware, but our module cannot be registered in Firesight Management Center due to a firmware mismatch
The last case is the one that usually happens when we get a new device during the RMA process. Each Firesight Management Center has a list of compatible firmware versions that are supported on modules, and unfortunately backward compatibility is not full. If you run one of the most common versions, 6.1 or 6.2, you need to have your modules on at least version 6.1. The recovery process requires that the whole memory is erased and new firmware installed.
Step 1: Get the firmware
There are two sets of files that you need to download from the Cisco website. The first set is two files that we will use to boot the SFR module and reinstall the software. These have to have the same major and minor version as your Firesight Management Center.
The first of those files, the one with “boot” in the filename, you need to upload to disk0: of your firewall. As the filename suggests, we will use it to boot the SFR module.
The second file is the IPS system itself. We will use it after we boot the SFR module and perform the initial configuration. The annoying thing is that we have to make this file available to the SFR module via HTTP or FTP. You might think now “ah, it’s easy, I will just upload this to Firesight Management Center” – wrong! In a standard installation neither FTP nor HTTP is supported on Management Center. Only HTTPS. And trust me, you don’t want to play with system parameters on FMC. SCP is also not an option. So you need to have another host, accessible from the SFR via FTP or HTTP, where you upload the image. Really Cisco?
Third, you might want to get the patches. You upload those to FMC so you can patch your SFR like any other IPS module managed from there.
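An added example, not part of the original post and not Cisco tooling: a small Python script for the staging host described above. It checks the downloaded system package against a SHA-512 checksum (assumed to be copied by hand from the vendor download page) and then serves only that one file over plain HTTP. The script name, the port 8080 and all function names are assumptions of this example.

```python
import functools
import hashlib
import hmac
import http.server
import os
import sys


def sha512_of(path, chunk_size=1 << 20):
    """Hash in chunks; system packages are too large to read in one go."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_sha512):
    """True only if the file matches the checksum copied from the download page."""
    return hmac.compare_digest(sha512_of(path), expected_sha512.strip().lower())


def is_allowed(request_path, filename):
    """Serve the exact image URL only: no directory listing, no other files."""
    return request_path == "/" + filename


class ImageOnlyHandler(http.server.SimpleHTTPRequestHandler):
    filename = None  # filled in by make_server()
    def send_head(self):  # called for both GET and HEAD requests
        if not is_allowed(self.path, self.filename):
            self.send_error(404)
            return None
        return super().send_head()


def make_server(directory, filename, bind_ip, port=8080):
    handler_cls = type("Handler", (ImageOnlyHandler,), {"filename": filename})
    handler = functools.partial(handler_cls, directory=directory)
    return http.server.ThreadingHTTPServer((bind_ip, port), handler)


if __name__ == "__main__":
    # Added example; assumed usage: stage_sfr.py <dir> <image.pkg> <sha512> <bind-ip>
    directory, filename, expected, bind_ip = sys.argv[1:5]
    if not verify_image(os.path.join(directory, filename), expected):
        sys.exit("checksum mismatch: do not install this image")
    print(f"serving http://{bind_ip}:8080/{filename} (Ctrl-C when install is done)")
    make_server(directory, filename, bind_ip).serve_forever()
```

Bind it to the address on the management subnet rather than to all interfaces, include the port in the URL given to the module, and stop the server once the install has finished.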
Step 2: Booting the SFR module
Booting the SFR module in recovery mode using the image we just obtained is easy:
ASA# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.2.0-2.img
ASA# sw-module module sfr recover boot
We need to acknowledge the recovery procedure by pressing Enter and then wait. This process can take 15-30 minutes depending on your ASA model. For those who like to see what is happening, there is a nice debug command which makes all console messages from the SFR visible in your ASA SSH session:
ASA# debug module-boot
Step 3: SFR configuration and software installation
When the SFR module boots up, it is accessible via a dedicated internal console:
ASA# session sfr console
Note that the “session sfr” command would not work; you need to explicitly specify that you are accessing via console. When you get the login prompt, use “admin” as the username and “Admin123” as the password. The “Sourcefire” password was the default for versions prior to 6.0.
To start setup process execute
Mandatory parameters that need to be set up are IP address, netmask, default route and DNS servers. Remember that the SFR module shares the management interface with the firewall, so you need to use the same subnet!
When all parameters are accepted and saved, you should be able to ping the SFR module from an external network. So it’s time to install the software:
asasfr-boot>system install http://126.96.36.199/asasfr-sys-6.2.0-362.pkg
You can now go do other things; this process takes at least an hour. When it has completed, you should see the module status as Up.
Step 4: Attaching SFR to Firesight Management Center
When installation is complete, it is time to restore full service. We need to connect to the SFR module again; we can use the console connection again or issue
ASA# session sfr
Use the same login and password as before. The first thing to accept will be the EULA, then change the password, then set up all network parameters again. When done, we need to associate the SFR with FMC:
> configure manager add 188.8.131.52 MYKEY
When you execute this command, the SFR will move to the registration pending state. You can now add it to FMC and apply the patch (this will probably take another hour or so).