Cisco Add FirePOWER Module to FirePOWER Management Center

KB ID 0001178 

Problem

If you only have one FirePOWER service module you can now manage it from the ASDM;

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)

But if you have more than one, you can manage them centrally with the FirePOWER Management Center (formerly SourceFIRE Defence Center).

WARNING: If you are going to use FMC, DON’T register your licences in the ASDM; they all need to be registered in the FMC.

 

Solution

Before you can register the SFR module in the FMC, you need to have set it up and run through the initial setup. The process is the same whether you intend to use the ASDM or the FMC. You can then choose whether to register from the command line in the SFR, or via the ASDM.

Register SFR with FMC via Command Line

Connect to the parent firewall and open a session with the sfr module;

PETES-ASA# session sfr
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

PETES-SFR login: admin
Password:{password}
Last login: Fri Apr  8 05:04:49 UTC 2016 on ttyS1

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)

> 

You can then add the FMC as a manager; you will need to supply a registration key.

> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

Register SFR with FMC via ASDM

Connect to the ASDM > Configuration > ASA FirePOWER Configuration > Integration > Remote Management > Add Manager.

Add FirePOWER to FirePOWER Management Console

Specify the IP of the FMC Appliance, and registration key > Save.

FirePOWER Register with FMC

It should then say ‘pending registration’.

Cisco Add SFC to FMC

Configure the FirePOWER Management Appliance to Accept the SFR Registration 

Log into FMC > Devices > Device Management > Add Device.

Add Firepower Management

Provide the IP of the SFR module, a display name, and the registration key you used above. If you have set up a group you can use it, and select your Access Control Policy (don't panic if you have not configured one yet) > Register.

Add Device to FirePOWER

It can take a while, but eventually it should register like so;

Add SFR to FMC

Problems

Could not establish a connection with sensor

Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection.

Had this problem for a while (credit to Craig Paolozzi for finding the fix). Both the SFR and the FMC console needed static routes adding to them, pointing to each other (even though they could ping each other!).
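An added example (not from the original article, and not Cisco's code): a Python helper that generates a random registration key to use in place of the `password123` shown in the command-line walkthrough, and builds the SFR-side host route towards the FMC that the fix above describes. It assumes keys are alphanumeric and at most 37 characters, that the module's management interface is `eth0`, and that the static-route CLI takes interface, destination, netmask and gateway in that order; the 16-character minimum and the deny-list are this example's own policy, and the SFR and gateway addresses in the usage lines are constructed.

```python
import ipaddress
import secrets
import string

KEY_ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric only
MAX_KEY_LEN = 37                                     # assumption: CLI length limit
MIN_KEY_LEN = 16                                     # this example's own policy
WEAK_KEYS = {"password123", "password", "cisco123", "changeme"}  # constructed list


def new_registration_key(length=32):
    """Random one-off key for a single SFR-to-FMC pairing."""
    if not MIN_KEY_LEN <= length <= MAX_KEY_LEN:
        raise ValueError("length must be 16-37")
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def key_problems(key):
    """Reasons to reject a proposed key; an empty list means acceptable."""
    problems = []
    if not MIN_KEY_LEN <= len(key) <= MAX_KEY_LEN:
        problems.append("length outside 16-37")
    if any(c not in KEY_ALPHABET for c in key):
        problems.append("non-alphanumeric character")
    if key.lower() in WEAK_KEYS:
        problems.append("well-known key")
    return problems


def manager_add_command(fmc_ip, key):
    """SFR CLI line that adds the FMC; refuses bad addresses and weak keys."""
    fmc = ipaddress.IPv4Address(fmc_ip)   # ValueError if malformed
    problems = key_problems(key)
    if problems:
        raise ValueError("; ".join(problems))
    return f"configure manager add {fmc} {key}"


def host_route_command(mgmt_cidr, gateway, fmc_ip, interface="eth0"):
    """Host route on the SFR towards the FMC, or None if the FMC is on-link."""
    net = ipaddress.IPv4Interface(mgmt_cidr).network
    gw, fmc = ipaddress.IPv4Address(gateway), ipaddress.IPv4Address(fmc_ip)
    if fmc in net:
        return None                       # same subnet: nothing to add
    if gw not in net:
        raise ValueError("gateway is not on the management subnet")
    return (f"configure network static-routes ipv4 add "
            f"{interface} {fmc} 255.255.255.255 {gw}")


if __name__ == "__main__":
    print(manager_add_command("10.9.20.25", new_registration_key()))
    print(host_route_command("10.9.21.5/24", "10.9.21.1", "10.9.20.25"))
```

Use the same generated key when adding the device in the FMC, and add the matching route back to the SFR on the FMC side.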

Author: PeteLong

11 Comments

  1. Hi Pete,

    Great article on adding the FirePower module to FirePower Management Center. I have noticed one issue though…

    After adding my ASA to the FPM, I noticed that the FirePower module option was removed from ASDM. Is there a way for both to manage the Firepower module instead of one?

    • AFAIK – No, 6.1 and over should be web manageable, but I’m willing to bet that will get disabled when added to FMC. The old CX modules used to stop being locally manageable when they had been added to PRSM.

  2. Hi Pete. Thanks, great post.

    I need to do this procedure but the previous ING registered the licenses in the ASDM. What should be done in this case?

    Regards

    • Easiest way is to speak to Cisco TAC with the licensing query.
      Or you can log into the licence portal and migrate the licences.

  3. Hi Pete. Thanks, thorough post as always.
    I have a question though: have you ever tried to manage distant SFR with an FMC?

    I am managing ASA 5506 w/Firepower for several customers and I would like to be able to centralize everything in our FMC. I don’t have S2S VPN with any of them and I can’t find a decent configuration guide on cisco’s sites.

    Thanks in advance for your answer.

    • I’ve only ever done this with Site to Site VPNs, I suppose you could do a one-to-one NAT on the SFP IP address, but I’ve never done this in anger?

      Pete

      • OK thanks for the quick answer. I’ll look into that 🙂
        Fred

    • Hi, did anyone ever find a way around adding multiple remote SFR in different sites to the FMC. Would I need public IP’s for both the ASA outside interface and management interface ? Or could I just add the public ip of the outside interface and somehow get to the management interface since it has an ip from the inside network which is NAT out ?

  4. FYI I don’t have ASDM monitoring Firepower so I don’t have the Firepower tab in ASDM.
    I think FP pre 6.0 couldn’t be managed by ASDM and could only be managed by the FMC

  5. Hi Guys

    Does anyone know if the ASA Firepower Module configuration will be lost upon adding it to FMC?

    Thanks in Advance
