KB ID 0001178
Problem
If you only have one FirePOWER service module you can now manage it from the ASDM;
ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)
But if you have more than one, you can manage them centrally with the FirePOWER Management Center (formerly the SourceFIRE Defense Center).
WARNING: If you are going to use FMC DON’T register your licences in the ASDM, they all need to be registered in the FMC.
Solution
Before you can register the SFR module in the FMC, you need to have set it up and run through the initial setup. The process is the same whether you intend to use the ASDM or the FMC. You can then choose whether to register from the command line on the SFR, or via the ASDM.
Register SFR with FMC via Command Line
Connect to the parent firewall and open a session with the sfr module;
[box]
PETES-ASA# session sfr
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

PETES-SFR login: admin
Password: {password}
Last login: Fri Apr 8 05:04:49 UTC 2016 on ttyS1

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)

>
[/box]
You can then add the FMC as a manager; you will need to supply a registration key (any string you choose, which you then enter again in the FMC when adding the device).
[box]
> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.
[/box]
Register SFR with FMC via ASDM
Connect to the ASDM > Configuration > ASA FirePOWER Configuration > Integration > Remote Management > Add Manager.
Specify the IP of the FMC Appliance, and registration key > Save.
It should then say ‘pending registration’.
Configure the FirePOWER Management Appliance to Accept the SFR Registration
Log into FMC > Devices > Device Management > Add Device.
Provide the IP of the SFR module, a display name, and the registration key you used above. If you have set up a group you can use it, and select your Access Control Policy (don't panic if you have not configured one yet) > Register.
It can take a while, but eventually it should register like so;
Problems
Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection.
I had this problem for a while (credit to Craig Paolozzi for finding the fix). Both the SFR and the FMC needed static routes adding to them, pointing to each other, even though they could already ping each other!
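As an added example (not from the original article), the sequence below shows what the CLI side of this looks like end to end on the SFR module: adding the manager, checking the registration state, and adding the static route towards the FMC that fixed the "Could not establish a connection with sensor" error. The IP addresses, interface name and registration key are constructed for illustration, and the `configure network static-routes` and `show managers` / `show network-static-routes` syntax is taken from the Cisco Firepower classic-device CLI as I recall it; check it against your own software version.

```text
# --- On the SFR module (reached via "session sfr" from the parent ASA) ---

# 1. Point the sensor at the FMC, using a registration key you make up.
#    10.9.20.25 is the FMC management IP (constructed example).
> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

# 2. Check registration status. "Pending" is normal until the device is added
#    in FMC; if it never changes, suspect routing or a firewall on TCP/8305.
> show managers
Host                      : 10.9.20.25
Registration              : pending

# 3. The fix from the article: give the sensor an explicit route to the FMC's
#    management subnet, even if ping already works.
#    eth0 = sensor management interface, 192.168.1.1 = its next hop (constructed).
> configure network static-routes ipv4 add eth0 10.9.20.0 255.255.255.0 192.168.1.1
> show network-static-routes
---------------[ IPv4 Static Routes ]---------------
Interface         : eth0
Destination       : 10.9.20.0
Gateway           : 192.168.1.1
Netmask           : 255.255.255.0

# The FMC needs the mirror-image route back to the sensor's management subnet
# (in the FMC web UI under System > Configuration > Management Interfaces > Routes).
# Once both sides have routes, re-check:
> show managers
Host                      : 10.9.20.25
Registration              : Completed.
```

Device-to-FMC registration traffic (sftunnel) runs over TCP port 8305, so if the routes are right and it still sits at "pending", that is the port to check on anything between the two management interfaces.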
Related Articles, References, Credits, or External Links
NA
Hi Pete,
Great article on adding the FirePower module to FirePower Management Center. I have noticed one issue though…
After adding my ASA to the FPM, I noticed that the FirePower module option was removed from ASDM. Is there a way for both to manage the Firepower module instead of one?
AFAIK – No, 6.1 and over should be web manageable, but I'm willing to bet that will get disabled when added to FMC. The old CX modules used to stop being locally manageable when they had been added to PRSM.
Hi Pete. Thanks, great post.
I need to do this procedure but the previous ING registered the licenses in the ASDM. What should be done in this case?
Regards
Easiest way is to speak to Cisco TAC with the licensing query.
Or you can log into the licence portal and migrate the licences.
Nicely summarized. Thanks
Hi Pete. Thanks, thorough post as always.
I have a question though : have you ever tried to manage distant SFR with an FMC ?
I am managing ASA 5506 w/Firepower for several customers and I would like to be able to centralize everything in our FMC. I don’t have S2S VPN with any of them and I can’t find a decent configuration guide on cisco’s sites.
Thanks in advance for your answer.
I've only ever done this with Site to Site VPNs, I suppose you could do a one-to-one NAT on the SFR IP address, but I've never done this in anger?
Pete
OK thanks for the quick answer. I’ll look into that 🙂
Fred
Hi, did anyone ever find a way around adding multiple remote SFRs in different sites to the FMC? Would I need public IPs for both the ASA outside interface and management interface? Or could I just add the public IP of the outside interface and somehow get to the management interface, since it has an IP from the inside network which is NATed out?
FYI I don’t have ASDM monitoring Firepower so I don’t have the Firepower tab in ASDM.
I think FP pre 6.0 couldn't be managed by ASDM and could only be managed by the FMC.
Hi Guys
Does anyone know if the ASA Firepower Module configuration will be lost upon adding it to FMC?
Thanks in Advance