Cisco Add FirePOWER Module to FirePOWER Management Center

KB ID 0001178 

Problem

If you only have one FirePOWER service module you can now manage it from the ASDM;

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)

But if you have got more than one, and you can manage them centrally with the FirePOWER Management Center, (formally SourceFIRE Defence Center). 

WARNING:  If you are going to use FMC DON’T register your licences in the ASDM, they all need to be registered in the FMC.

 

Solution

Before you can register the SFR module in the FMC, you need to have set it up, and have ran though the initial setup. The process is the same if you intend to use the ASDM or the FMC. You can then choose whether to register from command line in the SFR, or via the ASDM.

Register SFR with FMC via Command Line

Connect to the parent firewall and open a session with the sfr module;

[box]

PETES-ASA# session sfr
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

PETES-SFR login: admin
Password:{pasword}
Last login: Fri Apr  8 05:04:49 UTC 2016 on ttyS1

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)

> 

[/box]

You can then add the FMC as a manager, you will need to supply a registration key.

[box]

> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

[/box]

Register SFR with FMC via ASDM

Connect to the ASDM > Configuration > ASA FirePOWER Configuration > Integration  >Remote Management > Add Manager.

Specify the IP of the FMC Appliance, and registration key > Save.

It should then say ‘pending registration’.

Configure the FirePOWER Management Appliance to Accept the SFR Registration 

Log into FMC > Devices > Device Management > Add Device.

Provide the IP of the SFR module, a display name, the registration key you used above. If you have setup a group you can use it and select your Access Control Policy (dont panic if you have not configured one yet) > Register.

It can take a while, but eventually it should register like so;

Problems

Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible,and that the network is not blocking the connection.

Had this problem for a while, (Credit to Craig Paolozzi for finding the fix.) Both the SFR, and the FMC console needed static routes adding to them (even though they could ping each other!) Pointing to each other.

Related Articles, References, Credits, or External Links

NA