Cisco ASA 5508-X FirePower Threat Defense Appliance Reimage

Recently I was given a Cisco ASA 5508-X Firepower Threat Defense appliance to deploy. While these are the same hardware platform as the tried-and-true Cisco ASA 5508 firewalls, they run Cisco’s new ‘unified’ SourceFire Linux-based operating system (asa-ftd), which is essentially an operating system combining the SourceFire FirePower functionality with Cisco’s conventional firewalling capabilities. It’s Cisco’s new direction for combining these two platforms into one hardware solution.

Without getting into uber-nerd verbosity, after unboxing the new unit and attempting to patch the OS to a new upgrade (version 6.0.2 -> 6.2.2), I was presented with a failed upgrade due to a corrupt MySQL database. Seriously? This is why I loved the regular Cisco ASA in the first place: a minimal OS running from flash memory, where upgrades typically only require putting the new firmware in place, telling the Cisco ASA to boot the new firmware and rebooting. The new SourceFire OS is a full-blown Linux OS using MySQL for its backend, sigh… Since it was a new deployment and I couldn’t repair the tables or database, I figured I’d go ahead and reach out to the Cisco TAC for insight.

The Cisco TAC advised that since the unit was not currently a “production” appliance, the best recourse would be to manually wipe and reimage the appliance with the intended version of the OS, version 6.2.2. I don’t disagree with that assessment, it makes sense – but the fact that I’m reimaging a firewall appliance fresh out of the box due to a corrupt MySQL database doesn’t give me high confidence in the product, to be honest.

Cisco provides good documentation of this process here, but I figured I’d capture some of my real-world experience doing so.

BEFORE proceeding, complete the steps Cisco recommends:

Before You Begin
To ease the process of reimaging back to an ASA, do the following:

Perform a complete system backup using the backup command.
See the configuration guide for more information, and other backup techniques:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/admin-swconfig.html#ID-2152-000009af

Copy and save the current activation key(s) so you can reinstall your licenses using the show activation-key command.

Procedure

Step 1 Download the Firepower Threat Defense boot image (see Download Software) to a TFTP server accessible by the ASA on the Management interface.
For the ASA 5506-X, 5508-X, and 5516-X, you must use the Management 1/1 port to download the image. For the other models, you can use any interface.

Step 2 Download the Firepower Threat Defense system software install package (see Download Software) to an HTTP or FTP server accessible by the ASA on the Management interface.

First off, I rebooted the appliance and hit ESC to get the rommon boot prompt.

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

At this point I figured I’d manually erase the disk myself to be sure all was gone.

rommon 5 > erase disk0:
erase: Erasing 7039 MBytes ....................................................................................................................

Now it’s time to get the appliance online with basic connectivity so we can grab the ‘boot’ image. Here’s my config with the IPs X’d out:

rommon 14 > address 10.x.x.x
rommon 15 > server 10.x.x.x
rommon 16 > gateway 10.x.x.x
rommon 17 > file ftd-boot-9.8.2.3.lfbff
rommon 18 > set
ADDRESS=10.x.x.x
NETMASK=255.255.255.0
GATEWAY=10.x.x.x
SERVER=10.x.x.x
IMAGE=ftd-boot-9.8.2.3.lfbff
CONFIG=
PS1="rommon ! > "

rommon 19 > sync

All set, time to tell it to download that ‘boot’ image:

rommon 20 > tftpdnld
ADDRESS: 10.x.x.x
NETMASK: 255.255.255.0
GATEWAY: 10.x.x.x
SERVER: 10.x.x.x
IMAGE: ftd-boot-9.8.2.3.lfbff
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect

Receiving ftd-boot-9.8.2.3.lfbff from 10.x.x.x!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 104813248 (0x63f52c0) bytes
[image size] 104813248
[MD5 signaure] 914afb2d31d061910d22933d679aabb3
LFBFF signature verified.
INIT: version 2.88 booting
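ROMMON prints the MD5 of the image it received, and that digest is also the cheapest way to confirm the file staged on the TFTP server arrived intact. Below is a small Python helper, added here and not part of the original post or any Cisco tooling, that pulls that digest out of a saved console capture and compares it with the MD5 of the staged file; the same `digest_of_file` works with `"sha512"` for checking the install package against the checksum Cisco publishes before the appliance pulls it over plain HTTP. The console text and file name are constructed assumptions; note that the `LFBFF signature verified` line, not the MD5 match, is the authenticity check, so the comparison only catches truncation or corruption.

```python
import hashlib
import re
from typing import Optional

# ROMMON prints the digest as "[MD5 signaure] <hex>" (Cisco's own spelling);
# accept the corrected spelling as well in case a later ROMMON fixes it.
_ROMMON_MD5 = re.compile(r"\[MD5 signa(?:ture|ure)\]\s+([0-9a-fA-F]{32})")


def parse_rommon_md5(console_log: str) -> Optional[str]:
    """Return the MD5 the appliance reported after tftpdnld, or None if absent."""
    m = _ROMMON_MD5.search(console_log)
    return m.group(1).lower() if m else None


def digest_of_bytes(data: bytes, algo: str = "md5") -> str:
    return hashlib.new(algo, data).hexdigest()


def digest_of_file(path: str, algo: str = "md5", chunk: int = 1 << 20) -> str:
    """Hash a staged image in chunks; .lfbff files and install packages are large."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_transfer(console_log: str, staged_md5: str) -> dict:
    """Compare what ROMMON says it received with the file the TFTP server holds."""
    reported = parse_rommon_md5(console_log)
    return {"reported": reported, "local": staged_md5.lower(),
            "match": reported is not None and reported == staged_md5.lower()}


# Constructed sample console capture carrying the digest from the transcript above.
SAMPLE_CONSOLE = """Receiving ftd-boot-9.8.2.3.lfbff from 10.x.x.x!!!!
File reception completed.
[image size] 104813248
[MD5 signaure] 914afb2d31d061910d22933d679aabb3
LFBFF signature verified.
"""

if __name__ == "__main__":
    # Assumed path of the image as staged on the TFTP server.
    staged = digest_of_file("ftd-boot-9.8.2.3.lfbff")
    print(check_transfer(SAMPLE_CONSOLE, staged))
```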

Some more cool boot init stuff will blow by until you get to the basic boot CLI environment:

Cisco FTD Boot 6.0.0 (9.8.2.3)
Type ? for list of commands
firepower-boot>?
show => Display system information. Enter show ? for options
system => Control system operation
setup => System Setup Wizard
support => Support information for TAC
delete => Delete files
ping => Ping a host to check reachability
traceroute => Trace the route to a remote host
exit => Exit the session
help => Get help on command syntax

At this stage we issue the setup command to get the boot-image appliance on the network so it can download and extract the actual operating system image it will install on the appliance:

firepower-boot>setup

Welcome to Cisco FTD Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [firepower]:
firepower
Do you want to configure IPv4 address on management interface?(y/n) [Y]:
Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]:
Y
Do you want to configure static IPv6 address on management interface?(y/n) [N]:
N
Do you want to enable the NTP service? [Y]:
N

Please review the final configuration:
Hostname: firepower
Management Interface Configuration

IPv4 Configuration: dhcp

IPv6 Configuration: Stateless autoconfiguration

CAUTION:
You have selected DHCP. The system will stop functioning correctly if DHCP
changes the assigned address due to lease expiration or other reasons.
We suggest you use static addressing instead.

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]:
Y
Configuration saved successfully!
Applying…
Restarting network services…
Done.
Press ENTER to continue…

firepower-boot>ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=7.65 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=7.67 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=59 time=7.66 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 7.650/7.665/7.679/0.101 ms

And here we go with the actual reimage. CAUTION – this part will take about 45-60 minutes to complete, and the appliance then reboots.

firepower-boot> system install noconfirm http://x.x.x.x/cisco/ftd-6.2.2-81

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N] y
Erasing disk0 …
Extracting …
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FTD 6.2.2-81 System Install
Requires reboot: Yes

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process …
Populating new system image

Broadcast message from root@firepower (ttyS1) (Thu Sep 28 14:17:58 2017):

The system is going down for reboot NOW!

If all goes well you’re now rebooted back into a freshly installed Cisco ASA FirePower Threat Defense appliance.

> show version
-------------------[ firepower ]--------------------
Model : Cisco ASA5508-X Threat Defense (75) Version 6.2.2 (Build 81)
----------------------------------------------------

Good Luck!!