ASA with Sourcefire services: from FMC 5.4.1 to another FMC 6.0.1

Hello

I already have FMC 5.4.1 (virtual edition with max 2 devices) in production, managing the OLD pair of ASA-X-5525.

I already have another FMC 6.0.1 (virtual edition with max 10 devices) in production, managing the NEW pair of ASA-X-5555.

What is the best way to manage the OLD pair using the FMC 6.0.1, without losing configuration with minimum downtime and 5.4.1 FMC?

A given sensor will keep applying its configured settings whether or not the managing FMC is accessible. It will store events locally until the FMC is available.

Assuming that you have a single policy defined on the 5525-X, you can export the Intrusion and Access Control policies from the 2-device manager and then import them to the new FMC (System > Tools > Import/Export). However, you will first need to upgrade to the same release level so that the data schema is compatible. If there is not a lot of customization, it may be easier to simply recreate an equivalent policy on the 10-device manager.

You will need to rehost your licenses on the new FMC. This can be done through the self-service licensing portal (www.cisco.com/go/license), or you can open a TAC case if the original license is not associated with your cisco.com login.

You must then remove the current manager on the 5525-X ASA modules and add the new FMC. Add the modules as managed devices in the new FMC, apply the licenses, and deploy policies.

Tags: Cisco Security

Similar Questions

  • Protect and Control license for ASA with FirePOWER

    I had 1 ASA 5515 initially delivered with the CX software, then made room for the FirePOWER software and got the virtual FireSIGHT for 2 devices and the TAMAS license tha L-5515, but I was told this license covers only the URL and malware licenses. I thought that this license was for everything, since there are no other licenses in the data sheet and it is the reference with the most features.

    How can I get the Protect and Control license now, so I can add the ASA with FirePOWER to FireSIGHT and apply all the licenses?

    Thank you

    Hello

    The "L ASA5515-TAMAS =" SKU licenses "MALWARE" and "URLFilter" and legally entitles the user to "PROTECT + CONTROL" signature updates. It does not license "PROTECT + CONTROL". You need to buy "ASA5515-CTRL-LIC =" to license "PROTECT + CONTROL".

    Please raise a case with Cisco GLO; they can help provide a CTRL license.

    -DD

  • Cisco ASA with FirePOWER vs Cisco IPS Appliance

    Hello

    Question: are there functional differences between an ASA with the FirePOWER feature enabled and 'pure' FirePOWER IPS appliances (e.g. 7000 and 8000 series IPS modules)?

    Thank you very much!

    Kind regards

    David

    Hello team,

    The features are the same except for hardware bypass and throughput. Of course the throughput will be higher for the hardware devices, and they also have the hardware bypass capability. Apart from that, URL filtering and all other features are the same.

    Please rate if this post helps you.

    Regards
    Jetsy

  • ASA failover with different IPS modules

    Hi all

    Is it possible to configure ASA failover with different IPS module configurations? We have an ASA 5585-X with firepower PHC-10 and an ASA 5585-X with IPS SSP-10.

    Thank you

    No.

    Hardware inventories (base unit, memory and optional modules) must be the same in an ASA failover pair.

  • ASA 5555-X with FirePOWER: installation/configuration/full feature enablement

    Dear,

    I have had a lot of confusion about the ASA with FirePOWER; all the new features, upgrades and changes left me lost.

    Can someone describe the steps to install the ASA with FirePOWER, upgrade its image and package, and apply the license (configuring the box from scratch)?

    What is the best practice for installing an ASA with FirePOWER in a network?

    Our license is TAMÁS; which features will be important for me if I want full security? And how about internet proxy: I am thinking of retiring my TMG web proxy and using this ASA instead. I want to use the device to its full capacity, with all the features that I need activated.

    How should I deal with the WLC and the wireless network (what is the best practice for ASA with FirePOWER and WLC)?

    Yes maybe that's a lot, but I think many inspiring answers will knock at least with redirection to another topic or some brilliant ideas.

    Kind regards

    Christel

    @mishaal-thabet

    There is a Quick Start Guide for the ASA with FirePOWER Services module here:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/Quick_Start/SFR/firepo...

    In addition, to configure your FirePOWER Management Center policies to make the most effective use of the module, I recommend the 2015 Cisco Live presentation "BRKSEC-2018 migration ASA IPS and CX to firepower." Don't worry about the title; it's a good overview for most use cases.

    It can be found here:

    https://www.ciscolive.com/online/connect/sessionDetail.WW?SESSION_ID=836...

    The WLC interact with the ASA directly but the placement of your controller and you use anchor and host controllers can play in your ASA interface design (i.e. comments in an area controllers demilitarized). Other than that, Wireless subnets are just part of the variable "$HOME_NET" located on the module of firepower.

    I hope this helps.

  • ASA with FirePOWER Services and licensing

    Hello

    If I buy an ASA with FirePOWER Services (e.g. 5516-X), which licenses should I buy?

    I understand that I need to order a license for the FirePOWER Services, e.g. IPS, URL, and AMP.

    Should I order a FireSIGHT Management license, too? Is the FireSIGHT Management Center mandatory? Is this license necessary?

    Regards

    You will need the Control (CTRL) license. It is free and automatically included with any FirePOWER bundle SKU (i.e. ASA5516-FPWR-K9).

    Then you must add the IPS, URL or AMP services (or a combination) for a term of 1, 3 or 5 years.

    FireSIGHT Management Center is not required for the entry-level models (5506, 5508 or 5516). It is optional on those, since you can use the entry-level FireSIGHT management integrated in ASDM for those models.

    For all other models, it is necessary. If you manage more than a single ASA (even an HA pair), it is recommended even for the entry-level models, so that you can sync policies across them all.

  • IPSec VPN on ASA with two active ISPs

    Hi ALL!

    I have a question.

    So I have an ASA with SW 9.2(1) connected to ISPs with active SLA.

    I need to configure a redundant IPSec VPN via ISP2, while all other traffic must go through isps1. If one of the ISPs goes down, all traffic including VPN must be routed via the ISP that is still alive.

    I have configured SLA and it works.

    ciscoasa# show run route
    route isps1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
    route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
    route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

    Here we can see that if isps1 and ISP2 are UP, all traffic passes through isps1, but traffic intended for the remote IPSec peer 172.22.10.5 passes through ISP2.

    This configuration works only when isps1 or isp2 is down, or if the static route for 172.22.10.5 is deleted. When both ISPs are up, the ASA does not send IPSec datagrams to the remote peer.

    ciscoasa# show run nat
    nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
    nat (inside,isps1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map cm_vpnc 10 match address acl_vpn
    crypto map cm_vpnc 10 set pfs
    crypto map cm_vpnc 10 set peer 172.22.10.5
    crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
    crypto map cm_vpnc 10 set security-association lifetime seconds 86400
    crypto map cm_vpnc interface isps1
    crypto map cm_vpnc interface isp2
    crypto ca trustpool policy
    crypto ikev1 enable isps1
    crypto ikev1 enable isp2
    crypto ikev1 policy 1
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400

    ciscoasa# show ip
    System IP Addresses:
    Interface  Name    IP address    Subnet mask    Method
    Vlan1      inside  192.168.2.1   255.255.255.0  CONFIG
    Vlan2      isps1   10.175.2.10   255.255.255.0  CONFIG
    Vlan3      isp2    10.175.3.10   255.255.255.0  CONFIG

    The main question: why?

    Thank you in advance,

    Anton

    Hi Anton,

    If you check the log messages on your ASA R301-IS, it is trying to build the VPN tunnel with both IPs and it receives packets asymmetrically from your remote ciscoasa.

    To avoid this asymmetrical connection, set your peer IPs as primary & secondary on your R301-EAST

    set peer 10.175.3.10 10.175.2.10

    Remove the track from your routing entry

    route isp2 172.22.10.5 255.255.255.255 10.175.3.5

    This should work for you.

    Similarly, bring down your ISP 2; you should see the VPN tunnel come up over isps1.

    HTH

    Sandy

  • ASA with A/A and three router ISP links

    Can someone help me? I have a problem: I need to connect two ASAs in active/active and I have three routers to three Internet service providers. How do I optimize gateway redundancy and load balancing?

    and I can use the router to ASA's private beach.

    Another Question is, do I really need host proxy server-based internet access.

    Please help me.

    Regards

    One solution is to use the GLBP protocol on the routers (OSPF is not available in A/A...).

    "GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all of the routers in the virtual router group participate in forwarding packets."

    glbp group load-balancing [host-dependent | round-robin | weighted]

    (See the Cisco Feature Navigator for available IOS and hardware.)

    http://www.Cisco.com/en/us/products/ps6550/products_white_paper09186a00801541c8.shtml

    HTH.

    Roberto

  • ASA with two internet connections

    Hello

    I want to connect an ASA to two ISPs, one for internet traffic, one for the S2S VPN; there is a dedicated VPN router on the second link.

    In case of failure of the first link, the second must be enabled.

    route outside 0.0.0.0 0.0.0.0 10.20.20.1 1 track 1
    route backup 0.0.0.0 0.0.0.0 10.20.30.1 254
    route backup 192.168.0.0 255.255.0.0 10.20.30.1

    Will this configuration work?

    Hello

    You need to configure the 'sla monitor' configuration to monitor some destination IP address through the main ISP so that the ASA can tell whether the connection works. Probably an IP address on the public network.

    sla monitor 1
     type echo protocol ipIcmpEcho interface outside
     num-packets
     timeout
     frequency
    sla monitor schedule 1 life forever start-time now

    You will also need the related 'track' command configuration

    track 1 rtr 1 reachability

    route outside 0.0.0.0 0.0.0.0 10.20.20.1 track 1

    route backup 0.0.0.0 0.0.0.0 10.20.30.1 254

    The above combined with the routes you mention should be enough for the routing. Naturally, for each remote L2L VPN network you will always need a specific static route on the ASA towards the backup ISP device.

    Also you must naturally handle the translations on the ASA. It seems that your ISP links have a separate device in front that holds the public IP addresses. So am I right in assuming you pass all traffic from the LAN to the ISP links via the ASA without any type of NAT, and leave it to these routers to NAT from private to public?

    -Jouni

  • When I share a note with a checklist, I can see when the other person check of an item. I do not see when registering an item (it is disabled). Why?

    Try switching Notes off and on under Settings > iCloud, or restart the device (Restart your iPhone, iPad or iPod touch - Apple Support) to see if this solves the problem.

  • I get emails with pictures and when I send them to others. they open them but the images are not displayed. The photos are there when I send them. Thank you

    I get emails with pictures and when I send them to others. they open
    their place but the images are not displayed. The photos are there when I send a
    them. Thank you

    Make sure that your security software (antivirus) is not blocking attachments.

  • Discs CD - R burned with the Finder in Yosemite are unreadable by other players of CD despite the burned music files individual, .aif format. When it is burned with iTunes, all right. Any ideas?

    A CD to use in an Audio CD drive must be formatted as an Audio CD.

    Finder cannot create an audio CD, instead, it creates a data CD.

    Therefore, use iTunes to create an Audio CD.

  • Impossible to restart Windows XP as an administrator with the same "selective startup" newspaper (with some third-party services being disabled) with an administrator account.

    My computer is a Sony (Vaio) desktop computer with Microsoft Windows XP Professional edition,
    service pack 3. It is installed with Internet Explorer 8.

    I ran into the Internet Explorer 8 problem right after I tried to run Norton
    Antivirus (2012 version) Live updates some time ago. The Live updates did not
    complete successfully.

    I tried to open Internet Explorer 8 to connect the site msn.com and others
    Web pages. It still gives me the message "Internet Explorer cannot Display the Webpage".

    I did a full system scan. The computer is clean.
    I also tried to remove all the Internet Explorer add-on to and reset all settings
    by default, but I still can't get Internet Explorer to work.

    I think that something connected to the operation of Internet Explorer 8 was 'broken'
    during the download of the Norton Live updates. Maybe the slow "dial-up"
    internet download speed I use caused some kind of file corruption.
    I'm not too sure.

    I followed a suggestion to Microsoft support engineer in Microsoft Support community
    and I tried disabling Norton services in starting the configuration to see if
    Internet Explorer will work back or not. However, after I did

    Start > run > msconfig

    and unchecked all Norton services and restarted the computer, I had
    an error message saying "I need to log in as an administrator in order to restart
    the computer with selective startup" even though I had logged in as administrator.

    I turned off the computer and retried the above process again, but I still
    got the same error. I did several times without a bit of luck.

    My computer is used only by myself. My user account is an administrator of type with
    all permissions. It is the only user account in my computer.

    I don't know if other permission settings that must be set correctly in order
    for me to restart the computer with the "selective startup" option.

    I hope that someone in the Community Support of Microsoft can give me some suggestions and
    instruction. Thanks a lot for your help.

    Best regards
    vichau

    Do a repair install and get rid of Norton once you are able to get into your computer again.

  • Windows Media player on my machine does not run some AVI files. How can I check what the problem with AVI files. Files are running in other utilities of free ware

    Windows Media Player on my machine does not play some AVI files. How can I check what the problem is with the AVI files? The files play in other freeware utilities. Also, Windows Explorer does not display the dimensions and other video-related information for the file. Is there a tool that can indicate what exactly the problem with the file is?

    Ritu

    Hello

    1. Do you get any error message?

    2. Did you make any changes to the computer before the issue?

    Please follow the steps from the link below.

    http://support.Microsoft.com/kb/279242

  • Service Pack 3 Setup error: "Service Pack 3 Setup cannot update an active (debug) system with a free (retail) version of Service Pack 3, or vice versa"

    I have XP SP3 download Tuff. I have a Dell Inspiron 16000 w / XP Edition home (version 2002) W / SP 2 is installed.  I couldn't find a reference to the error in line last night.  Can anyone help?

    Turbo Tax 2011 says that I can not download their stuff until I get my XP Stuff to the height.

    Only 6 more days until what the tax man will come :-)...

    Help!

    Put your search term inside quotes when you search for exact error messages:

    "Service Pack 3 installation cannot update an active (debug) system with a free (retail)"

    The first hit has the answer: http://www.askvg.com/windows-xp-sp3-setup-error-cannot-update-a-checked-debug-system-with-a-free-retail-version-of-service-pack-3/

    The CurrentType value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion should read "Uniprocessor Free" or "Multiprocessor Free".

    John
