How to Upgrade your Cisco ASA to Cisco Firepower Threat Defense (FTD)

  1. Open you ASA CLI, and if you are at the > prompt (because you had the SFR module installed), press Ctrl-Shift-6 Ctrl-Shift-6-X to get back into the ASA.
  2. Verify the ROMMON version with sh module. Version MUST be 1.1.8 or higher.
  3. If it is lower, please follow these direction:

If needed:

Copy the ROMMON image to the ASA flash memory:

copy tftp://x.x.x.x/asa5500-firmware-1108.SPA disk0:asa5500-firmware-1108.SPA 

Upgrade the ROMMON image:

upgrade rommon disk0:asa5500-firmware-1108.SPA

Confirm and reload

After the compelete reload, verify your rommon image.

Now follow these easy, but time consuming steps:

  1. Issue reload and confirm with ENTER, to reload ASA
  2. After about a minute, press ESC to interrupt the boot process, you will have only 10 seconds.

NOTE: If you miss this, you’ll need to wait about 5-10 minutes for it to reload depending on ASA version.

  1. You should be at rommon 1 >

Start by erasing your ASA disk… I know, scary!!

erase disk0:

…now wait about 5-10 minutes for this to finish, depending on ASA version, then enter the following information at the rommon prompt. Configure the following parameters IN ALL CAPS.

ADDRESS=x.x.x.x

NETMASK=x.x.x.x

GATEWAY=x.x.x.x

SERVER=x.x.x.x

IMAGE=ftd-boot-9.8.2.3.lfbff

  1. Issue tftpdnld command to start TFTP download of the FTD boot image.

rommon 7>tftpdnld

(it is possible that you need to run this command more than once to be successful)

  1. After download and extract is complete, you’ll end up at the following prompt:

Cisco FTD Boot 6.0.0 (9.8.2.3)

Type ? for list of commands

firepower-boot>

 

Now we need to configure the FTD module.

  1. Type setup and go through a basic network setup script.

Cisco FTD Boot 6.2

Type ? for list of commands

firepower-boot>setup

Welcome to Cisco FTD Setup

[hit Ctrl-C to abort]

Default values are inside []

Enter a hostname [ASA-x]: FTD-x

Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y

Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]: n

Enter an IPv4 address: x.x.x.x

Enter the netmask: x.x.x.x

Enter the gateway: x.x.x.x

Do you want to configure static IPv6 address on management interface?(y/n) [N]: N

Stateless autoconfiguration will be enabled for IPv6 addresses.

Enter the primary DNS server IP address: x.x.x.x

Do you want to configure Secondary DNS Server? (y/n) [n]: n

Do you want to configure Local Domain Name? (y/n) [n]: y

Enter the local domain name:

Do you want to configure Search domains? (y/n) [n]: n

Do you want to enable the NTP service? [Y]: Y

Enter the NTP servers separated by commas [203.0.113.126]:

 

Apply the changes?(y,n) [Y]:

  1. Hit ENTER to Apply changes and then press ENTER again to continue.
  2. Enter the following command and then specify Y to continue:

firepower-boot>system install ftp://anonymous:[email protected]/ftd-6.2.2-81.pkg

######################## WARNING ############################

# The content of disk0: will be erased during installation! #

#############################################################

Do you want to continue? [y/N] y

Erasing disk0 …

Extracting   …

Verifying

Downloading

Extracting.

 

Package Detail

Description:                 Cisco ASA-FTD 6.2.2-81 System Install

Requires reboot:            Yes

Do you want to continue with upgrade? [y]: y

Warning: Please do not interrupt the process or turn off the system.

Doing so might leave system in unusable state.

Starting upgrade process …

Populating new system image

Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.[PRESS ENTER]

(about 20 minutes)

Rebooting…

  1. During reboot, new databases will be installed, this step should take about 20-30 min

Once rebooted, you’ll be at the firepower login screen.

  1. Login with admin/Admin123 credentials:

Cisco ASA5506-X Threat Defense v6.2.2 (build 81)

firepower login: admin

Password:

 

  1. Press ENTER then press q to skip EULA:

You must accept the EULA to continue.

Press <ENTER> to display the EULA:

 

  1. Go through basic network setup script, use your Pod FTD IP:

System initialization in progress.  Please stand by.

You must change the password for ‘admin’ to continue.

Enter new password:

Confirm new password:

You must configure the network to continue.

You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]:

Do you want to configure IPv6? (y/n) [n]:

Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:

Enter an IPv4 address for the management interface [192.168.45.45]: x.x.x.x

Enter an IPv4 netmask for the management interface [255.255.255.0]:

Enter the IPv4 default gateway for the management interface [data-interfaces]: x.x.x.x

Enter a fully qualified hostname for this system [firepower]:

Enter a comma-separated list of DNS servers or ‘none’ [208.67.222.222,208.67.220.220]: x.x.x.x

Enter a comma-separated list of search domains or ‘none’ []:

If your networking information has changed, you will need to reconnect.

…..

  1. Type NO and hit enter when prompted for local device management:

Manage the device locally? (yes/no) [yes]: NO

DCHP Server Disabled

Configure firewall mode? (routed/transparent) [routed]: press enter

Configuring firewall mode …

 

Now you can join the FTD to your FMC

  1. Configure your FTD box with the IP address of your FMC:

> configure manager add x.x.x.x cisco

  1. Go to your FMC and enable Smart Licensing
  2. Go to Devices->Device Management and click on Add Device in the Add drop-down menu
  3. Fill out information specific for you
  4. Click Register and wait a few minutes for registration to finish.

 

27 Comments

  1. I’ve been trying to reimage a 5506-x and It keeps hanging at the ‘Populating new system image…’ prompt.

    Am I missing something?

    1. how long are you waiting? that is a SLOW process…it takes almost 2 hours to reimagine the 5506 to FTD

  2. Hi, i need to reimage our ASA 5512-X to FTD. I have loaded the SSD in the ASA. How do we partition the new SSD or have FTD to install on this new SSD? Most of the instructions that i see online talk about using disk0 ( as seen in your article as well) . Is disk0 pointing to the SSD disk or is it the old local flash?
    Pardon my confusion, i am new to cisco world

    1. you do not put anything on the ASA, you put one file on a TFTP server that can reach the ASA box, and one file on a FTP server that can reach the ASA
      No where in my article do I mention loading anything into the SSD, so please reread and let me know how it goes!
      Todd

      1. Thanks for replying and my bad if there was any confusion. For customers like us who were traditionally on ASA and have recently purchased the FTD services, we have been shipped a new SSD as well that needs to go in the ASA. As per cisco documentation, the new Firepower boot image needs to be installed on this new SSD drive. Assuming this scenario , when we load the SSD in the ASA will it also show up as disk0 or do we have to create a different partition on which the firepower boot image needs to go ?

  3. okay, that is for installing FirePOWER on ASA, that is different than turning the ASA into a FTD box – two different things! Yes, if you want to do FirePOWER on ASA you need the SSD drive.

  4. We are looking to re-image our ASA 5515 that have an IPS module that are now running with EOL signatures with new FTD image.

    Initially I was looking at purchasing the Software version of FirePower to install with exiting SSD.

    I guess the benefit of re-imaging to FTD is we dont need to worry about the plug and play SSD cards.

    1) Do we loose our firewall policies if we re-image our exiting ASA 5515 located at different sites with FTD ?

    2) Is there any command changes?

    3) FTD works with which minimum version of FMC?

    4) Do we need additional memory on ASA for FTD ?

    5) How quick is the whole process?

    6) Are there any issues we need to worry about?

    1. 1. Yes, unless you migrate. if you can do a clean install, I highly recommend it!
      2. Yes. You need to manage the whole FTD box via the manager called Firepower Management Center (FMC). Very little CLI; only verification
      3. 6.1
      4. No
      5. Depends on the amount of ACL’s and VPN’s on your existing box
      6. Yes. Possible to take my class?

  5. I hope you are doing well during these hard times.
    I was checking some firewalls 5525-x , when I did show version it gives:

    Cisco Adaptive Security Appliance Software Version 9.8(2)

    Firepower Extensible Operating System Version 2.2(2.52)

    Device Manager Version 7.8(2)151

    what is the purpose of FXOS here?

    does it mean I can install FTD in this chassis instead of ASA software?

    Also I found ”End-of-Sale and End-of-Life Announcement for the Cisco ASA CX Context-Aware Security and Cisco Prime Security Manager” how this will affect my firewalls ASA 5525-x ?

    https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-733917.html
    Thanks for your usual support and guidance.

    KR,

    Faisal

  6. yes, you can absolutely run FTD on top of that FXOS image, and that is why that is there. You can run ASA or FTD on that box. Yes, you need to get rid of the CX and replace it with Firepower…..your way overdue for that!

  7. Hello Todd,
    My team have a dilemma whether it is wise to upgrade asa 5506-x to FTD?
    If we decide to do upgrade, can you answer our question:
    1. Does it posible hardware model ASA 5506-x with Firepower services to be upgraded on recomended FTD version 6.4.0.7 (if it possible, what are the steps)?

    KR,
    Tripio

    1. Hello, thank you for writing to me. I really appreciate you thinking of me when you needed advise.
      You cannot upgrade 5506 past 6.2.3 because of RAM issues. I recommend buying 1010’s which are super cheap and very awesome! They can run the newest latest codes!
      6.2.3.x is a good code, so if you have no budget, you can still use the 5506 with 6.2.3.x
      thank you!
      Todd Lammle

  8. hi . i flow your learning video its great ,
    i have asa 5525-x and
    102 108822528 Jan 17 2019 15:51:52 asa982-smp-k8.bin
    103 26970456 Jan 17 2019 15:53:22 asdm-782.bin
    104 41848832 Jan 17 2019 15:53:56 asasfr-5500x-boot-6.2.2-3.img
    105 4096 Dec 23 2019 00:31:54 tmp

    8238202880 bytes total (4837232640 bytes free)
    what i do to register with FMC and wich version chose , and i want upgrade bin to 9.14 ,asdm 714 , asasfr 6.6
    i wait your advice

  9. Hi,

    How we can migrate the configuration from existing ASA 5512 to New Firepower 1120 device?

    Thanks,
    Prasad Bait

    1. Its rather simple now, use the cisco migration tool, it’s free and it really works!

  10. Can I still use the 5512X firepower services since I am EOL on this device. This is for a lab and training enviroment.

    1. Yes, perfect use for that box. I can’t remember what code version you Dan use, but 6.4 or 6.5 I believe

  11. Hi Todd!

    I got an ASA 5525-X with Firepower Services, I’m trying to reimage to FTD to latest possible version which is 6.6.7.1, I downloaded the image and got: Cisco_Network_Sensor_Patch-6.6.7.1-42.sh.REL.tar (.tar file), should I follow same process you mentioned wit this file (it’s kind of image bundle) thru the ROMMON or could you please guide me how to extract those files (download documentation mentioned a warning: Do not Un Tar), thanks!

    1. So you downloaded the wrong file. You need the main code, and you downloaded a patch

  12. Can I upgrade FTD via CLI? I have try to reimage but that is FTD. I would like to upgrade FTD by didn’t use FMC. Can is it possible?

    1. You can reinstall from CLI and reimage, but not upgrade that I am aware of.

  13. Hi Todd,

    Please am trying to reinstall a cisco FTD image on firepower device running asa image, when i try copying the .SPA image into disk0 from the asa cli it keeps saying “Signature not valid for file disk0:/cisco-ftd-fp2k.7.2.5-208.SPA”. Is there anything i can do to have the image copied successfully. The image successfully?.

    1. The image could be corrupt, re download, or its the wrong image for the device. Make sure you have a 2k device if you are downloading that you are using that image…that is not an ASA image but an FTD image for an FTD box…

Comments are closed.