Sunday, February 9, 2020

Reimaging Cisco Firepower Threat Defense (FTD) to ASA

Here's a nice Cisco link on performing an FTD reimage back to the classic ASA software. First, reboot the FTD device with the reboot command in order to get into ROMMON mode.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5515-X Threat Defense v6.2.3 (build 83)

> reboot
This command will reboot the system.  Continue?
Please enter 'YES' or 'NO': yes

Broadcast message from root@FTD-ASA5515X (Tue Oct 15 05:16:08 2019):

The system is going down for reboot NOW!
INIT: SwitchingStopping Cisco ASA5515-X Threat Defense......ok
Shutting down sfifd...                                                [  OK  ]
Clearing static routes
Unconfiguring default route                                           [  OK  ]
Unconfiguring address on br1                                          [  OK  ]
Unconfiguring IPv6                                                    [  OK  ]
Downing interface                                                     [  OK  ]
Stopping xinetd:
Stopping nscd...                                                      [  OK  ]
Stopping system log daemon...                                         [  OK  ]
Stopping Threat Defense ...
Stopping system message bus: dbus.                                    [  OK  ]
Un-mounting disk partitions ...
mdadm: stopped /dev/md0
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 5033)
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 5037)
acpid: exiting
acpid.
Stopping system message bus: dbus.
Deconfiguring network interfaces... ifdown: interface br1 not configured
done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting... Cisco BIOS Version:9B2C108A
Build Date:05/22/2012 11:32:20

CPU Type: Intel(R) Core(TM) i3 CPU         540  @ 3.07GHz, 3059 MHz
Total Memory:8192 MB(DDR3 1333)
System memory:619 KB, Extended Memory:3573 MB

PCI Device Table:
   Bus   Dev   Func   VendID  DevID  Class   IRQ
---------------------------------------------------------
   00    00    00      8086   0040   Bridge Device
   00    06    00      8086   0043   PCI Bridge,IRQ=11
   00    16    00      8086   3B64   I/O Port Device,IRQ=11
   00    1A    00      8086   3B3C   USB Controller,IRQ=11
   00    1C    00      8086   3B42   PCI Bridge,IRQ=10
   00    1C    04      8086   3B4A   PCI Bridge,IRQ=10
   00    1C    05      8086   3B4C   PCI Bridge,IRQ=11
   00    1D    00      8086   3B34   USB Controller,IRQ=7
   00    1E    00      8086   244E   PCI Bridge
   00    1F    00      8086   3B16   Bridge Device
   00    1F    02      8086   3B22   SATA DPA,IRQ=5
   00    1F    03      8086   3B30   SMBus,IRQ=11
   01    00    00      10B5   8618   PCI Bridge,IRQ=11
   02    01    00      10B5   8618   PCI Bridge,IRQ=10
   02    03    00      10B5   8618   PCI Bridge,IRQ=5
   02    05    00      10B5   8618   PCI Bridge,IRQ=10
   02    07    00      10B5   8618   PCI Bridge,IRQ=5
   02    09    00      10B5   8618   PCI Bridge,IRQ=10
   02    0B    00      10B5   8618   PCI Bridge,IRQ=5
   02    0D    00      10B5   8618   PCI Bridge,IRQ=10
   02    0F    00      10B5   8618   PCI Bridge,IRQ=5
   03    00    00      8086   10D3   Ethernet,IRQ=10
   04    00    00      8086   10D3   Ethernet,IRQ=5
   05    00    00      8086   10D3   Ethernet,IRQ=10
   07    00    00      8086   10D3   Ethernet,IRQ=10
   08    00    00      8086   10D3   Ethernet,IRQ=5
   09    00    00      8086   10D3   Ethernet,IRQ=10
   0B    00    00      177D   0010   Cavium Encryption,IRQ=11
   0C    00    00      8086   10D3   Ethernet,IRQ=11
   0D    00    00      1A03   1150   PCI Bridge,IRQ=10
   0E    00    00      1A03   2000   VGA,IRQ=10
   FF    00    00      8086   2C61   Bridge Device
   FF    00    01      8086   2D01   Bridge Device
   FF    02    00      8086   2D10   Bridge Device
   FF    02    01      8086   2D11   Bridge Device
   FF    02    02      8086   2D12   Bridge Device
   FF    02    03      8086   2D13   Bridge Device

Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011


Hit ESC to get into ROMMON mode and erase the FTD image in the flash memory (disk0:).

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.                              

GigabitEthernet0/1
Link is DOWN
MAC Address: b0fa.eb97.72c9

Use ? for help.
rommon #0> erase disk0:

About to erase the selected device, this will erase
all files including configuration, and images.
Continue with erase? y/n [n]: y

Erasing Disk0:
............................................................................
............................................................................

<OUTPUT TRUNCATED>

................Done!


Configure an IP address on interface G0/1 in order to talk to a TFTP server. Use the tftpdnld command to temporarily boot to the classic ASA image.

rommon #1> interface gigabitethernet0/1
GigabitEthernet0/1
Link is UP
MAC Address: b0fa.eb97.72c9

rommon #2> address 192.168.1.2
rommon #3> netmask 255.255.255.0
Invalid or incorrect command.  Use 'help' for help.
rommon #3> ?

   Variables:     Use "sync" to store in NVRAM
ADDRESS=     <addr>  local IP address
CONFIG=      <name>  config file path/name
GATEWAY=     <addr>  gateway IP address
IMAGE=       <name>  image file path/name
LINKTIMEOUT= <num>   Link UP timeout (seconds)
PKTTIMEOUT=  <num>   packet timeout (seconds)
PORT=        <name>  ethernet interface port
RETRY=       <num>   Packet Retry Count (Ping/TFTP)
SERVER=      <addr>  server IP address
VLAN=        <num>   enable/disable DOT1Q tagging on the selected port

   Commands:
?                 valid command list
address   <addr>  local IP address
boot      <args>  boot an image, valid args are:
     - "image file spec" and/or
     - "cfg=<config file spec>"
clear             clear interface statistics
confreg   <value> set hex configuration register
dev               display platform interface devices
erase     <arg>   erase storage media
file      <name>  application image file path/name
gateway   <addr>  gateway IP address
gdb       <cmd>   edit image gdb settings
help              valid command list
history           display command history
interface <name>  ethernet interface port
no        <feat>  clear feature settings
ping      <addr>  send ICMP echo
reboot            halt and reboot system
reload            halt and reboot system
repeat    <arg>   repeat previous command, valid arguments:
     - no arg: repeat last command
     - number: index into command history table
     - string: most recent 1st arg match in command history table
reset             halt and reboot system
server    <addr>  server IP address
set               display all variable settings
show      <cmd>   display cmd-specific information
sync              save variable settings in NVRAM
tftpdnld          TFTP download
timeout   <num>   packet timeout (seconds)
trace             toggle packet tracing
unset   <varname> unset a variable name

rommon #4> server 192.168.1.1
rommon #5> file asa984-10-smp-k8.bin
rommon #6> set
ROMMON Variable Settings:
  ADDRESS=192.168.1.2
  SERVER=192.168.1.1
  GATEWAY=192.168.1.1
  PORT=GigabitEthernet0/1
  VLAN=untagged
  IMAGE=asa984-10-smp-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

rommon #7> sync

Updating NVRAM Parameters...

rommon #8> ping 192.168.1.1
Sending 20, 100-byte ICMP Echoes to 192.168.1.1, timeout is 4 seconds:
?!!!!!!!!!!!!!!!!!!!
Success rate is 95 percent (19/20)
rommon #9> ping 192.168.1.1
Sending 20, 100-byte ICMP Echoes to 192.168.1.1, timeout is 4 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20)
rommon #10> tftpdnld
ROMMON Variable Settings:
  ADDRESS=192.168.1.2
  SERVER=192.168.1.1
  GATEWAY=192.168.1.1
  PORT=GigabitEthernet0/1
  VLAN=untagged
  IMAGE=asa984-10-smp-k8.bin
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20

tftp asa984-10-smp-k8.bin@192.168.1.1 via 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 111550464 bytes

Launching TFTP Image...

Execute image at 0x14000
Cisco Security Appliance admin loader (3.0) #0: Tue Aug 20 12:46:08 PDT 2019
Platform ASA5515

Loading...
IO memory blocks requested from bigphys 32bit: 41217
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
IPMI over LAN not active

Loading...
Application cryptographic hash verified
IO Memory Nodes: 1
IO Memory Per Node: 169869312 bytes

Global Reserve Memory Per Node: 509607936 bytes Nodes=1

LCMB: got 169869312 bytes on numa-id=0, phys=0x1a1800000, virt=0x2aaaab000000
LCMB: HEAP-CACHE POOL got 507510784 bytes on numa-id=0, virt=0x7fccb4e00000
LCMB: HEAP-CACHE POOL got 2097152 bytes on numa-id=0, virt=0x2aaaaac00000
Processor memory:   4266142198
M_MMAP_THRESHOLD 65536, M_MMAP_MAX 65096
POST started...
POST finished, result is 0 (hint: 1 means it failed)

Compiled on Tue 20-Aug-19 12:51 PDT by builders

Total NICs found: 12
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 06 MAC: b0fa.eb97.72cb
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 05 MAC: b0fa.eb97.72ce
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 04 MAC: b0fa.eb97.72ca
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 03 MAC: b0fa.eb97.72cd
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 02 MAC: b0fa.eb97.72c9
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 01 MAC: b0fa.eb97.72cc
i82574L rev00 Gigabit Ethernet @ irq11 dev 0 index 00 MAC: b0fa.eb97.72c8
ivshmem rev03 Backplane Data Interface     @ index 07 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface  @ index 08 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface     @ index 09 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 10 MAC: 0000.0000.0000
en_vtun rev00 Backplane Tap Interface     @ index 11 MAC: 0000.0100.0001
WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.

INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash

INFO: Unable to read cluster interface-mode from flash
        Writing default mode "None" to flash
Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual    // NOTICE THE LICENSE IS DISABLED
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
The 3DES/AES algorithms require a Encryption-3DES-AES activation key.
The 3DES/AES algorithms require a Encryption-3DES-AES activation key.

Cisco Adaptive Security Appliance Software Version 9.8(4)10

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2019 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Insufficient flash space available for this request:
  Size info: request:32 free:0  delta:32
Could not initialize system files in flash.
config_fetcher: channel open failed
ERROR: MIGRATION - Could not get the startup configuration.

INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Pre-configure Firewall now through interactive prompts [yes]? no
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration

User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1. 
Failed logins since the last login: 0. 
Type help or '?' for a list of available commands.
ciscoasa> CXSC module is no longer supported and was prevented from booting
Consider uninstalling the unsupported CXSC module with the command 'sw-module module cxsc uninstall'


Notice the flash memory doesn't contain any ASA image file. Format the flash memory using the format disk0: command.

ciscoasa> enable
Password:<ENTER>
ciscoasa# dir

Directory of disk0:/

11408  drw-  0            05:53:07 Oct 15 2019  coredumpinfo
11313  drw-  0            05:53:06 Oct 15 2019  crypto_archive
9121   drwx  0            05:52:26 Oct 15 2019  log

0 file(s) total size: 0 bytes
0 bytes total (0 bytes free/-2147483648% free)

ciscoasa# format disk0:

Format operation may take a while. Continue? [confirm]

Format operation will destroy all data in "disk0:".  Continue? [confirm]
Initializing partition - done!
Creating FAT32 filesystem
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete
ciscoasa#
ciscoasa# dir

Directory of disk0:/

No files in directory

0 file(s) total size: 0 bytes
7994437632 bytes total (7994404864 bytes free/99% free)


Configure an IP address on the interface and use FTP (faster than TFTP) to transfer the ASA image and ASDM image into flash.

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# interface g0/1
ciscoasa(config-if)# ip address 192.168.1.2 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end
ciscoasa# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# copy ftp://ftp:ftp123@192.168.1.1/asa984-10-smp-k8.bin disk0:

Address or name of remote host [192.168.1.1]?

Source username [ftp]?

Source password [ftp123]?

Source filename [asa984-10-smp-k8.bin]?

Destination filename [asa984-10-smp-k8.bin]?

Accessing ftp://ftp:ftp123@192.168.1.1/asa984-10-smp-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asa984-10-smp-k8.bin...

Writing file disk0:/asa984-10-smp-k8.bin...

111550464 bytes copied in 20.650 secs (5577523 bytes/sec)

ciscoasa# copy ftp://ftp:ftp123@192.168.1.1/asdm-7122.bin disk0:      

Address or name of remote host [192.168.1.1]?

Source username [ftp]?

Source password [ftp123]?

Source filename [asdm-7122.bin]?

Destination filename [asdm-7122.bin]?

Accessing ftp://ftp:ftp123@192.168.1.1/asdm 7122.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-7122.bin...

Writing file disk0:/asdm-7122.bin...

33696792 bytes copied in 4.340 secs (8424198 bytes/sec)


ciscoasa# dir

Directory of disk0:/

10     -rwx  111550464    06:02:41 Oct 15 2019  asa984-10-smp-k8.bin
11     -rwx  33696792     06:04:16 Oct 15 2019  asdm-7122.bin

2 file(s) total size: 145247256 bytes
7994437632 bytes total (7849156608 bytes free/98% free)


Configure the boot image and the ASDM image, then reboot the ASA using the reload command.

ciscoasa# configure terminal
ciscoasa(config)# boot system ?

configure mode commands/options:
  disk0:  Path and filename on disk0:
  disk1:  Path and filename on disk1:
  flash:  Path and filename on flash:
  tftp:   A URL beginning with this prefix.
ciscoasa(config)# boot system disk0:/asa984-10-smp-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-7122.bin 

ciscoasa# write memory
Building configuration...
Cryptochecksum: 801d6416 f4b10718 088ffb01 b74c9915

3480 bytes copied in 0.750 secs
[OK]
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system


***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...

<OUTPUT TRUNCATED>

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.8(4)10
Firepower Extensible Operating System Version 2.2(2.121)
Device Manager Version 7.12(2)

Compiled on Tue 20-Aug-19 12:51 PDT by builders
System image file is "disk0:/asa984-10-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 min 40 secs

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is b0fa.eb97.72c8, irq 11
 1: Ext: GigabitEthernet0/0  : address is b0fa.eb97.72cc, irq 10
 2: Ext: GigabitEthernet0/1  : address is b0fa.eb97.72c9, irq 10
 3: Ext: GigabitEthernet0/2  : address is b0fa.eb97.72cd, irq 5
 4: Ext: GigabitEthernet0/3  : address is b0fa.eb97.72ca, irq 5
 5: Ext: GigabitEthernet0/4  : address is b0fa.eb97.72ce, irq 10
 6: Ext: GigabitEthernet0/5  : address is b0fa.eb97.72cb, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.72c8, irq 0
11: Int: Internal-Data0/3    : address is 0000.0100.0001, irq 0
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH1704J123
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.


The 3DES/AES license sometimes gets corrupted or removed during an ASA image upgrade or a conversion to FTD. This license is required for the crypto-related commands used to configure IPsec on the ASA. It's important to always back up the ASA activation key before performing an upgrade.

ciscoasa# activation-key 0x022ceb6a 0x98a0f168 0x0160d178 0xe22c1884 0xc2131234

Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Both Running and Flash permanent activation key was updated with the requested key.

ciscoasa# show version                                                        

Cisco Adaptive Security Appliance Software Version 9.8(4)10
Firepower Extensible Operating System Version 2.2(2.121)
Device Manager Version 7.12(2)

Compiled on Tue 20-Aug-19 12:51 PDT by builders
System image file is "disk0:/asa984-10-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 mins 0 secs

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is b0fa.eb97.72c8, irq 11
 1: Ext: GigabitEthernet0/0  : address is b0fa.eb97.72cc, irq 10
 2: Ext: GigabitEthernet0/1  : address is b0fa.eb97.72c9, irq 10
 3: Ext: GigabitEthernet0/2  : address is b0fa.eb97.72cd, irq 5
 4: Ext: GigabitEthernet0/3  : address is b0fa.eb97.72ca, irq 5
 5: Ext: GigabitEthernet0/4  : address is b0fa.eb97.72ce, irq 10
 6: Ext: GigabitEthernet0/5  : address is b0fa.eb97.72cb, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is b0fa.eb97.72c8, irq 0
11: Int: Internal-Data0/3    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH1704J123
Running Permanent Activation Key: 0x022ceb6a 0x98a0f168 0x0160d178 0xe22c1884 0xc2131234
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.
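The advice above about backing up the activation key lends itself to a small pre-upgrade check. The following Python script is an added example, not code from the original post or from Cisco: it parses the text of `show version` (the sample input below is constructed from the output shown earlier), records the serial number and the running permanent activation key, and flags a zeroed key or a disabled Encryption-3DES-AES feature so the key can be re-applied with the `activation-key` command. The function names and the list of required features are my own choices.

```python
"""Back up an ASA activation key and flag missing crypto licenses from
'show version' text.  Added example, not from the original post or Cisco."""
import json
import re
import sys

# Constructed sample input, abbreviated from the 'show version' output above
# (the zeroed key and disabled 3DES/AES are the post-reimage state).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(4)10
System image file is "disk0:/asa984-10-smp-k8.bin"

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
Security Contexts                 : 2              perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH1704J123
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
"""

# One line of the "Licensed features" table: name, value, license term.
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9/ -]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>\S+)\s*$")
# Five 32-bit hex words make up the permanent activation key.
KEY_RE = re.compile(r"Running Permanent Activation Key:\s*((?:0x[0-9a-fA-F]{8}\s*){5})")
SERIAL_RE = re.compile(r"Serial Number:\s*(\S+)")


def parse_show_version(text):
    """Extract serial number, activation key words and the licensed-feature table."""
    features = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_table = True          # the table runs until the next blank line
            continue
        if in_table:
            if not line.strip():
                in_table = False
                continue
            m = FEATURE_RE.match(line)
            if m:
                features[m.group("name").strip()] = m.group("value")
    key_m = KEY_RE.search(text)
    serial_m = SERIAL_RE.search(text)
    return {
        "serial": serial_m.group(1) if serial_m else None,
        "activation_key": key_m.group(1).split() if key_m else [],
        "features": features,
    }


def key_is_blank(words):
    """True when no key was found or every word is zero (default licenses in use)."""
    return not words or all(int(w, 16) == 0 for w in words)


def audit(parsed, required=("Encryption-3DES-AES",)):
    """Return the findings a pre-upgrade check should raise (empty list = healthy)."""
    findings = []
    if key_is_blank(parsed["activation_key"]):
        findings.append("activation key is all zeros: device is running on default licenses")
    for feat in required:
        state = parsed["features"].get(feat, "missing")
        if state != "Enabled":
            findings.append(f"{feat} is {state}")
    return findings


def restore_command(words):
    """The CLI command that re-applies a backed-up key (same form as used above)."""
    return "activation-key " + " ".join(words)


def backup_record(parsed):
    """JSON line to keep alongside the device's serial number before an upgrade."""
    return json.dumps({"serial": parsed["serial"], "activation_key": parsed["activation_key"]})


if __name__ == "__main__":
    # Usage: python asa_key_backup.py < show_version.txt   (no stdin: use the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW_VERSION
    parsed = parse_show_version(text)
    print(backup_record(parsed))
    for finding in audit(parsed):
        print("WARNING:", finding)
    if not key_is_blank(parsed["activation_key"]):
        print("restore with:", restore_command(parsed["activation_key"]))
```

Run it against `show version` output saved to a file before an upgrade or FTD conversion; the JSON line pairs the key with the serial number so the right key can be restored on the right box afterwards, and a warning on the first run is the cue to obtain the key from the licensing portal before touching the image.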

Sunday, February 2, 2020

Cisco FTD Dashboard Monitoring and Reporting via FDM

The FTD traffic statistics and graphs will not be displayed unless Logging is enabled under the Access Control Rules.

Go to Monitoring and this will automatically display the FTD System Dashboard such as CPU and Memory Usage.



Go to Network Overview to monitor Access and SI Rules, Users, Applications, etc.


You can toggle the view between Transactions and Data Usage.


Select any category under Network Overview, in this case select Access and SI Rules > All > select Denied.



Click the Time range drop-down option to filter data on specific time interval: Last 30 minutes, Last hour, Last 24 hours, etc.



Click on any item (a hyperlink) to filter the output and create a summary.

In this case I clicked Applications > HTTP.
 


Go to Monitoring > Events > click Pause.

Hover a specific Event Connection > View Details to view more info.


Type/search a Filter to display pre-defined Event Connection Filters.


You can change the Event Connection refresh timer (default is 5 seconds). You can also click Pause/Resume for generating Event Connection logs.


Click View Detail on a specific Event Connection.




Click Profile (head/user icon) > Profile.



You can change the admin Password, Time Zone and Color Theme. In this case I changed the Color Theme > Tangelo > Save.