A USAGE INTERNE

Installation of FirePower module (SFR) on Cisco ASA

(From ASA 5506-X through ASA 5555)

AUTEUR(S) : BECH Raphal

N DE DOCUMENT : PROC_INST_FIREPOWER
VERSION : 1.2
STATUT : Dcisif
SOURCE : Worldline
DATE DU DOCUMENT : 22 June 2017
NOMBRE DE PAGES : 22

1
Contents

I. Introduction .................................................................................................... 3
1) Traffic Flow: ............................................................................................. 3
2) Licensing Options:........................................................................................ 4
3) Management Options: .................................................................................. 4
4) Compatibility with ASA Features: ................................................................... 5
5) Prerequisites: .............................................................................................. 5
II. Wiring.............................................................................................................. 6
1) Transparent Mode ........................................................................................ 6
2) Sample Network Configuration....................................................................... 7
III. Install and Set Up the ASA FirePower (SFR) Services Module ................................. 7
Step 1: Reset .................................................................................................. 7
Step 2: Download the ASA SFR Module on the ASA. ............................................. 8
Step 3: Configure the ASA SFR Boot image location. ............................................ 9
Step 4: Load the ASA SFR boot image. ............................................................... 9
Step 5: Set up the ASA SFR for basic network connectivity. .................................10
Step 6: Install the ASA SFR system package file from the FTP server. ...................11
Step 7: Final configuration of the FirePower module (SFR) ...................................12
Step 8: Configure and Manage ASA FrePOWER Module Using ASDM ......................13
Step 8: Configure and Manage ASA FirePOWER Module Using Management Center..17
Step 9: Send Traffic to FirePOWER Module to be inspected ...................................19
Step 10: FirePOWER Code Update and Rule Update .............................................20
V. Bibliography .....................................................................................................22

2
 I. Introduction

The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation Intrusion
Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware
Protection (AMP).

The ASA FirePOWER module runs a separate application from the ASA. The module can be a hardware module
(on the ASA 5585-X only) or a software module (all other models). The SFR is the name of the
FirePOWER module on the ASA, its came from the SourceFire Technology bought by Cisco few years
ago.

For ASA model software and hardware compatibility with the ASA FirePOWER module, see Cisco ASA
Compatibility (http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html).

1) Traffic Flow:

Similar to deploying a standalone IPS solution, the integrated FirePOWER module supports inline mode and
passive monitoring mode. Inline mode provides additional benefits than monitoring mode. FirePOWER
deployed in inline mode provides best case deep inspection analysis before packets are returned to the ASA
main plane. It proactively takes action when malicious traffic is detected.

When traffic enters ASAs ingress interface:

1. The ASA decrypts the traffic if it was part of an established VPN tunnel.
2. Packets are checked against firewall policies such as ACL, NAT and Inspection.
3. Optionally, traffic is sent to the FirePOWER Module for deeper level inspection. You may configure to
send all traffic or only high risk traffic to the FirePOWER module to conserve system resources.
4. Traffic passed FirePOWER inspection is returned to the ASA main engine for next step routing
decision.
5. Traffic is then passed to the ASAs egress interface to be forwarded to the rest of the network.

3
2) Licensing Options:

Intrusion detection and prevention (IPS license) contains also Application Visibility with Control
(AVC) and Geolocation
File control and advanced malware protection (AMP)
Application, user, and URL control (URL Filtering)
IPS license is required for the AVC, AMP and URL Filtering license.

3) Management Options:

ASDM: Used when youre running the ASA + Firepower (SFR) O.S. For standalone single site deployment:
Suitable for SOHO customers who do not have more than 3 devices and do not want to manage a separate sever
infrastructure.

FirePOWER Device Manager (FDM): Used when youre running the FTD O.S. Manages Firepower
Threat Defense on Low-End & Mid-Range Platforms (Workflows, Diagrams and Default configuration options)

FirePOWER Management Center (FMC): The Management Console is a hardware or virtual appliance
installed centrally to manage multiple FirePOWER deployments at same time. Suitable for enterprise who have
more than 5 devices deployed with FirePOWER.

FirePOWER Threat Defense (FTD): Unified image of the ASA and Firepower. Same purpose than
ASDM. Feature Highlights: Unified Objects, Migration tool, Unified GUI for identity, NAT, Access, IPS, and
File Policies, Graphical Representation of Policy Deployment, System Health Monitoring Dashboard, Dynamic
Theme, Routed Mode Support.

4
4) Compatibility with ASA Features:

The ASA includes many advanced application inspection features, including HTTP inspection. However, the
ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as
additional features for other applications, including monitoring and controlling application usage.

You must follow these configuration restrictions on the ASA:

Do not configure ASA inspection on HTTP traffic that you send to the ASA FirePOWER module.

Do not configure Cloud Web Security (ScanSafe) inspection on traffic that you send to the ASA
FirePOWER module. If traffic matches both your Cloud Web Security and ASA FirePOWER service policies,
the traffic is forwarded to the ASA FirePOWER module only. If you want to implement both services, ensure
there is no overlap between the traffic matching criteria for each service.

Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER
module.

5) Prerequisites:

a) Requirements:

Cisco recommends that your system meet these requirements before you attempt the procedures that are
described in this document:

- Ensure that you have at least 3GB of free space on the flash drive (disk0), in addition to the size of the
boot software.
- Ensure that you have access to the privileged EXEC mode. In order to access the privileged EXEC
mode, enter the enable command into the CLI. If a password was not set, then press Enter:

ciscoasa> enable
Password:
ciscoasa#

b) Components Used

In order to install the FirePOWER Services on a Cisco ASA, these components are required:

- Cisco ASA software Version 9.2.2 or later

- Cisco ASA platforms 5512-X through 5555-X
- FirePOWER Software Version 5.3.1 or later

5
II. Wiring

1) Transparent Mode
These models run the ASA FirePOWER module as a software module, and the ASA FirePOWER module shares
the Management 0/0 or Management 1/1 interface (depending on your model) with the ASA. The default IP
address for the management physical interface is 192.168.45.45. If you are connected to the inside interface:
192.168.1.1

Keep in mind that FirePOWER management interface must have internet access for signature updates and
communication to the Management Center. If there is a FireSIGHT Management Center (FMC) you dont need
to deploy internet access for your managed devices. The following figure shows the recommended network
deployment for the ASA 5500-X or ISA 3000 with the ASA FirePOWER module when you have an inside
router:

If you do not use an inside router, you can manage the ASA over the inside interface (using the BVI IP address)
and not use the Management interface for ASA management:

Note : You can avoid using an external switch if you have extra interfaces that you can assign to the inside
bridge group. Be sure to set all bridge group interfaces to the same security level, allow same security
communication, and configure NAT for each bridge group member. See the ASA interfaces configuration guide
chapter for more information.

6
2) Sample Network Configuration

III. Install and Set Up the ASA FirePower (SFR) Services Module

Step 1: Reset
Shutdown and uninstall the CX or IPS software module on the ASA then reload the ASA if required.

Use the show module command to verify the ASA software modules status. Before you can install the
ASA FirePOWER services module, if the ASA is currently running the CX or the IPS software module already,
shutdown then uninstall the CX or IPS module using the sw-module module vxsc | ips uninstall command. The
ASA can only run one ASA software module at a time.

When you reimage a module, use the same shutdown and uninstall commands that are used in
order to remove an old SFR image. Here is an example:

ciscoasa# sw-module module sfr uninstall

7
Step 2: Download the ASA SFR Module on the ASA.

1. Download the ASA SFR system software from Cisco.com to an HTTP, HTTPS or FTP server that
is accessible from the ASA SFR management interface.
2. Download the boot image to the device. You can use either the Cisco Adaptive Security Device
Manager (ASDM) or the ASA CLI in order to download the boot image to the device.

Complete these steps in order to download the boot image via the ASA CLI:
a. Download the boot image on an FTP, TFTP, HTTP or HTTPS server.
b. Enter a copy command into CLI in order to download the boot immage to the flash drive.
Here is an example that uses HTTP protocol (replace the <HTTP_Server> with your server IP
address or host name):
ciscoasa# copy http://<HTTP_Server>/asasfr-5500x-boot-6.1.0-330.img
disk0:/asasfr-5500x-boot-6.1.0-330.img

If you are using a CoreFTP Server to setup FTP server on your laptop. Connected to the management interface
on ASA

ciscoasa# copy ftp://user:pass@Laptop-IP/asasfr-5500x-boot-6.1.0-330.img

https://software.cisco.com/download/release.html?mdfid=286271171&softwareid=286277393&release=6.1.0&relind=AVAI
LABLE&rellifecycle=&reltype=latest

8
Step 3: Configure the ASA SFR Boot image location.

Enter this command in order to configure the ASA SFR boot image location in the ASA flash drive.

ciscoasa# sw-module module sfr recover configure image disk0:/asasfr:/asasfr-5500x-

boot-6.1.0-330.img

Step 4: Load the ASA SFR boot image.

ciscoasa# sw-module module sfr recover boot

Module sfr will be recovered. This may erase all configuration and all data on that
device and attempt to download/install a new image for it. This may take several
minutes.

Recover module sfr? [confirm]

Recover issued for module sfr.

Confirm the prompt to recover the SFR module. The ASA SFR boot image will take about 10 minutes
to load after you confirm the prompt.

Use the show module SFR command from the ASA CLI to check the status. The status should be
Recover, and the status will stay at the Recover state even after the ASA SFR boot image has been successfully
loaded.

Optionally, the show module SFR log console command can be used to check the ASA SFR logs.
Optionally, the debug module-boot CLI command can be used to debug the module boot process.

Wait few minutes then continue to the next step to console into ASA SFR console. Once you can
console into the ASA SFR, it means the ASA SFR boot image has been successfully loaded.

9
Step 5: Set up the ASA SFR for basic network connectivity.

From the ASA CLI, establish a session into the ASA SFR console. Log in using the default admin
username with the default Admin123 password.

ciscoasa# session sfr console

Opening console session with module sfr.
Connected to module sfr. Escape character sequence is CTRL-^X. Cisco ASA SFR Boot
Image 6.1.0
asasfr login: admin
Password: Admin123

Use the setup command to run the setup dialog to configure the basic network settings as follows, you can
configure both IPv4 and IPv6 management addresses. Here is an example:

Asasfr-boot> setup

Welcome to SFR Setup

[hit Ctrl-C to abort]
Default values are inside [ ]

Enter a hostname [asasfr] : Pod1SFR

Do you want to configure IPv4 address on management interface?(y/n) [Y]: y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n)
[N]: N
Enter an IPv4 address [192.168.8.8]: 10.11.10.10
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 10.11.10.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 10.11.11.250
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: y
Enter the local domain name: example.local
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: y
Enter the NTP servers separated by commas: 10.11.11.250
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname: Pod1SFR
Management Interface Configuration
....
Pod1SFR-boot>

Use the ASA SFR CLI to ping the FTP Server to test connectivity. Use the key sequence Ctrl-C to stop the
pings.

asasfr-boot>ping 10.11.11.250
PING 10.82.60.193 (10.82.60.193): 56 data bytes
64 bytes from 10.18.84.1: seq=0 ttl=255 time=0.583 ms
64 bytes from 10.18.84.1: seq=1 ttl=255 time=0.225 ms
64 bytes from 10.18.84.1: seq=2 ttl=255 time=0.245 ms

10
Step 6: Install the ASA SFR system package file from the FTP server.

The ASA SFR package filename is asasfr-sys-6.1.0-330.pkg. From the ASA SFR CLI, use the system
install FTP://10.11.11.250/asasfr-sys-6.1.0-330.pkg command, as demonstrated below to install the ASA SFR
v6.1.0 system package from the FTP server.

Wait about 15 to 20 minutes for the package to download and extract, then type Y when prompted to
continue with the upgrade.

When the installation is done, press Enter at the prompt to reboot the ASA SFR.

When the ASA SFR reboots, you will be returned to the ASA CLI. Allow for about 40 minutes for the
system package to install and about 40 minutes for the ASA SFR module to reboot (the time depends on the
ASA model)

asasfr-boot> system install FTP://10.11.11.250/asasfr-sys-6.1.0-330.pkg

(it takes about 20 minutes to get to the question below asking you to upgrade !*)
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 6.1.0-330 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Upgrading
Starting upgrade process ...
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.

FWI-FIREPOWER-VDM03# show module sfr

Mod Card Type Model Serial No.

---- -------------------------------------------- ------------------ -----------
sfr FirePOWER Services Software Module ASA5515 FCH20457CK7

Mod MAC Address Range Hw Version Fw Version Sw Version

---- --------------------------------- ------------ ------------ ---------------
sfr 2cd0.2d12.de18 to 2cd0.2d12.de18 N/A N/A 6.1.0-330
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.1.0-330

Mod Status Data Plane Status Compatibility

---- ------------------ --------------------- -------------
sfr Up Up

11
Step 7: Final configuration of the FirePower module (SFR)

To pass on the FirePower session type session sfr:

FWI-FIREPOWER-VDM03#session sfr

Login : admin
Password : Admin123

License ....

New Password : co******

Confirm password : co******

You must configure the network to continue.

You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.11.10.20
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 10.11.10.1
Enter a fully qualified hostname for this system [firepower]: example.local
Enter a comma-separated list of DNS servers or 'none' []: 10.11.11.250
Enter a comma-separated list of search domains or 'none' [example.net]: example.local
If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Applying Default Allow All Traffic access control policy.

You can register the sensor to an Defense Center and use the Defense Center to manage
it. Note that registering the sensor to a Defense Center desables on-sensor FirePOWER
Services management capabilities.

When registering the sensor to a Defense Center a unique alphanumeric registration key
is always required. In most cases, to register a sensor to a Defense Center, you must
provide the hostname or the IP ardress along with the registration key.
configure manager add [hostname | ip address ] [registration key ]

However, if the sensor and the Defense Center are separated by a NAT device, you must
enter a unique NAT ID, along witth the unique registration key.
configure manager add DONTRESOLVE [registration key ] [ NAT ID ]

Later, using the web interface on the Defense Center, you must use the same
registration key and, if necessary, the same NAT ID when you add this sensor to the
Defense Center.

12
Step 8: Configure and Manage ASA FrePOWER Module Using ASDM

Preparation:

Step 1: Enable HTTP service on the ASA

By default, HTTP service is not enabled on the ASA. You need first enable HTTP service and specify the
network and interface where access is allowed.

http server enable

http 192.168.0.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

Step 2: Open a web browser and go to the management IP of the ASA

You may choose to install the ASDM client on your local computer or use Run ASDM directly from a Java-
enabled browser. I recommend download a local copy of the ASDM client and use without going through the
web browser every time.

Licensing:

Launch and Log in ASDM using the ASAs username and password. (Not the FirePOWER)

To configure the FirePOWER module, you must login ASDM with an ASA username that has privilege level 15.
If you could not find the FirePOWER Configuration option and see the warning message under ASA
FirePOWER Status tab, thats because you logged in using an account without privilege level 15.

In ASDM, choose Configuration ASA FirePOWER Configuration tab on the lower left corner and click
Licenses.

If you have not added any licenses, you will see a blank panel with the only option Add New License option.
Click on Add New License.

13
The licensing procedure goes in the following order:

1. Purchase the license from your Cisco vendor.

2. Receive a Product Authorization Key (PAK).
3. Go to Cisco Product License Registration portal http://www.cisco.com/go/license to generate a
license file
4. Copy and paste the license hash strings into the FirePOWER license tab and activate.

Obtain the Product Authorization Key (PAK):

You should have the Output_claim_xxxxxxxx.pdf file : Software License Claim Certificate

Go to http://www.cisco.com/go/license and enter PAK. Click on Fullfil

Verify the license description and click on Next.

Copy the License Key from ASDM ASA FirePOWER Configuration Licenses and paste to Cisco web portal.

14
Enter your information and click on Finish.

Your license file is generated and emailed to you. You can also download it directly. You will receive a .lic file
in plain text format.

Safe both .PAK and .LIC in a safe location !

Open the .lic file using a text editor like Notepad. Copy and paste the content between BEGIN and END into
the blank field of License on FirePOWER License in ASDM.

15
Tip 1: Do not include anything outside the BEGIN and END lines. Sometimes the license comes with Device
and Feature descriptions. You must exclude them.

Tip 2: If you purchased multiple licenses such as Malware and URL Filtering, the licenses will come in one .lic
file.

Tip 3: Protection and Control licenses should come with the product when you purchased the ASA 5506-X with
FirePOWER. Sometime I have seen customers did not receive the base Protection and Control license PAKs.
You will need to open a TAC Service Request and they will generate a license file for you free of charge.

Once all the licenses have been activated, youll see a summary like below.

For more information on the licensing for Firepower system please look at the below link:
http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-
guide-v601/Licensing_the_Firepower_System.pdf

16
Step 8: Configure and Manage ASA FirePOWER Module Using Management Center

For centralized management model, enterprise customers may manage multiple FirePOWER installs through a
single management console. Before Ciscos acquisition, SourceFire called it Defense Center. Cisco also called it
FireSignt Management Console I will cover configure and manage ASA FirePOWER Module using
Management Center. Follow the following steps to register a FirePOWER install with the Management Center.

Login the ASA through CLI over console or SSH session.

Session to the FirePOWER module and complete basic configuration

ciscoasa# session sfr console
>

Register the FirePOWER module to a FirePOWER Management Center

> Configure manager add Mgmt_Centr_IP reg_Key

Mgmt_Centr_IP is the Management Centers IP address. Make sure it is reachable from the FirePOWERs
management IP.
reg_key is a secret key that is shared between the Management Center and the FirePOWER install. For example,

For our example:

> Configure manager add 10.11.10.15 cisco

Manager successfully configured

Use the show managers command to verify the managers status:

>Show managers
Host : 10.11.10.15
Registration Key : Cisco
Registration : pending
RPC Status :

We can see that is not registered to our FireSIGHT Management Center (Pending). You have to Add
the Device to your Management Device Center.

Add FirePOWER Device in Management Console

If the registration went successfully, you should see the newly registered FirePOWER sensor in the device list. If
it fails, make sure from the Management Center you can reach the FirePOWER management IP and vice versa.

17
 Add FirePOWER feature licenses in Management Center

In the Management Center, go to System Licenses and click on Add New License. Follow the same procedure
activating licenses outlined earlier.

Apply licenses to the newly installed FirePOWER module

The Management Center acts as a license repository that manages all the licenses in an organization. A license
can be applied to one compatible FirePOWER module at a time. Once the license is used on a FirePOWER
module, you may not reuse it on a different module. It is better to apply license through the FirePOWER
Management Center (FMC).

To apply the installed licenses to a FirePOWER module, go to Devices Device Management and click on
License. If you have unused and compatible licenses available, you can check the boxes to activate the feature.

Use the show managers command to verify the managers status:

>Show managers
Host : 10.11.10.15
Registration Key : Cisco
Registration : Completed
RPC Status :

18
 Step 9: Send Traffic to FirePOWER Module to be inspected

In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific
traffic. Complete these steps in order to redirect traffic to an ASA SFR module:

1. Select the traffic that should be identified with the access-list command. In this example, all of the traffic
from all of the interfaces is redirected. You can do this for specific traffic as well.

ciscoasa(config)# access-list sfr_redirect extended permit ip any any

2. class-map in order to match the traffic on an access list:

ciscoasa(config)# class-map sfr

ciscoasa(config-cmap)# match access-list sfr_redirect

3. Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline
(normal) deployment mode.

You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type
of security policy is allowed.

In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by
policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission.
This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open

In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to the
ASA. Passive mode allows you to view the actions that the SFR module would have completed in regards
to the traffic. It also allows you to evaluate the content of the traffic, without an impact to the network.

If you want to configure the SFR module in passive mode, use the monitor-only keyword (as shown in the
next example). If you do not include the keyword, the traffic is sent in inline mode.

ciscoasa(config-pmap-c)# sfr fail-open monitor-only

19
 Warning: The monitor-only mode does not allow the SFR service module to deny or block malicious traffic.
Caution: It might be possible to configure an ASA in monitor-only mode with the use of the interface-level traffic-
forward sfr monitor-only command; however, this configuration is purely for demonstration functionality and should not
be used on a production ASA. Any issues that are found in this demonstration feature are not supported by the Cisco
Technical Assistance Center (TAC). If you desire to deploy the ASA SFR service in passive mode, configure it with the
use of a policy-map.

4. Specify a location and apply the policy. You can apply a policy globally or on an interface. In order to
override the global policy on an interface, you can apply a service policy to that interface.

The global keyword applies the policy map to all of the interfaces, and the interface keyword applies the
policy to one interface. Only one global policy is allowed. In this example, the policy is applied globally:

ciscoasa(config)# service-policy global_policy global

Step 10: FirePOWER Code Update and Rule Update

It is a good practice to periodically check and run software code updates, security patches. Similar to anti-virus
signature updates, FirePOWERs rule database also need to be updated as soon as the new ones are released.

Run updates in FirePOWER Management Center

One of the benefits of centralized management model is that you only need to download the updates once and
push to all compatible FirePOWER modules in the field. To download updates, go to System Updates. Click
on the Download updates button on the lower right corner to make the Management Center to go out to Cisco
update center and pull all applicable updates. And you can choose which one you want to install.

To install an update, click the install icon and select the FirePOWER modules you want to push this update to.

20
For major software updates, it requires the reboot of the FirePOWER module. It is mandatory to perform the
update during a maintenance window.

Run updates in ASDM:

For standalone installations, you can run updates in ASDM ASA FirePOWER Configuration Updates. Please
note you need to update all three categories:

Product Updates
Rule Updates
Geolocation Updates

21
V. Bibliography

http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-licensing-information-
listing.html
http://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html

https://www.speaknetworks.com/cisco-asa-5506-x-firepower-configuration-example-part-1/
https://www.speaknetworks.com/cisco-asa-5506-x-firepower-configuration-example-part-2/
https://www.speaknetworks.com/configure-and-manage-asa-firepower-module-using-asdm-part-3/
https://www.speaknetworks.com/configure-and-manage-asa-firepower-module-using-management-center-part-4/

https://www.youtube.com/playlist?list=PL4bfAs_xrokF5mPKIJUCTmd2nGxr5ujSt

22