FPR2110 Firepower 2110 Network Security Firewall Appliance
Specifications:
- Product: Cisco Firepower 2100
- First Published: 2019-09-25
- Last Modified: 2023-01-23
- Manufacturer: Cisco Systems, Inc.
- Headquarters: San Jose, CA, USA
- Website: http://www.cisco.com
- Phone: 408 526-4000
Product Usage Instructions:
Applications:
You can choose to run either the Secure Firewall ASA or the
Secure Firewall Threat Defense application on your Cisco Firepower
2100 hardware platform. The applications provide firewall, VPN
concentrator, and next-generation IPS functionalities. If you wish
to switch between ASA and Threat Defense, refer to the Cisco Secure
Firewall ASA and Secure Firewall Threat Defense Reimage Guide.
Managers:
The Secure Firewall 2100 supports multiple managers for managing
the Threat Defense and ASA applications. The available managers
are:
- Secure Firewall Management Center: A multi-device manager that can be deployed on its own server hardware or as a virtual device on a hypervisor. Refer to the deployment guides for setting up on the Management network or a remote network.
- Secure Firewall Device Manager: A simplified on-device manager with limited support for certain Threat Defense features. Check the deployment guide for starting with the Device Manager.
- Cisco Defense Orchestrator (CDO): A cloud-delivered Firewall Management Center that offers configuration functionality similar to an on-premises management center. CDO can also manage other security devices like ASAs.
- Secure Firewall Threat Defense REST API: Allows automation of direct configuration of the Threat Defense. Not applicable if managing via the management center.
- Secure Firewall Management Center REST API: Enables automation of management center policies that can be applied to managed threat defenses.
FAQ:
Q: Can I use both ASA and Threat Defense applications
simultaneously?
A: No, you can choose to run either the Secure Firewall ASA or
the Secure Firewall Threat Defense application at a time on your
Cisco Firepower 2100 hardware platform.
Q: Which manager should I choose for managing my Secure
Firewall 2100?
A: The choice of manager depends on your specific requirements.
You can select from the Secure Firewall Management Center, Secure
Firewall Device Manager, Cisco Defense Orchestrator (CDO), or
utilize the REST APIs based on your management needs.
Cisco Firepower 2100 Getting Started Guide
First Published: 2019-09-25 Last Modified: 2023-01-23
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Chapter 1
Which Application and Manager is Right for You?
Your hardware platform can run one of two applications. For each application, you have a choice of managers. This chapter explains the application and manager choices.
· Applications, on page 1
· Managers, on page 1
Applications
You can use either the Secure Firewall ASA or the Secure Firewall Threat Defense (formerly Firepower Threat Defense) application on your hardware platform:
· ASA–The ASA is a traditional, advanced stateful firewall and VPN concentrator.
· Threat Defense–The threat defense is a next-generation firewall that combines an advanced stateful firewall, VPN concentrator, and next generation IPS.
Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense. To reimage between the ASA and the threat defense, see the Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide.
Managers
The threat defense and ASA support multiple managers.
Threat Defense Managers
Table 1: Threat Defense Managers

Secure Firewall Management Center (formerly Firepower Management Center)
The management center is a multi-device manager that runs on its own server hardware, or as a virtual device on a hypervisor.
To get started with the management center on the Management network, see Threat Defense Deployment with the Management Center, on page 5.
To get started with the management center on a remote network, see Threat Defense Deployment with a Remote Management Center, on page 47.

Secure Firewall Device Manager (formerly Firepower Device Manager)
The device manager is a simplified, on-device manager. Some threat defense features are not supported using the device manager.
To get started with the device manager, see Threat Defense Deployment with the Device Manager, on page 105.

Cisco Defense Orchestrator (CDO) Cloud-delivered Firewall Management Center
CDO’s cloud-delivered Firewall Management Center has all of the configuration functionality of an on-premises management center. For the analytics functionality, you can use a cloud solution or an on-prem management center. CDO also manages other security devices, such as ASAs.
To get started with CDO provisioning, see Threat Defense Deployment with CDO, on page 131.

Secure Firewall Threat Defense REST API
The threat defense REST API lets you automate direct configuration of the threat defense. You cannot use this API if you are managing the threat defense using the management center.
The threat defense REST API is not covered in this guide. For more information, see the Cisco Secure Firewall Threat Defense REST API Guide.

Secure Firewall Management Center REST API
The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses. This API does not manage the threat defense directly.
The management center REST API is not covered in this guide. For more information, see the Secure Firewall Management Center REST API Quick Start Guide.
ASA Managers
Table 2: ASA Managers

Adaptive Security Device Manager (ASDM)
ASDM is a Java-based, on-device manager that provides full ASA functionality.
To get started with ASDM, see ASA Appliance Mode Deployment with ASDM, on page 187. If you know you want to use the ASA in Platform mode, see ASA Platform Mode Deployment with ASDM and Chassis Manager, on page 207.

CLI
You can use the CLI to configure all ASA functionality.
The CLI is not covered in this guide. For more information, see the ASA configuration guides.

CDO
CDO is a cloud-based, multi-device manager. CDO also manages other security devices, such as threat defenses.
CDO for ASA is not covered in this guide. To get started with CDO, see the CDO home page.

Cisco Security Manager (CSM)
CSM is a multi-device manager that runs on its own server hardware. CSM does not support managing the threat defenses.
CSM is not covered in this guide. For more information, see the CSM user guide.

ASA HTTP Interface
Using HTTP, an automation tool can execute commands on the ASAs by accessing specifically formatted URLs.
The ASA HTTP interface is not covered in this guide. For more information, see the Cisco Secure Firewall ASA HTTP Interface for Automation.
Chapter 2
Threat Defense Deployment with the Management Center
Is This Chapter for You?
To see all available applications and managers, see Which Application and Manager is Right for You?, on page 1. This chapter applies to the threat defense with the management center.

This chapter explains how to complete the initial configuration of your threat defense and how to register the firewall to the management center located on your management network. For remote branch deployment, where the management center resides at a central headquarters, see Threat Defense Deployment with a Remote Management Center, on page 47.

In a typical deployment on a large network, you install multiple managed devices on network segments. Each device controls, inspects, monitors, and analyzes traffic, and then reports to a managing management center. The management center provides a centralized management console with a web interface that you can use to perform administrative, management, analysis, and reporting tasks in service to securing your local network.
About the Firewall
The hardware can run either threat defense software or ASA software. Switching between threat defense and ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide.

The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.

Privacy Collection Statement–The firewall does not require or actively collect personally identifiable information. However, you can use personally identifiable information in the configuration, for example for usernames. In this case, an administrator might be able to see this information when working with the configuration or when using SNMP.
· Before You Start, on page 6
· End-to-End Tasks, on page 6
· Review the Network Deployment, on page 8
· Cable the Device, on page 10
· Power on the Device, on page 12
· (Optional) Check the Software and Install a New Version, on page 13
· Complete the Threat Defense Initial Configuration, on page 15
· Log Into the Management Center, on page 23
· Obtain Licenses for the Management Center, on page 23
· Register the Threat Defense with the Management Center, on page 25
· Configure a Basic Security Policy, on page 28
· Access the Threat Defense and FXOS CLI, on page 43
· Power Off the Firewall, on page 44
· What’s Next?, on page 45
Before You Start
Deploy and perform initial configuration of the management center. See the getting started guide for your model.
End-to-End Tasks
See the following tasks to deploy the threat defense with the management center.
Workspace: Task
Pre-Configuration: Install the firewall. See the hardware installation guide.
Pre-Configuration: Review the Network Deployment, on page 8.
Pre-Configuration: Cable the Device, on page 10.
Pre-Configuration: Power on the Device, on page 12.
CLI: (Optional) Check the Software and Install a New Version, on page 13.
CLI or Device Manager: Complete the Threat Defense Initial Configuration, on page 15.
Management Center: Log Into the Management Center, on page 23.
Cisco Commerce Workspace: Obtain Licenses for the Management Center, on page 23: Buy feature licenses.
Smart Software Manager: Obtain Licenses for the Management Center, on page 23: Generate a license token for the management center.
Management Center: Obtain Licenses for the Management Center, on page 23: Register the Management Center with the Smart Licensing server.
Management Center: Register the Threat Defense with the Management Center, on page 25.
Management Center: Configure a Basic Security Policy, on page 28.
Review the Network Deployment
Management Interface
The management center communicates with the threat defense on the Management interface. The dedicated Management interface is a special interface with its own network settings:
· By default, the Management 1/1 interface is enabled and configured as a DHCP client. If your network does not include a DHCP server, you can set the Management interface to use a static IP address during initial setup at the console port.
· Both the threat defense and the management center require internet access from their management interfaces for licensing and updates.
Note The management connection is a secure, TLS-1.3-encrypted communication channel between the management center and the device. You do not need to run this traffic over an additional encrypted tunnel such as Site-to-Site VPN for security purposes. If the VPN goes down, for example, you will lose your management connection, so we recommend a simple management path.
Data Interfaces
You can configure other interfaces after you connect the threat defense to the management center.

Typical Separate Management Network Deployment
The following figure shows a typical network deployment for the firewall where:
· The threat defense, management center, and management computer connect to the management network.
· The management network has a path to the internet for licensing and updates.
Figure 1: Separate Management Network
Typical Edge Network Deployment
The following figure shows a typical network deployment for the firewall where:
· The inside interface acts as the internet gateway for Management and for the management center.
· Connects Management 1/1 to an inside interface through a Layer 2 switch.
· Connects the management center and management computer to the switch. This direct connection is allowed because the Management interface has separate routing from the other interfaces on the threat defense.
Figure 2: Edge Network Deployment
Cable the Device
To cable one of the above scenarios on the Firepower 2100, see the following steps.
Note Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
Procedure
Step 1 Install the chassis. See the hardware installation guide.
Step 2 Cable for a separate management network:
Figure 3: Cabling a Separate Management Network
Note For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
a) Cable the following to your management network:
· Management 1/1 interface
· Management Center
· Management computer
b) Connect the management computer to the console port. You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface or use the device manager for initial setup.
c) Connect the inside interface (for example, Ethernet 1/2) to your inside router.
d) Connect the outside interface (for example, Ethernet 1/1) to your outside router.
e) Connect other networks to the remaining interfaces.
Step 3 Cable for an edge deployment:
Figure 4: Cabling an Edge Deployment
Note For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
a) Cable the following to a Layer 2 Ethernet switch:
· Inside interface (for example, Ethernet 1/2)
· Management 1/1 interface
· Management Center
· Management computer
b) Connect the management computer to the console port. You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface or use the device manager for initial setup.
c) Connect the outside interface (for example, Ethernet 1/1) to your outside router.
d) Connect other networks to the remaining interfaces.
Power on the Device
The power switch is located to the left of power supply module 1 on the rear of the chassis. It is a toggle switch that controls power to the system. If the power switch is in standby position, only the 3.3-V standby power is enabled from the power supply module and the 12-V main power is OFF. When the switch is in the ON position, the 12-V main power is turned on and the system boots.
Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.
Before you begin
It’s important that you provide reliable power for your device (for example, using an uninterruptable power supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are many processes running in the background all the time, and losing power does not allow the graceful shutdown of your system.
Procedure
Step 1 Attach the power cord to the device and connect it to an electrical outlet.
Step 2 Press the power switch on the back of the device.
Step 3 Check the PWR LED on the front of the device; if it is solid green, the device is powered on.
Step 4 Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on diagnostics.
Note Before you move the power switch to the OFF position, use the shutdown commands so that the system can perform a graceful shutdown. This may take several minutes to complete. After the graceful shutdown is complete, the console displays It is safe to power off now. The front panel blue locator beacon LED lights up indicating the system is ready to be powered off. You can now move the switch to the OFF position. The front panel PWR LED flashes momentarily and turns off. Do not remove the power until the PWR LED is completely off.
See the FXOS Configuration Guide for more information on using the shutdown commands.
(Optional) Check the Software and Install a New Version
To check the software version and, if necessary, install a different version, perform these steps. We recommend that you install your target version before you configure the firewall. Alternatively, you can perform an upgrade after you are up and running, but upgrading, which preserves your configuration, may take longer than using this procedure.

What Version Should I Run?
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html; for example, this bulletin describes short-term release numbering (with the latest features), long-term release numbering (maintenance releases and patches for a longer period of time), or extra long-term release numbering (maintenance releases and patches for the longest period of time, for government certification).
Procedure
Step 1
Connect to the CLI. See Access the Threat Defense and FXOS CLI, on page 43 for more information. This procedure shows using the console port, but you can use SSH instead.
Log in with the admin user and the default password, Admin123.
You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This password is also used for the threat defense login for SSH.
Note If the password was already changed, and you do not know it, you must perform a factory reset to reset the password to the default. See the FXOS troubleshooting guide for the factory reset procedure.
Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 2
At the FXOS CLI, show the running version.
scope ssa
show app-instance
Example:
Firepower# scope ssa
Firepower /ssa # show app-instance
Application Name Slot ID Admin State Operational State Running Version Startup Version Cluster Oper State
---------------- ------- ----------- ----------------- --------------- --------------- ------------------
ftd              1       Enabled     Online            7.4.0.65        7.4.0.65        Not Applicable
Step 3
If you want to install a new version, perform these steps.
a) If you need to set a static IP address for the Management interface, see Complete the Threat Defense Initial Configuration Using the CLI, on page 19. By default, the Management interface uses DHCP.
You will need to download the new image from a server accessible from the Management interface.
b) Perform the reimage procedure in the FXOS troubleshooting guide.
After the firewall reboots, you connect to the FXOS CLI again.
c) At the FXOS CLI, you are prompted to set the admin password again.
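As an added example (not Cisco's code and not part of this guide), the following Python helper parses the show app-instance table from Step 2 and reports whether the firewall already runs the version you intend to deploy or needs the reimage from Step 3. The sample output is constructed from the column layout shown above; the version 7.4.0.65 is the guide's own example value.

```python
import re

# Constructed sample of 'scope ssa' / 'show app-instance' output, laid out as in the guide.
SAMPLE_OUTPUT = """\
Firepower# scope ssa
Firepower /ssa # show app-instance
Application Name Slot ID Admin State Operational State Running Version Startup Version Cluster Oper State
---------------- ------- ----------- ----------------- --------------- --------------- ------------------
ftd              1       Enabled     Online            7.4.0.65        7.4.0.65        Not Applicable
"""

# One data row: application name, slot, admin state, operational state, running and
# startup versions, then the cluster state (which may itself contain spaces).
ROW_RE = re.compile(
    r"^(?P<app>ftd|asa)\s+(?P<slot>\d+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+"
    r"(?P<running>[\d.]+)\s+(?P<startup>[\d.]+)\s+(?P<cluster>.+?)\s*$"
)


def parse_app_instances(output):
    """Return a list of dicts, one per application-instance row in the CLI output."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            rows.append(match.groupdict())
    return rows


def version_key(version):
    """Turn '7.4.0.65' into (7, 4, 0, 65) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess_version(rows, target_version):
    """Decide what to do before initial configuration, given the parsed rows and the
    version you intend to run (for example the Gold Star release).

    Returns {"action": "none" | "wait" | "reimage", "reason": str}.
    """
    ftd_rows = [r for r in rows if r["app"] == "ftd"]
    if not ftd_rows:
        # ASA (or no instance) is installed: switching applications requires a reimage.
        return {"action": "reimage", "reason": "threat defense is not installed"}
    row = ftd_rows[0]
    if row["oper"] != "Online":
        # Initialization can take 15 to 30 minutes on first boot; do not act until Online.
        return {"action": "wait", "reason": f"operational state is {row['oper']}"}
    if row["running"] != row["startup"]:
        # A different startup version means an install is already pending.
        return {"action": "wait",
                "reason": f"startup version {row['startup']} differs from running {row['running']}"}
    if version_key(row["running"]) == version_key(target_version):
        return {"action": "none", "reason": f"already running {target_version}"}
    return {"action": "reimage",
            "reason": f"running {row['running']}, target is {target_version}"}


if __name__ == "__main__":
    parsed = parse_app_instances(SAMPLE_OUTPUT)
    print(parsed)
    print(assess_version(parsed, "7.4.0.65"))
```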
Complete the Threat Defense Initial Configuration
You can complete the threat defense initial configuration using the CLI or device manager.
Complete the Threat Defense Initial Configuration Using the Device Manager
Connect to the device manager to perform initial setup of the threat defense. When you perform initial setup using the device manager, all interface configuration completed in the device manager is retained when you switch to the management center for management, in addition to the Management interface and manager access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the CLI, only the Management interface and manager access settings are retained (for example, the default inside interface configuration is not retained).
Before you begin
Deploy and perform initial configuration of the management center. You will need to know the management center IP address or hostname before you set up the threat defense.
Procedure
Step 1 Log in to the device manager.
a) Enter one of the following URLs in your browser.
· Inside (Ethernet 1/2)–https://192.168.95.1.
· Management–https://management_ip. The Management interface is a DHCP client, so the IP address depends on your DHCP server. You might have to set the Management IP address to a static address as part of this procedure, so we recommend that you use the inside interface so you do not become disconnected.
b) Log in with the username admin, and the default password Admin123.
c) You are prompted to read and accept the End User License Agreement and change the admin password.
Step 2 Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.
After you complete the setup wizard, in addition to the default configuration for the inside interface (Ethernet1/2), you will have configuration for an outside (Ethernet1/1) interface that will be maintained when you switch to management center management.
a) Configure the following options for the outside and management interfaces and click Next.
1. Outside Interface Address–This interface is typically the internet gateway, and might be used as your manager access interface. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.
If you want to use a different interface from outside (or inside) for manager access, you will have to configure it manually after completing the setup wizard.
Configure IPv4–The IPv4 address for the outside interface. You can use DHCP or manually enter a static IP address, subnet mask, and gateway. You can also select Off to not configure an IPv4 address. You cannot configure PPPoE using the setup wizard. PPPoE may be required if the interface is connected to a DSL modem, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address. You can configure PPPoE after you complete the wizard.
Configure IPv6–The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.
2. Management Interface
You will not see Management Interface settings if you performed initial setup at the CLI. Note that setting the Management interface IP address is not part of the setup wizard. See Step 3, on page 16 to set the Management IP address.
DNS Servers–The DNS server for the firewall’s Management interface. Enter one or more addresses of DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields.
Firewall Hostname–The hostname for the firewall’s Management interface.
b) Configure the Time Setting (NTP) and click Next.
1. Time Zone–Select the time zone for the system.
2. NTP Time Server–Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups.
c) Select Start 90 day evaluation period without registration.
Do not register the threat defense with the Smart Software Manager; all licensing is performed on the management center.
d) Click Finish.
e) You are prompted to choose Cloud Management or Standalone. For management center management, choose Standalone, and then Got It.
Step 3 (Might be required) Configure a static IP address for the Management interface. Choose Device, then click the System Settings > Management Interface link.
If you want to configure a static IP address, be sure to also set the default gateway to be a unique gateway instead of the data interfaces. If you use DHCP, you do not need to configure anything.
Step 4 If you want to configure additional interfaces, including an interface other than outside or inside, choose Device, and then click the link in the Interfaces summary.
See Configure the Firewall in the Device Manager, on page 124 for more information about configuring interfaces in the device manager. Other device manager configuration will not be retained when you register the device to the management center.
Step 5 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.
Step 6 Configure the Management Center/CDO Details.
Figure 5: Management Center/CDO Details
a) For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
At least one of the devices, either the management center or the threat defense device, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices.
b) If you chose Yes, then enter the Management Center/CDO Hostname/IP Address.
c) Specify the Management Center/CDO Registration Key.
This key is a one-time registration key of your choice that you will also specify on the management center when you register the threat defense device. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-). This ID can be used for multiple devices registering to the management center.
d) Specify a NAT ID.
This ID is a unique, one-time string of your choice that you will also specify on the management center. This field is required if you only specify the IP address on one of the devices; but we recommend that you specify the NAT ID even if you know the IP addresses of both devices. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center. The NAT ID is used in combination with the IP address to verify that the connection is coming from the correct device; only after authentication of the IP address/NAT ID will the registration key be checked.
Step 7 Configure the Connectivity Configuration.
a) Specify the FTD Hostname.
b) Specify the DNS Server Group.
Choose an existing group, or create a new one. The default DNS group is called CiscoUmbrellaDNSServerGroup, which includes the OpenDNS servers.
c) For the Management Center/CDO Access Interface, choose management.
Step 8 Click Connect. The Registration Status dialog box shows the current status of the switch to the management center. After the Saving Management Center/CDO Registration Settings step, go to the management center, and add the firewall.
If you want to cancel the switch to the management center, click Cancel Registration. Otherwise, do not close the device manager browser window until after the Saving Management Center/CDO Registration Settings step. If you do, the process will be paused, and will only resume when you reconnect to the device manager.
If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.
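As an added example (not Cisco's code and not part of this guide), the following Python helper applies the registration key and NAT ID rules from Step 6 to a batch of planned registrations before you type them into the device manager and the management center: length and character set, the reachability requirement, the NAT ID being mandatory when only one side's address is known, and NAT ID uniqueness across devices. The device record fields and the sample device list are constructed for the example.

```python
import re
import secrets

MAX_LEN = 37  # both the registration key and the NAT ID must not exceed 37 characters
# Alphanumeric characters (A-Z, a-z, 0-9) and the hyphen are the only valid characters.
ALLOWED = re.compile(r"^[A-Za-z0-9-]{1,37}$")
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def is_valid_identifier(value):
    """True if value satisfies the length and character rules for a key or NAT ID."""
    return isinstance(value, str) and ALLOWED.fullmatch(value) is not None


def generate_identifier(length=32):
    """Generate a random registration key or NAT ID from the allowed alphabet
    using the OS CSPRNG; 32 characters keeps it under the 37-character limit."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and 37")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_registrations(devices):
    """Return a list of findings for planned registrations.

    Each device record (constructed field names) has:
      hostname        - threat defense hostname
      device_ip_known - the management center can reach the device by IP/hostname
      fmc_ip_known    - the device can reach the management center by IP/hostname
      reg_key         - registration key (may be shared across devices)
      nat_id          - NAT ID, or None if not planned
    """
    findings = []
    nat_owner = {}  # NAT ID -> hostname that already claimed it
    for d in devices:
        name = d["hostname"]
        if not (d["device_ip_known"] or d["fmc_ip_known"]):
            findings.append(f"{name}: error: at least one side must have a reachable IP address or hostname")
        if not is_valid_identifier(d["reg_key"]):
            findings.append(f"{name}: error: registration key must be 1-37 characters of A-Z, a-z, 0-9 and '-'")
        nat_id = d.get("nat_id")
        if nat_id is None:
            if d["device_ip_known"] and d["fmc_ip_known"]:
                findings.append(f"{name}: warning: NAT ID is recommended even when both IP addresses are known")
            else:
                findings.append(f"{name}: error: NAT ID is required when only one side's IP address is known")
            continue
        if not is_valid_identifier(nat_id):
            findings.append(f"{name}: error: NAT ID must be 1-37 characters of A-Z, a-z, 0-9 and '-'")
        elif nat_id in nat_owner:
            findings.append(f"{name}: error: NAT ID '{nat_id}' is already used by {nat_owner[nat_id]}")
        else:
            nat_owner[nat_id] = name
    return findings


# Constructed sample: three branch firewalls registering to one management center.
SAMPLE_DEVICES = [
    {"hostname": "fw-branch-1", "device_ip_known": True, "fmc_ip_known": True,
     "reg_key": "site-key-2024", "nat_id": "branch1-nat"},
    # Device behind NAT, reusing branch 1's NAT ID by mistake.
    {"hostname": "fw-branch-2", "device_ip_known": False, "fmc_ip_known": True,
     "reg_key": "site-key-2024", "nat_id": "branch1-nat"},
    # Key breaks both the character and the length rule; no NAT ID planned.
    {"hostname": "fw-branch-3", "device_ip_known": True, "fmc_ip_known": True,
     "reg_key": "too_long_key_with_underscores_and_more_than_37_chars", "nat_id": None},
]

if __name__ == "__main__":
    for finding in check_registrations(SAMPLE_DEVICES):
        print(finding)
    print("suggested NAT ID:", generate_identifier())
```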
Figure 6: Successful Connection
Complete the Threat Defense Initial Configuration Using the CLI
Connect to the threat defense CLI to perform initial setup, including setting the Management IP address, gateway, and other basic networking settings using the setup wizard. The dedicated Management interface is a special interface with its own network settings. In 6.7 and later: If you do not want to use the Management interface for the manager access, you can use the CLI to configure a data interface instead. You will also configure the management center communication settings.

When you perform initial setup using the device manager (7.1 and later), all interface configuration completed in the device manager is retained when you switch to the management center for management, in addition to the Management interface and manager access interface settings. Note that other default configuration settings, such as the access control policy, are not retained.
Procedure
Step 1 Connect to the threat defense CLI, either from the console port or using SSH to the Management interface, which obtains an IP address from a DHCP server by default. If you intend to change the network settings, we recommend using the console port so you do not get disconnected.
The console port connects to the FXOS CLI. The SSH session connects directly to the threat defense CLI.
Step 2 Log in with the username admin and the password Admin123.
At the console port, you connect to the FXOS CLI. The first time you log in to FXOS, you are prompted to change the password. This password is also used for the threat defense login for SSH.
Note If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.
Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 3
If you connected to FXOS on the console port, connect to the threat defense CLI.
connect ftd
Example:
firepower# connect ftd
>
Step 4
The first time you log in to the threat defense, you are prompted to accept the End User License Agreement (EULA) and, if using an SSH connection, to change the admin password. You are then presented with the CLI setup script.
Note
You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.
Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
See the following guidelines:
· Do you want to configure IPv4? and/or Do you want to configure IPv6?–Enter y for at least one of these types of addresses.
· Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for the management interface–Set a gateway IP address for Management 1/1 on the management network. In the edge deployment example shown in the network deployment section, the inside interface acts as the management gateway. In this case, you should set the gateway IP address to be the intended inside interface IP address; you must later use the management center to set the inside IP address. The data-interfaces setting applies only to the remote management center or device manager management.
· If your networking information has changed, you will need to reconnect–If you are connected with SSH but you change the IP address at initial setup, you will be disconnected. Reconnect with the new IP address and password. Console connections are not affected.
· Manage the device locally?–Enter no to use the management center. A yes answer means you will use the device manager instead.
· Configure firewall mode?–We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration.
Example:
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
[…]
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: ********
Confirm new password: ********
You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]:n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.15
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []:cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35
Setting DNS domains:cisco.com
Setting hostname as ftd-1.cisco.com
Setting static IPv4: 10.10.10.15 netmask: 255.255.255.192 gateway: 10.10.10.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: no
DHCP server is already disabled
DHCP Server Disabled
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...

Device is in OffBox mode - disabling/removing port 443 from iptables.
Update policy deployment information
    - add device configuration
    - add network discovery
    - add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>
Step 5
Identify the management center that will manage this threat defense.
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
· {hostname | IPv4_address | IPv6_address | DONTRESOLVE}–Specifies either the FQDN or IP address of the management center. If the management center is not directly addressable, use DONTRESOLVE and also specify the nat_id. At least one of the devices, either the management center or the threat defense, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices. If you specify DONTRESOLVE in this command, then the threat defense must have a reachable IP address or hostname.
· reg_key–Specifies a one-time registration key of your choice that you will also specify on the management center when you register the threat defense. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-).
· nat_id–Specifies a unique, one-time string of your choice that you will also specify on the management center when you register the threat defense when one side does not specify a reachable IP address or hostname. It is required if you set the management center to DONTRESOLVE. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center.
Example:
> configure manager add MC.example.com 123456
Manager successfully configured.
If the management center is behind a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
Example:
> configure manager add DONTRESOLVE regk3y78 natid90
Manager successfully configured.
If the threat defense is behind a NAT device, enter a unique NAT ID along with the management center IP address or hostname, for example:
Example:
> configure manager add 10.70.45.5 regk3y78 natid56
Manager successfully configured.
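The rules above for reg_key, nat_id and DONTRESOLVE, together with the matching entries later made in the management center's Add Device form, can be checked before anything is typed. The following Python is an added example, not code from the Cisco guide or the threat defense software; the hostnames, addresses and keys in it are constructed sample values, and the hostname shape check is an assumption (the guide only says FQDN or IP address).

```python
"""
Pre-flight check for threat defense manager registration settings.

Encodes the rules the guide states for `configure manager add` on the threat
defense (reg_key and nat_id: at most 37 characters, A-Z a-z 0-9 and hyphen
only; nat_id required with DONTRESOLVE) and for the Add Device form on the
management center (same registration key and NAT ID on both sides; Host may
be blank only when the device side gave both a manager address and a NAT ID).
Added example, not Cisco code; sample values are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_TOKEN_LEN = 37                               # limit stated in the guide
TOKEN_CHARS = re.compile(r"[A-Za-z0-9-]+")       # alphanumerics and hyphen
# Assumed hostname/FQDN shape; the guide only says "FQDN or IP address".
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_SHAPE = re.compile(LABEL + r"(\." + LABEL + r")*")


def check_token(name: str, value: str) -> List[str]:
    """Validate a registration key or NAT ID against the guide's limits."""
    if not value:
        return [f"{name} must not be empty"]
    problems = []
    if len(value) > MAX_TOKEN_LEN:
        problems.append(f"{name} is {len(value)} characters; the limit is {MAX_TOKEN_LEN}")
    if not TOKEN_CHARS.fullmatch(value):
        problems.append(f"{name} may contain only A-Z, a-z, 0-9 and '-'")
    return problems


def check_manager(manager: str) -> List[str]:
    """Accept DONTRESOLVE, an IPv4/IPv6 address, or a hostname/FQDN."""
    if manager == "DONTRESOLVE":
        return []
    try:
        ipaddress.ip_address(manager)
        return []
    except ValueError:
        pass
    if HOSTNAME_SHAPE.fullmatch(manager):
        return []
    return [f"manager '{manager}' is not DONTRESOLVE, an IP address or a hostname"]


def build_manager_command(manager: str, reg_key: str, nat_id: Optional[str] = None) -> str:
    """Return the `configure manager add` line for the threat defense CLI,
    or raise ValueError listing every rule the inputs break."""
    problems = check_manager(manager) + check_token("reg_key", reg_key)
    if nat_id is not None:
        problems += check_token("nat_id", nat_id)
    if manager == "DONTRESOLVE" and nat_id is None:
        problems.append("nat_id is required when the manager is DONTRESOLVE")
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["configure manager add", manager, reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


@dataclass
class DeviceSide:
    """What was entered at the threat defense CLI."""
    manager: str
    reg_key: str
    nat_id: Optional[str] = None


@dataclass
class ManagerSide:
    """What is entered in the management center's Add Device form."""
    host: str                  # may be empty ("leave this field blank")
    reg_key: str
    nat_id: Optional[str] = None


def check_pairing(device: DeviceSide, manager: ManagerSide) -> List[str]:
    """Cross-check both sides before clicking Register; [] means consistent."""
    problems = []
    if device.reg_key != manager.reg_key:
        problems.append("registration key differs between the two sides")
    if (device.nat_id or None) != (manager.nat_id or None):
        problems.append("NAT ID differs between the two sides")
    if not manager.host:
        # Host may be blank only if the device gave both a manager address and a NAT ID;
        # with DONTRESOLVE on the device and no Host here, neither side is addressable.
        if device.manager == "DONTRESOLVE" or not device.nat_id:
            problems.append("Host is blank but the device did not specify both a "
                            "manager address and a NAT ID")
    return problems
```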
What to do next
Register your firewall to the management center.
Log Into the Management Center
Use the management center to configure and monitor the threat defense.
Before you begin
For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes).
Procedure
Step 1
Using a supported browser, enter the following URL.
https://fmc_ip_address
Step 2
Enter your username and password.
Step 3
Click Log In.
Obtain Licenses for the Management Center
All licenses are supplied to the threat defense by the management center. You can purchase the following licenses:
· Essentials–(Required) Essentials license.
· IPS–Security Intelligence and Next-Generation IPS
· Malware Defense–Malware defense
· URL–URL Filtering
· Cisco Secure Client–Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide
Before you begin
· Have a master account on the Smart Software Manager. If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization.
· Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to use some features (enabled using the export-compliance flag).
Procedure
Step 1 Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs:
Figure 7: License Search
Note
If a PID is not found, you can add the PID manually to your order.
· IPS, Malware Defense, and URL license combination:
  · L-FPR2110T-TMC=
  · L-FPR2120T-TMC=
  · L-FPR2130T-TMC=
  · L-FPR2140T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
  · L-FPR2110T-TMC-1Y
  · L-FPR2110T-TMC-3Y
  · L-FPR2110T-TMC-5Y
  · L-FPR2120T-TMC-1Y
  · L-FPR2120T-TMC-3Y
  · L-FPR2120T-TMC-5Y
  · L-FPR2130T-TMC-1Y
  · L-FPR2130T-TMC-3Y
  · L-FPR2130T-TMC-5Y
  · L-FPR2140T-TMC-1Y
  · L-FPR2140T-TMC-3Y
  · L-FPR2140T-TMC-5Y
· Cisco Secure Client–See the Cisco Secure Client Ordering Guide.
Step 2
If you have not already done so, register the management center with the Smart Licensing server.
Registering requires you to generate a registration token in the Smart Software Manager. See the Cisco Secure Firewall Management Center Administration Guide for detailed instructions.
Register the Threat Defense with the Management Center
Register the threat defense to the management center manually using the device IP address or hostname.
Before you begin
· Gather the following information that you set in the threat defense initial configuration:
  · The threat defense management IP address or hostname, and NAT ID
  · The management center registration key
Procedure
Step 1
In the management center, choose Devices > Device Management.
Step 2
From the Add drop-down list, choose Add Device.
The Registration Key method is selected by default.
Figure 8: Add Device Using a Registration Key
Step 3
Set the following parameters:
· Host–Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration.
Note
In an HA environment, when both the management centers are behind a NAT, you can register the threat defense without a host IP or name in the primary management center. However, for registering the threat defense in a secondary management center, you must provide the IP address or hostname for the threat defense.
· Display Name–Enter the name for the threat defense as you want it to display in the management center.
· Registration Key–Enter the same registration key that you specified in the threat defense initial configuration.
· Domain–Assign the device to a leaf domain if you have a multidomain environment.
· Group–Assign it to a device group if you are using groups.
· Access Control Policy–Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page 40.
Figure 9: New Policy
· Smart Licensing–Assign the Smart Licenses you need for the features you want to deploy. Note: You can apply the Secure Client remote access VPN license after you add the device, from the System > Licenses > Smart Licenses page.
· Unique NAT ID–Specify the NAT ID that you specified in the threat defense initial configuration.
· Transfer Packets–Allow the device to transfer packets to the management center. When events like IPS or Snort are triggered with this option enabled, the device sends event metadata information and packet data to the management center for inspection. If you disable it, only event information will be sent to the management center, but packet data is not sent.
Click Register, and confirm a successful registration.
If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat defense fails to register, check the following items:
· Ping–Access the threat defense CLI, and ping the management center IP address using the following command:
ping system ip_address
If the ping is not successful, check your network settings using the show network command. If you need to change the threat defense Management IP address, use the configure network {ipv4 | ipv6} manual command.
· Registration key, NAT ID, and the management center IP address–Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the management center using the configure manager add command.
For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.
Configure a Basic Security Policy
This section describes how to configure a basic security policy with the following settings:
· Inside and outside interfaces–Assign a static IP address to the inside interface, and use DHCP for the outside interface.
· DHCP server–Use a DHCP server on the inside interface for clients.
· Default route–Add a default route through the outside interface.
· NAT–Use interface PAT on the outside interface.
· Access control–Allow traffic from inside to outside.
To configure a basic security policy, complete the following tasks.
Configure Interfaces, on page 29.
Configure the DHCP Server, on page 33.
Add the Default Route, on page 35.
Configure NAT, on page 37.
Allow Traffic from Inside to Outside, on page 40.
Deploy the Configuration, on page 41.
Configure Interfaces
Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Typically, you must configure at least two interfaces to have a system that passes meaningful traffic. Normally, you would have an outside interface that faces the upstream router or internet, and one or more inside interfaces for your organization's networks. Some of these interfaces might be "demilitarized zones" (DMZs), where you place publicly accessible assets such as your web server.
A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces.
The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.
Procedure
Step 1
Choose Devices > Device Management, and click the Edit ( ) for the firewall.
Step 2
Click Interfaces.
Figure 10: Interfaces
Step 3
Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
Figure 11: General Tab
a) Enter a Name up to 48 characters in length. For example, name the interface inside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by clicking New. For example, add a zone called inside_zone.
Each interface must be assigned to a security zone and/or interface group. An interface can belong to only one security zone, but can also belong to multiple interface groups. You apply your security policy based on zones or groups. For example, you can assign the inside interface to the inside zone; and the outside interface to the outside zone. Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most policies only support security zones; you can use zones or interface groups in NAT policies, prefilter policies, and QoS policies.
e) Click the IPv4 and/or IPv6 tab.
· IPv4–Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
Figure 12: IPv4 Tab
· IPv6–Check the Autoconfiguration check box for stateless autoconfiguration.
Figure 13: IPv6 Tab
f) Click OK.
Step 4
Click the Edit ( ) for the interface that you want to use for outside. The General tab appears.
Figure 14: General Tab
a) Enter a Name up to 48 characters in length. For example, name the interface outside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New. For example, add a zone called outside_zone.
e) Click the IPv4 and/or IPv6 tab.
· IPv4–Choose Use DHCP, and configure the following optional parameters:
  · Obtain default route using DHCP–Obtains the default route from the DHCP server.
  · DHCP route metric–Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.
Figure 15: IPv4 Tab
· IPv6–Check the Autoconfiguration check box for stateless autoconfiguration.
Figure 16: IPv6 Tab
f) Click OK.
Step 5
Click Save.
Configure the DHCP Server
Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
Procedure
Step 1
Choose Devices > Device Management, and click the Edit ( ) for the device.
Step 2
Choose DHCP > DHCP Server.
Figure 17: DHCP Server
Step 3
On the Server page, click Add, and configure the following options:
Figure 18: Add Server
· Interface–Choose the interface from the drop-down list.
· Address Pool–Set the range of IP addresses from lowest to highest that are used by the DHCP server. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.
· Enable DHCP Server–Enable the DHCP server on the selected interface.
Step 4
Click OK.
Step 5
Click Save.
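The two Address Pool rules above (same subnet as the interface, interface address excluded) can be checked before the pool is saved. The following Python function is an added example, not code from the Cisco guide; the interface and pool addresses are constructed to match the inside interface configured earlier (192.168.1.1/24), and the network/broadcast check is an extra sanity check beyond what the guide states.

```python
"""
Validate a DHCP server address pool against the interface it is attached to.
Added example, not Cisco code; sample addresses are constructed.
"""
import ipaddress
from typing import List


def check_dhcp_pool(interface_cidr: str, pool_start: str, pool_end: str) -> List[str]:
    """Return the rule violations for a pool; an empty list means it is acceptable.

    interface_cidr: the interface's own address in slash notation, e.g. 192.168.1.1/24
    pool_start/pool_end: the lowest and highest addresses entered in Address Pool
    """
    iface = ipaddress.ip_interface(interface_cidr)
    try:
        start = ipaddress.ip_address(pool_start)
        end = ipaddress.ip_address(pool_end)
    except ValueError as exc:
        return [f"unparseable pool address: {exc}"]
    # Addresses of different IP versions cannot be compared, so reject early.
    if start.version != iface.version or end.version != iface.version:
        return ["pool addresses must be the same IP version as the interface"]

    problems = []
    if start > end:
        problems.append(f"pool start {start} is higher than pool end {end}")
    # Rule 1 from the guide: the range must be on the interface's subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in iface.network:
            problems.append(f"pool {label} {addr} is not on subnet {iface.network}")
    # Rule 2 from the guide: the range cannot include the interface's own address.
    if start <= iface.ip <= end:
        problems.append(f"pool includes the interface address {iface.ip}")
    # Extra sanity check (not from the guide): the IPv4 network and broadcast
    # addresses are not assignable to hosts, so a pool should not touch them.
    if iface.version == 4 and (start == iface.network.network_address
                               or end == iface.network.broadcast_address):
        problems.append("pool must not include the network or broadcast address")
    return problems


def pool_size(pool_start: str, pool_end: str) -> int:
    """Number of addresses the pool can lease (inclusive range); 0 if reversed."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return int(end) - int(start) + 1 if end >= start else 0
```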
Add the Default Route
The default route normally points to the upstream router reachable from the outside interface. If you use DHCP for the outside interface, your device might have already received a default route. If you need to manually add the route, complete this procedure. If you received a default route from the DHCP server, it will show in the IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page.
Procedure
Step 1
Choose Devices > Device Management, and click the Edit ( ) for the device.
Step 2
Choose Routing > Static Route.
Figure 19: Static Route
Step 3 Click Add Route, and set the following:
Figure 20: Add Static Route Configuration
· Type–Click the IPv4 or IPv6 radio button depending on the type of static route that you are adding.
· Interface–Choose the egress interface; typically the outside interface.
· Available Network–Choose any-ipv4 for an IPv4 default route, or any-ipv6 for an IPv6 default route and click Add to move it to the Selected Network list.
· Gateway or IPv6 Gateway–Enter or choose the gateway router that is the next hop for this route. You can provide an IP address or a Networks/Hosts object.
· Metric–Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1.
Step 4
Click OK. The route is added to the static route table.
Step 5
Click Save.
Configure NAT
A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (PAT).
Procedure
Step 1
Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2
Name the policy, select the device(s) that you want to use the policy, and click Save.
Figure 21: New Policy
The policy is added to the management center. You still have to add rules to the policy.
Figure 22: NAT Policy
Step 3
Click Add Rule. The Add NAT Rule dialog box appears.
Step 4
Configure the basic rule options:
Figure 23: Basic Rule Options
· NAT Rule–Choose Auto NAT Rule.
· Type–Choose Dynamic.
Step 5
On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Figure 24: Interface Objects
Step 6
On the Translation page, configure the following options:
Figure 25: Translation
· Original Source–Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Figure 26: New Network Object
Note
You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects.
· Translated Source–Choose Destination Interface IP.
Step 7
Click Save to add the rule. The rule is saved to the Rules table.
Step 8
Click Save on the NAT page to save your changes.
Allow Traffic from Inside to Outside
If you created a basic Block all traffic access control policy when you registered the threat defense, then you need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing traffic to the appropriate networks.
Procedure
Step 1
Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense.
Step 2
Click Add Rule, and set the following parameters:
Figure 27: Add Rule
· Name–Name this rule, for example, inside-to-outside.
· Selected Sources–Select the inside zone from Zones, and click Add Source Zone.
· Selected Destinations and Applications–Select the outside zone from Zones, and click Add Destination Zone.
Leave the other settings as is.
Step 3
Click Apply. The rule is added to the Rules table.
Step 4
Click Save.
Deploy the Configuration
Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
Procedure
Step 1
Click Deploy in the upper right.
Figure 28: Deploy
Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices.
Figure 29: Deploy All
Figure 30: Advanced Deploy
Step 3
Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
Figure 31: Deployment Status
Access the Threat Defense and FXOS CLI
Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
Note You can alternatively SSH to the Management interface of the threat defense device. Unlike a console session, the SSH session defaults to the threat defense CLI, from which you can connect to the FXOS CLI using the connect fxos command. You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.
Procedure
Step 1
To log into the CLI, connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you may need a third party DB-9-to-USB serial cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system. The console port defaults to the FXOS CLI. Use the following serial settings:
· 9600 baud
· 8 data bits
· No parity
· 1 stop bit
You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123).
Example:
firepower login: admin
Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1
firepower#
Step 2
Access the threat defense CLI.
connect ftd
Example:
firepower# connect ftd
>
Step 3
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see Cisco Secure Firewall Threat Defense Command Reference.
To exit the threat defense CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?.
Example:
> exit
firepower#
Power Off the Firewall
It’s important that you shut down your system properly. Simply unplugging the power or pressing the power switch can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall system. You can power off the device using the management center device management page, or you can use the FXOS CLI.
Power Off the Firewall Using the Management Center
It’s important that you shut down your system properly. Simply unplugging the power or pressing the power switch can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall. You can shut down your system properly using the management center.
Procedure
Step 1
Choose Devices > Device Management.
Step 2
Next to the device that you want to restart, click Edit ( ).
Step 3
Click the Device tab.
Step 4
Click Shut Down Device ( ) in the System section.
Step 5
When prompted, confirm that you want to shut down the device.
Step 6
If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt:
System is stopped. It is safe to power off now.
Do you want to reboot instead? [y/N]
Step 7
If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.
You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary.
Power Off the Device at the CLI
You can use the FXOS CLI to safely shut down the system and power off the device. You access the CLI by connecting to the console port; see Access the Threat Defense and FXOS CLI, on page 43.
Procedure
Step 1
In the FXOS CLI, connect to local-mgmt:
firepower # connect local-mgmt
Step 2
Issue the shutdown command:
firepower(local-mgmt) # shutdown
Example:
firepower(local-mgmt)# shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': yes
INIT: Stopping Cisco Threat Defense......ok
Step 3
Monitor the system prompts as the firewall shuts down. You will see the following prompt:
System is stopped. It is safe to power off now.
Do you want to reboot instead? [y/N]
Step 4
You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary.
What’s Next?
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation.
For information related to using the management center, see the Firepower Management Center Configuration Guide.
Chapter 3
Threat Defense Deployment with a Remote Management Center
Is This Chapter for You?
To see all available applications and managers, see Which Application and Manager is Right for You?, on page 1. This chapter applies to the threat defense at a remote branch office using the management center at a central headquarters. Each threat defense controls, inspects, monitors, and analyzes traffic, and then reports to a managing management center. The management center provides a centralized management console with a web interface that you can use to perform administrative, management, analysis, and reporting tasks in service to securing your local network.
About the Firewall
The hardware can run either threat defense software or ASA software. Switching between threat defense and ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.
Privacy Collection Statement–The firewall does not require or actively collect personally identifiable information. However, you can use personally identifiable information in the configuration, for example for usernames. In this case, an administrator might be able to see this information when working with the configuration or when using SNMP.
· How Remote Management Works, on page 48
· Before You Start, on page 51
· End-to-End Tasks: Low-Touch Provisioning, on page 51
· End-to-End Tasks: Manual Provisioning, on page 55
· Central Administrator Pre-Configuration, on page 56
· Branch Office Installation, on page 69
· Central Administrator Post-Configuration, on page 71
How Remote Management Works
To allow the management center to manage the threat defense over the internet, you use the outside interface for management center manager access instead of the Management interface. Because most remote branch offices only have a single internet connection, outside management center access makes centralized management possible.
Note The management connection is a secure, TLS-1.3-encrypted communication channel between itself and the device. You do not need to run this traffic over an additional encrypted tunnel such as Site-to-Site VPN for security purposes. If the VPN goes down, for example, you will lose your management connection, so we recommend a simple management path.
Registration Methods
Use one of the following methods to provision your threat defense:
Low-Touch Provisioning (Management Center 7.4 and later, Threat Defense 7.2 and later)
· An administrator at the central headquarters sends the threat defense to the remote branch office. There is no pre-configuration required. In fact, you should not configure anything on the device, because low-touch provisioning may not work with pre-configured devices.
Note The central administrator can preregister the threat defense on the management center using the threat defense serial number before sending the device to the branch office. The management center integrates with SecureX and Cisco Defense Orchestrator (CDO) for this functionality.
· The branch office administrator cables and powers on the threat defense. · The central administrator finishes registering the threat defense using CDO.
Manual Provisioning · An administrator at the central headquarters pre-configures the threat defense at the CLI or using the device manager, and then sends the threat defense to the remote branch office. · The branch office administrator cables and powers on the threat defense. · The central administrator finishes registering the threat defense using the management center.
Threat Defense Manager Access Interface
This guide covers outside interface access, because it is the most likely scenario for remote branch offices. Although manager access occurs on the outside interface, the dedicated Management interface is still relevant. The Management interface is a special interface configured separately from the threat defense data interfaces, and it has its own network settings.
· The Management interface network settings are still used even though you are enabling manager access on a data interface.
· All management traffic continues to be sourced from or destined to the Management interface.
· When you enable manager access on a data interface, the threat defense forwards incoming management traffic over the backplane to the Management interface.
· For outgoing management traffic, the Management interface forwards the traffic over the backplane to the data interface.
Manager Access Requirements
Manager access from a data interface has the following limitations:
· You can only enable manager access on a physical, data interface. You cannot use a subinterface or EtherChannel. You can also use the management center to enable manager access on a single secondary interface for redundancy.
· This interface cannot be management-only.
· Routed firewall mode only, using a routed interface.
· PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the threat defense and the WAN modem.
· The interface must be in the global VRF only.
· SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the management center. Because the Management interface gateway will be changed to be the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command.
High Availability Requirements
When using a data interface with device high availability, see the following requirements.
· Use the same data interface on both devices for manager access.
· Redundant manager access data interface is not supported.
· You cannot use DHCP; only a static IP address is supported. Features that rely on DHCP cannot be used, including DDNS and low-touch provisioning.
· Have different static IP addresses in the same subnet.
· Use either IPv4 or IPv6; you cannot set both.
· Use the same manager configuration (configure manager add command) to ensure that the connectivity is the same.
· You cannot use the data interface as the failover or state link.
Low-Touch Provisioning Network
The following figure shows a typical network deployment for the firewall where:
· The management center is at central headquarters.
· The threat defense uses the outside interface for manager access.
· Either the threat defense or management center needs a public IP address or hostname to allow the inbound management connection, although you do not need to know the IP address for registration. For pre-7.2(4) and 7.3 threat defense versions, the management center needs to be publicly reachable.
· Both the management center and threat defense initially communicate with CDO to establish the management connection.
· After initial establishment, CDO is used to reestablish the management connection if it is disrupted; for example, if the threat defense IP address changes due to a new DHCP assignment, CDO will inform the management center of the change.
Figure 32: Low-Touch Provisioning Network
Manual Provisioning Network
The following figure shows a typical network deployment for the firewall where:
· The management center is at central headquarters.
· The threat defense uses the outside interface for manager access.
· Either the threat defense or management center needs a public IP address or hostname to allow the inbound management connection; you need to know this IP address for initial setup. You can also optionally configure Dynamic DNS (DDNS) for the outside interface to accommodate changing DHCP IP assignments.
Figure 33: Manual Provisioning Network
Before You Start
Deploy and perform initial configuration of the management center. See the getting started guide for your model.
End-to-End Tasks: Low-Touch Provisioning
See the following tasks to deploy the threat defense with the management center using low-touch provisioning.
Figure 34: End-to-End Procedure: Low-Touch Provisioning
· CLI (Central administrator): (Optional) Check the Software and Install a New Version, on page 56.
· Physical Setup (Branch administrator): Cable the Firewall, on page 69.
· Physical Setup (Branch administrator): Power on the Device, on page 70.
· Management Center (Central administrator): Log Into the Management Center, on page 23.
· Cisco Commerce Workspace (Central administrator): Buy feature licenses (Obtain Licenses for the Management Center, on page 71).
· Smart Software Manager (Central administrator): Generate a license token for the management center (Obtain Licenses for the Management Center, on page 71).
· Management Center (Central administrator): Register the Management Center with the Smart Licensing server (Obtain Licenses for the Management Center, on page 71).
· Cisco Cloud (Central administrator): (Required one time for each management center) Add a Device to the Management Center Using Low-Touch Provisioning, on page 73: Create CDO and SecureX accounts.
· Management Center (Central administrator): (Required one time for each management center) Add a Device to the Management Center Using Low-Touch Provisioning, on page 73: Integrate the management center with SecureX.
· CDO (Central administrator): Add a Device to the Management Center Using Low-Touch Provisioning, on page 73.
· Management Center (Central administrator): Configure a Basic Security Policy, on page 82.
End-to-End Tasks: Manual Provisioning
See the following tasks to deploy the threat defense with the management center using manual provisioning.
Figure 35: End-to-End Tasks: Manual Provisioning
· CLI or Device Manager (Central admin): (Optional) Check the Software and Install a New Version, on page 56; Pre-Configuration Using the Device Manager, on page 58; Pre-Configuration Using the CLI, on page 63.
· Physical Setup (Branch admin): Install the firewall. See the Cisco Firepower 2100 Series Hardware Installation Guide.
· Physical Setup (Branch admin): Cable the Firewall, on page 69.
· Physical Setup (Branch admin): Power on the Device, on page 70.
· Management Center (Central admin): Log Into the Management Center, on page 23.
· Cisco Commerce Workspace (Central admin): Obtain Licenses for the Management Center, on page 71: Buy feature licenses.
· Smart Software Manager (Central admin): Obtain Licenses for the Management Center, on page 71: Generate a license token for the management center.
· Management Center (Central admin): Obtain Licenses for the Management Center, on page 71: Register the management center with the Smart Licensing server.
· Management Center (Central admin): Add a Device to the Management Center Manually, on page 79.
· Management Center (Central admin): Configure a Basic Security Policy, on page 28.
Central Administrator Pre-Configuration
You might need to manually pre-configure the threat defense before you send it to the branch office.
(Optional) Check the Software and Install a New Version
To check the software version and, if necessary, install a different version, perform these steps. We recommend that you install your target version before you configure the firewall. Alternatively, you can perform an upgrade after you are up and running, but upgrading, which preserves your configuration, may take longer than using this procedure.
What Version Should I Run?
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html; for example, this bulletin describes short-term release numbering (with the latest features), long-term release numbering (maintenance releases and patches for a longer period of time), or extra long-term release numbering (maintenance releases and patches for the longest period of time, for government certification).
Procedure
Step 1
Connect to the CLI. See Access the Threat Defense and FXOS CLI, on page 94 for more information. This procedure shows using the console port, but you can use SSH instead.
Log in with the admin user and the default password, Admin123.
You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This password is also used for the threat defense login for SSH.
Note
If the password was already changed, and you do not know it, you must perform a factory reset to reset the password to the default. See the FXOS troubleshooting guide for the factory reset procedure.
Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 2
At the FXOS CLI, show the running version.
scope ssa
show app-instance
Example:
Firepower# scope ssa
Firepower /ssa # show app-instance
Application Name     Slot ID    Admin State     Operational State    Running Version    Startup Version    Cluster Oper State
-------------------- ---------- --------------- -------------------- ------------------ ------------------ ------------------
ftd                  1          Enabled         Online               7.4.0.65           7.4.0.65           Not Applicable
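If you check versions across many branch devices over SSH, you will want to parse this output rather than read it by eye. The following Python is an added example, not code from Cisco or from this guide: it slices the fixed-width table by the dash runs of the separator line (so multi-word cells such as Not Applicable survive), then reports whether the ftd instance is online at the target version, which is the decision you make before choosing to reimage. The sample output is constructed to match the layout above; the column widths, the helper names, and the reimage_needed decision rule are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the `show app-instance` output above
# (not captured from a real device). The separator line's dash runs define
# the column boundaries, which is what the parser relies on.
_WIDTHS = (20, 10, 15, 20, 18, 18, 18)


def _row(*cells: str) -> str:
    return " ".join(c.ljust(w) for c, w in zip(cells, _WIDTHS)).rstrip()


SAMPLE_OUTPUT = "\n".join([
    "Firepower /ssa # show app-instance",
    _row("Application Name", "Slot ID", "Admin State", "Operational State",
         "Running Version", "Startup Version", "Cluster Oper State"),
    " ".join("-" * w for w in _WIDTHS),
    _row("ftd", "1", "Enabled", "Online", "7.4.0.65", "7.4.0.65", "Not Applicable"),
    "Firepower /ssa #",
])


@dataclass
class AppInstance:
    name: str
    slot: int
    admin_state: str
    oper_state: str
    running_version: str
    startup_version: str
    cluster_state: str


def parse_app_instances(output: str) -> List[AppInstance]:
    """Parse the fixed-width table. Cells like 'Not Applicable' contain spaces,
    so columns are sliced by the separator line's dash runs, not split on
    whitespace."""
    lines = output.splitlines()
    sep_idx = next((i for i, l in enumerate(lines)
                    if l.strip() and set(l.strip()) <= {"-", " "}), None)
    if sep_idx is None:
        raise ValueError("no column separator line found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_idx])]
    if len(spans) != 7:
        raise ValueError(f"expected 7 columns, found {len(spans)}")
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip() or line.rstrip().endswith("#"):   # blank line or prompt
            continue
        cells = [line[s:e].strip() for s, e in spans[:-1]] + [line[spans[-1][0]:].strip()]
        rows.append(AppInstance(cells[0], int(cells[1]), *cells[2:]))
    return rows


def version_tuple(version: str) -> Tuple[int, ...]:
    """'7.4.0.65' -> (7, 4, 0, 65); bulletin-style '7.2(4)' -> (7, 2, 4)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def reimage_needed(output: str, target: str) -> Optional[str]:
    """None when the ftd instance is online at the target version; otherwise
    the reason a reimage (or upgrade) is needed. Assumed decision rule."""
    ftd = [a for a in parse_app_instances(output) if a.name == "ftd"]
    if not ftd:
        return "no ftd application instance"
    inst = ftd[0]
    if inst.oper_state != "Online":
        return f"ftd not online (operational state {inst.oper_state})"
    if version_tuple(inst.running_version) != version_tuple(target):
        return f"running {inst.running_version}, target {target}"
    if inst.startup_version != inst.running_version:
        return f"startup version {inst.startup_version} differs from running {inst.running_version}"
    return None


if __name__ == "__main__":
    for inst in parse_app_instances(SAMPLE_OUTPUT):
        print(inst)
    print("reimage needed:", reimage_needed(SAMPLE_OUTPUT, "7.4.1"))
```

Feed reimage_needed the raw text you captured from the FXOS CLI; it raises ValueError rather than guessing if the separator line is missing, which is what you want when a session returned an error instead of the table.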
Step 3
If you want to install a new version, perform these steps.
a) If you need to set a static IP address for the Management interface, see Complete the Threat Defense Initial Configuration Using the CLI, on page 19. By default, the Management interface uses DHCP.
You will need to download the new image from a server accessible from the Management interface. b) Perform the reimage procedure in the FXOS troubleshooting guide.
After the firewall reboots, you connect to the FXOS CLI again. c) At the FXOS CLI, you are prompted to set the admin password again.
For low-touch provisioning, when you onboard the device, for the Password Reset area, be sure to choose No… because you already set the password. d) Shut down the device. See Power Off the Device at the CLI, on page 102.
Perform Initial Configuration (Manual Provisioning)
For manual provisioning, perform initial configuration of the threat defense using the CLI or using the device manager.
Pre-Configuration Using the Device Manager
Connect to the device manager to perform initial setup of the threat defense. When you perform initial setup using the device manager, all interface configuration completed in the device manager is retained when you switch to the management center for management, in addition to the Management interface and manager access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the CLI, only the Management interface and manager access settings are retained (for example, the default inside interface configuration is not retained).
Before you begin
Deploy and perform initial configuration of the management center. You will need to know the management center IP address or hostname before you set up the threat defense.
Procedure
Step 1
Connect your management computer to the Inside (Ethernet 1/2) interface.
Step 2
Power on the firewall.
Note
The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.
Step 3
Log in to the device manager.
a) Enter the following URL in your browser: https://192.168.95.1
b) Log in with the username admin, and the default password Admin123.
c) You are prompted to read and accept the End User License Agreement and change the admin password.
Step 4
Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.
After you complete the setup wizard, in addition to the default configuration for the inside interface (Ethernet1/2), you will have configuration for an outside (Ethernet1/1) interface that will be maintained when you switch to management center management.
a) Configure the following options for the outside and management interfaces and click Next.
1. Outside Interface Address–This interface is typically the internet gateway, and might be used as your manager access interface. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.
If you want to use a different interface from outside (or inside) for manager access, you will have to configure it manually after completing the setup wizard.
Configure IPv4–The IPv4 address for the outside interface. You can use DHCP or manually enter a static IP address, subnet mask, and gateway. You can also select Off to not configure an IPv4 address. You cannot configure PPPoE using the setup wizard. PPPoE may be required if the interface is connected to a DSL modem, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address. You can configure PPPoE after you complete the wizard.
Configure IPv6–The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.
2. Management Interface
You will not see Management Interface settings if you performed initial setup at the CLI.
The Management interface settings are used even though you are enabling the manager access on a data interface. For example, the management traffic that is routed over the backplane through the data interface will resolve FQDNs using the Management interface DNS servers, and not the data interface DNS servers.
DNS Servers–The DNS server for the system's management address. Enter one or more addresses of DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields.
Firewall Hostname–The hostname for the system's management address.
b) Configure the Time Setting (NTP) and click Next.
1. Time Zone–Select the time zone for the system.
2. NTP Time Server–Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups.
c) Select Start 90 day evaluation period without registration.
Do not register the threat defense with the Smart Software Manager; all licensing is performed on the management center.
d) Click Finish.
e) You are prompted to choose Cloud Management or Standalone. For management center management, choose Standalone, and then Got It.
Step 5
(Might be required) Configure the Management interface. See the Management interface on Device > Interfaces.
The Management interface must have the gateway set to data interfaces. By default, the Management interface receives an IP address and gateway from DHCP. If you do not receive a gateway from DHCP (for example, you did not connect this interface to a network), then the gateway will default to data interfaces, and you do not need to configure anything. If you did receive a gateway from DHCP, then you need to instead configure this interface with a static IP address and set the gateway to data interfaces.
Step 6
If you want to configure additional interfaces, including an interface other than outside or inside that you want to use for the manager access, choose Device, and then click the link in the Interfaces summary.
See Configure the Firewall in the Device Manager, on page 124 for more information about configuring interfaces in the device manager. Other device manager configuration will not be retained when you register the device to the management center.
Step 7
Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.
Step 8
Configure the Management Center/CDO Details.
Figure 36: Management Center/CDO Details
a) For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
At least one of the devices, either the management center or the threat defense device, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices.
b) If you chose Yes, then enter the Management Center/CDO Hostname/IP Address. c) Specify the Management Center/CDO Registration Key.
This key is a one-time registration key of your choice that you will also specify on the management center when you register the threat defense device. The registration key must not exceed 37 characters. Valid characters include alphanumeric characters (A-Z, a-z, 0-9) and the hyphen (-). This key can be shared by multiple devices registering to the management center.
d) Specify a NAT ID.
This ID is a unique, one-time string of your choice that you will also specify on the management center. This field is required if you only specify the IP address on one of the devices; but we recommend that you specify the NAT ID even if you know the IP addresses of both devices. The NAT ID must not exceed 37 characters. Valid characters include alphanumeric characters (A-Z, a-z, 0-9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center. The NAT ID is used in combination with the IP address to verify that the connection is coming from the correct device; only after authentication of the IP address/NAT ID will the registration key be checked.
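The registration key and NAT ID rules above, together with the `configure manager add` forms quoted in the CLI pre-configuration section later in this chapter, are easy to get wrong when many branch devices are staged at once. The following Python is an added example, not code from Cisco or from this guide: it generates values that satisfy the 37-character, A-Z/a-z/0-9/hyphen rule from the CSPRNG, refuses to issue the same NAT ID to two devices, emits the CLI line each branch device needs, and models the management center's check order as described above (identify the device by NAT ID first, then compare the registration key). The class and function names, the 32-character default length, and passing the NAT ID as the optional third argument in the hostname form of the command (the guide recommends a NAT ID even when both addresses are known) are the example's own assumptions.

```python
import re
import secrets
import string
from typing import Dict, Optional

# Rules from the text above: at most 37 characters; letters, digits and
# hyphen only. The registration key may be shared by several devices; each
# device's NAT ID must be unique on a given management center.
MAX_ID_LEN = 37
_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,%d}$" % MAX_ID_LEN)
_ALPHABET = string.ascii_letters + string.digits


def is_valid_id(value: str) -> bool:
    """True if value satisfies the registration key / NAT ID character rules."""
    return bool(_ID_RE.match(value))


def new_id(length: int = 32) -> str:
    """Random key or NAT ID from the CSPRNG; 32 chars of [A-Za-z0-9] is about 190 bits."""
    if not 1 <= length <= MAX_ID_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_ID_LEN)
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class RegistrationPlan:
    """Registration material for one management center and its branch devices.

    manager is the management center hostname or IP address the branch device
    can resolve, or None when the device must use the DONTRESOLVE form (the
    management center is behind NAT or has no public address)."""

    def __init__(self, manager: Optional[str], registration_key: Optional[str] = None):
        self.manager = manager
        self.registration_key = registration_key or new_id()
        if not is_valid_id(self.registration_key):
            raise ValueError("registration key violates the 37-char [A-Za-z0-9-] rule")
        self._nat_ids: Dict[str, str] = {}   # device label -> NAT ID

    def enroll(self, device: str, nat_id: Optional[str] = None) -> str:
        """Issue (or record) a NAT ID for a device, refusing any reuse."""
        if device in self._nat_ids:
            raise ValueError(f"{device} already has a NAT ID")
        nat_id = nat_id or new_id()
        if not is_valid_id(nat_id):
            raise ValueError("NAT ID violates the 37-char [A-Za-z0-9-] rule")
        if nat_id in self._nat_ids.values():
            raise ValueError("NAT ID already issued to another device")
        self._nat_ids[device] = nat_id
        return nat_id

    def cli_command(self, device: str) -> str:
        """The `configure manager add` line to type on the branch device."""
        nat_id = self._nat_ids[device]
        target = self.manager if self.manager is not None else "DONTRESOLVE"
        return f"configure manager add {target} {self.registration_key} {nat_id}"

    def verify(self, nat_id: str, presented_key: str) -> Optional[str]:
        """Model of the order described above: find the device by NAT ID first,
        then check the registration key. Returns the device label or None."""
        device = next((d for d, n in self._nat_ids.items() if n == nat_id), None)
        if device is None:
            return None
        # Constant-time compare so a wrong key does not leak how much of it matched.
        if not secrets.compare_digest(presented_key.encode(), self.registration_key.encode()):
            return None
        return device


if __name__ == "__main__":
    # Hypothetical central-site values; nothing here is from a real deployment.
    plan = RegistrationPlan("fmc.example.net")
    for branch in ("branch-1", "branch-2"):
        plan.enroll(branch)
        print(branch, "->", plan.cli_command(branch))
```

Keep the generated values with the same care as any other shared secret: the registration key authenticates the device to the management center, so distribute the per-device command line to the branch administrator out of band rather than in a ticket everyone can read.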
Step 9
Configure the Connectivity Configuration.
a) Specify the FTD Hostname.
This FQDN will be used for the outside interface, or whichever interface you choose for the Management Center/CDO Access Interface.
b) Specify the DNS Server Group.
Choose an existing group, or create a new one. The default DNS group is called CiscoUmbrellaDNSServerGroup, which includes the OpenDNS servers.
This setting sets the data interface DNS server. The Management DNS server that you set with the setup wizard is used for management traffic. The data DNS server is used for DDNS (if configured) or for security policies applied to this interface. You are likely to choose the same DNS server group that you used for Management, because both management and data traffic reach the DNS server through the outside interface.
On the management center, the data interface DNS servers are configured in the Platform Settings policy that you assign to this threat defense. When you add the threat defense to the management center, the local setting is maintained, and the DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings policy to the threat defense that includes a DNS configuration, then that configuration will overwrite the local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to bring the management center and the threat defense into sync.
Also, local DNS servers are only retained by the management center if the DNS servers were discovered at initial registration.
c) For the Management Center/CDO Access Interface, choose outside.
You can choose any configured interface, but this guide assumes you are using outside.
Step 10
If you chose a different data interface from outside, then add a default route.
You will see a message telling you to check that you have a default route through the interface. If you chose outside, you already configured this route as part of the setup wizard. If you chose a different interface, then you need to manually configure a default route before you connect to the management center. See Configure the Firewall in the Device Manager, on page 124 for more information about configuring static routes in the device manager.
Step 11
Click Add a Dynamic DNS (DDNS) method.
DDNS ensures the management center can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense’s IP address changes. See Device > System Settings > DDNS Service to configure DDNS.
If you configure DDNS before you add the threat defense to the management center, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
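What a DDNS update amounts to on the wire is one authenticated HTTPS request and a one-word reply. The following Python is an added example of a DynDNS Remote API client, not Cisco's implementation and not code from this guide: it builds the /nic/update request with HTTP Basic credentials, validates the server certificate through the default TLS context (the counterpart of the Cisco Trusted Root CA bundle behaviour described above), and classifies the reply so that permanent errors such as badauth are not retried blindly. The endpoint, the User-Agent string, and the hostnames and addresses in the tests are placeholders; the return codes are those of the DynDNS specification.

```python
import base64
import ipaddress
import ssl
import urllib.request
from typing import NamedTuple, Optional
from urllib.parse import urlencode

# Assumed provider endpoint; any server implementing the DynDNS Remote API
# (https://help.dyn.com/remote-access-api/) exposes an equivalent /nic/update.
UPDATE_ENDPOINT = "https://ddns.example.net/nic/update"
# The API requires an identifying User-Agent; this value is a placeholder.
USER_AGENT = "ftd-ddns-example/1.0 (ops@example.net)"


class UpdateResult(NamedTuple):
    ok: bool
    code: str
    address: Optional[str]   # address the server now holds, on success
    retryable: bool          # temporary server-side failure; safe to retry later


# Return codes from the DynDNS Remote API specification.
_SUCCESS = {"good", "nochg"}
_TEMPORARY = {"dnserr", "911"}
# Anything else (badauth, notfqdn, nohost, numhost, abuse, badagent) is a
# client-side error; retrying without a configuration change risks an
# 'abuse' lockout of the account.


def build_request(hostname: str, address: str, username: str, password: str,
                  endpoint: str = UPDATE_ENDPOINT) -> urllib.request.Request:
    """GET /nic/update?hostname=...&myip=... with HTTP Basic credentials."""
    ipaddress.ip_address(address)            # reject anything that is not an IP literal
    url = f"{endpoint}?{urlencode({'hostname': hostname, 'myip': address})}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                                "User-Agent": USER_AGENT})


def parse_response(body: str) -> UpdateResult:
    """Classify the one-line reply, e.g. 'good 203.0.113.7' or 'badauth'."""
    parts = body.strip().split()
    if not parts:
        return UpdateResult(False, "empty", None, True)
    code = parts[0].lower()
    if code in _SUCCESS:
        return UpdateResult(True, code, parts[1] if len(parts) > 1 else None, False)
    return UpdateResult(False, code, None, code in _TEMPORARY)


def update(hostname: str, address: str, username: str, password: str,
           cafile: Optional[str] = None, endpoint: str = UPDATE_ENDPOINT) -> UpdateResult:
    """Send the update over TLS, validating the server certificate against the
    system trust store (or cafile). Never relax this check: a DDNS server that
    accepts your credentials without a verified certificate is a credential
    leak waiting to happen."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    req = build_request(hostname, address, username, password, endpoint)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_response(resp.read().decode("ascii", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration of the parsing side; update() needs a real provider.
    for reply in ("good 203.0.113.7", "nochg 203.0.113.7", "badauth", "911"):
        print(repr(reply), "->", parse_response(reply))
```

Run update() only against a provider you trust with the account credentials; build_request and parse_response can be exercised offline, which is how the assertions below use them.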
Step 12
Click Connect. The Registration Status dialog box shows the current status of the switch to the management center. After the Saving Management Center/CDO Registration Settings step, go to the management center, and add the firewall.
If you want to cancel the switch to the management center, click Cancel Registration. Otherwise, do not close the device manager browser window until after the Saving Management Center/CDO Registration Settings step. If you do, the process will be paused, and will only resume when you reconnect to the device manager.
If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.
Figure 37: Successful Connection
Pre-Configuration Using the CLI
Connect to the threat defense CLI to perform initial setup. When you use the CLI for initial configuration, only the Management interface and manager access interface settings are retained. When you perform initial setup using the device manager (7.1 and later), all interface configuration completed in the device manager is retained when you switch to the management center for management, in addition to the Management interface and manager access interface settings. Note that other default configuration settings, such as the access control policy, are not retained.
Before you begin
You will need to know the management center IP address or hostname before you set up the threat defense.
Procedure
Step 1
Power on the firewall.
Note
The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.
Step 2
Connect to the threat defense CLI on the console port. The console port connects to the FXOS CLI.
Step 3
Log in with the username admin and the password Admin123.
The first time you log in to the FXOS, you are prompted to change the password. This password is also used for the threat defense login for SSH.
Note
If the password was already changed, and you do not know it, then you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.
Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 4
Connect to the threat defense CLI.
connect ftd
Example:
firepower# connect ftd
>
Step 5
The first time you log in to the threat defense, you are prompted to accept the End User License Agreement (EULA) and, if using an SSH connection, to change the admin password. You are then presented with the CLI setup script for the Management interface settings.
The Management interface settings are used even though you are enabling manager access on a data interface.
Note
You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.
Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
See the following guidelines:
· Do you want to configure IPv4? and/or Do you want to configure IPv6?–Enter y for at least one of these types of addresses. Although you do not plan to use the Management interface, you must set an IP address, for example, a private address.
· Configure IPv4 via DHCP or manually? and/or Configure IPv6 via DHCP, router, or manually?–Choose manual. You cannot configure a data interface for management if the management interface is set to DHCP, because the default route, which must be data-interfaces (see the next bullet), might be overwritten with one received from the DHCP server.
· Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for the management interface–Set the gateway to be data-interfaces. This setting forwards management traffic over the backplane so it can be routed through the manager access data interface.
· Manage the device locally?–Enter no to use the management center. A yes answer means you will use the device manager instead.
· Configure firewall mode?–Enter routed. Outside manager access is only supported in routed firewall mode.
Example:
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
[...]
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
System initialization in progress. Please stand by.
You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.61]: 10.89.5.17
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35
Setting DNS domains:cisco.com
Setting hostname as 1010-3
Setting static IPv4: 10.89.5.17 netmask: 255.255.255.192 gateway: data on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: no
DHCP server is already disabled
DHCP Server Disabled
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...

Device is in OffBox mode - disabling/removing port 443 from iptables.
Update policy deployment information
    - add device configuration
    - add network discovery
    - add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>
Step 6
Configure the outside interface for manager access.
configure network management-data-interface
You are then prompted to configure basic network settings for the outside interface. See the following details for using this command:
· The Management interface cannot use DHCP if you want to use a data interface for management. If you did not set the IP address manually during initial setup, you can set it beforehand using the configure network {ipv4 | ipv6} manual command. If you did not already set the Management interface gateway to data-interfaces, this command will set it now.
· When you add the threat defense to the management center, the management center discovers and maintains the interface configuration, including the following settings: interface name and IP address, static route to the gateway, DNS servers, and DDNS server. For more information about the DNS server configuration, see below. In the management center, you can later make changes to the manager access interface configuration, but make sure you don’t make changes that can prevent the threat defense or the management center from re-establishing the management connection. If the management connection is disrupted, the threat defense includes the configure policy rollback command to restore the previous deployment.
· If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
· This command sets the data interface DNS server. The Management DNS server that you set with the setup script (or using the configure network dns servers command) is used for management traffic. The data DNS server is used for DDNS (if configured) or for security policies applied to this interface.
On the management center, the data interface DNS servers are configured in the Platform Settings policy that you assign to this threat defense. When you add the threat defense to the management center, the local setting is maintained, and the DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings policy to the threat defense that includes a DNS configuration, then that configuration will overwrite the local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to bring the management center and the threat defense into sync.
Also, local DNS servers are only retained by the management center if the DNS servers were discovered at initial registration. For example, if you registered the device using the Management interface, but then later configure a data interface using the configure network management-data-interface command, then you must manually configure all of these settings in the management center, including the DNS servers, to match the threat defense configuration.
· You can change the management interface after you register the threat defense to the management center, to either the Management interface or another data interface.
· The FQDN that you set in the setup wizard will be used for this interface.
· You can clear the entire device configuration as part of the command; you might use this option in a recovery scenario, but we do not suggest you use it for initial setup or normal operation.
· To disable data management, enter the configure network management-data-interface disable command.
Example:
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:
DDNS server update URL [none]: https://deanwinchester:pa$$w0rd17@domains.example.com/nic/update?hostname=<h>&myip=<a>
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Configuration done with option to allow manager access from any network, if you wish to change the manager access network use the ‘client’ option in the command ‘configure network management-data-interface’.
Setting IPv4 network configuration.
Network settings changed.
>
Example:
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Configuration done with option to allow manager access from any network, if you wish to change the manager access network use the ‘client’ option in the command ‘configure network management-data-interface’.
Setting IPv4 network configuration.
Network settings changed.
>
Step 7
(Optional) Limit data interface access to the management center on a specific network.
configure network management-data-interface client ip_address netmask
By default, all networks are allowed.
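Added example (not from the guide): a Python check of the manual data-interface settings entered in the examples above and of the Step 7 client restriction. The sample configuration reuses the values from the second example (10.10.6.7/255.255.255.0, gateway 10.10.6.1, the two DNS servers) and the DDNS URL from the first; the management center address and client network used for the Step 7 check are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample input, modelled on the second
# "configure network management-data-interface" example above (values from the guide).
SAMPLE_MANUAL_CONFIG = {
    "interface": "ethernet1/1",
    "name": "internet",
    "mode": "manual",
    "address": "10.10.6.7",
    "netmask": "255.255.255.0",
    "gateway": "10.10.6.1",
    "dns_servers": ["208.67.222.222", "208.67.220.220"],
    "ddns_url": None,
}

# The DDNS update URL from the first example above.
SAMPLE_DDNS_URL = (
    "https://deanwinchester:pa$$w0rd17@domains.example.com/nic/update"
    "?hostname=<h>&myip=<a>"
)


def check_ddns_url(url):
    """Return findings for a DDNS server update URL.

    The threat defense validates the DDNS server certificate over HTTPS, so a
    plain-http URL cannot be checked; the update URL in the guide's example
    carries the <h> (hostname) and <a> (address) substitution tokens, and its
    userinfo part is a credential that ends up in the device configuration.
    """
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("error: DDNS update URL must use https so the server certificate is validated")
    if "<h>" not in url or "<a>" not in url:
        findings.append("warning: DDNS update URL lacks the <h>/<a> substitution tokens")
    if parsed.username or parsed.password:
        findings.append("warning: DDNS update URL embeds a username/password; protect the device configuration")
    return findings


def check_data_interface(cfg):
    """Return a list of findings for a manager-access data-interface configuration.

    Manual addressing is checked for internal consistency (address, netmask and
    gateway must describe one subnet); DNS servers must parse as IP addresses.
    An empty list means the configuration is consistent.
    """
    findings = []
    if cfg["mode"] == "manual":
        iface = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}")
        gateway = ipaddress.ip_address(cfg["gateway"])
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            findings.append(f"error: {iface.ip} is the network or broadcast address of {iface.network}")
        if gateway not in iface.network:
            findings.append(f"error: gateway {gateway} is not on {iface.network}")
        elif gateway == iface.ip:
            findings.append("error: gateway is the interface's own address")
        for server in cfg.get("dns_servers", []):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append(f"error: DNS server {server!r} is not an IP address")
    if cfg.get("ddns_url"):
        findings.extend(check_ddns_url(cfg["ddns_url"]))
    return findings


def manager_allowed(client_restriction, manager_ip):
    """Step 7: `configure network management-data-interface client ip_address netmask`
    limits which network may reach the data interface for manager access.
    None models the default, where all networks are allowed."""
    if client_restriction is None:
        return True
    ip_address, netmask = client_restriction
    network = ipaddress.ip_network(f"{ip_address}/{netmask}", strict=False)
    return ipaddress.ip_address(manager_ip) in network


if __name__ == "__main__":
    for finding in check_data_interface(SAMPLE_MANUAL_CONFIG) or ["ok: manual configuration is consistent"]:
        print(finding)
    for finding in check_ddns_url(SAMPLE_DDNS_URL):
        print(finding)
    # Constructed management center address and client restriction for the Step 7 check.
    print(manager_allowed(("203.0.113.0", "255.255.255.0"), "203.0.113.10"))
```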
Step 8
Identify the management center that will manage this threat defense.
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
· {hostname | IPv4_address | IPv6_address | DONTRESOLVE}–Specifies either the FQDN or IP address of the management center. If the management center is not directly addressable, use DONTRESOLVE. At least one of the devices, either the management center or the threat defense, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices. If you specify DONTRESOLVE in this command, then the threat defense must have a reachable IP address or hostname.
· reg_key–Specifies a one-time registration key of your choice that you will also specify on the management center when you register the threat defense. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-).
· nat_id–Specifies a unique, one-time string of your choice that you will also specify on the management center. When you use a data interface for management, then you must specify the NAT ID on both the threat defense and the management center for registration. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A-Z, a-z, 0-9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center.
Example:
> configure manager add fmc-1.example.com regk3y78 natid56
Manager successfully configured.
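Added example (not from the guide): a Python helper that applies the reg_key and nat_id rules listed above before the command is typed, builds the command line, and generates a fresh one-time value from the allowed character set. It treats a NAT ID as required together with DONTRESOLVE, following the setup-script help text shown in Step 5; the FQDN syntax check is an assumption of this example, not a rule from the guide.

```python
import ipaddress
import re
import secrets
import string

# Constraints the guide states for reg_key and nat_id in configure manager add.
MAX_TOKEN_LEN = 37
TOKEN_CHARS = set(string.ascii_letters + string.digits + "-")
# Assumed FQDN label syntax (letters, digits, interior hyphens); not from the guide.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def _is_fqdn(value):
    labels = value.split(".")
    return len(value) <= 253 and all(LABEL_RE.match(label) for label in labels)


def _token_errors(value, label):
    """Length and character-set rules shared by the registration key and the NAT ID."""
    errors = []
    if not 1 <= len(value) <= MAX_TOKEN_LEN:
        errors.append(f"{label} must be 1 to {MAX_TOKEN_LEN} characters")
    bad = sorted(set(value) - TOKEN_CHARS)
    if bad:
        errors.append(f"{label} contains characters outside A-Z, a-z, 0-9 and '-': {''.join(bad)}")
    return errors


def validate_manager_add(manager, reg_key, nat_id=None, *, data_interface_mgmt=False, used_nat_ids=()):
    """Return a list of problems with the arguments for
    configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id].
    An empty list means the command can be issued."""
    errors = []
    if manager != "DONTRESOLVE" and not (_is_ip(manager) or _is_fqdn(manager)):
        errors.append("manager must be an FQDN, an IP address, or DONTRESOLVE")
    errors += _token_errors(reg_key, "registration key")
    if nat_id is None:
        if data_interface_mgmt:
            errors.append("a NAT ID is required when a data interface is used for management")
        if manager == "DONTRESOLVE":
            errors.append("DONTRESOLVE requires a NAT ID so the management center can identify the device")
    else:
        errors += _token_errors(nat_id, "NAT ID")
        if nat_id in used_nat_ids:
            errors.append("NAT ID is already used by another device registering to this management center")
    return errors


def build_manager_add(manager, reg_key, nat_id=None, **kwargs):
    """Return the CLI line to enter on the threat defense, or raise ValueError."""
    errors = validate_manager_add(manager, reg_key, nat_id, **kwargs)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["configure manager add", manager, reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


def new_token(length=24):
    """Generate a one-time registration key or NAT ID from the allowed character set."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))


if __name__ == "__main__":
    # Values from the guide's example.
    print(build_manager_add("fmc-1.example.com", "regk3y78", "natid56", data_interface_mgmt=True))
    # A freshly generated pair for a new device; record both so the same values
    # are entered on the management center when the device is added.
    key, nat = new_token(), new_token()
    print(build_manager_add("DONTRESOLVE", key, nat, used_nat_ids={"natid56"}))
```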
Step 9
Shut down the threat defense so you can send the device to the remote branch office.
It’s important that you shut down your system properly. Simply unplugging the power or pressing the power switch can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your system.
a) Enter the shutdown command.
b) Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit).
c) After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary.
Branch Office Installation
After you receive the threat defense from central headquarters, you only need to cable and power on the firewall so that it has internet access from the outside interface. The central administrator can then complete the configuration.
Cable the Firewall
The management center and your management computer reside at a remote headquarters, and can reach the threat defense over the internet. To cable the Firepower 2100, see the following steps.
Figure 38: Cabling a Remote Management Deployment
Procedure
Step 1
Install the chassis. See the Cisco Firepower 2100 Series Hardware Installation Guide.
Step 2
Connect the outside interface (Ethernet 1/1) to your outside router.
Step 3
Connect the inside interface (for example, Ethernet 1/2) to your inside switch or router.
Step 4
Connect other networks to the remaining interfaces.
Step 5
(Optional) Connect the management computer to the console port.
At the branch office, the console connection is not required for everyday use; however, it may be required for troubleshooting purposes.
Power on the Device
The power switch is located to the left of power supply module 1 on the rear of the chassis. It is a toggle switch that controls power to the system. If the power switch is in standby position, only the 3.3-V standby power is enabled from the power supply module and the 12-V main power is OFF. When the switch is in the ON position, the 12-V main power is turned on and the system boots.
Note
The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.
Before you begin
It’s important that you provide reliable power for your device (for example, using an uninterruptable power supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are many processes running in the background all the time, and losing power does not allow the graceful shutdown of your system.
Procedure
Step 1
Attach the power cord to the device and connect it to an electrical outlet.
Step 2
Press the power switch on the back of the device.
Step 3
Check the PWR LED on the front of the device; if it is solid green, the device is powered on.
Step 4
Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on diagnostics.
Note
Before you move the power switch to the OFF position, use the shutdown commands so that the system can perform a graceful shutdown. This may take several minutes to complete. After the graceful shutdown is complete, the console displays It is safe to power off now. The front panel blue locator beacon LED lights up indicating the system is ready to be powered off. You can now move the switch to the OFF position. The front panel PWR LED flashes momentarily and turns off. Do not remove the power until the PWR LED is completely off.
See the FXOS Configuration Guide for more information on using the shutdown commands.
Central Administrator Post-Configuration
After the remote branch administrator cables the threat defense so it has internet access from the outside interface, you can register the threat defense to the management center and complete configuration of the device.
Log Into the Management Center
Use the management center to configure and monitor the threat defense.
Before you begin
For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes).
Procedure
Step 1
Using a supported browser, enter the following URL.
https://fmc_ip_address
Step 2
Enter your username and password.
Step 3
Click Log In.
Obtain Licenses for the Management Center
All licenses are supplied to the threat defense by the management center. You can optionally purchase the following feature licenses:
· Essentials–(Required) Essentials license.
· IPS–Security Intelligence and Next-Generation IPS
· Malware Defense–Malware defense
· URL–URL Filtering
· Cisco Secure Client–Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide
Before you begin
· Have a master account on the Smart Software Manager. If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization.
· Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to use some features (enabled using the export-compliance flag).
Procedure
Step 1
Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs:
Figure 39: License Search
Note
If a PID is not found, you can add the PID manually to your order.
· IPS, Malware Defense, and URL license combination:
· L-FPR2110T-TMC=
· L-FPR2120T-TMC=
· L-FPR2130T-TMC=
· L-FPR2140T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
· L-FPR2110T-TMC-1Y
· L-FPR2110T-TMC-3Y
· L-FPR2110T-TMC-5Y
· L-FPR2120T-TMC-1Y
· L-FPR2120T-TMC-3Y
· L-FPR2120T-TMC-5Y
· L-FPR2130T-TMC-1Y
· L-FPR2130T-TMC-3Y
· L-FPR2130T-TMC-5Y
· L-FPR2140T-TMC-1Y
· L-FPR2140T-TMC-3Y
· L-FPR2140T-TMC-5Y
· Cisco Secure Client–See the Cisco Secure Client Ordering Guide.
Step 2
If you have not already done so, register the management center with the Smart Software Manager.
Registering requires you to generate a registration token in the Smart Software Manager. See the management center configuration guide for detailed instructions. For Low-Touch Provisioning, you must enable Cloud Assistance for Low-Touch Provisioning either when you register with the Smart Software Manager, or after you register. See the System > Licenses > Smart Licenses page.
Register the Threat Defense with the Management Center
Register the threat defense with the management center depending on which deployment method you are using.
Add a Device to the Management Center Using Low-Touch Provisioning
Low-touch provisioning lets you register devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with Cisco Defense Orchestrator (CDO) and SecureX for this functionality. Use this procedure to add a single device to the management center. High availability is only supported when you use the Management interface, because DHCP is not supported for data interfaces and high availability. Clustering is not supported.
Note
If the management center is configured for high availability, CDO automatically onboards the threat defense to the primary management center.
Low-touch provisioning is only supported on the following models:
· Firepower 1000
· Firepower 2100
· Secure Firewall 3100
Threat Defense Feature History:
· 7.2.4 (7.3 does not include this enhancement)–Outside and Management interface support. For the outside interface, the management center does not have to be publicly reachable if the device outside interface is reachable.
· 7.2, 7.3–Outside interface support only. The management center must be publicly reachable.
Before you begin
· Make sure the device is unconfigured or a fresh install. Low-touch provisioning is meant for new devices only. Pre-configuration can disable low-touch provisioning, depending on your settings.
· Cable the outside interface or Management interface so it can reach the internet. If you use the outside interface for low-touch provisioning, do not also cable the Management interface; if the Management interface gets an IP address from DHCP, the routing will be incorrect for the outside interface.
· Make sure you have at least one access control policy configured on the management center so you can assign it to new devices. You cannot add a policy using CDO.
· If the device does not have a public IP address or FQDN, or you use the Management interface, set a public IP address/FQDN for the management center (if different from the management center management interface IP address; for example, it is behind NAT) so the device can initiate the management connection. See . You can also configure the public IP address/FQDN in CDO during this procedure.
Procedure
Step 1
The first time you add a device using a serial number, you need to complete the following prerequisites. After the first time, you can skip to adding the devices directly in CDO.
a) In the management center, choose Devices > Device Management.
b) From the Add drop-down menu, choose Device.
c) Click Serial Number for the provisioning method.
Figure 40: Add Device by Serial Number
d) Create CDO and SecureX accounts.
Note
If you already have preexisting but separate SecureX and CDO accounts, you need to link them. See https://cisco.com/go/cdo-securex-link for more information about linking accounts.
If you don’t already have accounts, perform the following:
· Request a CDO tenant. See the CDO documentation for information about requesting a new CDO tenant.
· Create a SecureX account. See the CDO documentation for information about how to create one.
e) Integrate the management center with SecureX. Click the link for step 2 to open the SecureX Integration page in the management center.
See . See also the SecureX integration guide.
By default, CDO onboards the on-prem management center after you integrate the management center with SecureX. CDO needs the management center in its inventory for low-touch provisioning to operate. CDO’s management center support is limited to device onboarding, viewing its managed devices, viewing objects associated with the management center, and cross-launching the management center.
Note
For a management center high-availability pair, you also need to integrate the secondary management center with SecureX.
f) Click Launch CDO if you do not already have it open, or log in here: https://www.defenseorchestrator.com/ .
Make sure CDO is not blocked by a pop-up blocker.
Step 2
On the CDO Dashboard (https://www.defenseorchestrator.com/), click Onboard.
Step 3
Click the FTD tile.
Figure 41: FTD Tile
Step 4
On the Onboard FTD Device screen, click Use Serial Number.
Figure 42: Use Serial Number
Step 5
In Select FMC, choose an On-Prem FMC from the list, and click Next.
Figure 43: Select FMC
If the management center has a public IP address or FQDN set, it will show after you choose it.
Figure 44: Public IP Address/FQDN
The management center needs a public IP address/FQDN if the device does not have a public IP address/FQDN or if you use the Management interface for low-touch provisioning. You can set the management center public IP address/FQDN by clicking the FMC Public IP link. You see the following dialog box.
Figure 45: Configure FMC Public IP/FQDN
Note
For a management center high-availability pair, you also need to set the public IP address/FQDN on the secondary management center. You can’t set this value using CDO; you need to set it in the secondary management center. See .
Step 6
In Connection, enter the device’s serial number and device name. Click Next.
Figure 46: Connection
Step 7
In Password Reset, click Yes…. Enter a new password and confirm the new password for the device, then click Next.
For low-touch provisioning, the device must be brand new or have been reimaged.
Note
If you did log into the device and reset the password, and you did not change the configuration in a way that would disable low-touch provisioning, then you should choose the No… option. There are a number of configurations that disable low-touch provisioning, so we don’t recommend logging into the device unless you need to, for example, to perform a reimage.
Figure 47: Password Reset
Step 8
In Policy Assignment, use the drop-down menu to select an access control policy for the device. If you have not added a policy on the management center, you should go to the management center and add one now. Click Next.
Figure 48: Policy Assignment
Step 9
In Subscription License, select the licenses for the device. Click Next.
Figure 49: Subscription License
Step 10
In Done, you can add labels to the device that show in CDO; they are not used on the management center.
Figure 50: Done
In the management center, the device is added to the Device Management page. You can also click Go to Inventory to see the devices in CDO. On-prem management center devices are viewable in CDO inventory for information purposes. When using low-touch provisioning on the outside interface, CDO acts as a DDNS provider and does the following:
· Enables DDNS on outside using the “fmcOnly” method. This method is only supported for low-touch provisioning devices.
· Maps the outside IP address with the following hostname: serial-number.local.
· Provides the IP address/hostname mapping to the management center so it can resolve the hostname to the correct IP address.
· Informs the management center if the IP address ever changes, for example, if the DHCP lease renews.
If you use low-touch provisioning on the Management interface, DDNS is not supported. The management center must be publicly reachable so the device can initiate the management connection.
You can continue to use CDO as the DDNS provider, or you can later change the DDNS configuration in the management center to a different method.
Add a Device to the Management Center Manually
Register the threat defense to the management center.
Before you begin
· Gather the following information that you set in the threat defense initial configuration:
· The threat defense management IP address or hostname, and NAT ID
· The management center registration key
Procedure
Step 1
In the management center, choose Devices > Device Management.
Step 2
From the Add drop-down list, choose Add Device.
The Registration Key method is selected by default.
Figure 51: Add Device Using a Registration Key
Set the following parameters:
· Host–Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration.
Note
In an HA environment, when both the management centers are behind a NAT, you can register the threat defense without a host IP or name in the primary management center. However, for registering the threat defense in a secondary management center, you must provide the IP address or hostname for the threat defense.
· Display Name–Enter the name for the threat defense as you want it to display in the management center.
· Registration Key–Enter the same registration key that you specified in the threat defense initial configuration.
· Domain–Assign the device to a leaf domain if you have a multidomain environment.
· Group–Assign it to a device group if you are using groups.
· Access Control Policy–Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page 40.
Figure 52: New Policy
· Smart Licensing–Assign the Smart Licenses you need for the features you want to deploy. Note: You can apply the Secure Client remote access VPN license after you add the device, from the System > Licenses > Smart Licenses page.
· Unique NAT ID–Specify the NAT ID that you specified in the threat defense initial configuration.
· Transfer Packets–Allow the device to transfer packets to the management center. When events like IPS or Snort are triggered with this option enabled, the device sends event metadata information and packet data to the management center for inspection. If you disable it, only event information will be sent to the management center, but packet data is not sent.
Step 3
Click Register, and confirm a successful registration.
If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat defense fails to register, check the following items:
· Ping–Access the threat defense CLI, and ping the management center IP address using the following command:
ping system ip_address
If the ping is not successful, check your network settings using the show network command. If you need to change the threat defense Management IP address, use the configure network management-data-interface command.
· Registration key, NAT ID, and management center IP address–Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command.
For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.
Configure a Basic Security Policy
This section describes how to configure a basic security policy with the following settings:
· Inside and outside interfaces–Assign a static IP address to the inside interface. You configured basic settings for the outside interface as part of the manager access setup, but you still need to assign it to a security zone.
· DHCP server–Use a DHCP server on the inside interface for clients.
· NAT–Use interface PAT on the outside interface.
· Access control–Allow traffic from inside to outside.
· SSH–Enable SSH on the manager access interface.
Configure Interfaces
Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Typically, you must configure at least two interfaces to have a system that passes meaningful traffic. Normally, you would have an outside interface that faces the upstream router or internet, and one or more inside interfaces for your organization’s networks. Some of these interfaces might be “demilitarized zones” (DMZs), where you place publicly accessible assets such as your web server. A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces. The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.
Procedure
Step 1
Choose Devices > Device Management, and click Edit for the firewall.
Step 2
Click Interfaces.
Figure 53: Interfaces
Step 3
Click Edit for the interface that you want to use for inside. The General tab appears.
Figure 54: General Tab
a) Enter a Name up to 48 characters in length.
For example, name the interface inside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by clicking New.
For example, add a zone called inside_zone. Each interface must be assigned to a security zone and/or interface group. An interface can belong to only one security zone, but can also belong to multiple interface groups. You apply your security policy based on zones or groups. For example, you can assign the inside interface to the inside zone; and the outside interface to the outside zone. Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most policies only support security zones; you can use zones or interface groups in NAT policies, prefilter policies, and QoS policies.
e) Click the IPv4 and/or IPv6 tab.
· IPv4–Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation.
For example, enter 192.168.1.1/24
Figure 55: IPv4 Tab
· IPv6–Check the Autoconfiguration check box for stateless autoconfiguration.
Figure 56: IPv6 Tab
f) Click OK.
Step 4
Click Edit for the interface that you want to use for outside. The General tab appears.
Figure 57: General Tab
You already pre-configured this interface for manager access, so the interface will already be named, enabled, and addressed. You should not alter any of these basic settings because doing so will disrupt the management center management connection. You must still configure the Security Zone on this screen for through traffic policies.
a) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New.
For example, add a zone called outside_zone.
b) Click OK.
Step 5
Click Save.
Configure the DHCP Server
Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
Procedure
Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device.
Step 2 Choose DHCP > DHCP Server.
Figure 58: DHCP Server
Step 3
On the Server page, click Add, and configure the following options:
Figure 59: Add Server
· Interface–Choose the interface from the drop-down list.
· Address Pool–Set the range of IP addresses from lowest to highest that are used by the DHCP server.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.
· Enable DHCP Server–Enable the DHCP server on the selected interface.
Step 4
Click OK.
Step 5 Click Save.
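The Address Pool rules above (same subnet as the interface, never the interface's own address) are easy to get wrong by hand. The following is an added example, not code from the Cisco guide, that checks a proposed pool against those rules; it uses the guide's sample inside address 192.168.1.1/24 as constructed input, and the function name is illustrative.

```python
import ipaddress

# Added example, not from the Cisco guide: check a DHCP address pool against
# the two rules the DHCP Server page states. Sample addresses below are
# constructed around the guide's inside interface address 192.168.1.1/24.


def validate_dhcp_pool(interface_cidr: str, pool_start: str, pool_end: str) -> list:
    """Return the list of problems with the pool; an empty list means it is usable.

    interface_cidr: the interface address in slash notation (e.g. 192.168.1.1/24)
    pool_start, pool_end: lowest and highest address the DHCP server hands out
    """
    iface = ipaddress.ip_interface(interface_cidr)
    subnet = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # Mixed IPv4/IPv6 cannot even be compared, so report that first and stop.
    if start.version != subnet.version or end.version != subnet.version:
        return [f"pool {start}-{end} is not the same IP version as {interface_cidr}"]

    problems = []
    if start > end:
        problems.append(f"pool start {start} is higher than pool end {end}")
    # Rule 1 from the guide: the range must be on the interface's subnet.
    if start not in subnet or end not in subnet:
        problems.append(f"pool {start}-{end} is not entirely within {subnet}")
    # Rule 2 from the guide: the range cannot include the interface's own address.
    if start <= iface.ip <= end:
        problems.append(f"pool {start}-{end} includes the interface address {iface.ip}")
    # Not stated in the guide, but equally unusable for clients: the IPv4
    # network and broadcast addresses of the subnet.
    if subnet.version == 4 and subnet.prefixlen < 31:
        if start == subnet.network_address or end == subnet.broadcast_address:
            problems.append(f"pool {start}-{end} includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed sample pools against the guide's inside address 192.168.1.1/24.
    for lo, hi in [("192.168.1.10", "192.168.1.100"),   # valid
                   ("192.168.1.1", "192.168.1.100"),    # includes the interface
                   ("192.168.2.10", "192.168.2.100")]:  # wrong subnet
        print(lo, hi, validate_dhcp_pool("192.168.1.1/24", lo, hi) or "ok")
```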
Configure NAT
A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (PAT).
Procedure
Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) on which you want to use the policy, and click Save.
Figure 60: New Policy
The policy is added to the management center. You still have to add rules to the policy.
Figure 61: NAT Policy
Step 3 Click Add Rule. The Add NAT Rule dialog box appears.
Step 4 Configure the basic rule options:
Figure 62: Basic Rule Options
· NAT Rule–Choose Auto NAT Rule.
· Type–Choose Dynamic.
Step 5
On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Figure 63: Interface Objects
Step 6
On the Translation page, configure the following options:
Figure 64: Translation
· Original Source–Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Figure 65: New Network Object
Note
You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects.
· Translated Source–Choose Destination Interface IP.
Step 7 Click Save to add the rule. The rule is saved to the Rules table.
Step 8 Click Save on the NAT page to save your changes.
Allow Traffic from Inside to Outside
If you created a basic Block all traffic access control policy when you registered the threat defense, then you need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing traffic to the appropriate networks.
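To make the zone model concrete, here is an added example, not code from the Cisco guide, that models the pieces the guide describes: each interface in exactly one security zone, rules matched top to bottom on source and destination zone, and a Block all traffic default for anything no rule allows. The interface names Ethernet1/1 and Ethernet1/2 are assumed for illustration; only the zone names inside_zone and outside_zone come from the guide.

```python
from dataclasses import dataclass, field

# Added example, not from the Cisco guide: a small model of zone-based access
# control. An interface belongs to exactly one security zone, rules match on
# source/destination zone in order, and the "Block all traffic" default drops
# the rest. Interface names Ethernet1/1 and Ethernet1/2 are assumed.


@dataclass
class AccessRule:
    name: str
    source_zones: set
    dest_zones: set
    action: str  # "allow" or "block"


@dataclass
class AccessPolicy:
    default_action: str = "block"  # the "Block all traffic" policy from registration
    rules: list = field(default_factory=list)
    zone_of_interface: dict = field(default_factory=dict)

    def assign_zone(self, interface: str, zone: str) -> None:
        """Put an interface in a zone; the guide allows only one zone per interface."""
        current = self.zone_of_interface.get(interface)
        if current is not None and current != zone:
            raise ValueError(f"{interface} is already in security zone {current}")
        self.zone_of_interface[interface] = zone

    def evaluate(self, ingress_interface: str, egress_interface: str) -> str:
        """Return the action for a flow entering and leaving on the given interfaces."""
        src_zone = self.zone_of_interface[ingress_interface]
        dst_zone = self.zone_of_interface[egress_interface]
        for rule in self.rules:  # first matching rule wins
            if src_zone in rule.source_zones and dst_zone in rule.dest_zones:
                return rule.action
        return self.default_action


def build_example_policy() -> AccessPolicy:
    """The guide's setup: inside_zone, outside_zone, one allow rule inside -> outside."""
    policy = AccessPolicy()
    policy.assign_zone("Ethernet1/2", "inside_zone")   # assumed inside interface
    policy.assign_zone("Ethernet1/1", "outside_zone")  # assumed outside interface
    policy.rules.append(AccessRule("inside_to_outside", {"inside_zone"}, {"outside_zone"}, "allow"))
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    print("inside -> outside:", policy.evaluate("Ethernet1/2", "Ethernet1/1"))  # allow
    print("outside -> inside:", policy.evaluate("Ethernet1/1", "Ethernet1/2"))  # block
```

Traffic returning for an inside-initiated connection is handled by the firewall's connection state, not by a separate outside-to-inside rule, so the single allow rule is all this scenario needs.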
Procedure
Step 1 Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense.
Step 2 Click Add Rule, and set the following parameters: