
Figure 20: New Policy

Smart Licensing—Assign the Smart Licenses you need for the features you want to deploy: Malware (if you intend to use malware inspection), Threat (if you intend to use intrusion prevention), and URL (if you intend to implement category-based URL filtering).

Note: You can apply a Secure Client remote access VPN license after you add the device, from the System > Licenses > Smart Licenses page.

Unique NAT ID—Specify the same NAT ID (a unique, one-time string of your choice) that you specified in the threat defense initial configuration.

Transfer Packets—Allow the device to transfer packets to the management center. When events such as IPS or Snort events are triggered with this option enabled, the device sends event metadata and packet data to the management center for inspection. If you disable it, only event information is sent to the management center; packet data is not sent.

Step 3 Click Register, and confirm a successful registration.

If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat defense fails to register, check the following items:

• Ping—Access the threat defense CLI, and ping the management center IP address using the following command:

  ping system ip_address

  If the ping is not successful, check your network settings using the show network command. If you need to change the threat defense Management IP address, use the configure network management-data-interface command.

• Registration key, NAT ID, and management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command.
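The mismatch checks above are the ones most often behind a failed registration, so the following pre-flight checker, an added example that is not part of the Cisco guide, models them in code: the registration key must be identical on both sides, the NAT ID must be identical if either side sets one, DONTRESOLVE on the threat defense (management center behind NAT) requires a NAT ID, and both strings must respect the limit the guide gives (at most 37 characters of A-Z, a-z, 0-9 and the hyphen). It then builds the JSON body a management center devicerecords REST call would take. The endpoint path and the field names hostName, regKey, natID, license_caps and accessPolicy are assumptions drawn from the public management center REST API, which this guide does not cover; the sample key and NAT ID are the guide's own regk3y78 and natid90, and the access policy UUID is a placeholder.

```python
"""Pre-flight check for threat defense <-> management center registration.

Added example, not from the Cisco guide. Models the matching rules the guide
describes and builds the (assumed) devicerecords REST body.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Guide: registration key and NAT ID are at most 37 characters; allowed
# characters are A-Z, a-z, 0-9 and the hyphen.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9-]{1,37}$")
# License capability names as used by the (assumed) REST API.
_LICENSES = {"MALWARE", "THREAT", "URLFilter"}


@dataclass
class FtdManagerConfig:
    """Arguments given to `configure manager add` on the threat defense."""
    manager_host: str            # management center IP/hostname, or DONTRESOLVE
    reg_key: str
    nat_id: Optional[str] = None


@dataclass
class FmcAddDevice:
    """Fields entered in the management center's Add Device dialog."""
    display_name: str
    host: Optional[str]          # threat defense IP/hostname; None if behind NAT
    reg_key: str
    nat_id: Optional[str]
    access_policy_id: str
    licenses: set = field(default_factory=set)


def preflight(ftd: FtdManagerConfig, fmc: FmcAddDevice) -> list:
    """Return the problems that would make registration fail (empty list = OK)."""
    problems = []
    if not _TOKEN_RE.match(ftd.reg_key):
        problems.append("registration key: 1-37 chars of A-Z a-z 0-9 '-' only")
    if fmc.reg_key != ftd.reg_key:
        problems.append("registration key differs between threat defense and management center")
    # The NAT ID authenticates the connection source before the registration
    # key is even checked, so it must be identical whenever either side sets it.
    if (ftd.nat_id or fmc.nat_id) and ftd.nat_id != fmc.nat_id:
        problems.append("NAT ID set on one side only, or differs between the two sides")
    if ftd.nat_id and not _TOKEN_RE.match(ftd.nat_id):
        problems.append("NAT ID: 1-37 chars of A-Z a-z 0-9 '-' only")
    if ftd.manager_host.upper() == "DONTRESOLVE" and not ftd.nat_id:
        problems.append("DONTRESOLVE (management center behind NAT) requires a NAT ID")
    if fmc.host is None and not fmc.nat_id:
        problems.append("no threat defense host on the management center side, so a NAT ID is required")
    unknown = fmc.licenses - _LICENSES
    if unknown:
        problems.append(f"unknown license(s): {sorted(unknown)}")
    return problems


def build_devicerecord(fmc: FmcAddDevice) -> dict:
    """Body for POST /api/fmc_config/v1/domain/{uuid}/devices/devicerecords (assumed API)."""
    body = {
        "name": fmc.display_name,
        "regKey": fmc.reg_key,
        "type": "Device",
        "license_caps": sorted(fmc.licenses),
        "accessPolicy": {"id": fmc.access_policy_id, "type": "AccessPolicy"},
    }
    if fmc.host:
        body["hostName"] = fmc.host
    if fmc.nat_id:
        body["natID"] = fmc.nat_id
    return body


if __name__ == "__main__":
    # Constructed sample: management center behind NAT, so the threat defense
    # was configured with DONTRESOLVE and a NAT ID; both sides use the same key.
    ftd = FtdManagerConfig("DONTRESOLVE", "regk3y78", "natid90")
    fmc = FmcAddDevice("branch-fpr1010", None, "regk3y78", "natid90",
                       "00000000-0000-0000-0000-000000000000",  # placeholder UUID
                       {"THREAT", "MALWARE"})
    print(preflight(ftd, fmc) or "OK")
    print(build_devicerecord(fmc))
```

Run it before clicking Register: an empty problem list means the two sides agree on the values the management center will check; the ping and show network steps still have to be done on the device itself, since reachability cannot be verified offline.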

Cisco Firepower 1010 Getting Started Guide (page 68): Threat Defense Deployment with a Remote Management Center > Register the Threat Defense with the Management Center

Summary of Contents for Firepower 1010

Page 1: ...ng Started Guide First Published 2019 06 13 Last Modified 2022 02 28 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ......

Page 3: ...t available on the threat defense Cisco provides ASA to threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense Threat Defense The threat defense is a next generation firewall that combines an advanced stateful firewall VPN concentrator and next generation IPS In other words the threat defense takes the best of ASA...

Page 4: ...ment center on the Management network see Threat Defense Deployment with the Management Center on page 5 To get started with the management center on a remote network see Threat Defense Deployment with a Remote Management Center on page 47 Secure Firewall Management Center formerly Firepower Management Center The device manager is a web based simplified on device manager Because it is simplified s...

Page 5: ...I is not covered in this guide For more information see the Cisco Secure Firewall Threat Defense REST API Guide Secure Firewall Threat Defense REST API The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses This API does not manage the threat defense directly The management center REST API is not covered in t...

Page 6: ...ith CDO see the CDO home page CDO CSM is a powerful multi device manager that runs on its own server hardware You should use CSM if you need to manage large numbers of ASAs CSM can discover the configuration on the firewall so you can also use the CLI or ASDM CSM does not support managing the threat defenses CSM is not covered in this guide For more information see the CSM user guide Cisco Securit...

Page 7: ...reat defense software or ASA software Switching between threat defense and ASA requires you to reimage the device You should also reimage if you need a different software version than is currently installed See Reimage the Cisco ASA or Firepower Threat Defense Device The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System FXOS The firewall does not s...

Page 8: ... Off the Firewall on page 44 What s Next on page 45 Before You Start Deploy and perform initial configuration of the management center See the Cisco Firepower Management Center 1600 2600 and 4600 Hardware Installation Guide or Cisco Secure Firewall Management Center Virtual Getting Started Guide End to End Procedure See the following tasks to deploy the threat defense with management center on you...

Page 9: ...n Cable the Device 6 5 and Later on page 10 Cable the Device 6 4 on page 12 Pre Configuration Power On the Firewall on page 13 Pre Configuration Optional Check the Software and Install a New Version on page 13 CLI Cisco Firepower 1010 Getting Started Guide 7 Threat Defense Deployment with the Management Center End to End Procedure ...

Page 10: ... a static IP address during initial setup at the console port You can configure other interfaces after you connect the threat defense to the management center Note that Ethernet1 2 through 1 8 are enabled as switch ports by default In 6 5 and earlier the Management interface is configured with an IP address 192 168 45 45 Note The following figure shows the recommended network deployment for the Fi...

Page 11: ...irepower 1010 The management center can only communicate with the threat defense on the Management interface Moreover both the management center and the threat defense require internet access from management for licensing and updates In the following diagram the Firepower 1010 acts as the internet gateway for the Management interface and the management center by connecting Management 1 1 to an ins...

Page 12: ...thernet1 1 as the outside interface and the remaining interfaces as switch ports on the inside network Other topologies can be used and your deployment will vary depending on your requirements For example you can convert the switch ports to firewall interfaces Note Cisco Firepower 1010 Getting Started Guide 10 Threat Defense Deployment with the Management Center Cable the Device 6 5 and Later ...

Page 13: ...ing to the switch ports Ethernet1 2 through 1 8 Management Center Management computer Additional end points Step 4 Connect the management computer to the console port You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface or use the device manager for initial setup Step 5 Connect Ethernet 1 1 to your outside router Cisco Firepower 101...

Page 14: ...e Firepower 1010 and the management center both have the same default management IP address 192 168 45 45 This guide assumes that you will set different IP addresses for your devices during initial setup Note that the management center on 6 5 and later defaults to a DHCP client for the management interface however if there is no DHCP server it will default to 192 168 45 45 Note Step 3 Connect the ...

Page 15: ... it to an electrical outlet The power turns on automatically when you plug in the power cord Step 2 Check the Power LED on the back or top of the device if it is solid green the device is powered on Step 3 Check the Status LED on the back or top of the device after it is solid green the system has passed power on diagnostics Optional Check the Software and Install a New Version To check the softwa...

Page 16: ...first time you log in you are prompted to change the password This password is also used for the threat defense login for SSH If the password was already changed and you do not know it you must perform a factory reset to reset the password to the default See the FXOS troubleshooting guide for the factory reset procedure Note Example firepower login admin Password Admin123 Successful login attempts...

Page 17: ... begin Deploy and perform initial configuration of the management center See the Cisco Firepower Management Center 1600 2600 and 4600 Hardware Installation Guide You will need to know the management center IP address or hostname before you set up the threat defense Use a current version of Firefox Chrome Safari Edge or Internet Explorer Procedure Step 1 Log in to the device manager a Enter one of ...

Page 18: ...nagement Interface settings if you performed intial setup at the CLI Note that setting the Management interface IP address is not part of the setup wizard See Step Step 3 on page 16 to set the Management IP address DNS Servers The DNS server for the firewall s Management interface Enter one or more addresses of DNS servers for name resolution The default is the OpenDNS public DNS servers If you ed...

Page 19: ...aces in the device manager Other device manager configuration will not be retained when you register the device to the management center Step 5 Choose Device System Settings Central Management and click Proceed to set up the management center management Step 6 Configure the Management Center CDO Details Cisco Firepower 1010 Getting Started Guide 17 Threat Defense Deployment with the Management Cen...

Page 20: ... reach the management center using an IP address or hostname or No if the management center is behind NAT or does not have a public IP address or hostname Cisco Firepower 1010 Getting Started Guide 18 Threat Defense Deployment with the Management Center Complete the Threat Defense Initial Configuration Using the Device Manager ...

Page 21: ... verify that the connection is coming from the correct device only after authentication of the IP address NAT ID will the registration key be checked Step 7 Configure the Connectivity Configuration a Specify the FTD Hostname b Specify the DNS Server Group Choose an existing group or create a new one The default DNS group is called CiscoUmbrellaDNSServerGroup which includes the OpenDNS servers c Fo...

Page 22: ...nfiguration settings such as the access control policy are not retained Procedure Step 1 Connect to the threat defense CLI either from the console port or using SSH to the Management interface which obtains an IP address from a DHCP server by default If you intend to change the network settings we recommend using the console port so you do not get disconnected The console port connects to the FXOS...

Page 23: ...ting applies only to the remote management center or device manager management you should set a gateway IP address for Management 1 1 when using the management center on the management network In the edge deployment example shown in the network deployment section the inside interface acts as the management gateway In this case you should set the gateway IP address to be the intended inside interfa...

Page 24: ...o manage it Note that registering the sensor to a Firepower Management Center disables on sensor Firepower Services management capabilities When registering the sensor to a Firepower Management Center a unique alphanumeric registration key is always required In most cases to register a sensor to a Firepower Management Center you must provide the hostname or the IP address along with the registrati...

Page 25: ...center Example configure manager add MC example com 123456 Manager successfully configured If the management center is behind a NAT device enter a unique NAT ID along with the registration key and specify DONTRESOLVE instead of the hostname for example Example configure manager add DONTRESOLVE regk3y78 natid90 Manager successfully configured If the threat defense is behind a NAT device enter a uni...

Page 26: ... master account for your organization Your Smart Software Licensing account must qualify for the Strong Encryption 3DES AES license to use some features enabled using the export compliance flag Procedure Step 1 Make sure your Smart Licensing account contains the available licenses you need When you bought your device from Cisco or a reseller your licenses should have been linked to your Smart Soft...

Page 27: ... Administration Guide for detailed instructions Register the Threat Defense with the Management Center Register the threat defense to the management center manually using the device IP address or hostname Before you begin Gather the following information that you set in the threat defense initial configuration The threat defense management IP address or hostname and NAT ID The management center re...

Page 28: ...play Name Enter the name for the threat defense as you want it to display in the management center Registration Key Enter the same registration key that you specified in the threat defense initial configuration Domain Assign the device to a leaf domain if you have a multidomain environment Group Assign it to a device group if you are using groups Access Control Policy Choose an initial policy Unle...

Page 29: ...ot sent Step 3 Click Register or if you want to add another device click Register and Add Another and confirm a successful registration If the registration succeeds the device is added to the list If it fails you will see an error message If the threat defense fails to register check the following items Ping Access the threat defense CLI and ping the management center IP address using the followin...

Page 30: ...e 41 Configure Interfaces 6 5 and Later Add the VLAN1 interface for the switch ports or convert switch ports to firewall interfaces assign interfaces to security zones and set the IP addresses Typically you must configure at least a minimum of two interfaces to have a system that passes meaningful traffic Normally you would have an outside interface that faces the upstream router or internet and o...

Page 31: ...net1 2 through 1 8 by clicking the slider in the SwitchPort column so it shows as disabled Step 4 Enable the switch ports a Click the Edit for the switch port b Enable the interface by checking the Enabled check box c Optional Change the VLAN ID the default is 1 You will next add a VLAN interface to match this ID d Click OK Step 5 Add the inside VLAN interface a Click Add Interfaces VLAN Interface...

Page 32: ...e zone Then you can configure your access control policy to enable traffic to go from inside to outside but not from outside to inside Most policies only support security zones you can use zones or interface groups in NAT policies prefilter policies and QoS policies f Set the VLAN ID to 1 By default all of the switchports are set to VLAN 1 if you choose a different VLAN ID here you need to also ed...

Page 33: ...asic settings because doing so will disrupt the management center management connection You can still configure the Security Zone on this screen for through traffic policies Note a Enter a Name up to 48 characters in length For example name the interface outside b Check the Enabled check box c Leave the Mode set to None d From the Security Zone drop down list choose an existing outside security zo...

Page 34: ...aces to have a system that passes meaningful traffic Normally you would have an outside interface that faces the upstream router or internet and one or more inside interfaces for your organization s networks Some of these interfaces might be demilitarized zones DMZs where you place publically accessible assets such as your web server A typical edge routing situation is to obtain the outside interf...

Page 35: ... interface must be assigned to a security zone and or interface group An interface can belong to only one security zone but can also belong to multiple interface groups You apply your security policy based on zones or groups For example you can assign the inside interface to the inside zone and the outside interface to the outside zone Then you can configure your access control policy to enable tr...

Page 36: ...ration f Click OK Step 4 Click the Edit for the interface that you want to use for outside The General tab appears If you pre configured this interface for manager access then the interface will already be named enabled and addressed You should not alter any of these basic settings because doing so will disrupt the management center management connection You can still configure the Security Zone o...

Page 37: ...te metric Assigns an administrative distance to the learned route between 1 and 255 The default administrative distance for the learned routes is 1 IPv6 Check the Autoconfiguration check box for stateless autoconfiguration f Click OK Step 5 Click Save Configure the DHCP Server Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense Procedure Step 1 Cho...

Page 38: ...e upstream router reachable from the outside interface If you use DHCP for the outside interface your device might have already received a default route If you need to manually add the route complete this procedure If you received a default route from the DHCP server it will show in the IPv4 Routes or IPv6 Routes table on the Devices Device Management Routing Static Route page Procedure Step 1 Cho...

Page 39: ... move it to the Selected Network list Gateway or IPv6 Gateway Enter or choose the gateway router that is the next hop for this route You can provide an IP address or a Networks Hosts object Metric Enter the number of hops to the destination network Valid values range from 1 to 255 the default value is 1 Step 3 Click OK The route is added to the static route table Cisco Firepower 1010 Getting Start...

Page 40: ...New Policy Threat Defense NAT Step 2 Name the policy select the device s that you want to use the policy and click Save The policy is added the management center You still have to add rules to the policy Step 3 Click Add Rule The Add NAT Rule dialog box appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Cisco Firepower 1010 Getting Started Guide 38 Threat Defense Deploym...

Page 41: ...bjects area to the Destination Interface Objects area Step 6 On the Translation page configure the following options Original Source Click Add to add a network object for all IPv4 traffic 0 0 0 0 0 Cisco Firepower 1010 Getting Started Guide 39 Threat Defense Deployment with the Management Center Configure NAT ...

Page 42: ...the threat defense then you need to add rules to the policy to allow traffic through the device The following procedure adds a rule to allow traffic from the inside zone to the outside zone If you have other zones be sure to add rules allowing traffic to the appropriate networks Procedure Step 1 Choose Policy Access Policy Access Policy and click the Edit for the access control policy assigned to ...

Page 43: ...ep 4 Click Save Deploy the Configuration Deploy the configuration changes to the threat defense none of your changes are active on the device until you deploy them Procedure Step 1 Click Deploy in the upper right Figure 9 Deploy Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices Cisco Firepower 1010 Getting Started Guide 41 Threat Defense...

Page 44: ...he deployment succeeds Click the icon to the right of the Deploy button in the menu bar to see status for deployments Figure 12 Deployment Status Cisco Firepower 1010 Getting Started Guide 42 Threat Defense Deployment with the Management Center Deploy the Configuration ...

Page 45: ... port access which defaults to the FXOS CLI Note Procedure Step 1 To log into the CLI connect your management computer to the console port The Firepower 1000 ships with a USB A to B serial cable Be sure to install any necessary USB serial drivers for your operating system see the Firepower 1010 hardware guide The console port defaults to the FXOS CLI Use the following serial settings 9600 baud 8 d...

Page 46: ...r It s important that you shut down your system properly Simply unplugging the power or pressing the power switch can cause serious file system damage Remember that there are many processes running in the background all the time and unplugging or shutting off the power does not allow the graceful shutdown of your firewall You can shut down your system properly using the management center Procedure...

Page 47: ...ontinue Please enter YES or NO yes INIT Stopping Cisco Threat Defense ok Step 3 Monitor the system prompts as the firewall shuts down You will see the following prompt System is stopped It is safe to power off now Do you want to reboot instead y N Step 4 You can now unplug the power to physically remove power from the chassis if necessary What s Next To continue configuring your threat defense see...

Page 48: ...Cisco Firepower 1010 Getting Started Guide 46 Threat Defense Deployment with the Management Center What s Next ...

Page 49: ... the management center Remote branch deployment requires version 6 7 or later Note About the Firewall The hardware can run either threat defense software or ASA software Switching between threat defense and ASA requires you to reimage the device You should also reimage if you need a different software version than is currently installed See Reimage the Cisco ASA or Firepower Threat Defense Device ...

Page 50: ...e threat defense forwards incoming management traffic over the backplane to the Management interface For outgoing management traffic the Management interface forwards the traffic over the backplane to the data interface Manager access from a data interface has the following limitations You can only enable manager access on one physical data interface You cannot use a subinterface or EtherChannel T...

Page 51: ...ssignments Figure 13 Before You Start Deploy and perform initial configuration of the management center See the Cisco Firepower Management Center 1600 2600 and 4600 Hardware Installation Guide or Cisco Secure Firewall Management Center Virtual Getting Started Guide End to End Procedure See the following tasks to deploy the threat defense with management center on your chassis Cisco Firepower 1010 ...

Page 52: ...age 57 Pre Configuration Using the Device Manager on page 53 CLI or Device Manager Central admin Install the firewall See the hardware installation guide Physical Setup Branch admin Cable the Firewall on page 63 Physical Setup Branch admin Cisco Firepower 1010 Getting Started Guide 50 Threat Defense Deployment with a Remote Management Center End to End Procedure ...

Page 53: ...a New Version To check the software version and if necessary install a different version perform these steps We recommend that you install your target version before you configure the firewall Alternatively you can perform an upgrade after you are up and running but upgrading which preserves your configuration may take longer than using this procedure What Version Should I Run Cisco recommends run...

Page 54: ...ord Enter new password Confirm new password Your password was updated successfully firepower Step 2 At the FXOS CLI show the running version scope ssa show app instance Example Firepower scope ssa Firepower ssa show app instance Application Name Slot ID Admin State Operational State Running Version Startup Version Cluster Oper State ftd 1 Enabled Online 7 2 0 65 7 2 0 65 Not Applicable Step 3 If y...

Page 55: ... device manager to complete the initial configuration You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page After you complete the setup wizard in addition to the default configuraton for the inside interface Ethernet1 2 through 1 8 which are switch ports on VLAN1 you will have configuration for an outside Ethernet1 1 interface that will be maintained whe...

Page 56: ...Cloud Management or Standalone For management center management choose Standalone and then Got It Step 5 Might be required Configure the Management interface See the Management interface on Device Interfaces The Management interface must have the gateway set to data interfaces By default the Management interface receives an IP address and gateway from DHCP If you do not receive a gateway from DHCP...

Page 57: ...Yes if you can reach the management center using an IP address or hostname or No if the management center is behind NAT or does not have a public IP address or hostname Cisco Firepower 1010 Getting Started Guide 55 Threat Defense Deployment with a Remote Management Center Pre Configuration Using the Device Manager ...

Page 58: ...mbrellaDNSServerGroup which includes the OpenDNS servers This setting sets the data interface DNS server The Management DNS server that you set with the setup wizard is used for management traffic The data DNS server is used for DDNS if configured or for security policies applied to this interface You are likley to choose the same DNS server group that you used for Management because both manageme...

Page 59: ...on Settings step go to the management center and add the firewall If you want to cancel the switch to the management center click Cancel Registration Otherwise do not close the device manager browser window until after the Saving Management Center CDO Registration Settings step If you do the process will be paused and will only resume when you reconnect to the device manager If you remain connecte...

Page 60: ...I on the console port The console port connects to the FXOS CLI Step 3 Log in with the username admin and the password Admin123 The first time you log in to the FXOS you are prompted to change the password This password is also used for the threat defense login for SSH If the password was already changed and you do not know it then you must reimage the device to reset the password to the default S...

Page 61: ...d you will need to reconnect If you are connected with SSH you will be disconnected You can reconnect with the new IP address and password if your management computer is on the management network You will not be able to reconnect yet from a remote network due to the default route change through the data interfaces Console connections are not affected Manage the device locally Enter no to use the m...

Page 62: ...ace You are then prompted to configure basic network settings for the outside interface See the following details for using this command The Management interface cannot use DHCP if you want to use a data interface for management If you did not set the IP address manually during initial setup you can set it now using the configure network ipv4 ipv6 manual command If you did not already set the Mana...

Page 63: ... the management center to either the Management interface or another data interface The FQDN that you set in the setup wizard will be used for this interface You can clear the entire device configuration as part of the command you might use this option in a recovery scenario but we do not suggest you use it for initial setup or normal operation To disable data managemement enter the configure netw...

Page 64: ...n key must not exceed 37 characters Valid characters include alphanumerical characters A Z a z 0 9 and the hyphen nat_id Specifies a unique one time string of your choice that you will also specify on the management center When you use a data interface for management then you must specify the NAT ID on both the threat defense and the management center for registration The NAT ID must not exceed 37...

Page 65: ... 1010 see the following steps Figure 18 Cabling a Remote Management Deployment Procedure Step 1 Install the chassis See the hardware installation guide Step 2 Connect the outside interface Ethernet 1 1 to your outside router Step 3 Cable your inside end points to the switch ports Ethernet1 2 through 1 8 Step 4 Optional Connect the management computer to the console port At the branch office the co...

Page 66: ...t to an electrical outlet The power turns on automatically when you plug in the power cord Step 2 Check the Power LED on the back or top of the device if it is solid green the device is powered on Step 3 Check the Status LED on the back or top of the device after it is solid green the system has passed power on diagnostics Central Administrator Post Configuration After the remote branch administra...

Page 67: ... Before you begin Have a master account on the Smart Software Manager If you do not yet have an account click the link to set up a new account The Smart Software Manager lets you create a master account for your organization Your Smart Software Licensing account must qualify for the Strong Encryption 3DES AES license to use some features enabled using the export compliance flag Procedure Step 1 Ma...

Page 68: ...detailed instructions For Low Touch Provisioning you must enable Cloud Assistance for Low Touch Provisioning either when you register with the Smart Software Manager or after you register See the System Licenses Smart Licenses page Register the Threat Defense with the Management Center Register the threat defense to the management center Before you begin Gather the following information that you s...

Page 69: ...y Name Enter the name for the threat defense as you want it to display in the management center Registration Key Enter the same registration key that you specified in the threat defense initial configuration Domain Assign the device to a leaf domain if you have a multidomain environment Group Assign it to a device group if you are using groups Access Control Policy Choose an initial policy Unless ...

Page 70: ...ent center but packet data is not sent Step 3 Click Register and confirm a successful registration If the registration succeeds the device is added to the list If it fails you will see an error message If the threat defense fails to register check the following items Ping Access the threat defense CLI and ping the management center IP address using the following command ping system ip_address If t...

Page 71: ...to have a system that passes meaningful traffic Normally you would have an outside interface that faces the upstream router or internet and one or more inside interfaces for your organization s networks By default Ethernet1 1 is a regular firewall interface that you can use for outside and the remaining interfaces are switch ports on VLAN 1 after you add the VLAN1 interface you can make it your in...

Page 72: ...t for the switch port b Enable the interface by checking the Enabled check box c Optional Change the VLAN ID the default is 1 You will next add a VLAN interface to match this ID d Click OK Step 5 Add the inside VLAN interface a Click Add Interfaces VLAN Interface The General tab appears Cisco Firepower 1010 Getting Started Guide 70 Threat Defense Deployment with a Remote Management Center Configur...

Page 73: ...igure your access control policy to enable traffic to go from inside to outside but not from outside to inside Most policies only support security zones you can use zones or interface groups in NAT policies prefilter policies and QoS policies f Set the VLAN ID to 1 By default all of the switchports are set to VLAN 1 if you choose a different VLAN ID here you need to also edit each switchport to be...

Page 74: ...uld not alter any of these basic settings because doing so will disrupt the management center management connection You must still configure the Security Zone on this screen for through traffic policies a From the Security Zone drop down list choose an existing outside security zone or add a new one by clicking New For example add a zone called outside_zone b Click OK Step 7 Click Save Cisco Firep...

Page 75: ...st be on the same subnet as the selected interface and cannot include the IP address of the interface itself. Enable DHCP Server: Enable the DHCP server on the selected interface. Step 4: Click OK. Step 5: Click Save. Configure NAT: A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (P...

Page 76: ...p 4: Configure the basic rule options. NAT Rule: Choose Auto NAT Rule. Type: Choose Dynamic. Step 5: On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. ...

Page 77: ...0.0.0/0. Note: You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. Translated Source: Choose Destination Interface IP. ...

Page 78: ...nes, be sure to add rules allowing traffic to the appropriate networks. Procedure. Step 1: Choose Policy > Access Policy > Access Policy, and click the Edit for the access control policy assigned to the threat defense. Step 2: Click Add Rule, and set the following parameters. Name: Name this rule, for example inside_to_outside. Source Zones: Select the inside zone from Available Zones and click Add to Source. Desti...

Page 79: ...ic for data interfaces uses the regular routing configuration, and not any static routes configured at setup or at the CLI. For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Command Reference for Secure Firewall Threat Defense. To configure a static route, see the configure network static-routes command. By default, you configure the default ro...

Page 80: ...ions, and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses. a. Click Add to add a new rule, or click Edit to edit an existing rule. b. Configure the rule properties. IP Address: The network object or group that identifies the hosts or networks you are allowing to make SSH connections. Choose an object from the drop-d...

Page 81: ...oy to deploy to selected devices. Figure 22: Deploy All. Figure 23: Advanced Deploy. Step 3: Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. ...

Page 82: ...he interface for SSH connections. SSH access to data interfaces is disabled by default. Note: This procedure describes console port access, which defaults to the FXOS CLI. Procedure. Step 1: To log into the CLI, connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system; see the F...

Page 83: ... management center so you do not disrupt the connection. If you change the management interface type after you add the threat defense to the management center, from data to Management or from Management to data, and the interfaces and network settings are not configured correctly, you can lose management connectivity. This topic helps you troubleshoot the loss of management connectivity. View management ...

Page 84: ...t Received Time: Mon Jun 15 09:02:16 2020 UTC. View the Threat Defense network information: At the threat defense CLI, view the Management and the management center access data interface network settings: show network. > show network: System Information: Hostname: 5516X-4; DNS Servers: 208.67.220.220, 208.67.222.222; Management port: 8305; IPv4 Default route: Gateway: data-interfaces; IPv6 Default route: Gateway: data-...

Page 85: ...nagement interface, which should route over the backplane to the data interfaces: ping system fmc_ip. Capture packets on the Threat Defense internal interface: At the threat defense CLI, capture packets on the internal backplane interface (nlp_int_tap) to see if management packets are being sent: capture name interface nlp_int_tap trace detail match ip any any; show capture name trace detail. Check the inter...

Page 86: ...onfig status is active. Interface state is active. Check routing and NAT: At the threat defense CLI, check that the default route (S*) was added and that internal NAT rules exist for the Management interface (nlp_int_tap): show route. > show route: Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP, D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2...

Page 87: ...lient: show running-config ip-client. > show running-config ip-client: ip-client outside. show conn address fmc_ip. > show conn address 10.89.5.35: 5 in use, 16 most used. Inspect Snort: preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect. TCP nlp_int_tap 10.89.5.29(169.254.1.2):51231 outside 10.89.5.35:8305, idle 0:00:04, bytes 86684, flags UxIO. TCP nlp_int_tap 10.89.5.29(169.254.1.2):8305 outside 10.89.5.35:52019, idle 0:0...
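
The troubleshooting pages above (84 through 87) have you read `show route` and `show conn address fmc_ip` by eye: the default route (S*) must exit the manager access interface, and a TCP/8305 connection must exist between the internal backplane interface nlp_int_tap and the manager address. The following is an added example, not code from the guide: a small Python parser that applies those two checks to pasted CLI output and reports what is missing. The sample outputs are constructed; the addresses (manager 10.89.5.35, outside 10.89.5.29, internal 169.254.1.2, port 8305) follow the guide's own example, the punctuation of the sample lines follows the standard `show conn` and `show route` layout that the extraction above lost (address, NAT counterpart in parentheses, colon, port), and the second connection's idle time and byte count are invented.

```python
"""Added example (not from the guide): parse `show conn address <fmc_ip>` and `show route`
output from the threat defense CLI and apply the management-connection checks the
troubleshooting steps describe. Sample outputs below are constructed."""
import re

SFTUNNEL_PORT = 8305             # "Management port" reported by `show network`
BACKPLANE_IFACE = "nlp_int_tap"  # internal interface that carries Management traffic

# One `show conn` record, e.g.
# TCP nlp_int_tap 10.89.5.29(169.254.1.2):51231 outside 10.89.5.35:8305, idle 0:00:04, bytes 86684, flags UxIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+)(?:\([\d.]+\))?:(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+)(?:\([\d.]+\))?:(?P<port_b>\d+),\s+"
    r"idle\s+\S+,\s+bytes\s+\d+,\s+flags\s+(?P<flags>\S+)"
)
# Static default route from `show route`, e.g.  S*  0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
DEFAULT_ROUTE_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\[\d+/\d+\]\s+via\s+(?P<gw>[\d.]+),\s+(?P<iface>\S+)"
)


def parse_conns(text):
    """Return the connection records in `show conn` output as dicts; summary lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["port_a"], c["port_b"] = int(c["port_a"]), int(c["port_b"])
            conns.append(c)
    return conns


def tunnel_status(conns, fmc_ip):
    """Summarise TCP/8305 connections between the backplane interface and the manager."""
    tunnel = [c for c in conns
              if c["proto"] == "TCP" and BACKPLANE_IFACE in (c["if_a"], c["if_b"])
              and fmc_ip in (c["ip_a"], c["ip_b"]) and SFTUNNEL_PORT in (c["port_a"], c["port_b"])]
    device_initiated = manager_initiated = False
    for c in tunnel:
        # Whichever side carries the manager's address is the manager side.
        fmc_port, local_port = ((c["port_b"], c["port_a"]) if c["ip_b"] == fmc_ip
                                else (c["port_a"], c["port_b"]))
        device_initiated |= fmc_port == SFTUNNEL_PORT     # device reached the manager's listener
        manager_initiated |= local_port == SFTUNNEL_PORT  # manager connected back to the device
    # U = connection up, I = inbound data, O = outbound data (standard conn flags)
    established = bool(tunnel) and all({"U", "I", "O"} <= set(c["flags"]) for c in tunnel)
    return {"connections": len(tunnel), "device_initiated": device_initiated,
            "manager_initiated": manager_initiated, "established": established}


def default_route(text):
    """Return (gateway, interface) of the S* default route, or None if it is missing."""
    for line in text.splitlines():
        m = DEFAULT_ROUTE_RE.match(line.strip())
        if m:
            return m["gw"], m["iface"]
    return None


def triage(conn_text, route_text, fmc_ip, manager_iface="outside"):
    """Apply the routing and connection checks; an empty list means nothing looks wrong."""
    findings = []
    route = default_route(route_text)
    if route is None:
        findings.append("no S* default route: management traffic has no way out of the data interfaces")
    elif route[1] != manager_iface:
        findings.append(f"default route exits {route[1]}, not the manager access interface {manager_iface}")
    status = tunnel_status(parse_conns(conn_text), fmc_ip)
    if status["connections"] == 0:
        findings.append(f"no TCP/{SFTUNNEL_PORT} connection to {fmc_ip} via {BACKPLANE_IFACE}")
    elif not status["established"]:
        findings.append("sftunnel connection exists but is not passing data in both directions")
    return findings


# Constructed sample output; addresses follow the guide's example, the second
# connection's idle time and byte count are invented.
SAMPLE_CONN = """\
5 in use, 16 most used
Inspect Snort:
        preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect
TCP nlp_int_tap 10.89.5.29(169.254.1.2):51231 outside 10.89.5.35:8305, idle 0:00:04, bytes 86684, flags UxIO
TCP nlp_int_tap 10.89.5.29(169.254.1.2):8305 outside 10.89.5.35:52019, idle 0:00:02, bytes 4096, flags UxIO
"""
SAMPLE_ROUTE = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 10.89.5.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
C        10.89.5.0 255.255.255.0 is directly connected, outside
"""

if __name__ == "__main__":
    print(triage(SAMPLE_CONN, SAMPLE_ROUTE, "10.89.5.35") or ["management connection looks healthy"])
```

Paste the real output of both commands into `triage()` with the manager address you registered; two connections (one initiated from each side, both with the U, I and O flags) is the healthy picture shown on page 87. If the route check passes but no connection appears, the next step the guide gives is the `capture` on nlp_int_tap from page 85.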

Page 88: ...ituation. See the following guidelines: Only the previous deployment is available locally on the threat defense; you cannot roll back to any earlier deployments. Rollback is not supported for High Availability or Clustering deployments. The rollback only affects configurations that you can set in the management center. For example, the rollback does not affect any local configuration related to the dedic...

Page 89: ...iguration has been reverted back to transaction id. Following is the rollback summary: Step 2: Check that the management connection was reestablished. In the management center, check the management connection status on the Devices > Device Management > Device > Management > FMC Access Details > Connection Status page. At the threat defense CLI, enter the sftunnel-status-brief command to view the management connect...

Page 90: ...t is safe to power off now. Do you want to reboot instead? [y/N]. If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down. Step 7: You can now unplug the power to physically remove power from the chassis, if necessary. What's Next: To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepowe...

Page 91: ...e the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense...

Page 92: ...ng tasks to deploy threat defense with device manager on your chassis. Install the firewall: See the hardware installation guide (Pre-Configuration). Review the Network Deployment and Default Configuration, on page 91 (Pre-Configuration). Cable the Device, on page 94 (Pre-Configuration). Power On the Firewall, on page 13 (Pre-Configuration). ...

Page 93: ... for the outside interface to connect to your ISP, you can do so after you complete initial setup in device manager. If you cannot use the default management IP address, for example your management network does not include a DHCP server, then you can connect to the console port and perform initial setup at the CLI, including setting the Management IP address, gateway, and other basic networking settings. ...

Page 94: ...ration. The configuration for the firewall after initial setup includes the following: inside IP address: 7.0 and later: 192.168.95.1; pre-7.0: 192.168.1.1. 6.5 and later: Hardware switch; Ethernet 1/2 through 1/8 belong to VLAN 1. 6.4: Software switch (Integrated Routing and Bridging); Ethernet 1/2 through 1/8 belong to bridge group interface BVI 1. outside: Ethernet 1/1; IP address from IPv4 DHCP and IPv6 autoco...

Page 95: ...p.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup. Default routes: Data interfaces: Obtained from outside DHCP, or a gateway IP address you specify during setup. Management interface: 6.6 and later: Obtained from management DHCP. If you do not receive a gateway, then the default route is over the backplane and through the data interfaces. 6.5 and earlier: Over the backplane and through the ...

Page 96: ...net 1/2 through 1/8. The default configuration also configures Ethernet1/1 as outside. Procedure. Step 1: Install and familiarize yourself with your hardware using the hardware installation guide. Step 2: Connect your management computer to one of the following interfaces: Ethernet 1/2 through 1/8: Connect your management computer directly to one of the inside switch ports (Ethernet 1/2 through 1/8). inside ...

Page 97: ...ation. Step 4: Connect inside devices to the remaining switch ports, Ethernet 1/2 through 1/8. Ethernet 1/7 and 1/8 are PoE ports. Power On the Firewall: System power is controlled by the power cord; there is no power button. Note: The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes. Before you begin: It's important that you provide reliable power for your dev...

Page 98: ...ures long-term release numbering (maintenance releases and patches for a longer period of time), or extra long-term release numbering (maintenance releases and patches for the longest period of time, for government certification). Procedure. Step 1: Connect to the CLI. See Access the Threat Defense and FXOS CLI, on page 111 for more information. This procedure shows using the console port, but you can use SSH ...

Page 99: ...nagement interface. b. Perform the reimage procedure in the FXOS troubleshooting guide. (Optional) Change Management Network Settings at the CLI: If you cannot use the default management IP address, then you can connect to the console port and perform initial setup at the CLI, including setting the Management IP address, gateway, and other basic networking settings. You can only configure the Management inte...

Page 100: ... CLI setup script. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter. See the following guidelines: Enter the IPv4 default gateway for the management interface: If you set a manual IP address, enter either data-interfaces or the IP address of the gateway router. The data-interfaces setting sends outbound management traffic over the backplane to exit...

Page 101: ...igure IPv6? (y/n) [n]: n. Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual. Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.15. Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192. Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1. Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com. Enter a ...

Page 102: ...te the setup wizard, you should have a functioning device with a few basic policies in place: An outside (Ethernet1/1) and an inside interface. Ethernet1/2 through 1/8 are switch ports on the inside VLAN1 interface (6.5 and later), or inside bridge group members on BVI1 (6.4). Security zones for the inside and outside interfaces. An access rule trusting all inside to outside traffic. An interface NAT rule that...

Page 103: ...e fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields. Firewall Hostname: The hostname for the system's management address. Step 3: Configure the system time settings and click Next. a. Time Zone: Select the time zone for the system. b. NTP Time Server: Select whether to use the default NTP servers or to manually enter the addresses of your NTP s...

Page 104: ...L (URL Filtering), RA VPN (AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only). Before you begin: Have a master account on the Smart Software Manager. If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization. Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to u...

Page 105: ...yConnect Ordering Guide. Step 2: In the Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a. Click Inventory. b. On the General tab, click New Token. c. On the Create Registration Token dialog box, enter the following settings, and then click Create Token. ...

Page 106: ... your device with a new product key and reload the device. If you do not see this option, your account does not support export-controlled functionality. The token is added to your inventory. d. Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the threat de...

Page 107: ...egister Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token. Step 5: Click Register Device. You return to the Smart License page. While the device registers, you see the following message: ...

Page 108: ...icense with your Cisco Smart Software Manager account and disables the controlled features. You cannot configure the features in new policies, nor can you deploy policies that use the feature. If you enabled the RA VPN license, select the type of license you want to use: Plus, Apex, VPN Only, or Plus and Apex. After you enable features, if you do not have the licenses in your account, you will see the follow...

Page 109: ...a bridge group interface (6.4), or want to convert a switch port to a firewall interface (6.5 and later), choose Device, and then click the link in the Interfaces summary. Click the edit icon for each interface to set the mode and define the IP address and other settings. The following example configures an interface to be used as a demilitarized zone (DMZ), where you place publicly accessible assets such as ...

Page 110: ...ws how to create a new dmz-zone for the dmz interface. Figure 31: Security Zone Object. Step 3: If you want internal clients to use DHCP to obtain an IP address from the device, choose Device > System Settings > DHCP Server, then select the DHCP Servers tab. There is already a DHCP server configured for the inside interface, but you can edit the address pool or even delete it. If you configured other inside in...

Page 111: ...routes for each IP version you use. If you use DHCP to obtain an address for the outside interface, you might already have the default routes that you need. Note: The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on Device > System Settings > Management Interface. The following example shows a default route for IPv4. In...

Page 112: ...ncrypts the connection after inspecting it. Identity: If you want to correlate network activity to individual users, or control network access based on user or user group membership, use the identity policy to determine the user associated with a given source IP address. Security Intelligence: Use the Security Intelligence policy to quickly drop connections from or to blacklisted IP addresses or URLs. By...

Page 113: ...database. Step 7: Click the Deploy button in the menu, then click the Deploy Now button to deploy your changes to the device. Changes are not active on the device until you deploy them. Access the Threat Defense and FXOS CLI: Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting...

Page 114: ...ample: firepower login: admin. Password: (not echoed). Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0. Successful login attempts for user admin: 1. firepower#. Step 2: Access the threat defense CLI: connect ftd. Example: firepower# connect ftd. After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see Command Reference for Secure Firewall Threat Defense. Step 3: To exit the ...

Page 115: ... Example: > show serial-number: JMX1943408S. This information is also shown in show version system, show running-config, and show inventory output. Step 3: To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command: show inventory. a. From the threat defense CLI ...

Page 116: ...ettings > Reboot/Shutdown link. b. Click Shut Down. Step 2: If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt: System is stopped. It is safe to power off now. Do you want to reboot instead? [y/N]. If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down. Step 3: You can now unplug...

Page 117: ...instead? [y/N]. Step 4: You can now unplug the power to physically remove power from the chassis, if necessary. What's Next: To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the device manager, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager. C...

Page 119: ...ed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower T...

Page 120: ...lthough that method is not covered in this guide. Onboarding wizard using CLI registration: Use this manual method if you need to perform any pre-configuration, or if you are using a manager interface that low-touch provisioning does not support. Threat Defense Manager Access Interface: You can use the Management interface or the outside interface for manager access. However, this guide covers outside in...

Page 121: ...will be changed to be the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command. End-to-End Procedure: Low-Touch Provisioning: See the following tasks to deploy the threat defense with CDO using low-touch provisioning. Figure 35: End-to-End Procedure: Low-Touch Pro...

Page 122: ...dmin). Cable the Firewall, on page 129 (Branch Office Tasks, Branch admin). Power On the Firewall, on page 131 (Branch Office Tasks, Branch admin). Onboard a Device with Low-Touch Provisioning, on page 132 (CDO, CDO admin). Configure a Basic Security Policy, on page 145 (CDO, CDO admin). End-to-End Procedure: Onboarding Wizard: See the following tasks to onboard the threat defense to CDO using the onboarding wizard. ...

Page 123: ...og Into CDO, on page 125 (CDO). Install the firewall: See the hardware installation guide (Physical Tasks). Cable the Firewall, on page 133 (Physical Tasks). Power on the Firewall, on page 134 (Physical Tasks). Onboard a Device with the Onboarding Wizard, on page 134 (CDO). ...

Page 124: ...o to cisco.com/go/licensingguide. Before you begin: Have a master account on the Smart Software Manager. If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization. Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to use some features enabled using the export-com...

Page 125: ... after you are up and running, but upgrading (which preserves your configuration) may take longer than using this procedure. What Version Should I Run? Cisco recommends running a Gold Star release, indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bul...

Page 126: ...ple: firepower login: admin. Password: Admin123. Successful login attempts for user admin: 1. Hello admin. You must change your password. Enter new password: Confirm new password: Your password was updated successfully. firepower#. Step 2: At the FXOS CLI, show the running version: scope ssa; show app-instance. Example: Firepower# scope ssa. Firepower /ssa # show app-instance. Application Name, Slot ID, Admin State, Operation...

Page 127: ...ther supported Cisco products. If you have a Cisco Secure Sign-On account, skip ahead to Log Into CDO with Cisco Secure Sign-On, on page 127. If you don't have a Cisco Secure Sign-On account, continue to Create a New Cisco Secure Sign-On Account, on page 125. Create a New Cisco Secure Sign-On Account: The initial sign-on workflow is a four-step process. You need to complete all four steps. Before you begin: ...

Page 128: ...click Register. Figure 39: Create Account. Tip: Enter the email address that you plan to use to log in to CDO, and add an Organization name to represent your company. ...

Page 129: ...tional) Set up Google Authenticator as an additional authenticator. a. Choose the mobile device you are pairing with Google Authenticator and click Next. b. Follow the prompts in the setup wizard to set up Google Authenticator. Step 4: Configure Account Recovery Options for your Cisco Secure Sign-On Account. a. Choose a forgot-password question and answer. b. Choose a recovery phone number for resetting your...

Page 130: ...tep 5: Click the appropriate CDO tile on the Cisco Secure Sign-On dashboard. The CDO tile directs you to https://defenseorchestrator.com, the CDO (EU) tile directs you to https://defenseorchestrator.eu, and the CDO (APJC) tile directs you to https://www.apj.cdo.cisco.com. Figure 41: Cisco SSO Dashboard. Step 6: Click the authenticator logo to choose Duo Security or Google Authenticator, if you have set up both au...

Page 131: ... shipping box. It can also be found on a sticker on the bottom of the firewall chassis. Step 3: Send the firewall serial number to the CDO network administrator at your IT department/central headquarters. Your network administrator needs your firewall serial number to facilitate low-touch provisioning, connect to the firewall, and configure it remotely. Communicate with the CDO administrator to de...

Page 132: ... your wide area network (WAN) modem. Your WAN modem is your branch's connection to the internet, and will be your firewall's route to the internet as well. Step 3: Cable your inside endpoints to the switch ports, Ethernet1/2 through 1/8. Ethernet 1/7 and 1/8 are PoE ports. Step 4: (Optional) Connect the management computer to the console port. At the branch office, the console connection is not required for ev...

Page 133: ...t amber. If this happens, call your IT department. Step 5: Observe the Status LED on the back or top of the device; when the device connects to the Cisco cloud, the Status LED slowly flashes green. If there is a problem, the Status LED flashes amber and green, and the device did not reach the Cisco Cloud. If this happens, make sure that your network cable is connected to the Ethernet 1/1 interface and to you...

Page 134: ...w device has never been logged into or configured for a manager radio button, and click Next. Step 7: For the Policy Assignment, use the drop-down menu to choose an access control policy for the device. If you have no policies configured, choose the Default Access Control Policy. Step 8: For the Subscription License, check each of the feature licenses you want to enable. Click Next. Step 9: (Optional) Add label...

Page 135: ... and 1/8. Procedure. Step 1: Install the chassis. See the hardware installation guide. Step 2: Connect the outside interface (Ethernet 1/1) to your outside router. You can alternatively use the Management interface for manager access. However, this guide primarily covers outside interface access, because it is the most likely scenario for remote branch offices. Step 3: Cable your inside endpoints to the s...

Page 136: ...ting down can cause serious file-system damage. There are many processes running in the background all the time, and losing power does not allow the graceful shutdown of your system. Procedure. Step 1: Attach the power cord to the device, and connect it to an electrical outlet. The power turns on automatically when you plug in the power cord. Step 2: Check the Power LED on the back or top of the device; if ...

Page 137: ...nt to enable. Click Next. Step 8: For the CLI Registration Key, CDO generates a command with the registration key and other parameters. You must copy this command and use it in the initial configuration of the threat defense: configure manager add cdo_hostname registration_key nat_id display_name. Complete initial configuration at the CLI or using the device manager: Perform Initial Configuration Using the...

Page 138: ...erform initial setup using the device manager, all interface configuration completed in the device manager is retained when you switch to CDO for management, in addition to the Management interface and manager access interface settings. Note that other default configuration settings, such as the access control policy, are not retained. Procedure. Step 1: Connect to the threat defense CLI on the console po...

Page 139: ...elines: Configure IPv4 via DHCP or manually? Choose manual. Although you do not plan to use the Management interface, you must set an IP address, for example a private address. You cannot configure a data interface for management if the management interface is set to DHCP, because the default route, which must be data-interfaces (see the next bullet), might be overwritten with one received from the DHCP serv...

Page 140: ...the sensor to a Firepower Management Center, a unique alphanumeric registration key is always required. In most cases, to register a sensor to a Firepower Management Center, you must provide the hostname or the IP address along with the registration key: configure manager add hostname|ip_address registration_key. However, if the sensor and the Firepower Management Center are separated by a NAT device, you...

Page 141: ...nfigure the DNS Platform Settings to match this setting to bring CDO and the threat defense into sync. Also, local DNS servers are only retained by CDO if the DNS servers were discovered at initial registration. For example, if you registered the device using the Management interface, but then later configure a data interface using the configure network management-data-interface command, then you must m...

Page 142: ...Using the Device Manager: Connect to the device manager to perform initial setup of the threat defense. When you perform initial setup using the device manager, all interface configuration completed in the device manager is retained when you switch to CDO for management, in addition to the Management interface and manager access settings. Note that other default configuration settings, such as the acces...

Page 143: ...face. You will not see Management Interface settings if you performed initial setup at the CLI. The Management interface settings are used even though you are enabling the manager access on a data interface. For example, the management traffic that is routed over the backplane through the data interface will resolve FQDNs using the Management interface DNS servers, and not the data interface DNS servers...

Page 144: ...configure additional interfaces, including an interface other than outside or inside that you want to use for the manager access, choose Device, and then click the link in the Interfaces summary. See Configure the Firewall in the Device Manager, on page 107 for more information about configuring interfaces in the device manager. Other device manager configuration will not be retained when you register t...

Page 145: ... or IP address, click Yes. CDO generates the configure manager add command. See Onboard a Device with the Onboarding Wizard, on page 134 to generate the command. ...

Page 146: ...nd the DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings policy to the threat defense that includes a DNS configuration, then that configuration will overwrite the local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to bring CDO and the threat defense into sync. Also, local DNS servers are only reta...

Page 147: ...d will only resume when you reconnect to the device manager. If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager. Figure 49: Successful Connection. Configure a Basic Security Policy: This secti...

Page 148: ...u can alternatively assign switch ports to other VLANs, or convert switch ports to firewall interfaces. A typical edge routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces. The following example configures a routed mode inside interface (VLAN1) with a static address, and a routed mode outside interface using DH...

Page 149: ...LAN interface to match this ID. d. Click OK. Step 5: Add the inside VLAN interface. a. Click Add Interfaces > VLAN Interface. The General tab appears. b. Enter a Name up to 48 characters in length. For example, name the interface inside. ...

Page 150: ...ies only support security zones; you can use zones or interface groups in NAT policies, prefilter policies, and QoS policies. f. Set the VLAN ID to 1. By default, all of the switch ports are set to VLAN 1; if you choose a different VLAN ID here, you need to also edit each switch port to be on the new VLAN ID. You cannot change the VLAN ID after you save the interface; the VLAN ID is both the VLAN tag used and ...

Page 151: ...st, choose an existing outside security zone, or add a new one by clicking New. For example, add a zone called outside_zone. b. Click OK. Step 7: Click Save. Configure the DHCP Server: Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense. Procedure. Step 1: Choose Devices > Device Management, and click the Edit for the device. Step 2: Choose DHCP > DHCP Server. Step 3: O...

Page 152: ...e the DHCP server on the selected interface. Step 4: Click OK. Step 5: Click Save. Configure NAT: A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (PAT). Procedure. Step 1: Choose Devices > NAT, and click New Policy > Threat Defense NAT. Step 2: Name the policy, select the device(s) that you want to use the ...
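
Two places in this guide impose address-plan constraints that are only enforced when you press Enter or Save: the CLI setup script on page 101 (management IP 10.10.10.15 with netmask 255.255.255.192 and a gateway that is either 10.10.10.1 or the data-interfaces keyword), and the DHCP server procedure on pages 75, 151 and 152 (the address pool must be on the same subnet as the selected interface and cannot include the interface's own address). As an added example that is not part of the guide, the Python below checks those constraints ahead of time with the standard ipaddress module and suggests a valid pool. The sample values are the guide's own (the setup-script example and the 7.0 default inside address 192.168.95.1) plus constructed inputs; the network/broadcast check is a general IPv4 rule, not something the guide states.

```python
"""Added example (not from the guide): pre-check the management network settings and the
DHCP pool the guide asks you to enter, using the rules the guide states. Sample values
are the guide's defaults plus constructed inputs."""
import ipaddress

DATA_INTERFACES = "data-interfaces"  # gateway keyword accepted by the CLI setup script


def management_settings_problems(ip, netmask, gateway):
    """Check the setup-script answers: a usable host address, and a gateway that is either
    the data-interfaces keyword or a different host on the same subnet."""
    problems = []
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("management IP is the network or broadcast address of its subnet")
    if gateway != DATA_INTERFACES:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            problems.append(f"gateway {gw} is not on the management subnet {net}")
        elif gw == iface.ip:
            problems.append("gateway is the management IP itself")
    return problems


def dhcp_pool_problems(interface_ip, netmask, pool_start, pool_end):
    """Check a DHCP pool against the rules the guide states: same subnet as the interface,
    and not containing the interface's own address."""
    problems = []
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{netmask}")
    net = iface.network
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if start > end:
        problems.append("pool start is after pool end")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not within the interface subnet {net}")
    if start <= iface.ip <= end:
        problems.append(f"pool includes the interface address {iface.ip}")
    # General IPv4 rule (not stated in the guide): network and broadcast addresses are not leasable.
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


def suggest_dhcp_pool(interface_ip, netmask):
    """Return the largest contiguous range of usable addresses that excludes the interface
    address, as (start, end) strings, or None if the subnet has no room for a pool."""
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{netmask}")
    net = iface.network
    first, last = net.network_address + 1, net.broadcast_address - 1
    candidates = [(first, iface.ip - 1), (iface.ip + 1, last)]   # below and above the interface
    start, end = max(candidates, key=lambda r: int(r[1]) - int(r[0]))
    if end < start:
        return None
    return str(start), str(end)


if __name__ == "__main__":
    # Values from the guide's setup-script example and the default inside interface.
    print(management_settings_problems("10.10.10.15", "255.255.255.192", "10.10.10.1"))
    print(dhcp_pool_problems("192.168.95.1", "255.255.255.0", "192.168.95.2", "192.168.95.254"))
    print(suggest_dhcp_pool("192.168.95.1", "255.255.255.0"))
```

Run the checks on the values you intend to type before touching the console, or feed them the addresses your ISP or DHCP server handed out after the fact; an empty list means the guide's stated rules are satisfied.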

Page 153: ...appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Type Choose Dynamic Step 5 On the Interface Objects page add the outside zone from the Available Interface Objects area to the Destination Interface Objects area Cisco Firepower 1010 Getting Started Guide 151 Threat Defense Deployment with CDO Configure NAT ...

Page 154: ... traffic 0 0 0 0 0 You cannot use the system defined any ipv4 object because Auto NAT rules add NAT as part of the object definition and you cannot edit system defined objects Note Translated Source Choose Destination Interface IP Cisco Firepower 1010 Getting Started Guide 152 Threat Defense Deployment with CDO Configure NAT ...

Page 155: ...ve other zones be sure to add rules allowing traffic to the appropriate networks Procedure Step 1 Choose Policy Access Policy Access Policy and click the Edit for the access control policy assigned to the threat defense Step 2 Click Add Rule and set the following parameters Name Name this rule for example inside_to_outside Source Zones Select the inside zone from Available Zones and click Add to S...

Page 156: ...n SSH traffic for data interfaces uses the regular routing configuration, and not any static routes configured at setup or at the CLI. For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Command Reference for Secure Firewall Threat Defense. To configure a static route, see the configure network static-routes command. By default, you configure the...

Page 157: ...SSH connections and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses. a) Click Add to add a new rule, or click Edit to edit an existing rule. b) Configure the rule properties. IP Address: The network object or group that identifies the hosts or networks you are allowing to make SSH connections. Choose an object from...

Page 158: ...vanced Deploy to deploy to selected devices. Figure 51: Deploy All. Figure 52: Advanced Deploy. Step 3: Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. ...

Page 159: ...I using the connect fxos command. You can later connect to the address on a data interface if you open the interface for SSH connections; SSH access to data interfaces is disabled by default. Note: This procedure describes console port access, which defaults to the FXOS CLI. Procedure: Step 1: To log into the CLI, connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-...

Page 160: ...must be careful about changing the interface and network settings for the threat defense in CDO so you do not disrupt the connection. If you change the management interface type after you add the threat defense to CDO (from data to Management, or from Management to data), and the interfaces and network settings are not configured correctly, you can lose management connectivity. This topic helps you troubl...

Page 161: ...nd Time: Mon Jun 15 09:02:08 2020 UTC. Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC. View the threat defense network information. At the threat defense CLI, view the Management and manager access data interface network settings: show network. Output of show network: System Information: Hostname: 5516X-4; DNS Servers: 208.67.220.220, 208.67.222.222; Management port: 8305; IPv4 Default route: Gateway: data-interfaces; I...

Page 162: ..._hostname. At the threat defense CLI, use the following command to ping CDO from the Management interface, which should route over the backplane to the data interfaces: ping system cdo_hostname. Capture packets on the threat defense internal interface. At the threat defense CLI, capture packets on the internal backplane interface (nlp_int_tap) to see if management packets are being sent: capture name interf...

Page 163: ...e drop rate 0 pkts/sec. Control Point Interface States: Interface number is 14; Interface config status is active; Interface state is active. Check routing and NAT. At the threat defense CLI, check that the default route (S) was added and that internal NAT rules exist for the Management interface (nlp_int_tap): show route. Output of show route: Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP, D - EIGRP, EX - EIGRP exte...

Page 164: ...e outside sftunnel port 8305: show running-config ip-client. Output of show running-config ip-client: ip-client outside. show conn address fmc_ip. Output of show conn address 10.89.5.35: 5 in use, 16 most used. Inspect Snort: preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect. TCP nlp_int_tap 10.89.5.29(169.254.1.2):51231 outside 10.89.5.35:8305, idle 0:00:04, bytes 86684, flags UxIO. TCP nlp_int_tap 10.89.5...

Page 165: ... is available locally on the threat defense; you cannot roll back to any earlier deployments. The rollback only affects configurations that you can set in CDO. For example, the rollback does not affect any local configuration related to the dedicated Management interface, which you can only configure at the threat defense CLI. Note that if you changed data interface settings after the last CDO deploymen...

Page 166: ...nt connection status on the Devices > Device Management > Device > Management > Manager Access - Configuration Details > Connection Status page. At the threat defense CLI, enter the sftunnel-status-brief command to view the management connection status. If it takes more than 10 minutes to reestablish the connection, you should troubleshoot the connection. See Troubleshoot Management Connectivity on a Data Interfac...

Page 167: ...em is stopped. It is safe to power off now. Do you want to reboot instead? [y/N]. If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down. Step 7: You can now unplug the power to physically remove power from the chassis if necessary. What's Next: To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page. ...


Page 169: ...alled the Secure Firewall eXtensible Operating System (FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense for more information. Privacy Collection Statement: The firewall does not require or actively collect ...

Page 170: ...ses. Unsupported Features. General ASA Unsupported Features: The following ASA features are not supported on the Firepower 1010: Multiple context mode; Active/Active failover; Redundant interfaces; Clustering; ASA REST API; ASA FirePOWER module; Botnet Traffic Filter; the following inspections: SCTP inspection maps (SCTP stateful inspection using ACLs is supported), Diameter, GTP/GPRS. VLAN Interface and Switch Po...

Page 171: ... Repeat Password: ciscoasa# configure terminal. ciscoasa(config)#. 4. Clear the current configuration using the clear configure all command. 5. Paste the modified configuration at the ASA CLI. This guide assumes a factory default configuration, so if you paste in an existing configuration, some of the procedures in this guide will not apply to your ASA. Firepower 1010 Configuration / ASA 5500-X Configuration: Eth...

Page 172: ...nagement 1/1. SSH is not affected. (Initial ASDM access.) Make sure you change the interface IDs to match the new hardware IDs. For example, the ASA 5525-X includes Management 0/0 and GigabitEthernet 0/0 through 0/5. The Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. (Interface IDs.) The Firepower 1010 only allows a single boot system command, so you should remove all but one command befo...

Page 173: ...onfiguration, on page 172. Pre-Configuration: Cable the Device, on page 175. Pre-Configuration: Power On the Firewall, on page 13. Pre-Configuration: (Optional) Change the IP Address, on page 177. ASA CLI: Log Into the ASDM, on page 178. ASDM: ...

Page 174: ...Wizard. If you cannot use the default Management IP address for ASDM access, you can set the Management IP address at the ASA CLI. See (Optional) Change the IP Address, on page 177. If you need to change the inside IP address, you can do so using the ASDM Startup Wizard. For example, you may need to change the inside IP address in the following circumstances: If the outside interface tries to obtain an IP ad...

Page 175: ...P address 192.168.1.1. DHCP server on inside interface/management interface. Default route from outside DHCP. ASDM access: Management and inside hosts allowed. Management hosts are limited to the 192.168.45.0/24 network, and inside hosts are limited to the 192.168.1.0/24 network. NAT: Interface PAT for all traffic from inside to outside. DNS servers: OpenDNS servers are pre-configured. The configuration cons...

Page 176: ...t access vlan 1
  interface Ethernet1/4
   no shutdown
   switchport
   switchport mode access
   switchport access vlan 1
  interface Ethernet1/5
   no shutdown
   switchport
   switchport mode access
   switchport access vlan 1
  interface Ethernet1/6
   no shutdown
   switchport
   switchport mode access
   switchport access vlan 1
  interface Ethernet1/7
   no shutdown
   switchport
   switchport mode access
   switchport access vlan 1
  interface Et...

Page 177: ...ation also configures Ethernet 1/1 as outside. Procedure: Step 1: Install and familiarize yourself with your hardware using the hardware installation guide. Step 2: Connect your management computer to one of the following interfaces. Ethernet 1/2 through 1/8: Connect your management computer directly to one of the inside switch ports (Ethernet 1/2 through 1/8). The inside interface has a default IP address ...

Page 178: ...can access the License Authority. Step 4: Connect inside devices to the remaining inside switch ports (Ethernet 1/2 through 1/8). Ethernet 1/7 and 1/8 are PoE ports. Power On the Firewall. System power is controlled by the power cord; there is no power button. Note: The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes. Before you begin: It's important that you p...

Page 179: ...r chosen IP address: configure factory-default ip_address mask. Example: ciscoasa(config)# configure factory-default 10.1.1.151 255.255.255.0. Based on the management IP address and mask, the DHCP address pool size is reduced to 103 from the platform limit 256. WARNING: The boot system configuration will be cleared. The first image found in disk0 will be used to boot the system on the next reload. Verify the...

Page 180: ...then your HTTPS connection will be dropped on that interface, and you cannot reconnect. The exception to this rule is if you are connected to a management-only interface, such as Management 1/1. SSH is not affected. If you lose your HTTPS connection, you can connect to the console port to reconfigure the ASA, connect to a management-only interface, or connect to an interface not configured for a strong en...

Page 181: ...tion license to your account: AnyConnect (AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only). The ASA includes 3DES capability by default for management access only, so you can connect to the Smart Software Manager and also use ASDM immediately. You can also use SSH and SCP if you later configure SSH access on the ASA. Other features that require strong encryption, such as VPN, must have Strong Encryp...

Page 182: ...Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs. Figure 54: License Search. Standard license: L-FPR1000-ASA. The Standard license is free, but you still need to add it to your Smart Software Licensing account. Security Plus license: L-FPR1010-SEC-PL. The Securit...

Page 183: ...ducts registered with this token. Enables the export-compliance flag. The token is added to your inventory. d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA. ...

Page 184: ...t Software Manager. Step 6: Click Register. The ASA registers with the Smart Software Manager using the pre-configured outside interface, and requests authorization for the configured license entitlements. The Smart Software Manager also applies the Strong Encryption (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Propert...

Page 185: ...10: Quit ASDM and relaunch it. When you change licenses, you need to relaunch ASDM to show updated screens. Configure the ASA. Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure: Step 1: Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. ...

Page 186: ... and enabling interfaces; Static routes; The DHCP server; And more. Step 3: (Optional) From the Wizards menu, run other wizards. Step 4: To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. ...

Page 187: ...o parity, 1 stop bit. You connect to the ASA CLI. There are no user credentials required for console access by default. Step 2: Access privileged EXEC mode: enable. You are prompted to change the password the first time you enter the enable command. Example: ciscoasa> enable. Password: The enable password is not set. Please set it now. Enter Password: Repeat Password: ciscoasa#. The enable password that you set on ...

Page 188: ...s required. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x. Within FXOS, you can view user activity using the scope security / show audit-logs command. Example: ciscoasa# connect fxos admin. Connecting to fxos. Connected to fxos. Escape character sequence is 'CTRL-^X'. firepower#. firepower# exit. Connection with FXOS terminated. Type help or '?' for a list of available commands. ciscoasa#. What's Next: To contin...

Page 189: ... © 2022 Cisco Systems, Inc. All rights reserved. ...

