background image

If you configure DDNS before you add the threat defense to CDO, the threat defense automatically adds
certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can
validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server
that uses the DynDNS Remote API specification (

https://help.dyn.com/remote-access-api/).

Step 11

Click

Connect

. The

Registration Status

dialog box shows the current status of the switch to CDO. After the

Saving Management Center/CDO Registration Settings

step, go to CDO, and add the firewall.

If you want to cancel the switch to CDO, click

Cancel Registration

. Otherwise, do not close the device

manager browser window until after the

Saving Management Center/CDO Registration Settings

step. If

you do, the process will be paused, and will only resume when you reconnect to the device manager.

If you remain connected to the device manager after the

Saving Management Center/CDO Registration

Settings

step, you will eventually see the

Successful Connection with Management Center or CDO

dialog

box, after which you will be disconnected from the device manager.

Figure 47: Successful Connection

Configure a Basic Security Policy

This section describes how to configure a basic security policy with the following settings:

• Inside and outside interfaces—Assign a static IP address to the inside interface. You configured basic

settings for the outside interface as part of the manager access setup, but you still need to assign it to a
security zone.

• DHCP server—Use a DHCP server on the inside interface for clients.

• NAT—Use interface PAT on the outside interface.

• Access control—Allow traffic from inside to outside.

• SSH—Enable SSH on the manager access interface.

Cisco Firepower 1100 Getting Started Guide

137

Threat Defense Deployment with CDO

Configure a Basic Security Policy

Summary of Contents for Firepower 1100

Page 1: ...ng Started Guide First Published 2019 06 13 Last Modified 2022 06 09 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ......

Page 3: ...t available on the threat defense Cisco provides ASA to threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense Threat Defense The threat defense is a next generation firewall that combines an advanced stateful firewall VPN concentrator and next generation IPS In other words the threat defense takes the best of ASA...

Page 4: ...ment center on the Management network see Threat Defense Deployment with the Management Center on page 5 To get started with the management center on a remote network see Threat Defense Deployment with a Remote Management Center on page 41 Secure Firewall Management Center formerly Firepower Management Center The device manager is a web based simplified on device manager Because it is simplified s...

Page 5: ...I is not covered in this guide For more information see the Cisco Secure Firewall Threat Defense REST API Guide Secure Firewall Threat Defense REST API The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses This API does not manage the threat defense directly The management center REST API is not covered in t...

Page 6: ...ith CDO see the CDO home page CDO CSM is a powerful multi device manager that runs on its own server hardware You should use CSM if you need to manage large numbers of ASAs CSM can discover the configuration on the firewall so you can also use the CLI or ASDM CSM does not support managing the threat defenses CSM is not covered in this guide For more information see the CSM user guide Cisco Securit...

Page 7: ...ense software or ASA software Switching between threat defense and ASA requires you to reimage the device You should also reimage if you need a different software version than is currently installed See Reimage the Cisco ASA or Firepower Threat Defense Device The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System FXOS The firewall does not support t...

Page 8: ...t s Next on page 40 Before You Start Deploy and perform initial configuration of the management center See the Cisco Firepower Management Center 1600 2600 and 4600 Hardware Installation Guide or Cisco Secure Firewall Management Center Virtual Getting Started Guide End to End Procedure See the following tasks to deploy the threat defense with the management center on your chassis Cisco Firepower 11...

Page 9: ...age 8 Pre Configuration Cable the Firewall on page 10 Pre Configuration Power on the Firewall on page 12 Pre Configuration Optional Check the Software and Install a New Version on page 13 CLI Cisco Firepower 1100 Getting Started Guide 7 Threat Defense Deployment with the Management Center End to End Procedure ...

Page 10: ... is enabled and configured as a DHCP client If your network does not include a DHCP server you can set the Management interface to use a static IP address during initial setup at the console port You can configure other interfaces after you connect the threat defense to the management center In 6 5 and earlier the Management interface is configured with an IP address 192 168 45 45 Note See the fol...

Page 11: ...nse managamement In the following diagram the Firepower 1100 acts as the internet gateway for the management interface and the management center by connecting Management 1 1 to an inside interface through a Layer 2 switch and by connecting the management center and management computer to the switch This direct connection is allowed because the management interface is separate from the other interf...

Page 12: ...nd your deployment will vary depending on your basic logical network connectivity ports addressing and configuration requirements Note Procedure Step 1 Install the chassis See the hardware installation guide Step 2 Cable for a separate management network Cisco Firepower 1100 Getting Started Guide 10 Threat Defense Deployment with the Management Center Cable the Firewall ...

Page 13: ...use the console port to access the CLI for initial setup if you do not use SSH to the Management interface or use the device manager for initial setup c Connect the inside interface for example Ethernet 1 2 to your inside router d Connect the outside interface for example Ethernet 1 1 to your outside router e Connect other networks to the remaining interfaces Step 3 Cable for an edge deployment Ci...

Page 14: ...device manager for initial setup c Connect the outside interface for example Ethernet 1 1 to your outside router d Connect other networks to the remaining interfaces Power on the Firewall System power is controlled by a rocker power switch located on the rear of the device The power switch is implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk...

Page 15: ...power until the Power LED is completely off Note Optional Check the Software and Install a New Version To check the software version and if necessary install a different version perform these steps We recommend that you install your target version before you configure the firewall Alternatively you can perform an upgrade after you are up and running but upgrading which preserves your configuration...

Page 16: ...password Confirm new password Your password was updated successfully firepower Step 2 At the FXOS CLI show the running version scope ssa show app instance Example Firepower scope ssa Firepower ssa show app instance Application Name Slot ID Admin State Operational State Running Version Startup Version Cluster Oper State ftd 1 Enabled Online 7 2 0 65 7 2 0 65 Not Applicable Step 3 If you want to ins...

Page 17: ...Management interface is a DHCP client so the IP address depends on your DHCP server You might have to set the Management IP address to a static address as part of this procedure so we recommend that you use the inside interface so you do not become disconnected b Log in with the username admin and the default password Admin123 c You are prompted to read and accept the End User License Agreement an...

Page 18: ... Time Server Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers You can add multiple servers to provide backups c Select Start 90 day evaluation period without registration Do not register the threat defense with the Smart Software Manager all licensing is performed on the management center d Click Finish e You are prompted to choose Cloud Manageme...

Page 19: ... reach the management center using an IP address or hostname or No if the management center is behind NAT or does not have a public IP address or hostname Cisco Firepower 1100 Getting Started Guide 17 Threat Defense Deployment with the Management Center Complete the Threat Defense Initial Configuration Using the Device Manager ...

Page 20: ... verify that the connection is coming from the correct device only after authentication of the IP address NAT ID will the registration key be checked Step 7 Configure the Connectivity Configuration a Specify the FTD Hostname b Specify the DNS Server Group Choose an existing group or create a new one The default DNS group is called CiscoUmbrellaDNSServerGroup which includes the OpenDNS servers c Fo...

Page 21: ...nfiguration settings such as the access control policy are not retained Procedure Step 1 Connect to the threat defense CLI either from the console port or using SSH to the Management interface which obtains an IP address from a DHCP server by default If you intend to change the network settings we recommend using the console port so you do not get disconnected The console port connects to the FXOS...

Page 22: ...ting applies only to the remote management center or device manager management you should set a gateway IP address for Management 1 1 when using the management center on the management network In the edge deployment example shown in the network deployment section the inside interface acts as the management gateway In this case you should set the gateway IP address to be the intended inside interfa...

Page 23: ...o manage it Note that registering the sensor to a Firepower Management Center disables on sensor Firepower Services management capabilities When registering the sensor to a Firepower Management Center a unique alphanumeric registration key is always required In most cases to register a sensor to a Firepower Management Center you must provide the hostname or the IP address along with the registrati...

Page 24: ...center Example configure manager add MC example com 123456 Manager successfully configured If the management center is behind a NAT device enter a unique NAT ID along with the registration key and specify DONTRESOLVE instead of the hostname for example Example configure manager add DONTRESOLVE regk3y78 natid90 Manager successfully configured If the threat defense is behind a NAT device enter a uni...

Page 25: ... master account for your organization Your Smart Software Licensing account must qualify for the Strong Encryption 3DES AES license to use some features enabled using the export compliance flag Procedure Step 1 Make sure your Smart Licensing account contains the available licenses you need When you bought your device from Cisco or a reseller your licenses should have been linked to your Smart Soft...

Page 26: ...mart Software Manager See the Cisco Secure Firewall Management Center Administration Guide for detailed instructions Register the Threat Defense with the Management Center Register the threat defense to the management center manually using the device IP address or hostname Before you begin Gather the following information that you set in the threat defense initial configuration The threat defense ...

Page 27: ...play Name Enter the name for the threat defense as you want it to display in the management center Registration Key Enter the same registration key that you specified in the threat defense initial configuration Domain Assign the device to a leaf domain if you have a multidomain environment Group Assign it to a device group if you are using groups Access Control Policy Choose an initial policy Unle...

Page 28: ...ot sent Step 3 Click Register or if you want to add another device click Register and Add Another and confirm a successful registration If the registration succeeds the device is added to the list If it fails you will see an error message If the threat defense fails to register check the following items Ping Access the threat defense CLI and ping the management center IP address using the followin...

Page 29: ... page 35 Deploy the Configuration on page 36 Configure Interfaces Enable the threat defense interfaces assign them to security zones and set the IP addresses Typically you must configure at least a minimum of two interfaces to have a system that passes meaningful traffic Normally you would have an outside interface that faces the upstream router or internet and one or more inside interfaces for yo...

Page 30: ...al tab appears a Enter a Name up to 48 characters in length For example name the interface inside b Check the Enabled check box c Leave the Mode set to None d From the Security Zone drop down list choose an existing inside security zone or add a new one by clicking New Cisco Firepower 1100 Getting Started Guide 28 Threat Defense Deployment with the Management Center Configure Interfaces ...

Page 31: ...rom inside to outside but not from outside to inside Most policies only support security zones you can use zones or interface groups in NAT policies prefilter policies and QoS policies e Click the IPv4 and or IPv6 tab IPv4 Choose Use Static IP from the drop down list and enter an IP address and subnet mask in slash notation For example enter 192 168 1 1 24 IPv6 Check the Autoconfiguration check bo...

Page 32: ...outside_zone e Click the IPv4 and or IPv6 tab IPv4 Choose Use DHCP and configure the following optional parameters Obtain default route using DHCP Obtains the default route from the DHCP server DHCP route metric Assigns an administrative distance to the learned route between 1 and 255 The default administrative distance for the learned routes is 1 IPv6 Check the Autoconfiguration check box for sta...

Page 33: ...default route normally points to the upstream router reachable from the outside interface If you use DHCP for the outside interface your device might have already received a default route If you need to manually add the route complete this procedure If you received a default route from the DHCP server it will show in the IPv4 Routes or IPv6 Routes table on the Devices Device Management Routing Sta...

Page 34: ... move it to the Selected Network list Gateway or IPv6 Gateway Enter or choose the gateway router that is the next hop for this route You can provide an IP address or a Networks Hosts object Metric Enter the number of hops to the destination network Valid values range from 1 to 255 the default value is 1 Step 3 Click OK The route is added to the static route table Cisco Firepower 1100 Getting Start...

Page 35: ...New Policy Threat Defense NAT Step 2 Name the policy select the device s that you want to use the policy and click Save The policy is added the management center You still have to add rules to the policy Step 3 Click Add Rule The Add NAT Rule dialog box appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Cisco Firepower 1100 Getting Started Guide 33 Threat Defense Deploym...

Page 36: ...bjects area to the Destination Interface Objects area Step 6 On the Translation page configure the following options Original Source Click Add to add a network object for all IPv4 traffic 0 0 0 0 0 Cisco Firepower 1100 Getting Started Guide 34 Threat Defense Deployment with the Management Center Configure NAT ...

Page 37: ...the threat defense then you need to add rules to the policy to allow traffic through the device The following procedure adds a rule to allow traffic from the inside zone to the outside zone If you have other zones be sure to add rules allowing traffic to the appropriate networks Procedure Step 1 Choose Policy Access Policy Access Policy and click the Edit for the access control policy assigned to ...

Page 38: ...ep 4 Click Save Deploy the Configuration Deploy the configuration changes to the threat defense none of your changes are active on the device until you deploy them Procedure Step 1 Click Deploy in the upper right Figure 9 Deploy Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices Cisco Firepower 1100 Getting Started Guide 36 Threat Defense...

Page 39: ...he deployment succeeds Click the icon to the right of the Deploy button in the menu bar to see status for deployments Figure 12 Deployment Status Cisco Firepower 1100 Getting Started Guide 37 Threat Defense Deployment with the Management Center Deploy the Configuration ...

Page 40: ...edure Step 1 To log into the CLI connect your management computer to the console port Be sure to install any necessary USB serial drivers for your operating system see the Firepower 1100 hardware guide The console port defaults to the FXOS CLI Use the following serial settings 9600 baud 8 data bits No parity 1 stop bit You connect to the FXOS CLI Log in to the CLI using the admin username and the ...

Page 41: ... power switch can cause serious file system damage Remember that there are many processes running in the background all the time and unplugging or shutting off the power does not allow the graceful shutdown of your firewall You can shut down your system properly using the management center Procedure Step 1 Choose Devices Device Management Step 2 Next to the device that you want to restart click th...

Page 42: ...ontinue Please enter YES or NO yes INIT Stopping Cisco Threat Defense ok Step 3 Monitor the system prompts as the firewall shuts down You will see the following prompt System is stopped It is safe to power off now Do you want to reboot instead y N Step 4 You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary What s Next To continue confi...

Page 43: ... the management center Remote branch deployment requires version 6 7 or later Note About the Firewall The hardware can run either threat defense software or ASA software Switching between threat defense and ASA requires you to reimage the device You should also reimage if you need a different software version than is currently installed See Reimage the Cisco ASA or Firepower Threat Defense Device ...

Page 44: ...terface the threat defense forwards incoming management traffic over the backplane to the Management interface For outgoing management traffic the Management interface forwards the traffic over the backplane to the data interface Manager access from a data interface has the following limitations You can only enable manager access on one physical data interface You cannot use a subinterface or Ethe...

Page 45: ...re You Start Deploy and perform initial configuration of the management center See the Cisco Firepower Management Center 1600 2600 and 4600 Hardware Installation Guide or Cisco Secure Firewall Management Center Virtual Getting Started Guide End to End Procedure Manual Provisioning See the following tasks to deploy the threat defense with the management center on your chassis using manual provision...

Page 46: ...47 Pre Configuration Using the CLI on page 51 CLI or Device Manager Central admin Install the firewall See the hardware installation guide Physical Setup Branch admin Cable the Firewall on page 57 Physical Setup Branch admin Cisco Firepower 1100 Getting Started Guide 44 Threat Defense Deployment with a Remote Management Center End to End Procedure Manual Provisioning ...

Page 47: ...on To check the software version and if necessary install a different version perform these steps We recommend that you install your target version before you configure the firewall Alternatively you can perform an upgrade after you are up and running but upgrading which preserves your configuration may take longer than using this procedure What Version Should I Run Cisco recommends running a Gold...

Page 48: ...ssword Confirm new password Your password was updated successfully firepower Step 2 At the FXOS CLI show the running version scope ssa show app instance Example Firepower scope ssa Firepower ssa show app instance Application Name Slot ID Admin State Operational State Running Version Startup Version Cluster Oper State ftd 1 Enabled Online 7 2 0 65 7 2 0 65 Not Applicable Step 3 If you want to insta...

Page 49: ...irst log into the device manager to complete the initial configuration You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page After you complete the setup wizard in addition to the default configuraton for the inside interface Ethernet1 2 you will have configuration for an outside Ethernet1 1 interface that will be maintained when you switch to management ...

Page 50: ...Cloud Management or Standalone For management center management choose Standalone and then Got It Step 5 Might be required Configure the Management interface See the Management interface on Device Interfaces The Management interface must have the gateway set to data interfaces By default the Management interface receives an IP address and gateway from DHCP If you do not receive a gateway from DHCP...

Page 51: ...Yes if you can reach the management center using an IP address or hostname or No if the management center is behind NAT or does not have a public IP address or hostname Cisco Firepower 1100 Getting Started Guide 49 Threat Defense Deployment with a Remote Management Center Pre Configuration Using the Device Manager ...

Page 52: ...mbrellaDNSServerGroup which includes the OpenDNS servers This setting sets the data interface DNS server The Management DNS server that you set with the setup wizard is used for management traffic The data DNS server is used for DDNS if configured or for security policies applied to this interface You are likley to choose the same DNS server group that you used for Management because both manageme...

Page 53: ...on Settings step go to the management center and add the firewall If you want to cancel the switch to the management center click Cancel Registration Otherwise do not close the device manager browser window until after the Saving Management Center CDO Registration Settings step If you do the process will be paused and will only resume when you reconnect to the device manager If you remain connecte...

Page 54: ...I on the console port The console port connects to the FXOS CLI Step 3 Log in with the username admin and the password Admin123 The first time you log in to the FXOS you are prompted to change the password This password is also used for the threat defense login for SSH If the password was already changed and you do not know it then you must reimage the device to reset the password to the default S...

Page 55: ...d you will need to reconnect If you are connected with SSH you will be disconnected You can reconnect with the new IP address and password if your management computer is on the management network You will not be able to reconnect yet from a remote network due to the default route change through the data interfaces Console connections are not affected Manage the device locally Enter no to use the m...

Page 56: ...ace You are then prompted to configure basic network settings for the outside interface See the following details for using this command The Management interface cannot use DHCP if you want to use a data interface for management If you did not set the IP address manually during initial setup you can set it now using the configure network ipv4 ipv6 manual command If you did not already set the Mana...

Page 57: ... the management center to either the Management interface or another data interface The FQDN that you set in the setup wizard will be used for this interface You can clear the entire device configuration as part of the command you might use this option in a recovery scenario but we do not suggest you use it for initial setup or normal operation To disable data managemement enter the configure netw...

Page 58: ...n key must not exceed 37 characters Valid characters include alphanumerical characters A Z a z 0 9 and the hyphen nat_id Specifies a unique one time string of your choice that you will also specify on the management center When you use a data interface for management then you must specify the NAT ID on both the threat defense and the management center for registration The NAT ID must not exceed 37...

Page 59: ... 17 Cabling a Remote Management Deployment Procedure Step 1 Install the chassis See the hardware installation guide Step 2 Connect the outside interface Ethernet 1 1 to your outside router Step 3 Connect the inside interface for example Ethernet 1 2 to your inside switch or router Step 4 Connect other networks to the remaining interfaces Step 5 Optional Connect the management computer to the conso...

Page 60: ... electrical outlet Step 2 Turn the power on using the standard rocker type power on off switch located on the rear of the chassis adjacent to the power cord Step 3 Check the Power LED on the back of the device if it is solid green the device is powered on Step 4 Check the Status LED on the back of the device after it is solid green the system has passed power on diagnostics When the switch is togg...

Page 61: ...iew on Cisco Licensing go to cisco com go licensingguide Before you begin Have a master account on the Smart Software Manager If you do not yet have an account click the link to set up a new account The Smart Software Manager lets you create a master account for your organization Your Smart Software Licensing account must qualify for the Strong Encryption 3DES AES license to use some features enab...

Page 62: ...ep 2 If you have not already done so register the management center with the Smart Software Manager Registering requires you to generate a registration token in the Smart Software Manager See the management center configuration guide for detailed instructions For Low Touch Provisioning you must enable Cloud Assistance for Low Touch Provisioning either when you register with the Smart Software Mana...

Page 63: ...ce Management Step 2 From the Add drop down list choose Add Device Set the following parameters Host Enter the IP address or hostname of the threat defense you want to add You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration Cisco Firepower 1100 Getting Started Guide 61 Threat Defense Deployment with a Remote...

Page 64: ...m Inside to Outside on page 35 Figure 19 New Policy Smart Licensing Assign the Smart Licenses you need for the features you want to deploy Malware if you intend to use malware inspection Threat if you intend to use intrusion prevention and URL if you intend to implement category based URL filtering Note You can apply an Secure Client remote access VPN license after you add the device from the Syst...

Page 65: ...anager access setup but you still need to assign it to a security zone DHCP server Use a DHCP server on the inside interface for clients NAT Use interface PAT on the outside interface Access control Allow traffic from inside to outside SSH Enable SSH on the manager access interface Configure Interfaces Enable the threat defense interfaces assign them to security zones and set the IP addresses Typi...

Page 66: ...de_zone Each interface must be assigned to a security zone and or interface group An interface can belong to only one security zone but can also belong to multiple interface groups You apply your security policy based on zones or groups For example you can assign the inside interface to the inside zone and the outside interface to the outside zone Then you can configure your access control policy ...

Page 67: ...ration f Click OK Step 4 Click the Edit for the interface that you want to use for outside The General tab appears You already pre configured this interface for manager access so the interface will already be named enabled and addressed You should not alter any of these basic settings because doing so will disrupt the management center management connection You must still configure the Security Zo...

Page 68: ...ace Choose the interface from the drop down list Address Pool Set the range of IP addresses from lowest to highest that are used by the DHCP server The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself Enable DHCP Server Enable the DHCP server on the selected interface Step 4 Click OK Step 5 Click Save Configure NAT...

Page 69: ...d rules to the policy Step 3 Click Add Rule The Add NAT Rule dialog box appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Type Choose Dynamic Step 5 On the Interface Objects page add the outside zone from the Available Interface Objects area to the Destination Interface Objects area Cisco Firepower 1100 Getting Started Guide 67 Threat Defense Deployment with a Remote Ma...

Page 70: ...0 0 0 0 You cannot use the system defined any ipv4 object because Auto NAT rules add NAT as part of the object definition and you cannot edit system defined objects Note Translated Source Choose Destination Interface IP Cisco Firepower 1100 Getting Started Guide 68 Threat Defense Deployment with a Remote Management Center Configure NAT ...

Page 71: ...nes be sure to add rules allowing traffic to the appropriate networks Procedure Step 1 Choose Policy Access Policy Access Policy and click the Edit for the access control policy assigned to the threat defense Step 2 Click Add Rule and set the following parameters Name Name this rule for example inside_to_outside Source Zones Select the inside zone from Available Zones and click Add to Source Desti...

Page 72: ...ic for data interfaces uses the regular routing configuration and not any static routes configured at setup or at the CLI For the Management interface to configure an SSH access list see the configure ssh access list command in the Command Reference for Secure Firewall Threat Defense To configure a static route see the configure network static routes command By default you configure the default ro...

Page 73: ...ions and the IP addresses of the clients who are allowed to make those connections You can use network addresses rather than individual IP addresses a Click Add to add a new rule or click Edit to edit an existing rule b Configure the rule properties IP Address The network object or group that identifies the hosts or networks you are allowing to make SSH connections Choose an object from the drop d...

Page 74: ...oy to deploy to selected devices Figure 21 Deploy All Figure 22 Advanced Deploy Step 3 Ensure that the deployment succeeds Click the icon to the right of the Deploy button in the menu bar to see status for deployments Cisco Firepower 1100 Getting Started Guide 72 Threat Defense Deployment with a Remote Management Center Deploy the Configuration ...

Page 75: ...data interface if you open the interface for SSH connections SSH access to data interfaces is disabled by default This procedure describes console port access which defaults to the FXOS CLI Note Procedure Step 1 To log into the CLI connect your management computer to the console port Be sure to install any necessary USB serial drivers for your operating system see the Firepower 1100 hardware guide...

Page 76: ... management center so you do not disrupt the connection If you change the management interface type after you add the threat defense to the management center from data to Management or from Management to data if the interfaces and network settings are not configured correctly you can lose management connectivity This topic helps you troubleshoot the loss of management connectivity View management ...

Page 77: ...t Received Time Mon Jun 15 09 02 16 2020 UTC View the Threat Defense network information At the threat defense CLI view the Management and the management center access data interface network settings show network show network System Information Hostname 5516X 4 DNS Servers 208 67 220 220 208 67 222 222 Management port 8305 IPv4 Default route Gateway data interfaces IPv6 Default route Gateway data ...

Page 78: ...nagement interface which should route over the backplane to the data interfaces ping system fmc_ip Capture packets on the Threat Defense internal interface At the threat defense CLI capture packets on the internal backplane interface nlp_int_tap to see if management packets are being sent capture name interface nlp_int_tap trace detail match ip any any show capturename trace detail Check the inter...

Page 79: ...onfig status is active Interface state is active Check routing and NAT At the threat defense CLI check that the default route S was added and that internal NAT rules exist for the Management interface nlp_int_tap show route show route Codes L local C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2...

Page 80: ...lient show running config ip client ip client outside show conn address fmc_ip show conn address 10 89 5 35 5 in use 16 most used Inspect Snort preserve connection 0 enabled 0 in effect 0 most enabled 0 most in effect TCP nlp_int_tap 10 89 5 29 169 254 1 2 51231 outside 10 89 5 35 8305 idle 0 00 04 bytes 86684 flags UxIO TCP nlp_int_tap 10 89 5 29 169 254 1 2 8305 outside 10 89 5 35 52019 idle 0 0...

Page 81: ...ituation See the following guidelines Only the previous deployment is available locally on the threat defense you cannot roll back to any earlier deployments Rollback is not supported for High Availability or Clustering deployments The rollback only affects configurations that you can set in the management center For example the rollback does not affect any local configuration related to the dedic...

Page 82: ...iguration has been reverted back to transaction id Following is the rollback summary Step 2 Check that the management connection was reestablished In the management center check the management connection status on the Devices Device Management Device Management FMC Access Details Connection Status page At the threat defense CLI enter the sftunnel status brief command to view the management connect...

Page 83: ...wer off now Do you want to reboot instead y N If you do not have a console connection wait approximately 3 minutes to ensure the system has shut down Step 7 You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary What s Next To continue configuring your threat defense see the documents available for your software version at Navigating the...

Page 84: ...Cisco Firepower 1100 Getting Started Guide 82 Threat Defense Deployment with a Remote Management Center What s Next ...

Page 85: ...ge the Cisco ASA or Firepower Threat Defense Device The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System FXOS The firewall does not support the FXOS Secure Firewall chassis manager only a limited CLI is supported for troubleshooting purposes See the Cisco FXOS Troubleshooting Guide for the Firepower 1000 2100 Series Running Firepower Threat Defens...

Page 86: ... Procedure See the following tasks to deploy the threat defense with the device manager on your chassis Install the firewall See the hardware installation guide Pre Configuration Review the Network Deployment and Default Configuration on page 85 Pre Configuration Cisco Firepower 1100 Getting Started Guide 84 Threat Defense Deployment with the Device Manager End to End Procedure ...

Page 87: ...er on page 101 Device Manager Review the Network Deployment and Default Configuration You can manage the threat defense using the device manager from either the Management 1 1 interface or the inside interface The dedicated Management interface is a special interface with its own network settings The following figure shows the recommended network deployment If you connect the outside interface dir...

Page 88: ...mmon default network the DHCP lease will fail and the outside interface will not obtain an IP address This problem occurs because the threat defense cannot have two interfaces on the same network In this case you must change the inside IP address to be on a new network If you add the threat defense to an existing inside network you will need to change the inside IP address to be on the existing ne...

Page 89: ...ring setup DNS servers obtained from DHCP are never used NTP Cisco NTP servers 0 sourcefire pool ntp org 1 sourcefire pool ntp org 2 sourcefire pool ntp org or servers you specify during setup Default routes Data interfaces Obtained from outside DHCP or a gateway IP address you specify during setup Management interface 6 6 and later Obtained from management DHCP If you do not receive a gateway the...

Page 90: ...luding the management computer so make sure these settings do not conflict with any existing inside network settings see Default Configuration on page 87 Management 1 1 labeled MGMT Connect Management 1 1 to your management network and make sure your management computer is on or has access to the management network Management 1 1 obtains an IP address from a DHCP server on your management network ...

Page 91: ... take approximately 15 to 30 minutes Note Before you begin It s important that you provide reliable power for your device for example using an uninterruptable power supply UPS Loss of power without first shutting down can cause serious file system damage There are many processes running in the background all the time and losing power does not allow the graceful shutdown of your firewall system Pro...

Page 92: ... term release numbering maintenance releases and patches for a longer period of time or extra long term release numbering maintenance releases and patches for the longest period of time for government certification Procedure Step 1 Connect to the CLI See Access the Threat Defense and FXOS CLI on page 104 for more information This procedure shows using the console port but you can use SSH instead L...

Page 93: ...ing settings You can only configure the Management interface settings you cannot configure inside or outside interfaces which you can later configure in the GUI You cannot repeat the CLI setup script unless you clear the configuration for example by reimaging However all of these settings can be changed later at the CLI using configure network commands See Command Reference for Secure Firewall Thr...

Page 94: ...s that require internet access If you use data interfaces you can still use the device manager or SSH on the Management interface if you are directly connected to the Management network but for remote management for specific networks or hosts you should add a static route using the configure network static routes command Note that the device manager management on data interfaces is not affected by...

Page 95: ...or HTTP Proxy configuration run configure network http proxy Manage the device locally yes no yes yes Step 4 Log into the device manager on the new Management IP address Log Into the Device Manager Log into the device manager to configure your threat defense Before you begin Use a current version of Firefox Chrome Safari Edge or Internet Explorer Procedure Step 1 Enter the following URL in your br...

Page 96: ...p 2 Configure the following options for the outside and management interfaces and click Next Your settings are deployed to the device when you click Next The interface will be named outside and it will be added to the outside_zone security zone Ensure that your settings are correct Note a Outside Interface This is the data port that you connected to your gateway router You cannot select an alterna...

Page 97: ... 90 day evaluation period without registration Step 5 Click Finish What to do next Although you can continue using the evaluation license we recommend that you register and license your device see Configure Licensing on page 95 You can also choose to configure the device using the device manager see Configure the Firewall in the Device Manager on page 101 Configure Licensing The threat defense use...

Page 98: ...r a reseller your licenses should have been linked to your Smart Software License account However if you need to add licenses yourself use the Find Products and Solutions search field on the Cisco Commerce Workspace Search for the following license PIDs Figure 25 License Search If a PID is not found you can add the PID manually to your order Note Threat Malware and URL license combination L FPR112...

Page 99: ... the virtual account to which you want to add this device a Click Inventory b On the General tab click New Token c On the Create Registration Token dialog box enter the following settings and then click Create Token Description Expire After Cisco recommends 30 days Cisco Firepower 1100 Getting Started Guide 97 Threat Defense Deployment with the Device Manager Configure Licensing ...

Page 100: ...oken is added to your inventory d Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard Keep this token ready for later in the procedure when you need to register the threat defense Figure 26 View Token Figure 27 Copy Token Step 3 In the device manager click Device and then in the Smart License summary click View Configuration Yo...

Page 101: ... the following message After the device successfully registers and you refresh the page you see the following Step 6 Click the Enable Disable control for each optional license as desired Cisco Firepower 1100 Getting Started Guide 99 Threat Defense Deployment with the Device Manager Configure Licensing ...

Page 102: ...an you deploy policies that use the feature If you enabled the RA VPN license select the type of license you want to use Plus Apex VPN Only or Plus and Apex After you enable features if you do not have the licenses in your account you will see the following non compliance message after you refresh the page Step 7 Choose Resync Connection from the gear drop down list to synchronize license informat...

Page 103: ...ble assets such as your web server Click Save when you are finished Figure 28 Edit Interface Step 2 If you configured new interfaces choose Objects then select Security Zones from the table of contents Edit or create new zones as appropriate Each interface must belong to a zone because you configure policies based on security zones not interfaces You cannot put the interfaces in zones when configu...

Page 104: ...s pool 192 168 4 50 192 168 4 240 Figure 30 DHCP Server Step 4 Choose Device then click View Configuration or Create First Static Route in the Routing group and configure a default route The default route normally points to the upstream or ISP router that resides off the outside interface A default IPv4 route is for any ipv4 0 0 0 0 0 whereas a default IPv6 route is for any ipv6 0 0 Create routes ...

Page 105: ...r organization requires You can configure the following policies SSL Decryption If you want to inspect encrypted connections such as HTTPS for intrusions malware and so forth you must decrypt the connections Use the SSL decryption policy to determine which connections need to be decrypted The system re encrypts the connection after inspecting it Identity If you want to correlate network activity t...

Page 106: ...ep 6 Choose Device then click View Configuration in the Updates group and configure the update schedules for the system databases If you are using intrusion policies set up regular updates for the Rules and VDB databases If you use Security Intelligence feeds set an update schedule for them If you use geolocation in any security policies as matching criteria set an update schedule for that databas...

Page 107: ...the following serial settings 9600 baud 8 data bits No parity 1 stop bit You connect to the FXOS CLI Log in to the CLI using the admin username and the password you set at initial setup the default is Admin123 Example firepower login admin Password Last login Thu May 16 14 01 03 UTC 2019 on ttyS0 Successful login attempts for user admin 1 firepower Step 2 Access the threat defense CLI connect ftd ...

Page 108: ...hen click the System Settings Reboot Shutdown link b Click Shut Down Step 2 If you have a console connection to the firewall monitor the system prompts as the firewall shuts down You will see the following prompt System is stopped It is safe to power off now Do you want to reboot instead y N If you do not have a console connection wait approximately 3 minutes to ensure the system has shut down Ste...

Page 109: ...ower off now Do you want to reboot instead y N Step 4 You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary What s Next To continue configuring your threat defense see the documents available for your software version at Navigating the Cisco Firepower Documentation For information related to using the device manager see Cisco Firepower ...

Page 110: ...Cisco Firepower 1100 Getting Started Guide 108 Threat Defense Deployment with the Device Manager What s Next ...

Page 111: ...ed See Reimage the Cisco ASA or Firepower Threat Defense Device The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System FXOS The firewall does not support the FXOS Secure Firewall chassis manager only a limited CLI is supported for troubleshooting purposes See the Cisco FXOS Troubleshooting Guide for the Firepower 1000 2100 Series Running Firepower T...

Page 112: ... although that method is not covered in this guide Onboarding wizard using CLI registration Use this manual method if you need to perform any pre configuration or if you are using a manager interface that low touch provisioning does not support Threat Defense Manager Access Interface You can use the Management interface or any data interface for manager access However this guide covers outside int...

Page 113: ...will be changed to be the data interfaces you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static routes command End to End Procedure Low Touch Provisioning See the following tasks to deploy the threat defense with CDO using low touch provisioning Figure 33 End to End Procedure Low Touch Pro...

Page 114: ...dmin Cable the Firewall on page 121 Branch Office Tasks Branch admin Power On the Firewall on page 122 Branch Office Tasks Branch admin Onboard a Device with Low Touch Provisioning on page 124 CDO CDO admin Configure a Basic Security Policy on page 137 CDO CDO admin End to End Procedure Onboarding Wizard See the following tasks to onboard the threat defense to CDO using the onboarding wizard Cisco...

Page 115: ... See the hardware installation guide Physical Tasks Cable the Firewall on page 125 Physical Tasks Onboard a Device with the Onboarding Wizard on page 126 CDO Perform Initial Configuration Using the CLI on page 128 Perform Initial Configuration Using the Device Manager on page 132 CLI or Device Manager Cisco Firepower 1100 Getting Started Guide 113 Threat Defense Deployment with CDO End to End Proc...

Page 116: ...Software Manager If you do not yet have an account click the link to set up a new account The Smart Software Manager lets you create a master account for your organization Your Smart Software Licensing account must qualify for the Strong Encryption 3DES AES license to use some features enabled using the export compliance flag Procedure Step 1 Make sure your Smart Licensing account contains the ava...

Page 117: ...stall a different version perform these steps We recommend that you install your target version before you configure the firewall Alternatively you can perform an upgrade after you are up and running but upgrading which preserves your configuration may take longer than using this procedure What Version Should I Run Cisco recommends running a Gold Star release indicated by a gold star next to the r...

Page 118: ...o used for the threat defense login for SSH If the password was already changed and you do not know it you must perform a factory reset to reset the password to the default See the FXOS troubleshooting guide for the factory reset procedure Note Example firepower login admin Password Admin123 Successful login attempts for user admin 1 Hello admin You must change your password Enter new password Con...

Page 119: ...tials you can log into CDO from your Cisco Secure Sign On dashboard From the Cisco Secure Sign On dashboard you can also log into any other supported Cisco products If you have a Cisco Secure Sign On account skip ahead to Log Into CDO with Cisco Secure Sign On on page 119 If you don t have a Cisco Secure Sign On account continue to Create a New Cisco Secure Sign On Account on page 117 Create a New...

Page 120: ...click Register Figure 37 Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company Tip Cisco Firepower 1100 Getting Started Guide 118 Threat Defense Deployment with CDO Create a New Cisco Secure Sign On Account ...

Page 121: ...tional Setup Google Authenticator as a an additional authenticator a Choose the mobile device you are pairing with Google Authenticator and click Next b Follow the prompts in the setup wizard to setup Google Authenticator Step 4 Configure Account Recovery Options for your Cisco Secure Sign On Account a Choose a forgot password question and answer b Choose a recovery phone number for resetting your...

Page 122: ...tep 5 Click the appropriate CDO tile on the Cisco Secure Sign on dashboard The CDO tile directs you to https defenseorchestrator com the CDO EU tile directs you to https defenseorchestrator eu and the CDO APJC tile directs you to to https www apj cdo cisco com Figure 39 Cisco SSO Dashboard Step 6 Click the authenticator logo to choose Duo Security or Google Authenticator if you have set up both au...

Page 123: ...x It can also be found on a sticker on the back of the firewall or on the bottom of the firewall chassis Step 3 Send the firewall serial number to the CDO network administrator at your IT department central headquarters Your network administrator needs your firewall serial number to facilitate low touch provisioning connect to the firewall and configure it remotely Communicate with the CDO adminis...

Page 124: ...p 4 Connect other networks to the remaining interfaces Step 5 Optional Connect the management computer to the console port At the branch office the console connection is not required for everyday use however it may be required for troubleshooting purposes Power On the Firewall System power is controlled by a rocker power switch located on the rear of the device The power switch is implemented as a...

Page 125: ... remove the power until the Power LED is completely off Note Step 5 Observe the Status LED on the back the device when the device is booting correctly the Status LED flashes fast green If there is a problem the Status LED flashes fast amber If this happens call your IT department Step 6 Observe the Status LED on the back when the device connects to the Cisco cloud the Status LED slowly flashes gre...

Page 126: ...w device has never been logged into or configured for a manager radio button and click Next Step 7 For the Policy Assignment use the drop down menu to choose an access control policy for the device If you have no policies configured choose the Default Access Control Policy Step 8 For the Subscription License check each of the feature licenses you want to enable Click Next Step 9 Optional Add label...

Page 127: ...r manager access However this guide primarily covers outside interface access because it is the most likely scenario for remote branch offices Step 3 Connect the inside interface for example Ethernet 1 2 to your inside switch or router You can choose any interface for inside Step 4 Connect other networks to the remaining interfaces Step 5 Connect the management computer to the console port or the ...

Page 128: ...and connect it to an electrical outlet Step 2 Turn the power on using the standard rocker type power on off switch located on the rear of the chassis adjacent to the power cord Step 3 Check the Power LED on the back of the device if it is solid green the device is powered on Step 4 Check the Status LED on the back of the device after it is solid green the system has passed power on diagnostics Whe...

Page 129: ...Key CDO generates a command with the registration key and other parameters You must copy this command and use it in the intial configuration of the threat defense configure manager add cdo_hostname registration_key nat_id display_name Complete initial configuration at the CLI or using the device manager Perform Initial Configuration Using the CLI on page 128 Copy this command at the FTD CLI after ...

Page 130: ...erform initial setup using the device manager all interface configuration completed in the device manager is retained when you switch to CDO for management in addition to the Management interface and manager access interface settings Note that other default configuration settings such as the access control policy are not retained Procedure Step 1 Connect to the threat defense CLI on the console po...

Page 131: ...elines Configure IPv4 via DHCP or manually Choose manual Although you do not plan to use the Management interface you must set an IP address for example a private address You cannot configure a data interface for management if the management interface is set to DHCP because the default route which must be data interfaces see the next bullet might be overwritten with one received from the DHCP serv...

Page 132: ...the sensor to a Firepower Management Center a unique alphanumeric registration key is always required In most cases to register a sensor to a Firepower Management Center you must provide the hostname or the IP address along with the registration key configure manager add hostname ip address registration key However if the sensor and the Firepower Management Center are separated by a NAT device you...

Page 133: ...nfigure the DNS Platform Settings to match this setting to bring CDO and the threat defense into sync Also local DNS servers are only retained by CDO if the DNS servers were discovered at initial registration For example if you registered the device using the Management interface but then later configure a data interface using the configure network management data interface command then you must m...

Page 134: ... Configuration Using the Device Manager Connect to the device manager to perform initial setup of the threat defense When you perform initial setup using the device manager all interface configuration completed in the device manager is retained when you switch to CDO for management in addition to the Management interface and manager access settings Note that other default configuration settings su...

Page 135: ...Management Interface settings if you performed intial setup at the CLI The Management interface settings are used even though you are enabling the manager access on a data interface For example the management traffic that is routed over the backplane through the data interface will resolve FQDNs using the Management interface DNS servers and not the data interface DNS servers DNS Servers The DNS s...

Page 136: ...configure additional interfaces including an interface other than outside or inside that you want to use for the manager access choose Device and then click the link in the Interfaces summary See Configure the Firewall in the Device Manager on page 101 for more information about configuring interfaces in the device manager Other device manager configuration will not be retained when you register t...

Page 137: ... or IP address click Yes CDO generates the configure manager add command See Onboard a Device with the Onboarding Wizard on page 126 to generate the command Cisco Firepower 1100 Getting Started Guide 135 Threat Defense Deployment with CDO Perform Initial Configuration Using the Device Manager ...

Page 138: ...nd the DNS servers are not added to a Platform Settings policy However if you later assign a Platform Settings policy to the threat defense that includes a DNS configuration then that configuration will overwrite the local setting We suggest that you actively configure the DNS Platform Settings to match this setting to bring CDO and the threat defense into sync Also local DNS servers are only reta...

Page 139: ...d will only resume when you reconnect to the device manager If you remain connected to the device manager after the Saving Management Center CDO Registration Settings step you will eventually see the Successful Connection with Management Center or CDO dialog box after which you will be disconnected from the device manager Figure 47 Successful Connection Configure a Basic Security Policy This secti...

Page 140: ...ce publically accessible assets such as your web server A typical edge routing situation is to obtain the outside interface address through DHCP from your ISP while you define static addresses on the inside interfaces The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP Procedure Step 1 Choose Devices Device Management...

Page 141: ...curity policy based on zones or groups For example you can assign the inside interface to the inside zone and the outside interface to the outside zone Then you can configure your access control policy to enable traffic to go from inside to outside but not from outside to inside Most policies only support security zones you can use zones or interface groups in NAT policies prefilter policies and Q...

Page 142: ...agement connection You must still configure the Security Zone on this screen for through traffic policies a From the Security Zone drop down list choose an existing outside security zone or add a new one by clicking New For example add a zone called outside_zone b Click OK Step 5 Click Save Configure the DHCP Server Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from...

Page 143: ...ss of the interface itself Enable DHCP Server Enable the DHCP server on the selected interface Step 4 Click OK Step 5 Click Save Configure NAT A typical NAT rule converts internal addresses to a port on the outside interface IP address This type of NAT rule is called interface Port Address Translation PAT Procedure Step 1 Choose Devices NAT and click New Policy Threat Defense NAT Step 2 Name the p...

Page 144: ...appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Type Choose Dynamic Step 5 On the Interface Objects page add the outside zone from the Available Interface Objects area to the Destination Interface Objects area Cisco Firepower 1100 Getting Started Guide 142 Threat Defense Deployment with CDO Configure NAT ...

Page 145: ... traffic 0 0 0 0 0 You cannot use the system defined any ipv4 object because Auto NAT rules add NAT as part of the object definition and you cannot edit system defined objects Note Translated Source Choose Destination Interface IP Cisco Firepower 1100 Getting Started Guide 143 Threat Defense Deployment with CDO Configure NAT ...

Page 146: ...ve other zones be sure to add rules allowing traffic to the appropriate networks Procedure Step 1 Choose Policy Access Policy Access Policy and click the Edit for the access control policy assigned to the threat defense Step 2 Click Add Rule and set the following parameters Name Name this rule for example inside_to_outside Source Zones Select the inside zone from Available Zones and click Add to S...

Page 147: ...n SSH traffic for data interfaces uses the regular routing configuration and not any static routes configured at setup or at the CLI For the Management interface to configure an SSH access list see the configure ssh access list command in the Command Reference for Secure Firewall Threat Defense To configure a static route see the configure network static routes command By default you configure the...

Page 148: ...SSH connections and the IP addresses of the clients who are allowed to make those connections You can use network addresses rather than individual IP addresses a Click Add to add a new rule or click Edit to edit an existing rule b Configure the rule properties IP Address The network object or group that identifies the hosts or networks you are allowing to make SSH connections Choose an object from...

Page 149: ...vanced Deploy to deploy to selected devices Figure 49 Deploy All Figure 50 Advanced Deploy Step 3 Ensure that the deployment succeeds Click the icon to the right of the Deploy button in the menu bar to see status for deployments Cisco Firepower 1100 Getting Started Guide 147 Threat Defense Deployment with CDO Deploy the Configuration ...

Page 150: ...later connect to the address on a data interface if you open the interface for SSH connections SSH access to data interfaces is disabled by default This procedure describes console port access which defaults to the FXOS CLI Note Procedure Step 1 To log into the CLI connect your management computer to the console port Be sure to install any necessary USB serial drivers for your operating system see...

Page 151: ... defense in CDO so you do not disrupt the connection If you change the management interface type after you add the threat defense to CDO from data to Management or from Management to data if the interfaces and network settings are not configured correctly you can lose management connectivity This topic helps you troubleshoot the loss of management connectivity View management connection status In ...

Page 152: ... 2020 UTC Heartbeat Received Time Mon Jun 15 09 02 16 2020 UTC View the threat defense network information At the threat defense CLI view the Management and manager access data interface network settings show network show network System Information Hostname 5516X 4 DNS Servers 208 67 220 220 208 67 222 222 Management port 8305 IPv4 Default route Gateway data interfaces IPv6 Default route Gateway d...

Page 153: ...ng CDO from the Management interface which should route over the backplane to the data interfaces ping system cdo_hostname Capture packets on the threat defense internal interface At the threat defense CLI capture packets on the internal backplane interface nlp_int_tap to see if management packets are being sent capture name interface nlp_int_tap trace detail match ip any any show capturename trac...

Page 154: ...s active Interface state is active Check routing and NAT At the threat defense CLI check that the default route S was added and that internal NAT rules exist for the Management interface nlp_int_tap show route show route Codes L local C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF exter...

Page 155: ... running config ip client ip client outside show conn address fmc_ip show conn address 10 89 5 35 5 in use 16 most used Inspect Snort preserve connection 0 enabled 0 in effect 0 most enabled 0 most in effect TCP nlp_int_tap 10 89 5 29 169 254 1 2 51231 outside 10 89 5 35 8305 idle 0 00 04 bytes 86684 flags UxIO TCP nlp_int_tap 10 89 5 29 169 254 1 2 8305 outside 10 89 5 35 52019 idle 0 00 02 bytes...

Page 156: ...locally on the threat defense you cannot roll back to any earlier deployments The rollback only affects configurations that you can set in CDO For example the rollback does not affect any local configuration related to the dedicated Management interface which you can only configure at the threat defense CLI Note that if you changed data interface settings after the last CDO deployment using the co...

Page 157: ...nt connection status on the Devices Device Management Device Management Manager Access Configuration Details Connection Status page At the threat defense CLI enter the sftunnel status brief command to view the management connection status If it takes more than 10 minutes to reestablish the connection you should troubleshoot the connection See Troubleshoot Management Connectivity on a Data Interfac...

Page 158: ...t is safe to power off now Do you want to reboot instead y N If you do not have a console connection wait approximately 3 minutes to ensure the system has shut down Step 7 You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary What s Next To continue configuring your threat defense using CDO see the Cisco Defense Orchestrator home page C...

Page 159: ...alled the Secure Firewall eXtensible Operating System FXOS The firewall does not support the FXOS Secure Firewall chassis manager only a limited CLI is supported for troubleshooting purposes See the Cisco FXOS Troubleshooting Guide for the Firepower 1000 2100 Series Running Firepower Threat Defense for more information Privacy Collection Statement The firewall does not require or actively collect ...

Page 160: ...ePOWER module Botnet Traffic Filter The following inspections SCTP inspection maps SCTP stateful inspection using ACLs is supported Diameter GTP GPRS Migrating an ASA 5500 X Configuration You can copy and paste an ASA 5500 X configuration into the Firepower 1100 However you will need to modify your configuration Also note some behavioral differences between the platforms 1 To copy the configuratio...

Page 161: ... encryption feature then ASDM and HTTPS traffic like that to and from the Smart Licensing server are blocked The exception to this rule is if you are connected to a management only interface such as Management 1 1 SSH is not affected Initial ASDM access Make sure you change the interface IDs to match the new hardware IDs For example the ASA 5525 X includes Management 0 0 and GigabitEthernet 0 0 th...

Page 162: ...all the firewall See the hardware installation guide Pre Configuration Review the Network Deployment and Default Configuration on page 161 Pre Configuration Cable the Firewall on page 163 Pre Configuration Cisco Firepower 1100 Getting Started Guide 160 ASA Deployment with ASDM End to End Procedure ...

Page 163: ... need to configure PPPoE for the outside interface to connect to your ISP you can do so as part of the ASDM Startup Wizard If you cannot use the default inside IP address for ASDM access you can set the inside IP address at the ASA CLI See Optional Change the IP Address on page 165 For example you may need to change the inside IP address in the following circumstances If the outside interface trie...

Page 164: ... routes from outside DHCP management DHCP ASDM access Management and inside hosts allowed Inside hosts are limited to the 192 168 1 0 24 network NAT Interface PAT for all traffic from inside to outside DNS servers OpenDNS servers are pre configured The configuration consists of the following commands interface Management1 1 management only nameif management security level 100 ip address dhcp setro...

Page 165: ...nside dhcpd auto_config outside dhcpd address 192 168 1 20 192 168 1 254 inside dhcpd enable inside dns domain lookup outside dns server group DefaultDNS name server 208 67 222 222 outside name server 208 67 220 220 outside Cable the Firewall Manage the Firepower 1100 on either Management 1 1 or Ethernet 1 2 The default configuration also configures Ethernet1 1 as outside Procedure Step 1 Install ...

Page 166: ...ult you must also cable your management computer to the console port See Optional Change the IP Address on page 165 You can later configure ASA management access from other interfaces see the ASA general operations configuration guide Step 3 Connect the outside network to the Ethernet1 1 interface For Smart Software Licensing the ASA needs internet access so that it can access the License Authorit...

Page 167: ...y default 10 1 1 151 255 255 255 0 Based on the management IP address and mask the DHCP address pool size is reduced to 103 from the platform limit 256 WARNING The boot system configuration will be cleared The first image found in disk0 will be used to boot the system on the next reload Verify there is a valid image on disk0 or the system will not boot Begin to apply factory default configuration ...

Page 168: ...sole port to reconfigure the ASA connect to a management only interface or connect to an interface not configured for a strong encryption feature Note Before you begin See the ASDM release notes on Cisco com for the requirements to run ASDM Procedure Step 1 Enter the following URL in your browser https 192 168 1 1 Inside Ethernet 1 2 interface IP address https management_ip Management interface IP...

Page 169: ...ly You can also use SSH and SCP if you later configure SSH access on the ASA Other features that require strong encryption such as VPN must have Strong Encryption enabled which requires you to first register to the Smart Software Manager If you attempt to configure any features that can use strong encryption before you register even if you only configure weak encryption then your HTTPS connection ...

Page 170: ...ch for the following license PIDs Figure 52 License Search Standard license L FPR1000 ASA The Standard license is free but you still need to add it to your Smart Software Licensing account 5 context license L FPR1K ASASC 5 Context licenses are additive buy multiple licenses to meet your needs 10 context license L FPR1K ASASC 10 Context licenses are additive buy multiple licenses to meet your needs...

Page 171: ...ducts registered with this token Enables the export compliance flag The token is added to your inventory d Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard Keep this token ready for later in the procedure when you need to register the ASA Cisco Firepower 1100 Getting Started Guide 169 ASA Deployment with ASDM Configure Licen...

Page 172: ... 3 In ASDM choose Configuration Device Management Licensing Smart Licensing Step 4 Click Register Step 5 Enter the registration token in the ID Token field Cisco Firepower 1100 Getting Started Guide 170 ASA Deployment with ASDM Configure Licensing ...

Page 173: ...an also choose Monitoring Properties Smart License to check the license status particularly if the registration fails Step 7 Set the following parameters a Check Enable Smart license configuration b From the Feature Tier drop down list choose Standard Only the Standard tier is available c Optional For the Context license enter the number of contexts You can use 2 contexts without a license The max...

Page 174: ...sing ASDM you can use wizards to configure basic and advanced features You can also manually configure features not included in wizards Procedure Step 1 Choose Wizards Startup Wizard and click the Modify existing configuration radio button Cisco Firepower 1100 Getting Started Guide 172 ASA Deployment with ASDM Configure the ASA ...

Page 175: ...by default See the ASA general operations configuration guide for more information You can also access the FXOS CLI from the ASA CLI for troubleshooting purposes Procedure Step 1 Connect your management computer to the console port Be sure to install any necessary USB serial drivers for your operating system see the Firepower 1100 hardware guide Use the following serial settings 9600 baud 8 data b...

Page 176: ...this option users have read only access Note that no configuration commands are available even in admin mode You are not prompted for user credentials The current ASA username is passed through to FXOS and no additional login is required To return to the ASA CLI enter exit or type Ctrl Shift 6 x Within FXOS you can view user activity using the scope security show audit logs command Example ciscoas...

Page 177: ... 2022 Cisco Systems Inc All rights reserved ...

Page 178: ......

Reviews: