manualshive.com logo in svg

Cisco Firepower 2100, Getting Started Manual

Share
Download
Cisco Firepower 2100 Getting Started Manual Download Page 156

Identity

—If you want to correlate network activity to individual users, or control network access based

on user or user group membership, use the identity policy to determine the user associated with a given
source IP address.

Security Intelligence

—Use the Security Intelligence policy to quickly drop connections from or to

blacklisted IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them
in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs
so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the
policy to add or remove items in the blacklist.

Access Control

—Use the access control policy to determine which connections are allowed on the

network. You can filter by security zone, IP address, protocol, port, application, URL, user or user group.
You also apply intrusion and file (malware) policies using access control rules. Use this policy to
implement URL filtering.

The following example shows how to allow traffic between the inside-zone and dmz-zone in the access control
policy. In this example, no options are set on any of the other tabs except for

Logging

, where

At End of

Connection

is selected.

Figure 48: Access Control Policy

Step 9

Locate the

Security Database Updates

section to create a scheduled task to check and update the security

databases for an FTD device.

When you onboard an FTD device to CDO, part of the onboarding process allows you to

Enable scheduled

recurring updates for databases

. This option is checked by default. When enabled, CDO immediately checks

for and applies any security updates as well as automatically schedules the device to check for additional
updates. You are able to modify the date and time of the scheduled task after the device is onboarded.

If you are using intrusion policies, set up regular updates for the Rules and VDB databases. If you use Security
Intelligence feeds, set an update schedule for them. If you use geolocation in any security policies as matching
criteria, set an update schedule for that database.

Step 10

Click the

Preview and Deploy

button in the menu, then click the

Deploy Now

button, to deploy your changes

to the device.

Changes are not active on the device until you deploy them.

Cisco Firepower 2100 Getting Started Guide

154

Firepower Threat Defense Deployment with CDO

Configure the Device in CDO

Summary of Contents for Firepower 2100

Page 1: ...ng Started Guide First Published 2019 09 25 Last Modified 2021 05 26 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ......

Page 3: ...t is not yet available on the FTD Cisco provides ASA to FTD migration tools to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD FTD FTD also known as Firepower NGFW is a next generation firewall that combines an advanced stateful firewall VPN concentrator and next generation IPS In other words the FTD takes the best of ASA functionality and combines it with the be...

Page 4: ...r the configuration on the firewall so you can use FDM and CDO to manage the same firewall FMC is not compatible with other managers Note To get started with CDO low touch provisioning see Firepower Threat Defense Deployment with CDO and Low Touch Provisioning on page 107 To get started with CDO provisioning see Firepower Threat Defense Deployment with CDO on page 125 Cisco Defense Orchestrator CD...

Page 5: ...DM and Firepower Chassis Manager on page 185 Adaptive Security Device Manager ASDM You should use the ASA CLI if you prefer CLIs over GUIs The CLI is not covered in this guide For more information see the ASA configuration guides CLI CDO is a simplified cloud based multi device manager Because it is simplified some ASA features are not supported using CDO You should use CDO if you want a multi dev...

Page 6: ...API does not include all ASA features and is no longer being enhanced The ASA REST API is not covered in this guide For more information see the ASA REST API guide ASA REST API Cisco Firepower 2100 Getting Started Guide 4 Which Operating System and Manager is Right for You ASA Managers ...

Page 7: ...wer 2100 runs an underlying operating system called the Firepower eXtensible Operating System FXOS The Firepower 2100 does not support the FXOS Firepower Chassis Manager only a limited CLI is supported for troubleshooting purposes See the FXOS troubleshooting guide for more information Privacy Collection Statement The Firepower 2100 Series does not require or actively collect personally identifiab...

Page 8: ...view the Network Deployment and Default Configuration on page 7 Pre Configuration Cable the Device on page 10 Pre Configuration Power on the Device on page 11 Pre Configuration Cisco Firepower 2100 Getting Started Guide 6 Firepower Threat Defense Deployment with FDM End to End Procedure ...

Page 9: ...after you complete initial setup in FDM If you cannot use the default management IP address for example your management network does not include a DHCP server then you can connect to the console port and perform initial setup at the CLI including setting the Management IP address gateway and other basic networking settings If you need to change the inside IP address you can do so after you complet...

Page 10: ...r initial setup includes the following inside Ethernet 1 2 IP address 7 0 and later 192 168 95 1 pre 7 0 192 168 1 1 outside Ethernet 1 1 IP address from IPv4 DHCP and IPv6 autoconfiguration inside outside traffic flow management Management 1 1 management 6 6 and later IP address from DHCP 6 5 and earlier IP address 192 168 45 45 Cisco Firepower 2100 Getting Started Guide 8 Firepower Threat Defens...

Page 11: ...utes Data interfaces Obtained from outside DHCP or a gateway IP address you specify during setup Management interface 6 6 and later Obtained from management DHCP If you do not receive a gateway then the default route is over the backplane and through the data interfaces 6 5 and earlier Over the backplane and through the data interfaces Note that the Management interface requires internet access fo...

Page 12: ...t with any existing inside network settings see Default Configuration on page 8 Management 1 1 labeled MGMT Connect Management 1 1 to your management network and make sure your management computer is on or has access to the management network Management 1 1 obtains an IP address from a DHCP server on your management network if you use this interface you must determine the IP address assigned to th...

Page 13: ...nd losing power does not allow the graceful shutdown of your system Procedure Step 1 Attach the power cord to the device and connect it to an electrical outlet Step 2 Press the power switch on the back of the device Step 3 Check the PWR LED on the front of the device if it is solid green the device is powered on Step 4 Check the SYS LED on the front of the device after it is solid green the system...

Page 14: ... port See Access the FTD and FXOS CLI on page 25 for more information Log in with the admin user and the default password Admin123 You connect to the FXOS CLI The first time you log in you are prompted to change the password This password is also used for the FTD login for SSH If the password was already changed and you do not know it you must reimage the device to reset the password to the defaul...

Page 15: ...with SSH to the default IP address but you change the IP address at initial setup you will be disconnected Reconnect with the new IP address and password Console connections are not affected Manage the device locally Enter yes to use the FDM or the CDO A no answer means you intend to use the FMC to manage the device Example You must accept the EULA to continue Press ENTER to display the EULA End U...

Page 16: ...ss Step 2 Log in with the username admin and thedefault password Admin123 What to do next Run through the FDM setup wizard see Complete the Initial Configuration on page 14 Complete the Initial Configuration Use the setup wizard when you first log into FDM to complete the initial configuration After you complete the setup wizard you should have a functioning device with a few basic policies in pla...

Page 17: ...s You can configure PPPoE after you complete the wizard Configure IPv6 The IPv6 address for the outside interface You can use DHCP or manually enter a static IP address prefix and gateway You can also select Off to not configure an IPv6 address b Management Interface DNS Servers The DNS server for the system s management address Enter one or more addresses of DNS servers for name resolution The de...

Page 18: ...ered with the Smart Software Manager and purchase the license later This allows you to deploy and use a feature and avoid delays due to purchase order approval See the following licenses Threat Security Intelligence and Next Generation IPS Malware Malware URL URL Filtering RA VPN AnyConnect Plus AnyConnect Apex or AnyConnect VPN Only Before you begin Have a master account on the Smart Software Man...

Page 19: ... PIDs L FPR2110T TMC 1Y L FPR2110T TMC 3Y L FPR2110T TMC 5Y L FPR2120T TMC 1Y L FPR2120T TMC 3Y L FPR2120T TMC 5Y L FPR2130T TMC 1Y L FPR2130T TMC 3Y L FPR2130T TMC 5Y L FPR2140T TMC 1Y L FPR2140T TMC 3Y L FPR2140T TMC 5Y RA VPN See the Cisco AnyConnect Ordering Guide Step 2 In the Smart Software Manager request and copy a registration token for the virtual account to which you want to add this de...

Page 20: ... plan to use this functionality If you enable this functionality later you will need to re register your device with a new product key and reload the device If you do not see this option your account does not support export controlled functionality The token is added to your inventory d Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your...

Page 21: ... summary click View Configuration You see the Smart License page Step 4 Click Register Device Then follow the instructions on the Smart License Registration dialog box to paste in your token Cisco Firepower 2100 Getting Started Guide 19 Firepower Threat Defense Deployment with FDM Configure Licensing ...

Page 22: ...ee the following message After the device successfully registers and you refresh the page you see the following Step 6 Click the Enable Disable control for each optional license as desired Cisco Firepower 2100 Getting Started Guide 20 Firepower Threat Defense Deployment with FDM Configure Licensing ...

Page 23: ...r can you deploy policies that use the feature If you enabled the RA VPN license select the type of license you want to use Plus Apex VPN Only or Plus and Apex After you enable features if you do not have the licenses in your account you will see the following non compliance message after you refresh the page Step 7 Choose Resync Connection from the gear drop down list to synchronize license infor...

Page 24: ...essible assets such as your web server Click Save when you are finished Figure 5 Edit Interface Step 2 If you configured new interfaces choose Objects then select Security Zones from the table of contents Edit or create new zones as appropriate Each interface must belong to a zone because you configure policies based on security zones not interfaces You cannot put the interfaces in zones when conf...

Page 25: ...s pool 192 168 4 50 192 168 4 240 Figure 7 DHCP Server Step 4 Choose Device then click View Configuration or Create First Static Route in the Routing group and configure a default route The default route normally points to the upstream or ISP router that resides off the outside interface A default IPv4 route is for any ipv4 0 0 0 0 0 whereas a default IPv6 route is for any ipv6 0 0 Create routes f...

Page 26: ...r organization requires You can configure the following policies SSL Decryption If you want to inspect encrypted connections such as HTTPS for intrusions malware and so forth you must decrypt the connections Use the SSL decryption policy to determine which connections need to be decrypted The system re encrypts the connection after inspecting it Identity If you want to correlate network activity t...

Page 27: ...rol Policy Step 6 Choose Device then click View Configuration in the Updates group and configure the update schedules for the system databases If you are using intrusion policies set up regular updates for the Rules and VDB databases If you use Security Intelligence feeds set an update schedule for them If you use geolocation in any security policies as matching criteria set an update schedule for...

Page 28: ...ting system The console port defaults to the FXOS CLI Use the following serial settings 9600 baud 8 data bits No parity 1 stop bit You connect to the FXOS CLI Log in to the CLI using the admin username and the password you set at initial setup the default is Admin123 Example firepower login admin Password Last login Thu May 16 14 01 03 UTC 2019 on ttyS0 Successful login attempts for user admin 1 f...

Page 29: ...hassis is powered off appear unlit Step 3 After the chassis has successfully powered off you can then unplug the power to physically remove power from the chassis if necessary What s Next To continue configuring your FTD see the documents available for your software version at Navigating the Cisco Firepower Documentation For information related to using FDM see Cisco Firepower Threat Defense Confi...

Page 30: ...Cisco Firepower 2100 Getting Started Guide 28 Firepower Threat Defense Deployment with FDM What s Next ...

Page 31: ...y used for small network deployments The Cisco Firepower 2100 hardware can run either FTD software or ASA software Switching between FTD and ASA requires you to reimage the device See Reimage the Cisco ASA or Firepower Threat Defense Device The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System FXOS The Firepower 2100 does not support the FXOS Firep...

Page 32: ...e 60 What s Next on page 61 Before You Start Deploy and perform initial configuration of the FMC See the FMC getting started guide End to End Procedure See the following tasks to deploy the FTD with FMC on your chassis Cisco Firepower 2100 Getting Started Guide 30 Firepower Threat Defense Deployment with FMC Before You Start ...

Page 33: ...is a special interface with its own network settings By default the Management 1 1 interface is enabled and configured as a DHCP client If your network does not include a DHCP server you can set the Management interface to use a static IP address during initial setup at the console port You can configure other interfaces after you connect the FTD to FMC In 6 5 and earlier the Management interface ...

Page 34: ...managamement In the following diagram the Firepower 2100 acts as the internet gateway for the management interface and the FMC by connecting Management 1 1 to an inside interface through a Layer 2 switch and by connecting the FMC and management computer to the switch This direct connection is allowed because the management interface is separate from the other interfaces on the FTD Cisco Firepower ...

Page 35: ...ps Other topologies can be used and your deployment will vary depending on your basic logical network connectivity ports addressing and configuration requirements Note Procedure Step 1 Cable for a separate management network Cisco Firepower 2100 Getting Started Guide 33 Firepower Threat Defense Deployment with FMC Cable the Device ...

Page 36: ...to the console port You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface c Connect the inside interface for example Ethernet 1 2 to your inside router d Connect the outside interface for example Ethernet 1 1 to your outside router e Connect other networks to the remaining interfaces Step 2 Cable for an edge deployment Cisco Firepowe...

Page 37: ...ks to the remaining interfaces Power on the Device The power switch is located to the left of power supply module 1 on the rear of the chassis It is a toggle switch that controls power to the system If the power switch is in standby position only the 3 3 V standby power is enabled from the power supply module and the 12 V main power is OFF When the switch is in the ON position the 12 V main power ...

Page 38: ...s off Do not remove the power until the PWR LED is completely off See the FXOS Configuration Guide for more information on using the shutdown commands Note Complete the FTD Initial Configuration You can complete the FTD initial configuration using the CLI or Firepower Device Manager Complete the FTD Initial Configuration Using FDM Connect to FDM to perform initial setup of the FTD When you perform...

Page 39: ...e first data interface is the default outside interface If you want to use a different interface from outside or inside for FMC access you will have to configure it manually after completing the setup wizard Configure IPv4 The IPv4 address for the outside interface You can use DHCP or manually enter a static IP address subnet mask and gateway You can also select Off to not configure an IPv4 addres...

Page 40: ... static IP address be sure to also set the default gateway to be a unique gateway instead of the data interfaces If you use DHCP you do not need to configure anything Step 4 If you want to configure additional interfaces including an interface other than outside or inside choose Device and then click the link in the Interfaces summary See Configure the Firewall in Firepower Device Manager on page ...

Page 41: ... NAT or does not have a public IP address or hostname At least one of the devices either the FMC or the FTD must have a reachable IP address to establish the two way SSL encrypted communication channel between the two devices Cisco Firepower 2100 Getting Started Guide 39 Firepower Threat Defense Deployment with FMC Complete the FTD Initial Configuration Using FDM ...

Page 42: ...d in combination with the IP address to verify that the connection is coming from the correct device only after authentication of the IP address NAT ID will the registration key be checked Step 7 Configure the Connectivity Configuration a Specify the FTD Hostname b Specify the DNS Server Group Choose an existing group or create a new one The default DNS group is called CiscoUmbrellaDNSServerGroup ...

Page 43: ...e Management and FMC access interface settings Note that other default configuration settings such as the access control policy are not retained Procedure Step 1 Connect to the FTD CLI either from the console port or using SSH to the Management interface which obtains an IP address from a DHCP server by default If you intend to change the network settings we recommend using the console port so you...

Page 44: ...applies only to remote FMC or Firepower Device Manager management you should set a gateway IP address for Management 1 1 when using FMC on the management network In the edge deployment example shown in the network deployment section the inside interface acts as the management gateway In this case you should set the gateway IP address to be the intended inside interface IP address you must later us...

Page 45: ...ing the sensor to a Firepower Management Center disables on sensor Firepower Services management capabilities When registering the sensor to a Firepower Management Center a unique alphanumeric registration key is always required In most cases to register a sensor to a Firepower Management Center you must provide the hostname or the IP address along with the registration key configure manager add h...

Page 46: ... behind a NAT device enter a unique NAT ID along with the registration key and specify DONTRESOLVE instead of the hostname for example Example configure manager add DONTRESOLVE regk3y78 natid90 Manager successfully configured If the FTD is behind a NAT device enter a unique NAT ID along with the FMC IP address or hostname for example Example configure manager add 10 70 45 5 regk3y78 natid56 Manage...

Page 47: ...g account must qualify for the Strong Encryption 3DES AES license to use some features enabled using the export compliance flag Procedure Step 1 Make sure your Smart Licensing account contains the available licenses you need When you bought your device from Cisco or a reseller your licenses should have been linked to your Smart Software License account However if you need to add licenses yourself ...

Page 48: ... have not already done so register the FMC with the Smart Licensing server Registering requires you to generate a registration token in the Smart Software Manager See the FMC configuration guide for detailed instructions Register the FTD with the FMC Register the FTD to the FMC Before you begin Gather the following information that you set in the FTD initial configuration The FTD management IP add...

Page 49: ...tion key that you specified in the FTD initial configuration Domain Assign the device to a leaf domain if you have a multidomain environment Group Assign it to a device group if you are using groups Access Control Policy Choose an initial policy Unless you already have a customized policy you know you need to use choose Create new policy and choose Block all traffic You can change this later to al...

Page 50: ...e FMC but packet data is not sent Step 3 Click Register and confirm a successful registration If the registration succeeds the device is added to the list If it fails you will see an error message If the FTD fails to register check the following items Ping Access the FTD CLI and ping the FMC IP address using the following command ping system ip_address If the ping is not successful check your netw...

Page 51: ...guration on page 58 Configure Interfaces Enable FTD interfaces assign them to security zones and set the IP addresses Typically you must configure at least a minimum of two interfaces to have a system that passes meaningful traffic Normally you would have an outside interface that faces the upstream router or internet and one or more inside interfaces for your organization s networks Some of these...

Page 52: ...eneral tab appears a Enter a Name up to 48 characters in length For example name the interface inside b Check the Enabled check box c Leave the Mode set to None d From the Security Zone drop down list choose an existing inside security zone or add a new one by clicking New Cisco Firepower 2100 Getting Started Guide 50 Firepower Threat Defense Deployment with FMC Configure Interfaces ...

Page 53: ...go from inside to outside but not from outside to inside Most policies only support security zones you can use zones or interface groups in NAT policies prefilter policies and QoS policies e Click the IPv4 and or IPv6 tab IPv4 Choose Use Static IP from the drop down list and enter an IP address and subnet mask in slash notation For example enter 192 168 1 1 24 IPv6 Check the Autoconfiguration chec...

Page 54: ...alled outside_zone e Click the IPv4 and or IPv6 tab IPv4 Choose Use DHCP and configure the following optional parameters Obtain default route using DHCP Obtains the default route from the DHCP server DHCP route metric Assigns an administrative distance to the learned route between 1 and 255 The default administrative distance for the learned routes is 1 IPv6 Check the Autoconfiguration check box f...

Page 55: ...The default route normally points to the upstream router reachable from the outside interface If you use DHCP for the outside interface your device might have already received a default route If you need to manually add the route complete this procedure If you received a default route from the DHCP server it will show in the IPv4 Routes or IPv6 Routes table on the Devices Device Management Routing...

Page 56: ...d to move it to the Selected Network list Gateway or IPv6 Gateway Enter or choose the gateway router that is the next hop for this route You can provide an IP address or a Networks Hosts object Metric Enter the number of hops to the destination network Valid values range from 1 to 255 the default value is 1 Step 3 Click OK The route is added to the static route table Cisco Firepower 2100 Getting S...

Page 57: ... and click New Policy Threat Defense NAT Step 2 Name the policy select the device s that you want to use the policy and click Save The policy is added the FMC You still have to add rules to the policy Step 3 Click Add Rule The Add NAT Rule dialog box appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Cisco Firepower 2100 Getting Started Guide 55 Firepower Threat Defense ...

Page 58: ...ce Objects area to the Destination Interface Objects area Step 6 On the Translation page configure the following options Original Source Click Add to add a network object for all IPv4 traffic 0 0 0 0 0 Cisco Firepower 2100 Getting Started Guide 56 Firepower Threat Defense Deployment with FMC Configure NAT ...

Page 59: ...th the FMC then you need to add rules to the policy to allow traffic through the device The following procedure adds a rule to allow traffic from the inside zone to the outside zone If you have other zones be sure to add rules allowing traffic to the appropriate networks See the FMC configuration guide to configure more advanced security settings and rules Procedure Step 1 Choose Policy Access Pol...

Page 60: ... Save Deploy the Configuration Deploy the configuration changes to the FTD none of your changes are active on the device until you deploy them Procedure Step 1 Click Deploy in the upper right Step 2 Select the device in the Deploy Policies dialog box then click Deploy Step 3 Ensure that the deployment succeeds Click the icon to the right of the Deploy button in the menu bar to see status for deplo...

Page 61: ...default This procedure describes console port access which defaults to the FXOS CLI Note Procedure Step 1 To log into the CLI connect your management computer to the console port The Firepower 2100 ships with a DB 9 to RJ 45 serial cable so you will need a third party serial to USB cable to make the connection Be sure to install any necessary USB serial drivers for your operating system The consol...

Page 62: ...Remember that there are many processes running in the background all the time and unplugging or shutting off the power does not allow the graceful shutdown of your firewall You can shut down your system properly using FMC Procedure Step 1 Choose Devices Device Management Step 2 Next to the device that you want to restart click the edit icon Step 3 Click the Device tab Step 4 Click the shut down de...

Page 63: ...le for your software version at Navigating the Cisco Firepower Documentation For information related to using FMC see the Firepower Management Center Configuration Guide Cisco Firepower 2100 Getting Started Guide 61 Firepower Threat Defense Deployment with FMC What s Next ...

Page 64: ...Cisco Firepower 2100 Getting Started Guide 62 Firepower Threat Defense Deployment with FMC What s Next ...

Page 65: ...es not work with pre configured devices The central administrator can preregister the FTD on FMC using the FTD serial number before sending the device to the branch office Note The branch office administrator cables and powers on the FTD The central administrator completes configuration of the FTD using the FMC Low touch provisioning requires Firepower version 7 1 or later Note Manual Provisioning...

Page 66: ...ith the configuration or when using SNMP How Remote Management Works on page 64 Before You Start on page 66 End to End Procedure on page 66 Central Administrator Pre Configuration on page 68 Central Administrator Pre Configuration Using the CLI on page 74 Branch Office Installation on page 79 Central Administrator Post Configuration on page 81 How Remote Management Works To allow the FMC to manage...

Page 67: ...SSH later using FMC Because the Management interface gateway will be changed to be the data interfaces you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static routes command The following figure shows the FMC at central headquarters and the FTD with FMC access on the outside interface Either...

Page 68: ...iguration of the FMC See the FMC getting started guide End to End Procedure See the following tasks to deploy the FTD with FMC on your chassis Cisco Firepower 2100 Getting Started Guide 66 Firepower Threat Defense Deployment with a Remote FMC Before You Start ...

Page 69: ...istrator Pre Configuration Using FDM on page 68 FTD CLI Central administrator Cable the Firewall on page 79 Physical Setup Branch administrator Power on the Device on page 80 Physical Setup Branch administrator Cisco Firepower 2100 Getting Started Guide 67 Firepower Threat Defense Deployment with a Remote FMC End to End Procedure ...

Page 70: ...ion You need to manually pre configure the FTD before you send it to the branch office Central Administrator Pre Configuration Using FDM Connect to FDM to perform initial setup of the FTD When you perform initial setup using FDM all interface configuration completed in FDM is retained when you switch to FMC for management in addition to the Management and FMC access settings Note that other defaul...

Page 71: ...e it manually after completing the setup wizard Configure IPv4 The IPv4 address for the outside interface You can use DHCP or manually enter a static IP address subnet mask and gateway You can also select Off to not configure an IPv4 address You cannot configure PPPoE using the setup wizard PPPoE may be required if the interface is connected to a DSL modem cable modem or other connection to your I...

Page 72: ...receive a gateway from DHCP for example you did not connect this interface to a network then the gateway will default to data interfaces and you do not need to configure anything If you did receive a gateway from DHCP then you need to instead configure this interface with a static IP address and set the gateway to data interfaces Step 6 If you want to configure additional interfaces including an i...

Page 73: ... you can reach the FMC using an IP address or hostname or No if the FMC is behind NAT or does not have a public IP address or hostname Cisco Firepower 2100 Getting Started Guide 71 Firepower Threat Defense Deployment with a Remote FMC Central Administrator Pre Configuration Using FDM ...

Page 74: ...sets the data interface DNS server The Management DNS server that you set with the setup wizard is used for management traffic The data DNS server is used for DDNS if configured or for security policies applied to this interface You are likley to choose the same DNS server group that you used for Management because both management and data traffic reach the DNS server through the outside interface...

Page 75: ... The FMC Registration Status dialog box shows the current status of the switch to FMC After the Saving FMC Registration Settings step go to FMC and add the firewall Figure 22 FMC Registration Status If you want to cancel the switch to FMC click Cancel Registration Otherwise do not close the FDM browser window until after the Saving FMC Registration Settings step If you do the process will be pause...

Page 76: ... started guide You will need to know the FMC IP address or hostname before you set up the FTD Procedure Step 1 Power on the firewall The first time you boot up the FTD initialization can take approximately 15 to 30 minutes Note Step 2 Connect to the FTD CLI on the console port The console port connects to the FXOS CLI Step 3 Log in with the username admin and the password Admin123 The first time y...

Page 77: ... the following guidelines Configure IPv4 via DHCP or manually Choose manual Although you do not plan to use the Management interface you must set an IP address for example a private address You cannot configure a data interface for management if the management interface is set to DHCP because the default route which must be data interfaces see the next bullet might be overwritten with one received...

Page 78: ...d to reconnect For HTTP Proxy configuration run configure network http proxy Manage the device locally yes no yes no Configure firewall mode routed transparent routed Configuring firewall mode Update policy deployment information add device configuration add network discovery add system policy You can register the sensor to a Firepower Management Center and use the Firepower Management Center to m...

Page 79: ...ommand is used for management traffic The data DNS server is used for DDNS if configured or for security policies applied to this interface On the FMC the data interface DNS servers are configured in the Platform Settings policy that you assign to this FTD When you add the FTD to the FMC the local setting is maintained and the DNS servers are not added to a Platform Settings policy However if you ...

Page 80: ...management data interface client ip_address netmask By default all networks are allowed Step 8 Identify the FMC that will manage this FTD configure manager add hostname IPv4_address IPv6_address DONTRESOLVE reg_key nat_id hostname IPv4_address IPv6_address DONTRESOLVE Specifies either the FQDN or IP address of the FMC If the FMC is not directly addressable use DONTRESOLVE At least one of the devic...

Page 81: ... that the chassis is powered off appear unlit c After the chassis has successfully powered off you can then unplug the power to physically remove power from the chassis if necessary Branch Office Installation After you receive the FTD from central headquarters you only need to cable and power on the firewall so that it has internet access from the outside interface The central administrator can th...

Page 82: ...power is OFF When the switch is in the ON position the 12 V main power is turned on and the system boots Before you begin It s important that you provide reliable power for your device for example using an uninterruptable power supply UPS Loss of power without first shutting down can cause serious file system damage There are many processes running in the background all the time and losing power d...

Page 83: ... the FTD to the FMC and complete configuration of the device Log Into the Firepower Management Center Use the FMC to configure and monitor the FTD Before you begin For information on supported browsers refer to the release notes for the version you are using see https www cisco com go firepower notes Procedure Step 1 Using a supported browser enter the following URL https fmc_ip_address Step 2 Ent...

Page 84: ...count However if you need to add licenses yourself use the Find Products and Solutions search field on the Cisco Commerce Workspace Search for the following license PIDs Figure 25 License Search If a PID is not found you can add the PID manually to your order Note Threat Malware and URL license combination L FPR2110T TMC L FPR2120T TMC L FPR2130T TMC L FPR2140T TMC When you add one of the above PI...

Page 85: ...ow Touch Provisioning either when you register with the Smart Software Manager or after you register See the System Licenses Smart Licenses page Register the FTD with the FMC Register the FTD to the FMC Before you begin Gather the following information that you set in the FTD initial configuration The FTD management IP address or hostname and NAT ID The FMC registration key Procedure Step 1 In the...

Page 86: ...the FTD initial configuration Domain Assign the device to a leaf domain if you have a multidomain environment Group Assign it to a device group if you are using groups Access Control Policy Choose an initial policy Unless you already have a customized policy you know you need to use choose Create new policy and choose Block all traffic You can change this later to allow traffic see Allow Traffic f...

Page 87: ... packet data is not sent Step 3 Click Register and confirm a successful registration If the registration succeeds the device is added to the list If it fails you will see an error message If the FTD fails to register check the following items Ping Access the FTD CLI and ping the FMC IP address using the following command ping system ip_address If the ping is not successful check your network setti...

Page 88: ...ess Data Interface on page 95 Deploy the Configuration on page 58 Configure Interfaces Enable FTD interfaces assign them to security zones and set the IP addresses Typically you must configure at least a minimum of two interfaces to have a system that passes meaningful traffic Normally you would have an outside interface that faces the upstream router or internet and one or more inside interfaces ...

Page 89: ...l tab appears a Enter a Name up to 48 characters in length For example name the interface inside b Check the Enabled check box c Leave the Mode set to None d From the Security Zone drop down list choose an existing inside security zone or add a new one by clicking New Cisco Firepower 2100 Getting Started Guide 87 Firepower Threat Defense Deployment with a Remote FMC Configure Interfaces ...

Page 90: ...om inside to outside but not from outside to inside Most policies only support security zones you can use zones or interface groups in NAT policies prefilter policies and QoS policies e Click the IPv4 and or IPv6 tab IPv4 Choose Use Static IP from the drop down list and enter an IP address and subnet mask in slash notation For example enter 192 168 1 1 24 IPv6 Check the Autoconfiguration check box...

Page 91: ...or IPv6 tab IPv4 Choose Use DHCP and configure the following optional parameters Obtain default route using DHCP Obtains the default route from the DHCP server DHCP route metric Assigns an administrative distance to the learned route between 1 and 255 The default administrative distance for the learned routes is 1 IPv6 Check the Autoconfiguration check box for stateless autoconfiguration f Click O...

Page 92: ... upstream router reachable from the outside interface If you use DHCP for the outside interface your device might have already received a default route If you need to manually add the route complete this procedure If you received a default route from the DHCP server it will show in the IPv4 Routes or IPv6 Routes table on the Devices Device Management Routing Static Route page Procedure Step 1 Choo...

Page 93: ...move it to the Selected Network list Gateway or IPv6 Gateway Enter or choose the gateway router that is the next hop for this route You can provide an IP address or a Networks Hosts object Metric Enter the number of hops to the destination network Valid values range from 1 to 255 the default value is 1 Step 3 Click OK The route is added to the static route table Cisco Firepower 2100 Getting Starte...

Page 94: ...click New Policy Threat Defense NAT Step 2 Name the policy select the device s that you want to use the policy and click Save The policy is added the FMC You still have to add rules to the policy Step 3 Click Add Rule The Add NAT Rule dialog box appears Step 4 Configure the basic rule options NAT Rule Choose Auto NAT Rule Cisco Firepower 2100 Getting Started Guide 92 Firepower Threat Defense Deplo...

Page 95: ...bjects area to the Destination Interface Objects area Step 6 On the Translation page configure the following options Original Source Click Add to add a network object for all IPv4 traffic 0 0 0 0 0 Cisco Firepower 2100 Getting Started Guide 93 Firepower Threat Defense Deployment with a Remote FMC Configure NAT ...

Page 96: ...he FMC then you need to add rules to the policy to allow traffic through the device The following procedure adds a rule to allow traffic from the inside zone to the outside zone If you have other zones be sure to add rules allowing traffic to the appropriate networks See the FMC configuration guide to configure more advanced security settings and rules Procedure Step 1 Choose Policy Access Policy ...

Page 97: ...the internal and external user list with SSH for the Management interface Other settings are configured separately for data interfaces enable SSH and access lists using this screen SSH traffic for data interfaces uses the regular routing configuration and not any static routes configured at setup or at the CLI For the Management interface to configure an SSH access list see the configure ssh acces...

Page 98: ...dentify the interfaces and IP addresses that allow SSH connections Use this table to limit which interfaces will accept SSH connections and the IP addresses of the clients who are allowed to make those connections You can use network addresses rather than individual IP addresses a Click Add to add a new rule or click Edit to edit an existing rule b Configure the rule properties IP Address The netw...

Page 99: ...lick the icon to the right of the Deploy button in the menu bar to see status for deployments Access the FTD and FXOS CLI Use the command line interface CLI to set up the system and do basic system troubleshooting You cannot configure policies through a CLI session You can access the CLI by connecting to the console port You can also access the FXOS CLI for troubleshooting purposes Cisco Firepower...

Page 100: ... system The console port defaults to the FXOS CLI Use the following serial settings 9600 baud 8 data bits No parity 1 stop bit You connect to the FXOS CLI Log in to the CLI using the admin username and the password you set at initial setup the default is Admin123 Example firepower login admin Password Last login Thu May 16 14 01 03 UTC 2019 on ttyS0 Successful login attempts for user admin 1 firep...

Page 101: ...ion that is down there is no peer channel connected to information nor heartbeat information shown sftunnel status brief PEER 10 10 17 202 Registration Completed Connection to peer 10 10 17 202 Attempted at Mon Jun 15 09 21 57 2020 UTC Last disconnect time Mon Jun 15 09 19 09 2020 UTC Last disconnect reason Both control and event channel connections with peer went down See the following sample out...

Page 102: ...stem Information Data Interfaces DNS Servers Interfaces GigabitEthernet1 1 GigabitEthernet1 1 State Enabled Link Up Name outside MTU 1500 MAC Address 28 6F 7F D3 CB 8F IPv4 Configuration Manual Address 10 89 5 29 Netmask 255 255 255 192 Gateway 10 89 5 1 IPv6 Configuration Disabled Check that the FTD registered with the FMC At the FTD CLI check that the FMC registration was completed Note that thi...

Page 103: ...dress 0000 0100 0001 MTU 1500 IP address 169 254 1 1 subnet mask 255 255 255 248 37 packets input 2822 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 0 pause input 0 resume input 0 L2 decode drops 5 packets output 370 bytes 0 underruns 0 pause output 0 resume output 0 output errors 0 collisions 0 interface resets 0 late collisions ...

Page 104: ...rver_0_sftunnel_intf3 interface service tcp 8305 8305 translate_hits 0 untranslate_hits 6 2 nlp_int_tap to outside source static nlp_server_0_ssh_intf3 interface service tcp ssh ssh translate_hits 0 untranslate_hits 73 3 nlp_int_tap to outside source static nlp_server_0_sftunnel_ipv6_intf3 interface ipv6 service tcp 8305 8305 translate_hits 0 untranslate_hits 0 4 nlp_int_tap to outside source dyna...

Page 105: ... failures check that the root certificates are installed on the device show crypto ca certificates trustpoint_name To check the DDNS operation show ddns update interface fmc_access_ifc_name show ddns update interface outside Dynamic DNS Update on outside Update Method Name Update Destination RBD_DDNS not available Last Update attempted on 04 11 58 083 UTC Thu Jun 11 2020 Status Success FQDN domain...

Page 106: ... the rollback connections will drop because the current configuration will be cleared Before you begin Model Support FTD Procedure Step 1 At the FTD CLI roll back to the previous configuration configure policy rollback After the rollback the FTD notifies the FMC that the rollback was completed successfully In FMC the deployment screen will show a banner stating that the configuration was rolled ba...

Page 107: ...llow the graceful shutdown of your firewall You can shut down your system properly using FMC Procedure Step 1 Choose Devices Device Management Step 2 Next to the device that you want to restart click the edit icon Step 3 Click the Device tab Step 4 Click the shut down device icon in the System section Step 5 When prompted confirm that you want to shut down the device Step 6 Observe the Power LED a...

Page 108: ...Cisco Firepower 2100 Getting Started Guide 106 Firepower Threat Defense Deployment with a Remote FMC What s Next ...

Page 109: ...ates to promote policy consistency across devices This feature requires Firepower version 6 7 or later Note This document assumes the Firepower 2100 hardware has a pre installed FTD image on it The Firepower 2100 hardware can run either FTD software or ASA software Switching between FTD and ASA requires you to reimage the device See Reimage the Cisco ASA or Firepower Threat Defense Device The Fire...

Page 110: ... Tasks Branch Office Employee Cable the Device on page 110 Branch Office Tasks Branch Office Employee Power On the Device on page 111 Branch Office Tasks Branch Office Employee Log Into CDO with Cisco Secure Sign On on page 115 Cisco Defense Orchestrator CDO Admin Cisco Firepower 2100 Getting Started Guide 108 Firepower Threat Defense Deployment with CDO and Low Touch Provisioning End to End Proce...

Page 111: ...ude any key tasks to be completed and provide points of contact for each item Then you need to cable and power on the firewall so that it has internet access from the outside interface The CDO administrator can then complete the onboarding process You can watch this video to see how a Branch employee onboards a firewall using CDO and low touch provisioning Tip Provide the Firewall Serial Number to...

Page 112: ... the CDO network administrator at your IT department central headquarters Your network administrator needs your firewall serial number to facilitate low touch provisioning connect to the firewall and configure it remotely Communicate with the CDO administrator to develop an onboarding timeline Cable the Device This topic describes the how to connect the Firepower 2100 to your network so that it ca...

Page 113: ...ng interfaces as needed Power On the Device The power switch is located to the left of power supply module 1 on the rear of the chassis It is a toggle switch that controls power to the system If the power switch is in standby position only the 3 3 V standby power is enabled from the power supply module and the 12 V main power is OFF When the switch is in the ON position the 12 V main power is turn...

Page 114: ... done CDO Administrator Onboarding and Management After the remote branch administrator sends the serial number information to the central headquarters the CDO administrator onboards the FTD to CDO When you onboard the firewall in CDO using the serial number the firewall is associated with your CDO tenant in the Cisco cloud After the branch office administrator cables and powers on the FTD the fir...

Page 115: ... DUO Security We recommend that you install the Duo Security app on a mobile phone Review Duo Guide to Two Factor Authentication Enrollment Guide if you have questions about installing Duo Time Synchronization You are going to use your mobile device to generate a one time password It is important that your device clock is synchronized with real time as the OTP is time based Make sure your device c...

Page 116: ...re 29 Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company Tip Cisco Firepower 2100 Getting Started Guide 114 Firepower Threat Defense Deployment with CDO and Low Touch Provisioning Create a New Cisco Secure Sign On Account ...

Page 117: ...le Authenticator as a an additional authenticator a Choose the mobile device you are pairing with Google Authenticator and click Next b Follow the prompts in the setup wizard to setup Google Authenticator Step 4 Configure Account Recovery Options for your Cisco Secure Sign On Account a Choose a forgot password question and answer b Choose a recovery phone number for resetting your account using SM...

Page 118: ...propriate CDO tile on the Cisco Secure Sign on dashboard The CDO tile directs you to https defenseorchestrator com the CDO EU tile directs you to https defenseorchestrator eu and the CDO APJC tile directs you to to https www apj cdo cisco com Figure 31 Cisco SSO Dashboard Step 6 Click the authenticator logo to choose Duo Security or Google Authenticator if you have set up both authenticators If yo...

Page 119: ...he EULA agreement changes in the future you must accept it again when prompted Note Step 3 On the Onboard FTD Device screen click Use Serial Number Step 4 In the Connection area provide the following a Select the Secure Device Connector SDC that this device will communicate with The default SDC is displayed but you can change it by clicking the blue Change link b Device Serial Number Enter the ser...

Page 120: ...s and Services What to do next Communicate with the branch office where the device is being deployed After the branch office administrator cables and powers on the FTD your next steps are to complete the onboarding process and configure manage the device Configure Licensing The FTD uses Smart Software Licensing which lets you purchase and manage a pool of licenses centrally When you register the c...

Page 121: ...nse account However if you need to add licenses yourself use the Find Products and Solutions search field on the Cisco Commerce Workspace Search for the following license PIDs Figure 32 License Search If a PID is not found you can add the PID manually to your order Note Threat Malware and URL license combination L FPR2110T TMC L FPR2120T TMC L FPR2130T TMC L FPR2140T TMC When you add one of the ab...

Page 122: ...tration token for the virtual account to which you want to add this device a Click Inventory b On the General tab click New Token c On the Create Registration Token dialog box enter the following settings and then click Create Token Description Cisco Firepower 2100 Getting Started Guide 120 Firepower Threat Defense Deployment with CDO and Low Touch Provisioning Configure Licensing ...

Page 123: ...ater in the procedure when you need to register the FTD Figure 33 View Token Figure 34 Copy Token Step 3 In CDO click Devices Services and then select the FTD device that you want to license Step 4 In the Device Actions pane click Manage Licenses and follow the on screen instructions to enter the smart license generated from Smart Software Manager Step 5 Click Register Device After synchronizing w...

Page 124: ...y policies that use the feature If you enabled the RA VPN license select the type of license you want to use Plus Apex VPN Only or Plus and Apex After you enable features if you do not have the licenses in your account you will see the following non compliance message after you refresh the page License Issue Out of Compliance Step 7 Choose Refresh Licenses to synchronize license information with C...

Page 125: ...with Cisco Defense Orchestrator for links to common management tasks What to do Next You have now configured the FTD and onboarded it to CDO which provides a simplified management interface and cloud access to your FTDs Use CDO to upgrade software configure high availability and configure device settings and network resources for your FTDs Cisco Firepower 2100 Getting Started Guide 123 Firepower T...

Page 126: ...Cisco Firepower 2100 Getting Started Guide 124 Firepower Threat Defense Deployment with CDO and Low Touch Provisioning Manage the Device with CDO ...

Page 127: ...ice See Reimage the Cisco ASA or Firepower Threat Defense Device Note The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System FXOS The Firepower 2100 does not support the FXOS Firepower Chassis Manager only a limited CLI is supported for troubleshooting purposes See the FXOS troubleshooting guide for more information Privacy Collection Statement The ...

Page 128: ... 160 Power Off the Firewall Using FDM on page 161 What s Next on page 161 End to End Procedure See the following tasks to deploy FTD with CDO on your chassis Cisco Firepower 2100 Getting Started Guide 126 Firepower Threat Defense Deployment with CDO End to End Procedure ...

Page 129: ...loyment and Default Configuration on page 129 Pre Configuration Cable the Device on page 134 Pre Configuration Cisco Firepower 2100 Getting Started Guide 127 Firepower Threat Defense Deployment with CDO End to End Procedure ...

Page 130: ...ter the device with the Smart Licensing Server Configure Licensing on page 155 Cisco Defense Orchestrator Configure the Device in CDO on page 151 Cisco Defense Orchestrator How Cisco Defense Orchestrator Works with Firepower Threat Defense CDO and FDM Co Management After you complete initial configuration in FDM to establish internet connectivity and configure a basic network policy you can onboar...

Page 131: ...preconfigure the device using FDM see the Low Touch Provisioning chapter in this guide You can also onboard using a serial number if you already started configuring the device in FDM although that method is not covered in this guide See Onboard an FTD using the Device s Serial Number for more information Review the Network Deployment and Default Configuration You can perform initial setup of the F...

Page 132: ...ress on the 192 168 1 0 network which is a common default network the DHCP lease will fail and the outside interface will not obtain an IP address This problem occurs because the FTD cannot have two interfaces on the same network In this case you must change the inside IP address to be on a new network If you add the FTD to an existing inside network you will need to change the inside IP address t...

Page 133: ... does not include a DHCP server then you can connect to the console port and perform initial setup at the CLI including setting the Management IP address gateway and other basic networking settings If you need to change the inside IP address you can do so after you complete initial setup in FDM For example you may need to change the inside IP address in the following circumstances 7 0 and later Th...

Page 134: ...e f after initial setup includes the following inside Ethernet 1 2 IP address 7 0 and later 192 168 95 1 pre 7 0 192 168 1 1 outside Ethernet 1 1 IP address from IPv4 DHCP and IPv6 autoconfiguration inside outside traffic flow management Management 1 1 management 6 6 and later IP address from DHCP 6 5 and earlier IP address 192 168 45 45 Cisco Firepower 2100 Getting Started Guide 132 Firepower Thr...

Page 135: ...tes Data interfaces Obtained from outside DHCP or a gateway IP address you specify during setup Management interface 6 6 and later Obtained from management DHCP If you do not receive a gateway then the default route is over the backplane and through the data interfaces 6 5 and earlier Over the backplane and through the data interfaces Note that the Management interface requires internet access for...

Page 136: ...ault IP address 192 168 95 1 and also runs a DHCP server to provide IP addresses to clients including the management computer so make sure these settings do not conflict with any existing inside network settings see Default Configuration on page 8 Management 1 1 labeled MGMT Connect Management 1 1 to your management network and make sure your management computer is on or has access to the manageme...

Page 137: ...e system If the power switch is in standby position only the 3 3 V standby power is enabled from the power supply module and the 12 V main power is OFF When the switch is in the ON position the 12 V main power is turned on and the system boots Before you begin It s important that you provide reliable power for your device for example using an uninterruptable power supply UPS Loss of power without ...

Page 138: ... or outside interfaces which you can later configure in the GUI You cannot repeat the CLI setup script unless you clear the configuration for example by reimaging However all of these settings can be changed later at the CLI using configure network commands See the threat defense command reference Note Procedure Step 1 Connect to the FTD console port See Access the FTD and FXOS CLI on page 160 for...

Page 139: ...by DHCP and uses the data interfaces as a fallback method if DHCP doesn t provide a gateway If your networking information has changed you will need to reconnect If you are connected with SSH to the default IP address but you change the IP address at initial setup you will be disconnected Reconnect with the new IP address and password Console connections are not affected Manage the device locally ...

Page 140: ...nboarding the device to CDO Before you begin Use a current version of Firefox or Chrome Procedure Step 1 Enter the following URL in your browser 7 0 and later Inside Ethernet 1 2 https 192 168 95 1 6 7 and earlier Inside Ethernet 1 2 https 192 168 1 1 6 6 and later Management https management_ip The Management interface is a DHCP client so the IP address depends on your DHCP server If you changed ...

Page 141: ...Ensure that your settings are correct Note a Outside Interface This is the data port that you connected to your gateway router You cannot select an alternative outside interface during initial device setup The first data interface is the default outside interface Configure IPv4 The IPv4 address for the outside interface You can use DHCP or manually enter a static IP address subnet mask and gateway...

Page 142: ... of security in protecting your user identity Two factor authentication a type of MFA requires two components or factors to ensure the identity of the user logging into CDO The first factor is a username and password and the second is a one time password OTP which is generated on demand from Duo Security After you establish your Cisco Secure Sign On credentials you can log into CDO from your Cisco...

Page 143: ... time Use a current version of Firefox or Chrome Procedure Step 1 Sign Up for a New Cisco Secure Sign On Account a Browse to https sign on security cisco com b At the bottom of the Sign In screen click Sign up Figure 37 Cisco SSO Sign Up c Fill in the fields of the Create Account dialog and click Register Cisco Firepower 2100 Getting Started Guide 141 Firepower Threat Defense Deployment with CDO C...

Page 144: ... your device you ll receive an activation code for this account Duo supports multiple accounts on one device c At the end of the wizard click Continue to Login d Log in to Cisco Secure Sign On with the two factor authentication Step 3 Optional Setup Google Authenticator as a an additional authenticator a Choose the mobile device you are pairing with Google Authenticator and click Next b Follow the...

Page 145: ...e Create a New Cisco Secure Sign On Account on page 140 Use a current version of Firefox or Chrome Procedure Step 1 In a web browser navigate to https sign on security cisco com Step 2 Enter your Username and Password Step 3 Click Log in Step 4 Receive another authentication factor using Duo Security and confirm your login The system confirms your login and displays the Cisco Secure Sign On dashbo...

Page 146: ...ess changes for some reason your FTD remains connected to CDO Additionally your FTD does not need to have a public IP address and as long as the device can access the outside network you can onboard it to CDO using this method If you have a SecureX or Cisco Threat Response CTR account you will need to merge your CDO account and SecureX CTR account in order for your devices to be registered with Se...

Page 147: ...l fail Procedure Step 1 In the CDO navigation pane click Devices Services then click the blue plus button to Onboard a device Step 2 Click the FTD card Step 3 Click Use Registration Key Step 4 Complete the Device Name area fields Figure 41 Device Name a Choose the Secure Device Connector that this device will communicate with The default SDC is displayed but you can change it by clicking the SDC n...

Page 148: ...he device you want to onboard to CDO a Under System Settings click Cloud Services b If you already registered the device with Cisco Smart Licensing and this page shows you are already registered with the cloud then click the gear menu and choose Unregister Cloud Services Reload the page to see the unregistered options c In the Enrollment Type area click Security CDO Account For 6 6 this tab is cal...

Page 149: ...seorchestrator com For version 6 4 for the EU region defenseorchestrator eu you can only onboard your FTD device using username password and IP address You cannot use a registration key Your device MUST be managed by Firepower Device Manager FDM Make sure that there are no pending changes waiting on the device Your device should be configured to use the 90 day evaluation license You will need to u...

Page 150: ...te away from the onboarding screen after the key is generated and before the device is fully onboarded you will not be able to return to the onboarding screen However CDO creates a placeholder for that device on the Device Services page Select the device placeholder to see the key for that device Note Step 7 Click the Copy icon to copy the registration key and click Next You can skip copying the r...

Page 151: ... onboard your device with a registration key because it is not dependent on a static IP address and does not require an on premises SDC see Onboard an FTD with a Registration Key Version 6 6 on page 144 Before you begin You can use this method to onboard your device to the US EU or APJ regions Your device MUST be managed by Firepower Device Manager FDM Make sure that there are no pending changes w...

Page 152: ...ber to reflect your device s configuration d Click Next Step 5 In the Database Updates area check or uncheck the Immediately perform security updates and enable recurring updates and click Next This option immediately triggers a security update as well as automatically schedules the device to check for additional updates every Monday at 2AM See Update FTD Security Databases and Schedule a Security...

Page 153: ...give the interface a Logical Name and optionally a Description Unless you configure subinterfaces the interface should have a name If you change the name the change is automatically reflected everywhere you used the old name including security zones syslog server objects and DHCP server definitions However you cannot remove the name until you first remove all configurations that use the name becau...

Page 154: ... then review the DHCP Servers section There is already a DHCP server configured for the inside interface but you can edit the address pool or even delete it If you configured other inside interfaces it is very typical to set up a DHCP server on those interfaces Click to configure the server and address pool for each inside interface You can also review the DNS settings supplied to clients on the D...

Page 155: ...The initial setup enables traffic flow between the inside zone and outside zone and interface NAT for all interfaces when going to the outside interface Even if you configure new interfaces if you add them to the inside zone object the access control rule automatically applies to them However if you have multiple inside interfaces you need an access control rule to allow traffic flow from inside z...

Page 156: ... control policy In this example no options are set on any of the other tabs except for Logging where At End of Connection is selected Figure 48 Access Control Policy Step 9 Locate the Security Database Updates section to create a scheduled task to check and update the security databases for an FTD device When you onboard an FTD device to CDO part of the onboarding process allows you to Enable sche...

Page 157: ...on IPS Malware Malware URL URL Filtering RA VPN AnyConnect Plus AnyConnect Apex or AnyConnect VPN Only Before you begin Have a master account on the Smart Software Manager If you do not yet have an account click the link to set up a new account The Smart Software Manager lets you create a master account for your organization Your Smart Software Licensing account must qualify for the Strong Encrypt...

Page 158: ...120T TMC 1Y L FPR2120T TMC 3Y L FPR2120T TMC 5Y L FPR2130T TMC 1Y L FPR2130T TMC 3Y L FPR2130T TMC 5Y L FPR2140T TMC 1Y L FPR2140T TMC 3Y L FPR2140T TMC 5Y RA VPN See the Cisco AnyConnect Ordering Guide Step 2 In the Smart Software Manager request and copy a registration token for the virtual account to which you want to add this device a Click Inventory b On the General tab click New Token Cisco ...

Page 159: ...unctionality If you enable this functionality later you will need to re register your device with a new product key and reload the device If you do not see this option your account does not support export controlled functionality The token is added to your inventory d Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard Keep thi...

Page 160: ...ick Register Device After synchronizing with the device the connectivity state changes to Online You return to the Manage Licenses page While the device registers you see the following message Step 6 After applying the smart license successfully to the FTD device the device status shows Connected Sufficient License Click the Enable Disable slider control for each optional license as desired Cisco ...

Page 161: ...can you deploy policies that use the feature If you enabled the RA VPN license select the type of license you want to use Plus Apex VPN Only or Plus and Apex After you enable features if you do not have the licenses in your account you will see the following non compliance message after you refresh the page License Issue Out of Compliance Step 7 Choose Refresh Licenses to synchronize license infor...

Page 162: ...faults to the FXOS CLI Note Procedure Step 1 To log into the CLI connect your management computer to the console port The Firepower 2100 ships with a DB 9 to RJ 45 serial cable so you will need a third party serial to USB cable to make the connection Be sure to install any necessary USB serial drivers for your operating system The console port defaults to the FXOS CLI Use the following serial sett...

Page 163: ...r 6 4 and earlier enter the shutdown command at the FDM CLI Note a Click Device then click the System Settings Reboot Shutdown link b Click Shut Down Step 2 Observe the Power LED and Status LED to verify that the chassis is powered off appear unlit Step 3 After the chassis has successfully powered off you can then unplug the power to physically remove power from the chassis if necessary What s Nex...

Page 164: ...Cisco Firepower 2100 Getting Started Guide 162 Firepower Threat Defense Deployment with CDO What s Next ...

Page 165: ...P A R T I ASA Deployment with ASDM ASA Appliance Mode Deployment with ASDM on page 165 ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager on page 185 ...

Page 166: ......

Page 167: ... Appliance mode to use Platform mode see ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager on page 185 This chapter does not cover the following deployments for which you should refer to the ASA configuration guide Failover CLI configuration This chapter also walks you through configuring a basic security policy if you have more advanced requirements refer to the configuration g...

Page 168: ...ooting purposes Unsupported Features The following ASA features are not supported on the Firepower 2100 Integrated Routing and Bridging Redundant interfaces Clustering Clientless SSL VPN with KCD ASA REST API ASA FirePOWER module Botnet Traffic Filter The following inspections SCTP inspection maps SCTP stateful inspection using ACLs is supported Diameter GTP GPRS Migrating an ASA 5500 X Configurat...

Page 169: ...icenses Smart Licensing also affects ASDM or SSH access see below PAK License Remove any VPN or other strong encryption feature configuration even if you only configured weak encryption if you cannot connect to ASDM or register with the Smart Licensing server You can reenable these features after you obtain the Strong Encryption 3DES license The reason for this issue is that the ASA includes 3DES ...

Page 170: ...ed boot image will always run upon reload The boot system command performs an action when you enter it the system validates and unpacks the image and copies it to the boot location an internal location on disk0 managed by FXOS The new image will load when you reload the ASA boot system commands The ASA 5500 X allows up to four boot system commands to specify the booting image to use End to End Pro...

Page 171: ...uration Cable the Device on page 172 Pre Configuration Power on the Device on page 173 Pre Configuration Optional Change the IP Address on page 174 ASA CLI Log Into ASDM on page 175 ASDM Cisco Firepower 2100 Getting Started Guide 169 ASA Deployment with ASDM End to End Procedure ...

Page 172: ...nect to your ISP you can do so as part of the ASDM Startup Wizard If you cannot use the default inside IP address for ASDM access you can set the inside IP address at the ASA CLI See Optional Change the IP Address on page 174 For example you may need to change the inside IP address in the following circumstances If the outside interface tries to obtain an IP address on the 192 168 1 0 network whic...

Page 173: ...rnet 1 2 inside outside IP address from DHCP inside IP address 192 168 1 1 management IP address from DHCP Management 1 1 management DHCP server on inside interface Default routes from outside DHCP management DHCP ASDM access Management and inside hosts allowed Inside hosts are limited to the 192 168 1 0 24 network NAT Interface PAT for all traffic from inside to outside DNS servers OpenDNS server...

Page 174: ...utdown object network obj_any subnet 0 0 0 0 0 0 0 0 nat any outside dynamic interface http server enable http 0 0 0 0 0 0 0 0 management http 192 168 1 0 255 255 255 0 management dhcpd auto_config outside dhcpd address 192 168 1 20 192 168 1 254 inside dhcpd enable inside dns domain lookup outside dns server group DefaultDNS name server 208 67 222 222 outside name server 208 67 220 220 outside Ca...

Page 175: ...100 Appliance Mode Default Configuration on page 171 If you need to change the Ethernet 1 2 IP address from the default you must also cable your management computer to the console port See Optional Change the IP Address on page 174 You can later configure ASA management access from other interfaces see the ASA general operations configuration guide Step 2 Connect the outside network to the Etherne...

Page 176: ...ou cannot use the default IP address for ASDM access you can set the IP address of the inside interface at the ASA CLI This procedure restores the default configuration and also sets your chosen IP address so if you made any changes to the ASA configuration that you want to preserve do not use this procedure Note Procedure Step 1 Connect to the ASA console port and enter global configuration mode ...

Page 177: ...you can configure the ASA The ASA includes 3DES capability by default for management access only so you can connect to the Smart Software Manager and also use ASDM immediately You can also use SSH and SCP if you later configure SSH access on the ASA Other features that require strong encryption such as VPN must have Strong Encryption enabled which requires you to first register to the Smart Softwa...

Page 178: ...es Feature Licenses this guide applies to regular Smart Licensing For a more detailed overview on Cisco Licensing go to cisco com go licensingguide When you register the chassis the Smart Software Manager issues an ID certificate for communication between the firewall and the Smart Software Manager It also assigns the firewall to the appropriate virtual account Until you register with the Smart So...

Page 179: ...etermined that you are allowed to use strong encryption you can manually add a strong encryption license to your account Before you begin Have a master account on the Smart Software Manager If you do not yet have an account click the link to set up a new account The Smart Software Manager lets you create a master account for your organization Your Smart Software Manager account must qualify for th...

Page 180: ...dering Guide You do not enable this license directly in the ASA Step 2 In the Cisco Smart Software Manager request and copy a registration token for the virtual account to which you want to add this device a Click Inventory b On the General tab click New Token c On the Create Registration Token dialog box enter the following settings and then click Create Token Description Cisco Firepower 2100 Get...

Page 181: ...o the right of the token to open the Token dialog box so you can copy the token ID to your clipboard Keep this token ready for later in the procedure when you need to register the ASA Figure 53 View Token Figure 54 Copy Token Step 3 In ASDM choose Configuration Device Management Licensing Smart Licensing Step 4 Click Register Cisco Firepower 2100 Getting Started Guide 179 ASA Deployment with ASDM ...

Page 182: ...gisters with the Smart Software Manager using the pre configured outside interface and requests authorization for the configured license entitlements The Smart Software Manager also applies the Strong Encryption 3DES AES license if your account allows ASDM refreshes the page when the license status is updated You can also choose Monitoring Properties Smart License to check the license status parti...

Page 183: ... of 25 contexts on the Firepower 2110 enter 23 for the number of contexts this value is added to the default of 2 Step 8 Click Apply Step 9 Click the Save icon in the toolbar Step 10 Quit ASDM and relaunch it When you change licenses you need to relaunch ASDM to show updated screens Configure the ASA Using ASDM you can use wizards to configure basic and advanced features You can also manually conf...

Page 184: ... and enabling interfaces Static routes The DHCP server And more Step 3 Optional From the Wizards menu run other wizards Step 4 To continue configuring your ASA see the documents available for your software version at Navigating the Cisco ASA Series Documentation Cisco Firepower 2100 Getting Started Guide 182 ASA Deployment with ASDM Configure the ASA ...

Page 185: ... baud 8 data bits No parity 1 stop bit You connect to the ASA CLI There are no user credentials required for console access by default Step 2 Access privileged EXEC mode enable You are prompted to change the password the first time you enter the enable command Example ciscoasa enable Password The enable password is not set Please set it now Enter Password Repeat Password ciscoasa The enable passwo...

Page 186: ...s required To return to the ASA CLI enter exit or type Ctrl Shift 6 x Within FXOS you can view user activity using the scope security show audit logs command Example ciscoasa connect fxos admin Connecting to fxos Connected to fxos Escape character sequence is CTRL X firepower firepower exit Connection with FXOS terminated Type help or for a list of available commands ciscoasa What s Next To contin...

Page 187: ...ommands or the commands lack the full statistics You must view more detailed interface information using FXOS commands See the FXOS troubleshooting guide for more information Note Appliance mode the default Appliance mode lets you configure all settings in the ASA Only advanced troubleshooting commands are available from the FXOS CLI This chapter describes how to deploy the Firepower 2100 in your ...

Page 188: ... ASA The ASA provides advanced stateful firewall and VPN concentrator functionality in one device The Firepower 2100 is a single application appliance for the ASA You can run the ASA in either Platform mode or Appliance mode the default The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System FXOS When in Platform mode you must configure basic operati...

Page 189: ...ction accesses the FXOS CLI You can access the ASA CLI using the connect asa command You can also allow FXOS management from ASA data interfaces configure SSH HTTPS and SNMP access This feature is useful for remote management Unsupported Features Unsupported ASA Features The following ASA features are not supported on the Firepower 2100 Integrated Routing and Bridging Redundant interfaces Clusteri...

Page 190: ... Note External AAA Authentication for FXOS Note that when you connect to the ASA console from FXOS connect asa then ASA AAA configuration for console access applies aaa authentication serial console End to End Procedure See the following tasks to deploy and configure the ASA on your chassis Cisco Firepower 2100 Getting Started Guide 188 ASA Deployment with ASDM End to End Procedure ...

Page 191: ...Cisco Firepower 2100 Getting Started Guide 189 ASA Deployment with ASDM End to End Procedure ...

Page 192: ...icenses Cisco Commerce Workspace Configure Licensing on page 206 Generate a license token for the chassis Smart Software Manager Configure Licensing on page 206 Configure feature licenses ASDM Configure the ASA on page 211 ASDM Optional Configure Management Access for FXOS on Data Interfaces on page 213 Enable FXOS remote management allow FXOS to initiate management connections from an ASA interfa...

Page 193: ...ss in the following circumstances If the outside interface tries to obtain an IP address on the 192 168 1 0 network which is a common default network the DHCP lease will fail and the outside interface will not obtain an IP address This problem occurs because the ASA cannot have two interfaces on the same network In this case you must change the inside IP address to be on a new network If you add t...

Page 194: ...s can initiate management traffic on the ASA outside interface DNS servers OpenDNS servers are pre configured The configuration consists of the following commands interface Management1 1 management only nameif management security level 100 ip address 192 168 45 1 255 255 255 0 no shutdown interface Ethernet1 1 nameif outside security level 0 ip address dhcp setroute no shutdown interface Ethernet1...

Page 195: ...Default Username admin with the default password Admin123 DHCP server Client IP address range 192 168 45 10 192 168 45 12 NTP server Cisco NTP servers 0 sourcefire pool ntp org 1 sourcefire pool ntp org 2 sourcefire pool ntp org DNS Servers OpenDNS 208 67 222 222 208 67 220 220 Ethernet 1 1 and Ethernet 1 2 Enabled Cable the Device Manage the Firepower 2100 on the Management 1 1 interface You can ...

Page 196: ...ccess the ASA CLI to change from Appliance mode to Platform mode The Firepower 2100 ships with a DB 9 to RJ 45 serial cable so you will need a third party serial to USB cable to make the connection Be sure to install any necessary USB serial drivers for your operating system Step 3 Connect the outside network to the Ethernet1 1 interface labeled WAN For Smart Software Licensing the ASA needs inter...

Page 197: ...hange the mode to Platform mode and optionally how to change it back to Appliance mode When you change the mode the configuration is cleared and you need to reload the system The default configuration is applied upon reload Procedure Step 1 Connect your management computer to the console port The Firepower 2100 ships with a DB 9 to RJ 45 serial cable so you will need a third party serial to USB ca...

Page 198: ...ry reload After you set the mode you need to save the configuration and reload the device Prior to reloading you can set the mode back to the original value without any disruption Example ciscoasa config no fxos mode appliance Mode set to platform mode WARNING This command will take effect after the running config is saved and the system has been rebooted Command accepted ciscoasa config write mem...

Page 199: ... which sends FXOS traffic over the backplane to be routed through the ASA data interfaces If you want to route traffic to a router on the Management 1 1 network instead then you can change the gateway IP address You must also change the access list for management connections to match your new network If you change the gateway from the default 0 0 0 0 the ASA data interfaces then you will not be ab...

Page 200: ...ddress and optionally the gateway a Set the scope for fabric interconnect a scope fabric interconnect a Example firepower 2110 scope fabric interconnect a firepower 2110 fabric interconnect b View the current management IP address show Example firepower 2110 fabric interconnect show Fabric Interconnect ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability A 19...

Page 201: ...terface IPv6 Address Prefix IPv6 Gateway c Configure a new management IPv6 address and gateway Firepower chassis fabric interconnect ipv6 config set out of band static ipv6 ipv6_address ipv6 prefix prefix_length ipv6 gw gateway_address To keep the currently set gateway omit the ipv6 gw keyword Similarly to keep the existing management IP address while changing the gateway omit the ipv6 and ipv6 pr...

Page 202: ... 4 0 24 https firepower 2110 system services ip block exit firepower 2110 system services enter ip block 192 168 4 0 24 ssh firepower 2110 system services ip block exit firepower 2110 system services enter ip block 192 168 4 0 24 snmp firepower 2110 system services ip block exit firepower 2110 system services enter ipv6 block 2001 DB8 64 https firepower 2110 system services ip block exit firepower...

Page 203: ...uffer Step 8 Change the ASA address to be on the correct network The default ASA Management 1 1 interface IP address is 192 168 45 1 a From the console connect to the ASA CLI and access global configuration mode connect asa enable configure terminal In ASA version 9 12 1 and later you are prompted to set an enable password In previous versions the default enable password is blank Example firepower...

Page 204: ...P Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability A 192 168 2 112 192 168 2 1 255 255 255 0 2001 DB8 2 2001 DB8 1 64 Operable firepower 2110 fabric interconnect set out of band static ip 192 168 2 111 netmask 255 255 255 0 gw 192 168 2 1 Warning When committed this change may disconnect the current CLI session firepower 2110 fabric interconnect commit buffer firep...

Page 205: ... password Optional EnableAdditionalInterfacesintheFirepowerChassis Manager By default the Management 1 1 Ethernet 1 1 and Ethernet 1 2 interfaces are physically enabled for the chassis and logically enabled in the ASA configuration To use any additional interfaces you must enable it for the chassis using this procedure and then later enable it in the ASA configuration You can also add EtherChannel...

Page 206: ...etting the connecting switch ports to Active mode for the best compatibility To change the management IP address from the default see Optional Change the FXOS and ASA Management IP Addresses or Gateway on page 197 Procedure Step 1 In Firepower Chassis Manager click Interfaces The All Interfaces page shows a visual representation of the currently installed interfaces at the top of the page and prov...

Page 207: ... choose the duplex for all member interfaces g In the Available Interface list select the interface you want to add and click Add Interface You can add up to 16 interfaces of the same type and speed The first interface added to the channel group determines the correct type and speed You can add multiple interfaces at one time To select multiple individual interfaces click on the desired interfaces...

Page 208: ...rding to the option you chose The Cisco ASDM IDM Launcher appears Step 4 Leave the username empty enter the enable password that you set when you deployed the ASA and click OK The main ASDM window appears Configure Licensing The ASA uses Smart Licensing You can use regular Smart Licensing which requires internet access or for offline management you can configure Permanent License Reservation or a ...

Page 209: ...sis so no additional action is required If your Smart Account is not authorized for strong encryption but Cisco has determined that you are allowed to use strong encryption you can manually add a strong encryption license to your account Unlike the Firepower 4100 9300 chassis you perform all licensing configuration on the ASA and not in the FXOS configuration Note Before you begin Have a master ac...

Page 210: ... AES license L FPR2K ENC K9 Only required if your account is not authorized for strong encryption Anyconnect See the Cisco AnyConnect Ordering Guide You do not enable this license directly in the ASA Step 2 In the Cisco Smart Software Manager request and copy a registration token for the virtual account to which you want to add this device a Click Inventory b On the General tab click New Token c O...

Page 211: ...icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard Keep this token ready for later in the procedure when you need to register the ASA Figure 57 View Token Figure 58 Copy Token Step 3 In ASDM choose Configuration Device Management Licensing Smart Licensing Step 4 Click Register Cisco Firepower 2100 Getting Started Guide 209 ASA Deployment with...

Page 212: ...gisters with the Smart Software Manager using the pre configured outside interface and requests authorization for the configured license entitlements The Smart Software Manager also applies the Strong Encryption 3DES AES license if your account allows ASDM refreshes the page when the license status is updated You can also choose Monitoring Properties Smart License to check the license status parti...

Page 213: ... of 25 contexts on the Firepower 2110 enter 23 for the number of contexts this value is added to the default of 2 Step 8 Click Apply Step 9 Click the Save icon in the toolbar Step 10 Quit ASDM and relaunch it When you change licenses you need to relaunch ASDM to show updated screens Configure the ASA Using ASDM you can use wizards to configure basic and advanced features You can also manually conf...

Page 214: ... and enabling interfaces Static routes The DHCP server And more Step 3 Optional From the Wizards menu run other wizards Step 4 To continue configuring your ASA see the documents available for your software version at Navigating the Cisco ASA Series Documentation Cisco Firepower 2100 Getting Started Guide 212 ASA Deployment with ASDM Configure the ASA ...

Page 215: ...management application you must log in using an FXOS username ASA usernames only apply for ASA management access You can also enable FXOS management traffic initiation on ASA data interfaces which is required for SNMP traps or NTP and DNS server access for example By default FXOS management traffic initiation is enabled for the ASA outside interface for DNS and NTP server communication required fo...

Page 216: ...k by default You need to allow any addresses that you specified in the FXOS Remote Management configuration on the ASA Access the ASA and FXOS CLI This section describes how to connect to the FXOS and ASA console and how to connect to FXOS using SSH Connect to the Console Port to Access FXOS and ASA CLI The Firepower 2100 console port connects you to the FXOS CLI From the FXOS CLI you can then con...

Page 217: ...connect using SSH to the ASA you must first configure SSH access according to the ASA general operations configuration guide You can connect to the ASA CLI from FXOS and vice versa FXOS allows up to 8 SSH connections Before you begin To change the management IP address see Optional Change the FXOS and ASA Management IP Addresses or Gateway on page 197 Procedure Step 1 On the management computer co...

Page 218: ...mmand session Press any key to continue Connection with fxos terminated Type help or for a list of available commands ciscoasa What s Next To continue configuring your ASA see the documents available for your software version at Navigating the Cisco ASA Series Documentation To configure FXOS chassis settings see the FXOS configuration guide For troubleshooting see the FXOS troubleshooting guide Hi...

Page 219: ... the admin password when you first log in to Firepower Chassis Manager Formerly the default password was Admin123 9 13 1 Prompt to set admin password Cisco Firepower 2100 Getting Started Guide 217 ASA Deployment with ASDM History for the Firepower 2100 in Platform Mode ...

Page 220: ...Cisco Firepower 2100 Getting Started Guide 218 ASA Deployment with ASDM History for the Firepower 2100 in Platform Mode ...

Page 221: ... 2021 Cisco Systems Inc All rights reserved ...

Page 222: ......

Reviews:

No comments

Brands by name

Popular brands

Load more brands