hit counter script
Cisco Firepower 1100 Started Manual

Cisco Firepower 1100 Started Manual

Hide thumbs Also See for Firepower 1100:
Table of Contents

Advertisement

Cisco Firepower 1100 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2021-05-26
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Advertisement

Table of Contents
loading

Summary of Contents for Cisco Firepower 1100

  • Page 1 Cisco Firepower 1100 Getting Started Guide First Published: 2019-06-13 Last Modified: 2021-05-26 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 3 You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.
  • Page 4 To get started with FMC on the Management network, see Firepower Threat Defense Deployment with FMC, on page To get started with FMC on a remote network, see Firepower Threat Defense Deployment with a Remote FMC, on page 117. Cisco Firepower 1100 Getting Started Guide...
  • Page 5 CLI or ASDM. CSM does not support managing FTDs. CSM is not covered in this guide. For more information, see the CSM user guide. Cisco Firepower 1100 Getting Started Guide...
  • Page 6 The ASA REST API lets you automate ASA configuration. However, the API does not include all ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the REST API guide. Cisco Firepower 1100 Getting Started Guide...
  • Page 7 Device. The Firepower 1100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 8 Cable the Device, on page (Branch Office Employee) Branch Office Tasks Power On the Device, on page (Branch Office Employee) Cisco Defense Log Into CDO with Cisco Secure Sign-On, on page Orchestrator (CDO Admin) Cisco Firepower 1100 Getting Started Guide...
  • Page 9 Note This procedure assumes you are working with a new firewall running FTD Version 6.7 or later. Procedure Step 1 Unpack the chassis and chassis components. Cisco Firepower 1100 Getting Started Guide...
  • Page 10 Communicate with the CDO administrator to develop an onboarding timeline. Cable the Device This topic describes the how to connect the Firepower 1100 to your network so that it can be managed remotely by a CDO administrator. • If you received a Firepower firewall at your branch office and your job is to plug it in to your network, watch this video.
  • Page 11 Turn the power on using the standard rocker-type power on/off switch located on the rear of the chassis, adjacent to the power cord. Step 3 Check the Power LED on the back of the device; if it is solid green, the device is powered on. Cisco Firepower 1100 Getting Started Guide...
  • Page 12 If there is a problem, the Status LED flashes amber and green, and the device did not reach the Cisco Cloud. If this happens, make sure that your network cable is connected to the Ethernet 1/1 interface and to your WAN modem.
  • Page 13 The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 14 Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning Create a New Cisco Secure Sign-On Account Figure 2: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register. Figure 3: Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
  • Page 15 Choose a security image. d) Click Create My Account. You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 16 Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). • To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using Duo; see Create a New Cisco Secure Sign-On Account, on page •...
  • Page 17 Before you begin Low-touch provisioning (LTP) is a feature that allows a new factory-shipped Firepower 1100 series device to be provisioned and configured automatically, eliminating many of the manual tasks involved with onboarding the device to CDO.
  • Page 18 You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 19 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 20 • Expire After—Cisco recommends 30 days. • Allow export-controlled functionaility on the products registered with this token—Enables the export-compliance flag if you are in a country that allows for strong encryption. The token is added to your inventory. Cisco Firepower 1100 Getting Started Guide...
  • Page 21 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired. Cisco Firepower 1100 Getting Started Guide...
  • Page 22 Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 23 After onboarding the firewall to CDO, you can manage the firewall with CDO. To manage the FTD with CDO: 1. Browse to https://sign-on.security.cisco.com. 2. Log in as the user you created in Create a New Cisco Secure Sign-On Account, on page 3. Review Managing FTD with Cisco Defense Orchestrator for links to common management tasks.
  • Page 24 Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning Manage the Device with CDO Cisco Firepower 1100 Getting Started Guide...
  • Page 25 Device. The Firepower 1100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 26 Access the FTD and FXOS CLI, on page 57 • Power Off the Firewall Using FDM, on page 59 • What's Next, on page 59 End-to-End Procedure See the following tasks to deploy FTD with CDO on your chassis. Cisco Firepower 1100 Getting Started Guide...
  • Page 27 Firepower Threat Defense Deployment with CDO End-to-End Procedure Pre-Configuration Review the Network Deployment and Default Configuration, on page Pre-Configuration Cable the Device, on page Cisco Firepower 1100 Getting Started Guide...
  • Page 28 Firepower Threat Defense Deployment with CDO How Cisco Defense Orchestrator Works with Firepower Threat Defense Pre-Configuration Power on the Device, on page FTD CLI (Optional) Change Management Network Settings at the CLI, on page Firepower Device Log Into FDM, on page...
  • Page 29 FTD performs all routing and NAT for your inside networks. If you need to configure PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in FDM. Cisco Firepower 1100 Getting Started Guide...
  • Page 30 Figure 9: Suggested Network Deployment Cloud SDC Note For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. On-Premises SDC Network, Credentials Onboarding Cisco Firepower 1100 Getting Started Guide...
  • Page 31 IP address to be on a new network. • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network. Cisco Firepower 1100 Getting Started Guide...
  • Page 32 • outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration • inside→outside traffic flow • management—Management 1/1 (management) • (6.6 and later) IP address from DHCP • (6.5 and earlier) IP address 192.168.45.45 Cisco Firepower 1100 Getting Started Guide...
  • Page 33 • DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
  • Page 34 For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 1100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside.
  • Page 35 Check the Power LED on the back of the device; if it is solid green, the device is powered on. Step 4 Check the Status LED on the back of the device; after it is solid green, the system has passed power-on diagnostics. Cisco Firepower 1100 Getting Started Guide...
  • Page 36 Successful login attempts for user 'admin' : 1 [...] Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 2 Connect to the FTD CLI. connect ftd Cisco Firepower 1100 Getting Started Guide...
  • Page 37 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 38 • An outside (Ethernet1/1) and an inside interface (Ethernet1/2). • Security zones for the inside and outside interfaces. Cisco Firepower 1100 Getting Started Guide...
  • Page 39 NTP Time Server—Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups. Step 4 Select Start 90 day evaluation period without registration. Cisco Firepower 1100 Getting Started Guide...
  • Page 40 The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 41 Create a New Cisco Secure Sign-On Account Procedure Step 1 Sign Up for a New Cisco Secure Sign-On Account. a) Browse to https://sign-on.security.cisco.com. b) At the bottom of the Sign In screen, click Sign up. Figure 11: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register.
  • Page 42 Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company. d) After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
  • Page 43 Firepower Threat Defense Deployment with CDO Log Into CDO with Cisco Secure Sign-On You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 44 CDO using this method. Note If you have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you cannot see your device’s events in SecureX or benefit from other SecureX features.
  • Page 45 • Your device can use either a 90-day evaluation license or it can be smart-licensed. You will not need to unregister licenses installed on the device from the Cisco Smart Software Manager. • Make sure DNS is configured properly on your FTD device.
  • Page 46 You can skip copying the registration key and click Next to complete the place holder entry for the device and later, register the device. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
  • Page 47 Firepower Threat Defense Deployment with CDO Onboard an FTD with a Registration Key (Version 6.4 or 6.5) j) (6.6) Refresh the Cloud Services page. If the device successfully registered with the Cisco cloud, on the Cisco Defense Orchestrator tile, click Enable.
  • Page 48 You can skip copying the registration key and click Next to complete the place holder entry for the device and later, register the device. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
  • Page 49 Under System Settings, click Cloud Services. b) Click Get Started in the Cisco Defense Orchestrator group. c) In the Region field, choose the Cisco cloud region to which your tenant is assigned: • Choose US if you log in to defenseorchestrator.com.
  • Page 50 Disabling this option does not affect any previously scheduled updates you may have configured Note through FDM. Step 6 In the Credentials area, enter the username as admin and enter the password that you set during initial setup. Then click Next. Cisco Firepower 1100 Getting Started Guide...
  • Page 51 You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 52 In the Cisco Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token. Cisco Firepower 1100 Getting Started Guide...
  • Page 53 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD. Cisco Firepower 1100 Getting Started Guide...
  • Page 54 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired. Cisco Firepower 1100 Getting Started Guide...
  • Page 55 Firepower Threat Defense Deployment with CDO Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 56 The following example shows how to create a new dmz-zone for the dmz interface. Cisco Firepower 1100 Getting Started Guide...
  • Page 57 IPv4 route is for any-ipv4 (0.0.0.0/0), whereas a default IPv6 route is for any-ipv6 (::0/0). Create routes for each IP version you use. If you use DHCP to obtain an address for the outside interface, you might already have the default routes that you need. Cisco Firepower 1100 Getting Started Guide...
  • Page 58 • Identity—If you want to correlate network activity to individual users, or control network access based on user or user group membership, use the identity policy to determine the user associated with a given source IP address. Cisco Firepower 1100 Getting Started Guide...
  • Page 59 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 60 Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 61 After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary. What's Next To continue configuring your FTD using CDO, see the CDO Configuration Guides. For additional information related to using CDO, see the Cisco Defense Orchestrator home page. Cisco Firepower 1100 Getting Started Guide...
  • Page 62 Firepower Threat Defense Deployment with CDO What's Next Cisco Firepower 1100 Getting Started Guide...
  • Page 63 Device. The Firepower 1100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 64 See the following tasks to deploy FTD with FDM on your chassis. Pre-Configuration Review the Network Deployment and Default Configuration, on page Pre-Configuration Cable the Device, on page Pre-Configuration Power on the Device, on page Cisco Firepower 1100 Getting Started Guide...
  • Page 65 • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network. The following figure shows the default network deployment for FTD using FDM with the default configuration. Cisco Firepower 1100 Getting Started Guide...
  • Page 66 • outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration • inside→outside traffic flow • management—Management 1/1 (management) • (6.6 and later) IP address from DHCP • (6.5 and earlier) IP address 192.168.45.45 Cisco Firepower 1100 Getting Started Guide...
  • Page 67 • DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
  • Page 68 For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 1100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside.
  • Page 69 If you cannot use the default management IP address, then you can connect to the console port and perform initial setup at the CLI, including setting the Management IP address, gateway, and other basic networking Cisco Firepower 1100 Getting Started Guide...
  • Page 70 The first time you log in to FTD, you are prompted to accept the End User License Agreement (EULA). You are then presented with the CLI setup script. Defaults or previously-entered values appear in brackets. To accept previously entered values, press Enter. See the following guidelines: Cisco Firepower 1100 Getting Started Guide...
  • Page 71 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 72 (Optional) Change Management Network Settings at the CLI, on page 67 procedure, then some of these tasks, specifically changing the admin password and configuring the outside and management interfaces, should have already been completed. Cisco Firepower 1100 Getting Started Guide...
  • Page 73 If you plan to onboard the device to CDO, we recommend using the evaluation license until you onboard the device. Any additional licenses you register with the Smart Software Manager will have to be unregistered before you can onboard to CDO, and then registered again. Cisco Firepower 1100 Getting Started Guide...
  • Page 74 You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 75 In the Cisco Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token. Cisco Firepower 1100 Getting Started Guide...
  • Page 76 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD. Cisco Firepower 1100 Getting Started Guide...
  • Page 77 In FDM, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token: Cisco Firepower 1100 Getting Started Guide...
  • Page 78 You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired. Cisco Firepower 1100 Getting Started Guide...
  • Page 79 Firepower Threat Defense Deployment with FDM Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 80 You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces. The following example shows how to create a new dmz-zone for the dmz interface. Cisco Firepower 1100 Getting Started Guide...
  • Page 81 The routes you define on this page are for the data interfaces only. They do not impact the Note management interface. Set the management gateway on Device > System Settings > Management Interface. Cisco Firepower 1100 Getting Started Guide...
  • Page 82 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 83 Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes. Cisco Firepower 1100 Getting Started Guide...
  • Page 84 Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 85 Access the FTD and FXOS CLI, on page Procedure Step 1 In the FXOS CLI, connect to local-mgmt: firepower # connect local-mgmt Step 2 Issue the shutdown command: firepower(local-mgmt) # shutdown Example: Cisco Firepower 1100 Getting Started Guide...
  • Page 86 To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FDM, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager. Cisco Firepower 1100 Getting Started Guide...
  • Page 87 Device. The Firepower 1100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 88 What's Next?, on page 115 Before You Start Deploy and perform initial configuration of the FMC. See the FMC getting started guide. End-to-End Procedure See the following tasks to deploy the FTD with FMC on your chassis. Cisco Firepower 1100 Getting Started Guide...
  • Page 89 Review the Network Deployment, on page Pre-Configuration Cable the Device, on page Pre-Configuration Power on the Device, on page FTD CLI Complete the FTD Initial Configuration, on page Firepower Log Into the Firepower Management Center, on page Management Center Cisco Firepower 1100 Getting Started Guide...
  • Page 90 Both the FMC and FTD require internet access from management for licensing and updates. The following figure shows a possible network deployment for the Firepower 1100 where the FMC and management computer connect to the management network. The management network has a path to the internet for licensing and updates.
  • Page 91 FMC and FTD managamement. In the following diagram, the Firepower 1100 acts as the internet gateway for the management interface and the FMC by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the FMC and management computer to the switch.
  • Page 92 Figure 36: Edge Network Deployment Cable the Device To cable one of the recommended scenarios on the Firepower 1100, see the following steps. Note Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
  • Page 93 Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 2 Cable for an edge deployment: Cisco Firepower 1100 Getting Started Guide...
  • Page 94 (UPS)). Loss of power without first shutting down can cause serious file system damage. There are many processes running in the background all the time, and losing power does not allow the graceful shutdown of your system. Cisco Firepower 1100 Getting Started Guide...
  • Page 95 If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example: Cisco Firepower 1100 Getting Started Guide...
  • Page 96 • Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Example: You must accept the EULA to continue. Press <ENTER> to display the EULA: Cisco Firepower 1100 Getting Started Guide...
  • Page 97 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 98 For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes). Procedure Step 1 Using a supported browser, enter the following URL. https://fmc_ip_address Step 2 Enter your username and password. Cisco Firepower 1100 Getting Started Guide...
  • Page 99 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 100 • FTD management IP address or hostname, and NAT ID, if configured • FMC registration key Procedure Step 1 In FMC, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device, and enter the following parameters. Cisco Firepower 1100 Getting Started Guide...
  • Page 101 • Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page 109. Cisco Firepower 1100 Getting Started Guide...
  • Page 102 This section describes how to configure a basic security policy with the following settings: • Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface. • DHCP server—Use a DHCP server on the inside interface for clients. Cisco Firepower 1100 Getting Started Guide...
  • Page 103 The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Click Interfaces. Cisco Firepower 1100 Getting Started Guide...
  • Page 104 Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most Cisco Firepower 1100 Getting Started Guide...
  • Page 105 You should not alter any of these basic settings because doing so will disrupt the FMC management connection. You can still configure the Security Zone on this screen for through traffic policies. Cisco Firepower 1100 Getting Started Guide...
  • Page 106 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options: Cisco Firepower 1100 Getting Started Guide...
  • Page 107 IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route, click Add Route, and set the following: Cisco Firepower 1100 Getting Started Guide...
  • Page 108 • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table. Cisco Firepower 1100 Getting Started Guide...
  • Page 109 The policy is added the FMC. You still have to add rules to the policy. Step 3 Click Add Rule. The Add NAT Rule dialog box appears. Step 4 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule. Cisco Firepower 1100 Getting Started Guide...
  • Page 110 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0). Cisco Firepower 1100 Getting Started Guide...
  • Page 111 Step 1 Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the FTD. Step 2 Click Add Rule, and set the following parameters: Cisco Firepower 1100 Getting Started Guide...
  • Page 112 SSH access according to this section. You can only SSH to a reachable interface; if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface. Cisco Firepower 1100 Getting Started Guide...
  • Page 113 Click OK. Step 4 Click Save. You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them. Cisco Firepower 1100 Getting Started Guide...
  • Page 114 Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes. Cisco Firepower 1100 Getting Started Guide...
  • Page 115 Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 116 You can use the FXOS CLI to safely shut down the system and power off the device. You access the CLI by connecting to the console port; see Access the FTD and FXOS CLI, on page 112. Procedure Step 1 In the FXOS CLI, connect to local-mgmt: firepower # connect local-mgmt Cisco Firepower 1100 Getting Started Guide...
  • Page 117 What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide. Cisco Firepower 1100 Getting Started Guide...
  • Page 118 Firepower Threat Defense Deployment with FMC What's Next? Cisco Firepower 1100 Getting Started Guide...
  • Page 119 Device. The Firepower 1100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 120 • SSH is not enabled by default for data interfaces, so you will have to enable SSH later using FMC. Because the Management interface gateway will be changed to be the data interfaces, you also cannot Cisco Firepower 1100 Getting Started Guide...
  • Page 121 IP address for initial setup. You can also optionally configure Dynamic DNS (DDNS) for the outside interface to accommodate changing DHCP IP assignments. Figure 40: Before You Start Deploy and perform initial configuration of the FMC. See the FMC getting started guide. Cisco Firepower 1100 Getting Started Guide...
  • Page 122 Figure 41: End-to-End Procedure: Manual Provisioning FTD CLI Central Administrator Pre-Configuration Using the CLI, on page 121. Physical Setup Branch administrator: Cable the Device, on page 126. Physical Setup Branch administrator: Power on the Device, on page 127 Cisco Firepower 1100 Getting Started Guide...
  • Page 123 If the password was already changed, and you do not know it, then you must reimage the device to Note reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example: firepower login: admin Password: Admin123 Successful login attempts for user 'admin' : 1 Cisco Firepower 1100 Getting Started Guide...
  • Page 124 • Manage the device locally?—Enter no to use FMC. A yes answer means you will use Firepower Device Manager instead. • Configure firewall mode?—Enter routed. Outside FMC access is only supported in routed firewall mode. Example: Cisco Firepower 1100 Getting Started Guide...
  • Page 125 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 126 • If you configure a DDNS server update URL, the FTD automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the FTD can validate the DDNS server certificate for the HTTPS connection. The FTD supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 127 The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the FMC. Example: > configure manager add fmc-1.example.com regk3y78 natid56 Manager successfully configured. Cisco Firepower 1100 Getting Started Guide...
  • Page 128 The central administrator can then complete the configuration. Cable the Device The FMC and your management computer reside at a remote headquarters, and can reach the FTD over the internet. To cable the Firepower 1100, see the following steps. Figure 42: Cabling a Remote Management Deployment Procedure Step 1 Connect the outside interface (Ethernet 1/1) to your outside router.
  • Page 129 When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually power off. During this time, the Power LED on the front of the chassis blinks green. Do not remove the power until the Power LED is completely off. Cisco Firepower 1100 Getting Started Guide...
  • Page 130 The Smart Software Manager lets you create a master account for your organization. • Your Cisco Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to use some features (enabled using the export-compliance flag). Cisco Firepower 1100 Getting Started Guide...
  • Page 131 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 132 • FTD management IP address or hostname, and NAT ID • FMC registration key Procedure Step 1 In FMC, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device. Set the following parameters: Cisco Firepower 1100 Getting Started Guide...
  • Page 133 Click Register, and confirm a successful registration. If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the FTD fails to register, check the following items: Cisco Firepower 1100 Getting Started Guide...
  • Page 134 Add the Default Route, on page 105. Configure NAT, on page 107. Allow Traffic from Inside to Outside, on page 109. Configure SSH on the FMC Access Data Interface, on page 110. Deploy the Configuration, on page 112. Cisco Firepower 1100 Getting Started Guide...
  • Page 135 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Click Interfaces. Step 3 Click the Edit ( ) for the interface that you want to use for inside. The General tab appears. Cisco Firepower 1100 Getting Started Guide...
  • Page 136 QoS policies. e) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24 Cisco Firepower 1100 Getting Started Guide...
  • Page 137 • Obtain default route using DHCP—Obtains the default route from the DHCP server. • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1. Cisco Firepower 1100 Getting Started Guide...
  • Page 138 The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself. • Enable DHCP Server—Enable the DHCP server on the selected interface. Step 4 Click OK. Step 5 Click Save. Cisco Firepower 1100 Getting Started Guide...
  • Page 139 • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table. Cisco Firepower 1100 Getting Started Guide...
  • Page 140 Name the policy, select the device(s) that you want to use the policy, and click Save. The policy is added the FMC. You still have to add rules to the policy. Step 3 Click Add Rule. Cisco Firepower 1100 Getting Started Guide...
  • Page 141 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0). Cisco Firepower 1100 Getting Started Guide...
  • Page 142 Step 1 Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the FTD. Step 2 Click Add Rule, and set the following parameters: Cisco Firepower 1100 Getting Started Guide...
  • Page 143 The Management interface is separate from the other interfaces on the device. It is used to set up and register the device to the Firepower Management Center. SSH for data interfaces shares the internal and external user list with SSH for the Management interface. Other settings are configured separately: for data interfaces, Cisco Firepower 1100 Getting Started Guide...
  • Page 144 • Security Zones—Add the zones that contain the interfaces to which you will allow SSH connections. For interfaces not in a zone, you can type the interface name into the field below the Selected Security Cisco Firepower 1100 Getting Started Guide...
  • Page 145 Select the device in the Deploy Policies dialog box, then click Deploy. Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. Cisco Firepower 1100 Getting Started Guide...
  • Page 146 Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 147 '10.10.17.222' Registration: Completed. IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC Cisco Firepower 1100 Getting Started Guide...
  • Page 148 Check that the FTD registered with the FMC At the FTD CLI, check that the FMC registration was completed. Note that this command will not show the current status of the management connection. show managers > show managers Cisco Firepower 1100 Getting Started Guide...
  • Page 149 1 minute drop rate, 0 pkts/sec 5 minute input rate 0 pkts/sec, 0 bytes/sec 5 minute output rate 0 pkts/sec, 0 bytes/sec 5 minute drop rate, 0 pkts/sec Control Point Interface States: Interface number is 14 Cisco Firepower 1100 Getting Started Guide...
  • Page 150 See the following commands to check that all other settings are present. You can also see many of these commands on the FMC's Devices > Device Management > Device > Management > FMC Access Details > CLI Output page. show running-config sftunnel > show running-config sftunnel sftunnel interface outside sftunnel port 8305 Cisco Firepower 1100 Getting Started Guide...
  • Page 151 If you use a data interface on the FTD for FMC management, and you deploy a configuration change from the FMC that affects the network connectivity, you can roll back the configuration on the FTD to the Cisco Firepower 1100 Getting Started Guide...
  • Page 152 Do you want to continue [Y/N]? Rolling back complete configuration on the FTD. This will take time...... Policy rollback was successful on the FTD. Configuration has been reverted back to transaction id: Following is the rollback summary: ....Cisco Firepower 1100 Getting Started Guide...
  • Page 153 What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide. Cisco Firepower 1100 Getting Started Guide...
  • Page 154 Firepower Threat Defense Deployment with a Remote FMC What's Next? Cisco Firepower 1100 Getting Started Guide...
  • Page 155 ASA Deployment with ASDM Is This Chapter for You? This chapter describes how to set up the Firepower 1100 for use with the ASA. This chapter does not cover the following deployments, for which you should refer to the ASA configuration guide: •...
  • Page 156 • GTP/GPRS Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 1100. However, you will need to modify your configuration. Also note some behavioral differences between the platforms. 1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
  • Page 157 Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. boot system commands The Firepower 1100 only allows a single boot system command, so you should remove all but one command before you paste. You The ASA 5500-X allows up to four boot system commands to actually do not need to have any boot system commands present specify the booting image to use.
  • Page 158 See the following tasks to deploy and configure the ASA on your chassis. Pre-Configuration Review the Network Deployment and Default Configuration, on page 157. Pre-Configuration Cable the Device, on page 159. Pre-Configuration Power on the Device, on page 160. Cisco Firepower 1100 Getting Started Guide...
  • Page 159 168. Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 1100 using the default configuration. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
  • Page 160 ASA Deployment with ASDM Firepower 1100 Default Configuration Firepower 1100 Default Configuration The default factory configuration for the Firepower 1100 configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) • outside IP address from DHCP, inside IP address—192.168.1.1 •...
  • Page 161 DefaultDNS name-server 208.67.222.222 outside name-server 208.67.220.220 outside Cable the Device Manage the Firepower 1100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. Procedure Step 1 Connect your management computer to either of the following interfaces:...
  • Page 162 (192.168.1.1) and also runs a DHCP server to provide IP addresses to clients (including the management computer), so make sure these settings do not conflict with any existing inside network settings (see Firepower 1100 Default Configuration, on page 158). If you need to change the Ethernet 1/2 IP address from the default, you must also cable your management computer to the console port.
  • Page 163 Executing command: exit Executing command: http server enable Executing command: http 10.1.1.0 255.255.255.0 management Executing command: dhcpd address 10.1.1.152-10.1.1.254 management Executing command: dhcpd enable management Executing command: logging asdm informational Factory-default configuration is completed ciscoasa(config)# Cisco Firepower 1100 Getting Started Guide...
  • Page 164 HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 165 The main ASDM window appears. Configure Licensing The ASA uses Cisco Smart Software Licensing. You can use regular Smart Software Licensing, which requires internet access; or for offline management, you can configure Permanent License Reservation or a Satellite server. For more information about these offline licensing methods, see Cisco ASA Series Feature Licenses;...
  • Page 166 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 167 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA. Cisco Firepower 1100 Getting Started Guide...
  • Page 168 Figure 46: View Token Figure 47: Copy Token Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing. Step 4 Click Register. Step 5 Enter the registration token in the ID Token field. Cisco Firepower 1100 Getting Started Guide...
  • Page 169 (Optional) The Enable strong-encryption protocol is generally not required; for example, ASAs that use older Satellite Server versions (pre-2.3.0) require this license, but you can check this box if you know you need to, or if you want to track usage of this license in your account. Cisco Firepower 1100 Getting Started Guide...
  • Page 170 Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Cisco Firepower 1100 Getting Started Guide...
  • Page 171 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. Cisco Firepower 1100 Getting Started Guide...
  • Page 172 You can also access the FXOS CLI from the ASA CLI for troubleshooting purposes. Procedure Step 1 Connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). Use the following serial settings: • 9600 baud •...
  • Page 173 Type help or '?' for a list of available commands. ciscoasa# What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide. Cisco Firepower 1100 Getting Started Guide...
  • Page 174 ASA Deployment with ASDM What's Next? Cisco Firepower 1100 Getting Started Guide...
  • Page 175 © 2021 Cisco Systems, Inc. All rights reserved.

Table of Contents

Save PDF