Cisco Firepower 1010 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2023-01-23
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883...
You may want to use the ASA if you do not need the advanced capabilities of the threat defense, or if you need an ASA-only feature that is not yet available on the threat defense. Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense.
CDO to manage the same firewall. The management center is not compatible with other managers. To get started with the device manager, see Threat Defense Deployment with the Device Manager, on page
You cannot use this API if you are managing the threat defense using the management center. The threat defense REST API is not covered in this guide. For more information, see Cisco Secure Firewall Threat Defense REST API Guide.
Secure Firewall Management Center REST
The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses.
The ASA REST API lets you automate ASA configuration. However, the API does not include all ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the Cisco ASA REST API Quick Start Guide.
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
Center 1600, 2600, and 4600 Hardware Installation Guide
Cisco Secure Firewall Management Center Virtual Getting Started Guide.
End-to-End Procedure
See the following tasks to deploy the threat defense with management center on your chassis.
Cable the Device (6.5 and Later), on page 10
Cable the Device (6.4), on page
Pre-Configuration Power On the Firewall, on page
(Optional) Check the Software and Install a New Version, on page 13
Management 1/1 directly to an inside switch port, and by connecting the management center and management computer to other inside switch ports. (This direct connection is allowed because the Management interface is separate from the other interfaces on the threat defense.)
Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the management center and management computer to the switch. (This direct connection is allowed because the Management interface is separate from the other interfaces on the threat defense.)
Ethernet1/1 as the outside interface and the remaining interfaces as switch ports on the inside network.
Note: Other topologies can be used, and your deployment will vary depending on your requirements. For example, you can convert the switch ports to firewall interfaces.
Connect the management computer to the console port. You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface or use the device manager for initial setup.
Step 5 Connect Ethernet 1/1 to your outside router.
Connect the management computer to the console port. You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface.
Step 4 Connect the outside interface (for example, Ethernet 1/1) to your outside router.
Alternatively, you can perform an upgrade after you are up and running, but upgrading, which preserves your configuration, may take longer than using this procedure.
What Version Should I Run?
(Optional) Check the Software and Install a New Version
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/...
Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.
If you want to configure a static IP address, be sure to also set the default gateway to be a unique gateway instead of the data interfaces. If you use DHCP, you do not need to configure anything.
Other device manager configuration will not be retained when you register the device to the management center.
Step 5 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.
Step 6 Configure the Management Center/CDO Details.
For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.
Note: If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.
You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See the Cisco Secure Firewall Threat Defense Command Reference. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
Use the management center to configure and monitor the threat defense.
Before you begin
For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes).
Procedure
Step 1 Using a supported browser, enter the following URL.
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
• The threat defense management IP address or hostname, and NAT ID
• The management center registration key
Procedure
Step 1 In the management center, choose Devices > Device Management.
Step 2 From the Add drop-down list, choose Add Device.
• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page
• Registration key, NAT ID, and the management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command.
For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.
Configure a Basic Security Policy
This section describes how to configure a basic security policy with the following settings:
• Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface.
(Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID.
d) Click OK.
Step 5 Add the inside VLAN interface.
a) Click Add Interfaces > VLAN Interface.
ID in your configuration.
g) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation.
Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New.
The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.
Procedure
Step 1 Choose Devices > Device Management, and click the Edit ( ) for the firewall.
Step 2 Click Interfaces.
Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most
You should not alter any of these basic settings because doing so will disrupt the management center management connection. You can still configure the Security Zone on this screen for through traffic policies.
Choose Devices > Device Management, and click the Edit ( ) for the device.
Step 2 Choose DHCP > DHCP Server.
Step 3 On the Server page, click Add, and configure the following options:
IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page.
Procedure
Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device.
Step 2 Choose Routing > Static Route, click Add Route, and set the following:
• Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1.
Step 3 Click OK. The route is added to the static route table.
The policy is added to the management center. You still have to add rules to the policy.
Step 3 Click Add Rule. The Add NAT Rule dialog box appears.
Step 4 Configure the basic rule options:
• NAT Rule—Choose Auto NAT Rule.
On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Step 6 On the Translation page, configure the following options:
• Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense.
Step 2 Click Add Rule, and set the following parameters:
• Name—Name this rule, for example, inside_to_outside.
Procedure
Step 1 Click Deploy in the upper right.
Figure 9: Deploy
Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices.
Figure 11: Advanced Deploy
Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
Figure 12: Deployment Status
Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1
firepower#
Step 2 Access the threat defense CLI.
connect ftd
Example:
firepower# connect ftd
>
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Secure Firewall Threat Defense Command Reference.
Step 3 To exit the threat defense CLI, enter the exit or logout command.
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide.
• High Availability is not supported. You must use the Management interface in this case.
The following figure shows the management center at central headquarters and the threat defense with the manager access on the outside interface.
Pre-Configuration Using the CLI, on page 57 (Central admin)
• Pre-Configuration Using the Device Manager, on page 53
Physical Setup Install the firewall. See the hardware installation guide. (Branch admin)
Physical Setup Cable the Firewall, on page (Branch admin)
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/ us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
57. By default, the Management interface uses DHCP. You will need to download the new image from a server accessible from the Management interface.
b) Perform the reimage procedure in the FXOS troubleshooting guide.
IP address. You can configure PPPoE after you complete the wizard.
Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.
Other device manager configuration will not be retained when you register the device to the management center.
Step 7 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.
Step 8 Configure the Management Center/CDO Details.
If you chose a different interface, then you need to manually configure a default route before you connect to the management center. See Configure
If you configure DDNS before you add the threat defense to the management center, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 4 Connect to the threat defense CLI.
connect ftd
Example:
firepower# connect ftd
>
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:...
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
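The DDNS behaviour described here and in the earlier note about the Cisco Trusted Root CA bundle can be exercised with a small client that follows the DynDNS Remote API the guide links. This is an added example, not code from the Cisco guide or Cisco's implementation: it builds the /nic/update request, refuses anything but HTTPS so the server certificate is always validated against a CA bundle (the system trust store here plays the role of the device's Trusted Root CA bundle), and maps the one-word return codes the specification defines to ok, retry or fatal. The base URL, hostname and credentials are constructed placeholders.

```python
"""DDNS update client following the DynDNS Remote API (https://help.dyn.com/remote-access-api/).

Added example, not from the Cisco guide.  The update URL, hostname and
credentials below are constructed placeholders.
"""
import base64
import ssl
import urllib.parse
import urllib.request

# Return codes from the DynDNS Remote API.  "good" and "nochg" mean the record
# is correct; "911" is a server-side problem the spec says to retry later
# (after at least 30 minutes); everything else needs operator action and must
# not be retried blindly (repeating "badauth" or "abuse" gets clients blocked).
OK_CODES = {"good", "nochg"}
RETRY_CODES = {"911"}
FATAL_CODES = {"nohost", "badauth", "notfqdn", "badagent", "abuse", "!donator"}


def build_update_url(base_url, hostname, myip=None):
    """Return the /nic/update URL for base_url; https is mandatory.

    Refusing http:// is this example's policy, so that the certificate check in
    send_update always applies.  Omitting myip lets the server use the source
    address of the connection, which is what a firewall behind a dynamic ISP
    address usually wants.
    """
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("DDNS update URL must be an https:// URL")
    params = {"hostname": hostname}
    if myip:
        params["myip"] = myip
    return f"https://{parts.netloc}/nic/update?{urllib.parse.urlencode(params)}"


def parse_response(body):
    """Map the server's reply to (code, ip, action), action in ok/retry/fatal."""
    parts = body.strip().split()
    if not parts:
        raise ValueError("empty DDNS response")
    code = parts[0]
    ip = parts[1] if len(parts) > 1 else None
    if code in OK_CODES:
        return code, ip, "ok"
    if code in RETRY_CODES:
        return code, ip, "retry"
    if code in FATAL_CODES:
        return code, ip, "fatal"
    raise ValueError(f"unknown DDNS response: {body.strip()!r}")


def send_update(base_url, hostname, username, password, myip=None, cafile=None):
    """Send one update over HTTPS with basic auth and a verified certificate.

    cafile=None verifies against the system trust store; pass a bundle path to
    pin a private CA.  create_default_context() sets CERT_REQUIRED and hostname
    checking, so a server presenting an untrusted certificate fails here rather
    than leaking the credentials to it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        build_update_url(base_url, hostname, myip),
        headers={
            "Authorization": "Basic " + creds,
            # The spec requires an identifying User-Agent with contact info.
            "User-Agent": "ddns-example/1.0 admin@example.com",
        },
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_response(resp.read().decode("ascii", "replace"))


if __name__ == "__main__":
    # Offline demonstration with constructed values; a real run needs a
    # reachable provider and valid credentials.
    print(build_update_url("https://ddns.example.net", "fw.example.com", "203.0.113.5"))
    print(parse_response("good 203.0.113.5"))
    print(parse_response("badauth"))
```

The same classification is what to look for in the debug http and debug ssl output mentioned later in this guide: a TLS failure never reaches parse_response, while a "badauth" reply means the URL's credentials, not the certificate, are the problem.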
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit).
c) After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary.
Cable your inside end points to the switch ports, Ethernet1/2 through 1/8.
Step 4 (Optional) Connect the management computer to the console port. At the branch office, the console connection is not required for everyday use; however, it may be required for troubleshooting purposes.
After the remote branch administrator cables the threat defense so it has internet access from the outside interface, you can register the threat defense to the management center and complete configuration of the device.
Log Into the Management Center
Use the management center to configure and monitor the threat defense.
Before you begin
• Gather the following information that you set in the threat defense initial configuration:
• The threat defense management IP address or hostname, and NAT ID
• The management center registration key
• Display Name—Enter the name for the threat defense as you want it to display in the management center.
• Registration Key—Enter the same registration key that you specified in the threat defense initial configuration.
• Domain—Assign the device to a leaf domain if you have a multidomain environment.
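Both Add Device procedures in this guide (the central deployment earlier and the remote-branch one here) fill in the same form: display name, the threat defense address or a NAT ID, the registration key and an initial access control policy. The following added example, which is not code from the Cisco guide, does the same through the management center REST API the guide mentions at the start, so a branch rollout can be scripted. The endpoint paths, JSON field names (hostName, regKey, natID, license_caps, accessPolicy) and the X-auth-access-token and DOMAIN_UUID response headers follow the management center REST API as Cisco documents it, but treat them as assumptions to confirm in the API Explorer of your own management center; the placeholder key, policy id and certificate path are constructed.

```python
"""Register a threat defense with the management center over its REST API.

Added example, not code from the Cisco guide.  Endpoint paths, field names
and header names are assumed from the management center REST API
documentation; the values in __main__ are constructed placeholders.
"""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICE_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords"
DEFAULT_LICENSES = ("BASE", "THREAT", "MALWARE", "URLFilter")


def build_device_record(name, reg_key, host=None, nat_id=None,
                        access_policy_id=None, licenses=DEFAULT_LICENSES):
    """Build the device record body, enforcing the form's own rules.

    Either the threat defense address (host) or a NAT ID is required: when the
    device has no reachable address (behind NAT, or a branch reached through a
    data interface) the management center identifies it by the NAT ID it
    presents.  The registration key must match the one given to
    configure manager add on the threat defense.
    """
    if not name or not reg_key:
        raise ValueError("display name and registration key are required")
    if host is None and nat_id is None:
        raise ValueError("give the threat defense address or a NAT ID")
    if not access_policy_id:
        raise ValueError("an initial access control policy is required")
    record = {
        "name": name,
        "regKey": reg_key,
        "type": "Device",
        "license_caps": list(licenses),
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
    }
    if host is not None:
        record["hostName"] = host
    if nat_id is not None:
        record["natID"] = nat_id
    return record


def tls_context(cafile):
    """Verify the management center certificate instead of disabling checks.

    The management center ships with a self-signed certificate, so export it
    (or install your own CA) and pass the PEM file as cafile.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def get_token(base_url, username, password, ctx):
    """POST to generatetoken with basic auth; return (token, domain_uuid)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + TOKEN_PATH, method="POST",
                                 headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def register_device(base_url, username, password, record, cafile):
    """Authenticate, then POST the device record; return the parsed reply."""
    ctx = tls_context(cafile)
    token, domain = get_token(base_url, username, password, ctx)
    req = urllib.request.Request(
        base_url + DEVICE_PATH.format(domain=domain),
        data=json.dumps(record).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "X-auth-access-token": token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: a branch device registered by NAT ID only,
    # exactly the case where the Host field is left empty in the GUI.
    rec = build_device_record("branch-ftd-1", reg_key="one-time-key-change-me",
                              nat_id="branch-1", access_policy_id="REPLACE-WITH-POLICY-UUID")
    print(json.dumps(rec, indent=2))
    # register_device("https://fmc.example.com", "api-user", "secret", rec, "fmc-cert.pem")
```

Keep the registration key and NAT ID out of the script itself (read them from an environment variable or a secrets store): they are the only things that bind the device to the management center during registration, and anyone who sees them before the device connects can register an impostor under that name.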
If the ping is not successful, check your network settings using the show network command. If you need to change the threat defense Management IP address, use the configure network management-data-interface command.
NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command. For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.
Configure a Basic Security Policy
This section describes how to configure a basic security policy with the following settings:
(Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID.
d) Click OK.
Step 5 Add the inside VLAN interface.
a) Click Add Interfaces > VLAN Interface. The General tab appears.
ID in your configuration.
g) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New. For example, add a zone called outside_zone.
b) Click OK.
Step 7 Click Save.
Port Address Translation (PAT).
Procedure
Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Configure the basic rule options:
• NAT Rule—Choose Auto NAT Rule.
• Type—Choose Dynamic.
Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
) to add a network object for all IPv4 traffic (0.0.0.0/0).
Note: You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects.
• Translated Source—Choose Destination Interface IP.
• Source Zones—Select the inside zone from Available Zones, and click Add to Source.
• Destination Zones—Select the outside zone from Available Zones, and click Add to Destination.
Leave the other settings as is.
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.
You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
Deploy the Configuration
Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
Figure 22: Deploy All
Figure 23: Advanced Deploy
Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
• No parity
• 1 stop bit
You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123).
Example:
>
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Secure Firewall Threat Defense Command Reference.
Step 3 To exit the threat defense CLI, enter the exit or logout command.
Netmask : 255.255.255.0
Gateway : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers :
Interfaces : GigabitEthernet1/1
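When a branch device never shows up in the management center, the troubleshooting steps above come down to reading show network and confirming which path carries manager access. The following added example (not code from the Cisco guide) parses that output into nested dictionaries and reports the default-route gateway, the Management (eth0) address and the data interface(s) listed for manager access, so the check can run from a script over the SSH session. The sample output is constructed to match the format shown above, of which the guide prints only a fragment; the hostname, addresses and MAC address in it are made up.

```python
"""Parse threat defense `show network` output and summarize manager access.

Added example, not from the Cisco guide.  SAMPLE_SHOW_NETWORK is constructed
to match the format of the fragment shown in the guide; its values are made up.
"""
import re

# A section header looks like  ======[ Name ]======  (top level) or
# ------[ Name ]------  (a subsection such as IPv4/IPv6 under an interface).
SECTION_RE = re.compile(r"^(?P<rule>[=-]+)\[\s*(?P<name>.+?)\s*\][=-]+\s*$")

SAMPLE_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname                 : ftd-1.cisco.com
DNS Servers              : 208.67.222.222
Management port          : 8305
IPv4 Default route
  Gateway                : data-interfaces
======================[ eth0 ]======================
State                    : Enabled
Link                     : Up
Channels                 : Management & Events
Mode                     : Non-Autonegotiation
MDI/MDIX                 : Auto/MDIX
MTU                      : 1500
MAC Address              : 00:11:22:33:44:55
----------------------[ IPv4 ]----------------------
Configuration            : Manual
Address                  : 10.99.10.4
Netmask                  : 255.255.255.0
Gateway                  : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration            : Disabled
===============[ Proxy Information ]================
State                    : Disabled
Authentication           : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers              :
Interfaces               : GigabitEthernet1/1
"""


def parse_show_network(text):
    """Return nested dicts: {section: {key: value, subsection: {...}}}.

    Key/value lines split on the first ':' so MAC addresses survive intact.
    A bare label such as "IPv4 Default route" collects the indented key lines
    that follow it into its own dict.  An empty value becomes ''.
    """
    result, section, sub, pending = {}, None, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            if header.group("rule").startswith("="):
                section = result.setdefault(header.group("name"), {})
                sub = None
            elif section is None:
                raise ValueError(f"subsection before any section: {line!r}")
            else:
                sub = section.setdefault(header.group("name"), {})
            pending = None
            continue
        target = sub if sub is not None else section
        if target is None:
            raise ValueError(f"data before first section header: {line!r}")
        if ":" not in line:
            pending = target.setdefault(line, {})   # bare label, e.g. IPv4 Default route
            continue
        key, _, value = line.partition(":")
        if raw[0].isspace() and pending is not None:
            pending[key.strip()] = value.strip()
        else:
            pending = None
            target[key.strip()] = value.strip()
    return result


def manager_access_summary(parsed):
    """Return (default_gateway, management_ip, data_interfaces).

    A default-route gateway of 'data-interfaces' means management traffic
    leaves through the data interface(s) listed under 'System Information -
    Data Interfaces' (the remote-branch deployment); any other gateway means
    it leaves through eth0, the dedicated Management interface.
    """
    sysinfo = parsed.get("System Information", {})
    gateway = sysinfo.get("IPv4 Default route", {}).get("Gateway")
    mgmt_ip = parsed.get("eth0", {}).get("IPv4", {}).get("Address")
    listed = parsed.get("System Information - Data Interfaces", {}).get("Interfaces", "")
    data_ifaces = [i.strip() for i in listed.split(",") if i.strip()]
    return gateway, mgmt_ip, data_ifaces


def uses_data_interface_for_manager_access(parsed):
    """True when manager access rides a data interface, i.e. the case where
    configure network management-data-interface is the command to adjust."""
    gateway, _, data_ifaces = manager_access_summary(parsed)
    return gateway == "data-interfaces" and bool(data_ifaces)


if __name__ == "__main__":
    net = parse_show_network(SAMPLE_SHOW_NETWORK)
    print(manager_access_summary(net))
    print(uses_data_interface_for_manager_access(net))
```

If the gateway is data-interfaces but the Interfaces line is empty, the device has no manager access path at all, which matches the symptom of a registration that never completes; if it is a real gateway while you expected a branch deployment, the setup script was answered for the Management interface rather than for data-interfaces.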
> show interface detail
[...]
Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up
Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside
> show nat
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (outside) source static nlp_server_0_sftunnel_intf3 interface service
DDNS: IDB SB total = 0
If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device:
show crypto ca certificates trustpoint_name
• Out-of-band SCEP certificate data that was updated during the previous deployment cannot be rolled back.
• During the rollback, connections will drop because the current configuration will be cleared.
Before you begin
Model Support—Threat Defense
Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall. You can shut down your system properly using the management center.
See the following tasks to deploy threat defense with device manager on your chassis.
Pre-Configuration Install the firewall. See the hardware installation guide.
Pre-Configuration Review the Network Deployment and Default Configuration, on page
Pre-Configuration Cable the Device, on page
Pre-Configuration Power On the Firewall, on page
In this case you must change the inside IP address to be on a new network.
• If you add the threat defense to an existing inside network, you will need to change the inside IP address to be on the existing network.
• (6.5 and later) Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1
• (6.4) Software switch (Integrated Routing and Bridging)—Ethernet 1/2 through 1/8 belong to bridge group interface (BVI) 1
• outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration
Diagnostic interface. Diagnostic is a data interface, but is limited to other types of management traffic (to-the-device and from-the-device), such as syslog or SNMP. The Diagnostic interface is not typically used. See the Cisco Secure Firewall Device Manager Configuration Guide for more information.
(Ethernet 1/2 through 1/8). inside has a default IP address (192.168.95.1) and also runs a DHCP server to provide IP addresses to clients (including the management computer), so make sure these settings do not conflict with any existing inside network settings (see Default Configuration, on page 92).
The power turns on automatically when you plug in the power cord.
Step 2 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
You cannot repeat the CLI setup script unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.
Management network, but for remote management for specific networks or hosts, you should add a static route using the configure network static-routes command. Note that the device manager management on data interfaces is not affected by this setting. If you use DHCP, the
You are prompted to read and accept the End User License Agreement and change the admin password. You must complete these steps to continue.
Step 2 Configure the following options for the outside and management interfaces and click Next.
• Although you can continue using the evaluation license, we recommend that you register and license your device; see Configure Licensing, on page 102.
• You can also choose to configure the device using the device manager; see Configure the Firewall in the Device Manager, on page 107.
Manager, request and copy a registration token for the virtual account to which you want to add this device.
a) Click Inventory.
b) On the General tab, click New Token.
c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag if you are in a country that allows for strong encryption. You must select this option now if you plan to use this functionality.
Then follow the instructions on the Smart License Registration dialog box to paste in your token:
Step 5 Click Register Device. You return to the Smart License page. While the device registers, you see the following message:
You cannot configure the features in new policies, nor can you deploy policies that use the feature.
• If you enabled the Cisco Secure Client license, select the type of license you want to use: Advantage, Premier, VPN Only, or Premier and Advantage.
Step 7 Choose Resync Connection from the gear drop-down list to synchronize license information with Cisco Smart Software Manager.
Configure the Firewall in the Device Manager
The following steps provide an overview of additional features you might want to configure.
Page 110
If you configured other inside interfaces, it is very typical to set up a DHCP server on those interfaces. Click + to configure the server and address pool for each inside interface.
Page 111
IP address of the ISP gateway (you must obtain the address from your ISP). You can create this object by clicking Create New Network at the bottom of the Gateway drop-down list.
Page 112
IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
CLI using the connect fxos command. You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.
Page 114
>
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Secure Firewall Threat Defense Command Reference.
Step 3 To exit the threat defense CLI, enter the exit or logout command.
This information is also shown in show version system, show running-config, and show inventory output.
Step 3 To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command.
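The show inventory output described above pairs a NAME/DESCR row with a PID/VID/SN row for each component. The following Python example is added here and is not part of the guide or of Cisco's software: it parses a constructed sample in that layout, extracts the chassis serial number (the value low-touch provisioning later asks you to hand to the CDO administrator), and sanity-checks its format, since Cisco hardware serial numbers are 11 upper-case alphanumeric characters. The PID FPR-1010 is the product this guide covers; all serial numbers and the second PID in the sample are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the generic Cisco "show inventory" layout (a NAME/DESCR
# row followed by a PID/VID/SN row per component). FPR-1010 is the product this
# guide covers; every serial number and the second PID are placeholders.
SAMPLE_SHOW_INVENTORY = """\
NAME: "module 0", DESCR: "Firepower 1010 Appliance, Desktop, 8 GE, 1 MGMT"
PID: FPR-1010           , VID: V01     , SN: JMX00000000
NAME: "power supply 1", DESCR: "Power Supply (placeholder entry)"
PID: PID-PLACEHOLDER    , VID: V01     , SN: SN-PLACEHOLDER
"""


@dataclass(frozen=True)
class InventoryItem:
    name: str
    descr: str
    pid: str
    vid: str
    sn: str


_NAME_RE = re.compile(r'NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
_PID_RE = re.compile(r"PID:\s*(?P<pid>\S*?)\s*,\s*VID:\s*(?P<vid>\S*?)\s*,\s*SN:\s*(?P<sn>\S*)")


def parse_show_inventory(output: str) -> List[InventoryItem]:
    """Pair each NAME/DESCR row with the PID/VID/SN row that follows it."""
    items: List[InventoryItem] = []
    pending: Optional[dict] = None
    for line in output.splitlines():
        m = _NAME_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = _PID_RE.search(line)
        if m and pending is not None:
            items.append(InventoryItem(pending["name"], pending["descr"],
                                       m["pid"], m["vid"], m["sn"]))
            pending = None
    return items


def is_well_formed_serial(sn: str) -> bool:
    """Cisco hardware serial numbers are 11 upper-case alphanumeric characters.
    Anything else (blank field, placeholder, transcription error) deserves a
    second look before the value is sent to the CDO administrator."""
    return re.fullmatch(r"[A-Z0-9]{11}", sn) is not None


def chassis_serial(output: str) -> Optional[str]:
    """Serial number of the first inventoried component; in the constructed
    sample that is the appliance itself, which is what onboarding needs."""
    items = parse_show_inventory(output)
    return items[0].sn if items else None
```

Run it against a captured show inventory transcript instead of the sample to get the PID/SN list for an asset register; is_well_formed_serial flags the placeholder entry while the constructed 11-character serial passes.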
Access the Threat Defense and FXOS CLI, on page 111.
Procedure
Step 1 In the FXOS CLI, connect to local-mgmt:
firepower # connect local-mgmt
Step 2 Issue the shutdown command:
firepower(local-mgmt) # shutdown
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the device manager, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Page 118
Page 119
Which Operating System and Manager is Right for You?, on page 1. This chapter applies to the threat defense using Cisco Defense Orchestrator (CDO)'s cloud-delivered Secure Firewall Management Center. To use CDO with device manager functionality, see the CDO documentation.
Management interface. For outgoing management traffic, the Management interface forwards the traffic over the backplane to the data interface. Manager access from a data interface has the following limitations:
SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command.
End-to-End Procedure: Low-Touch Provisioning
See the following tasks to deploy the threat defense with CDO using low-touch provisioning.
Page 122
Provide the Firewall Serial Number to the Central Administrator, on page 129. (Branch admin)
Branch Office Tasks: Install the firewall. See the hardware installation guide. (Branch admin)
Branch Office Tasks: Cable the Firewall, on page 130. (Branch admin)
(CDO admin)
End-to-End Procedure: Onboarding Wizard
See the following tasks to onboard the threat defense to CDO using the onboarding wizard.
Figure 36: End-to-End Procedure: Onboarding Wizard
Workspace: Cisco Commerce. Obtain Licenses, on page 122.
• IPS—Security Intelligence and Next-Generation IPS
• Malware Defense—Malware defense
• URL—URL Filtering
• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
• Carrier—Diameter, GTP/GPRS, M3UA, SCTP
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide...
Page 125
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Page 126
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
Page 127
The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
Page 128
Create a New Cisco Secure Sign-On Account
Procedure
Step 1 Sign Up for a New Cisco Secure Sign-On Account.
a) Browse to https://sign-on.security.cisco.com.
b) At the bottom of the Sign In screen, click Sign up.
Figure 38: Cisco SSO Sign Up
c) Fill in the fields of the Create Account dialog and click Register.
Page 129
Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
d) After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
Page 130
Threat Defense Deployment with CDO Log Into CDO with Cisco Secure Sign-On
You now see the Cisco Secure Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
The serial number of the firewall can be found on the shipping box. It can also be found on a sticker on the bottom of the firewall chassis.
Step 3 Send the firewall serial number to the CDO network administrator at your IT department/central headquarters.
Page 132
Low-touch provisioning supports connecting to CDO on Ethernet 1/1 (outside).
Note Ethernet1/2 through 1/8 are configured as hardware switch ports; PoE+ is also available on Ethernet1/7 and 1/8.
Procedure
Step 1 Install the chassis. See the hardware installation guide.
Page 133
If there is a problem, the Status LED flashes fast amber. If this happens, call your IT department.
Step 5 Observe the Status LED on the back or top of the device; when the device connects to the Cisco cloud, the Status LED slowly flashes green.
Page 134
modem. If after adjusting the network cable, the device does not reach the Cisco cloud after about 10 more minutes, call your IT department.
What to do next
• Communicate with your IT department to confirm your onboarding timeline and activities. You should have a communication plan in place with the CDO administrator at your central headquarters.
You can connect to CDO on the outside interface or the Management interface, depending on which interface you set for manager access during initial setup. This guide shows the outside interface.
Note Ethernet1/2 through 1/8 are configured as hardware switch ports; PoE+ is also available on Ethernet1/7 and 1/8.
Page 136
The power turns on automatically when you plug in the power cord.
Step 2 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
Page 137
Default Access Control Policy.
Step 7 For the Subscription License, click the Physical FTD Device radio button, and then check each of the feature licenses you want to enable. Click Next.
Page 138
Connect to the threat defense CLI to perform initial setup. When you use the CLI for initial configuration, only the Management interface and manager access interface settings are retained. When you perform initial setup using the device manager, all interface configuration completed in the device manager is retained when
Page 139
You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See the Cisco Secure Firewall Threat Defense Command Reference. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
Page 140
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
Page 141
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Page 142
Identify the CDO that will manage this threat defense using the configure manager add command that CDO generated. See Onboard a Device with the Onboarding Wizard, on page 135 to generate the command.
Example:
> configure manager add account1.app.us.cdo.cisco.com KPOOP0rgWzaHrnj1V5ha2q5Rf8pKFX9E Lzm1HOynhVUWhXYWz2swmkj2ZWsN3Lb account1.app.us.cdo.cisco.com
Manager successfully configured.
Page 143
DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields.
Page 144
Other device manager configuration will not be retained when you register the device to CDO.
Step 6 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.
Step 7 Configure the Management Center/CDO Details.
Page 145
For Do you know the Management Center/CDO hostname or IP address, click Yes. CDO generates the configure manager add command. See Onboard a Device with the Onboarding Wizard, on page 135 to generate the command.
Page 146
Click Add a Dynamic DNS (DDNS) method. DDNS ensures CDO can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense's IP address changes. See Device > System Settings > DDNS Service to configure DDNS.
If you configure DDNS before you add the threat defense to CDO, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Page 148
(Optional) Disable switch port mode for any of the switch ports (Ethernet1/2 through 1/8) by clicking the slider in the SwitchPort column so it shows as disabled ( ).
Step 4 Enable the switch ports.
a) Click the Edit ( ) for the switch port.
Page 149
Step 5 Add the inside VLAN interface.
a) Click Add Interfaces > VLAN Interface. The General tab appears.
b) Enter a Name up to 48 characters in length. For example, name the interface inside.
Page 150
For example, enter 192.168.1.1/24
• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.
h) Click OK.
Step 6 Click the Edit ( ) for Ethernet1/1 that you want to use for outside. The General tab appears.
Page 151
Choose Devices > Device Management, and click the Edit ( ) for the device.
Step 2 Choose DHCP > DHCP Server.
Step 3 On the Server page, click Add, and configure the following options:
Page 152
Port Address Translation (PAT).
Procedure
Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Page 153
Configure the basic rule options:
• NAT Rule—Choose Auto NAT Rule.
• Type—Choose Dynamic.
Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Page 154
) to add a network object for all IPv4 traffic (0.0.0.0/0).
Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects.
• Translated Source—Choose Destination Interface IP.
Page 155
• Source Zones—Select the inside zone from Available Zones, and click Add to Source.
• Destination Zones—Select the outside zone from Available Zones, and click Add to Destination.
Leave the other settings as is.
Page 156
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.
Page 157
You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
Deploy the Configuration
Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
Page 158
Figure 51: Deploy All
Figure 52: Advanced Deploy
Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
Page 159
USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
Page 160
>
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Secure Firewall Threat Defense Command Reference.
Step 3 To exit the threat defense CLI, enter the exit or logout command.
Page 161
Address : 10.99.10.4
Netmask : 255.255.255.0
Gateway : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers
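The show network output above and the CLI setup wizard earlier in this chapter give the management address, netmask and default gateway. The following Python example is added here and is not Cisco's code: it parses a constructed show network sample in the same layout and checks that the gateway is a host address inside the configured management subnet, the mistake a narrow mask such as 255.255.255.192 makes easy; the wizard's data-interfaces default is accepted as valid because it sends management traffic via the data interfaces instead of an on-link gateway. The eth0 interface name, the hostname row and the exact banner widths in the sample are assumptions modelled on the rows the guide shows.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample laid out like the `show network` output quoted in the
# guide (bracketed banner rows, "Key : Value" rows). The addresses are the
# guide's documentation values, not a real deployment.
SAMPLE_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname                  : ftd-1.cisco.com
======================[ eth0 ]======================
State                     : Enabled
Link                      : Up
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.99.10.4
Netmask                   : 255.255.255.0
Gateway                   : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled
===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled
"""

_BANNER_RE = re.compile(r"^([=-])[=-]*\[\s*(.+?)\s*\][=-]+$")
_ROW_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_show_network(output: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}. A '=' banner starts a top-level section;
    a '-' banner starts a sub-block keyed "<parent>/<title>", so the IPv4 rows
    of eth0 cannot collide with those of another interface."""
    sections: Dict[str, Dict[str, str]] = {}
    parent = current = ""
    for raw in output.splitlines():
        line = raw.strip()
        banner = _BANNER_RE.match(line)
        if banner:
            kind, title = banner.groups()
            current = f"{parent}/{title}" if kind == "-" else title
            if kind == "=":
                parent = title
            sections[current] = {}
            continue
        row = _ROW_RE.match(line)
        if row and current:
            sections[current][row.group(1)] = row.group(2)
    return sections


def gateway_is_usable(address: str, netmask: str, gateway: str) -> bool:
    """True when the gateway is a host address in the management subnet other
    than the interface itself. 'data-interfaces' (the wizard default) means
    management traffic leaves via the data interfaces, so no on-link gateway
    is required and the value is accepted as-is."""
    if gateway == "data-interfaces":
        return True
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    gw = ipaddress.IPv4Address(gateway)
    return (gw in iface.network and gw != iface.ip
            and gw != iface.network.network_address
            and gw != iface.network.broadcast_address)


def check_management_ipv4(output: str, interface: str = "eth0") -> Dict[str, object]:
    """Pull the management interface's IPv4 rows out of `show network` and flag
    a gateway that is unreachable from the configured subnet, plus whether
    IPv6 and the HTTP proxy are in play for the management connection."""
    sections = parse_show_network(output)
    v4 = sections.get(f"{interface}/IPv4", {})
    address, netmask, gateway = v4.get("Address"), v4.get("Netmask"), v4.get("Gateway")
    ok = bool(address and netmask and gateway) and gateway_is_usable(address, netmask, gateway)
    return {
        "address": address,
        "netmask": netmask,
        "gateway": gateway,
        "gateway_ok": ok,
        "ipv6_enabled": sections.get(f"{interface}/IPv6", {}).get("Configuration") != "Disabled",
        "proxy_enabled": sections.get("Proxy Information", {}).get("State") != "Disabled",
    }
```

With the guide's wizard values, 10.10.10.1 is a usable gateway for an address in 10.10.10.0/26 but not for one in 10.10.10.64/26, which is the kind of mismatch that leaves the device unable to reach its manager after the mask is narrowed.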
Page 162
At the threat defense CLI, see information about the internal backplane interface, nlp_int_tap:
show interface detail
> show interface detail
[...]
Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up
Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec (Full-duplex), (1000 Mbps)
Page 163
Gateway of last resort is 10.89.5.1 to network 0.0.0.0
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside
show nat
> show nat
Auto NAT Policies (Section 2)
Page 164
DDNS: IDB SB total = 0
If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device:
show crypto ca certificates trustpoint_name
Page 165
At the threat defense CLI, roll back to the previous configuration.
configure policy rollback
After the rollback, the threat defense notifies CDO that the rollback was completed successfully. In CDO, the deployment screen will show a banner stating that the configuration was rolled back.
Page 166
You can shut down your system properly using CDO.
Procedure
Step 1 Choose Devices > Device Management.
Step 2 Next to the device that you want to restart, click the edit icon ( ).
Step 3 Click the Device tab.
Page 167
Step 7 You can now unplug the power to physically remove power from the chassis if necessary.
What's Next
To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page.
Page 168
Page 169
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
• ASDM (covered in this guide)—A single device manager included on the device.
• CLI
• CDO—A simplified, cloud-based multi-device manager
• Cisco Security Manager—A multi-device manager on a separate server.
You can also access the FXOS CLI for troubleshooting purposes.
Unsupported Features...
Page 171
These Ethernet ports are configured as switch ports by default. For each interface in your configuration, add the no switchport command to make them regular firewall interfaces. For example:
interface ethernet 1/2
 no switchport
 ip address 10.8.7.2 255.255.255.0
 nameif inside
(an internal location on disk0 managed by FXOS). The new image will load when you reload the ASA.
End-to-End Procedure
See the following tasks to deploy and configure the ASA on your chassis.
Page 173
172.
Pre-Configuration: Cable the Device, on page 175.
Pre-Configuration: Power On the Firewall, on page 13
ASA CLI: (Optional) Change the IP Address, on page 177.
ASDM: Log Into the ASDM, on page 178.
IP address to be on a new network.
• If you add the ASA to an existing inside network, you will need to change the inside IP address to be on the existing network.
Page 175
192.168.45.0/24 network, and inside hosts are limited to the 192.168.1.0/24 network.
• NAT—Interface PAT for all traffic from inside to outside.
• DNS servers—OpenDNS servers are pre-configured.
The configuration consists of the following commands:
DHCP server to provide IP addresses to clients (including the management computer), so make sure these settings do not conflict with any existing inside network settings (see Firepower 1010 Default Configuration, on page 173).
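The default configuration described above places the management network on 192.168.45.0/24 and inside hosts on 192.168.1.0/24, and the guide warns that these must not collide with an existing inside network. The following Python example, added here and not part of the guide or of Cisco's tooling, checks a list of existing LAN prefixes against those two defaults with the standard library's ipaddress module and proposes a non-overlapping 192.168.x.0/24 to which the inside interface can be moved, as the guide says to do when the ASA joins an existing network. The prefix lists passed in are constructed inputs.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Factory-default networks quoted in the guide for the Firepower 1010 ASA:
# the management network 192.168.45.0/24 and the inside network 192.168.1.0/24,
# both of which the ASA's built-in DHCP server hands out addresses on.
DEFAULT_NETWORKS = {
    "management": ipaddress.ip_network("192.168.45.0/24"),
    "inside": ipaddress.ip_network("192.168.1.0/24"),
}


def find_conflicts(existing_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (default_role, existing_prefix) for every existing LAN prefix that
    overlaps a factory-default network. An overlap means the ASA's DHCP server
    and the existing network would hand out or route the same addresses."""
    conflicts: List[Tuple[str, str]] = []
    for prefix in existing_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)  # accept host/len input
        for role, default in DEFAULT_NETWORKS.items():
            if net.version == default.version and net.overlaps(default):
                conflicts.append((role, str(net)))
    return conflicts


def suggest_inside_prefix(existing_prefixes: Iterable[str]) -> Optional[str]:
    """Pick the lowest 192.168.x.0/24 (x from 1 to 254) that overlaps neither an
    existing prefix nor the default management network, as a candidate new
    inside network when the default one collides with the site's LAN.
    Returns None when the whole 192.168.0.0/16 range is already in use."""
    existing = [ipaddress.ip_network(p, strict=False) for p in existing_prefixes]
    taken = existing + [DEFAULT_NETWORKS["management"]]
    for third_octet in range(1, 255):
        candidate = ipaddress.ip_network(f"192.168.{third_octet}.0/24")
        if not any(n.version == 4 and candidate.overlaps(n) for n in taken):
            return str(candidate)
    return None
```

Feed find_conflicts the prefixes already routed on the site (from the existing router or DHCP scope list); an empty result means the defaults can stay, otherwise suggest_inside_prefix gives a replacement to use when you change the inside IP address in the next steps.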
The power turns on automatically when you plug in the power cord.
Step 2 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
• Security Plus—For Active/Standby failover
• Strong Encryption (3DES/AES)—If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account.
Page 182
Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Essentials license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
Page 183
c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag.
Page 185
You can optionally check the Force registration check box to register the ASA that is already registered, but that might be out of sync with the Smart Software Manager. For example, use Force registration if the ASA was accidentally removed from the Smart Software Manager.
Step 6 Click Register.
Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards.
Procedure
Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.
Page 187
• And more...
Step 3 (Optional) From the Wizards menu, run other wizards.
Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged EXEC mode, enter the disable, exit, or quit command.
Step 3 Access global configuration mode.
configure terminal
Example:
ciscoasa# configure terminal
ciscoasa(config)#
Page 189
Type help or '?' for a list of available commands.
ciscoasa#
What's Next?
• To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
• For troubleshooting, see the FXOS troubleshooting guide.
Page 190
ASA Deployment with ASDM What's Next?