Cisco Firepower 2100 Getting Started Guide First Published: 2019-09-25 Last Modified: 2024-04-25 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
VPN concentrator, and next generation IPS. • ASA—The ASA is a traditional, advanced stateful firewall and VPN concentrator. Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense.
You cannot use this API if you are managing the threat defense using the management center or CDO. The threat defense REST API is not covered in this guide. For more information, see Cisco Secure Firewall Threat Defense REST API Guide. Secure Firewall Management Center REST The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses.
Using HTTP, an automation tool can execute commands on the ASAs by accessing specifically formatted URLs. The ASA HTTP interface is not covered in this guide. For more information, see the Cisco Secure Firewall ASA HTTP Interface for Automation.
Which Application and Manager is Right for You? ASA Managers
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
Before You Start Deploy and perform initial configuration of the management center. See the getting started guide for your model. End-to-End Tasks See the following tasks to deploy the threat defense with the management center.
DHCP server, you can set the Management interface to use a static IP address during initial setup at the console port. • Both the threat defense and the management center require internet access from their management interfaces for licensing and updates.
• The inside interface acts as the internet gateway for Management and for the management center. • Connects Management 1/1 to an inside interface through a Layer 2 switch. • Connects the management center and management computer to the switch.
Figure 2: Edge Network Deployment Cable the Device To cable one of the above scenarios on the Firepower 2100, see the following steps. Note Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 3 Cable for an edge deployment:
12-V main power is OFF. When the switch is in the ON position, the 12-V main power is turned on and the system boots. Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/ us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
You will need to download the new image from a server accessible from the Management interface. b) Perform the reimage procedure in the FXOS troubleshooting guide. After the firewall reboots, you connect to the FXOS CLI again.
1. Outside Interface Address—This interface is typically the internet gateway, and might be used as your manager access interface. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.
Other device manager configuration will not be retained when you register the device to the management center. Step 5 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 6 Configure the Management Center/CDO Details.
For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.
Note If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:
• Manage the device locally?—Enter no to use the management center. A yes answer means you will use the device manager instead. • Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Cisco Firepower 2100 Getting Started Guide...
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:...
If the threat defense is behind a NAT device, enter a unique NAT ID along with the management center IP address or hostname, for example:
Example:
> configure manager add 10.70.45.5 regk3y78 natid56
Manager successfully configured.
What to do next Register your firewall to the management center.
• IPS—Security Intelligence and Next-Generation IPS • Malware Defense—Malware defense • URL Filtering—URL Filtering • Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide Before you begin •...
Obtain Licenses for the Management Center When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
• The management center registration key Procedure Step 1 In the management center, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device. The Registration Key method is selected by default.
• Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration.
If you disable it, only event information will be sent to the management center, but packet data is not sent. Step 3 Click Register, and confirm a successful registration.
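The registration above only succeeds when the arguments given to `configure manager add` on the threat defense agree with the Host, Registration Key and NAT ID fields entered in the management center; the guide also notes that the management center exposes a REST API for the same configuration. The following Python is an added example (not from the Cisco guide and not Cisco code) that encodes the guide's matching rules so the two halves can be checked before you click Register, and shows how the same fields map onto a REST API device record. The REST field names (`hostName`, `regKey`, `natID`, `accessPolicy`, `license_caps`), the device name and the policy UUID are this author's assumptions; confirm the field names in the API Explorer on your own management center.

```python
"""Cross-check the two halves of a threat defense registration before clicking Register.

Added example; not from the Cisco guide and not Cisco code. The threat defense
side is the `configure manager add <fmc> <regkey> [natid]` command from the CLI
setup; the management center side is the Host / Registration Key / NAT ID fields
of the Add Device dialog. Rules encoded from the guide: the registration key
must match, the NAT ID (when used) must match, and Host may be blank only when
the threat defense was given both the management center address and a NAT ID.
build_device_record() maps the same fields onto a REST API device record; its
field names are this author's understanding of the API (an assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class FtdManagerConfig:
    """Arguments of `configure manager add` as entered on the threat defense."""
    fmc_host: str            # IP address or hostname of the management center
    reg_key: str
    nat_id: Optional[str]


@dataclass
class FmcAddDevice:
    """Fields of the management center Add Device dialog."""
    host: str                # may be blank when a NAT ID is used
    reg_key: str
    nat_id: Optional[str]


# Optional leading "> " prompt, then the command with two or three arguments.
_CMD_RE = re.compile(
    r"^\s*(?:>\s*)?configure\s+manager\s+add\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_configure_manager_add(line: str) -> FtdManagerConfig:
    """Parse one `configure manager add` line, such as the guide's
    `configure manager add 10.70.45.5 regk3y78 natid56`."""
    m = _CMD_RE.match(line)
    if not m:
        raise ValueError(f"not a configure manager add command: {line!r}")
    host, key, nat = m.groups()
    return FtdManagerConfig(fmc_host=host, reg_key=key, nat_id=nat)


def check_registration_inputs(ftd: FtdManagerConfig, fmc: FmcAddDevice) -> List[str]:
    """Return the mismatches found; an empty list means the two sides agree."""
    problems: List[str] = []
    if ftd.reg_key != fmc.reg_key:
        problems.append("registration key differs between threat defense and management center")
    if (ftd.nat_id or fmc.nat_id) and ftd.nat_id != fmc.nat_id:
        problems.append("NAT ID must be identical on both sides when either side sets one")
    if not fmc.host.strip() and not (fmc.nat_id and ftd.fmc_host):
        problems.append("Host is blank, which is only allowed when the threat defense was "
                        "given the management center address and a NAT ID")
    return problems


def build_device_record(name: str, fmc: FmcAddDevice, access_policy_id: str,
                        licenses: Iterable[str]) -> Dict:
    """Body for a REST API device-record POST (assumed field names, see docstring).

    Host is omitted entirely, not sent as an empty string, when registration
    relies on the NAT ID instead.
    """
    record: Dict = {
        "name": name,
        "type": "Device",
        "regKey": fmc.reg_key,
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
        "license_caps": list(licenses),
    }
    if fmc.host.strip():
        record["hostName"] = fmc.host.strip()
    if fmc.nat_id:
        record["natID"] = fmc.nat_id
    return record


if __name__ == "__main__":
    # The guide's own example command, paired with a dialog that left Host blank.
    ftd_side = parse_configure_manager_add("> configure manager add 10.70.45.5 regk3y78 natid56")
    fmc_side = FmcAddDevice(host="", reg_key="regk3y78", nat_id="natid56")
    for line in check_registration_inputs(ftd_side, fmc_side) or ["inputs are consistent"]:
        print(line)
    # Device name, policy UUID and license string are placeholders (assumptions).
    print(build_device_record("ftd-1", fmc_side, "00000000-0000-0000-0000-000000000000", ["BASE"]))
```

The check is deliberately strict about the NAT ID: if either side sets one, both must, because a threat defense that registers with a NAT ID the management center does not know about will never complete the sftunnel handshake and the failure shows up only as a registration timeout.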
To configure a basic security policy, complete the following tasks: Configure Interfaces; Configure the DHCP Server; Add the Default Route; Configure NAT; Allow Traffic from Inside to Outside; Deploy the Configuration.
Choose Devices > Device Management, and click the Edit ( ) for the firewall. Step 2 Click Interfaces. Figure 10: Interfaces Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
QoS policies. e) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. Figure 13: IPv6 Tab f) Click OK. Step 4 Click the Edit ( ) for the interface that you want to use for outside. The General tab appears.
• Obtain default route using DHCP—Obtains the default route from the DHCP server. • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.
Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense. Procedure Step 1 Choose Devices > Device Management, and click Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself. • Enable DHCP Server—Enable the DHCP server on the selected interface. Step 4 Click OK. Step 5 Click Save.
Step 1 Choose Devices > Device Management, and click Edit ( ) for the device. Step 2 Choose Routing > Static Route. Figure 19: Static Route Step 3 Click Add Route, and set the following:
• Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 4 Click OK. The route is added to the static route table. Step 5 Click Save.
Name the policy, select the device(s) that you want to use the policy, and click Save. Figure 21: New Policy The policy is added to the management center. You still have to add rules to the policy.
Figure 23: Basic Rule Options • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Configure NAT Figure 24: Interface Objects Step 6 On the Translation page, configure the following options: Figure 25: Translation • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Step 1 Choose Policy > Access Policy > Access Policy, and click Edit ( ) for the access control policy assigned to the threat defense. Step 2 Click Add Rule, and set the following parameters:
Click Deploy in the upper right. Figure 28: Deploy Step 2 For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all devices. Otherwise, for additional deployment options, click Advanced Deploy.
Figure 30: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. Figure 31: Deployment Status
Step 1 To log into the CLI, connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you may need a third party DB-9-to-USB serial cable to make the connection.
If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt: System is stopped. It is safe to power off now. Do you want to reboot instead? [y/N]
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Secure Firewall Threat Defense Documentation. For information related to using the management center, see the Cisco Secure Firewall Management Center Device Configuration Guide.
You can preregister the threat defense on the management center using the threat defense serial number before sending the device to the branch office. The management center integrates with the Cisco Security Cloud and CDO for this functionality. • At the branch office, cable and power on the threat defense.
• Either the threat defense or management center needs a public IP address or hostname to allow the inbound management connection, although you do not need to know the IP address for registration. For pre-7.2(4) and 7.3 threat defense versions, the management center needs to be publicly reachable.
Threat Defense Deployment with a Remote Management Center How Remote Management Works • Both the management center and threat defense initially communicate with the Cisco Security Cloud and CDO to establish the management connection • After initial establishment, CDO is used to reestablish the management connection if it is disrupted; for example, if the threat defense IP address changes due to a new DHCP assignment, CDO will inform the management center of the change.
Deploy and perform initial configuration of the management center. See the getting started guide for your model. End-to-End Tasks: Low-Touch Provisioning See the following tasks to deploy the threat defense with the management center using low-touch provisioning.
Figure 34: End-to-End Tasks: Low-Touch Provisioning (Optional) Check the Software and Install a New Version, on page (Central administrator)
Management Center: Add a Device to the Management Center Using Low-Touch Provisioning, on page 70: Integrate the management center with Cisco Security Cloud, including obtaining a CDO account. (Central administrator) Add a Device to the Management Center Using Low-Touch Provisioning, on...
• Pre-Configuration Using the Device Manager, on page 55 (Central admin)
• Pre-Configuration Using the CLI, on page 60
Physical Setup: Install the firewall. See the Cisco Firepower 2100 Series Hardware Installation Guide. (Branch admin)
Physical Setup: Cable the Firewall, on page (Branch admin)
(Ethernet1/1) interface that will be maintained when you switch to management center management. a) Configure the following options for the outside and management interfaces and click Next.
If you did receive a gateway from DHCP, then you need to instead configure this interface with a static IP address and set the gateway to data interfaces.
Other device manager configuration will not be retained when you register the device to the management center. Step 7 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 8 Configure the Management Center/CDO Details.
If you chose a different interface, then you need to manually configure a default route before you connect to the management center. See Configure
If you configure DDNS before you add the threat defense to the management center, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 4 Connect to the threat defense CLI.
connect ftd
Example:
firepower# connect ftd
>
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35...
If the management connection is disrupted, the threat defense includes the configure policy rollback command to restore the previous deployment.
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Enter the shutdown command. b) Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit).
Cable the Firewall The management center and your management computer reside at a remote headquarters, and can reach the threat defense over the internet. To cable the Firepower 2100, see the following steps. Figure 38: Cabling a Remote Management Deployment...
OFF position. The front panel PWR LED flashes momentarily and turns off. Do not remove the power until the PWR LED is completely off. See the FXOS Configuration Guide for more information on using the shutdown commands.
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Add a Device to the Management Center Using Low-Touch Provisioning Low-touch provisioning lets you register devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with Cisco Defense Orchestrator (CDO) for this functionality.
SecureX Integration page in the management center. Click Enable SecureX to open a separate browser tab that logs you into your Cisco Security Cloud account and asks you to confirm the displayed code. Make sure this page is not blocked by a pop-up blocker.
Figure 41: FTD Tile Step 4 On the Onboard FTD Device screen, click Use Serial Number. Figure 42: Use Serial Number Step 5 In Select FMC, choose an On-Prem FMC from the list, and click Next.
Management interface for low-touch provisioning. You can set the management center public IP address/FQDN by clicking the FMC Public IP link. You see the following dialog box. Figure 45: Configure FMC Public IP/FQDN
In Policy Assignment, use the drop-down menu to select an access control policy for the device. If you have not added a policy on the management center, you should go to the management center and add one now. Click Next.
• Provides the IP address/hostname mapping to the management center so it can resolve the hostname to the correct IP address. • Informs the management center if the IP address ever changes, for example, if the DHCP lease renews.
The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Procedure Step 1 Choose Devices > Device Management, and click Edit ( ) for the firewall.
Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears. Figure 54: General Tab a) Enter a Name up to 48 characters in length.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24 Figure 55: IPv4 Tab • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. Figure 56: IPv6 Tab f) Click OK.
For example, add a zone called outside_zone. b) Click OK. Step 5 Click Save. Configure the DHCP Server Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
Name the policy, select the device(s) that you want to use the policy, and click Save. Figure 60: New Policy The policy is added to the management center. You still have to add rules to the policy.
Figure 62: Basic Rule Options • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Configure NAT Figure 63: Interface Objects Step 6 On the Translation page, configure the following options: Figure 64: Translation • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
SSH access according to this section. You can SSH only to a reachable interface; if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface.
For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interfaces list and click Add. You can also add loopback interfaces. These rules will be applied to a device only if the device includes the selected interfaces or zones. c) Click OK.
For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all devices. Otherwise, for additional deployment options, click Advanced Deploy. Figure 68: Deploy All Figure 69: Advanced Deploy
Management > Device > Management > FMC Access Details > Connection Status page. At the threat defense CLI, enter the sftunnel-status-brief command to view the management connection status. You can also use sftunnel-status to view more complete information.
Check the internal interface status, statistics, and packet count At the threat defense CLI, see information about the internal backplane interface, nlp_int_tap: show interface detail
> show interface detail
SI - Static InterVRF
Gateway of last resort is 10.89.5.1 to network 0.0.0.0
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside
> show nat
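When the management connection or inside-to-outside traffic does not come up after deployment, the first thing to confirm in the `show route` output above is that the gateway of last resort actually leaves through the outside interface and that its next hop sits on that interface's connected subnet. The following Python is an added example (not from the Cisco guide and not Cisco code) that parses the routed-mode output shown on this page and performs exactly that check. `SAMPLE_SHOW_ROUTE` is constructed from the lines printed above, with the route-code column (S*, C, L) filled in as the firewall prints it; the interface name `outside` is the guide's.

```python
"""Post-deployment check of the threat defense route table.

Added example; not from the Cisco guide and not Cisco code. It parses the
routed-mode `show route` output the guide shows (a default route via the
outside interface plus the connected and local routes for that interface) and
confirms that the gateway of last resort exits the interface you expect with a
next hop on that interface's subnet. SAMPLE_SHOW_ROUTE is constructed from the
lines printed on this page; the S*/C/L route codes are added as the firewall
prints them.
"""
import ipaddress
import re
from typing import Dict, List, Optional

SAMPLE_SHOW_ROUTE = """\
Gateway of last resort is 10.89.5.1 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
C        10.89.5.0 255.255.255.192 is directly connected, outside
L        10.89.5.29 255.255.255.255 is directly connected, outside
"""

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_GW_RE = re.compile(r"Gateway of last resort is " + _IPV4 + r" to network " + _IPV4)
_VIA_RE = re.compile(_IPV4 + r" " + _IPV4 + r" \[(\d+)/(\d+)\] via " + _IPV4 + r", (\S+)")
_CONN_RE = re.compile(_IPV4 + r" " + _IPV4 + r" is directly connected, (\S+)")


def parse_show_route(text: str) -> Dict[str, object]:
    """Return the gateway of last resort and the routes, networks in CIDR form."""
    gateway: Optional[str] = None
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        if (m := _GW_RE.search(line)):
            gateway = m.group(1)
        elif (m := _VIA_RE.search(line)):
            net, mask, ad, metric, via, iface = m.groups()
            routes.append({"network": str(ipaddress.ip_network(f"{net}/{mask}")),
                           "via": via, "iface": iface, "ad": int(ad),
                           "metric": int(metric), "connected": False})
        elif (m := _CONN_RE.search(line)):
            net, mask, iface = m.groups()
            routes.append({"network": str(ipaddress.ip_network(f"{net}/{mask}")),
                           "via": None, "iface": iface, "ad": 0, "metric": 0,
                           "connected": True})
    return {"gateway_of_last_resort": gateway, "routes": routes}


def verify_default_route(parsed: Dict[str, object], expected_iface: str) -> List[str]:
    """List what is wrong with the default route; an empty list means it looks right."""
    problems: List[str] = []
    routes = parsed["routes"]
    if parsed["gateway_of_last_resort"] is None:
        problems.append("no gateway of last resort: add the static default route or check "
                        "that the outside interface obtained one from DHCP")
    defaults = [r for r in routes if r["network"] == "0.0.0.0/0"]
    if not defaults:
        problems.append("0.0.0.0/0 is not in the route table")
        return problems
    default = defaults[0]
    if default["iface"] != expected_iface:
        problems.append(f"default route exits {default['iface']}, expected {expected_iface}")
    # The next hop must be on a connected (non-/32) subnet of the same interface.
    next_hop = ipaddress.ip_address(str(default["via"]))
    on_link = [ipaddress.ip_network(str(r["network"])) for r in routes
               if r["connected"] and r["iface"] == default["iface"]
               and ipaddress.ip_network(str(r["network"])).prefixlen < 32]
    if not any(next_hop in net for net in on_link):
        problems.append(f"next hop {next_hop} is not on a connected subnet of {default['iface']}")
    return problems


if __name__ == "__main__":
    parsed = parse_show_route(SAMPLE_SHOW_ROUTE)
    print(parsed["gateway_of_last_resort"], [r["network"] for r in parsed["routes"]])
    print(verify_default_route(parsed, "outside") or ["default route OK"])
```

The mask-to-prefix conversion is done by `ipaddress.ip_network`, so the 255.255.255.192 connected route above is reported as 10.89.5.0/26 and the /26 is what the next-hop check uses.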
At the threat defense CLI, check for a successful DDNS update: debug ddns
> debug ddns
DDNS update request = /v3/update?hostname=domain.example.org&myip=209.165.200.225
Successfully updated the DDNS server with current IP addresses
DDNS: Another update completed, outstanding = 0
DDNS: IDB SB total = 0
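The update request in that debug output is the DynDNS Remote API format the guide says the threat defense follows, issued over HTTPS after the device has validated the server certificate against the Cisco Trusted Root CA bundle. The following Python is an added example (not from the Cisco guide and not Cisco code) for anyone standing up or troubleshooting a compatible DDNS server: it builds and validates the `/v3/update` request shown above and interprets the server's one-line reply. The reply codes and the advice to stop retrying on some of them come from the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/), not from the guide, and `SAMPLE_DEBUG` is constructed from the debug lines printed on this page.

```python
"""DynDNS Remote API helpers for checking what the threat defense sends and receives.

Added example; not from the Cisco guide and not Cisco code. It reproduces the
update request shape that `debug ddns` prints and interprets the server's reply
per the DynDNS Remote API (https://help.dyn.com/remote-access-api/), which the
guide names as the specification the threat defense follows. The reply codes
below are taken from that specification, not from the guide.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# code -> (meaning, fatal). fatal=True: the spec says stop updating until the
# configuration is fixed; retrying blindly gets the hostname blocked ("abuse").
RETURN_CODES = {
    "good": ("update accepted", False),
    "nochg": ("address unchanged; do not resend without a change", False),
    "badauth": ("bad username or password", True),
    "notfqdn": ("hostname is not a fully qualified domain name", True),
    "nohost": ("hostname does not exist under this account", True),
    "numhost": ("too many hostnames in one request", True),
    "abuse": ("hostname blocked for abuse", True),
    "badagent": ("client user agent rejected", True),
    "dnserr": ("server-side DNS error; retry later", False),
    "911": ("server problem; retry after at least 30 minutes", False),
}

# Constructed from the `debug ddns` lines shown in the guide.
SAMPLE_DEBUG = """\
> debug ddns
DDNS update request = /v3/update?hostname=domain.example.org&myip=209.165.200.225
Successfully updated the DDNS server with current IP addresses
DDNS: Another update completed, outstanding = 0
"""


def build_update_path(hostname: str, myip: str) -> str:
    """Path the client requests over HTTPS (with HTTP basic auth) for one hostname."""
    if "." not in hostname.strip(".") or hostname != hostname.strip("."):
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    ipaddress.ip_address(myip)          # rejects garbage; IPv4 or IPv6 accepted
    return "/v3/update?" + urlencode({"hostname": hostname, "myip": myip})


def parse_update_path(path: str) -> Dict[str, str]:
    """Server-side view of the same request: validate path, hostname and address."""
    parts = urlsplit(path)
    if parts.path != "/v3/update":
        raise ValueError(f"unexpected path {parts.path!r}")
    query = parse_qs(parts.query, strict_parsing=True)
    hostname = query.get("hostname", [""])[0]
    myip = query.get("myip", [""])[0]
    build_update_path(hostname, myip)    # same validation as the client side
    return {"hostname": hostname, "myip": myip}


def classify_reply(body: str) -> Dict[str, object]:
    """Interpret the one-line reply ("good 209.165.200.225", "badauth", ...)."""
    tokens = body.strip().split(None, 1)
    code = tokens[0] if tokens else ""
    meaning, fatal = RETURN_CODES.get(code, ("unrecognised reply; treat as an error", True))
    ip: Optional[str] = None
    if code in ("good", "nochg") and len(tokens) == 2:
        ip = str(ipaddress.ip_address(tokens[1].strip()))
    return {"code": code, "ok": code in ("good", "nochg"), "fatal": fatal,
            "ip": ip, "meaning": meaning}


_REQ_RE = re.compile(r"DDNS update request = (\S+)")


def extract_update_requests(debug_output: str) -> List[str]:
    """Pull every request path out of `debug ddns` output."""
    return _REQ_RE.findall(debug_output)


if __name__ == "__main__":
    for path in extract_update_requests(SAMPLE_DEBUG):
        print(path, parse_update_path(path))
    for reply in ("good 209.165.200.225", "nochg 209.165.200.225", "badauth", "911"):
        print(reply, "->", classify_reply(reply))
```

A server that answers anything other than the codes in `RETURN_CODES` is treated as an error rather than a success, which matters because the device prints "Successfully updated" only for a `good` or `nochg` reply; an unexpected reply body is the usual symptom of a proxy or captive portal sitting between the firewall and the DDNS server.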
When prompted, confirm that you want to shut down the device. Step 6 If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt:
See the following tasks to deploy the threat defense with the device manager. Pre-Configuration Install the firewall. See the hardware installation guide. Pre-Configuration Review the Network Deployment and Default Configuration, on page 101 Pre-Configuration Cable the Device, on page 104.
NAT for your inside networks. If you need to configure PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in device manager.
Figure 71: Suggested Network Deployment Note For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
• DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside.
Check the PWR LED on the front of the device; if it is solid green, the device is powered on. Step 4 Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on diagnostics.
You cannot repeat the CLI setup script unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.
Management network, but for remote management for specific networks or hosts, you should add a static route using the configure network static-routes command. Note that the device manager management on data interfaces is not affected by this setting. If you use DHCP, the
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
Outside Interface—This is the data port that you connected to your gateway router. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.
When you register the chassis, the Smart Software Manager issues an ID certificate for communication between the chassis and the Smart Software Manager. It also assigns the chassis to the appropriate virtual account. Cisco Firepower 2100 Getting Started Guide...
Page 114
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Page 115
Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:...
Page 116
Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the threat defense. Figure 73: View Token
Page 117
In the device manager, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token:...
Page 118
You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired.
Page 119
You cannot configure the features in new policies, nor can you deploy policies that use the feature. • If you enabled the Cisco Secure Client license, select the type of license you want to use: Advantage, Premier, VPN Only, or Premier and Advantage.
You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces. The following example shows how to create a new dmz-zone for the dmz interface.
Page 121
Note: The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on Device > System Settings > Management Interface.
Page 122
IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
Page 124
Step 1 To log into the CLI, connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you may need a third party DB-9-to-USB serial cable to make the connection.
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the device manager, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Page 126
Threat Defense Deployment with the Device Manager: What's Next?
Page 127
To see all available applications and managers, see Which Application and Manager is Right for You?, on page 1. This chapter applies to the threat defense using Cisco Defense Orchestrator (CDO)'s cloud-delivered Firewall Management Center. Note: CDO supports threat defense 7.2 and later.
Management interface. • For outgoing management traffic, the Management interface forwards the traffic over the backplane to the data interface. Manager Access Requirements Manager access from a data interface has the following limitations:...
• You cannot use the data interface as the failover or state link. End-to-End Tasks: Low-Touch Provisioning See the following tasks to deploy the threat defense with CDO using low-touch provisioning.
Page 130
Provide the Firewall Serial Number to the Central Administrator, on page 134. (Branch admin)
• Branch Office Tasks: Install the firewall. See the hardware installation guide. (Branch admin)
• Branch Office Tasks: Cable the Firewall, on page 134. (Branch admin)
(CDO admin)
End-to-End Tasks: Onboarding Wizard
See the following tasks to onboard the threat defense to CDO using the onboarding wizard.
Figure 81: End-to-End Tasks: Onboarding Wizard
• Cisco Commerce: Obtain Licenses, on page 130.
...
• IPS—Security Intelligence and Next-Generation IPS • Malware Defense—Malware defense • URL Filtering—URL Filtering • Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide Before you begin •...
Page 133
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Page 134
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
After you receive the threat defense from central headquarters, you only need to cable and power on the firewall so that it has internet access from the outside interface. The central administrator can then complete the configuration.
Page 136
Cable the Firewall This topic describes how to connect the Firepower 2100 to your network so that it can be managed by CDO. If you received a firewall at your branch office, and your job is to plug it into your network, watch this video.
Page 137
Step 2 Press the power switch on the back of the device. Step 3 Check the PWR LED on the front of the device; if it is solid green, the device is powered on.
Page 138
If there is a problem, the SYS LED flashes amber and green, and the device did not reach the Cisco Cloud. If this happens, make sure that your network cable is connected to the Ethernet 1/1 interface and to your WAN modem.
Page 139
No... option. There are a number of configurations that disable low-touch provisioning, so we don't recommend logging into the device unless you need to, for example, to perform a reimage.
Page 140
Default Access Control Policy. Figure 88: Policy Assignment Step 9 For the Subscription License, check each of the feature licenses you want to enable. Click Next. Figure 89: Subscription License
This section describes how to configure the firewall for onboarding using the CDO onboarding wizard. Cable the Firewall This topic describes how to connect the Firepower 2100 to your network so that it can be managed by CDO. Figure 91: Cabling the Firepower 2100 You can connect to CDO on any data interface or the Management interface, depending on which interface you set for manager access during initial setup.
Page 142
Step 2 Press the power switch on the back of the device. Step 3 Check the PWR LED on the front of the device; if it is solid green, the device is powered on.
Page 143
Step 4 Select Use CLI Registration Key as the onboarding method. Figure 92: Use CLI Registration Key Step 5 Enter the Device Name and click Next. Figure 93: Device Name
Page 144
You must copy this command and use it in the initial configuration of the threat defense. Figure 96: CLI Registration Key
configure manager add cdo_hostname registration_key nat_id display_name
Complete initial configuration at the CLI or using the device manager:...
Page 145
From the Inventory page, select the device you just onboarded and select any of the options listed under the Management pane located to the right. Perform Initial Configuration Perform initial configuration of the threat defense using the CLI or using the device manager.
Page 146
You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.
Page 147
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35...
Page 148
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Page 149
Configuration done with option to allow manager access from any network, if you wish to change the manager access network use the 'client' option in the command 'configure network management-data-interface'.
Setting IPv4 network configuration.
Network settings changed.
>
Page 150
IP address. You can configure PPPoE after you complete the wizard. Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.
Page 151
Other device manager configuration will not be retained when you register the device to CDO. Step 6 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 7 Configure the Management Center/CDO Details.
Page 152
For Do you know the Management Center/CDO hostname or IP address, click Yes. CDO generates the configure manager add command. See Onboard a Device with the Onboarding Wizard, on page 141 to generate the command.
Page 153
Click Add a Dynamic DNS (DDNS) method. DDNS ensures CDO can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense's IP address changes. See Device > System Settings > DDNS Service to configure DDNS.
If you configure DDNS before you add the threat defense to CDO, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Page 155
Choose Devices > Device Management, and click Edit ( ) for the firewall. Step 2 Click Interfaces. Figure 102: Interfaces Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
Page 156
QoS policies. e) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
Page 157
• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. Figure 105: IPv6 Tab f) Click OK. Step 4 Click Edit ( ) for the interface that you want to use for outside. The General tab appears.
Page 158
For example, add a zone called outside_zone. b) Click OK. Step 5 Click Save. Configure the DHCP Server Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
Page 159
The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself. • Enable DHCP Server—Enable the DHCP server on the selected interface. Step 4 Click OK.
Page 160
Name the policy, select the device(s) that you want to use the policy, and click Save. Figure 109: New Policy The policy is added to the management center. You still have to add rules to the policy.
Page 161
Figure 111: Basic Rule Options • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Page 162
Configure NAT Figure 112: Interface Objects Step 6 On the Translation page, configure the following options: Figure 113: Translation • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Page 163
Step 1 Choose Policy > Access Policy > Access Policy, and click Edit ( ) for the access control policy assigned to the threat defense. Step 2 Click Add Rule, and set the following parameters:...
Page 164
SSH access according to this section. You can SSH only to a reachable interface; if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface.
Page 165
For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interfaces list and click Add. You can also add loopback interfaces. These rules will be applied to a device only if the device includes the selected interfaces or zones. c) Click OK.
Page 166
For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all devices. Otherwise, for additional deployment options, click Advanced Deploy. Figure 117: Deploy All Figure 118: Advanced Deploy
Step 1 To log into the CLI, connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you may need a third party DB-9-to-USB serial cable to make the connection.
Page 168
Management > Manager Access - Configuration Details > Connection Status page. At the threat defense CLI, enter the sftunnel-status-brief command to view the management connection status. You can also use sftunnel-status to view more complete information.
Page 170
Check the internal interface status, statistics, and packet count. At the threat defense CLI, see information about the internal backplane interface, nlp_int_tap:
show interface detail
> show interface detail
[...]
Page 171
SI - Static InterVRF
Gateway of last resort is 10.89.5.1 to network 0.0.0.0
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside
> show nat
...
Page 172
At the threat defense CLI, check for a successful DDNS update:
debug ddns
> debug ddns
DDNS update request = /v3/update?hostname=domain.example.org&myip=209.165.200.225
Successfuly updated the DDNS sever with current IP addresses
DDNS: Another update completed, outstanding = 0
DDNS: IDB SB total = 0
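The debug ddns output above shows the request path the threat defense sends, and the notes earlier in this chapter explain that the device validates the DDNS server's certificate against the Cisco Trusted Root CA bundle before trusting the reply. The following is an added example, not code from this guide or from Cisco: the client side of that DynDNS Remote API exchange in Python, building the same /v3/update path with HTTP Basic credentials, a TLS context that refuses an unverified server, and a parser for the one-word reply codes so that a failed update (badauth, nohost, abuse) is surfaced instead of being treated as success. The hostname, address, credentials and User-Agent are constructed sample values, and no request is actually sent.

```python
from __future__ import annotations

import base64
import ipaddress
import ssl
from urllib.parse import urlencode

# Reply codes from the DynDNS Remote API specification the guide links to.
# "good" and "nochg" are followed by the address now on record; the rest are errors.
SUCCESS_CODES = {"good", "nochg"}
ERROR_CODES = {
    "badauth": "username or password rejected",
    "notfqdn": "hostname is not a fully-qualified domain name",
    "nohost": "hostname does not exist in this account",
    "numhost": "too many hostnames in one request",
    "abuse": "hostname blocked for abuse; stop retrying",
    "badagent": "client User-Agent rejected",
    "dnserr": "DNS error on the server side",
    "911": "server-side problem; retry no sooner than 30 minutes",
    "!yours": "hostname belongs to another account",
}


def build_update_request(hostname: str, myip: str, username: str, password: str) -> tuple[str, dict[str, str]]:
    """Return the request path and headers for one update.

    The path has the same shape as the 'DDNS update request = ...' line in the
    debug ddns output; myip is validated so a malformed address is never sent.
    """
    addr = ipaddress.ip_address(myip)  # raises ValueError on garbage input
    path = "/v3/update?" + urlencode({"hostname": hostname, "myip": str(addr)})
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        # The spec requires an identifying User-Agent; "badagent" comes back otherwise.
        "User-Agent": "example-ddns-client/1.0 ops@example.org",  # constructed value
    }
    return path, headers


def make_tls_context(cafile: str | None = None) -> ssl.SSLContext:
    """TLS settings matching the guide's point: the server certificate must chain to a trusted CA.

    cafile=None uses the system trust store; pass a CA bundle path to pin the trust anchors.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_update_response(body: str) -> tuple[bool, str, str | None]:
    """Classify the server's reply as (succeeded, code, address echoed back or None)."""
    parts = body.strip().split()
    if not parts:
        return False, "empty", None
    code = parts[0]
    if code in SUCCESS_CODES:
        echoed = parts[1] if len(parts) > 1 else None
        return True, code, echoed
    if code in ERROR_CODES:
        return False, code, None
    return False, "unknown:" + code, None


if __name__ == "__main__":
    path, headers = build_update_request("domain.example.org", "209.165.200.225", "user", "secret")
    print(path)
    for reply in ("good 209.165.200.225", "nochg 209.165.200.225", "badauth", "911"):
        ok, code, ip = parse_update_response(reply)
        print(f"{reply!r:30} -> ok={ok} code={code} ip={ip} {ERROR_CODES.get(code, '')}")
```

The useful defender's check is the last function: a DDNS client that only looks at the HTTP status will log an update as successful when the body says badauth or abuse, and the device's public name then silently goes stale.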
Page 173
When prompted, confirm that you want to shut down the device. Step 6 If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt:...
You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary. What's Next To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page.
Page 175
PART ASA Deployment with ASDM • ASA Appliance Mode Deployment with ASDM, on page 175 • ASA Platform Mode Deployment with ASDM and Chassis Manager, on page 195...
Page 177
ASA operating system using ASDM or the ASA CLI. This chapter describes how to deploy the Firepower 2100 in your network in ASA Appliance mode. By default, the Firepower 2100 runs in Appliance mode; to use Platform mode, see...
Page 178
• GTP/GPRS Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 2100 in Appliance Mode. However, you will need to modify your configuration. Also note some behavioral differences between the platforms. 1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
Page 179
Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. boot system commands: The ASA 5500-X allows up to four boot system commands. The Firepower 2100 in Appliance Mode only allows a single boot system command, so you should remove all but one command before you paste.
Page 180
See the following tasks to deploy and configure the ASA.
• Pre-Configuration: Install the firewall. See the hardware installation guide.
• Pre-Configuration: Review the Network Deployment and Default Configuration, on page 179.
• Pre-Configuration: Cable the Device, on page 181.
Page 181
IP address to be on a new network. • If you add the ASA to an existing inside network, you will need to change the inside IP address to be on the existing network.
Page 182
For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, Platform mode is maintained. The default factory configuration for the Firepower 2100 in Appliance mode configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) •...
Page 183
0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 management
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
Cable the Device
Page 184
ASA Deployment with ASDM Power on the Firewall Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet 1/1 as outside. Procedure Step 1 Install the chassis. See the hardware installation guide. Step 2 Connect your management computer to either of the following interfaces: •...
This command does not clear the currently-set mode, Appliance or Platform, for the Firepower 2100.
Example:
ciscoasa(config)# configure factory-default 10.1.1.151 255.255.255.0
Based on the management IP address and mask, the DHCP address pool size is reduced to 103 from the platform limit 256
ASA, connect to a management-only interface, or connect to an interface not configured for a strong encryption feature. Before you begin • See the ASDM release notes on Cisco.com for the requirements to run ASDM.
ASA does not automatically forward an HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
Page 188
Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Essentials license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
Page 189
On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
• Description
• Expire After—Cisco recommends 30 days.
• Max. Number of Uses
Page 190
Keep this token ready for later in the procedure when you need to register the ASA. Figure 121: View Token Figure 122: Copy Token Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing. Step 4 Click Register.
Page 191
You can optionally check the Force registration check box to register the ASA that is already registered, but that might be out of sync with the Smart Software Manager. For example, use Force registration if the ASA was accidentally removed from the Smart Software Manager. Step 6 Click Register.
Page 192
2. Step 8 Click Apply. Step 9 Click the Save icon in the toolbar. Step 10 Quit ASDM and relaunch it. When you change licenses, you need to relaunch ASDM to show updated screens.
Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Step 2 The Startup Wizard walks you through configuring: • The enable password • Interfaces, including setting the inside and outside interface IP addresses and enabling interfaces. • Static routes...
FXOS failsafe mode. All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged EXEC mode, enter the disable, exit, or quit command.
Type help or '?' for a list of available commands.
ciscoasa#
What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide.
Page 196
ASA Deployment with ASDM: What's Next?
Page 197
This chapter describes how to deploy the Firepower 2100 in your network in ASA Platform mode. By default, the Firepower 2100 runs in Appliance mode, so this chapter tells you how to set the mode to Platform mode. This chapter does not cover the following deployments, for which you should refer to the...
The ASA provides advanced stateful firewall and VPN concentrator functionality in one device. The Firepower 2100 is a single-application appliance for the ASA. You can run the ASA in either Platform mode or Appliance mode (the default). The Firepower 2100 runs an underlying operating system called the FXOS.
Page 199
You can also allow FXOS management from ASA data interfaces; configure SSH, HTTPS, and SNMP access. This feature is useful for remote management. Unsupported Features Unsupported ASA Features The following ASA features are not supported on the Firepower 2100: • Integrated Routing and Bridging • Redundant interfaces • Clustering •...
Note that when you connect to the ASA console from FXOS (connect asa), then ASA AAA configuration for console access applies (aaa authentication serial console). End-to-End Procedure See the following tasks to deploy and configure the ASA.
Page 201
ASA Deployment with ASDM: End-to-End Procedure
Page 202
FXOS remote management; allow FXOS to initiate management connections from an ASA interface. Chassis Manager (Optional) Configure Management Access for FXOS on Data Interfaces, on page 224: Configure access lists to allow your management addresses; enable SNMP (HTTPS and SSH are enabled by default).
Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 2100 using the default configuration in ASA Platform mode. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
Page 204
Firepower 2100 Platform Mode Default Configuration You can set the Firepower 2100 to run in Platform mode; Appliance mode is the default. Note: For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, this mode is maintained.
Page 205
208.67.222.222 outside
name-server 208.67.220.220 outside
FXOS Configuration
The default factory configuration for FXOS on the Firepower 2100 configures the following:
• Management 1/1—IP address 192.168.45.45
• Default gateway—ASA data interfaces
• Chassis Manager and SSH access—From the management network only.
Connect your management computer to the console port. You need to access the ASA CLI to change from Appliance mode to Platform mode. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection.
Enable Platform Mode The Firepower 2100 runs in Appliance mode by default. This procedure tells you how to change the mode to Platform mode, and optionally how to change it back to Appliance mode.
Page 208
Procedure Step 1 Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system.
Page 209
WARNING: This command will take effect after the running-config is saved and the system has been rebooted.
Command accepted.
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: c0532471 648dc7c2 4f2b4175 1f162684
23736 bytes copied in 1.520 secs (23736 bytes/sec)
[OK]
(Optional) Change the FXOS and ASA Management IP Addresses or Gateway You can change the FXOS management IP address on the Firepower 2100 chassis from the FXOS CLI. The default address is 192.168.45.45. You can also change the default gateway for FXOS management traffic.
Page 211
Configure an IPv6 management IP address and gateway.
a) Set the scope for fabric-interconnect a, and then the IPv6 configuration.
scope fabric-interconnect a
scope ipv6-config
Example:
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # scope ipv6-config
firepower-2110 /fabric-interconnect/ipv6-config #
Page 212
View the current access lists.
show ip-block
Example:
firepower-2110 /system/services # show ip-block
Permitted IP Block:
    IP Address      Prefix Length Protocol
    --------------- ------------- --------
    192.168.45.0    24            https
    192.168.45.0    24            ssh
firepower-2140 /system/services #
c) Add new access lists.
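The show ip-block output above is the complete list of source networks FXOS will accept chassis-manager (https), SSH and SNMP connections from, so it is worth auditing after the access lists are changed for remote management later in this chapter. The following is an added example, not from this guide or from Cisco: a Python parser for that output with two checks a reviewer would run, whether a given management host is actually permitted for a service, and which entries permit more sources than a management network should. The sample output is constructed here, modelled on the rows above; the 10.0.0.0/8 and 0.0.0.0/0 rows are added only to exercise the audit, and the 256-address threshold is an assumption.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the show ip-block output in the guide. The two
# 192.168.45.0/24 rows are the default entries; the last two rows are added here
# to exercise the audit and are not part of any default configuration.
SAMPLE_SHOW_IP_BLOCK = """\
Permitted IP Block:
    IP Address      Prefix Length Protocol
    --------------- ------------- --------
    192.168.45.0    24            https
    192.168.45.0    24            ssh
    10.0.0.0        8             snmp
    0.0.0.0         0             https
"""


@dataclass(frozen=True)
class IpBlock:
    network: ipaddress.IPv4Network
    protocol: str


# One data row: dotted-quad address, prefix length, FXOS service name.
# The header and dashed separator lines do not match and are skipped.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,2})\s+(https|ssh|snmp)\s*$")


def parse_ip_block(text: str) -> list[IpBlock]:
    """Parse the rows of show ip-block into network/protocol pairs."""
    blocks: list[IpBlock] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            addr, prefix, proto = m.groups()
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            blocks.append(IpBlock(net, proto))
    return blocks


def is_permitted(blocks: list[IpBlock], host: str, protocol: str) -> bool:
    """True if a management host would be allowed to reach the given FXOS service."""
    ip = ipaddress.ip_address(host)
    return any(b.protocol == protocol and ip in b.network for b in blocks)


def overly_broad(blocks: list[IpBlock], max_hosts: int = 256) -> list[IpBlock]:
    """Entries that admit more than max_hosts source addresses (threshold is an assumption)."""
    return [b for b in blocks if b.network.num_addresses > max_hosts]


if __name__ == "__main__":
    blocks = parse_ip_block(SAMPLE_SHOW_IP_BLOCK)
    for b in blocks:
        print(f"{str(b.network):20} {b.protocol}")
    print("admin host allowed for https:", is_permitted(blocks, "192.168.45.7", "https"))
    for b in overly_broad(blocks):
        print(f"review: {b.network} {b.protocol} admits {b.network.num_addresses} sources")
```

Run the same parser against the output after adding entries with enter ip-block: the 0.0.0.0/0 row is the one to look for, since it turns "from the management network only" into "from anywhere the interface is reachable".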
Page 213
You can also enable and disable the DHCP server in the chassis manager at Platform Settings > DHCP.
Example:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # enable dhcp-server 192.168.4.10 192.168.4.20
Step 7 Save the configuration.
Page 214
Change the network that can access ASDM.
no http 192.168.45.0 255.255.255.0 management
http ip_address mask management
Example:
ciscoasa(config)# no http 192.168.45.0 255.255.255.0 management
ciscoasa(config)# http 10.86.118.0 255.255.255.0 management
d) Save the configuration.
write memory
• For information on supported browsers, refer to the release notes for the version you are using (see http://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-release-notes-list.html). • If you need to change the FXOS and ASA management IP addresses, see (Optional) Change the FXOS and ASA Management IP Addresses or Gateway, on page 208.
• (local-mgmt)# show lacp • (local-mgmt)# show portchannel See the FXOS troubleshooting guide for more information. Before you begin • Log into the chassis manager. See (Optional) Log Into the Chassis Manager, on page 213.
Page 217
(Optional) Enable Additional Interfaces in the Chassis Manager • The Firepower 2100 supports EtherChannels in Link Aggregation Control Protocol (LACP) Active or On mode. By default, the LACP mode is set to Active; you can change the mode to On at the CLI. We suggest setting the connecting switch ports to Active mode for the best compatibility.
• management_ip—Identifies the IP address or host name of the ASA management interface (192.168.45.1). The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
• Security Contexts • Strong Encryption (3DES/AES)—If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account. • Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only.
Page 220
Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Essentials license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
Page 221
Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.
Page 223
You can optionally check the Force registration check box to register the ASA that is already registered, but that might be out of sync with the Smart Software Manager. For example, use Force registration if the ASA was accidentally removed from the Smart Software Manager. Step 6 Click Register.
Page 224
2. Step 8 Click Apply. Step 9 Click the Save icon in the toolbar. Step 10 Quit ASDM and relaunch it. When you change licenses, you need to relaunch ASDM to show updated screens. Cisco Firepower 2100 Getting Started Guide...
Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Step 2 The Startup Wizard walks you through configuring: • The enable password • Interfaces, including setting the inside and outside interface IP addresses and enabling interfaces. • Static routes
(Optional) Configure Management Access for FXOS on Data Interfaces
If you want to manage FXOS on the Firepower 2100 from a data interface, then you can configure SSH, HTTPS, and SNMP access. This feature is useful if you want to manage the device remotely, but you want to keep Management 1/1, which is the native way to access FXOS, on an isolated network.
SSH.
Connect to the Console Port to Access FXOS and ASA CLI
The Firepower 2100 console port connects you to the FXOS CLI. From the FXOS CLI, you can then connect to the ASA console, and back again. You can only have one console connection at a time. When you connect to the ASA console from the FXOS console, this connection is a persistent console connection, unlike a Telnet or SSH connection.
Procedure
Step 1 Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third-party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system.
Password: Admin123
Last login: Sat Jan 23 16:20:16 UTC 2017 on pts/1
Successful login attempts for user 'admin' : 4
Cisco Firepower Extensible Operating System (FX-OS) Software
[…]
firepower-2110#
firepower-2110# exit
Remote card closed command session. Press any key to continue.
ASA Deployment with ASDM
History for the Firepower 2100 in Platform Mode
Feature Name: The default mode changed to Appliance
Version: 9.13(1)
Feature Information: With the introduction of Appliance mode, the default mode was changed to Appliance mode. In earlier releases, the only mode available was Platform mode.
