Device Management

This guide applies to an on-premises Secure Firewall Management Center, either as your primary manager or as an analytics-only manager. When using the Cisco Security Cloud Control (Security Cloud Control) Cloud-Delivered Firewall Management Center as your primary manager, you can use an on-prem Firewall Management Center for analytics. Do not use this guide for cloud-delivered Firewall Management Center management; see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Security Cloud Control.

You can manage devices in the Secure Firewall Management Center.

Log Into the Command-Line Interface on the Device

You can log directly into the command-line interface on Firewall Threat Defense devices. If this is your first time logging in, complete the initial setup process using the default admin user; see Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI.


Note


If a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.


Before you begin

  • Create additional user accounts that can log into the CLI using the configure user add command.

  • If you get unreadable characters when connecting to the console port, verify the port settings. If they are correct, try the cable with another device using the same settings. If the cable is good, you might need to replace the hardware for the console port. Also consider trying a different workstation to make the connection.

Procedure


Step 1

Connect to the Firewall Threat Defense CLI, either from the console port or using SSH.

You can SSH to the management interface of the Firewall Threat Defense device. You can also connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. See SSH Access to allow SSH connections to specific data interfaces.

For physical devices, you can directly connect to the console port on the device. See the hardware guide for your device for more information about the console cable. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

The CLI on the console port is FXOS (with the exception of the ISA 3000, where it is the regular Firewall Threat Defense CLI). Use the Firewall Threat Defense CLI for basic configuration, monitoring, and normal system troubleshooting. See the FXOS documentation for information on FXOS commands.

Step 2

Log in with the admin username and password.

Example:


firepower login: admin
Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1

firepower# 

Step 3

If you used the console port, access the Firewall Threat Defense CLI.

connect ftd

Note

This step does not apply to the ISA 3000.

Example:


firepower# connect ftd
>

Step 4

At the CLI prompt (>), use any of the commands allowed by your level of command line access.

To return to FXOS on the console port, enter exit.

Step 5

(Optional) If you used SSH, you can connect to FXOS.

connect fxos

To return to the Firewall Threat Defense CLI, enter exit.

Step 6

(Optional) Access the diagnostic CLI:

system support diagnostic-cli

Use this CLI for advanced troubleshooting. This CLI includes additional show and other commands.

This CLI has submodes: user EXEC mode, privileged EXEC mode, and recovery-config mode. More commands are available in privileged EXEC mode than user EXEC mode. To enter privileged EXEC mode, enter the enable command; press enter without entering a password when prompted.

Example:


> system support diagnostic-cli
firepower> enable
Password:
firepower#

To use recovery-config mode, see Access Recovery-Config Mode in the Diagnostic CLI.

To return to the regular CLI, type Ctrl-a, d.


Manage Devices

Register and unregister devices to the Firewall Management Center.

About the Device Management Page

The Devices > Device Management page provides you with a range of information and options.

  • View By—View devices based on group, licenses, model, version, or access control policy.

  • Device State—View devices based on state (Error, Warning, etc.). You can click a state icon to view the devices in that state. The number of devices in each state is shown in brackets.

  • Search Device—Search for a device by device name, host name, or IP address.

  • Add—Add devices and other manageable components.

  • Columns—Click the column head to sort by that column.

    • Name

    • Model

    • Version

    • Chassis—For supported models, click Manage to bring up the integrated Chassis Manager. For the Firepower 4100/9300, the link cross-launches the Firewall Chassis Manager.

    • Licenses

    • Access Control Policy—Click on the link in the Access Control Policy column to view the policy that is deployed to the device.

    • Auto-Rollback—Shows whether auto-rollback of the configuration is enabled (auto rollback on icon) or disabled (auto rollback off icon) if the deployment causes the management connection to go down. See Edit Deployment Settings.

  • Edit—For each device, use the Edit (edit icon) icon to edit the device settings.

    You can also just click on the device name or IP address.

  • More—For each device, click the More (more icon) icon to execute other actions:

    • Packet Tracer—To navigate to the packet tracer page for examining policy configuration on the device by injecting a model packet into the system.

    • Packet Capture—To navigate to the packet capture page, where you can view the verdicts and actions the system takes while processing a packet.

    • Revert Upgrade—To revert the upgrade and the configuration changes that were made after the last upgrade. This action restores the device to the version that was running before the upgrade.

    • Health Monitor—To navigate to the device's health monitoring page.

    • Troubleshoot Files—Generate troubleshooting files, where you can choose the type of data to be included in the report.

    • Generate Template from Device—Generate a new device template from a registered device. The new template has the same configuration as the device from which it is generated. You can generate a new device template from standalone and HA devices. However, if you generate a template from HA devices, the new template will not contain the failover configurations.

Add a Device Group

The Firewall Management Center allows you to group devices so you can easily deploy policies and install updates on multiple devices. You can expand and collapse the list of devices in the group.

If you add the primary device in a high-availability pair to a group, both devices are added to the group. If you break the high-availability pair, both devices remain in that group.

Groups are not supported in a multidomain environment.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

From the Add drop-down menu, choose Add Group.

To edit an existing group, click Edit (edit icon) for the group you want to edit.

Step 3

Enter a Name.

Step 4

Under Available Devices, choose one or more devices to add to the device group. Use Ctrl or Shift while clicking to choose multiple devices.

Step 5

Click Add to include the devices you chose in the device group.

Step 6

Optionally, to remove a device from the device group, click Delete (delete icon) next to the device you want to remove.

Step 7

Click OK to add the device group.


Register With a New Management Center

This procedure shows how to register with a new Firewall Management Center. You should perform these steps even if the new Firewall Management Center uses the old Firewall Management Center's IP address.

Procedure


Step 1

On the old Firewall Management Center, if present, delete the managed device.

You cannot change the Firewall Management Center IP address if you have an active connection with the Firewall Management Center.

Step 2

Connect to the device CLI, for example using SSH.

Step 3

Configure the new Firewall Management Center.

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} regkey [nat_id] [display_name]

  • {hostname | IPv4_address | IPv6_address}—Sets the Firewall Management Center hostname, IPv4 address, or IPv6 address.

  • DONTRESOLVE—If the Firewall Management Center is not directly addressable, use DONTRESOLVE instead of a hostname or IP address. If you use DONTRESOLVE, then a nat_id is required. When you add this device to the Firewall Management Center, make sure that you specify both the device IP address and the nat_id; one side of the connection needs to specify an IP address, and both sides need to specify the same, unique NAT ID.

  • regkey—Make up a registration key to be shared between the Firewall Management Center and the device during registration. You can choose any text string for this key between 1 and 37 characters; you will enter the same key on the Firewall Management Center when you add the Firewall Threat Defense.

  • nat_id—Make up an alphanumeric string from 1 to 37 characters used only during the registration process between the Firewall Management Center and the device when one side does not specify an IP address. This NAT ID is a one-time password used only during registration. Make sure the NAT ID is unique, and not used by any other devices awaiting registration. Specify the same NAT ID on the Firewall Management Center when you add the Firewall Threat Defense.

  • display_name—Provide a display name for showing this manager with the show managers command. This option is useful if you are identifying Security Cloud Control as the primary manager and an on-prem Firewall Management Center for analytics only. If you don't specify this argument, the firewall auto-generates a display name using one of the following methods:

    • hostname | IP_address (if you don't use the DONTRESOLVE keyword)

    • manager-timestamp

Example:


> configure manager add DONTRESOLVE abc123 efg456
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

>

Step 4

Add the device to the Firewall Management Center.
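The following Python script is added here as an example; it is not part of the Cisco documentation or product. It builds and lints configure manager add commands for a batch of devices using the rules above (registration key length, the NAT ID requirement with DONTRESOLVE, and NAT ID uniqueness across devices awaiting registration). The device names, addresses and the hostname pattern are constructed.

```python
"""Build and lint `configure manager add` commands for Firewall Threat Defense onboarding.

Added example, not Cisco code. It applies the argument rules from the procedure:
regkey is 1-37 characters; nat_id is 1-37 alphanumeric characters and is mandatory
with DONTRESOLVE; a NAT ID must not be reused by another device awaiting
registration. Device names, addresses and the hostname pattern are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

MAX_LEN = 37                                 # limit for regkey and nat_id per the procedure
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")       # nat_id must be alphanumeric
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")  # loose hostname check (an assumption)


def manager_token(manager: str) -> str:
    """Normalise the manager argument: DONTRESOLVE, an IP literal, or a hostname."""
    if manager == "DONTRESOLVE":
        return manager
    try:
        return str(ipaddress.ip_address(manager))
    except ValueError:
        if not _HOSTNAME.match(manager):
            raise ValueError(f"not a hostname or IP address: {manager!r}")
        return manager


def validate_args(manager: str, regkey: str, nat_id: Optional[str]) -> None:
    """Raise ValueError when the arguments break a rule stated in the procedure."""
    if not 1 <= len(regkey) <= MAX_LEN:
        raise ValueError("regkey must be 1-37 characters")
    if manager == "DONTRESOLVE" and nat_id is None:
        raise ValueError("DONTRESOLVE requires a nat_id")
    if nat_id is not None and not (1 <= len(nat_id) <= MAX_LEN and _ALNUM.match(nat_id)):
        raise ValueError("nat_id must be 1-37 alphanumeric characters")


def build_command(manager: str, regkey: str, nat_id: Optional[str] = None,
                  display_name: Optional[str] = None) -> str:
    """Return the line to enter on the device; the same regkey and nat_id go on the FMC side."""
    token = manager_token(manager)
    validate_args(token, regkey, nat_id)
    if display_name is not None and nat_id is None:
        raise ValueError("arguments are positional: display_name needs a nat_id before it")
    parts = ["configure manager add", token, regkey]
    parts += [arg for arg in (nat_id, display_name) if arg is not None]
    return " ".join(parts)


def parse_command(line: str) -> Dict[str, Optional[str]]:
    """Split a `configure manager add` line back into its positional arguments."""
    words = line.split()
    if words[:3] != ["configure", "manager", "add"] or not 5 <= len(words) <= 7:
        raise ValueError(f"not a complete configure manager add line: {line!r}")
    args = words[3:] + [None] * (7 - len(words))
    return {"manager": args[0], "regkey": args[1], "nat_id": args[2], "display_name": args[3]}


def lint_bootstrap(commands: Dict[str, str]) -> List[str]:
    """Check one command per device; returns findings, empty when the batch is clean."""
    findings: List[str] = []
    parsed: Dict[str, Dict[str, Optional[str]]] = {}
    for device, line in commands.items():
        try:
            args = parse_command(line)
            validate_args(manager_token(args["manager"]), args["regkey"], args["nat_id"])
            parsed[device] = args
        except ValueError as exc:
            findings.append(f"{device}: {exc}")
    # The procedure requires every NAT ID to be unique among devices awaiting registration.
    counts = Counter(a["nat_id"] for a in parsed.values() if a["nat_id"])
    for nat_id, n in counts.items():
        if n > 1:
            owners = sorted(d for d, a in parsed.items() if a["nat_id"] == nat_id)
            findings.append(f"NAT ID {nat_id!r} reused by {', '.join(owners)}")
    return findings


# Constructed sample batch: branch-a/branch-b share a NAT ID, branch-c omits it behind
# DONTRESOLVE, and dc has an over-long registration key.
SAMPLE_BATCH = {
    "branch-a": "configure manager add DONTRESOLVE abc123 efg456",
    "branch-b": "configure manager add DONTRESOLVE abc123 efg456",
    "branch-c": "configure manager add DONTRESOLVE abc123",
    "hq": "configure manager add 10.0.0.5 abc123",
    "dc": "configure manager add 10.0.0.5 " + "k" * 38,
}
```

Running lint_bootstrap(SAMPLE_BATCH) reports the missing NAT ID, the over-long key and the reused NAT ID before any of the commands are pasted into a device.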


Shut Down or Restart the Device

It's important that you shut down your system properly. Simply unplugging the power or pressing the power switch can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall.

See the following task to shut down or restart your system properly.


Note


After restarting your device, you may see an error that the management connection could not be reestablished. In some cases, the connection is attempted before the Management interface on the device is ready. The connection will be retried automatically and should come up within 15 minutes.


Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device that you want to restart, click Edit (edit icon).

Step 3

Click Device.

Step 4

To restart the device:

  1. Click Restart Device (restart device icon).

  2. When prompted, confirm that you want to restart the device.

Step 5

To shut down the device:

  1. Click Shut Down Device (shut down device icon) in the System section.

  2. When prompted, confirm that you want to shut down the device.

  3. If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt:

    
    System is stopped.
    It is safe to power off now.
    Do you want to reboot instead? [y/N]
    

    If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.

    For the ISA 3000, when shutdown is complete, the System LED will turn off. Wait at least 10 seconds before you remove the power.


Download the Managed Device List

You can download a report of all the managed devices.

Before you begin

To perform the following task, you must be an Admin user.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Click the Download Device List Report link.

Step 3

You can download the device list in CSV or PDF format. Choose Download CSV or Download PDF to download the report.


Migrate Firewall Threat Defense Devices

The Secure Firewall Threat Defense model migration wizard enables you to migrate configurations from an earlier Firewall Threat Defense model. After the migration, all routing and interface configurations from the source Firewall Threat Defense device are available in the target Firewall Threat Defense.

The wizard supports multiple models as source and target devices. For more information, see Supported Devices for Migration.

When you migrate Firepower 4100 and 9300 Series devices to the supported models, you can now configure interface attributes according to your requirements. You can map the source device interfaces to the target device interfaces. The migration locks the source and target devices.

Supported Devices for Migration

Supported Source Devices
  • Cisco Firepower 1120

  • Cisco Firepower 1140

  • Cisco Firepower 1150

  • Cisco Firepower 2110

  • Cisco Firepower 2120

  • Cisco Firepower 2130

  • Cisco Firepower 2140

  • Cisco Firepower 4110

  • Cisco Firepower 4120

  • Cisco Firepower 4140

  • Cisco Firepower 4150

  • Cisco Firepower 9300 Series SM-24

  • Cisco Firepower 9300 Series SM-36

  • Cisco Firepower 9300 Series SM-44


Note


The source devices must be Version 7.2.x and later.


Supported Target Devices
  • Cisco Secure Firewall 3105

  • Cisco Secure Firewall 3110

  • Cisco Secure Firewall 3120

  • Cisco Secure Firewall 3130

  • Cisco Secure Firewall 3140

  • Cisco Firepower 4215

  • Cisco Firepower 4225

  • Cisco Firepower 4245


Note


The target devices must be Version 7.4.1 and later.


Supported Migration Paths

The following table lists the supported target Firewall Threat Defense models that you can migrate to from your source Firewall Threat Defense model.

Source Model                          Target Model
                                      3100 Series   4200 Series   Instance in 3100   Instance in 4200
Firepower 1100 Series                 Yes           -             -                  -
Firepower 2100 Series                 Yes           -             -                  -
Firepower 4100 Series                 Yes           Yes           -                  -
Firepower 9300 Series                 Yes           Yes           -                  -
Instance from Firepower 4100 Series   -             -             Yes                Yes
Instance from Firepower 9300 Series   -             -             Yes                Yes

Target model columns: 3100 Series = Cisco Secure Firewall 3100 Series; 4200 Series = Cisco Secure Firewall 4200 Series; Instance in 3100 = Instance in Secure Firewall 3100 Series; Instance in 4200 = Instance in Secure Firewall 4200 Series.

License for Migration

  • Your Smart Licensing account must have the license entitlements for the target device.

  • You must register and enroll the device with the Smart Licensing account. The migration copies the source device licenses to the target device.

Prerequisites for Migration

  • General device prerequisites

    • Register the source and the target devices to the Firewall Management Center.

    • Ensure that the target device is a newly registered device without any configurations.

    • Source and target devices must be in the same state and modes:

      • Domain

      • Firewall mode: Routed or Transparent

      • Compliance mode (CC or UCAPL)

      • Management state

        Devices must have the same type of manager access interfaces (management interface or data interface).

      • Multi-instance mode or appliance mode

    • Ensure that you have permission for modifications on the devices.

    • Ensure that the configurations on the source device are valid and have no errors.

    • Deployment, import, or export tasks must not run on either of the devices during the migration. The source device can have pending deployments.

  • Prerequisites for change management

    • Ensure that source and target devices are not locked by a change management ticket.

    • Ensure that shared policies assigned to the source device are not locked by a change management ticket.

  • Prerequisites for HA devices

    • Migrate a device only from an active Firewall Management Center.

  • Prerequisites for devices in multi-instance mode

    • Ensure that the source and target devices are in multi-instance mode.

    • Manually migrate the chassis configurations. Create instances before migrating the instance configuration to the target instances. The target device must have compatible interfaces. For example, on the target device, you must create EtherChannel interfaces, and also create tagged, untagged, dedicated, or shared interfaces for these interfaces on the target device.

  • Prerequisite for devices with out-of-band configurations

    • Ensure that you acknowledge out-of-band changes and match the configurations within the Firewall Management Center. You cannot migrate devices with these configurations. To view out-of-band configurations:

      1. Choose Devices > Device Management.

      2. Click the edit icon next to the device and click the Interfaces tab.

  • Prerequisites for devices with manager access interfaces

    Ensure that the devices are not in Data Transit or Management Transit states. You cannot migrate if devices are in these states.

    • Data Transit state: Device state when the manager access interface changes from data interface to management interface without deploying the changes on the device.

    • Management Transit state: Device state when the manager access interface changes from management interface to data interface without deploying the changes on the device.

  • Prerequisite for devices with merged management and diagnostic interfaces

    Ensure that the target device is always in merged mode.

What Configurations Does the Wizard Migrate?

The migration wizard copies the following configurations from the source device to the target device:

  • Licenses

  • Interface configurations

  • Inline sets configurations

  • Routing configurations

  • DHCP and DDNS configurations

  • Virtual router configurations

  • Policies

  • Associated objects and object overrides

  • Platform settings

  • Remote branch deployment configurations

The migration wizard copies the following policy configurations from the source device to the target device:

  • Health policy

  • NAT policy

  • QoS policy

  • Remote access VPN policy

  • FlexConfig policy

  • Access control policy

  • Prefilter policy

  • IPS policy

  • DNS policy

  • SSL policy

  • Malware and File policy

  • Identity policy

  • Shared policy

The migration wizard copies the following routing configurations from the source device to the target device:

  • ECMP

  • BFD

  • OSPFv2/v3

  • EIGRP

  • RIP

  • BGP

  • Policy Based Routing

  • Static Route

  • Multicast Routing

  • Virtual Router

The migration wizard copies the following interfaces from the source device to the target device:

  • Physical interfaces

  • Sub-interfaces

  • EtherChannel interfaces

    • On a standalone device, the wizard copies the EtherChannels from the source device to the target device.

    • For devices in multi-instance mode, you must create EtherChannels on the chassis and assign them to the instance.

  • Bridge group interfaces

  • VTI interfaces

  • VNI interfaces

  • Loopback interfaces

  • Inline interfaces

  • VXLAN tunnel endpoint (VTEP) interfaces

The migration wizard retains the device group of the target device.

Guidelines and Limitations for Migration

Guidelines
  • For devices in multi-instance mode:

    During migration, ensure that you map the interfaces according to the table below:

    Source Device                          Target Device
    Physical interface                     Physical interface
    EtherChannel interface                 EtherChannel interface
    Supervisor-provisioned subinterface    Supervisor-provisioned subinterface
    Tagged interface                       Tagged interface
    Untagged interface                     Untagged interface
    Shared interface                       Shared and dedicated interface
    Dedicated interface                    Dedicated interface

    You cannot map a supervisor-provisioned subinterface to a subinterface created by an instance.

  • For HA devices, you can migrate:

    • Source HA device to target HA device.

    • Source HA device to target standalone device.

  • For devices in remote branch deployment:

    • Map the source manager access interface to the target manager access interface.

    • Ensure that the manager access interfaces of the source and target Firewall Management Centers are of the same IP address type (static or DHCP).

    • Both manager access interfaces must have IPv4 or IPv6 addresses.

    • If the manager access interfaces have static IP addresses, ensure that they are in the same subnet.

  • For Snort:

  • For devices using diagnostic interfaces:

    Only merged management interfaces are available on the target devices after migration.

Limitations
  • The migration wizard does not migrate:

    • Site-to-site VPN policies

    • SNMP device configurations for Firepower 2100 Series

      After the migration, you can configure SNMP using the platform settings for the device.

  • You can perform only one migration at a time.

  • Remote access VPN trustpoint certificates are not enrolled after migration.

  • For HA devices:

    • Target device: You cannot migrate a standalone device to an HA device.

  • Clustering is not supported.

  • For devices in remote branch deployment:

    • The wizard does not migrate a single WAN manager access data interface to a dual WAN manager access data interface.

Migrate a Secure Firewall Threat Defense

Before you begin

Ensure you review Prerequisites for Migration and Guidelines and Limitations for Migration.

Procedure

Step 1

Choose Firewall Devices > Device Management.

Step 2

Click Migrate in the top right corner of the page.

Step 3

In Select source and target devices:

  1. From the Source device drop-down list, choose a device.

  2. From the Target device drop-down list, choose a device.

The source and target devices can have these tags:

  • Routed: Devices in routed firewall mode.

  • Transparent: Devices in transparent firewall mode.

  • Container: Devices in multi-instance mode.

  • High Availability: Devices in high availability mode.

  • Analytics Only: Devices managed by Security Cloud Control, where the Firewall Management Center only receives and displays the events (analytics-only Firewall Management Center).

If the device is part of an HA pair, only the HA pair name appears.

Step 4

Click Next.

Step 5

(Only for Firepower 4100 and 9300 Series devices in appliance mode) In Chassis manager details:

  1. Check the Skip chassis manager check box, if required.

  2. In the Chassis hostname or IP address field, enter the values.

    Note

    • Verify that the Secure Firewall Chassis Manager is reachable from the Firewall Management Center.

    • Ensure you select the correct chassis manager for the source device, as Firewall Management Center does not validate your choice.

  3. Click Verify certificate to verify the chassis manager's certificate.

  4. In the Username and Password fields, enter the credentials of the chassis manager.

Step 6

Click Next.

Step 7

In Configure interfaces:

By default, the source and target interfaces are mapped using the interface hardware name. You must map named interfaces, logical interfaces, and interfaces that are part of other interfaces. Mapping of all other interfaces is not mandatory. The wizard creates the logical interfaces according to the interface mapping that you provide.

You cannot map interfaces that are part of an HA failover configuration. These interfaces are disabled in the wizard.

Only data interfaces are available for interface mapping. Management, eventing, and diagnostic interfaces are not available for the interface mapping.

Firepower 4100 and 9300 Series devices in appliance mode:

For these devices, the Firewall Management Center fetches interface attributes such as speed, duplex, and auto-negotiation from the chassis manager.

  1. Click one of the following options to configure these interface attributes on the target device:

    • Retain target device values: (Default) Retains the interface attributes configured on the target device.

    • Copy from source device: Copies the interface attributes from the source device.

      This option is enabled only when Firewall Management Center successfully connects to the chassis manager. We recommend that you use this option. The speed, duplex, and auto-negotiation values of physical interfaces are set to default values if they are incompatible in the target device.

    • Customize device values: Allows you to configure the values of the required interface attributes on the target device.

  2. To change the interface mapping from the default ones, choose an interface from the Mapped interface drop-down list.

  3. For EtherChannels, you can configure interface attributes and click Add member interface to add member interfaces.

    The interface attributes of an EtherChannel are configured based on the first member interface's attributes. You can add up to 16 member interfaces.

Firepower 1100 and 2100 Series devices, and Firepower 4100 and 9300 Series devices in multi-instance mode:

For these devices, you must map the source device interfaces to target device interfaces.

For Firepower 4100 and 9300 Series devices in multi-instance mode, you can only perform the interface mapping and you cannot configure the interface attributes such as speed, duplex, auto-negotiation, and FEC mode.

If you want to change the interface mapping from the default ones, choose an interface from the Mapped interface drop-down list.

Click Reset to configure the default interface mappings. For example, the wizard maps Ethernet1/1 in the source device to Ethernet1/1 in the target device.

The interfaces can have the following tags:

  • Tagged: Physical interfaces on the chassis.

  • Untagged: Physical interfaces on the chassis that have sub-interfaces.

  • Dedicated: Interfaces that are assigned to specific instances and are not shared across multiple instances.

  • Shared: Interfaces that are shared by multiple instances.

  • Manager access: Data interface is the manager access interface.

Check the Ignore warning check box, if required.

Step 8

Click Next.

Step 9

Click Submit to start the migration.

Step 10

View the migration status on the Notifications > Tasks page.

A Device Model Migration report is generated after the migration is completed. You will see a link to this report in the Notifications > Tasks page.


What to do next

After a successful migration, you must complete these tasks:

In case of a migration failure, the target device is rolled back to the initial state.

Best Practices for Threat Defense Device Migration

After a successful migration, we recommend that you perform the following actions before the deployment:

  • IP addresses of the interfaces are copied to the target device from the source device. Change the IP addresses of the target device interfaces if the source device is live.

  • Ensure that you update your NAT policies with the modified IP addresses.

  • Configure the interface speeds if they are set to default values after migration.

  • Re-enroll the device certificates, if any, on the target device.

  • (Optional) Configure SNMP for Firepower 1100 and 2100 using the platform settings for the device.

  • (Optional) Configure remote branch deployment configurations.

    If the source or target device had manager access through a data interface, after the migration, the manager access will be lost. Update the manager access configuration on the target device. For more information, see the Change the Manager Access Interface from Management to Data topic in the Cisco Secure Firewall Management Center Device Configuration Guide or the Online Help.

  • Configure site-to-site VPN, if required. These configurations are not migrated from the source device.

  • View the deployment preview before the deployment. Choose Deploy > Advanced Deploy and click the Preview (preview icon) icon for the device.

  • Monitor the health of the device in the health monitor (choose Troubleshooting > Health > Monitor). After migration, the health policy of the source device becomes the health policy of the target device. You can also configure a new health policy for the device.

    After migration, the device monitoring dashboard may temporarily display redundant colored lines because the device has different UUIDs before and after migration. This redundancy appears only during the migration time. An hour after migration, the dashboard will show a single line per metric.

Hot Swap an SSD on the Secure Firewall 3100/4200

If you have two SSDs, they form a RAID when you boot up. You can perform the following tasks at the Firewall Threat Defense CLI while the firewall is powered up:

  • Hot swap one of the SSDs—If an SSD is faulty, you can replace it. Note that if you only have one SSD, you cannot remove it while the firewall is powered on.

  • Remove one of the SSDs—If you have two SSDs, you can remove one.

  • Add a second SSD—If you have one SSD, you can add a second SSD and form a RAID.


Caution


Do not remove an SSD without first removing it from the RAID using this procedure. You can cause data loss.


Procedure


Step 1

Remove one of the SSDs.

  1. Remove the SSD from the RAID.

    configure raid remove-secure local-disk {1 | 2}

    The remove-secure keyword removes the SSD from the RAID, disables the self-encrypting disk feature, and performs a secure erase of the SSD. If you only want to remove the SSD from the RAID and want to keep the data intact, you can use the remove keyword.

    Example:

    
    > configure raid remove-secure local-disk 2
    
    
  2. Monitor the RAID status until the SSD no longer shows in the inventory.

    show raid

    After the SSD is removed from the RAID, the Operability and Drive State will show as degraded. The second drive will no longer be listed as a member disk.

    Example:

    
    > show raid
    Virtual Drive
    ID:                         1
    Size (MB):                  858306
    Operability:                operable
    Presence:                   equipped
    Lifecycle:                  available
    Drive State:                optimal
    Type:                       raid
    Level:                      raid1
    Max Disks:                  2
    Meta Version:               1.0
    Array State:                active
    Sync Action:                idle
    Sync Completed:             unknown
    Degraded:                   0
    Sync Speed:                 none
    
    RAID member Disk:
    Device Name:                nvme0n1
    Disk State:                 in-sync
    Disk Slot:                  1
    Read Errors:                0
    Recovery Start:             none
    Bad Blocks:
    Unacknowledged Bad Blocks:   
    
    Device Name:                nvme1n1
    Disk State:                 in-sync
    Disk Slot:                  2
    Read Errors:                0
    Recovery Start:             none
    Bad Blocks:
    Unacknowledged Bad Blocks:   
    
    > show raid
    Virtual Drive
    ID:                         1
    Size (MB):                  858306
    Operability:                degraded
    Presence:                   equipped
    Lifecycle:                  available
    Drive State:                degraded
    Type:                       raid
    Level:                      raid1
    Max Disks:                  2
    Meta Version:               1.0
    Array State:                active
    Sync Action:                idle
    Sync Completed:             unknown
    Degraded:                   1
    Sync Speed:                 none
    
    RAID member Disk:
    Device Name:                nvme0n1
    Disk State:                 in-sync
    Disk Slot:                  1
    Read Errors:                0
    Recovery Start:             none
    Bad Blocks:
    Unacknowledged Bad Blocks:   
    
    
  3. Physically remove the SSD from the chassis.

Step 2

Add an SSD.

  1. Physically add the SSD to the empty slot.

  2. Add the SSD to the RAID.

    configure raid add local-disk {1 | 2}

    It can take several hours to complete syncing the new SSD to the RAID, during which the firewall is completely operational. You can even reboot, and the sync will continue after it powers up. Use the show raid command to show the status.

    If you install an SSD that was previously used on another system, and is still locked, enter the following command:

    configure raid add local-disk {1 | 2} psid

    The psid is printed on the label attached to the back of the SSD. Alternatively, you can reboot the system, and the SSD will be reformatted and added to the RAID.


Disable the USB Port

By default, the type-A USB port is enabled. You might want to disable USB port access for security purposes. Disabling USB is supported on the following models:

  • Firepower 1000 Series

  • Secure Firewall 3100

  • Secure Firewall 4200

Guidelines

  • Enabling or disabling the USB port requires a reboot.

  • If the USB port is disabled and you downgrade to a version that does not support this feature, the port will remain disabled, and you cannot re-enable it without erasing the NVRAM (the FXOS local-mgmt erase secure all command).

  • If you perform a ROMMON factory-reset or FXOS local-mgmt erase secure, the USB port will be re-enabled.

  • For high availability or clustering, you must disable or re-enable the port individually on each unit.


Note


This feature does not affect the USB console port, if present.


Disable the USB Port on a Device

You can disable the USB port on a device at the Firewall Threat Defense CLI.

Procedure


Step 1

Disable the USB port.

system support usb configure disable

reboot

To re-enable the USB port, enter system support usb configure enable.

Example:


>system support usb configure disable
USB Port Admin State set to 'disabled'.
Please reboot the system to apply any control state changes.

>reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES

Step 2

View the port status.

system support usb show

The Admin State shows the USB port configuration. The Oper State shows the current operation. For example, if you disable the USB port but do not reload, the Admin State will show disabled while the Oper State will still show enabled.

Example:


>system support usb show
USB Port Info
---------------
Admin State: disabled
Oper State: disabled
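
The following is an added example, not part of this guide or of Cisco's software: a small parser for the key-value style output shown above that turns the `show raid` output from Step 1 of the SSD procedure into a health summary (member count, missing disks, degraded flags) and flags a `system support usb show` result whose Admin State and Oper State disagree, meaning the change still awaits a reboot. The sample outputs are constructed from the examples in this guide; the function names are the example's own.

```python
import re

# Constructed sample, abridged from the guide's "show raid" output after one
# SSD was removed: the virtual drive is degraded and only one member remains.
SHOW_RAID_DEGRADED = """\
Virtual Drive
ID:                         1
Operability:                degraded
Drive State:                degraded
Level:                      raid1
Max Disks:                  2
Degraded:                   1

RAID member Disk:
Device Name:                nvme0n1
Disk State:                 in-sync
Disk Slot:                  1
Read Errors:                0
"""

# Constructed sample: "system support usb show" after disabling the port but
# before the required reboot, so Admin State and Oper State disagree.
SHOW_USB_PENDING = """\
USB Port Info
---------------
Admin State: disabled
Oper State: enabled
"""

def parse_kv(text):
    """Return every 'Key: value' line as an ordered list of (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if m:  # headings and separator rows have no colon and are skipped
            pairs.append((m.group(1), m.group(2)))
    return pairs

def raid_health(text):
    """Summarise 'show raid' output: members, missing disks and health flags."""
    pairs = parse_kv(text)
    drive = dict(pairs)  # virtual-drive keys are unique; repeated member keys are handled below
    members = [v for k, v in pairs if k == "Device Name"]
    read_errors = sum(int(v) for k, v in pairs if k == "Read Errors")
    max_disks = int(drive["Max Disks"])
    degraded = drive["Degraded"] != "0" or drive["Operability"] != "operable"
    return {"members": members, "missing": max_disks - len(members),
            "degraded": degraded, "read_errors": read_errors,
            "healthy": not degraded and len(members) == max_disks and read_errors == 0}

def usb_reboot_pending(text):
    """True when Admin State and Oper State differ, i.e. the change awaits a reboot."""
    state = dict(parse_kv(text))
    return state["Admin State"].lower() != state["Oper State"].lower()
```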

Disable the USB Port in Multi-Instance Mode

In multi-instance mode, you disable the USB port at the FXOS CLI.

Procedure


Step 1

Disable the USB port and reboot for the change to take effect.

  1. Disable the USB port.

    scope fabric-interconnect

    disable usb-port

    commit buffer

  2. Reboot the chassis.

    connect local-mgmt

    reboot

Example:


firepower-4245 /fabric-interconnect # disable usb-port
Note: USB enablement or disablement changes are effected only after FXOS reboot.
Confirm change? (yes/no) [yes]:
device /fabric-interconnect* # commit buffer
Note: USB enablement or disablement changes are effected only after FXOS reboot.
Confirm change? (yes/no) [yes]:yes
firepower-4245 /fabric-interconnect # connect local-mgmt
firepower-4245(local-mgmt)# reboot
Before rebooting, please take a configuration backup.
Do you still want to reboot? (yes/no):yes
Broadcast message from admin@firepower-4245 (Wed Feb 21 05:59:55 2024):
All shells being terminated due to system /sbin/reboot

Step 2

Enable the USB port and reboot for the change to take effect.

  1. Enable the USB port.

    scope fabric-interconnect

    enable usb-port

    commit buffer

  2. Reboot the chassis.

    connect local-mgmt

    reboot

Example:


firepower-4245 /fabric-interconnect # enable usb-port
Note: USB enablement or disablement changes are effected only after FXOS reboot.
Confirm change? (yes/no) [yes]:
device /fabric-interconnect* # commit buffer
Note: USB enablement or disablement changes are effected only after FXOS reboot.
Confirm change? (yes/no) [yes]:yes
firepower-4245 /fabric-interconnect # connect local-mgmt
firepower-4245(local-mgmt)# reboot
Before rebooting, please take a configuration backup.
Do you still want to reboot? (yes/no):yes
Broadcast message from admin@firepower-4245 (Wed Feb 21 05:59:55 2024):
All shells being terminated due to system /sbin/reboot

Step 3

View the USB port status.

scope fabric-interconnect

show usb-port

The Admin State shows the USB port configuration. The Oper State shows the current operation. For example, if you disable the USB port but do not reload, the Admin State will show Disabled while the Oper State will still show Enabled.

Example:


firepower-4245# scope fabric-interconnect
firepower-4245 /fabric-interconnect # show usb-port
Usb Port:
Equipment         Admin State Oper State
---------------- -----------  ----------
A                 Disabled    Disabled