Firepower Easy Deployment Guide for Cisco Firepower 1000 or 2100 Firewalls
This document provides information about two easy deployment options for customers of Firepower Threat Defense (FTD) version 6.7 and later: Low-Touch Provisioning for Cisco Defense Orchestrator (CDO) customers and Remote Branch Office Deployment for Firepower Management Center (FMC) customers.
See Low-Touch Provisioning Using CDO if your job is to connect a new Firepower firewall to your network or to manage that new firewall with CDO.
See Remote Branch Office Deployment of FTD Devices for Management by an FMC if you are an FMC administrator and want to manage an FTD at a remote branch using FMC.
Low-Touch Provisioning Using CDO
Low-touch provisioning allows anybody to connect a new Firepower 1000 or 2100 series device to their network so that their IT department can onboard the device to CDO and configure it remotely.
What do you want to do?
Plug in the new firewall and connect it to the network at the branch office.. I work at the branch office.
Onboard a Cisco Firepower firewall to Cisco Defense Orchestrator (CDO) using its serial number. I am the CDO administrator.
Connect a New Cisco Firepower Firewall to Your Network
This topic describes the process of connecting your Firepower firewall to your network so that it can be managed remotely by a CDO administrator.
If you received a Firepower firewall at your branch office and your job is to plug it in to your network, watch this video.
The video describes your firewall and the LED sequences on the device that indicate the device's status. If you need to, you'll be able to confirm the device's status with your IT department just by looking at the LEDs. These are the steps described in the video:
Your Firepower firewall needs to be one of a certain model number and needs to have FTD version 6.7 installed on it for low-touch provisioning to work. The table below shows the Firepower models that support low-touch provisioning.
To make sure the Firepower model has the right software installed, look on the cardboard box the device came in. It should have a plain white sticker on it with a product identifier that looks similar to one in the following table:
Firepower Model Numbers that Support Low-Touch Provisioning
FTD 6.7 Product Identifiers
Firepower 1000 series device models:
1010, 1120, 1140, 1150
SF-F1K-TD6.7-K9 Firepower 2100 series device models:
2110, 2120, 2130, 2140
Before you rack the device or throw the cardboard box away, record your device's serial number and send it to your IT department. They will need it to manage the device. The serial number of the device is located on the cardboard box the device came in and on a sticker affixed to the device itself. See Find Your Device's Serial Number for more information.
Unpack the box and take inventory of the contents.
Keep the cardboard box until you have plugged in the device, you have connected it to your network, and the device has successfully contacted the Cisco cloud.
Connect the device to power.
Connect the network cable from the Ethernet 1/1 interface to your wide area network (WAN) modem. Your WAN modem is your branch's connection to the internet and will be your Firepower firewall's route to the Internet as well.
Do not connect the network cable from the device's Management interface to your WAN.
Observe the Stauts/SYS LED light pattern on the device to determine if the device has reached the Cisco cloud. The table below provides the LED light patterns and the approximate time they occur. It may take a little more time or a little less time for the Firepower device to reach the Cisco cloud based on network conditions and the Firepower model you are working with.
Light pattern of Stauts/SYS LED Description Time this ocurs after the device is powered on.
Fast flashing green The device is booting up correctly. 01:00 Fast flashing amber The device failed to boot correctly. 01:00 Solid green The application is loaded on the device. 10:00 Solid amber The application failed to load correctly on the device. 10:00 Slow flashing green The device is connected to the Cisco cloud. 15:00 Alternating green and amber The device failed to connect to the Cisco cloud. 15:00
After you complete this task, your IT administrator will be able to configure the firewall remotely. You're done.
Onboard a Firepower Firewall to CDO Using its Serial Number
If you are a Cisco Defense Orchestrator (CDO) administrator and someone at a branch office has connected a new Cisco Firepower firewall running Firepower Threat Defense version 6.7 or later device to their network, and your job is to onboard it to CDO using its serial number, see Procedure for Onboarding an FTD using the Device's Serial Number
If you are a CDO administrator and your task is to onboard a fully configured Cisco Firepower firewall running Firepower Threat Defense 6.7 or later, here are two other methods of onboarding the device to CDO:
Find Your Device's Serial Number
Your IT department needs your Firepower firewall's serial number to connect to the device and manage it remotely. You can find the serial number in a couple of different places.
The Sticker on the Cardboard Box
The serial number is printed on the sticker on the cardboard box the firewall came in. Here is an example:
The Sticker on the Chassis
Firepower 1010: The serial number is on a sticker on the bottom of the device:
Firepower 1100: The serial number is on a sticker on the back of the device or on the bottom of the device:
Firepower 2100: The serial number is on a sticker on a pull-out tab on the front of the device:
Connecting to the Firewall Using a Console Cable
You can connect a console cable from a device like a laptop to your Firepower firewall, open up a terminal window, and enter a few commands to display the device's serial number.
This procedure is for advanced users who are comfortable working with a command line interface and, possibly, installing software drivers on their laptops. Here is the procedure to connect a computer to the Firepower firewall using a console cable and to retrieve the device's serial number in a terminal window:
See "Connect to the Console Port" for instructions on how to connect a laptop to your device using a console cable. Though the commands are explained in the Firepower 1010 Hardware Installation Guide, they will be the same for the 1100 series devices and 2100 series devices.
There are two types of console ports for the 1010 and 1100 series devices. You could use either the "USB-A to B" console cable that came with the firewall or a DB-9 to RJ-45 serial cable.
The Firepower 2100 ships with only a DB-9 to RJ-45 serial cable. When using this cable, you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system.
Log in to the device as the admin user. If the device has not been configured, you will be asked to create a new password for the admin.
show chassis detail. Here is an example:
firepower# show chassis detail Chassis: Chassis: 1 Overall Status: Operable Oper qualifier: N/A Operability: Operable Product Name: Cisco Firepower 1010 Security Appliance PID: FPR-1010 VID: V01 Vendor: Cisco Systems, Inc Serial (SN): JMX2405X0R9 HW Revision: 0.6 PCB Serial Number: JAD24040S6L Power State: Ok Thermal Status: Ok Boot Status: OK Current Task: firepower#
The output shows two serial numbers. Report the value of Serial (SN) field to your IT department.
Remote Branch Office Deployment of FTD Devices for Management by an FMC
Firepower version 6.7 or later allows the FMC to manage an FTD at a remote branch office using the outside interface for FMC management:
An administrator at the central headquarters pre-configures the FTD, and then sends the FTD to the remote branch office.
The branch office administrator cables and powers on the FTD.
The central administrator completes configuration of the FTD using the FMC.
See Deploy the FTD at a Remote Branch Office with FMC for more information.