Cisco Firepower 1010 Getting Started Guide

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Firepower 1010 Getting Started Guide

Chapter Title

Threat Defense Deployment with the Management Center

Results

Updated:
October 4, 2023

Chapter: Threat Defense Deployment with the Management Center

Threat Defense Deployment with the Management Center

Is This Chapter for You?

To see all available applications and managers, see Which Application and Manager is Right for You?. This chapter applies to the threat defense with the management center.

This chapter explains how to complete the initial configuration of your threat defense and how to register the firewall to the management center located on your management network. For remote branch deployment, where the management center resides at a central headquarters, see Threat Defense Deployment with a Remote Management Center.

In a typical deployment on a large network, you install multiple managed devices on network segments. Each device controls, inspects, monitors, and analyzes traffic, and then reports to a managing management center. The management center provides a centralized management console with a web interface that you can use to perform administrative, management, analysis, and reporting tasks in service to securing your local network.

About the Firewall

The hardware can run either threat defense software or ASA software. Switching between threat defense and ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide.

The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.

Privacy Collection Statement—The firewall does not require or actively collect personally identifiable information. However, you can use personally identifiable information in the configuration, for example for usernames. In this case, an administrator might be able to see this information when working with the configuration or when using SNMP.

Before You Start

Deploy and perform initial configuration of the management center. See the getting started guide for your model.

End-to-End Tasks

See the following tasks to deploy the threat defense with the management center.

Pre-Configuration

Install the firewall. See the hardware installation guide.

Pre-Configuration

Review the Network Deployment.

Pre-Configuration

Cable the Device

Pre-Configuration

Power On the Firewall.

CLI

(Optional) Check the Software and Install a New Version

CLI or Device Manager

Complete the Threat Defense Initial Configuration.

Management Center

Log Into the Management Center.

Cisco Commerce Workspace

Obtain Licenses for the Management Center: Buy feature licenses.

Smart Software Manager

Obtain Licenses for the Management Center: Generate a license token for the management center.

Management Center

Obtain Licenses for the Management Center: Register the management center with the Smart Licensing server.

Management Center

Register the Threat Defense with the Management Center

Management Center

Configure a Basic Security Policy

Review the Network Deployment

Management Interface

The management center communicates with the threat defense on the Management interface.

The dedicated Management interface is a special interface with its own network settings:

  • By default, the Management 1/1 interface is enabled and configured as a DHCP client. If your network does not include a DHCP server, you can set the Management interface to use a static IP address during initial setup at the console port.

  • Both the threat defenseand the management center require internet access from their management interfaces for licensing and updates.


Note

The management connection is a secure, TLS-1.3-encrypted communication channel between itself and the device. You do not need to run this traffic over an additional encrypted tunnel such as Site-to-Site VPN for security purposes. If the VPN goes down, for example, you will lose your management connection, so we recommend a simple management path.

Data Interfaces

You can configure other interfaces after you connect the threat defense to the management center.

Note that Ethernet 1/2 through 1/8 are enabled as switch ports by default.

Typical Edge Network Deployment

The following figure shows a typical network deployment for the firewall where:

  • The inside interface acts as the internet gateway for Management and for the management center.

  • Connects Management 1/1 to an inside interface throughan inside switch port.

  • Connects the management center and management computer toother inside switch ports.

This direct connection is allowed because the Management interface has separate routing from the other interfaces on the threat defense.

Figure 1. Suggested Network Deployment

Cable the Device

To cable the Firepower 1010, see the following illustration, which shows a sample topology using Ethernet1/1 as the outside interface and the remaining interfaces as switch ports on the inside network.


Note

Other topologies can be used, and your deployment will vary depending on your requirements. For example, you can convert the switch ports to firewall interfaces.

Figure 2. Cabling the Firepower 1010

Note

PoE is not supported on the Firepower 1010E.

Procedure

Step 1

Install the chassis. See the hardware installation guide.

Step 2

Connect Management1/1 directly to one of the switch ports, Ethernet1/2 through 1/8.

Step 3

Cable the following to the switch ports, Ethernet 1/2 through 1/8:

  • Management Center

  • Management computer

  • Additional end points

Step 4

Connect the management computer to the console port. You need to use the console port to access the CLI for initial setup if you do not use SSH to the Management interface or use the device manager for initial setup.

Step 5

Connect Ethernet 1/1 to your outside router.

Power On the Firewall

System power is controlled by the power cord; there is no power button.


Note

The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.

Before you begin

It's important that you provide reliable power for your device (using an uninterruptable power supply (UPS), for example). Loss of power without first shutting down can cause serious file system damage. There are many processes running in the background all the time, and losing power does not allow the graceful shutdown of your system.

Procedure

Step 1

Attach the power cord to the device, and connect it to an electrical outlet.

The power turns on automatically when you plug in the power cord.

Step 2

Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.

Step 3

Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on diagnostics.

(Optional) Check the Software and Install a New Version

To check the software version and, if necessary, install a different version, perform these steps. We recommend that you install your target version before you configure the firewall. Alternatively, you can perform an upgrade after you are up and running, but upgrading, which preserves your configuration, may take longer than using this procedure.

What Version Should I Run?

Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html; for example, this bulletin describes short-term release numbering (with the latest features), long-term release numbering (maintenance releases and patches for a longer period of time), or extra long-term release numbering (maintenance releases and patches for the longest period of time, for government certification).

Procedure

Step 1

Connect to the CLI. See Access the Threat Defense and FXOS CLI for more information. This procedure shows using the console port, but you can use SSH instead.

Log in with the admin user and the default password, Admin123.

You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This password is also used for the threat defense login for SSH.

Note

 

If the password was already changed, and you do not know it, you must perform a factory reset to reset the password to the default. See the FXOS troubleshooting guide for the factory reset procedure.

Example:


firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 2

At the FXOS CLI, show the running version.

scope ssa

show app-instance

Example:


Firepower# scope ssa
Firepower /ssa # show app-instance

Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               7.4.0.65        7.4.0.65        Not Applicable

Step 3

If you want to install a new version, perform these steps.

  1. If you need to set a static IP address for the Management interface, see Complete the Threat Defense Initial Configuration Using the CLI. By default, the Management interface uses DHCP.

    You will need to download the new image from a server accessible from the Management interface.

  2. Perform the reimage procedure in the FXOS troubleshooting guide.

    After the firewall reboots, you connect to the FXOS CLI again.

  3. At the FXOS CLI, you are prompted to set the admin password again.

Complete the Threat Defense Initial Configuration

You can complete the threat defense initial configuration using the CLI or device manager.

Complete the Threat Defense Initial Configuration Using the Device Manager

Connect to the device manager to perform initial setup of the threat defense. When you perform initial setup using the device manager, all interface configuration completed in the device manager is retained when you switch to the management center for management, in addition to the Management interface and manager access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the CLI, only the Management interface and manager access settings are retained (for example, the default inside interface configuration is not retained).

Before you begin

Deploy and perform initial configuration of the management center. You will need to know the management center IP address or hostname before you set up the threat defense.

Procedure

Step 1

Log in to the device manager.

  1. Enter one of the following URLs in your browser.

    • Inside (Ethernet1/2 through 1/8)https://192.168.95.1 .You can connect to the inside address on any inside switch port (Ethernet1/2 through 1/8).

    • Management—https://management_ip . The Management interface is a DHCP client, so the IP address depends on your DHCP server. You might have to set the Management IP address to a static address as part of this procedure, so we recommend that you use the inside interface so you do not become disconnected.

  2. Log in with the username admin, and the default password Admin123.

  3. You are prompted to read and accept the End User License Agreement and change the admin password.

Step 2

Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.

After you complete the setup wizard, in addition to the default configuraton for the inside interface (Ethernet1/2 through 1/8, which are switch ports on VLAN1)., you will have configuration for an outside (Ethernet1/1) interface that will be maintained when you switch to management center management.

  1. Configure the following options for the outside and management interfaces and click Next.

    1. Outside Interface Address—This interface is typically the internet gateway, and might be used as your manager access interface. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.

      If you want to use a different interface from outside (or inside) for manager access, you will have to configure it manually after completing the setup wizard.

      Configure IPv4—The IPv4 address for the outside interface. You can use DHCP or manually enter a static IP address, subnet mask, and gateway. You can also select Off to not configure an IPv4 address. You cannot configure PPPoE using the setup wizard. PPPoE may be required if the interface is connected to a DSL modem, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address. You can configure PPPoE after you complete the wizard.

      Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.

    2. Management Interface

      You will not see Management Interface settings if you performed intial setup at the CLI. Note that setting the Management interface IP address is not part of the setup wizard. See Step Step 3 to set the Management IP address.

      DNS Servers—The DNS server for the firewall's Management interface. Enter one or more addresses of DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields.

      Firewall Hostname—The hostname for the firewall's Management interface.

  2. Configure the Time Setting (NTP) and click Next.

    1. Time Zone—Select the time zone for the system.

    2. NTP Time Server—Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups.

  3. Select Start 90 day evaluation period without registration.

    Do not register the threat defense with the Smart Software Manager; all licensing is performed on the management center.

  4. Click Finish.

  5. You are prompted to choose Cloud Management or Standalone. For management center management, choose Standalone, and then Got It.

Step 3

(Might be required) Configure a static IP address for the Management interface. Choose Device, then click the System Settings > Management Interface link.

If you want to configure a static IP address, be sure to also set the default gateway to be a unique gateway instead of the data interfaces. If you use DHCP, you do not need to configure anything.

Step 4

If you want to configure additional interfaces, including an interface other than outside or inside, choose Device, and then click the link in the Interfaces summary.

See Configure the Firewall in the Device Manager for more information about configuring interfaces in the device manager. Other device manager configuration will not be retained when you register the device to the management center.

Step 5

Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.

Step 6

Configure the Management Center/CDO Details.

Figure 3. Management Center/CDO Details
Management Center/CDO Details

  1. For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.

    At least one of the devices, either the management center or the threat defense device, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices.

  2. If you chose Yes, then enter the Management Center/CDO Hostname/IP Address.

  3. Specify the Management Center/CDO Registration Key.

    This key is a one-time registration key of your choice that you will also specify on the management center when you register the threat defense device. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID can be used for multiple devices registering to the management center.

  4. Specify a NAT ID.

    This ID is a unique, one-time string of your choice that you will also specify on the management center. This field is required if you only specify the IP address on one of the devices; but we recommend that you specify the NAT ID even if you know the IP addresses of both devices. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center. The NAT ID is used in combination with the IP address to verify that the connection is coming from the correct device; only after authentication of the IP address/NAT ID will the registration key be checked.

Step 7

Configure the Connectivity Configuration.

  1. Specify the FTD Hostname.

  2. Specify the DNS Server Group.

    Choose an existing group, or create a new one. The default DNS group is called CiscoUmbrellaDNSServerGroup, which includes the OpenDNS servers.

  3. For the Management Center/CDO Access Interface, choose management.

Step 8

Click Connect. The Registration Status dialog box shows the current status of the switch to the management center. After the Saving Management Center/CDO Registration Settings step, go to the management center, and add the firewall.

If you want to cancel the switch to the management center, click Cancel Registration. Otherwise, do not close the device manager browser window until after the Saving Management Center/CDO Registration Settings step. If you do, the process will be paused, and will only resume when you reconnect to the device manager.

If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.

Figure 4. Successful Connection
Successful Connection

Complete the Threat Defense Initial Configuration Using the CLI

Connect to the threat defense CLI to perform initial setup, including setting the Management IP address, gateway, and other basic networking settings using the setup wizard. The dedicated Management interface is a special interface with its own network settings. In 6.7 and later: If you do not want to use the Management interface for the manager access, you can use the CLI to configure a data interface instead. You will also configure the management center communication settings. When you perform initial setup using the device manager (7.1 and later), all interface configuration completed in the device manager is retained when you switch to the management center for management, in addition to the Management interface and manager access interface settings. Note that other default configuration settings, such as the access control policy, are not retained.

Procedure

Step 1

Connect to the threat defense CLI, either from the console port or using SSH to the Management interface, which obtains an IP address from a DHCP server by default. If you intend to change the network settings, we recommend using the console port so you do not get disconnected.

The console port connects to the FXOS CLI. The SSH session connects directly to the threat defense CLI.

Step 2

Log in with the username admin and the password Admin123.

At the console port, you connect to the FXOS CLI. The first time you log in to FXOS, you are prompted to change the password. This password is also used for the threat defense login for SSH.

Note

 

If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.

Example:


firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 3

If you connected to FXOS on the console port, connect to the threat defense CLI.

connect ftd

Example:


firepower# connect ftd
>

Step 4

The first time you log in to the threat defense, you are prompted to accept the End User License Agreement (EULA) and, if using an SSH connection, to change the admin password. You are then presented with the CLI setup script.

Note

 

You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.

Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.

See the following guidelines:

  • Do you want to configure IPv4? and/or Do you want to configure IPv6?—Enter y for at least one of these types of addresses.

  • Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for the management interface—Set a gateway IP address for Management 1/1 on the management network. In the edge deployment example shown in the network deployment section, the inside interface acts as the management gateway. In this case, you should set the gateway IP address to be the intended inside interface IP address; you must later use the management center to set the inside IP address. The data-interfaces setting applies only to the remote management center or device manager management.

  • If your networking information has changed, you will need to reconnect—If you are connected with SSH but you change the IP address at initial setup, you will be disconnected. Reconnect with the new IP address and password. Console connections are not affected.

  • Manage the device locally?—Enter no to use the management center. A yes answer means you will use the device manager instead.

  • Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration.

Example:


You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
[...]

Please enter 'YES' or press <ENTER> to AGREE to the EULA: 

System initialization in progress.  Please stand by.
You must change the password for 'admin' to continue.
Enter new password: ********
Confirm new password: ********
You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]:n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.15
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []:cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35
Setting DNS domains:cisco.com
Setting hostname as ftd-1.cisco.com
Setting static IPv4: 10.10.10.15 netmask: 255.255.255.192 gateway: 10.10.10.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: no
DHCP server is already disabled
DHCP Server Disabled
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...


Device is in OffBox mode - disabling/removing port 443 from iptables.
Update policy deployment information
    - add device configuration
    - add network discovery
    - add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required.  In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>

Step 5

Identify the management center that will manage this threat defense.

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]

  • {hostname | IPv4_address | IPv6_address | DONTRESOLVE}—Specifies either the FQDN or IP address of the management center. If the management center is not directly addressable, use DONTRESOLVE and also specify the nat_id. At least one of the devices, either the management center or the threat defense, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices. If you specify DONTRESOLVE in this command, then the threat defense must have a reachable IP address or hostname.

  • reg_key—Specifies a one-time registration key of your choice that you will also specify on the management center when you register the threat defense. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).

  • nat_id—Specifies a unique, one-time string of your choice that you will also specify on the management center when you register the threat defense when one side does not specify a reachable IP address or hostname. It is required if you set the management center to DONTRESOLVE. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center.

Example:


> configure manager add MC.example.com 123456
Manager successfully configured.

If the management center is behind a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:

Example:


> configure manager add DONTRESOLVE regk3y78 natid90
Manager successfully configured.

If the threat defense is behind a NAT device, enter a unique NAT ID along with the management center IP address or hostname, for example:

Example:


> configure manager add 10.70.45.5 regk3y78 natid56
Manager successfully configured.

What to do next

Register your firewall to the management center.

Log Into the Management Center

Use the management center to configure and monitor the threat defense.

Before you begin

For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes).

Procedure

Step 1

Using a supported browser, enter the following URL.

https://fmc_ip_address

Step 2

Enter your username and password.

Step 3

Click Log In.

Obtain Licenses for the Management Center

All licenses are supplied to the threat defense by the management center. You can purchase the following licenses:

  • Essentials—(Required) Essentials license.

  • IPS—Security Intelligence and Next-Generation IPS

  • Malware Defense—Malware defense

  • URL—URL Filtering

  • Cisco Secure ClientSecure Client Advantage, Secure Client Premier, or Secure Client VPN Only

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide

Before you begin

  • Have a master account on the Smart Software Manager.

    If you do not yet have an account, click the link to set up a new account. The Smart Software Manager lets you create a master account for your organization.

  • Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to use some features (enabled using the export-compliance flag).

Procedure

Step 1

Make sure your Smart Licensing account contains the available licenses you need.

When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs:

Figure 5. License Search

Note

 

If a PID is not found, you can add the PID manually to your order.

  • IPS, Malware Defense, and URL license combination:

    • L-FPR1010T-TMC=

    When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

    • L-FPR1010T-TMC-1Y

    • L-FPR1010T-TMC-3Y

    • L-FPR1010T-TMC-5Y

  • Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Step 2

If you have not already done so, register the management center with the Smart Licensing server.

Registering requires you to generate a registration token in the Smart Software Manager. See the Cisco Secure Firewall Management Center Administration Guide for detailed instructions.

Register the Threat Defense with the Management Center

Register the threat defense to the management center manually using the device IP address or hostname.

Before you begin

  • Gather the following information that you set in the threat defense initial configuration:

    • The threat defense management IP address or hostname, and NAT ID

    • The management center registration key

Procedure

Step 1

In the management center, choose Devices > Device Management.

Step 2

From the Add drop-down list, choose Add Device.

The Registration Key method is selected by default.

Figure 6. Add Device Using a Registration Key
Add Device Using a Registration Key

Set the following parameters:

  • Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration.

    Note

     

    In an HA environment, when both the management centers are behind a NAT, you can register the threat defense without a host IP or name in the primary management center. However, for registering the threat defense in a secondary management center, you must provide the IP address or hostname for the threat defense.

  • Display Name—Enter the name for the threat defense as you want it to display in the management center.

  • Registration Key—Enter the same registration key that you specified in the threat defense initial configuration.

  • Domain—Assign the device to a leaf domain if you have a multidomain environment.

  • Group—Assign it to a device group if you are using groups.

  • Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside.

    Figure 7. New Policy
    New Policy

  • Smart Licensing—Assign the Smart Licenses you need for the features you want to deploy. Note: You can apply the Secure Client remote access VPN license after you add the device, from the System > Licenses > Smart Licenses page.

  • Unique NAT ID—Specify the NAT ID that you specified in the threat defense initial configuration.

  • Transfer Packets—Allow the device to transfer packets to the management center. When events like IPS or Snort are triggered with this option enabled, the device sends event metadata information and packet data to the management center for inspection. If you disable it, only event information will be sent to the management center, but packet data is not sent.

Step 3

Click Register, and confirm a successful registration.

If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat defense fails to register, check the following items:

  • Ping—Access the threat defense CLI, and ping the management center IP address using the following command:

    ping system ip_address

    If the ping is not successful, check your network settings using the show network command. If you need to change the threat defense Management IP address, use the configure network {ipv4 | ipv6} manual command.

  • Registration key, NAT ID, and the management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the management center using the configure manager add command.

For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.

Configure a Basic Security Policy

This section describes how to configure a basic security policy with the following settings:

  • Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface.

  • DHCP server—Use a DHCP server on the inside interface for clients.

  • Default route—Add a default route through the outside interface.

  • NAT—Use interface PAT on the outside interface.

  • Access control—Allow traffic from inside to outside.

To configure a basic security policy, complete the following tasks.

Configure Interfaces

Configure the DHCP Server.

Add the Default Route.

Configure NAT.

Allow Traffic from Inside to Outside.

Deploy the Configuration.

Configure Interfaces

Add the VLAN1 interface for the switch ports or convert switch ports to firewall interfaces, assign interfaces to security zones, and set the IP addresses. Typically, you must configure at least a minimum of two interfaces to have a system that passes meaningful traffic. Normally, you would have an outside interface that faces the upstream router or internet, and one or more inside interfaces for your organization’s networks. By default, Ethernet1/1 is a regular firewall interface that you can use for outside, and the remaining interfaces are switch ports on VLAN 1; after you add the VLAN1 interface, you can make it your inside interface. You can alternatively assign switch ports to other VLANs, or convert switch ports to firewall interfaces.

A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces.

The following example configures a routed mode inside interface (VLAN1) with a static address and a routed mode outside interface using DHCP (Ethernet1/1).

Procedure

Step 1

Choose Devices > Device Management, and click the Edit (edit icon) for the device.

Step 2

Click Interfaces.

Step 3

(Optional) Disable switch port mode for any of the switch ports (Ethernet1/2 through 1/8) by clicking the slider in the SwitchPort column so it shows as disabled (slider disabled).

Step 4

Enable the switch ports.

  1. Click the Edit (edit icon) for the switch port.

  2. Enable the interface by checking the Enabled check box.

  3. (Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID.

  4. Click OK.

Step 5

Add the inside VLAN interface.

  1. Click Add Interfaces > VLAN Interface.

    The General tab appears.

  2. Enter a Name up to 48 characters in length.

    For example, name the interface inside.

  3. Check the Enabled check box.

  4. Leave the Mode set to None.

  5. From the Security Zone drop-down list, choose an existing inside security zone or add a new one by clicking New.

    For example, add a zone called inside_zone. Each interface must be assigned to a security zone and/or interface group. An interface can belong to only one security zone, but can also belong to multiple interface groups. You apply your security policy based on zones or groups. For example, you can assign the inside interface to the inside zone; and the outside interface to the outside zone. Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most policies only support security zones; you can use zones or interface groups in NAT policies, prefilter policies, and QoS policies.

  6. Set the VLAN ID to 1.

    By default, all of the switchports are set to VLAN 1; if you choose a different VLAN ID here, you need to also edit each switchport to be on the new VLAN ID.

    You cannot change the VLAN ID after you save the interface; the VLAN ID is both the VLAN tag used, and the interface ID in your configuration.

  7. Click the IPv4 and/or IPv6 tab.

    • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation.

      For example, enter 192.168.1.1/24

    • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.

  8. Click OK.

Step 6

Click the Edit (edit icon) for Ethernet1/1 that you want to use for outside.

The General tab appears.

Note

 

If you pre-configured this interface for manager access, then the interface will already be named, enabled, and addressed. You should not alter any of these basic settings because doing so will disrupt the management center management connection. You can still configure the Security Zone on this screen for through traffic policies.

  1. Enter a Name up to 48 characters in length.

    For example, name the interface outside.

  2. Check the Enabled check box.

  3. Leave the Mode set to None.

  4. From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New.

    For example, add a zone called outside_zone.

  5. Click the IPv4 and/or IPv6 tab.

    • IPv4—Choose Use DHCP, and configure the following optional parameters:

      • Obtain default route using DHCP—Obtains the default route from the DHCP server.

      • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.

    • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.

  6. Click OK.

Step 7

Click Save.

Configure the DHCP Server

Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.

Procedure

Step 1

Choose Devices > Device Management, and click the Edit (edit icon) for the device.

Step 2

Choose DHCP > DHCP Server.

Figure 8. DHCP Server
DHCP Server

Step 3

On the Server page, click Add, and configure the following options:

Figure 9. Add Server
Add Server

  • Interface—Choose the interface from the drop-down list.

  • Address Pool—Set the range of IP addresses from lowest to highest that are used by the DHCP server. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.

  • Enable DHCP Server—Enable the DHCP server on the selected interface.

Step 4

Click OK.

Step 5

Click Save.

Add the Default Route

The default route normally points to the upstream router reachable from the outside interface. If you use DHCP for the outside interface, your device might have already received a default route. If you need to manually add the route, complete this procedure. If you received a default route from the DHCP server, it will show in the IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page.

Procedure

Step 1

Choose Devices > Device Management, and click the Edit (edit icon) for the device.

Step 2

Choose Routing > Static Route.

Figure 10. Static Route
Static Route

Step 3

Click Add Route, and set the following:

Figure 11. Add Static Route Configuration
Add Static Route Configuration

  • Type—Click the IPv4 or IPv6 radio button depending on the type of static route that you are adding.

  • Interface—Choose the egress interface; typically the outside interface.

  • Available Network—Choose any-ipv4 for an IPv4 default route, or any-ipv6 for an IPv6 default route and click Add to move it to the Selected Network list.

  • Gateway or IPv6 Gateway—Enter or choose the gateway router that is the next hop for this route. You can provide an IP address or a Networks/Hosts object.

  • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1.

Step 4

Click OK.

The route is added to the static route table.

Step 5

Click Save.

Configure NAT

A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (PAT).

Procedure

Step 1

Choose Devices > NAT, and click New Policy > Threat Defense NAT.

Step 2

Name the policy, select the device(s) that you want to use the policy, and click Save.

Figure 12. New Policy
New Policy

The policy is added the management center. You still have to add rules to the policy.

Figure 13. NAT Policy
NAT Policy

Step 3

Click Add Rule.

The Add NAT Rule dialog box appears.

Step 4

Configure the basic rule options:

Figure 14. Basic Rule Options
Basic Rule Options

  • NAT Rule—Choose Auto NAT Rule.

  • Type—Choose Dynamic.

Step 5

On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.

Figure 15. Interface Objects
Interface Objects

Step 6

On the Translation page, configure the following options:

Figure 16. Translation
Translation

  • Original Source—Click Add (add icon) to add a network object for all IPv4 traffic (0.0.0.0/0).

    Figure 17. New Network Object
    New Network Object

    Note

     

    You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects.

  • Translated Source—Choose Destination Interface IP.

Step 7

Click Save to add the rule.

The rule is saved to the Rules table.

Step 8

Click Save on the NAT page to save your changes.

Allow Traffic from Inside to Outside

If you created a basic Block all traffic access control policy when you registered the threat defense, then you need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing traffic to the appropriate networks.

Procedure

Step 1

Choose Policy > Access Policy > Access Policy, and click the Edit (edit icon) for the access control policy assigned to the threat defense.

Step 2

Click Add Rule, and set the following parameters:

Figure 18. Add Rule
Add Rule

  • Name—Name this rule, for example, inside-to-outside.

  • Selected Sources—Select the inside zone from Zones, and click Add Source Zone.

  • Selected Destinations and Applications—Select the outside zone from Zones, and click Add Destination Zone.

Leave the other settings as is.

Step 3

Click Apply.

The rule is added to the Rules table.

Step 4

Click Save.

Deploy the Configuration

Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.

Procedure

Step 1

Click Deploy in the upper right.

Figure 19. Deploy
Deploy

Step 2

Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices.

Figure 20. Deploy All
Deploy All
Figure 21. Advanced Deploy
Advanced Deploy

Step 3

Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.

Figure 22. Deployment Status
Deployment Status

Access the Threat Defense and FXOS CLI

Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port.

You can also access the FXOS CLI for troubleshooting purposes.


Note

You can alternatively SSH to the Management interface of the threat defense device. Unlike a console session, the SSH session defaults to the threat defense CLI, from which you can connect to the FXOS CLI using the connect fxos command. You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.

Procedure

Step 1

To log into the CLI, connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system. The console port defaults to the FXOS CLI. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123).

Example:


firepower login: admin
Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1

firepower#

Step 2

Access the threat defense CLI.

connect ftd

Example:


firepower# connect ftd
>

After logging in, for information on the commands available in the CLI, enter help or ? . For usage information, see Cisco Secure Firewall Threat Defense Command Reference.

Step 3

To exit the threat defense CLI, enter the exit or logout command.

This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ? .

Example:


> exit
firepower#

Power Off the Firewall

It's important that you shut down your system properly. Simply unplugging the power can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall system.

The Firepower 1010 chassis does not have an external power switch.You can power off the device using the management center device management page, or you can use the FXOS CLI.

Power Off the Firewall Using the Management Center

It's important that you shut down your system properly. Simply unplugging the power or pressing the power switch can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall.

You can shut down your system properly using the management center.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Next to the device that you want to restart, click Edit (edit icon).

Step 3

Click the Device tab.

Step 4

Click Shut Down Device (shut down device icon) in the System section.

Step 5

When prompted, confirm that you want to shut down the device.

Step 6

If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt: 


System is stopped.
It is safe to power off now.

Do you want to reboot instead? [y/N]

If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.

Step 7

You can now unplug the power to physically remove power from the chassis if necessary.

Power Off the Device at the CLI

You can use the FXOS CLI to safely shut down the system and power off the device. You access the CLI by connecting to the console port; see Access the Threat Defense and FXOS CLI.

Procedure

Step 1

In the FXOS CLI, connect to local-mgmt:

firepower # connect local-mgmt

Step 2

Issue the shutdown command:

firepower(local-mgmt) # shutdown

Example:

firepower(local-mgmt)# shutdown 
This command will shutdown the system.  Continue?
Please enter 'YES' or 'NO': yes
INIT: Stopping Cisco Threat Defense......ok

Step 3

Monitor the system prompts as the firewall shuts down. You will see the following prompt: 


System is stopped.
It is safe to power off now.
Do you want to reboot instead? [y/N]

Step 4

You can now unplug the power to physically remove power from the chassis if necessary.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco