This guide explains how to complete the initial configuration of your Firepower Threat Defense security appliance and how to register the appliance to a Firepower Management Center. In a typical deployment on a large network, multiple managed appliances are installed on network segments, monitor traffic for analysis, and report to a managing Firepower Management Center. The Firepower Management Center provides a centralized management console with web interface that you can use to perform administrative, management, analysis, and reporting tasks.
Firepower Threat Defense security appliances require Cisco Smart Licensing. Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from using product features that you have not yet purchased. You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval.
When you purchase one or more Smart Licenses for Firepower features, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization. For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.
Your purchase of a Firepower Threat Defense security appliance or Firepower Threat Defense Virtual automatically includes a Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional. For more information about Firepower Threat Defense licensing, see “Licensing the Firepower System” in the Cisco Firepower Management Center Configuration Guide.
Deploy the Firepower Threat Defense in Your Network
The following figure shows the recommended network deployment for Firepower Threat Defense on the Firepower 2100 series.
Figure 1 Example Deployment Scenario
The example configuration enables the above network deployment with the following behavior:
inside --> outside traffic flow
outside IP address from DHCP
DHCP for clients on inside
Management 1/1 is used to set up and register the Firepower Threat Defense to the Firepower Management Center.
The Management interface requires Internet access for updates. When you put Management on the same network as an inside interface, you can deploy the Firepower Threat Defense security appliance with only a switch on the inside and point to the inside interface as its gateway.
The physical management interface is shared between the Management logical interface and the Diagnostic logical interface; see “Interfaces for Firepower Threat Defense” in the Firepower Management Center Configuration Guide.
Firepower Management Center access on the inside interface
Note: If you want to deploy a separate router on the inside network, then you can route between management and inside; see “Interfaces for Firepower Threat Defense” in the Firepower Management Center Configuration Guide for examples of alternate deployment configurations.
Connect the Interfaces
The default configuration assumes that certain interfaces are used for the inside and outside networks. Initial configuration will be easier to complete if you connect network cables to the interfaces based on these expectations. To cable the above scenario on the Firepower 2100 series, see the following illustration.
Note: The following figure shows a simple topology using a Layer 2 switch. Other topologies can be used and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
Figure 2 Interface Connections for Default Configuration
1. Cable the following to a Layer 2 Ethernet switch:
–Ethernet 1/2 interface (inside)
–Management 1/1 interface (for the Firepower Management Center)
–A local management computer
–A Firepower Management Center
Note: You can connect inside and management on the same network because the management interface acts like a separate device that belongs only to Firepower Management.
2. Connect the Ethernet 1/1 (outside) interface to your WAN device, for example, your cable modem.
Power on the Firepower 2100 Security Appliance
System power is controlled by a rocker power switch located on the rear of the chassis. The power switch is implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk of system software and data corruption.
1. Attach the power cable to the Firepower 2100 security appliance and connect it to an electrical outlet.
2. Press the Power switch on the back of the security appliance.
3. Check the PWR LED on the front of the security appliance; if it is solid green, the security appliance is powered on.
4. Check the SYS LED on the front of the security appliance; after it is solid green, the system has passed power-on diagnostics.
Note: When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually power off. During this time, the PWR LED on the front of the chassis blinks green. Do not remove the power until the PWR LED is completely off.
Configure the Security Appliance for Firepower Management
You must complete an initial configuration to make the system function correctly in your network, which includes configuring the addresses needed to insert the security appliance into your network and connect it to the Internet or other upstream router.
At first boot, or after a system reimage, the CLI setup wizard prompts you for the basic network configuration parameters that are required to set up your Firepower Threat Defense security appliance and to register it with a Firepower Management Center. Note that the management IP address and its associated gateway route are not shown in the Firepower Management Center web interface in the list of interfaces or static routes for the security appliance; they can only be set by the setup script and at the CLI.
Before You Begin
Ensure that you connect a data interface to your gateway device, for example, a cable modem or router. For edge deployments, this is your Internet-facing gateway. For data center deployments, this is a backbone router.
The Management interface must also be connected to a gateway through which the Internet is accessible. System licensing and database updates require Internet access.
To log into the CLI, do one of the following:
Use the console cable included with the security appliance to connect your PC to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. See the hardware guide for your security appliance for more information about the console cable.
Note: The CLI on the console port defaults to the FXOS CLI login prompt. You can get to the Firepower Threat Defense CLI using the connect ftd command.
Use an SSH client to make a connection to the management IP address (the default is 192.168.45.45). Log in using the admin username (default password is Admin123).
After logging in, for information on the commands available in the CLI, enter help or ?.
1. At the firepower login prompt, log in with the default credentials of username admin and the password Admin123.
firepower login: admin
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2015, Cisco Systems, Inc. All rights reserved.
2. Connect to the Firepower Threat Defense application.
firepower# connect ftd
3. When the Firepower Threat Defense system boots, a setup wizard prompts you for the following information required to configure the system:
–New admin password
–IPv4 or IPv6 configuration
–IPv4 or IPv6 DHCP settings
–Management port IPv4 address and subnet mask, or IPv6 address and prefix
–Default gateway IPv4, IPv6, or data interface setup
–Management mode (no local management required)
4. Review the Setup wizard settings. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: y
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.0.43
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: data-interfaces
Configure IPv6 via DHCP, router, or manually? (dhcp/router/manual) [disable]: manual
Enter the IPv6 address for the management interface : 2001:420:1402:200f:e400::22
Enter the IPv6 address prefix for the management interface : 76
Enter the IPv6 gateway for the management interface [data-interfaces]: data-interfaces
Enter a fully qualified hostname for this system [firepower]: FMC-FP2100
Enter a comma-separated list of DNS servers or 'none' [22.214.171.124,126.96.36.199]: 188.8.131.52
Enter a comma-separated list of search domains or 'none' : cisco.com
If your networking information has changed, you will need to reconnect.
Setting IPv6: 2001:420:1402:200f:e400::22 prefix: 76 gateway: 2001:420:1402:200f:e400::1 on management0
Setting DNS servers: 184.108.40.206
Setting DNS domains:cisco.com
Setting hostname as FMC-FP2100
DCHP Server Disabled
Setting static IPv4: 192.168.0.43 netmask: 255.255.255.0 gateway: 192.168.0.254 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: no
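The wizard above accepts whatever you type; it does not tell you that a management gateway lies outside the management subnet or that an IPv6 prefix is out of range until the device cannot reach the Firepower Management Center. The following script is an added example, not part of the Cisco guide, that pre-checks a set of wizard answers before you sit down at the console. The sample answers are the values typed in the transcript above; the dictionary keys and the function names are this example's own, and the "data-interfaces" gateway keyword is accepted unchanged because the wizard treats it as an option rather than an address.

```python
import ipaddress
import re

# Constructed sample: the answers given in the transcript above, keyed by
# names chosen for this example (they are not wizard field names).
SAMPLE_ANSWERS = {
    "ipv4_address": "192.168.0.43",
    "ipv4_netmask": "255.255.255.0",
    "ipv4_gateway": "data-interfaces",
    "ipv6_address": "2001:420:1402:200f:e400::22",
    "ipv6_prefix": "76",
    "ipv6_gateway": "data-interfaces",
    "hostname": "FMC-FP2100",
    "dns_servers": "188.8.131.52",
    "search_domains": "cisco.com",
}

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_dns_name(name):
    return bool(name) and all(_LABEL_RE.match(label) for label in name.split("."))


def _check_gateway(gateway, iface, family):
    """Return a problem string if gateway cannot serve iface, else None."""
    if gateway == "data-interfaces":
        return None  # wizard option: route management traffic via a data interface
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return f"{family} gateway {gateway!r} is neither an address nor 'data-interfaces'"
    if gw.version != iface.version:
        return f"{family} gateway {gateway} is not an {family} address"
    if gw not in iface.network:
        return f"{family} gateway {gateway} is outside {iface.network}"
    if gw == iface.ip:
        return f"{family} gateway {gateway} equals the management address"
    return None


def check_wizard_answers(a):
    """Validate a dict of wizard answers; return a list of problems (empty means OK)."""
    problems = []
    v4, v6 = a.get("ipv4_address"), a.get("ipv6_address")
    if not v4 and not v6:
        problems.append("at least one of IPv4 or IPv6 must be configured")

    if v4:
        try:  # ipaddress accepts a dotted netmask after the slash
            iface4 = ipaddress.IPv4Interface(f"{v4}/{a.get('ipv4_netmask', '')}")
        except ValueError:
            problems.append(f"bad IPv4 address/netmask {v4}/{a.get('ipv4_netmask')}")
        else:
            p = _check_gateway(a.get("ipv4_gateway", ""), iface4, "IPv4")
            if p:
                problems.append(p)

    if v6:
        try:  # prefix must be a length 0..128
            iface6 = ipaddress.IPv6Interface(f"{v6}/{a.get('ipv6_prefix', '')}")
        except ValueError:
            problems.append(f"bad IPv6 address/prefix {v6}/{a.get('ipv6_prefix')}")
        else:
            p = _check_gateway(a.get("ipv6_gateway", ""), iface6, "IPv6")
            if p:
                problems.append(p)

    host = a.get("hostname", "")
    if not _valid_dns_name(host):
        problems.append(f"hostname {host!r} is not a valid DNS name")

    dns = a.get("dns_servers", "none")
    if dns != "none":
        for server in dns.split(","):
            try:
                ipaddress.ip_address(server.strip())
            except ValueError:
                problems.append(f"DNS server {server.strip()!r} is not an IP address")

    domains = a.get("search_domains", "none")
    if domains != "none":
        for domain in domains.split(","):
            if not _valid_dns_name(domain.strip()):
                problems.append(f"search domain {domain.strip()!r} is not a valid DNS name")
    return problems


if __name__ == "__main__":
    for problem in check_wizard_answers(SAMPLE_ANSWERS) or ["answers look consistent"]:
        print(problem)
```

Run it against your own answers before the console session; a gateway that is outside the management subnet is the most common reason the appliance later fails to reach its manager or the Internet for updates.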
5. Reconnect to your appliance using the new login credentials.
Note: We recommend that you set the firewall mode at initial configuration. Note that the default mode is routed. Changing the firewall mode after initial setup erases your running configuration. For more information, see “Transparent or Routed Firewall Mode” in the Firepower Management Center Configuration Guide.
7. Wait for the default system configuration to be processed. This may take a few minutes.
Update policy deployment information
- add device configuration
You can register the sensor to a Management Center and use the Management Center
to manage it. Note that registering the sensor to a Management Center disables
Later, using the web interface on the Management Center, you must use the same
registration key and, if necessary, the same NAT ID when you add this
sensor to the Management Center.
Note: The registration key is a user-generated one-time use key that must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). You will need to remember this registration key when you add the security appliance to the Firepower Management Center.
8. Identify the Firepower Management Center appliance that will manage this security appliance using the configure manager add command.
Remember that the registration key is a user-generated one-time use key which you need to add the security appliance to the Firepower Management Center’s inventory. The following example shows the simple case:
> configure manager add MC.example.com 123456
Manager successfully configured.
If the security appliance and the Firepower Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
The Firepower Management Center and the security appliance use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration. The NAT ID must be unique among all NAT IDs used to register managed appliances to establish trust for the initial communication and to look up the correct registration key.
Note: At least one of the security appliances, either the Firepower Management Center or the Firepower Threat Defense, must have a public IP address to establish the two-way, SSL-encrypted communication channel between the two appliances.
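When several appliances are staged at once, each needs its own one-time registration key and, behind NAT, its own NAT ID; a reused NAT ID breaks the lookup the Firepower Management Center performs during initial registration. The script below is an added example, not part of the Cisco guide, that generates keys from a CSPRNG within the limits stated in the note above (at most 37 characters, A-Z, a-z, 0-9 and hyphen), checks that keys and NAT IDs are unique across a batch, and prints the matching configure manager add line for each device. The argument order DONTRESOLVE <registration key> <NAT ID> is inferred from the text and the earlier example; confirm it against the command reference for your release. The function names and the device list are this example's own.

```python
import secrets
import string

# Limits from the guide: up to 37 characters, alphanumerics and hyphen.
KEY_MAX_LEN = 37
KEY_ALPHABET = frozenset(string.ascii_letters + string.digits + "-")


def valid_registration_key(key):
    """True if key meets the length and character rules stated in the guide."""
    return 0 < len(key) <= KEY_MAX_LEN and all(c in KEY_ALPHABET for c in key)


def new_registration_key(length=32):
    """One-time key drawn from a CSPRNG; alphanumerics only to avoid a leading hyphen."""
    if not 0 < length <= KEY_MAX_LEN:
        raise ValueError(f"length must be 1..{KEY_MAX_LEN}")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def manager_add_command(reg_key, manager="DONTRESOLVE", nat_id=None):
    """Build the FTD CLI line that names the manager (assumed argument order)."""
    if not valid_registration_key(reg_key):
        raise ValueError("registration key violates the length or character rules")
    if manager == "DONTRESOLVE" and nat_id is None:
        raise ValueError("DONTRESOLVE requires a NAT ID")
    if nat_id is not None and (not nat_id or any(c.isspace() for c in nat_id)):
        raise ValueError("NAT ID must be a single non-empty token")
    cmd = f"configure manager add {manager} {reg_key}"
    return f"{cmd} {nat_id}" if nat_id is not None else cmd


def plan_registrations(device_names, manager, behind_nat):
    """Assign a unique key (and NAT ID when behind NAT) per device; return the plan."""
    plan, used_keys, used_nat_ids = {}, set(), set()
    for name in device_names:
        key = new_registration_key()
        while key in used_keys:          # collisions are astronomically unlikely, but cheap to rule out
            key = new_registration_key()
        used_keys.add(key)
        nat_id = None
        if behind_nat:
            nat_id = f"nat-{secrets.token_hex(4)}"  # constructed NAT ID format
            while nat_id in used_nat_ids:
                nat_id = f"nat-{secrets.token_hex(4)}"
            used_nat_ids.add(nat_id)
        target = "DONTRESOLVE" if behind_nat else manager
        plan[name] = {
            "reg_key": key,
            "nat_id": nat_id,
            "command": manager_add_command(key, manager=target, nat_id=nat_id),
        }
    return plan


if __name__ == "__main__":
    # Constructed device names; MC.example.com is the manager from the guide's example.
    for name, entry in plan_registrations(["ftd-branch-1", "ftd-branch-2"],
                                          "MC.example.com", behind_nat=True).items():
        print(f"{name}: > {entry['command']}")
```

Keep the generated plan with the same care as a credential: the key and NAT ID are the only things authenticating the appliance to the Firepower Management Center until registration completes, and the same values must be typed into the Devices > Device Management dialog when you add the appliance.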
9. Close the CLI.
What To Do Next
Register your security appliance to a Firepower Management Center as described in the next section.
Register the Security Appliance with the Firepower Management Center and Assign Smart Licenses
Before You Begin
Set up Smart Licensing on your Firepower Management Center. Make sure you have a Cisco Smart Account. You can create one at Cisco Software Central ( https://software.cisco.com/).
Make sure you have a base Firepower Threat Defense license added to your Smart Account; for example, L-FP2100T-BASE=.
1. Log into the Firepower Management Center using an HTTPS connection in a browser and using the hostname or address entered above. For example, https://MC.example.com.
2. Use the Device Management (Devices > Device Management) window to add the security appliance. For more information, see the online help or “Managing Devices” in the Firepower Management Center Configuration Guide.
3. Enter the management IP address configured on the security appliance during the CLI setup.
4. Use the same registration key as specified on the security appliance during the CLI setup.
5. Select your Smart Licensing options (Threat, URL, Advanced Malware).
These licenses need to be present in your Smart Account already. You should have a base license for your appliance in your Smart Account.
6. Click Register and confirm a successful device registration.
What To Do Next
Configure policies and device settings for your security appliance. After you add the security appliance to the Firepower Management Center, you can use the Firepower Management Center user interface to configure device management settings and to configure and apply access control policies and other related policies to manage traffic using your Firepower Threat Defense system.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)