Overview

Features

The Cisco Secure Firewall 1200 Series is a family of network security appliances for enterprise branches. The appliances are powered by a network processor that delivers high performance and power efficiency in modern branch security workloads. The 1200 Series includes three 1U rack-mount models: 1230, 1240 and 1250.

See Product ID Numbers for a list of the product IDs (PIDs) associated with the Secure Firewall 1200 series

The Secure Firewall 1200 series supports Cisco Firepower Threat Defense and Cisco Secure ASA software. See the Cisco Secure Firewall Threat Defense Compatibility Guide and the Cisco Secure Firewall ASA Compatibility guide, which provide Cisco software and hardware compatibility, including operating system and hosting environment requirements, for each supported version.

The following figure shows the Cisco Secure Firewall 1200 series chassis.

Figure 1. CSF-1230, CSF-1240, and CSF-1250

The following table lists the features for the Secure Firewall 1200 series.

Table 1. CSF-1230, CSF-1240, and CSF-1250 Features

Feature

CSF-1230

CSF-1240

CSF-1250

Form factor

1 RU

Mounting

Rack mount

EIA-310D (19-inch) rack (2-post mounting)

Airflow

I/O side to non-I/O side with I/O side air intake

Rear panel to front panel (cold aisle to hot aisle)

System memory

16 GB

32 GB

32 GB

Management port

One 1-Gbps copper RJ-45 Gigabit Ethernet 10/100/1000 BaseT

Restricted to network management access only; connect with an RJ-45 cable

Console ports

One Cisco Serial (RS-232 on RJ-45)

One USB Type C 3.0

Provides management access through an external system; you cannot use both ports at the same time.

USB port

One USB 3.0 Type A

Allows attachment of an external device such as mass storage

Network ports

Eight 1000BaseT1

Eight 1000/2500 BaseT2

Small form-factor pluggable (SFP) ports

Four SFP+ (1/10Gbps)

Port numbering is left to right, top to bottom; ports are named Gigabit Ethernet 1/9 through 1/12. Each port includes a pair of LEDs, one each for connection status and link status.

Supported SFPs

See Supported SFP/SFP+/QSFP+ Transceivers for a list of the supported SFPs.

Power switch

Yes

On rear panel; rocker-type power on/off switch

Note

 
The power switch controls system power and operates as a soft notification switch that supports the graceful shutdown of the system. Graceful shutdown reduces the risk of system software and data corruption.

Caution

 

If you accidentally push the power switch to ON while unpacking your chassis, make sure the power switch is set to OFF before you connect AC power for the first time. The chassis powers on and boots up as soon as the AC power is applied when the power button is in the ON position.

Reset button

Small recessed button

Push and hold with a pin for 5 seconds; resets the chassis to its default state following the next reboot.

Note

 

Configuration variables are reset to factory default, but the flash is not erased and no files are removed.

AC power supply

One AC power supply

Internal component only; not field-replaceable.

You must return the chassis to Cisco for power supply replacement. See the Cisco Returns Portal for more information.

Redundant power

No

Fan

Two fixed fans

The fans are internal; there is no user access.

The fan is not field-replaceable; you must return the chassis to Cisco for fan replacement. See the Cisco Returns Portal for more information.

Storage

One slot

960-GB U.2 NVME

The drive is field-replaceable. See Replace the SSD for more information.

Flash

nternal 16 GB eMMC. Not field-replaceable.
1 Each RJ-45 (8P8C) copper port supports auto Medium Dependent Interface Crossover (MDI/X) as well as auto-negotiation for interface speed, duplex, and other negotiated parameters, and are MDI/X-compliant. Port numbering is left to right, top to bottom; ports are named Gigabit Ethernet 1/1 through 1/8. Each port includes a pair of LEDs, one each for connection status and link status.
2 Each RJ-45 (8P8C) copper port supports auto Medium Dependent Interface Crossover (MDI/X) as well as auto-negotiation for interface speed, duplex, and other negotiated parameters, and are MDI/X-compliant. Port numbering is left to right, top to bottom; ports are named Gigabit Ethernet 1/1 through 1/8. Each port includes a pair of LEDs, one each for connection status and link status
Console Ports
The 1200 series has two external console ports, a Cisco RJ-45 serial port and a Type C USB serial port. Only one serial console port can be active at a time. When a cable is plugged into the USB console port, the RJ-45 port becomes inactive. Conversely, when the USB cable is removed from the USB port, the RJ-45 port becomes active. The console ports do not have any hardware flow control. You can use the CLI to configure the chassis through either serial console port by using a terminal server or a terminal emulation program on a computer.

  • RJ-45 (8P8C) port—Supports RS-232 signaling to an internal UART controller. The RJ-45 console port does not support a remote dial-in modem. You can use an adapter to convert the RJ45-to-DB9 connection if necessary.

  • Type C USB port—Lets you connect to a USB port on an external computer. You can plug and unplug the USB cable from the console port without affecting Windows HyperTerminal operations. We recommend shielded USB cables with properly terminated shields. The default setting is 9600 baud. Use this for the initial connection. Baud rates for the USB console port are 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200 bps.

External Flash Storage
The chassis provides a USB Type A port that you can use to attach an external device. The USB port can provide output power of 5 volts and up to a maximum of 1 A (5 W of USB power).

  • External USB drive (optional)—You can use the external USB Type A port to attach a data-storage device. The external USB drive identifier is disk1. When the chassis is powered on, a connected USB drive is mounted as disk1 and is available for you to use. Additionally, the file-system commands that are available to disk0 are also available to disk1, including copy, format, delete, mkdir, pwd, cd, and so on.

  • FAT-32 File System—The 1200 series only supports FAT-32-formatted file systems for the external USB drive. If you insert an external USB drive that is not in FAT-32 format, the system mounting process fails, and you receive an error message. You can enter the command format disk1: to format the partition to FAT-32 and mount the partition to disk1 again; however, data might be lost.

Package Contents

The following figure shows the package contents for the Secure Firewall 1230, 1240, and 1250. Note that the contents are subject to change, and your exact contents might contain additional or fewer items depending on what you ordered.

Figure 2. CSF-1230, CSF-1240, and CSF-1250 Package Contents

1

Chassis

2

Power cord

Optional: in package if ordered

3

Eight 6-32 x 0.25-inch Phillips screws for securing the rack mount brackets to the chassis

4

Two rack-mount brackets

5

Cisco Secure Firewall 1230, 1240, and 1250

This document has links to the hardware installation guide, regulatory and safety information guide, and warranty and licensing information. It also contains a QR code and URL that point to the Digital Documentation Portal. The portal contains links to the product information page, the hardware installation guide, the regulatory and safety information guide, the getting started guide, and the zero-touch provisioning guide.

6

USB console cable (Type C)

PID: CAB-CONS-USB-C

Optional: in package if ordered

Pullout Asset Tag and Compliance Label

The pullout asset card on the front panel of the chassis contains the chassis model name, part number, serial number, the common language equipment identifier (CLEI), and the Digital Documentation Portal QR code that points to the getting started guide, the regulatory and compliance guide, the zero-touch deployment guide, and the hardware installation guide.

The following figure shows an example pullout asset card on the front panel of the chassis.

Figure 3. Pullout Asset Card on the Front Panel of the Chassis

1

Pullout asset tab

2

Label

3

Digital Documentation Portal QR code

4

Chassis serial number

The following figure shows the location of the compliance label on the bottom of the chassis.

Figure 4. Compliance Label on the Bottom of the Chassis

1

Front panel (I/O side)

2

 Compliance label

3

Bottom of the chassis
The following figure shows a sample compliance label found on the bottom of the chassis.
Figure 5. Sample Compliance Label

Front Panel

The following figure shows the front panel of the Secure Firewall 1230, 1240, and 1250. See Front Panel LEDs for descriptions of the front panel LEDs.

Figure 6. CSF-1230, CSF-1240, and CSF-1250 Front Panel

1

Reset button

2

USB Type A

3

USB Type C console

4

Management port RJ-45

5

Eight 1000BASE-T (CSF-1230 and CSF-1240) or 2.5 G BASE-T (CSF-1250) Ethernet ports (numbered 1 through 8)

6

Four SFP+ ports (numbered 9 through 12)

7

RJ-45 (8P8C) console port

8

Status LEDs

9

Pullout asset tag

See Pullout Asset Tag and Compliance Label for more information.

10

SSD LED

11

SSD slot

Front Panel LEDs

The following figure shows the LEDs on the front panel of the Secure Firewall 1230, 1240, and 1250 and describes their states.

Figure 7. CSF-1230, CSF-1240, and CSF-1250 Front Panel LEDs

1

Management

Status of the management ports:

Link status (L):

  • Off—No link, or port is not in use.

  • Green—Link established.

  • Green, flashing—Link activity.

2

Management

Status of the management ports:

Connection-speed status (S):

  • Green, flashing—One flash every three seconds = 10 Mbps.

  • Green, flashing—Two rapid flashes = 100 Mbps.

  • Green, flashing—Three rapid flashes = 1000 Mbps.

3

Network

Status of the network ports (applies to CSF-1230 and CSG-1240):

Link status (L):

  • Off—No link, or port is not in use.

  • Green—Link established.

  • Green, flashing—Link activity.

Status of the network ports (applies to CSF-1250):

Link status (L):

  • Off—No link, or port is not in use.

  • Green, flashing—Link activity.

4

Network

Status of the network ports (applies to CSF-1230 and CAF-1240):

Connection-speed status (S):

  • Green, flashing—One flash every three seconds = 10 Mbps.

  • Green, flashing—Two rapid flashes = 100 Mbps.

  • Green, flashing—Three rapid flashes = 1000 Mbps.

Status of the network ports (applies to CSF-1250):

Connection-speed status (S):

  • Off—No link, or port is not in use.

  • Green—Link established

5

Power

Power supply status:

  • Off —Power supply off.

  • Green—Power supply on.

  • Amber—System is powering up or system firmware is updating.

  • Green, flashing—System in process of a graceful shutdown.

6

System

System operating status:

  • Off—System has not booted up yet.

  • Green, flashing—System is booting up.

  • Green—System has booted up; normal system function.

  • Amber—System failed to boot.

  • Amber, flashing—Boot failed.

7

Security Cloud Control

SCC status:

  • Green, flashing slowly (twice in five seconds)—Cloud connected.

  • Green and amber, flashing—Cloud connection failure.

  • Green—Cloud disconnected.

Note

 
The LED pattern applies to zero-touch provisioning (ZTP). See the Easy Deployment Guide for Cisco Secure Firewall Threat Defense with Cisco Security Cloud Control for more information.

8

Active

Status of the failover pair:

  • Off—System is in standby mode.

  • Green—System is in active mode.

9

Alarm

Status of the alarms:

  • Off—No alarms.

  • Yellow—Power supply, temperature too high, and/or fan failures.

10

SSD

Status of the SSD:

  • Off— No SSD present.

  • Green—SSD detected.

  • Green, flashing—Activity on the SSD.

Note

 

See Replace the SSD for the procedure for replacing a failed SSD.

Rear Panel

The following figure shows the rear panel of the Secure Firewall 1230, 1240, and 1250. See Ground the Chassisfor the procedure for attaching the grounding lug.

Figure 8. CSF-1230, CSF-1240, and CSF-1250 Rear Panel

1

Power switch

Note

 

The power switch provides a way to gracefully shut down the system and place it in standby. The power supply and fan remain active and the fan may continue to spin at slow speed. To achieve total power shut down, unplug the power supply from the chassis.

Caution

 

If you accidentally push the power switch to ON while unpacking your chassis, make sure the power switch is set to OFF before you connect AC power for the first time. The chassis powers on and boots up as soon as the AC power is applied when the power button is in the ON position.

2

Power cord socket

3

Internal fan

4

Internal fan

5

Grounding lug pad

Hardware Specifications

The following table contains hardware specifications for the Secure Firewall CSF-1230, CSF-1240, and CSF-1250.

Table 2. Hardware Specifications

Specification

CSF-1230

CSF-1240

CSF-1250

Dimensions (H x W x D)

1.72 x 11.22 x 17.25 inches (4.37 x 28.49 x 43.81 cm)

Weight

9.35 lb (4.24 kg)

9.52 lb (4.31 kg)

Temperature

Operating: 32 to 104°F (0 to 40°C)

Nonoperating: -13 to 158°F (-25 to 70°C) maximum altitude is 15,000 ft

Humidity

Operating: 5 to 85% noncondensing

Nonoperating: 5 to 95% noncondensing

Altitude

Operating: 0 to 10,000 ft (0 to 3048 m)

Nonoperating: 0 to 15,000 ft (0 to 4572 m)

Acoustic noise

(10,000 ft and 40°C)

52.1 dBa (maximum)

At highest system performance

57.8 dBa (maximum)

At highest system performance
Power consumption (maximum)

57 W

684 W

88 W

Supported SFP/SFP+/QSFP+ Transceivers

The SFP/SFP+/QSFP+ transceiver is a bidirectional device with a transmitter and receiver in the same physical package. It is a hot-swappable optical or electrical (copper) interface that plugs into the SFP/SFP+/QSFP+ ports on the fixed ports and the network module ports, and provides Ethernet connectivity.

The 1-Gbps and 10-Gbps transceivers are supported on the fixed ports for the following models and software versions:

  • CSF-1230, CSF-1240, CSF-1250

  • Threat defense Version 7.7 and ASA Version 9.23.1

See Cisco SFP Modules for Gigabit Ethernet Applications Data Sheet for more information.

The following figure shows the components of a transceiver.

Figure 9. SFP Transceiver

1

Dust plug

2

Bail clasp

3

Receive optical bore

4

Transmit optical bore

Safety Warnings

Take note of the following warnings:


Warning

Statement 1055—Class 1/1M Laser

Invisible laser radiation is present. Do not expose to users of telescopic optics. This applies to Class 1/1M laser products.


Warning

Statement 1056—Unterminated Fiber Cable

Invisible laser radiation may be emitted from the end of the unterminated fiber cable or connector. Do not view directly with optical instruments. Viewing the laser output with certain optical instruments, for example, eye loupes, magnifiers, and microscopes, within a distance of 100 mm, may pose an eye hazard.


Warning

Statement 1057—Hazardous Radiation Exposure

Use of controls, adjustments, or performance of procedures other than those specified may result in hazardous radiation exposure.


Warning

Use appropriate ESD procedures when inserting the transceiver. Avoid touching the contacts at the rear, and keep the contacts and ports free of dust and dirt. Keep unused transceivers in the ESD packing that they were shipped in.


Caution

Although non-Cisco SFPs are allowed, we do not recommend using them because they have not been tested and validated by Cisco. Cisco TAC may refuse support for any interoperability problems that result from using an untested third-party SFP transceiver.

The following table lists the supported 1-Gbps transceivers for the fixed ports (not supported for management port).

Table 3. Supported 1-Gbps SFP Transceivers

Optics Type

PID

Medium

Operating Wavelength (nm)

Maximum Operating Distance

1000Base-T

GLC-T

Cat 5e

328 ft (100 m)

1000Base-T

GLC-TE

Cat 5e

328 ft (100 m)

Multimode

GLC-SX-MMD

multimode

850

1804 ft (550 m)3

Single mode

GLC-LH-SMD

single mode

1310

32,821 ft (10 km)

SM extended

GLC-EX-SMD

single mode

1310

131, 234 ft (40 km)

SM

GLC-ZX-SMD

single mode

1550

229,659 ft (70 km)4
3 Depending on fiber grade and core size, operating distance may vary.
4 Depending on fiber grade and core size, operating distance may vary.

The following table lists the supported transceivers for the fixed ports (not supported for the management port).

Table 4. Supported 10-Gbps SFP Transceivers

Optics Type

PID

Medium

Operating Wavelength (nm)

Maximum Operating Distance

10G-SR

SFP-10G-SR

multimode

850

984 ft (300 m)5

10G-SR

SFP-10G-SR-S

multimode

1310

984 ft (300 m)

10G-LR

SFP-10G-LR

single mode

1310

32,821 ft (10 km)

10G-LR

SFP-10G-LR-S

single mode

850

32,821 ft (10 km)

10G-ER

SFP-10G-ER

single mode

850

131,234 ft (40 km)

10G-ER

SFP-10G-ER-S

single mode

1310

131,234 ft (40 km)

10G-ZR

SFP-10G-ZR

single mode

1550

131,234 ft (40 km)

10G-ZR

 SFP-10G-ZR-S single mode

1550

262,467 ft (80 km)

10G DAC copper

SFP-H10GB-CUxM

Length 1, 1.5, 2, 2.5, 3, 4, 5 m

Twinax cable, passive

10G DAC CU active

SFP-H10GB-ACUxM

Length 7, 10 m

Twinax cable, active

10G AOC

SFP-10G-AOCxM

Length 1, 2, 3, 5, 7, 10 m

Active optical cable

5 Depending on fiber grade and core size, operating distance may vary.

Product ID Numbers

The following table lists the field-replaceable PIDs associated with the Secure Firewall 1230, 1240, and 1250. The spare components are ones that you can order separately from the appliance. If any internal components fail, you must get a return material authorization (RMA) for the entire chassis. See the Cisco Returns Portal for more information.


Note

See the show inventory command in the Cisco Secure Firewall Threat Defense Command Reference or the Cisco Secure Firewall ASA Series Command Reference to display a list of the PIDs for your Secure Firewall 1230, 1240, and 1250.

Table 5. CSF-1230, CSF-1240, and CSF-1250 Series PIDs

PID

Description

CSF1230-ASA-K9

Secure Firewall 1230 appliance, ASA

CSF1240-ASA-K9

Secure Firewall 1240 appliance, ASA

CSF1250-ASA-K9

Secure Firewall 1250 appliance, ASA

CSF1230-TD-K9

Secure Firewall 1230 appliance, Threat Defense

CSF1240-TD-K9

Secure Firewall 1240 appliance, Threat Defense

CSF1250-TD-K9

Secure Firewall 1250 appliance, Threat Defense

CSF1200-SSD960

Secure Firewall 1230, 1240, and 1250 960-GB SSD

CSF1200-SSD960=

Secure Firewall 1230, 1240, and 1250 960-GB SSD (spare)

CSF1200-CBL-MGMT

Secure Firewall 1230, 1240, and 1250 cable-management brackets

CSF1200-CBL-MGMT=

Secure Firewall 1230, 1240, and 1250 cable-management brackets (spare)

FPR1K-RM=

Secure Firewall 1230, 1240, and 1250 rack-mount brackets (spare)

Power Cord Specifications

Standard power cords or jumper power cords are available for connection to the security appliance. The jumper power cords for use in racks are available as an optional alternative to the standard power cords.

If you do not order the optional power cord with the system, you are responsible for selecting the appropriate power cord for the product. Using a incompatible power cord with this product may result in electrical safety hazard. Orders delivered to Argentina, Brazil, and Japan must have the appropriate power cord ordered with the system.


Note

Only the approved power cords or jumper power cords provided with the chassis are supported.

The following power cords are supported.

Figure 10. Argentina (CAB-ACR)

1

Plug: VA2073

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 11. Australia/New Zealand (CAB-ACA)

1

Plug: AU10LS3

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 12. Brazil (CAB-C13-ACB)

1

Plug: NBR 14136

2

Cord set rating: 10 A, 250 V

3

Connector: EL 701B (EN 60320/C13)
Figure 13. China (CAB-ACC)

1

Plug: V3203C

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 14. Europe (CAB-ACE)

1

Plug: M2511

2

Cord set rating: 16 A, 250 V

3

Connector: V1625
Figure 15. India (CAB-IND-10A)

1

Plug: IA16A3-C

2

Cord set rating: 16 A, 250 V

3

Connector: V1625BS-E
Figure 16. Italy (CAB-ACI)

1

Plug: IT10S3

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 17. Japan (CAB-C13-C14-2M-JP) PSE Mark

1

IEC 60320-2-2/E

2

Cord set rating: 10 A, 250 V

3

Connector: IEC 60320/C13

Figure 18. Japan (CAB-JPN-3PIN)

1

Plug: M744

2

Cord set rating: 12 A, 125 V

3

Connector: V1625
Figure 19. Korea (CAB-AC-C13-KOR)

1

Plug: M2511

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 20. North America (CAB-AC)

1

Plug: PS204

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 21. Jumper (CAB-C13-C14-2M)

1

IEC 60320/C14G

2

Cord set rating: 10 A, 250 V

3

Connector: IEC 60320/C13
Figure 22. South Africa (AIR-PWR-CORD-SA)

1

Plug: SA16A

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 23. Switzerland (CAB-ACS)

1

Plug: SW10ZS3

2

Cord set rating: 10 A, 250 V

3

Connector: V1625
Figure 24. Taiwan (CAB-ACTW)

1

Plug: EL 302 (CNS10917)

2

Cord set rating: 10 A, 125 V

3

Connector: EL 701 (EN 60320/C13)
Figure 25. United Kingdom (CAB-ACU)

1

Plug: 3P BS 1363

2

Cord set rating: 10 A, 250 V

3

Connector: IEC 60320/C13