The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco translated this document using a combination of human and machine translation, with the aim of supporting users worldwide in their own language. Note that even the best machine translation is not as accurate as a professional translator. Cisco Systems, Inc. accepts no responsibility for the accuracy of these translations and recommends that you always refer to the original English document (link provided).
This document describes the installation, upgrade and registration of Firepower Threat Defense (FTD) software on Firepower appliances.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
FTD is a unified software image that can be installed on these platforms:
Navigate to Next-Generation Firewall (NGFW) > Firepower 4100 Series > Firepower 4140 Security Appliance and select Firepower Threat Defense Software, as shown in the image.
Task requirement
Verify that the FXOS version that runs on the chassis is compatible with the FTD version you want to install on the security module.
Step 1. Check FXOS-FTD compatibility
Before you deploy the FTD image to the module/blade, make sure that the Firepower chassis runs a compatible FXOS software release. In the FXOS Compatibility guide, check the Logical Device Compatibility table. The minimum FXOS version required to run FTD 6.1.x is 1.1(4.95), as shown in the table here:
If the FXOS image is not compatible with the target FTD image, you need to upgrade the FXOS software first.
Verify the FXOS image
Method 1. From the Firepower Chassis Manager (FCM) UI Overview page, as shown in the image:
Method 2. Navigate to the FCM System > Updates page, as shown in the image:
Method 3. From the FXOS CLI:
FPR4100# show fabric-interconnect firmware
Fabric Interconnect A:
    Running-Kern-Vers: 5.0(3)N2(4.01.35)
    Running-Sys-Vers: 5.0(3)N2(4.01.35)
    Package-Vers: 2.0(1.37)
    Startup-Kern-Vers: 5.0(3)N2(4.01.35)
    Startup-Sys-Vers: 5.0(3)N2(4.01.35)
    Act-Kern-Status: Ready
    Act-Sys-Status: Ready
    Bootloader-Vers:
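To turn the compatibility gate above into a repeatable pre-check, here is an added Python example (not code from the Cisco document): it extracts the Package-Vers field from the show fabric-interconnect firmware output and compares it with the 1.1(4.95) minimum the page gives for FTD 6.1.x. The sample output is constructed from the CLI output shown above, and the version regex assumes the major.minor(build.sub) form used there.

```python
import re

# Minimum FXOS bundle version required for FTD 6.1.x, as stated on this page
# (taken from the FXOS Logical Device Compatibility table).
MIN_FXOS_FOR_FTD_61 = "1.1(4.95)"

# Constructed sample: the "show fabric-interconnect firmware" output quoted above.
SAMPLE_FIRMWARE_OUTPUT = """\
Fabric Interconnect A:
    Running-Kern-Vers: 5.0(3)N2(4.01.35)
    Running-Sys-Vers: 5.0(3)N2(4.01.35)
    Package-Vers: 2.0(1.37)
    Startup-Kern-Vers: 5.0(3)N2(4.01.35)
    Startup-Sys-Vers: 5.0(3)N2(4.01.35)
    Act-Kern-Status: Ready
    Act-Sys-Status: Ready
    Bootloader-Vers:
"""

# Assumed format of the FXOS bundle version: "2.0(1.37)" -> major.minor(build.sub)
_FXOS_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\)$")


def parse_fxos_version(text: str) -> tuple:
    """Turn an FXOS version such as '2.0(1.37)' into a comparable tuple (2, 0, 1, 37)."""
    m = _FXOS_VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FXOS version format: {text!r}")
    return tuple(int(g) for g in m.groups())


def package_version(firmware_output: str) -> str:
    """Extract the Package-Vers field (the FXOS bundle version) from the CLI output."""
    for line in firmware_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "Package-Vers":
            return value.strip()
    raise ValueError("Package-Vers not found in output")


def fxos_supports_ftd_61(firmware_output: str) -> bool:
    """True when the chassis FXOS bundle meets the FTD 6.1.x minimum given on this page."""
    running = parse_fxos_version(package_version(firmware_output))
    return running >= parse_fxos_version(MIN_FXOS_FOR_FTD_61)


if __name__ == "__main__":
    print("FXOS", package_version(SAMPLE_FIRMWARE_OUTPUT),
          "meets FTD 6.1.x minimum:", fxos_supports_ftd_61(SAMPLE_FIRMWARE_OUTPUT))
```

Tuple comparison is what makes the check correct: 1.1(4.95) is older than 2.0(1.37) even though a plain string comparison of the two would also happen to agree here, it would not for 1.1(10.1) versus 1.1(4.95).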
Task requirement
Upload the FTD image to the FPR4100 chassis.
Method 1 - Upload the FTD image from the FCM UI
Log in to the FPR4100 Chassis Manager and navigate to the System > Updates tab. Select Upload Image to upload the file, as shown in the image.
Browse to select the FTD image file and click Upload, as shown in the image:
Accept the End User License Agreement (EULA).
Verification, as shown in the image.
Method 2 - Upload the FTD image from the FXOS CLI
You can upload the FTD image from an FTP, Secure Copy (SCP), Secure FTP (SFTP), or TFTP server.
Before you start the image transfer, it is recommended to verify connectivity between the chassis management interface and the remote server:
FPR4100# connect local-mgmt
FPR4100(local-mgmt)# ping 10.229.24.22
PING 10.229.24.22 (10.229.24.22) from 10.62.148.88 eth0: 56(84) bytes of data.
64 bytes from 10.229.24.22: icmp_seq=1 ttl=124 time=0.385 ms
64 bytes from 10.229.24.22: icmp_seq=2 ttl=124 time=0.577 ms
64 bytes from 10.229.24.22: icmp_seq=3 ttl=124 time=0.347 ms
To download the FTD image, navigate to this scope and use the download image command:
FPR4100# scope ssa
FPR4100 /ssa # scope app-software
FPR4100 /ssa/app-software # download image ftp://ftp_username@10.229.24.22/cisco-ftd.6.1.0.330.SPA.csp
Password:
To monitor the image upload progress:
FPR4100 /ssa/app-software # show download-task detail
Downloads for Application Software:
    File Name: cisco-ftd.6.1.0.330.SPA.csp
    Protocol: Ftp
    Server: 10.229.24.22
    Port: 0
    Userid: ftp
    Path:
    Downloaded Image Size (KB): 95040
    Time stamp: 2016-12-11T20:27:47.856
    State: Downloading
    Transfer Rate (KB/s): 47520.000000
    Current Task: downloading image cisco-ftd.6.1.0.330.SPA.csp from 10.229.24.22(FSM-STAGE:sam:dme:ApplicationDownloaderDownload:Local)
You can also use this command to verify that the download succeeded:
FPR4100 /ssa/app-software # show download-task
Downloads for Application Software:
    File Name                      Protocol   Server        Port       Userid    State
    ------------------------------ ---------- ------------- ---------- --------- -----
    cisco-ftd.6.1.0.330.SPA.csp    Ftp        10.229.24.22  0          ftp       Downloaded
For additional details:
KSEC-FPR4100 /ssa/app-software # show download-task fsm status expand
File Name: cisco-ftd.6.1.0.330.SPA.csp
    FSM Status:
        Affected Object: sys/app-catalogue/dnld-cisco-ftd.6.1.0.330.SPA.csp/fsm
        Current FSM: Download
        Status: Success
        Completion Time: 2016-12-11T20:28:12.889
        Progress (%): 100
    FSM Stage:
        Order  Stage Name                               Status       Try
        ------ ---------------------------------------- ------------ ---
        1      DownloadLocal                            Success      1
        2      DownloadUnpackLocal                      Success      1
File Name: Cisco_FTD_SSP_Upgrade-6.1.0-330.sh
The image is shown in the chassis repository:
KSEC-FPR4100 /ssa/app-software # exit
KSEC-FPR4100 /ssa # show app
Application:
    Name       Version    Description Author     Deploy Type CSP Type    Is Default App
    ---------- ---------- ----------- ---------- ----------- ----------- --------------
    asa        9.6.2.3    N/A         cisco      Native      Application No
    ftd        6.1.0.330  N/A         cisco      Native      Application No
Task requirement
Configure and enable the management and data interfaces for FTD on the Firepower appliance.
To create a new interface, you must log in to the FCM and navigate to the Interfaces tab. From there you can see the current interfaces. To create a new port-channel interface, select the Add Port Channel button, as shown in the image:
Step 1. Create a port-channel data interface
Create a new port-channel interface, as shown in the image:
Port Channel ID | 10
Type | Data
Enable | Yes
Member ID | Ethernet1/1, Ethernet1/2
For the Port Channel ID you can enter a value from 1 to 47.
Note: Port Channel 48 is used for clustering.
Verification, as shown in the image.
Step 2. Create a management interface.
In the Interfaces tab, select the interface, select Edit and configure the management interface, as shown in the image:
Task requirement
Create FTD as a standalone logical device and deploy it.
Step 1. Add a logical device.
Navigate to the Logical Devices tab and select the Add Device button to create a new logical device, as shown in the image:
Configure an FTD device with these settings, as shown in the image:
Device Name | FTD
Template | Cisco Firepower Threat Defense
Image Version | 6.1.0.330
Step 2. Bootstrap the logical device.
Once you create the logical device, you are redirected to the Provisioning - device_name window. Select the device icon to start the configuration, as shown in the image.
Configure the FTD General Information tab, as shown in the image:
Management Interface | Ethernet1/3
Address Type | IPv4 only
Management IP | 10.62.148.84
Network Mask | 255.255.255.128
Network Gateway | 10.62.148.1
Configure the FTD Settings tab, as shown in the image:
Registration Key | cisco
Password | Pa$$w0rd
Firepower Management Center IP | 10.62.148.50
Search Domains | cisco.com
Firewall Mode | Routed
DNS Servers | 192.168.0.1
Fully Qualified Hostname | FTD4100.cisco.com
Eventing Interface | --
Make sure the Agreement is accepted and select OK.
Step 3. Assign data interfaces
Expand the Data Ports area and select each interface you want to assign to the FTD. In this scenario, one interface (Port-channel10) is assigned, as shown in the image:
Select Save to complete the configuration part.
Step 4. Monitor the installation process.
This is how the FTD installation progresses when you monitor it from the FCM UI, as shown in the image:
Monitor the installation process from the Firepower CLI:
FPR4100# connect module 1 console Telnet escape character is '~'. Trying 127.5.1.1... Connected to 127.5.1.1. Escape character is '~'. CISCO Serial Over LAN: Close Network Connection to Exit Cisco FTD: CMD=-start, CSP-ID=cisco-ftd.6.1.0.330__ftd_001_JAD19500F7YHCNL7715, FLAG='' Cisco FTD starting ... Registering to process manager ... VNICs requested: 9,22 Cisco FTD started successfully. Cisco FTD initializing ... Firepower-module1>Setting up VNICs ... Found Firepower management vnic 18. No Firepower eventing vnic configured. Updating /ngfw/etc/sf/arc.conf ... Deleting previous CGroup Configuration ... Initializing Threat Defense ... [ OK ] Starting system log daemon... [ OK ] Stopping mysql... Dec 12 17:12:17 Firepower-module1 SF-IMS[14629]: [14629] pmtool:pmtool [ERROR] Unable to connect to UNIX socket at /ngfw/var/sf/run/PM_Control.sock: No such file or directory Starting mysql... Dec 12 17:12:17 Firepower-module1 SF-IMS[14641]: [14641] pmtool:pmtool [ERROR] Unable to connect to UNIX socket at /ngfw/var/sf/run/PM_Control.sock: No such file or directory Flushing all current IPv4 rules and user defined chains: ...success Clearing all current IPv4 rules and user defined chains: ...success Applying iptables firewall rules: Flushing chain `PREROUTING' Flushing chain `INPUT' Flushing chain `FORWARD' Flushing chain `OUTPUT' Flushing chain `POSTROUTING' Flushing chain `INPUT' Flushing chain `FORWARD' Flushing chain `OUTPUT' Applying rules successed Flushing all current IPv6 rules and user defined chains: ...success Clearing all current IPv6 rules and user defined chains: ...success Applying ip6tables firewall rules: Flushing chain `PREROUTING' Flushing chain `INPUT' Flushing chain `FORWARD' Flushing chain `OUTPUT' Flushing chain `POSTROUTING' Flushing chain `INPUT' Flushing chain `FORWARD' Flushing chain `OUTPUT' Applying rules successed Starting nscd... mkdir: created directory '/var/run/nscd' [ OK ] Starting , please wait......complete. 
Firstboot detected, executing scripts Executing S01virtual-machine-reconfigure [ OK ] Executing S02aws-pull-cfg [ OK ] Executing S02configure_onbox [ OK ] Executing S04fix-httpd.sh [ OK ] Executing S06addusers [ OK ] Executing S07uuid-init [ OK ] Executing S08configure_mysql [ OK ] ************ Attention ********* Initializing the configuration database. Depending on available system resources (CPU, memory, and disk), this may take 30 minutes or more to complete. ************ Attention ********* Executing S09database-init [ OK ] Executing S11database-populate [ OK ] Executing S12install_infodb [ OK ] Executing S15set-locale.sh [ OK ] Executing S16update-sensor.pl [ OK ] Executing S19cert-tun-init [ OK ] Executing S20cert-init [ OK ] Executing S21disable_estreamer [ OK ] Executing S25create_default_des.pl [ OK ] Executing S30init_lights_out_mgmt.pl [ OK ] Executing S40install_default_filters.pl [ OK ] Executing S42install_default_dashboards.pl [ OK ] Executing S43install_default_report_templates.pl [ OK ] Executing S44install_default_app_filters.pl [ OK ] Executing S45install_default_realms.pl [ OK ] Executing S47install_default_sandbox_EO.pl [ OK ] Executing S50install-remediation-modules [ OK ] Executing S51install_health_policy.pl [ OK ] Executing S52install_system_policy.pl [ OK ] Executing S53change_reconciliation_baseline.pl [ OK ] Executing S70remove_casuser.pl [ OK ] Executing S70update_sensor_objects.sh [ OK ] Executing S85patch_history-init [ OK ] Executing S90banner-init [ OK ] Executing S96grow_var.sh [ OK ] Executing S96install_vmware_tools.pl [ OK ] ********** Attention ********** Initializing the system's localization settings. Depending on available system resources (CPU, memory, and disk), this may take 10 minutes or more to complete. 
********** Attention ********** Executing S96localize-templates [ OK ] Executing S96ovf-data.pl [ OK ] Executing S97compress-client-resources [ OK ] Executing S97create_platinum_forms.pl [ OK ] Executing S97install_cas [ OK ] Executing S97install_cloud_support.pl [ OK ] Executing S97install_geolocation.pl [ OK ] Executing S97install_ssl_inspection.pl [ OK ] Executing S97update_modprobe.pl [ OK ] Executing S98check-db-integrity.sh [ OK ] Executing S98htaccess-init [ OK ] Executing S98is-sru-finished.sh [ OK ] Executing S99correct_ipmi.pl [ OK ] Executing S99start-system [ OK ] Executing S99z_db_restore [ OK ] Executing S99_z_cc-integrity.sh [ OK ] Firstboot scripts finished. Configuring NTP... [ OK ] insmod: ERROR: could not insert module /lib/modules/kernel/drivers/uio/igb_uio.ko: File exists rw console=ttyS0,38400 loglevel=2 auto kstack=128 reboot=force panic=1 ide_generic.probe_mask=0x1 ide1=noprobe pci=nocrs processor.max_cstate=1 iommu=pt platform=sspxru boot_img=disk0:/fxos-lfbff-k8.9.6.1.150.SPA ciscodmasz=786432 cisconrsvsz=2359296 hugepagesz=1g hugepages=24 ssp_mode=0 Fru Size : 512 bytes Done VNIC command successful VNIC command successful fatattr: FAT_IOCTL_GET_ATTRIBUTES: Inappropriate ioctl for device fatattr: can't open '/mnt/disk0/.private2': No such file or directory fatattr: can't open '/mnt/disk0/.ngfw': No such file or directory Model reconfigure detected, executing scripts Pinging mysql Found mysql is running Executing 45update-sensor.pl [ OK ] Executing 55recalculate_arc.pl [ OK ] Mon Dec 12 17:16:15 UTC 2016 Starting MySQL... Pinging mysql Pinging mysql, try 1 Found mysql is running Detecting expanded storage... Running initializeObjects... Stopping MySQL... Killing mysqld with pid 32651 Wait for mysqld to exit\c done Mon Dec 12 17:16:21 UTC 2016 Starting sfifd... [ OK ] Starting Cisco Firepower 4140 Threat Defense, please wait...No PM running! ...started. Cisco FTD initialization finished successfully. ... output omitted ... 
Reading from flash... ! Cryptochecksum (changed): b1abfa7e 63faee14 affdddb0 9bc9d8cd INFO: Power-On Self-Test in process. ....................................................................... INFO: Power-On Self-Test complete. INFO: Starting HW-DRBG health test (DRBG 0)... INFO: HW-DRBG health test (DRBG 0) passed. INFO: Starting HW-DRBG health test (DRBG 1)... INFO: HW-DRBG health test (DRBG 1) passed. INFO: Starting SW-DRBG health test... INFO: SW-DRBG health test passed. Firepower-module1>
Firepower-module1>show services status
Services currently running:
Feature | Instance ID | State | Up Since
-----------------------------------------------------------
ftd | 001_JAD19500F7YHCNL7715 | RUNNING | :00:08:07
Task requirement
Register the FTD to the FMC.
Step 1. Verify basic connectivity between the FTD and the FMC.
Before you register the FTD to the FMC, verify basic connectivity between the FTD and the FMC:
Firepower-module1>connect ftd
Connecting to ftd console... enter exit to return to bootCLI
> ping system 10.62.148.50
PING 10.62.148.50 (10.62.148.50) 56(84) bytes of data.
64 bytes from 10.62.148.50: icmp_seq=1 ttl=64 time=0.133 ms
64 bytes from 10.62.148.50: icmp_seq=2 ttl=64 time=0.132 ms
64 bytes from 10.62.148.50: icmp_seq=3 ttl=64 time=0.123 ms
Because of the bootstrap configuration, the FTD already has the FMC configured as its manager:
> show managers
Host                      : 10.62.148.50
Registration Key          : ****
Registration              : pending
RPC Status                :
Step 2. Add the FTD to the FMC.
In the FMC, navigate to the Devices > Device Management tab and select Add > Add Device, as shown in the image.
Configure the FTD device settings, as shown in the image:
Select the Register button.
In the FMC, check the Tasks to see how the registration progresses. Apart from the registration, the FMC also:
Tip: You can use the pigtail command on the FMC and FTD CLI to track the registration process.
Successful registration, as shown in the image:
Note: In version 6.1, Firepower Device Manager (FDM) was introduced to provide on-box management. An FTD installed on a Firepower appliance cannot be managed by FDM.
Task requirement
Upgrade the FTD from 6.1.0.330 to 6.1.0.1.
Step 1. Verify compatibility
Check the FXOS release notes to make sure that the target FTD version is compatible with the FXOS software. If needed, upgrade the FXOS software first.
Step 2. Upgrade the FTD
The FTD software is managed by the FMC, not by the FCM. To upgrade the FTD module, connect to the FMC, navigate to the System > Updates page and select Upload Update, as shown in the image.
Install the update on the FTD module, as shown in the image:
Optionally, you can launch a Readiness Check:
A successful Readiness Check, as shown in the image:
To start the upgrade process, click Install, as shown in the image:
The upgrade requires an FTD reboot, as shown in the image:
As with the FTD installation, the FTD upgrade process can be monitored from the FMC UI (Tasks) or the FMC CLI (pigtail command). You can also track the progress from the FTD CLI (CLISH mode).
After the upgrade completes, a policy must be deployed to the FTD, as shown in the image:
Verify
From the FMC UI, as shown in the image:
From the FCM UI, as shown in the image:
From the chassis CLI:
FPR4100# scope ssa
FPR4100 /ssa # show app-instance
    Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
    -------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
    ftd                  1          Enabled         Online               6.1.0.1.53      6.1.0.330       Not Applicable
From the FTD CLI:
FPR4100# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit
> show version
---------------[ FTD4100.cisco.com ]----------------
Model                     : Cisco Firepower 4140 Threat Defense (76) Version 6.1.0.1 (Build 53)
UUID                      : 22c66994-c08e-11e6-a210-931f3c6bbbea
Rules update version      : 2016-03-28-001-vrt
VDB version               : 275
----------------------------------------------------
>
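As an added example that is not part of the Cisco document, this Python snippet cross-checks the two CLI views above: it parses the fixed-width show app-instance table using its dashed separator row (so the multi-word value Not Applicable is not split), converts the FTD show version line into the dotted form FXOS reports as Running Version, and confirms the instance is Online on the target release. Both sample outputs are constructed from the output quoted on this page.

```python
import re

# Constructed sample: the chassis "show app-instance" table quoted above.
SAMPLE_APP_INSTANCE = """\
Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               6.1.0.1.53      6.1.0.330       Not Applicable
"""

# Constructed sample: the FTD "show version" output quoted above.
SAMPLE_SHOW_VERSION = """\
---------------[ FTD4100.cisco.com ]----------------
Model                     : Cisco Firepower 4140 Threat Defense (76) Version 6.1.0.1 (Build 53)
Rules update version      : 2016-03-28-001-vrt
----------------------------------------------------
"""


def parse_fixed_width_table(text: str) -> list:
    """Parse an FXOS CLI table; the dashed separator row defines the column spans.

    Splitting on whitespace would break multi-word values such as
    'Not Applicable' and headers such as 'Running Version'.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    sep_idx = next(i for i, ln in enumerate(lines) if set(ln.replace(" ", "")) == {"-"})
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_idx])]
    header = lines[sep_idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    return [{n: ln[s:e].strip() for n, (s, e) in zip(names, spans)} for ln in lines[sep_idx + 1:]]


def ftd_version_from_show_version(text: str) -> str:
    """'Version 6.1.0.1 (Build 53)' -> '6.1.0.1.53', the form FXOS shows as Running Version."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)*)\s+\(Build\s+(\d+)\)", text)
    if not m:
        raise ValueError("no 'Version X (Build Y)' line in show version output")
    return f"{m.group(1)}.{m.group(2)}"


def upgrade_verified(app_instance_text: str, show_version_text: str, target: str) -> bool:
    """True when the ftd instance is Online, the chassis reports the target release as
    running, and the FTD's own show version agrees with the chassis view."""
    ftd = next(r for r in parse_fixed_width_table(app_instance_text) if r["Application Name"] == "ftd")
    running = ftd["Running Version"]
    return (ftd["Operational State"] == "Online"
            and running.startswith(target + ".")
            and ftd_version_from_show_version(show_version_text) == running)
```

The Startup Version column still shows 6.1.0.330 after the upgrade, which is why the check keys on Running Version rather than on Startup Version.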
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.