Cisco Firepower 1100 Getting Started Manual


Cisco Firepower 1100 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2022-06-09
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


Summary of Contents for Cisco Firepower 1100

  • Page 3 You may want to use the ASA if you do not need the advanced capabilities of the threat defense, or if you need an ASA-only feature that is not yet available on the threat defense. Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense.
  • Page 4 CDO to manage the same firewall. The management center is not compatible with other managers. To get started with the device manager, see Threat Defense Deployment with the Device Manager, on page ...
  • Page 5 You cannot use this API if you are managing the threat defense using the management center. The threat defense REST API is not covered in this guide. For more information, see Cisco Secure Firewall Threat Defense REST API Guide. Secure Firewall Management Center REST The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses.
  • Page 6 ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the Cisco ASA Secure Firewall REST API Quick Start Guide...
  • Page 7: Table Of Contents

    ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
  • Page 8: Before You Start

    Center 1600, 2600, and 4600 Hardware Installation Guide Cisco Secure Firewall Management Center Virtual Getting Started Guide. End-to-End Procedure See the following tasks to deploy the threat defense with the management center on your chassis...
  • Page 9 Pre-Configuration Review the Network Deployment, on page Pre-Configuration Cable the Firewall, on page Pre-Configuration Power on the Firewall, on page (Optional) Check the Software and Install a New Version, on page 13...
  • Page 10: Review The Network Deployment

    Both the management center and threat defense require internet access from Management for licensing and updates. The following figure shows a possible network deployment for the Firepower 1100 where the management center and management computer connect to the management network. The management network has a path to the internet for licensing and updates.
  • Page 11 In the following diagram, the Firepower 1100 acts as the internet gateway for the management interface and the management center by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the management center and management computer to the switch.
  • Page 12: Cable The Firewall

    Figure 2: Edge Network Deployment Cable the Firewall To cable one of the recommended scenarios on the Firepower 1100, see the following steps. Note Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
  • Page 13 Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 3 Cable for an edge deployment:...
  • Page 14: Power On The Firewall

    Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes...
  • Page 15: (Optional) Check The Software And Install A New Version

    What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
  • Page 16 19. By default, the Management interface uses DHCP. You will need to download the new image from a server accessible from the Management interface. b) Perform the reimage procedure in the FXOS troubleshooting guide...
  • Page 17: Complete The Threat Defense Initial Configuration

    The first data interface is the default outside interface. If you want to use a different interface from outside (or inside) for manager access, you will have to configure it manually after completing the setup wizard...
  • Page 18 Other device manager configuration will not be retained when you register the device to the management center. Step 5 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 6 Configure the Management Center/CDO Details...
  • Page 19 For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname...
  • Page 20 If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager...
  • Page 21 Note If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:...
  • Page 22 • Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Example: You must accept the EULA to continue...
  • Page 23 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 24: Log Into The Management Center

    Use the management center to configure and monitor the threat defense. Before you begin For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes). Procedure Step 1 Using a supported browser, enter the following URL...
  • Page 25: Obtain Licenses For The Management Center

    Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 26: Register The Threat Defense With The Management Center

    • The threat defense management IP address or hostname, and NAT ID • The management center registration key Procedure Step 1 In the management center, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device...
  • Page 27 • Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page ...
  • Page 28 • Registration key, NAT ID, and the management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the management center using the configure manager add command...
  • Page 29: Configure A Basic Security Policy

    A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces. The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP...
  • Page 30 Check the Enabled check box. c) Leave the Mode set to None. d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by clicking New...
  • Page 31 For example, enter 192.168.1.1/24 • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. f) Click OK. Step 4 Click the Edit ( ) for the interface that you want to use for outside. The General tab appears...
  • Page 32 Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server...
  • Page 33 IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route, click Add Route, and set the following:...
  • Page 34 • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table...
  • Page 35 The policy is added to the management center. You still have to add rules to the policy. Step 3 Click Add Rule. The Add NAT Rule dialog box appears. Step 4 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule...
  • Page 36 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0)...
  • Page 37 Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense. Step 2 Click Add Rule, and set the following parameters: • Name—Name this rule, for example, inside_to_outside...
  • Page 38 Procedure Step 1 Click Deploy in the upper right. Figure 9: Deploy Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices...
  • Page 39 Figure 11: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. Figure 12: Deployment Status...
  • Page 40: Access The Threat Defense And Fxos Cli

    Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 41: Power Off The Firewall

    System is stopped. It is safe to power off now. Do you want to reboot instead? [y/N] If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down...
  • Page 42: What's Next

    To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide...
  • Page 43 ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
  • Page 44 • High Availability is not supported. You must use the Management interface in this case. The following figure shows the management center at central headquarters and the threat defense with the manager access on the outside interface...
  • Page 45 Center 1600, 2600, and 4600 Hardware Installation Guide Cisco Secure Firewall Management Center Virtual Getting Started Guide. End-to-End Procedure: Manual Provisioning See the following tasks to deploy the threat defense with the management center on your chassis using manual provisioning...
  • Page 46 Pre-Configuration Using the Device Manager, on page 47 (Central admin) • Pre-Configuration Using the CLI, on page 51 Physical Setup Install the firewall. See the hardware installation guide. (Branch admin) Physical Setup Cable the Firewall, on page (Branch admin)...
  • Page 47 What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
  • Page 48 19. By default, the Management interface uses DHCP. You will need to download the new image from a server accessible from the Management interface. b) Perform the reimage procedure in the FXOS troubleshooting guide...
  • Page 49 IP address. You can configure PPPoE after you complete the wizard. Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address...
  • Page 50 Other device manager configuration will not be retained when you register the device to the management center. Step 7 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 8 Configure the Management Center/CDO Details...
  • Page 51 For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname...
  • Page 52 If you chose a different interface, then you need to manually configure a default route before you connect to the management center. See Configure...
  • Page 53 If you configure DDNS before you add the threat defense to the management center, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 54 Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 4 Connect to the threat defense CLI. connect ftd Example: firepower# connect ftd >...
  • Page 55 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:...
  • Page 56 • If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 57 IPv4/IPv6 address: 10.10.6.7 Netmask/IPv6 Prefix: 255.255.255.0 Default Gateway: 10.10.6.1 Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220 DDNS server update URL [none]: Do you wish to clear all the device configuration before applying ? (y/n) [n]:...
  • Page 58 Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit). c) After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary...
  • Page 59 Cable the Firewall The management center and your management computer reside at a remote headquarters, and can reach the threat defense over the internet. To cable the Firepower 1100, see the following steps. Figure 17: Cabling a Remote Management Deployment...
  • Page 60 After the remote branch administrator cables the threat defense so it has internet access from the outside interface, you can register the threat defense to the management center and complete configuration of the device...
  • Page 61 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 62 Assistance for Low-Touch Provisioning either when you register with the Smart Software Manager, or after you register. See the System > Licenses > Smart Licenses page. Register the Threat Defense with the Management Center Register the threat defense to the management center...
  • Page 63 • Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration...
  • Page 64 If you disable it, only event information will be sent to the management center, but packet data is not sent. Step 3 Click Register, and confirm a successful registration...
  • Page 65 The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the firewall...
  • Page 66 Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most...
  • Page 67 You should not alter any of these basic settings because doing so will disrupt the management center management connection. You must still configure the Security Zone on this screen for through traffic policies...
  • Page 68 Click Save. Configure NAT Configure NAT A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (PAT)...
  • Page 69 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area...
  • Page 70 ) to add a network object for all IPv4 traffic (0.0.0.0/0). Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. • Translated Source—Choose Destination Interface IP...
  • Page 71 • Source Zones—Select the inside zone from Available Zones, and click Add to Source. • Destination Zones—Select the outside zone from Available Zones, and click Add to Destination. Leave the other settings as is...
  • Page 72 The device allows a maximum of 5 concurrent SSH connections. Note After a user makes three consecutive failed attempts to log into the CLI via SSH, the device terminates the SSH connection...
  • Page 73 You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them. Deploy the Configuration Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them...
  • Page 74 Figure 21: Deploy All Figure 22: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments...
  • Page 75 Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 76 You can also use sftunnel-status to view more complete information. See the following sample output for a connection that is down; there is no peer channel "connected to" information, nor heartbeat information shown: > sftunnel-status-brief...
  • Page 77 Netmask : 255.255.255.0 Gateway : 10.99.10.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers Interfaces : GigabitEthernet1/1...
  • Page 78 > show interface detail [...] Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec (Full-duplex), (1000 Mbps) Input flow control is unsupported, output flow control is unsupported...
  • Page 79 0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside 10.89.5.0 255.255.255.192 is directly connected, outside 10.89.5.29 255.255.255.255 is directly connected, outside > show nat > show nat Auto NAT Policies (Section 2) 1 (nlp_int_tap) to (outside) source static nlp_server_0_sftunnel_intf3 interface service...
  • Page 80 DDNS: IDB SB total = 0 If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device: show crypto ca certificates trustpoint_name...
  • Page 81 • Out-of-band SCEP certificate data that was updated during the previous deployment cannot be rolled back. • During the rollback, connections will drop because the current configuration will be cleared. Before you begin Model Support—Threat Defense...
  • Page 82 Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall. You can shut down your system properly using the management center...
  • Page 83 To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide...
  • Page 84 Threat Defense Deployment with a Remote Management Center What's Next?...
  • Page 85 ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
  • Page 86: End-To-End Procedure

    See the following tasks to deploy the threat defense with the device manager on your chassis. Pre-Configuration Install the firewall. See the hardware installation guide. Pre-Configuration Review the Network Deployment and Default Configuration, on page ...
  • Page 87: Review The Network Deployment And Default Configuration

    NAT for your inside networks. If you need to configure PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in device manager...
  • Page 88 Figure 24: Suggested Network Deployment Note For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45...
  • Page 89 • DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
  • Page 90: Cable The Device

    For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 1100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside.
  • Page 91: Power On The Firewall

    Check the Power LED on the back of the device; if it is solid green, the device is powered on. Step 4 Check the Status LED on the back of the device; after it is solid green, the system has passed power-on diagnostics...
  • Page 92: (Optional) Check The Software And Install A New Version

    What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
  • Page 93: (Optional) Change Management Network Settings At The Cli

    Note If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:...
  • Page 94 • Manage the device locally?—Enter yes to use the device manager or the CDO/device manager. A no answer means you intend to use the management center to manage the device. Example: You must accept the EULA to continue. Press <ENTER> to display the EULA: End User License Agreement [...]...
  • Page 95: Log Into The Device Manager

    Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 96: Complete The Initial Configuration

    Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address. b) Management Interface...
  • Page 97: Configure Licensing

    When you register the chassis, the Smart Software Manager issues an ID certificate for communication between the chassis and the Smart Software Manager. It also assigns the chassis to the appropriate virtual account. For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide. The Base license is included automatically.
  • Page 98 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 99 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token: • Description • Expire After—Cisco recommends 30 days...
  • Page 100 In the device manager, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token:...
  • Page 101 You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired...
  • Page 102 Threat Defense Deployment with the Device Manager Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 103 You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces. The following example shows how to create a new dmz-zone for the dmz interface.
  • Page 104 Note: The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on Device > System Settings > Management Interface.
  • Page 105 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 106 Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
  • Page 107 Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 108 You can use the FXOS CLI to safely shut down the system and power off the device. You access the CLI by connecting to the console port; see Access the Threat Defense and FXOS CLI, on page 104. Procedure Step 1 In the FXOS CLI, connect to local-mgmt:
  • Page 109 To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the device manager, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
  • Page 110 Threat Defense Deployment with the Device Manager What's Next?
  • Page 111 Which Operating System and Manager is Right for You?, on page 1. This chapter applies to the threat defense using Cisco Defense Orchestrator (CDO)'s cloud-delivered Secure Firewall Management Center. To use CDO using device manager functionality, see the CDO documentation.
  • Page 112: About Threat Defense Management By Cdo

    Manager access from a data interface has the following limitations: • You can only enable manager access on one physical, data interface. You cannot use a subinterface or EtherChannel. • This interface cannot be management-only.
  • Page 113: End-To-End Procedure: Low-Touch Provisioning

    End-to-End Procedure: Low-Touch Provisioning See the following tasks to deploy the threat defense with CDO using low-touch provisioning. Figure 33: End-to-End Procedure: Low-Touch Provisioning Cisco Commerce Obtain Licenses, on page 114. Workspace (CDO admin)
  • Page 114: End-To-End Procedure: Onboarding Wizard

    Onboard a Device with Low-Touch Provisioning, on page 124. (CDO admin) Configure a Basic Security Policy, on page 137. (CDO admin) End-to-End Procedure: Onboarding Wizard See the following tasks to onboard the threat defense to CDO using the onboarding wizard.
  • Page 115 Onboard a Device with the Onboarding Wizard, on page 126. CLI or Device Manager • Perform Initial Configuration Using the CLI, on page 128. • Perform Initial Configuration Using the Device Manager, on page 132.
  • Page 116: Central Administrator Pre-Configuration

    Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 117 What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/ us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
  • Page 118 Operational State Running Version Startup Version Cluster Oper State -------------------- ---------- --------------- -------------------- --------------- --------------- ------------------ Enabled Online 7.2.0.65 7.2.0.65 Not Applicable Step 3 If you want to install a new version, perform these steps.
  • Page 119 The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 120 Threat Defense Deployment with CDO Create a New Cisco Secure Sign-On Account Figure 36: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register. Figure 37: Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
  • Page 121 Choose a security image. d) Click Create My Account. You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 122 Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). • To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using Duo; see Create a New Cisco Secure Sign-On Account, on page 117.
  • Page 123: Deploy The Firewall With Low-Touch Provisioning

    Cable the Firewall This topic describes how to connect the Firepower 1100 to your network so that it can be managed by CDO. If you received a firewall at your branch office, and your job is to plug it in to your network, watch this video.
  • Page 124 Threat Defense Deployment with CDO Power On the Firewall Figure 40: Cabling the Firepower 1100 Low-touch provisioning supports connecting to CDO on Ethernet 1/1 (outside). Procedure Step 1 Install the chassis. See the hardware installation guide. Step 2 Connect the network cable from the Ethernet 1/1 interface to your wide area network (WAN) modem. Your WAN modem is your branch's connection to the internet and will be your firewall's route to the internet as well.
  • Page 125 If there is a problem, the Status LED flashes amber and green, and the device did not reach the Cisco Cloud. If this happens, make sure that your network cable is connected to the Ethernet 1/1 interface and to your WAN modem.
  • Page 126: Deploy The Firewall With The Onboarding Wizard

    From the Inventory page, select the device you just onboarded and select any of the options listed under the Management pane located to the right. Deploy the Firewall With the Onboarding Wizard This section describes how to configure the firewall for onboarding using the CDO onboarding wizard.
  • Page 127 Cable the Firewall This topic describes how to connect the Firepower 1100 to your network so that it can be managed by CDO. Figure 42: Cabling the Firepower 1100 You can connect to CDO on any data interface or the Management interface, depending on which interface you set for manager access during initial setup.
  • Page 128 Onboard the threat defense using CDO's onboarding wizard with a CLI registration key. Procedure Step 1 In the CDO navigation pane, click Inventory, then click the blue plus button ( ) to Onboard a device.
  • Page 129 Management Center/CDO Hostname/IP Address, Management Center/CDO Registration Key, and NAT ID fields. Example: Sample command for CLI setup: configure manager add account1.app.us.cdo.cisco.com KPOOP0rgWzaHrnj1V5ha2q5Rf8pKFX9E Lzm1HOynhVUWhXYWz2swmkj2ZWsN3Lb account1.app.us.cdo.cisco.com Sample command components for GUI setup:
  • Page 130 Note: If the password was already changed, and you do not know it, then you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example: firepower login: admin Password: Admin123 Successful login attempts for user 'admin' : 1
  • Page 131 • Configure firewall mode?—Enter routed. Outside manager access is only supported in routed firewall mode. Example: You must accept the EULA to continue. Press <ENTER> to display the EULA: End User License Agreement [...] Please enter 'YES' or press <ENTER> to AGREE to the EULA:
  • Page 132 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 133 • If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 134 Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.
  • Page 135 Standalone, and then Got It. The Cloud Management option is for legacy CDO/FDM functionality. Step 4 (Might be required) Configure the Management interface. See the Management interface on Device > Interfaces.
  • Page 136 Other device manager configuration will not be retained when you register the device to CDO. Step 6 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 7 Configure the Management Center/CDO Details.
  • Page 137 For Do you know the Management Center/CDO hostname or IP address, click Yes. CDO generates the configure manager add command. See Onboard a Device with the Onboarding Wizard, on page 126 to generate the command.
  • Page 138 Click Add a Dynamic DNS (DDNS) method. DDNS ensures CDO can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense's IP address changes. See Device > System Settings > DDNS Service to configure DDNS.
  • Page 139: Configure A Basic Security Policy

    If you configure DDNS before you add the threat defense to CDO, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
  • Page 140 Choose Devices > Device Management, and click the Edit ( ) for the firewall. Step 2 Click Interfaces. Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
  • Page 141 QoS policies. e) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
  • Page 142 Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device.
  • Page 143 Port Address Translation (PAT). Procedure Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT. Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
  • Page 144 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
  • Page 145 ) to add a network object for all IPv4 traffic (0.0.0.0/0). Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. • Translated Source—Choose Destination Interface IP.
  • Page 146 • Source Zones—Select the inside zone from Available Zones, and click Add to Source. • Destination Zones—Select the outside zone from Available Zones, and click Add to Destination. Leave the other settings as is.
  • Page 147 The device allows a maximum of 5 concurrent SSH connections. Note After a user makes three consecutive failed attempts to log into the CLI via SSH, the device terminates the SSH connection.
  • Page 148 You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them. Deploy the Configuration Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
  • Page 149 Figure 49: Deploy All Figure 50: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
  • Page 150: Troubleshooting And Maintenance

    Procedure Step 1 To log into the CLI, connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: •...
  • Page 151 You can also use sftunnel-status to view more complete information. See the following sample output for a connection that is down; there is no peer channel "connected to" information, nor heartbeat information shown: > sftunnel-status-brief
  • Page 152 Netmask : 255.255.255.0 Gateway : 10.99.10.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers Interfaces : GigabitEthernet1/1
  • Page 153 Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec (Full-duplex), (1000 Mbps) Input flow control is unsupported, output flow control is unsupported MAC address 0000.0100.0001, MTU 1500
  • Page 154 10.89.5.0 255.255.255.192 is directly connected, outside 10.89.5.29 255.255.255.255 is directly connected, outside > show nat > show nat Auto NAT Policies (Section 2) 1 (nlp_int_tap) to (outside) source static nlp_server_0_sftunnel_intf3 interface service tcp 8305 8305
  • Page 155 If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device: show crypto ca certificates trustpoint_name To check the DDNS operation:
  • Page 156 At the threat defense CLI, roll back to the previous configuration. configure policy rollback After the rollback, the threat defense notifies CDO that the rollback was completed successfully. In CDO, the deployment screen will show a banner stating that the configuration was rolled back.
  • Page 157 You can shut down your system properly using CDO. Procedure Step 1 Choose Devices > Device Management. Step 2 Next to the device that you want to restart, click the edit icon ( Step 3 Click the Device tab.
  • Page 158 You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary. What's Next To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page.
  • Page 159 ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
  • Page 160: About The Asa

    • GTP/GPRS Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 1100. However, you will need to modify your configuration. Also note some behavioral differences between the platforms. 1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
  • Page 161 Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. boot system commands—ASA 5500-X: allows up to four boot system commands to specify the booting image to use. Firepower 1100: only allows a single boot system command, so you should remove all but one command before you paste. You actually do not need to have any boot system commands present
  • Page 162: End-To-End Procedure

    See the following tasks to deploy and configure the ASA on your chassis. Pre-Configuration Install the firewall. See the hardware installation guide. Pre-Configuration Review the Network Deployment and Default Configuration, on page 161. Pre-Configuration Cable the Firewall, on page 163.
  • Page 163: Review The Network Deployment And Default Configuration

    172. Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 1100 using the default configuration. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
  • Page 164 ASA Deployment with ASDM Firepower 1100 Default Configuration Firepower 1100 Default Configuration The default factory configuration for the Firepower 1100 configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) • outside IP address from DHCP, inside IP address—192.168.1.1 •...
  • Page 165: Cable The Firewall

    DefaultDNS name-server 208.67.222.222 outside name-server 208.67.220.220 outside Cable the Firewall Manage the Firepower 1100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. Procedure Step 1 Install the chassis. See the hardware installation guide.
  • Page 166: Power On The Device

    (192.168.1.1) and also runs a DHCP server to provide IP addresses to clients (including the management computer), so make sure these settings do not conflict with any existing inside network settings (see Firepower 1100 Default Configuration, on page 162). If you need to change the Ethernet 1/2 IP address from the default, you must also cable your management computer to the console port.
  • Page 167: (Optional) Change The Ip Address

    Executing command: exit Executing command: http server enable Executing command: http 10.1.1.0 255.255.255.0 management Executing command: dhcpd address 10.1.1.152-10.1.1.254 management Executing command: dhcpd enable management Executing command: logging asdm informational Factory-default configuration is completed ciscoasa(config)#
  • Page 168: Log Into The Asdm

    HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 169: Configure Licensing

    • Security Contexts • Strong Encryption (3DES/AES)—If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account. • AnyConnect—AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only.
  • Page 170 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
  • Page 171 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.
  • Page 172 Figure 53: View Token Figure 54: Copy Token Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing. Step 4 Click Register. Step 5 Enter the registration token in the ID Token field.
  • Page 173 For example, to use the maximum of 5 contexts on the Firepower 1120, enter 3 for the number of contexts; this value is added to the default of 2. Step 8 Click Apply. Step 9 Click the Save icon in the toolbar.
  • Page 174: Configure The Asa

    Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.
  • Page 175: Access The Asa And Fxos Cli

    You can also access the FXOS CLI from the ASA CLI for troubleshooting purposes. Procedure Step 1 Connect your management computer to the console port. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1100 hardware guide). Use the following serial settings: • 9600 baud •...
  • Page 176 Type help or '?' for a list of available commands. ciscoasa# What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide.
  • Page 177 © 2022 Cisco Systems, Inc. All rights reserved.

This manual is also suitable for:

Firepower 2100