Cisco Firepower 4110 Preparative Procedures & Operational User Manual

Firepower 4100 series; Firepower 9000 series


Cisco Preparative Procedures & Operational User Guide
Preparative Procedures & Operational User Guide
for Firepower 4100 and 9300
Version 1.0
June 27, 2017
© 2016 Cisco Systems, Inc. All rights reserved.

  Summary of Contents for Cisco Firepower 4110

  • Page 2 Cisco Preparative Procedures & Operational User Guide Prepared by: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
  • Page 3: Table Of Contents

    4.4.9 Configure IPsec Secure Channel 37; 4.4.10 Configure Static CRL for a Trustpoint 40; 4.4.11 Set the LDAP Keyring Certificate 43; 4.5 Management Functions 46; 4.5.1 IP Management and Pre-Login Banner 46
  • Page 4 4.5.7.2 Create a ASA Logical Device via GUI 70; 4.5.7.3 Delete a ASA Logical Device via CLI 71; 4.5.7.4 Delete a ASA Logical Device via GUI 71; 4.6 Self-Tests 72
  • Page 5: Introduction

    The Cisco Firepower eXtensible Operating System (FXOS) chassis is a next-generation platform for network and content security solutions. The FXOS chassis is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
  • Page 6: Common Criteria (Cc) Evaluated Configuration

    • Ensure all the environmental assumptions in section 2 are met. • Ensure that your operational environment is consistent with section 2. • Follow the guidance in this document.
  • Page 7 • Telnet for management purposes – Telnet passes authentication credentials in clear text and is disabled by default. • FXOS REST API—Allows users to programmatically configure and manage their chassis. The APIs are not evaluated.
  • Page 8: References

    (2 x 800 GB solid state drives running RAID1) • Firepower Network Module—Two single-wide network modules or one double-wide network module • Two power supply modules (AC or • Four fan modules
  • Page 9 Cisco Preparative Procedures & Operational User Guide ASDM: Included on all ASA 9.6.2, Release 7.6
  • Page 10 If you have partially typed a command, typing ? lists all available keywords and arguments available at your current position in the command syntax. The most up-to-date versions of the documentation can be accessed on the Cisco Support web site (http://www.cisco.com/c/en/us/support/index.html).
  • Page 11: Operational Environment

    CA, e.g., for TLS connection to syslog server. • NTP server – The system can be configured to obtain time from a trusted time source. • DNS server – The system supports domain name service in the network.
  • Page 12: Environmental Assumptions

    OE.ADMIN_CREDENTIALS_SECURE: The administrator's credentials (private key) used to access the TOE must be protected on any other platform on which they reside. Administrators must protect their access credentials wherever they may be.
  • Page 13: Before Installation

    Cisco Preparative Procedures & Operational User Guide 3 Before Installation Before you install your appliance, Cisco highly recommends that users consider the following: • Locate the Cisco FirePOWER System appliance in a lockable rack within a secure location that prevents access by unauthorized personnel.
  • Page 14 Cisco Preparative Procedures & Operational User Guide Audience This document is written for administrators configuring the Cisco Firepower system 4100 and 9300. This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you are trained to use the Internet and its associated terms and applications.
  • Page 15: Assurance Activity Configuration

    Creation Time: 2015-07-09T08:20:17.030 User: internal Session ID: internal ID: 3330860 Action: Creation Description: Fabric A: local user admin logged in from 172.23.33.113 Affected Object: sys/user-ext/sh-login-admin-pts_5_1_15135 Trigger: Session Modified Properties: id:pts_5_1_15135, name:admin, policyOwner:local
  • Page 16: Login To Cli Remotely

    You can connect to the FXOS CLI using a terminal plugged into the console port. Verify that the console port parameters on the computer terminal (or console server) attached to the console port are as follows: • 9600 baud • 8 data bits • No parity • 1 stop bit
  • Page 17: Logout

    Do NOT rely solely on the inactivity timeout feature. Audit Record: Creation Time: 2015-07-09T08:20:02.769 User: internal Session ID: internal ID: 3330856 Action: Deletion Description: Fabric A: user admin terminated session id pts_4_1_10970 Affected Object: sys/user-ext/user-admin/term-pts_4_1_10970 Trigger: Session Modified Properties:
  • Page 18: Auditable Events

    4.2 Auditable Events The appliances that are part of the Cisco FP 4100 and 9300 System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log. For the CLI, the appliance also generates an audit record for every action executed.
  • Page 19 %USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] SSL Library Error: error:14076129:SSL routines:SSL23_GET_CLIENT_HELLO:only tls allowed in fips mode - httpd[8926] %USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH01998: Connection closed to child 124 with abortive shutdown (server IP_ADDRESS:443) - httpd[8926]
  • Page 20 Fabric A: user USERNAME terminated session id pts_0_1_7451 Affected Object: sys/user-ext/user-admin/term-pts_0_1_7451 FIA_X509_EXT.1 (Unsuccessful attempt to validate a ...): %AUTHPRIV-6-SYSTEM_MSG: 11[IKE] sending end entity cert "C=US, ST=CA, O=Cisco, OU=STBU, CN=D_NAME" - charon-custom %AUTHPRIV-6-SYSTEM_MSG: 11[IKE] establishing CHILD_SA test -
  • Page 21 [FSM:STAGE:ASYNC]: unpacking image fxos-k9.2.0.1.135.SPA on primary(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:UnpackLocal) IP_ADDRESS 24/01 16:17:34.001 %FPRM-6-EVENT: [E4195293][181179][transition][internal][] [FSM:STAGE:REMOTE-ERROR]: Result: end-point-failed Code: ERR-DNLD-invalid-image Message: invalid image#(sam:dme:FirmwareDownloaderDownload:Local) IP_ADDRESS 24/01 14:02:54.555 FPT_STM.1 Changes to %AUTHPRIV-5-SYSTEM_MSG: USERNAME : TTY=ttyS0 ;
  • Page 22 DELETE for ESP CHILD_SA with SPI cd365fb3 - charon-custom functions. %AUTHPRIV-6-SYSTEM_MSG: 15[IKE] failed to establish CHILD_SA, keeping IKE_SA - charon-custom %USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH01964: Connection to child 124 established (server
  • Page 23 Web A: local user USERNAME logged in from IP_ADDRESS %FPRM-6-AUDIT: [session][internal][deletion][internal][1205449][sys/user-ext/user-USERNAME/term-web_27244_A][sys/user-ext/user-USERNAME/term-web_27244_A][] Fabric A: user USERNAME terminated session id ttyS0_1_3038 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USERNAME from IP_ADDRESS - httpd[8515]
  • Page 24: Enable Fips And Cc Mode

    4.3.2 Enable Common Criteria (CC) Mode 1) From the FXOS CLI, enter the security mode: scope system scope security 2) Enable CC mode: enable cc-mode 3) Commit the configuration: commit-buffer 4) Reboot the system: connect local-mgmt reboot
  • Page 25: Generate The Ssh Host Key

    2048 5) Commit the configuration: commit-buffer 6) Create a new SSH host-key: create ssh-server host-key commit-buffer 7) Confirm the new Host Key size: show ssh-server host-key Host Key Size: 2048
  • Page 26: Configure Secure Connection With Audit Server And Aaa Server

    Messages at levels below Critical are displayed on the terminal monitor only if you have entered the terminal monitor command. 6) Enable or disable the writing of syslog information to a syslog file: Firepower-chassis /monitoring # {enable | disable} syslog file
  • Page 27 11) Configure the local sources. Enter the following command for each of the local sources you want to enable or disable: Firepower-chassis /monitoring # {enable | disable} syslog source {audits | events | faults} This can be one of the following:
  • Page 28: Configure Syslog Via Gui

    State, select the lowest message level that you want displayed on the monitor. The system displays that level and above on the monitor. This can be one of the following: • Emergencies
  • Page 29 Choose a system log facility for syslog servers to use as a basis to file messages. This can be one of the following: • Local0 • Local1 • Local2 • Local3 • Local4 • Local5 • Local6 • Local7 Click Save.
  • Page 30 Firepower chassis logs all audit log events. Events Admin State field Whether system event logging is enabled or not. If the Enable check box is checked, the Firepower chassis logs all system events. Click Save.
  • Page 31: Configure Ldap Via Cli

    This value is required unless a default filter has been set for LDAP providers. 8) Specify the password for the LDAP database account specified for Bind DN: Firepower-chassis /security/ldap/server # set password
  • Page 32: Configure Radius Via Cli

    4.4.4 Configure RADIUS via CLI 1) Enter security mode: Firepower-chassis# scope security 2) Enter security RADIUS mode: Firepower-chassis /security # scope radius 3) Create a RADIUS server instance and enter security RADIUS server mode:
  • Page 33: Configure Tacacs+ Via Cli

    6) Specify the time interval that the system should wait for a response from the TACACS+ server before noting the server as down: Firepower-chassis /security/tacacs/server # set timeout seconds 7) (Optional) Specify the port used to communicate with the TACACS+ server: Firepower-chassis /security/tacacs/server # set port port-num
  • Page 34: Configure Ldap Via Gui

    389. Filter field The LDAP search is restricted to those user names that match the defined filter. This value is required unless a default filter has been set on the
  • Page 35: Configure Radius Via Gui

    Enter an integer between 1 and 16, or enter lowest-available or 0 (zero) if you want the Firepower eXtensible Operating System to assign the next available order based on the other providers defined
  • Page 36: Configure Tacacs+ Via Gui

    The SSL encryption key repeated for confirmation purposes. Port field The port through which Firepower Chassis Manager or the FXOS CLI communicates with the TACACS+ database. Enter an integer between 1 and 65535. The default port is 49.
  • Page 37: Configure Ipsec Secure Channel

    8) If using tunnel mode, set remote subnet: set remote-subnet ip/mask 9) (Optional) Set remote identity: set remote-ike-ident remote_identity_name 10) Set keyring name: set keyring-name name 11) (Optional) Set keyring password: set keyring-passwd passphrase
  • Page 38 • IKE version*: version 2 • IPsec Mode: tunnel, transport o set mode {tunnel | transport} • IKEv2 Mode*: main mode • IKEv2 Ciphers*: o Encryption algorithms: AES-CBC-128, AES-CBC-256, AES-GCM-128 o Integrity algorithms: SHA-1
  • Page 39 Inbound traffic will be dropped if: o the source address (prior to decryption) is on the remote-subnet (in tunnel mode); *or* o the source address is the remote-address, *and* the packets are *not* IKE or ESP.
  • Page 40: Configure Static Crl For A Trustpoint

    ... certificate chain: Full certificate chain is required. CDP checking for Root CA certificate of the peer's certificate chain: Not applicable. Any certificate validation failure: Connection fails with syslog (LDAP connection); Connection fails with syslog (IPsec connection).
  • Page 41 Any certificate revoked in the peer certificate chain: Connection fails with syslog message (LDAP connection); Connection fails with syslog message (IPsec connection). One CDP is missing in the peer certificate chain: Connection succeeds (LDAP connection); Connection succeeds (IPsec connection).
  • Page 42 Table 6 Certificate Revocation Check Mode set to Relaxed with a local static CRL. Columns: With local static CRL; LDAP Connection; IPSec Connection. Checking peer certificate chain: Full certificate chain (LDAP connection); Full certificate chain (IPsec connection).
  • Page 43: Set The Ldap Keyring Certificate

    2) Enter the LDAP mode: scope ldap 3) Enter the LDAP server: enter server server_ip 4) Set the LDAP keyring: set keyring keyring_name 5) Commit the configuration: commit-buffer
  • Page 45 • Check that the audit or AAA server is still running. • Reconfigure the audit or AAA server settings. • If all else fails, reboot the system and the audit or AAA server.
  • Page 46: Management Functions

    Enter the following command to configure a new management IP address and gateway: Firepower-chassis /fabric-interconnect/ipv6-config # set out-of-band ipv6 ipv6_address ipv6-prefix prefix_length ipv6-gw gateway_address e) Commit the transaction to the system configuration: Firepower-chassis /fabric-interconnect/ipv6-config* # commit-buffer
  • Page 47 9) Change the virtual IP, mask, and gateway values to the exact values used in step 3. set virtual ip ip_address netmask network_mask gw gateway_ip_address For clustered configuration: set virtual ipv ip_address pool start_ip end_ip mask network_mask gateway gateway_ip_address 10) Commit the configuration: commit-buffer
  • Page 48 On the line following your input, type ENDOFBUF and press Enter to finish. Press Ctrl and C to cancel out of the set message dialog. 7) Commit the transaction to the system configuration: Firepower-chassis /security/banner/pre-login-banner* # commit-buffer
  • Page 49: Image Management

    Application—Application images are the software images you want to deploy on the security module/engine of the FXOS chassis. Application images are delivered as Cisco Secure Package files (CSP) and are stored on the supervisor until deployed to a security module/engine as part of logical device creation or in preparation for later logical device creation.
  • Page 50: Copy Platform Bundle Image To The Fxos Chassis Via Cli

    2) Click Upload Image to open the Upload Image dialog box. 3) Click Browse to navigate to and select the image that you want to upload. 4) Click Upload.
  • Page 51: Update The Platform Bundle Image Via Cli

    2) Click Upgrade for the FXOS platform bundle to which you want to upgrade. The system will first verify the software package that you want to install. It will inform you of any incompatibility between currently installed applications and the specified FXOS platform software package.
  • Page 52: Copy Application Image To Fxos Chassis

    Firepower-chassis /ssa/app-software# up Firepower-chassis /ssa# show app 6) To view details for a specific application: Firepower-chassis /ssa# scope app application_type image_version Firepower-chassis /ssa/app# show expand Sample: Firepower-chassis /ssa # scope app asa 9.4.1.65
  • Page 53: Update Application Image Via Cli

    Update Image Version dialog box. 3) For the Version, choose the software version to which you want to update. 4) Click OK.
  • Page 54: User And Role Management

    AAA Administrator Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system. Selecting the Default Authentication Service via CLI 1) Enter security mode: Firepower-chassis # scope security
  • Page 55 • LDAP—The user account must be defined on the LDAP/MS-AD server specified for the Firepower chassis. • None—If the user account is local to the Firepower chassis, no password is required when the user logs in remotely.
  • Page 56 1) From the FXOS CLI, enter the security mode: scope system scope security 2) Enter the password profile security mode: scope password-profile 3) Specify the minimum password length: set min-password-length min_length 4) Commit the configuration: commit-buffer
  • Page 57 Firepower-chassis /security/local-user # set account-status {active | inactive} 4) Set the password for the user account: Firepower-chassis /security/local-user # set password Enter a password: password Confirm the password: password 5) (Optional) Specify the first name of the user:
  • Page 58 If the status is set to Active, a user can log into Firepower Chassis Manager and the FXOS CLI with this login ID and password. User Role list The role that represents the privileges you want to assign to the user account.
  • Page 59 > User Management. 2) Click the Local Users tab. 3) In the row for the user account that you want to delete, click Delete. 4) In the Confirm dialog box, click Yes.
  • Page 60: Configure Time Synchronization

    When you have finished specifying the location information, you are prompted to confirm that the correct time zone information is being set. Enter 1 (yes) to confirm, or 2 (no) to cancel the operation. 4) Commit the transaction to the system configuration:
  • Page 61 This section describes how to set the date and time manually on the Firepower chassis. System clock modifications take effect immediately. If the system clock is currently being synchronized with an NTP server, you will not be able to set the date and time manually.
  • Page 62 5) Use the corresponding drop-down lists to specify the time as hours, minutes, and AM/PM. 6) Click Save.
  • Page 63: Configure Ssh Access

    Firepower-chassis /system/services # set ssh-server kex-algorithm diffie-hellman-group14-sha1 6) Configure the SSH Rekey limit: Firepower /system/services # set ssh-server rekey-limit volume [KB] time [Minutes] 7) Commit the transaction to the system configuration: Firepower /system/services # commit-buffer
  • Page 64: Configure Ssh Via Gui

    4.5.6.2 Creating a Key Ring FXOS supports a maximum of 8 key rings, including the default key ring. 1) Enter security mode: Firepower-chassis# scope security 2) Create and name the key ring:
  • Page 65: Creating A Certificate Request For A Key Ring

    Specify the city or town in which the company requesting the certificate is headquartered: Firepower-chassis /security/keyring/certreq# set locality city-name Specify the organization requesting the certificate: Firepower-chassis /security/keyring/certreq# set org-name org-name 10) Specify the organizational unit: Firepower-chassis /security/keyring/certreq# set org-unit-name org-unit-name
  • Page 66: Creating A Trust Point

    Enter configuration mode for the key ring that will receive the certificate: Firepower-chassis /security# scope keyring keyring-name Specify the trust point for the trust anchor or certificate authority from which the key ring certificate was obtained: Firepower-chassis /security/keyring# set trustpoint name
  • Page 67: Configuring Https

    – Specify a user-defined Cipher Suite specification string. (Optional) If cipher-suite-mode is set to custom, specify a custom level of Cipher Suite security for the domain: Firepower-chassis /system/services# set https cipher-suite cipher-suites
  • Page 68 • TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
  • Page 69: Logical Device Management

    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit e) Configure management IP address: Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 slot_id default f) Set gateway address: Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway gateway_address g) Set IP address and mask:
  • Page 70: Create A Asa Logical Device Via Gui

    4 Enter a Network Gateway address. 11) On the Settings tab, enter a password for the "admin" user in the Password field. 12) Click to close the ASA Configuration dialog box. 13) Click Save.
  • Page 71: Delete A Asa Logical Device Via Cli

    3) Click to confirm that you want to delete the logical device. 4) Click to confirm that you want to delete the application configuration.
  • Page 72: Self-Tests

    Cisco Preparative Procedures & Operational User Guide 4.6 Self-Tests Cisco products perform a suite of FIPS 140-2 self-tests during power-up and re-boot. If any of the self-tests fails, the product will not enter operational state. If this occurs, please re-boot the appliance. If the product still does not enter operational state, please contact Cisco Support (e-mail support@Cisco.com...

This manual is also suitable for: Firepower 4140, Firepower 4120, Firepower 9300