Cisco Firepower 1010 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2022-02-28
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883...
You may want to use the ASA if you do not need the advanced capabilities of the threat defense, or if you need an ASA-only feature that is not yet available on the threat defense. Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense.
CDO to manage the same firewall. The management center is not compatible with other managers. To get started with the device manager, see Threat Defense Deployment with the Device Manager, on page ...
You cannot use this API if you are managing the threat defense using the management center. The threat defense REST API is not covered in this guide. For more information, see Cisco Secure Firewall Threat Defense REST API Guide. Secure Firewall Management Center REST The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses.
ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the Cisco ASA Secure Firewall REST API Quick Start Guide.
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
Center 1600, 2600, and 4600 Hardware Installation Guide Cisco Secure Firewall Management Center Virtual Getting Started Guide. End-to-End Procedure See the following tasks to deploy the threat defense with management center on your chassis.
• Cable the Device (6.5 and Later), on page 10
• Cable the Device (6.4), on page ...
• Pre-Configuration: Power On the Firewall, on page ...
• (Optional) Check the Software and Install a New Version, on page 13
In the following diagram, the Firepower 1010 acts as the internet gateway for the Management interface and the management center by connecting Management 1/1 directly to an inside switch port, and by connecting the management center and management computer to other inside switch ports.
In the following diagram, the Firepower 1010 acts as the internet gateway for the Management interface and the management center by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the management center and management computer to the switch.
Figure 2: Suggested Network Deployment Cable the Device (6.5 and Later) To cable the recommended scenario on the Firepower 1010, see the following illustration, which shows a sample topology using Ethernet1/1 as the outside interface and the remaining interfaces as switch ports on the inside network.
Threat Defense Deployment with the Management Center Cable the Device (6.5 and Later) Figure 3: Cabling the Firepower 1010 Note For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Procedure Step 1 Install the chassis. See the hardware installation guide.
Threat Defense Deployment with the Management Center Cable the Device (6.4) Cable the Device (6.4) To cable the recommended scenario on the Firepower 1010, see the following illustration, which shows a sample topology using a Layer 2 switch. Note Other topologies can be used, and your deployment will vary depending on your requirements.
Alternatively, you can perform an upgrade after you are up and running, but upgrading, which preserves your configuration, may take longer than using this procedure. What Version Should I Run?
(Optional) Check the Software and Install a New Version Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/...
Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.
If you want to configure a static IP address, be sure to also set the default gateway to be a unique gateway instead of the data interfaces. If you use DHCP, you do not need to configure anything.
Other device manager configuration will not be retained when you register the device to the management center. Step 5 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 6 Configure the Management Center/CDO Details.
For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.
Note: If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:
• Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Example: You must accept the EULA to continue.
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
Use the management center to configure and monitor the threat defense. Before you begin For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes). Procedure Step 1 Using a supported browser, enter the following URL.
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
• The threat defense management IP address or hostname, and NAT ID • The management center registration key Procedure Step 1 In the management center, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device.
• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page ...
• Registration key, NAT ID, and the management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the management center using the configure manager add command.
VLANs, or convert switch ports to firewall interfaces. A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces.
(Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID. d) Click OK. Step 5 Add the inside VLAN interface. a) Click Add Interfaces > VLAN Interface.
ID in your configuration. g) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation.
Check the Enabled check box. c) Leave the Mode set to None. d) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New.
The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the firewall. Step 2 Click Interfaces.
Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most ...
You should not alter any of these basic settings because doing so will disrupt the management center management connection. You can still configure the Security Zone on this screen for through traffic policies.
Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options:
IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route, click Add Route, and set the following:
• Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table.
The policy is added to the management center. You still have to add rules to the policy. Step 3 Click Add Rule. The Add NAT Rule dialog box appears. Step 4 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule.
On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense. Step 2 Click Add Rule, and set the following parameters: • Name—Name this rule, for example, inside_to_outside.
Procedure Step 1 Click Deploy in the upper right. Figure 9: Deploy Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices.
Figure 11: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. Figure 12: Deployment Status
Password: Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0 Successful login attempts for user 'admin' : 1 firepower# Step 2 Access the threat defense CLI. connect ftd Example: firepower# connect ftd >
The Firepower 1010 chassis does not have an external power switch. You can power off the device using the management center device management page, or you can use the FXOS CLI.
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide.
• High Availability is not supported. You must use the Management interface in this case. The following figure shows the management center at central headquarters and the threat defense with the manager access on the outside interface.
• Pre-Configuration Using the CLI, on page 57 (Central admin)
• Pre-Configuration Using the Device Manager, on page 53
• Physical Setup: Install the firewall. See the hardware installation guide. (Branch admin)
• Physical Setup: Cable the Firewall, on page ... (Branch admin)
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
57. By default, the Management interface uses DHCP. You will need to download the new image from a server accessible from the Management interface. b) Perform the reimage procedure in the FXOS troubleshooting guide.
IP address. You can configure PPPoE after you complete the wizard. Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.
Other device manager configuration will not be retained when you register the device to the management center. Step 7 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 8 Configure the Management Center/CDO Details.
If you chose a different interface, then you need to manually configure a default route before you connect to the management center. See Configure ...
If you configure DDNS before you add the threat defense to the management center, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 4 Connect to the threat defense CLI. connect ftd Example: firepower# connect ftd >
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:...
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
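The two DDNS notes above say the threat defense validates the DDNS server's certificate over HTTPS and speaks the DynDNS Remote API. The following is an added example, not code from the Cisco guide and not the threat defense's own implementation: it models that exchange offline, with the client side building the authenticated `GET /nic/update` request (refusing a non-HTTPS update URL, since the credentials travel in the URL and the certificate check only exists over HTTPS) and a constructed stand-in server returning the one-word DynDNS responses (`good`, `nochg`, `badauth`, `nohost`, `notfqdn`). The hostnames, credentials and records are constructed for the example.

```python
"""DynDNS Remote API style update exchange, both sides, run offline.

Added example; not code from the Cisco guide and not the threat defense's
own DDNS implementation. The record store, credentials and hostnames are
constructed stand-ins.
"""
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed record store: hostname -> [owning account, current address].
_RECORDS: Dict[str, list] = {"branch1.example.net": ["ddnsuser", "198.51.100.7"]}
# Constructed credentials accepted by the stand-in server.
_USERS = {"ddnsuser": "s3cret-example"}


def build_update_request(update_url: str, hostname: str, ip: str) -> Tuple[str, str, Dict[str, str]]:
    """Client side: turn an update URL with embedded credentials into
    (server host, request path, headers).

    Only https:// is accepted: the certificate validation the guide describes
    exists only over HTTPS, and a plaintext URL would expose the credentials.
    """
    parts = urlsplit(update_url)
    if parts.scheme != "https":
        raise ValueError("DDNS update URL must use https://")
    if not parts.username or parts.password is None:
        raise ValueError("DDNS update URL must carry username:password")
    query = urlencode({"hostname": hostname, "myip": ip})
    path = f"{parts.path or '/nic/update'}?{query}"
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    headers = {
        "Host": parts.hostname,
        "Authorization": f"Basic {token}",
        "User-Agent": "example-ddns-client/1.0",
    }
    return parts.hostname, path, headers


def handle_update(path: str, headers: Dict[str, str]) -> str:
    """Server side: return a DynDNS response word, updating _RECORDS on success."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "badauth"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return "badauth"
    if _USERS.get(user) != password:
        return "badauth"
    query = parse_qs(urlsplit(path).query)
    hostname = query.get("hostname", [""])[0]
    ip = query.get("myip", [""])[0]
    if "." not in hostname:
        return "notfqdn"
    record = _RECORDS.get(hostname)
    # Hosts that do not exist or belong to another account both answer nohost.
    if record is None or record[0] != user:
        return "nohost"
    if record[1] == ip:
        return f"nochg {ip}"
    record[1] = ip
    return f"good {ip}"


def parse_update_response(body: str) -> Tuple[bool, str, str]:
    """Client side: (success, response word, remainder such as the address)."""
    word, _, rest = body.strip().partition(" ")
    return word in ("good", "nochg"), word, rest


def run_update(update_url: str, hostname: str, ip: str) -> Tuple[bool, str, str]:
    """Full exchange: build the request, hand it to the server, parse the reply."""
    _, path, headers = build_update_request(update_url, hostname, ip)
    return parse_update_response(handle_update(path, headers))


if __name__ == "__main__":
    url = "https://ddnsuser:s3cret-example@ddns.example.net/nic/update"
    print(run_update(url, "branch1.example.net", "203.0.113.10"))  # good
    print(run_update(url, "branch1.example.net", "203.0.113.10"))  # nochg
```

Only `good` and `nochg` count as success on the client side; anything else (`badauth`, `nohost`, `abuse`, `911`) should be surfaced, which matches the guide's advice to use the debug commands when an update fails.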
IPv4/IPv6 address: 10.10.6.7 Netmask/IPv6 Prefix: 255.255.255.0 Default Gateway: 10.10.6.1 Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220 DDNS server update URL [none]: Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit). c) After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary.
Cable the Firewall The management center and your management computer reside at a remote headquarters, and can reach the threat defense over the internet. To cable the Firepower 1010, see the following steps. Figure 18: Cabling a Remote Management Deployment...
After the remote branch administrator cables the threat defense so it has internet access from the outside interface, you can register the threat defense to the management center and complete configuration of the device. Log Into the Management Center Use the management center to configure and monitor the threat defense.
• Registration key, NAT ID, and management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command.
The following example configures a routed mode inside interface (VLAN1) with a static address and a routed mode outside interface using DHCP (Ethernet1/1). Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Click Interfaces.
(Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID. d) Click OK. Step 5 Add the inside VLAN interface. a) Click Add Interfaces > VLAN Interface. The General tab appears.
ID in your configuration. g) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New. For example, add a zone called outside_zone. b) Click OK. Step 7 Click Save.
Port Address Translation (PAT). Procedure Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT. Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
) to add a network object for all IPv4 traffic (0.0.0.0/0). Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. • Translated Source—Choose Destination Interface IP.
• Source Zones—Select the inside zone from Available Zones, and click Add to Source. • Destination Zones—Select the outside zone from Available Zones, and click Add to Destination. Leave the other settings as is.
The device allows a maximum of 5 concurrent SSH connections. Note After a user makes three consecutive failed attempts to log into the CLI via SSH, the device terminates the SSH connection.
You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them. Deploy the Configuration Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
Figure 22: Deploy All Figure 23: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
• No parity • 1 stop bit You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123). Example:
You can also use sftunnel-status to view more complete information. See the following sample output for a connection that is down; there is no peer channel "connected to" information, nor heartbeat information shown: > sftunnel-status-brief
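The guide's rule of thumb above (a down connection shows no peer channel "connected to" lines and no heartbeat lines) is easy to automate when you collect `sftunnel-status-brief` from many branch devices. The following is an added example, not code from the Cisco guide: a parser that extracts those fields and a `diagnose` function that turns their absence into findings. The two sample outputs are constructed to match the layout the guide describes; the exact line formats, channel names (Channel-A/Channel-B) and addresses are assumptions for the example.

```python
"""Health check for the threat defense to management center connection,
driven by the `sftunnel-status-brief` layout the guide describes: a healthy
connection lists peer channels with "connected to" addresses and heartbeat
times; a down connection shows neither.

Added example, not code from the Cisco guide. Sample outputs are constructed
to match that description; line formats and names are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output for a connection that is up (layout assumed).
SAMPLE_UP = """\
> sftunnel-status-brief
PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.10.17.222'
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Mon Jun 15 09:02:08 2020 UTC
Heartbeat Received Time: Mon Jun 15 09:02:16 2020 UTC
"""

# Constructed sample output for a connection that is down: no "connected to"
# channel lines and no heartbeat lines, as the guide describes.
SAMPLE_DOWN = """\
> sftunnel-status-brief
PEER:10.10.17.202
Registration: Completed.
Connection to peer '10.10.17.202' Attempted at Mon Jun 15 09:21:57 2020 UTC
Last disconnect time : Mon Jun 15 09:19:09 2020 UTC
Last disconnect reason : Both control and event channel connections with peer went down
"""

_PEER = re.compile(r"^PEER:(\S+)")
_CHANNEL = re.compile(r"^Peer channel (\S+) is valid type \((\w+)\).*connected to '([^']+)'")
_REGISTRATION = re.compile(r"^Registration:\s*(.+)")
_HB_SENT = re.compile(r"^Heartbeat Send Time:\s*(.+)")
_HB_RECV = re.compile(r"^Heartbeat Received Time:\s*(.+)")
_DISC_REASON = re.compile(r"^Last disconnect reason\s*:\s*(.+)")


@dataclass
class TunnelStatus:
    peer: Optional[str] = None
    # channel name -> (channel type, address it is connected to)
    channels: Dict[str, tuple] = field(default_factory=dict)
    registration: Optional[str] = None
    heartbeat_sent: Optional[str] = None
    heartbeat_received: Optional[str] = None
    disconnect_reason: Optional[str] = None

    @property
    def is_up(self) -> bool:
        """Up means at least one connected channel and a received heartbeat."""
        return bool(self.channels) and self.heartbeat_received is not None


def parse_sftunnel_status_brief(text: str) -> TunnelStatus:
    """Extract the fields that decide tunnel health from the command output."""
    status = TunnelStatus()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _PEER.match(line)):
            status.peer = m.group(1)
        elif (m := _CHANNEL.match(line)):
            status.channels[m.group(1)] = (m.group(2), m.group(3))
        elif (m := _REGISTRATION.match(line)):
            status.registration = m.group(1).rstrip(".")
        elif (m := _HB_SENT.match(line)):
            status.heartbeat_sent = m.group(1)
        elif (m := _HB_RECV.match(line)):
            status.heartbeat_received = m.group(1)
        elif (m := _DISC_REASON.match(line)):
            status.disconnect_reason = m.group(1)
    return status


def diagnose(status: TunnelStatus) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if status.registration != "Completed":
        findings.append("registration with the management center is not completed")
    for name, ctype in (("Channel-A", "CONTROL"), ("Channel-B", "EVENT")):
        if name not in status.channels:
            findings.append(f"{name} ({ctype}) is not connected")
    if status.heartbeat_received is None:
        findings.append("no heartbeat received from the management center")
    if status.disconnect_reason:
        findings.append(f"last disconnect reason: {status.disconnect_reason}")
    return findings


if __name__ == "__main__":
    for label, sample in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        st = parse_sftunnel_status_brief(sample)
        print(label, "is_up =", st.is_up, diagnose(st))
```

Feed it the real output captured from the threat defense CLI; if the format on your version differs from the constructed samples, adjust the regular expressions rather than the health rule, which is the one the guide states.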
Netmask : 255.255.255.0
Gateway : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers
Interfaces : GigabitEthernet1/1
> show interface detail
[...]
Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up
  Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
    (Full-duplex), (1000 Mbps)
  Input flow control is unsupported, output flow control is unsupported
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside

> show nat
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (outside) source static nlp_server_0_sftunnel_intf3 interface service
DDNS: IDB SB total = 0 If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device: show crypto ca certificates trustpoint_name
• Out-of-band SCEP certificate data that was updated during the previous deployment cannot be rolled back. • During the rollback, connections will drop because the current configuration will be cleared. Before you begin Model Support—Threat Defense
Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall. You can shut down your system properly using the management center.
See the following tasks to deploy threat defense with device manager on your chassis.
• Pre-Configuration: Install the firewall. See the hardware installation guide.
• Pre-Configuration: Review the Network Deployment and Default Configuration, on page ...
• Pre-Configuration: Cable the Device, on page ...
• Pre-Configuration: Power On the Firewall, on page ...
IP address to be on a new network. • If you add the threat defense to an existing inside network, you will need to change the inside IP address to be on the existing network.
• (6.5 and later) Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1 • (6.4) Software switch (Integrated Routing and Bridging)—Ethernet 1/2 through 1/8 belong to bridge group interface (BVI) 1 • outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration
• DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
Ethernet1/7 and 1/8. In version 6.4, Ethernet1/2 through 1/8 are configured as bridge group members (software switch ports); PoE+ is not available. The initial cabling is the same for both versions. Manage the Firepower 1010 on either Management 1/1 or Ethernet 1/2 through 1/8. The default configuration also configures Ethernet1/1 as outside.
The power turns on automatically when you plug in the power cord. Step 2 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
You cannot repeat the CLI setup script unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Command Reference for Secure Firewall Threat Defense.
Management network, but for remote management for specific networks or hosts, you should add a static route using the configure network static-routes command. Note that the device manager management on data interfaces is not affected by this setting. If you use DHCP, the ...
You are prompted to read and accept the End User License Agreement and change the admin password. You must complete these steps to continue. Step 2 Configure the following options for the outside and management interfaces and click Next.
• Although you can continue using the evaluation license, we recommend that you register and license your device; see Configure Licensing, on page 102. • You can also choose to configure the device using the device manager; see Configure the Firewall in the Device Manager, on page 107.
Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the threat defense. Figure 28: View Token Figure 29: Copy Token
Then follow the instructions on the Smart License Registration dialog box to paste in your token: Step 5 Click Register Device. You return to the Smart License page. While the device registers, you see the following message:
Step 6 Click the Enable/Disable control for each optional license as desired. • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
Step 7 Choose Resync Connection from the gear drop-down list to synchronize license information with Cisco Smart Software Manager. Configure the Firewall in the Device Manager The following steps provide an overview of additional features you might want to configure.
If you configured other inside interfaces, it is very typical to set up a DHCP server on those interfaces. Click + to configure the server and address pool for each inside interface.
IP address of the ISP gateway (you must obtain the address from your ISP). You can create this object by clicking Create New Network at the bottom of the Gateway drop-down list.
IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.
To exit the threat defense CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?. Example:
> exit
firepower#
This information is also shown in show version system, show running-config, and show inventory output. Step 3 To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command.
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the device manager, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Which Operating System and Manager is Right for You?, on page 1. This chapter applies to the threat defense using Cisco Defense Orchestrator (CDO)'s cloud-delivered Secure Firewall Management Center. To use CDO with device manager functionality, see the CDO documentation.
Manager access from a data interface has the following limitations: • You can only enable manager access on one physical data interface. You cannot use a subinterface or EtherChannel. • This interface cannot be management-only.
End-to-End Procedure: Low-Touch Provisioning See the following tasks to deploy the threat defense with CDO using low-touch provisioning. Figure 35: End-to-End Procedure: Low-Touch Provisioning • Cisco Commerce: Obtain Licenses, on page 122. • Workspace (CDO admin)
Onboard a Device with Low-Touch Provisioning, on page 132. (CDO admin) Configure a Basic Security Policy, on page 145. (CDO admin) End-to-End Procedure: Onboarding Wizard See the following tasks to onboard the threat defense to CDO using the onboarding wizard.
• Install the firewall. See the hardware installation guide.
• Physical Tasks: Cable the Firewall, on page 133.
• Physical Tasks: Power on the Firewall, on page 134.
• Onboard a Device with the Onboarding Wizard, on page 134.
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
If you need to set a static IP address for the Management interface, see Perform Initial Configuration Using the CLI, on page 136. By default, the Management interface uses DHCP. You will need to download the new image from a server accessible from the Management interface.
The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
Threat Defense Deployment with CDO Create a New Cisco Secure Sign-On Account Figure 38: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register. Figure 39: Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
Choose a security image. d) Click Create My Account. You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). • To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using Duo; see Create a New Cisco Secure Sign-On Account, on page 125.
Cable the Firewall This topic describes how to connect the Firepower 1010 to your network so that it can be managed by CDO. If you received a firewall at your branch office, and your job is to plug it in to your network, watch this video.
Figure 42: Cabling the Firepower 1010. Low-touch provisioning supports connecting to CDO on Ethernet 1/1 (outside). Note: Ethernet1/2 through 1/8 are configured as hardware switch ports; PoE+ is also available on Ethernet1/7 and 1/8.
If there is a problem, the Status LED flashes fast amber. If this happens, call your IT department. Step 5 Observe the Status LED on the back or top of the device; when the device connects to the Cisco cloud, the Status LED slowly flashes green.
From the Inventory page, select the device you just onboarded and select any of the options listed under the Management pane located to the right. Deploy the Firewall With the Onboarding Wizard This section describes how to configure the firewall for onboarding using the CDO onboarding wizard.
Cable the Firewall This topic describes how to connect the Firepower 1010 to your network so that it can be managed by CDO. Figure 44: Cabling the Firepower 1010. You can connect to CDO on the outside interface or the Management interface, depending on which interface you set for manager access during initial setup.
Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on diagnostics. Onboard a Device with the Onboarding Wizard Onboard the threat defense using CDO's onboarding wizard with a CLI registration key.
Management Center/CDO Hostname/IP Address, Management Center/CDO Registration Key, and NAT ID fields. Example: Sample command for CLI setup:
configure manager add account1.app.us.cdo.cisco.com KPOOP0rgWzaHrnj1V5ha2q5Rf8pKFX9E Lzm1HOynhVUWhXYWz2swmkj2ZWsN3Lb account1.app.us.cdo.cisco.com
Sample command components for GUI setup:
Note: If the password was already changed, and you do not know it, then you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
• Configure firewall mode?—Enter routed. Outside manager access is only supported in routed firewall mode. Example:
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
[...]
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Use the setup wizard when you first log into the device manager to complete the initial configuration. You can optionally skip the setup wizard by clicking Skip device setup at the bottom of the page.
Standalone, and then Got It. The Cloud Management option is for legacy CDO/FDM functionality. Step 4 (Might be required) Configure the Management interface. See the Management interface on Device > Interfaces.
Other device manager configuration will not be retained when you register the device to CDO. Step 6 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 7 Configure the Management Center/CDO Details.
For Do you know the Management Center/CDO hostname or IP address, click Yes. CDO generates the configure manager add command. See Onboard a Device with the Onboarding Wizard, on page 134 to generate the command.
Click Add a Dynamic DNS (DDNS) method. DDNS ensures CDO can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense's IP address changes. See Device > System Settings > DDNS Service to configure DDNS.
If you configure DDNS before you add the threat defense to CDO, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
(Optional) Disable switch port mode for any of the switch ports (Ethernet1/2 through 1/8) by clicking the slider in the SwitchPort column so it shows as disabled. Step 4 Enable the switch ports. a) Click the Edit icon for the switch port.
Step 5 Add the inside VLAN interface. a) Click Add Interfaces > VLAN Interface. The General tab appears. b) Enter a Name up to 48 characters in length. For example, name the interface inside.
For example, enter 192.168.1.1/24 • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. h) Click OK. Step 6 Click the Edit icon for Ethernet1/1 that you want to use for outside. The General tab appears.
Choose Devices > Device Management, and click the Edit icon for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options:
Port Address Translation (PAT). Procedure Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT. Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
… to add a network object for all IPv4 traffic (0.0.0.0/0). Note: You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. • Translated Source—Choose Destination Interface IP.
• Source Zones—Select the inside zone from Available Zones, and click Add to Source. • Destination Zones—Select the outside zone from Available Zones, and click Add to Destination. Leave the other settings as is.
The device allows a maximum of 5 concurrent SSH connections. Note: After a user makes three consecutive failed attempts to log into the CLI via SSH, the device terminates the SSH connection.
You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them. Deploy the Configuration Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
Figure 51: Deploy All. Figure 52: Advanced Deploy. Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide). The console port defaults to the FXOS CLI. Use the following serial settings: • 9600 baud • 8 data bits • No parity • 1 stop bit
You can also use sftunnel-status to view more complete information. See the following sample output for a connection that is down; there is no peer channel "connected to" information, nor heartbeat information shown:
Address : 10.99.10.4
Netmask : 255.255.255.0
Gateway : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers
At the threat defense CLI, see information about the internal backplane interface, nlp_int_tap: show interface detail
> show interface detail
[...]
Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up
Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
(Full-duplex), (1000 Mbps)
Gateway of last resort is 10.89.5.1 to network 0.0.0.0
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside
show nat
> show nat
Auto NAT Policies (Section 2)
DDNS: IDB SB total = 0
If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device:
show crypto ca certificates trustpoint_name
At the threat defense CLI, roll back to the previous configuration.
configure policy rollback
After the rollback, the threat defense notifies CDO that the rollback was completed successfully. In CDO, the deployment screen will show a banner stating that the configuration was rolled back.
You can shut down your system properly using CDO. Procedure Step 1 Choose Devices > Device Management. Step 2 Next to the device that you want to restart, click the edit icon. Step 3 Click the Device tab.
Step 7 You can now unplug the power to physically remove power from the chassis if necessary. What's Next To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page.
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Reimage the Cisco ASA or Firepower Threat Defense Device. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
• Cisco Security Manager—A multi-device manager on a separate server. You can also access the FXOS CLI for troubleshooting purposes. Unsupported Features General ASA Unsupported Features The following ASA features are not supported on the Firepower 1010: • Multiple context mode • Active/Active failover • Redundant interfaces •...
• Security group tagging (SGT) Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 1010. However, you will need to modify your configuration. Also note some behavioral differences between the platforms. 1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. boot system commands: The ASA 5500-X allows up to four boot system commands to specify the booting image to use. The Firepower 1010 only allows a single boot system command, so you should remove all but one command before you paste. You actually do not need to have any boot system commands present
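As an added example (not Cisco's tooling and not part of this guide), the following Python check scans a copied ASA 5500-X running-config for the migration issues this section and the Unsupported Features list call out: more than one boot system command, and features the Firepower 1010 does not support. The ASA CLI keywords used to recognize each feature (mode multiple, failover group, interface Redundant, cts) are my assumptions about ASA syntax, and the sample config is constructed.

```python
"""Pre-flight lint for an ASA 5500-X running-config before pasting it into a
Firepower 1010. Added example, not Cisco tooling. The ASA CLI keywords used to
recognize each unsupported feature are assumptions about ASA syntax."""
import re
from typing import Dict, List

# Features the guide lists as unsupported on the Firepower 1010, keyed to the
# (assumed) ASA CLI line that configures them. Plain 'failover' (Active/Standby)
# is supported, so only 'failover group N' (Active/Active) is flagged.
UNSUPPORTED = {
    "multiple context mode": re.compile(r"^mode multiple\b"),
    "Active/Active failover": re.compile(r"^failover group \d+\b"),
    "redundant interfaces": re.compile(r"^interface redundant\d+\b", re.I),
    "security group tagging (SGT)": re.compile(r"^cts\b"),
}


def lint_asa_config(config: str) -> Dict[str, List[str]]:
    """Return findings: issue name -> the config lines that triggered it.
    Leading whitespace is ignored so nested lines are matched too."""
    findings: Dict[str, List[str]] = {}
    boot_lines: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith(":"):
            continue  # skip blanks, ASA '!' separators and ': Saved' headers
        if line.startswith("boot system "):
            boot_lines.append(line)
        for issue, pattern in UNSUPPORTED.items():
            if pattern.match(line):
                findings.setdefault(issue, []).append(line)
    # Per the guide, the Firepower 1010 accepts only one boot system command.
    if len(boot_lines) > 1:
        findings["multiple boot system commands"] = boot_lines
    return findings


def trim_boot_system(config: str) -> str:
    """Keep the first 'boot system' command and drop the rest, as the guide
    requires before pasting. Every other line is returned unchanged."""
    kept: List[str] = []
    seen = False
    for raw in config.splitlines():
        if raw.strip().startswith("boot system "):
            if seen:
                continue
            seen = True
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample ASA 5500-X config fragment (not from a real device).
SAMPLE_CONFIG = """\
: Saved
boot system disk0:/asa-image-A.bin
boot system disk0:/asa-image-B.bin
!
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
!
failover
failover group 1
 primary
!
cts server-group ISE-SERVERS
!
"""

if __name__ == "__main__":
    for issue, lines in lint_asa_config(SAMPLE_CONFIG).items():
        print(f"[!] {issue}:")
        for line in lines:
            print(f"      {line}")
```

Run it against the output of more system:running-config from the ASA; anything it flags must be removed or reworked before the paste, and trim_boot_system handles the boot system case mechanically.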
172.
• Pre-Configuration: Cable the Device, on page 175.
• Pre-Configuration: Power On the Firewall, on page 13
• ASA CLI: (Optional) Change the IP Address, on page 177.
• ASDM: Log Into the ASDM, on page 178.
Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 1010 using the default configuration. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
Firepower 1010 Default Configuration The default factory configuration for the Firepower 1010 configures the following: • Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1 • inside→outside traffic flow—Ethernet 1/1 (outside), VLAN1 (inside) •...
DefaultDNS name-server 208.67.222.222 outside name-server 208.67.220.220 outside Cable the Device Manage the Firepower 1010 on either Management 1/1, or on Ethernet 1/2 through 1/8 (inside switch ports). The default configuration also configures Ethernet 1/1 as outside. Procedure Step 1...
(see Firepower 1010 Default Configuration, on page 173). If you need to change the Management 1/1 IP address from the default, you must also cable your management computer to the console port.
HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
• Security Plus—For Active/Standby failover • Strong Encryption (3DES/AES)—If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account.
Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.
Encryption (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails. Step 7 Set the following parameters: a) Check Enable Smart license configuration.
Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.
• And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
Step 1 Connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide). Use the following serial settings: •...
Type help or '?' for a list of available commands.
ciscoasa#
What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide.