Getting Started
The following topics explain how to get started configuring the Firepower Threat Defense (FTD).
Is This Guide for You?, on page 1
New Features in FDM/FTD Version 7.1.0, on page 2
Logging Into the System, on page 7
Setting Up the System, on page 11
Configuration Basics, on page 32

Is This Guide for You?
This guide explains how to configure Firepower Threat Defense using the Firepower Device Manager (FDM)
web-based configuration interface included on the Firepower Threat Defense devices.
The FDM lets you configure the basic features of the software that are most commonly used for small or
mid-size networks. It is especially designed for networks that include a single device or just a few, where you
do not want to use a high-powered multiple-device manager to control a large network containing many
Firepower Threat Defense devices.
If you are managing large numbers of devices, or if you want to use the more complex features and
configurations that Firepower Threat Defense allows, use the Firepower Management Center (FMC) to
configure your devices instead of the integrated FDM.
You can use the FDM on the following devices.
Table 1: FDM Supported Models
Device Model                                         Minimum FTD Software Version
Firepower 1010, 1120, 1140                           6.4
Firepower 1150                                       6.5
Firepower 2110, 2120, 2130, 2140                     6.2.1
Secure Firewall 3110, 3120, 3130, 3140               7.1
Firepower 4110, 4115, 4120, 4125, 4140, 4145, 4150   6.5
Firepower 4112                                       6.6
Summary of Contents for Cisco Firepower 1010

  • Page 2 2 SSDs, they form a software RAID. Note that the Version 7.1 device manager does not include online help for these devices. See the documentation posted on Cisco.com. New/Modified screens: Device > Interfaces. New/Modified Firepower Threat Defense commands: configure network...
  • Page 3 New Features in FDM/FTD Version 7.1.0. FTDv for AWS instances: FTDv for AWS adds support for these instances: • c5a.xlarge, c5a.2xlarge, c5a.4xlarge • c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge • c5d.xlarge, c5d.2xlarge, c5d.4xlarge • c5n.xlarge, c5n.2xlarge, c5n.4xlarge • i3en.xlarge, i3en.2xlarge, i3en.3xlarge •...
  • Page 4 Firewall and IPS Features. Network Analysis Policy (NAP) configuration for Snort 3: You can use FDM to configure the Network Analysis Policy (NAP) when running Snort 3. Network analysis policies control traffic preprocessing inspection.
  • Page 5 Password management for remote access VPN (MSCHAPv2): You can enable password management for remote access VPN. This allows AnyConnect to prompt the user to change an expired password. Without password management, users must change expired passwords directly with the AAA server, and AnyConnect does not prompt the user to change passwords.
  • Page 6 DHCP relay configuration using FDM: You can use FDM to configure DHCP relay. Using DHCP relay on an interface, you can direct DHCP requests to a DHCP server that is accessible through the other interface.
  • Page 7 New/Modified screens: System Settings > Management Center. Automatically update CA bundles: The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates.
  • Page 8 Command Line Interface (CLI, Console): Use the CLI for troubleshooting. You can also use it for initial setup instead of the FDM. The following topics explain how to log into these interfaces and manage your user account. Your User Role Controls What You Can See and Do: Your username is assigned a role, and your role determines what you can do or what you can see in the FDM.
  • Page 9 Logging Into the Command Line Interface (CLI). Procedure: Step 1 Using a browser, open the home page of the system, for example, https://ftd.example.com. You can use any of the following addresses. You can use the IPv4 or IPv6 address or the DNS name, if you have configured one.
  • Page 10 Tips: • After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see Cisco Firepower Threat Defense Command Reference, http://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense.html. • You can create local user accounts that can log into the CLI using the configure user add command.
  • Page 11 Setting User Profile Preferences. Procedure: Step 1 Select Profile from the user icon drop-down list in the upper right of the menu. Step 2 Click the Password tab. Step 3 Enter your current password. Step 4 Enter your new password and then confirm it. You can click Generate to have a random 16-character password generated for you.
  • Page 12 Connect the Interfaces. Before you begin: Before you start the initial setup, the device includes some default settings. For details, see Default Configuration Prior to Initial Setup, on page. Procedure: Step 1 Connect the Interfaces, on page 12. Step 2 Complete the Initial Configuration Using the Setup Wizard, on page 23. For details about the resulting configuration, see...
  • Page 13 Cabling for the Firepower 1010. Figure 1: Cabling the Firepower 1010. • Connect your management computer to one of the following interfaces: • Ethernet 1/2 through 1/8—Connect your management computer directly to one of the inside switch ports (Ethernet 1/2 through 1/8).
  • Page 14 Cabling for the Firepower 1100. Figure 2: Cabling the Firepower 1100. • Connect your management computer to either of the following interfaces: • Ethernet 1/2—Connect your management computer directly to Ethernet 1/2 for initial configuration, or connect Ethernet 1/2 to your inside network.
  • Page 15 Cabling for the Firepower 2100. Figure 3: Cabling the Firepower 2100. • Connect your management computer to either of the following interfaces: • Ethernet 1/2—Connect your management computer directly to Ethernet 1/2 for initial configuration, or connect Ethernet 1/2 to your inside network.
  • Page 16 Cabling for the Secure Firewall 3100. Figure 4: Cabling the Secure Firewall 3100. Manage the FTD device on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. •...
  • Page 17 Cabling for the Firepower 4100. Perform the initial Firepower Threat Defense configuration on the logical device Management interface. You can later enable management from any data interface. The Firepower Threat Defense device requires internet access for licensing and updates, and the default behavior is to route management traffic to the gateway IP address you specified when you deployed the device.
  • Page 18 Cabling for the Firepower 9300. Perform the initial Firepower Threat Defense configuration on the logical device Management interface. You can later enable management from any data interface. The Firepower Threat Defense device requires internet access for licensing and updates, and the default behavior is to route management traffic to the gateway IP address you specified when you deployed the device.
  • Page 19 Ensure that the Management0-0 source network is associated to a VM network that can access the Internet. This is required so that the system can contact the Cisco Smart Software Manager and also to download system database updates. You assign the networks when you install the OVF. As long as you configure an interface, you can later change the virtual network through the VMware Client.
  • Page 20 Cabling for ISA 3000. Network Adapter / Source Network / Destination Network (Physical Interface Name) / Function: Network adapter 2, Diagnostic0-0, Diagnostic0/0, Diagnostic; Network adapter 3, GigabitEthernet0-0, GigabitEthernet0/0, Outside data; Network adapter 4, GigabitEthernet0-1, GigabitEthernet0/1, Inside data; Network adapter 5, GigabitEthernet0-2, GigabitEthernet0/2, Data traffic; Network adapter 6...
  • Page 21 You cannot repeat the CLI setup script unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference.
  • Page 22 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
    Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
    Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
    Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
    Enter a comma-separated list of search domains or 'none' []:
    If your networking information has changed, you will need to reconnect.
  • Page 23 Complete the Initial Configuration Using the Setup Wizard. When you initially log into the FDM, you are taken through the device setup wizard to complete the initial system configuration. If you plan to use the device in a high availability configuration, please read Prepare the Two Units for High Availability.
  • Page 24 Manager account, generate a new token, and copy the token into the edit box. You must also select your services region, and decide whether to send usage data to the Cisco Success Network. The on-screen text explains these settings in more detail.
  • Page 25 What to Do if You Do Not Obtain an IP Address for the Outside Interface. What to do next: • If you want to use features covered by optional licenses, such as category-based URL filtering, intrusion inspection, or malware prevention, enable the required licenses. See Enabling or Disabling Optional Licenses.
  • Page 26 Default Configuration Prior to Initial Setup. Step 6 Click the Deploy button in the menu to deploy your changes. Step 7 Click Deploy Now. After deployment completes, the connection graphic should show that the outside interface now has an IP address.
  • Page 27 Default Configuration Prior to Initial Setup. Setting: Management gateway. Default: The data interfaces on the device. Typically the outside interface becomes the route to the Internet. This gateway works for from-the-device traffic only. Can be changed during initial configuration? For Firepower 4100/9300: Yes.
  • Page 28 DHCP settings. You must remove an interface from the bridge group before you can configure it as a non-switched interface. FTD device: Firepower 1010. Outside Interface: Ethernet1/1. Inside Interface: VLAN1, which includes all other switch ports except the outside interface, which is a physical firewall interface.
  • Page 29 Configuration After Initial Setup. After you complete the setup wizard, the device configuration will include the following settings. The table shows whether a particular setting is something you explicitly chose or whether it was defined for you based on your other selections.
  • Page 30 System time: The time zone and NTP servers you selected (Explicit). Firepower 4100/9300: System time is inherited from the chassis. ISA 3000: Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org. Smart license: Either registered with a base license, or the evaluation period (Explicit).
  • Page 31 Data interface configuration (Default). • Firepower 1010—The outside interface, Ethernet1/1, is a physical firewall interface. All other interfaces are switch ports that are enabled and part of VLAN1, the inside interface. You can plug end points or switches into these ports and obtain addresses from the DHCP server for the inside interface.
  • Page 32 Configuration Basics. Access control policy (Implied): A rule trusting all traffic from the inside_zone to the outside_zone. This allows without inspection all traffic from users inside your network to get outside, and all return traffic for those connections. The default action for any other traffic is to block it.
  • Page 33 • Backup and Restore—Back up the system configuration or restore a previous backup. See Backing Up and Restoring the System. • Troubleshoot—Generate a troubleshooting file at the request of the Cisco Technical Assistance Center. See Creating a Troubleshooting File. • Site-to-Site VPN—The site-to-site virtual private network (VPN) connections between this device and remote devices.
  • Page 34 IP addresses or URLs. By blocking known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence block lists update dynamically. Using feeds, you do not need to edit the policy to add or remove items in the block lists.
  • Page 35 Step 3 Click the Deploy button in the menu to deploy your changes. Changes are not active on the device until you deploy them. See Deploying Your Changes, on page. Searching for Rules or Objects: You can use full-text search on lists of policy rules or objects to help you find the item you want to edit.
  • Page 36 Deploying Your Changes. Caution: The FTD device drops traffic when the inspection engines are busy because of a software resource issue, or down because a configuration requires the engines to restart during configuration deployment. For detailed information on changes that require a restart, see Configuration Changes that Restart Inspection Engines, on page. Procedure...
  • Page 37 Configuration Changes that Restart Inspection Engines. • Download Changes—To download the list of changes as a file, click More Options > Download as Text. You are prompted to save the file to your workstation. The file is in YAML format. You can view it in a text editor if you do not have an editor that specifically supports YAML format.
  • Page 38 Configuration Changes that Force a Full Deployment. In most cases, the deployment includes just your changes. However, if necessary, the system will reapply the entire configuration, which might be disruptive to your network. Following are some changes that force a full deployment.
  • Page 39 Viewing System Task Status. Inside, Outside Network Connections: The graphic indicates which port is connected to the outside (or upstream) and inside networks, under the following conditions. • Inside Network—The port for the inside network is shown for the interface named “inside” only. If there are additional inside networks, they are not shown.
  • Page 40 Internet for the device's management IP address. You might need to contact the Cisco Technical Assistance Center (TAC) for some issues as indicated in the task descriptions.
  • Page 41 Using FDM and the REST API Together. Step 2 Type the commands at the prompt and press Enter. Some commands take longer to produce output than others; please be patient. If you get a message that the command execution timed out, please try again. You will also get a timeout error if you enter a command that requires interactive responses, such as show perfstats.
  • Page 42 Using FDM and the REST API Together. You can view, and try out, the API methods using API Explorer. Click the more options button and choose API Explorer. ...