Cisco Secure Firewall 3100 Manual

Multi-Instance Mode for the Secure Firewall 3100

You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). This chapter describes how to deploy the device in multi-instance mode.

About Multi-Instance Mode

In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices.

Multi-Instance Mode vs. Appliance Mode

You can run the device in either multi-instance mode or appliance mode.

Appliance Mode

Appliance mode is the default. The device runs the native threat defense image and acts as a single device. The only chassis-level configuration available (on the Chassis Manager page) is for network module management (breakout ports or enabling/disabling a network module).

Multi-Instance Mode

If you change to multi-instance mode, the device runs the Secure Firewall eXtensible Operating System (FXOS) on the chassis, while each instance runs a separate threat defense image. You configure the mode using the FXOS CLI.

Because multiple instances run on the same chassis, you need to perform chassis-level management of:
• CPU and memory resources using resource profiles.

• About Multi-Instance Mode, on page 1
• Licenses for Instances, on page 14
• Requirements and Prerequisites for Instances, on page 14
• Guidelines and Limitations for Instances, on page 16
• Configure Instances, on page 18
• Monitoring Multi-Instance Mode, on page 62
• History for Multi-Instance Mode, on page 65

Summary of Contents for Cisco Secure Firewall 3100

  • Page 2 (Interface Types): Chassis Management Interface. • Interface configuration and assignment. • Deployment and monitoring of instances. For a multi-instance device, you add the chassis to the management center and configure chassis-level settings on the Chassis Manager page.
  • Page 3: Chassis Interfaces vs. Instance Interfaces. Traffic must exit the chassis on one interface and return on another interface to reach another instance. You can add VLAN subinterfaces to a data interface to provide separate failover links per High Availability pair.
  • Page 4: Chassis Interfaces vs. Instance Interfaces. Figure 1: VLANs in the Chassis vs. the Instance. Independent Interface States in the Chassis and in the Instance: You can administratively enable and disable interfaces in both the chassis and in the instance. For an interface to be operational, the interface must be enabled in both locations.
  • Page 5: Shared Interface Scalability. Instances can share data-sharing type interfaces. This capability lets you conserve physical interface usage as well as support flexible networking deployments. When you share an interface, the chassis uses unique MAC addresses to forward traffic to the correct instance.
  • Page 6: Shared Interface Best Practices. ...Port-Channel3, and Port-Channel4. When you share subinterfaces from a single parent, the VLAN group table provides better scaling of the forwarding table than when sharing physical/EtherChannel interfaces or subinterfaces across parents.
  • Page 7: How the Chassis Classifies Packets. Figure 4: Fair: Shared Subinterfaces on Separate Parents. 3. Worst: Share individual parent interfaces (physical or EtherChannel). This method uses the most forwarding table entries. Figure 5: Worst: Shared Parent Interfaces...
  • Page 8 (Classification Examples): Packet Classification with a Shared Interface Using MAC Addresses. The following figure shows multiple instances sharing an outside interface. The classifier assigns the packet to Instance C because Instance C includes the MAC address to which the router sends the packet.
  • Page 9: Classification Examples. Figure 7: Incoming Traffic from Inside Networks. Transparent Firewall Instances: For transparent firewalls, you must use unique interfaces. The following figure shows a packet destined to a host on the Instance C inside network from the internet. The classifier assigns the packet to Instance C because the ingress interface is Ethernet 1/2.3, which is assigned to Instance C.
  • Page 10: Classification Examples. Figure 8: Transparent Firewall Instances. Inline Sets: For inline sets, you must use unique interfaces and they must be physical interfaces or EtherChannels. The following figure shows a packet destined to a host on the Instance C inside network from the internet. The classifier assigns the packet to Instance C because the ingress interface is Ethernet 1/5, which is assigned to Instance C.
  • Page 11: Cascading Instances. Figure 9: Inline Sets. Placing an instance directly in front of another instance is called cascading instances; the outside interface of one instance is the same interface as the inside interface of another instance. You might want to cascade instances if you want to simplify the configuration of some instances by configuring shared parameters in the top instance.
  • Page 12: Typical Multi-Instance Deployment. Figure 10: Cascading Instances. Note: Do not use cascading instances (using a shared interface) with High Availability. After a failover occurs and the standby unit rejoins, MAC addresses can overlap temporarily and cause an outage. You should instead use unique interfaces for the gateway instance and inside instance using an external switch to pass traffic between the instances.
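The classification rules on pages 8 to 12, as an added example that is not code from the Cisco manual: a small model of the chassis classifier. A unique interface (the only option for transparent firewall instances and inline sets) classifies by ingress interface; a data-sharing interface classifies by the destination MAC that each instance owns on it; and overlapping MACs on a shared interface (the outage case the HA note warns about) are reported as an error instead of silently picking one instance. The instance names, interface IDs and MAC addresses are constructed for the example, and the assignment checks are this example's reading of the page's rules, not a chassis API.

```python
"""Added example, not code from the Cisco manual: a model of the chassis
packet classifier as the page describes it.  A unique interface (the only
option for transparent firewall instances and inline sets) classifies by
ingress interface; a data-sharing interface classifies by the destination
MAC that each instance owns on it.  Instance names, interface IDs and MAC
addresses below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    mode: str = "routed"            # "routed", "transparent" or "inline"
    # chassis interface ID -> MAC this instance uses on that interface
    macs: dict = field(default_factory=dict)


def is_subinterface(if_id: str) -> bool:
    return "." in if_id             # "Ethernet1/2.3" is a VLAN subinterface


def parent_of(if_id: str) -> str:
    return if_id.split(".", 1)[0]


def assignment_errors(instances):
    """Return the assignment problems the page rules out (empty list = OK)."""
    problems = []
    owners = {}
    for inst in instances:
        for if_id in inst.macs:
            owners.setdefault(if_id, []).append(inst)
    for inst in instances:
        for if_id in inst.macs:
            if inst.mode in ("transparent", "inline") and len(owners[if_id]) > 1:
                problems.append(f"{inst.name}: {inst.mode} needs a unique interface, "
                                f"but {if_id} is shared")
            if inst.mode == "inline" and is_subinterface(if_id):
                problems.append(f"{inst.name}: inline sets need a physical interface "
                                f"or EtherChannel, not {if_id}")
    # Subinterfaces on one parent must carry distinct MACs, or classification
    # is ambiguous (the page's caveat for manually configured MACs).
    seen = {}
    for inst in instances:
        for if_id, mac in inst.macs.items():
            if not is_subinterface(if_id):
                continue
            key = (parent_of(if_id), mac.lower())
            if key in seen and seen[key] != (inst.name, if_id):
                problems.append(f"duplicate MAC {mac} on {key[0]}: "
                                f"{seen[key]} and {(inst.name, if_id)}")
            seen.setdefault(key, (inst.name, if_id))
    return problems


class Chassis:
    def __init__(self, instances):
        errors = assignment_errors(instances)
        if errors:
            raise ValueError("; ".join(errors))
        self.instances = list(instances)

    def owners(self, if_id):
        return [i for i in self.instances if if_id in i.macs]

    def classify(self, ingress_if: str, dst_mac: str):
        """Name of the instance that receives the frame, or None."""
        owners = self.owners(ingress_if)
        if not owners:
            return None                       # interface not assigned to anyone
        if len(owners) == 1:
            return owners[0].name             # unique interface: ingress decides
        # data-sharing interface: the destination MAC decides
        hits = [i for i in owners if i.macs[ingress_if].lower() == dst_mac.lower()]
        if len(hits) > 1:
            # the temporary overlap the page warns about for cascaded HA pairs
            raise ValueError(f"MAC {dst_mac} overlaps on shared {ingress_if}: "
                             + ", ".join(i.name for i in hits))
        return hits[0].name if hits else None


def example_chassis() -> Chassis:
    """Constructed layout: A, B, C share Port-Channel2 (outside), each with its
    own inside subinterface on Ethernet1/2; D runs an inline set on Ethernet1/5."""
    return Chassis([
        Instance("A", macs={"Port-Channel2": "a24d.0000.0001", "Ethernet1/2.1": "a24d.0000.0002"}),
        Instance("B", macs={"Port-Channel2": "a24d.0000.0003", "Ethernet1/2.2": "a24d.0000.0004"}),
        Instance("C", macs={"Port-Channel2": "a24d.0000.0005", "Ethernet1/2.3": "a24d.0000.0006"}),
        Instance("D", mode="inline", macs={"Ethernet1/5": "a24d.0000.0007"}),
    ])


if __name__ == "__main__":
    ch = example_chassis()
    print(ch.classify("Port-Channel2", "a24d.0000.0005"))   # C: owns that MAC on the shared outside
    print(ch.classify("Ethernet1/2.3", "ffff.ffff.ffff"))   # C: unique ingress interface
    print(ch.classify("Ethernet1/5", "a24d.0000.0001"))     # D: inline set, MAC is irrelevant
```

The constructed layout mirrors the page's figures: a shared outside EtherChannel resolved by MAC, per-instance inside subinterfaces on one parent resolved by ingress interface, and an inline set that must sit on a physical interface. Feeding a transparent or inline instance a shared interface, or giving two subinterfaces of the same parent the same MAC, is rejected up front rather than producing misclassified traffic later.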
  • Page 13: Automatic MAC Addresses for Instance Interfaces. • Outside: All instances use the Port-Channel2 interface (data-sharing type). This EtherChannel includes two 10 Gigabit Ethernet interfaces. Within each application, the interface uses a unique IP address on the same outside network.
  • Page 14: Performance Scaling Factor for Multi-Instance Mode. ...MAC address pool. For example, if the range of MAC addresses shown for module 1 is b0aa.772f.f0b0 to b0aa.772f.f0bf, then the system prefix will be f0b0. The user-defined prefix is an integer that is converted into hexadecimal. For an example of how the user-defined prefix is used, if you set a prefix of 77, then the chassis converts 77 into the hexadecimal value 004D (yyxx).
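The prefix derivation on pages 13 and 14, as an added example that is not code from the Cisco manual. It reproduces the two facts the page states (the system prefix is the last two bytes of the first pool address, and a user prefix is a decimal integer shown as a 16-bit hex value yyxx, so 77 becomes 004D) and then assembles a full address. The assembly step assumes Cisco's documented layout for auto-generated multi-instance MACs, A2xx.yyzz.zzzz with a 24-bit internal counter, which this page does not itself state; treat `instance_mac()` as that assumption and the rest as a direct reading of the page.

```python
"""Added example, not code from the Cisco manual: deriving the prefix the
chassis uses for auto-generated instance interface MAC addresses.

From the page: the system prefix is the last two bytes of the first address
in the module's MAC pool (b0aa.772f.f0b0 .. b0aa.772f.f0bf -> f0b0), and a
user-defined prefix is a decimal integer converted to a 16-bit hex value
written yyxx (77 -> 004D), which the address then carries as xxyy.
ASSUMPTION (Cisco's documented layout, not stated on this page): the full
address is A2xx.yyzz.zzzz, where zz.zzzz is an internal counter.
"""
import re

_DOTTED = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def parse_dotted_mac(mac: str) -> bytes:
    """'b0aa.772f.f0b0' -> 6 raw bytes."""
    if not _DOTTED.match(mac):
        raise ValueError(f"not a Cisco dotted-hex MAC: {mac!r}")
    return bytes.fromhex(mac.replace(".", ""))


def format_dotted_mac(raw: bytes) -> str:
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def system_prefix(pool_first: str) -> bytes:
    """Last two bytes of the first pool address, already in xx yy order."""
    return parse_dotted_mac(pool_first)[4:6]


def user_prefix(value: int) -> bytes:
    """Decimal prefix -> the two bytes placed in the address.  The page prints
    the value big-endian (yyxx: 77 -> 004D); in the address it is used
    byte-reversed (xxyy: 4D 00), i.e. the little-endian encoding."""
    if not 1 <= value <= 0xFFFF:
        raise ValueError("prefix must be 1..65535")
    return value.to_bytes(2, "little")


def prefix_display(value: int) -> str:
    """The yyxx form the page shows: 77 -> '004D'."""
    if not 1 <= value <= 0xFFFF:
        raise ValueError("prefix must be 1..65535")
    return f"{value:04X}"


def instance_mac(prefix: bytes, counter: int) -> str:
    """ASSUMPTION: A2xx.yyzz.zzzz with a 24-bit counter (Cisco's documented
    layout; this page only shows the prefix step)."""
    if len(prefix) != 2:
        raise ValueError("prefix must be two bytes")
    if not 0 <= counter <= 0xFFFFFF:
        raise ValueError("counter must fit in 24 bits")
    return format_dotted_mac(b"\xa2" + prefix + counter.to_bytes(3, "big"))


def is_locally_administered(mac: str) -> bool:
    """A2 has the U/L bit set, so generated addresses cannot collide with a
    vendor-assigned (OUI) address such as the chassis's own b0aa.772f.* pool."""
    return bool(parse_dotted_mac(mac)[0] & 0x02)


if __name__ == "__main__":
    print(prefix_display(77))                                   # 004D
    print(instance_mac(user_prefix(77), 1))                     # a24d.0000.0001
    print(instance_mac(system_prefix("b0aa.772f.f0b0"), 0x10))  # a2f0.b000.0010
```

The practical use of this is checking that a MAC seen on the wire (or in a `show portmanager` forwarding rule) belongs to the chassis's generated range for a given prefix, and confirming that a custom prefix you choose produces addresses that do not overlap with another chassis on the same Layer 2 segment.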
  • Page 15: Requirements and Prerequisites for Instances. • Secure Firewall 3120 • Secure Firewall 3130 • Secure Firewall 3140. Note: The Secure Firewall 3105 is not supported. Maximum Container Instances and Resources per Model: For each container instance, you can specify the number of CPU cores (or more specifically, threads) to assign to the instance.
  • Page 16: Guidelines and Limitations for Instances. General Guidelines: • A single management center must manage all instances on a chassis, as well as manage the chassis itself. • For instances, the following features are not supported: •...
  • Page 17: • The chassis does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the chassis will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch.
  • Page 18: Configure Instances. • You cannot use a data-sharing interface for the failover link. Default MAC Addresses: • MAC addresses for all interfaces are taken from a MAC address pool. For subinterfaces, if you decide to manually configure MAC addresses, make sure you use unique MAC addresses for all subinterfaces on the same parent interface to ensure proper classification.
  • Page 19: Enable Multi-Instance Mode. firepower# Step 3 Check your current mode, Native or Container. If the mode is Native, you can continue with this procedure to convert to multi-instance (Container) mode. show system detail...
  • Page 20: Add a Multi-Instance Chassis to the Management Center. configure multi-instance network ipv4 ip_address network_mask gateway_ip_address manager manager_name {hostname | ipv4_address | DONTRESOLVE} registration_key nat_id. IPv6: configure multi-instance network ipv6 ipv6_address prefix_length gateway_ip_address manager...
  • Page 21: Add a Multi-Instance Chassis to the Management Center. Procedure. Step 1 In the management center, add the chassis using the chassis management IP address or hostname. a) Choose Device > Device Management, and then Add > Chassis.
  • Page 22: Add a Multi-Instance Chassis to the Management Center. The registration key is a one-time-use shared secret. The key can include alphanumeric characters and hyphens (-). e) In a multidomain deployment, regardless of your current domain, assign the chassis to a leaf Domain.
  • Page 23: Configure Chassis Interfaces. At the chassis level, you configure basic Ethernet settings of physical interfaces, VLAN subinterfaces for instances, and EtherChannel interfaces. By default, physical interfaces are disabled. Note: To configure breakout ports and perform other network module operations, see...
  • Page 24: Configure a Physical Interface. Figure 16: Interfaces. Step 3 Click Edit for the interface you want to edit.
  • Page 25: Configure a Physical Interface. Figure 17: Edit Physical Interface. Step 4 Enable the interface by checking the Enabled check box. Step 5 For the Port Type, choose Data or Data Sharing. Figure 18: Port Type. Step 6 Set the Admin Duplex.
  • Page 26: Configure an EtherChannel. ...sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.
  • Page 27: Configure an EtherChannel. Procedure. Step 1 From Devices > Device Management, click Manage in the Chassis column or click Edit. Figure 19: Manage Chassis. The Chassis Manager page opens for the chassis to the Summary page.
  • Page 28: Configure an EtherChannel. Figure 21: Add EtherChannel. Step 4 Set the following Interfaces parameters. Figure 22: Interfaces Settings. a) For the EtherChannel ID, specify an ID between 1 and 48. b) Check Enabled.
  • Page 29: Configure an EtherChannel. Many of these settings (excluding the LACP settings) set the requirements for interfaces to be included in the EtherChannel; they do not override the settings of member interfaces. So if you check LLDP Transmit, for example, you should only add interfaces that have that setting.
  • Page 30: Configure a Subinterface. The default is Fast. e) Choose the required Link Layer Discovery Protocol (LLDP) settings for member interfaces by checking LLDP Transmit and/or LLDP Receive. f) Check the required Flow Control Send setting for member interfaces.
  • Page 31: Configure a Subinterface. Figure 25: Interfaces. Step 3 Click Add > Subinterface. Figure 26: Add Subinterface. Step 4 Set the following parameters.
  • Page 32: Add an Instance. Figure 27: Subinterface Settings. Step 5 Click Save and then Save in the top right of the Interfaces page. You can now Deploy the policy to the chassis. The changes are not active until you deploy them.
  • Page 33: Add an Instance. Figure 29: Instances. Step 3 On Agreement, check I understand and accept the agreement, then click Next. Figure 30: Agreement.
  • Page 34: ...Devices > Chassis Upgrade. When you upgrade, both the old version and the new version will be listed in the menu. To download an older package, you need to use the FXOS CLI. See Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense.
  • Page 35: ...Expert Mode. We recommend disabling this option to increase isolation between instances. Use Expert Mode only if a documented procedure tells you it is required, or if the Cisco Technical Assistance Center asks you to use it. To enter this mode, use the expert command in the threat defense CLI.
  • Page 36: Add an Instance. • Device SSH Password: Set the threat defense admin user password for CLI access, either SSH or console. Repeat the password in the Confirm Password field. Step 5 On Interface Assignment, assign the chassis interfaces to the instance, then click Next.
  • Page 37: Add an Instance. Figure 34: Device Management. • Device Group • Access Control Policy: Choose an existing access control policy, or create a new policy. • Platform Settings: Choose an existing platform setting policy, or create a new policy.
  • Page 38 (Configure SNMP): Customize the System Configuration. Figure 35: Summary. You can edit any settings on this screen before saving the instance. After you save, the instance is added to the Instances screen. Step 8 On the Instances screen, click Save.
  • Page 39: Import or Export the Chassis Configuration. Before you begin: Configure SNMP for one of the instances. See SNMP. Procedure. Step 1 From Devices > Device Management, click Manage in the Chassis column or click Edit.
  • Page 40: Import or Export the Chassis Configuration. Before you begin: For the chassis where you want to import a configuration, the following characteristics must match: • Same chassis software version • Same threat defense instance images •...
  • Page 41: Import or Export the Chassis Configuration. Figure 40: Export File Created Successfully. c) Download the export file by clicking the notification message (Download Export Package) or by clicking Download. Figure 41: Download. The file is saved with the .sfo extension.
  • Page 42: Configure Chassis Platform Settings. Figure 42: Import. Chassis platform settings configure a range of features for managing the chassis. You can share the policy among multiple chassis. If you want different settings per chassis, you must create multiple policies.
  • Page 43 (Configure DNS): Step 4 To change the target chassis for a policy, click Edit next to the platform settings policy that you want to edit. a) Click Policy Assignment. b) To assign a chassis to the policy, select it in the Available Chassis list and click Add. You can also drag and drop.
  • Page 44: Configure SSH and SSH Access List. Figure 44: Add DNS Server Group. Step 5 Either select an existing DNS server group (see Creating DNS Server Group Objects), or click New Group. If you add a new group, you see the following dialog box. Provide a name and up to four DNS server IP addresses as comma-separated values, and click Add.
  • Page 45: Configure SSH and SSH Access List. Procedure. Step 1 Choose Devices > Platform Settings and create or edit the chassis policy. Step 2 Choose SSH. Step 3 To enable SSH access to the chassis, enable the Enable SSH Server slider.
  • Page 46: Configure SSH and SSH Access List. Figure 47: Add Algorithms. a) Select the Encryption algorithms. b) Select the Key Exchange algorithms. The key exchange provides a shared secret that cannot be determined by either party alone. The key exchange is combined with a signature and the host key to provide host authentication.
  • Page 47: Configure SSH and SSH Access List. Figure 48: SSH. • Strict Host Keycheck: Choose enable, disable, or prompt to control SSH host key checking. • enable: The connection is rejected if the host key is not already in the FXOS known hosts file.
  • Page 48: Configure SSH and SSH Access List. Figure 49: SSH Access List. Step 10 Click Edit to add network objects and click Save. You can also manually enter IP addresses.
  • Page 49 (Configure Syslog): Figure 50: Network Objects. Step 11 Click Save to save all policy changes. Configure Syslog: You can enable syslogs from the chassis. These syslogs come from the chassis' FXOS operating system.
  • Page 50: Configure Syslog. Figure 51: Syslog Local Destinations. Console section: Whether the chassis displays syslog messages on the console. Admin State field: Check the Enable check box if you want to have syslog messages displayed on the console as well as added to the log.
  • Page 51: Configure Syslog. Admin State field: Whether the chassis displays syslog messages on the monitor. Check the Enable check box if you want to have syslog messages displayed on the monitor as well as added to the log. If the Enable check box is unchecked, syslog messages are added to the log but are not displayed on the monitor.
  • Page 52: Configure Syslog. Figure 52: Syslog Remote Destinations. By sending syslog messages to a remote destination, you can archive messages according to the available disk space on the external syslog server, and manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
  • Page 53: Configure Syslog. Level drop-down list: Select the lowest message level that you want the system to store. The system stores that level and above in the remote file. This can be one of the following: •...
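The "lowest level to store; that level and above" rule from the remote-destination settings on pages 52 and 53, as an added example that is not code from the Cisco manual. The gotcha it shows is that syslog severity numbers run the opposite way to severity itself (0 is an emergency, 7 is debugging), so "that level and above" means a numerically smaller or equal severity. The sample lines, the facility, and the per-destination level table are constructed for the example; the level names are the standard syslog severities, not the exact strings of the (truncated) drop-down list on the page.

```python
"""Added example, not code from the Cisco manual: the "lowest level to
store; that level and above" rule from the chassis syslog settings, applied
to RFC 3164-style <PRI> lines, with one threshold per remote destination.
The sample lines and the destination table are constructed for this example
and are not real FXOS output or a real chassis policy.
"""
import re

# Standard syslog severity names; the numeric value goes DOWN as severity
# goes UP, so "level and above" means severity <= threshold.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line: str):
    """Split '<PRI>rest' into (facility, severity, rest); PRI = facility*8 + severity."""
    m = _PRI.match(line)
    if not m:
        raise ValueError(f"missing <PRI>: {line[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def passes_level(severity: int, lowest_level: str) -> bool:
    """True if a destination configured with lowest_level stores this severity."""
    return severity <= LEVELS[lowest_level]


def filter_lines(lines, lowest_level: str):
    """Keep the lines a destination configured with lowest_level would store."""
    return [ln for ln in lines if passes_level(parse_pri(ln)[1], lowest_level)]


def route(lines, destinations):
    """destinations: {name: lowest_level}. Returns {name: [lines stored there]}."""
    return {name: filter_lines(lines, level) for name, level in destinations.items()}


# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity).
SAMPLE = [
    "<185>Jan 12 10:00:01 fw3140 chassis: constructed alert message",          # severity 1
    "<187>Jan 12 10:00:02 fw3140 chassis: constructed error message",          # severity 3
    "<188>Jan 12 10:00:03 fw3140 chassis: constructed warning message",        # severity 4
    "<190>Jan 12 10:00:04 fw3140 chassis: constructed informational message",  # severity 6
    "<191>Jan 12 10:00:05 fw3140 chassis: constructed debugging message",      # severity 7
]

# Hypothetical remote destinations, each with its own lowest level.
DESTINATIONS = {"siem": "warnings", "archive": "debugging", "pager": "alerts"}

if __name__ == "__main__":
    for name, kept in route(SAMPLE, DESTINATIONS).items():
        print(f"{name}: {len(kept)} of {len(SAMPLE)} lines")
```

When you choose a level for a remote destination, picture it as a cut on this scale: a SIEM destination set to warnings receives emergencies through warnings and nothing chattier, while an archive set to debugging receives everything, including audit and fault events enabled under the local sources.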
  • Page 54 (Configure Time Synchronization): Figure 53: Syslog Local Sources. Faults > Enable Admin State: Enable system fault logging. Audits > Enable Admin State: Enable audit logging. Events > Enable Admin State: Enable system event logging.
  • Page 55: Configure Time Synchronization. Procedure. Step 1 Choose Devices > Platform Settings and create or edit the chassis policy. Step 2 Choose Time Synchronization. Figure 54: Time Synchronization. Step 3 If you want to obtain the time from the management center, click Via NTP from Management Center.
  • Page 56: Configure Time Zones. Figure 56: Add New NTP Server. c) For a new server, enter the following fields, and click Add. • NTP Server Name: A name to identify this server. • IP/FQDN: The IP address or hostname of the server.
  • Page 57: Manage Multi-Instance Mode. Figure 57: Time Zones. Step 3 Choose your Time Zone from the drop-down menu. Step 4 Click Save to save all policy changes. Manage Multi-Instance Mode: This section describes less common tasks, including changing settings at the FXOS CLI or changing interfaces assigned to the chassis.
  • Page 58: Change Interfaces Assigned to an Instance. Before you begin: • Configure your interfaces according to Configure Instances, on page 18. • If you want to add an already-allocated interface to an EtherChannel, you need to unallocate the interface from the instance first, then add the interface to the EtherChannel.
  • Page 59: Change Chassis Management Settings at the FXOS CLI. Figure 60: Interface Assignment. Shared interfaces show the sharing icon. Step 4 Make your interface changes, and then click Next. Step 5 Click Save on the Summary screen.
  • Page 60: Change Chassis Management Settings at the FXOS CLI. The console port connects to the FXOS CLI. We recommend using the console port. Note: You can also connect using SSH to the management interface, if configured in the chassis platform settings in the management center; however, if you change the management IP address, you will be disconnected.
  • Page 61: Change Chassis Management Settings at the FXOS CLI. ...set the NAT ID even when you specify a hostname or IP address. The NAT ID must not exceed 37 characters. Valid characters include alphanumeric characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center.
  • Page 62: Monitoring Multi-Instance Mode. This section helps you troubleshoot and diagnose your multi-instance mode chassis and instances. Monitoring Multi-Instance Setup: show system detail. This FXOS command shows the current mode, Native or Container. If the mode is Native (also known as appliance mode), you can convert to multi-instance (Container) mode.
  • Page 63: Monitoring Instance Interfaces. show portmanager switch forward-rules hardware mac-filter. This command shows the internal switch-forwarding rule for two instances with a dedicated physical interface assigned to each instance. Ethernet 1/2 is assigned to ftd1 and Ethernet 1/1 is assigned to ftd2.
  • Page 64: Monitoring Instance Interfaces. Note: Physical-Port 18 is the backplane uplink interface between the internal switch and the instance. firepower-3140(local-mgmt)# show portmanager switch ecmp-groups detail. Output columns: ECMP-GROUP, VPORT, PHYSICAL-PORT; values 1536 1537 1538 1539 1540 1541...
  • Page 65: History for Multi-Instance Mode. Feature: Multi-instance mode for the Secure Firewall 3100. Versions: 7.4.1 / 7.4.1. Details: You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices.
  • Page 66: History for Multi-Instance Mode...