Cisco Firepower 1100 Getting Started Guide First Published: 2019-06-13 Last Modified: 2023-10-04 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
• Threat Defense—The threat defense is a next-generation firewall that combines an advanced stateful firewall, VPN concentrator, and next generation IPS. Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if you start with ASA and later reimage to threat defense.
You cannot use this API if you are managing the threat defense using the management center. The threat defense REST API is not covered in this guide. For more information, see Cisco Secure Firewall Threat Defense REST API Guide. Secure Firewall Management Center REST The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses.
Using HTTP, an automation tool can execute commands on the ASAs by accessing specifically formatted URLs. The ASA HTTP interface is not covered in this guide. For more information, see the Cisco Secure Firewall ASA HTTP Interface for Automation.
Which Application and Manager is Right for You? ASA Managers
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
Before You Start Deploy and perform initial configuration of the management center. See the getting started guide for your model. End-to-End Tasks See the following tasks to deploy the threat defense with the management center.
Pre-Configuration Review the Network Deployment, on page Pre-Configuration Cable the Firewall, on page Pre-Configuration Power on the Firewall, on page (Optional) Check the Software and Install a New Version, on page 13
You can configure other interfaces after you connect the threat defense to the management center. Typical Separate Management Network Deployment The following figure shows a typical network deployment for the firewall where: • The threat defense, management center, and management computer connect to the management network
• Connects Management 1/1 to an inside interface through a Layer 2 switch. • Connects the management center and management computer to the switch. This direct connection is allowed because the Management interface has separate routing from the other interfaces on the threat defense.
Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements. Procedure Step 1 Install the chassis. See the hardware installation guide. Step 2 Cable for a separate management network:
Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 3 Cable for an edge deployment:
Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
You will need to download the new image from a server accessible from the Management interface. b) Perform the reimage procedure in the FXOS troubleshooting guide. After the firewall reboots, you connect to the FXOS CLI again.
1. Outside Interface Address—This interface is typically the internet gateway, and might be used as your manager access interface. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.
Other device manager configuration will not be retained when you register the device to the management center. Step 5 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 6 Configure the Management Center/CDO Details.
For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
If you remain connected to the device manager after the Saving Management Center/CDO Registration Settings step, you will eventually see the Successful Connection with Management Center or CDO dialog box, after which you will be disconnected from the device manager.
Note If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure. Example:
However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:...
If the threat defense is behind a NAT device, enter a unique NAT ID along with the management center IP address or hostname, for example: Example: > configure manager add 10.70.45.5 regk3y78 natid56 Manager successfully configured. What to do next Register your firewall to the management center.
• IPS—Security Intelligence and Next-Generation IPS • Malware Defense—Malware defense • URL—URL Filtering • Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide Before you begin •...
Register the Threat Defense with the Management Center When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
• The management center registration key Procedure Step 1 In the management center, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device. The Registration Key method is selected by default.
• Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration.
If you disable it, only event information will be sent to the management center, but packet data is not sent. Step 3 Click Register, and confirm a successful registration.
NAT ID, on both devices. You can set the registration key and NAT ID on the management center using the configure manager add command. For more troubleshooting information, see https://cisco.com/go/fmc-reg-error. Configure a Basic Security Policy This section describes how to configure a basic security policy with the following settings: •...
Choose Devices > Device Management, and click the Edit ( ) for the firewall. Step 2 Click Interfaces. Figure 10: Interfaces Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
QoS policies. e) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. Figure 13: IPv6 Tab f) Click OK. Step 4 Click the Edit ( ) for the interface that you want to use for outside. The General tab appears.
• Obtain default route using DHCP—Obtains the default route from the DHCP server. • DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.
Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself. • Enable DHCP Server—Enable the DHCP server on the selected interface. Step 4 Click OK. Step 5 Click Save.
Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route. Figure 19: Static Route Step 3 Click Add Route, and set the following:
• Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 4 Click OK. The route is added to the static route table. Step 5 Click Save.
Name the policy, select the device(s) that you want to use the policy, and click Save. Figure 21: New Policy The policy is added to the management center. You still have to add rules to the policy.
Figure 23: Basic Rule Options • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Configure NAT Figure 24: Interface Objects Step 6 On the Translation page, configure the following options: Figure 25: Translation • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense. Step 2 Click Add Rule, and set the following parameters:
Procedure Step 1 Click Deploy in the upper right. Figure 28: Deploy Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices.
Figure 30: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. Figure 31: Deployment Status
Access the threat defense CLI. connect ftd Example: firepower# connect ftd > After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see Cisco Secure Firewall Threat Defense Command Reference.
System is stopped. It is safe to power off now. Do you want to reboot instead? [y/N] If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide.
Threat Defense Deployment with the Management Center What's Next?
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
The central administrator can preregister the threat defense on the management center using the threat defense serial number before sending the device to the branch office. The management center integrates with SecureX and Cisco Defense Orchestrator (CDO) for this functionality.
• You cannot use the data interface as the failover or state link. Low-Touch Provisioning Network The following figure shows a typical network deployment for the firewall where: • The management center is at central headquarters.
IP address changes due to a new DHCP assignment, CDO will inform the management center of the change. Figure 32: Low-Touch Provisioning Network Manual Provisioning Network The following figure shows a typical network deployment for the firewall where: • The management center is at central headquarters.
Deploy and perform initial configuration of the management center. See the getting started guide for your model. End-to-End Tasks: Low-Touch Provisioning See the following tasks to deploy the threat defense with the management center using low-touch provisioning.
Threat Defense Deployment with a Remote Management Center End-to-End Tasks: Low-Touch Provisioning Figure 34: End-to-End Tasks: Low-Touch Provisioning
73: Integrate the management center with SecureX. (Central administrator) Add a Device to the Management Center Using Low-Touch Provisioning, on page (Central administrator) Management Center Configure a Basic Security Policy, on page (Central administrator)
CLI or Device • (Optional) Check the Software and Install a New Version, on page 56 Manager • Pre-Configuration Using the Device Manager, on page 58 (Central admin) • Pre-Configuration Using the CLI, on page 63
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
If you need to set a static IP address for the Management interface, see Complete the Threat Defense Initial Configuration Using the CLI, on page 19. By default, the Management interface uses DHCP.
After you complete the setup wizard, in addition to the default configuration for the inside interface (Ethernet1/2), you will have configuration for an outside (Ethernet1/1) interface that will be maintained when you switch to management center management.
If you did receive a gateway from DHCP, then you need to instead configure this interface with a static IP address and set the gateway to data interfaces.
Other device manager configuration will not be retained when you register the device to the management center. Step 7 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management. Step 8 Configure the Management Center/CDO Details.
For Do you know the Management Center/CDO hostname or IP address, click Yes if you can reach the management center using an IP address or hostname, or No if the management center is behind NAT or does not have a public IP address or hostname.
If you chose a different interface, then you need to manually configure a default route before you connect to the management center. See Configure
If you configure DDNS before you add the threat defense to the management center, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 4 Connect to the threat defense CLI. connect ftd Example: firepower# connect ftd >
Enter a fully qualified hostname for this system [firepower]: 1010-3 Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]: Enter a comma-separated list of search domains or 'none' []: cisco.com If your networking information has changed, you will need to reconnect. Disabling IPv6 configuration: management0 Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35...
If the management connection is disrupted, the threat defense includes the configure policy rollback command to restore the previous deployment.
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Enter the shutdown command. b) Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit).
Connect other networks to the remaining interfaces. Step 5 (Optional) Connect the management computer to the console port. At the branch office, the console connection is not required for everyday use; however, it may be required for troubleshooting purposes.
After the remote branch administrator cables the threat defense so it has internet access from the outside interface, you can register the threat defense to the management center and complete configuration of the device.
• IPS—Security Intelligence and Next-Generation IPS • Malware Defense—Malware defense • URL—URL Filtering • Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide Before you begin •...
Obtain Licenses for the Management Center When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Add a Device to the Management Center Using Low-Touch Provisioning Low-touch provisioning lets you register devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with Cisco Defense Orchestrator (CDO) and SecureX for this functionality.
CDO's management center support is limited to device onboarding, viewing its managed devices, viewing objects associated with the management center, and cross-launching the management center. Note For a management center high-availability pair, you also need to integrate the secondary management center with SecureX.
On the Onboard FTD Device screen, click Use Serial Number. Figure 42: Use Serial Number Step 5 In Select FMC, choose an On-Prem FMC from the list, and click Next. Figure 43: Select FMC
Step 7 In Password Reset, click Yes. Enter a new password and confirm the new password for the device, then click Next. For low-touch provisioning, the device must be brand new or have been reimaged.
Click Next. Figure 48: Policy Assignment Step 9 In Subscription License, select the licenses for the device. Click Next.
You can continue to use CDO as the DDNS provider, or you can later change the DDNS configuration in the management center to a different method.
• The management center registration key Procedure Step 1 In the management center, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device. The Registration Key method is selected by default.
• Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field blank if you specified both the management center IP address and a NAT ID in the threat defense initial configuration.
If you disable it, only event information will be sent to the management center, but packet data is not sent. Step 3 Click Register, and confirm a successful registration.
NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command. For more troubleshooting information, see https://cisco.com/go/fmc-reg-error. Configure a Basic Security Policy This section describes how to configure a basic security policy with the following settings: •...
Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears. Figure 54: General Tab a) Enter a Name up to 48 characters in length.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24 Figure 55: IPv4 Tab • IPv6—Check the Autoconfiguration check box for stateless autoconfiguration. Figure 56: IPv6 Tab f) Click OK.
For example, add a zone called outside_zone. b) Click OK. Step 5 Click Save. Configure the DHCP Server Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself. • Enable DHCP Server—Enable the DHCP server on the selected interface. Step 4 Click OK.
Name the policy, select the device(s) that you want to use the policy, and click Save. Figure 60: New Policy The policy is added to the management center. You still have to add rules to the policy.
Figure 62: Basic Rule Options • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Configure NAT Figure 63: Interface Objects Step 6 On the Translation page, configure the following options: Figure 64: Translation • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense. Step 2 Click Add Rule, and set the following parameters:
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.
Selected Zones/Interfaces list and click Add. You can also add loopback interfaces. These rules will be applied to a device only if the device includes the selected interfaces or zones. c) Click OK. Step 4 Click Save.
Figure 68: Deploy All Figure 69: Advanced Deploy Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
• No parity • 1 stop bit You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123). Example:
> After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see Cisco Secure Firewall Threat Defense Command Reference. Step 3 To exit the threat defense CLI, enter the exit or logout command.
Netmask : 255.255.255.0 Gateway : 10.99.10.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers Interfaces : GigabitEthernet1/1
> show interface detail [...] Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec (Full-duplex), (1000 Mbps) Input flow control is unsupported, output flow control is unsupported
0.0.0.0 0.0.0.0 [1/0] via 10.89.5.1, outside 10.89.5.0 255.255.255.192 is directly connected, outside 10.89.5.29 255.255.255.255 is directly connected, outside > show nat > show nat Auto NAT Policies (Section 2) 1 (nlp_int_tap) to (outside) source static nlp_server_0_sftunnel_intf3 interface service
DDNS: IDB SB total = 0 If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device: show crypto ca certificates trustpoint_name
• Out-of-band SCEP certificate data that was updated during the previous deployment cannot be rolled back. • During the rollback, connections will drop because the current configuration will be cleared. Before you begin Model Support—Threat Defense
You can power off the device using the management center device management page, or you can use the FXOS CLI.
# connect local-mgmt Step 2 Issue the shutdown command: firepower(local-mgmt) # shutdown Example: firepower(local-mgmt)# shutdown This command will shutdown the system. Continue? Please enter 'YES' or 'NO': yes INIT: Stopping Cisco Threat Defense..ok
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide.
Threat Defense Deployment with a Remote Management Center What's Next?
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
Power Off the Firewall, on page 129 • What's Next?, on page 130 End-to-End Tasks See the following tasks to deploy the threat defense with the device manager. Pre-Configuration Install the firewall. See the hardware installation guide.
NAT for your inside networks. If you need to configure PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in device manager.
Figure 71: Suggested Network Deployment Note For 6.7 and earlier, the Ethernet 1/2 inside IP address is 192.168.1.1. For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
• DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes •...
If you need to change the Management 1/1 IP address from the default to configure a static IP address, you must also cable your management computer to the console port. See (Optional) Change Management Network Settings at the CLI, on page 113.
Check the Power LED on the back of the device; if it is solid green, the device is powered on. Step 4 Check the Status LED on the back of the device; after it is solid green, the system has passed power-on diagnostics.
What Version Should I Run? Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
Log in with the admin user and the default password, Admin123. You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This password is also used for the threat defense login for SSH.
Page 116
Reconnect with the new IP address and password. Console connections are not affected.
• Manage the device locally?—Enter yes to use the device manager. A no answer means you intend to use the on-premises or cloud-delivered management center to manage the device.
Example:
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
You cannot configure PPPoE using the setup wizard. PPPoE may be required if the interface is connected to a DSL modem, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address. You can configure PPPoE after you complete the wizard.
When you register the chassis, the Smart Software Manager issues an ID certificate for communication between the chassis and the Smart Software Manager. It also assigns the chassis to the appropriate virtual account. For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide The Essentials license is included automatically.
Page 120
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Page 121
Manager, request and copy a registration token for the virtual account to which you want to add this device.
a) Click Inventory.
b) On the General tab, click New Token.
c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
Page 122
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag if you are in a country that allows for strong encryption. You must select this option now if you plan to use this functionality.
Page 123
Then follow the instructions on the Smart License Registration dialog box to paste in your token:
Step 5 Click Register Device. You return to the Smart License page. While the device registers, you see the following message:
Page 124
You cannot configure the features in new policies, nor can you deploy policies that use the feature.
• If you enabled the Cisco Secure Client license, select the type of license you want to use: Advantage, Premier, VPN Only, or Premier and Advantage.
Step 7 Choose Resync Connection from the gear drop-down list to synchronize license information with Cisco Smart Software Manager.
Configure the Firewall in the Device Manager
The following steps provide an overview of additional features you might want to configure.
Page 126
If you configured other inside interfaces, it is very typical to set up a DHCP server on those interfaces. Click + to configure the server and address pool for each inside interface.
Page 127
IP address of the ISP gateway (you must obtain the address from your ISP). You can create this object by clicking Create New Network at the bottom of the Gateway drop-down list.
Page 128
IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.
Page 130
>
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Secure Firewall Threat Defense Command Reference.
Step 3 To exit the threat defense CLI, enter the exit or logout command.
Access the Threat Defense and FXOS CLI, on page 127.
Procedure
Step 1 In the FXOS CLI, connect to local-mgmt:
firepower # connect local-mgmt
Step 2 Issue the shutdown command:
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the device manager, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Page 133
To see all available applications and managers, see Which Application and Manager is Right for You?, on page 1. This chapter applies to the threat defense using Cisco Defense Orchestrator (CDO)'s cloud-delivered Firewall Management Center.
Note: The cloud-delivered Firewall Management Center supports threat defense 7.2 and later.
• When you enable manager access on a data interface, the threat defense forwards incoming management traffic over the backplane to the Management interface.
• For outgoing management traffic, the Management interface forwards the traffic over the backplane to the data interface.
Manager Access Requirements
• You cannot use the data interface as the failover or state link.
End-to-End Tasks: Low-Touch Provisioning
See the following tasks to deploy the threat defense with CDO using low-touch provisioning.
Page 136
Provide the Firewall Serial Number to the Central Administrator, on page 143. (Branch admin)
Branch Office Tasks Install the firewall. See the hardware installation guide. (Branch admin)
Branch Office Tasks Cable the Firewall, on page 144. (Branch admin)
(CDO admin)
End-to-End Tasks: Onboarding Wizard
See the following tasks to onboard the threat defense to CDO using the onboarding wizard.
Figure 81: End-to-End Tasks: Onboarding Wizard
Cisco Commerce Workspace Obtain Licenses, on page 136.
• IPS—Security Intelligence and Next-Generation IPS
• Malware Defense—Malware defense
• URL—URL Filtering
• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide
Before you begin
•...
Page 139
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Page 140
What Version Should I Run?
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html;...
Page 141
The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
Page 142
• Use a current version of Firefox or Chrome.
Procedure
Step 1 Sign Up for a New Cisco Secure Sign-On Account.
a) Browse to https://sign-on.security.cisco.com.
b) At the bottom of the Sign In screen, click Sign up.
Figure 83: Cisco SSO Sign Up
c) Fill in the fields of the Create Account dialog and click Register.
Page 143
Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
d) After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
Page 144
You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
The serial number of the firewall can be found on the shipping box. It can also be found on a sticker on the back of the firewall or on the bottom of the firewall chassis.
Step 3 Send the firewall serial number to the CDO network administrator at your IT department/central headquarters.
Page 146
Connect the inside interface (for example, Ethernet 1/2) to your inside switch or router. You can choose any interface for inside.
Step 4 Connect other networks to the remaining interfaces.
Step 5 (Optional) Connect the management computer to the console port.
Page 147
If there is a problem, the Status LED flashes fast amber. If this happens, call your IT department.
Step 6 Observe the Status LED on the back; when the device connects to the Cisco cloud, the Status LED slowly flashes green.
Page 148
If there is a problem, the Status LED flashes amber and green, and the device did not reach the Cisco Cloud. If this happens, make sure that your network cable is connected to the Ethernet 1/1 interface and to your WAN modem.
Page 149
No... option. There are a number of configurations that disable low-touch provisioning, so we don't recommend logging into the device unless you need to, for example, to perform a reimage.
Page 150
Default Access Control Policy.
Figure 92: Policy Assignment
Step 9 For the Subscription License, check each of the feature licenses you want to enable. Click Next.
Figure 93: Subscription License
This section describes how to configure the firewall for onboarding using the CDO onboarding wizard.
Cable the Firewall
This topic describes how to connect the Firepower 1100 to your network so that it can be managed by CDO.
Figure 95: Cabling the Firepower 1100
Page 152
Check the Power LED on the back of the device; if it is solid green, the device is powered on.
Step 4 Check the Status LED on the back of the device; after it is solid green, the system has passed power-on diagnostics.
Page 153
Figure 97: Device Name
Step 6 For the Policy Assignment, use the drop-down menu to choose an access control policy for the device. If you have no policies configured, choose the Default Access Control Policy.
Page 154
Complete initial configuration at the CLI or using the device manager:
• Perform Initial Configuration Using the CLI, on page 153—Copy this command at the threat defense CLI after you complete the startup script.
Perform Initial Configuration Using the CLI
Connect to the threat defense CLI to perform initial setup. When you use the CLI for initial configuration, only the Management interface and manager access interface settings are retained. When you perform initial...
Page 156
However, all of these settings can be changed later at the CLI using configure network commands. See Cisco Secure Firewall Threat Defense Command Reference. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
Page 157
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35...
Page 158
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Page 159
Step 6 Identify the CDO that will manage this threat defense using the configure manager add command that CDO generated. See Onboard a Device with the Onboarding Wizard, on page 151 to generate the command.
Page 160
Example:
> configure manager add account1.app.us.cdo.cisco.com KPOOP0rgWzaHrnj1V5ha2q5Rf8pKFX9E Lzm1HOynhVUWhXYWz2swmkj2ZWsN3Lb account1.app.us.cdo.cisco.com
Manager successfully configured.
Perform Initial Configuration Using the Device Manager
Connect to the device manager to perform initial setup of the threat defense. When you perform initial setup using the device manager, all interface configuration completed in the device manager is retained when you switch to CDO for management, in addition to the Management interface and manager access settings.
Page 161
Other device manager configuration will not be retained when you register the device to CDO.
Step 6 Choose Device > System Settings > Central Management, and click Proceed to set up the management center management.
Step 7 Configure the Management Center/CDO Details.
Page 162
For Do you know the Management Center/CDO hostname or IP address, click Yes. CDO generates the configure manager add command. See Onboard a Device with the Onboarding Wizard, on page 151 to generate the command.
Page 163
Click Add a Dynamic DNS (DDNS) method. DDNS ensures CDO can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense's IP address changes. See Device > System Settings > DDNS Service to configure DDNS.
If you configure DDNS before you add the threat defense to CDO, the threat defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
Choose Devices > Device Management, and click the Edit ( ) for the firewall.
Step 2 Click Interfaces.
Figure 106: Interfaces
Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
Page 166
QoS policies.
e) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
Page 167
• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.
Figure 109: IPv6 Tab
f) Click OK.
Step 4 Click the Edit ( ) for the interface that you want to use for outside. The General tab appears.
For example, add a zone called outside_zone.
b) Click OK.
Step 5 Click Save.
Configure the DHCP Server
Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
Page 169
The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.
• Enable DHCP Server—Enable the DHCP server on the selected interface.
Step 4 Click OK.
Page 170
Name the policy, select the device(s) that you want to use the policy, and click Save.
Figure 113: New Policy
The policy is added to the management center. You still have to add rules to the policy.
Page 171
Figure 115: Basic Rule Options
• NAT Rule—Choose Auto NAT Rule.
• Type—Choose Dynamic.
Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Page 172
Figure 116: Interface Objects
Step 6 On the Translation page, configure the following options:
Figure 117: Translation
• Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
Page 173
Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the threat defense.
Step 2 Click Add Rule, and set the following parameters:
Page 174
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.
Page 175
Selected Zones/Interfaces list and click Add. You can also add loopback interfaces. These rules will be applied to a device only if the device includes the selected interfaces or zones.
c) Click OK.
Step 4 Click Save.
Page 176
Figure 121: Deploy All
Figure 122: Advanced Deploy
Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments.
• No parity
• 1 stop bit
You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123).
Page 178
>
After logging in, for information on the commands available in the CLI, enter help or ?. For usage information, see the Cisco Secure Firewall Threat Defense Command Reference.
Step 3 To exit the threat defense CLI, enter the exit or logout command.
Page 179
Netmask : 255.255.255.0
Gateway : 10.99.10.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers
Interfaces : Ethernet1/1
Page 180
Interface Internal-Data0/1 "nlp_int_tap", is up, line protocol is up
Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0000.0100.0001, MTU 1500
Page 181
10.89.5.0 255.255.255.192 is directly connected, outside
10.89.5.29 255.255.255.255 is directly connected, outside
> show nat > show nat
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (outside) source static nlp_server_0_sftunnel_intf3 interface service tcp 8305 8305
Page 182
If the update failed, use the debug http and debug ssl commands. For certificate validation failures, check that the root certificates are installed on the device:
show crypto ca certificates trustpoint_name
To check the DDNS operation:
Page 183
At the threat defense CLI, roll back to the previous configuration.
configure policy rollback
After the rollback, the threat defense notifies CDO that the rollback was completed successfully. In CDO, the deployment screen will show a banner stating that the configuration was rolled back.
Page 184
Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall. You can shut down your system properly using the management center.
Page 185
Step 3 Monitor the system prompts as the firewall shuts down. You will see the following prompt:
System is stopped.
It is safe to power off now.
Do you want to reboot instead? [y/N]
You can now turn off the power switch and unplug the power to physically remove power from the chassis if necessary.
What's Next
To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page.
Page 187
ASA requires you to reimage the device. You should also reimage if you need a different software version than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide. The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System (FXOS).
5. Paste the modified configuration at the ASA CLI. This guide assumes a factory default configuration, so if you paste in an existing configuration, some of the procedures in this guide will not apply to your ASA.
(an internal location on disk0 managed by FXOS). The new image will load when you reload the ASA.
End-to-End Tasks
See the following tasks to deploy and configure the ASA.
Page 190
Review the Network Deployment and Default Configuration, on page 189.
Pre-Configuration Cable the Firewall, on page 191.
Pre-Configuration Power on the Device, on page 192.
ASA CLI (Optional) Change the IP Address, on page 193.
IP address to be on a new network.
• If you add the ASA to an existing inside network, you will need to change the inside IP address to be on the existing network.
Page 192
• NAT—Interface PAT for all traffic from inside to outside.
• DNS servers—OpenDNS servers are pre-configured.
The configuration consists of the following commands:
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address dhcp setroute
 no shutdown
interface Ethernet1/1
208.67.220.220 outside
Cable the Firewall
Manage the Firepower 1100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside.
Procedure
Step 1 Install the chassis. See the hardware installation guide.
Check the Power LED on the back of the device; if it is solid green, the device is powered on.
Step 4 Check the Status LED on the back of the device; after it is solid green, the system has passed power-on diagnostics.
ASA does not automatically forward an HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
• Security Contexts
• Strong Encryption (3DES/AES)—If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account.
• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only.
Page 198
Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Essentials license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software Manager account. However, if you need to add licenses yourself, use the Find Products and...
Page 199
c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag.
Page 201
You can optionally check the Force registration check box to register the ASA that is already registered, but that might be out of sync with the Smart Software Manager. For example, use Force registration if the ASA was accidentally removed from the Smart Software Manager.
Step 6 Click Register.
When you change licenses, you need to relaunch ASDM to show updated screens.
Configure the ASA
Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards.
Page 203
• Interfaces, including setting the inside and outside interface IP addresses and enabling interfaces.
• Static routes
• The DHCP server
• And more...
Step 3 (Optional) From the Wizards menu, run other wizards.
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged EXEC mode, enter the disable, exit, or quit command.
Step 3 Access global configuration mode.
configure terminal
Example:
Type help or '?' for a list of available commands.
ciscoasa#
What's Next?
• To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
• For troubleshooting, see the FXOS troubleshooting guide.