Cisco Firepower 4100 Series, Firepower 4110 / 4120 4140 / 4150 Manual

Features

The Cisco Firepower 4100 series security appliance is a standalone modular security services platform. It is capable of running multiple security services simultaneously and so is targeted at the data center as a multiservice platform. The series includes the Firepower 4110, 4120, 4140, and 4150. See Product ID Numbers, for a list of the product IDs (PIDs) associated with the 4100 series.
The Firepower 4100 series supports Cisco Secure Firewall Threat Defense, Cisco Secure Firewall eXtensible Operating System (FXOS), and Cisco Secure Firewall ASA software. See Cisco Firepower 4100/9300 FXOS Compatibility, which lists software and hardware compatibility information for the Firepower 4100 series.
Note
The Firepower 4100 series security appliance is not supported in Secure Firewall Threat Defense 7.3 and later and Secure Firewall ASA 9.19 and later.
The following figure shows the Firepower 4100 series security appliance.

Figure 1: Firepower 4100 Series

The following table lists the features for the Firepower 4100 series.

Table 1: Firepower 4100 Series Features

Feature	4110	4120	4140	4150
Form factor	1 RU
	Fits a standard 19-inch (48.3cm) square-hole rack
Rack mount	Slide rails, mount ears, and screws included
	4-post Electronic Industries Association (EIA)-310-D rack
Airflow	Front to rear Cold aisle to hot aisle
Processor	Single 12-core		Single 18-core	Single 22-core
Memory	64-GB DDR4 DRAM	128-GB DDR4 DRAM	256-GB DDR4 DRAM	256-GB DDR4 DRAM
Maximum number of interfaces	24 With two 8-port network modules installed
Management port	One Gigabit Ethernet Supports 1-Gb fiber or copper small form-factor pluggable (SFP)
Serial port	One RJ-45 console
USB port	One USB 2.0 Type A
Network ports	Eight fixed 1-Gb and 10-Gb SFP+ ports (named Ethernet 1/1 through 1/8)
Small form-factor pluggable (SFP) ports	Eight fixed 1-Gb and 10-Gb SFP+ ports See Supported SFP/SFP+ and QSFP Transceivers for a list of supported transceivers.
Pullout asset card	Displays the serial number; on the front panel
Grounding lug	On rear panel
Locator beacon	On front panel
Power switch	On rear panel
Network modules	Two network module slots (named network module 2 and network module 3)
Supported network modules	8-port 10-Gigabit Ethernet SFP+ 4-port 40-Gigabit Ethernet QSFP+ 8-port 1-Gigabit Ethernet copper with hardware bypass 2-port 40-Gigabit Ethernet QSFP+ (built-in) with hardware bypass 6-port 1-Gigabit Ethernet SX fiber SFP (built-in) with hardware bypass 6-port 10-Gigabit Ethernet SR fiber SFP+ (built-in) with hardware bypass 6-port 10-Gigabit Ethernet LR fiber SFP+ (built-in) with hardware bypass
AC power supply	Two (1+1) power supply module slots Ships with one 400-W AC power supply modules Hot-swappable		Two (1+1) power supply module slots Ships with two 400-W AC power supply modules Hot-swappable
DC power supply	Optional
Redundant power	1+1
Fan	Six fan module slots 3+1 redundancy Hot-swappable
Storage	Two SSD slots Ships with one 200-GB SSD installed in slot 1. Slot 1 is the primary SSD and should always be present. Slot 1 is reserved for the logical device application instance (threat defense or ASA). Note RAID is not supported. The SSD must be installed in slot 1. Slot 2 is optional and is reserved only for the Malware Storage Pack (MSP).		Two SSD slots Ships with one 400-GB SSD installed in slot 1. Slot 1 is the primary SSD and should always be present. Slot 1 is reserved for the logical device application instance (threat defense or ASA). Note RAID is not supported. The SSD must be installed in slot 1. Slot 2 is optional and is reserved only for the MSP.
MSP	Installed in the second SSD slot only
Security standards certifications	Common Criteria certification (CC) for the Network Device Collaborative Protection Profile (NDcPPv2.2E), VPN Gateway Module (VPNGW_MOD_v1.1), and Firewall Module (FW_MOD_v1.4e) for ASA 9.16.x. Common Criteria (CC) and Commercial Solutions for Classified (CSFC) for ASA 9.8.x and FTD 6.2.x. CC for the Network Device Collaborative Protection Profile (NDcPPv2.1) for ASA 9.12.x and FX-OS 2.6.x. Federal Information Processing Standards (FIPS) 140-2 on ASA 9.12.x, FTD 6.4.x, and FX-OS 2.6.x. Department of Defense Information Network Approved Product List (DoDIN APL) for ASA 9.12.x and FTD 6.4.x. US Government Compliance for IPv6 (USGv6) for ASA 9.8.x and FTD 6.2.x. Note See the "Security Certifications Compliance" chapter in the for the procedure to enable security modes.
Network Equipment Building Systems (NEBS) certification	—	Certified	—	—

Deployment Options

Here are some examples of how you can deploy the Firepower 4100:

• In a data center using NGFW and ASA
• At the core/aggregation layer of a 3-tier data center in a high availability configuration
• As a dedicated multifunctional security service within converged infrastructure stacks, for example, vBlock, FlexPod, and so forth, at the access layer
• As a high-performance data center security appliance between the WAN edge and the data center core in a high availability configuration
• Inter-DC clustering deployments
• In newer spine/leaf data center designs, deployment as a leaf that exclusively offers security functions

Package Contents

The following figure shows the package contents for the Firepower 4100. Note that the contents are subject to change and your exact contents might contain additional or fewer items.

Figure 2: Firepower 4100 Package Contents

1. Firepower 4100 chassis
2. Blue console cable PC terminal adapter (part number 72-3383-01)
3. Two power cords (country-specific) See Power Cord Specifications a list of supported power cords.
4. 10/100/1000BASE-T SFP transceiver
5. Ground lug kit (part number 69-1000359-01):

• One ground lug #6 AWG, 90 degree, #10 post (part number 32-0608-01)
• Two 10-32 x 39-8-inch Phillips Head screws (part number 48-0700-01)

6. Cable management bracket kit (part number 69-100376-01)

• Two cable management brackets (part number 700-106377-01)
• Four 8-32 x 0.375-inch Phillips screws (part number 48-2696-01)

Serial Number Location

The serial number for the Firepower 4100 series chassis is located on the pullout asset card on the front panel.

Figure 3: Serial Number on the 4100 Chassis

You can also view additional model information on the compliance label located on the bottom of the chassis.

Front Panel Figure 4: Compliance Label on the 4100 Chassis

Front Panel

The following figure shows the front panel of the Firepower 4100.

Figure 5:Firepower 4100 Front Panel

RJ-45 Console Port
The Firepower 4100 has a standard RJ-45 console port. You can use the CLI to configure your Firepower 4100 through the RJ-45 serial console port by using a terminal server or a terminal emulation program on a computer.
The RJ-45 (8P8C) port supports RS-232 signaling to an internal UART controller. The console port does not have any hardware flow control, and does not support a remote dial-in modem. The baud rate is 9600. You can use the standard cable found in your accessory kit to convert the RJ-45 to DB-9 if necessary.

Type A USB Port
You can use the external USB Type A port to attach a data storage device. The external USB drive identifier is disk1:. The USB Type A port supports the following:

• Hot swapping
• USB drive formatted with FAT32
• Boot kick-start image from the Supervisor ROMMON for discovery recovery purposes
• Copy files to and from workspace:/ and volatile:/ within local-mgmt. The most relevant files are:
• Core files
• Ethanalyzer packet captures
• Tech-support files
• Security module log files
• Platform bundle image upload usingdownload image usbA:

The USB Type A port does not support Cisco Secure Package (CSP) image upload.

Network Ports
The Firepower 4100 chassis has eight fixed ports that require 1-Gb/10-Gb SFP/SFP+ transceivers (fiber or copper). They are numbered from left to right starting with 1 and are named Ethernet 1/1 through Ethernet 1/8. The 4100 also has two network module slots that support different numbers of ports depending on the network module. See Network Modules for the supported network modules. See for Supported SFP/SFP+ and QSFP Transceivers the list of supported transceivers.
Each port has LEDs that represent link/activity status.

Management Port
The Firepower 4100 chassis has a management port that requires a 1-Gb fiber or copper SFP.

Front Panel LEDs

The following figure and table describe the Firepower 4100 front panel LEDs.

Figure 6:Front Panel LEDs

1. Management

• Off—No connection or port is not in use.
• Amber—No link or network failure.
• Green—Link up.
• Green, flashing—Network activity.

2. Health (SYS)

• Off—System is not booting yet.
• Green, flashing—Power-up diagnostics are complete and system is booting up.
• Green—The system has passed power-up diagnostics.
• Amber—Power-up diagnostics has failed.
• Amber, flashing—Alarm; power-up diagnostics are running.

3. SSD

• Off— SSD not present.
• Green—SSD is present; no activity.
• Green, flashing—SSD is active.
• Amber—SSD failure.
• Amber, flashing—Rebuilding, flashes at 1 Hz.
• Amber, flashing—Predictive failure analysis (PFA) and hot spare; two fast flashes at 4 Hz, pause for 0.5 seconds.

4. Power

• Off—Input power not detected.
• Green, flashing—Appears only when you move the power switch from ON to OFF. System is shutting down and powers off once shutdown is completed.
• Amber—System is powering up.
• Green—System fully powered up.
• Amber, flashing—Reserved.

5. Active (ACT) This LED is not supported; reserved for future use.
6. Locator LED

• Off—Locate is off.
• Blue—Locate is on.

Rear Panel

The following figure shows the rear panel of the Firepower 4100.

The power switch is located to the left of power supply module 1 on the rear of the chassis. It is a toggle switch that controls power to the system. If the power switch is in standby position, only the 3.3-V standby power is enabled from the power supply module and the 12-V main power is OFF. When the switch is in the ON position, the 12-V main power is turned on and the system boots.
You can shut down the chassis in one of two ways:

• Perform a graceful shutdown using the shutdown commands. This may take several minutes to complete. Then toggle the power switch to the OFF position. The power LED changes from solid green to off immediately.

If you move the power switch to the OFF position before the shutdown command sequence is complete or if you remove the system power cords before the graceful shutdown is complete, disk corruption can occur.

Network Modules

• Toggle the power switch to the OFF position. The power LED changes from solid green to off.

Note
After removing power from the chassis either by moving the power switch to OFF or unplugging the power cord, wait at least 10 seconds before turning power back ON.

Network Modules

The Firepower 4100 contains two network module slots that provide optical or electrical network interfaces. Network modules are optional, removable I/O modules that provide either additional ports or different interface types (1/10/40 Gb). The Firepower network modules plug into the chassis on the front panel.

For More Information

• See 10-Gb Network Module for a description of the 10-GB network module.
• See 40-Gb Network Module for a description of the 40-GB network module.
• See Hardware Bypass Network Modules for the location and description of the LEDs, and the port configurations for the hardware bypass network modules.
• See Install, Remove, and Replace the Network Module for the procedure for removing and replacing network modules.

10-Gb Network Module
The following figure shows the front panel of the 10-Gb single-wide network module (FPR4K-NM-8X10G). The eight ports are numbered from top to bottom, left to right.
Note
Make sure you have the correct firmware package and software version installed to support this network module.
Note
The FPR4K-NM-8X10G is NEBS-compliant.
Note
You can fit four copper SFPs in either the top row of ports or the bottom row of ports. Both rows cannot be populated at the same time, because of the port row spacing.

Figure 8: FPR4K-NM-8X10G

For More Information

• For a list of copper SFPs, see Supported SFP/SFP+ and QSFP Transceivers.

40-Gb Network Module
The following figure shows the front panel of the 40-Gb network module (FPR4K-NM-4X40G.) The FPR4K-NM-4X40G is a single-wide module that supports hot swapping. The four ports are numbered left to right.
Note
Make sure you have the correct firmware package and software version installed to support this network module.
Note
The FPR4K-NM-4X40G is NEBS-compliant.

Figure 9: FPR4K-NM-4X40G

1. Captive screw/handle
2. Network activity LEDs

• Off—No connection or port is not in use.
• Amber—No link or network failure.
• Green—Link up.
• Green, flashing—Network activity.
• 40Gb—Only the leftmost LED indicates the port status.
• 4x10Gb—Each of the port LEDS indicates the status of respective 10-Gb channel.

3. Ethernet X/1
4. Ethernet X/2
5. Ethernet X/3
6. Ethernet X/4

Hardware Bypass Network Modules

Hardware bypass (also known as fail-to-wire) is a physical layer (Layer 1) bypass that allows paired interfaces to go into bypass mode so that the hardware forwards packets between these port pairs without software intervention. Hardware bypass provides network connectivity when there are software or hardware failures. Hardware bypass is useful on ports where the Firepower security appliance is only monitoring or logging traffic. The hardware bypass network modules have an optical switch that is capable of connecting the two ports when needed. The hardware bypass network modules have built-in SFPs.
Hardware bypass is supported only on a fixed set of ports. You can pair Port 1 with Port 2, Port 3 with Port 4, but you cannot pair Port 1 with Port 4 for example.
Note
When the appliance switches from normal operation to hardware bypass or from hardware bypass back to normal operation, traffic may be interrupted for several seconds. A number of factors can affect the length of the interruption; for example, behavior of the optical link partner such as how it handles link faults and debounce timing; spanning tree protocol convergence; dynamic routing protocol convergence; and so on. During this time, you may experience dropped connections.

There are three configuration options for hardware bypass network modules:

• Passive interfaces—Connection to a single port.
  For each network segment you want to monitor passively, connect the cables to one interface. This is how the nonhardware bypass network modules operate.
• Inline interfaces—Connection to any two like ports (10 Gb to 10 Gb for example) on one network module, across network modules, or fixed ports.
  For each network segment you want to monitor inline, connect the cables to pairs of interfaces.
• Inline with hardware bypass interfaces—Connection of a hardware bypass paired set.
  For each network segment that you want to configure inline with fail-open, connect the cables to the paired interface set.
  For the 40-Gb network module, you connect the two ports to form a paired set. For the 1/10-Gb network modules, you connect the top port to the bottom port to form a hardware bypass paired set. This allows traffic to flow even if the security appliance fails or loses power.

Note
If you have an inline interface set with a mix of hardware bypass and nonhardware bypass interfaces, you cannot enable hardware bypass on this inline interface set. You can only enable hardware bypass on an inline interface set if all the pairs in the inline set are valid hardware bypass pairs.

For More Information

• See 1-Gb Network Module with Hardware Bypass for a description of the 1-Gb network module.
• See 40-Gb Network Module with Hardware Bypass for a description of the 40-Gb network module.
• See 1-Gb SX/10-Gb SR/10-Gb LR Network Module with Hardware Bypass for a description of the 1-Gb SX, 10-Gb SR and LR network modules.
• See Install, Remove, and Replace the Network Module for the procedure for removing and replacing single-wide network modules.

Figure 10: FPR-NM-8X1G-F

1. Captive screw/handle
2. Bypass LEDs B1 through B4

• Green—In standby mode.
• Amber, flashing—Port is in hardware bypass mode, failure event.

40-Gb Network Module with Hardware Bypass
The following figure shows the front panel of the 40-Gb hardware bypass network module
(FPR4K-NM-2X40G-F). The FPR4K-NM-2X40G-F is a single-wide module that does not support hot swapping. The two ports are numbered left to right. Pair the two ports to create a hardware bypass paired set.

Note
Make sure you have the correct firmware package and software version installed to support this network module.

Figure 11: FPR4K-NM-2X40G-F

1. Captive screw/handle
2. Port 1 Ethernet X/1 Ports 1 and 2 are paired together to form a hardware bypass pair.

3. Port 2 Ethernet X/2 Ports 1 and 2 are paired together to form a hardware bypass pair.
4. Port 1 network activity LEDs:

• Amber—No connection, or port is not in use, or no link or network failure.
• Green—Link up, no network activity.
• Green, flashing—Network activity.

5. BP (bypass LED):

• Green—In standby mode.
• Amber, flashing—Port is in hardware bypass mode, failure event.

The following table describes the cable specifications needed to keep the insertion loss as low as possible.

Table 2: 40-Gb BASE-SR Cable Specifications

Note
See the specifications of the QSFP for the 40-Gb BASE-SR-4.
We recommend the following Cisco OM3 MTP/MPO cables.

1-Gb SX/10-Gb SR/10-Gb LR Network Module with Hardware Bypass
The following figure shows the front panel of the 1-Gb SX, 10-Gb SR and 10-Gb LR hardware bypass network modules (FPR4K-NM-6X1SX-F, FPR4K-NM-6X10SR-F, FPR4K-NM-6X10LR-F). This is a single-wide module that does not support hot swapping. The six ports are numbered from top to bottom, left to right. Pair ports 1 and 2, 3 and 4, and 5 and 6 to form hardware bypass paired sets.
Note
Make sure you have the correct firmware package and software version installed to support this network module.

Figure 12: FPR4K-NM-6X1SX-F, FPR4K-NM-6X10SR-F, FPR4K-NM-6X10LR-F

1. Captive screw/handle
2. Six network activity LEDs:

• Amber—No connection, or port is not in use, or no link or network failure.
• Green—Link up, no network activity.
• Green, flashing—Network activity.

The 1-Gb SX /10-Gb SR/10-Gb LR network modules have the following insertion loss measurements. Insertion loss measurements help you to troubleshoot the network by verifying cable installation and performance.

Table 4: 1-Gb SX Network Module (FPR4K-NM-6X1SX-F)

Table 5: 10-Gb SR Network Module (FPR4K-NM-6X10SR-F)

Table 6: 10-Gb LR Network Module (FPR4K-NM-6X10LR-F)

Power Supply Modules

The Firepower 4100 supports two AC or DC power supply modules so that dual power supply redundancy protection is available. Facing the back of the chassis, the power supply modules are numbered left to right, for example, PSU1 and PSU2.
Note
Do not mix AC and DC power supply modules in one chassis.
Note
After removing power from the chassis either by moving the power switch to OFF or unplugging the power cord, wait at least 10 seconds before turning power back ON.
Attention
Make sure that one power supply module is always active.

See Remove and Replace the Power Supply Module for the procedure for removing and replacing the power supply module.

AC Power Supply
The power supplies can supply up to 1100-W power across the input voltage range. The load is shared when both power supply modules are plugged in and running at the same time. The power supply modules are hot-swappable.

Table 7: AC Power Supply Module Hardware Specifications

DC Power Supply
The power supplies can supply up to 950 W of power across the input voltage range. The load is shared when both power supply modules are plugged in and running at the same time. The power supply modules are hot-swappable.

Table 8: DC Power Supply Module Hardware Specifications

Power Supply Module LEDs
The following figure shows the two-color power supply LEDs. The LEDs are located on the upper right side.

Figure 13: Power Supply Module LEDs

1. Amber FAIL LED
2. Green OK LED

The following table describes the power module supply LEDs and their states.

Table 9: Power Supply Module LEDs

Fan Modules

The Firepower 4100 requires six fan modules, which are hot-swappable. They are installed in the rear of the chassis. The system supports operation with a single fan failure (N+1 fan redundancy), but do not run the system for an extended amount of time without all fan modules installed. Keep removal and replacement time at three minutes. Remove and replace one fan module at a time.
If you remove a fan or a fan fails, the other fans operate at full speed, which can be noisy.
The fan modules are numbered left to right, for example, FAN1, FAN2, FAN3, FAN4, FAN5, and FAN6. See Remove and Replace the Fan Module for the procedure for removing and replacing the fan module.
The following figure shows the location of the fan LED.

Figure 14: Fan LED

1. Two-color LED

The fan module has one two-color LED, which is located on the upper left corner of the fan.

• Amber—Fan failure.
• Green—Fan running normally. It may take up to one minute for the LED status to turn green after power is on.

Supported SFP/SFP+ and QSFP Transceivers

The SFP/SFP+ transceivers are bidirectional devices with a transmitter and receiver in the same physical package. It is a hot-swappable optical or electrical (copper) interface that plugs into the SFP/SFP+ ports on the fixed ports and the network module ports, and provides Ethernet connectivity.

Use appropriate ESD procedures when inserting the transceiver. Avoid touching the contacts at the rear, and keep the contacts and ports free of dust and dirt. Keep unused transceivers in the ESD packing that they were shipped in. The following figure shows a sample SFP transceiver.

Safety Warnings
Take note of the following optical connection warnings:

Statement 1051—Laser Radiation
Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not stare into beams or view directly with optical instruments.

Statement 1055—Class 1/1M Laser
Invisible laser radiation is present. Do not expose to users of telescopic optics. This applies to Class 1/1M laser products.


For some earlier production Firepower 4100 chassis, you may experience difficulty using the GLC-TE SFP on the management port or fixed ports. Contact Cisco TAC for support if you encounter problems with the GLC-TE SFP.

The following table lists the Cisco supported transceivers.

Table 10: Supported Cisco SFP/SFP+ Transceivers

Hardware Specifications

The following table contains hardware specifications for the Firepower 4100.

Table 11: Firepower 4100 Hardware Specifications

Product ID Numbers

The following table lists the PIDs associated with the Firepower 4100 series. All of the PIDs in the table are field-replaceable. If you need to get a return material authorization (RMA) for any component, see Cisco Returns Portal for more information.

Table 12: Firepower 4100 Series PIDs

Power Cord Specifications

Each power supply has a separate power cord. Standard power cords are available for connection to the security appliance.
If you do not order the optional power cord with the system, you are responsible for selecting the appropriate power cord for the product. Using a incompatible power cord with this product may result in electrical safety hazard. Orders delivered to Argentina, Brazil, and Japan must have the appropriate power cord ordered with the system.
Note
Only the approved power cords or jumper power cords provided with the security appliance are supported.

The following power cords are supported.

Figure 16: Argentina CAB-9K10A-AR

1. Plug: IRAM 2073
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C15

Figure 17: Australia CAB-9K10A-AU

Figure 18: Brazil CAB-250V-10A-BR

1. Plug: EL223 (NBR 14136)
2. Cord set rating: 10 A, 250 V
3. Connector: EL 701B (EN 60320/C13)

Figure 19: Brazil PWR-CORD-G2A-BZ

1. Plug: NBR 14136
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C13

Figure 20: China CAB-9K10A-CH

1. Plug: CCC GB2099.1, GB1002
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C15

Figure 21: Denmark CAB-TA-DN

1. Plug: DK3
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C13

Figure 22: Europe CAB-AC-EUR

1. Plug: CEE 7/7
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C15

Figure 23: India CAB-250V-10A-ID

1. Plug: IS 6538-1971
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C13

Figure 24: Israel CAB-250V-10A-IS

1. Plug: SI-32
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C13

Figure 25: Italy CAB-9K10A-IT

1. Plug: CEI 23-16/VII
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C15

Figure 26: Korea CAB-9K10A-KOR

1. Plug: CEE 7/7
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C19

Figure 27: Japan CAB-L620P-C13-JPN

1. Plug: NEMA L6-20P
2. Cord set rating: 15 A, 250 V
3. Connector: IEC 60320-C13

Figure 29: North America CAB-TA-NA

1. Plug: NEMA5-15P
2. Cord set rating: 12 A, 125 V
3. Connector: IEC 60320-C15

Figure 30: Saudi Arabia ATA187PWRCORD-SAUD

1. Plug: BS1363A/SS145
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C13

Figure 31: South Africa CAB-9K10A-SA

1. Plug: SABS 164
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C15

Figure 32: Switzerland CAB-9K10A-SW

1. Plug: SEV 1011
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C15

Figure 33: Taiwan CAB-9K10A-TWN

1. Plug: CNS10917-2
2. Cord set rating: 10 A, 125 V
3. Connector: IEC 60320-C15

Figure 34: United Kingdom CP-PWR-CORD-UK

1. Plug: BS1363A/SS145
2. Cord set rating: 10 A, 250 V
3. Connector: IEC 60320-C13