Cisco Firepower 2100 Getting Started Manual
  1. Manuals
  2. Brands
  3. Cisco Manuals
  4. Gateway
  5. Firepower 2100
  6. Getting started manual

Cisco Firepower 2100 Getting Started Manual

Hide thumbs Also See for Firepower 2100:
Table of Contents

Advertisement

Quick Links

Cisco Firepower 2100 Getting Started Guide
First Published: 2019-09-25
Last Modified: 2020-07-28
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Advertisement

Table of Contents
loading

Related Manuals for Cisco Firepower 2100

Summary of Contents for Cisco Firepower 2100

  • Page 1 Cisco Firepower 2100 Getting Started Guide First Published: 2019-09-25 Last Modified: 2020-07-28 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 3 You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.
  • Page 4 You cannot use this API if you are managing the FTD using FMC. The FTD REST API is not covered in this guide. For more information, see the REST API guide. Cisco Firepower 2100 Getting Started Guide...
  • Page 5 The ASA REST API lets you automate ASA configuration. However, the API does not include all ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the REST API guide. Cisco Firepower 2100 Getting Started Guide...
  • Page 6 Which Operating System and Manager is Right for You? ASA Managers Cisco Firepower 2100 Getting Started Guide...
  • Page 7 Note The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.

  • Page 8: Table Of Contents

    Manage the Device with CDO, on page 34 • Additional FTD Management Procedures, on page 34 • What's Next, on page 37 End-to-End Procedure See the following tasks to deploy FTD with CDO on your chassis. Cisco Firepower 2100 Getting Started Guide...
  • Page 9 Firepower Threat Defense Deployment with CDO End-to-End Procedure Pre-Configuration Review the Network Deployment and Default Configuration, on page Pre-Configuration Cable the Device, on page Cisco Firepower 2100 Getting Started Guide...
  • Page 10 Management interface is a special interface with its own network settings. The following figure shows the recommended network deployment for the Firepower 2100. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the FTD performs all routing and NAT for your inside networks.
  • Page 11 • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network. The following figure shows the default network deployment for Firepower Threat Defense using Firepower Device Manager on a Firepower 2100 series appliance using the default configuration. Figure 1: Suggested Network Deployment Note For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
  • Page 12 • DNS server for management—OpenDNS: 208.67.222.222, 208.67.220.220, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes • Data interfaces—Obtained from outside DHCP, or a gateway IP address you specify during setup •...
  • Page 13 Cable the Device Cable the Device Note For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. Procedure Step 1 Connect your management computer to either of the following interfaces: •...
  • Page 14 OFF position. The front panel PWR LED flashes momentarily and turns off. Do not remove the power until the PWR LED is completely off. See the FXOS Configuration Guide for more information on using the shutdown commands. Cisco Firepower 2100 Getting Started Guide...
  • Page 15 The first time you log in to FTD, you are prompted to accept the End User License Agreement (EULA). You are then presented with the CLI setup script. Defaults or previously-entered values appear in brackets. To accept previously entered values, press Enter. Cisco Firepower 2100 Getting Started Guide...
  • Page 16 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.

  • Page 17: Complete The Initial Configuration

    Note Your settings are deployed to the device when you click Next. The interface will be named “outside” and it will be added to the “outside_zone” security zone. Ensure that your settings are correct. Cisco Firepower 2100 Getting Started Guide...

  • Page 18: Log Into Cdo

    Log Into CDO CDO uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). CDO requires MFA which provides an added layer of security in protecting your user identity. Two-factor authentication, a type of MFA, requires two components, or factors, to ensure the identity of the user logging into CDO.
  • Page 19 The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 20 Firepower Threat Defense Deployment with CDO Create a New Cisco Secure Sign-On Account Figure 2: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register. Figure 3: Create Account Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company.
  • Page 21 Choose a security image. d) Click Create My Account. You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 22 Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). • To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using Duo; see Create a New Cisco Secure Sign-On Account, on page •...

  • Page 23: Onboard The Device To Cdo

    FTD as the head-end for VPN connections, you will not be able to use the outside interface to manage the device. Connect Cisco Defense Orchestrator to the Secure Device Connector for more information about how to connect CDO to your SDC and what network access needs to be allowed.
  • Page 24 • Your device MUST be managed by Firepower Device Manager (FDM). • Make sure the licenses installed on the device are not registered with Cisco Smart Software Manager. You will need to un-register the FTD if it is already smart-licensed; see...
  • Page 25 You can skip copying the registration key and click Next to complete the place holder entry for the device and later, register the device. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.

  • Page 26: Configure The Device In Cdo

    Configure the Device in CDO The following steps provide an overview of additional features you might want to configure. Please click the help button (?) on a page to get detailed information about each step. Cisco Firepower 2100 Getting Started Guide...
  • Page 27 The following example shows how to create a new dmz-zone for the dmz interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 28 IPv4 route is for any-ipv4 (0.0.0.0/0), whereas a default IPv6 route is for any-ipv6 (::0/0). Create routes for each IP version you use. If you use DHCP to obtain an address for the outside interface, you might already have the default routes that you need. Cisco Firepower 2100 Getting Started Guide...
  • Page 29 • Identity—If you want to correlate network activity to individual users, or control network access based on user or user group membership, use the identity policy to determine the user associated with a given source IP address. Cisco Firepower 2100 Getting Started Guide...
  • Page 30 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.

  • Page 31: Configure Licensing

    You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 32 • RA VPN—See the Cisco AnyConnect Ordering Guide. Step 2 In the Cisco Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. Cisco Firepower 2100 Getting Started Guide...
  • Page 33 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD. Cisco Firepower 2100 Getting Started Guide...
  • Page 34 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired. Cisco Firepower 2100 Getting Started Guide...
  • Page 35 Firepower Threat Defense Deployment with CDO Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. Cisco Firepower 2100 Getting Started Guide...

  • Page 36: Manage The Device With Cdo

    Firepower Threat Defense Deployment with CDO Manage the Device with CDO • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features. You cannot configure the features in new policies, nor can you deploy policies that use the feature.
  • Page 37 (the default is Admin123). Example: firepower login: admin Password: Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0 Successful login attempts for user 'admin' : 1 firepower# Step 2 Access the FTD CLI. connect ftd Example: Cisco Firepower 2100 Getting Started Guide...
  • Page 38 • After you unregister the device with the Smart Software Manager, you can then onboard the device to CDO using a registration token; see Onboard an FTD with a Registration Key (Recommended), on page Cisco Firepower 2100 Getting Started Guide...

  • Page 39: What's Next

    What's Next To continue configuring your FTD device using CDO, see the CDO Configuration Guides. For additional information related to using CDO, see the Cisco Defense Orchestrator home page. Cisco Firepower 2100 Getting Started Guide...
  • Page 40 Firepower Threat Defense Deployment with CDO What's Next Cisco Firepower 2100 Getting Started Guide...
  • Page 41 Note The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.

  • Page 42: End-To-End Procedure

    Power Off the Device, on page 61 • What's Next?, on page 61 End-to-End Procedure See the following tasks to deploy FTD with FDM on your chassis. Pre-Configuration Review the Network Deployment and Default Configuration, on page Cisco Firepower 2100 Getting Started Guide...

  • Page 43: Review The Network Deployment And Default Configuration

    Management interface is a special interface with its own network settings. The following figure shows the recommended network deployment for the Firepower 2100. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the FTD performs all routing and NAT for your inside networks.
  • Page 44 • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network. The following figure shows the default network deployment for Firepower Threat Defense using Firepower Device Manager on a Firepower 2100 series appliance using the default configuration. Figure 14: Suggested Network Deployment Note For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
  • Page 45 • DNS server for management—OpenDNS: 208.67.222.222, 208.67.220.220, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes • Data interfaces—Obtained from outside DHCP, or a gateway IP address you specify during setup •...

  • Page 46: Cable The Device

    Cable the Device Cable the Device Note For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. Procedure Step 1 Connect your management computer to either of the following interfaces: •...

  • Page 47: Power On The Device

    OFF position. The front panel PWR LED flashes momentarily and turns off. Do not remove the power until the PWR LED is completely off. See the FXOS Configuration Guide for more information on using the shutdown commands. Cisco Firepower 2100 Getting Started Guide...

  • Page 48: (Optional) Change Management Network Settings At The Cli

    The first time you log in to FTD, you are prompted to accept the End User License Agreement (EULA). You are then presented with the CLI setup script. Defaults or previously-entered values appear in brackets. To accept previously entered values, press Enter. Cisco Firepower 2100 Getting Started Guide...

  • Page 49: Log Into Fdm

    Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.

  • Page 50: Complete The Initial Configuration

    Note Your settings are deployed to the device when you click Next. The interface will be named “outside” and it will be added to the “outside_zone” security zone. Ensure that your settings are correct. Cisco Firepower 2100 Getting Started Guide...
  • Page 51 Configure Licensing, on page • You can also choose to onboard the device to CDO. If so, you should register and license your device after you onboard; see Onboard the Device to CDO, on page Cisco Firepower 2100 Getting Started Guide...

  • Page 52: Configure Licensing

    You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 53 In the Cisco Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token. Cisco Firepower 2100 Getting Started Guide...
  • Page 54 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD. Cisco Firepower 2100 Getting Started Guide...
  • Page 55 In FDM, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token: Cisco Firepower 2100 Getting Started Guide...
  • Page 56 You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired. Cisco Firepower 2100 Getting Started Guide...
  • Page 57 Firepower Threat Defense Deployment with FDM Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.

  • Page 58: Configure The Device In Firepower Device Manager

    You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces. The following example shows how to create a new dmz-zone for the dmz interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 59 The routes you define on this page are for the data interfaces only. They do not impact the Note management interface. Set the management gateway on Device > System Settings > Management Interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 60 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.

  • Page 61: Access The Ftd And Fxos Cli

    Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes. Cisco Firepower 2100 Getting Started Guide...
  • Page 62 To exit the FTD CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?. Example: > exit Cisco Firepower 2100 Getting Started Guide...

  • Page 63: Power Off The Device

    To continue configuring your FTD device, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FDM, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager. Cisco Firepower 2100 Getting Started Guide...
  • Page 64 Firepower Threat Defense Deployment with FDM What's Next? Cisco Firepower 2100 Getting Started Guide...
  • Page 65 Note The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 66 What's Next?, on page 91 Before You Start Deploy and perform initial configuration of the FMC. See the FMC getting started guide. End-to-End Procedure See the following tasks to deploy the FTD with FMC on your chassis. Cisco Firepower 2100 Getting Started Guide...
  • Page 67 Review the Network Deployment, on page Pre-Configuration Cable the Device, on page Pre-Configuration Power on the Device, on page FTD CLI Complete the FTD Initial Configuration, on page Firepower Log Into the Firepower Management Center, on page Management Center Cisco Firepower 2100 Getting Started Guide...
  • Page 68 The FMC can only communicate with the FTD on the management interface. Both the FMC and FTD require internet access from management for licensing and updates. The following figure shows a possible network deployment for the Firepower 2100 where the FMC and management computer connect to the management network. The management network has a path to the internet for licensing and updates.
  • Page 69 FMC and FTD managamement. In the following diagram, the Firepower 2100 acts as the internet gateway for the management interface and the FMC by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the FMC and management computer to the switch.
  • Page 70 Figure 24: Edge Network Deployment Cable the Device To cable one of the above scenarios on the Firepower 2100, see the following steps. Note Other topologies can be used, and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.
  • Page 71 Connect the inside interface (for example, Ethernet 1/2) to your inside router. d) Connect the outside interface (for example, Ethernet 1/1) to your outside router. e) Connect other networks to the remaining interfaces. Step 2 Cable for an edge deployment: Cisco Firepower 2100 Getting Started Guide...

  • Page 72: Power On The Device

    Before you begin It's important that you provide reliable power for your device (for example, using an uninterruptable power supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are Cisco Firepower 2100 Getting Started Guide...

  • Page 73: Complete The Ftd Initial Configuration

    You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See the FTD command reference. Cisco Firepower 2100 Getting Started Guide...
  • Page 74 SSH but you change the IP address at initial setup, you will be disconnected. Reconnect with the new IP address and password. Console connections are not affected. • Manage the device locally?—Enter no to use FMC. A yes answer means you will use Firepower Device Manager instead. Cisco Firepower 2100 Getting Started Guide...
  • Page 75 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.

  • Page 76: Log Into The Firepower Management Center

    Log Into the Firepower Management Center Use the FMC to configure and monitor the FTD. Before you begin For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes). Cisco Firepower 2100 Getting Started Guide...

  • Page 77: Obtain Licenses For The Firepower Management Center

    Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...

  • Page 78: Register The Ftd With The Fmc

    Register the FTD to the FMC. Before you begin • Gather the following information that you set in the FTD initial configuration: • FTD management IP address or hostname, and NAT ID, if configured • FMC registration key Cisco Firepower 2100 Getting Started Guide...
  • Page 79 • Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page Cisco Firepower 2100 Getting Started Guide...

  • Page 80: Configure A Basic Security Policy

    • Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface. • DHCP server—Use a DHCP server on the inside interface for clients. • Default route—Add a default route through the outside interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 81 The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Click Interfaces. Cisco Firepower 2100 Getting Started Guide...
  • Page 82 Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most Cisco Firepower 2100 Getting Started Guide...
  • Page 83 Click the Edit ( ) for the interface that you want to use for outside. The General tab appears. a) Enter a Name up to 48 characters in length. For example, name the interface outside. b) Check the Enabled check box. c) Leave the Mode set to None. Cisco Firepower 2100 Getting Started Guide...
  • Page 84 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options: • Interface—Choose the interface from the drop-down list. Cisco Firepower 2100 Getting Started Guide...
  • Page 85 Choose Routing > Static Route, click Add Route, and set the following: • Type—Click the IPv4 or IPv6 radio button depending on the type of static route that you are adding. • Interface—Choose the egress interface; typically the outside interface. Cisco Firepower 2100 Getting Started Guide...
  • Page 86 Port Address Translation (PAT). Procedure Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT. Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save. Cisco Firepower 2100 Getting Started Guide...
  • Page 87 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule. • Type—Choose Dynamic. Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Cisco Firepower 2100 Getting Started Guide...
  • Page 88 ) to add a network object for all IPv4 traffic (0.0.0.0/0). Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. • Translated Source—Choose Destination Interface IP. Cisco Firepower 2100 Getting Started Guide...
  • Page 89 • Name—Name this rule, for example, inside_to_outside. • Source Zones—Select the inside zone from Available Zones, and click Add to Source. • Destination Zones—Select the outside zone from Available Zones, and click Add to Destination. Cisco Firepower 2100 Getting Started Guide...
  • Page 90 Select the device in the Deploy Policies dialog box, then click Deploy. Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. Cisco Firepower 2100 Getting Started Guide...

  • Page 91: Access The Ftd And Fxos Cli

    You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at initial setup (the default is Admin123). Example: firepower login: admin Password: Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0 Successful login attempts for user 'admin' : 1 Cisco Firepower 2100 Getting Started Guide...

  • Page 92: Power Off The Device

    Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit). Step 7 After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary. Cisco Firepower 2100 Getting Started Guide...

  • Page 93: What's Next

    What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide. Cisco Firepower 2100 Getting Started Guide...
  • Page 94 Firepower Threat Defense Deployment with FMC What's Next? Cisco Firepower 2100 Getting Started Guide...
  • Page 95 You can then configure your security policy in the ASA operating system using ASDM or the ASA CLI. This chapter describes how to deploy the Firepower 2100 in your network in ASA Appliance mode. By default, the Firepower 2100 runs in Appliance mode; to use Platform mode, see...
  • Page 96 • Cisco Security Manager—A multi-device manager on a separate server. You can also access the FXOS CLI for troubleshooting purposes. Unsupported Features The following ASA features are not supported on the Firepower 2100: • Integrated Routing and Bridging • Redundant interfaces •...
  • Page 97 Migrating an ASA 5500-X Configuration Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 2100 in Appliance Mode. However, you will need to modify your configuration. Also note some behavioral differences between the platforms.

  • Page 98: End-To-End Procedure

    Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8. boot system commands The Firepower 2100 in Appliance Mode only allows a single boot system command, so you should remove all but one The ASA 5500-X allows up to four boot system commands to command before you paste.
  • Page 99 Review the Network Deployment and Default Configuration, on page Pre-Configuration Cable the Device, on page 100. Pre-Configuration Power on the Device, on page 101. ASA CLI (Optional) Change the IP Address, on page 102. ASDM Log Into ASDM, on page 103. Cisco Firepower 2100 Getting Started Guide...

  • Page 100: Review The Network Deployment And Default Configuration

    109. Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 2100 using the default configuration in ASA Appliance mode. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
  • Page 101 For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, Platform mode is maintained. The default factory configuration for the Firepower 2100 in Appliance mode configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) •...

  • Page 102: Cable The Device

    0.0.0.0 0.0.0.0 management http 192.168.1.0 255.255.255.0 management dhcpd auto_config outside dhcpd address 192.168.1.20-192.168.1.254 inside dhcpd enable inside dns domain-lookup outside dns server-group DefaultDNS name-server 208.67.222.222 outside name-server 208.67.220.220 outside Cable the Device Cisco Firepower 2100 Getting Started Guide...

  • Page 103: Power On The Device

    ASA Appliance Mode Deployment with ASDM Power on the Device Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also configures Ethernet1/1 as outside. Procedure Step 1 Connect your management computer to either of the following interfaces: •...

  • Page 104: (Optional) Change The Ip Address

    Based on the management IP address and mask, the DHCP address pool size is reduced to 103 from the platform limit 256 WARNING: The boot system configuration will be cleared. The first image found in disk0:/ will be used to boot the Cisco Firepower 2100 Getting Started Guide...

  • Page 105: Log Into Asdm

    ASA, connect to a management-only interface, or connect to an interface not configured for a strong encryption feature. Before you begin • See the ASDM release notes on Cisco.com for the requirements to run ASDM. Procedure Step 1 Enter the following URL in your browser. Cisco Firepower 2100 Getting Started Guide...

  • Page 106: Configure Licensing

    • https://management_ip—Management interface IP address assigned from DHCP. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 107 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 108 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA. Cisco Firepower 2100 Getting Started Guide...
  • Page 109 Figure 29: View Token Figure 30: Copy Token Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing. Step 4 Click Register. Step 5 Enter the registration token in the ID Token field. Cisco Firepower 2100 Getting Started Guide...
  • Page 110 • Firepower 2130—30 contexts • Firepower 2140—40 contexts For example, to use the maximum of 25 contexts on the Firepower 2110, enter 23 for the number of contexts; this value is added to the default of 2. Cisco Firepower 2100 Getting Started Guide...

  • Page 111: Configure The Asa

    Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Cisco Firepower 2100 Getting Started Guide...
  • Page 112 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. Cisco Firepower 2100 Getting Started Guide...

  • Page 113: Access The Asa And Fxos Cli

    Procedure Step 1 Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system .

  • Page 114: What's Next

    Type help or '?' for a list of available commands. ciscoasa# What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide. Cisco Firepower 2100 Getting Started Guide...
  • Page 115 This chapter describes how to deploy the Firepower 2100 in your network in ASA Platform mode. By default, the Firepower 2100 runs in Appliance mode, so this chapter tells you how to set the mode to Platform mode. This chapter does not cover the following deployments, for which you should refer to the...

  • Page 116: About The Asa

    The ASA provides advanced stateful firewall and VPN concentrator functionality in one device. The Firepower 2100 is a single-application appliance for the ASA. You can run the ASA in either Platform mode or Appliance mode (the default). The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).
  • Page 117 You can also allow FXOS management from ASA data interfaces; configure SSH, HTTPS, and SNMP access. This feature is useful for remote management. Unsupported Features Unsupported ASA Features The following ASA features are not supported on the Firepower 2100: • Integrated Routing and Bridging • Redundant interfaces • Clustering •...

  • Page 118: End-To-End Procedure

    ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager End-to-End Procedure Unsupported FXOS Features The following FXOS features are not supported on the Firepower 2100: • Backup and restore FXOS configuration • External AAA Authentication for FXOS Note that when you connect to the ASA console from FXOS (connect asa), then ASA AAA configuration for console access applies (aaa authentication serial console).
  • Page 119 ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager End-to-End Procedure Cisco Firepower 2100 Getting Started Guide...

  • Page 120: Review The Network Deployment And Default Configuration

    SNMP (HTTPS and SSH are enabled by default); . Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 2100 using the default configuration in ASA Platform mode. Cisco Firepower 2100 Getting Started Guide...
  • Page 121 • If you add the ASA to an existing inside network, you will need to change the inside IP address to be on the existing network. Figure 31: Firepower 2100 in Your Network Firepower 2100 Platform Mode Default Configuration You can set the Firepower 2100 to run in Platform mode; Appliance mode is the default. Cisco Firepower 2100 Getting Started Guide...
  • Page 122 For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, this mode is maintained. ASA Configuration The default factory configuration for the ASA on the Firepower 2100 configures the following: • inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside) • outside IP address from DHCP, inside IP address—192.168.1.1 •...

  • Page 123: Cable The Device

    • Ethernet 1/1 and Ethernet 1/2—Enabled Cable the Device Manage the Firepower 2100 on the Management 1/1 interface. You can use the same management computer for FXOS and ASA. The default configuration also configures Ethernet1/1 as outside. Cisco Firepower 2100 Getting Started Guide...

  • Page 124: Power On The Device

    Connect your management computer to the console port. You need to access the ASA CLI to change from Appliance mode to Platform mode. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third party serial-to-USB cable to make the connection.

  • Page 125: Enable Platform Mode

    Enable Platform Mode The Firepower 2100 runs in Appliance mode by default. This procedure tells you how to change the mode to Platform mode, and optionally how to change it back to Appliance mode.
  • Page 126 23736 bytes copied in 1.520 secs (23736 bytes/sec) [OK] ciscoasa(config)# reload Proceed with reload? [confirm] Step 5 After restart, view the current mode to confirm the change. show fxos mode Example: ciscoasa(config)# show fxos mode Cisco Firepower 2100 Getting Started Guide...

  • Page 127: (Optional) Change Thefxosandasamanagement Ipaddresses Or Gateway

    (Optional) Change theFXOSandASAManagement IPAddresses or Gateway You can change the FXOS management IP address on the Firepower 2100 chassis from the FXOS CLI. The default address is 192.168.45.45. You can also change the default gateway. The default gateway is set to 0.0.0.0, which sends traffic to the ASA over the backplane.
  • Page 128 To keep the currently-set gateway, omit the gw keyword. Similarly, to keep the existing management IP address while changing the gateway, omit the ip and netmask keywords. Cisco Firepower 2100 Getting Started Guide...
  • Page 129 64 ipv6-gw 2001:DB8::1 firepower-2110 /fabric-interconnect/ipv6-config* # Step 5 Delete and add new access lists for HTTPS, SSH, and SNMP to allow management connections from the new network. a) Set the scope for system/services. scope system Cisco Firepower 2100 Getting Started Guide...
  • Page 130 /system/services/ip-block* # exit firepower-2110 /system/services* # a) Delete the old access lists. For IPv4: delete ip-block ip_address prefix [http | snmp | ssh] For IPv6: delete ipv6-block ipv6_address prefix [https | snmp | ssh] Cisco Firepower 2100 Getting Started Guide...
  • Page 131 Type help or '?' for a list of available commands. ciscoasa> enable Password: The enable password is not set. Please set it now. Enter Password: ****** Repeat Password: ****** ciscoasa# configure terminal ciscoasa(config)# b) Change the Management 1/1 IP address. interface management1/1 Cisco Firepower 2100 Getting Started Guide...
  • Page 132 /fabric-interconnect # scope ipv6-config firepower-2110 /fabric-interconnect/ipv6-config # show ipv6-if Management IPv6 Interface: IPv6 Address Prefix IPv6 Gateway ----------------------------------- ---------- ------------ 2001:DB8::2 2001:DB8::1 firepower-2110 /fabric-interconnect/ipv6-config # set out-of-band static ipv6 2001:DB8::2 ipv6-prefix 64 ipv6-gw 2001:DB8::1 Cisco Firepower 2100 Getting Started Guide...

  • Page 133: (Optional) Log Into The Firepower Chassis Manager

    EtherChannel), then the ASA configuration retains the original commands so that you can make any necessary adjustments; removing an interface from the configuration can have wide effects. You can manually remove the old interface configuration in the ASA OS. Cisco Firepower 2100 Getting Started Guide...
  • Page 134 131. • The Firepower 2100 supports EtherChannels in Link Aggregation Control Protocol (LACP) Active or On mode. By default, the LACP mode is set to Active; you can change the mode to On at the CLI. We suggest setting the connecting switch ports to Active mode for the best compatibility.
  • Page 135 Ctrl key. To select a range of interfaces, select the first interface in the range, and then, while holding down the Shift key, click to select the last interface in the range. h) Click OK. Cisco Firepower 2100 Getting Started Guide...

  • Page 136: Log Into Asdm

    • management_ip—Identifies the IP address or host name of the ASA management interface (192.168.45.1). The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
  • Page 137 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 138 Click Inventory. b) On the General tab, click New Token. c) On the Create Registration Token dialog box enter the following settings, and then click Create Token: • Description Cisco Firepower 2100 Getting Started Guide...
  • Page 139 Keep this token ready for later in the procedure when you need to register the ASA. Figure 33: View Token Figure 34: Copy Token Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing. Step 4 Click Register. Cisco Firepower 2100 Getting Started Guide...
  • Page 140 (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails. Step 7 Set the following parameters: Cisco Firepower 2100 Getting Started Guide...

  • Page 141: Configure The Asa

    Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button. Cisco Firepower 2100 Getting Started Guide...
  • Page 142 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. Cisco Firepower 2100 Getting Started Guide...

  • Page 143: (Optional) Configure Management Access For Fxos On Data Interfaces

    (Optional) Configure Management Access for FXOS on Data Interfaces If you want to manage FXOS on the Firepower 2100 from a data interface, then you can configure SSH, HTTPS, and SNMP access. This feature is useful if you want to manage the device remotely, and you want to keep Management 1/1, which is the native way to access FXOS, on an isolated network.

  • Page 144: Access The Asa And Fxos Cli

    SSH. Connect to the Console Port to Access FXOS and ASA CLI The Firepower 2100 console port connects you to the FXOS CLI. From the FXOS CLI, you can then connect to the ASA console, and back again. You can only have one console connection at a time. When you connect to the ASA console from the FXOS console, this connection is a persistent console connection, not like a Telnet or SSH connection.
  • Page 145 ASA data interface IP address on port 3022 (the default port). Step 2 Connect to the ASA CLI. connect asa To return to the FXOS CLI, enter Ctrl+a, d. Example: firepower-2110# connect asa Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Cisco Firepower 2100 Getting Started Guide...

  • Page 146: What's Next

    • To configure FXOS chassis settings, see the FXOS configuration guide. • For troubleshooting, see the FXOS troubleshooting guide. History for the Firepower 2100 in Platform Mode Feature Name Version Feature Information The default mode 9.13(1) With the introduction of Appliance mode, the default mode was changed to Appliance mode. In changed to Appliance earlier releases, the only mode available was Platform mode.
  • Page 147 ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager History for the Firepower 2100 in Platform Mode Feature Name Version Feature Information Prompt to set admin 9.13(1) You are not prompted to set the admin password when you first log in to Firepower Chassis password Manager.
  • Page 148 ASA Platform Mode Deployment with ASDM and Firepower Chassis Manager History for the Firepower 2100 in Platform Mode Cisco Firepower 2100 Getting Started Guide...
  • Page 149 © 2020 Cisco Systems, Inc. All rights reserved.

Table of Contents