Cisco Firepower 1010 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2021-01-29
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


Summary of Contents for Cisco Firepower 1010

  • Page 3 You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.
  • Page 4 You cannot use this API if you are managing the FTD using FMC. The FTD REST API is not covered in this guide. For more information, see the REST API guide.
  • Page 5 The ASA REST API lets you automate ASA configuration. However, the API does not include all ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the REST API guide.
  • Page 6 Which Operating System and Manager is Right for You? ASA Managers
  • Page 7 PART Firepower Threat Defense Deployment with CDO • Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning, on page 7 • Firepower Threat Defense Deployment with CDO Provisioning, on page 25...
  • Page 9 Note The Firepower 1010 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1010 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 10 This chapter explains how to deploy a factory-default FTD 1010 device at a remote branch office using the low-touch provisioning feature: 1. Your branch office receives an FTD 6.7+ device that has either been shipped directly from Cisco or one that has been reimaged with FTD 6.7+ software.
  • Page 11 Verify the Device Supports Low-Touch Provisioning from a Branch Office, on page 10: Take inventory of the device and packaging; record the serial number. (Branch Office Employee) Log Into CDO with Cisco Secure Sign-On (Cisco Defense Orchestrator, CDO Admin)
  • Page 12 Before you rack the device or discard the shipping box, verify that your Firepower device can be deployed using low-touch provisioning. Note This procedure assumes you are working with a new Firepower device running FTD Version 6.7 or later.
  • Page 13 The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 14 Create a New Cisco Secure Sign-On Account • If you have a Cisco Secure Sign-On account, skip ahead to Log Into CDO with Cisco Secure Sign-On. • If you don't have a Cisco Secure Sign-On account, see...
  • Page 15 Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company. d) After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
  • Page 16 Log Into CDO with Cisco Secure Sign-On You now see the Cisco Secure Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 17 Before you begin Low-touch provisioning (LTP) is a feature that allows a new factory-shipped Firepower 1010 series device to be provisioned and configured automatically, eliminating many of the manual tasks involved with onboarding the device to CDO.
  • Page 18 • Apply Smart License: Select this option if your device is not smart licensed already. You have to generate a token using the Cisco Smart Software Manager and copy it into this field. • Device Already Licensed: Select this option if your device has already been licensed.
  • Page 19 Cable the Device This topic describes how to connect the Firepower 1010 to your network so that it can be managed remotely by a CDO administrator. • If you received a Firepower firewall at your branch office and your job is to plug it in to your network, watch this video.
  • Page 20 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on. Step 3 Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on diagnostics.
  • Page 21 If there is a problem, the Status LED flashes fast amber. If this happens, call your IT department. Step 5 Observe the Status LED on the back or top of the device; when the device connects to the Cisco cloud, the Status LED slowly flashes green.
  • Page 22 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 23 • Expire After—Cisco recommends 30 days. • Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag if you are in a country that allows for strong encryption. The token is added to your inventory.
  • Page 24 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired.
  • Page 25 Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license.
  • Page 26 Manage the Device with CDO • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features. You cannot configure the features in new policies, nor can you deploy policies that use the feature.
  • Page 27 Note The Firepower 1010 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1010 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 28: Table Of Contents

    Access the FTD and FXOS CLI, on page 55 • Power Off the Device Using FDM, on page 56 • What's Next, on page 57 End-to-End Procedure See the following tasks to deploy FTD with CDO on your chassis.
  • Page 29 End-to-End Procedure. Pre-Configuration: Review the Network Deployment and Default Configuration. Pre-Configuration: Cable the Device.
  • Page 30 Firepower Device Manager: Log Into FDM; Complete the Initial Configuration, on page 35. Cisco Defense Orchestrator: Log Into CDO with Cisco Secure Sign-On; Onboard the Device to CDO. Cisco Defense...
  • Page 31 • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network. Figure 9: Suggested Network Deployment Note For 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
  • Page 32 • DNS server for management—OpenDNS: 208.67.222.222, 208.67.220.220, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes • Data interfaces—Obtained from outside DHCP, or a gateway IP address you specify during setup •...
  • Page 33 (software switch ports); PoE+ is not available. The initial cabling is the same for both versions. Note For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 1010 on either Management 1/1 or Ethernet 1/2 through 1/8. The default configuration also configures Ethernet1/1 as outside. Procedure...
  • Page 34 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on. Step 3 Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on diagnostics.
  • Page 35: (Optional) Change Management Network Settings At The Cli

    Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 2 Connect to the FTD CLI. connect ftd Example: firepower# connect ftd >
  • Page 36 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 37: Log Into Fdm

    • An access rule trusting all inside to outside traffic. • An interface NAT rule that translates all inside to outside traffic to unique ports on the IP address of the outside interface. • A DHCP server running on the inside interface.
  • Page 38 Choose to use the 90 day evaluation license even if you have a Smart Software Manager account and available licenses. You can Smart License the FTD after you have onboarded it to CDO. Making this choice avoids having to unregister and re-register the license.
  • Page 39: Log Into Cdo

    The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
  • Page 40 Create a New Cisco Secure Sign-On Account b) At the bottom of the Sign In screen, click Sign up. Figure 11: Cisco SSO Sign Up c) Fill in the fields of the Create Account dialog and click Register.
  • Page 41 Choose a security image. d) Click Create My Account. You now see the Cisco Secure Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
  • Page 42 Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication (MFA). • To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using Duo; see Create a New Cisco Secure Sign-On Account, on page •...
  • Page 43: Onboard The Device To Cdo

    FTD as the head-end for VPN connections, you will not be able to use the outside interface to manage the device. Connect Cisco Defense Orchestrator to the Secure Device Connector for more information about how to connect CDO to your SDC and what network access needs to be allowed.
  • Page 44 • Your device MUST be managed by Firepower Device Manager (FDM). • Make sure the licenses installed on the device are not registered with Cisco Smart Software Manager. You will need to unregister the FTD if it is already smart-licensed; see...
  • Page 45 Note You can create the device now and register it later. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
  • Page 46 In the Smart License area, you can apply a smart license to the FTD device and click Next. For more information, see Configure Licensing, on page 49. Click Skip to continue the onboarding with a 90-day evaluation license.
  • Page 47: Configure The Device In Cdo

    The following example shows how to create a new dmz-zone for the dmz interface.
  • Page 48 IPv4 route is for any-ipv4 (0.0.0.0/0), whereas a default IPv6 route is for any-ipv6 (::0/0). Create routes for each IP version you use. If you use DHCP to obtain an address for the outside interface, you might already have the default routes that you need.
  • Page 49 • Identity—If you want to correlate network activity to individual users, or control network access based on user or user group membership, use the identity policy to determine the user associated with a given source IP address.
  • Page 50 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 51: Configure Licensing

    You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 52 In the Cisco Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this device. a) Click Inventory. b) On the General tab, click New Token.
  • Page 53 Keep this token ready for later in the procedure when you need to register the FTD. Figure 21: View Token Figure 22: Copy Token Step 3 In CDO, click Devices & Services, and then select the FTD device that you want to license.
  • Page 54 You return to the Manage Licenses page. While the device registers, you see the following message: Step 6 After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired.
  • Page 55 Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license.
  • Page 56 Unregister a Smart-Licensed FTD • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features. You cannot configure the features in new policies, nor can you deploy policies that use the feature.
  • Page 57: Manage The Device With Cdo

    After having onboarded the device to CDO, you can manage the device with CDO. To manage the FTD with CDO: 1. Browse to https://sign-on.security.cisco.com. 2. Log in as the user you created in Create a New Cisco Secure Sign-On Account. 3. Review Managing FTD with Cisco Defense Orchestrator for links to common management tasks.
  • Page 58: Power Off The Device Using Fdm

    Observe the Power LED and Status LED to verify that the chassis is powered off (appear unlit). Step 3 After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary.
  • Page 59: What's Next

    To continue configuring your FTD device using CDO, see the CDO Configuration Guides. For additional information related to using CDO, see the Cisco Defense Orchestrator home page.
  • Page 61 PART Firepower Threat Defense Deployment with FDM • Firepower Threat Defense Deployment with FDM, on page 61...
  • Page 63 Note The Firepower 1010 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1010 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 64: End-To-End Procedure

    Power Off the Device, on page 84 • What's Next?, on page 85 End-to-End Procedure See the following tasks to deploy FTD with FDM on your chassis. Pre-Configuration: Review the Network Deployment and Default Configuration.
  • Page 65: Review The Network Deployment And Default Configuration

    IP address to be on a new network. • If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network.
  • Page 66 • (6.4) Software switch (Integrated Routing and Bridging)—Ethernet 1/2 through 1/8 belong to bridge group interface (BVI) 1 • outside—Ethernet 1/1, IP address from IPv4 DHCP • inside→outside traffic flow • management—Management 1/1 (management)
  • Page 67 • DNS server for management—OpenDNS: 208.67.222.222, 208.67.220.220, or servers you specify during setup. DNS servers obtained from DHCP are never used. • NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup • Default routes • Data interfaces—Obtained from outside DHCP, or a gateway IP address you specify during setup •...
  • Page 68: Cable The Device

    Ethernet1/7 and 1/8. In version 6.4, Ethernet1/2 through 1/8 are configured as bridge group members (software switch ports); PoE+ is not available. The initial cabling is the same for both versions. Manage the Firepower 1010 on either Management 1/1 or Ethernet 1/2 through 1/8. The default configuration also configures Ethernet1/1 as outside.
  • Page 69: Power On The Device

    Check the Power LED on the back or top of the device; if it is solid green, the device is powered on. Step 3 Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on diagnostics.
  • Page 70: (Optional) Change Management Network Settings At The Cli

    Hello admin. You must change your password. Enter new password: ******** Confirm new password: ******** Your password was updated successfully. [...] firepower# Step 2 Connect to the FTD CLI. connect ftd Example: firepower# connect ftd >
  • Page 71 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 72: Log Into Fdm

    • An access rule trusting all inside to outside traffic. • An interface NAT rule that translates all inside to outside traffic to unique ports on the IP address of the outside interface. • A DHCP server running on the inside interface.
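The default policy summarised on pages 37 and 72 (an access rule trusting all inside-to-outside traffic, plus an interface NAT rule that translates that traffic to unique ports on the outside interface IP) is modelled by the following added Python example. It is not Cisco code and not how FTD implements NAT internally; the outside address 203.0.113.10, the inside network 192.168.1.0/24 and the port range are constructed values. It shows why each inside flow gets its own outside port, how return traffic is matched back to the inside host, and why an unsolicited inbound packet has no translation and is dropped under the default policy.

```python
"""Toy model of the Firepower default interface PAT rule (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A 5-tuple as seen on the inside interface: (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Xlate:
    """The translated source as seen on the outside: always the outside IP, a unique port."""
    outside_ip: str
    outside_port: int


class InterfacePAT:
    """Models the default inside -> outside interface PAT rule.

    Every inside flow is rewritten to (outside_ip, unique port). Return traffic is
    matched against the translation table; an inbound packet with no matching
    translation is dropped, because the default policy has no outside -> inside rule.
    """

    def __init__(self, outside_ip: str, inside_net: str,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.outside_ip = outside_ip                      # constructed in the test: 203.0.113.10
        self.inside_net = ipaddress.ip_network(inside_net)  # constructed: 192.168.1.0/24
        self.lo, self.hi = port_range
        self._next = self.lo
        self._by_flow: Dict[Flow, Xlate] = {}
        # reverse key: (proto, outside_port, peer_ip, peer_port) -> inside flow
        self._by_xlate: Dict[Tuple[str, int, str, int], Flow] = {}

    def outbound(self, flow: Flow) -> Optional[Xlate]:
        """Translate an inside -> outside packet; None means the rule does not apply or cannot."""
        proto, src_ip, src_port, dst_ip, dst_port = flow
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None                      # not an inside host: the interface PAT rule does not match
        if flow in self._by_flow:
            return self._by_flow[flow]       # an existing translation is reused for the same flow
        port = self._alloc_port()
        if port is None:
            return None                      # PAT pool exhausted: the flow cannot be translated
        xlate = Xlate(self.outside_ip, port)
        self._by_flow[flow] = xlate
        self._by_xlate[(proto, port, dst_ip, dst_port)] = flow
        return xlate

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Packet arriving on outside addressed to outside_ip:dst_port.

        Returns the inside flow it belongs to, or None when no translation exists
        (unsolicited inbound traffic, dropped under the default policy).
        """
        return self._by_xlate.get((proto, dst_port, src_ip, src_port))

    def _alloc_port(self) -> Optional[int]:
        """Next unused port in the pool, scanning the whole range once before giving up."""
        used = {x.outside_port for x in self._by_flow.values()}
        for _ in range(self.hi - self.lo + 1):
            port = self._next
            self._next = self.lo if port == self.hi else port + 1
            if port not in used:
                return port
        return None
```

Two inside hosts using the same source port 51000 towards the same server end up on different outside ports, so the reverse lookup is unambiguous; a server that was never contacted gets None from inbound() and is dropped.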
  • Page 73 90-day evaluation license and set up smart licensing later. To register the device now, click the link to log into your Smart Software Manager account, and see Configure Licensing.
  • Page 74: Configure Licensing

    You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
  • Page 75 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 76 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD.
  • Page 77 In FDM, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page. Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token:
  • Page 78 You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following: Step 6 Click the Enable/Disable control for each optional license as desired.
  • Page 79 Configure Licensing • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license. • Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
  • Page 80: Configure The Device In Firepower Device Manager

    You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces.
  • Page 81 Note The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on Device > System Settings > Management Interface.
  • Page 82 IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
  • Page 83: Access The Ftd And Fxos Cli

    Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
  • Page 84 Step 3 To exit the FTD CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?. Example:
  • Page 85: View Hardware Information

    This information is also shown in show version system, show running-config, and show inventory output. Step 3 To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command.
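The show inventory output mentioned above is the quickest place to pull the chassis PID, VID and serial number into asset records, and to confirm that the serial recorded when the box was received (page 11 of the low-touch provisioning procedure) is the serial the running device actually reports. The following Python parser is an added example, not Cisco code. The sample output is constructed: the NAME/DESCR and PID/VID/SN line layout is the standard Cisco format and FPR-1010 is the Firepower 1010 product ID, but the VID, the serial numbers and the second entry are made up.

```python
"""Parse Cisco 'show inventory' output and check the chassis serial (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

# Standard Cisco record: a NAME/DESCR line followed by a PID/VID/SN line. PID/VID/SN may be empty.
_NAME_LINE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"$')
_ID_LINE = re.compile(r'^PID:\s*(?P<pid>\S*)\s*,\s*VID:\s*(?P<vid>\S*)\s*,\s*SN:\s*(?P<sn>\S*)$')

# Constructed sample, not captured from a real device. Only the layout and the FPR-1010 PID
# are real; the description wording, VID, serials and the second item are made up.
SAMPLE_SHOW_INVENTORY = """\
NAME: "Chassis", DESCR: "Firepower 1010 Appliance, Desktop, 8 GE, 1 MGMT"
PID: FPR-1010          , VID: V01     , SN: JAD2330X1AB

NAME: "Power Supply 1", DESCR: "Firepower 1010 external power adapter"
PID:                    , VID:         , SN:
"""


def parse_show_inventory(text: str) -> List[Dict[str, str]]:
    """Return one dict per inventory item with keys name, descr, pid, vid, sn.

    Raises ValueError on a line that is not part of a NAME/DESCR + PID/VID/SN pair,
    so a truncated paste is reported instead of silently producing half a record.
    """
    items: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _NAME_LINE.match(line)
        if m:
            if pending is not None:
                raise ValueError(f"NAME line without PID/VID/SN line: {pending['name']!r}")
            pending = m.groupdict()
            continue
        m = _ID_LINE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            items.append(pending)
            pending = None
            continue
        raise ValueError(f"unrecognised show inventory line: {raw!r}")
    if pending is not None:
        raise ValueError(f"NAME line without PID/VID/SN line: {pending['name']!r}")
    return items


def chassis_serial(items: List[Dict[str, str]]) -> Optional[str]:
    """Serial number of the item named Chassis, or None if absent or empty."""
    for item in items:
        if item["name"].lower() == "chassis":
            return item["sn"] or None
    return None


def serial_matches_intake(items: List[Dict[str, str]], recorded_sn: str) -> bool:
    """Compare the serial the device reports with the one written down at receiving."""
    reported = chassis_serial(items)
    return reported is not None and reported.upper() == recorded_sn.strip().upper()
```

The comparison is case-insensitive and ignores surrounding whitespace because the intake record is usually typed by hand; a mismatch means the device on the desk is not the device that was shipped, which is worth knowing before it is cabled to the network.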
  • Page 86: Power Off The Device

    Firepower system. The Firepower 1010 chassis does not have an external power switch. You can power off the device using FDM, or you can use the FXOS CLI.
  • Page 87: What's Next

    To continue configuring your FTD device, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FDM, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
  • Page 89 PART Firepower Threat Defense Deployment with FMC • Firepower Threat Defense Deployment with FMC, on page 89...
  • Page 91 Note The Firepower 1010 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1010 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
  • Page 92: Before You Start

    What's Next?, on page 131 Before You Start Deploy and perform initial configuration of the FMC. See the FMC getting started guide. End-to-End Procedure See the following tasks to deploy the FTD with FMC on your chassis.
  • Page 93 Cable the Device (6.7 and Later), on page 97; Cable the Device (6.5 and 6.6), on page 99; Cable the Device (6.4), on page 101. Pre-Configuration: Power On the Device. FTD CLI: Complete the FTD Initial Configuration, on page 102.
  • Page 94: Review The Network Deployment

    You can configure other data interfaces after you connect the FTD to the FMC. Note that Ethernet1/2 through 1/8 are enabled as switch ports by default.
  • Page 95 See the following sample network deployments for ideas on how to place your FTD device in your network. Inside Management Deployment The following figure shows the recommended network deployment for the Firepower 1010 using the inside interface for management.
  • Page 96 The following figure shows the recommended network deployment for the Firepower 1010 using the outside interface for management. This scenario is ideal for managing branch offices from a central headquarters. You can perform initial setup of the FTD at headquarters and then send a pre-configured device to a branch location.
  • Page 97 In 6.5 and earlier, the Management interface is configured with an IP address (192.168.45.45). The following figure shows the recommended network deployment for the Firepower 1010. You can also use this scenario in 6.7 and later for a High Availability deployment, for example.
  • Page 98 In the following diagram, the Firepower 1010 acts as the internet gateway for the Management interface and the FMC by connecting Management 1/1 directly to an inside switch port, and by connecting the FMC and management computer to other inside switch ports.
  • Page 99: Cable The Device (6.7 And Later)

    Figure 36: Suggested Network Deployment Cable the Device (6.7 and Later) To cable one of the recommended scenarios on the Firepower 1010, see the following steps. Note Other topologies can be used, and your deployment will vary depending on your requirements. For example, you can convert the switch ports to firewall interfaces.
  • Page 100 Figure 37: Cabling the Firepower 1010 for Inside FMC Access The FMC and your management computer reside on the inside network with your other inside end points. a) Connect the management computer to the console port. You need to use the console port to access the CLI for initial setup.
  • Page 101: Cable The Device (6.5 And 6.6)

    Connect Ethernet 1/1 to your outside router. Cable the Device (6.5 and 6.6) To cable the recommended scenario on the Firepower 1010, see the following illustration, which shows a sample topology using Ethernet1/1 as the outside interface and the remaining interfaces as switch ports on the inside network.
  • Page 102 Figure 39: Cabling the Firepower 1010 Note For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Procedure Step 1 Connect Management1/1 directly to one of the switch ports, Ethernet1/2 through 1/8.
  • Page 103: Cable The Device (6.4)

    Cable the Device (6.4) To cable the recommended scenario on the Firepower 1010, see the following illustration, which shows a sample topology using a Layer 2 switch. Note Other topologies can be used, and your deployment will vary depending on your requirements.
  • Page 104: Power On The Device

    In 6.7 and later: If you do not want to use the Management interface for FMC access, you can use the CLI to configure a data interface instead. You will also configure FMC communication settings.
  • Page 105 For example, the management traffic that is routed over the backplane through the data interface will resolve FQDNs using the Management interface DNS servers, and not the data interface DNS servers.
  • Page 106 Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192 Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1 Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: Enter a comma-separated list of search domains or 'none' []: If your networking information has changed, you will need to reconnect.
  • Page 107 If the FMC is behind a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example: Example: > configure manager add DONTRESOLVE regk3y78 natid90 Manager successfully configured.
  • Page 108 • If you configure a DDNS server update URL, the FTD automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the FTD can validate the DDNS server certificate
  • Page 109 Data interface to use for management: ethernet1/1 Specify a name for the interface [outside]: internet IP address (manual / dhcp) [dhcp]: manual IPv4/IPv6 address: 10.10.6.7 Netmask/IPv6 Prefix: 255.255.255.0 Default Gateway: 10.10.6.1 Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
  • Page 110: Log Into The Firepower Management Center

    Obtain Licenses for the Firepower Management Center All licenses are supplied to the FTD by the FMC. You can optionally purchase the following feature licenses: • Threat—Security Intelligence and Cisco Firepower Next-Generation IPS • Malware—Advanced Malware Protection for Networks (AMP) •...
  • Page 111 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 112: Register The Ftd With The Fmc

    • FTD management IP address or hostname, and NAT ID • FMC registration key Procedure Step 1 In FMC, choose Devices > Device Management. Step 2 From the Add drop-down list, choose Add Device, and enter the following parameters.
  • Page 113 • Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page 125.
  • Page 114: Configure A Basic Security Policy

    This section describes how to configure a basic security policy with the following settings: • Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface. • DHCP server—Use a DHCP server on the inside interface for clients.
  • Page 115 • NAT—Use interface PAT on the outside interface. • Access control—Allow traffic from inside to outside. To configure a basic security policy, complete the following tasks. (Firepower 1010) Configure Interfaces, on page 113 (All Other Models) Configure Interfaces, on page 117.
  • Page 116 (Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID. d) Click OK. Step 5 Add the inside VLAN interface. a) Click Add Interfaces > VLAN Interface. The General tab appears.
  • Page 117 ID in your configuration. g) Click the IPv4 and/or IPv6 tab. • IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24
  • Page 118 Leave the Mode set to None. d) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New. For example, add a zone called outside_zone.
  • Page 119 The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Click Interfaces.
  • Page 120 Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most...
  • Page 121 You should not alter any of these basic settings because doing so will disrupt the FMC management connection. You can still configure the Security Zone on this screen for through traffic policies.
  • Page 122 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options:
  • Page 123 IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route, click Add Route, and set the following:
  • Page 124 • Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table.
  • Page 125 The policy is added to the FMC. You still have to add rules to the policy. Step 3 Click Add Rule. The Add NAT Rule dialog box appears. Step 4 Configure the basic rule options: • NAT Rule—Choose Auto NAT Rule.
  • Page 126 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area. Step 6 On the Translation page, configure the following options: • Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).
  • Page 127 Step 1 Choose Policy > Access Policy > Access Policy, and click the Edit ( ) for the access control policy assigned to the FTD. Step 2 Click Add Rule, and set the following parameters:
  • Page 128 SSH access according to this section. You can only SSH to a reachable interface; if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface.
  • Page 129 Click OK. Step 4 Click Save. You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
  • Page 130: Access The Ftd And Fxos Cli

    Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
  • Page 131 Step 3 To exit the FTD CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?. Example:
  • Page 132: Power Off The Device

    Firepower system. The Firepower 1010 chassis does not have an external power switch. You can power off the device using the FMC device management page, or you can use the FXOS CLI.
  • Page 133: What's Next

    What's Next? To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide.
  • Page 135 PART ASA Deployment with ASDM • ASA Deployment with ASDM, on page 135...
  • Page 137 ASA Deployment with ASDM Is This Chapter for You? This chapter describes how to set up the Firepower 1010 for use with the ASA. This chapter does not cover the following deployments, for which you should refer to the ASA configuration guide: •...
  • Page 138: About The Asa

    • Cisco Security Manager—A multi-device manager on a separate server. You can also access the FXOS CLI for troubleshooting purposes. Unsupported Features General ASA Unsupported Features The following ASA features are not supported on the Firepower 1010: • Multiple context mode • Active/Active failover • Redundant interfaces •...
  • Page 139 • Security group tagging (SGT) Migrating an ASA 5500-X Configuration You can copy and paste an ASA 5500-X configuration into the Firepower 1010. However, you will need to modify your configuration. Also note some behavioral differences between the platforms. 1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
  • Page 140: End-To-End Procedure

    The Firepower 1010 includes Management 1/1 and Ethernet 1/1 through 1/8. boot system commands: The ASA 5500-X allows up to four boot system commands to specify the booting image to use. The Firepower 1010 only allows a single boot system command, so you should remove all but one command before you paste. You actually do not need to have any boot system commands present...
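The copy-and-modify migration described on pages 139 and 140 is easy to get wrong by hand, so here is an added example of scripting it. This Python is not Cisco's code and does not ship with the guide: it takes the text produced by more system:running-config on the ASA 5500-X, keeps only the first boot system command (the Firepower 1010 accepts one and needs none), renames interfaces to the Firepower 1010 names, and emits a warning for each line that uses a feature the guide lists as unsupported (multiple context mode, Active/Active failover, redundant interfaces, SGT). The GigabitEthernet0/N to Ethernet1/(N+1) mapping, the regular expressions that recognise the unsupported features, and the sample configuration are assumptions made for this example; review the rewritten output before you paste it.

```python
"""Rewrite an ASA 5500-X running-config so it can be pasted into a Firepower 1010.

Added example; not Cisco code. The interface mapping, the feature regexes and
the sample configuration below are assumptions made for illustration.
"""
import re

# Assumed mapping: the guide says the Firepower 1010 has Management 1/1 and
# Ethernet 1/1 through 1/8; the 5500-X names and the N -> N+1 shift are ours.
INTERFACE_MAP = {f"GigabitEthernet0/{n}": f"Ethernet1/{n + 1}" for n in range(8)}
INTERFACE_MAP["Management0/0"] = "Management1/1"

# Features the guide lists as unsupported on the Firepower 1010, keyed to the
# (assumed) ASA config line that introduces each of them.
UNSUPPORTED = {
    "multiple context mode": re.compile(r"^context\s+\S+"),
    "Active/Active failover": re.compile(r"^failover group\s+\d+"),
    "redundant interface": re.compile(r"^interface Redundant\d+"),
    "security group tagging (SGT)": re.compile(r"^cts\s"),
}
# Interface names that exist on a Firepower 1010 (physical, subinterface, VLAN).
ALLOWED_1010_INTERFACE = re.compile(r"^(Ethernet1/[1-8](\.\d+)?|Management1/1|Vlan\d+)$")


def migrate(asa_config: str, keep_one_boot: bool = True):
    """Return (rewritten_lines, warnings).

    Drops every 'boot system' command after the first (all of them when
    keep_one_boot is False), renames interfaces wherever they are referenced,
    and records a warning for each line the Firepower 1010 will not accept.
    """
    out, warnings, boot_seen = [], [], 0
    for raw in asa_config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped.startswith("boot system "):
            boot_seen += 1
            if boot_seen == 1 and keep_one_boot:
                out.append(line)
            else:
                warnings.append(f"dropped extra 'boot system' command: {stripped}")
            continue
        flagged = False
        for feature, pattern in UNSUPPORTED.items():
            if pattern.match(stripped):
                warnings.append(f"{feature} is not supported on the Firepower 1010: {stripped}")
                flagged = True
        # Rename interfaces in 'interface' stanzas and everywhere else they are named.
        for old, new in INTERFACE_MAP.items():
            line = re.sub(rf"\b{re.escape(old)}\b", new, line)
        m = re.match(r"^interface (\S+)", line.strip())
        if m and not flagged and not ALLOWED_1010_INTERFACE.match(m.group(1)):
            warnings.append(f"interface has no Firepower 1010 equivalent: {line.strip()}")
        out.append(line)
    return out, warnings


def boot_commands(lines):
    """Count the 'boot system' commands left in a rewritten configuration."""
    return sum(l.strip().startswith("boot system ") for l in lines)


# Constructed sample of an ASA 5500-X running-config (not taken from a real device).
SAMPLE_5500X_CONFIG = """\
hostname branch-asa
boot system disk0:/asa9-12-4-smp-k8.bin
boot system disk0:/asa9-8-4-smp-k8.bin
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.45.1 255.255.255.0
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
failover group 1
 primary
cts role-based sgt-map 10.10.10.50 sgt 100
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
"""

if __name__ == "__main__":
    config, warnings = migrate(SAMPLE_5500X_CONFIG)
    print("\n".join(config))
    for w in warnings:
        print("WARNING:", w)
```

Run it against the real output of more system:running-config and work through every warning before pasting: a redundant-interface stanza, for example, has to be rebuilt on a single Ethernet port or a VLAN interface, which the script deliberately does not attempt to do for you.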
  • Page 141
    Review the Network Deployment and Default Configuration, on page 140.
    Pre-Configuration: Cable the Device, on page 143.
    Pre-Configuration: Power On the Device, on page 32.
    ASA CLI: (Optional) Change the IP Address, on page 145.
    ASDM: Log Into ASDM, on page 146.
  • Page 142: Review The Network Deployment And Default Configuration

    Review the Network Deployment and Default Configuration The following figure shows the default network deployment for the Firepower 1010 using the default configuration. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
  • Page 143 ASA Deployment with ASDM Firepower 1010 Default Configuration Firepower 1010 Default Configuration The default factory configuration for the Firepower 1010 configures the following: • Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1 • inside→outside traffic flow—Ethernet 1/1 (outside), VLAN1 (inside) •...
  • Page 144
    interface Ethernet1/7
     no shutdown
     switchport
     switchport mode access
     switchport access vlan 1
    interface Ethernet1/8
     no shutdown
     switchport
     switchport mode access
     switchport access vlan 1
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
     nat (any,outside) dynamic interface
  • Page 145: Cable The Device

    dns server-group DefaultDNS
     name-server 208.67.222.222 outside
     name-server 208.67.220.220 outside
    Cable the Device Manage the Firepower 1010 on either Management 1/1, or on Ethernet 1/2 through 1/8 (inside switch ports). The default configuration also configures Ethernet 1/1 as outside. Procedure Step 1 Connect your management computer to one of the following interfaces: •...
  • Page 146: Power On The Device

    (see Firepower 1010 Default Configuration, on page 141). If you need to change the Management 1/1 IP address from the default, you must also cable your management computer to the console port.
  • Page 147: (Optional) Change The Ip Address

    Executing command: http 10.1.1.0 255.255.255.0 management
    Executing command: dhcpd address 10.1.1.152-10.1.1.254 management
    Executing command: dhcpd enable management
    Executing command: logging asdm informational
    Factory-default configuration is completed
    ciscoasa(config)#
    Step 3 Save the default configuration to flash memory.
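The factory default shown on pages 143 through 147 keeps ASDM (http) access and the DHCP pool on the management subnet and provides interface PAT from any inside network to outside; the FMC procedure on pages 114 through 129 builds the same policy by hand. Whichever way the box is configured, the saved configuration can be checked mechanically. The following Python is an added example, not Cisco code: it parses an ASA-format configuration, flags http or ssh access entries that admit any source or that terminate on the outside interface, confirms the interface PAT rule is present, and checks that each dhcpd pool lies inside the subnet of the interface it is served on. The sample configuration is constructed from the fragments on these pages with assumed inside and management addresses, and the weakened variant is ours, included so the detections can be seen firing.

```python
"""Audit a Firepower 1010 ASA configuration for exposed management access,
missing interface PAT and DHCP pools that do not fit their interface.

Added example; not Cisco code. The sample configurations are constructed from
the default-configuration fragments in the guide plus assumed addresses.
"""
import ipaddress
import re


def parse_interfaces(config: str):
    """Map interface name -> {'nameif', 'ip', 'vlan'} from 'interface' stanzas."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = raw.split(None, 1)[1].strip()
            ifaces[cur] = {}
        elif raw.startswith(" ") and cur is not None:
            t = raw.split()
            if t[0] == "nameif":
                ifaces[cur]["nameif"] = t[1]
            elif t[:2] == ["ip", "address"] and len(t) >= 4 and t[2] != "dhcp":
                ifaces[cur]["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
            elif t[:3] == ["switchport", "access", "vlan"]:
                ifaces[cur]["vlan"] = int(t[3])
        else:
            cur = None
    return ifaces


def audit(config: str):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_nameif = {v["nameif"]: v for v in parse_interfaces(config).values() if "nameif" in v}
    # ASDM (http) and SSH access entries: flag 'any' sources and the outside interface.
    for m in re.finditer(r"^(http|ssh) (\S+) (\S+) (\S+)$", config, re.M):
        proto, net, mask, ifname = m.groups()
        try:
            allowed = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            continue  # not an access entry (e.g. 'ssh key-exchange ...')
        if allowed.prefixlen == 0:
            findings.append(f"{proto} management open to any source on {ifname}")
        if ifname == "outside":
            findings.append(f"{proto} management reachable from the outside interface")
    # Interface PAT for inside -> outside, as the default configuration provides.
    if not re.search(r"^\s*nat \((inside|any),outside\) dynamic interface\s*$", config, re.M):
        findings.append("no interface PAT from inside to outside")
    # A DHCP pool must lie within the subnet of the interface it is served on.
    for m in re.finditer(r"^dhcpd address (\S+)-(\S+) (\S+)$", config, re.M):
        lo, hi, ifname = m.groups()
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        iface = by_nameif.get(ifname, {}).get("ip")
        if iface is None:
            findings.append(f"dhcpd pool on {ifname} but that interface has no static address")
        elif not (lo_ip in iface.network and hi_ip in iface.network and lo_ip <= hi_ip):
            findings.append(f"dhcpd pool {lo}-{hi} does not fit {ifname} subnet {iface.network}")
    return findings


# Constructed from the guide's default-configuration fragments; the inside and
# management interface addresses and the inside pool are assumed.
DEFAULT_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet1/2
 switchport
 switchport mode access
 switchport access vlan 1
interface Ethernet1/8
 switchport
 switchport mode access
 switchport access vlan 1
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
http server enable
http 10.1.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd address 10.1.1.152-10.1.1.254 management
dhcpd enable management
"""

# The same configuration with two changes an operator might make in a hurry:
# ASDM opened to the whole internet and the PAT rule deleted.
WEAKENED_CONFIG = (
    DEFAULT_CONFIG.replace("http 10.1.1.0 255.255.255.0 management", "http 0.0.0.0 0.0.0.0 outside")
    .replace(" nat (any,outside) dynamic interface\n", "")
)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("weakened", WEAKENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Feed it the output of show running-config after each change you make through ASDM or the CLI; the http check is the one most worth keeping, because a single mistyped access entry exposes the ASDM login to the internet.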
  • Page 148: Log Into Asdm

    HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA has no CA-issued certificate installed and presents a self-signed one, so your browser cannot verify the device's identity. Accept the warning only while you are connected over the directly cabled management or inside switch ports described above; before you expose ASDM to any wider network, install a certificate issued by a CA your browsers trust.
  • Page 149 Configure Licensing Configure Licensing The ASA uses Cisco Smart Software Licensing. You can use regular Smart Software Licensing, which requires internet access; or for offline management, you can configure Permanent License Reservation or a Satellite server. For more information about these offline licensing methods, see Cisco ASA Series Feature Licenses;...
  • Page 150 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
  • Page 151 Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA. Treat it as a credential: anyone holding it can register product instances against your virtual account until it expires.
  • Page 152 (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails. Step 7 Set the following parameters: a) Check Enable Smart license configuration.
  • Page 153 Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards. Procedure Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.
  • Page 154 • And more... Step 3 (Optional) From the Wizards menu, run other wizards. Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
  • Page 155 Step 1 Connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide). Use the following serial settings: •...
  • Page 156 Type help or '?' for a list of available commands.
    ciscoasa#
    What's Next? • To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation. • For troubleshooting, see the FXOS troubleshooting guide.
  • Page 157 © 2021 Cisco Systems, Inc. All rights reserved.