Cisco Firepower 4120 Security Appliance Hardware Firewall Installation Guide



Cisco Firepower Threat Defense for Firepower 4100 Quick Start Guide

First Published: March 10, 2016

1. About Firepower Threat Defense Security Services

The Cisco Firepower 4100 security appliance is a standalone security services platform for network and content security solutions that can run the Firepower Threat Defense application.

You can deploy the Firepower 4100 in a data center using Firepower Threat Defense to provide next-generation firewall services, including stateful firewalling, routing, Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use a Threat Defense device in single context mode, and in routed or transparent mode.

How Firepower Threat Defense Works with the Firepower 4100

The Firepower 4100 security appliance runs its own operating system on the supervisor called the Firepower eXtensible Operating System (FXOS). The Firepower Chassis Manager provides simple, GUI-based management capabilities. You can configure hardware interface settings, smart licensing, and other basic operating parameters on the supervisor using the Firepower Chassis Manager web interface or CLI.

All physical interface operations are owned by the supervisor, including establishing external EtherChannels. You can assign interfaces to a logical device running Firepower Threat Defense. Three types of interfaces are supported: Data, Management, and Firepower Eventing. The Firepower Eventing interface is dedicated to carrying only event traffic. You can assign interfaces to the Firepower 4100 with Firepower Threat Defense either at the time of deployment or later as needed. These interfaces use the same IDs in the supervisor as in the Firepower 4100 with Firepower Threat Defense configuration.

When you deploy the Firepower 4100 with Firepower Threat Defense, the supervisor downloads an application image of your choice, and establishes a default configuration. You can only deploy the Firepower 4100 with Firepower Threat Defense as a standalone logical device; clustering is not supported.

Firepower Management Center Support and CLI Access

When you deploy the Firepower 4100 with Firepower Threat Defense, you specify a management interface and registration information for the managing Firepower Management Center to allow for Firepower Management Center access. You register Firepower Threat Defense devices as you would any managed device, and you can do policy configuration and deployment.

You can also access the Firepower Threat Defense CLI from the Firepower 4100 supervisor CLI using an internal Telnet connection. From within the Firepower 4100 security appliance, you can later configure SSH or Telnet access over any of its management or data interfaces; see 6. Access the Firepower Threat Defense CLI, page 9.

Cisco Systems, Inc.

www.cisco.com


Management/Diagnostic Interface and Network Deployment

The physical management interface is shared between the Management logical interface and the Diagnostic logical interface.

The Firepower Threat Defense device uses the setup IP address, and associated route to the gateway, for management by the Firepower Management Center. The management IP address and route are not included on the Firepower Management Center web interface in the list of interfaces or static routes for the device; they can only be set by the setup script and at the CLI. After you perform the initial setup, configure the security and access policies, device settings, and interfaces using the Firepower Management Center.

If you choose to do syslog or SNMP reporting over the physical management port, note that you must configure a separate IP address and route and external authentication for the Diagnostic 0/0 or Diagnostic 1/1 interface using the Firepower Management Center web interface. However, Cisco recommends you use a data port for reporting purposes to simplify deployment.

See the Firepower Threat Defense Interfaces chapter of the Firepower Management Center Configuration Guide for more information about the management/diagnostic interface.

Licensing Requirements for Firepower Threat Defense

Firepower Threat Defense running on the Firepower 4100 requires Smart Software Licensing, configurable from the Firepower Management Center. See the Firepower Management Center Configuration Guide or the online help in Firepower Management Center for more information.

For Firepower Threat Defense running on the Firepower 4100 security module, Smart Software Licensing configuration is split between the Firepower 4100 supervisor and the security module.

• Firepower 4100 - Configure all Smart Software Licensing infrastructure in the supervisor, including parameters for communicating with the License Authority. The Firepower 4100 itself does not require any licenses to operate.

• Firepower Threat Defense - Configure all license entitlements for the security services from the Firepower Management Center.

The Firepower 4100 chassis registers as a device, while Firepower Threat Defense on the security module in the chassis requests its own license. See the Cisco FXOS Firepower Chassis Manager Configuration Guide for more information about license management for the Firepower 4100.

See “Licensing the Firepower System” in the Firepower Management Center Configuration Guide for more information about how to manage licenses on the Firepower Management Center.

Access the Firepower Chassis Manager Web Interface

You can manage application images, configure hardware interface settings, and other basic operating parameters on the supervisor using the Firepower Chassis Manager web interface.

Procedure

1. To log in to the Firepower Chassis Manager Web Interface:

a. Using a supported browser, enter the following URL in the address bar: https://<chassis_mgmt_ip_address>, where <chassis_mgmt_ip_address> is the IP address or host name of the Firepower 4100 that you entered during initial configuration. See Initial Configuration, page 3 for more information.

b. Enter your username and password.

c. Click Login.


You are logged in and the Firepower Chassis Manager Web Interface opens to show the Overview page.

2. To log out of the Firepower Chassis Manager Web Interface, choose admin > Logout. You are logged out of the Firepower Chassis Manager Web Interface and are returned to the login screen.

2. Deploy the Firepower Threat Defense

The Firepower 4100 uses two basic types of images: platform bundles and applications. A platform bundle contains the Firepower FXOS software package required for the supervisor. An application image is the software image you want to deploy on the security engine.

Firepower Threat Defense is deployed as an application image on the security engine of the Firepower 4100.

Application images are delivered as Cisco Secure Package files (CSP) and are stored on the supervisor until deployed to a security engine as part of logical device creation or in preparation for later logical device creation.

You can have multiple different versions of the same application image type stored on the supervisor.

From the Updates page of the System menu you can download FXOS platform bundles, Firepower Threat Defense application images and the latest updates from Cisco.com. Then you can upload a Firepower Threat Defense image to the Firepower 4100 to use when you create or update a logical device. Make sure you are using a Firepower Threat Defense image version that is compatible with the FXOS version running on the supervisor.

For more information see the Cisco FXOS Firepower Chassis Manager Configuration Guide.

Task Overview

Before you begin the Firepower Threat Defense deployment on the Firepower 4100 security appliance, review the following guidelines and requirements.

• Perform the initial configuration for your Firepower 4100 security appliance using the initial setup wizard as described in Initial Configuration, page 3.

• Configure NTP on the Firepower Chassis Manager as described in Configure NTP, page 4.

• Configure a management interface and at least one data interface as described in Configure Interfaces, page 5.

• Configure a Firepower Threat Defense standalone logical device as described in Deploy a Firepower Threat Defense Logical Device, page 5.

• Discover the Firepower Threat Defense unit in the Firepower Management Center as described in 3. Register with the Firepower Management Center, page 6.

• If this is a Firepower Threat Defense or FXOS upgrade, or if you want to deploy another application, you need to obtain the latest FXOS platform bundles, application images, and the latest updates from Cisco.com; see 5. Upgrade Considerations, page 7.

Initial Configuration

Before you can use Firepower Chassis Manager or the FXOS CLI to configure and manage your system, you must perform some initial configuration tasks using the FXOS CLI accessed through the console port. The first time that you access the FXOS chassis using the FXOS CLI, you will encounter a setup wizard that you can use to configure the system.

Before You Begin

Verify the following physical connections on the FXOS chassis:


— The console port is physically connected to a computer terminal or console server.

— The 1 Gbps Ethernet management port is connected to an external hub, switch, or router.

For more information, see the Cisco Firepower Chassis Manager Configuration Guide.

Procedure

1. Connect to the Firepower 4100 CLI, for example, from the console port or using SSH.

2. Log in with the username admin and the password cisco123.

3. Complete the system configuration as prompted.

For example:

Enter the setup mode; setup newly or restore from backup. (setup/restore) ? setup
You have chosen to setup a new Security Appliance. Continue? (y/n): y
Enforce strong password? (y/n): n
Enter the password for “admin”: <new password>
Confirm the password for “admin”: <repeat password>
Enter the system name: FTD-SSP-4100
Physical Switch Mgmt0 IP address : 10.127.56.61
Physical Switch Mgmt0 IPv4 netmask : 255.255.255.0
IPv4 address of default gateway : 10.127.56.1
Configure the DNS Server IP address? (yes/no) [n]: n
Configure the default domain name? (yes/no) [n]: n
Following configurations will be applied:
Switch Fabic=A
System Name=FTD-SSP-4100
Enforced Strong Password=no
Physical Switch Mgmt0 IP Address=10.127.56.61
Physical Switch Mgmt0 IP Netmask=255.255.255.0
Default Gateway=10.127.56.1
Ipv6 value=0
Apply and save the configuration (select ‘n’ if you want to re-enter)? (yes/no): yes
Applying configuration. Please wait.

4. Launch the Firepower Chassis Manager Web Interface to verify connectivity using the new login credentials.

a. Using a supported browser, enter the following URL in the address bar: https://<chassis_mgmt_ip_address>, where <chassis_mgmt_ip_address> is the IP address or host name of the Firepower 4100 that you entered during initial configuration.

b. Enter your username and password.

c. Click Login.

You are logged in and the Firepower Chassis Manager Web Interface opens to show the Overview page.
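The Mgmt0 address, netmask and default gateway typed into the setup wizard (step 3 above) have to agree with each other, or the supervisor is unreachable over the management port once the configuration is applied and you are back to the console. The following Python script is an added example, not part of Cisco's guide or of FXOS: it pre-checks a set of wizard answers before they are typed at the console. SAMPLE_ANSWERS is a constructed copy of the values in the sample session above, and the warning about strong-password enforcement is this example's own hardening check, not a wizard rule.

```python
import ipaddress

# Constructed copy of the answers given in the guide's sample setup session;
# these are documentation addresses, not a real deployment.
SAMPLE_ANSWERS = {
    "system_name": "FTD-SSP-4100",
    "mgmt0_ip": "10.127.56.61",
    "mgmt0_netmask": "255.255.255.0",
    "default_gateway": "10.127.56.1",
    "enforce_strong_password": "n",
}


def check_setup_answers(answers: dict) -> tuple[list[str], list[str]]:
    """Sanity-check wizard answers before they are typed at the console.

    Returns (errors, warnings). An error would leave the supervisor unreachable
    over Mgmt0; a warning is a hardening point that does not break connectivity.
    """
    errors: list[str] = []
    warnings: list[str] = []

    # IPv4Interface accepts the "address/dotted-netmask" form directly.
    try:
        mgmt = ipaddress.IPv4Interface(
            f"{answers['mgmt0_ip']}/{answers['mgmt0_netmask']}"
        )
    except ValueError as exc:
        return [f"invalid Mgmt0 address or netmask: {exc}"], warnings
    net = mgmt.network

    # A host address must not be the subnet's network or broadcast address.
    if mgmt.ip in (net.network_address, net.broadcast_address):
        errors.append(
            f"Mgmt0 address {mgmt.ip} is the network or broadcast address of {net}"
        )

    try:
        gateway = ipaddress.IPv4Address(answers["default_gateway"])
    except ValueError as exc:
        errors.append(f"invalid default gateway: {exc}")
        return errors, warnings

    # The gateway must be a different host on the same Mgmt0 subnet.
    if gateway not in net:
        errors.append(f"default gateway {gateway} is not on the Mgmt0 subnet {net}")
    elif gateway == mgmt.ip:
        errors.append("default gateway is the same as the Mgmt0 address")

    # Example's own check: the sample session answers "n" here.
    if answers.get("enforce_strong_password", "n").lower() != "y":
        warnings.append("strong password enforcement is disabled for the admin account")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_setup_answers(SAMPLE_ANSWERS)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    print("ok to apply" if not errs else "fix the answers before applying")
```

Run it against your own answers before step 3; an empty error list means the gateway is on the Mgmt0 subnet and the address itself is usable, which is exactly what the "Apply and save the configuration" prompt does not check for you.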

Configure NTP

Your Firepower Threat Defense deployment on the Firepower 4100 requires that you configure NTP on the Firepower Chassis Manager. The NTP server must be set on the Firepower Chassis Manager for Smart Licensing to work properly and to ensure proper timestamps on device registrations.


Procedure

1. From the Firepower Chassis Manager interface, choose Platform Settings > NTP.

2. Choose the appropriate time zone for the Firepower chassis from the Time Zone drop-down list.

3. Under Set Time Source, click Use NTP Server and then enter the IP address or hostname of the NTP server you want to use in the NTP Server field.

4. Click Save.

The Firepower chassis is configured with the NTP server specified.

Note: If you modify the system time by more than 10 minutes, the system will log you out and you will need to log in to the Firepower Chassis Manager again.

Configure Interfaces

Configure a Management type interface on the supervisor that you can include in the deployment configuration for the Firepower 4100 Firepower Threat Defense. You must also configure at least one Data type interface.

Procedure

1. From the Firepower Chassis Manager interface, choose Interfaces to open the Interfaces page.

2. To add an EtherChannel:

a. Click Add Port Channel.

b. For the Port Channel ID, enter a value between 1 and 47.

c. Leave Enable checked.

d. For the Type, choose Management or Data or Firepower Eventing. You can only include one management interface per logical device.

Note: Interface types cannot be changed once they are assigned to a provisioned logical device.

e. Add member interfaces as desired.

f. Click OK.

3. For a single interface:

a. Click the Edit icon in the interface row to open the Edit Interface dialog box.

b. Check Enable.

c. For the Type, click Management or Data or Firepower Eventing. You can only include one management interface per logical device.

d. Click OK.

Deploy a Firepower Threat Defense Logical Device

You can configure Firepower Threat Defense as a standalone logical device. You configure logical device information including:

• Device information and addressing

• Device settings, including Firepower Management Center registration information, firewall mode, and eventing

• Interface information and addressing

• End-user license agreement

Procedure

1. From the Firepower Chassis Manager interface, choose Logical Devices to open the Logical Devices page.

2. Click Add Device to open the Add Device dialog box.

3. For the Device Name, provide a name for the logical device. This name is used by the Firepower 4100 supervisor to configure management settings and assign interfaces; it is not the device name used in the security module configuration.

4. For the Template, choose Firepower Threat Defense.

5. For the Image Version, choose the Firepower Threat Defense software version.

6. For the Device Mode, click the Standalone radio button.

7. Click OK. You see the Provisioning - device name window.

8. Expand the Data Ports area, and click each interface that you want to assign to the Firepower Threat Defense.

9. Click the device icon in the center of the screen. The configuration dialog box appears.

10. Configure the deployment options for each tab of the configuration dialog box:

a. Logical Device Information—Enter the management settings for this logical device.

Note: Virtual IPv4 or IPv6 addresses can be configured from the Firepower Management Center after device registration. This is important if you want to use syslog.

b. Settings—Enter a registration key and password and IP address for the managing Firepower Management Center; also choose the firewall mode, Firepower eventing interface (if configured), and DNS information.

Note: The registration key is a user-generated one-time use key that must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). You will need to remember this registration key when you add the device to the Firepower Management Center.

c. Interface Information—Enter the management settings for this logical device.

Note: A security module requires its own IP address, which the Firepower Management Center uses when registering the device. This IP is mandatory to add the module to the Firepower Management Center.

d. Agreement—Read and accept the end user license agreement (EULA).

11. Click OK to close the configuration dialog box.

12. Click Save. The Firepower 4100 supervisor deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the security module.
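The registration key rules in step 10b (user-generated, one-time use, at most 37 characters, letters, digits and hyphens only) and the requirement to type that same key again when the device is added in the Firepower Management Center (section 3, step 6) are easy to get wrong across several modules. The following Python code is an added example and not Cisco's own tooling: it validates a key against the rules the note states, generates a fresh key from the operating system's CSPRNG so it cannot be guessed, and keeps an operator-side ledger so each key is accepted for one logical device exactly once. The RegistrationKeyLedger class and the device names in it are hypothetical bookkeeping; neither the Chassis Manager nor the Management Center exposes such an API.

```python
import re
import secrets
import string

# Rules stated in the guide's note on the registration key.
MAX_KEY_LEN = 37
ALLOWED_RE = re.compile(r"[A-Za-z0-9-]")
RANDOM_ALPHABET = string.ascii_letters + string.digits


def validate_registration_key(key: str) -> list[str]:
    """Return the rule violations for a key; an empty list means it is acceptable."""
    problems: list[str] = []
    if not key:
        return ["key is empty"]
    if len(key) > MAX_KEY_LEN:
        problems.append(f"key has {len(key)} characters; the maximum is {MAX_KEY_LEN}")
    # Strip every permitted character; whatever is left is disallowed.
    bad = sorted(set(ALLOWED_RE.sub("", key)))
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def generate_registration_key(groups: int = 4, group_len: int = 8) -> str:
    """Generate a fresh key from the OS CSPRNG, hyphen-grouped for readability.

    The default layout is 4 groups of 8 plus 3 hyphens, 35 characters, within
    the 37-character limit.
    """
    if groups * group_len + (groups - 1) > MAX_KEY_LEN:
        raise ValueError("layout would exceed the 37-character limit")
    return "-".join(
        "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


class RegistrationKeyLedger:
    """Hypothetical operator-side record of which key was issued to which logical
    device, so the one-time-use rule is enforced when the key is typed into the
    Management Center. This is bookkeeping for the person doing the deployment,
    not an FXOS or Management Center feature."""

    def __init__(self) -> None:
        self._issued: dict[str, str] = {}  # key -> logical device name
        self._consumed: set[str] = set()

    def issue(self, device_name: str) -> str:
        """Create the key entered on the Chassis Manager Settings tab (step 10b)."""
        key = generate_registration_key()
        self._issued[key] = device_name
        return key

    def consume(self, device_name: str, key: str) -> bool:
        """Accept the key typed into the Management Center Add Device dialog.

        Returns True only for a well-formed key issued to this device that has
        not been used before; any later attempt with the same key is refused.
        """
        if validate_registration_key(key):
            return False
        if self._issued.get(key) != device_name:
            return False
        if key in self._consumed:
            return False
        self._consumed.add(key)
        return True


if __name__ == "__main__":
    ledger = RegistrationKeyLedger()
    key = ledger.issue("ftd-module-1")
    print("issued:", key, "problems:", validate_registration_key(key))
    print("first registration accepted:", ledger.consume("ftd-module-1", key))
    print("second registration accepted:", ledger.consume("ftd-module-1", key))
```

Generate the key with the script, paste it into the Settings tab in step 10b, and paste the same value into the Registration Key field when registering; the validator tells you before deployment whether a hand-typed key violates the length or character rules.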

3. Register with the Firepower Management Center

Before You Begin

• For the Firepower Threat Defense security module that you plan to register, verify the settings from the Firepower Chassis Manager.

• Firepower Threat Defense running on the Firepower 4100 requires Smart Software Licensing, configurable from the Firepower Management Center.


Procedure

1. Log into the Firepower Management Center using an HTTPS connection in a browser, using the hostname or address of the configured Firepower Management Center. For example, https://MC.example.com.

2. On the web interface for the Management Center, select Devices > Device Management.

3. From the Add drop-down menu, select Add Device.

4. In the Host field, type the IP address of the Firepower Threat Defense device you want to add.

5. In the Display Name field, type a name for the Firepower Threat Defense device as you want it to display in the Management Center.

6. In the Registration Key field, type the same registration key that you used when you configured the Firepower Threat Defense device in the Firepower Chassis Manager.

7. If you are adding a device in a multidomain environment, assign the device to a leaf domain by selecting a value from the Domain drop-down list.

8. From the Access Control Policy drop-down list, select an initial policy to deploy to the security module:

— The Default Access Control policy blocks all traffic from entering your network.

— The Default Intrusion Prevention policy allows all traffic that is also passed by the Balanced Security and Connectivity intrusion policy.

— The Default Network Discovery policy allows all traffic, which is inspected by network discovery only.

— You can select any existing user-defined access control policy. For more information, see “Managing Access Control Policies” in the Firepower Management Center Configuration Guide.

9. Select licenses to apply to the device. Note that:

— Control, Malware, and URL Filtering licenses require a Protection license.

10. Click Register and confirm a successful registration.

4. Configure Policies and Device Settings

After you install Firepower Threat Defense and add the device to the Management Center, you can use the Firepower Management Center user interface to configure device management settings for Firepower Threat Defense running on a Firepower 4100 and to configure and apply access control policies and other related policies to manage traffic using your Firepower Threat Defense security module.

The security policy controls the services provided by the Firepower Threat Defense, such as Next Generation IPS filtering and application filtering. You configure the security policy on the Firepower Threat Defense using the Firepower Management Center. For information about how to configure the security policy, see the Cisco Firepower Configuration Guide or the online help in Firepower Management Center.

5. Upgrade Considerations

If you want to upgrade your Firepower Threat Defense deployment or the Firepower supervisor, or if you want to deploy another application, you need to obtain the latest FXOS platform bundles, application images, and the latest updates from Cisco.com.


Note: You cannot directly upgrade a Firepower Threat Defense logical device. To upgrade a Firepower Threat Defense logical device, you must delete the existing device and then create a new one using the updated image.

If you are upgrading both the FXOS platform bundle image and one or more Application images, you must upgrade the FXOS platform bundle first.

The following procedures describe how to use the Updates page of the System menu to download FXOS platform bundles, application images (such as Firepower Threat Defense or other applications), and the latest updates from Cisco.com, as well as how to upload images and upgrade the supervisor.

• To obtain the necessary FXOS software package and application images, see Download Software Images from Cisco.com, page 8.

• To upload an application or platform bundle, see Upload Software Images to the Firepower 4100, page 8.

• To delete an existing logical device or configuration, see Delete Existing Logical Devices and Application Configurations, page 9.

• To upgrade the supervisor software bundle, see Upgrade the Firepower Supervisor Platform, page 9.

Download Software Images from Cisco.com

Before You Begin

• You must have a Cisco.com account.

• You should be familiar with the compatible platform bundle and Firepower Threat Defense application image versions that are required for your setup.

• You must have Internet access.

Procedure

1. From the Firepower Chassis Manager interface, choose System > Updates. The Available Updates page shows a list of the Firepower 4100 platform bundle images and application images that are available on the chassis.

2. Click the Download latest updates from CCO link at the bottom of the page. The software download page for the Firepower 4100 is opened in a new tab within the browser.

3. Find and download the appropriate software images to your local computer.

Upload Software Images to the Firepower 4100

Before You Begin

Make sure any image you want to upload is available on your local computer.

Procedure

1. From the Firepower Chassis Manager interface, choose System > Updates. The Available Updates page shows a list of the Firepower 4100 platform bundle images and application images that are available on the chassis.

2. Click Upload Image to open the Upload Image dialog box.

3. Click Browse to navigate to and select the images that you want to upload.

4. Click Upload. The selected image is uploaded to the Firepower 4100.

5. Follow the system prompts and accept any end-user license agreements to continue.


Delete Existing Logical Devices and Application Configurations

To upgrade a Firepower Threat Defense logical device or to deploy a different logical device, you must delete the existing device and then create a new one using the updated image. If you are upgrading both the FXOS platform bundle image and an application, you must upgrade the FXOS platform bundle first.

Procedure

1. From the Firepower Chassis Manager interface, choose Logical Devices to open the Logical Devices page.

The Logical Devices page shows a list of configured logical devices on the chassis. If no logical devices have been configured, a message stating so is shown instead.

2. Click the Delete icon associated with each logical device.

3. Click Yes when prompted to delete the logical device.

4. Click Yes when prompted to delete the application configuration. This final step is necessary for a successful installation of Firepower Threat Defense.

What To Do Next

• Check the running version of the Firepower FXOS software running on the chassis to determine if it needs to be upgraded to support running Firepower Threat Defense or any other application on the security engine.

Upgrade the Firepower Supervisor Platform

The running version of FXOS is displayed at the top of the Overview page on the Firepower Chassis Manager web interface. You need to determine if the current version of the FXOS running on the chassis is sufficient to support running your application on the security engine. You upgrade the FXOS platform bundle from the Updates page of the System menu.

Procedure

1. From the Firepower Chassis Manager interface, choose System > Updates. The Available Updates page shows a list of the Firepower 4100 platform bundle images and application images that are available on the chassis.

2. Browse the Image Name column to locate the FXOS platform bundle you need to load.

3. Click the upload/download icon associated with the FXOS platform bundle you need to load.

4. Click Yes on the Update Bundle Image dialog for the selected version. When you click Yes, the selected version will be installed and the device will reboot.

6. Access the Firepower Threat Defense CLI

For initial configuration or for troubleshooting, you can access the Firepower Threat Defense CLI from the Firepower 4100 FXOS supervisor CLI.

Procedure

1. Connect to the supervisor CLI, for example, from the console port or using SSH.

2. Connect to one of the security modules:

connect module <slot> console

Example:

cisco-ssp-A# connect module 1 console
firepower>

3. The first time you connect to the module, you enter the Firepower Chassis Manager module CLI (at the firepower prompt). You must then connect to the Firepower Threat Defense CLI:

connect ftd

Example:

firepower> connect ftd
>

Subsequent connections place you directly in the Firepower Threat Defense CLI.

4. To exit the Firepower Threat Defense connection, type exit.

Example:

> exit
firepower>

5. To access the system diagnostics, type system support diagnostic-cli.

Example:

firepower> system support diagnostic-cli

6. To exit the console connection, type ~. You exit to the Telnet application. Enter quit to exit to the supervisor CLI.

Example:

firepower> ~
telnet> quit
cisco-ssp-A#

7. Where to Go Next

• You can find links to all Firepower 4100 documentation at Firepower 4100 documentation.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of

Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2016 Cisco Systems, Inc. All rights reserved.
