Cisco Firepower 1010 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2021-05-26
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387); Fax: 408 527-0883 ...
You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.
To get started with FMC on the Management network, see Firepower Threat Defense Deployment with FMC, on page. To get started with FMC on a remote network, see Firepower Threat Defense Deployment with a Remote FMC, on page 123.
CLI or ASDM. CSM does not support managing FTDs. CSM is not covered in this guide. For more information, see the CSM user guide.
The ASA REST API lets you automate ASA configuration. However, the API does not include all ASA features, and is no longer being enhanced. The ASA REST API is not covered in this guide. For more information, see the REST API guide.
Device. The Firepower 1010 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). The Firepower 1010 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
Branch Office Tasks (Branch Office Employee):
• Cable the Device, on page
• Power On the Device, on page
Cisco Defense Orchestrator (CDO Admin):
• Log Into CDO with Cisco Secure Sign-On, on page
Note: This procedure assumes you are working with a new firewall running FTD Version 6.7 or later.
Procedure
Step 1 Unpack the chassis and chassis components.
Communicate with the CDO administrator to develop an onboarding timeline.
Cable the Device
This topic describes how to connect the Firepower 1010 to your network so that it can be managed remotely by a CDO administrator.
• If you received a Firepower firewall at your branch office and your job is to plug it in to your network, watch this video.
Firepower Threat Defense Deployment with CDO and Low-Touch Provisioning
Figure 1: Cabling the Firepower 1010
Note: For 6.7, the inside IP address is 192.168.1.1.
Note: Ethernet1/2 through 1/8 are configured as hardware switch ports; PoE+ is also available on Ethernet1/7 and 1/8.
If there is a problem, the Status LED flashes fast amber. If this happens, call your IT department. Step 5 Observe the Status LED on the back or top of the device; when the device connects to the Cisco cloud, the Status LED slowly flashes green.
CDO administrator onboards the FTD to CDO. When you onboard the firewall in CDO using the serial number, the firewall is associated with your CDO tenant in the Cisco cloud. After the branch office administrator cables and powers on the FTD, the firewall connects to the Cisco cloud, and CDO syncs the firewall's configuration automatically.
Create a New Cisco Secure Sign-On Account
Procedure
Step 1 Sign Up for a New Cisco Secure Sign-On Account.
a) Browse to https://sign-on.security.cisco.com.
b) At the bottom of the Sign In screen, click Sign up.
Figure 2: Cisco SSO Sign Up
c) Fill in the fields of the Create Account dialog and click Register.
Enter the email address that you plan to use to log in to CDO and add an Organization name to represent your company. d) After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
Log Into CDO with Cisco Secure Sign-On
You now see the Cisco Secure Sign-On dashboard with the CDO app tiles. You may also see other app tiles. You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
Before you begin Low-touch provisioning (LTP) is a feature that allows a new factory-shipped Firepower 1010 series device to be provisioned and configured automatically, eliminating many of the manual tasks involved with onboarding the device to CDO.
• Apply Smart License: Select this option if your device is not already smart licensed. You have to generate a token using the Cisco Smart Software Manager and copy it into this field.
• Device Already Licensed: Select this option if your device has already been licensed.
You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval. See the following licenses: •...
Click Inventory.
b) On the General tab, click New Token.
c) On the Create Registration Token dialog box, enter the following settings, and then click Create Token:
In CDO, click Devices & Services, and then select the FTD device that you want to license.
Step 4 In the Device Actions pane, click Manage Licenses, and follow the on-screen instructions to enter the smart license generated from Smart Software Manager.
After applying the smart license successfully to the FTD device, the device status shows Connected, Sufficient License. Click the Enable/Disable slider control for each optional license as desired. • Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license.
Step 7 Choose Refresh Licenses to synchronize license information with Cisco Smart Software Manager.
Manage the Device with CDO
After onboarding the firewall to CDO, you can manage the firewall with CDO. To manage the FTD with CDO:
1.
Firepower Threat Defense Deployment with CDO
• Access the FTD and FXOS CLI, on page 57
• Power Off the Firewall Using FDM, on page 59
• What's Next, on page 59
End-to-End Procedure
See the following tasks to deploy FTD with CDO on your chassis.
Pre-Configuration:
• Review the Network Deployment and Default Configuration, on page
• Cable the Device, on page
• Power On the Device, on page
FTD CLI:
• (Optional) Change Management Network Settings at the CLI, on page
Firepower Device Manager:
• Log Into FDM, on page ...
FTD performs all routing and NAT for your inside networks. If you need to configure PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in FDM.
IP address to be on a new network.
• If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network.
Figure 9: Suggested Network Deployment
• (6.5 and later) Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1
• (6.4) Software switch (Integrated Routing and Bridging)—Ethernet 1/2 through 1/8 belong to bridge group interface (BVI) 1
• outside—Ethernet 1/1, IP address from IPv4 DHCP and IPv6 autoconfiguration
• inside→outside traffic flow
• DNS server for management—OpenDNS: (IPv4) 208.67.222.222, 208.67.220.220; (IPv6) 2620:119:35::35, or servers you specify during setup. DNS servers obtained from DHCP are never used.
• NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, or servers you specify during setup
• Default routes
• ...
For 6.7 and earlier, the inside IP address is 192.168.1.1. For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45. Manage the Firepower 1010 on either Management 1/1 or Ethernet 1/2 through 1/8. The default configuration also configures Ethernet1/1 as outside.
The power turns on automatically when you plug in the power cord.
Step 2 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
Password: Admin123
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.15
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
Use OpenDNS to reload the appropriate IP addresses into the fields.
Firewall Hostname—The hostname for the system's management address.
Step 3 Configure the system time settings and click Next.
a) Time Zone—Select the time zone for the system.
The first factor is a username and password, and the second is a one-time password (OTP), which is generated on demand from Duo Security. After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported Cisco products.
• Use a current version of Firefox or Chrome.
Procedure
Step 1 Sign Up for a New Cisco Secure Sign-On Account.
a) Browse to https://sign-on.security.cisco.com.
b) At the bottom of the Sign In screen, click Sign up.
Figure 12: Cisco SSO Sign Up
c) Fill in the fields of the Create Account dialog and click Register.
CDO using this method.
Note: If you have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you cannot see your device's events in SecureX or benefit from other SecureX features.
• Your device can use either a 90-day evaluation license or it can be smart-licensed. You will not need to unregister licenses installed on the device from the Cisco Smart Software Manager.
• Make sure DNS is configured properly on your FTD device.
You can skip copying the registration key and click Next to complete the placeholder entry for the device and register the device later. This option is useful when you're attempting to create the device first and later register it, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
Onboard an FTD with a Registration Key (Version 6.4 or 6.5)
j) (6.6) Refresh the Cloud Services page. If the device successfully registered with the Cisco cloud, on the Cisco Defense Orchestrator tile, click Enable.
Under System Settings, click Cloud Services.
b) Click Get Started in the Cisco Defense Orchestrator group.
c) In the Region field, choose the Cisco cloud region to which your tenant is assigned:
• Choose US if you log in to defenseorchestrator.com.
Note: Disabling this option does not affect any previously scheduled updates you may have configured through FDM.
Step 6 In the Credentials area, enter the username as admin and enter the password that you set during initial setup. Then click Next.
Step 7 Choose Refresh Licenses to synchronize license information with Cisco Smart Software Manager.
Configure the Device in CDO
The following steps provide an overview of additional features you might want to configure. Please click the help button (?) on a page to get detailed information about each step.
If you configured other inside interfaces, it is very typical to set up a DHCP server on those interfaces. Click + to configure the server and address pool for each inside interface.
IP address of the ISP gateway (you must obtain the address from your ISP). You can create this object by clicking Create New Object at the bottom of the Gateway drop-down list.
IP addresses or URLs. By blacklisting known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need to edit the policy to add or remove items in the blacklist.
You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.
To exit the FTD CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?.
Example:
> exit
firepower#
After the chassis has successfully powered off, you can then unplug the power to physically remove power from the chassis if necessary.
What's Next
To continue configuring your FTD using CDO, see the CDO Configuration Guides. For additional information related to using CDO, see the Cisco Defense Orchestrator home page.
Firepower Threat Defense Deployment with FDM
See the following tasks to deploy FTD with FDM on your chassis.
Pre-Configuration:
• Review the Network Deployment and Default Configuration, on page
• Cable the Device, on page
• Power On the Device, on page
• If you add the FTD to an existing inside network, you will need to change the inside IP address to be on the existing network.
The following figure shows the default network deployment for FTD using FDM with the default configuration.
Ethernet1/7 and 1/8. In version 6.4, Ethernet1/2 through 1/8 are configured as bridge group members (software switch ports); PoE+ is not available. The initial cabling is the same for both versions. Manage the Firepower 1010 on either Management 1/1 or Ethernet 1/2 through 1/8. The default configuration also configures Ethernet1/1 as outside.
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
Step 2 Connect to the FTD CLI.
connect ftd
Example:
• Security zones for the inside and outside interfaces.
• An access rule trusting all inside to outside traffic.
• An interface NAT rule that translates all inside to outside traffic to unique ports on the IP address of the outside interface.
You must have a smart license account to obtain and apply the licenses that the system requires. Initially, you can use the 90-day evaluation license and set up smart licensing later.
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the FTD.
In FDM, click Device, and then in the Smart License summary, click View Configuration. You see the Smart License page.
Step 4 Click Register Device. Then follow the instructions on the Smart License Registration dialog box to paste in your token:
You return to the Smart License page. While the device registers, you see the following message: After the device successfully registers and you refresh the page, you see the following:
Step 6 Click the Enable/Disable control for each optional license as desired.
Configure Licensing
• Enable—Registers the license with your Cisco Smart Software Manager account and enables the controlled features. You can now configure and deploy policies controlled by the license.
• Disable—Unregisters the license with your Cisco Smart Software Manager account and disables the controlled features.
You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces.
Note: The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on Device > System Settings > Management Interface.
Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.
Step 3 To exit the FTD CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?.
Example:
This information is also shown in show version system, show running-config, and show inventory output. Step 3 To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command.
Firepower system. The Firepower 1010 chassis does not have an external power switch. You can power off the firewall using FDM, or you can use the FXOS CLI.
To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FDM, see Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Firepower Threat Defense Deployment with FMC
What's Next?, on page 121
Before You Start
Deploy and perform initial configuration of the FMC. See the FMC getting started guide.
End-to-End Procedure
See the following tasks to deploy the FTD with FMC on your chassis.
Pre-Configuration:
• Cable the Device (6.5 and Later), on page 92
• Cable the Device (6.4), on page
• Power On the Device, on page
FTD CLI:
• Complete the FTD Initial Configuration, on page
Firepower Management Center:
• Log Into the Firepower Management Center, on page
FTD require internet access from management for licensing and updates. In the following diagram, the Firepower 1010 acts as the internet gateway for the Management interface and the FMC by connecting Management 1/1 directly to an inside switch port, and by connecting the FMC and management computer to other inside switch ports.
FTD require internet access from management for licensing and updates. In the following diagram, the Firepower 1010 acts as the internet gateway for the Management interface and the FMC by connecting Management 1/1 to an inside interface through a Layer 2 switch, and by connecting the FMC and management computer to the switch.
Figure 38: Suggested Network Deployment
Cable the Device (6.5 and Later)
To cable the recommended scenario on the Firepower 1010, see the following illustration, which shows a sample topology using Ethernet1/1 as the outside interface and the remaining interfaces as switch ports on the inside network.
Figure 39: Cabling the Firepower 1010
Note: For version 6.5 and earlier, the Management 1/1 default IP address is 192.168.45.45.
Procedure
Step 1 Connect Management1/1 directly to one of the switch ports, Ethernet1/2 through 1/8.
Cable the Device (6.4)
To cable the recommended scenario on the Firepower 1010, see the following illustration, which shows a sample topology using a Layer 2 switch.
Note: Other topologies can be used, and your deployment will vary depending on your requirements.
In 6.7 and later: If you do not want to use the Management interface for FMC access, you can use the CLI to configure a data interface instead. You will also configure FMC communication settings.
• Enter the IPv4 default gateway for the management interface—The data-interfaces setting applies only to remote FMC or Firepower Device Manager management; you should set a gateway IP address for Management 1/1 when using FMC on the management network. In the edge deployment example ...
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
If the FTD is behind a NAT device, enter a unique NAT ID along with the FMC IP address or hostname, for example:
Example:
> configure manager add 10.70.45.5 regk3y78 natid56
Manager successfully configured.
What to do next
Register your device to an FMC.
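A pre-flight check for the answers to the management-interface setup dialog and for the configure manager add command shown in this guide, added here as an example; it is not code from the guide or from Cisco. It uses the dialog's sample values, applies the guide's rule that an FMC on the management network needs a real gateway IP rather than data-interfaces, and the hostname rule (RFC 1123 labels, at least two of them) is an assumption.

```python
"""Pre-flight check for FTD initial-setup answers (constructed example, not Cisco code).

A wrong mask or gateway on Management 1/1 cuts off the very session you are
configuring from, so validate the answers before typing them at the FTD CLI.
"""
import ipaddress
import re

# Defaults offered by the setup dialog in this guide.
DEFAULT_DNS = "208.67.222.222,208.67.220.220"
# Special gateway value; the guide says it applies only to remote FMC/FDM management.
DATA_INTERFACES = "data-interfaces"

# Assumed hostname rule (not from the guide): RFC 1123 labels, at least two of them.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_mgmt_settings(address, netmask, gateway, hostname, dns=DEFAULT_DNS,
                        fmc_on_mgmt_network=False):
    """Return a list of problems with the proposed answers (empty list = consistent).

    fmc_on_mgmt_network=True models the guide's 'FMC on the management network'
    deployment, where a real gateway IP must be set instead of 'data-interfaces'.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    except ValueError as exc:
        return [f"management address/netmask invalid: {exc}"]
    net = iface.network
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{address} is the network or broadcast address of {net}")

    if gateway == DATA_INTERFACES:
        if fmc_on_mgmt_network:
            problems.append("'data-interfaces' applies only to remote FMC or FDM management; "
                            "set a gateway IP for Management 1/1")
    else:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append(f"gateway {gateway!r} is not an IPv4 address")
        else:
            if gw not in net:
                problems.append(f"gateway {gw} is outside the management subnet {net}")
            elif gw == iface.ip:
                problems.append("gateway is the same as the management address")

    labels = hostname.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        problems.append(f"hostname {hostname!r} is not fully qualified")

    if dns != "none":
        for server in (s.strip() for s in dns.split(",")):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                problems.append(f"DNS server {server!r} is not an IP address")
    return problems


def manager_add_command(fmc_host, reg_key, nat_id=None, behind_nat=False):
    """Build the 'configure manager add' line that registers the FTD with an FMC.

    The guide's example for an FTD behind a NAT device is
    'configure manager add 10.70.45.5 regk3y78 natid56'; in that case the
    NAT ID is mandatory, so the function refuses to build the line without it.
    """
    if behind_nat and not nat_id:
        raise ValueError("FTD is behind NAT: a unique NAT ID is required")
    parts = ["configure manager add", fmc_host, reg_key]
    if nat_id:
        parts.append(nat_id)
    return " ".join(parts)


if __name__ == "__main__":
    # The sample answers from the guide's dialog, checked for the FMC-on-management-network case.
    print(check_mgmt_settings("10.10.10.15", "255.255.255.192", "10.10.10.1",
                              "ftd-1.cisco.com", fmc_on_mgmt_network=True))
    print(manager_add_command("10.70.45.5", "regk3y78", "natid56", behind_nat=True))
```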
• FTD management IP address or hostname, and NAT ID, if configured
• FMC registration key
Procedure
Step 1 In FMC, choose Devices > Device Management.
Step 2 From the Add drop-down list, choose Add Device, and enter the following parameters.
• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page 115.
This section describes how to configure a basic security policy with the following settings:
• Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface.
• DHCP server—Use a DHCP server on the inside interface for clients.
The following example configures a routed mode inside interface (VLAN1) with a static address and a routed mode outside interface using DHCP (Ethernet1/1).
Procedure
Step 1 Choose Devices > Device Management, and click the Edit icon for the device.
Step 2 Click Interfaces.
(Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID.
d) Click OK.
Step 5 Add the inside VLAN interface.
a) Click Add Interfaces > VLAN Interface. The General tab appears.
ID in your configuration.
g) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in slash notation. For example, enter 192.168.1.1/24.
Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New. For example, add a zone called outside_zone.
The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.
Procedure
Step 1 Choose Devices > Device Management, and click the Edit icon for the device.
Step 2 Click Interfaces.
Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most ...
You should not alter any of these basic settings because doing so will disrupt the FMC management connection. You can still configure the Security Zone on this screen for through traffic policies.
Page 112
Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose DHCP > DHCP Server. Step 3 On the Server page, click Add, and configure the following options: Cisco Firepower 1010 Getting Started Guide...
Page 113
IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route page. Procedure Step 1 Choose Devices > Device Management, and click the Edit ( ) for the device. Step 2 Choose Routing > Static Route, click Add Route, and set the following: Cisco Firepower 1010 Getting Started Guide...
Page 114
• Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the default value is 1. Step 3 Click OK. The route is added to the static route table. Cisco Firepower 1010 Getting Started Guide...
The policy is added to the FMC. You still have to add rules to the policy.
Step 3 Click Add Rule. The Add NAT Rule dialog box appears.
Step 4 Configure the basic rule options:
• NAT Rule—Choose Auto NAT Rule.

On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Step 6 On the Translation page, configure the following options:
• Original Source—Click Add to add a network object for all IPv4 traffic (0.0.0.0/0).

Step 1 Choose Policy > Access Policy > Access Policy, and click the Edit icon for the access control policy assigned to the FTD.
Step 2 Click Add Rule, and set the following parameters:

SSH access according to this section. You can only SSH to a reachable interface; if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface.

Click OK.
Step 4 Click Save.
You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session. You can access the CLI by connecting to the console port. You can also access the FXOS CLI for troubleshooting purposes.

Step 3 To exit the FTD CLI, enter the exit or logout command. This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?.
Example:

Firepower system. The Firepower 1010 chassis does not have an external power switch. You can power off the device using the FMC device management page, or you can use the FXOS CLI.

What's Next?
To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide.
• SSH is not enabled by default for data interfaces, so you will have to enable SSH later using FMC. Because the Management interface gateway will be changed to be the data interfaces, you also cannot

IP address for initial setup. You can also optionally configure Dynamic DNS (DDNS) for the outside interface to accommodate changing DHCP IP assignments.
Before You Start
Deploy and perform initial configuration of the FMC. See the FMC getting started guide.

Figure 42: End-to-End Procedure: Manual Provisioning
FTD CLI (Central Administrator): Pre-Configuration Using the CLI, on page 127.
Physical Setup (Branch administrator): Cable the Device, on page 132.
Physical Setup (Branch administrator): Power on the Device, on page 133.

Note If the password was already changed, and you do not know it, then you must reimage the device to reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.
Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

• Manage the device locally?—Enter no to use FMC. A yes answer means you will use Firepower Device Manager instead.
• Configure firewall mode?—Enter routed. Outside FMC access is only supported in routed firewall mode.
Example:

Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
• If you configure a DDNS server update URL, the FTD automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the FTD can validate the DDNS server certificate for the HTTPS connection. The FTD supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the FMC.
Example:
> configure manager add fmc-1.example.com regk3y78 natid56
Manager successfully configured.

Cable the Device
The FMC and your management computer reside at a remote headquarters, and can reach the FTD over the internet. To cable the Firepower 1010, see the following steps.
Figure 43: Cabling a Remote Management Deployment

Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
Step 3 Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on diagnostics.

The Smart Software Manager lets you create a master account for your organization.
• Your Cisco Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to use some features (enabled using the export-compliance flag).
Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside, on page 115.

• Registration key, NAT ID, and FMC IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the FTD using the configure manager add command.

Ethernet1/1 is a regular firewall interface that you can use for outside, and the remaining interfaces are switch ports on VLAN 1; after you add the VLAN1 interface, you can make it your inside interface. You can alternatively assign switch ports to other VLANs, or convert switch ports to firewall interfaces.

Enable the interface by checking the Enabled check box.
c) (Optional) Change the VLAN ID; the default is 1. You will next add a VLAN interface to match this ID.
d) Click OK.
Step 5 Add the inside VLAN interface.
You cannot change the VLAN ID after you save the interface; the VLAN ID is both the VLAN tag used, and the interface ID in your configuration.
g) Click the IPv4 and/or IPv6 tab.

FMC management connection. You can still configure the Security Zone on this screen for through traffic policies.
a) Enter a Name up to 48 characters in length. For example, name the interface outside.
b) Check the Enabled check box.

Choose Devices > Device Management, and click the Edit icon for the device.
Step 2 Choose DHCP > DHCP Server.
Step 3 On the Server page, click Add, and configure the following options:
• Interface—Choose the interface from the drop-down list.

Choose Routing > Static Route, click Add Route, and set the following:
• Type—Click the IPv4 or IPv6 radio button depending on the type of static route that you are adding.
• Interface—Choose the egress interface; typically the outside interface.

Port Address Translation (PAT).
Procedure
Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.

Configure the basic rule options:
• NAT Rule—Choose Auto NAT Rule.
• Type—Choose Dynamic.
Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
) to add a network object for all IPv4 traffic (0.0.0.0/0).
Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects.
• Translated Source—Choose Destination Interface IP.

• Source Zones—Select the inside zone from Available Zones, and click Add to Source.
• Destination Zones—Select the outside zone from Available Zones, and click Add to Destination.
Leave the other settings as is.

The device allows a maximum of 5 concurrent SSH connections.
Note On all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
Deploy the Configuration
Deploy the configuration changes to the FTD; none of your changes are active on the device until you deploy them.

You can later connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port access, which defaults to the FXOS CLI.

This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS CLI, enter ?.
Example:
> exit
firepower#
Troubleshoot Management Connectivity on a Data Interface
Model Support—FTD
> show network
===============[ System Information ]===============
Hostname                 : 5516X-4
DNS Servers              : 208.67.220.220,208.67.222.222
Management port          : 8305
IPv4 Default route
  Gateway                : data-interfaces
IPv6 Default route
  Gateway                : data-interfaces
======================[ br1 ]=======================
State                    : Enabled

At the FTD CLI, use the following command to ping the FMC from the data interfaces:
ping fmc_ip
At the FTD CLI, use the following command to ping the FMC from the Management interface, which should route over the backplane to the data interfaces:
ping system fmc_ip

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

5 in use, 16 most used
Inspect Snort:
        preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect
TCP nlp_int_tap 10.89.5.29(169.254.1.2):51231 outside 10.89.5.35:8305, idle 0:00:04, bytes 86684, flags UxIO
TCP nlp_int_tap 10.89.5.29(169.254.1.2):8305 outside 10.89.5.35:52019, idle 0:00:02,
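The two checks the troubleshooting output above supports, collected into one script: confirm from show network that the Management default gateway is data-interfaces, and confirm from show conn that sftunnel flows to the FMC on the management port (8305) are present on the nlp_int_tap backplane interface. This is an added example, not Cisco code; the sample output is constructed to match the format of the excerpts above, and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample "show network" output modelled on the excerpt above (illustrative values).
SHOW_NETWORK = """\
Hostname                 : ftd-1
DNS Servers              : 208.67.220.220,208.67.222.222
Management port          : 8305
IPv4 Default route
  Gateway                : data-interfaces
IPv6 Default route
  Gateway                : data-interfaces
"""

# Constructed "show conn" lines: two sftunnel flows in the page's format plus an ordinary user flow.
SHOW_CONN = """\
TCP nlp_int_tap 10.89.5.29(169.254.1.2):51231 outside 10.89.5.35:8305, idle 0:00:04, bytes 86684, flags UxIO
TCP nlp_int_tap 10.89.5.29(169.254.1.2):8305 outside 10.89.5.35:52019, idle 0:00:02, bytes 9120, flags UxIO
TCP inside 192.168.1.10:50022 outside 203.0.113.7:443, idle 0:00:10, bytes 4312, flags UIO
"""

# proto, ingress interface, addr(optional xlate):port, egress interface, addr:port, idle h:mm:ss
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+(?P<in_if>\S+)\s+[\d.]+(?:\([\d.]+\))?:(?P<in_port>\d+)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_addr>[\d.]+):(?P<out_port>\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d)"
)

@dataclass
class Conn:
    in_if: str
    in_port: int
    out_if: str
    out_addr: str
    out_port: int
    idle_seconds: int

def parse_show_conn(text: str) -> list:
    """Parse the connection lines of show conn; lines that are not connections are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            h, mnt, s = (int(x) for x in m["idle"].split(":"))
            conns.append(Conn(m["in_if"], int(m["in_port"]), m["out_if"], m["out_addr"],
                              int(m["out_port"]), h * 3600 + mnt * 60 + s))
    return conns

def management_port(show_network: str) -> int:
    """Management port from show network; the FMC tunnel uses 8305 by default."""
    m = re.search(r"Management port\s*:\s*(\d+)", show_network)
    return int(m.group(1)) if m else 8305

def gateway_is_data_interfaces(show_network: str) -> bool:
    """True when every default-route gateway in show network is 'data-interfaces'."""
    gws = re.findall(r"Gateway\s*:\s*(\S+)", show_network)
    return bool(gws) and all(g == "data-interfaces" for g in gws)

def fmc_tunnel_connections(conns: list, port: int, fmc_ip: str) -> list:
    """Flows entering on nlp_int_tap (the backplane tap) to fmc_ip with the management port on either end."""
    return [c for c in conns
            if c.in_if == "nlp_int_tap" and c.out_addr == fmc_ip and port in (c.in_port, c.out_port)]

def check_fmc_management_path(show_network: str, show_conn: str, fmc_ip: str) -> dict:
    """Summarise whether management traffic routes over the data interfaces and is reaching fmc_ip."""
    port = management_port(show_network)
    tunnels = fmc_tunnel_connections(parse_show_conn(show_conn), port, fmc_ip)
    gateway_ok = gateway_is_data_interfaces(show_network)
    return {"gateway_ok": gateway_ok, "tunnel_flows": len(tunnels),
            "min_idle_seconds": min((t.idle_seconds for t in tunnels), default=None),
            "ok": gateway_ok and bool(tunnels)}
```

Paste the real show network and show conn output into the two constants to run the check against your own device; an ok of False with gateway_ok True means the tunnel flows are missing, which is where the ping and sftunnel-status-brief steps in this section come in.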
• The rollback only affects configurations that you can set in FMC. For example, the rollback does not affect any local configuration related to the dedicated Management interface, which you can only configure at the FTD CLI. Note that if you changed data interface settings after the last FMC deployment using

At the FTD CLI, enter the sftunnel-status-brief command to view the management connection status. If it takes more than 10 minutes to reestablish the connection, you should troubleshoot the connection. See Troubleshoot Management Connectivity on a Data Interface, on page 151.

What's Next?
To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using FMC, see the Firepower Management Center Configuration Guide.
ASA Deployment with ASDM
Is This Chapter for You?
This chapter describes how to set up the Firepower 1010 for use with the ASA. This chapter does not cover the following deployments, for which you should refer to the ASA configuration guide:
• ...
• Cisco Security Manager—A multi-device manager on a separate server.
You can also access the FXOS CLI for troubleshooting purposes.
Unsupported Features
General ASA Unsupported Features
The following ASA features are not supported on the Firepower 1010:
• Multiple context mode
• Active/Active failover
• Redundant interfaces
• ...
• Security group tagging (SGT)
Migrating an ASA 5500-X Configuration
You can copy and paste an ASA 5500-X configuration into the Firepower 1010. However, you will need to modify your configuration. Also note some behavioral differences between the platforms.
1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.

Firepower 1120 includes Management 1/1 and Ethernet 1/1 through 1/8.

boot system commands
ASA 5500-X: The ASA 5500-X allows up to four boot system commands to specify the booting image to use.
Firepower 1010: The Firepower 1010 only allows a single boot system command, so you should remove all but one command before you paste. You actually do not need to have any boot system commands present
Review the Network Deployment and Default Configuration, on page 164.
Pre-Configuration: Cable the Device, on page 167.
Pre-Configuration: Power On the Device, on page 33.
ASA CLI: (Optional) Change the IP Address, on page 169.
ASDM: Log Into ASDM, on page 170.

Review the Network Deployment and Default Configuration
The following figure shows the default network deployment for the Firepower 1010 using the default configuration. If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into bridge mode so the ASA performs all routing and NAT for your inside networks.
Firepower 1010 Default Configuration
The default factory configuration for the Firepower 1010 configures the following:
• Hardware switch—Ethernet 1/2 through 1/8 belong to VLAN 1
• inside→outside traffic flow—Ethernet 1/1 (outside), VLAN1 (inside)
• ...

DefaultDNS
 name-server 208.67.222.222 outside
 name-server 208.67.220.220 outside

Cable the Device
Manage the Firepower 1010 on either Management 1/1, or on Ethernet 1/2 through 1/8 (inside switch ports). The default configuration also configures Ethernet 1/1 as outside.
Procedure
Step 1 Connect your management computer to one of the following interfaces:
• ...
(see Firepower 1010 Default Configuration, on page 165). If you need to change the Management 1/1 IP address from the default, you must also cable your management computer to the console port.
HTTP request to HTTPS. The Cisco ASDM web page appears. You may see browser security warnings because the ASA does not have a certificate installed; you can safely ignore these warnings and visit the web page.
Configure Licensing
The ASA uses Cisco Smart Software Licensing. You can use regular Smart Software Licensing, which requires internet access; or for offline management, you can configure Permanent License Reservation or a Satellite server. For more information about these offline licensing methods, see Cisco ASA Series Feature Licenses;...
Make sure your Smart Licensing account contains the available licenses you need, including at a minimum the Standard license. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions...
Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.

(3DES/AES) license if your account allows. ASDM refreshes the page when the license status is updated. You can also choose Monitoring > Properties > Smart License to check the license status, particularly if the registration fails.
Step 7 Set the following parameters:
a) Check Enable Smart license configuration.

Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure features not included in wizards.
Procedure
Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.

• And more...
Step 3 (Optional) From the Wizards menu, run other wizards.
Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.

Step 1 Connect your management computer to the console port. The Firepower 1000 ships with a USB A-to-B serial cable. Be sure to install any necessary USB serial drivers for your operating system (see the Firepower 1010 hardware guide). Use the following serial settings:
• ...

Type help or '?' for a list of available commands.
ciscoasa#
What's Next?
• To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
• For troubleshooting, see the FXOS troubleshooting guide.