Multi-Instance Mode for the Secure Firewall 3100/4200

You can deploy the Secure Firewall 3100/4200 as a single device (appliance mode) or as multiple container instances (multi-instance mode). This chapter describes how to deploy the device in multi-instance mode.

• About Multi-Instance Mode
• ...
Instance Eventing Interface

The Secure Firewall 4200 includes a second dedicated interface, Management 1/2, that you can use for events. You can configure this interface at the threat defense CLI in each instance. Assign an IP address on the same network for each instance.
Interface Types

Physical interfaces, VLAN subinterfaces, and EtherChannel interfaces can be one of the following types:

• Data—Use for regular data or the failover link. Data interfaces cannot be shared between instances, and instances cannot communicate over the backplane to other instances.
Chassis Interfaces vs. Instance Interfaces

Figure 1: VLANs in the Chassis vs. the Instance

Independent Interface States in the Chassis and in the Instance

You can administratively enable and disable interfaces in both the chassis and in the instance. For an interface to be operational, the interface must be enabled in both locations.
Shared Interface Scalability

Instances can share data-sharing type interfaces. This capability lets you conserve physical interface usage as well as support flexible networking deployments. When you share an interface, the chassis uses unique MAC addresses to forward traffic to the correct instance.
Shared Interface Best Practices

Port-Channel3, and Port-Channel4. When you share subinterfaces from a single parent, the VLAN group table provides better scaling of the forwarding table than when sharing physical/EtherChannel interfaces or subinterfaces across parents.

Figure 2: Best: Shared Subinterface Group on One Parent

If you do not share the same set of subinterfaces with a group of instances, your configuration can cause more resource usage (more VLAN groups).
Figure 4: Fair: Shared Subinterfaces on Separate Parents

3. Worst—Share individual parent interfaces (physical or EtherChannel). This method uses the most forwarding table entries.

Figure 5: Worst: Shared Parent Interfaces

How the Chassis Classifies Packets

Each packet that enters the chassis must be classified, so that the chassis can determine to which instance to send a packet.
Classification Examples

Packet Classification with a Shared Interface Using MAC Addresses

The following figure shows multiple instances sharing an outside interface. The classifier assigns the packet to Instance C because Instance C includes the MAC address to which the router sends the packet.

Figure 6: Packet Classification with a Shared Interface Using MAC Addresses

Incoming Traffic from Inside Networks

Note that all new incoming traffic must be classified, even from inside networks.
Figure 7: Incoming Traffic from Inside Networks

Transparent Firewall Instances

For transparent firewalls, you must use unique interfaces. The following figure shows a packet destined to a host on the Instance C inside network from the internet. The classifier assigns the packet to Instance C because the ingress interface is Ethernet 1/2.3, which is assigned to Instance C.
Figure 8: Transparent Firewall Instances

Inline Sets

For inline sets, you must use unique interfaces and they must be physical interfaces or EtherChannels. The following figure shows a packet destined to a host on the Instance C inside network from the internet. The classifier assigns the packet to Instance C because the ingress interface is Ethernet 1/5, which is assigned to Instance C.
Figure 9: Inline Sets

Cascading Instances

Placing an instance directly in front of another instance is called cascading instances; the outside interface of one instance is the same interface as the inside interface of another instance. You might want to cascade instances if you want to simplify the configuration of some instances by configuring shared parameters in the top instance.
Figure 10: Cascading Instances

Note
Do not use cascading instances (using a shared interface) with High Availability. After a failover occurs and the standby unit rejoins, MAC addresses can overlap temporarily and cause an outage. You should instead use unique interfaces for the gateway instance and inside instance using an external switch to pass traffic between the instances.
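The classification examples above (shared interface selected by destination MAC; transparent-mode and inline-set instances selected by their unique ingress interface) and the overlapping-MAC warning in the cascading note can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Cisco code and does not run on the chassis. The instance names, interface names and MAC addresses are constructed sample values (the MACs are from the IANA documentation range), and the "data" / "data-sharing" port-type labels are this model's own.

```python
# Added illustration (not Cisco code) of the two classification rules the
# chapter describes and of the overlapping-MAC condition the cascading note
# warns about. Interface names, instance names and MAC addresses below are
# constructed sample values, not taken from a real chassis.
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    # Interface name -> MAC address this instance uses on that interface.
    macs: dict = field(default_factory=dict)


@dataclass
class Chassis:
    # Interface name -> port type: "data" (unique) or "data-sharing".
    port_types: dict
    instances: list

    def owners(self, ifname):
        """Instances that have the interface assigned."""
        return [inst for inst in self.instances if ifname in inst.macs]

    def validate(self):
        """Return configuration problems (empty list means OK).

        Two checks: a "data" interface may be assigned to one instance only,
        and on a "data-sharing" interface every instance needs its own MAC,
        because the destination MAC is what selects the instance.
        """
        problems = []
        for ifname, ptype in self.port_types.items():
            owners = self.owners(ifname)
            if ptype == "data" and len(owners) > 1:
                names = ", ".join(inst.name for inst in owners)
                problems.append(f"{ifname}: data interface assigned to {names}")
            seen = {}
            for inst in owners:
                mac = inst.macs[ifname].lower()
                if mac in seen:
                    problems.append(
                        f"{ifname}: MAC {mac} used by both {seen[mac]} and {inst.name}")
                seen[mac] = inst.name
        return problems

    def classify(self, ingress, dst_mac):
        """Return the name of the instance that receives the packet, or None.

        Unique (data) interface: the ingress interface alone decides, which
        is why transparent-mode instances and inline sets must use unique
        interfaces. Shared interface: the destination MAC decides.
        """
        owners = self.owners(ingress)
        if not owners:
            return None
        if self.port_types.get(ingress) == "data":
            return owners[0].name
        for inst in owners:
            if inst.macs[ingress].lower() == dst_mac.lower():
                return inst.name
        return None


def sample_chassis(overlap=False):
    """Constructed chassis modelled on Figures 6 to 9.

    Port-Channel2 is a shared outside interface for A, B and C; Ethernet1/2.3
    is a unique subinterface for transparent-mode C; Ethernet1/5 is a unique
    physical interface for C's inline set. With overlap=True, B is given A's
    MAC on the shared interface, the condition the cascading note describes.
    """
    a = Instance("A", {"Port-Channel2": "00:00:5e:00:53:a1", "Ethernet1/2.1": "00:00:5e:00:53:a2"})
    b = Instance("B", {"Port-Channel2": "00:00:5e:00:53:b1", "Ethernet1/2.2": "00:00:5e:00:53:b2"})
    c = Instance("C", {"Port-Channel2": "00:00:5e:00:53:c1", "Ethernet1/2.3": "00:00:5e:00:53:c2",
                       "Ethernet1/5": "00:00:5e:00:53:c3"})
    if overlap:
        b.macs["Port-Channel2"] = a.macs["Port-Channel2"]
    return Chassis(
        port_types={"Port-Channel2": "data-sharing", "Ethernet1/2.1": "data",
                    "Ethernet1/2.2": "data", "Ethernet1/2.3": "data", "Ethernet1/5": "data"},
        instances=[a, b, c],
    )


if __name__ == "__main__":
    ch = sample_chassis()
    print(ch.validate())                                      # []
    print(ch.classify("Port-Channel2", "00:00:5e:00:53:c1"))  # C
    print(ch.classify("Ethernet1/2.3", "ff:ff:ff:ff:ff:ff"))  # C
    print(sample_chassis(overlap=True).validate())            # one MAC overlap on Port-Channel2
```

The validate() check is the part worth keeping in mind operationally: a packet whose destination MAC matches two instances on a shared interface is exactly the situation the note describes after a failover, and the model reports it as a configuration error rather than picking an instance.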
Typical Multi-Instance Deployment

• Outside—All instances use the Port-Channel2 interface (data-sharing type). This EtherChannel includes two 10 Gigabit Ethernet interfaces. Within each application, the interface uses a unique IP address on the same outside network.
50% of the throughput. Moreover, the throughput available to an instance may be less than that available to an appliance. For detailed instructions on calculating the throughput for instances, see https://www.cisco.com/c/en/us/products/collateral/security/firewalls/white-paper-c11-744750.html.

Instances and High Availability

You can use High Availability using an instance on 2 separate chassis; for example, if you have 2 chassis, each with 10 instances, you can create 10 High Availability pairs.
Requirements and Prerequisites for Instances

• Secure Firewall 3120
• Secure Firewall 3130
• Secure Firewall 3140
• Secure Firewall 4215
• Secure Firewall 4225
• Secure Firewall 4245

Note
The Secure Firewall 3105 is not supported.

Maximum Container Instances and Resources per Model

For each container instance, you can specify the number of CPU cores (or more specifically, threads) to assign to the instance.

• Use the same resource profile attributes. The profile names can be different, but the definitions need to match.

Management Center Requirements

For chassis management and all instances on the chassis, you must use the same management center due to the licensing implementation.
Guidelines and Limitations for Instances

• The chassis does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the chassis will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch.
• You cannot use a data-sharing interface with a transparent firewall mode instance.
• You cannot use a data-sharing interface with inline sets or passive interfaces.
• You cannot use a data-sharing interface for the failover link.

Default MAC Addresses

• ...

Configure Instances
Convert a Device to Multi-Instance Mode

with the exception of the Management network settings and the admin password. The chassis hostname is set to "firepower-model." The Management IP address is assigned to the chassis for the management connection with the management center.
Figure 13: Bulk Conversion

Step 2 Confirm that you want to perform the conversion and click Continue.

Figure 14: Conversion Confirmation

A readiness check is performed. The check might fail if, for example, a deployment is in progress.

Step 3 Optionally change the name of the chassis, and click Convert to Multi-Instance.
Figure 15: Rename Chassis

Wait for approximately 15 minutes, during which the device is removed from the device list, and then after conversion, it is re-added as a chassis.

Step 4 To view and configure the chassis, click Manage in the Chassis column, or click Edit ( ).
Configure Chassis Interfaces

At the chassis level, you configure basic Ethernet settings of physical interfaces, VLAN subinterfaces for instances, and EtherChannel interfaces. By default, physical interfaces are disabled.

Note
To configure breakout ports and perform other network module operations, see Manage the Network Module for the Secure Firewall 3100/4200.
Configure a Physical Interface

Figure 18: Interfaces

Step 3 Click Edit ( ) for the interface you want to edit.
Figure 19: Edit Physical Interface

Step 4 Enable the interface by checking the Enabled check box.
Step 5 For the Port Type, choose Data or Data Sharing.

Figure 20: Port Type

Step 6 Set the Admin Duplex.
sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.

Note
The threat defense supports transmitting pause frames so that the remote peer can rate-control the traffic.
Configure an EtherChannel

Procedure

Step 1 From Devices > Device Management, click Manage in the Chassis column or click Edit ( ).

Figure 21: Manage Chassis

The Chassis Manager page opens for the chassis, at the Summary page.

Step 2 Click Interfaces.
Figure 23: Add EtherChannel

Step 4 Set the following Interfaces parameters.

Figure 24: Interfaces Settings

a) For the EtherChannel ID, specify an ID between 1 and 48.
b) Check Enabled.
c) For the Port Type, choose Data or Data Shared.
Many of these settings (excluding the LACP settings) set the requirements for interfaces to be included in the EtherChannel; they do not override the settings of member interfaces. So if you check LLDP Transmit, for example, you should only add interfaces that have that setting.
The default is Fast.
e) Choose the required Link Layer Discovery Protocol (LLDP) settings for member interfaces by checking LLDP Transmit and/or LLDP Receive.
f) Check the required Flow Control Send setting for member interfaces.

Step 6 Click Save and then Save in the top right of the Interfaces page.
Configure a Subinterface

Figure 27: Interfaces

Step 3 Click Add > Subinterface.

Figure 28: Add Subinterface

Step 4 Set the following parameters.
Figure 29: Subinterface Settings

Step 5 Click Save and then Save in the top right of the Interfaces page.

You can now Deploy the policy to the chassis. The changes are not active until you deploy them.

Add an Instance

You can add one or more instances to a chassis in multi-instance mode.
Figure 31: Instances

Step 3 On Agreement, check I understand and accept the agreement, then click Next.

Figure 32: Agreement
Devices > Chassis Upgrade. When you upgrade, both the old version and the new version will be listed in the menu. To download an older package, you need to use the FXOS CLI. See Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense.
Expert Mode. We recommend disabling this option to increase isolation between instances. Use Expert Mode only if a documented procedure tells you it is required, or if the Cisco Technical Assistance Center asks you to use it. To enter this mode, use the expert command in the threat defense CLI.
• Device SSH Password—Set the threat defense admin user password for CLI access, either SSH or console. Repeat the password in the Confirm Password field.

Step 5 On Interface Assignment, assign the chassis interfaces to the instance, then click Next.

Figure 35: Interface Assignment

Shared interfaces show the sharing icon ( ).

Step 6 ...
Figure 36: Device Management

• Device Group
• Access Control Policy—Choose an existing access control policy, or create a new policy.
• Platform Settings—Choose an existing platform setting policy, or create a new policy.
• ...
Figure 37: Summary

You can edit any settings on this screen before saving the instance. After you save, the instance is added to the Instances screen.

Step 8 On the Instances screen, click Save.
Step 9 Deploy the chassis configuration.

Customize the System Configuration
Before you begin

Configure SNMP for one of the instances. See SNMP.

Procedure

Step 1 From Devices > Device Management, click Manage in the Chassis column or click Edit ( ).

Figure 38: Manage Chassis

The Chassis Manager page opens for the chassis, at the Summary page.
Import or Export the Chassis Configuration

Before you begin

For the chassis where you want to import a configuration, the following characteristics must match:

• Same chassis software version
• Same threat defense instance images
• ...
Figure 42: Export File Created Successfully

c) Download the export file by clicking the notification message (Download Export Package) or by clicking Download.

Figure 43: Download

The file is saved with the .sfo extension.

Step 5 To import a configuration, drag the .sfo file on the Import > ...
Figure 44: Import

Configure Chassis Platform Settings

Chassis platform settings configure a range of features for managing the chassis. You can share the policy among multiple chassis. If you want different settings per chassis, you must create multiple policies.

Create a Chassis Platform Settings Policy

Use the Platform Settings page (Devices > ...
Step 4 To change the target chassis for a policy, click Edit ( ) next to the platform settings policy that you want to edit.
a) Click Policy Assignment.
b) To assign a chassis to the policy, select it in the Available Chassis list and click Add. You can also drag and drop.

Configure DNS
Figure 46: Add DNS Server Group

Step 5 Either select an existing DNS server group (see Creating DNS Server Group Objects), or click New Group. If you add a new group, you see the following dialog box. Provide a name and up to four DNS server IP addresses as comma-separated values, and click Add.

Configure SSH and SSH Access List
Procedure

Step 1 Choose Devices > Platform Settings and create or edit the chassis policy.
Step 2 Choose SSH.
Step 3 To enable SSH access to the chassis, enable the Enable SSH Server slider.

Figure 48: SSH

Step 4 To set the allowed Algorithms, click Edit ( ).
Figure 49: Add Algorithms

a) Select the Encryption algorithms.
b) Select the Key Exchange algorithms. The key exchange provides a shared secret that cannot be determined by either party alone. The key exchange is combined with a signature and the host key to provide host authentication.
Figure 50: SSH

• Strict Host Keycheck—Choose enable, disable, or prompt to control SSH host key checking.
  • enable—The connection is rejected if the host key is not already in the FXOS known hosts file. You must manually add hosts at the FXOS CLI using the enter ssh-host command in the system/services scope.
Figure 51: SSH Access List

Step 10 Click Edit ( ) to add network objects and click Save. You can also manually enter IP addresses.
Figure 52: Network Objects

Step 11 Click Save to save all policy changes.

Configure Syslog

You can enable syslogs from the chassis. These syslogs come from the chassis' FXOS operating system.

Procedure

Step 1 Choose Devices > ...
Figure 53: Syslog Local Destinations

Name                 Description
Console Section      Whether the chassis displays syslog messages on the console.
Admin State field    Check the Enable check box if you want to have syslog messages displayed on the console as well as added to the log.
Name                 Description
Monitor Section      Whether the chassis displays syslog messages on the monitor.
Admin State field    Check the Enable check box if you want to have syslog messages displayed on the monitor as well as added to the log. If the Enable check box is unchecked, syslog messages are added to the log but are not displayed on the monitor.
Figure 54: Syslog Remote Destinations

By sending syslog messages to a remote destination, you can archive messages according to the available disk space on the external syslog server, and manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
Name                   Description
Level drop-down list   Select the lowest message level that you want the system to store. The system stores that level and above in the remote file. This can be one of the following:
                       • ...
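The Level setting above is a severity threshold: the remote destination stores messages at the selected level and every level more severe than it. The following Python is an added example written for this page, not Cisco code, of the kind of site-specific script the remote-destination text mentions: it decodes the syslog priority field, applies the same at-or-above rule, and counts messages by severity. The level names are the standard syslog severity names and are an assumption here (the page's own list is truncated); the sample lines are constructed in RFC 3164 form and are not real FXOS output.

```python
# Added example (not Cisco code) of the severity threshold the remote
# destination's Level setting applies: messages at the selected level and
# above (more severe) are kept, the rest dropped. The level names are the
# standard syslog severity names, assumed here; the sample lines are
# constructed in RFC 3164 <PRI> form and are not real FXOS output.
import re

# Standard syslog severities; a lower number is more severe.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "information": 6, "debugging": 7,
}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_LEVELS.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

# Constructed sample messages from a chassis named firepower-3110.
SAMPLE_LINES = [
    "<187>Jan 12 10:01:02 firepower-3110 constructed: port-channel member link down",
    "<188>Jan 12 10:01:05 firepower-3110 constructed: LACP timeout on Ethernet1/3",
    "<190>Jan 12 10:01:09 firepower-3110 constructed: audit: user admin logged in",
    "<9>Jan 12 10:02:00 firepower-3110 constructed: fan tray failure",
    "this line has no priority field and is ignored",
]


def parse_syslog(line):
    """Decode the <PRI> field into facility and severity; None if malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # facility 0..23 and severity 0..7 give at most 191
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITY_NAMES[pri % 8], "message": m.group(2)}


def at_or_above(parsed, level):
    """True when the message is at `level` or more severe."""
    return parsed["severity"] <= SEVERITY_LEVELS[level]


def filter_by_level(lines, level):
    """Return parsed messages that a destination set to `level` would store."""
    kept = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is not None and at_or_above(parsed, level):
            kept.append(parsed)
    return kept


def count_by_severity(lines):
    """Histogram of severity names over the parseable lines."""
    counts = {}
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is not None:
            name = parsed["severity_name"]
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for level in ("errors", "warnings", "debugging"):
        kept = filter_by_level(SAMPLE_LINES, level)
        print(level, [p["severity_name"] for p in kept])
    print(count_by_severity(SAMPLE_LINES))
```

With the constructed input, a destination set to errors keeps two of the four parseable messages (the error and the alert), warnings keeps three, and debugging keeps all four; lines without a priority field are skipped rather than treated as a failure, which is the behaviour you want from a script that tails a live log.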
Figure 55: Syslog Local Sources

Name                          Description
Faults > Enable Admin State   Enable system fault logging.
Audits > Enable Admin State   Enable audit logging.
Events > Enable Admin State   Enable system event logging.

Step 6 Click Save to save all policy changes.

Configure Time Synchronization
Procedure

Step 1 Choose Devices > Platform Settings and create or edit the chassis policy.
Step 2 Choose Time Synchronization.

Figure 56: Time Synchronization

Step 3 If you want to obtain the time from the management center, click Via NTP from Management Center. This option ensures both the chassis and the management center have the same time.
Figure 58: Add New NTP Server

c) For a new server, enter the following fields, and click Add.
• NTP Server Name—A name to identify this server.
• IP/FQDN—The IP address or hostname of the server.
• ...

Configure Time Zones
Figure 59: Time Zones

Step 3 Choose your Time Zone from the drop-down menu.
Step 4 Click Save to save all policy changes.

Manage Multi-Instance Mode

This section describes less common tasks, including changing settings at the FXOS CLI or changing interfaces assigned to the chassis.
Enable Multi-Instance Mode at the CLI

The console port connects to the FXOS CLI.

Step 2 Log in with the username admin and the password Admin123. The first time you log in to FXOS, you are prompted to change the password.

Note
If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default.
The setup script lets you set the Management interface IP address and other settings. However, when you convert to multi-instance mode, the only settings that are retained are the following.
• ...
be re-initialized.
Type ERASE to confirm:ERASE
Exit...
>

Step 7 Add the chassis to the management center. See Add a Chassis to the Management Center.

Change Interfaces Assigned to an Instance

You can allocate or unallocate an interface on the instance.
Figure 61: Instances

Step 3 Click Next until you get to the Interface Assignment screen.

Figure 62: Interface Assignment
Shared interfaces show the sharing icon ( ).

Step 4 Make your interface changes, and then click Next.
Step 5 Click Save on the Summary screen.
Step 6 For high availability, you need to make the same interface changes for the other unit.

Change Chassis Management Settings at the FXOS CLI
firepower-3110 /fabric-interconnect/ipv6-config # set out-of-band static ipv6 2001:DB8::34 ipv6-prefix 64 ipv6-gw 2001:DB8::1

Step 4 Change the management center. You should first unregister the chassis from the current management center.

enter device-manager manager_name [hostname {hostname | ipv4_address | ipv6_address}] [nat-id nat_id]

You are prompted for the registration key.
set deploymode native

You are prompted to reboot.

Example:
firepower-3110# scope system
firepower-3110 /system # set deploymode native
All configuration and bootable images will be lost and system will reboot. If there was out of band upgrade, it might reboot with the base version and need to re-image to get the expected running version.

Monitoring Multi-Instance Mode
firepower-3110 /system # show
Systems:
    Name            Mode         Deploy Mode   System IP Address   System IPv6 Address
    ----------      -----------  -----------   -----------------   -------------------
    firepower-3110  Stand Alone  Container     10.89.5.42

3110-1# scope system
3110-1 /system # show
Systems:
    Name            Mode ...

Monitoring Instance Interfaces
MCAST group 4097 is used for replicating broadcast traffic between ftd1 and ftd2.

firepower-3140(local-mgmt)# show portmanager switch forward-rules hardware mac-filter
VLAN    SRC_PORT      PC_ID   SRC_ID        DST_PORT   PKT_CNT   DMAC
21305   0:0:0:0:0:0   50976   0:0:0:0:0:0   2452       1541 ...
• Devices > Device Management > Select Bulk Action > Convert to Multi-Instance

Feature                                             Version   Details
Multi-instance mode for the Secure Firewall 4200    7.6.0     Multi-instance mode is now supported for the Secure Firewall 4200.
Multi-instance mode for the Secure Firewall 3100    7.4.1     You can deploy the Secure Firewall 3100 as a single device (appliance mode) ...