Step 1 |
Connect to the Firewall Threat Defense CLI, either from the console port or using SSH to the Management interface, which obtains an IP address from a DHCP server by default. If you intend to change the network settings, we recommend using the console port so you do not get disconnected.
The console port connects to the FXOS CLI. The SSH session connects directly to the Firewall Threat Defense CLI. The exception is the ISA 3000, where the console connection connects to the Firewall Threat Defense CLI.
|
Step 2 |
Log in with the username admin and the password Admin123.
At the console port, you connect to the FXOS CLI. The first time you log in to FXOS, you are prompted to change the password. This password is also used for the Firewall Threat Defense login for SSH.
Example:
firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
[...]
Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.
[...]
firepower#
|
Step 3 |
If you connected to FXOS on the console port, connect to the Firewall Threat Defense CLI.
Example:
firepower# connect ftd
>
|
Step 4 |
The first time you log in to the Firewall Threat Defense, you are prompted to accept the End User License Agreement (EULA) and, if using an SSH connection, to change the admin password. You are then presented with the CLI setup script.
Note |
You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging. However, all of these settings can be changed later at the CLI using configure network commands. See the threat defense command reference.
|
Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
Note |
The Management interface settings are used even when you enable manager access on a data interface. For example, the management traffic that is routed over the backplane through the data interface will resolve FQDNs using the Management interface DNS servers, and not the data interface DNS servers.
|
See the following guidelines:
- Do you want to configure IPv4? and/or Do you want to configure IPv6?—Enter y for at least one of these types of addresses.
- Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for the management interface—If you want to use a data interface for manager access instead of the Management interface, choose manual. Although you do not plan to use the Management interface, you must set an IP address, for example, a private address. Make sure this interface is on a different subnet from the manager access interface to prevent routing issues. You cannot configure a data interface for management if the management interface is set to DHCP, because the default route, which must be data-interfaces (see the next bullet), might be overwritten with one received from the DHCP server.
- Enter the IPv4 default gateway for the management interface and/or Configure IPv6 via DHCP, router, or manually?—If you want to use a data interface for manager access instead of the management interface, set the gateway to be data-interfaces. This setting forwards management traffic over the backplane so it can be routed through the manager access data interface. If you want to use the Management interface for manager access, you should set a gateway IP address on the Management 1/1 network.
- If your networking information has changed, you will need to reconnect—If you are connected with SSH but you change the IP address at initial setup, you will be disconnected. Reconnect with the new IP address and password. Console connections are not affected.
- Manage the device locally?—Enter no to use the management center. A yes answer means you will use Secure Firewall Device Manager instead.
- Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Note that data interface manager access is only supported in routed firewall mode.
Example:
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
Cisco General Terms
[...]
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
System initialization in progress. Please stand by.
You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.61]: 10.89.5.17
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.89.5.1
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35
Setting DNS domains:cisco.com
Setting hostname as 1010-3
Setting static IPv4: 10.89.5.17 netmask: 255.255.255.192 gateway: 10.89.5.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: no
DHCP server is already disabled
DHCP Server Disabled
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...
Device is in OffBox mode - disabling/removing port 443 from iptables.
Update policy deployment information
- add device configuration
- add network discovery
- add system policy
You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.
When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'
However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>
|
Step 5 |
Identify the management center that will manage this Firewall Threat Defense.
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
- {hostname | IPv4_address | IPv6_address | DONTRESOLVE}—Specifies either the FQDN or IP address of the management center. If the management center is not directly addressable, use DONTRESOLVE and also specify the nat_id. At least one of the devices, either the management center or the Firewall Threat Defense, must have a reachable IP address to establish the two-way, TLS-1.3-encrypted communication channel between the two devices. If you specify DONTRESOLVE in this command, then the Firewall Threat Defense must have a reachable IP address or hostname.
- reg_key—Specifies a one-time registration key of your choice that you will also specify on the management center when you register the Firewall Threat Defense. The registration key must be between 2 and 36 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).
- nat_id—Specifies a unique, one-time string of your choice that you will also specify on the management center when you register the Firewall Threat Defense. The NAT ID must be between 2 and 36 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the management center. The NAT ID is used in combination with the IP address to verify that the connection is coming from the correct device; only after authentication of the IP address/NAT ID will the registration key be checked. We recommend that you always use the NAT ID even when it is optional, but it is required if:
  - You set the IP address to DONTRESOLVE.
  - When adding the device on the management center, you do not specify a reachable device IP address or hostname.
  - You use the data interface for management, even if you specify IP addresses on both sides.
  - The management center uses multiple management interfaces.
Example:
> configure manager add MC.example.com 123456
Manager successfully configured.
Example:
If the management center is behind a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
> configure manager add DONTRESOLVE regk3y78 natid90
Manager successfully configured.
Example:
If the Firewall Threat Defense is behind a NAT device, enter a unique NAT ID along with the IP address or hostname, for example:
> configure manager add 10.70.45.5 regk3y78 natid56
Manager successfully configured.
|
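The rules in Step 5 (key and NAT ID character set and length, when the NAT ID stops being optional, and the reachability requirement with DONTRESOLVE) are easy to get wrong at the prompt, so here is an added helper, not part of the Cisco documentation, that validates the inputs and assembles the configure manager add command line. The function and parameter names are hypothetical; the sample values are the ones from the three examples above.

```python
from __future__ import annotations
import re

# Rule stated for both reg_key and nat_id: 2 to 36 characters from A-Z, a-z, 0-9 and '-'.
_TOKEN = re.compile(r"^[A-Za-z0-9-]{2,36}$")

def plan_manager_registration(manager_addr: str, reg_key: str, nat_id: str | None = None, *,
                              device_reachable: bool = True,
                              data_interface_mgmt: bool = False,
                              manager_multi_mgmt: bool = False) -> tuple[str | None, list[str]]:
    """Validate the inputs to 'configure manager add' against the rules in Step 5.

    manager_addr         hostname, IPv4/IPv6 address, or the literal DONTRESOLVE
    device_reachable     a reachable device IP/hostname will be given on the management center
    data_interface_mgmt  a data interface is used for manager access
    manager_multi_mgmt   the management center uses multiple management interfaces
    Returns (command, []) when the inputs are valid, or (None, [reasons]) when not.
    """
    problems: list[str] = []
    if not _TOKEN.match(reg_key):
        problems.append("reg_key must be 2-36 characters of A-Z, a-z, 0-9 or '-'")
    if nat_id is not None and not _TOKEN.match(nat_id):
        problems.append("nat_id must be 2-36 characters of A-Z, a-z, 0-9 or '-'")
    # At least one side must be reachable for the TLS channel to come up.
    if manager_addr == "DONTRESOLVE" and not device_reachable:
        problems.append("with DONTRESOLVE the device must have a reachable IP address or hostname")
    # Conditions under which the NAT ID is no longer optional.
    reasons = [why for cond, why in (
        (manager_addr == "DONTRESOLVE", "manager address is DONTRESOLVE"),
        (not device_reachable, "no reachable device address will be given on the management center"),
        (data_interface_mgmt, "a data interface is used for manager access"),
        (manager_multi_mgmt, "the management center uses multiple management interfaces"),
    ) if cond]
    if reasons and nat_id is None:
        problems.append("nat_id is required because: " + "; ".join(reasons))
    if problems:
        return None, problems
    parts = ["configure manager add", manager_addr, reg_key] + ([nat_id] if nat_id else [])
    return " ".join(parts), []

if __name__ == "__main__":
    print(plan_manager_registration("MC.example.com", "123456"))
    print(plan_manager_registration("DONTRESOLVE", "regk3y78", "natid90"))
    print(plan_manager_registration("DONTRESOLVE", "regk3y78"))   # NAT ID missing
```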
Step 6 | (Optional) Configure a data interface for manager access.
configure network management-data-interface
After pressing Enter, you are prompted to configure basic network settings for the data interface.
Note |
You should use the console port when using this command. If you use SSH to the Management interface, you might get disconnected and have to reconnect to the console port. See below for more information about SSH usage.
|
See the following details for using this command. See also Using the Firewall Threat Defense data interface for management.
- The original Management interface cannot use DHCP if you want to use a data interface for management. If you did not set the IP address manually during initial setup, you can set it now using the configure network {ipv4 | ipv6} manual command. Make sure this interface is on a different subnet from the manager access interface to prevent routing issues. If you did not already set the Management interface gateway to data-interfaces, this command will set it now.
- When you add the Firewall Threat Defense to the management center, the management center discovers and maintains the interface configuration, including the following settings: interface name and IP address, static route to the gateway, DNS servers, and DDNS server. For more information about the DNS server configuration, see below. In the management center, you can later make changes to the manager access interface configuration, but make sure you don't make changes that can prevent the Firewall Threat Defense or management center from re-establishing the management connection. If the management connection is disrupted, the Firewall Threat Defense includes the configure policy rollback command to restore the previous deployment.
- DDNS ensures the management center can reach the Firewall Threat Defense at its Fully-Qualified Domain Name (FQDN) if the IP address changes. If you configure a DDNS server update URL, the Firewall Threat Defense automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the Firewall Threat Defense can validate the DDNS server certificate for the HTTPS connection. The Firewall Threat Defense supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
- This command sets the data interface DNS server. The Management DNS server that you set with the setup script (or using the configure network dns servers command) is used for management traffic. The data DNS server is used for DDNS (if configured) or for security policies applied to this interface.
  On the management center, the data interface DNS servers are configured in the Platform Settings policy that you assign to this Firewall Threat Defense. When you add the Firewall Threat Defense to the management center, the local setting is maintained, and the DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings policy to the Firewall Threat Defense that includes a DNS configuration, then that configuration will overwrite the local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to bring the management center and the Firewall Threat Defense into sync.
  Also, local DNS servers are only retained by the management center if the DNS servers were discovered at initial registration. For example, if you registered the device using the Management interface, but then later configure a data interface using the configure network management-data-interface command, then you must manually configure all of these settings in the management center, including the DNS servers, to match the FTD configuration.
- You can change the management interface after you register the Firewall Threat Defense to the management center, to either the Management interface or another data interface.
- The FQDN that you set in the setup wizard will be used for this interface.
- You can clear the entire device configuration as part of the command; you might use this option in a recovery scenario, but we do not suggest you use it for initial setup or normal operation.
- To disable data management, enter the configure network management-data-interface disable command.
Example:
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:
DDNS server update URL [none]: https://dwinchester:pa$$w0rd17@domains.example.com/nic/update?hostname=<h>&myip=<a>
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Configuration done with option to allow manager access from any network,
if you wish to change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.
Setting IPv4 network configuration.
Network settings changed.
>
Example:
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Configuration done with option to allow manager access from any network,
if you wish to change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.
Setting IPv4 network configuration.
Network settings changed.
>
|
Step 7 | (Optional) Limit data interface access to a manager on a specific network.
configure network management-data-interface client ip_address netmask
By default, all networks are allowed.
|
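Steps 4, 6 and 7 together impose several constraints on a data-interface manager access design: routed mode, a static (non-DHCP) Management interface whose gateway is data-interfaces, Management and manager access interfaces on different subnets, and, if the client restriction from Step 7 is used, a manager address inside the allowed network. The following added checker, which is not Cisco code and uses hypothetical names, evaluates a planned set of prompt answers against those rules before they are typed at the CLI. The sample values are constructed; the data interface values mirror the second Step 6 example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class ManagerAccessPlan:
    """Values as they would be typed at the setup script, at the
    'configure network management-data-interface' prompts, and for Step 7."""
    firewall_mode: str                 # "routed" or "transparent"
    mgmt_via_dhcp: bool                # Management interface set to DHCP?
    mgmt_ip: str                       # static Management interface address
    mgmt_netmask: str
    mgmt_gateway: str                  # gateway address or the literal "data-interfaces"
    data_ip: str                       # manager access data interface address
    data_netmask: str
    manager_ip: str                    # address of the management center
    client_network: str | None = None  # optional Step 7 restriction, "ip/netmask"

def check_plan(plan: ManagerAccessPlan) -> list[str]:
    """Return every guideline from Steps 4, 6 and 7 that the plan violates;
    an empty list means the plan is consistent."""
    problems: list[str] = []
    if plan.firewall_mode != "routed":
        problems.append("data interface manager access is only supported in routed mode")
    if plan.mgmt_via_dhcp:
        problems.append("Management interface must have a static address, not DHCP")
    if plan.mgmt_gateway != "data-interfaces":
        problems.append("Management interface gateway must be 'data-interfaces'")
    mgmt_net = ipaddress.ip_network(f"{plan.mgmt_ip}/{plan.mgmt_netmask}", strict=False)
    data_net = ipaddress.ip_network(f"{plan.data_ip}/{plan.data_netmask}", strict=False)
    if mgmt_net.overlaps(data_net):
        problems.append(f"Management subnet {mgmt_net} overlaps manager access subnet {data_net}")
    if plan.client_network is not None:
        allowed = ipaddress.ip_network(plan.client_network, strict=False)
        if ipaddress.ip_address(plan.manager_ip) not in allowed:
            problems.append(f"manager {plan.manager_ip} is outside the allowed client network {allowed}")
    return problems

# Constructed sample plans: the Management address is a private one chosen
# only so that it sits on a different subnet from the data interface.
GOOD_PLAN = ManagerAccessPlan("routed", False, "192.168.45.45", "255.255.255.0",
                              "data-interfaces", "10.10.6.7", "255.255.255.0",
                              "10.70.45.5", "10.70.45.0/255.255.255.0")
BAD_PLAN = ManagerAccessPlan("routed", False, "10.10.6.20", "255.255.255.0",
                             "10.89.5.1", "10.10.6.7", "255.255.255.0",
                             "10.70.45.5", "10.89.5.0/255.255.255.0")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "OK")
```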