Cisco Firepower 2100 series User manual

Cisco Firepower 2100 Getting Started Guide

First Published: 2019-09-25

Last Modified: 2019-09-25

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

CHAPTER 1

Firepower Threat Defense Deployment with FDM

Is This Chapter for You?

This chapter explains how to complete the initial set up and configuration of your Firepower Threat Defense

(FTD) device using the Firepower Device Manager (FDM) web-based device setup wizard.

FDM lets you configure the basic features of the software that are most commonly used for small networks.

It is especially designed for networks that include a single device or just a few, where you do not want to use

a high-powered multiple-device manager to control a large network containing many FDM devices.

If you are managing large numbers of devices, or if you want to use the more complex features and

configurations that FTD allows, use the Firepower Management Center (FMC) instead.

The Firepower 2100 Series hardware can run either FTD software or ASA software. Switching between FTD

and ASA requires you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense

Device.

Note

Privacy Collection Statement—The Firepower 2100 Series does not require or actively collect

personally-identifiable information. However, you can use personally-identifiable information in the

configuration, for example for usernames. In this case, an administrator might be able to see this information

when working with the configuration or when using SNMP.

Note

•End-to-End Procedure, on page 2

•Review the Network Deployment and Default Configuration, on page 3

•Cable the Device, on page 5

•Power on the Device, on page 6

•(Optional) Change Management Network Settings at the CLI, on page 7

•Log Into FDM, on page 8

•Complete the Initial Configuration, on page 9

•Configure Licensing, on page 10

•Configure the Device in Firepower Device Manager, on page 16

•Access the FTD and FXOS CLI, on page 19

•Power Off the Device, on page 21

•What's Next?, on page 21

Cisco Firepower 2100 Getting Started Guide

End-to-End Procedure

See the following tasks to deploy FTD with FDM on your chassis.

Review the Network Deployment and Default Configuration, on page 3.Pre-Configuration

Cable the Device, on page 5.Pre-Configuration

Power on the Device, on page 6.Pre-Configuration

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

End-to-End Procedure

(Optional) Change Management Network Settings at the CLI, on page 7.FTD CLI

Log Into FDM, on page 8.Firepower Device

Manager

Complete the Initial Configuration, on page 9.Firepower Device

Manager

(Optional) Configure Licensing, on page 10: Obtain feature licenses.Cisco Commerce

Workspace

Configure Licensing, on page 10: Generate a license token.Smart Software

Manager

Configure Licensing, on page 10: Register the device with the Smart Licensing

Server.

Firepower Device

Manager

Configure the Device in Firepower Device Manager, on page 16.Firepower Device

Manager

Review the Network Deployment and Default Configuration

The following figure shows the default network deployment for Firepower Threat Defense using Firepower

Device Manager on a Firepower 2100 series appliance using the default configuration.

If cannot use the default IP address (for example, you are adding your device to an existing network), then

you can connect to the console port and perform initial setup at the CLI, including setting the Management

IP address, gateway, and other basic networking settings. See (Optional) Change Management Network

Settings at the CLI, on page 7.

Note

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

Review the Network Deployment and Default Configuration

Figure 1: Suggested Network Deployment

Default Configuration

The configuration for the Firepower device after initial setup includes the following:

•inside—Ethernet 1/2, IP address 192.168.1.1

•outside—Ethernet 1/1, IP address from DHCP or an address you specify during setup

•inside→outside traffic flow

•management—Management 1/1 (management)

• IP address 192.168.45.45

The Management 1/1 interface is a special interface separate from data interfaces

that is used for management, Smart Licensing, and database updates. The physical

interface is shared with a second logical interface, the Diagnostic interface.

Diagnostic is a data interface, but is limited to other types of management traffic

(to-the-device and from-the-device), such as syslog or SNMP. The Diagnostic

interface is not typically used. See the FDM configuration guide for more

information.

Note

•DNS server for management

• OpenDNS: 208.67.222.222, 208.67.220.220, or servers you specify during setup

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

Default Configuration

•NTP—Cisco NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org,

or servers you specify during setup

•Default routes

•Data interfaces—Obtained from outside DHCP, or a gateway IP address you specify during setup

•Management interface—Over the backplane and through the data interfaces

Note that the FTD requires internet access for licensing and updates.

•DHCP server—Enabled on the inside interface and management interface

•FDM access—Management and inside hosts allowed

•NAT—Interface PAT for all traffic from inside to outside

Cable the Device

Manage the Firepower 2100 on either Management 1/1 or Ethernet 1/2. The default configuration also

configures Ethernet1/1 as outside.

Procedure

Step 1 Connect your management computer to either of the following interfaces:

• Management 1/1 (labeled MGMT)—Connect your management computer directly to Management 1/1

for initial configuration, or connect Management 1/1 to your management network. Management 1/1 has

a default IP address (192.168.45.45) and also runs a DHCP server to provide IP addresses to clients

(including the management computer), so make sure these settings do not conflict with any existing

inside network settings (see Default Configuration, on page 4).

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

Cable the Device

If you need to change the Management 1/1 IP address from the default, you must also cable your

management computer to the console port. See (Optional) Change Management Network Settings at the

CLI, on page 7.

• Ethernet 1/2—Connect your management computer directly to Ethernet 1/2 for initial configuration, or

connect Ethernet 1/2 to your inside network. Ethernet 1/2 has a default IP address (192.168.1.1) and also

runs a DHCP server to provide IP addresses to clients (including the management computer), so make

sure these settings do not conflict with any existing inside network settings (see Default Configuration,

on page 4).

You can later configure FDM management access from other interfaces; see the FDM configuration guide.

Step 2 Connect the outside network to the Ethernet1/1 interface (labeled WAN).

Step 3 Connect other networks to the remaining interfaces.

Power on the Device

System power is controlled by a rocker power switch located on the rear of the device. The power switch is

implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk of

system software and data corruption.

Before you begin

It's important that you provide reliable power for your device (for example, using an uninterruptable power

supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are

many processes running in the background all the time, and losing power does not allow the graceful shutdown

of your system.

Procedure

Step 1 Attach the power cord to the device and connect it to an electrical outlet.

Step 2 Press the power switch on the back of the device.

Step 3 Check the PWR LED on the front of the device; if it is solid green, the device is powered on.

Step 4 Check the SYS LED on the front of the device; after it is solid green, the system has passed power-on

diagnostics.

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

Power on the Device

When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually

power off. During this time, the PWR LED on the front of the device blinks green. Do not remove

the power until the PWR LED is completely off.

Note

(Optional) Change Management Network Settings at the CLI

If you cannot use the default management or inside IP address (for example, you are adding your device to

an existing network), then you can connect to the console port and perform initial setup at the CLI, including

setting the Management IP address, gateway, and other basic networking settings. You can only configure

the Management interface settings; you must configure data interface settings in FDM.

You cannot repeat the CLI setup script unless you clear the configuration; for example, by reimaging. However,

all of these settings can be changed later at the CLI using configure network commands. See the FTD

command reference.

Note

Procedure

Step 1 Connect to the FTD console port. See Access the FTD and FXOS CLI, on page 19 for more information.

Step 2 Log in with the username admin and the password Admin123.

Step 3 The first time you log in to FTD, you are prompted to accept the End User License Agreement (EULA) and

to change the admin password. You are then presented with the CLI setup script.

Defaults or previously-entered values appear in brackets. To accept previously entered values, press Enter.

See the following guidelines:

•Enter the IPv4 default gateway for the management interface—Enter either data-interfaces or the

IP address of the gateway router. The data-interfaces setting sends outgoing management traffic over

the backplane to exit a data interface. This setting is useful if you do not have a separate Management

network that can access the internet. Traffic originating on the Management interface includes license

registration and database updates that require internet access. If you use data-interfaces, you can still

use FDM on the Management interface if you are directly-connected to the Management network, but

for remote management on Management, you need to enter the IP address of a gateway router on the

Management network. Note that FDM management on data interfaces is not affected by this setting.

•If your networking information has changed, youwill need to reconnect—If you are connected with

SSH to the default IP address but you change the IP address at initial setup, you will be disconnected.

Reconnect with the new IP address and password. Console connections are not affected. Note also that

the DHCP server on Management will be disabled if you change the IP address.

•Manage the device locally?—Enter yes to use FDM. A no answer means you will use FMC instead.

Example:

You must accept the EULA to continue.

Press <ENTER> to display the EULA:

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

(Optional) Change Management Network Settings at the CLI

End User License Agreement

[...]

Please enter 'YES' or press <ENTER> to AGREE to the EULA:

System initialization in progress. Please stand by.

You must change the password for 'admin' to continue.

Enter new password: ********

Confirm new password: ********

You must configure the network to continue.

You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]:

Do you want to configure IPv6? (y/n) [n]:

Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:

Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.15

Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192

Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1

Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com

Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:

Enter a comma-separated list of search domains or 'none' []:

If your networking information has changed, you will need to reconnect.

DHCP Server Disabled

The DHCP server has been disabled. You may re-enable with configure network ipv4

dhcp-server-enable

For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes

Step 4 Log into FDM on the new Management IP address.

Log Into FDM

Log into FDM to configure your FTD.

Before you begin

• Use a current version of Firefox, Chrome, Safari, Edge, or Internet Explorer.

Procedure

Step 1 Enter the following URL in your browser.

• Inside (Ethernet 1/2)—https://192.168.1.1.

•

• Management—https://192.168.45.45. If you changed the Management IP address at the CLI setup, then

enter that address.

Step 2 Log in with the username admin, and thedefault password Admin123.

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with FDM

Log Into FDM

Other manuals for Firepower 2100 Series

This manual suits for next models

Table of contents

Other Cisco Firewall manuals

Cisco

Cisco RV120W Instruction Manual

Cisco

Cisco MEREAKI MX65W User manual

Cisco

Cisco Firepower 1010 Manual

Cisco

Cisco PIX 501 - Security Appliance User manual

Cisco

Cisco ISA3000-4C-K9 Manual

Cisco

Cisco Small Business RV220W User manual

Cisco

Cisco Small Business RV215W User manual

Cisco

Cisco Firepower 4100 Series Manual

Cisco

Cisco LightStream 1010 Instruction Manual

Cisco

Cisco FPR1010-ASA-K9 User manual

Cisco

Cisco 5505 - ASA Firewall Edition Bundle User manual

Cisco

Cisco C690 User manual

Cisco

Cisco Meraki MX100 User manual

Cisco

Cisco 2100 Series User manual

Cisco

Cisco PIX 501 User manual

Cisco

Cisco ASA 5585-X User manual

Cisco

Cisco Firepower 7010, Firepower 7020, Firepower 7030, Firepower 7050, Firepower 7110, Firepower 7120, Firepower 7115, Firepower... User manual

Cisco

Cisco MX400 User manual

Cisco

Cisco PIX 506 - Firewall User manual

Cisco

Cisco PIX 506E - Security Appliance User manual

Cisco

Cisco Firepower 4100 Series User manual

Cisco

Cisco ASA 5506-X User manual

Cisco

Cisco Firepower 1600 Manual

Cisco

Cisco Cisco ASA Series Installation instructions

Popular Firewall manuals by other brands

Fortinet

Fortinet FSM-500F Configuration guide

Fortinet

Fortinet FortiGate Voice Series install guide

SecureLogix

SecureLogix ETM System installation guide

Huawei

Huawei USG6000 Series Upgrade guide

NETGEAR

NETGEAR ProSafe FVX538 Reference manual

Lanner

Lanner FW-8877 user manual

Nexcom

Nexcom DNA 1150 user manual

Fortinet

Fortinet FortiGate-60 series install guide

ADTRAN

ADTRAN NetVanta 2300 Specifications

Swisscom

Swisscom Internet Backup manual

SonicWALL

SonicWALL NSa 5700 quick start guide

DPtech

DPtech FW1000 SERIES Maintenance manual

FEITIAN

FEITIAN MultiPass FIDO product manual

Trend Micro

Trend Micro Deep Edge quick start guide

Smoothwall

Smoothwall S10 Appliance Getting started guide

Draytek

Draytek Vigor 5510Gi user guide

Secure Computing

Secure Computing Sidewinder 7.0 quick start

GTA

GTA GB-200 Product guide

Cisco Firepower 2100 Series User manual

Popular Firewall manuals by other brands