Cisco Telepresence server 7010 User manual

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide.

Addresses, phone numbers, and fax numbers

are listed on the Cisco website at

www.cisco.com/go/offices.

Firepower 7000 and 8000 Series

Installation Guide

Ver sion 6.0

November 5, 2015

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this

URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership

relationship between Cisco and any other company. (1721R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display

output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in

illustrative content is unintentional and coincidental.

Firepower 7000 and 8000 Series Installation Guide

CONTENTS

Introduction to the Firepower System 1-1

Firepower System Appliances 1-2

7000 and 8000 Series Appliances 1-3

Virtual Appliances 1-3

Cisco ASA with FirePOWER Services 1-3

Appliances Delivered with Version 6.0 1-4

Supported Capabilities by Firepower Management Center Model 1-5

Supported Capabilities by Managed Device Model 1-7

7000 and 8000 Series Device Chassis Designations 1-8

Firepower System Components 1-9

Licensing the Firepower System 1-11

Security, Internet Access, and Communication Ports 1-13

Internet Access Requirements 1-13

Communication Ports Requirements 1-14

Preconfiguring Appliances 1-16

Deploying on a Management Network 2-1

Management Deployment Considerations 2-1

Understanding Management Interfaces 2-2

Single Management Interface 2-2

Multiple Management Interfaces 2-2

Deployment Options 2-3

Deploying with Traffic Channels 2-3

Deploying with Network Routes 2-4

Security Considerations 2-5

Special Case: Connecting 8000 Series Devices 2-5

Deploying Firepower Managed Devices 3-1

Sensing Deployment Considerations 3-1

Understanding Sensing Interfaces 3-2

Passive Interfaces 3-2

Inline Interfaces 3-2

Switched Interfaces 3-3

Contents

Firepower 7000 and 8000 Series Installation Guide

Routed Interfaces 3-3

Hybrid Interfaces 3-4

Connecting Devices to Your Network 3-4

Using a Hub 3-4

Using a Span Port 3-5

Using a Network Tap 3-5

Cabling Inline Deployments on Copper Interfaces 3-5

Special Case: Connecting Firepower 8000 Series Devices 3-6

Deployment Options 3-7

Deploying with a Virtual Switch 3-7

Deploying with a Virtual Router 3-8

Deploying with Hybrid Interfaces 3-9

Deploying a Gateway VPN 3-10

Deploying with Policy-Based NAT 3-11

Deploying with Access Control 3-11

Using Multiple Sensing Interfaces on a Managed Device 3-16

Complex Network Deployments 3-18

Integrating with VPNs 3-18

Detecting Intrusions on Other Points of Entry 3-19

Deploying in Multi-Site Environments 3-20

Integrating Multiple Management Interfaces within a Complex Network 3-22

Integrating Managed Devices within Complex Networks 3-23

Installing a Firepower Managed Device 4-1

Included Items 4-1

Security Considerations 4-1

Identifying the Management Interfaces 4-2

Firepower 7000 Series 4-2

Firepower 8000 Series 4-2

Identifying the Sensing Interfaces 4-3

Firepower 7000 Series 4-3

Firepower 8000 Series 4-7

Using Devices in a Stacked Configuration 4-13

Connecting the Firepower 8140 4-14

Connecting the Firepower 82xx Family and Firepower and AMP 83xx Family 4-15

Using the 8000 Series Stacking Cable 4-18

Managing Stacked Devices 4-19

Rack-Mounting a Firepower Device 4-20

Redirecting Console Output 4-22

Contents

Firepower 7000 and 8000 Series Installation Guide

Using the Shell 4-22

Using the Web Interface 4-23

Testing an Inline Bypass Interface Installation 4-24

Setting Up Firepower Managed Devices 5-1

Understanding the Setup Process 5-2

Beginning the Setup 5-2

Performing Initial Setup on a Firepower Device Using the CLI 5-3

Registering a Firepower Device to a Management Center Using the CLI 5-4

Initial Setup Page: Firepower Devices 5-5

Next Steps 5-9

Using the LCD Panel on a Firepower Device 6-1

Understanding LCD Panel Components 6-2

Using the LCD Multi-Function Keys 6-3

Idle Display Mode 6-4

Network Configuration Mode 6-4

Allowing Network Reconfiguration Using the LCD Panel 6-6

System Status Mode 6-7

Information Mode 6-8

Error Alert Mode 6-9

Hardware Specifications 7-1

Rack and Cabinet Mounting Options 7-1

Firepower 7000 Series Devices 7-1

Firepower 7010, 7020, 7030, and 7050 7-1

Firepower 7110 and 7120 7-6

Firepower 7115, 7125, and AMP7150 7-13

Firepower 8000 Series Devices 7-21

Firepower 8000 Series Chassis Front View 7-22

Firepower 8000 Series Chassis Rear View 7-26

Firepower 8000 Series Physical and Environmental Parameters 7-29

Firepower 8000 Series Modules 7-32

Restoring a Firepower System Appliance to Factory Defaults 8-1

Before You Begin 8-1

Configuration and Event Backup Guidelines 8-1

Traffic Flow During the Restore Process 8-1

Understanding the Restore Process 8-2

Contents

Firepower 7000 and 8000 Series Installation Guide

Obtaining the Restore ISO and Update Files 8-3

Beginning the Restore Process 8-4

Starting the Restore Utility Using KVM or Physical Serial Port 8-4

Starting the Restore Utility Using Lights-Out Management 8-5

Using the Interactive Menu to Restore an Appliance 8-6

Identifying the Appliance’s Management Interface 8-8

Specifying ISO Image Location and Transport Method 8-8

Updating System Software and Intrusion Rules During Restore 8-10

Downloading the ISO and Update Files and Mounting the Image 8-10

Invoking the Restore Process 8-11

Saving and Loading Restore Configurations 8-13

Next Steps 8-14

Setting Up Lights-Out Management 8-14

Enabling LOM and LOM Users 8-16

Installing an IPMI Utility 8-17

Power Requirements for Firepower Devices A-1

Warnings and Cautions A-1

Static Control A-1

Firepower 70xx Family Appliances A-1

Installation A-2

Grounding/Earthing Requirements A-2

Firepower 71xx Family Appliances A-3

Installation A-4

Grounding/Earthing Requirements A-5

Firepower 81xx Family Appliances A-5

AC Installation A-6

DC Installation A-7

Grounding/Earthing Requirements A-8

Firepower 82xx Family Appliances A-9

AC Installation A-10

DC Installation A-11

Grounding/Earthing Requirements A-12

Firepower and AMP 83xx Family Appliances A-13

AC Installation A-14

DC Installation A-15

Grounding/Earthing Requirements A-16

Contents

Firepower 7000 and 8000 Series Installation Guide

Using SFP Transceivers in 3D71x5

and AMP7150 Devices B-1

3D71x5 and AMP7150 SFP Sockets and Transceivers B-1

Inserting an SFP Transceiver B-2

To insert an SFP transceiver: B-2

Removing an SFP Transceiver B-3

Inserting and Removing Firepower 8000 Series Modules C-1

Module Slots on the Firepower 8000 Series Devices C-1

Firepower 81xx Family C-1

Firepower 82xx Family and 83xx Family C-2

Included Items C-2

Identifying the Module Parts C-3

Before You Begin C-4

Removing a Module or Slot Cover C-5

Inserting a Module or Slot Cover C-6

Scrubbing the Hard Drive D-1

Scrubbing the Contents of the Hard Drive D-1

Preconfiguring Firepower Managed Devices E-1

Before You Begin E-1

Required Preconfiguration Information E-1

Optional Preconfiguration Information E-2

Preconfiguring Time Management E-2

Installing the System E-3

Registering a Device E-3

Preparing the Appliance for Shipment E-4

Deleting Devices from a Management Center E-4

Deleting a License from a Management Center E-5

Powering Down the Appliance E-5

Shipping Considerations E-5

Troubleshooting the Appliance Preconfiguration E-6

Contents

Firepower 7000 and 8000 Series Installation Guide

CHAPTER

1-1

Firepower 7000 and 8000 Series Installation Guide

Introduction to the Firepower System

The Cisco Firepower System combines the security of an industry-leading network intrusion protection

system with the power to control access to your network based on detected applications, users, and

URLs. You can also use Firepower System appliances to serve in a switched, routed, or hybrid (switched

and routed) environment; to perform network address translation (NAT); and to build secure virtual

private network (VPN) tunnels between the virtual routers of Firepower managed devices.

The Cisco Firepower Management Center provides a centralized management console and database

repository for the Firepower System. Managed devices installed on network segments monitor traffic for

analysis.

Devices in a passive deployment monitor traffic flowing across a network, for example, using a switch

SPAN, virtual switch, or mirror port. Passive sensing interfaces receive all traffic unconditionally and no

traffic received on these interfaces is retransmitted.

Devices in an inline deployment allow you to protect your network from attacks that might affect the

availability, integrity, or confidentiality of hosts on the network. Inline interfaces receive all traffic

unconditionally, and traffic received on these interfaces is retransmitted unless explicitly dropped by

some configuration in your deployment. Inline devices can be deployed as a simple intrusion prevention

system. You can also configure inline devices to perform access control as well as manage network

traffic in other ways.

This installation guide provides information about deploying, installing, and setting up Firepower

System appliances (devices and Management Centers). It also contains hardware specifications and

safety and regulatory information for Firepower System appliances.

Tip You can host virtual Firepower Management Centers and devices, which can manage and be managed

by physical appliances. However, virtual appliances do not support any of the system’s hardware-based

features: redundancy, switching, routing, and so on. See the Firepower NGIPSv for VMware Quick Start

Guide for more information.

The topics that follow introduce you to the Firepower System and describe its key components:

•Firepower System Appliances, page 1-2

•Firepower System Components, page 1-9

•Licensing the Firepower System, page 1-11

•Security, Internet Access, and Communication Ports, page 1-13

•Preconfiguring Appliances, page 1-16

1-2

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

A Firepower System appliance is either a traffic-sensing managed device or a managing Firepower

Management Center:

Physical devices are fault-tolerant, purpose-built network appliances available with a range of

throughputs and capabilities. Firepower Management Centers serve as central management points for

these devices, and automatically aggregate and correlate the events they generate. There are several

models of each physical appliance type; these models are further grouped into series and family. Many

Firepower System capabilities are appliance dependent.

Firepower Management Centers

A Firepower Management Center provides a centralized management point and event database for your

Firepower System deployment. Firepower Management Centers aggregate and correlate intrusion, file,

malware, discovery, connection, and performance data, assessing the impact of events on particular hosts

and tagging hosts with indications of compromise. This allows you to monitor the information that your

devices report in relation to one another, and to assess and control the overall activity that occurs on your

network.

Key features of the Firepower Management Center include:

•device, license, and policy management

•display of event and contextual information using tables, graphs, and charts

•health and performance monitoring

•external notification and alerting

•correlation, indications of compromise, and remediation features for real-time threat response

•custom and template-based reporting

Managed Devices

Devices deployed on network segments within your organization monitor traffic for analysis. Devices

deployed passively help you gain insight into your network traffic. Deployed inline, you can use

Firepower devices to affect the flow of traffic based on multiple criteria. Depending on model and

license, devices:

•gather detailed information about your organization’s hosts, operating systems, applications, users,

files, networks, and vulnerabilities

•block or allow network traffic based on various network-based criteria, as well as other criteria

including applications, users, URLs, IP address reputations, and the results of intrusion or malware

inspections

•have switching, routing, DHCP, NAT, and VPN capabilities, as well as configurable bypass

interfaces, fast-path rules, and strict TCP enforcement

•have high availability (redundancy) to help you ensure continuity of operations, and stacking to

combine resources from multiple devices

Yo u must manage Firepower devices with a Firepower Management Center.

Appliance Types

The Firepower System can run on fault-tolerant, purpose-built physical network appliances available

from Cisco. There are several models of each Firepower Management Center and managed device; these

models are further grouped into series and family.

1-3

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

Physical managed devices come in a range of throughputs and have a range of capabilities. Physical

Firepower Management Centers also have a range of device management, event storage, and host and

user monitoring capabilities.

You can also deploy 64-bit virtual Firepower Management Centers and virtual Firepower managed

devices as ESXi hosts using the VMware vSphere Hypervisor or vCloud Director environment.

Either type of Management Center (physical or virtual) can manage any type of device: physical, virtual,

and Cisco ASA with FirePOWER Services. Note, however, that many Firepower System capabilities are

appliance dependent.

For more information on Firepower System appliances, including the features and capabilities they

support, see:

•7000 and 8000 Series Appliances, page 1-3

•Virtual Appliances, page 1-3

•Cisco ASA with FirePOWER Services, page 1-3

•Appliances Delivered with Version 6.0, page 1-4

•Supported Capabilities by Firepower Management Center Model, page 1-5

•Supported Capabilities by Managed Device Model, page 1-7

7000 and 8000 Series Appliances

The 7000 and 8000 Series are Firepower physical appliances. Firepower 8000 Series devices are more

powerful and support a few features that Firepower 7000 Series devices do not. For detailed information

on 7000 and 8000 Series appliances, see the Firepower 7000 and 8000 Series Installation Guide.

Virtual Appliances

You can deploy 64-bit virtual Firepower Management Center and managed devices as ESXi hosts using

the VMware vSphere Hypervisor or vCloud Director environments.

Regardless of the licenses installed and applied, virtual appliances do not support any of the system’s

hardware-based features: redundancy and resource sharing, switching, routing, and so on. Also, virtual

devices do not have web interfaces. For detailed information on virtual appliances, see the Firepower

NGIPSv for VMware Quick Start Guide.

Cisco ASA with FirePOWER Services

Cisco ASA with FirePOWER Services (ASA FirePOWER devices) functions similarly to a managed

device. In this deployment, the ASA device provides the first-line system policy and passes traffic to the

Firepower System for access control, intrusion detection and prevention, discovery, and advanced

malware protection. See the Version 6.0 Firepower System Appliances table for a list of supported ASA

models.

Regardless of the licenses installed and applied, ASA FirePOWER devices do not support any of the

following Firepower System features:

1-4

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

•ASA FirePOWER devices do not support the Firepower System’s hardware-based features: high

availability, stacking, switching, routing, VPN, NAT, and so on. However, the ASA platform does

provide these features, which you can configure using the ASA CLI and ASDM. See the ASA

documentation for more information.

•You cannot use the Firepower Management Center web interface to configure ASA FirePOWER

interfaces. The Firepower Management Center does not display ASA interfaces when the

ASA FirePOWER device is deployed in SPAN port mode.

•You cannot use the Firepower Management Center to shut down, restart, or otherwise manage

ASA FirePOWER processes.

ASA FirePOWER devices have a software and command line interface (CLI) unique to the ASA

platform. You use these ASA-specific tools to install the system and to perform other platform-specific

administrative tasks.

Note If you edit an ASA FirePOWER device and switch from multiple context mode to single context mode

(or visa versa), the device renames all of its interfaces. You must reconfigure all Firepower System

security zones, correlation rules, and related configurations to use the updated ASA FirePOWER

interface names.

Appliances Delivered with Version 6.0

The following table lists the appliances that Cisco delivers with Version 6.0 of the Firepower System.

Table 1-1 Version 6.0 Firepower System Appliances

Models/Family Firepower Series Form Type

70xx Family:

•7010, 7020, 7030, 7050

7000 Series hardware device

71xx Family:

•7110, 7120

•7115, 7125

•AMP7150

7000 Series hardware device

80xx Family:

•AMP8050

8000 Series hardware device

81xx Family:

•8120, 8130, 8140

•AMP8150

8000 Series hardware device

82xx Family:

•8250

•8260, 8270, 8290

8000 Series hardware device

1-5

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

Note that reimaging results in the loss of all configuration and event data on the appliance. See Restoring

a Firepower System Appliance to Factory Defaults, page 8-1 for more information.

Tip You can migrate specific configuration and event data from a Version 4.10.3 deployment to a Version 5.2

deployment. Then, you can update through a series of procedures to Version 6.0. For more information,

see the Firepower System Migration Guide for Version 5.2.

Supported Capabilities by Firepower Management Center Model

When running Version 6.0, all Firepower Management Centers have similar capabilities, with only a few

model-based restrictions. The following table matches the major capabilities of the system with the

Firepower Management Centers that support those capabilities, assuming you are managing devices that

support those features and have the correct licenses installed and applied.

In addition to the capabilities listed in the table, Firepower Management Center models vary in terms of

how many devices they can manage, how many events they can store, and how many hosts and users they

can monitor. For more information, see the Firepower Management Center Configuration Guide.

Also, keep in mind that although you can use any model of Firepower Management Center running

Version 6.0 of the system to manage any Version 6.0 device, many system capabilities are limited by the

device model. For more information, see Supported Capabilities by Managed Device Model, page 1-7.

83xx Family:

•8350

•8360, 8370, 8390

•AMP8350

•AMP8360, AMP8370, AMP8390

8000 Series hardware device

64-bit virtual NGIPSv n/a software device

ASA FirePOWER:

•ASA5585-X-SSP-10,

ASA5585-X-SSP-20,

ASA5585-X-SSP-40,

ASA5585-X-SSP-60

n/a hardware device

ASA FirePOWER:

•ASA5506-X ASA5506H-X, 5506W-X,

5508-X, ASA5512-X, ASA5515-X,

ASA5518-X, ASA5525-X,

ASA5545-X, ASA5555-X

n/a software device

Firepower Management Centers:

•MC750, MC1500, MC2000, MC3500,

MC2000, MC4000

n/a hardware Management

Center

64-bit Firepower Management Center

Virtual

n/a software Management

Center

Table 1-1 Version 6.0 Firepower System Appliances (continued)

Models/Family Firepower Series Form Type

1-6

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

Table 1-2 Supported Capabilities by Firepower Management Center Model

Feature or Capability Management Center

Management Center

Virtual

collect discovery data (host, application, and user) reported by managed

devices and build a network map for your organization

yes yes

view geolocation data for your network traffic yes yes

manage an intrusion detection and prevention (IPS) deployment yes yes

manage devices performing Security Intelligence filtering yes yes

manage devices performing simple network-based control, including

geolocation-based filtering

yes yes

manage devices performing application control yes yes

manage devices performing user control yes yes

manage devices that filter network traffic by literal URL yes yes

manage devices performing URL Filtering by category and reputation yes yes

manage devices performing simple file control by file type yes yes

manage devices performing network-based advanced malware protection

(AMP)

yes yes

receive endpoint-based malware (FireAMP) events from your FireAMP

deployment

yes yes

manage device-based hardware-based features:

•fast-path rules

•strict TCP enforcement

•configurable bypass interfaces

•tap mode

•switching and routing

•NAT policies

•VPN

yes yes

manage device-based redundancy and resource sharing:

•device stacks

•device high availability

•stacks in high-availability pairs

yes yes

separate and manage internal and external traffic using traffic channels yes yes

isolate and manage traffic on different networks using multiple management

interfaces

yes yes

install a malware storage pack yes no

connect to an eStreamer, host input, or database client yes yes

1-7

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

Supported Capabilities by Managed Device Model

Devices are the appliances that handle network traffic; therefore, many Firepower System capabilities

are dependent on the model of your managed devices.

The following table matches the major capabilities of the system with the devices that support those

capabilities, assuming you have the correct licenses installed and applied from the managing Firepower

Management Center.

Keep in mind that although you can use any model of Firepower Management Center running Version

6.0 of the system to manage any Version 6.0 device, a few system capabilities are limited by the

Firepower Management Center model. For more information, see Supported Capabilities by Firepower

Management Center Model, page 1-5.

Table 1-3 Supported Capabilities by Managed Device Model

Feature or Capability

7000 and 8000 Series

Device ASA FirePOWER

Virtual

Device

network discovery: host, application, and user yes yes yes

intrusion detection and prevention (IPS) yes yes yes

Security Intelligence filtering yes yes yes

access control: basic network control yes yes yes

access control: geolocation-based filtering yes yes yes

access control: application control yes yes yes

access control: user control yes yes yes

access control: literal URLs yes yes yes

access control: URL Filtering by category and reputation yes yes yes

file control: by file type yes yes yes

network-based advanced malware protection (AMP) yes yes yes

Automatic Application Bypass yes no yes

fast-path rules 8000 Series no no

strict TCP enforcement yes no no

configurable bypass interfaces except where hardware

limited

no no

tap mode yes no no

switching and routing yes no no

NAT policies yes no no

VPN yes no no

device stacking 8140

82xx Family

83xx Family

no no

device high availability yes no no

stacks in high-availability pairs 8140

82xx Family

83xx Family

no no

1-8

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Appliances

7000 and 8000 Series Device Chassis Designations

The following section lists the 7000 Series and 8000 Series devices and their respective chassis hardware

codes. The chassis code appears on the regulatory label on the outside of the chassis, and is the official

reference code for hardware certifications and safety.

7000 Series Chassis Designations

The following table lists the chassis designations for the 7000 Series models available world-wide.

8000 Series Chassis Designations

The following table lists the chassis designations for the 7000 and 8000 Series models available

world-wide.

traffic channels yes no no

multiple management interfaces yes no no

malware storage pack yes no no

restricted command line interface (CLI) yes yes yes

external authentication yes no no

connect to an eStreamer client yes yes no

Table 1-3 Supported Capabilities by Managed Device Model (continued)

Feature or Capability

7000 and 8000 Series

Device ASA FirePOWER

Virtual

Device

Table 1-4 7000 Series Chassis Models

Firepower and AMP Device

Model Hardware Chassis Code

7010, 7020, 7030 CHRY-1U-AC

7050 NEME-1U-AC

7110, 7120 (Copper) GERY-1U-8-C-AC

7110, 7120 (Fiber) GERY-1U-8-FM-AC

7115, 7125, AMP7150 GERY-1U-4C8S-AC

Table 1-5 8000 Series Chassis Models

Firepower and AMP Device Model Hardware Chassis Code

AMP8050 (AC or DC power) CHAS-1U-AC/DC

8120, 8130, 8140, AMP8150

(AC or DC power)

CHAS-1U-AC/DC

8250, 8260, 8270, 8290

(AC or DC power)

CHAS-2U-AC/DC

1-9

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Components

The sections that follow describe some of the key capabilities of the Firepower System that contribute

to your organization’s security, acceptable use policy, and traffic management strategy.

Tip Many Firepower System capabilities are appliance model, license, and user role dependent. Where

needed, Firepower System documentation outlines the requirements for each feature and task.

Redundancy and Resource Sharing

The redundancy and resource-sharing features of the Firepower System allow you to ensure continuity

of operations and to combine the processing resources of multiple physical devices:

•Device stacking allows you to increase the amount of traffic inspected on a network segment by

connecting two to four physical devices in a stacked configuration.

•Device high availability allows you to establish redundancy of networking functionality and

configuration data between two or more 7000 and 8000 Series devices or stacks.

Multiple Management Interfaces

You can use multiple management interfaces on a Firepower Management Center, device, or both, to

improve performance by separating traffic into two traffic channels: the management traffic channel

carries inter-device communication and the event traffic channel carries high volume event traffic such

as intrusion events. Both traffic channels can be carried on the same management interface or split

between two management interfaces, each interface carrying one traffic channel.

You can also create a route from a specific management interface on your Firepower Management Center

to a different network, allowing your Firepower Management Center to isolate and manage device traffic

on one network separately from device traffic on another network.

Additional management interfaces have many of the same capabilities as the default management

interface with the following exceptions:

•You can configure DHCP on the default (eth0) management interface only. Additional (eth1 and so

on) interfaces require unique static IP addresses and hostnames.

•You must configure both traffic channels to use the same non-default management interface when

your Firepower Management Center and managed device are separated by a NAT device.

•You can use Lights-Out Management on the default management interface only.

•On the 70xx Family, you can separate traffic into two channels and configure those channels to send

traffic to one or more management interfaces on the Firepower Management Center. However,

because the 70xx Family contains only one management interface, the device receives traffic sent

from the Firepower Management Center on only one management interface.

8350, 8360, 8370, 8390

(AC or DC power)

PG35-2U-AC/DC

AMP830, AMP8360, AMP8370, AMP8390

(AC or DC power)

PG35-2U-AC/DC

Table 1-5 8000 Series Chassis Models (continued)

Firepower and AMP Device Model Hardware Chassis Code

1-10

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Firepower System Components

After your appliance is installed, use the web browser to configure multiple management interfaces. See

Multiple Management Interfaces in the Firepower Management Center Configuration Guide for more

information.

Network Traffic Management

The Firepower System’s network traffic management features allow 7000 and 8000 Series devices to act

as part of your organization’s network infrastructure. You can:

•configure a Layer 2 deployment to perform packet switching between two or more network

segments

•configure a Layer 3 deployment to route traffic between two or more interfaces

•perform network address translation (NAT)

•build secure VPN tunnels from virtual routers on managed devices to remote devices or other

third-party VPN endpoints

Discovery and Identity

Cisco’s discovery and identity technology collects information about hosts, operating systems,

applications, users, files, networks, geolocation information, and vulnerabilities, in order to provide you

with a complete view of your network.

You can use the Firepower Management Center’s web interface to view and analyze data collected by

the system. You can also use discovery and identity to help you perform access control and modify

intrusion rule states.

Access Control

Access control is a policy-based feature that allows you to specify, inspect, and log the traffic that

traverses your network. As part of access control, the Security Intelligence feature allows you to

blacklist—deny traffic to and from—specific IP addresses before the traffic is subjected to deeper

analysis.

After Security Intelligence filtering occurs, you can define which and how traffic is handled by targeted

devices, from simple IP address matching to complex scenarios involving different users, applications,

ports, and URLs. You can trust, monitor, or block traffic, or perform further analysis, such as:

•intrusion detection and prevention

•file control

•file tracking and network-based advanced malware protection (AMP)

Intrusion Detection and Prevention

Intrusion detection and prevention is a policy-based feature, integrated into access control, that allows

you to monitor your network traffic for security violations and, in inline deployments, to block or alter

malicious traffic. An intrusion policy contains a variety of components, including:

•rules that inspect the protocol header values, payload content, and certain packet size characteristics

•rule state configuration based on FireSIGHT recommendations

•advanced settings, such as preprocessors and other detection and performance features

•preprocessor rules that allow you to generate events for associated preprocessors and preprocessor

options

1-11

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Licensing the Firepower System

File Tracking, Control, and Network-Based Advanced Malware Protection (AMP)

To help you identify and mitigate the effects of malware, the Firepower System’s file control, network

file trajectory, and advanced malware protection components can detect, track, capture, analyze, and

optionally block the transmission of files (including malware files) in network traffic.

File control is a policy-based feature, integrated into access control, that allows managed devices to

detect and block your users from uploading (sending) or downloading (receiving) files of specific types

over specific application protocols.

Network-based advanced malware protection (AMP) allows the system to inspect network traffic for

malware in several types of files. Appliances can store detected files for further analysis, either to their

hard drive or (for some models) a malware storage pack.

Regardless of whether you store a detected file, you can submit it to the Cisco cloud for a simple

known-disposition lookup using the files SHA-256 hash value. You can also submit files for dynamic

analysis, which produces a threat score. Using this contextual information, you can configure the system

to block or allow specific files.

FireAMP is Cisco’s enterprise-class, advanced malware analysis and protection solution that discovers,

understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks.

If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their

computers and mobile devices (also called endpoints). These lightweight agents communicate with the

Cisco cloud, which in turn communicates with the Firepower Management Center.

After you configure the Firepower Management Center to connect to the cloud, you can use the

Firepower Management Center web interface to view endpoint-based malware events generated as a

result of scans, detections, and quarantines on the endpoints in your organization. The Firepower

Management Center also uses FireAMP data to generate and track indications of compromise on hosts,

as well as display network file trajectories.

The network file trajectory feature allows you to track a file’s transmission path across a network. The

system uses SHA-256 hash values to track files. Each file has an associated trajectory map, which

contains a visual display of the file’s transfers over time as well as additional information about the file.

Application Programming Interfaces

There are several ways to interact with the system using application programming interfaces (APIs):

•The Event Streamer (eStreamer) allows you to stream several kinds of event data from a Firepower

System appliance to a custom-developed client application.

•The database access feature allows you to query several database tables on a Firepower Management

Center, using a third-party client that supports JDBC SSL connections.

•The host input feature allows you to augment the information in the network map by importing data

from third-party sources using scripts or command-line files.

•Remediations are programs that your Firepower Management Center can automatically launch when

certain conditions on your network are met. This can not only automatically mitigate attacks when

you are not immediately available to address them, but can also ensure that your system remains

compliant with your organization’s security policy.

Licensing the Firepower System

You can license a variety of features to create an optimal Firepower System deployment for your

organization. You use the Firepower Management Center to manage licenses for itself and the devices it

manages. The license types offered by the Firepower System depend upon the type of device you want

to manage:

1-12

Firepower 7000 and 8000 Series Installation Guide

Chapter 1 Introduction to the Firepower System

Licensing the Firepower System

•For Firepower, ASA FirePOWER, and NGIPSv devices, you must use Classic Licenses.

By default, your Firepower Management Center can perform domain control, host, application, and user

discovery, as well as decrypting and inspecting SSL- and TLS-encrypted traffic.

Feature-specific classic licenses allow your managed devices to perform a variety of functions including:

•intrusion detection and prevention

•Security Intelligence filtering

•file control and AMP for Firepower

•application, user, and URL control

•switching and routing

•device high availability

•network address translation (NAT)

•virtual private network (VPN) deployments

There are a few ways you may lose access to licensed features in the Firepower System. You can remove

licenses from the Firepower Management Center, which affects all of its managed devices. You can also

disable licensed capabilities on specific managed devices. Finally, some licenses may expire. Though

there are some exceptions, you cannot use the features associated with an expired or deleted license.

The following summarizes Firepower System Classic Licenses:

Protection

A Protection license allows managed devices to perform intrusion detection and prevention, file

control, and Security Intelligence filtering.

Control

A Control license allows managed devices to perform user and application control, switching and

routing (including DHCP relay), and NAT. It also allows configuring devices and stacks into

high-availability pairs. A Control license requires a Protection license.

URL Filtering

A URL Filtering license allows managed devices to use regularly updated cloud-based category and

reputation data to determine which traffic can traverse your network, based on the URLs requested

by monitored hosts. A URL Filtering license requires a Protection license.

Malware

A Malware license allows managed devices to perform network-based advanced malware protection

(AMP), that is, to detect and block malware in files transmitted over your network. It also allows

you to view trajectories, which track files transmitted over your network. A Malware license

requires a Protection license.

VPN

A VPN license allows you to build secure VPN tunnels among the virtual routers on Cisco managed

devices, or from managed devices to remote devices or other third-party VPN endpoints. A VPN

license requires Protection and Control licenses.

See the Firepower Management Center Configuration Guide for complete information about classic

license types and restrictions.

Other manuals for TelePresence Server 7010

This manual suits for next models

Table of contents

Other Cisco Firewall manuals

Cisco

Cisco Meraki MX64W User manual

Cisco

Cisco PIX 501 - Security Appliance User manual

Cisco

Cisco FMC 1600 Manual

Cisco

Cisco Small Business Pro SA 520W Instruction Manual

Cisco

Cisco Firepower 4100 Series Installation and operation manual

Cisco

Cisco C170 User manual

Cisco

Cisco RV120W Instruction Manual

Cisco

Cisco 5510 - ASA SSL / IPsec VPN Edition User manual

Cisco

Cisco Firepower 3500 Technical document

Cisco

Cisco Small Business RV220W User manual

Cisco

Cisco Firepower 7010, Firepower 7020, Firepower 7030, Firepower 7050, Firepower 7110, Firepower 7120, Firepower 7115, Firepower... User manual

Cisco

Cisco 5510 - ASA SSL / IPsec VPN Edition User manual

Cisco

Cisco PIX 520 - PIX Firewall 520 User manual

Cisco

Cisco PIX 501 User manual

Cisco

Cisco Firepower 2120 Manual

Cisco

Cisco Firepower 4110 User manual

Cisco

Cisco M195 Manual

Cisco

Cisco Cisco ASA Series User manual

Cisco

Cisco Small Business RV215W User manual

Cisco

Cisco Small Business RV220W Instruction Manual

Cisco

Cisco PIX-525-UR-BUN - PIX 525 Unrestricted Bundle User manual

Cisco

Cisco Cisco ASA 5510 User manual

Cisco

Cisco 5505 - ASA Firewall Edition Bundle Manual

Cisco

Cisco Firepower 4100 Series Installation manual

Popular Firewall manuals by other brands

Fortinet

Fortinet FortiGate 500A installation guide

D-Link

D-Link DFL-200 - Security Appliance Quick installation guide

PaloAlto Networks

PaloAlto Networks PA-220 Hardware reference

Fortinet

Fortinet FortiGate 3000 quick start guide

ZyXEL Communications

ZyXEL Communications ZyWALL 110 Series user guide

Fortinet

Fortinet FortiTester 2000E quick start guide

NETGEAR

NETGEAR ProSafe VPN Firewall 200 FVX538 Reference manual

SonicWALL

SonicWALL Email Security 7.0 8000 Getting started guide

Sophos

Sophos XG 106w operating instructions

Fortinet

Fortinet FortiGate FortiGate-4000 quick start guide

ZyXEL Communications

ZyXEL Communications ZyWall quick start guide

Sophos

Sophos XGS 2100 operating instructions

NETGEAR

NETGEAR FVG318 - ProSafe 802.11g Wireless VPN Firewall 8... Reference manual

Palo Alto

Palo Alto PA-220 Hardware reference

PaloAlto Networks

PaloAlto Networks VM series Deployment guide

Hirschmann

Hirschmann EAGLE 20 TX/TX user manual

NETGEAR

NETGEAR ProSafe FVS114 Specifications

finjan

finjan Vital Security NG-1000 Installation and setup guide

Cisco TelePresence Server 7010 User manual

Popular Firewall manuals by other brands