Cisco Firepower 2100 User manual

Cisco Firepower 2100 Getting Started Guide

First Published: 2019-09-25

Last Modified: 2020-07-28

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

CHAPTER 1

Which Operating System and Manager is Right

for You?

Your hardware platform can run one of two operating systems. For each operating system, you have a choice

of managers. This chapter explains the operating system and manager choices.

•Operating Systems, on page 1

•Managers, on page 1

Operating Systems

You can use either ASA or Firepower Threat Defense (FTD) operating systems on your hardware platform:

• ASA—The ASA is a traditional, advanced stateful firewall and VPN concentrator.

You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need

an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools

to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.

• FTD—FTD, also known as Firepower NGFW, is a next-generation firewall that combines an advanced

stateful firewall, VPN concentrator, and next generation IPS. In other words, the FTD takes the best of

ASA functionality and combines it with the best next-generation firewall and IPS functionality.

We recommend using the FTD over the ASA because it contains most of the major functionality of the

ASA, plus additional next generation firewall and IPS functionality.

To reimage between the ASA and the FTD, see Reimage the Cisco ASA or Firepower Threat Defense Device.

Managers

The FTD and ASA support multiple managers.

Cisco Firepower 2100 Getting Started Guide

FTD Managers

Table 1: FTD Managers

DescriptionManager

FDM is a web-based, simplified, on-device manager. Because it is simplified, some

FTD features are not supported using FDM. You should use FDM if you are only

managing a small number of devices and don't need a multi-device manager.

Both FDM and CDO can discover the configuration on the device, so you

can use FDM and CDO to manage the same device. FMC is not compatible

with other managers.

Note

To get started with FDM, see Firepower Threat Defense Deployment with FDM, on

page 39.

Firepower Device Manager (FDM)

CDO is a simplified, cloud-based multi-device manager. Because it is simplified, some

FTD features are not supported using CDO. You should use CDO if you want a

multi-device manager that offers a simplified management experience (similar to FDM).

And because CDO is cloud-based, there is no overhead of running CDO on your own

servers. CDO also manages other security devices, such as ASAs, so you can use a

single manager for all of your security devices.

Both FDM and CDO can discover the configuration on the device, so you

can use FDM and CDO to manage the same device. FMC is not compatible

with other managers.

Note

To get started with CDO, see Firepower Threat Defense Deployment with CDO, on

page 5.

Cisco Defense Orchestrator (CDO)

FMC is a powerful, web-based, multi-device manager that runs on its own server

hardware, or as a virtual device on a hypervisor. You should use FMC if you want a

multi-device manager, and you require all features on the FTD. FMC also provides

powerful analysis and monitoring of traffic and events.

FMC is not compatible with other managers because the FMC owns the FTD

configuration, and you are not allowed to configure the FTD directly,

bypassing the FMC.

Note

To get started with FMC, see Firepower Threat Defense Deployment with FMC, on

page 63.

Firepower Management Center (FMC)

The FTD REST API lets you automate direct configuration of the FTD. This API is

compatible with FDM and CDO use because they can both discover the configuration

on the device. You cannot use this API if you are managing the FTD using FMC.

The FTD REST API is not covered in this guide. For more information, see the FTD

REST API guide.

FTD REST API

Cisco Firepower 2100 Getting Started Guide

Which Operating System and Manager is Right for You?

FTD Managers

DescriptionManager

The FMC REST API lets you automate configuration of FMC policies that can then be

applied to managed FTDs. This API does not manage an FTD directly.

The FMC REST API is not covered in this guide. For more information, see the FMC

REST API guide.

FMC REST API

ASA Managers

Table 2: ASA Managers

DescriptionManager

ASDM is a Java-based, on-device manager that provides full ASA functionality. You

should use ASDM if you prefer using a GUI over the CLI, and you only need to manage

a small number of ASAs. ASDM can discover the configuration on the device, so you

can also use the CLI, CDO, or CSM with ASDM.

To get started with ASDM, see ASA Appliance Mode Deployment with ASDM, on

page 93. If you know you want to use the ASA in Platform mode, see ASA Platform

Mode Deployment with ASDM and Firepower Chassis Manager, on page 113

Adaptive Security Device Manager

(ASDM)

You should use the ASA CLI if you prefer CLIs over GUIs.

The CLI is not covered in this guide. For more information, see the ASA configuration

guides.

CLI

CDO is a simplified, cloud-based multi-device manager. Because it is simplified, some

ASA features are not supported using CDO. You should use CDO if you want a

multi-device manager that offers a simplified management experience. And because

CDO is cloud-based, there is no overhead of running CDO on your own servers. CDO

also manages other security devices, such as FTDs, so you can use a single manager

for all of your security devices. CDO can discover the configuration on the device, so

you can also use the CLI or ASDM.

CDO is not covered in this guide. To get started with CDO, see the CDO home page.

Cisco Defense Orchestrator (CDO)

CSM is a powerful, multi-device manager that runs on its own server hardware. You

should use CSM if you need to manage large numbers of ASAs. CSM can discover the

configuration on the device, so you can also use the CLI or ASDM. CSM does not

support managing FTDs.

CSM is not covered in this guide. For more information, see the CSM user guide.

Cisco Security Manager (CSM)

The ASA REST API lets you automate ASA configuration. However, the API does not

include all ASA features, and is no longer being enhanced.

The ASA REST API is not covered in this guide. For more information, see the ASA

REST API guide.

ASA REST API

Cisco Firepower 2100 Getting Started Guide

Which Operating System and Manager is Right for You?

ASA Managers

Cisco Firepower 2100 Getting Started Guide

Which Operating System and Manager is Right for You?

ASA Managers

CHAPTER 2

Firepower Threat Defense Deployment with CDO

Is This Chapter for You?

This chapter explains how to onboard your Firepower Threat Defense (FTD) device to Cisco Defense

Orchestrator (CDO) using CDO's onboarding wizard. Before you onboard your FTD device, you need to

complete the initial system configuration using the local Firepower Device Manager (FDM), which is hosted

directly on the device.

CDO is a cloud-based multi-device manager that facilitates management of security policies in highly distributed

environments to achieve consistent policy implementation. CDO helps you optimize your security policies

by identifying inconsistencies with them and by giving you tools to fix them. CDO gives you ways to share

objects and policies, as well as make configuration templates, to promote policy consistency across devices.

This document assumes the Firepower 2100 hardware has a pre-installed FTD image on it. The Firepower

2100 hardware can run either FTD software or ASA software. Switching between FTD and ASA requires

you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense Device.

Note

The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System

(FXOS). The Firepower 2100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is

supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.

Note

Privacy Collection Statement—The Firepower 1100 Series does not require or actively collect

personally-identifiable information. However, you can use personally-identifiable information in the

configuration, for example for usernames. In this case, an administrator might be able to see this information

when working with the configuration or when using SNMP.

Note

•End-to-End Procedure, on page 6

•Review the Network Deployment and Default Configuration, on page 8

•Cable the Device, on page 11

•Power on the Device, on page 12

•(Optional) Change Management Network Settings at the CLI, on page 13

•Log Into FDM, on page 14

Cisco Firepower 2100 Getting Started Guide

•Complete the Initial Configuration, on page 15

•Log Into CDO, on page 16

•Onboard the Device to CDO, on page 21

•Configure the Device in CDO, on page 24

•Configure Licensing, on page 29

•Manage the Device with CDO, on page 34

•Additional FTD Management Procedures, on page 34

•What's Next, on page 37

End-to-End Procedure

See the following tasks to deploy FTD with CDO on your chassis.

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with CDO

End-to-End Procedure

Review the Network Deployment and Default Configuration, on page 8.Pre-Configuration

Cable the Device, on page 11.Pre-Configuration

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with CDO

End-to-End Procedure

Power on the Device, on page 12.Pre-Configuration

(Optional) Change Management Network Settings at the CLI, on page 13.FTD CLI

Log Into FDM, on page 14.Firepower Device

Manager

Complete the Initial Configuration, on page 15.Firepower Device

Manager

Log Into CDO with Cisco Secure Sign-On , on page 19.Cisco Defense

Orchestrator

Onboard the Device to CDO, on page 21.Cisco Defense

Orchestrator

Configure the Device in CDO, on page 24.Cisco Defense

Orchestrator

(Optional) Configure Licensing, on page 29: Obtain feature licenses.Cisco Commerce

Workspace

Configure Licensing, on page 29: Generate a license token.Smart Software

Manager

Configure Licensing, on page 29: Register the device with the Smart Licensing

Server.

Cisco Defense

Orchestrator

Manage the Device with CDO, on page 34.Cisco Defense

Orchestrator

Review the Network Deployment and Default Configuration

You can manage the FTD using FDM from either the Management 1/1 interface or the inside interface. The

dedicated Management interface is a special interface with its own network settings.

The following figure shows the recommended network deployment for the Firepower 2100. If you connect

the outside interface directly to a cable modem or DSL modem, we recommend that you put the modem into

bridge mode so the FTD performs all routing and NAT for your inside networks. If you need to configure

PPPoE for the outside interface to connect to your ISP, you can do so after you complete initial setup in FDM.

Cisco Firepower 2100 Getting Started Guide

Firepower Threat Defense Deployment with CDO

Review the Network Deployment and Default Configuration

Other manuals for Firepower 2100

Table of contents

Other Cisco Gateway manuals

Cisco

Cisco DPC2434 User manual

Cisco

Cisco TES301 User manual

Cisco

Cisco Explorer 4250 User manual

Cisco

Cisco Explorer 9800 User manual

Cisco

Cisco Small Business SPA8800 User manual

Cisco

Cisco TelePresence ISDN GW MSE 8321 User manual

Cisco

Cisco DPC3825 User manual

Cisco

Cisco DPC3829 User manual

Cisco

Cisco Linksys WPG12 User manual

Cisco

Cisco UPWL6028F User manual

Cisco

Cisco DPQ2425 User manual

Cisco

Cisco Intelligent Wireless Access Gateway User manual

Cisco

Cisco VG310 Instruction Manual

Cisco

Cisco DPC2325 User manual

Cisco

Cisco Firepower Management Center 1000 User manual

Cisco

Cisco AS5350 - Universal Access Server User manual

Cisco

Cisco VG30D User manual

Cisco

Cisco Small Business SPA8000 Original operating instructions

Cisco

Cisco IC3000 Manual

Cisco

Cisco VG224 - Analog Phone Gateway Manual

Cisco

Cisco EPC3925 User manual

Cisco

Cisco Physical Access CIAC-GW-K9 Instruction Manual

Cisco

Cisco Comcast Xfinity DPC3939 User manual

Cisco

Cisco Firepower 1600 User manual

Popular Gateway manuals by other brands

LST

LST M500RFE-AS Specification sheet

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual

Mitsubishi Heavy Industries

Mitsubishi Heavy Industries Superlink SC-WBGW256 Original instructions

ZyXEL Communications

ZyXEL Communications ZYWALL2 ET 2WE user guide

Telsey

Telsey CPVA 500 - SIP Technical manual

RTA

RTA 460A-NNA4 Product user guide

Shaw

Shaw Gateway HDPVR user manual

ABB

ABB VSN900 Commissioning manual

Commander

Commander Pulse owner's manual

2N Telekomunikace

2N Telekomunikace ATEUS EasyGate 501309E manual

NETGEAR

NETGEAR C6300BD installation guide

Amit

Amit CDW531AM user guide

HMS

HMS Netbiter EasyConnect EC150 user manual

Huawei

Huawei EchoLife HG620 user guide

AT&T

AT&T U-verse 3801 Replacement self-installation guide

Logic IO

Logic IO RTCU MX2 turbo Technical manual

Suttle

Suttle MediaMAX MXM-521 installation instructions