Cisco Firepower 1010 User manual
Cisco Firepower 1010 Getting Started Guide
First Published: 2019-06-13
Last Modified: 2021-01-29
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
CHAPTER 1
Which Operating System and Manager is Right
for You?
Your hardware platform can run one of two operating systems. For each operating system, you have a choice
of managers. This chapter explains the operating system and manager choices.
•Operating Systems, on page 1
•Managers, on page 1
Operating Systems
You can use either ASA or Firepower Threat Defense (FTD) operating systems on your hardware platform:
• ASA—The ASA is a traditional, advanced stateful firewall and VPN concentrator.
You may want to use the ASA if you do not need the advanced capabilities of the FTD, or if you need
an ASA-only feature that is not yet available on the FTD. Cisco provides ASA-to-FTD migration tools
to help you convert your ASA to an FTD if you start with ASA and later reimage to FTD.
• FTD—FTD, also known as Firepower NGFW, is a next-generation firewall that combines an advanced
stateful firewall, VPN concentrator, and next generation IPS. In other words, the FTD takes the best of
ASA functionality and combines it with the best next-generation firewall and IPS functionality.
We recommend using the FTD over the ASA because it contains most of the major functionality of the
ASA, plus additional next generation firewall and IPS functionality.
To reimage between the ASA and the FTD, see Reimage the Cisco ASA or Firepower Threat Defense Device.
Managers
The FTD and ASA support multiple managers.
Cisco Firepower 1010 Getting Started Guide
1
FTD Managers
Table 1: FTD Managers
DescriptionManager
FDM is a web-based, simplified, on-device manager. Because it is simplified, some
FTD features are not supported using FDM. You should use FDM if you are only
managing a small number of devices and don't need a multi-device manager.
Both FDM and CDO can discover the configuration on the device, so you
can use FDM and CDO to manage the same device. FMC is not compatible
with other managers.
Note
To get started with FDM, see Firepower Threat Defense Deployment with FDM, on
page 61.
Firepower Device Manager (FDM)
CDO is a simplified, cloud-based multi-device manager. Because it is simplified, some
FTD features are not supported using CDO. You should use CDO if you want a
multi-device manager that offers a simplified management experience (similar to FDM).
And because CDO is cloud-based, there is no overhead of running CDO on your own
servers. CDO also manages other security devices, such as ASAs, so you can use a
single manager for all of your security devices.
In 6.7 and later, CDO offers Low Touch Provisioning that lets branch offices plug in
their hardware and leave it alone: the device will automtically register with CDO.
Both FDM and CDO can discover the configuration on the device, so you
can use FDM and CDO to manage the same device. FMC is not compatible
with other managers.
Note
To get started with CDO provisioning, see Firepower Threat Defense Deployment with
CDO Provisioning, on page 25.
Cisco Defense Orchestrator (CDO)
FMC is a powerful, web-based, multi-device manager that runs on its own server
hardware, or as a virtual device on a hypervisor. You should use FMC if you want a
multi-device manager, and you require all features on the FTD. FMC also provides
powerful analysis and monitoring of traffic and events.
FMC is not compatible with other managers because the FMC owns the FTD
configuration, and you are not allowed to configure the FTD directly,
bypassing the FMC.
Note
To get started with FMC, see Firepower Threat Defense Deployment with FMC, on
page 89.
For a remote branch setup, we recommend that you use the standalone document specific
to that deployment.
Firepower Management Center (FMC)
The FTD REST API lets you automate direct configuration of the FTD. This API is
compatible with FDM and CDO use because they can both discover the configuration
on the device. You cannot use this API if you are managing the FTD using FMC.
The FTD REST API is not covered in this guide. For more information, see the FTD
REST API guide.
FTD REST API
Cisco Firepower 1010 Getting Started Guide
2
Which Operating System and Manager is Right for You?
FTD Managers
DescriptionManager
The FMC REST API lets you automate configuration of FMC policies that can then be
applied to managed FTDs. This API does not manage an FTD directly.
The FMC REST API is not covered in this guide. For more information, see the FMC
REST API guide.
FMC REST API
ASA Managers
Table 2: ASA Managers
DescriptionManager
ASDM is a Java-based, on-device manager that provides full ASA functionality. You
should use ASDM if you prefer using a GUI over the CLI, and you only need to manage
a small number of ASAs. ASDM can discover the configuration on the device, so you
can also use the CLI, CDO, or CSM with ASDM.
To get started with ASDM, see ASA Deployment with ASDM, on page 135.
Adaptive Security Device Manager
(ASDM)
You should use the ASA CLI if you prefer CLIs over GUIs.
The CLI is not covered in this guide. For more information, see the ASA configuration
guides.
CLI
CDO is a simplified, cloud-based multi-device manager. Because it is simplified, some
ASA features are not supported using CDO. You should use CDO if you want a
multi-device manager that offers a simplified management experience. And because
CDO is cloud-based, there is no overhead of running CDO on your own servers. CDO
also manages other security devices, such as FTDs, so you can use a single manager
for all of your security devices. CDO can discover the configuration on the device, so
you can also use the CLI or ASDM.
CDO is not covered in this guide. To get started with CDO, see the CDO home page.
Cisco Defense Orchestrator (CDO)
CSM is a powerful, multi-device manager that runs on its own server hardware. You
should use CSM if you need to manage large numbers of ASAs. CSM can discover the
configuration on the device, so you can also use the CLI or ASDM. CSM does not
support managing FTDs.
CSM is not covered in this guide. For more information, see the CSM user guide.
Cisco Security Manager (CSM)
The ASA REST API lets you automate ASA configuration. However, the API does not
include all ASA features, and is no longer being enhanced.
The ASA REST API is not covered in this guide. For more information, see the ASA
REST API guide.
ASA REST API
Cisco Firepower 1010 Getting Started Guide
3
Which Operating System and Manager is Right for You?
ASA Managers
Cisco Firepower 1010 Getting Started Guide
4
Which Operating System and Manager is Right for You?
ASA Managers
CHAPTER 2
Firepower Threat Defense Deployment with CDO
and Low-Touch Provisioning
Is This Chapter for You?
Low-Touch Provisioning (LTP) simplifies and automates the onboarding of new Firepower Threat Defense
(FTD) devices to Cisco Defense Orchestrator (CDO). LTP streamlines the deployment of new Firepower
devices by allowing network administrators to deliver the devices directly to a branch office, add the devices
to the CDO cloud-based device manager, and then manage the devices after the FTD device successfully
connects to the Cisco Cloud.
This chapter explains how to onboard your Firepower devices to CDO using low-touch provisioning. CDO
is a cloud-based multi-device manager that facilitates management of security policies in highly distributed
environments to achieve consistent policy implementation. CDO helps you optimize your security policies
by identifying inconsistencies with them and by giving you tools to fix them. CDO gives you ways to share
objects and policies, as well as make configuration templates, to promote policy consistency across devices.
This feature requires Firepower version 6.7 or later.
Note
This document assumes the Firepower 1010 hardware has a pre-installed FTD image on it. The Firepower
1010 hardware can run either FTD software or ASA software. Switching between FTD and ASA requires
you to reimage the device. See Reimage the Cisco ASA or Firepower Threat Defense Device.
Note
The Firepower 1010 runs an underlying operating system called the Firepower eXtensible Operating System
(FXOS). The Firepower 1010 does not support the FXOS Firepower Chassis Manager; only a limited CLI is
supported for troubleshooting purposes. See the FXOS troubleshooting guide for more information.
Note
Cisco Firepower 1010 Getting Started Guide
7
Privacy Collection Statement—The Firepower 1010 Series does not require or actively collect
personally-identifiable information. However, you can use personally-identifiable information in the
configuration, for example for usernames. In this case, an administrator might be able to see this information
when working with the configuration or when using SNMP.
Note
•End-to-End Procedure, on page 8
•Branch Office - Receive the Device, on page 10
•CDO Administrator - Central Headquarters, on page 11
•Branch Office - Install the Device, on page 17
•CDO Administrator - Complete the Onboarding, on page 19
End-to-End Procedure
This chapter explains how to deploy a factory-default FTD 1010 device at a remote branch office using the
low-touch provisioning feature:
1. Your branch office receives an FTD 6.7+ device that has either been shipped directly from Cisco or one
that has been reimaged with FTD 6.7+ software.
2. An administrator at the central headquarters onboards the device to CDO using the device's serial number.
3. The branch office employee cables and powers on the FTD.
4. The administrator at the central headquarters completes onboarding and configuration of the FTD using
CDO.
See the following tasks to deploy FTD with CDO using low-touch provisioning on your chassis.
Cisco Firepower 1010 Getting Started Guide
8
Firepower Threat Defense Deployment with CDO
End-to-End Procedure
Verify the Device Supports Low-Touch Provisioning from a Branch Office, on
page 10: Receive the device from corporate IT or managed service provider.
Branch Office Tasks
(Branch Office
Employee)
Verify the Device Supports Low-Touch Provisioning from a Branch Office, on
page 10: Take inventory of the device and packaging; record the serial number.
Branch Office Tasks
(Branch Office
Employee)
Log Into CDO with Cisco Secure Sign-On, on page 14.Cisco Defense
Orchestrator
(CDO Admin)
Cisco Firepower 1010 Getting Started Guide
9
Firepower Threat Defense Deployment with CDO
End-to-End Procedure
Onboard the Device Using Low-Touch Provisioning and the Serial Number,
on page 15.
Cisco Defense
Orchestrator
(CDO Admin)
Cable the Device, on page 17.Branch Office Tasks
(Branch Office
Employee)
Power On the Device, on page 18: Attach the power cord to the device, and
connect it to an electrical outlet.
Branch Office Tasks
(Branch Office
Employee)
Power On the Device, on page 18: Observe the Status LED on the device for
connection to the Cisco cloud.
Cisco Cloud
Manage the Device with CDO, on page 24.Cisco Defense
Orchestrator
(CDO Admin)
Configure Licensing, on page 19: Optionally, register the device with the Smart
Licensing Server; or continue to use the 90-day evaluation license.
Smart Software
Manager
(CDO Admin)
Configure Licensing, on page 19: Optionally, generate a license token.Cisco Commerce
Workspace
(CDO Admin)
Branch Office - Receive the Device
After you receive the FTD from your corporate IT department, you need to record the device's serial number
and send it to the CDO administrator. Outline a communication plan for the onboarding process. Include any
key tasks to be completed and provide points of contact for each item.
You can watch this video to see how a Branch employee onboards a Firepower device using CDO and
low-touch provisioning.
Tip
Verify the Device Supports Low-Touch Provisioning from a Branch Office
Before you rack the device or discard the shipping box, verify that your Firepower device can be deployabled
using low-touch provisioning.
This procedure assumes you are working with a new Firepower device running FTD Version 6.7 or later.
Note
Cisco Firepower 1010 Getting Started Guide
10
Firepower Threat Defense Deployment with CDO
Branch Office - Receive the Device
Before you begin
• Unpack the chassis and chassis components.
• Take inventory of your Firepower device and packaging before you connect any cables or power on the
device.
• Your IT department needs your device serial number to connect to the device and manage it remotely.
• You should also familiarize yourself with the chassis layout, components, and LEDs.
Procedure
Step 1 Verify the product ID (PID) on the shipping box. The cardboard box in which the device was shipped should
have a plain white sticker on it that indicates the shipped version of Firepower software (6.7 or later).
The PID should be similar to this example of a Firepower 1010 PID: SF-F1K-TD6.7-K9.
Step 2 Record the device's serial number. The serial number of the device can be found on the shipping box. It can
also be found on a sticker on the on the bottom of the device chassis.
Step 3 Send the device serial number to the CDO network administrator at your IT department/central headquarters.
Your network administrator needs your device serial number to facilitate low-touch provisioning,
connect to the device, and configure it remotely.
Note
What to do next
Communicate with the CDO administrator at your IT department/central headquarters to develop an onboarding
timeline. Your next steps are to cable the device and connect power after your network administrator onboards
the device to CDO.
CDO Administrator - Central Headquarters
After the remote branch administrator sends the serial number information to the central headquarters, the
CDO administrator onboards the FTD to CDO.
Log Into CDO
CDO uses Cisco Secure Sign-On as its identity provider and Duo Security for multi-factor authentication
(MFA). CDO requires MFA which provides an added layer of security in protecting your user identity.
Two-factor authentication, a type of MFA, requires two components, or factors, to ensure the identity of the
user logging into CDO.
The first factor is a username and password, and the second is a one-time password (OTP), which is generated
on demand from Duo Security.
After you establish your Cisco Secure Sign-On credentials, you can log into CDO from your Cisco Secure
Sign-On dashboard. From the Cisco Secure Sign-On dashboard, you can also log into any other supported
Cisco products.
Cisco Firepower 1010 Getting Started Guide
11
Firepower Threat Defense Deployment with CDO
CDO Administrator - Central Headquarters
• If you have a Cisco Secure Sign-On account, skip ahead to Log Into CDO with Cisco Secure Sign-On,
on page 14.
• If you don't have a Cisco Secure Sign-On account, see Create a New Cisco Secure Sign-On Account, on
page 12.
Create a New Cisco Secure Sign-On Account
The initial sign-on workflow is a four-step process. You need to complete all four steps.
Before you begin
•Install DUO Security―We recommend that you install the Duo Security app on a mobile phone. Review
Duo Guide to Two Factor Authentication: Enrollment Guide if you have questions about installing Duo.
•Time Synchronization―You are going to use your mobile device to generate a one-time password. It
is important that your device clock is synchronized with real time as the OTP is time-based. Make sure
your device clock is set to the correct time.
• Use a current version of Firefox or Chrome.
Procedure
Step 1 Sign Up for a New Cisco Secure Sign-On Account.
a) Browse to https://sign-on.security.cisco.com.
b) At the bottom of the Sign In screen, click Sign up.
Figure 1: Cisco SSO Sign Up
c) Fill in the fields of the Create Account dialog and click Register.
Cisco Firepower 1010 Getting Started Guide
12
Firepower Threat Defense Deployment with CDO
Create a New Cisco Secure Sign-On Account
Figure 2: Create Account
Enter the email address that you plan to use to log in to CDO and add an Organization name to
represent your company.
Tip
d) After you click Register, Cisco sends you a verification email to the address you registered with. Open
the email and click Activate Account.
Step 2 Set up Multi-factor Authentication Using Duo.
a) In the Set up multi-factor authentication screen, click Configure.
b) Click Start setup and follow the prompts to choose a device and verify the pairing of that device with
your account.
For more information, see Duo Guide to Two Factor Authentication: Enrollment Guide. If you already
have the Duo app on your device, you'll receive an activation code for this account. Duo supports multiple
accounts on one device.
c) At the end of the wizard click Continue to Login.
d) Log in to Cisco Secure Sign-On with the two-factor authentication.
Step 3 (Optional) Setup Google Authenticator as a an additional authenticator.
a) Choose the mobile device you are pairing with Google Authenticator and click Next.
b) Follow the prompts in the setup wizard to setup Google Authenticator.
Step 4 Configure Account Recovery Options for your Cisco Secure Sign-On Account.
a) Choose a "forgot password" question and answer.
b) Choose a recovery phone number for resetting your account using SMS.
c) Choose a security image.
d) Click Create My Account.
Cisco Firepower 1010 Getting Started Guide
13
Firepower Threat Defense Deployment with CDO
Create a New Cisco Secure Sign-On Account
You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app
tiles.
You can drag the tiles around on the dashboard to order them as you like, create tabs to group
tiles, and rename tabs.
Tip
Figure 3: Cisco SSO Dashboard
Log Into CDO with Cisco Secure Sign-On
Log into CDO to onboard and manage your FTD.
Before you begin
Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its identity provider and Duo Security for
multi-factor authentication (MFA).
• To log into CDO, you must first create your account in Cisco Secure Sign-On and configure MFA using
Duo; see Create a New Cisco Secure Sign-On Account, on page 12.
• Use a current version of Firefox or Chrome.
Procedure
Step 1 In a web browser, navigate to https://sign-on.security.cisco.com/.
Step 2 Enter your Username and Password.
Step 3 Click Log in.
Step 4 Receive another authentication factor using Duo Security, and confirm your login. The system confirms your
login and displays the Cisco Secure Sign-On dashboard.
Step 5 Click the appropriate CDO tile on the Cisco Secure Sign-on dashboard. The CDO tile directs you to
https://defenseorchestrator.com, the CDO (EU) tile directs you to https://defenseorchestrator.eu, and the CDO
(APJC) tile directs you to to https://www.apj.cdo.cisco.com.
Cisco Firepower 1010 Getting Started Guide
14
Firepower Threat Defense Deployment with CDO
Log Into CDO with Cisco Secure Sign-On
Figure 4: Cisco SSO Dashboard
Step 6 Click the authenticator logo to choose Duo Security or Google Authenticator, if you have set up both
authenticators.
• If you already have a user record on an existing tenant, you are logged into that tenant.
• If you already have a user record on several tenants, you will be able to choose which CDO tenant to
connect to.
• If you do not already have a user record on an existing tenant, you will be able to learn more about CDO
or request a trial account.
Onboard the Device Using Low-Touch Provisioning and the Serial Number
To onboard a Firepower device to CDO using LTP, you complete this procedure, connect the device to a
network that can reach the internet, and power on the device.
Before you begin
Low-touch provisioning (LTP) is a feature that allows a new factory-shipped Firepower 1010 series device
to be provisioned and configured automatically, eliminating many of the manual tasks involved with onboarding
the device to CDO.
Your device needs to have Version 6.7 or greater installed to use LTP. If you want to use this method to
onboard an FTD device running on an older software version (6.4, 6.5, and 6.6), you need to perform a fresh
installation of the software on that device, not an upgrade.
Note
Procedure
Step 1 In the navigation pane, click Devices & Services and click the blue plus button to Onboard a device.
Step 2 Click on the FTD card.
Cisco Firepower 1010 Getting Started Guide
15
Firepower Threat Defense Deployment with CDO
Onboard the Device Using Low-Touch Provisioning and the Serial Number
When you attempt to onboard an FTD device, CDO prompts you to read and accept the Firepower
Threat Defense End User License Agreement (EULA), which is a one-time activity in your tenant.
Once you accept this agreement, CDO doesn't prompt it again in subsequent FTD onboarding. If
the EULA agreement changes in the future, you must accept it again when prompted.
Note
Step 3 On the Onboard FTD Device screen, click Use Serial Number.
Step 4 In the Connection area, provide the following:
a) Select the Secure Device Connector (SDC) that this device will communicate with.
The default SDC is displayed, but you can change it by clicking the blue Change link.
b) Device Serial Number: Enter the serial number or the PCA number of the device you want to onboard.
c) Device Name: Provide a name for the device.
Step 5 Click Next.
Step 6 In the Password Reset area, provide the following:
a) Default Password Not Changed: Select this option to change the default password of a new device.
• Enter a New Password for the device and Confirm Password.
• Ensure that the new password meets the requirements mentioned onscreen.
If the device's default password is already changed, the entries made in this field will be ignored.
Note
b) Default Password Changed: Select this option only for the device whose default password has already
been changed using FDM or on Firepower eXtensible Operating System (FXOS) Console.
Step 7 Click Next.
Step 8 In the Smart License area, select one of the required options.
•Apply Smart License: Select this option if your device is not smart licensed already. You have to generate
a token using the Cisco Smart Software Manager and copy in this field.
•Device Already Licensed: Select this option if your device has already been licensed.
If the default password has already been changed, this radio button will be selected
automatically. However, you can choose another option that you want.
Note
•Use 90-day Evaluation License: Apply a 90-day evaluation license.
Step 9 Click Next.
Step 10 In the Subscription Licenses area, perform the following:
• If the smart license is applied, you can enable the additional licenses you want and click Next.
• If the evaluation license is enabled, all other licenses are available except for the RA VPN license. Select
the licenses that you want and click Next to continue.
• You can choose to continue only with the base license.
If the Device Already Licensed is selected in the Smart License step, you cannot perform any
selection here. CDO displays Keep Existing Subscription and moves to the Labels step.
Note
Step 11 (Optional) In the Labels area, you can enter a label name if required.
Step 12 Click Go to Devices and Services.
Cisco Firepower 1010 Getting Started Guide
16
Firepower Threat Defense Deployment with CDO
Onboard the Device Using Low-Touch Provisioning and the Serial Number
What to do next
Communicate with the branch office where the device is being deployed. After the branch office administrator
cables and powers on the FTD, your next steps are to complete the onboarding process and configure/manage
the device.
Branch Office - Install the Device
After the CDO administrator onboards the FTD to CDO, you need to cable and power on the device so that
it has internet access from the outside interface. The CDO administrator can then complete the onboarding
process.
Cable the Device
This topic describes the how to connect the Firepower 1010 to your network so that it can be managed remotely
by a CDO administrator.
• If you received a Firepower firewall at your branch office and your job is to plug it in to your network,
watch this video.
The video describes your Firepower device and the LED sequences on the device that indicate the device's
status. If you need to, you'll be able to confirm the device's status with your IT department just by looking
at the LEDs.
Figure 5: Cabling the Firepower 1010
Ethernet1/2 through 1/8 are configured as hardware switch ports; PoE+ is also available on Ethernet1/7 and
1/8.
Note
Cisco Firepower 1010 Getting Started Guide
17
Firepower Threat Defense Deployment with CDO
Branch Office - Install the Device
Low-touch provisioning supports connecting to CDO on Ethernet 1/1 (outside). You can alternatively use
low-touch provisioning on the Management 1/1 interface.
Procedure
Step 1 Connect the network cable from the Ethernet 1/1 interface to your wide area network (WAN) modem. Your
WAN modem is your branch's connection to the internet and will be your Firepower firewall's route to the
internet as well.
Alternatively, you can connect the network cable from the device's Management 1/1 interface to
your WAN. Whichever interface you use must have a route to the internet. The Management interface
supports IPv6 if you manually set the IP address at the CLI. See (Optional) Change Management
Network Settings at the CLI, on page 33. To use IPv6 on Management, make sure you also keep
or set an IPv4 address; dual stack is required for IPv6 to work. The outside Ethernet 1/1 interface
only supports IPv4 for low-touch provisioning.
Note
Step 2 Connect inside devices to the remaining switch ports, Ethernet 1/2 through 1/8.
Ethernet 1/7 and 1/8 are PoE+ ports.
What to do next
Proceed to the next task, Power On the Device, on page 18.
Power On the Device
System power is controlled by the power cord; there is no power button.
Procedure
Step 1 Attach the power cord to the device, and connect it to an electrical outlet.
The power turns on automatically when you plug in the power cord.
Step 2 Check the Power LED on the back or top of the device; if it is solid green, the device is powered on.
Step 3 Check the Status LED on the back or top of the device; after it is solid green, the system has passed power-on
diagnostics.
Cisco Firepower 1010 Getting Started Guide
18
Firepower Threat Defense Deployment with CDO
Power On the Device
Other manuals for Firepower 1010
4
Table of contents
Other Cisco Network Hardware manuals
Cisco
Cisco IDS 4210 - Intrusion Detection Sys 4210... User manual
Cisco
Cisco NAC3350-PROF-K9 - NAC Profiler Server User manual
Cisco
Cisco EXPLORER 3100 User manual
Cisco
Cisco PC4000 User manual
Cisco
Cisco Content Engine 510 User manual
Cisco
Cisco Catalyst 2960-XR User manual
Cisco
Cisco Aironet 1400 Series User manual
Cisco
Cisco Network Storage System NSS3000 Series User manual
Cisco
Cisco TELEPRESENCE MCU ACCESSING CONFERENCES - User manual
Cisco
Cisco Content Delivery Engine 100/200/300/400 Manual
Cisco
Cisco DOC 785983 User manual
Cisco
Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control... User manual
Cisco
Cisco Octal-Port DMT ATU-C Line Card Technical manual
Cisco
Cisco NSS2000 - Gigabit Storage System Chassis How to use
Cisco
Cisco ONS 15310-MA User manual
Cisco
Cisco Fourth-Generation Versatile Interface Processor... Operator's manual
Cisco
Cisco ONS 15454 SDH Manual
Cisco
Cisco ASR 9000 Series User manual
Cisco
Cisco SA520-K9 - SA 500 Series Security Appliances User manual
Cisco
Cisco N540X-6Z18G-SYS-A User manual
