The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared default configuration. If your network is live, make sure that you understand the potential impact of any command. On FTD devices running software version 6.
However, on FTD devices running software version 6. Note : On FTD devices running software version 6. Either edit the existing policy by clicking the pencil icon, or create a new FTD policy by clicking the New Policy button and selecting the type Threat Defense Settings, as shown in the image. Select the FTD appliance to which this policy applies and click Save, as shown in the image.
Step 4. Step 5. This is a necessary step because locally configured users do not have direct access to the diagnostic CLI. Step 2. Step 3. Navigate to the External Authentication tab, as shown in the image. When you click Add, a dialogue box appears, as shown in the image. These steps are performed on FTD devices with software version less than 6. Navigate to the Secure Shell section.
A page appears, as shown in the image. There are three options. These steps are configured to limit management access via SSH to specific interfaces and to specific IP addresses. Select the type Firepower Threat Defense. When you navigate to the HTTP section, a page appears as shown in the image.
Step 6. Once all the required information has been entered, click Save and then deploy the policy to the device. Ensure that External Authentication works as configured and that the authentication server is reachable from the interface specified in the External Authentication section of the Platform Settings. Ensure that routing on the FTD is accurate.
In FTD software version 6. Run the commands show route and show route management-only to see the routes for the FTD and for the management interface, respectively.

Use the CLI for basic system setup and troubleshooting. When you deploy a configuration change using the Firepower Management Center or Firepower Device Manager, do not use the FTD CLI for long-running commands such as ping with a huge repeat count or size; these commands could cause a deployment failure.
Log in using the admin username default password is Admin or another CLI user account. You can also connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. You cannot SSH to the Diagnostic interface. You can create user accounts that can log into the CLI using the configure user add command. However, these users can log into the CLI only. They cannot log into the Firepower Device Manager web interface.
The CLI supports local authentication only. You cannot access the CLI using external authentication. In addition to SSH, you can directly connect to the Console port on the device. Use the console cable included with the device to connect your PC to the console using a terminal emulator set for baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide for your device for more information about the console cable. You can tell which mode you are in by looking at the command prompt.
Use this CLI for advanced troubleshooting. The prompt reflects the system hostname as defined in the running configuration. Enter the enable command to enter this mode; press Enter without entering a password when prompted for one. Note that you cannot set a password for this mode. However, users cannot enter configuration mode within Privileged EXEC mode, so the extra password protection is not necessary.
Use Expert Mode only if a documented procedure tells you it is required, or if the Cisco Technical Assistance Center asks you to use it. The prompt is username hostname if you log in using the admin user. If you use a different user, only the hostname is shown.
The hostname is the name configured for the management interface. For example. On Firepower, and series devices, FXOS is the operating system that controls the overall chassis. Depending on the model, you use FXOS for configuration and troubleshooting. The FXOS command prompt looks like the following, but the prompt changes based on mode.
Command text indicates commands and keywords that you enter literally as shown. Variable text indicates arguments for which you supply values.
Square brackets enclose an optional element keyword or argument. Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice. Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
When you log into the CLI through the console port or an SSH session, you are presented with the following command prompt. You type the command at the prompt and press Enter to execute the command. Additional features include:

The following topics explain how to perform system management tasks such as updating system databases and backing up and restoring the system.
You can install updates to the system databases and to the system software. The following topics explain how to install these updates. The system uses several databases to provide advanced services. Cisco provides updates to these databases so that your security policies use the latest information available. Firepower Threat Defense uses the following databases to provide advanced services. As new vulnerabilities become known, the Cisco Talos Intelligence Group Talos releases intrusion rule updates that you can import.
These updates affect intrusion rules, preprocessor rules, and the policies that use the rules. Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings.
Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values. For changes made by an intrusion rule update to take effect, you must redeploy the configuration.
Intrusion rule updates may be large, so import rules during periods of low network use. On slow networks, an update attempt might fail, and you will need to retry. The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) and connection-related data (such as Internet service provider, domain name, connection type) associated with routable IP addresses. GeoDB updates provide updated information on physical locations, connection types, and so on that your system can associate with detected routable IP addresses.
You can use geolocation data as a condition in access control rules. The time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates. The Cisco Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications.
The Firepower System correlates the fingerprints with the vulnerabilities to help you determine whether a particular host increases your risk of network compromise. The time it takes to update vulnerability mappings depends on the number of hosts in your network map. You may want to schedule the update during low system usage times to minimize the impact of any system downtime. As a rule of thumb, divide the number of hosts on your network by to determine the approximate number of minutes to perform the update.
After you update the VDB, you must redeploy configurations before updated application detectors and operating system fingerprints can take effect. If you configure URL filtering access control rules that filter on category and reputation, requested URLs are matched against the database.
You can manually retrieve and apply system database updates at your convenience. Updates are retrieved from the Cisco support site. Thus, there must be a path to the Internet from the system's management address. You can also set up a regular schedule to retrieve and apply database updates.
Because these updates can be large, schedule them for times of low network activity. While a database update is in progress, you might find that the user interface is sluggish to respond to your actions. To avoid any potential impact to pending changes, deploy the configuration to the device before manually updating these databases. You need to update any access control or SSL decryption rules that use these deprecated items before you can deploy changes. Click the name of the device in the menu, then click View Configuration in the Updates summary.
This opens the Updates page. Information on the page shows the current version for each database and the last date and time each database was updated.

The information in this document was created from the devices in a specific lab environment.
All of the devices used in this document started with a cleared default configuration. If your network is live, ensure that you understand the potential impact of any command. Note : You can mix interface modes on a single FTD appliance. Step 1.
Next, specify Name and tick Enabled for the interface, as shown in the image. Note : The Name is the nameif of the interface. Note : Failsafe allows the traffic to pass through the inline pair uninspected in case the interface buffers are full (typically seen when the device is overloaded or the Snort engine is overloaded).
The interface buffer size is dynamically allocated. Step 4. Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in the inline set goes down.
If Tap Mode is on then it is 0. Note : Only physical interfaces can be members of an Inline pair set. The packet-tracer output, which emulates a packet that traverses the inline pair, with the important points highlighted:
The trace of the first captured packet reveals some additional information, like the Snort engine verdict: The trace of the second captured packet shows that the packet matches an existing connection, so it bypasses the ACL check but is still inspected by the Snort engine: The traffic is blocked: Inline Pair with Tap Mode doesn't drop the transit traffic.
The trace of a packet confirms this: Note : In case of an FTD failover event, the traffic outage depends mainly on the time it takes the switches to learn the MAC address of the remote peer. Caution : In this scenario, in case of an FTD failover event, the convergence time mainly depends on the Etherchannel LACP negotiation, and depending on how long that takes, the outage can be considerably longer.
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.4.0
Updated: December 31, Prerequisites. Requirements: There are no specific requirements for this document. Components Used: The information in this document is based on these software and hardware versions: Firepower FTD code 6.
The final result is as shown in the image. Step 2. Configure the Inline Pair. Step 3. Configure the General settings as per the requirements, as shown in the image. Step 5. Save the changes and Deploy. Verify: Use this section in order to confirm that your configuration works properly. With the use of packet-tracer. Verification 2.

The following topics explain how to get started configuring Firepower Threat Defense. This guide explains how to configure Firepower Threat Defense using the Firepower Device Manager web-based configuration interface included on Firepower Threat Defense devices.
Firepower Device Manager lets you configure the basic features of the software that are most commonly used for small or mid-size networks. It is especially designed for networks that include a single device or just a few, where you do not want to use a high-powered multiple-device manager to control a large network containing many Firepower Threat Defense devices.
If you are managing large numbers of devices, or if you want to use the more complex features and configurations that Firepower Threat Defense allows, use Firepower Management Center to configure your devices instead of the integrated Firepower Device Manager.
You can use Firepower Device Manager on the following devices. Support for these models ends with 6. You cannot install version 6. The following table lists the new features available in FTD 6. A high availability or failover setup joins two devices so that if the primary device fails, the secondary device can take over. This helps you keep your network operational in case of device failure. The devices must be of the same model, with the same number and type of interfaces, and they must run the same software version.
You can configure high availability from the Device page. You can configure identity policies to use passive authentication. Passive authentication gathers user identity without prompting the user for username and password. You can now create users directly through Firepower Device Manager. You can then use these local user accounts to authenticate connections to a remote access VPN. You can use the local user database as either the primary or fallback authentication source.
In addition, you can configure passive authentication rules in the identity policy so that local usernames are reflected in the dashboards and so they are available for traffic matching in policies.
Changed default behavior for VPN traffic handling in the access control policy sysopt connection permit-vpn. The default behavior for how VPN traffic is handled by the access control policy has changed. Starting in 6. This allows you to apply advanced inspections, including URL filtering, intrusion protection, and file policies, to VPN traffic. You must configure access control rules to allow VPN traffic.
Alternatively, you can use FlexConfig to configure the sysopt connection permit-vpn command, which tells the system to bypass the access control policy and any advanced inspections for VPN-terminated traffic. You can now create network objects and groups that specify a host by fully-qualified domain name (FQDN) rather than a static IP address. You can use these objects in access control rules only. Support for TCP syslog and the ability to send diagnostic syslog messages through the management interface.
In previous releases, diagnostic syslog messages (as opposed to connection and intrusion messages) always used a data interface. You can now configure syslog so that all messages use the management interface. The ultimate source IP address depends on whether you use the data interfaces as the gateway for the management interface, in which case the IP address will be the one from the data interface.
You can give external users administrative, read-write, or read-only access. Firepower Device Manager can support 5 simultaneous logins; the sixth session automatically logs off the oldest session. You can forcefully end a Firepower Device Manager user session if necessary.
The deployment window has changed to provide a clearer view of the pending changes that will be deployed. In addition, you now have the option to discard changes, copy changes to the clipboard, and download changes in a YAML formatted file. You can also name deployment jobs so they are easier to find in the audit log.
You can use Firepower Device Manager on the following devices. You can also manage the device, or multiple devices, using Cisco Defense Orchestrator, a cloud-based application. The following table lists the new features available in FTD 6. Note that you can configure and use the Power over Ethernet (PoE) ports as regular Ethernet ports, but you cannot enable or configure any PoE-related properties. In release 6. If you are using FlexConfig, redo the configuration on the Interfaces page and remove the hardware bypass commands from FlexConfig.
However, the portion of the FlexConfig devoted to disabling TCP sequence number randomization is still recommended. Previously, you needed to open a separate SSH session to the device to reboot or shut down the system.
You must have Administrator privileges to use these commands. You can give external users config administrator or basic read-only access. You can now create network objects that specify a range of IPv4 or IPv6 addresses, and network group objects that include other network groups (that is, nested groups). You can do a full-text search on objects and rules. By searching a policy or object list that has a large number of items, you can find all items that include your search string anywhere within the rule or object.
We added a search box to all policies that have rules, and to all pages on the Objects list. You can use your API client to communicate and configure the device using commands and syntax valid for any of the supported versions.
The v3 API includes many new resources that cover all features added in software version 6. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using.
You can now view hit counts for access control rules. The hit counts indicate how often connections matched the rule. We updated the access control policy to include hit count information. You can now configure site-to-site VPN connections to use certificates instead of preshared keys to authenticate the peers.
You can also configure connections where the remote peer has an unknown dynamic IP address. You can configure more than one connection profile, and create group policies to use with the profiles. Some items that were previously configured in the wizard are now configured in the group policy. Support for certificate-based, second authentication source, and two-factor authentication in remote access VPN. You can use certificates for user authentication, and configure secondary authentication sources so that users must authenticate twice before establishing a connection.
You can also configure two-factor authentication using RSA tokens or Duo passcodes as the second factor. You can now configure address pools that have more than one address range by selecting multiple network objects that specify subnets.
You can optionally configure the address pool in the group policy instead of the connection profile. You can now include up to 10 redundant Active Directory (AD) servers in a single realm. You can also create multiple realms and delete realms that you no longer need. In addition, the limit for downloading users in a realm is increased to 50, from the 2, limit in previous releases. You can select the realm in the user criteria of access control and SSL decryption rules, to apply the rule to all users within the realm.

Both are running 6.
TAR file. Looks good! When I go to "Managed device backup", however, I am greeted with a blank box of "managed devices" and cannot kick off a backup. So, questions:
You're right, the configuration is indeed all there on the managed device. Unfortunately it cannot be retrieved in any usable way to restore to a rebuilt FMC. I'm not positive about what the chassis backup includes.
I don't think it gets logical device platform settings. Basically, older versions of FTD don't have a sound backup strategy. That's why Cisco is enhancing those features going forward. I don't really understand the use case for backing up FTD devices if we still would need the FMC to restore the backup.
Marvin Rhoads. Hall of Fame Guru. Hello Marvin. First of all, thank you for all your effort with the Firepower. You are doing a great job! Things such as device interfaces, routing etc. Thank you for the reply. So pre 6. Note that version 6.