Cisco Firepower FTD 4110 configuration guide
Firepower Management Center Configuration Guide
In a typical deployment on a large network, you install multiple managed devices on network segments. Each device controls, inspects, monitors, and analyzes traffic, and then reports to the management center that manages it. The management center provides a centralized management console with a web interface that you can use to perform administrative, management, analysis, and reporting tasks in service to securing your local network. For networks that include only a single device or just a few, where you do not need a high-powered multiple-device manager like the management center, you can use the integrated device manager. Use the device manager web-based device setup wizard to configure the basic features of the software that are most commonly used for small network deployments.

Privacy Collection Statement
The Firepower 4100 does not require or actively collect personally identifiable information. However, you can use personally identifiable information in the configuration, for example for usernames. In this case, an administrator might be able to see this information when working with the configuration or when using SNMP.

Before You Start
Deploy and perform initial configuration of the management center. See the Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation Guide or the Cisco Secure Firewall Management Center Virtual Getting Started Guide.

End-to-End Procedure
See the following tasks to deploy and configure the threat defense on your chassis.
Chassis Manager: Add the threat defense logical device.
Management Center: Log into the management center.
Cisco Commerce Workspace: Buy feature licenses.
Smart Software Manager: Generate a license token for the management center.
Management Center: Register the management center with the Smart Licensing server.
Management Center: Register the threat defense with the management center.
Management Center: Configure a basic security policy.

Chassis Manager: Add the Threat Defense Logical Device
You can deploy the threat defense from the Firepower 4100 as either a native or container instance.
You can deploy multiple container instances per security engine, but only one native instance. Refer to the per-model limits for the maximum number of container instances. To add a High Availability pair or a cluster, see the Firepower Management Center Configuration Guide. This procedure lets you configure the logical device characteristics, including the bootstrap configuration used by the application.

Before you begin
Procedure
Step 1 In the chassis manager, choose Logical Devices.
Step 2 Click Add, and set the following parameters:
Step 3 Expand the Data Ports area, and click each interface that you want to assign to the device. You can only assign Data and Data-sharing interfaces that you previously enabled on the Interfaces page. You will later enable and configure these interfaces in the management center, including setting the IP addresses.
You can assign up to 10 Data-sharing interfaces to a container instance, and each Data-sharing interface can be assigned to at most 14 container instances. A Data-sharing interface is indicated by the sharing icon ( ).
Hardware Bypass-capable ports are shown with the following icon: ( ). For certain interface modules, you can enable the Hardware Bypass feature for Inline Set interfaces only (see the Firepower Management Center Configuration Guide for information about Inline Sets). Hardware Bypass ensures that traffic continues to flow between an inline interface pair during a power outage, and can be used to maintain network connectivity in the case of software or hardware failures; while bypass is engaged, that traffic passes through without inspection. If you do not assign both interfaces in a Hardware Bypass pair, you see a warning message to make sure your assignment is intentional. You do not need to use the Hardware Bypass feature, so you can assign single interfaces if you prefer.
Step 4 Click the device icon in the center of the screen. A dialog box appears where you can configure initial bootstrap settings. These settings are meant for initial deployment only, or for disaster recovery. For normal operation, you can later change most values in the application CLI configuration.
Step 5 On the General Information page, complete the following:
Step 6 On the Settings tab, complete the following:
Step 7 On the Agreement tab, read and accept the end user license agreement (EULA).
Step 8 Click OK to close the configuration dialog box.
Step 9 Click Save. The chassis deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the application instance. Check the Logical Devices page for the status of the new logical device. When the logical device shows its Status as online, you can start configuring the security policy in the application.

Log Into the Management Center
Use the management center to configure and monitor the threat defense.
Before you begin
For information on supported browsers, refer to the release notes for the version you are using (see https://www.cisco.com/go/firepower-notes).
Procedure
Step 1 Using a supported browser, enter the following URL: https://fmc_ip_address
Step 2 Enter your username and password.
Step 3 Click Log In.

Obtain Licenses for the Management Center
All licenses are supplied to the threat defense by the management center. You can purchase the following licenses:
For a more detailed overview of Cisco licensing, go to cisco.com/go/licensingguide
Before you begin
Procedure
Step 1 Make sure your Smart Licensing account contains the available licenses you need. When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs:
Figure 1. License Search
Note: If a PID is not found, you can add the PID manually to your order.
Step 2 If you have not already done so, register the management center with the Smart Licensing server. Registering requires you to generate a registration token in the Smart Software Manager. See the Cisco Secure Firewall Management Center Administration Guide for detailed instructions.

Register the Threat Defense with the Management Center
Register each logical device individually to the same management center.
Before you begin
Procedure
Step 1 In the management center, choose Devices > Device Management.
Step 2 From the Add drop-down list, choose Add Device. Set the following parameters:
Step 3 Click Register, or if you want to add another device, click Register and Add Another and confirm a successful registration. If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat defense fails to register, check the following items:
For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.

Configure a Basic Security Policy
This section describes how to configure a basic security policy with the following settings:
To configure a basic security policy, complete the following tasks.

Configure Interfaces
Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Typically, you must configure at least two interfaces to have a system that passes meaningful traffic. Normally, you would have an outside interface that faces the upstream router or internet, and one or more inside interfaces for your organization's networks. Some of these interfaces might be "demilitarized zones" (DMZs), where you place publicly accessible assets such as your web server. A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces. The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.
Procedure
Step 1 Choose Devices > Device Management, and click Edit ( ) for the firewall.
Step 2 Click Interfaces.
Step 3 Click Edit ( ) for the interface that you want to use for inside. The General tab appears.
Step 4 Click the Edit ( ) for the interface that you want to use for outside.The General tab appears. Note If you pre-configured this interface for manager access, then the interface will already be named, enabled, and addressed. You should not alter any of these basic settings because doing so will disrupt the management center management connection. You can still configure the Security Zone on this screen for through traffic policies.
Step 5 Click Save.

Configure the DHCP Server
Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.
Procedure
Step 1 Choose Devices > Device Management, and click Edit ( ) for the device.
Step 2 Choose DHCP.
Step 3 On the Server page, click Add, and configure the following options:
Step 4 Click OK.
Step 5 Click Save.

Add the Default Route
The default route normally points to the upstream router reachable from the outside interface. If you use DHCP for the outside interface, your device might have already received a default route. If you need to manually add the route, complete this procedure. If you received a default route from the DHCP server, it will show in the IPv4 Routes or IPv6 Routes table on the Static Route page.
Procedure
Step 1 Choose Devices > Device Management, and click Edit ( ) for the device.
Step 2 Choose Routing > Static Route, click Add Route, and set the following:
Step 3 Click OK. The route is added to the static route table.
Step 4 Click Save.

Configure NAT
A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT rule is called interface Port Address Translation (PAT).
Procedure
Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save. The policy is added to the management center. You still have to add rules to the policy.
Step 3 Click Add Rule. The Add NAT Rule dialog box appears.
Step 4 Configure the basic rule options:
Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the Destination Interface Objects area.
Step 6 On the Translation page, configure the following options:
Step 7 Click Save to add the rule. The rule is saved to the Rules table.
Step 8 Click Save on the NAT page to save your changes.

Allow Traffic from Inside to Outside
If you created a basic Block all traffic access control policy when you registered the threat defense, then you need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing traffic to the appropriate networks.
Procedure
Step 1 Choose Policies > Access Control, and click Edit ( ) for the access control policy assigned to the threat defense.
Step 2 Click Add Rule, and set the following parameters:
Leave the other settings as is.
Step 3 Click Add. The rule is added to the Rules table.
Step 4 Click Save.

Deploy the Configuration
Deploy the configuration changes to the threat defense; none of your changes are active on the device until you deploy them.
Procedure
Step 1 Click Deploy in the upper right. (Figure 3. Deploy)
Step 2 Either click Deploy All to deploy to all devices or click Advanced Deploy to deploy to selected devices. (Figure 4. Deploy All; Figure 5. Advanced Deploy)
Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see the status of deployments. (Figure 6. Deployment Status)

Access the Threat Defense CLI
You can use the threat defense CLI to change management interface parameters and for troubleshooting purposes. You can access the CLI using SSH to the Management interface, or by connecting from the FXOS CLI.
Procedure
Step 1 (Option 1) SSH directly to the threat defense management interface IP address. You set the management IP address when you deployed the logical device. Log into the threat defense with the admin account and the password you set during initial deployment. If you forgot the password, you can change it by editing the logical device in the chassis manager.
Step 2 (Option 2) From the FXOS CLI, connect to the module CLI using a console connection or a Telnet connection.
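The basic security policy above (the inside-to-outside allow rule, the interface PAT rule) and the deployment step can also be driven through the management center's REST API, which is how you would repeat them for many devices or keep them in version control. The following script is an added example written for this page; it is not code from the Cisco guide. It assumes an FMC 6.x/7.x API as documented in the FMC API Explorer at https://<fmc>/api/api-explorer, an FMC user with API access, and existing objects named inside and outside (security zones) and inside-net (network object) that you created in the UI steps; the field names in the rule bodies (for example interfaceInTranslatedNetwork) are taken from that API Explorer, and using the newest version timestamp across the chosen deployable devices is this example's own choice. Only the Python standard library is used, and the FMC certificate is verified rather than ignored.

```python
# Added example (not the Cisco guide's code): the basic policy and deploy
# steps via the FMC REST API. Assumed: FMC 6.x/7.x API as in the API Explorer
# (https://<fmc>/api/api-explorer); zones "inside"/"outside" and network
# object "inside-net" already exist. Standard library only.
import base64
import json
import ssl
import sys
import urllib.request

CFG = "/api/fmc_config/v1/domain/{domain}"


class FmcClient:
    """Minimal token-auth client for the FMC REST API (TLS certificate verified)."""

    def __init__(self, host, user, password, ca_bundle=None):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context(cafile=ca_bundle)
        self.basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token = self.domain = None

    def _call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        for k, v in (headers or {}).items():
            req.add_header(k, v)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return resp.headers, (json.loads(raw) if raw else {})

    def login(self):
        # Token and domain UUID come back as response headers, not in the body.
        hdrs, _ = self._call("POST", "/api/fmc_platform/v1/auth/generatetoken",
                             headers={"Authorization": "Basic " + self.basic})
        self.token, self.domain = hdrs["X-auth-access-token"], hdrs["DOMAIN_UUID"]

    def get(self, path):
        return self._call("GET", path, headers={"X-auth-access-token": self.token})[1]

    def post(self, path, body):
        return self._call("POST", path, body, {"X-auth-access-token": self.token})[1]


def zone_ref(zone):
    """Reference form FMC expects for an existing SecurityZone object."""
    return {"id": zone["id"], "type": "SecurityZone", "name": zone["name"]}


def build_allow_rule(inside_zone, outside_zone, name="inside_to_outside"):
    """Body for the 'Allow Traffic from Inside to Outside' access rule.
    Logging at connection end is this example's choice, so allowed flows are visible."""
    return {"type": "AccessRule", "name": name, "action": "ALLOW", "enabled": True,
            "sourceZones": {"objects": [zone_ref(inside_zone)]},
            "destinationZones": {"objects": [zone_ref(outside_zone)]},
            "logBegin": False, "logEnd": True, "sendEventsToFMC": True}


def build_auto_nat_rule(inside_network, outside_zone):
    """Body for the interface PAT rule: inside_network -> outside interface address."""
    return {"type": "FTDAutoNatRule", "natType": "DYNAMIC",
            "interfaceInTranslatedNetwork": True,   # "Destination Interface IP" in the UI
            "originalNetwork": {"id": inside_network["id"], "type": inside_network["type"]},
            "destinationInterface": zone_ref(outside_zone)}


def build_deployment_request(deployable_items, device_names):
    """Body for POST .../deployment/deploymentrequests limited to device_names.
    Refuses devices FMC does not list as deployable instead of silently skipping them."""
    by_name = {(i.get("name") or i["device"]["name"]): i for i in deployable_items}
    bad = [n for n in device_names
           if n not in by_name or not by_name[n].get("canBeDeployed", True)]
    if bad:
        raise ValueError(f"not deployable: {bad}")
    chosen = [by_name[n] for n in device_names]
    return {"type": "DeploymentRequest", "forceDeploy": False, "ignoreWarning": True,
            "version": max(i["version"] for i in chosen),
            "deviceList": [i["device"]["id"] for i in chosen]}


def configure_and_deploy(fmc, device_name, acp_name, nat_name, inside_net="inside-net"):
    """Add both rules, then deploy: nothing is active on the device until then."""
    cfg = CFG.format(domain=fmc.domain)

    def by_name(path):
        return {o["name"]: o for o in fmc.get(cfg + path).get("items", [])}

    zones, nets = by_name("/object/securityzones"), by_name("/object/networks")
    acp = by_name("/policy/accesspolicies")[acp_name]
    nat = by_name("/policy/ftdnatpolicies")[nat_name]
    fmc.post(f"{cfg}/policy/accesspolicies/{acp['id']}/accessrules",
             build_allow_rule(zones["inside"], zones["outside"]))
    fmc.post(f"{cfg}/policy/ftdnatpolicies/{nat['id']}/autonatrules",
             build_auto_nat_rule(nets[inside_net], zones["outside"]))
    pending = fmc.get(cfg + "/deployment/deployabledevices?expanded=true").get("items", [])
    return fmc.post(cfg + "/deployment/deploymentrequests",
                    build_deployment_request(pending, [device_name]))


if __name__ == "__main__":   # usage: script.py FMC_HOST USER PASSWORD DEVICE ACP_NAME NAT_NAME
    host, user, pw, dev, acp, nat = sys.argv[1:7]
    client = FmcClient(host, user, pw)
    client.login()
    print(json.dumps(configure_and_deploy(client, dev, acp, nat), indent=2))
```

The deployment request is built from what the management center itself reports as deployable, so a device with nothing pending, or one whose pending change cannot be deployed, raises an error rather than being silently skipped; that mirrors Step 3 of the deployment procedure, where you confirm the deployment actually succeeded instead of assuming it.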
Example
The following example connects to the threat defense and then exits back to the supervisor level of the FXOS CLI.
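The guide's own CLI example did not survive in this copy, so the session below is added here and reconstructed from the standard FXOS and threat defense commands rather than copied from the page. It assumes the threat defense runs on security module 1 (the only module in a Firepower 4100) and, if it is a container instance, that the instance is named ftd1; both are assumptions. The show commands run at the threat defense prompt are the checks a practitioner would use for the registration failures mentioned under "Register the Threat Defense with the Management Center" (show managers, show network) and to confirm what the deployment actually pushed (interfaces, default route, NAT rule); their output is omitted.

```text
Firepower# connect module 1 console            (Telnet variant: connect module 1 telnet)
Firepower-module1> connect ftd                 (container instance: connect ftd ftd1)
> show managers                                registration target, key state: check first if registration fails
> show network                                 management IP, gateway and DNS from the bootstrap
> show running-config interface                the inside/outside interfaces after deploy
> show route                                   the default route, static or learned via DHCP
> show nat                                     the interface PAT rule and its hit counts
> exit                                         back to the module CLI
Firepower-module1> ~                           console escape character
telnet> quit
Firepower#                                     back at the supervisor level of the FXOS CLI
```

Exiting with exit returns you to the module CLI, not to FXOS; the tilde escape followed by quit is what closes the console session and returns the supervisor prompt. Over a Telnet connection to the module, exit alone returns you to the supervisor.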
What's Next?
To continue configuring your threat defense, see the documents available for your software version at Navigating the Cisco Firepower Documentation. For information related to using the management center, see the Firepower Management Center Configuration Guide.

History for Threat Defense with the Management Center
Support for ASA and threat defense on separate modules of the same Firepower 9300 (version 6.4): You can now deploy the ASA and the threat defense logical devices on the same Firepower 9300. Note: Requires FXOS 2.6.1.
Threat Defense for the Firepower 4115, 4125, and 4145 (version 6.4): We introduced the Firepower 4115, 4125, and 4145. Note: Requires FXOS 2.6.1.
Multi-instance capability for threat defense on the Firepower 4100/9300 (version 6.3.0): You can now deploy multiple logical devices, each with a threat defense container instance, on a single security engine/module. Formerly, you could only deploy a single native application instance. To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances. Resource management lets you customize performance capabilities for each instance. You can use High Availability using a container instance on 2 separate chassis. Clustering is not supported.