Cisco Secure Firewall 4200 Getting Started Guide

First Published: 2023-09-07


Last Modified: 2024-06-21

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
CHAPTER 1
Which Application and Manager is Right for You?
Your hardware platform can run one of two applications: Secure Firewall Threat Defense or ASA. For each
application, you have a choice of managers. This chapter explains the application and manager choices.
• Applications, on page 1
• Managers, on page 1

Applications
You can use either of the following applications on your hardware platform:
• Threat Defense—The threat defense (formerly Firepower Threat Defense) is a next-generation firewall
that combines an advanced stateful firewall, VPN concentrator, and next generation IPS.
• ASA—The ASA is a traditional, advanced stateful firewall and VPN concentrator.

Cisco provides ASA-to-threat defense migration tools to help you convert your ASA to the threat defense if
you start with ASA and later reimage to threat defense.
To reimage between the ASA and the threat defense, see the Cisco Secure Firewall ASA and Secure Firewall
Threat Defense Reimage Guide.

Managers
The threat defense and ASA support multiple managers.

Threat Defense Managers

Note Secure Firewall Device Manager (formerly Firepower Device Manager) is not supported on the Secure Firewall
4200.


Table 1: Threat Defense Managers

Secure Firewall Management Center (formerly Firepower Management Center)
  The management center is a multi-device manager that runs on its own server hardware, or as a virtual device on a hypervisor.
  For a local management center, see Threat Defense Deployment with the Management Center, on page 5.
  For a remote management center, see Threat Defense Deployment with a Remote Management Center, on page 43.

Cisco Defense Orchestrator (CDO) Cloud-delivered Firewall Management Center
  CDO's cloud-delivered Firewall Management Center has all of the configuration functionality of an on-premises management center. For the analytics functionality, you can use a cloud solution or an on-prem management center. CDO also manages other security devices, such as ASAs.
  See Threat Defense Deployment with CDO, on page 79.

Secure Firewall Threat Defense REST API
  The threat defense REST API lets you automate direct configuration of the threat defense. You cannot use this API if you are managing the threat defense using the management center or CDO.
  The threat defense REST API is not covered in this guide. For more information, see the Cisco Secure Firewall Threat Defense REST API Guide.

Secure Firewall Management Center REST API
  The management center REST API lets you automate configuration of management center policies that can then be applied to managed threat defenses. This API does not manage the threat defense directly.
  The management center REST API is not covered in this guide. For more information, see the Secure Firewall Management Center REST API Quick Start Guide.

ASA Managers
Table 2: ASA Managers

CLI
  You can use the CLI to configure all ASA functionality.
  The CLI is not covered in this guide. For more information, see the ASA configuration guides.

Adaptive Security Device Manager (ASDM)
  ASDM is a Java-based, on-device manager that provides full ASA functionality.
  See ASA Deployment with ASDM, on page 111.

CDO
  CDO is a cloud-based, multi-device manager. CDO also manages other security devices, such as threat defenses.
  CDO for ASA is not covered in this guide. To get started with CDO, see the CDO home page.

Cisco Security Manager (CSM)
  CSM is a multi-device manager that runs on its own server hardware. CSM does not support managing the threat defenses.
  CSM is not covered in this guide. For more information, see the CSM user guide.

ASA HTTP Interface
  Using HTTP, an automation tool can execute commands on the ASAs by accessing specifically formatted URLs.
  The ASA HTTP interface is not covered in this guide. For more information, see the Cisco Secure Firewall ASA HTTP Interface for Automation.

CHAPTER 2
Threat Defense Deployment with the
Management Center
Is This Chapter for You?
To see all available applications and managers, see Which Application and Manager is Right for You?, on
page 1. This chapter applies to the threat defense with the management center.
This chapter explains how to manage the threat defense with a management center located on your management
network. For remote branch deployment, where the management center resides at a central headquarters, see
Threat Defense Deployment with a Remote Management Center, on page 43.
About the Firewall
The hardware can run either threat defense software or ASA software. Switching between threat defense and
ASA requires you to reimage the device. You should also reimage if you need a different software version
than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage
Guide.
The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System
(FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is
supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower
1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.
Privacy Collection Statement—The firewall does not require or actively collect personally identifiable
information. However, you can use personally identifiable information in the configuration, for example for
usernames. In this case, an administrator might be able to see this information when working with the
configuration or when using SNMP.
• Before You Start, on page 6
• End-to-End Tasks, on page 6
• Review the Network Deployment, on page 8
• Cable the Firewall, on page 10
• Power on the Firewall, on page 12
• (Optional) Check the Software and Install a New Version, on page 13
• Complete the Threat Defense Initial Configuration Using the CLI, on page 15
• Log Into the Management Center, on page 18
• Obtain Licenses for the Management Center, on page 18
• Register the Threat Defense with the Management Center, on page 20
• Configure a Basic Security Policy, on page 24

• Access the Threat Defense and FXOS CLI, on page 39


• Power Off the Firewall, on page 40
• What's Next?, on page 41

Before You Start


Deploy and perform initial configuration of the management center. See the getting started guide for your
model.

End-to-End Tasks
See the following tasks to deploy the threat defense with management center.

Figure 1: End-to-End Tasks

Pre-Configuration: Install the firewall. See the hardware installation guide.
Pre-Configuration: Review the Network Deployment, on page 8.
Pre-Configuration: Cable the Firewall, on page 10.
Pre-Configuration: Power on the Firewall, on page 12.
CLI: (Optional) Check the Software and Install a New Version, on page 13.

CLI: Complete the Threat Defense Initial Configuration Using the CLI, on page 15.
Management Center: Log Into the Management Center, on page 18.
Cisco Commerce Workspace: Buy Base license and optional feature licenses (Obtain Licenses for the Management Center, on page 18).
Smart Software Manager: Generate a license token for the management center (Obtain Licenses for the Management Center, on page 18).
Management Center: Register the management center with the Smart Licensing server (Obtain Licenses for the Management Center, on page 18).
Management Center: Register the Threat Defense with the Management Center, on page 20.
Management Center: Configure a Basic Security Policy, on page 24.

Review the Network Deployment


Management Interface
The management center communicates with the threat defense on the Management interface.
The dedicated Management interface is a special interface with its own network settings:
• By default, the Management 1/1 interface is enabled and configured as a DHCP client. If your network
does not include a DHCP server, you can set the Management interface to use a static IP address during
initial setup at the console port.
• Both the threat defense and the management center require internet access from their management interfaces
for licensing and updates.

Note The management connection is a secure, TLS-1.3-encrypted communication channel between the management
center and the device. You do not need to run this traffic over an additional encrypted tunnel such as Site-to-Site
VPN for security purposes. If the VPN goes down, for example, you will lose your management connection, so we
recommend a simple management path.

Data Interfaces
You can configure other interfaces after you connect the threat defense to the management center.

Typical Separate Management Network Deployment


The following figure shows a typical network deployment for the firewall where the threat defense, management
center, and management computer connect to the management network.

The management network has a path to the internet for licensing and updates.
Figure 2: Separate Management Network

Typical Edge Network Deployment


The following figure shows a typical network deployment for the firewall where:
• Inside acts as the internet gateway for Management and for the management center.
• Management 1/1 connects to an inside interface through a Layer 2 switch.
• The management center and management computer connect to the switch.

This direct connection is allowed because the Management interface has separate routing from the other
interfaces on the threat defense.

Figure 3: Edge Network Deployment

Cable the Firewall


To cable one of the recommended scenarios on the Secure Firewall 4200, see the following steps.

Note Other topologies can be used, and your deployment will vary depending on your basic logical network
connectivity, ports, addressing, and configuration requirements.

Before you begin


• Install SFPs into the Management and data interface ports—The built-in ports are 1/10/25-Gb SFP ports
that require SFP modules.
• Obtain a console cable—The firewall does not ship with a console cable by default, so you will need to
buy a third-party USB-to-RJ-45 serial cable, for example.

Procedure

Step 1 Install the chassis. See the hardware installation guide.


Step 2 Cable for a separate management network:

Figure 4: Cabling a Separate Management Network

a) Cable the following to your management network:


• Management 1/1 interface
The Management 1/2 interface can be used as a separate eventing interface if the management center
has a dedicated eventing interface. See the management center admin and device configuration guides
for more information.
• Secure Firewall Management Center
• Management computer

b) Connect the management computer to the console port. You need to use the console port to access the
CLI for initial setup if you do not use SSH to the Management interface.
c) Connect the inside interface (for example, Ethernet 1/2) to your inside router.
d) Connect the outside interface (for example, Ethernet 1/1) to your outside router.
e) Connect other networks to the remaining interfaces.
Step 3 Cable for an edge deployment:

Figure 5: Cabling an Edge Deployment

a) Cable the following to a Layer 2 Ethernet switch:


• Inside interface (for example, Ethernet 1/2)
• Management 1/1 interface
The Management 1/2 interface can be used as a separate eventing interface if the management center
has a dedicated eventing interface. See the management center admin and device configuration guides
for more information.
• Secure Firewall Management Center
• Management computer

b) Connect the management computer to the console port. You need to use the console port to access the
CLI for initial setup if you do not use SSH to the Management interface.
c) Connect the outside interface (for example, Ethernet 1/1) to your outside router.
d) Connect other networks to the remaining interfaces.

Power on the Firewall


System power is controlled by a rocker power switch located on the rear of the firewall. The power switch is
implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk of
system software and data corruption.

Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.

Before you begin


It's important that you provide reliable power for your firewall (for example, using an uninterruptible power
supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are
many processes running in the background all the time, and losing power does not allow the graceful shutdown
of your system.

Procedure

Step 1 Attach the power cord to the firewall, and connect it to an electrical outlet.
Step 2 Turn the power on using the standard rocker-type power on/off switch located on the rear of the chassis,
adjacent to the power cord.
Step 3 Check the Power LED on the back of the firewall; if it is solid green, the firewall is powered on.
Figure 6: System and Power LEDs

Step 4 Check the System LED on the back of the firewall; after it is solid green, the system has passed power-on
diagnostics.
Note When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually
power off. During this time, the Power LED on the front of the chassis blinks green. Do not remove
the power until the Power LED is completely off.

(Optional) Check the Software and Install a New Version


To check the software version and, if necessary, install a different version, perform these steps. We recommend
that you install your target version before you configure the firewall. Alternatively, you can perform an upgrade
after you are up and running, but upgrading, which preserves your configuration, may take longer than using
this procedure.
What Version Should I Run?
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the
software download page. You can also refer to the release strategy described in
https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html; for example, this
bulletin describes short-term release numbering (with the latest features), long-term release numbering
(maintenance releases and patches for a longer period of time), or extra long-term release numbering (maintenance
releases and patches for the longest period of time, for government certification).

Procedure

Step 1 Connect to the console port. See Access the Threat Defense and FXOS CLI, on page 39 for more information.
Log in with the admin user and the default password, Admin123.
You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This
password is also used for the threat defense login for SSH.
Note If the password was already changed, and you do not know it, you must perform a factory reset to
reset the password to the default. See the FXOS troubleshooting guide for the factory reset procedure.

Example:

firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 2 At the FXOS CLI, show the running version.

scope ssa
show app-instance

Example:

Firepower# scope ssa
Firepower /ssa # show app-instance

Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               7.6.0.65        7.6.0.65        Not Applicable

Step 3 If you want to install a new version, perform these steps.


a) If you need to set a static IP address for the Management interface, see Complete the Threat Defense
Initial Configuration Using the CLI, on page 15. By default, the Management interface uses DHCP.
You will need to download the new image from a server accessible from the Management interface.
b) Perform the reimage procedure in the FXOS troubleshooting guide.

After the firewall reboots, you connect to the FXOS CLI again.

Complete the Threat Defense Initial Configuration Using the CLI


Set the Management IP address, gateway, and other basic networking settings using the setup wizard. The
dedicated Management interface is a special interface with its own network settings. If you do not want to
use the Management interface for the manager access, you can use the CLI to configure a data interface instead.
You will also configure the management center communication settings.

Procedure

Step 1 Connect to the threat defense CLI, either from the console port or using SSH to the Management interface,
which obtains an IP address from a DHCP server by default. If you intend to change the network settings, we
recommend using the console port so you do not get disconnected.
The console port connects to the FXOS CLI. The SSH session connects directly to the threat defense CLI.

Step 2 Log in with the username admin and the password Admin123.
At the console port, you connect to the FXOS CLI. The first time you log in to FXOS, you are prompted to
change the password. This password is also used for the threat defense login for SSH.
Note If the password was already changed, and you do not know it, you must reimage the device to reset
the password to the default. See the FXOS troubleshooting guide for the reimage procedure.

Example:

firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.
Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 3 If you connected to FXOS on the console port, connect to the threat defense CLI.
connect ftd

Example:

firepower# connect ftd
>

Step 4 The first time you log in to the threat defense, you are prompted to accept the End User License Agreement
(EULA) and, if using an SSH connection, to change the admin password. You are then presented with the
CLI setup script.
Note You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging.
However, all of these settings can be changed later at the CLI using configure network commands.
See Cisco Secure Firewall Threat Defense Command Reference.

Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
See the following guidelines:
• Do you want to configure IPv4? and/or Do you want to configure IPv6?—Enter y for at least one of
these types of addresses. For the edge deployment example shown in the network deployment section,
set a static IP address because the gateway inside interface does not yet have a DHCP server running.
• Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for
the management interface—Set a gateway IP address for Management 1/1 on the management network.
In the edge deployment example shown in the network deployment section, the inside interface acts as
the management gateway. In this case, you should set the gateway IP address to be the intended inside
interface IP address; you must later use the management center to set the inside IP address. The
data-interfaces setting applies only to the remote management center management.
• If your networking information has changed, you will need to reconnect—If you are connected with
SSH but you change the IP address at initial setup, you will be disconnected. Reconnect with the new
IP address and password. Console connections are not affected.
• Configure firewall mode?—We recommend that you set the firewall mode at initial configuration.
Changing the firewall mode after initial setup erases your running configuration.

Example:

You must accept the EULA to continue.
Press <ENTER> to display the EULA:
End User License Agreement
[...]

Please enter 'YES' or press <ENTER> to AGREE to the EULA:

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: ********
Confirm new password: ********
You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]:n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.15
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: ftd-1.cisco.com
Enter a comma-separated list of DNS servers or 'none'
[208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []:cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35
Setting DNS domains:cisco.com
Setting hostname as ftd-1.cisco.com
Setting static IPv4: 10.10.10.15 netmask: 255.255.255.192 gateway: 10.10.10.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

DHCP server is already disabled
DHCP Server Disabled
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...

Device is in OffBox mode - disabling/removing port 443 from iptables.
Update policy deployment information
- add device configuration
- add network discovery
- add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>
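Because the setup wizard cannot be rerun without clearing the configuration, and an SSH session is dropped the moment the address changes, it pays to check the planned answers before typing them at the console. The following is an added example, not code from the guide or from Cisco: given the address, netmask, gateway, hostname and DNS answers from the wizard above, it checks that the gateway lies inside the management subnet, that in the edge deployment the gateway is the intended inside interface address, that the `data-interfaces` default is only used with a remote management center, and that the hostname is fully qualified. The function name and its parameters are this example's own assumptions; the sample values are the ones shown in the wizard output.

```python
import ipaddress
import re
from typing import List, Optional

# Fully qualified hostname: at least two dot-separated RFC 1123 style labels.
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def check_management_plan(
    address: str,
    netmask: str,
    gateway: str,
    hostname: str,
    dns_servers: str,
    edge_inside_ip: Optional[str] = None,
    remote_management_center: bool = False,
) -> List[str]:
    """Return a list of findings; an empty list means the wizard answers are consistent.

    dns_servers is the comma-separated string exactly as typed at the wizard prompt
    (or 'none'); edge_inside_ip is the inside interface address you will later set
    in the management center when Management 1/1 hangs off the inside switch.
    """
    findings: List[str] = []
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network

    if gateway == "data-interfaces":
        # The wizard default only applies when a remote management center manages
        # the device through a data interface, not to the local deployment here.
        if not remote_management_center:
            findings.append("gateway 'data-interfaces' applies only to remote management center management")
    else:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            findings.append(f"gateway {gw} is outside the management subnet {net}")
        elif gw == iface.ip:
            findings.append("gateway equals the management address")
        elif gw in (net.network_address, net.broadcast_address):
            findings.append("gateway is the network or broadcast address")
        if edge_inside_ip is not None and gw != ipaddress.IPv4Address(edge_inside_ip):
            findings.append("edge deployment: gateway must be the intended inside interface address")

    if not FQDN_RE.fullmatch(hostname):
        findings.append(f"hostname {hostname!r} is not a fully qualified name")

    if dns_servers != "none":
        for server in dns_servers.split(","):
            try:
                ipaddress.ip_address(server.strip())
            except ValueError:
                findings.append(f"DNS server {server!r} is not an IP address")
    return findings


if __name__ == "__main__":
    # The answers from the wizard transcript above, for the edge deployment.
    print(check_management_plan(
        "10.10.10.15", "255.255.255.192", "10.10.10.1", "ftd-1.cisco.com",
        "208.67.222.222,208.67.220.220,2620:119:35::35", edge_inside_ip="10.10.10.1",
    ))
```

An empty result means the address plan is internally consistent; it does not prove the gateway is reachable, which you still confirm from the threat defense CLI after setup.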

Step 5 Identify the management center that will manage this threat defense.
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
• {hostname | IPv4_address | IPv6_address | DONTRESOLVE}—Specifies either the FQDN or IP address
of the management center. If the management center is not directly addressable, use DONTRESOLVE
and also specify the nat_id. At least one of the devices, either the management center or the threat defense,
must have a reachable IP address to establish the two-way, SSL-encrypted communication channel
between the two devices. If you specify DONTRESOLVE in this command, then the threat defense
must have a reachable IP address or hostname.
• reg_key—Specifies a one-time registration key of your choice that you will also specify on the management
center when you register the threat defense. The registration key must not exceed 37 characters. Valid
characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).
• nat_id—Specifies a unique, one-time string of your choice that you will also specify on the management
center when you register the threat defense when one side does not specify a reachable IP address or
hostname. It is required if you set the management center to DONTRESOLVE. The NAT ID must not
exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen
(-). This ID cannot be used for any other devices registering to the management center.

Example:

> configure manager add MC.example.com 123456
Manager successfully configured.

If the management center is behind a NAT device, enter a unique NAT ID along with the registration key,
and specify DONTRESOLVE instead of the hostname, for example:
Example:

> configure manager add DONTRESOLVE regk3y78 natid90
Manager successfully configured.

If the threat defense is behind a NAT device, enter a unique NAT ID along with the management center IP
address or hostname, for example:
Example:

> configure manager add 10.70.45.5 regk3y78 natid56
Manager successfully configured.
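The rules in Step 5 (a 37-character limit and a restricted character set for both the registration key and the NAT ID, a NAT ID that is mandatory with DONTRESOLVE and must be unique per management center, and at least one side reachable) are easy to get wrong when registering many devices. The following is an added example, not code from the guide or from Cisco: it validates those inputs and assembles the `configure manager add` line for the three cases shown above, refusing combinations the guide says will not work. The function names, the `threat_defense_reachable` flag and the `used_nat_ids` bookkeeping are this example's own assumptions.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Registration key and NAT ID: at most 37 characters from A-Z, a-z, 0-9 and '-'.
TOKEN_RE = re.compile(r"^[A-Za-z0-9-]{1,37}$")
# RFC 1123 style hostname or FQDN: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_token(value: str, what: str) -> str:
    """Enforce the length and character-set rule shared by reg_key and nat_id."""
    if not TOKEN_RE.fullmatch(value):
        raise ValueError(f"{what} must be 1-37 characters from A-Z, a-z, 0-9 and '-': {value!r}")
    return value


def classify_manager(host: str) -> str:
    """Return 'dontresolve', 'ipv4', 'ipv6' or 'hostname' for the first argument."""
    if host == "DONTRESOLVE":
        return "dontresolve"
    try:
        return "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return "hostname"
    raise ValueError(f"not a hostname, IP address or DONTRESOLVE: {host!r}")


def manager_add_command(
    host: str,
    reg_key: str,
    nat_id: Optional[str] = None,
    threat_defense_reachable: bool = True,
    used_nat_ids: Iterable[str] = (),
) -> str:
    """Build a valid `configure manager add` line, or raise ValueError saying why it is not valid."""
    kind = classify_manager(host)
    validate_token(reg_key, "registration key")
    if nat_id is not None:
        validate_token(nat_id, "NAT ID")
        # The NAT ID identifies this device on the management center, so it
        # must not be reused by another registering device.
        if nat_id in set(used_nat_ids):
            raise ValueError(f"NAT ID {nat_id!r} is already used by another device on this management center")
    if kind == "dontresolve":
        if nat_id is None:
            raise ValueError("DONTRESOLVE requires a NAT ID")
        # With DONTRESOLVE the management center cannot be addressed, so the
        # threat defense must be the reachable side of the channel.
        if not threat_defense_reachable:
            raise ValueError("with DONTRESOLVE the threat defense must be reachable by IP address or hostname")
    parts = ["configure manager add", host, reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


if __name__ == "__main__":
    # The three cases from the guide: direct, management center behind NAT, threat defense behind NAT.
    print(manager_add_command("MC.example.com", "123456"))
    print(manager_add_command("DONTRESOLVE", "regk3y78", "natid90"))
    print(manager_add_command("10.70.45.5", "regk3y78", "natid56"))
```

Treat the registration key as a one-time secret: generate it per device, keep it out of shared scripts, and enter the same value on the management center when you add the device.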

What to do next
Register your firewall to the management center.

Log Into the Management Center


Use the management center to configure and monitor the threat defense.

Procedure

Step 1 Using a supported browser, enter the following URL.

https://fmc_ip_address

Step 2 Enter your username and password.
Step 3 Click Log In.

Obtain Licenses for the Management Center


All licenses are supplied to the threat defense by the management center. You can purchase the following
licenses:
• Essentials—(Required) Essentials license.
• IPS—Security Intelligence and Next-Generation IPS
• Malware Defense—Malware defense

• URL Filtering—URL Filtering


• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
• Carrier—Diameter, GTP/GPRS, M3UA, SCTP

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide

Before you begin


• Have an account on the Smart Software Manager.
If you do not yet have an account, click the link to set up a new account. The Smart Software Manager
lets you create an account for your organization.
• Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to
use some features (enabled using the export-compliance flag).

Procedure

Step 1 Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart
Software License account. However, if you need to add licenses yourself, use the Search All field on the
Cisco Commerce Workspace.
Figure 7: License Search

Choose Products & Services from the results.


Figure 8: Results

Search for the following license PIDs:


Note If a PID is not found, you can add the PID manually to your order.

• Essentials license:
• L-FPR4215-BSE=

• L-FPR4225-BSE=
• L-FPR4245-BSE=

• IPS, Malware Defense, and URL license combination:


• L-FPR4215T-TMC=
• L-FPR4225T-TMC=
• L-FPR4245T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR4215T-TMC-1Y
• L-FPR4215T-TMC-3Y
• L-FPR4215T-TMC-5Y
• L-FPR4225T-TMC-1Y
• L-FPR4225T-TMC-3Y
• L-FPR4225T-TMC-5Y
• L-FPR4245T-TMC-1Y
• L-FPR4245T-TMC-3Y
• L-FPR4245T-TMC-5Y

• Carrier license:
• L-FPR4200-FTD-CAR=

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Step 2 If you have not already done so, register the management center with the Smart Licensing server.
Registering requires you to generate a registration token in the Smart Software Manager. See the Cisco Secure
Firewall Management Center Administration Guide for detailed instructions.

Register the Threat Defense with the Management Center


Register the threat defense to the management center manually using the device IP address or hostname.

Before you begin

Procedure

Step 1 In the management center, choose Devices > Device Management.


Step 2 From the Add drop-down list, choose Add Device.
The Registration Key method is selected by default.

Figure 9: Add Device Using a Registration Key

Set the following parameters:


• Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field
blank if you specified both the management center IP address and a NAT ID in the threat defense initial
configuration.


Note In an HA environment, when both the management centers are behind a NAT, you can register
the threat defense without a host IP or name in the primary management center. However, for
registering the threat defense in a secondary management center, you must provide the IP address
or hostname for the threat defense.

• Display Name—Enter the name for the threat defense as you want it to display in the management center.
• Registration Key—Enter the same registration key that you specified in the threat defense initial
configuration.
• Domain—Assign the device to a leaf domain if you have a multidomain environment.
• Group—Assign it to a device group if you are using groups.
• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you
know you need to use, choose Create new policy, and choose Block all traffic. You can change this
later to allow traffic; see Allow Traffic from Inside to Outside, on page 36.
Figure 10: New Policy

• Smart Licensing—Assign the Smart Licenses you need for the features you want to deploy. Note: You
can apply the Secure Client remote access VPN license after you add the device, from the System >
Licenses > Smart Licenses page.
• Unique NAT ID—Specify the NAT ID that you specified in the threat defense initial configuration.
• Transfer Packets—Allow the device to transfer packets to the management center. When events like
IPS or Snort are triggered with this option enabled, the device sends event metadata information and
packet data to the management center for inspection. If you disable it, only event information will be
sent to the management center, but packet data is not sent.

Step 3 Click Register, and confirm a successful registration.


If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat
defense fails to register, check the following items:
• Ping—Access the threat defense CLI, and ping the management center IP address using the following
command:
ping system ip_address
If the ping is not successful, check your network settings using the show network command. If you need
to change the threat defense Management IP address, use the configure network {ipv4 | ipv6} manual
command.
• Registration key, NAT ID, and the management center IP address—Make sure you are using the same
registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on
the threat defense using the configure manager add command.

For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.

Configure a Basic Security Policy


This section describes how to configure a basic security policy with the following settings:
• Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the
outside interface.
• DHCP server—Use a DHCP server on the inside interface for clients.
• Default route—Add a default route through the outside interface.
• NAT—Use interface PAT on the outside interface.
• Access control—Allow traffic from inside to outside.

To configure a basic security policy, complete the following tasks.

Configure Interfaces, on page 25.

Configure the DHCP Server, on page 29.

Add the Default Route, on page 31.

Configure NAT, on page 33.

Allow Traffic from Inside to Outside, on page 36.

Deploy the Configuration, on page 37.


Configure Interfaces
Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Also configure
breakout interfaces.
The following example configures a routed mode inside interface with a static address and a routed mode
outside interface using DHCP.

Procedure

Step 1 Choose Devices > Device Management, and click the Edit ( ) for the firewall.
Step 2 Click Interfaces.
Figure 11: Interfaces

Step 3 To create breakout ports from a 40-Gb or larger interface, click the Break icon for the interface.
If you already used the full interface in your configuration, you will have to remove the configuration before
you can proceed with the breakout.

Step 4 Click Edit ( ) for the interface that you want to use for inside.
The General tab appears.


Figure 12: General Tab

a) Enter a Name up to 48 characters in length.


For example, name the interface inside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by
clicking New.
For example, add a zone called inside_zone. Each interface must be assigned to a security zone and/or
interface group. An interface can belong to only one security zone, but can also belong to multiple interface
groups. You apply your security policy based on zones or groups. For example, you can assign the inside
interface to the inside zone; and the outside interface to the outside zone. Then you can configure your
access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most
policies only support security zones; you can use zones or interface groups in NAT policies, prefilter
policies, and QoS policies.
e) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in
slash notation.
For example, enter 192.168.1.1/24


Figure 13: IPv4 Tab

• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.


Figure 14: IPv6 Tab

f) Click OK.

Step 5 Click the Edit ( ) for the interface that you want to use for outside.
The General tab appears.


Figure 15: General Tab

a) Enter a Name up to 48 characters in length.


For example, name the interface outside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by
clicking New.
For example, add a zone called outside_zone.
e) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use DHCP, and configure the following optional parameters:
• Obtain default route using DHCP—Obtains the default route from the DHCP server.
• DHCP route metric—Assigns an administrative distance to the learned route, between 1 and
255. The default administrative distance for the learned routes is 1.


Figure 16: IPv4 Tab

• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.


Figure 17: IPv6 Tab

f) Click OK.
Step 6 Click Save.

Configure the DHCP Server


Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.

Procedure

Step 1 Choose Devices > Device Management, and click Edit ( ) for the device.
Step 2 Choose DHCP > DHCP Server.


Figure 18: DHCP Server

Step 3 On the Server page, click Add, and configure the following options:
Figure 19: Add Server

• Interface—Choose the interface from the drop-down list.


• Address Pool—Set the range of IP addresses from lowest to highest that are used by the DHCP server.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the
IP address of the interface itself.
• Enable DHCP Server—Enable the DHCP server on the selected interface.

Step 4 Click OK.


Step 5 Click Save.
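The Address Pool constraints in Step 3 (same subnet as the interface, and the interface's own address excluded) are the ones that most often cause the Add Server dialog to reject a pool. The following check, added here as an illustration and not code from the guide or from the threat defense, applies those constraints to a candidate pool before you enter it; the addresses are constructed samples, and the inside interface address 192.168.1.1/24 is the one used in Configure Interfaces.

```python
# Added example (not code from the guide or from threat defense): check a DHCP
# address pool against the interface it will serve, applying the constraints
# the Add Server dialog enforces. All addresses below are constructed samples.
import ipaddress


def validate_dhcp_pool(interface_cidr, pool_low, pool_high):
    """Return (ok, reason).

    interface_cidr: the interface address in slash notation as entered on the
                    IPv4 tab, for example 192.168.1.1/24
    pool_low/pool_high: the Address Pool range, lowest and highest address
    """
    iface = ipaddress.ip_interface(interface_cidr)
    low = ipaddress.ip_address(pool_low)
    high = ipaddress.ip_address(pool_high)

    if low.version != iface.ip.version or high.version != iface.ip.version:
        return False, "pool and interface must use the same IP version"
    if low > high:
        return False, "lowest pool address must not be above the highest"
    subnet = iface.network
    if low not in subnet or high not in subnet:
        return False, f"pool must lie within the interface subnet {subnet}"
    if low <= iface.ip <= high:
        return False, f"pool must not include the interface address {iface.ip}"
    return True, f"{int(high) - int(low) + 1} addresses available for leases"


if __name__ == "__main__":
    # Constructed samples: a valid pool, a pool that swallows the interface
    # address, and a pool on the wrong subnet.
    for args in [("192.168.1.1/24", "192.168.1.5", "192.168.1.254"),
                 ("192.168.1.1/24", "192.168.1.1", "192.168.1.100"),
                 ("192.168.1.1/24", "192.168.2.10", "192.168.2.20")]:
        print(args, "->", validate_dhcp_pool(*args))
```

The check uses only the rules the procedure states; it does not reserve the network or broadcast address, so a pool touching those ends is still reported as valid here even if you would not normally hand them out.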


Add the Default Route


The default route normally points to the upstream router reachable from the outside interface. If you use DHCP
for the outside interface, your device might have already received a default route. If you need to manually
add the route, complete this procedure. If you received a default route from the DHCP server, it will show in
the IPv4 Routes or IPv6 Routes table on the Devices > Device Management > Routing > Static Route
page.

Procedure

Step 1 Choose Devices > Device Management, and click Edit ( ) for the device.
Step 2 Choose Routing > Static Route.
Figure 20: Static Route

Step 3 Click Add Route, and set the following:


Figure 21: Add Static Route Configuration

• Type—Click the IPv4 or IPv6 radio button depending on the type of static route that you are adding.
• Interface—Choose the egress interface; typically the outside interface.
• Available Network—Choose any-ipv4 for an IPv4 default route, or any-ipv6 for an IPv6 default route,
and click Add to move it to the Selected Network list.
• Gateway or IPv6 Gateway—Enter or choose the gateway router that is the next hop for this route. You
can provide an IP address or a Networks/Hosts object.
• Metric—Enter the number of hops to the destination network. Valid values range from 1 to 255; the
default value is 1.

Step 4 Click OK.


The route is added to the static route table.

Step 5 Click Save.


Configure NAT
A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT
rule is called interface Port Address Translation (PAT).

Procedure

Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Figure 22: New Policy

The policy is added to the management center. You still have to add rules to the policy.


Figure 23: NAT Policy

Step 3 Click Add Rule.


The Add NAT Rule dialog box appears.

Step 4 Configure the basic rule options:


Figure 24: Basic Rule Options

• NAT Rule—Choose Auto NAT Rule.


• Type—Choose Dynamic.

Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the
Destination Interface Objects area.


Figure 25: Interface Objects

Step 6 On the Translation page, configure the following options:


Figure 26: Translation

• Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).


Figure 27: New Network Object

Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part
of the object definition, and you cannot edit system-defined objects.

• Translated Source—Choose Destination Interface IP.

Step 7 Click Save to add the rule.


The rule is saved to the Rules table.

Step 8 Click Save on the NAT page to save your changes.
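To make concrete what the Auto NAT rule above does to traffic, here is a small model of interface PAT, added as an illustration and not code from the guide or from the threat defense. The sequential port counter is an assumption made for readability, not the device's own allocation algorithm; the inside addresses and the outside address 203.0.113.2 are constructed samples (203.0.113.0/24 is a documentation range). The rule fields map directly: `original_source` is the 0.0.0.0/0 network object, `dest_zone` is the Destination Interface Object, and `outside_ip` stands for Destination Interface IP.

```python
# Added example (not code from the guide or from threat defense): a minimal
# model of the Auto NAT interface PAT rule configured above. Port allocation is
# a plain counter, an assumption for illustration only. Addresses are
# constructed samples (203.0.113.0/24 is a documentation range).
import ipaddress


class InterfacePAT:
    """Dynamic PAT: many inside sources share the egress interface address."""

    def __init__(self, original_source, dest_zone, outside_ip, first_port=1024):
        self.original_source = ipaddress.ip_network(original_source)  # e.g. 0.0.0.0/0
        self.dest_zone = dest_zone      # Destination Interface Objects, e.g. outside_zone
        self.outside_ip = outside_ip    # Translated Source: Destination Interface IP
        self.next_port = first_port     # assumption: ports handed out sequentially
        self.xlate = {}                 # (src_ip, src_port, proto) -> translated port
        self.reverse = {}               # (translated port, proto) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, egress_zone, proto="tcp"):
        """Translate a new or existing outbound flow.

        Returns (ip, port) as seen leaving the device. If the rule does not
        match (wrong egress zone, or source not in the object), the packet
        leaves untranslated.
        """
        if egress_zone != self.dest_zone or \
                ipaddress.ip_address(src_ip) not in self.original_source:
            return src_ip, src_port
        key = (src_ip, src_port, proto)
        if key not in self.xlate:
            if self.next_port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.xlate[key] = port
            self.reverse[(port, proto)] = (src_ip, src_port)
        return self.outside_ip, self.xlate[key]

    def inbound(self, dst_port, proto="tcp"):
        """Map a reply addressed to the outside interface back to the inside
        host, or return None when no translation exists (unsolicited traffic)."""
        return self.reverse.get((dst_port, proto))


if __name__ == "__main__":
    pat = InterfacePAT("0.0.0.0/0", "outside_zone", "203.0.113.2")
    # Two inside hosts using the same source port get distinct outside ports.
    print(pat.outbound("192.168.1.10", 51000, "outside_zone"))
    print(pat.outbound("192.168.1.11", 51000, "outside_zone"))
    # The reply to the second flow is mapped back to 192.168.1.11:51000.
    print(pat.inbound(1025))
    # Nothing maps an unsolicited inbound connection to an inside host.
    print(pat.inbound(4000))
```

The last call shows why interface PAT alone leaves inside hosts unreachable from outside: a packet arriving on the outside address has no matching translation and, on the device, is dropped before any access rule is consulted. The model evaluates only the NAT rule; the access control policy from Allow Traffic from Inside to Outside is a separate decision.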

Allow Traffic from Inside to Outside


If you created a basic Block all traffic access control policy when you registered the threat defense, then you
need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to
allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing
traffic to the appropriate networks.

Procedure

Step 1 Choose Policy > Access Policy > Access Policy, and click Edit ( ) for the access control policy assigned
to the threat defense.
Step 2 Click Add Rule, and set the following parameters:


Figure 28: Add Rule

• Name—Name this rule, for example, inside-to-outside.


• Selected Sources—Select the inside zone from Zones, and click Add Source Zone.
• Selected Destinations and Applications—Select the outside zone from Zones, and click Add Destination
Zone.

Leave the other settings as is.

Step 3 Click Apply.


The rule is added to the Rules table.

Step 4 Click Save.
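The zone model from Configure Interfaces (each interface in exactly one security zone, policy written in terms of zones) and the Block all traffic policy with a single inside-to-outside rule from this procedure fit together as follows. This is an added illustration, not code from the guide or from the threat defense; the interface names Ethernet1/1 and Ethernet1/2 are assumptions chosen for the example, while the zone and rule names are the ones used in the procedures.

```python
# Added example (not code from the guide or from threat defense): a small model
# of zone-based access control. Interface names are assumptions for the
# example; zone and rule names follow the procedures in this guide.
from dataclasses import dataclass


class ZoneMap:
    """Interface-to-zone assignment. An interface may belong to only one zone."""

    def __init__(self):
        self._zone_of = {}

    def assign(self, interface, zone):
        current = self._zone_of.get(interface)
        if current is not None and current != zone:
            raise ValueError(f"{interface} already belongs to {current}")
        self._zone_of[interface] = zone

    def zone(self, interface):
        # None for an unassigned interface: it matches no zone-based rule.
        return self._zone_of.get(interface)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "block"


class AccessControlPolicy:
    """Rules are evaluated top-down; the default action applies if none match."""

    def __init__(self, default_action="block"):
        self.default_action = default_action  # "Block all traffic" policy
        self.rules = []

    def add_rule(self, rule):
        self.rules.append(rule)

    def evaluate(self, zones, ingress_if, egress_if):
        """Return (action, rule name) for a new connection entering on
        ingress_if and leaving on egress_if."""
        src, dst = zones.zone(ingress_if), zones.zone(egress_if)
        for rule in self.rules:
            if rule.src_zone == src and rule.dst_zone == dst:
                return rule.action, rule.name
        return self.default_action, "default action"


def build_example():
    """The configuration this guide walks through: two zones, one allow rule."""
    zones = ZoneMap()
    zones.assign("Ethernet1/1", "outside_zone")  # assumption: interface names
    zones.assign("Ethernet1/2", "inside_zone")
    policy = AccessControlPolicy(default_action="block")
    policy.add_rule(Rule("inside-to-outside", "inside_zone", "outside_zone", "allow"))
    return zones, policy


if __name__ == "__main__":
    zones, policy = build_example()
    print("inside -> outside:", policy.evaluate(zones, "Ethernet1/2", "Ethernet1/1"))
    print("outside -> inside:", policy.evaluate(zones, "Ethernet1/1", "Ethernet1/2"))
```

The model decides only on the first packet of a connection; a stateful firewall then admits the return traffic of an allowed connection without a second rule, which is why the procedure needs no outside-to-inside rule for replies. An interface with no zone never matches the allow rule and falls through to the block default, which is the behaviour to expect if you forget to assign a zone in Configure Interfaces.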

Deploy the Configuration


Deploy the configuration changes to the threat defense; none of your changes are active on the device until
you deploy them.

Procedure

Step 1 Click Deploy in the upper right.


Figure 29: Deploy

Step 2 For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all
devices. Otherwise, for additional deployment options, click Advanced Deploy.


Figure 30: Deploy All

Figure 31: Advanced Deploy

Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see
status for deployments.
Figure 32: Deployment Status


Access the Threat Defense and FXOS CLI


Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot
configure policies through a CLI session. You can access the CLI by connecting to the console port.
You can also access the FXOS CLI for troubleshooting purposes.

Note You can alternatively SSH to the Management interface of the threat defense device. Unlike a console session,
the SSH session defaults to the threat defense CLI, from which you can connect to the FXOS CLI using the
connect fxos command. You can later connect to the address on a data interface if you open the interface for
SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port
access, which defaults to the FXOS CLI.

Procedure

Step 1 To log into the CLI, connect your management computer to the console port. The Secure Firewall 4200 does
not ship with a console cable by default, so you will need to buy a third-party USB-to-RJ-45 serial cable, for
example. Be sure to install any necessary USB serial drivers for your operating system. The console port
defaults to the FXOS CLI. Use the following serial settings:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit

You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at
initial setup (the default is Admin123).
Example:

firepower login: admin


Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1

firepower#

Step 2 Access the threat defense CLI.


connect ftd
Example:

firepower# connect ftd


>


After logging in, for information on the commands available in the CLI, enter help or ?. For usage information,
see Cisco Secure Firewall Threat Defense Command Reference.

Step 3 To exit the threat defense CLI, enter the exit or logout command.
This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS
CLI, enter ?.
Example:

> exit
firepower#

Power Off the Firewall


It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your firewall system.
You can power off the device using the management center device management page, or you can use the
FXOS CLI.

Power Off the Firewall Using the Management Center


It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your firewall.
You can shut down your system properly using the management center.

Procedure

Step 1 Choose Devices > Device Management.


Step 2 Next to the device that you want to shut down, click Edit ( ).
Step 3 Click the Device tab.
Step 4 Click Shut Down Device ( ) in the System section.
Step 5 When prompted, confirm that you want to shut down the device.
Step 6 If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You
will see the following prompt:

System is stopped.
It is safe to power off now.

Do you want to reboot instead? [y/N]


If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.

Step 7 You can now turn off the power switch and unplug the power to physically remove power from the chassis
if necessary.

Power Off the Firewall at the CLI


You can use the FXOS CLI to safely shut down the system and power off the device. You access the CLI by
connecting to the console port; see Access the Threat Defense and FXOS CLI, on page 39.

Procedure

Step 1 In the FXOS CLI, connect to local-mgmt:


firepower # connect local-mgmt

Step 2 Issue the shutdown command:


firepower(local-mgmt) # shutdown
Example:
firepower(local-mgmt)# shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': yes
INIT: Stopping Cisco Threat Defense......ok

Step 3 Monitor the system prompts as the firewall shuts down. You will see the following prompt:

System is stopped.
It is safe to power off now.
Do you want to reboot instead? [y/N]

Step 4 You can now turn off the power switch and unplug the power to physically remove power from the chassis
if necessary.

What's Next?
To continue configuring your threat defense, see the documents available for your software version at Navigating
the Cisco Secure Firewall Threat Defense Documentation.
For information related to using the management center, see the Cisco Secure Firewall Management Center
Device Configuration Guide.

CHAPTER 3
Threat Defense Deployment with a Remote Management Center
Is This Chapter for You?
To see all available applications and managers, see Which Application and Manager is Right for You?, on
page 1. This chapter applies to the threat defense with the management center.
This chapter explains how to manage the threat defense with a management center located at a central
headquarters. For local deployment, where the management center resides on your local management network,
see Threat Defense Deployment with the Management Center, on page 5.
About the Firewall
The hardware can run either threat defense software or ASA software. Switching between threat defense and
ASA requires you to reimage the device. You should also reimage if you need a different software version
than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage
Guide.
The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System
(FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is
supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower
1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.
Privacy Collection Statement—The firewall does not require or actively collect personally identifiable
information. However, you can use personally identifiable information in the configuration, for example for
usernames. In this case, an administrator might be able to see this information when working with the
configuration or when using SNMP.
• How Remote Management Works, on page 44
• Before You Start, on page 46
• End-to-End Tasks, on page 46
• Central Administrator Pre-Configuration, on page 48
• Branch Office Installation, on page 55
• Central Administrator Post-Configuration, on page 56


How Remote Management Works


To allow the management center to manage the threat defense over the internet, use the outside interface for
management center manager access instead of the Management interface. Because most remote branch offices
only have a single internet connection, outside manager access makes centralized management possible.

Note The management connection is a secure, TLS-1.3-encrypted communication channel between the management
center and the device. You do not need to run this traffic over an additional encrypted tunnel such as Site-to-Site
VPN for security purposes. If the VPN goes down, for example, you will lose your management connection, so
we recommend a simple management path.

1. Pre-configure the threat defense at the CLI, and then send the threat defense to the remote branch office.
2. At the branch office, cable and power on the threat defense.
3. Finish registering the threat defense using the management center.

Threat Defense Manager Access Interface


This guide covers outside interface access because it is the most likely scenario for remote branch offices.
Although manager access occurs on the outside interface, the dedicated Management interface is still relevant.
The Management interface is a special interface configured separately from the threat defense data interfaces,
and it has its own network settings.
• The Management interface network settings are still used even though you are enabling manager access
on a data interface.
• All management traffic continues to be sourced from or destined to the Management interface.
• When you enable manager access on a data interface, the threat defense forwards incoming management
traffic over the backplane to the Management interface.
• For outgoing management traffic, the Management interface forwards the traffic over the backplane to
the data interface.

Manager Access Requirements


Manager access from a data interface has the following limitations:
• You can only enable manager access on a physical, data interface. You cannot use a subinterface or
EtherChannel. You can also use the management center to enable manager access on a single secondary
interface for redundancy.
• This interface cannot be management-only.
• Routed firewall mode only, using a routed interface.
• PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support
between the threat defense and the WAN modem.
• The interface must be in the global VRF only.


• SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the
management center. Because the Management interface gateway will be changed to be the data interfaces,
you also cannot SSH to the Management interface from a remote network unless you add a static route
for the Management interface using the configure network static-routes command.
• You cannot use separate management and event-only interfaces.
• Clustering is not supported. You must use the Management interface in this case.

High Availability Requirements


When using a data interface with device high availability, see the following requirements.
• Use the same data interface on both devices for manager access.
• Redundant manager access data interface is not supported.
• You cannot use DHCP; only a static IP address is supported. Features that rely on DHCP cannot be used,
including DDNS and zero-touch provisioning.
• Have different static IP addresses in the same subnet.
• Use either IPv4 or IPv6; you cannot set both.
• Use the same manager configuration (configure manager add command) to ensure that the connectivity
is the same.
• You cannot use the data interface as the failover or state link.

Remote Branch Network


The following figure shows a typical network deployment for the firewall where:
• The management center is at central headquarters.
• The threat defense uses the outside interface for manager access.
• Either the threat defense or management center needs a public IP address or hostname to allow the
inbound management connection; you need to know this IP address for initial setup. You can also
optionally configure Dynamic DNS (DDNS) for the outside interface to accommodate changing DHCP
IP assignments.


Figure 33:

Before You Start


Deploy and perform initial configuration of the management center. See the getting started guide for your
model.

End-to-End Tasks
See the following tasks to deploy the threat defense with the management center.


Figure 34: End-to-End Tasks

• CLI (Central admin):
  • (Optional) Check the Software and Install a New Version, on page 48
  • Pre-Configuration Using the CLI, on page 50
• Physical Setup (Branch admin): Install the firewall. See the hardware installation guide.
• Physical Setup (Branch admin): Cable the Firewall, on page 55.
• Physical Setup (Branch admin): Power on the Firewall, on page 56.
• Management Center (Central admin): Log Into the Management Center, on page 18.
• Cisco Commerce Workspace (Central admin): Buy a Base license and optional feature licenses (Obtain
Licenses for the Management Center, on page 57).
• Smart Software Manager (Central admin): Generate a license token for the management center (Obtain
Licenses for the Management Center, on page 57).
• Management Center (Central admin): Register the management center with the Smart Licensing server
(Obtain Licenses for the Management Center, on page 57).
• Management Center (Central admin): Add a Device to the Management Center, on page 59.
• Management Center (Central admin): Configure a Basic Security Policy, on page 62.

Central Administrator Pre-Configuration


You might need to manually pre-configure the threat defense before you send it to the branch office.

(Optional) Check the Software and Install a New Version


To check the software version and, if necessary, install a different version, perform these steps. We recommend
that you install your target version before you configure the firewall. Alternatively, you can perform an upgrade
after you are up and running, but upgrading, which preserves your configuration, may take longer than using
this procedure.
What Version Should I Run?
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the
software download page. You can also refer to the release strategy described in https://www.cisco.com/c/en/
us/products/collateral/security/firewalls/bulletin-c25-743178.html; for example, this bulletin describes short-term
release numbering (with the latest features), long-term release numbering (maintenance releases and patches
for a longer period of time), or extra long-term release numbering (maintenance releases and patches for the
longest period of time, for government certification).

Procedure

Step 1 Connect to the console port. See Access the Threat Defense and FXOS CLI, on page 75 for more information.
Log in with the admin user and the default password, Admin123.
You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This
password is also used for the threat defense login for SSH.


Note If the password was already changed, and you do not know it, you must perform a factory reset to
reset the password to the default. See the FXOS troubleshooting guide for the factory reset procedure.

Example:

firepower login: admin


Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.


Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 2 At the FXOS CLI, show the running version.


scope ssa
show app-instance
Example:

Firepower# scope ssa


Firepower /ssa # show app-instance

Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               7.6.0.65        7.6.0.65        Not Applicable

Step 3 If you want to install a new version, perform these steps.


a) If you need to set a static IP address for the Management interface, see Pre-Configuration Using the CLI,
on page 50. By default, the Management interface uses DHCP.
You will need to download the new image from a server accessible from the Management interface.
b) Perform the reimage procedure in the FXOS troubleshooting guide.
After the firewall reboots, you connect to the FXOS CLI again.
c) At the FXOS CLI, you are prompted to set the admin password again.
For zero-touch provisioning, when you onboard the device, for the Password Reset area, be sure to choose
No... because you already set the password.
d) Shut down the device. See Power Off the Firewall at the CLI, on page 77.


Pre-Configuration Using the CLI


Set the Management IP address, gateway, and other basic networking settings using the setup wizard.

Procedure

Step 1 Power on the firewall.


Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.

Step 2 Connect to the threat defense CLI on the console port.


The console port connects to the FXOS CLI.

Step 3 Log in with the username admin and the password Admin123.
The first time you log in to the FXOS, you are prompted to change the password. This password is also used
for the threat defense login for SSH.
Note If the password was already changed, and you do not know it, then you must reimage the device to
reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.

Example:

firepower login: admin


Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.


Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 4 Connect to the threat defense CLI.


connect ftd
Example:

firepower# connect ftd


>

Step 5 The first time you log in to the threat defense, you are prompted to accept the End User License Agreement
(EULA) and, if using an SSH connection, to change the admin password. You are then presented with the
CLI setup script for the Management interface settings.
The Management interface settings are used even though you are enabling manager access on a data interface.

Note You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging.
However, all of these settings can be changed later at the CLI using configure network commands.
See Cisco Secure Firewall Threat Defense Command Reference.

Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
See the following guidelines:
• Do you want to configure IPv4? and/or Do you want to configure IPv6?—Enter y for at least one of
these types of addresses. Although you do not plan to use the Management interface, you must set an IP
address, for example, a private address.
• Configure IPv4 via DHCP or manually? and/or Configure IPv6 via DHCP, router, or
manually?—Choose manual. You cannot configure a data interface for management if the management
interface is set to DHCP, because the default route, which must be data-interfaces (see the next bullet),
might be overwritten with one received from the DHCP server.
• Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for
the management interface—Set the gateway to be data-interfaces. This setting forwards management
traffic over the backplane so it can be routed through the manager access data interface.
• Configure firewall mode?—Enter routed. Outside manager access is only supported in routed firewall
mode.

Example:

You must accept the EULA to continue.


Press <ENTER> to display the EULA:
End User License Agreement
[...]

Please enter 'YES' or press <ENTER> to AGREE to the EULA:

System initialization in progress. Please stand by.


You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.61]: 10.89.5.17
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none'
[208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35
Setting DNS domains:cisco.com
Setting hostname as 1010-3
Setting static IPv4: 10.89.5.17 netmask: 255.255.255.192 gateway: data on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

DHCP server is already disabled


DHCP Server Disabled

Configure firewall mode? (routed/transparent) [routed]:


Configuring firewall mode ...

Device is in OffBox mode - disabling/removing port 443 from iptables.


Update policy deployment information
- add device configuration
- add network discovery
- add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique


alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>

Step 6 Configure the outside interface for manager access.


configure network management-data-interface
You are then prompted to configure basic network settings for the outside interface. See the following details
for using this command:
• The Management interface cannot use DHCP if you want to use a data interface for management. If you
did not set the IP address manually during initial setup, you can set it beforehand using the configure
network {ipv4 | ipv6} manual command. If you did not already set the Management interface gateway
to data-interfaces, this command will set it now.
• When you add the threat defense to the management center, the management center discovers and
maintains the interface configuration, including the following settings: interface name and IP address,
static route to the gateway, DNS servers, and DDNS server. For more information about the DNS server
configuration, see below. In the management center, you can later make changes to the manager access
interface configuration, but make sure you don't make changes that can prevent the threat defense or the
management center from re-establishing the management connection. If the management connection is
disrupted, the threat defense includes the configure policy rollback command to restore the previous
deployment.
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all
of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the
DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that
uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
• This command sets the data interface DNS server. The Management DNS server that you set with the
setup script (or using the configure network dns servers command) is used for management traffic.
The data DNS server is used for DDNS (if configured) or for security policies applied to this interface.

On the management center, the data interface DNS servers are configured in the Platform Settings policy
that you assign to this threat defense. When you add the threat defense to the management center, the
local setting is maintained, and the DNS servers are not added to a Platform Settings policy. However,
if you later assign a Platform Settings policy to the threat defense that includes a DNS configuration,
then that configuration will overwrite the local setting. We suggest that you actively configure the DNS
Platform Settings to match this setting to bring the management center and the threat defense into sync.
Also, local DNS servers are only retained by the management center if the DNS servers were discovered
at initial registration. For example, if you registered the device using the Management interface, but then
later configure a data interface using the configure network management-data-interface command,
then you must manually configure all of these settings in the management center, including the DNS
servers, to match the threat defense configuration.
• You can change the management interface after you register the threat defense to the management center,
to either the Management interface or another data interface.
• The FQDN that you set in the setup wizard will be used for this interface.
• You can clear the entire device configuration as part of the command; you might use this option in a
recovery scenario, but we do not suggest you use it for initial setup or normal operation.
• To disable data management, enter the configure network management-data-interface disable
command.

Example:

> configure network management-data-interface


Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:
DDNS server update URL [none]:
https://dwinchester:[email protected]/nic/update?hostname=<h>&myip=<a>
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow manager access from any network, if you wish to
change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.


Network settings changed.

>

Example:

> configure network management-data-interface


Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow manager access from any network, if you wish to
change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.


Network settings changed.

>

Step 7 (Optional) Limit data interface access to the management center on a specific network.
configure network management-data-interface client ip_address netmask
By default, all networks are allowed.

Step 8 Identify the management center that will manage this threat defense.
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]
• {hostname | IPv4_address | IPv6_address | DONTRESOLVE}—Specifies either the FQDN or IP address
of the management center. If the management center is not directly addressable, use DONTRESOLVE.
At least one of the devices, either the management center or the threat defense, must have a reachable
IP address to establish the two-way, SSL-encrypted communication channel between the two devices.
If you specify DONTRESOLVE in this command, then the threat defense must have a reachable IP
address or hostname.
• reg_key—Specifies a one-time registration key of your choice that you will also specify on the management
center when you register the threat defense. The registration key must not exceed 37 characters. Valid
characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).
• nat_id—Specifies a unique, one-time string of your choice that you will also specify on the management
center. When you use a data interface for management, then you must specify the NAT ID on both the
threat defense and the management center for registration. The NAT ID must not exceed 37 characters.
Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot
be used for any other devices registering to the management center.

Example:

> configure manager add fmc-1.example.com regk3y78 natid56


Manager successfully configured.

Step 9 Shut down the threat defense so you can send the device to the remote branch office.
It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your system.
a) Enter the shutdown command.
b) Observe the Power LED and Status LED to verify that the chassis is powered off (both LEDs appear unlit).
c) After the chassis has successfully powered off, you can then unplug the power to physically remove power
from the chassis if necessary.
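The setup-wizard and configure manager add constraints in Steps 5 through 8 are easy to get wrong on a console session that cannot be repeated. The following pre-flight checker is an added example (not Cisco's code) that encodes those stated constraints; the settings dictionary shape, its keys and the sample values are assumptions of this example.

```python
"""Pre-flight checks for the remote-branch CLI pre-configuration.

Added example, not Cisco's code: it applies the constraints this guide states
for the setup wizard answers and for 'configure manager add' so they can be
validated before the values are typed at the console. The settings dict, its
keys and the sample values are assumptions of this example.
"""
import ipaddress
import re

# Registration key and NAT ID: at most 37 characters from A-Z, a-z, 0-9 and '-'.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9-]{1,37}$")


def check_setup_wizard(settings):
    """Check wizard answers for a deployment using a data interface for manager access.

    Assumed settings shape:
      {"ipv4": {"mode": "manual", "address": "10.89.5.17",
                "netmask": "255.255.255.192", "gateway": "data-interfaces"},
       "ipv6": None, "firewall_mode": "routed"}
    """
    problems = []
    ipv4, ipv6 = settings.get("ipv4"), settings.get("ipv6")
    if not ipv4 and not ipv6:
        problems.append("configure IPv4 and/or IPv6: the Management interface needs an address "
                        "(a private one is fine) even though it will not carry manager traffic")
    for family, cfg in (("IPv4", ipv4), ("IPv6", ipv6)):
        if not cfg:
            continue
        if cfg.get("mode") != "manual":
            problems.append(f"{family}: choose manual; with DHCP the default route from the "
                            "DHCP server can overwrite the required data-interfaces route")
        if cfg.get("gateway") != "data-interfaces":
            problems.append(f"{family}: gateway must be data-interfaces so management traffic "
                            "is routed over the manager access data interface")
        if cfg.get("mode") == "manual" and "address" in cfg:
            try:
                ipaddress.ip_interface(f"{cfg['address']}/{cfg.get('netmask', '')}")
            except ValueError as exc:
                problems.append(f"{family}: bad address/netmask: {exc}")
    if settings.get("firewall_mode") != "routed":
        problems.append("firewall mode must be routed: outside manager access is only "
                        "supported in routed mode")
    return problems


def _looks_like_host(host):
    """True for an IPv4/IPv6 address or a plausible FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        label = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
        return re.fullmatch(rf"{label}(?:\.{label})*", host) is not None


def check_manager_add(host, reg_key, nat_id=None, manager_access_on_data_interface=True):
    """Check 'configure manager add {hostname | IPv4 | IPv6 | DONTRESOLVE} reg_key [nat_id]'."""
    problems = []
    if not _TOKEN_RE.match(reg_key):
        problems.append("reg_key: 1-37 characters from A-Z, a-z, 0-9 and '-'")
    if nat_id is not None and not _TOKEN_RE.match(nat_id):
        problems.append("nat_id: 1-37 characters from A-Z, a-z, 0-9 and '-'")
    if nat_id is None:
        if host == "DONTRESOLVE":
            problems.append("DONTRESOLVE requires a NAT ID, and the threat defense itself "
                            "must then be reachable from the management center")
        elif manager_access_on_data_interface:
            problems.append("nat_id is required on both devices when a data interface "
                            "is used for management")
    if host != "DONTRESOLVE" and not _looks_like_host(host):
        problems.append(f"host {host!r}: expected an FQDN or an IPv4/IPv6 address")
    return problems


def manager_add_command(host, reg_key, nat_id=None):
    """Build the CLI line once the checks pass; raise ValueError listing the problems otherwise."""
    problems = check_manager_add(host, reg_key, nat_id)
    if problems:
        raise ValueError("; ".join(problems))
    return " ".join(["configure manager add", host, reg_key] + ([nat_id] if nat_id else []))


if __name__ == "__main__":
    # Values from this guide's own examples.
    wizard = {"ipv4": {"mode": "manual", "address": "10.89.5.17",
                       "netmask": "255.255.255.192", "gateway": "data-interfaces"},
              "ipv6": None, "firewall_mode": "routed"}
    print(check_setup_wizard(wizard) or "setup wizard answers OK")
    print(manager_add_command("fmc-1.example.com", "regk3y78", "natid56"))
```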

Branch Office Installation


After you receive the threat defense from central headquarters, you only need to cable and power on the
firewall so that it has internet access from the outside interface. The central administrator can then complete
the configuration.

Cable the Firewall


The management center and your management computer reside at a remote headquarters and can reach the
threat defense over the internet. To cable the Secure Firewall 4200, see the following steps.
Figure 35: Cabling a Remote Management Deployment

Before you begin


• Install SFPs into the data interface ports—The built-in ports are 1/10/25-Gb SFP ports that require SFP
modules.
• (Optional) Obtain a console cable—The firewall does not ship with a console cable by default, so you
will need to buy a third-party USB-to-RJ-45 serial cable, for example.

Procedure

Step 1 Install the chassis. See the hardware installation guide.


Step 2 Connect the outside interface (for example, Ethernet 1/1) to your outside router.
Step 3 Connect the inside interface (for example, Ethernet 1/2) to your inside switch or router.
Step 4 Connect other networks to the remaining interfaces.
Step 5 (Optional) Connect the management computer to the console port.
At the branch office, the console connection is not required for everyday use; however, it may be required
for troubleshooting purposes.

Power on the Firewall


System power is controlled by a rocker power switch located on the rear of the firewall. The power switch is
implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk of
system software and data corruption.

Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.

Before you begin


It's important that you provide reliable power for your firewall (for example, using an uninterruptable power
supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are
many processes running in the background all the time, and losing power does not allow the graceful shutdown
of your system.

Procedure

Step 1 Attach the power cord to the firewall, and connect it to an electrical outlet.
Step 2 Turn the power on using the standard rocker-type power on/off switch located on the rear of the chassis,
adjacent to the power cord.
Step 3 Check the Power LED on the back of the firewall; if it is solid green, the firewall is powered on.
Figure 36: System and Power LEDs

Step 4 Check the System LED on the back of the firewall; after it is solid green, the system has passed power-on
diagnostics.
Note When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually
power off. During this time, the Power LED on the front of the chassis blinks green. Do not remove
the power until the Power LED is completely off.

Central Administrator Post-Configuration


After the remote branch administrator cables the threat defense so it has internet access from the outside
interface, you can register the threat defense to the management center and complete configuration of the
device.

Log Into the Management Center


Use the management center to configure and monitor the threat defense.

Procedure

Step 1 Using a supported browser, enter the following URL.


https://fmc_ip_address

Step 2 Enter your username and password.


Step 3 Click Log In.

Obtain Licenses for the Management Center


All licenses are supplied to the threat defense by the management center. You can optionally purchase the
following feature licenses:
• Essentials—(Required) Essentials license.
• IPS—Security Intelligence and Next-Generation IPS
• Malware Defense—Malware defense
• URL Filtering—URL Filtering
• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
• Carrier—Diameter, GTP/GPRS, M3UA, SCTP

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide

Before you begin


• Have an account on the Smart Software Manager.
If you do not yet have an account, click the link to set up a new account. The Smart Software Manager
lets you create an account for your organization.
• Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to
use some features (enabled using the export-compliance flag).

Procedure

Step 1 Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart
Software License account. However, if you need to add licenses yourself, use the Search All field on the
Cisco Commerce Workspace.

Figure 37: License Search

Choose Products & Services from the results.


Figure 38: Results

Search for the following license PIDs:


Note If a PID is not found, you can add the PID manually to your order.

• Essentials license:
• L-FPR4215-BSE=
• L-FPR4225-BSE=
• L-FPR4245-BSE=

• IPS, Malware Defense, and URL license combination:


• L-FPR4215T-TMC=
• L-FPR4225T-TMC=
• L-FPR4245T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR4215T-TMC-1Y
• L-FPR4215T-TMC-3Y
• L-FPR4215T-TMC-5Y
• L-FPR4225T-TMC-1Y
• L-FPR4225T-TMC-3Y
• L-FPR4225T-TMC-5Y
• L-FPR4245T-TMC-1Y
• L-FPR4245T-TMC-3Y

• L-FPR4245T-TMC-5Y

• Carrier license:
• L-FPR4200-FTD-CAR=

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Step 2 If you have not already done so, register the management center with the Smart Software Manager.
Registering requires you to generate a registration token in the Smart Software Manager. See the management
center configuration guide for detailed instructions.

Add a Device to the Management Center


Register the threat defense to the management center.

Procedure

Step 1 In the management center, choose Devices > Device Management.


Step 2 From the Add drop-down list, choose Add Device.
The Registration Key method is selected by default.

Figure 39: Add Device Using a Registration Key

Set the following parameters:


• Host—Enter the IP address or hostname of the threat defense you want to add. You can leave this field
blank if you specified both the management center IP address and a NAT ID in the threat defense initial
configuration.

Note In an HA environment, when both the management centers are behind a NAT, you can register
the threat defense without a host IP or name in the primary management center. However, for
registering the threat defense in a secondary management center, you must provide the IP address
or hostname for the threat defense.

• Display Name—Enter the name for the threat defense as you want it to display in the management center.
• Registration Key—Enter the same registration key that you specified in the threat defense initial
configuration.
• Domain—Assign the device to a leaf domain if you have a multidomain environment.
• Group—Assign it to a device group if you are using groups.
• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you
know you need to use, choose Create new policy, and choose Block all traffic. You can change this
later to allow traffic; see Allow Traffic from Inside to Outside, on page 36.
Figure 40: New Policy

• Smart Licensing—Assign the Smart Licenses you need for the features you want to deploy. Note: You
can apply the Secure Client remote access VPN license after you add the device, from the System >
Licenses > Smart Licenses page.
• Unique NAT ID—Specify the NAT ID that you specified in the threat defense initial configuration.
• Transfer Packets—Allow the device to transfer packets to the management center. When events like
IPS or Snort are triggered with this option enabled, the device sends event metadata information and
packet data to the management center for inspection. If you disable it, only event information will be
sent to the management center, but packet data is not sent.

Step 3 Click Register, and confirm a successful registration.

If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat
defense fails to register, check the following items:
• Ping—Access the threat defense CLI, and ping the management center IP address using the following
command:
ping system ip_address
If the ping is not successful, check your network settings using the show network command. If you need
to change the threat defense Management IP address, use the configure network
management-data-interface command.
• Registration key, NAT ID, and management center IP address—Make sure you are using the same
registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on
the threat defense using the configure manager add command.

For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.

Configure a Basic Security Policy


This section describes how to configure a basic security policy with the following settings:
• Inside and outside interfaces—Assign a static IP address to the inside interface. You configured basic
settings for the outside interface as part of the manager access setup, but you still need to assign it to a
security zone.
• DHCP server—Use a DHCP server on the inside interface for clients.
• NAT—Use interface PAT on the outside interface.
• Access control—Allow traffic from inside to outside.
• SSH—Enable SSH on the manager access interface.

Configure Interfaces
Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Also configure
breakout interfaces.
The following example configures a routed mode inside interface with a static address and a routed mode
outside interface using DHCP.

Procedure

Step 1 Choose Devices > Device Management, and click Edit ( ) for the firewall.
Step 2 Click Interfaces.

Figure 41: Interfaces

Step 3 To create 4 x 10-Gb breakout interfaces from a 40-Gb interface (available on some models), click the breakout
icon for the interface.
If you already used the 40-Gb interface in your configuration, you will have to remove the configuration
before you can proceed with the breakout.

Step 4 Click Edit ( ) for the interface that you want to use for inside.
The General tab appears.

Figure 42: General Tab

a) Enter a Name up to 48 characters in length.


For example, name the interface inside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by
clicking New.
For example, add a zone called inside_zone. Each interface must be assigned to a security zone and/or
interface group. An interface can belong to only one security zone, but can also belong to multiple interface
groups. You apply your security policy based on zones or groups. For example, you can assign the inside
interface to the inside zone; and the outside interface to the outside zone. Then you can configure your
access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most
policies only support security zones; you can use zones or interface groups in NAT policies, prefilter
policies, and QoS policies.
e) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in
slash notation.
For example, enter 192.168.1.1/24

Figure 43: IPv4 Tab

• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.


Figure 44: IPv6 Tab

f) Click OK.

Step 5 Click Edit ( ) for the interface that you want to use for outside.
The General tab appears.

Figure 45: General Tab

You already pre-configured this interface for manager access, so the interface will already be named, enabled,
and addressed. You should not alter any of these basic settings because doing so will disrupt the management
center management connection. You must still configure the Security Zone on this screen for through traffic
policies.
a) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by
clicking New.
For example, add a zone called outside_zone.
b) Click OK.
Step 6 Click Save.

Configure the DHCP Server


Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.

Procedure

Step 1 Choose Devices > Device Management, and click Edit ( ) for the device.
Step 2 Choose DHCP > DHCP Server.
Figure 46: DHCP Server

Step 3 On the Server page, click Add, and configure the following options:
Figure 47: Add Server

• Interface—Choose the interface from the drop-down list.


• Address Pool—Set the range of IP addresses from lowest to highest that are used by the DHCP server.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the
IP address of the interface itself.
• Enable DHCP Server—Enable the DHCP server on the selected interface.

Step 4 Click OK.

Step 5 Click Save.
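The inside interface address in slash notation (Configure Interfaces, Step 4) and the DHCP address pool (Step 3 above) are entered by hand in the management center, and a pool that overlaps the interface address or leaves its subnet is only reported at deployment time. This checker is an added example (not Cisco's code) that applies the rules stated in those two steps; all addresses in it are constructed sample values.

```python
"""Checks for the inside interface address and its DHCP pool.

Added example, not Cisco's code. It applies the rules this guide states: the
interface address is given in slash notation (for example 192.168.1.1/24), and
the DHCP pool is given lowest to highest, must be on the interface subnet, and
must not include the interface's own address. Sample addresses are constructed.
"""
import ipaddress


def parse_interface_address(cidr):
    """Parse the interface address in slash notation.

    The network and broadcast addresses are rejected because they cannot be
    assigned to an interface (general IPv4 rule, not specific to this guide).
    """
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{cidr}: network/broadcast address cannot be the interface address")
    return iface


def check_dhcp_pool(cidr, pool_low, pool_high):
    """Return a list of problems with the pool pool_low-pool_high on the interface cidr."""
    iface = parse_interface_address(cidr)
    net = iface.network
    low = ipaddress.IPv4Address(pool_low)
    high = ipaddress.IPv4Address(pool_high)
    problems = []
    if low > high:
        problems.append(f"pool {low}-{high}: set the range from lowest to highest")
        low, high = high, low  # keep checking the range that was intended
    for addr in (low, high):
        if addr not in net:
            problems.append(f"{addr} is not on the interface subnet {net}")
    if low <= iface.ip <= high:
        problems.append(f"pool includes the interface address {iface.ip}")
    # General DHCP rule, not stated in the guide: the network and broadcast addresses
    # are never leasable, so a pool must not start or end on them.
    if net.prefixlen < 31 and (low == net.network_address or high == net.broadcast_address):
        problems.append("pool must not include the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Matches the guide's example inside interface with a constructed pool.
    for pool in (("192.168.1.100", "192.168.1.200"), ("192.168.1.1", "192.168.1.50")):
        print(pool, check_dhcp_pool("192.168.1.1/24", *pool) or "OK")
```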

Configure NAT
A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT
rule is called interface Port Address Translation (PAT).

Procedure

Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Figure 48: New Policy

The policy is added to the management center. You still have to add rules to the policy.

Figure 49: NAT Policy

Step 3 Click Add Rule.


The Add NAT Rule dialog box appears.

Step 4 Configure the basic rule options:


Figure 50: Basic Rule Options

• NAT Rule—Choose Auto NAT Rule.


• Type—Choose Dynamic.

Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the
Destination Interface Objects area.

Figure 51: Interface Objects

Step 6 On the Translation page, configure the following options:


Figure 52: Translation

• Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).

Figure 53: New Network Object

Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part
of the object definition, and you cannot edit system-defined objects.

• Translated Source—Choose Destination Interface IP.

Step 7 Click Save to add the rule.


The rule is saved to the Rules table.

Step 8 Click Save on the NAT page to save your changes.

Allow Traffic from Inside to Outside


If you created a basic Block all traffic access control policy when you registered the threat defense, then you
need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to
allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing
traffic to the appropriate networks.

Procedure

Step 1 Choose Policy > Access Policy > Access Policy, and click Edit ( ) for the access control policy assigned
to the threat defense.
Step 2 Click Add Rule, and set the following parameters:

Figure 54: Add Rule

• Name—Name this rule, for example, inside-to-outside.


• Selected Sources—Select the inside zone from Zones, and click Add Source Zone.
• Selected Destinations and Applications—Select the outside zone from Zones, and click Add Destination
Zone.

Leave the other settings as is.

Step 3 Click Apply.


The rule is added to the Rules table.

Step 4 Click Save.

Configure SSH on the Manager Access Data Interface


If you enabled management center access on a data interface, such as outside, you should enable SSH on that
interface using this procedure. This section describes how to enable SSH connections to one or more data
interfaces on the threat defense.

Note SSH is enabled by default on the Management interface; however, this screen does not affect Management
SSH access.

The Management interface is separate from the other interfaces on the device. It is used to set up and register
the device to the management center. SSH for data interfaces shares the internal and external user list with
SSH for the Management interface. Other settings are configured separately: for data interfaces, enable SSH
and access lists using this screen; SSH traffic for data interfaces uses the regular routing configuration, and
not any static routes configured at setup or at the CLI.
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command
in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure
network static-routes command. By default, you configure the default route through the Management interface
at initial setup.
To use SSH, you do not also need an access rule allowing the host IP address. You only need to configure
SSH access according to this section.
You can SSH only to a reachable interface; if your SSH host is located on the outside interface, you can only
initiate a management connection directly to the outside interface.


SSH supports the following ciphers and key exchange:


• Encryption—aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr
• Integrity—hmac-sha2-256
• Key exchange—dh-group14-sha256

Note After you make three consecutive failed attempts to log into the CLI using SSH, the device terminates the
SSH connection.
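Because the device-side algorithm set above is fixed, a hardened management host can fail to connect if its SSH client is restricted to algorithms the device does not offer (for example, curve25519 key exchange only). The following added Python example, which is not part of this guide or Cisco's tooling, applies the standard SSH negotiation rule to the device's lists and to constructed sample client lists, and emits an OpenSSH client stanza limited to what both sides share; the host alias fw-outside is a placeholder.

```python
"""Predict what a management host's SSH client will negotiate with the threat
defense data-interface SSH server, and write a matching OpenSSH client stanza.

Added example, not Cisco code. The server-side lists are the algorithms this
guide states for data-interface SSH; the client lists are constructed samples.
Wire names follow the IANA SSH registry: the guide's "dh-group14-sha256" is
sent on the wire as "diffie-hellman-group14-sha256".
"""
from typing import Dict, List, Optional

AlgoLists = Dict[str, List[str]]

# Algorithm set the guide lists for SSH on data interfaces (wire names).
FTD_SSH: AlgoLists = {
    "ciphers": ["aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "macs": ["hmac-sha2-256"],
    "kex": ["diffie-hellman-group14-sha256"],
}

# Constructed sample: a typical hardened OpenSSH client preference order.
HARDENED_CLIENT: AlgoLists = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "macs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "hmac-sha2-512", "hmac-sha2-256"],
    "kex": ["curve25519-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group14-sha256"],
}

# Constructed sample: a client locked to modern algorithms only.
STRICT_CLIENT: AlgoLists = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "macs": ["hmac-sha2-512-etm@openssh.com"],
    "kex": ["curve25519-sha256", "sntrup761x25519-sha512@openssh.com"],
}

KINDS = ("ciphers", "macs", "kex")


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen algorithm is the first entry in the
    client's list that the server also supports; None means no agreement."""
    supported = set(server)
    for name in client:
        if name in supported:
            return name
    return None


def negotiate_all(client: AlgoLists, server: AlgoLists) -> Dict[str, Optional[str]]:
    """Negotiate cipher, MAC and key exchange independently, as SSH does."""
    return {kind: negotiate(client[kind], server[kind]) for kind in KINDS}


def connection_problems(client: AlgoLists, server: AlgoLists) -> List[str]:
    """Explain why a session would fail, or which weak choice it would make."""
    problems: List[str] = []
    for kind, chosen in negotiate_all(client, server).items():
        if chosen is None:
            problems.append(f"no common {kind}: client offers {client[kind]}, "
                            f"device supports {server[kind]}")
        elif chosen.endswith("-cbc"):
            problems.append(f"negotiated CBC cipher {chosen}; prefer a CTR "
                            "cipher earlier in the client list")
    return problems


def client_stanza(host: str, client: AlgoLists, server: AlgoLists) -> str:
    """Build an OpenSSH ssh_config Host block restricted to the algorithms both
    sides share, keeping the client's preference order and dropping CBC."""
    common: AlgoLists = {}
    for kind in KINDS:
        supported = set(server[kind])
        common[kind] = [a for a in client[kind]
                        if a in supported and not a.endswith("-cbc")]
    missing = [kind for kind in KINDS if not common[kind]]
    if missing:
        raise ValueError(f"client cannot reach device: no common {missing}")
    return "\n".join([
        f"Host {host}",
        f"    Ciphers {','.join(common['ciphers'])}",
        f"    MACs {','.join(common['macs'])}",
        f"    KexAlgorithms {','.join(common['kex'])}",
    ])


if __name__ == "__main__":
    print(negotiate_all(HARDENED_CLIENT, FTD_SSH))
    print(connection_problems(STRICT_CLIENT, FTD_SSH))
    print(client_stanza("fw-outside", HARDENED_CLIENT, FTD_SSH))
```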

Before you begin


• You can configure SSH internal users at the CLI using the configure user add command. By default,
there is an admin user for which you configured the password during initial setup. You can also configure
external users on LDAP or RADIUS by configuring External Authentication in platform settings.
• You need network objects that define the hosts or networks you will allow to make SSH connections to
the device. You can add objects as part of the procedure, but if you want to use object groups to identify
a group of IP addresses, ensure that the groups needed in the rules already exist. Select Objects > Object
Management to configure objects.

Note You cannot use the system-provided any network object. Instead, use any-ipv4
or any-ipv6.

Procedure

Step 1 Choose Devices > Platform Settings and create or edit the threat defense policy.
Step 2 Select SSH Access.
Step 3 Identify the interfaces and IP addresses that allow SSH connections.
Use this table to limit which interfaces will accept SSH connections, and the IP addresses of the clients who
are allowed to make those connections. You can use network addresses rather than individual IP addresses.
a) Click Add to add a new rule, or click Edit to edit an existing rule.
b) Configure the rule properties:
• IP Address—The network object or group that identifies the hosts or networks you are allowing to
make SSH connections. Choose an object from the drop-down menu, or click + to add a new network
object.
• Available Zones/Interfaces—Add the zones that contain the interfaces to which you will allow SSH
connections. For interfaces not in a zone, you can type the interface name into the field below the
Selected Zones/Interfaces list and click Add. You can also add loopback interfaces. These rules
will be applied to a device only if the device includes the selected interfaces or zones.

c) Click OK.


Step 4 Click Save.


You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not
active until you deploy them.

Deploy the Configuration


Deploy the configuration changes to the threat defense; none of your changes are active on the device until
you deploy them.

Procedure

Step 1 Click Deploy in the upper right.


Figure 55: Deploy

Step 2 For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all
devices. Otherwise, for additional deployment options, click Advanced Deploy.
Figure 56: Deploy All

Figure 57: Advanced Deploy


Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see
status for deployments.
Figure 58: Deployment Status

Access the Threat Defense and FXOS CLI


Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot
configure policies through a CLI session. You can access the CLI by connecting to the console port.
You can also access the FXOS CLI for troubleshooting purposes.

Note You can alternatively SSH to the Management interface of the threat defense device. Unlike a console session,
the SSH session defaults to the threat defense CLI, from which you can connect to the FXOS CLI using the
connect fxos command. You can later connect to the address on a data interface if you open the interface for
SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port
access, which defaults to the FXOS CLI.

Procedure

Step 1 To log into the CLI, connect your management computer to the console port. The Secure Firewall 4200 does
not ship with a console cable by default, so you will need to buy a third-party USB-to-RJ-45 serial cable, for
example. Be sure to install any necessary USB serial drivers for your operating system. The console port
defaults to the FXOS CLI. Use the following serial settings:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit


You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at
initial setup (the default is Admin123).
Example:

firepower login: admin


Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1

firepower#

Step 2 Access the threat defense CLI.


connect ftd
Example:

firepower# connect ftd


>

After logging in, for information on the commands available in the CLI, enter help or ?. For usage information,
see Cisco Secure Firewall Threat Defense Command Reference.

Step 3 To exit the threat defense CLI, enter the exit or logout command.
This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS
CLI, enter ?.
Example:

> exit
firepower#

Power Off the Firewall


It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your firewall system.
You can power off the device using the management center device management page, or you can use the
FXOS CLI.

Power Off the Firewall Using the Management Center


It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your firewall.
You can shut down your system properly using the management center.


Procedure

Step 1 Choose Devices > Device Management.


Step 2 Next to the device that you want to shut down, click Edit ( ).
Step 3 Click the Device tab.
Step 4 Click Shut Down Device ( ) in the System section.
Step 5 When prompted, confirm that you want to shut down the device.
Step 6 If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You
will see the following prompt:

System is stopped.
It is safe to power off now.

Do you want to reboot instead? [y/N]

If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.

Step 7 You can now turn off the power switch and unplug the power to physically remove power from the chassis
if necessary.

Power Off the Firewall at the CLI


You can use the FXOS CLI to safely shut down the system and power off the device. You access the CLI by
connecting to the console port; see Access the Threat Defense and FXOS CLI, on page 75.

Procedure

Step 1 In the FXOS CLI, connect to local-mgmt:


firepower# connect local-mgmt

Step 2 Issue the shutdown command:


firepower(local-mgmt)# shutdown
Example:
firepower(local-mgmt)# shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': yes
INIT: Stopping Cisco Threat Defense......ok

Step 3 Monitor the system prompts as the firewall shuts down. You will see the following prompt:

System is stopped.
It is safe to power off now.
Do you want to reboot instead? [y/N]

Step 4 You can now turn off the power switch and unplug the power to physically remove power from the chassis
if necessary.


What's Next?
To continue configuring your threat defense, see the documents available for your software version at Navigating
the Cisco Secure Firewall Threat Defense Documentation.
For information related to using the management center, see the Cisco Secure Firewall Management Center
Device Configuration Guide.

CHAPTER 4
Threat Defense Deployment with CDO
Is This Chapter for You?
To see all available applications and managers, see Which Application and Manager is Right for You?, on
page 1. This chapter applies to the threat defense using Cisco Defense Orchestrator (CDO)'s cloud-delivered
Firewall Management Center.
About the Firewall
The hardware can run either threat defense software or ASA software. Switching between threat defense and
ASA requires you to reimage the device. You should also reimage if you need a different software version
than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage
Guide.
The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System
(FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is
supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower
1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.
Privacy Collection Statement—The firewall does not require or actively collect personally identifiable
information. However, you can use personally identifiable information in the configuration, for example for
usernames. In this case, an administrator might be able to see this information when working with the
configuration or when using SNMP.
• About Threat Defense Management by CDO, on page 79
• End-to-End Tasks, on page 81
• Central Administrator Pre-Configuration, on page 82
• Deploy the Firewall With the Onboarding Wizard, on page 86
• Configure a Basic Security Policy, on page 94
• Access the Threat Defense and FXOS CLI, on page 107
• Power Off the Firewall, on page 108
• What's Next, on page 110

About Threat Defense Management by CDO


About the Cloud-delivered Firewall Management Center
The cloud-delivered Firewall Management Center offers many of the same functions as an on-premises
management center and has the same look and feel. When you use CDO as the primary manager, you can use


an on-prem management center for analytics only. The on-prem management center does not support policy
configuration or upgrading.
You can onboard a device using the onboarding wizard and CLI registration.

Threat Defense Manager Access Interface


This guide covers outside interface access because it is the most likely scenario for remote branch offices.
Although manager access occurs on the outside interface, the dedicated Management interface is still relevant.
The Management interface is a special interface configured separately from the threat defense data interfaces,
and it has its own network settings.
• The Management interface network settings are still used even though you are enabling manager access
on a data interface.
• All management traffic continues to be sourced from or destined to the Management interface.
• When you enable manager access on a data interface, the threat defense forwards incoming management
traffic over the backplane to the Management interface.
• For outgoing management traffic, the Management interface forwards the traffic over the backplane to
the data interface.

Manager Access Requirements


Manager access from a data interface has the following limitations:
• You can only enable manager access on a physical, data interface. You cannot use a subinterface or
EtherChannel. You can also use the management center to enable manager access on a single secondary
interface for redundancy.
• This interface cannot be management-only.
• Routed firewall mode only, using a routed interface.
• PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support
between the threat defense and the WAN modem.
• The interface must be in the global VRF only.
• SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the
management center. Because the Management interface gateway will be changed to be the data interfaces,
you also cannot SSH to the Management interface from a remote network unless you add a static route
for the Management interface using the configure network static-routes command.
• You cannot use separate management and event-only interfaces.
• Clustering is not supported. You must use the Management interface in this case.

High Availability Requirements


When using a data interface with device high availability, see the following requirements.
• Use the same data interface on both devices for manager access.
• Redundant manager access data interface is not supported.
• You cannot use DHCP; only a static IP address is supported. Features that rely on DHCP cannot be used,
including DDNS and zero-touch provisioning.


• Have different static IP addresses in the same subnet.


• Use either IPv4 or IPv6; you cannot set both.
• Use the same manager configuration (configure manager add command) to ensure that the connectivity
is the same.
• You cannot use the data interface as the failover or state link.
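The following added Python example (not Cisco tooling) turns the manager access and high availability requirements above into a pre-flight check on a planned design, including the Management interface answers the CLI setup script asks for later (static address, gateway data-interfaces, routed mode). The plan fields are this example's own vocabulary; the interface names and addresses in the sample are constructed.

```python
"""Pre-flight check of a planned manager-access-on-a-data-interface design
against the requirements in this guide (single device and high availability).

Added example, not Cisco tooling. The plan fields are this example's own
vocabulary; interface names and addresses in the samples are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ManagerAccessPlan:
    interface: str                    # data interface used for manager access
    interface_type: str               # "physical", "subinterface" or "etherchannel"
    firewall_mode: str                # "routed" or "transparent"
    vrf: str = "global"
    management_only: bool = False
    uses_pppoe: bool = False
    separate_event_interface: bool = False
    clustered: bool = False
    # Management interface answers given in the CLI setup script.
    mgmt_addressing: str = "manual"   # "manual" or "dhcp"
    mgmt_gateway: str = "data-interfaces"
    # Static address on the manager access data interface (None = DHCP).
    ipv4: Optional[str] = None        # e.g. "203.0.113.2/29"
    ipv6: Optional[str] = None
    # High availability settings.
    ha_enabled: bool = False
    peer_interface: Optional[str] = None
    peer_ipv4: Optional[str] = None
    peer_ipv6: Optional[str] = None
    redundant_interface: Optional[str] = None
    failover_link: Optional[str] = None
    state_link: Optional[str] = None


def check_ha(p: ManagerAccessPlan) -> List[str]:
    """Requirements that apply only when the device is in a high availability pair."""
    errs: List[str] = []
    if p.peer_interface != p.interface:
        errs.append("both units must use the same data interface for manager access")
    if p.redundant_interface:
        errs.append("a redundant manager access data interface is not supported")
    if p.ipv4 and p.ipv6:
        errs.append("use either IPv4 or IPv6 for manager access, not both")
    if not (p.ipv4 or p.ipv6):
        errs.append("HA needs a static IP address on the data interface, not DHCP")
    for mine, peer in ((p.ipv4, p.peer_ipv4), (p.ipv6, p.peer_ipv6)):
        if mine is None:
            continue
        if peer is None:
            errs.append(f"peer has no static address to pair with {mine}")
            continue
        a, b = ipaddress.ip_interface(mine), ipaddress.ip_interface(peer)
        if a.ip == b.ip:
            errs.append(f"both units use {a.ip}; the peers need different addresses")
        elif a.network != b.network:
            errs.append(f"{a.ip} and {b.ip} are not in the same subnet")
    if p.interface in (p.failover_link, p.state_link):
        errs.append("the manager access interface cannot be the failover or state link")
    return errs


def check_plan(p: ManagerAccessPlan) -> List[str]:
    """Return every requirement the plan violates; an empty list means it is OK."""
    errs: List[str] = []
    if p.interface_type != "physical":
        errs.append("manager access needs a physical data interface, "
                    "not a subinterface or EtherChannel")
    if p.management_only:
        errs.append("the manager access interface cannot be management-only")
    if p.firewall_mode != "routed":
        errs.append("routed firewall mode only")
    if p.uses_pppoe:
        errs.append("PPPoE is not supported; put a PPPoE router in front of the firewall")
    if p.vrf != "global":
        errs.append("the interface must be in the global VRF")
    if p.separate_event_interface:
        errs.append("separate management and event-only interfaces cannot be used")
    if p.clustered:
        errs.append("clustering is not supported; use the Management interface")
    if p.mgmt_addressing != "manual":
        errs.append("the Management interface must use a static address, not DHCP")
    if p.mgmt_gateway != "data-interfaces":
        errs.append("set the Management interface gateway to data-interfaces")
    if p.ha_enabled:
        errs.extend(check_ha(p))
    return errs


# Constructed sample: a valid HA design using Ethernet1/1 on both units.
HA_PAIR = ManagerAccessPlan(
    interface="Ethernet1/1", interface_type="physical", firewall_mode="routed",
    ipv4="203.0.113.2/29", ha_enabled=True, peer_interface="Ethernet1/1",
    peer_ipv4="203.0.113.3/29", failover_link="Ethernet1/8", state_link="Ethernet1/8")

if __name__ == "__main__":
    for line in check_plan(HA_PAIR) or ["plan meets the documented requirements"]:
        print(line)
```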

End-to-End Tasks
See the following tasks to onboard the threat defense to CDO using the onboarding wizard.
Figure 59: End-to-End Tasks

Workspace                  Task
Cisco Commerce Workspace   Obtain Licenses, on page 82.
CLI                        (Optional) Check the Software and Install a New Version, on page 84.
CDO                        Log Into CDO, on page 85.
Physical Tasks             Install the firewall. See the hardware installation guide.
Physical Tasks             Cable the Firewall, on page 86.
Physical Tasks             Power on the Firewall, on page 87.
CDO                        Onboard a Device with the Onboarding Wizard, on page 87.
CLI                        Perform Initial Configuration Using the CLI, on page 90.
CDO                        Configure a Basic Security Policy, on page 94.

Central Administrator Pre-Configuration


This section describes how to obtain feature licenses for your firewall; how to install a new software version
before you deploy; and how to log into CDO.

Obtain Licenses
All licenses are supplied to the threat defense by CDO. You can optionally purchase the following feature
licenses:
• Essentials—(Required) Essentials license.
• IPS—Security Intelligence and Next-Generation IPS
• Malware Defense—Malware defense
• URL Filtering—URL Filtering
• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only
• Carrier—Diameter, GTP/GPRS, M3UA, SCTP

For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.

Before you begin


• Have an account on the Smart Software Manager.
If you do not yet have an account, click the link to set up a new account. The Smart Software Manager
lets you create an account for your organization.


• Your Smart Software Licensing account must qualify for the Strong Encryption (3DES/AES) license to
use some features (enabled using the export-compliance flag).

Procedure

Step 1 Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart
Software License account. However, if you need to add licenses yourself, use the Search All field on the
Cisco Commerce Workspace.
Figure 60: License Search

Choose Products & Services from the results.


Figure 61: Results

Search for the following license PIDs:


Note If a PID is not found, you can add the PID manually to your order.

• Essentials license:
• L-FPR4215-BSE=
• L-FPR4225-BSE=
• L-FPR4245-BSE=

• IPS, Malware Defense, and URL license combination:


• L-FPR4215T-TMC=
• L-FPR4225T-TMC=
• L-FPR4245T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:


• L-FPR4215T-TMC-1Y
• L-FPR4215T-TMC-3Y
• L-FPR4215T-TMC-5Y
• L-FPR4225T-TMC-1Y
• L-FPR4225T-TMC-3Y
• L-FPR4225T-TMC-5Y
• L-FPR4245T-TMC-1Y
• L-FPR4245T-TMC-3Y
• L-FPR4245T-TMC-5Y

• Carrier license:
• L-FPR4200-FTD-CAR=

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide.

Step 2 If you have not already done so, register CDO with the Smart Software Manager.
Registering requires you to generate a registration token in the Smart Software Manager. See the CDO
documentation for detailed instructions.

(Optional) Check the Software and Install a New Version


To check the software version and, if necessary, install a different version, perform these steps. We recommend
that you install your target version before you configure the firewall. Alternatively, you can perform an upgrade
after you are up and running, but upgrading, which preserves your configuration, may take longer than using
this procedure.
What Version Should I Run?
Cisco recommends running a Gold Star release indicated by a gold star next to the release number on the
software download page. You can also refer to the release strategy described in
https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html; for example, this
bulletin describes short-term release numbering (with the latest features), long-term release numbering
(maintenance releases and patches for a longer period of time), or extra long-term release numbering
(maintenance releases and patches for the longest period of time, for government certification).

Procedure

Step 1 Power on the firewall and connect to the console port. See Power on the Firewall, on page 87 and Access the
Threat Defense and FXOS CLI, on page 107 for more information.
Log in with the admin user and the default password, Admin123.


You connect to the FXOS CLI. The first time you log in, you are prompted to change the password. This
password is also used for the threat defense login for SSH.
Note If the password was already changed, and you do not know it, you must perform a factory reset to
reset the password to the default. See the FXOS troubleshooting guide for the factory reset procedure.

Example:

firepower login: admin


Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.


Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 2 At the FXOS CLI, show the running version.


scope ssa
show app-instance
Example:

Firepower# scope ssa


Firepower /ssa # show app-instance

Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               7.6.0.65        7.6.0.65        Not Applicable

Step 3 If you want to install a new version, perform these steps.


a) If you need to set a static IP address for the Management interface, see Perform Initial Configuration
Using the CLI, on page 90. By default, the Management interface uses DHCP.
You will need to download the new image from a server accessible from the Management interface.
b) Perform the reimage procedure in the FXOS troubleshooting guide.
After the firewall reboots, you connect to the FXOS CLI again.

Log Into CDO


For details on creating a CDO tenant and logging in, see the CDO documentation:
https://docs.defenseorchestrator.com.


Deploy the Firewall With the Onboarding Wizard


This section describes how to configure the firewall for onboarding using the CDO onboarding wizard.

Cable the Firewall


This topic describes how to connect the Secure Firewall 4200 to your network so that it can be managed by
CDO.
Figure 62: Cabling the Secure Firewall 4200

Before you begin


• Install SFPs into the data interface ports—The built-in ports are 1/10/25-Gb SFP ports that require SFP
modules.
• Obtain a console cable—The firewall does not ship with a console cable by default, so you will need to
buy a third-party USB-to-RJ-45 serial cable, for example.

Procedure

Step 1 Install the chassis. See the hardware installation guide.


Step 2 Connect the outside interface (for example, Ethernet 1/1) to your outside router.
Step 3 Connect the inside interface (for example, Ethernet 1/2) to your inside switch or router.
Step 4 Connect other networks to the remaining interfaces.
Step 5 Connect the management computer to the console port.
You need to perform initial setup using the CLI. The console port may also be required for troubleshooting
purposes.


Power on the Firewall


System power is controlled by a rocker power switch located on the rear of the firewall. The power switch is
implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk of
system software and data corruption.

Note The first time you boot up the threat defense, initialization can take approximately 15 to 30 minutes.

Before you begin


It's important that you provide reliable power for your firewall (for example, using an uninterruptable power
supply (UPS)). Loss of power without first shutting down can cause serious file system damage. There are
many processes running in the background all the time, and losing power does not allow the graceful shutdown
of your system.

Procedure

Step 1 Attach the power cord to the firewall, and connect it to an electrical outlet.
Step 2 Turn the power on using the standard rocker-type power on/off switch located on the rear of the chassis,
adjacent to the power cord.
Step 3 Check the Power LED on the back of the firewall; if it is solid green, the firewall is powered on.
Figure 63: System and Power LEDs

Step 4 Check the System LED on the back of the firewall; after it is solid green, the system has passed power-on
diagnostics.
Note When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually
power off. During this time, the Power LED on the front of the chassis blinks green. Do not remove
the power until the Power LED is completely off.

Onboard a Device with the Onboarding Wizard


Onboard the threat defense using CDO's onboarding wizard using a CLI registration key.


Procedure

Step 1 In the CDO navigation pane, click Inventory, then click the blue plus button ( ) to Onboard a device.
Step 2 Click the FTD tile.
Step 3 Under Management Mode, be sure FTD is selected.
At any point after selecting FTD as the management mode, you can click Manage Smart License to enroll
in or modify the existing smart licenses available for your device. See Obtain Licenses, on page 82 to see
which licenses are available.

Step 4 Select Use CLI Registration Key as the onboarding method.


Figure 64: Use CLI Registration Key

Step 5 Enter the Device Name and click Next.


Figure 65: Device Name

Step 6 For the Policy Assignment, use the drop-down menu to choose an access control policy for the device. If you
have no policies configured, choose the Default Access Control Policy.
Figure 66: Access Control Policy

Step 7 For the Subscription License, click the Physical FTD Device radio button, and then check each of the feature
licenses you want to enable. Click Next.


Figure 67: Subscription License

Step 8 For the CLI Registration Key, CDO generates a command with the registration key and other parameters.
You must copy this command and use it in the initial configuration of the threat defense.
Figure 68: CLI Registration Key

configure manager add cdo_hostname registration_key nat_id display_name


Copy this command at the threat defense CLI after you complete the startup script. See Perform Initial
Configuration Using the CLI, on page 90.
Example:
Sample command for CLI setup:

configure manager add account1.app.us.cdo.cisco.com KPOOP0rgWzaHrnj1V5ha2q5Rf8pKFX9E Lzm1HOynhVUWhXYWz2swmkj2ZWsN3Lb account1.app.us.cdo.cisco.com

Step 9 Click Next in the onboarding wizard to start registering the device.
Step 10 (Optional) Add labels to your device to help sort and filter the Inventory page. Enter a label and select the
blue plus button ( ). Labels are applied to the device after it's onboarded to CDO.


Figure 69: Done

What to do next
From the Inventory page, select the device you just onboarded and select any of the options listed under the
Management pane located to the right.

Perform Initial Configuration Using the CLI


Connect to the threat defense CLI to perform initial setup.

Procedure

Step 1 Connect to the threat defense CLI on the console port.


The console port connects to the FXOS CLI.

Step 2 Log in with the username admin and the password Admin123.
The first time you log in to FXOS, you are prompted to change the password. This password is also used for
the threat defense login for SSH.
Note If the password was already changed, and you do not know it, then you must reimage the device to
reset the password to the default. See the FXOS troubleshooting guide for the reimage procedure.

Example:

firepower login: admin


Password: Admin123
Successful login attempts for user 'admin' : 1

[...]

Hello admin. You must change your password.


Enter new password: ********
Confirm new password: ********
Your password was updated successfully.

[...]

firepower#

Step 3 Connect to the threat defense CLI.


connect ftd
Example:

firepower# connect ftd


>

Step 4 The first time you log in to the threat defense, you are prompted to accept the End User License Agreement
(EULA). You are then presented with the CLI setup script for the Management interface settings.
The Management interface settings are used even though you are enabling manager access on a data interface.
Note You cannot repeat the CLI setup wizard unless you clear the configuration; for example, by reimaging.
However, all of these settings can be changed later at the CLI using configure network commands.
See Cisco Secure Firewall Threat Defense Command Reference.

Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.
See the following guidelines:
• Do you want to configure IPv4? and/or Do you want to configure IPv6?—Enter y for at least one of
these types of addresses. Although you do not plan to use the Management interface, you must set an IP
address, for example, a private address.
• Configure IPv4 via DHCP or manually? and/or Configure IPv6 via DHCP, router, or
manually?—Choose manual. You cannot configure a data interface for management if the management
interface is set to DHCP, because the default route, which must be data-interfaces (see the next bullet),
might be overwritten with one received from the DHCP server.
• Enter the IPv4 default gateway for the management interface and/or Enter the IPv6 gateway for
the management interface—Set the gateway to be data-interfaces. This setting forwards management
traffic over the backplane so it can be routed through the manager access data interface.
• Configure firewall mode?—Enter routed. Outside manager access is only supported in routed firewall
mode.

Example:

You must accept the EULA to continue.


Press <ENTER> to display the EULA:
End User License Agreement
[...]

System initialization in progress. Please stand by.


You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.61]: 10.89.5.17
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.192
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]: 1010-3
Enter a comma-separated list of DNS servers or 'none'
[208.67.222.222,208.67.220.220,2620:119:35::35]:
Enter a comma-separated list of search domains or 'none' []: cisco.com
If your networking information has changed, you will need to reconnect.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222,208.67.220.220,2620:119:35::35


Setting DNS domains:cisco.com


Setting hostname as 1010-3
Setting static IPv4: 10.89.5.17 netmask: 255.255.255.192 gateway: data on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

DHCP server is already disabled


DHCP Server Disabled
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...

Device is in OffBox mode - disabling/removing port 443 from iptables.


Update policy deployment information
- add device configuration
- add network discovery
- add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique


alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>

Step 5 Configure the outside interface for manager access.


configure network management-data-interface
You are then prompted to configure basic network settings for the outside interface. See the following details
for using this command:
• The Management interface cannot use DHCP if you want to use a data interface for management. If you
did not set the IP address manually during initial setup, you can set it now using the configure network
{ipv4 | ipv6} manual command. If you did not already set the Management interface gateway to
data-interfaces, this command will set it now.
• When you add the threat defense to CDO, CDO discovers and maintains the interface configuration,
including the following settings: interface name and IP address, static route to the gateway, DNS servers,
and DDNS server. For more information about the DNS server configuration, see below. In CDO, you
can later make changes to the manager access interface configuration, but make sure you don't make
changes that can prevent the threat defense or CDO from re-establishing the management connection. If
the management connection is disrupted, the threat defense includes the configure policy rollback
command to restore the previous deployment.

• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all
of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the
DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that
uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
• This command sets the data interface DNS server. The Management DNS server that you set with the
setup script (or using the configure network dns servers command) is used for management traffic.
The data DNS server is used for DDNS (if configured) or for security policies applied to this interface.
On CDO, the data interface DNS servers are configured in the Platform Settings policy that you assign
to this threat defense. When you add the threat defense to CDO, the local setting is maintained, and the
DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings
policy to the threat defense that includes a DNS configuration, then that configuration will overwrite the
local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to
bring CDO and the threat defense into sync.
Also, local DNS servers are only retained by CDO if the DNS servers were discovered at initial registration.
For example, if you registered the device using the Management interface, but then later configure a data
interface using the configure network management-data-interface command, then you must manually
configure all of these settings in CDO, including the DNS servers, to match the threat defense
configuration.
• You can change the management interface after you register the threat defense to CDO, to either the
Management interface or another data interface.
• The FQDN that you set in the setup wizard will be used for this interface.
• You can clear the entire device configuration as part of the command; you might use this option in a
recovery scenario, but we do not suggest you use it for initial setup or normal operation.
• To disable data management, enter the configure network management-data-interface disable
command.

Example:

> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:
DDNS server update URL [none]:
https://deanwinchester:[email protected]/nic/update?hostname=<h>&myip=<a>
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow manager access from any network, if you wish to
change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.


Network settings changed.

>

Example:

> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow manager access from any network, if you wish to
change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.
Network settings changed.

>
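The DDNS update URL entered in the first example above uses the <h> and <a> placeholders and carries the DDNS account credentials inside the URL itself, where they end up in the saved device configuration. The following Python is an added example, not code from the Cisco guide or from the threat defense, showing how such a template is rendered for an update, what a reviewer should flag before it is committed, and how the DynDNS Remote API reply codes should be handled. The template, hostname, addresses and reply strings are constructed for the example; the reply codes are the ones the DynDNS Remote API defines.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed template in the form the threat defense accepts: <h> and <a> are
# replaced with the hostname and the interface address at update time.
EXAMPLE_TEMPLATE = "https://user:s3cret@ddns.example.com/nic/update?hostname=<h>&myip=<a>"

# DynDNS Remote API return codes: the first word of the HTTP response body.
RESPONSES: Dict[str, Tuple[str, str]] = {
    "good":     ("ok",    "update accepted"),
    "nochg":    ("ok",    "address unchanged; do not resend until it changes"),
    "badauth":  ("fatal", "username or password rejected"),
    "nohost":   ("fatal", "hostname is not registered under this account"),
    "notfqdn":  ("fatal", "hostname is not a fully qualified domain name"),
    "badagent": ("fatal", "client blocked by the provider"),
    "abuse":    ("fatal", "hostname blocked for abuse"),
    "911":      ("retry", "provider-side error; retry no sooner than 30 minutes"),
    "dnserr":   ("retry", "provider DNS error; retry later"),
}


def render_update_url(template: str, hostname: str, ip: str) -> str:
    """Substitute <h> and <a>, validating both values first so that a hostname
    cannot smuggle extra query parameters into the request."""
    ipaddress.ip_address(ip)                       # raises ValueError on a bad address
    if "." not in hostname.strip("."):
        raise ValueError("hostname must be fully qualified")
    if template.count("<h>") != 1 or template.count("<a>") != 1:
        raise ValueError("template must contain exactly one <h> and one <a>")
    return template.replace("<h>", quote(hostname, safe="")).replace("<a>", ip)


def review_template(template: str) -> List[str]:
    """Findings a reviewer would raise about the template before it is saved."""
    findings = []
    parts = urlsplit(template)
    if parts.scheme != "https":
        findings.append("not https: credentials and hostname would cross the network in cleartext")
    if parts.username:
        findings.append("credentials are embedded in the URL and are stored in the device configuration; "
                        "limit who can read the configuration and rotate the DDNS password on staff changes")
    if not parts.hostname:
        findings.append("no DDNS server host in URL")
    return findings


def redact(url: str) -> str:
    """Drop the userinfo so the URL can be logged or pasted into a ticket."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def interpret_response(body: str) -> Tuple[str, str]:
    """Classify a reply such as 'good 203.0.113.10' or 'badauth' into
    (disposition, explanation); unknown codes are treated as fatal."""
    words = body.strip().split()
    code = words[0] if words else ""
    return RESPONSES.get(code, ("fatal", f"unrecognised response {body!r}"))
```

The review function makes the point the text only implies: the DDNS password is part of the configuration that CDO discovers and keeps, so anyone who can read the device configuration or a backup of it can read the DDNS credential. Treat it as a secret with its own rotation schedule, and use the redacted form whenever the URL leaves the device.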

Step 6 Identify the CDO that will manage this threat defense using the configure manager add command that CDO
generated. See Onboard a Device with the Onboarding Wizard, on page 87 to generate the command.
Example:

> configure manager add account1.app.us.cdo.cisco.com KPOOP0rgWzaHrnj1V5ha2q5Rf8pKFX9E Lzm1HOynhVUWhXYWz2swmkj2ZWsN3Lb account1.app.us.cdo.cisco.com
Manager successfully configured.

Configure a Basic Security Policy


This section describes how to configure a basic security policy with the following settings:
• Inside and outside interfaces—Assign a static IP address to the inside interface. You configured basic
settings for the outside interface as part of the manager access setup, but you still need to assign it to a
security zone.
• DHCP server—Use a DHCP server on the inside interface for clients.
• NAT—Use interface PAT on the outside interface.
• Access control—Allow traffic from inside to outside.
• SSH—Enable SSH on the manager access interface.

Configure Interfaces
Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Also configure
breakout interfaces if you need them.
The following example configures a routed mode inside interface with a static address and a routed mode
outside interface using DHCP.

Procedure

Step 1 Choose Devices > Device Management, and click Edit ( ) for the firewall.
Step 2 Click Interfaces.
Figure 70: Interfaces

Step 3 To create 4 x 10-Gb breakout interfaces from a 40-Gb interface (available on some models), click the breakout
icon for the interface.
If you already used the 40-Gb interface in your configuration, you will have to remove the configuration
before you can proceed with the breakout.

Step 4 Click Edit ( ) for the interface that you want to use for inside.
The General tab appears.

Figure 71: General Tab

a) Enter a Name up to 48 characters in length.


For example, name the interface inside.
b) Check the Enabled check box.
c) Leave the Mode set to None.
d) From the Security Zone drop-down list, choose an existing inside security zone or add a new one by
clicking New.
For example, add a zone called inside_zone. Each interface must be assigned to a security zone and/or
interface group. An interface can belong to only one security zone, but can also belong to multiple interface
groups. You apply your security policy based on zones or groups. For example, you can assign the inside
interface to the inside zone; and the outside interface to the outside zone. Then you can configure your
access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most
policies only support security zones; you can use zones or interface groups in NAT policies, prefilter
policies, and QoS policies.
e) Click the IPv4 and/or IPv6 tab.
• IPv4—Choose Use Static IP from the drop-down list, and enter an IP address and subnet mask in
slash notation.
For example, enter 192.168.1.1/24

Figure 72: IPv4 Tab

• IPv6—Check the Autoconfiguration check box for stateless autoconfiguration.


Figure 73: IPv6 Tab

f) Click OK.

Step 5 Click Edit ( ) for the interface that you want to use for outside.
The General tab appears.

Figure 74: General Tab

You already pre-configured this interface for manager access, so the interface will already be named, enabled,
and addressed. You should not alter any of these basic settings because doing so will disrupt the management
connection to CDO. You must still configure the Security Zone on this screen for through-traffic
policies.
a) From the Security Zone drop-down list, choose an existing outside security zone or add a new one by
clicking New.
For example, add a zone called outside_zone.
b) Click OK.
Step 6 Click Save.

Configure the DHCP Server


Enable the DHCP server if you want clients to use DHCP to obtain IP addresses from the threat defense.

Procedure

Step 1 Choose Devices > Device Management, and click Edit ( ) for the device.
Step 2 Choose DHCP > DHCP Server.
Figure 75: DHCP Server

Step 3 On the Server page, click Add, and configure the following options:
Figure 76: Add Server

• Interface—Choose the interface from the drop-down list.


• Address Pool—Set the range of IP addresses from lowest to highest that are used by the DHCP server.
The range of IP addresses must be on the same subnet as the selected interface and cannot include the
IP address of the interface itself.
• Enable DHCP Server—Enable the DHCP server on the selected interface.

Step 4 Click OK.

Step 5 Click Save.

Configure NAT
A typical NAT rule converts internal addresses to a port on the outside interface IP address. This type of NAT
rule is called interface Port Address Translation (PAT).

Procedure

Step 1 Choose Devices > NAT, and click New Policy > Threat Defense NAT.
Step 2 Name the policy, select the device(s) that you want to use the policy, and click Save.
Figure 77: New Policy

The policy is added to CDO. You still have to add rules to the policy.

Figure 78: NAT Policy

Step 3 Click Add Rule.


The Add NAT Rule dialog box appears.

Step 4 Configure the basic rule options:


Figure 79: Basic Rule Options

• NAT Rule—Choose Auto NAT Rule.


• Type—Choose Dynamic.

Step 5 On the Interface Objects page, add the outside zone from the Available Interface Objects area to the
Destination Interface Objects area.

Figure 80: Interface Objects

Step 6 On the Translation page, configure the following options:


Figure 81: Translation

• Original Source—Click Add ( ) to add a network object for all IPv4 traffic (0.0.0.0/0).

Figure 82: New Network Object

Note You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part
of the object definition, and you cannot edit system-defined objects.

• Translated Source—Choose Destination Interface IP.

Step 7 Click Save to add the rule.


The rule is saved to the Rules table.

Step 8 Click Save on the NAT page to save your changes.

Allow Traffic from Inside to Outside


If you created a basic Block all traffic access control policy when you registered the threat defense, then you
need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to
allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing
traffic to the appropriate networks.

Procedure

Step 1 Choose Policy > Access Policy > Access Policy, and click Edit ( ) for the access control policy assigned
to the threat defense.
Step 2 Click Add Rule, and set the following parameters:

Figure 83: Add Rule

• Name—Name this rule, for example, inside-to-outside.


• Selected Sources—Select the inside zone from Zones, and click Add Source Zone.
• Selected Destinations and Applications—Select the outside zone from Zones, and click Add Destination
Zone.

Leave the other settings as is.

Step 3 Click Apply.


The rule is added to the Rules table.

Step 4 Click Save.

Configure SSH on the Manager Access Data Interface


If you enabled manager access on a data interface, such as outside, you should enable SSH on that
interface using this procedure. This section describes how to enable SSH connections to one or more data
interfaces on the threat defense.

Note SSH is enabled by default on the Management interface; however, this screen does not affect Management
SSH access.

The Management interface is separate from the other interfaces on the device. It is used to set up and register
the device to CDO. SSH for data interfaces shares the internal and external user list with
SSH for the Management interface. Other settings are configured separately: for data interfaces, enable SSH
and access lists using this screen; SSH traffic for data interfaces uses the regular routing configuration, and
not any static routes configured at setup or at the CLI.
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command
in the Cisco Secure Firewall Threat Defense Command Reference. To configure a static route, see the configure
network static-routes command. By default, you configure the default route through the Management interface
at initial setup.
To use SSH, you do not also need an access rule allowing the host IP address. You only need to configure
SSH access according to this section.
You can SSH only to a reachable interface; if your SSH host is located on the outside interface, you can only
initiate a management connection directly to the outside interface.

SSH supports the following ciphers and key exchange:


• Encryption—aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr
• Integrity—hmac-sha2-256
• Key exchange—dh-group14-sha256

Note After you make three consecutive failed attempts to log into the CLI using SSH, the device terminates the
SSH connection.
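Whether a given SSH client can reach a data interface at all is decided by the algorithm lists above, so it is worth checking before opening the interface. The following Python is an added example, not code from the Cisco guide: it builds and parses SSH_MSG_KEXINIT name-lists as laid out in RFC 4253 and applies the RFC's negotiation rule (the first algorithm in the client's preference order that the server also offers wins, per direction). The FTD_* lists are the ones printed in this section; the host-key algorithm used in ftd_kexinit() and the client preference lists in the test are assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Algorithm lists the threat defense data interface offers (from this section).
FTD_KEX = ["diffie-hellman-group14-sha256"]
FTD_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr"]
FTD_MACS = ["hmac-sha2-256"]

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
           "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Serialise a KEXINIT payload: message id, 16-byte cookie, ten name-lists
    (uint32 length + comma-separated names), first_kex_packet_follows, reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in _FIELDS:
        data = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Inverse of build_kexinit; raises ValueError on a malformed payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, {}
    for f in _FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        off += n
        lists[f] = raw.split(",") if raw else []
    return lists


def _first_common(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: walk the client's preference order, take the first
    algorithm the server also supports; None means the handshake fails."""
    server_set = set(server)
    return next((a for a in client if a in server_set), None)


@dataclass
class Negotiation:
    kex: Optional[str]
    cipher: Optional[str]
    mac: Optional[str]

    @property
    def ok(self) -> bool:
        return None not in (self.kex, self.cipher, self.mac)

    def warnings(self) -> List[str]:
        w = []
        # CBC-mode SSH ciphers have known plaintext-recovery weaknesses; prefer CTR.
        if self.cipher and self.cipher.endswith("-cbc"):
            w.append(f"negotiated CBC cipher {self.cipher}; pin the client to a CTR cipher")
        return w

    def ssh_options(self) -> str:
        """OpenSSH -o flags that pin a client to exactly this selection."""
        if not self.ok:
            raise ValueError("no common algorithm set; the connection would fail")
        return f"-oKexAlgorithms={self.kex} -oCiphers={self.cipher} -oMACs={self.mac}"


def negotiate(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> Negotiation:
    """Client-to-server direction, which is what the session we open uses."""
    return Negotiation(_first_common(client["kex"], server["kex"]),
                       _first_common(client["enc_c2s"], server["enc_c2s"]),
                       _first_common(client["mac_c2s"], server["mac_c2s"]))


def ftd_kexinit() -> bytes:
    """A KEXINIT payload carrying the threat defense lists; the host-key
    algorithm is an assumption, the guide does not list it."""
    return build_kexinit({"kex": FTD_KEX, "host_key": ["rsa-sha2-256"],
                          "enc_c2s": FTD_CIPHERS, "enc_s2c": FTD_CIPHERS,
                          "mac_c2s": FTD_MACS, "mac_s2c": FTD_MACS,
                          "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Because the device offers a single key-exchange method and a single MAC, a client whose configuration has been hardened to drop diffie-hellman-group14-sha256 or plain hmac-sha2-256 fails before authentication, which looks like a network problem rather than a policy one. Pinning the client with the generated -o options records the intended choice; if you prefer to loosen the client instead, add only those two algorithms rather than re-enabling the CBC ciphers.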

Before you begin


• You can configure SSH internal users at the CLI using the configure user add command. By default,
there is an admin user for which you configured the password during initial setup. You can also configure
external users on LDAP or RADIUS by configuring External Authentication in platform settings.
• You need network objects that define the hosts or networks you will allow to make SSH connections to
the device. You can add objects as part of the procedure, but if you want to use object groups to identify
a group of IP addresses, ensure that the groups needed in the rules already exist. Select Objects > Object
Management to configure objects.

Note You cannot use the system-provided any network object. Instead, use any-ipv4
or any-ipv6.

Procedure

Step 1 Choose Devices > Platform Settings and create or edit the threat defense policy.
Step 2 Select SSH Access.
Step 3 Identify the interfaces and IP addresses that allow SSH connections.
Use this table to limit which interfaces will accept SSH connections, and the IP addresses of the clients who
are allowed to make those connections. You can use network addresses rather than individual IP addresses.
a) Click Add to add a new rule, or click Edit to edit an existing rule.
b) Configure the rule properties:
• IP Address—The network object or group that identifies the hosts or networks you are allowing to
make SSH connections. Choose an object from the drop-down menu, or click + to add a new network
object.
• Available Zones/Interfaces—Add the zones that contain the interfaces to which you will allow SSH
connections. For interfaces not in a zone, you can type the interface name into the field below the
Selected Zones/Interfaces list and click Add. You can also add loopback interfaces. These rules
will be applied to a device only if the device includes the selected interfaces or zones.

c) Click OK.

Step 4 Click Save.


You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not
active until you deploy them.

Deploy the Configuration


Deploy the configuration changes to the threat defense; none of your changes are active on the device until
you deploy them.

Procedure

Step 1 Click Deploy in the upper right.


Figure 84: Deploy

Step 2 For a quick deployment, check specific devices and then click Deploy, or click Deploy All to deploy to all
devices. Otherwise, for additional deployment options, click Advanced Deploy.
Figure 85: Deploy All

Figure 86: Advanced Deploy

Step 3 Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see
status for deployments.
Figure 87: Deployment Status

Access the Threat Defense and FXOS CLI


Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot
configure policies through a CLI session. You can access the CLI by connecting to the console port.
You can also access the FXOS CLI for troubleshooting purposes.

Note You can alternatively SSH to the Management interface of the threat defense device. Unlike a console session,
the SSH session defaults to the threat defense CLI, from which you can connect to the FXOS CLI using the
connect fxos command. You can later connect to the address on a data interface if you open the interface for
SSH connections. SSH access to data interfaces is disabled by default. This procedure describes console port
access, which defaults to the FXOS CLI.

Procedure

Step 1 To log into the CLI, connect your management computer to the console port. The Secure Firewall 4200 does
not ship with a console cable by default, so you will need to buy a third-party USB-to-RJ-45 serial cable, for
example. Be sure to install any necessary USB serial drivers for your operating system. The console port
defaults to the FXOS CLI. Use the following serial settings:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit

You connect to the FXOS CLI. Log in to the CLI using the admin username and the password you set at
initial setup (the default is Admin123).
Example:

firepower login: admin
Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1

firepower#

Step 2 Access the threat defense CLI.


connect ftd
Example:

firepower# connect ftd
>

After logging in, for information on the commands available in the CLI, enter help or ?. For usage information,
see Cisco Secure Firewall Threat Defense Command Reference.

Step 3 To exit the threat defense CLI, enter the exit or logout command.
This command returns you to the FXOS CLI prompt. For information on the commands available in the FXOS
CLI, enter ?.
Example:

> exit
firepower#

Power Off the Firewall


It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your firewall system.
You can power off the device using the CDO device management page, or you can use the
FXOS CLI.

Power Off the Firewall Using CDO

It's important that you shut down your system properly. Simply unplugging the power or pressing the power
switch can cause serious file system damage. Remember that there are many processes running in the
background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of
your firewall.
You can shut down your system properly using CDO.

Procedure

Step 1 Choose Devices > Device Management.
Step 2 Next to the device that you want to shut down, click Edit ( ).
Step 3 Click the Device tab.
Step 4 Click Shut Down Device ( ) in the System section.
Step 5 When prompted, confirm that you want to shut down the device.
Step 6 If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You
will see the following prompt:

System is stopped.
It is safe to power off now.

Do you want to reboot instead? [y/N]

If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.

Step 7 You can now turn off the power switch and unplug the power to physically remove power from the chassis
if necessary.


What's Next
To continue configuring your threat defense using CDO, see the Cisco Defense Orchestrator home page.

CHAPTER 5
ASA Deployment with ASDM
Is This Chapter for You?
To see all available operating systems and managers, see Which Application and Manager is Right for You?,
on page 1. This chapter applies to ASA using ASDM.
About the Firewall
The hardware can run either threat defense software or ASA software. Switching between threat defense and
ASA requires you to reimage the device. You should also reimage if you need a different software version
than is currently installed. See Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage
Guide.
The firewall runs an underlying operating system called the Secure Firewall eXtensible Operating System
(FXOS). The firewall does not support the FXOS Secure Firewall chassis manager; only a limited CLI is
supported for troubleshooting purposes. See the Cisco FXOS Troubleshooting Guide for the Firepower
1000/2100 and Secure Firewall 3100/4200 with Firepower Threat Defense for more information.
Privacy Collection Statement—The firewall does not require or actively collect personally identifiable
information. However, you can use personally identifiable information in the configuration, for example for
usernames. In this case, an administrator might be able to see this information when working with the
configuration or when using SNMP.
• About the ASA, on page 111
• End-to-End Tasks, on page 113
• Review the Network Deployment and Default Configuration, on page 115
• Cable the Firewall, on page 117
• Power on the Firewall, on page 118
• (Optional) Change the IP Address, on page 119
• Log Into ASDM, on page 120
• Configure Licensing, on page 121
• Configure the ASA, on page 127
• Access the ASA and FXOS CLI, on page 129
• What's Next?, on page 130

About the ASA


The ASA provides advanced stateful firewall and VPN concentrator functionality in one device.

Migrating an ASA 5500-X Configuration


You can copy and paste an ASA 5500-X configuration into the Secure Firewall 4200. However, you will need
to modify your configuration. Also note some behavioral differences between the platforms.
1. To copy the configuration, enter the more system:running-config command on the ASA 5500-X.
2. Edit the configuration as necessary (see below).
3. Connect to the console port of the Secure Firewall 4200, and enter global configuration mode:

ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa# configure terminal
ciscoasa(config)#

4. Clear the current configuration using the clear configure all command.
5. Paste the modified configuration at the ASA CLI.

This guide assumes a factory default configuration, so if you paste in an existing configuration, some of the
procedures in this guide will not apply to your ASA.

ASA 5500-X Configuration versus Secure Firewall 4200 Configuration

PAK License (ASA 5500-X) / Smart License (Secure Firewall 4200)
PAK licensing is not applied when you copy and paste your configuration. There are no licenses installed by
default. Smart Licensing requires that you connect to the Smart Licensing server to obtain your licenses. Smart
Licensing also affects ASDM or SSH access (see below).

Initial ASDM access
Remove any VPN or other strong encryption feature configuration, even if you only configured weak encryption,
if you cannot connect to ASDM or register with the Smart Licensing server. You can reenable these features
after you obtain the Strong Encryption (3DES) license.
The reason for this issue is that the ASA includes 3DES capability by default for management access only. If
you enable a strong encryption feature, then ASDM and HTTPS traffic (like that to and from the Smart Licensing
server) are blocked. The exception to this rule is if you are connected to a management-only interface, such
as Management 1/1. SSH is not affected.

Interface IDs
Make sure you change the interface IDs to match the new hardware IDs. For example, the ASA 5525-X includes
Management 0/0 and GigabitEthernet 0/0 through 0/5, whereas the Secure Firewall 4200 uses Management 1/1
and Ethernet 1/1, Ethernet 1/2, and so on (see Secure Firewall 4200 Default Configuration, on page 116).

boot system commands
The ASA 5500-X allows up to four boot system commands to specify the booting image to use. The Secure
Firewall 4200 only allows a single boot system command, so you should remove all but one command before
you paste. You actually do not need to have any boot system commands present in your configuration, as it
is not read at startup to determine the booting image. The last-loaded boot image will always run upon reload.
The boot system command performs an action when you enter it: the system validates and unpacks the image
and copies it to the boot location (an internal location on disk0 managed by FXOS). The new image will load
when you reload the ASA.

End-to-End Tasks
See the following tasks to deploy and configure the ASA on your chassis.

Figure 88: End-to-End Tasks

Pre-Configuration Install the firewall. See the hardware installation guide.

Pre-Configuration Review the Network Deployment and Default Configuration, on page 115.

Pre-Configuration Cable the Firewall, on page 117.

Pre-Configuration Power on the Firewall, on page 118.

ASA CLI (Optional) Change the IP Address, on page 119.

ASDM Log Into ASDM, on page 120.

Cisco Commerce Obtain Standard license and optional feature licenses (Configure Licensing, on page 121).
Workspace

Smart Software Manager Generate a license token for the chassis (Configure Licensing, on page 121).

ASDM Configure feature licenses (Configure Licensing, on page 121).

ASDM Configure the ASA, on page 127.

Review the Network Deployment and Default Configuration


The following figure shows the default network deployment for the ASA using the default configuration.
If you connect the outside interface directly to a cable modem or DSL modem, we recommend that you put
the modem into bridge mode so the ASA performs all routing and NAT for your inside networks. If you need
to configure PPPoE for the outside interface to connect to your ISP, you can do so as part of the ASDM Startup
Wizard.

Note If you cannot use the default Management IP address for ASDM access, you can set the Management IP
address at the ASA CLI. See (Optional) Change the IP Address, on page 119.
If you need to change the inside IP address, you can do so using the ASDM Startup Wizard. For example,
you may need to change the inside IP address in the following circumstances:
• If the outside interface tries to obtain an IP address on the 192.168.1.0 network, which is a common
default network, the DHCP lease will fail, and the outside interface will not obtain an IP address. This
problem occurs because the ASA cannot have two interfaces on the same network. In this case you must
change the inside IP address to be on a new network.
• If you add the ASA to an existing inside network, you will need to change the inside IP address to be on
the existing network.

Secure Firewall 4200 Default Configuration


The default factory configuration for the Secure Firewall 4200 configures the following:
• inside→outside traffic flow—Ethernet 1/1 (outside), Ethernet 1/2 (inside)
• outside IP address from DHCP, inside IP address—192.168.1.1
• management—Management 1/1 (management), IP address from DHCP
• DHCP server on inside interface
• Default routes from outside DHCP, management DHCP
• ASDM access—Management and inside hosts allowed. Inside hosts are limited to the 192.168.1.0/24
network.
• NAT—Interface PAT for all traffic from inside to outside.
• DNS servers—OpenDNS servers are pre-configured.

The configuration consists of the following commands:

interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address dhcp setroute
 no shutdown
!
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
!
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
!
dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd enable inside
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222 outside
 name-server 208.67.220.220 outside
!

Cable the Firewall


Figure 89: Cabling the Secure Firewall 4200

Manage the Secure Firewall 4200 on either Management 1/1 or Ethernet 1/2. The default configuration also
configures Ethernet1/1 as outside.

Before you begin


• Install SFPs into the data interface and optional Management ports—The built-in ports are 1/10/25-Gb
SFP ports that require SFP modules.


• (Optional) Obtain a console cable—The firewall does not ship with a console cable by default, so you
will need to buy a third-party USB-to-RJ-45 serial cable, for example.

Procedure

Step 1 Install the chassis. See the hardware installation guide.


Step 2 Connect your management computer to either of the following interfaces:
• Ethernet 1/2—Ethernet 1/2 has a default IP address (192.168.1.1) and also runs a DHCP server to provide
IP addresses to clients (including the management computer), so make sure these settings do not conflict
with any existing inside network settings (see Secure Firewall 4200 Default Configuration, on page 116).
Only clients on 192.168.1.0/24 can access the ASA.
If you need to change the Ethernet 1/2 IP address from the default, you must also cable your management
computer to the console port. See (Optional) Change the IP Address, on page 119.
• Management 1/1—Management 1/1 obtains an IP address from a DHCP server on your management
network; if you use this interface, you must determine the IP address assigned to the ASA so that you
can connect to the IP address from your management computer.
You can later set up Management 1/2 if you need another management interface.

You can later configure ASA management access from other interfaces; see the ASA general operations
configuration guide.

Step 3 Connect the outside network to the Ethernet1/1 interface.


For Smart Software Licensing, the ASA needs internet access.

Step 4 Connect other networks to the remaining interfaces.

Power on the Firewall


System power is controlled by a rocker power switch located on the rear of the firewall. The power switch is
implemented as a soft notification switch that supports graceful shutdown of the system to reduce the risk of
system software and data corruption.

Procedure

Step 1 Attach the power cord to the firewall, and connect it to an electrical outlet.
Step 2 Turn the power on using the standard rocker-type power on/off switch located on the rear of the chassis,
adjacent to the power cord.
Step 3 Check the Power LED on the back of the firewall; if it is solid green, the firewall is powered on.


Figure 90: System and Power LEDs

Step 4 Check the System LED on the back of the firewall; after it is solid green, the system has passed power-on
diagnostics.
Note When the switch is toggled from ON to OFF, it may take several seconds for the system to eventually
power off. During this time, the Power LED on the front of the chassis blinks green. Do not remove
the power until the Power LED is completely off.

(Optional) Change the IP Address


If you cannot use the default IP address for ASDM access, you can set the IP address of the inside interface
at the ASA CLI.

Note This procedure restores the default configuration and also sets your chosen IP address, so if you made any
changes to the ASA configuration that you want to preserve, do not use this procedure.

Procedure

Step 1 Connect to the ASA console port, and enter global configuration mode. See Access the ASA and FXOS CLI,
on page 129 for more information.
Step 2 Restore the default configuration with your chosen IP address.
configure factory-default [ip_address [mask]]
Example:

ciscoasa(config)# configure factory-default 10.1.1.151 255.255.255.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 103 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface ethernet1/2
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 10.1.1.151 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 10.1.1.0 255.255.255.0 management
Executing command: dhcpd address 10.1.1.152-10.1.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#

Step 3 Verify the result before you save it: show running-config http and show running-config dhcpd should list the new subnet on the interface you intend to manage from. Then save the default configuration to flash memory.

write memory
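
The two addressing pitfalls this chapter describes (an outside lease landing on the same 192.168.1.0 network as the inside interface, and a dhcpd pool that must fit inside the subnet you hand to configure factory-default) and the default ASDM access rules can be checked mechanically from the running configuration. The script below is an added example written for this page; it is not Cisco code or output from the ASA. It parses the interface, http/ssh and dhcpd lines of an ASA configuration and reports interfaces that share a network, ASDM or SSH access permitted from any source, and a dhcpd pool that falls outside its interface subnet or includes the interface address. The embedded configuration is the factory default quoted in Secure Firewall 4200 Default Configuration with the NAT and DNS lines dropped; the outside lease passed to audit() is a constructed stand-in for what show interface ip brief would report after a modem handed out a 192.168.1.x address.

```python
"""Audit an ASA configuration for this chapter's pitfalls: two interfaces on one network,
management access open to any source, and a dhcpd pool that does not fit its interface."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the interface, http and dhcpd lines of the Secure Firewall 4200
# factory-default ASA configuration, indented the way the ASA prints them.
DEFAULT_CONFIG = """\
interface Management1/1
 management-only
 nameif management
 ip address dhcp setroute
!
interface Ethernet1/1
 nameif outside
 ip address dhcp setroute
!
interface Ethernet1/2
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.20-192.168.1.254 inside
"""

@dataclass
class Interface:
    nameif: str = ""
    address: Optional[ipaddress.IPv4Interface] = None  # None while DHCP or unset
    dhcp: bool = False
    management_only: bool = False

ACCESS_RE = re.compile(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
POOL_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")

def parse_config(text: str):
    """Return (interfaces, [(proto, source network, nameif)], {nameif: (pool low, pool high)})."""
    interfaces, rules, pools, current = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and current is not None:      # sub-command of the open interface block
            if m := re.match(r"^nameif (\S+)$", line):
                current.nameif = m.group(1)
            elif line.startswith("ip address dhcp"):           # must be tested before the static form
                current.dhcp = True
            elif m := re.match(r"^ip address (\S+) (\S+)", line):
                current.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line == "management-only":
                current.management_only = True
            continue
        current = None                                         # any top-level command closes the block
        if m := re.match(r"^interface (\S+)$", line):
            current = Interface()
            interfaces.append(current)
        elif m := ACCESS_RE.match(line):
            rules.append((m.group(1), ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}"), m.group(4)))
        elif m := POOL_RE.match(line):
            pools[m.group(3)] = (ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)))
    return interfaces, rules, pools

def dhcp_pool_size(pool: str) -> int:
    """Addresses in an 'A-B' dhcpd pool (the number configure factory-default reports)."""
    low, high = (ipaddress.IPv4Address(a) for a in pool.split("-"))
    return int(high) - int(low) + 1

def audit(config: str, observed: Optional[Dict[str, str]] = None) -> List[str]:
    """Findings for config; observed maps a DHCP interface's nameif to the 'addr/prefix' it
    actually obtained (constructed here; read it from 'show interface ip brief' on a real box)."""
    interfaces, rules, pools = parse_config(config)
    by_nameif = {i.nameif: i for i in interfaces}
    for nameif, cidr in (observed or {}).items():            # fill in the leases DHCP interfaces got
        by_nameif[nameif].address = ipaddress.IPv4Interface(cidr)
    findings = []
    addressed = [i for i in interfaces if i.address is not None]
    for k, a in enumerate(addressed):                        # 1. two interfaces on one network
        for b in addressed[k + 1:]:
            if a.address.network.overlaps(b.address.network):
                fix = b if a.dhcp else a                      # move the statically addressed one
                findings.append(f"OVERLAP: {a.nameif} {a.address.network} overlaps {b.nameif} {b.address.network}; renumber {fix.nameif}")
    for proto, src, nameif in rules:                          # 2. ASDM/SSH open to any source
        if src.prefixlen == 0:
            iface = by_nameif.get(nameif)
            kind = "management-only" if iface and iface.management_only else "data"
            findings.append(f"OPEN-{proto.upper()}: any source may reach {proto} on {nameif} ({kind} interface); restrict to the admin subnet")
    for nameif, (low, high) in pools.items():                 # 3. pool must fit its interface subnet
        iface = by_nameif.get(nameif)
        if iface is None or iface.address is None:
            findings.append(f"POOL: dhcpd pool on {nameif} but that interface has no static address")
        elif low not in iface.address.network or high not in iface.address.network:
            findings.append(f"POOL: {nameif} pool {low}-{high} lies outside {iface.address.network}")
        elif low <= iface.address.ip <= high:
            findings.append(f"POOL: {nameif} pool {low}-{high} includes the interface address {iface.address.ip}")
    return findings

if __name__ == "__main__":
    for finding in audit(DEFAULT_CONFIG, {"outside": "192.168.1.5/24"}):   # assumed outside lease
        print(finding)
```

Run it against the output of show running-config. With the constructed 192.168.1.5 lease it reports the overlap the note above warns about and suggests renumbering inside, the same remedy the guide gives; in every case it flags that ASDM on Management 1/1 is reachable from any source address, which you should narrow to your administrators' subnet (for example, http 10.0.0.0 255.255.255.0 management, an illustrative subnet) before the management port joins a shared network. dhcp_pool_size("10.1.1.152-10.1.1.254") returns 103, the figure the configure factory-default output prints.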

Log Into ASDM


Launch ASDM so you can configure the ASA.
The ASA includes 3DES capability by default for management access only, so you can connect to the Smart
Software Manager and also use ASDM immediately. You can also use SSH and SCP if you later configure
SSH access on the ASA. Other features that require strong encryption (such as VPN) must have Strong
Encryption enabled, which requires you to first register to the Smart Software Manager.

Note If you attempt to configure any features that can use strong encryption before you register—even if you only
configure weak encryption—then your HTTPS connection will be dropped on that interface, and you cannot
reconnect. The exception to this rule is if you are connected to a management-only interface, such as
Management 1/1. SSH is not affected. If you lose your HTTPS connection, you can connect to the console
port to reconfigure the ASA, connect to a management-only interface, or connect to an interface not configured
for a strong encryption feature.

Before you begin


• See the ASDM release notes on Cisco.com for the requirements to run ASDM.

Procedure

Step 1 Enter the following URL in your browser.


• https://192.168.1.1—Inside (Ethernet 1/2) interface IP address.
• https://management_ip—Management interface IP address assigned from DHCP.


Note Be sure to specify https://, and not http:// or just the IP address (which defaults to HTTP); the ASA
does not automatically forward an HTTP request to HTTPS.

The Cisco ASDM web page appears. Your browser may warn about the connection because the ASA presents a self-signed certificate rather than one issued by a CA the browser trusts. On a directly cabled management connection you can accept the warning and continue; before ASDM is reachable from a shared network, install a certificate from a CA your administrators trust (see the ASA general operations configuration guide) so that clicking through the warning does not become routine.

Step 2 Click Install ASDM Launcher.


Step 3 Follow the onscreen instructions to launch ASDM.
The Cisco ASDM-IDM Launcher appears.

Step 4 Leave the username and password fields empty, and click OK.
The main ASDM window appears. The default configuration has no enable password, so anyone on a permitted network can open ASDM the same way; set the enable password in the Startup Wizard (Configure the ASA, on page 127) before the inside or management interface is connected to a shared network.

Configure Licensing
The ASA uses Smart Licensing. You can use regular Smart Licensing, which requires internet access; or for
offline management, you can configure Permanent License Reservation or a Smart Software Manager On-Prem
(formerly known as a Satellite server). For more information about these offline licensing methods, see Cisco
ASA Series Feature Licenses; this guide applies to regular Smart Licensing.
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide
When you register the chassis, the Smart Software Manager issues an ID certificate for communication between
the firewall and the Smart Software Manager. It also assigns the firewall to the appropriate virtual account.
Until you register with the Smart Software Manager, you will not be able to make configuration changes to
features requiring special licenses, but operation is otherwise unaffected. Licensed features include:
• Essentials
• Security Contexts
• Carrier—Diameter, GTP/GPRS, M3UA, SCTP
• Strong Encryption (3DES/AES)—If your Smart Account is not authorized for strong encryption, but
Cisco has determined that you are allowed to use strong encryption, you can manually add a strong
encryption license to your account.
• Cisco Secure Client—Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only.

The ASA includes 3DES capability by default for management access only, so you can connect to the Smart
Software Manager and also use ASDM immediately. You can also use SSH and SCP if you later configure
SSH access on the ASA. Other features that require strong encryption (such as VPN) must have Strong
Encryption enabled, which requires you to first register to the Smart Software Manager.


Note If you attempt to configure any features that can use strong encryption before you register—even if you only
configure weak encryption—then your HTTPS connection will be dropped on that interface, and you cannot
reconnect. The exception to this rule is if you are connected to a management-only interface, such as
Management 1/1. SSH is not affected. If you lose your HTTPS connection, you can connect to the console
port to reconfigure the ASA, connect to a management-only interface, or connect to an interface not configured
for a strong encryption feature.

When you request the registration token for the ASA from the Smart Software Manager, check the Allow
export-controlled functionality on the products registered with this token check box so that the full Strong
Encryption license is applied (your account must be qualified for its use). The Strong Encryption license is
automatically enabled for qualified customers when you apply the registration token on the chassis, so no
additional action is required. If your Smart Account is not authorized for strong encryption, but Cisco has
determined that you are allowed to use strong encryption, you can manually add a strong encryption license
to your account.

Before you begin


• Have a master account on the Smart Software Manager.
If you do not yet have an account, click the link to set up a new account. The Smart Software Manager
lets you create a master account for your organization.
• Your Smart Software Manager account must qualify for the Strong Encryption (3DES/AES) license to
use some features (enabled using the export-compliance flag).

Procedure

Step 1 Make sure your Smart Licensing account contains the available licenses you need, including at a minimum
the Essentials license.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart
Software License account. However, if you need to add licenses yourself, use the Search All field on the
Cisco Commerce Workspace.
Figure 91: License Search

Choose Products & Services from the results.


Figure 92: Results

Search for the following license PIDs:


Note If a PID is not found, you can add the PID manually to your order.

• Essentials license—L-FPR4215-BSE= (Secure Firewall 4215), L-FPR4225-BSE= (Secure Firewall 4225),
or L-FPR4245-BSE= (Secure Firewall 4245). The Essentials license is a required license.
• 5 context license—L-FPR4200-ASASC-5=. Context licenses are additive; buy multiple licenses to meet
your needs.
• 10 context license—L-FPR4200-ASASC-10=. Context licenses are additive; buy multiple licenses to
meet your needs.
• Carrier (Diameter, GTP/GPRS, M3UA, SCTP)—L-FPR4200-ASA-CAR=
• Strong Encryption (3DES/AES) license—L-FPR4200-ENC-K9=. Only required if your account is not
authorized for strong encryption.

• Cisco Secure Client—See the Cisco Secure Client Ordering Guide. You do not enable this license directly
in the ASA.

Step 2 In the Cisco Smart Software Manager, request and copy a registration token for the virtual account to which
you want to add this device.
a) Click Inventory.

b) On the General tab, click New Token.


c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:

• Description
• Expire After—Cisco recommends 30 days.
• Max. Number of Uses
• Allow export-controlled functionality on the products registered with this token—Enables the
export-compliance flag.

The token is added to your inventory.


d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID
to your clipboard. Keep this token ready for later in the procedure when you need to register the ASA.


Figure 93: View Token

Figure 94: Copy Token

Step 3 In ASDM, choose Configuration > Device Management > Licensing > Smart Licensing.
Step 4 Click Register.


Step 5 Enter the registration token in the ID Token field.

You can optionally check the Force registration check box to re-register an ASA that is already registered
but may be out of sync with the Smart Software Manager, for example if the ASA was accidentally removed
from the Smart Software Manager.

Step 6 Click Register.


The ASA registers with the Smart Software Manager using the pre-configured outside interface, and requests
authorization for the configured license entitlements. The Smart Software Manager also applies the Strong
Encryption (3DES/AES) license if your account allows. ASDM refreshes the page when the license status is
updated. You can also choose Monitoring > Properties > Smart License to check the license status,
particularly if the registration fails.

Step 7 Set the following parameters:

a) Check Enable Smart license configuration.


b) From the Feature Tier drop-down list, choose Essentials.
Only the Essentials tier is available.
c) (Optional) For the Context license, enter the number of contexts.
• Secure Firewall 4200—100 contexts

For example, to use the maximum of 100 contexts on the Secure Firewall 4215, enter 98 for the number
of contexts; this value is added to the default of 2.

Step 8 Click Apply.


Step 9 Click the Save icon in the toolbar.
Step 10 Quit ASDM and relaunch it.
When you change licenses, you need to relaunch ASDM to show updated screens.

Configure the ASA


Using ASDM, you can use wizards to configure basic and advanced features. You can also manually configure
features not included in wizards.

Procedure

Step 1 Choose Wizards > Startup Wizard, and click the Modify existing configuration radio button.


Step 2 The Startup Wizard walks you through configuring:


• The enable password
• Interfaces, including setting the inside and outside interface IP addresses and enabling interfaces.
• Static routes
• The DHCP server
• And more...

Step 3 (Optional) From the Wizards menu, run other wizards.


Step 4 To continue configuring your ASA, see the documents available for your software version at Navigating the
Cisco ASA Series Documentation.


Access the ASA and FXOS CLI


You can use the ASA CLI to troubleshoot or configure the ASA instead of using ASDM. You can access the
CLI by connecting to the console port. You can later configure SSH access to the ASA on any interface; SSH
access is disabled by default. See the ASA general operations configuration guide for more information.
You can also access the FXOS CLI from the ASA CLI for troubleshooting purposes.

Procedure

Step 1 Connect your management computer to the console port. Be sure to install any necessary serial drivers for
your operating system. Use the following serial settings:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit

You connect to the ASA CLI. There are no user credentials required for console access by default.

Step 2 Access privileged EXEC mode.


enable
You are prompted to change the password the first time you enter the enable command.
Example:

ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

The enable password that you set on the ASA is also the FXOS admin user password if the ASA fails to boot
up, and you enter FXOS failsafe mode.
All non-configuration commands are available in privileged EXEC mode. You can also enter configuration
mode from privileged EXEC mode.
To exit privileged EXEC mode, enter the disable, exit, or quit command.

Step 3 Access global configuration mode.


configure terminal
Example:

ciscoasa# configure terminal


ciscoasa(config)#


You can begin to configure the ASA from global configuration mode. To exit global configuration mode,
enter the exit, quit, or end command.

Step 4 (Optional) Connect to the FXOS CLI.


connect fxos [admin]
• admin—Provides admin-level access. Without this option, users have read-only access. Note that no
configuration commands are available even in admin mode.

You are not prompted for user credentials. The current ASA username is passed through to FXOS, and no
additional login is required. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.
Within FXOS, you can view user activity by entering scope security and then show audit-logs.
Example:

ciscoasa# connect fxos admin


Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.
firepower#
firepower# exit
Connection with FXOS terminated.
Type help or '?' for a list of available commands.
ciscoasa#

What's Next?
• To continue configuring your ASA, see the documents available for your software version at Navigating
the Cisco ASA Series Documentation.
• For troubleshooting, see the FXOS troubleshooting guide.

© 2024 Cisco Systems, Inc. All rights reserved.
