Friday, September 18, 2020

Cisco Firepower 1010 Initial Configuration via Setup Wizard

Cisco publishes a setup guide for the Firepower 1010 and videos for configuring Cisco FTD via Firepower Device Manager (FDM). The Firepower 1010 security appliance is the replacement for the Cisco ASA 5506-X. Cisco also offers free training videos for its Next-Generation Firewall (NGFW).

Below is the front panel; the chassis looks similar to a Cisco WLC 3504 wireless controller.

The chassis serial number is on the bottom.

The status LEDs for Power, Status (system OS) and Active (failover) are on the top of the chassis.

On the back panel you'll find the power socket, 8x GE ports, a Management port, two console ports (RJ45 and USB Mini-B), an external USB 3.0 Type A port (for disk1 storage), a Kensington lock slot and the reset button.

The 8x GE ports are used as follows: Ethernet1/1 (WAN/ISP) and Ethernet1/2-8 (Layer 2 switch ports), with ports 7 and 8 supporting PoE+ (30 W per port).

The Firepower 1010 uses an AC power adapter (FPR1K-DT-PWR-AC) with an IEC 60320/C5 connector (shaped like a Mickey Mouse head). I used a Europe plug (CAB-AC-C5-UK).


With FTD 6.4 and earlier, the Management1/1 interface and the FMC or FDM workstation have to be connected through an external Layer 2 switch. With FTD 6.5 and later you can instead plug Management1/1 into one of the FTD's own Layer 2 switch ports (Ethernet1/2-8), so no separate switch is needed.

Below is the Firepower 1010 initial bootup.

 

*******************************************************************************

Cisco System ROMMON, Version 1.0.05, RELEASE SOFTWARE

Copyright (c) 1994-2019  by Cisco Systems, Inc.

Compiled Wed 04/03/2019 18:07:24.29 by builder

*******************************************************************************

 

Current image running: Boot ROM0

Last reset cause: PowerOn (0x00000001)

DIMM0 : Present

 

Platform FPR-1010 with 8192 MBytes of main memory

BIOS has been successfully locked !!

MAC Address: 5c:5a:c7:b8:f7:80

 

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 6 seconds.   // SIMILAR TO ASA 10 SECONDS COUNTER TO INTERRUPT BOOTUP AND ENTER ROMMON

 

Use SPACE to begin boot immediately.

                  

 

File size is 0x0000003b

Located .boot_string

Image size 59 inode num 16, bks cnt 1 blk size 8*512

 

Attempt autoboot: "boot disk0:installables/switch/fxos-k8-fp2k-lfbff.2.6.1.133.SPA"

File size is 0x0a270820

Located installables/switch/fxos-k8-fp2k-lfbff.2.6.1.133.SPA

Image size 170330144 inode num 114027, bks cnt 41585 blk size 8*512

########################################################################################################################################################################################

 

<OUTPUT TRUNCATED>

 

###############################################################################################################################################################################################

 

+-------------------------------------------------------------------+

+------------------------- SUCCESS ---------------------------------+

+-------------------------------------------------------------------+

|                                                                   |

|             LFBFF signature authentication passed !!!             |

|                                                                   |

+-------------------------------------------------------------------+

LFBFF signature verified.

+-------------------------------------------------------------------+

+------------------------- SUCCESS ---------------------------------+

+-------------------------------------------------------------------+

|                                                                   |

|              LFBFF controller type check passed !!!               |

|                                                                   |

+-------------------------------------------------------------------+

INIT: version 2.88 booting

Starting udev

Configuring network interfaces... done.

Populating dev cache

Primary SSD discovered

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda1] fsck.ext3 -a /dev/sda1

/dev/sda1: clean, 8827/488640 files, 409748/1953024 blocks

fsck(/dev/sda1) returned 0

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda2] fsck.ext3 -a /dev/sda2

/dev/sda2: clean, 137/61056 files, 36376/244224 blocks

fsck(/dev/sda2) returned 0

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda3] fsck.ext3 -a /dev/sda3

/dev/sda3: clean, 145/61056 files, 13258/244224 blocks

fsck(/dev/sda3) returned 0

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda4] fsck.ext3 -a /dev/sda4

/dev/sda4: clean, 13/1831424 files, 158996/7324160 blocks

fsck(/dev/sda4) returned 0

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

FIPS POST Test Script

NOTICE: The FIPS POST is not run because the FIPS feature is not enabled

Running postinst /etc/rpm-postinsts/100-dnsmasq...

Running postinst /etc/rpm-postinsts/101-dnsmasq...

INIT: Entering runlevel: 3

Starting system message bus: dbus.

Stopping all devices.

Starting all devices.

Processing /etc/c3xxx_dev0.conf

Checking status of all devices.

There is 1 QAT acceleration device(s) in the system:

 qat_dev0 - type: c3xxx,  inst_id: 0,  node_id: 0,  bsf: 01:00.0,  #accel: 3 #engines: 6 state: up

ip6tables: Applying firewall rules: [  OK  ]

iptables: Applying firewall rules: [  OK  ]

Starting OpenBSD Secure Shell server: sshd

done.

Starting rpcbind daemon...done.

starting statd: done

Starting Advanced Configuration and Power Interface daemon: acpid.

acpid: starting up with netlink and the input layer

acpid: 1 rule loaded

acpid: waiting for events: event logging is off

starting 8 nfsd kernel threads: done

starting mountd: done

Starting ntpd: done

Starting internet superserver: xinetd.

No makedumpfile found.

Starting fan control daemon: fancontrol... done.

INFO: in validating image ...

INFO: manager_validate_image: fxmgr_absfilename /mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.6.1.133.SPA

INFO: Validating image /mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.6.1.133.SPA signature ...

: File /mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.6.1.133.SPA size 26206720

Computed Hash   SHA2: 408939ad0cb649d8b5522446f36c5287

                      6e1ec865fae6f11b273242a50b79871b

                      71d91931543658a9c9a12a4e69073a8f

                      8bae413f2b4953a7d4a3d01ee5043c8e

                     

Embedded Hash   SHA2: 408939ad0cb649d8b5522446f36c5287

                      6e1ec865fae6f11b273242a50b79871b

                      71d91931543658a9c9a12a4e69073a8f

                      8bae413f2b4953a7d4a3d01ee5043c8e

                     

The digital signature of the file: fxos-k9-fp2k-manager.2.6.1.133.SPA verified successfully

INFO: beginning of manager_install

INFO: manager_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.6.1.133.SPA chmgr= update=false

INFO: mkdir -p /tmp/fxmgr

INFO: /bin/tar -xvzf /tmp/fxmgr/fxos-kp-manager.2.6.1.133.tgz ...

INFO: manager_install: shutting down the old version ...

INFO: Terminating DME and all AGs ...

INFO: --

INFO: manager_install: Unlinking a old libraries ...

INFO: manager_install: Deleting the old manager image ...

INFO: manager_install: Installing the new image ...

INFO: deleting unnecessary xml file..!!

INFO: deleted unnecessary xml file..!!

INFO: manager_post_install ...

INFO: manager_post_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-fp2k-manager.2.6.1.133.SPA chmgr= update=false

INFO: manager_post_install: Linking libraries ...

INFO: manager_post_install: Linking binaries ...

INFO: Trying to add iptables and ip6tables rules ...

INFO: Set up Application Diagnostic Interface ...

INFO: Configure management interface ...

Firepower 1xxx platform..

RTNETLINK answers: File exists

RTNETLINK answers: File exists

Assigning ip to eth0 in FPR-1xxx platform

INFO: Configure rmu interface ...

Bring up rmu and swp1-swp10 switch interfaces

create and bringup lldp sub-interface on lldp-swp7, lldp-swp8

create and bringup lacp and mgmt sub-interface on (lacp-swp1 to lacp-swp8), (mgmt-swp1 to mgmt-swp8)

Stopping rpcbind daemon...

done.

stopping mountd: done

stopping nfsd: .done

INFO: Configure system files ...

INFO: System Name is: firepower

Starting sensors logging daemon: sensord... done.

INFO: manager_startup: setting up fxmgr apache ...

INFO: manager_startup: Start manager httpd setup...

INFO: manager_startup: using HTTPD_INFO persistent cache

/bin/rm: cannot remove '/tmp/openssl.conf': No such file or directory

 httpdRegister INFO: [httpd.3520 -s -4 172.16.2.14 -n localhost]

 httpdRegister INFO: SKIP httpd syntax check

 httpdRegister INFO: Starting httpd setup/registration...

 httpdRegister INFO: Completed httpd setup/registration!

 INFO: httpdRegister [httpd.3520 script exit]

INFO: manager_startup: Completed manager httpd setup!

Starting crond: OK

1:/opt/cisco/csp/cores

/opt/cisco/csp/cores 31457280

Threat Defense System: CMD=-bootup, CSP-ID=cisco-ftd.6.4.0.102__ftd_001_JMX2324G1THA28AI31, FLAG=''

System is booting up ...

Cisco FTD booted up successfully.

INFO: System Disk /dev/sda present. Status: Operable.

 

Cisco FPR Series Security Appliance

 

firepower login:

Waiting for Application infrastructure to be ready...

Verifying the signature of the Application image...

Creating FXOS swap file ...

Sep  7 02:16:01 firepower port-manager  : Alert: Internal1/2 link changed to UP

Sep  7 02:16:01 firepower port-manager  : Alert: Internal1/1 link changed to UP

ipsec_starter[9666]: Starting strongSwan 5.3.3 IPsec [starter]...

 

scepclient[9915]:   fingerprint:    c51d46087deeb88c00d78860ac138702

 

scepclient[9915]:   transaction ID: 11665FBA795D1DC911B4A98A188BC252

 

ipsec_starter[9945]: charon (9947) started after 160 ms

 

Sep  7 02:17:28 firepower port-manager  : Alert: Ethernet1/1 link changed to UP

Cisco FTD initializing ...

Verify FSIC, File System Integrity Check

Obtained uid 501 and gid 501 for external user

verify_fsic(start)

Do not run FSIC twice for SSP systems...

Initializing Threat Defense ...                                       [  OK  ]

Starting system log daemon...                                         [  OK  ]

Adding swapfile /ngfw/Volume/.swaptwo

Flushing all current IPv4 rules and user defined chains: ...success

Clearing all current IPv4 rules and user defined chains: ...success

Applying iptables firewall rules:

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Applying rules successed

Flushing all current IPv6 rules and user defined chains: ...success

Clearing all current IPv6 rules and user defined chains: ...success

Applying ip6tables firewall rules:

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Applying rules successed

Starting nscd...

mkdir: created directory '/var/run/nscd'                              [  OK  ]

Starting , please wait......complete.

cleaning up *.TMM and *.TMD files

Configuring NTP...                                                    [  OK  ]

Stopping all devices.

Starting all devices.

Processing /etc/c3xxx_dev0.conf

Checking status of all devices.

There is 1 QAT acceleration device(s) in the system:

 qat_dev0 - type: c3xxx,  inst_id: 0,  node_id: 0,  bsf: 01:00.0,  #accel: 3 #engines: 6 state: up

SIOCSIFADDR: No such device

br0: ERROR while getting interface flags: No such device

SIOCSIFNETMASK: No such device

br0: ERROR while getting interface flags: No such device

Not reconfigurating

Mon Sep 7 02:18:16 UTC 2020

Starting MySQL...

Pinging mysql

Pinging mysql, try 1

Found mysql is running

Running initializeObjects...

Stopping MySQL...

Killing mysqld with pid 15033

Wait for mysqld to exit\c

 done

Mon Sep 7 02:18:26 UTC 2020

Skipping sfifd for this platform...

Starting Cisco Firepower 1010 Threat Defense, please wait...No PM running!

...started.

Cisco FTD initialization finished successfully.

memif is not enabled.

IO Memory Nodes: 1

IO Memory Per Node: 549453824 bytes num_pages = 134144 page_size = 4096

Global Reserve Memory Per Node: 786432000 bytes Nodes=1

LCMB: got 1073741824 bytes on numa-id=0, phys=0x200000000, virt=0x2b7e00000000

LCMB: HEAP-CACHE POOL got 784334848 bytes on numa-id=0, virt=0x2b7e40000000

total mem 3079146512 new 3079146512 old 659707216 reserv 1858076672 pri new 1233403878 pri old 0 system 8394846208 kernel 12334038 image 110253392

Processor memory:   3079146512

POST started...

POST finished, result is 0 (hint: 1 means it failed)

 

Compiled on Tue 02-Jul-19 17:13 PDT by builders

SSL Hardware Offload is Enabled

Using configured value (300000) from /mnt/disk0/.private/ctm_scb_handles.conf

FPR-1010 platformpci_do_probe_wc(): Adding WC-NIC vid = 0x8086 did = 0x15c2

Total NICs found: 6

x550em_kr rev 0x11 10 Gigabit Ethernet, index 00 MAC: 00a0.c900.0000

en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 02 MAC: 5c5a.c7b8.f781

en_vtun rev00 Backplane Tap Interface     @ index 03 MAC: 0000.0100.0001

en_vtun rev00 Backplane Control Interface  @ index 05 MAC: 0000.0300.0101

WARNING: Attribute already exists in the dictionary.

*** Intel QAT Crypto on-board accelerator detected

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

 

  ****************************** Warning *******************************

  This product contains cryptographic features and is

  subject to United States and local country laws

  governing, import, export, transfer, and use.

  Delivery of Cisco cryptographic products does not

  imply third-party authority to import, export,

  distribute, or use encryption. Importers, exporters,

  distributors and users are responsible for compliance

  with U.S. and local country laws. By using this

  product you agree to comply with applicable laws and

  regulations. If you are unable to comply with U.S.

  and local laws, return the enclosed items immediately.

 

  A summary of U.S. laws governing Cisco cryptographic

  products may be found at:

  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

  If you require further assistance please contact us by

  sending email to export@cisco.com.

  ******************************* Warning *******************************

 

Copyright (c) 1996-2017 by Cisco Systems, Inc.

 

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

 

                Cisco Systems, Inc.

                170 West Tasman Drive

                San Jose, California 95134-1706

 

Error No such device in set_linux_mac_address: Failed to assign MAC address for br0

Reading from flash...

!..

Cryptochecksum (unchanged): 219d676b d19c7cb2 38101f20 513e3534

 

INFO: Power-On Self-Test in process.

.......................................................................

INFO: Power-On Self-Test complete.

 

INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.

M_MMAP_THRESHOLD 65536, M_MMAP_MAX 46984

User enable_1 logged in to firepower

Logins over the last 1 days: 1. 

Failed logins since the last login: 0. 

Type help or '?' for a list of available commands.

firepower>    // FTD INITIALIZED AROUND 5 MINS

firepower login: admin    // DEFAULT LOGIN: admin / Admin123

Password:

Last login: Wed Aug 26 05:45:41 UTC 2020 on ttyS0

Successful login attempts for user 'admin' : 1

 

Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved.

Cisco is a registered trademark of Cisco Systems, Inc.

All other trademarks are property of their respective owners.

 

Cisco Fire Linux OS v6.4.0 (build 2)

Cisco Firepower 1010 Threat Defense v6.4.0.3 (build 29)

 

Cisco Firepower Extensible Operating System (FX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.

 

The copyrights to certain works contained in this software are

owned by other third parties and used and distributed under

license.

 

Certain components of this software are licensed under the "GNU General Public

License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of

"GNU General Public License, Version 3", available here:

http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for

details.

 

Certain components of this software are licensed under the "GNU General Public

License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of

"GNU General Public License, version 2", available here:

http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual

(''Licensing'') for details.

 

Certain components of this software are licensed under the "GNU LESSER GENERAL

PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms

of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:

http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for

details.

 

Certain components of this software are licensed under the "GNU Lesser General

Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the

terms of "GNU Lesser General Public License, version 2", available here:

http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual

(''Licensing'') for details.

 

Certain components of this software are licensed under the "GNU Library General

Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms

of "GNU Library General Public License, version 2", available here:

http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual

(''Licensing'') for details.

 

firepower# connect ftd   // CONNECT TO FTD CLI (# PROMPT IS FOR FXOS CLI)

 

> ?    // CLISH PROMPT (REGULAR FTD CLI)
  aaa-server                     Specify a AAA server
  activate-tunnel-group-scripts  Reload ASDM generated scripts for username-from-certificate
  app-agent                      Configure appagent features
  asp                            Configure ASP parameters
  attribute                      Modify a monitored attribute
  blocks                         Set block diagnostic parameters
  capture                        Capture inbound and outbound packets on one or more interfaces
  capture-traffic                Display traffic or save to specified file
  clear                          Reset functions
  cluster                        Cluster exec mode commands
  configure                      Change to Configuration mode
  connect                        Connect to another component.
  copy                           Copy from one file to another
  cpu                            general CPU stats collection tools
  crypto                         Execute crypto Commands
  debug                          Debugging functions (see also 'undebug')
  delete                         Delete a file
  dir                            List files on a filesystem
  dns                            List files on a filesystem
  dynamic-access-policy-config   Activates the DAP selection configuration file.
  eotool                         Change to Enterprise Object Tool Mode
  exit                           Exit this CLI session
  expert                         Invoke a shell
  failover                       Perform failover operation in Exec mode
  file                           Change to File Mode
  fips                           Execute FIPS tests
  fsck                           Filesystem check
  help                           Interactive help for commands
  history                        Display the current session's command line history
  ldapsearch                     Test LDAP configuration
  logging                        Configure flash file name to save logging buffer
  logout                         Logout of the current CLI session
  memory                         Memory tools
  more                           Display the contents of a file
  no                             Negate a command or set its defaults
  nslookup                       Look up an IP address or host name with the DNS servers
  packet-tracer                  trace packets in F1 data path
  perfmon                        Change or view performance monitoring options
  pigtail                        Tail log files for debugging (pigtail)
  ping                           Test connectivity from specified interface to an IP address
  pmtool                         Change to PMTool Mode
  reboot                         Reboot the sensor
  redundant-interface            Redundant interface
  restore                        This command is used to restore FTD from sfr prompt
  sftunnel-status                Show sftunnel status
  show                           Show running system information
  shun                           Manages the filtering of packets from undesired hosts
  shutdown                       Shutdown the sensor
  system                         Change to System Mode
  tail-logs                      Tails the logs selected by the user
  test                           Test subsystems, memory, interfaces, and configurations
  traceroute                     Find route to remote network
  undebug                        Disable debugging functions (see also 'debug')
  verify                         Verify a file
  vpn-sessiondb                  Configure the VPN Session Manager
  webvpn-cache                   Remove cached object

 

> show ?

access-control-config audit-cert            audit-log

coredump              cpu                   database

disk                  disk-manager          dns

high-availability     https-access-list     ipv6-icmp

log-events-to-ramdisk managers              memory

model                 network               network-dhcp-server

network-static-routes ntp                   packet

perfstats             process-tree          processes

serial-number         snort                 ssh-access-list

ssl-policy-config     ssl-protocol          summary

syslog-config         tech-support          time

unified-logging       user                  version

aaa                   aaa-server            access-list

app-agent             arp                   arp-inspection

as-path-access-list   asp                   banner

bfd                   bgp                   blocks

bootvar               bridge-group          capture

chassis               checkheaps            checksum

chunkstat             clns                  cluster

community-list        config-cli            configuration

conn                  console-output        counters

crashinfo             crypto                ctiqbe

ctl-provider          curpriv               ddns

debug                 dhcpd                 dhcprelay

diameter              disk0:                disk1:

eigrp                 failover              file

firewall              flash:                flow-export

fqdn                  fragment              gc

h225                  h245                  h323

idb                   igmp                  inline-set

interface             inventory             ip

ipv6                  isakmp                isis

kernel                key                   lisp

local-host            logging               mac-address-table

mac-learn             message-layer         mfib

mgcp                  mode                  monitor-interface

mrib                  mroute                nameif

nat                   object-group          ospf

packet-tracer         pager                 parser

password              pclu                  perfmon

pim                   policy-list           policy-route

prefix-list           priority-queue        quota

resource              rip                   rollback-status

route                 route-map             rule

running-config        sctp                  service-policy

shun                  sip                   skinny

sla                   snmp-server           snort

ssl                   startup-config        sunrpc-server

tcpstat               threat-detection      time-range

tls-proxy             track                 traffic

vlan                  vpdn                  vpn

vpn-sessiondb         wccp                  webvpn

xlate                 zone

 

> show interface ip brief

Interface                  IP-Address      OK?           Method Status      Protocol

Internal-Data0/0           unassigned      YES           unset  up          up 

Ethernet1/1                unassigned      YES           unset  up          up 

Ethernet1/2                unassigned      YES           unset  admin down  down

Ethernet1/3                unassigned      YES           unset  admin down  down

Ethernet1/4                unassigned      YES           unset  admin down  down

Ethernet1/5                unassigned      YES           unset  admin down  down

Ethernet1/6                unassigned      YES           unset  admin down  down

Ethernet1/7                unassigned      YES           unset  admin down  down

Ethernet1/8                unassigned      YES           unset  admin down  down

Internal-Control1/1        unassigned      YES           unset  up          up 

Internal-Data1/1           169.254.1.1     YES           unset  up          up 

Internal-Data1/2           unassigned      YES           unset  up          up 

Management1/1              unassigned      YES           unset  up          up

  

> show interface Management 1/1

Interface Management1/1 "diagnostic", is up, line protocol is up   // DIAGNOSTIC IS A LOGICAL INTERFACE; ONLY ALLOWS MANAGEMENT TRAFFIC; IT DOESN'T SUPPORT SSH; USED FOR SNMP AND SYSLOG

  Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec

        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        MAC address 5c5a.c7b8.f781, MTU 1500

        IP address unassigned

        1730 packets input, 149633 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        1 L2 decode drops, 0 demux drops

        0 packets output, 0 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        input queue (blocks free curr/low): hardware (0/0)

        output queue (blocks free curr/low): hardware (0/0)

  Traffic Statistics for "diagnostic":

        1728 packets input, 125257 bytes

        0 packets output, 0 bytes

        1309 packets dropped

      1 minute input rate 1 pkts/sec,  58 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  91 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

        Management-only interface. Blocked 0 through-the-device packets

 

 

The box has several CLI levels: the FXOS CLI (# prompt), the regular FTD CLI or CLISH (> prompt) reached with connect ftd, and expert mode ($ prompt) reached with the expert command from the FTD CLI. Type exit at the > prompt to return to the FXOS CLI.


> exit
firepower# ?
  acknowledge     Acknowledge
  backup          Backup
  commit-buffer   Commit transaction buffer
  connect         Connect to Another CLI
  discard-buffer  Discard transaction buffer
  end             Go to exec mode
  exit            Exit from command interpreter
  scope           Changes the current mode
  set             Set property values
  show            Show system information
  terminal        Set terminal line parameters
  top             Go to the top mode
  up              Go up one mode
  where           Show information about the current mode


firepower# show ?
  chassis              Chassis
  cli                  CLI Information
  clock                Clock
  configuration        Configuration
  eth-uplink           Ethernet Uplink
  event                Event Management
  fabric-interconnect  Show NGFW
  fault                Fault
  fxos-mode            Fxos-mode
  identity             Identity
  ntp-overall-status   NTP Overall Time-Sync Status
  registry-repository  Registry Repository
  security             security mode
  server               Server
  system               Systems
  timezone             Set timezone
  version              System version 
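Before trusting a freshly unboxed unit (or one coming back from a reset), it is worth checking the serial-console capture for the integrity milestones the boot output above prints: the LFBFF signature and controller-type checks on the FXOS bundle, the digital-signature check on the manager image, the data-plane POST result, the SW-DRBG health test and the startup-config cryptochecksum, plus the notice that the FIPS POST was skipped because FIPS mode is off. The script below is an added example written for this post, not a Cisco tool or code from the original page; the milestone names, the REQUIRED set and the finding strings are my own choices, and SAMPLE_LOG is a constructed excerpt assembled from lines of the capture above. Point it at a saved console log (e.g. from a terminal emulator's session capture) to get a pass/fail plus an inventory of the image versions that booted.

```python
"""Audit a saved Firepower 1010 serial-console boot capture for the
integrity milestones that FXOS and FTD print while booting.
Hypothetical helper for this post, not a Cisco-provided tool."""
import re
import sys
from dataclasses import dataclass, field

# Constructed excerpt, assembled from lines of a console capture like the one above.
SAMPLE_LOG = """\
Attempt autoboot: "boot disk0:installables/switch/fxos-k8-fp2k-lfbff.2.6.1.133.SPA"
LFBFF signature verified.
|              LFBFF controller type check passed !!!               |
NOTICE: The FIPS POST is not run because the FIPS feature is not enabled
The digital signature of the file: fxos-k9-fp2k-manager.2.6.1.133.SPA verified successfully
Threat Defense System: CMD=-bootup, CSP-ID=cisco-ftd.6.4.0.102__ftd_001_JMX2324G1THA28AI31, FLAG=''
Cisco FTD booted up successfully.
POST finished, result is 0 (hint: 1 means it failed)
Cryptochecksum (unchanged): 219d676b d19c7cb2 38101f20 513e3534
INFO: SW-DRBG health test passed.
Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower 1010 Threat Defense v6.4.0.3 (build 29)
"""

# Milestone name -> regex; capture groups hold the detail worth reporting.
# Matching is line by line so a raw serial capture with noise in between still works.
MILESTONES = {
    "fxos_image":        re.compile(r'boot disk0:installables/switch/(\S+)"'),
    "lfbff_signature":   re.compile(r"LFBFF signature verified\."),
    "lfbff_ctrl_type":   re.compile(r"LFBFF controller type check passed"),
    "fips_post_skipped": re.compile(r"FIPS POST is not run because the FIPS feature is not enabled"),
    "manager_signature": re.compile(r"digital signature of the file: (\S+) verified successfully"),
    "app_signature":     re.compile(r"Verifying signature for (\S+) \.\.\. success"),
    "ftd_csp":           re.compile(r"CSP-ID=(cisco-ftd\.[\d.]+)__"),
    "ftd_booted":        re.compile(r"Cisco FTD booted up successfully\."),
    "post_result":       re.compile(r"POST finished, result is (\d+)"),
    "cryptochecksum":    re.compile(r"Cryptochecksum \((\w+)\): ([0-9a-f ]+)"),
    "drbg_health":       re.compile(r"SW-DRBG health test passed\."),
    "ftd_version":       re.compile(r"Threat Defense v([\d.]+) \(build (\d+)\)"),
}

# Milestones that must appear in every healthy first boot (my choice of baseline).
REQUIRED = ("lfbff_signature", "lfbff_ctrl_type", "manager_signature",
            "ftd_booted", "post_result", "drbg_health")


@dataclass
class BootAudit:
    seen: dict = field(default_factory=dict)       # milestone -> tuple of captured groups
    findings: list = field(default_factory=list)   # "FAIL: ..." / "WARN: ..." strings

    @property
    def passed(self) -> bool:
        return not any(f.startswith("FAIL") for f in self.findings)


def audit_boot_log(text: str) -> BootAudit:
    """Scan a console capture and return which milestones were seen plus findings."""
    audit = BootAudit()
    for line in text.splitlines():
        for name, rx in MILESTONES.items():
            m = rx.search(line)
            if m:
                audit.seen[name] = tuple(g.strip() for g in m.groups())
    for name in REQUIRED:
        if name not in audit.seen:
            audit.findings.append(f"FAIL: milestone '{name}' not found in capture")
    post = audit.seen.get("post_result")
    if post and post[0] != "0":
        audit.findings.append(f"FAIL: data-plane POST returned {post[0]} (0 expected)")
    if "fips_post_skipped" in audit.seen:
        audit.findings.append("WARN: FIPS mode is off, so the FIPS power-on self-test was skipped")
    crypto = audit.seen.get("cryptochecksum")
    if crypto and crypto[0] != "unchanged":
        audit.findings.append(f"WARN: startup-config cryptochecksum reported '{crypto[0]}'")
    return audit


def inventory(audit: BootAudit) -> dict:
    """Image and version facts worth recording against the device."""
    keys = ("fxos_image", "manager_signature", "ftd_csp", "ftd_version", "cryptochecksum")
    return {k: audit.seen[k] for k in keys if k in audit.seen}


if __name__ == "__main__":
    # Usage: python audit_boot.py [console-capture.log]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = audit_boot_log(text)
    print("PASS" if result.passed else "FAIL")
    for item in inventory(result).items():
        print("  %-18s %s" % item)
    for finding in result.findings:
        print("  " + finding)
```

The checks are intentionally string-level: they confirm the box reported that its signed images verified and that the self-tests ran, which is the evidence the console gives you. They do not replace comparing the image names against the files you actually downloaded from Cisco, and the cryptochecksum is only meaningful once you have a known-good value to compare it with after the initial configuration is saved.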



I was initially unable to access the management IP address 192.168.45.45 via HTTPS, so I performed a "factory reset" using the reset button. Just press and hold it for 10 seconds with a pen or pencil point, then release.

 

> 2020-09-07 02:38:50 logmonitor[15948]: syslog-ng not running. starting it.

Message from root@firepower (Mon Sep  7 02:38:54 2020)
2020-09-07 02:38:55 logmonitor[15948]: Failed to start syslog-ng.

Stopping all devices.

device busy

Stopping OpenBSD Secure Shell server: sshd

stopped /usr/sbin/sshd (pid 9932)

done.

Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1655)

acpid.

Stopping system message bus: dbus.

stopping mountd: done

stopping nfsd: done

Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 10253)

done

Stopping internet superserver: xinetd.

stopping statd: done

no /etc/sysconfig/kdump.conf

Stopping rpcbind daemon...

not running.

Stopping fan control daemon: fancontrol... no process in pidfile '/var/run/fancontrol.pid' found; none killed

done.

Stopping sensors logging daemon: sensord... stopped /usr/sbin/sensord (pid 3495)

done.

Deconfiguring network interfaces... done.

ip6tables: Setting chains to policy ACCEPT: mangle filter [  OK  ]

ip6tables: Flushing firewall rules: [  OK  ]

ip6tables: Unloading modules: [  OK  ]

iptables: Setting chains to policy ACCEPT: mangle filter [  OK  ]

iptables: Flushing firewall rules: [  OK  ]

iptables: Unloading modules: [  OK  ]

SSP-Security-Module is shutting down ...

Mon Sep  7 02:38:57 UTC 2020 SHUTDOWN WARNING: Beginning System Shutdown request for CSP Apps

Mon Sep  7 02:38:57 UTC 2020 SHUTDOWN WARNING: Continue System Shutdown request for CSP Apps

/bin/ls: cannot access /opt/cisco/config/heimdall/etc: No such file or directory

/bin/ls: cannot access /opt/cisco/csp/applications/configs: No such file or directory

ls: cannot access /opt/cisco/config/heimdall/etc: No such file or directory

Mon Sep  7 02:38:57 UTC 2020 SHUTDOWN WARNING: Nothing to do for Apps-Services-Down

Sending ALL processes the TERM signal ...

ipsec_starter[9945]: charon stopped after 400 ms

ipsec_starter[9945]: ipsec starter stopped

Note: SIGKILL_ALL will be triggered after after 0 + 2 secs ...

Sending ALL processes the KILL signal ...

Deactivating swap...

Unmounting local filesystems...

Rebooting... [ 1467.752977] reboot: Restarting system

 

firepower-1010# connect ftd

Error: Application is not installed.

firepower-1010#

Threat Defense System: CMD=-install, CSP-ID=cisco-ftd.6.4.0.102__ftd_001_JMX2324G1THPHT8K11, FLAG=''

System begins installation ...

Cisco FTD installation finished successfully.

Verifying signature for cisco-ftd.6.4.0.102 ...

Verifying signature for cisco-ftd.6.4.0.102 ... success

Threat Defense System: CMD=-start, CSP-ID=cisco-ftd.6.4.0.102__ftd_001_JMX2324G1THPHT8K11, FLAG=''

System starting ...

Registering to process manager ...

Cisco FTD started successfully.

Cisco FTD initializing ...

Verify FSIC, File System Integrity Check

Configuring model to 78A...

firepower-1010#

Obtained uid 501 and gid 501 for external user

/ngfw/usr/bin/clish: error while loading shared libraries: libclish.so.1: cannot open shared object file: No such file or directory

firepower-1010# verify_fsic(start)

Do not run FSIC twice for SSP systems...

Initializing Threat Defense ...                                       [  OK  ]

Starting system log daemon...                                         [  OK  ]

Disk free check passed, creating swap...

Building swapfile /ngfw/Volume/.swaptwo of size 5508236kb

firepower-1010#

5508236+0 records in

5508236+0 records out

5640433664 bytes (5.6 GB) copied, 19.3411 s, 292 MB/s

Setting up swapspace version 1, size = 5.3 GiB (5640429568 bytes)

no label, UUID=fea3f797-62d5-4a65-ab19-a3316ba05ec6

Adding swapfile /ngfw/Volume/.swaptwo

Flushing all current IPv4 rules and user defined chains: ...success

Clearing all current IPv4 rules and user defined chains: ...success

Applying iptables firewall rules:

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Applying rules successed

Flushing all current IPv6 rules and user defined chains: ...success

Clearing all current IPv6 rules and user defined chains: ...success

Applying ip6tables firewall rules:

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Applying rules successed

Starting nscd...

mkdir: created directory '/var/run/nscd'                              [  OK  ]

Starting , please wait......complete.

cleaning up *.TMM and *.TMD files

Firstboot detected, executing scripts

Executing S01virtual-machine-reconfigure                              [  OK  ]

Executing S01z_copy_startup-config                                    [  OK  ]

Executing S02aws-pull-cfg                                             [  OK  ]

Executing S02configure_onbox                                          [  OK  ]

Executing S04fix-httpd.sh                                             [  OK  ]

Executing S05set-default-ipv4.pl

You must accept the EULA to continue.

Press <ENTER> to display the EULA: <HIT ENTER TO CONTINUE>

 

<OUTPUT TRUNCATED - HIT SPACE BAR>

 

18. Integration. If any portion of this EULA is found to be void or

unenforceable, the remaining provisions of the EULA shall remain in full force

and effect. Except as expressly stated or as expressly amended in a signed

agreement, the EULA constitutes the entire agreement between the parties with

respect to the license of the Software and supersedes any conflicting or

additional terms contained in any purchase order or elsewhere, all of which

terms are excluded. The parties agree that the English version of the EULA will

govern in the event of a conflict between it and any version translated into

another language.

 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco

and/or its affiliates in the U.S. and other countries. To view a list of Cisco

trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks

mentioned are the property of their respective owners. The use of the word

partner does not imply a partnership relationship between Cisco and any other

company.

 

System initialization in progress.  Please stand by.  |

 

********** Attention **********

 

   Initializing the system's localization settings.  Depending on available

   system resources (CPU, memory, and disk), this may take 10 minutes

   or more to complete.

 

********** Attention **********

 

Executing S97update_modprobe.pl                                       [  OK  ]

Executing S98check-db-integrity.sh                                    [  OK  ]

Executing S98htaccess-init                                            [  OK  ]

Executing S99configure_mysql                                          [  OK  ]

Executing S99correct_ipmi.pl                                          [  OK  ]

Executing S99ssl_hw_mode.sh                                           [  OK  ]

Executing S99start-system                                             [  OK  ]

Executing S99z_db_restore                                             [  OK  ]

Firstboot scripts finished.

Configuring NTP...                                                    [  OK  ]

Stopping all devices.

Starting all devices.

Processing /etc/c3xxx_dev0.conf

Checking status of all devices.

There is 1 QAT acceleration device(s) in the system:

 qat_dev0 - type: c3xxx,  inst_id: 0,  node_id: 0,  bsf: 01:00.0,  #accel: 3 #engines: 6 state: up

SIOCSIFADDR: No such device

br0: ERROR while getting interface flags: No such device

SIOCSIFNETMASK: No such device

br0: ERROR while getting interface flags: No such device

Model reconfigure detected, executing scripts

Pinging mysql

Found mysql is running

Executing 45update-sensor.pl                                          [  OK  ]

Executing 55recalculate_arc.pl                                        [  OK  ]

Mon Sep 7 03:00:45 UTC 2020

Starting MySQL...

Pinging mysql

Pinging mysql, try 1

Found mysql is running

Running initializeObjects...

Stopping MySQL...

Killing mysqld with pid 7993

Wait for mysqld to exit\c

 done

Mon Sep 7 03:00:56 UTC 2020

Skipping sfifd for this platform...

Starting Cisco Firepower 1010 Threat Defense, please wait...No PM running!

...started.

Cisco FTD initialization finished successfully.

memif is not enabled.

IO Memory Nodes: 1

IO Memory Per Node: 549453824 bytes num_pages = 134144 page_size = 4096

Global Reserve Memory Per Node: 786432000 bytes Nodes=1

LCMB: got 1073741824 bytes on numa-id=0, phys=0x200000000, virt=0x2b8740000000

LCMB: HEAP-CACHE POOL got 784334848 bytes on numa-id=0, virt=0x2b8705400000

total mem 3079146512 new 3079146512 old 659684624 reserv 1858076672 pri new 1233403878 pri old 0 system 8394846208 kernel 12334038 image 110230800

Processor memory:   3079146512

POST started...

POST finished, result is 0 (hint: 1 means it failed)

Compiled on Mon 22-Apr-19 08:39 PDT by builders

SSL Hardware Offload is Enabled

FPR-1010 platformpci_do_probe_wc(): Adding WC-NIC vid = 0x8086 did = 0x15c2

Total NICs found: 6

x550em_kr rev 0x11 10 Gigabit Ethernet, index 00 MAC: 00a0.c900.0000

en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 02 MAC: 5c5a.c7b8.f781

en_vtun rev00 Backplane Tap Interface     @ index 03 MAC: 0000.0100.0001

en_vtun rev00 Backplane Control Interface  @ index 05 MAC: 0000.0300.0101

WARNING: Attribute already exists in the dictionary.

License mode file was not found. Assuming this is the initial bootup. Setting the license mode to Smart Licensing.

 

INFO: Unable to read firewall mode from flash

       Writing default firewall mode (single) to flash

 

INFO: Unable to read cluster interface-mode from flash

        Writing default mode "None" to flash

*** Intel QAT Crypto on-board accelerator detected

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

-

  ****************************** Warning *******************************

  This product contains cryptographic features and is

  subject to United States and local country laws

  governing, import, export, transfer, and use.

  Delivery of Cisco cryptographic products does not

  imply third-party authority to import, export,

  distribute, or use encryption. Importers, exporters,

  distributors and users are responsible for compliance

  with U.S. and local country laws. By using this

  product you agree to comply with applicable laws and

  regulations. If you are unable to comply with U.S.

  and local laws, return the enclosed items immediately.

 

  A summary of U.S. laws governing Cisco cryptographic

  products may be found at:

  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

  If you require further assistance please contact us by

  sending email to export@cisco.com.

  ******************************* Warning *******************************

 

Copyright (c) 1996-2017 by Cisco Systems, Inc.

 

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

 

                Cisco Systems, Inc.

                170 West Tasman Drive

                San Jose, California 95134-1706

 

Error No such device in set_linux_mac_address: Failed to assign MAC address for br0

Reading from flash...

!

Cryptochecksum (changed): 6929aede 6646bb60 e7c2f077 d48e4bc9

 

INFO: Power-On Self-Test in process.

.......................................................................

INFO: Power-On Self-Test complete.

 

INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.

User enable_1 logged in to firepower

Logins over the last 1 days: 1. 

Failed logins since the last login: 0. 

Type help or '?' for a list of available commands.

firepower>

You must change the password for 'admin' to continue.

Sep  7 03:02:54 firepower port-manager  : Alert: Ethernet1/1 link changed to DOWN

Enter new password:   

Confirm new password:

You must configure the network to continue.

Unable To Read Running Config: Unable to get current network information:SF::Util::getApplianceUUID: NO APPLIANCE UUID DEFINED......INVALID STATE at /usr/local/sf/lib/perl/5.10.1/SF/NetworkConf.pm line 81.

 

Printing stack trace:

        called from /ngfw/usr/lib/perl5/site_perl/5.10.1/Error.pm (150)

        called from /ngfw/usr/lib/perl5/site_perl/5.10.1/Error.pm (396)

        called from /usr/local/sf/lib/perl/5.10.1/SF/NetworkConf.pm (82)

        called from /usr/local/sf/bin/cli_firstboot (219)

        called from /usr/local/sf/bin/cli_firstboot (1085)

 

 

I was still unable to access FDM (HTTPS) even though I could ping the management IP. ICMP only proves that the management interface is up; FDM's web service does not answer until the FTD application has finished initializing and the network setup wizard (below) has completed, so a successful ping with a failed HTTPS connection is expected at this stage.

 

C:\Windows\System32>ipconfig

 

Windows IP Configuration

 

 

Ethernet adapter Local Area Connection:

 

   Connection-specific DNS Suffix  . :

   IPv4 Address. . . . . . . . . . . : 192.168.45.2

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

 

 

C:\Windows\System32>ping 192.168.45.45   // DEFAULT MANAGEMENT IP ADDRESS

 

Pinging 192.168.45.45 with 32 bytes of data:

Reply from 192.168.45.45: bytes=32 time<1ms TTL=64

Reply from 192.168.45.45: bytes=32 time=1ms TTL=64

Reply from 192.168.45.45: bytes=32 time=1ms TTL=64

Reply from 192.168.45.45: bytes=32 time=1ms TTL=64

 

Ping statistics for 192.168.45.45:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms
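The ping above only shows that the management interface answers; it says nothing about whether the FDM web server is listening yet. Below is an added example (my own code, not from the original post or from Cisco) that probes TCP/443 on the management address, distinguishes "host up but nothing listening" from "no reply at all", and, once the port is open, records the SHA-256 fingerprint of the self-signed FDM certificate so it can be compared on later connections instead of being accepted blindly every time. The host default follows the post (192.168.45.45); the polling budget and interval are assumptions.

```python
"""Probe the FTD management address for FDM (HTTPS) readiness.

Added example, not part of the original post or of Cisco's tooling.
Host default 192.168.45.45 is the FTD factory management IP from the post;
attempts/interval values are assumptions chosen to cover the ~5 minutes the
post reports between FTD initialization and FDM becoming reachable.
"""
import hashlib
import socket
import ssl
import time


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect: 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host answers but nothing listens (FDM not up yet)
    except socket.timeout:
        return "timeout"       # silently dropped: wrong address or filtered
    except OSError:
        return "unreachable"   # no route to host / local interface down


def cert_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """SHA-256 fingerprint of the leaf certificate presented on host:port.

    Verification is disabled on purpose: the first-boot FDM certificate is
    self-signed, so the goal is to capture its fingerprint once and compare it
    on later connections (trust-on-first-use), not to validate it against a CA.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def wait_for_fdm(host: str = "192.168.45.45", port: int = 443,
                 attempts: int = 60, interval: float = 5.0) -> str:
    """Poll until TCP/port is open or attempts run out; return the final state."""
    state = "unreachable"
    for _ in range(attempts):
        state = probe_tcp(host, port)
        if state == "open":
            return state
        time.sleep(interval)
    return state


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.45.45"
    print(f"{target}:443 -> {wait_for_fdm(target)}")
    if probe_tcp(target, 443) == "open":
        print("certificate sha256:", cert_fingerprint(target))
```

Run it from the management host while the device initializes; "refused" means the box is up but FDM is not listening yet, "timeout" usually means the wrong address or a filtered path. Keep the printed fingerprint with your device records and re-check it before accepting the certificate warning in the browser.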

 


You can access the FTD CLI with the connect ftd command, which starts the initial configuration setup wizard.

firepower# connect ftd

 

System initialization in progress.  Please stand by. 

You must configure the network to continue.

You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]:  < HIT ENTER TO ACCEPT DEFAULT OPTION>

Do you want to configure IPv6? (y/n) [n]:   < HIT ENTER TO ACCEPT DEFAULT OPTION>

Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:   < HIT ENTER TO ACCEPT DEFAULT OPTION>

Enter an IPv4 address for the management interface [192.168.45.45]:   < HIT ENTER TO ACCEPT DEFAULT OPTION>

Enter an IPv4 netmask for the management interface [255.255.255.0]:   < HIT ENTER TO ACCEPT DEFAULT OPTION>

Enter the IPv4 default gateway for the management interface [data-interfaces]: 192.168.45.1

Enter a fully qualified hostname for this system [firepower]: fpr1010-ftd-lab

Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:   < HIT ENTER TO ACCEPT DEFAULT OPTION>

Enter a comma-separated list of search domains or 'none' []: lab.com

If your networking information has changed, you will need to reconnect.

Setting DNS servers: 208.67.222.222 208.67.220.220

Setting DNS domains:lab.com

Setting hostname as fpr1010-ftd-lab

DHCP server is enabled with pool: 192.168.45.46-192.168.45.254. You may disable with configure network ipv4 dhcp-server-disable

Setting static IPv4: 192.168.45.45 netmask: 255.255.255.0 gateway: 192.168.45.1 on management0

Updating routing tables, please wait...

All configurations applied to the system. Took 3 Seconds.

Saving a copy of running network configuration to local disk.

For HTTP Proxy configuration, run 'configure network http-proxy'

 

Sep  7 03:11:22 fpr1010-ftd-lab port-manager  : Alert: Ethernet1/1 link changed to UP

Manage the device locally? (yes/no) [yes]: < HIT ENTER TO ACCEPT DEFAULT OPTION>   // FOR FDM ACCESS INSTEAD OF FMC

 

Configuring firewall mode to routed

 

 

Update policy deployment information

    - add device configuration

Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
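Two things in the wizard output are worth checking before you press Enter on the defaults: the gateway must actually live in the management subnet (the default keyword data-interfaces routes management traffic via the data interfaces instead), and the wizard silently enables a DHCP server on management0 with a pool covering the rest of the subnet, which you may want to turn off with configure network ipv4 dhcp-server-disable. The following is an added example (my own code, not from the original post or from Cisco) that validates the wizard answers and derives the pool the wizard will announce. The pool rule (management IP + 1 up to the last usable host) is generalised from the single output shown in the post and is an assumption, not documented Cisco behaviour.

```python
"""Sanity-check answers for the FTD 'configure network' first-boot wizard.

Added example, not from the original post or from Cisco. Values in the
usage block are the ones typed into the wizard in the post; the DHCP pool
rule (mgmt IP + 1 .. last usable host) is an assumption inferred from the
wizard's own "DHCP server is enabled with pool" line.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One or more DNS labels: letters, digits, hyphen; no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass
class MgmtPlan:
    address: str
    netmask: str
    gateway: str          # IPv4 address or the wizard keyword 'data-interfaces'
    hostname: str
    dns_servers: str      # comma-separated list or 'none', as typed at the prompt
    search_domains: str = "none"
    problems: List[str] = field(default_factory=list)

    def interface(self) -> ipaddress.IPv4Interface:
        # ipaddress accepts "addr/dotted-netmask" directly.
        return ipaddress.IPv4Interface(f"{self.address}/{self.netmask}")

    def dhcp_pool(self) -> Optional[Tuple[str, str]]:
        """(first, last) of the pool the wizard enables, or None if it would be empty."""
        net = self.interface().network
        last = list(net.hosts())[-1]
        first = ipaddress.IPv4Address(self.address) + 1
        if first > last:
            return None
        return str(first), str(last)

    def validate(self) -> List[str]:
        """Return a list of problems; empty means the answers are consistent."""
        self.problems = []
        try:
            iface = self.interface()
        except ValueError as exc:
            self.problems.append(f"bad address/netmask: {exc}")
            return self.problems
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            self.problems.append("management IP is the network or broadcast address")
        if self.gateway != "data-interfaces":
            try:
                gw = ipaddress.IPv4Address(self.gateway)
            except ValueError:
                self.problems.append(f"gateway {self.gateway!r} is not an IPv4 address")
            else:
                if gw not in net:
                    self.problems.append(f"gateway {gw} is outside {net}")
                elif gw == iface.ip:
                    self.problems.append("gateway equals the management IP")
        if not HOSTNAME_RE.match(self.hostname):
            self.problems.append(f"hostname {self.hostname!r} is not a valid name")
        if self.dns_servers != "none":
            for entry in self.dns_servers.split(","):
                try:
                    ipaddress.IPv4Address(entry.strip())
                except ValueError:
                    self.problems.append(f"DNS server {entry.strip()!r} is not an IPv4 address")
        return self.problems

    def summary(self) -> str:
        pool = self.dhcp_pool()
        pool_txt = f"{pool[0]}-{pool[1]}" if pool else "none (no free addresses)"
        return (f"{self.hostname}: management0 {self.interface()} gw {self.gateway}; "
                f"DHCP pool that will be enabled: {pool_txt} "
                f"(disable with: configure network ipv4 dhcp-server-disable)")


if __name__ == "__main__":
    # Answers from the post's wizard session.
    plan = MgmtPlan("192.168.45.45", "255.255.255.0", "192.168.45.1",
                    "fpr1010-ftd-lab", "208.67.222.222,208.67.220.220", "lab.com")
    print(plan.summary())
    for problem in plan.validate():
        print("PROBLEM:", problem)
```

Feed it the answers you intend to type; anything it reports as a problem would otherwise surface only as "If your networking information has changed, you will need to reconnect" followed by a lost console session or an unreachable FDM.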

 

> show managers

Managed locally.

 

> show interface ip brief

Interface                  IP-Address      OK?           Method Status      Protocol

Internal-Data0/0           unassigned      YES           unset  up          up 

Ethernet1/1                116.87.123.45   YES           DHCP   up          up    // ISP WAN

Ethernet1/2                192.168.1.1     YES           unset  down        down

Ethernet1/3                192.168.1.1     YES           unset  down        down

Ethernet1/4                192.168.1.1     YES           unset  down        down

Ethernet1/5                192.168.1.1     YES           unset  down        down

Ethernet1/6                192.168.1.1     YES           unset  down        down

Ethernet1/7                192.168.1.1     YES           unset  down        down

Ethernet1/8                192.168.1.1     YES           unset  down        down

Internal-Control1/1        unassigned      YES           unset  up          up 

Internal-Data1/1           169.254.1.1     YES           unset  up          up 

Internal-Data1/2           unassigned      YES           unset  up          up 

Management1/1              unassigned      YES           unset  up          up 

BVI1                       192.168.1.1     YES           manual up          up

 

> show route

 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 116.87.123.45 to network 0.0.0.0

 

S*       0.0.0.0 0.0.0.0 [1/0] via 116.87.123.45, outside    // OBTAINED VIA DHCP FROM ISP

C        116.87.192.0 255.255.192.0 is directly connected, outside

L        116.87.195.156 255.255.255.255 is directly connected, outside

C        192.168.1.0 255.255.255.0 is directly connected, inside

L        192.168.1.1 255.255.255.255 is directly connected, inside

 

> configure password   // CHANGE THE PASSWORD FOR "admin" ACCOUNT

Enter current password:

Enter new password:

Confirm new password:

 

Password Update successful.

 

 

It took around 5 minutes to access FDM after the FTD had fully initialized. Accept the self-signed certificate in the web browser to continue; this is expected on a fresh device, but note the certificate you accepted and replace it with one issued by your own PKI before the management interface is exposed to anything beyond the setup workstation.

 

Login using the changed password for admin account.

You first need to configure the Internet Connection (WAN IP address on Ethernet1/1).

Configure IPv4 > Using DHCP (default). I chose DHCP since I get a Dynamic IP address from my ISP.

IPv6 is disabled/Off by default.

I left the Management Interface settings since these were configured during the initial setup wizard. Click Next.

Select a Time Zone: UTC+08:00 Asia/Singapore > select NTP Time Server: Default NTP Servers (Cisco/Sourcefire public NTP servers) > click Next.

I'll skip registering the FTD device with Cisco Smart Software Manager for now.

Select Start 90-day evaluation period without registration > click Finish.

 

This would allow me to test all the FTD Smart License features: Threat, Malware and URL.

 

You can reconfigure the inside interface IP address (default is 192.168.1.0/24) and other system settings in the next steps.


1 comment:

  1. This is pretty good to get me started. Thanks, I just bought one.
