Friday, February 5, 2021

Cisco Firepower 1010 Reimage ASA to FTD

It's almost Chinese New Year 2021 (also known as Spring Festival or Lunar New Year) and I was craving for some Chinese food. So I went to Hawker Chan in Chinatown Singapore to try out the world's cheapest Michelin-starred meal, which is their famous Soya Sauce Chicken rice. I also ordered a two combination platter that includes Char Siew and Roasted Pork. The meal isn't complete without the chili sauce.


I visited the Buddha Tooth Relic Temple, which is just a few blocks away. It's a Buddhist temple and got its name from a relic which claimed to be the left canine tooth of Buddha. The entrance is free and there's a museum in the upper floor (Buddha's tooth chamber is in the fourth floor). Taking photos and video inside the temple premise isn't allowed.




You can reimage an FTD appliance from ASA software back to FTD OS. Below are the steps for the FTD ASA to FTD conversion. I'm running a TFTP server in my laptop with static IP address 192.168.1.10/24.

Transfer the FTD image (version 6.5) to the flash (disk0:) memory.

ciscoasa# dir                                                        

 

Directory of disk0:/

 

203    drwx  72           08:14:14 Sep 27 2020  log

268435725  drwx  4096         08:28:18 Sep 27 2020  .private

217    -rw-  35741420     20:15:16 Apr 01 2020  asdm.bin

805306554  -rw-  0            08:13:19 Sep 27 2020  coredumpfsysimage.bin

2      drwx  4096         02:38:46 Sep 07 2020  coredumpfsys

538294939  drwx  21           08:14:15 Sep 27 2020  smart-log

805309474  drw-  25           08:14:32 Sep 27 2020  coredumpinfo

2      drwx  4096         02:38:46 Sep 07 2020  cores

538294937  drwx  6            08:13:18 Sep 27 2020  fxos

268435721  -rw-  1462         08:13:18 Sep 27 2020  cspCfg.xml

 

3 file(s) total size: 35742882 bytes

16106127360 bytes total (15797760000 bytes free/98% free)

 

 

ciscoasa# ping 192.168.1.10   // ENSURE TFTP/FTP SERVER IS REACHABLE

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 

ciscoasa# copy tftp://192.168.1.10/cisco-ftd-fp1k.6.5.0-115.SPA disk0:

 

Address or name of remote host [192.168.1.10]?

 

Source filename [cisco-ftd-fp1k.6.5.0-115.SPA]?

 

Destination filename [cisco-ftd-fp1k.6.5.0-115.SPA]?

 

Accessing tftp://192.168.1.10/cisco-ftd-fp1k.6.5.0-115.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

<OUTPUT TRUNCATED>

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Verifying file disk0:/cisco-ftd-fp1k.6.5.0-115.SPA...

 

Writing file disk0:/cisco-ftd-fp1k.6.5.0-115.SPA...

 

1055923072 bytes copied in 607.740 secs (1739576 bytes/sec)

 

ciscoasa# dir

 

Directory of disk0:/

 

203    drwx  72           08:14:14 Sep 27 2020  log

268435725  drwx  4096         08:28:18 Sep 27 2020  .private

217    -rw-  35741420     20:15:16 Apr 01 2020  asdm.bin

805306554  -rw-  0            08:13:19 Sep 27 2020  coredumpfsysimage.bin

2      drwx  4096         02:38:46 Sep 07 2020  coredumpfsys

538294939  drwx  21           08:14:15 Sep 27 2020  smart-log

805309474  drw-  25           08:14:32 Sep 27 2020  coredumpinfo

2      drwx  4096         02:38:46 Sep 07 2020  cores

538294937  drwx  6            08:13:18 Sep 27 2020  fxos

268435721  -rw-  1462         08:13:18 Sep 27 2020  cspCfg.xml

805309488  -rwx  1055923072   00:24:18 Oct 03 2020  cisco-ftd-fp1k.6.5.0-115.SPA

 

4 file(s) total size: 1091665954 bytes

16106127360 bytes total (14741835776 bytes free/91% free)

 

Configure the ASA to boot the downloaded FTD image.

 

ciscoasa# configure terminal

ciscoasa(config)#

 

***************************** NOTICE *****************************

 

Help to improve the ASA platform by enabling anonymous reporting,

which allows Cisco to securely receive minimal error and health

information from the device. To learn more about this feature,

please visit: http://www.cisco.com/go/smartcall

 

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)# boot system disk0:/cisco-ftd-fp1k.6.5.0-115.SPA     // AUTO INSTALL FTD OS AFTER PRESSING ENTER

 

The system is currently installed with security software package 9.14.1, which has:

   - The platform version:  2.8.1.105

   - The CSP (asa) version: 9.14.1

Preparing new image for install...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Image download complete (Successful unpack the image).

Attention:

   If you proceed, the system will be re-imaged and then reboot automatically.

   All existing configuration will be lost and the default configuration will be applied.

Installation of version 6.5.0-115 will do the following:

   - upgrade to the new platform version 2.7.1.107

   - upgrade to the CSP FTD version 6.5.0-115

Do you want to proceed? [confirm]   <ENTER>

Finalizing image install process...

 

Install_status: ready....

Install_status: validating-images............................................

Install_status: upgrading-system..(®+‘…Íсmessage from root@firepower-1010 (Sat Oct  3 01:02:28 Stopping all devices.

device busy

Stopping OpenBSD Secure Shell server: sshd

stopped /usr/sbin/sshd (pid 11545)

done.

Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1988)

acpid.

Stopping system message bus: dbus.

stopping mountd: done

stopping nfsd: done

Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 22501)

done

Stopping random number generator daemon.

Stopping internet superserver: xinetd.

stopping statd: done

Failed to stop kdump!

Stopping crond: OK

Stopping rpcbind daemon...

not running.

Stopping fan control daemon: fancontrol... no process in pidfile '/var/run/fancontrol.pid' found; none killed

done.

Stopping sensors logging daemon: sensord... stopped /usr/sbin/sensord (pid 4043)

done.

Deconfiguring network interfaces... done.

ip6tables: Setting chains to policy ACCEPT: filter [  OK  ]

ip6tables: Flushing firewall rules: [  OK  ]

ip6tables: Unloading modules: [  OK  ]

iptables: Setting chains to policy ACCEPT: filter raw [  OK  ]

iptables: Flushing firewall rules: [  OK  ]

iptables: Unloading modules: [  OK  ]

Sat Oct  3 01:02:31 UTC 2020

SSP-Security-Module is shutting down ...

Sat Oct  3 01:02:31 UTC 2020 SHUTDOWN WARNING: Beginning System Shutdown request for CSP Apps

Sat Oct  3 01:02:31 UTC 2020 SHUTDOWN WARNING: Continue System Shutdown request for CSP Apps

/bin/ls: cannot access /opt/cisco/config/heimdall/etc: No such file or directory

/bin/ls: cannot access /opt/cisco/csp/applications/configs: No such file or directory

ls: cannot access /opt/cisco/config/heimdall/etc: No such file or directory

Sat Oct  3 01:02:31 UTC 2020 SHUTDOWN WARNING: Nothing to do for Apps-Services-Down

Sat Oct  3 01:02:31 UTC 2020

FPR-1xxx platform rebooting ...

Note: SIGKILL_ALL will be triggered after after 0 + 2 secs ...

Sat Oct  3 01:02:32 UTC 2020

Sending ALL processes the KILL signal ...

Error: poshd was not running... Starting ...

Sat Oct  3 01:02:33 UTC 2020

Deactivating swap...

Unmounting local filesystems...

Rebooting... [ 3915.645843] reboot: Restarting system    // FTD WILL AUTO REBOOT

 

 

*******************************************************************************

Cisco System ROMMON, Version 1.0.08, RELEASE SOFTWARE

Copyright (c) 1994-2019  by Cisco Systems, Inc.

Compiled Mon 06/17/2019 15:54:21.43 by builder

*******************************************************************************

 

Current image running: Boot ROM1

Last reset cause: ResetRequest (0x00001000)

DIMM0 : Present

 

Platform FPR-1010 with 8192 MBytes of main memory

BIOS has been successfully locked !!

MAC Address: 5c:5a:c7:b8:f7:80

 

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 4 seconds.

 

Use SPACE to begin boot immediately.

                  

 

Located .boot_string

Image size 59 inode num 16, bks cnt 1 blk size 8*512

 

Attempt autoboot: "boot disk0:installables/switch/fxos-k8-fp1k-lfbff.2.7.1.107.SPA"

Located installables/switch/fxos-k8-fp1k-lfbff.2.7.1.107.SPA

Image size 176580624 inode num 114030, bks cnt 43111 blk size 8*512

#####################################################################

 

<OUTPUT TRUNCATED>

 

#####################################################################

 

+-------------------------------------------------------------------+

+------------------------- SUCCESS ---------------------------------+

+-------------------------------------------------------------------+

|                                                                   |

|             LFBFF signature authentication passed !!!             |

|                                                                   |

+-------------------------------------------------------------------+

LFBFF signature verified.

+-------------------------------------------------------------------+

+------------------------- SUCCESS ---------------------------------+

+-------------------------------------------------------------------+

|                                                                   |

|              LFBFF controller type check passed !!!               |

|                                                                   |

+-------------------------------------------------------------------+

 

Linux version: 4.1.21-WR8.0.0.25_standard (builders@sjc-releng14) #1 SMP Sat Sep 21 10:25:19 PDT 2019

kernel_image = 0x73bf3c58, kernel_size=0x50abd0

Image validated

INIT: version 2.88 booting

Starting udev

Configuring network interfaces... done.

Populating dev cache

Primary SSD discovered

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda1] fsck.ext3 -a /dev/sda1

/dev/sda1: clean, 8743/488640 files, 758579/1953024 blocks

fsck(/dev/sda1) returned 0

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda2] fsck.ext3 -a /dev/sda2

/dev/sda2: clean, 12/61056 files, 8242/244224 blocks

fsck(/dev/sda2) returned 0

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda3] fsck.ext3 -a /dev/sda3

/dev/sda3: clean, 14/61056 files, 8244/244224 blocks

fsck(/dev/sda3) returned 0

fsck from util-linux 2.26.2

[/sbin/fsck.ext3 (1) -- /dev/sda4] fsck.ext3 -a /dev/sda4

/dev/sda4: clean, 12/1831424 files, 158992/7324160 blocks

fsck(/dev/sda4) returned 0

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

FIPS POST Test Script

NOTICE: The FIPS POST is not run because the FIPS feature is not enabled

Running postinst /etc/rpm-postinsts/100-dnsmasq...

Running postinst /etc/rpm-postinsts/101-dnsmasq...

INIT: Entering runlevel: 3

Starting system message bus: dbus.

Stopping all devices.

Starting all devices.

Processing /etc/c3xxx_dev0.conf

Checking status of all devices.

There is 1 QAT acceleration device(s) in the system:

 qat_dev0 - type: c3xxx,  inst_id: 0,  node_id: 0,  bsf: 01:00.0,  #accel: 3 #engines: 6 state: up

ip6tables: Applying firewall rules: [  OK  ]

iptables: Applying firewall rules: [  OK  ]

Starting OpenBSD Secure Shell server: sshd

  generating ssh ed25519 key...

done.

Starting rpcbind daemon...done.

starting statd: done

Starting Advanced Configuration and Power Interface daemon: acpid: starting up with netlink and the input layer

acpid.

acpid: 1 rule loaded

acpid: waiting for events: event logging is off

starting 8 nfsd kernel threads: done

starting mountd: done

Starting ntpd: done

Starting random number generator daemonUnable to open file: /dev/tpm0

.

Starting internet superserver: xinetd.

No makedumpfile found.

Starting fan control daemon: fancontrol... done.

INFO: in validating image ...

INFO: manager_validate_image: fxmgr_absfilename /mnt/boot/installables/switch/fxos-k9-manager.2.7.1.107.SPA

INFO: Validating image /mnt/boot/installables/switch/fxos-k9-manager.2.7.1.107.SPA signature ...

: File /mnt/boot/installables/switch/fxos-k9-manager.2.7.1.107.SPA size 26368896

Done!

Computed Hash   SHA2: 1434b368fd187e7dd366e44b8e9d382c

                      7ef4d0e803ca4c6eadd510f4ee7213f7

                      de1b8ffa2bba0722ccb1e5dca1665803

                      2902019adf38b942babec942329cfd54

                     

Embedded Hash   SHA2: 1434b368fd187e7dd366e44b8e9d382c

                      7ef4d0e803ca4c6eadd510f4ee7213f7

                      de1b8ffa2bba0722ccb1e5dca1665803

                      2902019adf38b942babec942329cfd54

                     

The digital signature of the file: fxos-k9-manager.2.7.1.107.SPA verified successfully

INFO: beginning of manager_install

INFO: manager_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-manager.2.7.1.107.SPA chmgr= update=false

INFO: Creating directory /tmp/fxmgr

INFO: /bin/tar -xvzf /tmp/fxmgr/fxos-kp-manager.2.7.1.107.tgz ...

INFO: manager_install: shutting down the old version ...

INFO: Terminating DME and all AGs ...

INFO: --

INFO: manager_install: Unlinking a old libraries ...

INFO: manager_install: Deleting the old manager image ...

INFO: manager_install: Installing the new image ...

INFO: deleting unnecessary xml file..!!

INFO: deleted unnecessary xml file..!!

INFO: manager_post_install ...

INFO: manager_post_install: fxmgr=/mnt/boot/installables/switch/fxos-k9-manager.2.7.1.107.SPA chmgr= update=false

INFO: manager_post_install: Linking libraries ...

INFO: manager_post_install: Linking binaries ...

Completed system initial setup.

INFO: Trying to add iptables and ip6tables rules ...

INFO: Set up Application Diagnostic Interface ...

INFO: Configure management interface ...

Firepower 1xxx platform..

RTNETLINK answers: File exists

RTNETLINK answers: File exists

Assigning ip to eth0 in FPR-1xxx platform

ERROR: interface management0 is not ready after waiting for 60 seconds.

Current link status: [19: management0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default \    link/ether 5c:5a:c7:b8:f7:80 brd ff:ff:ff:ff:ff:ff]

INFO: Configure rmu interface ...

Bring up rmu and swp1-swp10 switch interfaces

create and bringup lldp sub-interface on lldp-swp7, lldp-swp8

create and bringup lacp and mgmt sub-interface on (lacp-swp1 to lacp-swp8), (mgmt-swp1 to mgmt-swp8)

 

 

Stopping rpcbind daemon...

done.

stopping mountd: done

stopping nfsd: .done

INFO: Configure system files ...

INFO: System Name is: firepower-1010

Starting sensors logging daemon: sensord... done.

INFO: console : ttyS0, speed : 9600

INFO: manager_startup: setting up fxmgr apache ...

INFO: manager_startup: Start manager httpd setup...

INFO: manager_startup: /opt/cisco/config/certstore/default.key not found on platform, re-generating files

INFO: manager_startup: reset httpd app config to default

 httpdRegister INFO: [httpd.3886 -4 192.168.45.45 -n localhost]

 httpdRegister INFO: Starting httpd setup/registration...

 httpdRegister INFO: Completed httpd setup/registration!

 INFO: httpdRegister [httpd.3886 script exit]

INFO: manager_startup: Completed manager httpd setup!

Starting crond: OK

INFO: System Disk /dev/sda present. Status: Operable.

 

 

firepower-1010 login:

Waiting for Application infrastructure to be ready...

Verifying the signature of the Application image...

Creating FXOS swap file ...

Oct  3 01:05:46 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][critical][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

Oct  3 01:05:49 firepower-1010 port-manager: Alert: Internal1/2 link changed to UP

Oct  3 01:05:49 firepower-1010 port-manager: Alert: Internal1/1 link changed to UP

Oct  3 01:06:19 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to UP

Oct  3 01:06:20 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to DOWN

Oct  3 01:06:23 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to UP

Oct  3 01:07:15 firepower-1010 FPRM: <<%FPRM-2-DEFAULT_INFRA_VERSION_MISSING>> [F1309][cleared][default-infra-version-missing][org-root/fw-infra-pack-default] Bundle version in firmware package is empty, need to re-install

Oct  3 01:09:20 firepower-1010 port-manager: Alert: Ethernet1/2 link changed to DOWN

 

Threat Defense System: CMD=-install, CSP-ID=cisco-ftd.6.5.0.115__ftd_001_JMX2324G1THBG7ZUP1, FLAG=''

System begins installation ...

Cisco FTD installation finished successfully.

Verifying signature for cisco-ftd.6.5.0.115 ...

Verifying signature for cisco-ftd.6.5.0.115 ... success

 

Threat Defense System: CMD=-start, CSP-ID=cisco-ftd.6.5.0.115__ftd_001_JMX2324G1THBG7ZUP1, FLAG=''

System starting ...

Registering to process manager ...

Cisco FTD started successfully.

Cisco FTD initializing ...

Verify FSIC, File System Integrity Check

Configuring model to 78A...

Obtained uid 501 and gid 501 for external user

verify_fsic(start)

Do not run FSIC twice for SSP systems...

Initializing Threat Defense ...                                       [  OK  ]

Starting system log daemon...                                         [  OK  ]

Disk free check passed, creating swap...

Building swapfile /ngfw/Volume/.swaptwo of size 5494382kb

5494382+0 records in

5494382+0 records out

5626247168 bytes (5.6 GB) copied, 19.6011 s, 287 MB/s

Setting up swapspace version 1, size = 5.2 GiB (5626241024 bytes)

no label, UUID=4388fe75-ad4e-4747-a9e9-459db271b723

Adding swapfile /ngfw/Volume/.swaptwo

Flushing all current IPv4 rules and user defined chains: ...success

Clearing all current IPv4 rules and user defined chains: ...success

Applying iptables firewall rules:

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Applying rules successed

Flushing all current IPv6 rules and user defined chains: ...success

Clearing all current IPv6 rules and user defined chains: ...success

Applying ip6tables firewall rules:

Flushing chain `PREROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Flushing chain `POSTROUTING'

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

Applying rules successed

Starting nscd...                                                      [  OK  ]

Starting , please wait......complete.

cleaning up *.TMM and *.TMD files

Firstboot detected, executing scripts

Executing S01virtual-machine-reconfigure                              [  OK  ]

Executing S01z_copy_startup-config                                    [  OK  ]

Executing S02aws-pull-cfg                                             [  OK  ]

Executing S02configure_onbox                                          [  OK  ]

Executing S03generate_db_access.sh                                    [  OK  ]

Executing S04fix-httpd.sh                                             [  OK  ]

Executing S05set-default-ipv4.pl                                      [  OK  ]

Executing S06addusers                                                 [  OK  ]

Executing S07uuid-init                                                [  OK  ]

Executing S08configure_mysql                                          [  OK  ]

 

************ Attention *********

 

   Initializing the configuration database.  Depending on available

   system resources (CPU, memory, and disk), this may take 30 minutes

   or more to complete.

 

************ Attention *********

 

Executing S09database-init                                            [  OK  ]

Executing S11database-populate                                        [  OK  ]

Executing S12install_infodb                                           [  OK  ]

Executing S15set-locale.sh                                            [  OK  ]

Executing S16update-sensor.pl                                         [  OK  ]

Executing S19cert-tun-init                                            [  OK  ]

Executing S20cert-init                                                [  OK  ]

Executing S21disable_estreamer                                        [  OK  ]

Executing S25create_default_des.pl                                    [  OK  ]

Executing S30init_lights_out_mgmt.pl                                  [  OK  ]

Executing S33azure-waagent                                            [  OK  ]

Executing S40install_default_filters.pl                               [  OK  ]

Executing S41install_default_app_filters.pl                           [  OK  ]

Executing S43install_default_report_templates.pl                      [  OK  ]

Executing S44install_analysis_objects.pl                              [  OK  ]

Executing S45install_default_realms.pl                                [  OK  ]

Executing S47install_default_sandbox_EO.pl                            [  OK  ]

Executing S50install-remediation-modules                              [  OK  ]

Executing S51install_health_policy.pl                                 [  OK  ]

Executing S52install_system_policy.pl                                 [  OK  ]

Executing S53change_reconciliation_baseline.pl                        [  OK  ]

Executing S70remove_casuser.pl                                        [  OK  ]

Executing S70update_sensor_objects.sh                                 [  OK  ]

Executing S85patch_history-init                                       [  OK  ]

Executing S96grow_var.sh                                              [  OK  ]

Executing S96install_vmware_tools.pl                                  [  OK  ]

 

********** Attention **********

 

   Initializing the system's localization settings.  Depending on available

   system resources (CPU, memory, and disk), this may take 10 minutes

   or more to complete.

 

********** Attention **********

Executing S96localize-templates                                       [  OK  ]

Executing S96ovf-data.pl                                              [  OK  ]

Executing S97compress-client-resources                                [  OK  ]

Executing S97create_platinum_forms.pl                                 [  OK  ]

Executing S97install_cas                                              [  OK  ]

Executing S97install_cloud_support.pl                                 [  OK  ]

Executing S97install_geolocation.pl                                   [  OK  ]

Executing S97install_ssl_inspection.pl                                [  OK  ]

Executing S97update_modprobe.pl                                       [  OK  ]

Executing S98check-db-integrity.sh                                    [  OK  ]

Executing S98htaccess-init                                            [  OK  ]

Executing S99configure_mysql                                          [  OK  ]

Executing S99correct_ipmi.pl                                          [  OK  ]

Executing S99ngfw_onbox                                               [  OK  ]

Executing S99ssl_hw_mode.sh                                           [  OK  ]

Executing S99start-system                                             [  OK  ]

Executing S99z_db_restore                                             [  OK  ]

Firstboot scripts finished.

Configuring NTP...                                                    [  OK  ]

Stopping all devices.

Starting all devices.

Processing /etc/c3xxx_dev0.conf

Checking status of all devices.

There is 1 QAT acceleration device(s) in the system:

 qat_dev0 - type: c3xxx,  inst_id: 0,  node_id: 0,  bsf: 01:00.0,  #accel: 3 #engines: 6 state: up

SIOCSIFADDR: No such device

br0: ERROR while getting interface flags: No such device

SIOCSIFNETMASK: No such device

br0: ERROR while getting interface flags: No such device

Model reconfigure detected, executing scripts

Pinging mysql

Found mysql is running

Executing 45update-sensor.pl                                          [  OK  ]

Executing 55recalculate_arc.pl                                        [  OK  ]

Sat Oct 3 01:27:33 UTC 2020

Starting MySQL...

Pinging mysql

Pinging mysql, try 1

Found mysql is running

Running initializeObjects...

Stopping MySQL...

Killing mysqld with pid 14511

Wait for mysqld to exit\c

 done

Sat Oct 3 01:27:44 UTC 2020

Skipping sfifd for this platform...

Starting Cisco Firepower 1010 Threat Defense, please wait...No PM running!

...started.

Cisco FTD initialization finished successfully.

memif is not enabled.

IO Memory Nodes: 1

IO Memory Per Node: 549453824 bytes num_pages = 134144 page_size = 4096

 

Global Reserve Memory Per Node: 786432000 bytes Nodes=1

 

LCMB: got 1073741824 bytes on numa-id=0, phys=0x200000000, virt=0x2b8c80000000

LCMB: HEAP-CACHE POOL got 782237696 bytes on numa-id=0, virt=0x2b8cc0000000

total mem 2948718463 system 8394874880 kernel 11037767 image 111086672

new 2948718463 old 660540496 reserve 1855979520 priv new 1103776710 priv old 0

Processor memory:   2948718463

POST started...

POST finished, result is 0 (hint: 1 means it failed)

 

Compiled on Thu 19-Sep-19 17:23 PDT by builders

SSL Hardware Offload is Enabled

Snort trust pinhole is NOT Enabled

FPR-1010 platform

Total NICs found: 6

x550em_kr rev 0x11 10 Gigabit Ethernet, index 00 MAC: 00a0.c900.0000

en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 02 MAC: 5c5a.c7b8.f781

en_vtun rev00 Backplane Tap Interface     @ index 03 MAC: 0000.0100.0001

en_vtun rev00 Backplane Control Interface  @ index 05 MAC: 0000.0300.0101

WARNING: Attribute already exists in the dictionary.

License mode file was not found. Assuming this is the initial bootup. Setting the license mode to Smart Licensing.

 

INFO: Unable to read firewall mode from flash

       Writing default firewall mode (single) to flash

 

INFO: Unable to read cluster interface-mode from flash

        Writing default mode "None" to flash

*** Intel QAT Crypto on-board accelerator detected

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x11)

                             Driver version        : 4.1.0

 

  ****************************** Warning *******************************

  This product contains cryptographic features and is

  subject to United States and local country laws

  governing, import, export, transfer, and use.

  Delivery of Cisco cryptographic products does not

  imply third-party authority to import, export,

  distribute, or use encryption. Importers, exporters,

  distributors and users are responsible for compliance

  with U.S. and local country laws. By using this

  product you agree to comply with applicable laws and

  regulations. If you are unable to comply with U.S.

  and local laws, return the enclosed items immediately.

 

  A summary of U.S. laws governing Cisco cryptographic

  products may be found at:

  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

  If you require further assistance please contact us by

  sending email to export@cisco.com.

  ******************************* Warning *******************************

 

Copyright (c) 1996-2017 by Cisco Systems, Inc.

 

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

 

                Cisco Systems, Inc.

                170 West Tasman Drive

                San Jose, California 95134-1706

 

Error No such device in set_linux_mac_address: Failed to assign MAC address for br0

Reading from flash...

!

Cryptochecksum (changed): 6929aede 6646bb60 e7c2f077 d48e4bc9

 

INFO: Power-On Self-Test in process.

.......................................................................

INFO: Power-On Self-Test complete.

 

INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.

M_MMAP_THRESHOLD 65536, M_MMAP_MAX 44993

User enable_1 logged in to firepower

Logins over the last 1 days: 1. 

Failed logins since the last login: 0. 

Type help o '?' for a list of availabl¥+¹‘͹

firepower>

firepower login:

 

 

The ASA to FTD reimage completed around 35 minutes. I've assigned my laptop with a static IP 192.168.45.10/24 and HTTPS to 192.168.45.45 (FTD default Management IP address).

 

firepower login: admin

Password:  <Admin123>   // FTD DEFAULT PASSWORD

Successful login attempts for user 'admin' : 1

 

Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved.

Cisco is a registered trademark of Cisco Systems, Inc.

All other trademarks are property of their respective owners.

 

Cisco Fire Linux OS v6.5.0 (build 4)

Cisco Firepower 1010 Threat Defense v6.5.0 (build 115)

 

Cisco Firepower Extensible Operating System (FX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.

 

The copyrights to certain works contained in this software are

owned by other third parties and used and distributed under

license.

 

Certain components of this software are licensed under the "GNU General Public

License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of

"GNU General Public License, Version 3", available here:

http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for

details.

 

Certain components of this software are licensed under the "GNU General Public

License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of

"GNU General Public License, version 2", available here:

http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual

(''Licensing'') for details.

 

Certain components of this software are licensed under the "GNU LESSER GENERAL

PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms

of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:

http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for

details.

 

Certain components of this software are licensed under the "GNU Lesser General

Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the

terms of "GNU Lesser General Public License, version 2", available here:

http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual

(''Licensing'') for details.

 

Certain components of this software are licensed under the "GNU Library General

Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms

of "GNU Library General Public License, version 2", available here:

http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual

(''Licensing'') for details.

 

firepower# connect ftd

You must accept the EULA to continue.

Press <ENTER> to display the EULA:  <ENTER>

End User License Agreement

 

Effective: May 22, 2017

 

This is an agreement between You and Cisco Systems, Inc. or its affiliates

("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the

individual or legal entity licensing the Software under this EULA. "Use" or

"Using" means to download, install, activate, access or otherwise use the

Software. "Software" means the Cisco computer programs and any Upgrades made

available to You by an Approved Source and licensed to You by Cisco.

"Documentation" is the Cisco user or technical manuals, training materials,

specifications or other documentation applicable to the Software and made

available to You by an Approved Source. "Approved Source" means (i) Cisco or

(ii) the Cisco authorized reseller, distributor or systems integrator from whom

you acquired the Software. "Entitlement" means the license detail; including

license metric, duration, and quantity provided in a product ID (PID) published

on Cisco's price list, claim certificate or right to use notification.

"Upgrades" means all updates, upgrades, bug fixes, error corrections,

enhancements and other modifications to the Software and backup copies thereof.

 

This agreement, any supplemental license terms and any specific product terms

at www.cisco.com/go/softwareterms (collectively, the "EULA") govern Your Use of

the Software.

 

1. Acceptance of Terms. By Using the Software, You agree to be bound by the

terms of the EULA. If you are entering into this EULA on behalf of an entity,

you represent that you have authority to bind that entity. If you do not have

such authority or you do not agree to the terms of the EULA, neither you nor

the entity may Use the Software and it may be returned to the Approved Source

for a refund within thirty (30) days of the date you acquired the Software or

Cisco product. Your right to return and refund applies only if you are the

original end user licensee of the Software.

 

2. License. Subject to payment of the applicable fees and compliance with this

EULA, Cisco grants You a limited, non-exclusive and non-transferable license to

Use object code versions of the Software and the Documentation solely for Your

internal operations and in accordance with the Entitlement and the

Documentation. Cisco licenses You the right to Use only the Software You

acquire from an Approved Source. Unless contrary to applicable law, You are not

licensed to Use the Software on secondhand or refurbished Cisco equipment not

authorized by Cisco, or on Cisco equipment not purchased through an Approved

Source. In the event that Cisco requires You to register as an end user, Your

license is valid only if the registration is complete and accurate. The

Software may contain open source software, subject to separate license terms

made available with the Cisco Software or Documentation.

 

If the Software is licensed for a specified term, Your license is valid solely

for the applicable term in the Entitlement. Your right to Use the Software

begins on the date the Software is made available for download or installation

and continues until the end of the specified term, unless otherwise terminated

in accordance with this Agreement.

 

3. Evaluation License. If You license the Software or receive Cisco product(s)

for evaluation purposes or other limited, temporary use as authorized by Cisco

("Evaluation Product"), Your Use of the Evaluation Product is only permitted

for the period limited by the license key or otherwise stated by Cisco in

writing. If no evaluation period is identified by the license key or in

writing, then the evaluation license is valid for thirty (30) days from the

date the Software or Cisco product is made available to You. You will be

invoiced for the list price of the Evaluation Product if You fail to return or

stop Using it by the end of the evaluation period. The Evaluation Product is

licensed "AS-IS" without support or warranty of any kind, expressed or implied.

Cisco does not assume any liability arising from any use of the Evaluation

Product. You may not publish any results of benchmark tests run on the

Evaluation Product without first obtaining written approval from Cisco. You

authorize Cisco to use any feedback or ideas You provide Cisco in connection

with Your Use of the Evaluation Product.

 

4. Ownership. Cisco or its licensors retain ownership of all intellectual

property rights in and to the Software, including copies, improvements,

enhancements, derivative works and modifications thereof. Your rights to Use

the Software are limited to those expressly granted by this EULA. No other

rights with respect to the Software or any related intellectual property rights

are granted or implied.

 

5. Limitations and Restrictions. You will not and will not allow a third party

to:

 

a. transfer, sublicense, or assign Your rights under this license to any other

person or entity (except as expressly provided in Section 12 below), unless

expressly authorized by Cisco in writing;

 

b. modify, adapt or create derivative works of the Software or Documentation;

 

c. reverse engineer, decompile, decrypt, disassemble or otherwise attempt to

derive the source code for the Software, except as provided in Section 16

below;

 

d. make the functionality of the Software available to third parties, whether

as an application service provider, or on a rental, service bureau, cloud

service, hosted service, or other similar basis unless expressly authorized by

Cisco in writing;

 

e. Use Software that is licensed for a specific device, whether physical or

virtual, on another device, unless expressly authorized by Cisco in writing; or

 

f. remove, modify, or conceal any product identification, copyright,

proprietary, intellectual property notices or other marks on or within the

Software.

 

6. Third Party Use of Software. You may permit a third party to Use the

Software licensed to You under this EULA if such Use is solely (i) on Your

behalf, (ii) for Your internal operations, and (iii) in compliance with this

EULA. You agree that you are liable for any breach of this EULA by that third

party.

 

7. Limited Warranty and Disclaimer.

 

a. Limited Warranty. Cisco warrants that the Software will substantially

conform to the applicable Documentation for the longer of (i) ninety (90) days

following the date the Software is made available to You for your Use or (ii)

as otherwise set forth at www.cisco.com/go/warranty. This warranty does not

apply if the Software, Cisco product or any other equipment upon which the

Software is authorized to be used: (i) has been altered, except by Cisco or its

authorized representative, (ii) has not been installed, operated, repaired, or

maintained in accordance with instructions supplied by Cisco, (iii) has been

subjected to abnormal physical or electrical stress, abnormal environmental

conditions, misuse, negligence, or accident; (iv) is licensed for beta,

evaluation, testing or demonstration purposes or other circumstances for which

the Approved Source does not receive a payment of a purchase price or license

fee; or (v) has not been provided by an Approved Source. Cisco will use

commercially reasonable efforts to deliver to You Software free from any

viruses, programs, or programming devices designed to modify, delete, damage or

disable the Software or Your data.

 

b. Exclusive Remedy. At Cisco's option and expense, Cisco shall repair,

replace, or cause the refund of the license fees paid for the non-conforming

Software. This remedy is conditioned on You reporting the non-conformance in

writing to Your Approved Source within the warranty period. The Approved Source

may ask You to return the Software, the Cisco product, and/or Documentation as

a condition of this remedy. This Section is Your exclusive remedy under the

warranty.

 

c. Disclaimer.

 

Except as expressly set forth above, Cisco and its licensors provide Software

"as is" and expressly disclaim all warranties, conditions or other terms,

whether express, implied or statutory, including without limitation,

warranties, conditions or other terms regarding merchantability, fitness for a

particular purpose, design, condition, capacity, performance, title, and

non-infringement. Cisco does not warrant that the Software will operate

uninterrupted or error-free or that all errors will be corrected. In addition,

Cisco does not warrant that the Software or any equipment, system or network on

which the Software is used will be free of vulnerability to intrusion or

attack.

 

8. Limitations and Exclusions of Liability. In no event will Cisco or its

licensors be liable for the following, regardless of the theory of liability or

whether arising out of the use or inability to use the Software or otherwise,

even if a party been advised of the possibility of such damages: (a) indirect,

incidental, exemplary, special or consequential damages; (b) loss or corruption

of data or interrupted or loss of business; or (c) loss of revenue, profits,

goodwill or anticipated sales or savings. All liability of Cisco, its

affiliates, officers, directors, employees, agents, suppliers and licensors

collectively, to You, whether based in warranty, contract, tort (including

negligence), or otherwise, shall not exceed the license fees paid by You to any

Approved Source for the Software that gave rise to the claim. This limitation

of liability for Software is cumulative and not per incident. Nothing in this

Agreement limits or excludes any liability that cannot be limited or excluded

under applicable law.

 

9. Upgrades and Additional Copies of Software. Notwithstanding any other

provision of this EULA, You are not permitted to Use Upgrades unless You, at

the time of acquiring such Upgrade:

 

a. already hold a valid license to the original version of the Software, are in

compliance with such license, and have paid the applicable fee for the Upgrade;

and

 

b. limit Your Use of Upgrades or copies to Use on devices You own or lease; and

 

c. unless otherwise provided in the Documentation, make and Use additional

copies solely for backup purposes, where backup is limited to archiving for

restoration purposes.

 

10. Audit. During the license term for the Software and for a period of three

(3) years after its expiration or termination, You will take reasonable steps

to maintain complete and accurate records of Your use of the Software

sufficient to verify compliance with this EULA. No more than once per twelve

(12) month period, You will allow Cisco and its auditors the right to examine

such records and any applicable books, systems (including Cisco product(s) or

other equipment), and accounts, upon reasonable advanced notice, during Your

normal business hours. If the audit discloses underpayment of license fees, You

will pay such license fees plus the reasonable cost of the audit within thirty

(30) days of receipt of written notice.

 

11. Term and Termination. This EULA shall remain effective until terminated or

until the expiration of the applicable license or subscription term. You may

terminate the EULA at any time by ceasing use of or destroying all copies of

Software. This EULA will immediately terminate if You breach its terms, or if

You fail to pay any portion of the applicable license fees and You fail to cure

that payment breach within thirty (30) days of notice. Upon termination of this

EULA, You shall destroy all copies of Software in Your possession or control.

 

12. Transferability. You may only transfer or assign these license rights to

another person or entity in compliance with the current Cisco

Relicensing/Transfer Policy (www.cisco.com/c/en/us/products/

cisco_software_transfer_relicensing_policy.html). Any attempted transfer or,

assignment not in compliance with the foregoing shall be void and of no effect.

 

13. US Government End Users. The Software and Documentation are "commercial

items," as defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101,

consisting of "commercial computer software" and "commercial computer software

documentation" as such terms are used in FAR 12.212. Consistent with FAR 12.211

(Technical Data) and FAR 12.212 (Computer Software) and Defense Federal

Acquisition Regulation Supplement ("DFAR") 227.7202-1 through 227.7202-4, and

notwithstanding any other FAR or other contractual clause to the contrary in

any agreement into which this EULA may be incorporated, Government end users

will acquire the Software and Documentation with only those rights set forth in

this EULA. Any license provisions that are inconsistent with federal

procurement regulations are not enforceable against the U.S. Government.

 

14. Export. Cisco Software, products, technology and services are subject to

local and extraterritorial export control laws and regulations. You and Cisco

each will comply with such laws and regulations governing use, export,

re-export, and transfer of Software, products and technology and will obtain

all required local and extraterritorial authorizations, permits or licenses.

Specific export information may be found at: tools.cisco.com/legal/export/pepd/

Search.do

 

15. Survival. Sections 4, 5, the warranty limitation in 7(a), 7(b) 7(c), 8, 10,

11, 13, 14, 15, 17 and 18 shall survive termination or expiration of this EULA.

 

16. Interoperability. To the extent required by applicable law, Cisco shall

provide You with the interface information needed to achieve interoperability

between the Software and another independently created program. Cisco will

provide this interface information at Your written request after you pay

Cisco's licensing fees (if any). You will keep this information in strict

confidence and strictly follow any applicable terms and conditions upon which

Cisco makes such information available.

 

17. Governing Law, Jurisdiction and Venue.

 

If You acquired the Software in a country or territory listed below, as

determined by reference to the address on the purchase order the Approved

Source accepted or, in the case of an Evaluation Product, the address where

Product is shipped, this table identifies the law that governs the EULA

(notwithstanding any conflict of laws provision) and the specific courts that

have exclusive jurisdiction over any claim arising under this EULA.

 

 

Country or Territory     | Governing Law           | Jurisdiction and Venue

=========================|=========================|===========================

United States, Latin     | State of California,    | Federal District Court,

America or the           | United States of        | Northern District of

Caribbean                | America                 | California or Superior

                         |                         | Court of Santa Clara

                         |                         | County, California

-------------------------|-------------------------|---------------------------

Canada                   | Province of Ontario,    | Courts of the Province of

                         | Canada                  | Ontario, Canada

-------------------------|-------------------------|---------------------------

Europe (excluding        | Laws of England         | English Courts

Italy), Middle East,     |                         |

Africa, Asia or Oceania  |                         |

(excluding Australia)    |                         |

-------------------------|-------------------------|---------------------------

Japan                    | Laws of Japan           | Tokyo District Court of

                         |                         | Japan

-------------------------|-------------------------|---------------------------

Australia                | Laws of the State of    | State and Federal Courts

                         | New South Wales         | of New South Wales

-------------------------|-------------------------|---------------------------

Italy                    | Laws of Italy           | Court of Milan

-------------------------|-------------------------|---------------------------

China                    | Laws of the People's    | Hong Kong International

                         | Republic of China       | Arbitration Center

-------------------------|-------------------------|---------------------------

All other countries or   | State of California     | State and Federal Courts

territories              |                         | of California

-------------------------------------------------------------------------------

 

 

The parties specifically disclaim the application of the UN Convention on

Contracts for the International Sale of Goods. In addition, no person who is

not a party to the EULA shall be entitled to enforce or take the benefit of any

of its terms under the Contracts (Rights of Third Parties) Act 1999. Regardless

of the above governing law, either party may seek interim injunctive relief in

any court of appropriate jurisdiction with respect to any alleged breach of

such party's intellectual property or proprietary rights.

 

18. Integration. If any portion of this EULA is found to be void or

unenforceable, the remaining provisions of the EULA shall remain in full force

and effect. Except as expressly stated or as expressly amended in a signed

agreement, the EULA constitutes the entire agreement between the parties with

respect to the license of the Software and supersedes any conflicting or

additional terms contained in any purchase order or elsewhere, all of which

terms are excluded. The parties agree that the English version of the EULA will

govern in the event of a conflict between it and any version translated into

another language.

 

 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco

and/or its affiliates in the U.S. and other countries. To view a list of Cisco

trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks

mentioned are the property of their respective owners. The use of the word

partner does not imply a partnership relationship between Cisco and any other

company. (1110R)

 

Please enter 'YES' or press <ENTER> to AGREE to the EULA: <ENTER>

 

System initialization in progress.  Please stand by. 

You must configure the network to continue.

You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]:

Do you want to configure IPv6? (y/n) [n]:

Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:

Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.45

Enter an IPv4 netmask for the management interface [255.255.255.0]:

Enter the IPv4 default gateway for the management interface [data-interfaces]: 192.168.1.1

Enter a fully qualified hostname for this system [firepower]: fpr1010-lab

Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:

Enter a comma-separated list of search domains or 'none' []:

If your networking information has changed, you will need to reconnect.

Setting DNS servers: 208.67.222.222 208.67.220.220

No domain name specified to configure.

Setting hostname as fpr1010-lab

DHCP Server Disabled

Setting static IPv4: 192.168.1.45 netmask: 255.255.255.0 gateway: 192.168.1.1 on management0

Updating routing tables, please wait...

All configurations applied to the system. Took 3 Seconds.

Saving a copy of running network configuration to local disk.

For HTTP Proxy configuration, run 'configure network http-proxy'

 

Manage the device locally? (yes/no) [yes]:    // HIT ENTER TO ACCESS FTD VIA FDM

Configuring firewall mode to routed

 

 

Update policy deployment information

    - add device configuration

Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

 

>

 

 

Re-login to FDM using the new Management IP address 192.168.1.45 and continue to the initial setup wizard.

 


 

No comments:

Post a Comment