Fmc 4100 pdf


















You cannot upgrade a device past the FMC. Below, we list FMC versions and the devices they can manage. Find your current version in the first column, then read across to determine which devices you can manage. Remember, within a major version, the FMC must be running the same or newer maintenance (third-digit) release as its managed devices. FMC Version. If your FMC does not meet the requirements, apply the appropriate hotfix. Upgrading the software does not accomplish this task, nor does reimaging to a later version.

If the FMC is already up to date, the hotfix has no effect. Use the regular upgrade process to apply hotfixes. The FMC web interface may display these hotfixes with a version that is different from (usually later than) the current software version.

This is expected behavior and the hotfixes are safe to apply. BIOS: sudo dmidecode -t bios -q. The bold versions listed below are specially-qualified companion releases. You should use these software combinations whenever possible because Cisco performs enhanced testing for these combinations.

FXOS 2. Other releases that are paired with 2. You can now run ASA 9. The following table lists the supported Radware DefensePro version for each Firepower security appliance and associated logical device. Updated: December 12, Chapter: Compatibility. Compatibility For general compatibility information see: Cisco Firepower Compatibility Guide: Detailed compatibility information for all supported versions, including versions and builds of bundled operating systems and other components, as well as links to end-of-sale and end-of-life announcements for deprecated platforms.

This means: You can manage older devices with a newer FMC, usually a few major versions back. Table 1. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside. Smart Licensing —Assign the Smart Licenses you need for the features you want to deploy: Malware if you intend to use malware inspection, Threat if you intend to use intrusion prevention, and URL if you intend to implement category-based URL filtering.

When events like IPS or Snort are triggered with this option enabled, the device sends event metadata information and packet data to the FMC for inspection. If you disable it, only event information will be sent to the FMC, but packet data is not sent.

Click Register, and confirm a successful registration. If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the FTD fails to register, check the following items: If the ping is not successful, check your network settings using the show network command. If you configured a data interface for FMC access, use the configure network management-data-interface command. This section describes how to configure a basic security policy with the following settings:

Typically, you must configure at least a minimum of two interfaces to have a system that passes meaningful traffic. A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces.

The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP. Click Interfaces. Click Edit for the interface that you want to use for inside.

Check the Enabled check box. Leave the Mode set to None. From the Security Zone drop-down list, choose an existing inside security zone or add a new one by clicking New. An interface can belong to only one security zone, but can also belong to multiple interface groups. You apply your security policy based on zones or groups.

For example, you can assign the inside interface to the inside zone; and the outside interface to the outside zone. Then you can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside. Most policies only support security zones; you can use zones or interface groups in NAT policies, prefilter policies, and QoS policies.

For example, enter IPv6 —Check the Autoconfiguration check box for stateless autoconfiguration. Click Edit for the interface that you want to use for outside. If you pre-configured this interface for FMC access management, then the interface will already be named, enabled, and addressed. You should not alter any of these basic settings because doing so will disrupt the FMC management connection. You can still configure the Security Zone on this screen for through traffic policies. From the Security Zone drop-down list, choose an existing outside security zone or add a new one by clicking New.

DHCP route metric —Assigns an administrative distance to the learned route, between 1 and The default administrative distance for the learned routes is 1. On the Server page, click Add, and configure the following options:

Interface —Choose the interface from the drop-down list. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.

The default route normally points to the upstream router reachable from the outside interface. If you use DHCP for the outside interface, your device might have already received a default route. If you need to manually add the route, complete this procedure. Interface —Choose the egress interface; typically the outside interface. Gateway or IPv6 Gateway —Enter or choose the gateway router that is the next hop for this route. Metric —Enter the number of hops to the destination network.

Valid values range from 1 to ; the default value is 1. Name the policy, select the device(s) that you want to use the policy, and click Save. The policy is added to the FMC. You still have to add rules to the policy. Type —Choose Dynamic. On the Translation page, configure the following options: You cannot use the system-defined any-ipv4 object, because Auto NAT rules add NAT as part of the object definition, and you cannot edit system-defined objects. Click Save on the NAT page to save your changes.

If you created a basic Block all traffic access control policy when you registered the FTD with the FMC, then you need to add rules to the policy to allow traffic through the device. The following procedure adds a rule to allow traffic from the inside zone to the outside zone. If you have other zones, be sure to add rules allowing traffic to the appropriate networks. See the FMC configuration guide to configure more advanced security settings and rules.

Click Add Rule, and set the following parameters: Deploy the configuration changes to the FTD; none of your changes are active on the device until you deploy them. Select the device in the Deploy Policies dialog box, then click Deploy.

Ensure that the deployment succeeds. Click the icon to the right of the Deploy button in the menu bar to see status for deployments. You set the management IP address when you deployed the logical device. Log into the FTD with the admin account and the password you set during initial deployment.

If you forgot the password, you can change it by editing the logical device in the Firepower Chassis Manager. The benefits of using a Telnet connection are that you can have multiple sessions to the module at the same time, and the connection speed is faster. If you have multiple application instances, you must specify the name of the instance. To view the instance names, enter the command without a name.

To continue configuring your FTD, see the documents available for your software version at Navigating the Cisco Firepower Documentation. FTD for the Firepower , , and Formerly, you could only deploy a single native application instance. Resource management lets you customize performance capabilities for each instance. You can use High Availability using a container instance on 2 separate chassis.

Clustering is not supported. Multi-instance capability is similar to ASA multiple context mode, although the implementation is different. Multiple context mode is not available on the Firepower Threat Defense. Updated: December 15, You must also configure at least one Data interface. Choose the Image Version.

Click OK. You see the Provisioning - device name window. Step 3 Expand the Data Ports area, and click each interface that you want to assign to the device. Step 4 Click the device icon in the center of the screen. Step 5 On the General Information page, complete the following: For a container instance, specify the Resource Profile. Choose the Management Interface. Configure the Management IP address. Set a unique IP address for this interface. Enter a Network Gateway address. Step 6 On the Settings tab, complete the following: For a native instance, in the Management type of application instance drop-down list, choose FMC.

This interface must be defined as a Firepower-eventing interface. This setting enables TLS crypto acceleration in hardware, and improves performance for certain types of traffic. For more information, see the FMC configuration guide. This feature is not supported for native instances. To view the percentage of hardware crypto resources allocated to this instance, enter the show hw-crypto command. Step 8 Click OK to close the configuration dialog box.

Step 9 Click Save. Step 3 Click Log In. Procedure Step 1 Make sure your Smart Licensing account contains the available licenses you need.

Search for the following license PIDs: Figure 1. Step 2 From the Add drop-down list, choose Add Device. Figure 2. New Policy Smart Licensing —Assign the Smart Licenses you need for the features you want to deploy: Malware if you intend to use malware inspection, Threat if you intend to use intrusion prevention, and URL if you intend to implement category-based URL filtering. Step 3 Click Register, and confirm a successful registration. Configure a Basic Security Policy This section describes how to configure a basic security policy with the following settings: Inside and outside interfaces—Assign a static IP address to the inside interface, and use DHCP for the outside interface.

Default route—Add a default route through the outside interface. Access control—Allow traffic from inside to outside. To configure a basic security policy, complete the following tasks. Configure Interfaces. Add the Default Route.

Configure NAT. Allow Traffic from Inside to Outside. Deploy the Configuration. Step 2 Click Interfaces. Step 3 Click Edit for the interface that you want to use for inside. The General tab appears. Enter a Name up to 48 characters in length. For example, name the interface inside. Step 4 Click Edit for the interface that you want to use for outside. Note If you pre-configured this interface for FMC access management, then the interface will already be named, enabled, and addressed.

For example, name the interface outside. Step 5 Click Save. Step 3 On the Server page, click Add, and configure the following options: Interface —Choose the interface from the drop-down list. Step 4 Click OK. Add the Default Route The default route normally points to the upstream router reachable from the outside interface. Step 3 Click OK. The route is added to the static route table. Step 4 Click Save.


