Cisco Firepower Threat Defense for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X Using Firepower Management Center Quick Start Guide

Cisco Firepower Threat Defense for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X Using Firepower Management Center Quick Start Guide

First Published: August 10, 2016

Last Updated: November 2, 2020

End of Support Notices

Note: You cannot install Firepower Threat Defense 6.7 or subsequent releases on the ASA 5515-X, 5525-X, 5545-X, and 5555-X. The final supported Firepower Threat Defense release for these platforms is 6.6.0

Note: You cannot install Firepower Threat Defense 6.3 or subsequent releases on the ASA 5512-X. The final supported Firepower Threat Defense release for this platforms is 6.2.3.

1. Is This Guide for You?

This guide explains how to complete the initial configuration of your Firepower Threat Defense device and how to register the device to a Firepower Management Center. In a typical deployment on a large network, multiple managed devices are installed on network segments, monitor traffic for analysis, and report to a managing Firepower Management Center. The Firepower Management Center provides a centralized management console with web interface that you can use to perform administrative, management, analysis, and reporting tasks.

For networks that include only a single device or just a few, where you do not need to use a high-powered multiple-device manager like the Firepower Management Center, you can use the integrated Firepower Device Manager. Use the Firepower Device Manager web-based device setup wizard to configure the basic features of the software that are most commonly used for small network deployments as described in http://www.cisco.com/go/fdm-quick.

3. License Requirements

Firepower Threat Defense devices require Cisco Smart Licensing. Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.

In addition, Smart Licensing does not prevent you from using product features that you have not yet purchased. You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval.

When you purchase one or more Smart Licenses for Firepower features, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization. For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.

Your purchase of a Firepower Threat Defense device or Firepower Threat Defense Virtual automatically includes a Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional. For more information about Firepower Threat Defense licensing, see the Licensing the System chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.

4. Deploy the Firepower Threat Defense in Your Network

The following figure shows the recommended network deployment for Firepower Threat Defense on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.

 

Note: You must use a separate inside switch in your deployment.

The example configuration enables the above network deployment with the following behavior.

• inside --> outside traffic flow
• outside IP address from DHCP
• DHCP for clients on inside.
• Management 0/0 is used to set up and manage the device using the Firepower Management Center.

The Management interface requires Internet access for updates. When you put Management on the same network as an inside interface, you can deploy the Firepower Threat Defense device with only a switch on the inside and point to the inside interface as its gateway.

The physical management interface is shared between the Management logical interface and the Diagnostic logical interface; see the Interfaces chapter of the Firepower Threat Defense Configuration Guide for Firepower Device Manager.

To cable the above scenario on a ASA 5500-X device, see the following illustration.

Note: The following illustration shows a simple topology using a Layer 2 switch. Other topologies can be used and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.

Procedure

 

1. Cable the following to a Layer 2 Ethernet switch:

–GigabitEthernet 0/1 interface (inside)

–Management 0/0 interface (for the Firepower Management Center)

–A local management computer

–A Firepower Management Center

Note: You can connect inside and management on the same network because the management interface acts like a separate device that belongs only to the Firepower Management.

2. Connect the GigabitEthernet 0/0 (outside) interface to your WAN device, for example, your cable modem.

5. Power on the Firepower Threat Defense Device

1. Attach the power cable to the Firepower Threat Defense device and connect it to an electrical outlet.

The power turns on automatically when you plug in the power cable; do not press the power button on the front panel. (For older models, the power does not turn on automatically; check the hardware installation guide for more information).

2. Check the Power LED on the front of the Firepower Threat Defense device; if it is solid green, the device is powered on.

3. Check the Status LED on the front of the Firepower Threat Defense device; after it is solid green, the system has passed power-on diagnostics.

6. Configure the Device for Firepower Management

The first time you access the CLI, a setup wizard prompts you for basic network configuration parameters that are required to setup your Firepower Threat Defense device and to register with a Firepower Management Center. Note that the management IP address and associated gateway route are not included on the Firepower Management Center web interface in the list of interfaces or static routes for the device; they can only be set by the setup script and at the CLI.

Before You Begin

Ensure that you connect a data interface to your gateway device, for example, a cable modem or router. For edge deployments, this would be your Internet-facing gateway. For data center deployments, this would be a back-bone router.

The Management interface must also be connected to a gateway through which the Internet is accessible. System licensing and database updates require Internet access.

Procedure

1. Connect to the device, either from the console port or using SSH, for example.

–For a device attached to a monitor and keyboard, log in at the console.

–For access to the management interface of the device, SSH to the Management interface’s default IPv4 address: 192.168.45.45.

2. Log in with the username admin and the password Admin123.

3. When the Firepower Threat Defense system boots, a setup wizard prompts you for the following information required to configure the system:

–Accept EULA

–New admin password

–IPv4 or IPv6 configuration

–IPv4 or IPv6 DHCP settings

–Management port IPv4 address and subnet mask, or IPv6 address and prefix

–System name

–Default gateway IPv4, IPv6, or both

–DNS setup

–HTTP proxy

–Management mode

4. Review the setup wizard settings. Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.

Example:

5. Reconnect to your appliance using the new log in credentials.

6. Configure the firewall mode. For example:

Note: We recommend that you set the firewall mode at initial configuration. Note that the default mode is routed. Changing the firewall mode after initial setup erases your running configuration. For more information, see the Transparent or Routed Firewall Mode chapter in the Firepower Management Center Configuration Guide.

7. Wait for the default system configuration to be processed. This may take a few minutes.

–

Note: The registration key is a user-generated one-time use key that must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). You will need to remember this registration key when you add the device to the Firepower Management Center.

8. Identify the Firepower Management Center appliance that will manage this device using the configure manager add command.

Remember that the registration key is a user-generated one-time use key which you need to add the device to the Firepower Management Center’s inventory. The following example shows the simple case:

If the device and the Firepower Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:

The Firepower Management Center and the security appliance use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration. The NAT ID must be unique among all NAT IDs used to register managed appliances to establish trust for the initial communication and to look up the correct registration key.

Note: At least one of the security appliances, either the Firepower Management Center or the Firepower Threat Defense, must have a public IP address to establish the two-way, SSL-encrypted communication channel between the two appliances.

9. Close the CLI.

What To Do Next

• Register your device to a Firepower Management Center as described in the next section.

7. Register the Device with the Firepower Management Center and Assign Smart Licenses

Before You Begin

• Set up Smart Licensing on your Firepower Management Center. Make sure you have the following a Cisco Smart Account. You can create one at Cisco Software Central ( https://software.cisco.com/).
• Make sure you have a base Firepower Threat Defense license added to your Smart Account; for example, L-ASA5516T-BASE=.

Procedure

1. Log into the Firepower Management Center using an HTTPS connection in a browser, using the hostname or address entered above. For example, https://MC.example.com.

2. Use the Device Management (Devices > Device Management) page to add the device. For more information, see the online help or the Managing Devices chapter in the Firepower Management Center Configuration Guide.

3. Enter the management IP address configured on the device during the CLI setup.

4. Use the same registration key as specified on the device during the CLI setup.

5. Select your Smart Licensing options (Threat, URL, Advanced Malware).

These licenses need to be present in your Smart Account already. You should have a base license for your appliance in your Smart Account.

6. Click Register and confirm a successful device registration.

What To Do Next

• Configure policies and device settings for your device. After you add the device to the Firepower Management Center, you can use the Firepower Management Center user interface to configure device management settings and to configure and apply access control policies and other related policies to manage traffic using your Firepower Threat Defense system.

8. Where to Go Next

• For more information about Firepower Threat Defense, see the Firepower Management Center configuration guide, or the Firepower Management Center online help.