Configure Multi-Instance in Secure Firewall 3100 Series

Available Languages

Download Options

  • PDF     (685.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (688.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (848.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 26, 2024
Document ID:222230

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Multi-Instacne in Secure Firewall 3100 Series running version 7.4+.

    Prerequisites

    Knowledge of Firewall eXtensible Operating System (FXOS) and Firewall Management Center (FMC) Graphical User Interface (GUI).

    Requirements

    Access to:

    • Console access to the Secure Firewall 3100 Series
    • FMC GUI Access

    Components Used

    • Cisco Secure Firewall Management Center running 7.4+
    • Cisco Secure Firewall Series 3100
      • Except 3105*

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices.

    Configure for 7.4.1+ Version

    Step 1.Connect to the chassis console port.

      The console port connects to the FXOS CLI.

    Step 2. Log in with the username adminand the passwordAdmin123.

      You are prompted to change the password the first time you log in to FXOS.

    Note: If the password was already changed, and you do not know it, you must reimage the device to reset the password to the default. See theFXOStroubleshooting guidefor thereimage procedure.

    Step 3. Check your current mode, Native or Container. If the mode is Native, you can continue with this procedure to convert to multi-instance (Container) mode.

      firepower# show system detail

    Example:

    Show Multi-Instance StateShow multi-instance state

    Step 4. Connect to theTthreat Defense CLI.

    firepower# connect ftd

    Example:

    Connecting to FTDConnecting to FTD

    Step 5. The first time you log in to the threat defense, you are prompted to accept the End User License Agreement (EULA). You are then presented with the CLI setup script.

    The setup script lets you set the Management interface IP address and other settings. However, when you convert to multi-instance mode, the only settings that are retained are the following.

    • Admin password (that you set at initial login)

    • DNS servers

    • Search domains

    You reset the Management IP address and gateway as part of the multi-instance mode command. After you convert to multi-instance mode, you can change Management settings at the FXOS CLI. SeeChange Chassis Management Settings at the FXOS CLI.

    Step 6. Enable multi-instance mode, set the chassis management interface settings, and identify themanagement center. You can use IPv4 and/or IPv6. After you enter the command,you are prompted to erase the configuration and reboot. EnterERASE(all caps). The system reboots and, as part of changing the mode, erases the configuration with the exception of the Management network settings you set in the command and the admin password. The chassis hostname is set to "firepower-model."

    IPv4:

    configure multi-instance network ipv4ip_addressnetwork_maskgateway_ip_addressmanagermanager_name {hostname | ipv4_address | DONTRESOLVEregistration_keynat_id

    IPv6:

    configure multi-instance network ipv6ipv6_addressprefix_lengthgateway_ip_addressmanagermanager_name {hostname | ipv6_address | DONTRESOLVEregistration_keynat_id

    See these managercomponents:

    • {hostname | ipv4_address | DONTRESOLVE—Specifies either the FQDN or IP address of themanagement center. At least one of the devices, either themanagement centeror the chassis, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices. If you do not specify a manager hostname or IP address in this command, then enterDONTRESOLVE; in this case, the chassis must have a reachable IP address or hostname, and you must specify thenat_id.

    • registration_key—Enter a one-time registration key of your choice that you also specify on themanagement centerwhen you register the chassis. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).

    • nat_id—Specifies a unique, one-time string of your choice that you also also specify on themanagement centerwhen you register the chassis when one side does not specify a reachable IP address or hostname. It is required if you do not specify a manager address or hostname, however, we recommend that you always set the NAT ID even when you specify a hostname or IP address. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to themanagement center.

    To change the mode back to appliance mode, you must use the FXOS CLI and enterscope systemand thenset deploymode native. SeeChange Chassis Management Settings at the FXOS CLI.

    Example:

    Changing to Multi-Instance ModeChanging to Multi-Instance Mode

    NoteAdd the multi-instance chassis to the management center. The management center and the chassis share a separate management connection using the chassis MGMT interface. You can use the management center to configure all chassis settings as well as instances. The Secure Firewall chassis manager or configuration at the FXOS CLI is not supported.

    Step 7. In the management center, add the chassis using the chassis management IP address or hostname.

    • Choose Devices>Device Management, and then Add>Chassis.

    Adding the Chassis to the FMCAdding the Chassis to the FMC

    Setup Parameters of the ChassisSetup parameters of the Chassis

    •  Once the Chassis is added to the FMC, see the device in the list of the devices on the FMC.

    Chassis Added in the FMCChassis added in the FMC

    Step 8. To view and configure the chassis, click Manage in the Chassis column, or click Edit(✎).

      The Chassis Manager page opens for the chassis to the Summary page.

    Chassis ManagementChassis Management

    Step 9. Select the Instances button and then Add Instance to create a new Instance in the chassis.

    Creating an InstanceCreating an Instance

    Step 10. Follow the wizard to finish the installation of the Instance.

    1. Accept the agreement

      Accept AgreementAccept agreement
    2. Configure the Instance parameters

      Instance ParametersInstance Parameters
    3. Interface Selection.

      Interface AssigmentInterface Assigment
    4. Device Management.

      Device ManagementDevice Management
    5. Summary

      Summary of the InstanceSummary of the Instance

    Revision History

    Revision Publish Date Comments
    1.0
    26-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Eder Pacheco
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products