Logical Devices for the Firepower 4100/9300

The Firepower 4100/9300 is a flexible security platform on which you can install one or more logical devices. This chapter describes basic interface configuration and how to add a standalone or High Availability logical device using the Firepower Chassis Manager. To add a clustered logical device, see ASA Cluster for the Firepower 4100/9300 Chassis. To use the FXOS CLI, see the FXOS CLI configuration guide. For more advanced FXOS procedures and troubleshooting, see the FXOS configuration guide.

About Firepower Interfaces

The Firepower 4100/9300 chassis supports physical interfaces and EtherChannel (port-channel) interfaces. EtherChannel interfaces can include up to 16 member interfaces of the same type.

Chassis Management Interface

The chassis management interface is used for management of the FXOS Chassis by SSH or Firepower Chassis Manager. This interface is separate from the mgmt-type interface that you assign to the logical devices for application management.

To configure parameters for this interface, you must configure them from the CLI. To view information about this interface in the FXOS CLI, connect to local management and show the management port:

Firepower # connect local-mgmt

Firepower(local-mgmt) # show mgmt-port

Note that the chassis management interface remains up even if the physical cable or SFP module are unplugged, or if the mgmt-port shut command is performed.


Note

The chassis management interface does not support jumbo frames.


Interface Types

Each interface can be one of the following types:

  • Data—Use for regular data. Data interfaces cannot be shared between logical devices, and logical devices cannot communicate over the backplane to other logical devices. For traffic on Data interfaces, all traffic must exit the chassis on one interface and return on another interface to reach another logical device.

  • Mgmt—Use to manage application instances. These interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface. You can only assign one management interface per logical device. For ASA: You can later enable management from a data interface; but you must assign a Management interface to the logical device even if you don't intend to use it after you enable data management. For information about the separate chassis management interface, see Chassis Management Interface.

  • Firepower-eventing—Use as a secondary management interface for FTD devices. To use this interface, you must configure its IP address and other parameters at the FTD CLI. For example, you can separate management traffic from events (such as web events). See the FMC configuration guide for more information. Firepower-eventing interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface.

  • Cluster—Use as the cluster control link for a clustered logical device. By default, the cluster control link is automatically created on Port-channel 48. The Cluster type is only supported on EtherChannel interfaces.

FXOS Interfaces vs. Application Interfaces

The Firepower 4100/9300 manages the basic Ethernet settings of physical interfaces and EtherChannel (port-channel) interfaces. Within the application, you configure higher level settings. For example, you can only create EtherChannels in FXOS; but you can assign an IP address to the EtherChannel within the application.

The following sections describe the interaction between FXOS and the application for interfaces.

VLAN Subinterfaces

For all logical devices, you can create VLAN subinterfaces within the application.

Independent Interface States in the Chassis and in the Application

You can administratively enable and disable interfaces in both the chassis and in the application. For an interface to be operational, the interface must be enabled in both operating systems. Because the interface state is controlled independently, you may have a mismatch between the chassis and application.

About Logical Devices

A logical device lets you run one application instance (either ASA or Firepower Threat Defense) and also one optional decorator application (Radware DefensePro) to form a service chain.

When you add a logical device, you also define the application instance type and version, assign interfaces, and configure bootstrap settings that are pushed to the application configuration.


Note

For the Firepower 9300, you must install the same application instance type (ASA or FTD) on all modules in the chassis; different types are not supported at this time. Note that modules can run different versions of an application instance type.

For the Firepower 9300, you must install the same application instance type (ASA or FTD) on all modules in the chassis; different types are not supported at this time. Note that modules can run different versions of an application instance type.


Standalone and Clustered Logical Devices

You can add the following logical device types:

  • Standalone—A standalone logical device operates as a standalone unit or as a unit in a High Availability pair.

  • Cluster—A clustered logical device lets you group multiple units together, providing all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. Multiple module devices, like the Firepower 9300, support intra-chassis clustering. For the Firepower 9300, all three modules must participate in the cluster.

Requirements and Prerequisites for Hardware and Software Combinations

The Firepower 4100/9300 supports multiple models, security modules, application types, and high availability and scalability features. See the following requirements for allowed combinations.

Firepower 9300 Requirements

The Firepower 9300 includes 3 security module slots and multiple types of security modules. See the following requirements:

  • Security Module Types—All modules in the Firepower 9300 must be the same type.

  • Clustering—All security modules in the cluster, whether it is intra-chassis or inter-chassis, must be the same type. You can have different quantities of installed security modules in each chassis, although all modules present in the chassis must belong to the cluster including any empty slots. For example, you can install 2 SM-36s in chassis 1, and 3 SM-36s in chassis 2.

  • High Availability—High Availability is only supported between same-type modules on the Firepower 9300.

  • ASA and FTD application types—You can only install one application type on the chassis, ASA or FTD.

  • ASA or FTD versions—You can run different versions of an application instance type on separate modules. For example, you can install FTD 6.3 on module 1, FTD 6.4 on module 2, and FTD 6.5 on module 3.

Firepower 4100 Requirements

The Firepower 4100 comes in multiple models. See the following requirements:

  • Clustering—All chassis in the cluster must be the same model.

  • High Availability—High Availability is only supported between same-type models.

  • ASA and FTD application types—The Firepower 4100 can only run a single application type.

Guidelines and Limitations for Logical Devices

See the following sections for guidelines and limitations.

Guidelines and Limitations for Firepower Interfaces

Inline Sets for FTD

  • Supported for physical interfaces (both regular and breakout ports) and EtherChannels.

  • Link state propagation is supported.

Hardware Bypass

  • Supported for the FTD; you can use them as regular interfaces for the ASA.

  • The FTD only supports Hardware Bypass with inline sets.

  • Hardware Bypass-capable interfaces cannot be configured for breakout ports.

  • You cannot include Hardware Bypass interfaces in an EtherChannel and use them for Hardware Bypass; you can use them as regular interfaces in an EtherChannel.

  • Hardware Bypass is not supported with High Availability.

Default MAC Addresses

Default MAC address assignments depend on the type of interface.

  • Physical interfaces—The physical interface uses the burned-in MAC address.

  • EtherChannels—For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links. The port-channel interface uses a unique MAC address from a pool; interface membership does not affect the MAC address.

General Guidelines and Limitations

Firewall Mode

You can set the firewall mode to routed or transparent in the bootstrap configuration for the FTD. For the ASA, you can change the firewall mode to transparent after you deploy. See Change the ASA to Transparent Firewall Mode.

High Availability

  • Configure high availability within the application configuration.

  • You can use any data interfaces as the failover and state links.

Context Mode

  • Enable multiple context mode in the ASA after you deploy.

Requirements and Prerequisites for High Availability

  • The two units in a High Availability Failover configuration must:

    • Be on a separate chassis; intra-chassis High Availability for the Firepower 9300 is not supported.

    • Be the same model.

    • Have the same interfaces assigned to the High Availability logical devices.

    • Have the same number and types of interfaces. All interfaces must be preconfigured in FXOS identically before you enable High Availability.

  • For High Availability system requirements, see Failover System Requirements.

Configure Interfaces

By default, physical interfaces are disabled. You can enable interfaces, add EtherChannels, and edit interface properties.


Note

If you remove an interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign an interface to an EtherChannel), then the ASA configuration retains the original commands so that you can make any necessary adjustments; removing an interface from the configuration can have wide effects. You can manually remove the old interface configuration in the ASA OS.


Configure a Physical Interface

You can physically enable and disable interfaces, as well as set the interface speed and duplex. To use an interface, it must be physically enabled in FXOS and logically enabled in the application.

Before you begin

  • Interfaces that are already a member of an EtherChannel cannot be modified individually. Be sure to configure settings before you add it to the EtherChannel.

Procedure


Step 1

Enter interface mode.

scope eth-uplink

scope fabric a

Step 2

Enable the interface.

enter interface interface_id

enable

Example:


Firepower /eth-uplink/fabric # enter interface Ethernet1/8
Firepower /eth-uplink/fabric/interface # enable

Note 

Interfaces that are already a member of a port-channel cannot be modified individually. If you use the enter interface or scope interface command on an interface that is a member of a port channel, you will receive an error stating that the object does not exist. You should edit interfaces using the enter interface command before you add them to a port-channel.

Step 3

(Optional) Set the interface type.

set port-type {data | mgmt | firepower-eventing | cluster}

Example:


Firepower /eth-uplink/fabric/interface # set port-type mgmt

The data keyword is the default type. Do not choose the cluster keyword; by default, the cluster control link is automatically created on Port-channel 48.

Step 4

Enable or disable autonegotiation, if supported for your interface.

set auto-negotiation {on | off}

Example:


Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 5

Set the interface speed.

set admin-speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}

Example:


Firepower /eth-uplink/fabric/interface* # set admin-speed 1gbps

Step 6

Set the interface duplex mode.

set admin-duplex {fullduplex | halfduplex}

Example:


Firepower /eth-uplink/fabric/interface* # set admin-duplex halfduplex

Step 7

If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy, apply it to the interface.

set flow-control-policy name

Example:


Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 8

Save the configuration.

commit-buffer

Example:


Firepower /eth-uplink/fabric/interface* # commit-buffer
Firepower /eth-uplink/fabric/interface #


Add an EtherChannel (Port Channel)

An EtherChannel (also known as a port channel) can include up to 16 member interfaces of the same media type and capacity, and must be set to the same speed and duplex. The media type can be either RJ-45 or SFP; SFPs of different types (copper and fiber) can be mixed. You cannot mix interface capacities (for example 1GB and 10GB interfaces) by setting the speed to be lower on the larger-capacity interface. The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices.

The Firepower 4100/9300 chassis only supports EtherChannels in Active LACP mode so that each member interface sends and receives LACP updates. An active EtherChannel can establish connectivity with either an active or a passive EtherChannel. You should use the active mode unless you need to minimize the amount of LACP traffic.

LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention. It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct channel group.

When the Firepower 4100/9300 chassis creates an EtherChannel, the EtherChannel stays in a Suspended state until you assign it to a logical device, even if the physical link is up. The EtherChannel will be brought out of this Suspended state in the following situations:

  • The EtherChannel is added as a data or management interface for a standalone logical device

  • The EtherChannel is added as a management interface or cluster control link for a logical device that is part of a cluster

  • The EtherChannel is added as a data interface for a logical device that is part of a cluster and at least one unit has joined the cluster

Note that the EtherChannel does not come up until you assign it to a logical device. If the EtherChannel is removed from the logical device or the logical device is deleted, the EtherChannel will revert to a Suspended state.

Procedure


Step 1

Enter interface mode:

scope eth-uplink

scope fabric a

Step 2

Create the port-channel:

create port-channel id

enable

Step 3

Assign member interfaces:

create member-port interface_id

You can add up to 16 member interfaces of the same media type and capacity. The member interfaces must be set to the same speed and duplex, and must match the speed and duplex that you configured for this port channel. The media type can be either RJ-45 or SFP; SFPs of different types (copper and fiber) can be mixed. You cannot mix interface capacities (for example 1GB and 10GB interfaces) by setting the speed to be lower on the larger-capacity interface.

Example:


Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2 
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/3 
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/4
Firepower /eth-uplink/fabric/port-channel/member-port* # exit

Step 4

(Optional) Set the interface type.

set port-type {data | mgmt | firepower-eventing | cluster}

Example:


Firepower /eth-uplink/fabric/port-channel # set port-type data

The data keyword is the default type. Do not choose the cluster keyword unless you want to use this port-channel as the cluster control link instead of the default.

Step 5

Set the required interface speed for members of the port-channel.

set speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}

If you add a member interface that is not at the specified speed, it will not successfully join the port channel. The default is 10gbps .

Example:


Firepower /eth-uplink/fabric/port-channel* # set speed 1gbps

Step 6

(Optional) Set the required duplex for members of the port-channel.

set duplex {fullduplex | halfduplex}

If you add a member interface that is configured with the specified duplex, it will not successfully join the port channel. The default is fullduplex .

Example:


Firepower /eth-uplink/fabric/port-channel* # set duplex fullduplex

Step 7

Enable or disable autonegotiation, if supported for your interface.

set auto-negotiation {on | off}

Example:


Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 8

If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy, apply it to the interface.

set flow-control-policy name

Example:


Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 9

Commit the configuration:

commit-buffer

Configure Logical Devices

Add a standalone logical device or a High Availability pair on the Firepower 4100/9300 chassis.

For clustering, see .

Add a Standalone ASA

Standalone logical devices work either alone or in a High Availability pair. On the Firepower 9300 with multiple security modules, you can deploy either a cluster or standalone devices. The cluster must use all modules, so you cannot mix and match a 2-module cluster plus a single standalone device, for example.

You can deploy a routed firewall mode ASA from the Firepower 4100/9300 chassis. To change the ASA to transparent firewall mode, complete this procedure, and then see Change the ASA to Transparent Firewall Mode.

For multiple context mode, you must first deploy the logical device, and then enable multiple context mode in the ASA application.

Before you begin

  • Download the application image you want to use for the logical device from Cisco.com, and then download that image to the Firepower 4100/9300 chassis.


    Note

    For the Firepower 9300, you must install the same application instance type (ASA or FTD) on all modules in the chassis; different types are not supported at this time. Note that modules can run different versions of an application instance type.

    For the Firepower 9300, you must install the same application instance type (ASA or FTD) on all modules in the chassis; different types are not supported at this time. Note that modules can run different versions of an application instance type.


  • Configure a management interface to use with the logical device. The management interface is required. Note that this management interface is not the same as the chassis management port that is used only for chassis management (in FXOS, you might see it displayed as MGMT, management0, or other similar names).

  • Gather the following information:

    • Interface IDs for this device

    • Management interface IP address and network mask

    • Gateway IP address

Procedure


Step 1

Enter security services mode.

scope ssa

Example:


Firepower# scope ssa
Firepower /ssa # 

Step 2

Set the application instance image version.

  1. View available images. Note the Version number that you want to use.

    show app

    Example:

    
    Firepower /ssa # show app
        Name       Version         Author     Supported Deploy Types CSP Type    Is Default App
        ---------- --------------- ---------- ---------------------- ----------- --------------
        asa        9.9.1           cisco      Native                 Application No
        asa        9.10.1          cisco      Native                 Application Yes
        ftd        6.2.3           cisco      Native                 Application Yes
        
    
  2. Set the scope to the security module/engine slot.

    scope slot slot_id

    The slot_id is always 1 for the Firepower 4100, and 1, 2, or 3 for the Firepower 9300.

    Example:

    
    Firepower /ssa # scope slot 1
    Firepower /ssa/slot # 
    
    
  3. Create the application instance.

    enter app-instance asa

    Example:

    
    Firepower /ssa/slot # enter app-instance asa
    Firepower /ssa/slot/app-instance* # 
    
    
  4. Set the ASA image version.

    set startup-version version

    Example:

    
    Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
    
    
  5. Exit to slot mode.

    exit

    Example:

    
    Firepower /ssa/slot/app-instance* # exit
    Firepower /ssa/slot* # 
    
    
  6. Exit to ssa mode.

    exit

    Example:

    
    Firepower /ssa/slot* # exit
    Firepower /ssa* # 
    
    

Example:


Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* # 

Step 3

Create the logical device.

enter logical-device device_name asa slot_id standalone

Example:


Firepower /ssa # enter logical-device ASA1 asa 1 standalone
Firepower /ssa/logical-device* #

Step 4

Assign the management and data interfaces to the logical device. Repeat for each interface.

create external-port-link name interface_id asa

set description description

exit

  • name —The name is used by the Firepower 4100/9300 chassis supervisor; it is not the interface name used in the ASA configuration.

  • description —Use quotes (") around phrases with spaces.

The management interface is not the same as the chassis management port. You will later enable and configure the data interfaces on the ASA, including setting the IP addresses.

Example:



Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit

Step 5

Configure the management bootstrap information.

  1. Create the bootstrap object.

    create mgmt-bootstrap asa

    Example:

    
    Firepower /ssa/logical-device* # create mgmt-bootstrap asa
    Firepower /ssa/logical-device/mgmt-bootstrap* # 
    
    
  2. Specify the admin password.

    create bootstrap-key-secret PASSWORD

    set value

    Enter a value: password

    Confirm the value: password

    exit

    Example:

    The pre-configured ASA admin user is useful for password recovery; if you have FXOS access, you can reset the admin user password if you forget it.

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
    Enter a value: floppylampshade
    Confirm the value: floppylampshade
    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  3. Configure the IPv4 management interface settings.

    create ipv4 slot_id default

    set ip ip_address mask network_mask

    set gateway gateway_address

    exit

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.10.10.34 mask 255.255.255.0
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.10.10.1
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  4. Configure the IPv6 management interface settings.

    create ipv6 slot_id default

    set ip ip_address prefix-length prefix

    set gateway gateway_address

    exit

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv6 1 default
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set ip 2001:0DB8:BA98::3210 prefix-length 64
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set gateway 2001:0DB8:BA98::3211
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  5. Exit the management bootstrap mode.

    exit

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # exit
    Firepower /ssa/logical-device* # 
    
    
Step 6

Save the configuration.

commit-buffer

The chassis deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the application instance. Check the status of the deployment using the show app-instance command. The application instance is running and ready to use when the Admin State is Enabled and the Oper State is Online.

Example:


Firepower /ssa/logical-device* # commit-buffer
Firepower /ssa/logical-device # exit
Firepower /ssa # show app-instance
App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
asa        asa1       2          Disabled    Not Installed                    9.12.1          Native                   Not Applicable  None
ftd        ftd1       1          Enabled     Online           6.4.0.49        6.4.0.49        Container   Default-Small Not Applicable  None

Step 7

See the ASA configuration guide to start configuring your security policy.


Example


Firepower# scope ssa
Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* # create logical-device MyDevice1 asa 1 standalone
Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create mgmt-bootstrap asa
Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
Enter a value: secretglassine
Confirm the value: secretglassine
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.0.0.1
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.0.0.31 mask 255.255.255.0
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # commit-buffer
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key # 

Add a High Availability Pair

or ASA High Availability (also known as failover) is configured within the application, not in FXOS. However, to prepare your chassis for high availability, see the following steps.

Before you begin

See Failover System Requirements.

Procedure


Step 1

Allocate the same interfaces to each logical device.

Step 2

Allocate 1 or 2 data interfaces for the failover and state link(s).

These interfaces exchange high availability traffic between the 2 chassis. We recommend that you use a 10 GB data interface for a combined failover and state link. If you have available interfaces, you can use separate failover and state links; the state link requires the most bandwidth. You cannot use the management-type interface for the failover or state link. We recommend that you use a switch between the chassis, with no other device on the same network segment as the failover interfaces.

Step 3

Enable High Availability on the logical devices. See Failover for High Availability.

Step 4

If you need to make interface changes after you enable High Availability, perform the changes on the standby unit first, and then perform the changes on the active unit.

Note 

For the ASA, if you remove an interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign an interface to an EtherChannel), then the ASA configuration retains the original commands so that you can make any necessary adjustments; removing an interface from the configuration can have wide effects. You can manually remove the old interface configuration in the ASA OS.


Change the ASA to Transparent Firewall Mode

You can only deploy a routed firewall mode ASA from the Firepower 4100/9300 chassis. To change the ASA to transparent firewall mode, complete the initial deployment, and then change the firewall mode within the ASA CLI. For standalone ASAs, because changing the firewall mode erases the configuration, you must then redeploy the configuration from the Firepower 4100/9300 chassis to regain the bootstrap configuration. The ASA then remains in transparent mode with a working bootstrap configuration. For clustered ASAs, the configuration is not erased, so you do not need to redeploy the bootstrap configuration from FXOS.

Procedure


Step 1

Connect to the ASA console according to Connect to the Console of the Application. For a cluster, connect to the primary unit. For a failover pair, connect to the active unit.

Step 2

Enter configuration mode:

enable

configure terminal

By default, the enable password is blank.

Step 3

Set the firewall mode to transparent:

firewall transparent

Step 4

Save the configuration:

write memory

For a cluster or failover pair, this configuration is replicated to secondary units:


asa(config)# firewall transparent
asa(config)# write memory
Building configuration...
Cryptochecksum: 9f831dfb 60dffa8c 1d939884 74735b69

3791 bytes copied in 0.160 secs
[OK]
asa(config)#
Beginning configuration replication to unit-1-2
 End Configuration Replication to data unit.

asa(config)#                                                      

Step 5

On the Firepower Chassis Manager Logical Devices page, click the Edit icon to edit the ASA.

The Provisioning page appears.

Step 6

Click the device icon to edit the bootstrap configuration. Change any value in your configuration, and click OK.

You must change the value of at least one field, for example, the Password field.

You see a warning about changing the bootstrap configuration; click Yes.

Step 7

Click Save to redeploy the configuration to the ASA. For an inter-chassis cluster or for a failover pair, repeat steps 5 through 7 to redeploy the bootstrap configuration on each chassis.

Wait several minutes for the chassis/security modules to reload, and for the ASA to become operational again. The ASA now has an operational bootstrap configuration, but remains in transparent mode.


Change an Interface on an ASA Logical Device

You can allocate, unallocate, or replace a management interface on an ASA logical device. ASDM discovers the new interfaces automatically.

Adding a new interface, or deleting an unused interface has minimal impact on the ASA configuration. However, if you remove an allocated interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign an allocated interface to an EtherChannel), and the interface is used in your security policy, removal will impact the ASA configuration. In this case, the ASA configuration retains the original commands so that you can make any necessary adjustments. You can manually remove the old interface configuration in the ASA OS.


Note

You can edit the membership of an allocated EtherChannel without impacting the logical device.


Before you begin

  • Configure your interfaces and add any EtherChannels according to Configure a Physical Interface and Add an EtherChannel (Port Channel).

  • If you want to add an already-allocated interface to an EtherChannel (for example, all interfaces are allocated by default to a cluster), you need to unallocate the interface from the logical device first, then add the interface to the EtherChannel. For a new EtherChannel, you can then allocate the EtherChannel to the device.

  • For clustering or failover, make sure you add or remove the interface on all units. We recommend that you make the interface changes on the data/standby unit(s) first, and then on the control/active unit. New interfaces are added in an administratively down state, so they do not affect interface monitoring.

Procedure


Step 1

Enter security services mode:

Firepower# scope ssa

Step 2

Edit the logical device:

Firepower /ssa # scope logical-device device_name

Step 3

Unallocate an interface from the logical device:

Firepower /ssa/logical-device # delete external-port-link name

Enter the show external-port-link command to view interface names.

For a management interface, delete the current interface then commit your change using the commit-buffer command before you add the new management interface.

Step 4

Allocate a new interface to the logical device:

Firepower /ssa/logical-device* # create external-port-link name interface_id asa

Step 5

Commit the configuration:

commit-buffer

Commits the transaction to the system configuration.


Connect to the Console of the Application

Use the following procedure to connect to the console of the application.

Procedure


Step 1

Connect to the module CLI.

connect module slot_number console

To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number .

Example:


Firepower# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:
Close Network Connection to Exit

Firepower-module1> 

Step 2

Connect to the application console. Enter the appropriate command for your device.

connect asa

connect ftd

connect vdp

Example:


Firepower-module1> connect asa 
Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
[...]
asa>

Step 3

Exit the application console to the FXOS module CLI.

  • ASA—Enter Ctrl-a, d

  • FTD—Enter

  • vDP—Enter Ctrl-], .

Step 4

Return to the supervisor level of the FXOS CLI.

  1. Enter ~

    You exit to the Telnet application.

  2. To exit the Telnet application, enter:

    telnet>quit


History for Logical Devices

Feature

Version

Details

Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis

9.7(1)

You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to stability and performance.

We modified the following command: site-id

Support for the Firepower 4100 series

9.6(1)

With FXOS 1.1.4, the ASA supports inter-chassis clustering on the Firepower 4100 series.

We did not modify any commands.

Inter-chassis clustering for 6 modules, and inter-site clustering for the Firepower 9300 ASA application

9.5(2.1)

With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.

We did not modify any commands.

Intra-chassis ASA Clustering for the Firepower 9300

9.4(1.150)

You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster.

We introduced the following commands: cluster replication delay, debug service-module, management-only individual, show cluster chassis