Cisco Secure Firewall Threat Defense Virtual Getting Started Guide, Version 7.6
About Secure Firewall Threat Defense Virtual with the Secure Firewall Device Manager
The Secure Firewall Threat Defense Virtual is the virtualized component of the Cisco NGFW solution. The threat defense virtual provides next-generation firewall services, including stateful firewalling, routing, VPN, Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and malware defense.
You can manage the threat defense virtual using the Secure Firewall device manager, a web-based device setup wizard included on some of the threat defense models. The device manager lets you configure the basic features of the software that are most commonly used for small networks. It is especially designed for networks that include a single device or just a few, where you do not want to use a high-powered multiple-device manager to control a large network containing many threat defense devices.
For troubleshooting purposes, you can access the threat defense CLI using SSH on the Management interface, or you can connect to the threat defense from the device manager CLI.
Default Configuration
The threat defense virtual default configuration puts the management interface and inside interface on the same subnet. You must have Internet connectivity on the management interface in order to use Smart Licensing and to obtain updates to system databases.
The default configuration is therefore designed so that you can connect both Management0-0 and GigabitEthernet0-1 (inside) to the same network on the virtual switch. The default management address uses the inside IP address as its gateway, so the management interface routes through the inside interface, then through the outside interface, to reach the Internet.
You also have the option of attaching Management0-0 to a different subnet than the one used for the inside interface, as long as you use a network that has access to the Internet. Ensure that you configure the management interface IP address and gateway appropriately for that network.
The threat defense virtual must be powered up on first boot with at least four interfaces:
The first interface on the virtual machine is the management interface (Management0-0).
The second interface on the virtual machine is reserved for internal use.
The third interface on the virtual machine (GigabitEthernet0-0) is the outside interface.
The fourth interface on the virtual machine (GigabitEthernet0-1) is the inside interface.
You can add up to six more interfaces for data traffic, for a total of eight data interfaces. For additional data interfaces,
make sure that the Source Networks map to the correct Destination Networks, and that each data interface maps to a unique
subnet or VLAN. See Configuring VMware Interfaces.
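A quick way to catch addressing mistakes before you enter them into the device manager is to check the plan offline. The following Python script is an added example and not Cisco code. It encodes the rules stated above (every data interface on its own subnet; the management gateway on the management subnet and, when management shares the inside subnet, equal to the inside interface address) and, going beyond this section, also checks that a DHCP pool stays within its interface subnet and never hands out an address already assigned to an interface. Interface names follow the default layout; the extra inside2 interface, all addresses and the pool ranges are constructed sample values.

```python
"""Sanity-check a threat defense virtual addressing plan before you type it
into the device manager.

Added example, not Cisco code.  Interface names follow the default layout
(Management0-0, GigabitEthernet0-0 outside, GigabitEthernet0-1 inside); the
inside2 interface, all addresses and the DHCP pools are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str
    role: str                          # "management", "outside", "inside", "dmz", ...
    address: str                       # interface address with prefix, e.g. "192.168.45.1/24"
    gateway: Optional[str] = None      # management only: its default gateway
    dhcp_pool: Optional[tuple] = None  # (first, last) handed out to clients


def check_plan(ifaces):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    addr = {i.name: ipaddress.ip_interface(i.address) for i in ifaces}
    roles = {i.role: i for i in ifaces}
    data = [i for i in ifaces if i.role != "management"]

    # Each data interface must sit on its own subnet or VLAN; overlapping
    # subnets break routing between them.
    for n, a in enumerate(data):
        for b in data[n + 1:]:
            if addr[a.name].network.overlaps(addr[b.name].network):
                problems.append(f"{a.name} and {b.name} share a subnet "
                                f"({addr[a.name].network} / {addr[b.name].network})")

    # Management needs a gateway that can reach the Internet for licensing
    # and database updates.  In the default layout it shares the inside
    # subnet and uses the inside interface address as its gateway; on a
    # separate subnet the gateway must at least be on that subnet.
    mgmt = roles.get("management")
    inside = roles.get("inside")
    if mgmt is not None:
        m = addr[mgmt.name]
        if mgmt.gateway is None:
            problems.append(f"{mgmt.name} has no gateway")
        else:
            gw = ipaddress.ip_address(mgmt.gateway)
            if gw not in m.network:
                problems.append(f"{mgmt.name} gateway {gw} is not on {m.network}")
            elif (inside is not None and m.network == addr[inside.name].network
                  and gw != addr[inside.name].ip):
                problems.append(f"{mgmt.name} shares the inside subnet but its gateway "
                                f"{gw} is not the inside address {addr[inside.name].ip}")

    # A DHCP pool must lie inside its interface's subnet and must not hand
    # out any address already assigned to an interface on that subnet.
    used = [a.ip for a in addr.values()]
    for i in ifaces:
        if i.dhcp_pool is None:
            continue
        first, last = (ipaddress.ip_address(x) for x in i.dhcp_pool)
        net = addr[i.name].network
        if first > last:
            problems.append(f"{i.name} pool {first}-{last} is reversed")
        if first not in net or last not in net:
            problems.append(f"{i.name} pool {first}-{last} is not within {net}")
        for ip in used:
            if ip in net and first <= ip <= last:
                problems.append(f"{i.name} pool {first}-{last} includes interface address {ip}")
    return problems


# Constructed sample plan: the default shared management/inside subnet plus a
# second inside interface using the pool shown later in this guide.
GOOD_PLAN = [
    Iface("Management0-0", "management", "192.168.45.45/24", gateway="192.168.45.1"),
    Iface("GigabitEthernet0-0", "outside", "203.0.113.2/24"),
    Iface("GigabitEthernet0-1", "inside", "192.168.45.1/24",
          dhcp_pool=("192.168.45.100", "192.168.45.200")),
    Iface("GigabitEthernet0-2", "inside2", "192.168.4.1/24",
          dhcp_pool=("192.168.4.50", "192.168.4.240")),
]

# Same plan with two common mistakes: inside2 carves a /25 out of the inside
# subnet, and the inside pool swallows the management address.
BAD_PLAN = [
    Iface("Management0-0", "management", "192.168.45.45/24", gateway="192.168.45.1"),
    Iface("GigabitEthernet0-0", "outside", "203.0.113.2/24"),
    Iface("GigabitEthernet0-1", "inside", "192.168.45.1/24",
          dhcp_pool=("192.168.45.10", "192.168.45.200")),
    Iface("GigabitEthernet0-2", "inside2", "192.168.45.250/25"),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "ok")
```

Run it as-is to see the good plan pass and the bad plan report the overlap and the pool collision; substitute your own Iface entries for a real deployment.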
Initial Configuration
You must complete an initial configuration to have the threat defense virtual function correctly in your network, which includes configuring the addresses needed to insert the security appliance into your network and connect it to the Internet or other upstream router. You can do the initial configuration of the system in one of two ways:
Using the device manager web interface (recommended). Device Manager runs in your web browser. You use this interface to configure, manage, and monitor the system.
Using the Command Line Interface (CLI) setup wizard (optional). You can use the CLI setup wizard for initial configuration instead of device manager, and you can use the CLI for troubleshooting. You still use the device manager to configure, manage, and monitor the system; see (Optional) Launch the threat defense CLI Wizard.
The following topics explain how to use these interfaces to do the initial configuration of your system.
Launch the Device Manager
When you initially log into device manager, you are taken through the device setup wizard to complete the initial system configuration.
Procedure
Step 1
Open a browser and log into device manager. Assuming you did not go through initial configuration in the CLI, open the device manager at https://<FTDv public IPv4 address> or https://[<FTDv public IPv6 address>] (an IPv6 literal goes in square brackets).
Step 2
Log in with the username admin, password Admin123.
Step 3
If this is the first time logging into the system, and you did not use the CLI setup wizard, you are prompted to read and accept the End User License Agreement and change the admin password. You must complete these steps to continue.
Step 4
Configure the following options for the outside and management interfaces and click Next.
Note
Your settings are deployed to the device when you click Next. The interface will be named "outside" and it will be added to the "outside_zone" security zone. Ensure that your settings are correct.
Outside Interface—This is the data port that you connected to your gateway modem or router. You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.
Configure IPv4—The IPv4 address for the outside interface. You can use DHCP or manually enter a static IP address, subnet mask, and gateway.
You can also select Off to not configure an IPv4 address.
Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway.
You can also select Off to not configure an IPv6 address.
Management Interface
DNS Servers—The DNS server for the system's management address. Enter one or more addresses of DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields.
Firewall Hostname—The hostname for the system's management address.
Note
When you configure the threat defense device using the device setup wizard, the system provides two default access rules for outbound and inbound traffic. You can go back and edit these access rules after initial setup.
Step 5
Configure the system time settings and click Next.
Time Zone—Select the time zone for the system.
NTP Time Server—Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups.
Step 6
Configure the smart licenses for the system.
You must have a smart license account to obtain and apply the licenses that the system requires. Initially, you can use the 90-day evaluation license and set up smart licensing later.
To register the device now, click the link to log into your Smart Software Manager account, generate a new token, and copy the token into the edit box.
To use the evaluation license, select Start 90 day evaluation period without registration. To later register the device and obtain smart licenses, click the name of the device in the menu to get to the Device Dashboard, then click the link in the Smart Licenses group.
How to Configure the Device in the Secure Firewall Device Manager
After you complete the setup wizard, you should have a functioning device with a few basic policies in place:
Security zones for the inside and outside interfaces.
An access rule trusting all inside to outside traffic.
An interface NAT rule that translates all inside to outside traffic to unique ports on the IP address of the outside interface.
A DHCP server running on the inside interface or bridge group.
The following steps provide an overview of additional features you might want to configure. Please click the help button
(?) on a page to get detailed information about each step.
Procedure
Step 1
Choose Device, then click View Configuration in the Smart License group.
Click Enable for each of the optional licenses you want to use: IPS, malware defense, URL filtering. If you registered the device during
setup, you can also enable the RA VPN license desired. Read the explanation of each license if you are unsure of whether you
need it.
If you have not registered, you can do so from this page. Click Request Register and follow the instructions. Please register before the evaluation license expires.
For example, an enabled IPS license should look like the following:
Step 2
If you configured other interfaces, choose Device, then click View Configuration in the Interfaces group and configure each interface.
You can create a bridge group for the other interfaces, or configure separate networks, or some combination of both. Click the edit icon for each interface to define the IP address and other settings.
The following example configures an interface to be used as a "demilitarized zone" (DMZ), where you place publicly accessible assets such as your web server. Click Save when you are finished.
Note
To enable the IPv6 address, select the IPv6 tab and configure the IPv6 address using static or DHCP.
Step 3
If you configured new interfaces, choose Objects, then select Security Zones from the table of contents.
Edit or create new zones as appropriate. Each interface must belong to a zone, because you configure policies based on security zones, not interfaces. You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces.
The following example shows how to create a new dmz-zone for the dmz interface.
Step 4
If you want internal clients to use DHCP to obtain an IP address from the device, choose Device > System Settings > DHCP Server, then select the DHCP Servers tab.
There is already a DHCP server configured for the inside interface, but you can edit the address pool or even delete it. If
you configured other inside interfaces, it is very typical to set up a DHCP server on those interfaces. Click + to configure
the server and address pool for each inside interface.
You can also fine-tune the WINS and DNS list supplied to clients on the Configuration tab. The following example shows how to set up a DHCP server on the inside2 interface with the address pool 192.168.4.50-192.168.4.240.
Step 5
Choose Device, then click View Configuration (or Create First Static Route) in the Routing group and configure a default route.
The default route normally points to the upstream or ISP router that resides off the outside interface. A default IPv4 route is for any-ipv4 (0.0.0.0/0), whereas a default IPv6 route is for any-ipv6 (::/0). Create routes for each IP version you use. If you use DHCP to obtain an address for the outside interface, you might already have the default routes that you need.
Note
The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the
management gateway on Device > System Settings > Management Interface.
The following example shows a default route for IPv4. In this example, isp-gateway is a network object that identifies the
IP address of the ISP gateway (you must obtain the address from your ISP). You can create this object by clicking Create New Network at the bottom of the Gateway drop-down list.
Note
Similarly, you can configure the IPv6 routes by selecting the IPv6 radio button.
Step 6
Choose Policies and configure the security policies for the network.
The device setup wizard enables traffic flow between the inside-zone and outside-zone, and interface NAT for all interfaces
when going to the outside interface. Even if you configure new interfaces, if you add them to the inside-zone object, the
access control rule automatically applies to them.
However, if you have multiple inside interfaces, you need an access control rule to allow traffic flow from inside-zone to
inside-zone. If you add other security zones, you need rules to allow traffic to and from those zones. These would be your
minimum changes.
In addition, you can configure other policies to provide additional services, and fine-tune NAT and access rules to get the
results that your organization requires. You can configure the following policies:
SSL Decryption—If you want to inspect encrypted connections (such as HTTPS) for intrusions, malware, and so forth, you must decrypt the
connections. Use the SSL decryption policy to determine which connections need to be decrypted. The system re-encrypts the
connection after inspecting it.
Identity—If you want to correlate network activity to individual users, or control network access based on user or user group membership,
use the identity policy to determine the user associated with a given source IP address.
Security Intelligence—Use the Security Intelligence policy to quickly drop connections from or to blacklisted IP addresses or URLs. By blacklisting
known bad sites, you do not need to account for them in your access control policy. Cisco provides regularly updated feeds
of known bad addresses and URLs so that the Security Intelligence blacklist updates dynamically. Using feeds, you do not need
to edit the policy to add or remove items in the blacklist.
NAT (Network Address Translation)—Use the NAT policy to convert internal IP addresses to externally routable addresses.
Access Control—Use the access control policy to determine which connections are allowed on the network. You can filter by security zone,
IP address, protocol, port, application, URL, user or user group. You also apply intrusion and file (malware) policies using
access control rules. Use this policy to implement URL filtering.
Intrusion—Use the intrusion policies to inspect for known threats. Although you apply intrusion policies using access control rules,
you can edit the intrusion policies to selectively enable or disable specific intrusion rules.
The following example shows how to allow traffic between the inside-zone and dmz-zone in the access control policy. In this
example, no options are set on any of the other tabs except for Logging, where At End of Connection is selected.
Step 7
Choose Device, then click View Configuration in the Updates group and configure the update schedules for the system databases.
If you are using intrusion policies, set up regular updates for the Rules and VDB databases. If you use Security Intelligence
feeds, set an update schedule for them. If you use geolocation in any security policies as matching criteria, set an update
schedule for that database.
Step 8
Click the Deploy button in the menu, then click the Deploy Now button, to deploy your changes to the device.
Changes are not active on the device until you deploy them.
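Once you have more than the two default zones (Steps 3 and 6 above), it is easy to leave a zone pair without a rule or to publish a DMZ server with a broader rule than intended. The following Python script is an added example and not Cisco code. It models zone-to-zone matching of access control rules in order (first match wins; a pair matching no rule falls to the policy's default action, treated here as block) and reports three things a policy review should ask about: required flows with no permitting rule, flows permitted by a rule whose action is Trust (Trust passes traffic without intrusion or file inspection, which is how the wizard's inside-to-outside rule behaves), and permitted zone pairs nobody asked for. The zone names are the ones used in this guide; the rule name Inside_Outside_Rule for the wizard's default rule is an assumption, and the required-flow list and the deliberately broad any_to_dmz rule are constructed for illustration.

```python
"""Review the zone-to-zone shape of a device manager access control policy.

Added example, not Cisco code.  Rules are evaluated in order and the first
match wins; a zone pair that matches no rule falls to the policy's default
action, treated here as block.  Zone names come from this guide; the rule
names, the required flows and the overly broad any_to_dmz rule are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_zones: frozenset   # empty set means "any"
    dst_zones: frozenset   # empty set means "any"
    action: str            # "allow", "trust" or "block"


def first_match(rules, src, dst):
    """Return the first rule whose zone criteria match the pair, or None."""
    for r in rules:
        if (not r.src_zones or src in r.src_zones) and (not r.dst_zones or dst in r.dst_zones):
            return r
    return None


def audit(zones, rules, required):
    """Walk every ordered zone pair, including a zone to itself (which matters
    when several inside interfaces share inside-zone), and classify it."""
    report = {"missing": [], "uninspected": [], "unrequested": []}
    for src in zones:
        for dst in zones:
            r = first_match(rules, src, dst)
            permitted = r is not None and r.action in ("allow", "trust")
            if (src, dst) in required:
                if not permitted:
                    # falls to the default action: a flow you wanted is blocked
                    report["missing"].append((src, dst))
                elif r.action == "trust":
                    # Trust passes packets without intrusion or file inspection
                    report["uninspected"].append((src, dst, r.name))
            elif permitted:
                # reachable although nobody asked for it: tighten the rule
                report["unrequested"].append((src, dst, r.name))
    return report


ZONES = ["inside-zone", "outside-zone", "dmz-zone"]

RULES = [
    # the rule the setup wizard creates (name assumed), action Trust
    Rule("Inside_Outside_Rule", frozenset({"inside-zone"}), frozenset({"outside-zone"}), "trust"),
    # the inside-to-dmz rule added in Step 6
    Rule("inside_to_dmz", frozenset({"inside-zone"}), frozenset({"dmz-zone"}), "allow"),
    # a publishing rule written too broadly: any source zone to the DMZ
    Rule("any_to_dmz", frozenset(), frozenset({"dmz-zone"}), "allow"),
]

# Flows the design calls for: two inside interfaces talk to each other,
# inside reaches outside and the DMZ, and the Internet reaches the DMZ web server.
REQUIRED = {
    ("inside-zone", "inside-zone"),
    ("inside-zone", "outside-zone"),
    ("inside-zone", "dmz-zone"),
    ("outside-zone", "dmz-zone"),
}

if __name__ == "__main__":
    for kind, pairs in audit(ZONES, RULES, REQUIRED).items():
        print(f"{kind}: {pairs}")
```

With the constructed input the report shows the inside-zone to inside-zone gap the text warns about, the uninspected Trust path to the Internet, and the dmz-zone to dmz-zone reachability that the broad publishing rule created as a side effect. To use it for a real policy, transcribe the zone columns and action of each rule in the order they appear on the Policies page.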