Cisco has translated this document using a combination of computer and human technologies so that users worldwide can read support content in their own language. Please note that even the best machine translation is not as accurate as the work of a professional translator. Cisco Systems, Inc. accepts no responsibility for the accuracy of these translations and recommends that you always refer to the original English document (link provided).
This document describes how to configure and verify the cluster feature on FPR9300 appliances.
Note: The information in this document covers the initial installation and configuration of a cluster. It does not apply to the part replacement (Return Merchandise Authorization, RMA) process.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Lab completion time: 1 hour.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Task requirement:
Create the cluster, the management interface, and the port-channel data interface.
Solution:
Step 1. Create the port-channel data interface.
To create a new interface, you must log in to the FPR9300 Chassis Manager and navigate to the Interfaces tab.
Select Add Port Channel and create a new port-channel interface with these parameters:
Port Channel ID | 5
Type | Data
Enable | Yes
Member ID | Ethernet1/3, Ethernet1/4
Select OK to save the configuration, as shown in the image.
Step 2. Create the management interface.
On the Interfaces tab, select the interface, click Edit, and configure an interface of type Management.
Click OK to save the configuration, as shown in the image.
Step 3. Create the cluster control link interface.
Click the Add Port Channel button and create a new port-channel interface with these parameters, as shown in the image.
Port Channel ID | 48
Type | Cluster
Enable | Yes
Member ID | -
Task requirement:
Create the FTD cluster device.
Solution:
Step 1. Navigate to Logical Devices and click the Add Device button.
Create the FTD cluster as shown:
Device Name | FTD_cluster
Template | Cisco Firepower Threat Defense
Image Version | 6.0.1.1213
Device Mode | Cluster
To add the device, click OK, as shown in the image.
Step 2. Configure and deploy the FTD cluster.
After the FTD device is created, you are redirected to the Provisioning - device_name window.
Click the device icon to start the configuration, as shown in the image.
Configure the FTD Cluster Information tab with these settings, as shown in the image.
Cluster Key | cisco
Cluster Group Name | FTD_cluster
Management Interface | Ethernet1/1
Configure the FTD Settings tab with these settings, as shown in the image.
Registration Key | cisco
Password | Admin123
Firepower Management Center IP | 10.62.148.73
Search Domains | cisco.com
Firewall Mode | Routed
DNS Servers | 173.38.200.100
Fully Qualified Hostname | ksec-fpr9k-1-1-3.cisco.com
Eventing Interface | None
Configure the FTD Interface Information tab with these settings, as shown in the image.
Address Type | IPv4 only
Security Module 1 |
Management IP | 10.62.148.67
Netmask | 255.255.255.128
Gateway | 10.62.148.1
Security Module 2 |
Management IP | 10.62.148.68
Netmask | 255.255.255.128
Gateway | 10.62.148.1
Security Module 3 |
Management IP | 10.62.148.69
Netmask | 255.255.255.128
Gateway | 10.62.148.1
Accept the agreement on the Agreement tab and click OK, as shown in the image.
Step 3. Assign the data interfaces to the FTD.
Expand the Data Ports area and click each interface that you want to assign to the FTD. When you are done, select Save to create the FTD cluster, as shown in the image.
Wait a few minutes for the cluster to be deployed and for the primary unit to be elected.
Verification:
FPR9K-1-A#
FPR9K-1-A# scope ssa
FPR9K-1-A /ssa # show app-instance
Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               6.0.1.1213      6.0.1.1213      In Cluster
ftd                  2          Enabled         Online               6.0.1.1213      6.0.1.1213      In Cluster
ftd                  3          Enabled         Online               6.0.1.1213      6.0.1.1213      In Cluster
firepower# show cluster info
Cluster FTD_cluster: On
    Interface mode: spanned
    This is "unit-1-1" in state MASTER
        ID        : 0
        Version   : 9.6(1)
        Serial No.: FLM19216KK6
        CCL IP    : 127.2.1.1
        CCL MAC   : 0015.c500.016f
        Last join : 21:51:03 CEST Aug 8 2016
        Last leave: N/A
Other members in the cluster:
    Unit "unit-1-3" in state SLAVE
        ID        : 1
        Version   : 9.6(1)
        Serial No.: FLM19206H7T
        CCL IP    : 127.2.1.3
        CCL MAC   : 0015.c500.018f
        Last join : 21:51:05 CEST Aug 8 2016
        Last leave: N/A
    Unit "unit-1-2" in state SLAVE
        ID        : 2
        Version   : 9.6(1)
        Serial No.: FLM19206H71
        CCL IP    : 127.2.1.2
        CCL MAC   : 0015.c500.019f
        Last join : 21:51:30 CEST Aug 8 2016
        Last leave: N/A
firepower# cluster exec show cluster interface-mode
cluster interface-mode spanned
unit-1-3:*************************************************************
cluster interface-mode spanned
unit-1-2:*************************************************************
cluster interface-mode spanned
firepower#
firepower# cluster exec show cluster history
==========================================================================
From State                     To State                       Reason
==========================================================================
21:49:25 CEST Aug 8 2016
DISABLED                       DISABLED                       Disabled at startup
21:50:18 CEST Aug 8 2016
DISABLED                       ELECTION                       Enabled from CLI
21:51:03 CEST Aug 8 2016
ELECTION                       MASTER_POST_CONFIG             Enabled from CLI
21:51:03 CEST Aug 8 2016
MASTER_POST_CONFIG             MASTER                         Master post config done and waiting for ntfy
==========================================================================
unit-1-3:*************************************************************
==========================================================================
From State                     To State                       Reason
==========================================================================
21:49:44 CEST Aug 8 2016
DISABLED                       DISABLED                       Disabled at startup
21:50:37 CEST Aug 8 2016
DISABLED                       ELECTION                       Enabled from CLI
21:50:37 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:41 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:41 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:46 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:46 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:51 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:51 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:56 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:56 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:01 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:01 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:04 CEST Aug 8 2016
ONCALL                         SLAVE_COLD                     Received cluster control message
21:51:04 CEST Aug 8 2016
SLAVE_COLD                     SLAVE_APP_SYNC                 Client progression done
21:51:05 CEST Aug 8 2016
SLAVE_APP_SYNC                 SLAVE_CONFIG                   Slave application configuration sync done
21:51:17 CEST Aug 8 2016
SLAVE_CONFIG                   SLAVE_BULK_SYNC                Configuration replication finished
21:51:29 CEST Aug 8 2016
SLAVE_BULK_SYNC                SLAVE                          Configuration replication finished
==========================================================================
unit-1-2:*************************************************************
==========================================================================
From State                     To State                       Reason
==========================================================================
21:49:24 CEST Aug 8 2016
DISABLED                       DISABLED                       Disabled at startup
21:50:16 CEST Aug 8 2016
DISABLED                       ELECTION                       Enabled from CLI
21:50:17 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:21 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:21 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:26 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:26 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:31 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:31 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:36 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:36 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:41 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:41 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:46 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:46 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:51 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:51 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:50:56 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:50:56 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:01 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:01 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:06 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:06 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:12 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:12 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:17 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:17 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:22 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:22 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:27 CEST Aug 8 2016
ONCALL                         ELECTION                       Received cluster control message
21:51:27 CEST Aug 8 2016
ELECTION                       ONCALL                         Received cluster control message
21:51:30 CEST Aug 8 2016
ONCALL                         SLAVE_COLD                     Received cluster control message
21:51:30 CEST Aug 8 2016
SLAVE_COLD                     SLAVE_APP_SYNC                 Client progression done
21:51:31 CEST Aug 8 2016
SLAVE_APP_SYNC                 SLAVE_CONFIG                   Slave application configuration sync done
21:51:43 CEST Aug 8 2016
SLAVE_CONFIG                   SLAVE_BULK_SYNC                Configuration replication finished
21:51:55 CEST Aug 8 2016
SLAVE_BULK_SYNC                SLAVE                          Configuration replication finished
==========================================================================
firepower#
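The check an engineer usually scripts over this output, added here as an example that is not part of the Cisco document: it parses the cluster exec show cluster history output (a constructed, shortened sample is embedded) and reports whether every unit ended in MASTER or SLAVE and how many election rounds it needed, which is how a unit stuck bouncing between ELECTION and ONCALL shows up. The local unit name unit-1-1 is an assumption used for the lines before the first unit header.

```python
import re

# Constructed sample modelled on the "cluster exec show cluster history" output above
# (ONCALL/ELECTION rounds shortened); unit-1-2 is deliberately left mid-election.
SAMPLE_HISTORY = """\
firepower# cluster exec show cluster history
From State                     To State                       Reason
21:49:25 CEST Aug 8 2016 DISABLED DISABLED Disabled at startup
21:50:18 CEST Aug 8 2016 DISABLED ELECTION Enabled from CLI
21:51:03 CEST Aug 8 2016 ELECTION MASTER_POST_CONFIG Enabled from CLI
21:51:03 CEST Aug 8 2016 MASTER_POST_CONFIG MASTER Master post config done and waiting for ntfy
unit-1-3:*************************************************************
21:49:44 CEST Aug 8 2016 DISABLED DISABLED Disabled at startup
21:50:37 CEST Aug 8 2016 DISABLED ELECTION Enabled from CLI
21:50:37 CEST Aug 8 2016 ELECTION ONCALL Received cluster control message
21:50:41 CEST Aug 8 2016 ONCALL ELECTION Received cluster control message
21:50:41 CEST Aug 8 2016 ELECTION ONCALL Received cluster control message
21:51:04 CEST Aug 8 2016 ONCALL SLAVE_COLD Received cluster control message
21:51:04 CEST Aug 8 2016 SLAVE_COLD SLAVE_APP_SYNC Client progression done
21:51:05 CEST Aug 8 2016 SLAVE_APP_SYNC SLAVE_CONFIG Slave application configuration sync done
21:51:17 CEST Aug 8 2016 SLAVE_CONFIG SLAVE_BULK_SYNC Configuration replication finished
21:51:29 CEST Aug 8 2016 SLAVE_BULK_SYNC SLAVE Configuration replication finished
unit-1-2:*************************************************************
21:49:24 CEST Aug 8 2016 DISABLED DISABLED Disabled at startup
21:50:16 CEST Aug 8 2016 DISABLED ELECTION Enabled from CLI
21:50:17 CEST Aug 8 2016 ELECTION ONCALL Received cluster control message
21:50:21 CEST Aug 8 2016 ONCALL ELECTION Received cluster control message
"""

UNIT_HDR = re.compile(r"^(unit-\d+-\d+)(?:\(LOCAL\))?:\*+")
# "<time> <tz> <month> <day> <year> FROM_STATE TO_STATE reason"; state names are upper-case
TRANSITION = re.compile(r"^(\d\d:\d\d:\d\d \S+ \w+ \d+ \d{4}) ([A-Z_]+) ([A-Z_]+) (.*)$")
STABLE = {"MASTER", "SLAVE"}  # the only states a healthy, joined unit ends in

def parse_cluster_history(text, local_name="unit-1-1"):
    """Return {unit: [(timestamp, from_state, to_state, reason), ...]}; lines before
    the first unit-x-y:*** header belong to the local unit (assumed to be unit-1-1)."""
    units, current = {}, local_name
    for line in text.splitlines():
        hdr = UNIT_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            continue
        tr = TRANSITION.match(line)
        if tr:
            units.setdefault(current, []).append(tr.groups())
    return units

def cluster_health(text, local_name="unit-1-1"):
    """Per unit: last state reached, whether it is a stable cluster state, and how
    many ELECTION -> ONCALL rounds the unit went through before it joined."""
    report = {}
    for unit, trans in parse_cluster_history(text, local_name).items():
        final = trans[-1][2]
        rounds = sum(1 for _, src, dst, _ in trans if (src, dst) == ("ELECTION", "ONCALL"))
        report[unit] = {"state": final, "stable": final in STABLE, "election_rounds": rounds}
    return report
```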
Task requirement:
Add the logical devices to the FMC and group them into a cluster.
Solution:
Step 1. Add the logical devices to the FMC. As of FMC version 6.3, you register only one FTD device (the primary unit is recommended). The remaining FTDs are discovered automatically by the FMC.
Log in to the FMC, navigate to the Devices > Device Management tab, and click Add Device.
Add the first logical device with the settings mentioned in the image.
Click Register to start the registration.
Verification, as shown in the image.
Task requirement:
Configure subinterfaces for the port-channel data interface.
Solution:
Step 1. In the FMC GUI, select the Edit button for FTD_cluster.
Navigate to the Interfaces tab and click Add Interfaces > Sub Interface, as shown in the image.
Configure the first subinterface with these details. Select OK to apply the changes, as shown in the image.
Name | INSIDE
General tab |
Interface | Port-channel5
Sub Interface ID | 201
VLAN ID | 201
IPv4 tab |
IP Type | Use Static IP
IP Address | 192.168.75.10/24
Configure the second subinterface with these details.
Name | OUTSIDE
General tab |
Interface | Port-channel5
Sub Interface ID | 210
VLAN ID | 210
IPv4 tab |
IP Type | Use Static IP
IP Address | 192.168.76.10/24
Click OK to create the subinterface. Click Save and then Deploy the changes to FTD_cluster, as shown in the image.
Verification:
Task requirement:
Create captures and check the connectivity between two VMs.
Solution:
Step 1. Create captures on all cluster units.
Navigate to the LINA (ASA) CLI of the primary unit and create captures for the inside and outside interfaces.
firepower#
firepower# cluster exec capture capi interface inside match icmp any any
unit-1-1(LOCAL):******************************************************
unit-1-3:*************************************************************
unit-1-2:*************************************************************
firepower#
firepower# cluster exec capture capo interface outside match icmp any any
unit-1-1(LOCAL):******************************************************
unit-1-3:*************************************************************
unit-1-2:*************************************************************
firepower#
Verification:
firepower# cluster exec show capture
unit-1-1(LOCAL):******************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match icmp any any
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match icmp any any
unit-1-3:*************************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match icmp any any
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match icmp any any
unit-1-2:*************************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match icmp any any
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match icmp any any
firepower#
Step 2. Run a ping test from VM1 to VM2.
Use 4 packets for the test. After the test, check the capture output:
firepower# cluster exec show capture
unit-1-1(LOCAL):******************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match icmp any any
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match icmp any any
unit-1-3:*************************************************************
capture capi type raw-data interface Inside [Capturing - 752 bytes]
  match icmp any any
capture capo type raw-data interface Outside [Capturing - 752 bytes]
  match icmp any any
unit-1-2:*************************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match icmp any any
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match icmp any any
firepower#
Run this command to check the capture output on a specific unit:
firepower# cluster exec unit unit-1-3 show capture capi
8 packets captured
   1: 12:58:36.162253 802.1Q vlan#201 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   2: 12:58:36.162955 802.1Q vlan#201 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
   3: 12:58:37.173834 802.1Q vlan#201 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   4: 12:58:37.174368 802.1Q vlan#201 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
   5: 12:58:38.187642 802.1Q vlan#201 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   6: 12:58:38.188115 802.1Q vlan#201 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
   7: 12:58:39.201832 802.1Q vlan#201 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   8: 12:58:39.202321 802.1Q vlan#201 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
8 packets shown
firepower# cluster exec unit unit-1-3 show capture capo
8 packets captured
   1: 12:58:36.162543 802.1Q vlan#210 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   2: 12:58:36.162894 802.1Q vlan#210 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
   3: 12:58:37.174002 802.1Q vlan#210 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   4: 12:58:37.174307 802.1Q vlan#210 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
   5: 12:58:38.187764 802.1Q vlan#210 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   6: 12:58:38.188085 802.1Q vlan#210 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
   7: 12:58:39.201954 802.1Q vlan#210 P0 192.168.75.100 > 192.168.76.100: icmp: echo request
   8: 12:58:39.202290 802.1Q vlan#210 P0 192.168.76.100 > 192.168.75.100: icmp: echo reply
8 packets shown
firepower#
After you complete this task, use these commands to remove the captures:
firepower# cluster exec no capture capi
unit-1-1(LOCAL):******************************************************
unit-1-3:*************************************************************
unit-1-2:*************************************************************
firepower# cluster exec no capture capo
unit-1-1(LOCAL):******************************************************
unit-1-3:*************************************************************
unit-1-2:*************************************************************
Step 3. Download a file from VM2 to VM1.
VM1 is preconfigured as an FTP server, and VM2 is preconfigured as an FTP client.
Create new captures with this content:
firepower# cluster exec capture capi interface inside match ip host 192.168.75.100 host 192.168.76.100
unit-1-1(LOCAL):******************************************************
unit-1-3:*************************************************************
unit-1-2:*************************************************************
firepower# cluster exec capture capo interface outside match ip host 192.168.75.100 host 192.168.76.100
unit-1-1(LOCAL):******************************************************
unit-1-3:*************************************************************
unit-1-2:*************************************************************
Use the FTP client to download a file from VM2 to VM1.
Check the show conn output:
firepower# cluster exec show conn all
unit-1-1(LOCAL):******************************************************
20 in use, 21 most used
Cluster:
        fwd connections: 0 in use, 2 most used
        dir connections: 0 in use, 52 most used
        centralized connections: 0 in use, 6 most used
TCP Outside 192.168.76.100:49175 Inside 192.168.75.100:21, idle 0:00:32, bytes 665, flags UIOeN
UDP cluster 255.255.255.255:49495 NP Identity Ifc 127.2.1.1:49495, idle 0:00:00, bytes 17858058, flags -
TCP cluster 127.2.1.3:10844 NP Identity Ifc 127.2.1.1:38296, idle 0:00:33, bytes 5496, flags UI
...
TCP cluster 127.2.1.3:59588 NP Identity Ifc 127.2.1.1:10850, idle 0:00:33, bytes 132, flags UO
unit-1-3:*************************************************************
12 in use, 16 most used
Cluster:
        fwd connections: 0 in use, 4 most used
        dir connections: 1 in use, 10 most used
        centralized connections: 0 in use, 0 most used
TCP Outside 192.168.76.100:49175 Inside 192.168.75.100:21, idle 0:00:34, bytes 0, flags y
TCP cluster 127.2.1.1:10851 NP Identity Ifc 127.2.1.3:48493, idle 0:00:52, bytes 224, flags UI
...
TCP cluster 127.2.1.1:64070 NP Identity Ifc 127.2.1.3:10847, idle 0:00:11, bytes 806, flags UO
unit-1-2:*************************************************************
12 in use, 15 most used
Cluster:
        fwd connections: 0 in use, 2 most used
        dir connections: 0 in use, 3 most used
        centralized connections: 0 in use, 0 most used
TCP cluster 127.2.1.1:10851 NP Identity Ifc 127.2.1.2:64136, idle 0:00:53, bytes 224, flags UI
...
TCP cluster 127.2.1.1:15859 NP Identity Ifc 127.2.1.2:10847, idle 0:00:11, bytes 807, flags UO
Check the show capture output:
firepower# cluster exec show cap
unit-1-1(LOCAL):******************************************************
capture capi type raw-data interface Inside [Buffer Full - 523954 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
capture capo type raw-data interface Outside [Buffer Full - 524028 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
unit-1-3:*************************************************************
capture capi type raw-data interface Inside [Buffer Full - 524062 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
capture capo type raw-data interface Outside [Buffer Full - 524228 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
unit-1-2:*************************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
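An added example, not part of the Cisco document, that parses the cluster exec show capture output above (a constructed sample is embedded) to list which units actually captured the flow and which capture buffers have filled up; it works the same on the ping-test output from step 2.

```python
import re

# Constructed sample modelled on the "cluster exec show cap" output above.
SAMPLE_SHOW_CAPTURE = """\
firepower# cluster exec show cap
unit-1-1(LOCAL):******************************************************
capture capi type raw-data interface Inside [Buffer Full - 523954 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
capture capo type raw-data interface Outside [Buffer Full - 524028 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
unit-1-3:*************************************************************
capture capi type raw-data interface Inside [Buffer Full - 524062 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
capture capo type raw-data interface Outside [Buffer Full - 524228 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
unit-1-2:*************************************************************
capture capi type raw-data interface Inside [Capturing - 0 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
capture capo type raw-data interface Outside [Capturing - 0 bytes]
  match ip host 192.168.75.100 host 192.168.76.100
"""

UNIT_HDR = re.compile(r"^(unit-\d+-\d+)(?:\(LOCAL\))?:\*+")
CAPTURE = re.compile(
    r"^capture (\S+) type \S+ interface (\S+) \[(Capturing|Buffer Full) - (\d+) bytes\]")

def parse_show_capture(text):
    """Return {unit: {capture_name: (interface, state, captured_bytes)}}."""
    result, unit = {}, None
    for line in text.splitlines():
        hdr = UNIT_HDR.match(line)
        if hdr:
            unit = hdr.group(1)
            result[unit] = {}
            continue
        cap = CAPTURE.match(line.strip())
        if cap and unit is not None:
            name, ifc, state, nbytes = cap.groups()
            result[unit][name] = (ifc, state, int(nbytes))
    return result

def units_with_traffic(text, capture_name):
    """Units whose named capture holds bytes, i.e. the units this flow's packets
    actually passed through (in the sample: unit-1-1 and unit-1-3, not unit-1-2)."""
    caps = parse_show_capture(text)
    return sorted(u for u in caps if capture_name in caps[u] and caps[u][capture_name][2] > 0)

def full_buffers(text):
    """(unit, capture) pairs reporting Buffer Full: those captures stopped recording,
    so the tail of a large transfer such as the FTP download may be missing from them."""
    return sorted((u, n) for u, caps in parse_show_capture(text).items()
                  for n, (_, state, _) in caps.items() if state == "Buffer Full")
```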
In the image below you can see a 3-unit cluster on an FPR9300 with 2 port-channels (8 and 48). The logical device is an ASA, but the same concept applies in the case of FTD. The important point to remember is that although there are 3 cluster units, from the capture point of view there is only one logical device:
Task requirement:
Log in to the FMC and remove a secondary unit (shown as SLAVE in the CLI output) from the cluster.
Solution:
Step 1. Log in to the FMC and navigate to Devices > Device Management.
Click the trash-can icon next to the secondary unit, as shown in the image.
A confirmation window appears. Select Yes to confirm, as shown in the image.
Verification:
FPR9K-1-A# scope ssa
FPR9K-1-A /ssa # show app-instance
Application Name     Slot ID    Admin State     Operational State    Running Version Startup Version Cluster Oper State
-------------------- ---------- --------------- -------------------- --------------- --------------- ------------------
ftd                  1          Enabled         Online               6.0.1.1213      6.0.1.1213      In Cluster
ftd                  2          Enabled         Online               6.0.1.1213      6.0.1.1213      In Cluster
ftd                  3          Enabled         Online               6.0.1.1213      6.0.1.1213      In Cluster
firepower# show cluster info
Cluster FTD_cluster: On
    Interface mode: spanned
    This is "unit-1-1" in state MASTER
        ID        : 0
        Version   : 9.6(1)
        Serial No.: FLM19216KK6
        CCL IP    : 127.2.1.1
        CCL MAC   : 0015.c500.016f
        Last join : 21:51:03 CEST Aug 8 2016
        Last leave: N/A
Other members in the cluster:
    Unit "unit-1-3" in state SLAVE
        ID        : 1
        Version   : 9.6(1)
        Serial No.: FLM19206H7T
        CCL IP    : 127.2.1.3
        CCL MAC   : 0015.c500.018f
        Last join : 21:51:05 CEST Aug 8 2016
        Last leave: N/A
    Unit "unit-1-2" in state SLAVE
        ID        : 2
        Version   : 9.6(1)
        Serial No.: FLM19206H71
        CCL IP    : 127.2.1.2
        CCL MAC   : 0015.c500.019f
        Last join : 21:51:30 CEST Aug 8 2016
        Last leave: N/A
firepower#
Note: The device has been unregistered from the FMC, but it is still a cluster member on the FPR9300.
Use this section to confirm that your configuration works properly.
The verification has been completed and is covered within the individual tasks.
There is currently no specific troubleshooting information available for this configuration.
https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html#id_47280
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/roadmap/fxos-roadmap.html#pgfId-121950
http://www.ciscopress.com/title/9781587144806
https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html