The system contact name can be any alphanumeric string up to 255 characters, such as an email address or name and telephone days Set the number of days before you can reuse a password, between 1 and 365. For example, the password must not be based on a standard dictionary word. mode (Optional) Specify the user e-mail address. You can configure up to four NTP servers. fips-mode, enable The Paste in the certificate chain. of your device. You are prompted to enter the SNMP community name. But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. You can configure the network time protocol (NTP), set the date and time manually, or view the current system time. If you enable both commands, then both requirements must be met. enter the command, you are queried for remote server name or IP address, user You must configure DNS (see Configure DNS Servers) if you enable this feature. HTTPS uses components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, such You must configure a valid Remote IKE ID (set remote-ike-id ) in FQDN format. If the passphrases are specified in clear text, you can specify a maximum of 80 characters. ip/mask, set configuration, Secure Firewall chassis We recommend a value of 2048. The ASA does not support LACP rate fast; LACP always uses the normal rate. (Optional) Enable or disable the certificate revocation list check. The default configuration is only applied during a reimage, not kb Sets the maximum amount of traffic between 100 and 4194303 KB. You do not need to commit the buffer. show commands Press Ctrl+c to cancel out of the set message dialog. 
ip_address mask The exception is for ASDM, which you can upgrade from within the ASA operating system, so you do not need to only use the (Optional) Set the interface speed for all members of the port-channel to override the properties set on the individual interfaces. (Optional) Add the existing trustpoint name to IPsec: create previously-used passwords. At the prompt, type a pre-login banner message. output to the appropriate text file, which must already exist. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Formerly, only RSA keys were supported. (Optional) Specify the user phone number. set ssh-server rekey-limit volume {kb | none} time {minutes | none}. For RJ-45 interfaces, the default setting is on. with the username: admin and password: Admin123). To provide stronger authentication for FXOS, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity password-profile, set guide. For copper interfaces, this duplex is only used if you disable autonegotiation. Provides authentication based on the HMAC Secure Hash Algorithm (SHA). (Optional) Set the number of retransmission sequences to perform during initial connect: set You can log in with any username (see Add a User). An attacker could exploit these vulnerabilities by including crafted arguments to specific CLI . (Optional) If you select v3 for the version, specify the privilege associated with the trap. (Optional) Specify the date that the user account expires. requests be sent from the SNMP manager. The privilege level If you are doing remote management (Firepower Management Center) then you set the other interface addresses via that tool. Connect to the FXOS CLI, either the console port (preferred) or using SSH. 
FXOS comes up first, but you still need to wait for the ASA to come up. connections to match your new network. prefix [http | snmp | ssh], delete At the prompt, paste the certificate text that you received from the trust anchor or certificate authority. name. Failed commands are reported in an error message. management. Set the absolute session timeout for all forms of access including serial console, SSH, and HTTPS. You can use the enter keyring-passwd The following example configures an NTP server with the IP address 192.168.200.101. scope ntp-sha1-key-string, enable You can configure FQDN enforcement so that the FQDN of the peer needs to match the DNS Name in the X.509 Certificate presented To send an encrypted message, the sender encrypts the message with the receiver's public key, and the ip_address set https cipher-suite-mode System clock modifications take The chassis generates SNMP notifications as either traps or informs. You are prompted to enter and confirm the privacy password. If you enable the minimum password length check, you must create passwords with the specified minimum number of characters. It cannot start with a number or a special character, such as an underscore. We recommend that you first set FIPS mode on the ASA, wait for the device to reload, and then set FIPS mode in FXOS. timezone. Existing ciphers include: aes128, aes256, aes128gcm16. Both ASA and FXOS have their own authentication, and so do SNMP, syslog, and tech-support logs. enter snmp-user This command is required to use an FQDN if you enforce FQDN usage with the set fqdn-enforce command. min_num_hours This name must be unique and meet the guidelines and restrictions a. Configure a new management IP address, and optionally a new default gateway. the following address range: 192.168.45.10-192.168.45.12. seconds.
pass_change_num Sets the maximum number of times that a locally-authenticated user can change their password during the change interval, min_num_hours Set the minimum number of hours that a locally-authenticated user must wait before changing a newly created password, between On the management computer connected to Management 1/1, SSH to the management IP address (by default https://192.168.45.45, algorithms. set history-count defining a certification path to the root certificate authority (CA). Use the following serial settings: You connect to the FXOS CLI. This identity certificate allows a client browser to trust the connection, and bring up the web interface with no warnings. email-addr. (Optional) (ASA 9.10(1) and later) Configure NTP authentication. The system stores this level and above in the syslog file. Must include at least one lowercase alphabetic character. to the SNMP manager. show command traps Sets the type to traps if you select v2c or v3 for the version. the getting started guide for information When you enter a configuration command in the CLI, the command is not applied until you save the configuration. and privileges. Must include at least one uppercase alphabetic character. Only Ethernet 1/1 and Ethernet 1/2 are enabled by default in both FXOS and the ASA. Configure the local sources that generate syslog messages. An SNMP manager that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU). To keep the currently-set gateway, omit the ipv6-gw keyword. Must not contain the following symbols: $ (dollar sign), ? Strong password check is enabled by default. Up to 16 characters are allowed in the file name. If you change the gateway from the default Show commands do not show the secrets (password fields), so if you want to paste a configuration command. enter the commit-buffer command. | workspace:}. firepower# connect ftd Configure the FTD management IP address. 
set password-expiration {days | never} Set the expiration between 1 and 9999 days. Copy and paste the entire text block at the FXOS CLI. ASDM images that you upload manually do not appear in the FXOS image list; you must manage ASDM images from the ASA. -M This setting is the default. View the synchronization status for a specific NTP server. To allow changes, set the set no-change-interval to disabled . enable. You must delete the user account and create a new one. set expiration To filter the output prefix_length For IPv4, the prefix length is from 0 to 32. length, with typical lengths from 512 bits to 2048 bits. for FXOS management traffic. ip The chassis provides the following support for SNMP: The chassis supports read-only access to MIBs. set port the public key in question, the sender's possession of the corresponding private key is proven. As another example, with show configuration | sort, you can add the option -u to remove duplicate lines from the output. download image admin-state to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. This section describes how to set the date and time manually on the Firepower 2100 chassis. object, scope Firepower 2100 uses NTP version 3. scope (Optional) Configure the enforcement of matching cryptographic key strength between IKE and SA connections: set individual interfaces. By default, the minimum number is 0, which disables the history count and allows users to reuse You can connect to the ASA CLI from FXOS, and vice versa. These notifications do not require that gateway_address. The default ASA Management 1/1 interface IP address is 192.168.45.1. If a pre-login banner is not configured, the From FXOS, you can enter the Firepower Threat Defense CLI using the connect ftd command. detail.
and HTTPS sessions are closed without warning as soon as you save or commit the transaction. keyring_name. be physically enabled in FXOS and logically enabled in the ASA. The configuration will setting, set the value to 0. The Firepower 2100 supports the following ciphers and algorithms: modp2048, curve25519, ecp256, ecp384, ecp521, modp3072, modp4096. regenerate yes. If you use the no-prompt keyword, the chassis will reboot immediately after entering the command. Select the lowest message level that you want displayed in an SSH session. local-user-name Sets the account name to be used when logging into this account. long an SSH session can be idle) before FXOS disconnects the session. system-location-name. ike-rekey-time show command | { begin expression| count| cut expression| egrep expression| end expression| exclude expression| grep expression| head| include expression| last| less| no-more| sort expression| tr expression| uniq expression| wc}. The filtering options are entered after the command's initial If you connect to the ASA management IP address using SSH, enter connect fxos to access FXOS. By default, a self-signed SSL certificate is generated for use with the chassis manager. object command exists. An EtherChannel (also known as a port-channel) can include up to 8 member interfaces of the ipv6 first-name. (Optional) Enable or disable the certificate revocation list check: set output to a specified text file using the selected transport protocol. For SFP interfaces, the default setting is off, and you cannot enable autonegotiation.
tr Translates, squeezes, and/or deletes ntp-sha1-key-id EtherChannel member ports are visible on the ASA, but you can only configure EtherChannels and port membership in FXOS. When you configure multiple revoke-policy To use an interface, it must be physically enabled in FXOS and logically enabled in the ASA. specified pattern, and display that line and all subsequent lines. set a device's public key along with signed information about the device's identity. ip in multiple command modes and apply them together. days Set the number of days a user has to change their password after expiration, between 0 and 9999. mode for the best compatibility. Configuring the Role Policy for Remote Users; Enabling Password Strength Check for Locally Authenticated Users; Set the Maximum Number of Login Attempts. manager, chassis manager or the FXOS Specify the 2-letter country code of the country in which the company resides. Because the DHCP server is enabled by default on Management 1/1, you must disable DHCP before you change the management IP (Optional) Specify the first name of the user: set firstname show ntp-server [hostname | ip_addr | ip6_addr]. enter snmp-trap {hostname | ip-addr | ip6-addr}. clock. gw interface name, set The security model combines with the selected security set By default, expiration is disabled (never ). Enable or disable the password strength check. The documentation set for this product strives to use bias-free language. Note that in the following syntax description, not be erased, and the default configuration is not applied. Set the interface speed if you disable autonegotiation. Enter the appropriate information minutes Sets the maximum time between 10 and 1440 minutes. output of The username is used as the login ID for the Secure Firewall chassis The following example These syslog messages apply only to the FXOS chassis. Make sure the image you want to upload is available on an FTP, SCP, SFTP, TFTP server, or a USB drive. certchain [certchain].
Enter the user credentials; by default, you can log in with the admin user and the default password, Admin123. The admin account is a default user account and cannot be modified or deleted. default-auth, set absolute-session-timeout ASA fxos permit command), you can also connect to the data interface IP address on the non-standard port, by default, 3022. exclude Excludes all lines that match the pattern The retry_number value can be any integer between 1-5, inclusive. to route traffic to a router on the Management 1/1 network instead, then you can The following example shows how the prompts change during the command entry process: You can save the effect immediately. Specify the SNMP version and model used for the trap. The You can also change the default gateway For example, chassis, network modules, ports, and processors are physical entities represented as managed ipv6-block egrep Displays only those lines that match the ipv6-gw last-name. To enable FDM on-box management on the Firepower 2100 series, proceed as follows. set Perform these steps to enable FIPS or Common Criteria (CC) mode on your Firepower 2100. On the line following your input, type ENDOFBUF and press Enter to finish. ipv6-block data interface nor will FXOS be able to initiate traffic on a data interface. A managed information base (MIB): The collection of managed objects on the You are prompted to enter a number corresponding to your continent, country, and time zone region. SNMP, you must add or change the Access Lists. You can then reenable DHCP for the new network. The following example sets many user requirements: You can upgrade the ASA package, reload, or power off the chassis. You can now configure SHA1 NTP server authentication in FXOS. dns {ipv4_addr | ipv6_addr}. You cannot create an all-numeric login ID. retry_number.
The default is no limit (none). yes If the IKE-negotiated key size is less than the ESP-negotiated key size, then the connection fails. netmask If you SSH to FXOS, you can also connect to the ASA CLI; a connection from SSH is not a console connection, name (asdm.bin). NTP is configured by default so that the ASA can reach the licensing server. network_mask set https keyring Operating System, show cut Removes (cut) portions of each line. prefix_length {https | snmp | ssh}, enter manager, Secure Firewall eXtensible terminal monitor Enter Password: ****** All users are assigned the read-only role by default, and this role cannot be removed. An SNMP agent: The software component within the chassis that maintains the data for the chassis and reports the data, as needed, We added password security improvements, including the following: User passwords can be up to 127 characters. compliance must be configured in accordance with Cisco security policy documents. The following example sets the domain name to example.com: You need to specify a DNS server if the system requires resolution of hostnames to IP addresses. ipsec, set show command Toggle between FXOS & ASA prompt: The following example configures an IPv4 management interface and gateway: The following example configures an IPv6 management interface and gateway: You can set the SSL/TLS versions for HTTPS access. pattern. url. ipv6_address (For RSA) Set the SSL key length in bits. The third-party certificate is signed by the issuing trusted point, which can be a root certificate authority Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute commands on the underlying operating system (OS) with root privileges. object. You can view the pending commands in any command mode. You can also enable and disable Encryption keys can vary in can show all or parts of the configuration by using the show pass-change-num.
Enter the FXOS login credentials. 0.0.0.0 (the ASA data interfaces), then you will not be able to access FXOS on a The certificate must be in Base64 encoded X.509 (CER) format. If You can manage physical interfaces in FXOS. same speed and duplex. set syslog monitor level {emergencies | alerts | critical | errors | warnings | notifications | information | debugging}. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x. Before generating the Certificate Signing Request, all hostnames are resolved using DNS. default level is Critical. You cannot use any spaces or For example, if you set the history count to 3, and the reuse To obtain a new certificate, revoke-policy {relaxed | strict}. If you want to allow access from other networks, or to allow SNMP is an application-layer protocol that provides a message format for If you configure remote management (the local-user-name. The Firepower 2100 series platform running ASA has two software components, FXOS and ASA. chassis You must manually regenerate default key ring certificate if the certificate expires. scope set We added the following IKE and ESP ciphers and algorithms (not configurable): Ciphers: aes192. security, scope Otherwise, the chassis will not shut down until interface_id. Provide the CSR output to the Certificate Authority in accordance with the Certificate Authority's enrollment process. Set one or more of the following protocols, separated by spaces or commas: set ssh-server kex-algorithm The default is 3 days. console, SSH session, or a local file. Only SHA1 is supported for NTP server authentication. See Install a Trusted Identity Certificate. Port 443 is the default port. prefix [https | snmp | ssh]. New/Modified FXOS commands: enable ntp-authentication, set ntp-sha1-key-id, set ntp-sha1-key-string. the CA's private key.
This account is the system administrator or A user with admin privileges can configure the system The system displays this level and above. protocols, set ssh-server host-key rsa port_num. a configuration command is pending and can be discarded. scope When you connect to the ASA console from the FXOS console, this connection scope set syslog file name If you want the command errors out. accesses the chassis manager, the browser shows an SSL warning, which requires the user to accept the certificate before accessing the chassis manager. a device can generate its own key pair and its own self-signed certificate. modulus {mod1536 | mod2048 | mod2560 | mod3072 | mod3584 | mod4096}, set elliptic-curve {secp256r1 | secp384r1 | secp521r1}. We added the following SSH server encryption algorithms: We added the following SSH server key exchange methods: New/Modified commands: set ssh-server encrypt-algorithm , set ssh-server kex-algorithm. tunnel_or_transport, set To change the management IP address, see Change the FXOS Management IP Addresses or Gateway. by piping the output to filtering commands. You can send syslog messages to the Firepower 2100 DNS is required to communicate with the NTP server. set characters. If you want to upgrade a failover pair, see the Cisco ASA Upgrade Guide. the initial vertical bar We recommend that each user have a strong password. A security model is an authentication strategy that is set up disabled}, set password-reuse-interval {days | disabled}. enter . To make sure that you are running a compatible version For example, the medium strength specification string FXOS uses as the default is: ALL:!ADH:!EXPORT56:!LOW:RC4+RSA:+HIGH:+MEDIUM:+EXP:+eNULL, set https access-protocols Select the lowest message level that you want displayed on the console. SNMP security levels support one or more of the following privileges: noAuthNoPriv: No authentication or encryption; authNoPriv: Authentication but no encryption.
The security level determines the privileges required to view the message associated with an SNMP trap. ntp-authentication, set Enforcement is enabled by default, except for connections created prior to 9.13(1); you must { num_of_passwords You can now use ECDSA keys for certificates. ntp-server {hostname | ip_addr | ip6_addr}, show Set one or more of the following algorithms, separated by spaces or commas: set ssh-server mac-algorithm configuration into a new device, you will have to modify the show output to include SSH is enabled by default. You must manually regenerate the default key ring certificate if the certificate expires. Interfaces that are already a member of an EtherChannel cannot be modified individually. set syslog file size If any command fails, the successful commands are applied To set the gateway to the ASA data interfaces, set the gw to ::. ntp-server {hostname | ip_addr | ip6_addr}. eth-uplink, scope trustpoint Cisco Firepower 2100 Series Forensic Investigation Procedures for First Responders Introduction Prerequisites Step One - Cisco Firepower Device Problem Description Step Two - Document the Cisco Firepower Runtime Environment Step Three - Verify the Integrity of System Files Step Four - Verify Digitally Signed Image Authenticity If you do not specify certificate information in the command, you are prompted to enter a certificate or a list of trustpoints The following example enables HTTPS, sets the port number to 4443, sets the key ring name to kring7984, and sets the Cipher By default, the LACP User accounts are used to access the Firepower 2100 chassis. The If you or pattern, is typically a simple text string. SNMPv3 provides for both security models and security levels. Message origin authentication: Ensures that the claimed identity of the user on whose behalf received data was originated is You can configure up to 48 local user accounts. level to determine the security mechanism applied when the SNMP message is processed.
types (copper and fiber) can be mixed. trustpoint Appends For IPv4, enter 0.0.0.0 and a prefix of 0 to allow all networks. use the following subcommands. fabric-interconnect keyringtries If you only specify SSLv3, you may see an The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will are most useful when dealing with commands that produce a lot of text.