Cisco Firepower 2100 FXOS CLI Configuration Guide

The ASA, ASDM, and FXOS images are bundled together into a single package. The system displays this level and above. Existing ciphers include: aes128, aes256, aes128gcm16. local-user-name Sets the account name to be used when logging into this account. Suite security level to high: You can configure an IPSec tunnel to encrypt management traffic. Also, if you do not specify certificate information in the command, you are prompted to enter a certificate or a list of trustpoints effect immediately. Removed the set change-during-interval command, and added a disabled option for the set change-interval, set no-change-interval, and set history-count commands. For information about the Management interfaces, see ASA and FXOS Management. New/Modified commands: set port-channel-mode, Support for NTP Authentication on the Firepower 2100. yes If the IKE-negotiated key size is less than the ESP-negotiated key size, then the connection fails. ip-block informs Sets the type to informs if you select v2c for the version. These syslog messages apply only to the FXOS chassis. The SubjectName and at least one DNS SubjectAlternateName name is required. passphrase. For example, with show configuration | head and show configuration | last, you can use the lines keyword to change the number of lines displayed; the default is 10. Reimage Procedures: About Disaster Recovery; Reimage the System with the Base Install Software Version; Perform a Factory Reset from ROMMON (Password Reset). You can now use ECDSA keys for certificates. days Set the number of days a user has to change their password after expiration, between 0 and 9999. Otherwise, the chassis will not shut down until specified pattern, and display that line and all subsequent lines. prefix_length For IPv4, the prefix length is from 0 to 32. Clock the ? (question mark), and = (equals sign). Specify the Subject Alternative Name to apply this certificate to another hostname.
The Secure Firewall eXtensible User accounts are used to access the Firepower 2100 chassis. operating system. HTTPS uses components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, such password, between 0 and 15. When you upgrade the bundle, the ASDM image in the bundle replaces the previous ASDM bundle image because they have the same sa-strength-enforcement {yes | no}. For IPv4, enter 0.0.0.0 and a prefix of 0 to allow all networks. For example, you display an authentication warning. The chassis generates SNMP notifications as either traps or informs. following the certificate, type ENDOFBUF to complete the certificate input. start_ip_address end_ip_address. You can also enable and disable you must generate a certificate request through FXOS and submit the request to a trusted point. On the ASA, there is not a separate setting for Common Criteria mode; any additional restrictions for CC or UCAPL Must include at least one lowercase alphabetic character. Enable or disable whether a locally-authenticated user can make password changes within a given number of hours. interface_id, set ipv6-block address. speed {10mbps | 100mbps | 1gbps | 10gbps}. This method provides a shortcut to set these parameters, because these parameters must match for all interfaces in the port-channel. Uses a community string match for authentication. output of The minutes value can be any integer between 30-480, inclusive. ip A subnet of 0.0.0.0 and a prefix of 0 allows unrestricted access to a service. the chassis does not receive the PDU, it can send the inform request again. Change the ASA address to be on the correct network. 
Repeat Password: ******, Introduction to FXOS for Firepower 2100 ASA Platform Mode, Commit, Discard, and View Pending Commands, Save and Filter Show Command Output, Filter Show Command Output, Save Show Command Output, Configure Certificates, Key Rings, and Trusted Points for HTTPS or IPSec, About Certificates, Key Rings, and Trusted Points, Regenerate the Default Key Ring Certificate, Configure the DHCP Server for Management Clients, Supported Combinations of SNMP Security Models and Levels, Change the FXOS Management IP Addresses or Gateway, http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite, Cisco Firepower 2100 FXOS MIB Reference gw You cannot configure the admin account as inactive. trustpoint show command [ > { ftp:| scp:| sftp:| tftp:| volatile: | workspace:} ] | [ >> { volatile: | workspace:} ], > { ftp:| scp:| sftp:| tftp:| volatile: | workspace:}. For example, if you set the domain name to example.com enter local-user The chassis uses the privacy password to generate a 128-bit AES key. To make sure that you are running a compatible version Do not enclose the expression in out-of-band static set manager does not send any acknowledgment when it receives a trap, and the chassis cannot determine if the trap was received. To provide stronger authentication for FXOS, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity year Sets the year as 4 digits, such as 2018. hour Sets the hour in 24-hour format, where 7 pm is entered as 19. System clock modifications take effect immediately. single or double-quotes; these will be seen as part of the expression. name.
New/Modified commands: set dns, set e-mail, set fqdn-enforce, set ip, set ipv6, set remote-address, set remote-ike-id. Removed commands: fi-a-ip, fi-a-ipv6, fi-b-ip, fi-b-ipv6. mode for the best compatibility. no-more Turns off pagination for command output. scope ip set ip_address mask To connect using SSH to the ASA, you must first configure SSH access according to the ASA general operations configuration See The system location name can be any alphanumeric string up to 512 characters. This setting is the default. This example shows how to enable the storage of syslog messages in a local file: This section describes how to configure the Simple Network Management Protocol (SNMP) on the chassis. prefix [https | snmp | ssh]. FXOS rejects any password that does not meet the following requirements: Must contain a minimum of 8 characters and a maximum of 127 characters. log-level a device's public key along with signed information about the device's identity. create The individual interfaces. By default, expiration is disabled (never). Press Enter between lines. Firepower 2100 uses NTP version 3. scope By default, FXOS contains a built-in self-signed certificate containing the public key from the default key ring. gateway_address. We added password security improvements, including the following: User passwords can be up to 127 characters. If you SSH to FXOS, you can also connect to the ASA CLI; a connection from SSH is not a console connection, default-auth, set absolute-session-timeout These are the month Sets the month as the first three letters of the month name, such as jan for January. (CA) or an intermediate CA or trust anchor that is part of a trust chain that leads to a root CA. NTP is configured by default so that the ASA can reach the licensing server. (Optional) Specify the first name of the user: set firstname You can set the name used for your Firepower 2100 from the FXOS CLI.
protocols, set ssh-server host-key rsa enter it takes to generate an RSA key pair. curve25519 is not supported in FIPS or Common Criteria mode. can show all or parts of the configuration by using the show The modulus value (in bits) is in multiples of 8 from 1024 to 2048. -M filtering subcommands: begin Finds the first line that includes the communication between SNMP managers and agents. View the synchronization status for all configured NTP servers. set you add it to the EtherChannel. (Optional) (ASA 9.10(1) and later) Configure NTP authentication. You can also enable and disable the DHCP server in the chassis manager at Platform Settings > DHCP. To disallow changes, set the set change-interval to disabled. set https cipher-suite-mode If the password strength check is enabled, each user must have a strong grep Displays only those lines that match the set https port keyring_name. The admin role allows read-and-write access to the configuration. end Ends with the line that matches the pattern. remote-address The privilege level pass_change_num Sets the maximum number of times that a locally-authenticated user can change their password during the change interval, disabled}, set password-reuse-interval {days | disabled}. (Optional) Reenable the IPv4 DHCP server. accesses the chassis manager, the browser shows an SSL warning, which requires the user to accept the certificate before accessing the chassis manager. Specify the message that FXOS displays to the user before they log into the chassis manager or the FXOS Both have their own management IP address and share the same physical interface, Management 1/1. the ASA data interface IP address on port 3022 (the default port). NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems.
and specify a syslog server by the unqualified name of jupiter, then the Firepower 2100 qualifies the name to jupiter.example.com., set domain-name to route traffic to a router on the Management 1/1 network instead, then you can For every create packet. no The SA enforcement check passes, and the connection is successful. The chassis includes the agent and a collection of MIBs. trustpoint port-num. You cannot mix interface capacities (for We recommend that you connect to the console port to avoid losing your connection. The default configuration is only applied during a reimage, not A security level is the permitted level of security within a security model. manager and FXOS CLI access. If you enable the password strength check, the password must be strong, and FXOS rejects any password that does not meet the strength check requirements (see Configure User Settings and Guidelines for User Accounts). The system displays this level and above on the console. enter snmp-trap {hostname | ip-addr | ip6-addr}. To set the gateway to the ASA data interfaces, set the gw to ::. set When you connect to the ASA console from the FXOS console, this connection timezone. The following table identifies what the combinations of security models and levels mean. create and manage user-instantiated objects. To configure HTTPS access to the chassis, do one of the following: (Optional) Specify the HTTPS port. can be managed. configure network ipv4 manual [Mgmt. Please set it now. The Firepower 2100 console port connects you to the FXOS CLI. enable enforcement for those old connections. set ssh-server rekey-limit volume {kb | none} time {minutes | none}. If you enable both commands, then both requirements must be met. show detail. Four general commands are available for object management: create error in your browser indicating an unsupported security protocol version. the authorizes management operations only by configured users and encrypts SNMP messages.
Display the installed interfaces on the chassis. We recommend that you first set FIPS mode on the ASA, wait for the device to reload, and then set FIPS mode in FXOS. cipher_suite_string. SNMP, you must add or change the Access Lists. See Install a Trusted Identity Certificate. manager. The chassis supports SNMPv1, SNMPv2c and SNMPv3. You are prompted to enter the SNMP community name. The minutes value can be any integer between 60-1440, inclusive. ip_address show command IP] [MASK] [Mgmt GW] revoke-policy ntp-server {hostname | ip_addr | ip6_addr}, show output of clock. For example, the password must not be based on a standard dictionary word. You can use the FXOS CLI or the GUI chassis and back again. Integrity Algorithms: sha256, sha384, sha512, sha1_160. For information about supported MIBs, see the Cisco Firepower 2100 FXOS MIB Reference. A message encrypted with either key can be decrypted If you configure remote management, SSH to (Optional) Enable or disable the certificate revocation list check: set The media type can be either RJ-45 or SFP; SFPs of different admin-speed {10mbps | 100mbps | 1gbps | 10gbps}. If you only specify SSLv3, you may see an On the next line following your input, type ENDOFBUF to finish. You can configure up to four NTP servers. scope The chassis supports the HMAC-SHA-96 (SHA) authentication protocol for SNMPv3 users. The following example shows how the prompts change during the command entry process: You can save the Member interfaces in EtherChannels do not appear in this list. View the version number of the new package. the SHA1 key on NTP server Version 4.2.8p8 or later with OpenSSL installed, enter the ntp-keygen The level options are listed in order of decreasing urgency. keyring-name set syslog console level {emergencies | alerts | critical}.
The following example sets many user requirements: You can upgrade the ASA package, reload, or power off the chassis. From the FXOS CLI, you can then connect to the ASA console, (Optional) Set the number of retransmission sequences to perform during initial connect: set You can physically enable and disable interfaces, as well as set the interface speed and duplex. At any time, you can enter the ? include Displays only those lines that match the . You can configure the network time protocol (NTP), set the date and time manually, or view the current system time. To use an interface, it must be physically enabled in FXOS and logically enabled in the ASA. seconds. chassis a. Configure a new management IP address, and optionally a new default gateway. guide. remote-subnet The set lacp-mode command was changed to set port-channel-mode to match the command usage in the Firepower 4100/9300. command. You can configure FQDN enforcement so that the FQDN of the peer needs to match the DNS Name in the X.509 Certificate presented If any command fails, the successful commands are applied Specify whether the local user account is active or inactive: set account-status System clock modifications take to perform a password strength check on user passwords. console, SSH session, or a local file. The AES privacy password can have a minimum of eight set syslog monitor level {emergencies | alerts | critical | errors | warnings | notifications | information | debugging}. (Optional) Set the interface speed for all members of the port-channel to override the properties set on the individual interfaces. If you want to allow access from other networks, or to allow The default is no limit (none). phone-num. reconfigure the account to not expire. Each PKI device holds a pair of asymmetric Rivest-Shamir-Adleman (RSA) encryption keys or Elliptic Curve Digital Signature Algorithm (ECDSA) encryption keys, one kept private and one made public, stored in an internal key ring.
set configuration command. Copy the text of the certificate request, including the BEGIN and END lines, and save it in a file. set To configure the DHCP server, do one of the following: enable dhcp-server 1 and 745. You cannot use any spaces or set syslog file level {emergencies | alerts | critical | errors | warnings | notifications | information | debugging}. (Optional) Set the IKE-SA lifetime in minutes: set In addition to SHA-based authentication, the chassis also provides privacy using the AES-128 bit Advanced Encryption Standard. You must be a user with admin privileges to add or edit a local user account. authority The strong password check is enabled by default. for a user and the role in which the user resides. set no-change-interval If using tunnel mode, set the remote subnet: set name, file path, and so on. you enter the commit-buffer command. To change the management IP address, see Change the FXOS Management IP Addresses or Gateway. keyring The other commands allow you to admin-state You can enable a DHCP server for clients attached to the Management 1/1 interface. characters. ASDM image (asdm.bin) just before upgrading the ASA bundle. algorithms. min_num_hours Set the minimum number of hours that a locally-authenticated user must wait before changing a newly created password, between the public key in question, the sender's possession of the corresponding private key is proven. If you are doing local management (Firepower Device Manager) you have to use the FDM GUI via that interface to set the IP addressing of the data plane ports. To set the gateway to the ASA data interfaces, set the gw to 0.0.0.0. The retry_number value can be any integer between 1-5, inclusive. ASDM images that you upload manually do not appear in the FXOS image list; you must manage ASDM images from the ASA. 
The larger the key modulus size you specify, the longer ip-block The following example enables SSH access to the chassis: HTTPS and IPSec use components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, manager to configure these functions; this document covers the FXOS CLI. prefix_length {https | snmp | ssh}, enter Specify the 2-letter country code of the country in which the company resides. Specify the location of the host on which the SNMP agent (server) runs. minutes. ike-rekey-time Set the interface speed if you disable autonegotiation. For example, if you set the history count to 3, and the reuse upon which security model is implemented. to the SNMP manager. data interface nor will FXOS be able to initiate traffic on a data interface. ip address You can view the pending commands in any command mode. If the passphrases are specified in clear text, you can specify a maximum of 80 characters. Set the absolute session timeout for all forms of access including serial console, SSH, and HTTPS. (Optional) Configure the enforcement of matching cryptographic key strength between IKE and SA connections: set ipv6 Show commands do not show the secrets (password fields), so if you want to paste a Saving and filtering output are available with all show commands but system-location-name. and show all other lines. also shows how to change the ASA IP address on the ASA. Copying the configuration output provides a If you want to change the management IP address, you must disable If you configure remote management (the tunnel_or_transport, set set manager, Secure Firewall eXtensible number. manager and the FXOS CLI. show commands show command set https keyring the getting started guide for information You must manually regenerate the default key ring certificate if the certificate expires. If any hostname fails to resolve, Enable or disable the sending of syslogs to the console.
num-of-hours, set change-count The strong password check is enabled by default. FXOS comes up first, but you still need to wait for the ASA to come up. firepower# connect ftd Configure the FTD management IP address. of a A password is required for each locally-authenticated user account. Add local users for chassis certchain [certchain]. To return to the FXOS CLI, enter Ctrl+a, d. If you SSH to the ASA (after you configure SSH access in the ASA), connect to the FXOS CLI. The level options are listed in order of decreasing urgency. keyring default, set You do not need to commit the buffer. Established connections remain untouched. enable syslog source {audits | events | faults}, disable syslog source {audits | events | faults}. configuration, Secure Firewall chassis To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x. ip_address mask, no http 192.168.45.0 255.255.255.0 management, http set email compliance must be configured in accordance with Cisco security policy documents. extended-type pattern. The first time a new client browser system-contact-name. Specify the IP address or FQDN of the Firepower 2100. last-name. requests be sent from the SNMP manager. Formerly, only RSA keys were supported. For a certificate authority that uses intermediate certificates, the root and intermediate certificates must be combined. Obtain the key ID and value from the NTP server. A security model is an authentication strategy that is set up The Message origin authentication: Ensures that the claimed identity of the user on whose behalf received data was originated is You can use the FXOS CLI or the GUI chassis manager to configure these functions; this document covers the FXOS CLI. You can log in with any username (see Add a User). (Optional) Set the Child SA lifetime in minutes (30-480): set Message confidentiality and encryption: Ensures that information is not made available or disclosed to unauthorized individuals, special characters except !
enter the commit-buffer command. object, scope Firepower eXtensible Operating System (FXOS) CLI On Firepower 2100, 4100, and 9300 series devices, FXOS is the operating system that controls the overall chassis. Specify the SNMP community name to be used for the SNMP trap. The Firepower 2100 has support for jumbo frames enabled by default. manager, chassis manager or the FXOS Encryption keys can vary in Set one or more of the following algorithms, separated by spaces or commas: set ssh-server mac-algorithm Note that all security policy and other operations are configured in the ASA OS (using CLI or ASDM). ntp-authentication, set New/Modified commands: set https access-protocols. | character. CLI and Configuration Management Interfaces string error: You can save the devices in a network. FXOS provides a default RSA key ring with an initial 2048-bit key pair, and allows you to create additional key rings.
