Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

 

Chassis FXOS and FTD share the same management IP (default 192.168.45.45).

Chassis FXOS (192.168.45.45) and ASA () use different management IPs, although they are on the same physical interface.


SSH to FXOS/FTD lands on the FTD CLI prompt; go to FXOS using the connect fxos command.

The console to the chassis lands on the FXOS CLI prompt; go to FTD using the connect ftd command.


The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes.


The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). 

If you run ASA on Firepower 2100, ASA can be in the following modes:

  • Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the FXOS troubleshooting guide for more information. Firepower Chassis Manager is not supported.

      ciscoasa# connect fxos [admin]
      Connecting to fxos.
      Connected to fxos. Escape character sequence is 'CTRL-^X'.
      firepower# 
      firepower# exit
      Connection with FXOS terminated.
      Type help or '?' for a list of available commands.
      ciscoasa#
  • Platform mode—When in Platform mode, you must configure basic operating parameters and hardware interface settings in FXOS. These settings include enabling interfaces, establishing EtherChannels, NTP, image management, and more. You can use the Firepower Chassis Manager web interface or FXOS CLI. You can then configure your security policy in the ASA operating system using ASDM or the ASA CLI.

For pre-9.13(1) versions, Platform mode was the default and only option. If you upgrade from Platform mode, Platform mode is maintained.


  • ciscoasa(config)# show fxos mode

  • Enabling interfaces:

    scope eth-uplink
    scope fabric a
    enter interface Ethernet n/n
    enable
    commit-buffer

  • Adding an EtherChannel:

    scope eth-uplink
    scope fabric a
    enter port-channel 1
    enable
    enter member-port ethernet1/3
     enable
     exit
    enter member-port ethernet1/4
     enable
     exit

    set port-channel-mode on
    set speed 1gbps
    set duplex fullduplex
    commit-buffer

https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/config/asa-2100-fxos-config/cli.html



The following seems to be for the 2100 in Platform mode.


Firepower 2100

FXOS CLI:

show chassis detail

show chassis inventory


console in FPR2100

1a. When the device is running an ASA image, configure and verify the management IP

firepower# scope fabric-interconnect a

firepower /fabric-interconnect# set out-of-band static ip 10.106.143.40 netmask 255.255.255.0 gw 10.106.143.1

firepower /fabric-interconnect*# commit-buffer    !! takes a little time

firepower /fabric-interconnect# connect local-mgmt

firepower(local-mgmt)# show mgmt-ip-debug

firepower(local-mgmt)# ping 10.106.143.47


1b. When the device is running an FTD image, configure the management IP in FTD

firepower# connect ftd

> configure network ipv4 manual 10.106.143.40 255.255.255.0 10.106.143.1

> write

> connect fxos  !! or exit

firepower# connect local-mgmt

firepower(local-mgmt)# show mgmt-ip-debug

firepower(local-mgmt)# ping 10.106.143.47


2. Upload FTD/ASA image

firepower# scope firmware

firepower /firmware# show package

firepower /firmware# download image ftp://username@10.106.143.47/cisco-ftd-fp2k.6.2.2.-81.SPA   !! supports ftp, scp, sftp, tftp, usbA

firepower /firmware# show download-task [detail]


3. Install FTD/ASA 

firepower /firmware# scope auto-install

firepower /firmware/auto-install# install security-pack version


Wait for the FTD/ASA installation or upgrade to complete with the message "Cisco FTD [ASA] started successfully"

connect asa [ftd]
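
A pre-flight check for steps 1a and 2, as an added example that is not part of the original notes or of any Cisco tooling: it validates the management IP, netmask and gateway before they are committed, and flags cleartext transfer schemes before the download command is typed. The function names mgmt_commands and download_command are hypothetical, and the scp URL in the demo is a constructed variant of the one in step 2.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes the notes list for "download image" (urlsplit lowercases usbA).
SUPPORTED = {"ftp", "scp", "sftp", "tftp", "usba"}
CLEARTEXT = {"ftp", "tftp"}  # no transport encryption


def mgmt_commands(ip, netmask, gw):
    """Validate step 1a values; return the FXOS lines to enter."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    host, gateway = ipaddress.IPv4Address(ip), ipaddress.IPv4Address(gw)
    if gateway not in net:
        raise ValueError(f"gw {gateway} is outside {net}")
    if gateway == host:
        raise ValueError("gw must differ from the management ip")
    if net.prefixlen < 31:  # /31 and /32 have no reserved addresses
        reserved = (net.network_address, net.broadcast_address)
        for name, addr in (("ip", host), ("gw", gateway)):
            if addr in reserved:
                raise ValueError(f"{name} {addr} is reserved in {net}")
    return [
        "scope fabric-interconnect a",
        f"set out-of-band static ip {host} netmask {net.netmask} gw {gateway}",
        "commit-buffer",
    ]


def download_command(url):
    """Validate a step 2 image URL; return (FXOS line, warnings)."""
    parts = urlsplit(url)
    if parts.scheme not in SUPPORTED:
        raise ValueError(f"unsupported transfer scheme: {parts.scheme!r}")
    warnings = []
    if parts.scheme in CLEARTEXT:
        warnings.append(f"{parts.scheme} is cleartext; prefer scp or sftp")
    if parts.password is not None:
        warnings.append("password embedded in URL; leave it out of the typed command")
    return f"download image {url}", warnings


if __name__ == "__main__":
    # Values from the notes; the scp URL is a constructed variant of step 2.
    print("\n".join(mgmt_commands("10.106.143.40", "255.255.255.0", "10.106.143.1")))
    print(download_command("scp://username@10.106.143.47/cisco-ftd-fp2k.6.2.2.-81.SPA"))
```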



https://www.youtube.com/watch?v=tzKrETboYmQ


===============

set management subnet

firepower /system/services# create ip-block




==========

Reimage a Secure Firewall Threat Defense for 1000, 2100 and 3100 Series


https://www.cisco.com/c/en/us/support/docs/security/firepower-1000-series/220642-reimage-a-secure-firewall-threat-defense.html

https://www.youtube.com/watch?v=WR4w-3BEe2Q




