Cisco FTD Deploy AnyConnect (from FDM)

KB ID 0001682

Problem

In this article I will focus on ‘Remote Access’ VPN, which for Cisco FTD means using the AnyConnect client. Ive spent years deploying this solution for ASA so it’s a product I know well. As with all things Cisco, there are a couple of things that could trip you up. Let’s get them out of the way first.

If you are used to AnyConnect then you probably have the client software. It’s the same software package that’s installed with Cisco ASA. Sometimes just getting access to the download is a trial! Anyway you will need the AnyConnect ‘Package’ files, these typically have a .pkg extension, (Cisco refer to these as Head-End packages). Theres one for macOS, one for Windows, (well another one now for ARM processors, but I’ve not needed it yet), and one for Linux. You will need to download a package for each platform your users will need to connect with.

AnyConnect Licence! After years of getting a few free with a Cisco ASA, I was unhappy to find that’s not the case with Cisco FTD. If you want to use AnyConnect you need to have a licence, and it needs to be in your Smart Licensing Account, (before you enable Remote Access VPN). 

Final Gotcha! Make sure you HAVE NOT enabled HTTPS management on the outside interface of the FTD before you start configuring AnyConnect, or you will get all the way to the end, and it will fall over and you will have to start again (thanks Cisco! How hard would it be to say, if you enable this, I will disable https outside management is this OK?) 

Solution

If you haven’t already done so enable the Remote Access VPN licence > Smart Licence > Fire Configuration > RA VPN  License > Enable > Change to licence type (mines Apex). Have a coffee and recheck everything is licensed OK.

AnyConnect 4 – Plus and Apex Licensing Explained

Remote Access VPN > Configure > Create Connection Profile.

Give the profile a name, a group alias, and group URL > I’m using the FTD as my AAA Identity source (so my username and passwords are held on the firewall) that’s fine for small deployments, but in production you should think about deploying an AAA solution (called a Special Identities Realm in FTD). Scroll down.

I typically create a new network object for my remote clients to use, you can select your internal DHCP server to send out addresses if you wish > Next.

I’m using Cisco Umbrella DNS servers, (or the DNS servers formally known as OpenDNS) > I’m setting a ‘welcome banner’ but you dont need to, (some people find them annoying!) > Scroll down.

Split tunnelling: As always Cisco assume you want to tunnel everything, in most cases that’s NOT the requirement (BUT it IS the most secure!) I setup split tunnelling by Excluding my internal networks > Next.

Client Profiles: If you have one you can set it here, if you want to create one, see the following article;

Cisco FTD (and ASA) Creating AnyConnect Profiles

Select the certificate the FTD will present (don’t choose the web one it will error!) > Select the interface your client will connect to (typically outside) > Enter the FQDN of the device > I allow bypass for VPN traffic, if you want to scan remote traffic with firepower etc DON’T select this > Enable NAT Exemption (select the internal interface) > Internal Networks: Then add in the internal network, I’ve already got an object for that, (you may need to create one.) > Scroll down.

Here you upload your .pkg files (I mentioned above) when you have finished > Next.

Review the settings > Finish.

Cisco FTD Create User (via FDM)

You will need a username and password to authenticate (skip this as you are not using the FTD’s internal user database.) Objects > Users > Add > Supply a username and password > OK

Pending Changes > Deploy Now.

Go and have a coffee again, keep clicking pending changes until it looks like this. (Quite why it takes so long, I have no idea?) It’s even more fun, if you made a mistake, because it will just error and fall over, so you have to find the error (if you can) > then remove the pending change and start all over again. Cheers Cisco!

Finally go to an external client and give it a try, if your clients don’t have the client software installed simply ‘browse’ to the FTD to get it.

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

Cisco FTD Site to Site VPN

KB ID 0001681

Problem

While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;

 

Create Site to Site VPN On Cisco FTD (using FDM)

Using a web browser connect to the devices FDM > Site to Site VPN > View Configuration.

Create Site-to-site-connection.

  • Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
  • Local VPN Access Interface: outside.
  • Local Network: Crete new network.

  • Name: This will be your local LAN so give it a recognisable name.
  • Type: Network
  • Network: Your local (behind the FTD) network i.e. 10.254.254.0/24
  • OK.

  • Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
  • Remote Network: Add
  • Crete new network

  • Name: This will be the remote sites LAN so give it a recognisable name.
  • Type: Network
  • Network: The remote (behind the ASA) network i.e. 192.168.100.0/24
  • OK.

 

Check the settings are correct > Next.

I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.

Create new IKE Policy.

 

  • Priority: 1
  • Name: S2S-IKEv2-Policy
  • Encryption: DES Really! (Why is that the default?) Remove DES and replace with AES256

I leave the rest of the settings as they are some people might not like Sha1 if you want to change it to sha254 for example then do so, but remember to change it on the IKEv2 policy on the ASA also. Also DON’T CONFUSE PRF with PFS, we will get the chance to set PFS later. > OK.

IPsec Proposal > Edit.

Add in AES-SHA > OK. 

Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.

  • Nat Exempt: inside
  • Diffie Helman Group for Perfect Forward Secrecy (PFS): Leave disabled.
  • Next

Review the settings > Finish.

FTD VPN One Way VPN Traffic Warning!

At this point if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But If you’re behind the ASA and you want to talk to anything behind the FTD, it wont work. This confused me for a while, I could ping from my house to my servers at the DC but they could not ping me!

Resolution: What you need to do is (on the FTD) ALLOW traffic ‘inbound’ on the outside interface, for the subnet behind the ASA. (Yes that’s bobbins I know, it should do that for you, but at the moment it does not).

Policies > Access Control > Add.

  • Title: Allow-VPN-Traffic
  • Source Zone: outside_zone
  • Source Networks: The Network behind the ASA
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: ANY
  • Destination Ports/Protocols: ANY
  • OK

Pending changes > Deploy Now.

It can take a while to deploy, I recheck pending changes, and wait until it says it’s finished.

Create ASA Config for VPN to Cisco FTD

I’ve covered Cisco ASA IKEv2 VPN configs elsewhere, so I’ll just post the config here and you can change the details (in red) and copy and paste it into your ASA.

[box]

object network OBJ-SITE-A
 subnet 192.168.100.0 255.255.255.0
object network OBJ-SITE-B
 subnet 10.254.254.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!

[/box]

Troubleshooting and debugging FTD VPN

All the traditional command line tools we used to use for VPN troubleshooting are available to you, you will need to SSH into the ‘Management Port’ before you can use them though! Or you can simply do the debugging and troubleshooting on the ASA!

Troubleshoot phase 1 (IKE)

[box]

show crypto isa
debug crypto ikev2 protocol

[/box]

Troubleshoot phase 2 (IPSec)

[box]

show crypto ipsec sa
debug crypto ipsec 255

[/box]

Related Articles, References, Credits, or External Links

NA

Remove and Reinstall Microsoft WSUS

KB ID 0001679

Problem

I don’t like WSUS, the product is OK (ish) the problem with it is, every time it’s deployed, typically the person it was deployed for never looks after it, or manages it properly, and months/years later it becomes a massive ‘bag of spanners’, which is never the client’s fault, it’s always the poor guy who built it, or the support company’s fault.

If you run WSUS, log into the the thing at least once a week, sort out reporting problems, approve updates accordingly. If I look at your WSUS and see ‘This machine has not reported in for 12 months”. Then I’m going to care as much as you do!

Solution

So let’s say your a conscientious tech and you’ve taken over WSUS from someone else who let it get into a state! There comes a point when its simpler to wipe it out and start again, it might be simpler to create a new server/VM and reinstall from scratch, if that’s the case, do that instead of this! (Remember any GPO’s pointing client to WSUS will need updating, unless the new server has the same FQDN as the old one though!)

Here I’m removing WSUS and re-installing it on the same server, I already have multiple GPOs setup pointing my clients to the WSUS server so I don’t need to do that part.

Warning: If you have ‘Computer Groups’ setup in your GPOs telling client machines that they should be in different computer group object in your WSUS deployment, then take a screenshot of all the group names before you start so you can manually add them back in after rebuild. Note if you have computer groups but don’t reference them with your GPOs you don’t need to do this.

WSUS Removal Procedure

Mine’s a small typical deployment using WID (Windows Internal DataBase), to prove this navigate to C:\Windows\WID, and look for SUSDB. If yours is using SQL you will need to remove that independently, (assuming SQL is only doing WSUS of course!)

Remove WID and WSUS from an administrative Powershell window;

[box]

Uninstall-WindowsFeature -Name UpdateServices,Windows-Internal-Database -Restart

[/box]

KEEP THIS WINDOW OPEN!

Now locate the folder containing all your updates, usually called WSUS (unless it was named something bizarre!) Then delete it.

Now delete the C:\Windows\WID directory.

Now to remove the IIS AppPool for WSUS, 

[box]

Import-Module WebAdministration
IIS:
cd AppPools
del WsusPool

[/box]

Whilst still in web administration, jump up a directory and go to sites, then delete the WSUS Adminisration website;

[box]

cd..
cd .\Sites\
del ".\WSUS Administration\"

[/box]

Reinstall the WSUS components;

[box]I

nstall-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI

[/box]

Now launch WSUS and complete the configuration. Recreate your WSUS directory, (make sure theres plenty of space for the updates!) In production I would not have this on the C:\ Drive!

Select your new folder.

Next > Untick (if not required) > Next.

Next (Unless you have an upstream WSUS server) > Next (Unless you have a proxy server).

Start connecting > Wait for a while until it will let you continue.

Select the languages you require > Next > select the products you want to update > Next.

Select the ‘type‘ of updates you require, (I typically never select Service Packs, Update Rollups, or drivers, (but that’s my preference.)) > Next > Select automatically and set it for early in the morning > Next.

Let it begin synchronisation > Next > Finish.

You can view synchronisation progress from the main WSUS window

At this point you can setup any computer/server ‘test’ groups you require, and start authorising updates for those groups, or setting auto-authorise if that’s your preferred option.

Computers Not Reporting Into WSUS or Erroring

For the most part manually visiting ‘problem client’ and manually running though the update procedure and rebooting a few times will fix the problem, (assuming that the GPO telling it to get its updates from WSUS is correct!)

But sometimes clients flatly refuses to check in at all, for those run the following Powershell commands on them;

 [box]

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

wuauclt /reportnow

[/box]

 

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure

Windows Client(s) not ‘appearing’ in WSUS

Configure Cisco FTD Port Forwarding (via FDM)

KB ID 0001680

Problem

You have a Cisco FTD device that you manage via FDM, and you would like to setup port forwarding. In the example below I will forward TCP Port 80 (HTTP) traffic from the outside interface of my FTD Device (Firepower 1010) to an internal web server on 10.254.254.212

Solution (Step 1: Create an FTD NAT Policy)

Using a web browser connect to the FDM > Polices > NAT > Add.

 

Set the following options;

  • Title: Give the NAT rule a title e.g. Webserver-01
  • Create Rule for: Manual NAT
  • Status: Enable
  • Placement: Above a Specific Rule
  • Rule: InsideOutsideNATRule
  • Type: Static
  • Original Packet: Source Interface: inside
  • Original Packet: Source Address: Select ‘Create New Network’

In the Add new Network Object Window;

  • Name: Name of the server/object you are port forwarding to e.g. Webserver-01
  • Host: IP address of the server/object you are port forwarding to
  • OK

Back At the NAT Rule Window;

  • Source Address: Ensure it’s set to the object you just created
  • Original Packet: Source Port: HTTP (or whatever port you wish to forward) 
  • Translated Packet: Destination Interface: outside
  • Translated PacketSource Address: Interface
  • Translated Packet: Source Port:HTTP (or whatever port you wish to forward)
  • OK.

Solution (Step 2: Create an FTD Access Control Policy Rule)

Policies > Access Control > Add.

Set the access rule as follows;

  • Title: Give the access rule a title e.g. Webserver-Access
  • Source Zone: outside_zone
  • Source Networks:  any-ipv4
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks:  The Object you created (above)
  • Destination: Ports/Protocols: HTTP
  • OK

You can expand the rule, and see a diagram version if you wish.

Pending Changes > Deploy Now.

Wait! The changes probably haven’t deployed yet, you can check progress by clicking the pending changes button again.

Related Articles, References, Credits, or External Links

NA

Cisco Firepower 1010 (FTD) Initial Setup

KB ID 0001678

 

If you’re here you’ve either purchased a new Cisco Firepower device running FTD (FirePower Threat Defence) or have re-imaged your Firepower device from ASA to FTD code.

On its factory defaults, the unit will have the following settings.

  • Inside IP address (VLAN 1) 192.168.1.1 (on all interfaces from 2 to 8).
  • Outside IP Address set to DHCP in interface 1.
  • Management IP address 192.168.45.1 on the Management Interface.
  • DHCP Scopes on both the inside and management interfaces (192.168.1.x and 192.168.45.x respectively).

  1. Power Connector.
  2. 8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, GigabitEthernet 1/2 though 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
  3. Management Port.
  4. Console Port (RJ45).
  5. Console Port (Mini USB).
  6. USB Port (useful for upgrades, and backups).
  7. Kensington Lock: Seriously? I’ve not seen one of these since about 2005, does anyone still use them?
  8. Reset Button: Depress for 3 seconds reverts the firewall to its factory settings, (and preserves the config apparently).
  9. Status Lights, (another reason not to put things on top of it!) Though you will notice there’s some on the back also. Note: When all lights are solid the firewall is operational, when the centre light is blinking, it’s still booting).

FirePower 1010 Setup

I will be deploying this as a stand alone FTD firewall, that will be managed locally on the device itself via FDM (Firepower Device Manager) and not via an FMC (Firepower Management Center) appliance.

Smart Licensing: If you’re not already familiar with Cisco Smart Licensing, I’ve covered it in more depth here. Set yourself up a free Smart License Account, and generate a token, copy it to the clipboard, (we will need it in a minute).

Connect to the firewall via a LAN port on https://192.168.1.1, or via the Management port on https://192.168.45.1 (unless you have ran though the FTD setup at command line, and have already changed the management IP).

Default usernames, (you will be asked to change them) are;

  • Username: admin
  • Password: Admin 123

Scroll down.

Here I’m accepting the default Outside/Public Interface settings of DHCP enabled, with IPv6 disabled, if yours has a static IP, or you want to user IPv6 then change the settings accordingly > Next.

I’ll accept the defaults here, be advised those NTP servers may take a little while to ‘go-green’ (you will see what I mean later) > Next.

I’m going to do this manually in a minute, so we can skip this > Next.

Note: The unit will have a default policy of let everything out (sourced from inside), and nothing in (sourced from outside) we will leave that as it is, as a decent start point.

Stanalone device > Configure Interfaces.

Note: Below I’m going to REMOVE the DHCP Scope, then change the ‘inside’ IP address (to avoid errors). Then later I will add the new DHCP scope back in again.

VLANs > Vlan1 > Edit. > DHCP section > Edit > Remove.

You can now set the inside IP address accordingly. (Don’t panic you wont lose connectivity yet!) > OK.

Now you need to Save/Commit the changes, and Deploy them. Now you will lose connectivity, if you have changed the inside IP address, so manually give yourself an IP address on the new network, and reconnect to the firewall.

Note: Update: Pleas ensure tha management is allowed in VLAN1 before proceeding (System Settings -> Management Access -> Data Interfaces.)

Cisco Firepower Setup DHCP

Create a new DHCP Scope: Should you require the firewall to be a DHCP server, log back in to the new internal IP address > System Settings > DHCP Server.

Create DHCP Server > Enable DHCP Server > Enter the new scope > OK.

Remember to commit the changes, and deploy them again!

Cisco Firepower FTD Licensing

Thankfully this is MUCH easier than doing the same thing while running ASA Code (on the same hardware!) > Smart Licence > View Configuration.

Register Device.

Paste in your token, (from above) > Set your location > Register Device. Go and have a coffee, it will look like it’s broken/not worked for a few minutes.

After a while you should see this;

There will be some outstanding changes to save and deploy also, now the unit is registered.

Back in the Cisco Smart Licence portal, it should look a bit like this;

Once fully complete and operational, all connected interfaces should have all the options ‘go-green’. For me the NTP servers took a while!

Note: Obviously the interfaces in orange are not in use!

 

Related Articles, References, Credits, or External Links

NA

Reimage Cisco 1010 ASA to FTD

KB ID 0001677

Problem

Sorry it’s taken me a while to get round to this, every time I do some work on the firewall I need to kill the internet at home, and I’ve got a wife and two daughters, who live online! So if you follow the site you will know I’ve got a Cisco Firepower 1010 device, and I’ve been looking at it running the ASA code.

Now here’s how to ‘re-image’ the device with the FTD (Firepower Threat Defence) operating system.

Warning this can take a while, if you are performing this in production equipment, plan in at least a couple of hours downtime.

Solution

Firstly this is a lot easier than it was on the old ASA 5500-x platform, If you have ever updated the OS on a Cisco ASA, then the process is pretty much the same.

Before proceeding, you need to unregister the firewall from its Smart Licence (assuming it’s registered correctly). You can do this with the following command;

[box]

licence smart deregister

[/box]

Or from the ASDM;

Then connect the firewall via console cable, I’m going to copy the operating system in from a TFTP server on my mac, (you can use FTP or HTTP if you prefer).

[box]

Petes-ASA# copy tftp flash

Address or name of remote host []? 192.168.1.20

Source filename []? cisco-ftd-fp1k.6.6.0-90.SPA

Destination filename [cisco-ftd-fp1k.6.6.0-90.SPA]? {Enter}
Accessing tftp://192.168.1.20/cisco-ftd-fp1k.6.6.0-90.SPA...!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/cisco-ftd-fp1k.6.6.0-90.SPA...

Writing file disk0:/cisco-ftd-fp1k.6.6.0-90.SPA...

1097176240 bytes copied in 331.300 secs (3314731 bytes/sec)
Petes-ASA#

[/box]

Now we simply need to set the image as the primary boot OS.

[box]

Petes-ASA# configure terminal
ciscoasa(config)# boot system disk0:/cisco-ftd-fp1k.6.6.0-90.SPA

The system is currently installed with security software package 9.13.1.2, which has:
   - The platform version:  2.7.1.107
   - The CSP (asa) version: 9.13.1.2
Preparing new image for install...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image download complete (Successful unpack the image).
Attention:
   If you proceed, the system will be re-imaged and then reboot automatically.
   All existing configuration will be lost and the default configuration will be applied.
Installation of version 6.6.0-90 will do the following:
   - upgrade to the new platform version 2.8.1.105
   - upgrade to the CSP FTD version 6.6.0-90
Do you want to proceed? [confirm] {Enter}

[/box]

The firewall will install the new OS then reboot itself, it will take a while, be patient! Once rebooted the FTD software will ask you to login, the default username and password is admin and Admin123, upon logging in, you are asked to change the password.

[box]

firepower login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower 1010 Threat Defense v6.6.0 (build 90)

Hello admin. You must change your password.
Enter new password: {new-password}
Confirm new password: {new-password}
Your password was updated successfully.

Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.

[/box]

Now you can carry out an initial configuration of the Firepower. 

[box]

firepower# connect ftd

[/box]

Here I set the basic IPv4 settings, and tell the firewall it will be managed locally via FDM (Firepower Device Manager), that’s the web management interface on the device, rather than FMC (Firepower Management Center) a separate management appliance.

[box]

You must accept the EULA to continue.
Press  to display the EULA:
End User License Agreement

Effective: May 22, 2017

This is an agreement between You and Cisco Systems, Inc. or its affiliates
("Cisco") and governs your Use of Cisco Software. "You" and "Your" means the
individual or legal entity licensing the Software under this EULA. "Use" or
"Using" means to download, install, activate, access or otherwise use the
Software. "Software" means the Cisco computer programs and any Upgrades made

PRESS THE SPACE BAR A LOT!
---------------Output removed for the sake of Brevity---------------------
mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other
company. (1110R)

Please enter 'YES' or press Enter to AGREE to the EULA: YES

System initialization in progress.  Please stand by.
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [y]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface []: 10.254.254.254
Enter an IPv4 netmask for the management interface []: 255.255.255.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.254.254.1
Enter a fully qualified hostname for this system [firepower]: FTD-1
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: 8.8.8.8,8.8.4.4,194.168.4.100
Enter a comma-separated list of search domains or 'none' []: {Enter}
If your networking information has changed, you will need to reconnect.
Setting DNS servers: 8.8.8.8 8.8.4.4 194.168.4.100
No domain name specified to configure.
Setting hostname as FTD-1
Setting static IPv4: 10.254.254.254 netmask: 255.255.255.0 gateway: 10.254.254.1 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: {Enter}
Configuring firewall mode to routed


Update policy deployment information
    - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

>

[/box]

At this point I reboot the unit, but be prepared, it can take a LONG time before it comes back online, (wait at least 40 minutes). 

IMPORTANT you have configured the IP address on the MANAGEMENT interface (1) , to configure further, and complete the Firepower 1010 initial setup, connect to any one of the LAN interfaces (2), and navigate to https://192.168.1.1 (you should get an DHCP address, if you don’t, then you’ve not waited long enough!)

Related Articles, References, Credits, or External Links

Cisco FPR – Re-image from FTD to ASA Code

Microsoft Outlook ‘Search’ Not Working

KB ID 0001676

Problem

When attempting to perform a ‘Search’ whilst in Microsoft Outlook, you encounter a problem (it’s not working).

Something went wrong and your search couldn’t be completed.

Solution

Let’s be clear here, I’m dealing a problem on the ‘client side‘ either with Outlook itself, or with Windows indexing. If you have multiple clients with their mailboxes in an ‘on-premise Exchange Server’ then the problem is probably indexing on their mailbox database, (as long as it’s not Exchange 2019 (or newer) as indexing in new versions of Exchange is done at mailbox level). If that is your problem and you are running Exchange 2016 (or earlier), then see the following article first.

Exchange ContentIndexState ‘Failed’

Each of the following may work, or you may need to work though the list, but BE AWARE once indexing is fixed it can take some time (depending on how much email you have) to index it all, be patient.

Incomplete Missing Outlook Search Results

Before we start ‘fixing’ search, are you sure you are not just missing emails because modern Outlook will only cache 3 months of email locally, so emails older than that, simply cannot be seen by the index? If so you may need to change the following setting.

Microsoft Outlook: Check Indexing, and Rebuild Index

Within Outlook > File > Options > Search > Indexing Options.

Make sure Microsoft Outlook is listed.

Note: You can get to the same options in ‘Control Panel’ > Indexing options.

If Microsoft Outlook is NOT listed: Modify > Select it > OK.

If Microsoft Outlook is IS listed: Advanced > Rebuild > OK.

While in this window, go to the ‘File Types‘ tab, and ensure .msg files are selected.

This might take a while! You can see progress, by clicking in the search box > Search Options > Indexing Status.

 

Windows Search Service

Outlook indexing relies on the Windows Search Service, Run services.msc > Locate the Windows Search Service, ensure it’s running, and it should be set to Automatic (Delayed Start).

Repairing Windows Search Service

Sometimes it wont start, or you simply want to flush its contents and start again. Occasionally you may need to set the service to ‘disabled’ and reboot before it will let you manipulate it, but I simply opened an administrative Powershell window, and ran the following Powershell commands;

[box]

Set-Service WSearch -StartupType Disabled
Stop-Service WSearch
Get-ChildItem -Path C:\ProgramData\Microsoft\Search\Data\Applications\Windows -Include *.* -File -Recurse | foreach { $_.Delete()}
Get-ChildItem -Path C:\ProgramData\Microsoft\Search\Data\Temp -Include *.* -File -Recurse | foreach { $_.Delete()}
sc.exe config WSearch start= delayed-auto
Start-Service WSearch

[/box]

Note, Before I’m Asked: I used sc.exe and not set-service, because you need Powershell v6 to set a service as ‘Automatic Delayed Start’, and all the visitors may not have Powershell version 6.

Don’t Panic if the service takes a long time to start, (it’s recreating a lot of files!)

Make Sure Outlook Indexing Has NOT Been Disabled In the Registry

To save you poking about in the Regisry just run the following TWO Powershell commands;

[box]

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\" -Name "Windows Search" –Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "PreventIndexingOutlook" -Value 0 -PropertyType "DWord"

[/box]

Microsoft Outlook Repairing PST Files

I detest PST files with a passion! Please stop using them, there’s far more efficient ways of storing old emails for those of you that simply need to keep ‘every‘ email you’ve ever received, sent, or deleted. A broken or corrupt PST file can also break search/indexing.

If you are using PST file(s) then firstly you need to know where it/they are. You can get that from their properties > Advanced > Filename.

Secondly you need to run the scanpst.exe program to scan and fix them. Each version of Office puts this in a different place annoyingly, but here I’ll tech you some old-school search ninja skills to find it on your PC, (this also saves me listing all the versions and locations, and having to keep updating them!)

Open an administrative Command Window > Execute the following two commands;

[box]

cd c:\
dir scanpst.exe /s

[/box]

After while it should show you where scanpst.exe is, (this is still how I search for files, it’s a lot quicker);

You can now run scanpst.exe and point it at your PST files.

Check Indexing has NOT been disabled by Group Policy

You can get a group policy enforced on you remotely by your IT admins, or on your local PC with local group policy (unless you run a ‘Home’ version of windows where there is no group policy. You can run winver from command line or Powershell and that will tell you, if you’re unsure).

Here I’m going to use Resultant  Set Of Policy, to show me the sum total of ALL policies being applied to make sure some doofus hasn’t disabled indexing for the drive/location. My outlook Index should be in (C:\ProrgamData\Microsoft by default, Note: That’s a hidden folder so you may not see it if you try and browse to it).

Run > mmc.exe > File > Add/Remove Snap-in > Resultant Set of Policy > Add > OK.

Right click Resultant Set of Policy > Generate RSoPData > Next.

Accept all the defaults (keep clicking next) > Finish.

Below, someone has disabled Indexing, (on the C drive!) You should NOT be able to see this. In fact you may not even see administrative templates.

Note: Above it’s been set in ‘Local‘ policy, if yours has been set by ‘Domain‘ group policy, you will need to speak to your IT department.

Repair Microsoft Office

Run appwiz.cpl > Locate Microsoft Office > Change > Yes.

Try Quick Repair first (you can rerun and try Online Repair if you wish afterwards) > Repair > Close.

Update Microsoft Office

You should be able to update office from File > Office Account > Update eOptions > Update Now.

I cant see that option! If you have a retail or volume copy of Windows you may need to manually download the updates. To find out your version of office see the following link;

Finding Out Your Microsoft Office Licence Version

Outlook 2016 and 2019 (Office 365 Version)

You may need to create a DWORD registry value called ServerAssistedSearchTimeout and set its value to 5000 (decimal), in the following key;

[box]

HKEY_CURRENT_USER > Software > Microsoft > Office > {version} > Outlook > Search

[/box]

 

Please feel free to comment any ‘fixes’ I’ve missed, below!

Related Articles, References, Credits, or External Links

macOS: Microsoft Outlook Search Broken