KB ID 0001678
If you’re here you’ve either purchased a new Cisco Firepower device running FTD (FirePower Threat Defence) or have re-imaged your Firepower device from ASA to FTD code.
On its factory defaults, the unit will have the following settings.
- Inside IP address (VLAN 1) 192.168.1.1 (on all interfaces from 2 to 8).
- Outside IP Address set to DHCP in interface 1.
- Management IP address 192.168.45.1 on the Management Interface.
- DHCP Scopes on both the inside and management interfaces (192.168.1.x and 192.168.45.x respectively).
- Power Connector.
- 8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, GigabitEthernet 1/2 though 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
- Management Port.
- Console Port (RJ45).
- Console Port (Mini USB).
- USB Port (useful for upgrades, and backups).
- Kensington Lock: Seriously? I’ve not seen one of these since about 2005, does anyone still use them?
- Reset Button: Depress for 3 seconds reverts the firewall to its factory settings, (and preserves the config apparently).
- Status Lights, (another reason not to put things on top of it!) Though you will notice there’s some on the back also. Note: When all lights are solid the firewall is operational, when the centre light is blinking, it’s still booting).
FirePower 1010 Setup
I will be deploying this as a stand alone FTD firewall, that will be managed locally on the device itself via FDM (Firepower Device Manager) and not via an FMC (Firepower Management Center) appliance.
Smart Licensing: If you’re not already familiar with Cisco Smart Licensing, I’ve covered it in more depth here. Set yourself up a free Smart License Account, and generate a token, copy it to the clipboard, (we will need it in a minute).
Connect to the firewall via a LAN port on https://192.168.1.1, or via the Management port on https://192.168.45.1 (unless you have ran though the FTD setup at command line, and have already changed the management IP).
Default usernames, (you will be asked to change them) are;
- Username: admin
- Password: Admin 123
Scroll down.
Here I’m accepting the default Outside/Public Interface settings of DHCP enabled, with IPv6 disabled, if yours has a static IP, or you want to user IPv6 then change the settings accordingly > Next.
I’ll accept the defaults here, be advised those NTP servers may take a little while to ‘go-green’ (you will see what I mean later) > Next.
I’m going to do this manually in a minute, so we can skip this > Next.
Note: The unit will have a default policy of let everything out (sourced from inside), and nothing in (sourced from outside) we will leave that as it is, as a decent start point.
Stanalone device > Configure Interfaces.
Note: Below I’m going to REMOVE the DHCP Scope, then change the ‘inside’ IP address (to avoid errors). Then later I will add the new DHCP scope back in again.
VLANs > Vlan1 > Edit. > DHCP section > Edit > Remove.
You can now set the inside IP address accordingly. (Don’t panic you wont lose connectivity yet!) > OK.
Now you need to Save/Commit the changes, and Deploy them. Now you will lose connectivity, if you have changed the inside IP address, so manually give yourself an IP address on the new network, and reconnect to the firewall.
Note: Update: Pleas ensure tha management is allowed in VLAN1 before proceeding (System Settings -> Management Access -> Data Interfaces.)
Cisco Firepower Setup DHCP
Create a new DHCP Scope: Should you require the firewall to be a DHCP server, log back in to the new internal IP address > System Settings > DHCP Server.
Create DHCP Server > Enable DHCP Server > Enter the new scope > OK.
Remember to commit the changes, and deploy them again!
Cisco Firepower FTD Licensing
Thankfully this is MUCH easier than doing the same thing while running ASA Code (on the same hardware!) > Smart Licence > View Configuration.
Register Device.
Paste in your token, (from above) > Set your location > Register Device. Go and have a coffee, it will look like it’s broken/not worked for a few minutes.
After a while you should see this;
There will be some outstanding changes to save and deploy also, now the unit is registered.
Back in the Cisco Smart Licence portal, it should look a bit like this;
Once fully complete and operational, all connected interfaces should have all the options ‘go-green’. For me the NTP servers took a while!
Note: Obviously the interfaces in orange are not in use!
Related Articles, References, Credits, or External Links
NA