KB ID 0001666
What Is It?
I’ve been trying to get my hands on one of these for a while, so thanks to my employer for sending me one to take a look at. The Firepower 1010 appliance is aimed at Small Office / Home Office, and possibly small remote branch offices. But like its predecessors it will probably get put in EVERYWHERE because it’s ‘cheap’ (Note: for cheap, read possibly under-specced* and the wrong size!)
*Seriously, I’ve deployed a LOT of 5506-X (and 5508-X) firewalls, and then the clients enabled every inspection going, IDS/AMP/Web Filtering etc., and then complained that their internet connection was terrible: ‘Why is my new firewall slower than the old one?!’ So look at the throughput figures for these things with inspection enabled before deciding to buy the cheapest one!
A Brief History
The Firepower 1010 will end up being the replacement for the ASA 5506-X, which in turn was the replacement for the ASA 5505.
Left to Right: ASA 5505, ASA 5506-X, Firepower 1010
The 5505 was brilliant; I still see them everywhere, tucked in the bottom of comms cabinets and balanced on top of other things in Data Centers. I know of 5505s that I installed new over 15 years ago that are still chugging away. It had built-in PoE (on two ports) and an 8-port switch (you need one of those ports for the WAN, which leaves seven for the LAN). The only thing that ever let the 5505 down was that the earlier units didn’t have enough RAM to update to version 8.3 or later. It replaced the earlier PIX 501 and PIX 506E (I do have both of these models also tucked away somewhere; I was just too lazy to dig them out).
The 5506-X was (to be honest) a massive let down. It shipped with 8 ports, but those ports were independent routed ports, so you needed to buy a switch as well, and it didn’t have PoE. Cisco tried to ‘fix’ the switch problem by introducing the BVI interface with version 9.7; the problem with that was that it was ‘horrifically terrible in the extreme’. If you wanted to do anything even vaguely ‘firewall-ish’ with your firewall, the rules had to be repeated for every member interface of the bridge group, so the config grew as if it were being multiplied by the Fibonacci numbers. 🙁 The final nail in its coffin was that if you updated it past version 9.10 the FirePOWER module was disabled (regardless of whether you had bought licences for it).
So Now the Firepower 1010
Is it FirePOWER or Firepower? : Good question. The rule was, if it was a services module in an ASA it was FirePOWER; if it was a dedicated device it was Firepower. But as the Firepower 1010 can run ASA code, it breaks the rules! So I’ll stick with Firepower for the new ones.
It runs ASA Code? : Yes, Cisco firewall techs of the world rejoice! The Firepower 1010 model comes in two flavours:
- FPR1010-ASA-K9: Good old Cisco ASA code, with ASDM!
- FPR1010-NGFW-K9: Runs the FTD (Firepower Threat Defense) code.
I’ve written briefly about FTD on the Cisco ASA. I wasn’t really a fan, but I know we live in a ‘point and click’ society now, so maybe this version will win out in the end (I hope not).
Oh Bugger! I’ve ordered the wrong one! No problem, you can swap between the two, but you will need to completely ‘re-image’ the device (losing all settings).
What Do You Get With the Firepower 1010?
Out of the box you get the unit itself and a ‘power brick’ (with an annoying ‘clover leaf’ / ‘Mickey Mouse ears’ / IEC C5 connector). So if, like me, you get one with a Euro (2 pin) plug in the box and you live in the UK, unless you have one spare you will have a problem. Luckily I’ve got most things at home, but if you unbox this in a Data Centre at 11 o’clock at night, good luck finding one of those power cables! You also get a USB console cable. There’s a quick setup card (mine was in French and Spanish, but the picture was self explanatory). There’s a licence envelope in there as well; on inspection, it’s just instructions on how to set up a ‘Smart’ License account.
It’s Fan-less: Like the 5506-X it’s fan-less (that’s why it’s covered in holes). So IT’S NOT SUPPOSED TO GO IN A RACK! If you want a rack mountable firewall, buy a Firepower 1120.
But You Can Get Rack Mounting Kits For It? : I know, but then the world is full of people who sell the wrong stuff. If you put this thing in a rack and impede airflow through it, it’s more likely to break (lecture over).
It’s a Proper Switch! Yep, even better than the 5505, it’s got proper switchports with proper switch commands! By default all ports from GigabitEthernet 1/2 to 1/8 are switchports in VLAN 1. GigabitEthernet 1/1 is a routed (‘no switchport’) port.
PoE: The unit has PoE on ports GigabitEthernet 1/7 and GigabitEthernet 1/8 (only).
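As an added example (not from the original post), here is what carving the built-in switch into two VLANs and controlling PoE looks like in ASA CLI on the 1010. The VLAN numbers, addresses and interface names are assumptions for illustration; the commands are the standard ASA switchport, VLAN interface and power inline commands, and the trunk port shows how you would extend the VLANs to a downstream switch.

```text
! Added example, not part of the original post. VLAN numbers, addresses and
! nameifs are assumptions for illustration.
!
! Gi1/1 is the routed uplink ('no switchport' is the factory default for it)
interface GigabitEthernet1/1
 no switchport
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Gi1/2 to Gi1/5: ordinary LAN access ports, left in VLAN 1 (shown for one port)
interface GigabitEthernet1/2
 switchport
 switchport mode access
 switchport access vlan 1
!
! Gi1/6 as a trunk to a downstream switch carrying both VLANs
interface GigabitEthernet1/6
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 1,20
!
! Gi1/7 and Gi1/8 are the only PoE ports: one feeds an assumed phone in VLAN 20,
! the other has PoE switched off because nothing on it needs power
interface GigabitEthernet1/7
 switchport
 switchport mode access
 switchport access vlan 20
 power inline auto
!
interface GigabitEthernet1/8
 switchport
 switchport mode access
 switchport access vlan 1
 power inline never
!
! The Layer 3 side of each VLAN lives on a VLAN interface, as on the old 5505
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 nameif voice
 security-level 90
 ip address 192.168.20.1 255.255.255.0
!
! Checks: VLAN membership, MAC learning and the PoE state per port
show switch vlan
show switch mac-address-table
show power inline
```

Note that traffic between Vlan1 and Vlan20 is firewalled like any other inter-interface traffic, so you still need the usual access rules (or same-security permits) for the phones to reach anything on the inside.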
Throughput: Cisco state 650Mbps with NGFW inspection ‘or’ IDS turned on (notice they don’t say ‘and’!)
AnyConnect: Comes with 75 ‘Premium’ licences (without extra licensing!)
Licensing: Smart Licensing model only, so no more ‘classic’ licences and activation keys.
Failover? Here’s a GOTCHA: for failover you need to add an additional licence to BOTH units (on the 1010 only), and they are not cheap! But if you want enterprise solutions, then buy enterprise class firewalls, guys!
- Power: Much better than the 5506-X and the terrible 5505 power connector; you could probably swing on this and it won’t come out. Just a pity about the IEC C5 connector on the power brick.
- 8 x Gigabit Ethernet ports: Normally GigabitEthernet 1/1 will be for the WAN, and GigabitEthernet 1/2 through 1/8 will be for the LAN (with 1/7 and 1/8 being PoE).
- Management Port.
- Console Port (RJ45).
- Console Port (Mini USB).
- USB port (useful for upgrades, and backups).
- Kensington Lock: Seriously? I’ve not seen one of these since about 2005; does anyone still use them?
- Reset Button: Depressing it for 3 seconds reverts the firewall to its factory settings (and preserves the config, apparently).
- Status Lights (another reason not to put things on top of it!), though you will notice there are some on the back also.
Firepower 1010 Initial Setup (ASA Version)
It takes ages to boot! Like its predecessors, the WAN port (GigabitEthernet 1/1) is set to get an IP address via DHCP, and the internal ports have a DHCP server enabled on them (192.168.1.0/24). The Management port also has a DHCP server enabled (192.168.45.0/24), so be careful before connecting it to a live network that already has DHCP. ASDM (HTTPS) access is enabled from the entire inside and management networks.
The only thing I can see that’s different from its predecessor (apart from the fact it’s got a working switch setup that isn’t terrible) is that the DNS servers are set to Cisco’s. I’m assuming this is so that licensing and updates will ‘just work’, though some people will want to change this.
Annoyingly, ICMP inspection is still disabled by default (so ping replies coming back through the firewall aren’t tracked statefully and need an explicit rule), and ESMTP inspection is enabled by default (if you have an Exchange server, turn that off: by default it masks the server banner and, unless you allow TLS in the ESMTP policy map, strips the STARTTLS capability, so your mail servers end up talking in the clear).
All outbound traffic is set to translate to the outside interface’s IP address (this is actually PAT, i.e. many internal addresses hidden behind one address and distinguished by port, which is why I didn’t say NATTED to the outside interface’s IP address).
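Pulling those defaults together, here is an added example (not from the original post) of the first ASA CLI changes I would make before the unit touches a live network. The resolver address and the ASDM management host are assumptions; the inside and management subnets are the factory ones described above, so check ‘show run http’ and ‘show run dhcpd’ first and adjust if your unit’s defaults differ.

```text
! Added example, not part of the original post. 10.1.1.53 and 192.168.1.10 are
! assumed placeholder addresses; 192.168.1.0/24 and 192.168.45.0/24 are the
! factory default inside and management subnets described above.
!
! 1. Two DHCP servers are on by default; turn them off if the LAN already has one
no dhcpd enable inside
no dhcpd enable management
!
! 2. Point DNS at your own resolver, then remove the factory entries with
!    'no name-server <ip>' after reading them from 'show run dns'
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.1.53
!
! 3. ICMP inspection is off and ESMTP inspection is on by default; flip both
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  no inspect esmtp
!
! 4. ASDM (HTTPS) is open to the whole inside and management subnets; narrow it
!    to the one admin host
no http 192.168.1.0 255.255.255.0 inside
no http 192.168.45.0 255.255.255.0 management
http 192.168.1.10 255.255.255.255 inside
!
! 5. The factory rule below is what hides everything behind the outside address.
!    It is PAT (many hosts to one address, distinguished by port); leave it
!    unless you have public addresses to map statically
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
!
! Checks
show run dhcpd
show run dns
show run policy-map
show run http
show nat detail
```

Do the DHCP and ASDM changes from the console (or from the one host you have just allowed), because the last ‘http’ line is the only thing that keeps ASDM reachable once the subnet-wide entries are gone.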
Next Step: Cisco Firepower 1010 Licensing
Related Articles, References, Credits, or External Links
NA
So if you run an FP1010 with ASA code (FPR1010-ASA-K9), is there still a place to run ‘with FirePOWER Services’ with it, like the ASA5506 and other same-generation boxes; is the “sfr module” visible and do you then have two different management planes for firewall and L7 filtering, or not?
Great Question: No! If you try and execute a ‘show module’ or a ‘session sfr’ it will simply error; in ASA mode they are ASA firewalls only, so no FirePower services.
So what you’re saying is, you will need to run FTD to add these devices to your FMC console?
For these devices, yes! If you run ASA code on them they DON’T DO Firepower like the old ASA 5500-X series, as in ASA mode there’s no access to the internal SFR module.
Great article! Thanks a lot.
If I bought an FPR1010-NGFW-K9 and also have the compatible ASA image, how do I get the FPR1010 to boot from the ASA image? Previously in ASA hardware I would use the CLI and use the boot system flash:/Xxxx command. Also, how do I bring it back to boot from FTD?
Many thanks
Sam
Hi Sam,
Thanks! Unlike the ASA 5500-X, you simply copy the required code to flash, set the boot variable and bounce it.
I have the FTD version – is there a way to manage it via the outside interface? For a branch office we would usually manage from the Internet (from a configured remote IP address).
Yes – it’s on the management access tab; you need to enable it on the outside interface though.
What do you mean by 75 premium AnyConnect license?
Does that mean I get 75 free AnyConnect sessions without an extra Plus or Apex license?
Connections yes, rights to download the software no.
Hi Pete, looking to replace 2x 5506-X with failover; what would you recommend that runs ASA and would give you failover without paying extra for that license?
FPR1120! Or a Fortigate 60F.
Does it make sense to change 5508-X to any of the Firepower models, if yes then which one will be better?
If you want a Cisco firewall, yes – either the FPR-1010 or the FPR-1120 (if you want to rack mount it). Buy it running the ASA code NOT the FTD code, and remember, despite the name, when running ASA code there’s no Firepower available (yes, that makes no sense, but it’s still true!). Alternatively buy a Fortigate 100F.
Hi Pete,
Helping out a customer who just purchased an FPR1010-ASA-K9. When I run ‘show license’ nothing shows. Should I have the customer purchase, or what is the best practice or your recommendation?
thank you…