Logical Devices for the Firepower 4100/9300

The Firepower 4100/9300 is a flexible security platform on which you can install one or more logical devices. This chapter describes basic interface configuration and how to add a standalone or High Availability logical device using the chassis manager. To add a clustered logical device, see ASA Cluster for the Firepower 4100/9300. To use the FXOS CLI, see the FXOS CLI configuration guide. For more advanced FXOS procedures and troubleshooting, see the FXOS configuration guide.

About Interfaces

The Firepower 4100/9300 chassis supports physical interfaces and EtherChannel (port-channel) interfaces. EtherChannel interfaces can include up to 16 member interfaces of the same type.

Chassis Management Interface

The chassis management interface is used for management of the FXOS Chassis by SSH or chassis manager. This interface is separate from the mgmt-type interface that you assign to the logical devices for application management.

To configure parameters for this interface, you must configure them from the CLI. To view information about this interface in the FXOS CLI, connect to local management and show the management port:

Firepower # connect local-mgmt

Firepower(local-mgmt) # show mgmt-port

Note that the chassis management interface remains up even if the physical cable or SFP module is unplugged, or if the mgmt-port shut command is performed.


Note


The chassis management interface does not support jumbo frames.


Interface Types

Physical interfaces and EtherChannel (port-channel) interfaces can be one of the following types:

  • Data—Use for regular data. Data interfaces cannot be shared between logical devices, and logical devices cannot communicate over the backplane to other logical devices. For traffic on Data interfaces, all traffic must exit the chassis on one interface and return on another interface to reach another logical device.

  • Data-sharing—Use for regular data. Only supported with container instances, these data interfaces can be shared by one or more logical devices/container instances (threat defense-using-management center only).

  • Mgmt—Use to manage application instances. These interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface. You can only assign one management interface per logical device. Depending on your application and manager, you can later enable management from a data interface; but you must assign a Management interface to the logical device even if you don't intend to use it after you enable data management. For information about the separate chassis management interface, see Chassis Management Interface.


    Note


    Changing the Mgmt interface causes the logical device to reboot. For example, changing the management interface from e1/1 to e1/2 reboots the logical device to apply the new management interface.


  • Eventing—Use as a secondary management interface for threat defense-using-management center devices.


    Note


    A virtual Ethernet interface is allocated when each application instance is installed. If the application does not use an eventing interface, then the virtual interface will be in an admin down state.

    Firepower # show interface Vethernet775
    Vethernet775 is down (Administratively down)
    Bound Interface is Ethernet1/10
    Port description is server 1/1, VNIC ext-mgmt-nic5

  • Cluster—Use as the cluster control link for a clustered logical device. By default, the cluster control link is automatically created on Port-channel 48. The Cluster type is only supported on EtherChannel interfaces.

See the following table for interface type support for the threat defense and ASA applications in standalone and cluster deployments.

Table 1. Interface Type Support

Columns: Application | Data | Data: Subinterface | Data-Sharing | Data-Sharing: Subinterface | Mgmt | Eventing | Cluster (EtherChannel only) | Cluster: Subinterface

Threat Defense

  • Standalone Native Instance: Yes | Yes | Yes

  • Standalone Container Instance: Yes | Yes | Yes | Yes | Yes | Yes

  • Cluster Native Instance: Yes (EtherChannel only for inter-chassis cluster) | Yes | Yes | Yes

  • Cluster Container Instance: Yes (EtherChannel only for inter-chassis cluster) | Yes | Yes | Yes | Yes

ASA

  • Standalone Native Instance: Yes | Yes | Yes

  • Cluster Native Instance: Yes (EtherChannel only for inter-chassis cluster) | Yes | Yes
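The type rules in the list and table above (Data is never shared, Mgmt may be shared but exactly one is assigned per logical device, Data-sharing and Eventing are threat defense features, Cluster only on an EtherChannel) can be checked before you allocate interfaces. The following added Python example (not Cisco code or an FXOS API) models those rules against a constructed assignment plan; the class and field names are this example's own assumptions.

```python
"""Validate planned interface assignments against the FXOS interface-type rules above.

Added example, not Cisco code. It encodes the rules this chapter states for the
Data, Data-sharing, Mgmt, Eventing and Cluster types; the classes, field names
and sample plan are this example's own assumptions, not FXOS objects.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Interface:
    name: str        # FXOS interface ID, e.g. "Ethernet1/1" or "Port-channel48"
    port_type: str   # "data", "data-sharing", "mgmt", "eventing" or "cluster"

    @property
    def is_etherchannel(self) -> bool:
        return self.name.lower().startswith("port-channel")


@dataclass
class LogicalDevice:
    name: str
    app: str                  # "asa" or "ftd" (threat defense)
    deploy_type: str          # "native" or "container"
    clustered: bool = False
    interfaces: list[str] = field(default_factory=list)


def validate(devices: list[LogicalDevice], ifaces: dict[str, Interface]) -> list[str]:
    """Return the rule violations found; an empty list means the plan is consistent."""
    problems: list[str] = []
    users: dict[str, list[str]] = {}   # interface ID -> logical devices that use it
    for dev in devices:
        mgmt_count = 0
        for ifname in dev.interfaces:
            intf = ifaces.get(ifname)
            if intf is None:
                problems.append(f"{dev.name}: {ifname} is not defined in FXOS")
                continue
            users.setdefault(ifname, []).append(dev.name)
            if intf.port_type == "mgmt":
                mgmt_count += 1
            elif intf.port_type == "data-sharing" and not (dev.app == "ftd" and dev.deploy_type == "container"):
                problems.append(f"{dev.name}: {ifname} is Data-sharing, which only threat defense container instances support")
            elif intf.port_type == "eventing" and dev.app != "ftd":
                problems.append(f"{dev.name}: {ifname} is Eventing, which only threat defense supports")
            elif intf.port_type == "cluster":
                if not intf.is_etherchannel:
                    problems.append(f"{ifname}: Cluster type is only supported on EtherChannel interfaces")
                if not dev.clustered:
                    problems.append(f"{dev.name}: {ifname} is a Cluster interface but the device is standalone")
        # A management interface is required, and only one may be assigned per logical device.
        if mgmt_count != 1:
            problems.append(f"{dev.name}: expected exactly one Mgmt interface, found {mgmt_count}")
    # Sharing: a Data interface belongs to one logical device; Mgmt and Data-sharing may be shared.
    for ifname, names in users.items():
        if len(names) > 1 and ifaces[ifname].port_type == "data":
            problems.append(f"{ifname}: Data interface shared by {', '.join(names)}")
    return problems


def sample_plan() -> tuple[list[LogicalDevice], dict[str, Interface]]:
    """Constructed plan with three deliberate mistakes (interface IDs follow the chapter's examples)."""
    ifaces = {i.name: i for i in [
        Interface("Ethernet1/1", "data"),
        Interface("Ethernet1/2", "data"),
        Interface("Ethernet1/7", "mgmt"),
        Interface("Ethernet1/8", "data-sharing"),
        Interface("Port-channel48", "cluster"),
    ]}
    devices = [
        LogicalDevice("ASA1", "asa", "native", interfaces=["Ethernet1/1", "Ethernet1/7"]),
        # Mistake 1: reuses Ethernet1/1 (Data cannot be shared). Mistake 2: native ASA on a Data-sharing interface.
        LogicalDevice("ASA2", "asa", "native", interfaces=["Ethernet1/1", "Ethernet1/2", "Ethernet1/7", "Ethernet1/8"]),
        # Mistake 3: no Mgmt interface assigned at all.
        LogicalDevice("FTD1", "ftd", "container", clustered=True, interfaces=["Ethernet1/8", "Port-channel48"]),
    ]
    return devices, ifaces


if __name__ == "__main__":
    devs, ifs = sample_plan()
    for problem in validate(devs, ifs):
        print("VIOLATION:", problem)
```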

FXOS Interfaces vs. Application Interfaces

The Firepower 4100/9300 manages the basic Ethernet settings of physical interfaces and EtherChannel (port-channel) interfaces. Within the application, you configure higher level settings. For example, you can only create EtherChannels in FXOS; but you can assign an IP address to the EtherChannel within the application.

The following sections describe the interaction between FXOS and the application for interfaces.

VLAN Subinterfaces

For all logical devices, you can create VLAN subinterfaces within the application.

Independent Interface States in the Chassis and in the Application

You can administratively enable and disable interfaces in both the chassis and in the application. For an interface to be operational, the interface must be enabled in both operating systems. Because the interface state is controlled independently, you may have a mismatch between the chassis and application.

About Logical Devices

A logical device lets you run one application instance (either ASA or threat defense) and also one optional decorator application (Radware DefensePro) to form a service chain.

When you add a logical device, you also define the application instance type and version, assign interfaces, and configure bootstrap settings that are pushed to the application configuration.


Note


For the Firepower 9300, you can install different application types (ASA and threat defense) on separate modules in the chassis. You can also run different versions of an application instance type on separate modules.


Standalone and Clustered Logical Devices

You can add the following logical device types:

  • Standalone—A standalone logical device operates as a standalone unit or as a unit in a High Availability pair.

  • Cluster—A clustered logical device lets you group multiple units together, providing all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. Multiple module devices, like the Firepower 9300, support intra-chassis clustering. For the Firepower 9300, all three modules must participate in the cluster, for both native and container instances.

Requirements and Prerequisites for Hardware and Software Combinations

The Firepower 4100/9300 supports multiple models, security modules, application types, and high availability and scalability features. See the following requirements for allowed combinations.

Firepower 9300 Requirements

The Firepower 9300 includes 3 security module slots and multiple types of security modules. See the following requirements:

  • Security Module Types—You can install modules of different types in the Firepower 9300. For example, you can install the SM-48 as module 1, SM-40 as module 2, and SM-56 as module 3.

  • Native and Container instances—When you install a container instance on a security module, that module can only support other container instances. A native instance uses all of the resources for a module, so you can only install a single native instance on a module. You can use native instances on some modules, and container instances on other modules. For example, you can install a native instance on module 1 and module 2, but container instances on module 3.

  • Clustering—All security modules in the cluster, whether it is intra-chassis or inter-chassis, must be the same type. You can have different quantities of installed security modules in each chassis, although all modules present in the chassis must belong to the cluster including any empty slots. For example, you can install 2 SM-40s in chassis 1, and 3 SM-40s in chassis 2. You cannot use clustering if you install 1 SM-48 and 2 SM-40s in the same chassis.

  • High Availability—High Availability is only supported between same-type modules on the Firepower 9300. However, the two chassis can include mixed modules. For example, each chassis has an SM-40, SM-48, and SM-56. You can create High Availability pairs between the SM-40 modules, between the SM-48 modules, and between the SM-56 modules.

  • ASA and threat defense application types—You can install different application types on separate modules in the chassis. For example, you can install ASA on module 1 and module 2, and threat defense on module 3.

  • ASA or threat defense versions—You can run different versions of an application instance type on separate modules, or as separate container instances on the same module. For example, you can install the threat defense 6.3 on module 1, threat defense 6.4 on module 2, and threat defense 6.5 on module 3.

Firepower 4100 Requirements

The Firepower 4100 comes in multiple models. See the following requirements:

  • Native and Container instances—When you install a container instance on a Firepower 4100, that device can only support other container instances. A native instance uses all of the resources for a device, so you can only install a single native instance on the device.

  • Clustering—All chassis in the cluster must be the same model.

  • High Availability—High Availability is only supported between same-type models.

  • ASA and threat defense application types—The Firepower 4100 can only run a single application type.

Guidelines and Limitations for Logical Devices

See the following sections for guidelines and limitations.

Guidelines and Limitations for Interfaces

Default MAC Addresses

Default MAC address assignments depend on the type of interface.

  • Physical interfaces—The physical interface uses the burned-in MAC address.

  • EtherChannels—For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links. The port-channel interface uses a unique MAC address from a pool; interface membership does not affect the MAC address.

General Guidelines and Limitations

Firewall Mode

You can set the firewall mode to routed or transparent in the bootstrap configuration for the threat defense and ASA.

High Availability

  • Configure high availability within the application configuration.

  • You can use any data interfaces as the failover and state links. Data-sharing interfaces are not supported.

Context Mode

  • Enable multiple context mode in the ASA after you deploy.

Requirements and Prerequisites for High Availability

  • The two units in a High Availability Failover configuration must:

    • Be on a separate chassis; intra-chassis High Availability for the Firepower 9300 is not supported.

    • Be the same model.

    • Have the same interfaces assigned to the High Availability logical devices.

    • Have the same number and types of interfaces. All interfaces must be preconfigured in FXOS identically before you enable High Availability.

  • High Availability is only supported between same-type modules on the Firepower 9300; but the two chassis can include mixed modules. For example, each chassis has an SM-56, SM-48, and SM-40. You can create High Availability pairs between the SM-56 modules, between the SM-48 modules, and between the SM-40 modules.

  • For other High Availability system requirements, see Failover System Requirements.

Configure Interfaces

By default, physical interfaces are disabled. You can enable interfaces, add EtherChannels, and edit interface properties.


Note


If you remove an interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign an interface to an EtherChannel), then the ASA configuration retains the original commands so that you can make any necessary adjustments; removing an interface from the configuration can have wide effects. You can manually remove the old interface configuration in the ASA OS.


Configure a Physical Interface

You can physically enable and disable interfaces, as well as set the interface speed and duplex. To use an interface, it must be physically enabled in FXOS and logically enabled in the application.


Note


For QSFPH40G-CUxM, auto-negotiation is always enabled by default and you cannot disable it.


Before you begin

  • Interfaces that are already a member of an EtherChannel cannot be modified individually. Be sure to configure interface settings before you add the interface to the EtherChannel.

Procedure


Step 1

Enter interface mode.

scope eth-uplink

scope fabric a

Step 2

Enable the interface.

enter interface interface_id

enable

Example:


Firepower /eth-uplink/fabric # enter interface Ethernet1/8
Firepower /eth-uplink/fabric/interface # enable

Note

 

Interfaces that are already a member of a port-channel cannot be modified individually. If you use the enter interface or scope interface command on an interface that is a member of a port channel, you will receive an error stating that the object does not exist. You should edit interfaces using the enter interface command before you add them to a port-channel.

Step 3

(Optional) Set Debounce Time.

set debounce-time milliseconds

Enter a value between 0 and 15000 milliseconds.

Example:


Firepower /eth-uplink/fabric/interface # set debounce-time 5000

Step 4

(Optional) Set the interface type.

set port-type {data | mgmt | cluster}

Example:


Firepower /eth-uplink/fabric/interface # set port-type mgmt

The data keyword is the default type. Do not choose the cluster keyword; by default, the cluster control link is automatically created on Port-channel 48.

Step 5

Enable or disable autonegotiation, if supported for your interface.

set auto-negotiation {on | off}

Example:


Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 6

Set the interface speed.

set admin-speed {1gbps | 10gbps | 40gbps | 100gbps}

Example:


Firepower /eth-uplink/fabric/interface* # set admin-speed 1gbps

Step 7

Set the interface duplex mode.

set admin-duplex {fullduplex | halfduplex}

Example:


Firepower /eth-uplink/fabric/interface* # set admin-duplex halfduplex

Step 8

If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy, apply it to the interface.

set flow-control-policy name

Example:


Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 9

Save the configuration.

commit-buffer

Example:


Firepower /eth-uplink/fabric/interface* # commit-buffer
Firepower /eth-uplink/fabric/interface #


Add an EtherChannel (Port Channel)

An EtherChannel (also known as a port channel) can include up to 16 member interfaces of the same media type and capacity, and must be set to the same speed and duplex. The media type can be either RJ-45 or SFP; SFPs of different types (copper and fiber) can be mixed. You cannot mix interface capacities (for example 1GB and 10GB interfaces) by setting the speed to be lower on the larger-capacity interface. The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices.

You can configure each physical Data interface in an EtherChannel to be:

  • Active—Sends and receives LACP updates. An active EtherChannel can establish connectivity with either an active or a passive EtherChannel. You should use the active mode unless you need to minimize the amount of LACP traffic.

  • On—The EtherChannel is always on, and LACP is not used. An “on” EtherChannel can only establish a connection with another “on” EtherChannel.


Note


It may take up to three minutes for an EtherChannel to come up to an operational state if you change its mode from On to Active or from Active to On.


Non-data interfaces only support active mode.

LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention. It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct channel group. “On” mode cannot use standby interfaces in the channel group when an interface goes down, and the connectivity and configurations are not checked.

When the Firepower 4100/9300 chassis creates an EtherChannel, the EtherChannel stays in a Suspended state for Active LACP mode or a Down state for On LACP mode until you assign it to a logical device, even if the physical link is up. The EtherChannel will be brought out of this Suspended state in the following situations:

  • The EtherChannel is added as a data or management interface for a standalone logical device

  • The EtherChannel is added as a management interface or cluster control link for a logical device that is part of a cluster

  • The EtherChannel is added as a data interface for a logical device that is part of a cluster and at least one unit has joined the cluster

Note that the EtherChannel does not come up until you assign it to a logical device. If the EtherChannel is removed from the logical device or the logical device is deleted, the EtherChannel will revert to a Suspended or Down state.
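The membership and mode rules above (up to 16 members of one media type and capacity, members at the port-channel's speed and duplex, active mode for non-Data port-channels, and which LACP modes can pair) can be checked before you run the procedure. The following added Python example (not Cisco code) models them against constructed port-channel definitions; the classes, field names and the media and capacity labels are this example's own assumptions.

```python
"""Check EtherChannel membership against the rules in the section above.

Added example, not Cisco code. The rules are the chapter's (16-member limit, same
media type and capacity, speed and duplex matching the port-channel, active mode
for non-Data port-channels, and which LACP modes can pair); the classes, field
names and sample data are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_MEMBERS = 16


@dataclass(frozen=True)
class Member:
    name: str          # e.g. "Ethernet1/1"
    media: str         # "rj45" or "sfp"; copper and fiber SFPs both count as "sfp" and may mix
    capacity: str      # hardware capacity, e.g. "1gbps" or "10gbps"
    admin_speed: str   # speed configured on the member in FXOS
    admin_duplex: str  # "fullduplex" or "halfduplex"


@dataclass(frozen=True)
class PortChannel:
    id: int
    port_type: str = "data"      # "data", "mgmt" or "cluster"
    speed: str = "10gbps"        # required member speed; the chapter's default
    duplex: str = "fullduplex"   # required member duplex; the chapter's default
    mode: str = "active"         # LACP mode: "active" or "on"
    members: tuple[Member, ...] = ()


def check_port_channel(pc: PortChannel) -> list[str]:
    """Return the violations for one port-channel; members that will not join are named."""
    problems: list[str] = []
    if len(pc.members) > MAX_MEMBERS:
        problems.append(f"Port-channel{pc.id}: {len(pc.members)} members, maximum is {MAX_MEMBERS}")
    if pc.port_type != "data" and pc.mode != "active":
        problems.append(f"Port-channel{pc.id}: {pc.port_type} port-channels only support active mode")
    media = {m.media for m in pc.members}
    if len(media) > 1:
        problems.append(f"Port-channel{pc.id}: mixed media types {sorted(media)}")
    capacity = {m.capacity for m in pc.members}
    if len(capacity) > 1:
        # Lowering the admin speed on the larger interface does not make capacities match.
        problems.append(f"Port-channel{pc.id}: mixed capacities {sorted(capacity)}")
    for m in pc.members:
        if m.admin_speed != pc.speed:
            problems.append(f"{m.name}: speed {m.admin_speed} differs from port-channel speed {pc.speed}; it will not join")
        if m.admin_duplex != pc.duplex:
            problems.append(f"{m.name}: duplex {m.admin_duplex} differs from port-channel duplex {pc.duplex}; it will not join")
    return problems


def lacp_can_pair(local_mode: str, peer_mode: str) -> bool:
    """Active pairs with an active or passive peer; On pairs only with On."""
    if local_mode == "on":
        return peer_mode == "on"
    if local_mode == "active":
        return peer_mode in ("active", "passive")
    return False


def sample_port_channels() -> list[PortChannel]:
    """Constructed data: Port-channel1 has two mistakes and Port-channel48 has one."""
    def sfp(name: str, capacity: str = "1gbps", speed: str = "1gbps") -> Member:
        return Member(name, "sfp", capacity, speed, "fullduplex")

    return [
        PortChannel(1, speed="1gbps", members=(
            sfp("Ethernet1/1"),
            sfp("Ethernet1/2"),
            sfp("Ethernet1/3", capacity="10gbps"),   # 10G port slowed to 1G: capacities still differ
            sfp("Ethernet1/4", speed="10gbps"),      # not at the port-channel speed: will not join
        )),
        PortChannel(48, port_type="cluster", mode="on"),  # cluster control link must use active mode
    ]


if __name__ == "__main__":
    for pc in sample_port_channels():
        for problem in check_port_channel(pc):
            print("VIOLATION:", problem)
```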

Procedure


Step 1

Enter interface mode:

scope eth-uplink

scope fabric a

Step 2

Create the port-channel:

create port-channel id

enable

Step 3

Assign member interfaces:

create member-port interface_id

You can add up to 16 member interfaces of the same media type and capacity. The member interfaces must be set to the same speed and duplex, and must match the speed and duplex that you configured for this port channel. The media type can be either RJ-45 or SFP; SFPs of different types (copper and fiber) can be mixed. You cannot mix interface capacities (for example 1GB and 10GB interfaces) by setting the speed to be lower on the larger-capacity interface.

Example:


Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2 
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/3 
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/4
Firepower /eth-uplink/fabric/port-channel/member-port* # exit

Step 4

(Optional) Set the interface type.

set port-type {data | mgmt | cluster}

Example:


Firepower /eth-uplink/fabric/port-channel # set port-type data

The data keyword is the default type. Do not choose the cluster keyword unless you want to use this port-channel as the cluster control link instead of the default.

Step 5

Set the required interface speed for members of the port-channel.

set speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}

If you add a member interface that is not at the specified speed, it will not successfully join the port channel. The default is 10gbps.

Example:


Firepower /eth-uplink/fabric/port-channel* # set speed 1gbps

Step 6

(Optional) Set the required duplex for members of the port-channel.

set duplex {fullduplex | halfduplex}

If you add a member interface that is not configured with the specified duplex, it will not successfully join the port channel. The default is fullduplex.

Example:


Firepower /eth-uplink/fabric/port-channel* # set duplex fullduplex

Step 7

Enable or disable autonegotiation, if supported for your interface.

set auto-negotiation {on | off}

Example:


Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 8

Set the LACP port-channel mode for data interfaces.

For non-Data interfaces, the mode is always active.

set port-channel-mode {active | on}

Example:


Firepower /eth-uplink/fabric/port-channel* # set port-channel-mode on

Step 9

If you edited the default flow control policy, it is already applied to interfaces. If you created a new policy, apply it to the interface.

set flow-control-policy name

Example:


Firepower /eth-uplink/fabric/interface* # set flow-control-policy flow1

Step 10

Commit the configuration:

commit-buffer

Configure Logical Devices

Add a standalone logical device or a High Availability pair on the Firepower 4100/9300 chassis.

For clustering, see ASA Cluster for the Firepower 4100/9300.

Add a Standalone ASA

Standalone logical devices work either alone or in a High Availability pair. On the Firepower 9300 with multiple security modules, you can deploy either a cluster or standalone devices. The cluster must use all modules, so you cannot mix and match a 2-module cluster plus a single standalone device, for example.

You can deploy a routed or transparent firewall mode ASA from the Firepower 4100/9300 chassis.

For multiple context mode, you must first deploy the logical device, and then enable multiple context mode in the ASA application.

Before you begin

  • Download the application image you want to use for the logical device from Cisco.com, and then download that image to the Firepower 4100/9300 chassis.


    Note


    For the Firepower 9300, you can install different application types (ASA and threat defense) on separate modules in the chassis. You can also run different versions of an application instance type on separate modules.


  • Configure a management interface to use with the logical device. The management interface is required. Note that this management interface is not the same as the chassis management port that is used only for chassis management (in FXOS, you might see it displayed as MGMT, management0, or other similar names).

  • Gather the following information:

    • Interface IDs for this device

    • Management interface IP address and network mask

    • Gateway IP address

Procedure


Step 1

Enter security services mode.

scope ssa

Example:


Firepower# scope ssa
Firepower /ssa # 

Step 2

Set the application instance image version.

  1. View available images. Note the Version number that you want to use.

    show app

    Example:

    
    Firepower /ssa # show app
        Name       Version         Author     Supported Deploy Types CSP Type    Is Default App
        ---------- --------------- ---------- ---------------------- ----------- --------------
        asa        9.9.1           cisco      Native                 Application No
        asa        9.10.1          cisco      Native                 Application Yes
        ftd        6.2.3           cisco      Native                 Application Yes
        
    
  2. Set the scope to the security module/engine slot.

    scope slot slot_id

    The slot_id is always 1 for the Firepower 4100, and 1, 2, or 3 for the Firepower 9300.

    Example:

    
    Firepower /ssa # scope slot 1
    Firepower /ssa/slot # 
    
    
  3. Create the application instance.

    enter app-instance asa device_name

    The device_name can be between 1 and 64 characters. You will use this device name when you create the logical device for this instance.

    Example:

    
    Firepower /ssa/slot # enter app-instance asa ASA1
    Firepower /ssa/slot/app-instance* # 
    
    
  4. Set the ASA image version.

    set startup-version version

    Example:

    
    Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
    
    
  5. Exit to slot mode.

    exit

    Example:

    
    Firepower /ssa/slot/app-instance* # exit
    Firepower /ssa/slot* # 
    
    
  6. Exit to ssa mode.

    exit

    Example:

    
    Firepower /ssa/slot* # exit
    Firepower /ssa* # 
    
    

Example:


Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa ASA1
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* # 

Step 3

Create the logical device.

enter logical-device device_name asa slot_id standalone

Use the same device_name as the application instance you added earlier.

Example:


Firepower /ssa # enter logical-device ASA1 asa 1 standalone
Firepower /ssa/logical-device* #

Step 4

Assign the management and data interfaces to the logical device. Repeat for each interface.

create external-port-link name interface_id asa

set description description

exit

  • name—The name is used by the Firepower 4100/9300 chassis supervisor; it is not the interface name used in the ASA configuration.

  • description—Use quotes (") around phrases with spaces.

The management interface is not the same as the chassis management port. You will later enable and configure the data interfaces on the ASA, including setting the IP addresses.

Example:



Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit

Step 5

Configure the management bootstrap information.

  1. Create the bootstrap object.

    create mgmt-bootstrap asa

    Example:

    
    Firepower /ssa/logical-device* # create mgmt-bootstrap asa
    Firepower /ssa/logical-device/mgmt-bootstrap* # 
    
    
  2. Specify the firewall mode, routed or transparent.

    create bootstrap-key FIREWALL_MODE

    set value {routed | transparent}

    exit

    In routed mode, the device is considered to be a router hop in the network. Each interface that you want to route between is on a different subnet. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.

    The firewall mode is only set at initial deployment. If you re-apply the bootstrap settings, this setting is not used.

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key FIREWALL_MODE
    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # set value routed
    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  3. Specify the admin and enable password.

    create bootstrap-key-secret PASSWORD

    set value

    Enter a value: password

    Confirm the value: password

    exit


    The pre-configured ASA admin user and enable password is useful for password recovery; if you have FXOS access, you can reset the admin user password if you forget it.

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
    Enter a value: floppylampshade
    Confirm the value: floppylampshade
    Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  4. Configure the IPv4 management interface settings.

    create ipv4 slot_id default

    set ip ip_address mask network_mask

    set gateway gateway_address

    exit

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.10.10.34 mask 255.255.255.0
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.10.10.1
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  5. Configure the IPv6 management interface settings.

    create ipv6 slot_id default

    set ip ip_address prefix-length prefix

    set gateway gateway_address

    exit

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv6 1 default
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set ip 2001:0DB8:BA98::3210 prefix-length 64
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set gateway 2001:0DB8:BA98::3211
    Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # exit
    Firepower /ssa/logical-device/mgmt-bootstrap* #
    
    
  6. Exit the management bootstrap mode.

    exit

    Example:

    
    Firepower /ssa/logical-device/mgmt-bootstrap* # exit
    Firepower /ssa/logical-device* # 
    
    

Step 6

Save the configuration.

commit-buffer

The chassis deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the application instance. Check the status of the deployment using the show app-instance command. The application instance is running and ready to use when the Admin State is Enabled and the Oper State is Online.

Example:


Firepower /ssa/logical-device* # commit-buffer
Firepower /ssa/logical-device # exit
Firepower /ssa # show app-instance
App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
asa        asa1       2          Disabled    Not Installed                    9.12.1          Native                   Not Applicable  None
ftd        ftd1       1          Enabled     Online           6.4.0.49        6.4.0.49        Container   Default-Small Not Applicable  None
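Deployment readiness can be checked programmatically from the show app-instance output above. The following added Python example (not Cisco code or an FXOS API) parses that fixed-width table, handles the ftd1 row in which the Profile Name value Default-Small overflows its column and shifts the columns after it, and reports which instances meet the readiness rule stated above (Admin State Enabled and Oper State Online). It assumes the command output has been captured as a string, for example over an SSH session; the function names are this example's own.

```python
"""Parse FXOS 'show app-instance' output and report which instances are ready.

Added example, not Cisco code or an FXOS API. It assumes the command output has
been captured as a string (for example over an SSH session); the function names
are this example's own. Readiness follows the chapter's rule: Admin State Enabled
and Oper State Online.
"""
from __future__ import annotations

import re

# Sample output retyped from the chapter's example. In the ftd1 row the Profile Name
# value "Default-Small" is wider than its 12-character column, so every column after
# it is shifted right by one character; the parser below tolerates that.
SAMPLE_SHOW_APP_INSTANCE = """\
Firepower /ssa # show app-instance
App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
asa        asa1       2          Disabled    Not Installed                    9.12.1          Native                   Not Applicable  None
ftd        ftd1       1          Enabled     Online           6.4.0.49        6.4.0.49        Container   Default-Small Not Applicable  None
"""


def _split_row(row: str, cols: list[tuple[int, int]]) -> list[str]:
    """Slice one row by the header's column boundaries, tolerating cells that overflow."""
    cells: list[str] = []
    shift = 0   # how far later columns have been pushed right by earlier overflowing cells
    for start, end in cols:
        begin, stop = start + shift, end + shift
        # A value wider than its column runs into the separator space: extend the slice
        # to the next whitespace and shift the remaining columns by the same amount.
        while stop < len(row) and not row[stop].isspace():
            stop += 1
        shift = stop - end
        cells.append(row[begin:stop].strip())
    return cells


def parse_show_app_instance(text: str) -> list[dict[str, str]]:
    """Return one dict per application instance, keyed by the column names in the header."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        # The dashed separator line defines the column boundaries; the header is just above it.
        if i > 0 and "-" in ln and set(ln.strip()) <= {"-", " "}:
            header, dashes, body = lines[i - 1], ln, lines[i + 1:]
            break
    else:
        raise ValueError("no column separator line found in show app-instance output")
    cols = [(m.start(), m.end()) for m in re.finditer(r"-+", dashes)]
    names = [header[s:e].strip() for s, e in cols]
    return [dict(zip(names, _split_row(row, cols))) for row in body]


def deployment_status(records: list[dict[str, str]]) -> dict[str, str]:
    """Map each identifier to 'ready' or to the admin/oper states that keep it from being ready."""
    status: dict[str, str] = {}
    for rec in records:
        if rec["Admin State"] == "Enabled" and rec["Oper State"] == "Online":
            status[rec["Identifier"]] = "ready"
        else:
            status[rec["Identifier"]] = f"admin={rec['Admin State']} oper={rec['Oper State']}"
    return status


if __name__ == "__main__":
    for ident, state in deployment_status(parse_show_app_instance(SAMPLE_SHOW_APP_INSTANCE)).items():
        print(f"{ident}: {state}")
```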

Step 7

See the ASA configuration guide to start configuring your security policy.


Example


Firepower# scope ssa
Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa MyDevice1
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* # create logical-device MyDevice1 asa 1 standalone
Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create mgmt-bootstrap asa
Firepower /ssa/logical-device/mgmt-bootstrap* # enter bootstrap-key FIREWALL_MODE
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # set value transparent
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
Enter a value: secretglassine
Confirm the value: secretglassine
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.0.0.1
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.0.0.31 mask 255.255.255.0
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* # commit-buffer
Firepower /ssa/logical-device/mgmt-bootstrap # 

Add a High Availability Pair

ASA High Availability (also known as failover) is configured within the ASA application, not in FXOS. However, to prepare your chassis for high availability, perform the following steps.

Before you begin

See Failover System Requirements.

Procedure


Step 1

Allocate the same interfaces to each logical device.

Step 2

Allocate 1 or 2 data interfaces for the failover and state link(s).

These interfaces exchange high availability traffic between the 2 chassis. We recommend that you use a 10 GB data interface for a combined failover and state link. If you have available interfaces, you can use separate failover and state links; the state link requires the most bandwidth. You cannot use the management-type interface for the failover or state link. We recommend that you use a switch between the chassis, with no other device on the same network segment as the failover interfaces.

Step 3

Enable High Availability on the logical devices. See Failover for High Availability.

Step 4

If you need to make interface changes after you enable High Availability, perform the changes on the standby unit first, and then perform the changes on the active unit.

Note


For the ASA, if you remove an interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign an interface to an EtherChannel), then the ASA configuration retains the original commands so that you can make any necessary adjustments; removing an interface from the configuration can have wide effects. You can manually remove the old interface configuration in the ASA OS.


Change an Interface on an ASA Logical Device

You can allocate, unallocate, or replace a management interface on an ASA logical device. ASDM discovers the new interfaces automatically.

Adding a new interface, or deleting an unused interface has minimal impact on the ASA configuration. However, if you remove an allocated interface in FXOS (for example, if you remove a network module, remove an EtherChannel, or reassign an allocated interface to an EtherChannel), and the interface is used in your security policy, removal will impact the ASA configuration. In this case, the ASA configuration retains the original commands so that you can make any necessary adjustments. You can manually remove the old interface configuration in the ASA OS.


Note


You can edit the membership of an allocated EtherChannel without impacting the logical device.


Before you begin

  • Configure your interfaces and add any EtherChannels according to Configure a Physical Interface and Add an EtherChannel (Port Channel).

  • If you want to add an already-allocated interface to an EtherChannel (for example, all interfaces are allocated by default to a cluster), you need to unallocate the interface from the logical device first, then add the interface to the EtherChannel. For a new EtherChannel, you can then allocate the EtherChannel to the device.

  • For clustering or failover, make sure you add or remove the interface on all units. We recommend that you make the interface changes on the data/standby unit(s) first, and then on the control/active unit. New interfaces are added in an administratively down state, so they do not affect interface monitoring.

Procedure


Step 1

Enter security services mode:

Firepower# scope ssa

Step 2

Edit the logical device:

Firepower /ssa # scope logical-device device_name

Step 3

Unallocate an interface from the logical device:

Firepower /ssa/logical-device # delete external-port-link name

Enter the show external-port-link command to view interface names.

For a management interface, delete the current interface then commit your change using the commit-buffer command before you add the new management interface.

Step 4

Allocate a new interface to the logical device:

Firepower /ssa/logical-device* # create external-port-link name interface_id asa

Step 5

Commit the configuration:

commit-buffer

Commits the transaction to the system configuration.
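The following Python script is an added example, not code from the Cisco guide. Given a logical device's current external-port-link allocation and the allocation you want, it emits the FXOS command sequence of Steps 1 through 5 and applies the two ordering rules stated in this procedure: the management interface is committed between its delete and its create (Step 3), and for failover or clustering the standby/data units are planned before the active/control unit (also the point of Step 4 in "Add a High Availability Pair"). The device names, roles and interface IDs in it are constructed sample values.

```python
"""Plan the FXOS CLI commands for changing interfaces on an ASA logical device.

Constructed example; not Cisco code. Device names, roles and interface IDs
are sample values.
"""
from dataclasses import dataclass

# Units changed first get a lower rank: standby/data before active/control,
# as the procedure's prerequisites require.
ROLE_ORDER = {"standby": 0, "data": 0, "active": 1, "control": 1, "standalone": 1}


@dataclass
class LogicalDevice:
    name: str
    links: dict  # external-port-link name -> interface ID, e.g. "inside": "Ethernet1/1"
    role: str = "standalone"


def plan_changes(device: LogicalDevice, desired: dict) -> list:
    """Return the FXOS CLI commands that move device.links to `desired`.

    Mirrors Steps 1-5: scope ssa, scope logical-device, delete
    external-port-link for links being removed or re-pointed, create
    external-port-link for new or re-pointed links, then commit-buffer.
    A management link is committed between its delete and its create.
    """
    cmds = ["scope ssa", f"scope logical-device {device.name}"]
    pending = False  # True while uncommitted changes sit in the buffer

    # Step 3: unallocate links that are gone or now map to a different interface.
    for name, iface in device.links.items():
        if desired.get(name) != iface:
            cmds.append(f"delete external-port-link {name}")
            pending = True
            if name == "management":
                # The management interface must be deleted and committed
                # before the replacement is added.
                cmds.append("commit-buffer")
                pending = False

    # Step 4: allocate new links and re-add re-pointed ones.
    for name, iface in desired.items():
        if device.links.get(name) != iface:
            cmds.append(f"create external-port-link {name} {iface} asa")
            pending = True

    # Step 5: commit whatever is still in the buffer.
    if pending:
        cmds.append("commit-buffer")
    return cmds


def plan_for_units(units: list, desired: dict) -> list:
    """Plan the same change for every unit of a failover pair or cluster,
    ordered so standby/data units are changed before the active/control unit.
    sorted() is stable, so units of equal rank keep their given order."""
    ordered = sorted(units, key=lambda u: ROLE_ORDER.get(u.role, 1))
    return [(u.name, plan_changes(u, desired)) for u in ordered]


if __name__ == "__main__":
    # Constructed sample: replace the management link, drop outside, add dmz.
    current = {"inside": "Ethernet1/1", "outside": "Ethernet1/2", "management": "Ethernet1/7"}
    wanted = {"inside": "Ethernet1/1", "management": "Ethernet1/8", "dmz": "Ethernet1/3"}
    pair = [LogicalDevice("asa-active", dict(current), "active"),
            LogicalDevice("asa-standby", dict(current), "standby")]
    for unit, cmds in plan_for_units(pair, wanted):
        print(f"# {unit}")
        print("\n".join(cmds))
```

The generated lines are the bare commands; at the FXOS CLI they are typed at the prompts shown in Steps 1 through 5. Links whose interface ID is unchanged are left alone, so a no-op plan contains only the two scope commands.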


Connect to the Console of the Application

Use the following procedure to connect to the console of the application.

Procedure


Step 1

Connect to the module CLI using a console connection or a Telnet connection.

connect module slot_number { console | telnet }

To connect to the security engine of a device that does not support multiple security modules, always use 1 as the slot_number.

The benefit of using a Telnet connection is that you can have multiple sessions to the module at the same time, and the connection speed is faster.

Example:


Firepower# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:
Close Network Connection to Exit

Firepower-module1> 

Step 2

Connect to the application console.

connect asa name

To view the instance names, enter the command without a name.

Example:


Firepower-module1> connect asa asa1
Connecting to asa(asa1) console... hit Ctrl + A + D  to return to bootCLI
[...]
asa>

Step 3

Exit the application console to the FXOS module CLI.

  • ASA—Enter Ctrl-a, d

Step 4

Return to the supervisor level of the FXOS CLI.

If you used a console connection, exit the console:

  1. Enter ~

    You exit to the Telnet application.

  2. To exit the Telnet application, enter:

    telnet>quit

If you used a Telnet connection, exit the Telnet session:

  1. Enter Ctrl-], .


Example

The following example connects to an ASA on security module 1 and then exits back to the supervisor level of the FXOS CLI.

Firepower# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:
Close Network Connection to Exit

Firepower-module1>connect asa asa1
asa> ~
telnet> quit
Connection closed.
Firepower#

History for Logical Devices

Feature: ASA for the Firepower 4112
Version: 9.14(1)
Details: We introduced the Firepower 4112.
Note: Requires FXOS 2.8.1.

Feature: Firepower 9300 SM-56 support
Version: 9.12.2
Details: We introduced the SM-56 security module.
Note: Requires FXOS 2.6.1.157.

Feature: ASA for the Firepower 4115, 4125, and 4145
Version: 9.12(1)
Details: We introduced the Firepower 4115, 4125, and 4145.
Note: Requires FXOS 2.6.1.

Feature: Firepower 9300 SM-40 and SM-48 support
Version: 9.12.1
Details: We introduced the SM-40 and SM-48 security modules.
Note: Requires FXOS 2.6.1.

Feature: Support for ASA and threat defense on separate modules of the same Firepower 9300
Version: 9.12.1
Details: You can now deploy ASA and threat defense logical devices on the same Firepower 9300.
Note: Requires FXOS 2.6.1.

Feature: Cluster control link customizable IP Address for the Firepower 4100/9300
Version: 9.10.1
Details: By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses.
Note: Requires FXOS 2.4.1.
New/Modified FXOS commands: set cluster-control-link network

Feature: Support for data EtherChannels in On mode
Version: 9.10.1
Details: You can now set data and data-sharing EtherChannels to either Active LACP mode or to On mode. Other types of EtherChannels only support Active mode.
Note: Requires FXOS 2.4.1.
New/Modified FXOS commands: set port-channel-mode

Feature: Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis
Version: 9.7(1)
Details: You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to stability and performance.
We modified the following command: site-id

Feature: Support for the Firepower 4100 series
Version: 9.6(1)
Details: With FXOS 1.1.4, the ASA supports inter-chassis clustering on the Firepower 4100 series.
We did not modify any commands.

Feature: Inter-chassis clustering for 6 modules, and inter-site clustering for the Firepower 9300 ASA application
Version: 9.5(2.1)
Details: With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.
We did not modify any commands.

Feature: Intra-chassis ASA Clustering for the Firepower 9300
Version: 9.4(1.150)
Details: You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster.
We introduced the following commands: cluster replication delay, debug service-module, management-only individual, show cluster chassis