Cisco 4100 Firepower Threat Defense. Part 1: FXOS

One of the projects I was involved in was the setup of two 4100 series Firepower Chassis Managers (FCM) in a data-center environment where high availability and redundancy played a key role. I did my research and found no good document that would have taken me through all the steps to set up such a pair. There were a few Cisco configuration guides, great Cisco Live presentations and bits and pieces on the Internet, so I decided to write up a few posts about configuration and the different ways of deploying a redundant pair. The first post is about FXOS setup.

FCM: 2.1.1
FTD: 6.2

I assume you already know that the 4100 chassis runs FXOS, which manages the chassis itself, and FTD, which is a software module that runs on top of it. First, you need to set up a management IP for the chassis so that you have remote configuration management capabilities. When you console in for the first time, the Setup Guide will take you through the initial configuration steps.

---- Basic System Configuration Dialog ----

This setup utility will guide you through the basic configuration of
the system. Only minimal configuration including IP connectivity to
the Fabric interconnect and its clustering mode is performed through these steps.

Type Ctrl-C at any time to abort configuration and reboot system.
To back track or make modifications to already entered values,
complete input till end of section and answer no when prompted
to apply configuration.

You have chosen to setup a new Security Appliance. Continue? (y/n): y

If for some reason you need to change the management IP address of the device later, you do it on the CLI. Log in to the chassis (console or SSH) and switch into fabric-interconnect mode.

4110# scope fabric-interconnect a

View the existing management IP address.

4110/fabric-interconnect # show

Fabric Interconnect:
    ID   OOB IP Addr     OOB Gateway     OOB Netmask     OOB IPv6 Address OOB IPv6 Gateway Prefix Operability
    ---- --------------- --------------- --------------- ---------------- ---------------- ------ -----------
    A                                                    ::               ::               64     Operable

Change the management IP address to the new one (the angle-bracket values are the address, netmask and gateway you supply).

4110/fabric-interconnect # set out-of-band ip <ip_address> netmask <netmask> gw <gateway>

4110/fabric-interconnect # commit
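A wrong netmask or a gateway outside the management subnet is the classic way to lose out-of-band access the moment you commit. The following is an added example (not code from the post or from Cisco) that sanity-checks a proposed out-of-band address, netmask and gateway with Python's standard ipaddress module and only then renders the FXOS command sequence shown above. The sample addresses are constructed; `commit-buffer` is the full form of the `commit` shown in the post.

```python
import ipaddress


def validate_oob_config(ip, netmask, gw):
    """Return a list of problems with a proposed out-of-band management
    configuration; an empty list means the combination is consistent."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"invalid ip/netmask: {exc}"]
    try:
        gateway = ipaddress.IPv4Address(gw)
    except ValueError as exc:
        return [f"invalid gateway: {exc}"]

    net = iface.network
    # The gateway must be reachable on the management subnet itself.
    if gateway not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    if gateway == iface.ip:
        problems.append("gateway equals the management address")
    # The network and broadcast addresses are not usable host addresses
    # (except on /31 and /32 point-to-point subnets).
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if iface.ip.is_loopback or iface.ip.is_multicast:
        problems.append(f"{iface.ip} is not a valid unicast management address")
    return problems


def fxos_oob_commands(ip, netmask, gw):
    """Render the fabric-interconnect command sequence from the post,
    refusing to do so if the values fail validation."""
    problems = validate_oob_config(ip, netmask, gw)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "scope fabric-interconnect a",
        f"set out-of-band ip {ip} netmask {netmask} gw {gw}",
        "commit-buffer",
    ]


if __name__ == "__main__":
    # Constructed sample values, not addresses from the post.
    for cmd in fxos_oob_commands("10.1.1.5", "255.255.255.0", "10.1.1.1"):
        print(cmd)
    print(validate_oob_config("10.1.1.5", "255.255.255.0", "10.1.2.1"))
```

Run the validator before pasting the commands into the console session; the check is cheap, and the alternative is a trip to the data center with a console cable.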

Once you have IP connectivity, the next step is to check the FXOS version and upgrade if necessary. Use a web browser and log in to https://<FCM_ip_address>. In case the GUI login fails, check this post for a possible solution.

Go to System > Updates to check the current version and upload the latest image with the Upload Image button. Check the FXOS Compatibility Guide to confirm the FTD-to-FXOS version mapping.

If you have no access to the GUI (or if the upload fails) you can use the CLI to upload the image.

4110# scope firmware

4110/firmware # download image tftp://<TFTP_server_IP_address>/fxos-k9.

Check the upload status with the following command.

show download-task detail

When the download completes, select the Install button under System > Updates.

Once you hit Yes, not much will happen. The GUI will eventually time out, indicating that the upgrade/reboot process has started; it should not take more than 3-5 minutes. Once the GUI is back up, log back in.

I noticed the system may restart again after the upgrade for no apparent reason, so keep that in mind and wait till it comes back up.

If you get validation errors after the upgrade, just close the browser, open it back up and log in.

If you are upgrading a production unit you may come across this error.

If you ignore it and proceed, your FTD module will become unsupported, so take extra caution and read the release notes when upgrading FXOS.

Now, once you have the latest FXOS installed, you can proceed with the FTD image upgrade. On the GUI, upload the required version from System > Updates.

An image uploaded here can only be used to initialize a new FTD module.

A production FTD module cannot be upgraded from FCM. The upgrade process will have to be done from FMC.

If the GUI upload fails it can be restarted from the CLI.

4100# scope ssa

4100 /ssa # scope app-software

4100 /ssa/app-software # download image ftp://ftp_username@<ftp_server_ip_address>/cisco-ftd.

Password: ftp_password

Check the upload status with the following command.

show download-task detail

When finished, the uploaded FTD image will show up on the Updates tab.

Once the image is uploaded, and before proceeding to FTD configuration, we need to allocate Data, Cluster or Failover, and Management interfaces on the chassis. The chassis Management interface cannot be used for FTD, so we need to use one of the Data ports. This is also a good time to plan your FTD deployment modes and scenarios.

In my case, for a layer 2 bridge mode deployment, I needed one Data Port-channel (PO), a Cluster PO and a Management interface on the FTD module.

From a cabling perspective, FCM will accept TWINAX and copper SFP. If you plan on doing Clustering you should match Data up-links with Cluster up-links. So, for example, for 2 FCM chassis connecting to 2 Nexus switches you will need 4 Data up-links, 4 Cluster up-links and 4 copper SFP modules for Management connectivity.

Start by creating a PO interface for Data traffic under the Interfaces tab.

Assign a PO id (PO 48 is reserved for Clustering), set Type to Data and add Available Interfaces.

If you are building a Cluster add Available Interfaces to Port-channel 48. I’ll go into more details regarding Cluster interface in the upcoming posts.

For Management select any unused port; in this case, port Ethernet1/7 is selected.

If you are not deploying a Cluster then most likely you are deploying an Active/Standby pair, so designate a fail-over port, for example Ethernet1/8. No special configuration is needed, just set it to Data type.

If the ports are properly connected they will light up green on the management console, except for Data ports. Those will stay disabled until assigned to the FTD module.
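The interface rules spread over the last few paragraphs (Port-channel 48 is reserved for the cluster, the chassis Management interface cannot carry FTD management, every physical port has exactly one role, and an Active/Standby pair needs a dedicated failover port) are easy to violate when planning a pair of chassis by hand. The following is an added example, not code from the post or from Cisco, that checks a planned port allocation against those rules before anything is clicked in FCM. The `ChassisPlan` structure and the port names in the sample plans are constructed for the example.

```python
from dataclasses import dataclass, field

# Rules taken from the post: PO 48 is the cluster port-channel, and the
# chassis Management interface is not available to the FTD module.
CLUSTER_PO_ID = 48
CHASSIS_MGMT = "Management"


@dataclass
class ChassisPlan:
    """Hypothetical description of one chassis' planned port allocation."""
    clustering: bool
    data_pos: dict = field(default_factory=dict)      # PO id -> member ports
    cluster_members: list = field(default_factory=list)  # members of PO 48
    mgmt_port: str = ""                                # FTD management port
    failover_port: str = ""                            # Active/Standby only


def validate_plan(plan):
    """Return a list of rule violations; an empty list means the plan is sound."""
    problems = []
    used = {}  # physical port -> role already claiming it

    def claim(port, role):
        if port in used:
            problems.append(f"{port} is assigned to both {used[port]} and {role}")
        used[port] = role

    for po_id, members in plan.data_pos.items():
        if po_id == CLUSTER_PO_ID:
            problems.append(f"Port-channel {po_id} is reserved for clustering")
        if not members:
            problems.append(f"Port-channel {po_id} has no member interfaces")
        for port in members:
            claim(port, f"Port-channel {po_id}")

    if plan.clustering:
        if not plan.cluster_members:
            problems.append(f"clustering enabled but Port-channel {CLUSTER_PO_ID} has no members")
        for port in plan.cluster_members:
            claim(port, f"Port-channel {CLUSTER_PO_ID}")
        if plan.failover_port:
            problems.append("a failover port is for Active/Standby pairs, not clusters")
    else:
        if not plan.failover_port:
            problems.append("Active/Standby pair needs a dedicated failover port")
        else:
            claim(plan.failover_port, "failover")

    if not plan.mgmt_port or plan.mgmt_port == CHASSIS_MGMT:
        problems.append("FTD management must use a chassis Data port, not the chassis Management interface")
    else:
        claim(plan.mgmt_port, "FTD management")

    return problems


# Constructed sample plans mirroring the post's layout (Ethernet1/7 for
# management, a Data PO, and PO 48 for the cluster).
CLUSTER_PLAN = ChassisPlan(
    clustering=True,
    data_pos={10: ["Ethernet1/1", "Ethernet1/2"]},
    cluster_members=["Ethernet1/3", "Ethernet1/4"],
    mgmt_port="Ethernet1/7",
)

BAD_PLAN = ChassisPlan(
    clustering=False,
    data_pos={48: ["Ethernet1/1"], 10: ["Ethernet1/1"]},
    mgmt_port=CHASSIS_MGMT,
)

if __name__ == "__main__":
    for name, plan in (("cluster", CLUSTER_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_plan(plan) or "ok")
```

Extend `data_pos` with the PO ids and member ports from your own cabling plan; for a two-chassis deployment run the validator once per chassis, since each chassis allocates its own ports.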

Now the system is ready for FTD provisioning.
