Cisco Firepower 3100 Firewall: initialization, OOB mgmt IP config & software upgrade

1 Description

On site we have two Cisco Firepower 3120 appliances, which need to run the FTD image, be upgraded, and be registered to the FMC.

What it looks like

2 Initialization

2.1 Console connection to the Firepower 3120

After the appliance is powered on for the first time, it enters the initialization wizard.
The default username is admin and the default password is Admin123.

firepower login: admin
Password: Admin123
Last login: Sun Jan 14 00:10:36 UTC 2024 on ttyS0
Successful login attempts for user 'admin' : 1
Last failed login: Sat Mar 23 13:15:02 UTC 2024 on ttyS0
There was 1 failed login attempt since the last successful login.

2.2 The password must be changed at first login

Just enter a new password.

Hello admin. You must change your password.
Enter new password: Admin
Confirm new password:  Admin
Your password was updated successfully.

2.3 Connect to FTD

You are prompted to accept the EULA.
What is the EULA?
End User License Agreement. There is nothing to discuss here, you can only agree: keep pressing space to page through to the end, then press Enter to accept. (It scrolls through a lot of text; tiring on the eyes.)

firepower# conn ftd
You must accept the EULA to continue.
Press <ENTER> to display the EULA: 
End User License Agreement

Effective: May 22, 2017
........
.............
Please enter 'YES' or press <ENTER> to AGREE to the EULA: 

2.4 Initialization parameter prompts

Follow the prompts and configure step by step.

You must configure the network to continue.
Configure at least one of IPv4 or IPv6 unless managing via data interfaces.
Do you want to configure IPv4? (y/n) [n]: y       !! configure IPv4: enter y
Do you want to configure IPv6? (y/n) [n]: n       !! skip IPv6: enter n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:       !! assign the IP manually
Enter an IPv4 address for the management interface []: 10.19.254.45  !! management IP
Enter an IPv4 netmask for the management interface []: 255.255.255.0  !! netmask
Enter the IPv4 default gateway for the management interface []: 10.19.254.254  !!default gateway
Enter a fully qualified hostname for this system [firepower]: FW-FPR3120-2  !! hostname
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220,2620:119:35::35]:    !!just press Enter use the default DNS
Enter a comma-separated list of search domains or 'none' []: none
If your networking information has changed, you will need to reconnect.
firstboot and FTDonbox, setting internal route at /usr/local/sf/lib/perl/5.24.4/SF/NetworkConf/NetworkSettings.pm line 1198.
Disabling IPv6 configuration: management0
Setting DNS servers: 208.67.222.222 208.67.220.220 2620:119:35::35
No domain name specified to configure.
Setting hostname as Q02-8U-XYF-DMZ-FW-FPR3120-2
Setting static IPv4: 10.19.254.46 netmask: 255.255.255.0 gateway: 10.19.254.254 on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 9 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

2.5 Choose the management method

Background: when a Firepower appliance runs FTD, it has two types of management:

  • locally: the device is managed on the box itself (through FDM)
  • manager: the device is registered to the FMC

Here we use local management first.

Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to routed
Update policy deployment information
    - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

2.6 Now you can log in to FDM over HTTPS

3 Software upgrade

The current FTD version is 7.1.0 and needs to be upgraded to 7.2.5.

3.1 Download the 7.2.5 package

3.2 Updates

Select the upgrade package downloaded earlier.
Tick this option and continue; this means the upgrade starts automatically as soon as the package upload completes.

At this point you may receive a warning that the current configuration has not been deployed, so deploy first and then upgrade.

On the console you can see the upgrade complete with the new version 7.2.5:

wait_pm_bootup.sh (background process) running...
POST_UPGRADE_VALIDATION is requested with parameters: 7.1.0-90 7.2.5-208 /ngfw/var/log/sf/Cisco_FTD_SSP_FP3K_Upgrade-7.2.5
POST_UPGRADE_VALIDATION: Begin. (FTD was previously upgraded successfully from 7.1.0-90 to 7.2.5-208)
Starting Cisco Secure Firewall 3120 Threat Defense, please wait...No PM running!
...started.
Cisco FTD initialization finished successfully.
FTD process manager is running. Waiting for managed processes to be up...

After connecting over SSH, show version also lets you check the version:

> show version 
----------[ FW-FPR3120-1 ]-----------
Model                     : Cisco Secure Firewall 3120 Threat Defense (80) Version 7.2.5 (Build 208)
UUID                      : b0de1f1a-b271-11ee-9e0f-abcdefghhij
LSP version               : lsp-rel-20240320-1930
VDB version               : 353
--

4 Configuring the OOB mgmt IP later on

If the wizard was skipped during the first initialization and no MGMT IP was set, it can be configured later with a command.
You need to enter FTD mode.
Command format:

connect FTD
configure network ipv4 manual <IP> <netmask> <gateway>

Actual configuration example:

firepower#conn ftd

> configure network ipv4 manual 10.248.1.45 255.255.255.0 10.248.1.254
Setting IPv4 network configuration.
Network settings changed.

Check whether the configuration took effect:

> show network
==================[ management0 ]===================
Admin State               : enabled
Admin Speed               : sfpDetect
Operation Speed           : 1gbps
Link                      : up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : AA:CC:DD:EE:FF:GG
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.248.1.45     !!here is the mgmt IP
Netmask                   : 255.255.255.0
Gateway                   : 10.248.1.254
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled
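As an added example (not part of the original post or of Cisco's tooling), a small Python checker that parses show network output in the format shown above and confirms the management0 IPv4 settings match what was typed in section 4, including that the gateway actually sits inside the management subnet; the sample output is constructed from this page's values.

```python
import ipaddress
import re

# Constructed "show network" sample in the format the FTD CLI prints (values
# follow this page's example; the "!!" annotation column is not part of real output).
SHOW_NETWORK = """\
==================[ management0 ]===================
Admin State               : enabled
Link                      : up
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.248.1.45
Netmask                   : 255.255.255.0
Gateway                   : 10.248.1.254
"""

SECTION_RE = re.compile(r"^[=-]*\[ (?P<name>[^\]]+) \][=-]*$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")

def parse_show_network(text):
    """Split the output into {section: {key: value}} using the bracketed headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name")
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("val")
    return sections

def check_mgmt_ipv4(text, expected_ip, expected_mask, expected_gw):
    """Return a list of problems; an empty list means management0 matches what was intended."""
    ipv4 = parse_show_network(text).get("IPv4", {})
    problems = []
    if ipv4.get("Configuration") != "Manual":
        problems.append("IPv4 is not configured manually")
    for key, want in (("Address", expected_ip), ("Netmask", expected_mask), ("Gateway", expected_gw)):
        if ipv4.get(key) != want:
            problems.append(f"{key} is {ipv4.get(key)}, expected {want}")
    # A gateway outside the management subnet leaves the box unreachable even if typed as intended.
    try:
        net = ipaddress.IPv4Network(f"{ipv4.get('Address')}/{ipv4.get('Netmask')}", strict=False)
        if ipaddress.IPv4Address(ipv4.get("Gateway")) not in net:
            problems.append("Gateway is not inside the management subnet")
    except ValueError as exc:
        problems.append(f"unparseable IPv4 fields: {exc}")
    return problems
```

Paste the real show network output in place of the constructed sample to verify a freshly configured box before walking away from the console.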