Cisco Firepower Threat Defense (FTD) firewalls can be managed centrally using either Firepower Management Center (FMC) or Cisco Defense Orchestrator (CDO), or locally using Firepower Device Manager (FDM). This post describes how to configure an FTD using FDM, set up basic outbound internet access, and permit inbound access to a hosted web server.
FTD Initial Configuration
Connect to the console (or SSH to the management interface) and log in with the default username admin and the default password Admin123. The setup dialogue forces a password change; do not leave the default in place on any device reachable from the network. Once logged in you can configure the device.
- Press any key to page through the EULA until prompted “Please enter “YES” or press <ENTER> to AGREE to the EULA:”, then press Enter to accept
- Enter a new password
- Do you want to configure IPv4? (y/n): y
- Do you want to configure IPv6? (y/n): n
- Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
- Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.10.24
- Enter an IPv4 netmask for the management interface [255.255.255.0]:
- Enter the IPv4 default gateway for the management interface [192.168.45.1]: 192.168.10.1
- Enter a fully qualified hostname for this system [firepower]: FTD64
- Enter a comma-separated list of DNS servers or “none” [208.67.222.222,208.67.220.220]: (the defaults are the Cisco OpenDNS resolvers; press Enter to accept them or supply your own)
- Enter a comma-separated list of search domains or “none” []: lab.local
- When prompted Manage the device locally? (yes/no) [yes]: enter yes (this selects FDM; answering no prepares the device for FMC management instead)
Run the command show network to display the configuration of the management interface.
Once setup has completed, run the command ping system <default-gateway-ip> to test connectivity from the management interface. If the gateway responds, you can log in to the GUI.
FDM Configuration
- Log in to the FDM UI using the URL https://management-ip, e.g. https://192.168.10.24
- Accept the certificate warning presented by the web browser; the device ships with a self-signed certificate, so the warning is expected on first login, but only accept it over a trusted management network
- Enter the username admin and the password you set previously
The Device Setup wizard will be displayed. By default, the GigabitEthernet0/0 interface is configured as the OUTSIDE interface with DHCP enabled, and the GigabitEthernet0/1 interface is configured as the INSIDE interface with a static IP address of 192.168.45.1.
- If the OUTSIDE interface requires a static IPv4 address, select Manually Input from the Configure IPv4 drop-down list
- Scroll down to the Management Interface section
- Configure the DNS Servers if required (from FTD 6.4 the Cisco OpenDNS/Umbrella DNS servers are defined by default)
- Change the Firewall Hostname if required.
- Click Next
- Amend the Time Settings (NTP) if required
- Click Next
- Select either Register device with Cisco Smart Software Manager or Start 90-day evaluation period without registration
- Click Finish
- When prompted click Configure Interfaces
- Edit the configuration of the GigabitEthernet0/1 interface, to change the IP address to match your internal network
- Change the IP Address and Subnet Mask as required
- Click Edit/Delete to edit or delete the DHCP server address pool so it matches the new inside subnet
- Click Ok once complete
- From the top menu select Policies
The default Access Control policy trusts all outbound traffic and blocks all inbound traffic.
- Click NAT
- A default NAT rule (InsideOutsideNATRule) should already be in place: a dynamic PAT rule translating traffic from “any-ipv4” sources on the INSIDE interface to the OUTSIDE interface address.
Routing
Optional – If your FTD is connected to a layer-3 switch hosting multiple VLANs, static routes for those VLAN subnets must be defined on the FTD, with the switch's inside-facing address as the next hop, so return traffic is routed correctly.
- Click the Device: <DEVICE NAME> from the top menu
- Click Routing
- Click Create Static Route
- Select IPv4
- Click the Gateway drop-down list, then select Create New Network
- Create a host object for the switch's IP address on the inside network (the next hop)
- Click Ok
- Select the inside Interface
- Under Networks, click the +
- Click Create New Network
- Create an object that represents each internal VLAN subnet reachable via the switch
- Repeat to create an object for each network
- Once complete, select the local networks and click Ok
- Click Ok
Configuration is now complete, and the changes can be deployed to the device.
- Click the deployment icon on the top menu
- Click Deploy Now
Deployment can take anywhere from 20 seconds to a couple of minutes depending on the number of changes.
Inbound Access
Optional – if you want to expose a web server or RDP server directly to the internet (not recommended for RDP; a Remote Access VPN is more secure), you can configure a static NAT and permit the inbound traffic. Publish only the listening port the application needs, never the whole host. In the configuration example below, if someone on the internet browses to the outside interface IP address on https (tcp/443), the FTD translates the destination to the private IP address of the object SERVER01 on https.
- Navigate to Policies
- Click NAT
- Click the + button on the right of the page to create a new NAT rule
- Define a Title e.g WebServer
- Select Create Rule for Manual NAT
- Define Placement as Above a Specific Rule and select InsideOutsideNATRule (manual NAT rules are matched first-hit in order, so the static rule must precede the dynamic PAT rule)
- Define Type as Static
- Define Original Packet: Source Interface as inside
- Click Original Packet: Source Address, click Create New Network and define a host object, SERVER01, for the web server's private IP address
- Define Original Packet: Source Port as HTTPS (replace this with the listening port of the application you wish to connect to)
- Define Translated Packet: Destination Interface as outside
- Define Translated Packet: Source Address as Interface
- Define Translated Packet: Source Port as HTTPS
- Click Ok
- Click Access Control
- Click + to create a new rule
- Define an appropriate name for the rule, e.g. WebServer
- Define the Source Zone as outside_zone
- Leave the Source: Networks as ANY
- Leave the Source: Ports as ANY
- Define the Destination Zone as inside_zone
- Define the Destination: Networks as SERVER01
- Define the Destination: Ports/Protocols as HTTPS
- Click Ok
Configuration is now complete, and the changes can be deployed to the device.
- Click the deployment icon on the top menu
- Click Deploy Now
Testing/Verification
From a computer on the local network, browse to an internet site to generate outbound traffic; this should succeed.
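The inbound rule should be checked from the internet side as well, not just by browsing to the server. The script below is an added example (not part of the original post) that probes the outside interface address for the published port and for a few ports that should stay closed, and classifies the result. OUTSIDE_IP (203.0.113.10, a documentation address) and the port lists are assumptions; replace them with your own values.

```python
"""Exposure check for the published web server: from a host on the internet
side, confirm that only the intended port answers on the FTD outside address.
Added example, not from the original post. OUTSIDE_IP and the port lists are
assumptions (203.0.113.10 is a documentation address); replace them."""
import socket
from typing import Callable, Dict, Iterable, List

OUTSIDE_IP = "203.0.113.10"               # assumption: FTD outside interface address
PUBLISHED_PORTS = {443}                   # what the static NAT + access rule should expose
PROBE_PORTS = [22, 80, 443, 3389, 8443]   # candidates to test, including RDP (3389)

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. the SYN passed the NAT rule and the
    access rule and the server behind the FTD answered it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, published: Iterable[int], candidates: Iterable[int],
                   probe: Probe = tcp_probe) -> Dict[str, List[int]]:
    """Probe each candidate port (plus every published port) and sort the
    results against the intended policy."""
    published = set(published)
    report: Dict[str, List[int]] = {
        "expected_open": [],         # published and reachable: NAT + rule working
        "unexpected_open": [],       # reachable but not published: over-exposed
        "published_but_closed": [],  # published but unreachable: NAT/rule/deploy problem
        "closed": [],                # not published and not reachable: as intended
    }
    for port in sorted(set(candidates) | published):
        reachable = probe(host, port)
        if port in published:
            report["expected_open" if reachable else "published_but_closed"].append(port)
        else:
            report["unexpected_open" if reachable else "closed"].append(port)
    return report


def policy_holds(report: Dict[str, List[int]]) -> bool:
    """The deployment is correct only when nothing extra is open and every
    published port answers."""
    return not report["unexpected_open"] and not report["published_but_closed"]


if __name__ == "__main__":
    result = check_exposure(OUTSIDE_IP, PUBLISHED_PORTS, PROBE_PORTS)
    for bucket, ports in result.items():
        print(f"{bucket:>20}: {ports}")
    print("policy holds" if policy_holds(result) else "policy VIOLATED")
```

Run it from a host outside the firewall: from the inside network the outside address is not reachable without a hairpin NAT, so every port will look closed. A published port reported as closed can also mean the server itself is not listening, so confirm the service locally on SERVER01 before blaming the NAT or access rule.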
- Connect to the CLI of the FTD using a console cable or via SSH
- Enter the command show route to confirm the static routes are present, with the switch as the next hop
- Enter the command show nat detail. Outbound internet traffic should hit the default PAT rule in Manual NAT Policies (Section 1); a counter such as translate_hits = 121 confirms outbound traffic is matching that rule. For the static WebServer rule, translate_hits (e.g. translate_hits = 3) counts traffic leaving from the server itself; connections arriving from the internet to the outside address are counted as untranslate_hits on that rule, so check that counter to confirm inbound access is working. Also confirm the static rule is listed above the PAT rule.
- Enter the command show conn detail to list all active connections on the FTD, including the inbound https connections to SERVER01.
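Reading the hit counters by eye works for two rules; once there are more, it is easier to parse the output. The following is an added example (not from the original post) that parses the rule header and hit-counter lines of show nat detail and checks the three things the verification above relies on: the PAT rule is carrying outbound traffic, the SERVER01 static rule is receiving inbound (untranslate) hits, and the static rule is ordered before the PAT rule. The sample output is constructed and approximates the ASA/FTD format; only the rule and translate_hits lines are parsed, so other detail lines in real output are ignored.

```python
"""Parse `show nat detail` output and verify the NAT rules from this post.
Added example, not from the original post. SAMPLE is constructed output that
approximates the FTD format; addresses are documentation/lab values."""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static SERVER01 interface   service HTTPS HTTPS
    translate_hits = 3, untranslate_hits = 12
    Source - Origin: 192.168.10.50/32, Translated: 203.0.113.10/24
2 (inside) to (outside) source dynamic any-ipv4 interface
    translate_hits = 121, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 203.0.113.10/24
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^\s*(\d+)\s+\((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class NatRule:
    section: int
    index: int
    src_if: str
    dst_if: str
    kind: str          # "static" or "dynamic"
    orig_src: str      # original source object, e.g. SERVER01 or any-ipv4
    mapped_src: str    # translated source, e.g. interface
    translate_hits: int = 0    # packets translated from the real (inside) side
    untranslate_hits: int = 0  # packets arriving from the mapped (outside) side


def parse_show_nat_detail(text: str) -> List[NatRule]:
    """Walk the output line by line, attaching hit counters to the rule above them."""
    rules: List[NatRule] = []
    section = 0
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            current = NatRule(section, int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5), m.group(6))
            rules.append(current)
            continue
        m = HITS_RE.search(line)
        if m and current is not None:
            current.translate_hits = int(m.group(1))
            current.untranslate_hits = int(m.group(2))
    return rules


def verify_nat(rules: List[NatRule], server_obj: str = "SERVER01") -> Dict[str, bool]:
    """Check the outbound PAT rule, the inbound static rule and their ordering."""
    static = [r for r in rules if r.kind == "static" and r.orig_src == server_obj]
    dynamic = [r for r in rules if r.kind == "dynamic" and r.orig_src == "any-ipv4"]
    return {
        # outbound traffic from the LAN is being translated
        "outbound_pat_in_use": any(r.translate_hits > 0 for r in dynamic),
        # inbound connections from the internet hit the static rule as untranslate_hits
        "inbound_static_in_use": any(r.untranslate_hits > 0 for r in static),
        # first-match order: the static rule must sit above the PAT rule
        "static_precedes_pat": bool(static and dynamic)
        and (static[0].section, static[0].index) < (dynamic[0].section, dynamic[0].index),
    }


if __name__ == "__main__":
    parsed = parse_show_nat_detail(SAMPLE)
    for rule in parsed:
        print(rule)
    print(verify_nat(parsed))
```

Paste the real output into SAMPLE (or read it from a file) and run the script after generating traffic from both directions; a False for inbound_static_in_use with a non-zero translate_hits means only the server's own outbound traffic is matching, not the inbound connections you are trying to confirm.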