Cisco Preparative Procedures & Operational User Guide

© 2016 Cisco Systems, Inc. All rights reserved.

Preparative Procedures & Operational User Guide for Firepower 4100 and 9300

Version 1.0

June 27, 2017

Summary of Contents for Firepower 4110

Page 2: ...Prepared by Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA ...

Page 3: ...16 4 1 4 Logout 17 4 2 Auditable Events 18 4 3 Enable FIPS and CC Mode 24 4 3 1 Enable FIPS Mode 24 4 3 2 Enable Common Criteria CC Mode 24 4 3 3 Generate the SSH Host Key 25 4 4 Configure Secure Connection with Audit Server and AAA Server 26 4 4 1 Configure Syslog via CLI 26 4 4 2 Configure Syslog via GUI 28 4 4 3 Configure LDAP via CLI 31 4 4 4 Configure RADIUS via CLI 32 4 4 5 Configure TACACS ...

Page 4: ...3 4 5 2 9 Update Application Image via GUI 53 4 5 3 User and Role Management 54 4 5 4 Configure Time Synchronization 60 4 5 5 Configure SSH Access 63 4 5 5 1 Configure SSH via CLI 63 4 5 5 2 Configure SSH via GUI 64 4 5 6 Configure PKI 64 4 5 6 1 Certificates and Trust Points 64 4 5 6 2 Creating a Key Ring 64 4 5 6 3 Creating a Certificate Request for a Key Ring 65 4 5 6 4 Creating a Trust Point 6...

Page 5: ...appliance that includes the Chassis including fans and power supply Supervisor Blade to manage the security application running on the security module network module optional and security module that contains the security application which in this evaluation is the ASA The FP4100 Series appliance is a complete standalone bundle unit that contains everything required above in one appliance To manag...

Page 6: ...cure deployment To ensure the system is in the CC evaluated configuration the users must do the following Configure all the required system settings and default policy as documented in this guide Disable all the features that would violate the cPP requirements or would make the system vulnerable to attacks as documented in this guide Ensure all the environmental assumptions in section 2 are met En...

Page 7: ...the evaluated configuration It means that the features were not evaluated and or validated by an independent third party and the functional correctness of the implementation is vendor assertion The following features and protocols are not evaluated Telnet for management purposes Telnet passes authentication credentials in clear text and is disabled by default FXOS REST API Allows users to programm...

Page 8: ...s network module 2 and network module 3 Two 1 1 redundant power supply module slots Six fan module slots Two SSD bays FXOS release 2 0 1 and ASA release 9 6 2 FP 9300 The Firepower 9300 chassis contains the following components Firepower 9300 Supervisor Chassis supervisor module Management port RJ 45 console port Type A USB port Eight ports for 1 or 10 Gigabit Ethernet SFPs fiber and copper Firepo...

Page 9: ...ASDM Included on all ASA 9 6 2 Release 7 6 ...

Page 10: ...d April 6 2016 Cisco Firepower 9300 Hardware Installation Guide Last Updated August 23 2016 Cisco Adaptive Security Appliance ASA 9 6 Preparative Procedures Operational User Guide for the Common Criteria Certified configuration Version 0 2 August 28 2016 Cisco Common Criteria Supplemental User Guide Version 0 1 September 8 2016 This Document At any time you can type the character to display the op...

Page 11: ... web access and as such an administrator would need a terminal emulator or SSH client supporting SSHv2 or web browser supporting HTTPS to utilize those administrative interfaces Audit server The system can be configured to deliver audit records to an external log server Authentication servers The system can be configured to utilize external authentication servers Certificate Authority CA server Th...

Page 12: ...lities e g compilers or user applications available on the TOE other than those services necessary for the operation administration and support of the TOE Administrators must not add any general purpose computing capabilities e g compilers or user applications to the system OE TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all guidance documentation in a trusted manner Administra...

Page 13: ... must consider the following Locate the Cisco FirePOWER System appliance in a lockable rack within a secure location that prevents access by unauthorized personnel Allow only trained and qualified personnel to install replace administer or service the Cisco appliance Always connect the management interface to a secure internal management network that is protected from unauthorized access ...

Page 14: ...ience This document is written for administrators configuring the Cisco Firepower system 4100 and 9300 This document assumes you are familiar with networks and network terminology that you are a trusted individual and that you are trained to use the Internet and its associated terms and applications ...

Page 15: ... host name of the FXOS chassis that you entered during initial configuration Supported Web Browser Mozilla Firefox Version 42 and later Google Chrome Version 47 and later b Enter your username and password NOTE Observe the password is not displayed c Click Login The Overview page appears if the authentication was successful If authentication fails access will be denied Audit Record Creation Time 2...

Page 16: ...ddress ipv6 address hostname l ucs auth domain username ssh 192 0 20 11 l ucs example jsmith ssh 2001 1 l ucs example jsmith 2 Type your password and press Enter NOTE Observe the password is not displayed The standard command prompt appears if the authentication was successful If authentication fails access will be denied Audit Record Creation Time 2015 07 09T08 20 17 030 User internal Session ID ...

Page 17: ...it IMPORTANT For security purposes always log out as instructed above when you are finished using the management interface Do NOT rely solely on the inactivity timeout feature Audit Record Creation Time 2015 07 09T08 20 02 769 User internal Session ID internal ID 3330856 Action Deletion Description Fabric A user admin terminated session id pts_4_1_10970 Affected Object sys user ext user admin term p...

Page 18: ...er Session ID and ID The session ID associated with the session Action The type of action Description More information about the audit event including user component if applicable event type success or failure etc See table below for examples Affected Object if any The component that is affected Trigger The user role associated with the user Modified Properties if any The system properties that we...

Page 19: ...shd 25700 AUTHPRIV 3 SYSTEM_MSG pam_aaa Authentication failed for user USERNAME from IP_ADDRESS sshd 3094 Successful SSH rekey DAEMON 7 SYSTEM_MSG debug1 set_newkeys rekeying sshd 29140 FCS_TLSC_EXT 2 Failure to establish a TLS Session USER 6 SYSTEM_MSG ssl info pid 8926 tid 1823603600 client IP_ADDRESS 60782 AH01964 Connection to child 124 established server IP_ADDRESS 443 httpd 8926 USER 6 SYST...

Page 20: ...sl info pid 8926 tid 1823603600 client IP_ADDRESS 60782 AH02008 SSL library error 1 in handshake server IP_ADDRESS 443 httpd 8926 USER 6 SYSTEM_MSG ssl info pid 8926 tid 1823603600 SSL Library Error error 14076129 SSL routines SSL23_GET_CLIENT_HELLO only tls allowed in fips mode httpd 8926 USER 6 SYSTEM_MSG ssl info pid 8926 tid 1823603600 client IP_ADDRESS 60782 AH01998 Connection closed to child...

Page 21: ...d New disabled Syslog Remote Destination IP_ADDRESS modified FMT_MTD 1 All management activities of TSF data FPRM 6 AUDIT USERNAME USERNAME creation pts_0_1_16141 229312 sys user ext pre login banner message This is a CC test banner policyOwner local PreLoginBanner created AUTHPRIV 5 SYSTEM_MSG USERNAME TTY ttyS0 PWD bootflash sysdebug coremgmt sam_dump USER root COMMAND command sudo FPT_TUD_EXT 1...

Page 22: ...SERNAME term web_16073_A Web A system terminated Web session id web_16073_A of user USERNAME due to idle timeout FTA_SSL 4 The termination of an interactive session FPRM 6 AUDIT session internal deletion internal 1204385 sys user ext user USERNAME term pts_0_1_12413 sys user ext user USERNAME term pts_0_1_12413 Fabric A system terminated session id pts_0_1_12413 of user USERNAME due to idle timeou...

Page 23: ... login admin pts_0_1_4614 id pts_0_1_4614 name USERNAME policyOwner local Fabric A local user USERNAME logged in from IP_ADDRESS AUTHPRIV 6 SYSTEM_MSG pam_unix sshd session session closed for user USERNAME sshd 25700 AUTHPRIV 3 SYSTEM_MSG pam_aaa Authentication failed for user USERNAME from IP_ADDRESS sshd 3094 DAEMON 6 SYSTEM_MSG input_userauth_request invalid user temp sshd 31864 HTTPS FPRM 6 AU...

Page 24: ...r the security mode scope system scope security 2 Enable FIPS mode enable fips mode 3 Commit the configuration commit buffer 4 Reboot the system connect local mgmt reboot IMPORTANT Prior to FXOS release 2 0 1 the existing SSH host key created during first time setup of a device was set to 1024 bits To comply with FIPS and Common Criteria certification requirements you must destroy this old host ke...

Page 25: ...e system scope services 2 Delete the SSH Host key delete ssh server host key 3 Commit the configuration commit buffer 4 Set the SSH Host Key size to 2048 bits set ssh server host key rsa 2048 5 Commit the configuration commit buffer 6 Create a new SSH host key create ssh server host key commit buffer 7 Confirm the new Host Key size show ssh server host key Host Key Size 2048 ...

Page 26: ...onitoring 2 Enable or disable the sending of syslogs to the console Firepower chassis monitoring enable disable syslog console 3 Optional Select the lowest message level that you want displayed If syslogs are enabled the system displays that level and above on the console The level options are listed in order of decreasing urgency The default level is Critical Firepower chassis monitoring set sysl...

Page 27: ...ver 1 server 2 server 3 b Optional Select the lowest message level that you want stored to the external log If the remote destination is enabled the system sends that level and above to the external server The level options are listed in order of decreasing urgency The default level is Critical Firepower chassis monitoring set syslog remote destination server 1 server 2 server 3 level emergencies ...

Page 28: ...o the log If the Enable check box is unchecked syslog messages are added to the log but are not displayed on the console Level field If you checked the Enable check box for Console Admin State select the lowest message level that you want displayed on the console The Firepower chassis displays that level and above on the console This can be one of the following Emergencies Alerts Critical Monitor ...

Page 29: ...iption Admin State field Check the Enable check box if you want to have syslog messages stored in a remote log file Level drop down list Select the lowest message level that you want the system to store The system stores that level and above in the remote file This can be one of the following Emergencies Alerts Critical Errors Warnings Notifications Information Debugging Hostname IP Address field ...

Page 30: ...field Whether system fault logging is enabled or not If the Enable check box is checked the Firepower chassis logs all system faults Audits Admin State field Whether audit logging is enabled or not If the Enable check box is checked the Firepower chassis logs all audit log events Events Admin State field Whether system event logging is enabled or not If the Enable check box is checked the Firepowe...

Page 31: ... attribute attr name This property is always a name value pair The system queries the user record for the value that matches this attribute name This value is required unless a default attribute has been set for LDAP providers 5 Optional Set the specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the use...

Page 32: ...uthentication information is sent as clear text LDAP uses STARTTLS This allows encrypted communication using port 389 NOTE In the evaluated configuration LDAP must be tunneled over IPsec 12 Specify the length of time in seconds the system should spend trying to contact the LDAP database before it times out Firepower chassis security ldap server set timeout timeout num Enter an integer from 1 to 60...

Page 33: ...er as down Firepower chassis security radius server set timeout seconds 9 Commit the transaction to the system configuration Firepower chassis security radius server commit buffer 4 4 5 Configure TACACS via CLI 1 Enter security mode Firepower chassis scope security 2 Enter security TACACS mode Firepower chassis security scope tacacs 3 Create a TACACS server instance and enter security TACACS serve...

Page 34: ...d The distinguished name DN for an LDAP database account that has read and search permissions for all objects under the base DN The maximum supported string length is 255 ASCII characters Base DN field The specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the user s DN based on their username The lengt...

Page 35: ...eout value specified on the LDAP tab The default is 30 seconds Vendor field This selection identifies the vendor that is providing the LDAP provider or server details If the LDAP provider is Microsoft Active Directory select MS AD If the LDAP provider is not Microsoft Active Directory select Open LDAP The default is Open LDAP c Click OK to close the Add LDAP Provider dialog box 4 Click Save 4 4 7 ...

Page 36: ...er uses the value specified on the RADIUS tab c Click OK to close the Add RADIUS Provider dialog box 4 Click Save 4 4 8 Configure TACACS via GUI 1 Choose Platform Settings AAA 2 Click the TACACS tab 3 For each TACACS provider that you want to add a In the TACACS Providers area click Add b In the Add TACACS Provider dialog box complete the following fields Name Description Hostname FQDN or IP Addre...

Page 37: ...on Criteria certification compliance on your system In the evaluation configuration you must send syslog traffic over IPsec as configured below In addition the following protocols should also be protected using IPsec LDAP TACACS and RADIUS 1 From the FXOS CLI enter the security mode scope system scope security 2 Enter the IPSec mode scope ipsec 3 Set the log verbose level set log level log_level 4...

Page 38: ...state enable 17 Reload all connections reload conns 18 Optional Add existing trustpoint name to IPsec create authority trustpoint_name 19 Configure the enforcement of matching cryptographic key strength between IKE and SA connections set sa strength enforcement yes no If SA enforcement is enabled yes When IKE negotiated key size is less than ESP negotiated key size the connection fails When IKE ne...

Page 39: ...a VPN gateway and the SPDs are just based on IP addresses so the type of traffic being tunneled syslog LDAP etc is irrelevant to the tunneling decisions The local addr is the local management IP The remote addr is the IP of the IPsec peer in tunnel mode or transport mode A remote subnet is applicable only in tunnel mode and defines the subnet that would be reachable beyond the remote addr Outbound...

Page 40: ...es dynamic CRL information Static CRL information is downloaded by system administration manually and indicates local CRL information in the FXOS system The dynamic CRL information is only processed against the current processing certificate in the certificate chain The static CRL is applied to the whole peer certificate chain For steps to enable or disable certificate revocation checks for your s...

Page 41: ...Connection fails with syslog message Intermediate CAs connection succeeds Certificate has CDP server is up and CRL is on CDP but the CRL has an invalid signature Connection fails with syslog message Peer certificate Connection fails with syslog message Intermediate CAs connection succeeds Table 4 Certificate Revocation Check Mode set to Strict with a local static CRL With local static CRL LDAP Con...

Page 42: ...certificate of the peer certificate chain Yes Not applicable Any certificate validation failure in the peer certificate chain Connection fails with syslog message Connection fails with syslog message Any certificate revoked in the peer certificate chain Connection fails with syslog message Connection fails with syslog message One CDP is missing the peer certificate chain Connection succeeds Connec...

Page 43: ...L is empty in the peer certificate chain with valid signature Connection succeeds Connection succeeds Any CDP in the peer certificate chain cannot be downloaded Connection succeeds Connection succeeds Certificate has CDP but the CDP server is down Connection succeeds Connection succeeds Certificate has CDP server is up and CRL is on CDP but the CRL has an invalid signature Connection succeeds Conn...

Page 45: ... between the system and audit AAA server If the connection is unintentionally broken the administrator should perform the following steps to diagnose and fix the problem Check the physical network cables Check that the audit or AAA server is still running Reconfigure the audit or AAA server settings If all else fails reboot the system and audit or AAA server ...

Page 46: ...of band ip ip_address netmask network_mask gw gateway_ip_address d Commit the transaction to the system configuration Firepower chassis fabric interconnect commit buffer 3 To configure an IPv6 management IP address a Set the scope for fabric interconnect a Firepower chassis scope fabric interconnect a b Set the scope for management IPv6 configuration Firepower chassis fabric interconnect scope ipv...

Page 47: ...3 Configure the new management bootstrap parameters set virtual ip ip_address mask network_mask gateway gateway_ip_address For clustered configuration set virtual ip ip_address pool start_ip end_ip mask network_mask gateway gateway_ip_address 4 Scope the application scope app instance asa_or_ftd 5 Clear the management bootstrap information clear mgmt bootstrap 6 Exit management bootstrap configura...

Page 48: ...ing command to create a pre login banner Firepower chassis security banner create pre login banner To modify existing login banner use scope instead of create To delete existing login banner use delete instead of create 5 Specify the message that FXOS should display to the user before they log into Firepower Chassis Manager or the FXOS CLI Firepower chassis security banner pre login banner set mes...

Page 49: ...o a security module engine as part of logical device creation or in preparation for later logical device creation You can have multiple different versions of the same application image type stored on the Firepower Supervisor NOTE If you are upgrading both the Platform Bundle image and one or more Application images you must upgrade the Platform Bundle first WARNING All images are digitally signed ...

Page 50: ...nter firmware mode Firepower chassis scope firmware 3 List images Firepower chassis firmware show package 4 Verify the image Firepower chassis firmware verify platform pack version version_number 5 The system will warn you that verification could take several minutes Enter yes 6 To check the status of the image verification Firepower chassis firmware show validate task 4 5 2 4 Upload Platform Bundl...

Page 51: ...ed applications and the specified FXOS platform software package It will also warn you that any existing sessions will be terminated and that the system will need to be rebooted as part of the upgrade Enter yes to confirm that you want to proceed with verification 6 Enter yes to confirm that you want to proceed with installation or enter no to cancel the installation The Firepower eXtensible Opera...

Page 52: ...Application Software mode Firepower chassis ssa scope app software 3 Download the logical device software image Firepower chassis ssa app software download image URL Specify the URL for the file being imported using one of the following syntax ftp username hostname path scp username hostname path sftp username hostname path tftp hostname port num path 4 To monitor the download process Firepower ch...

Page 53: ...p version to the version you want to update Firepower chassis ssa slot app instance set startup version version_number 5 Commit the configuration commit buffer 4 5 2 9 Update Application Image via GUI 1 Choose Logical Devices to open the Logical Devices page The Logical Devices page shows a list of configured logical devices on the chassis If no logical devices have been configured a message statin...

Page 54: ...y the database If you re enable a disabled local user account the account becomes active again with the existing configuration including username and password Remotely Authenticated User Accounts A remotely authenticated user account is any user account that is authenticated through LDAP RADIUS or TACACS If a user maintains a local user account and a remote user account simultaneously the roles de...

Page 55: ... set session timeout seconds Specify an integer between 0 and 600 The default is 600 seconds 5 Commit the transaction to the system configuration commit buffer Selecting the Default Authentication Service via GUI 1 Choose System User Management 2 Click the Settings tab 3 Complete the following fields with the required information Name Description Default Authentication field The default method by ...

Page 56: ...he maximum number of login attempts is 30 minutes 3600 seconds 1 From the FXOS CLI enter the security mode scope system scope security 2 Set the maximum number of unsuccessful login attempts set max login attempts max_login The max_login value can be any integer from 0 10 3 Specify the amount of time in seconds the user should remain locked out of the system after reaching the maximum number of log...

Page 57: ...e numbers or letters in any order such as ABC or 321 Must not be identical to the username or reverse of the username Must pass a password dictionary check Must not contain the following symbols dollar sign question mark and equals sign Must be between 8 to 80 characters long Create a Local User Account via CLI 1 Enter security mode Firepower chassis scope security 2 Create the user account Firepo...

Page 58: ...he previous roles and privileges 9 To remove an assigned role from the user Firepower chassis security local user delete role role name All users are assigned the read only role by default and this role cannot be removed 10 Commit the transaction Firepower chassis security local user commit buffer Create a Local User Account via GUI 1 Choose System User Management 2 Click the Local Users tab 3 Cli...

Page 59: ...Delete the local user account Firepower chassis security delete local user local user name 3 Commit the transaction to the system configuration Firepower chassis security commit buffer Delete a Local User Account via GUI 1 Choose System User Management 2 Click the Local Users tab 3 In the row for the user account that you want to delete click Delete 4 In the Confirm dialog box click Yes ...

Page 60: ... settings on the Firepower chassis and on the applications running on the chassis View the Configured Date and Time via CLI 1 Connect to the FXOS CLI 2 To view the configured time zone Firepower chassis show timezone 3 To view the configured date and time Firepower chassis show clock View the Configured Date and Time via GUI 1 Choose Platform Settings NTP 2 Click the Current Time tab The system sh...

Page 61: ...tem to use the NTP server with the specified hostname IPv4 or IPv6 address Firepower chassis system services create ntp server hostname ip addr ip6 addr 4 Commit the transaction to the system configuration Firepower chassis system services commit buffer 5 To view the synchronization status for all configured NTP servers Firepower chassis system services show ntp server Set the Date and Time Using ...

Page 62: ...f the month Hours must be entered using the 24 hour format where 7 pm would be entered as 19 System clock modifications take effect immediately You do not need to commit the buffer Set the Date and Time Manually via GUI 1 Choose Platform Settings NTP 2 Click the Time Synchronization tab 3 Under Set Time Source click Set Time Manually 4 Click the Date drop down list to display a calendar and then s...

Page 63: ... to the Firepower chassis enter the following command Firepower chassis system services enable ssh server To disallow SSH access to the Firepower chassis enter the following command Firepower chassis system services disable ssh server 4 Display the SSH settings Firepower chassis system services show ssh server 5 Set the Approved algorithms only Firepower chassis system services set ssh server aes12...

Page 64: ...r and its own self signed certificate When a remote user connects to a device that presents a self signed certificate the user has no easy method to verify the identity of the device and the user s browser will initially display an authentication warning By default FXOS contains a built in self signed certificate containing the public key from the default key ring Trust Points To provide stronger ...

Page 65: ...ch the company resides Firepower chassis security keyring certreq set country country name 5 Specify the Domain Name Server DNS address associated with the request Firepower chassis security keyring certreq set dns DNS name 6 Specify the email address associated with the certificate request Firepower chassis security keyring certreq set e mail email name 7 Specify the IP address of the FXOS chassi...

Page 66: ...to a trust anchor or certificate authority Firepower chassis security keyring certreq show certreq 4 5 6 4 Creating a Trust Point 1 Enter services mode Firepower chassis scope security 2 Create a trust point Firepower chassis security create trustpoint name 3 Specify certificate information for this trust point Firepower chassis security trustpoint set certchain certchain 4 Commit the transaction F...

Page 67: ...system services mode Firepower chassis system scope services 3 Enter the HTTPS service Firepower chassis system services enable https 4 Optional Specify the port to be used for the HTTPS connection Firepower chassis system services set https port port number Specify an integer between 1 and 65535 for port number HTTPS is enabled on port 443 by default 5 Optional Specify the name of the key ring yo...

Page 68: ...s system services commit buffer When CC mode is enabled the FXOS will restrict the TLS versions to 1 1 and 1 2 and ciphersuites to only the ones allowed below TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268 TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 3268 TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268 TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 3268 TLS_RSA_WITH_AES_128_CBC_...

Page 69: ...iption for the logical device Firepower ssa logical device set description logical device description 4 Assign the management and data interfaces to the logical device Firepower ssa logical device create external port link name interface_name asa Firepower chassis ssa logical device external port link exit 5 Configure the management bootstrap information a Create bootstrap object Firepower ssa log...

Page 70: ...n 7 Click OK You see the Provisioning device name window 8 Expand the Data Ports area and click each port that you want to assign to the device 9 Click the device icon in the center of the screen The ASA Configuration dialog box appears 10 On the General Information tab complete the following a On multiple module devices like the Firepower 9300 choose the security module that you want to use for t...

Page 71: ...For each application that you want to delete enter the following commands a Firepower ssa scope slot slot_number b Firepower ssa slot delete app instance application_name c Firepower ssa slot exit 6 Commit the configuration commit buffer 4 5 7 4 Delete an ASA Logical Device via GUI 1 Choose Logical Devices to open the Logical Devices page The Logical Devices page shows a list of configured logical d...

Page 72: ...lf test fails the product will not enter operational state If this occurs please re boot the appliance If the product still does not enter operational state please contact Cisco Support e mail support Cisco com or call us at 1 800 917 4134 or 1 410 423 1901 The possible errors that can occur during this self test are Known Answer Test KAT failures Zeroization Test failure Software integr...
