Cisco Firepower 7010, Firepower 7020, Firepower 7030, Firepower 7050, Firepower 7110, Firepower 7120, Firepower 7115, Firepower 7125,, Installation Manual

Page 1: ...has more than 200 offices worldwide Addresses phone numbers and fax numbers are listed on the Cisco website at www cisco com go offices Firepower 7000 Series Hardware Installation Guide First Published July 22 2016 Last Updated July 12 2018 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ...ounting Options 2 1 Firepower 7000 Series Devices 2 1 Firepower 7010 7020 7030 and 7050 2 1 Firepower 7110 and 7120 2 6 Firepower 7115 7125 and AMP7150 2 13 Installing a Firepower 7000 Series Managed Device 3 1 Unpacking and Inspecting the Appliance 3 1 Security Considerations 3 2 Identifying the Management Interfaces 3 2 Firepower 7000 Series 3 2 Identifying the Sensing Interfaces 3 3 Firepower 7...

Page 4: ...irepower Managed Devices 6 1 Sensing Deployment Considerations 6 1 Understanding Sensing Interfaces 6 2 Passive Interfaces 6 2 Inline Interfaces 6 2 Switched Interfaces 6 3 Routed Interfaces 6 3 Hybrid Interfaces 6 4 Connecting Devices to Your Network 6 4 Using a Hub 6 4 Using a Span Port 6 5 Using a Network Tap 6 5 Cabling Inline Deployments on Copper Interfaces 6 5 Special Case Connecting Firepo...

Page 5: ...6 23 Power Requirements for Firepower 7000 Series Devices A 1 Warnings and Cautions A 1 Static Control A 1 Firepower 70xx Family Appliances A 1 Installation A 2 Grounding Earthing Requirements A 2 Firepower 71xx Family Appliances A 3 Installation A 4 Grounding Earthing Requirements A 5 Using SFP Transceivers in Firepower 71x5 and AMP7150 Devices B 1 Firepower 71x5 and AMP7150 SFP Sockets and Trans...

Page 6: ...Contents iv Firepower 7000 Series Hardware Installation Guide ...

Page 7: ...r Title Description Chapter 1 About the Firepower 7000 Series Provides an overview of the devices included in the 7000 Series Chapter 2 Hardware Specifications Describes the hardware specifications for the Firepower 7000 Series models Chapter 3 Installing a Firepower 7000 Series Managed Device Describes how to install a Firepower 7000 Series device in a rack how to connect the management interface...

Page 8: ...and keywords and user entered text appear in bold type italic type Document titles new or emphasized terms and arguments for which you supply values are in italic type Elements in square brackets are optional x y z Required alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars string An u...

Page 9: ...Warning page viii Chassis Warning for Rack Mounting and Servicing page viii Short Circuit Protection Warning page viii SELV Circuit Warning page viii Ground Conductor Warning page viii Faceplates and Cover Panels Warning page ix Product Disposal Warning page ix Compliance with Local and National Electrical Codes Warning page ix Grounded Equipment Warning page ix Safety Cover Requirement page ix Po...

Page 10: ...mounting this unit in a partially filled rack load the rack from the bottom to the top with the heaviest component at the bottom of the rack If the rack is provided with stabilizing devices install the stabilizers before mounting or servicing the unit in the rack Statement 1006 Short Circuit Protection Warning Warning This product requires short circuit overcurrent protection to be provided as par...

Page 11: ...des Warning Warning Installation of the equipment must comply with local and national electrical codes Statement 1074 Grounded Equipment Warning Warning This equipment is intended to be grounded Ensure that the host is connected to earth ground during normal use Statement 39 Safety Cover Requirement Warning The safety cover is an integral part of the product Do not operate the unit without the saf...

Page 12: ... Documentation and Submitting a Service Request For information on obtaining documentation using the Cisco Bug Search Tool BST submitting a service request and gathering additional information see What s New in Cisco Product Documentation at http www cisco com c en us td docs general whatsnew whatsnew html Subscribe to What s New in Cisco Product Documentation which lists all new and revised Cisco...

Page 13: ... a Firepower Management Center Warning Only trained and qualified personnel should install replace or service this equipment Statement 49 Firepower 7000 Series Managed Devices Delivered with the Firepower System The following table lists the managed devices that Cisco delivers with the Firepower System 7000 Series Device Chassis Designations The following table lists the chassis designations for t...

Page 14: ...out the Firepower 7000 Series Table 1 2 7000 Series Chassis Models Firepower and AMP Device Model Hardware Chassis Code 7010 7020 7030 CHRY 1U AC 7050 NEME 1U AC 7110 7120 Copper GERY 1U 8 C AC 7110 7120 Fiber GERY 1U 8 FM AC 7115 7125 AMP7150 GERY 1U 4C8S AC ...

Page 15: ...s All Firepower 7000 Series devices have an LCD panel on the front of the appliance where you can view and if enabled configure your appliance See the following sections for information Firepower 7010 7020 7030 and 7050 page 2 1 Firepower 7110 and 7120 page 2 7 Firepower 7115 7125 and AMP7150 page 2 13 Firepower 7010 7020 7030 and 7050 The Firepower 7010 7020 7030 and 7050 devices also called the ...

Page 16: ...ages and view system status For more information see Using the LCD Panel on a Firepower Device page 4 1 Sensing interfaces Contain the sensing interfaces that connect to the network For information see Sensing Interfaces page 2 4 10 100 1000 Ethernet management interface Provides for an out of band management network connection The management interface is used for maintenance and configuration pur...

Page 17: ...assis Power button and LED Indicates whether the appliance has power A green light indicates that the appliance has power and the system is on No light indicates the system is shut down or does not have power Table 2 4 Firepower 70xx Family System Status Condition Description Critical Any critical or non recoverable threshold crossing associated with the following events temperature voltage or fan...

Page 18: ...ve link Link amber The speed of the traffic on the interface is 10Mb or 100Mb Link green The speed of the traffic on the interface is 1Gb Activity blinking green The interface has link and is passing traffic Table 2 6 Firepower 70xx Family Copper Bypass LEDs Status Description Off The interface pair is not in bypass mode or has no power Steady green The interface pair is ready to enter bypass mode...

Page 19: ...ght is off there is no activity 7050 For 10Mbps links if the light is on there is link and activity If the light is off there is no link or activity Table 2 7 Firepower 70xx Family Management Interface LEDs continued LED Description Table 2 8 Firepower 70xx Family System Components Rear View Feature Description System ID LED Helps identify a system installed in a high density rack with other simil...

Page 20: ...emperature 7010 20 30 32 F to 104 F 0 C to 40 C 7050 23 F to 104 F 5 C to 40 C Non operating temperature 7010 20 30 4 F to 158 F 20 C to 70 C 7050 14 F to 140 F 10 C to 60 C Operating humidity 7010 20 30 5 to 95 non condensing Operation beyond these limits is not guaranteed and not recommended 7050 5 to 85 non condensing Operation beyond these limits is not guaranteed and not recommended Non opera...

Page 21: ...USB port front panel and either copper or fiber sensing interfaces Figure 2 5 Firepower 7110 and 7120 with Copper Interfaces Chassis GERY 1U 8 C AC Figure 2 6 Firepower 7110 and 7120 with Fiber Interfaces Chassis GERY 1U 8 FM AC The following table describes the features on the front of the appliance Table 2 10 Firepower 7110 and 7120 System Components Front View Feature Description LCD panel Oper...

Page 22: ...s the system is operating normally or is powered off A red light indicates a system error See the Table 2 13Firepower 7110 and 7120 System Status page 2 9 for more information Reset button Allows you to reboot the appliance without disconnecting it from the power supply Solid state drive SSD activity Indicates the SSD status A blinking green light indicates the fixed disk drive is active An amber ...

Page 23: ...logging errors including System Memory Uncorrectable ECC error and fatal uncorrectable bus errors such as PCI SERR and PERR Non critical A non critical condition is a threshold crossing associated with the following events temperature voltage or fan non critical threshold crossing chassis intrusion Set fault indication command from system BIOS the BIOS may use the command to indicate additional no...

Page 24: ...nk and is passing traffic Table 2 15 Firepower 7110 and 7120 Copper Bypass LED Status Description Off The interface pair is not in bypass mode or has no power Steady green The interface pair is ready to enter bypass mode Steady amber The interface pair has been placed in bypass mode and is not inspecting traffic Blinking amber The interface pair is in bypass mode that is it has failed open Table 2...

Page 25: ...irepower 7110 and 7120 System Components Rear View Features Description VGA port USB port Allows you to attach a monitor keyboard and mouse to the device to establish a direct workstation to appliance connection 10 100 1000 Ethernet management interface Provides for an out of band management network connection The management interface is used for maintenance and configuration purposed only and is ...

Page 26: ... 7120 Power Supply LED LED Description Off The power cord is not plugged in Red No power supplied to this module or A power supply critical event such as module failure a blown fuse or a fan failure the power supply shuts down Blinking red A power supply warning event such as high temperature or a slow fan the power supply continues to operate Blinking green AC input is present volts on standby th...

Page 27: ...32 VAC per supply 1 5A maximum for 187 VAC to 264 VAC per supply Frequency range 47 Hz to 63 Hz Solid state drive SSD 240GB 2 5 inch SSD Operating temperature 41o F to 104o F 5o C to 40o C Non operating temperature 29o F to 158o F 20o C to 70o C Operating humidity 5 to 85 non condensing Non operating humidity 5 to 90 non condensing with a maximum wet bulb of 82o F 28o C at temperatures from 77o F ...

Page 28: ...nents Front View Feature Description LCD panel Operates in multiple modes to configure the device display error messages and view system status For more information see Using the LCD Panel on a Firepower Device page 4 1 Front panel USB 2 0 port Allows you to attach a keyboard to the device Front panel Houses LEDs that display the system s operating state as well as various controls such as the pow...

Page 29: ...2 16 for more information Reset button Allows you to reboot the appliance without disconnecting it from the power supply Solid state drive SSD activity Indicates the SSD status A blinking green light indicates the fixed disk drive is active An amber light indicates a fixed disk drive fault If the light is off there is no drive activity or the system is powered off System ID Helps identify a system...

Page 30: ...errors including System Memory Uncorrectable ECC error and fatal uncorrectable bus errors such as PCI SERR and PERR Non critical A non critical condition is a threshold crossing associated with the following events temperature voltage or fan non critical threshold crossing chassis intrusion Set Fault Indication command from system BIOS the BIOS may use the command to indicate additional non critic...

Page 31: ...ceivers Use the following table to understand the fiber LEDs Table 2 26 Firepower 7115 7125 and AMP7150 Copper Link Activity LEDs Status Description Both LEDs off The interface does not have link Link amber The speed of the traffic on the interface is 10Mb or 100Mb Link green The speed of the traffic on the interface is 1Gb Activity blinking green The interface has link and is passing traffic Tabl...

Page 32: ...interface has activity If dark there is no activity For a passive interface the light is non functional Bottom link For an inline or passive interface the light is on when the interface has link If dark there is no link Table 2 29 Firepower 7115 7125 and AMP7150 SFP Optical Parameters Parameter 1000BASE SX 1000BASE LX Optical connectors LC duplex LC duplex Bit rate 1000Mbps 1000Mbps Baud rate enco...

Page 33: ... button is pressed Grounding studs Allows you to connect the appliance to the Common Bonding Network See the Power Requirements for Firepower 7000 Series Devices page A 1 for more information Redundant power supplies Provides power to the device through an AC power source Looking at the rear of the chassis power supply 1 is on the left and power supply 2 is on the right Power supply LEDs Indicates...

Page 34: ... distance Cat5E at 50 m Fiber 1000BASE SX SFP Fiber non bypass capable interfaces with LC connectors Cable and distance SX is multimode fiber 850 nm at 550 m standard 656 ft 200 m for 62 5 µm 125 µm fiber 1640 ft 500 m for 50 µm 125 µm fiber Fiber 1000BASE LX SFP Fiber non bypass capable interfaces with LC connectors Cable and distance LX is single mode fiber 1310 nm at 10 km for 9 µm 125 µm fiber...

Page 35: ...e to do this may cause a malfunction or damage to the appliance Acoustic noise 64 dBA at full processor load normal fan operation Meets GR 63 CORE 4 6 Acoustic Noise Operating shock Complies with Bellecore GR 63 CORE standards Airflow 140 ft3 3 9 m3 per minute Airflow through the appliance enters at the front and exits at the rear with no side ventilation Table 2 33 Firepower 7115 7125 and AMP7150...

Page 36: ...2 22 Firepower 7000 Series Hardware Installation Guide Chapter 2 Hardware Specifications Firepower 7000 Series Devices ...

Page 37: ...om the user interface For more information see Firepower Management Center Configuration Guide You can pre configure multiple appliances at one location to be used in different deployment locations For guidance on pre configuring see the Firepower 7000 Series Getting Started Guide Unpacking and Inspecting the Appliance Tip Keep the shipping container in case the server requires shipping in the fut...

Page 38: ... connect the management interface to a secure internal management network that is protected from unauthorized access Identify the specific workstation IP addresses that can be allowed to access appliances Restrict access to the appliance to only those specific hosts using Access Lists within the appliance s system policy For more information see the Firepower Management Center Configuration Guide ...

Page 39: ...wing configurations 1U device one half the width of the rack tray with eight copper interfaces each with configurable bypass capability 1U device with either eight copper interfaces or eight fiber interfaces each with configurable bypass capability 1U device with four copper interfaces with configurable bypass capability and eight small form factor pluggable SFP ports without bypass capability Fir...

Page 40: ...aces each with configurable bypass capability The following illustration of the front of the chassis indicates the location of the sensing interfaces Figure 3 2 Firepower 7110 and 7120 Copper Interfaces Figure 3 3 Eight Port 1000BASE T Copper Interfaces You can use these connections to passively monitor up to eight separate network segments You can also use paired interfaces in inline or inline wi...

Page 41: ... interfaces you may experience degraded performance If you want to take advantage of the device s automatic bypass capability you must connect either the two interfaces on the left or the two interfaces on the right to a network segment Automatic bypass capability allows traffic to flow even if the device fails or loses power After you cable the interfaces you use the web interface to configure a ...

Page 42: ...web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set SFP Interfaces When you install Cisco SFP transceivers into the SFP sockets you can passively monitor up to eight separate network segments You can also use paired interfaces in inline non bypass mode to deploy the device as an intrusion detection system on up to four networks Cisco SFP transc...

Page 43: ...cal computer to the management interface on the appliance Note that the management interface is preconfigured with a default IPv4 address However you can reconfigure the management interface with an IPv6 address as part of the setup process After initial setup you can access the console in the following additional ways Serial Connection Laptop You can connect a computer to any Firepower device usi...

Page 44: ...rotected network when you finish setup Step 4 For a Firepower device connect the sensing interfaces to the network segments you want to analyze using the appropriate cables for your interfaces Copper Sensing Interfaces If your device includes copper sensing interfaces make sure you use the appropriate cables to connect them to your network see Cabling Inline Deployments on Copper Interfaces page 6...

Page 45: ...n cause a 30 second traffic delay Cisco recommends that you disable the spanning tree during the following procedure The following procedure applicable only to copper interfaces describes how to test the installation and ping latency of an inline bypass interface You will need to connect to the network to run ping tests and connect to the managed device console Before You Begin Ensure that the int...

Page 46: ...witching and the device going into hardware bypass Step 8 Wait 30 seconds Verify that your ping traffic resumes Step 9 Power the device back on and verify that your ping traffic continues to pass Step 10 For Firepower devices that support tap mode you can test and record ping latency results under the following sets of conditions device powered off device powered on policy with no rules applied in...

Page 47: ...tion Mode page 4 4 explains how to use the LCD panel to configure the network configuration for the device s management interface the IPv4 or IPv6 address subnet mask or prefix and default gateway Caution Allowing reconfiguration using the LCD panel may present a security risk You need only physical access not authentication to configure using the LCD panel System Status Mode page 4 6 explains how...

Page 48: ...Display mode which does not include a key map Figure 4 1 LCD Panel Idle Display mode In Idle Display mode the panel alternates between displaying the CPU utilization and free memory available and the chassis serial number Press any key to interrupt the Idle Display mode and enter the LCD panel s main menu where you can access Network Configuration System Status and Information modes The following ...

Page 49: ...lti function key functions Idle Display Mode The LCD panel enters Idle Display mode after 60 seconds of inactivity you have not pressed any multi function keys with no detected errors If the system detects an error the panel enters Error Alert mode see Error Alert Mode page 4 9 until the error is resolved Idle Display mode is also disabled when you are editing your network configuration or running...

Page 50: ...ult gateway If you edit the IP address of a Firepower device using the LCD panel confirm that the changes are reflected on the managing Management Center In some cases you may need to edit the device management settings manually See the for more information By default the ability to change network configuration using the LCD panel is disabled You can enable it during the initial setup process or u...

Page 51: ...IP address To edit the digit press the minus or plus keys on the top row to decrease or increase the digit by one To move to the next digit in the IP address press the right arrow key on the bottom row to move the cursor to the next digit to the right With the cursor on the first digit the LCD panel displays the cancel and right arrow symbols at the end of the IP address With the cursor on any oth...

Page 52: ...eb interface as described in the following procedure To allow network reconfiguration using a device s LCD panel Access Admin Step 1 After you complete the initial setup of the device log into the device s web interface using an account with Administrator privileges Step 2 Select System Local Configuration The Information page appears Step 3 Click Network The Network Settings page appears Step 4 U...

Page 53: ... scroll through the options by pressing the down arrow â key until the LCD panel displays the LCD Brightness and LCD Contrast options LCD Brightness Table 4 2 System Status Mode Options Option Description Resources Displays the CPU utilization and free memory available Note that Idle Display mode also shows this information Link State Displays a list of any inline sets currently in use and the lin...

Page 54: ...ber IP address model and software and firmware versions Support may require this information if you call for assistance The following table describes the information available in this mode To enter Information mode and view identifying system information Step 1 In Idle Display mode press any multi function key to enter the main menu The main menu appears Network Config System Status Step 2 Scroll ...

Page 55: ...tions are resolved The LCD panel always displays the platform daemon error message first followed by a list of other hardware error messages The following table provides basic information on Firepower device error messages where X indicates the NFE accelerator card 0 or 1 that generated the alert Table 4 4 LCD Panel Error Alerts Error Description Hardware alarm Alerts on hardware alarms Link state...

Page 56: ...message daemon fails NFEHardware hardware status Alerts when one or more accelerator cards is not communicating NFEcount cards detected Alerts when the number of accelerator cards detected on the device does not match the expected accelerator card count for the platform 7000 Series only GerChr_comm 8000 Series only NMSB_comm communications Alerts when the media assembly is not present or not commu...

Page 57: ...tallation Guide Chapter 4 Using the LCD Panel on a Firepower Device Error Alert Mode If you exit Error Alert mode before you resolve the error that triggered the alert the LCD panel returns to Error Alert mode Contact Support for assistance ...

Page 58: ...4 12 Firepower 7000 Series Hardware Installation Guide Chapter 4 Using the LCD Panel on a Firepower Device Error Alert Mode ...

Page 59: ...fficient and effective system Will you use the default single management interface to connect your device to your Management Center Will you enable additional management interfaces to improve performance or to isolate traffic received on the Management Center from different networks See Understanding Management Interfaces page 5 2 for more information Do you want to enable traffic channels to crea...

Page 60: ...he default configuration to enable traffic channels and multiple management interfaces using the web interface on each appliance For configuration information see Configuring Appliance Settings in the Firepower Management Center Configuration Guide Management interfaces are often located on the back of the appliance See Identifying the Management Interfaces page 3 2 for more information Single Man...

Page 61: ...or more management interfaces on the Management Center However because the 70xx Family contains only one management interface the device receives traffic sent from the Management Center on only one management interface Deployment Options You can manage traffic flow using traffic channels to improve performance on your system using one or more management interfaces In addition you can create a rout...

Page 62: ...erface for event traffic channels Deploying with Network Routes You can create a route from a specific management interface on your Management Center to a different network When you register a device from that network to the specified management interface on the Management Center you provide an isolated connection between the Management Center and the device on a different network Configure both t...

Page 63: ... network that is protected from unauthorized access Identify the specific workstation IP addresses that can be allowed to access appliances Restrict access to the appliance to only those specific hosts using Access Lists within the appliance s system policy For more information see the Firepower Management Center Configuration Guide Special Case Connecting 8000 Series Devices Supported Devices 800...

Page 64: ...5 6 Firepower 7000 Series Hardware Installation Guide Chapter 5 Deploying on a Management Network Special Case Connecting 8000 Series Devices ...

Page 65: ...at penetrate your firewall Do you have specific assets on your network such as financial accounting or personnel records production code or other sensitive protected information that require special security policies See Deployment Options page 6 7 for more information Will you use multiple sensing interfaces on your managed device to recombine the separate connections from a network tap or to cap...

Page 66: ...ment you cannot permit uninspected traffic Using configurable bypass inline sets you can manage the traffic flow of your network traffic in one of the following ways Bypass an interface pair configured for bypass allows all traffic to flow if the device fails The traffic bypasses the device and any inspection or other processing by the device Bypass allows uninspected traffic across the network se...

Page 67: ...u can configure your device as a virtual switch and use the remaining interfaces to connect to network segments you want to monitor To use a virtual switch on your device create physical switched interfaces and then follow the instructions for Setting Up Virtual Switches in the Firepower Management Center Configuration Guide Routed Interfaces You can configure routed interfaces on a Firepower devi...

Page 68: ...aces with network address translation NAT to pass traffic between networks For more information see Deploying with Policy Based NAT page 6 11 If you want to use hybrid interfaces on your device define a hybrid interface on the device and then follow the instructions for Setting Up Hybrid Interfaces in the Firepower Management Center Configuration Guide Connecting Devices to Your Network You can co...

Page 69: ...he switch By design network taps divide incoming and outgoing traffic into two different streams over two different cables Managed devices offer multiple sensing interface options that recombine the two sides of the conversation so that the entire traffic stream is evaluated by the decoders the preprocessors and the detection engine Cabling Inline Deployments on Copper Interfaces If you deploy you...

Page 70: ...ould repeat the process of ensuring that the endpoints can communicate with the new device powered down to protect against the case where the original device and its replacement have different bypass characteristics The Auto MDI X setting functions correctly only if you allow the network interfaces to auto negotiate If your network environment requires that you turn off the Auto Negotiate option o...

Page 71: ...l switch to allow traffic you configure two or more switched interfaces on a physical port add and configure a virtual switch and then assign the virtual switch to the switched interfaces The system drops any traffic received on an external physical interface that does not have a switched interface waiting for it If the system receives a packet with no VLAN tag and you have not configured a physic...

Page 72: ... use a virtual router with a gateway VPN For more information see Deploying a Gateway VPN page 6 10 A virtual router can contain either physical or logical routed configurations from one or more individual devices within the same broadcast domain You must associate each logical interface with a VLAN tag to handle traffic received by the physical interface with that specific tag You must assign a l...

Page 73: ... See Deploying with Policy Based NAT page 6 11 A hybrid interface must contain one or more switched interfaces and one or more routed interfaces A common deployment consists of two switched interfaces configured as a virtual switch to pass traffic on a local network and virtual routers to route traffic to networks either private or public To create a hybrid interface you first configure a virtual ...

Page 74: ...nd the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel The VPN endpoints authenticate each other with either the Internet Key Exchange IKE version 1 or version 2 protocol to create a security association for the tunnel The system runs in either IPSec authentication header AH mode or the IPSec encapsulating security payload ESP mode Both AH and ESP pro...

Page 75: ... the public network Allow access to a private network service When a public network accesses your private network NAT translates your public address to your private network address The public network can access your specific private network address Redirect traffic between multiple private networks When a server on a private network accesses a server on a connected private network NAT translates t...

Page 76: ...e 6 12 explains how access control functions on traffic that passes through the firewall On the DMZ page 6 13 explains how access control within the DMZ can protect outward facing servers On the Internal Network page 6 14 explains how access control can protect your internal network from intentional or accidental attack On the Core Network page 6 14 explains how an access control policy with stric...

Page 77: ...ecific criteria On the DMZ The DMZ contains outward facing servers for example web FTP DNS and mail and may also provide services such as mail relay and web proxy to users on the internal network Content stored in the DMZ is static and changes are planned and executed with clear communication and advance notice Attacks in this segment are typically inbound and become immediately apparent because o...

Page 78: ...ition to outbound traffic Add access control rules to tightly control traffic between users and applications On the Core Network Core assets are those assets critical to the success of your business that must be protected at all cost Although core assets vary depending on the nature of your business typical core assets include financial and management centers or intellectual property repositories ...

Page 79: ...al devices for business purposes for example using a smart phone to access corporate email are becoming increasingly common These networks can be highly dynamic environments with rapid and continual change Deploying a managed device on a dedicated mobile or remote network allows you to create a strict access control policy to monitor and manage traffic to and from unknown external sources Your pol...

Page 80: ...put for which the device is rated the total traffic on the managed device cannot exceed its bandwidth rating without some packet loss Deploying multiple sensing interfaces on a managed device with a network tap is a straightforward process The following diagram shows a network tap installed on a high traffic network segment In this scenario the tap transmits incoming and outgoing traffic through s...

Page 81: ...at if you replace the tap with a virtual switch you lose the tap packet delivery guarantee You can also create interfaces to capture data from separate networks The following diagram shows a single device with a dual sensing interface adapter and two interfaces connected to two networks In addition to using one device to monitor both network segments you can use the virtual switch capability of th...

Page 82: ...ader is unencrypted so that the packet can be transmitted over public networks in much the same way as any other packet When the packet arrives at its destination network the payload is decrypted and the packet is directed to the proper host Because network appliances cannot analyze the encrypted payload of a VPN packet placing managed devices outside the terminating endpoints of the VPN connectio...

Page 83: ... of the Internet modem banks and direct links to business partner networks In general you should deploy managed devices near firewalls either inside the firewall outside the firewall or both and on network segments that are important to the integrity and confidentiality of your business data The following diagram shows how managed devices can be installed at key locations on a complex network with...

Page 84: ...rom managed devices deployed throughout the organization s many locations Unlike deploying multiple managed devices and Firepower Management Centers in the same geographic location on the same network when deploying managed devices in disparate geographic locations you must take precautions to ensure the security of the managed devices and the data stream To secure the data you must isolate the ma...

Page 85: ...r 7000 Series Hardware Installation Guide Chapter 6 Deploying Firepower Managed Devices Complex Network Deployments You can replace the firewalls and routers with the managed device deployed in each network segment ...

Page 86: ... allow you to add a management interface with a unique IP address IPv4 or IPv6 to your Firepower Management Center and create a route from that management interface to a network that contains the device you want to manage When you register your device to the new management interface traffic on that device is isolated from traffic on devices registered to the default management interface on the Fir...

Page 87: ... or NAT device In this case Cisco recommends that you position managed devices inside the network segment protected by the proxy or NAT device to ensure that hosts are correctly detected Integrating with Load Balancing Methods In some network environments server farm configurations are used to perform network load balancing for services such as web hosting FTP storage sites and so on In load balan...

Page 88: ...6 24 Firepower 7000 Series Hardware Installation Guide Chapter 6 Deploying Firepower Managed Devices Complex Network Deployments ...

Page 89: ... as described in GR 1089 CORE Issue 4 and require isolation from the exposed OSP cabling The addition of the primary protectors is not sufficient protection to connect these interfaces metallically to OSP wiring Static Control Caution Electrostatic discharge control procedures such as using grounded wrist straps and an ESD work surface must be in place before unpacking installing or moving the app...

Page 90: ... the full rating of the appliance Voltage The power supply works with 100VAC to 240VAC nominal 90VAC to 264VAC maximum Use of voltages outside this range may cause damage to the appliance Current The labeled current rating is 2A maximum over the full range Appropriate wire and breakers must be used to reduce the potential for fire Frequency Range The frequency range of the AC power supply is 47 Hz...

Page 91: ...ase of a single fault The size of the ground wire should be equal to the current of the breaker used to protect the circuit See Current page A 2 Bare conductors must be coated with antioxidant before crimp connections are made Only copper cables can be used for grounding purposes Firepower 71xx Family Appliances This section describes the power requirements for Firepower 7110 and 7120 GERY 1U 8 AC...

Page 92: ...he appliance This configuration provides for circuit failure and power supply failure Example Each supply is attached to a different 220V circuit Each circuit must be capable of supplying 5A as stated on the label Same Circuit Installation If the same circuit is used to feed both supplies then the power rating of one supply applies to the whole box This configuration only provides protection from ...

Page 93: ...4 studs are provided Outside toothed lock washers are provided for attaching ring terminals A standard ground symbol is available by each stud The following illustration indicates the bonding locations on the chassis Recommended Terminals You must use UL Approved terminals for the ground connection Ring terminals with a clearance hole for 4mm or 8 studs may be used For 10 12 AWG wire Tyco 34853 is...

Page 94: ...A 6 Firepower 7000 Series Hardware Installation Guide Appendix A Power Requirements for Firepower 7000 Series Devices Firepower 71xx Family Appliances ...

Page 95: ... to eight SFP transceivers Figure B 1 Firepower 71x5 and AMP7150 Front View Firepower 71x5 and AMP7150 SFP Sockets The eight SFP sockets are numbered from 5 through 12 in a vertical pattern and oriented in a tab to center configuration the upper row faces up and the lower row faces down The accompanying LEDs to the left of the sockets display information on activity and link for each interface See...

Page 96: ...example virtual switches virtual routers and some access control policies For a passive deployment you can use any combination of transceivers in up to eight sockets to monitor up to eight network segments For an inline deployment you can use any combination copper fiber or mixed of transceivers in vertically sequential sockets 5 and 6 7 and 8 9 and 10 or 11 and 12 to monitor up to four network se...

Page 97: ...er to view the change Removing an SFP Transceiver Use appropriate electrostatic discharge ESD procedures when removing the transceiver Avoid touching the contacts at the rear and keep the contacts and ports free of dust and dirt To remove an SFP transceiver Step 1 Disconnect all cables from the transceiver you want to remove from the device Step 2 Using your fingers gently pull the bale of the tra...

Page 98: ...B 4 Firepower 7000 Series Hardware Installation Guide Appendix B Using SFP Transceivers in Firepower 71x5 and AMP7150 Devices Removing an SFP Transceiver ...