Scribd
Upload
196 views

Intro Logical Devices PDF

The document discusses logical devices for the Firepower 4100/9300 chassis. It describes how the chassis allows installing one or more logical devices to run application instances. It covers defining interfaces, adding standalone or clustered logical devices, and guidelines for logical device and interface configuration.

Uploaded by

Jesus Garcia
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
196 views

Intro Logical Devices PDF

The document discusses logical devices for the Firepower 4100/9300 chassis. It describes how the chassis allows installing one or more logical devices to run application instances. It covers defining interfaces, adding standalone or clustered logical devices, and guidelines for logical device and interface configuration.

Uploaded by

Jesus Garcia
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

Logical Devices for the Firepower 4100/9300

The Firepower 4100/9300 is a flexible security platform on which you can install one or more logical devices.
This chapter describes basic interface configuration and how to add a standalone or High Availability logical
device using the Firepower Chassis Manager. To add a clustered logical device, see ASA Cluster for the
Firepower 4100/9300 Chassis. To use the FXOS CLI, see the FXOS CLI configuration guide. For more
advanced FXOS procedures and troubleshooting, see the FXOS configuration guide.
• About Firepower Interfaces, on page 1
• About Logical Devices, on page 2
• Guidelines and Limitations for Logical Devices, on page 3
• Configure Interfaces, on page 4
• Configure Logical Devices, on page 8
• History for Logical Devices, on page 17

About Firepower Interfaces


The Firepower 4100/9300 chassis supports physical interfaces and EtherChannel (port-channel) interfaces.
EtherChannel interfaces can include up to 16 member interfaces of the same type.

Chassis Management Interface


The chassis management interface is used for management of the FXOS Chassis by SSH or Firepower Chassis
Manager. This interface is separate from the mgmt-type interface that you assign to the logical devices for
application management.
To configure parameters for this interface, you must configure them from the CLI. To view information about
this interface in the FXOS CLI, connect to local management and show the management port:
Firepower # connect local-mgmt
Firepower(local-mgmt) # show mgmt-port
Note that the chassis management interface remains up even if the physical cable or SFP module are unplugged,
or if the mgmt-port shut command is performed.

Interface Types
Each interface can be one of the following types:

Logical Devices for the Firepower 4100/9300


1
Logical Devices for the Firepower 4100/9300
About Logical Devices

• Data—Data interfaces cannot be shared between logical devices.


• Mgmt—Use management interfaces to manage application instances. They can be shared by one or more
logical devices to access external hosts; logical devices cannot communicate over this interface with
other logical devices that share the interface. You can only assign one management interface per logical
device. For information about the separate chassis management interface, see Chassis Management
Interface, on page 1.
Within the FTD application, the physical management interface is shared between the Diagnostic logical
interface and the Management logical interface. The Management logical interface is separate from the
other interfaces on the device. It is used to set up and register the device to the Firepower Management
Center. It uses its own local authentication, IP address, and static routing. See the "Management Interfaces"
section in the Firepower Management Center configuration guide System Configuration chapter.
The Diagnostic logical interface can be configured along with the rest of the data interfaces on the FMC
Devices > Device Management > Interfaces screen. Using the Diagnostic interface is optional. The
Diagnostic interface only allows management traffic, and does not allow through traffic.
• Firepower-eventing—This interface is a secondary management interface for FTD devices. To use this
interface, you must configure its IP address and other parameters at the FTD CLI. For example, you can
separate management traffic from events (such as web events). See the "Management Interfaces" section
in the Firepower Management Center configuration guide System Configuration chapter.
Firepower-eventing interfaces can be shared by one or more logical devices to access external hosts;
logical devices cannot communicate over this interface with other logical devices that share the interface.
• Cluster—Special interface type used for a clustered logical device. This type is automatically assigned
to the cluster control link for inter-unit cluster communications. By default, the cluster control link is
automatically created on Port-channel 48.

About Logical Devices


A logical device lets you run one application instance (either ASA or Firepower Threat Defense) and also one
optional decorator application (Radware DefensePro) to form a service chain.
When you add a logical device, you also define the application instance type and version, assign interfaces,
and configure bootstrap settings that are pushed to the application configuration.

Note For the Firepower 9300, you must install the same application instance type (ASA or Firepower Threat
Defense) on all modules in the chassis; different types are not supported at this time. Note that modules can
run different versions of an application instance type.

Standalone and Clustered Logical Devices


You can add the following logical device types:
• Standalone—A standalone logical device operates as a standalone unit or as a unit in a High Availability
pair.
• Cluster—A clustered logical device lets you group multiple units together, providing all the convenience
of a single device (management, integration into a network) while achieving the increased throughput

Logical Devices for the Firepower 4100/9300


2
Logical Devices for the Firepower 4100/9300
Guidelines and Limitations for Logical Devices

and redundancy of multiple devices. Multiple module devices, like the Firepower 9300, support
intra-chassis clustering. For the Firepower 9300, all three module application instances belong to a single
logical device.

Note For the Firepower 9300, all modules must belong to the cluster. You cannot create
a standalone logical device on one security module and then create a cluster using
the remaining 2 security modules.

Guidelines and Limitations for Logical Devices


See the following sections for guidelines and limitations.

Guidelines and Limitations for Firepower Interfaces


Inline Sets for FTD
• Link state propagation is supported.

Hardware Bypass
• Supported for the FTD; you can use them as regular interfaces for the ASA.
• The FTD only supports Hardware Bypass with inline sets.
• Hardware Bypass-capable interfaces cannot be configured for breakout ports.
• You cannot include Hardware Bypass interfaces in an EtherChannel and use them for Hardware Bypass;
you can use them as regular interfaces in an EtherChannel.

Default MAC Addresses


Default MAC address assignments depend on the type of interface.
• Physical interfaces—The physical interface uses the burned-in MAC address.
• Redundant interfaces—A redundant interface uses the MAC address of the first physical interface that
you add. If you change the order of the member interfaces in the configuration, then the MAC address
changes to match the MAC address of the interface that is now listed first. If you assign a MAC address
to the redundant interface, then it is used regardless of the member interface MAC addresses.
• EtherChannels (Firepower Models)—For an EtherChannel, all interfaces that are part of the channel
group share the same MAC address. This feature makes the EtherChannel transparent to network
applications and users, because they only see the one logical connection; they have no knowledge of the
individual links. The port-channel interface uses a unique MAC address from a pool; interface membership
does not affect the MAC address.
• EtherChannels (ASA Models)—The port-channel interface uses the lowest-numbered channel group
interface MAC address as the port-channel MAC address. Alternatively you can configure a MAC address

Logical Devices for the Firepower 4100/9300


3
Logical Devices for the Firepower 4100/9300
General Guidelines and Limitations

for the port-channel interface. We recommend configuring a unique MAC address in case the group
channel interface membership changes. If you remove the interface that was providing the port-channel
MAC address, then the port-channel MAC address changes to the next lowest numbered interface, thus
causing traffic disruption.
• Subinterfaces—All subinterfaces of a physical interface use the same burned-in MAC address. You
might want to assign unique MAC addresses to subinterfaces. For example, your service provider might
perform access control based on the MAC address. Also, because IPv6 link-local addresses are generated
based on the MAC address, assigning unique MAC addresses to subinterfaces allows for unique IPv6
link-local addresses.
• ASASM VLANs—For the ASASM, all VLANs use the same MAC address provided by the backplane.

General Guidelines and Limitations


Firewall Mode
You can set the firewall mode to routed or transparent in the bootstrap configuration for the FTD. For the
ASA, you can change the firewall mode to transparent after you deploy. See Change the ASA to Transparent
Firewall Mode, on page 13.

High Availability
• Configure high availability within the application configuration.
• You can use any data interfaces as the failover and state links.
• For more information, see Failover System Requirements

Context Mode
• Multiple context mode is only supported on the ASA.
• Enable multiple context mode in the ASA after you deploy.

Configure Interfaces
By default, physical interfaces are disabled. You can enable interfaces, add EtherChannels, and edit interface
properties.

Configure a Physical Interface


You can physically enable and disable interfaces, as well as set the interface speed and duplex. To use an
interface, it must be physically enabled in FXOS and logically enabled in the application.

Before you begin


• Interfaces that are already a member of an EtherChannel cannot be modified individually. Be sure to
configure settings before you add it to the EtherChannel.

Logical Devices for the Firepower 4100/9300


4
Logical Devices for the Firepower 4100/9300
Configure a Physical Interface

Procedure

Step 1 Enter interface mode.


scope eth-uplink

scope fabric a

Step 2 Enable the interface.


enter interface interface_id

enable

Example:

Firepower /eth-uplink/fabric # enter interface Ethernet1/8


Firepower /eth-uplink/fabric/interface # enable

Note Interfaces that are already a member of a port-channel cannot be modified individually. If you use
the enter interface or scope interface command on an interface that is a member of a port channel,
you will receive an error stating that the object does not exist. You should edit interfaces using the
enter interface command before you add them to a port-channel.

Step 3 (Optional) Set the interface type.


set port-type {data | mgmt | firepower-eventing | cluster}
Example:

Firepower /eth-uplink/fabric/interface # set port-type mgmt

The data keyword is the default type. Do not choose the cluster keyword; by default, the cluster control link
is automatically created on Port-channel 48.

Step 4 Enable or disable autonegotiation, if supported for your interface.


set auto-negotiation {on | off}
Example:

Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 5 Set the interface speed.


set admin-speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}
Example:

Firepower /eth-uplink/fabric/interface* # set admin-speed 1gbps

Step 6 Set the interface duplex mode.


set admin-duplex {fullduplex | halfduplex}

Logical Devices for the Firepower 4100/9300


5
Logical Devices for the Firepower 4100/9300
Add an EtherChannel (Port Channel)

Example:

Firepower /eth-uplink/fabric/interface* # set admin-duplex halfduplex

Step 7 Save the configuration.


commit-buffer
Example:

Firepower /eth-uplink/fabric/interface* # commit-buffer


Firepower /eth-uplink/fabric/interface #

Add an EtherChannel (Port Channel)


An EtherChannel (also known as a port channel) can include up to 16 member interfaces of the same type.
The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation
Control Protocol Data Units (LACPDUs) between two network devices.
The Firepower 4100/9300 chassis only supports EtherChannels in Active LACP mode so that each member
interface sends and receives LACP updates. An active EtherChannel can establish connectivity with either
an active or a passive EtherChannel. You should use the active mode unless you need to minimize the amount
of LACP traffic.
LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention.
It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct
channel group.
When the Firepower 4100/9300 chassis creates an EtherChannel, the EtherChannel stays in a Suspended
state until you assign it to a logical device, even if the physical link is up. The EtherChannel will be brought
out of this Suspended state in the following situations:
• The EtherChannel is added as a data or management interface for a standalone logical device
• The EtherChannel is added as a management interface or cluster control link for a logical device that is
part of a cluster
• The EtherChannel is added as a data interface for a logical device that is part of a cluster and at least one
unit has joined the cluster

Note that the EtherChannel does not come up until you assign it to a logical device. If the EtherChannel is
removed from the logical device or the logical device is deleted, the EtherChannel will revert to a Suspended
state.

Procedure

Step 1 Enter interface mode:


scope eth-uplink

scope fabric a

Logical Devices for the Firepower 4100/9300


6
Logical Devices for the Firepower 4100/9300
Add an EtherChannel (Port Channel)

Step 2 Create the port-channel:


create port-channel id

enable

Step 3 Assign member interfaces:


create member-port interface_id
Example:

Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1


Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/3
Firepower /eth-uplink/fabric/port-channel/member-port* # exit
Firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/4
Firepower /eth-uplink/fabric/port-channel/member-port* # exit

Step 4 (Optional) Set the interface type.


set port-type {data | mgmt | firepower-eventing | cluster}
Example:

Firepower /eth-uplink/fabric/port-channel # set port-type data

The data keyword is the default type. Do not choose the cluster keyword unless you want to use this
port-channel as the cluster control link instead of the default.

Step 5 (Optional) Set the interface speed for all members of the port-channel.
set speed {10mbps | 100mbps | 1gbps | 10gbps | 40gbps | 100gbps}
Example:

Firepower /eth-uplink/fabric/port-channel* # set speed 1gbps

Step 6 (Optional) Set the duplex for all members of the port-channel.
set duplex {fullduplex | halfduplex}
Example:

Firepower /eth-uplink/fabric/port-channel* # set duplex fullduplex

Step 7 Enable or disable autonegotiation, if supported for your interface.


set auto-negotiation {on | off}
Example:

Firepower /eth-uplink/fabric/interface* # set auto-negotiation off

Step 8 Commit the configuration:

Logical Devices for the Firepower 4100/9300


7
Logical Devices for the Firepower 4100/9300
Configure Logical Devices

commit-buffer

Configure Logical Devices


Add a standalone logical device or a High Availability pair on the Firepower 4100/9300 chassis.
For clustering, see ASA Cluster for the Firepower 4100/9300 Chassis.

Add a Standalone ASA


Standalone logical devices work either alone or in a High Availability pair. On multiple module devices, like
the Firepower 9300, you can deploy either a cluster or standalone devices. The cluster must use all modules,
so you cannot mix and match a 2-module cluster plus a single standalone device, for example.
You can deploy a routed firewall mode ASA from the Firepower 4100/9300 chassis. To change the ASA to
transparent firewall mode, complete this procedure, and then see Change the ASA to Transparent Firewall
Mode, on page 13.
For multiple context mode, you must first deploy the logical device, and then enable multiple context mode
in the ASA application.

Before you begin


• Download the application image you want to use for the logical device from Cisco.com, and then download
that image to the Firepower 4100/9300 chassis.

Note You must install the same application instance type on all modules in a chassis,
either ASA or Firepower Threat Defense; different application types are not
supported at this time. Note that modules can run different versions of a particular
application type, but all modules must be configured as the same type of
application instance.

• Configure a management interface to use with the logical device. The management interface is required.
Note that this management interface is not the same as the chassis management interface that is used
only for chassis management (in FXOS, you might see it displayed as MGMT, management0, or other
similar names).

Procedure

Step 1 Enter security services mode.


scope ssa
Example:

Firepower# scope ssa

Logical Devices for the Firepower 4100/9300


8
Logical Devices for the Firepower 4100/9300
Add a Standalone ASA

Firepower /ssa #

Step 2 Set the application instance image version.


a) View available images. Note the Version number that you want to use.
show app
Example:

Firepower /ssa # show app


Name Version Author Supported Deploy Types CSP Type Is Default
App
---------- --------------- ---------- ---------------------- -----------
--------------
asa 9.9.1 cisco Native Application No
asa 9.10.1 cisco Native Application Yes
ftd 6.2.3 cisco Native Application Yes

b) Set the scope to the security module/engine slot.


scope slot slot_id
The slot_id is always 1 for the Firepower 4100, and 1, 2, or 3 for the Firepower 9300.
Example:

Firepower /ssa # scope slot 1


Firepower /ssa/slot #

c) Create the application instance.


enter app-instance asa
Example:

Firepower /ssa/slot # enter app-instance asa


Firepower /ssa/slot/app-instance* #

d) Set the ASA image version.


set startup-version version
Example:

Firepower /ssa/slot/app-instance* # set startup-version 9.10.1

e) Exit to slot mode.


exit
Example:

Firepower /ssa/slot/app-instance* # exit


Firepower /ssa/slot* #

f) Exit to ssa mode.

Logical Devices for the Firepower 4100/9300


9
Logical Devices for the Firepower 4100/9300
Add a Standalone ASA

exit
Example:

Firepower /ssa/slot* # exit


Firepower /ssa* #

Example:

Firepower /ssa # scope slot 1


Firepower /ssa/slot # enter app-instance asa ASA1
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* #

Step 3 Create the logical device.


enter logical-device device_name asa slot_id standalone
Example:

Firepower /ssa # enter logical-device ASA1 asa 1 standalone


Firepower /ssa/logical-device* #

Step 4 Assign the management and data interfaces to the logical device. Repeat for each interface.
create external-port-link name interface_id asa
set description description
exit
• name—The name is used by the Firepower 4100/9300 chassis supervisor; it is not the interface name
used in the ASA configuration.
• description—Use quotes (") around phrases with spaces.

Example:

Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa


Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit

Step 5 Configure the management bootstrap information:


a) Create the bootstrap object.
create mgmt-bootstrap asa
Example:

Logical Devices for the Firepower 4100/9300


10
Logical Devices for the Firepower 4100/9300
Add a Standalone ASA

Firepower /ssa/logical-device* # create mgmt-bootstrap asa


Firepower /ssa/logical-device/mgmt-bootstrap* #

b) Specify the admin password.


create bootstrap-key-secret PASSWORD
set value
Enter a value: password
Confirm the value: password
exit
Example:
The pre-configured ASA admin user is useful for password recovery; if you have FXOS access, you can
reset the admin user password if you forget it.
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD


Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
Enter a value: floppylampshade
Confirm the value: floppylampshade
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* #

c) Configure the IPv4 management interface settings.


create ipv4 slot_id default
set ip ip_address mask network_mask
set gateway gateway_address
exit
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default


Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.10.10.34 mask 255.255.255.0
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.10.10.1
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* #

d) Configure the IPv6 management interface settings.


create ipv6 slot_id default
set ip ip_address prefix-length prefix
set gateway gateway_address
exit
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv6 1 default


Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set ip 2001:0DB8:BA98::3210

Logical Devices for the Firepower 4100/9300


11
Logical Devices for the Firepower 4100/9300
Add a Standalone ASA

prefix-length 64
Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # set gateway 2001:0DB8:BA98::3211
Firepower /ssa/logical-device/mgmt-bootstrap/ipv6* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* #

e) Exit the management bootstrap mode.


exit
Example:

Firepower /ssa/logical-device/mgmt-bootstrap* # exit


Firepower /ssa/logical-device* #

Step 6 Save the configuration.


commit-buffer
Example:

Firepower /ssa/logical-device* # commit-buffer


Firepower /ssa/logical-device #

Example

Firepower# scope ssa


Firepower /ssa # scope slot 1
Firepower /ssa/slot # enter app-instance asa MyDevice1
Firepower /ssa/slot/app-instance* # set startup-version 9.10.1
Firepower /ssa/slot/app-instance* # exit
Firepower /ssa/slot* # exit
Firepower /ssa* # create logical-device MyDevice1 asa 1 standalone
Firepower /ssa/logical-device* # create external-port-link inside Ethernet1/1 asa
Firepower /ssa/logical-device/external-port-link* # set description "inside link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link management Ethernet1/7 asa
Firepower /ssa/logical-device/external-port-link* # set description "management link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create external-port-link outside Ethernet1/2 asa
Firepower /ssa/logical-device/external-port-link* # set description "external link"
Firepower /ssa/logical-device/external-port-link* # exit
Firepower /ssa/logical-device* # create mgmt-bootstrap asa
Firepower /ssa/logical-device/mgmt-bootstrap* # create bootstrap-key-secret PASSWORD
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # set value
Enter a value: secretglassine
Confirm the value: secretglassine
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key-secret* # exit
Firepower /ssa/logical-device/mgmt-bootstrap* # create ipv4 1 default
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set gateway 10.0.0.1
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # set ip 10.0.0.31 mask 255.255.255.0
Firepower /ssa/logical-device/mgmt-bootstrap/ipv4* # exit
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key* # commit-buffer
Firepower /ssa/logical-device/mgmt-bootstrap/bootstrap-key #

Logical Devices for the Firepower 4100/9300


12
Logical Devices for the Firepower 4100/9300
Add a High Availability Pair

Add a High Availability Pair


Firepower Threat Defense or ASA High Availability (also known as failover) is configured within the
application, not in FXOS. However, to prepare your chassis for high availability, see the following steps.

Before you begin


• For High Availability system requirements, see Failover System Requirements.

Procedure

Step 1 Each logical device should be on a separate chassis; intra-chassis High Availability for the Firepower 9300
is not recommended and may not be supported.
Step 2 Allocate the same interfaces to each logical device.
Step 3 Allocate 1 or 2 data interfaces for the failover and state link(s).
These interfaces exchange high availibility traffic between the 2 chassis. We recommend that you use a 10
GB data interface for a combined failover and state link. If you have available interfaces, you can use separate
failover and state links; the state link requires the most bandwidth. You cannot use the management-type
interface for the failover or state link. We recommend that you use a switch between the chassis, with no other
device on the same network segment as the failover interfaces.

Step 4 Enable High Availability on the logical devices. See Failover for High Availability.
Step 5 If you need to make interface changes after you enable High Availability, perform the changes on the standby
unit first, and then perform the changes on the active unit.
Note For the ASA, if you remove an interface in FXOS (for example, if you remove a network module,
remove an EtherChannel, or reassign an interface to an EtherChannel), then the ASA configuration
retains the original commands so that you can make any necessary adjustments; removing an interface
from the configuration can have wide effects. You can manually remove the old interface
configuration in the ASA OS.

Change the ASA to Transparent Firewall Mode


You can only deploy a routed firewall mode ASA from the Firepower 4100/9300 chassis. To change the ASA
to transparent firewall mode, complete the initial deployment, and then change the firewall mode within the
ASA CLI. For standalone ASAs, because changing the firewall mode erases the configuration, you must then
redeploy the configuration from the Firepower 4100/9300 chassis to regain the bootstrap configuration. The
ASA then remains in transparent mode with a working bootstrap configuration. For clustered ASAs, the
configuration is not erased, so you do not need to redeploy the bootstrap configuration from FXOS.

Procedure

Step 1 Connect to the ASA console according to Connect to the Console of the Application, on page 15. For a cluster,
connect to the primary unit. For a failover pair, connect to the active unit.

Logical Devices for the Firepower 4100/9300


13
Logical Devices for the Firepower 4100/9300
Change an Interface on an ASA Logical Device

Step 2 Enter configuration mode:


enable
configure terminal
By default, the enable password is blank.

Step 3 Set the firewall mode to transparent:


firewall transparent

Step 4 Save the configuration:


write memory
For a cluster or failover pair, this configuration is replicated to secondary units:

asa(config)# firewall transparent


asa(config)# write memory
Building configuration...
Cryptochecksum: 9f831dfb 60dffa8c 1d939884 74735b69

3791 bytes copied in 0.160 secs


[OK]
asa(config)#
Beginning configuration replication to Slave unit-1-2
End Configuration Replication to slave.

asa(config)#

Step 5 On the Firepower Chassis Manager Logical Devices page, click the Edit icon to edit the ASA.
The Provisioning page appears.

Step 6 Click the device icon to edit the bootstrap configuration. Change any value in your configuration, and click
OK.
You must change the value of at least one field, for example, the Password field.
You see a warning about changing the bootstrap configuration; click Yes.

Step 7 Click Save to redeploy the configuration to the ASA. For an inter-chassis cluster or for a failover pair, repeat
steps 5 through 7 to redeploy the bootstrap configuration on each chassis.
Wait several minutes for the chassis/security modules to reload, and for the ASA to become operational again.
The ASA now has an operational bootstrap configuration, but remains in transparent mode.

Change an Interface on an ASA Logical Device


You can allocate, unallocate, or replace a management interface on an ASA logical device. ASDM discovers
the new interfaces automatically.

Logical Devices for the Firepower 4100/9300


14
Logical Devices for the Firepower 4100/9300
Connect to the Console of the Application

Before you begin


• Configure your interfaces and add any EtherChannels according to Configure a Physical Interface, on
page 4 and Add an EtherChannel (Port Channel), on page 6.
• You can edit the membership of an allocated EtherChannel without impacting the logical device.
• If you want to add an already-allocated interface to an EtherChannel (for example, all interfaces are
allocated by default to a cluster), you need to unallocate the interface from the logical device first, then
add the interface to the EtherChannel. For a new EtherChannel, you can then allocate the EtherChannel
to the device.
• If you remove an allocated interface in FXOS (for example, if you remove a network module, remove
an EtherChannel, or reassign an allocated interface to an EtherChannel), then the ASA configuration
retains the original commands so that you can make any necessary adjustments; removing an interface
from the configuration can have wide effects. You can manually remove the old interface configuration
in the ASA OS.
• For clustering or failover, make sure you add or remove the interface on all units. We recommend that
you make the interface changes on the slave/standby unit(s) first, and then on the master/active unit. New
interfaces are added in an administratively down state, so they do not affect interface monitoring.

Procedure

Step 1 Enter security services mode:


Firepower# scope ssa

Step 2 Edit the logical device:


Firepower /ssa # scope logical-device device_name

Step 3 Unallocate an interface from the logical device:


Firepower /ssa/logical-device # delete external-port-link name
Enter the show external-port-link command to view interface names.
For a management interface, delete the current interface then commit your change using the commit-buffer
command before you add the new management interface.

Step 4 Allocate a new interface to the logical device:


Firepower /ssa/logical-device* # create external-port-link name interface_id asa

Step 5 Commit the configuration:


commit-buffer
Commits the transaction to the system configuration.

Connect to the Console of the Application


Use the following procedure to connect to the console of the application.

Logical Devices for the Firepower 4100/9300


15
Logical Devices for the Firepower 4100/9300
Connect to the Console of the Application

Procedure

Step 1 Connect to the module CLI.


connect module slot_number console
To connect to the security engine of a device that does not support multiple security modules, always use 1
as the slot_number.
Example:

Firepower# connect module 1 console


Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>

Step 2 Connect to the application console. Enter the appropriate command for your device.
connect asa
connect ftd
connect vdp name
Example:

Firepower-module1> connect asa


Connecting to asa(asa1) console... hit Ctrl + A + D to return to bootCLI
[...]
asa>

Step 3 Exit the application console to the FXOS module CLI.


• ASA—Type Ctrl-a, d
• FTD—Type
• vDP—Type Ctrl-], .

You might want to use the FXOS module CLI for troubleshooting purposes.

Step 4 Return to the supervisor level of the FXOS CLI.


a) Type ~.
You exit to the Telnet application.
b) To exit the Telnet application, enter:
telnet>quit

Logical Devices for the Firepower 4100/9300


16
Logical Devices for the Firepower 4100/9300
History for Logical Devices

Example
The following example connects to an ASA on security module 1 and then exits back to the supervisor
level of the FXOS CLI.
Firepower# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit

Firepower-module1>connect asa
asa> ~
telnet> quit
Connection closed.
Firepower#

History for Logical Devices


Feature Version Details

Support for the Firepower 4100 series 9.6(1) With FXOS 1.1.4, the ASA supports
inter-chassis clustering on the Firepower
4100 series.
We did not modify any commands.

Inter-chassis clustering for 6 modules, and 9.5(2.1) With FXOS 1.1.3, you can now enable
inter-site clustering for the Firepower 9300 inter-chassis, and by extension inter-site
ASA application clustering. You can include up to 6 modules
in up to 6 chassis.
We did not modify any commands.

Intra-chassis ASA Clustering for the 9.4(1.150) You can cluster up to 3 security modules
Firepower 9300 within the Firepower 9300 chassis. All
modules in the chassis must belong to the
cluster.
We introduced the following commands:
cluster replication delay, debug
service-module, management-only
individual, show cluster chassis

Logical Devices for the Firepower 4100/9300


17
Logical Devices for the Firepower 4100/9300
History for Logical Devices

Logical Devices for the Firepower 4100/9300


18

You might also like