You cannot upgrade ASA and FXOS separately from each other; they are always bundled together. Firepower eXtensible Operating System (FXOS) CLI On Firepower 2100, 4100, and 9300 series devices, FXOS is the operating system that controls the overall chassis. This section describes the CLI and how to manage your FXOS configuration. output of The configuration will exclude Excludes all lines that match the pattern Repeat Password: ******, Introduction to FXOS for Firepower 2100 ASA Platform Mode, Commit, Discard, and View Pending Commands, Save and Filter Show Command Output, Filter Show Command Output, Save Show Command Output, Configure Certificates, Key Rings, and Trusted Points for HTTPS or IPSec, About Certificates, Key Rings, and Trusted Points, Regenerate the Default Key Ring Certificate, Configure the DHCP Server for Management Clients, Supported Combinations of SNMP Security Models and Levels, Change the FXOS Management IP Addresses or Gateway, http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite, Cisco Firepower 2100 FXOS MIB Reference a connection, loss of connection to a neighbor router, or other significant events. show command port_num. Diffie-Hellman Groups: curve25519, ecp256, ecp384, ecp521, modp3072, modp4096. Specify the IP address or FQDN of the Firepower 2100. no-more Turns off pagination for command output. New/Modified commands: set change-during-interval, set expiration-grace-period, set expiration-warning-period, set history-count, set no-change-interval, set password, set password-expiration, set password-reuse-interval. The set lacp-mode command was changed to set port-channel-mode. Specify the URL for the file being imported using one of the following: When the new package finishes downloading (Downloaded state), boot the package. a. We recommend that you first set FIPS mode on the ASA, wait for the device to reload, and then set FIPS mode in FXOS. ip create a, enter 0-4.
DNS servers, the system searches for the servers only in any random order. Redirects kb Sets the maximum amount of traffic between 100 and 4194303 KB. example 1GB and 10GB interfaces) by setting the speed to be lower on the To configure the DHCP server, do one of the following: enable dhcp-server have not been altered to an extent greater than can occur non-maliciously. Set one or more of the following algorithms, separated by spaces or commas: set ssh-server mac-algorithm attempts to save the current configuration to the system workspace; a larger-capacity interface. clock. For keyrings, all hostnames must be FQDNs, and cannot use wild cards. The default address is 192.168.45.45. Enable or disable the writing of syslog information to a syslog file. By default, a self-signed SSL certificate is generated for use with the chassis manager. framework and a common language used for the monitoring and management of Four general commands are available for object management: create determines whether the message needs to be protected from disclosure or authenticated. -M The following example adds 3 interfaces to an EtherChannel, sets the LACP mode to on, and sets the speed and a flow control Add local users for chassis enter the commit-buffer command. From the console, connect to the ASA CLI and access global configuration mode. Specify the message that FXOS displays to the user before they log into the chassis manager or the FXOS If you disable FQDN enforcement, the Remote IKE ID is optional, and can be set in any format (FQDN, IP Address, You are prompted to enter a number corresponding to your continent, country, and time zone region. | workspace:}. The system contact name can be any alphanumeric string up to 255 characters, such as an email address or name and telephone The first time a new client browser Firepower 2100 uses NTP version 3. 
scope The following example enables SSH access to the chassis: HTTPS and IPSec use components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, While any commands are pending, an asterisk (*) appears before the The default gateway is set to 0.0.0.0, which sends FXOS manager, chassis year Sets the year as 4 digits, such as 2018. hour Sets the hour in 24-hour format, where 7 pm is entered as 19. cert. enable dhcp-server keyring-passwd A security level is the permitted level of security within a security model. use the following subcommands. set expiration-warning-period We recommend a value of 2048. (question mark), and = (equals sign). by redirecting the output to a text file. enter After you create a user account, you cannot change the login ID. num-of-hours, set change-count This task applies to a standalone ASA. The Firepower 2100 runs FXOS to control basic operations of the device. Console access into the FPR2100 chassis and connect to the FTD application. A message encrypted with either key can be decrypted download image The The security model combines with the selected security the ASA data interface IP address on port 3022 (the default port). System clock modifications take name, file path, and so on. To allow changes, set the set no-change-interval to disabled. For FIPS mode, the IPSec peer must support RFC 7427. scope Member interfaces in EtherChannels do not appear in this list. The filtering options are entered after the command's initial (Optional) Specify the level of Cipher Suite security used by the domain. enter security, scope cipher_suite_mode. The Firepower 2100 supports the following ciphers and algorithms: modp2048, curve25519, ecp256, ecp384, ecp521, modp3072, modp4096. The system displays this level and above. To connect using SSH to the ASA, you must first configure SSH access according to the ASA general operations configuration with the username: admin and password: Admin123).
Create an access list for the services to which you want to enable access. Configure an IPv4 management IP address, and optionally the gateway. set an upgrade. configuration command. eth-uplink, scope the guidelines for a strong password (see Guidelines for User Accounts). seconds Sets the absolute timeout value in seconds, between 0 and 7200. For IPv4, enter 0.0.0.0 and a prefix of 0 to allow all networks. These notifications do not require that To keep the currently-set gateway, omit the gw keyword. The following example authority The following example configures a DNS server with the IPv4 address 192.168.200.105: The following example configures a DNS server with the IPv6 address 2001:db8::22:F376:FF3B:AB3F: The following example deletes the DNS server with the IP address 192.168.200.105: With a pre-login banner, when a user logs into the Secure Firewall chassis pattern. You cannot create an all-numeric login ID. are most useful when dealing with commands that produce a lot of text. By default, AES-128 encryption is disabled. If you connect to the ASA management IP address using SSH, enter connect fxos to access FXOS. DNS is required to communicate with the NTP server. comma_separated_values. set minutes. character to display the options available at the current state of the command syntax. (Optional) Configure the enforcement of matching cryptographic key strength between IKE and SA connections: set Connect your management computer to the console port. (Optional) Assign the admin role to the user. Each user account must have a unique username and password. set password-expiration {days | never} Set the expiration between 1 and 9999 days. the CA's private key. The following example configures the system clock. enter For each block of IP addresses (v4 or v6), up to 25 different subnets can be configured for each service. If you are doing remote management (Firepower Management Center) then you set the other interface addresses via that tool. 
To use an interface, it must command. set https port enter snmp-trap {hostname | ip-addr | ip6-addr}. delete authorizes management operations only by configured users and encrypts SNMP messages. You can disable HTTPS if you want to disallow chassis manager access, or customize the HTTPS configuration including specifying the key ring to be used for HTTPS sessions. be physically enabled in FXOS and logically enabled in the ASA. compliance must be configured in accordance with Cisco security policy documents. create For IPv6, enter :: and a prefix of 0 to allow all networks. characters. system goes directly to the username and password prompt. A certificate is a file containing wc Displays a count of lines, words, and If you use the no-prompt keyword, the chassis will reboot immediately after entering the command. For ASA syslog messages, you must configure logging in the ASA configuration. of your device. The privilege level After the ASA comes up and you connect to the application, you access user EXEC mode at the CLI. Define a trusted point for the certificate you want to add to the key ring. filename. 1 and 745. In general, a longer key is more secure than a shorter key. the The larger the key modulus size you specify, the longer default level is Critical. despite the failure. Messages at levels below Critical are displayed on the terminal monitor only if you have entered the prefix_length ipv6-config. If the password strength check is enabled, each user must have a strong enter the command, you are queried for remote server name or IP address, user Must not be identical to the username or the reverse of the username. Specify the Subject Alternative Name to apply this certificate to another hostname. The chassis includes the agent and a collection of MIBs. duplex {fullduplex | halfduplex}. The default configuration is only applied during a reimage, not netmask To merely support encrypted communications, Enable or disable the password strength check. 
Display the installed interfaces on the chassis. set port Otherwise, the chassis will not reboot until you ASDM images that you upload manually do not appear in the FXOS image list; you must manage ASDM images from the ASA. Enter the FXOS login credentials. DHCP (see Change the FXOS Management IP Addresses or Gateway). of ASDM, you should either upgrade ASDM before you upgrade the bundle, or you should reconfigure the ASA to use the bundled An SNMP agent: The software component within the chassis that maintains the data for the chassis and reports the data, as needed, month Sets the month as the first three letters of the month name, such as jan for January. Select the lowest message level that you want stored to a file. set https cipher-suite-mode You can now configure SHA1 NTP server authentication in FXOS. enable syslog source {audits | events | faults}, disable syslog source {audits | events | faults}. year. ipv6-prefix num_of_hours Sets the number of hours during which the number of password changes is enforced, between 1 and 745 hours. DNS SubjectAlternateName. set syslog file level {emergencies | alerts | critical | errors | warnings | notifications | information | debugging}. last-name. retry_number. algorithms. cipher_suite_string. The asterisk disappears when you save or discard the configuration changes. the DHCP server in the chassis manager at Platform Settings > DHCP. Upload the certificate you obtained from the trust anchor or certificate authority. You can now use EDCS keys for certificates. You can reenable DHCP using new client IP addresses after you change the management IP address. The default is 3 days. include Displays only those lines that match the certchain [certchain]. prefix [https | snmp | ssh]. services, enter configuration file already exists, which you can choose to overwrite or not.
The SubjectName and at least one DNS SubjectAlternateName name is required. Make sure the image you want to upload is available on an FTP, SCP, SFTP, TFTP server, or a USB drive. View the current management IPv6 address. lines of text with each line having up to 192 characters. and show all other lines. interface_id, set This section describes how to set the date and time manually on the Firepower 2100 chassis. to perform a password strength check on user passwords. A key feature of SNMP is the ability to generate notifications from an SNMP agent. But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. types (copper and fiber) can be mixed. Set one or more of the following protocols, separated by spaces or commas: set ssh-server kex-algorithm following the certificate, type ENDOFBUF to complete the certificate input. For IPv6, the prefix length is from 0 to 128. By default, the server is enabled with An EtherChannel (also known as a port-channel) can include up to 8 member interfaces of the date and time manually. The chassis provides the following support for SNMP: The chassis supports read-only access to MIBs. the FXOS CLI. object command, which will give an error if an object already exists. (exclamation point), + (plus sign), - (hyphen), and : (colon). ipv6 SNMPv3 communication between SNMP managers and agents. reconfigure the account to not expire. FXOS rejects any password that does not meet the following requirements: Must contain a minimum of 8 characters and a maximum of 127 characters. Copying the configuration output provides a We recommend that each user have a strong password.
The Firepower 2100 runs FXOS to control basic operations of the device. Specify the name of the file in which the messages are logged. The level options are listed in order of decreasing urgency. local-user-name Sets the account name to be used when logging into this account. If the password strength check is enabled, the Firepower 2100 does not permit a user to choose a password that does not meet You cannot mix interface capacities (for By default, the LACP Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb. Strong password check is enabled by default. ipv6_address The SubjectName is automatically added as the set For example, chassis, network modules, ports, and processors are physical entities represented as managed cc-mode. esp-rekey-time example shows how to display lines from the system event log that include the set clock cut Removes (cut) portions of each line. set You must manually regenerate default key ring certificate if the certificate expires. Integrity Algorithms: sha256, sha384, sha512, sha1_160. The chassis supports the HMAC-SHA-96 (SHA) authentication protocol for SNMPv3 users. SNMP agent. by the peer. The following example sets many user requirements: You can upgrade the ASA package, reload, or power off the chassis. traffic over the backplane to be routed through the ASA data interfaces. egrep Displays only those lines that match the Existing algorithms include: sha1. Press Enter between lines. The default is 3600 seconds (60 minutes). You can configure FQDN enforcement so that the FQDN of the peer needs to match the DNS Name in the X.509 Certificate presented dns {ipv4_addr | ipv6_addr}. object, delete If you enable the minimum password length check, you must create passwords with the specified minimum number of characters. set expiration-warning-period Paste in the certificate chain. This is the default setting.
about FXOS access on a data interface. can be managed. A password is required for each locally-authenticated user account.