The following example changes the device name: The Firepower 2100 appends the domain name as a suffix to unqualified names. mode for the best compatibility. You can use the FXOS CLI or the GUI chassis manager to configure these functions; this document covers the FXOS CLI. Create an access list for the services to which you want to enable access. For ASA syslog messages, you must configure logging in the ASA configuration. keyring Specify the URL for the file being imported using one of the following: When the new package finishes downloading (Downloaded state), boot the package. Specify the email address associated with the certificate request. This setting is the default. You can use the scope command with any managed object, whether a permanent object or a user-instantiated object. single or double-quotes; these will be seen as part of the expression. Specify the 2-letter country code of the country in which the company resides. default-auth, set absolute-session-timeout Formerly, only RSA keys were supported. To use an interface, it must be physically enabled in FXOS and logically enabled in the ASA. The other commands allow you to ip_address mask, no http 192.168.45.0 255.255.255.0 management, http You can connect to the ASA CLI from FXOS, and vice versa. and HTTPS sessions are closed without warning as soon as you save or commit the transaction. The following example configures an IPv4 management interface and gateway: The following example configures an IPv6 management interface and gateway: You can set the SSL/TLS versions for HTTPS access. network devices using SNMP. SNMPv3 provides for both security models and security levels. ip/mask, set set org-unit-name organizational_unit_name. By default, the Firepower 2100 allows HTTPS access to the chassis manager and SSH access on the Management 1/1 192.168.45.0/24 network.
You must manually regenerate the default key ring certificate if the certificate expires. a configuration command is pending and can be discarded. The modulus value (in bits) is in multiples of 8 from 1024 to 2048. Configure the local sources that generate syslog messages. A password is required for each locally-authenticated user account. SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. bundled ASDM image. password, between 0 and 15. dns {ipv4_addr | ipv6_addr}. The chassis provides the following support for SNMP: The chassis supports read-only access to MIBs. configuration file already exists, which you can choose to overwrite or not. Removed the set change-during-interval command, and added a disabled option for the set change-interval , set no-change-interval , and set history-count commands. For example, if you set the history count to 3, and the reuse (Optional) Specify the last name of the user: set lastname 3 times. Operating System (FXOS) operates differently from the ASA CLI. You cannot use any spaces or way to back up and restore a configuration. port-num. min-password-length Several of these subcommands have additional options that let you further control the filtering. gateway_address. configuration command. Enable or disable whether a locally-authenticated user can make password changes within a given number of hours. You can view the pending commands in any command mode. To obtain a new certificate, The minutes value can be any integer between 60-1440, inclusive. You can disable HTTPS if you want to disallow chassis manager access, or customize the HTTPS configuration including specifying the key ring to be used for HTTPS sessions. You must configure a valid Remote IKE ID (set remote-ike-id ) in FQDN format. set The chassis generates SNMP notifications as either traps or informs.
On the ASA, there is not a separate setting for Common Criteria mode; any additional restrictions for CC or UCAPL ip A subnet of 0.0.0.0 and a prefix of 0 allows unrestricted access to a service. enable dhcp-server interface by redirecting the output to a text file. is a persistent console connection, not like a Telnet or SSH connection. scope need a third party serial-to-USB cable to make the connection. The account cannot be used after the date specified. Must pass a password dictionary check. The cipher_suite_mode can be one of the following keywords: custom Lets you specify a user-defined Cipher Suite specification string using the set https cipher-suite command. For example, with show configuration | head and show configuration | last, you can use the lines keyword to change the number of lines displayed; the default is 10. min_num_hours Because the DHCP server is enabled by default on Management 1/1, you must disable DHCP before you change the management IP Must not contain the following symbols: $ (dollar sign), ? Make sure the image you want to upload is available on an FTP, SCP, SFTP, TFTP server, or a USB drive. Pseudo-Random Function (PRF) (IKE only): prfsha384, prfsha512, prfsha256. days. An expression, The default level is larger-capacity interface. console, SSH session, or a local file. Specify the trusted point that you created earlier. interface. month phone-num. set expiration-grace-period ASDM image (asdm.bin) just before upgrading the ASA bundle. The security model combines with the selected security To configure HTTPS access to the chassis, do one of the following: (Optional) Specify the HTTPS port. You must configure DNS (see Configure DNS Servers) if you enable this feature. enter snmp-trap {hostname | ip-addr | ip6-addr}. Creating a Key Ring; Regenerating the Default Key Ring; Creating a Certificate Request for a Key Ring; Creating a Certificate Request for a Key Ring with Basic Options.
set https cipher-suite-mode Configure an IPv6 management IP address and gateway. log-level If a user is logged in when set change-interval ipv6_address system-location-name. the DHCP server in the chassis manager at Platform Settings > DHCP. example shows how to display lines from the system event log that include the The certificate must be in Base64 encoded X.509 (CER) format. This is the default setting. We added password security improvements, including the following: User passwords can be up to 127 characters. This command is required using an FQDN if you enforce FQDN usage with the set fqdn-enforce command. All users are assigned the read-only role by default, and this role cannot be removed. For each block of IP addresses (v4 or v6), up to 25 different subnets can be configured for each service. From FXOS, you can enter the Firepower Threat Defense CLI using the connect ftd command. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP certchain [certchain]. The minutes value can be any integer between 30-480, inclusive. set The admin role allows read-and-write access to the configuration. Press Ctrl+c to cancel out of the set message dialog. This kind of accuracy is required for time-sensitive operations, such as validating CRLs, which include a precise time stamp. By default, AES-128 encryption is disabled. FXOS supports a maximum of 8 key rings, including the default key ring.
If you change the gateway from the default set history-count uniq Discards all but one of successive identical You can use the FXOS CLI or the GUI chassis enable netmask is the pipe character and is part of the command, not part of the syntax prefix [https | snmp | ssh]. Uses a community string match for authentication. the getting started guide for information The community name can be any alphanumeric string up to 32 characters. interface_id. and back again. confirmed. Specify the organization requesting the certificate. ip_address mask Press Enter between lines. set accesses the chassis manager, the browser shows an SSL warning, which requires the user to accept the certificate before accessing the chassis manager. After you create the user, the login ID cannot be changed. show command CLI, or Elliptic Curve Digital Signature Algorithm (ECDSA) encryption keys, , curve25519, ecp256, ecp384, ecp521, modp3072, modp4096, Secure Firewall chassis If any hostname fails to resolve, Because that certificate is self-signed, client browsers do not automatically trust it. by redirecting the output to a text file. for a user and the role in which the user resides. Message origin authentication: Ensures that the claimed identity of the user on whose behalf received data was originated is If you use the no-prompt keyword, the chassis will shut down immediately after entering the command. with the other key. and privileges. Perform these steps to enable FIPS or Common Criteria (CC) mode on your Firepower 2100. keyring_name. Copy the text of the certificate request, including the BEGIN and END lines, and save it in a file. For example, to generate The chassis includes the agent and a collection of MIBs. keyring default, set requests be sent from the SNMP manager. Specify the state or province in which the company requesting the certificate is headquartered. grep Displays only those lines that match the For IPv6, the prefix length is from 0 to 128.
system, scope following the certificate, type ENDOFBUF to complete the certificate input. If you connect to the ASA management IP address using SSH, enter connect fxos to access FXOS. You can specify the remote address as an FQDN if you configured the DNS server (see Configure DNS Servers). ip_address, set Note that in the following syntax description, You can use the enter To filter the output You must manually regenerate the default key ring certificate if the certificate expires. shows how to determine the number of lines currently in the system event log: The following BEGIN CERTIFICATE and END CERTIFICATE flags. ip-block To configure the DHCP server, do one of the following: enable dhcp-server (Optional) If you set the cipher suite mode to custom , specify the custom cipher suite. These notifications do not require that Connect your management computer to the console port. scope When you enter a configuration command in the CLI, the command is not applied until you save the configuration. name, set you enter the commit-buffer command. Redirects set snmp syslocation By default, a self-signed SSL certificate is generated for use with the chassis manager. When you upgrade the bundle, the ASDM image in the bundle replaces the previous ASDM bundle image because they have the same Strong password check is enabled by default. show commands object, delete the initial vertical bar admin-duplex {fullduplex | halfduplex}. Interfaces that are already a member of an EtherChannel cannot be modified individually. set min_num_hours Set the minimum number of hours that a locally-authenticated user must wait before changing a newly created password, between The system stores this level and above in the syslog file. You are prompted to enter the SNMP community name. set https port remote-subnet Up to 16 characters are allowed in the file name. The set lacp-mode command was changed to set port-channel-mode to match the command usage in the Firepower 4100/9300.
previously-used passwords. detail. If you want to change the management IP address, you must disable If the password strength check is enabled, the Firepower 2100 does not permit a user to choose a password that does not meet manager and FXOS CLI access. For SFP interfaces, the default setting is off, and you cannot enable autonegotiation. You can also change the default gateway You must also change the access list for management On the next line following your input, type ENDOFBUF to finish. ip address character to display the options available at the current state of the command syntax. You can configure up to 48 local user accounts. connections to match your new network. Paste in the certificate chain. For RJ-45 interfaces, the default setting is on. The default is 3 days. The SubjectName is automatically added as the duplex {fullduplex | halfduplex}. For information about the Management interfaces, see ASA and FXOS Management. admin-state Subject Name, and so on). To configure SSH access to the chassis, do one of the following: set ssh-server encrypt-algorithm set port Must include at least one uppercase alphabetic character. superuser account and has full privileges. While any commands are pending, an asterisk (*) appears before the network_mask Show commands do not show the secrets (password fields), so if you want to paste a eth-uplink, scope The cipher_suite_string can contain up to 256 characters and must conform to the OpenSSL Cipher Suite specifications. esp-rekey-time Configure an IPv4 management IP address, and optionally the gateway. despite the failure. long an SSH session can be idle) before FXOS disconnects the session. The chassis supports SNMPv1, SNMPv2c and SNMPv3. trustpoint_name. In a text file, paste the root certificate at the top, followed by each intermediate certificate in the chain, including all You must be a user with admin privileges to add or edit a local user account. 
set ssh-server rekey-limit volume {kb | none} time {minutes | none}. To connect using SSH to the ASA, you must first configure SSH access according to the ASA general operations configuration The Secure Firewall eXtensible Get to the threat defense CLI using the connect command. Use the FXOS CLI for chassis-level configuration and troubleshooting only. For the Firepower 2100, the request is successful, the Certificate Authority sends back an identity certificate that has been digitally signed using in multiple command modes and apply them together. about FXOS access on a data interface. Do not enclose the expression in After the ASA comes up and you connect to the application, you access user EXEC mode at the CLI. a device's public key along with signed information about the device's identity. system, set If you do not specify certificate information in the command, you are prompted to enter a certificate or a list of trustpoints (Optional) Specify the type of trap to send. The Firepower 2100 supports EtherChannels in Active or On Link Aggregation Control Protocol (LACP) mode. and specify a syslog server by the unqualified name of jupiter, then the Firepower 2100 qualifies the name to jupiter.example.com., set domain-name object and enter You can log in with any username (see Add a User). set https cipher-suite Typically, the FXOS Management 1/1 IP address will be on the same network as the ASA Management 1/1 IP address, so this procedure For copper interfaces, this speed is only used if you disable autonegotiation. enter enable syslog source {audits | events | faults}, disable syslog source {audits | events | faults}. filesize. The default is 3600 seconds (60 minutes). receiver decrypts the message using its own private key. Traps are less reliable than informs because the SNMP same speed and duplex. compliance must be configured in accordance with Cisco security policy documents. types (copper and fiber) can be mixed.
This section describes how to set the date and time manually on the Firepower 2100 chassis. When you connect to the ASA console from the FXOS console, this connection you must generate a certificate request through FXOS and submit the request to a trusted point. extended-type pattern. Depending on the model, you use FXOS for configuration and troubleshooting. show Must not contain three consecutive numbers or letters in any order, such as passwordABC or password321. tunnel_or_transport, set Configuring the Role Policy for Remote Users; Enabling Password Strength Check for Locally Authenticated Users; Set the Maximum Number of Login Attempts. The entities, or processes. System clock modifications take effect immediately. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. A certificate is a file containing Established connections remain untouched. The following example creates the pre-login banner: The following procedure describes how to enable or disable SSH access to FXOS. set expiration-warning-period SNMP is an application-layer protocol that provides a message format for password-profile, set Suite security level to high: You can configure an IPSec tunnel to encrypt management traffic. scope enter snmp-user keyringtries See name. Failed commands are reported in an error message. If you authority output of ipv6-prefix prefix [https | snmp | ssh]. remote-ike-id The following example configures an NTP server with the IP address 192.168.200.101. For every create The system displays this level and above on the console. Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute commands on the underlying operating system (OS) with root privileges. DNS is required to communicate with the NTP server. mode is set to Active; you can change the mode to On at the CLI.
The SNMP framework consists of three parts: An SNMP manager: The system used to control and monitor the activities of You can enable a DHCP server for clients attached to the Management 1/1 interface. individual interfaces.