Firepower 8000 Series Hardware Installation Guide
First Published: July 22, 2016
Last Updated: May 5, 2017
Cisco Systems, Inc. www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Contents
About This Guide
Organization
Document Conventions
Installation Warnings
Where to Find Safety and Warning Information
Related Documentation
Obtaining Documentation and Submitting a Service Request
About the Firepower 8000 Series
Firepower 8000 Series Managed Devices Delivered with Firepower System
Firepower 8000 Series Device Chassis Designations
Hardware Specifications
Rack and Cabinet Mounting Options...
Testing an Inline Bypass Interface Installation 3-18
Using the LCD Panel on a Firepower Device
Understanding LCD Panel Components
Using the LCD Multi-Function Keys
Idle Display Mode
Network Configuration Mode
Allowing Network Reconfiguration Using the LCD Panel
System Status Mode
Information Mode
Error Alert Mode
Deploying on a Management Network...
Deploying with a Virtual Router
Deploying with Hybrid Interfaces
Deploying a Gateway VPN 6-10
Deploying with Policy-Based NAT 6-11
Deploying with Access Control 6-11
Using Multiple Sensing Interfaces on a Managed Device 6-16
Complex Network Deployments 6-18
Integrating with VPNs 6-18
Detecting Intrusions on Other Points of Entry 6-19...
Verify the NetMod from the Firepower Management Center
Apply Changes to the Appliance
Installing a Malware Storage Pack
Malware Storage Pack Overview
Supported Devices
Before You Begin
Malware Storage Pack Kit for 1U Devices
Malware Storage Pack Kit for 2U Devices
Installation
Installing a Malware Storage Pack During an Upgrade
Installing a Malware Storage Pack on a Version 6.0.1 Device...
Updated: July 22, 2016 This guide describes how to install and maintain the Cisco Firepower 8000 Series appliances. Information in this guide applies to the Cisco 80xx Family, 81xx Family, and the 83xx Family models. This preface includes the following sections:...
About This Guide
Document Conventions
Chapter 6, Deploying Firepower Managed Devices: Describes how different sensing interfaces affect the capabilities of the Firepower System, including passive, inline, routed, switched, and hybrid interfaces.
Appendix A, Power Requirements for Firepower 8000 Series Devices: Describes AC and DC power requirements for Firepower 8000 Series devices.
Caution: Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Installation Warnings
Be sure to read the Regulatory Compliance and Safety Information document (http://www.cisco.com/c/en/us/td/docs/security/firesight/hw-docs/regulatory/compliance/firesight-firepower-rcsi.html) before installing the device. This section presents these important safety warnings:
• Power Supply Disconnection Warning, page vii
• Jewelry Removal Warning, page vii
• ...
Wrist Strap Warning
Warning: During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly touch the backplane with your hand or any metal tool, or you could receive a shock. Statement 94
Work During Lightning Warning
Warning: Do not work on the system, or connect or disconnect cables during periods of lightning.
For safety and warning information, see the Regulatory Compliance and Safety Information document at the following URL: http://www.cisco.com/c/en/us/td/docs/security/firesight/hw-docs/regulatory/compliance/firesight-firepower-rcsi.html This RCSI document describes the international agency compliance and safety information for the Cisco Firepower series. Firepower 8000 Series Hardware Installation Guide...
Related Documentation
For a complete list of the Cisco Firepower series documentation and where to find it, see the documentation roadmap at the following URL: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation...
Warning: Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Firepower 8000 Series Managed Devices Delivered with Firepower System
The following table lists the Firepower 8000 Series managed devices that Cisco delivers with the Firepower System. Table 1-1...
Table 1-2 8000 Series Chassis Models
Firepower and AMP Device Model: AMP8050 (AC or DC power); Hardware Chassis Code: CHAS-1U-AC/DC
Firepower and AMP Device Model: 8120, 8130, 8140, AMP8150 (AC or DC power); Hardware Chassis Code: CHAS-1U-AC/DC
Firepower and AMP Device Model: 8250, 8260, 8270, 8290...
The Firepower 8000 Series device can be delivered on a variety of chassis:
• AMP8050 is a 1U chassis and can contain up to three modules.
• Firepower 8120, 8130, 8140, and AMP8150, also known as the 81xx Family, is a 1U chassis and can...
Chapter 2 Hardware Specifications
Firepower 8000 Series Devices
• Firepower 8290, part of the 82xx Family, is an 8U configuration with four 2U chassis. The primary chassis contains three stacking modules and up to four sensing modules. Each secondary chassis contains one stacking module.
Firepower 82xx Family and Firepower and AMP 83xx Family Chassis Front View
The front view of the chassis contains the LCD panel, front panel, and seven module slots.
Figure 2-2 Firepower 82xx Family (Chassis: CHAS-2U-AC/DC) and Firepower and AMP 83xx Family (PG35-2U-AC/DC) Front View
The following table describes the features on the front of the appliance.
Figure 2-4 Firepower 82xx Family and Firepower and AMP 83xx Family Front Panel
Table 2-2 Firepower 8000 Series Front Panel Components
• NIC activity LED
• Reset button
• Reserved ID button
• Hard drive activity LED
• Power button and LED
• System status LED
• USB 2.0 connector...
Table 2-3 Firepower 8000 Series Front Panel LEDs (continued)
System ID: Helps identify a system installed in a high-density rack with other similar systems:
• A blue light indicates the ID button is pressed and a blue light is on at the rear of the...
Firepower 8000 Series Chassis Rear View
The Firepower 8000 Series chassis can be in the 81xx Family, 82xx Family, or 83xx Family.
AMP8x50 and Firepower 81xx Family Chassis Rear View
The rear view of the chassis contains connection ports, the management interface, and the power supplies.
Figure 2-7 Firepower and AMP 83xx Family (Chassis: PG35-2U-AC/DC) Rear View
The following table describes the features that appear on the rear of the appliance.
Table 2-5 Firepower 8000 Series System Components: Rear View
VGA port: ...
Table 2-6 Firepower 8000 Series Management Interface LEDs
Left (activity): Indicates activity on the port:
• A blinking light indicates activity.
• No light indicates there is no activity.
Right (link): Indicates whether the link is up:
• A light indicates the link is up.
Firepower 8000 Series Physical and Environmental Parameters
The following table describes the physical attributes and environmental parameters for AMP8x50 and 81xx Family devices.
Table 2-9 AMP8x50 and 81xx Family Physical and Environmental Parameters
Form factor: ...
Table 2-9 AMP8x50 and 81xx Family Physical and Environmental Parameters (continued)
Cooling requirements: 1725 BTU/hour. You must provide sufficient cooling to maintain the appliance within its required operating temperature range. Failure to do this may cause a malfunction or damage to the appliance.
Acoustic noise: Max normal operating noise is 87.6 dB LWAd (high temperature).
Table 2-10 Firepower 82xx Family and Firepower and AMP 83xx Family Physical and Environmental Parameters
Fiber 10GBASE non-bypass (MMSR or SMLR NetMod): Quad-port fiber non-bypass interfaces with LC connectors. Cable and distance: LR is single-mode at 5000 m (available); SR is multimode fiber (850 nm) at 550 m (standard).
Fiber 1000BASE-SX...
Table 2-10 Firepower 82xx Family and Firepower and AMP 83xx Family Physical and Environmental Parameters (continued)
Acoustic noise: Max normal operating noise is 81.6 dB LWAd (high temperature). Typical normal operating noise is 81.4 dB LWAd.
Operating shock: No errors with half a sine wave shock of 2G (with 11 ms duration).
Airflow...
Quad-Port 1000BASE-T Copper Configurable Bypass NetMod
The quad-port 1000BASE-T copper configurable bypass NetMod contains four copper ports and link, activity, and bypass LEDs. Use the following table to understand the link and activity LEDs on copper interfaces.
Table 2-11 Copper Link/Activity LEDs
Status...
Table 2-13 Fiber Link/Activity LEDs
For an inline or passive interface:
• A blinking light indicates the interface has activity.
• No light indicates there is no activity.
Bottom: For an inline interface: A light indicates the interface has activity.
Dual-Port 10GBASE (MMSR or SMLR) Fiber Configurable Bypass NetMod
The dual-port 10GBASE (MMSR or SMLR) fiber configurable bypass NetMod contains two fiber ports and link, activity, and bypass LEDs. Use the following table to understand the link and activity LEDs of the fiber interfaces.
Table 2-16 Fiber Link/Activity LEDs
Status...
Table 2-18 10GBASE MMSR and SMLR NetMod Optical Parameters (continued)
Optical interface: 10GBASE MMSR: Multimode, 840-860 nm (850 nm typical); 10GBASE SMLR: Single mode only, 1270-1355 nm (1310 nm typical)
Operating distance: 10GBASE MMSR: 85 ft (26 m) to 108 ft (33 m) for 62.5 µm/125 µm fiber (modal BW 160 to 200...); 10GBASE SMLR: 6 ft to 6.2 miles (2 m to 10 km) for ...
• Firepower and AMP 8350 (must be 40G-capable)
Caution: If you attempt to create a 40G interface on a device that is not 40G-capable, the 40G interface screen on its managing Firepower Management Center web interface displays red. A 40G-capable 8250 displays “8250-40G”...
Table 2-21 40GBASE-SR4 NetMod Optical Parameters (continued)
Minimum average launch power: -7.8 dBm
Maximum average power at receiver: 2.4 dBm
Receiver sensitivity: -9.5 dBm
Quad-Port 1000BASE-T Copper Non-Bypass NetMod
The quad-port 1000BASE-T copper non-bypass NetMod contains four copper ports, and link and activity LEDs.
Table 2-23 Non-Bypass Fiber Link/Activity LEDs
(Activity): For an inline or passive interface: the light flashes when the interface has activity. If dark, there is no activity.
Bottom (Link): For an inline interface: the light is on when the interface has link. If dark, there is no link.
Table 2-25 Fiber Link/Activity LEDs
For an inline or passive interface: the light flashes when the interface has activity. If dark, there is no activity.
Bottom: For an inline interface: the light is on when the interface has link. If dark, there is no link.
You can use the stacking module optionally in the following 8000 Series models:
• Firepower 8140 and 8250
• Firepower and AMP 8350
The stacking module is included in the following 8000 Series stacked configurations:
• Firepower 8260, 8270, and 8290
• ...
Chapter 3 Installing a Firepower 8000 Series Device
Firepower System appliances are easily installed on your network as part of a larger Firepower System deployment. You install devices on network segments to inspect traffic and generate intrusion events based on the intrusion policy applied to them.
• Effect of damage on the installation
• ...
Security Considerations
Before you install your appliance, Cisco recommends that you consider the following:
• Locate your appliance in a lockable rack within a secure location that prevents access by unauthorized personnel.
Identifying the Sensing Interfaces
The Firepower and AMP 8350 is available as a 2U appliance. The Firepower and AMP 8360, 8370, and 8390 are available as 2U appliances with one, two, or three secondary 2U appliances. The following illustration of the rear of the chassis indicates the location of the default management interface for each 2U appliance.
• a quad-port 1000BASE-SX fiber interface with configurable bypass capability
• a dual-port 10GBASE (MMSR or SMLR) fiber interface with configurable bypass capability
• a dual-port 40GBASE-SR4 fiber interface with configurable bypass capability (2U devices only)
• a quad-port 1000BASE-SX fiber interface with configurable bypass capability. See Figure 3-4 Quad-Port 1000BASE-SX Fiber Configurable Bypass NetMod, page 3-6 for more information.
• a dual-port 10GBASE (MMSR or SMLR) fiber interface with configurable bypass capability. See ...
Figure 3-4 Quad-Port 1000BASE-SX Fiber Configurable Bypass NetMod
The quad-port 1000BASE-SX fiber configurable bypass configuration uses LC-type (Local Connector) optical transceivers. You can use this configuration to passively monitor up to four separate network segments. You also can use paired interfaces in inline or inline with bypass mode, which allows you to deploy the managed device as an intrusion prevention system on up to two separate networks.
Figure 3-6 Dual-Port 40GBASE-SR4 Fiber Configurable Bypass NetMod
The dual-port 40GBASE-SR4 fiber configurable bypass configuration uses MPO (Multiple-Fiber Push On) connector optical transceivers. You can use the 40G NetMod only in the following 8000 Series models:
• Firepower 8270 and 8290
• ...
Figure 3-8 Quad-Port 1000BASE-T Copper Non-Bypass NetMod
You can use these connections to passively monitor up to four separate network segments. You also can use paired interfaces in inline configuration on up to two network segments.
Figure 3-9 Quad-Port 1000BASE-SX Fiber Non-Bypass NetMod
The quad-port 1000BASE-SX fiber non-bypass configuration uses LC-type (Local Connector) optical...
For best performance, use the interface sets consecutively. If you skip interfaces, you may experience degraded performance.
Firepower 8000 Series Stacking Module
A stacking module combines the resources of two or more identically configured appliances. The stacking module is optional on the following 8000 Series models:
• Firepower 8140 and 8250
• ...
Using Devices in a Stacked Configuration
You can increase the amount of traffic inspected on network segments by combining the resources of identically configured devices in a stacked configuration. One device is designated as the primary device and is connected to the network segments.
• Managing Stacked Devices, page 3-15
Connecting the Firepower 8140
You can connect two Firepower 8140s in a stacked configuration. You must use one 8000 Series stacking cable to create the physical connection between the primary device and the secondary device.
You can stack additional devices for a total of four devices in the stack for the following configurations:
• Firepower 8260 and 8270
• Firepower or AMP 8360
• ...
8270 or 8370 Primary Device (40G) and Two Secondary Devices
The following example shows a Firepower 8270 or a 8370 (Firepower or AMP) configuration. The Firepower 8270 includes a 40G-capable 8250 primary device and two dedicated secondary devices. The Firepower or AMP 8370 includes a 40G-capable 8350 primary device and two dedicated secondary devices.
To connect an 8250 or an 8350 secondary device:
Step 1 Use an 8000 Series stacking cable to connect the left interface on the stacking module on the primary device to the left interface on the stacking module on the secondary device.
• Firepower 8140 requires one cable
Devices do not need to be powered down to insert or remove the stacking cable.
Caution: Use only the Cisco 8000 Series stacking cable when cabling your devices. Using unsupported cables can create unforeseen errors.
You can connect a computer to any Firepower device using the physical serial port. Connect the appropriate rollover serial cable (also known as a NULL modem cable or Cisco console cable) at any time, then configure the remote management console to redirect the default VGA output to the serial port.
Installing the Firepower Device in a Rack
To use LOM to restore the appliance to factory settings, do not delete network settings. Deleting the network settings also drops the LOM connection. For more information, see the Firepower 8000 Series Getting Started Guide.
It is important to ensure that you properly install these devices and quantify any latency introduced by their installation.
Note: Your switch’s spanning tree discovery protocol can cause a 30-second traffic delay. Cisco recommends that you disable the spanning tree during the following procedure.
Testing an Inline Bypass Interface Installation
Verify that your ping traffic resumes.
Step 9 Power the device back on, and verify that your ping traffic continues to pass.
Step 10 For Firepower devices that support tap mode, you can test and record ping latency results under the following sets of conditions:
• device powered off...
Chapter 4 Using the LCD Panel on a Firepower Device
Firepower devices allow you to view device information or configure certain settings using an LCD panel on the front of the device instead of the system’s web interface. The LCD panel has a display and four multi-function keys, and operates in multiple modes that show different information and allow different configurations depending on the state of the device.
Understanding LCD Panel Components
The LCD panel on the front of a Firepower device has a display and four multi-function keys:
• The display contains two lines of text (up to 17 characters each), as well as the multi-function key...
Note: Pressing a multi-function key as the LCD panel enters Idle Display mode can cause the panel to display an unexpected menu.
Using the LCD Multi-Function Keys
Four multi-function keys allow you to navigate the menus and options on the LCD panel.
In Idle Display mode, the panel alternates (at five-second intervals) between displaying the CPU utilization and free memory available and the chassis serial number. A sample of each display might look like this:
CPU: 50% FREE MEM: 1024 MB
Serial Number:...
Network Configuration Mode
• For IPv6, the LCD panel might display the following:
IPv6 Disabled. Enable Manual?
Step 4 Press the right arrow key to manually configure the network:
• For IPv4, the LCD panel displays the IPv4 address. For example:...
The LCD panel displays the following:
Default Gateway 000.000.000.000
Step 9 Edit the default gateway the same way you edited the IP address, and press the check mark key to accept the changes.
System Status Mode
The following table describes the information and options available in this mode.
Table 4-2 System Status Mode Options
Resources: Displays the CPU utilization and free memory available. Note that Idle Display mode also shows this information.
LCD Contrast
Step 2 Press the right arrow key in the row next to the LCD display feature (brightness or contrast) you want to adjust. The LCD panel displays the following:
Increase
Decrease
Press the right arrow key to increase or decrease the display feature you have selected.
Information
Step 3 Press the right arrow key on the bottom row to access Information mode.
Step 4 Scroll through the options by pressing the down arrow key. Press the right arrow key in the row next to the information you want to view.
Error Alert Mode
Table 4-5 Hardware Alarm Error Messages (continued)
Error Message: NFEMessDX; Condition Monitored: message daemon; Description: Alerts when the message daemon fails.
Error Message: NFEHardware; Condition Monitored: hardware status; Description: Alerts when one or more accelerator cards is not communicating.
Error Message: ...; Condition Monitored: cards detected; Description: Alerts when the number of accelerator cards detected on the device...
Chapter 5 Deploying on a Management Network
The Firepower System can be deployed to accommodate the needs of each unique network architecture. The Management Center provides a centralized management console and database repository for the Firepower System.
Understanding Management Interfaces
Management interfaces provide the means of communication between the Management Center and all devices it manages. Maintaining good traffic control between the appliances is essential to the success of your deployment.
• Management (eth0, eth1, and so on) interfaces require unique static IP addresses and hostnames. Cisco recommends that you do not set up DNS entries for additional management interfaces but instead register Management Centers and devices by IP addresses only for these interfaces.
Deploying with Network Routes
The following graphic shows the management traffic channel and the event traffic channel over two management interfaces. You can use a dedicated management interface to carry only event traffic from multiple devices. In this configuration, each device is registered to a different management interface to carry the management traffic channel, and one management interface on the Management Center carries all event traffic channels from all devices.
You can add more management interfaces to configure separate management and event traffic channel interfaces for each device.
Security Considerations
To deploy your management interfaces in a secure environment, Cisco recommends that you consider the following:
• Always connect the management interface to a trusted internal management network that is...
Chapter 6 Deploying Firepower Managed Devices
After you register a device to a Firepower Management Center, you deploy the sensing interfaces of the device on a network segment to monitor traffic using an intrusion detection system or protect your network from threats using an intrusion prevention system.
Understanding Sensing Interfaces
Sensing interfaces are located on the front of the device. To identify your sensing interfaces, see Identifying the Sensing Interfaces, page 3-3.
Passive Interfaces
You can configure a passive deployment to monitor traffic flowing across a network using a switch SPAN, virtual switch, or mirror port, allowing traffic to be copied from other ports on the switch.
You cannot configure bypass interfaces on an ASA FirePOWER device using the Firepower Management Center. For information on configuring an ASA FirePOWER device in inline mode, see the ASA documentation.
Switched Interfaces
You can configure switched interfaces on a Firepower device in a Layer 2 deployment to provide packet switching between two or more networks.
Connecting Devices to Your Network
You can configure your device as a virtual router and use the remaining interfaces to connect to network segments you want to monitor. You can also enable strict TCP enforcement for maximum TCP security. To use a virtual router on your device, create physical routed interfaces on your device and then follow the instructions for Setting Up Virtual Routers in the Firepower Management Center Configuration Guide.
Using a Span Port
Many network switches include a span port that mirrors traffic from one or more ports. By connecting an interface set to the span port, you can monitor the combined traffic from all ports, generally both incoming and outgoing.
Figure 6-1 Crossover Bypass Connection Cabling
The following table indicates where you should use crossover or straight-through cables in your hardware bypass configurations. Note that a Layer 2 port functions as a straight-through (MDI) endpoint in the deployment, and a Layer 3 port functions as a crossover (MDIX) endpoint in the deployment.
Deployment Options
When you place your managed device on a network segment, you can monitor traffic using an intrusion detection system or protect your network from threats using an intrusion prevention system. You can also deploy your managed device to function as a virtual switch, virtual router, or gateway VPN.
Figure 6-2 Virtual Switches on a Managed Device
In this example, the managed device monitors traffic from two separate networks, 172.16.1.0/20 and 192.168.1.0/24. Although both networks are monitored by the same managed device, the virtual switch passes traffic only to those computers or servers on the same network.
When you deploy a virtual router on your managed device, you can use one appliance to connect multiple networks to each other, and to the Internet.
Figure 6-3 Virtual Routers on a Managed Device
In this example, the managed device contains a virtual router to allow traffic to travel between the computers on network 172.16.1.0/20 and the servers on network 192.168.1.0/24 (indicated by the blue and green lines).
The secure tunnel between the gateways protects communication between them. You configure the Firepower System to build secure VPN tunnels from the virtual routers of Cisco managed devices to remote devices or other third-party VPN endpoints using the Internet Protocol Security (IPSec) protocol suite.
• Mesh deployments connect all endpoints together by means of VPN tunnels. This offers redundancy in that when one endpoint fails, the remaining endpoints can still communicate with each other. Use a mesh deployment to connect a group of decentralized branch office locations to ensure that traffic can travel even if one or more VPN tunnels fail.
• allow all traffic to enter your network, and inspect the traffic with a network discovery policy only
• allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery...
An incoming packet is first checked against any fast-path rules. If there is a match, the traffic is fast-pathed. If there is no match, Security Intelligence-based filtering determines if the packet is blacklisted.
On the Internal Network
A malicious attack can originate from a computer on your internal network. This can be a deliberate act (for example, an unknown computer appears unexpectedly on your network), or an accidental infection (for example, a work laptop infected off-site is connected to the network and spreads a virus).
On a Remote or Mobile Network
Remote networks, located off-site, often use a virtual private network (VPN) to provide access to the primary network. Mobile devices and the use of personal devices for business purposes (for example, using a “smart phone”...
Using Multiple Sensing Interfaces on a Managed Device
The managed device offers multiple sensing interfaces on its network modules. You can use multiple sensing interfaces on managed devices to:
• recombine the separate connections from a network tap
• ...
You can use the virtual switch to replace both the tap and the switch in your deployment. Note that if you replace the tap with a virtual switch, you lose the tap packet delivery guarantee. You can also create interfaces to capture data from separate networks.
Complex Network Deployments
Your enterprise’s network may require remote access, such as using a VPN, or have multiple entry points, such as a business partner or banking connection.
Integrating with VPNs
Virtual private networks, or VPNs, use IP tunneling techniques to provide the security of a local network to remote users over the Internet.
Chapter 6 Deploying Firepower Managed Devices Complex Network Deployments Detecting Intrusions on Other Points of Entry Many networks include more than one access point. Instead of a single border router that connects to the Internet, some enterprises use a combination of the Internet, modem banks, and direct links to business partner networks.
Chapter 6 Deploying Firepower Managed Devices Complex Network Deployments Deploying in Multi-Site Environments Many organizations want to extend intrusion detection across a geographically disparate enterprise and then analyze all the data from one location. The Firepower System supports this by offering the Firepower Management Center, which aggregates and correlates events from managed devices deployed throughout the organization’s many locations.
You can replace the firewalls and routers with the managed device deployed in each network segment.
Integrating Multiple Management Interfaces within a Complex Network
You can configure multiple management interfaces in any deployment to isolate traffic from devices that monitor different networks and are managed by the same Firepower Management Center. Multiple management interfaces allow you to add a management interface with a unique IP address (IPv4 or IPv6) to your Firepower Management Center, and create a route from that management interface to a network that contains the device you want to manage.
NAT device. In this case, Cisco recommends that you position managed devices inside the network segment protected by the proxy or NAT device to ensure that hosts are correctly detected.
These appliances are suitable for installation by qualified personnel in network telecommunication facilities and locations where the National Electric Code applies. Cisco recommends that you save the packing materials in case a return is necessary. For more information, see the following sections: •...
Appendix A Power Requirements for Firepower 8000 Series Devices
Firepower 81xx Family Appliances
• DC Installation, page A-3 for circuit installation, voltage, current, ground references, terminals, breaker requirements, and minimum wire size.
• Grounding/Earthing Requirements, page A-4 for bonding locations, recommended terminals, ground wire requirements, and DC supplies.
Frequency Range
The frequency range of the AC power supply is 47 Hz to 63 Hz. Frequencies outside this range may cause the appliance to not operate or to operate incorrectly.
Power Cords
The power connections on the power supplies are IEC C14 connectors and they will accept IEC C13 connectors.
• -40VDC to -72VDC maximum
Use of voltages outside this range may cause damage to the appliance.
DC Current
11A maximum, per supply
Ground Reference
The DC power supplies are fully isolated from the ground reference.
Recommended Terminals
Power is connected to the DC supplies through screw terminals.
These appliances are suitable for installation by qualified personnel in network telecommunication facilities and locations where the National Electric Code applies. Cisco recommends that you save the packing materials in case a return is necessary. For more information, see the following sections:...
Firepower 82xx Family Appliances
• DC Installation, page A-7 for circuit installation, voltage, current, ground references, terminals, breaker requirements, and minimum wire size.
• Grounding/Earthing Requirements, page A-8 for bonding locations, recommended terminals, ground wire requirements, and DC supplies.
Frequency Range
The frequency range of the AC power supply is 47 Hz to 63 Hz. Frequencies outside this range may cause the appliance to not operate or to operate incorrectly.
Power Cords
The power connections on the power supplies are IEC C14 connectors and they will accept IEC C13 connectors.
• -40VDC to -72VDC maximum
Use of voltages outside this range may cause damage to the appliance.
DC Current
18A maximum, per supply
Ground Reference
The DC power supplies are fully isolated from the ground reference.
Recommended Terminals
Power is connected to the DC supplies through screw terminals.
These appliances are suitable for installation by qualified personnel in network telecommunication facilities and locations where the National Electric Code applies. Cisco recommends that you save the packing materials in case a return is necessary. For more information, see the following sections:...
Firepower and AMP 83xx Family Appliances
• AC Installation, page A-10 for circuit installation, voltage, current, and frequency range, and power cord information.
• DC Installation, page A-11 for circuit installation, voltage, current, ground references, terminals, breaker requirements, and minimum wire size.
Frequency Range
The frequency range of the AC power supply is 47 Hz to 63 Hz. Frequencies outside this range may cause the appliance to not operate or to operate incorrectly.
Power Cords
The power connections on the power supplies are IEC C14 connectors and they will accept IEC C13 connectors.
• -40VDC to -72VDC maximum
Use of voltages outside this range may cause damage to the appliance.
DC Current
25A maximum, per supply
Ground Reference
The DC power supplies are fully isolated from the ground reference.
Bonding Locations
Ground bonding locations are provided on the rear of the chassis. M4 studs are provided. Outside-toothed lock washers are provided for attaching ring terminals. A standard ground symbol is available by each stud.
Appendix B Inserting and Removing Firepower 8000 Series Network Modules
The Firepower 8000 Series devices use network modules (NetMods) that contain either copper or fiber sensing interfaces, allowing for modular flexibility in your deployment. The devices can be shipped fully assembled or you can install the modules.
About Firepower 8000 Series Modules
Figure B-1 Example NetMod or Slot Cover (open)
Figure B-2 Example NetMod Lever (closed with screw in hole)
Firepower 8000 Series Modules, page 2-12 for complete information about Firepower 8000 Series modules.
Note: Use this dual-slot NetMod only on the 40G-capacity Firepower 8250 or Firepower or AMP 8350. If you need to upgrade your device, see the Cisco 8000 Series Device 40G Capacity Upgrade Guide.
• quad-port 1000BASE-T copper non-bypass NetMod. For more information, see Quad-Port ...
• quad-port 1000BASE-SX fiber non-bypass NetMod. For more information, see Quad-Port 1000BASE-SX Fiber Non-Bypass NetMod, page 2-18.
• quad-port 10GBASE (MMSR or SMLR) fiber non-bypass NetMod. For more information, see ...
Remove the Module or Slot Cover
Step 4 Unplug all power cords from the appliance.
Related Topics
• “Placing a High-Availability Peer into Maintenance Mode” chapter in the Firepower Management Center Configuration Guide.
Insert the Module or Slot Cover
Use proper electrostatic discharge (ESD) practices such as wearing wrist straps and using an ESD work surface when handling the modules. Store unused modules in an ESD bag or box to prevent damage.
Procedure
Step 1 Remove and reserve the T8 Torx screw from the lever of the module using the included screwdriver.
Step 3 Insert the module into the slot until the far end of the latch is inside the slot and the near end of the latch touches the outside of the module slot.
Caution: Do not use excessive force. If the latch does not engage, remove and realign the module, then try again.
Step 5 Press firmly on the screw hole to push the lever fully against the module to secure the latch. The lever is fully against the module, and the module is flush with the chassis.
Restart the Appliance
Before You Begin
• Plug in all power cords to the appliance.
• Wait until the appliance is fully powered up. This could take several minutes.
• ...
Apply Changes to the Appliance
You can apply device changes from the Device Management page or from the Interfaces tab of the appliance editor.
Procedure
Step 1 Select Devices > Device Management.
Step 2 Next to the device where you want to apply changes, click the apply icon (...
SSD tray and an installation tool. You remove the empty second SSD tray and replace it with the compatible malware storage pack. Do not attempt to install a hard drive that was not supplied by Cisco in your device.
Caution: Installing an unsupported hard drive may damage the device.
You must be running version 5.3 or greater of the Firepower System software before you install the malware storage pack. For additional guidance, contact Cisco Support.
Caution: Before you update any part of the Firepower System, you must read the release notes or advisory text that accompanies the update.
Examine both your kit and your device to ensure that you have the appropriate malware storage pack kit for your device. Contact Cisco Support if you have any questions or concerns about your kit. See the following sections for more information:
• Malware Storage Pack Kit for 1U Devices, page C-3
• ...
For 82xx Family and 83xx Family devices, refer to Instructions for the 82xx Family and 83xx Family Devices on page 8.
Step 4 Reimage the device. Follow the instructions in the Cisco Firepower 8000 Series Getting Started Guide and the release notes or advisory text that accompanies the software update.
Step 5 Turn on the system. Refer to Post Installation on page 11 for information on restarting a device after a malware storage pack has been installed.
Installing a Malware Storage Pack on a Version 6.0.1 Device
Use the following procedure to install a malware storage pack in a device already configured and running Firepower System version 5.3 or greater.
Figure C-2 SSD Detail
The following steps describe how to install a malware storage pack in the 81xx Family of devices. Install the malware storage pack in the SSD bay labeled Malware Storage Pack. Remove the empty SSD tray and replace it with the appropriate malware storage pack.
Step 5 Align the malware storage pack with the SSD bay and insert the malware storage pack into the device.
Step 6 Tighten the thumb screw on the malware storage pack to secure the storage pack into the device.
Step 7 Use the T8 Torx driver to replace the screw removed in Step 1.
Instructions for the 82xx Family and 83xx Family Devices
The following sections describe how to install a malware storage pack SSD in the following 8000 Series devices with 2U chassis:
• 82xx Family devices (Firepower 8250, 8260, 8270, 8290)
• ...
Figure C-5 SSD Detail
The following steps describe how to install a malware storage pack in the 82xx Family and the 83xx Family of devices. Install the malware storage pack in the SSD bay labeled Malware Storage Pack. Remove the empty SSD tray and replace it with the appropriate malware storage pack.
Step 4 Pull the latch handle to remove the SSD tray from the device. Retain the empty SSD tray.
Note: If you need to remove the malware storage pack at any time, re-install the empty tray in the device.
Step 7 Align the malware storage pack with the SSD bay and insert the malware storage pack into the appliance.
Step 8 Push the latch handle on the SSD tray to secure the malware storage pack into the appliance.
Step 9 Use the 3 mm hex wrench to lock the latch release on the malware storage pack by turning the hex screw...
Post Installation
When you restart the device, the Firepower System automatically checks for the addition of the new storage pack. Before you restart the device, be aware of the following conditions:
• If a new (unformatted/unused) malware storage pack is detected, the Firepower System formats and mounts the disk for storage of suspected malware files and configures the malware storage pack with one partition that uses the entire drive space for file storage.
Removing a malware storage pack will trigger a health alert. For more information, see the Using Health Monitoring chapter in the Firepower Management Center Configuration Guide.
Monitoring a Malware Storage Pack
Use the Firepower System to monitor your malware storage pack.