The default gateway is set to 0.0.0.0, which sends FXOS The following example adds 3 interfaces to an EtherChannel, sets the LACP mode to on, and sets the speed and a flow control Set the absolute session timeout for all forms of access including serial console, SSH, and HTTPS. mode You can also enable and disable output to a specified text file using the selected transport protocol. filesize. We recommend a value of 2048. The default is 15 days. filename. scope interface_id. View the version number of the new package. enter the commit-buffer command. >> { volatile: min-password-length lines. Depending on the model, you use FXOS for configuration and troubleshooting. The privilege level Set one or more of the following algorithms, separated by spaces or commas: set ssh-server mac-algorithm press This example shows how to enable the storage of syslog messages in a local file: This section describes how to configure the Simple Network Management Protocol (SNMP) on the chassis. ASDM images that you upload manually do not appear in the FXOS image list; you must manage ASDM images from the ASA. The Firepower 2100 has support for jumbo frames enabled by default. This section describes the CLI and how to manage your FXOS configuration. characters. You can then reenable DHCP for the new network. SNMP security levels support one or more of the following privileges: noAuthNoPriv: no authentication or encryption; authNoPriv: authentication but no encryption. The default is 3600 seconds (60 minutes). Configuring the Role Policy for Remote Users 43; Enabling Password Strength Check for Locally Authenticated Users 44; Set the Maximum Number of Login Attempts 44. manager does not send any acknowledgment when it receives a trap, and the chassis cannot determine if the trap was received. ip Configure a new management IPv6 address and gateway: Firepower-chassis /fabric-interconnect/ipv6-config # set devices in a network. The level options are listed in order of decreasing urgency.
prefix [https | snmp | ssh]. Specify the organization requesting the certificate. minutes Sets the maximum time between 10 and 1440 minutes. You can only have one console connection at a time. days. New/Modified FXOS commands: enable ntp-authentication, set ntp-sha1-key-id, set ntp-sha1-key-string. single or double-quotes; these will be seen as part of the expression. Viewing Current SNMP Settings 73; Configuring HTTPS 74; Certificates, Key Rings, and Trusted Points 74; Creating a Key Ring 75; Regenerating the Default Key Ring 75. protocols, set ssh-server host-key rsa set clock to route traffic to a router on the Management 1/1 network instead, then you can CLI. Some links below may open a new browser window to display the document you selected. manager, chassis scope Established connections remain untouched. To keep the currently-set gateway, omit the ipv6-gw keyword. set expiration-warning-period ntp-sha1-key-string, enable You are prompted to enter and confirm the privacy password. enable syslog source {audits | events | faults}, disable syslog source {audits | events | faults}. Creating a Key Ring 73; Regenerating the Default Key Ring 73; Creating a Certificate Request for a Key Ring 74; Creating a Certificate Request for a Key Ring with Basic Options 74. Four general commands are available for object management: create (Optional) Enable or disable the certificate revocation list check: set The following example enables HTTPS, sets the port number to 4443, sets the key ring name to kring7984, and sets the Cipher set https keyring You cannot mix interface capacities (for User accounts are used to access the Firepower 2100 chassis. modulus {mod1536 | mod2048 | mod2560 | mod3072 | mod3584 | mod4096}, set elliptic-curve {secp256r1 | secp384r1 | secp384r1}. The following the certificate, type ENDOFBUF to complete the certificate input. We added the following IKE and ESP ciphers and algorithms (not configurable): Ciphers: aes192.
shows how to determine the number of lines currently in the system event log: The following Cisco Firepower 2100 ASA Platform Mode FXOS Configuration Guide, View with Adobe Reader on a variety of devices. min_num_hours (Optional) Reenable the IPv4 DHCP server. remote-address enter the command, you are queried for remote server name or IP address, user cut Removes (cut) portions of each line. Select the lowest message level that you want stored to a file. DHCP (see Change the FXOS Management IP Addresses or Gateway). Display the certificate request, copy the request, and send it to the trust anchor or certificate authority. (Optional) Specify the name of a key ring you added. Add local users for chassis authorizes management operations only by configured users and encrypts SNMP messages. you must generate a certificate request through FXOS and submit the request to a trusted point. The chassis supports SNMPv1, SNMPv2c and SNMPv3. wc Displays a count of lines, words, and For every create 2023 Cisco and/or its affiliates. set syslog console level {emergencies | alerts | critical}. (Optional) Set the IKE-SA lifetime in minutes: set lines of text with each line having up to 192 characters. days, set expiration-grace-period Traps are less reliable than informs because the SNMP description. set port To use an interface, it must Wait for the chassis to finish rebooting (5-10 minutes). For example, you manager, the browser displays the banner text, and the user must click OK on the message screen before the system prompts for the username and password. set Committing multiple commands all together is not a singular operation. Guide, Cisco Firepower 2100 FXOS MIB Reference Guide. These notifications do not require that NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. local-address error in your browser indicating an unsupported security protocol version. 
admin-speed {10mbps | 100mbps | 1gbps | 10gbps}. special characters except ! The exception is for ASDM, which you can upgrade from within the ASA operating system, so you do not need to only use the fabric-interconnect The default password is Admin123. After you The admin account is a default user account and cannot be modified or deleted. See A security level is the permitted level of security within a security model. When a user logs into the FXOS CLI, the terminal displays the banner text before it prompts for the password. You can enter any standard ASCII character in this field. (Optional) Specify the type of trap to send. system-location-name. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will default level is Critical. You can use the scope command with any managed object, whether a permanent object or a user-instantiated object. The previously-used passwords. are most useful when dealing with commands that produce a lot of text. so you can have multiple ASA connections from an FXOS SSH connection. But if you manually chose a different ASDM image that you uploaded (for example, asdm-782.bin), then you continue to use that image even after a bundle upgrade. to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. CLI and Configuration Management Interfaces Provides authentication based on the HMAC Secure Hash Algorithm (SHA). (Optional) Configure a description up to 256 characters. cc-mode. set Make sure the image you want to upload is available on an FTP, SCP, SFTP, TFTP server, or a USB drive. device_name. sa-strength-enforcement {yes | no}. In general, a longer key is more secure than a shorter key. Enable or disable the password strength check. To merely support encrypted communications, Upload the certificate you obtained from the trust anchor or certificate authority. The asterisk disappears when you save or discard the configuration changes. 
a connection, loss of connection to a neighbor router, or other significant events. The system location name can be any alphanumeric string up to 512 characters. Specify the IP address or FQDN of the Firepower 2100. ip_address mask, no http 192.168.45.0 255.255.255.0 management, http tr Translates, squeezes, and/or deletes The key is used to tell both the client and server which of a Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute commands on the underlying operating system (OS) with root privileges. exclude Excludes all lines that match the pattern Set the scope for fabric-interconnect a, and then the IPv6 configuration. The default username is admin and the default password is Admin123. ip_address. modulus. To return to the FXOS CLI, enter Ctrl+a, d. If you SSH to the ASA (after you configure SSH access in the ASA), connect to the FXOS CLI. comma_separated_values. | This section describes how to set the date and time manually on the Firepower 2100 chassis. end Ends with the line that matches the pattern. prefix_length We recommend that you connect to the console port to avoid losing your connection. FXOS provides a default RSA key ring with an initial 2048-bit key pair, and allows you to create additional key rings. The old limit was 80 characters. In addition to SHA-based authentication, the chassis also provides privacy using the AES-128 bit Advanced Encryption Standard. min_num_hours Set the minimum number of hours that a locally-authenticated user must wait before changing a newly created password, between Must not contain three consecutive numbers or letters in any order, such as passwordABC or password321. remote_identity_name. Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb. month Sets the month as the first three letters of the month name, such as jan for January. 
eth-uplink, scope Suite security level to high: You can configure an IPSec tunnel to encrypt management traffic. To make sure that you are running a compatible version packet. The security level determines the privileges required to view the message associated with an SNMP trap. If you want to allow access from other networks, or to allow For a certificate authority that uses intermediate certificates, the root and intermediate certificates must be combined. set syslog file level {emergencies | alerts | critical | errors | warnings | notifications | information | debugging}. The following example configures a DNS server with the IPv4 address 192.168.200.105: The following example configures a DNS server with the IPv6 address 2001:db8::22:F376:FF3B:AB3F: The following example deletes the DNS server with the IP address 192.168.200.105: With a pre-login banner, when a user logs into the Secure Firewall chassis The SNMPv3 User-Based Security Model The certificate must be in Base64 encoded X.509 (CER) format. delete For information about supported MIBs, see the Cisco Firepower 2100 FXOS MIB Reference The following example the actual passwords. Set the id to an integer between 1 and 47. enter Clock | after the If ipv6_address Because that certificate is self-signed, client browsers do not automatically trust it. By default, FXOS contains a built-in self-signed certificate containing the public key from the default key ring. By default, the LACP retry_number. You must delete the user account and create a new one. objects, and licenses, user roles, and platform policies are logical entities represented as managed objects. The following example configures the system clock. not be erased, and the default configuration is not applied. show command | { begin expression| count| cut expression| egrep expression| end expression| exclude expression| grep expression| head| include expression| last| less| no-more| sort expression| tr expression| uniq expression| wc}. 
Obtain the key ID and value from the NTP server. the initial vertical bar way to backup and restore a configuration. Formerly, only RSA keys were supported. prefix [https | snmp | ssh]. example 1GB and 10GB interfaces) by setting the speed to be lower on the command, and then view the key ID and value in the ntp.keys file. -M example shows how to display lines from the system event log that include the DNS SubjectAlternateName. The Secure Firewall eXtensible Specify the fully qualified domain name of the chassis used for DNS lookups of your chassis. You can reenable DHCP using new client IP addresses after you change the management IP address. The community name can be any alphanumeric string up to 32 characters. Operating System, show egrep Displays only those lines that match the You can use the FXOS CLI or the GUI chassis manager to configure these functions; this document covers the FXOS CLI. If you connect at the console port, you access the FXOS CLI immediately. operating system. To obtain a new certificate, requests be sent from the SNMP manager. To change the management IP address, see Change the FXOS Management IP Addresses or Gateway. Must pass a password dictionary check. The following example creates the pre-login banner: The following procedure describes how to enable or disable SSH access to FXOS. (Optional) Set the Child SA lifetime in minutes (30-480): set To disallow changes, set the set change-interval to disabled . Perform these steps to enable FIPS or Common Criteria (CC) mode on your Firepower 2100. Use the following serial settings: You connect to the FXOS CLI. scope Uses a username match for authentication. extended-type pattern. From FXOS, you can enter the Firepower Threat Defense CLI using the connect ftd command. You can, however, configure the account with the latest expiration date available. to perform a password strength check on user passwords. 
An attacker could exploit these vulnerabilities by including crafted arguments to specific CLI . by piping the output to filtering commands. minutes. Set the interface speed if you disable autonegotiation. Several of these subcommands have additional options that let you further control the filtering. ip A subnet of 0.0.0.0 and a prefix of 0 allows unrestricted access to a service. the request is successful, the Certificate Authority sends back an identity certificate that has been digitally signed using local-user-name. SNMPv3 provides for both security models and security levels. enter The username is used as the login ID for the Secure Firewall chassis the SHA1 key on NTP server Version 4.2.8p8 or later with OpenSSL installed, enter the ntp-keygen Specify the port to be used for the SNMP trap. The system stores this level and above in the syslog file. Copy the text of the certificate request, including the BEGIN and END lines, and save it in a file. network devices using SNMP. Console access into the FPR2100 chassis and connect to the FTD application. Set the Maximum Number of Login Attempts 44; View and Clear User Lockout Status 45; Configuring the Maximum Number of Password Changes for a Change Interval 46. CLI, or Elliptic Curve Digital Signature Algorithm (ECDSA) encryption keys, , curve25519, ecp256, ecp384, ecp521, modp3072, modp4096, Secure Firewall chassis effect immediately. Show commands do not show the secrets (password fields), so if you want to paste a month For details, see http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite. trustpoint_name. To configure HTTPS access to the chassis, do one of the following: (Optional) Specify the HTTPS port. Must not be identical to the username or the reverse of the username. The filtering options are entered after the command's initial A certificate is a file containing The Firepower 2100 runs FXOS to control basic operations of the device. reconfigure the account to not expire. phone-num.
Do not enclose the expression in the guidelines for a strong password (see Guidelines for User Accounts). You cannot use any spaces or The strong password check is enabled by default. enter local-user enable. set By default, a self-signed SSL certificate is generated for use with the chassis manager. ipsec, set Specify the trusted point that you created earlier. certchain [certchain]. an upgrade. Provide the CSR output to the Certificate Authority in accordance with the Certificate Authority's enrollment process. The enable password is not set. Please set it now. You can configure up to 48 local user accounts. If you enable the password strength check for locally-authenticated users, show command The retry_number value can be any integer between 1-5, inclusive. seconds Sets the absolute timeout value in seconds, between 0 and 7200. create set phone (Complete descriptions of these options are beyond the scope of this document; Enter Password: ****** create Display the installed interfaces on the chassis. scope By default, expiration is disabled (never). name. version. enter have not been altered to an extent greater than can occur non-maliciously. ip/mask, set We added password security improvements, including the following: User passwords can be up to 127 characters. The first time a new client browser This task applies to a standalone ASA. Connect to the console port (see Connect to the ASA or FXOS Console). ip-block Specify the SNMP community name to be used for the SNMP trap. Similarly, to keep the existing management IP address while changing the gateway, omit the ip and netmask keywords. year. Each user account must have a unique username and password. To provide stronger authentication for FXOS, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity While any commands are pending, an asterisk (*) appears before the Uses a community string match for authentication. the CA's private key.
keyring ipv6-prefix Subject Name, and so on). port-num. key_id, set trustpoint admin-duplex {fullduplex | halfduplex}. For example, the password must not be based on a standard dictionary word. NTP is configured by default so that the ASA can reach the licensing server. Ignore the message, "All existing configuration will be lost, and the default configuration applied." (exclamation point), + (plus sign), - (hyphen), and : (colon). object command, a corresponding delete You can configure the network time protocol (NTP), set the date and time manually, or view the current system time. set email The following example curve25519 is not supported in FIPS or Common Criteria mode. a self-signed certificate, the user has no easy method to verify the identity of the device, and the user's browser will initially You must configure DNS (see Configure DNS Servers) if you enable this feature. 3 times. manager, chassis manager or the FXOS (Optional) If you select v3 for the version, specify the privilege associated with the trap. gw Reimage Procedures; About Disaster Recovery, on page 1; Reimage the System with the Base Install Software Version, on page 2; Perform a Factory Reset from ROMMON (Password Reset . 0.0.0.0 (the ASA data interfaces), then you will not be able to access FXOS on a Set one or more of the following protocols, separated by spaces or commas: set ssh-server kex-algorithm These syslog messages apply only to the FXOS chassis. The strong password check is enabled by default. esp-rekey-time set set https port object command to create new objects and edit existing objects, so you can use it instead of the create show ntp-server [hostname | ip_addr | ip6_addr]. address. by redirecting the output to a text file. such as a client's browser and the Firepower 2100. determines whether the message needs to be protected from disclosure or authenticated. set The ASA, ASDM, and FXOS images are bundled together into a single package.
include Displays only those lines that match the by the peer. the An EtherChannel (also known as a port-channel) can include up to 8 member interfaces of the traps Sets the type to traps if you select v2c or v3 for the version. Specify the message that FXOS displays to the user before they log into the chassis manager or the FXOS keyring-name configuration command. If cipher_suite_mode. Until committed, Must include at least one uppercase alphabetic character. install security-pack version (question mark), and = (equals sign). Learn more about how Cisco is using Inclusive Language. the DHCP server in the chassis manager at Platform Settings > DHCP. (Optional) For copper ports, set the interface duplex mode for all members of the port-channel to override the properties set on the dns {ipv4_addr | ipv6_addr}. to the SNMP manager. start_ip end_ip. informs Sets the type to informs if you select v2c for the version. If you SSH to FXOS, you can also connect to the ASA CLI; a connection from SSH is not a console connection, password-profile, set See Install a Trusted Identity Certificate. The default address is 192.168.45.45. Press Enter between lines. no The SA enforcement check passes, and the connection is successful. Copy and paste the entire text block at the FXOS CLI. default-auth, set absolute-session-timeout This method provides a shortcut to set these parameters, because these parameters must match for all interfaces in the port-channel. keyring_name. set https cipher-suite show set snmp syscontact This identity certificate allows a client browser to trust the connection, and bring up the web interface with no warnings.