2017-12-12 08:51 AM, updated 2019-03-22 07:33 AM
This procedure shows, as a reference, how to reimage an ASA5508-X from FTD 6.1.0 to FTD 6.2.2, and the initial setup needed for management access.
Download the FTD boot image from Download Software in advance and upload it to any TFTP server reachable from the FTD management interface. For the ASA5506-X/ASA5508-X/ASA5516-X, the FTD boot image has the following file name.
ftd-boot-9.8.2.3.lfbff
Download the FTD install package from Download Software in advance and upload it to any FTP or HTTP server reachable from the FTD management interface. For the ASA5508-X, the install package has the following file name.
ftd-6.2.2-81.pkg
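As an added example that is not part of the original article, the following POSIX shell script stages the two files on the server side and verifies their MD5 checksums before the appliance pulls them; the MD5 the boot loader prints while loading the image ("[MD5 signaure] ..." in the log further down) can then be compared with the value computed here. The expected checksums passed on the command line are placeholders to be replaced with the values published on Download Software, and TFTP_ROOT, HTTP_ROOT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): verify the FTD boot image and
# install package by MD5 and stage them read-only for the TFTP/HTTP daemons.
# TFTP_ROOT and HTTP_ROOT are assumed paths; override them in the environment.
set -u

TFTP_ROOT="${TFTP_ROOT:-/srv/tftp}"   # assumed root served by the TFTP daemon (.lfbff boot image)
HTTP_ROOT="${HTTP_ROOT:-/srv/http}"   # assumed document root of the HTTP(S) server (.pkg package)

# file_md5 FILE: print the MD5 of FILE, using GNU md5sum or BSD/macOS md5.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    md5 -q "$1"
  fi
}

# verify_image FILE EXPECTED_MD5
# Returns 0 when FILE exists and its MD5 equals EXPECTED_MD5 (case-insensitive),
# 1 otherwise. The value must match the one Cisco publishes for the download.
verify_image() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -f "$file" ]; then
    echo "MISSING  $file" >&2
    return 1
  fi
  actual=$(file_md5 "$file")
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH $file expected=$expected actual=$actual" >&2
    return 1
  fi
  echo "OK       $file $actual"
  return 0
}

# stage_image FILE DEST_DIR
# Copies FILE into DEST_DIR with mode 0444 so the serving daemon can read but not
# modify it, then re-hashes the copy so a truncated copy is caught here rather
# than on the appliance.
stage_image() {
  src=$1
  dest="$2/$(basename "$src")"
  mkdir -p "$2" || return 1
  rm -f "$dest"
  cp "$src" "$dest" || return 1
  chmod 0444 "$dest" || return 1
  [ "$(file_md5 "$src")" = "$(file_md5 "$dest")" ]
}

# stage_ftd_images BOOT_IMAGE BOOT_MD5 PKG_FILE PKG_MD5
# Verifies both files first; nothing is copied into a served directory unless
# both checksums match.
stage_ftd_images() {
  verify_image "$1" "$2" || return 1
  verify_image "$3" "$4" || return 1
  stage_image "$1" "$TFTP_ROOT" || return 1
  stage_image "$3" "$HTTP_ROOT" || return 1
}

# Runs only when given the four arguments, e.g.
#   TFTP_ROOT=/srv/tftp HTTP_ROOT=/srv/http sh stage_ftd.sh \
#     ftd-boot-9.8.2.3.lfbff <published md5> ftd-6.2.2-81.pkg <published md5>
if [ $# -eq 4 ]; then
  stage_ftd_images "$@"
fi
```

A checksum mismatch aborts before anything reaches the served directory, so the appliance never downloads a corrupted or tampered file, and the read-only copy keeps the daemon's account from altering it later.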
Run the "reboot" command, press the "ESC" key while ROMMON is starting, and access the ROMMON prompt.
> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES
Broadcast messagStopping Cisco ASA5508-X Threat Defense......ok
Shutting down sfifd... [ OK ]
Clearing static routes
Unconfiguring default route [ OK ]
Unconfiguring address on br1 [ OK ]
Unconfiguring IPv6 [ OK ]
Downing interface [ OK ]
Stopping nscd... [ OK ]
Stopping system log daemon... [ OK ]
Stopping Threat Defense ...
cp: cannot stat '/etc/ssh': No such file or directory
Stopping system message bus: dbus.
rmdir: failed to remove directory '/etc': Directory not empty
[ OK ]
Un-mounting disk partitions ...
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
Device root is still in use.
mdadm: Cannot get exclusive access to /dev/md0:Perhaps a running process, mounted filesystem or active volume group?
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 4279)
.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 4283)
acpid: exiting
acpid.
Stopping system message bus: dbus.
Deconfiguring network interfaces...
ifdown: interface br1 not configured
done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly
Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015 by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders
Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
DIMM Slot 1 : Present
Platform ASA5508 with 8192 Mbytes of main memory
MAC Address: 2c:5a:0f:d2:e4:ea
Use BREAK or ESC to interrupt boot. <----- !! Press ESC !!
Use SPACE to begin boot immediately.
Boot in 10 seconds.
Boot in 9 seconds.
Boot in 8 seconds.
Boot in 7 seconds.
Boot interrupted.
rommon 1 >
Enter the IP address and file name information needed to reach the TFTP server holding the boot image. Confirm the settings with the "set" command and check reachability to a destination (such as the TFTP server) with the "ping" command. The "sync" command saves these variables so they survive a reset.
rommon 1 > address 1.0.0.46
rommon 2 > netmask 255.0.0.0
rommon 3 > server 1.0.0.1
rommon 4 > file ftd-boot-9.8.2.3.lfbff
rommon 5 > set
ADDRESS=1.0.0.46
NETMASK=255.0.0.0
GATEWAY=1.0.0.1
SERVER=1.0.0.1
IMAGE=ftd-boot-9.8.2.3.lfbff
CONFIG=
PS1="rommon ! > "
rommon 6 > ping 1.0.0.1
Sending 10, 32-byte ICMP Echoes to 1.0.0.1 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 7 >
rommon 7 > sync
Run the "tftpdnld" command to download the boot image from the TFTP server and boot it.
rommon 8 > tftpdnld
ADDRESS: 1.0.0.46
NETMASK: 255.0.0.0
GATEWAY: 1.0.0.1
SERVER: 1.0.0.1
IMAGE: ftd-boot-9.8.2.3.lfbff
MACADDR: 00:f2:8b:fc:12:43
VERBOSITY: Progress
RETRY: 40
PKTTIMEOUT: 7200
BLKSIZE: 1460
CHECKSUM: Yes
PORT: GbE/1
PHYMODE: Auto Detect
Receiving ftd-boot-9.8.2.3.lfbff from 1.0.0.1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 104813248 (0x63f52c0) bytes
[image size] 104813248
[MD5 signaure] 914afb2d31d061910d22933d679aabb3
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5508.
--- snip ---
Cisco FTD Boot 6.0.0 (9.8.2.3)
Type ? for list of commands
firepower-boot>
firepower-boot>setup
Welcome to Cisco FTD Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [firepower]: ftd5508
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]: N
Enter an IPv4 address: 1.0.0.46
Enter the netmask: 255.0.0.0
Enter the gateway: 1.0.0.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address [171.70.168.183]: 1.0.0.1
Do you want to configure Secondary DNS Server? (y/n) [y]: n
Any previously configured secondary DNS servers will be removed.
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: n
Please review the final configuration:
Hostname: ftd5508
Management Interface Configuration
IPv4 Configuration: static
IP Address: 1.0.0.46
Netmask: 255.0.0.0
Gateway: 1.0.0.1
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server: 1.0.0.1
NTP configuration: Disabled
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly. We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
firepower-boot>
firepower-boot>ping 1.0.0.1
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=255 time=0.557 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=255 time=0.512 ms
Run the "system install [url]" command to download and install the FTD install package.
[URL] can be an FTP, HTTP or HTTPS URL, and a username and password can be included in it.
For example, to specify the FTP server's username and password, run:
"system install ftp://[user ID]:[password]@[FTP server IP]/ftd-6.2.2-81.pkg"
Note that credentials embedded in the URL are echoed on the console (and into any terminal log), and that FTP and HTTP carry both the credentials and the package in cleartext. Prefer HTTPS, or use a dedicated read-only account on the isolated management network and remove it after the install.
The following is an example of running the command when downloading the file from an FTP server.
firepower-boot>system install noconfirm ftp://user:pass@1.0.0.1/ftd-6.2.2-81.pkg
######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################
Do you want to continue? [y/N] y
Erasing disk0 ...
Extracting ...
Verifying.
...
Downloading
Extracting
Package Detail
Description: Cisco ASA-FTD 6.2.2-81 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]:y <----- !! Input y !!
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
Starting upgrade process ....
Populating new system image
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system. <----- !! Press Enter !!
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 1824)
.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1828)
acpid.
Stopping system message bus: dbus.
Stopping ntpd: start-stop-daemon: warning: killing process 1832: No such process
done
Stopping crond: OK
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
************ Attention *********
Initializing the configuration database. Depending on available system resources (CPU, memory, and disk), this may take 30 minutes or more to complete.
************ Attention *********
Executing S09database-init [ OK ]
Executing S11database-populate [ OK ]
Executing S12install_infodb
Once the steps through step 2 have completed, the console becomes available after a while; log in with username/password admin / Admin123 (the default, which the system forces you to change at first login). After confirming the EULA, set a new password and the management settings. When managing locally with FDM, answer "yes" to "Manage the device locally?".
Copyright (c) 1996-2016 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!WARNING: This command will not take effect until interface 'diagnostic' has been initialized with at least one global IPv6 address
*** Output from config line 36, "ip-client diagnostic ipv..."
WARNING: This command will not take effect until interface 'diagnostic' has been assigned an IPv4 address
*** Output from config line 37, "ip-client diagnostic"
WARNING: This command will not take effect until interface 'inside' has been initialized with at least one global IPv6 address
*** Output from config line 38, "ip-client inside ipv6"
WARNING: This command will not take effect until interface 'outside' has been initialized with at least one global IPv6 address
*** Output from config line 40, "ip-client outside ipv6"
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 41, "ip-client outside"
ERROR: Inspection not installed or parameters do not match
*** Output from config line 57, "no inspect esmtp"
Cryptochecksum (changed): a5939d80 45cddd58 bf729a5c e614f6f3
INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Cisco ASA5508-X Threat Defense v6.2.2 (build 81)
firepower login: admin
Password: <----- !! Input Admin123 !!
Last login: Tue Dec 5 16:51:55 UTC 2017 on ttyS1
Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.2.2 (build 11)
Cisco ASA5508-X Threat Defense v6.2.2 (build 81)
You must accept the EULA to continue.
Press <ENTER> to display the EULA: <----- !! Press Enter !!
END USER LICENSE AGREEMENT
- snip -
Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.
Please enter 'YES' or press <ENTER> to AGREE to the EULA: yes <---- !! Enter YES or Press Enter !!
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <----- !! input new admin Password !!
Confirm new password: <----- !! input new admin Password, again!!
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 1.0.0.46
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.0.0.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 1.0.0.1
Enter a fully qualified hostname for this system [firepower]: ftd5508
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: none
Enter a comma-separated list of search domains or 'none' []: none
If your networking information has changed, you will need to reconnect.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
DCHP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: yes <----- !! Enable local management (FDM) !!
Configuring firewall mode to routed
Update policy deployment information
- add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.
Clicking "Smart License" at the bottom right of the Device Dashboard lets you enable Smart Licensing or the evaluation license.
For details on configuring and managing the device in FDM after initial setup, see the following configuration guide.
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2
Once the steps through step 2 have completed, the console becomes available after a while; log in with username/password admin / Admin123 (the default, which the system forces you to change at first login). After confirming the EULA, set a new password and the management settings. When the device will be managed by FMC rather than locally with FDM, answer "no" to "Manage the device locally?".
Copyright (c) 1996-2016 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!WARNING: This command will not take effect until interface 'diagnostic' has been initialized with at least one global IPv6 address
*** Output from config line 36, "ip-client diagnostic ipv..."
WARNING: This command will not take effect until interface 'diagnostic' has been assigned an IPv4 address
*** Output from config line 37, "ip-client diagnostic"
WARNING: This command will not take effect until interface 'inside' has been initialized with at least one global IPv6 address
*** Output from config line 38, "ip-client inside ipv6"
WARNING: This command will not take effect until interface 'outside' has been initialized with at least one global IPv6 address
*** Output from config line 40, "ip-client outside ipv6"
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 41, "ip-client outside"
ERROR: Inspection not installed or parameters do not match
*** Output from config line 57, "no inspect esmtp"
Cryptochecksum (changed): a5939d80 45cddd58 bf729a5c e614f6f3
INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Cisco ASA5508-X Threat Defense v6.2.2 (build 81)
firepower login: admin
Password: <----- !! Input Admin123 !!
Last login: Wed Dec 6 01:22:08 UTC 2017 on ttyS1
Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.2.2 (build 11)
Cisco ASA5508-X Threat Defense v6.2.2 (build 81)
You must accept the EULA to continue.
Press <ENTER> to display the EULA: <---- !! Press Enter !!
- snip -
Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.
Please enter 'YES' or press <ENTER> to AGREE to the EULA: <---- !! Enter YES or Press Enter !!
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <----- !! input new admin Password !!
Confirm new password: <----- !! input new admin Password, again!!
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 1.158.158.45
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.0.0.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 1.0.0.1
Enter a fully qualified hostname for this system [firepower]: FTD5508
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: none
Enter a comma-separated list of search domains or 'none' []: none
If your networking information has changed, you will need to reconnect.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
DCHP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: no <---- !! Disable local management (FMC-managed) !!
DCHP Server Disabled
Configure firewall mode? (routed/transparent) [routed]: routed
Configuring firewall mode ...
Update policy deployment information
- add device configuration
- add network discovery
- add system policy
You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.
When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'
However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>
Enter the Manager (FMC) connection settings.
> configure manager add 1.0.0.2 12345 <---- !! Enter Manager information !!
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.
> show managers
Host : 1.0.0.2
Registration Key : ****
Registration : pending
RPC Status :
>
Log in to the Manager (FMC) GUI and add the 5508-X as a Device (enter the device information and click Register).
After registration completes, the 5508-X appears in FMC.
The Manager can also be confirmed from the 5508-X CLI.
> show managers
Type : Manager
Host : 1.0.0.2
Registration : Completed
>
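As an added example that is not part of the original article, the following POSIX shell snippet generates a random alphanumeric registration key for "configure manager add" (the key is the shared secret both the device and FMC must present, so a guessable value like the 12345 in the log above should be avoided) and parses "show managers" output copied from the log to confirm that Registration has moved from pending to Completed. The function names and the tr/awk pipeline are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): registration-key generation
# and a parser for "show managers" output. Sample outputs below are copied
# from the article's console log and embedded here as strings.
set -u

# gen_reg_key [LEN]: random alphanumeric key, 24 characters by default.
# The device requires an alphanumeric key; the same value is entered in FMC.
gen_reg_key() {
  len=${1:-24}
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$len"
  echo
}

# valid_reg_key KEY: 0 when KEY is non-empty and strictly alphanumeric.
valid_reg_key() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9]+$'
}

# manager_field OUTPUT FIELD: value of the "FIELD : value" line in OUTPUT.
# The field name is matched exactly, so "Registration" does not match
# "Registration Key".
manager_field() {
  printf '%s\n' "$1" | awk -F' : ' -v f="$2" '$1 == f { print $2; exit }'
}

# manager_state OUTPUT: the Registration value (pending / Completed), or
# "unknown" when the line is absent.
manager_state() {
  state=$(manager_field "$1" Registration)
  if [ -n "$state" ]; then
    printf '%s\n' "$state"
  else
    echo unknown
  fi
}

# "show managers" immediately after "configure manager add" (from the log).
SHOW_MANAGERS_PENDING='Host : 1.0.0.2
Registration Key : ****
Registration : pending
RPC Status :'

# "show managers" after the device was registered in the FMC GUI (from the log).
SHOW_MANAGERS_DONE='Type : Manager
Host : 1.0.0.2
Registration : Completed'

key=$(gen_reg_key)
echo "configure manager add 1.0.0.2 $key"
echo "pending sample -> $(manager_state "$SHOW_MANAGERS_PENDING")"
echo "done sample    -> $(manager_state "$SHOW_MANAGERS_DONE")"
```

The key printed by the first echo is what goes into both the device command and the FMC "Add Device" dialog; the parser is what a post-install check run over the console or SSH would use to wait for "Completed" before declaring the device managed.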