Yoshihiro Hagiwara
Cisco Employee
1. Introduction

This procedure shows, for reference, how to reimage an ASA5508-X from FTD 6.1.0 to FTD 6.2.2 and how to perform the initial setup for management access.


2. Reimaging from FTD 6.1.0 to FTD 6.2.2

Download the FTD boot image from Download Software in advance and upload it to any TFTP server reachable from the FTD management interface. For the ASA5506-X/ASA5508-X/ASA5516-X, the FTD boot image has the following file name.

   ftd-boot-9.8.2.3.lfbff

Download the FTD installation package from Download Software in advance and upload it to any FTP or HTTP server reachable from the FTD management interface. For the ASA5508-X, the installation package has the following file name.

   ftd-6.2.2-81.pkg
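TFTP and anonymous FTP provide no authentication or integrity protection, so the image should be checked against the MD5 published on the download page before it is placed in the server root. The following POSIX shell script is an added example, not part of the original article; the expected hash and the /srv/tftp path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded FTD
# boot image or install package against the MD5 published on the Cisco
# download page, and only then stage it in the TFTP/FTP root.

# md5_of FILE -> prints the MD5 hex digest (md5sum on Linux, md5 on BSD/macOS)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_image FILE EXPECTED_MD5 -> returns 0 if the digest matches, 1 otherwise.
# The expected value is normalised to lower case so a copy from the web page
# in upper case still compares correctly.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# stage_image FILE EXPECTED_MD5 SERVER_ROOT -> copies the file into the server
# root read-only, but only after verify_image succeeds, so a truncated or
# tampered download is never served to the device.
stage_image() {
    verify_image "$1" "$2" || return 1
    cp "$1" "$3/" && chmod 0444 "$3/$(basename "$1")"
}

# Usage (the hash below is a placeholder, not a real Cisco value):
# stage_image ftd-boot-9.8.2.3.lfbff 00000000000000000000000000000000 /srv/tftp
```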

 

Run the "reboot" command and press the "ESC" key while ROMMON is starting to access the ROMMON prompt.

> reboot 
This command will reboot the system.  Continue?
Please enter 'YES' or 'NO': YES

Broadcast messagStopping Cisco ASA5508-X Threat Defense......ok
Shutting down sfifd...
[  OK  ]
Clearing static routes
Unconfiguring default route
[  OK  ]
Unconfiguring address on br1
[  OK  ]
Unconfiguring IPv6
[  OK  ]
Downing interface
[  OK  ]
Stopping nscd...
[  OK  ]
Stopping system log daemon...
[  OK  ]
Stopping Threat Defense ...
cp: cannot stat '/etc/ssh': No such file or directory
Stopping system message bus: dbus.
rmdir: failed to remove directory '/etc': Directory not empty
[  OK  ]
Un-mounting disk partitions ...
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
device-mapper: remove ioctl on root failed: Device or resource busy
Device root is still in use.
mdadm: Cannot get exclusive access to /dev/md0:Perhaps a running process, mounted filesystem or active volume group?
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 4279)
.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 4283)
acpid: exiting

acpid.
Stopping system message bus: dbus.
Deconfiguring network interfaces... ifdown: interface br1 not configured
done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting... 
Rom image verified correctly


Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015  by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders


Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present
DIMM Slot 1 : Present

Platform ASA5508 with 8192 Mbytes of main memory
MAC Address: 2c:5a:0f:d2:e4:ea


Use BREAK or ESC to interrupt boot.   <----- !! Press ESC !!
Use SPACE to begin boot immediately.
Boot in 10 seconds.                   Boot in 9 seconds.                  Boot in 8 seconds.                  Boot in 7 seconds.                  Boot interrupted.

rommon 1 >

 

Enter the IP address and file name information needed to reach the TFTP server that hosts the boot image. Confirm the settings with the "set" command and check connectivity to any destination (such as the TFTP server) with the "ping" command.

rommon 1 > address 1.0.0.46
rommon 2 > netmask 255.0.0.0
rommon 3 > server 1.0.0.1
rommon 4 > file tac/ftd-boot-9.6.2.0.lfbff
rommon 5 > set
ADDRESS=1.0.0.46
NETMASK=255.0.0.0
GATEWAY=1.0.0.1
SERVER=1.0.0.1
IMAGE=ftd-boot-9.8.2.3.lfbff
CONFIG=
PS1="rommon ! > "

rommon 6 > ping 1.0.0.1
Sending 10, 32-byte ICMP Echoes to 1.0.0.1 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 7 >
rommon 7 > sync

 

Run the "tftpdnld" command to download the boot image from the TFTP server and set it up.

rommon 8 > tftpdnld
 ADDRESS: 1.0.0.46
 NETMASK: 255.0.0.0
 GATEWAY: 1.0.0.1
 SERVER: 1.0.0.1
 IMAGE: ftd-boot-9.8.2.3.lfbff
 MACADDR: 00:f2:8b:fc:12:43
 VERBOSITY: Progress
 RETRY: 40
 PKTTIMEOUT: 7200
 BLKSIZE: 1460
 CHECKSUM: Yes
 PORT: GbE/1
 PHYMODE: Auto Detect

Receiving ftd-boot-9.8.2.3.lfbff from 1.0.0.1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!File reception completed.
File reception completed.
Boot buffer bigbuf=348bd018
Boot image size = 104813248 (0x63f52c0) bytes
[image size] 104813248
[MD5 signaure] 914afb2d31d061910d22933d679aabb3
LFBFF signature verified.
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
Detected PID ASA5508.
--- snip ---
Cisco FTD Boot 6.0.0 (9.8.2.3)
Type ? for list of commands
firepower-boot>
After the boot prompt appears, run the "setup" command to configure the IP and management settings needed to reach the FTP or HTTP (web) server. (Check connectivity to any destination with the "ping" command.)

firepower-boot>setup


		Welcome to Cisco FTD Setup 
		  [hit Ctrl-C to abort]
		Default values are inside []

Enter a hostname [firepower]: ftd5508
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [Y]: N
Enter an IPv4 address: 1.0.0.46
Enter the netmask: 255.0.0.0
Enter the gateway: 1.0.0.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses. 
Enter the primary DNS server IP address [171.70.168.183]: 1.0.0.1
Do you want to configure Secondary DNS Server? (y/n) [y]: n  
Any previously configured secondary DNS servers will be removed.
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: n
Please review the final configuration:
Hostname:		ftd5508
Management Interface Configuration

IPv4 Configuration:	static
	IP Address:	1.0.0.46
	Netmask:	255.0.0.0
	Gateway:	1.0.0.1
IPv6 Configuration:	Stateless autoconfiguration
DNS Configuration:
	DNS Server:	1.0.0.1
NTP configuration: 	Disabled

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address based on network prefix and a device identifier. Although this address is unlikely to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
firepower-boot>
firepower-boot>ping 1.0.0.1
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=255 time=0.557 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=255 time=0.512 ms
 

Run the "system install [url]" command to download and install the FTD installation package.

[URL] can be an FTP, HTTP, or HTTPS URL. A user name and password can also be specified in the [URL].
For example, to specify the FTP server user name and password, run the command
"system install ftp://[user ID]:[password]@[FTP server IP]/ftd-6.2.2-81.pkg".
Note that credentials given in the URL are echoed on the console, so use a dedicated account that has read access only to the package.
The following is an example of running the command to download the file from an FTP server.

firepower-boot>system install noconfirm ftp://user:pass@1.0.0.1/ftd-6.2.2-81.pkg

######################## WARNING ############################
# The content of disk0: will be erased during installation! #
#############################################################

Do you want to continue? [y/N] y
Erasing disk0 ...
Extracting   ... 
Verifying.    ...     		
Downloading
Extracting
Package Detail
Description: Cisco ASA-FTD 6.2.2-81 System Install
Requires reboot: Yes

Do you want to continue with upgrade? [y]:y <----- !! Input y !!

Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.

Starting upgrade process ....
Populating new system image

Reboot is required to complete the upgrade. Press 'Enter' to reboot the system. <----- !! Press Enter !!

Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 1824)
.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 1828)
acpid.
Stopping system message bus: dbus.
Stopping ntpd: start-stop-daemon: warning: killing process 1832: No such process
done
Stopping crond: OK
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
 
During package installation the console shows output like the following. The installation completes automatically, so wait for a while. It depends on the processing performance of the device being set up, but on the ASA5508-X it completes in roughly 30 minutes.

************ Attention *********

   Initializing the configuration database.  Depending on available
   system resources (CPU, memory, and disk), this may take 30 minutes
   or more to complete.

************ Attention *********

Executing S09database-init [ OK ]
Executing S11database-populate [ OK ]
Executing S12install_infodb

 

 

3. When managing with FDM

When the steps through section 2 are complete, console access becomes available after a while; log in with user name/password admin/Admin123. After confirming acceptance of the EULA, set a new password of your choice and configure the management settings. To manage the device locally with FDM, answer "yes" to the "Manage the device locally?" prompt.

Copyright (c) 1996-2016 by Cisco Systems, Inc.

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!WARNING: This command will not take effect until interface 'diagnostic' has been initialized with at least one global IPv6 address
*** Output from config line 36, "ip-client diagnostic ipv..."
WARNING: This command will not take effect until interface 'diagnostic' has been assigned an IPv4 address
*** Output from config line 37, "ip-client diagnostic"
WARNING: This command will not take effect until interface 'inside' has been initialized with at least one global IPv6 address
*** Output from config line 38, "ip-client inside ipv6"
WARNING: This command will not take effect until interface 'outside' has been initialized with at least one global IPv6 address
*** Output from config line 40, "ip-client outside ipv6"
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 41, "ip-client outside"
ERROR: Inspection not installed or parameters do not match
*** Output from config line 57, "no inspect esmtp"

Cryptochecksum (changed): a5939d80 45cddd58 bf729a5c e614f6f3

INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Failed logins since the last login: 0.

Cisco ASA5508-X Threat Defense v6.2.2 (build 81)
firepower login: admin
Password: <----- !! Input Admin123 !!
Last login: Tue Dec 5 16:51:55 UTC 2017 on ttyS1

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.2 (build 11)
Cisco ASA5508-X Threat Defense v6.2.2 (build 81)

You must accept the EULA to continue.
Press <ENTER> to display the EULA: <----- !! Press Enter !!
END USER LICENSE AGREEMENT

- snip -

Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.

Please enter 'YES' or press <ENTER> to AGREE to the EULA: yes <---- !! Enter YES or Press Enter !!

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <----- !! input new admin Password !!
Confirm new password: <----- !! input new admin Password, again!!
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 1.0.0.46
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.0.0.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 1.0.0.1
Enter a fully qualified hostname for this system [firepower]: ftd5508
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: none
Enter a comma-separated list of search domains or 'none' []: none
If your networking information has changed, you will need to reconnect.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
DCHP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes <----- !! Enable local management !!
Configuring firewall mode to routed


Update policy deployment information
- add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

 
Access the management IP of the FTD device over https from any web browser. On first access the initial device setup screen appears; if it is not needed, click "Skip device setup" to skip it.

[Image: FDM.png]

Clicking "Smart License" at the lower right of the Device Dashboard lets you enable a smart license or an evaluation license.

[Image: FDN-login.png]

 

For details on configuration and management with FDM after the initial setup, refer to the following configuration guide.

Cisco Firepower Threat Defense Version 6.2 Configuration Guide (for Firepower Device Manager)

 

 

4. When managing with FMC

When the steps through section 2 are complete, console access becomes available after a while; log in with user name/password admin/Admin123. After confirming acceptance of the EULA, set a new password of your choice and configure the management settings. Since the device will be managed by FMC rather than locally with FDM, answer "no" to the "Manage the device locally?" prompt.

Copyright (c) 1996-2016 by Cisco Systems, Inc.

Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Reading from flash...
!WARNING: This command will not take effect until interface 'diagnostic' has been initialized with at least one global IPv6 address
*** Output from config line 36, "ip-client diagnostic ipv..."
WARNING: This command will not take effect until interface 'diagnostic' has been assigned an IPv4 address
*** Output from config line 37, "ip-client diagnostic"
WARNING: This command will not take effect until interface 'inside' has been initialized with at least one global IPv6 address
*** Output from config line 38, "ip-client inside ipv6"
WARNING: This command will not take effect until interface 'outside' has been initialized with at least one global IPv6 address
*** Output from config line 40, "ip-client outside ipv6"
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
*** Output from config line 41, "ip-client outside"
ERROR: Inspection not installed or parameters do not match
*** Output from config line 57, "no inspect esmtp"

Cryptochecksum (changed): a5939d80 45cddd58 bf729a5c e614f6f3

INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Failed logins since the last login: 0.

Cisco ASA5508-X Threat Defense v6.2.2 (build 81)
firepower login: admin
Password:          <----- !! Input Admin123 !!
Last login: Wed Dec 6 01:22:08 UTC 2017 on ttyS1

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.2 (build 11)
Cisco ASA5508-X Threat Defense v6.2.2 (build 81)

You must accept the EULA to continue.
Press <ENTER> to display the EULA:     <---- !! Press Enter !!

- snip -

Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.

Please enter 'YES' or press <ENTER> to AGREE to the EULA: <---- !! Enter YES or Press Enter !!

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <----- !! input new admin Password !!
Confirm new password: <----- !! input new admin Password, again!!
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 1.158.158.45
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.0.0.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 1.0.0.1
Enter a fully qualified hostname for this system [firepower]: FTD5508
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]: none
Enter a comma-separated list of search domains or 'none' []: none
If your networking information has changed, you will need to reconnect.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
Interface br1 is not reporting link speed... count:0 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 3012.
IFTOOL did not report proper interface speed for br1: 'N/A' at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 885.
DCHP Server Disabled
The DHCP server has been disabled. You may re-enable with configure network ipv4 dhcp-server-enable
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: no <---- !! Disable local management !!
DCHP Server Disabled
Configure firewall mode? (routed/transparent) [routed]: routed
Configuring firewall mode ...


Update policy deployment information
- add device configuration
- add network discovery
- add system policy

You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.

When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'

However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
>

 

Enter the Manager (FMC) connection settings.

> 
> configure manager add 1.0.0.2 12345 <---- !! Enter Manager information !!
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

> show managers 
Host : 1.0.0.2
Registration Key : ****
Registration : pending
RPC Status : 
> 

 

Log in to the Manager (FMC) GUI and add the 5508-X as a Device. (Enter the device information and click Register.)

[Image: FMC1.PNG]

 

After registration completes, the 5508-X is displayed on the FMC.

[Image: FMC3.PNG]

 

The Manager can also be confirmed from the CLI of the 5508-X.

> show managers
Type : Manager
Host : 1.0.0.2
Registration : Completed

>

 

 

References

Reimage the Cisco ASA or Firepower Threat Defense Device

Reimaging from ASA to FTD and initial setup procedure (when using FDM)
