Cisco Firepower 1010 First Look – Unboxing to Basic Setup

I recently acquired a Cisco Firepower 1010, which is the latest version of Cisco’s unified threat management (UTM) or you could say next generation (term that I’m not a fan of) security appliance. Basically, it does the following:

  • Stateful Firewall (Base license)
  • Application Visibility and Controls (Base license)
  • Content Filtering (URL license)
  • Reputation Security (URL license)
  • VPN concentrator (RA VPN license)
  • IDS/IPS (Threat license)
  • Antimalware / Breach Analysist (Malware License)

Some features come out of the box while others are based on certain licenses. The idea is you license what you need however, out of the box, you can enable everything for 90 days (which is what I did for this walkthrough). Here is a shot of the license page once enabled. Each license is explained. I tagged the features above with the associated licenses. 

At first look, the size of the appliance is pretty nice. There isn’t a fan so its quiet. Here is an image of the Firepower 1010 placed next to my Meraki MX64. They are both about the same size however the meraki is a little thinner. The 1010 is basically a similar size to a ASA5506.

The setup for a new Firepower 1010 looks like this. The assumption is I’m using the cloud management option for this appliance. I could also use a local manager (Firepower manager) however, I want to keep things simple and check out the newer cloud management interface for this post known as Firepower Device Manager (FDM).

I plugged in the Firepower 1010 behind my Meraki via port 1/1 via a DHCP port for setup purposes aka modem to meraki to this bad boy with the goal of replacing the Meraki with the 1010 once things were configured. Upon powering on the Firepower 1010 and receiving a link light on my laptop connected to port 1/2, I tried to access the management GUI and got a screen asking me to wait a few minutes via “maintenance mode”. BTW, for those old school ASA people, the setup is all GUI aka you plug into the Firepower appliance ethernet port, wait for DHCP and go to the management IP of https://192.168.1.1 rather than having to go straight in with a console cable (even though a console port still exists). After about 5 minutes or so, I saw the fancy new login screen.

The default login in admin Admin123. I put that in and was asked for a few things following the Device Setup script as shown.

This image has an empty alt attribute; its file name is FP6-1024x632.png

First, I had to change the password, which had some pain in the A#$# criteria but the right thing for security purposes. Then I changed the NTP.

After answering the startup questions, I had to choose my license. I selected the 90 day demo so I could try everytihng out. Once licensed, a ton of things opened up on the dashboard as shown.

At this point, I was ready to configure my Firepower. The first step was looking at what type of access I should permit and deny. By default, I had NAT setup to permit everything from the inside out. The next image represents this basic policy.

Here I could apply any personal policy filtering such as denying adult material as well as security filtering such as preventing a fake website that is known for provisioning malware. Stats such as how long the website has been online, where its hosted, if the domain owner is associated with malware are just a few of the aspects used to “credit score” a website. Both content filter and reputation security categories are part of the URL license.

Next, I wanted to add IPS and Breach / File analysis. Before doing so, it made sense to update all subscriptions to ensure I have the latest threat intelligence. I was surprised by the number of updates that were available as shown.

Regarding IPS, I had some default categories to use, which I went with connectivity over security. My goal would be to tune this at a later time once my Firepower 1010 learns more about my network through application visibility.

I didn’t tackle SSL, but have plans later this week to enable SSL so all traffic can be evaluated by the IPS. (Quick note on this. SSL would only apply to traffic evaluated by the IPS. The reputation and content filter would be applied before a encrypted session would occur. Anything post encryption such as files evaluated by AMP would also not be impacted by SSL.).

My malware policy was pretty straight forward. I chose to have files evaluated regardless of type. I plan to go back later this week and break down my malware policy into local and cloud evaluation of specific file types. I’ll post both about the SSL setup and Malware configuration for a part 2 of this post. Look out for that next week.

VN:F [1.9.22_1171]
Rating: 2.8/5 (5 votes cast)
Cisco Firepower 1010 First Look – Unboxing to Basic Setup, 2.8 out of 5 based on 5 ratings

One thought on “Cisco Firepower 1010 First Look – Unboxing to Basic Setup”

  1. Do you know which software version will enable the poe+ feature on ports 7/8 (and erase the false advertisement of the FP1010)?

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.