Cisco Firepower 4110, Firepower 4140, Firepower 4120, Firepower 9300 Preparative Procedures & Operational User Manual

Cisco Preparative Procedures & Operational User Guide
Preparative Procedures & Operational User Guide for Firepower 4100 and 9300
© 2016 Cisco Systems, Inc. All rights reserved.
Prepared by:
Cisco Systems, Inc.,
170 West Tasman Drive, San Jose,
CA 95134-1706 USA
Table of Contents
1 Introduction
1.1 Common Criteria (CC) Evaluated Configuration
1.2 References
2 Operational Environment
2.1 Operational Environment Components
2.2 Environmental Assumptions
3 Before Installation
4 Assurance Activity Configuration
4.1 Logging into the Appliance
4.1.1 Log In or Out of the Firepower Chassis Manager
4.1.2 Login to CLI Remotely
4.1.3 Login to CLI Locally
4.1.4 Logout
4.2 Auditable Events
4.3 Enable FIPS and CC Mode
4.3.1 Enable FIPS Mode
4.3.2 Enable Common Criteria (CC) Mode
4.3.3 Generate the SSH Host Key
4.4 Configure Secure Connection with Audit Server and AAA Server
4.4.1 Configure Syslog via CLI
4.4.2 Configure Syslog via GUI
4.4.3 Configure LDAP via CLI
4.4.4 Configure RADIUS via CLI
4.4.5 Configure TACACS+ via CLI
4.4.6 Configure LDAP via GUI
4.4.7 Configure RADIUS via GUI
4.4.8 Configure TACACS+ via GUI
4.4.9 Configure IPsec Secure Channel
4.4.10 Configure Static CRL for a Trustpoint
4.4.11 Set the LDAP Keyring Certificate
4.5 Management Functions
4.5.1 IP Management and Pre-Login Banner
4.5.2 Image Management
4.5.2.1 Download Images from Cisco.com
4.5.2.2 Copy Platform Bundle Image to the FXOS Chassis via CLI
4.5.2.3 Verifying the Integrity of an Image
4.5.2.4 Upload Platform Bundle Image via GUI
4.5.2.5 Update the Platform Bundle Image via CLI
4.5.2.6 Update the Platform Bundle Image via GUI
4.5.2.7 Copy Application Image to FXOS Chassis
4.5.2.8 Update Application Image via CLI
4.5.2.9 Update Application Image via GUI
4.5.3 User and Role Management
4.5.4 Configure Time Synchronization
4.5.5 Configure SSH Access
4.5.5.1 Configure SSH via CLI
4.5.5.2 Configure SSH via GUI
4.5.6 Configure PKI
4.5.6.1 Certificates and Trust Points
4.5.6.2 Creating a Key Ring
4.5.6.3 Creating a Certificate Request for a Key Ring
4.5.6.4 Creating a Trust Point
4.5.6.5 Importing a Certificate into a Key Ring
4.5.6.6 Configuring HTTPS
4.5.7 Logical Device Management
4.5.7.1 Create an ASA Logical Device via CLI
4.5.7.2 Create an ASA Logical Device via GUI
4.5.7.3 Delete an ASA Logical Device via CLI
4.5.7.4 Delete an ASA Logical Device via GUI
4.6 Self-Tests
1 Introduction
The Cisco Firepower eXtensible Operating System (FXOS) chassis (also known as the Supervisor Blade) is a next-generation platform for network and content security solutions. The FXOS chassis is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The FXOS chassis provides the following features:
• Modular chassis-based security system – provides high performance, flexible input/output configurations, and scalability.
• Firepower Chassis Manager – a graphical user interface that provides a streamlined, visual representation of current chassis status and simplified configuration of chassis features.
• FXOS CLI – a command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
The Cisco Firepower (FP) 9300 security appliance is a modular, scalable, carrier-grade appliance that includes the chassis (including fans and power supply), the Supervisor Blade (which manages the security application running on the security module), an optional network module, and a security module that contains the security application, which in this evaluation is the ASA. The FP 4100 Series appliance is a complete standalone, bundled unit that contains everything listed above in one appliance. To manage the FP 9300 and 4100 Series appliances, FXOS provides a command-line interface (CLI) and a web GUI known as the Firepower Chassis Manager. The ASA installed on the security module is managed separately and is described in the corresponding document specified in section 1.3.
This document is a supplement to the Cisco administrative guidance, which consists of the installation and administration documents identified in section 1.3. This document supplements those manuals by specifying how to install, configure and operate this product in the Common Criteria evaluated configuration. This document is referred to as the operational user guide in the Network Devices collaborative Protection Profile (NDcPP) v1.0 and meets all the required guidance assurance activities from the NDcPP.
1.1 Common Criteria (CC) Evaluated Configuration
The following sections describe the scope of evaluation, required configuration, assumptions, and operational environment that the system must be in to ensure a secure deployment. To ensure the system is in the CC evaluated configuration, the users must do the following:
• Configure all the required system settings and default policy as documented in this guide.
• Disable all the features that would violate the cPP requirements or would make the system vulnerable to attacks, as documented in this guide.
• Ensure all the environmental assumptions in section 2 are met.
• Ensure that your operational environment is consistent with section 2.
• Follow the guidance in this document.
Scope of Evaluation
The list below identifies features or protocols that are not evaluated and the rationale why. Note that this does not mean the features cannot be used in the evaluated configuration. It means that the features were not evaluated and/or validated by an independent third party, and the functional correctness of the implementation rests on vendor assertion.
The following features and protocols are not evaluated:
• Telnet for management purposes – Telnet passes authentication credentials in clear text and is disabled by default.
• FXOS REST API – Allows users to programmatically configure and manage their chassis. The APIs are not evaluated.
Table 1: TOE Series and Models (columns: TOE Configuration; Hardware Configurations; Software Version)

TOE Configuration: FP 4110, FP 4120, FP 4140, FP 4150
Hardware Configurations: The Firepower 4100 chassis contains the following components:
• Network module 1 with eight fixed SFP+ ports (1G and 10G connectivity), the management port, RJ-45 console port, Type A USB port, PID and S/N card, locator indicator, and power switch
• Two network module slots (network module 2 and network module 3)
• Two (1+1) redundant power supply module slots
• Six fan module slots
• Two SSD bays
Software Version: FXOS release 2.0.1 and ASA release 9.6.2

TOE Configuration: FP 9300
Hardware Configurations: The Firepower 9300 chassis contains the following components:
• Firepower 9300 Supervisor – chassis supervisor module; management port; RJ-45 console port; Type A USB port; eight ports for 1 or 10 Gigabit Ethernet SFPs (fiber and copper)
• Firepower 9300 Security Module – up to three security modules; 800 GB of solid state storage per security blade (2 x 800 GB solid state drives running RAID1)
• Firepower Network Module – two single-wide network modules or one double-wide network module
• Two power supply modules (AC or DC)
• Four fan modules
Software Version: FXOS release 2.0.1 and ASA release 9.6.2

1.2 References
TOE (Target of Evaluation) References
ASDM – Release 7.6 (included on all ASA 9.6.2)
Documentation References
The Cisco Firepower System documentation set includes online help and PDF files. The following product guidance documents are provided online or by request:
• Cisco ASA for Firepower 4100 Quick Start Guide, Last Updated: May 9, 2016
• Cisco ASA for Firepower 9300 Quick Start Guide, Last Updated: May 9, 2016
• Cisco FXOS CLI Configuration Guide, 2.0(1), First Published: April 12, 2016
• Cisco FXOS Firepower Chassis Manager Configuration Guide, 2.0(1), First Published: April 12, 2016
• Cisco Firepower 4100 Series Hardware Installation Guide, Last Updated: April 6, 2016
• Cisco Firepower 9300 Hardware Installation Guide, Last Updated: August 23, 2016
• Cisco Adaptive Security Appliance (ASA) 9.6 Preparative Procedures & Operational User Guide for the Common Criteria Certified configuration, Version 0.2, August 28, 2016
• Cisco Common Criteria Supplemental User Guide, Version 0.1, September 8, 2016 [This Document]
At any time, you can type the ? character to display the options available at the current state of the command syntax. If you have not typed anything at the prompt, typing ? lists all available commands for the mode you are in. If you have partially typed a command, typing ? lists all available keywords and arguments available at your current position in the command syntax.
The most up-to-date versions of the documentation can be accessed on the Cisco Support web site (http://www.cisco.com/c/en/us/support/index.html).
2 Operational Environment
This section describes the components in the environment and assumptions made about the environment.
2.1 Operational Environment Components
The system can be configured to rely on and utilize a number of other components in its operational environment.
• Management Workstation (Required) – The system supports Command Line Interface (CLI) and web access, and as such an administrator would need a terminal emulator or SSH client (supporting SSHv2) or web browser (supporting HTTPS) to utilize those administrative interfaces.
• Audit server – The system can be configured to deliver audit records to an external log server.
• Authentication servers – The system can be configured to utilize external authentication servers.
• Certificate Authority (CA) server – The system can be configured to import X.509v3 certificates from a CA, e.g., for the TLS connection to the syslog server.
• NTP server – The system can be configured to obtain time from a trusted time source.
• DNS server – The system supports domain name service in the network.
2.2 Environmental Assumptions
The assumptions state the specific conditions that are expected to be met by the operational environment and administrators.
Table 2: Operational Environment Security Measures (columns: Environment Security Objective; Operational Environment Security Objective Definition; Administrator Responsibility)

OE.PHYSICAL
Definition: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
Administrator Responsibility: Administrators must ensure the system is installed and maintained within a secure physical location. This can include a secured building with key card access or within the physical control of an authorized administrator in a mobile environment.

OE.NO_GENERAL_PURPOSE
Definition: There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
Administrator Responsibility: Administrators must not add any general-purpose computing capabilities (e.g., compilers or user applications) to the system.

OE.TRUSTED_ADMIN
Definition: TOE Administrators are trusted to follow and apply all guidance documentation in a trusted manner.
Administrator Responsibility: Administrators must be properly trained in the usage and proper operation of the system and all the enabled functionality. These administrators must follow the provided guidance.

OE.UPDATES
Definition: The TOE firmware and software are updated by an administrator on a regular basis in response to the release of product updates due to known vulnerabilities.
Administrator Responsibility: Administrators must regularly update the system to address any known vulnerabilities.

OE.ADMIN_CREDENTIALS_SECURE
Definition: The administrator's credentials (private key) used to access the TOE must be protected on any other platform on which they reside.
Administrator Responsibility: Administrators must protect their access credentials wherever they may be.
3 Before Installation
Before you install your appliance, Cisco highly recommends that users consider the following:
• Locate the Cisco FirePOWER System appliance in a lockable rack within a secure location that prevents access by unauthorized personnel.
• Allow only trained and qualified personnel to install, replace, administer, or service the Cisco appliance.
• Always connect the management interface to a secure internal management network that is protected from unauthorized access.
Audience
This document is written for administrators configuring the Cisco Firepower system 4100 and 9300. This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you are trained to use the Internet and its associated terms and applications.
Supported Web Browser
Mozilla Firefox – Version 42 and later
Google Chrome – Version 47 and later
4 Assurance Activity Configuration
This section has the required guidance and settings as specified in the NDcPP.
4.1 Logging into the Appliance
4.1.1 Log In or Out of the Firepower Chassis Manager
1) To log in to the Firepower Chassis Manager:
a. Using a supported browser, enter the following URL in the address bar:
https://<chassis_mgmt_ip_address>
where <chassis_mgmt_ip_address> is the IP address or host name of the FXOS chassis that you entered during initial configuration.
b. Enter your username and password.
NOTE! Observe that the password is not displayed.
c. Click Login.
The Overview page appears if the authentication was successful. If authentication fails, access will be denied.
Audit Record:
Creation Time: 2015-07-09T08:20:17.030 User: internal Session ID: internal ID: 3330860 Action: Creation Description: Fabric A: local user admin logged in from 172.23.33.113 Affected Object: sys/user-ext/sh-login-admin-pts_5_1_15135 Trigger: Session Modified Properties: id:pts_5_1_15135, name:admin, policyOwner:local
4.1.2 Login to CLI Remotely
You can also connect to the FXOS CLI using SSH. The Firepower eXtensible Operating System supports up to eight simultaneous SSH connections. To connect with SSH, you need to know the hostname or IP address of the FXOS chassis.
Use one of the following syntax examples to log in with an SSH client:
1) Initiate an SSHv2 connection to the appliance at hostname, where hostname corresponds to the host name of the appliance. You can also use the IP address of the appliance.
ssh ucs-auth-domain\\username@{ip-address | ipv6-address | hostname}
ssh ucs-example\\jsmith@192.0.20.11
ssh ucs-example\\jsmith@2001::1
ssh {ip-address | ipv6-address | hostname} -l ucs-auth-domain\\username
ssh 192.0.20.11 -l ucs-example\\jsmith
ssh 2001::1 -l ucs-example\\jsmith
2) Type your password and press Enter.
NOTE! Observe that the password is not displayed.
The standard command prompt appears if the authentication was successful. If authentication fails, access will be denied.
Audit Record:
Creation Time: 2015-07-09T08:20:17.030 User: internal Session ID: internal ID: 3330860 Action: Creation Description: Fabric A: local user admin logged in from 172.23.33.113 Affected Object: sys/user-ext/sh-login-admin-pts_5_1_15135 Trigger: Session Modified Properties: id:pts_5_1_15135, name:admin, policyOwner:local
4.1.3 Login to CLI Locally
You can connect to the FXOS CLI using a terminal plugged into the console port. Verify that the console port parameters on the computer terminal (or console server) attached to the console port are as follows:
9600 baud
8 data bits
No parity
1 stop bit
4.1.4 Logout
1) For a web session, point at your username in the navigation bar and then select Logout.
2) Close the web browser.
3) For the CLI, type the command exit.
IMPORTANT! For security purposes, always log out as instructed above when you are finished using the management interface. Do NOT rely solely on the inactivity timeout feature.
Audit Record:
Creation Time: 2015-07-09T08:20:02.769 User: internal Session ID: internal ID: 3330856 Action: Deletion Description: Fabric A: user admin terminated session id pts_4_1_10970 Affected Object: sys/user-ext/user-admin/term-pts_4_1_10970 Trigger: Session Modified Properties:
4.2 Auditable Events
The appliances that are part of the Cisco FP 4100 and 9300 System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log. For the CLI, the appliance also generates an audit record for every action executed.
Each appliance generates an audit event for each user interaction with the web interface and for each CLI command executed. Each event includes at least a timestamp, the user name of the user whose action generated the event, a source IP, and text describing the event. The common fields are described in the first table below; the required auditable events, with examples of the records actually generated, are listed in the second table.

Audit record fields (Name – Description):
Creation Time – The date and time of the audit event.
User – The type of user.
Session ID and ID – The session ID associated with the session.
Action – The type of action.
Description – More information about the audit event including user, component (if applicable), event type (success or failure), etc. See the table below for examples.
Affected Object (if any) – The component that is affected.
Trigger – The user role associated with the user.
Modified Properties (if any) – The system properties that were changed by the event.

Required auditable events (columns: SFR – Auditable Event, followed by the Actual Audited Event records). Actual date and time are not shown.

FAU_GEN.1 – Startup and shutdown events
%FPRM-6-AUDIT: [USERNAME][USERNAME][modification][web_45842_A][1385040][sys/svc-ext/syslog/client-secondary][adminState(Old:disabled, New:enabled)][] Syslog Remote Destination IP_ADDRESS modified
%FPRM-6-AUDIT: [USERNAME][USERNAME][modification][web_42962_A][1383935][sys/svc-ext/syslog/client-primary][adminState(Old:enabled, New:disabled)][] Syslog Remote Destination IP_ADDRESS modified

FCS_HTTPS_EXT.1 – Failure to establish an HTTPS session.
See FCS_TLSS_EXT.1.

FCS_IPSEC_EXT.1 – Failure to establish an IPsec SA.
%AUTHPRIV-6-SYSTEM_MSG: 05[IKE] IKE_SA test2[3] established between IP_ADDRESS [C=US, ST=CA, O=cisco, OU=STBU, CN=D_NAME]...IP_ADDRESS [C=US, O=Luo, CN=D_NAME] - charon-custom
%AUTHPRIV-6-SYSTEM_MSG: 15[IKE] IKE SA key size (128) is less then CHILD SA key size (256), sa strength violation - charon-custom
%AUTHPRIV-6-SYSTEM_MSG: 15[IKE] failed to establish CHILD_SA, keeping IKE_SA - charon-custom
%AUTHPRIV-6-SYSTEM_MSG: 15[IKE] received AUTH_LIFETIME of 9850s, scheduling reauthentication in 8410s - charon-custom
2017 Jan 31 10:10:04 mio4-A %AUTHPRIV-6-SYSTEM_MSG: 15[IKE] sending DELETE for ESP CHILD_SA with SPI cd365fb3 - charon-custom

FCS_SSHS_EXT.1 – Failure to establish an SSH session
%FPRM-6-AUDIT: [session][internal][creation][internal][213987][sys/user-ext/sh-login-admin-pts_0_1_4614][id:pts_0_1_4614, name: USERNAME, policyOwner:local][] Fabric A: local user USERNAME logged in from IP_ADDRESS
%AUTHPRIV-6-SYSTEM_MSG: pam_unix(sshd:session): session closed for user USERNAME – sshd[25700]
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USERNAME from IP_ADDRESS - sshd[3094]
FCS_SSHS_EXT.1 – Successful SSH rekey
%DAEMON-7-SYSTEM_MSG: debug1: set_newkeys: rekeying - sshd[29140]

FCS_TLSC_EXT.2 – Failure to establish a TLS session
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH01964: Connection to child 124 established (server IP_ADDRESS:443) - httpd[8926]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 19718:tid 1953270672] [client IP_ADDRESS:60106] AH02008: SSL library error 1 in handshake (server IP_ADDRESS:443) - httpd[19718]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 19718:tid 1953270672] SSL Library Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate? - httpd[19718]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH02008: SSL library error 1 in handshake (server IP_ADDRESS:443) - httpd[8926]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] SSL Library Error: error:14076129:SSL routines:SSL23_GET_CLIENT_HELLO:only tls allowed in fips mode - httpd[8926]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH01998: Connection closed to child 124 with abortive shutdown (server IP_ADDRESS:443) - httpd[8926]

FCS_TLSS_EXT.1 – Failure to establish a TLS session
%FPRM-6-AUDIT: [session][internal][creation][internal][211634][sys/user-ext/web-login-admin-web_60027_A][id:web_60027_A, name: USERNAME policyOwner:local][] Web A: local user USERNAME logged in from IP_ADDRESS
%FPRM-6-AUDIT: [session][internal][deletion][internal][1205449][sys/user-ext/user- USERNAME / term-web_27244_A][sys/user-ext/user- USERNAME /term-web_27244_A][] Fabric A: user USERNAME terminated session id ttyS0_1_3038
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USERNAME from IP_ADDRESS - httpd[8515]
%AUTHPRIV-5-SYSTEM_MSG: pam_unix(aaa:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user= USERNAME - aaad
%LOCAL0-6-SYSTEM_MSG: authentication failed - httpd[8501]
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USERNAME from IP_ADDRESS - httpd[8501]
%AUTHPRIV-5-SYSTEM_MSG: Login failed for user USERNAME - httpd[8501]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH02008: SSL library error 1 in handshake (server IP_ADDRESS:443) - httpd[8926]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] SSL Library Error: error:14076129:SSL routines:SSL23_GET_CLIENT_HELLO:only tls allowed in fips mode - httpd[8926]
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH01998: Connection closed to child 124 with abortive shutdown (server IP_ADDRESS:443) - httpd[8926]

FIA_UIA_EXT.1 – All use of the identification and authentication mechanism.
See FIA_UAU_EXT.2.

FIA_UAU_EXT.2 – All use of the identification and authentication mechanism.
%FPRM-6-AUDIT: [session][internal][creation][internal][213524][sys/user-ext/sh-login-admin-ttyS0_1_6336][id:ttyS0_1_6336, name: USERNAME, policyOwner:local][] Fabric A: local user USERNAME logged in from console
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user USERNAME from console - login
Fabric A: user USERNAME terminated session id pts_0_1_7451 Affected Object: sys/user-ext/user-admin/term-pts_0_1_7451

FIA_X509_EXT.1 – Unsuccessful attempt to validate a certificate
%AUTHPRIV-6-SYSTEM_MSG: 11[IKE] sending end entity cert "C=US, ST=CA, O=Cisco, OU=STBU, CN=D_NAME" - charon-custom
%AUTHPRIV-6-SYSTEM_MSG: 11[IKE] establishing CHILD_SA test - charon-custom
%AUTHPRIV-6-SYSTEM_MSG: 07[IKE] received AUTHENTICATION_FAILED notify error - charon-custom

FMT_MOF.1(1)/TrustedUpdate – Any attempt to initiate a manual update
%FPRM-6-EVENT: [E4197594][213626][transition][internal][] [FSM:STAGE:SKIP]: Request to upgrade software on server 1/1(FSM-STAGE:sam:dme:ComputePhysicalAssociate:updateSspOsSoftware) IP_ADDRESS 24/01 14:32:21.966

FMT_MOF.1(1)/AdminAct – Modification of the behaviour of the TSF.
See FMT_MTD.1.

FMT_MOF.1(2)/AdminAct – Starting and stopping of services.
%FPRM-6-AUDIT: [USERNAME][USERNAME][modification][web_45842_A][1385040][sys/svc-ext/syslog/client-secondary][adminState(Old:disabled, New:enabled)][] Syslog Remote Destination IP_ADDRESS modified
%FPRM-6-AUDIT: [USERNAME][USERNAME][modification][web_42962_A][1383935][sys/svc-ext/syslog/client-primary][adminState(Old:enabled, New:disabled)][] Syslog Remote Destination IP_ADDRESS modified

FMT_MTD.1 – All management activities of TSF data.
%FPRM-6-AUDIT: [USERNAME][USERNAME][creation][pts_0_1_16141][229312][sys/user-ext/pre-login-banner][message:This is a CC test banner , policyOwner:local][] PreLoginBanner created
%AUTHPRIV-5-SYSTEM_MSG: USERNAME : TTY=ttyS0 ; PWD=/bootflash/sysdebug/coremgmt/sam_dump ; USER=root ; COMMAND=command – sudo

FPT_TUD_EXT.1 – Initiation of update; result of the update attempt (success or failure)
%FPRM-6-EVENT: [E4197594][213626][transition][internal][] [FSM:STAGE:SKIP]: Request to upgrade software on server 1/1(FSM-STAGE:sam:dme:ComputePhysicalAssociate:updateSspOsSoftware) IP_ADDRESS 24/01 14:32:21.966
%FPRM-6-EVENT: [E4195294][315220][transition][internal][] [FSM:STAGE:ASYNC]: unpacking image fxos-k9.2.0.1.135.SPA on primary(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:UnpackLocal) IP_ADDRESS 24/01 16:17:34.001
%FPRM-6-EVENT: [E4195293][181179][transition][internal][] [FSM:STAGE:REMOTE-ERROR]: Result: end-point-failed Code: ERR-DNLD-invalid-image Message: invalid image#(sam:dme:FirmwareDownloaderDownload:Local) IP_ADDRESS 24/01 14:02:54.555

FPT_STM.1 – Changes to the time.
%AUTHPRIV-5-SYSTEM_MSG: USERNAME : TTY=ttyS0 ; PWD=/bootflash/sysdebug/coremgmt/sam_dump ; USER=root ; COMMAND=/bin/date -s Sat Aug 15 12:30:00 2020 – sudo
%AUTHPRIV-5-SYSTEM_MSG: USERNAME : TTY=ttyS0 ; PWD=/bootflash/sysdebug/coremgmt/sam_dump ; USER=root ; COMMAND=/isan/bin/check_ntp_server.sh - sudo
switch A: cmd: set clock oct 31 2016 6 20 0 from 2016-11-01T01:17:30.679, logged in from console on term /dev/ttyS0: Local mgmt command executed

FTA_SSL_EXT.1 – Any attempts at unlocking of an interactive session.
%FPRM-6-AUDIT: [session][internal][deletion][internal][1313572][sys/user-ext/user- USERNAME /term-ttyS0_1_7995][sys/user-ext/user-admin/term-ttyS0_1_7995][] Fabric A: system terminated session id ttyS0_1_7995 of user USERNAME due to idle timeout

FTA_SSL.3 – The termination of a remote session by the session locking mechanism.
%FPRM-6-AUDIT: [session][internal][deletion][internal][1204232][sys/user-ext/remoteuser- USERNAME /term-web_16073_A][sys/user-ext/remoteuser-USERNAME /term-web_16073_A][] Web A: system terminated Web session id web_16073_A of user USERNAME due to idle timeout

FTA_SSL.4 – The termination of an interactive session.
%FPRM-6-AUDIT: [session][internal][deletion][internal][1204385][sys/user-ext/user- USERNAME /term-pts_0_1_12413][sys/user-ext/user- USERNAME /term-pts_0_1_12413][] Fabric A: system terminated session id pts_0_1_12413 of user USERNAME due to idle timeout
%FPRM-6-AUDIT: [session][internal][deletion][internal][1205445][sys/user-ext/user- USERNAME /term-ttys0_1_3038][sys/user-ext/user- USERNAME /term-ttys0_1_3038][] Fabric A: user USERNAME terminated session id ttyS0_1_3038

FTP_ITC.1 – Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
IPsec:
%AUTHPRIV-6-SYSTEM_MSG: 05[IKE] IKE_SA test2[3] established between IP_ADDRESS [C=US, ST=CA, O=cisco, OU=STBU, CN=D_NAME]...IP_ADDRESS [C=US, O=Luo, CN=D_NAME] - charon-custom
2017 Jan 31 10:10:04 mio4-A %AUTHPRIV-6-SYSTEM_MSG: 15[IKE] sending DELETE for ESP CHILD_SA with SPI cd365fb3 - charon-custom
%AUTHPRIV-6-SYSTEM_MSG: 15[IKE] failed to establish CHILD_SA, keeping IKE_SA - charon-custom
TLS:
%USER-6-SYSTEM_MSG: [ssl:info] [pid 8926:tid 1823603600] [client IP_ADDRESS:60782] AH01964: Connection to child 124 established (server
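As an added illustration of how the record formats in this section can be consumed by a log collector, the following Python script (an example added here, not Cisco code and not part of this guide) parses the bracketed %FPRM-6-AUDIT syslog format, the pam_aaa authentication-failure lines, and the "Name: value" Chassis Manager audit record shown in section 4.1, then applies three defender-side checks: a syslog remote destination being set to disabled (the audit-function shutdown case listed under FAU_GEN.1 and FMT_MOF.1(2)), repeated authentication failures from one source, and sessions terminated by the idle timeout (FTA_SSL.3 / FTA_SSL.4). The sample lines are constructed from the table above with USERNAME and IP_ADDRESS replaced by made-up values; the rule names, the threshold of three failures and the function names are assumptions of this example, not anything the guide specifies.

```python
"""Parse FXOS audit/syslog records and flag security-relevant events.

Added example, not Cisco code. Sample lines are constructed from the
Auditable Events table with the placeholders USERNAME and IP_ADDRESS
replaced by made-up values; rule names and the failure threshold are
assumptions of this example.
"""
import re
from collections import Counter

# %FPRM-6-AUDIT: [user][user][action][session][id][affected DN][modified properties][] message
FPRM_AUDIT_RE = re.compile(
    r"%FPRM-6-AUDIT: "
    r"\[(?P<user>[^\]]*)\]\[(?P<user2>[^\]]*)\]\[(?P<action>[^\]]*)\]"
    r"\[(?P<session>[^\]]*)\]\[(?P<id>\d+)\]\[(?P<dn>[^\]]*)\]"
    r"\[(?P<props>[^\]]*)\]\[\]\s*(?P<message>.*)$"
)
# A property change inside the modified-properties field: adminState(Old:enabled, New:disabled)
PROP_CHANGE_RE = re.compile(r"(\w+)\(Old:([^,)]*), New:([^)]*)\)")
# PAM authentication failures reported by sshd, httpd or the console login process
AUTH_FAIL_RE = re.compile(
    r"%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user "
    r"(?P<user>\S+) from (?P<source>\S+) - (?P<daemon>[^\s\[]+)"
)
# A CLI or Web session closed by the inactivity timeout
IDLE_TIMEOUT_RE = re.compile(
    r"terminated (?:Web )?session id (?P<session>\S+) of user (?P<user>\S+) due to idle timeout"
)
# Field names of the Chassis Manager audit record shown in section 4.1
GUI_FIELDS = ("Creation Time", "Session ID", "Affected Object", "Modified Properties",
              "User", "ID", "Action", "Description", "Trigger")
_GUI_NAMES = "|".join(re.escape(f) for f in GUI_FIELDS)
GUI_RECORD_RE = re.compile(rf"(?P<name>{_GUI_NAMES}):\s*(?P<value>.*?)(?=\s(?:{_GUI_NAMES}):|$)")


def parse_line(line):
    """Classify one syslog line; returns a dict, or None for lines the rules do not use."""
    m = FPRM_AUDIT_RE.search(line)          # search, not match: a timestamp/host prefix may precede
    if m:
        rec = m.groupdict()
        rec["kind"] = "audit"
        rec["changes"] = {name: (old, new) for name, old, new in PROP_CHANGE_RE.findall(rec["props"])}
        return rec
    m = AUTH_FAIL_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "auth_failure"
        return rec
    return None


def parse_gui_record(record):
    """Split a Chassis Manager audit record (one line of 'Name: value' pairs) into a dict."""
    return {m.group("name"): m.group("value") for m in GUI_RECORD_RE.finditer(record)}


def analyze(log_text, failure_threshold=3):
    """Run the three example rules over a block of syslog lines and return the findings."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "auth_failure":
            failures[(rec["user"], rec["source"])] += 1
            continue
        # Rule 1: a syslog remote destination switched off means audit export stopped
        admin_state = rec["changes"].get("adminState")
        if rec["dn"].startswith("sys/svc-ext/syslog/client-") and admin_state and admin_state[1] == "disabled":
            findings.append({"rule": "AUDIT_EXPORT_DISABLED", "user": rec["user"],
                             "dn": rec["dn"], "session": rec["session"]})
        # Rule 2: session closed by the inactivity timeout (worth correlating with FTA_SSL.3/4)
        idle = IDLE_TIMEOUT_RE.search(rec["message"])
        if idle:
            findings.append({"rule": "IDLE_TIMEOUT", "user": idle.group("user"), "session": idle.group("session")})
    # Rule 3: repeated authentication failures for one user from one source
    for (user, source), count in sorted(failures.items()):
        if count >= failure_threshold:
            findings.append({"rule": "REPEATED_AUTH_FAILURE", "user": user, "source": source, "count": count})
    return findings


# Constructed sample input (USERNAME/IP_ADDRESS from the table replaced by made-up values).
SAMPLE_LOG = """\
%FPRM-6-AUDIT: [session][internal][creation][internal][213987][sys/user-ext/sh-login-admin-pts_0_1_4614][id:pts_0_1_4614, name:admin, policyOwner:local][] Fabric A: local user admin logged in from 192.0.2.10
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.77 - sshd[3094]
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.77 - sshd[3101]
2017 Jan 31 10:10:04 mio4-A %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 192.0.2.77 - httpd[8515]
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user auditor from console - login
%DAEMON-7-SYSTEM_MSG: debug1: set_newkeys: rekeying - sshd[29140]
%FPRM-6-AUDIT: [admin][admin][modification][web_42962_A][1383935][sys/svc-ext/syslog/client-primary][adminState(Old:enabled, New:disabled)][] Syslog Remote Destination 192.0.2.50 modified
%FPRM-6-AUDIT: [session][internal][deletion][internal][1204385][sys/user-ext/user-admin/term-pts_0_1_12413][sys/user-ext/user-admin/term-pts_0_1_12413][] Fabric A: system terminated session id pts_0_1_12413 of user admin due to idle timeout
"""
# Constructed Chassis Manager record in the format of section 4.1 (source address made up).
GUI_SAMPLE = ("Creation Time: 2015-07-09T08:20:17.030 User: internal Session ID: internal ID: 3330860 "
              "Action: Creation Description: Fabric A: local user admin logged in from 192.0.2.10 "
              "Affected Object: sys/user-ext/sh-login-admin-pts_5_1_15135 Trigger: Session "
              "Modified Properties: id:pts_5_1_15135, name:admin, policyOwner:local")

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(parse_gui_record(GUI_SAMPLE))
```

The detector keys on the affected object DN (sys/svc-ext/syslog/client-primary and client-secondary) rather than on the free-text message, because the DN and the Old/New property pair are the structured parts of the record; the message text is only used for the idle-timeout rule, where the record carries no property change.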