The information in this document is based on these hardware and software versions:
FireAMP Private Cloud 3.0.1
VMware ESXi 5.0 or greater
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Installation and Initial Setup
This section provides detailed instructions on how to install the FireAMP Private Cloud on VMware ESXi and perform its initial setup.
1. Deploy an OVA File on an ESX Server
Step 1. Navigate to File > Deploy OVF Template to open the Deploy OVF Template wizard, as shown in the image.
Step 2. Click on Browse… to select an OVA file, and then click on Next. The default OVA settings appear on the OVF Template Details page, as shown in the image. Click on Next.
Step 3. After you provide a name for your FireAMP Private Cloud, provision your virtual disk. Thick Provisioning reserves space when a disk is created. If you select this option, it may improve performance compared with Thin Provisioning. However, this is not mandatory. Now click on Next, as shown in the image.
Step 4. Select a virtual network adapter, as shown in the image. The wizard does not display a selection for both adapters; this is expected behavior. You manually configure a virtual network after the OVA is imported. Click on Next.
Step 5. Confirm the virtual appliance settings and continue to configure the appliance after an OVA is imported, as shown in the image. Click on Finish.
Caution: Do not check the box Power on after deployment.
Step 6. Allow time for the OVA to deploy. This may take 5 to 15 minutes, depending on your network. Click on Close when the deployment is completed.
2. Additional Configuration on ESXi
Once the deployment is completed, you need to configure the Memory and Network Adapter 1 on the FireAMP Private Cloud Virtual Machine (VM) on ESXi.
Step 1. Choose Edit Settings for the VM.
Step 2. Increase the memory for the virtual appliance to a minimum of 16GB.
Step 3. Change the virtual networks for the adapters. Network Adapter 1 works as the Management interface, which you connect to for the configuration, setup, and installation of the appliance. Network Adapter 2 works as the Production interface and connects to the Internet for updates. The endpoints also connect to this interface.
Step 4. As shown in the image, click on OK to save changes. It reconfigures the virtual machine on ESXi.
3. Initial Setup of the vPC Management Interface from the VMware Console
Step 1. Power on the FireAMP Private Cloud VM after you have configured the settings on VMware ESXi. This starts the initial startup process, as shown in the image.
Step 2. After the startup is completed, the Main Menu window appears on the console, as shown in the image.
Note: You notice that the URL shows [UNCONFIGURED] if the interface did not receive an IP address from the DHCP server. Please note that this interface is the Management interface. This is not the Production interface.
You can navigate with the Tab, Enter, and Arrow keys.
Step 3. Navigate to CONFIG_NETWORK and press the Enter key on your keyboard to begin the configuration of the management IP address for the FireAMP Private Cloud. If you do not want to use DHCP, select No and press the Enter key.
Step 4. Enter the IP address, Network Mask and Default Gateway (optional). Navigate to OK, as shown in the image. Press the Enter key.
Step 5. In the window that appears, choose Yes and press the Enter key.
Step 6. After a minute or two, the main console menu reappears, as shown in the image. This time you see an IP address on the URL line. Also, note that a Password is displayed. This is a one-time password which is used on the web-based setup.
4. Initial Configuration of the vPC via web GUI
Step 1. Open a web browser and navigate to the management IP address of the appliance. You may receive a certificate error as the FireAMP Private Cloud initially generates its own HTTPS certificate, as shown in the image. Configure your browser to trust the self-signed HTTPS certificate of the FireAMP Private Cloud.
Step 2. You get a screen to enter a password, as shown in the image. Use the initial password from the console. Click on Login.
Step 3. After you log in, you are required to reset the password. Use the initial password from the console in the Old Password field. Use your new password in the New Password field. Re-enter your new password in the New Password field. Click on Change Password.
Step 4. On the next page scroll down to the bottom to accept the license agreement. Click on I have read and agree.
Step 5. After you accept the agreement, you get the installation screen, as shown in the image. If you want to restore from a backup, you can do that here. However, this guide proceeds with the Clean Installation option. Click on Start in the Clean Installation section.
Step 6. You receive a license and passphrase when you purchase the product. Click on +Upload License File. Choose the license file and enter the passphrase. Click on Upload License. If the upload is unsuccessful, please check if the passphrase is correct. If the upload is successful, a screen with valid license information is displayed. Click on Next. If you still cannot install your license, contact Cisco Technical Support.
Step 7. You receive the Welcome Page, as shown in the image. This page shows you the information you must have before the configuration of the Private Cloud. Read the requirements attentively. Click on Next to start the pre-installation configuration.
Step 8. You get the FireAMP Console Account page. An administrative user is used for the console to create policies, computer groups, and add additional users. Enter Name, Email Address and Password for the Console Account. Click on Next.
Step 9. You get the Hardware Requirements page. During the installation process the installer checks the number of CPU cores and the amount of memory. If your hardware does not meet the requirements, you receive a warning. Click on the Shutdown button to shut down the VM and reconfigure it to meet the requirements, or click on the I understand the risks button to continue the installation. If you choose to continue with hardware requirements not met, your Private Cloud device may experience performance issues and instability.
Step 10. You get the Network Configuration page. On this page, you perform the network configuration for the Production interface, which connects to the Internet for updates, and to your endpoints.
Select an appropriate option from the IP Assignment dropdown menu. If you do not use DHCP, change the dropdown for IP Assignment to Static and enter the desired IP information: the IP address, subnet mask, gateway, and DNS servers in the appropriate fields, as shown in the image. Click on Next (Applies Configuration).
Caution: You should never configure your device to use DHCP unless you have created MAC address reservations for the interfaces. If the IP addresses of your interfaces change, this can cause serious problems with your deployed FireAMP Connectors.
Step 11. You get the Date and Time page. Enter the addresses of one or more NTP servers you want to use for Date and Time synchronization. You can use internal or external NTP servers and specify more than one through a comma or space delimited list. Synchronize the time with your browser or run amp-ctl ntpdate from the device console to force an immediate time synchronization with your NTP servers. Click on Next.
Step 12. You get the Certificate Authorities page, as shown in the image. Click on Add Certificate Authority to add your root certificate.
Step 13. You get the Add Certificate Authority page, as shown in the image. Click on +Add Certificate Root and select your root certificate. Click on Upload once you have selected the correct certificate.
Step 14. On the Certificate Authorities page, click on Next once you have uploaded your certificate authority.
Step 15. You get the Cisco Cloud page, as shown in the image. Select the appropriate Cisco Cloud Region. Expand View Hostnames if you need to create firewall exceptions for your FireAMP Private Cloud device to communicate with the Cisco Cloud for file lookups and device updates. Click on Next.
Step 16. You get the Notifications page, as shown in the image. Select the frequency for critical and regular Notifications. Enter the email addresses you want to receive alert notifications for the FireAMP device. You can use email aliases or specify multiple addresses through a comma-separated list. You can also specify the sender name and email address used by the device. These notifications are not the same as FireAMP Console subscriptions. You can also specify a unique Device Name if you have multiple FireAMP Private Cloud devices. Click on Next.
Step 17. You get the SSH Keys page, as shown in the image. Click on Add SSH Key to enter any public keys you want to add to the device. SSH keys allow you to access the device via a remote shell with root privileges. Only trusted users should be granted access. Your Private Cloud device requires an OpenSSH formatted RSA key. You can add more SSH keys later through Configuration > SSH in your Administration Portal. Click on Next.
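The following added example (not part of the original guide and not Cisco code) checks that a public key line is in the OpenSSH RSA format that Step 17 requires before you paste it, and reports the modulus size. The function names and the sample key line are assumptions made for illustration; the sample is built from made-up numbers and is not a usable key.

```python
import base64
import struct


def _read_string(blob, offset):
    """Read one length-prefixed field: 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field length runs past the end of the key blob")
    return blob[offset + 4:end], end


def rsa_pubkey_bits(line):
    """Return the RSA modulus size in bits for an OpenSSH 'ssh-rsa' public key
    line; raise ValueError for any other format or key type."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, off = _read_string(blob, off)
    modulus, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    return int.from_bytes(modulus, "big").bit_length()


def constructed_sample():
    """Structurally valid line built from made-up numbers; not a usable key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << 2047) | 1).to_bytes(257, "big")  # leading 0x00 keeps it positive
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " admin@example.test"


if __name__ == "__main__":
    print(rsa_pubkey_bits(constructed_sample()), "bit RSA key")
```

PEM-wrapped keys and other key types such as ssh-ed25519 are rejected with a ValueError, which is the cue to export the key again in OpenSSH RSA format.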
Step 18. You get the Services section. On the next pages you need to assign hostnames and upload the appropriate certificate and key pairs for these device services:
Authentication
FireAMP Console
Disposition Server
Disposition Server - Extended Protocol
Disposition Update Service
Firepower Management Center
Caution: Hostnames cannot be changed once the device has finished the installation.
Make a note of the required host names. You need to create six unique DNS A records for the FireAMP Private Cloud. Each record points to the same IP address and must be resolvable by both the FireAMP Private Cloud and the FireAMP endpoints.
On the page for each service, enter the fully qualified domain name of the host, then click Replace Certificate. Click on +Choose Certificate and +Choose Key to upload your matching certificate and key pair for each host. Click on Next to continue.
Note: You can create a separate certificate for each service or use a wildcard certificate for all services.
The Authentication service will be used in future versions of Private Cloud to handle user authentication.
FireAMP Console is the DNS name where the FireAMP administrator can access the FireAMP Console and where FireAMP Connectors receive new policies and updates.
Disposition Server is the DNS name where the FireAMP Connectors send and retrieve cloud lookup information.
Disposition Server - Extended Protocol:
Disposition Server - Extended Protocol is the DNS name where newer FireAMP Connectors send and retrieve cloud lookup information.
Disposition Update Service:
Disposition Update Service is used when you link a Cisco Threat Grid appliance to your Private Cloud device. The Threat Grid appliance is used to send files for analysis from the FireAMP Console and the Disposition Update Service is used by Threat Grid to update the disposition (clean or malicious) of files after they have been analyzed.
Firepower Management Center:
Firepower Management Center Link lets you link a Cisco Firepower Management Center (FMC) device to your Private Cloud device. This allows you to display FireAMP data in your FMC dashboard. For more information on FMC integration with FireAMP see your FMC documentation.
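Because hostnames cannot be changed after installation, it helps to check the plan from Step 18 before you enter it. The following added example (not part of the original guide and not Cisco code) checks that all six services have unique hostnames, that every hostname resolves to the same IP address, and that each one is covered by the DNS names in your certificate, including the one-label limit of a wildcard. The function names, hostnames and IP address are constructed placeholders, and the certificate names are assumed to be supplied by you from the certificate you intend to upload.

```python
import socket

# Service names come from Step 18; every FQDN and IP below is a constructed placeholder.
SERVICES = ("Authentication", "FireAMP Console", "Disposition Server",
            "Disposition Server - Extended Protocol",
            "Disposition Update Service", "Firepower Management Center")


def name_covers(cert_name, host):
    """True if one certificate DNS name covers host; a wildcard stands for
    exactly one left-most label, so it never covers deeper subdomains."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == cert_name[2:]


def preflight(plan, cert_names, expected_ip, resolve=socket.gethostbyname):
    """plan maps service name -> FQDN. Returns a list of problems (empty means OK)."""
    problems = [f"{s}: no hostname planned" for s in SERVICES if s not in plan]
    hosts = [h.lower().rstrip(".") for h in plan.values()]
    for h in sorted({h for h in hosts if hosts.count(h) > 1}):
        problems.append(f"{h}: used for more than one service")
    for svc, host in plan.items():
        try:
            ip = resolve(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"{svc}: {host} does not resolve ({exc})")
        else:
            if ip != expected_ip:
                problems.append(f"{svc}: {host} resolves to {ip}, not {expected_ip}")
        if not any(name_covers(n, host) for n in cert_names):
            problems.append(f"{svc}: {host} is not covered by the certificate names")
    return problems


if __name__ == "__main__":
    labels = ("auth", "console", "disposition", "disposition-extended",
              "disposition-update", "fmc")
    plan = {s: f"{l}.amp.example.test" for s, l in zip(SERVICES, labels)}
    plan["Firepower Management Center"] = "fmc.dc1.amp.example.test"  # too deep for the wildcard
    records = {h: "192.0.2.10" for h in plan.values()}  # stand-in for DNS
    for line in preflight(plan, ["*.amp.example.test"], "192.0.2.10", records.__getitem__):
        print(line)
```

With the default resolver the check uses the DNS settings of the machine it runs on, so run it from a host on the endpoint network as well as from the management side.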
Step 19. You get the Recovery page, as shown in the image. You must download and verify a backup of your configuration before the start of the installation. The recovery file contains all of the configuration as well as the server keys. If you lose the recovery file, you are unable to restore your configuration and ALL FireAMP connectors have to be reinstalled. Without the original key, you have to reconfigure the entire private cloud infrastructure with new keys. The recovery file contains all the configuration related to the opadmin portal. The backup file contains the contents of the recovery file as well as dashboard portal data such as events and connector history. To restore only the opadmin settings without the event data, use the recovery file. If you restore from the backup file, both the opadmin settings and the dashboard portal data are restored.
Click on Download to save the backup to your local computer. Once the file has been downloaded, click on Choose File to upload the backup file and verify that it is not corrupt. Click on Next to verify the file and proceed.
Step 20. You get the Review and Install page, as shown in the image. Review your FireAMP settings before the start of the installation. You can go back to previous steps to change settings through the navigation bar on the left. If you edit any settings you have to download a new backup file with the new settings and verify it. Once you are satisfied with your configuration settings click on Start Installation.
At the time of the installation, you can see an output of the commands that have been performed. This process may take some time and depends on the performance of your ESXi host.
Caution: When you are on this page do not refresh as it may cause issues.
At any time you can download the output log or error log in case you need to contact support due to an installation issue. To do so click on Download Output, as shown in the image.
Step 21. When the installation is completed, you receive a message to reboot the FireAMP device, as shown in the picture. Click on Reboot. When the device has rebooted, you get the FireAMP Administration Portal landing page.
5. Access the vPC Console through a Browser
Once your appliance has rebooted, you can log in to the console web interface. You receive an email to activate the initial account you created. However, since it is the initial account, it is already active.
Step 1. Open a web browser and navigate to the FireAMP Console FQDN. Enter the email address and password from step 8 of section 4, as shown in the image. Click on Log In.
Step 2. You get the End User License Agreement page, as shown in the image. Scroll down to the bottom, select I agree to the terms of the Subscription Agreement and click on Continue.
Step 3. You get the initial FireAMP policy wizard for your environment. It walks you through the selection of the anti-virus product you use, if any, as well as proxy settings and the types of policies you wish to deploy. Click on the appropriate Set Up... button for the operating system of the connector.
Step 4. You get the Existing Security Products page, as shown in the image. Choose the security products you use. It automatically generates applicable exclusions to prevent performance issues on your endpoints. Click on Next.
Step 5. You get the Set Up Proxy page, as shown in the image. Configure proxy settings if you have a proxy. Be sure that you can resolve DNS through your proxy.
Caution: vPC does not support NTLM through proxies.
Step 6. You get the Download Connector page, as shown in the image. Click on Download under the necessary policy to save your connector installation file to your workstation. By default, you download the bootstrap file, which determines system architecture and downloads necessary files to install. Click on Next.
Step 7. You get the Verify, Contain, and Protect page, as shown in the image. To enable Demo Data (optional), click on Enable Demo Data. Demo data is populated on your dashboard with events, detections, and computers so that you can learn how to navigate and use the FireAMP Private Cloud interface. This option can be disabled later. Click on Finished.
Step 8. You get the Setup Complete page, as shown in the image. Click on Finished to exit the wizard.
Step 9. You get the Dashboard page of the vPC Console, as shown in the image. Now you are able to use all of the features of your FireAMP Private Cloud. You can visit the production IP address of the vPC via a web browser to access the vPC Console for policy, connector, and detection management.
You can visit the management IP of vPC through a web browser to configure system settings such as update schedules and backups, as well as monitor performance of the FireAMP Private Cloud.