Device Management

This guide applies to an on-premises Secure Firewall Management Center, either as your primary manager or as an analytics-only manager. When using the Cisco Security Cloud Control (Security Cloud Control) Cloud-Delivered Firewall Management Center as your primary manager, you can use an on-prem Firewall Management Center for analytics. Do not use this guide for cloud-delivered Firewall Management Center management; see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Security Cloud Control.

You canmanage devices in the Secure Firewall Management Center.

Log Into the Command-Line Interface on the Device

You can log directly into the command-line interface on Firewall Threat Defense devices. If this is your first time logging in, complete the initial setup process using the default admin user; see Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI.


Note

If a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.

Before you begin

  • Create additional user accounts that can log into the CLI using the configure user add command.

  • If you get unreadable characters when connecting to the console port, verify the port settings. If they are correct, try the cable with another device using the same settings. If the cable is good, you might need to replace the hardware for the console port. Also consider trying a different workstation to make the connection.

Procedure

Step 1

Connect to the Firewall Threat Defense CLI, either from the console port or using SSH.

You can SSH to the management interface of the Firewall Threat Defense device. You can also connect to the address on a data interface if you open the interface for SSH connections. SSH access to data interfaces is disabled by default. See SSH Access to allow SSH connections to specific data interfaces.

For physical devices, you can directly connect to the console port on the device. See the hardware guide for your device for more information about the console cable. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

The CLI on the console port is FXOS (with the exception of the ISA 3000, where it is the regular Firewall Threat Defense CLI). Use the Firewall Threat Defense CLI for basic configuration, monitoring, and normal system troubleshooting. See the FXOS documentation for information on FXOS commands.

Step 2

Log in with the admin username and password.

Example:


firepower login: admin
Password:
Last login: Thu May 16 14:01:03 UTC 2019 on ttyS0
Successful login attempts for user 'admin' : 1

firepower#

Step 3

If you used the console port, access the Firewall Threat Defense CLI.

connect ftd

Note

 

This step does not apply to the ISA 3000.

Example:


firepower# connect ftd
>

Step 4

At the CLI prompt (>), use any of the commands allowed by your level of command line access.

To return to FXOS on the console port, enter exit .

Step 5

(Optional) If you used SSH, you can connect to FXOS.

connect fxos

To return to the Firewall Threat Defense CLI, enter exit .

Step 6

(Optional) Access the diagnostic CLI:

system support diagnostic-cli

Use this CLI for advanced troubleshooting. This CLI includes additional show and other commands.

This CLI has submodes: user EXEC mode, privileged EXEC mode. More commands are available in privileged EXEC mode than user EXEC mode. To enter privileged EXEC mode, enter the enable command; press enter without entering a password when prompted.

Example:


> system support diagnostic-cli
firepower> enable
Password:
firepower#

To return to the regular CLI, type Ctrl-a, d.

Manage Devices

Register and unregister devices to the Firewall Management Center.

About the Device Management Page

The Devices > Device Management page provides you with range of information and options.

  • View By—View devices based on group, licenses, model, version, or access control policy.

  • Device State—View devices based on state (Error, Warning, etc.). You can click on a state icon to view the devices belonging to it. The number of devices belonging to the states are provided within brackets.

  • Search Device—Search for a device by device name, host name, or IP address.

  • Add—Add devices and other manageable components.

  • Columns—Click the column head to sort by that column.

    • Name

    • Model

    • Version

    • Chassis—For supported models, click Manage to bring up the integrated Chassis Manager. For the Firepower 4100/9300, the link cross-launches the Firewall Chassis Manager.

    • Licenses

    • Access Control Policy—Click on the link in the Access Control Policy column to view the policy that is deployed to the device.

    • Auto-Rollback—Shows whether auto-rollback of the configuration is enabled (auto rollback on icon) or disabled auto rollback off icon) if the deployment causes the management connection to go down. See Edit Deployment Settings.

  • Edit—For each device, use the Edit (edit icon) icon to edit the device settings.

    You can also just click on the device name or IP address.

  • More—For each device, click the More (more icon) icon to execute other actions:

    • Packet Tracer—To navigate to the packet tracer page for examining policy configuration on the device by injecting a model packet into the system.

    • Packet Capture—To navigate to the packet capture page, where, you can view the verdicts and actions the system takes while processing a packet.

    • Revert Upgrade—To revert the upgrade and configuration changes that were made after the last upgrade. This action results in restoring the device to the version that was before the upgrade.

    • Health Monitor—To navigate to the device's health monitoring page.

    • Troubleshoot Files—Generate troubleshooting files, where you can choose the type of data to be included in the report.

Add a Device Group

The Firewall Management Center allows you to group devices so you can easily deploy policies and install updates on multiple devices. You can expand and collapse the list of devices in the group.

If you add the primary device in a high-availability pair to a group, both devices are added to the group. If you break the high-availability pair, both devices remain in that group.

Groups are not supported in a multidomain environment.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

From the Add drop-down menu, choose Add Group.

To edit an existing group, click Edit (edit icon) for the group you want to edit.

Step 3

Enter a Name.

Step 4

Under Available Devices, choose one or more devices to add to the device group. Use Ctrl or Shift while clicking to choose multiple devices.

Step 5

Click Add to include the devices you chose in the device group.

Step 6

Optionally, to remove a device from the device group, click Delete (delete icon) next to the device you want to remove.

Step 7

Click OK to add the device group.

Register With a New Management Center

This procedure shows how to register with a new Firewall Management Center. You should perform these steps even if the new Firewall Management Center uses the old Firewall Management Center's IP address.

Procedure

Step 1

On the old Firewall Management Center, if present, delete the managed device.

You cannot change the Firewall Management Center IP address if you have an active connection with the Firewall Management Center.

Step 2

Connect to the device CLI, for example using SSH.

Step 3

Configure the new Firewall Management Center.

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE } regkey [nat_id] [display_name]

  • {hostname | IPv4_address | IPv6_address}—Sets the Firewall Management Center hostname, IPv4 address, or IPv6 address.

  • DONTRESOLVE —If the Firewall Management Center is not directly addressable, use DONTRESOLVE instead of a hostname or IP address. If you use DONTRESOLVE , then a nat_id is required. When you add this device to the Firewall Management Center, make sure that you specify both the device IP address and the nat_id ; one side of the connection needs to specify an IP address, and both sides need to specify the same, unique NAT ID.

  • regkey —Make up a registration key to be shared between the Firewall Management Center and the device during registration. You can choose any text string for this key between 1 and 37 characters; you will enter the same key on the Firewall Management Center when you add the Firewall Threat Defense.

  • nat_id —Make up an alphanumeric string from 1 to 37 characters used only during the registration process between the Firewall Management Center and the device when one side does not specify an IP address. This NAT ID is a one-time password used only during registration. Make sure the NAT ID is unique, and not used by any other devices awaiting registration. Specify the same NAT ID on the Firewall Management Center when you add the Firewall Threat Defense.

  • display_name —Provide a display name for showing this manager with the show managers command. This option is useful if you are identifying Security Cloud Control as the primary manager and an on-prem Firewall Management Center for analytics only. If you don't specify this argument, the firewall auto-generates a display name using one of the following methods:

    • hostname | IP_address (if you don't use the DONTRESOLVE keyword)

    • manager-timestamp

Example:


> configure manager add DONTRESOLVE abc123 efg456
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

>

Step 4

Add the device to the Firewall Management Center.

Shut Down or Restart the Device

It's important that you shut down your system properly. Simply unplugging the power or pressing the power switch can cause serious file system damage. Remember that there are many processes running in the background all the time, and unplugging or shutting off the power does not allow the graceful shutdown of your firewall.

See the following task to shut down or restart your system properly.


Note

After restarting your device, you may see an error that the management connection could not be reestablished. In some cases, the connection is attempted before the Management interface on the device is ready. The connection will be retried automatically and should come up within 15 minutes.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Next to the device that you want to restart, click Edit (edit icon).

Step 3

Click Device.

Step 4

To restart the device:

  1. Click Restart Device (restart device icon).

  2. When prompted, confirm that you want to restart the device.

Step 5

To shut down the device:

  1. Click Shut Down Device (shut down device icon) in the System section.

  2. When prompted, confirm that you want to shut down the device.

  3. If you have a console connection to the firewall, monitor the system prompts as the firewall shuts down. You will see the following prompt: 

    
System is stopped.
It is safe to power off now.
Do you want to reboot instead? [y/N]

    If you do not have a console connection, wait approximately 3 minutes to ensure the system has shut down.

    For the ISA 3000, when shutdown is complete, the System LED will turn off. Wait at least 10 seconds before you remove the power.

Download the Managed Device List

You can download a report of all the managed devices.

Before you begin

To perform the following task, you must be an Admin user.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Click the Download Device List Report link.

Step 3

You can download the device list in CSV or PDF format. Choose Download CSV or Download PDF to download the report.

Migrate Firewall Threat Defense Devices

The Secure Firewall Threat Defense model migration wizard enables you to migrate configurations from an earlier Firewall Threat Defense model. After the migration, all routing and interface configurations from the source Firewall Threat Defense device are available in the target Firewall Threat Defense.

The wizard supports multiple models as source and target devices, for more information see Supported Devices for Migration.

Supported Devices for Migration

Supported Source Devices

  • Cisco Firepower 1120

  • Cisco Firepower 1140

  • Cisco Firepower 1150

  • Cisco Firepower 2110

  • Cisco Firepower 2120

  • Cisco Firepower 2130

  • Cisco Firepower 2140

Supported Target Devices

  • Cisco Secure Firewall 3105

  • Cisco Secure Firewall 3110

  • Cisco Secure Firewall 3120

  • Cisco Secure Firewall 3130

  • Cisco Secure Firewall 3140

Supported Migration Paths

The following table lists the supported target Firewall Threat Defense models that you can migrate to from your source Firewall Threat Defense model.

License for Migration

  • Your Smart Licensing account​ must have the license entitlements for the target device.

  • You must register and enroll the device with the Smart Licensing account. The migration copies the source device licenses to the target device.

Prerequisites for Migration

  • General device prerequisites

    • Register the source and the target devices to the Firewall Management Center.

    • Ensure that the target device is a newly registered device without any configurations.

    • Source and target devices must be in the same state and modes:

      • Domain

      • Firewall mode: Routed or Transparent

      • Compliance mode (CC or UCAPL)

    • Ensure that you have permission for modifications on the devices.

    • Ensure that the configurations on the source device are valid and have no errors.

    • Deployment, import, or export tasks must not run on either of the devices during the migration. The source device can have pending deployments.

  • Prerequisites for HA devices

What Configurations Does the Wizard Migrate?

The migration wizard copies the following configurations from the source device to the target device:

  • Licenses

  • Interface configurations

  • Inline sets configurations

  • Routing configurations

  • DHCP and DDNS configurations

  • Virtual router configurations

  • Policies

  • Associated objects and object overrides

  • Platform settings

  • Remote branch deployment configurations

The migration wizard copies the following policy configurations from the source device to the target device:

  • Health policy

  • NAT policy

  • QoS policy

  • Remote access VPN policy

  • FlexConfig policy

  • Access control policy

  • Prefilter policy

  • IPS policy

  • DNS policy

  • SSL policy

  • Malware and File policy

  • Identity policy

The migration wizard copies the following routing configurations from the source device to the target device:

  • ECMP

  • BFD

  • OSPFv2/v3

  • EIGRP

  • RIP

  • BGP

  • Policy Based Routing

  • Static Route

  • Multicast Routing

  • Virtual Router

The migration wizard copies the following interfaces from the source device to the target device:

  • Physical interfaces

  • Sub-interfaces

  • EtherChannel interfaces

  • Bridge group interfaces

  • VTI interfaces

  • VNI interfaces

  • Loopback interfaces

The migration wizard retains the device group of the target device.

Limitations for Migration

Limitations

  • The migration wizard does not migrate:

    • Site-to-site VPN policies

  • You can perform only one migration at a time.

  • Remote access VPN trustpoint certificates are not enrolled after migration.

  • For HA devices:

    • Target device: You cannot migrate a standalone device to an HA device.

Best Practices for Threat Defense Device Migration

After a successful migration, we recommend that you perform the following actions before the deployment:

  • IP addresses of the interfaces are copied to the target device from the source device. Change the IP addresses of the target device interfaces, if the source device is live

  • Ensure that you update your NAT policies with the modified IP addresses.

  • Configure the interface speeds if they are set to default values after migration.

  • Re-enroll the device certificates, if any, on the target device.

  • (Optional) Configure SNMP for Firepower 1100 and 2100 using the platform settings for the device.

  • (Optional) Configure remote branch deployment configurations.

    If the source or target device had manager access through a data interface, after the migration, the manager access will be lost. Update the manager access configuration on the target device. For more information, see the Change the Manager Access Interface from Management to Data topic in the Cisco Secure Firewall Management Center Device Configuration Guide or the Online Help.

  • Configure site-to-site VPN, if required. These configurations are not migrated from the source device.

  • View the deployment preview before the deployment. From the Deploy drop-down menu, click Advanced Deploy, and then click the Preview (preview icon) icon for the device.

  • Monitor the health of the device in the health monitor (choose System (system gear icon) > Health > Monitor). After migration, the health policy of the source device becomes the health policy of the target device. You can also configure a new health policy for the device.

    After migration, the device monitoring dashboard may temporarily display redundant colored lines because the device has different UUIDs before and after migration. This redundancy appears only during the migration time. An hour after migration, the dashboard will show a single line per metric.

Hot Swap an SSD on the Secure Firewall 3100 Series

If you have two SSDs, they form a RAID when you boot up. You can perform the following tasks at the Firewall Threat Defense CLI while the firewall is powered up:

  • Hot swap one of the SSDs—If an SSD is faulty, you can replace it. Note that if you only have one SSD, you cannot remove it while the firewall is powered on.

  • Remove one of the SSDs—If you have two SSDs, you can remove one.

  • Add a second SSD—If you have one SSD, you can add a second SSD and form a RAID.


Caution

Do not remove an SSD without first removing it from the RAID using this procedure. You can cause data loss.

Procedure

Step 1

Remove one of the SSDs.

  1. Remove the SSD from the RAID.

    configure raid remove-secure local-disk {1 | 2}

    The remove-secure keyword removes the SSD from the RAID, disables the self-encrypting disk feature, and performs a secure erase of the SSD. If you only want to remove the SSD from the RAID and want to keep the data intact, you can use the remove keyword.

    Example:

    
> configure raid remove-secure local-disk 2

  2. Monitor the RAID status until the SSD no longer shows in the inventory.

    show raid

    After the SSD is removed from the RAID, the Operability and Drive State will show as degraded. The second drive will no longer be listed as a member disk.

    Example:

    
> show raid
Virtual Drive
ID:                         1
Size (MB):                  858306
Operability:                operable
Presence:                   equipped
Lifecycle:                  available
Drive State:                optimal
Type:                       raid
Level:                      raid1
Max Disks:                  2
Meta Version:               1.0
Array State:                active
Sync Action:                idle
Sync Completed:             unknown
Degraded:                   0
Sync Speed:                 none

RAID member Disk:
Device Name:                nvme0n1
Disk State:                 in-sync
Disk Slot:                  1
Read Errors:                0
Recovery Start:             none
Bad Blocks:
Unacknowledged Bad Blocks:   

Device Name:                nvme1n1
Disk State:                 in-sync
Disk Slot:                  2
Read Errors:                0
Recovery Start:             none
Bad Blocks:
Unacknowledged Bad Blocks:   

> show raid
Virtual Drive
ID:                         1
Size (MB):                  858306
Operability:                degraded
Presence:                   equipped
Lifecycle:                  available
Drive State:                degraded
Type:                       raid
Level:                      raid1
Max Disks:                  2
Meta Version:               1.0
Array State:                active
Sync Action:                idle
Sync Completed:             unknown
Degraded:                   1
Sync Speed:                 none

RAID member Disk:
Device Name:                nvme0n1
Disk State:                 in-sync
Disk Slot:                  1
Read Errors:                0
Recovery Start:             none
Bad Blocks:
Unacknowledged Bad Blocks:

  3. Physically remove the SSD from the chassis.

Step 2

Add an SSD.

  1. Physically add the SSD to the empty slot.

  2. Add the SSD to the RAID.

    configure raid add local-disk {1 | 2}

    It can take several hours to complete syncing the new SSD to the RAID, during which the firewall is completely operational. You can even reboot, and the sync will continue after it powers up. Use the show raid command to show the status.

    If you install an SSD that was previously used on another system, and is still locked, enter the following command:

    configure raid add local-disk {1 | 2} psid

    The psid is printed on the label attached to the back of the SSD. Alternatively, you can reboot the system, and the SSD will be reformatted and added to the RAID.