Firepower Management Center Configuration Guide, Version 6.0

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Firepower Management Center Configuration Guide, Version 6.0

Chapter Title

Logging into the Firepower System

Results

Updated:
April 28, 2019

Chapter: Logging into the Firepower System

Logging into the Firepower System

The following topics describe how to log into the Firepower System:

Firepower System User Accounts

You must provide a username and password to obtain local access to the web interface, shell, or CLI on an appliance. The features you can access on login are controlled by the privileges granted to your user account. Some appliances can be configured to use external authorization, storing user credentials on an external LDAP or RADIUS server.


Note

Because the system audits user activity based on user accounts, make sure that users log into the system with the correct account.


Caution

On all devices, users with CLI or shell access can obtain root privileges in the shell, which can present a security risk. For system security reasons, we strongly recommend:

  • If you establish external authentication, make sure that you restrict the list of users with shell access appropriately.

  • When granting CLI access privileges, restrict the list of users with Config level access.

  • Do not establish shell users in addition to the pre-defined admin on any Firepower device.


Caution

We strongly recommend that you do not access Firepower devices using the shell or CLI expert mode, unless directed by Cisco TAC.

Different devices support different types of user accounts, each with different capabilities.

Firepower Management Centers

Firepower Management Centers support the following user account types:

  • A pre-defined admin account for web interface access, which has the administrator role and can be managed through the web interface.

  • A pre-defined admin account for shell access, which can obtain root privileges.

  • Custom user accounts, which admin users and users with the administrator role can create and manage.


Caution

For system security reasons, Cisco strongly recommends that you not establish additional shell users on the Firepower Management Center. If you accept that risk, you can use external authentication to grant any user shell access to the Firepower Management Center. You cannot enable shell access for internal web interface users.

7000 & 8000 Series Devices

7000 & 8000 Series devices support the following user account types:

  • A pre-defined admin account which can be used for all forms of access to the device.

  • Custom user accounts, which admin users and users with the administrator role can create and manage.

The 7000 & 8000 Series supports external authentication for users.

NGIPSv Devices

NGIPSv devices support the following user account types:

  • A pre-defined admin account which can be used for all forms of access to the device.

  • Custom user accounts, which admin users and users with Config access can create and manage.

The NGIPSv does not support external authentication for users.

ASA FirePOWER Devices

The ASA FirePOWER module supports the following user account types:

  • A pre-defined admin account.

  • Custom user accounts, which admin users and users with Configu access can create and manage.

The ASA FirePOWER module does not support external authentication for users. Accessing ASA devices via the ASA CLI and ASDM is described in the Cisco ASA Series General Operations CLI Configuration Guide and the Cisco ASA Series General Operations ASDM Configuration Guide.

User Interfaces in Firepower Management Center Deployments

Depending on device type, you can access Firepower appliances using a web-based GUI, auxiliary CLI, or the Linux shell. In a Firepower Management Center deployment, you perform most configuration tasks from the Firepower Management Center's GUI. Only a few tasks require that you access the device directly.

For information on browser requirements, see the Firepower Release Notes.

Appliance

Web-Based GUI

Auxiliary CLI

Linux Shell

Firepower Management Center

  • Supported for predefined admin user and custom user accounts

  • Can be used for administrative, management, and analysis tasks

None

  • Supported for predefined admin user and custom external user accounts

  • Accessible using an SSH, serial, or keyboard and monitor connection

  • Should be used only for administration and troubleshooting directed by Cisco TAC

7000 & 8000 Series devices

  • Supported for predefined admin user and custom user accounts

  • Can be used for initial setup, basic analysis, and configuration tasks only

  • Supported for predefined admin user and custom user accounts

  • Accessible using an SSH, serial, or keyboard and monitor connection

  • Can be used for setup and troubleshooting directed by Cisco TAC

  • Supported for predefined admin user and custom user accounts

  • Accessible by CLI users with Config access using the expert command

  • Should be used only for administration and troubleshooting directed by Cisco TAC

NGIPSv

None

  • Supported for predefined admin user and custom user accounts

  • Accessible using an SSH connection or VM console

  • Can be used for setup and troubleshooting directed by Cisco TAC

  • Supported for predefined admin user and custom user accounts

  • Accessible by CLI users with Config access using the expert command

  • Should be used only for administration and troubleshooting directed by Cisco TAC

ASA FirePOWER module

None

  • Supported for predefined admin user and custom user accounts

  • Accessible using an SSH connection. Also accessible using keyboard and monitor connection for ASA-5585-X (hardware module), or console port for ASA 5512-X through ASA 5555-X and ASA 5506-X through 5516-X (software modules)

  • Can be used for configuration and management tasks

None

Web Interface Considerations

  • If your organization uses Common Access Cards (CACs) for authentication, you can use your CAC credentials to obtain access to the web interface of an appliance.

  • The first time you visit the appliance home page during a web session, you can view information about your last login session for that appliance. You can see the following information about your last login:

    • the day of the week, month, date, and year of the login

    • the appliance-local time of the login in 24-hour notation

    • the host and domain name last used to access the appliance

  • The menus and menu options listed at the top of the default home page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the system displays a warning message and logs the activity.

  • Some processes that take a significant amount of time may cause your web browser to display a message that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it finishes.

Session Timeout

By default, the Firepower System automatically logs you out of a session after 1 hour of inactivity, unless you are otherwise configured to be exempt from session timeout.

Users with the Administrator role can change the session timeout interval for an appliance via the following settings:

Appliance

Setting

Firepower Management Center

System > Configuration > Shell Timeout

7000 & 8000 Series devices

Devices > Platform Settings > Shell Timeout

Logging Into the Firepower Management Center Web Interface

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

FMC

Any

Any

Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.

Before you begin

  • If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.

  • Create user accounts as described in Creating a User Account.

Procedure

Step 1

Direct your browser to https://hostname/, where hostname corresponds to the host name of the Firepower Management Center.

Step 2

In the Username and Password fields, enter your user name and password. Pay attention to the following guidelines:

  • User names are not case-sensitive.

  • In a multidomain deployment, prepend the user name with the domain where your user account was created. You are not required to prepend any ancestor domains. For example, if your user account was created in SubdomainB, which has an ancestor DomainA, enter your user name in the following format: 

    SubdomainB\username

  • If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log into the Firepower System.

Step 3

Click Login.

Logging Into the Web Interface of a 7000 or 8000 Series Device

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

7000 & 8000 Series

N/A

Any

Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.

Before you begin

  • If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.

  • Complete the initial setup process and create user accounts as described in the Firepower getting started guide appropriate to the device, and Creating a User Account.

Procedure

Step 1

Direct your browser to https://hostname/, where hostname corresponds to the host name of the managed device you want to access.

Step 2

In the Username and Password fields, enter your user name and password. Pay attention to the following guidelines:

  • User names are not case-sensitive.

  • If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log into the Firepower System.

Step 3

Click Login.

Logging Into the Firepower Management Center with CAC Credentials

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

FMC

Any

Any

Users are restricted to a single active session.


Caution

Do not remove a CAC during an active browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.

Before you begin

  • If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.

  • Create user accounts as described in the Creating a User Account.

  • Configure CAC authentication and authorization as described in Configuring CAC Authentication.

Procedure

Step 1

Insert a CAC as instructed by your organization.

Step 2

Direct your browser to https://hostname/, where hostname corresponds to the host name of the Firepower Management Center.

Step 3

If prompted, enter the PIN associated with the CAC you inserted in step 1.

Step 4

If prompted, choose the appropriate certificate from the drop-down list.

Step 5

Click Continue.

Logging Into a 7000 or 8000 Series Device with CAC Credentials

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

7000 & 8000 Series

N/A

Any

Users are restricted to a single active session.


Caution

Do not remove a CAC during an active browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.

Before you begin

  • If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.

  • Create user accounts as described in Creating a User Account.

  • Configure CAC authentication and authorization as described in Configuring CAC Authentication.

Procedure

Step 1

Insert a CAC as instructed by your organization.

Step 2

Direct your browser to https://hostname/, where hostname corresponds to the host name of the appliance you want to access.

Step 3

If prompted, enter the PIN associated with the CAC you inserted in step 1.

Step 4

If prompted, choose the appropriate certificate from the drop-down list.

Step 5

Click Continue.

Logging Into the Command Line Interface

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

7000 & 8000 Series

ASA FirePOWER

NGIPSv

N/A

CLI Basic Configuration

You can log directly into the command line interface on Classic managed devices (7000 & 8000 Series, NGIPSv, and ASA FirePOWER).

Before you begin

Complete the initial setup process using the default admin user for the initial login.

  • For the 7000 & 8000 Series devices, create user accounts at the web interface as described in Creating a User Account.

  • For all devices, create additional user accounts that can log into the CLI using the configure user add command.

Procedure

Step 1

Use SSH to connect to the hostname or IP address of the management interface. Alternatively, you can connect to the console port.

Step 2

At the login as: command prompt, enter your user name and press Enter.

Step 3

At the Password: prompt, enter your password and press Enter.

If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log into the Firepower System.

Step 4

At the CLI prompt, use any of the commands allowed by your level of command line access.

Viewing Basic System Information in the Web Interface

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

Any

Any

Any

The About page displays information about your appliance, including the model, serial number, and version information for various components of the Firepower System. It also includes Cisco copyright information.

Procedure

Step 1

Click Help in the toolbar at the top of the page.

Step 2

Choose About.

Switching Domains on the Firepower Management Center

Smart License

Classic License

Supported Device

Supported Domains

Access

N/A

Any

FMC

Any

Any

In a multidomain deployment, user role privileges determine which domains a user can access and which privileges the user has within each of those domains. You can associate a single user account with multiple domains and assign different privileges for that user in each domain. For example, you can assign a user read-only privileges in the Global domain, but Administrator privileges in a descendant domain.

Users associated with multiple domains can switch between domains within the same web interface session.

Under your user name in the toolbar, the system displays a tree of available domains. The tree:

  • Displays ancestor domains, but may disable access to them based on the privileges assigned to your user account.

  • Hides any other domain your user account cannot access, including sibling and descendant domains.

When you switch to a domain, the system displays:

  • Data that is relevant to that domain only.

  • Menu options determined by the user role assigned to you for that domain.

Procedure

From the drop-down list under your user name, choose the domain you want to access.

Logging Out of a Firepower System Web Interface

Smart License

Classic License

Supported Devices

Supported Domains

Access

N/A

Any

Any

Any

Any

When you are no longer actively using a Firepower System web interface, Cisco recommends that you log out, even if you are only stepping away from your web browser for a short period of time. Logging out ends your web session and ensures that no one can use the interface with your credentials.

Procedure

From the drop-down list under your user name, choose Logout.

The Context Menu

Certain pages in the Firepower System web interface support a right-click (most common) or left-click context menu that you can use as a shortcut for accessing other features in the Firepower System. The contents of the context menu depend where you access it—not only the page but also the specific data.

For example:

  • IP address hotspots provide information about the host associated with that address, including any available whois and host profile information.

  • SHA-256 hash value hotspots allow you to add a file’s SHA-256 hash value to the clean list or custom detection list, or view the entire hash value for copying.

On pages or locations that do not support the Firepower System context menu, the normal context menu for your browser appears.

Policy Editors

Many policy editors contain hotspots over each rule. You can insert new rules and categories; cut, copy, and paste rules; set the rule state; and edit the rule.

Intrusion Rules Editor

The intrusion rules editor contains hotspots over each intrusion rule. You can edit the rule, set the rule state, configure thresholding and suppression options, and view rule documentation.

Event Viewer

Event pages (the drill-down pages and table views available under the Analysis menu) contain hotspots over each event, IP address, URL, DNS query, and certain files’ SHA-256 hash values. While viewing most event types, you can:

  • View related information in the Context Explorer.

  • Drill down into event information in a new window.

  • View the full text in places where an event field contains text too long to fully display in the event view, such as a file’s SHA-256 hash value, a vulnerability description, or a URL.

While viewing connection events, you can add items to the default Security Intelligence whitelists and blacklists:

  • An IP address, from an IP address hotspot.

  • A URL or domain name, from a URL hotspot.

  • A DNS query, from a DNS query hotspot.

While viewing captured files, file events, and malware events, you can:

  • Add a file to or remove a file from the clean list or custom detection list.

  • Download a copy of the file.

  • View nested files inside an archive file.

  • Download the parent archive file for a nested file.

  • View the file composition.

  • Submit the file for local malware and dynamic analysis.

While viewing intrusion events, you can perform similar tasks to those in the intrusion rules editor or an intrusion policy:

  • Edit the triggering rule.

  • Set the rule state, including disabling the rule.

  • Configure thresholding and suppression options.

  • View rule documentation.

Intrusion Event Packet View

Intrusion event packet views contain IP address hotspots. The packet view uses a left-click context menu.

Dashboard

Many dashboard widgets contain hotspots to view related information in the Context Explorer. Dashboard widgets can also contain IP address and SHA-256 hash value hotspots.

Context Explorer

The Context Explorer contains hotspots over its charts, tables, and graphs. If you want to examine data from graphs or lists in more detail than the Context Explorer allows, you can drill down to the table views of the relevant data. You can also view related host, user, application, file, and intrusion rule information.

The Context Explorer uses a left-click context menu, which also contains filtering and other options unique to the Context Explorer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco