Firepower Management Center Configuration Guide, Version 6.0

Introduction to System Configuration

System configuration settings apply to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, NGIPSv):

For the Firepower Management Center these configuration settings are part of a "local" system configuration. Note that system configuration on the Firepower Management Center is specific to a single system, and changes to a FMC's system configuration affect only that system.

For a Classic managed device, you apply a configuration from the Firepower Management Center as part of a platform settings policy. You create a shared policy to configure a subset of the system configuration settings, appropriate for managed devices, that are likely to be similar across a deployment.

Tip

For 7000 and 8000 Series devices, you can perform limited system configuration tasks from the local web interface, such as console configuration and remote management. These are not the same configurations that you apply to a 7000 or 8000 Series device using a platform settings policy.

Navigating the Firepower Management Center System Configuration


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

The system configuration identifies basic settings for a Firepower Management Center.

Procedure

Step 1	Choose System > Configuration.
Step 2	Use the navigation panel to choose configurations to change; see Table 1 for more information.

System Configuration Settings

The following table describes the system configuration settings for the Firepower Management Center. For 7000 and 8000 Series devices, the table also identifies which settings you configure from the device's local web interface, and which you configure using a platform settings policy deployed from the Firepower Management Center.

Table 1. System Configuration Settings
Setting	Description	Also configurable from:
Setting	Description	Platform Settings	7000 & 8000 Series
Information	View current information about the appliance and edit the display name; see Appliance Information.	no	yes
HTTPS Certificate	Request an HTTPS server certificate, if needed, from a trusted authority and upload certificates to the system; see HTTPS Certificates .	no	yes
External Database Access	Enable external read-only access to the database, and provide a client driver to download; see External Database Access Settings.	no	no
Database	Specify the maximum number of each type of event that the Firepower Management Center can store; see Database Event Limits.	no	no
Management Interfaces	Change options such as the IP address, hostname, and proxy settings of the appliance; see Management Interfaces.	no	yes
Process	Shut down, reboot, or restart Firepower System-related processes; see System Shut Down and Restart.	no	yes
Remote Storage Device	Configure remote storage for backups and reports; see Remote Storage Management.	no	no
Change Reconciliation	Configure the system to send a detailed report of changes to the system over the last 24 hours; see Change Reconciliation.	no	yes
Access Control Preferences	Configure the system to prompt users for a comment when they add or modify an access control policy; see Policy Change Comments.	no	no
Access List	Control which computers can access the system on specific ports; see The Access List.	yes	no
Audit Log	Configure the system to send an audit log to an external host; see Audit Logs.	yes	no
Dashboard	Enable Custom Analysis widgets on the dashboard; see Dashboard Settings.	no	no
DNS Cache	Configure the system to resolve IP addresses automatically on event view pages; see DNS Cache.	no	no
Email Notification	Configure a mail host, select an encryption method, and supply authentication credentials for email-based notifications and reporting; see Email Notifications.	no	no
External Authentication	Set the default user role for any user who is authenticated by an external RADIUS, LDAP or Microsoft Active Directory repository; see External Authentication Settings	yes	no
Intrusion Policy Preferences	Configure the system to prompt users for a comment when they modify an intrusion policy; see Policy Change Comments.	no	no
Language	Specify a different language for the web interface; see Language Selection.	yes	no
Login Banner	Create a custom login banner that appears when users log in; see Login Banners.	yes	no
Network Analysis Policy Preferences	Configure the system to prompt users for a comment when they modify a network analysis policy; see Policy Change Comments.	no	no
SNMP	Enable Simple Network Management Protocol (SNMP) polling; see SNMP Polling.	yes	no
STIG Compliance	Enable compliance with specific requirements set out by the United States Department of Defense; see STIG Compliance.	yes	no
Time	View the current time setting and, if the time synchronization setting in the current system configuration is set to Manually in Local Configuration, change the time; see Time and Time Synchronization.	no	yes
Time Synchronization	Manage time synchronization on the system; see Time and Time Synchronization.	yes	no
Shell Timeout	Configure the amount of idle time, in minutes, before a user’s login session times out due to inactivity; see Session Timeouts.	yes	no
Vulnerability Mapping	Map vulnerabilities to a host IP address for any application protocol traffic received or sent from that address; see Vulnerability Mapping.	no	no
Console Configuration	Configure console access via VGA or serial port, or via Lights-Out Management (LOM); see Remote Console Access Management.	no	limited
VMware Tools	Enable and use VMware Tools on a Firepower Management Center Virtual; see VMware Tools and Virtual Systems.	n/a	n/a

Appliance Information

The Information page of the web interface includes the information listed in the table below. Unless otherwise noted, all fields are read-only.


Field	Description
Name	A name you assign to the appliance. Note that this name is only used within the context of the Firepower System. Although you can use the host name as the name of the appliance, entering a different name in this field does not change the host name.
Product Model	The model name of the appliance.
Serial Number	The serial number of the appliance.
Software Version	The version of the software currently installed on the appliance.
Prohibit Packet Transfer to the Firepower Management Center	Specifies whether the managed device sends packet data with events, allowing the data to be stored on the Firepower Management Center. This setting is available on the local web interface on 7000 and 8000 Series devices.
Operating System	The operating system currently running on the appliance.
Operating System Version	The version of the operating system currently running on the appliance.
IPv4 Address	The IPv4 address of the default (`eth0`) management interface. If IPv4 management is disabled, this field indicates that.
IPv6 Address	The IPv6 address of the default (`eth0`) management interface. If IPv6 management is disabled, this field indicates that.
Current Policies	The system-level policies currently deployed . If a policy has been updated since it was last deployed, the name of the policy appears in italics.
Model Number	The appliance-specific model number stored on the internal flash drive. This number may be important for troubleshooting.

Viewing and Modifying the System Information


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Global only	Admin

The Information page on the Firepower Management Center’s web interface or on the 7000 and 8000 Series local web interface provides information about your system, including read-only information such as the product name and model number. The page also provides you with an option to change the display name of the system and, for 7000 and 8000 Series devices, prohibit packet transfer.

Note

Prohibiting packet transfer can be a good idea in a low-bandwidth deployment where you are not concerned about the specific content of the packet that triggered the intrusion policy violation.

Procedure

Step 1

Choose System > Configuration.

Step 2

Optionally, change the system information settings:

Name—To change the display name, enter a name in the Name field.
Prohibit packet transfer—To prevent sending packet data to the Firepower Management Center, check the Prohibit Packet Transfer to the Management Center check box. This option is only available from a 7000 or 8000 Series device's local web interface.

Step 3

Click Save.

HTTPS Certificates

Secure Sockets Layer (SSL) certificates enable Firepower Management Centers and 7000 and 8000 Series devices to establish an encrypted channel between the system and a web browser. A default certificate is included with all Firepower devices, but it is not generated by a certificate authority (CA) trusted by any globally known CA. For this reason, consider replacing it with a custom certificate signed by a globally known or internally trusted CA.

Default HTTPS Server Certificates

If you use the default server certificate provided with an appliance, do not configure the system to require a valid HTTPS client certificate for web interface access because the default server certificate is not signed by the CA that signs your client certificate.

Custom HTTPS Server Certificates

You can use the Firepower Management Center web interface to generate a server certificate request based on your system information and the identification information you supply. You can use that request to sign a certificate if you have an internal certificate authority (CA) installed that is trusted by your browser. You can also send the resulting request to a certificate authority to request a server certificate. After you have a signed certificate from a certificate authority (CA), you can import it.

HTTPS Client Certificates

You can restrict access to the Firepower System web server using client browser certificate checking. When you enable user certificates, the web server checks that a user’s browser client has a valid user certificate selected. That user certificate must be generated by the same trusted certificate authority that is used for the server certificate. The browser cannot load the web interface under any of the following circumstances:

The user selects a certificate in the browser that is not valid.
The user selects a certificate in the browser that is not generated by the certificate authority that signed the server certificate.
The user selects a certificate in the browser that is not generated by a certificate authority in the certificate chain on the device.

You can also load a certificate revocation list (CRL) for the server. The CRL lists any certificates that the certificate authority has revoked, so the web server can verify that the client browser certificate is valid. If the user selects a certificate that is listed in the CRL as a revoked certificate, the browser cannot load the web interface.

Viewing the Current Server Certificate


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Global only	Admin

You can only view server certificates for the appliance you are logged into.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click HTTPS Certificate.

Generating and Submitting a Certificate Signing Request


Smart License	Classic License	Supported Devices	Supported Domains	Access
N/A	Any	Classic	Global only	Admin

When you generate a certificate request through the local configuration HTTPS Certificate page using this procedure, you can only generate a certificate for a single system. Similarly, if you install a certificate that is not signed by a globally known or internally trusted CA, you receive a security warning when you connect to the system.

The key generated for the certificate request is in Base-64 encoded PEM format.

Procedure

Step 1

Choose System > Configuration.

Step 2

Click HTTPS Certificate.

Step 3

Click Generate New CSR.

Step 4

Enter a country code in the Country Name (two-letter code) field.

Step 5

Enter a state or province postal abbreviation in the State or Province field.

Step 6

Enter a Locality or City.

Step 7

Enter an Organization name.

Step 8

Enter an Organizational Unit (Department) name.

Step 9

Enter the fully qualified domain name of the server for which you want to request a certificate in the Common Name field.

Note

You must enter the fully qualified domain name of the server exactly as it should appear in the certificate in the Common Name field. If the common name and the DNS host name do not match, you receive a warning when connecting to the appliance.

Step 10

Click Generate.

Step 11

Open a text editor.

Step 12

Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into a blank text file.

Step 13

Save the file as servername.csr, where servername is the name of the server where you plan to use the certificate.

Step 14

Click Save.

What to do next

Upload the signed server certificate; see Uploading Server Certificates.

Server Certificate Upload

If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain, sometimes referred to as a certificate path. If you require user certificates, they must be generated by a certificate authority whose intermediate authority is included in the certificate chain.

Uploading Server Certificates


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Global only	Admin

If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain, sometimes referred to as a certificate path. If you require user certificates, they must be generated by a certificate authority whose intermediate authority is included in the certificate chain.

Before you begin

Generate a certificate signing request; see Generating and Submitting a Certificate Signing Request.
Upload the CSR file to the certificate authority where you want to request a certificate, or use the CSR to create a self-signed certificate.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click HTTPS Certificate.
Step 3	Click Import HTTPS Certificate.
Step 4	Open the server certificate in a text editor, copy the entire block of text, including the `BEGIN CERTIFICATE` and `END CERTIFICATE` lines, and paste it into the Server Certificate field.
Step 5	If you want to upload a private key, open the private key file, copy the entire block of text, including the `BEGIN RSA PRIVATE KEY` and `END RSA PRIVATE KEY` lines, and paste it into the Private Key field.
Step 6	Open any intermediate certificates you need to provide, copy the entire block of text, for each, and paste it into the Certificate Chain field.
Step 7	Click Save.

Requiring Valid User Certificates


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Global only	Admin

The system supports upload of CRLs in Distinguished Encoding Rules (DER) format. You can only load one CRL for a server.

To ensure that the list of revoked certificates stays current, you can create a scheduled task to update the CRL. The most recent refresh of the CRL is listed in the interface.

Note

You must have a valid user certificate present in your browser (or a CAC inserted in your reader) to enable user certificates and to access the web interface after doing so.

Before you begin

Use the same certificate authority used for the server certificate to generate the user certificate.
Upload the intermediate certificate for the certificates; see Server Certificate Upload.

Procedure

Step 1

Choose System > Configuration.

Step 2

Click HTTPS Certificate.

Step 3

Choose Enable User Certificates. If prompted, select the appropriate certificate from the drop-down list.

Step 4

If you want to retrieve the CRL, choose Enable Fetching of CRL.

Step 5

Enter a valid URL to an existing CRL file and click Refresh CRL. The current CRL at the supplied URL loads to the server.

Note

Enabling fetching of the CRL creates a scheduled task to update the CRL on a regular basis. Edit the task to set the frequency of the update.

Step 6

Verify that you have a valid user certificate generated by the same certificate authority that created the server certificate.

Caution

If you save a configuration with enabled user certificates, but you do not have a valid user certificate in your browser certificate store, you disable all web server access to the appliance. Make sure you have a valid certificate installed before saving settings.

Step 7

Click Save.

External Database Access Settings

You can configure the Firepower Management Center to allow read-only access to its database by a third-party client. This allows you to query the database using SQL using any of the following:

industry-standard reporting tools such as Actuate BIRT, JasperSoft iReport, or Crystal Reports
any other reporting application (including a custom application) that supports JDBC SSL connections
the Cisco-provided command-line Java application called RunQuery, which you can either run interactively or use to obtain comma-separated results for a single query

Use the Firepower Management Center's system configuration to enable database access and create an access list that allows selected hosts to query the database. Note that this access list does not also control appliance access.

You can also download a package that contains the following:

RunQuery, the Cisco-provided database query tool
InstallCert, a tool you can use to retrieve and accept the SSL certificate from the Firepower Management Center you want to access
the JDBC driver you must use to connect to the database

See the Firepower System Database Access Guide for information on using the tools in the package you downloaded to configure database access.

Enabling External Access to the Database


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Procedure

Step 1

Choose System > Configuration.

Step 2

Click External Database Access.

Step 3

Select the Allow External Database Access check box.

Step 4

Enter an appropriate value in the Server Hostname field. Depending on your third-party application requirements, this value can be either the fully qualified domain name (FQDN), IPv4 address, or IPv6 address of the Firepower Management Center.

Step 5

Next to Client JDBC Driver, click Download and follow your browser’s prompts to download the client.zip package.

Step 6

To add database access for one or more IP addresses, click Add Hosts. An IP Address field appears in the Access List field.

Step 7

In the IP Address field, enter an IP address or address range, or any.

Step 8

Click Add.

Step 9

Click Save.

Tip

If you want to revert to the last saved database settings, click Refresh.

Database Event Limits

You can specify the maximum number of each type of event that the Firepower Management Center can store. To improve performance, you should tailor event limits to the number of events you regularly work with. For some event types, you can disable storage.

The system automatically prunes intrusion events, discovery events, audit records, security intelligence data, or URL filtering data from the appliance's database. You can configure the system to generate automated email notifications when events are automatically pruned. You can also manually prune the discovery and user databases to remove selected discovery data; and you can purge discovery and connection data from the Firepower Management Center database.

Configuring Database Event Limits


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Before you begin

If you want to receive email notifications when events are pruned from the Firepower Management Center's database, you must configure an email server; see Configuring a Mail Relay Host and Notification Address.

Procedure

Step 1	Choose System > Configuration.
Step 2	Choose Database.
Step 3	For each of the databases, enter the number of records you want to store. For information on how many records each database can maintain, see Database Event Limits.
Step 4	Optionally, in the Data Pruning Notification Address field, enter the email address where you want to receive pruning notifications.
Step 5	Click Save.

Database Event Limits

The following table lists the minimum and maximum number of records for each event type that you can store on a Firepower Management Center.

Table 2. Database Event Limits
Event Type	Upper Limit	Lower Limit
Intrusion events	10 million (FMC Virtual)  20 million (MC750)  30 million (MC1500) 60 million (MC2000) 150 million (MC3500)  300 million (MC4000)	10,000
Discovery events	10 million   20 million (MC2000, MC4000)	Zero (disables storage)
Connection events Security Intelligence events	50 million (FMC Virtual)  50 million (MC750)  100 million (MC1500)  300 million (MC2000) 500 million (MC3500)  1 billion (MC4000) Limit is shared between connection events and Security Intelligence events. The sum of the configured maximums cannot exceed this limit.	Zero (disables storage)
Connection summaries (aggregated connection events)	50 million (FMC Virtual)  50 million (MC750)  100 million (MC1500)  300 million (MC2000) 500 million (MC3500)  1 billion (MC4000)	Zero (disables storage)
Correlation events and compliance white list events	1 million   2 million (MC2000, MC4000)	One
Malware events	10 million   20 million (MC2000, MC4000)	10,000
File events	10 million  20 million (MC2000, MC4000)	Zero (disables storage)
Health events	1 million	Zero (disables storage)
Audit records	100,000	One
Remediation status events	10 million	One
White list violation history	a 30-day history of violations	One day’s history
User activity (user events)	10 million	One
User logins (user history)	10 million	One
Intrusion rule update import log records	1 million	One

Management Interfaces

After setup, you can change the management network settings, including adding more management interfaces, hostname, search domains, DNS servers, and HTTP proxy on both the FMC and the managed devices.

About Management Interfaces

By default, the Firepower Management Center manages all devices on a single management interface. Each device includes a single management interface for communicating with the FMC.

You also perform initial setup on the management interface (for both the FMC and managed devices), and log into the FMC on this interface as an administrator.

Management interfaces are also used to communicate with the Smart Licensing server, to download updates, and to perform other management functions.

Management Interfaces on the Firepower Management Center

The Firepower Management Center uses the eth0 interface for initial setup, HTTP access for administrators, management of devices, as well as other management functions such as licensing and updates.

You can also configure additional management interfaces on the same network, or on different networks. When the FMC manages large numbers of devices, adding more management interfaces can improve throughput and performance. You can also use these interfaces for all other management functions. You might want to use each management interface for particular functions; for example, you might want to use one interface for HTTP administrator access and another for device management.

For device management, the management interface carries two separate traffic channels: the management traffic channel carries all internal traffic (such as inter-device traffic specific to managing the device), and the event traffic channel carries all event traffic (such as web events). You can optionally configure a separate event-only interface on the FMC to handle event traffic; you can configure only one event interface. Event traffic can use a large amount of bandwidth, so separating event traffic from management traffic can improve the performance of the FMC. For example, you can assign a 10 GigabitEthernet interface to be the event interface, if available, while using 1 GigabitEthernet interfaces for management. You might want to configure an event-only interface on a completely secure, private network while using the regular management interface on a network that includes Internet access, for example. You can also use both management and event interfaces on the same network if the goal is only to take advantage of increased throughput. If you configure an event-only interface on the FMC, you can support devices with separate management and event-only interfaces, but also devices that do not have separate interfaces. For devices with a single combined management/event interface, all traffic goes to the FMC management interface.

Note

All management interfaces support HTTP administrator access as controlled by your Access List configuration (Configuring the Access List for Your System). Conversely, you cannot restrict an interface to only HTTP access; management interfaces always support device management (management traffic, event traffic, or both).

Note

Only the eth0 interface supports DHCP IP addressing. Other management interfaces only support static IP addresses.

Management Interfaces on Managed Devices

Some models include an additional management interface that you can configure for event-only traffic, so you can separate management and event traffic when communicating with the FMC.

When you set up your device, you specify the FMC IP address that you want to connect to. Both management and event traffic go to this address at initial registration. Note: In some situations, the FMC might establish the initial connection on a different management interface; subsequent connections should use the management interface with the specified IP address.

If both the device and the FMC have separate event interfaces, then after they learn about each other's event interfaces during management communication, subsequent event traffic is sent between these interfaces if the network allows. If the event network goes down, then event traffic reverts to the regular management interface. The device uses a separate event interface when possible, but the management interface is always the backup. If you use only one management interface on the managed device, then you cannot send management traffic to the FMC management interface, and then send event traffic to the separate FMC event interface; both FMC and managed device must have separate event interfaces. In this case, both management and event traffic go to the FMC management interface, and the FMC event interface is not used for this device.

Management Interface Support

See the hardware installation guide for your model for the management interface locations.

See the following tables for supported management interfaces on each Firepower Management Center and managed device model.

Table 3. Management Interface Support on the Firepower Management Center
Model	Management Interfaces
MC750, MC1500, MC3500	eth0 (Default) eth1
MC2000, MC4000	eth0 (Default) eth1 eth2 eth3
Firepower Management Center Virtual	eth0 (Default)

Table 4. Management Interface Support on Managed Devices

Model

Management Interface

Optional Event Interface

7000 series

eth0

No support

8000 series

eth0

eth1

NGIPSv

eth0

No support

ASA FirePOWER services module on the ASA 5585-X

eth0

Note

eth0 is the internal name of the Management 1/0 interface.

eth1

Note

eth1 is the internal name of the Management 1/1 interface.

ASA FirePOWER services module on the ASA 5506-X, 5508-X, or 5516-X

eth0

Note

eth0 is the internal name of the Management 1/1 interface.

No support

ASA FirePOWER services module on the ASA 5512-X-X through 5555-X

eth0

Note

eth0 is the internal name of the Management 0/0 interface.

No support

Network Routes on Management Interfaces

Management interfaces (including event-only interfaces) support only static routes to reach remote networks. When you set up your FMC or managed device, the setup process creates a default route to the gateway IP address that you specify. You cannot delete this route; you can only modify the gateway address.

The default route always uses the lowest-numbered management interface (e.g. eth0).

At least 1 static route is recommended per management interface to access remote networks, including when multiple interfaces are on the same network.

For example, on the FMC both eth0 and eth1 are on the same network, but you want to manage a different group of devices on each interface. The default gateway is 192.168.45.1. If you want eth1 to manage devices on the remote 10.6.6.0/24 destination network, you can create a static route for 10.6.6.0/24 through eth1 with the same gateway of 192.168.45.1. Traffic to 10.6.6.0/24 will hit this route before it hits the default route, so eth1 will be used as expected.

If you want to use 2 FMC interfaces to manage remote devices that are on the same network, then static routing on the FMC may not scale well, because you need separate static routes per device IP address.

Another example includes separate management and event-only interfaces on both the FMC and the managed device. The event-only interfaces are on a separate network from the management interfaces. In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa.

Note

The routing for management interfaces is completely separate from routing that you configure for data interfaces.

Management and Event Traffic Channel Examples

The following example shows the Firepower Management Center and managed devices using only the default management interfaces.

Figure 1. Single Management Interface on the Firepower Management Center

The following example shows the Firepower Management Center using separate management interfaces for devices; and each managed device using 1 management interface.

Figure 2. Mutliple Management Interfaces on the Firepower Management Center

The following example shows the Firepower Management Center and managed devices using a separate event interface.

Figure 3. Separate Event Interface on the Firepower Management Center and Managed Devices

The following example shows a mix of multiple management interfaces and a separate event interface on the Firepower Management Center and a mix of managed devices using a separate event interface, or using a single management interface.

Figure 4. Mixed Management and Event Interface Usage

Configure Management Interfaces

You can change management interface settings for Firepower appliances:

Firepower Management Center—Use the web interface. (The Firepower Management Center supports Linux shell access only under Cisco TAC supervision.)
NGIPSv, ASA FirePOWER—Use the CLI
7000 & 8000 Series devices—Use the limited web interface or the CLI.

See the following sections.

Configure Firepower Management Center Management Interfaces


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Modify the management interface settings on the Firepower Management Center. You can optionally enable additional management interfaces or configure an event-only interface.

Caution

Be careful when making changes to the management interface to which you are connected; if you cannot re-connect because of a configuration error, you need to access the FMC console port to re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation.

Before you begin

If you use a proxy:

Proxies that use NT LAN Manager (NTLM) authentication are not supported.
If you use or will use Smart Licensing, the proxy FQDN cannot have more than 64 characters.

Procedure

Step 1

Choose System > Configuration, and then choose Management Interfaces.

Step 2

In the Interfaces area, click Edit next to the interface that you want to configure.

All available interfaces are listed in this section. You cannot add more interfaces.

You can configure the following options on each management interface:

Enabled—Enable the management interface. Do not disable the default eth0 management interface. Some processes require the eth0 interface.
Channels—Configure an event-only interface; you can configure only one event interface on the FMC. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. You can optionally disable Event Traffic for the management interface(s). In either case, the device will try to send events to the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cannot disable both event and management channels on an interface.
Mode—Specify a link mode. Note that any changes you make to auto-negotiation are ignored for GigabitEthernet interfaces.
MDI/MDIX—Set the Auto-MDIX setting.
MTU—Set the maximum transmission unit (MTU). The default is 1500. The range within which you can set the MTU can vary depending on the model and interface type.

Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.
IPv4 Configuration—Set the IPv4 IP address. Choose:
- Static—Manually enter the IPv4 Management IP address and IPv4 Netmask.
- DHCP—Set the interface to use DHCP (eth0 only).
- Disabled—Disable IPv4. Do not disable both IPv4 and IPv6.
IPv6 Configuration—Set the IPv6 IP address. Choose:
- Static—Manually enter the IPv6 Management IP address and IPv6 Prefix Length.
- DHCP—Set the interface to use DHCPv6 (eth0 only).
- Router Assigned—Enable stateless autoconfiguration.
- Disabled—Disable IPv6. Do not disable both IPv4 and IPv6.

Step 3

In the Routes area, edit a static route by clicking the edit icon (), or add a route by clicking the add icon (). View the route statistics by clicking the view icon ().

You need a static route for each additional interface to reach remote networks. For more information about when new routes are needed, see Network Routes on Management Interfaces.

Note

For the default route, you can change only the gateway IP address. The default route always uses the eth0 interface.

You can configure the following settings for a static route:

Destination—Set the destination address of the network to which you want to create a route.
Netmask or Prefix Length—Set the netmask (IPv4) or prefix length (IPv6) for the network.
Interface—Set the egress management interface.
Gateway—Set the gateway IP address.

Step 4

In the Shared Settings area, set network parameters shared by all interfaces.

Note

If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings derived from the DHCP server.

You can configure the following shared settings:

Hostname—Set the FMC hostname. If you change the hostname, reboot the FMC if you want the new hostname reflected in syslog messages. Syslog messages do not reflect a new hostname until after a reboot.
Domains—Set the search domain(s) for the FMC, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system . The domains are used only on the management interface, or for commands that go through the management interface.
Primary DNS Server, Secondary DNS Server, Tertiary DNS Server—Set the DNS servers to be used in order of preference.

Remote Management Port—Set the remote management port for communication with managed devices. The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Note

Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Step 5

In the Proxy area, configure HTTP proxy settings.

The FMC is configured to directly-connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest.

See proxy requirements in the prerequisites to this topic.

Check the Enabled check box.
In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server.

See requirements in the prerequisites to this topic.
In the Port field, enter a port number.
Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name and Password.

Step 6

Click Save.

Step 7

If you changed the management IP address, it might affect communication between the FMC and managed devices.

Changing the IP address will not affect the current connection. However, if the device or FMC reloads, then the connection needs to be reestablished. You need at least one of the devices (FMC or managed device) to have the correct IP address of the peer. For example, if you added the device on the FMC and specified a NAT ID (instead of an IP address), then the FMC IP address that you defined on the device at setup will be wrong, and the device will not be able to reestablish communications. Moreover, you cannot update the FMC IP address on a device; you can only replace the IP address and re-register as a new device (configure manager add ). On the other hand, if the FMC knows the correct IP address of the managed device, then even if the managed device has the wrong IP address for the FMC, then the FMC can successfully establish the connection.

Configure Classic Device Management Interfaces at the Web Interface


Smart License	Classic License	Supported Devices	Supported Domains	Access
N/A	Any	7000 & 8000 Series	Global only	Admin

Modify the management interface settings on the managed device using the web interface. You can optionally enable an event interface if your model supports it.

Caution

Be careful when making changes to the management interface; if you cannot re-connect because of a configuration error, you will need to access the device console port and reconfigure the settings at the CLI.

Procedure

Step 1

Choose System > Configuration, and then choose Management Interfaces.

Step 2

In the Interfaces area, click Edit next to the interface that you want to configure.

All available interfaces are listed in this section. You cannot add more interfaces.

You can configure the following options on each management interface:

Enabled—Enable the management interface. Do not disable the default eth0 management interface. Some processes require the eth0 interface.
Channels—(8000 series only) Configure an event-only interface. You can enable the eth1 management interface on your 8000 series device to act as an event interface. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. For the eth0 management interface, leave both check boxes checked.

The Firepower Management Center event-only interface cannot accept management channel traffic, so you should simply disable the management channel on the device event interface.

You can optionally disable Event Traffic for the management interface. In either case, the device will try to send events on the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel.

You cannot disable both event and management channels on an interface.
Mode—Specify a link mode. Note that any changes you make to auto-negotiation are ignored for GigabitEthernet interfaces.
MTU—Set the maximum transmission unit (MTU). The default is 1500. The range within which you can set the MTU can vary depending on the model and interface type.

Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.
MDI/MDIX—Set the Auto-MDIX setting.
IPv4 Configuration—Set the IPv4 IP address. Choose:
- Static—Manually enter the IPv4 Management IP address and IPv4 Netmask.
- DHCP—Set the interface to use DHCP (eth0 only).
- Disabled—Disable IPv4. Do not disable both IPv4 and IPv6.
IPv6 Configuration—Set the IPv6 IP address. Choose:
- Static—Manually enter the IPv6 Management IP address and IPv6 Prefix Length.
- DHCP—Set the interface to use DHCPv6 (eth0 only).
- Router Assigned—Enable stateless autoconfiguration.
- Disabled—Disable IPv6. Do not disable both IPv4 and IPv6.

Step 3

In the Routes area, edit a static route by clicking the edit icon (), or add a route by clicking the add icon (). View the route statistics by clicking the view icon ().

Note

You need to add a static route for the event-only interface if the Firepower Management Center is on a remote network; otherwise, all traffic will match the default route through the management interface. For the default route, you can change only the gateway IP address. The default route always uses the eth0 interface. For information about routing, see Network Routes on Management Interfaces.

You can configure the following settings for a static route:

Destination—Set the destination address of the network to which you want to create a route.
Netmask or Prefix Length—Set the netmask (IPv4) or prefix length (IPv6) for the network.
Interface—Set the egress management interface.
Gateway—Set the gateway IP address.

Step 4

In the Shared Settings area, set network parameters shared by all interfaces.

Note

If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings derived from the DHCP server.

You can configure the following shared settings:

Hostname—Set the device hostname. If you change the hostname, reboot the device if you want the new hostname reflected in syslog messages. Syslog messages do not reflect a new hostname until after a reboot.
Domains—Set the search domain(s) for the device, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system . The domains are used only on the management interface, or for commands that go through the management interface.
Primary DNS Server, Secondary DNS Server, Tertiary DNS Server—Set the DNS servers to be used in order of preference.

Remote Management Port—Set the remote management port for communication with the FMC. The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Note

Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Step 5

In the LCD Panel area, check the Allow reconfiguration of network settings check box to enable changing network settings using the device’s LCD panel.

You can use the LCD panel to edit the IP address for the device. Confirm that any changes you make are reflected on the managing Firepower Management Center. In some cases, you may need to update the data manually on the Firepower Management Center as well.

Caution

Allowing reconfiguration using the LCD panel can present a security risk. You need only physical access, not authentication, to configure network settings using the LCD panel. The web interface warns you that enabling this option is a potential security issue.

Step 6

In the Proxy area, configure HTTP proxy settings.

The device is configured to directly-connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest.

Note

Proxies that use NT LAN Manager (NTLM) authentication are not supported.

Check the Enabled check box.
In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server.
In the Port field, enter a port number.
Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name and Password.

Step 7

Click Save.

Step 8

If you changed the management IP address, it might affect communication between the FMC and the managed device.

Changing the IP address will not affect the current connection. However, if the device or FMC reloads, then the connection needs to be reestablished. You need at least one of the devices (FMC or managed device) to have the correct IP address of the peer. For example, if you specified a NAT ID (instead of an IP address) for the FMC during device setup, then the device IP address that you defined on the FMC when you added the device will be wrong, and the FMC will not be able to reestablish communications. In this case, you must change the management IP address of the device in the FMC; see Editing Device Management Settings.

Configure Classic Device Management Interfaces at the CLI


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Classic	Global only	Admin

Modify the management interface settings on the managed device using the CLI. Many of these settings are ones that you set when you performed the initial setup; this procedure lets you change those settings, and set additional settings such as enabling an event interface if your model supports it, or adding static routes. For information about the CLI, see Command Line Referencein this guide.

Note

When using SSH, be careful when making changes to the management interface; if you cannot re-connect because of a configuration error, you will need to access the device console port.

Before you begin

For the 7000 & 8000 Series devices, you can create user accounts at the web interface as described in Creating a User Account.

Procedure

Step 1

Connect to the device CLI, either from the console port or using SSH.

See Logging Into the Command Line Interface.

Step 2

Log in with the Admin username and password.

Step 3

Enable an event-only interface (for supported models; see Management Interface Support):

configure network management-interface enable management_interface

configure network management-interface disable-management-channel management_interface

Example:


> configure network management-interface enable management1
Configuration updated successfully

> configure network management-interface disable-management-channel management1
Preserve existing configuration- currently no IP addresses on eth1 to update (bootproto IPv4:,bootproto IPv6:
at /usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm line 821.
Configuration updated successfully

>

The Firepower Management Center event-only interface cannot accept management channel traffic, so you should simply disable the management channel on the device event interface.

You can optionally disable events for the management interface using the configure network management-interface disable-events-channel command. In either case, the device will try to send events on the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel.

You cannot disable both event and management channels on an interface.

Step 4

Configure the network settings of the management interface and/or event interface:

If you do not specify the management_interface argument, then you change the network settings for the default management interface. When configuring an event interface, be sure to specify the management_interface argument. The event interface can be on a separate network from the management interface, or on the same network. If you are connected to the interface you are configuring, you will be disconnected. You can re-connect to the new IP address.

Configure the IPv4 address:
- Manual configuration:
  
  configure network ipv4 manual ip_address netmask gateway_ip [management_interface]
  
  Note that the gateway_ip in this command is only used to create the default route for the primary management interface. If you set the gateway for an event-only interface, then this command ignores the gateway and does not create a default or static route for it. You must create a static route separately using the configure network static-routes command.
  
  Example:
```
> configure network ipv4 manual 10.10.10.45 255.255.255.0 management1
Setting IPv4 network configuration.
Network settings changed.

>
```
- DHCP (supported on the default management interface only):
  
  configure network ipv4 dhcp
Configure the IPv6 address:
- Stateless autoconfiguration:
  
  configure network ipv6 router [management_interface]
  
  Example:
```
> configure network ipv6 router management0
Setting IPv6 network configuration.
Network settings changed.

>
```
- Manual configuration:
  
  configure network ipv6 manual ip6_address ip6_prefix_length [ip6_gateway_ip] [management_interface]
  
  Note that the ipv6_gateway_ip in this command is only used to create the default route for the primary management interface. If you set the gateway for an event-only interface, then this command ignores the gateway and does not create a default or static route for it. You must create a static route separately using the configure network static-routes command.
  
  Example:
```
> configure network ipv6 manual 2001:0DB8:BA98::3210 64 management1
Setting IPv6 network configuration.
Network settings changed.

>
```
- DHCPv6 (supported on the default management interface only):
  
  configure network ipv6 dhcp

Step 5

Add a static route for the event-only interface if the Firepower Management Center is on a remote network; otherwise, all traffic will match the default route through the management interface.

configure network static-routes {ipv4 | ipv6 }add management_interface destination_ip netmask_or_prefix gateway_ip

For the default route, do not use this command; you can only change the default route gateway IP address when you use the configure network ipv4 or ipv6 commands for the default management interface (see step 4).

For information about routing, see Network Routes on Management Interfaces.

Example:


> configure network static-routes ipv4 add management1 192.168.6.0 255.255.255.0 10.10.10.1
Configuration updated successfully

> configure network static-routes ipv6 add management1 2001:0DB8:AA89::5110 64 2001:0DB8:BA98::3211
Configuration updated successfully

>

To display static routes, enter show network-static-routes (the default route is not shown):


> show network-static-routes
---------------[ IPv4 Static Routes ]---------------
Interface                 : management1
Destination               : 192.168.6.0
Gateway                   : 10.10.10.1
Netmask                   : 255.255.255.0
[…]

Step 6

Set the hostname:

configure network hostname name

Example:


> configure network hostname farscape1

Syslog messages do not reflect a new hostname until after a reboot.

Step 7

Set the search domains:

configure network dns searchdomains domain_list

Example:


> configure network dns searchdomains example.com,cisco.com

Set the search domain(s) for the device, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system . The domains are used only on the management interface, or for commands that go through the management interface.

Step 8

Set up to 3 DNS servers, separated by commas:

configure network dns servers dns_ip_list

Example:


> configure network dns servers 10.10.6.5,10.20.89.2,10.80.54.3

Step 9

Set the remote management port for communication with the FMC:

configure network management-interface tcpport number

Example:


> configure network management-interface tcpport 8555

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Note

Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Step 10

Configure an HTTP proxy. The device is configured to directly-connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest. After issuing the command, you are prompted for the HTTP proxy address and port, whether proxy authentication is required, and if it is required, the proxy username, proxy password, and confirmation of the proxy password.

configure network http-proxy

Example:


> configure network http-proxy
Manual proxy configuration
Enter HTTP Proxy address: 10.100.10.10
Enter HTTP Proxy Port: 80
Use Proxy Authentication? (y/n) [n]: Y
Enter Proxy Username: proxyuser
Enter Proxy Password: proxypassword
Confirm Proxy Password: proxypassword

Step 11

If you changed the management IP address, change the managed device IP address in the FMC according to Editing Device Management Settings.

If you specified a NAT ID (instead of an IP address) for the device in the FMC, then you can skip this step.

System Shut Down and Restart

Use your Firepower System's web interface to control the shut down and restart of processes on your appliance. Shutting down the appliance prepares the system to be safely powered off and restarted without losing configuration data.

You have several options for controlling the processes on Firepower Management Centers. You can:

Shut down the system — Initiates a graceful shutdown of the Firepower system.
Reboot the system — Shuts down and restarts the system in an orderly manner.
Restart the console — Restarts the communications, database, and HTTP server processes. This is typically used during troubleshooting.

These same options are available for 7000 and 8000 Series managed devices. You can also restart the Snort process on these devices.

Caution

Do not shut off appliances using the power button; it may cause a loss of data. Shut down appliances completely via the web interface.

Caution

Restarting the Snort process temporarily interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

For Firepower virtual managed devices, the virtual infrastructure, such as VMware, typically provides configurable power options to define the way a virtual machine is shut down, restarted, or suspended. Consult the documentation for your virtual platform to determine how to set these options.

Note

For Firepower virtual managed devices running on VMware, custom power options are part of VMware Tools, so you must have VMware Tools installed on your virtual machines to configure graceful shut down.

Shutting Down and Restarting the System


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Global only	Admin

Procedure

Step 1

Choose System > Configuration.

Step 2

Choose Process.

Step 3

To shut down the appliance:

FMC—Click Run Command next to Shutdown Management Center.
Managed device—Click Run Command next to Shutdown Appliance.

Step 4

To reboot the appliance:

FMC—Click Run Command next to Reboot Management Center.
Managed device—Click Run Command next to Reboot Appliance.

Note

When you reboot your Firepower Management Center or managed device, this logs you out of your appliance, and the system runs a database check that can take up to an hour to complete.

Step 5

To restart the appliance:

FMC—Click Run Command next to Restart Management Center.
Managed device—Click Run Command next to Restart Appliance Console.

Note

Restarting the Firepower Management Center may cause deleted hosts to reappear in the network map.

Step 6

To restart the Snort process on a managed device, click Run Command next to Restart Snort.

Note

This command is only available from the 7000 and 8000 Series device’s local web interface.

Caution

Restarting the Snort process temporarily interrupts traffic inspection. Whether traffic drops during this interruption or passes without inspection depends on how the device is configured. See Snort® Restart Traffic Behavior for more information.

Remote Storage Management

On Firepower Management Centers, you can use the following for local or remote storage for backups and reports:

Network File System (NFS)
Server Message Block (SMB)/Common Internet File System (CIFS)
Secure Shell (SSH)

Note

The system supports only SMBv1 for backup and remote storage.

You cannot send backups to one remote system and reports to another, but you can choose to send either to a remote system and store the other on the Firepower Management Center.

Tip

After configuring and selecting remote storage, you can switch back to local storage only if you have not increased the connection database limit.

Configuring Local Storage


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Procedure

Step 1	Choose System > Configuration.
Step 2	Choose Remote Storage Device.
Step 3	Choose Local (No Remote Storage) from the Storage Type drop-down list.
Step 4	Click Save.

Configuring NFS for Remote Storage


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Before you begin

Ensure that your external remote storage system is functional and accessible from your FMC.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click Remote Storage Device.
Step 3	Choose NFS from the Storage Type drop-down list.
Step 4	Add the connection information: Enter the IPv4 address or hostname of the storage system in the Host field. Enter the path to your storage area in the Directory field.
Step 5	Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options.
Step 6	Under System Usage: Choose Use for Backups to store backups on the designated host. Choose Use for Reports to store reports on the designated host. Enter Disk Space Threshold for backup to remote storage. Default is 90%.
Step 7	To test the settings, click Test.
Step 8	Click Save.

Configuring SMB for Remote Storage


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Before you begin

Ensure that your external remote storage system is functional and accessible from your FMC.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click Remote Storage Device.
Step 3	Choose SMB from the Storage Type drop-down list.
Step 4	Add the connection information: Enter the IPv4 address or hostname of the storage system in the Host field. Enter the share of your storage area in the Share field. Note that the system only recognizes top-level shares and not full file paths. To use the specified Share directory as a remote backup destination, it must be shared on the Windows system. Optionally, enter the domain name for the remote storage system in the Domain field. Enter the user name for the storage system in the Username field and the password for that user in the Password field.
Step 5	Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options.
Step 6	Under System Usage: Choose Use for Backups to store backups on the designated host. Choose Use for Reports to store reports on the designated host.
Step 7	To test the settings, click Test.
Step 8	Click Save.

Configuring SSH for Remote Storage


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Caution

If you enable STIG compliance on an appliance, you cannot use SSH for remote storage for that appliance.

Before you begin

Ensure that your external remote storage system is functional and accessible from your Firepower Management Center.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click Remote Storage Device.
Step 3	Choose SSH from the Storage Type drop-down list.
Step 4	Add the connection information: Enter the IP address or host name of the storage system in the Host field. Enter the path to your storage area in the Directory field. Enter the storage system’s user name in the Username field and the password for that user in the Password field. To specify a network domain as part of the connection user name, precede the user name with the domain followed by a forward slash (/). To use SSH keys, copy the content of the SSH Public Key field and place it in your authorized_keys file.
Step 5	Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options.
Step 6	Under System Usage: Choose Use for Backups to store backups on the designated host. Choose Use for Reports to store reports on the designated host.
Step 7	If you want to test the settings, you must click Test.
Step 8	Click Save.

Remote Storage Management Advanced Options

If you select the Network File System (NFS) protocol, Server Message Block (SMB) protocol, or SSH to use secure file transfer protocol (SFTP) to store your reports and backups, you can select the Use Advanced Options check box to use one of the mount binary options as documented in an NFS, SMB, or SSH mount man page.

If you select SMB, you can enter the security mode in the Command Line Options field using the following format:


sec=mode

where mode is the security mode you want to use for remote storage.

Table 5. SMB Security Mode Settings
Mode	Description
[none]	Attempt to connect as null user (no name).
`krb5`	Use Kerberos version 5 authentication.
`krb5i`	Use Kerberos authentication and packet signing.
`ntlm`	Use NTLM password hashing. (Default)
`ntlmi`	Use NTLM password hashing with signing (may be Default if `/proc/fs/cifs/PacketSigningEnabled` is on or if server requires signing).
`ntlmv2`	Use NTLMv2 password hashing.
`ntlmv2i`	Use NTLMv2 password hashing with packet signing.

Change Reconciliation

To monitor the changes that users make and ensure that they follow your organization’s preferred standard, you can configure the system to send, via email, a detailed report of changes made over the past 24 hours. Whenever a user saves changes to the system configuration, a snapshot is taken of the changes. The change reconciliation report combines information from these snapshots to present a clear summary of recent system changes.

The following sample graphic displays a User section of an example change reconciliation report and lists both the previous value for each configuration and the value after changes. When users make multiple changes to the same configuration, the report lists summaries of each distinct change in chronological order, beginning with the most recent.

You can view changes made during the previous 24 hours.

Configuring Change Reconciliation


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Global only	Admin

Before you begin

Configure an email server to receive emailed reports of changes made to the system over a 24 hour period; see Configuring a Mail Relay Host and Notification Address for more information.

Procedure

Step 1

Choose System > Configuration.

Step 2

Click Change Reconciliation.

Step 3

Check the Enable check box.

Step 4

Choose the time of day you want the system to send out the change reconciliation report from the Time to Run drop-down lists.

Step 5

Enter email addresses in the Email to field.

Tip

Once you have added email addresses, click Resend Last Report to send recipients another copy of the most recent change reconciliation report.

Step 6

If you want to include policy changes, check the Include Policy Configuration check box.

Step 7

If you want to include all changes over the past 24 hours, check the Show Full Change History check box.

Step 8

Click Save.

Change Reconciliation Options

The Include Policy Configuration option controls whether the system includes records of policy changes in the change reconciliation report. This includes changes to access control, intrusion, system, health, and network discovery policies. If you do not select this option, the report will not show changes to any policies. This option is available on Firepower Management Centers only.

The Show Full Change History option controls whether the system includes records of all changes over the past 24 hours in the change reconciliation report. If you do not select this option, the report includes only a consolidated view of changes for each category.

Policy Change Comments

You can configure the Firepower System to track several policy-related changes using the comment functionality when users modify access control, intrusion, or network analysis policies.

With policy change comments enabled, administrators can quickly assess why critical policies in a deployment were modified. Optionally, you can have changes to intrusion and network analysis policies written to the audit log.

Configuring Comments to Track Policy Changes


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

You can configure the Firepower System to prompt users for comments when they modify an access control policy, intrusion policy, or network analysis policy. You can use comments to track users’ reasons for policy changes. If you enable comments on policy changes, you can make the comment optional or mandatory. The system prompts the user for a comment when each new change to a policy is saved.

Procedure

Step 1	Choose System > Configuration. The system configuration options appear in the left navigation panel.
Step 2	Configure the policy comment preferences for any of the following: Click Access Control Preferences for comment preferences for access control policies. Click Intrusion Policy Preferences for comment preferences for intrusion policies. Click Network Analysis Policy Preferences for comment preferences for network analysis policies.
Step 3	You have the following choices for each policy type: Disabled—Disables change comments. Optional—Gives users the option to describe their changes in a comment. Required—Requires users to describe their changes in a comment before saving.
Step 4	Optionally for intrusion or network analysis policy comments: Check Write changes in Intrusion Policy to audit log to write all intrusion policy changes to the audit log. Check Write changes in Network Analysis Policy to audit log to write all network analysis policy changes to the audit log.
Step 5	Click Save.

The Access List

On Firepower Management Center and Classic managed devices, you can use access lists to limit access to the system by IP address and port. By default, the following ports are enabled for any IP address:

443 (HTTPS)—Used for web interface access.
22 (SSH)—Used for command line access.

You can also add access to poll for SNMP information over port 161.

Caution

By default, access is not restricted. To operate in a more secure environment, consider adding access for specific IP addresses and then deleting the default any option.

Configuring the Access List for Your System


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC Classic	Any	Admin

This configuration applies to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, and NGIPSv):

For the Firepower Management Center, this configuration is part of the system configuration.
For a Classic managed device, you apply this configuration from the Firepower Management Center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Note that this access list does not control external database access.

Procedure

Step 1

Depending on whether you are configuring a Firepower Management Center or a Classic managed device:

FMC—Choose System > Configuration.
Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.

Step 2

Click Access List.

Step 3

Optionally, to delete one of the current settings, click the delete icon ().

Caution

If you delete access for the IP address that you are currently using to connect to the appliance interface, and there is no entry for “IP=any port=443”, you will lose access to the system when you deploy the policy.

Step 4

To add access for one or more IP addresses, click Add Rules.

Step 5

In the IP Address field, enter an IP address or address range, or any.

Step 6

Choose SSH, HTTPS, SNMP, or a combination of these options to specify which ports you want to enable for these IP addresses.

Step 7

Click Add.

Step 8

Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Audit Logs

Firepower Management Center records the activity of management center users in read-only audit logs.

Classic devices also maintain audit logs. See Audit Logs on Classic Devices.

You can review audit log data in several ways:

Audit logs are presented in a standard event view in the web interface. From this event view, you can view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and you can view detailed reports of the changes that users make. See Auditing the System.
You can configure Firepower Management Center to send audit log messages to the syslog.
You can configure Firepower Management Center to stream audit log messages to an HTTP server.

Streaming audit log data to an external syslog or HTTP server allows you to conserve space on the local appliance. See Configure the Audit Log for External Streaming.

Configure the Audit Log for External Streaming


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Any	Admin

The following is an example of the output structure:

Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]

where the local date, time, and hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.

For example:

Mar 01 14:45:24 localhost [TAG] Dev-DC3500: admin@10.1.1.2, Operations > Monitoring, Page View

Before you begin

Ensure that the external host is functional and accessible from the system sending the audit log.

Procedure

Step 1

Choose System > Configuration.

Step 2

Click Audit Log.

Step 3

Choose Enabled from the Send Audit Log to Syslog drop-down menu.

Step 4

Designate the destination host for the audit information by using the IP address or the fully qualified name of the host in the Host field. The default port (514) is used.

Caution

If the computer you configure to receive an audit log is not set up to accept remote messages, the host will not accept the audit log.

Step 5

Choose a syslog Facility.

Step 6

Choose a Severity.

Step 7

Optionally, insert a reference tag in the Tag (optional) field.

Step 8

To send regular audit log updates to an external HTTP server, choose Enabled from the Send Audit Log to HTTP Server drop-down list.

Step 9

In the URL to Post Audit field, designate the URL where you want to send audit information. You must enter an URL that corresponds to a listener program that expects the HTTP POST variables as listed:

subsystem
actor
event_type
message
action_source_ip
action_destination_ip
result
time
tag (if defined, as above)

Caution

To allow encrypted posts, you must use an HTTPS URL. Note that sending audit information to an external URL may affect system performance.

Step 10

Click Save.

Dashboard Settings

Dashboards provide you with at-a-glance views of current system status through the use of widgets: small, self-contained components that provide insight into different aspects of the Firepower System. The Firepower System is delivered with several predefined dashboard widgets.

You can configure the Firepower Management Center so that Custom Analysis widgets are enabled on the dashboard.

Enabling Custom Analysis Widgets for Dashboards


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Use Custom Analysis dashboard widgets to create a visual representation of events based on a flexible, user-configurable query.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click Dashboard.
Step 3	Check the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards.
Step 4	Click Save.

DNS Cache

You can configure the system to resolve IP addresses automatically on the event view pages. You can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled.

Configuring DNS Cache Properties


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups.

Procedure

Step 1	Choose System > Configuration.
Step 2	Choose DNS Cache.
Step 3	From the DNS Resolution Caching drop-down list, choose one of the following: Enabled—Enable caching. Disabled—Disable caching.
Step 4	In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity. The default setting is 300 minutes (five hours).
Step 5	Click Save.

Email Notifications

Configure a mail host if you plan to:

Email event-based reports
Email status reports for scheduled tasks
Email change reconciliation reports
Email data-pruning notifications
Use email for discovery event, impact flag, correlation event alerting, intrusion event alerting, and health event alerting

When you configure email notification, you can select an encryption method for the communication between the system and mail relay host, and can supply authentication credentials for the mail server if needed. After configuring, you can test the connection.

Configuring a Mail Relay Host and Notification Address


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC	Global only	Admin

Procedure

Step 1

Choose System > Configuration.

Step 2

Click Email Notification.

Step 3

In the Mail Relay Host field, enter the hostname or IP address of the mail server you want to use. The mail host you enter must allow access from the appliance.

Step 4

In the Port Number field, enter the port number to use on the email server.

Typical ports include:

25, when using no encryption
465, when using SSLv3
587, when using TLS

Step 5

Choose an Encryption Method:

TLS—Encrypt communications using Transport Layer Security.
SSLv3—Encrypt communications using Secure Socket Layers.
None—Allow unencrypted communication.

Note

Certificate validation is not required for encrypted communication between the appliance and mail server.

Step 6

In the From Address field, enter the valid email address you want to use as the source email address for messages sent by the appliance.

Step 7

Optionally, to supply a user name and password when connecting to the mail server, choose Use Authentication. Enter a user name in the Username field. Enter a password in the Password field.

Step 8

To send a test email using the configured mail server, click Test Mail Server Settings.

A message appears next to the button indicating the success or failure of the test.

Step 9

Click Save.

Language Selection

You can use the Language page to specify a different language for the web interface.

Specifying a Different Language


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC 7000 & 8000 Series	Any	Admin

This configuration applies to either a Firepower Management Center or a 7000 and 8000 Series managed device.

For the Firepower Management Center, this configuration is part of the system configuration.
For a 7000 and 8000 Series managed device, you apply this configuration from the Firepower Management Center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Caution

The language you specify here is used for the web interface for every user who logs into the appliance.

Procedure

Step 1	Depending on whether you are configuring a Firepower Management Center or a Classic managed device: FMC—Choose System > Configuration. Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.
Step 2	Click Language.
Step 3	Choose the language you want to use.
Step 4	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Login Banners

You can use the Login Banner page to specify session, login, or custom message banners for a security appliance or shared policy.

You can use spaces but not tabs in banner text. You can specify multiple lines of text for the banner. If your text includes empty lines, the system displays this as a carriage return (CR) in the banner. You can only use ASCII characters, including new-line (press the Enter key), which counts as two characters.

When you access the security appliance through Telnet or SSH, the session closes if there is not enough system memory available to process the banner messages, or if a TCP write error occurs when attempting to display the banner messages.

Adding a Custom Login Banner


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC Classic	Any	Admin

You can create a custom login banner that appears to users logging in via either SSH or the web interface.

This configuration applies to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, and NGIPSv):

For the Firepower Management Center, this configuration is part of the system configuration.
For a Classic managed device, you apply this configuration from the Firepower Management Center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Procedure

Step 1	Depending on whether you are configuring a Firepower Management Center or a Classic managed device: FMC—Choose System > Configuration. Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.
Step 2	Choose Login Banner.
Step 3	In the Custom Login Banner field, enter the login banner text you want to use.
Step 4	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

SNMP Polling

You can enable Simple Network Management Protocol (SNMP) polling for Firepower Management Centers and Classic managed devices. This feature supports use of versions 1, 2, and 3 of the SNMP protocol.

This feature allows access to:

The standard management information base (MIB), which includes system details such as contact, administrative, location, service information, IP addressing and routing information, and transmission protocol usage statistics
Additional MIBs for 7000 and 8000 Series managed devices that include statistics on traffic passing through physical interfaces, logical interfaces, virtual interfaces, ARP, NDP, virtual bridges, and virtual routers

Note

When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities and SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.

Note that enabling the SNMP feature does not cause the system to send SNMP traps; it only makes the information in the MIBs available for polling by your network management system.

Configuring SNMP Polling


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC Classic	Any	Admin

This configuration applies to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, and NGIPSv):

For the Firepower Management Center, this configuration is part of the system configuration.
For a Classic managed device, you apply this configuration from the Firepower Management Center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Note

You must add SNMP access for any computer you plan to use to poll the system. Note that the SNMP MIB contains information that could be used to attack your deployment. Cisco recommends that you restrict your access list for SNMP access to the specific hosts that will be used to poll for the MIB. Cisco also recommends you use SNMPv3 and use strong passwords for network management access.

SNMPv3 only supports read-only users and encryption with AES128.

Before you begin

Add SNMP access for each computer you plan to use to poll the system as described in Configuring the Access List for Your System.

Procedure

Step 1

Depending on whether you are configuring a Firepower Management Center or a Classic managed device:

FMC—Choose System > Configuration.
Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.

Step 2

Click SNMP.

Step 3

From the SNMP Version drop-down list, choose the SNMP version you want to use.

Step 4

You have the following choices:

If you chose Version 1 or Version 2, enter the SNMP community name in the Community String field. Go to step 13.

Note

SNMPv2 only supports read-only communities.

If you chose Version 3, click Add User to display the user definition page.

Note

SNMPv3 only supports read-only users and encryption with AES128.

Step 5

Enter a Username.

Step 6

Choose the protocol you want to use for authentication from the Authentication Protocol drop-down list.

Step 7

Enter the password required for authentication with the SNMP server in the Authentication Password field.

Step 8

Re-enter the authentication password in the Verify Password field.

Step 9

Choose the privacy protocol you want to use from the Privacy Protocol list, or choose None to not use a privacy protocol.

Step 10

Enter the SNMP privacy key required by the SNMP server in the Privacy Password field.

Step 11

Re-enter the privacy password in the Verify Password field.

Step 12

Click Add.

Step 13

Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

STIG Compliance

Organizations within the United States federal government sometimes need to comply with a series of security checklists set out in Security Technical Implementation Guides (STIGs). The Firepower System supports compliance with STIG requirements established by the United States Department of Defense.

If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. Non-compliant managed devices cannot be registered to STIG-compliant Firepower Management Centers and STIG-compliant devices cannot be registered to non-compliant Firepower Management Centers.

Enabling STIG compliance does not guarantee strict compliance to all applicable STIGs. .

When you enable STIG compliance, password complexity and retention rules for local shell access accounts change. In addition, you cannot use SSH remote storage when in STIG compliance mode.

Caution

You cannot disable this setting without assistance from Support. In addition, this setting may substantially impact the performance of your system. Cisco does not recommend enabling STIG compliance except to comply with Department of Defense security requirements.

Enabling STIG Compliance


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC Classic	Any	Admin

This configuration applies to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, and NGIPSv):

For the Firepower Management Center, this configuration is part of the system configuration.
For a Classic managed device, you apply this configuration from the Firepower Management Center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Caution

If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. You cannot disable this setting without assistance from Support. In addition, this setting may substantially impact the performance of your system. Cisco does not recommend enabling STIG compliance except to comply with Department of Defense security requirements.

Procedure

Step 1

Depending on whether you are configuring a Firepower Management Center or a Classic managed device:

FMC—Choose System > Configuration.
Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.

Step 2

Click STIG Compliance.

Note

Appliances reboot when you enable STIG compliance. The Firepower Management Center reboots when you save the system configuration; managed devices reboot when you deploy configuration changes.

Step 3

If you want to permanently enable STIG compliance on the appliance, choose Enable STIG Compliance.

Step 4

Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.
If your appliances were updated from versions earlier than Version 5.2.0, enabling STIG compliance regenerates appliance certificates. After you enable STIG compliance across your deployment, re-register managed devices to the Firepower Management Center.

Time and Time Synchronization

Synchronizing the system time on your Firepower Management Center and its managed devices is essential to successful operation of your Firepower System.

Use a Network Time Protocol (NTP) server to synchronize system time on FMC and all devices.

Caution

Unintended consequences may occur when time is not synchronized between the Firepower Management Center and managed devices.

Synchronize Time Using a Network NTP Server


Smart License	Classic License	Supported Devices	Supported Domains	Access
N/A	Any	FMC	Global only	Admin

The best way to ensure proper synchronization between Firepower Management Center and all managed devices is to use an NTP server on your network.

Before you begin

Note the following:

If your FMC and managed devices cannot access a network NTP server, do not use this procedure. Instead, see Synchronize Time Without Access to a Network NTP Server.
Do not specify an untrusted NTP server.
Connections to NTP servers do not use configured proxy settings.

Caution

If the Firepower Management Center is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, configure your DHCP server to set the same NTP server.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click Time Synchronization.
Step 3	If Serve Time via NTP is Enabled, choose Disabled.
Step 4	For the Set My Clock option, choose Via NTP from and enter the hostname or IP address of an NTP server. If your organization has corroborative NTP servers, enter multiple NTP servers as a comma-separated list.
Step 5	Click Save.
Step 6	Set managed devices to synchronize with the same NTP server: In the Time Synchronization settings for the platform settings policy assigned to your managed devices, set the clock to synchronize Via NTP from and specify the same NTP server that you specified above. Deploy the change to the devices. For instructions: See Synchronizing Time on Classic Devices.

Synchronize Time Without Access to a Network NTP Server


Smart License	Classic License	Supported Devices	Supported Domains	Access
N/A	Any	FMC	Global only	Admin

If your devices cannot directly reach the network NTP server, or your organization does not have a network NTP server, a physical-hardware Firepower Management Center can serve as an NTP server.

Important

Do not use a virtual Firepower Management Center as an NTP server.

Procedure

Step 1

Manually set the system time on the Firepower Management Center:

Choose System > Configuration.
Click Time Synchronization.
If Serve Time via NTP is Enabled, choose Disabled.
Click Save.
For Set My Clock, choose Manually in Local Configuration.
Click Save.
In the navigation panel at the left side of the screen, click Time.
Use the Set Time drop-down lists to set the time.
If the time zone displayed is not UTC, click it and set the time zone to UTC.
Click Save.
Click Done.
Click Apply.

Step 2

Set the Firepower Management Center to serve as an NTP server:

In the navigation panel at the left side of the screen, click Time Synchronization.
For Serve Time via NTP, choose Enabled.
Click Save.

Step 3

Set managed devices to synchronize with the Firepower Management Center NTP server:

In the Time Synchronization settings for the platform settings policy assigned to your managed devices, set the clock to synchronize Via NTP from Management Center.
Deploy the change to managed devices.

For instructions:

See Synchronizing Time on Classic Devices.

About Changing Time Synchronization Settings

If you configure the FMC to serve time using NTP, and then later disable it, the NTP service on managed devices still attempts to synchronize time with the FMC. You must update and redeploy any applicable platform settings policies to establish a new time source.
If you need to change the time manually after configuring the Firepower Management Center as an NTP server, you need to disable the NTP option, change the time manually, and then re-enable the NTP option.

View Current System Time, Source, and NTP Server Connection Status


Smart License	Classic License	Supported Devices	Supported Domains	Access
N/A	Any	FMC	Global only	Admin

Time settings are displayed on most pages in local time using the time zone you set on the Time Zone page in User Preferences (the default is America/New York), but are stored on the appliance using UTC time.

In addition, the current time appears in UTC at the top of the Time Synchronization page (local time is displayed in the Manual clock setting option, if enabled).

Restriction

The Time Zone function (in User Preferences) assumes that the default system clock is set to UTC time. DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Be advised that changing the system time from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.

Note

To view time and time source information on your NGIPS hardware device, see View Current System Time, Source, and NTP Server Connection Status for NGIPS Devices.

Procedure

Step 1

Choose System > Configuration.

Step 2

Click Time.

If your appliance uses an NTP server: For information about the table entries, see NTP Server Status.

NTP Server Status

When the system is synchronizing time from an NTP server, you can view the NTP Status from the Firepower Management Center's Time page (under the System > Configuration menu) and from the local web interface of 7000 and 8000 Series devices:

Table 6. NTP Status
Column	Description
NTP Server	The IP address and name of the configured NTP server.
Status	The status of the NTP server time synchronization: Being Used indicates that the appliance is synchronized with the NTP server. Available indicates that the NTP server is available for use, but time is not yet synchronized. Not Available indicates that the NTP server is in your configuration, but the NTP daemon is unable to use it. Pending indicates that the NTP server is new or the NTP daemon was recently restarted. Over time, its value should change to Being Used, Available, or Not Available. Unknown indicates that the status of the NTP server is unknown.
Offset	The number of milliseconds of difference between the time on the appliance and the configured NTP server. Negative values indicate that the appliance is behind the NTP server, and positive values indicate that it is ahead.
Last Update	The number of seconds that have elapsed since the time was last synchronized with the NTP server. The NTP daemon automatically adjusts the synchronization times based on a number of conditions. For example, if you see larger update times such as 300 seconds, that indicates that the time is relatively stable and the NTP daemon has determined that it does not need to use a lower update increment.

Session Timeouts

Unattended login sessions of the Firepower System web interface or auxiliary command line interface may be security risks. You can configure, in minutes, the amount of idle time before a user’s login session times out due to inactivity. You can also set a similar timeout for shell (command line) sessions.

Your deployment may have users who plan to passively, securely monitor the web interface for long periods of time. You can exempt users from the web interface session timeout with a user configuration option. Users with the Administrator role, whose complete access to menu options poses an extra risk if compromised, cannot be made exempt from session timeouts.

Configuring Session Timeouts


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC Classic	Any	Admin

This configuration applies to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, and NGIPSv):

For the Firepower Management Center, this configuration is part of the system configuration.
For a Classic managed device, you apply this configuration from the Firepower Management Center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Procedure

Step 1	Depending on whether you are configuring a Firepower Management Center or a Classic managed device: FMC—Choose System > Configuration. Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.
Step 2	Click Shell Timeout.
Step 3	You have the following choices: To configure session timeout for the web interface, enter a number (of minutes) in the Browser Session Timeout (Minutes) field. The default value is `60`; the maximum value is `1440` (24 hours). For information on how to exempt users from this session timeout, see User Account Login Options. To configure session timeout for the command line interface, enter a number (of minutes) in the Shell Timeout (Minutes) field. The default value is `0`; the maximum value is `1440` (24 hours).
Step 4	Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Vulnerability Mapping

The Firepower System automatically maps vulnerabilities to a host IP address for any application protocol traffic received or sent from that address, when the server has an application ID in the discovery event database and the packet header for the traffic includes a vendor and version.

For any servers which do not include vendor or version information in their packets, you can configure whether the system associates vulnerabilities with server traffic for these vendor and versionless servers.

For example, a host serves SMTP traffic that does not have a vendor or version in the header. If you enable the SMTP server on the Vulnerability Mapping page of a system configuration, then save that configuration to the Firepower Management Center managing the device that detects the traffic, all vulnerabilities associated with SMTP servers are added to the host profile for the host.

Although detectors collect server information and add it to host profiles, the application protocol detectors will not be used for vulnerability mapping, because you cannot specify a vendor or version for a custom application protocol detector and cannot select the server for vulnerability mapping.

Mapping Vulnerabilities for Servers


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Protection	FMC	Global only	Admin

Procedure

Step 1

Choose System > Configuration.

Step 2

Choose Vulnerability Mapping.

Step 3

You have the following choices:

To prevent vulnerabilities for a server from being mapped to hosts that receive application protocol traffic without vendor or version information, clear the check box for that server.
To cause vulnerabilities for a server to be mapped to hosts that receive application protocol traffic without vendor or version information, check the check box for that server.

Tip

You can check or clear all check boxes at once using the check box next to Enabled.

Step 4

Click Save.

Remote Console Access Management

You can use a Linux system console for remote access on supported systems via either the VGA port (which is the default) or the serial port on the physical appliance. Use the Console Configuration page to choose the option most suitable to the physical layout of your organization’s Cisco deployment.

On supported physical-hardware-based Firepower systems, you can use Lights-Out Management (LOM) on the default (eth0) management interface on a Serial Over LAN (SOL) connection to remotely monitor or manage the system without logging into the management interface of the system. You can perform limited tasks, such as viewing the chassis serial number or monitoring such conditions as fan speed and temperature, using a command line interface on an out-of-band management connection.

You must enable LOM for both the system and the user you want to manage the system. After you enable the system and the user, you use a third-party Intelligent Platform Management Interface (IPMI) utility to access and manage your system.

Configuring Remote Console Settings on the System


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC and 7000 & 8000 Series	Global only	Admin with LOM access

Before you begin

Disable Spanning Tree Protocol (STP) on any third-party switching equipment connected to the device’s management interface.

Procedure

Step 1

Choose System > Configuration.

Step 2

Click Console Configuration.

Step 3

Choose a remote console access option:

Choose VGA to use the appliance’s VGA port.
Choose Physical Serial Port to use the appliance’s serial port, or to use LOM/SOL on a Firepower Management Center, Firepower 7050, or 8000 Series device.
Choose Lights-Out Management to use LOM/SOL on a 7000 Series device (except the Firepower 7050). On these devices, you cannot use SOL and a regular serial connection at the same time.

Note

When you change your remote console from Physical Serial Port to Lights-Out Management or from Lights-Out Management to Physical Serial Port on the 70xx Family of devices (except the Firepower 7050), you may have to reboot the appliance twice to see the expected boot prompt.

Step 4

To configure LOM via SOL, enter the necessary IPv4 settings:

Choose the address Configuration for the system (DHCP or Manual)

Enter the IP Address to be used for LOM.

Note

The LOM IP address must be different from the management interface IP address of the system.

Enter the Netmask for the system.
Enter the Default Gateway for the system.

Step 5

Click Save.

What to do next

If you configured Lights-Out Management, enable a Lights-Out Management user; see Lights-Out Management User Access Configuration.

Lights-Out Management User Access Configuration

You must explicitly grant Lights-Out Management permissions to users who will use the feature. LOM users also have the following restrictions:

You must assign the Administrator role to the user.
The username may have up to 16 alphanumeric characters. Hyphens and longer user names are not supported for LOM users.
The password may have up to 20 alphanumeric characters, except when set on 71xx Family devices. If LOM is enabled on a Firepower 7110, 7115, 7120, or 7125 device, the password may have up to 16 alphanumeric characters. Passwords longer than 20 or 16 characters, respectively, are not supported for LOM users. A user’s LOM password is the same as that user’s system password. Cisco recommends that you use a complex, non-dictionary-based password of the maximum supported length for your appliance and change it every three months.
Physical Firepower Management Centers and 8000 Series devices can have up to 13 LOM users. 8000 Series devices can have up to eight LOM users.

Note that if you deactivate, then reactivate, a role with LOM while a user with that role is logged in, or restore a user or user role from a backup during that user’s login session, that user must log back into the web interface to regain access to IPMItool commands.

Enabling Lights-Out Management User Access


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC and 7000 & 8000 Series	Global only	Admin with LOM access

You configure LOM and LOM users on a per-system basis using each system’s local web interface. You cannot use the Firepower Management Center to configure LOM on a managed device. Similarly, because users are managed independently per appliance, enabling or creating a LOM-enabled user on the Firepower Management Center does not transfer that capability to users on managed devices.

Procedure

Step 1	Choose System > Configuration.
Step 2	Click Console Configuration.
Step 3	Click Lights Out Management.
Step 4	You have the following choices: To grant LOM user access to an existing user, click the edit icon () next to a user name in the list. To grant LOM user access to a new user, click Create User.
Step 5	Under User Configuration, enable the Administrator role.
Step 6	Check the Allow Lights-Out Management Access check box.
Step 7	Click Save.

Serial Over LAN Connection Configuration

You use a third-party IPMI utility on your computer to create a Serial Over LAN connection to the appliance. If your computer uses a Linux-like or Mac environment, use IPMItool; for Windows environments, use IPMIutil.

Note

Cisco recommends using IPMItool version 1.8.12 or greater.

Linux

IPMItool is standard with many distributions and is ready to use.

Mac

You must install IPMItool on a Mac. First, confirm that your Mac has Apple's XCode Developer tools installed, making sure that the optional components for command line development are installed (UNIX Development and System Tools in newer versions, or Command Line Support in older versions). Then you can install macports and the IPMItool. Use your favorite search engine for more information or try these sites:


	https://developer.apple.com/technologies/tools/
	http://www.macports.org/

Windows

You must compile IPMIutil on Windows. If you do not have access to a compiler, you can use IPMIutil itself to compile. Use your favorite search engine for more information or try this site:


	http://ipmiutil.sourceforge.net/

Understanding IPMI Utility Commands

Commands used for IPMI utilities are composed of segments as in the following IPMItool example:


ipmitool -I lanplus -H IP_address -U user_name command

where:

ipmitool invokes the utility
-I lanplus enables encryption for the session
-H IP_address indicates the IP address of the appliance you want to access
-U user_name is the name of an authorized user

- command is the name of the command you want to give

Note

Cisco recommends using IPMItool version 1.8.12 or greater.

The same command for Windows looks like this:


ipmiutil command -V 4 -J 3 -N IP_address -Uuser_name

This command connects you to the command line on the appliance where you can log in as if you were physically present at the appliance. You may be prompted to enter a password.

Configuring Serial Over LAN with IPMItool


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC and 7000 & 8000 Series	Any	Admin with LOM access

Procedure

Using IPMItool, enter the following command, and a password if prompted:


ipmitool -I lanplus -H IP_address -U user_name sol activate

Configuring Serial Over LAN with IPMIutil


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC and 7000 & 8000 Series	Any	Admin with LOM access

Procedure

Using IPMIutil, enter the following command, and a password if prompted:


ipmiutil -J 3 -H IP_address -U username sol -a

Lights-Out Management Overview

Lights-Out Management (LOM) provides the ability to perform a limited set of actions over an SOL connection on the default (eth0) management interface without the need to log into the system. You use the command to create a SOL connection followed by one of the LOM commands. After the command is completed, the connection ends. Note that not all power control commands are valid on 70xx Family devices.

Note

The baseboard management controller (BMC) for a Firepower 71xx, Firepower 82xx, or a Firepower 83xx device is only accessible via 1Gbps link speeds when the host is powered on. When the device is powered down, the BMC can only establish Ethernet link at 10 and 100Mbps. Therefore if LOM is being used to remotely power the device, connect the device to the network using 10 and 100Mbps link speeds only.

Caution

In rare cases, if your computer is on a different subnet than the system's management interface and the system is configured for DHCP, attempting to access LOM features can fail. If this occurs, you can either disable and then re-enable LOM on the system, or use a computer on the same subnet as the system to ping its management interface. You should then be able to use LOM.

Caution

Cisco is aware of a vulnerability inherent in the Intelligent Platform Management Interface (IPMI) standard (CVE-2013-4786). Enabling Lights-Out Management (LOM) on an system exposes this vulnerability. To mitigate this vulnerability, deploy your systems on a secure management network accessible only to trusted users and use a complex, non-dictionary-based password of the maximum supported length for your system and change it every three months. To prevent exposure to this vulnerability, do not enable LOM.

If all attempts to access your system have failed, you can use LOM to restart your system remotely. Note that if a system is restarted while the SOL connection is active, the LOM session may disconnect or time out.

Caution

Do not restart your system unless it does not respond to any other attempts to restart. Remotely restarting does not gracefully reboot the system and you may lose data.

Table 7. Lights-Out Management Commands
IPMItool	IPMIutil	Description
(not applicable)	`-V 4`	Enables admin privileges for the IPMI session
`-I lanplus`	`-J 3`	Enables encryption for the IPMI session
`-H`	`-N`	Indicates the IP address of the remote appliance
`-U`	`-U`	Indicates the username of an authorized LOM account
`sol activate`	`sol -a`	Starts the SOL session
`sol deactivate`	`sol -d`	Ends the SOL session
`chassis power cycle`	`power -c`	Restarts the appliance (not valid on 70xx Family devices)
`chassis power on`	`power -u`	Powers up the appliance
`chassis power off`	`power -d`	Powers down the appliance (not valid on  70xx Family devices)
`sdr`	`sensor`	Displays appliance information, such as fan speeds and temperatures

For example, to display a list of appliance information, the IPMItool command is:


ipmitool -I lanplus -H IP_address -U user_name sdr

Note

Cisco recommends using IPMItool version 1.8.12 or greater.

The same command with the IPMIutil utility is:


ipmiutil sensor -V 4 -J 3 -N IP_address -U user_name

Configuring Lights-Out Management with IPMItool


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC and 7000 & 8000 Series	Any	Admin with LOM access

Procedure

Enter the following command for IPMItool and a password if prompted:


ipmitool -I lanplus -H IP_address -U user_name command

Configuring Lights-Out Management with IPMIutil


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	FMC and 7000 & 8000 Series	Any	Admin with LOM access

Procedure

Enter the following command for IPMIutil and a password if prompted:


ipmiutil -J 3 -H IP_address -U username command

VMware Tools and Virtual Systems

VMware Tools is a suite of performance-enhancing utilities intended for virtual machines. These utilities allow you to make full use of the convenient features of VMware products. Firepower virtual appliances running on VMware support the following plugins:

guestInfo
powerOps
timeSync
vmbackup

You can also enable VMware Tools on all supported versions of ESXi. For a list of supported versions, see the Cisco Firepower NGIPSv for VMware Quick Start Guide. For information on the full functionality of VMware Tools, see the VMware website (http://www.vmware.com/).

Enabling VMware Tools on the Firepower Management Center for VMware


Smart License	Classic License	Supported Devices	Supported Domains

Bias-Free Language

Results

Chapter: System Configuration

System Configuration

Introduction to System Configuration

Navigating the Firepower Management Center System Configuration

Procedure

System Configuration Settings

Appliance Information

Viewing and Modifying the System Information

Procedure

HTTPS Certificates

Default HTTPS Server Certificates

Custom HTTPS Server Certificates

HTTPS Client Certificates

Viewing the Current Server Certificate

Procedure

Generating and Submitting a Certificate Signing Request

Procedure

What to do next

Server Certificate Upload

Uploading Server Certificates

Before you begin

Procedure

Requiring Valid User Certificates

Before you begin

Procedure

External Database Access Settings

Enabling External Access to the Database

Procedure

Database Event Limits

Configuring Database Event Limits

Before you begin

Procedure

Database Event Limits

Management Interfaces

About Management Interfaces

Management Interfaces on the Firepower Management Center

Management Interfaces on Managed Devices

Management Interface Support

Network Routes on Management Interfaces

Management and Event Traffic Channel Examples

Configure Management Interfaces

Configure Firepower Management Center Management Interfaces

Before you begin

Procedure

Configure Classic Device Management Interfaces at the Web Interface

Procedure

Configure Classic Device Management Interfaces at the CLI

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

System Shut Down and Restart

Shutting Down and Restarting the System

Procedure

Remote Storage Management

Configuring Local Storage

Procedure

Configuring NFS for Remote Storage

Before you begin

Procedure

Configuring SMB for Remote Storage

Before you begin

Procedure

Configuring SSH for Remote Storage

Before you begin

Procedure

Remote Storage Management Advanced Options

Change Reconciliation

Configuring Change Reconciliation

Before you begin

Procedure

Change Reconciliation Options