Firepower Management Center Configuration Guide, Version 6.0
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following topics
explain how to configure system configuration settings on
Firepower Management Centers
and managed devices:
Requirements and Prerequisites for the System Configuration
Model Support
FMC
Some settings also apply to 7000 & 8000 Series devices.
Supported Domains
Global
User Roles
Admin
About System Configuration
System configuration settings apply to either a Firepower Management Center or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, NGIPSv):
For the Firepower Management Center these configuration settings are part of a "local" system configuration. Note that system configuration on the Firepower Management Center is specific to a single system, and changes to a FMC's system configuration affect only that system.
For a Classic managed device, you apply a configuration from the Firepower Management Center as part of a platform settings policy. You create a shared policy to configure a subset of the system configuration settings,
appropriate for managed devices, that are likely to be similar across a deployment.
Tip
For 7000 and 8000 Series devices, you can perform limited system configuration tasks from the local web interface, such as console configuration and
remote management. These are not the same configurations that you apply to a 7000 or 8000 Series device using a platform settings policy.
Navigating the
Firepower Management Center
System Configuration
The system
configuration identifies basic settings for a
Firepower Management Center.
Procedure
Step 1
Choose System > Configuration.
Step 2
Use the navigation panel to choose configurations to change; see
Table 1
for more information.
System Configuration
Settings
Note that for managed devices, many of these configurations are handled by a platform settings policy applied from the FMC; see Platform Settings Policies. For 7000/8000 series devices, you can also log into the local web interface for non-policy based system configurations; see
Local System Configuration for 7000/8000 Series Devices.
Table 1. System Configuration Settings
Setting
Description
Access Control Preferences
Configure the system to prompt users for a comment when they add or modify an access control policy; see Policy Change Comments.
Access List
Control which computers can access the system on specific ports; see Access List.
Audit Log
Configure the system to send an audit log to an external host; see Audit Logs.
Change Reconciliation
Configure the system to send a detailed report of changes to the system over the last 24 hours; see Change Reconciliation.
Enable Custom Analysis widgets on the dashboard; see Dashboard Settings.
Database
Specify the maximum number of each type of event that the Firepower Management Center can store; see Database Event Limits.
DNS Cache
Configure the system to resolve IP addresses automatically on event view pages; see DNS Cache.
Email Notification
Configure a mail host, select an encryption method, and supply authentication credentials for email-based notifications and
reporting; see Email Notifications.
Map vulnerabilities to a host IP address for any application protocol traffic received or sent from that address; see Vulnerability Mapping.
Appliance
Information
The System > Configuration page of the web interface includes the information listed in the table below. Unless otherwise noted, all fields are read-only.
Note
See also the Help > About page, which includes similar but slightly different information.
Field
Description
Name
A descriptive name you assign to the FMCappliance. Although you can use the host name as the name of the appliance, entering a different name in this field does not
change the host name.
Product Model
The model name of the appliance.
Serial
Number
The serial
number of the appliance.
Software Version
The version of the software currently installed on the
appliance.
Prohibit Packet Transfer to the Firepower Management Center
Specifies whether the managed device sends packet data with events, allowing the data to be stored on the Firepower Management Center. This setting is available on the local web interface on 7000 and 8000 Series devices.
Operating System
The operating system currently running on the appliance.
Operating System Version
The version of the operating system currently running on the
appliance.
IPv4 Address
The IPv4 address of the default (eth0) management
interface. If IPv4 management is disabled, this field indicates that.
IPv6 Address
The IPv6 address of the default (eth0) management
interface. If IPv6 management is disabled, this field indicates that.
Current Policies
The system-level policies currently deployed. If a policy has been updated since it was last deployed, the name of the policy
appears in italics.
Model Number
The appliance-specific model number stored on the internal flash
drive. This number may be important for troubleshooting.
View Appliance Information
Procedure
Choose
System > Configuration.
View Basic System Information
The About page
displays information about your appliance, including the model, serial number,
and version information for various components of the Firepower System. It also
includes Cisco copyright information.
Procedure
Step 1
Click Help in the toolbar at the top of the page.
Step 2
Choose
About.
HTTPS Certificates
Secure Sockets Layer (SSL)/TLS certificates enable Firepower Management Centers and 7000 and 8000 Series devices to establish an encrypted channel between the system and a web browser. A default certificate is included with all Firepower
devices, but it is not generated by a certificate authority (CA) trusted by any globally known CA. For this reason, consider
replacing it with a custom certificate signed by a globally known or internally trusted CA.
Default HTTPS Server Certificates
If you use the default server certificate provided with an appliance, do not configure the system to require a valid HTTPS
client certificate for web interface access because the default server certificate is not signed by the CA that signs your
client certificate.
The default server certificate provided with an
appliance expires 20 years from when it was first generated.
Custom HTTPS Server Certificates
You can use the Firepower Management Center web interface to generate a server certificate request based on your system information and the identification information
you supply. You can use that request to sign a certificate if you have an internal certificate authority (CA) installed that
is trusted by your browser. You can also send the resulting request to a certificate authority to request a server certificate.
After you have a signed certificate from a certificate authority (CA), you can import it.
HTTPS Client Certificates
You can restrict access to the Firepower System web server using client browser certificate checking. When you enable user
certificates, the web server checks that a user’s browser client has a valid user certificate selected. That user certificate
must be generated by the same trusted certificate authority that is used for the server certificate. The browser cannot load
the web interface under any of the following circumstances:
The user selects a certificate in the browser that is not valid.
The user selects a certificate in the browser that is not generated by the certificate authority that signed the server certificate.
The user selects a certificate in the browser that is not generated by a certificate authority in the certificate chain on
the device.
You can also load a certificate revocation list (CRL) for the server. The CRL lists any certificates that the certificate
authority has revoked, so the web server can verify that the client browser certificate is valid. If the user selects a certificate
that is listed in the CRL as a revoked certificate, the browser cannot load the web interface.
Viewing the Current
Server Certificate
You can only view server certificates for the appliance you are
logged into.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
HTTPS Certificate.
Generating and
Submitting a Certificate Signing Request
When
you generate a certificate request through the local configuration HTTPS
Certificate page using this procedure, you can only generate a certificate for
a single system. Similarly, if you install a certificate that is not signed by
a globally known or internally trusted CA, you receive a security warning when
you connect to the system.
The key generated
for the certificate request is in Base-64 encoded PEM format.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
HTTPS Certificate.
Step 3
Click
Generate New CSR.
Step 4
Enter a country code in the
Country Name (two-letter code) field.
Step 5
Enter a state or province postal abbreviation in the
State or Province field.
Step 6
Enter a
Locality or City.
Step 7
Enter an
Organization name.
Step 8
Enter an
Organizational Unit (Department)
name.
Step 9
Enter the fully qualified domain name of the server for which
you want to request a certificate in the
Common Name field.
Note
You must
enter the fully qualified domain name of the server exactly as it should appear
in the certificate in the
Common Name field. If the common name and the DNS
host name do not match, you receive a warning when connecting to the appliance.
Step 10
Click
Generate.
Step 11
Open a text editor.
Step 12
Copy the entire block of text in the certificate request,
including the
BEGIN CERTIFICATE REQUEST and
END CERTIFICATE REQUEST lines, and paste it into a
blank text file.
Step 13
Save the file as
servername.csr, where
servername is the name of the server where you plan to
use the certificate.
If the signing authority that generated the certificate requires
you to trust an intermediate CA, you must also supply a certificate chain,
sometimes referred to as a certificate path. If you require user certificates,
they must be generated by a certificate authority whose intermediate authority
is included in the certificate chain.
Uploading Server
Certificates
If the signing authority that generated the certificate requires
you to trust an intermediate CA, you must also supply a certificate chain,
sometimes referred to as a certificate path. If you require user certificates,
they must be generated by a certificate authority whose intermediate authority
is included in the certificate chain.
Upload the CSR file to the certificate authority where you want
to request a certificate, or use the CSR to create a self-signed certificate.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
HTTPS Certificate.
Step 3
Click
Import HTTPS Certificate.
Step 4
Open the server certificate in a text editor, copy the entire
block of text, including the
BEGIN CERTIFICATE and
END CERTIFICATE lines, and paste it into the
Server Certificate field.
Step 5
If you want to upload a private key, open the private key file,
copy the entire block of text, including the
BEGIN RSA PRIVATE KEY and
END RSA PRIVATE KEY lines, and paste it into the
Private Key field.
Step 6
Open any intermediate certificates you need to provide, copy the
entire block of text, for each, and paste it into the
Certificate Chain field.
Step 7
Click
Save.
Requiring Valid User
Certificates
The system supports upload of CRLs in Distinguished Encoding
Rules (DER) format. You can only load one CRL for a server.
To ensure that the list of revoked certificates stays current,
you can create a scheduled task to update the CRL. The most recent refresh of
the CRL is listed in the interface.
Note
You
must have a valid user certificate present in your browser
(or a CAC inserted in your reader) to enable user certificates and to access
the web interface after doing so.
Before you begin
Use the same certificate authority used for the server
certificate to generate the user certificate.
Choose
Enable User Certificates. If prompted, select the
appropriate certificate from the drop-down list.
Step 4
If you want to retrieve the CRL, choose
Enable Fetching of CRL.
Step 5
Enter a valid URL to an existing CRL file and click
Refresh CRL. The current CRL at the supplied URL
loads to the server.
Note
Enabling fetching of the CRL creates a scheduled task to update
the CRL on a regular basis. Edit the task to set the frequency of the update.
Step 6
Verify that you have a valid user certificate generated by the
same certificate authority that created the server certificate.
Caution
If you save a configuration with enabled user certificates, but
you do not have a valid user certificate in your browser certificate store, you
disable all web server access to the appliance. Make sure you have a valid
certificate installed before saving settings.
Step 7
Click
Save.
External Database
Access Settings
You can configure the
Firepower Management Center
to allow read-only access to its database by a third-party client. This allows
you to query the database using SQL using any of the following:
industry-standard reporting tools such as Actuate BIRT,
JasperSoft iReport, or Crystal Reports
any other reporting application (including a custom application)
that supports JDBC SSL connections
the Cisco-provided command-line Java application called
RunQuery, which you can either run interactively or use to obtain
comma-separated results for a single query
Use the
Firepower Management Center's
system configuration to enable database access and create an access list that
allows selected hosts to query the database. Note that this access list does
not also control appliance access.
You can also download a package that contains the following:
RunQuery, the Cisco-provided database query tool
InstallCert, a tool you can use to retrieve and accept the SSL
certificate from the
Firepower Management Center
you want to access
the JDBC driver you must use to connect to the database
See the
Firepower System Database
Access Guide
for information on using the tools in the package you downloaded to configure
database access.
Enabling External
Access to the Database
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
External Database Access.
Step 3
Select the
Allow External Database Access check box.
Step 4
Enter an appropriate value in the Server Hostname field. Depending on your third-party application requirements, this value can be either the fully qualified domain name (FQDN),
IPv4 address, or IPv6 address of the Firepower Management Center.
Note
In an FMC high availability setup, enter only the active peer details. We do not recommend entering details of the standby
peer.
Step 5
Next to
Client JDBC Driver, click
Download and follow your browser’s prompts to
download the
client.zip package.
Step 6
To add database access for one or more IP addresses, click
Add Hosts. An
IP Address field appears in the
Access List field.
Step 7
In the
IP Address field, enter an IP address or address
range, or
any.
Step 8
Click
Add.
Step 9
Click
Save.
Tip
If you want to revert to the last saved database settings, click
Refresh.
Database Event
Limits
To manage disk space, the FMC periodically prunes the oldest intrusion events, audit records, Security Intelligence
data, and URL filtering data from the event database. For each event type, you can
specify how many records the FMC retains after pruning; never rely on the event database containing more records of
any type than the retention limit configured for that type. To improve performance,
tailor the event limits to the number of events you regularly work with. You can
optionally choose to receive email notifications when pruning occurs. For some event
types, you can disable storage.
To manually delete individual events, use the event viewer. You can also manually purge the database; see
Data Storage.
For each of the databases, enter the number of records you want to store.
For information on how many records each database can maintain, see Database Event Limits.
Step 4
Optionally, in the
Data Pruning Notification Address field, enter the
email address where you want to receive pruning notifications.
Step 5
Click
Save.
Database Event
Limits
The following table lists the minimum and maximum number of records for each event type that you can store on a Firepower Management Center.
Table 2. Database Event Limits
Event Type
Upper Limit
Lower Limit
Intrusion events
10 million (FMC Virtual)
20 million (FMC750)
30 million (FMC1500, )
60 million (FMC2000,)
150 million (FMC3500)
300 million (FMC4000, )
10,000
Discovery events
10 million (FMC Virtual)
20 million (FMC2000, FMC4000, )
Zero (disables storage)
Connection events
Security Intelligence events
50 million (FMC Virtual, FMC750)
100 million (FMC1500, )
300 million (FMC2000, )
500 million (FMC3500)
1 billion (FMC4000, )
Limit is shared between connection events and Security Intelligence
events. The sum of the configured maximums cannot exceed this
limit.
Zero (disables storage)
Setting Maximum Connection Events to zero
immediately purges existing connection
events.
Note that disabling connection event storage on the Firepower Management Center does not affect connection summaries or
correlation. The system still uses connection event information
for features like traffic profiles, correlation policies, and
dashboard displays.
Correlation events and compliance white list events
1 million (FMC Virtual)
2 million (FMC2000, , FMC4000)
One
Malware events
10 million (FMC Virtual)
20 million (FMC2000,, FMC4000)
10,000
File events
10 million (FMC Virtual)
20 million (FMC2000, , FMC4000)
Zero (disables storage)
Health events
1 million
Zero (disables storage)
Audit records
100,000
One
Remediation status events
10 million
One
White list violation history
a 30-day history of violations
One day’s history
User activity (user events)
10 million
One
User logins (user history)
10 million
One
Intrusion rule update import log records
1 million
One
Management Interfaces
After setup, you can change the management network settings, including
adding more management interfaces, hostname, search domains, DNS servers, and HTTP proxy
on the FMC.
About FMC Management Interfaces
By default, the FMC manages all devices on a single management interface. You can also perform initial
setup on the management interface and log into the FMC on this interface as an administrator. The management interface is also used to
communicate with the Smart Licensing server, to download updates, and to perform other
management functions.
The FMC uses the eth0 interface for initial setup, HTTP access for administrators, management
of devices, as well as other management functions such as licensing and updates.
You can also configure additional management interfaces on the same network, or on different networks. When the FMC manages large numbers of devices, adding more management interfaces can improve throughput and performance. You can also
use these interfaces for all other management functions. You might want to use each management interface for particular functions;
for example, you might want to use one interface for HTTP administrator access and another for device management.
For device management, the management interface carries two separate traffic channels: the management traffic channel carries all internal traffic
(such as inter-device traffic specific to managing the device), and the event traffic channel carries all event traffic (such as
web events). You can optionally configure a separate event-only interface on the FMC to handle event traffic; you can configure only one event interface. Event traffic
can use a large amount of bandwidth, so separating event traffic from management traffic
can improve the performance of the FMC. For example, you can assign a 10 GigabitEthernet interface to be the event
interface, if available, while using 1 GigabitEthernet interfaces for management. You
might want to configure an event-only interface on a completely secure, private network
while using the regular management interface on a network that includes Internet access,
for example. You can also use both management and event interfaces on the same network
if the goal is only to take advantage of increased throughput. Managed devices will send
management traffic to the FMC management interface and event traffic to the FMCs
event-only interface. If the managed device cannot reach the event-only interface, then
it will fall back to sending events to the management interface.
Note
All management interfaces support HTTP administrator access as controlled by your Access List
configuration. Conversely, you cannot restrict an
interface to only HTTP access; management interfaces always support device
management (management traffic, event traffic, or both).
Note
Only the eth0 interface supports DHCP IP addressing. Other management interfaces only support static IP addresses.
Management Interface Support Per FMC Model
See the hardware installation guide for your model for the
management interface locations.
See the following table for supported management interfaces on each FMC model.
Table 3. Management Interface Support on the FMC
Model
Management Interfaces
MC750, MC1500, MC3500
eth0 (Default)
eth1
MC2000, MC4000
eth0 (Default)
eth1
eth2
eth3
Firepower Management Center Virtual
eth0 (Default)
Network Routes on FMC Management Interfaces
Management interfaces (including event-only interfaces) support only static routes to reach
remote networks. When you set up your FMC, the setup process creates a default route to the gateway IP address that you
specify. You cannot delete this route; you can only modify the gateway address.
The default route always uses the lowest-numbered management interface (e.g. eth0).
At least one static route is recommended per management interface to access remote networks. We
recommend placing each interface on a separate network to avoid potential routing
problems, including routing problems from other devices to the FMC. If you do not
experience problems with interfaces on the same network, then be sure to configure
static routes correctly. For example, on the FMC both eth0 and eth1 are on the same
network, but you want to manage a different group of devices on each interface. The
default gateway is 192.168.45.1. If you want eth1 to manage devices on the remote
10.6.6.0/24 destination network, you can create a static route for 10.6.6.0/24 through
eth1 with the same gateway of 192.168.45.1. Traffic to 10.6.6.0/24 will hit this route
before it hits the default route, so eth1 will be used as expected.
If you want to use two FMC interfaces to manage remote devices that are on the same network, then static routing
on the FMC may not scale well, because you need separate static routes per device IP
address.
Another example includes separate management and event-only interfaces on both the FMC
and the managed device. The event-only interfaces are on a separate network from the
management interfaces. In this case, add a static route through the event-only interface
for traffic destined for the remote event-only network, and vice versa.
NAT Environments
Network address translation (NAT) is a method of transmitting and
receiving network traffic through a router that involves reassigning the source or
destination IP address. The most common use for NAT is to allow private networks to
communicate with the internet. Static NAT performs a 1:1 translation, which does not
pose a problem for FMC communication with devices, but port address translation (PAT) is more common. PAT
lets you use a single public IP address and unique ports to access the public network;
these ports are dynamically assigned as needed, so you cannot initiate a connection to a
device behind a PAT router.
Normally, you need both IP addresses (along with a registration
key) for both routing purposes and for authentication: the FMC specifies the device IP address when you add a device, and the device specifies the
FMC IP address. However, if you only know one of the IP addresses, which is the minimum
requirement for routing purposes, then you must also specify a unique NAT ID on both
sides of the connection to establish trust for the initial communication and to look up
the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to
authenticate and authorize for initial registration.
For example, you add a device to the FMC, and you do not know the device IP address (for example, the device is behind a PAT
router), so you specify only the NAT ID and the registration key on the FMC; leave the IP address blank. On the device, you specify the FMC IP address, the same NAT ID, and the same registration key. The device registers to
the FMC's IP address. At this point, the FMC uses the NAT ID instead of IP address to authenticate the device.
Although the use of a NAT ID is most common for NAT environments, you might choose to use
the NAT ID to simplify adding many devices to the FMC. On the FMC, specify a unique NAT ID for each device you want to add while leaving the IP address
blank, and then on each device, specify both the FMC IP address and the NAT ID. Note: The NAT ID must be unique per device.
The following example shows three devices behind a PAT IP address. In this case, specify
a unique NAT ID per device on both the FMC and the devices, and specify the FMC IP address on the devices.
Figure 1. NAT ID for Managed Devices Behind PAT
The following example shows the FMC behind a PAT IP address. In this case, specify a unique NAT ID per device on both the
FMC and the devices, and specify the device IP addresses on the FMC.
Figure 2. NAT ID for FMC Behind PAT
Management and Event Traffic Channel Examples
The following example shows the Firepower Management Center and managed devices using only the default management interfaces.
Figure 3. Single Management Interface on the Firepower Management Center
The following example shows the Firepower Management Center using separate management interfaces for devices; and each managed device using 1
management interface.
Figure 4. Mutliple Management Interfaces on the Firepower Management Center
The following example shows the Firepower Management Center and managed devices using a separate event interface.
Figure 5. Separate Event Interface on the Firepower Management Center and Managed Devices
The following example shows a mix of multiple management interfaces and a separate event
interface on the Firepower Management Center and a mix of managed devices using a separate event interface, or using a single
management interface.
Figure 6. Mixed Management and Event Interface Usage
Modify FMC Management Interfaces
Caution
Do NOT push the FMC deployments over a VPN tunnel that is terminating directly on the Firepower Threat Defense. Pushing the FMC deployments can potentially inactivate the tunnel and disconnect the FMC and the Firepower Threat Defense.
Recovering the device from this situation can be very disruptive and require executing the disaster recovery procedure. This
procedure resets the Firepower Threat Defense configuration to factory defaults by changing manager from FMC to local and configuring the device from beginning. For more information, see Deploying the FMC Policy Configuration over VPN Tunnel.
Modify the management interface settings on the Firepower Management Center. You can optionally enable additional management interfaces or configure an event-only interface.
Caution
Be careful when making changes to the management interface to which you are connected; if you cannot re-connect because of
a configuration error, you need to access the FMC console port to re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation.
Note
If you change the FMC IP address, then see the following tasks to ensure device
management connectivity depending on how you added the device to the
FMC:
IP address—No action. If you added the device to the FMC
using a reachable device IP address, then the management connection will
be reestablished automatically after several minutes even though the IP
address identified on the FTD is the old IP address. Note: If you
specified a device IP address that is unreachable, then you must contact
Cisco TAC, who can advise you how to restore connectivity for your
devices.
NAT ID only—Contact Cisco TAC. If you added the device
using only the NAT ID, then the connection cannot be reestablished. In
this case, you must contact Cisco TAC, who can advise you how to restore
connectivity for your devices.
Proxies that use NT LAN Manager (NTLM)
authentication are not supported.
If you use or will use Smart Licensing, the proxy FQDN cannot have
more than 64 characters.
Procedure
Step 1
Choose System > Configuration, and then choose Management Interfaces.
Step 2
In the Interfaces area, click Edit next to the interface that you want to configure.
All available interfaces are listed in this section. You cannot add more interfaces.
You can configure the following options on each management interface:
Enabled—Enable the management interface. Do not disable the default eth0 management interface. Some processes require the eth0 interface.
Channels—Configure an event-only interface; you can configure only one event interface on the FMC. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. You can optionally disable Event Traffic for the management interface(s). In either case, the device will try to send events to the event-only interface, and if that
interface is down, it will send events on the management interface even if you disable the event channel. You cannot disable
both event and management channels on an interface.
Mode—Specify a link mode. Note that any changes you make to auto-negotiation are ignored for GigabitEthernet interfaces.
MDI/MDIX—Set the Auto-MDIX setting.
MTU—Set the maximum transmission unit (MTU). The default is 1500. The range within which you can set the MTU can vary depending
on the model and interface type.
Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the
minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example,
the system automatically trims a configured value of 576 to 558.
IPv4 Configuration—Set the IPv4 IP address. Choose:
Static—Manually enter the IPv4 Management IP address and IPv4 Netmask.
DHCP—Set the interface to use DHCP (eth0 only).
Disabled—Disable IPv4. Do not disable both IPv4 and IPv6.
IPv6 Configuration—Set the IPv6 IP address. Choose:
Static—Manually enter the IPv6 Management IP address and IPv6 Prefix Length.
Disabled—Disable IPv6. Do not disable both IPv4 and IPv6.
Step 3
In the Routes area, edit a static route by clicking Edit (), or add a route by clicking Add ().
View the route table by clicking .
You need a static route for each additional interface to reach remote
networks. For more information about when new routes are needed, see Network Routes on FMC Management Interfaces.
Note
For the default route, you can change only the gateway IP address. The default route always
uses the eth0 interface.
You can configure the following settings for a static
route:
Destination—Set the destination address of the
network to which you want to create a route.
Netmask or Prefix
Length—Set the netmask (IPv4) or prefix length
(IPv6) for the network.
Interface—Set the egress management interface.
Gateway—Set the gateway IP address.
Step 4
In the Shared Settings area, set network parameters shared by all interfaces.
Note
If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings derived from the DHCP server.
You can configure the following shared settings:
Hostname—Set the FMC hostname. The hostname must start and end with a letter or digit,
and have only letters, digits, or a hyphen. If you change the
hostname, reboot the FMC if you want the new hostname reflected in syslog messages. Syslog
messages do not reflect a new hostname until after a reboot.
Domains—Set the search domain(s) for the FMC, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command,
for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface.
Primary DNS Server, Secondary DNS Server, Tertiary DNS Server—Set the DNS servers to be used in order of preference.
Remote Management Port—Set the remote management port for communication with managed devices. The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.
Note
Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other
communications on your network, you can choose a different port. If you change the management port, you must change it for
all devices in your deployment that need to communicate with each other.
Step 5
In the Proxy area, configure HTTP proxy settings.
The FMC is configured to directly-connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server,
to which you can authenticate via HTTP Digest.
See proxy requirements in the prerequisites to this topic.
Check the Enabled check box.
In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server.
See requirements in the prerequisites to this topic.
In the Port field, enter a port number.
Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name and Password.
Step 6
Click
Save.
Step 7
If you change the FMC IP address, then see If you change the FMC IP address,
then see the following tasks to ensure device
management connectivity depending on how you added the device to the
FMC:
IP address—No action. If you added the device to the
FMC using a reachable device IP address, then the management
connection will be reestablished automatically after several minutes
even though the IP address identified on the FTD is the old IP
address. Note: If you specified a device IP address that is
unreachable, then you must contact Cisco TAC, who can advise you how
to restore connectivity for your devices.
NAT ID only—Contact Cisco TAC. If you added the device
using only the NAT ID, then the connection cannot be reestablished.
In this case, you must contact Cisco TAC, who can advise you how to
restore connectivity for your devices.
Shut Down or Restart
Use the web interface to control the shut down and restart of processes on the FMC. You can:
Shut down: Initiate a graceful shutdown of the appliance.
Caution
Do not shut off Firepower appliances using the power button; it may cause a loss of data. Using the web interface (or CLI) prepares
the system to be safely powered off and restarted without losing configuration data.
Reboot: Shut down and restart gracefully.
Restart the console: Restart the communications, database, and HTTP server processes. This is typically used during troubleshooting.
Tip
For information on shutting down/restarting a 7000/8000 series device, including restarting the Snort process, see Shut Down or Restart a 7000/8000 Series Device. For virtual devices, refer to the documentation for your virtual platform. For VMware in particular, custom power options
are part of VMware Tools.
Shut Down or Restart the FMC
Procedure
Step 1
Choose
System > Configuration.
Step 2
Choose
Process.
Step 3
Do one of the following:
Shut down
Click Run Command next to Shutdown Management Center.
Reboot
Click Run Command next to Reboot Management Center.
Note
Rebooting logs you out, and the system runs a database check that can take up to an hour to complete.
Restart the console
Click Run Command next to Restart Management Center
Console.
Note
Restarting may cause deleted hosts to reappear in the network map.
Remote Storage
Management
On
Firepower Management Centers,
you can use the following for local or remote storage for backups and reports:
Network File System (NFS)
Server Message Block (SMB)/Common Internet File System (CIFS)
Secure Shell (SSH)
You cannot send
backups to one remote system and reports to another, but you can choose to send
either to a remote system and store the other on the
Firepower Management Center.
Tip
After configuring and selecting remote storage, you can switch back to local storage
only if you have not
increased the connection database limit.
Configuring Local
Storage
Procedure
Step 1
Choose
System > Configuration.
Step 2
Choose Remote Storage Device.
Step 3
Choose Local (No Remote Storage) from the Storage Type drop-down list.
Step 4
Click
Save.
Configuring NFS for
Remote Storage
Before you begin
Ensure that your external remote storage system is functional
and accessible from your
FMC.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
Remote Storage Device.
Step 3
Choose NFS from the Storage Type drop-down list.
Step 4
Add the connection information:
Enter the IPv4 address or hostname of the storage system in the
Host field.
Enter the path to your storage area in the
Directory field.
Choose Use for Backups to store backups on the designated host.
Choose Use for Reports to store reports on the designated host.
Step 7
To test the settings, click
Test.
Step 8
Click
Save.
Configuring SSH for
Remote Storage
Caution
If you enable
STIG compliance on an appliance, you cannot use SSH for remote storage for that
appliance.
Before you begin
Ensure that your external remote storage system is functional
and accessible from your
Firepower Management Center.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
Remote Storage Device.
Step 3
Choose
SSH from the
Storage Type drop-down list.
Step 4
Add the connection information:
Enter the IP address or host name of the storage system in the
Host field.
Enter the path to your storage area in the
Directory field.
Enter the storage system’s user name in the
Username field
and the password for that user in the
Password field.
To specify a network domain as part of the connection user name, precede the
user name with the domain followed by a forward slash (/).
To use SSH keys, copy the content of the
SSH Public Key
field and place it in your authorized_keys file.
Choose
Use for Backups to store backups on the designated
host.
Choose
Use for Reports to store reports on the designated
host.
Step 7
If you want to test the settings, you must click
Test.
Step 8
Click
Save.
Remote Storage
Management Advanced Options
If you select the Network File System (NFS) protocol, Server Message Block (SMB) protocol, or SSH to use secure file transfer protocol (SFTP) to store your reports and backups, you can select the Use Advanced Options check box to use one of the mount binary options as documented in an NFS, SMB, or SSH mount main page.
If you select SMB or NFS storage type, you can specify the version number of the remote storage in the Command Line Option field using the following format:
vers=version
where version is the version number of SMB or NFS remote storage you want to use. For example, to select NFSv4, enter vers=4.0.
If SMB encryption is enabled for a file server, only SMB version 3.0 clients are allowed to access the file server. To access
encrypted SMB file server from the FMC, type the following in the Command Line Option field:
vers=3.0
where you select encrypted SMBv3 to copy or save backup files from the FMC to the encrypted SMB file server.
Change
Reconciliation
To monitor the changes that users make and ensure that they
follow your organization’s preferred standard, you can configure the system to
send, via email, a detailed report of changes made over the past 24 hours.
Whenever a user saves changes to the system configuration, a snapshot is taken
of the changes. The change reconciliation report combines information from
these snapshots to present a clear summary of recent system changes.
The following sample graphic displays a User section of an
example change reconciliation report and lists both the previous value for each
configuration and the value after changes. When users make multiple changes to
the same configuration, the report lists summaries of each distinct change in
chronological order, beginning with the most recent.
You can view changes made during the previous 24 hours.
Choose the time of day you want the system to send out the change reconciliation report from the Time to Run drop-down lists.
Step 5
Enter email addresses in the Email to field.
Tip
Once you have added email addresses, click
Resend Last
Report to send recipients another copy of the most recent change
reconciliation report.
Step 6
If you want to include policy changes, check the Include Policy Configuration check box.
Step 7
If you want to include all changes over the past 24 hours, check the Show Full Change History check box.
Step 8
Click
Save.
Change
Reconciliation Options
The
Include Policy Configuration option controls whether
the system includes records of policy changes in the change reconciliation
report. This includes changes to access control, intrusion, system, health, and
network discovery policies. If you do not select this option, the report will
not show changes to any policies. This option is available on
Firepower Management Centers
only.
The
Show Full Change History option controls whether the
system includes records of all changes over the past 24 hours in the change
reconciliation report. If you do not select this option, the report includes
only a consolidated view of changes for each category.
Note
The change reconciliation report does not include changes to Firepower Threat Defense interfaces and routing settings.
Policy Change
Comments
You can configure the
Firepower System to track several policy-related changes using the comment
functionality when users modify access control, intrusion, or network analysis
policies.
With policy change comments enabled, administrators can quickly assess
why critical policies in a deployment were modified. Optionally, you can have
changes to intrusion and network analysis policies written to the audit log.
Configuring Comments
to Track Policy Changes
You can configure the Firepower System to prompt users for comments when they modify an access control policy, intrusion policy,
or network analysis policy. You can use comments to track users’ reasons for policy changes. If you enable comments on policy
changes, you can make the comment optional or mandatory. The system prompts the user for a comment when each new change to
a policy is saved.
Procedure
Step 1
Choose
System > Configuration.
The system
configuration options appear in the left navigation panel.
Step 2
Configure the policy comment preferences for any of the following:
Click
Access Control
Preferences for comment preferences for access control policies.
Click
Intrusion Policy Preferences for comment preferences
for intrusion policies.
Click
Network Analysis Policy
Preferences for comment preferences for network analysis policies.
Step 3
You have the following choices for each policy type:
Disabled—Disables change comments.
Optional—Gives users the option to describe their changes in a comment.
Required—Requires users to describe their changes in a comment before saving.
Step 4
Optionally for intrusion or network analysis policy comments:
Check
Write changes in Intrusion
Policy to audit log to write all intrusion policy changes to the
audit log.
Check
Write changes in Network Analysis Policy to audit
log to write all network analysis policy changes to the audit log.
Step 5
Click
Save.
Access List
You can limit access to the FMC by IP address and port. By default, the following ports are enabled for any IP address:
443 (HTTPS) for web interface access.
22 (SSH) for CLI access.
You can also add access to poll for SNMP information over port 161. Because SNMP is disabled by default, you must first enable
SNMP before you can add SNMP access rules. For more information, see Configure SNMP Polling.
Caution
By default, access is not restricted. To operate in a more secure environment, consider adding access for specific IP addresses
and then deleting the default any option.
If you delete access for the IP address that you are currently using to connect
to the FMC, and there is no entry for “IP=any
port=443”, you will lose access when you save.
By default, the access list includes rules for HTTPS and SSH. To add SNMP rules to the access list, you must first enable
SNMP. For more information, see Configure SNMP Polling.
Procedure
Step 1
Choose System > Configuration.
Step 2
(Optional) Click SNMP to configure SNMP if you want to add SNMP rules to the access list. By default, SNMP is disabled; see Configure SNMP Polling.
Step 3
Click Access List.
Step 4
To add access for one or more IP addresses, click Add Rules.
Step 5
In the IP Address field, enter an IP address or address range, or any.
Step 6
Choose SSH, HTTPS, SNMP, or a combination of these options to specify which ports you want to enable for these IP addresses.
Step 7
Click Add.
Step 8
Click Save.
Audit Logs
The Firepower Management Center records user activity in read-only audit logs. You can review audit log data in several ways:
Audit logs are presented in a standard event view where you can view, sort, and filter audit log messages based on any item
in the audit view. You can easily delete and report on audit information and you can view detailed reports of the changes
that users make.
Stream audit log messages to the syslog.
Stream audit log messages to an HTTP server.
Streaming audit log data to an external server allows you to conserve space on the FMC; see Configure Audit Log Streaming.
Ensure that the external host is functional and accessible from
the system sending the audit log.
Procedure
Step 1
Choose System > Configuration.
Step 2
Click
Audit Log.
Step 3
Choose
Enabled from the
Send Audit Log to Syslog drop-down menu.
Step 4
Designate the destination host for the audit information by
using the IP address or the fully qualified name of the host in the
Host field. The default port (514) is used.
Caution
If the computer you configure to receive an audit log is not set up to accept remote messages, the host will not accept the
audit log.
Step 5
Choose a syslog
Facility.
Step 6
Choose a
Severity.
Step 7
Optionally, insert a reference tag in the
Tag (optional)
field.
Step 8
To send regular audit log updates to an external HTTP server,
choose
Enabled from the
Send Audit Log to HTTP Server drop-down list.
Step 9
In the
URL to Post Audit field, designate the URL where you
want to send audit information. You must enter an URL that corresponds to a
listener program that expects the HTTP POST variables as listed:
subsystem
actor
event_type
message
action_source_ip
action_destination_ip
result
time
tag (if defined, as above)
Caution
To allow encrypted posts, you must use an HTTPS URL. Note that sending
audit information to an external URL may affect system performance.
Step 10
Click
Save.
Dashboard
Settings
Dashboards provide you
with at-a-glance views of current system status through the use of widgets:
small, self-contained components that provide insight into different aspects of
the Firepower System. The Firepower System is delivered with several predefined
dashboard widgets.
You can configure the
Firepower Management Center
so that Custom Analysis widgets are enabled on the dashboard.
Enabling Custom
Analysis Widgets for Dashboards
Use Custom Analysis dashboard widgets to create a visual
representation of events based on a flexible, user-configurable query.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
Dashboard.
Step 3
Check the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards.
Step 4
Click
Save.
DNS Cache
You can configure the
system to resolve IP addresses automatically on the event view pages. You can
also configure basic properties for DNS caching performed by the appliance.
Configuring DNS caching allows you to identify IP addresses you previously
resolved without performing additional lookups. This can reduce the amount of
traffic on your network and speed the display of event pages when IP address
resolution is enabled.
Configuring DNS
Cache Properties
DNS resolution
caching is a system-wide setting that allows the caching of previously resolved
DNS lookups.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Choose DNS Cache.
Step 3
From the DNS Resolution Caching drop-down list, choose one of the following:
Enabled—Enable caching.
Disabled—Disable caching.
Step 4
In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity.
The default setting is 300 minutes (five hours).
Step 5
Click
Save.
Email
Notifications
Configure a mail host
if you plan to:
Email event-based reports
Email status reports for scheduled tasks
Email change reconciliation reports
Email data-pruning notifications
Use email for discovery event, impact flag, correlation event
alerting, intrusion event alerting, and health event alerting
When you configure email notification, you can
select an encryption method for the communication between the system and mail
relay host, and can supply authentication credentials for the mail server if
needed. After configuring, you can test the connection.
Configuring a Mail Relay Host and Notification Address
Procedure
Step 1
Choose System > Configuration.
Step 2
Click Email Notification.
Step 3
In the Mail Relay Host field, enter the hostname or IP address of the mail server you want to use. The mail host you enter must allow access from the appliance.
Step 4
In the Port Number field, enter the port number to use on the email server.
Typical ports include:
25, when using no encryption
465, when using SSLv3
587, when using TLS
Step 5
Choose an Encryption Method:
TLS—Encrypt communications using Transport Layer Security.
SSLv3—Encrypt communications using Secure Socket Layers.
None—Allow unencrypted communication.
Note
Certificate validation is not required for encrypted communication
between the appliance and mail server.
Step 6
In the From Address field, enter the valid email address you want to use as the source email address for messages sent by the appliance.
Step 7
Optionally, to supply a user name and password when connecting to the mail server, choose Use Authentication. Enter a user name in the Username field. Enter a password in the Password field.
Step 8
To send a test email using the configured mail server, click Test Mail Server Settings.
A message appears next to the button indicating the success or failure of the
test.
Step 9
Click Save.
Language
Selection
You can use the
Language page to specify a different language for the web interface.
Set the Language for the Web Interface
The language you specify here is used for the web interface for every user. You can choose from:
You can use the Login
Banner page to specify session, login, or custom message banners for a security
appliance or shared policy.
You can use ASCII characters and carriage returns to create a custom login banner. The system
does not preserve tab spacing. If your login banner is too large or causes errors,
Telnet or SSH sessions can fail when the system attempts to display the banner.
In the
Custom Login Banner field, enter the login banner
text you want to use.
Step 4
Click
Save.
SNMP Polling
You can enable Simple Network Management Protocol (SNMP) polling. This feature supports use of versions 1, 2, and 3 of the
SNMP protocol. This feature allows access to the standard management information base (MIB), which includes system details
such as contact, administrative, location, service information, IP addressing and routing information, and transmission protocol
usage statistics.
Note
When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities and SNMPv3 only supports
read-only users. SNMPv3 also supports encryption with AES128.
Enabling SNMP polling does not cause the system to send SNMP traps; it only makes the information in the MIBs available for
polling by your network management system.
Add SNMP access for each computer you plan to use to poll the system. See Configure an Access List.
Note
The SNMP MIB contains information that could be used to attack your deployment.
We recommend that you restrict your access list for SNMP access to the specific
hosts that will be used to poll for the MIB. We also recommend you use SNMPv3
and use strong passwords for network management access.
Procedure
Step 1
Choose System > Configuration.
Step 2
Click SNMP.
Step 3
From the SNMP Version drop-down list, choose the SNMP version you want to use:
Version 1 or Version 2: Enter a read-only SNMP community name in the Community String field, then skip to the end of the procedure.
Note
Do not include special characters (< > / % # & ? ', etc.) in the SNMP community string name.
Version 3: Click Add User to display the user definition page. SNMPv3 only supports read-only users and encryption with AES128.
Step 4
Enter a Username.
Step 5
Choose the protocol you want to use for authentication from the Authentication Protocol drop-down list.
Step 6
Enter the password required for authentication with the SNMP server in the Authentication Password field.
Step 7
Re-enter the authentication password in the Verify Password field.
Step 8
Choose the privacy protocol you want to use from the Privacy Protocol list, or choose None to not use a privacy protocol.
Step 9
Enter the SNMP privacy key required by the SNMP server in the Privacy Password field.
Step 10
Re-enter the privacy password in the Verify Password field.
Step 11
Click Add.
Step 12
Click Save.
STIG
Compliance
Organizations within the United States federal government sometimes need to comply with a series of security checklists set
out in Security Technical Implementation Guides (STIGs). Firepower supports compliance with STIG requirements established
by the United States Department of Defense.
If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. Non-compliant managed
devices cannot be registered to STIG-compliant Firepower Management Centers and STIG-compliant devices cannot be registered to non-compliant FMCs.
Enabling STIG compliance does not guarantee strict compliance to all applicable STIGs.
When you enable STIG compliance, password complexity and retention rules for local shell access accounts change. In addition,
you cannot use SSH remote storage when in STIG compliance mode.
Caution
You cannot disable this setting without assistance from Cisco TAC. In addition, this setting may substantially impact the
performance of your system. We do not recommend enabling STIG compliance except to comply with Department of Defense security
requirements.
Enabling STIG
Compliance
This configuration applies to either a
Firepower Management Center
or a Classic managed device (7000 and 8000 Series,
ASA FirePOWER,
and
NGIPSv):
For the
Firepower Management Center,
this configuration is part of the system configuration.
For a Classic
managed device, you apply this configuration from the
Firepower Management Center
as part of a platform settings policy.
In either case,
the configuration does not take effect until you save your system configuration
changes or deploy the shared platform settings policy.
Caution
If you enable STIG compliance on any appliances in your
deployment, you must enable it on all appliances. You cannot disable this
setting without assistance from Support. In addition, this setting may
substantially impact the performance of your system. Cisco does not recommend
enabling STIG compliance except to comply with Department of Defense security
requirements.
Procedure
Step 1
Depending on
whether you are configuring a
Firepower Management Center
or a Classic managed device:
FMC—Choose
System > Configuration.
Managed device—Choose Devices > Platform Settings and create or edit a Firepower policy.
Step 2
Click
STIG Compliance.
Note
Appliances
reboot when you enable STIG compliance. The
Firepower Management Center
reboots when you save the system configuration; managed devices reboot when you
deploy configuration changes.
Step 3
If you want to permanently enable STIG compliance on the appliance, choose Enable STIG Compliance.
If your
appliances were updated from versions earlier than Version 5.2.0, enabling STIG
compliance regenerates appliance certificates. After you enable STIG compliance
across your deployment, re-register managed devices to the
Firepower Management Center.
Time and Time
Synchronization
Synchronizing the system time on your Firepower Management Center (FMC) and its managed devices is essential to successful operation of your Firepower
System. We recommend that you specify NTP servers during FMC initial configuration, but you can use the information in this section to
establish or change time sychronization settings after intial configuration is
complete.
Use a Network Time Protocol (NTP) server to synchronize system time on the FMC and all devices.
Caution
Unintended consequences can occur when time is not synchronized between
the FMC and managed devices.
To synchronize time on FMC and managed devices, see:
This topic provides instructions for configuring your FMC to synchronize with an NTP server or servers and includes links to
instructions on configuring managed devices to synchronize with the same NTP
server or servers.
This topic provides instructions for setting the time on your FMC, configuring your FMC to serve as an NTP server, and links to instructions on configuring managed
devices to synchronize with the FMC NTP server.
Synchronize Time on the FMC with an NTP Server
Time synchronization among all of the components of your system is critically important.
The best way to ensure proper time synchronization between FMC and all managed devices is to use an NTP server on your network.
The FMC supports NTPv4.
You must have Admin or Network Admin privileges to do this procedure.
Connections to NTP servers do not use configured proxy settings.
Firepower 4100 Series devices and Firepower 9300 devices cannot use this procedure to set the system time. Instead, configure
those devices to use the same NTP server(s) that you configure using this procedure. For instructions, see the documentation
for your hardware model.
Caution
If the FMC is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP
server will be used instead. To avoid this situation, configure your DHCP server to use the same NTP server.
Procedure
Step 1
Choose System > Configuration.
Step 2
Click Time Synchronization.
Step 3
If Serve Time via NTP is Enabled, choose Disabled to disable the FMC as an NTP server.
Step 4
For the Set My Clock option, choose Via NTP from and enter the hostname or IP address of an NTP server.
If your organization has corroborative NTP servers, enter multiple NTP servers as a comma-separated list.
Step 5
Click Save.
What to do next
Set managed devices to synchronize with the same NTP server or servers:
Synchronize Time Without Access to a Network NTP Server
If your devices cannot directly reach the network NTP server, or your organization does not have a network NTP server, a physical-hardware
FMC can serve as an NTP server.
To change the time manually after configuring the FMC as an NTP server, you must disable the NTP option, change the time manually, and then re-enable the NTP option.
Procedure
Step 1
Manually set the system time on the FMC:
Choose System > Configuration.
Click Time Synchronization.
If Serve Time via NTP is Enabled, choose Disabled.
Click Save.
For Set My Clock, choose Manually in Local Configuration.
Click Save.
In the navigation panel at the left side of the screen, click Time.
Use the Set Time drop-down lists to set the time.
If the time zone displayed is not UTC, click it and set the time zone to UTC.
Click Save.
Click Done.
Click Apply.
Step 2
Set the FMC to serve as an NTP server:
In the navigation panel at the left side of the screen, click Time Synchronization.
For Serve Time via NTP, choose Enabled.
Click Save.
Step 3
Set managed devices to synchronize with the FMC NTP server:
In the Time Synchronization settings for the platform settings policy assigned to your managed devices, set the clock to synchronize
Via NTP from Management Center.
Your Firepower Management Center and its managed devices are heavily dependent on accurate time. The system clock is a system
facility that maintains the time of the Firepower System. The system clock is set to Universal Coordinated Time (UTC), which
is the primary time standard by which the world regulates clocks and time.
DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time zone from UTC is NOT supported, and doing so will require
you to reimage the device to recover from an unsupported state.
If you configure the FMC to serve time using NTP, and then later disable it, the NTP service on managed devices still attempts to synchronize time
with the FMC. You must update and redeploy any applicable platform settings policies to establish a new time source.
To change the time manually after configuring the
Firepower Management Center as an NTP server, you must disable the NTP option, change the time manually,
and then re-enable the NTP option.
View Current System Time, Source, and NTP Server Connection Status
Time settings are displayed on most pages in local time using the time zone you set on the Time Zone page in User Preferences
(the default is America/New York), but are stored on the appliance using UTC time.
Restriction
The Time Zone function (in User Preferences) assumes that the default system clock is set to UTC time. DO NOT ATTEMPT TO CHANGE
THE SYSTEM TIME. Be advised that changing the system time from UTC is NOT supported, and doing so will require you to reimage
the device to recover from an unsupported state.
The current time is displayed using the time zone specified for your account in User Preferences.
If your appliance uses an NTP server: For information about the table entries, see NTP Server Status.
NTP Server Status
If you are synchronizing time from an NTP server, you can view connection status on the Time page (choose System > Configuration).
Table 4. NTP Status
Column
Description
NTP Server
The IP address or name of the configured NTP server.
Status
The status of the NTP server time synchronization:
Being Used indicates that the appliance is synchronized with the NTP server.
Available indicates that the NTP server is available for use, but time is not yet synchronized.
Not Available indicates that the NTP server is in your configuration, but the NTP daemon is unable to use it.
Pending indicates that the NTP server is new or the NTP daemon was recently restarted. Over time, its value should change to Being Used, Available, or Not Available.
Unknown indicates that the status of the NTP server is unknown.
Offset
The number of milliseconds of difference between the time on the appliance and the configured NTP server. Negative values
indicate that the appliance is behind the NTP server, and positive values indicate that it is ahead.
Last Update
The number of seconds that have elapsed since the time was last synchronized with the NTP server. The NTP daemon automatically
adjusts the synchronization times based on a number of conditions. For example, if you see larger update times such as 300
seconds, that indicates that the time is relatively stable and the NTP daemon has determined that it does not need to use
a lower update increment.
Session Timeouts
Unattended login sessions may be security risks. You can configure the amount of idle time before a user’s login session times
out due to inactivity.
Note that you can exempt specific web interface users from timeout, for scenarios where you plan to passively, securely monitor
the system for long periods of time. Users with the Administrator role, whose complete access to menu options poses an extra
risk if compromised, cannot be made exempt from session timeouts.
CLI: Configure the Shell Timeout (Minutes)
field. The default value is 0; the maximum value is 1440 (24 hours).
Step 4
Click
Save.
Vulnerability
Mapping
The Firepower System
automatically maps vulnerabilities to a host IP address for any application
protocol traffic received or sent from that address, when the server has an
application ID in the discovery event database and the packet header for the
traffic includes a vendor and version.
For any servers which
do not include vendor or version information in their packets, you can
configure whether the system associates vulnerabilities with server traffic for
these vendor and versionless servers.
For example, a host
serves SMTP traffic that does not have a vendor or version in the header. If
you enable the SMTP server on the Vulnerability Mapping page of a system
configuration, then save that configuration to the
Firepower Management Center
managing the device that detects the traffic, all vulnerabilities associated
with SMTP servers are added to the host profile for the host.
Although detectors
collect server information and add it to host profiles, the application
protocol detectors will not be used for vulnerability mapping, because you
cannot specify a vendor or version for a custom application protocol detector
and cannot select the server for vulnerability mapping.
Mapping
Vulnerabilities for Servers
This procedure requires any Smart License or the Protection classic license.
Procedure
Step 1
Choose System > Configuration.
Step 2
Choose Vulnerability Mapping.
Step 3
You have the following choices:
To prevent vulnerabilities for a server from being mapped to hosts that receive application protocol traffic without vendor
or version information, clear the check box for that server.
To cause vulnerabilities for a server to be mapped to hosts that receive application protocol traffic without vendor or version
information, check the check box for that server.
Tip
You can check or clear all check boxes at once using the check box next to Enabled.
Step 4
Click
Save.
Remote Console
Access Management
You can use a Linux system console for remote access on supported systems via either the VGA port (which is the default) or
the serial port on the physical appliance. Use the Console Configuration page to choose the option most suitable to the physical
layout of your organization’s Firepower deployment.
On supported physical-hardware-based
Firepower systems, you can use Lights-Out Management (LOM) on a Serial Over LAN (SOL)
connection on the default (eth0) management
interface to remotely monitor or manage the system without logging into the management
interface of the system. You can perform limited tasks, such as viewing the chassis
serial number or monitoring such conditions as fan speed and temperature, using a
command line interface on an out-of-band management connection. For information about
the cable connection to support LOM, see the Firepower Management Center Getting
Started Guide for your hardware model.
You must enable LOM for both the system and the user you want to
manage the system. After you enable the system and the user, you use a
third-party Intelligent Platform Management Interface (IPMI) utility to access
and manage your system.
Configuring Remote
Console Settings on the System
You must be an Admin user to perform this procedure.
Before you begin
Disable Spanning Tree Protocol (STP) on any third-party
switching equipment connected to the device’s management interface.
If you plan to enable Lights-Out Management see the Getting Started Guide
for your appliance for information about installing and using an Intelligent
Platform Management Interface (IPMI) utility.
Procedure
Step 1
Choose
System > Configuration.
Step 2
Click
Console Configuration.
Step 3
Click
Save.
Step 4
The system displays the following warning: "You will have to reboot your system
for these changes to take effect." Click OK to reboot now
or Cancel to reboot later.
What to do next
If you configured serial access, be sure the rear-panel serial port is connected to a local
computer, terminal server, or other device that can support remote serial
access over ethernet as described in the Getting Started Guide
for your FMC model.
You must explicitly grant Lights-Out Management permissions to
users who will use the feature. LOM users also have the following restrictions:
You must assign the Administrator role to the user.
The username may have up to 16 alphanumeric characters. Hyphens
and longer user names are not supported for LOM users.
A user’s LOM password is the same as that user’s system password. Cisco recommends
that you use a complex, non-dictionary-based password of the maximum
supported length for your appliance and change it every three months.
If LOM is enabled on a Firepower 7110, 7115, 7120, or 7125 device, the
password may have up to 16 alphanumeric characters.
Physical Firepower Management Centers and 8000 Series devices can have up to 13 LOM users. 7000 Series devices can have up to eight LOM users.
Note that if you deactivate, then reactivate, a user with LOM while a
that user is logged in, or restore a user from a backup during that user’s login
session, that user may need to log back into the web interface to regain access to
impitool commands.
Enabling Lights-Out
Management User Access
You must be an Admin user to perform this procedure.
You configure LOM and LOM
users on a per-system basis using each system’s local web interface. You cannot use
the Firepower Management Center to configure LOM on a managed device. Similarly, because users are managed
independently per appliance, enabling or creating a LOM-enabled user on the Firepower Management Center does not transfer that capability to users on managed devices.
Procedure
Step 1
Choose System > Users > Users.
Step 2
To grant LOM user access to an existing user, click Edit () next to a user name in the list.
Step 3
Under User Configuration, enable
the Administrator role.
Step 4
Check the Allow
Lights-Out Management Access check box.
Step 5
Click Save.
Serial Over LAN
Connection Configuration
You use a third-party IPMI utility on your computer to create a Serial
Over LAN connection to the appliance. If your computer uses a Linux-like or Mac
environment, use IPMItool; for Windows environments, you can use IPMIutil or
IPMItool, depending on your Windows version.
Note
Cisco recommends using IPMItool version 1.8.12 or greater.
Linux
IPMItool is standard with many distributions and is ready to
use.
Mac
You must install IPMItool on a Mac. First, confirm that your Mac
has Apple's XCode Developer tools installed, making sure that the optional
components for command line development are installed (UNIX Development and
System Tools in newer versions, or Command Line Support in older versions).
Then you can install macports and the IPMItool. Use your favorite search engine
for more information or try these sites:
For Windows Versions 10 and greater with Windows Subsystem for Linux
(WSL) enabled, as well as some older versions of Windows Server, you can use
IPMItool. Otherwise, you must compile IPMIutil on your Windows system; you can use
IPMIutil itself to compile. Use your favorite search engine for more information or
try this site:
http://ipmiutil.sourceforge.net/man.html#ipmiutil
Understanding
IPMI Utility Commands
Commands used for IPMI utilities are composed of segments as in the
following example for IPMItool on Mac:
This command connects you to the command line on the appliance
where you can log in as if you were physically present at the appliance. You
may be prompted to enter a password.
Configuring Serial
Over LAN with IPMItool
You must be an Admin user with LOM access to perform this procedure.
Procedure
Using IPMItool, enter the following command, and a password if prompted:
You must be an Admin user with LOM access to perform this procedure.
Procedure
Using IPMIutil, enter the following command, and a password if prompted:
ipmiutil -J 3 -NIP_address-Uusernamesol -a
Lights-Out
Management Overview
Lights-Out Management (LOM) provides the ability to perform a limited set of actions over an SOL connection on the default
(eth0) management interface without the need to log into the system. You use the command to create a SOL connection followed by
one of the LOM commands. After the command is completed, the connection ends. Note that not all power control commands are valid on 70xx Family devices.
Note
The baseboard management controller (BMC) for a Firepower 71xx, Firepower 82xx, or a Firepower 83xx device is only accessible
via 1 Gbps link speeds when the host is powered on. When the device is powered down, the BMC can only establish Ethernet link
at 10 and 100 Mbps. Therefore if LOM is being used to remotely power the device, connect the device to the network using 10
and 100 Mbps link speeds only.
Caution
In rare cases, if your computer is on a different subnet than
the system's management interface and the system is configured for DHCP,
attempting to access LOM features can fail. If this occurs, you can either
disable and then re-enable LOM on the system, or use a computer on the same
subnet as the system to ping its management interface. You should then be able
to use LOM.
Caution
Cisco is aware of a vulnerability inherent in the Intelligent
Platform Management Interface (IPMI) standard (CVE-2013-4786). Enabling
Lights-Out Management (LOM) on an system exposes this vulnerability. To
mitigate this vulnerability, deploy your systems on a secure management network
accessible only to trusted users and use a complex, non-dictionary-based
password of the maximum supported length for your system and change it every
three months. To prevent exposure to this vulnerability, do not enable LOM.
If all attempts to access your system have failed, you can use
LOM to restart your system remotely. Note that if a system is restarted while
the SOL connection is active, the LOM session may disconnect or time out.
Caution
Do
not restart your system unless it does not respond to any
other attempts to restart. Remotely restarting does not gracefully reboot the
system and you may lose data.
Table 5. Lights-Out Management Commands
IPMItool
IPMIutil
Description
(not applicable)
-V 4
Enables admin privileges for the IPMI session
-I lanplus
-J 3
Enables encryption for the IPMI session
-H hostname/IP address
-N nodename/IP address
Indicates the LOM IP address or hostname for the FMC
-U
-U
Indicates the username of an authorized LOM account
sol activate
sol -a
Starts the SOL session
sol deactivate
sol -d
Ends the SOL session
chassis power cycle
power -c
Restarts the appliance (not valid on 70xx Family devices)
chassis power on
power -u
Powers up the appliance
chassis power off
power -d
Powers down the appliance (not valid on 70xx Family devices)
sdr
sensor
Displays appliance information, such as fan speeds and
temperatures
For example, to display a list of appliance information, the
IPMItool command is:
ipmitool -I lanplus -HIP_address-Uuser_namesdr
Note
Cisco recommends using IPMItool version 1.8.12 or greater.
The same command with the IPMIutil utility is:
ipmiutil sensor -V 4 -J 3 -NIP_address-Uuser_name
Configuring
Lights-Out Management with IPMItool
You must be an Admin user with LOM access to perform this procedure.
Procedure
Enter the following command for IPMItool and a password if
prompted:
You must be an Admin user with LOM access to perform this procedure.
Procedure
Enter the following command for IPMIutil and a password if
prompted:
ipmiutil -J 3 -NIP_address-Uusernamecommand
VMware Tools and
Virtual Systems
VMware Tools is a suite of performance-enhancing utilities intended for
virtual machines. These utilities allow you to make full use of the convenient features
of VMware products. Firepower virtual appliances running on VMware support the following
plugins:
)
)
.
Feedback