Firepower Management Center Configuration Guide, Version 6.2.3
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following topics describe
Firepower Management Center
basics:
The
Firepower Management Center
You can use the
Firepower Management Center
to manage the full range of devices that are a part of the Firepower System.
When you manage a device, you set up a two-way, SSL-encrypted communication
channel between the
Firepower Management Center
and the device. The
Firepower Management Center
uses this channel to send information to the device about how you want to
analyze and manage your network traffic to the device. As the device evaluates
the traffic, it generates events and sends them to the
Firepower Management Center
using the same channel.
Device
Management
The
Firepower Management Center
is a key component in the Firepower System. You can use the
Firepower Management Center
to manage the full range of devices that comprise the Firepower System, and to
aggregate, analyze, and respond to the threats they detect on your network.
By using the
Firepower Management Center
to manage devices, you can:
configure policies for all your devices from a single location,
making it easier to change configurations
install various types of software updates on devices
push health policies to your managed devices and monitor their
health status from the
Firepower Management Center
The
Firepower Management Center
aggregates and correlates intrusion events, network discovery information, and
device performance data, allowing you to monitor the information that your
devices are reporting in relation to one another, and to assess the overall
activity occurring on your network.
You can use a Firepower Management Center to manage nearly every aspect of a device’s behavior.
What Can Be Managed
by a
Firepower Management Center?
You can use the
Firepower Management Center
as a central management point in a Firepower System deployment to manage the
following devices:
7000
and 8000 Series
devices
ASA FirePOWER
modules
NGIPSv
devices
Firepower Threat Defense and
Firepower Threat Defense Virtual
When you manage a device, information is transmitted between the
Firepower Management Center
and the device over a secure, SSL-encrypted TCP tunnel.
The following illustration lists what is transmitted between a
Firepower Management Center
and its managed devices. Note that the types of events and policies that are
sent between the appliances are based on the device type.
Beyond Policies and
Events
In addition to deploying policies to devices and receiving
events from them, you can also perform other device-related tasks on the
Firepower Management Center.
Backing Up a
Device
You
cannot create or restore backup files for
NGIPSv
devices or
ASA FirePOWER
modules.
When you perform a backup of a physical managed device from the
device itself, you back up the device configuration
only. To back up configuration data and, optionally, unified
files, perform a backup of the device using the managing
Firepower Management Center.
To back up event data, perform a backup of the managing
Firepower Management Center.
Updating
Devices
From time to time, Cisco releases updates to the Firepower
System, including:
intrusion rule updates, which may contain new and updated
intrusion rules
vulnerability database (VDB) updates
geolocation updates
software patches and updates
You can use the
Firepower Management Center
to install an update on the devices it manages.
NAT
Environments
Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves
reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate
with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for FMC communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address
and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection
to a device behind a PAT router.
Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the
FMC specifies the device IP address, and the device specifies the FMC IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then
you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and
to look up the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.
For example, you add a device to the FMC, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT
ID and the registration key on the FMC; leave the IP address blank. On the device, you specify the FMC IP address, the same NAT ID, and the same registration key. The device registers to the FMC's IP address. At this point, the FMC uses the NAT ID instead of IP address to authenticate the device.
Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many
devices to the FMC. On the FMC, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify
both the FMC IP address and the NAT ID. Note: The NAT ID must be unique per device.
The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID per device on both
the FMC and the devices, and specify the FMC IP address on the devices.
The following example shows the FMC behind a PAT IP address. In this case, specify a unique NAT ID per device on both the FMC and the devices, and specify the device IP addresses on the FMC.