Cable and Register the Firewall

Cable the firewall and then register the firewall to the Firewall Management Center.

Cable the Firewall

  • (Optional) Obtain a console adapter—The firewall ships with a DB-9 to RJ-45 serial cable, so you may need to buy a third party DB-9-to-USB serial cable to make the connection.

  • Install SFP/SFP+ modules into ports Ethernet 1/9 and higher.

  • See the hardware installation guide for more information.

  • If you use zero-touch provisioning, do not cable both the outside and the Management interface. This guide covers management on the outside interface, but you may want to use zero-touch provisioning on Management with high availability. If you use zero-touch provisioning on outside and want to use high availability, you will have to change the outside IP address to a static address after registration.

Cabling for a Management Center at a Central Headquarters

Perform Initial Configuration (Manual Provisioning)

For manual provisioning, perform the initial configuration of the firewall using the Secure Firewall Device Manager or using the CLI.

Initial Configuration: Device Manager

Using this method, after you register the firewall, the following interfaces will be preconfigured in addition to the Management interface:

  • Ethernet 1/1—outside, IP address from DHCP, IPv6 autoconfiguration

  • Ethernet 1/2—inside, 192.168.95.1/24

  • Default route—Obtained through DHCP on the outside interface

  • Additional interfaces—Any interface configuration from the Firewall Device Manager is preserved.

Other settings, such as the DHCP server on inside, access control policy, or security zones, are not preserved.

Procedure


Step 1

Connect your computer to the inside interface (Ethernet 1/2).

Step 2

Log into the Firewall Device Manager.

  1. Go to https://192.168.95.1.

  2. Log in with the username admin and the default password Admin123.

  3. You are prompted to read and accept the General Terms and change the admin password.

Step 3

Use the setup wizard.

Figure 1. Device Setup

Note

The exact port configuration depends on your model.

  1. Configure the outside and management interfaces.

    Figure 2. Connect firewall to internet

    1. Outside Interface Address—Use a static IP address if you plan for high availability. You cannot configure PPPoE using the setup wizard; you can configure PPPoE after you complete the wizard.

    2. Management Interface—The Management interface settings are used even though you are using manager access on the outside interface. For example, management traffic that is routed over the backplane through the outside interface will resolve FQDNs using these Management interface DNS servers, and not the outside interface DNS servers.

      DNS Servers—The DNS server for the system's management address. The default is the OpenDNS public DNS servers. These will probably match the outside interface DNS servers you set later since they are both accessed from the outside interface.

      Firewall Hostname

  2. Configure the Time Setting (NTP) and click Next.

    Figure 3. Time Setting (NTP)

  3. Select Start 90 day evaluation period without registration.


    Do not register the Firewall Threat Defense with the Smart Software Manager; all licensing is performed on the Firewall Management Center.

  4. Click Finish.

    Figure 4. What's Next

  5. Choose Standalone Device, and then Got It.

Step 4

If you want to configure additional interfaces, choose Device, and then click the link in the Interfaces summary.

Step 5

Register with the Firewall Management Center by choosing Device > System Settings > Central Management and clicking Proceed.

Configure the Management Center/SCC Details.

Note

Older versions may show "CDO" instead of "SCC."

Figure 5. Management Center/SCC Details

  1. For Do you know the Management Center/SCC Hostname or IP address, click Yes if you can reach the Firewall Management Center using an IP address or hostname or No if the Firewall Management Center is behind NAT or does not have a public IP address or hostname.

  2. If you chose Yes, enter the Management Center/SCC Hostname/IP Address.

  3. Specify the Management Center/SCC Registration Key.

    This key is a one-time registration key of your choice that you will also specify on the Firewall Management Center when you register the firewall. The registration key must be between 2 and 36 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID can be used for multiple firewalls registering to the Firewall Management Center.

  4. Specify a NAT ID.

    This ID is a unique, one-time string of your choice that you will also specify on the Firewall Management Center. We recommend that you specify the NAT ID even if you know the IP addresses of both devices. The NAT ID must be between 2 and 36 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other firewalls registering to the Firewall Management Center. The NAT ID is used in combination with the IP address to verify that the connection is coming from the correct device; only after authentication of the IP address/NAT ID will the registration key be checked.

Step 6

Configure the Connectivity Configuration.

  1. Specify the Threat Defense Hostname.

    This FQDN will be used for the outside interface.

  2. Specify the DNS Server Group.

    Choose an existing group, or create a new one. The default DNS group is called CiscoUmbrellaDNSServerGroup, which includes the OpenDNS servers.

    To retain the outside DNS server setting after registration, you need to re-configure the DNS Platform Settings in the Firewall Management Center.

  3. For the Management Center/SCC Access Interface, click Data Interface, and then choose outside.

Step 7

(Optional) Click Add a Dynamic DNS (DDNS) method.

DDNS ensures the Firewall Management Center can reach the Firewall Threat Defense at its FQDN if the Firewall Threat Defense's IP address changes.

Step 8

Click Connect.

The Registration Status dialog box shows the current status of the Firewall Management Center registration.

Figure 6. Successful Connection

Step 9

After the Saving Management Center/SCC Registration Settings step on the status screen, go to the Firewall Management Center and add the firewall. See Add a Device Using Manual Provisioning.


Initial Configuration: CLI

Set the dedicated Management IP address, gateway, and other basic networking settings using the CLI setup script.

Procedure


Connect to the console port and access the Firewall Threat Defense CLI. See Access the Firewall Threat Defense CLI.


Register the Firewall with the Management Center

Register the firewall with the Firewall Management Center depending on which deployment method you are using.

Add a Device Using the Serial Number (Zero-Touch Provisioning)

Zero-Touch Provisioning lets you register devices to the Firewall Management Center by serial number without having to perform any initial setup on the device. The Firewall Management Center integrates with CDO for this functionality.


Note


For Firewall Management Center version 7.4, you need to add the device using CDO; see the 7.4 guide for more information. The native Firewall Management Center workflow was added in 7.6. Also, for cloud integration in 7.4, see the SecureX Integration page in the Firewall Management Center.


Default Configuration After Registration

When you use zero-touch provisioning, the following interfaces are preconfigured. Note that other settings, such as the DHCP server on inside, access control policy, or security zones, are not configured.

  • Ethernet 1/1—"outside", IP address from DHCP, IPv6 autoconfiguration

  • Ethernet 1/2 (or for the , the VLAN1 interface)— "inside", 192.168.95.1/24

  • Default route—Obtained through DHCP on the outside interface

Requirements

Zero-Touch Provisioning is not supported with clustering or multi-instance mode.

When you use the outside interface for manager access, it uses DHCP by default. Before you can enable high availability, you need to change the IP address to a static address. Alternatively, you can use the Management interface instead; DHCP is supported on Management with high availability.

Before you begin

  • If the device does not have a public IP address or FQDN, set a public IP address/FQDN for the Firewall Management Center (for example, if it is behind NAT), so the device can initiate the management connection. See Administration > Configuration > Manager Remote Access.

  • DHCP server for either Management or Ethernet 1/1 that provides an IP address and default gateway.

  • Network access to the OpenDNS public DNS servers. IPv4: 208.67.220.220 and 208.67.222.222; IPv6: 2620:119:35::35. DNS servers obtained from DHCP are never used.

    The following names need to be resolved:

    Table 1. FQDNs for zero-touch provisioning

      • *.cisco.com (many FQDNs)
      • *.defenseorchestrator.com (many FQDNs)
      • *.defenseorchestrator.eu (for the EU, many FQDNs)
      • 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org
      • 1.200.159.162.in-addr.arpa
      • 60.19.239.178.in-addr.arpa
      • connected.by.freedominter.net
      • time.cloudflare.com
      • udc.neo4j.org
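A pre-flight check for the name-resolution requirement above, added here as an example and not part of Cisco's documentation or software. It looks up each concrete name from Table 1 (the wildcard entries cannot be enumerated, so they are only listed for a manual check) and treats the in-addr.arpa entries as reverse (PTR) lookups. It assumes it is run from a host on the same path as the firewall with its resolver pointed at the OpenDNS servers, because the script uses the local system resolver while the firewall uses OpenDNS only and ignores DHCP-supplied DNS.

```python
"""Pre-flight DNS check for zero-touch provisioning (added example, not Cisco code)."""
import socket
from typing import Callable, Dict, List, Optional

# Concrete names from Table 1. Wildcards (*.cisco.com, ...) cannot be enumerated here.
ZTP_FQDNS: List[str] = [
    "0.sourcefire.pool.ntp.org",
    "1.sourcefire.pool.ntp.org",
    "2.sourcefire.pool.ntp.org",
    "1.200.159.162.in-addr.arpa",
    "60.19.239.178.in-addr.arpa",
    "connected.by.freedominter.net",
    "time.cloudflare.com",
    "udc.neo4j.org",
]
ZTP_WILDCARDS = ["*.cisco.com", "*.defenseorchestrator.com", "*.defenseorchestrator.eu"]


def reverse_arpa_to_ip(name: str) -> Optional[str]:
    """'1.200.159.162.in-addr.arpa' -> '162.159.200.1'; None if not a valid reverse name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def system_resolve(name: str) -> bool:
    """Default resolver (assumption: local system resolver, not the firewall's OpenDNS path).
    PTR lookup for in-addr.arpa names, A/AAAA lookup for everything else."""
    try:
        ip = reverse_arpa_to_ip(name)
        if ip is not None:
            socket.gethostbyaddr(ip)
        else:
            socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, socket.herror, OSError):
        return False


def check_ztp_dns(names: List[str] = ZTP_FQDNS,
                  resolve: Callable[[str], bool] = system_resolve) -> Dict[str, bool]:
    """Return {fqdn: resolved?}; every entry must be True before the firewall can onboard."""
    return {name: resolve(name) for name in names}


def unresolved(results: Dict[str, bool]) -> List[str]:
    """Names that failed, sorted, for the operator to fix before powering on the firewall."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for name, ok in check_ztp_dns().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    print("Check manually (wildcards):", ", ".join(ZTP_WILDCARDS))
```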

Procedure


Step 1

The first time you add a device using a serial number, integrate the Firewall Management Center with CDO.

Note

For a Firewall Management Center high-availability pair, you also need to integrate the secondary Firewall Management Center with CDO.

  1. Choose Integrations > Security Cloud Control.

  2. Click Enable Security Cloud Control to open a separate browser tab to log you into your CDO account and confirm the displayed code.

    Make sure this page is not blocked by a pop-up blocker. If you do not already have a CDO account, you can add one during this procedure.

    For detailed information about this integration, see the "System Configuration" chapter in the Cisco Secure Firewall Management Center Administration Guide.

    CDO onboards the on-prem Firewall Management Center after you integrate the Firewall Management Center with CDO. CDO needs the Firewall Management Center in its inventory for zero-touch provisioning to operate. However, you do not need to use CDO directly. If you do use CDO, its Firewall Management Center support is limited to device onboarding, viewing its managed devices, viewing objects associated with the Firewall Management Center, and cross-launching the Firewall Management Center.

  3. Make sure Enable Zero-Touch Provisioning is checked.

  4. Click Save.

Step 2

Obtain your device's serial number.

  • If you have the shipping box, you can see the serial number on the label.

  • The serial number is on a label on a pull-out tab at the front of the device.

  • If you have console access, in FXOS, enter show chassis detail. Note that the correct serial number is called Serial (SN). Do not use the PCB Serial Number. At the Firewall Threat Defense CLI, enter show inventory (not show serial-number, which shows the PCB serial number). Be careful not to disable zero-touch provisioning by entering certain settings at the Firewall Threat Defense startup script.

Step 3

Check your LEDs to make sure the firewall is ready for registration.

Table 2. Zero-Touch Provisioning: Managed (M) LED behavior

M LED | Description | Time after firewall powered on (minutes:seconds)
Slow flashing green | Connected to the Cisco cloud and ready for onboarding | 15:00 - 30:00
Alternating green and amber (error condition) | Failed to connect to the Cisco cloud | 15:00 - 30:00
Solid green | Onboarded | 20:00 - 45:00

Step 4

Choose Devices > Device Management.

Step 5

From the Add drop-down menu, choose Device.

Step 6

Click Serial Number, click Basic, and then click Next.

Figure 7. Device Registration Method

Step 7

Configure the device details and click Next.

Figure 8. Device Details

  • Domain—In a multidomain environment, choose the leaf domain.

  • Device group—In a single domain environment, add the device to a Device group.

  • Serial number—Enter the serial number of the device you want to add (see Step 2).

  • Display name—Enter a name for the device as you want it to display in the Firewall Management Center. You cannot change this name later.

  • Device password—If this device is unconfigured or a fresh install, then you need to set a New Password and confirm the password.

    Check I already changed the password on the device only if you already logged in and changed the password. Otherwise, registration will fail.

Step 8

Configure the initial device configuration.

Figure 9. Initial Device Configuration

  • Access control policy—Choose an initial policy to deploy to the device at registration, or create a new policy. Unless you already have a customized policy you know you need to use, choose Add (add icon), and choose Block all traffic. You can change this later to allow traffic; see Configure an Access Control Rule.

  • Smart licensing—Choose your licenses.

    • Is this device physical or virtual?—Choose Physical device.

    • License type—Check each license type to assign to the device.

    You can also apply licenses after you add the device.

  • Transfer packets—Enable this option so that for each intrusion event, the device transfers the packet to the Firewall Management Center for inspection.

    For each intrusion event, the device sends event information and the packet that triggered the event to the Firewall Management Center for inspection. If you disable it, only event information will be sent to the Firewall Management Center; the packet will not be sent.

Step 9

Click Add device.

It may take up to two minutes for the Firewall Management Center to verify the device’s heartbeat and establish communication.

When using zero-touch provisioning on the outside interface, CDO acts as a DDNS provider and does the following:

  • Enables DDNS on outside using the FMC Only method. This method is only supported for zero-touch provisioning devices.

  • Maps the outside IP address with the following hostname: serial-number.local.

  • Provides the IP address/hostname mapping to the Firewall Management Center so it can resolve the hostname to the correct IP address.

  • Informs the Firewall Management Center if the IP address ever changes, for example, if the DHCP lease renews.

If you use zero-touch provisioning on the Management interface, DDNS is not supported. The Firewall Management Center must be publicly reachable so the device can initiate the management connection.

You can continue to use CDO as the DDNS provider, or you can later change the DDNS configuration in the Firewall Management Center to a different method.


Add a Device Using Manual Provisioning

Register the firewall to the Firewall Management Center manually using the device IP address or hostname and a registration key.

Procedure


Step 1

Log into the Firewall Management Center.

  1. Enter the following URL.

    https://fmc_ip_address

  2. Enter your username and password.

  3. Click Log In.

Step 2

Choose Devices > Device Management.

Step 3

From the Add drop-down menu, choose Device.

Step 4

Click Registration Key, click Basic, and then click Next.

Figure 10. Device Registration Method

Step 5

Configure the device details and click Next.

Figure 11. Device Details

  • Domain—In a multidomain environment, choose the leaf domain.

  • Device group—In a single domain environment, add the device to a Device group.

  • Hostname or IP address—Enter the IP address or the hostname of the device you want to add. Leave this field blank if you don't know the device IP address (for example, it's behind NAT).

  • Display name—Enter a name for the device as you want it to display in the Firewall Management Center. You cannot change this name later.

  • Registration key—Enter the same registration key from your initial configuration.

  • Unique NAT ID—Enter the same ID from your initial configuration.

  • Analytics-only management center—Leave this unchecked.

Step 6

Configure the initial device configuration.

Figure 12. Initial Device Configuration

  • Access control policy—Choose an initial policy to deploy to the device at registration, or create a new policy. Unless you already have a customized policy you know you need to use, choose Add (add icon), and choose Block all traffic. You can change this later to allow traffic; see Configure an Access Control Rule.

  • Smart licensing—Choose your licenses.

    • Is this device physical or virtual?—Choose Physical device.

    • License type—Check each license type to assign to the device.

    You can also apply licenses after you add the device.

  • Transfer packets—Enable this option so that for each intrusion event, the device transfers the packet to the Firewall Management Center for inspection.

    For each intrusion event, the device sends event information and the packet that triggered the event to the Firewall Management Center for inspection. If you disable it, only event information will be sent to the Firewall Management Center; the packet will not be sent.

Step 7

Click Add device.

It may take up to two minutes for the Firewall Management Center to verify the device’s heartbeat and establish communication. If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the device fails to register, check the following items:

  • Ping—Access the device CLI, and ping the Firewall Management Center IP address using the following command:

    ping system ip_address

    If the ping is not successful, check your network settings using the show network command. If you need to change the device IP address, use the configure network {ipv4 | ipv6} manual command.

  • Registration key, NAT ID, and Firewall Management Center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the device using the configure manager add command.

For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.