Cisco Secure Firewall Management Center Administration Guide, 7.2
First Published: 2022-06-06
Last Modified: 2022-06-28
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2022 Cisco Systems, Inc. All rights reserved.
CONTENTS
PART I
CHAPTER 1
Installing and Performing Initial Setup on Physical Appliances 2
Deploying Virtual Appliances 2
Logging In for the First Time 3
Setting Up Basic Policies and Configurations 4
Appliance and System Management Features 7
High Availability and Scalability Features by Platform 8
Features for Detecting, Preventing, and Processing Potential Threats 9
Integration with External Tools 11
Search the Management Center 11
Search for Web Interface Menu Options 14
Search for How To Walkthroughs 20
Switching Domains on the Secure Firewall Management Center 20
Online Help, How To, and Documentation 23
License Statements in the Documentation 25
Supported Devices Statements in the Documentation 25
CHAPTER 2
PART II
CHAPTER 3
Access Statements in the Documentation 26
Logging into the Management Center 27
Web Interface Considerations 30
Logging Into the Secure Firewall Management Center Web Interface 31
Logging Into the Management Center Web Interface Using SSO 32
Logging Into the Secure Firewall Management Center with CAC Credentials 33
Logging Into the Management Center Command Line Interface 33
Logging Out of the Management Center Web Interface 35
History for Logging into the Management Center 35
Requirements and Prerequisites for the System Configuration 40
Navigating the Secure Firewall Management Center System Configuration 40
System Configuration Settings 40
Default HTTPS Server Certificates 43
Custom HTTPS Server Certificates 44
HTTPS Server Certificate Requirements 44
Viewing the Current HTTPS Server Certificate 46
Generating an HTTPS Server Certificate Signing Request 46
Importing HTTPS Server Certificates 48
Requiring Valid HTTPS Client Certificates 49
Renewing the Default HTTPS Server Certificate 50
External Database Access Settings 50
Enabling External Access to the Database 51
Configuring Database Event Limits 52
About Management Center Management Interfaces 55
Management Interfaces on the Management Center 55
Management Interface Support Per Management Center Model 56
Network Routes on Management Center Management Interfaces 56
Management and Event Traffic Channel Examples 59
Modify Management Center Management Interfaces 60
Shut Down or Restart the Management Center 64
Management Center Remote Storage - Supported Protocols and Versions 65
Configuring NFS for Remote Storage 66
Configuring SMB for Remote Storage 66
Configuring SSH for Remote Storage 67
Remote Storage Management Advanced Options 68
Configuring Change Reconciliation 69
Change Reconciliation Options 69
Configuring Comments to Track Policy Changes 70
Stream Audit Logs to Syslog 72
Stream Audit Logs to an HTTP Server 74
Obtain a Signed Audit Log Client Certificate for the Management Center 76
Import an Audit Log Client Certificate into the Management Center 77
Require Valid Audit Log Server Certificates 78
View the Audit Log Client Certificate on the Management Center 79
Enabling Custom Analysis Widgets for Dashboards 79
Configuring DNS Cache Properties 80
Configuring a Mail Relay Host and Notification Address 81
Set the Language for the Web Interface 82
Time and Time Synchronization 84
Synchronize Time on the Management Center with an NTP Server 85
Synchronize Time Without Access to a Network NTP Server 86
About Changing Time Synchronization Settings 87
View Current System Time, Source, and NTP Server Connection Status 87
Global User Configuration Settings 89
Enabling Temporary Lockouts 91
Set Maximum Number of Concurrent Sessions 91
Mapping Vulnerabilities for Servers 93
Remote Console Access Management 93
Configuring Remote Console Settings on the System 94
CHAPTER 4
Lights-Out Management User Access Configuration 95
Enabling Lights-Out Management User Access 95
Serial Over LAN Connection Configuration 96
Configuring Serial Over LAN with IPMItool 97
Configuring Serial Over LAN with IPMIutil 97
Lights-Out Management Overview 97
Configuring Lights-Out Management with IPMItool 99
Configuring Lights-Out Management with IPMIutil 99
VMware Tools and Virtual Systems 100
Enabling VMware Tools on the Secure Firewall Management Center for VMware 100
(Optional) Opt Out of Web Analytics Tracking 101
History for System Configuration 101
Internal and External Users 105
Web Interface and CLI Access 106
Guidelines and Limitations for User Accounts for Management Center 110
Requirements and Prerequisites for User Accounts for Management Center 111
Configure External Authentication for the Management Center 113
About External Authentication for the Management Center 113
Add an LDAP External Authentication Object for Management Center 115
Add a RADIUS External Authentication Object for Management Center 122
Enable External Authentication for Users on the Management Center 127
Configure Common Access Card Authentication with LDAP 128
Configure SAML Single Sign-On 129
SSO Guidelines for the Management Center 130
User Role Mapping for SSO Users 131
Enable Single Sign-On at the Management Center 132
Configure Single Sign-On with Okta 133
Configure the Management Center Service Provider Application for Okta 134
Configure the Management Center for Okta SSO 136
Configure User Role Mapping for Okta at the Management Center 137
Configure User Role Mapping at the Okta IdP 138
Okta User Role Mapping Examples 140
Configure Single Sign-On with OneLogin 145
Review the OneLogin Subdomain 146
Configure the Management Center Service Provider Application for OneLogin 146
Configure the Management Center for OneLogin SSO 148
Configure User Role Mapping for OneLogin at the Management Center 149
Configure User Role Mapping at the OneLogin IdP 150
OneLogin User Role Mapping Examples 153
Configure Single Sign-On with Azure AD 157
Configure the Management Center Service Provider Application for Azure 158
Configure the Management Center for Azure SSO 160
Configure User Role Mapping for Azure at the Management Center 161
Configure User Role Mapping at the Azure IdP 162
Azure User Role Mapping Examples 165
Configure Single Sign-On with PingID 170
Review the PingID PingOne for Customers Environment 171
Configure the Management Center Service Provider Application for PingID PingOne for
Configure the Management Center for SSO with PingID PingOne for Customers 173
Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider 174
Familiarize Yourself with the SSO Identity Provider and the SSO Federation 175
Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO
CHAPTER 5
Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider 177
Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO
Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO
Customize User Roles for the Web Interface 180
Enable User Role Escalation 183
Set the Escalation Target Role 183
Configure a Custom User Role for Escalation 184
Troubleshooting LDAP Authentication Connections 185
Configure User Preferences 186
Changing an Expired Password 187
Change the Web Interface Appearance 188
Configuring Event View Settings 189
Setting Your Default Time Zone 193
Specifying Your Default Dashboard 193
Introduction to Multitenancy Using Domains 195
Requirements and Prerequisites for Domains 198
CHAPTER 6
CHAPTER 7
Moving Data Between Domains 200
Moving Devices Between Domains 201
History for Domain Management 202
Requirements and Prerequisites for System Updates 205
Guidelines and Limitations for System Updates 205
Update the Vulnerability Database (VDB) 206
Update the Geolocation Database 208
Manually Update the GeoDB (Internet Connection) 209
Manually Update the GeoDB (No Internet Connection) 209
Update Intrusion Rules One-Time Manually 211
Update Intrusion Rules One-Time Automatically 212
Schedule Intrusion Rule Updates 213
Best Practices for Importing Local Intrusion Rules 213
Import Local Intrusion Rules 215
Intrusion Rule Update Log Table 216
Viewing the Intrusion Rule Update Log 216
Fields in an Intrusion Rule Update Log 217
Viewing Details of the Intrusion Rule Update Import Log 218
Maintain Your Air-Gapped Deployment 219
History for System Updates 220
Smart Software Manager and Accounts 230
Licensing Options for Air-Gapped Deployments 230
How Licensing Works for the Management Center and Devices 230
Periodic Communication with the Smart Software Manager 231
End-User License Agreement 232
License Types and Restrictions 232
Management Center Virtual Licenses 234
Licensing for Export-Controlled Functionality 237
Threat Defense Virtual Licenses 238
Requirements and Prerequisites for Licensing 245
Requirements and Prerequisites for Licensing for High Availability, Clustering, and
Licensing for Management Center High Availability 246
Licensing for Device High-Availability 246
Licensing for Device Clusters 247
Licensing for Multi-Instance Deployments 247
Create a Smart Account and Add Licenses 248
Register the Management Center for Smart Licensing 249
Register the Management Center with the Smart Software Manager 249
Register the Management Center with the Smart Software Manager On-Prem 252
Enable the Export Control Feature for Accounts Without Global Permission 253
Assign Licenses to Devices 254
Assign Licenses to a Single Device 254
Assign Licenses to Multiple Managed Devices 255
Deregister the Management Center 256
CHAPTER 8
Synchronize or Reauthorize the Management Center 256
Monitoring Smart License Status 257
Troubleshooting Smart Licensing 258
Configure Specific License Reservation (SLR) 261
Requirements and Prerequisites for Specific License Reservation 261
Verify that your Smart Account is Ready to Deploy Specific License Reservation 261
Enable the Specific Licensing Menu Option 262
Enter the Specific License Reservation Authorization Code into the Management Center 263
Assign Specific Licenses to Managed Devices 264
Manage Specific License Reservation 265
Important! Maintain Your Specific License Reservation Deployment 265
Update a Specific License Reservation 265
Deactivate and Return the Specific License Reservation 267
Monitoring Specific License Reservation Status 269
Troubleshoot Specific License Reservation 270
Configure Legacy Management Center PAK-Based Licenses 271
Additional Information about Licensing 272
About Secure Firewall Management Center High Availability 275
Roles v. Status in Management Center High Availability 276
Event Processing on Management Center High Availability Pairs 277
AMP Cloud Connections and Malware Information 277
URL Filtering and Security Intelligence 277
User Data Processing During Management Center Failover 277
Configuration Management on Management Center High Availability Pairs 277
Management Center High Availability Disaster Recovery 277
Single Sign-On and High Availability Pairs 278
Management Center High Availability Behavior During a Backup 278
Management Center High Availability Split-Brain 278
Upgrading Management Centers in a High Availability Pair 279
Troubleshooting Management Center High Availability 280
CHAPTER 9
PART III
Requirements for Management Center High Availability 281
Virtual Platform Requirements 282
License Requirements for Management Center High Availability Configurations 282
Prerequisites for Management Center High Availability 283
Establishing Management Center High Availability 284
Viewing Management Center High Availability Status 285
Configuration Data Synced between Firepower Management Centers during High Availability 286
Configuring External Access to the Management Center Database in a High Availability Pair 287
Using CLI to Resolve Device Registration in Management Center High Availability 287
Switching Peers in a Management Center High Availability Pair 288
Pausing Communication Between Paired Firepower Management Centers 288
Restarting Communication Between Paired Firepower Management Centers 288
Changing the IP Address of a Management Center in a High Availability Pair 289
Disabling Management Center High Availability 289
Replacing Management Centers in a High Availability Pair 290
Replace a Failed Primary Management Center (Successful Backup) 290
Replace a Failed Primary Management Center (Unsuccessful Backup) 291
Replace a Failed Secondary Management Center (Successful Backup) 292
Replace a Failed Secondary Management Center (Unsuccessful Backup) 293
Management Center High Availability Disaster Recovery 294
History for Management Center High Availability 294
Security Certifications Compliance 295
Security Certifications Compliance Modes 295
Security Certifications Compliance Characteristics 296
Security Certifications Compliance Recommendations 297
Enable Security Certifications Compliance 300
CHAPTER 10
Dashboard Widget Availability by User Role 307
Predefined Dashboard Widgets 308
The Appliance Information Widget 308
The Appliance Status Widget 309
The Correlation Events Widget 309
The Current Interface Status Widget 309
The Current Sessions Widget 310
The Custom Analysis Widget 310
The Interface Traffic Widget 315
The Intrusion Events Widget 315
The Network Compliance Widget 316
The Product Licensing Widget 316
The Product Updates Widget 317
The Allow List Events Widget 318
Adding Widgets to a Dashboard 319
Configuring Widget Preferences 320
Creating Custom Dashboards 321
Customizing the Widget Display 322
Editing Dashboards Options 323
Modifying Dashboard Time Settings 323
CHAPTER 11
Requirements and Prerequisites for Health Monitoring 327
Configuring Health Monitoring 339
Device Exclusion in Health Monitoring 343
Excluding Appliances from Health Monitoring 344
Excluding Health Policy Modules 344
Expired Health Monitor Exclusions 345
Health Monitor Alert Information 346
Creating Health Monitor Alerts 347
Editing Health Monitor Alerts 348
Deleting Health Monitor Alerts 348
Using the Management Center Health Monitor 350
Running All Modules for an Appliance 351
Running a Specific Health Module 351
Generating Health Module Alert Graphs 352
Viewing System Details and Troubleshooting 353
Viewing the Device Health Monitor 354
Health Monitor Status Categories 364
Viewing Health Events by Module and Appliance 365
Viewing the Health Events Table 366
CHAPTER 12
CHAPTER 13
CHAPTER 14
History for Health Monitoring 368
Syntax for System Log Filters 374
About Sending Audit Logs to an External Location 382
The Host Statistics Section 383
Executables and System Utilities 388
The SFDataCorrelator Process Statistics Section 391
The Intrusion Event Information Section 392
First Steps for Troubleshooting 395
View Basic System Information 398
View Appliance Information 398
Viewing Deployment Messages 399
PART IV
CHAPTER 15
Configuring Notification Behavior 401
Memory Usage Thresholds for Health Monitor Alerts 402
Disk Usage and Drain of Events Health Monitor Alerts 403
Health Monitor Reports for Troubleshooting 406
Producing Troubleshooting Files for Specific System Functions 407
Downloading Advanced Troubleshooting Files 408
Connection-based Troubleshooting 408
Advanced Troubleshooting for the Secure Firewall Threat Defense Device 409
Using the Threat Defense CLI from the Web Interface 410
Feature-Specific Troubleshooting 416
Requirements for Backup and Restore 423
Guidelines and Limitations for Backup and Restore 424
Configuration Import/Export Guidelines for Firepower 4100/9300 425
Best Practices for Backup and Restore 425
Backing Up Management Centers or Managed Devices 429
Back up the Management Center 429
Back up a Device from the Management Center 431
Exporting an FXOS Configuration File 432
Restoring Management Centers and Managed Devices 433
CHAPTER 16
Restore Management Center from Backup 434
Restore Threat Defense from Backup: Firepower 1000/2100/3100, ISA 3000 (Non-Zero-Touch) 435
Zero-Touch Restore Threat Defense from Backup: ISA 3000 438
Restore Threat Defense from Backup: Firepower 4100/9300 Chassis 440
Importing a Configuration File 443
Restore Threat Defense from Backup: Threat Defense Virtual 445
Manage Backups and Remote Storage 447
History for Backup and Restore 450
Requirements and Prerequisites for Task Scheduling 452
Configuring a Recurring Task 452
Schedule Management Center Backups 454
Schedule Remote Device Backups 454
Configuring Certificate Revocation List Downloads 455
Automating Policy Deployment 456
Automating Report Generation 459
Specify Report Generation Settings for a Scheduled Report 460
Automating Cisco Recommendations 460
Software Update Automation 461
Automating Software Downloads 463
Automating Software Pushes 463
Automating Software Installs 464
Vulnerability Database Update Automation 465
Automating VDB Update Downloads 466
Automating VDB Update Installs 466
Automating URL Filtering Updates Using a Scheduled Task 467
CHAPTER 17
CHAPTER 18
PART V
CHAPTER 19
Viewing Scheduled Tasks on the Calendar 469
History for Scheduled Tasks 471
About Configuration Import/Export 473
Configurations that Support Import/Export 473
Special Considerations for Configuration Import/Export 474
Requirements and Prerequisites for Configuration Import/Export 475
Import Conflict Resolution 477
Data Stored on the Management Center 479
Purging Data from the Management Center Database 480
Comparison of Security Analytics and Logging Remote Event Storage Options 481
Remote Data Storage in Cisco Secure Cloud Analytics 482
Remote Data Storage on a Secure Network Analytics Appliance 482
Requirements and Prerequisites for Reports 489
Generating, Viewing, and Printing Risk Reports 490
CHAPTER 20
CHAPTER 21
Report Template Configuration 497
Distributing Reports by Email at Generation Time 511
About Working with Generated Reports 512
Moving Reports to Remote Storage 514
External Alerting with Alert Responses 517
Secure Firewall Management Center Alert Responses 517
Configurations Supporting Alert Responses 518
Requirements and Prerequisites for Alert Responses 518
Creating an SNMP Alert Response 519
Creating a Syslog Alert Response 520
Creating an Email Alert Response 523
Configuring Impact Flag Alerting 523
Configuring Discovery Event Alerting 524
Configuring Malware defense Alerting 524
External Alerting for Intrusion Events 527
About External Alerting for Intrusion Events 527
License Requirements for External Alerting for Intrusion Events 528
Requirements and Prerequisites for External Alerting for Intrusion Events 528
PART VI
CHAPTER 22
Configuring SNMP Alerting for Intrusion Events 528
Intrusion SNMP Alert Options 529
Configuring Syslog Alerting for Intrusion Events 530
Facilities and Severities for Intrusion Syslog Alerts 531
Configuring Email Alerting for Intrusion Events 532
Intrusion Email Alert Options 532
Event and Asset Analysis Tools 535
About the Context Explorer 537
Differences Between the Dashboard and the Context Explorer 538
The Traffic and Intrusion Event Counts Time Graph 538
The Indications of Compromise Section 539
The Hosts by Indication Graph 539
The Indications by Host Graph 539
The Network Information Section 539
The Operating Systems Graph 539
The Traffic by Source IP Graph 540
The Traffic by Source User Graph 540
The Connections by Access Control Action Graph 540
The Traffic by Destination IP Graph 541
The Traffic by Ingress/Egress Security Zone Graph 541
The Application Information Section 541
Focusing the Application Information Section 542
The Traffic by Risk/Business Relevance and Application Graph 542
The Intrusion Events by Risk/Business Relevance and Application Graph 542
The Hosts by Risk/Business Relevance and Application Graph 543
The Application Details List 543
The Security Intelligence Section 543
The Security Intelligence Traffic by Category Graph 544
The Security Intelligence Traffic by Source IP Graph 544
The Security Intelligence Traffic by Destination IP Graph 544
The Intrusion Information Section 544
The Intrusion Events by Impact Graph 545
The Intrusion Events by Priority Graph 545
The Top Ingress/Egress Security Zones Graph 545
The Intrusion Event Details List 546
The Files Information Section 546
The Files by Disposition Graph 547
The Top Hosts Sending Files Graph 547
The Top Hosts Receiving Files Graph 547
The Top Malware Detections Graph 548
The Geolocation Information Section 548
The Connections by Initiator/Responder Country Graph 548
The Intrusion Events by Source/Destination Country Graph 548
The File Events by Sending/Receiving Country Graph 549
The URL Information Section 549
The Traffic by URL Category Graph 549
The Traffic by URL Reputation Graph 550
Requirements and Prerequisites for the Context Explorer 550
Refreshing the Context Explorer 550
Setting the Context Explorer Time Range 551
Minimizing and Maximizing Context Explorer Sections 551
Drilling Down on Context Explorer Data 552
Filters in the Context Explorer 553
Creating a Filter from the Add Filter Window 556
Creating a Quick Filter from the Context Menu 557
Saving Filtered Context Explorer Views 557
CHAPTER 23
CHAPTER 24
CHAPTER 25
Requirements and Prerequisites for the Network Map 559
The Network Devices Network Map 561
The Mobile Devices Network Map 561
The Indications of Compromise Network Map 562
The Application Protocols Network Map 562
The Vulnerabilities Network Map 563
The Host Attributes Network Map 564
Creating Custom Topologies 565
Importing Networks from the Network Discovery Policy 566
Manually Adding Networks to Your Custom Topology 567
Activating and Deactivating Custom Topologies 567
Finding URL Category and Reputation 570
Finding Geolocation Information for an IP Address 571
Event Analysis Using External Tools 573
Integrate with Cisco SecureX 573
Configure the Management Center Devices to Send Events to the Cisco Cloud 573
Configure Cisco Success Network Enrollment 575
Configure Cisco Support Diagnostics Enrollment 576
Access SecureX Using the Ribbon 577
Event Analysis with SecureX Threat Response 577
View Event Data in SecureX Threat Response 578
Event Investigation Using Web-Based Resources 578
PART VII
CHAPTER 26
About Managing Contextual Cross-Launch Resources 579
Requirements for Custom Contextual Cross-Launch Resources 579
Add Contextual Cross-Launch Resources 579
Investigate Events Using Contextual Cross-Launch 581
Configure Cross-Launch Links for Secure Network Analytics 581
About Sending Syslog Messages for Security Events 582
About Configuring the System to Send Security Event Data to Syslog 583
Best Practices for Configuring Security Event Syslog Messaging 583
Send Security Event Syslog Messages from Threat Defense Devices 583
Send Security Event Syslog Messages from Classic Devices 586
Configuration Locations for Security Event Syslogs 587
Anatomy of Security Event Syslog Messages 591
Facility in Security Event Syslog Messages 593
Firepower Syslog Message Types 594
Limitations of Syslog for Security Events 595
eStreamer Server Streaming 595
Comparison of Syslog and eStreamer for Security Eventing 596
Data Sent Only via eStreamer, Not via Syslog 596
Choosing eStreamer Event Types 597
Configuring eStreamer Client Communications 598
Event Analysis in IBM QRadar 599
History for Analyzing Event Data Using External Tools 599
Predefined Intrusion Event Workflows 608
Predefined Malware Workflows 609
Predefined Captured File Workflows 610
Predefined Connection Data Workflows 611
Predefined Security Intelligence Workflows 613
Predefined Indications of Compromise Workflows 613
Predefined Applications Workflows 614
Predefined Application Details Workflows 615
Predefined Servers Workflows 615
Predefined Host Attributes Workflows 615
The Predefined Discovery Events Workflow 616
Predefined Vulnerabilities Workflows 616
Predefined Third-Party Vulnerabilities Workflows 617
Predefined Correlation and Allow List Workflows 617
Predefined System Workflows 617
Workflow Access by User Role 620
Workflow Page Navigation Tools 623
Workflow Page Traversal Tools 623
Work in Secure Firewall Management Center with Connection Events Stored on a Secure Network
Using Connection Event Graphs 629
Per-Session Time Window Customization for Events 636
CHAPTER 27
CHAPTER 28
The Default Time Window for Events 639
Compound Event View Constraints 643
Using Compound Event View Constraints 643
Working with the Unified Event Viewer 645
Unified Event Viewer Column Descriptions 647
General Search Constraints 654
Wildcards and Symbols in Searches 654
Objects and Application Filters in Searches 655
Time Constraints in Searches 655
Managed Devices in Searches 657
Query Overrides Via the Shell 661
Shell-Based Query Management Syntax 661
Stopping Long-Running Queries 662
History for Searching for Events 662
CHAPTER 29
PART VIII
CHAPTER 30
Introduction to Custom Workflows 663
Creating Custom Workflows Based on Non-Connection Data 665
Creating Custom Connection Data Workflows 666
Custom Workflow Use and Management 667
Viewing Custom Workflows Based on Predefined Tables 667
Viewing Custom Workflows Based on Custom Tables 668
Introduction to Custom Tables 669
Possible Table Combinations 670
User-Defined Custom Tables 673
Viewing a Workflow Based on a Custom Table 675
Connections That Are Always Logged 682
Other Connections You Can Log 682
How Rules and Policy Actions Affect Logging 683
Logging for Fastpathed Connections 684
Logging for Monitored Connections 684
Logging for Trusted Connections 684
Logging for Blocked Connections 684
Logging for Allowed Connections 686
CHAPTER 31
Beginning vs End-of-Connection Logging 687
Secure Firewall Management Center vs External Logging 688
Limitations of Connection Logging 689
When Events Appear in the Event Viewer 689
Best Practices for Connection Logging 690
Requirements and Prerequisites for Connection Logging 692
Configure Connection Logging 692
Logging Connections with Tunnel and Prefilter Rules 692
Logging Decryptable Connections with TLS/SSL Rules 693
Logging Connections with Security Intelligence 694
Logging Connections with Access Control Rules 694
Logging Connections with a Policy Default Action 695
Limiting Logging of Long URLs 696
Connection and Security Intelligence Events 699
Connection vs. Security Intelligence Events 700
Connection Summaries (Aggregated Data for Graphs) 700
Combined Connection Summaries from External Responders 701
Connection and Security Intelligence Event Fields 701
About Connection and Security Intelligence Event Fields 716
A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields 716
Requirements for Populating Connection Event Fields 718
Information Available in Connection Event Fields 720
Using Connection and Security Intelligence Event Tables 724
Viewing Files and Malware Detected in a Connection 726
Viewing Intrusion Events Associated with a Connection 727
Encrypted Connection Certificate Details 727
Viewing the Connection Summary Page 728
History for Connection and Security Intelligence Events 729
Chapter 32
Tools for Reviewing and Evaluating Intrusion Events 733
License Requirements for Intrusion Events 734
Requirements and Prerequisites for Intrusion Events 734
About Intrusion Event Fields 735
Intrusion Event Impact Levels 747
Viewing Connection Data Associated with Intrusion Events 749
Marking Intrusion Events Reviewed 749
Viewing Previously Reviewed Intrusion Events 750
Marking Reviewed Intrusion Events Unreviewed 750
Preprocessor Generator IDs 751
Intrusion Event Workflow Pages 753
Using Intrusion Event Workflows 754
Intrusion Event Drill-Down Page Constraints 756
Intrusion Event Table View Constraints 757
Using the Intrusion Event Packet View 757
Data Link Layer Information Fields 766
Viewing Network Layer Information 766
Viewing Transport Layer Information 769
Viewing Packet Byte Information 771
Internally Sourced Intrusion Events 771
Viewing Intrusion Event Statistics 771
Viewing Intrusion Event Performance Graphs 774
Intrusion Event Performance Statistics Graph Types 774
Chapter 33
Chapter 34
Viewing Intrusion Event Graphs 778
History for Intrusion Events 780
File/Malware Events and Network File Trajectory 781
About File/Malware Events and Network File Trajectory 781
File and Malware Event Types 782
Retrospective Malware Events 783
Malware Events Generated by Secure Endpoint 784
Using File and Malware Event Workflows 785
File and Malware Event Fields 786
Information Available in File and Malware Event Fields 797
View Details About Analyzed Files 800
View File Details in AMP Private Cloud 800
Threat Scores and Dynamic Analysis Summary Reports 801
Viewing Dynamic Analysis Results in the Cisco Secure Malware Analytics Cloud 802
Using Captured File Workflows 802
Manually Submit Files for Analysis 808
Recently Detected Malware and Analyzed Trajectories 809
Network File Trajectory Detailed View 809
Network File Trajectory Summary Information 810
Network File Trajectory Map and Related Events List 811
Using a Network File Trajectory 812
Work with Event Data in the Secure Endpoint Console 814
History for File and Malware Events and Network File Trajectory 815
Requirements and Prerequisites for Host Profiles 817
Basic Host Information in the Host Profile 819
Operating Systems in the Host Profile 821
Viewing Operating System Identities 823
Setting the Current Operating System Identity 824
Operating System Identity Conflicts 824
Making a Conflicting Operating System Identity Current 825
Resolving an Operating System Identity Conflict 825
Servers in the Host Profile 825
Server Details in the Host Profile 827
Resolving Server Identity Conflicts 829
Web Applications in the Host Profile 829
Deleting Web Applications from the Host Profile 831
Host Protocols in the Host Profile 831
Deleting a Protocol From the Host Profile 831
Indications of Compromise in the Host Profile 832
VLAN Tags in the Host Profile 832
User History in the Host Profile 832
Host Attributes in the Host Profile 833
Predefined Host Attributes 833
Allow List Host Attributes 833
User-Defined Host Attributes 834
Creating Text- or URL-Based Host Attributes 835
Creating Integer-Based Host Attributes 835
Creating List-Based Host Attributes 835
Setting Host Attribute Values 836
Allow List Violations in the Host Profile 836
Creating Shared Allow List Host Profiles 837
Malware Detections in the Host Profile 837
Chapter 35
Vulnerabilities in the Host Profile 838
Downloading Patches for Vulnerabilities 839
Deactivating Vulnerabilities for Individual Hosts 839
Deactivating Individual Vulnerabilities 840
Scan Results in the Host Profile 841
Scanning a Host from the Host Profile 841
Requirements and Prerequisites for Discovery Events 843
Discovery and Identity Data in Discovery Events 843
Viewing Discovery Event Statistics 844
The Statistics Summary Section 845
The Event Breakdown Section 846
The Protocol Breakdown Section 846
The Application Protocol Breakdown Section 847
Viewing Discovery Performance Graphs 847
Discovery Performance Graph Types 848
Using Discovery and Identity Workflows 848
Discovery and Host Input Events 850
Viewing Discovery and Host Input Events 856
Creating a Traffic Profile for Selected Hosts 862
Creating a Compliance Allow List Based on Selected Hosts 863
Host Attribute Data Fields 864
Setting Host Attributes for Selected Hosts 865
Chapter 36
Indications of Compromise Data 865
View and Work with Indications of Compromise Data 866
Indications of Compromise Data Fields 868
Editing Indication of Compromise Rule States for a Single Host or User 868
Viewing Source Events for Indication of Compromise Tags 869
Resolving Indication of Compromise Tags 869
Application and Application Details Data 873
Viewing Application Detail Data 875
Application Detail Data Fields 876
Vulnerability Deactivation 879
Viewing Vulnerability Data 879
Viewing Vulnerability Details 880
Deactivating Multiple Vulnerabilities 881
Third-Party Vulnerability Data 881
Viewing Third-Party Vulnerability Data 881
Third-Party Vulnerability Data Fields 882
Active Sessions, Users, and User Activity Data 883
User Profile and Host History 896
History for Working with Discovery Events 898
Correlation and Compliance Events 899
Viewing Correlation Events 899
Part IX
Chapter 37
Chapter 38
Using Compliance Allow List Workflows 903
Viewing Allow List Violations 906
Allow List Violation Fields 907
Viewing Remediation Status Events 908
Remediation Status Table Fields 909
Using the Remediation Status Events Table 910
Correlation and Compliance 913
Introduction to Compliance Allow Lists 915
Compliance Allow List Target Networks 916
Compliance Allow List Host Profiles 917
Operating System-Specific Host Profiles 918
Requirements and Prerequisites for Compliance 920
Creating a Compliance Allow List 920
Setting Target Networks for a Compliance Allow List 922
Building Allow List Host Profiles 922
Adding an Application Protocol to a Compliance Allow List 924
Adding a Client to a Compliance Allow List 924
Adding a Web Application to a Compliance Allow List 925
Adding a Protocol to a Compliance Allow List 925
Managing Compliance Allow Lists 926
Editing a Compliance Allow List 926
Managing Shared Host Profiles 928
Introduction to Correlation Policies and Rules 929
Requirements and Prerequisites for Compliance 930
Chapter 39
Configuring Correlation Policies 931
Adding Responses to Rules and Allow Lists 931
Managing Correlation Policies 932
Configuring Correlation Rules 933
Syntax for Intrusion Event Trigger Criteria 934
Syntax for Malware Event Trigger Criteria 937
Syntax for Discovery Event Trigger Criteria 938
Syntax for User Activity Event Trigger Criteria 941
Syntax for Host Input Event Trigger Criteria 942
Syntax for Connection Event Trigger Criteria 943
Syntax for Traffic Profile Changes 946
Syntax for Correlation Host Profile Qualifications 948
Syntax for User Qualifications 951
Adding a Connection Tracker 953
Syntax for Connection Trackers 953
Syntax for Connection Tracker Events 956
Sample Configuration for Excessive Connections From External Hosts 956
Sample Configuration for Excessive BitTorrent Data Transfers 958
Snooze and Inactive Periods 960
Correlation Rule Building Mechanics 960
Adding and Linking Conditions in Correlation Rules 962
Using Multiple Values in Correlation Rule Conditions 963
Managing Correlation Rules 963
Configuring Correlation Response Groups 964
Managing Correlation Response Groups 965
Introduction to Traffic Profiles 967
Traffic Profile Conditions 969
Requirements and Prerequisites for Traffic Profiles 971
Configuring Traffic Profiles 972
Adding Traffic Profile Conditions 973
Chapter 40
Part X
Chapter 41
Adding Host Profile Qualifications to a Traffic Profile 973
Syntax for Traffic Profile Conditions 974
Syntax for Host Profile Qualifications in a Traffic Profile 975
Using Multiple Values in a Traffic Profile Condition 977
Requirements and Prerequisites for Remediations 979
Introduction to Remediations 979
Cisco ISE EPS Remediations 980
Configuring ISE EPS Remediations 981
Cisco IOS Null Route Remediations 982
Configuring Remediations for Cisco IOS Routers 983
Set Attribute Value Remediations 988
Configuring Set Attribute Remediations 988
Managing Remediation Modules 989
Managing Remediation Instances 990
Managing Instances for a Single Remediation Module 990
Secure Firewall Management Center Command Line Reference 995
About the Secure Firewall Management Center CLI 995
Secure Firewall Management Center CLI Modes 996
Secure Firewall Management Center CLI Management Commands 996
exit 996
expert 996
Secure Firewall Management Center CLI Show Commands 997
version 997
Secure Firewall Management Center CLI Configuration Commands 998
password 998
Secure Firewall Management Center CLI System Commands 998
generate-troubleshoot 998
Chapter 42
reboot 1000
restart 1000
shutdown 1000
History for the Secure Firewall Management Center CLI 1001
Security, Internet Access, and Communication Ports 1003
Internet Access Requirements 1004
Communication Port Requirements 1007
Part I
Getting Started
• Management Center Overview, on page 1
• Logging into the Management Center, on page 27
Chapter 1
Management Center Overview
The Secure Firewall Management Center is a powerful, web-based, multi-device manager that runs on its own server hardware, or as a virtual device on a hypervisor. You should use the management center if you want a multi-device manager, and you require all features on the threat defense. The management center also provides powerful analysis and monitoring of traffic and events.
Cisco Defense Orchestrator (CDO) can act as the primary manager using a full-featured, cloud-delivered management center. In this use case, you can use an on-premises management center for analytics only. The on-prem management center does not support policy configuration or upgrading. Chapters and procedures in this guide related to configuration and other unsupported features do not apply to CDO-managed devices.
For the management center used as the primary manager: The management center is not compatible with other managers because the management center owns the threat defense configuration, and you are not allowed to configure the threat defense directly, bypassing the management center.
• Quick Start: Basic Setup, on page 1
• Threat Defense Devices, on page 6
• Search the Management Center, on page 11
• Switching Domains on the Secure Firewall Management Center, on page 20
• Sharing Data with Cisco, on page 23
• Online Help, How To, and Documentation, on page 23
• IP Address Conventions, on page 26
• Additional Resources, on page 26
Quick Start: Basic Setup
The Firepower feature set is powerful and flexible enough to support basic and advanced configurations. Use the following sections to quickly set up a Secure Firewall Management Center and its managed devices to begin controlling and analyzing traffic.
Installing and Performing Initial Setup on Physical Appliances
Procedure
Install and perform initial setup on all physical appliances using the documentation for your appliance:
• Management Center
  • Cisco Firepower Management Center Getting Started Guide for your hardware model, available from http://www.cisco.com/go/firepower-mc-install
• Threat Defense managed devices
  • Cisco Firepower 1010 Getting Started Guide
  • Cisco Firepower 1100 Getting Started Guide
  • Cisco Firepower 2100 Getting Started Guide
  • Cisco Secure Firewall 3100 Getting Started Guide
  • Cisco Firepower 4100 Getting Started Guide
  • Cisco Firepower 9300 Getting Started Guide
  • Cisco Firepower Threat Defense for the ISA 3000 Using Firepower Management Center Quick Start Guide
Deploying Virtual Appliances
Follow these steps if your deployment includes virtual appliances. Use the documentation roadmap to locate the documents listed below: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
Procedure
Step 1 Determine the supported virtual platforms you will use for the Management Center and devices (these may not be the same). See the Cisco Firepower Compatibility Guide.
Step 2 Deploy virtual Firepower Management Centers using the documentation for your environment:
• management center virtual running on VMware: Cisco Secure Firewall Management Center Virtual Getting Started Guide
• management center virtual running on AWS: Cisco Secure Firewall Management Center Virtual Getting Started Guide
• management center virtual running on KVM: Cisco Secure Firewall Management Center Virtual Getting Started Guide
Step 3 Deploy virtual devices using the documentation for your appliance:
• threat defense virtual running on VMware: Cisco Secure Firewall Threat Defense Virtual for VMware Getting Started Guide
• threat defense virtual running on AWS: Cisco Secure Firewall Threat Defense Virtual for AWS Getting Started Guide
• threat defense virtual running on KVM: Cisco Secure Firewall Threat Defense Virtual for KVM Getting Started Guide
• threat defense virtual running on Azure: Cisco Secure Firewall Threat Defense Virtual for Azure Getting Started Guide
Logging In for the First Time
Before logging in to a new management center for the first time, prepare the appliance as described in Installing and Performing Initial Setup on Physical Appliances, on page 2, or Deploying Virtual Appliances, on page.
The first time you log in to a new management center (or a management center newly restored to factory defaults), use the admin account for either the CLI or the web interface and follow the instructions in the Cisco Firepower Management Center Getting Started Guide for your management center model. Once you complete the initial configuration process, the following aspects of your system will be configured:
• The passwords for the two admin accounts (one for web interface access and the other for CLI access) will be set to the same value, complying with strong password requirements as described in. The passwords for the two admin accounts are synchronized only during the initial configuration process. If you change the password for either admin account thereafter, they will no longer be the same and the strong password requirement can be removed from the web interface admin account. (See.)
• The following network settings the management center uses for network communication through its management interface (eth0) will be set to default values or values you supply:
• Fully qualified domain name (<hostname>.<domain>)
• Boot protocol for IPv4 configuration (DHCP or Static/Manual)
• IPv4 address
• Network mask
• Gateway
• DNS Servers
• NTP Servers
Values for these settings can be viewed and changed through the management center web interface; see Modify Management Center Management Interfaces, on page 60, and Time and Time Synchronization, on page 84, for more information.
• As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring the update fails and the management center has internet access, we recommend you configure regular GeoDB updates as described in Schedule GeoDB Updates, on page 208.
• As a part of initial configuration, the system schedules a weekly task to download the latest software updates. If the task scheduling fails and the management center has internet access, we recommend you schedule a recurring task for downloading software updates as described in.
Important This task downloads software updates to the management center. It is your responsibility to install any updates this task downloads.
• As a part of initial configuration, the system schedules a weekly task to perform a locally stored configuration-only management center backup. If the task scheduling fails, we recommend you schedule a recurring task to perform a backup as described in Schedule Management Center Backups, on page.
• As a part of initial configuration, the system downloads and installs the latest vulnerability database (VDB) update from the Cisco Support & Download site. This is a one-time operation. To keep the system up to date, if the management center has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations as described in Update Automation, on page 465.
• As a part of initial configuration, the system configures a daily automatic intrusion rule update from the Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies.) If configuring the update fails and the management center has internet access, we recommend you configure regular intrusion rule updates as described in Intrusion Rule Updates, on page 213.
On completion of management center initial configuration, the web interface displays the device management page, described in the Cisco Secure Firewall Management Center Device Configuration Guide. (This is the default login page only for the first time the admin user logs in. On subsequent logins by the admin or any user, the default login page is determined as described in Specifying Your Home Page, on page.)
Once you have completed the initial configuration, begin controlling and analyzing traffic by configuring basic policies as described in Setting Up Basic Policies and Configurations, on page 4.
Setting Up Basic Policies and Configurations
You must configure and deploy basic policies in order to see data in the dashboard, Context Explorer, and event tables.
Note This is not a full discussion of policy or feature capabilities. For guidance on other features and more advanced configurations, see the rest of this guide.
Before you begin
• Log into the web interface using the admin account for either the web interface or CLI and perform the initial configuration as described in the Cisco Firepower Management Center Getting Started Guide for your hardware model, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-guides-list.html.
Procedure
Step 1 Set a time zone for this account as described in Setting Your Default Time Zone, on page 193.
Step 2 If needed, add licenses as described in.
Step 3 Add managed devices to your deployment as described in Add a Device to the Management Center in the Cisco Secure Firewall Management Center Device Configuration Guide.
Step 4 Configure your managed devices as described in:
• Interface Overview in the Cisco Secure Firewall Management Center Device Configuration Guide, to configure transparent or routed mode on Firepower Threat Defense devices
• Interface Overview in the Cisco Secure Firewall Management Center Device Configuration Guide, to configure interfaces on threat defense devices
Step 5 Configure an access control policy as described in Creating a Basic Access Control Policy in the Cisco Secure Firewall Management Center Device Configuration Guide.
• In most cases, Cisco suggests setting the Balanced Security and Connectivity intrusion policy as your default action. For more information, see Access Control Policy Default Action and System-Provided Network Analysis and Intrusion Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.
• In most cases, Cisco suggests enabling connection logging to meet the security and compliance needs of your organization. Consider the traffic on your network when deciding which connections to log so that you do not clutter your displays or overwhelm your system. For more information, see Connection Logging, on page 681.
Step 6 Apply the system-provided default health policy as described in Applying Health Policies, on page 341.
Step 7 Customize a few of your system configuration settings:
• If you want to allow inbound connections for a service (for example, SNMP or syslog), modify the ports in the access list as described in Configure an Access List, on page 71.
• Understand and consider editing your database event limits as described in.
• If you want to change the display language, edit the language setting as described in Set the Language for the Web Interface, on page 82.
• If your organization restricts network access using a proxy server, edit your proxy settings as described in Modify Management Center Management Interfaces, on page 60.
Step 8 Customize your network discovery policy as described in Configuring the Network Discovery Policy in the Cisco Secure Firewall Management Center Device Configuration Guide. By default, the network discovery policy analyzes all traffic on your network. In most cases, Cisco suggests restricting discovery to the addresses in RFC 1918.
Step 9 Consider customizing these other common settings:
• If you do not want to display message center pop-ups, disable notifications as described in Notification Behavior, on page 401.
• If you want to customize the default values for system variables, understand their use as described in Variable Sets in the Cisco Secure Firewall Management Center Device Configuration Guide.
• If you want to create additional locally authenticated user accounts to access the management center, see Add an Internal User, on page 111.
• If you want to use LDAP or RADIUS external authentication to allow access to the management center, see Configure External Authentication for the Management Center, on page 113.
Step 10 Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.
What to do next
• Review and consider configuring other features described in and the rest of this guide.
Threat Defense Devices
In a typical deployment, multiple traffic-handling devices report to one Secure Firewall Management Center, which you use to perform administrative, management, analysis, and reporting tasks.
A threat defense device is a next-generation firewall (NGFW) that also has NGIPS capabilities. NGFW and platform features include site-to-site and remote access VPN, robust routing, NAT, clustering, and other optimizations in application inspection and access control.
Threat Defense is available on a wide range of physical and virtual platforms.
Compatibility
For details on manager-device compatibility, including the software compatible with specific device models, virtual hosting environments, operating systems, and so on, see the Cisco Secure Firewall Threat Defense Release Notes and the Cisco Firepower Compatibility Guide.
Features
These tables list some commonly used features.
Appliance and System Management Features
To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
If you want to... | Configure... | As described in...
Manage user accounts for logging in to your Firepower appliances | Firepower authentication | Users for Devices in the Cisco Secure Firewall Management Center Device Configuration Guide
Monitor the health of system hardware and software | Health monitoring policy | About Health Monitoring, on page 327
Back up data on your appliance | Backup and restore |
Upgrade to a new Firepower version | System updates | Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0; Firepower Release Notes
Baseline your physical appliance | Restore to factory defaults (reimage) | The Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0, for a list of links to instructions on performing fresh installations
Apply licenses in order to take advantage of license-controlled functionality | Smart licensing |
Update the VDB, intrusion rule updates, or GeoDB on your appliance | Vulnerability Database (VDB) updates, intrusion rule updates, or Geolocation Database (GeoDB) updates |
Ensure continuity of appliance operations | Managed device high availability and/or management center high availability | About Firepower Threat Defense High Availability in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure a device to route traffic between two or more interfaces | Routing | Reference for Routing in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure packet switching between two or more networks | Device switching | Configure Bridge Group Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide
Translate private addresses into public addresses for internet connections | Network Address Translation (NAT) | Network Address Translation in the Cisco Secure Firewall Management Center Device Configuration Guide
Establish a secure tunnel between managed threat defense devices | Site-to-Site virtual private network (VPN) | VPN Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Establish secure tunnels between remote users and managed threat defense devices | Remote Access VPN | VPN Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Segment user access to managed devices, configurations, and events | Multitenancy using domains |
View and manage appliance configuration using a REST API client | REST API and REST API Explorer | Firepower REST API Quick Start Guide
Troubleshoot issues | N/A |
High Availability and Scalability Features by Platform
High availability configurations (sometimes called failover) ensure continuity of operations. Clustered configurations group multiple devices together as a single logical device, achieving increased throughput and redundancy.
Platform | High Availability | Clustering
Management Center | Yes | —
Management Center Virtual | Yes (See for important details) | —
Secure Firewall Threat Defense: Firepower 1000, Firepower 2100, ISA 3000 | Yes | —
Secure Firewall Threat Defense: Firepower 4100/9300 chassis | Yes | Yes
Secure Firewall Threat Defense Virtual: VMware, KVM | Yes | —
Secure Firewall Threat Defense Virtual (public cloud): AWS, Azure | — | —
Related Topics
About Secure Firewall Threat Defense High Availability
About Secure Firewall Management Center High Availability, on page 275
Features for Detecting, Preventing, and Processing Potential Threats
To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
If you want to... | Configure... | As described in...
Inspect, log, and take action on network traffic | Access control policy, the parent of several other policies | Introduction to Access Control in the Cisco Secure Firewall Management Center Device Configuration Guide
Block or monitor connections to or from IP addresses, URLs, and/or domain names | Security Intelligence within your access control policy | About Security Intelligence in the Cisco Secure Firewall Management Center Device Configuration Guide
Control the websites that users on your network can access | URL filtering within your policy rules | URL Filtering in the Cisco Secure Firewall Management Center Device Configuration Guide
Monitor malicious traffic and intrusions on your network | Intrusion policy | Intrusion Policy Basics in the Cisco Secure Firewall Management Center Device Configuration Guide
Block encrypted traffic without inspection | SSL policy | SSL Policies Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Inspect encrypted or decrypted traffic | SSL policy | SSL Policies Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Tailor deep inspection to encapsulated traffic and improve performance with fastpathing | Prefilter policy | About Prefiltering in the Cisco Secure Firewall Management Center Device Configuration Guide
Rate limit network traffic that is allowed or trusted by access control | Quality of Service (QoS) policy | About QoS Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Allow or block files (including malware) on your network | File/malware policy | Network Malware Protection and File Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Operationalize data from threat intelligence sources | Cisco Threat Intelligence Director (TID) | Secure Firewall threat intelligence director Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure passive or active user authentication to perform user awareness and user control | User awareness, user identity, identity policies | About User Identity Sources in the Cisco Secure Firewall Management Center Device Configuration Guide; About Identity Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Collect host, application, and user data from traffic on your network to perform user awareness | Network Discovery policies | Network Discovery Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Use tools beyond your Firepower system to collect and analyze data about network traffic and potential threats | Integration with external tools |
Perform application detection and control | Application detectors | Application Detection in the Cisco Secure Firewall Management Center Device Configuration Guide
Troubleshoot issues | N/A |
Integration with External Tools
To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
If you want to... | Configure... | As described in...
Automatically launch remediations when conditions on your network violate an associated policy | Remediations | Introduction to Remediations, on page 979; Firepower System Remediation API Guide
Stream event data from a management center to a custom-developed client application | eStreamer integration | eStreamer Server Streaming, on page 595; Firepower System eStreamer Integration Guide
Query database tables on a management center using a third-party client | External database access | Firepower System Database Access Guide
Augment discovery data by importing data from third-party sources | Host input | Host Input Data in the Cisco Secure Firewall Management Center Device Configuration Guide; Firepower System Host Input API Guide
Investigate events using external event data storage tools and other data resources | Integration with external event analysis tools |
Troubleshoot issues | N/A |
Search the Management Center
You can use the global search feature to quickly locate and navigate to elements of your Secure Firewall
Management Center configuration.
Note This feature is supported in Light and Dusk themes only. To change the theme, see .
You can search the management center configuration for the following entities:
• Names of web interface pages in top-level menus. (See Search for Web Interface Menu Options, on page .)
• For certain policy types:
  • Policy names
  • Policy descriptions
  • Rule names
  • Rule comments
  (See Search for Policies, on page 15.)
• For certain object types:
  • Object names
  • Object descriptions
  • Configured values
  (See Search for Objects, on page 17.)
• How To walkthroughs. The search returns a list of walkthroughs that contain the search term, with links to each. (See Search for How To Walkthroughs, on page 20.)
Keep the following in mind when using global search:
• When you open the global search tool, the most recent ten searches appear in a history list below the search text box. You can select an item from this list to re-execute a search.
• When you type a search expression, the interface replaces the search history with search results that update as you type your search; you do not need to press Enter to execute the search.
• You can navigate the history list or the search results using the mouse or the keyboard arrow keys and the Enter key. Pressing the Enter key selects the currently highlighted item in the search results. In the case of results for web interface pages, this causes the management center interface to display the highlighted page. For objects and policies, this displays details about the found entity.
• Search is not case-sensitive.
• You can use the following wildcard characters in your search:
  • ? matches any single character.
  • * matches any 0 or more characters.
  • ^ anchors the search term it precedes to the beginning of matched entities.
  • $ anchors the search term it follows to the end of matched entities.
  Wildcards cannot be escaped.
• For greater efficiency, global search does not return indirect search results; that is, global search does not return policies or objects that reference objects where a search term is found. However, you can determine which policies or objects reference many found objects by viewing the Usages tab for the found object in the search detail pane.
• Global search returns the top results for your search expression determined by its relevance to the most commonly used configuration entities in the management center. If global search fails to return something you are expecting to find, try refining your search, try using the search or filter tool that appears at the top of many GUI pages, or try some of the configuration-specific search features the web interface offers:
  • Searching for Rules in the Cisco Secure Firewall Management Center Device Configuration Guide
  • Searching and Filtering the NAT Rule Table in the Cisco Secure Firewall Management Center Device Configuration Guide
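As an added illustration (not code from Cisco or from this guide), the following Python models the wildcard and case rules listed above by translating a search expression into a regular expression and running it over a constructed list of entity names; treating a ^ or $ that appears in the middle of a term as an ordinary anchor is an assumption about an edge case the guide does not specify.

```python
import re

# Wildcard characters documented for global search. Every occurrence is treated
# as a wildcard because, as the guide notes, wildcards cannot be escaped.
_WILDCARDS = {
    "?": ".",    # any single character
    "*": ".*",   # zero or more characters
    "^": "^",    # anchors the term that follows it to the start of the entity
    "$": "$",    # anchors the term that precedes it to the end of the entity
}


def search_expression_to_regex(expression: str) -> str:
    """Translate a global search expression into a regular expression.

    Literal characters are escaped, so a '.' in an address stays a literal dot.
    Without ^ or $ the term may match anywhere inside the entity (substring
    match). A ^ or $ in the middle of a term is passed through unchanged and
    therefore never matches; the guide does not say how the product treats it.
    """
    return "".join(_WILDCARDS.get(ch, re.escape(ch)) for ch in expression)


def matches(expression: str, entity: str) -> bool:
    """Case-insensitive match of one search expression against one entity string."""
    pattern = search_expression_to_regex(expression)
    return re.search(pattern, entity, re.IGNORECASE) is not None


def global_search(expression: str, entities):
    """Return the entities (names, descriptions, values, ...) that match, in order."""
    return [entity for entity in entities if matches(expression, entity)]


# Constructed sample entity names, modelled on the guide's screenshot example.
SAMPLE_NAMES = [
    "ExampleHostOne",
    "ExampleHostTwo",
    "ExampleHostThree",
    "ExampleACPolicyOne",
    "example-host-backup",
    "OtherHost",
]

if __name__ == "__main__":
    for expr in ("example", "^ExampleHost", "Host???$", "ex*one$", "Policy"):
        print(f"{expr!r:16} -> {global_search(expr, SAMPLE_NAMES)}")
```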
Global Search in a Multidomain Deployment
In a multidomain deployment, by default search returns only objects and policies defined within the current domain and its ancestor domains. You can see objects and policies in child domains by toggling an option in the search results dialog.
For an object search, if your search expression is found in objects defined in domains other than your current domain, the search results display the names of the domains within which those objects reside. If your search expression is found in objects defined within your current domain, the search results display the object values.
In the example screenshot below, the deployment consists of three domains at three levels: Global, Domain1, and SubDomainA. The user, whose current domain is Domain1, has entered a search for the string “example” in both ancestor and child domains.
Figure 1: Example of Global Search in a Multidomain Environment
1 The user has chosen to search child domains (SubDomainA) as well as the current domain (Domain1) and its ancestor (Global).
2 A matching network object ExampleHostOne defined in the parent domain Global is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details.
3 The matching network object ExampleHostThree defined in the child domain SubDomainA is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details. This object is currently selected.
4 The matching network object ExampleHostThree is currently selected, and information is provided in the right pane. The External Domain icon indicates that when the user clicks Edit, the system will prompt the user to confirm a domain change before allowing edit access to the object.
5 The matching network object ExampleHostTwo, defined in the current domain, is displayed with the object value, and with the Current Domain icon indicating the user may edit this object without switching domains.
6 The matching access control policy ExampleACPolicyOne defined in the parent domain Global is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details.
7 The matching access control policy ExampleACPolicyThree defined in the child domain SubDomainA is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details.
8 The matching access control policy ExampleACPolicyTwo defined in the current domain is displayed with the Current Domain icon indicating the user may edit details without switching domains.
Search for Web Interface Menu Options
You can search to find locations of pages in the top-level menus of the web interface. For example, to view or configure Quality of Service settings, search for QoS.
Before you begin
This feature is not available in the Classic theme. To change the theme, see
Procedure
Step 1 Use one of two methods to initiate a search:
  • In the menu bar at the top of the management center web interface, click Search.
  • With focus outside of a text box, type / (forward slash).
Step 2 Enter one or more letters of the name of the menu option you seek. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.
Step 3 Search results appear grouped by category. To go to a page listed under Navigation, click the menu path in the search results list.
Search for Policies
The following table indicates which policy types you can search for by name:
In Scope:
• Access Control Policy
• Prefilter Policy
• Threat Defense NAT Policy
• Intrusion category
  • Intrusion Policy
  • Network Analysis Policy
• Threat Defense Platform Settings
• QoS Policy
• FlexConfig Policy
• DNS Policy
• Malware & File Policy
• SSL Policy
• Identity Policy
• Network Discovery
• Application Detector
• Correlation Policy
• VPN category
  • Dynamic Access Policy
  • Site To Site
  • Remote Access
Out of Scope:
• Firepower Settings Policy
• Firepower NAT Policy
Global search returns policies whose names match the search term, as well as access control policies using rules whose name or comments match the search term. If you see an access control policy in the search result list whose name does not match the search, the match was made on the name or comments for a rule configured within the policy.
Important Global search returns the top results for your search expression determined by its relevance to the most commonly used configuration entities in the management center. Your search term may exist in policy types that are not in scope for this search feature. For a full description of the global search feature and alternative search methods, see Search the Management Center.
Before you begin
This feature is not available in the Classic theme. To change the theme, see
Procedure
Step 1 Use one of two methods to initiate a search:
  • In the menu bar at the top of the management center web interface, click Search.
  • With focus outside of a text box, type / (forward slash).
Step 2 Enter a search expression in the search text box. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.
Step 3 (Optional) In a multidomain deployment, if your current domain has descendant domains, you can toggle Include child domains in search results to see policies in those descendant domains.
Step 4 Search results appear grouped by category. In a multidomain deployment, within the Policies category the search results are grouped by the domains within which found policies are defined. Under the Policies category you can do the following:
To: | Do this:
View search results for a single policy type. | Click the policy type in the search results, such as Access Control Policy.
View details about a policy. | Click the policy name in the search results list to view the details pane and display the General tab.
View the Access Control policies that reference Intrusion and Network Analysis policies. | Click the name of the Intrusion or Network Analysis policy in the search results to view the details pane and display the Usages tab.
Open the policy configuration page for a policy in a separate browser window. | Click the policy name in the search results, and in the details pane click Edit. In a multidomain deployment, if you choose to edit a policy not defined within your current domain, the system will prompt you to change your current domain.
Search for Objects
The following table indicates which object types listed on the Object Management page (Objects > Object Management) are in scope for the Global Search feature:
In Scope:
• AAA Server category
  • RADIUS Server Group
  • Single Sign-On Server
• Access List category
  • Extended Access List
  • Standard Access List
• Address Pools category
  • IPv4 Pools
  • IPv6 Pools
• AS Path
• Community List category
  • Extended Community
• DNS Server Group
• External Attributes category
  • Dynamic Object
  • Security Group Tag
• Geolocation
• Interface category
  • Security Zone
  • Interface Group
• Key Chain
• Network (includes Network, Host, Range, FQDN, Network Group)
• PKI category
  • Cert Enrollment
• Policy List
• Port (objects and groups, TCP, UDP, ICMP, ICMP6, other)
• Prefix List category
  • IPV4 Prefix List
  • IPV6 Prefix List
• Route Map
• SLA Monitor
• Time Range
• Time Zone
• Tunnel Zone
• URL (Objects, groups)
• VLAN Tag (Objects, groups)
• VPN category
  • Certificate Map
  • Group Policy
  • IKEv1 IPsec Proposal
  • IKEv1 Policy
  • IKEv2 IPSec Proposal
  • IKEv2 Policy
Out of Scope:
• Application Filters
• Cipher Suite List
• Community List category
  • Community
• Distinguished Name category
  • Individual Distinguished Name Objects
  • Distinguished Name Object Groups
• File List
• FlexConfig category
  • FlexConfig Object
  • Text Object
• PKI category
  • External Cert Groups
  • External Certs
  • Internal CA Groups
  • Internal CAs
  • Internal Cert Groups
  • Internal Certs
  • Trusted CA Groups
  • Trusted CAs
• Security Intelligence category
  • DNS Lists and Feeds
  • Network Lists and Feeds
  • URL Lists and Feeds
• Sinkhole
• Variable Set
• VPN category
  • AnyConnect File
  • Custom Attribute
Global search returns objects whose names or description match the search term, as well as objects with configured values that match the search term. If you see an object in the search result list whose name does not match the search, the match was made on the description or a configured value within the object.
Important Global search returns the top results for your search expression determined by its relevance to the most commonly used configuration entities in the management center. Your search term may exist in object types that are not in scope for this search feature. For a full description of the global search feature and alternative search methods, see Search the Management Center.
Object searches can be particularly useful when you need to locate network information within your deployment.
You can search for the following in object names, descriptions, or configured values:
• IPv4 and IPv6 address information, including the following formats:
  • Full addresses (for example, 194.164.0.23, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
  • Partial addresses (for example, 194.164, 2001:db8).
  • Ranges (for example, 192.164.1.1-192.168.1.5 or 2001:db8::0202-2001:db8::8329; do not add a space before or after the hyphen). Global search returns objects using network addresses that match any within the specified range.
  • CIDR notation (for example, 192.168.1.0/24, 2002::1234:abcd:ffff:101/64). Global search returns objects using network addresses that match any within the specified CIDR block.
• Port information:
  • Port numbers (for example, 22 or 80).
  • Protocols (for example, https or ssh).
• Fully qualified domain names (for example, www.cisco.com).
• URLs (for example, http://www.cisco.com).
• Encryption standards or hash types (for example, AES-128 or SHA).
• VLAN tag numbers (for example, 568).
Before you begin
This feature is not available in the Classic theme. To change the theme, see .
Procedure
Step 1 Use one of two methods to initiate a search:
  • In the menu bar at the top of the management center web interface, click Search.
  • With focus outside of a text box, type / (forward slash).
Step 2 Enter a search expression in the search text box. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.
If your search expression is found in objects defined in domains other than your current default domain, the search results display the names of the domains within which those objects reside. If your search expression is found in objects defined within your current domain, the search results display the object values.
Step 3 (Optional) In a multidomain deployment, if your current domain has descendant domains, you can toggle Include child domains in search results to see objects in those descendant domains.
Step 4
Search results appear divided by category. In a multidomain deployment, within the Objects category the search results are grouped by the domains within which found objects are defined. Under the Objects category you can do the following:
To: | Do this:
View search results for a single object type. | Click the object type in the search results, such as Network.
View details about an object in the search results. | Click the object name in the search results to view the details pane and display the General tab.
View a list of policies or objects that use an object in the search results. | Click the object name in the search results to view the details pane and display the Usages tab. Note: Global Search does not provide usage information for all object types.
Open the object configuration page for an object in a separate browser window. | Click the object name in the search results, and in the details pane click Edit. In a multidomain deployment, if you choose to edit an object not defined within your current domain, the system will prompt you to change your current domain.
Search for How To Walkthroughs
You can search for How To walkthroughs that address tasks of interest. For example, to find walkthroughs that describe device set up procedures, you can search for the term "device."
Before you begin
This feature is not available in the Classic theme. To change the theme, see
Procedure
Step 1 Use one of two methods to initiate a search:
  • In the menu bar at the top of the management center web interface, click Search.
  • With focus outside of a text box, type / (forward slash).
Step 2 Enter a search term associated with a task for which you would like to see a walkthrough. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.
Step 3 Search results appear grouped by category. To view a walkthrough listed under How-Tos, click the walkthrough title in the search results list. For more information on How To walkthroughs, see .
Switching Domains on the Secure Firewall Management Center
In a multidomain deployment, user role privileges determine which domains a user can access and which privileges the user has within each of those domains. You can associate a single user account with multiple domains and assign different privileges for that user in each domain. For example, you can assign a user read-only privileges in the Global domain, but Administrator privileges in a descendant domain.
Users associated with multiple domains can switch between domains within the same web interface session.
Under your user name in the toolbar, the system displays a tree of available domains. The tree:
• Displays ancestor domains, but may disable access to them based on the privileges assigned to your user account.
• Hides any other domain your user account cannot access, including sibling and descendant domains.
When you switch to a domain, the system displays:
• Data that is relevant to that domain only.
• Menu options determined by the user role assigned to you for that domain.
Procedure
From the drop-down list under your user name, choose the domain you want to access.
The Context Menu
Certain pages in the web interface support a right-click (most common) or left-click context menu that you can use as a shortcut for accessing other features. The contents of the context menu depend on where you access it: not only the page, but also the specific data you right-click or left-click.
For example:
• IP address hotspots provide information about the host associated with that address, including any available whois and host profile information.
• SHA-256 hash value hotspots allow you to add a file’s SHA-256 hash value to the clean list or custom detection list, or view the entire hash value for copying.
On pages or locations that do not support the context menu, the normal context menu for your browser appears.
Policy Editors
Many policy editors contain hotspots over each rule. You can insert new rules and categories; cut, copy, and paste rules; set the rule state; and edit the rule.
Intrusion Rules Editor
The intrusion rules editor contains hotspots over each intrusion rule. You can edit the rule, set the rule state, configure thresholding and suppression options, and view rule documentation. Optionally, after clicking Rule documentation in the context menu, you can click Rule Documentation in the documentation pop-up window to view more-specific rule details.
Event Viewer
Event pages (the drill-down pages and table views available under the Analysis menu) contain hotspots over each event, IP address, URL, DNS query, and certain files’ SHA-256 hash values. While viewing most event types, you can:
• View related information in the Context Explorer.
• Drill down into event information in a new window.
• View the full text in places where an event field contains text too long to fully display in the event view, such as a file’s SHA-256 hash value, a vulnerability description, or a URL.
• Open a web browser window with detailed information about the element from an external source, using the Contextual Cross-Launch feature. For more information, see Web-Based Resources, on page 578.
While viewing connection events, you can add items to the default Security Intelligence Block and Do Not Block lists:
• An IP address, from an IP address hotspot.
• A URL or domain name, from a URL hotspot.
• A DNS query, from a DNS query hotspot.
While viewing captured files, file events, and malware events, you can:
• Add a file to or remove a file from the clean list or custom detection list.
• Download a copy of the file.
• View nested files inside an archive file.
• Download the parent archive file for a nested file.
• View the file composition.
• Submit the file for local malware and dynamic analysis.
While viewing intrusion events, you can perform similar tasks to those in the intrusion rules editor or an intrusion policy:
• Edit the triggering rule.
• Set the rule state, including disabling the rule.
• Configure thresholding and suppression options.
• View rule documentation. Optionally, after clicking Rule documentation in the context menu, you can click Rule Documentation in the documentation pop-up window to view more-specific rule details.
Intrusion Event Packet View
Intrusion event packet views contain IP address hotspots. The packet view uses a left-click context menu.
Dashboard
Many dashboard widgets contain hotspots to view related information in the Context Explorer. Dashboard widgets can also contain IP address and SHA-256 hash value hotspots.
Context Explorer
The Context Explorer contains hotspots over its charts, tables, and graphs. If you want to examine data from graphs or lists in more detail than the Context Explorer allows, you can drill down to the table views of the relevant data. You can also view related host, user, application, file, and intrusion rule information.
The Context Explorer uses a left-click context menu, which also contains filtering and other options unique to the Context Explorer.
Sharing Data with Cisco
You can opt to share data with Cisco using the following features:
• Cisco Success Network. See Configure Cisco Success Network Enrollment, on page 575.
• Web analytics. See (Optional) Opt Out of Web Analytics Tracking, on page 101.
Online Help, How To, and Documentation
You can reach the online help from the web interface:
• By clicking the context-sensitive help link on each page
• By choosing Help > Online
How To is a widget that provides walkthroughs to navigate through tasks on the management center. A walkthrough guides you through each step required to achieve a task, one after the other, regardless of how many UI screens you have to navigate to complete the task. The How To widget is enabled by default. To disable the widget, choose User Preferences from the drop-down list under your user name, and uncheck the Enable How-Tos check box in How-To Settings. To open the walkthroughs, choose Help > How-Tos.
Note The walkthroughs are generally available for all UI pages, and are not user role sensitive. However, depending on the privileges of the user, some of the menu items will not appear on the management center interface, and the walkthroughs will not execute on such pages.
The following walkthroughs are available on management center:
• Register management center with Cisco Smart Account: This walkthrough guides you to register management center with Cisco Smart Account.
• Set up a Device and add it to management center: This walkthrough guides you to set up a device and to add the device to management center.
• Configure Date and Time: This walkthrough guides you to configure the date and time of the threat defense devices using a platform settings policy.
• Configure Interface Settings: This walkthrough guides you to configure the interfaces on the threat defense devices.
• Create an Access Control Policy: An access control policy consists of a set of ordered rules, which are evaluated from top to bottom. This walkthrough guides you to create an access control policy.
• Add an Access Control Rule - A Feature Walkthrough: This walkthrough describes the components of an access control rule, and how you can use them in management center.
• Configure Routing Settings: Various routing protocols are supported by threat defense. A static route defines where to send traffic for specific destination networks. This walkthrough guides you to configure static routing for the devices.
• Create a NAT Policy - A Feature Walkthrough: This walkthrough guides you to create a NAT policy and walks you through the various features of a NAT rule.
You can find additional documentation using the documentation roadmap: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
User Guides on Cisco.com
The following documents may be helpful when configuring Secure Firewall Management Center deployments, Version 6.0+.
Note Some of the linked documents are not applicable to Secure Firewall Management Center deployments. For example, some links on Secure Firewall Threat Defense pages are specific to deployments managed by Secure Firewall device manager, and some links on hardware pages are unrelated to management center. To avoid confusion, pay careful attention to document titles. Also, some documents cover multiple products and therefore may appear on multiple product pages.
Secure Firewall Management Center
• Secure Firewall Management Center hardware appliances: http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html
• Secure Firewall Management Center Virtual appliances:
  • http://www.cisco.com/c/en/us/support/security/defense-center-virtual-appliance/tsd-products-support-series-home.html
  • http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html
Secure Firewall Threat Defense, also called NGFW (Next Generation Firewall) devices
• Secure Firewall Threat Defense software: http://www.cisco.com/c/en/us/support/security/firepower-ngfw/tsd-products-support-series-home.html
• Secure Firewall Threat Defense Virtual: http://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/tsd-products-support-series-home.html
• Firepower 1000 series: https://www.cisco.com/c/en/us/support/security/firepower-1000-series/tsd-products-support-series-home.html
• Firepower 2100 series: https://www.cisco.com/c/en/us/support/security/firepower-2100-series/tsd-products-support-series-home.html
• Secure Firewall 3100: https://www.cisco.com/c/en/us/support/security/secure-firewall-3100-series/series.html
• Firepower 4100 series: https://www.cisco.com/c/en/us/support/security/firepower-4100-series/tsd-products-support-series-home.html
• Firepower 9300: https://www.cisco.com/c/en/us/support/security/firepower-9000-series/tsd-products-support-series-home.html
• ISA 3000: https://www.cisco.com/c/en/us/support/security/industrial-security-appliance-isa/tsd-products-support-series-home.html
License Statements in the Documentation
The License statement at the beginning of a section indicates which Classic or Smart license you must assign to a managed device to enable the feature described in the section.
Because licensed capabilities are often additive, the license statement provides only the highest required license for each feature.
An “or” statement in a License statement indicates that you must assign a particular license to the managed device to enable the feature described in the section, but an additional license can add functionality. For example, within a file policy, some file rule actions require that you assign a Protection license to the device while others require that you assign a Malware license.
For more information about licenses, see .
Supported Devices Statements in the Documentation
The Supported Devices statement at the beginning of a chapter or topic indicates that a feature is supported only on the specified device series, family, or model. For example, many features are supported only on Secure Firewall Threat Defense devices.
For more information on platforms supported by this release, see the release notes.
Access Statements in the Documentation
The Access statement at the beginning of each procedure in this documentation indicates the predefined user roles required to perform the procedure. Any of the listed roles can perform the procedure.
Users with custom roles may have permission sets that differ from those of the predefined roles. When a predefined role is used to indicate access requirements for a procedure, a custom role with similar permissions also has access. Some users with custom roles may use slightly different menu paths to reach configuration pages. For example, users who have a custom role with only intrusion policy privileges access the network analysis policy via the intrusion policy instead of the standard path through the access control policy.
IP Address Conventions
You can use IPv4 Classless Inter-Domain Routing (CIDR) notation and the similar IPv6 prefix length notation to define address blocks in many places in the system.
When you use CIDR or prefix length notation to specify a block of IP addresses, the system uses only the portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8, the system uses 10.0.0.0/8.
In other words, although Cisco recommends the standard method of using a network IP address on the bit boundary when using CIDR or prefix length notation, the system does not require it.
Additional Resources
The Firewalls Community is an exhaustive repository of reference material that complements our extensive documentation. This includes links to 3D models of our hardware, hardware configuration selector, product collateral, configuration examples, troubleshooting tech notes, training videos, lab and Cisco Live sessions, social media channels, Cisco Blogs and all the documentation published by the Technical Publications team.
Some of the individuals posting to community sites or video sharing sites, including the moderators, work for Cisco Systems. Opinions expressed on those sites and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party.
Note Some of the videos, technical notes, and reference material in the Firewalls Community point to older versions of the management center. Your version of the management center and the version referenced in the videos or technical notes might have differences in the user interface that cause the procedures not to be identical.
Chapter 2
Logging into the Management Center
The following topics describe how to log into the system:
• System User Interfaces, on page 29
• Logging Into the Secure Firewall Management Center Web Interface, on page 31
• Logging Into the Management Center Web Interface Using SSO, on page 32
• Logging Into the Secure Firewall Management Center with CAC Credentials, on page 33
• Logging Into the Management Center Command Line Interface, on page 33
• View Your Last Login, on page 34
• Logging Out of the Management Center Web Interface, on page 35
• History for Logging into the Management Center, on page 35
User Accounts
You must provide a username and password to obtain local access to the web interface or CLI on the management center or a managed device. On managed devices, CLI users with Config level access can use the expert command to access the Linux shell. On the management center, all CLI users can use the expert command.
The threat defense and management center can be configured to use external authentication, storing user credentials on an external LDAP or RADIUS server; you can withhold or provide CLI access rights to external users. The management center can be configured to support Single Sign-On (SSO) using any SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard for authentication and authorization.
The management center CLI provides a single admin user who has access to all commands. The features management center web interface users can access are controlled by the privileges an administrator grants to the user account. On managed devices, the features that users can access for both the CLI and the web interface are controlled by the privileges an administrator grants to the user account.
Note The system audits user activity based on user accounts; make sure that users log into the system with the correct account.
Caution All management center CLI users and, on managed devices, users with Config level CLI access can obtain root privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:
• If you establish external authentication, make sure that you restrict the list of users with CLI access appropriately.
• When granting CLI access privileges on managed devices, restrict the list of internal users with Config level CLI access.
• Do not establish Linux shell users; use only the pre-defined admin user and users created by the admin user within the CLI.
Caution We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Firepower user documentation.
Different appliances support different types of user accounts, each with different capabilities.
Secure Firewall Management Centers
Secure Firewall Management Centers support the following user account types:
• A pre-defined admin account for web interface access, which has the administrator role and can be managed through the web interface.
• Custom user accounts, which provide web interface access and which admin users and users with administrator privileges can create and manage.
• A pre-defined admin account for CLI access. Users logging in with this account can use the expert command to gain access to the Linux shell.
During initial configuration, the passwords for the CLI admin account and the web interface admin account are synchronized but, optionally, thereafter you can configure separate passwords for the two admin accounts.
Caution For system security reasons, Cisco strongly recommends that you not establish additional Linux shell users on any appliance.
Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual Devices
Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual devices support the following user account types:
• A pre-defined admin account which can be used for all forms of access to the device.
• Custom user accounts, which admin users and users with Config access can create and manage.
The Secure Firewall Threat Defense supports external authentication for SSH users.
System User Interfaces
Depending on appliance type, you can interact with appliances using a web-based GUI, auxiliary CLI, or the Linux shell. In a Secure Firewall Management Center deployment, you perform most configuration tasks from the management center GUI. Only a few tasks require that you access the appliance directly using the CLI or Linux shell. We strongly discourage using the Linux shell unless directed by Cisco TAC or explicit instructions in the user documentation.
For information on browser requirements, see the Firepower Release Notes.
Note On all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.
Appliance: Secure Firewall Management Center
Web-Based GUI
• Supported for predefined admin user and custom user accounts.
• Can be used for administrative, management, and analysis tasks.
Auxiliary CLI
• Supported for predefined admin user and custom external user accounts.
• Accessible using an SSH, serial, or keyboard and monitor connection.
• Should be used only for administration and troubleshooting directed by Cisco TAC.
Linux Shell
• Supported for predefined admin user.
• Must be accessed via expert command from the Secure Firewall Management Center CLI.
• Accessible using an SSH, serial, or keyboard and monitor connection.
• Should be used only for administration and troubleshooting directed by Cisco TAC or by explicit instructions in the management center documentation.
Appliance: Secure Firewall Threat Defense, Secure Firewall Threat Defense Virtual
Web-Based GUI: —
Auxiliary CLI
• Supported for predefined admin user and custom user accounts.
• Accessible in physical devices using an SSH, serial, or keyboard and monitor connection. Accessible in virtual devices via SSH or VM console.
• Can be used for setup and troubleshooting directed by Cisco TAC.
Linux Shell
• Supported for predefined admin user and custom user accounts.
• Accessible by CLI users with Config access using the expert command.
• Should be used only for administration and troubleshooting directed by Cisco TAC or by explicit instructions in the management center documentation.
Related Topics
Add an Internal User, on page 111
Web Interface Considerations
• If your organization uses Common Access Cards (CACs) for authentication, external users authenticated with LDAP can use CAC credentials to obtain access to the web interface of an appliance.
• The menus and menu options listed at the top of the default home page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the system displays a warning message and logs the activity.
• Some processes that take a significant amount of time may cause your web browser to display a message that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it finishes.
Related Topics
Specifying Your Home Page, on page 188
Session Timeout
By default, the system automatically logs you out of a session after 1 hour of inactivity, unless you are otherwise configured to be exempt from session timeout.
Note For SSO users, when the management center session times out, the display briefly redirects to the IdP interface, and then to the management center login page. Unless the SSO session has been terminated from elsewhere, anyone can access the management center without providing login credentials simply by clicking the Single Sign-On link on the login page. To ensure management center security and prevent others from accessing the management center using your SSO account, we recommend that you not leave a management center login session unattended, and that you log out of the SSO federation at the IdP when you log out of the management center.
Users with the Administrator role can change the session timeout interval for an appliance via the following settings:
System > Configuration > Shell Timeout
Related Topics
Configure Session Timeouts, on page 92
, on page 129
Logging Into the Secure Firewall Management Center Web Interface
Note This task applies to internal users and external users authenticated by LDAP or RADIUS servers. For SSO login, see Logging Into the Management Center Web Interface Using SSO, on page 32.
Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.
In a NAT environment where multiple management centers share the same IP address:
• Each management center can support only one login session at a time.
• To access different management centers, use a different browser for each login (for example Firefox and Chrome), or set the browser to incognito or private mode.
Before you begin
• If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.
• Create user accounts as described in Add an Internal User, on page 111.
Procedure
Step 1: Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your management center.
Step 2: In the Username and Password fields, enter your user name and password. Pay attention to the following guidelines:
• User names are not case-sensitive.
• In a multidomain deployment, prepend the user name with the domain where your user account was created. You are not required to prepend any ancestor domains. For example, if your user account was created in SubdomainB, which has an ancestor DomainA, enter your user name in the following format: SubdomainB\username
• If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log into the system.
Step 3: Click Login.
Logging Into the Management Center Web Interface Using SSO
The management center can be configured to participate in any Single-Sign On (SSO) federation implemented with an SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard.
SSO user accounts must be established at the identity provider (IdP) and must use email addresses for their account names. If your user name is not an email address, or SSO login fails, contact your system administrator.
Note The management center does not support logging in with CAC credentials for SSO accounts.
Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.
In a NAT environment where multiple management centers share the same IP address:
• Each management center can support only one login session at a time.
• To access different management centers, use a different browser for each login (for example Firefox and Chrome), or set the browser to incognito or private mode.
Before you begin
• Configure the management center for SSO access. See Configure SAML Single Sign-On, on page 129.
• If you do not have access to the web interface, contact your system administrator to configure your account at the SSO IdP.
Procedure
Step 1: Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your management center.
Note SSO users must consistently access the management center using the login URL specifically configured for SSO access; ask your administrator for this information.
Step 2: Click on the Single Sign-On link.
Step 3: The system responds in one of two ways:
• If you are already logged into the SSO federation, the management center default home page appears.
• If you are not already logged into the SSO federation, the management center redirects your browser to the login page for your IdP. After you complete the login process at the IdP, the management center default home page appears.
Related Topics
, on page 30
, on page 129
Logging Into the Secure Firewall Management Center with CAC Credentials
Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.
In a NAT environment where multiple management centers share the same IP address:
• Each management center can support only one login session at a time.
• To access different management centers, use a different browser for each login (for example Firefox and Chrome), or set the browser to incognito or private mode.
Caution Do not remove a CAC during an active browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.
Before you begin
• If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.
• Create user accounts as described in Add an Internal User, on page 111.
• Configure CAC authentication and authorization as described in Authentication with LDAP, on page 128.
Procedure
Step 1: Insert a CAC as instructed by your organization.
Step 2: Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your management center.
Step 3: If prompted, enter the PIN associated with the CAC you inserted in step 1.
Step 4: If prompted, choose the appropriate certificate from the drop-down list.
Step 5: Click Continue.
Related Topics
Configure Common Access Card Authentication with LDAP, on page 128
SSO Guidelines for the Management Center, on page 130
Logging Into the Management Center Command Line Interface
The admin CLI user and certain custom external users can log into the management center CLI.
Caution We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the management center documentation.
Note For all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.
Before you begin
Complete the initial configuration process as the admin user. See Logging In for the First Time, on page 3.
Procedure
Step 1: Use the admin user name and password to connect to the management center via SSH or the console port.
If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log in.
Step 2: Use any of the available CLI commands.
View Your Last Login
If you suspect that an unauthorized user has used your credentials to sign in to the Secure Firewall Management Center, you can see the date, time, and IP address from which your credentials were last used to log in.
Before you begin
This feature is not available if you are using the Classic theme. You can select a UI theme in User Preferences.
Procedure
Step 1: Sign in to the Secure Firewall Management Center.
Step 2: At the top right corner of your browser window, look for the User ID that you used to sign in.
Step 3: Click your user name.
Step 4: Information about your previous login is shown at the bottom of the menu that appears.
Logging Out of the Management Center Web Interface
When you are no longer actively using the management center web interface, Cisco recommends that you log out, even if you are only stepping away from your web browser for a short period of time. Logging out ends your web session and ensures that no one can use the interface with your credentials.
Note If you are logging out of an SSO session at the management center, when you log out the system redirects your browser to the SSO IdP for your organization. To ensure management center security and prevent others from accessing the management center using your SSO account, we recommend you log out of the SSO federation at the IdP.
Procedure
Step 1: From the drop-down list under your user name, choose Logout.
Step 2: If you are logging out of an SSO session at the management center, the system redirects you to the SSO IdP for your organization. Log out at the IdP to ensure management center security.
History for Logging into the Management Center
Feature: Added support for Single Sign-On (SSO) using any SAML 2.0-compliant SSO provider.
Version: 6.7
Details: Added the ability for users configured at any third-party SAML 2.0-compliant identity provider (IdP) to log into the management center using a new Single Sign-On link on the login page.
New/Modified screen: Login screen

Feature: View information about the last time you signed in to the Secure Firewall Management Center
Version: 6.5
Details: View the date, time, and IP address from which you last logged in.
New/Modified menus: The menu at the top right of the window that shows the username that you used to log in.
Supported platforms: management center

Feature: Automatic CLI access for the management center
Version: 6.5
Details: When you use SSH to log into the management center, you automatically access the CLI. Although strongly discouraged, you can then use the CLI expert command to access the Linux shell.
Note This feature deprecates the Version 6.3 ability to enable and disable CLI access for the management center. As a consequence of deprecating this option, the virtual management center no longer displays the System > Configuration > Console Configuration page, which still appears on physical management centers.

Feature: Limit number of SSH login failures
Version: 6.3
Details: When a user accesses any device via SSH and fails three successive login attempts, the device terminates the SSH session.

Feature: Ability to enable and disable CLI access for the management center
Version: 6.3
Details: New/Modified screens: New check box available to administrators in the management center web interface: Enable CLI Access on the System ( ) > Configuration > Console Configuration page.
• Checked: Logging into the management center using SSH accesses the CLI.
• Unchecked: Logging into the management center using SSH accesses the Linux shell. This is the default state for fresh Version 6.3 installations as well as upgrades to Version 6.3 from a previous release.
Supported platforms: management center
Part II
System Settings
• System Configuration, on page 39
• High Availability, on page 275
• Security Certifications Compliance, on page 295
Chapter 3
System Configuration
The following topics explain how to configure system configuration settings on Secure Firewall Management Centers and managed devices:
• Requirements and Prerequisites for the System Configuration, on page 40
• About System Configuration, on page 40
• Appliance Information, on page 42
• HTTPS Certificates, on page 43
• External Database Access Settings, on page 50
• Database Event Limits, on page 52
• Management Interfaces, on page 55
• Shut Down or Restart, on page 64
• Remote Storage Management, on page 64
• Change Reconciliation, on page 69
• Policy Change Comments, on page 70
• Audit Log Certificate, on page 75
• Dashboard Settings, on page 79
• Email Notifications, on page 80
• Language Selection, on page 81
• Time and Time Synchronization, on page 84
• Global User Configuration Settings, on page 89
• Vulnerability Mapping, on page 92
• Remote Console Access Management, on page 93
• REST API Preferences, on page 99
• VMware Tools and Virtual Systems, on page 100
• (Optional) Opt Out of Web Analytics Tracking, on page 101
• History for System Configuration, on page 101
Requirements and Prerequisites for the System Configuration
Model Support: Management Center
Supported Domains: Global
User Roles: Admin
About System Configuration
System Configuration settings apply to your Secure Firewall Management Center.
Navigating the Secure Firewall Management Center System Configuration
The system configuration identifies basic settings for a Secure Firewall Management Center.
Procedure
Step 1: Choose System ( ) > Configuration.
Step 2: Use the navigation panel to choose configurations to change; see Table 1: System Configuration Settings, on page 40 for more information.
System Configuration Settings
Note that for managed devices, many of these configurations are handled by a platform settings policy applied from the management center; see .
Table 1: System Configuration Settings
Access Control Preferences: Configure the system to prompt users for a comment when they add or modify an access control policy; see Policy Change Comments, on page 70.
Access List: Control which computers can access the system on specific ports; see
Audit Log: Configure the system to send an audit log to an external host; see
Audit Log Certificate: Configure the system to secure the channel when streaming the audit log to an external host; see .
Change Reconciliation: Configure the system to send a detailed report of changes to the system over the last 24 hours; see .
Console Configuration: Configure console access via VGA or serial port, or via Lights-Out Management (LOM); see Console Access Management, on page 93.
Dashboard: Enable Custom Analysis widgets on the dashboard; see Dashboard Settings, on page 79.
Database: Specify the maximum number of each type of event that the Secure Firewall Management Center can store; see Database Event Limits, on page 52.
DNS Cache: Configure the system to resolve IP addresses automatically on event view pages; see
Email Notification: Configure a mail host, select an encryption method, and supply authentication credentials for email-based notifications and reporting; see Email Notifications, on page 80.
External Database Access: Enable external read-only access to the database, and provide a client driver to download; see Database Access Settings, on page 50.
HTTPS Certificate: Request an HTTPS server certificate, if needed, from a trusted authority and upload certificates to the system; see HTTPS Certificates, on page 43.
Information: View current information about the appliance and edit the display name; see Appliance Information, on page 42.
Intrusion Policy Preferences: Configure the system to prompt users for a comment when they modify an intrusion policy; see
Language: Specify a different language for the web interface; see Language Selection, on page 81.
Login Banner: Create a custom login banner that appears when users log in; see
Management Interfaces: Change options such as the IP address, hostname, and proxy settings of the appliance; see .
Network Analysis Policy Preferences: Configure the system to prompt users for a comment when they modify a network analysis policy; see Policy Change Comments, on page 70.
Process: Shut down, reboot, or restart Firepower processes; see Shut Down or Restart, on page 64.
Remote Storage Device: Configure remote storage for backups and reports; see Remote Storage Management, on page 64.
REST API Preferences: Enable or disable access to the Secure Firewall Management Center via the Firepower REST API; see REST API Preferences, on page 99.
Shell Timeout: Configure the amount of idle time, in minutes, before a user’s login session times out due to inactivity; see Session Timeouts, on page 92.
SNMP: Enable Simple Network Management Protocol (SNMP) polling; see .
Time: View and change the current time setting; see Time and Time Synchronization, on page 84.
Time Synchronization: Manage time synchronization on the system; see Time and Time Synchronization, on page 84.
UCAPL/CC Compliance: Enable compliance with specific requirements set out by the United States Department of Defense; see Enable Security Certifications Compliance, on page 300.
User Configuration: Configure the Secure Firewall Management Center to track successful login history and password history for all users, or enforce temporary lockouts on users who enter invalid login credentials; see Configuration Settings, on page 89.
VMware Tools: Enable and use VMware Tools on a Secure Firewall Management Center Virtual; see .
Vulnerability Mapping: Map vulnerabilities to a host IP address for any application protocol traffic received or sent from that address; see Vulnerability Mapping, on page 92.
Web Analytics: Enable and disable collection of non-personally-identifiable information from your system. See Opt Out of Web Analytics Tracking, on page 101.
Appliance Information
The System > Configuration page of the web interface includes the information listed in the table below.
Unless otherwise noted, all fields are read-only.
Note See also the Help > About page, which includes similar but slightly different information.
Name: A descriptive name you assign to the management center appliance. Although you can use the host name as the name of the appliance, entering a different name in this field does not change the host name. This name is used in certain integrations. For example, it appears in the Devices list for integrations with SecureX and SecureX threat response. If you change the name, all registered devices are marked out of date and deployment is required to push the new name to the devices.
Product Model: The model name of the appliance.
Serial Number: The serial number of the appliance.
Software Version: The version of the software currently installed on the appliance.
Operating System: The operating system currently running on the appliance.
Operating System Version: The version of the operating system currently running on the appliance.
IPv4 Address: The IPv4 address of the default (eth0) management interface. If IPv4 management is disabled, this field indicates that.
IPv6 Address: The IPv6 address of the default (eth0) management interface. If IPv6 management is disabled, this field indicates that.
Current Policies: The system-level policies currently deployed. If a policy has been updated since it was last deployed, the name of the policy appears in italics.
Model Number: The appliance-specific model number stored on the internal flash drive. This number may be important for troubleshooting.
HTTPS Certificates
Secure Sockets Layer (SSL)/TLS certificates enable Secure Firewall Management Centers to establish an encrypted channel between the system and a web browser. A default certificate is included with all Firepower devices, but it is not issued by a globally known or trusted certificate authority (CA). For this reason, consider replacing it with a custom certificate signed by a globally known or internally trusted CA.
Caution The management center supports 4096-bit HTTPS certificates. If the certificate used by the management center was generated using a public server key larger than 4096 bits, you will not be able to log in to the management center web interface. If this happens, contact Cisco TAC.
Default HTTPS Server Certificates
If you use the default server certificate provided with an appliance, do not configure the system to require a valid HTTPS client certificate for web interface access because the default server certificate is not signed by the CA that signs your client certificate.
The lifetime of the default server certificate depends on when the certificate was generated. To view your default server certificate expiration date, choose System ( ) > Configuration > HTTPS Certificate.
Note that some Firepower software upgrades can automatically renew the certificate. For more information, see the appropriate version of the Cisco Firepower Release Notes.
On the Secure Firewall Management Center, you can renew the default certificate on the System ( ) > Configuration > HTTPS Certificate page.
Custom HTTPS Server Certificates
You can use the Secure Firewall Management Center web interface to generate a server certificate request based on your system information and the identification information you supply. You can use that request to sign a certificate if you have an internal certificate authority (CA) installed that is trusted by your browser.
You can also send the resulting request to a certificate authority to request a server certificate. After you have a signed certificate from a certificate authority (CA), you can import it.
HTTPS Server Certificate Requirements
When you use HTTPS certificates to secure the connection between your web browser and the Firepower appliance web interface, you must use certificates that comply with the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280). When you import a server certificate to the appliance, the system rejects the certificate if it does not comply with version 3 (X.509 v3) of that standard.
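The custom-certificate procedure above (a CSR signed by an internal CA, then imported) and the requirements in this section, as an added example that is not Cisco's code: a POSIX shell script using the openssl command line that builds an X.509 v3 server certificate and checks it for the version, Subject Alternative Name, Basic Constraints CA:FALSE, key identifiers, 4096-bit key limit and matching signature-algorithm fields this page calls for, before it is uploaded. The CA name, the hostname fmc.example.test and the IP 192.0.2.10 are constructed, and the throwaway CA stands in for your internal CA.

```shell
#!/bin/sh
# Added example, not Cisco's code: build a server certificate the way the page
# describes (CSR signed by an internal CA) and check the result against the import
# requirements given here before uploading it to the management center.
# Constructed values: the CA name, the hostname fmc.example.test and the IP
# 192.0.2.10. The throwaway CA generated below stands in for your internal CA.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Internal CA (constructed). "openssl req -x509" marks it CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Internal CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and CSR. 4096 bits is the largest key the management center accepts.
openssl req -new -newkey rsa:4096 -nodes -subj '/CN=fmc.example.test' \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. Sign the CSR as an X.509 v3 end-entity certificate with the extensions the
#    page requires or recommends: SAN, key identifiers, Key Usage, Extended Key
#    Usage and Basic Constraints marked critical with CA:FALSE.
cat >"$WORK/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:fmc.example.test,IP:192.0.2.10
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# key_bits CERT.pem: prints the size of the certificate's public key in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# has PATTERN: true if PATTERN occurs in the decoded certificate text held in $text.
has() { printf '%s\n' "$text" | grep -q -- "$1"; }

# require LABEL CMD...: run CMD, print PASS/FAIL with LABEL, record a failure in rc.
require() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; rc=1; fi
}

# check_cert CERT.pem: one PASS/FAIL line per requirement; returns 1 if any failed.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    rc=0
    require "X.509 version 3 (the system rejects other versions)" has 'Version: 3'
    require "Subject Alternative Name present" has 'Subject Alternative Name'
    require "Basic Constraints CA:FALSE" has 'CA:FALSE'
    require "Key Usage present" has 'X509v3 Key Usage'
    require "Extended Key Usage present" has 'X509v3 Extended Key Usage'
    require "Subject Key Identifier present" has 'X509v3 Subject Key Identifier'
    require "Authority Key Identifier present" has 'X509v3 Authority Key Identifier'
    # A public key larger than 4096 bits breaks web interface login.
    bits=$(key_bits "$1")
    require "public key <= 4096 bits (found $bits)" [ "$bits" -le 4096 ]
    # Signature and signatureAlgorithm must agree: -text prints both, so exactly
    # one distinct "Signature Algorithm" line must remain after de-duplication.
    sigs=$(printf '%s\n' "$text" | grep 'Signature Algorithm:' | sed 's/^ *//' \
        | sort -u | wc -l | tr -d ' ')
    require "signature algorithm fields agree" [ "$sigs" -eq 1 ]
    return "$rc"
}

echo "== server.crt (expected to pass every check) =="
check_cert "$WORK/server.crt"
```

Running check_cert against the CA certificate instead shows the failure mode: it carries CA:TRUE and no SAN, so it reports FAIL lines and exits non-zero.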
Before importing an HTTPS server certificate, be certain it includes the following fields:
Certificate Field: Description

Version: Version of the encoded certificate. Use version 3. See RFC 5280, section 4.1.2.1.

Serial number: A positive integer assigned to the certificate by the issuing CA. Issuer and serial number together uniquely identify the certificate. See RFC 5280, section 4.1.2.2.

Signature: Identifier for the algorithm used by the CA to sign the certificate. Must match the signatureAlgorithm field. See RFC 5280, section 4.1.2.3.

Issuer: Identifies the entity that signed and issued the certificate. See RFC 5280, section 4.1.2.4.

Validity: Interval during which the CA warrants that it will maintain information about the status of the certificate. See RFC 5280, section 4.1.2.5.

Subject: Identifies the entity associated with the public key stored in the subject public key field; must be an X.500 distinguished name (DN). See RFC 5280, section 4.1.2.6.

Subject Alternative Name: Domain names and IP addresses secured by the certificate. Subject Alternative Name is defined in RFC 5280, section 4.2.1.6. We recommend you use this field if the certificate is used for multiple domains or IP addresses.

Subject Public Key Info: Public key and an identifier for its algorithm. See RFC 5280, section 4.1.2.7.

Authority Key Identifier: Provides a means of identifying the public key corresponding to the private key used to sign a certificate. See RFC 5280, section 4.2.1.1.

Subject Key Identifier: Provides a means of identifying certificates that contain a particular public key. See RFC 5280, section 4.2.1.2.

Key Usage: Defines the purpose of the key contained in the certificate. See RFC 5280, section 4.2.1.3.

Basic Constraints: Identifies whether the certificate Subject is a CA, and the maximum depth of valid certification paths that include this certificate. See RFC 5280, section 4.2.1.9. This field is not strictly required for server certificates used in Firepower appliances, but we strongly recommend including this field and specifying critical CA:FALSE.

Extended Key Usage extension: Indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the Key Usage extension. See RFC 5280, section 4.2.1.12. Be certain you import certificates that can be used as server certificates.

signatureAlgorithm: Identifier for the algorithm the CA used to sign the certificate. Must match the Signature field. See RFC 5280, section 4.1.1.2.

signatureValue: Digital signature. See RFC 5280, section 4.1.1.3.
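A pre-import check for the requirements above, written here as an added example (not Cisco's code or an FMC tool) around the openssl command line: it decodes a PEM certificate, reports each missing field, and also enforces the 4096-bit key limit stated under Importing HTTPS Server Certificates. The request config, file paths, fmc.example.com and 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Cisco's code): check a PEM server certificate against
# the field requirements in the table above, plus the 4096-bit key limit
# from the import procedure, using only the openssl command-line tool.
# Paths, the example.com names and the 192.0.2.10 address are constructed.

# Decode a PEM certificate into the human-readable form used by the checks.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Size of the certificate's public key in bits (RSA or EC), e.g. 2048.
cert_key_bits() {
    cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_fmc_server_cert FILE
# Exit 0 when FILE meets every requirement; otherwise print each problem
# and exit 1. Run this before pasting the certificate into the web UI.
check_fmc_server_cert() {
    txt=$(cert_text "$1") || { echo "cannot parse $1"; return 1; }
    rc=0
    # The appliance rejects anything that is not X.509 v3.
    echo "$txt" | grep -q 'Version: 3' \
        || { echo "not an X.509 v3 certificate"; rc=1; }
    # SAN must list every DNS name and IP address the certificate secures.
    echo "$txt" | grep -q 'X509v3 Subject Alternative Name' \
        || { echo "missing Subject Alternative Name"; rc=1; }
    # Basic Constraints: recommended critical, CA:FALSE for a server cert.
    echo "$txt" | grep -A1 'X509v3 Basic Constraints: critical' | grep -q 'CA:FALSE' \
        || { echo "Basic Constraints should be critical, CA:FALSE"; rc=1; }
    # Extended Key Usage must permit use as a TLS server certificate.
    echo "$txt" | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "Extended Key Usage does not include serverAuth"; rc=1; }
    # Key identifiers and Key Usage, as listed in the requirements table.
    echo "$txt" | grep -q 'X509v3 Subject Key Identifier' \
        || { echo "missing Subject Key Identifier"; rc=1; }
    echo "$txt" | grep -q 'X509v3 Authority Key Identifier' \
        || { echo "missing Authority Key Identifier"; rc=1; }
    echo "$txt" | grep -q 'X509v3 Key Usage' \
        || { echo "missing Key Usage"; rc=1; }
    # A key larger than 4096 bits locks you out of the web interface.
    bits=$(cert_key_bits "$1")
    [ "${bits:-0}" -le 4096 ] \
        || { echo "public key is $bits bits; maximum is 4096"; rc=1; }
    return $rc
}

# make_demo_cert DIR SECTION
# Self-signed test certificate built from a constructed request config;
# SECTION is server_ext (compliant) or bad_ext (no SAN/EKU/KU, CA:TRUE).
make_demo_cert() {
    mkdir -p "$1"
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
C  = US
ST = CA
L  = San Jose
O  = Example Corp
OU = Security Operations
CN = fmc.example.com
[ server_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:fmc.example.com, IP:192.0.2.10
[ bad_ext ]
basicConstraints       = critical, CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/req.cnf" -extensions "$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Point `check_fmc_server_cert` at the certificate returned by your CA; every line it prints is a field the appliance or your browser will object to.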
HTTPS Client Certificates
You can restrict access to the system web server using client browser certificate checking. When you enable user certificates, the web server checks that a user’s browser client has a valid user certificate selected. That user certificate must be generated by the same trusted certificate authority that is used for the server certificate.
The browser cannot load the web interface under any of the following circumstances:
• The user selects a certificate in the browser that is not valid.
• The user selects a certificate in the browser that is not generated by the certificate authority that signed the server certificate.
• The user selects a certificate in the browser that is not generated by a certificate authority in the certificate chain on the device.
To verify client browser certificates, configure the system to use the online certificate status protocol (OCSP) or load one or more certificate revocation lists (CRLs). Using the OCSP, when the web server receives a connection request it communicates with the certificate authority to confirm the client certificate's validity before establishing the connection. If you configure the server to load one or more CRLs, the web server compares the client certificate against those listed in the CRLs. If a user selects a certificate that is listed in a CRL as a revoked certificate, the browser cannot load the web interface.
Note If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both client browser certificates and audit log server certificates.
Viewing the Current HTTPS Server Certificate
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click HTTPS Certificate.
Generating an HTTPS Server Certificate Signing Request
If you install a certificate that is not signed by a globally known or internally trusted CA, the user's browser displays a security warning when they try to connect to the web interface.
A certificate signing request (CSR) is unique to the appliance or device from which you generated it. You cannot generate a CSR for multiple devices from a single appliance. Although all fields are optional, we recommend entering values for the following: CN, Organization, Organization Unit, City/Locality, State/Province, Country/Region, and Subject Alternative Name.
The key generated for the certificate request is in Base-64 encoded PEM format.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click HTTPS Certificate.
Step 3 Click Generate New CSR. The following figure shows an example.
Step 4 Enter a country code in the Country Name (two-letter code) field.
Step 5 Enter a state or province postal abbreviation in the State or Province field.
Step 6 Enter a Locality or City.
Step 7 Enter an Organization name.
Step 8 Enter an Organizational Unit (Department) name.
Step 9 Enter the fully qualified domain name of the server for which you want to request a certificate in the Common Name field.
Note Enter the fully qualified domain name of the server exactly as it should appear in the certificate in the Common Name field. If the common name and the DNS hostname do not match, you receive a warning when connecting to the appliance.
Step 10 To request a certificate that secures multiple domain names or IP addresses, enter the following information in the Subject Alternative Name section:
a) Domain Names: Enter the fully qualified domains and subdomains (if any) secured by the Subject Alternative Name.
b) IP Addresses: Enter the IP addresses secured by the Subject Alternative Name.
Step 11 Click Generate.
Step 12 Open a text editor.
Step 13 Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into a blank text file.
Step 14 Save the file as servername.csr, where servername is the name of the server where you plan to use the certificate.
Step 15 Click Close.
What to do next
• Submit the certificate request to the certificate authority.
• When you receive the signed certificate, import it to the Secure Firewall Management Center; see Importing HTTPS Server Certificates, on page 48.
Importing HTTPS Server Certificates
If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain (or certificate path).
If you require client certificates, accessing an appliance via the web interface will fail when the server certificate does not meet either of the following criteria:
• The certificate is signed by the same CA that signed the client certificate.
• The certificate is signed by a CA that has signed an intermediate certificate in the certificate chain.
Caution The Secure Firewall Management Center supports 4096-bit HTTPS certificates. If the certificate used by the Secure Firewall Management Center was generated using a public server key larger than 4096 bits, you will not be able to log in to the management center web interface. For more information about updating HTTPS Certificates to Version 6.0.0, see "Update Management Center HTTPS Certificates to Version 6.0" in Firepower System Release Notes, Version 6.0. If you generate or import an HTTPS Certificate and cannot log in to the management center web interface, contact Support.
Before you begin
• Generate a certificate signing request; see Generating an HTTPS Server Certificate Signing Request, on page 46.
• Upload the CSR file to the certificate authority where you want to request a certificate, or use the CSR to create a self-signed certificate.
• Confirm that the certificate meets the requirements described in HTTPS Server Certificate Requirements, on page 44.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click HTTPS Certificate.
Step 3 Click Import HTTPS Server Certificate.
Step 4 Open the server certificate in a text editor and copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Paste this text into the Server Certificate field.
Step 5 Whether you must supply a Private Key depends on how you generated the Certificate Signing Request:
• If you generated the Certificate Signing Request using the Secure Firewall Management Center web interface (as described in Generating an HTTPS Server Certificate Signing Request, on page 46), the system already has the private key and you need not enter one here.
• If you generated the Certificate Signing Request using some other means, you must supply the private key here. Open the private key file and copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.
Step 6 Open any required intermediate certificates, copy the entire block of text for each, and paste it into the Certificate Chain field. If you received a root certificate, paste it here. If you received an intermediate certificate, paste it below the root certificate. In both cases, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.
Step 7 Click Save.
Requiring Valid HTTPS Client Certificates
Use this procedure to require users connecting to the management center web interface to supply a user certificate. The system supports validating HTTPS client certificates using either OCSP or imported CRLs in Privacy-enhanced Electronic Mail (PEM) format.
If you choose to use CRLs, to ensure that the list of revoked certificates stays current, you can create a scheduled task to update the CRLs. The system displays the most recent refresh of the CRLs.
Note To access the web interface after enabling client certificates, you must have a valid client certificate present in your browser (or a CAC inserted in your reader).
Before you begin
• Import a server certificate signed by the same certificate authority that signed the client certificate to be used for the connection; see Importing HTTPS Server Certificates, on page 48.
• Import the server certificate chain if needed; see Importing HTTPS Server Certificates, on page 48.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click HTTPS Certificate.
Step 3 Choose Enable Client Certificates. If prompted, select the appropriate certificate from the drop-down list.
Step 4 You have three options:
• To verify client certificates using one or more CRLs, select Enable Fetching of CRL and continue with Step 5.
• To verify client certificates using OCSP, select Enable OCSP and skip to Step 7.
• To accept client certificates without checking for revocation, skip to Step 8.
Step 5 Enter a valid URL to an existing CRL file and click Add CRL. Repeat to add up to 25 CRLs.
Step 6 Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.
Note Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs. Edit the task to set the frequency of the update.
Step 7 Verify that the client certificate is signed by the certificate authority loaded onto the appliance and the server certificate is signed by a certificate authority loaded in the browser certificate store. (These should be the same certificate authority.)
Caution Saving a configuration with enabled client certificates, with no valid client certificate in your browser certificate store, disables all web server access to the appliance. Make sure that you have a valid client certificate installed before saving settings.
Step 8 Click Save.
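The CRL check described under HTTPS Client Certificates and enabled by this procedure, reproduced with a throw-away CA built from the openssl command line; this is an added example, not Cisco's code, and the CA name, the user alice, and all file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Cisco's code): a throw-away CA built with openssl to
# show the check an HTTPS server makes when it validates a client
# certificate against a CRL. Every name, path and subject is constructed
# for the demonstration; DIR holds all CA state.

# make_demo_ca DIR : create the CA, issue one client certificate and
# publish an empty CRL. Runs in a subshell so the cd does not leak.
make_demo_ca() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_policy
x509_extensions  = client_ext
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = dn
prompt           = no
[ dn ]
CN               = Demo Client CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    # The CA that must sign BOTH the server certificate and every client
    # certificate presented to the web interface.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -extensions ca_ext -keyout ca.key -out ca.pem 2>/dev/null
    # One user certificate, as a browser or CAC would present it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/CN=alice" -keyout alice.key -out alice.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -in alice.csr -out alice.pem >/dev/null 2>&1
    # Initial CRL: nothing revoked yet.
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)

# revoke_client DIR CERT : mark CERT revoked and republish the CRL, as the
# CA operator does when a user's certificate is lost or retired.
revoke_client() (
    cd "$1" || exit 1
    openssl ca -config ca.cnf -revoke "$2" >/dev/null 2>&1 &&
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)

# client_cert_status DIR CERT : the validation the web server performs on
# each TLS handshake when CRL checking is enabled. Exit 0 = accept,
# non-zero = reject (untrusted issuer, expired, or listed in the CRL).
client_cert_status() (
    cd "$1" || exit 1
    openssl verify -crl_check -purpose sslclient \
        -CAfile ca.pem -CRLfile crl.pem "$2" >/dev/null 2>&1
)

# crl_next_update DIR : date after which the loaded CRL is stale; the
# scheduled refresh task in the procedure above must run before then.
crl_next_update() {
    openssl crl -in "$1/crl.pem" -noout -nextupdate | sed 's/^nextUpdate=//'
}
```

Run `make_demo_ca`, check alice.pem, revoke it and check again: the same certificate is accepted with the first CRL and rejected once the refreshed CRL lists it, which is why the fetch task's frequency matters.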
Related Topics
Configuring Certificate Revocation List Downloads, on page 455
Renewing the Default HTTPS Server Certificate
You can only view server certificates for the appliance you are logged in to.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click HTTPS Certificate. The Renew HTTPS Certificate button appears only if your system is configured to use the default HTTPS server certificate.
Step 3 Click Renew HTTPS Certificate. (This option appears on the display below the certificate information only if your system is configured to use the default HTTPS server certificate.)
Step 4 (Optional) In the Renew HTTPS Certificate dialog box, select Generate New Key to generate a new key for the certificate.
Step 5 In the Renew HTTPS Certificate dialog box, click Save.
What to do next
You can confirm that the certificate has been renewed by checking that the certificate validity dates displayed on the HTTPS Certificate page have updated.
External Database Access Settings
You can configure the Secure Firewall Management Center to allow read-only access to its database by a third-party client. This allows you to query the database using SQL using any of the following:
• industry-standard reporting tools such as Actuate BIRT, JasperSoft iReport, or Crystal Reports
• any other reporting application (including a custom application) that supports JDBC SSL connections
• the Cisco-provided command-line Java application called RunQuery, which you can either run interactively or use to obtain comma-separated results for a single query
Use the Secure Firewall Management Center's system configuration to enable database access and create an access list that allows selected hosts to query the database. Note that this access list does not also control appliance access.
You can also download a package that contains the following:
• RunQuery, the Cisco-provided database query tool
• InstallCert, a tool you can use to retrieve and accept the SSL certificate from the Secure Firewall Management Center you want to access
• the JDBC driver you must use to connect to the database
See the Firepower System Database Access Guide for information on using the tools in the package you downloaded to configure database access.
Enabling External Access to the Database
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click External Database Access.
Step 3 Select the Allow External Database Access check box.
Step 4 Enter an appropriate value in the Server Hostname field. Depending on your third-party application requirements, this value can be either the fully qualified domain name (FQDN), IPv4 address, or IPv6 address of the Secure Firewall Management Center.
Note In management center high availability setups, enter only the active peer details. We do not recommend entering details of the standby peer.
Step 5 Next to Client JDBC Driver, click Download and follow your browser’s prompts to download the client.zip package.
Step 6 To add database access for one or more IP addresses, click Add Hosts. An IP Address field appears in the Access List field.
Step 7 In the IP Address field, enter an IP address or address range, or any.
Step 8 Click Add.
Step 9 Click Save.
Tip If you want to revert to the last saved database settings, click Refresh .
Related Topics
IP Address Conventions, on page 26
Database Event Limits
To manage disk space, the management center periodically prunes the oldest intrusion events, audit records, Security Intelligence data, and URL filtering data from the event database. For each event type, you can specify how many records the management center retains after pruning; never rely on the event database containing more records of any type than the retention limit configured for that type. To improve performance, tailor the event limits to the number of events you regularly work with. You can optionally choose to receive email notifications when pruning occurs. For some event types, you can disable storage.
To manually delete individual events, use the event viewer. (Note that in Versions 6.6.0+, you cannot manually delete connection or Security Intelligence events in this way.) You can also manually purge the database; see Data Purge and Storage, on page 479.
Configuring Database Event Limits
Before you begin
• If you want to receive email notifications when events are pruned from the Secure Firewall Management Center's database, you must configure an email server; see Configuring a Mail Relay Host and Notification
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Choose Database.
Step 3 For each of the databases, enter the number of records you want to store. For information on how many records each database can maintain, see Database Event Limits, on page 52.
Step 4 Optionally, in the Data Pruning Notification Address field, enter the email address where you want to receive pruning notifications.
Step 5 Click Save.
Database Event Limits
The following table lists the minimum and maximum number of records for each event type that you can store on a Secure Firewall Management Center.
Table 2: Database Event Limits

Intrusion events
  Upper limit: 10 million (management center Virtual); 30 million (management center 1000, management center 1600); 60 million (management center 2500, management center 2600, FMCv 300); 300 million (management center 4500, management center 4600)
  Lower limit: 10,000

Discovery events
  Upper limit: 10 million (management center Virtual); 20 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
  Lower limit: Zero (disables storage)

Connection events and Security Intelligence events
  Upper limit: 50 million (management center Virtual); 100 million (management center 1000, management center 1600); 300 million (management center 2500, management center 2600, FMCv 300); 1 billion (management center 4500, management center 4600)
  This limit is shared between connection events and Security Intelligence events. The sum of the configured maximums cannot exceed this limit.
  If you set the Maximum Connection Events value to zero, then connection events that are not associated with Security Intelligence, intrusion, file, and malware events are not stored on the management center. See below for the effect of this setting on Maximum Flow Rate. These settings do not affect connection summaries.
  Caution Setting Maximum Connection Events to zero immediately purges existing connection events other than Security Intelligence events.
  Lower limit: Zero (disables storage)

Connection summaries (aggregated connection events)
  Upper limit: 50 million (management center Virtual); 100 million (management center 1000, management center 1600); 300 million (management center 2500, management center 2600, FMCv 300); 1 billion (management center 4500, management center 4600)
  Lower limit: Zero (disables storage)

Correlation events and compliance allow list events
  Upper limit: 1 million (management center Virtual); 2 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
  Lower limit: One

Malware events
  Upper limit: 10 million (management center Virtual); 20 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
  Lower limit: 10,000

File events
  Upper limit: 10 million (management center Virtual); 20 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
  Lower limit: Zero (disables storage)

Health events
  Upper limit: 1 million
  Lower limit: Zero (disables storage)

Audit records
  Upper limit: 100,000
  Lower limit: One

Remediation status events
  Upper limit: 10 million
  Lower limit: One

Allow list violation history
  Upper limit: a 30-day history of violations
  Lower limit: One day’s history

User activity (user events)
  Upper limit: 10 million
  Lower limit: One

User logins (user history)
  Upper limit: 10 million
  Lower limit: One

Intrusion rule update import log records
  Upper limit: 1 million
  Lower limit: One

VPN Troubleshooting database
  Upper limit: 10 million
  Lower limit: Zero (disables storage)
Maximum Flow Rate
The Maximum flow rate (flows per second) value for your management center hardware model is specified in the Platform Specifications section of the management center datasheet at https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html?cachemode=refresh
If you set the Maximum Connection Events value in platform settings to zero, then connection events that are not associated with Security Intelligence, intrusion, file, and malware events are not counted toward the maximum flow rate for your management center hardware.
Any non-zero value in this field causes ALL connection events to be counted against the maximum flow rate.
Other event types on this page do not count against the maximum flow rate.
Management Interfaces
After setup, you can change the management network settings, including adding more management interfaces, hostname, search domains, DNS servers, and HTTP proxy on the management center.
About Management Center Management Interfaces
By default, the management center manages all devices on a single management interface. You can also perform initial setup on the management interface and log into the management center on this interface as an administrator. The management interface is also used to communicate with the Smart Licensing server, to download updates, and to perform other management functions.
For information about device management interfaces, see About Device Management Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide.
Management Interfaces on the Management Center
The management center uses the eth0 interface for initial setup, HTTP access for administrators, management of devices, as well as other management functions such as licensing and updates.
You can also configure additional management interfaces on the same network, or on different networks.
When the management center manages large numbers of devices, adding more management interfaces can improve throughput and performance. You can also use these interfaces for all other management functions.
You might want to use each management interface for particular functions; for example, you might want to use one interface for HTTP administrator access and another for device management.
For device management, the management interface carries two separate traffic channels: the management traffic channel carries all internal traffic (such as inter-device traffic specific to managing the device), and the event traffic channel carries all event traffic (such as web events). You can optionally configure a separate event-only interface on the management center to handle event traffic; you can configure only one event interface. Event traffic can use a large amount of bandwidth, so separating event traffic from management traffic can improve the performance of the management center. For example, you can assign a 10 GigabitEthernet interface to be the event interface, if available, while using 1 GigabitEthernet interfaces for management. You might want to configure an event-only interface on a completely secure, private network while using the regular management interface on a network that includes Internet access, for example. You can also use both management and event interfaces on the same network if the goal is only to take advantage of increased throughput. Managed devices will send management traffic to the management center's management interface and event traffic to the management center's event-only interface. If the managed device cannot reach the event-only interface, then it will fall back to sending events to the management interface.
Note All management interfaces support HTTP administrator access as controlled by your Access List configuration (Configure an Access List, on page 71). Conversely, you cannot restrict an interface to only HTTP access; management interfaces always support device management (management traffic, event traffic, or both).
Note Only the eth0 interface supports DHCP IP addressing. Other management interfaces only support static IP addresses.
Management Interface Support Per Management Center Model
See the hardware installation guide for your model for the management interface locations.
See the following table for supported management interfaces on each management center model.
Table 3: Management Interface Support on the Management Center

Model: Management Interfaces
MC1000: eth0 (Default), eth1
MC2500, MC4500: eth0 (Default), eth1, eth2, eth3
MC1600, MC2600, MC4600: eth0 (Default), eth1, eth2, eth3, CIMC (Supported for Lights-Out Management only.)
Management Center Virtual: eth0 (Default)
Network Routes on Management Center Management Interfaces
Management interfaces (including event-only interfaces) support only static routes to reach remote networks.
When you set up your management center, the setup process creates a default route to the gateway IP address that you specify. You cannot delete this route; you can only modify the gateway address.
You can configure multiple management interfaces on some platforms. The default route does not include an egress interface, so the interface chosen depends on the gateway address you specify, and which interface's network the gateway belongs to. In the case of multiple interfaces on the default network, the device uses the lower-numbered interface as the egress interface.
At least one static route is recommended per management interface to access remote networks. We recommend placing each interface on a separate network to avoid potential routing problems, including routing problems from other devices to the management center. If you do not experience problems with interfaces on the same network, then be sure to configure static routes correctly. For example, on the management center both eth0 and eth1 are on the same network, but you want to manage a different group of devices on each interface. The default gateway is 192.168.45.1. If you want eth1 to manage devices on the remote 10.6.6.0/24 destination network, you can create a static route for 10.6.6.0/24 through eth1 with the same gateway of 192.168.45.1. Traffic to 10.6.6.0/24 will hit this route before it hits the default route, so eth1 will be used as expected.
If you want to use two management center interfaces to manage remote devices that are on the same network, then static routing on the management center may not scale well, because you need separate static routes per device IP address.
Another example includes separate management and event-only interfaces on both the management center and the managed device. The event-only interfaces are on a separate network from the management interfaces. In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa.
NAT Environments
Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for management center communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router.
Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the management center specifies the device IP address when you add a device, and the device specifies the management center IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The management center and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.
For example, you add a device to the management center, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the management center; leave the IP address blank. On the device, you specify the management center IP address, the same NAT ID, and the same registration key. The device registers to the management center's IP address.
At this point, the management center uses the NAT ID instead of IP address to authenticate the device.
Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the management center. On the management center, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the management center IP address and the NAT ID. Note: The NAT ID must be unique per device.
The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID per device on both the management center and the devices, and specify the management center IP address on the devices.
Figure 2: NAT ID for Managed Devices Behind PAT
The following example shows the management center behind a PAT IP address. In this case, specify a unique NAT ID per device on both the management center and the devices, and specify the device IP addresses on the management center.
Figure 3: NAT ID for Management Center Behind PAT
Management and Event Traffic Channel Examples
Note If you use a data interface for management on a threat defense, you cannot use separate management and event interfaces for that device.
The following example shows the Secure Firewall Management Center and managed devices using only the default management interfaces.
Figure 4: Single Management Interface on the Secure Firewall Management Center
The following example shows the Secure Firewall Management Center using separate management interfaces for devices; and each managed device using 1 management interface.
Figure 5: Multiple Management Interfaces on the Secure Firewall Management Center
The following example shows the Secure Firewall Management Center and managed devices using a separate event interface.
Figure 6: Separate Event Interface on the Secure Firewall Management Center and Managed Devices
The following example shows a mix of multiple management interfaces and a separate event interface on the Secure Firewall Management Center and a mix of managed devices using a separate event interface, or using a single management interface.
Figure 7: Mixed Management and Event Interface Usage
Modify Management Center Management Interfaces
Caution Do NOT push the management center deployments over a VPN tunnel that is terminating directly on the threat defense. Pushing the management center deployments can potentially inactivate the tunnel and disconnect the management center and the threat defense.
Recovering the device from this situation can be very disruptive and requires executing the disaster recovery procedure. This procedure resets the threat defense configuration to factory defaults by changing the manager from the management center to local and configuring the device from the beginning. For more information, see Best Practices for Deploying Configuration Changes in the Firepower Management Center Device Configuration Guide.
Modify the management interface settings on the Secure Firewall Management Center. You can optionally enable additional management interfaces or configure an event-only interface.
Caution Be careful when making changes to the management interface to which you are connected; if you cannot re-connect because of a configuration error, you need to access the management center console port to re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation.
Note If you change the management center IP address, then see Edit the management center IP Address or Hostname on the Device in the Cisco Secure Firewall Management Center Device Configuration Guide . If you change the management center IP address or hostname, you should also change the value at the device CLI so the configurations match. Although in most cases, the management connection will be reestablished without changing the management center IP address or hostname on the device, in at least one case, you must perform this task for the connection to be reestablished: when you added the device to the management center and you specified the NAT ID only. Even in other cases, we recommend keeping the management center IP address or hostname up to date for extra network resiliency.
Note In a high availability configuration, when you modify the management IP address of a registered Firepower device from the device CLI or from the management center, the secondary management center does not reflect the changes even after an HA synchronization. To ensure that the secondary management center is also updated, switch roles between the two management centers, making the secondary management center the active unit. Modify the management IP address of the registered Firepower device on the device management page of the now active management center.
Before you begin
• For information about how device management works, see About Device Management Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide .
• If you use a proxy:
• Proxies that use NT LAN Manager (NTLM) authentication are not supported.
• If you use or will use Smart Licensing, the proxy FQDN cannot have more than 64 characters.
Procedure
Step 1 Choose System ( ) > Configuration , and then choose Management Interfaces .
Step 2 In the Interfaces area, click Edit next to the interface that you want to configure.
All available interfaces are listed in this section. You cannot add more interfaces.
You can configure the following options on each management interface:
• Enabled —Enable the management interface. Do not disable the default eth0 management interface. Some processes require the eth0 interface.
• Channels —Configure an event-only interface; you can configure only one event interface on the management center. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. You can optionally disable Event Traffic for the management interface(s). In either case, the device will try to send events to the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cannot disable both event and management channels on an interface.
• Mode —Specify a link mode. Note that any changes you make to auto-negotiation are ignored for GigabitEthernet interfaces.
• MDI/MDIX —Set the Auto-MDIX setting.
• MTU —Set the maximum transmission unit (MTU). The default is 1500. The range within which you can set the MTU can vary depending on the model and interface type.
Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.
• IPv4 Configuration —Set the IPv4 IP address. Choose:
• Static —Manually enter the IPv4 Management IP address and IPv4 Netmask .
• DHCP —Set the interface to use DHCP (eth0 only).
• Disabled —Disable IPv4. Do not disable both IPv4 and IPv6.
• IPv6 Configuration —Set the IPv6 IP address. Choose:
• Static —Manually enter the IPv6 Management IP address and IPv6 Prefix Length .
• DHCP —Set the interface to use DHCPv6 (eth0 only).
• Router Assigned —Enable stateless autoconfiguration.
• Disabled —Disable IPv6. Do not disable both IPv4 and IPv6.
• IPv6 DAD —When you enable IPv6, enable or disable duplicate address detection (DAD). You might want to disable DAD because the use of DAD opens up the possibility of denial of service attacks. If you disable this setting, you need to check manually that this interface is not using an already-assigned address.
Step 3 In the Routes area, edit a static route by clicking Edit ( ), or add a route by clicking Add ( ). View the route table by clicking ( ).
You need a static route for each additional interface to reach remote networks. For more information about when new routes are needed, see Network Routes on Management Center Management Interfaces, on page .
Note For the default route, you can change only the gateway IP address. The egress interface is chosen automatically by matching the specified gateway to the interface's network.
You can configure the following settings for a static route:
• Destination —Set the destination address of the network to which you want to create a route.
• Netmask or Prefix Length —Set the netmask (IPv4) or prefix length (IPv6) for the network.
• Interface —Set the egress management interface.
• Gateway —Set the gateway IP address.
Step 4 In the Shared Settings area, set network parameters shared by all interfaces.
Note If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings derived from the DHCP server.
You can configure the following shared settings:
• Hostname —Set the management center hostname. The hostname must start and end with a letter or digit, and have only letters, digits, or a hyphen. If you change the hostname, reboot the management center if you want the new hostname reflected in syslog messages. Syslog messages do not reflect a new hostname until after a reboot.
• Domains —Set the search domain(s) for the management center, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system . The domains are used only on the management interface, or for commands that go through the management interface.
• Primary DNS Server , Secondary DNS Server , Tertiary DNS Server —Set the DNS servers to be used in order of preference.
• Remote Management Port —Set the remote management port for communication with managed devices.
The management center and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.
Note Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.
Step 5 In the ICMPv6 area, configure ICMPv6 settings.
• Allow Sending Echo Reply Packets —Enable or disable Echo Reply packets. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the management center management interfaces for testing purposes.
• Allow Sending Destination Unreachable Packets —Enable or disable Destination Unreachable packets. You might want to disable these packets to guard against potential denial of service attacks.
Step 6 In the Proxy area, configure HTTP proxy settings.
The management center is configured to directly connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server to which you can authenticate via HTTP Digest. See proxy requirements in the prerequisites to this topic.
a) Check the Enabled check box.
b) In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server. See requirements in the prerequisites to this topic.
c) In the Port field, enter a port number.
d) Supply authentication credentials by choosing Use Proxy Authentication , and then provide a User Name and Password .
Step 7 Click Save .
Step 8 If you change the management center IP address, then see Edit the management center IP Address or Hostname on the Device in the Cisco Secure Firewall Management Center Device Configuration Guide .
If you change the management center IP address or hostname, you should also change the value at the device CLI so the configurations match. Although in most cases the management connection will be reestablished without changing the management center IP address or hostname on the device, in at least one case you must perform this task for the connection to be reestablished: when you added the device to the management center and you specified the NAT ID only. Even in other cases, we recommend keeping the management center IP address or hostname up to date for extra network resiliency.
Shut Down or Restart
Use the web interface to control the shut down and restart of processes on the management center. You can:
• Shut down: Initiate a graceful shutdown of the appliance.
Caution Do not shut off Firepower appliances using the power button; it may cause a loss of data. Using the web interface (or CLI) prepares the system to be safely powered off and restarted without losing configuration data.
• Reboot: Shut down and restart gracefully.
• Restart the console: Restart the communications, database, and HTTP server processes. This is typically used during troubleshooting.
Tip For virtual devices, refer to the documentation for your virtual platform. For VMware in particular, custom power options are part of VMware Tools.
Shut Down or Restart the Management Center
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Choose Process .
Step 3 Do one of the following:
• Shut down: Click Run Command next to Shutdown Management Center .
• Reboot: Click Run Command next to Reboot Management Center .
Note Rebooting logs you out, and the system runs a database check that can take up to an hour to complete.
• Restart the console: Click Run Command next to Restart Management Center Console .
Note Restarting may cause deleted hosts to reappear in the network map.
Remote Storage Management
On Secure Firewall Management Centers, you can use the following for local or remote storage for backups and reports:
• Network File System (NFS)
• Server Message Block (SMB)/Common Internet File System (CIFS)
• Secure Shell (SSH)
You cannot send backups to one remote system and reports to another, but you can choose to send either to a remote system and store the other on the Secure Firewall Management Center.
Tip After configuring and selecting remote storage, you can switch back to local storage only if you have not increased the connection database limit.
Management Center Remote Storage - Supported Protocols and Versions
Management Center Version   NFS Version   SSH Version       SMB Version
6.4                         V3/V4         openssh 7.3p1     V2/V3
6.5                         V3/V4         ciscossh 1.6.20   V2/V3
6.6                         V3/V4         ciscossh 1.6.20   V2/V3
6.7                         V3/V4         ciscossh 1.6.20   V2/V3
Commands to Enable Protocol Version
Run the following commands as a root user to enable the protocol version:
• NFS —
/bin/mount -t nfs '10.10.4.225':'/home/manual-check' '/mnt/remote-storage' -o 'rw,vers=4.0'
• SMB —
/usr/bin/mount.cifs //10.10.0.100/pyallapp-share/testing-smb /mnt/remote-storage -o username=administrator,password=******,vers=3.0
Configuring Local Storage
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Choose Remote Storage Device .
Step 3 Choose Local (No Remote Storage) from the Storage Type drop-down list.
Step 4 Click Save .
Configuring NFS for Remote Storage
Before you begin
• Ensure that your external remote storage system is functional and accessible from your management center.
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Click Remote Storage Device .
Step 3 Choose NFS from the Storage Type drop-down list.
Step 4 Add the connection information:
• Enter the IPv4 address or hostname of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.
Step 5 Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options, on page 68 .
Step 6 Under System Usage :
• Choose Use for Backups to store backups on the designated host.
• Choose Use for Reports to store reports on the designated host.
• Enter Disk Space Threshold for backup to remote storage. Default is 90%.
Step 7 To test the settings, click Test .
Step 8 Click Save .
Configuring SMB for Remote Storage
Before you begin
Ensure that your external remote storage system is functional and accessible from your management center:
• The system recognizes top-level SMB shares, not full file paths. You must use Windows to share the exact directory you want to use.
• Make sure the Windows user you will use to access the SMB share from the management center has ownership of and read/change access to the share location.
• To ensure security, you should install SMB 2.0 or greater.
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Click Remote Storage Device .
Step 3 Choose SMB from the Storage Type drop-down list.
Step 4 Add the connection information:
• Enter the IPv4 address or hostname of the storage system in the Host field.
• Enter the share of your storage area in the Share field.
• Optionally, enter the domain name for the remote storage system in the Domain field.
• Enter the user name for the storage system in the Username field and the password for that user in the Password field.
Step 5 Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options, on page 68 .
Step 6 Under System Usage :
• Choose Use for Backups to store backups on the designated host.
• Choose Use for Reports to store reports on the designated host.
Step 7 To test the settings, click Test .
Step 8 Click Save .
Configuring SSH for Remote Storage
Before you begin
• Ensure that your external remote storage system is functional and accessible from your Secure Firewall Management Center.
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Click Remote Storage Device .
Step 3 Choose SSH from the Storage Type drop-down list.
Step 4 Add the connection information:
• Enter the IP address or host name of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.
• Enter the storage system’s user name in the Username field and the password for that user in the Password field. To specify a network domain as part of the connection user name, precede the user name with the domain followed by a forward slash (/).
• To use SSH keys, copy the content of the SSH Public Key field and place it in your authorized_keys file.
Step 5 Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options, on page 68 .
Step 6 Under System Usage:
• Choose Use for Backups to store backups on the designated host.
• Choose Use for Reports to store reports on the designated host.
Step 7 To test the settings, click Test .
Step 8 Click Save .
Remote Storage Management Advanced Options
If you select the Network File System (NFS) protocol, Server Message Block (SMB) protocol, or SSH to use secure file transfer protocol (SFTP) to store your reports and backups, you can select the Use Advanced Options check box to use one of the mount binary options as documented in an NFS, SMB, or SSH mount man page.
If you select SMB, you can enter the security mode in the Command Line Options field using the following format: sec=mode, where mode is the security mode you want to use for remote storage.
Table 4: SMB Security Mode Settings
Mode      Description
[none]    Attempt to connect as null user (no name).
krb5      Use Kerberos version 5 authentication.
krb5i     Use Kerberos authentication and packet signing.
ntlm      Use NTLM password hashing. (Default)
ntlmi     Use NTLM password hashing with signing (may be default if /proc/fs/cifs/PacketSigningEnabled is on or if the server requires signing).
ntlmv2    Use NTLMv2 password hashing.
ntlmv2i   Use NTLMv2 password hashing with packet signing.
Change Reconciliation
To monitor the changes that users make and ensure that they follow your organization’s preferred standard, you can configure the system to send, via email, a detailed report of changes made over the past 24 hours.
Whenever a user saves changes to the system configuration, a snapshot is taken of the changes. The change reconciliation report combines information from these snapshots to present a clear summary of recent system changes.
The following sample graphic displays a User section of an example change reconciliation report and lists both the previous value for each configuration and the value after changes. When users make multiple changes to the same configuration, the report lists summaries of each distinct change in chronological order, beginning with the most recent.
You can view changes made during the previous 24 hours.
Configuring Change Reconciliation
Before you begin
• Configure an email server to receive emailed reports of changes made to the system over a 24-hour period; see Configuring a Mail Relay Host and Notification Address, on page 81 for more information.
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Click Change Reconciliation .
Step 3 Check the Enable check box.
Step 4 Choose the time of day you want the system to send out the change reconciliation report from the Time to Run drop-down lists.
Step 5 Enter email addresses in the Email to field.
Tip Once you have added email addresses, click Resend Last Report to send recipients another copy of the most recent change reconciliation report.
Step 6 If you want to include policy changes, check the Include Policy Configuration check box.
Step 7 If you want to include all changes over the past 24 hours, check the Show Full Change History check box.
Step 8 Click Save .
Related Topics
Using the Audit Log to Examine Changes, on page 378
Change Reconciliation Options
The Include Policy Configuration option controls whether the system includes records of policy changes in the change reconciliation report. This includes changes to access control, intrusion, system, health, and network discovery policies. If you do not select this option, the report will not show changes to any policies. This option is available on Secure Firewall Management Centers only.
The Show Full Change History option controls whether the system includes records of all changes over the past 24 hours in the change reconciliation report. If you do not select this option, the report includes only a consolidated view of changes for each category.
Note The change reconciliation report does not include changes to threat defense interfaces and routing settings.
Policy Change Comments
You can configure the system to track several policy-related changes using the comment functionality when users modify access control, intrusion, or network analysis policies.
With policy change comments enabled, administrators can quickly assess why critical policies in a deployment were modified. Optionally, you can have changes to intrusion and network analysis policies written to the audit log.
Configuring Comments to Track Policy Changes
You can configure the system to prompt users for comments when they modify an access control policy, intrusion policy, or network analysis policy. You can use comments to track users’ reasons for policy changes.
If you enable comments on policy changes, you can make the comment optional or mandatory. The system prompts the user for a comment when each new change to a policy is saved.
Procedure
Step 1 Choose System ( ) > Configuration .
The system configuration options appear in the left navigation panel.
Step 2 Configure the policy comment preferences for any of the following:
• Click Access Control Preferences for comment preferences for access control policies.
• Click Intrusion Policy Preferences for comment preferences for intrusion policies.
• Click Network Analysis Policy Preferences for comment preferences for network analysis policies.
Step 3 You have the following choices for each policy type:
• Disabled —Disables change comments.
• Optional —Gives users the option to describe their changes in a comment.
• Required —Requires users to describe their changes in a comment before saving.
Step 4 Optionally for intrusion or network analysis policy comments:
• Check Write changes in Intrusion Policy to audit log to write all intrusion policy changes to the audit log.
• Check Write changes in Network Analysis Policy to audit log to write all network analysis policy changes to the audit log.
Step 5 To get notifications for changes to any overridden system-defined rules during LSP updates, ensure that the Retain user overrides for deleted Snort 3 rules check box is checked. As a system default, this check box is checked. When this check box is checked, the system retains the rule overrides in the new replacement rules that are added as part of the LSP update. The notifications are shown in the Tasks tab under the Notifications icon that is located next to Cog ( ).
Step 6 Click Save .
Access List
You can limit access to the management center by IP address and port. By default, the following ports are enabled for any IP address:
• 443 (HTTPS) for web interface access.
• 22 (SSH) for CLI access.
You can also add access to poll for SNMP information over port 161. Because SNMP is disabled by default, you must first enable SNMP before you can add SNMP access rules. For more information, see .
Caution By default, access is not restricted. To operate in a more secure environment, consider adding access for specific IP addresses and then deleting the default any option.
Configure an Access List
This access list does not control external database access. See Enabling External Access to the Database, on page 51 .
Caution If you delete access for the IP address that you are currently using to connect to the management center, and there is no entry for “IP=any port=443”, you will lose access when you save.
Before you begin
By default, the access list includes rules for HTTPS and SSH. To add SNMP rules to the access list, you must first enable SNMP. For more information, see Configure SNMP Polling, on page 83 .
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 (Optional) Click SNMP to configure SNMP if you want to add SNMP rules to the access list. By default, SNMP is disabled; see Configure SNMP Polling, on page 83 .
Step 3 Click Access List .
Step 4 To add access for one or more IP addresses, click Add Rules .
Step 5 In the IP Address field, enter an IP address or address range, or any.
Step 6 Choose SSH , HTTPS , SNMP , or a combination of these options to specify which ports you want to enable for these IP addresses.
Step 7 Click Add .
Step 8 Click Save .
Related Topics
, on page 26
Audit Logs
The Secure Firewall Management Center records user activity in read-only audit logs. You can review audit log data in several ways:
• Use the web interface: .
Audit logs are presented in a standard event view where you can view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and you can view detailed reports of the changes that users make.
• Stream audit log messages to the syslog: Stream Audit Logs to Syslog, on page 72 .
• Stream audit log messages to an HTTP server: Stream Audit Logs to an HTTP Server, on page 74 .
Streaming audit log data to an external server allows you to conserve space on the management center. Note that sending audit information to an external URL may affect system performance.
Optionally, you can secure the channel for audit log streaming by enabling TLS and mutual authentication using TLS certificates; see Audit Log Certificate, on page 75 .
Streaming to Multiple Syslog Servers
You can stream audit log data to a maximum of five syslog servers. However, if you have enabled TLS for secured audit log streaming, you can stream only to a single syslog server.
Stream Audit Logs to Syslog
When this feature is enabled, audit log records appear in the syslog in the following format:
Date Time Host [ Tag ] Sender : User_Name @ User_IP , Subsystem , Action
Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.
For example, if you specify a tag of FMC-AUDIT-LOG for audit log messages from your management center, a sample audit log message from your management center could appear as follows:
Mar 01 14:45:24 localhost [FMC-AUDIT-LOG] Dev-MC7000: [email protected], Operations > Monitoring, Page View
If you specify a severity and facility, these values do not appear in syslog messages; instead, they tell the system that receives the syslog messages how to categorize them.
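As an added illustration (not from the guide or the product), the following Python parses audit records in the layout shown above and applies two checks a defender typically wants over the stream: which records carry a User_IP outside the management networks the Access List is meant to permit, and which records saved a change under System > Configuration. The regex is an assumption derived from the documented layout, and the sample lines, hostnames and addresses are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Layout documented for audit records streamed to syslog:
#   Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action
# The bracketed tag appears only when a Tag is configured. This regex is an
# assumption built from that layout; the guide publishes no formal grammar.
AUDIT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:\[(?P<tag>[^\]]+)\] )?"          # optional [Tag]
    r"(?P<sender>[^:]+): "                # sending management center name
    r"(?P<user>[^@,]+)@(?P<user_ip>[^,]+), "
    r"(?P<subsystem>.+?), "               # e.g. "System > Configuration > Access List"
    r"(?P<action>[^,]+)$"
)


@dataclass(frozen=True)
class AuditRecord:
    date: str
    time: str
    host: str
    tag: Optional[str]
    sender: str
    user: str
    user_ip: str
    subsystem: str
    action: str


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Return the parsed record, or None for syslog lines that are not audit records."""
    match = AUDIT_RE.match(line.strip())
    return AuditRecord(**match.groupdict()) if match else None


def parse_audit_lines(lines: Iterable[str]) -> List[AuditRecord]:
    """Parse a syslog stream, skipping unrelated lines (sshd, health alerts, ...)."""
    records = (parse_audit_line(line) for line in lines)
    return [r for r in records if r is not None]


def records_from_unexpected_ips(records: Iterable[AuditRecord],
                                allowed_cidrs: Sequence[str]) -> List[AuditRecord]:
    """Records whose User_IP lies outside the networks the Access List should permit.

    A hit means either the Access List still carries the default 'any' rule or
    someone reached the web interface from a network that was not planned for.
    """
    allowed = [ipaddress.ip_network(cidr, strict=False) for cidr in allowed_cidrs]
    flagged = []
    for record in records:
        try:
            address = ipaddress.ip_address(record.user_ip)
        except ValueError:
            flagged.append(record)          # unparseable address: keep it for review
            continue
        if not any(address in network for network in allowed):
            flagged.append(record)
    return flagged


def config_changes(records: Iterable[AuditRecord],
                   prefix: str = "System > Configuration") -> List[AuditRecord]:
    """Records that saved a change under the system configuration pages (views ignored)."""
    return [r for r in records
            if r.subsystem.startswith(prefix) and r.action != "Page View"]


# Constructed sample stream: four audit records (one without a tag) and one
# unrelated sshd line. Hostnames and addresses are made up (RFC 5737 ranges).
SAMPLE_SYSLOG = [
    "Mar 01 14:45:24 fmc01 [FMC-AUDIT-LOG] Dev-MC7000: admin@192.0.2.10, Operations > Monitoring, Page View",
    "Mar 01 14:46:02 fmc01 [FMC-AUDIT-LOG] Dev-MC7000: admin@192.0.2.10, System > Configuration > Access List, Save",
    "Mar 01 14:47:13 fmc01 [FMC-AUDIT-LOG] Dev-MC7000: analyst@203.0.113.77, System > Configuration > Audit Log, Save",
    "Mar 01 14:47:30 fmc01 Dev-MC7000: analyst@203.0.113.77, Login, Login Success",
    "Mar 01 14:48:00 fmc01 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50022",
]

if __name__ == "__main__":
    parsed = parse_audit_lines(SAMPLE_SYSLOG)
    for r in records_from_unexpected_ips(parsed, ["192.0.2.0/24"]):
        print(f"outside allowed networks: {r.user}@{r.user_ip} {r.subsystem}, {r.action}")
    for r in config_changes(parsed):
        print(f"configuration change:     {r.user}@{r.user_ip} {r.subsystem}")
```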
Before you begin
Make sure the management center can communicate with the syslog server. When you save your configuration, the system uses ICMP/ARP and TCP SYN packets to verify that the syslog server is reachable. Then, the system uses port 514/UDP to stream audit logs. If you secure the channel (optional, see Audit Log Certificate, on page 75 ), the system uses 6514/TCP.
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Click Audit Log .
Step 3 Choose Enabled from the Send Audit Log to Syslog drop-down menu.
Step 4 The following fields are applicable only for audit logs sent to syslog:
Option / Description
Host: The IP address or the fully qualified name of the syslog server to which you will send audit logs. You can add a maximum of five syslog hosts, separated by commas.
Note You can specify multiple syslog hosts only when TLS is disabled for the Audit Server Certificate.
Facility: The subsystem that creates the message. Choose a facility described in Syslog Alert Facilities, on page 521 . For example, choose AUDIT.
Severity: The severity of the message. Choose a severity described in Syslog Severity Levels, on page 522 .
Tag: An optional tag to include in audit log syslog messages. Best practice: Enter a value in this field to easily differentiate audit log messages from other, similar syslog messages such as health alerts. For example, if you want all audit log records sent to the syslog to be labeled with FMC-AUDIT-LOG, enter FMC-AUDIT-LOG in the field.
Step 5 (Optional) To test whether the IP addresses of the syslog servers are valid, click Test Syslog Server .
The system sends the following packets to verify whether the syslog server is reachable:
a) ICMP echo request
b) TCP SYN on ports 443 and 80
c) ICMP time stamp query
d) TCP SYN on random ports
Note If the Management Center and syslog server are in the same subnet, ARP is used instead of ICMP.
The system displays the result for each server.
Step 6 Click Save .
Stream Audit Logs to an HTTP Server
When this feature is enabled, the appliance sends audit log records to an HTTP server in the following format:
Date Time Host [ Tag ] Sender : User_Name @ User_IP , Subsystem , Action
Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending appliance name precedes the audit log message.
For example, if you specify a tag of FROMMC, a sample audit log message could appear as follows:
Mar 01 14:45:24 localhost [FROMMC] Dev-MC7000: [email protected], Operations > Monitoring, Page View
Before you begin
Make sure the device can communicate with the HTTP server. Optionally, secure the channel; see
Procedure
Step 1 Choose System ( ) > Configuration .
Step 2 Click Audit Log .
Step 3 Optionally, in the Tag field, enter the tag name that you want to appear with the message. For example, if you want all audit log records to be preceded with FROMMC, enter FROMMC in the field.
Step 4 Choose Enabled from the Send Audit Log to HTTP Server drop-down list.
Step 5 In the URL to Post Audit field, designate the URL where you want to send the audit information. Enter a URL that corresponds to a Listener program that expects the HTTP POST variables as listed:
• subsystem
• actor
• event_type
• message
• action_source_ip
• action_destination_ip
• result
• time
• tag (if defined; see Step 3)
Caution To allow encrypted posts, use an HTTPS URL. Sending audit information to an external URL may affect system performance.
Step 6 Click Save .
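As an added example (not part of the guide or the product), the following Python implements a minimal Listener program for the POST variables listed in Step 5: it accepts a form-encoded POST, refuses a body that lacks a required variable, repeats one, or carries an unknown one, and appends each accepted record as a JSON line. The application/x-www-form-urlencoded encoding, the local file sink and a TLS-terminating reverse proxy in front of the listener (the Caution calls for an HTTPS URL) are assumptions; the sample body is constructed.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict
from urllib.parse import parse_qs

# POST variables the guide lists for the Listener program. "tag" is present
# only when a Tag was configured, so it is optional here.
REQUIRED_FIELDS = ("subsystem", "actor", "event_type", "message",
                   "action_source_ip", "action_destination_ip", "result", "time")
OPTIONAL_FIELDS = ("tag",)
MAX_BODY_BYTES = 64 * 1024   # assumption: a single audit record is far smaller


def parse_audit_post(body: bytes) -> Dict[str, str]:
    """Decode one form-encoded POST body into an audit record.

    Raises ValueError for a missing or repeated required variable, an unknown
    variable, or a malformed body, so a broken or spoofed post is refused
    instead of being stored as if it were an audit record.
    """
    # Assumption: application/x-www-form-urlencoded (the usual encoding for POST variables).
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True, strict_parsing=True)
    unknown = set(fields) - set(REQUIRED_FIELDS) - set(OPTIONAL_FIELDS)
    if unknown:
        raise ValueError(f"unexpected POST variables: {sorted(unknown)}")
    record: Dict[str, str] = {}
    for name in REQUIRED_FIELDS + OPTIONAL_FIELDS:
        values = fields.get(name)
        if values is None:
            if name in REQUIRED_FIELDS:
                raise ValueError(f"missing POST variable: {name}")
            continue
        if len(values) != 1:
            raise ValueError(f"POST variable repeated: {name}")
        record[name] = values[0]
    return record


class AuditLogHandler(BaseHTTPRequestHandler):
    """Listener that stores each accepted audit record as one JSON line."""
    output_path = "fmc-audit.jsonl"   # assumption: local append-only sink

    def do_POST(self) -> None:
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            self.send_error(400, "bad Content-Length")
            return
        if length <= 0:
            self.send_error(411, "Content-Length required")
            return
        if length > MAX_BODY_BYTES:
            self.send_error(413, "audit record too large")
            return
        try:
            record = parse_audit_post(self.rfile.read(length))
        except ValueError as exc:      # UnicodeDecodeError is a ValueError too
            self.send_error(400, str(exc))
            return
        record["listener_peer"] = self.client_address[0]   # who actually posted it
        with open(self.output_path, "a", encoding="utf-8") as sink:
            sink.write(json.dumps(record, sort_keys=True) + "\n")
        self.send_response(204)
        self.end_headers()

    def do_GET(self) -> None:
        self.send_error(405, "audit records are accepted by POST only")


# Constructed sample body, as the management center would post it for a saved
# Access List change with tag FROMMC (values are made up; RFC 5737 addresses).
SAMPLE_POST_BODY = (
    b"subsystem=System+%3E+Configuration+%3E+Access+List&actor=admin&event_type=Config"
    b"&message=Save&action_source_ip=192.0.2.10&action_destination_ip=198.51.100.5"
    b"&result=Success&time=Mar+01+14%3A46%3A02&tag=FROMMC"
)


def run(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Serve until interrupted; put a TLS-terminating reverse proxy in front for HTTPS."""
    HTTPServer((host, port), AuditLogHandler).serve_forever()


if __name__ == "__main__":
    print(parse_audit_post(SAMPLE_POST_BODY))   # sanity check, then listen
    run()
```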
Audit Log Certificate
You can use Transport Layer Security (TLS) certificates to secure communications between the management center and a trusted audit log server.
Client Certificates (Required)
Generate a certificate signing request (CSR), submit it to a Certificate Authority (CA) for signing, then import the signed certificate onto the management center. Use the local system configuration: Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76 and Import an Audit Log Client Certificate into the Management Center, on page 77.
Server Certificates (Optional)
For additional security, we recommend you require mutual authentication between the management center and the audit log server. To accomplish this, enable mutual authentication and, to catch certificates that have since been revoked, load one or more certificate revocation lists (CRLs). You cannot stream audit logs to servers with revoked certificates listed in those CRLs.
Firepower supports CRLs encoded in Distinguished Encoding Rules (DER) format. Note that these are the same CRLs that the system uses to validate HTTPS client certificates for the management center web interface.
Use the local system configuration: Require Valid Audit Log Server Certificates, on page 78.
Securely Stream Audit Logs
If you stream the audit log to a trusted HTTP server or syslog server, you can use Transport Layer Security (TLS) certificates to secure the channel between the management center and the server. You must generate a unique client certificate for each appliance you want to audit.
Before you begin
See ramifications of requiring client and server certificates at Audit Log Certificate, on page 75.
Procedure
Step 1 Obtain and install a signed client certificate on the management center:
a) Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76: Generate a Certificate Signing Request (CSR) from the management center based on your system information and the identification information you supply. Submit the CSR to a recognized, trusted certificate authority (CA) to request a signed client certificate.
If you will require mutual authentication between the management center and the audit log server, the client certificate must be signed by the same CA that signed the server certificate to be used for the connection.
b) After you receive the signed certificate from the certificate authority, import it into the management center. See Import an Audit Log Client Certificate into the Management Center, on page 77.
Step 2 Configure the communication channel with the server to use Transport Layer Security (TLS) and enable mutual authentication. See Require Valid Audit Log Server Certificates, on page 78.
Step 3 Configure audit log streaming if you have not yet done so. See Stream Audit Logs to Syslog, on page 72 or Stream Audit Logs to an HTTP Server, on page 74.
Obtain a Signed Audit Log Client Certificate for the Management Center
Important The Audit Log Certificate page is not available on a standby Secure Firewall Management Center in a high availability setup. You cannot perform this task from a standby Secure Firewall Management Center.
The system generates certificate request keys in Base-64 encoded PEM format.
Before you begin
Keep the following in mind:
• To ensure security, use a globally recognized and trusted Certificate Authority (CA) to sign your certificate.
• If you will require mutual authentication between the appliance and the audit log server, the same Certificate Authority must sign both the client certificate and the server certificate.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Audit Log Certificate.
Step 3 Click Generate New CSR.
Step 4 Enter a country code in the Country Name (two-letter code) field.
Step 5 Enter a state or province postal abbreviation in the State or Province field.
Step 6 Enter a Locality or City.
Step 7 Enter an Organization name.
Step 8 Enter an Organizational Unit (Department) name.
Step 9 Enter the fully qualified domain name of the management center for which you are requesting the certificate in the Common Name field.
Note If the common name and the DNS hostname do not match, audit log streaming will fail.
Step 10 Click Generate.
Step 11 Open a new blank file with a text editor.
Step 12 Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into the blank text file.
Step 13 Save the file as clientname.csr, where clientname is the name of the appliance where you plan to use the certificate.
Step 14 Click Close.
What to do next
• Submit the certificate signing request to the certificate authority that you selected using the guidelines in the "Before You Begin" section of this procedure.
• When you receive the signed certificate, import it to the appliance; see Import an Audit Log Client Certificate into the Management Center, on page 77.
Import an Audit Log Client Certificate into the Management Center
In the management center high availability setup, you must use the active peer.
Before you begin
• Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76.
• Make sure you are importing the signed certificate for the correct management center.
• If the signing authority that generated the certificate requires you to trust an intermediate CA, be prepared to provide the necessary certificate chain (or certificate path). The CA that signed the client certificate must be the same CA that signed any intermediate certificates in the certificate chain.
Procedure
Step 1 On the management center, choose System ( ) > Configuration.
Step 2 Click Audit Log Certificate.
Step 3 Click Import Audit Client Certificate.
Step 4 Open the client certificate in a text editor, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Paste this text into the Client Certificate field.
Step 5 To upload a private key, open the private key file and copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.
Step 6 Open any required intermediate certificates, copy the entire block of text for each, and paste it into the Certificate Chain field.
Step 7 Click Save.
Require Valid Audit Log Server Certificates
The system supports validating audit log server certificates using imported CRLs in Distinguished Encoding Rules (DER) format.
Note If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both audit log server certificates and certificates used to secure the HTTP connection between an appliance and a web browser.
Important You cannot perform this proced2ure on the standby Secure Firewall Management Center in a high availability pair.
Before you begin
• Understand the ramifications of requiring mutual authentication and of using certificate revocation lists (CRLs) to ensure that certificates are still valid. See Audit Log Certificate, on page 75.
• Obtain and import the client certificate following the steps in Securely Stream Audit Logs, on page 75 and the topics referenced in that procedure.
Procedure
Step 1 On the management center, choose System ( ) > Configuration.
Step 2 Click Audit Log Certificate.
Step 3 To use Transport Layer Security to securely stream the audit log to an external server, choose Enable TLS.
Step 4 If you want to accept server certificates without verification (not recommended; the channel is encrypted, but the identity of the server receiving your audit records is never checked):
a) Deselect Enable Mutual Authentication.
b) Click Save and skip the remainder of this procedure.
Step 5 To verify the certificate of the audit log server, choose Enable Mutual Authentication.
Step 6 (If you enabled mutual authentication) To automatically recognize certificates that are no longer valid:
a) Select Enable Fetching of CRL.
Note Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs.
b) Enter a valid URL to an existing CRL file and click Add CRL. Repeat to add up to 25 CRLs.
c) Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.
Step 7 Verify that you have a valid server certificate generated by the same certificate authority that created the client certificate.
Step 8 Click Save.
What to do next
(Optional) Set the frequency of CRL updates. See Configuring Certificate Revocation List Downloads, on page 455.
View the Audit Log Client Certificate on the Management Center
You can view the audit log client certificate only for the appliance that you are logged in to. In management center high availability pairs, you can view the certificate only on the active peer.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Audit Log Certificate.
Dashboard Settings
Dashboards provide you with at-a-glance views of current system status through the use of widgets: small, self-contained components that provide insight into different aspects of the system. The system is delivered with several predefined dashboard widgets.
You can configure the Secure Firewall Management Center so that Custom Analysis widgets are enabled on the dashboard.
Related Topics
, on page 305
Enabling Custom Analysis Widgets for Dashboards
Use Custom Analysis dashboard widgets to create a visual representation of events based on a flexible, user-configurable query.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Dashboard.
Step 3 Check the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards.
Step 4 Click Save.
Related Topics
, on page 305
DNS Cache
You can configure the system to resolve IP addresses automatically on the event view pages. You can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled.
Configuring DNS Cache Properties
DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Choose DNS Cache.
Step 3 From the DNS Resolution Caching drop-down list, choose one of the following:
• Enabled — Enable caching.
• Disabled — Disable caching.
Step 4 In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity. The default setting is 300 minutes (five hours).
Step 5 Click Save.
Related Topics
Configuring Event View Settings, on page 189
Email Notifications
Configure a mail host if you plan to:
• Email event-based reports
• Email status reports for scheduled tasks
• Email change reconciliation reports
• Email data-pruning notifications
• Use email for discovery event, impact flag, correlation event alerting, intrusion event alerting, and health event alerting
When you configure email notification, you can select an encryption method for the communication between the system and mail relay host, and can supply authentication credentials for the mail server if needed. After configuring, you can test the connection.
Configuring a Mail Relay Host and Notification Address
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Email Notification.
Step 3 In the Mail Relay Host field, enter the hostname or IP address of the mail server you want to use. The mail host you enter must allow access from the appliance.
Step 4 In the Port Number field, enter the port number to use on the email server. Typical ports include:
• 25, when using no encryption
• 465, when using SSLv3
• 587, when using TLS
Step 5 Choose an Encryption Method:
• TLS — Encrypt communications using Transport Layer Security.
• SSLv3 — Encrypt communications using Secure Sockets Layer. SSLv3 is obsolete; choose it only if the mail server cannot do TLS.
• None — Allow unencrypted communication.
Note Certificate validation is not required for encrypted communication between the appliance and mail server. Because the mail server's certificate is not validated, TLS and SSLv3 protect the credentials and message contents from passive observation only; the identity of the relay is not authenticated, so place the relay on a network path you trust.
Step 6 In the From Address field, enter the valid email address you want to use as the source email address for messages sent by the appliance.
Step 7 Optionally, to supply a user name and password when connecting to the mail server, choose Use Authentication. Enter a user name in the Username field. Enter a password in the Password field.
Step 8 To send a test email using the configured mail server, click Test Mail Server Settings. A message appears next to the button indicating the success or failure of the test.
Step 9 Click Save.
Language Selection
You can use the Language page to specify a different language for the web interface.
Set the Language for the Web Interface
The language you specify here is used for the web interface for every user. You can choose from:
• English
• French
• Chinese (simplified)
• Chinese (traditional)
• Japanese
• Korean
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Language.
Step 3 Choose the language you want to use.
Step 4 Click Save.
Login Banners
You can use the Login Banner page to specify session, login, or custom message banners for a security appliance or shared policy.
You can use ASCII characters and carriage returns to create a custom login banner. The system does not preserve tab spacing. If your login banner is too large or causes errors, Telnet or SSH sessions can fail when the system attempts to display the banner.
Customize the Login Banner
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Choose Login Banner.
Step 3 In the Custom Login Banner field, enter the login banner text you want to use.
Step 4 Click Save.
SNMP Polling
You can enable Simple Network Management Protocol (SNMP) polling. This feature supports use of versions 1, 2, and 3 of the SNMP protocol. This feature allows access to the standard management information base (MIB), which includes system details such as contact, administrative, location, service information, IP addressing and routing information, and transmission protocol usage statistics.
Note When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities and SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.
Enabling SNMP polling does not cause the system to send SNMP traps; it only makes the information in the MIBs available for polling by your network management system.
Configure SNMP Polling
Before you begin
Add SNMP access for each computer you plan to use to poll the system. See Configure an Access List, on page 71.
Note The SNMP MIB contains information that could be used to attack your deployment. We recommend that you restrict your access list for SNMP access to the specific hosts that will be used to poll for the MIB. We also recommend you use SNMPv3 and use strong passwords for network management access.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click SNMP.
Step 3 From the SNMP Version drop-down list, choose the SNMP version you want to use:
• Version 1 or Version 2: Enter a read-only SNMP community name in the Community String field, then skip to the end of the procedure. The community string is the only credential in SNMPv1 and SNMPv2c and is sent in cleartext, so treat it as a password and rely on the access list to limit who can present it.
Note Do not include special characters (< > / % # & ? ', etc.) in the SNMP community string name.
• Version 3: Click Add User to display the user definition page. SNMPv3 only supports read-only users and encryption with AES128.
Step 4 Enter a Username.
Step 5 Choose the protocol you want to use for authentication from the Authentication Protocol drop-down list.
Step 6 Enter the password required for authentication with the SNMP server in the Authentication Password field.
Step 7 Re-enter the authentication password in the Verify Password field.
Step 8 Choose the privacy protocol you want to use from the Privacy Protocol list, or choose None to not use a privacy protocol. With None, polled MIB data is authenticated but travels unencrypted.
Step 9 Enter the SNMP privacy key required by the SNMP server in the Privacy Password field.
Step 10 Re-enter the privacy password in the Verify Password field.
Step 11 Click Add.
Step 12 Click Save.
Time and Time Synchronization
Synchronizing the system time on your Secure Firewall Management Center (management center) and its managed devices is essential to successful operation of your Firepower System. We recommend that you specify NTP servers during management center initial configuration, but you can use the information in this section to establish or change time synchronization settings after initial configuration is complete.
Use a Network Time Protocol (NTP) server to synchronize system time on the management center and all devices. The management center supports secure communications with NTP servers using MD5, SHA-1, or AES-128 CMAC symmetric key authentication; for system security, we recommend using this feature. Where the NTP server supports it, prefer AES-128 CMAC: RFC 8573 deprecates the MD5-based NTP message authentication code.
The management center can also be configured to connect solely with authenticated NTP servers; using this option improves security in a mixed-authentication environment, or when migrating your system to different NTP servers. It is redundant to use this setting in an environment where all reachable NTP servers are authenticated.
Note If you specified an NTP server for the management center during initial configuration, the connection with that NTP server is not secured. You must edit the configuration for that connection to specify MD5, SHA-1, or AES-128 CMAC keys.
Caution Unintended consequences can occur when time is not synchronized between the management center and managed devices.
To synchronize time on management center and managed devices, see:
• Recommended: Synchronize Time on the Management Center with an NTP Server, on page 85. This topic provides instructions for configuring your management center to synchronize with an NTP server or servers and includes links to instructions on configuring managed devices to synchronize with the same NTP server or servers.
• Otherwise: Synchronize Time Without Access to a Network NTP Server, on page 86. This topic provides instructions for setting the time on your management center, configuring your management center to serve as an NTP server, and links to instructions on configuring managed devices to synchronize with the management center NTP server.
Synchronize Time on the Management Center with an NTP Server
Time synchronization among all of the components of your system is critically important.
The best way to ensure proper time synchronization between Secure Firewall Management Center and all managed devices is to use an NTP server on your network.
The management center supports NTPv4.
You must have Admin or Network Admin privileges to do this procedure.
Before you begin
Note the following:
• If your management center and managed devices cannot access a network NTP server, do not use this procedure. Instead, see Synchronize Time Without Access to a Network NTP Server, on page 86.
• Do not specify an untrusted NTP server.
• If you plan to establish a secure connection with an NTP server (recommended for system security), obtain an SHA-1, MD5, or AES-128 CMAC key number and value configured on that NTP server.
• Connections to NTP servers do not use configured proxy settings.
• Firepower 4100 Series devices and Firepower 9300 devices cannot use this procedure to set the system time. Instead, configure those devices to use the same NTP server(s) that you configure using this procedure. For instructions, see the documentation for your hardware model.
Caution If the Secure Firewall Management Center is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, configure your DHCP server to use the same NTP server.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Time Synchronization.
Step 3 If Serve Time via NTP is Enabled, choose Disabled to disable the management center as an NTP server.
Step 4 For the Set My Clock option, choose Via NTP.
Step 5 Click Add.
Step 6 In the Add NTP Server dialog box, enter the host name or IPv4 or IPv6 address of an NTP server.
Step 7 (Optional) To secure communication between your management center and the NTP server:
a) Select MD5, SHA-1 or AES-128 CMAC from the Key Type drop-down list.
b) Enter the corresponding MD5, SHA-1, or AES-128 CMAC Key Number and Key Value from the specified NTP server.
Step 8 Click Add.
Step 9 To add more NTP servers, repeat Steps 5 through 8.
Step 10 (Optional) To force the management center to use only an NTP server that successfully authenticates, check the Use the authenticated NTP server only check box.
Step 11 Click Save.
What to do next
Set managed devices to synchronize with the same NTP server or servers:
• Configure device platform settings: Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide.
Note that even if you force the management center to make a secure connection with an NTP server (Use the authenticated NTP server only), device connections to that server do not use authentication.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Synchronize Time Without Access to a Network NTP Server
If your devices cannot directly reach the network NTP server, or your organization does not have a network NTP server, a physical-hardware Secure Firewall Management Center can serve as an NTP server.
Important
• Do not use this procedure unless you have no other NTP server. Instead, use the procedure in Synchronize Time on the Management Center with an NTP Server, on page 85.
• Do not use a virtual Secure Firewall Management Center as an NTP server.
To change the time manually after configuring the Secure Firewall Management Center as an NTP server, you must disable the NTP option, change the time manually, and then re-enable the NTP option.
Procedure
Step 1 Manually set the system time on the Secure Firewall Management Center: a) Choose System ( ) > Configuration .
b) Click Time Synchronization .
c) If Serve Time via NTP is Enabled , choose Disabled .
d) Click Save .
e) For Set My Clock , choose Manually in Local Configuration .
f) Click Save .
g) In the navigation panel at the left side of the screen, click Time .
h) Use the Set Time drop-down lists to set the time.
i) If the time zone displayed is not UTC, click it and set the time zone to UTC .
j) Click Save .
k) Click Done .
l) Click Apply .
Step 2 Set the Secure Firewall Management Center to serve as an NTP server:
a) In the navigation panel at the left side of the screen, click Time Synchronization.
b) For Serve Time via NTP, choose Enabled.
c) Click Save.
Step 3 Set managed devices to synchronize with the Secure Firewall Management Center NTP server:
a) In the Time Synchronization settings for the platform settings policy assigned to your managed devices, set the clock to synchronize Via NTP from Management Center.
b) Deploy the change to managed devices.
For instructions for threat defense devices, see Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide.
About Changing Time Synchronization Settings
• Your management center and its managed devices are heavily dependent on accurate time. The system clock is a system facility that maintains the time of the system. The system clock is set to Coordinated Universal Time (UTC), which is the primary time standard by which the world regulates clocks and time. DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time zone from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.
• If you configure the management center to serve time using NTP, and then later disable it, the NTP service on managed devices still attempts to synchronize time with the management center. You must update and redeploy any applicable platform settings policies to establish a new time source.
• To change the time manually after configuring the Secure Firewall Management Center as an NTP server, you must disable the NTP option, change the time manually, and then re-enable the NTP option.
View Current System Time, Source, and NTP Server Connection Status
Time settings are displayed on most pages in local time using the time zone you set on the Time Zone page in User Preferences (the default is America/New York), but are stored on the appliance using UTC time.
Restriction The Time Zone function (in User Preferences) assumes that the default system clock is set to UTC time. DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Be advised that changing the system time from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Time.
The current time is displayed using the time zone specified for your account in User Preferences.
If your appliance uses an NTP server: For information about the table entries, see NTP Server Status, on page 88.
NTP Server Status
If you are synchronizing time from an NTP server, you can view connection status on the Time page (choose System > Configuration).
Table 5: NTP Status
NTP Server
The IP address or name of the configured NTP server.
Status
The status of the NTP server time synchronization:
• Being Used indicates that the appliance is synchronized with the NTP server.
• Available indicates that the NTP server is available for use, but time is not yet synchronized.
• Not Available indicates that the NTP server is in your configuration, but the NTP daemon is unable to use it.
• Pending indicates that the NTP server is new or the NTP daemon was recently restarted. Over time, its value should change to Being Used, Available, or Not Available.
• Unknown indicates that the status of the NTP server is unknown.
Authentication
The authentication status for communication between the management center and the NTP server:
• none indicates no authentication is configured.
• bad indicates authentication is configured but has failed.
• ok indicates authentication is successful.
If authentication has been configured, the system displays the key number and key type (SHA-1, MD5, or AES-128 CMAC) following the status value. For example: bad, key 2, MD5.
Offset
The number of milliseconds of difference between the time on the appliance and the configured NTP server. Negative values indicate that the appliance is behind the NTP server, and positive values indicate that it is ahead.
Last Update
The number of seconds that have elapsed since the time was last synchronized with the NTP server. The NTP daemon automatically adjusts the synchronization times based on a number of conditions. For example, if you see larger update times such as 300 seconds, that indicates that the time is relatively stable and the NTP daemon has determined that it does not need to use a lower update increment.
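The Key Number and Key Value entered in Step 7 of Synchronize Time on the Management Center with an NTP Server and the Authentication column above are two views of the same mechanism: the RFC 5905 symmetric-key message authentication code appended to each NTP packet. The following is an added example in Python, not Cisco code, that builds an NTPv4 client packet, appends the MAC for a given key number, and checks a received packet against a local key table, reporting ok/bad/none in the wording the Time page uses. Assumptions not in the guide: the key table is constructed, key values are raw bytes (a real ntp.keys file stores ASCII or hex strings), packets carry no extension fields, and AES-128 CMAC is left out because the standard library has no CMAC.

```python
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
DIGESTS = {"MD5": "md5", "SHA-1": "sha1"}

# Constructed key table (assumption): key number -> (key type, key value). A real
# ntp.keys file stores the value as an ASCII or hex string. AES-128 CMAC keys are
# left out because CMAC is not in the standard library.
KEYS = {
    2: ("MD5", b"example-md5-secret"),
    5: ("SHA-1", bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f001122334")),
}


def build_client_packet(tx_time: float) -> bytes:
    """48-byte NTPv4 client request (LI=0, VN=4, Mode=3) carrying a transmit timestamp."""
    secs = int(tx_time) + NTP_EPOCH_OFFSET
    frac = int((tx_time - int(tx_time)) * (1 << 32))
    first = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, then nine zero words, then the transmit timestamp
    return struct.pack("!BBBb11I", first, 0, 0, 0, *([0] * 9), secs, frac)


def mac_for(packet: bytes, key_type: str, key: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: digest over key || packet (the trailing key
    number and digest fields are not covered)."""
    return hashlib.new(DIGESTS[key_type], key + packet).digest()


def authenticate(packet: bytes, key_id: int, keys=KEYS) -> bytes:
    """Append the 4-byte key number and the digest, as a peer holding that key does."""
    key_type, key = keys[key_id]
    return packet + struct.pack("!I", key_id) + mac_for(packet, key_type, key)


def check_authentication(data: bytes, keys=KEYS) -> str:
    """Verify a received packet against the local key table (packets without
    extension fields assumed). Returns 'none' for an unauthenticated packet,
    otherwise 'ok, key N, TYPE' or 'bad, key N, TYPE' as the Time page reports it."""
    if len(data) <= NTP_HEADER_LEN:
        return "none"
    header, trailer = data[:NTP_HEADER_LEN], data[NTP_HEADER_LEN:]
    if len(trailer) < 4:
        return "bad, malformed MAC"
    key_id = struct.unpack("!I", trailer[:4])[0]
    entry = keys.get(key_id)
    if entry is None:
        return f"bad, key {key_id}, unknown"   # key number not in our table
    key_type, key = entry
    expected = mac_for(header, key_type, key)
    received = trailer[4:]
    if len(received) == len(expected) and hmac.compare_digest(received, expected):
        return f"ok, key {key_id}, {key_type}"
    return f"bad, key {key_id}, {key_type}"    # wrong key value or altered packet


if __name__ == "__main__":
    packet = build_client_packet(time.time())
    print(check_authentication(authenticate(packet, 2)))  # ok, key 2, MD5
    print(check_authentication(authenticate(packet, 2), {2: ("MD5", b"mismatch")}))  # bad, key 2, MD5
```

A "bad, key 2, MD5" on the Time page is exactly the second case: both sides agree on key number 2 and on MD5, but the key value entered on the management center differs from the one in the server's key file, so the digests do not match. A key number the server does not know at all is the "unknown" branch.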
Global User Configuration Settings
Global User Configuration settings affect all users on the Secure Firewall Management Center. Configure these settings on the User Configuration page ( System ( ) > Configuration > User Configuration ):
• Password Reuse Limit: The number of passwords in a user’s most recent history that cannot be reused. This limit applies to web interface access for all users. For the admin user, this applies to CLI access as well; the system maintains separate password lists for each form of access. Setting the limit to zero (the default) places no restrictions on password reuse. See Set Password Reuse Limit, on page 90.
• Track Successful Logins: The number of days that the system tracks successful logins to the Secure Firewall Management Center, per user, per access method (web interface or CLI). When users log in, the system displays their successful login count for the interface being used. When Track Successful Logins is set to zero (the default), the system does not track or report successful login activity. See Track Successful Logins, on page 90.
• Max Number of Login Failures: The number of times in a row that users can enter incorrect web interface login credentials before the system temporarily blocks the account from access for a configurable time period. If a user continues login attempts while the temporary lockout is in force:
  • The system refuses access for that account (even with a valid password) without informing the user that a temporary lockout is in force.
  • The system continues to increment the failed login count for that account with each login attempt.
  • If the user exceeds the Maximum Number of Failed Logins configured for that account on the individual User Configuration page, the account is locked out until an admin user reactivates it.
• Set Time in Minutes to Temporarily Lockout Users: The duration in minutes for a temporary web interface user lockout if Max Number of Login Failures is non-zero.
• Max Concurrent Sessions Allowed: The number of sessions of a particular type (read-only or read/write) that can be open at the same time. The type of session is determined by the roles assigned to a user. If a user is assigned only read-only roles, that user's session is counted toward the (Read Only) session limit. If a user has any roles with write privileges, the session is counted toward the Read/Write session limit.
For example, if a user is assigned the Admin role and the Maximum sessions for users with Read/Write privileges/CLI users is set to 5, the user will not be allowed to log in if there are already five other users logged in that have read/write privileges.
Note Predefined user roles and custom user roles that the system considers read-only for the purposes of concurrent session limits are labeled with (Read Only) in the role name on the System ( ) > Users > Users and the System ( ) > Users > User Roles pages. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write. The system automatically applies (Read Only) to roles that meet the required criteria. You cannot make a role read-only by adding that text string manually to the role name.
For each type of session, you can set a maximum limit ranging from 1 to 1024. When Max Concurrent Sessions Allowed is set to zero (the default), the number of concurrent sessions is unlimited.
If you change the concurrent session limit to a value more restrictive, the system will not close any currently open sessions; it will, however, prevent new sessions beyond the number specified from being opened.
Set Password Reuse Limit
If you enable the Password Reuse Limit , the system keeps encrypted password histories for management center users. Users cannot reuse passwords in their histories. You can specify the number of stored passwords for each user, per access method (web interface or CLI). A user's current password counts towards this number.
If you lower the limit, the system deletes older passwords from the history. Increasing the limit does not restore deleted passwords.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click User Configuration.
Step 3 Set the Password Reuse Limit to the number of passwords you want to maintain in the history (maximum 256). To disable password reuse checking, enter 0.
Step 4 Click Save.
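The reuse check and the trim-when-lowered behaviour described above, as an added Python model that is not Cisco's code. It assumes a salted PBKDF2 digest as the stored form (the guide only says the histories are encrypted) and keeps one history per access method (web interface and CLI), as the guide describes.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Added example, not management center code. The salted PBKDF2 digest stands
# in for whatever the appliance actually stores; the rules are the guide's.
PBKDF2_ROUNDS = 50_000


class PasswordHistory:
    """Bounded history of one user's passwords for one access method."""

    def __init__(self, limit: int) -> None:
        self.limit = 0
        self._entries: List[Tuple[bytes, bytes]] = []  # oldest first: (salt, digest)
        self.set_limit(limit)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def in_history(self, password: str) -> bool:
        return any(self._digest(salt, password) == digest for salt, digest in self._entries)

    def set_limit(self, limit: int) -> None:
        """Password Reuse Limit: 0 disables checking, maximum 256."""
        if not 0 <= limit <= 256:
            raise ValueError("Password Reuse Limit must be between 0 and 256")
        self.limit = limit
        # Lowering the limit deletes the oldest entries; raising it later does
        # not bring them back, because they are gone from the store.
        if limit == 0:
            self._entries.clear()      # assumption: nothing is retained while disabled
        else:
            del self._entries[:-limit]

    def change_password(self, new_password: str) -> bool:
        """Record the new password and return True, or False if it is still in the history."""
        if self.limit and self.in_history(new_password):
            return False
        if self.limit:
            salt = os.urandom(16)
            self._entries.append((salt, self._digest(salt, new_password)))
            del self._entries[:-self.limit]   # the current password occupies one slot
        return True


class UserPasswords:
    """One history per access method, as the guide describes (web interface, CLI)."""

    def __init__(self, limit: int, methods=("web", "cli")) -> None:
        self.histories: Dict[str, PasswordHistory] = {m: PasswordHistory(limit) for m in methods}

    def change_password(self, method: str, new_password: str) -> bool:
        return self.histories[method].change_password(new_password)


def reuse_walkthrough() -> List[bool]:
    """Walk through the guide's rules with constructed passwords; returns each outcome."""
    hist = PasswordHistory(limit=3)
    results = [
        hist.change_password("Alpha-1!"),    # True: history [Alpha]
        hist.change_password("Bravo-2!"),    # True: [Alpha, Bravo]
        hist.change_password("Charlie-3!"),  # True: [Alpha, Bravo, Charlie]
        hist.change_password("Alpha-1!"),    # False: still within the three remembered
        hist.change_password("Delta-4!"),    # True: Alpha drops out -> [Bravo, Charlie, Delta]
        hist.change_password("Alpha-1!"),    # True: no longer remembered -> [Charlie, Delta, Alpha]
    ]
    hist.set_limit(2)                                    # lowered: Charlie deleted -> [Delta, Alpha]
    results.append(hist.change_password("Charlie-3!"))   # True -> [Alpha, Charlie]
    hist.set_limit(5)                                    # raised: Delta is NOT restored
    results.append(hist.change_password("Delta-4!"))     # True -> [Alpha, Charlie, Delta]
    results.append(hist.change_password("Charlie-3!"))   # False: still remembered
    return results
```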
Track Successful Logins
Use this procedure to enable tracking successful logins for each user for a specified number of days. When this tracking is enabled, the system displays the successful login count when users log into the web interface or the CLI.
Note If you lower the number of days, the system deletes records of older logins. If you then increase the limit, the system does not restore the count from those days. In that case, the reported number of successful logins may be temporarily lower than the actual number.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click User Configuration.
Step 3 Set Track Successful Login Days to the number of days to track successful logins (maximum 365). To disable login tracking, enter 0.
Step 4 Click Save.
Enabling Temporary Lockouts
Enable the temporary timed lockout feature by specifying the number of failed login attempts in a row that the system allows before the lockout goes into effect.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click User Configuration.
Step 3 Set the Max Number of Login Failures to the maximum number of consecutive failed login attempts before the user is temporarily locked out. To disable the temporary lockout, enter zero.
Step 4 Set the Time in Minutes to Temporarily Lockout Users to the number of minutes to lock out users who have triggered a temporary lockout. When this value is zero, users do not have to wait to retry to log in, even if the Max Number of Login Failures is non-zero.
Step 5 Click Save.
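The counting rules from the Max Number of Login Failures description (refusal during the lockout even with a valid password, the counter that keeps incrementing, the per-user Maximum Number of Failed Logins that needs an admin to clear) and the two settings in this procedure, as an added Python simulation that is not Cisco's code. The minute-based clock and the plaintext stand-in credential store are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not management center code. Times are minutes on a simple
# clock and the password check is a plaintext stand-in for the real store.


@dataclass
class LockoutPolicy:
    """System-wide settings from System > Configuration > User Configuration."""
    max_login_failures: int = 3   # Max Number of Login Failures (0 disables)
    lockout_minutes: int = 10     # Time in Minutes to Temporarily Lockout Users (0 = no wait)


@dataclass
class Account:
    password: str                          # constructed stand-in credential
    max_failed_logins: int = 0             # per-user Maximum Number of Failed Logins (0 = unlimited)
    consecutive_failures: int = 0
    locked_until: Optional[float] = None   # minute at which a temporary lockout expires
    needs_admin_reactivation: bool = False


def _temporarily_locked(acct: Account, now: float) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def _record_failure(acct: Account, policy: LockoutPolicy, now: float) -> None:
    acct.consecutive_failures += 1
    # Per-account ceiling: exceeding it locks the account until an admin reactivates it.
    if acct.max_failed_logins and acct.consecutive_failures > acct.max_failed_logins:
        acct.needs_admin_reactivation = True
        acct.locked_until = None
        return
    # System-wide threshold: start a temporary lockout, but do not extend one in progress.
    if (policy.max_login_failures
            and acct.consecutive_failures >= policy.max_login_failures
            and policy.lockout_minutes > 0
            and not _temporarily_locked(acct, now)):
        acct.locked_until = now + policy.lockout_minutes


def attempt_login(acct: Account, policy: LockoutPolicy, password: str, now: float) -> str:
    """Return 'ok', 'bad-password', 'locked' (temporary) or 'disabled' (needs an admin).

    During a temporary lockout even a valid password is refused and the failure
    counter still increments, as the guide describes; a caller should show the
    same generic failure message for 'bad-password' and 'locked'.
    """
    if acct.needs_admin_reactivation:
        return "disabled"
    if _temporarily_locked(acct, now):
        _record_failure(acct, policy, now)
        return "locked"
    if password == acct.password:
        acct.consecutive_failures = 0
        acct.locked_until = None
        return "ok"
    _record_failure(acct, policy, now)
    return "bad-password"


def reactivate(acct: Account) -> None:
    """What an admin does on the user's page to clear a hard lock."""
    acct.needs_admin_reactivation = False
    acct.consecutive_failures = 0
    acct.locked_until = None


def run_scenarios() -> Dict[str, List[str]]:
    """Two constructed walkthroughs; each list holds the outcome of every attempt."""
    # 1) threshold 3, 10-minute lockout, per-user ceiling of 6 failures
    policy = LockoutPolicy(max_login_failures=3, lockout_minutes=10)
    acct = Account(password="Example-Pass-1!", max_failed_logins=6)
    with_wait = [attempt_login(acct, policy, "wrong", 0) for _ in range(3)]  # 3rd failure starts lockout
    with_wait.append(attempt_login(acct, policy, "Example-Pass-1!", 1))      # valid, but locked
    with_wait.append(attempt_login(acct, policy, "Example-Pass-1!", 11))     # lockout expired
    with_wait += [attempt_login(acct, policy, "wrong", 20 + i) for i in range(7)]  # 7th exceeds ceiling
    with_wait.append(attempt_login(acct, policy, "Example-Pass-1!", 100))    # needs an admin
    reactivate(acct)
    with_wait.append(attempt_login(acct, policy, "Example-Pass-1!", 101))
    # 2) same threshold but lockout time 0: no wait is imposed
    policy0 = LockoutPolicy(max_login_failures=3, lockout_minutes=0)
    acct0 = Account(password="Example-Pass-1!")
    no_wait = [attempt_login(acct0, policy0, "wrong", 0) for _ in range(3)]
    no_wait.append(attempt_login(acct0, policy0, "Example-Pass-1!", 0))
    return {"with_wait": with_wait, "no_wait": no_wait}
```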
Set Maximum Number of Concurrent Sessions
You can specify the maximum number of sessions of a particular type (read-only or read/write) that can be open at the same time. The type of session is determined by the roles assigned to a user. If a user is assigned only read-only roles, that user's session is counted toward the Read Only session limit. If a user has any roles with write privileges, the session is counted toward the Read/Write session limit.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click User Configuration.
Step 3 For each type of session (Read Only and Read/Write), set the Max Concurrent Sessions Allowed to the maximum number of sessions of that type that can be open at the same time. To apply no limits on concurrent users by session type, enter zero.
Note If you change the concurrent session limit to a value more restrictive, the system will not close any currently open sessions; it will, however, prevent new sessions beyond the number specified from being opened.
Step 4 Click Save.
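The role-to-session-type rule and the limit behaviour described above (zero means unlimited, valid limits are 1 to 1024, a tightened limit leaves open sessions alone), as an added Python model that is not Cisco's code. It assumes that any "(Read Only)" marker it sees in a role name was applied by the system, since the guide says adding the text by hand has no effect.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Added example, not management center code.
READ_ONLY = "Read Only"
READ_WRITE = "Read/Write"
MARKER = "(Read Only)"   # label the system itself puts on qualifying roles


def session_type(roles: Iterable[str]) -> str:
    """A session is Read Only only if every assigned role carries the marker.

    Assumption: the role names passed in were labelled by the system, so the
    marker can be trusted here.
    """
    roles = list(roles)
    if roles and all(MARKER in r for r in roles):
        return READ_ONLY
    return READ_WRITE


@dataclass
class SessionLimiter:
    # 0 (the default) means unlimited; valid limits are 1..1024
    limits: Dict[str, int] = field(default_factory=lambda: {READ_ONLY: 0, READ_WRITE: 0})
    open_sessions: List[Tuple[str, str]] = field(default_factory=list)  # (user, session type)

    def set_limit(self, kind: str, value: int) -> None:
        if not 0 <= value <= 1024:
            raise ValueError("limit must be 0 (unlimited) or 1..1024")
        self.limits[kind] = value   # deliberately leaves already-open sessions alone

    def count(self, kind: str) -> int:
        return sum(1 for _, k in self.open_sessions if k == kind)

    def login(self, user: str, roles: Iterable[str]) -> bool:
        kind = session_type(roles)
        limit = self.limits[kind]
        if limit and self.count(kind) >= limit:
            return False            # the guide's "already five other users" case
        self.open_sessions.append((user, kind))
        return True

    def logout(self, user: str) -> None:
        self.open_sessions = [s for s in self.open_sessions if s[0] != user]


def session_walkthrough() -> List[bool]:
    """Constructed users and roles; returns the outcome of each step."""
    lim = SessionLimiter()
    lim.set_limit(READ_WRITE, 2)
    out = [
        lim.login("admin1", ["Administrator"]),                                   # True
        lim.login("admin2", ["Administrator"]),                                   # True
        lim.login("admin3", ["Administrator"]),                                   # False: 2 RW open
        lim.login("analyst", ["Security Analyst (Read Only)"]),                   # True: RO unlimited
        lim.login("mixed", ["Security Analyst (Read Only)", "Discovery Admin"]),  # False: any write role -> RW
    ]
    lim.set_limit(READ_WRITE, 1)              # more restrictive: admin1 and admin2 stay logged in
    out.append(lim.count(READ_WRITE) == 2)    # True
    lim.logout("admin2")
    out.append(lim.login("admin4", ["Administrator"]))   # False: 1 open >= new limit of 1
    lim.logout("admin1")
    out.append(lim.login("admin4", ["Administrator"]))   # True
    return out
```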
Session Timeouts
Unattended login sessions may be security risks. You can configure the amount of idle time before a user’s login session times out due to inactivity.
Note that you can exempt specific web interface users from timeout, for scenarios where you plan to passively, securely monitor the system for long periods of time. Users with the Administrator role, whose complete access to menu options poses an extra risk if compromised, cannot be made exempt from session timeouts.
Configure Session Timeouts
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click CLI Timeout.
Step 3 Configure session timeouts:
• Web interface (management center only): Configure the Browser Session Timeout (Minutes). The default value is 60; the maximum value is 1440 (24 hours). To exempt users from this session timeout, see Add an Internal User, on page 111.
• CLI: Configure the CLI Timeout (Minutes) field. The default value is 0; the maximum value is 1440 (24 hours).
Step 4 Click Save.
Vulnerability Mapping
The system automatically maps vulnerabilities to a host IP address for any application protocol traffic received or sent from that address, when the server has an application ID in the discovery event database and the packet header for the traffic includes a vendor and version.
For servers whose packets carry no vendor or version information, you can configure whether the system associates vulnerabilities with that server's traffic.
For example, suppose a host serves SMTP traffic that does not have a vendor or version in the header. If you enable the SMTP server on the Vulnerability Mapping page of a system configuration, then save that configuration to the Secure Firewall Management Center managing the device that detects the traffic, all vulnerabilities associated with SMTP servers are added to the host profile for the host.
Although custom application protocol detectors collect server information and add it to host profiles, they are not used for vulnerability mapping, because you cannot specify a vendor or version for a custom application protocol detector and cannot select the server for vulnerability mapping.
Mapping Vulnerabilities for Servers
This procedure requires any Smart License or the Protection classic license.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Choose Vulnerability Mapping.
Step 3 You have the following choices:
• To prevent vulnerabilities for a server from being mapped to hosts that receive application protocol traffic without vendor or version information, clear the check box for that server.
• To cause vulnerabilities for a server to be mapped to hosts that receive application protocol traffic without vendor or version information, check the check box for that server.
Tip You can check or clear all check boxes at once using the check box next to Enabled.
Step 4 Click Save.
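The two mapping cases explained in the Vulnerability Mapping section above (a vendor and version in the packet header map only the matching records; no vendor or version maps every record for that server type, but only if the server is checked on the Vulnerability Mapping page; custom detectors never map), as an added Python model that is not Cisco's code. The vulnerability records, identifiers and discovery events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example, not management center code; all records below are constructed.


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # constructed identifier, not a real CVE or SVID
    app_protocol: str        # e.g. "SMTP"
    vendor: Optional[str]
    version: Optional[str]


@dataclass(frozen=True)
class ServerEvent:
    """What discovery recorded about one server on one host."""
    host_ip: str
    app_protocol: str
    vendor: Optional[str]
    version: Optional[str]
    custom_detector: bool = False   # custom application protocol detectors are never mapped


def map_vulnerabilities(events: List[ServerEvent], vulns: List[Vuln],
                        enabled_versionless: Set[str]) -> Dict[str, Set[str]]:
    """Return host IP -> vulnerability ids that would be added to the host profile.

    enabled_versionless holds the servers checked on the Vulnerability Mapping page.
    """
    profiles: Dict[str, Set[str]] = {}
    for ev in events:
        hits: Set[str] = set()
        if ev.custom_detector:
            pass    # the detector adds server info to the profile, but maps nothing
        elif ev.vendor and ev.version:
            # header carried vendor and version: map exactly those records
            hits = {v.vuln_id for v in vulns
                    if v.app_protocol == ev.app_protocol
                    and v.vendor == ev.vendor and v.version == ev.version}
        elif ev.app_protocol in enabled_versionless:
            # no vendor or version, but the server is enabled on the page:
            # every vulnerability associated with that server type is added
            hits = {v.vuln_id for v in vulns if v.app_protocol == ev.app_protocol}
        profiles.setdefault(ev.host_ip, set()).update(hits)
    return profiles


def mapping_walkthrough() -> Dict[str, Set[str]]:
    """Constructed vulnerability table and discovery events covering each case."""
    vulns = [
        Vuln("V-1", "SMTP", "ExampleMail", "1.0"),
        Vuln("V-2", "SMTP", "ExampleMail", "2.0"),
        Vuln("V-3", "SMTP", "OtherMail", "1.0"),
        Vuln("V-4", "HTTP", "ExampleWeb", "3.1"),
    ]
    events = [
        ServerEvent("10.0.0.1", "SMTP", "ExampleMail", "1.0"),   # versioned: only V-1
        ServerEvent("10.0.0.2", "SMTP", None, None),             # versionless, SMTP enabled: all SMTP
        ServerEvent("10.0.0.3", "HTTP", None, None),             # versionless, HTTP not enabled: nothing
        ServerEvent("10.0.0.4", "SMTP", None, None, custom_detector=True),  # custom detector: nothing
    ]
    return map_vulnerabilities(events, vulns, enabled_versionless={"SMTP"})
```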
Remote Console Access Management
You can use a Linux system console for remote access on supported systems via either the VGA port (which is the default) or the serial port on the physical appliance. Use the Console Configuration page to choose the option most suitable to the physical layout of your organization’s Firepower deployment.
On supported physical-hardware-based systems, you can use Lights-Out Management (LOM) on a Serial Over LAN (SOL) connection to remotely monitor or manage the system without logging into the management interface of the system. You can perform limited tasks, such as viewing the chassis serial number or monitoring such conditions as fan speed and temperature, using a command line interface on an out-of-band management connection. The cable connection to support LOM varies by management center model:
• For management center models MC1600, MC2600, and MC4600, use a connection with the CIMC port to support LOM. See the Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide for more information.
• For all other management center hardware models, use a connection with the default (eth0) management port to support LOM. See the Cisco Firepower Management Center Getting Started Guide for your hardware model.
You must enable LOM for both the system and the user you want to manage the system. After you enable the system and the user, you use a third-party Intelligent Platform Management Interface (IPMI) utility to access and manage your system.
Configuring Remote Console Settings on the System
You must be an Admin user to perform this procedure.
Before you begin
• Disable Spanning Tree Protocol (STP) on any third-party switching equipment connected to the device’s management interface.
• If you plan to enable Lights-Out Management see the Getting Started Guide for your appliance for information about installing and using an Intelligent Platform Management Interface (IPMI) utility.
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click Console Configuration.
Step 3 Choose a remote console access option:
• Choose VGA to use the appliance's VGA port.
• Choose Physical Serial Port to use the appliance's serial port.
• Choose Lights-Out Management to use an SOL connection on the management center. (This may use the default management port or the CIMC port depending on your management center model. See the Getting Started Guide for your model for more information.)
Step 4 To configure LOM via SOL:
• Choose the address Configuration for the system ( DHCP or Manual ).
• If you chose manual configuration, enter the necessary IPv4 settings:
• Enter the IP Address to be used for LOM.
Note The LOM IP address must be different from and in the same subnet as the management center management interface IP address.
• Enter the Netmask for the system.
• Enter the Default Gateway for the system.
Step 5 Click Save .
Step 6 The system displays the following warning: "You will have to reboot your system for these changes to take effect." Click OK to reboot now or Cancel to reboot later.
What to do next
• If you configured serial access, be sure the rear-panel serial port is connected to a local computer, terminal server, or other device that can support remote serial access over Ethernet as described in the Getting Started Guide for your management center model.
• If you configured Lights-Out Management, enable a Lights-Out Management user; see Lights-Out Management User Access Configuration, on page 95.
Lights-Out Management User Access Configuration
You must explicitly grant Lights-Out Management permissions to users who will use the feature. LOM users also have the following restrictions:
• You must assign the Administrator role to the user.
• The username may have up to 16 alphanumeric characters. Hyphens and longer user names are not supported for LOM users.
• A user’s LOM password is the same as that user’s system password. The password must comply with the requirements described in . Cisco recommends that you use a complex, non-dictionary-based password of the maximum supported length for your appliance and change it every three months.
• Physical Secure Firewall Management Centers can have up to 13 LOM users.
Note that if you deactivate, then reactivate, a user with LOM while that user is logged in, or restore a user from a backup during that user’s login session, that user may need to log back into the web interface to regain access to ipmitool commands.
Enabling Lights-Out Management User Access
You must be an Admin user to perform this procedure.
Use this task to grant LOM access to an existing user. To grant LOM access to a new user, see .
Procedure
Step 1 Choose System ( ) > Users > Users.
Step 2 To grant LOM user access to an existing user, click Edit ( ) next to a user name in the list.
Step 3 Under User Configuration, enable the Administrator role.
Step 4 Check the Allow Lights-Out Management Access check box.
Step 5 Click Save.
Serial Over LAN Connection Configuration
You use a third-party IPMI utility on your computer to create a Serial Over LAN connection to the appliance.
If your computer uses a Linux-like or Mac environment, use IPMItool; for Windows environments, you can use IPMIutil or IPMItool, depending on your Windows version.
Note Cisco recommends using IPMItool version 1.8.12 or greater.
Linux
IPMItool is standard with many distributions and is ready to use.
Mac
You must install IPMItool on a Mac. First, confirm that your Mac has Apple's Xcode developer tools installed, making sure that the optional components for command line development are installed (UNIX Development and System Tools in newer versions, or Command Line Support in older versions). Then you can install MacPorts and IPMItool. Use your favorite search engine for more information or try these sites: https://developer.apple.com/technologies/tools/ , http://www.macports.org/ , http://github.com/ipmitool/ipmitool/
Windows
For Windows Versions 10 and greater with Windows Subsystem for Linux (WSL) enabled, as well as some older versions of Windows Server, you can use IPMItool. Otherwise, you must compile IPMIutil on your Windows system; you can use IPMIutil itself to compile. Use your favorite search engine for more information or try this site: http://ipmiutil.sourceforge.net/man.html#ipmiutil
Understanding IPMI Utility Commands
Commands used for IPMI utilities are composed of segments as in the following example for IPMItool on Mac: ipmitool -I lanplus -H IP_address -U user_name command where:
• ipmitool invokes the utility.
• -I lanplus specifies to use an encrypted IPMI v2.0 RMCP+ LAN Interface for the session.
• -H IP_address indicates the IP address you have configured for Lights-Out Management on the appliance you want to access.
• -U user_name is the name of an authorized remote session user.
• command is the name of the command you want to use.
Note Cisco recommends using IPMItool version 1.8.12 or greater.
The same command for IPMIutil on Windows looks like this: ipmiutil command -V 4 -J 3 -N IP_address -U user_name
This command connects you to the command line on the appliance where you can log in as if you were physically present at the appliance. You may be prompted to enter a password.
Configuring Serial Over LAN with IPMItool
You must be an Admin user with LOM access to perform this procedure.
Procedure
Using IPMItool, enter the following command, and a password if prompted: ipmitool -I lanplus -H IP_address -U user_name sol activate
Configuring Serial Over LAN with IPMIutil
You must be an Admin user with LOM access to perform this procedure.
Procedure
Using IPMIutil, enter the following command, and a password if prompted: ipmiutil -J 3 -N IP_address -U username sol -a
Lights-Out Management Overview
Lights-Out Management (LOM) provides the ability to perform a limited set of actions over an SOL connection on the default (eth0) management interface without the need to log into the system. You use the command to create a SOL connection followed by one of the LOM commands. After the command is completed, the connection ends.
Caution In rare cases, if your computer is on a different subnet than the system's management interface and the system is configured for DHCP, attempting to access LOM features can fail. If this occurs, you can either disable and then re-enable LOM on the system, or use a computer on the same subnet as the system to ping its management interface. You should then be able to use LOM.
Caution Cisco is aware of a vulnerability inherent in the Intelligent Platform Management Interface (IPMI) standard (CVE-2013-4786). Enabling Lights-Out Management (LOM) on a system exposes this vulnerability. To mitigate this vulnerability, deploy your systems on a secure management network accessible only to trusted users, use a complex, non-dictionary-based password of the maximum supported length for your system, and change it every three months. To prevent exposure to this vulnerability, do not enable LOM.
If all attempts to access your system have failed, you can use LOM to restart your system remotely. Note that if a system is restarted while the SOL connection is active, the LOM session may disconnect or time out.
Caution Do not restart your system unless it does not respond to any other attempts to restart. Remotely restarting does not gracefully reboot the system and you may lose data.
Table 6: Lights-Out Management Commands

IPMItool                  IPMIutil                  Description
(not applicable)          -V 4                      Enables admin privileges for the IPMI session
-I lanplus                -J 3                      Enables encryption for the IPMI session
-H hostname/IP address    -N nodename/IP address    Indicates the LOM IP address or hostname for the management center
-U                        -U                        Indicates the username of an authorized LOM account
sol activate              sol -a                    Starts the SOL session
sol deactivate            sol -d                    Ends the SOL session
chassis power cycle       power -c                  Restarts the appliance
chassis power on          power -u                  Powers up the appliance
chassis power off         power -d                  Powers down the appliance
sdr                       sensor                    Displays appliance information, such as fan speeds and temperatures
For example, to display a list of appliance information, the IPMItool command is: ipmitool -I lanplus -H IP_address -U user_name sdr
Note Cisco recommends using IPMItool version 1.8.12 or greater.
The same command with the IPMIutil utility is: ipmiutil sensor -V 4 -J 3 -N IP_address -U user_name
Configuring Lights-Out Management with IPMItool
You must be an Admin user with LOM access to perform this procedure.
Procedure
Enter the following command for IPMItool and a password if prompted: ipmitool -I lanplus -H IP_address -U user_name command
Configuring Lights-Out Management with IPMIutil
You must be an Admin user with LOM access to perform this procedure.
Procedure
Enter the following command for IPMIutil and a password if prompted: ipmiutil -J 3 -N IP_address -U username command
REST API Preferences
The Firepower REST API provides a lightweight interface for third-party applications to view and manage appliance configuration using a REST client and standard HTTP methods. For more information on the Firepower REST API, see the Firepower REST API Quick Start Guide.
By default, the Secure Firewall Management Center allows requests from applications using the REST API. You can configure the Secure Firewall Management Center to block this access.
Enabling REST API Access
Note In deployments using the management center high availability, this feature is available only in the active management center.
Procedure
Step 1 Choose the Cog ( ) in the upper right corner to open the system menu.
Step 2 Click REST API Preferences.
Step 3 To enable or disable REST API access to the management center, check or uncheck the Enable REST API check box.
Step 4 Click Save.
Step 5 Access the REST API Explorer at: https://<management_center_IP_or_name>:<https_port>/api/api-explorer
VMware Tools and Virtual Systems
VMware Tools is a suite of performance-enhancing utilities intended for virtual machines. These utilities allow you to make full use of the convenient features of VMware products. Firepower virtual appliances running on VMware support the following plugins:
• guestInfo
• powerOps
• timeSync
• vmbackup
You can also enable VMware Tools on all supported versions of ESXi. For information on the full functionality of VMware Tools, see the VMware website ( http://www.vmware.com/ ).
Enabling VMware Tools on the Secure Firewall Management Center for VMware
Procedure
Step 1 Choose System ( ) > Configuration.
Step 2 Click VMware Tools.
Step 3 Click Enable VMware Tools.
Step 4 Click Save.
(Optional) Opt Out of Web Analytics Tracking
By default, in order to improve Firepower products, Cisco collects non-personally-identifiable usage data, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management center appliances.
Data collection begins after you accept the End User License Agreement. If you do not want Cisco to continue to collect this data, you can opt out using the following procedure.
Procedure
Step 1 Choose System > Configuration.
Step 2 Click Web Analytics.
Step 3 Make your choice and click Save.
What to do next
(Optional) Determine whether to share data via the Configure Cisco Success Network Enrollment.
History for System Configuration
Feature: French language option
Version: 7.2
Details: You can now switch the management center web interface to French from System ( ) > Configuration > Language.

Feature: Exempt most connection events from event rate limits
Version: 7.0
Details: Setting the Maximum Connection Events value for the Connection Database to zero now exempts low priority connection events from counting towards the flow rate limit for your management center hardware. Previously, setting this value to zero applied only to event storage, and did not affect the flow rate limit.
New/modified screens: System > Configuration > Database
Supported platforms: Hardware management centers.

Feature: Support for AES-128 CMAC authentication for NTP servers
Version: 7.0
Details: Connections between the management center and NTP servers can be secured with AES-128 CMAC keys as well as previously-supported MD5 and SHA-1 keys.
New/modified screens: System ( ) > Configuration > Time Synchronization

Feature: Subject Alternative Name (SAN)
Version: 6.6
Details: When creating an HTTPS certificate for the management center, you can specify SAN fields. We recommend you use SAN if the certificate secures multiple domain names or IP addresses. For more information about SAN, see RFC 5280, section 4.2.1.6.
New/modified screens: System ( ) > Configuration > HTTPS Certificate
Feature: HTTPS Certificates
Version: 6.6
Details: The default HTTPS server certificate provided with the system now expires in 800 days. If your appliance uses a default certificate that was generated before you upgraded to Version 6.6, the certificate lifetime varies depending on the Firepower version being used when the certificate was generated. See Default HTTPS Server Certificates, on page 43 for more information.
Supported platforms: Hardware management centers.

Feature: Secure NTP
Version: 6.5
Details: The management center supports secure communications with NTP servers using SHA1 or MD5 symmetric key authentication.
New/modified screens: System ( ) > Configuration > Time Synchronization

Feature: Web analytics
Version: 6.5
Details: Web analytics data collection begins after you accept the EULA. As before, you can opt not to continue to share data. See (Optional) Opt Out of Web Analytics Tracking, on page 101.

Feature: Automatic CLI access for the management center
Version: 6.5
Details: When you use SSH to log into the management center, you automatically access the CLI. Although strongly discouraged, you can then use the CLI expert command to access the Linux shell.
Note This feature deprecates the Version 6.3 ability to enable and disable CLI access for the management center. As a consequence of deprecating this option, the virtual management center no longer displays the System > Configuration > Console Configuration page, which still appears on physical management centers.

Feature: Configurable session limits for read-only and read/write access
Version: 6.5
Details: Added the Max Concurrent Sessions Allowed setting. This setting allows the administrator to specify the maximum number of sessions of a particular type (read-only or read/write) that can be open at the same time.
Note Predefined user roles and custom user roles that the system considers read-only for the purposes of concurrent session limits are labeled with (Read Only) in the role name on the System > Users > Users and the System > Users > User Roles pages. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write.
New/modified screens:
• System > Configuration > User Configuration
• System > Users > User Roles

Feature: Ability to disable Duplicate Address Detection (DAD) on management interfaces
Version: 6.4
Details: When you enable IPv6, you can disable DAD. You might want to disable DAD because the use of DAD opens up the possibility of denial of service attacks. If you disable this setting, you need to check manually that this interface is not using an already-assigned address.
New/modified screens: System > Configuration > Management Interfaces > Interfaces > Edit Interface dialog box > IPv6 DAD check box
Supported platforms: management center
Feature: Ability to disable ICMPv6 Echo Reply and Destination Unreachable messages on management interfaces
Version: 6.4
Details: When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable messages. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes.
New/modified screens: System > Configuration > Management Interfaces > ICMPv6
New/modified commands: configure network ipv6 destination-unreachable, configure network ipv6 echo-reply
Supported platforms: management center (web interface only), threat defense (CLI only)

Feature: Global User Configuration Settings
Version: 6.3
Details: Added the Track Successful Logins setting. The system can track the number of successful logins each management center account has performed within a selected number of days. When this feature is enabled, on login users see a message reporting how many times they have successfully logged in to the system in the past configured number of days. (Applies to web interface as well as shell/CLI access.)
Added the Password Reuse Limit setting. The system can track the password history for each account for a configurable number of previous passwords. The system prevents all users from re-using passwords that appear in that history. (Applies to web interface as well as shell/CLI access.)
Added the Max Number of Login Failures and Set Time in Minutes to Temporarily Lockout Users settings. These allow the administrator to limit the number of times in a row a user can enter incorrect web interface login credentials before the system temporarily blocks the account for a configurable period of time.
New/modified screens: System > Configuration > User Configuration
Supported platforms: management center

Feature: HTTPS Certificates
Version: 6.3
Details: The default HTTPS server certificate provided with the system now expires in three years. If your appliance uses a default server certificate that was generated before you upgraded to Version 6.3, the server certificate will expire 20 years from when it was first generated. If you are using the default HTTPS server certificate, the system now provides the ability to renew it.
New/modified screens: System > Configuration > HTTPS Certificate page > Renew HTTPS Certificate.
Supported platforms: management center
Feature: Ability to enable and disable CLI access for the management center
Version: 6.3
Details: There is a new check box available to administrators in the management center web interface: Enable CLI Access on the System ( ) > Configuration > Console Configuration page.
• Checked: Logging into the management center using SSH accesses the CLI.
• Unchecked: Logging into the management center using SSH accesses the Linux shell. This is the default state for fresh Version 6.3 installations as well as upgrades to Version 6.3 from a previous release.
Previous to Version 6.3, there was only one setting on the Console Configuration page, and it applied to physical devices only. So the Console Configuration page was not available on virtual management centers. With the addition of this new option, the Console Configuration page now appears on virtual management centers as well as physical. However, for virtual management centers, this check box is the only thing that appears on the page.
Supported platforms: management center
Chapter 4
Users
The management center includes default admin accounts for web and CLI access. This chapter discusses how to create custom user accounts. See Logging into the Management Center, on page 27 for detailed information about logging into the management center with a user account.
• Guidelines and Limitations for User Accounts for Management Center, on page 110
• Requirements and Prerequisites for User Accounts for Management Center, on page 111
• Add an Internal User, on page 111
• Configure External Authentication for the Management Center, on page 113
• Configure SAML Single Sign-On, on page 129
• Customize User Roles for the Web Interface, on page 180
• Troubleshooting LDAP Authentication Connections, on page 185
• Configure User Preferences, on page 186
• History for Users, on page 194
About Users
You can add custom user accounts on managed devices, either as internal users or as external users on a LDAP or RADIUS server. Each managed device maintains separate user accounts. For example, when you add a user to the management center, that user only has access to the management center; you cannot then use that username to log directly into a managed device. You must separately add a user on the managed device.
Internal and External Users
Managed devices support two types of users:
• Internal user—The device checks a local database for user authentication.
• External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server.
Web Interface and CLI Access
The management center has a web interface, CLI (accessible from the console (either the serial port or the keyboard and monitor) or using SSH to the management interface), and Linux shell. For detailed information about the management UIs, see System User Interfaces, on page 29.
See the following information about management center user types, and which UI they can access:
• admin user—The management center supports two different internal admin users: one for the web interface, and another with CLI access. The system initialization process synchronizes the passwords for these two admin accounts so they start out the same, but they are tracked by different internal mechanisms and may diverge after initial configuration. See the Getting Started Guide for your model for more information on system initialization. (To change the password for the web interface admin, use Integration > Users > Users. To change the password for the CLI admin, use the management center CLI command configure password.)
• Internal users—Internal users added in the web interface have web interface access only.
• External users—External users have web interface access, and you can optionally configure CLI access.
• SSO users—SSO users have web interface access only.
User Roles
Caution CLI users can access the Linux shell using the expert command. We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the management center documentation. CLI users can obtain sudoers privileges in the Linux shell, which can present a security risk.
For system security reasons, we strongly recommend that you:
• Restrict the list of external users with CLI access appropriately.
• Do not add users directly in the Linux shell; only use the procedures in this chapter.
CLI User Role
CLI external users on the management center do not have a user role; they can use all available commands.
Web Interface User Roles
User privileges are based on the assigned user role. For example, you can grant analysts predefined roles such as Security Analyst and Discovery Admin and reserve the Administrator role for the security administrator managing the device. You can also create custom user roles with access privileges tailored to your organization’s needs.
The management center includes the following predefined user roles:
Note Predefined user roles that the system considers read-only for the purposes of concurrent session limits are labeled with (Read Only) in the role name under System > Users > Users and System > Users > User Roles. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write. For more information on concurrent session limits, see Global User Configuration Settings, on page 89.
Access Admin
Provides access to access control policy and associated features in the Policies menu. Access Admins cannot deploy policies.
Administrator
Administrators have access to everything in the product; their sessions present a higher security risk if compromised, so you cannot make them exempt from login session timeouts.
You should limit use of the Administrator role for security reasons.
Discovery Admin
Provides access to network discovery, application detection, and correlation features in the Policies menu. Discovery Admins cannot deploy policies.
External Database User (Read Only)
Provides read-only access to the database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the appliance, you must enable database access in the system settings. On the web interface, External Database Users have access only to online help-related options in the Help menu. Because this role’s function does not involve the web interface, access is provided only for ease of support and password changes.
Intrusion Admin
Provides access to all intrusion policy, intrusion rule, and network analysis policy features in the Policies and Objects menus. Intrusion Admins cannot deploy policies.
Maintenance User
Provides access to monitoring and maintenance features. Maintenance Users have access to maintenance-related options in the Health and System menus.
Network Admin
Provides access to access control, SSL inspection, DNS policy, and identity policy features in the Policies menu, as well as device configuration features in the Devices menus. Network Admins can deploy configuration changes to devices.
Security Analyst
Provides access to security event analysis features, and read-only access to health events, in the Overview, Analysis, Health, and System menus.
Security Analyst (Read Only)
Provides read-only access to security event analysis features and health event features in the Overview, Analysis, Health, and System menus.
Users with this role can also:
• From the health monitor pages for specific devices, generate and download troubleshooting files.
• Under user preferences, set file download preferences.
• Under user preferences, set the default time window for event views (with the exception of the Audit Log Time Window).
Security Approver
Provides limited access to access control and associated policies and network discovery policies in the Policies menu. Security Approvers can view and deploy these policies, but cannot make policy changes.
Threat Intelligence Director (TID) User
Provides access to Threat Intelligence Director configurations in the Intelligence menu. Threat Intelligence Director (TID) Users can view and configure TID.
User Passwords
The following rules apply to passwords for internal user accounts on the management center, with Lights-Out Management (LOM) enabled or disabled. Different password requirements apply for externally authenticated accounts or in systems with security certifications compliance enabled. See Configure External Authentication for the Management Center, on page 113 and Security Certifications Compliance, on page 295 for more information.
During management center initial configuration, the system requires the admin user to set the account password to comply with strong password requirements described in the table below. For physical management centers, the strong password requirements with LOM enabled are used, and for virtual management centers, the strong password requirements with LOM not enabled are used. At this time the system synchronizes the passwords for the web interface admin and the CLI access admin . After initial configuration, the web interface admin can remove the strong password requirement, but the CLI access admin must always comply with strong password requirements with LOM not enabled.
Password Strength Checking On, LOM Not Enabled
Passwords must include:
• At least eight characters, or the number of characters configured for the user by the administrator, whichever is greater.
• No more than two sequentially repeating characters
• At least one lower case letter
• At least one upper case letter
• At least one digit
• At least one special character such as ! @ # * - _ +
The system checks passwords against a special dictionary containing not only many English dictionary words, but also other character strings that could be easily cracked with common password hacking techniques.
Password Strength Checking On, LOM Enabled
Passwords must include:
• Between eight and twenty characters (On MC 1000, MC 2500, and MC 4500 the upper limit is fourteen characters rather than twenty.)
• No more than two sequentially repeating characters
• At least one lower case letter
• At least one upper case letter
• At least one digit
• At least one special character such as ! @ # * - _ +
The rules for special characters vary between different series of physical management centers. We recommend restricting your choice of special characters to those listed in the final bullet above.
Do not include the user name in the password.
The system checks passwords against a special dictionary containing not only many English dictionary words, but also other character strings that could be easily cracked with common password hacking techniques.
Password Strength Checking Off, LOM Not Enabled
Passwords must include the minimum number of characters configured for the user by the administrator. (See for more information.)
Password Strength Checking Off, LOM Enabled
Passwords must include:
• Between eight and twenty characters (On MC 1000, MC 2500, and MC 4500 the upper limit is fourteen characters rather than twenty.)
• Characters from at least three of the following four categories:
• Uppercase letters
• Lowercase letters
• Digits
• Special characters such as ! @ # * - _ +
The rules for special characters vary between different series of physical management centers. We recommend restricting your choice of special characters to those listed in the final bullet above.
Do not include the user name in the password.
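The four rule sets above, as an added checker that is not Cisco code and not the appliance's own implementation: it accepts the page's listed special characters only, stands in a small constructed word list for the appliance's password dictionary, and treats "sequentially repeating" as a run of three identical characters (all three are assumptions).

```python
"""Password-policy checker mirroring the management center rules tabulated above.

Added illustration, not Cisco code. The special-character set, the word list and
the repeat rule are assumptions stated in the comments.
"""
import re

# The special characters the guide lists as examples ("! @ # * - _ +"). Because the
# guide says the accepted set varies between appliance series, this checker accepts
# only the listed ones (assumption).
SPECIAL_CHARS = set("!@#*-_+")

# Stand-in for the appliance's password dictionary (constructed sample, assumption).
WEAK_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}

# Models on which the LOM-enabled upper length limit is 14 rather than 20.
SHORT_LIMIT_MODELS = {"MC 1000", "MC 2500", "MC 4500"}


def check_password(password, username, *, lom_enabled, strength_checking,
                   min_length=8, model=None):
    """Return the list of rules the password violates; an empty list means it is acceptable."""
    problems = []
    n = len(password)

    if lom_enabled:
        upper = 14 if model in SHORT_LIMIT_MODELS else 20
        if not 8 <= n <= upper:
            problems.append(f"length must be between 8 and {upper} characters")
    elif strength_checking:
        # Eight characters or the per-user minimum, whichever is greater.
        if n < max(8, min_length):
            problems.append(f"length must be at least {max(8, min_length)} characters")
    else:
        if n < min_length:
            problems.append(f"length must be at least {min_length} characters")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)

    if strength_checking:
        # Checking On: every category is required and no run of three identical characters
        # (assumption: "no more than two sequentially repeating" means runs of length <= 2).
        if re.search(r"(.)\1\1", password):
            problems.append("no more than two sequentially repeating characters")
        for ok, name in ((has_lower, "lower case letter"), (has_upper, "upper case letter"),
                         (has_digit, "digit"), (has_special, "special character")):
            if not ok:
                problems.append(f"at least one {name}")
        if any(word in password.lower() for word in WEAK_WORDS):
            problems.append("contains a dictionary word")
    elif lom_enabled:
        # Checking Off with LOM: characters from at least three of the four categories.
        if sum((has_lower, has_upper, has_digit, has_special)) < 3:
            problems.append("characters from at least three of the four categories")

    # The user-name rule is stated for the LOM-enabled columns; compared case-insensitively (assumption).
    if lom_enabled and username and username.lower() in password.lower():
        problems.append("must not include the user name")

    return problems
```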
Guidelines and Limitations for User Accounts for Management Center
Defaults
• The management center includes an admin user as a local user account for all forms of access; you cannot delete the admin user. The default initial password is Admin123 ; the system forces you to change this during the initialization process. See the Getting Started Guide for your model for more information about system initialization.
• By default the following settings apply to all user accounts on the management center:
• There are no limits on password reuse.
• The system does not track successful logins.
• The system does not enforce a timed temporary lockout for users who enter incorrect login credentials.
• There are no user-defined limits on the number of read-only and read/write sessions that can be open at the same time.
You can change these settings for all users as a system configuration (System > Configuration > User Configuration). See Global User Configuration Settings, on page 89.
Requirements and Prerequisites for User Accounts for Management Center
Model Support
Management Center
Supported Domains
• SSO configuration—Global only.
• All other features—Any.
User Roles
• SSO configuration—Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.
• All other features—Any user with the Admin role.
• Configure Common Access Card Authentication with LDAP, on page 128 also supports the Network Admin role.
Add an Internal User
This procedure describes how to add custom internal user accounts for the management center.
The System > Users > Users page shows both internal users that you added manually and external users that were added automatically when a user logged in with LDAP or RADIUS authentication. For external users, you can modify the user role on this screen if you assign a role with higher privileges; you cannot modify the password settings.
In a multidomain deployment on the management center, users are only visible in the domain in which they are created. Note that if you add a user in the Global domain, but then assign a user role for a leaf domain, then that user still shows on the Global Users page where it was added, even though the user "belongs" to a leaf domain.
If you enable security certifications compliance or Lights-Out Management (LOM) on a device, different password restrictions apply. For more information on security certifications compliance, see Certifications Compliance, on page 295.
When you add a user in a leaf domain, that user is not visible from the global domain.
Note Avoid having multiple Admin users simultaneously creating new users on the management center, as this may cause an error resulting from a conflict in user database access.
Procedure
Step 1 Choose Integration > Users.
Step 2 Click Create User.
Step 3 Enter a User Name.
The username must comply with the following restrictions:
• Maximum 32 alphanumeric characters, plus hyphen (-), underscore (_) and period (.).
• Letters may be upper or lower case.
• Cannot include any punctuation or special characters other than hyphen (-), underscore (_) and period (.).
Step 4 Real Name: Enter descriptive information to identify the user or department to whom the account belongs.
Step 5 The Use External Authentication Method check box is checked for users that were added automatically when they logged in with LDAP or RADIUS. You do not need to pre-configure external users, so you can ignore this field. For an external user, you can revert this user to an internal user by unchecking the check box.
Step 6 Enter values in the Password and Confirm Password fields.
The values must conform to the password options you set for this user.
Step 7 Set the Maximum Number of Failed Logins.
Enter an integer, without spaces, that determines the maximum number of times each user can try to log in after a failed login attempt before the account is locked. The default setting is 5 tries; use 0 to allow an unlimited number of failed logins. The admin account is exempt from being locked out after a maximum number of failed logins unless you enabled security certification compliance.
Step 8 Set the Minimum Password Length.
Enter an integer, without spaces, that determines the minimum required length, in characters, of a user's password. The default setting is 8. A value of 0 indicates that no minimum length is required.
Step 9 Set the Days Until Password Expiration.
Enter the number of days after which the user's password expires. The default setting is 0, which indicates that the password never expires. If you change from the default, then the Password Lifetime column of the Users list indicates the days remaining on each user's password.
Step 10 Set the Days Before Password Expiration Warning.
Enter the number of warning days users have to change their password before their password actually expires. The default setting is 0 days.
Step 11 Set user Options.
• Force Password Reset on Login—Forces users to change their passwords the next time they log in.
• Check Password Strength—Requires strong passwords. When password strength checking is enabled, passwords must comply with the strong password requirements described in .
• Exempt from Browser Session Timeout—Exempts a user's login sessions from termination due to inactivity. Users with the Administrator role cannot be made exempt.
Step 12 In the User Role Configuration area, assign user role(s). For more information about user roles, see User Roles for the Web Interface, on page 180.
For external users, if the user role is assigned through group membership (LDAP), or based on a user attribute (RADIUS), you cannot remove the minimum access rights. You can, however, assign additional rights. If the user role is the default user role that you set on the device, then you can modify the role in the user account without limitations. When you modify the user role, the Authentication Method column on the Users tab provides a status of External - Locally Modified.
The options you see depend on whether the device is in a single domain or multidomain deployment.
• Single domain—Check the user role(s) you want to assign the user.
• Multidomain—In a multidomain deployment, you can create user accounts in any domain in which you have been assigned Administrator access. Users can have different privileges in each domain. You can assign user roles in both ancestor and descendant domains. For example, you can assign read-only privileges to a user in the Global domain, but Administrator privileges in a descendant domain. See the following steps:
a. Click Add Domain.
b. Choose a domain from the Domain drop-down list.
c. Check the user roles you want to assign the user.
d. Click Save.
Step 13 (Optional, for physical management centers only.) If you have assigned the user the Administrator role, the Administrator Options appear. You can select Allow Lights-Out Management Access to grant Lights-Out Management access to the user. See Lights-Out Management Overview, on page 97 for more information about Lights-Out Management.
Step 14 Click Save.
Configure External Authentication for the Management Center
To enable external authentication, you need to add one or more external authentication objects.
About External Authentication for the Management Center
When you enable external authentication, the management center verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object .
You can configure multiple external authentication objects for web interface access. For example, if you have 5 external authentication objects, users from any of them can be authenticated to access the web interface.
You can use only one external authentication object for CLI access. If you have more than one external authentication object enabled, then users can authenticate using only the first object in the list.
External authentication objects can be used by the management center and threat defense devices. You can share the same object between the different appliance/device types, or create separate objects.
Note The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for RADIUS). If you set the timeout to a higher value, the threat defense external authentication configuration will not work.
For the management center, enable the external authentication objects directly on the System > Users > External Authentication tab; this setting only affects management center usage, and it does not need to be enabled on this tab for managed device usage. For threat defense devices, you must enable the external authentication object in the platform settings that you deploy to the devices.
Web interface users are defined separately from CLI users in the external authentication object. For CLI users on RADIUS, you must pre-configure the list of RADIUS usernames in the external authentication object. For LDAP, you can specify a filter to match CLI users on the LDAP server.
You cannot use an LDAP object for CLI access that is also configured for CAC authentication.
Note Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you:
• Restrict the list of users with CLI or Linux shell access.
• Do not create Linux shell users.
About LDAP
The Lightweight Directory Access Protocol (LDAP) allows you to set up a directory on your network that organizes objects, such as user credentials, in a centralized location. Multiple applications can then access those credentials and the information used to describe them. If you ever need to change a user's credentials, you can change them in one place.
Microsoft has announced that Active Directory servers will start enforcing LDAP binding and LDAP signing in 2020. Microsoft is making these a requirement because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel binding and LDAP signing requirement for Windows on the Microsoft support site.
If you have not done so already, we recommend you start using TLS/SSL encryption to authenticate with an Active Directory server.
About RADIUS
Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865.
Firepower devices support the use of SecurID tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN and use that as their password when they log in. You do not need to configure anything extra on the Firepower device to support SecurID.
Add an LDAP External Authentication Object for Management Center
Add an LDAP server to support external users for device management.
In a multidomain deployment, external authentication objects are only available in the domain in which they are created.
Before you begin
• You must specify DNS server(s) for domain name lookup on your device. Even if you specify an IP address and not a hostname for the LDAP server in this procedure, the LDAP server may return a URI for authentication that can include a hostname. A DNS lookup is required to resolve the hostname. See Modify Management Center Management Interfaces, on page 60 to add DNS servers.
• If you are configuring an LDAP authentication object for use with CAC authentication, do not remove the CAC inserted in your computer. You must have a CAC inserted at all times after enabling user certificates.
Procedure
Step 1 Choose Integration > Users.
Step 2 Click the External Authentication tab.
Step 3 Click Add External Authentication Object.
Step 4 Set the Authentication Method to LDAP.
Step 5 (Optional) Check the check box for CAC if you plan to use this authentication object for CAC authentication and authorization.
You must also follow the procedure in Configure Common Access Card Authentication with LDAP, on page to fully configure CAC authentication and authorization. You cannot use this object for CLI users.
Step 6 Enter a Name and optional Description.
Step 7 Choose a Server Type from the drop-down list.
Tip If you click Set Defaults, the device populates the User Name Template, UI Access Attribute, CLI Access Attribute, Group Member Attribute, and Group Member URL Attribute fields with default values for the server type.
Step 8 For the Primary Server, enter a Host Name/IP Address.
If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.
Step 9 (Optional) Change the Port from the default.
Step 10 (Optional) Enter the Backup Server parameters.
Step 11 Enter LDAP-Specific Parameters.
a) Enter the Base DN for the LDAP directory you want to access. For example, to authenticate names in the Security organization at the Example company, enter ou=security,dc=example,dc=com. Alternatively, click Fetch DNs and choose the appropriate base distinguished name from the drop-down list.
b) (Optional) Enter the Base Filter. For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, enter (physicalDeliveryOfficeName=NewYork).
If you are using CAC authentication, to filter only active user accounts (excluding the disabled user accounts), enter (!(userAccountControl:1.2.840.113556.1.4.803:=2)). This criterion retrieves user accounts within AD belonging to the ldpgrp group whose userAccountControl attribute does not have the value 2 (disabled) set.
c) Enter a User Name for a user who has sufficient credentials to browse the LDAP server. For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute, and the object for the administrator in the Security division at your example company has a uid value of NetworkAdmin, you might enter uid=NetworkAdmin,ou=security,dc=example,dc=com.
d) Enter the user password in the Password and the Confirm Password fields.
e) (Optional) Click Show Advanced Options to configure the following advanced options.
• Encryption—Click None, TLS, or SSL.
If you change the encryption method after specifying a port, you reset the port to the default value for that method. For None or TLS, the port resets to the default value of 389. If you choose SSL encryption, the port resets to 636.
• SSL Certificate Upload Path—For SSL or TLS encryption, you must choose a certificate by clicking Choose File.
If you previously uploaded a certificate and want to replace it, upload the new certificate and redeploy the configuration to your devices to copy over the new certificate.
Note TLS encryption requires a certificate on all platforms. We recommend that you always upload a certificate for SSL to prevent man-in-the-middle attacks.
• User Name Template—Provide a template that corresponds with your UI Access Attribute. For example, to authenticate all users who work in the Security organization of the Example company by connecting to an OpenLDAP server where the UI access attribute is uid, you might enter uid=%s,ou=security,dc=example,dc=com in the User Name Template field. For a Microsoft Active Directory server, you could enter .
This field is required for CAC authentication.
• Shell User Name Template—Provide a template that corresponds with your CLI Access Attribute to authenticate CLI users. For example, to authenticate all users who work in the Security organization by connecting to an OpenLDAP server where the CLI access attribute is sAMAccountName, you might enter %s in the Shell User Name Template field.
• Timeout—Enter the number of seconds before rolling over to the backup connection, between 1 and 1024. The default is 30.
Note The timeout range is different for threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds). If you set the timeout to a higher value, the threat defense LDAP configuration will not work.
Step 12 (Optional) Configure Attribute Mapping to retrieve users based on an attribute.
• Enter a UI Access Attribute, or click Fetch Attrs to retrieve a list of available attributes. For example, on a Microsoft Active Directory Server, you may want to use the UI access attribute to retrieve users, because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.
This field is required for CAC authentication.
• Set the CLI Access Attribute if you want to use a shell access attribute other than the user distinguished type. For example, on a Microsoft Active Directory Server, use the sAMAccountName CLI access attribute to retrieve CLI access users by typing sAMAccountName.
Step 13 (Optional) Configure Group Controlled Access Roles.
If you do not configure a user's privileges using group-controlled access roles, a user has only the privileges granted by default in the external authentication policy.
a) (Optional) In the fields that correspond to user roles, enter the distinguished name for the LDAP groups that contain users who should be assigned to those roles.
Any group you reference must exist on the LDAP server. You can reference static LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object attributes that point to specific users, and dynamic LDAP groups are groups where membership is determined by creating an LDAP search that retrieves group users based on user object attributes. Group access rights for a role only affect users who are members of the group.
If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For this reason, the Firepower device limits the number of recursions of a search to 4 to prevent search syntax errors from causing infinite loops.
Example:
Enter the following in the Administrator field to authenticate names in the information technology organization at the Example company: cn=itgroup,ou=groups,dc=example,dc=com
b) Choose a Default User Role for users that do not belong to any of the specified groups.
c) If you use static groups, enter a Group Member Attribute.
Example:
If the member attribute is used to indicate membership in the static group for default Security Analyst access, enter member.
d) If you use dynamic groups, enter a Group Member URL Attribute.
Example:
If the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you specified for default Admin access, enter memberURL.
If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.
Step 14 (Optional) Set the CLI Access Filter to allow CLI users.
To prevent LDAP authentication of CLI access, leave this field blank. To specify CLI users, choose one of the following methods:
• To use the same filter you specified when configuring authentication settings, choose Same as Base Filter.
• To retrieve administrative user entries based on attribute value, enter the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses. For example, if all network administrators have a manager attribute which has an attribute value of shell, you can set a base filter of (manager=shell).
The usernames must be Linux-valid:
• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
Note Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you restrict the list of users with CLI or Linux shell access.
Note Do not create any internal users that have the same user name as users included in the CLI Access Filter. The only internal management center user should be admin; do not include an admin user in the CLI Access Filter.
Step 15 (Optional) Click Test to test connectivity to the LDAP server.
The test output lists valid and invalid user names. Valid user names are unique, and can include underscores (_), periods (.), hyphens (-), and alphanumeric characters. Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations. If the test fails, see Troubleshooting LDAP Authentication Connections, on page 185.
Step 16 (Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be able to authenticate: enter a User Name uid and Password, and then click Test.
If you are connecting to a Microsoft Active Directory Server and supplied a UI access attribute in place of uid, use the value for that attribute as the user name. You can also specify a fully qualified distinguished name for the user.
Tip If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters field first. If that succeeds, supply a user name and password to test with the specific user.
Example:
To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.
Step 17 Click Save.
Step 18 Enable use of this server. See Enable External Authentication for Users on the Management Center, on page
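The two user-name rule sets in this chapter (the web-interface rules in Add an Internal User, Step 3, and the Linux-valid rules for names matched by the CLI Access Filter, Step 14 above), together with the note that CLI Access Filter names must not collide with internal users or include admin, as an added checker that is not Cisco code; the names passed in are constructed samples.

```python
"""Validate management center user names against the rules stated in this chapter.

Added illustration, not Cisco code. Each function returns a list of violations;
an empty list means the name is acceptable.
"""
import re

MAX_LEN = 32


def validate_web_username(name):
    """Rules for an internal user created on the Users page (Add an Internal User, Step 3)."""
    problems = []
    if not name:
        problems.append("user name must not be empty")
    if len(name) > MAX_LEN:
        problems.append(f"maximum {MAX_LEN} characters")
    # Letters of either case, digits, hyphen, underscore and period only; any other
    # punctuation or special character (including spaces) is rejected.
    if not re.fullmatch(r"[A-Za-z0-9._-]*", name):
        problems.append("only alphanumeric characters, hyphen (-), underscore (_) and period (.) are allowed")
    return problems


def validate_cli_username(name):
    """Linux-valid rules for a name that the CLI Access Filter may match (Step 14)."""
    problems = []
    if not name:
        problems.append("user name must not be empty")
    if len(name) > MAX_LEN:
        problems.append(f"maximum {MAX_LEN} characters")
    # Lowercase letters, digits, hyphen and underscore only. This single check also
    # rejects uppercase letters, period (.), at sign (@) and slash (/).
    if not re.fullmatch(r"[a-z0-9_-]*", name):
        problems.append("only lowercase alphanumeric characters, hyphen (-) and underscore (_) are allowed")
    if name.startswith("-"):
        problems.append("cannot start with a hyphen (-)")
    if name.isdigit():
        problems.append("cannot be all numbers")
    return problems


def check_cli_filter_names(cli_names, internal_users):
    """Return, sorted, the CLI Access Filter names that the guide says must not be there:
    names that collide with an internal management center user, and admin itself."""
    internal = {u.lower() for u in internal_users}
    return sorted(n for n in cli_names if n.lower() in internal or n.lower() == "admin")
```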
Examples
Basic Example
The following figures illustrate a basic configuration of an LDAP login authentication object for a
Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4.
The connection uses port 389 for access.
Cisco Secure Firewall Management Center Administration Guide, 7.2
119
System Settings
Add an LDAP External Authentication Object for Management Center
This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company.
However, because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to store user names rather than the uid attribute. Choosing the MS Active Directory server type and clicking Set Defaults sets the UI Access Attribute to sAMAccountName. As a result, the system checks the sAMAccountName attribute for each object for matching user names when a user attempts to log into the system.
In addition, a CLI Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a CLI account on the appliance.
Note that because no base filter is applied to this server, the system checks attributes for all objects in the directory indicated by the base distinguished name. Connections to the server time out after the default time period (or the timeout period set on the LDAP server).
Advanced Example
This example illustrates an advanced configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 636 for access.
This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. However, note that this server has a base filter of (cn=*smith). The filter restricts the users retrieved from the server to those with a common name ending in smith.
The connection to the server is encrypted using SSL and a certificate named certificate.pem is used for the connection. In addition, connections to the server time out after 60 seconds because of the Timeout setting.
Because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to store user names rather than the uid attribute. Note that the configuration includes a UI Access Attribute of sAMAccountName. As a result, the system checks the sAMAccountName attribute for each object for matching user names when a user attempts to log into the system.
In addition, a CLI Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a CLI account on the appliance.
This example also has group settings in place. The Maintenance User role is automatically assigned to all members of the group with a member group attribute and the base domain name of CN=SFmaintenance,DC=it,DC=example,DC=com.
The CLI Access Filter is set to be the same as the base filter, so the same users can access the appliance through the CLI as through the web interface.
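The lookup that the Basic and Advanced Examples describe, modelled in Python as an added illustration (not Cisco's implementation): a small constructed directory, the settings from both examples, and functions that apply the base DN, base filter, access attribute and group membership. The filter string produced by search_filter is an assumption about the equivalent query; how the management center composes its searches is not documented on this page.

```python
"""Model of the LDAP user lookup and group-based role mapping described in the
Basic and Advanced Examples.  Added illustration, not Cisco's implementation:
the directory entries are constructed and the filter string built by
search_filter() is an assumption about the equivalent ldapsearch-style query."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import re

# Constructed sample directory: DN -> attributes (Active Directory style).
DIRECTORY = {
    "CN=John Smith,OU=security,DC=it,DC=example,DC=com": {
        "cn": "John Smith", "sAMAccountName": "jsmith"},
    "CN=Anne Smith,OU=security,DC=it,DC=example,DC=com": {
        "cn": "Anne Smith", "sAMAccountName": "asmith"},
    "CN=Jane Doe,OU=security,DC=it,DC=example,DC=com": {
        "cn": "Jane Doe", "sAMAccountName": "jdoe"},
    # Outside the base DN: never considered, even though the cn ends in smith.
    "CN=Bob Smith,OU=hr,DC=it,DC=example,DC=com": {
        "cn": "Bob Smith", "sAMAccountName": "bsmith"},
    # The group whose members receive the Maintenance User role.
    "CN=SFmaintenance,DC=it,DC=example,DC=com": {
        "cn": "SFmaintenance",
        "member": ["CN=John Smith,OU=security,DC=it,DC=example,DC=com"]},
}


@dataclass
class LdapAuthObject:
    """The subset of external authentication object settings modelled here."""
    base_dn: str
    access_attribute: str      # UI Access Attribute / CLI Access Attribute
    base_filter: str = ""      # e.g. "(cn=*smith)"; empty means no base filter
    group_dn: str = ""         # base DN of the group that grants a role
    group_member_attr: str = "member"
    group_role: str = "Maintenance User"


BASIC = LdapAuthObject(base_dn="OU=security,DC=it,DC=example,DC=com",
                       access_attribute="sAMAccountName")
ADVANCED = LdapAuthObject(base_dn="OU=security,DC=it,DC=example,DC=com",
                          access_attribute="sAMAccountName",
                          base_filter="(cn=*smith)",
                          group_dn="CN=SFmaintenance,DC=it,DC=example,DC=com")

# RFC 4515 escapes: a typed login name must be matched literally, never
# interpreted as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)


def search_filter(obj: LdapAuthObject, login_name: str) -> str:
    """Filter equivalent to 'base filter AND access attribute = login name'."""
    user_clause = f"({obj.access_attribute}={escape_filter_value(login_name)})"
    return f"(&{obj.base_filter}{user_clause})" if obj.base_filter else user_clause


# Only the simple (attribute=pattern) form used in the example is evaluated.
_SIMPLE = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<pattern>[^()]*)\)$")


def matches_simple_filter(attrs: dict, flt: str) -> bool:
    m = _SIMPLE.match(flt)
    if not m:
        raise ValueError(f"only simple (attr=value) filters are modelled: {flt}")
    value = attrs.get(m["attr"])
    # cn and sAMAccountName use case-insensitive matching in Active Directory.
    return isinstance(value, str) and fnmatchcase(value.lower(), m["pattern"].lower())


def in_subtree(dn: str, base_dn: str) -> bool:
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(obj: LdapAuthObject, directory: dict, login_name: str):
    """DN of the single entry under the base DN whose access attribute equals
    login_name and that passes the base filter; None if none or ambiguous."""
    hits = []
    for dn, attrs in directory.items():
        if not in_subtree(dn, obj.base_dn):
            continue
        if obj.base_filter and not matches_simple_filter(attrs, obj.base_filter):
            continue
        if str(attrs.get(obj.access_attribute, "")).lower() == login_name.lower():
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


def roles_for(obj: LdapAuthObject, directory: dict, login_name: str):
    """Roles granted by the group settings; None means the user was not found."""
    dn = find_user(obj, directory, login_name)
    if dn is None:
        return None
    members = directory.get(obj.group_dn, {}).get(obj.group_member_attr, [])
    return {obj.group_role} if dn in members else set()


if __name__ == "__main__":
    for name in ("jsmith", "asmith", "jdoe", "bsmith"):
        print(name, search_filter(ADVANCED, name), roles_for(ADVANCED, DIRECTORY, name))
```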
Add a RADIUS External Authentication Object for Management Center
Add a RADIUS server to support external users for device management.
In a multidomain deployment, external authentication objects are only available in the domain in which they are created.
Procedure
Step 1 Choose Integration > Users .
Step 2 Click External Authentication.
Step 3 Click Add External Authentication Object.
Step 4 Set the Authentication Method to RADIUS.
Step 5 Enter a Name and optional Description.
Step 6 For the Primary Server, enter a Host Name/IP Address.
Step 7 (Optional) Change the Port from the default.
Step 8 Enter the RADIUS Secret Key.
Step 9 (Optional) Enter the Backup Server parameters.
Step 10 (Optional) Enter RADIUS-Specific Parameters.
a) Enter the Timeout in seconds before retrying the primary server, between 1 and 1024. The default is 30.
Note The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-300 seconds). If you set the timeout to a higher value, the threat defense RADIUS configuration will not work.
b) Enter the Retries before rolling over to the backup server. The default is 3.
c) In the fields that correspond to user roles, enter the name of each user or identifying attribute-value pair that should be assigned to those roles.
Separate usernames and attribute-value pairs with commas.
Example:
If you know all users who should be Security Analysts have the value Analyst for their User-Category attribute, you can enter User-Category=Analyst in the Security Analyst field to grant that role to those users.
Example:
To grant the Administrator role to the users jsmith and jdoe, enter jsmith, jdoe in the Administrator field.
Example:
To grant the Maintenance User role to all users with a User-Category value of Maintenance, enter User-Category=Maintenance in the Maintenance User field.
d) Select the Default User Role for users that do not belong to any of the specified groups.
If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.
Step 11 (Optional) Define Custom RADIUS Attributes.
If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/, and you plan to use those attributes to set roles for users with those attributes, you need to define those attributes. You can locate the attributes returned for a user by looking at the user's profile on your RADIUS server.
a) Enter an Attribute Name .
When you define an attribute, you provide the name of the attribute, which consists of alphanumeric characters. Note that words in an attribute name should be separated by dashes rather than spaces.
b) Enter the Attribute ID as an integer.
The attribute ID should be an integer and should not conflict with any existing attribute IDs in the etc/radiusclient/dictionary file.
c) Choose the Attribute Type from the drop-down list.
You also specify the type of attribute: string, IP address, integer, or date.
d) Click Add to add the custom attribute.
When you create a RADIUS authentication object, a new dictionary file for that object is created on the device in the /var/sf/userauth directory. Any custom attributes you add are added to the dictionary file.
Example:
If a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool.
To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute type of integer.
You could then enter Ascend-Assign-IP-Pool=2 in the Security Analyst (Read Only) field to grant read-only security analyst rights to all users with an Ascend-IP-Pool-Definition attribute value of 2.
Step 12 (Optional) In the CLI Access Filter area Administrator CLI Access User List field, enter the user names that should have CLI access, separated by commas.
Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid usernames:
• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
To prevent RADIUS authentication of CLI access, leave the field blank.
Note Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you restrict the list of users with CLI or Linux shell access.
Note Remove any internal users that have the same user name as users included in the shell access filter.
For the management center, the only internal CLI user is admin , so do not also create an admin external user.
Step 13 (Optional) Click Test to test management center connectivity to the RADIUS server.
Step 14 (Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be able to authenticate: enter a User Name and Password, and then click Test.
Tip If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters field first. If that succeeds, supply a user name and password to test with the specific user.
Example:
To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.
Step 15 Click Save.
Step 16 Enable use of this server. See Enable External Authentication for Users on the Management Center, on page
Examples
Simple User Role Assignments
The following figure illustrates a sample RADIUS login authentication object for a server running Cisco Identity Services Engine (ISE) with an IP address of 10.10.10.98 on port 1812. No backup server is defined.
The following example shows RADIUS-specific parameters, including the timeout (30 seconds) and number of failed retries before the Firepower System attempts to contact the backup server, if any.
This example illustrates important aspects of RADIUS user role configuration:
• Users ewharton and gsand are granted web interface Administrative access.
• The user cbronte is granted web interface Maintenance User access.
• The user jausten is granted web interface Security Analyst access.
• The user ewharton can log into the device using a CLI account.
The following graphic depicts the role configuration for the example:
Roles for Users Matching an Attribute-Value Pair
You can use an attribute-value pair to identify users who should receive a particular user role. If the attribute you use is a custom attribute, you must define the custom attribute.
The following figure illustrates the role configuration and custom attribute definition in a sample RADIUS login authentication object for the same ISE server as in the previous example.
In this example, however, the MS-RAS-Version custom attribute is returned for one or more of the users because a Microsoft remote access server is in use. Note the MS-RAS-Version custom attribute is a string. In this example, all users logging in to RADIUS through a Microsoft v. 5.00 remote access server should receive the Security Analyst (Read Only) role, so you enter the attribute-value pair of MS-RAS-Version=MSRASV5.00 in the Security Analyst (Read Only) field.
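The role-field rules from the RADIUS-Specific Parameters step, the CLI Access Filter name rules, and the user names and attribute-value pairs from the two Examples above, modelled in Python as an added illustration (not Cisco's code). The role fields, the assumed Default User Role and the sample reply attributes are constructed.

```python
"""Model of RADIUS role assignment and CLI Access Filter rules from this
section.  Added illustration, not Cisco's code.  It implements only the rules
the text states: role fields hold comma-separated user names and
attribute=value pairs, a user receives every role whose field matches, the
Default User Role applies when nothing matched, and CLI access names must be
Linux-valid.  All sample data below is constructed."""
import re

# Role fields as they would be typed into the authentication object, using the
# names and attribute-value pairs from the examples in this section.
ROLE_FIELDS = {
    "Administrator": "ewharton, gsand",
    "Maintenance User": "cbronte, User-Category=Maintenance",
    "Security Analyst": "jausten, User-Category=Analyst",
    "Security Analyst (Read Only)": "MS-RAS-Version=MSRASV5.00, Ascend-Assign-IP-Pool=2",
}
DEFAULT_ROLE = "Security Analyst (Read Only)"   # assumed Default User Role
CLI_ACCESS_LIST = "ewharton"                      # Administrator CLI Access User List


def parse_role_field(text: str):
    """Split one role field into user names and {attribute: value} pairs."""
    names, pairs = set(), {}
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue
        if "=" in item:
            attr, _, value = item.partition("=")
            pairs[attr.strip()] = value.strip()
        else:
            names.add(item)
    return names, pairs


def roles_for(username: str, reply_attrs: dict,
              role_fields=ROLE_FIELDS, default_role=DEFAULT_ROLE):
    """Every role whose field names the user or matches an attribute the RADIUS
    server returned for them; the default role only if nothing matched."""
    granted = []
    for role, text in role_fields.items():
        names, pairs = parse_role_field(text)
        by_attr = any(attr in reply_attrs and str(reply_attrs[attr]) == value
                      for attr, value in pairs.items())
        if username in names or by_attr:
            granted.append(role)
    return granted or [default_role]


# Linux-valid name: up to 32 of [a-z0-9_-], all lowercase, no leading hyphen,
# not all digits, and no '.', '@' or '/'.
_LINUX_NAME = re.compile(r"[a-z0-9_][a-z0-9_-]{0,31}")


def is_linux_valid_username(name: str) -> bool:
    return bool(_LINUX_NAME.fullmatch(name)) and not name.isdigit()


def _split_names(text: str) -> set:
    return {n.strip() for n in text.split(",") if n.strip()}


def cli_access(username: str, cli_list: str = CLI_ACCESS_LIST) -> bool:
    """Whether the user may log into the CLI.  An empty list means RADIUS users
    get no CLI access; a Linux-invalid name in the list is a configuration
    error and is rejected rather than silently ignored."""
    names = _split_names(cli_list)
    bad = sorted(n for n in names if not is_linux_valid_username(n))
    if bad:
        raise ValueError(f"Linux-invalid names in CLI access list: {bad}")
    return username in names


def internal_name_clashes(cli_list: str, internal_users=("admin",)):
    """Names in the CLI access list that collide with internal CLI users
    (for the management center, only admin)."""
    return sorted(_split_names(cli_list) & set(internal_users))


if __name__ == "__main__":
    for user, attrs in (("ewharton", {}), ("cbronte", {}), ("jausten", {}),
                        ("vwoolf", {"MS-RAS-Version": "MSRASV5.00"}),
                        ("nobody", {})):
        print(user, roles_for(user, attrs), "CLI" if cli_access(user) else "no CLI")
```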
Enable External Authentication for Users on the Management Center
When you enable external authentication for management users, the management center verifies the user credentials with an LDAP or RADIUS server as specified in an External Authentication object.
Before you begin
Add one or more external authentication objects according to Add an LDAP External Authentication Object for Management Center, on page 115 and Add a RADIUS External Authentication Object for Management
Procedure
Step 1 Choose Integration > Users.
Step 2 Click External Authentication.
Step 3 Set the default user role for external web interface users.
Users without a role cannot perform any actions. Any user roles defined in the external authentication object override this default user role.
a) Click the Default User Roles value (by default, none selected).
b) In the Default User Role Configuration dialog box, check the role(s) that you want to use.
c) Click Save.
Step 4 Click the slider next to each external authentication object that you want to use so that it is enabled. If you enable more than one object, users are compared against servers in the order specified. See the next step to reorder servers.
If you enable shell authentication, you must enable an external authentication object that includes a CLI Access Filter. Also, CLI access users can only authenticate against the server whose authentication object is highest in the list.
Step 5 (Optional) Drag and drop servers to change the order in which they are accessed when an authentication request occurs.
Step 6 Choose Shell Authentication > Enabled if you want to allow CLI access for external users.
The first external authentication object name is shown next to the Enabled option to remind you that only the first object is used for CLI.
Step 7 Click Save and Apply.
Configure Common Access Card Authentication with LDAP
If your organization uses Common Access Cards (CACs), you can configure LDAP authentication to authenticate management center users logging into the web interface. With CAC authentication, users have the option to log in directly without providing a separate username and password for the device.
CAC-authenticated users are identified by their electronic data interchange personal identifier (EDIPI) numbers.
After 24 hours of inactivity, the device deletes CAC-authenticated users from the Users tab. The users are re-added after each subsequent login, but you must reconfigure any manual changes to their user roles.
Before you begin
You must have a valid user certificate present in your browser (in this case, a certificate passed to your browser via your CAC) to enable user certificates as part of the CAC configuration process. After you configure CAC authentication and authorization, users on your network must maintain the CAC connection for the duration of their browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.
Procedure
Step 1 Insert a CAC as directed by your organization.
Step 2 Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your device.
Step 3 If prompted, enter the PIN associated with the CAC you inserted in step 1.
Step 4 If prompted, choose the appropriate certificate from the drop-down list.
Step 5 On the Login page, in the Username and Password fields, log in as a user with Administrator privileges.
You cannot yet log in using your CAC credentials.
Step 6 Choose System > Users > External Authentication.
Step 7 Create an LDAP authentication object exclusively for CAC, following the procedure in Add an LDAP External Authentication Object for Management Center, on page 115. You must configure the following:
• CAC check box.
• LDAP-Specific Parameters > Show Advanced Options > User Name Template.
• Attribute Mapping > UI Access Attribute.
Step 8 Click Save.
Step 9 Enable external authentication and CAC authentication as described in Enable External Authentication for Users on the Management Center, on page 127.
Step 10 Choose System > Configuration, and click HTTPS Certificate.
Step 11 Import an HTTPS server certificate, if necessary, following the procedure outlined in .
The same certificate authority (CA) must issue the HTTPS server certificate and the user certificates on the CACs you plan to use.
Step 12 Under HTTPS User Certificate Settings, choose Enable User Certificates. For more information, see Requiring Valid HTTPS Client Certificates, on page 49.
Step 13 Log into the device according to Logging Into the Secure Firewall Management Center with CAC Credentials, on page 33.
Configure SAML Single Sign-On
You can configure your management center to use Single Sign-On, a system by which a central identity provider (IdP) provides authentication and authorization for users logging into the management center as well as other applications within an organization. The applications configured to take part in such an SSO arrangement are said to be federated service provider applications. SSO users can log in once to gain access to all service provider applications that are members of the same federation.
About SAML Single Sign-On
A management center configured for SSO presents a link for single sign-on on the Login page. Users configured for SSO access click on this link and are redirected to the IdP for authentication and authorization, rather than supplying a username and password on the management center Login page. Once successfully authenticated by the IdP, SSO users are redirected back to the management center web interface and logged in. All the communication between the management center and the IdP to accomplish this takes place using the browser as an intermediary; as a result, the management center does not require a network connection to directly access the identity provider.
The management center supports SSO using any SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard for authentication and authorization. The management center web interface offers configuration options for the following SSO providers:
• Okta
• OneLogin
• Azure
• PingID's PingOne for Customers cloud solution
Note The Cisco Secure Sign On SSO product does not recognize the management center as a pre-integrated service provider.
SSO Guidelines for the Management Center
Keep the following in mind when you configure a management center to be a member of an SSO federation:
• The management center can support SSO with only one SSO provider at a time—you cannot configure the management center to use, for instance, both Okta and OneLogin for SSO.
• Management centers in a high availability configuration can support SSO, but you must keep the following considerations in mind:
• SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.
• Both management centers in a high availability pair must use the same IdP for SSO. You must configure a service provider application at the IdP for each management center configured for SSO.
• In a high availability pair of management centers where both are configured to support SSO, before a user can use SSO to access the secondary management center for the first time, that user must first use SSO to log into the primary management center at least once.
• When configuring SSO for management centers in a high availability pair:
• If you configure SSO on the primary management center, you are not required to configure SSO on the secondary management center.
• If you configure SSO on the secondary management center, you are required to configure SSO on the primary management center as well. (This is because SSO users must log into the primary management center at least once before logging into the secondary management center.)
• In a management center that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.
• Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.
• The management center does not support SSO initiated from the IdP.
• The management center does not support logging in with CAC credentials for SSO accounts.
• Do not configure SSO in deployments using CC mode.
• SSO activities are logged in the management center audit log with Login or Logout specified in the
Subsystem field.
Related Topics
High Availability , on page 275
Logging Into the Secure Firewall Management Center with CAC Credentials , on page 33
Security Certifications Compliance , on page 295
, on page 375
SSO User Accounts
Identity providers can support user and group configuration directly, or they often can import users and groups from other user management applications such as Active Directory, RADIUS, or LDAP. This documentation focuses on configuring the management center to work with the IdP to support SSO assuming that IdP users and groups are already established; to configure an IdP to support users and groups from other user management applications, consult the IdP vendor documentation.
Most account characteristics for SSO users, including the user name and password, are established at the IdP.
SSO accounts do not appear on the management center web interface Users page until those accounts log in the first time.
Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.
The following account characteristics for SSO users can be configured from the management center web interface under System > User > Edit User :
• Real Name
• Exempt from Browser Session Timeout
User Role Mapping for SSO Users
By default, all users given SSO access to a management center are assigned the Security Analyst (Read Only) role. You can change this default, as well as override it for specific SSO users or groups with user role mapping. After you have established and successfully tested the management center SSO configuration, you can configure user role mapping to establish what management center user roles SSO users are assigned when they log in.
User role mapping requires coordinating configuration settings at the management center with settings at the SSO IdP application. User roles can be assigned to users or to groups defined at the IdP application. Users may or may not be members of groups, and user or group definitions may or may not be imported to the IdP from other user management systems within your organization, such as Active Directory. For this reason, to effectively configure management center SSO user role mapping you must be familiar with how your SSO federation is organized and how users, groups and their roles are assigned at the SSO IdP application. This documentation focuses on configuring the management center to work with the IdP to support user role mapping; to create users or groups within the IdP, or import users or groups into the IdP from a user management application, consult the IdP vendor documentation.
In user role mapping, the IdP maintains a role attribute for the management center service provider application, and each user or group with access to that management center is configured with a string or expression for the role attribute (requirements for the attribute value are different for each IdP). At the management center the name of that role attribute is part of the SSO configuration. The management center SSO configuration also contains a list of expressions assigned to a list of management center user roles. When a user logs into the management center using SSO, the management center compares the value of the role attribute for that user (or that user's group, depending upon configuration) against the expressions for each management center user role. The management center assigns the user all the roles where the expression matches the attribute value the user has provided.
Note You can configure management center roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users.
Enable Single Sign-On at the Management Center
Before you begin
• At the SAML SSO management application, configure a service provider application for the management center and assign users or groups to the service provider application:
• To configure a management center service provider application for Okta, see Configure the Management Center Service Provider Application for Okta, on page 134.
• To configure a management center service provider application for OneLogin, see Management Center Service Provider Application for OneLogin, on page 146.
• To configure a management center service provider application for Azure, see Management Center Service Provider Application for Azure, on page 158.
• To configure a management center service provider application for PingID's PingOne for Customers cloud solution, see Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.
• To configure a management center service provider application for any SAML 2.0-compliant SSO provider, see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.
Procedure
Step 1 Choose System > Users > Single Sign-On.
Step 2 Click the Single Sign-On (SSO) Configuration slider to enable SSO.
Step 3 Click the Configure SSO button.
Step 4 At the Select FMC SAML Provider dialog, click the radio button for the SSO IdP of your choice and click Next.
What to do next
Proceed with the instructions appropriate to your choice of SSO provider:
• Configure the management center for Okta SSO; see Configure the Management Center for Okta SSO, on page 136.
• Configure the management center for SSO using PingID's PingOne for Customers cloud solution; see Configure the Management Center for SSO with PingID PingOne for Customers, on page 173.
• Configure the management center for Azure SSO; see Configure the Management Center for Azure SSO, on page 160.
• Configure the management center for OneLogin SSO; see Configure the Management Center for OneLogin.
• Configure the management center for SSO using any SAML 2.0-compliant provider; see Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.
Configure Single Sign-On with Okta
See the following tasks to configure SSO using Okta, each listed with where it is performed:
Okta UI Admin Console: Review the Okta Org, on page 133
Okta UI Admin Console: Configure the Management Center Service Provider Application for Okta, on page 134
management center: Enable Single Sign-On at the Management Center, on page 132
management center: Configure the Management Center for Okta SSO, on page 136
management center: Configure User Role Mapping for Okta at the Management Center, on page 137
Okta UI Admin Console: Configure User Role Mapping at the Okta IdP, on page 138
Review the Okta Org
In Okta, the entity that encompasses all the federated devices and applications that a user can access with the same SSO account is called an org . Before adding the management center to an Okta org, be familiar with its configuration; consider the following questions:
• How many users will have access to the management center?
• Are users within the Okta org members of groups?
• Are user and group definitions native to Okta or imported from a user management application such as Active Directory, RADIUS, or LDAP?
• Do you need to add more users or groups to the Okta org to support SSO on the management center?
• What kind of user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)
• How must users and groups within the Okta org be organized to support the required user role mapping?
Keep in mind that you can configure management center roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users.
This documentation assumes you are already familiar with the Okta Classic UI Admin Console, and have an account that can perform configuration functions requiring Super Admin permissions. If you need more information, see Okta's documentation available online.
Configure the Management Center Service Provider Application for Okta
Use these instructions at the Okta Classic UI Admin Console to create a management center service provider application within Okta and assign users or groups to that application. You should be familiar with SAML SSO concepts and the Okta admin console. This documentation does not describe all the Okta functions you need to establish a fully functional SSO org; for instance, to create users and groups, or to import user and group definitions from another user management application, see the Okta documentation.
Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.
Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from OneLogin to the management center.
Before you begin
• Familiarize yourself with the SSO federation and its user and groups; see
• Create user accounts and/or groups in your Okta org if necessary.
Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname).
Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.
Procedure
Step 1 From the Okta Classic UI Admin Console, create a service provider application for the management center.
Configure the management center application with the following selections:
• Select Web for the Platform.
• Select SAML 2.0 for the Sign on method.
• Provide a Single sign on URL.
This is the management center URL to which the browser sends information on behalf of the IdP. Append the string saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
• Enable Use this for Recipient URL and Destination URL.
• Enter an Audience URI (SP Entity ID).
This is a globally unique name for the service provider (the management center), often formatted as a URL. Append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.
• For Name ID Format choose Unspecified.
Step 2 (Optional if you are assigning groups to the application.) Assign individual Okta users to the management center application. (If you plan to assign groups to the management center application, do not assign users that are members of those groups as individuals.)
Step 3 (Optional if you are assigning individual users to the application.) Assign Okta groups to the management center application.
Step 4 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata file for the management center service provider application from Okta to your local computer.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for Okta SSO
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the Okta Classic UI Admin Console; see Configure the Management Center Service Provider Application for Okta, on page 134.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure Okta Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the following values from the Okta SSO Service Provider application. (Retrieve these values from the Okta Classic UI Admin Console.)
• Identity Provider Single Sign-On URL
• Identity Provider Issuer
• X.509 Certificate
• If you saved the XML metadata file generated by Okta to your local computer (Step 4 in Configure the Management Center Service Provider Application for Okta, on page 134), you can upload the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.
Step 2 Click Next.
Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the Okta service provider application configuration, correct any errors, and try again.
Step 5 When the system reports a successful configuration test, click Apply .
What to do next
You may optionally configure user role mapping for SSO users; see Configure User Role Mapping for Okta at the Management Center, on page 137. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the user role you configure in Step 4 of Configure User Role Mapping for Okta at the Management Center, on page 137.
Configure User Role Mapping for Okta at the Management Center
The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping.
Before you begin
• Review the Okta user group mapping information; see Review the Okta Org, on page 133.
• Configure an SSO service provider application for the management center; see Configure the Management Center Service Provider Application for Okta, on page 134.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center for Okta SSO, on page 136.
Procedure
Step 1 Choose System > Users.
Step 2 Click the Single Sign-On tab.
Step 3 Expand Advanced Configuration (Role Mapping).
Step 4 Select a management center user role to assign to users as a default value from the Default User Role drop-down.
Step 5 Enter a Group Member Attribute. This string must match an attribute name configured at the Okta management center provider application for user role mapping for either users or groups. (See Step 1 of Configure a User Attribute for Role Mapping at the Okta IdP, on page 138 or Step 1 of Configure a Group Attribute for Role Mapping at the Okta IdP, on page 139.)
Step 6 Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The management center uses a restricted version of Google's RE2 regular expression standard supported by Golang and Perl.) The management center compares these values against the user role mapping attribute value the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.
What to do next
• Configure user role mapping at the service provider application; see Configure User Role Mapping at the Okta IdP, on page 138.
Configure User Role Mapping at the Okta IdP
You can configure SSO user role mapping at the Okta Classic UI Admin Console based on individual user permissions or based on group permissions.
• To map based on individual user permissions, see Configure a User Attribute for Role Mapping at the Okta IdP, on page 138.
• To map based on group permissions, see Configure a Group Attribute for Role Mapping at the Okta IdP, on page 139.
When an SSO user logs in to the management center, Okta presents to the management center a user or group role attribute value configured at the Okta IdP. The management center compares that attribute value against the regular expressions assigned to each management center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no match is found, the management center grants the user a configurable default user role.) The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The management center treats the attribute value received from Okta as a regular expression using that same standard for purposes of comparison with the management center user role expressions.
Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.
Furthermore, the management center can support group role mapping using only one group attribute statement per management center service provider application configured in Okta. Generally group-based role mapping is more efficient for a management center with many users. You should take into account user and group definitions established throughout your Okta org.
Configure a User Attribute for Role Mapping at the Okta IdP
Use these instructions at the Okta Classic UI Admin Console to add a custom role mapping attribute to the Okta default user profile.
Okta service provider applications may use one of two types of user profiles:
• Okta user profiles, which can be extended with any custom attribute.
• App user profiles, which can be extended only with attributes from a predefined list that Okta generates by querying a third-party application or directory (such as Active Directory, LDAP, or RADIUS) for supported attributes.
You may use either type of user profile in your Okta org; consult Okta documentation for information on how to configure them. Whichever type of user profile you use, to support user role mapping with the management center you must configure a custom attribute in the profile to convey each user's role mapping expression to the management center.
This documentation describes role mapping using Okta user profiles; mapping with App profiles requires familiarity with the third-party user management application in use at your organization to set up custom attributes. See the Okta documentation for details.
Before you begin
• Configure a management center service provider application at the Okta IdP as described in Configure the Management Center Service Provider Application for Okta, on page 134.
• Configure SSO user role mapping at the management center as described in Configure User Role Mapping for Okta at the Management Center, on page 137.
Procedure
Step 1 Add a new attribute to the default Okta user profile:
• For Data type choose string.
• Provide the Variable name the Okta IdP will send to the management center, containing an expression to match for user role mapping. This variable name must match the string you entered at the management center SSO configuration for Group Member Attribute. (See Step 5 in Configure User Role Mapping for Okta at the Management Center, on page 137.)
Step 2 For each user assigned to the management center service provider application using this profile, assign a value to the user role attribute you have just created. Use an expression to represent the role or roles the management center will assign to the user. The management center compares this string against the expressions you assigned to each management center user role in Step 6 of Configure User Role Mapping for Okta at the Management Center, on page 137. (For purposes of comparison with the management center user role expressions, the management center treats the attribute value received from Okta as an expression complying with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl.)
Configure a Group Attribute for Role Mapping at the Okta IdP
Use these instructions at the Okta Classic UI Admin Console to add a custom role mapping group attribute to the management center service provider application. The management center can support group role mapping using only one group attribute statement per Okta management center service provider application.
Okta service provider applications may use one of two types of groups:
• Okta groups, which can be extended with any custom attribute.
• Application groups, which can be extended only with attributes from a predefined list that Okta generates by querying a third-party application or directory (such as Active Directory, LDAP, or RADIUS) for supported attributes.
You may use either type of group in your Okta org; consult Okta documentation for information on how to configure them. Whichever type of group you use, to support user role mapping with the management center you must configure a custom attribute for the group to convey its role mapping expression to the management center.
This documentation describes role mapping using Okta groups; mapping with application groups requires familiarity with the third-party user management application in use at your organization to set up custom attributes. See the Okta documentation for details.
Before you begin
• Configure a management center service provider application at the Okta IdP; see Configure the Management Center Service Provider Application for Okta, on page 134.
• Configure user role mapping at the management center; see Configure User Role Mapping for Okta at the Management Center, on page 137.
Procedure
Create a new SAML group attribute for the management center service provider application:
• For Name, use the same string you entered at the management center SSO configuration for Group Member Attribute. (See Step 5 in Configure User Role Mapping for Okta at the Management Center, on page 137.)
• For Filter, specify an expression to represent the role or roles the management center will assign to the members of the group. Okta compares this value against the names of the group(s) of which a user is a member, and sends the management center the group names that match. The management center in turn compares those group names against the regular expressions you assigned to each management center user role in Step 6 of Configure User Role Mapping for Okta at the Management Center, on page 137.
Okta User Role Mapping Examples
As the following examples demonstrate, the SSO configurations at the management center to support user role mapping are the same for both individual users and for groups. The difference lies in the settings at the management center service provider application in Okta.
Note You can configure management center roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users. Furthermore, the management center can support group role mapping using only one group attribute statement per management center service provider application configured in Okta.
Okta Role Mapping Example for Individual User Accounts
In role mapping for individual users, the Okta management center service application has a custom attribute whose name matches the name of the Group Member Attribute on the management center (in this example, UserRole). The user profile in Okta also has a custom attribute (in this example, a variable named FMCrole). The definition for the application custom attribute UserRole establishes that when Okta passes user role mapping information to the management center, it will use the custom attribute value assigned for the user in question.
The following diagrams illustrate how the relevant fields and values in the management center and Okta configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the same SSO configurations at the management center and at the Okta UI Admin Console, but the configuration for each user at the Okta UI Admin Console differs to assign each user different roles at the management center.
• In this diagram [email protected] uses the FMCrole value FMCAdmin and the management center assigns her the Administrator role.
• In this diagram [email protected] uses the FMCrole value PolicyAdmin, and the management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.
• Other users assigned to the Okta service application for this management center are assigned the default user role Security Analyst (Read Only) for one of the following reasons:
• They have no value assigned to the FMCrole variable in their Okta user profile.
• The value assigned to the FMCrole variable in their Okta user profile does not match any expression configured for a user role in the SSO configuration at the management center.
Okta Role Mapping Example for Groups
In role mapping for groups, the Okta management center service application has a custom group attribute whose name matches the name of the Group Member Attribute on the management center (in this example, UserRole). When Okta processes a request for management center SSO login, it compares the user's group membership against the expression assigned to the management center service application group attribute (in this case ^(.*)Admin$). Okta sends to the management center the user's group membership(s) that match the group attribute. The management center compares the group names it receives against the regular expressions it has configured for each user role, and assigns user roles accordingly.
The following diagrams illustrate how the relevant fields and values in the management center and Okta configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO configurations at the management center and at the Okta UI Admin Console, but the configuration for each user at the Okta UI Admin Console differs to assign each user different roles at the management center.
• In this diagram [email protected] is a member of the Okta IdP group Admin, which matches the expression ^(.*)Admin$. Okta sends the management center Fred's Admin group membership, and the management center assigns him the Administrator role.
• In this diagram [email protected] is a member of the Okta IdP group PolicyAdmin, which matches the expression ^(.*)Admin$. Okta sends the management center Sue's PolicyAdmin group membership, and the management center assigns her the roles Access Admin, Discovery Admin, and Intrusion Admin. Sue is also a member of the Okta group Maint, but because this group name does not match the expression assigned to the group membership attribute in the Okta management center service application, Okta does not send information about Sue's Maint group membership to the management center, and her membership in the Maint group plays no part in the roles the management center assigns to her.
• In this diagram [email protected] is a member of the Okta IdP group Maint. This group name does not match the expression ^(.*)Admin$, so, when [email protected] logs into the management center, Okta does not send information about Sean's Maint group membership to the management center and Sean is assigned the default user role (Security Analyst (Read Only)) rather than the Maintenance User role.
These diagrams illustrate the importance of advance planning when establishing a role mapping strategy. In this example, any Okta user with access to this management center who is a member of only the Maint group can be assigned only the default user role. The management center supports using only one custom group attribute in its Okta Service Application configuration. The expression you assign to that attribute and the group names you establish to match against it must be carefully crafted. You can add more flexibility to role mapping by using regular expressions in the user role assignment strings in the management center SSO configuration. (The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl.)
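As an added example that is not part of the guide, the following Go program models both mapping paths described above (Step 6 of Configure User Role Mapping for Okta at the Management Center, and the individual-user and group examples): a table of per-role RE2 expressions, the union-or-default decision, and the Okta-side group attribute filter ^(.*)Admin$. The role expressions, the default role and the sample attribute values and group lists are assumptions constructed for this example; Go's regexp package is used because it implements the RE2 syntax the guide names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// DefaultRole is granted when no role expression matches; the guide's
// examples use Security Analyst (Read Only).
const DefaultRole = "Security Analyst (Read Only)"
// GroupAttributeFilter is the Okta group attribute filter from the guide's
// group example; Okta sends only matching group names to the management center.
const GroupAttributeFilter = `^(.*)Admin$`

// ExampleRoleExprs maps management center roles to RE2 expressions. They are
// assumptions for this example (the guide's diagrams do not list them), chosen
// so FMCAdmin and Admin both map to Administrator and PolicyAdmin to three roles.
var ExampleRoleExprs = map[string]string{
	"Administrator":    `^(FMC)?Admin$`,
	"Access Admin":     `^PolicyAdmin$`,
	"Discovery Admin":  `^PolicyAdmin$`,
	"Intrusion Admin":  `^PolicyAdmin$`,
	"Maintenance User": `^Maint$`,
}

// RoleMapping is the management center side: one compiled expression per
// user role plus the default role.
type RoleMapping struct {
	DefaultRole string
	RoleExprs   map[string]*regexp.Regexp
}

// NewRoleMapping compiles each expression with Go's regexp package, which
// implements the RE2 syntax the management center requires.
func NewRoleMapping(defaultRole string, exprs map[string]string) (*RoleMapping, error) {
	rm := &RoleMapping{DefaultRole: defaultRole, RoleExprs: map[string]*regexp.Regexp{}}
	for role, expr := range exprs {
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, fmt.Errorf("role %q: %w", role, err)
		}
		rm.RoleExprs[role] = re
	}
	return rm, nil
}

// AssignRoles models the comparison the guide describes: every role whose
// expression matches any received value is granted (a union), and the default
// role is granted when nothing matches. Values are matched as plain strings.
func (rm *RoleMapping) AssignRoles(attrValues []string) []string {
	granted := map[string]bool{}
	for _, v := range attrValues {
		for role, re := range rm.RoleExprs {
			if re.MatchString(v) {
				granted[role] = true
			}
		}
	}
	if len(granted) == 0 {
		return []string{rm.DefaultRole}
	}
	roles := make([]string, 0, len(granted))
	for r := range granted {
		roles = append(roles, r)
	}
	sort.Strings(roles) // deterministic order for display and tests
	return roles
}

// FilterGroups models the Okta side of group mapping: only group names that
// match the application group attribute filter reach the management center.
func FilterGroups(filter *regexp.Regexp, groups []string) []string {
	var sent []string
	for _, g := range groups {
		if filter.MatchString(g) {
			sent = append(sent, g)
		}
	}
	return sent
}

func main() {
	rm, err := NewRoleMapping(DefaultRole, ExampleRoleExprs)
	if err != nil {
		panic(err)
	}
	// Individual-user mapping: the FMCrole value is compared directly.
	for _, v := range []string{"FMCAdmin", "PolicyAdmin", ""} {
		fmt.Printf("FMCrole=%q -> %v\n", v, rm.AssignRoles([]string{v}))
	}
	// Group mapping: Okta filters first, then the management center maps what
	// survives; a user in only the Maint group gets the default role.
	filter := regexp.MustCompile(GroupAttributeFilter)
	for _, groups := range [][]string{{"Admin"}, {"PolicyAdmin", "Maint"}, {"Maint"}} {
		sent := FilterGroups(filter, groups)
		fmt.Printf("groups %v -> sent %v -> %v\n", groups, sent, rm.AssignRoles(sent))
	}
}
```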
Configure Single Sign-On with OneLogin
See the following tasks to configure SSO using OneLogin:
• Review the OneLogin Subdomain, on page 146
• Configure the Management Center Service Provider Application for OneLogin, on page 146
• Enable Single Sign-On at the Management Center, on page 132
• Configure the Management Center for OneLogin SSO, on page 148
• Configure User Role Mapping for OneLogin at the Management Center, on page 149
• Configure User Role Mapping at the OneLogin IdP, on page 150
Review the OneLogin Subdomain
In OneLogin, the entity that encompasses all the federated devices and applications that a user can access with the same SSO account is called a subdomain. Before adding the management center to a OneLogin subdomain, be familiar with its configuration; consider the following questions:
• How many users will have access to the management center?
• Are users within the OneLogin subdomain members of groups?
• Are users and groups from a third-party directory such as Active Directory, Google Apps, or LDAP synchronized with the OneLogin subdomain?
• Do you need to add more users or groups to the OneLogin subdomain to support SSO on the management center?
• What kind of management center user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)
• How must users and groups within the OneLogin subdomain be organized to support the required user role mapping?
Keep in mind that you can configure management center roles to be mapped based on individual users or based on groups, but a single management center application cannot support role mapping for both groups and individual users.
This documentation assumes you are already familiar with the OneLogin Admin Portal, and have an account with Super User privilege. To configure user role mapping, you will also need a subscription to the OneLogin Unlimited plan, which supports Custom User Fields. If you need more information, see the OneLogin documentation available online.
Configure the Management Center Service Provider Application for OneLogin
Use these instructions at the OneLogin Admin Portal to create a management center service provider application within OneLogin and assign users or groups to that application. You should be familiar with SAML SSO concepts and the OneLogin Admin Portal. This documentation does not describe all the OneLogin functions you need to establish a fully functional SSO org; for instance, to create users and groups, or to import user and group definitions from another user management application, see the OneLogin documentation.
Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.
Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from OneLogin to the management center.
Before you begin
• Familiarize yourself with the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on page 146.
• Create user accounts in your OneLogin subdomain if necessary.
Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname/).
Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.
Procedure
Step 1 Create the management center service provider application using the SAML Test Connector (Advanced) as its basis.
Step 2 Configure the application with the following settings:
• For the Audience (Entity ID), append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.
• For Recipient, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
• For ACS (Consumer) URL Validator, enter an expression that OneLogin uses to confirm it is using the correct management center URL. You can create a simple validator by using the ACS URL and altering it as follows:
• Append a ^ to the beginning of the ACS URL.
• Append a $ to the end of the ACS URL.
• Insert a \ preceding every / and ? within the ACS URL.
For example, for the ACS URL https://ExampleFMC/saml/acs, an appropriate URL validator would be ^https:\/\/ExampleFMC\/saml\/acs$.
• For ACS (Consumer) URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
• For Login URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
• For the SAML Initiator, choose Service Provider.
Step 3 Assign OneLogin users to the management center service provider application.
Step 4 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata for the management center service provider application from OneLogin to your local computer.
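As an added example, not code from the guide or from OneLogin, the following Go program derives the Audience (Entity ID), ACS URL and ACS URL Validator that Step 2 asks for from a management center login URL, then checks the validator the way a practitioner would before going live: it must accept exactly the ACS URL and reject anything else. Trimming a trailing slash from the login URL is this example's own assumption, since the guide writes the login URL both with and without one.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SPEndpoints holds the OneLogin application values this procedure derives
// from the management center login URL.
type SPEndpoints struct {
	EntityID     string // Audience (Entity ID): login URL + /saml/metadata
	ACSURL       string // ACS (Consumer) URL, Recipient and Login URL: login URL + /saml/acs
	ACSValidator string // ACS (Consumer) URL Validator built from the ACS URL
}

// acsValidator follows the procedure's recipe exactly: ^ at the start, $ at
// the end, and a backslash before every / and ? in the ACS URL.
func acsValidator(acsURL string) string {
	var b strings.Builder
	b.WriteByte('^')
	for _, r := range acsURL {
		if r == '/' || r == '?' {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	b.WriteByte('$')
	return b.String()
}

// DeriveSPEndpoints computes all three values. A trailing slash on the login
// URL is trimmed first so the appended paths are not doubled; that trimming
// is this example's choice, not something the guide states.
func DeriveSPEndpoints(loginURL string) SPEndpoints {
	base := strings.TrimRight(loginURL, "/")
	acs := base + "/saml/acs"
	return SPEndpoints{
		EntityID:     base + "/saml/metadata",
		ACSURL:       acs,
		ACSValidator: acsValidator(acs),
	}
}

// ValidatorAccepts compiles the validator as an RE2 expression and reports
// whether it matches a candidate URL, a quick check that the validator is
// neither malformed nor looser than intended.
func ValidatorAccepts(validator, candidate string) (bool, error) {
	re, err := regexp.Compile(validator)
	if err != nil {
		return false, err
	}
	return re.MatchString(candidate), nil
}

func main() {
	ep := DeriveSPEndpoints("https://ExampleFMC/")
	fmt.Println("Audience (Entity ID):       ", ep.EntityID)
	fmt.Println("ACS / Recipient / Login URL:", ep.ACSURL)
	fmt.Println("ACS URL Validator:          ", ep.ACSValidator)

	// The anchored validator accepts only the ACS URL itself. A copy without
	// the ^ and $ anchors would also accept a URL with an extra path segment
	// or an unrelated URL that merely contains the ACS URL in a query string.
	candidates := []string{ // constructed sample inputs
		ep.ACSURL,
		"https://ExampleFMC/saml/acs/extra",
		"https://other.example/login?next=https://ExampleFMC/saml/acs",
	}
	loose := strings.Trim(ep.ACSValidator, "^$")
	for _, c := range candidates {
		anchored, _ := ValidatorAccepts(ep.ACSValidator, c)
		unanchored, _ := ValidatorAccepts(loose, c)
		fmt.Printf("anchored=%-5v unanchored=%-5v %s\n", anchored, unanchored, c)
	}
}
```

The recipe escapes only / and ?, so a dot in a hostname such as fmc.example.com remains a regular-expression wildcard in the validator; that follows from the procedure as written rather than from this example.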
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for OneLogin SSO
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the OneLogin Admin Portal; see Configure the Management Center Service Provider Application for OneLogin, on page 146.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure OneLogin Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the following SSO configuration values from the OneLogin service provider application:
• Identity Provider Single Sign-On URL: Enter the SAML 2.0 Endpoint (HTTP) from OneLogin.
• Identity Provider Issuer: Enter the Issuer URL from OneLogin.
• X.509 Certificate: Enter the X.509 Certificate from OneLogin.
• If you saved the XML metadata file generated by OneLogin to your local computer (Step 4 in Configure the Management Center Service Provider Application for OneLogin, on page 146), you can upload the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.
Step 2 Click Next.
Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the OneLogin service provider application configuration, correct any errors, and try again.
Step 5 When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure user role mapping for SSO users; see Configure User Role Mapping for OneLogin at the Management Center, on page 149. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the user role you configure in Step 4 of Configure User Role Mapping for OneLogin at the Management Center, on page 149.
Configure User Role Mapping for OneLogin at the Management Center
The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping.
Before you begin
• Review the OneLogin users and groups; see Review the OneLogin Subdomain, on page 146.
• Configure an SSO service provider application for the management center; see Configure the Management Center Service Provider Application for OneLogin, on page 146.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center Service Provider Application for OneLogin, on page 146.
Procedure
Step 1 Choose System > Users > Single Sign-On.
Step 2 Expand Advanced Configuration (Role Mapping).
Step 3 Select a management center user role to assign to users as a default value from the Default User Role drop-down.
Step 4 Enter a Group Member Attribute. This string must match the field name for a custom parameter you define for role mapping at the management center service provider application in OneLogin. (See Step 1 of Configure User Role Mapping for Individual Users at the OneLogin IdP, on page 151 or Step 1 of Configure User Role Mapping for Groups at the OneLogin IdP, on page 152.)
Step 5 Next to each management center user role you wish to assign to SSO users, enter a regular expression. The management center compares these values against the user role mapping attribute the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.
What to do next
Configure user role mapping at the service provider application; see Configure User Role Mapping at the OneLogin IdP, on page 150.
Configure User Role Mapping at the OneLogin IdP
You can configure SSO user role mapping at the OneLogin Admin Portal based on individual user permissions or based on group permissions.
• To map based on individual user permissions, see Configure User Role Mapping for Individual Users at the OneLogin IdP, on page 151.
• To map based on group permissions, see Configure User Role Mapping for Groups at the OneLogin IdP, on page 152.
When an SSO user logs into the management center, OneLogin presents to the management center a user or group role attribute value that gets its value from a custom user field configured at the OneLogin IdP. The management center compares that attribute value against the regular expression assigned to each management center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no match is found, the management center grants the user a configurable default user role.) The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The management center treats the attribute value received from OneLogin as a regular expression using that same standard for purposes of comparison with the management center user role expressions.
Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.
The management center can support role mapping using only one custom user field configured in OneLogin.
Generally group-based role mapping is more efficient for a management center with many users. You should take into account user and group definitions established throughout your OneLogin subdomain.
Configure User Role Mapping for Individual Users at the OneLogin IdP
Use the OneLogin Admin Portal to create a custom parameter for the management center service provider application and a custom user field. These provide the means for OneLogin to pass user role information to the management center during the SSO login process.
Before you begin
• Review the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on page 146.
• Create and configure a management center service provider application in OneLogin; see Configure the Management Center Service Provider Application for OneLogin, on page 146.
• Configure SSO user role mapping as described in Configure User Role Mapping for OneLogin at the Management Center, on page 149.
Procedure
Step 1 Create a custom parameter for the management center service provider application.
• For the Field Name, use the same name you used for the Group Member Attribute in the management center SSO configuration. (See Step 4 in Configure User Role Mapping for OneLogin at the Management Center, on page 149.)
• For the Value, provide a mnemonic name such as FMCUserRole. This must match the name of the custom user field you will configure in Step 2 of this procedure.
Step 2 Create a custom user field to contain user role information for each OneLogin user with access to the management center.
• For the field Name, provide a mnemonic name such as FMCUserRole. This must match the value provided for the application custom parameter described in Step 1 of this procedure.
• For the Short name, provide an abbreviated alternate name for the field. (This is used for OneLogin programmatic interfaces.)
Step 3 For each user with access to the management center service provider application, assign a value to the custom user field you created in Step 2 of this procedure.
When a user logs into the management center using SSO, the value you assign to this field for that user is the value the management center compares against the expressions you assigned to management center user roles in the SSO configuration. (See Step 5 in Configure User Role Mapping for OneLogin at the Management Center, on page 149.)
What to do next
• Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.
Configure User Role Mapping for Groups at the OneLogin IdP
Use the OneLogin Admin Portal to create a custom parameter for the management center service provider application and a custom user field. Assign OneLogin users to groups. Then create one or more mappings between the custom user field and the user group so OneLogin assigns a value to the custom user field based on the user's group membership. These provide the means for OneLogin to pass group-based user role information to the management center during the SSO login process.
OneLogin service provider applications may use one of two types of groups:
• Groups native to OneLogin.
• Groups synchronized from third-party applications such as Active Directory, Google Apps, or LDAP.
You may use either type of group for management center group role mapping. This documentation describes role mapping using OneLogin groups; using third-party application groups requires familiarity with the third-party user management application in use at your organization. See the OneLogin documentation for details.
Before you begin
• Review the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on page 146.
• Create and configure a management center service provider application in OneLogin; see Configure the Management Center Service Provider Application for OneLogin, on page 146.
• Configure SSO user role mapping as described in Configure User Role Mapping for OneLogin at the Management Center, on page 149.
Procedure
Step 1 Create a custom parameter for the management center service provider application.
• For the Field Name, use the same name you used for the Group Member Attribute in the management center SSO configuration. (See Step 4 in Configure User Role Mapping for OneLogin at the Management Center, on page 149.)
• For the Value, provide a mnemonic name such as FMCUserRole. This must match the name of the custom user field you will configure in Step 2 of this procedure.
Step 2 Create a custom user field to contain user role information for each OneLogin user with access to the management center.
• For the field Name, provide a mnemonic name such as FMCUserRole. This must match the value provided for the application custom parameter described in Step 1 of this procedure.
• For the Short name, provide an abbreviated alternate name for the field. (This is used for OneLogin programmatic interfaces.)
Step 3 Create one or more user field mappings to assign group-based values to the custom user field you created in Step 2 of this procedure. Create as many mappings as you need to assign the correct management center user role to each OneLogin user group.
• Create one or more Conditions for the mapping, comparing the user Group field against group names.
• If you create multiple Conditions , choose whether a user's group must match any or all of the conditions for the mapping to take place.
• Create an Action for the mapping, to assign a value to the custom user field you created in Step 2 of this procedure. Provide the field Name , and the string that OneLogin assigns to this custom user field for all users that meet the Conditions you specified.
The management center compares this string against the expressions you assign to each management center user role in Step 5 of Configure User Role Mapping for OneLogin at the Management Center, on page 149.
• Reapply All Mappings when you have completed your changes.
What to do next
• Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.
OneLogin User Role Mapping Examples
As the following examples demonstrate, the SSO configurations at the management center to support user role mapping are the same for both individual users and for groups. The difference lies in the settings at the management center service provider application in OneLogin.
Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.
The management center can support role mapping using only one custom user field configured in OneLogin.
Generally, group-based role mapping is more efficient for a management center with many users. Take into account the user and group definitions established throughout your OneLogin subdomain.
OneLogin Role Mapping Example for Individual User Accounts
In role mapping for individual users, the OneLogin management center service application has a custom parameter whose name matches the name of the Group Member Attribute on the management center (in this example, UserRole). OneLogin also has a custom user field defined (in this example, FMCUserRole). The definition for the application custom parameter UserRole establishes that when OneLogin passes user role mapping information to the management center, it uses the value of the custom user field FMCUserRole for the user in question.
The following diagrams illustrate how the relevant fields and values in the management center and OneLogin configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the same SSO configurations at the management center and at the OneLogin Admin portal, but the configuration for each user at the OneLogin Admin portal differs to assign each user different roles at the management center.
• In this diagram [email protected] uses the FMCUserRole value PolicyAdmin, and the management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.
• In this diagram [email protected] uses the FMCUserRole value FMCAdmin, and the management center assigns her the Administrator role.
• Other users assigned to the OneLogin service application for this management center are assigned the default user role Security Analyst (Read Only) for one of the following reasons:
• They have no value assigned to the FMCUserRole custom user field.
• The value assigned to the FMCUserRole custom user field does not match any expression configured for a user role in the SSO configuration at the management center.
OneLogin Role Mapping Example for Groups
In role mapping for groups, the OneLogin management center service application has a custom parameter whose name matches the name of the Group Member Attribute on the management center (in this example, UserRole). OneLogin also has a custom user field defined (in this example, FMCUserRole). The definition for the application custom parameter UserRole establishes that when OneLogin passes user role mapping information to the management center, it uses the value of the custom user field FMCUserRole for the user in question. To support user group mapping, you must establish a mapping within OneLogin to assign a value for each user's FMCUserRole field based on that user's OneLogin group membership.
The following diagrams illustrate how the relevant fields and values in the management center and OneLogin configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO configurations at the management center and at the OneLogin Admin portal, but the configuration for each user at the OneLogin Admin portal differs to assign each user different roles at the management center.
• In this diagram [email protected] is a member of the OneLogin IdP group FMCPolicyAdminGroup. A OneLogin mapping assigns the value PolicyAdmin to the custom user field FMCUserRole for members of FMCPolicyAdminGroup. The management center assigns Fred and other members of FMCPolicyAdminGroup the roles Access Admin, Discovery Admin, and Intrusion Admin.
• In this diagram [email protected] is a member of the OneLogin IdP group FMCAdminGroup. A OneLogin mapping assigns the value FMCAdmin to the custom user field FMCUserRole for members of FMCAdminGroup. The management center assigns Sue and other members of FMCAdminGroup the Administrator role.
• In this diagram [email protected] is a member of the IdP group FMCMaintGroup. There is no OneLogin mapping associated with this group, so OneLogin does not assign a value to the custom user field FMCUserRole for Sean. The management center assigns Sean the default user role (Security Analyst (Read Only)) rather than the Maintenance User role.
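The role-assignment logic that the individual-user and group examples above describe, written out as an added Go example. It is not Cisco's code and not the management center's implementation: it models a OneLogin user-field mapping as a list of group conditions (any or all must hold) plus the value the Action writes into FMCUserRole, and models the management center side as one RE2 expression per user role, compiled with Go's regexp package, which is the RE2 dialect the page cites, and matched against the attribute value. The role expressions, the mapping list, the three users and their group memberships are constructed assumptions chosen to reproduce the page's Fred, Sue and Sean outcomes.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Assumed management center SSO role-mapping configuration: one RE2 expression
// per management center user role. The page states the outcomes, not the exact
// expressions; these anchored values reproduce its examples. Roles left blank in
// the UI are simply absent from the map.
var roleExpressions = map[string]string{
	"Administrator":    `^FMCAdmin$`,
	"Access Admin":     `^PolicyAdmin$`,
	"Discovery Admin":  `^PolicyAdmin$`,
	"Intrusion Admin":  `^PolicyAdmin$`,
	"Maintenance User": `^Maint$`,
}

const defaultRole = "Security Analyst (Read Only)"

// groupMapping models a OneLogin user-field mapping: Conditions on the user's
// Group field (any or all must hold) and an Action that sets FMCUserRole.
type groupMapping struct {
	groups   []string
	matchAll bool
	value    string
}

// Constructed mappings for the page's group example; FMCMaintGroup has none.
var mappings = []groupMapping{
	{groups: []string{"FMCAdminGroup"}, value: "FMCAdmin"},
	{groups: []string{"FMCPolicyAdminGroup"}, value: "PolicyAdmin"},
}

// customFieldValue applies the first mapping whose conditions the user's groups
// satisfy and returns the value OneLogin would place in FMCUserRole. An empty
// string means the field stays unset, so the management center falls back to
// the default role.
func customFieldValue(userGroups []string) string {
	member := map[string]bool{}
	for _, g := range userGroups {
		member[g] = true
	}
	for _, m := range mappings {
		hits := 0
		for _, g := range m.groups {
			if member[g] {
				hits++
			}
		}
		if (m.matchAll && hits == len(m.groups)) || (!m.matchAll && hits > 0) {
			return m.value
		}
	}
	return ""
}

// assignRolesWith is the management center side: each role expression is
// compiled as RE2 and tested against the attribute value; the user receives
// the union of matching roles, or the default role when the value is empty or
// nothing matches. An expression that does not compile is a configuration error.
func assignRolesWith(exprs map[string]string, attr string) ([]string, error) {
	var roles []string
	for role, expr := range exprs {
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, fmt.Errorf("role %q: invalid expression %q: %w", role, expr, err)
		}
		if attr != "" && re.MatchString(attr) {
			roles = append(roles, role)
		}
	}
	if len(roles) == 0 {
		return []string{defaultRole}, nil
	}
	sort.Strings(roles)
	return roles, nil
}

func assignRoles(attr string) ([]string, error) { return assignRolesWith(roleExpressions, attr) }

func main() {
	// Constructed users; group memberships follow the page's examples.
	users := []struct {
		name   string
		groups []string
	}{
		{"[email protected]", []string{"FMCPolicyAdminGroup"}},
		{"[email protected]", []string{"FMCAdminGroup"}},
		{"[email protected]", []string{"FMCMaintGroup"}},
	}
	for _, u := range users {
		attr := customFieldValue(u.groups)
		roles, err := assignRoles(attr)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("%-18s FMCUserRole=%-14q roles=%v\n", u.name, attr, roles)
	}
}
```

The three constructed users come out as Fred (Access Admin, Discovery Admin, Intrusion Admin), Sue (Administrator) and Sean (the default role). The expressions are anchored for a reason: the comparison is a regular-expression match, so an unanchored expression such as Admin on the Administrator role also matches the value PolicyAdmin and would grant every policy administrator full administrator rights. When you test the scheme, log in from an account that deliberately has no mapping as well as from mapped ones, so you confirm that the fallback really is the default role and not an over-broad match.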
Configure Single Sign-On with Azure AD
See the following tasks to configure SSO using Azure:
• Azure AD Portal: Review the Azure Tenant, on page 158
• Azure AD Portal: Configure the Management Center Service Provider Application for Azure, on page 158
• Management center: Enable Single Sign-On at the Management Center, on page 132
• Management center: Configure the Management Center for Azure SSO, on page 160
• Management center: Configure User Role Mapping for Azure at the Management Center, on page 161
• Azure AD Portal: Configure User Role Mapping at the Azure IdP, on page 162
Review the Azure Tenant
Azure AD is Microsoft's multitenant, cloud-based identity and access management service. In Azure, the entity that encompasses all the federated devices that a user can access with the same SSO account is called a tenant.
Before adding the management center to an Azure tenant, be familiar with its organization; consider the following questions:
• How many users will have access to the management center?
• Are users within the Azure tenant members of groups?
• Are users and groups from another directory product?
• Do you need to add more users or groups to the Azure tenant to support SSO on the management center?
• What kind of management center user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)
• How must users and groups within the Azure tenant be organized to support the required user role mapping?
• Keep in mind that you can configure management center roles to be mapped based on individual users or based on groups, but a single management center application cannot support role mapping for both groups and individual users.
This documentation assumes you are already familiar with the Azure Active Directory Portal and have an account with application admin privileges for the Azure AD tenant. Keep in mind that the management center supports Azure SSO only with tenant-specific single sign-on and single sign-out endpoints. You must have an Azure AD Premium P1 or above license and Global Administrator permissions; see Azure documentation for more information.
Configure the Management Center Service Provider Application for Azure
Use the Azure Active Directory Portal to create a management center service provider application within your Azure Active Directory tenant and establish basic configuration settings.
Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.
Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from Azure to the management center.
Before you begin
• Familiarize yourself with your Azure tenant and its users and groups; see Review the Azure Tenant, on page 158.
• Create user accounts and/or groups in your Azure tenant if necessary.
Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname).
Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.
Procedure
Step 1 Create the management center service provider application using the Azure AD SAML Toolkit as its basis.
Step 2 Configure the application with the following settings for Basic SAML Configuration:
• For the Identifier (Entity ID), append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.
• For the Reply URL (Assertion Consumer Service URL), append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
• For the Sign on URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
Step 3 Edit the Unique User Identifier Name (Name ID) claim for the application to force the username for sign-on at the management center to be the email address associated with the user account:
• For Source, choose Attribute.
• For Source attribute, choose user.mail.
Step 4 Generate a certificate to secure SSO on the management center. Use the following options for the certificate:
• Select Sign SAML Response and Assertion for the Signing Option.
• Select SHA-256 for the Signing Algorithm.
Step 5 Download the Base-64 version of the certificate to your local computer; you will need it when you configure Azure SSO at the management center web interface.
Step 6 In the SAML-based Sign-on information for the application, note the following values:
• Login URL
• Azure AD Identifier
You will need these values when you configure Azure SSO at the management center web interface.
Step 7 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata file for the management center service provider application (called the Federation Metadata XML in the Azure Portal) to your local computer.
Step 8 Assign existing Azure users and groups to the management center service application.
Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.
Note If you plan to configure user role mapping, you can configure roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for Azure SSO
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the Azure AD Portal; see Configure the Management Center Service Provider Application for Azure, on page 158.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure Azure Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the values you retrieved from the Azure SSO Service Provider application:
• For Identity Provider Single Sign-On URL, enter the Login URL you noted in Step 6 of Configure the Management Center Service Provider Application for Azure, on page 158.
• For Identity Provider Issuer, enter the Azure AD Identifier you noted in Step 6 of Configure the Management Center Service Provider Application for Azure, on page 158.
• For the X.509 Certificate, use the certificate you downloaded from Azure in Step 5 of Configure the Management Center Service Provider Application for Azure, on page 158. (Use a text editor to open the certificate file, copy the contents, and paste it into the X.509 Certificate field.)
• If you saved the XML metadata file generated by Azure to your local computer (Step 7 of Configure the Management Center Service Provider Application for Azure, on page 158), you can upload the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.
Step 2 Click Next.
Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the Azure service provider application, correct any errors, and try again.
Step 5 When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure role mapping for SSO users; see Configure User Role Mapping for Azure at the Management Center, on page 161. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the default user role you configure in Step 4 of Configure User Role Mapping for Azure at the Management Center, on page 161.
Configure User Role Mapping for Azure at the Management Center
The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping.
Before you begin
• Review the existing Azure users and groups; see Review the Azure Tenant, on page 158.
• Configure an SSO service provider application for the management center; see Configure the Management Center Service Provider Application for Azure, on page 158.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center for Azure SSO, on page 160.
Procedure
Step 1 Choose System > Users.
Step 2 Click the Single Sign-On tab.
Step 3 Expand Advanced Configuration (Role Mapping).
Step 4 Select a management center user role to assign users as a default value from the Default User Role drop-down.
Step 5 Enter a Group Member Attribute. This string must match the name of the user claim you create for the management center service provider application in Azure; see Step 1 of Configure User Role Mapping for Individual Users at the Azure IdP, on page 163 or Step 1 of Configure User Role Mapping for Groups at the Azure IdP, on page 164.
Step 6 Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The management center uses a restricted version of Google's RE2 regular expression standard supported by Golang and Perl.) The management center compares these values against the user role mapping attribute value the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.
What to do next
Configure user role mapping at the service provider application; see Configure User Role Mapping at the Azure IdP, on page 162.
Configure User Role Mapping at the Azure IdP
You can configure SSO user role mapping at the Azure AD Portal based on individual user permissions or based on group permissions.
• To map based on individual user permissions, see Configure User Role Mapping for Individual Users at the Azure IdP, on page 163.
• To map based on group permissions, see Configure User Role Mapping for Groups at the Azure IdP, on page 164.
When an SSO user logs into the management center, Azure presents to the management center a user or group role attribute value that gets its value from an application role configured at the Azure AD Portal. The management center compares that attribute value against the regular expression assigned to each management center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no match is found, the management center grants the user a configurable default user role.) The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The management center treats the attribute value received from Azure as a regular expression using that same standard for purposes of comparison with the management center user role expressions.
Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.
The management center can support role mapping using only one claim configured in Azure. Generally, group-based role mapping is more efficient for a management center with many users. Take into account the user and group definitions established throughout your Azure tenant.
Configure User Role Mapping for Individual Users at the Azure IdP
To establish role mapping for individual users of the management center service application in Azure, use the Azure AD Portal to add a claim to the application, add roles to the application's registration manifest, and assign roles to users.
Before you begin
• Review the Azure tenant; see Review the Azure Tenant, on page 158.
• Create and configure a management center service provider application in Azure; see Configure the Management Center Service Provider Application for Azure, on page 158.
• Configure SSO user role mapping as described in Configure User Role Mapping for Azure at the Management Center, on page 161.
Procedure
Step 1 Add a user claim to the SSO configuration for the management center service application with the following characteristics:
• Name: Use the same string you entered for the Group Member Attribute in the management center SSO configuration. (See Step 5 in Configure User Role Mapping for Azure at the Management Center, on page 161.)
• Source: Choose Attribute.
• Source attribute: Choose user.assignedroles.
Step 2 Edit the manifest for the management center service application (in JSON format) and add application roles to represent the management center user roles you wish to assign to SSO users. The simplest approach is to copy an existing application role definition and change the following properties:
• displayName: The name for the role that will appear in the Azure AD Portal.
• description: A brief description of the role.
• id: An alphanumeric string that must be unique among id properties within the manifest.
• value: A string to represent one or more management center user roles. (Azure does not permit spaces in this string.)
Step 3 For each user assigned to the management center service application, assign one of the application roles you have added to the manifest for that application. When a user logs in to the management center using SSO, the application role you assign to that user is the value Azure sends to the management center in the claim for the service application. The management center compares the claim against the expressions you assigned to management center user roles in the SSO configuration (see Step 6 of Configure User Role Mapping for Azure at the Management Center, on page 161), and assigns the user all the management center user roles for which there is a match.
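An added Go example, not Cisco's or Microsoft's code, that checks an application manifest's appRoles array against the constraints Steps 2 and 3 above rely on before you paste it into the Azure AD Portal: each id must be unique and a GUID (Azure requires a GUID here, which is stricter than the "alphanumeric string" wording), each value must be non-empty with no whitespace, each role must allow the User member type so it can be assigned to users or groups, and each value should match at least one management center role expression, because a value that matches none leaves every user holding that role with the default role. The appRoles JSON, its GUIDs and the management center expressions are constructed assumptions; the third role is deliberately broken to exercise the checks.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of the appRoles array from an Azure AD application
// manifest. The first two entries follow the page's FMCAdmin / PolicyAdmin
// examples; the third reuses the first entry's id and has a space in value.
// The GUIDs are made up.
const manifestAppRoles = `[
  {
    "allowedMemberTypes": ["User"],
    "description": "Full management center administrator",
    "displayName": "FMC Administrator",
    "id": "5c2a1f4e-2b1d-4e6a-9f3c-1a2b3c4d5e6f",
    "isEnabled": true,
    "origin": "Application",
    "value": "FMCAdmin"
  },
  {
    "allowedMemberTypes": ["User"],
    "description": "Access, Discovery and Intrusion admin",
    "displayName": "FMC Policy Administrator",
    "id": "8d7e6f5a-4b3c-4d2e-8f1a-0b9c8d7e6f5a",
    "isEnabled": true,
    "origin": "Application",
    "value": "PolicyAdmin"
  },
  {
    "allowedMemberTypes": ["User"],
    "description": "Maintenance user (broken on purpose)",
    "displayName": "FMC Maintenance",
    "id": "5c2a1f4e-2b1d-4e6a-9f3c-1a2b3c4d5e6f",
    "isEnabled": true,
    "origin": "Application",
    "value": "Maint User"
  }
]`

// Assumed management center role expressions (System > Users > Single Sign-On >
// Advanced Configuration), anchored so a value cannot match more than intended.
var fmcRoleExpressions = map[string]string{
	"Administrator":    `^FMCAdmin$`,
	"Access Admin":     `^PolicyAdmin$`,
	"Discovery Admin":  `^PolicyAdmin$`,
	"Intrusion Admin":  `^PolicyAdmin$`,
	"Maintenance User": `^Maint$`,
}

// appRole holds the manifest properties the checks need; unknown properties
// such as origin are ignored by encoding/json.
type appRole struct {
	AllowedMemberTypes []string `json:"allowedMemberTypes"`
	Description        string   `json:"description"`
	DisplayName        string   `json:"displayName"`
	ID                 string   `json:"id"`
	IsEnabled          bool     `json:"isEnabled"`
	Value              string   `json:"value"`
}

var guidRE = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// validateAppRoles parses the appRoles array and returns one message per
// problem found, in manifest order; an empty slice means the array is clean.
func validateAppRoles(raw string) ([]string, error) {
	var roles []appRole
	if err := json.Unmarshal([]byte(raw), &roles); err != nil {
		return nil, fmt.Errorf("manifest appRoles is not valid JSON: %w", err)
	}
	seen := map[string]string{} // id -> displayName that first used it
	var problems []string
	for _, r := range roles {
		if !guidRE.MatchString(r.ID) {
			problems = append(problems, fmt.Sprintf("%s: id %q is not a GUID", r.DisplayName, r.ID))
		} else if first, dup := seen[r.ID]; dup {
			problems = append(problems, fmt.Sprintf("%s: id %s already used by %s", r.DisplayName, r.ID, first))
		} else {
			seen[r.ID] = r.DisplayName
		}
		if r.Value == "" || strings.ContainsAny(r.Value, " \t") {
			problems = append(problems, fmt.Sprintf("%s: value %q must be non-empty with no whitespace", r.DisplayName, r.Value))
		}
		if !hasMemberType(r.AllowedMemberTypes, "User") {
			problems = append(problems, fmt.Sprintf("%s: allowedMemberTypes lacks \"User\", so it cannot be assigned to users or groups", r.DisplayName))
		}
		if !r.IsEnabled {
			problems = append(problems, fmt.Sprintf("%s: role is disabled", r.DisplayName))
		}
		if len(fmcRolesFor(r.Value)) == 0 {
			problems = append(problems, fmt.Sprintf("%s: value %q matches no management center role expression (its users get the default role)", r.DisplayName, r.Value))
		}
	}
	return problems, nil
}

func hasMemberType(types []string, want string) bool {
	for _, t := range types {
		if t == want {
			return true
		}
	}
	return false
}

// fmcRolesFor returns the management center roles whose expressions match value.
func fmcRolesFor(value string) []string {
	var out []string
	for role, expr := range fmcRoleExpressions {
		if regexp.MustCompile(expr).MatchString(value) {
			out = append(out, role)
		}
	}
	return out
}

func main() {
	problems, err := validateAppRoles(manifestAppRoles)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
}
```

On the constructed sample the first two roles pass and the third reports three problems: a duplicate id, whitespace in value, and a value no management center expression matches. Run the same check against the real manifest after every edit, and keep the expression map in sync with the management center configuration; the last check is the one that catches the silent failure mode in the page's examples, where a user lands on the default role because nothing matched.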
What to do next
• Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.
Configure User Role Mapping for Groups at the Azure IdP
To establish role mapping for user groups for the management center service application in Azure, use the Azure AD Portal to add a claim to the application, add roles to the application's registration manifest, and assign roles to groups.
Before you begin
• Review the Azure tenant; see Review the Azure Tenant, on page 158.
• Create and configure a management center service provider application in Azure; see Configure the Management Center Service Provider Application for Azure, on page 158.
• Configure SSO user role mapping as described in Configure User Role Mapping for Azure at the Management Center, on page 161.
Procedure
Step 1 Add a user claim to the SSO configuration for the management center service application with the following characteristics:
• Name: Use the same string you entered for the Group Member Attribute in the management center SSO configuration. (See Step 5 in Configure User Role Mapping for Azure at the Management Center, on page 161.)
• Source: Choose Attribute.
• Source attribute: Choose user.assignedroles.
Step 2 Edit the manifest for the management center service application (in JSON format) and add application roles to represent the management center user roles you wish to assign to SSO users. The simplest approach is to copy an existing application role definition and change the following properties:
• displayName: The name for the role that will appear in the Azure AD Portal.
• description: A brief description of the role.
• id: An alphanumeric string that must be unique among id properties within the manifest.
• value: A string to represent one or more management center user roles. (Azure does not permit spaces in this string.)
Step 3 For each group assigned to the management center service application, assign one of the application roles you have added to the manifest for that application. When a user logs in to the management center using SSO, the application role you assign to that user's group is the value Azure sends to the management center in the claim for the service application. The management center compares the claim against the expressions you assigned to management center user roles in the SSO configuration (see Step 6 of Configure User Role Mapping for Azure at the Management Center, on page 161), and assigns the user all the management center user roles for which there is a match.
What to do next
Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.
Azure User Role Mapping Examples
As the following examples demonstrate, the SSO configurations at the management center to support user role mapping are the same for both individual users and for groups. The difference lies in the settings at the management center service provider application in Azure.
Note You can configure management center roles to be mapped based on individual permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users. The management center can support role mapping using only one claim configured in Azure.
Azure Role Mapping Example for Individual User Accounts
In role mapping for individual users, the Azure management center service application has custom roles defined within its manifest (in this case, FMCAdmin and PolicyAdmin). These roles can be assigned to users; Azure stores role assignments for each user in that user's assignedroles attribute. The application also has a custom user claim defined, and this claim is configured to get its value from the assigned user role for a user logging into the management center using SSO. Azure passes the claim value to the management center during the SSO login process, and the management center compares the claim value against the expressions assigned to each management center user role in the management center SSO configuration.
The following diagrams illustrate how the relevant fields and values in the management center and Azure configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the same SSO configurations at the management center and at the Azure AD portal, but the configuration for each user at the Azure AD portal differs to assign each user different roles at the management center.
• In this diagram [email protected] uses the assignedroles attribute value FMCAdmin, and the management center assigns her the management center Administrator role.
• In this diagram fred@example.com uses the assignedroles attribute value PolicyAdmin, and the management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.
• Other users assigned to the Azure service application for this management center are assigned the default user role Security Analyst (Read Only) for one of the following reasons:
• They have no value assigned to their assignedroles attribute.
• The value assigned to their assignedroles attribute does not match any expression configured for a user role in the SSO configuration at the management center.
Azure Role Mapping Example for Groups
In role mapping for groups, the Azure management center service application has custom roles defined within its manifest. (In this case, FMCAdmin, AccessAdmin, DiscoveryAdmin, and Maint.) These roles can be assigned to groups; Azure passes role assignments for each group to group members' assignedroles attribute.
The application also has a custom user claim defined, and this claim is configured to get its value from the assigned user role for a user logging into the management center using SSO. Azure passes the claim value to the management center during the SSO login process, and the management center compares the claim value against strings assigned to each management center user role in the management center SSO configuration.
The following diagrams illustrate how the relevant fields and values in the management center and Azure configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO configurations at the management center and at the Azure AD portal, but the configuration for each user at the Azure AD portal differs to assign each user different roles at the management center.
• In this diagram sue@example.com is a member of the groups FMCAccessAdmins and FMCDiscoveryAdmins. From these groups she inherits the custom roles AccessAdmin and DiscoveryAdmin. When Sue logs into the management center using SSO, the management center assigns her the roles Access Admin and Discovery Admin.
• In this diagram fred@example.com is a member of the FMCAdmins group, from which he inherits the custom role FMCAdmin. When Fred logs into the management center using SSO, the management center assigns him the Administrator role.
• In this diagram sean@example.com is a member of the FMCMaintUsers group, but because no custom role has been assigned to FMCMaintUsers within the Azure management center service provider application, Sean has no roles assigned to him, and when he logs into the management center using SSO, the management center assigns him the default role Security Analyst (Read Only).
Configure Single Sign-On with PingID
See the following tasks to configure SSO using PingID's PingOne for Customers product:
• Review the PingID PingOne for Customers Environment, on page 171 (at the PingOne for Customers Administrator Console).
• Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171 (at the PingOne for Customers Administrator Console).
• Enable Single Sign-On at the Management Center, on page 132 (at the management center).
• Configure the Management Center for SSO with PingID PingOne for Customers, on page 173 (at the management center).
Review the PingID PingOne for Customers Environment
PingOne for Customers is PingID's cloud-hosted identity-as-a-service (IDaaS) product. In PingOne for Customers, the entity that encompasses all the federated devices that a user can access with the same SSO account is called an environment. Before adding the management center to a PingOne environment, be familiar with its organization; consider the following questions:
• How many users will have access to the management center?
• Do you need to add more users to support SSO access to the management center?
This documentation assumes you are already familiar with the PingOne for Customers Administrator Console and have an account with the Organization Admin role.
Configure the Management Center Service Provider Application for PingID PingOne for Customers
Use the PingOne for Customers Administrator Console to create a management center service provider application within your PingOne for Customers environment and establish basic configuration settings. This documentation does not describe all the PingOne for Customers functions you need to establish a fully functional SSO environment; for instance, to create users see the PingOne for Customers documentation.
Before you begin
• Familiarize yourself with your PingOne for Customers environment and its users.
• Create additional users if necessary.
Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname).
Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.
Procedure
Step 1 Use the PingOne for Customers Administrator Console to create the application in your environment using these settings:
• Choose the Web App application type.
• Choose the SAML connection type.
Step 2 Configure the application with the following settings for the SAML Connection:
• For the ACS URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.
• For the Signing Certificate, choose Sign Assertion & Response.
• For the Signing Algorithm, choose RSA_SHA256.
• For the Entity ID, append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.
• For the SLO Binding, select HTTP POST.
• For the Assertion Validity Duration, enter 300.
Step 3 In the SAML Connection information for the application, note the following values:
• Single Sign-On Service
• Issuer ID
You will need these values when you configure SSO using PingID's PingOne for Customers product at the management center web interface.
Step 4 For SAML ATTRIBUTES, make the following selections for a single required attribute:
• PINGONE USER ATTRIBUTE: Email Address
• APPLICATION ATTRIBUTE: saml_subject
Step 5 Download the signing certificate in X509 PEM (.crt) format and save it to your local computer.
Step 6 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata file for the management center service provider application to your local computer.
Step 7 Enable the application.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for SSO with PingID PingOne for Customers
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the PingOne for Customers Administrator Console; see Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure PingID Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the values you retrieved from the PingOne for Customers Administrator Console:
• For Identity Provider Single Sign-On URL, enter the Single Sign-On Service you noted in Step 3 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.
• For Identity Provider Issuer, enter the Issuer ID you noted in Step 3 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.
• For the X.509 Certificate, use the certificate you downloaded from PingOne for Customers in Step 5 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171. (Paste it into the X.509 Certificate field.)
• If you saved the XML metadata file generated by PingOne for Customers to your local computer (Step 6 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171), you can upload the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.
Step 2 Click Next.
Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4 Expand Advanced Configuration (Role Mapping).
Step 5 Select a management center user role to assign users as a default value from the Default User Role drop-down.
Step 6 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the PingOne for Customers service provider application, correct any errors, and try again.
Step 7 When the system reports a successful configuration test, click Apply.
Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider
The management center supports single sign-on with any SSO identity provider (IdP) compliant with the SAML 2.0 SSO protocol. Generic instructions to use a wide range of SSO providers must address the tasks to be performed at a high level; establishing SSO using a provider not specifically addressed in this documentation requires that you be proficient with the IdP of your choice. These tasks help you determine the steps to configure the management center for single sign-on using any SAML 2.0-compliant SSO provider:
• Familiarize Yourself with the SSO Identity Provider and the SSO Federation, on page 175 (at the IdP administration application).
• Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175 (at the IdP administration application).
• Enable Single Sign-On at the Management Center, on page 132 (at the management center).
• Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177 (at the management center).
• Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178 (at the management center).
• Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179 (at the IdP administration application).
Familiarize Yourself with the SSO Identity Provider and the SSO Federation
Read the IdP vendor documentation with the following considerations in mind:
• Does the SSO provider require that users subscribe to or register with any services before using the IdP?
• What terminology does the SSO provider use for common SSO concepts? For instance, to refer to a group of federated service provider applications, Okta uses "org" where Azure uses "tenant."
• Does the SSO provider support SSO exclusively, or a suite of functions—for instance, multifactor authentication or domain management? (This can affect configuration of some elements shared between features—especially users and groups.)
• What permissions does an IdP user account need to configure SSO?
• What configurations does the SSO provider require you to establish for a service provider application? For instance, Okta automatically generates an X509 Certificate to secure its communications with the management center, while Azure requires that you generate that certificate using the Azure portal interface.
• How are users and groups created and configured? How are users assigned to groups? How are users and groups granted access to service provider applications?
• Does the SSO provider require that at least one user be assigned to a service provider application before the SSO connection can be tested?
• Does the SSO provider support user groups? How are user and group attributes configured? How can you map attributes to management center user roles in the SSO configuration?
• Do you need to add more users or groups to the federation to support SSO on the management center?
• Are users within the federation members of groups?
• Are user and group definitions native to the IdP or imported from a user management application such as Active Directory, RADIUS, or LDAP?
• What kind of user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)
• How must users and groups within the federation be organized to support your plan for user role mapping?
Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider
Generally SSO providers require that you configure a service provider application at the IdP for each federated application. All IdPs that support SAML 2.0 SSO need the same configuration information for service provider applications, but some IdPs automatically generate some configuration settings for you, while others require that you configure all settings yourself.
Note If you plan to assign user groups to the management center Application, do not also assign users within those groups as individuals.
Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from the IdP to the management center.
Before you begin
• Familiarize yourself with the SSO federation and its users and groups; see Familiarize Yourself with the SSO Identity Provider and the SSO Federation, on page 175.
• Confirm your IdP account has the necessary permissions to perform this task.
• Create user accounts and/or groups in your SSO federation if necessary.
Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname).
Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.
Procedure
Step 1 Create a new service provider application at the IdP.
Step 2 Configure values required by the IdP. Be sure to include the fields listed below, required to support SAML 2.0 SSO functionality with the management center. (Because different SSO service providers use different terminology for SAML concepts, this list provides alternate names for these fields to help you find the right settings in the IdP application.)
• Service Provider Entity ID, Service Provider Identifier, Audience URI: A globally unique name for the service provider (the management center), formatted as a URL. To create this, append the string /saml/metadata to the management center login URL, such as https://ExampleFMC/saml/metadata.
• Single Sign on URL, Recipient URL, Assertion Consumer Service URL: The service provider (management center) address to which the browser sends information on behalf of the IdP. To create this, append the string /saml/acs to the management center login URL, such as https://ExampleFMC/saml/acs.
• X.509 Certificate: Certificate to secure communications between the management center and the IdP. Some IdPs may automatically generate the certificate, and some may require that you explicitly generate it using the IdP interface.
Step 3 (Optional if you are assigning groups to the application) Assign individual users to the management center application. (If you plan to assign groups to the management center application, do not assign members of those groups as individuals.)
Step 4 (Optional if you are assigning individual users to the application.) Assign user groups to the management center application.
Step 5 (Optional) Some IdPs provide the ability to generate a SAML XML metadata file containing the information you have configured in this task, formatted to comply with SAML 2.0 standards. If your IdP provides this ability, you can download the file to your local computer to ease the SSO configuration process at the management center.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider
Use these instructions at the management center web interface. To configure the management center for SSO using any SAML 2.0-compliant SSO provider, you need information from the IdP.
Before you begin
• Review the organization of your SSO federation, and its users and groups.
• Configure a management center service provider application at the IdP; see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.
• Gather the following SSO configuration information for the service provider application from the IdP. Because different SSO service providers use different terminology for SAML concepts, this list provides alternate names for these fields to help you find the right values in the IdP application:
• Identity Provider Single Sign-On URL, Login URL: The IdP URL where the browser sends information on behalf of the management center.
• Identity Provider Issuer, Identity Provider Issuer URL, Issuer URL: A globally unique name for the IdP, often formatted as a URL.
• An X.509 digital certificate to secure communications between the management center and the IdP.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure SAML Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the following values previously obtained from the SSO Service Provider application:
• Identity Provider Single Sign-On URL
• Identity Provider Issuer
• X.509 Certificate
• If you saved the XML metadata file generated at the IdP (Step 5 in Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175), you can upload the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.
Step 2 Click Next.
Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the service provider application configuration at the IdP, correct any errors, and try again.
Step 5 When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure user role mapping for SSO users; see Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the default user role you configure in Step 4 of Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178.
Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers
To implement SAML SSO user role mapping you must establish coordinating configurations at the IdP and at the management center.
• At the IdP, establish user or group attributes to convey user role information and assign values to them; the IdP sends these to the management center once it has authenticated and authorized an SSO user.
• At the management center, associate values with each of the management center user roles you want to assign to users.
When the IdP sends the management center the user or group attribute associated with an authorized user, the management center compares the attribute value against values associated with each management center user role, and assigns the user all the roles that produce a match. The management center performs this comparison treating both values as regular expressions complying with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl.
The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping. Your IdP may enforce syntactical limitations on user or group attributes; if so, you must devise a user role mapping scheme using role names and regular expressions compatible with those requirements.
Before you begin
• Configure an SSO service provider application for the management center; see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.
Procedure
Step 1 Choose System > Users.
Step 2 Click the Single Sign-On tab.
Step 3 Expand Advanced Configuration (Role Mapping).
Step 4 Select a management center user role to assign users as a default value from the Default User Role drop-down.
Step 5 Enter a Group Member Attribute. This string must match an attribute name configured at the IdP management center service provider application for user role mapping using either users or groups. (See Step 1 of Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.)
Step 6 Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The management center uses a restricted version of Google's RE2 regular expression standard supported by Golang and Perl.) The management center compares these values against the user role mapping attribute value the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.
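To show how the matching described in Step 6, and in the Azure role mapping examples earlier in this chapter, plays out, here is an added Go example; it is not part of this guide or of the management center software. It assumes the attribute is named assignedroles as in the Azure examples, the regular expressions and the per-user attribute sets are constructed for illustration, and Go's regexp package is used because it implements the RE2 syntax the guide names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RoleMapping is one row of Advanced Configuration (Role Mapping): a
// management center user role and the regular expression entered next to it.
type RoleMapping struct {
	Role    string
	Pattern string
}

// SSOConfig holds the role-mapping fields the guide describes: the default
// user role, the Group Member Attribute name, and one pattern per role.
type SSOConfig struct {
	DefaultRole          string
	GroupMemberAttribute string
	Mappings             []RoleMapping
}

// ExampleConfig is a constructed configuration for the Azure examples in this
// chapter (attribute name assignedroles; the patterns are assumptions).
// Every pattern is anchored with ^ and $ so that, for instance, the
// Administrator pattern cannot match PolicyAdmin as a substring.
func ExampleConfig() SSOConfig {
	return SSOConfig{
		DefaultRole:          "Security Analyst (Read Only)",
		GroupMemberAttribute: "assignedroles",
		Mappings: []RoleMapping{
			{Role: "Administrator", Pattern: `^FMCAdmin$`},
			{Role: "Access Admin", Pattern: `^(PolicyAdmin|AccessAdmin)$`},
			{Role: "Discovery Admin", Pattern: `^(PolicyAdmin|DiscoveryAdmin)$`},
			{Role: "Intrusion Admin", Pattern: `^PolicyAdmin$`},
		},
	}
}

// AssignRoles applies the rule the guide states: each value of the
// role-mapping attribute the IdP sent is compared against every role's
// regular expression (RE2 syntax), and the user receives the union of all
// roles that match. If the attribute is absent or nothing matches, only the
// default role is assigned. An invalid pattern is reported as an error.
func AssignRoles(cfg SSOConfig, attrs map[string][]string) ([]string, error) {
	matched := map[string]bool{}
	for _, m := range cfg.Mappings {
		re, err := regexp.Compile(m.Pattern)
		if err != nil {
			return nil, fmt.Errorf("role %q: invalid pattern %q: %w", m.Role, m.Pattern, err)
		}
		for _, v := range attrs[cfg.GroupMemberAttribute] {
			if re.MatchString(v) {
				matched[m.Role] = true
			}
		}
	}
	if len(matched) == 0 {
		return []string{cfg.DefaultRole}, nil
	}
	roles := make([]string, 0, len(matched))
	for r := range matched {
		roles = append(roles, r)
	}
	sort.Strings(roles) // deterministic order for display and comparison
	return roles, nil
}

func main() {
	cfg := ExampleConfig()
	// Constructed SAML attribute sets for the users in the Azure examples:
	// individual assignments for Sue and Fred, group-derived values for Sue,
	// and a group member (Sean) whose group carries no custom role.
	logins := []struct {
		user  string
		attrs map[string][]string
	}{
		{"sue@example.com (individual)", map[string][]string{"assignedroles": {"FMCAdmin"}}},
		{"fred@example.com (individual)", map[string][]string{"assignedroles": {"PolicyAdmin"}}},
		{"sue@example.com (groups)", map[string][]string{"assignedroles": {"AccessAdmin", "DiscoveryAdmin"}}},
		{"sean@example.com (groups)", map[string][]string{"assignedroles": {}}},
	}
	for _, l := range logins {
		roles, err := AssignRoles(cfg, l.attrs)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32s -> %v\n", l.user, roles)
	}

	// Caveat: an unanchored pattern such as `Admin` also matches PolicyAdmin,
	// so Fred would be granted Administrator. Anchoring the pattern prevents it.
	loose := cfg
	loose.Mappings = []RoleMapping{{Role: "Administrator", Pattern: `Admin`}}
	roles, _ := AssignRoles(loose, map[string][]string{"assignedroles": {"PolicyAdmin"}})
	fmt.Println("unanchored pattern grants PolicyAdmin user:", roles)
}
```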
What to do next
Configure user role mapping at the service provider application; see Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.
Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers
The detailed steps for configuring user role mapping are different for each IdP. You must determine how to create a custom user or group attribute for the service provider application, and assign values to the attribute for each user or group at the IdP to convey user or group privileges to the management center. Keep in mind the following:
• If your IdP imports user or group profiles from a third-party user management application (such as Active Directory, LDAP, or RADIUS), this may affect how you can use attributes for role mapping.
• Take into account user and group role definitions throughout your SSO federation.
• The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from the IdP to the management center.
• Group role mapping is generally more efficient for a management center with many users.
• If you assign user groups to management center applications, do not also assign users within those groups as individuals.
• For the purpose of determining a match with management center user roles, the management center treats user and group role attribute values received from the IdP as regular expressions complying with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. Your IdP may enforce certain syntactical limitations on user or group attributes; if so, you must devise a user role mapping scheme using role names and regular expressions compatible with those requirements.
Before you begin
• Confirm your IdP account has the necessary permissions to perform this task.
• Configure a management center service provider application at the IdP (see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175).
Procedure
Step 1 At the IdP, create or designate an attribute to be sent to the management center to contain role mapping information for each user sign-in. This may be a user attribute, a group attribute, or a different attribute that obtains its value from a source such as user or group definitions maintained by the IdP or a third-party user management application.
Step 2 Configure how the attribute gets its value. Coordinate the possible values with the values associated with the user roles in the management center SSO configuration.
Customize User Roles for the Web Interface
Each user account must be defined with a user role. This section describes how to manage user roles and how to configure a custom user role for web interface access. For default user roles, see
Create Custom User Roles
Custom user roles can have any set of menu-based and system permissions, and may be completely original, copied from a predefined or another custom user role, or imported from another device.
Note Custom user roles that the system considers read-only for the purposes of concurrent session limits are automatically labeled by the system with (Read Only) in the role name on the System ( ) > Users > Users tab and the System ( ) > Users > User Roles tab. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write.
When you create a custom role or modify an existing custom role, the system automatically applies (Read Only) to the role name if all of the selected permissions for that role meet the required criteria for being read-only. You cannot make a role read-only by adding that text string manually to the role name. For more information on concurrent session limits, see Global User Configuration Settings, on page 89.
Caution Users with menu-based User Management permissions have the ability to elevate their own privileges or create new user accounts with extensive privileges, including the Administrator user role. For system security reasons we strongly recommend you restrict the list of users with User Management permissions appropriately.
Procedure
Step 1 Choose Integration > Users.
Step 2 Click User Roles.
Step 3 Add a new user role with one of the following methods:
• Click Create User Role.
• Click the Copy ( ) next to the user role you want to copy.
• Import a custom user role from another device:
a. On the old device, click the Export ( ) to save the role to your PC.
b. On the new device, choose System > Tools > Import/Export.
c. Click Upload Package, then follow the instructions to import the saved user role to the new device.
Step 4 Enter a Name for the new user role. User role names are case sensitive.
Step 5 (Optional) Add a Description.
Step 6 Choose Menu-Based Permissions for the new role.
When you choose a permission, all of its children are chosen, and the multi-value permissions use the first value. If you clear a high-level permission, all of its children are cleared also. If you choose a permission but not its children, it appears in italic text.
Copying a predefined user role to use as the base for your custom role preselects the permissions associated with that predefined role.
You can apply restrictive searches to a custom user role. These searches constrain the data a user can see in the tables on the pages available under the Analysis menu. You can configure a restrictive search by first creating a private saved search and selecting it from the Restrictive Search drop-down menu under the appropriate menu-based permission.
Step 7 (Optional) Check the External Database Access check box to set database access permissions for the new role.
This option provides read-only access to the database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the device, you must enable database access in the system settings.
Step 8 (Optional) To set escalation permissions for the new user role, see Enable User Role Escalation, on page 183.
Step 9 Click Save.
Example
You can create custom user roles for access control-related features to designate whether users can view and modify access control and associated policies.
The following table lists custom roles that you could create and user permissions granted for each example. The table lists the privileges required for each custom role. In this example, Policy Approvers can view (but not modify) access control and intrusion policies. They can also deploy configuration changes to devices.
Table 7: Sample Access Control Custom Roles
Custom Role Permission          | Example: Access Control Editor | Example: Intrusion & Network Analysis Editor | Example: Policy Approver
Access Control                  | yes                            | no                                           | yes
Access Control Policy           | yes                            | no                                           | yes
Modify Access Control Policy    | yes                            | no                                           | no
Intrusion Policy                | no                             | yes                                          | yes
Modify Intrusion Policy         | no                             | yes                                          | no
Deploy Configuration to Devices | no                             | no                                           | yes
Deactivate User Roles
Deactivating a role removes that role and all associated permissions from any user who is assigned that role.
You cannot delete predefined user roles, but you can deactivate them.
In a multidomain deployment, the system displays custom user roles created in the current domain, which you can edit. It also displays custom user roles created in ancestor domains, which you cannot edit. To view and edit custom user roles in a lower domain, switch to that domain.
Procedure
Step 1 Choose Integration > Users .
Step 2 Click User Roles .
Step 3 Click the slider next to the user role you want to activate or deactivate.
If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
If you deactivate, then reactivate, a role with Lights-Out Management while a user with that role is logged in, or restore a user or user role from a backup during that user’s login session, that user must log back into the web interface to regain access to IPMItool commands.
Enable User Role Escalation
You can give custom user roles the permission, with a password, to temporarily gain the privileges of another, targeted user role in addition to those of the base role. This feature allows you to easily substitute one user for another during an absence, or to more closely track the use of advanced user privileges. Default user roles do not support escalation.
For example, a user whose base role has very limited privileges can escalate to the Administrator role to perform administrative actions. You can configure this feature so that users can use their own passwords, or so they use the password of another user that you specify. The second option allows you to easily manage one escalation password for all applicable users.
To configure user role escalation, see the following workflow.
Procedure
Step 1 Set the Escalation Target Role, on page 183 .
Step 2 Configure a Custom User Role for Escalation, on page 184 .
Step 3 (For the logged in user) Escalate Your User Role, on page 184 .
Set the Escalation Target Role
You can assign any of your user roles, predefined or custom, to act as the system-wide escalation target role.
This is the role to which a custom role can escalate, if it has the ability. Only one user role at a time can be the escalation target role. Each escalation lasts for the duration of a login session and is recorded in the audit log.
Procedure
Step 1 Choose Integration > Users .
Step 2 Click User Roles .
Step 3 Click Configure Permission Escalation .
Step 4 Choose a user role from the Escalation Target drop-down list.
Step 5 Click OK to save your changes.
Changing the escalation target role is effective immediately. Users in escalated sessions now have the permissions of the new escalation target.
Configure a Custom User Role for Escalation
Users for whom you want to enable escalation must belong to a custom user role with escalation enabled. This procedure describes how to enable escalation for a custom user role.
Consider the needs of your organization when you configure the escalation password for a custom role. If you want to easily manage many escalating users, you might want to choose another user whose password serves as the escalation password. If you change that user’s password or deactivate that user, all escalating users who require that password are affected. This action allows you to manage user role escalation more efficiently, especially if you choose an externally-authenticated user that you can manage centrally.
Before you begin
Set a target user role according to Set the Escalation Target Role, on page 183 .
Procedure
Step 1 Begin configuring your custom user role as described in Create Custom User Roles, on page 180 .
Step 2 In System Permissions , check the Set this role to escalate to: Maintenance User check box. Maintenance User here stands for the current escalation target role, which is listed beside the check box.
Step 3 Choose the password that this role uses to escalate. You have two options:
• Choose Authenticate with the assigned user’s password if you want users with this role to use their own passwords when they escalate.
• Choose Authenticate with the specified user’s password and enter that username if you want users with this role to use the password of another user.
Note When authenticating with another user’s password, you can enter any username, even that of a deactivated or nonexistent user. Deactivating the user whose password is used for escalation makes escalation impossible for users with the role that requires it. You can use this feature to quickly remove escalation powers if necessary.
Step 4 Click Save .
Escalate Your User Role
When a user has an assigned custom user role with permission to escalate, that user can escalate to the target role’s permissions at any time. Note that escalation has no effect on user preferences.
Procedure
Step 1 From the drop-down list under your user name, choose Escalate Permissions .
If you do not see this option, your administrator did not enable escalation for your user role.
Step 2 Enter the authentication password.
Step 3 Click Escalate . You now have all permissions of the escalation target role in addition to your current role.
Escalation lasts for the remainder of your login session. To return to the privileges of your base role only, you must log out, then begin a new session.
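The escalation rules described in the preceding sections (a custom role escalates to the single system-wide target role for the rest of the login session, authenticating with either the user's own password or a designated user's, every attempt audited, a target change effective immediately, and deactivation of the password holder disabling escalation for the whole role) as an added Python model. This is not management center code: the role names, permission strings, user accounts and the esc-gate password-holder account are constructed for the illustration, and the model keeps passwords in plaintext only because it runs offline.

```python
"""Model of permission escalation as the guide describes it: effective permissions
are the union of the base role and the current escalation target, resolved at
check time, for the remainder of one login session."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Role:
    name: str
    permissions: Set[str]
    can_escalate: bool = False
    # None: "Authenticate with the assigned user's password";
    # otherwise the username from "Authenticate with the specified user's password"
    escalation_password_user: Optional[str] = None


@dataclass
class User:
    name: str
    password: str          # plaintext only because this is an offline model
    role: str
    active: bool = True


@dataclass
class Session:
    user: str
    escalated: bool = False


class EscalationModel:
    def __init__(self, roles: List[Role], users: List[User], escalation_target: str):
        self.roles: Dict[str, Role] = {r.name: r for r in roles}
        self.users: Dict[str, User] = {u.name: u for u in users}
        self.escalation_target = escalation_target
        self.audit_log: List[str] = []

    def login(self, username: str, password: str) -> Session:
        u = self.users.get(username)
        if u is None or not u.active or not hmac.compare_digest(u.password, password):
            raise PermissionError("login failed")
        return Session(user=username)          # every session starts unescalated

    def escalate(self, session: Session, password: str) -> None:
        role = self.roles[self.users[session.user].role]
        if not role.can_escalate:
            raise PermissionError(f"role {role.name!r} is not configured to escalate")
        holder = self.users.get(role.escalation_password_user or session.user)
        # A nonexistent or deactivated password holder makes escalation impossible,
        # which is the guide's quick way to revoke escalation for a whole role.
        if (holder is None or not holder.active
                or not hmac.compare_digest(holder.password, password)):
            self.audit_log.append(f"{session.user}: escalation denied")
            raise PermissionError("escalation password rejected")
        session.escalated = True
        self.audit_log.append(f"{session.user}: escalated to {self.escalation_target}")

    def set_escalation_target(self, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.escalation_target = role_name
        self.audit_log.append(f"escalation target changed to {role_name}")

    def effective_permissions(self, session: Session) -> Set[str]:
        base = set(self.roles[self.users[session.user].role].permissions)
        if not session.escalated:
            return base
        # Resolved at check time, so a target change applies to live escalated sessions.
        return base | self.roles[self.escalation_target].permissions

    def has_permission(self, session: Session, perm: str) -> bool:
        return perm in self.effective_permissions(session)


def demo() -> dict:
    """Walk through the guide's scenarios on constructed sample roles and users."""
    roles = [
        Role("Administrator", {"policy.view", "policy.modify", "deploy", "users.manage"}),
        Role("Maintenance User", {"health.view", "backup"}),
        # shared escalation password held by a dedicated account (assumed name)
        Role("Policy Approver", {"policy.view", "deploy"}, True, "esc-gate"),
        Role("Read Only", {"policy.view"}, True),          # escalates with own password
    ]
    users = [
        User("alice", "alice-pw", "Policy Approver"),
        User("bob", "bob-pw", "Read Only"),
        User("esc-gate", "shared-escalation-pw", "Read Only"),
    ]
    mc = EscalationModel(roles, users, escalation_target="Administrator")
    out = {}
    alice = mc.login("alice", "alice-pw")
    out["before"] = mc.has_permission(alice, "users.manage")
    try:                                           # own password is not the configured one
        mc.escalate(alice, "alice-pw")
        out["own_pw_accepted"] = True
    except PermissionError:
        out["own_pw_accepted"] = False
    mc.escalate(alice, "shared-escalation-pw")
    out["after"] = mc.has_permission(alice, "users.manage")
    mc.set_escalation_target("Maintenance User")   # effective immediately
    out["after_retarget"] = (mc.has_permission(alice, "users.manage"),
                             mc.has_permission(alice, "backup"))
    mc.users["esc-gate"].active = False            # revoke escalation for the whole role
    try:
        mc.escalate(mc.login("alice", "alice-pw"), "shared-escalation-pw")
        out["revoked"] = False
    except PermissionError:
        out["revoked"] = True
    bob = mc.login("bob", "bob-pw")
    mc.escalate(bob, "bob-pw")                     # Read Only uses the user's own password
    out["bob_escalated"] = mc.has_permission(bob, "backup")
    out["audit"] = list(mc.audit_log)
    return out
```

The design point worth noticing is that the target role is looked up on every permission check rather than copied into the session at escalation time; that is what makes "changing the escalation target role is effective immediately" true, and it is also why an escalated session does not shrink back until the user logs out.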
Troubleshooting LDAP Authentication Connections
If you create an LDAP authentication object and it either does not succeed in connecting to the server you select, or does not retrieve the list of users you want, you can tune the settings in the object.
If the connection fails when you test it, try the following suggestions to troubleshoot your configuration:
• Use the messages displayed at the top of the web interface screen and in the test output to determine which areas of the object are causing the issue.
• Check that the user name and password you used for the object are valid:
• Check that you have the rights to browse to the directory indicated in your base-distinguished name by connecting to the LDAP server using a third-party LDAP browser.
• Check that the user name is unique to the directory information tree for the LDAP server.
• If you see an LDAP bind error 49 (invalidCredentials) in the test output, the bind for the user failed. Try authenticating to the server through a third-party application to see if the bind fails through that connection as well.
• Check that you have correctly identified the server:
• Check that the server IP address or host name is correct.
• Check that you have TCP/IP access from your local appliance to the authentication server where you want to connect.
• Check that access to the server is not blocked by a firewall and that the port you have configured in the object is open.
• If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used for the server.
• Check that you have not used an IPv6 address for the server connection if you are authenticating CLI access.
• If you used server type defaults, check that you have the correct server type and click Set Defaults again to reset the default values.
• If you typed in your base-distinguished name, click Fetch DNs to retrieve all the available base distinguished names on the server, and select the name from the list.
• If you are using any filters, access attributes, or advanced settings, check that each is valid and typed correctly.
• If you are using any filters, access attributes, or advanced settings, try removing each setting and testing the object without it.
• If you are using a base filter or a CLI access filter, make sure that the filter is enclosed in parentheses and that you are using a valid comparison operator (maximum 450 characters, including the enclosing parentheses).
• To test a more restricted base filter, try setting it to the base distinguished name for the user to retrieve just that user.
• If you are using an encrypted connection:
• Check that the name of the LDAP server in the certificate matches the host name that you use to connect.
• Check that you have not used an IPv6 address with an encrypted server connection.
• If you are using a test user, make sure that the user name and password are typed correctly.
• If you are using a test user, remove the user credentials and test the object.
• Test the query that you are using by connecting to the LDAP server and using this syntax:
ldapsearch -x -b 'base_distinguished_name' -h LDAPserver_ip_address -p port -v -D 'user_distinguished_name' -W 'base_filter'
For example, if you are trying to connect to the security domain on myrtle.example.com using the [email protected] user and a base filter of (cn=*), you could test the connection using this statement:
ldapsearch -x -b 'CN=security,DC=myrtle,DC=example,DC=com' -h myrtle.example.com -p 389 -v -D '[email protected]' -W '(cn=*)'
Newer OpenLDAP clients deprecate -h and -p; -H ldap://myrtle.example.com:389 is the equivalent, and an ldaps:// URL on the configured port tests an encrypted connection. Where possible, run the search from a host on the same network path as the management center, because a firewall or route that your workstation's LDAP browser does not traverse is a common cause of a test failure.
If you can test your connection successfully but authentication does not work after you deploy a platform settings policy, check that authentication and the object you want to use are both enabled in the platform settings policy that is applied to the device.
If you connect successfully but want to adjust the list of users retrieved by your connection, you can add or change a base filter or CLI access filter or use a more restrictive or less restrictive base DN.
When the management center authenticates against an Active Directory (AD) server, in rare cases the connection event log shows blocked LDAP traffic although the connection to the AD server succeeds. This incorrect connection log occurs when the AD server sends a duplicate reset packet: the threat defense device identifies the second reset packet as part of a new connection request and logs that connection with the Block action.
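An added Python checker for the base filter and CLI access filter rules listed above (enclosing parentheses, a valid comparison operator, and the 450-character limit including the parentheses), using the RFC 4515 string representation of search filters. This is not part of the guide or the product; the sample filters and the Active Directory matching-rule OID used in its tests are constructed examples. It accepts and/or/not groups, presence, substring, approximate, ordering and extensible-match items, and reports the offset of the first problem so the filter can be corrected before it is pasted into the authentication object.

```python
"""Offline syntax check for an LDAP base filter or CLI access filter, following the
RFC 4515 string grammar and the length limit the guide states."""
import re
from typing import Tuple

MAX_FILTER_LEN = 450   # guide's limit, counted including the enclosing parentheses

# attribute description (name or OID), then a plain comparison operator or an
# extensible-match operator such as ":1.2.840.113556.1.4.803:="
_ITEM = re.compile(
    r"([A-Za-z][\w\-;]*|[0-9]+(?:\.[0-9]+)*)"
    r"((?::dn)?(?::[A-Za-z0-9.\-]+)?:=|~=|>=|<=|=)"
)
_OP_NAMES = {"=": "equal", "~=": "approx", ">=": "ge", "<=": "le"}


class FilterError(ValueError):
    """Carries a human-readable reason and offset for a malformed filter."""


def parse_filter(text: str):
    """Parse a filter into a nested tuple tree, or raise FilterError."""
    if len(text) > MAX_FILTER_LEN:
        raise FilterError(f"filter is {len(text)} characters; maximum is {MAX_FILTER_LEN}")
    if not text.startswith("("):
        raise FilterError("filter must be enclosed in parentheses")
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"unexpected text after filter at offset {pos}: {text[pos:]!r}")
    return tree


def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, index after ')')."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    c = s[i]
    if c in "&|":                          # and / or: one or more nested filters
        i += 1
        parts = []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            parts.append(sub)
        if not parts:
            raise FilterError(f"{c!r} at offset {i - 1} needs at least one nested filter")
        node = ("and" if c == "&" else "or", parts)
    elif c == "!":                         # not: exactly one nested filter
        sub, i = _parse(s, i + 1)
        node = ("not", sub)
    else:                                  # attr <operator> value
        m = _ITEM.match(s, i)
        if not m:
            raise FilterError(f"expected attribute and comparison operator at offset {i}")
        attr, op = m.group(1), m.group(2)
        i = m.end()
        j = s.find(")", i)
        if j == -1:
            raise FilterError(f"missing ')' for item starting at offset {m.start()}")
        value = s[i:j]
        if "(" in value:                   # RFC 4515: a literal '(' must be escaped as \28
            raise FilterError(f"unescaped '(' in value {value!r}; write it as \\28")
        if op == "=" and value == "*":
            node = ("present", attr)
        elif op == "=" and "*" in value:
            node = ("substring", attr, value)
        elif op in _OP_NAMES:
            node = (_OP_NAMES[op], attr, value)
        else:
            node = ("extensible", attr, op[:-2], value)   # op[:-2] is ":rule" or ":dn:rule"
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def check_filter(text: str) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, reason) so scripts can gate on the result."""
    try:
        parse_filter(text)
        return True, "ok"
    except FilterError as exc:
        return False, str(exc)
```

Because a value may legally contain '=' and ',' (a memberOf filter carries a whole distinguished name), the checker only rejects an unescaped '(' inside a value; a stray ')' inside a value is caught as trailing text after the filter.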
Configure User Preferences
Depending on your user role, you can specify certain preferences for your user account.
In a multidomain deployment, user preferences apply to all domains where your account has access. When specifying home page and dashboard preferences, keep in mind that certain pages and dashboard widgets are constrained by domain.
Changing Your Password
All user accounts are protected with a password. You can change your password at any time, and depending on the settings for your user account, you may have to change your password periodically.
When password strength checking is enabled, passwords must comply with the strong password requirements described in
Guidelines and Limitations for User Accounts for Management Center, on page 110
.
If you are an LDAP or a RADIUS user, you cannot change your password through the web interface.
Procedure
Step 1 From the drop-down list under your user name, choose User Preferences .
Step 2 Click Change Password .
Step 3 Optionally, check the Show password check box to see the password while using this dialog.
Step 4 Enter your Current Password .
Step 5 You have two options:
• Enter your new password for New Password and Confirm Password .
• Click Generate Password to have the system create a password for you which complies with the listed criteria. (Generated passwords are non-mnemonic; take careful note of the password if you choose this option.)
Step 6 Click Apply .
Changing an Expired Password
Depending on the settings for your user account, your password may expire. The password expiration time period is set when your account is created. If your password has expired, the Password Expiration Warning page appears.
Procedure
On the Password Expiration Warning page, you have two choices:
• Click Change Password to change your password now. If you have zero warning days left, you must change your password.
Tip When password strength checking is enabled, passwords must comply with the strong password requirements described in Guidelines and Limitations for User Accounts for Management Center, on page 110 .
• Click Skip to change your password later.
Change the Web Interface Appearance
You can change the way the web interface appears.
Procedure
Step 1 From the drop-down list under your user name, choose User Preferences . The General tab displays by default.
Step 2 Select a theme:
• Light
• Dusk
• Classic (the look and feel of releases earlier than 6.6)
Specifying Your Home Page
You can specify the page within the web interface to use as your home page for the appliance. The default home page is the default dashboard ( Overview > Dashboards ), except for user accounts with no dashboard access, such as External Database users. (See
Specifying Your Default Dashboard, on page 193
to set the default dashboard.)
In a multidomain deployment, the home page you choose applies to all domains where your user account has access. When choosing a home page for an account that frequently accesses multiple domains, keep in mind that certain pages are constrained to the Global domain.
Procedure
Step 1 From the drop-down list under your user name, choose User Preferences .
Step 2 Click Home Page .
Step 3 Choose the page you want to use as your home page from the drop-down list.
The options in the drop-down list are based on the access privileges for your user account. For more information, see
.
Step 4 Click Save .
Configuring Event View Settings
Use the Event View Settings page to configure characteristics of event views on the Secure Firewall Management Center. Note that some event view configurations are available only for specific user roles. Users with the External Database User role can view parts of the event view settings user interface, but changing those settings has no meaningful result.
Procedure
Step 1 From the drop-down list under your user name, choose User Preferences .
Step 2 Click Event View Settings .
Step 3 In the Event Preferences section, configure the basic characteristics of event views; see Event View Preferences, on page 189 .
Step 4 In the File Preferences section, configure file download preferences; see File Download Preferences, on page 190 .
Step 5 In the Default Time Windows section, configure the default time window or windows; see Default Time Windows, on page 191 .
Step 6 In the Default Workflow sections, configure default workflows; see Default Workflows, on page 192 .
Step 7 Click Save .
Event View Preferences
Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views. This section is available for all user roles, although it has little to no significance for users who cannot view events.
The following fields appear in the Event Preferences section:
• The Confirm “All” Actions field controls whether the appliance forces you to confirm actions that affect all events in an event view.
For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.
• The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views.
Note that an event view may be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must use management interfaces configuration to establish a DNS server in the system settings.
• The Expand Packet View field allows you to configure how the packet view for intrusion events appears.
By default, the appliance displays a collapsed version of the packet view:
• None - collapse all subsections of the Packet Information section of the packet view
• Packet Text - expand only the Packet Text subsection
• Packet Bytes - expand only the Packet Bytes subsection
• All - expand all sections
Regardless of the default setting, you can always manually expand the sections in the packet view to view detailed information about a captured packet.
• The Rows Per Page field controls how many rows of events per page you want to appear in drill-down pages and table views.
• The Refresh Interval field sets the refresh interval for event views in minutes. Entering 0 disables the refresh option. Note that this interval does not apply to dashboards.
• The Statistics Refresh Interval controls the refresh interval for event summary pages such as the Intrusion Event Statistics and Discovery Statistics pages. Entering 0 disables the refresh option. Note that this interval does not apply to dashboards.
• The Deactivate Rules field controls which links appear on the packet view of intrusion events generated by standard text rules:
• All Policies - a single link that deactivates the standard text rule in all the locally defined custom intrusion policies
• Current Policy - a single link that deactivates the standard text rule in only the currently deployed intrusion policy. Note that you cannot deactivate rules in the default policies.
• Ask - links for each of these options
To see these links on the packet view, your user account must have either Administrator or Intrusion Admin access.
File Download Preferences
Use the File Preferences section of the Event View Settings page to configure basic characteristics of local file downloads. This section is only available to users with the Administrator, Security Analyst, or Security Analyst (Read Only) user roles.
Note that if your appliance does not support downloading captured files, these options are disabled.
The following fields appear in the File Preferences section:
• The Confirm ‘Download File’ Actions check box controls whether a File Download pop-up window appears each time you download a file, displaying a warning and prompting you to continue or cancel.
Caution Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.
Note that you can disable this option any time you download a file.
• When you download a captured file, the system creates a password-protected .zip archive containing the file. The Zip File Password field defines the password you want to use to restrict access to the .zip file.
If you leave this field blank, the system creates archive files without passwords.
• The Show Zip File Password check box toggles displaying plain text or obfuscated characters in the Zip File Password field. When this field is cleared, the Zip File Password displays obfuscated characters.
Default Time Windows
The time window, sometimes called the time range, imposes a time constraint on the events in any event view.
Use the Default Time Windows section of the Event View Settings page to control the default behavior of the time window.
User role access to this section is as follows:
• Administrators and Maintenance Users can access the full section.
• Security Analysts and Security Analysts (Read Only) can access all options except Audit Log Time Window .
• Access Admins, Discovery Admins, External Database Users, Intrusion Admins, Network Admins, and Security Approvers can access only the Events Time Window option.
Note that, regardless of the default time window setting, you can always manually change the time window for individual event views during your event analysis. Also, keep in mind that time window settings are valid for only the current session. When you log out and then log back in, time windows are reset to the defaults you configured on this page.
There are three types of events for which you can set the default time window:
• The Events Time Window sets a single default time window for most events that can be constrained by time.
• The Audit Log Time Window sets the default time window for the audit log.
• The Health Monitoring Time Window sets the default time window for health events.
You can only set time windows for event types your user account can access. All user types can set event time windows. Administrators, Maintenance Users, and Security Analysts can set health monitoring time windows. Administrators and Maintenance Users can set audit log time windows.
Note that because not all event views can be constrained by time, time window settings have no effect on event views that display hosts, host attributes, applications, clients, vulnerabilities, user identity, or compliance allow list violations.
You can either use Multiple time windows, one for each of these types of events, or you can use a Single time window that applies to all events. If you use a single time window, the settings for the three types of time window disappear and a new Global Time Window setting appears.
There are three types of time window:
• static , which displays all the events generated from a specific start time to a specific end time
• expanding , which displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view
• sliding , which displays all the events generated from a specific start time (for example, one day ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last day)
The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).
The following options appear in the Time Window Settings drop-down list:
• The Show the Last - Sliding option allows you to configure a sliding default time window of the length you specify.
The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window “slides” so that you always see events from the last hour.
• The Show the Last - Static/Expanding option allows you to configure either a static or expanding default time window of the length you specify.
For static time windows, enable the Use End Time check box. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window expands to the present time.
• The Current Day - Static/Expanding option allows you to configure either a static or expanding default time window for the current day. The current day begins at midnight, based on the time zone setting for your current session.
For static time windows, enable the Use End Time check box. The appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from midnight to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 24 hours before you log out, this time window can be more than 24 hours.
• The Current Week - Static/Expanding option allows you to configure either a static or expanding default time window for the current week. The current week begins at midnight on the previous Sunday, based on the time zone setting for your current session.
For static time windows, enable the Use End Time check box. The appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from midnight Sunday to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 1 week before you log out, this time window can be more than 1 week.
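The static, expanding and sliding window types and the drop-down options above, as an added Python model that is not management center code. It computes the (start, end) bounds a view would apply when rendered at a given moment and clamps them to the 1970 to 2038 range the guide states. The sample session time zone and timestamps are constructed, and the week is assumed to begin at the most recent Sunday midnight in the session's time zone.

```python
"""Model of the event-view time window types the guide describes (static,
expanding, sliding) and of the supported 1970-2038 range."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hard limits quoted by the guide: the Unix epoch and the largest 32-bit signed time_t
WINDOW_MIN = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOW_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def _clamp(t: datetime) -> datetime:
    return max(WINDOW_MIN, min(WINDOW_MAX, t))


@dataclass(frozen=True)
class TimeWindow:
    kind: str                           # "static", "expanding" or "sliding"
    start: Optional[datetime] = None    # static and expanding: fixed start
    end: Optional[datetime] = None      # static only: fixed end (when first viewed)
    length: Optional[timedelta] = None  # sliding only: how far back from "now"

    def bounds(self, now: datetime) -> Tuple[datetime, datetime]:
        """(start, end) as the event view would apply them when rendered at `now`."""
        if self.kind == "static":       # fixed on both ends
            start, end = self.start, self.end
        elif self.kind == "expanding":  # fixed start, grows toward the present
            start, end = self.start, now
        elif self.kind == "sliding":    # fixed length, moves with the present
            start, end = now - self.length, now
        else:
            raise ValueError(f"unknown window kind {self.kind!r}")
        return _clamp(start), _clamp(end)

    def contains(self, event_time: datetime, now: datetime) -> bool:
        start, end = self.bounds(now)
        return start <= event_time <= end


def _fixed_start(start: datetime, first_viewed: datetime, mode: str) -> TimeWindow:
    # "Use End Time" checked -> static; unchecked -> expanding
    if mode == "static":
        return TimeWindow("static", start=start, end=first_viewed)
    if mode == "expanding":
        return TimeWindow("expanding", start=start)
    raise ValueError("mode must be 'static' or 'expanding'")


def show_the_last(length: timedelta, first_viewed: datetime, mode: str) -> TimeWindow:
    """'Show the Last' option: mode is 'sliding', 'static' or 'expanding'."""
    if mode == "sliding":
        return TimeWindow("sliding", length=length)
    return _fixed_start(first_viewed - length, first_viewed, mode)


def current_day(first_viewed: datetime, mode: str) -> TimeWindow:
    """'Current Day' option; first_viewed carries the session time zone."""
    midnight = first_viewed.replace(hour=0, minute=0, second=0, microsecond=0)
    return _fixed_start(midnight, first_viewed, mode)


def current_week(first_viewed: datetime, mode: str) -> TimeWindow:
    """'Current Week' option. Assumption: the week starts at the most recent Sunday
    midnight in the session time zone (weekday() is 0 for Monday, 6 for Sunday)."""
    midnight = first_viewed.replace(hour=0, minute=0, second=0, microsecond=0)
    sunday = midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    return _fixed_start(sunday, first_viewed, mode)


if __name__ == "__main__":
    # constructed sample session: Tuesday 2022-06-28 10:30 in a UTC-8 session time zone
    tz = timezone(timedelta(hours=-8))
    first = datetime(2022, 6, 28, 10, 30, tzinfo=tz)
    later = first + timedelta(hours=5)
    for name, w in [("sliding 1h", show_the_last(timedelta(hours=1), first, "sliding")),
                    ("current day, expanding", current_day(first, "expanding")),
                    ("current week, static", current_week(first, "static"))]:
        print(name, w.bounds(later))
```

The practical consequence for analysis is visible in the model: an expanding window keeps events you saw earlier in the session, while a sliding window silently drops them once they fall outside the length, so an analyst who notes an event and returns to it later in a long session should use a static or expanding window.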
Default Workflows
A workflow is a series of pages displaying data that analysts use to evaluate events. For each event type, the appliance ships with at least one predefined workflow. For example, as a Security Analyst, depending on the type of analysis you are performing, you can choose among ten different intrusion event workflows, each of which presents intrusion event data in a different way.
The appliance is configured with a default workflow for each event type. For example, the Events by Priority and Classification workflow is the default for intrusion events. This means whenever you view intrusion events (including reviewed intrusion events), the appliance displays the Events by Priority and Classification workflow.
You can, however, change the default workflow for each event type. The default workflows you are able to configure depend on your user role. For example, intrusion event analysts cannot set default discovery event workflows.
Setting Your Default Time Zone
This setting determines the times displayed in the web interface for your user account only, for things like task scheduling and viewing dashboards. This setting does not change the system time or affect any other user, and does not affect data stored in the system, which generally uses UTC.
Warning The Time Zone function (in User Preferences) assumes that the system clock is set to UTC time. DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.
Note This feature does not affect the time zone used for time-based policy application. Set the time zone for a device in Devices > Platform Settings .
Procedure
Step 1 From the drop-down list under your user name, choose User Preferences .
Step 2 Click Time Zone .
Step 3 Choose the continent or area that contains the time zone you want to use.
Step 4 Choose the country and state name that corresponds with the time zone you want to use.
Specifying Your Default Dashboard
The default dashboard appears when you choose Overview > Dashboards . Unless changed, the default dashboard for all users is the Summary dashboard. You can change the default dashboard if your user role is Administrator, Maintenance, or Security Analyst.
In a multidomain deployment, the default dashboard you choose applies to all domains where your user account has access. When choosing a dashboard for an account that frequently accesses multiple domains, keep in mind that certain dashboard widgets are constrained by domain.
Procedure
Step 1 From the drop-down list under your user name, choose User Preferences .
Step 2 Click Dashboard Settings .
Step 3 Choose the dashboard you want to use as your default from the drop-down list. If you choose None , when you select Overview > Dashboards , you can then choose a dashboard to view.
Step 4 Click Save .
History for Users
Feature: Support for the Service-Type attribute for threat defense users defined on the RADIUS server
Version: 6.4
Details: For RADIUS authentication of threat defense CLI users, you used to have to pre-define the usernames in the RADIUS external authentication object and manually make sure that the list matched usernames defined on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter blank in the external authentication object.
New/Modified screens: System > Users > External Authentication > Add External Authentication Object > Shell Access Filter
Supported platforms: threat defense

Feature: External Authentication for threat defense SSH Access
Version: 6.2.3
Details: You can now configure external authentication for SSH access to the threat defense using LDAP or RADIUS.
New/Modified screens: Devices > Platform Settings > External Authentication
Supported platforms: threat defense
CHAPTER 5
Domains
The following topics describe how to manage multitenancy using domains:
• Introduction to Multitenancy Using Domains, on page 195
• Requirements and Prerequisites for Domains, on page 198
•
• Creating New Domains, on page 199
• Moving Data Between Domains, on page 200
• Moving Devices Between Domains, on page 201
• History for Domain Management, on page 202
Introduction to Multitenancy Using Domains
The management center allows you to implement multitenancy using domains . Domains segment user access to managed devices, configurations, and events. You can create up to 100 subdomains under a top-level Global domain, in two or three levels.
When you log into the management center, you log into a single domain, called the current domain . Depending on your user account, you may be able to switch to other domains.
In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various configurations. The management center limits most management tasks, like system software updates, to the Global domain.
The management center limits other tasks to leaf domains , which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain. Note that each device can only belong to a single domain.
Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain’s devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.
One Domain Level: Global
If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.
Two Domain Levels: Global and Second-Level
In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single management center to manage network security for multiple customers:
• Administrators at the MSSP logging into the Global domain cannot view or edit customers’ deployments. They must log into the respective second-level named subdomains to manage the customers' deployments.
• Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.
Three Domain Levels: Global, Second-Level, and Third-Level
In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer—already restricted to a subdomain—wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:
• Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's edge network deployments. They must log into the respective leaf domain to manage the devices deployed on the network edge.
• Administrators for the customer’s edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer’s internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.
Note In the management center that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.
Related Topics
, on page 129
Domains Terminology
This documentation uses the following terms when describing domains and multidomain deployments:
Global Domain
In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain. Administrators in the Global domain can manage the entire Firepower System deployment.
Subdomain
A second or third-level domain.
Second-level domain
A child of the Global domain. Second-level domains can be leaf domains, or they can have subdomains.
Third-level domain
A child of a second-level domain. Third-level domains are always leaf domains.
Leaf domain
A domain with no subdomains. Each device must belong to a leaf domain.
Descendant domain
A domain descending from the current domain in the hierarchy.
Child domain
A domain’s direct descendant.
Ancestor domain
A domain from which the current domain descends.
Parent domain
A domain’s direct ancestor.
Sibling domain
A domain with the same parent.
Current domain
The domain you are logged into now. The system displays the name of the current domain before your user name at the top right of the web interface. Unless your user role is restricted, you can edit configurations in the current domain.
Domain Properties
To modify a domain's properties, you must have Administrator access in that domain's parent domain.
Name and Description
Each domain must have a unique name within its hierarchy. A description is optional.
Parent Domain
Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.
Devices
Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device.
In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.
Host Limit
The number of hosts the management center can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but have separate network maps.
To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0 , the domain shares in the general pool.
Setting the host limit has a different effect at each domain level:
• Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.
• Second Level — For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.
• Global — For the Global domain, the host limit is equal to the total number of hosts the management center can monitor. You cannot change it.
The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.
The network discovery policy controls what happens when you detect a new host after you reach the host limit; you can drop the new host, or replace the host that has been inactive for the longest time.
Because each leaf domain has its own network discovery policy, each leaf domain governs its own behavior when the system discovers a new host.
If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.
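The structural rules above (two or three levels under Global, devices only in leaf domains, at most 100 subdomains) and the host-limit behaviour (0 means share the parent's pool, subdomain limits may add up to more than the parent's, the longest-inactive host is dropped when a limit is cut) are modelled below as an added illustration. This is not management center code: the DomainTree and NetworkMap classes, the "drop" and "replace_inactive" policy names, and the hierarchy and host addresses in example() are constructed for this example, and the reading that a non-zero limit anywhere on the path to Global caps a leaf is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SUBDOMAINS = 100   # stated maximum under Global
MAX_DEPTH = 3          # Global, second-level, third-level


@dataclass
class Domain:
    name: str
    parent: Optional[str]            # None only for Global
    host_limit: int = 0              # 0 = share the parent's pool
    devices: List[str] = field(default_factory=list)


class DomainTree:
    """Hypothetical model of the hierarchy rules in Domain Properties (not Cisco code)."""

    def __init__(self, global_host_limit: int):
        self.domains: Dict[str, Domain] = {"Global": Domain("Global", None, global_host_limit)}

    def add(self, name, parent, host_limit=0, devices=()):
        if name in self.domains:            # names are unique within the hierarchy
            raise ValueError(f"duplicate domain name: {name}")
        if parent not in self.domains:      # a parent cannot be changed after creation
            raise ValueError(f"unknown parent domain: {parent}")
        self.domains[name] = Domain(name, parent, host_limit, list(devices))

    def is_leaf(self, name):
        return not any(d.parent == name for d in self.domains.values())

    def path_to_root(self, name):
        """The domain itself followed by each ancestor up to Global."""
        out, d = [], self.domains[name]
        while d.parent is not None:
            out.append(d)
            d = self.domains[d.parent]
        return out + [d]

    def validate(self):
        """Problems that would stop the domain configuration from being saved."""
        problems = []
        if len(self.domains) - 1 > MAX_SUBDOMAINS:
            problems.append(f"more than {MAX_SUBDOMAINS} subdomains")
        for d in self.domains.values():
            if len(self.path_to_root(d.name)) > MAX_DEPTH:
                problems.append(f"{d.name}: deeper than {MAX_DEPTH} levels")
            if d.devices and not self.is_leaf(d.name):
                problems.append(f"{d.name}: non-leaf domain directly controls devices")
        return problems

    def effective_host_limit(self, name):
        """Tightest non-zero limit on the path to Global; a 0 limit only means
        'draw on the parent's pool', so it never binds by itself (assumed reading)."""
        return min(d.host_limit for d in self.path_to_root(name) if d.host_limit > 0)


class NetworkMap:
    """One leaf domain's network map and what it does at the host limit."""

    def __init__(self, limit, when_full="drop"):
        self.limit = limit
        self.when_full = when_full           # "drop" or "replace_inactive", per discovery policy
        self.last_seen = {}                  # host address -> last activity timestamp

    def _evict_oldest(self):
        oldest = min(self.last_seen, key=self.last_seen.get)   # inactive the longest
        del self.last_seen[oldest]
        return oldest

    def discover(self, host, now):
        """Record a sighting; False means a new host was dropped because the map is full."""
        if host not in self.last_seen and len(self.last_seen) >= self.limit:
            if self.when_full == "drop":
                return False
            self._evict_oldest()
        self.last_seen[host] = now
        return True

    def set_limit(self, new_limit):
        """Lowering the limit deletes the longest-inactive hosts; returns what was deleted."""
        self.limit = new_limit
        return [self._evict_oldest() for _ in range(max(0, len(self.last_seen) - new_limit))]


def example():
    """Constructed hierarchy following the guide's 150,000 / 100,000 example."""
    tree = DomainTree(global_host_limit=150_000)
    tree.add("CustomerA", "Global", host_limit=100_000)
    tree.add("CustomerA-Edge", "CustomerA", devices=["ftd-edge-1"])            # shares CustomerA's pool
    tree.add("CustomerA-Internal", "CustomerA", host_limit=40_000, devices=["ftd-int-1"])
    tree.add("CustomerB", "Global", host_limit=200_000, devices=["ftd-b-1"])   # capped by Global
    nm = NetworkMap(limit=3, when_full="replace_inactive")
    for t, host in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        nm.discover(host, now=t)
    nm.discover("10.0.0.1", now=10)   # refresh host 1, so host 2 is now the stalest
    nm.discover("10.0.0.4", now=11)   # map full: 10.0.0.2 is replaced
    return {"problems": tree.validate(),
            "limits": {n: tree.effective_host_limit(n)
                       for n in ("CustomerA-Edge", "CustomerA-Internal", "CustomerB")},
            "hosts": sorted(nm.last_seen), "evicted_after_limit_cut": nm.set_limit(2)}
```

In example(), CustomerA and CustomerB together are allowed 300,000 hosts although Global can hold only 150,000; each one can reach its own limit, but not both at once, which is the over-allocation the guide describes.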
Related Topics
Host Limit
Network Discovery Data Storage Settings
Requirements and Prerequisites for Domains
Model Support
Any.
Supported Domains
Any
User Roles
• Admin
Managing Domains
To modify a domain's properties, you must have Administrator access in that domain's parent domain.
Procedure
Step 1 Choose System ( ) > Domains .
Step 2 Manage your domains:
• Add — Click Add Domain , or click Add Subdomain next to the parent domain; see Creating New Domains .
• Edit — Click Edit ( ) next to the domain you want to modify; see Domain Properties, on page 197 .
• Delete — Click Delete ( ) next to the empty domain you want to delete, then confirm your choice. Move devices from domains you want to delete by editing their destination domain.
Step 3 When you are done making changes to the domain structure and all devices are associated with leaf domains, click Save to implement your changes.
Step 4 If prompted, make additional changes:
• If you changed a leaf domain to a parent domain, move or delete the old network map; see Moving Data Between Domains, on page 200 .
• If you moved devices between domains and must assign new policies and security zones or interface groups, see Moving Devices Between Domains, on page 201 .
What to do next
• Configure user roles and policies (access control, network discovery, and so on) for any new domains. Update device properties as needed.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide .
Creating New Domains
You can create up to 100 subdomains under a top-level Global domain, in two or three levels.
You must assign all devices to a leaf domain before you can implement the domain configuration. When you add a subdomain to a leaf domain, the domain stops being a leaf domain and you must reassign its devices.
Procedure
Step 1 In a Global or a second-level domain, choose System ( ) > Domains .
Step 2 Click Add Domain , or click Add Subdomain next to the parent domain.
Step 3 Enter a Name and Description .
Step 4 Choose a Parent Domain .
Step 5 On Devices , choose the Available Devices to add to the domain, then click Add to Domain or drag and drop into the list of Selected Devices .
Step 6 Optionally, click Advanced to limit the number of hosts the new domain may monitor; see Domain Properties, on page 197 .
Step 7 Click Save to return to the domain management page.
The system warns you if any devices are assigned to non-leaf domains. Click Create New Domain to create a new domain for those devices. Click Keep Unassigned if you plan to move the devices to existing domains.
Step 8 When you are done making changes to the domain structure and all devices are associated with leaf domains, click Save to implement your changes.
Step 9 If prompted, make additional changes:
• If you changed a leaf domain to a parent domain, move or delete the old network map; see Moving Data Between Domains, on page 200 .
• If you moved devices between domains and must assign new policies and security zones or interface groups, see Moving Devices Between Domains, on page 201 .
What to do next
• Configure user roles and policies (access control, network discovery, and so on) for any new domains. Update device properties as needed.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide .
Moving Data Between Domains
Because events and network maps are associated with leaf domains, when you change a leaf domain to a parent domain, you have two choices:
• Move the network map and associated events to a new leaf domain.
• Delete the network map but retain the events. In this case, the events remain associated with the parent domain until the system prunes events as needed or as configured. Or, you can delete old events manually.
Before you begin
Implement a domain configuration where a former leaf domain is now a parent domain; see Managing Domains, on page 198 .
Procedure
Step 1 For each former leaf domain that is now a parent domain:
• Choose a new Leaf Domain to inherit the Parent Domain 's events and network map.
• Choose None to delete the parent domain's network map, but retain old events.
Step 2 Click Save .
What to do next
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide .
Moving Devices Between Domains
You can move devices between domains when you are in the global domain or a second-level domain. Moving a device between domains can affect the configurations and policies applied to the device. The system automatically retains and updates what it can. It deletes what it cannot update, namely object overrides, dynamic routing configuration, static routes, the IP pool associated with the diagnostic interface, and DDNS.
When you assign a remote access VPN policy to a device, you can move the device from one domain to another, only if the target domain is a descendant of the domain in which remote access VPN is configured.
You can move the device into any child domain without deleting the enrolled certificate on the device.
Specifically:
• If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new health policy.
• If the access control policy assigned to a moved device is not valid or accessible in the new domain, choose a new policy. Every device must have an assigned access control policy.
• If the interfaces on the moved device belong to a security zone that is inaccessible in the new domain, you can choose a new zone.
• Interfaces are removed from:
• Security zones that are inaccessible in the new domain and not used in an access control policy.
• All interface groups.
If devices require a policy update but you do not need to move interfaces between zones, the system displays a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a security zone configured in a common ancestor domain, you do not need to update zone configurations when you move devices from subdomain to subdomain.
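The outcomes listed above can be worked through for a concrete move. The following is an added illustration, not management center code: it assumes that a policy or zone is accessible in a domain when it was created in that domain or in one of its ancestors (the "common ancestor" case in the text), that "used in an access control policy" refers to the device's assigned policy, and it uses a constructed hierarchy, constructed object names (acp-edge, hp-edge, zone-dmz, and so on) and constructed devices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed hierarchy (child -> parent) and the domain each object was created in.
PARENTS = {"Global": None, "CustomerA": "Global",
           "CustomerA-Edge": "CustomerA", "CustomerA-Internal": "CustomerA"}
OBJECT_DOMAIN = {"acp-shared": "Global", "acp-edge": "CustomerA-Edge",
                 "hp-default": "Global", "hp-edge": "CustomerA-Edge",
                 "zone-wan": "CustomerA", "zone-dmz": "CustomerA-Edge"}
ACP_ZONES = {"acp-shared": {"zone-wan"}, "acp-edge": {"zone-wan", "zone-dmz"}}  # zones each ACP uses


@dataclass
class Device:
    name: str
    access_control_policy: str
    health_policy: Optional[str]
    zones: Dict[str, str]            # interface -> security zone
    interface_groups: List[str]


def ancestors_or_self(domain: str) -> List[str]:
    chain = []
    while domain is not None:
        chain.append(domain)
        domain = PARENTS[domain]
    return chain


def accessible(obj: str, domain: str) -> bool:
    """Assumption: an object is usable in a domain if created there or in an ancestor."""
    return OBJECT_DOMAIN[obj] in ancestors_or_self(domain)


def plan_move(dev: Device, new_domain: str) -> dict:
    """What the Move Devices dialog would ask for after moving dev into new_domain."""
    plan = {"required": [], "optional": [], "zone_prompts": [],
            "removed_from_zones": [], "removed_from_groups": list(dev.interface_groups)}
    if not accessible(dev.access_control_policy, new_domain):
        plan["required"].append("access control policy")   # every device must have one
    if dev.health_policy and not accessible(dev.health_policy, new_domain):
        plan["optional"].append("health policy")
    used = ACP_ZONES.get(dev.access_control_policy, set())
    for iface, zone in dev.zones.items():
        if accessible(zone, new_domain):
            continue                                 # e.g. a zone from a common ancestor
        if zone in used:
            plan["zone_prompts"].append(iface)       # choose a new zone, or None to assign later
        else:
            plan["removed_from_zones"].append((iface, zone))
    plan["zones_up_to_date"] = not (plan["zone_prompts"] or plan["removed_from_zones"])
    return plan


# Constructed devices: one built entirely from objects created in its own leaf domain,
# one using only objects from ancestor domains.
EDGE_DEVICE = Device("ftd-edge-1", "acp-edge", "hp-edge",
                     {"GigabitEthernet0/0": "zone-wan", "GigabitEthernet0/1": "zone-dmz"}, ["grp-edge"])
SHARED_DEVICE = Device("ftd-edge-2", "acp-shared", "hp-default", {"GigabitEthernet0/0": "zone-wan"}, [])
```

Moving EDGE_DEVICE from CustomerA-Edge to CustomerA-Internal forces a new access control policy, offers a new health policy, prompts for a zone on the interface in zone-dmz, leaves the interface in zone-wan alone because that zone lives in the common ancestor CustomerA, and removes the device's interfaces from all interface groups; moving SHARED_DEVICE needs nothing, which is the "zone configurations are up to date" case.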
Before you begin
• Implement a domain configuration where you moved a device from domain to domain and now must assign new policies and security zones; see Managing Domains, on page 198 .
Procedure
Step 1 In the Move Devices dialog box, under Select Device(s) to Configure , check the device you want to configure. Check multiple devices to assign the same health and access control policies.
Step 2 Choose an Access Control Policy to apply to the device, or choose New Policy to create a new policy.
Step 3 Choose a Health Policy to apply to the device, or choose None to leave the device without a health policy.
Step 4 If prompted to assign interfaces to new zones, choose a New Security Zone for each listed interface, or choose None to assign it later.
Step 5 After you configure all affected devices, click Save to save policy and zone assignments.
Step 6 Click Save to implement the domain configuration.
What to do next
• Update other configurations on the moved device that were affected by the move.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide .
History for Domain Management
Feature: Increased maximum number of supported domains
Version: 6.5
Details: You can now add up to 100 domains. Previously, the maximum was 50 domains. Supported platforms: Secure Firewall Management Center.
Chapter 6: Updates
The following topics explain how to update Firepower deployments:
• About System Updates, on page 203
• Requirements and Prerequisites for System Updates, on page 205
• Guidelines and Limitations for System Updates, on page 205
• Upgrade System Software, on page 206
• Update the Vulnerability Database (VDB), on page 206
• Update the Geolocation Database, on page 208
• Update Intrusion Rules, on page 210
• Maintain Your Air-Gapped Deployment, on page 219
• History for System Updates, on page 220
About System Updates
You can use the management center to upgrade the system software for itself and the devices it manages. You can also update various databases and feeds that provide advanced services.
For management centers with internet access, the system can often obtain updates directly from Cisco. We recommend you schedule or enable automatic updates whenever possible. Some updates are auto-enabled by the initial setup process or when you enable the related feature. Other updates you must schedule yourself.
After initial setup, we recommend you review all auto-updates and adjust them if necessary.
Table 8: Upgrades and Updates

Component: System software
Description: Major software releases contain new features, functionality, and enhancements. They may include infrastructure or architectural changes. Maintenance releases contain general bug and security related fixes. Behavior changes are rare, and are related to those fixes. Patches are on-demand updates limited to critical fixes with time urgency. Hotfixes can address specific customer issues.
Direct Download: Select releases only, usually some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors.
Schedule: Patches only, on System ( ) > Tools > Scheduling .
Uninstall: Patches only.
Revert/Reimage: Major and maintenance releases only.
See: Upgrade System Software, on page 206

Component: Vulnerability database (VDB)
Description: The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.
Direct Download: Yes.
Schedule: Yes, on System ( ) > Tools > Scheduling .
Uninstall: No.
See: Update the Vulnerability Database (VDB), on page 206

Component: Geolocation database (GeoDB)
Description: The Cisco geolocation database (GeoDB) is a database of geographical and connection-related data associated with routable IP addresses.
Direct Download: Yes.
Schedule: Yes, on System ( ) > Updates .
Uninstall: No.
See: Update the Geolocation Database, on page 208

Component: Intrusion rules (SRU/LSP)
Description: Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.
Direct Download: Yes.
Schedule: Yes, on System ( ) > Updates .
Uninstall: No.
See: Update Intrusion Rules, on page 210

Component: Security Intelligence feeds
Description: Security Intelligence feeds are collections of IP addresses, domain names, and URLs that you can use to quickly filter traffic that matches an entry.
Direct Download: Yes.
Schedule: Yes, on Objects > Object Management .
Uninstall: No.
See: Cisco Secure Firewall Management Center Device Configuration Guide

Component: URL categories and reputations
Description: URL filtering allows you to control access to websites based on the URL’s general classification (category) and risk level (reputation).
Direct Download: Yes.
Schedule: Yes, on Integration > Cloud Services or System ( ) > Tools > Scheduling , depending on your requirements.
Uninstall: No.
See: Cisco Secure Firewall Management Center Device Configuration Guide
Requirements and Prerequisites for System Updates
Model Support
Any
Supported Domains
Global unless indicated otherwise.
User Roles
Admin
Guidelines and Limitations for System Updates
Before You Update
Before you update any component of your Firepower deployment (including intrusion rules, VDB, or GeoDB), read the release notes or advisory text that accompanies the update. These provide critical and release-specific information, including compatibility, prerequisites, new capabilities, behavior changes, and warnings.
Scheduled Updates
The system schedules tasks — including updates — in UTC. This means that when they occur locally depends on the date and your specific location. Also, because updates are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled updates occur one hour "later" in the summer than in the winter, according to local time.
Important We strongly recommend you review scheduled updates to be sure they occur when you intend.
Bandwidth Guidelines
To upgrade a Firepower appliance (or perform a readiness check), the upgrade package must be on the appliance. Firepower upgrade package sizes vary. Make sure you have the bandwidth to perform a large data transfer to your managed devices. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).
Upgrade System Software
This guide does not contain detailed upgrade instructions for either system software or companion operating systems. Instead, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version.
For information on scheduling downloads and installations for system software patches, see
After setup, you should review the auto-scheduled configurations and adjust them if necessary.
Update the Vulnerability Database (VDB)
The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.
Cisco issues periodic updates to the VDB. The time it takes to update the VDB and its associated mappings on the Secure Firewall Management Center depends on the number of hosts in your network map. As a rule of thumb, divide the number of hosts by 1000 to determine the approximate number of minutes to perform the update.
When you set up a new or reimaged management center, the system automatically attempts to update the vulnerability database (VDB). This is a one-time operation. If the management center has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations.
Caution In most cases, the first deploy after updating the VDB restarts the Snort process on managed devices. The system warns you that this can happen — warnings can appear after manual VDB updates, when you schedule VDB updates, during background VDB updates, when you deploy, and so on. Snort restarts cause an interruption in traffic inspection and, depending on how the managed device handles traffic, possibly interrupt traffic flow. For more information, see Snort Restart Traffic Behavior .
Manually Update the VDB
To update the VDB, the VDB update package must be on the management center.
If the management center cannot access the internet, or you want to manually upload the VDB update to the management center, use this procedure. To automate VDB updates, use task scheduling ( System ( ) > Tools > Scheduling ). For details, see Vulnerability Database Update Automation, on page 465 .
Before you begin
• Download the update from https://www.cisco.com/go/firepower-software .
Note Beginning with VDB Release 343, all application detector information is available through Cisco Secure Firewall Application Detectors . This site includes a searchable database of application detectors. The release notes provide information on changes for a particular VDB release.
• Consider the update's effect on traffic flow and inspection due to Snort restarts. We recommend performing updates in a maintenance window.
Procedure
Step 1 Choose System ( ) > Updates , then click Product Updates .
Step 2 Choose how you want to upload the VDB update to the management center.
• Download directly from Cisco.com: Click Download Updates . If it can access the Cisco Support & Download site, the management center downloads the latest VDB. Note that the management center also downloads a package for each patch and hotfix (but not major release) associated with the version your appliances are currently running.
• Upload manually: Click Upload Update , then Choose File . Browse to the update you downloaded earlier, and click Upload .
VDB updates appear on the same page as Firepower software upgrade and uninstaller packages.
Step 3 Install the update.
a) Click Install next to the Vulnerability and Fingerprint Database update.
b) Choose the management center.
c) Click Install .
Step 4 (Optional) Monitor update progress in the Message Center.
Do not perform tasks related to mapped vulnerabilities until the update completes. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC.
After the update completes, the system uses the new vulnerability information. However, you must deploy before updated application detectors and operating system fingerprints can take effect.
Step 5 Verify update success.
Choose Help > About to view the current VDB version.
What to do next
Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide .
Schedule VDB Updates
If your management center has internet access, we recommend you schedule regular VDB updates. See Vulnerability Database Update Automation, on page 465 .
Update the Geolocation Database
The geolocation database (GeoDB) is a database that you can leverage to view and filter traffic based on geographical location.
The system comes with an initial GeoDB country code package that maps IP addresses to countries/continents, so that information should always be available. If you update the GeoDB, the system also downloads an IP package with contextual data. This contextual data includes additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. We also issue periodic updates to the GeoDB, and you must regularly update the GeoDB to have accurate geolocation information.
As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring the update fails and the management center has internet access, we recommend you configure regular GeoDB updates as described in Schedule GeoDB Updates, on page 208 .
The time needed to update the GeoDB depends on your appliance, but can take up to 45 minutes depending on the size of the update—for example, if this is the first time you are downloading the full GeoDB. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.
The GeoDB update overrides any previous versions of the GeoDB and is effective immediately. When you update the GeoDB, the management center automatically updates the related data on its managed devices. It may take a few minutes for a GeoDB update to take effect throughout your deployment. You do not need to re-deploy after you update.
The System ( ) > Updates > Geolocation Updates page and the Help ( ) > About page both list the current version.
Schedule GeoDB Updates
As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring the update fails and the management center has internet access, we recommend you configure regular GeoDB updates as described in this procedure.
Before you begin
Make sure the management center can access the internet.
Procedure
Step 1 Choose System ( ) > Updates > Geolocation Updates .
Step 2 Under Recurring Geolocation Updates, check Enable Recurring Weekly Updates from the Support Site .
Step 3 Specify the Update Start Time .
Step 4 Click Save .
Manually Update the GeoDB (Internet Connection)
Use this procedure to perform an on-demand update of the GeoDB if the management center has internet access.
Procedure
Step 1 Choose System ( ) > Updates > Geolocation Updates .
Step 2 Under One-Time Geolocation Update, choose Download and install geolocation update from the Support Site .
Step 3 Click Import .
You can monitor update progress in the Message Center.
Step 4 Verify update success.
The Geolocation Updates page and the Help ( ) > About page both list the current version.
Manually Update the GeoDB (No Internet Connection)
Use this procedure to perform an on-demand update of the GeoDB if the management center does not have internet access.
Procedure
Step 1 Download the GeoDB from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software .
Select or search for your model (or choose any model—you use the same GeoDB for all management centers), then browse to the Coverage and Content Updates page. Make sure you download both the country code and the IP packages.
Step 2 Choose System ( ) > Updates > Geolocation Updates .
Step 3 Under One-Time Geolocation Update, choose Upload and install geolocation update .
Step 4 Click Choose File , then browse to the country code package you downloaded earlier.
Step 5 Click Import .
You can monitor update progress in the Message Center.
Step 6 Repeat steps 4 and 5 for the IP package.
Step 7 Verify update success.
The Geolocation Updates page and the Help ( ) > About page both list the current version.
Update Intrusion Rules
As new vulnerabilities become known, the Talos Intelligence Group releases intrusion rule updates that you can import onto your Secure Firewall Management Center, and then implement by deploying the changed configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.
Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot import an intrusion rule update that either matches or predates the version of the currently installed rules.
An intrusion rule update may provide the following:
• New and modified rules and rule states —Rule updates provide new and updated intrusion and preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy.
For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled in the Connectivity over Security intrusion policy. Rule updates may also change the default state of existing rules, or delete existing rules entirely.
• New rule categories —Rule updates may include new rule categories, which are always added.
• Modified preprocessor and advanced settings —Rule updates may change the advanced settings in the system-provided intrusion policies and the preprocessor settings in system-provided network analysis policies. They can also update default values for the advanced preprocessing and performance options in your access control policies.
• New and modified variables —Rule updates may modify default values for existing default variables, but do not override your changes. New variables are always added.
In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion rule updates from Talos in the Global domain only.
Understanding When Intrusion Rule Updates Modify Policies
Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all access control policies:
• system provided —Changes to system-provided network analysis and intrusion policies, as well as any changes to advanced access control settings, automatically take effect when you re-deploy the policies after the update.
• custom —Because every custom network analysis and intrusion policy uses a system-provided policy as its base, or as the eventual base in a policy chain, rule updates can affect custom network analysis and intrusion policies. However, you can prevent rule updates from automatically making those changes.
This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to system-provided policies do not override any settings you customized.
Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For your convenience, the Rule Updates page lists policies with cached changes and the users who made those changes.
Deploying Intrusion Rule Updates
For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing a rule update, you can configure the system to automatically redeploy to affected devices. This approach is especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.
Recurring Intrusion Rule Updates
You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page.
If your deployment includes a high availability pair of Secure Firewall Management Centers, import the update on the primary only. The secondary Secure Firewall Management Center receives the rule update as part of the regular synchronization process.
Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base policy update, and configuration deploy. When one subtask completes, the next subtask begins.
At the scheduled time, the system installs the rule update and deploys the changed configuration as you specified in the previous step. You can log off or use the web interface to perform other tasks before or during the import. When accessed during an import, the Rule Update Log displays a Red Status icon, and you can view messages as they occur in the Rule Update Log detailed view. Depending on the rule update size and content, several minutes may pass before status messages appear.
As a part of initial configuration the system configures a daily automatic intrusion rule update from the Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies.) If configuring the update fails and the management center has internet access, we recommend you configure regular intrusion rule updates as described in
Importing Local Intrusion Rules
A local intrusion rule is a custom standard text rule that you import from a local machine as a plain text file with ASCII or UTF-8 encoding. You can create local rules using the instructions in the Snort users manual, which is available at http://www.snort.org.
In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.
Update Intrusion Rules One-Time Manually
Import a new intrusion rule update manually if your Secure Firewall Management Center does not have Internet access.
Procedure
Step 1 Manually download the update from the Cisco Support Site (http://www.cisco.com/cisco/web/support/index.html).
Step 2 Choose System > Updates, then click Rule Updates.
Step 3 If you want to move all user-defined rules that you have created or imported to the deleted folder, you must click Delete All Local Rules in the toolbar, then click OK.
Step 4 Choose Rule Update or text rule file to upload and install and click Browse to navigate to and choose the rule update file.
Step 5 If you want to automatically re-deploy policies to your managed devices after the update completes, choose Reapply all policies after the rule update import completes.
Step 6 Click Import. The system installs the rule update and displays the Rule Update Log detailed view.
Note Contact Support if you receive an error message while installing the rule update.
Update Intrusion Rules One-Time Automatically
Note This section applies only to Snort 2.
To import a new intrusion rule update automatically, your appliance must have Internet access to connect to the Support Site.
Before you begin
• Ensure the management center has internet access; see Security, Internet Access, and Communication.
Procedure
Step 1 Choose System > Updates.
Note You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2 Click Rule Updates.
Step 3 If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.
Step 4 Choose Download new Rule Update from the Support Site.
Step 5 If you want to automatically re-deploy the changed configuration to managed devices after the update completes, check the Reapply all policies after the rule update import completes check box.
Step 6 Click Import.
The system installs the rule update and displays the Rule Update Log detailed view.
Caution Contact Support if you receive an error message while installing the rule update.
Schedule Intrusion Rule Updates
Note This section applies only to Snort 2.
As a part of initial configuration the system configures a daily automatic intrusion rule update from the Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies.) If configuring the update fails and the management center has internet access, we recommend you configure regular intrusion rule updates as described in this section.
Procedure
Step 1 Choose System > Updates.
Note You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2 Click Rule Updates.
Step 3 If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.
Step 4 Check the Enable Recurring Rule Update Imports from the Support Site check box.
Import status messages appear beneath the Recurring Rule Update Imports section heading.
Step 5 In the Import Frequency field, specify:
• The frequency of the update (Daily, Weekly, or Monthly)
• The day of the week or month you want the update to occur
• The time you want the update to start
Step 6 If you want to automatically re-deploy the changed configuration to your managed devices after the update completes, check the Deploy updated policies to targeted devices after rule update completes check box.
Step 7 Click Save.
Caution Contact Support if you receive an error message while installing the intrusion rule update.
The status message under the Recurring Rule Update Imports section heading changes to indicate that the rule update has not yet run.
Best Practices for Importing Local Intrusion Rules
Observe the following guidelines when importing a local rule file:
• The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or UTF-8.
• The text file name can include alphanumeric characters, spaces, and no special characters other than underscore (_), period (.), and dash (-).
• The system imports local rules preceded with a single pound character (#), but they are flagged as deleted.
• The system imports local rules preceded with a single pound character (#), and does not import local rules preceded with two pound characters (##).
• Rules cannot contain any escape characters.
• In a multidomain deployment, the system assigns a GID of 1 to a rule imported into or created in the Global domain, and a domain-specific GID between 1000 and 2000 for all other domains.
• You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only GID 1 for a standard text rule.
• When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of 1000000 or greater, and a revision number of 1.
If you must import rules with SIDs, a SID can be any unique number 1,000,000 or greater.
In a multidomain deployment, if multiple administrators are importing local rules at the same time, SIDs within an individual domain might appear to be non-sequential because the system assigned the intervening numbers in the sequence to another domain.
• When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number. You can determine the revision number for a current or deleted rule by editing the rule.
Note The system automatically increments the revision number when you delete a local rule; this mechanism is what allows you to reinstate local rules. All deleted local rules are moved from the local rule category to the deleted rule category.
• Import local rules on the primary management center in a high availability pair to avoid SID numbering issues.
• The import fails if a rule contains any of the following:
  • A SID greater than 2147483647.
  • A list of source or destination ports that is longer than 64 characters.
  • When importing into the Global domain in a multidomain deployment, a GID:SID combination that uses GID 1 and a SID that already exists in another domain; this indicates that the combination existed before Version 6.2.1. You can reimport the rule using GID 1 and a unique SID.
• Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.
• All imported local rules are automatically saved in the local rule category.
• The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.
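The guidelines above can be checked locally before a file is uploaded on the Rule Updates page. The script below is an added example, not code from the Cisco guide or from the management center: it lints a local rule file against the constraints listed above (ASCII/UTF-8 encoding, file name characters, the '#' and '##' prefixes, escape characters, GID 1, the SID range, the 64-character port-list limit) and reports SID/revision collisions both within the file and against EXISTING_RULES, an assumed inventory mapping (GID, SID) to the current revision of local rules already on the management center, which you would fill in from the rule editor. SAMPLE_RULES is a constructed rule file used to exercise every check.

```python
# Added example (not Cisco's code): pre-import lint for a local Snort text-rule
# file against the guidelines in "Best Practices for Importing Local Intrusion Rules".
import re
from typing import Optional

SID_MIN = 1_000_000         # lowest SID the importer accepts for a custom rule
SID_MAX = 2_147_483_647     # the import fails for SIDs above this value
PORT_LIST_MAX = 64          # longest allowed source/destination port list (characters)
FILENAME_RE = re.compile(r"^[A-Za-z0-9 _.-]+$")
# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
IDENT_RE = re.compile(r"\b(gid|sid|rev)\s*:\s*(\d+)\s*;")


def read_rule_file(path: str) -> str:
    """Read the file as UTF-8 (ASCII is a subset); reject any other encoding."""
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"{path}: rule files must be ASCII or UTF-8 encoded") from exc


def lint_rule_file(text: str, filename: str = "local.rules",
                   existing: Optional[dict] = None) -> list[str]:
    """Return findings as 'LEVEL line N: message' strings; an empty list means clean.
    `existing` is an assumed inventory {(gid, sid): current rev} of local rules
    already on the management center, used only for the revision-number rule."""
    existing = existing or {}
    findings: list[str] = []
    if not FILENAME_RE.match(filename):
        findings.append(f"ERROR file name {filename!r}: only letters, digits, spaces, '_', '.', '-' allowed")
    seen: dict = {}  # (gid, sid) -> (rev, line) seen earlier in this file
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("##"):
            findings.append(f"WARN line {lineno}: '##' prefix, the rule is not imported")
            continue
        if line.startswith("#"):  # imported, but placed in the deleted rule category
            findings.append(f"INFO line {lineno}: '#' prefix, the rule is imported flagged as deleted")
            line = line[1:].lstrip()
        if "\\" in line:
            findings.append(f"ERROR line {lineno}: escape character (backslash) is not allowed")
        m = HEADER_RE.match(line)
        if not m:
            findings.append(f"ERROR line {lineno}: not a parseable Snort rule")
            continue
        for side, ports in (("source", m.group(4)), ("destination", m.group(7))):
            if len(ports) > PORT_LIST_MAX:
                findings.append(f"ERROR line {lineno}: {side} port list is {len(ports)} characters (limit {PORT_LIST_MAX})")
        idents = {k: int(v) for k, v in IDENT_RE.findall(m.group(8))}
        gid, sid, rev = idents.get("gid", 1), idents.get("sid"), idents.get("rev")
        if gid != 1:
            findings.append(f"ERROR line {lineno}: gid:{gid}; specify only GID 1 (or omit it) for a text rule")
        if sid is None:  # first-time import: the system assigns the next free SID and rev 1
            findings.append(f"INFO line {lineno}: no sid; the system assigns a SID >= {SID_MIN} and rev 1")
            continue
        if not SID_MIN <= sid <= SID_MAX:
            findings.append(f"ERROR line {lineno}: sid:{sid} is outside {SID_MIN}..{SID_MAX}")
        key = (gid, sid)
        if key in seen:
            prev_rev, prev_line = seen[key]
            level, what = ("ERROR", "the same rev (collision)") if prev_rev == rev else ("WARN", "a different rev")
            findings.append(f"{level} line {lineno}: {gid}:{sid} also on line {prev_line} with {what}")
        seen[key] = (rev, lineno)
        current = existing.get(key)
        if current is not None and (rev is None or rev <= current):
            findings.append(f"ERROR line {lineno}: {gid}:{sid} exists at rev {current}; an update needs a higher rev")
    return findings


def has_errors(findings: list[str]) -> bool:
    return any(f.startswith("ERROR") for f in findings)


# Constructed sample rule file and inventory (not taken from the guide).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example 1"; content:"example"; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example 2"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example 3"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL example 4"; sid:999; rev:1;)
# alert udp any any -> any 53 (msg:"LOCAL retired"; sid:1000002; rev:3;)
## alert icmp any any -> any any (msg:"LOCAL ignored"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"LOCAL bad escape \\"x"; sid:1000004; rev:1;)
"""
EXISTING_RULES = {(1, 1000002): 3}  # assumed: rule 1:1000002 is already on the box at rev 3


def run_sample() -> list[str]:
    return lint_rule_file(SAMPLE_RULES, "local_rules.txt", EXISTING_RULES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it as a script to lint the constructed sample; for a real file, call lint_rule_file(read_rule_file(path), os.path.basename(path), existing) and hold the upload while has_errors() is true. INFO entries are informational (a rule with no SID is the recommended first-import form and gets the next free SID and rev 1); ERROR entries correspond to the conditions the guidelines say make the import fail or make a rule collide with one already on the management center.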
Import Local Intrusion Rules
• Make sure your local rule file follows the guidelines described in Best Practices for Importing Local Intrusion Rules, on page 213.
• Make sure your process for importing local intrusion rules complies with your security policies.
• Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend scheduling rule updates during maintenance windows.
• You can perform this task in any domain.
Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category in a disabled state.
Procedure
Step 1 Choose System > Updates, then click Rule Updates.
Step 2 (Optional) Delete existing local rules.
Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules to the deleted folder.
Step 3 Under One-Time Rule Update/Rules Import, choose Rule update or text rule file to upload and install, then click Choose File and browse to your local rule file.
Step 4 Click Import.
Step 5 Monitor import progress in the Message Center.
To display the Message Center, click System Status on the menu bar. Even if the Message Center shows no progress for several minutes or indicates that the import has failed, do not restart the import. Instead, contact Cisco TAC.
What to do next
• Edit intrusion policies and enable the rules you imported.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.
Rule Update Log
The Secure Firewall Management Center generates a record for each rule update and local rule file that you import.
Each record includes a time stamp, the name of the user who imported the file, and a status icon indicating whether the import succeeded or failed. You can maintain a list of all rule updates and local rule files that you import, delete any record from the list, and access detailed records for all imported rules and rule update components.
The Rule Update Import Log detailed view lists a detailed record for each object imported in a rule update or local rule file. You can also create a custom workflow or report from the records listed that includes only the information that matches your specific needs.
Intrusion Rule Update Log Table
Table 9: Intrusion Rule Update Log Fields
Summary: The name of the import file. If the import fails, a brief statement of the reason for the failure appears under the file name.
Time: The time and date that the import started.
User ID: The user name of the user that triggered the import.
Status: Whether the import:
• Succeeded (green icon)
• Failed or is currently in progress (Red Status icon)
The red status icon indicating an unsuccessful or incomplete import appears on the Rule Update Log page during the import and is replaced by the green icon only when the import has successfully completed.
Tip You can view import details as they appear while an intrusion rule update import is in progress.
Viewing the Intrusion Rule Update Log
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Procedure
Step 1 Choose System > Updates.
Tip You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2 Click Rule Updates.
Step 3 Click Rule Update Log.
Step 4 You have two options:
• View—To view details for each object imported in a rule update or local rule file, click View next to the file you want to view; see Viewing Details of the Intrusion Rule Update Import Log, on page 218.
• Delete—To delete an import file record from the import log, including detailed records for all objects included with the file, click Delete next to the import file name.
Note Deleting the file from the log does not delete any object imported in the import file, but only deletes the import log records.
Fields in an Intrusion Rule Update Log
Tip You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.
Table 10: Rule Update Import Log Detailed View Fields
Action: An indication that one of the following has occurred for the object type:
• new (for a rule, this is the first time the rule has been stored on this appliance)
• changed (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID)
• collision (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule on the appliance)
• deleted (for rules, the rule has been deleted from the rule update)
• enabled (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system)
• disabled (for rules, the rule has been disabled in a default policy provided with the system)
• drop (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system)
• error (for a rule update or local rule file, the import failed)
• apply (the Reapply all policies after the rule update import completes option was enabled for the import)
Default Action: The default action defined by the rule update. When the imported object type is rule, the default action is Pass, Alert, or Drop. For all other imported object types, there is no default action.
Details: A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed rule, displayed as previously (GID:SID:Rev). This field is blank for a rule that has not changed.
Domain: The domain whose intrusion policies can use the updated rule. Intrusion policies in descendant domains can also use the rule. This field is only present in a multidomain deployment.
GID: The generator ID for a rule. For example, 1 (standard text rule, Global domain or legacy GID) or 3 (shared object rule).
Name: The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.
Policy: For imported rules, this field displays All. This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.
Rev: The revision number for a rule.
Rule Update: The rule update file name.
SID: The SID for a rule.
Time: The time and date the import began.
Type: The type of imported object, which can be one of the following:
• rule update component (an imported component such as a rule pack or policy pack)
• rule (for rules, a new or updated rule; note that in Version 5.0.1 this value replaced the update value, which is deprecated)
• policy apply (the Reapply all policies after the rule update import completes option was enabled for the import)
Count: The count (1) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.
Viewing Details of the Intrusion Rule Update Import Log
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Procedure
Step 1 Choose System > Updates.
Tip You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2 Click Rule Updates.
Step 3 Click Rule Update Log.
Step 4 Click View next to the file whose detailed records you want to view.
Step 5 You can take any of the following actions:
• Bookmark—To bookmark the current page, click Bookmark This Page.
• Edit Search—To open a search page prepopulated with the current single constraint, choose Edit Search or Save Search next to Search Constraints.
• Manage bookmarks—To navigate to the bookmark management page, click Report Designer.
• Report—To generate a report based on the data in the current view, click Report Designer.
• Search—To search the entire Rule Update Import Log database for rule update import records, click Search.
• Sort—To sort and constrain records on the current workflow page, see Using Drill-Down Pages, on page for more information.
• Switch workflows—To temporarily use a different workflow, click (switch workflows).
Maintain Your Air-Gapped Deployment
If your management center is not connected to the internet, essential updates will not occur automatically.
You must manually obtain and install these updates. See the following information:
• Manually Update the VDB, on page 206
• Update Intrusion Rules One-Time Manually, on page 211
• Manually Update the GeoDB (No Internet Connection), on page 209
• The upgrade guide at https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide.html
History for System Updates
Feature: Copy upgrade packages ("peer-to-peer sync") from device to device.
Version: 7.2
Details: Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 concurrent package transfers.
This feature is supported for Version 7.2+ standalone devices managed by the same standalone management center. It is not supported for:
• Container instances.
• Device high availability pairs and clusters.
Note that Version 7.1+ group members can get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.
• Devices managed by high availability management centers.
• Devices in different domains, or devices separated by a NAT gateway.
• CDO-managed devices added to the management center in analytics mode.
• Devices upgrading from Version 7.1 or earlier, regardless of management center version.
New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status

Feature: Auto-upgrade to Snort 3 after successful threat defense upgrade.
Version: 7.2
Details: When you use a Version 7.2+ management center to upgrade threat defense, you can now choose whether to Upgrade Snort 2 to Snort 3.
After the software upgrade, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.
This option is supported for major and maintenance threat defense upgrades to Version 7.2+. It is not supported for threat defense upgrades to Version 7.0 or 7.1, or for patches to any version.
Feature: Upgrade for single-node clusters.
Version: 7.2
Details: You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System > Updates).
Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.
Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Feature: Revert threat defense upgrades from the CLI.
Version: 7.2
Details: You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.
Caution Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.
New/modified CLI commands: upgrade revert, show upgrade revert-info.

Feature: GeoDB is split into two packages.
Version: 7.2
Details: In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.
If your Version 7.2+ management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains and imports both packages. However, if you manually download updates—for example, in an air-gapped deployment—make sure you get and import both GeoDB packages:
• Country code package: Cisco_GEODB_Update-<date>-<build>.sh.REL.tar
• IP package: Cisco_IP_GEODB_Update-<date>-<build>.sh.REL.tar
The Geolocation Updates (System > Updates > Geolocation Updates) page and the About page (Help > About) list the versions of the packages currently being used by the system.

Feature: Upgrade does not automatically generate troubleshooting files.
Version: 7.2
Details: To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.
To manually generate troubleshooting files for the management center, choose System > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.
Feature: Revert a successful device upgrade.
Version: 7.1
Details: You can now revert major and maintenance upgrades to threat defense from the management center web interface. Reverting returns the software to its state just before the last upgrade, also called a snapshot. Reverting after patching necessarily removes patches as well.
If you think you might need to revert, you must use the System > Updates page to upgrade threat defense. The System Updates page is the only place you can enable the Enable revert after successful upgrade option, which configures the system to save a revert snapshot when you initiate the upgrade. This is in contrast to our usual recommendation to use the wizard on the Devices > Device Upgrade page.
This is not supported for container instances on the Firepower 4100/9300.

Feature: Improvements to the upgrade workflow for clustered and high availability devices.
Version: 7.1
Details: The threat defense upgrade wizard now correctly displays clustered and high availability units as groups, rather than as individual devices. The system can identify, report, and preemptively require fixes for group-related issues you might have. For example, you cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes on chassis manager.
You can also specify the upgrade order of data units in a cluster.

Feature: Improved threat defense upgrade performance and status reporting.
Version: 7.0
Details: Upgrading threat defense is now easier, faster, more reliable, and takes up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting.
Feature: Easy-to-follow threat defense upgrade workflow.
Version: 7.0
Details: A new device upgrade page (Devices > Device Upgrade) provides an easy-to-follow workflow for upgrading Version 6.4+ threat defense.
The system walks you through important pre-upgrade stages, including:
• Selecting devices to upgrade.
• Copying the upgrade package to the devices.
• Compatibility and readiness checks.
To begin, use the new Upgrade Firepower Software action on the Device Management page (Devices > Device Management > Select Action).
Note You must still use the System Updates page (System > Updates) to upload or specify the location of threat defense upgrade packages. You must also use the System Updates page to upgrade the management center itself, as well as all non-threat defense managed devices.
As you proceed with the upgrade workflow, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the workflow, it does not appear in the next stage.
If you navigate away from the workflow, your progress is preserved, although other users with Administrator access can reset, modify, or continue the workflow.
Note In Version 7.0, the Device Upgrade page does not correctly display devices in clusters or high availability pairs. Even though you must select and upgrade these devices as a unit, the workflow displays them as standalone devices.
Device status and upgrade readiness are evaluated and reported on an individual basis. This means it is possible for one unit to appear to "pass" to the next stage while the other unit or units do not. However, these devices are still grouped. Running a readiness check on one runs it on all. Starting the upgrade on one starts it on all.
To avoid possible time-consuming upgrade failures, manually ensure all group members are ready to move on to the next step of the workflow before you click Next.
Feature: Upgrade more threat defense devices at once.
Version: 7.0
Details: The threat defense upgrade workflow lifts the following restrictions:
• Simultaneous device upgrades.
The number of devices you can upgrade at once is now limited by your management network bandwidth—not the system's ability to manage simultaneous upgrades.
Previously, we recommended against upgrading more than five devices at a time.
Important Only upgrades to threat defense Version 6.7+ see this improvement. If you are upgrading devices to an older threat defense release—even if you are using the new upgrade workflow—we still recommend you limit to five devices at a time.
• Grouping upgrades by device model.
You can now queue and invoke upgrades for all threat defense models at the same time, as long as the system has access to the appropriate upgrade packages.
Previously, you would choose an upgrade package, then choose the devices to upgrade using that package. That meant that you could upgrade multiple devices at the same time only if they shared an upgrade package. For example, you could upgrade two Firepower 2100 series devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.
Feature Version
Improved threat defense upgrade status reporting and cancel/retry options.
6.7
Upgrades remove PCAP files to save disk space.
Custom intrusion rule import warns when rules collide.
6.7
6.7
Details
You can now view the status of threat defense device upgrades and readiness checks in progress on the Device Management page, as well as a 7-day history of upgrade success/failures. The Message Center also provides enhanced status and error messages.
A new Upgrade Status pop-up, accessible from both Device Management and the
Message Center with a single click, shows detailed upgrade information, including percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs, and so on.
Also on this pop-up, you can manually cancel failed or in-progress upgrades ( Cancel
Upgrade ), or retry failed upgrades ( Retry Upgrade ). Canceling an upgrade reverts the device to its pre-upgrade state.
Note To be able to manually cancel or retry a failed upgrade, you must disable the new auto-cancel option, which appears when you use the management center to upgrade an threat defense device: Automatically cancel on upgrade failure and roll back to the previous version . With the option enabled, the device automatically reverts to its pre-upgrade state upon upgrade failure.
Auto-cancel is not supported for patches. In an HA or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.
New/modified screens:
• System > Update > Product Updates > Available Updates > Install icon for the threat defense upgrade package
• Devices > Device Management > Upgrade
• Message Center > Tasks
New/modified CLI commands: show upgrade status detail , show upgrade status continuous , show upgrade status , upgrade cancel , upgrade retry
Upgrades now remove locally stored PCAP files. You must have enough free disk space or the upgrade fails.
The management center now warns you of rule collisions when you import custom
(local) intrusion rules. Previously, the system would silently skip the rules that cause collisions—with the exception of Version 6.6.0.1, where a rule import with collisions would fail entirely.
On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status column. For more information, hover your pointer over the warning icon and read the tooltip.
Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers; for more best practices, see Practices for Importing Local Intrusion Rules, on page 213.
New/modified screens: We added a warning icon to System > Updates > Rule Updates.
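As an added example (not from the guide), the following Python script performs the SID/revision collision check described above on a set of local rules before you import them, so that a changed rule body that kept its old revision number is caught rather than silently dropped. The rule lines are constructed samples, and the sid/rev parsing is a simplification of Snort rule syntax.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# sid/rev options of a Snort-style rule. This is a deliberate simplification of
# rule syntax: it only pulls out the two values a collision is defined by.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class RuleId:
    sid: int
    rev: int


def parse_rule_id(rule: str) -> Optional[RuleId]:
    """Return the (sid, rev) of one rule line, or None for blank/comment lines.

    A rule without a rev option is treated as rev 1, the conventional default.
    """
    line = rule.strip()
    if not line or line.startswith("#"):
        return None
    sid = SID_RE.search(line)
    if sid is None:
        return None
    rev = REV_RE.search(line)
    return RuleId(int(sid.group(1)), int(rev.group(1)) if rev else 1)


def check_import(existing_rules: Iterable[str],
                 new_rules: Iterable[str]) -> Dict[str, List[RuleId]]:
    """Classify each rule in an import file against the rules already present.

    collision - same SID and same rev as an existing rule; the import would
                not replace it, which is what the rule-update warning flags
    update    - same SID with a higher rev: the intended way to ship a change
    stale     - same SID with a lower rev than what is already installed
    new       - SID not seen before
    """
    installed: Dict[int, int] = {}
    for rule in existing_rules:
        rid = parse_rule_id(rule)
        if rid is not None:
            installed[rid.sid] = max(installed.get(rid.sid, 0), rid.rev)

    report: Dict[str, List[RuleId]] = {
        "collision": [], "update": [], "stale": [], "new": []}
    for rule in new_rules:
        rid = parse_rule_id(rule)
        if rid is None:
            continue
        if rid.sid not in installed:
            report["new"].append(rid)
        elif rid.rev == installed[rid.sid]:
            report["collision"].append(rid)
        elif rid.rev > installed[rid.sid]:
            report["update"].append(rid)
        else:
            report["stale"].append(rid)
    return report


# Constructed sample rules (local rules use SIDs of 1,000,000 and above).
EXISTING_RULES = [
    'alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB probe"; sid:1000001; rev:2;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 3389 (msg:"LOCAL RDP scan"; sid:1000004; rev:3;)',
]
NEW_RULES = [
    "# revised local rules",
    # body changed but rev left at 2: collision, the change would be dropped
    'alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB probe"; flow:to_server; sid:1000001; rev:2;)',
    # rev bumped: accepted as an update
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; sid:1000002; rev:2;)',
    # no rev option: treated as rev 1, and the SID is new
    'alert udp any any -> $HOME_NET 53 (msg:"LOCAL DNS tunnel size"; sid:1000003;)',
    # older revision than what is installed
    'alert tcp any any -> $HOME_NET 3389 (msg:"LOCAL RDP scan"; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for category, ids in check_import(EXISTING_RULES, NEW_RULES).items():
        print(f"{category:10s} {[(r.sid, r.rev) for r in ids]}")
```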
Cisco Secure Firewall Management Center Administration Guide, 7.2
225
System Settings
History for System Updates
Feature: Get threat defense upgrade packages from an internal web server.
Version: 6.6
Details: Threat defense devices can now get upgrade packages from your own internal web server, rather than from the management center. This is especially useful if you have limited bandwidth between the management center and its devices. It also saves space on the management center.
Note: This feature is supported only for threat defense devices running Version 6.6+. It is not supported for upgrades to Version 6.6, nor is it supported for the management center or Classic devices.
New/modified screens: We added a Specify software update source option to the page where you upload upgrade packages.

Feature: The management center downloads and installs the latest VDB during initial setup.
Version: 6.6
Details: When you set up a new or reimaged management center, the system automatically attempts to update the vulnerability database (VDB). This is a one-time operation. If the management center has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations.

Feature: The management center schedules software downloads and GeoDB updates during initial setup.
Version: 6.5
Details: When you set up a new or reimaged management center, the system automatically schedules:
• A weekly task to download software updates for the management center and its managed devices.
• Weekly updates for the GeoDB.
The tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur one hour “later” in the summer than in the winter, according to local time. We recommend you review the auto-scheduled configurations and adjust them if necessary.

Feature: Scheduled tasks postponed during management center upgrades.
Version: 6.7, 6.6.3, 6.4.0.10
Details: Scheduled tasks are now postponed during management center upgrades. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note: Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.
Note that this feature is supported for all upgrades from a supported version. This includes Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7+. This feature is not supported for upgrades to a supported version from an unsupported version.
Feature: Signed SRU, VDB, and GeoDB updates.
Version: 6.4
Details: So the system can verify that you are using the correct update files, the system now uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates.
Unless you manually download updates from the Cisco Support & Download site—for example, in an air-gapped deployment—you should not notice any difference in functionality.
If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version. Signed update files begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:
• SRU: Cisco_Firepower_SRU-<date>-<build>-vrt.sh.REL.tar
• VDB: Cisco_VDB_Fingerprint_Database-4.5.0-<version>.sh.REL.tar
• GeoDB: Cisco_GEODB_Update-<date>-<build>.sh.REL.tar
Do not untar signed (.tar) packages.

Feature: Faster upgrade.
Version: 6.4
Details: Improvements to the event database allow faster upgrade.

Feature: Copy upgrade packages to managed devices before the upgrade.
Version: 6.2.3
Details: You can now copy (or push) an upgrade package from the management center to a managed device before you run the actual upgrade. This is useful because you can push during times of low bandwidth use, outside of the upgrade maintenance window.
When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/control/primary first, then to the standby/data/secondary.
New/modified screens: System > Updates

Feature: The management center warns of Snort restart before VDB updates.
Version: 6.2.3
Details: The management center now warns you that Vulnerability Database (VDB) updates restart the Snort process. This interrupts traffic inspection and, depending on how the managed device handles traffic, possibly interrupts traffic flow. You can cancel the install until a more convenient time, such as during a maintenance window.
These warnings can appear:
• After you download and manually install a VDB.
• When you create a scheduled task to install the VDB.
• When the VDB installs in the background, such as during a previously scheduled task or as part of a software upgrade.
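An added example, not from the guide: a Python check for the air-gapped workflow in the Signed SRU, VDB, and GeoDB updates row above, which verifies that a manually downloaded package has the signed naming shape and matches the management center version before anyone tries to install it. The hyphen separators between the date, build and version placeholders, and all sample file names, are assumptions.

```python
import re
from typing import NamedTuple, Optional, Tuple


class UpdateFile(NamedTuple):
    kind: str      # "SRU", "VDB", "GeoDB", or "legacy" for pre-6.4 packages
    signed: bool   # True for the .sh.REL.tar packages used from Version 6.4
    version: str   # date-build (SRU, GeoDB) or build number (VDB) from the name


# Signed package names, following the shapes listed in the table. The hyphen
# separators between the date, build and version placeholders are assumed.
SIGNED_PATTERNS = {
    "SRU": re.compile(
        r"^Cisco_Firepower_SRU-(\d{4}-\d{2}-\d{2}-\d{3})-vrt\.sh\.REL\.tar$"),
    "VDB": re.compile(
        r"^Cisco_VDB_Fingerprint_Database-4\.5\.0-(\d+)\.sh\.REL\.tar$"),
    "GeoDB": re.compile(
        r"^Cisco_GEODB_Update-(\d{4}-\d{2}-\d{2}-\d{3})\.sh\.REL\.tar$"),
}


def classify_update(filename: str) -> Optional[UpdateFile]:
    """Identify an SRU/VDB/GeoDB package from its file name (paths accepted)."""
    name = filename.rsplit("/", 1)[-1]
    for kind, pattern in SIGNED_PATTERNS.items():
        match = pattern.match(name)
        if match:
            return UpdateFile(kind, True, match.group(1))
    # Unsigned packages from earlier versions start with 'Sourcefire' and end in .sh.
    if name.startswith("Sourcefire") and name.endswith(".sh"):
        return UpdateFile("legacy", False, "")
    return None


def check_for_version(filename: str, fmc_version: str) -> Tuple[bool, str]:
    """Decide whether a manually downloaded package fits this management
    center version. Returns (ok, reason)."""
    major, minor = (int(part) for part in fmc_version.split(".")[:2])
    needs_signed = (major, minor) >= (6, 4)
    info = classify_update(filename)
    if info is None:
        # Also catches a .sh pulled out of a signed .tar, which must stay whole.
        return False, "unrecognized package name (use the whole .sh.REL.tar; do not untar)"
    if needs_signed and not info.signed:
        return False, f"Version {fmc_version} needs a signed .sh.REL.tar package, got a legacy .sh"
    if not needs_signed and info.signed:
        return False, f"Version {fmc_version} uses unsigned .sh packages; .sh.REL.tar is for 6.4+"
    return True, f"{info.kind} {info.version}".strip()


# Constructed file names for a quick check; the dates and builds are made up.
SAMPLE_DOWNLOADS = [
    "Cisco_Firepower_SRU-2022-06-01-001-vrt.sh.REL.tar",
    "Cisco_VDB_Fingerprint_Database-4.5.0-353.sh.REL.tar",
    "Cisco_GEODB_Update-2022-05-15-002.sh.REL.tar",
    "Sourcefire_Rule_Update-2018-01-10-001-vrt.sh",
    "Cisco_Firepower_SRU-2022-06-01-001-vrt.sh",   # contents of an untarred package
]

if __name__ == "__main__":
    for name in SAMPLE_DOWNLOADS:
        print(name, "->", check_for_version(name, "7.2"))
```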
CHAPTER 7
Licenses
This chapter provides in-depth information about the different license types, service subscriptions, licensing requirements and more.
Note: The Management Center supports either a Smart License or a legacy PAK (Product Activation Keys) license for its platform license. For more information about using the PAK license, see Configure Legacy Management Center PAK-Based Licenses, on page 271.
• About Licenses, on page 229
• Requirements and Prerequisites for Licensing, on page 245
• Create a Smart Account and Add Licenses, on page 248
• Configure Smart Licensing, on page 249
• Configure Specific License Reservation (SLR), on page 261
• Configure Legacy Management Center PAK-Based Licenses, on page 271
• Additional Information about Licensing, on page 272
• History for Licenses, on page 273
About Licenses
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure—you control what users can access. With Smart Licensing you get:
• Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).
• Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
• License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide
Smart Software Manager and Accounts
When you purchase one or more licenses, you manage them in the Smart Software Manager: https://software.cisco.com/#module/SmartLicensing. The Smart Software Manager lets you create a master account for your organization. If you do not yet have an account, click the link to set up a new account.
By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and devices.
You manage licenses by virtual account. Only that virtual account’s devices can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account.
You can also transfer devices between virtual accounts.
Licensing Options for Air-Gapped Deployments
The following table compares the available licensing options for environments without internet access. Your sales representative may have additional advice for your specific situation.
Table 11: Comparison of Licensing Options for Air-Gapped Networks
Smart Software Manager On-Prem:
• Scalable for a large number of products
• Automated licensing management, usage and asset management visibility
• No incremental operational costs to add devices
• Flexible, easier to use, less overhead
• Out-of-compliance status is allowed initially and at various expiration states
• For more information, see Center with the Smart Software Manager On-Prem, on page 252
Specific License Reservation:
• Best for a small number of devices
• Limited usage and asset management visibility
• Linear operational costs over time to add devices
• Significant administrative and manual overhead for moves, adds, and changes
• Out-of-compliance status impacts system functioning
• For more information, see Configure Specific License Reservation (SLR), on page 261
How Licensing Works for the Management Center and Devices
The management center registers with the Smart Software Manager, and then assigns licenses for each managed device. Devices do not register directly with the Smart Software Manager.
A physical management center does not require a license for its own use. The management center virtual does require a platform license.
Periodic Communication with the Smart Software Manager
In order to maintain your product license entitlement, your product must communicate periodically with the Smart Software Manager.
You use a Product Instance Registration Token to register the management center with the Smart Software Manager. The Smart Software Manager issues an ID certificate for communication between the management center and the Smart Software Manager. This certificate is valid for one year, although it will be renewed every six months. If an ID certificate expires (after a year with no communication), the management center may be removed from your account.
The management center communicates with the Smart Software Manager on a periodic basis. If you make changes in the Smart Software Manager, you can refresh the authorization on the management center so the changes immediately take effect. You also can wait for the management center to communicate as scheduled.
Your management center must either have direct internet access to the Smart Software Manager, or use one of the options described in Licensing Options for Air-Gapped Deployments, on page 230. In non-airgapped deployments, normal license communication occurs every 30 days, but with the grace period, your management center will operate for up to 90 days without calling home. The management center must contact the Smart Software Manager before 90 days have passed, or else it will revert to an unregistered state.
Evaluation Mode
Before the management center registers with the Smart Software Manager, it operates for 90 days in evaluation mode. You can assign feature licenses to managed devices, and they will remain in compliance for the duration of evaluation mode. When this period ends, the management center becomes unregistered.
If you register the management center with the Smart Software Manager, the evaluation mode ends. If you later deregister the management center, you cannot resume evaluation mode, even if you did not initially use all 90 days.
For more information about the unregistered state, see Unregistered State, on page 232.
Note: You cannot receive an evaluation license for Strong Encryption (3DES/AES); you must register with the Smart Software Manager to receive the export-compliance token that enables the Strong Encryption (3DES/AES) license.
Out-of-Compliance State
The management center can become out of compliance in the following situations:
• Over-utilization—When the managed devices or the management center virtual uses unavailable licenses.
• License expiration—When a managed device term-based license expires.
In an out-of-compliance state, the following effects apply:
• Management Center Virtual platform license—Operation is not affected.
• All managed device licenses—Operation is not affected.
After you resolve the licensing problem, the management center will show that it is now in compliance after its regularly scheduled authorization with the Smart Software Manager. To force an authorization, click Re-Authorize on the System > Licenses > Smart Licenses page.
Unregistered State
The management center can become unregistered in the following situations:
• Evaluation mode expiration—Evaluation mode expires after 90 days.
• Manual deregistration of the management center
• Lack of communication with the Smart Software Manager—The management center does not communicate with the Smart Software Manager for 1 year. Note: After 90 days, the management center authorization expires, but it can successfully resume communication within one year to automatically re-authorize.
After a year, the ID certificate expires, and the management center is removed from your account so you will have to manually re-register the management center.
In an unregistered state, the management center cannot deploy any configuration changes to devices for features that require licenses.
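The 90-day evaluation, 30-day call-home, 90-day authorization grace and one-year ID certificate intervals from the Periodic Communication, Evaluation Mode and Unregistered State sections above, worked into an added Python helper (not Cisco code) that derives a management center's licensing state from a few dates, the kind of check a monitoring job would run so a lapse is noticed before deployment is blocked. The dates used in the run are constructed.

```python
from datetime import date
from typing import NamedTuple, Optional

# Intervals taken from the text: 90-day evaluation mode, call-home every
# 30 days, a 90-day authorization grace period, and an ID certificate that
# expires after one year without communication.
EVAL_DAYS = 90
CALL_HOME_DAYS = 30
AUTH_GRACE_DAYS = 90
ID_CERT_DAYS = 365


class LicenseStatus(NamedTuple):
    state: str      # evaluation | authorized | authorization-expired | unregistered
    days_left: int  # days before the next, worse state (0 once unregistered)
    action: str     # what the operator should do now


def license_status(today: date, first_boot: date,
                   registered_on: Optional[date],
                   last_contact: Optional[date]) -> LicenseStatus:
    """Derive the Smart Licensing state of a management center from dates.

    first_boot    - when the new or reimaged management center was set up
    registered_on - when it registered with the Smart Software Manager
                    (None if it never has)
    last_contact  - last successful communication with the Smart Software
                    Manager (None if none since registration)
    """
    if registered_on is None:
        # Never registered: evaluation mode, then unregistered after 90 days.
        left = EVAL_DAYS - (today - first_boot).days
        if left > 0:
            return LicenseStatus("evaluation", left,
                                 "register before evaluation mode ends")
        return LicenseStatus("unregistered", 0,
                             "register with a Product Instance Registration Token")

    silent_days = (today - (last_contact or registered_on)).days
    if silent_days < AUTH_GRACE_DAYS:
        # Still authorized. Flag a missed 30-day call-home early, while the
        # grace period is still running.
        if silent_days < CALL_HOME_DAYS:
            action = "ok"
        else:
            action = "scheduled call-home missed; check connectivity or proxy"
        return LicenseStatus("authorized", AUTH_GRACE_DAYS - silent_days, action)
    if silent_days < ID_CERT_DAYS:
        # Authorization lapsed, but the ID certificate is still valid, so
        # restoring connectivity re-authorizes without re-registration.
        return LicenseStatus("authorization-expired", ID_CERT_DAYS - silent_days,
                             "restore connectivity; re-authorization is automatic")
    return LicenseStatus("unregistered", 0,
                         "ID certificate expired; re-register with a new token")


def license_status_iso(today: str, first_boot: str,
                       registered_on: Optional[str] = None,
                       last_contact: Optional[str] = None) -> LicenseStatus:
    """Same check with ISO date strings, convenient for config files and CLIs."""
    parse = lambda s: date.fromisoformat(s) if s else None
    return license_status(parse(today), parse(first_boot),
                          parse(registered_on), parse(last_contact))


if __name__ == "__main__":
    # Constructed dates for a quick run.
    print(license_status_iso("2022-06-06", "2022-01-01", "2022-01-10", "2022-02-01"))
```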
End-User License Agreement
The Cisco end-user license agreement (EULA) and any applicable supplemental agreement (SEULA) that governs your use of this product are available from http://www.cisco.com/go/softwareterms.
License Types and Restrictions
This section describes the types of licenses available.
Table 12: Smart Licenses
(Columns: License You Assign; Subscription You Purchase; Duration; Granted Capabilities)

License You Assign: Base
Subscription You Purchase: Based on license type
Duration: Perpetual or Subscription
Note: Base subscription licenses are supported only on Threat Defense Virtual. Except for Specific License Reservation and the Secure Firewall 3100, base perpetual licenses are automatically assigned with all threat defenses.
Granted Capabilities: User and application control; switching and routing; NAT. For details, see Base Licenses.

License You Assign: Threat
Subscription You Purchase: T; TC (Threat + URL); TM (Threat + Malware defense); TMC (Threat + Malware defense + URL)
Duration: Subscription
Granted Capabilities: Intrusion detection and prevention; file control; Security Intelligence filtering. For details, see Threat Licenses.

License You Assign: Malware defense
Subscription You Purchase: TM (Threat + Malware defense); TMC (Threat + Malware defense + URL); AMP
Duration: Subscription
Granted Capabilities: Malware defense; Secure Malware Analytics; file storage. For details, see Malware Defense Licenses and License Requirements for File and Malware Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.

License You Assign: URL Filtering
Subscription You Purchase: TC (Threat + URL); TMC (Threat + Malware defense + URL); URL
Duration: Subscription
Granted Capabilities: Category and reputation-based URL filtering. For details, see URL Filtering Licenses.

License You Assign: Management Center Virtual
Subscription You Purchase: Based on license type
Duration: Regular Smart Licensing: Perpetual; Specific License Reservation: Subscription
Granted Capabilities: The platform license determines the number of devices the management center virtual can manage. For details, see Management Center Virtual Licenses, on page 234.

License You Assign: Export-Controlled Features
Subscription You Purchase: No subscription required
Duration: Perpetual
Granted Capabilities: Features that are subject to national security, foreign policy, and anti-terrorism laws and regulations; see Licensing for Export-Controlled Functionality.

License You Assign: Remote Access VPN: AnyConnect Apex; AnyConnect Plus; AnyConnect VPN Only
Subscription You Purchase: Based on license type
Duration: Subscription or perpetual
Granted Capabilities: Remote access VPN configuration. Your account must allow export-controlled functionality to configure remote access VPN. You select whether you meet export requirements when you register the device. The threat defense can use any valid Secure Client license. The available features do not differ based on license type. For more information, see Secure Client Licenses and VPN Licensing in the Cisco Secure Firewall Management Center Device Configuration Guide.

Note: Subscription licenses are term-based licenses.
Management Center Virtual Licenses
The management center virtual requires a platform license that correlates with the number of devices it can manage.
The management center virtual supports Smart Licensing.
In regular Smart Licensing, these licenses are perpetual.
In Specific License Reservation, these licenses are subscription-based.
Base Licenses
The Base license allows you to:
• Configure your devices to perform switching and routing (including DHCP relay and NAT)
• Configure devices as a high availability pair
• Configure clustering
• Implement user and application control by adding user and application conditions to access control rules
Secure Firewall 3100
You obtain a Base license when you purchase the Secure Firewall 3100.
Other Models
Except in deployments using Specific License Reservation, a Base license is automatically added to your account when you register a device to the management center. For Specific License Reservation, you need to add the Base license to your account.
Malware Defense Licenses
A Malware defense license lets you perform malware defense and Secure Malware Analytics. With this feature, you can use devices to detect and block malware in files transmitted over your network. To support this feature license, you can purchase the Malware defense (AMP) service subscription as a stand-alone subscription or in combination with Threat (TM) or Threat and URL Filtering (TMC) subscriptions.
Note: Managed devices with Malware defense licenses enabled periodically attempt to connect to the Secure Malware Analytics Cloud even if you have not configured dynamic analysis. Because of this, the device’s Interface Traffic dashboard widget shows transmitted traffic; this is expected behavior.
You configure malware defense as part of a file policy, which you then associate with one or more access control rules. File policies can detect your users uploading or downloading files of specific types over specific application protocols. Malware defense allows you to use local malware analysis and file preclassification to inspect a restricted set of those file types for malware. You can also download and submit specific file types to the Secure Malware Analytics Cloud for dynamic and Spero analysis to determine whether they contain malware. For these files, you can view the network file trajectory, which details the path the file has taken through your network. The Malware license also allows you to add specific files to a file list and enable the file list within a file policy, allowing those files to be automatically allowed or blocked on detection.
If you disable all your Malware defense licenses, the system stops querying the Secure Malware Analytics Cloud, and also stops acknowledging retrospective events sent from the Secure Malware Analytics Cloud. You cannot re-deploy existing access control policies if they include malware defense configurations. Note that for a very brief time after a Malware defense license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.
Note that a Malware defense license is required only if you deploy malware defense and Secure Malware Analytics. Without a Malware defense license, the management center can receive Secure Endpoint malware events and indications of compromise (IOC) from the Secure Malware Analytics Cloud.
See also important information at License Requirements for File and Malware Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.
Threat Licenses
A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:
• Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
• File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. Malware defense, which requires a Malware defense license, allows you to inspect and block a restricted set of those file types based on their dispositions.
• Security Intelligence filtering allows you to block—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately block connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.
You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware defense (TM), or both (TMC).
If you disable Threat on managed devices, the management center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criterion stop firing. Additionally, the management center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing intrusion policies until you re-enable Threat.
URL Filtering Licenses
The URL Filtering license allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs.
To support this feature license, you can purchase the URL Filtering (URL) service subscription as a stand-alone subscription or in combination with Threat (TC) or Threat and Malware defense (TMC) subscriptions.
Tip Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic.
Although you can add category and reputation-based URL conditions to access control rules without a URL Filtering license, the management center will not download URL information. You cannot deploy the access control policy until you first add a URL Filtering license to the management center, then enable it on the devices targeted by the policy.
If you disable the URL Filtering license on managed devices, you may lose access to URL filtering. If your license expires or if you disable it, access control rules with URL conditions immediately stop filtering URLs, and your management center can no longer download updates to URL data. You cannot re-deploy existing access control policies if they include rules with category and reputation-based URL conditions.
Secure Client Licenses
You can configure remote access VPN using the Secure Client and standards-based IPSec/IKEv2.
To enable remote access VPN, you must purchase and enable one of the following licenses: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only. You can select AnyConnect Plus and AnyConnect Apex if you have both licenses and you want to use them both. The AnyConnect VPN Only license cannot be used with Apex or Plus. The Secure Client license must be shared with the Smart Account. For more instructions, see http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf.
You cannot deploy the remote access VPN configuration to the device if the specified device does not have the entitlement for a minimum of one of the specified Secure Client license types. If the registered license moves out of compliance or entitlements expire, the system displays licensing alerts and health events.
While using remote access VPN, your Smart Account must have the export controlled features (strong encryption) enabled. The threat defense requires strong encryption (which is higher than DES) for successfully establishing remote access VPN connections with Secure Clients.
You cannot deploy remote access VPN if the following are true:
• Smart Licensing on the management center is running in evaluation mode.
• Your Smart Account is not configured to use export-controlled features (strong encryption).
Licensing for Export-Controlled Functionality
Features that require export-controlled functionality
Certain software features are subject to national security, foreign policy, and anti-terrorism laws and regulations.
These export-controlled features include:
• Security certifications compliance
• Remote access VPN
• Site-to-site VPN with strong encryption
• SSH platform policy with strong encryption
• SSL policy with strong encryption
• Functionality such as SNMPv3 with strong encryption
How to determine whether export-controlled functionality is currently enabled for your system
To determine whether export-controlled functionality is currently enabled for your system: Go to System > Licenses > Smart Licenses and see if Export-Controlled Features displays Enabled.
About enabling export-controlled functionality
If Export-Controlled Features shows Disabled and you want to use features that require strong encryption, there are two ways to enable strong cryptographic features. Your organization may be eligible for one or the other (or neither), but not both.
• If there is no option to enable export-controlled functionality when you generate a new Product Instance Registration Token in the Smart Software Manager, contact your account representative. When approved by Cisco, you can manually add a strong encryption license to your account so you can use export-controlled features. For more information, see Enable the Export Control Feature for Accounts Without Global Permission, on page 253.
• If the option “Allow export-controlled functionality on the products registered with this token” appears when you generate a new Product Instance Registration Token in the Smart Software Manager, make sure you check it before generating the token.
If you did not enable export-controlled functionality for the Product Instance Registration Token that you used to register the management center, then you must deregister and then re-register the management center using a new Product Instance Registration Token with export-controlled functionality enabled.
If you registered devices to the management center in evaluation mode or before you enabled strong encryption on the management center, reboot each managed device to make strong encryption available. In a high availability deployment, the active and standby devices must be rebooted together to avoid an Active-Active condition.
The entitlement is perpetual and does not require a subscription.
More Information
For general information about export controls, see https://www.cisco.com/c/en/us/about/legal/global-export-trade.html.
Threat Defense Virtual Licenses
This section describes the performance-tiered license entitlements available for the threat defense virtual.
Any threat defense virtual license can be used on any supported threat defense virtual vCPU/memory configuration. This allows threat defense virtual customers to run on a wide variety of VM resource footprints.
This also increases the number of supported AWS and Azure instance types. When configuring the threat defense virtual VM, the maximum supported number of cores (vCPUs) is 16, and the maximum supported memory is 32 GB RAM.
Performance Tiers for Threat Defense Virtual Smart Licensing
Session limits for RA VPNs are determined by the installed threat defense virtual platform entitlement tier, and enforced via a rate limiter. The following table summarizes the session limits based on the entitlement tier and rate limiter.
Table 13: Threat Defense Virtual Licensed Feature Limits Based on Entitlement
Performance Tier     Device Specifications (Core/RAM)   Rate Limit   RA VPN Session Limit
FTDv5, 100Mbps       4 core/8 GB                        100Mbps      50
FTDv10, 1Gbps        4 core/8 GB                        1Gbps        250
FTDv20, 3Gbps        4 core/8 GB                        3Gbps        250
FTDv30, 5Gbps        8 core/16 GB                       5Gbps        250
FTDv50, 10Gbps       12 core/24 GB                      10Gbps       750
FTDv100, 16Gbps      16 core/32 GB                      16Gbps       10,000
Threat Defense Virtual Performance Tier Licensing Guidelines and Limitations
Please keep the following guidelines and limitations in mind when licensing your threat defense virtual device.
• The threat defense virtual supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.
• Any threat defense virtual license can be used on any supported threat defense virtual core/memory configuration. This allows the threat defense virtual customers to run on a wide variety of VM resource footprints.
• You can select a performance tier when you deploy the threat defense virtual, whether your device is in evaluation mode or is already registered with Cisco Smart Software Manager.
Note: Make sure your Smart Licensing account contains the available licenses you need. It’s important to choose the tier that matches the license you have in your account. If you are upgrading your threat defense virtual to Version 7.0, you can choose FTDv - Variable to maintain your current license compliance. Your threat defense virtual continues to perform with session limits based on your device capabilities (number of cores/RAM).
• The default performance tier is FTDv50 when deploying a new threat defense virtual device, or when provisioning the threat defense virtual using the REST API.
• Base licenses are subscription-based and mapped to performance tiers. Your virtual account needs to have the Base license entitlements for the threat defense virtual devices, as well as for IPS, malware defense, and Secure Firewall Threat Defense URL Filtering licenses.
• Each HA peer consumes one entitlement, and the entitlements on each HA peer must match, including Base license.
• A change in performance tier for an HA pair should be applied to the primary peer.
• You assign feature licenses to the cluster as a whole, not to individual nodes. However, each node of the cluster consumes a separate license for each feature. The clustering feature itself does not require any licenses.
• Universal PLR licensing is applied to each device in an HA pair separately. The secondary device will not automatically mirror the performance tier of the primary device. It must be updated manually.
License PIDs
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license Product IDs (PIDs).
Figure 8: License Search
Management Center Virtual PIDs
• VMware:
• SF-FMC-VMW-2-K9—2 devices
• SF-FMC-VMW-10-K9—10 devices
• SF-FMC-VMW-K9—25 devices
• SF-FMC-VMW-300-K9—300 devices
• KVM:
• SF-FMC-KVM-2-K9—2 devices
• SF-FMC-KVM-10-K9—10 devices
• SF-FMC-KVM-K9—25 devices
• PAK-based VMware:
• FS-VMW-2-SW-K9—2 devices
• FS-VMW-10-SW-K9—10 devices
• FS-VMW-SW-K9—25 devices
Threat Defense Virtual PIDs
When you order FTDV-SEC-SUB, you must choose a base license and optional feature licenses (12 month term):
• Base license:
• FTD-V-5S-BSE-K9
• FTD-V-10S-BSE-K9
• FTD-V-20S-BSE-K9
• FTD-V-30S-BSE-K9
• FTD-V-50S-BSE-K9
• FTD-V-100S-BSE-K9
• Threat, Malware defense, and URL license combination:
• FTD-V-5S-TMC
• FTD-V-10S-TMC
• FTD-V-20S-TMC
• FTD-V-30S-TMC
• FTD-V-50S-TMC
• FTD-V-100S-TMC
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 1010 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR1010T-TMC=
When you add the above PID to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-FPR1010T-TMC-1Y
• L-FPR1010T-TMC-3Y
• L-FPR1010T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 1100 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR1120T-TMC=
• L-FPR1140T-TMC=
• L-FPR1150T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-FPR1120T-TMC-1Y
• L-FPR1120T-TMC-3Y
• L-FPR1120T-TMC-5Y
• L-FPR1140T-TMC-1Y
• L-FPR1140T-TMC-3Y
• L-FPR1140T-TMC-5Y
• L-FPR1150T-TMC-1Y
• L-FPR1150T-TMC-3Y
• L-FPR1150T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 2100 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR2110T-TMC=
• L-FPR2120T-TMC=
• L-FPR2130T-TMC=
• L-FPR2140T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-FPR2110T-TMC-1Y
• L-FPR2110T-TMC-3Y
• L-FPR2110T-TMC-5Y
• L-FPR2120T-TMC-1Y
• L-FPR2120T-TMC-3Y
• L-FPR2120T-TMC-5Y
• L-FPR2130T-TMC-1Y
• L-FPR2130T-TMC-3Y
• L-FPR2130T-TMC-5Y
• L-FPR2140T-TMC-1Y
• L-FPR2140T-TMC-3Y
• L-FPR2140T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Secure Firewall 3100 PIDs
• Base license:
• L-FPR3110-BSE=
• L-FPR3120-BSE=
• L-FPR3130-BSE=
• L-FPR3140-BSE=
• Threat, Malware defense, and URL license combination:
• L-FPR3110T-TMC=
• L-FPR3120T-TMC=
• L-FPR3130T-TMC=
• L-FPR3140T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-FPR3110T-TMC-1Y
• L-FPR3110T-TMC-3Y
• L-FPR3110T-TMC-5Y
• L-FPR3120T-TMC-1Y
• L-FPR3120T-TMC-3Y
• L-FPR3120T-TMC-5Y
• L-FPR3130T-TMC-1Y
• L-FPR3130T-TMC-3Y
• L-FPR3130T-TMC-5Y
• L-FPR3140T-TMC-1Y
• L-FPR3140T-TMC-3Y
• L-FPR3140T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 4100 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR4110T-TMC=
• L-FPR4112T-TMC=
• L-FPR4115T-TMC=
• L-FPR4120T-TMC=
• L-FPR4125T-TMC=
• L-FPR4140T-TMC=
• L-FPR4145T-TMC=
• L-FPR4150T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-FPR4110T-TMC-1Y
• L-FPR4110T-TMC-3Y
• L-FPR4110T-TMC-5Y
• L-FPR4112T-TMC-1Y
• L-FPR4112T-TMC-3Y
• L-FPR4112T-TMC-5Y
• L-FPR4115T-TMC-1Y
• L-FPR4115T-TMC-3Y
• L-FPR4115T-TMC-5Y
• L-FPR4120T-TMC-1Y
• L-FPR4120T-TMC-3Y
• L-FPR4120T-TMC-5Y
• L-FPR4125T-TMC-1Y
• L-FPR4125T-TMC-3Y
• L-FPR4125T-TMC-5Y
• L-FPR4140T-TMC-1Y
• L-FPR4140T-TMC-3Y
• L-FPR4140T-TMC-5Y
• L-FPR4145T-TMC-1Y
• L-FPR4145T-TMC-3Y
• L-FPR4145T-TMC-5Y
• L-FPR4150T-TMC-1Y
• L-FPR4150T-TMC-3Y
• L-FPR4150T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 9300 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR9K-24T-TMC=
• L-FPR9K-36T-TMC=
• L-FPR9K-40T-TMC=
• L-FPR9K-44T-TMC=
• L-FPR9K-48T-TMC=
• L-FPR9K-56T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-FPR9K-24T-TMC-1Y
• L-FPR9K-24T-TMC-3Y
• L-FPR9K-24T-TMC-5Y
• L-FPR9K-36T-TMC-1Y
• L-FPR9K-36T-TMC-3Y
• L-FPR9K-36T-TMC-5Y
• L-FPR9K-40T-TMC-1Y
• L-FPR9K-40T-TMC-3Y
• L-FPR9K-40T-TMC-5Y
• L-FPR9K-44T-TMC-1Y
• L-FPR9K-44T-TMC-3Y
• L-FPR9K-44T-TMC-5Y
• L-FPR9K-48T-TMC-1Y
• L-FPR9K-48T-TMC-3Y
• L-FPR9K-48T-TMC-5Y
• L-FPR9K-56T-TMC-1Y
• L-FPR9K-56T-TMC-3Y
• L-FPR9K-56T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
ISA 3000 PIDs
• Threat, Malware defense, and URL license combination:
• L-ISA3000T-TMC=
When you add the above PID to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:
• L-ISA3000T-TMC-1Y
• L-ISA3000T-TMC-3Y
• L-ISA3000T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Requirements and Prerequisites for Licensing
For Specific License Reservation requirements, see Requirements and Prerequisites for Specific License Reservation.
General Prerequisites
• Make sure NTP is configured on the management center and managed devices. Time must be synchronized for registration to succeed.
For a Firepower 4100/9300, you must configure NTP on the chassis using the same NTP server for the chassis as for the management center.
Supported Domains
Global, except where indicated.
User Roles
• Admin
Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance
This section describes the licensing requirements for High Availability (for device High Availability and also management center virtual High Availability), clustering, and multi-instance deployments.
Licensing for Management Center High Availability
Each device requires the same licenses whether managed by a single management center or by management centers in a high availability pair (hardware or virtual).
Example: If you want to enable advanced malware protection for two devices managed by a management center pair, buy two Malware licenses and two TM subscriptions, register the active management center with the Smart Software Manager, then assign the licenses to the two devices on the active management center.
Only the active management center is registered with the Smart Software Manager. When failover occurs, the system communicates with Smart Software Manager to release the license entitlements from the originally-active management center and assign them to the newly-active management center.
In Specific License Reservation deployments, only the primary management center requires a Specific License Reservation.
Hardware Management Center
No special license is required for hardware management centers in a high availability pair.
Management Center Virtual
You will need two identically licensed management center virtuals.
Example: For the management center virtual high availability pair managing 10 devices, you can use:
• Two (2) management center virtual 10 entitlements
• 10 device licenses
If you break the high availability pair, the management center virtual entitlements associated with the secondary management center virtual are released. (In the example, you would then have two standalone management center virtual 10s.)
Licensing for Device High-Availability
Both threat defense units in a high availability configuration must have the same licenses.
High availability configurations require two license entitlements: one for each device in the pair.
Before high availability is established, it does not matter which licenses are assigned to the secondary/standby device. During high availability configuration, the management center releases any unnecessary licenses assigned to the standby unit and replaces them with identical licenses assigned to the primary/active unit. For example, if the active unit has a Base license and a Threat license, and the standby unit has only a Base license, the management center communicates with the Smart Software Manager to obtain an available Threat license from your account for the standby unit. If your license account does not include enough purchased entitlements, your account becomes Out-of-Compliance until you purchase the correct number of licenses.
Licensing for Device Clusters
Each threat defense virtual cluster node requires the same performance tier license. We recommend using the same number of CPUs and memory for all members, or else performance will be limited on all nodes to match the least capable member. The throughput level will be replicated from the control node to each data node so they match.
You assign feature licenses to the cluster as a whole, not to individual nodes. However, each node of the cluster consumes a separate license for each feature. The clustering feature itself does not require any licenses.
When you add the control node to the management center, you can specify the feature licenses you want to use for the cluster. Before you create the cluster, it doesn't matter which licenses are assigned to the data nodes; the license settings for the control node are replicated to each of the data nodes. You can modify licenses for the cluster in the Devices > Device Management > Cluster > License area.
Note If you add the cluster before the management center is licensed (and running in Evaluation mode), then when you license the management center, you can experience traffic disruption when you deploy policy changes to the cluster. Changing to licensed mode causes all data units to leave the cluster and then rejoin.
Licensing for Multi-Instance Deployments
All licenses are consumed per security engine/chassis (for the Firepower 4100) or per security module (for the Firepower 9300), and not per container instance. See the following details:
• Base licenses are automatically assigned: one per security module/engine.
• Feature licenses are manually assigned to each instance; but you only consume one license per feature per security module/engine. For example, for the Firepower 9300 with 3 security modules, you only need one URL Filtering license per module for a total of 3 licenses, regardless of the number of instances in use.
• For High Availability, see License Requirements for Threat Defense Devices in a High Availability Pair .
For example:
Table 14: License Usage for Container Instances on a Firepower 9300
Firepower 9300       Instance     Licenses
Security Module 1    Instance 1   Base, URL Filtering, Malware
                     Instance 2   Base, URL Filtering
                     Instance 3   Base, URL Filtering
Security Module 2    Instance 4   Base, Threat
                     Instance 5   Base, URL Filtering, Malware, Threat
Security Module 3    Instance 6   Base, Malware, Threat
                     Instance 7   Base, Threat
Table 15: Total Number of Licenses
Base             3
URL Filtering    2
Malware          3
Threat           2
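The per-module counting rule behind Table 14 and Table 15, as an added example that is not part of the Cisco guide: instance assignments are collapsed to one license per feature per security module (plus one automatic Base per module), the cluster rule from the previous section is shown for contrast, and the result is compared against hypothetical virtual-account entitlements to spot an Out-of-Compliance shortfall. The instance data is constructed to mirror Table 14; the entitlement numbers are invented.

```python
"""License consumption for Firepower 9300 container instances.

Added example, not Cisco code. Encodes the rule stated under "Licensing for
Multi-Instance Deployments": licenses are consumed per security module, not
per container instance; Base is consumed once per module automatically; a
feature license is consumed once per module however many instances use it.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Instance = Tuple[int, str, Tuple[str, ...]]  # (module, instance name, features)

# Constructed to match Table 14 above; Base is implicit on every module.
TABLE_14: List[Instance] = [
    (1, "Instance 1", ("URL Filtering", "Malware")),
    (1, "Instance 2", ("URL Filtering",)),
    (1, "Instance 3", ("URL Filtering",)),
    (2, "Instance 4", ("Threat",)),
    (2, "Instance 5", ("URL Filtering", "Malware", "Threat")),
    (3, "Instance 6", ("Malware", "Threat")),
    (3, "Instance 7", ("Threat",)),
]


def licenses_per_module(instances: Iterable[Instance]) -> Dict[int, Set[str]]:
    """Collapse instance-level assignments into the set consumed per module."""
    per_module: Dict[int, Set[str]] = defaultdict(set)
    for module, _name, features in instances:
        per_module[module].add("Base")        # one Base per module, automatic
        per_module[module].update(features)   # one per feature per module
    return dict(per_module)


def total_licenses(instances: Iterable[Instance]) -> Dict[str, int]:
    """Consumed count per license type = number of modules using it (Table 15)."""
    totals: Counter = Counter()
    for features in licenses_per_module(instances).values():
        totals.update(features)
    return dict(totals)


def cluster_licenses(node_count: int, features: Iterable[str]) -> Dict[str, int]:
    """Contrast with clustering: every node consumes a separate license per feature."""
    return {f: node_count for f in ("Base", *features)}


def compliance_gap(consumed: Dict[str, int],
                   entitlements: Dict[str, int]) -> Dict[str, int]:
    """Shortfall per license type; any entry means the account goes Out-of-Compliance."""
    return {lic: n - entitlements.get(lic, 0)
            for lic, n in consumed.items() if n > entitlements.get(lic, 0)}


if __name__ == "__main__":
    totals = total_licenses(TABLE_14)
    print("Table 15:", totals)
    # Hypothetical virtual account that holds one Malware license too few.
    account = {"Base": 3, "URL Filtering": 2, "Malware": 2, "Threat": 2}
    print("Shortfall:", compliance_gap(totals, account))
```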
Create a Smart Account and Add Licenses
You should set up this account before you purchase licenses.
Before you begin
Your account representative or reseller may have set up a Smart Account on your behalf. If so, obtain the necessary information to access the account from that person instead of using this procedure, then verify that you can access the account.
For general information about Smart Accounts, see http://www.cisco.com/go/smartaccounts .
Procedure
Step 1 Request a Smart Account:
For instructions, see https://community.cisco.com/t5/licensing-enterprise-agreements/request-a-smart-account-for-customers/ta-p/3636515?attachment-id=150577.
For additional information, see https://communities.cisco.com/docs/DOC-57261.
Step 2 Wait for an email telling you that your Smart Account is ready to set up. When it arrives, click the link it contains, as directed.
Step 3 Set up your Smart Account:
Go here: https://software.cisco.com/software/company/smartaccounts/home?route=module/accountcreation.
For instructions, see https://community.cisco.com/t5/licensing-enterprise-agreements/complete-smart-account-setup-for-customers/ta-p/3636631?attachment-id=132604.
Step 4 Verify that you can access the account in the Smart Software Manager.
Go to https://software.cisco.com/#module/SmartLicensing and sign in.
Step 5 Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Account. However, if you need to add licenses yourself, see Cisco Commerce Workspace. For license PIDs, see License PIDs.
Configure Smart Licensing
This section describes how to use Smart Licensing using the Smart Software Manager or the Smart Software Manager On-Prem. To use Specific License Reservation, see Configure Specific License Reservation (SLR), on page 261.
Register the Management Center for Smart Licensing
You can register the management center directly to the Smart Software Manager over the internet, or when using an air-gapped network, with the Smart Software Manager On-Prem.
Register the Management Center with the Smart Software Manager
Register the management center with the Smart Software Manager.
Before you begin
• Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Account. However, if you need to add licenses yourself, see Cisco Commerce Workspace. For license PIDs, see License PIDs.
• Ensure that the management center can reach the Smart Software Manager at tools.cisco.com:443.
• Make sure you configure NTP. During registration, a key exchange occurs between the Smart Agent and the Smart Software Manager, so time must be in sync for proper registration.
For the Firepower 4100/9300, you must configure NTP on the chassis using the same NTP server for the chassis as for the management center.
• If your organization has multiple management centers, make sure each management center has a unique name that clearly identifies and distinguishes it from other management centers that may be registered to the same virtual account. This name is critical for managing your Smart License entitlements and ambiguous names will lead to problems later.
Procedure
Step 1 In the Smart Software Manager , request and copy a registration token for the virtual account to which you want to add this device.
a) Click Inventory .
b) On the General tab, click New Token.
c) On the Create Registration Token dialog box enter the following settings, and then click Create Token :
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the export-compliance flag if you are in a country that allows for strong encryption. You must select this option now if you plan to use this functionality. If you enable this functionality later, you will need to re-register your device with a new product key and reload the device. If you do not see this option, your account does not support export-controlled functionality.
The token is added to your inventory.
d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the threat defense.
Figure 9: View Token
Figure 10: Copy Token
Step 2 In the management center, choose System ( ) > Licenses > Smart Licenses.
Step 3 Click Register.
Step 4 Paste the token you generated from Smart Software Manager into the Product Instance Registration Token field.
Make sure there are no empty spaces or blank lines at the beginning or end of the text.
Step 5 Decide whether to send usage data to Cisco.
• Enable Cisco Success Network is enabled by default. You can click sample data to see the kind of data Cisco collects. For more information, see Configure Cisco Success Network Enrollment.
• Enable Cisco Support Diagnostics is disabled by default. You can review the kind of data Cisco collects in the link provided above the check box. For more information, see Configure Cisco Support Diagnostics.
Note • When enabled, Cisco Support Diagnostics is enabled in the devices in the next sync cycle. The management center sync with the device runs once every 30 minutes.
• When enabled, Cisco Support Diagnostics is enabled automatically on any new device registered in this management center.
Step 6 Click Apply Changes.
What to do next
• Add your devices to the management center; see Add a Device to the Management Center .
• Assign licenses to your devices; see Assign Licenses to Multiple Managed Devices, on page 255.
Register the Management Center with the Smart Software Manager On-Prem
As described in Periodic Communication with the Smart Software Manager, on page 231, the management center must communicate regularly with Cisco to maintain your license entitlement. If you have one of the following situations, you might want to use a Smart Software Manager On-Prem (formerly known as "Smart Software Satellite Server") as a proxy for connections to the Smart Software Manager:
• Your management center is offline or otherwise has limited or no connectivity (in other words, is deployed in an air-gapped network.)
(For an alternate solution for air-gapped networks, see Licensing Options for Air-Gapped Deployments, on page 230.)
• Your management center has permanent connectivity, but you want to manage your Smart Licenses via a single connection from your network.
The Smart Software Manager On-Prem allows you to schedule synchronization or manually synchronize Smart License authorization with the Smart Software Manager.
For more information about the Smart Software Manager On-Prem, see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html#~on-prem.
Procedure
Step 1 Deploy and set up Smart Software Manager On-Prem.
• See the documentation for the Smart Software Manager On-Prem, available from https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html#~on-prem.
• Make a note of the CN of the TLS/SSL certificate on your Smart Software Manager On-Prem.
• Go to http://www.cisco.com/security/pki/certs/clrca.cer and copy the entire body of the TLS/SSL certificate (from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----") into a place you can access during configuration.
Step 2 Register the management center with the Smart Software Manager On-Prem.
a) Choose System ( ) > Integration.
b) Click Smart Software Satellite.
c) Select Connect to Cisco Smart Software Satellite Server.
d) Enter the URL of your Smart Software Manager On-Prem, using the CN value you collected in the prerequisites of this procedure, in the following format: https://FQDN_or_hostname_of_your_SSM_On-Prem/Transportgateway/services/DeviceRequestHandler
The FQDN or hostname must match the CN value of the certificate presented by your Smart Software Manager On-Prem.
e) Add a new SSL Certificate and paste the certificate text that you copied earlier.
f) Click Apply.
g) Select System > Licenses > Smart Licenses and click Register.
h) Create a new token on Smart Software Manager On-Prem.
i) Copy the token.
j) Paste the token into the form on the management center page.
k) Click Apply Changes.
The management center is now registered to Smart Software Manager On-Prem.
Step 3 After you assign licenses to devices, synchronize Smart Software Manager On-Prem to the Smart Software Manager.
See the Smart Software Manager On-Prem documentation, above.
Step 4 Schedule ongoing synchronization times.
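A pre-flight check for the URL entered in Step 2 d), as an added example that is not Cisco code: it verifies the scheme, the fixed Transportgateway path, and that the host equals the certificate CN noted in Step 1, treating that comparison as an exact case-insensitive string match (an assumption about how the management center compares them). Hostnames and CN values in the test are constructed.

```python
"""Validate a Smart Software Manager On-Prem URL before entering it in Integration.

Added example, not Cisco code. The guide requires the URL format
https://<FQDN_or_hostname>/Transportgateway/services/DeviceRequestHandler
and that the FQDN or hostname match the CN of the On-Prem server's
certificate. Assumption: the match is an exact, case-insensitive comparison,
so a wildcard CN can never satisfy it.
"""
from typing import List
from urllib.parse import urlsplit

ONPREM_PATH = "/Transportgateway/services/DeviceRequestHandler"


def check_onprem_url(url: str, cert_cn: str) -> List[str]:
    """Return a list of problems; an empty list means the URL is acceptable."""
    problems: List[str] = []
    parts = urlsplit(url.strip())

    if parts.scheme != "https":
        problems.append("scheme must be https, got %r" % parts.scheme)

    # urlsplit already lowercases the host; strip a trailing dot for comparison.
    host = (parts.hostname or "").rstrip(".")
    cn = cert_cn.strip().rstrip(".").lower()
    if not host:
        problems.append("URL has no host")
    elif "*" in cn:
        problems.append("certificate CN %r is a wildcard; it cannot equal the host" % cn)
    elif host != cn:
        problems.append("host %r does not match certificate CN %r" % (host, cn))

    # Tolerate a trailing slash, but nothing else may differ in the path.
    if parts.path.rstrip("/") != ONPREM_PATH:
        problems.append("path must be %s, got %r" % (ONPREM_PATH, parts.path))

    if parts.query or parts.fragment:
        problems.append("URL must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    # Constructed values; replace with your On-Prem FQDN and certificate CN.
    for candidate in (
        "https://ssm.example.internal/Transportgateway/services/DeviceRequestHandler",
        "https://10.0.0.5/Transportgateway/services/DeviceRequestHandler",
        "http://ssm.example.internal/Transportgateway/",
    ):
        print(candidate, "->", check_onprem_url(candidate, "ssm.example.internal") or "OK")
```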
Enable the Export Control Feature for Accounts Without Global Permission
If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account.
Before you begin
• Make sure that your deployment does not already support the export-controlled functionality.
If your deployment supports export-controlled features, you will see an option that allows you to enable export-controlled functionality in the Create Registration Token page in the Smart Software Manager.
For more information, see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html.
• Make sure your deployment is not using an evaluation license.
• In the Smart Software Manager, on the Inventory > Licenses page, verify that you have the license that corresponds to your management center:
Management Center Model           Export Control License
All management center virtuals    Cisco Virtual FMC Series Strong Encryption (3DES/AES)
1000, 1600                        Cisco FMC 1K Series Strong Encryption (3DES/AES)
2500, 2600                        Cisco FMC 2K Series Strong Encryption (3DES/AES)
4500, 4600                        Cisco FMC 4K Series Strong Encryption (3DES/AES)
Procedure
Step 1 Choose System > Licenses > Smart Licenses.
Note If you see Request Export Key, your account is approved for the export-controlled functionality and you can proceed to use the required feature.
Step 2 Click Request Export Key to generate an export key.
Tip If the export control key request fails, make sure that your virtual account has a valid Export Control license.
Disable the export control license by clicking Return Export Key.
What to do next
You can now deploy configurations or policies that use the export-controlled features.
Remember The new export-controlled licenses and all features enabled by it do not take effect on the threat defense devices until the devices are rebooted. Until then, only the features supported by the older license will be active.
In High Availability deployments both the threat defense devices need to be rebooted simultaneously, to avoid an Active-Active condition.
Assign Licenses to Devices
You can assign most licenses when you register a device to the management center. You can also assign licenses per device, or for multiple devices.
Assign Licenses to a Single Device
Although there are some exceptions, you cannot use the features associated with a license if you disable it on a managed device.
Note For container instances on the same security module/engine, you apply the license to each instance; note that the security module/engine consumes only one license per feature for all instances on the security module/engine.
Note For the threat defense cluster, you apply the licenses to the cluster as a whole; note that each unit in the cluster consumes a separate license per feature.
Before you begin
You must have Admin or Network Admin privileges to perform this task. When operating with multiple domains, you must do this task in leaf domains.
Procedure
Step 1 Choose Devices > Device Management.
Step 2 Next to the device where you want to assign or disable a license, click Edit ( ).
In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.
Step 3 Click Device.
Step 4 Next to the License section, click Edit ( ).
Step 5 Check or clear the appropriate check boxes to assign or disable licenses for the device.
Step 6 Click Save.
Step 7 Deploy configuration changes; see Deploy Configuration Changes.
What to do next
Verify license status: Go to System ( ) > Licenses > Smart Licenses, enter the hostname or IP address of the device into the filter at the top of the Smart Licenses table, and verify that only a green circle with a Check Mark ( ) appears for each device, for each license type. If you see any other icon, hover over the icon for more information.
Assign Licenses to Multiple Managed Devices
Devices managed by the management center obtain their licenses via the management center, not directly from the Smart Software Manager.
Use this procedure to enable licensing on multiple devices at once.
Note For container instances on the same security module/engine, you apply the license to each instance; note that the security module/engine consumes only one license per feature for all instances on the security module/engine.
Note For the threat defense cluster, you apply the licenses to the cluster as a whole; note that each unit in the cluster consumes a separate license per feature.
Procedure
Step 1 Choose System ( ) > Licenses > Smart Licenses or Specific Licenses .
Step 2 Click Edit Licenses.
Step 3 For each type of license you want to add to a device:
a) Click the tab for that type of license.
b) Click a device in the list on the left.
c) Click Add to move that device to the list on the right.
d) Repeat for each device to receive that type of license.
For now, don't worry about whether you have licenses for all of the devices you want to add.
e) Repeat this subprocedure for each type of license you want to add.
f) To remove a license, click the Delete ( ) next to the device.
g) Click Apply.
What to do next
Verify that your licenses are correctly installed. Follow the procedure in Monitoring Smart Licenses.
Manage Smart Licensing
This section describes how to manage Smart Licensing.
Deregister the Management Center
Deregister your management center from the Smart Software Manager to release all of the license entitlements back to your Smart Account so they can be used for other devices. For example, deregister if you need to decommission the management center or reimage it.
See Unregistered State, on page 232 for more information about license enforcement in an unregistered state.
Procedure
Step 1 Choose System ( ) > Licenses > Smart Licenses.
Step 2 Click Deregister ( ).
Synchronize or Reauthorize the Management Center
By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. You might want to manually renew the registration for either of these items if you have a limited window for internet access, or if you make any licensing changes in the Smart Software Manager, for example.
Procedure
Step 1 Choose System ( ) > Licenses > Smart Licenses.
Step 2 To renew the ID certificate, click Synchronize ( ).
Step 3 To renew the license entitlements, click Re-Authorize.
Monitoring Smart License Status
The Smart License Status section of the System > Licenses > Smart Licenses page provides an overview of license usage on the management center, as described below.
Usage Authorization
Possible status values are:
• In-compliance ( ) — All licenses assigned to managed devices are in compliance and the management center is communicating successfully with the Smart Software Manager.
• License is in compliance but communication with licensing authority has failed — Device licenses are in compliance, but the management center is not able to communicate with the Cisco licensing authority.
• Out-of-compliance icon or unable to communicate with License Authority — One or more managed devices is using a license that is out of compliance, or the management center has not communicated with the Smart Software Manager in more than 90 days.
Product Registration
Specifies the last date when the management center contacted the Smart Software Manager and registered.
Assigned Virtual Account
Specifies the Virtual Account under the Smart Account that you used to generate the Product Instance Registration Token and register the management center. If this deployment is not associated with a particular virtual account within your Smart Account, this information is not displayed.
Export-Controlled Features
If this option is enabled, you can deploy restricted features. For details, see Licensing for Export-Controlled Functionality.
Cisco Success Network
Specifies whether you have enabled Cisco Success Network for the management center. If this option is enabled, you provide usage information and statistics to Cisco which are essential to provide you with technical support. This information also allows Cisco to improve the product and make you aware of unused available features so that you can maximize the value of the product in your network. See Configure Cisco Success Network Enrollment, on page 575 for more information.
Monitoring Smart Licenses
To view the license status for the management center and its managed devices, use the Smart Licenses page.
For each type of license in your deployment, the page lists the total number of licenses consumed, whether the license is in compliance or out of compliance, the device type, and the domain and group where the device is deployed. You can also view the management center's Smart License Status. Container instances on the same security module/engine only consume one license per security module/engine. Therefore, even though the management center lists each container instance separately under each license type, the number of licenses consumed for feature license types will only be one.
Other than the Smart Licenses page, there are a few other ways you can view licenses:
• The Product Licensing dashboard widget provides an at-a-glance overview of your licenses.
See Adding Widgets to a Dashboard, on page 319, Dashboard Widget Availability by User Role, on page 307, and The Product Licensing Widget, on page 316.
• The Device Management page ( Devices > Device Management ) lists the licenses applied to each of your managed devices.
• The Smart License Monitor health module communicates license status when used in a health policy.
Procedure
Step 1 Choose System ( ) > Licenses > Smart Licenses.
Step 2 In the Smart Licenses table, click the arrow at the left side of each License Type folder to expand that folder.
Step 3 In each folder, verify that each device has a green circle with a Check Mark ( ) in the License Status column.
Note If you see duplicate management center virtual licenses, each represents one managed device.
If all devices show a green circle with a Check Mark ( ), your devices are properly licensed and ready to use.
If you see any License Status other than a green circle with a Check Mark ( ), hover over the status icon to view the message.
What to do next
• If you had any devices that did not have a green circle with a Check Mark ( ), you may need to purchase more licenses.
Troubleshooting Smart Licensing
Expected Licenses Do Not Appear in My Smart Account
If the licenses you expect to see are not in your Smart Account, try the following:
• Make sure they are not in a different Virtual Account. Your organization's license administrator may need to assist you with this.
• Check with the person who sold you the licenses to be sure that transfer to your account is complete.
Unable to Connect to Smart License Server
Check the obvious causes first. For example, make sure your management center has outside connectivity. See Internet Access Requirements, on page 1004.
Unexpected Out-of-Compliance Notification or Other Error
• If a device is already registered to a different management center, you need to deregister the original management center before you can license the device under a new management center. See Deregister the Management Center, on page 256.
• Management Center Virtual instance only - Make sure that the virtual account does not have only perpetual tags when you switch to subscription licensing.
• Check if the term of the subscription license has expired.
Troubleshoot Other Issues
For solutions to other common issues, see https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html
Convert a Classic License for Use on the Threat Defense
You can convert licenses using either the License Registration Portal or the Smart Software Manager, and you can convert an unused Product Authorization Key (PAK) or a Classic license that has already been assigned to a device.
Note You cannot undo this process. You cannot convert a Smart License to a Classic license, even if the license was originally a Classic license.
In documentation on Cisco.com, Classic licenses may also be referred to as "traditional" licenses.
Before you begin
• It is easiest to convert a Classic license to a Smart License when it is still an unused PAK that has not yet been assigned to a product instance.
• Your hardware must be able to run threat defense. See the Cisco Firepower Compatibility Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-device-support-tables-list.html .
• You must have a Smart Account. If you do not have one, create one. See
• The PAKs or licenses that you want to convert must appear in your Smart Account.
• If you convert using the License Registration Portal instead of the Smart Software Manager, you must have your Smart Account credentials in order to initiate the conversion process.
Procedure
Step 1 The conversion process you follow depends on whether or not the license has been consumed:
• If the PAK that you want to convert has never been used, follow instructions for converting a PAK.
• If the PAK you want to convert has already been assigned to a device, follow instructions for converting a Classic license.
Make sure your existing classic license is still registered to your device.
Step 2 See instructions for your type of conversion (PAK or installed Classic license) in the following documentation:
• To convert PAKs or licenses using the License Registration Portal:
  • To view a video that steps you through the License Registration Portal part of the conversion process, click https://salesconnect.cisco.com/#/content-detail/7da52358-0fc1-4d85-8920-14a1b7721780 .
  • Search for "Convert" in the following document: https://cisco.app.box.com/s/mds3ab3fctk6pzonq5meukvcpjizt7wu .
  There are three conversion procedures. Choose the conversion procedure applicable to your situation.
  • Sign in to the License Registration Portal at https://tools.cisco.com/SWIFT/LicensingUI/Home and follow the instructions in the documentation above.
• To convert PAKs or licenses using the Smart Software Manager:
  • Converting Hybrid Licenses to Smart Software Licenses QRG : https://community.cisco.com/t5/licensing-enterprise-agreements/converting-hybrid-licenses-to-smart-software-licenses-qrg/ta-p/3628609?attachment-id=134907
  • Sign in to the Smart Software Manager at https://software.cisco.com/#SmartLicensing-LicenseConversion and follow the instructions for your type of conversion (PAK or installed Classic license) in the documentation above.
Step 3 Freshly install threat defense on your hardware.
See the instructions for your hardware at https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html .
Step 4 If you will use the device manager to manage this device as a standalone device:
See information about licensing the device in the device manager configuration guide at https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html .
Skip the rest of this procedure.
Step 5 If you have already deployed Smart Licensing on your management center:
a) Set up Smart Licensing on your new threat defense. See Assign Licenses to Multiple Managed Devices, on page 255.
b) Verify that the new Smart License has been successfully applied to the device. See Monitoring Smart Licenses, on page 258.
Step 6 If you have not yet deployed Smart Licensing on your management center:
See Configure Smart Licensing, on page 249. (Skip any steps that do not apply or that you have already completed.)
Configure Specific License Reservation (SLR)
You can use the Specific License Reservation feature to deploy Smart Licensing in an air-gapped network.
Note Various names are used at Cisco for Specific License Reservation, including SLR, SPLR, PLR, and Permanent License Reservation. These terms may also be used at Cisco to refer to similar but not necessarily identical licensing models.
When Specific License Reservation is enabled, the management center reserves licenses from your virtual account for a specified duration without accessing the Smart Software Manager or using Smart Software Manager On-Prem.
Features that require access to the internet, such as URL Lookups or contextual cross-launch to public web sites, will not work.
Cisco does not collect web analytics or telemetry data for deployments that use Specific License Reservation.
Requirements and Prerequisites for Specific License Reservation
• Work with your account representative to obtain approval for Specific License Reservation for your products.
Obtain confirmation from your account representative that the Specific License Reservation is ready for use and reflected in your Smart Account.
• If you are currently using regular Smart Licensing, de-register the management center before you implement Specific License Reservation. For information, see Deregister the Management Center, on page 256.
All Smart Licenses that are currently deployed to the management center will be returned to the pool of available licenses in your account, and you can re-use them when you implement Specific License Reservation.
• Specific License Reservation uses the same licenses as regular Smart Licensing.
• (Recommended) If you deploy the management center pair in a high availability configuration, configure high availability before you assign licenses. If you already assigned licenses to devices on the secondary management center, be sure to unassign them.
Verify that your Smart Account is Ready to Deploy Specific License Reservation
To prevent problems when deploying your Specific License Reservation, complete this procedure before you make any changes in your management center.
Before you begin
• Ensure that you have met the requirements described in Requirements and Prerequisites for Specific License Reservation, on page 261.
• Make sure you have your Smart Software Manager credentials.
Procedure
Step 1 Sign in to the Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
Step 2 If applicable, select the correct account from the top right corner of the page.
Step 3 If necessary, click Inventory .
Step 4 Click Licenses .
Step 5 Verify the following:
• There is a License Reservation button.
• There are enough platform and feature licenses for the devices and features you will deploy, including management center virtual entitlements for your devices, if applicable.
Step 6 If any of these items is missing or incorrect, contact your account representative to resolve the problem.
Note Do not continue with this process until any problems are corrected.
Enable the Specific Licensing Menu Option
This procedure changes the "Smart Licenses" menu option to "Specific Licenses" in the management center.
Procedure
Step 1 Access the management center console using a USB keyboard and VGA monitor, or use SSH to access the management interface.
Step 2 Log into the management center CLI admin account.
Step 3 Enter the expert command to access the Linux shell.
Step 4 Execute the following command to access the Specific License Reservation options: sudo manage_slr.pl
Example:
admin@fmc63betaslr: ~$ sudo manage_slr.pl
Password:
**************** Configuration Utility **************
1 Show SLR Status
2 Enable SLR
3 Disable SLR
0 Exit
**************************************************************
Enter choice:
Step 5 Enable Specific License Reservation by selecting option 2 .
Step 6 Select option 0 to exit the manage_slr utility.
Step 7 Type exit to exit the Linux shell.
Step 8 Enter exit to exit the command line interface.
Step 9 Verify that you can access the Specific License Reservation page in the management center web interface:
• If the System > Licenses > Smart Licenses page is currently displayed, refresh the page.
• Otherwise, choose System > Licenses > Specific Licenses .
Enter the Specific License Reservation Authorization Code into the Management Center
Procedure
Step 1 Generate the reservation request code.
a) In the management center, choose System > Licenses > Specific Licenses .
b) Click Generate .
c) Make a note of the Reservation Request Code .
Step 2 Generate the reservation authorization code.
a) Go to the Cisco Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, select the correct account from the top right of the page.
c) If necessary, click Inventory .
d) Click Licenses .
e) Click License Reservation .
f) Enter the code that you generated from management center into the Reservation Request Code box.
g) Click Next .
h) Select Reserve a specific license .
i) Scroll down to display the entire License grid.
j) Under Quantity To Reserve , enter the number of each platform and feature license needed for your deployment.
Note
• You must explicitly include a Base license for each managed device, or, for multi-instance deployments, for each container.
• If you are using the management center virtual, you must include a platform entitlement for each container (in multi-instance deployments) or each managed device (all other deployments).
• If you use strong encryption functionality:
  • If your entire Smart Account is enabled for export-controlled functionality, you do not need to do anything here.
  • If your organization's entitlement is per-management center, you must select the appropriate license. For the correct license name to choose for your management center, see the prerequisites in Enable the Export Control Feature for Accounts Without Global .
k) Click Next .
l) Click Generate Authorization Code .
At this point, the license is now in use according to the Smart Software Manager.
m) Download the Authorization Code in preparation for entering it into the management center.
Step 3 Enter the authorization code in the management center.
a) In the management center, click Browse to upload the text file with the authorization code that you generated from the Smart Software Manager.
b) Click Install .
c) Verify that the Specific License Reservation page shows the Usage Authorization status as authorized.
d) Click the Reserved License tab to verify the licenses selected while generating the Authorization Code .
Step 4 If you do not see the licenses you require, then add the necessary licenses. For more info, see .
Assign Specific Licenses to Managed Devices
Use this procedure to quickly assign licenses to multiple managed devices at one time.
You can also use this procedure to disable or move licenses from one device to another. If you disable a license for a device, you cannot use the features associated with that license on that device.
Procedure
Step 1 Choose System > Licenses > Specific Licenses .
Step 2 Click Edit Licenses .
Step 3 Click each tab and assign licenses to devices as needed.
Step 4 Click Apply .
Step 5 Click the Assigned Licenses tab and verify that your licenses are correctly installed on each device.
Step 6 Deploy configuration changes; see Deploy Configuration Changes .
Manage Specific License Reservation
This section describes how to manage Specific License Reservation.
Important! Maintain Your Specific License Reservation Deployment
To update the threat data and software that keep your deployment effective, see
To ensure that all functionality continues to work without interruption, monitor your license expiration dates (on the Reserved Licenses tab).
Update a Specific License Reservation
After you have successfully deployed Specific Licenses on your management center, you can add or remove entitlements at any time using this procedure.
Use this procedure if you need to renew your licenses after they expire. If you do not have the required licenses, the following actions are restricted:
• Device registration
• Policy deployment
Procedure
Step 1 In the management center, obtain the unique product instance identifier of this management center:
a) Select System > Licenses > Specific Licenses .
b) Make a note of the Product Instance value. You will need this value several times during this process.
Step 2 In the Smart Software Manager, identify the management center to update:
a) Go to the Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, click Inventory .
c) Click Product Instances .
d) Look for a product instance that has FP in the Type column and a generic SKU (not a hostname) in the Name column. You may also be able to use the values in other table columns to help determine which management center is the correct management center. Click the name.
e) Look at the UUID and see if it is the UUID of the management center that you are trying to modify. If not, you must repeat these steps until you find the correct management center.
Step 3 When you have located the correct management center in the Smart Software Manager, update the reserved licenses and generate a new authorization code:
a) On the page that shows the correct UUID, choose Actions > Update Reserved Licenses .
b) Update the reserved licenses as needed.
Note
• You must explicitly include a Base license for each managed device, or, for multi-instance deployments, for each container.
• If you are using the management center virtual, you must include a platform entitlement for each container (in multi-instance deployments) or each managed device (all other deployments).
• If you use strong encryption functionality:
  • If your entire Smart Account is enabled for export-controlled functionality, you do not need to do anything here.
  • If your organization's entitlement is per-management center, you must select the appropriate license. For the correct license name to choose for your management center, see the prerequisites in Enable the Export Control Feature for Accounts Without Global .
c) Click Next and verify the details.
d) Click Generate Authorization Code .
e) Download the Authorization Code in preparation for entering it into the management center.
f) Leave the Update Reservation page open. You will return to it later in this procedure.
Step 4 Update the Specific Licenses in the management center.
a) Choose System > Licenses > Specific Licenses .
b) Click Edit SLR .
c) Click Browse to upload the newly generated authorization code.
d) Click Install to update the licenses.
After successful installation of the authorization code, ensure that the licenses shown in the Reserved column of the management center match the licenses that you have reserved in the Smart Software Manager.
e) Make a note of the Confirmation Code .
Step 5 Enter the confirmation code in the Smart Software Manager:
a) Return to the Smart Software Manager page that you left open earlier in this procedure.
b) Choose Actions > Enter Confirmation Code .
c) Enter the confirmation code that you generated from the management center.
Step 6 In the management center, verify that your licenses are reserved as you expect them, and that each feature for each managed device shows a green circle with a Check Mark ( ).
If necessary, see Monitoring Specific License Reservation Status, on page 269, for more information.
Step 7 Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide .
Deactivate and Return the Specific License Reservation
If you no longer need a specific license, you must return it to your Smart Account.
Important If you do not follow all of the steps in this procedure, the license remains in an in-use state and cannot be re-used.
This procedure releases all license entitlements associated with the management center back to your virtual account. After you de-register, no updates or changes on licensed features are allowed.
Procedure
Step 1 In the management center Web interface, select System > Licenses > Specific Licenses .
Step 2 Make a note of the Product Instance identifier for this management center.
Step 3 Generate a return code from the management center.
a) Click Return SLR .
The following figure shows Return SLR.
Devices become unlicensed and the management center moves to the de-registered state.
b) Make a note of the Return Code .
Step 4 In the Smart Software Manager, identify the management center to deregister:
a) Go to the Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, click Inventory .
c) Click Product Instances .
d) Look for a product instance that has FP in the Type column and a generic SKU (not a hostname) in the Name column. You may also be able to use the values in other table columns to help determine which management center is the correct management center. Click the name.
e) Look at the UUID and see if it is the UUID of the management center that you are trying to modify. If not, you must repeat these steps until you find the correct management center.
Step 5 When you have identified the correct management center, return the licenses to your Smart Account:
a) On the page that shows the correct UUID, choose Actions > Remove .
b) Enter the reservation return code that you generated from the management center into the Remove Product Instance dialog box.
c) Click Remove Product Instance .
The specific reserved licenses are returned to the available pool in your Smart Account and this management center is removed from the Smart Software Manager Product Instances list.
Step 6 Disable the Specific License in the management center Linux shell:
a) Access the management center console using a USB keyboard and VGA monitor, or use SSH to access the management interface.
b) Log in to the management center CLI admin account. This gives you access to the command line interface.
c) Enter the expert command to access the Linux shell.
d) Execute the following command: sudo manage_slr.pl
Example:
admin@fmc63betaslr: ~$ sudo manage_slr.pl
Password:
**************** Configuration Utility **************
1 Show SLR Status
2 Enable SLR
3 Disable SLR
0 Exit
**************************************************************
Enter choice:
e) Select menu option 3 to disable the Specific License Reservation.
f) Select option 0 to exit the manage_slr utility.
g) Enter exit to exit the Linux shell.
h) Enter exit to exit the command line interface.
Monitoring Specific License Reservation Status
The System > Licenses > Specific Licenses page provides an overview of license usage on the management center, as described below.
Usage Authorization
Possible status values are:
• Authorized — The management center is in compliance and registered successfully with the License Authority, which has authorized the license entitlements for the appliance.
• Out-of-compliance — If licenses are expired or if the management center has overused licenses even though they are not reserved, status shows as Out-of-Compliance. License entitlements are enforced in Specific License Reservation, so you must take action.
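As an added example (not code from this guide or from the management center itself), the following Python shows how two rules stated in this chapter combine: feature-license consumption is totalled the way the Smart Licenses page describes, where container instances on the same security module/engine consume a feature license only once, and the Usage Authorization value is then derived as Authorized or Out-of-compliance from reserved quantities and expiry dates. The device records, license names, quantities and dates are constructed sample data; the function and field names are assumptions for this illustration, not the product's data model.

```python
"""Added example: license consumption tally and SLR Usage Authorization status.

Not part of the guide or the product. Device records, license names,
quantities and expiry dates below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Feature licenses that container instances on one security module/engine
# share (the Smart Licenses page counts such a license once per module).
FEATURE_LICENSES = {"Threat", "Malware", "URL Filtering"}


@dataclass(frozen=True)
class ManagedDevice:
    name: str
    licenses: frozenset
    # (chassis, module/engine) for a container instance; None otherwise
    security_module: tuple = None


def consumed_licenses(devices):
    """Return {license_type: count} as the Smart Licenses page totals it.

    Every device consumes one of each license assigned to it, except that all
    container instances on the same security module/engine consume a feature
    license only once. The Base (platform) license is counted per instance.
    """
    counts = defaultdict(int)
    seen = set()  # (security_module, license) pairs already counted
    for dev in devices:
        for lic in dev.licenses:
            if lic in FEATURE_LICENSES and dev.security_module is not None:
                key = (dev.security_module, lic)
                if key in seen:
                    continue
                seen.add(key)
            counts[lic] += 1
    return dict(counts)


def usage_authorization(consumed, reserved, today):
    """Derive the Specific Licenses page's Usage Authorization value.

    Out-of-compliance when any reserved license has expired or a license type
    is used beyond the reserved quantity; Authorized otherwise.
    `reserved` maps license_type -> (quantity, expiry_date or None).
    Returns (status, list_of_reasons) so a monitor can report why.
    """
    reasons = []
    for lic, used in consumed.items():
        qty, _ = reserved.get(lic, (0, None))
        if used > qty:
            reasons.append(f"{lic}: {used} used, {qty} reserved")
    for lic, (_, expires) in reserved.items():
        if expires is not None and expires < today:
            reasons.append(f"{lic}: reservation expired {expires.isoformat()}")
    return ("Out-of-compliance" if reasons else "Authorized", reasons)


# Constructed sample inventory: two container instances on one security
# module plus a standalone appliance.
SAMPLE_DEVICES = [
    ManagedDevice("ftd-ci-1", frozenset({"Base", "Threat", "Malware"}), ("chassis-1", "slot1")),
    ManagedDevice("ftd-ci-2", frozenset({"Base", "Threat", "Malware"}), ("chassis-1", "slot1")),
    ManagedDevice("ftd-edge", frozenset({"Base", "Threat", "URL Filtering"})),
]

# Constructed reservation: quantities and expiry dates are placeholders.
SAMPLE_RESERVED = {
    "Base": (3, date(2024, 12, 31)),
    "Threat": (2, date(2024, 12, 31)),
    "Malware": (1, date(2024, 12, 31)),
    "URL Filtering": (1, date(2023, 6, 30)),  # expired before the 2024 check date
}


def sample_status(today_iso):
    """Evaluate the sample inventory against the sample reservation on an ISO date."""
    used = consumed_licenses(SAMPLE_DEVICES)
    return usage_authorization(used, SAMPLE_RESERVED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(consumed_licenses(SAMPLE_DEVICES))
    print(sample_status("2024-01-15"))
```

Running the module prints the per-type totals (Threat counts twice: once for the shared security module, once for the standalone appliance) and an Out-of-compliance result whose only reason is the expired URL Filtering reservation; moving the check date before that expiry yields Authorized.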
Product Registration
Specifies registration status and the date that an authorization code was last installed or renewed on the management center.
Export-Controlled Features
Specifies whether you have enabled export-controlled functionality for the management center.
For more information about Export-Controlled Features, see Licensing for Export-Controlled Functionality, on page 237.
Product Instance
The Universally Unique Identifier (UUID) of this management center. This value identifies this device in the Smart Software Manager.
Confirmation Code
The Confirmation Code is needed if you update or deactivate and return Specific Licenses.
Assigned Licenses Tab
Shows the licenses assigned to each device and the status of each.
Reserved Licenses Tab
Shows the number of licenses used and available to be assigned, and license expiration dates.
Troubleshoot Specific License Reservation
How do I identify a particular management center in the Product Instance list in Smart Software Manager?
On the Product Instances page in Smart Software Manager, if you cannot identify the product instance based on a value in one of the columns in the table, you must click the name of each generic product instance of type FP to view the product instance details page. The UUID value on this page uniquely identifies one management center.
In the management center web interface, the UUID for the management center is the Product Instance value displayed on the System > Licenses > Specific Licenses page.
I do not see a License Reservation button in the Smart Software Manager
If you do not see the License Reservation button, then your account is not authorized for Specific License Reservation. If you have already enabled Specific License Reservation in the Linux shell and generated a request code, perform the following:
1. If you have already generated a Request Code in the management center web interface, cancel the request code.
2. Disable Specific License Reservation in the management center Linux shell as described within the section Deactivate and Return the Specific License Reservation, on page 267.
3. Register the management center with the Smart Software Manager in regular mode using a smart token.
4. Contact Cisco TAC to enable Specific License for your smart account.
I was interrupted in the middle of the licensing process. How can I pick up where I left off?
If you have generated but not yet downloaded an Authorization code from the Smart Software Manager, you can go to the Product Instance page in the Smart Software Manager, click the product instance, then click Download Reservation Authorization Code .
I am unable to register devices to the management center virtual
Make sure you have enough management center virtual entitlements in your Smart Account to cover the devices you want to register, then update your deployment to add the necessary entitlements. See Update a Specific License Reservation, on page 265.
I have enabled Specific Licensing, but now I do not see a Smart License page.
This is the expected behavior. When you enable Specific Licensing, Smart Licensing is disabled. You can use the Specific License page to perform licensing operations.
If you want to use Smart Licensing, you must return the Specific License. For more information, see Deactivate and Return the Specific License Reservation, on page 267.
What if I do not see a Specific License page in the management center virtual?
You need to enable Specific License to view the Specific License page. For more information, see Specific Licensing Menu Option, on page 262.
I have disabled Specific Licensing, but forgot to copy the Return Code. What should I do?
The Return Code is saved in the management center virtual. You must re-enable the Specific License from the Linux shell (see Enable the Specific Licensing Menu Option, on page 262), then refresh the management center virtual web interface. Your Return Code will be displayed.
Configure Legacy Management Center PAK-Based Licenses
The management center supports either a Smart License or a legacy PAK (Product Activation Key) license for its platform license. This procedure describes how to apply a PAK-based license.
Before you begin
• Make sure you have the product activation key (PAK) from the Software Claim Certificate that Cisco provided when you purchased the license. If you have a legacy, pre-Cisco license, contact Support.
Procedure
Step 1 The license key uniquely identifies the management center in the Smart Software Manager. It is composed of a product code (for example, 66) and the MAC address of the management port (eth0) of the management center; for example, 66:00:00:77:FF:CC:88.
a) Choose System ( ) > Licenses > Classic Licenses .
b) Click Add New License .
c) Note the value in the License Key field at the top of the Add Feature License dialog.
Step 2 Choose System ( ) > Licenses > Classic Licenses .
Step 3 Click Add New License .
Step 4 Continue as appropriate:
• If you have already obtained the license text, skip to Step 8.
• If you still need to obtain the license text, go to the next step.
Step 5 Click Get License to open the License Registration Portal.
Note If you cannot access the Internet using your current computer, switch to a computer that can, and browse to http://cisco.com/go/license .
Step 6 Generate a license from the PAK in the License Registration Portal: https://cisco.com/go/license .
This step requires the PAK you received during the purchase process, as well as the license key for the management center.
For more information on using this portal, see: https://slexui.cloudapps.cisco.com/SWIFT/LicensingUI/Quickstart
You will need your account credentials in order to access these links.
Step 7 Copy the license text from either the License Registration Portal display, or the email the License Registration Portal sends you.
Important The licensing text block in the portal or email message may include more than one license. Each license is bounded by a BEGIN LICENSE line and an END LICENSE line. Make sure that you copy and paste only one license at a time.
Step 8 Return to the Add Feature License page in the management center virtual’s web interface.
Step 9 Paste the license text into the License field.
Step 10 Click Verify License .
If the license is invalid, make sure that you correctly copied the license text.
Step 11 Click Submit License .
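The two format rules in this procedure, the license key (product code followed by the eth0 MAC address) and the portal text block that may carry several licenses each bounded by BEGIN LICENSE and END LICENSE lines, lend themselves to a small pre-flight check before pasting. The Python below is an added example, not code from the guide, the License Registration Portal or the management center. It assumes delimiter lines are recognised loosely (a line beginning with BEGIN or END that mentions LICENSE), since the guide does not quote the exact delimiter text, and the sample portal reply, its keys and its body lines are constructed for the illustration.

```python
"""Added example (not Cisco code): split a License Registration Portal text
block into single licenses and validate the management center license key.

Assumptions: delimiter lines are matched loosely (BEGIN/END ... LICENSE);
the sample portal text and every key in it are constructed.
"""
import re

# Product code (two hex digits) followed by six MAC octets, colon separated.
KEY_RE = re.compile(r"^([0-9A-Fa-f]{2})((?::[0-9A-Fa-f]{2}){6})$")
BEGIN_RE = re.compile(r"^[-\s]*BEGIN\b.*\bLICENSE\b", re.IGNORECASE)
END_RE = re.compile(r"^[-\s]*END\b.*\bLICENSE\b", re.IGNORECASE)


def parse_license_key(key):
    """Split a license key into (product_code, mac), both upper-cased.

    Example from the guide: 66:00:00:77:FF:CC:88 -> ("66", "00:00:77:FF:CC:88").
    Raises ValueError unless the key is exactly seven colon-separated hex octets.
    """
    m = KEY_RE.match(key.strip())
    if not m:
        raise ValueError(f"malformed license key: {key!r}")
    return m.group(1).upper(), m.group(2)[1:].upper()


def is_valid_license_key(key):
    """Boolean form of parse_license_key for quick checks."""
    return KEY_RE.match(key.strip()) is not None


def split_licenses(text):
    """Return each license in a portal text block as its own string.

    Each string runs from its BEGIN LICENSE line through its END LICENSE line
    inclusive, so it can be pasted into the License field on its own.
    Unbalanced or nested delimiters raise ValueError instead of yielding a
    block the management center would report as invalid.
    """
    blocks, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if BEGIN_RE.match(line):
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open license")
            current = [line]
        elif END_RE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("text ends inside an open license (missing END LICENSE)")
    return blocks


def license_for_key(text, key):
    """Return the one license whose body names the given license key.

    Enforces the guide's rule of pasting a single license at a time: the
    block is split first and exactly one match is returned.
    """
    wanted = ":".join(parse_license_key(key))
    matches = [b for b in split_licenses(text) if wanted in b.upper()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one license for {wanted}, found {len(matches)}")
    return matches[0]


# Constructed sample: a portal reply carrying licenses for two management
# centers. Keys, feature names and signatures are made up for the example.
SAMPLE_PORTAL_TEXT = """\
Thank you for registering your product.

--- BEGIN LICENSE ---
license-key: 66:00:00:77:FF:CC:88
feature: FMC-PLATFORM
signature: c0ffee00 (constructed)
--- END LICENSE ---

--- BEGIN LICENSE ---
license-key: 66:00:11:22:33:44:55
feature: FMC-PLATFORM
signature: deadbeef (constructed)
--- END LICENSE ---
"""

if __name__ == "__main__":
    for block in split_licenses(SAMPLE_PORTAL_TEXT):
        print(block, end="\n\n")
    print(license_for_key(SAMPLE_PORTAL_TEXT, "66:00:11:22:33:44:55"))
```

Typical use is to read the License Key value from the Add Feature License dialog, check it with parse_license_key, and paste only the string returned by license_for_key; a LookupError means the portal text does not contain exactly one license for that management center, which is the case the Important note above warns about.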
Additional Information about Licensing
For additional information to help resolve common licensing questions, see the following documents:
• FAQ— https://www.cisco.com/c/en/us/td/docs/security/firepower/licensing/faq/firepower-license-FAQ.html
• License Roadmap— https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-licenseroadmap.html
History for Licenses
Feature | Version | Details
Performance tier licensing for the threat defense virtual | 7.0 | Performance-tiered licensing provides different throughput levels and VPN connection limits based on deployment requirements. License tiers map to new threat defense virtual models.
Licensing for multi-instance capability for the threat defense on the Firepower 4100/9300 | 6.3 | You can now deploy multiple threat defense container instances on a Firepower 4100/9300. You only need a single license per feature per security module/engine. The base license is automatically assigned to each instance. New/Modified screens: System > Licenses > Smart Licenses. Supported platforms: threat defense on the Firepower 4100/9300.
Specific License Reservation for air-gapped deployments | 6.3 | Customers whose deployments cannot connect to the internet to communicate with the Cisco License Authority can use a Specific License Reservation. New/Modified screens: System > Licenses > Specific Licenses (This option is not available by default.) Supported platforms: management center, threat defense.
Export-controlled functionality for restricted customers | 6.3 | Certain customers whose Smart Accounts are not otherwise eligible to use restricted functionality can purchase term-based licenses, with approval. Supported platforms: management center, threat defense.
CHAPTER 8
High Availability
The following topics describe how to configure Active/Standby high availability of Cisco Secure Firewall Management Centers:
• About Secure Firewall Management Center High Availability, on page 275
• Requirements for Management Center High Availability, on page 281
• Prerequisites for Management Center High Availability, on page 283
• Establishing Management Center High Availability, on page 284
• Viewing Management Center High Availability Status, on page 285
• Configurations Synced on Management Center High Availability Pairs, on page 286
• Configuring External Access to the Management Center Database in a High Availability Pair, on page
• Using CLI to Resolve Device Registration in Management Center High Availability, on page 287
• Switching Peers in a Management Center High Availability Pair, on page 288
• Pausing Communication Between Paired Firepower Management Centers, on page 288
• Restarting Communication Between Paired Firepower Management Centers, on page 288
• Changing the IP Address of a Management Center in a High Availability Pair, on page 289
• Disabling Management Center High Availability, on page 289
• Replacing Management Centers in a High Availability Pair, on page 290
• History for Management Center High Availability, on page 294
About Secure Firewall Management Center High Availability
To ensure the continuity of operations, the high availability feature allows you to designate redundant Secure Firewall Management Centers to manage devices. Secure Firewall Management Centers support Active/Standby high availability where one appliance is the active unit and manages devices. The standby unit does not actively manage devices. The active unit writes configuration data into a data store and replicates data for both units, using synchronization where necessary to share some information with the standby unit.
Active/Standby high availability lets you configure a secondary Secure Firewall Management Center to take over the functionality of a primary Secure Firewall Management Center if the primary fails. When the primary Secure Firewall Management Center fails, you must promote the secondary Secure Firewall Management Center to become the active unit.
Event data streams from managed devices to both Secure Firewall Management Centers in the high availability pair. If one Secure Firewall Management Center fails, you can monitor your network without interruption using the other Secure Firewall Management Center.
Note that Secure Firewall Management Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location.
Caution Because the system restricts some functionality to the active Secure Firewall Management Center, if that appliance fails, you must promote the standby Secure Firewall Management Center to active.
Note Triggering a switchover on management center immediately after a successful change deployment can lead to preview configuration not working on the new active management center. This does not impact policy deploy functionality. It is recommended to trigger a switchover on the management center after the necessary sync is completed.
About Remote Access VPN High Availability
If the primary device has a Remote Access VPN configuration with an identity certificate enrolled using a CertEnrollment object, the secondary device must have an identity certificate enrolled using the same CertEnrollment object. The CertEnrollment object can have different values for the primary and secondary devices due to device-specific overrides. The only limitation is that the same CertEnrollment object must be enrolled on the two devices before the high availability pair is formed.
SNMP Behavior in Secure Firewall Management Center High Availability
In an SNMP-configured HA pair, when you deploy an alert policy, the primary Secure Firewall Management Center sends the SNMP traps. When the primary Secure Firewall Management Center fails, the secondary Secure Firewall Management Center, which becomes the active unit, sends the SNMP traps without the need for any additional configuration.
Roles v. Status in Management Center High Availability
Primary/Secondary Roles
When setting up Secure Firewall Management Centers in a high availability pair, you configure one Secure Firewall Management Center to be primary and the other as secondary. During configuration, the primary unit's policies are synchronized to the secondary unit. After this synchronization, the primary Secure Firewall Management Center becomes the active peer, while the secondary Secure Firewall Management Center becomes the standby peer, and the two units act as a single appliance for managed device and policy configuration.
Active/Standby Status
The main differences between the two Secure Firewall Management Centers in a high availability pair are related to which peer is active and which peer is standby. The active Secure Firewall Management Center remains fully functional, where you can manage devices and policies. On the standby Secure Firewall Management Center, functionality is hidden; you cannot make any configuration changes.
Event Processing on Management Center High Availability Pairs
Since both Secure Firewall Management Centers in a high availability pair receive events from managed devices, the management IP addresses for the appliances are not shared. This means that you do not need to intervene to ensure continuous processing of events if a Secure Firewall Management Center fails.
AMP Cloud Connections and Malware Information
Although they share file policies and related configurations, Secure Firewall Management Centers in a high availability pair share neither Cisco AMP cloud connections nor malware dispositions. To ensure continuity of operations, and to ensure that detected files' malware dispositions are the same on both Secure Firewall Management Centers, both primary and secondary Secure Firewall Management Centers must have access to the AMP cloud.
URL Filtering and Security Intelligence
URL filtering and Security Intelligence configurations and information are synchronized between Secure Firewall Management Centers in a high availability deployment. However, only the primary Secure Firewall Management Center downloads URL category and reputation data for updates to Security Intelligence feeds.
If the primary Secure Firewall Management Center fails, not only must you make sure that the secondary Secure Firewall Management Center can access the internet to update threat intelligence data, but you must also use the web interface on the secondary Secure Firewall Management Center to promote it to active.
User Data Processing During Management Center Failover
If the primary Secure Firewall Management Center fails, the secondary Secure Firewall Management Center propagates to managed devices user-to-IP mappings from the TS Agent identity source, and propagates SGT mappings from the ISE/ISE-PIC identity source. Users not yet seen by identity sources are identified as Unknown.
After the downtime, the Unknown users are re-identified and processed according to the rules in your identity policy.
Configuration Management on Management Center High Availability Pairs
In a high availability deployment, only the active Secure Firewall Management Center can manage devices and apply policies. Both Secure Firewall Management Centers remain in a state of continuous synchronization.
If the active Secure Firewall Management Center fails, the high availability pair enters a degraded state until you manually promote the standby appliance to the active state. Once the promotion is complete, the appliances leave maintenance mode.
Management Center High Availability Disaster Recovery
In case of a disaster recovery situation, a manual switchover must be performed. When the primary management center (FMC1) fails, access the web interface of the secondary management center (FMC2) and switch peers. This applies conversely if the secondary (FMC2) fails. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.
For restoring a failed management center, see Replacing Management Centers in a High Availability Pair, on page 290.
Single Sign-On and High Availability Pairs
Management centers in a high availability configuration can support Single Sign-On, but you must keep the following considerations in mind:
• SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.
• Both management centers in a high availability pair must use the same identity provider (IdP) for SSO. You must configure a service provider application at the IdP for each management center configured for SSO.
• In a high availability pair of management centers where both are configured to support SSO, before a user can use SSO to access the secondary management center for the first time, that user must first use SSO to log into the primary management center at least once.
• When configuring SSO for management centers in a high availability pair:
• If you configure SSO on the primary management center, you are not required to configure SSO on the secondary management center.
• If you configure SSO on the secondary management center, you are required to configure SSO on the primary management center as well. (This is because SSO users must log in to the primary management center at least once before logging into the secondary management center.)
Related Topics
, on page 129
Management Center High Availability Behavior During a Backup
When you perform a Backup on a management center high availability pair, the Backup operation pauses synchronization between the peers. During this operation, you may continue using the active management center, but not the standby peer.
After Backup is completed, synchronization resumes, which briefly disables processes on the active peer.
During this pause, the High Availability page briefly displays a holding page until all processes resume.
Management Center High Availability Split-Brain
If the active Secure Firewall Management Center in a high-availability pair goes down (due to power issues, network/connectivity issues), you can promote the standby Secure Firewall Management Center to an active state. When the original active peer comes up, both peers can assume they are active. This state is defined as 'split-brain'. When this situation occurs, the system prompts you to choose an active appliance, which demotes the other appliance to standby.
If the active Secure Firewall Management Center goes down (or disconnects due to a network failure), you may either break high availability or switch roles. The standby Secure Firewall Management Center enters a degraded state.
Note Whichever appliance you use as the secondary loses all of its device registrations and policy configurations when you resolve split-brain. For example, you would lose modifications to any policies that existed on the secondary but not on the primary. If the Secure Firewall Management Center is in a high availability split-brain scenario where both appliances are active, and you register managed devices and deploy policies before you resolve split-brain, you must export any policies and unregister any managed devices from the intended standby Secure Firewall Management Center before re-establishing high availability. You may then register the managed devices and import the policies to the intended active Secure Firewall Management Center.
Upgrading Management Centers in a High Availability Pair
Cisco electronically distributes several different types of updates periodically. These include major and minor upgrades to the system software. You may need to install these updates on Secure Firewall Management Centers in a high availability setup.
Warning Make sure that there is at least one operational Secure Firewall Management Center during an upgrade.
Before you begin
Read the release notes or advisory text that accompanies the upgrade. The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.
Procedure
Step 1 Access the web interface of the active Secure Firewall Management Center and pause data synchronization; see Pausing Communication Between Paired Firepower Management Centers, on page 288.
Step 2 Upgrade the standby Secure Firewall Management Center.
When the upgrade completes, the standby unit becomes active. When both peers are active, the high availability pair is in a degraded state (split-brain).
Step 3 Upgrade the other Secure Firewall Management Center.
Step 4 Decide which Secure Firewall Management Center you want to use as the standby. Any additional devices or policies added to the standby after pausing synchronization are not synced to the active Secure Firewall Management Center. Unregister only those additional devices and export any configurations you want to preserve.
When you choose a new active Secure Firewall Management Center, the Secure Firewall Management Center you designate as secondary will lose device registrations and deployed policy configurations, which are not synced.
Step 5 Resolve split-brain by choosing the new active Secure Firewall Management Center which has all the latest required configurations for policies and devices.
Troubleshooting Management Center High Availability
This section lists troubleshooting information for some common management center high availability operation errors.
Error: You must reset your password on the active management center before you can log into the standby
Description: You attempted to log into the standby management center when a force password reset is enabled for your account.
Solution: As the database is read-only for a standby management center, reset the password on the login page of the active management center.

Error: 500 Internal / System processes are starting, please wait. Also, the web interface does not respond.
Description: May appear when attempting to access the web interface while performing critical management center high availability operations, including switching peer roles or pausing and resuming synchronization.
Solution: Wait until the operation completes before using the web interface.
Description: May appear when the management center reboots (manually or while recovering from a power down) during a high availability or data synchronization operation.
Solution:
1. Access the management center shell and use the manage_hadc.pl command to access the management center high availability configuration utility.
Note Run the utility as a root user, using sudo.
2. Pause mirroring operations by using option 5. Reload the management center web interface.
3. Use the web interface to resume synchronization. Choose System > Integration, then click the High Availability tab and choose Resume Synchronization.

Error: Device Registration Status: Host <string> is not reachable
Description: During the initial configuration of a threat defense, if the management center IP address and NAT ID are specified, the Host field can be left blank. However, in an HA environment with both management centers behind a NAT, this error occurs when you add the threat defense on the secondary management center.
Solution:
1. Delete the threat defense from the primary management center. See Delete a Device from the Management Center in the Cisco Secure Firewall Management Center Device Configuration Guide.
2. Remove managers from the threat defense using the configure manager delete command. See the Command Reference for Secure Firewall Threat Defense.
3. Add the threat defense to the management center with the IP address or name of the threat defense device in the Host field. See Add a Device to the Management Center in the Cisco Secure Firewall Management Center Device Configuration Guide.
Requirements for Management Center High Availability
Model Support
See Hardware Requirements, on page 281.
Virtual Model Support
See Virtual Platform Requirements, on page 282.
Supported Domains
Global
User Roles
Admin
Hardware Requirements
• Supported hardware models:
MC1000, MC1600, MC2500, MC2600, MC4500, MC4600
• The two Secure Firewall Management Centers in a high availability configuration must be the same model.
• The primary Secure Firewall Management Center backup must not be restored to the secondary Secure Firewall Management Center.
• Bandwidth Requirements: There must be at least 5 Mbps of network bandwidth between the two Secure Firewall Management Centers to set up a high availability configuration between them.
• The two Secure Firewall Management Centers in a high availability configuration may be physically and geographically separated from each other in different data centers.
• See also License Requirements for Management Center High Availability Configurations, on page 282.
Virtual Platform Requirements
Requirements for establishing high availability (HA) using two management center virtual appliances:
• management center virtual must be running on VMware ESXi.
• management center virtual HA is supported on management center virtual 10, 25, and 300.
• The two management center virtual appliances in a high availability configuration must have the same device management capacity. For example, you cannot pair a management center virtual 25 with a management center virtual 300.
• High availability licensing requirements are different for virtual vs hardware management centers. See License Requirements for Management Center High Availability Configurations, on page 282.
Software Requirements
Access the Appliance Information widget to verify the software version, the intrusion rule update version and the vulnerability database update. By default, the widget appears on the Status tab of the Detailed Dashboard and the Summary Dashboard. For more information, see The Appliance Information Widget, on page 308.
• The two Secure Firewall Management Centers in a high availability configuration must have the same major (first number), minor (second number), and maintenance (third number) software version.
• The two Secure Firewall Management Centers in a high availability configuration must have the same version of the intrusion rule update installed.
• The two Secure Firewall Management Centers in a high availability configuration must have the same version of the vulnerability database update installed.
• The two Secure Firewall Management Centers in a high availability configuration must have the same version of the LSP (Lightweight Security Package) installed.
Warning If the software versions, intrusion rule update versions and vulnerability database update versions are not identical on both Secure Firewall Management Centers, you cannot establish high availability.
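As an added example (not code from the Cisco guide or the product), the following Python script applies the hardware, virtual platform and software requirements listed above to two appliance records and reports every violation before you attempt to pair the units. The appliance records, the model labels ("MC2600", "MCv25") and the version strings are constructed for the example; in practice you read the real values from the Appliance Information widget of each management center.

```python
"""Pre-flight check of the platform and software requirements for a management center HA pair.

Added example, not code from the Cisco guide. It encodes the requirements
stated in this chapter: the peers must be the same hardware model (or, for
virtual appliances, run on VMware ESXi with the same device management
capacity) and must have identical major.minor.maintenance software versions
and identical intrusion rule update (SRU), vulnerability database (VDB) and
LSP versions. All records and labels below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApplianceInfo:
    name: str
    model: str                        # hardware model, or capacity label for a virtual appliance (illustrative)
    virtual: bool
    software: str                     # e.g. "7.2.0" or "7.2.0.1"
    sru: str                          # intrusion rule update version
    vdb: str                          # vulnerability database version
    lsp: str                          # Lightweight Security Package version
    hypervisor: Optional[str] = None  # only meaningful when virtual is True


def version_triple(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance). Fields after the third are ignored because
    the guide names only the first three; tighten this if your deployment also requires
    identical patch levels."""
    parts = version.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unparseable software version: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def ha_preflight(a: ApplianceInfo, b: ApplianceInfo) -> List[str]:
    """Return every requirement violation found; an empty list means HA can be established."""
    problems: List[str] = []
    if a.virtual != b.virtual:
        problems.append("a hardware management center cannot be paired with a virtual one")
    elif a.virtual:
        for p in (a, b):
            if p.hypervisor != "ESXi":
                problems.append(f"{p.name}: management center virtual HA is supported only on VMware ESXi")
        if a.model != b.model:
            problems.append(f"virtual peers must have the same device management capacity: {a.model} vs {b.model}")
    elif a.model != b.model:
        problems.append(f"hardware peers must be the same model: {a.model} vs {b.model}")
    try:
        if version_triple(a.software) != version_triple(b.software):
            problems.append(f"software versions differ: {a.software} vs {b.software}")
    except ValueError as exc:
        problems.append(str(exc))
    # The SRU, VDB and LSP versions must be identical on both peers.
    for label, x, y in (("intrusion rule update (SRU)", a.sru, b.sru),
                        ("vulnerability database (VDB)", a.vdb, b.vdb),
                        ("LSP", a.lsp, b.lsp)):
        if x != y:
            problems.append(f"{label} versions differ: {x} vs {y}")
    return problems


# Constructed sample records (not real appliances).
PRIMARY = ApplianceInfo("fmc-primary", "MC2600", False, "7.2.0",
                        sru="2022-06-14-001-vrt", vdb="355", lsp="lsp-rel-20220614-1347")
SECONDARY = ApplianceInfo("fmc-secondary", "MC2600", False, "7.2.0",
                          sru="2022-06-14-001-vrt", vdb="355", lsp="lsp-rel-20220614-1347")

if __name__ == "__main__":
    for line in ha_preflight(PRIMARY, SECONDARY) or ["ok: high availability requirements satisfied"]:
        print(line)
```

Run it against both intended peers before starting the Establishing Management Center High Availability procedure; any line it prints corresponds to one of the bullets above and must be fixed on the lagging peer first.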
License Requirements for Management Center High Availability Configurations
Each device requires the same licenses whether managed by a single management center or by management centers in a high availability pair (hardware or virtual).
Example: If you want to enable advanced malware protection for two devices managed by a management center pair, buy two Malware licenses and two TM subscriptions, register the active management center with the Smart Software Manager, then assign the licenses to the two devices on the active management center.
Only the active management center is registered with the Smart Software Manager. When failover occurs, the system communicates with Smart Software Manager to release the license entitlements from the originally-active management center and assign them to the newly-active management center.
In Specific License Reservation deployments, only the primary management center requires a Specific License Reservation.
Hardware Management Center
No special license is required for hardware management centers in a high availability pair.
Management Center Virtual
You will need two identically licensed management center virtuals.
Example: For the management center virtual high availability pair managing 10 devices, you can use:
• Two (2) management center virtual 10 entitlements
• 10 device licenses
If you break the high availability pair, the management center virtual entitlements associated with the secondary management center virtual are released. (In the example, you would then have two standalone management center virtual 10s.)
Prerequisites for Management Center High Availability
Before establishing a Secure Firewall Management Center high availability pair:
• Export required policies from the intended secondary Secure Firewall Management Center to the intended primary Secure Firewall Management Center. For more information, see Exporting Configurations, on page 475.
• Make sure that the intended secondary Secure Firewall Management Center does not have any devices added to it. Delete devices from the intended secondary Secure Firewall Management Center and register these devices to the intended primary Secure Firewall Management Center. For more information, see Delete a Device from the Management Center and Add a Device to the Management Center.
• Import the policies into the intended primary Secure Firewall Management Center. For more information, see Importing Configurations, on page 476.
• On the intended primary Secure Firewall Management Center, verify the imported policies, edit them as needed and deploy them to the appropriate device. For more information, see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.
• On the intended primary Secure Firewall Management Center, associate the appropriate licenses to the newly added devices. For more information, see Assign Licenses to a Single Device, on page 254.
You can now proceed to establish high availability. For more information, see Establishing Management Center High Availability, on page 284.
Establishing Management Center High Availability
Establishing high availability can take a significant amount of time, even several hours, depending on the bandwidth between the peers and the number of policies. It also depends on the number of devices registered to the active Secure Firewall Management Center, which need to be synced to the standby Secure Firewall Management Center. You can view the High Availability page to check the status of the high availability peers.
Before you begin
• Confirm that both the Secure Firewall Management Centers adhere to the high availability system requirements. For more information, see Requirements for Management Center High Availability, on page 281.
• Confirm that you completed the prerequisites for establishing high availability. For more information, see Prerequisites for Management Center High Availability, on page 283.
Procedure
Step 1 Log into the Secure Firewall Management Center that you want to designate as the secondary.
Step 2 Choose System > Integration.
Step 3 Choose High Availability.
Step 4 Under Role for this Secure Firewall Management Center, choose Secondary.
Step 5 Enter the hostname or IP address of the primary Secure Firewall Management Center in the Primary Firepower Management Center Host text box.
You can leave this empty if the primary Secure Firewall Management Center does not have an IP address reachable from the peer management center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one management center to enable the HA connection.
Step 6 Enter a one-time-use registration key in the Registration Key text box.
The registration key is any user-defined alphanumeric value up to 37 characters in length. This registration key will be used to register both the secondary and the primary Secure Firewall Management Centers.
Step 7 If you did not specify the primary IP address, or if you do not plan to specify the secondary IP address on the primary Secure Firewall Management Center, then in the Unique NAT ID field, enter a unique alphanumeric ID. See for more information.
Step 8 Click Register.
Step 9 Using an account with Admin access, log into the Secure Firewall Management Center that you want to designate as the primary.
Step 10 Choose System > Integration.
Step 11 Choose High Availability.
Step 12 Under Role for this Secure Firewall Management Center, choose Primary.
Step 13 Enter the hostname or IP address of the secondary Secure Firewall Management Center in the Secondary Firepower Management Center Host text box.
You can leave this empty if the secondary Secure Firewall Management Center does not have an IP address reachable from the peer management center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one management center to enable the HA connection.
Step 14 Enter the same one-time-use registration key in the Registration Key text box you used in step 6.
Step 15 If required, enter the same NAT ID that you used in step 7 in the Unique NAT ID text box.
Step 16 Click Register.
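As an added example (not code from the Cisco guide or the product), the following Python check applies the rules of steps 5 through 15 to the values entered on the two High Availability pages before you click Register: the key's length and character set, matching keys on both peers, which host/NAT ID combinations are allowed, and matching NAT IDs. The addresses, key and NAT ID in the usage block are constructed.

```python
"""Validate the High Availability page entries of both peers before Register is clicked.

Added example, not code from the Cisco guide. Rules encoded from the procedure:
the registration key is a user-defined alphanumeric value of at most 37
characters and the same one-time-use key must be entered on both peers; a peer's
Host box may be left empty only when that peer has no IP address reachable from
the other, in which case a Unique NAT ID must be entered and must match on both
peers; and at least one peer's host must be specified. Sample values below are
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

REG_KEY_MAX_LEN = 37
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


@dataclass(frozen=True)
class HAForm:
    """Values entered on one management center's High Availability page."""
    role: str                   # "Primary" or "Secondary" (Role for this Secure Firewall Management Center)
    peer_host: Optional[str]    # hostname/IP of the other peer, or None if the Host box was left empty
    registration_key: str
    nat_id: Optional[str] = None


def validate_pair(secondary: HAForm, primary: HAForm) -> List[str]:
    """Return every rule violation; an empty list means the two forms are consistent."""
    problems: List[str] = []
    if secondary.role != "Secondary" or primary.role != "Primary":
        problems.append("one peer must be registered with role Secondary and the other with role Primary")
    for form in (secondary, primary):
        key = form.registration_key
        if not key or not _ALNUM.match(key):
            problems.append(f"{form.role}: registration key must be a non-empty alphanumeric value")
        elif len(key) > REG_KEY_MAX_LEN:
            problems.append(f"{form.role}: registration key exceeds {REG_KEY_MAX_LEN} characters")
    if secondary.registration_key != primary.registration_key:
        problems.append("registration keys differ: the same one-time-use key must be entered on both peers")
    host_blank = [f for f in (secondary, primary) if not f.peer_host]
    if len(host_blank) == 2:
        problems.append("at least one management center IP address or hostname must be specified")
    if host_blank:
        # A blank Host box means the peer is matched by NAT ID rather than by address,
        # so both sides must carry the same unique NAT ID.
        for form in (secondary, primary):
            if not form.nat_id:
                problems.append(f"{form.role}: Unique NAT ID is required because a Host field was left empty")
            elif not _ALNUM.match(form.nat_id):
                problems.append(f"{form.role}: Unique NAT ID must be alphanumeric")
        if secondary.nat_id and primary.nat_id and secondary.nat_id != primary.nat_id:
            problems.append("Unique NAT IDs differ: the same NAT ID must be entered on both peers")
    return problems


if __name__ == "__main__":
    # Constructed example: the primary is behind NAT, so the secondary leaves its Host box empty.
    on_secondary = HAForm("Secondary", None, "ha2022key", nat_id="fmcpair01")
    on_primary = HAForm("Primary", "10.10.20.6", "ha2022key", nat_id="fmcpair01")
    print(validate_pair(on_secondary, on_primary) or ["ok: consistent registration parameters"])
```

The check is deliberately conservative about the NAT ID: the procedure says it is required only when a host is left blank, and a mismatch is the error that surfaces later as a failed registration rather than at Register time, which is why it is worth catching here.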
What to do next
After establishing a Secure Firewall Management Center high availability pair, devices registered to the active Secure Firewall Management Center are automatically registered to the standby Secure Firewall Management Center.
Note When a registered device has a NAT IP address, automatic device registration fails and the secondary Secure Firewall Management Center High Availability page lists the device as local, pending. You can then assign a different NAT IP address to the device on the standby Secure Firewall Management Center High Availability page. If automatic registration otherwise fails on the standby Secure Firewall Management Center, but the device appears to be registered to the active Firepower Management Center, see Using CLI to Resolve Device Registration in Management Center High Availability, on page 287.
Viewing Management Center High Availability Status
After you identify your active and standby management centers, you can view information about the local management center and its peer.
Note In this context, Local Peer refers to the appliance where you are viewing the system status. Remote Peer refers to the other appliance, regardless of active or standby status.
Procedure
Step 1 Log into one of the management centers that you paired using high availability.
Step 2 Choose System > Integration.
Step 3 Choose High Availability.
You can view:
Summary Information
• The health status of the high availability pair. The status of a correctly functioning system will oscillate between "Healthy" and "Synchronization task is in progress" as the standby unit receives configuration changes from the active unit.
• The current synchronization status of the high availability pair
• The IP address of the active peer and the last time it was synchronized
• The IP address of the standby peer and the last time it was synchronized
System Status
• The IP addresses for both peers
• The operating system for both peers
• The software version for both peers
• The appliance model of both peers
Note You can view export control and compliance status only on the active management center.
Configurations Synced on Management Center High Availability Pairs
When you establish high availability between two management centers, the following configuration data is synced between them:
• License entitlements
• Access control policies
• Intrusion rules
• Malware and file policies
• DNS policies
• Identity policies
• SSL policies
• Prefilter policies
• Network discovery rules
• Application detectors
• Correlation policy rules
• Alerts
• Scanners
• Response groups
• Contextual cross-launch of external resources for investigating events
• Remediation settings, although you must install custom modules on both management centers. For more information on remediation settings, see Managing Remediation Modules, on page 989.
Configuring External Access to the Management Center Database in a High Availability Pair
In a high availability setup, we recommend that you use only the active peer to configure external access to the database. When you configure the standby peer for external database access, it leads to frequent disconnections. To restore connectivity, you must pause and then restart the synchronization of the standby peer; see Pausing Communication Between Paired Firepower Management Centers, on page 288 and Restarting Communication Between Paired Firepower Management Centers, on page 288. For information on how to enable external database access to Secure Firewall Management Centers, see Enabling External Access to the Database, on page 51.
Using CLI to Resolve Device Registration in Management Center High Availability
If automatic device registration fails on the standby Secure Firewall Management Center, but the device appears to be registered to the active Secure Firewall Management Center, complete the following steps:
Warning If you do an RMA of the secondary Secure Firewall Management Center or add a secondary Secure Firewall Management Center, the managed FTDs are unregistered and, as a result, their configuration may be deleted.
Procedure
Step 1 Unregister the device from the active Secure Firewall Management Center.
Step 2 Log into the CLI for the affected device.
Step 3 Run the CLI command: configure manager delete.
This command disables and removes the current Secure Firewall Management Center.
Step 4 Run the CLI command: configure manager add.
This command configures the device to initiate a connection to a Secure Firewall Management Center.
Tip Configure remote management on the device only for the active Secure Firewall Management Center. When high availability is established, devices are automatically added to be managed by the standby Secure Firewall Management Center.
Step 5 Log into the active Secure Firewall Management Center and register the device.
Switching Peers in a Management Center High Availability Pair
Because the system restricts some functionality to the active Secure Firewall Management Center, if that appliance fails, you must promote the standby Secure Firewall Management Center to active:
Procedure
Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2 Choose System > Integration.
Step 3 Choose High Availability.
Step 4 Choose Switch Peer Roles to change the local role from Active to Standby, or Standby to Active. With the Primary or Secondary designation unchanged, the roles are switched between the two peers.
Pausing Communication Between Paired Firepower Management Centers
If you want to temporarily disable high availability, you can disable the communications channel between the Secure Firewall Management Centers. If you pause synchronization on the active peer, you can resume synchronization on either the standby or active peer. However, if you pause synchronization on the standby peer, you only can resume synchronization on the standby peer.
Procedure
Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2 Choose > Integration.
Step 3 Choose High Availability.
Step 4 Choose Pause Synchronization.
Restarting Communication Between Paired Firepower Management Centers
If you temporarily disable high availability, you can restart high availability by enabling the communications channel between the Secure Firewall Management Centers. If you paused synchronization on the active unit, you can resume synchronization on either the standby or active unit. However, if you paused synchronization on the standby unit, you only can resume synchronization on the standby unit.
Procedure
Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2 Choose > Integration.
Step 3 Choose High Availability.
Step 4 Choose Resume Synchronization.
Changing the IP Address of a Management Center in a High Availability Pair
If the IP address for one of the high availability peers changes, high availability enters a degraded state. To recover high availability, you must manually change the IP address.
Procedure
Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2 Choose > Integration.
Step 3 Choose High Availability.
Step 4 Choose Peer Manager.
Step 5 Choose Edit ( ).
Step 6 Enter the display name of the appliance, which is used only within the context of the system.
Entering a different display name does not change the host name for the appliance.
Step 7 Enter the fully qualified domain name or the name that resolves through the local DNS to a valid IP address (that is, the host name), or the host IP address.
Step 8 Click Save.
Disabling Management Center High Availability
Procedure
Step 1 Log into one of the Secure Firewall Management Centers in the high availability pair.
Step 2 Choose > Integration.
Step 3 Choose High Availability.
Step 4 Choose Break High Availability.
Step 5 Choose one of the following options for handling managed devices:
• To control all managed devices with this Secure Firewall Management Center, choose Manage registered devices from this console. All devices will be unregistered from the peer.
• To control all managed devices with the other Secure Firewall Management Center, choose Manage registered devices from peer console. All devices will be unregistered from this Secure Firewall Management Center.
• To stop managing devices altogether, choose Stop managing registered devices from both consoles. All devices will be unregistered from both Secure Firewall Management Centers.
Note If you choose to manage the registered devices from the secondary Secure Firewall Management Center, the devices will be unregistered from the primary Secure Firewall Management Center. The devices are now registered to be managed by the secondary Secure Firewall Management Center. However, the licenses that were applied to these devices are deregistered on account of the high availability break operation. You must now proceed to re-register (enable) the licenses on the devices from the secondary Secure Firewall Management Center. For more information see Assign Licenses to Devices, on page 254.
Step 6 Click OK.
Replacing Management Centers in a High Availability Pair
If you need to replace a failed unit in a Secure Firewall Management Center high availability pair, you must follow one of the procedures listed below. The table lists four possible failure scenarios and their corresponding replacement procedures.
Failure Status | Data Backup Status | Replacement Procedure
Primary management center failed | Data backup successful | Replace a Failed Primary Management Center (Successful Backup)
Primary management center failed | Data backup not successful | Replace a Failed Primary Management Center (Unsuccessful Backup), on page 291
Secondary management center failed | Data backup successful | Replace a Failed Secondary Management Center (Successful Backup), on page 292
Secondary management center failed | Data backup not successful | Replace a Failed Secondary Management Center (Unsuccessful Backup), on page 293
Replace a Failed Primary Management Center (Successful Backup)
Two Secure Firewall Management Centers, FMC1 and FMC2, are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Secure Firewall Management Center, FMC1, when data backup from the primary is successful.
Before you begin
Verify that the data backup from the failed primary Secure Firewall Management Center is successful.
Procedure
Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC1.
Step 2 When the primary Secure Firewall Management Center - FMC1 fails, access the web interface of the secondary Secure Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.
This promotes the secondary Secure Firewall Management Center - FMC2 to active.
You can use FMC2 as the active Secure Firewall Management Center until the primary Secure Firewall Management Center - FMC1 is replaced.
Caution Do not break Secure Firewall Management Center High Availability from FMC2, since licenses that were synced to FMC2 from FMC1 (before failure) will be removed from FMC2 and you will be unable to perform any deploy actions from FMC2.
Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC1.
Step 4 Restore the data backup retrieved from FMC1 to the new Secure Firewall Management Center.
Step 5 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC2.
Step 6 The new Secure Firewall Management Center and FMC2 will now both be active peers, resulting in a high availability split-brain. When the Secure Firewall Management Center web interface prompts you to choose an active appliance, select FMC2 as active.
This syncs the latest configuration from FMC2 to the new Secure Firewall Management Center - FMC1.
Step 7 When the configuration syncs successfully, access the web interface of the secondary Secure Firewall Management Center - FMC2 and switch roles to make the primary Secure Firewall Management Center - FMC1 active. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.
Replace a Failed Primary Management Center (Unsuccessful Backup)
Two Secure Firewall Management Centers - FMC1 and FMC2 are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Secure Firewall Management Center - FMC1 when data backup from the primary is unsuccessful.
Procedure
Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC1.
Step 2 When the primary Secure Firewall Management Center - FMC1 fails, access the web interface of the secondary Secure Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.
This promotes the secondary Secure Firewall Management Center - FMC2 to active.
You can use FMC2 as the active Secure Firewall Management Center until the primary Secure Firewall Management Center - FMC1 is replaced.
Caution Do not break Secure Firewall Management Center High Availability from FMC2, since licenses that were synced to FMC2 from FMC1 (before failure) will be removed from FMC2 and you will be unable to perform any deploy actions from FMC2.
Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC1.
Step 4 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC2.
Step 5 Deregister the Secure Firewall Management Center - FMC2 from the Cisco Smart Software Manager. For more information, see Deregister the Management Center, on page 256.
Deregistering a Secure Firewall Management Center from the Cisco Smart Software Manager removes the Management Center from your virtual account. All license entitlements associated with the Secure Firewall Management Center release back to your virtual account. After deregistration, the Secure Firewall Management Center enters Enforcement mode where no update or changes on licensed features are allowed.
Step 6 Access the web interface of the secondary Secure Firewall Management Center - FMC2 and break Secure Firewall Management Center high availability. For more information, see Disabling Management Center High Availability, on page 289. When prompted to select an option for handling managed devices, choose Manage registered devices from this console.
As a result, licenses that were synced to the secondary Secure Firewall Management Center - FMC2 will be removed and you cannot perform deployment activities from FMC2.
Step 7 Re-establish Secure Firewall Management Center high availability by setting up the Secure Firewall Management Center - FMC2 as the primary and Secure Firewall Management Center - FMC1 as the secondary. For more information, see Establishing Management Center High Availability, on page 284.
Step 8 Register a Smart License to the primary Secure Firewall Management Center - FMC2. For more information see Register the Management Center with the Smart Software Manager, on page 249.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.
Replace a Failed Secondary Management Center (Successful Backup)
Two Secure Firewall Management Centers - FMC1 and FMC2 are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed secondary Secure Firewall Management Center - FMC2 when data backup from the secondary is successful.
Before you begin
Verify that the data backup from the failed secondary Secure Firewall Management Center is successful.
Procedure
Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC2.
Step 2 Continue to use the primary Secure Firewall Management Center - FMC1 as the active Secure Firewall Management Center.
Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC2.
Step 4 Restore the data backup from FMC2 to the new Secure Firewall Management Center.
Step 5 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC1.
Step 6 Resume data synchronization (if paused) from the web interface of the new Secure Firewall Management Center - FMC2, to synchronize the latest configuration from the primary Secure Firewall Management Center - FMC1. For more information, see Restarting Communication Between Paired Firepower Management Centers, on page 288.
Classic and Smart Licenses work seamlessly.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.
Replace a Failed Secondary Management Center (Unsuccessful Backup)
Two Secure Firewall Management Centers - FMC1 and FMC2 are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed secondary Secure Firewall Management Center - FMC2 when data backup from the secondary is unsuccessful.
Procedure
Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC2.
Step 2 Continue to use the primary Secure Firewall Management Center - FMC1 as the active Secure Firewall Management Center.
Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC2.
Step 4 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC1.
Step 5 Access the web interface of the primary Secure Firewall Management Center - FMC1 and break Secure Firewall Management Center high availability. For more information, see Disabling Management Center High Availability, on page 289. When prompted to select an option for handling managed devices, choose Manage registered devices from this console.
Step 6 Re-establish Secure Firewall Management Center high availability by setting up the Secure Firewall Management Center - FMC1 as the primary and Secure Firewall Management Center - FMC2 as the secondary. For more information, see Establishing Management Center High Availability, on page 284.
• When high availability is successfully established, the latest configuration from the primary Secure Firewall Management Center - FMC1 is synchronized to the secondary Secure Firewall Management Center - FMC2.
• Classic and Smart Licenses work seamlessly.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.
Management Center High Availability Disaster Recovery
In a disaster recovery situation, a manual switchover must be performed. When the primary management center - FMC1 fails, access the web interface of the secondary management center - FMC2 and switch peers. The same applies conversely if the secondary (FMC2) fails. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.
For restoring a failed management center, refer to Replacing Management Centers in a High Availability Pair, on page 290.
History for Management Center High Availability
Feature | Version | Details
Management Center high availability with management center virtual on VMWare | 6.7 | You can now achieve management center high availability using management center virtual running on VMWare. See requirements at Virtual Platform Requirements, on page 282. Supported platforms: management center virtual 10, 25, and 300 for VMWare
Single Sign-On | 6.7 | When configuring one or both members of a high-availability pair for single sign-on, you must take into account special considerations. Supported platforms: management center.
CHAPTER 9
Security Certifications Compliance
The following topics describe how to configure your system to comply with security certifications standards:
• Security Certifications Compliance Modes, on page 295
• Security Certifications Compliance Characteristics, on page 296
• Security Certifications Compliance Recommendations, on page 297
• Enable Security Certifications Compliance, on page 300
Security Certifications Compliance Modes
Your organization might be required to use only equipment and software complying with security standards established by the U.S. Department of Defense and global certification organizations. Firepower supports compliance with the following security certifications standards:
• Common Criteria (CC): a global standard established by the international Common Criteria Recognition Arrangement, defining properties for security products
• Unified Capabilities Approved Products List (UCAPL): a list of products meeting security requirements established by the U.S. Defense Information Systems Agency (DISA)
Note The U.S. Government has changed the name of the Unified Capabilities Approved Products List (UCAPL) to the Department of Defense Information Network Approved Products List (DODIN APL). References to UCAPL in this documentation and the Secure Firewall Management Center web interface can be interpreted as references to DODIN APL.
• Federal Information Processing Standards (FIPS) 140: a requirements specification for encryption modules
You can enable security certifications compliance in CC mode or UCAPL mode. Enabling security certifications compliance does not guarantee strict compliance with all requirements of the security mode selected. For more information on hardening procedures, refer to the guidelines for this product provided by the certifying entity.
Caution After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL mode, you must reimage.
Security Certifications Compliance Characteristics
The following table describes behavior changes when you enable CC or UCAPL mode. (Restrictions on login accounts refer to command line access, not web interface access.)
The columns are Secure Firewall Management Center (CC Mode, UCAPL Mode), Classic Managed Devices (CC Mode, UCAPL Mode), and Secure Firewall Threat Defense (CC Mode, UCAPL Mode).
System Change | Management Center CC Mode | Management Center UCAPL Mode | Classic Managed Devices CC Mode | Classic Managed Devices UCAPL Mode | Threat Defense CC Mode | Threat Defense UCAPL Mode
FIPS compliance is enabled. | Yes | Yes | Yes | Yes | Yes | Yes
The system does not allow remote storage for backups or reports. | Yes | Yes | — | — | — | —
The admin user can be locked out after a maximum number of failed login attempts configurable through the local appliance CLI. | No | No | Yes, regardless of security certifications compliance enablement. | Yes, regardless of security certifications compliance enablement. | Yes | Yes
The system automatically rekeys an SSH session with an appliance: after a key has been in use for one hour of session activity; after a key has been used to transmit 1 GB of data over the connection. | Yes | Yes | Yes | Yes | Yes | Yes
The system performs a file system integrity check (FSIC) at boot-time. If the FSIC fails, Firepower software does not start, remote SSH access is disabled, and you can access the appliance only via local console. If this happens, contact Cisco TAC. | Yes | Yes | Yes | Yes | Yes | Yes
The table also lists the following changes; which of them apply depends on the appliance type and on whether CC or UCAPL mode is enabled:
• The system starts an additional system audit daemon.
• The system boot loader is secured.
• The system applies additional security to login accounts.
• The system disables the reboot key sequence Ctrl+Alt+Del.
• The system enforces a maximum of ten simultaneous login sessions.
• Passwords must be at least 15 characters long, must consist of alphanumeric characters of mixed case, and must include at least one numeric character.
• The minimum required password length for the local admin user can be configured using the local device CLI.
• Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.
• The system locks out users other than admin after three failed login attempts in a row. In this case, the password must be reset by an administrator.
• The system stores password history by default.
• The admin user can be locked out after a maximum number of failed login attempts configurable through the web interface.
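As an added illustration of the password and consecutive-failure lockout rules listed in the table (example code written for this page, not Cisco code; the word list and user names are constructed stand-ins), the following Python models those checks so an administrator can see which rule a candidate password or login sequence trips:

```python
"""Added example: models the password and login-lockout rules listed in the
table above (15-character minimum, mixed case plus a digit, no consecutive
repeating characters, no dictionary words, lockout after three failed logins
in a row for users other than admin). Not Cisco code; the dictionary below is
a constructed stand-in for the appliance's own word list."""
from typing import Dict, List, Optional, Set

MIN_LENGTH = 15

# Constructed stand-in for a system word list.
DICTIONARY: Set[str] = {"password", "firewall", "management", "administrator", "cisco"}


def check_password(password: str, dictionary: Set[str] = DICTIONARY,
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of rules the password violates (empty means accepted)."""
    violations: List[str] = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    # "Alphanumeric characters of mixed case" is read here as requiring at
    # least one upper-case and one lower-case letter; other characters are
    # not rejected by this check (an assumption, not stated by the table).
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("not mixed case")
    if not any(c.isdigit() for c in password):
        violations.append("no numeric character")
    # Consecutive repeating characters, e.g. "ss" or "11".
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("consecutive repeating characters")
    if password.lower() in dictionary:
        violations.append("dictionary word")
    return violations


class LoginLockoutTracker:
    """Consecutive-failure lockout as described in the table: users other than
    admin lock after three failed attempts in a row; the admin threshold is
    configurable (None means this tracker never locks the admin user)."""

    def __init__(self, admin_max_failures: Optional[int] = None,
                 other_max_failures: int = 3) -> None:
        self.admin_max_failures = admin_max_failures
        self.other_max_failures = other_max_failures
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    def _threshold(self, user: str) -> Optional[int]:
        return self.admin_max_failures if user == "admin" else self.other_max_failures

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def record_failure(self, user: str) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if user in self._locked:
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        threshold = self._threshold(user)
        if threshold is not None and self._failures[user] >= threshold:
            self._locked.add(user)
        return user in self._locked

    def record_success(self, user: str) -> bool:
        """A successful login resets the consecutive-failure count. A locked
        account stays locked until an administrator resets it. Returns True
        if the login is allowed."""
        if user in self._locked:
            return False
        self._failures[user] = 0
        return True

    def administrator_reset(self, user: str) -> None:
        """The administrator resets the password and clears the lockout."""
        self._locked.discard(user)
        self._failures[user] = 0
```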
Security Certifications Compliance Recommendations
Cisco recommends that you observe the following best practices when using a system with security certifications compliance enabled:
• To enable security certifications compliance in your deployment, enable it first on the Secure Firewall Management Center, then enable it in the same mode on all managed devices.
Caution The Secure Firewall Management Center will not receive event data from a managed device unless both are operating in the same security certifications compliance mode.
• For all users, enable password strength checking and set the minimum password length to the value required by the certifying agency.
• If you are using Secure Firewall Management Centers in a high-availability configuration, configure them both to use the same security certifications compliance mode.
• When you configure Secure Firewall Threat Defense on a Firepower 4100/9300 to operate in CC or UCAPL mode, you should also configure the Firepower 4100/9300 to operate in CC mode. For more information, see the Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration Guide.
• Do not configure the system to use any of the following features:
• Email reports, alerts, or data pruning notifications.
• Nmap Scan, Cisco IOS Null Route, Set Attribute Value, or ISE EPS remediations.
• Remote storage for backups or reports.
• Third-party client access to the system database.
• External notifications or alerts transmitted via email (SMTP), SNMP trap, or syslog.
• Audit log messages transmitted to an HTTP server or to a syslog server without using SSL certificates to secure the channel between the appliance and the server.
• Do not enable external authentication using LDAP or RADIUS in deployments using CC mode.
• Do not enable CACs in deployments using CC mode.
• Disable access to the Secure Firewall Management Center and managed devices via the Firepower REST API in deployments using CC or UCAPL mode.
• Enable CACs in deployments using UCAPL mode.
• Do not configure SSO in deployments using CC mode.
• Do not configure Secure Firewall Threat Defense devices into a high availability pair unless they are both using the same security certifications compliance mode.
Note The system does not support CC or UCAPL mode for:
• Secure Firewall Threat Defense devices in clusters
• Secure Firewall Threat Defense container instances on the Firepower 4100/9300
Appliance Hardening
For information about features you can use to further harden your system, see the latest versions of the Cisco Firepower Management Center Hardening Guide and the Cisco Secure Firewall Threat Defense Hardening Guide, as well as the following topics within this document:
• Logging into the Management Center, on page 27
• Audit Log Certificate, on page 75
• Time and Time Synchronization, on page 84
• Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide
• Creating an Email Alert Response, on page 523
• Configuring Email Alerting for Intrusion Events, on page 532
• Configure SMTP in the Cisco Secure Firewall Management Center Device Configuration Guide
• About SNMP for the Firepower 1000/2100 Series in the Cisco Secure Firewall Management Center Device Configuration Guide
• Configure SNMP in the Cisco Secure Firewall Management Center Device Configuration Guide
• Creating an SNMP Alert Response, on page 519
• Configure Dynamic DNS in the Cisco Secure Firewall Management Center Device Configuration Guide
• Security Certifications Compliance, on page 295
• Configuring SSH for Remote Storage, on page 67
• Audit Log Certificate, on page 75
• HTTPS Certificates, on page 43
• Customize User Roles for the Web Interface, on page 180
• Add an Internal User, on page 111
• About Configuring Syslog in the Cisco Secure Firewall Management Center Device Configuration Guide
• Schedule Management Center Backups, on page 454
• Site-to-Site VPNs for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide
• Remote Access VPN in the Cisco Secure Firewall Management Center Device Configuration Guide
• FlexConfig Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Protecting Your Network
See the following topics to learn about features you can configure to protect your network:
• Access Control Policies
• Security Intelligence in the Cisco Secure Firewall Management Center Device Configuration Guide
• Getting Started with Intrusion Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
• Tuning Intrusion Policies Using Rules in the Cisco Secure Firewall Management Center Device Configuration Guide
• Custom Intrusion Rules in the Cisco Secure Firewall Management Center Device Configuration Guide
• Update Intrusion Rules, on page 210
• Global Limit for Intrusion Event Logging in the Cisco Secure Firewall Management Center Device Configuration Guide
• Transport and Network Layer Preprocessors in the Cisco Secure Firewall Management Center Device Configuration Guide
• Specific Threat Detection in the Cisco Secure Firewall Management Center Device Configuration Guide
• Application Layer Preprocessors in the Cisco Secure Firewall Management Center Device Configuration Guide
Enable Security Certifications Compliance
This configuration applies to either a Secure Firewall Management Center or managed device:
• For the Secure Firewall Management Center, this configuration is part of the system configuration.
• For a managed device, you apply this configuration from the management center as part of a platform settings policy.
In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.
Caution After you enable this setting, you cannot disable it. If you need to take the appliance out of CC or UCAPL mode, you must reimage.
Before you begin
• We recommend you register all devices that you plan to be part of your deployment to the management center before enabling security certifications compliance on any appliances.
• Secure Firewall Threat Defense devices cannot use an evaluation license; your Smart Software Manager account must be enabled for export-controlled features.
• Secure Firewall Threat Defense devices must be deployed in routed mode.
• You must be an Admin user to perform this task.
Procedure
Step 1 Depending on whether you are configuring a management center or a managed device:
• management center: Choose System ( ) > Configuration.
• threat defense device: Choose Devices > Platform Settings and create or edit a Secure Firewall Threat Defense policy.
Step 2 Click UCAPL/CC Compliance.
Note Appliances reboot when you enable UCAPL or CC compliance. The management center reboots when you save the system configuration; managed devices reboot when you deploy configuration changes.
Step 3 To permanently enable security certifications compliance on the appliance, you have two choices:
• To enable security certifications compliance in Common Criteria mode, choose CC from the drop-down list.
• To enable security certifications compliance in Unified Capabilities Approved Products List mode, choose UCAPL from the drop-down list.
Step 4 Click Save.
What to do next
• Establish additional configuration changes as described in the guidelines for this product provided by the certifying entity.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
PART III
Health and Monitoring
CHAPTER 10
Dashboards
The following topics describe how to use dashboards:
• Dashboard Widgets, on page 306
• Managing Dashboards, on page 318
About Dashboards
Dashboards provide you with at-a-glance views of current system status, including data about the events collected and generated by the system. You can also use dashboards to see information about the status and overall health of the appliances in your deployment. Keep in mind that the information the dashboard provides depends on how you license, configure, and deploy the system.
Note Ensure that you have enabled REST API ( Settings > Configuration > REST API Preferences ) to view the correlated device metrics on the dashboard.
Tip The dashboard is a complex, highly customizable monitoring feature that provides exhaustive data. For a broad, brief, and colorful picture of your monitored network, use the Context Explorer.
A dashboard uses tabs to display widgets: small, self-contained components that provide insight into different aspects of the system. For example, the predefined Appliance Information widget tells you the appliance name, model, and currently running software version. The system constrains widgets by the dashboard time range, which you can change to reflect a period as short as the last hour or as long as the last year.
The system is delivered with several predefined dashboards, which you can use and modify. If your user role has access to dashboards (Administrator, Maintenance User, Security Analyst, Security Analyst [Read Only], and custom roles with the Dashboards permission), by default your home page is the predefined Summary Dashboard. However, you can configure a different default home page, including non-dashboards. You can also change the default dashboard. Note that if your user role cannot access dashboards, your default home page is relevant to the role; for example, a Discovery Admin sees the Network Discovery page.
You can also use predefined dashboards as the base for custom dashboards, which you can either share or restrict as private. Unless you have Administrator access, you cannot view or modify private dashboards created by other users.
Note Some drill-down pages and table views of events include a Dashboard toolbar link that you can click to view a relevant predefined dashboard. If you delete a predefined dashboard or tab, the associated toolbar links do not function.
In a multidomain deployment, you cannot view dashboards from ancestor domains; however, you can create new dashboards that are copies of the higher-level dashboards.
Dashboard Widgets
A dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout.
The system is delivered with many predefined dashboard widgets, each of which provides insight into a different aspect of the system. Widgets are grouped into three categories:
• Analysis & Reporting widgets display data about the events collected and generated by the system.
• Miscellaneous widgets display neither event data nor operations data. Currently, the only widget in this category displays an RSS feed.
• Operations widgets display information about the status and overall health of the system.
The dashboard widgets that you can view depend on:
• the type of appliance you are using
• your user role
• your current domain (in a multidomain deployment)
In addition, each dashboard has a set of preferences that determines its behavior.
You can minimize and maximize widgets, add and remove widgets from tabs, as well as rearrange the widgets on a tab.
Note For widgets that display event counts over a time range, the total number of events may not reflect the number of events for which detailed data is available in the tables on pages under the Analysis menu. This occurs because the system sometimes prunes older event details to manage disk space usage. To minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment.
Widget Availability
The dashboard widgets that you can view depend on the type of appliance you are using, your user role, and your current domain (in a multidomain deployment).
In a multidomain deployment, if you do not see a widget that you expect to see, switch to the Global domain. See Switching Domains on the Secure Firewall Management Center, on page 20.
Note that:
• An invalid widget is one that you cannot view because you are using the wrong type of appliance.
• An unauthorized widget is one that you cannot view because your user account does not have the necessary privileges. For example, the Appliance Status widget is available only on the management center for users with Administrator, Maintenance User, Security Analyst, or Security Analyst (Read Only) account privileges.
Although you cannot add an unauthorized or invalid widget to a dashboard, an imported dashboard may contain unauthorized or invalid widgets. For example, such widgets can be present if the imported dashboard:
• Was created by a user with different access privileges, or
• Belongs to an ancestor domain.
Unavailable widgets are disabled and display error messages that indicate why you cannot view them.
Individual widgets also display error messages when those widgets have timed out or are otherwise experiencing problems.
Note You can delete or minimize unauthorized and invalid widgets, as well as widgets that display no data, keeping in mind that modifying a widget on a shared dashboard modifies it for all users of the appliance.
Dashboard Widget Availability by User Role
The following table lists the user account privileges required to view each widget. Only user accounts with Administrator, Maintenance User, Security Analyst, or Security Analyst (Read Only) access can use dashboards.
Users with custom roles may have access to any combination of widgets, or none at all, as their user roles permit.
Table 16: User Roles and Dashboard Widget Availability
Widget                   | Administrator | Maintenance User | Security Analyst | Security Analyst (RO)
Appliance Information    | yes           | yes              | yes              | yes
Appliance Status         | yes           | yes              | yes              | yes
Disk Usage               | yes           | yes              | yes              | yes
Interface Traffic        | yes           | yes              | yes              | yes
Correlation Events       | yes           | no               | yes              | yes
Current Interface Status | yes           | yes              | yes              | yes
Current Sessions         | yes           | no               | no               | no
Custom Analysis          | yes           | no               | yes              | yes
Intrusion Events         | yes           | no               | yes              | yes
Network Compliance       | yes           | no               | yes              | yes
Product Licensing        | yes           | yes              | no               | no
Product Updates          | yes           | yes              | no               | no
RSS Feed                 | yes           | yes              | yes              | yes
System Load              | yes           | yes              | yes              | yes
System Time              | yes           | yes              | yes              | yes
Allow List Events        | yes           | no               | yes              | yes
Predefined Dashboard Widgets
The system is delivered with several predefined widgets that, when used on dashboards, can provide you with at-a-glance views of current system status. These views include:
• data about the events collected and generated by the system
• information about the status and overall health of the appliances in your deployment
Note The dashboard widgets you can view depend on the type of appliance you are using, your user role, and your current domain in a multidomain deployment.
The Appliance Information Widget
The Appliance Information widget provides a snapshot of the appliance. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
If the management center is configured for high availability, the widget also shows the high-availability state of the management center: its Role, Status, Detail Status, and Last Contact. The widget provides:
• The name, IPv4 address, IPv6 address, and model of the appliance
• The versions of the system software, operating system, Snort, rule update, rule pack, module pack, vulnerability database (VDB), and geolocation update installed on the appliance; on a virtual Secure Firewall Management Center these version details are not shown
• For managed appliances, the name and status of the communications link with the managing appliance
You can configure the widget to display more or less information by modifying the widget preferences to display a simple or an advanced view; the preferences also control how often the widget updates.
The Appliance Status Widget
The Appliance Status widget indicates the health of the appliance and of any appliances it is managing. Note that because the Secure Firewall Management Center does not automatically apply a health policy to managed devices, you must manually apply a health policy to devices or their status appears as Disabled. This widget appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can configure the widget to display appliance status as a pie chart or in a table by modifying the widget preferences.
The preferences also control how often the widget updates.
You can click a section on the pie chart or one of the numbers on the appliance status table to go to the Health Monitor page and view the compiled health status of the appliance and of any appliances it is managing.
The Correlation Events Widget
The Correlation Events widget shows the average number of correlation events per second, by priority, over the dashboard time range. It appears by default on the Correlation tab of the Detailed Dashboard.
You can configure the widget to display correlation events of different priorities by modifying the widget preferences, as well as to choose a linear (incremental) or logarithmic (factor of ten) scale.
Check one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority. Choose Show All to display an additional graph for all correlation events, regardless of priority. The preferences also control how often the widget updates.
You can click a graph to view correlation events of a specific priority, or click the All graph to view all correlation events. In either case, the events are constrained by the dashboard time range; accessing correlation events via the dashboard changes the events (or global) time window for the appliance.
The Current Interface Status Widget
The Current Interface Status widget shows the status of all interfaces on the appliance, enabled or unused. On a Secure Firewall Management Center, you can display the management (eth0, eth1, and so on) interfaces. On a managed device, you can choose to show only sensing (s1p1 and so on) interfaces or both management and sensing interfaces. Interfaces are grouped by type: management, inline, passive, switched, routed, and unused.
For each interface, the widget provides:
• the name of the interface
• the link state of the interface
• the link mode (for example, 100Mb full duplex, or 10Mb half duplex) of the interface
• the type of interface, that is, copper or fiber
• the amount of data received (Rx) and transmitted (Tx) by the interface
The color of the ball representing link state indicates the current status, as follows:
• green: link is up and at full speed
• yellow: link is up but not at full speed
• red: link is not up
• gray: link is administratively disabled
• blue: link state information is not available (for example, ASA)
The widget preferences control how often the widget updates.
The Current Sessions Widget
The Current Sessions widget shows which users are currently logged into the appliance, the IP address associated with the machine where the session originated, and the last time each user accessed a page on the appliance (based on the local time for the appliance). The user that represents you, that is, the user currently viewing the widget, is marked with a User icon and rendered in bold type. Sessions are pruned from this widget’s data within one hour of logoff or inactivity. This widget appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
On the Current Sessions widget, you can:
• click any user name to manage user accounts on the User Management page.
• click the Host icon or Compromised Host icon next to any IP address to view the host profile for the associated machine.
• click any IP address or access time to view the audit log constrained by that IP address and by the time that the user associated with that IP address logged on to the web interface.
The widget preferences control how often the widget updates.
The Custom Analysis Widget
The Custom Analysis widget is a highly customizable widget that allows you to display detailed information on the events collected and generated by the system.
The widget is delivered with multiple presets that provide quick access to information about your deployment.
The predefined dashboards make extensive use of these presets. You can use these presets or create a custom configuration. At a minimum, a custom configuration specifies the data you are interested in (table and field), and an aggregation method for that data. You can also set other display-related preferences, including whether you want to show events as relative occurrences (bar graph) or over time (line graph).
The widget displays the last time it updated, based on local time. The widget updates with a frequency that depends on the dashboard time range. For example, if you set the dashboard time range to an hour, the widget updates every five minutes. On the other hand, if you set the dashboard time range to a year, the widget updates once a week. To determine when the dashboard will update next, hover your pointer over the Last updated notice in the bottom left corner of the widget.
Note A red-shaded Custom Analysis widget indicates that its use is harming system performance. If the widget continues to stay red over time, remove the widget. You can also disable all Custom Analysis widgets from the Dashboard settings in your system configuration (System > Configuration > Dashboard).
Displaying Relative Occurrences of Events (Bar Graphs)
For bar graphs in the Custom Analysis widget, the colored bars in the widget background show the relative number of occurrences of each event. Read the bars from right to left.
The Direction icon indicates and controls the sort order of the display. A downward-pointing icon indicates descending order; an upward-pointing icon indicates ascending order. To change the sort order, click the icon.
Next to each event, the widget can display one of three icons to indicate any changes from the most recent results:
• The new event (Add) icon signifies that the event is new to the results.
• The Up Arrow icon indicates that the event has moved up in the standings since the last time the widget updated. A number indicating how many places the event has moved up appears next to the icon.
• The Down Arrow icon indicates that the event has moved down in the standings since the last time the widget updated. A number indicating how many places the event has moved down appears next to the icon.
Displaying Events Over Time (Line Graphs)
If you want information on events or other collected data over time, you can configure the Custom Analysis widget to display a line graph, such as one that displays the total number of intrusion events generated in your deployment over time.
Limitations to the Custom Analysis Widget
A Custom Analysis widget may indicate that you are unauthorized to view the data that is configured to display. For example, Maintenance Users are not authorized to view discovery events. As another example, the widget does not display information related to unlicensed features. However, you (and any other users who share the dashboard) can modify the widget preferences to display data that you can see, or even delete the widget. If you want to make sure that this does not happen, save the dashboard as private.
When viewing user data, the system displays only authoritative users.
When viewing URL category information, the system does not display uncategorized URLs.
When viewing intrusion events aggregated by Count , the count includes reviewed events for intrusion events; if you view the count in tables on pages under the Analysis menus, the count will not include reviewed events.
Note In a multidomain deployment, the system builds a separate network map for each leaf domain. As a result, a leaf domain can contain an IP address that is unique within its network, but identical to an IP address in another leaf domain. When you view Custom Analysis widgets in an ancestor domain, multiple instances of that repeated IP address can be displayed. At first glance, they might appear to be duplicate entries. However, if you drill down to the host profile information for each IP address, the system shows that they belong to different leaf domains.
How to Create Dashboard Widgets for a Device
Any widgets that show events from devices can be configured to use a filter that limits the display of events for a given device or a set of devices.
1. Create and save a search: Go to Analysis > Search and enter the search parameters to match the specific device names.
Note You must provide an exact text match, as there is no drop-down listing the deployed device names.
2. Go to Overview > Dashboards > Add Widgets to create a Custom Analysis widget.
3. Return to Overview > Dashboards and modify the new widget so that its scope is the saved search.
Example: Configuration of Custom Analysis Widget
You can configure the Custom Analysis widget to display a list of recent intrusion events by configuring the widget to display data from the Intrusion Events table. Choosing the Classification field and aggregating this data by Count displays the number of events that were generated for each type.
On the other hand, aggregating by Unique Events displays the number of unique intrusion events of each type (for example, how many detections of network trojans, potential violations of corporate policy, attempted denial-of-service attacks, and so on).
You can further customize the widget using a saved search, either one of the predefined searches delivered with your appliance or a custom search that you created. For example, constraining the first example (intrusion events using the Classification field, aggregated by Count) using the Dropped Events search displays the number of intrusion events that were dropped for each type.
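The aggregation described in this example, together with the Show Movers icons of the bar-graph display and the reviewed-events caveat noted under Limitations, as an added worked example. This is not code from the guide or from the management center: the event records, field names and the `dropped_events` predicate that stands in for the predefined Dropped Events search are hypothetical, and Unique Events is modelled as the number of distinct rule IDs per classification.

```python
"""Added example, not code from the Cisco guide: how a Custom Analysis
style widget aggregates intrusion events and computes its "movers" icons.

Assumptions (hypothetical, not from the guide): the event records, the
field names and the predicate that stands in for the predefined
"Dropped Events" saved search. "Unique Events" is modelled here as the
number of distinct rule IDs (sid) that fired per classification.
"""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for rows of the Intrusion Events table.
INTRUSION_EVENTS = [
    {"classification": "trojan-activity",  "sid": 1001, "inline_result": "dropped",    "reviewed": False},
    {"classification": "trojan-activity",  "sid": 1001, "inline_result": "dropped",    "reviewed": True},
    {"classification": "trojan-activity",  "sid": 1002, "inline_result": "would-drop", "reviewed": False},
    {"classification": "policy-violation", "sid": 2001, "inline_result": "",           "reviewed": False},
    {"classification": "policy-violation", "sid": 2002, "inline_result": "dropped",    "reviewed": False},
    {"classification": "attempted-dos",    "sid": 3001, "inline_result": "",           "reviewed": True},
    {"classification": "attempted-dos",    "sid": 3001, "inline_result": "",           "reviewed": False},
]


def dropped_events(event: dict) -> bool:
    """Hypothetical stand-in for the predefined "Dropped Events" search."""
    return event["inline_result"] == "dropped"


def aggregate(
    events: List[dict],
    field: str,
    method: str = "count",
    search: Optional[Callable[[dict], bool]] = None,
    include_reviewed: bool = True,
    show: str = "top",
    results: int = 10,
) -> List[Tuple[str, int]]:
    """Group events by `field` the way the widget's Aggregate preference does.

    method="count"  -> number of events per value (the dashboard count, which
                       includes reviewed events unless include_reviewed=False,
                       mirroring the tables under the Analysis menus).
    method="unique" -> number of distinct rules (sid) per value.
    `search` constrains the rows first, like the Search preference; `show`
    and `results` mirror the Show (Top/Bottom) and Results preferences.
    """
    rows = [
        e for e in events
        if (include_reviewed or not e["reviewed"]) and (search is None or search(e))
    ]
    if method == "count":
        totals = Counter(e[field] for e in rows)
    elif method == "unique":
        sids: Dict[str, set] = defaultdict(set)
        for e in rows:
            sids[e[field]].add(e["sid"])
        totals = Counter({k: len(v) for k, v in sids.items()})
    else:
        raise ValueError(f"unknown aggregation method: {method}")

    if show == "top":
        key = lambda kv: (-kv[1], kv[0])   # most frequent first, name breaks ties
    elif show == "bottom":
        key = lambda kv: (kv[1], kv[0])    # least frequent first
    else:
        raise ValueError(f"show must be 'top' or 'bottom', not {show!r}")
    return sorted(totals.items(), key=key)[:results]


def movers(previous: List[str], current: List[str]) -> Dict[str, str]:
    """Derive the Show Movers icons ("new", "up N", "down N" or "same") per row
    by comparing each value's rank at the previous refresh with its rank now."""
    prev_rank = {value: i for i, value in enumerate(previous)}
    out = {}
    for rank, value in enumerate(current):
        if value not in prev_rank:
            out[value] = "new"
            continue
        delta = prev_rank[value] - rank
        out[value] = f"up {delta}" if delta > 0 else f"down {-delta}" if delta < 0 else "same"
    return out


if __name__ == "__main__":
    dashboard = aggregate(INTRUSION_EVENTS, "classification")
    print("dashboard count:", dashboard)
    print("Analysis-table count (reviewed excluded):",
          aggregate(INTRUSION_EVENTS, "classification", include_reviewed=False))
    print("unique rules:", aggregate(INTRUSION_EVENTS, "classification", method="unique"))
    print("dropped only:", aggregate(INTRUSION_EVENTS, "classification", search=dropped_events))
    print("movers:", movers(["policy-violation", "attempted-dos", "trojan-activity"],
                            [k for k, _ in dashboard]))
```

The difference between the two Count results is the reviewed-events discrepancy the guide warns about: the reviewed trojan-activity and attempted-dos rows are counted on the dashboard but would be absent from the Analysis table view, so the two figures should not be compared without that adjustment.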
Related Topics
Modifying Dashboard Time Settings, on page 323
Custom Analysis Widget Preferences
The following table describes the preferences you can set in the Custom Analysis widget.
Different preferences appear depending on how you configure the widget. For example, a different set of preferences appears if you configure the widget to show relative occurrences of events (a bar graph) vs a graph over time (a line graph). Some preferences, such as Filter, only appear if you choose a specific table from which to display data.
Table 17: Custom Analysis Widget Preferences
Preference | Details
Title | If you do not specify a title for the widget, the system uses the configured event type as the title.
Preset | Custom Analysis presets provide quick access to information about your deployment. The predefined dashboards make extensive use of these presets. You can use these presets or you can create a custom configuration.
Table (required) | The table of events or assets that contains the data the widget displays.
Field (required) | The specific field of the event type you want to display. To show data over time (line graphs), choose Time. To show relative occurrences of events (bar graphs), choose another option.
Aggregate (required) | The aggregation method configures how the widget groups the data it displays. For most event types, the default option is Count.
Filter | You can use application filters to constrain data from the Application Statistics and Intrusion Event Statistics by Application tables.
Search | You can use a saved search to constrain the data that the widget displays. You do not have to specify a search, although some presets use predefined searches. Only you can access searches that you have saved as private. If you configure the widget on a shared dashboard and constrain its events using a private search, the widget resets to not using the search when another user logs in. This affects your view of the widget as well. If you want to make sure that this does not happen, save the dashboard as private. Only fields that constrain connection summaries can constrain Custom Analysis dashboard widgets based on connection events. Invalid saved searches are dimmed. If you constrain a Custom Analysis widget using a saved search, then edit the search, the widget does not reflect your changes until the next time it updates.
Show | Choose whether you want to display the most (Top) or the least (Bottom) frequently occurring events.
Results | Choose the number of result rows to display.
Show Movers | Choose whether you want to display the icons that indicate changes from the most recent results.
Time Zone | Choose the time zone you want to use to display results.
Color | You can change the color of the bars in the widget's bar graph.
Related Topics
Configuring Widget Preferences, on page 320
Viewing Associated Events from the Custom Analysis Widget
From a Custom Analysis widget, you can invoke an event view (workflow) that provides detailed information about the events displayed in the widget. The events appear in the default workflow for that event type, constrained by the dashboard time range. This also changes the appropriate time window on the Secure Firewall Management Center, depending on how many time windows you configured and on the event type.
For example:
• If you configure multiple time windows, then access health events from a Custom Analysis widget, the events appear in the default health events workflow, and the health monitoring time window changes to the dashboard time range.
• If you configure a single time window and then access any type of event from the Custom Analysis widget, the events appear in the default workflow for that event type, and the global time window changes to the dashboard time range.
Procedure
You have the following choices:
• On any Custom Analysis widget, click View in the lower right corner of the widget to view all associated events, constrained by the widget preferences.
• On a Custom Analysis widget showing relative occurrences of events (bar graph), click any event to view associated events constrained by the widget preferences, as well as by that event.
The Disk Usage Widget
The Disk Usage widget displays the percentage of space used on the hard drive, based on disk usage category.
It also indicates the percentage of space used on and capacity of each partition of the appliance’s hard drive.
The Disk Usage widget displays the same information for the malware storage pack if installed in the device, or if the Secure Firewall Management Center manages a device containing a malware storage pack. This widget appears by default on the Status tabs of the Default Dashboard and the Summary Dashboard.
The By Category stacked bar displays each disk usage category as a proportion of the total available disk space used. The following table describes the available categories.
Table 18: Disk Usage Categories
Disk Usage Category | Description
Events  | all events logged by the system
Files   | all files stored by the system
Backups | all backup files
Updates | all files related to updates, such as rule updates and system updates
Other   | system troubleshooting files and other miscellaneous files
Free    | free space remaining on the appliance
You can hover your pointer over a disk usage category in the By Category stacked bar to view the percentage of available disk space used by that category, the actual storage space on the disk, and the total disk space available for that category. Note that if you have a malware storage pack installed, the total disk space available for the Files category is the available disk space on the malware storage pack.
You can configure the widget to display only the By Category stacked bar, or you can show the stacked bar plus the usage of the admin (/), /Volume, and /boot partitions, as well as the /var/storage partition if the malware storage pack is installed, by modifying the widget preferences.
The widget preferences also control how often the widget updates, as well as whether it displays the current disk usage or collected disk usage statistics over the dashboard time range.
The Interface Traffic Widget
The Interface Traffic widget shows the rate of traffic received (Rx) and transmitted (Tx) on the appliance’s management interface. The widget does not appear by default on any of the predefined dashboards.
Devices with Malware licenses enabled periodically attempt to connect to the AMP cloud even if you have not configured dynamic analysis. Because of this, these devices show transmitted traffic; this is expected behavior.
The widget preferences control how often the widget updates.
The Intrusion Events Widget
The Intrusion Events widget shows the intrusion events that occurred over the dashboard time range, organized by priority. This includes statistics on intrusion events with dropped packets and different impacts. This widget appears by default on the Intrusion Events tab of the Summary Dashboard.
In the widget preferences, you can choose:
• Event Flags to display separate graphs for events with dropped packets, would have dropped packets, or specific impacts. Choose All to display an additional graph for all intrusion events, regardless of impact or rule state.
For explanations of the icons, see Intrusion Events, on page 733. The arrow (if any) that appears above the impact level numbers describes the inline result and is defined as follows:
Table 19: Inline Result Field Contents in Workflow and Table Views
This Icon | Indicates
Dropped icon | The system dropped the packet that triggered the rule.
Would have dropped icon | IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning.
Connection blocked icon | IPS may have transmitted or delivered the packet to the destination, but the connection that contained this packet is now blocked.
No icon (blank) | The triggered rule was not set to Drop and Generate Events.
In a passive deployment, the system does not drop packets, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
• Show to specify Average Events Per Second (EPS) or Total Events .
• Vertical Scale to specify Linear (incremental) or Logarithmic (factor of ten) scale.
• How often the widget updates.
On the widget, you can:
• Click a graph corresponding to dropped packets, to would have dropped packets, or to a specific impact to view intrusion events of that type.
• Click the graph corresponding to dropped events to view dropped events.
• Click the graph corresponding to would have dropped events to view would have dropped events.
• Click the All graph to view all intrusion events.
The resulting event view is constrained by the dashboard time range; accessing intrusion events via the dashboard changes the events (or global) time window for the appliance. Note that packets in a passive deployment are not dropped, regardless of intrusion rule state or the inline drop behavior of the intrusion policy.
The Network Compliance Widget
The Network Compliance widget summarizes your hosts’ compliance with the allow lists you configured. By default, the widget displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated, for all compliance allow lists in active correlation policies. This widget appears by default on the Correlation tab of the Detailed Dashboard.
You can configure the widget to display network compliance either for all allow lists or for a specific allow list by modifying the widget preferences.
If you choose to display network compliance for all allow lists, the widget considers a host non-compliant if it violates at least one allow list in an active correlation policy.
You can also use the widget preferences to specify which of three different styles you want to use to display network compliance.
The Network Compliance style (the default) displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated. You can click the pie chart to view the host violation count, which lists the hosts that violate at least one allow list.
The Network Compliance over Time (%) style displays a stacked area graph showing the relative proportion of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.
The Network Compliance over Time style displays a line graph that shows the number of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.
The preferences control how often the widget updates. The Show Not Evaluated check box controls whether hosts that have not yet been evaluated are included in the display; clear it to hide them.
The Product Licensing Widget
The Product Licensing widget shows the device and feature licenses currently installed on the Secure Firewall Management Center. It also indicates the number of items licensed and the number of remaining licensed items allowed. It does not appear by default on any of the predefined dashboards.
The top section of the widget displays all device and feature licenses installed on the Secure Firewall Management Center, including temporary licenses, while the Expiring Licenses section displays only temporary and expired licenses.
The bars in the widget background show the percentage of each type of license that is being used; you should read the bars from right to left. Expired licenses are marked with a strikethrough.
You can configure the widget to display either the features that are currently licensed, or all the features that you can license, by modifying the widget preferences. The preferences also control how often the widget updates.
You can click any of the license types to go to the License page of the local configuration and add or delete feature licenses.
The Product Updates Widget
The Product Updates widget provides you with a summary of the software currently installed on the appliance as well as information on updates that you have downloaded, but not yet installed. This widget appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
Because the widget uses scheduled tasks to determine the latest version, it displays Unknown until you configure a scheduled task to download, push or install updates.
You can configure the widget to hide the latest versions by modifying the widget preferences. The preferences also control how often the widget updates.
The widget also provides you with links to pages where you can update the software. You can:
• Manually update an appliance by clicking the current version.
• Create a scheduled task to download an update by clicking the latest version.
The RSS Feed Widget
The RSS Feed widget adds an RSS feed to a dashboard. By default, the widget shows a feed of Cisco security news. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can also configure the widget to display a preconfigured feed of company news, the Snort.org blog, or the Cisco Threat Research blog, or you can create a custom connection to any other RSS feed by specifying its URL in the widget preferences. The management center can display encrypted RSS feeds only if they use trusted server certificates signed by a certificate authority (CA) that the management center recognizes. If you configure the RSS Feed widget to display an encrypted RSS feed that uses a CA the management center does not recognize, or that uses a self-signed certificate, the verification fails and the widget does not display the feed.
Feeds update every 24 hours (although you can manually update the feed), and the widget displays the last time the feed was updated based on the local time of the appliance. Keep in mind that the appliance must be able to reach the feed’s web site, whether it is one of the preconfigured feeds or a custom feed you configure.
When you configure the widget, you can also choose how many stories from the feed you want to show in the widget, as well as whether you want to show descriptions of the stories along with the headlines; keep in mind that not all RSS feeds use descriptions.
On the RSS Feed widget, you can:
• click one of the stories in the feed to view the story
• click the more link to go to the feed’s web site
• click Update to manually update the feed
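The two requirements the RSS Feed widget description sets out, strict certificate verification for encrypted feeds and rendering a bounded number of stories with optional descriptions, as an added worked example. This is not code from the guide or from the management center: the sample feed is constructed, the `ca_file` argument is a hypothetical location for an extra trusted CA certificate, and the parser is a stand-in written for this page.

```python
"""Added example, not code from the Cisco guide: the two things an RSS Feed
widget has to get right when it pulls a feed from an untrusted site.

1. TLS: verify the server certificate against a trust store and fail closed,
   which is the behaviour the guide describes (a self-signed or unknown-CA
   feed is rejected rather than displayed).
2. Parsing: treat the feed body as hostile XML, honour the story limit and
   cope with items that carry no <description>.

Assumptions (hypothetical): the feed XML below is constructed sample data,
and `ca_file` is wherever you keep extra trusted CA certificates.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample feed: four stories, the second without a description.
SAMPLE_FEED = """<rss version="2.0"><channel>
  <title>Example Security News</title>
  <link>https://news.example.invalid/</link>
  <item><title>Story one</title><link>https://news.example.invalid/1</link>
        <description>First summary</description></item>
  <item><title>Story two</title><link>https://news.example.invalid/2</link></item>
  <item><title>Story three</title><link>https://news.example.invalid/3</link>
        <description>Third summary</description></item>
  <item><title>Story four</title><link>https://news.example.invalid/4</link>
        <description>Fourth summary</description></item>
</channel></rss>"""


def feed_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """A verifying TLS context. create_default_context() sets CERT_REQUIRED
    and hostname checking; the supported way to accept a private CA is to add
    its certificate to the trust store, never to turn verification off."""
    ctx = ssl.create_default_context()
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject self-signed and unknown-CA servers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def fetch_feed(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> str:
    """Download the feed body. A certificate the trust store does not chain to
    raises ssl.SSLCertVerificationError here; surface that as "feed not
    displayed" rather than retrying without verification."""
    if not url.startswith("https://"):
        raise ValueError("feed URL must use https")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_feed(xml_text: str, max_stories: int = 5, show_descriptions: bool = True) -> Dict:
    """Turn an RSS 2.0 document into what the widget renders: the channel title,
    the "more" link and at most `max_stories` stories."""
    # Cheap defence against entity-expansion (billion-laughs) payloads: a feed
    # has no business declaring a DOCTYPE or entities, so refuse it outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing feed with DOCTYPE/ENTITY declarations")
    if max_stories < 1:
        raise ValueError("max_stories must be positive")

    channel = ET.fromstring(xml_text).find("channel")
    if channel is None:
        raise ValueError("not an RSS 2.0 feed: no <channel>")

    stories: List[Dict[str, Optional[str]]] = []
    for item in channel.findall("item")[:max_stories]:
        story: Dict[str, Optional[str]] = {
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
        }
        if show_descriptions:
            # Not every feed supplies descriptions; report None rather than "".
            story["description"] = item.findtext("description")
        stories.append(story)

    return {"title": channel.findtext("title") or "",
            "more": channel.findtext("link") or "",
            "stories": stories}


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED, max_stories=3)
    print(feed["title"], "->", feed["more"])
    for s in feed["stories"]:
        print("-", s["title"], "|", s.get("description"))
```

The only knob worth exposing for a self-signed or private-CA feed is `ca_file`: adding the issuing CA to the trust store keeps hostname and chain checks intact, whereas setting `verify_mode = CERT_NONE` would silently accept any certificate presented on the path to the feed.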
The System Load Widget
The System Load widget shows the CPU usage (for each CPU), memory (RAM) usage, and system load (also called the load average, measured by the number of processes waiting to execute) on the appliance, both currently and over the dashboard time range. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can configure the widget to show or hide the load average by modifying the widget preferences. The preferences also control how often the widget updates.
The System Time Widget
The System Time widget shows the local system time, uptime, and boot time for the appliance. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can configure the widget to hide the boot time by modifying the widget preferences. The preferences also control how often the widget synchronizes with the appliance’s clock.
The Allow List Events Widget
The Allow List Events widget shows the average events per second by priority, over the dashboard time range.
It appears by default on the Correlation tab of the Default Dashboard.
You can configure the widget to display allow list events of different priorities by modifying the widget preferences.
In the widget preferences, you can:
• choose one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority
• choose Show All to display an additional graph for all allow list events, regardless of priority
• choose Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale
The preferences also control how often the widget updates.
You can click a graph to view allow list events of a specific priority, or click the All graph to view all allow list events. In either case, the events are constrained by the dashboard time range; accessing allow list events via the dashboard changes the events (or global) time window for the Secure Firewall Management Center.
Managing Dashboards
Procedure
Step 1 Choose Overview > Dashboards, and then choose the dashboard you want to modify from the menu.
Step 2 Manage your dashboards:
• Create Dashboards: Create a custom dashboard; see Creating Custom Dashboards, on page 321.
• Delete Dashboards: To delete a dashboard, click Delete next to the dashboard you want to delete. If you delete your default dashboard, you must define a new default or the appliance prompts you to choose a dashboard every time you attempt to view a dashboard.
• Edit Options: Edit custom dashboard options; see Editing Dashboards Options, on page 323.
• Modify Time Constraints: Modify the time display or pause/unpause the dashboard as described in Modifying Dashboard Time Settings, on page 323.
Step 3 Add (see Adding a Dashboard, on page 319), Delete (click Close), and Rename (see Renaming a Dashboard, on page 324) dashboards.
Note You cannot change the order of dashboards.
Step 4 Manage dashboard widgets:
• Add Widgets: Add widgets to a dashboard; see Adding Widgets to a Dashboard, on page 319.
• Configure Preferences: Configure widget preferences; see Configuring Widget Preferences.
• Customize Display: Customize the widget display; see Customizing the Widget Display, on page 322.
• View Events: View associated events from the Custom Analysis widget; see Events from the Custom Analysis Widget, on page 313.
Tip Every configuration of the Custom Analysis widget in the Cisco predefined dashboards corresponds to a system preset for that widget. If you change or delete one of these widgets, you can restore it by creating a new Custom Analysis widget based on the appropriate preset.
Adding a Dashboard
Procedure
Step 1 View the dashboard you want to modify; see Viewing Dashboards, on page 325.
Step 2 Click Add.
Step 3 Enter a name.
Step 4 Click OK.
Adding Widgets to a Dashboard
Each tab can display one or more widgets in a three-column layout. When adding a widget to a dashboard, you choose the tab to which you want to add the widget. The system automatically adds it to the column with the fewest widgets. If all columns have an equal number of widgets, the new widget is added to the leftmost column. You can add a maximum of 15 widgets to a dashboard tab.
Tip After you add widgets, you can move them to any location on the tab. You cannot, however, move widgets from tab to tab.
The dashboard widgets you can view depend on the type of appliance you are using, your user role, and your current domain (in a multidomain deployment). Keep in mind that because not all user roles have access to all dashboard widgets, users with fewer permissions viewing a dashboard created by a user with more permissions may not be able to use all of the widgets on the dashboard. Although the unauthorized widgets still appear on the dashboard, they are disabled.
Procedure
Step 1 View the dashboard where you want to add a widget; see Viewing Dashboards, on page 325.
Step 2 Click the tab where you want to add the widget.
Step 3 Click Add Widgets. You can view the widgets in each category by clicking on the category name, or you can view all widgets by clicking All Categories.
Step 4 Click Add next to the widgets you want to add. The Add Widgets page indicates how many widgets of each type are on the tab, including the widget you want to add.
Tip To add multiple widgets of the same type (for example, multiple RSS Feed widgets or multiple Custom Analysis widgets), click Add again.
Step 5 When you are finished adding widgets, click Done to return to the dashboard.
What to do next
• If you added a Custom Analysis widget, configure the widget preferences; see Configuring Widget Preferences.
Related Topics
, on page 306
Configuring Widget Preferences
Each widget has a set of preferences that determines its behavior.
Procedure
Step 1 On the title bar of the widget whose preferences you want to change, click Show Preferences.
Step 2 Make changes as needed.
Step 3 On the widget title bar, click Hide Preferences to hide the preferences section.
Creating Custom Dashboards
Tip Instead of creating a new dashboard, you can export a dashboard from another appliance, then import it onto your appliance. You can then edit the imported dashboard to suit your needs.
Procedure
Step 1 Choose Overview > Dashboards > Management.
Step 2 Click Create Dashboard.
Step 3 Modify the custom dashboard options as described in Custom Dashboard Options, on page 321.
Step 4 Click Save.
Custom Dashboard Options
The table below describes options you can use when creating or editing custom dashboards.
Table 20: Custom Dashboard Options

Copy Dashboard
When you create a custom dashboard, you can choose to base it on any existing dashboard, whether user-created or system-defined. This option makes a copy of the preexisting dashboard, which you can modify to suit your needs. Optionally, you can create a blank new dashboard by choosing None. This option is available only when you create a new dashboard.
In a multidomain deployment, you can copy any non-private dashboards from ancestor domains.

Name
A unique name for the custom dashboard.

Description
A brief description of the custom dashboard.

Change Tabs Every
Specifies (in minutes) how often the dashboard should cycle through its tabs. Unless you pause the dashboard or your dashboard has only one tab, this setting advances your view to the next tab at the interval you specify. To disable tab cycling, enter 0 in the Change Tabs Every field.

Refresh Page Every
Determines how often the entire dashboard page automatically refreshes.
Refreshing the entire dashboard allows you to see any preference or layout changes that were made to a shared dashboard by another user, or that you made to a private dashboard on another computer, since the last time the dashboard refreshed. A frequent refresh can be useful, for example, in a network operations center (NOC) where a dashboard is displayed at all times. If you make changes to the dashboard at a local computer, the dashboard in the NOC automatically refreshes at the interval you specify, and no manual refresh is required.
This refresh does not update the data, and you do not need to refresh the entire dashboard to see data updates; individual widgets update according to their preferences.
This value must be greater than the Change Tabs Every setting.
Unless you pause the dashboard, this setting will refresh the entire dashboard at the interval you specify. To disable the periodic page refresh, enter 0 in the Refresh Page Every field.
Note This setting is separate from the update interval available on many individual widgets; although refreshing the dashboard page resets the update interval on individual widgets, widgets will update according to their individual preferences even if you disable the Refresh Page Every setting.

Save As Private
Determines whether the custom dashboard can be viewed and modified by all users of the appliance or is associated with your user account and reserved solely for your own use. Keep in mind that any user with dashboard access, regardless of role, can modify shared dashboards. If you want to make sure that only you can modify a particular dashboard, save it as private.
Customizing the Widget Display
You can minimize and maximize widgets, as well as rearrange the widgets on a tab.
Procedure
Step 1 View a dashboard; see Viewing Dashboards, on page 325.
Step 2 Customize the widget display:
• To rearrange a widget on a tab, click the title bar of the widget you want to move, then drag it to its new location.
Note You cannot move widgets from tab to tab. If you want a widget to appear on a different tab, you must delete it from the existing tab and add it to the new tab.
• To minimize or maximize a widget on the dashboard, click Minimize or Maximize in the widget's title bar.
• To delete a widget if you no longer want to view it on a tab, click Close in the title bar of the widget.
Editing Dashboards Options
Procedure
Step 1 View the dashboard you want to edit; see Viewing Dashboards, on page 325.
Step 2 Click Edit.
Step 3 Change the options as described in Custom Dashboard Options, on page 321.
Step 4 Click Save.
Modifying Dashboard Time Settings
You can change the time range to reflect a period as short as the last hour (the default) or as long as the last year. When you change the time range, the widgets that can be constrained by time automatically update to reflect the new time range.
The maximum number of data points in any graph is 300, and the time setting determines how much time is summarized within each data point. Following is the number of data points, and the time span covered, in the dashboards for each time range:
• 1 hour = 12 data points, 5 minutes each
• 6 hours = 72 data points, 5 minutes each
• 1 day = 288 data points, 5 minutes each
• 1 week = 300 data points, 33.6 minutes each
• 2 weeks = 300 data points, 67.2 minutes each
• 30 days = 300 data points, 144 minutes each
• 90 days = 300 data points, 432 minutes each
• 180 days = 300 data points, 864 minutes each
• 1 year = 300 data points, 1752 minutes each
Note that not all widgets can be constrained by time. For example, the dashboard time range has no effect on the Appliance Information widget, which provides information that includes the appliance name, model, and current version of the software.
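As an added illustration (not from the Cisco guide), the Python below reconstructs the rule behind the list above: every point summarises at least 5 minutes, and once 5-minute points would exceed the 300-point cap the range is split into exactly 300 equal buckets. That rule is inferred from the nine listed ranges, and the burst_visibility helper, which averages a constructed short spike into the single bucket it lands in, is this example's addition; it shows why a long time range can hide a brief burst of events.

```python
from dataclasses import dataclass

MAX_POINTS = 300          # cap on data points per graph (stated in the guide)
MIN_BUCKET_MINUTES = 5    # finest summarisation interval the guide lists


@dataclass(frozen=True)
class Bucketing:
    points: int               # number of data points drawn on the graph
    minutes_per_point: float  # time summarised into each point


def dashboard_bucketing(range_minutes: int) -> Bucketing:
    """Rule inferred from the guide's table: 5-minute points until more than
    300 of them would be needed, then exactly 300 equal buckets."""
    if range_minutes <= 0:
        raise ValueError("time range must be positive")
    five_minute_points = range_minutes // MIN_BUCKET_MINUTES
    if five_minute_points <= MAX_POINTS:
        return Bucketing(five_minute_points, float(MIN_BUCKET_MINUTES))
    return Bucketing(MAX_POINTS, range_minutes / MAX_POINTS)


# The nine ranges the dashboard offers, in minutes (1 year taken as 365 days).
RANGES_MINUTES = {
    "1 hour": 60,
    "6 hours": 6 * 60,
    "1 day": 24 * 60,
    "1 week": 7 * 24 * 60,
    "2 weeks": 14 * 24 * 60,
    "30 days": 30 * 24 * 60,
    "90 days": 90 * 24 * 60,
    "180 days": 180 * 24 * 60,
    "1 year": 365 * 24 * 60,
}


def bucketing_table() -> dict:
    """Points and minutes-per-point for every range the dashboard offers."""
    return {name: dashboard_bucketing(m) for name, m in RANGES_MINUTES.items()}


def burst_visibility(range_name: str, burst_minutes: float,
                     burst_rate: float, baseline_rate: float) -> float:
    """Average events/sec the graph shows for the bucket containing a burst.

    A burst of `burst_minutes` at `burst_rate` is averaged with the rest of
    the bucket (at `baseline_rate`). Assumes the burst fits inside one bucket;
    a burst longer than the bucket fills it completely.
    """
    bucket = dashboard_bucketing(RANGES_MINUTES[range_name]).minutes_per_point
    burst_minutes = min(burst_minutes, bucket)
    return (burst_rate * burst_minutes
            + baseline_rate * (bucket - burst_minutes)) / bucket


if __name__ == "__main__":
    for name, b in bucketing_table().items():
        print(f"{name:>8}: {b.points:3d} points, {b.minutes_per_point:g} min each")
    # Constructed scenario: a 10-minute spike of 200 events/sec on a 20/sec baseline
    print("1 day :", burst_visibility("1 day", 10, 200.0, 20.0))
    print("1 year:", burst_visibility("1 year", 10, 200.0, 20.0))
```

At the 1 day range the spike fills a whole 5-minute point and is drawn at its true rate; at the 1 year range the same spike is diluted across a 1752-minute bucket and barely rises above the baseline, which is the practical reason behind the caveat that long ranges are of limited use for event-driven widgets.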
Keep in mind that for enterprise deployments of the Firepower System, changing the time range to a long period may not be useful for widgets like the Custom Analysis widget, depending on how often newer events replace older events.
You can also pause a dashboard, which allows you to examine the data provided by the widgets without the display changing and interrupting your analysis. Pausing a dashboard has the following effects:
• Individual widgets stop updating, regardless of any Update Every widget preference.
• Dashboard tabs stop cycling, regardless of the Change Tabs Every setting in the dashboard properties.
• Dashboard pages stop refreshing, regardless of the Refresh Page Every setting in the dashboard properties.
• Changing the time range has no effect.
When you are finished with your analysis, you can unpause the dashboard. Unpausing the dashboard causes all appropriate widgets on the page to update to reflect the current time range. In addition, dashboard tabs resume cycling and the dashboard page resumes refreshing according to the settings you specified in the dashboard properties.
If you experience connectivity problems or other issues that interrupt the flow of system information to the dashboard, the dashboard automatically pauses and an error notice appears until the problem is resolved.
Note Your session normally logs you out after 1 hour of inactivity (or another configured interval), regardless of whether the dashboard is paused. If you plan to passively monitor the dashboard for long periods of time, consider exempting some users from session timeout, or changing the system timeout settings.
Procedure
Step 1 View the dashboard whose time settings you want to change; see Viewing Dashboards, on page 325.
Step 2 Optionally, to change the dashboard time range, choose a time range from the Show the Last drop-down list.
Step 3 Optionally, pause or unpause the dashboard on the time range control, using Pause or Play.
Renaming a Dashboard
Procedure
Step 1 View the dashboard you want to modify; see Viewing Dashboards, on page 325.
Step 2 Click the dashboard title you want to rename.
Step 3 Type a name.
Step 4 Click OK.
Viewing Dashboards
By default, the home page for your appliance displays the default dashboard. If you do not have a default dashboard defined, the home page shows the Dashboard Management page, where you can choose a dashboard to view.
Procedure
At any time, you can do one of the following:
• To view the default dashboard for your appliance, choose Overview > Dashboards .
• To view a specific dashboard, choose Overview > Dashboards , and choose the dashboard from the menu.
• To view all available dashboards, choose Overview > Dashboards > Management. You can then click View next to an individual dashboard to view it.
Chapter 11
Health
The following topics describe how to use health monitoring:
• Requirements and Prerequisites for Health Monitoring, on page 327
• About Health Monitoring, on page 327
•
• Device Exclusion in Health Monitoring, on page 343
• Health Monitor Alerts, on page 346
• About the Health Monitor, on page 348
• Health Event Views, on page 365
• History for Health Monitoring, on page 368
Requirements and Prerequisites for Health Monitoring
Model Support: Any
Supported Domains: Any
User Roles: Admin, Maintenance User
About Health Monitoring
The health monitor on the Secure Firewall Management Center tracks a variety of health indicators to ensure that the hardware and software in the system are working correctly. You can use the health monitor to check the status of critical functionality across your deployment.
You can configure the frequency for running the health modules for alerting. The Secure Firewall Management Center also supports time series data collection. You can configure the frequency of collecting the time series data on the device and its health modules. The device monitor reports these metrics in several predefined health monitor dashboards by default. The metric data is collected for analysis and hence no alerting is associated with it.
You can use the health monitor to create a collection of tests, referred to as a health policy , and apply the health policy to one or more appliances. The tests, referred to as health modules , are scripts that test for criteria you specify. You can modify a health policy by enabling or disabling tests or by changing test settings, and you can delete health policies that you no longer need. You can also suppress messages from selected appliances by excluding them.
The tests in a health policy run automatically at the interval you configure. You can also run all tests, or a specific test, on demand. The health monitor collects health events based on the test conditions configured.
Note All appliances automatically report their hardware status via the Hardware Alarms health module. The Secure Firewall Management Center also automatically reports status using the modules configured in the default health policy. Some health modules, such as the Appliance Heartbeat module, run on the Secure Firewall Management Center and report the status of the Secure Firewall Management Center's managed devices. For the health modules to provide managed device status, you must deploy all health policies to the device.
You can use the health monitor to access health status information for the entire system, for a particular appliance, or, in a multidomain deployment, a particular domain. Hexagon charts and status tables on the Health Monitor page provide a visual summary of the status of all appliances on your network, including the Secure Firewall Management Center. Individual appliance health monitors let you drill down into health details for a specific appliance.
Fully customizable event views allow you to quickly and easily analyze the health status events gathered by the health monitor. These event views allow you to search and view event data and to access other information that may be related to the events you are investigating. For example, if you want to see all the occurrences of CPU usage with a certain percentage, you can search for the CPU usage module and enter the percentage value.
You can also configure email, SNMP, or syslog alerting in response to health events. A health alert is an association between a standard alert and a health status level. For example, if you need to make sure an appliance never fails due to hardware overload, you can set up an email alert. You can then create a health alert that triggers that email alert whenever CPU, disk, or memory usage reaches the Warning level you configure in the health policy applied to that appliance. You can set alerting thresholds to minimize the number of repeating alerts you receive.
You can also generate troubleshooting files for an appliance if you are asked to do so by Support.
Because health monitoring is an administrative activity, only users with the Admin or Maintenance User role can access system health data.
Health Modules
Health modules, or health tests, test for the criteria you specify in a health policy.
Table 21: Health Modules (each entry lists the module, the appliances it applies to, and what it monitors)

AMP Connection Status (Appliances: threat defense)
The module alerts if the threat defense cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. Disabled by default.

AMP for Endpoints Status (Appliances: management center)
The module alerts if the management center cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. It also alerts if you deregister an AMP cloud connection using the Secure Endpoint management console.

AMP for Firepower Status (Appliances: management center)
This module alerts if:
• The management center cannot contact the AMP cloud (public or private) or the Secure Malware Analytics Cloud or Appliance, or the AMP private cloud cannot contact the public AMP cloud.
• The encryption keys used for the connection are invalid.
• A device cannot contact the Secure Malware Analytics Cloud or Secure Malware Analytics Appliance to submit files for dynamic analysis.
• An excessive number of files are detected in network traffic based on the file policy configuration.
If your management center loses connectivity to the Internet, the system may take up to 30 minutes to generate a health alert.

AMP Threat Grid Connectivity (Appliances: threat defense)
The module alerts if the threat defense cannot connect to the AMP Threat Grid cloud after an initial successful connection.

Appliance Heartbeat (Appliances: management center)
This module determines if an appliance heartbeat is being heard from the appliance and alerts based on the appliance heartbeat status.

ASP Drop (Appliances: threat defense)
This module monitors the connections dropped by the data plane accelerated security path.

Automatic Application Bypass (Appliances: threat defense)
This module monitors bypassed detection applications.

Event Backlog Status (Appliances: management center)
This module alerts if the backlog of event data awaiting transmission from the device to the management center has grown continuously for more than 30 minutes. To reduce the backlog, evaluate your bandwidth and consider logging fewer events.
CPU Usage (per core) (Appliances: management center and threat defense)
This module checks that the CPU usage on all of the cores is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

CPU Usage Data Plane (Appliances: threat defense)
This module checks that the average CPU usage of all data plane processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

CPU Usage Snort (Appliances: threat defense)
This module checks that the average CPU usage of the Snort processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

CPU Usage System (Appliances: threat defense)
This module checks that the average CPU usage of all system processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Network Card Reset (Appliances: Sensor)
This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs.

Chassis Environment Status (Appliances: threat defense)
This module monitors chassis parameters such as fan speed and chassis temperature, and enables you to set a warning threshold and critical threshold for temperature. The Critical Chassis Temperature (Celsius) default value is 85. The Warning Chassis Temperature (Celsius) default value is 75.

Cluster/HA Failover Status (Appliances: threat defense)
This module monitors the status of device clusters. The module alerts if:
• A new primary unit is elected to a cluster.
• A new secondary unit joins a cluster.
• A primary or secondary unit leaves a cluster.

Database Size (Appliances: management center)
This module checks the size of the configuration database and alerts when the size exceeds the values (in gigabytes) configured for the module.
Configuration Resource Utilization (Appliances: threat defense)
This module alerts if the size of your deployed configurations puts a device at risk of running out of memory. The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies.
Snort Memory Allocation
• Total Snort Memory indicates the memory allotted for the Snort 2 instances running on the threat defense device.
• Available Memory indicates the memory allotted by the system for a Snort 2 instance. Note that this value is not just the difference between the Total Snort Memory and the combined memory reserved for other modules. This value is derived after a few other computations and then divided by the number of Snort 2 processes.
A negative Available Memory value indicates that the Snort 2 instance does not have enough memory for the deployed configuration. For support, contact Cisco Technical Assistance Center (TAC).

Connection Statistics (Appliances: threat defense)
This module monitors the connection statistics and NAT translation counts.

Critical Process Statistics (Appliances: threat defense)
This module monitors the state of critical processes, their resource consumption, and the restart counts.

Deployed Configuration Statistics (Appliances: threat defense)
This module monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules.

Disk Status (Appliances: management center and threat defense)
This module examines performance of the hard disk, and malware storage pack (if installed) on the appliance.
This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected.
Disk Usage (Appliances: management center and threat defense)
This module compares disk usage on the appliance's hard drive and malware storage pack to the limits configured for the module and alerts when usage exceeds the percentages configured for the module. This module also alerts when the system excessively deletes files in monitored disk usage categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds. See Disk Usage and Drain of Events Health Monitor for information about troubleshooting scenarios for Disk Usage alerts.
Use the Disk Usage health status module to monitor disk usage for the / and /volume partitions on the appliance and track draining frequency. Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.
Attention If you receive alerts for high unmanaged disk usage for the partition /volume even though the usage is below the critical or warning threshold specified in the health policy, this could indicate that there are files which need to be deleted manually from the system. Contact TAC if you receive these alerts.

Event Monitor (Appliances: management center)
This module monitors the overall incoming event rate to the management center.

Event Stream Status (Appliances: management center)
This module monitors connections to third-party client applications that use the Event Streamer on the management center.

Management Center Access Configuration Changes (Appliances: management center)
This module monitors access configuration changes made on the management center directly using the configure network management-data-interface command.

Management Center HA Status (Appliances: management center)
This module monitors and alerts on the high availability status of the management center. If you have not established management center high availability, the HA Status is Not in HA.
Note This module replaces the HA Status module, which previously provided HA status for the management center. In Version 7.0, we added HA status for managed devices.

Threat Defense HA (Split-brain check) (Appliances: threat defense)
This module monitors and alerts on the high availability status of the threat defense and provides a health alert for a split-brain scenario. If you have not established threat defense high availability, the HA Status is Not in HA.

File System Integrity Check (Appliances: management center and threat defense)
This module performs a file system integrity check and runs if the system has CC mode or UCAPL mode enabled, or if the system runs an image signed with a DEV key. This module is enabled by default.

Flow Offload Statistics (Appliances: threat defense)
This module monitors hardware flow offload statistics for a managed device.

Hardware Alarms (Appliances: threat defense)
This module determines if hardware needs to be replaced on a physical managed device and alerts based on the hardware status. The module also reports on the status of hardware-related daemons.
Health Monitor Process (Appliances: Any)
This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the management center exceeds the Warning or Critical limits.

Discovery Host Limit (Appliances: management center)
This module determines if the number of hosts the management center can monitor is approaching the limit and alerts based on the warning level configured for the module. For more information, see Host Limit.

ISE Connection Monitor (Appliances: management center)
This module monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the management center. ISE provides additional user data, device type data, device location data, SGTs (Security Group Tags), and SXP (Security Exchange Protocol) services.

Inline Link Mismatch Alarms (Appliances: Any managed device)
This module monitors the ports associated with inline sets and alerts if the two interfaces of an inline pair negotiate different speeds.

Interface Status (Appliances: Any)
This module determines if the device currently collects traffic and alerts based on the traffic status of physical interfaces and aggregate interfaces. For physical interfaces, the information includes interface name, link state, and bandwidth. For aggregate interfaces, the information includes interface name, number of active links, and total aggregate bandwidth.

Intrusion and File Event Rate (Appliances: Any managed device)
This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the Intrusion and File Event Rate is zero, the intrusion process may be down or the managed device may not be sending events. Select Analysis > Intrusions > Events to check if events are being received from the device.
Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to 50 and Events per second (Warning) should be set to 30. To determine limits for your system, find the Events/Sec value on the Statistics page for your device (System > Monitoring > Statistics), then calculate the limits using these formulas:
• Events per second (Critical) = Events/Sec * 2.5
• Events per second (Warning) = Events/Sec * 1.5
The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.

License Monitor (Appliances: management center)
This module monitors license expiration.
Module: Link State Propagation
Appliances: ISA 3000
Description: This module determines when a link in a paired inline set fails and triggers the link state propagation mode. If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads: Module Link State Propagation: ethx_ethy is Triggered, where x and y are the paired interface numbers.
Module: Local Malware Analysis
Appliances: management center and threat defense
Description: This module monitors ClamAV updates for Local Malware Analysis.
Module: Memory Usage
Appliances: Any
Description: This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module.
For appliances with more than 4 GB of memory, the preset alert thresholds are based on a formula that accounts for proportions of available memory likely to cause system problems. On >4 GB appliances, because the interval between Warning and Critical thresholds may be very narrow, Cisco recommends that you manually set the Warning Threshold % value to 50. This will further ensure that you receive memory alerts for your appliance in time to address the issue. See Memory Usage Thresholds for Health Monitor for additional information about how thresholds are calculated.
Beginning with Version 6.6.0, the minimum required RAM for management center virtual upgrades to Version 6.6.0+ is 28 GB, and the recommended RAM for management center virtual deployments is 32 GB. We recommend you do not decrease the default settings: 32 GB RAM for most management center virtual instances, 64 GB for the management center virtual 300 (VMware only).
Attention A critical alert is generated by the health monitor when insufficient RAM is allocated to a management center virtual deployment.
Complex access control policies and rules can command significant resources and negatively affect performance.
Module: Memory Usage Data Plane
Appliances: threat defense
Description: This module checks the percentage of allocated memory used by the Data Plane processes and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.
Module: Memory Usage Snort
Appliances: threat defense
Description: This module checks the percentage of allocated memory used by the Snort process and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.
Module: MySQL Statistics
Appliances: management center
Description: This module monitors the status of the MySQL database, including the database size, number of active connections, and memory use. Disabled by default.
Module: NTP Statistics
Appliances: threat defense
Description: This module monitors the NTP clock synchronization status of the managed device. Disabled by default.
Module: Firepower Platform Faults
Appliances: threat defense
Description: This module generates an alert for platform faults on Firepower 1000, 2100, and 3000 series devices. A fault is a mutable object that is managed by the management center. Each fault represents a failure in the Firepower 1000, 2100, and 3000 instance or an alarm threshold that has been raised. During the lifecycle of a fault, it can change from one state or severity to another. Each fault includes information about the operational state of the affected object at the time the fault was raised. If the fault is transitional and the failure is resolved, then the object transitions to a functional state. For more information, see the Cisco Firepower 1000/2100 FXOS Faults and Error Messages Guide.
Module: Power Supply
Appliances: Physical management centers
Description: This module determines if power supplies on the device require replacement and alerts based on the power supply status.
Module: Process Status
Appliances: Any
Description: This module determines if processes on the appliance exit or terminate outside of the process manager. If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited, until the module runs again and the process has restarted. If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process, until the module runs again and the process has restarted.
Module: RRD Server Process
Appliances: management center
Description: This module determines if the round robin data server that stores time series data is running properly. The module alerts if the RRD server has restarted since the last time it updated; it enters Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration.
Module: RabbitMQ Status
Appliances: management center
Description: This module collects various statistics for RabbitMQ.
Module: Realm
Appliances: Any managed device
Description: Enables you to set a warning threshold for realm or user mismatches, which are:
• User mismatch: A user is reported to the management center without being downloaded. A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the management center. Review the information discussed in the Cisco Secure Firewall Management Center Device Configuration Guide.
• Realm mismatch: A user logs into a domain that corresponds to a realm not known to the management center. For more information, see the Cisco Secure Firewall Management Center Device Configuration Guide.
Module: Snort Reconfiguring Detection
Appliances: Any managed device
Description: This module alerts if a device reconfiguration has failed.
Module: Routing Statistics
Appliances: threat defense
Description: This module monitors the current state of the routing table.
Module: SSE Connection Status
Appliances: threat defense
Description: The module alerts if the threat defense cannot connect to the SSE cloud after an initial successful connection. Disabled by default.
Module: Security Intelligence
Appliances: management center
Description: This module alerts if Security Intelligence is in use and the management center cannot update a feed, or feed data is corrupt or contains no recognizable IP addresses. See also the Threat Data Updates on Devices module.
Module: Smart License Monitor
Appliances: management center
Description: This module alerts if:
• There is a communication error between the Smart Licensing Agent (Smart Agent) and the Smart Software Manager.
• The Product Instance Registration Token has expired.
• The Smart License usage is out of compliance.
• The Smart License authorization or evaluation mode has expired.
Module: Snort Identity Memory Usage
Appliances: threat defense
Description: Enables you to set a warning threshold for Snort identity processing and alerts when memory usage exceeds the level configured for the module. The Critical Threshold % default value is 80.
This health module specifically keeps track of the total space used for the user identity information in Snort. It displays the current memory usage details, the total number of user-to-IP bindings, and user-group mapping details. Snort records these details in a file. If the memory usage file is not available, the Health Alert for this module displays Waiting for data. This could happen during a Snort restart due to a new install or a major update, a switch from Snort2 to Snort3 or back, or a major policy deployment. Depending on the health monitoring cycle, and when the file is available, the warning disappears, and the health monitor displays the details for this module with its status turned Green.
Module: Snort Statistics
Appliances: threat defense
Description: This module monitors the Snort statistics for events, flows, and packets.
Module: Snort3 Statistics
Appliances: threat defense
Description: This module collects and monitors the Snort3 statistics for events, flows, and packets.
Module: Smart License Monitor
Appliances: management center
Description: This module monitors Smart Licensing status.
Module: Sybase Statistics
Appliances: management center
Description: This module monitors the status of the Sybase database on the management center, including the database size, number of active connections, and memory use.
Module: Threat Data Updates on Devices
Appliances: Any
Description: Certain intelligence data and configurations that devices use to detect threats are updated on the management center from the cloud every 30 minutes. This module alerts you if this information has not been updated on the devices within the time period you have specified.
Monitored updates include:
• Local URL category and reputation data
• Security Intelligence URL lists and feeds, including global Block and Do Not Block lists and URLs from Threat Intelligence Director
• Security Intelligence network lists and feeds (IP addresses), including global Block and Do Not Block lists and IP addresses from Threat Intelligence Director
• Security Intelligence DNS lists and feeds, including global Block and Do Not Block lists and domains from Threat Intelligence Director
• Local malware analysis signatures (from ClamAV)
• SHA lists from Threat Intelligence Director, as listed on the Objects > Object Management > Security Intelligence > Network Lists and Feeds page
• Dynamic analysis settings configured on the Integration > AMP > Dynamic Analysis Connections page
• Threat Configuration settings related to expiration of cached URLs, including the Cached URLs Expire setting on the System > Integration > Cloud Services page. (Updates to the URL cache are not monitored by this module.)
• Communication issues with the Cisco cloud for sending events. See the Cisco Cloud box on the System > Integration > Cloud Services page.
Note Threat Intelligence Director updates are included only if TID is configured on your system and you have feeds.
By default, this module sends a warning after 1 hour and a critical alert after 24 hours.
If this module indicates failure on the management center or on any devices, verify that the management center can reach the devices.
Module: Time Series Data (RRD) Monitor
Appliances: management center
Description: This module tracks the presence of corrupt files in the directory where time series data (such as correlation event counts) are stored and alerts when files are flagged as corrupt and removed.
Module: Time Synchronization Status
Appliances: management center
Description: This module tracks the synchronization of a device clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds.
Module: URL Filtering Monitor
Appliances: management center
Description: This module alerts if the management center fails to:
• Register with the Cisco cloud.
• Download URL threat data updates from the Cisco cloud.
• Complete URL lookups.
You can configure time thresholds for these alerts. See also the Threat Data Updates on Devices module.
Module: Unresolved Groups Monitor
Appliances: management center
Description: Monitors unresolved groups used in policies.
Module: VPN Statistics
Appliances: management center
Description: This module monitors Site to Site and RA VPN tunnels between Firepower devices.
Module: VPN Status
Appliances: management center
Description: This module alerts when one or more VPN tunnels between Firepower devices are down. This module tracks:
• Site-to-site VPN for Secure Firewall Threat Defense
Attention Site-to-site VPN tunnels created with Virtual Tunnel Interfaces (VTIs) do not generate health alerts when the tunnel goes down. If you experience packet loss over a VPN with VTIs, check your VPN configuration.
• Remote access VPN for Secure Firewall Threat Defense
Module: XTLS Counters
Appliances: threat defense
Description: This module monitors XTLS/SSL flows, memory, and cache effectiveness. Disabled by default.
Configuring Health Monitoring
Procedure
Step 1 Determine which health modules you want to monitor as discussed in
You can set up specific policies for each kind of appliance, enabling only the appropriate tests for that appliance.
Tip To quickly enable health monitoring without customizing the monitoring behavior, you can apply the default policy provided for that purpose.
Step 2 Apply a health policy to each appliance where you want to track health status as discussed in .
Step 3 (Optional.) Configure health monitor alerts as discussed in Creating Health Monitor Alerts, on page 347.
You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular severity level for specific health modules.
Health Policies
A health policy contains configured health test criteria for several modules. You can control which health modules run against each of your appliances and configure the specific limits used in the tests run by each module.
When you configure a health policy, you decide whether to enable each health module for that policy. You also select the criteria that control which health status each enabled module reports each time it assesses the health of a process.
You can create one health policy that can be applied to every appliance in your system, customize each health policy to the specific appliance where you plan to apply it, or use the default health policy provided for you.
In a multidomain deployment, administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.
Default Health Policy
The Secure Firewall Management Center setup process creates and applies an initial health policy, in which most—but not all—available health modules are enabled. The system also applies this initial policy to devices added to the Secure Firewall Management Center.
This initial health policy is based on a default health policy, which you can neither view nor edit, but which you can copy when you create a custom health policy.
Upgrades and the Default Health Policy
When you upgrade the management center, any new health modules are added to all health policies, including the initial health policy, default health policy, and any other custom health policies. Usually, new health modules are added in an enabled state.
Note For a new health module to begin monitoring and alerting, reapply health policies after upgrade.
Creating Health Policies
If you want to customize a health policy to use with your appliances, you can create a new policy. The settings in the policy initially populate with the settings from the health policy you choose as a basis for the new policy.
You can edit the policy to specify your preferences, such as enable or disable modules within the policy, change the alerting criteria for each module as needed, and specify the run time intervals.
In a multidomain deployment, the system displays policies created in the current domain, which you can edit.
It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.
Procedure
Step 1 Choose System ( ) > Health > Policy.
Step 2 Click Create Policy.
Step 3 Enter a name for the policy.
Step 4 Choose the existing policy that you want to use as the basis for the new policy from the Base Policy drop-down list.
Step 5 Enter a description for the policy.
Step 6 Choose Save.
What to do next
• Apply the health policy on devices as described in Applying Health Policies, on page 341.
• Edit the policy to specify the module-level policy settings as described in Editing Health Policies, on page 342.
Applying Health Policies
When you apply a health policy to an appliance, the health tests for all the modules you enabled in the policy automatically monitor the health of the processes and hardware on the appliance. Health tests then continue to run at the intervals you configured in the policy, collecting health data for the appliance and forwarding that data to the Secure Firewall Management Center.
If you enable a module in a health policy and then apply the policy to an appliance that does not require that health test, the health monitor reports the status for that health module as disabled.
If you apply a policy with all modules disabled to an appliance, it removes all applied health policies from the appliance so no health policy is applied.
When you apply a different policy to an appliance that already has a policy applied, expect some latency in the display of new data based on the newly applied tests.
In a multidomain deployment, the system displays policies created in the current domain, which you can edit.
It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.
Procedure
Step 1 Choose System ( ) > Health > Policy.
Step 2 Click the Deploy health policy ( ) next to the policy you want to apply.
Step 3 Choose the appliances where you want to apply the health policy.
Note You cannot remove the policy from an appliance after you have deployed it. To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to the appliance.
Step 4 Click Apply to apply the policy to the appliances you chose.
What to do next
• Optionally, monitor the task status; see Viewing Task Messages, on page 400.
Monitoring of the appliance starts as soon as the policy is successfully applied.
Editing Health Policies
In a multidomain deployment, the system displays policies created in the current domain, which you can edit.
It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.
Procedure
Step 1 Choose System ( ) > Health > Policy.
Step 2 Click Edit ( ) next to the policy you want to modify.
Step 3 To edit the policy name and its description, click the Edit ( ) icon provided against the policy name.
Step 4 The Health Modules tab displays all the device modules and their attributes. Click the toggle button that is provided against the module and its attributes—turn on ( ) or turn off ( ) to enable or disable testing of health status respectively. To enable or disable testing on all health modules at once, click the Select All toggle button. For information on the modules, see .
Note • The modules and attributes are flagged with the supporting appliances—threat defense, management center, or both.
• You cannot choose to include or exclude the individual attributes of CPU and Memory modules.
Step 5 Where appropriate, set the Critical and Warning threshold percentages.
Step 6 In the Run Time Intervals tab, enter the relevant values in the fields:
• Health Module Run Interval —The frequency for running the health modules. The minimum interval is 5 minutes.
• Metric Collection Interval —The frequency of collecting the time series data on the device and its health modules. The device monitor reports these metrics in several predefined health monitor dashboards by default. For detailed information on the dashboard, see About Dashboards, on page 305. The metric data is collected for analysis and hence no alerting is associated with it.
Step 7 Click Save.
What to do next
• Apply the health policy to each appliance as described in Applying Health Policies, on page 341. This option allows you to apply the changes and update the policy status for all affected policies.
Deleting Health Policies
You can delete health policies that you no longer need. If you delete a policy that is still applied to an appliance, the policy settings remain in effect until you apply a different policy. In addition, if you delete a health policy that is applied to a device, any health monitoring alerts in effect for the device remain active until you disable the underlying associated alert response.
In a multidomain deployment, you can only delete health policies created in the current domain.
Tip To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to the appliance.
Procedure
Step 1 Choose System ( ) > Health > Policy.
Step 2 Click Delete ( ) next to the policy you want to delete, and then click Delete health policy to delete it.
A message appears, indicating if the deletion was successful.
Device Exclusion in Health Monitoring
In the course of normal network maintenance, you disable appliances or make them temporarily unavailable.
Because those outages are deliberate, you do not want the health status from those appliances to affect the summary health status on your Secure Firewall Management Center.
You can use the health monitor exclude feature to disable health monitoring status reporting on an appliance or module. For example, if you know that a segment of your network will be unavailable, you can temporarily disable health monitoring for a managed device on that segment to prevent the health status on the Secure
Firewall Management Center from displaying a warning or critical state because of the lapsed connection to the device.
When you disable health monitoring status, health events are still generated, but they have a disabled status and do not affect the health status for the health monitor. If you remove the appliance or module from the excluded list, the events that were generated during the exclusion continue to show a status of disabled.
To temporarily disable health events from an appliance, go to the exclusion configuration page and add an appliance to the device exclude list. After the setting takes effect, the system no longer considers the excluded appliance when calculating the overall health status. The Health Monitor Appliance Status Summary lists the appliance as disabled.
You can also disable an individual health module. For example, when you reach the host limit on a Secure
Firewall Management Center, you can disable Host Limit status messages.
Note that on the main Health Monitor page you can identify excluded appliances by expanding the list of appliances with a particular status: click the arrow in that status row.
Note On a Secure Firewall Management Center, Health Monitor exclusion settings are local configuration settings.
Therefore, if you exclude a device, then delete it and later re-register it with the Secure Firewall Management
Center, the exclusion settings remain persistent. The newly re-registered device remains excluded.
In a multidomain deployment, administrators in ancestor domains can exclude an appliance or health module in descendant domains. However, administrators in the descendant domains can override the ancestor configuration and clear the exclusion for devices in their domain.
Excluding Appliances from Health Monitoring
You can exclude appliances individually or by group, model, or associated health policy.
If you need to set the events and health status for an individual appliance to disabled, you can exclude the appliance. After the exclusion settings take effect, the appliance shows as disabled in the Health Monitor
Appliance Module Summary, and health events for the appliance have a status of disabled.
In a multidomain deployment, excluding an appliance in an ancestor domain excludes it for all descendant domains. Descendant domains can override this inherited configuration and clear the exclusion. You can only exclude the Secure Firewall Management Center at the Global level.
Procedure
Step 1 Choose System ( ) > Health > Exclude.
Step 2 Click Add Device.
Step 3 In the Device Exclusion dialog box, under Available Devices, click Add ( ) against the device that you want to exclude from health monitoring.
Step 4 Click Exclude. The selected device is displayed in the exclusion main page.
Step 5 To remove the device from the exclusion list, click Delete ( ).
Step 6 Click Apply.
What to do next
To exclude individual health policy modules on appliances, see Excluding Health Policy Modules, on page
Excluding Health Policy Modules
You can exclude individual health policy modules on appliances. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical.
After the exclusion settings take effect, the appliance shows the number of modules on the device that are excluded from health monitoring.
Tip Make sure that you keep track of individually excluded modules so you can reactivate them when you need them. You may miss necessary warning or critical messages if you accidentally leave a module disabled.
In a multidomain deployment, administrators in ancestor domains can exclude health modules in descendant domains. However, administrators in descendant domains can override this ancestor configuration and clear the exclusion for policies applied in their domains. You can only exclude Secure Firewall Management Center health modules at the Global level.
Procedure
Step 1 Choose System ( ) > Health > Exclude.
Step 2 Click Edit ( ) next to the appliance you want to modify.
Step 3 In the Exclude Health Modules dialog box, by default, all the modules of the device are excluded from health monitoring. Certain modules are applicable to specific devices only; for more information, see .
Step 4 To specify the duration of the exclusion for the device, from the Exclude Period drop-down list, select the duration.
Step 5 To choose modules to be excluded from health monitoring, click the Enable Module Level Exclusion link.
The Exclude Health Modules dialog box displays all the modules of the device. The modules that are not applicable for the associated health policies are disabled by default. To exclude a module, perform the following:
a. Click the Slider ( ) button next to the desired module.
b. To specify the duration of the exclusion for the selected modules, from the Exclude Period drop-down list, select the duration.
Step 6 If you select an Exclude Period other than Permanent for your exclusion configuration, you can choose to automatically delete the configuration when it expires. To enable this setting, check the Auto-delete expired configurations check box.
Step 7 Click OK.
Step 8 In the device exclusion main page, click Apply.
Expired Health Monitor Exclusions
When the exclusion period for a device or modules lapses, you can choose to clear or renew the exclusion.
Procedure
Step 1 Choose System ( ) > Health > Exclude.
The Warning ( ) icon is displayed against a device whose exclusion period, or whose modules' exclusion period, has expired.
Step 2 To renew the exclusion of the device, click Edit ( ) next to the appliance. In the Exclude Health Modules dialog box, click the Renew link. The exclusion period of the device is extended with the current value.
Step 3 To clear the device from being excluded, click Delete ( ) next to the appliance, click Remove the device from exclusion, and then click Apply.
Step 4 To renew or clear the modules from exclusion, click Edit ( ) next to the appliance. In the Exclude Health Modules dialog box, click the Enable Module Level Exclusion link, and then click the Renew or Clear link against the modules. When you click Renew, the exclusion period is extended on the module with the current value.
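To make the exclusion semantics described in Device Exclusion in Health Monitoring and Expired Health Monitor Exclusions concrete (events from an excluded device or module are still generated but carry a disabled status and do not affect the summary; an exclusion is Permanent or has an Exclude Period, and a lapsed one must be cleared or renewed), here is an added Python model. It is example code written for this page, not Cisco software and not the management center's API; the device names, module statuses and timestamps are constructed, and treating a lapsed exclusion as no longer masking events is an assumption.

```python
"""Roll up health status with device- and module-level exclusions.

Added example written for this page; it is not Cisco code and does not use
the management center's API. It models what the guide says: events from an
excluded device or module are still generated but carry a Disabled status
and do not affect the summary; an exclusion is either Permanent or has an
Exclude Period, and a lapsed one needs to be cleared or renewed. Treating a
lapsed exclusion as no longer masking events is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Higher rank wins when rolling up. Recovered counts as healthy like Normal.
# Error (the test did not run) is not modelled here.
SEVERITY_RANK = {"Normal": 0, "Recovered": 0, "Warning": 1, "Critical": 2}


@dataclass(frozen=True)
class HealthEvent:
    device: str
    module: str
    severity: str  # a key of SEVERITY_RANK


@dataclass(frozen=True)
class Exclusion:
    device: str
    module: Optional[str] = None           # None: the whole device is excluded
    expires_at: Optional[datetime] = None  # None: Exclude Period is Permanent


def exclusion_in_effect(excl: Exclusion, now: datetime) -> bool:
    return excl.expires_at is None or now < excl.expires_at


def classify_event(event: HealthEvent, exclusions: list, now: datetime) -> str:
    """Status the health monitor would show for this event: Disabled or its severity."""
    for excl in exclusions:
        if excl.device != event.device:
            continue
        if excl.module is not None and excl.module != event.module:
            continue
        if exclusion_in_effect(excl, now):
            return "Disabled"
    return event.severity


def summarize(events: list, exclusions: list, now: datetime) -> dict:
    """Overall status, per-device status, and exclusions that have lapsed."""
    per_device: dict = {}
    for ev in events:
        status = classify_event(ev, exclusions, now)
        current = per_device.get(ev.device)
        if status == "Disabled":
            per_device.setdefault(ev.device, "Disabled")  # only if nothing live yet
        elif current in (None, "Disabled") or SEVERITY_RANK[status] > SEVERITY_RANK[current]:
            per_device[ev.device] = status
    live = [s for s in per_device.values() if s != "Disabled"]
    overall = max(live, key=SEVERITY_RANK.__getitem__, default="Normal")
    lapsed = [e for e in exclusions if e.expires_at is not None and now >= e.expires_at]
    return {"overall": overall, "devices": per_device, "lapsed": lapsed}


# Constructed sample data (device names, statuses and times are made up).
NOW = datetime(2022, 6, 28, 12, 0, tzinfo=timezone.utc)
BEFORE_LAPSE = NOW - timedelta(hours=3)
SAMPLE_EVENTS = [
    HealthEvent("fmc", "Memory Usage", "Normal"),
    HealthEvent("fmc", "Smart License Monitor", "Warning"),
    HealthEvent("ftd-branch-1", "Process Status", "Critical"),  # device under maintenance
    HealthEvent("ftd-dc-1", "Memory Usage Snort", "Critical"),
    HealthEvent("ftd-dc-1", "Memory Usage Data Plane", "Normal"),
]
SAMPLE_EXCLUSIONS = [
    Exclusion("ftd-branch-1"),  # Permanent, whole device
    Exclusion("ftd-dc-1", "Memory Usage Snort", expires_at=NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS, SAMPLE_EXCLUSIONS, NOW)
    print("overall:", result["overall"])
    for device, status in result["devices"].items():
        print(f"  {device}: {status}")
    for excl in result["lapsed"]:
        print(f"lapsed exclusion, clear or renew it: {excl.device} / {excl.module or 'all modules'}")
```

Run at NOW, the Snort memory exclusion on ftd-dc-1 has lapsed two hours earlier, so its Critical event is live again and drives the overall status; run three hours earlier, the same event is Disabled and the summary is only Warning. The returned lapsed list is the thing the Tip above asks you to keep track of.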
Health Monitor Alerts
You can set up alerts to notify you through email, through SNMP, or through the syslog when the status changes for the modules in a health policy. You can associate an existing alert response with health event levels to trigger and alert when health events of a particular level occur.
For example, if you are concerned that your appliances may run out of hard disk space, you can automatically send an email to a system administrator when the remaining disk space reaches the warning level. If the hard drive continues to fill, you can send a second email when the hard drive reaches the critical level.
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.
Health Monitor Alert Information
The alerts generated by the health monitor contain the following information:
• Severity, which indicates the severity level of the alert.
• Module, which specifies the health module whose test results triggered the alert.
• Description, which includes the health test results that triggered the alert.
The table below describes these severity levels.
Table 22: Alert Severities
Critical: The health test results met the criteria to trigger a Critical alert status.
Warning: The health test results met the criteria to trigger a Warning alert status.
Normal: The health test results met the criteria to trigger a Normal alert status.
Error: The health test did not run.
Recovered: The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status.
Creating Health Monitor Alerts
You must be an Admin user to perform this procedure.
When you create a health monitor alert, you create an association between a severity level, a health module, and an alert response. You can use an existing alert or configure a new one specifically to report on system health. When the severity level occurs for the selected module, the alert triggers.
If you create or update a threshold in a way that duplicates an existing threshold, you are notified of the conflict. When duplicate thresholds exist, the health monitor uses the threshold that generates the fewest alerts and ignores the others. The timeout value for the threshold must be between 5 and 4,294,967,295 minutes.
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.
Before you begin
• Configure an alert response that governs the Secure Firewall Management Center's communication with the SNMP, syslog, or email server where you send the health alert; see Center Alert Responses, on page 517.
Procedure
Step 1 Choose System ( ) > Health > Monitor Alerts.
Step 2 Click Add.
Step 3 In the Add Health Alert dialog box, enter a name for the health alert in the Health Alert Name field.
Step 4 From the Severity drop-down list, choose the severity level you want to use to trigger the alert.
Step 5 From the Alert drop-down list, choose the alert response that you want to trigger when the specified severity level is reached. If you have not yet configured Secure Firewall Management Center Alert Responses, click Alerts to visit the Alerts page and set them.
Step 6 From the Health Modules list, choose the health policy modules for which you want the alert to apply.
Step 7 Optionally, in the Threshold Timeout field, enter the number of minutes that should elapse before each threshold period ends and the threshold count resets.
Even if the policy run time interval value is less than the threshold timeout value, the interval between two reported health events from a given module is always greater. For example, if you change the threshold timeout to 8 minutes and the policy run time interval is 5 minutes, there is a 10-minute interval (5 x 2) between reported events.
Step 8 Click Save to save the health alert.
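As an added worked example for the Threshold Timeout step (example code for this page, not from the Cisco guide), the following Python functions generalise the 8-minute/5-minute case above: they validate the documented ranges (run interval at least 5 minutes; timeout between 5 and 4,294,967,295 minutes) and return the spacing between reported events for any timeout and run interval. The rounding rule used, the smallest whole number of run intervals that is not shorter than the timeout, is an assumption derived from the guide's single example, as are the sample settings.

```python
"""Threshold Timeout vs. Health Module Run Interval for a health alert.

Added example for this page, not Cisco code. It encodes the guide's
constraints (run interval at least 5 minutes; threshold timeout between
5 and 4,294,967,295 minutes) and its example (timeout 8 min, run interval
5 min -> 10 minutes between reported events). The rounding rule below,
the smallest whole number of run intervals that is not shorter than the
timeout, is an assumption generalised from that one example.
"""
import math

MIN_RUN_INTERVAL_MIN = 5
MIN_THRESHOLD_TIMEOUT_MIN = 5
MAX_THRESHOLD_TIMEOUT_MIN = 4_294_967_295
MINUTES_PER_DAY = 24 * 60


def validate(threshold_timeout_min: int, run_interval_min: int) -> None:
    """Raise ValueError for values outside the documented ranges."""
    if run_interval_min < MIN_RUN_INTERVAL_MIN:
        raise ValueError(f"run interval must be at least {MIN_RUN_INTERVAL_MIN} minutes")
    if not MIN_THRESHOLD_TIMEOUT_MIN <= threshold_timeout_min <= MAX_THRESHOLD_TIMEOUT_MIN:
        raise ValueError("threshold timeout must be between 5 and 4,294,967,295 minutes")


def effective_report_interval(threshold_timeout_min: int, run_interval_min: int) -> int:
    """Minutes between two reported health events from one module.

    The module only runs every run_interval_min minutes, so a reported
    event can only land on a run boundary at or after the timeout has
    elapsed (assumption, see the module docstring).
    """
    validate(threshold_timeout_min, run_interval_min)
    runs_needed = math.ceil(threshold_timeout_min / run_interval_min)
    return runs_needed * run_interval_min


def max_reports_per_day(threshold_timeout_min: int, run_interval_min: int) -> int:
    """Upper bound on notifications one module can emit in 24 hours.

    Useful when sizing an email, syslog or SNMP alert response: a module
    that stays Critical all day cannot report more often than this.
    """
    return MINUTES_PER_DAY // effective_report_interval(threshold_timeout_min, run_interval_min)


if __name__ == "__main__":
    # Constructed settings to show the rounding, not values from a real policy.
    for timeout, interval in [(8, 5), (5, 5), (12, 5), (60, 15)]:
        print(f"timeout={timeout:3d} min, run interval={interval:2d} min -> "
              f"events at most every {effective_report_interval(timeout, interval)} min, "
              f"<= {max_reports_per_day(timeout, interval)} per day")
```

The point for an operator is that lowering the threshold timeout below the run interval buys nothing: the run interval is the floor, and the real spacing is always a whole multiple of it.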
Editing Health Monitor Alerts
You must be an Admin user to perform this procedure.
You can edit existing health monitor alerts to change the severity level, health module, or alert response associated with the health monitor alert.
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.
Procedure
Step 1 Choose System ( ) > Health > Monitor Alerts.
Step 2 Click the Edit ( ) icon next to the health alert that you want to modify.
Step 3 In the Edit Health Alert dialog box, from the Alert drop-down list, select the required alert entry, or click the Alerts link to configure a new alert entry.
Step 4 Click Save.
Deleting Health Monitor Alerts
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.
Procedure
Step 1 Choose System ( ) > Health > Monitor Alerts.
Step 2 Click Delete ( ) next to the health alert you want to delete, and then click Delete health alert to delete it.
What to do next
• Disable or delete the underlying alert response to ensure that alerting does not continue; see Secure Firewall Management Center Alert Responses, on page 517.
About the Health Monitor
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The health monitor provides the compiled health status for all devices managed by the Secure Firewall Management Center, plus the Secure Firewall Management Center itself. The health monitor is composed of:
• The Health Status summary page ― Provides you with an at-a-glance view of the health of the Secure Firewall Management Center and all of the devices that the management center manages. Devices are listed individually, or grouped according to their geolocation, high availability, or cluster status where applicable.
  • View the health summary of the management center and any device when you hover on the hexagon that represents the device health.
  • The dot to the left of a device indicates its health:
    • Green ― No alarms.
    • Orange ― At least one health warning.
    • Red ― At least one critical health alarm.
• The Monitoring navigation pane ― Allows you to navigate the device hierarchy. You can view health monitors for individual devices from the navigation pane.
In a multidomain deployment, the health monitor in an ancestor domain displays data from all descendant domains. In the descendant domains, it displays data from the current domain only.
Procedure
Step 1 Choose System ( ) > Health > Monitor.
Step 2 View the status of the management center and its managed devices in the Health Status landing page.
  a) Hover your pointer over a hexagon to view the health summary of a device. The popup window shows a truncated summary of the top five health alerts. Click on the popup to open a detailed view of the health alert summary.
  b) In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of health alerts for a device.
  When you expand the row, all of the health alerts are listed, including the status, title, and details.
  Note Health alerts are sorted by their severity level.
Step 3 Use the Monitoring navigation pane to access device-specific health monitors. When you use the Monitoring navigation pane:
  a) Click Home to return to the Health Status summary page.
  b) Click Firewall Management Center to view the health monitor for the Secure Firewall Management Center itself.
  c) In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.
  When you expand the row, all of the devices are listed.
  d) Click on a device to view a device-specific health monitor.
What to do next
• See Device Health Monitors, on page 352 for information about the compiled health status and metrics for any device managed by the Secure Firewall Management Center.
• See Using the Management Center Health Monitor, on page 350 for information about the health status of the Secure Firewall Management Center.
To return to the Health Status landing page at any time, click Home .
Using the Management Center Health Monitor
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The management center monitor provides a detailed view of the health status of the Secure Firewall Management Center. The health monitor is composed of:
• High Availability (if configured)―The High Availability (HA) panel displays the current HA status, including the status of the Active and Standby units, the last sync time, and overall device health.
• Event Rate―The Event Rate panel shows the maximum event rate as a baseline as well as the overall event rate received by the management center.
• Event Capacity―The Event Capacity panel shows the current consumption by event categories, including the retention time of events, the current vs. maximum event capacity, and a capacity overflow mechanism that alerts you when events are stored beyond the configured maximum capacity of the management center.
• Process Health―The Process Health panel has an at-a-glance view of the critical processes as well as a tab that lets you see the state of all processes, including the CPU and memory usage for each process.
• CPU―The CPU panel lets you toggle between the average CPU usage (default) and the CPU usage of all cores.
• Memory―The Memory panel shows the overall memory usage on the management center.
• Interface―The Interface panel shows the average input and output rate of all interfaces.
• Disk Usage―The Disk Usage panel shows the use of the entire disk, and the use of the critical partitions where management center data is stored.
Tip Your session normally logs you out after 1 hour of inactivity (or another configured interval). If you plan to passively monitor health status for long periods of time, consider exempting some users from session timeout, or changing the system timeout settings. See Add an Internal User, on page 111 and Configure Session Timeouts, on page 92 for more information.
Procedure
Step 1 Choose System ( ) > Health > Monitor.
Step 2 Use the Monitoring navigation pane to access the management center and device-specific health monitors.
  • A standalone management center is shown as a single node; a high-availability management center is shown as a pair of nodes.
  • The health monitor is available to both the active and standby management center in an HA pair.
Step 3 Explore the management center dashboard.
The management center dashboard includes a summary view of the HA state of the management center (if configured), as well as at-a-glance views of management center processes and device metrics such as CPU, memory, and disk usage.
Running All Modules for an Appliance
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run all health module tests on demand to collect up-to-date health information for the appliance.
In a multidomain deployment, you can run health module tests for appliances in the current domain and in any descendant domains.
Procedure
Step 1 View the health monitor for the appliance.
Step 2 Click Run All Modules. The status bar indicates the progress of the tests, then the Health Monitor Appliance page refreshes.
Note When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually run tests. If the value has not changed for a module that you just ran manually, wait a few seconds, then refresh the page by clicking the device name. You can also wait for the page to refresh again automatically.
Running a Specific Health Module
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run a health module test on demand to collect up-to-date health information for that module.
In a multidomain deployment, you can run health module tests for appliances in the current domain and in any descendant domains.
Procedure
Step 1 View the health monitor for the appliance.
Step 2 In the Module Status Summary graph, click the color for the health alert status category you want to view.
Step 3 In the Alert Detail row for the alert for which you want to view a list of events, click Run.
The status bar indicates the progress of the test, then the Health Monitor Appliance page refreshes.
Note When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually run tests. If the value has not changed for a module that you just manually ran, wait a few seconds, then refresh the page by clicking the device name. You can also wait for the page to refresh automatically again.
Generating Health Module Alert Graphs
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
You can graph the results over a period of time of a particular health test for a specific appliance.
Procedure
Step 1 View the health monitor for the appliance.
Step 2 In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.
Step 3 In the Alert Detail row for the alert for which you want to view a list of events, click Graph.
Tip If no events appear, you may need to adjust the time range.
Device Health Monitors
The device health monitor provides the compiled health status for any device managed by the Secure Firewall Management Center. The device health monitor collects health metrics for Firepower devices in order to predict and respond to system events. The device health monitor consists of the following components:
• System Details ― Displays information about the managed device, including the installed Firepower version and other deployment details.
• Troubleshooting & Links ― Provides convenient links to frequently used troubleshooting topics and procedures.
• Health alerts ― A health alert monitor provides an at-a-glance view of the health of the device.
• Time range ― An adjustable time window to constrain the information that appears in the various device metrics windows.
• Device metrics ― An array of key Firepower device health metrics categorized across predefined dashboards, including:
  • CPU ― CPU utilization, including the CPU usage by process and by physical cores.
  • Memory ― Device memory utilization, including data plane and Snort memory usage.
  • Interfaces ― Interface status and aggregate traffic statistics.
  • Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and so on) and NAT translation counts.
  • Snort ― Statistics related to the Snort process.
  • Disk Usage ― Device disk usage, including the disk size and disk utilization per partition.
  • Critical Processes ― Statistics related to managed processes, including process restarts and other select health monitors such as CPU and memory utilization.
Viewing System Details and Troubleshooting
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The System Details section provides general system information for a selected device. You can also launch troubleshooting tasks for that device.
Procedure
Step 1 Choose System ( ) > Health > Monitor.
Step 2 Use the Monitoring navigation pane to access device-specific health monitors.
Step 3 In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.
Step 4 Click on a device to view a device-specific health monitor.
Step 5 Click the link for View System & Troubleshoot Details …
This panel is collapsed by default. Clicking on the link expands the collapsed section to see System Details and Troubleshooting & Links for the device. The system details include:
• Version: The Firepower software version.
• Model: The device model.
• Mode: The firewall mode. The threat defense device supports two firewall modes for regular firewall interfaces: Routed mode and Transparent mode.
• VDB: The Cisco vulnerability database (VDB) version.
• SRU: The intrusion rule set version.
• Snort: The Snort version.
You have the following troubleshoot choices:
• Generate troubleshooting files; see Producing Troubleshooting Files for Specific System Functions, on page 407.
• Generate and download advanced troubleshooting files; see Downloading Advanced Troubleshooting
• Create and modify health policies; see Creating Health Policies, on page 340.
• Create and modify health monitor alerts; see Creating Health Monitor Alerts, on page 347.
Viewing the Device Health Monitor
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The device health monitor provides a detailed view of the health status of a Firepower device. The device health monitor compiles device metrics and provides health status and trends of the device in an array of dashboards.
Procedure
Step 1 Choose System ( ) > Health > Monitor.
Step 2 Use the Monitoring navigation pane to access device-specific health monitors.
Step 3 In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.
Step 4 View the Health Alerts for the device in the alert notification at the top of the page, directly to the right of the device name.
Hover your pointer over the Health Alerts to view the health summary of the device. The popup window shows a truncated summary of the top five health alerts. Click on the popup to open a detailed view of the health alert summary.
Step 5 You can configure the time range from the drop-down in the upper-right corner. The time range can reflect a period as short as the last hour (the default) or as long as two weeks. Select Custom from the drop-down to configure a custom start and end date.
Step 6 Click the refresh icon to set auto refresh to 5 minutes or to toggle off auto refresh.
Click on the deployment icon for a deployment overlay on the trend graph, with respect to the selected time range.
The deployment icon indicates the number of deployments during the selected time range. A vertical band indicates the deployment start and end time. In the case of multiple deployments, multiple bands/lines will appear. Click on the icon on top of the dotted line to view the deployment details.
The device monitor reports health and performance metrics in several predefined dashboards by default. The metrics dashboards include:
• Overview ― Highlights key metrics from the other predefined dashboards, including CPU, memory, interfaces, connection statistics; plus disk usage and critical process information.
• CPU ― CPU utilization, including the CPU usage by process and by physical cores.
• Memory ― Device memory utilization, including data plane and Snort memory usage.
• Interfaces ― Interface status and aggregate traffic statistics.
• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and so on) and NAT translation counts.
• Snort ― Statistics related to the Snort process.
You can navigate through the various metrics dashboards by clicking on the labels. See Threat Defense Metrics, on page 356 for a comprehensive list of the supported device metrics.
Step 7 Click the plus sign ( + ) in the upper right corner of the device monitor to create a custom correlation dashboard by building your own variable set from the available metric groups; see Correlating Device Metrics, on page
Correlating Device Metrics
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The device health monitor includes an array of key Firepower device metrics that serve to predict and respond to system events. The health of any Firepower device can be determined from these reported metrics.
The device monitor reports these metrics in several predefined dashboards by default. These dashboards include:
• Overview ― Highlights key metrics from the other predefined dashboards, including CPU, memory, interfaces, connection statistics; plus disk usage and critical process information.
• CPU ― CPU utilization, including the CPU usage by process and by physical cores.
• Memory ― Device memory utilization, including data plane and Snort memory usage.
• Interfaces ― Interface status and aggregate traffic statistics.
• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and so on) and NAT translation counts.
• Snort ― Statistics related to the Snort process.
• ASP Drops ― Statistics related to the Accelerated Security Path (ASP) performance and behavior.
You can add custom dashboards to correlate metrics that are interrelated. Select from predefined correlation groups, such as CPU and Snort; or create a custom correlation dashboard by building your own variable set from the available metric groups.
Before you begin
To view and correlate the time series data (device metrics) in the health monitor dashboard, enable REST API ( Settings > Configuration > REST API Preferences ).
Note Correlating device metrics is available only for threat defense 6.7 and later versions. Hence, for threat defense versions earlier than 6.7, the health monitor dashboard does not display these metrics even if you enable REST API.
Procedure
Step 1 Choose System ( ) > Health > Monitor.
Step 2 Use the Monitoring navigation pane to access device-specific health monitors.
Step 3 In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.
Step 4 Click the plus sign ( + ) in the upper right corner of the device monitor to add a new dashboard.
Step 5 From the Select Correlation Group drop-down, choose a predefined correlation group or create a custom group.
Step 6 To create a dashboard from a predefined correlation group, select the group and click Add. The predefined groups are:
  • CPU - Data Plane
  • CPU - Snort
  • CPU - Others
  • Memory - Data Plane
  • Packet drops
Step 7 To create a custom correlation dashboard:
  a) Choose Custom.
  b) Optionally, enter a unique name in the Dashboard Name field or accept the default.
  c) Next, select a group from the Select Metric Group drop-down, then select corresponding metrics from the Select Metrics drop-down.
    • Connections; see Connection Group Metrics, on page 358 for available metrics.
    • CPU; see CPU Group Metrics, on page 356 for available metrics.
    • Critical Process; see Critical Process Group Metrics, on page 363 for available metrics.
    • Deployed Configuration; see Deployed Configuration Group Metrics, on page 362 for available metrics.
    • Disk; see Disk Group Metrics, on page 363 for available metrics.
    • Interface; see Interface Group Metrics, on page 358 for available metrics.
    • Snort; see Snort Group Metrics, on page 359 for available metrics.
    • ASP Drops; see for available metrics.
Step 8 Click Add Metrics to add and select metrics from another group.
Step 9 To remove an individual metric, click the x on the right side of the item. Click the delete icon (a trash can) to remove the entire group.
Step 10 Click Add to complete the workflow and add the dashboard to the health monitor.
You can Edit or Delete custom correlation dashboards.
Threat Defense Metrics
The following sections describe the health metrics available from threat defense devices.
CPU Group Metrics
The health monitor tracks statistics related to the CPU utilization, including the CPU usage by process and by physical cores.
Table 23: CPU Group Metrics
Metric | Description | Format
Control Plane | The average CPU utilization for the control plane, for the last one minute. | percent
Data Plane | The average CPU utilization for the data plane, for the last one minute. | percent
Snort | The average CPU utilization for the Snort process, for the last one minute. | percent
System | The average CPU utilization for the system processes, for the last one minute. | percent
Physical cores | The average CPU utilization for all the cores, for the last one minute. | percent
Memory Group Metrics
The health monitor tracks statistics related to the device memory utilization, including data plane and Snort memory usage.
Table 24: Memory Group Metrics
Metric | Description | Format
Buffer cache | The buffer cache. | bytes
Free | The total free memory. | bytes
Maximum Data Plane | The maximum memory used by the data plane. | bytes
Maximum Snort | The maximum memory used by the Snort process. | bytes
Maximum Swap for Snort | The maximum swap memory used by the Snort process. | bytes
Remaining Memory Block (1550) | The free memory in a 1550 byte block. | number
Remaining Memory Block (256) | The free memory in a 256 byte block. | number
System Used | The total memory used by the system. | bytes
Total | The total memory available. | bytes
Total Swap | The total memory available for swap. | bytes
Data Plane | The total memory used by the data plane. | bytes
Percent Used by Data Plane | The percent of memory used by the data plane. | percent
Percent Used by Snort | The percent of memory used by the Snort process. | percent
Percent Used for Swap | The percent of memory used for swap. | percent
Percent Used by System | The percent of memory used by the system. | percent
Snort | The total memory used by the Snort process. | bytes
Percent Used by System and Swap | The percent of memory used by the system and swap combined. | percent
Used Swap | The total memory used for swap. | bytes
Used Swap by Snort | The total swap memory used by the Snort process. | bytes
Interface Group Metrics
The health monitor tracks statistics related to the device interfaces, including the interface status and aggregate traffic statistics.
Table 25: Interface Group Metrics
Metric | Description | Format
Drop Packets | The number of packets dropped. | number
Average Input Packet Size | The average size of incoming packets. | bytes
Input Rate | The total incoming bytes. | bytes
Input Packets | The total incoming packets. | number
Average Output Packet Size | The average size of outgoing packets. | bytes
Output Rate | The total outgoing bytes. | bytes
Output Packets | The total outgoing packets. | number
Status | The status of an interface; 1 for up and 0 for down. | 1 or 0
Connection Group Metrics
The health monitor tracks statistics related to the connections and NAT translation counts.
Table 26: Connection Group Metrics
Metric | Description | Format
Elephant Flows | Shows the number of active elephant flows. Elephant flows are connections that are large enough to affect overall system performance. By default, elephant flows are those larger than 1GB/10 seconds. You can adjust the byte and time thresholds for identifying elephant flows in the threat defense CLI using the system support elephant-flow-detection command. Note: A flow is considered an elephant flow only when both the byte and time thresholds are surpassed. | number
Connections in use | Shows the number of connections in use. | number
Peak Connections | Shows the maximum number of simultaneous connections. | number
Total Connections per second | The connections-per-second for all connection types. | number
TCP Connections per second | The connections-per-second for TCP connection types. | number
UDP Connections per second | The connections-per-second for UDP connection types. | number
Preserve Connections Enabled | Preserves existing TCP/UDP connections on routed and transparent interfaces in case the Snort process goes down. | number
Connections Preserved | Connections for which preserve-connection is currently enabled. | number
Preserve Connections Most Enabled | The highest number of connections ever preserved. | number
Peak Connections Preserved | The highest number of peak connections ever preserved. | number
NAT Translations | Displays the translation count. | number
Peak NAT Translations | Displays the historic maximum of concurrent translations at a time. | number
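The Elephant Flows row above states a rule that is easy to get wrong when tuning or reproducing the metric elsewhere: a flow counts only when both the byte threshold and the time threshold are exceeded. The following added example (not Cisco code, and not the device's implementation) applies that rule to constructed flow records; it assumes 1 GB means 1024**3 bytes and that "larger than" means strictly greater.

```python
"""Elephant-flow classification following the rule in the Connection Group Metrics table.

Added example (not Cisco code): a flow is an elephant flow only when BOTH the
byte threshold and the time threshold are surpassed. Defaults mirror the guide
(1 GB over 10 seconds); the 1 GB value is assumed to mean 1024**3 bytes.
"""
from dataclasses import dataclass
from typing import Iterable, List

DEFAULT_BYTE_THRESHOLD = 1024 ** 3   # 1 GB (assumed binary gigabyte)
DEFAULT_TIME_THRESHOLD_S = 10.0      # 10 seconds


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: identity, bytes seen so far and time alive."""
    src: str
    dst: str
    dport: int
    proto: str
    total_bytes: int
    duration_s: float


def is_elephant(flow: Flow,
                byte_threshold: int = DEFAULT_BYTE_THRESHOLD,
                time_threshold_s: float = DEFAULT_TIME_THRESHOLD_S) -> bool:
    """Both conditions must hold: a large burst that ends quickly is not an
    elephant flow, and neither is a long-lived flow that stays small."""
    return flow.total_bytes > byte_threshold and flow.duration_s > time_threshold_s


def elephant_flow_count(flows: Iterable[Flow], **thresholds) -> int:
    """The number the 'Elephant Flows' metric reports: active elephant flows."""
    return sum(1 for f in flows if is_elephant(f, **thresholds))


def explain(flow: Flow, **thresholds) -> str:
    """Human-readable verdict, useful when comparing a tuned threshold pair
    against what the dashboard reports."""
    bt = thresholds.get("byte_threshold", DEFAULT_BYTE_THRESHOLD)
    tt = thresholds.get("time_threshold_s", DEFAULT_TIME_THRESHOLD_S)
    big = flow.total_bytes > bt
    long_lived = flow.duration_s > tt
    if big and long_lived:
        return "elephant"
    if big:
        return "large but too short"
    if long_lived:
        return "long-lived but too small"
    return "normal"


# Constructed sample flows (not captured from a real device).
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.5", "10.0.9.20", 445, "tcp", 3 * 1024 ** 3, 120.0),   # backup job
    Flow("10.0.1.7", "10.0.9.21", 443, "tcp", 2 * 1024 ** 3, 4.0),     # short burst
    Flow("10.0.1.8", "10.0.9.22", 22, "tcp", 50 * 1024 ** 2, 3600.0),  # idle SSH
    Flow("10.0.1.9", "10.0.9.23", 53, "udp", 1024, 0.2),               # DNS lookup
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto}: {explain(flow)}")
    print("Elephant Flows metric:", elephant_flow_count(SAMPLE_FLOWS))
```

Lowering only the time threshold (as the CLI command allows) turns the short burst into an elephant flow, which is the effect to expect on the metric after a threshold change.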
Snort Group Metrics
The health monitor tracks statistics related to the Snort process.