Cisco Secure Firewall Management Center Administration Guide, 7.2
First Published: 2022-06-06
Last Modified: 2022-06-28
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on
age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that
is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2022
Cisco Systems, Inc. All rights reserved.
CONTENTS
PART I Getting Started
CHAPTER 1 Management Center Overview 1
Quick Start: Basic Setup 1
Installing and Performing Initial Setup on Physical Appliances 2
Deploying Virtual Appliances 2
Logging In for the First Time 3
Setting Up Basic Policies and Configurations 4
Threat Defense Devices 6
Features 6
Appliance and System Management Features 7
High Availability and Scalability Features by Platform 8
Features for Detecting, Preventing, and Processing Potential Threats 9
Integration with External Tools 11
Search the Management Center 11
Search for Web Interface Menu Options 14
Search for Policies 15
Search for Objects 17
Search for How To Walkthroughs 20
Switching Domains on the Secure Firewall Management Center 20
The Context Menu 21
Sharing Data with Cisco 23
Online Help, How To, and Documentation 23
User Guides on Cisco.com 24
License Statements in the Documentation 25
Supported Devices Statements in the Documentation 25
Cisco Secure Firewall Management Center Administration Guide, 7.2
iii
Contents
Access Statements in the Documentation 26
IP Address Conventions 26
Additional Resources 26
CHAPTER 2 Logging into the Management Center 27
User Accounts 27
System User Interfaces 29
Web Interface Considerations 30
Session Timeout 30
Logging Into the Secure Firewall Management Center Web Interface 31
Logging Into the Management Center Web Interface Using SSO 32
Logging Into the Secure Firewall Management Center with CAC Credentials 33
Logging Into the Management Center Command Line Interface 33
View Your Last Login 34
Logging Out of the Management Center Web Interface 35
History for Logging into the Management Center 35
PART II System Settings 37
CHAPTER 3 System Configuration 39
Requirements and Prerequisites for the System Configuration 40
About System Configuration 40
Navigating the Secure Firewall Management Center System Configuration 40
System Configuration Settings 40
Appliance Information 42
HTTPS Certificates 43
Default HTTPS Server Certificates 43
Custom HTTPS Server Certificates 44
HTTPS Server Certificate Requirements 44
HTTPS Client Certificates 45
Viewing the Current HTTPS Server Certificate 46
Generating an HTTPS Server Certificate Signing Request 46
Importing HTTPS Server Certificates 48
Requiring Valid HTTPS Client Certificates 49
Renewing the Default HTTPS Server Certificate 50
External Database Access Settings 50
Enabling External Access to the Database 51
Database Event Limits 52
Configuring Database Event Limits 52
Database Event Limits 52
Management Interfaces 55
About Management Center Management Interfaces 55
Management Interfaces on the Management Center 55
Management Interface Support Per Management Center Model 56
Network Routes on Management Center Management Interfaces 56
NAT Environments 57
Management and Event Traffic Channel Examples 59
Modify Management Center Management Interfaces 60
Shut Down or Restart 64
Shut Down or Restart the Management Center 64
Remote Storage Management 64
Management Center Remote Storage - Supported Protocols and Versions 65
Configuring Local Storage 65
Configuring NFS for Remote Storage 66
Configuring SMB for Remote Storage 66
Configuring SSH for Remote Storage 67
Remote Storage Management Advanced Options 68
Change Reconciliation 69
Configuring Change Reconciliation 69
Change Reconciliation Options 69
Policy Change Comments 70
Configuring Comments to Track Policy Changes 70
Access List 71
Configure an Access List 71
Audit Logs 72
Stream Audit Logs to Syslog 72
Stream Audit Logs to an HTTP Server 74
Audit Log Certificate 75
Securely Stream Audit Logs 75
Obtain a Signed Audit Log Client Certificate for the Management Center 76
Import an Audit Log Client Certificate into the Management Center 77
Require Valid Audit Log Server Certificates 78
View the Audit Log Client Certificate on the Management Center 79
Dashboard Settings 79
Enabling Custom Analysis Widgets for Dashboards 79
DNS Cache 80
Configuring DNS Cache Properties 80
Email Notifications 80
Configuring a Mail Relay Host and Notification Address 81
Language Selection 81
Set the Language for the Web Interface 82
Login Banners 82
Customize the Login Banner 82
SNMP Polling 83
Configure SNMP Polling 83
Time and Time Synchronization 84
Synchronize Time on the Management Center with an NTP Server 85
Synchronize Time Without Access to a Network NTP Server 86
About Changing Time Synchronization Settings 87
View Current System Time, Source, and NTP Server Connection Status 87
NTP Server Status 88
Global User Configuration Settings 89
Set Password Reuse Limit 90
Track Successful Logins 90
Enabling Temporary Lockouts 91
Set Maximum Number of Concurrent Sessions 91
Session Timeouts 92
Configure Session Timeouts 92
Vulnerability Mapping 92
Mapping Vulnerabilities for Servers 93
Remote Console Access Management 93
Configuring Remote Console Settings on the System 94
Lights-Out Management User Access Configuration 95
Enabling Lights-Out Management User Access 95
Serial Over LAN Connection Configuration 96
Configuring Serial Over LAN with IPMItool 97
Configuring Serial Over LAN with IPMIutil 97
Lights-Out Management Overview 97
Configuring Lights-Out Management with IPMItool 99
Configuring Lights-Out Management with IPMIutil 99
REST API Preferences 99
Enabling REST API Access 99
VMware Tools and Virtual Systems 100
Enabling VMware Tools on the Secure Firewall Management Center for VMware 100
(Optional) Opt Out of Web Analytics Tracking 101
History for System Configuration 101
CHAPTER 4 Users 105
About Users 105
Internal and External Users 105
Web Interface and CLI Access 106
User Roles 106
User Passwords 108
Guidelines and Limitations for User Accounts for Management Center 110
Requirements and Prerequisites for User Accounts for Management Center 111
Add an Internal User 111
Configure External Authentication for the Management Center 113
About External Authentication for the Management Center 113
About LDAP 114
About RADIUS 115
Add an LDAP External Authentication Object for Management Center 115
Add a RADIUS External Authentication Object for Management Center 122
Enable External Authentication for Users on the Management Center 127
Configure Common Access Card Authentication with LDAP 128
Configure SAML Single Sign-On 129
About SAML Single Sign-On 129
SSO Guidelines for the Management Center 130
SSO User Accounts 130
User Role Mapping for SSO Users 131
Enable Single Sign-On at the Management Center 132
Configure Single Sign-On with Okta 133
Review the Okta Org 133
Configure the Management Center Service Provider Application for Okta 134
Configure the Management Center for Okta SSO 136
Configure User Role Mapping for Okta at the Management Center 137
Configure User Role Mapping at the Okta IdP 138
Okta User Role Mapping Examples 140
Configure Single Sign-On with OneLogin 145
Review the OneLogin Subdomain 146
Configure the Management Center Service Provider Application for OneLogin 146
Configure the Management Center for OneLogin SSO 148
Configure User Role Mapping for OneLogin at the Management Center 149
Configure User Role Mapping at the OneLogin IdP 150
OneLogin User Role Mapping Examples 153
Configure Single Sign-On with Azure AD 157
Review the Azure Tenant 158
Configure the Management Center Service Provider Application for Azure 158
Configure the Management Center for Azure SSO 160
Configure User Role Mapping for Azure at the Management Center 161
Configure User Role Mapping at the Azure IdP 162
Azure User Role Mapping Examples 165
Configure Single Sign-On with PingID 170
Review the PingID PingOne for Customers Environment 171
Configure the Management Center Service Provider Application for PingID PingOne for Customers 171
Configure the Management Center for SSO with PingID PingOne for Customers 173
Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider 174
Familiarize Yourself with the SSO Identity Provider and the SSO Federation 175
Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider 175
Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider 177
Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers 178
Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers 179
Customize User Roles for the Web Interface 180
Create Custom User Roles 180
Deactivate User Roles 182
Enable User Role Escalation 183
Set the Escalation Target Role 183
Configure a Custom User Role for Escalation 184
Escalate Your User Role 184
Troubleshooting LDAP Authentication Connections 185
Configure User Preferences 186
Changing Your Password 187
Changing an Expired Password 187
Change the Web Interface Appearance 188
Specifying Your Home Page 188
Configuring Event View Settings 189
Event View Preferences 189
File Download Preferences 190
Default Time Windows 191
Default Workflows 192
Setting Your Default Time Zone 193
Specifying Your Default Dashboard 193
History for Users 194
CHAPTER 5 Domains 195
Introduction to Multitenancy Using Domains 195
Domains Terminology 196
Domain Properties 197
Requirements and Prerequisites for Domains 198
Managing Domains 198
Creating New Domains 199
Moving Data Between Domains 200
Moving Devices Between Domains 201
History for Domain Management 202
CHAPTER 6 Updates 203
About System Updates 203
Requirements and Prerequisites for System Updates 205
Guidelines and Limitations for System Updates 205
Upgrade System Software 206
Update the Vulnerability Database (VDB) 206
Manually Update the VDB 206
Schedule VDB Updates 208
Update the Geolocation Database 208
Schedule GeoDB Updates 208
Manually Update the GeoDB (Internet Connection) 209
Manually Update the GeoDB (No Internet Connection) 209
Update Intrusion Rules 210
Update Intrusion Rules One-Time Manually 211
Update Intrusion Rules One-Time Automatically 212
Schedule Intrusion Rule Updates 213
Best Practices for Importing Local Intrusion Rules 213
Import Local Intrusion Rules 215
Rule Update Log 215
Intrusion Rule Update Log Table 216
Viewing the Intrusion Rule Update Log 216
Fields in an Intrusion Rule Update Log 217
Viewing Details of the Intrusion Rule Update Import Log 218
Maintain Your Air-Gapped Deployment 219
History for System Updates 220
CHAPTER 7 Licenses 229
About Licenses 229
Smart Software Manager and Accounts 230
Licensing Options for Air-Gapped Deployments 230
How Licensing Works for the Management Center and Devices 230
Periodic Communication with the Smart Software Manager 231
Evaluation Mode 231
Out-of-Compliance State 231
Unregistered State 232
End-User License Agreement 232
License Types and Restrictions 232
Management Center Virtual Licenses 234
Base Licenses 234
Malware Defense Licenses 235
Threat Licenses 235
URL Filtering Licenses 236
Secure Client Licenses 236
Licensing for Export-Controlled Functionality 237
Threat Defense Virtual Licenses 238
License PIDs 239
Requirements and Prerequisites for Licensing 245
Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance 246
Licensing for Management Center High Availability 246
Licensing for Device High-Availability 246
Licensing for Device Clusters 247
Licensing for Multi-Instance Deployments 247
Create a Smart Account and Add Licenses 248
Configure Smart Licensing 249
Register the Management Center for Smart Licensing 249
Register the Management Center with the Smart Software Manager 249
Register the Management Center with the Smart Software Manager On-Prem 252
Enable the Export Control Feature for Accounts Without Global Permission 253
Assign Licenses to Devices 254
Assign Licenses to a Single Device 254
Assign Licenses to Multiple Managed Devices 255
Manage Smart Licensing 256
Deregister the Management Center 256
Synchronize or Reauthorize the Management Center 256
Monitoring Smart License Status 257
Monitoring Smart Licenses 258
Troubleshooting Smart Licensing 258
Configure Specific License Reservation (SLR) 261
Requirements and Prerequisites for Specific License Reservation 261
Verify that your Smart Account is Ready to Deploy Specific License Reservation 261
Enable the Specific Licensing Menu Option 262
Enter the Specific License Reservation Authorization Code into the Management Center 263
Assign Specific Licenses to Managed Devices 264
Manage Specific License Reservation 265
Important! Maintain Your Specific License Reservation Deployment 265
Update a Specific License Reservation 265
Deactivate and Return the Specific License Reservation 267
Monitoring Specific License Reservation Status 269
Troubleshoot Specific License Reservation 270
Configure Legacy Management Center PAK-Based Licenses 271
Additional Information about Licensing 272
History for Licenses 273
CHAPTER 8 High Availability 275
About Secure Firewall Management Center High Availability 275
Roles v. Status in Management Center High Availability 276
Event Processing on Management Center High Availability Pairs 277
AMP Cloud Connections and Malware Information 277
URL Filtering and Security Intelligence 277
User Data Processing During Management Center Failover 277
Configuration Management on Management Center High Availability Pairs 277
Management Center High Availability Disaster Recovery 277
Single Sign-On and High Availability Pairs 278
Management Center High Availability Behavior During a Backup 278
Management Center High Availability Split-Brain 278
Upgrading Management Centers in a High Availability Pair 279
Troubleshooting Management Center High Availability 280
Requirements for Management Center High Availability 281
Hardware Requirements 281
Virtual Platform Requirements 282
Software Requirements 282
License Requirements for Management Center High Availability Configurations 282
Prerequisites for Management Center High Availability 283
Establishing Management Center High Availability 284
Viewing Management Center High Availability Status 285
Configuration Data Synced between Firepower Management Centers during High Availability 286
Configuring External Access to the Management Center Database in a High Availability Pair 287
Using CLI to Resolve Device Registration in Management Center High Availability 287
Switching Peers in a Management Center High Availability Pair 288
Pausing Communication Between Paired Firepower Management Centers 288
Restarting Communication Between Paired Firepower Management Centers 288
Changing the IP Address of a Management Center in a High Availability Pair 289
Disabling Management Center High Availability 289
Replacing Management Centers in a High Availability Pair 290
Replace a Failed Primary Management Center (Successful Backup) 290
Replace a Failed Primary Management Center (Unsuccessful Backup) 291
Replace a Failed Secondary Management Center (Successful Backup) 292
Replace a Failed Secondary Management Center (Unsuccessful Backup) 293
Management Center High Availability Disaster Recovery 294
History for Management Center High Availability 294
CHAPTER 9 Security Certifications Compliance 295
Security Certifications Compliance Modes 295
Security Certifications Compliance Characteristics 296
Security Certifications Compliance Recommendations 297
Appliance Hardening 298
Protecting Your Network 299
Enable Security Certifications Compliance 300
PART III Health and Monitoring 303
CHAPTER 10 Dashboards 305
About Dashboards 305
Dashboard Widgets 306
Widget Availability 306
Dashboard Widget Availability by User Role 307
Predefined Dashboard Widgets 308
The Appliance Information Widget 308
The Appliance Status Widget 309
The Correlation Events Widget 309
The Current Interface Status Widget 309
The Current Sessions Widget 310
The Custom Analysis Widget 310
The Disk Usage Widget 314
The Interface Traffic Widget 315
The Intrusion Events Widget 315
The Network Compliance Widget 316
The Product Licensing Widget 316
The Product Updates Widget 317
The RSS Feed Widget 317
The System Load Widget 318
The System Time Widget 318
The Allow List Events Widget 318
Managing Dashboards 318
Adding a Dashboard 319
Adding Widgets to a Dashboard 319
Configuring Widget Preferences 320
Creating Custom Dashboards 321
Custom Dashboard Options 321
Customizing the Widget Display 322
Editing Dashboards Options 323
Modifying Dashboard Time Settings 323
Renaming a Dashboard 324
Viewing Dashboards 325
CHAPTER 11 Health 327
Requirements and Prerequisites for Health Monitoring 327
About Health Monitoring 327
Health Modules 329
Configuring Health Monitoring 339
Health Policies 340
Default Health Policy 340
Creating Health Policies 340
Applying Health Policies 341
Editing Health Policies 342
Deleting Health Policies 343
Device Exclusion in Health Monitoring 343
Excluding Appliances from Health Monitoring 344
Excluding Health Policy Modules 344
Expired Health Monitor Exclusions 345
Health Monitor Alerts 346
Health Monitor Alert Information 346
Creating Health Monitor Alerts 347
Editing Health Monitor Alerts 348
Deleting Health Monitor Alerts 348
About the Health Monitor 348
Using the Management Center Health Monitor 350
Running All Modules for an Appliance 351
Running a Specific Health Module 351
Generating Health Module Alert Graphs 352
Device Health Monitors 352
Viewing System Details and Troubleshooting 353
Viewing the Device Health Monitor 354
Health Monitor Status Categories 364
Health Event Views 365
Viewing Health Events 365
Viewing Health Events by Module and Appliance 365
Viewing the Health Events Table 366
The Health Events Table 367
History for Health Monitoring 368
CHAPTER 12 Audit and Syslog 373
The System Log 373
Viewing the System Log 373
Syntax for System Log Filters 374
About System Auditing 375
Audit Records 375
Viewing Audit Records 375
Suppressing Audit Records 378
About Sending Audit Logs to an External Location 382
CHAPTER 13 Statistics 383
About System Statistics 383
The Host Statistics Section 383
The Disk Usage Section 384
The Processes Section 384
Process Status Fields 384
System Daemons 386
Executables and System Utilities 388
The SFDataCorrelator Process Statistics Section 391
The Intrusion Event Information Section 392
Viewing System Statistics 392
CHAPTER 14 Troubleshooting 395
First Steps for Troubleshooting 395
System Messages 395
Message Types 396
Message Management 397
View Basic System Information 398
View Appliance Information 398
Managing System Messages 398
Viewing Deployment Messages 399
Viewing Health Messages 400
Viewing Task Messages 400
Managing Task Messages 401
Configuring Notification Behavior 401
Memory Usage Thresholds for Health Monitor Alerts 402
Disk Usage and Drain of Events Health Monitor Alerts 403
Health Monitor Reports for Troubleshooting 406
Producing Troubleshooting Files for Specific System Functions 407
Downloading Advanced Troubleshooting Files 408
General Troubleshooting 408
Connection-based Troubleshooting 408
Troubleshoot a Connection 409
Advanced Troubleshooting for the Secure Firewall Threat Defense Device 409
Using the Threat Defense CLI from the Web Interface 410
Packet Tracer Overview 410
Use the Packet Tracer 411
Packet Capture Overview 413
Use the Capture Trace 415
Feature-Specific Troubleshooting 416
PART IV Tools 419
CHAPTER 15 Backup/Restore 421
About Backup and Restore 421
Requirements for Backup and Restore 423
Guidelines and Limitations for Backup and Restore 424
Configuration Import/Export Guidelines for Firepower 4100/9300 425
Best Practices for Backup and Restore 425
Backing Up Management Centers or Managed Devices 429
Back up the Management Center 429
Back up a Device from the Management Center 431
Exporting an FXOS Configuration File 432
Create a Backup Profile 432
Restoring Management Centers and Managed Devices 433
Restore Management Center from Backup 434
Restore Threat Defense from Backup: Firepower 1000/2100/3100, ISA 3000 (Non-Zero-Touch) 435
Zero-Touch Restore Threat Defense from Backup: ISA 3000 438
Restore Threat Defense from Backup: Firepower 4100/9300 Chassis 440
Importing a Configuration File 443
Restore Threat Defense from Backup: Threat Defense Virtual 445
Manage Backups and Remote Storage 447
Backup Storage Locations 448
History for Backup and Restore 450
CHAPTER 16 Scheduling 451
About Task Scheduling 451
Requirements and Prerequisites for Task Scheduling 452
Configuring a Recurring Task 452
Scheduled Backups 453
Schedule Management Center Backups 454
Schedule Remote Device Backups 454
Configuring Certificate Revocation List Downloads 455
Automating Policy Deployment 456
Nmap Scan Automation 457
Scheduling an Nmap Scan 458
Automating Report Generation 459
Specify Report Generation Settings for a Scheduled Report 460
Automating Cisco Recommendations 460
Software Update Automation 461
Automating Software Downloads 463
Automating Software Pushes 463
Automating Software Installs 464
Vulnerability Database Update Automation 465
Automating VDB Update Downloads 466
Automating VDB Update Installs 466
Automating URL Filtering Updates Using a Scheduled Task 467
Scheduled Task Review 468
Task List Details 469
Viewing Scheduled Tasks on the Calendar 469
Editing Scheduled Tasks 470
Deleting Scheduled Tasks 470
History for Scheduled Tasks 471
CHAPTER 17 Import/Export 473
About Configuration Import/Export 473
Configurations that Support Import/Export 473
Special Considerations for Configuration Import/Export 474
Requirements and Prerequisites for Configuration Import/Export 475
Exporting Configurations 475
Importing Configurations 476
Import Conflict Resolution 477
CHAPTER 18 Data Purge and Storage 479
Data Stored on the Management Center 479
Purging Data from the Management Center Database 480
External Data Storage 481
Comparison of Security Analytics and Logging Remote Event Storage Options 481
Remote Data Storage in Cisco Secure Cloud Analytics 482
Remote Data Storage on a Secure Network Analytics Appliance 482
History for Data Storage 483
PART V Reporting and Alerting 487
CHAPTER 19 Reports 489
Requirements and Prerequisites for Reports 489
Introduction to Reports 489
Risk Reports 490
Risk Report Templates 490
Generating, Viewing, and Printing Risk Reports 490
Standard Reports 491
About Designing Reports 492
Report Templates 492
Report Template Fields 492
Report Template Creation 494
Report Template Configuration 497
Managing Report Templates 508
About Generating Reports 510
Generating Reports 510
Report Generation Options 511
Distributing Reports by Email at Generation Time 511
Schedule Future Reports 512
About Working with Generated Reports 512
Viewing Reports 512
Downloading Reports 513
Storing Reports Remotely 513
Moving Reports to Remote Storage 514
Deleting Reports 515
History for Reporting 515
CHAPTER 20 External Alerting with Alert Responses 517
Secure Firewall Management Center Alert Responses 517
Configurations Supporting Alert Responses 518
Requirements and Prerequisites for Alert Responses 518
Creating an SNMP Alert Response 519
Creating a Syslog Alert Response 520
Syslog Alert Facilities 521
Syslog Severity Levels 522
Creating an Email Alert Response 523
Configuring Impact Flag Alerting 523
Configuring Discovery Event Alerting 524
Configuring Malware defense Alerting 524
CHAPTER 21 External Alerting for Intrusion Events 527
About External Alerting for Intrusion Events 527
License Requirements for External Alerting for Intrusion Events 528
Requirements and Prerequisites for External Alerting for Intrusion Events 528
Configuring SNMP Alerting for Intrusion Events 528
Intrusion SNMP Alert Options 529
Configuring Syslog Alerting for Intrusion Events 530
Facilities and Severities for Intrusion Syslog Alerts 531
Configuring Email Alerting for Intrusion Events 532
Intrusion Email Alert Options 532
PART VI Event and Asset Analysis Tools 535
CHAPTER 22 Context Explorer 537
About the Context Explorer 537
Differences Between the Dashboard and the Context Explorer 538
The Traffic and Intrusion Event Counts Time Graph 538
The Indications of Compromise Section 539
The Hosts by Indication Graph 539
The Indications by Host Graph 539
The Network Information Section 539
The Operating Systems Graph 539
The Traffic by Source IP Graph 540
The Traffic by Source User Graph 540
The Connections by Access Control Action Graph 540
The Traffic by Destination IP Graph 541
The Traffic by Ingress/Egress Security Zone Graph 541
The Application Information Section 541
Focusing the Application Information Section 542
The Traffic by Risk/Business Relevance and Application Graph 542
The Intrusion Events by Risk/Business Relevance and Application Graph 542
The Hosts by Risk/Business Relevance and Application Graph 543
The Application Details List 543
The Security Intelligence Section 543
The Security Intelligence Traffic by Category Graph 544
The Security Intelligence Traffic by Source IP Graph 544
The Security Intelligence Traffic by Destination IP Graph 544
The Intrusion Information Section 544
The Intrusion Events by Impact Graph 545
The Top Attackers Graph 545
The Top Users Graph 545
The Intrusion Events by Priority Graph 545
The Top Targets Graph 545
The Top Ingress/Egress Security Zones Graph 545
The Intrusion Event Details List 546
The Files Information Section 546
The Top File Types Graph 546
The Top File Names Graph 546
The Files by Disposition Graph 547
The Top Hosts Sending Files Graph 547
The Top Hosts Receiving Files Graph 547
The Top Malware Detections Graph 548
The Geolocation Information Section 548
The Connections by Initiator/Responder Country Graph 548
The Intrusion Events by Source/Destination Country Graph 548
The File Events by Sending/Receiving Country Graph 549
The URL Information Section 549
The Traffic by URL Graph 549
The Traffic by URL Category Graph 549
The Traffic by URL Reputation Graph 550
Requirements and Prerequisites for the Context Explorer 550
Refreshing the Context Explorer 550
Setting the Context Explorer Time Range 551
Minimizing and Maximizing Context Explorer Sections 551
Drilling Down on Context Explorer Data 552
Filters in the Context Explorer 553
Data Type Field Options 554
Creating a Filter from the Add Filter Window 556
Creating a Quick Filter from the Context Menu 557
Saving Filtered Context Explorer Views 557
Viewing Filter Data 557
Deleting a Filter 558
CHAPTER 23 Network Map 559
Requirements and Prerequisites for the Network Map 559
The Network Map 559
The Hosts Network Map 560
The Network Devices Network Map 561
The Mobile Devices Network Map 561
The Indications of Compromise Network Map 562
The Application Protocols Network Map 562
The Vulnerabilities Network Map 563
The Host Attributes Network Map 564
Viewing Network Maps 564
Custom Network Topologies 565
Creating Custom Topologies 565
Importing Networks from the Network Discovery Policy 566
Manually Adding Networks to Your Custom Topology 567
Activating and Deactivating Custom Topologies 567
Editing Custom Topologies 567
CHAPTER 24
Lookups
569
Introduction to Lookups 569
Performing Whois Lookups 569
Finding URL Category and Reputation 570
Finding Geolocation Information for an IP Address 571
CHAPTER 25
Event Analysis Using External Tools
573
Integrate with Cisco SecureX 573
Configure the Management Center Devices to Send Events to the Cisco Cloud 573
Configure Cisco Success Network Enrollment 575
Configure Cisco Support Diagnostics Enrollment 576
Access SecureX Using the Ribbon 577
Event Analysis with SecureX Threat Response 577
View Event Data in SecureX Threat Response 578
Event Investigation Using Web-Based Resources 578
About Managing Contextual Cross-Launch Resources 579
Requirements for Custom Contextual Cross-Launch Resources 579
Add Contextual Cross-Launch Resources 579
Investigate Events Using Contextual Cross-Launch 581
Configure Cross-Launch Links for Secure Network Analytics 581
About Sending Syslog Messages for Security Events 582
About Configuring the System to Send Security Event Data to Syslog 583
Best Practices for Configuring Security Event Syslog Messaging 583
Send Security Event Syslog Messages from Threat Defense Devices 583
Send Security Event Syslog Messages from Classic Devices 586
Configuration Locations for Security Event Syslogs 587
Anatomy of Security Event Syslog Messages 591
Facility in Security Event Syslog Messages 593
Firepower Syslog Message Types 594
Limitations of Syslog for Security Events 595
eStreamer Server Streaming 595
Comparison of Syslog and eStreamer for Security Eventing 596
Data Sent Only via eStreamer, Not via Syslog 596
Choosing eStreamer Event Types 597
Configuring eStreamer Client Communications 598
Event Analysis in Splunk 598
Event Analysis in IBM QRadar 599
History for Analyzing Event Data Using External Tools 599
PART VII
Workflows and Tables
605
CHAPTER 26
Workflows
607
Overview: Workflows 607
Predefined Workflows 608
Predefined Intrusion Event Workflows 608
Predefined Malware Workflows 609
Predefined File Workflows 610
Predefined Captured File Workflows 610
Predefined Connection Data Workflows 611
Predefined Security Intelligence Workflows 613
Predefined Host Workflows 613
Predefined Indications of Compromise Workflows 613
Predefined Applications Workflows 614
Predefined Application Details Workflows 615
Predefined Servers Workflows 615
Predefined Host Attributes Workflows 615
The Predefined Discovery Events Workflow 616
Predefined User Workflows 616
Predefined Vulnerabilities Workflows 616
Predefined Third-Party Vulnerabilities Workflows 617
Predefined Correlation and Allow List Workflows 617
Predefined System Workflows 617
Custom Table Workflows 618
Using Workflows 618
Workflow Access by User Role 620
Workflow Selection 620
Workflow Pages 622
Workflow Page Navigation Tools 623
Workflow Page Traversal Tools 623
File Trajectory Icons 624
Host Profile Icons 624
Threat Score Icons 624
User Icons 625
The Workflow Toolbar 625
Using Drill-Down Pages 626
Using Table View Pages 626
Work in Secure Firewall Management Center with Connection Events Stored on a Secure Network Analytics Appliance 627
Geolocation 628
Connection Event Graphs 629
Using Connection Event Graphs 629
Event Time Constraints 635
Per-Session Time Window Customization for Events 636
The Default Time Window for Events 639
Event View Constraints 641
Constraining Events 642
Compound Event View Constraints 643
Using Compound Event View Constraints 643
Inter-Workflow Navigation 644
Working with the Unified Event Viewer 645
Unified Event Viewer Column Descriptions 647
Bookmarks 648
Creating Bookmarks 649
Viewing Bookmarks 649
History for Workflows 650
CHAPTER 27
Event Search
653
Event Searches 653
Search Constraints 653
General Search Constraints 654
Wildcards and Symbols in Searches 654
Objects and Application Filters in Searches 655
Time Constraints in Searches 655
IP Addresses in Searches 655
URLs in Searches 657
Managed Devices in Searches 657
Ports in Searches 657
Event Fields in Searches 658
Performing a Search 658
Saving a Search 660
Loading a Saved Search 660
Query Overrides Via the Shell 661
Shell-Based Query Management Syntax 661
Stopping Long-Running Queries 662
History for Searching for Events 662
CHAPTER 28
Custom Workflows
663
Introduction to Custom Workflows 663
Saved Custom Workflows 663
Custom Workflow Creation 664
Creating Custom Workflows Based on Non-Connection Data 665
Creating Custom Connection Data Workflows 666
Custom Workflow Use and Management 667
Viewing Custom Workflows Based on Predefined Tables 667
Viewing Custom Workflows Based on Custom Tables 668
Editing Custom Workflows 668
CHAPTER 29
Custom Tables
669
Introduction to Custom Tables 669
Predefined Custom Tables 669
Possible Table Combinations 670
User-Defined Custom Tables 673
Creating a Custom Table 673
Modifying a Custom Table 674
Deleting a Custom Table 675
Viewing a Workflow Based on a Custom Table 675
Searching Custom Tables 675
History for Custom Tables 677
PART VIII
Events and Assets
679
CHAPTER 30
Connection Logging
681
About Connection Logging 681
Connections That Are Always Logged 682
Other Connections You Can Log 682
How Rules and Policy Actions Affect Logging 683
Logging for Fastpathed Connections 684
Logging for Monitored Connections 684
Logging for Trusted Connections 684
Logging for Blocked Connections 684
Logging for Allowed Connections 686
Beginning vs End-of-Connection Logging 687
Secure Firewall Management Center vs External Logging 688
Limitations of Connection Logging 689
When Events Appear in the Event Viewer 689
Best Practices for Connection Logging 690
Requirements and Prerequisites for Connection Logging 692
Configure Connection Logging 692
Logging Connections with Tunnel and Prefilter Rules 692
Logging Decryptable Connections with TLS/SSL Rules 693
Logging Connections with Security Intelligence 694
Logging Connections with Access Control Rules 694
Logging Connections with a Policy Default Action 695
Limiting Logging of Long URLs 696
CHAPTER 31
Connection and Security Intelligence Events
699
About Connection Events 699
Connection vs. Security Intelligence Events 700
NetFlow Connections 700
Connection Summaries (Aggregated Data for Graphs) 700
Long-Running Connections 701
Combined Connection Summaries from External Responders 701
Connection and Security Intelligence Event Fields 701
About Connection and Security Intelligence Event Fields 716
A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields 716
Connection Event Reasons 717
Requirements for Populating Connection Event Fields 718
Information Available in Connection Event Fields 720
Using Connection and Security Intelligence Event Tables 724
Viewing Files and Malware Detected in a Connection 726
Viewing Intrusion Events Associated with a Connection 727
Encrypted Connection Certificate Details 727
Viewing the Connection Summary Page 728
History for Connection and Security Intelligence Events 729
CHAPTER 32
Intrusion Events
733
About Intrusion Events 733
Tools for Reviewing and Evaluating Intrusion Events 733
License Requirements for Intrusion Events 734
Requirements and Prerequisites for Intrusion Events 734
Viewing Intrusion Events 735
About Intrusion Event Fields 735
Intrusion Event Fields 736
Intrusion Event Impact Levels 747
Viewing Connection Data Associated with Intrusion Events 749
Marking Intrusion Events Reviewed 749
Viewing Previously Reviewed Intrusion Events 750
Marking Reviewed Intrusion Events Unreviewed 750
Preprocessor Events 750
Preprocessor Generator IDs 751
Intrusion Event Workflow Pages 753
Using Intrusion Event Workflows 754
Intrusion Event Drill-Down Page Constraints 756
Intrusion Event Table View Constraints 757
Using the Intrusion Event Packet View 757
Event Information Fields 759
Frame Information Fields 765
Data Link Layer Information Fields 766
Viewing Network Layer Information 766
Viewing Transport Layer Information 769
Viewing Packet Byte Information 771
Internally Sourced Intrusion Events 771
Viewing Intrusion Event Statistics 771
Host Statistics 772
Event Overview 773
Event Statistics 773
Viewing Intrusion Event Performance Graphs 774
Intrusion Event Performance Statistics Graph Types 774
Viewing Intrusion Event Graphs 778
History for Intrusion Events 780
CHAPTER 33
File/Malware Events and Network File Trajectory
781
About File/Malware Events and Network File Trajectory 781
File and Malware Events 782
File and Malware Event Types 782
File Events 782
Malware Events 783
Retrospective Malware Events 783
Malware Events Generated by Secure Endpoint 784
Using File and Malware Event Workflows 785
File and Malware Event Fields 786
Malware Event Sub-Types 796
Information Available in File and Malware Event Fields 797
View Details About Analyzed Files 800
File Composition Report 800
View File Details in AMP Private Cloud 800
Threat Scores and Dynamic Analysis Summary Reports 801
Viewing Dynamic Analysis Results in the Cisco Secure Malware Analytics Cloud 802
Using Captured File Workflows 802
Captured File Fields 803
Stored Files Download 807
Manually Submit Files for Analysis 808
Network File Trajectory 809
Recently Detected Malware and Analyzed Trajectories 809
Network File Trajectory Detailed View 809
Network File Trajectory Summary Information 810
Network File Trajectory Map and Related Events List 811
Using a Network File Trajectory 812
Work with Event Data in the Secure Endpoint Console 814
History for File and Malware Events and Network File Trajectory 815
CHAPTER 34
Host Profiles
817
Requirements and Prerequisites for Host Profiles 817
Host Profiles 818
Host Profile Limitations 819
Viewing Host Profiles 819
Basic Host Information in the Host Profile 819
Operating Systems in the Host Profile 821
Viewing Operating System Identities 823
Setting the Current Operating System Identity 824
Operating System Identity Conflicts 824
Making a Conflicting Operating System Identity Current 825
Resolving an Operating System Identity Conflict 825
Servers in the Host Profile 825
Server Details in the Host Profile 827
Viewing Server Details 828
Editing Server Identities 828
Resolving Server Identity Conflicts 829
Web Applications in the Host Profile 829
Deleting Web Applications from the Host Profile 831
Host Protocols in the Host Profile 831
Deleting a Protocol From the Host Profile 831
Indications of Compromise in the Host Profile 832
VLAN Tags in the Host Profile 832
User History in the Host Profile 832
Host Attributes in the Host Profile 833
Predefined Host Attributes 833
Allow List Host Attributes 833
User-Defined Host Attributes 834
Creating Text- or URL-Based Host Attributes 835
Creating Integer-Based Host Attributes 835
Creating List-Based Host Attributes 835
Setting Host Attribute Values 836
Allow List Violations in the Host Profile 836
Creating Shared Allow List Host Profiles 837
Malware Detections in the Host Profile 837
Vulnerabilities in the Host Profile 838
Downloading Patches for Vulnerabilities 839
Deactivating Vulnerabilities for Individual Hosts 839
Deactivating Individual Vulnerabilities 840
Scan Results in the Host Profile 841
Scanning a Host from the Host Profile 841
History for Host Profiles 842
CHAPTER 35
Discovery Events
843
Requirements and Prerequisites for Discovery Events 843
Discovery and Identity Data in Discovery Events 843
Viewing Discovery Event Statistics 844
The Statistics Summary Section 845
The Event Breakdown Section 846
The Protocol Breakdown Section 846
The Application Protocol Breakdown Section 847
The OS Breakdown Section 847
Viewing Discovery Performance Graphs 847
Discovery Performance Graph Types 848
Using Discovery and Identity Workflows 848
Discovery and Host Input Events 850
Discovery Event Types 850
Host Input Event Types 854
Viewing Discovery and Host Input Events 856
Discovery Event Fields 856
Host Data 858
Viewing Host Data 858
Host Data Fields 858
Creating a Traffic Profile for Selected Hosts 862
Creating a Compliance Allow List Based on Selected Hosts 863
Host Attribute Data 863
Viewing Host Attributes 864
Host Attribute Data Fields 864
Setting Host Attributes for Selected Hosts 865
Indications of Compromise Data 865
View and Work with Indications of Compromise Data 866
Indications of Compromise Data Fields 868
Editing Indication of Compromise Rule States for a Single Host or User 868
Viewing Source Events for Indication of Compromise Tags 869
Resolving Indication of Compromise Tags 869
Server Data 869
Viewing Server Data 870
Server Data Fields 870
Application and Application Details Data 873
Viewing Application Data 873
Application Data Fields 874
Viewing Application Detail Data 875
Application Detail Data Fields 876
Vulnerability Data 877
Vulnerability Data Fields 877
Vulnerability Deactivation 879
Viewing Vulnerability Data 879
Viewing Vulnerability Details 880
Deactivating Multiple Vulnerabilities 881
Third-Party Vulnerability Data 881
Viewing Third-Party Vulnerability Data 881
Third-Party Vulnerability Data Fields 882
Active Sessions, Users, and User Activity Data 883
User-Related Fields 884
Active Sessions Data 890
User Data 891
User Activity Data 894
User Profile and Host History 896
History for Working with Discovery Events 898
CHAPTER 36
Correlation and Compliance Events
899
Viewing Correlation Events 899
Correlation Event Fields 900
Using Compliance Allow List Workflows 903
Viewing Allow List Events 904
Allow List Event Fields 905
Viewing Allow List Violations 906
Allow List Violation Fields 907
Remediation Status Events 908
Viewing Remediation Status Events 908
Remediation Status Table Fields 909
Using the Remediation Status Events Table 910
PART IX
Correlation and Compliance
913
CHAPTER 37
Compliance Lists
915
Introduction to Compliance Allow Lists 915
Compliance Allow List Target Networks 916
Compliance Allow List Host Profiles 917
Operating System-Specific Host Profiles 918
Shared Host Profiles 918
Allow Violation Triggers 919
Requirements and Prerequisites for Compliance 920
Creating a Compliance Allow List 920
Setting Target Networks for a Compliance Allow List 922
Building Allow List Host Profiles 922
Adding an Application Protocol to a Compliance Allow List 924
Adding a Client to a Compliance Allow List 924
Adding a Web Application to a Compliance Allow List 925
Adding a Protocol to a Compliance Allow List 925
Managing Compliance Allow Lists 926
Editing a Compliance Allow List 926
Managing Shared Host Profiles 928
CHAPTER 38
Correlation Policies
929
Introduction to Correlation Policies and Rules 929
Requirements and Prerequisites for Compliance 930
Configuring Correlation Policies 931
Adding Responses to Rules and Allow Lists 931
Managing Correlation Policies 932
Configuring Correlation Rules 933
Syntax for Intrusion Event Trigger Criteria 934
Syntax for Malware Event Trigger Criteria 937
Syntax for Discovery Event Trigger Criteria 938
Syntax for User Activity Event Trigger Criteria 941
Syntax for Host Input Event Trigger Criteria 942
Syntax for Connection Event Trigger Criteria 943
Syntax for Traffic Profile Changes 946
Syntax for Correlation Host Profile Qualifications 948
Syntax for User Qualifications 951
Connection Trackers 952
Adding a Connection Tracker 953
Syntax for Connection Trackers 953
Syntax for Connection Tracker Events 956
Sample Configuration for Excessive Connections From External Hosts 956
Sample Configuration for Excessive BitTorrent Data Transfers 958
Snooze and Inactive Periods 960
Correlation Rule Building Mechanics 960
Adding and Linking Conditions in Correlation Rules 962
Using Multiple Values in Correlation Rule Conditions 963
Managing Correlation Rules 963
Configuring Correlation Response Groups 964
Managing Correlation Response Groups 965
CHAPTER 39
Traffic Profiling
967
Introduction to Traffic Profiles 967
Traffic Profile Conditions 969
Requirements and Prerequisites for Traffic Profiles 971
Managing Traffic Profiles 971
Configuring Traffic Profiles 972
Adding Traffic Profile Conditions 973
Adding Host Profile Qualifications to a Traffic Profile 973
Syntax for Traffic Profile Conditions 974
Syntax for Host Profile Qualifications in a Traffic Profile 975
Using Multiple Values in a Traffic Profile Condition 977
CHAPTER 40
Remediations
979
Requirements and Prerequisites for Remediations 979
Introduction to Remediations 979
Cisco ISE EPS Remediations 980
Configuring ISE EPS Remediations 981
Cisco IOS Null Route Remediations 982
Configuring Remediations for Cisco IOS Routers 983
Nmap Scan Remediations 987
Set Attribute Value Remediations 988
Configuring Set Attribute Remediations 988
Managing Remediation Modules 989
Managing Remediation Instances 990
Managing Instances for a Single Remediation Module 990
PART X
Reference
993
CHAPTER 41
Secure Firewall Management Center Command Line Reference
995
About the Secure Firewall Management Center CLI 995
Secure Firewall Management Center CLI Modes 996
Secure Firewall Management Center CLI Management Commands 996
exit 996
expert 996
? (question mark) 997
Secure Firewall Management Center CLI Show Commands 997
version 997
Secure Firewall Management Center CLI Configuration Commands 998
password 998
Secure Firewall Management Center CLI System Commands 998
generate-troubleshoot 998
lockdown 999
reboot 1000
restart 1000
shutdown 1000
History for the Secure Firewall Management Center CLI 1001
CHAPTER 42
Security, Internet Access, and Communication Ports
1003
Security Requirements 1003
Cisco Clouds 1003
Internet Access Requirements 1004
Communication Port Requirements 1007
PART I
Getting Started
• Management Center Overview, on page 1
• Logging into the Management Center, on page 27
CHAPTER 1
Management Center Overview
The Secure Firewall Management Center is a powerful, web-based, multi-device manager that runs on its own server hardware, or as a virtual device on a hypervisor. Use the management center if you want a multi-device manager and you require all threat defense features. The management center also provides powerful analysis and monitoring of traffic and events.
Cisco Defense Orchestrator (CDO) can act as the primary manager using a full-featured, cloud-delivered management center. In this use case, you can use an on-premises management center for analytics only. The on-premises management center does not support policy configuration or upgrading. Chapters and procedures in this guide related to configuration and other unsupported features do not apply to CDO-managed devices.
When the management center is the primary manager, it is not compatible with other managers: the management center owns the threat defense configuration, and you are not allowed to configure the threat defense directly, bypassing the management center.
• Quick Start: Basic Setup, on page 1
• Threat Defense Devices, on page 6
• Features, on page 6
• Search the Management Center, on page 11
• Switching Domains on the Secure Firewall Management Center, on page 20
• The Context Menu, on page 21
• Sharing Data with Cisco, on page 23
• Online Help, How To, and Documentation, on page 23
• IP Address Conventions, on page 26
• Additional Resources, on page 26
Quick Start: Basic Setup
The Firepower feature set is powerful and flexible enough to support basic and advanced configurations. Use
the following sections to quickly set up a Secure Firewall Management Center and its managed devices to
begin controlling and analyzing traffic.
Installing and Performing Initial Setup on Physical Appliances
Procedure
Install and perform initial setup on all physical appliances using the documentation for your appliance:
• Management Center
• Cisco Firepower Management Center Getting Started Guide for your hardware model, available
from
http://www.cisco.com/go/firepower-mc-install
• Threat Defense managed devices
• Cisco Firepower 1010 Getting Started Guide
• Cisco Firepower 1100 Getting Started Guide
• Cisco Firepower 2100 Getting Started Guide
• Cisco Secure Firewall 3100 Getting Started Guide
• Cisco Firepower 4100 Getting Started Guide
• Cisco Firepower 9300 Getting Started Guide
• Cisco Firepower Threat Defense for the ISA 3000 Using Firepower Management Center Quick
Start Guide
Deploying Virtual Appliances
Follow these steps if your deployment includes virtual appliances. Use the documentation roadmap to locate the documents listed below: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
Procedure
Step 1
Determine the supported virtual platforms you will use for the Management Center and devices (these may
not be the same). See the Cisco Firepower Compatibility Guide.
Step 2
Deploy virtual Firepower Management Centers using the documentation for your environment:
• management center virtual running on VMware: Cisco Secure Firewall Management Center Virtual
Getting Started Guide
• management center virtual running on AWS: Cisco Secure Firewall Management Center Virtual Getting
Started Guide
• management center virtual running on KVM: Cisco Secure Firewall Management Center Virtual Getting
Started Guide
Step 3
Deploy virtual devices using the documentation for your appliance:
• threat defense virtual running on VMware: Cisco Secure Firewall Threat Defense Virtual for VMware
Getting Started Guide
• threat defense virtual running on AWS: Cisco Secure Firewall Threat Defense Virtual for AWS Getting
Started Guide
• threat defense virtual running on KVM: Cisco Secure Firewall Threat Defense Virtual for KVM Getting
Started Guide
• threat defense virtual running on Azure: Cisco Secure Firewall Threat Defense Virtual for Azure Getting
Started Guide
Logging In for the First Time
Before logging in to a new management center for the first time, prepare the appliance as described in Installing
and Performing Initial Setup on Physical Appliances, on page 2 or Deploying Virtual Appliances, on page
2.
The first time you log in to a new management center (or a management center newly restored to factory
defaults), use the admin account for either the CLI or the web interface and follow the instructions in the
Cisco Firepower Management Center Getting Started Guide for your management center model. Once you
complete the initial configuration process, the following aspects of your system will be configured:
• The passwords for the two admin accounts (one for web interface access and the other for CLI access)
will be set to the same value, complying with strong password requirements as described in Guidelines
and Limitations for User Accounts for Management Center, on page 110. The system synchronizes the
passwords for the two admin accounts only during the initial configuration process. If you change the
password for either admin account thereafter, they will no longer be the same and the strong password
requirement can be removed from the web interface admin account. (See Add an Internal User, on page
111.)
• The following network settings the management center uses for network communication through its
management interface (eth0) will be set to default values or values you supply:
• Fully qualified domain name (<hostname>.<domain>)
• Boot protocol for IPv4 configuration (DHCP or Static/Manual)
• IPv4 address
• Network mask
• Gateway
• DNS Servers
• NTP Servers
Values for these settings can be viewed and changed through the management center web interface; see
Modify Management Center Management Interfaces, on page 60 and Time and Time Synchronization,
on page 84 for more information.
• As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring
the update fails and the management center has internet access, we recommend you configure regular
GeoDB updates as described in Schedule GeoDB Updates, on page 208.
• As a part of initial configuration, the system schedules a weekly task to download the latest software
updates. If the task scheduling fails and the management center has internet access, we recommend you
schedule a recurring task for downloading software updates as described in Automating Software
Downloads, on page 463.
Important
This task downloads software updates to the management center. It is your
responsibility to install any updates this task downloads.
• As a part of initial configuration, the system schedules a weekly task to perform a locally stored
configuration-only management center backup. If the task scheduling fails we recommend you schedule
a recurring task to perform a backup as described in Schedule Management Center Backups, on page
454.
• As a part of initial configuration the system downloads and installs the latest vulnerability database
(VDB) update from the Cisco Support & Download site. This is a one-time operation. To keep the system
up to date, if the management center has internet access, we recommend you schedule tasks to perform
automatic recurring VDB update downloads and installations as described in Vulnerability Database
Update Automation, on page 465.
• As a part of initial configuration the system configures a daily automatic intrusion rule update from the
Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed
devices when it next deploys affected policies.) If configuring the update fails and the management center
has internet access, we recommend you configure regular intrusion rule updates as described in Schedule
Intrusion Rule Updates, on page 213.
On completion of management center initial configuration, the web interface displays the device management
page, described in Cisco Secure Firewall Management Center Device Configuration Guide.
(This is the default login page only for the first time the admin user logs in. On subsequent logins by the
admin or any user, the default login page is determined as described in Specifying Your Home Page, on page
188.)
Once you have completed the initial configuration, begin controlling and analyzing traffic by configuring
basic policies as described in Setting Up Basic Policies and Configurations, on page 4.
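The management interface values listed above (FQDN, boot protocol, IPv4 address, mask, gateway, DNS and NTP servers) are entered once during initial configuration, and a mistyped mask or a gateway in the wrong subnet leaves the appliance reachable only from the console. The following pre-flight check is an added example, not Cisco code and not part of the product: it assumes the administrator records the planned values in a plain dictionary with the keys used below (the key names and every sample address are constructed for this example) and reports inconsistencies before they are typed into the setup dialog.

```python
"""Pre-flight check for the management interface (eth0) values collected
during management center initial configuration.

Added example, not Cisco code. It assumes the administrator records the
planned values in a plain dict with the keys used below; the key names
and the sample addresses are constructed for this example.
"""
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_fqdn(name: str) -> bool:
    """True for <hostname>.<domain>: two or more valid labels, 253 chars max."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_management_settings(settings: dict) -> list:
    """Return the list of problems found; an empty list means the values are consistent."""
    problems = []

    if not valid_fqdn(settings.get("fqdn", "")):
        problems.append("fqdn: must be <hostname>.<domain>")

    boot = settings.get("boot_protocol")
    if boot not in ("DHCP", "Static"):
        problems.append("boot_protocol: must be DHCP or Static")

    if boot == "Static":
        # Address and mask together define the management subnet; the
        # ipaddress module accepts both "/24" and dotted-decimal masks.
        try:
            iface = ipaddress.IPv4Interface(
                f"{settings['ipv4_address']}/{settings['netmask']}")
        except (KeyError, ValueError) as exc:
            problems.append(f"ipv4_address/netmask: {exc}")
            iface = None
        if iface is not None:
            net = iface.network
            # Network and broadcast addresses are not usable host addresses
            # (except on /31 and /32, where ipaddress treats them as hosts).
            if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
                problems.append("ipv4_address: network/broadcast address, not a host")
            gateway = settings.get("gateway", "")
            if not _is_ip(gateway):
                problems.append("gateway: missing or not a valid IPv4 address")
            elif ipaddress.ip_address(gateway) not in net:
                problems.append(f"gateway: {gateway} is outside {net}")
            elif ipaddress.ip_address(gateway) == iface.ip:
                problems.append("gateway: same as the appliance address")

    # DNS servers must be addresses. NTP servers are accepted by address or
    # by name here; that is this example's choice, not a product rule.
    for key, allow_name in (("dns_servers", False), ("ntp_servers", True)):
        values = settings.get(key) or []
        if not values:
            problems.append(f"{key}: at least one server is required")
        for value in values:
            if _is_ip(value) or (allow_name and valid_fqdn(value)):
                continue
            problems.append(f"{key}: {value!r} is not a valid server")
    return problems


# Constructed sample inputs (not from any real deployment).
GOOD_SETTINGS = {
    "fqdn": "fmc.example.net",
    "boot_protocol": "Static",
    "ipv4_address": "10.10.1.20",
    "netmask": "255.255.255.0",
    "gateway": "10.10.1.1",
    "dns_servers": ["10.10.0.53"],
    "ntp_servers": ["10.10.0.123"],
}

BAD_SETTINGS = {
    "fqdn": "fmc",                    # hostname only, no domain part
    "boot_protocol": "Static",
    "ipv4_address": "10.10.1.20",
    "netmask": "255.255.255.0",
    "gateway": "10.10.2.1",           # not in 10.10.1.0/24
    "dns_servers": [],                # nothing to resolve with
    "ntp_servers": ["ntp.example.net"],
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, check_management_settings(cfg) or "OK")
```

Run it against the values you intend to enter; the bad sample reports the hostname without a domain, the gateway outside the management subnet and the empty DNS list, while a DHCP configuration skips the static address checks entirely. The password rules on page 110 are deliberately not modelled here, since this guide does not restate them in this chapter.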
Setting Up Basic Policies and Configurations
You must configure and deploy basic policies in order to see data in the dashboard, Context Explorer, and
event tables.
Note
This is not a full discussion of policy or feature capabilities. For guidance on other features and more advanced
configurations, see the rest of this guide.
Before you begin
• Log into the web interface using the admin account for either the web interface or CLI and perform the initial configuration as described in the Cisco Firepower Management Center Getting Started Guide for your hardware model, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-guides-list.html.
Procedure
Step 1
Set a time zone for this account as described in Setting Your Default Time Zone, on page 193.
Step 2
If needed, add licenses as described in Licenses, on page 229.
Step 3
Add managed devices to your deployment as described in Add a Device to the Management Center in the
Cisco Secure Firewall Management Center Device Configuration Guide.
Step 4
Configure your managed devices as described in:
• Interface Overview in the Cisco Secure Firewall Management Center Device Configuration Guide, to
configure transparent or routed mode on Firepower Threat Defense devices
• Interface Overview in the Cisco Secure Firewall Management Center Device Configuration Guide, to
configure interfaces on threat defense devices
Step 5
Configure an access control policy as described in Creating a Basic Access Control Policy in the Cisco Secure
Firewall Management Center Device Configuration Guide.
• In most cases, Cisco suggests setting the Balanced Security and Connectivity intrusion policy as your
default action. For more information, see Access Control Policy Default Action and System-Provided
Network Analysis and Intrusion Policies in the Cisco Secure Firewall Management Center Device
Configuration Guide.
• In most cases, Cisco suggests enabling connection logging to meet the security and compliance needs
of your organization. Consider the traffic on your network when deciding which connections to log so
that you do not clutter your displays or overwhelm your system. For more information, see About
Connection Logging, on page 681.
Step 6
Apply the system-provided default health policy as described in Applying Health Policies, on page 341.
Step 7
Customize a few of your system configuration settings:
• If you want to allow inbound connections for a service (for example, SNMP or the syslog), modify the
ports in the access list as described in Configure an Access List, on page 71.
• Understand and consider editing your database event limits as described in Configuring Database Event
Limits, on page 52.
• If you want to change the display language, edit the language setting as described in Set the Language
for the Web Interface, on page 82.
• If your organization restricts network access using a proxy server, edit your proxy settings as described
in Modify Management Center Management Interfaces, on page 60.
Step 8
Customize your network discovery policy as described in Configuring the Network Discovery Policy in the
Cisco Secure Firewall Management Center Device Configuration Guide. By default, the network discovery
policy analyzes all traffic on your network. In most cases, Cisco suggests restricting discovery to the addresses
in RFC 1918.
Step 9
Consider customizing these other common settings:
• If you do not want to display message center pop-ups, disable notifications as described in Configuring
Notification Behavior, on page 401.
• If you want to customize the default values for system variables, understand their use as described in
Variable Sets in the Cisco Secure Firewall Management Center Device Configuration Guide.
• If you want to create additional locally authenticated user accounts to access the management center, see
Add an Internal User, on page 111.
• If you want to use LDAP or RADIUS external authentication to allow access to the management center,
see Configure External Authentication for the Management Center, on page 113.
Step 10
Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management
Center Device Configuration Guide.
What to do next
• Review and consider configuring other features described in Features, on page 6 and the rest of this
guide.
Threat Defense Devices
In a typical deployment, multiple traffic-handling devices report to one Secure Firewall Management Center,
which you use to perform administrative, management, analysis, and reporting tasks.
A threat defense device is a next-generation firewall (NGFW) that also has NGIPS capabilities. NGFW and
platform features include site-to-site and remote access VPN, robust routing, NAT, clustering, and other
optimizations in application inspection and access control.
Threat Defense is available on a wide range of physical and virtual platforms.
Compatibility
For details on manager-device compatibility, including the software compatible with specific device models,
virtual hosting environments, operating systems, and so on, see the Cisco Secure Firewall Threat Defense
Release Notes and Cisco Firepower Compatibility Guide.
Features
These tables list some commonly used features.
Appliance and System Management Features
To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
If you want to... | Configure... | As described in...
Manage user accounts for logging in to your Firepower appliances | Firepower authentication | Users, on page 105 and Users for Devices in the Cisco Secure Firewall Management Center Device Configuration Guide
Monitor the health of system hardware and software | Health monitoring policy | About Health Monitoring, on page 327
Back up data on your appliance | Backup and restore | Backup/Restore, on page 421
Upgrade to a new Firepower version | System updates | Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0; Firepower Release Notes
Baseline your physical appliance | Restore to factory defaults (reimage) | The Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0, for a list of links to instructions on performing fresh installations.
Update the VDB, intrusion rule updates, or GeoDB on your appliance | Vulnerability Database (VDB) updates, intrusion rule updates, or Geolocation Database (GeoDB) updates | Updates, on page 203
Apply licenses in order to take advantage of license-controlled functionality | Smart licensing | About Licenses, on page 229
Ensure continuity of appliance operations | Managed device high availability and/or management center high availability | About Firepower Threat Defense High Availability in the Cisco Secure Firewall Management Center Device Configuration Guide; About Secure Firewall Management Center High Availability, on page 275
Configure a device to route traffic between two or more interfaces | Routing | Reference for Routing in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure packet switching between two or more networks | Device switching | Configure Bridge Group Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide
Translate private addresses into public addresses for internet connections | Network Address Translation (NAT) | Network Address Translation in the Cisco Secure Firewall Management Center Device Configuration Guide
Establish a secure tunnel between managed threat defense devices | Site-to-Site virtual private network (VPN) | VPN Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Establish secure tunnels between remote users and managed threat defense devices | Remote Access VPN | VPN Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Segment user access to managed devices, configurations, and events | Multitenancy using domains | Introduction to Multitenancy Using Domains, on page 195
View and manage appliance configuration using a REST API client | REST API and REST API Explorer | REST API Preferences, on page 99; Firepower REST API Quick Start Guide
Troubleshoot issues | N/A | Troubleshooting, on page 395
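The REST API row above refers to the token-based API the management center exposes. The following is an added example written for this page, not Cisco's code or the REST API Quick Start Guide's: it shows the handshake every client must perform (HTTP Basic credentials exchanged once for a session token that is returned in response headers, together with the domain UUID needed to build every later URL) and the two failure modes a practitioner hits first, rejected credentials and an expired token. The host name fmc.example.internal and the user name and password are placeholders, and fake_transport is a constructed stand-in for a management center so that the block runs offline; the two URL paths are the documented ones. Verify the appliance's TLS certificate against your own CA file rather than disabling verification, and give the API account the least-privileged role that covers the calls you need.

```python
"""Added example, not Cisco's code: the token handshake a REST API client
performs against the management center.

Assumptions (not on the page): FMC_HOST and the user name/password are
placeholders; `fake_transport` is a constructed stand-in for a management
center so the block runs offline. The two paths are the documented ones:
  POST /api/fmc_platform/v1/auth/generatetoken  (HTTP Basic; token in headers)
  GET  /api/fmc_config/v1/domain/<uuid>/policy/accesspolicies
"""
import base64
import json
import ssl
import urllib.request

FMC_HOST = "fmc.example.internal"          # placeholder host (assumption)
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
GLOBAL_DOMAIN = "e276abec-e0f2-11e3-8169-6d9ed49b625f"   # value the fake below returns


def https_transport(method, url, headers, cafile):
    """Real HTTPS call. The server certificate is verified against `cafile`
    (or the system trust store); never turn verification off for a device
    that hands out session tokens."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read()


class FmcClient:
    def __init__(self, host, transport=https_transport, cafile=None):
        self.base = f"https://{host}"
        self.transport = transport
        self.cafile = cafile
        self.token = self.refresh_token = self.domain_uuid = None
        self.domains = []

    def login(self, username, password):
        """Exchange Basic credentials for a session token. Everything the
        client needs comes back in response headers, not in the body."""
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, headers, _ = self.transport(
            "POST", self.base + TOKEN_PATH, {"Authorization": "Basic " + cred}, self.cafile)
        if status not in (200, 204):
            raise PermissionError(f"token request rejected: HTTP {status}")
        h = {k.lower(): v for k, v in headers.items()}
        self.token = h["x-auth-access-token"]
        self.refresh_token = h.get("x-auth-refresh-token")
        self.domain_uuid = h["domain_uuid"]
        self.domains = json.loads(h.get("domains", "[]"))
        return self.domain_uuid

    def get(self, path):
        """Authenticated GET; 401 means the token has expired or was revoked."""
        if self.token is None:
            raise RuntimeError("call login() first")
        status, _, body = self.transport(
            "GET", self.base + path,
            {"X-auth-access-token": self.token, "Accept": "application/json"}, self.cafile)
        if status == 401:
            raise PermissionError("token expired or revoked; log in again")
        if status != 200:
            raise RuntimeError(f"GET {path}: HTTP {status}")
        return json.loads(body)

    def access_policies(self, domain_uuid=None):
        """(name, id) pairs of the access control policies in a domain."""
        d = domain_uuid or self.domain_uuid
        data = self.get(f"/api/fmc_config/v1/domain/{d}/policy/accesspolicies")
        return [(i["name"], i["id"]) for i in data.get("items", [])]


def fake_transport(method, url, headers, cafile):
    """Constructed stand-in for a management center (offline demo only)."""
    good = "Basic " + base64.b64encode(b"apiuser:s3cret").decode()
    if method == "POST" and url.endswith(TOKEN_PATH):
        if headers.get("Authorization") != good:
            return 401, {}, b""
        return 204, {"X-auth-access-token": "tok-123",
                     "X-auth-refresh-token": "ref-456",
                     "DOMAIN_UUID": GLOBAL_DOMAIN,
                     "DOMAINS": json.dumps([{"name": "Global", "uuid": GLOBAL_DOMAIN}])}, b""
    if method == "GET" and headers.get("X-auth-access-token") == "tok-123":
        items = [{"name": "Corp-Edge-ACP", "id": "acp-0001"}]   # constructed data
        return 200, {}, json.dumps({"items": items}).encode()
    return 401, {}, b""


if __name__ == "__main__":
    client = FmcClient(FMC_HOST, transport=fake_transport)
    print("domain:", client.login("apiuser", "s3cret"))
    print("policies:", client.access_policies())
```

Against a real appliance, construct FmcClient with the default transport and cafile pointing at the CA that signed the management center's certificate; the same login/get sequence applies, and a 401 on any call after a successful login is the signal to re-authenticate rather than retry.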
High Availability and Scalability Features by Platform
High availability configurations (sometimes called failover) ensure continuity of operations. Clustered
configurations group multiple devices together as a single logical device, achieving increased throughput and
redundancy.
Platform | High Availability | Clustering
Management Center | Yes | —
Management Center Virtual | Yes (See Virtual Platform Requirements, on page 282 for important details) | —
Secure Firewall Threat Defense: Firepower 1000, Firepower 2100, ISA 3000 | Yes | —
Secure Firewall Threat Defense: Firepower 4100/9300 chassis | Yes | Yes
Secure Firewall Threat Defense Virtual: VMware, KVM | Yes | —
Secure Firewall Threat Defense Virtual (public cloud): AWS, Azure | Yes | —
Related Topics
About Secure Firewall Threat Defense High Availability
About Secure Firewall Management Center High Availability, on page 275
Features for Detecting, Preventing, and Processing Potential Threats
To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
If you want to... | Configure... | As described in...
Inspect, log, and take action on network traffic | Access control policy, the parent of several other policies | Introduction to Access Control in the Cisco Secure Firewall Management Center Device Configuration Guide
Block or monitor connections to or from IP addresses, URLs, and/or domain names | Security Intelligence within your access control policy | About Security Intelligence in the Cisco Secure Firewall Management Center Device Configuration Guide
Control the websites that users on your network can access | URL filtering within your policy rules | URL Filtering in the Cisco Secure Firewall Management Center Device Configuration Guide
Monitor malicious traffic and intrusions on your network | Intrusion policy | Intrusion Policy Basics in the Cisco Secure Firewall Management Center Device Configuration Guide
Block encrypted traffic without inspection; inspect encrypted or decrypted traffic | SSL policy | SSL Policies Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Tailor deep inspection to encapsulated traffic and improve performance with fastpathing | Prefilter policy | About Prefiltering in the Cisco Secure Firewall Management Center Device Configuration Guide
Rate limit network traffic that is allowed or trusted by access control | Quality of Service (QoS) policy | About QoS Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Allow or block files (including malware) on your network | File/malware policy | Network Malware Protection and File Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Operationalize data from threat intelligence sources | Cisco Threat Intelligence Director (TID) | Secure Firewall threat intelligence director Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure passive or active user authentication to perform user awareness and user control | User awareness, user identity, identity policies | About User Identity Sources in the Cisco Secure Firewall Management Center Device Configuration Guide; About Identity Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Collect host, application, and user data from traffic on your network to perform user awareness | Network Discovery policies | Network Discovery Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Use tools beyond your Firepower system to collect and analyze data about network traffic and potential threats | Integration with external tools | Event Analysis Using External Tools, on page 573
Perform application detection and control | Application detectors | Application Detection in the Cisco Secure Firewall Management Center Device Configuration Guide
Troubleshoot issues | N/A | Troubleshooting, on page 395
Integration with External Tools
To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
If you want to... | Configure... | As described in...
Automatically launch remediations when conditions on your network violate an associated policy | Remediations | Introduction to Remediations, on page 979; Firepower System Remediation API Guide
Stream event data from a management center to a custom-developed client application | eStreamer integration | eStreamer Server Streaming, on page 595; Firepower System eStreamer Integration Guide
Query database tables on a management center using a third-party client | External database access | External Database Access Settings, on page 50; Firepower System Database Access Guide
Augment discovery data by importing data from third-party sources | Host input | Host Input Data in the Cisco Secure Firewall Management Center Device Configuration Guide; Firepower System Host Input API Guide
Investigate events using external event data storage tools and other data resources | Integration with external event analysis tools | Event Analysis Using External Tools, on page 573
Troubleshoot issues | N/A | Troubleshooting, on page 395
Search the Management Center
You can use the global search feature to quickly locate and navigate to elements of your Secure Firewall
Management Center configuration.
Note
This feature is supported in Light and Dusk themes only. To change the theme, see Change the Web Interface
Appearance, on page 188.
You can search the management center configuration for the following entities:
• Names of web interface pages in top-level menus. (See Search for Web Interface Menu Options, on page
14.)
• For certain policy types:
• Policy names
• Policy descriptions
• Rule names
• Rule comments
(See Search for Policies, on page 15.)
• For certain object types:
• Object names
• Object descriptions
• Configured values
(See Search for Objects, on page 17 .)
• How To walkthroughs.
The search returns a list of walkthroughs that contain the search term, with links to each. (See Search
for How To Walkthroughs, on page 20.)
Keep the following in mind when using global search:
• When you open the global search tool, the most recent ten searches appear in a history list below the
search text box. You can select an item from this list to re-execute a search.
• When you type a search expression, the interface replaces the search history with search results that
update as you type your search; you do not need to press Enter to execute the search.
• You can navigate the history list or the search results using the mouse or the keyboard arrow keys and
the Enter key. Pressing the Enter key selects the currently highlighted item in the search results. In the
case of results for web interface pages, this causes the management center interface to display the
highlighted page. For objects and policies, this displays details about the found entity.
• Search is not case-sensitive.
• You can use the following wildcard characters in your search:
• ? matches any single character.
• * matches any 0 or more characters.
• ^ anchors the search term it precedes to the beginning of matched entities.
• $ anchors the search term it follows to the end of matched entities.
Wildcards cannot be escaped.
• For greater efficiency, global search does not return indirect search results; that is, global search does not
return policies or objects that reference objects where a search term is found. However, you can determine
which policies or objects reference many found objects by viewing the Usages tab for the found object
in the search detail pane.
• Global search returns the top results for your search expression determined by its relevance to the most
commonly used configuration entities in the management center. If global search fails to return something
you are expecting to find, try refining your search, try using the search or filter tool that appears at the
top of many GUI pages, or try some of the configuration-specific search features the web interface offers:
• Searching for Rules in the Cisco Secure Firewall Management Center Device Configuration Guide
• Searching and Filtering the NAT Rule Table in the Cisco Secure Firewall Management Center
Device Configuration Guide
• Event Search
• Searching Custom Tables
Global Search in a Multidomain Deployment
In a multidomain deployment, by default search returns only objects and policies defined within the current
domain and its ancestor domains. You can see objects and policies in child domains by toggling an option in
the search results dialog.
For an object search, if your search expression is found in objects defined in domains other than your current
domain, the search results display the names of the domains within which those objects reside. If your search
expression is found in objects defined within your current domain, the search results display the object values.
In the example screenshot below, the deployment consists of three domains at three levels: Global, Domain1,
and SubDomainA. The user, whose current domain is Domain1, has entered a search for the string “example”
in both ancestor and child domains.
Figure 1: Example of Global Search in a Multidomain Environment
1. The user has chosen to search child domains (SubDomainA) as well as the current domain (Domain1) and its ancestor (Global).
2. A matching network object ExampleHostOne defined in the parent domain Global is displayed with the domain name, and the External Domain ( ) icon indicating the user must switch domains to edit details.
3. The matching network object ExampleHostThree defined in the child domain SubDomainA is displayed with the domain name, and the External Domain ( ) icon indicating the user must switch domains to edit details. This object is currently selected.
4. The matching network object ExampleHostThree is currently selected, and information is provided in the right pane. The External Domain ( ) icon indicates that when the user clicks Edit ( ), the system will prompt the user to confirm a domain change before allowing edit access to the object.
5. The matching network object ExampleHostTwo, defined in the current domain, is displayed with the object value, and with the Current Domain ( ) icon indicating the user may edit this object without switching domains.
6. The matching access control policy ExampleACPolicyOne defined in the parent domain Global is displayed with the domain name, and the External Domain ( ) icon indicating the user must switch domains to edit details.
7. The matching access control policy ExampleACPolicyThree defined in the child domain SubDomainA is displayed with the domain name, and the External Domain ( ) icon indicating the user must switch domains to edit details.
8. The matching access control policy ExampleACPolicyTwo defined in the current domain is displayed with the Current Domain ( ) icon indicating the user may edit details without switching domains.
Search for Web Interface Menu Options
You can search to find locations of pages in the top-level menus of the web interface. For example, to view
or configure Quality of Service settings, search for QoS.
Before you begin
This feature is not available in the Classic theme. To change the theme, see Change the Web Interface
Appearance, on page 188.
Procedure
Step 1
Use one of two methods to initiate a search:
• In the menu bar at the top of the management center web interface, click Search ( ).
• With focus outside of a text box, type / (forward slash).
Step 2
Enter one or more letters of the name of the menu option you seek. Search results appear below the text box
and update as you type; you do not need to press Enter to execute the search.
Step 3
Search results appear grouped by category. To go to a page listed under Navigation, click the menu path in
the search results list.
Search for Policies
The following table indicates which policy types you can search for by name:
In Scope:
• Access Control Policy
• Prefilter Policy
• Threat Defense NAT Policy
• Intrusion category: Intrusion Policy, Network Analysis Policy
• DNS Policy
• Malware & File Policy
• SSL Policy
• Identity Policy
• Network Discovery
• Application Detector
• Correlation Policy
• VPN category: Dynamic Access Policy, Site To Site, Remote Access
Out of Scope:
• Threat Defense Platform Settings
• Firepower Settings Policy
• Firepower NAT Policy
• QoS Policy
• FlexConfig Policy
Global search returns policies whose names match the search term, as well as access control policies using
rules whose name or comments match the search term. If you see an access control policy in the search result
list whose name does not match the search, the match was made on the name or comments for a rule configured
within the policy.
Important
Global search returns the top results for your search expression determined by its relevance to the most
commonly used configuration entities in the management center. Your search term may exist in policy types
that are not in scope for this search feature. For a full description of the global search feature and alternative
search methods, see Search the Management Center.
Before you begin
This feature is not available in the Classic theme. To change the theme, see Change the Web Interface
Appearance, on page 188.
Procedure
Step 1
Use one of two methods to initiate a search:
• In the menu bar at the top of the management center web interface, click Search ( ).
• With focus outside of a text box, type / (forward slash).
Step 2
Enter a search expression in the search text box. Search results appear below the text box and update as you
type; you do not need to press Enter to execute the search.
Step 3
(Optional) In a multidomain deployment, if your current domain has descendant domains, you can toggle
Include child domains in search results to see policies in those descendant domains.
Step 4
Search results appear grouped by category. In a multidomain deployment, within the Policies category the
search results are grouped by the domains within which found policies are defined. Under the Policies category
you can do the following:
To: | Do this:
View search results for a single policy type. | Click the policy type in the search results, such as Access Control Policy.
View details about a policy. | Click the policy name in the search results list to view the details pane and display the General tab.
View the Access Control policies that reference Intrusion and Network Analysis policies. | Click the name of the Intrusion or Network Analysis policy in the search results to view the details pane and display the Usages tab.
Open the policy configuration page for a policy in a separate browser window. | Click the policy name in the search results, and in the details pane click Edit ( ). In a multidomain deployment, if you choose to edit a policy not defined within your current domain the system will prompt you to change your current domain.
Search for Objects
The following table indicates which object types listed on the Object Management page (Objects > Object
Management) are in scope for the Global Search feature:
In Scope:
• AAA Server category: RADIUS Server Group, Single Sign-On Server
• Access List category: Extended Access List, Standard Access List
• Address Pools category: IPv4 Pools, IPv6 Pools
• AS Path
• Community List category: Extended Community
• DNS Server Group
• External Attributes category: Dynamic Object, Security Group Tag
• Geolocation
• Interface category: Security Zone, Interface Group
• Key Chain
• Network (includes Network, Host, Range, FQDN, Network Group)
• PKI category: Cert Enrollment
• Policy List
• Port (objects and groups, TCP, UDP, ICMP, ICMP6, other)
• Prefix List category: IPV4 Prefix List, IPV6 Prefix List
• Route Map
• SLA Monitor
• Time Range
• Time Zone
• Tunnel Zone
• URL (objects, groups)
• VLAN Tag (objects, groups)
• VPN category: Certificate Map, Group Policy, IKEv1 IPsec Proposal, IKEv1 Policy, IKEv2 IPSec Proposal, IKEv2 Policy
Out of Scope:
• Application Filters
• Cipher Suite List
• Community List category: Community
• Distinguished Name category: Individual Distinguished Name Objects, Distinguished Name Object Groups
• File List
• FlexConfig category: FlexConfig Object, Text Object
• PKI category: External Cert Groups, External Certs, Internal CA Groups, Internal CAs, Internal Cert Groups, Internal Certs, Trusted CA Groups, Trusted CAs
• Security Intelligence category: DNS Lists and Feeds, Network Lists and Feeds, URL Lists and Feeds
• Sinkhole
• Variable Set
• VPN category: AnyConnect File, Custom Attribute
Global search returns objects whose names or description match the search term, as well as objects with
configured values that match the search term. If you see an object in the search result list whose name does
not match the search, the match was made on the description or a configured value within the object.
Important
Global search returns the top results for your search expression determined by its relevance to the most
commonly used configuration entities in the management center. Your search term may exist in object types
that are not in scope for this search feature. For a full description of the global search feature and alternative
search methods, see Search the Management Center.
Object searches can be particularly useful when you need to locate network information within your deployment.
You can search for the following in object names, descriptions, or configured values:
• IPv4 and IPv6 address information, including the following formats:
• Full addresses (For example, 194.164.0.23, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.)
• Partial addresses (For example, 194.164, 2001:db8.)
• Ranges (For example, 192.164.1.1-192.168.1.5 or 2001:db8::0202-2001:db8::8329. Do not
add a space before or after the hyphen.) Global search returns objects using network addresses that
match any within the specified range.
• CIDR notation. (For example 192.168.1.0/24, 2002::1234:abcd:ffff:101/64.) Global search
returns objects using network addresses that match any within the specified CIDR block.
• Port information:
• Port numbers (For example, 22 or 80.)
• Protocols. (For example, https or ssh.)
• Fully qualified domain names. (For example, www.cisco.com.)
• URLs. (For example, http://www.cisco.com.)
• Encryption standards or hash types. (For example, AES-128 or SHA.)
• VLAN tag numbers. (For example, 568.)
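The wildcard rules listed under Search the Management Center and the address formats listed above are easy to misread, in particular that a term without ^ or $ matches anywhere in a name, description or value, and that a range or CIDR term matches by address containment rather than by string. The following added example (written for this page, not part of the guide or of the product) reproduces both behaviours over a small object export so you can check what a term would hit before acting on a search result, for instance when confirming that no object still references a decommissioned subnet. The object list, names and addresses are constructed for the example, and the helper names are hypothetical.

```python
"""Added example, not from the Cisco guide: replays the global-search matching
rules over an exported object list.

Two behaviours from the text are reproduced:
  1. Text matching with the ? * ^ $ wildcards, case-insensitive, wildcards
     not escapable, against name, description and configured value.
  2. Address matching: a range (a-b) or CIDR term matches any object whose
     addresses fall inside it.
OBJECTS is a constructed sample; no names or addresses come from a real
deployment. Helper names are hypothetical.
"""
import ipaddress
import re


def wildcard_to_regex(term):
    """Compile a search term: ? = one char, * = zero or more, leading ^ and
    trailing $ anchor; every other character is literal, so the dots in an
    address stay dots. There is no escape character, as in the UI."""
    start = term.startswith("^")
    end = term.endswith("$")
    core = term[1 if start else 0: len(term) - 1 if end else len(term)]
    out = []
    for ch in core:
        if ch == "?":
            out.append(".")
        elif ch == "*":
            out.append(".*")
        else:
            out.append(re.escape(ch))
    return re.compile(("^" if start else "") + "".join(out) + ("$" if end else ""),
                      re.IGNORECASE)


def text_matches(term, *fields):
    """True if the term matches any of the given strings (name, description, value)."""
    rx = wildcard_to_regex(term)
    return any(rx.search(f) for f in fields if f)


def address_span(text):
    """Parse 'a-b', a CIDR, or a single address into (first, last); None if the
    text is not an address expression (FQDNs, ports, plain words, or a range
    with spaces around the hyphen, which the UI also rejects)."""
    try:
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return None
            return lo, hi
        net = ipaddress.ip_network(text, strict=False)
        return net[0], net[-1]
    except ValueError:
        return None


def address_overlaps(term, value):
    """True if the addresses in the term and the object's value intersect."""
    t, v = address_span(term), address_span(value)
    if t is None or v is None or t[0].version != v[0].version:
        return False
    return t[0] <= v[1] and v[0] <= t[1]


# Constructed sample export: type, name, description, configured value.
OBJECTS = [
    {"type": "Host",    "name": "dc-dns-1",      "description": "Primary resolver", "value": "10.20.0.53"},
    {"type": "Network", "name": "Corp-Users",    "description": "",                 "value": "10.20.0.0/16"},
    {"type": "Range",   "name": "Guest-Pool",    "description": "Guest wifi DHCP",  "value": "192.168.1.1-192.168.1.200"},
    {"type": "Host",    "name": "v6-web",        "description": "",                 "value": "2001:db8::8329"},
    {"type": "FQDN",    "name": "vendor-portal", "description": "Vendor SSO",       "value": "portal.vendor.example"},
    {"type": "Port",    "name": "ssh-alt",       "description": "SSH on 2222",      "value": "TCP/2222"},
]


def global_search(term, objects=OBJECTS):
    """Names of objects the term would return, in export order: a text hit on
    name/description/value, or an address term overlapping the object's value."""
    hits = []
    for obj in objects:
        if (text_matches(term, obj["name"], obj["description"], obj["value"])
                or address_overlaps(term, obj["value"])):
            hits.append(obj["name"])
    return hits


if __name__ == "__main__":
    for term in ("^dc-*", "v?-web", "*pool$", "10.20", "10.20.1.0/24",
                 "192.168.1.100-192.168.1.110", "2001:db8::0-2001:db8::ffff"):
        print(f"{term!r:32} -> {global_search(term)}")
```

Note the difference between "10.20" (a substring hit on two objects' values) and "10.20.1.0/24" (a containment check that excludes the host at 10.20.0.53): the first tells you which objects mention a prefix, the second which objects actually cover an address block.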
Before you begin
This feature is not available in the Classic theme. To change the theme, see Change the Web Interface
Appearance, on page 188.
Procedure
Step 1
Use one of two methods to initiate a search:
• In the menu bar at the top of the management center web interface, click Search ( ).
• With focus outside of a text box, type / (forward slash).
Step 2
Enter a search expression in the search text box. Search results appear below the text box and update as you
type; you do not need to press Enter to execute the search.
If your search expression is found in objects defined in domains other than your current domain, the
search results display the names of the domains within which those objects reside. If your search expression
is found in objects defined within your current domain, the search results display the object values.
Step 3
(Optional) In a multidomain deployment, if your current domain has descendant domains, you can toggle
Include child domains in search results to see objects in those descendant domains.
Step 4
Search results appear divided by category. In a multidomain deployment, within the Objects category the
search results are grouped by the domains within which found objects are defined. Under the Objects category
you can do the following:
To: | Do this:
View search results for a single object type. | Click the object type in the search results, such as Network.
View details about an object in the search results. | Click the object name in the search results to view the details pane and display the General tab.
View a list of policies or objects that use an object in the search results. | Click the object name in the search results to view the details pane and display the Usages tab. Note: Global Search does not provide usage information for all object types.
Open the object configuration page for an object in a separate browser window. | Click the object name in the search results, and in the details pane click Edit ( ). In a multidomain deployment, if you choose to edit an object not defined within your current domain the system will prompt you to change your current domain.
Search for How To Walkthroughs
You can search for How To walkthroughs that address tasks of interest. For example, to find walkthroughs
that describe device set up procedures, you can search for the term "device."
Before you begin
This feature is not available in the Classic theme. To change the theme, see Change the Web Interface
Appearance, on page 188.
Procedure
Step 1
Use one of two methods to initiate a search:
• In the menu bar at the top of the management center web interface, click Search ( ).
• With focus outside of a text box, type / (forward slash).
Step 2
Enter a search term associated with a task for which you would like to see a walkthrough. Search results
appear below the text box and update as you type; you do not need to press Enter to execute the search.
Step 3
Search results appear grouped by category. To view a walkthrough listed under How-Tos, click the walkthrough
title in the search results list. For more information on How To walkthroughs, see Online Help, How To, and
Documentation, on page 23.
Switching Domains on the Secure Firewall Management Center
In a multidomain deployment, user role privileges determine which domains a user can access and which
privileges the user has within each of those domains. You can associate a single user account with multiple
domains and assign different privileges for that user in each domain. For example, you can assign a user
read-only privileges in the Global domain, but Administrator privileges in a descendant domain.
Users associated with multiple domains can switch between domains within the same web interface session.
Under your user name in the toolbar, the system displays a tree of available domains. The tree:
• Displays ancestor domains, but may disable access to them based on the privileges assigned to your user
account.
• Hides any other domain your user account cannot access, including sibling and descendant domains.
When you switch to a domain, the system displays:
• Data that is relevant to that domain only.
• Menu options determined by the user role assigned to you for that domain.
Procedure
From the drop-down list under your user name, choose the domain you want to access.
The Context Menu
Certain pages in the web interface support a right-click (most common) or left-click context menu that you
can use as a shortcut for accessing other features. The contents of the context menu depend on where you access
it: not only the page but also the specific data.
For example:
• IP address hotspots provide information about the host associated with that address, including any
available whois and host profile information.
• SHA-256 hash value hotspots allow you to add a file’s SHA-256 hash value to the clean list or custom
detection list, or view the entire hash value for copying.
On pages or locations that do not support the context menu, the normal context menu for your browser appears.
Policy Editors
Many policy editors contain hotspots over each rule. You can insert new rules and categories; cut, copy,
and paste rules; set the rule state; and edit the rule.
Intrusion Rules Editor
The intrusion rules editor contains hotspots over each intrusion rule. You can edit the rule, set the rule
state, configure thresholding and suppression options, and view rule documentation. Optionally, after
clicking Rule documentation in the context menu, you can click Rule Documentation in the
documentation pop-up window to view more-specific rule details.
Event Viewer
Event pages (the drill-down pages and table views available under the Analysis menu) contain hotspots
over each event, IP address, URL, DNS query, and certain files’ SHA-256 hash values. While viewing
most event types, you can:
• View related information in the Context Explorer.
• Drill down into event information in a new window.
• View the full text in places where an event field contains text too long to fully display in the event
view, such as a file’s SHA-256 hash value, a vulnerability description, or a URL.
• Open a web browser window with detailed information about the element from an external source,
using the Contextual Cross-Launch feature. For more information, see Event Investigation Using
Web-Based Resources, on page 578.
While viewing connection events, you can add items to the default Security Intelligence Block and Do
Not Block lists:
• An IP address, from an IP address hotspot.
• A URL or domain name, from a URL hotspot.
• A DNS query, from a DNS query hotspot.
While viewing captured files, file events, and malware events, you can:
• Add a file to or remove a file from the clean list or custom detection list.
• Download a copy of the file.
• View nested files inside an archive file.
• Download the parent archive file for a nested file.
• View the file composition.
• Submit the file for local malware and dynamic analysis.
While viewing intrusion events, you can perform similar tasks to those in the intrusion rules editor or an
intrusion policy:
• Edit the triggering rule.
• Set the rule state, including disabling the rule.
• Configure thresholding and suppression options.
• View rule documentation. Optionally, after clicking Rule documentation in the context menu,
you can click Rule Documentation in the documentation pop-up window to view more-specific
rule details.
Intrusion Event Packet View
Intrusion event packet views contain IP address hotspots. The packet view uses a left-click context menu.
Dashboard
Many dashboard widgets contain hotspots to view related information in the Context Explorer. Dashboard
widgets can also contain IP address and SHA-256 hash value hotspots.
Context Explorer
The Context Explorer contains hotspots over its charts, tables, and graphs. If you want to examine data
from graphs or lists in more detail than the Context Explorer allows, you can drill down to the table views
of the relevant data. You can also view related host, user, application, file, and intrusion rule information.
The Context Explorer uses a left-click context menu, which also contains filtering and other options
unique to the Context Explorer.
Sharing Data with Cisco
You can opt to share data with Cisco using the following features:
• Cisco Success Network
See Configure Cisco Success Network Enrollment, on page 575
• Web analytics
See (Optional) Opt Out of Web Analytics Tracking, on page 101
Online Help, How To, and Documentation
You can reach the online help from the web interface:
• By clicking the context-sensitive help link on each page
• By choosing Help > Online
How To is a widget that provides walkthroughs for tasks on the management center. A walkthrough takes you
through each step required to complete a task, one after another, regardless of how many UI screens the task
spans. The How To widget is enabled by default. To disable the widget, choose User Preferences from the
drop-down list under your user name, and uncheck the Enable How-Tos check box in How-To Settings. To open
the walkthroughs, choose Help > How-Tos.
Note
The walkthroughs are generally available for all UI pages and are not user-role sensitive. However, depending
on a user's privileges, some menu items do not appear on the management center interface, so the walkthroughs
cannot execute on those pages.
The following walkthroughs are available on management center:
• Register management center with Cisco Smart Account: This walkthrough guides you to register
management center with Cisco Smart Account.
• Set up a Device and add it to management center: This walkthrough guides you to set up a device and
to add the device to management center.
• Configure Date and Time: This walkthrough guides you to configure the date and time of the threat
defense devices using a platform settings policy.
• Configure Interface Settings: This walkthrough guides you to configure the interfaces on the threat
defense devices.
• Create an Access Control Policy: An access control policy consists of a set of ordered rules, which are
evaluated from top to bottom. This walkthrough guides you to create an access control policy.
• Add an Access Control Rule - A Feature Walkthrough: This walkthrough describes the components of
an access control rule, and how you can use them in management center.
• Configure Routing Settings: Various routing protocols are supported by threat defense. A static route
defines where to send traffic for specific destination networks. This walkthrough guides you to configure
static routing for the devices.
• Create a NAT Policy - A Feature Walkthrough: This walkthrough guides you to create a NAT policy
and walks you through the various features of a NAT rule.
You can find additional documentation using the documentation roadmap:
http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
User Guides on Cisco.com
The following documents may be helpful when configuring Secure Firewall Management Center deployments,
Version 6.0+.
Note
Some of the linked documents are not applicable to Secure Firewall Management Center deployments. For
example, some links on Secure Firewall Threat Defense pages are specific to deployments managed by Secure
Firewall device manager, and some links on hardware pages are unrelated to management center. To avoid
confusion, pay careful attention to document titles. Also, some documents cover multiple products and therefore
may appear on multiple product pages.
Secure Firewall Management Center
• Secure Firewall Management Center hardware appliances:
http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html
• Secure Firewall Management Center Virtual appliances:
• http://www.cisco.com/c/en/us/support/security/defense-center-virtual-appliance/tsd-products-support-series-home.html
• http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html
Secure Firewall Threat Defense, also called NGFW (Next Generation Firewall) devices
• Secure Firewall Threat Defense software:
http://www.cisco.com/c/en/us/support/security/firepower-ngfw/tsd-products-support-series-home.html
• Secure Firewall Threat Defense Virtual:
http://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/tsd-products-support-series-home.html
• Firepower 1000 series:
https://www.cisco.com/c/en/us/support/security/firepower-1000-series/tsd-products-support-series-home.html
• Firepower 2100 series:
https://www.cisco.com/c/en/us/support/security/firepower-2100-series/tsd-products-support-series-home.html
• Secure Firewall 3100:
https://www.cisco.com/c/en/us/support/security/secure-firewall-3100-series/series.html
• Firepower 4100 series:
https://www.cisco.com/c/en/us/support/security/firepower-4100-series/tsd-products-support-series-home.html
• Firepower 9300:
https://www.cisco.com/c/en/us/support/security/firepower-9000-series/tsd-products-support-series-home.html
• ISA 3000:
https://www.cisco.com/c/en/us/support/security/industrial-security-appliance-isa/tsd-products-support-series-home.html
License Statements in the Documentation
The License statement at the beginning of a section indicates which Classic or Smart license you must assign
to a managed device to enable the feature described in the section.
Because licensed capabilities are often additive, the license statement provides only the highest required
license for each feature.
An “or” statement in a License statement indicates that you must assign a particular license to the managed
device to enable the feature described in the section, but an additional license can add functionality. For
example, within a file policy, some file rule actions require that you assign a Protection license to the device
while others require that you assign a Malware license.
For more information about licenses, see About Licenses, on page 229.
Related Topics
About Licenses, on page 229
Supported Devices Statements in the Documentation
The Supported Devices statement at the beginning of a chapter or topic indicates that a feature is supported
only on the specified device series, family, or model. For example, many features are supported only on Secure
Firewall Threat Defense devices.
For more information on platforms supported by this release, see the release notes.
Access Statements in the Documentation
The Access statement at the beginning of each procedure in this documentation indicates the predefined user
roles required to perform the procedure. Any of the listed roles can perform the procedure.
Users with custom roles may have permission sets that differ from those of the predefined roles. When a
predefined role is used to indicate access requirements for a procedure, a custom role with similar permissions
also has access. Some users with custom roles may use slightly different menu paths to reach configuration
pages. For example, users who have a custom role with only intrusion policy privileges access the network
analysis policy via the intrusion policy instead of the standard path through the access control policy.
IP Address Conventions
You can use IPv4 Classless Inter-Domain Routing (CIDR) notation and the similar IPv6 prefix length notation
to define address blocks in many places in the system.
When you use CIDR or prefix length notation to specify a block of IP addresses, the system uses only the
portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8,
the system uses 10.0.0.0/8.
In other words, although Cisco recommends the standard method of using a network IP address on the bit
boundary when using CIDR or prefix length notation, the system does not require it.
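The normalization described above is easy to get wrong in bulk: an entry such as 10.1.2.3/8 is accepted and silently stored as 10.0.0.0/8, a block of over sixteen million addresses, which matters a great deal if the entry is headed for a Do Not Block list. The following is an added example, not Cisco code and not the management center's own implementation; it models only the behaviour the text states (host bits outside the mask or prefix length are dropped) using Python's standard ipaddress module, and flags entries whose stored block differs from what was typed. The function names and the sample input list are assumptions made for this example.

```python
"""Normalize CIDR / prefix-length entries as described in IP Address Conventions.

Added example, not Cisco code.  The behaviour modelled is the one the text
states: only the network portion selected by the mask or prefix length is
kept, so 10.1.2.3/8 is stored as 10.0.0.0/8.  Function names and the sample
input list are assumptions made for this example.
"""
import ipaddress


def normalize_block(entry: str):
    """Return (normalized_block, host_bits_were_set, address_count).

    strict=False makes ipaddress drop the host bits, which is what the text
    says the management center does; comparing against the typed address
    tells us whether a widening actually happened.
    """
    net = ipaddress.ip_network(entry, strict=False)
    typed = ipaddress.ip_address(entry.split("/", 1)[0])
    widened = typed != net.network_address
    return str(net), widened, net.num_addresses


def audit_blocks(entries):
    """Normalize a batch of entries (for example, an object import file).

    Returns {"blocks": [...], "warnings": [...]}.  A warning is recorded when
    the stored block differs from what was typed, so an operator can catch a
    block that is far wider than intended before it lands in a policy object
    or a Security Intelligence list.  Unparseable entries are reported rather
    than dropped silently.
    """
    blocks, warnings = [], []
    for entry in entries:
        try:
            block, widened, count = normalize_block(entry)
        except ValueError as exc:
            warnings.append(f"{entry}: rejected ({exc})")
            continue
        blocks.append(block)
        if widened:
            warnings.append(
                f"{entry}: host bits ignored; system will use {block} "
                f"({count} addresses)"
            )
    return {"blocks": blocks, "warnings": warnings}


# Constructed sample input for this example (not taken from the guide).
SAMPLE_ENTRIES = [
    "10.1.2.3/8",          # widened to 10.0.0.0/8, the guide's own example
    "192.168.1.0/24",      # already on the bit boundary, stored as typed
    "2001:db8::1/32",      # IPv6 prefix, widened to 2001:db8::/32
    "203.0.113.7",         # no prefix given: a single host (/32)
    "300.1.1.1/8",         # invalid, reported and skipped
]

if __name__ == "__main__":
    result = audit_blocks(SAMPLE_ENTRIES)
    for block in result["blocks"]:
        print("store:", block)
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Run the script before pushing a large address list into the management center: the widening warnings are the entries to double-check with whoever supplied the list, since the web interface itself accepts them without comment. The same check generalizes to IPv6 prefix-length notation, as the sample input shows.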
Additional Resources
The Firewalls Community is an exhaustive repository of reference material that complements our extensive
documentation. This includes links to 3D models of our hardware, hardware configuration selector, product
collateral, configuration examples, troubleshooting tech notes, training videos, lab and Cisco Live sessions,
social media channels, Cisco Blogs and all the documentation published by the Technical Publications team.
Some of the individuals posting to community sites or video sharing sites, including the moderators, work
for Cisco Systems. Opinions expressed on those sites and in any corresponding comments are the personal
opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is
not meant to be an endorsement or representation by Cisco or any other party.
Note
Some of the videos, technical notes, and reference material in the Firewalls Community point to older versions
of the management center. Your version of the management center and the version referenced in the videos
or technical notes might have differences in the user interface that cause the procedures not to be identical.
CHAPTER 2: Logging into the Management Center
The following topics describe how to log into the system:
• User Accounts, on page 27
• System User Interfaces, on page 29
• Logging Into the Secure Firewall Management Center Web Interface, on page 31
• Logging Into the Management Center Web Interface Using SSO, on page 32
• Logging Into the Secure Firewall Management Center with CAC Credentials, on page 33
• Logging Into the Management Center Command Line Interface, on page 33
• View Your Last Login, on page 34
• Logging Out of the Management Center Web Interface, on page 35
• History for Logging into the Management Center, on page 35
User Accounts
You must provide a username and password to obtain local access to the web interface or CLI on the management
center or a managed device. On managed devices, CLI users with Config level access can use the expert
command to access the Linux shell. On the management center, all CLI users can use the expert command.
The threat defense and management center can be configured to use external authentication, storing user
credentials on an external LDAP or RADIUS server; you can withhold or provide CLI access rights to external
users. The management center can be configured to support Single Sign-On (SSO) using any SSO provider
conforming to the Security Assertion Markup Language (SAML) 2.0 open standard for authentication and
authorization.
The management center CLI provides a single admin user who has access to all commands. The features
management center web interface users can access are controlled by the privileges an administrator grants to
the user account. On managed devices, the features that users can access for both the CLI and the web interface
are controlled by the privileges an administrator grants to the user account.
Note
The system audits user activity based on user accounts; make sure that users log into the system with the
correct account.
Caution
All management center CLI users and, on managed devices, users with Config level CLI access can obtain
root privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly
recommend:
• If you establish external authentication, make sure that you restrict the list of users with CLI access
appropriately.
• When granting CLI access privileges on managed devices, restrict the list of internal users with Config
level CLI access.
• Do not establish Linux shell users; use only the pre-defined admin user and users created by the admin
user within the CLI.
Caution
We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit
instructions in the Firepower user documentation.
Different appliances support different types of user accounts, each with different capabilities.
Secure Firewall Management Centers
Secure Firewall Management Centers support the following user account types:
• A pre-defined admin account for web interface access, which has the administrator role and can be
managed through the web interface.
• Custom user accounts, which provide web interface access and which admin users and users with
administrator privileges can create and manage.
• A pre-defined admin account for CLI access. Users logging in with this account can use the expert
command to gain access to the Linux shell.
During initial configuration, the passwords for the CLI admin account and the web interface admin
account are synchronized but, optionally, thereafter you can configure separate passwords for the two
admin accounts.
Caution
For system security reasons, Cisco strongly recommends that you not establish additional Linux shell users
on any appliance.
Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual Devices
Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual devices support the following
user account types:
• A pre-defined admin account which can be used for all forms of access to the device.
• Custom user accounts, which admin users and users with Config access can create and manage.
The Secure Firewall Threat Defense supports external authentication for SSH users.
System User Interfaces
Depending on appliance type, you can interact with appliances using a web-based GUI, auxiliary CLI, or the
Linux shell. In a Secure Firewall Management Center deployment, you perform most configuration tasks
from the management center GUI. Only a few tasks require that you access the appliance directly using the
CLI or Linux shell. We strongly discourage using the Linux shell unless directed by Cisco TAC or explicit
instructions in the user documentation.
For information on browser requirements, see the Firepower Release Notes.
Note
On all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system
terminates the SSH connection.
Appliance: Secure Firewall Management Center
Web-Based GUI:
• Supported for predefined admin user and custom user accounts.
• Can be used for administrative, management, and analysis tasks.
Auxiliary CLI:
• Supported for predefined admin user and custom external user accounts.
• Accessible using an SSH, serial, or keyboard and monitor connection.
Linux Shell:
• Supported for predefined admin user.
• Must be accessed via expert command from the Secure Firewall Management Center CLI.
• Should be used only for administration and troubleshooting directed by Cisco TAC.
• Accessible using an SSH, serial, or keyboard and monitor connection.
Appliance: Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual
Web-Based GUI: —
Auxiliary CLI:
• Supported for predefined admin user and custom user accounts.
• Accessible in physical devices using an SSH, serial, or keyboard and monitor connection. Accessible in
virtual devices via SSH or VM console.
• Can be used for setup and troubleshooting directed by Cisco TAC.
Linux Shell:
• Supported for predefined admin user and custom user accounts.
• Accessible by CLI users with Config access using the expert command.
• Should be used only for administration and troubleshooting directed by Cisco TAC or by explicit
instructions in the management center documentation.
Related Topics
Add an Internal User, on page 111
Web Interface Considerations
• If your organization uses Common Access Cards (CACs) for authentication, external users authenticated
with LDAP can use CAC credentials to obtain access to the web interface of an appliance.
• The menus and menu options listed at the top of the default home page are based on the privileges for
your user account. However, the links on the default home page include options that span the range of
user account privileges. If you click a link that requires different privileges from those granted to your
account, the system displays a warning message and logs the activity.
• Some processes that take a significant amount of time may cause your web browser to display a message
that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it
finishes.
Related Topics
Specifying Your Home Page, on page 188
Session Timeout
By default, the system automatically logs you out of a session after 1 hour of inactivity, unless you are otherwise
configured to be exempt from session timeout.
Note
For SSO users, when the management center session times out, the display briefly redirects to the IdP interface,
and then to the management center login page. Unless the SSO session has been terminated elsewhere, anyone
with access to that browser can reach the management center without providing login credentials simply by
clicking the Single Sign-On link on the login page. To ensure management center security and prevent others
from accessing the management center using your SSO account, we recommend that you not leave a management
center login session unattended, and that you log out of the SSO federation at the IdP when you log out of the
management center.
Users with the Administrator role can change the session timeout interval for an appliance via the following
settings:
System > Configuration > Shell Timeout
Related Topics
Configure Session Timeouts, on page 92
Configure SAML Single Sign-On, on page 129
Logging Into the Secure Firewall Management Center Web
Interface
Note
This task applies to internal users and external users authenticated by LDAP or RADIUS servers. For SSO
login, see Logging Into the Management Center Web Interface Using SSO, on page 32.
Users are restricted to a single active session. If you try to log in with a user account that already has an active
session, the system prompts you to terminate the other session or log in as a different user.
In a NAT environment where multiple management centers share the same IP address:
• Each management center can support only one login session at a time.
• To access different management centers, use a different browser for each login (for example Firefox and
Chrome), or set the browser to incognito or private mode.
Before you begin
• If you do not have access to the web interface, contact your system administrator to modify your account
privileges, or log in as a user with Administrator access and modify the privileges for the account.
• Create user accounts as described in Add an Internal User, on page 111.
Procedure
Step 1
Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your
management center.
Step 2
In the Username and Password fields, enter your user name and password. Pay attention to the following
guidelines:
• User names are not case-sensitive.
• In a multidomain deployment, prepend the user name with the domain where your user account was
created. You are not required to prepend any ancestor domains. For example, if your user account was
created in SubdomainB, which has an ancestor DomainA, enter your user name in the following format:
SubdomainB\username
• If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and
use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222,
enter 1111222222. You must have already generated your SecurID PIN before you can log into the system.
Step 3
Click Login.
Related Topics
Session Timeout, on page 30
Logging Into the Management Center Web Interface Using SSO
The management center can be configured to participate in any Single-Sign On (SSO) federation implemented
with an SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard.
SSO user accounts must be established at the identity provider (IdP) and must use email addresses for their
account names. If your user name is not an email address, or SSO login fails, contact your system administrator.
Note
The management center does not support logging in with CAC credentials for SSO accounts.
Users are restricted to a single active session. If you try to log in with a user account that already has an active
session, the system prompts you to terminate the other session or log in as a different user.
In a NAT environment where multiple management centers share the same IP address:
• Each management center can support only one login session at a time.
• To access different management centers, use a different browser for each login (for example Firefox and
Chrome), or set the browser to incognito or private mode.
Before you begin
• Configure the management center for SSO access. See Configure SAML Single Sign-On, on page 129.
• If you do not have access to the web interface, contact your system administrator to configure your
account at the SSO IdP.
Procedure
Step 1
Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your
management center.
Note
SSO users must consistently access the management center using the login URL specifically
configured for SSO access; ask your administrator for this information.
Step 2
Click on the Single Sign-On link.
Step 3
The system responds in one of two ways:
• If you are already logged into the SSO federation, the management center default home page appears.
• If you are not already logged into the SSO federation, the management center redirects your browser to
the login page for your IdP. After you complete the login process at the IdP, the management center
default home page appears.
Related Topics
Session Timeout, on page 30
Configure SAML Single Sign-On, on page 129
Logging Into the Secure Firewall Management Center with CAC
Credentials
Users are restricted to a single active session. If you try to log in with a user account that already has an active
session, the system prompts you to terminate the other session or log in as a different user.
In a NAT environment where multiple management centers share the same IP address:
• Each management center can support only one login session at a time.
• To access different management centers, use a different browser for each login (for example Firefox and
Chrome), or set the browser to incognito or private mode.
Caution
Do not remove a CAC during an active browsing session. If you remove or replace a CAC during a session,
your web browser terminates the session and the system logs you out of the web interface.
Before you begin
• If you do not have access to the web interface, contact your system administrator to modify your account
privileges, or log in as a user with Administrator access and modify the privileges for the account.
• Create user accounts as described in Add an Internal User, on page 111.
• Configure CAC authentication and authorization as described in Configure Common Access Card
Authentication with LDAP, on page 128.
Procedure
Step 1
Insert a CAC as instructed by your organization.
Step 2
Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your
management center.
Step 3
If prompted, enter the PIN associated with the CAC you inserted in step 1.
Step 4
If prompted, choose the appropriate certificate from the drop-down list.
Step 5
Click Continue.
Related Topics
Configure Common Access Card Authentication with LDAP, on page 128
Session Timeout, on page 30
SSO Guidelines for the Management Center, on page 130
Logging Into the Management Center Command Line Interface
The admin CLI user and certain custom external users can log into the management center CLI.
Caution
We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit
instructions in the management center documentation.
Note
For all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system
terminates the SSH connection.
Before you begin
Complete the initial configuration process as the admin user. See Logging In for the First Time, on page 3.
Procedure
Step 1
Use the admin user name and password to connect to the management center via SSH or the console port.
If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use
that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter
1111222222. You must have already generated your SecurID PIN before you can log in.
Step 2
Use any of the available CLI commands.
View Your Last Login
If you suspect that an unauthorized user has used your credentials to sign in to the Secure Firewall Management
Center, you can see the date, time, and IP address from which your credentials were last used to log in:
Before you begin
This feature is not available if you are using the Classic theme. You can select a UI theme in User Preferences.
Procedure
Step 1
Sign in to the Secure Firewall Management Center.
Step 2
At the top right corner of your browser window, look for the User ID that you used to sign in.
Step 3
Click your user name.
Step 4
Information about your previous login is shown at the bottom of the menu that appears.
Logging Out of the Management Center Web Interface
When you are no longer actively using the management center web interface, Cisco recommends that you log
out, even if you are only stepping away from your web browser for a short period of time. Logging out ends
your web session and ensures that no one can use the interface with your credentials.
Note
If you are logging out of an SSO session at the management center, when you log out the system redirects
your browser to the SSO IdP for your organization. To ensure management center security and prevent others
from accessing the management center using your SSO account, we recommend you log out of the SSO
federation at the IdP.
Procedure
Step 1
From the drop-down list under your user name, choose Logout.
Step 2
If you are logging out of an SSO session at the management center, the system redirects you to the SSO IdP
for your organization. Log out at the IdP to ensure management center security.
Related Topics
Session Timeout, on page 30
History for Logging into the Management Center
Feature: Added support for Single Sign-On (SSO) using any SAML 2.0-compliant SSO provider.
Version: 6.7
Details: Added the ability for users configured at any third-party SAML 2.0-compliant identity provider
(IdP) to log into the management center using a new Single Sign-On link on the login page.
New/Modified screen: Login screen
Feature: View information about the last time you signed in to the Secure Firewall Management Center.
Version: 6.5
Details: View the date, time, and IP address from which you last logged in.
New/Modified menus: The menu at the top right of the window that shows the username that you used to log in.
Supported platforms: management center
Feature: Automatic CLI access for the management center.
Version: 6.5
Details: When you use SSH to log into the management center, you automatically access the CLI. Although
strongly discouraged, you can then use the CLI expert command to access the Linux shell.
Note
This feature deprecates the Version 6.3 ability to enable and disable CLI access for the management center.
As a consequence of deprecating this option, the virtual management center no longer displays the
System > Configuration > Console Configuration page, which still appears on physical management centers.
Feature: Limit number of SSH login failures.
Version: 6.3
Details: When a user accesses any device via SSH and fails three successive login attempts, the device
terminates the SSH session.
Feature: Ability to enable and disable CLI access for the management center.
Version: 6.3
Details:
New/Modified screens: New check box available to administrators in the management center web interface:
Enable CLI Access on the System > Configuration > Console Configuration page.
• Checked: Logging into the management center using SSH accesses the CLI.
• Unchecked: Logging into the management center using SSH accesses the Linux shell. This is the default
state for fresh Version 6.3 installations as well as upgrades to Version 6.3 from a previous release.
Supported platforms: management center
PART II: System Settings
• System Configuration, on page 39
• Users, on page 105
• Domains, on page 195
• Updates, on page 203
• Licenses, on page 229
• High Availability, on page 275
• Security Certifications Compliance, on page 295
CHAPTER 3: System Configuration
The following topics explain how to configure system configuration settings on Secure Firewall Management
Centers and managed devices:
• Requirements and Prerequisites for the System Configuration, on page 40
• About System Configuration, on page 40
• Appliance Information, on page 42
• HTTPS Certificates, on page 43
• External Database Access Settings, on page 50
• Database Event Limits, on page 52
• Management Interfaces, on page 55
• Shut Down or Restart, on page 64
• Remote Storage Management, on page 64
• Change Reconciliation, on page 69
• Policy Change Comments, on page 70
• Access List, on page 71
• Audit Logs, on page 72
• Audit Log Certificate, on page 75
• Dashboard Settings, on page 79
• DNS Cache, on page 80
• Email Notifications, on page 80
• Language Selection, on page 81
• Login Banners, on page 82
• SNMP Polling, on page 83
• Time and Time Synchronization, on page 84
• Global User Configuration Settings, on page 89
• Session Timeouts, on page 92
• Vulnerability Mapping, on page 92
• Remote Console Access Management, on page 93
• REST API Preferences, on page 99
• VMware Tools and Virtual Systems, on page 100
• (Optional) Opt Out of Web Analytics Tracking, on page 101
• History for System Configuration, on page 101
Requirements and Prerequisites for the System Configuration
Model Support: Management Center
Supported Domains: Global
User Roles: Admin
About System Configuration
System Configuration settings apply to your Secure Firewall Management Center.
Navigating the Secure Firewall Management Center System Configuration
The system configuration identifies basic settings for a Secure Firewall Management Center.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Use the navigation panel to choose configurations to change; see Table 1: System Configuration Settings,
on page 40 for more information.
System Configuration Settings
Note that for managed devices, many of these configurations are handled by a platform settings policy applied
from the management center; see .
Table 1: System Configuration Settings
Setting
Description
Access Control Preferences
Configure the system to prompt users for a comment when they add or modify an access control policy;
see Policy Change Comments, on page 70.
Access List
Control which computers can access the system on specific ports; see Access List, on page 71.
Audit Log
Configure the system to send an audit log to an external host; see Audit Logs, on page 72.
Audit Log Certificate
Configure the system to secure the channel when streaming the audit log to an external host; see Audit
Log Certificate, on page 75.
Change Reconciliation
Configure the system to send a detailed report of changes to the system over the last 24 hours; see Change
Reconciliation, on page 69.
Console Configuration
Configure console access via VGA or serial port, or via Lights-Out Management (LOM); see Remote
Console Access Management, on page 93.
Dashboard
Enable Custom Analysis widgets on the dashboard; see Dashboard Settings, on page 79.
Database
Specify the maximum number of each type of event that the Secure Firewall Management Center can
store; see Database Event Limits, on page 52.
DNS Cache
Configure the system to resolve IP addresses automatically on event view pages; see DNS Cache, on
page 80.
Email Notification
Configure a mail host, select an encryption method, and supply authentication credentials for email-based
notifications and reporting; see Email Notifications, on page 80.
External Database Access
Enable external read-only access to the database, and provide a client driver to download; see External
Database Access Settings, on page 50.
HTTPS Certificate
Request an HTTPS server certificate, if needed, from a trusted authority and upload certificates to the
system; see HTTPS Certificates, on page 43.
Information
View current information about the appliance and edit the display name; see Appliance Information, on
page 42.
Intrusion Policy Preferences
Configure the system to prompt users for a comment when they modify an intrusion policy; see Policy
Change Comments, on page 70.
Language
Specify a different language for the web interface; see Language Selection, on page 81.
Login Banner
Create a custom login banner that appears when users log in; see Login Banners, on page 82.
Management Interfaces
Change options such as the IP address, hostname, and proxy settings of the appliance; see Management
Interfaces, on page 55.
Network Analysis Policy Preferences
Configure the system to prompt users for a comment when they modify a network analysis policy; see
Policy Change Comments, on page 70.
Process
Shut down, reboot, or restart Firepower processes; see Shut Down or Restart, on page 64.
Remote Storage Device
Configure remote storage for backups and reports; see Remote Storage Management, on page 64.
REST API Preferences
Enable or disable access to the Secure Firewall Management Center via the Firepower REST API; see
REST API Preferences, on page 99.
Shell Timeout
Configure the amount of idle time, in minutes, before a user’s login session times out due to inactivity;
see Session Timeouts, on page 92.
SNMP
Enable Simple Network Management Protocol (SNMP) polling; see SNMP Polling, on page 83.
Time
View and change the current time setting; see Time and Time Synchronization, on page 84.
Time Synchronization
Manage time synchronization on the system; see Time and Time Synchronization, on page 84.
UCAPL/CC Compliance
Enable compliance with specific requirements set out by the United States Department of Defense; see
Enable Security Certifications Compliance, on page 300.
User Configuration
Configure the Secure Firewall Management Center to track successful login history and password history
for all users, or enforce temporary lockouts on users who enter invalid login credentials; see Global User
Configuration Settings, on page 89.
VMware Tools
Enable and use VMware Tools on a Secure Firewall Management Center Virtual; see VMware Tools and
Virtual Systems, on page 100.
Vulnerability Mapping
Map vulnerabilities to a host IP address for any application protocol traffic received or sent from that
address; see Vulnerability Mapping, on page 92.
Web Analytics
Enable and disable collection of non-personally-identifiable information from your system. See (Optional)
Opt Out of Web Analytics Tracking, on page 101.
Appliance Information
The System > Configuration page of the web interface includes the information listed in the table below.
Unless otherwise noted, all fields are read-only.
Note
See also the Help > About page, which includes similar but slightly different information.
Field
Description
Name
A descriptive name you assign to the management
center appliance. Although you can use the host name
as the name of the appliance, entering a different name
in this field does not change the host name.
This name is used in certain integrations. For example,
it appears in the Devices list for integrations with
SecureX and SecureX threat response.
If you change the name, all registered devices are
marked out of date and deployment is required to push
the new name to the devices.
Product Model
The model name of the appliance.
Serial Number
The serial number of the appliance.
Software Version
The version of the software currently installed on the
appliance.
Operating System
The operating system currently running on the
appliance.
Operating System Version
The version of the operating system currently running
on the appliance.
IPv4 Address
The IPv4 address of the default (eth0) management
interface. If IPv4 management is disabled, this field
indicates that.
IPv6 Address
The IPv6 address of the default (eth0) management
interface. If IPv6 management is disabled, this field
indicates that.
Current Policies
The system-level policies currently deployed. If a
policy has been updated since it was last deployed,
the name of the policy appears in italics.
Model Number
The appliance-specific model number stored on the
internal flash drive. This number may be important
for troubleshooting.
HTTPS Certificates
Secure Sockets Layer (SSL)/TLS certificates enable Secure Firewall Management Centers to establish an
encrypted channel between the system and a web browser. A default certificate is included with all Firepower
devices, but it is not generated by a certificate authority (CA) trusted by any globally known CA. For this
reason, consider replacing it with a custom certificate signed by a globally known or internally trusted CA.
Caution
The management center supports 4096-bit HTTPS certificates. If the certificate used by the management
center was generated using a public server key larger than 4096 bits, you will not be able to log in to the
management center web interface. If this happens, contact Cisco TAC.
Default HTTPS Server Certificates
If you use the default server certificate provided with an appliance, do not configure the system to require a
valid HTTPS client certificate for web interface access because the default server certificate is not signed by
the CA that signs your client certificate.
The lifetime of the default server certificate depends on when the certificate was generated. To view your
default server certificate expiration date, choose System ( ) > Configuration > HTTPS Certificate.
Note that some Firepower software upgrades can automatically renew the certificate. For more information,
see the appropriate version of the Cisco Firepower Release Notes.
On the Secure Firewall Management Center, you can renew the default certificate on the System ( ) >
Configuration > HTTPS Certificate page.
Custom HTTPS Server Certificates
You can use the Secure Firewall Management Center web interface to generate a server certificate request
based on your system information and the identification information you supply. You can use that request to
sign a certificate if you have an internal certificate authority (CA) installed that is trusted by your browser.
You can also send the resulting request to a certificate authority to request a server certificate. After you have
a signed certificate from a certificate authority (CA), you can import it.
HTTPS Server Certificate Requirements
When you use HTTPS certificates to secure the connection between your web browser and the Firepower
appliance web interface, you must use certificates that comply with the Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile (RFC 5280). When you import a server certificate
to the appliance, the system rejects the certificate if it does not comply with version 3 (X.509 v3) of that
standard.
Before importing an HTTPS server certificate, be certain it includes the following fields:
Certificate Field
Description
Version
Version of the encoded certificate. Use version 3. See
RFC 5280, section 4.1.2.1.
Serial number
A positive integer assigned to the certificate by the
issuing CA. Issuer and serial number together uniquely
identify the certificate. See RFC 5280, section 4.1.2.2.
Signature
Identifier for the algorithm used by the CA to sign the
certificate. Must match the signatureAlgorithm field.
See RFC 5280, section 4.1.2.3.
Issuer
Identifies the entity that signed and issued the
certificate. See RFC 5280, section 4.1.2.4.
Validity
Interval during which the CA warrants that it will
maintain information about the status of the certificate.
See RFC 5280, section 4.1.2.5.
Subject
Identifies the entity associated with the public key
stored in the subject public key field; must be an
X.500 distinguished name (DN). See RFC 5280,
section 4.1.2.6.
Subject Alternative Name
Domain names and IP addresses secured by the
certificate. Subject Alternative Name is defined in
RFC 5280, section 4.2.1.6.
We recommend you use this field if the certificate is
used for multiple domains or IP addresses.
Subject Public Key Info
Public key and an identifier for its algorithm. See RFC
5280, section 4.1.2.7.
Authority Key Identifier
Provides a means of identifying the public key
corresponding to the private key used to sign a
certificate. See RFC 5280, section 4.2.1.1.
Subject Key Identifier
Provides a means of identifying certificates that
contain a particular public key. See RFC 5280, section
4.2.1.2.
Key Usage
Defines the purpose of the key contained in the
certificates. See RFC 5280, section 4.2.1.3.
Basic Constraints
Identifies whether the certificate Subject is a CA, and
the maximum depth of validation certification paths
that include this certificate. See RFC 5280, section
4.2.1.9. This field is not strictly required for server
certificates used in Firepower appliances, but we
strongly recommend including this field and
specifying critical CA:FALSE.
Extended Key Usage extension
Indicates one or more purposes for which the certified
public key may be used, in addition to or in place of
the basic purposes indicated in the Key Usage
extension. See RFC 5280, section 4.2.1.12. Be certain
you import certificates that can be used as server
certificates.
signatureAlgorithm
Identifier for the algorithm the CA used to sign the
certificate. Must match the Signature field. See RFC
5280, section 4.1.1.2.
signatureValue
Digital signature. See RFC 5280, section 4.1.1.3.
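As an added example (not code from the Cisco guide or the product), the following POSIX shell script uses the openssl command-line tool to check a PEM certificate against the fields in the table above and the 4096-bit key ceiling from the Caution, before you paste it into the Import HTTPS Server Certificate dialog. The hostnames, IP address and organization in the demo certificates are constructed; the extension keywords are standard OpenSSL configuration names.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide or product: a pre-import check for
# a management center HTTPS server certificate, driven by the openssl CLI.
# It verifies the X.509 v3 fields in the requirements table and the 4096-bit
# key ceiling from the Caution above. Names and addresses below are constructed.

# Decode a PEM certificate to text; fails if the file is not a certificate.
cert_text() {
  openssl x509 -in "$1" -noout -text 2>/dev/null
}

# True if the decoded text contains the (basic regex) pattern.
has() {
  printf '%s\n' "$1" | grep -q -- "$2"
}

# Check one PEM certificate against the guide's requirements. Prints one line
# per failed requirement and returns 0 only when every check passes.
check_fmc_server_cert() {
  txt=$(cert_text "$1") || { echo "FAIL: $1 is not a PEM-encoded X.509 certificate"; return 1; }
  rc=0
  # Version: the system rejects anything that is not X.509 v3.
  has "$txt" 'Version: 3' || { echo "FAIL: not X.509 v3"; rc=1; }
  # Key size: keys larger than 4096 bits lock you out of the web interface.
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -z "$bits" ] || [ "$bits" -gt 4096 ]; then
    echo "FAIL: public key is ${bits:-?} bits; the maximum is 4096"; rc=1
  fi
  # Extensions the table asks for.
  has "$txt" 'X509v3 Subject Alternative Name:' || { echo "FAIL: no Subject Alternative Name"; rc=1; }
  has "$txt" 'X509v3 Key Usage' || { echo "FAIL: no Key Usage extension"; rc=1; }
  has "$txt" 'X509v3 Extended Key Usage:' || { echo "FAIL: no Extended Key Usage extension"; rc=1; }
  # The certificate must be usable as a TLS server certificate.
  has "$txt" 'TLS Web Server Authentication' || { echo "FAIL: Extended Key Usage lacks serverAuth"; rc=1; }
  has "$txt" 'X509v3 Subject Key Identifier' || { echo "FAIL: no Subject Key Identifier"; rc=1; }
  has "$txt" 'X509v3 Authority Key Identifier' || { echo "FAIL: no Authority Key Identifier"; rc=1; }
  # Basic Constraints: the guide recommends marking it critical with CA:FALSE.
  has "$txt" 'X509v3 Basic Constraints: critical' || { echo "FAIL: Basic Constraints missing or not critical"; rc=1; }
  has "$txt" 'CA:FALSE' || { echo "FAIL: Basic Constraints does not state CA:FALSE"; rc=1; }
  # Signature (inside the signed body) and signatureAlgorithm (outside it) must
  # match, so exactly one distinct algorithm name may appear in the dump.
  sigs=$(printf '%s\n' "$txt" | grep 'Signature Algorithm:' | awk '{print $3}' | sort -u | wc -l)
  [ "$sigs" -eq 1 ] || { echo "FAIL: Signature and signatureAlgorithm fields differ"; rc=1; }
  return $rc
}

# Build a self-signed demo certificate: "good" carries every extension from the
# table; "bad" is a v3 certificate with only a CA:TRUE Basic Constraints.
make_demo_cert() {
  out="$1"; kind="$2"
  cfg=$(mktemp)
  {
    echo '[req]'; echo 'prompt = no'; echo 'distinguished_name = dn'
    echo '[dn]'; echo 'CN = fmc.example.com'; echo 'O = Example Corp'
    echo 'OU = Security Operations'; echo 'L = San Jose'; echo 'ST = CA'; echo 'C = US'
    echo '[good]'
    echo 'subjectKeyIdentifier = hash'
    echo 'authorityKeyIdentifier = keyid,issuer'
    echo 'basicConstraints = critical, CA:FALSE'
    echo 'keyUsage = critical, digitalSignature, keyEncipherment'
    echo 'extendedKeyUsage = serverAuth'
    echo 'subjectAltName = DNS:fmc.example.com, DNS:fmc-ha.example.com, IP:192.0.2.10'
    echo '[bad]'
    echo 'basicConstraints = CA:TRUE'
  } > "$cfg"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$cfg" \
    -extensions "$kind" -keyout "${out%.pem}.key" -out "$out" 2>/dev/null
  rm -f "$cfg"
}

# Demo run: build both certificates in a scratch directory and check them.
work=$(mktemp -d)
make_demo_cert "$work/good.pem" good
make_demo_cert "$work/bad.pem" bad
for c in good bad; do
  if check_fmc_server_cert "$work/$c.pem"; then echo "$c.pem: ready to import"
  else echo "$c.pem: fix the failures above before importing"; fi
done
rm -rf "$work"
```

Run it against your real file with `check_fmc_server_cert /path/to/server.pem` after sourcing the script; a certificate for a different key size or issuer produces the same FAIL lines the demo's bad.pem does.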
HTTPS Client Certificates
You can restrict access to the system web server using client browser certificate checking. When you enable
user certificates, the web server checks that a user’s browser client has a valid user certificate selected. That
user certificate must be generated by the same trusted certificate authority that is used for the server certificate.
The browser cannot load the web interface under any of the following circumstances:
• The user selects a certificate in the browser that is not valid.
• The user selects a certificate in the browser that is not generated by the certificate authority that signed
the server certificate.
• The user selects a certificate in the browser that is not generated by a certificate authority in the certificate
chain on the device.
To verify client browser certificates, configure the system to use the online certificate status protocol (OCSP)
or load one or more certificate revocation lists (CRLs). Using the OCSP, when the web server receives a
connection request it communicates with the certificate authority to confirm the client certificate's validity
before establishing the connection. If you configure the server to load one or more CRLs, the web server
compares the client certificate against those listed in the CRLs. If a user selects a certificate that is listed in a
CRL as a revoked certificate, the browser cannot load the web interface.
Note
If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both client browser
certificates and audit log server certificates.
Viewing the Current HTTPS Server Certificate
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click HTTPS Certificate.
Generating an HTTPS Server Certificate Signing Request
If you install a certificate that is not signed by a globally known or internally trusted CA, the user's browser
displays a security warning when they try to connect to the web interface.
A certificate signing request (CSR) is unique to the appliance or device from which you generated it. You
cannot generate a CSR for multiple devices from a single appliance. Although all fields are optional, we
recommend entering values for the following: CN, Organization, Organization Unit, City/Locality,
State/Province, Country/Region, and Subject Alternative Name.
The key generated for the certificate request is in Base-64 encoded PEM format.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click HTTPS Certificate.
Step 3
Click Generate New CSR.
The following figure shows an example.
Step 4
Enter a country code in the Country Name (two-letter code) field.
Step 5
Enter a state or province postal abbreviation in the State or Province field.
Step 6
Enter a Locality or City.
Step 7
Enter an Organization name.
Step 8
Enter an Organizational Unit (Department) name.
Step 9
Enter the fully qualified domain name of the server for which you want to request a certificate in the Common
Name field.
Note
Enter the fully qualified domain name of the server exactly as it should appear in the certificate in
the Common Name field. If the common name and the DNS hostname do not match, you receive
a warning when connecting to the appliance.
Step 10
To request a certificate that secures multiple domain names or IP addresses, enter the following information
in the Subject Alternative Name section:
a) Domain Names: Enter the fully qualified domains and subdomains (if any) secured by the Subject
Alternative Name.
b) IP Addresses: Enter the IP addresses secured by the Subject Alternative Name.
Step 11
Click Generate.
Step 12
Open a text editor.
Step 13
Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST
and END CERTIFICATE REQUEST lines, and paste it into a blank text file.
Step 14
Save the file as servername.csr, where servername is the name of the server where you plan to use the
certificate.
Step 15
Click Close.
What to do next
• Submit the certificate request to the certificate authority.
• When you receive the signed certificate, import it to the Secure Firewall Management Center; see
Importing HTTPS Server Certificates, on page 48.
Importing HTTPS Server Certificates
If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also
supply a certificate chain (or certificate path).
If you require client certificates, accessing an appliance via the web interface will fail when the server certificate
does not meet either of the following criteria:
• The certificate is signed by the same CA that signed the client certificate.
• The certificate is signed by a CA that has signed an intermediate certificate in the certificate chain.
Caution
The Secure Firewall Management Center supports 4096-bit HTTPS certificates. If the certificate used by the
Secure Firewall Management Center was generated using a public server key larger than 4096 bits, you will
not be able to log in to the management center web interface. For more information about updating HTTPS
Certificates to Version 6.0.0, see "Update Management Center HTTPS Certificates to Version 6.0" in Firepower
System Release Notes, Version 6.0. If you generate or import an HTTPS Certificate and cannot log in to the
management center web interface, contact Support.
Before you begin
• Generate a certificate signing request; see Generating an HTTPS Server Certificate Signing Request, on
page 46.
• Upload the CSR file to the certificate authority where you want to request a certificate, or use the CSR
to create a self-signed certificate.
• Confirm that the certificate meets the requirements described in HTTPS Server Certificate Requirements,
on page 44.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click HTTPS Certificate.
Step 3
Click Import HTTPS Server Certificate.
Step 4
Open the server certificate in a text editor, copy the entire block of text, including the BEGIN CERTIFICATE
and END CERTIFICATE lines. Paste this text into the Server Certificate field.
Step 5
Whether you must supply a Private Key depends on how you generated the Certificate Signing Request:
• If you generated the Certificate Signing Request using the Secure Firewall Management Center web
interface (as described in Generating an HTTPS Server Certificate Signing Request, on page 46), the
system already has the private key and you need not enter one here.
• If you generated the Certificate Signing Request using some other means, you must supply the private
key here. Open the private key file and copy the entire block of text, including the BEGIN RSA PRIVATE
KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.
Step 6
Open any required intermediate certificates, copy the entire block of text for each, and paste it into the
Certificate Chain field. If you received a root certificate, paste it here. If you received an intermediate
certificate, paste it below the root certificate. In both cases, copy the entire block of text, including the BEGIN
CERTIFICATE and END CERTIFICATE lines.
Step 7
Click Save.
Requiring Valid HTTPS Client Certificates
Use this procedure to require users connecting to the management center web interface to supply a user
certificate. The system supports validating HTTPS client certificates using either OCSP or imported CRLs in
Privacy-enhanced Electronic Mail (PEM) format.
If you choose to use CRLs, to ensure that the list of revoked certificates stays current, you can create a scheduled
task to update the CRLs. The system displays the most recent refresh of the CRLs.
Note
To access the web interface after enabling client certificates, you must have a valid client certificate present
in your browser (or a CAC inserted in your reader).
Before you begin
• Import a server certificate signed by the same certificate authority that signed the client certificate to be
used for the connection; see Importing HTTPS Server Certificates, on page 48.
• Import the server certificate chain if needed; see Importing HTTPS Server Certificates, on page 48.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click HTTPS Certificate.
Step 3
Choose Enable Client Certificates. If prompted, select the appropriate certificate from the drop-down list.
Step 4
You have three options:
• To verify client certificates using one or more CRLS, select Enable Fetching of CRL and continue with
Step 5.
• To verify client certificates using OCSP, select Enable OCSP and skip to Step 7.
• To accept client certificates without checking for revocation, skip to Step 8.
Step 5
Enter a valid URL to an existing CRL file and click Add CRL. Repeat to add up to 25 CRLs.
Step 6
Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.
Note
Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs. Edit
the task to set the frequency of the update.
Step 7
Verify that the client certificate is signed by the certificate authority loaded onto the appliance and the server
certificate is signed by a certificate authority loaded in the browser certificate store. (These should be the same
certificate authority.)
Caution
Saving a configuration with enabled client certificates, with no valid client certificate in your browser
certificate store, disables all web server access to the appliance. Make sure that you have a valid
client certificate installed before saving settings.
Step 8
Click Save.
Related Topics
Configuring Certificate Revocation List Downloads, on page 455
Renewing the Default HTTPS Server Certificate
You can only view server certificates for the appliance you are logged in to.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click HTTPS Certificate.
Step 3
Click Renew HTTPS Certificate. (This option appears on the display below the certificate information only
if your system is configured to use the default HTTPS server certificate.)
Step 4
(Optional) In the Renew HTTPS Certificate dialog box, select Generate New Key to generate a new key
for the certificate.
Step 5
In the Renew HTTPS Certificate dialog box, click Save.
What to do next
You can confirm that the certificate has been renewed by checking that the certificate validity dates displayed
on the HTTPS Certificate page have updated.
External Database Access Settings
You can configure the Secure Firewall Management Center to allow read-only access to its database by a
third-party client. This allows you to query the database using SQL using any of the following:
• industry-standard reporting tools such as Actuate BIRT, JasperSoft iReport, or Crystal Reports
• any other reporting application (including a custom application) that supports JDBC SSL connections
• the Cisco-provided command-line Java application called RunQuery, which you can either run interactively
or use to obtain comma-separated results for a single query
Use the Secure Firewall Management Center's system configuration to enable database access and create an
access list that allows selected hosts to query the database. Note that this access list does not also control
appliance access.
You can also download a package that contains the following:
• RunQuery, the Cisco-provided database query tool
• InstallCert, a tool you can use to retrieve and accept the SSL certificate from the Secure Firewall
Management Center you want to access
• the JDBC driver you must use to connect to the database
See the Firepower System Database Access Guide for information on using the tools in the package you
downloaded to configure database access.
Enabling External Access to the Database
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click External Database Access.
Step 3
Select the Allow External Database Access check box.
Step 4
Enter an appropriate value in the Server Hostname field. Depending on your third-party application
requirements, this value can be either the fully qualified domain name (FQDN), IPv4 address, or IPv6 address
of the Secure Firewall Management Center.
Note
In management center high availability setups, enter only the active peer details. We do not
recommend entering details of the standby peer.
Step 5
Next to Client JDBC Driver, click Download and follow your browser’s prompts to download the client.zip
package.
Step 6
To add database access for one or more IP addresses, click Add Hosts. An IP Address field appears in the
Access List field.
Step 7
In the IP Address field, enter an IP address or address range, or any.
Step 8
Click Add.
Step 9
Click Save.
Tip
If you want to revert to the last saved database settings, click Refresh.
Related Topics
IP Address Conventions, on page 26
Database Event Limits
To manage disk space, the management center periodically prunes the oldest intrusion events, audit records,
Security Intelligence data, and URL filtering data from the event database. For each event type, you can
specify how many records the management center retains after pruning; never rely on the event database
containing more records of any type than the retention limit configured for that type. To improve performance,
tailor the event limits to the number of events you regularly work with. You can optionally choose to receive
email notifications when pruning occurs. For some event types, you can disable storage.
To manually delete individual events, use the event viewer. (Note that in Versions 6.6.0+, you cannot manually
delete connection or Security Intelligence events in this way.) You can also manually purge the database; see
Data Purge and Storage, on page 479.
Configuring Database Event Limits
Before you begin
• If you want to receive email notifications when events are pruned from the Secure Firewall Management
Center's database, you must configure an email server; see Configuring a Mail Relay Host and Notification
Address, on page 81.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Choose Database.
Step 3
For each of the databases, enter the number of records you want to store.
For information on how many records each database can maintain, see Database Event Limits, on page 52.
Step 4
Optionally, in the Data Pruning Notification Address field, enter the email address where you want to
receive pruning notifications.
Step 5
Click Save.
Database Event Limits
The following table lists the minimum and maximum number of records for each event type that you can store
on a Secure Firewall Management Center.
Table 2: Database Event Limits
Each entry gives the event type, its upper limit per management center model, and its lower limit.

Intrusion events
Upper limit: 10 million (management center Virtual); 30 million (management center1000, management
center1600); 60 million (management center2500, management center2600, FMCv 300); 300 million
(management center4500, management center4600)
Lower limit: 10,000

Discovery events
Upper limit: 10 million (management center Virtual); 20 million (management center2500, management
center2600, management center4500, management center4600, FMCv 300)
Lower limit: Zero (disables storage)

Connection events and Security Intelligence events
Upper limit: 50 million (management center Virtual); 100 million (management center1000, management
center1600); 300 million (management center2500, management center2600, FMCv 300); 1 billion
(management center4500, management center4600). The limit is shared between connection events and
Security Intelligence events; the sum of the configured maximums cannot exceed this limit.
Lower limit: Zero (disables storage). If you set the Maximum Connection Events value to zero, then
connection events that are not associated with Security Intelligence, intrusion, file, and malware events
are not stored on the management center.
Caution: Setting Maximum Connection Events to zero immediately purges existing connection events
other than Security Intelligence events.
See below for the effect of this setting on Maximum Flow Rate. These settings do not affect connection
summaries.

Connection summaries (aggregated connection events)
Upper limit: 50 million (management center Virtual); 100 million (management center1000, management
center1600); 300 million (management center2500, management center2600, FMCv 300); 1 billion
(management center4500, management center4600)
Lower limit: Zero (disables storage)

Correlation events and compliance allow list events
Upper limit: 1 million (management center Virtual); 2 million (management center2500, management
center2600, management center4500, management center4600, FMCv 300)
Lower limit: One

Malware events
Upper limit: 10 million (management center Virtual); 20 million (management center2500, management
center2600, management center4500, management center4600, FMCv 300)
Lower limit: 10,000

File events
Upper limit: 10 million (management center Virtual); 20 million (management center2500, management
center2600, management center4500, management center4600, FMCv 300)
Lower limit: Zero (disables storage)

Health events
Upper limit: 1 million
Lower limit: Zero (disables storage)

Audit records
Upper limit: 100,000
Lower limit: One

Remediation status events
Upper limit: 10 million
Lower limit: One

Allow list violation history
Upper limit: a 30-day history of violations
Lower limit: One day's history

User activity (user events)
Upper limit: 10 million
Lower limit: One

User logins (user history)
Upper limit: 10 million
Lower limit: One

Intrusion rule update import log records
Upper limit: 1 million
Lower limit: One

VPN Troubleshooting database
Upper limit: 10 million
Lower limit: Zero (disables storage)
Maximum Flow Rate
The Maximum flow rate (flows per second) value for your management center hardware model is specified
in the Platform Specifications section of the management center datasheet at https://www.cisco.com/c/en/
us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html?cachemode=refresh
If you set the Maximum Connection Events value in platform settings to zero, then connection events that
are not associated with Security Intelligence, intrusion, file, and malware events are not counted toward the
maximum flow rate for your management center hardware.
Any non-zero value in this field causes ALL connection events to be counted against the maximum flow rate.
Other event types on this page do not count against the maximum flow rate.
Management Interfaces
After setup, you can change the management network settings, including adding more management interfaces,
hostname, search domains, DNS servers, and HTTP proxy on the management center.
About Management Center Management Interfaces
By default, the management center manages all devices on a single management interface. You can also
perform initial setup on the management interface and log into the management center on this interface as an
administrator. The management interface is also used to communicate with the Smart Licensing server, to
download updates, and to perform other management functions.
For information about device management interfaces, see About Device Management Interfaces in the Cisco
Secure Firewall Management Center Device Configuration Guide.
Management Interfaces on the Management Center
The management center uses the eth0 interface for initial setup, HTTP access for administrators, management
of devices, as well as other management functions such as licensing and updates.
You can also configure additional management interfaces on the same network, or on different networks.
When the management center manages large numbers of devices, adding more management interfaces can
improve throughput and performance. You can also use these interfaces for all other management functions.
You might want to use each management interface for particular functions; for example, you might want to
use one interface for HTTP administrator access and another for device management.
For device management, the management interface carries two separate traffic channels: the management
traffic channel carries all internal traffic (such as inter-device traffic specific to managing the device), and
the event traffic channel carries all event traffic (such as web events). You can optionally configure a separate
event-only interface on the management center to handle event traffic; you can configure only one event
interface. Event traffic can use a large amount of bandwidth, so separating event traffic from management
traffic can improve the performance of the management center. For example, you can assign a 10
GigabitEthernet interface to be the event interface, if available, while using 1 GigabitEthernet interfaces for
management. You might want to configure an event-only interface on a completely secure, private network
while using the regular management interface on a network that includes Internet access, for example. You
can also use both management and event interfaces on the same network if the goal is only to take advantage
of increased throughput. Managed devices will send management traffic to the management center's management
interface and event traffic to the management center's event-only interface. If the managed device cannot
reach the event-only interface, then it will fall back to sending events to the management interface.
Note
All management interfaces support HTTP administrator access as controlled by your Access List configuration
(Configure an Access List, on page 71). Conversely, you cannot restrict an interface to only HTTP access;
management interfaces always support device management (management traffic, event traffic, or both).
Note
Only the eth0 interface supports DHCP IP addressing. Other management interfaces only support static IP
addresses.
Management Interface Support Per Management Center Model
See the hardware installation guide for your model for the management interface locations.
See the following table for supported management interfaces on each management center model.
Table 3: Management Interface Support on the Management Center

Model | Management Interfaces
--- | ---
MC1000 | eth0 (Default), eth1
MC2500, MC4500 | eth0 (Default), eth1, eth2, eth3
MC1600, MC2600, MC4600 | eth0 (Default), eth1, eth2, eth3, CIMC (Supported for Lights-Out Management only.)
Management Center Virtual | eth0 (Default)
Network Routes on Management Center Management Interfaces
Management interfaces (including event-only interfaces) support only static routes to reach remote networks.
When you set up your management center, the setup process creates a default route to the gateway IP address
that you specify. You cannot delete this route; you can only modify the gateway address.
You can configure multiple management interfaces on some platforms. The default route does not include an
egress interface, so the interface chosen depends on the gateway address you specify, and which interface's
network the gateway belongs to. In the case of multiple interfaces on the default network, the device uses the
lower-numbered interface as the egress interface.
At least one static route is recommended per management interface to access remote networks. We recommend
placing each interface on a separate network to avoid potential routing problems, including routing problems
from other devices to the management center. If you do use interfaces on the same network, be sure to configure
static routes correctly. For example, on the management center both eth0 and eth1 are on the same network,
but you want to manage a different group of devices on each interface. The default gateway is 192.168.45.1.
If you want eth1 to manage devices on the remote 10.6.6.0/24 destination
network, you can create a static route for 10.6.6.0/24 through eth1 with the same gateway of 192.168.45.1.
Traffic to 10.6.6.0/24 will hit this route before it hits the default route, so eth1 will be used as expected.
If you want to use two management center interfaces to manage remote devices that are on the same network,
then static routing on the management center may not scale well, because you need separate static routes per
device IP address.
Another example includes separate management and event-only interfaces on both the management center
and the managed device. The event-only interfaces are on a separate network from the management interfaces.
In this case, add a static route through the event-only interface for traffic destined for the remote event-only
network, and vice versa.
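The route selection described in the two examples above, as added example code in Python (not from the guide and not the management center's own implementation): a longest-prefix lookup over the static routes, where the default route carries no egress interface, so its egress is the interface whose network contains the gateway and, when several interfaces share that network, the lower-numbered one. The gateway 192.168.45.1 and the 10.6.6.0/24 remote network come from the guide's example; the interface addresses, the event-only eth2 on 10.9.9.0/24 and the remote event-only network 10.20.0.0/16 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ManagementInterface:
    name: str      # ethN naming as on the management center
    address: str   # address with prefix length, e.g. "192.168.45.10/24"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network

    @property
    def index(self) -> int:
        return int(self.name[len("eth"):])


@dataclass(frozen=True)
class StaticRoute:
    destination: str                  # "0.0.0.0/0" for the default route
    gateway: str
    interface: Optional[str] = None   # the default route names no egress interface


def default_route_egress(gateway: str, interfaces: List[ManagementInterface]) -> str:
    """Egress for the default route: the interface whose network contains the
    gateway; with several candidates, the lowest-numbered interface wins."""
    gw = ipaddress.ip_address(gateway)
    candidates = [i for i in interfaces if gw in i.network]
    if not candidates:
        raise ValueError(f"gateway {gateway} is not on any management interface network")
    return min(candidates, key=lambda i: i.index).name


def select_route(destination: str, routes: List[StaticRoute],
                 interfaces: List[ManagementInterface]) -> Tuple[StaticRoute, str]:
    """Longest-prefix match over the static routes; returns (route, egress interface)."""
    dst = ipaddress.ip_address(destination)
    best: Optional[StaticRoute] = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    if best is None:
        raise LookupError(f"no route to {destination}")
    egress = best.interface or default_route_egress(best.gateway, interfaces)
    return best, egress


# Constructed topology: eth0 and eth1 share 192.168.45.0/24 (guide example),
# eth2 is an assumed event-only interface on its own network.
INTERFACES = [
    ManagementInterface("eth0", "192.168.45.10/24"),
    ManagementInterface("eth1", "192.168.45.11/24"),
    ManagementInterface("eth2", "10.9.9.10/24"),
]
ROUTES = [
    StaticRoute("0.0.0.0/0", "192.168.45.1"),            # created at setup; gateway only
    StaticRoute("10.6.6.0/24", "192.168.45.1", "eth1"),  # same gateway, explicit egress eth1
    StaticRoute("10.20.0.0/16", "10.9.9.1", "eth2"),     # assumed remote event-only network
]


def egress_for(destination: str) -> str:
    """Convenience wrapper over the constructed topology."""
    return select_route(destination, ROUTES, INTERFACES)[1]


if __name__ == "__main__":
    for dst in ("10.6.6.7", "10.20.3.4", "198.51.100.9"):
        route, egress = select_route(dst, ROUTES, INTERFACES)
        print(f"{dst:>14} -> {route.destination:<14} via {route.gateway} on {egress}")
```

Traffic to 10.6.6.7 matches the /24 before the /0, so it leaves on eth1 as the guide describes, while an address covered only by the default route leaves on eth0 because both eth0 and eth1 contain the gateway and eth0 is the lower-numbered interface.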
NAT Environments
Network address translation (NAT) is a method of transmitting and receiving network traffic through a router
that involves reassigning the source or destination IP address. The most common use for NAT is to allow
private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not
pose a problem for management center communication with devices, but port address translation (PAT) is
more common. PAT lets you use a single public IP address and unique ports to access the public network;
these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT
router.
Normally, you need both IP addresses (along with a registration key) for both routing purposes and for
authentication: the management center specifies the device IP address when you add a device, and the device
specifies the management center IP address. However, if you only know one of the IP addresses, which is the
minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of
the connection to establish trust for the initial communication and to look up the correct registration key. The
management center and device use the registration key and NAT ID (instead of IP addresses) to authenticate
and authorize for initial registration.
For example, you add a device to the management center, and you do not know the device IP address (for
example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the
management center; leave the IP address blank. On the device, you specify the management center IP address,
the same NAT ID, and the same registration key. The device registers to the management center's IP address.
At this point, the management center uses the NAT ID instead of IP address to authenticate the device.
Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT
ID to simplify adding many devices to the management center. On the management center, specify a unique
NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify
both the management center IP address and the NAT ID. Note: The NAT ID must be unique per device.
The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID
per device on both the management center and the devices, and specify the management center IP address on
the devices.
Figure 2: NAT ID for Managed Devices Behind PAT
The following example shows the management center behind a PAT IP address. In this case, specify a unique
NAT ID per device on both the management center and the devices, and specify the device IP addresses on
the management center.
Figure 3: NAT ID for Management Center Behind PAT
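The registration lookup described above, as an added Python illustration (not the guide's or the product's code): a management center entry is matched by device IP address when that address was entered, and by NAT ID when the IP was left blank, with the registration key checked in both cases and NAT IDs enforced as unique per device. The device names, NAT IDs, registration keys, the PAT address 203.0.113.10 and the static address 192.0.2.20 are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PendingDevice:
    """A device entry on the management center before registration completes."""
    name: str
    registration_key: str
    ip_address: Optional[str] = None   # left blank when the device is behind PAT
    nat_id: Optional[str] = None       # required when ip_address is blank


class ManagementCenter:
    def __init__(self) -> None:
        self.pending: List[PendingDevice] = []
        self.registered: Dict[str, str] = {}   # device name -> address it registered from

    def add_device(self, device: PendingDevice) -> None:
        if device.ip_address is None and device.nat_id is None:
            raise ValueError("either the device IP address or a NAT ID is required")
        if device.nat_id is not None and any(d.nat_id == device.nat_id for d in self.pending):
            raise ValueError(f"NAT ID {device.nat_id!r} already assigned; NAT IDs must be unique per device")
        self.pending.append(device)

    def _find(self, source_ip: str, nat_id: Optional[str]) -> Optional[PendingDevice]:
        # An entry with a known IP address is matched on that address.
        for d in self.pending:
            if d.ip_address is not None and d.ip_address == source_ip:
                return d
        # Otherwise the NAT ID identifies the entry (the source IP is the shared PAT address).
        for d in self.pending:
            if d.ip_address is None and nat_id is not None and d.nat_id == nat_id:
                return d
        return None

    def register(self, source_ip: str, nat_id: Optional[str], registration_key: str) -> bool:
        entry = self._find(source_ip, nat_id)
        if entry is None:
            return False
        if entry.nat_id is not None and entry.nat_id != nat_id:
            return False   # the NAT ID must match on both sides
        if not hmac.compare_digest(entry.registration_key, registration_key):
            return False   # registration key mismatch
        self.pending.remove(entry)   # one-time use: the entry is consumed on success
        self.registered[entry.name] = source_ip
        return True


PAT_ADDRESS = "203.0.113.10"   # constructed: public address shared by three devices


def build_scenario() -> ManagementCenter:
    mc = ManagementCenter()
    # Constructed: three devices behind one PAT address, IP left blank on the management center.
    for n in (1, 2, 3):
        mc.add_device(PendingDevice(f"ftd{n}", registration_key=f"regkey-{n}", nat_id=f"natid-{n}"))
    # Constructed: one device with a known static address and no NAT ID.
    mc.add_device(PendingDevice("ftd-static", registration_key="regkey-static", ip_address="192.0.2.20"))
    return mc


def run_registrations() -> Dict[str, bool]:
    mc = build_scenario()
    return {
        "ftd1_ok": mc.register(PAT_ADDRESS, "natid-1", "regkey-1"),
        "ftd2_wrong_key": mc.register(PAT_ADDRESS, "natid-2", "regkey-1"),
        "ftd2_ok": mc.register(PAT_ADDRESS, "natid-2", "regkey-2"),
        "ftd1_replay": mc.register(PAT_ADDRESS, "natid-1", "regkey-1"),
        "unknown_natid": mc.register(PAT_ADDRESS, "natid-9", "regkey-9"),
        "static_ok": mc.register("192.0.2.20", None, "regkey-static"),
    }


def duplicate_nat_id_rejected() -> bool:
    mc = build_scenario()
    try:
        mc.add_device(PendingDevice("ftd-dup", registration_key="x", nat_id="natid-3"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, ok in run_registrations().items():
        print(f"{label:>16}: {'registered' if ok else 'rejected'}")
```

The three PAT devices all arrive from the same source address, so only the NAT ID tells their entries apart, which is why the guide requires a unique NAT ID per device.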
Management and Event Traffic Channel Examples
Note
If you use a data interface for management on a threat defense, you cannot use separate management and
event interfaces for that device.
The following example shows the Secure Firewall Management Center and managed devices using only the
default management interfaces.
Figure 4: Single Management Interface on the Secure Firewall Management Center
The following example shows the Secure Firewall Management Center using separate management interfaces
for devices; and each managed device using 1 management interface.
Figure 5: Multiple Management Interfaces on the Secure Firewall Management Center
The following example shows the Secure Firewall Management Center and managed devices using a separate
event interface.
Figure 6: Separate Event Interface on the Secure Firewall Management Center and Managed Devices
The following example shows a mix of multiple management interfaces and a separate event interface on the
Secure Firewall Management Center and a mix of managed devices using a separate event interface, or using
a single management interface.
Figure 7: Mixed Management and Event Interface Usage
Modify Management Center Management Interfaces
Caution
Do NOT push the management center deployments over a VPN tunnel that is terminating directly on the threat
defense. Pushing the management center deployments can potentially inactivate the tunnel and disconnect
the management center and the threat defense.
Recovering the device from this situation can be very disruptive and require executing the disaster recovery
procedure. This procedure resets the threat defense configuration to factory defaults by changing the manager
from management center to local and configuring the device from the beginning. For more information, see Best
Practices for Deploying Configuration Changes in the Firepower Management Center Device Configuration
Guide.
Modify the management interface settings on the Secure Firewall Management Center. You can optionally
enable additional management interfaces or configure an event-only interface.
Caution
Be careful when making changes to the management interface to which you are connected; if you cannot
re-connect because of a configuration error, you need to access the management center console port to
re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation.
Note
If you change the management center IP address, then see Edit the management center IP Address or Hostname
on the Device in the Cisco Secure Firewall Management Center Device Configuration Guide. If you change
the management center IP address or hostname, you should also change the value at the device CLI so the
configurations match. Although in most cases, the management connection will be reestablished without
changing the management center IP address or hostname on the device, in at least one case, you must perform
this task for the connection to be reestablished: when you added the device to the management center and you
specified the NAT ID only. Even in other cases, we recommend keeping the management center IP address
or hostname up to date for extra network resiliency.
Note
In a high availability configuration, when you modify the management IP address of a registered Firepower
device from the device CLI or from management center, the secondary management center does not reflect
the changes even after an HA synchronization. To ensure that the secondary management center is also updated,
switch roles between the two management centers, making the secondary management center as the active
unit. Modify the management IP address of the registered Firepower device on the device management page
of the now active management center.
Before you begin
• For information about how device management works, see About Device Management Interfaces in the
Cisco Secure Firewall Management Center Device Configuration Guide.
• If you use a proxy:
• Proxies that use NT LAN Manager (NTLM) authentication are not supported.
• If you use or will use Smart Licensing, the proxy FQDN cannot have more than 64 characters.
Procedure
Step 1
Choose System ( ) > Configuration, and then choose Management Interfaces.
Step 2
In the Interfaces area, click Edit next to the interface that you want to configure.
All available interfaces are listed in this section. You cannot add more interfaces.
You can configure the following options on each management interface:
• Enabled—Enable the management interface. Do not disable the default eth0 management interface.
Some processes require the eth0 interface.
• Channels—Configure an event-only interface; you can configure only one event interface on the
management center. To do so, uncheck the Management Traffic check box, and leave the Event Traffic
check box checked. You can optionally disable Event Traffic for the management interface(s). In either
case, the device will try to send events to the event-only interface, and if that interface is down, it will
send events on the management interface even if you disable the event channel. You cannot disable both
event and management channels on an interface.
• Mode—Specify a link mode. Note that any changes you make to auto-negotiation are ignored for
GigabitEthernet interfaces.
• MDI/MDIX—Set the Auto-MDIX setting.
• MTU—Set the maximum transmission unit (MTU). The default is 1500. The range within which you
can set the MTU can vary depending on the model and interface type.
Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298
does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply
with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured
value of 576 to 558.
• IPv4 Configuration—Set the IPv4 IP address. Choose:
• Static—Manually enter the IPv4 Management IP address and IPv4 Netmask.
• DHCP—Set the interface to use DHCP (eth0 only).
• Disabled—Disable IPv4. Do not disable both IPv4 and IPv6.
• IPv6 Configuration—Set the IPv6 IP address. Choose:
• Static—Manually enter the IPv6 Management IP address and IPv6 Prefix Length.
• DHCP—Set the interface to use DHCPv6 (eth0 only).
• Router Assigned—Enable stateless autoconfiguration.
• Disabled—Disable IPv6. Do not disable both IPv4 and IPv6.
• IPv6 DAD—When you enable IPv6, enable or disable duplicate address detection (DAD). You
might want to disable DAD because the use of DAD opens up the possibility of denial of service
attacks. If you disable this setting, you need to check manually that this interface is not using an
already-assigned address.
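The MTU trimming rule and the IPv4/IPv6 constraints from the options above, as an added Python check (not the guide's or the product's code) that an administrator could run against planned interface settings before saving them. The constants are the values stated above (18 bytes trimmed, IPv4 minimum 576, IPv6 minimum 1280, default 1500); the model-specific upper bound of the MTU range is not encoded because the guide does not state it.

```python
from typing import List

TRIM_BYTES = 18        # the system trims this many bytes from the configured MTU
IPV4_MIN_MTU = 576     # minimum IPv4 MTU
IPV6_MIN_MTU = 1280    # minimum IPv6 MTU
DEFAULT_MTU = 1500


def effective_mtu(configured_mtu: int) -> int:
    """MTU actually applied after the automatic 18-byte trim (576 becomes 558)."""
    return configured_mtu - TRIM_BYTES


def minimum_configured_mtu(ipv4_enabled: bool, ipv6_enabled: bool) -> int:
    """Smallest configured value that still satisfies every enabled protocol."""
    need = 0
    if ipv4_enabled:
        need = max(need, IPV4_MIN_MTU + TRIM_BYTES)   # 594
    if ipv6_enabled:
        need = max(need, IPV6_MIN_MTU + TRIM_BYTES)   # 1298
    return need


def check_ip_settings(configured_mtu: int, ipv4_enabled: bool = True,
                      ipv6_enabled: bool = False) -> List[str]:
    """Return the list of problems with a planned interface configuration (empty means OK)."""
    problems: List[str] = []
    if not (ipv4_enabled or ipv6_enabled):
        problems.append("IPv4 and IPv6 cannot both be disabled on a management interface")
    eff = effective_mtu(configured_mtu)
    if ipv4_enabled and eff < IPV4_MIN_MTU:
        problems.append(f"configured MTU {configured_mtu} is trimmed to {eff}, "
                        f"below the IPv4 minimum of {IPV4_MIN_MTU}")
    if ipv6_enabled and eff < IPV6_MIN_MTU:
        problems.append(f"configured MTU {configured_mtu} is trimmed to {eff}, "
                        f"below the IPv6 minimum of {IPV6_MIN_MTU}")
    return problems


if __name__ == "__main__":
    # Constructed sample settings: the default, the two boundary values, and a bad dual-stack value.
    for mtu, v4, v6 in ((DEFAULT_MTU, True, True), (576, True, False),
                        (594, True, False), (1297, True, True)):
        issues = check_ip_settings(mtu, v4, v6)
        print(f"MTU {mtu} (IPv4={v4}, IPv6={v6}): {'ok' if not issues else '; '.join(issues)}")
```

Leaving the default of 1500 satisfies both protocols; the checks matter when an interface is tuned downward, for example to fit inside a tunnel on the management path.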
Step 3
In the Routes area, edit a static route by clicking Edit, or add a route by clicking Add. View the route table
by clicking the route table icon.
You need a static route for each additional interface to reach remote networks. For more information about
when new routes are needed, see Network Routes on Management Center Management Interfaces, on page
56.
Note
For the default route, you can change only the gateway IP address. The egress interface is chosen
automatically by matching the specified gateway to the interface's network.
You can configure the following settings for a static route:
• Destination—Set the destination address of the network to which you want to create a route.
• Netmask or Prefix Length—Set the netmask (IPv4) or prefix length (IPv6) for the network.
• Interface—Set the egress management interface.
• Gateway—Set the gateway IP address.
Step 4
In the Shared Settings area, set network parameters shared by all interfaces.
Note
If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings
derived from the DHCP server.
You can configure the following shared settings:
• Hostname—Set the management center hostname. The hostname must start and end with a letter or
digit, and have only letters, digits, or a hyphen. If you change the hostname, reboot the management
center if you want the new hostname reflected in syslog messages. Syslog messages do not reflect a new
hostname until after a reboot.
• Domains—Set the search domain(s) for the management center, separated by commas. These domains
are added to hostnames when you do not specify a fully-qualified domain name in a command, for
example, ping system. The domains are used only on the management interface, or for commands that
go through the management interface.
• Primary DNS Server, Secondary DNS Server, Tertiary DNS Server—Set the DNS servers to be used
in order of preference.
• Remote Management Port—Set the remote management port for communication with managed devices.
The management center and managed devices communicate using a two-way, SSL-encrypted
communication channel, which by default is on port 8305.
Note
Cisco strongly recommends that you keep the default settings for the remote management
port, but if the management port conflicts with other communications on your network, you
can choose a different port. If you change the management port, you must change it for all
devices in your deployment that need to communicate with each other.
Step 5
In the ICMPv6 area, configure ICMPv6 settings.
• Allow Sending Echo Reply Packets—Enable or disable Echo Reply packets. You might want to disable
these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means
you cannot use IPv6 ping to the management center management interfaces for testing purposes.
• Allow Sending Destination Unreachable Packets—Enable or disable Destination Unreachable packets.
You might want to disable these packets to guard against potential denial of service attacks.
Step 6
In the Proxy area, configure HTTP proxy settings.
The management center is configured to connect directly to the internet on ports TCP/443 (HTTPS) and
TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest.
See proxy requirements in the prerequisites to this topic.
a) Check the Enabled check box.
b) In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server.
See requirements in the prerequisites to this topic.
c) In the Port field, enter a port number.
d) Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name
and Password.
Step 7
Click Save.
Step 8
If you change the management center IP address, then see Edit the management center IP Address or Hostname
on the Device in the Cisco Secure Firewall Management Center Device Configuration Guide.
If you change the management center IP address or hostname, you should also change the value at the device
CLI so the configurations match. Although in most cases, the management connection will be reestablished
without changing the management center IP address or hostname on the device, in at least one case, you must
perform this task for the connection to be reestablished: when you added the device to the management center
and you specified the NAT ID only. Even in other cases, we recommend keeping the management center IP
address or hostname up to date for extra network resiliency.
Shut Down or Restart
Use the web interface to control the shut down and restart of processes on the management center. You can:
• Shut down: Initiate a graceful shutdown of the appliance.
Caution
Do not shut off Firepower appliances using the power button; it may cause a loss
of data. Using the web interface (or CLI) prepares the system to be safely powered
off and restarted without losing configuration data.
• Reboot: Shut down and restart gracefully.
• Restart the console: Restart the communications, database, and HTTP server processes. This is typically
used during troubleshooting.
Tip
For virtual devices, refer to the documentation for your virtual platform. For VMware in particular, custom
power options are part of VMware Tools.
Shut Down or Restart the Management Center
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Choose Process.
Step 3
Do one of the following:
Shut down
Click Run Command next to Shutdown Management Center.
Reboot
Click Run Command next to Reboot Management Center.
Note
Rebooting logs you out, and the system runs a database check that can
take up to an hour to complete.
Restart the console
Click Run Command next to Restart Management Center Console.
Note
Restarting may cause deleted hosts to reappear in the network map.
Remote Storage Management
On Secure Firewall Management Centers, you can use the following for local or remote storage for backups
and reports:
• Network File System (NFS)
• Server Message Block (SMB)/Common Internet File System (CIFS)
• Secure Shell (SSH)
You cannot send backups to one remote system and reports to another, but you can choose to send either to
a remote system and store the other on the Secure Firewall Management Center.
Tip
After configuring and selecting remote storage, you can switch back to local storage only if you have not
increased the connection database limit.
Management Center Remote Storage - Supported Protocols and Versions
Management Center Version | NFS Version | SSH Version | SMB Version
--- | --- | --- | ---
6.4 | V3/V4 | openssh 7.3p1 | V2/V3
6.5 | V3/V4 | ciscossh 1.6.20 | V2/V3
6.6 | V3/V4 | ciscossh 1.6.20 | V2/V3
6.7 | V3/V4 | ciscossh 1.6.20 | V2/V3
Commands to Enable Protocol Version
Run the following commands as a root user to enable the protocol version:
• NFS—/bin/mount -t nfs '10.10.4.225':'/home/manual-check' '/mnt/remote-storage' -o 'rw,vers=4.0'
• SMB—/usr/bin/mount.cifs //10.10.0.100/pyallapp-share/testing-smb /mnt/remote-storage -o username=administrator,password=******,vers=3.0
Configuring Local Storage
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Choose Remote Storage Device.
Step 3
Choose Local (No Remote Storage) from the Storage Type drop-down list.
Step 4
Click Save.
Configuring NFS for Remote Storage
Before you begin
• Ensure that your external remote storage system is functional and accessible from your management
center.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Remote Storage Device.
Step 3
Choose NFS from the Storage Type drop-down list.
Step 4
Add the connection information:
• Enter the IPv4 address or hostname of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.
Step 5
Optionally, check the Use Advanced Options check box and enter any required command line options; see
Remote Storage Management Advanced Options, on page 68.
Step 6
Under System Usage:
• Choose Use for Backups to store backups on the designated host.
• Choose Use for Reports to store reports on the designated host.
• Enter Disk Space Threshold for backup to remote storage. Default is 90%.
Step 7
To test the settings, click Test.
Step 8
Click Save.
Configuring SMB for Remote Storage
Before you begin
Ensure that your external remote storage system is functional and accessible from your management center:
• The system recognizes top-level SMB shares, not full file paths. You must use Windows to share the
exact directory you want to use.
• Make sure the Windows user you will use to access the SMB share from the management center has
ownership of and read/change access to the share location.
• To ensure security, you should install SMB 2.0 or greater.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Remote Storage Device.
Step 3
Choose SMB from the Storage Type drop-down list.
Step 4
Add the connection information:
• Enter the IPv4 address or hostname of the storage system in the Host field.
• Enter the share of your storage area in the Share field.
• Optionally, enter the domain name for the remote storage system in the Domain field.
• Enter the user name for the storage system in the Username field and the password for that user in the
Password field.
Step 5
Optionally, check the Use Advanced Options check box and enter any required command line options; see
Remote Storage Management Advanced Options, on page 68.
Step 6
Under System Usage:
• Choose Use for Backups to store backups on the designated host.
• Choose Use for Reports to store reports on the designated host.
Step 7
To test the settings, click Test.
Step 8
Click Save.
Configuring SSH for Remote Storage
Before you begin
• Ensure that your external remote storage system is functional and accessible from your Secure Firewall
Management Center.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Remote Storage Device.
Step 3
Choose SSH from the Storage Type drop-down list.
Step 4
Add the connection information:
• Enter the IP address or host name of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.
• Enter the storage system’s user name in the Username field and the password for that user in the Password
field. To specify a network domain as part of the connection user name, precede the user name with the
domain followed by a forward slash (/).
• To use SSH keys, copy the content of the SSH Public Key field and place it in your authorized_keys
file.
Step 5
Optionally, check the Use Advanced Options check box and enter any required command line options; see
Remote Storage Management Advanced Options, on page 68.
Step 6
Under System Usage:
• Choose Use for Backups to store backups on the designated host.
• Choose Use for Reports to store reports on the designated host.
Step 7
If you want to test the settings, you must click Test.
Step 8
Click Save.
Remote Storage Management Advanced Options
If you select the Network File System (NFS) protocol, Server Message Block (SMB) protocol, or SSH to use
secure file transfer protocol (SFTP) to store your reports and backups, you can select the Use Advanced
Options check box to use one of the mount binary options as documented in an NFS, SMB, or SSH mount
man page.
If you select SMB, you can enter the security mode in the Command Line Options field using the following
format:
sec=mode
where mode is the security mode you want to use for remote storage.
Table 4: SMB Security Mode Settings

Mode | Description
--- | ---
[none] | Attempt to connect as null user (no name).
krb5 | Use Kerberos version 5 authentication.
krb5i | Use Kerberos authentication and packet signing.
ntlm | Use NTLM password hashing. (Default)
ntlmi | Use NTLM password hashing with signing (may be Default if /proc/fs/cifs/PacketSigningEnabled is on or if server requires signing).
ntlmv2 | Use NTLMv2 password hashing.
ntlmv2i | Use NTLMv2 password hashing with packet signing.
Change Reconciliation
To monitor the changes that users make and ensure that they follow your organization’s preferred standard,
you can configure the system to send, via email, a detailed report of changes made over the past 24 hours.
Whenever a user saves changes to the system configuration, a snapshot is taken of the changes. The change
reconciliation report combines information from these snapshots to present a clear summary of recent system
changes.
The following sample graphic displays a User section of an example change reconciliation report and lists
both the previous value for each configuration and the value after changes. When users make multiple changes
to the same configuration, the report lists summaries of each distinct change in chronological order, beginning
with the most recent.
You can view changes made during the previous 24 hours.
Configuring Change Reconciliation
Before you begin
• Configure an email server to receive emailed reports of changes made to the system over a 24 hour period;
see Configuring a Mail Relay Host and Notification Address, on page 81 for more information.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Change Reconciliation.
Step 3
Check the Enable check box.
Step 4
Choose the time of day you want the system to send out the change reconciliation report from the Time to
Run drop-down lists.
Step 5
Enter email addresses in the Email to field.
Tip
Once you have added email addresses, click Resend Last Report to send recipients another copy
of the most recent change reconciliation report.
Step 6
If you want to include policy changes, check the Include Policy Configuration check box.
Step 7
If you want to include all changes over the past 24 hours, check the Show Full Change History check box.
Step 8
Click Save.
Related Topics
Using the Audit Log to Examine Changes, on page 378
Change Reconciliation Options
The Include Policy Configuration option controls whether the system includes records of policy changes in
the change reconciliation report. This includes changes to access control, intrusion, system, health, and network
discovery policies. If you do not select this option, the report will not show changes to any policies. This
option is available on Secure Firewall Management Centers only.
The Show Full Change History option controls whether the system includes records of all changes over the
past 24 hours in the change reconciliation report. If you do not select this option, the report includes only a
consolidated view of changes for each category.
Note
The change reconciliation report does not include changes to threat defense interfaces and routing settings.
Policy Change Comments
You can configure the system to track several policy-related changes using the comment functionality when
users modify access control, intrusion, or network analysis policies.
With policy change comments enabled, administrators can quickly assess why critical policies in a deployment
were modified. Optionally, you can have changes to intrusion and network analysis policies written to the
audit log.
Configuring Comments to Track Policy Changes
You can configure the system to prompt users for comments when they modify an access control policy,
intrusion policy, or network analysis policy. You can use comments to track users’ reasons for policy changes.
If you enable comments on policy changes, you can make the comment optional or mandatory. The system
prompts the user for a comment when each new change to a policy is saved.
Procedure
Step 1
Choose System ( ) > Configuration.
The system configuration options appear in the left navigation panel.
Step 2
Configure the policy comment preferences for any of the following:
• Click Access Control Preferences for comment preferences for access control policies.
• Click Intrusion Policy Preferences for comment preferences for intrusion policies.
• Click Network Analysis Policy Preferences for comment preferences for network analysis policies.
Step 3
You have the following choices for each policy type:
• Disabled—Disables change comments.
• Optional—Gives users the option to describe their changes in a comment.
• Required—Requires users to describe their changes in a comment before saving.
Step 4
Optionally for intrusion or network analysis policy comments:
• Check Write changes in Intrusion Policy to audit log to write all intrusion policy changes to the audit
log.
• Check Write changes in Network Analysis Policy to audit log to write all network analysis policy
changes to the audit log.
Step 5
To get notifications for changes to any overridden system-defined rules during LSP updates, ensure that the
Retain user overrides for deleted Snort 3 rules check box is checked. As a system default, this check box
is checked. When this check box is checked, the system retains the rule overrides in the new replacement rules
that are added as part of the LSP update. The notifications are shown in the Tasks tab under the Notifications
icon that is located next to Cog ( ).
Step 6
Click Save.
Access List
You can limit access to the management center by IP address and port. By default, the following ports are
enabled for any IP address:
• 443 (HTTPS) for web interface access.
• 22 (SSH) for CLI access.
You can also add access to poll for SNMP information over port 161. Because SNMP is disabled by default,
you must first enable SNMP before you can add SNMP access rules. For more information, see Configure
SNMP Polling, on page 83.
Caution
By default, access is not restricted. To operate in a more secure environment, consider adding access for
specific IP addresses and then deleting the default any option.
Configure an Access List
This access list does not control external database access. See Enabling External Access to the Database, on
page 51.
Caution
If you delete access for the IP address that you are currently using to connect to the management center, and
there is no entry for “IP=any port=443”, you will lose access when you save.
Before you begin
By default, the access list includes rules for HTTPS and SSH. To add SNMP rules to the access list, you must
first enable SNMP. For more information, see Configure SNMP Polling, on page 83.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
(Optional) Click SNMP to configure SNMP if you want to add SNMP rules to the access list. By default,
SNMP is disabled; see Configure SNMP Polling, on page 83.
Step 3
Click Access List.
Step 4
To add access for one or more IP addresses, click Add Rules.
Step 5
In the IP Address field, enter an IP address or address range, or any.
Step 6
Choose SSH, HTTPS, SNMP, or a combination of these options to specify which ports you want to enable
for these IP addresses.
Step 7
Click Add.
Step 8
Click Save.
Related Topics
IP Address Conventions, on page 26
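The lock-out caution above is easy to trip when the default any/443 rule is removed. The following added example (not Cisco code, and not part of the original guide) models the Access List rules the page describes and refuses a rule set that would no longer grant HTTPS to the address the administrator is connected from; it assumes address ranges are written in CIDR notation and that rules are plain (address, [services]) tuples.

```python
"""Pre-save review of a management center Access List.

Added example, not Cisco code. It models the rules the page describes (an IP
address, an address range, or 'any', paired with SSH, HTTPS and/or SNMP) and
applies the page's caution: saving a rule set that no longer grants port 443 to
the address you are connected from locks you out. Assumptions: address ranges are
written in CIDR notation, and each rule is a plain (address, [services]) tuple.
"""
import ipaddress

# Ports behind each service name, as listed on the page.
SERVICE_PORT = {"SSH": 22, "HTTPS": 443, "SNMP": 161}

ANY_NETWORKS = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_rule(address, services):
    """Return ([networks], {ports}) for one rule; 'any' matches every IPv4/IPv6 address."""
    ports = set()
    for svc in services:
        if svc not in SERVICE_PORT:
            raise ValueError(f"unknown service {svc!r}; expected SSH, HTTPS or SNMP")
        ports.add(SERVICE_PORT[svc])
    if address.strip().lower() == "any":
        return list(ANY_NETWORKS), ports
    # strict=False accepts host bits set in a range such as 192.0.2.5/24 (assumption)
    return [ipaddress.ip_network(address, strict=False)], ports


def allowed(rules, client_ip, port):
    """True if at least one rule grants `port` to `client_ip`."""
    ip = ipaddress.ip_address(client_ip)
    for address, services in rules:
        networks, ports = parse_rule(address, services)
        if port in ports and any(ip in net for net in networks):
            return True
    return False


def review(rules, admin_ip):
    """Summarise what saving `rules` would do: does the current web session keep
    HTTPS access, and which ports would still be reachable from any address?"""
    open_to_any = set()
    for address, services in rules:
        networks, ports = parse_rule(address, services)
        if networks == list(ANY_NETWORKS):
            open_to_any |= ports
    return {
        "admin_keeps_https": allowed(rules, admin_ip, SERVICE_PORT["HTTPS"]),
        "open_to_any": sorted(open_to_any),
    }


def check_before_save(rules, admin_ip):
    """Raise ValueError instead of letting a lock-out rule set through."""
    result = review(rules, admin_ip)
    if not result["admin_keeps_https"]:
        raise ValueError(
            f"no rule grants HTTPS (443) to {admin_ip}; saving would lock out this session"
        )
    return result


if __name__ == "__main__":
    # Constructed sample: the shipped defaults (any/443, any/22) replaced by one
    # administrator subnet, with SSH still left open to any address.
    proposed = [("192.0.2.0/24", ["HTTPS", "SSH"]), ("any", ["SSH"])]
    print(check_before_save(proposed, "192.0.2.44"))
    try:
        check_before_save(proposed, "198.51.100.7")
    except ValueError as err:
        print("refused:", err)
```

The `open_to_any` list in the result is the remaining exposure the caution under Access List asks you to reconsider.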
Audit Logs
The Secure Firewall Management Center records user activity in read-only audit logs. You can review audit
log data in several ways:
• Use the web interface: Audit and Syslog, on page 373.
Audit logs are presented in a standard event view where you can view, sort, and filter audit log messages
based on any item in the audit view. You can easily delete and report on audit information and you can
view detailed reports of the changes that users make.
• Stream audit log messages to the syslog: Stream Audit Logs to Syslog, on page 72.
• Stream audit log messages to an HTTP server: Stream Audit Logs to an HTTP Server, on page 74.
Streaming audit log data to an external server allows you to conserve space on the management center. Note
that sending audit information to an external URL may affect system performance.
Optionally, you can secure the channel for audit log streaming by enabling TLS and mutual authentication
using TLS certificates; see Audit Log Certificate, on page 75.
Streaming to Multiple Syslog Servers
You can stream audit log data to a maximum of five syslog servers. However, if you have enabled TLS for
secured audit log streaming, you can stream only to a single syslog server.
Stream Audit Logs to Syslog
When this feature is enabled, audit log records appear in the syslog in the following format:
Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action
Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending
device name precedes the audit log message.
For example, if you specify a tag of FMC-AUDIT-LOG for audit log messages from your management center, a
sample audit log message from your management center could appear as follows:
Mar 01 14:45:24 localhost [FMC-AUDIT-LOG] Dev-MC7000: admin@10.1.1.2, Operations > Monitoring, Page View
If you specify a severity and facility, these values do not appear in syslog messages; instead, they tell the
system that receives the syslog messages how to categorize them.
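The record layout above is regular enough to parse on the receiving syslog server. The following added example (not Cisco code, and not part of the original guide) parses records in that layout, tolerates a missing optional tag, and reports records whose User_IP falls outside the networks administrators are expected to work from; the sample lines are constructed for the example, and the device name is assumed to contain no spaces.

```python
"""Parser and source-address check for audit records streamed to syslog.

Added example, not Cisco code. It parses the record layout the page gives
(Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action), tolerates a
missing optional tag, and reports records whose User_IP lies outside the networks
an administrator is expected to work from. The sample lines are constructed for
this example; the hostnames and addresses in them are not real systems.
"""
import ipaddress
import re

# Fields from the page's format line. Sender is the token before the first ": "
# after the host and optional tag (assumption: the device name has no spaces).
RECORD_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:\[(?P<tag>[^\]]*)\] )?(?P<sender>[^:\s]+): (?P<rest>.+)$"
)

SAMPLE_LINES = [  # constructed
    "Mar 01 14:45:24 localhost [FMC-AUDIT-LOG] Dev-MC7000: admin@10.1.1.2, Operations > Monitoring, Page View",
    "Mar 01 14:47:10 localhost [FMC-AUDIT-LOG] Dev-MC7000: admin@10.1.1.2, System > Configuration > Access List, Save",
    "Mar 01 14:52:03 localhost [FMC-AUDIT-LOG] Dev-MC7000: jdoe@203.0.113.9, System > Users, Page View",
    "Mar 01 14:53:00 localhost Dev-MC7000: jdoe@203.0.113.9, System > Users, Save",
]


def parse_audit_record(line):
    """Return a dict of the record's fields, or None if the line is not an audit record."""
    m = RECORD_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # "User_Name@User_IP, Subsystem, Action": take the first and last comma-separated
    # pieces so a subsystem path such as "System > Configuration > Access List" survives.
    try:
        who, remainder = rest.split(", ", 1)
        subsystem, action = remainder.rsplit(", ", 1)
        user, user_ip = who.rsplit("@", 1)
        ipaddress.ip_address(user_ip)
    except ValueError:
        return None
    rec.update(user=user, user_ip=user_ip, subsystem=subsystem, action=action)
    return rec


def records_from_outside(lines, admin_networks):
    """Parsed records whose User_IP is outside every network in admin_networks."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    found = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["user_ip"])
        if not any(ip in net for net in nets):
            found.append(rec)
    return found


if __name__ == "__main__":
    for rec in records_from_outside(SAMPLE_LINES, ["10.0.0.0/8"]):
        tag = rec["tag"] or "(no tag)"
        print(f"{rec['date']} {rec['time']} {tag}: {rec['user']}@{rec['user_ip']} "
              f"{rec['action']} in {rec['subsystem']}")
```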
Before you begin
Make sure the management center can communicate with the syslog server. When you save your configuration,
the system uses ICMP/ARP and TCP SYN packets to verify that the syslog server is reachable. Then, the
system uses port 514/UDP to stream audit logs. If you secure the channel (optional, see Audit Log Certificate,
on page 75), the system uses 6514/TCP.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Audit Log.
Step 3
Choose Enabled from the Send Audit Log to Syslog drop-down menu.
Step 4
The following fields are applicable only for audit logs sent to syslog:
Option: Host
Description: The IP address or the fully qualified name of the syslog server to which you will send
audit logs. You can add a maximum of five syslog hosts, separated by commas.
Note
You can specify multiple syslog hosts only when TLS is disabled for the
Audit Server Certificate.
Option: Facility
Description: The subsystem that creates the message.
Choose a facility described in Syslog Alert Facilities, on page 521. For example, choose
AUDIT.
Option: Severity
Description: The severity of the message.
Choose a severity described in Syslog Severity Levels, on page 522.
Option: Tag
Description: An optional tag to include in audit log syslog messages.
Best practice: Enter a value in this field to easily differentiate audit log messages from
other, similar syslog messages such as health alerts.
For example, if you want all audit log records sent to the syslog to be labeled with
FMC-AUDIT-LOG, enter FMC-AUDIT-LOG in the field.
Step 5
(Optional) To test whether the IP addresses of the syslog servers are valid, click Test Syslog Server.
The system sends the following packets to verify whether the syslog server is reachable:
a. ICMP echo request
b. TCP SYN on 443 and 80 ports
c. ICMP time stamp query
d. TCP SYN on random ports
Note
If the Management Center and syslog server are in the same subnet, ARP is used instead of ICMP.
The system displays the result for each server.
Step 6
Click Save.
Stream Audit Logs to an HTTP Server
When this feature is enabled, the appliance sends audit log records to an HTTP server in the following format:
Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action
Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending
appliance name precedes the audit log message.
For example, if you specify a tag of FROMMC, a sample audit log message could appear as follows:
Mar 01 14:45:24 localhost [FROMMC] Dev-MC7000: admin@10.1.1.2, Operations > Monitoring, Page View
Before you begin
Make sure the device can communicate with the HTTP server. Optionally, secure the channel; see Audit Log
Certificate, on page 75.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Audit Log.
Step 3
Optionally, in the Tag field, enter the tag name that you want to appear with the message. For example, if
you want all audit log records to be preceded with FROMMC, enter FROMMC in the field.
Step 4
Choose Enabled from the Send Audit Log to HTTP Server drop-down list.
Step 5
In the URL to Post Audit field, designate the URL where you want to send the audit information. Enter a
URL that corresponds to a Listener program that expects the HTTP POST variables as listed:
• subsystem
• actor
• event_type
• message
• action_source_ip
• action_destination_ip
• result
• time
• tag (if defined; see Step 3)
Caution
To allow encrypted posts, use an HTTPS URL. Sending audit information to an external URL may
affect system performance.
Step 6
Click Save.
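Step 5 leaves the listener program to you. The following added example (not Cisco code, and not part of the original guide) is one such listener: it accepts posts carrying the variables listed above, rejects posts with missing or unexpected variables, appends each record as one JSON line, and can serve TLS so the configured URL is an HTTPS one. It assumes the variables arrive as a standard form body (application/x-www-form-urlencoded), which the page does not state; the log path, bind address and certificate file names are placeholders.

```python
"""Listener for audit log records posted by the management center over HTTP(S).

Added example, not Cisco code. It accepts POSTs carrying the variables the page
lists (subsystem, actor, event_type, message, action_source_ip,
action_destination_ip, result, time, and tag when one is configured), validates
them, and appends each record as one JSON line. Assumptions: the variables arrive
as a standard form body (application/x-www-form-urlencoded); the log path, bind
address and certificate file names are placeholders for this example.
"""
import json
import ssl
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED = ("subsystem", "actor", "event_type", "message",
            "action_source_ip", "action_destination_ip", "result", "time")
OPTIONAL = ("tag",)
LOG_PATH = "fmc-audit.jsonl"           # placeholder


def parse_audit_post(body):
    """Decode one POST body into a dict; raise ValueError on missing or unknown variables."""
    fields = urllib.parse.parse_qs(body.decode("utf-8"), keep_blank_values=True)
    record = {name: values[0] for name, values in fields.items()}
    missing = [name for name in REQUIRED if name not in record]
    if missing:
        raise ValueError(f"missing variables: {', '.join(missing)}")
    unknown = sorted(set(record) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        raise ValueError(f"unexpected variables: {', '.join(unknown)}")
    return record


class AuditPostHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            record = parse_audit_post(body)
        except (ValueError, UnicodeDecodeError) as err:
            self.send_error(400, str(err))
            return
        record["received_from"] = self.client_address[0]   # the posting appliance
        with open(LOG_PATH, "a", encoding="utf-8") as out:
            out.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):   # keep stdout quiet; records go to LOG_PATH
        pass


def serve(bind="0.0.0.0", port=8443, certfile=None, keyfile=None):
    """Run the listener; with certfile/keyfile it speaks TLS so the configured URL can be https://."""
    httpd = HTTPServer((bind, port), AuditPostHandler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


# Constructed sample body: the shape a post for the page's example record would have.
SAMPLE_BODY = (
    b"subsystem=Operations+%3E+Monitoring&actor=admin&event_type=Page+View"
    b"&message=Page+View&action_source_ip=10.1.1.2&action_destination_ip=10.1.1.1"
    b"&result=Success&time=Mar+01+14%3A45%3A24&tag=FROMMC"
)

if __name__ == "__main__":
    print(parse_audit_post(SAMPLE_BODY))
    # serve("0.0.0.0", 8443, "listener.crt", "listener.key")  # placeholders; uncomment to run
```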
Audit Log Certificate
You can use Transport Layer Security (TLS) certificates to secure communications between the management
center and a trusted audit log server.
Client Certificates (Required)
Generate a certificate signing request (CSR), submit it to a Certificate Authority (CA) for signing, then import
the signed certificate onto the management center. Use the local system configuration: Obtain a Signed Audit
Log Client Certificate for the Management Center, on page 76 and Import an Audit Log Client Certificate
into the Management Center, on page 77.
Server Certificates (Optional)
For additional security, we recommend you require mutual authentication between the management center
and the audit log server. To accomplish this, load one or more certificate revocation lists (CRLs). You cannot
stream audit logs to servers with revoked certificates listed in those CRLs.
Firepower supports CRLs encoded in Distinguished Encoding Rules (DER) format. Note that these are the
same CRLs that the system uses to validate HTTPS client certificates for the management center web interface.
Use the local system configuration: Require Valid Audit Log Server Certificates, on page 78.
Securely Stream Audit Logs
If you stream the audit log to a trusted HTTP server or syslog server, you can use Transport Layer Security
(TLS) certificates to secure the channel between the management center and the server. You must generate a
unique client certificate for each appliance you want to audit.
Before you begin
See ramifications of requiring client and server certificates at Audit Log Certificate, on page 75.
Procedure
Step 1
Obtain and install a signed client certificate on the management center:
a) Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76:
Generate a Certificate Signing Request (CSR) from the management center based on your system
information and the identification information you supply.
Submit the CSR to a recognized, trusted certificate authority (CA) to request a signed client certificate.
If you will require mutual authentication between the management center and the audit log server, the
client certificate must be signed by the same CA that signed the server certificate to be used for the
connection.
b) After you receive the signed certificate from the certificate authority, import it into the management center.
See Import an Audit Log Client Certificate into the Management Center, on page 77.
Step 2
Configure the communication channel with the server to use Transport Layer Security (TLS) and enable
mutual authentication.
See Require Valid Audit Log Server Certificates, on page 78.
Step 3
Configure audit log streaming if you have not yet done so.
See Stream Audit Logs to Syslog, on page 72 or Stream Audit Logs to an HTTP Server, on page 74.
Obtain a Signed Audit Log Client Certificate for the Management Center
Important
The Audit Log Certificate page is not available on a standby Secure Firewall Management Center in a high
availability setup. You cannot perform this task from a standby Secure Firewall Management Center.
The system generates certificate request keys in Base-64 encoded PEM format.
Before you begin
Keep the following in mind:
• To ensure security, use a globally recognized and trusted Certificate Authority (CA) to sign your certificate.
• If you will require mutual authentication between the appliance and the audit log server, the same
Certificate Authority must sign both the client certificate and the server certificate.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Audit Log Certificate.
Step 3
Click Generate New CSR.
Step 4
Enter a country code in the Country Name (two-letter code) field.
Step 5
Enter a state or province postal abbreviation in the State or Province field.
Step 6
Enter a Locality or City.
Step 7
Enter an Organization name.
Step 8
Enter an Organizational Unit (Department) name.
Step 9
Enter the fully qualified domain name of the server for which you want to request a certificate in the Common
Name field.
Note
If the common name and the DNS hostname do not match, audit log streaming will fail.
Step 10
Click Generate.
Step 11
Open a new blank file with a text editor.
Step 12
Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST
and END CERTIFICATE REQUEST lines, and paste it into a blank text file.
Step 13
Save the file as clientname.csr, where clientname is the name of the appliance where you plan to use the
certificate.
Step 14
Click Close.
What to do next
• Submit the certificate signing request to the certificate authority that you selected using the guidelines
in the "Before You Begin" section of this procedure.
• When you receive the signed certificate, import it to the appliance; see Import an Audit Log Client
Certificate into the Management Center, on page 77.
Import an Audit Log Client Certificate into the Management Center
In the management center high availability setup, you must use the active peer.
Before you begin
• Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76.
• Make sure you are importing the signed certificate for the correct management center.
• If the signing authority that generated the certificate requires you to trust an intermediate CA, be prepared
to provide the necessary certificate chain (or certificate path). The CA that signed the client certificate
must be the same CA that signed any intermediate certificates in the certificate chain.
Procedure
Step 1
On the management center, choose System ( ) > Configuration.
Step 2
Click Audit Log Certificate.
Step 3
Click Import Audit Client Certificate.
Step 4
Open the client certificate in a text editor, copy the entire block of text, including the BEGIN CERTIFICATE
and END CERTIFICATE lines. Paste this text into the Client Certificate field.
Step 5
To upload a private key, open the private key file and copy the entire block of text, including the BEGIN RSA
PRIVATE KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.
Step 6
Open any required intermediate certificates, copy the entire block of text for each, and paste it into the
Certificate Chain field.
Step 7
Click Save.
Require Valid Audit Log Server Certificates
The system supports validating audit log server certificates using imported CRLs in Distinguished Encoding
Rules (DER) format.
Note
If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both audit log
server certificates and certificates used to secure the HTTP connection between an appliance and a web
browser.
Important
You cannot perform this procedure on the standby Secure Firewall Management Center in a high availability
pair.
Before you begin
• Understand the ramifications of requiring mutual authentication and of using certificate revocation lists
(CRLs) to ensure that certificates are still valid. See Audit Log Certificate, on page 75.
• Obtain and import the client certificate following the steps in Securely Stream Audit Logs, on page 75
and the topics referenced in that procedure.
Procedure
Step 1
On the management center, choose System ( ) > Configuration.
Step 2
Click Audit Log Certificate.
Step 3
To use Transport Layer Security to securely stream the audit log to an external server, choose Enable TLS.
Step 4
If you want to accept server certificates without verification (not recommended):
a) Deselect Enable Mutual Authentication.
b) Click Save and skip the remainder of this procedure.
Step 5
To verify the certificate of the audit log server, choose Enable Mutual Authentication.
Step 6
(If you enabled mutual authentication) To automatically recognize certificates that are no longer valid:
a) Select Enable Fetching of CRL.
Note
Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs.
b) Enter a valid URL to an existing CRL file and click Add CRL.
Repeat to add up to 25 CRLs.
c) Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.
Step 7
Verify that you have a valid server certificate generated by the same certificate authority that created the client
certificate.
Step 8
Click Save.
What to do next
(Optional) Set the frequency of CRL updates. See Configuring Certificate Revocation List Downloads, on
page 455.
View the Audit Log Client Certificate on the Management Center
You can view the audit log client certificate only for the appliance that you are logged in to. In management
center high availability pairs, you can view the certificate only on the active peer.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Audit Log Certificate.
Dashboard Settings
Dashboards provide you with at-a-glance views of current system status through the use of widgets: small,
self-contained components that provide insight into different aspects of the system. The system is delivered
with several predefined dashboard widgets.
You can configure the Secure Firewall Management Center so that Custom Analysis widgets are enabled on
the dashboard.
Related Topics
About Dashboards, on page 305
Enabling Custom Analysis Widgets for Dashboards
Use Custom Analysis dashboard widgets to create a visual representation of events based on a flexible,
user-configurable query.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Dashboard.
Step 3
Check the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to
dashboards.
Step 4
Click Save.
Related Topics
About Dashboards, on page 305
DNS Cache
You can configure the system to resolve IP addresses automatically on the event view pages. You can also
configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows
you to identify IP addresses you previously resolved without performing additional lookups. This can reduce
the amount of traffic on your network and speed the display of event pages when IP address resolution is
enabled.
Configuring DNS Cache Properties
DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Choose DNS Cache.
Step 3
From the DNS Resolution Caching drop-down list, choose one of the following:
• Enabled—Enable caching.
• Disabled—Disable caching.
Step 4
In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached in
memory before it is removed for inactivity.
The default setting is 300 minutes (five hours).
Step 5
Click Save.
Related Topics
Configuring Event View Settings, on page 189
Email Notifications
Configure a mail host if you plan to:
• Email event-based reports
• Email status reports for scheduled tasks
• Email change reconciliation reports
• Email data-pruning notifications
• Use email for discovery event, impact flag, correlation event alerting, intrusion event alerting, and health
event alerting
When you configure email notification, you can select an encryption method for the communication between
the system and mail relay host, and can supply authentication credentials for the mail server if needed. After
configuring, you can test the connection.
Configuring a Mail Relay Host and Notification Address
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Email Notification.
Step 3
In the Mail Relay Host field, enter the hostname or IP address of the mail server you want to use. The mail
host you enter must allow access from the appliance.
Step 4
In the Port Number field, enter the port number to use on the email server.
Typical ports include:
• 25, when using no encryption
• 465, when using SSLv3
• 587, when using TLS
Step 5
Choose an Encryption Method:
• TLS—Encrypt communications using Transport Layer Security.
• SSLv3—Encrypt communications using Secure Socket Layers.
• None—Allow unencrypted communication.
Note
Certificate validation is not required for encrypted communication between the appliance and mail
server.
Step 6
In the From Address field, enter the valid email address you want to use as the source email address for
messages sent by the appliance.
Step 7
Optionally, to supply a user name and password when connecting to the mail server, choose Use
Authentication. Enter a user name in the Username field. Enter a password in the Password field.
Step 8
To send a test email using the configured mail server, click Test Mail Server Settings.
A message appears next to the button indicating the success or failure of the test.
Step 9
Click Save.
Language Selection
You can use the Language page to specify a different language for the web interface.
Set the Language for the Web Interface
The language you specify here is used for the web interface for every user. You can choose from:
• English
• French
• Chinese (simplified)
• Chinese (traditional)
• Japanese
• Korean
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Language.
Step 3
Choose the language you want to use.
Step 4
Click Save.
Login Banners
You can use the Login Banner page to specify session, login, or custom message banners for a security
appliance or shared policy.
You can use ASCII characters and carriage returns to create a custom login banner. The system does not
preserve tab spacing. If your login banner is too large or causes errors, Telnet or SSH sessions can fail when
the system attempts to display the banner.
Customize the Login Banner
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Choose Login Banner.
Step 3
In the Custom Login Banner field, enter the login banner text you want to use.
Step 4
Click Save.
SNMP Polling
You can enable Simple Network Management Protocol (SNMP) polling. This feature supports use of versions
1, 2, and 3 of the SNMP protocol. This feature allows access to the standard management information base
(MIB), which includes system details such as contact, administrative, location, service information, IP
addressing and routing information, and transmission protocol usage statistics.
Note
When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities
and SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.
Enabling SNMP polling does not cause the system to send SNMP traps; it only makes the information in the
MIBs available for polling by your network management system.
Configure SNMP Polling
Before you begin
Add SNMP access for each computer you plan to use to poll the system. See Configure an Access List, on
page 71.
Note
The SNMP MIB contains information that could be used to attack your deployment. We recommend that you
restrict your access list for SNMP access to the specific hosts that will be used to poll for the MIB. We also
recommend you use SNMPv3 and use strong passwords for network management access.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click SNMP.
Step 3
From the SNMP Version drop-down list, choose the SNMP version you want to use:
• Version 1 or Version 2: Enter a read-only SNMP community name in the Community String field,
then skip to the end of the procedure.
Note
Do not include special characters (< > / % # & ? ', etc.) in the SNMP community string name.
• Version 3: Click Add User to display the user definition page. SNMPv3 only supports read-only users
and encryption with AES128.
Step 4
Enter a Username.
Step 5
Choose the protocol you want to use for authentication from the Authentication Protocol drop-down list.
Step 6
Enter the password required for authentication with the SNMP server in the Authentication Password field.
Step 7
Re-enter the authentication password in the Verify Password field.
Step 8
Choose the privacy protocol you want to use from the Privacy Protocol list, or choose None to not use a
privacy protocol.
Step 9
Enter the SNMP privacy key required by the SNMP server in the Privacy Password field.
Step 10
Re-enter the privacy password in the Verify Password field.
Step 11
Click Add.
Step 12
Click Save.
Time and Time Synchronization
Synchronizing the system time on your Secure Firewall Management Center (management center) and its
managed devices is essential to successful operation of your Firepower System. We recommend that you
specify NTP servers during management center initial configuration, but you can use the information in this
section to establish or change time synchronization settings after initial configuration is complete.
Use a Network Time Protocol (NTP) server to synchronize system time on the management center and all
devices. The management center supports secure communications with NTP servers using MD5, SHA-1, or
AES-128 CMAC symmetric key authentication; for system security, we recommend using this feature.
The management center can also be configured to connect solely with authenticated NTP servers; using this
option improves security in a mixed-authentication environment, or when migrating your system to different
NTP servers. It is redundant to use this setting in an environment where all reachable NTP servers are
authenticated.
Note
If you specified an NTP server for the management center during initial configuration, the connection with
that NTP server is not secured. You must edit the configuration for that connection to specify MD5, SHA-1,
or AES-128 CMAC keys.
Caution
Unintended consequences can occur when time is not synchronized between the management center and
managed devices.
To synchronize time on management center and managed devices, see:
• Recommended: Synchronize Time on the Management Center with an NTP Server, on page 85
This topic provides instructions for configuring your management center to synchronize with an NTP
server or servers and includes links to instructions on configuring managed devices to synchronize with
the same NTP server or servers.
• Otherwise: Synchronize Time Without Access to a Network NTP Server, on page 86
This topic provides instructions for setting the time on your management center, configuring your
management center to serve as an NTP server, and links to instructions on configuring managed devices
to synchronize with the management center NTP server.
Synchronize Time on the Management Center with an NTP Server
Time synchronization among all of the components of your system is critically important.
The best way to ensure proper time synchronization between Secure Firewall Management Center and all
managed devices is to use an NTP server on your network.
The management center supports NTPv4.
You must have Admin or Network Admin privileges to do this procedure.
Before you begin
Note the following:
• If your management center and managed devices cannot access a network NTP server, do not use this
procedure. Instead, see Synchronize Time Without Access to a Network NTP Server, on page 86.
• Do not specify an untrusted NTP server.
• If you plan to establish a secure connection with an NTP server (recommended for system security),
obtain an SHA-1, MD5, or AES-128 CMAC key number and value configured on that NTP server.
• Connections to NTP servers do not use configured proxy settings.
• Firepower 4100 Series devices and Firepower 9300 devices cannot use this procedure to set the system
time. Instead, configure those devices to use the same NTP server(s) that you configure using this
procedure. For instructions, see the documentation for your hardware model.
Caution
If the Secure Firewall Management Center is rebooted and your DHCP server sets an NTP server record
different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this
situation, configure your DHCP server to use the same NTP server.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Time Synchronization.
Step 3
If Serve Time via NTP is Enabled, choose Disabled to disable the management center as an NTP server.
Step 4
For the Set My Clock option, choose Via NTP.
Step 5
Click Add.
Step 6
In the Add NTP Server dialog box, enter the host name or IPv4 or IPv6 address of an NTP server.
Step 7
(Optional) To secure communication between your management center and the NTP server:
a) Select MD5, SHA-1 or AES-128 CMAC from the Key Type drop-down list.
b) Enter the corresponding MD5, SHA-1, or AES-128 CMAC Key Number and Key Value from the
specified NTP server.
Step 8
Click Add.
Step 9
To add more NTP servers, repeat Steps 5 through 8.
Step 10
(Optional) To force the management center to use only an NTP server that successfully authenticates, check
the Use the authenticated NTP server only check box.
Step 11
Click Save.
What to do next
Set managed devices to synchronize with the same NTP server or servers:
• Configure device platform settings: Configure NTP Time Synchronization for Threat Defense in the
Cisco Secure Firewall Management Center Device Configuration Guide.
Note that even if you force the management center to make a secure connection with an NTP server (Use
the authenticated NTP server only), device connections to that server do not use authentication.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
Synchronize Time Without Access to a Network NTP Server
If your devices cannot directly reach the network NTP server, or your organization does not have a network
NTP server, a physical-hardware Secure Firewall Management Center can serve as an NTP server.
Important
• Do not use this procedure unless you have no other NTP server. Instead, use the procedure in Synchronize
Time on the Management Center with an NTP Server, on page 85.
• Do not use a virtual Secure Firewall Management Center as an NTP server.
To change the time manually after configuring the Secure Firewall Management Center as an NTP server,
you must disable the NTP option, change the time manually, and then re-enable the NTP option.
Procedure
Step 1
Manually set the system time on the Secure Firewall Management Center:
a) Choose System ( ) > Configuration.
b) Click Time Synchronization.
c) If Serve Time via NTP is Enabled, choose Disabled.
d) Click Save.
e) For Set My Clock, choose Manually in Local Configuration.
f) Click Save.
g) In the navigation panel at the left side of the screen, click Time.
h) Use the Set Time drop-down lists to set the time.
i) If the time zone displayed is not UTC, click it and set the time zone to UTC.
j) Click Save.
k) Click Done.
l) Click Apply.
Step 2
Set the Secure Firewall Management Center to serve as an NTP server:
a) In the navigation panel at the left side of the screen, click Time Synchronization.
b) For Serve Time via NTP, choose Enabled.
c) Click Save.
Step 3
Set managed devices to synchronize with the Secure Firewall Management Center NTP server:
a) In the Time Synchronization settings for the platform settings policy assigned to your managed devices,
set the clock to synchronize Via NTP from Management Center.
b) Deploy the change to managed devices.
For instructions:
For threat defense devices, see Configure NTP Time Synchronization for Threat Defense in the Cisco Secure
Firewall Management Center Device Configuration Guide.
About Changing Time Synchronization Settings
• Your management center and its managed devices are heavily dependent on accurate time. The system
clock is a system facility that maintains the time of the system. The system clock is set to Coordinated
Universal Time (UTC), which is the primary time standard by which the world regulates clocks and
time.
DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time zone from UTC
is NOT supported, and doing so will require you to reimage the device to recover from an unsupported
state.
• If you configure the management center to serve time using NTP, and then later disable it, the NTP
service on managed devices still attempts to synchronize time with the management center. You must
update and redeploy any applicable platform settings policies to establish a new time source.
• To change the time manually after configuring the Secure Firewall Management Center as an NTP
server, you must disable the NTP option, change the time manually, and then re-enable the NTP option.
View Current System Time, Source, and NTP Server Connection Status
Time settings are displayed on most pages in local time using the time zone you set on the Time Zone page
in User Preferences (the default is America/New York), but are stored on the appliance using UTC time.
Restriction
The Time Zone function (in User Preferences) assumes that the default system clock is set to UTC time. DO
NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Be advised that changing the system time from UTC
is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Time.
The current time is displayed using the time zone specified for your account in User Preferences.
If your appliance uses an NTP server: For information about the table entries, see NTP Server Status, on page
88.
NTP Server Status
If you are synchronizing time from an NTP server, you can view connection status on the Time page (choose
System > Configuration).
Table 5: NTP Status
Column
Description
NTP Server
The IP address or name of the configured NTP server.
Status
The status of the NTP server time synchronization:
• Being Used indicates that the appliance is synchronized with the NTP server.
• Available indicates that the NTP server is available for use, but time is not yet
synchronized.
• Not Available indicates that the NTP server is in your configuration, but the NTP
daemon is unable to use it.
• Pending indicates that the NTP server is new or the NTP daemon was recently
restarted. Over time, its value should change to Being Used, Available, or Not
Available.
• Unknown indicates that the status of the NTP server is unknown.
Authentication
The authentication status for communication between the management center and the
NTP server:
• none indicates no authentication is configured.
• bad indicates authentication is configured but has failed.
• ok indicates authentication is successful.
If authentication has been configured, the system displays the key number and key
type (SHA-1, MD5, or AES-128 CMAC) following the status value. For example:
bad, key 2, MD5.
Offset
The number of milliseconds of difference between the time on the appliance and the
configured NTP server. Negative values indicate that the appliance is behind the NTP
server, and positive values indicate that it is ahead.
Last Update
The number of seconds that have elapsed since the time was last synchronized with
the NTP server. The NTP daemon automatically adjusts the synchronization times
based on a number of conditions. For example, if you see larger update times such as
300 seconds, that indicates that the time is relatively stable and the NTP daemon has
determined that it does not need to use a lower update increment.
Global User Configuration Settings
Global User Configuration settings affect all users on the Secure Firewall Management Center. Configure
these settings on the User Configuration page (System ( ) > Configuration > User Configuration):
• Password Reuse Limit: The number of passwords in a user’s most recent history that cannot be reused.
This limit applies to web interface access for all users. For the admin user, this applies to CLI access as
well; the system maintains separate password lists for each form of access. Setting the limit to zero (the
default) places no restrictions on password reuse. See Set Password Reuse Limit, on page 90.
• Track Successful Logins: The number of days that the system tracks successful logins to the Secure
Firewall Management Center, per user, per access method (web interface or CLI). When users log in,
the system displays their successful login count for the interface being used. When Track Successful
Logins is set to zero (the default), the system does not track or report successful login activity. See Track
Successful Logins, on page 90.
• Max Number of Login Failures: The number of times in a row that users can enter incorrect web
interface login credentials before the system temporarily blocks the account from access for a configurable
time period. If a user continues login attempts while the temporary lockout is in force:
• The system refuses access for that account (even with a valid password) without informing the user
that a temporary lockout is in force.
• The system continues to increment the failed login count for that account with each login attempt.
• If the user exceeds the Maximum Number of Failed Logins configured for that account on the
individual User Configuration page, the account is locked out until an admin user reactivates it.
• Set Time in Minutes to Temporarily Lockout Users: The duration in minutes for a temporary web
interface user lockout if Max Number of Failed Logins is non-zero.
• Max Concurrent Sessions Allowed: The number of sessions of a particular type (read-only or read/write)
that can be open at the same time. The type of session is determined by the roles assigned to a user. If a
user is assigned only read-only roles, that user's session is counted toward the (Read Only) session limit.
If a user has any roles with write privileges, the session is counted toward the Read/Write session limit.
For example, if a user is assigned the Admin role and the Maximum sessions for users with Read/Write
privileges/CLI users is set to 5, the user will not be allowed to log in if there are already five other users
logged in that have read/write privileges.
Note
Predefined user roles and custom user roles that the system considers read-only
for the purposes of concurrent session limits are labeled with (Read Only) in
the role name on the System ( ) > Users > Users and System ( ) > Users >
User Roles pages. If a user role does not contain (Read Only) in the role name, the
system considers the role to be read/write. The system automatically applies
(Read Only) to roles that meet the required criteria. You cannot make a role
read-only by adding that text string manually to the role name.
For each type of session, you can set a maximum limit ranging from 1 to 1024. When Max Concurrent
Sessions Allowed is set to zero (the default), the number of concurrent sessions is unlimited.
If you change the concurrent session limit to a value more restrictive, the system will not close any
currently open sessions; it will, however, prevent new sessions beyond the number specified from being
opened.
Set Password Reuse Limit
If you enable the Password Reuse Limit, the system keeps encrypted password histories for management
center users. Users cannot reuse passwords in their histories. You can specify the number of stored passwords
for each user, per access method (web interface or CLI). A user's current password counts towards this number.
If you lower the limit, the system deletes older passwords from the history. Increasing the limit does not
restore deleted passwords.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click User Configuration.
Step 3
Set the Password Reuse Limit to the number of passwords you want to maintain in the history (maximum
256).
To disable password reuse checking, enter 0.
Step 4
Click Save.
Track Successful Logins
Use this procedure to enable tracking successful logins for each user for a specified number of days. When
this tracking is enabled, the system displays the successful login count when users log into the web interface
or the CLI.
Note
If you lower the number of days, the system deletes records of older logins. If you then increase the limit, the
system does not restore the count from those days. In that case, the reported number of successful logins may
be temporarily lower than the actual number.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click User Configuration.
Step 3
Set Track Successful Login Days to the number of days to track successful logins (maximum 365).
To disable login tracking, enter 0.
Step 4
Click Save.
Enabling Temporary Lockouts
Enable the temporary timed lockout feature by specifying the number of failed login attempts in a row that
the system allows before the lockout goes into effect.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click User Configuration.
Step 3
Set the Max Number of Login Failures to the maximum number of consecutive failed login attempts before
the user is temporarily locked out.
To disable the temporary lockout, enter zero.
Step 4
Set the Time in Minutes to Temporarily Lockout Users to the number of minutes to lock out users who
have triggered a temporary lockout.
When this value is zero, users do not have to wait to retry to log in, even if the Max Number of Login Failures
is non-zero.
Step 5
Click Save.
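The lockout rules described in this section (a temporary lockout after a run of consecutive failures, a failed-login count that keeps growing while the lockout is in force, and the per-user Maximum Number of Failed Logins that locks the account until an admin reactivates it) can be modelled as a small state machine. This is an added illustration, not Cisco code; the class and function names are hypothetical, the account record is constructed, and the behaviour of the failure count after a temporary lockout expires is an assumption because the guide does not specify it.

```python
"""Model of the web-interface login lockout rules described in this section.

Added illustration, not Cisco code. LockoutPolicy holds the two global settings
(Max Number of Login Failures, Time in Minutes to Temporarily Lockout Users)
plus the per-user Maximum Number of Failed Logins; Account is a constructed
in-memory record. All names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    max_login_failures: int   # global: consecutive failures before a temporary lockout; 0 disables
    lockout_minutes: int      # global: length of the temporary lockout; 0 means no wait to retry
    max_failed_logins: int    # per-user: failures after which an admin must reactivate; 0 disables


@dataclass
class Account:
    password: str
    failed_count: int = 0                      # keeps counting while a temporary lockout is in force
    temp_lock_until: Optional[float] = None    # epoch seconds; None when no temporary lockout
    locked: bool = False                       # admin-reactivation lock


def _check_permanent_lock(acct: Account, policy: LockoutPolicy) -> None:
    # "exceeds the Maximum Number of Failed Logins": strictly greater than the per-user value
    if policy.max_failed_logins and acct.failed_count > policy.max_failed_logins:
        acct.locked = True


def attempt_login(acct: Account, policy: LockoutPolicy, supplied: str, now: float) -> str:
    """Process one web-interface login attempt at time `now`; return "ok" or "denied".

    The caller only ever learns "denied": the system does not tell the user
    that a temporary lockout is in force.
    """
    if acct.locked:
        return "denied"

    if acct.temp_lock_until is not None and now < acct.temp_lock_until:
        # Temporary lockout in force: refuse even a valid password and keep
        # incrementing the failed count, which can tip the account into the
        # admin-reactivation lock.
        acct.failed_count += 1
        _check_permanent_lock(acct, policy)
        return "denied"

    if supplied == acct.password:
        # A successful login ends the run of consecutive failures (assumption).
        acct.failed_count = 0
        acct.temp_lock_until = None
        return "ok"

    acct.failed_count += 1
    _check_permanent_lock(acct, policy)
    if (policy.max_login_failures
            and acct.failed_count >= policy.max_login_failures
            and policy.lockout_minutes):
        # Assumption: an expired temporary lockout does not reset the count, so
        # the next failure immediately starts a new lockout period.
        acct.temp_lock_until = now + policy.lockout_minutes * 60
    return "denied"


def demo() -> dict:
    """Walk through a constructed scenario and return what was observed."""
    policy = LockoutPolicy(max_login_failures=3, lockout_minutes=5, max_failed_logins=6)
    acct = Account(password="constructed-example-password")
    results = {}
    for t in range(3):                                  # three wrong passwords in a row
        attempt_login(acct, policy, "wrong", now=t)
    results["temp_locked_after_3"] = acct.temp_lock_until is not None
    results["valid_pw_during_lockout"] = attempt_login(acct, policy, acct.password, now=10)
    results["count_during_lockout"] = acct.failed_count
    results["valid_pw_after_lockout"] = attempt_login(acct, policy, acct.password, now=400)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```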
Set Maximum Number of Concurrent Sessions
You can specify the maximum number of sessions of a particular type (read-only or read/write) that can be
open at the same time. The type of session is determined by the roles assigned to a user. If a user is assigned
only read-only roles, that user's session is counted toward the Read Only session limit. If a user has any roles
with write privileges, the session is counted toward the Read/Write session limit.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click User Configuration.
Step 3
For each type of session (Read Only and Read/Write), set the Max Concurrent Sessions Allowed to the
maximum number of sessions of that type that can be open at the same time.
To apply no limits on concurrent users by session type, enter zero.
Note
If you change the concurrent session limit to a value more restrictive, the system will not close any
currently open sessions; it will, however, prevent new sessions beyond the number specified from
being opened.
Step 4
Click Save.
Session Timeouts
Unattended login sessions may be security risks. You can configure the amount of idle time before a user’s
login session times out due to inactivity.
Note that you can exempt specific web interface users from timeout, for scenarios where you plan to passively,
securely monitor the system for long periods of time. Users with the Administrator role, whose complete
access to menu options poses an extra risk if compromised, cannot be made exempt from session timeouts.
Configure Session Timeouts
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click CLI Timeout.
Step 3
Configure session timeouts:
• Web interface (management center only): Configure the Browser Session Timeout (Minutes). The
default value is 60; the maximum value is 1440 (24 hours).
To exempt users from this session timeout, see Add an Internal User, on page 111.
• CLI: Configure the CLI Timeout (Minutes) field. The default value is 0; the maximum value is 1440
(24 hours).
Step 4
Click Save.
Vulnerability Mapping
The system automatically maps vulnerabilities to a host IP address for any application protocol traffic received
or sent from that address, when the server has an application ID in the discovery event database and the packet
header for the traffic includes a vendor and version.
For any servers which do not include vendor or version information in their packets, you can configure whether
the system associates vulnerabilities with server traffic for these vendor and versionless servers.
For example, a host serves SMTP traffic that does not have a vendor or version in the header. If you enable
the SMTP server on the Vulnerability Mapping page of a system configuration, then save that configuration
to the Secure Firewall Management Center managing the device that detects the traffic, all vulnerabilities
associated with SMTP servers are added to the host profile for the host.
Although detectors collect server information and add it to host profiles, the application protocol detectors
will not be used for vulnerability mapping, because you cannot specify a vendor or version for a custom
application protocol detector and cannot select the server for vulnerability mapping.
Mapping Vulnerabilities for Servers
This procedure requires any Smart License or the Protection classic license.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Choose Vulnerability Mapping.
Step 3
You have the following choices:
• To prevent vulnerabilities for a server from being mapped to hosts that receive application protocol traffic
without vendor or version information, clear the check box for that server.
• To cause vulnerabilities for a server to be mapped to hosts that receive application protocol traffic without
vendor or version information, check the check box for that server.
Tip
You can check or clear all check boxes at once using the check box next to Enabled.
Step 4
Click Save.
Remote Console Access Management
You can use a Linux system console for remote access on supported systems via either the VGA port (which
is the default) or the serial port on the physical appliance. Use the Console Configuration page to choose the
option most suitable to the physical layout of your organization’s Firepower deployment.
On supported physical-hardware-based systems, you can use Lights-Out Management (LOM) on a Serial
Over LAN (SOL) connection to remotely monitor or manage the system without logging into the management
interface of the system. You can perform limited tasks, such as viewing the chassis serial number or monitoring
such conditions as fan speed and temperature, using a command line interface on an out-of-band management
connection. The cable connection to support LOM varies by management center model:
• For management center models MC1600, MC2600, and MC4600, use a connection with the CIMC port
to support LOM. See the Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started
Guide for more information.
• For all other management center hardware models, use a connection with the default (eth0) management
port to support LOM. See the Cisco Firepower Management Center Getting Started Guide for your
hardware model.
You must enable LOM for both the system and the user you want to manage the system. After you enable the
system and the user, you use a third-party Intelligent Platform Management Interface (IPMI) utility to access
and manage your system.
Configuring Remote Console Settings on the System
You must be an Admin user to perform this procedure.
Before you begin
• Disable Spanning Tree Protocol (STP) on any third-party switching equipment connected to the device’s
management interface.
• If you plan to enable Lights-Out Management see the Getting Started Guide for your appliance for
information about installing and using an Intelligent Platform Management Interface (IPMI) utility.
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click Console Configuration.
Step 3
Choose a remote console access option:
• Choose VGA to use the appliance's VGA port.
• Choose Physical Serial Port to use the appliance's serial port.
• Choose Lights-Out Management to use an SOL connection on the management center. (This may use
the default management port or the CIMC port depending on your management center model. See the
Getting Started Guide for your model for more information.)
Step 4
To configure LOM via SOL:
• Choose the address Configuration for the system (DHCP or Manual).
• If you chose manual configuration, enter the necessary IPv4 settings:
• Enter the IP Address to be used for LOM.
Note
The LOM IP address must be different from and in the same subnet as the management
center management interface IP address.
• Enter the Netmask for the system.
• Enter the Default Gateway for the system.
Step 5
Click Save.
Step 6
The system displays the following warning: "You will have to reboot your system for these changes to take
effect." Click OK to reboot now or Cancel to reboot later.
What to do next
• If you configured serial access, be sure the rear-panel serial port is connected to a local computer, terminal
server, or other device that can support remote serial access over Ethernet as described in the Getting
Started Guide for your management center model.
• If you configured Lights-Out Management, enable a Lights-Out Management user; see Lights-Out
Management User Access Configuration, on page 95.
Lights-Out Management User Access Configuration
You must explicitly grant Lights-Out Management permissions to users who will use the feature. LOM users
also have the following restrictions:
• You must assign the Administrator role to the user.
• The username may have up to 16 alphanumeric characters. Hyphens and longer user names are not
supported for LOM users.
• A user’s LOM password is the same as that user’s system password. The password must comply with
the requirements described in User Passwords, on page 108. Cisco recommends that you use a complex,
non-dictionary-based password of the maximum supported length for your appliance and change it every
three months.
• Physical Secure Firewall Management Centers can have up to 13 LOM users.
Note that if you deactivate, then reactivate, a user with LOM while that user is logged in, or restore a user
from a backup during that user's login session, that user may need to log back into the web interface to regain
access to ipmitool commands.
Enabling Lights-Out Management User Access
You must be an Admin user to perform this procedure.
Use this task to grant LOM access to an existing user. To grant LOM access to a new user, see Add an Internal
User, on page 111.
Procedure
Step 1
Choose System ( ) > Users > Users.
Step 2
To grant LOM user access to an existing user, click Edit ( ) next to a user name in the list.
Step 3
Under User Configuration, enable the Administrator role.
Step 4
Check the Allow Lights-Out Management Access check box.
Step 5
Click Save.
Serial Over LAN Connection Configuration
You use a third-party IPMI utility on your computer to create a Serial Over LAN connection to the appliance.
If your computer uses a Linux-like or Mac environment, use IPMItool; for Windows environments, you can
use IPMIutil or IPMItool, depending on your Windows version.
Note
Cisco recommends using IPMItool version 1.8.12 or greater.
Linux
IPMItool is standard with many distributions and is ready to use.
Mac
You must install IPMItool on a Mac. First, confirm that your Mac has Apple's XCode Developer tools installed,
making sure that the optional components for command line development are installed (UNIX Development
and System Tools in newer versions, or Command Line Support in older versions). Then you can install
macports and the IPMItool. Use your favorite search engine for more information or try these sites:
https://developer.apple.com/technologies/tools/
http://www.macports.org/
http://github.com/ipmitool/ipmitool/
Windows
For Windows Versions 10 and greater with Windows Subsystem for Linux (WSL) enabled, as well as some
older versions of Windows Server, you can use IPMItool. Otherwise, you must compile IPMIutil on your
Windows system; you can use IPMIutil itself to compile. Use your favorite search engine for more information
or try this site:
http://ipmiutil.sourceforge.net/man.html#ipmiutil
Understanding IPMI Utility Commands
Commands used for IPMI utilities are composed of segments as in the following example for IPMItool on
Mac:
ipmitool -I lanplus -H IP_address -U user_name command
where:
• ipmitool invokes the utility.
• -I lanplus specifies to use an encrypted IPMI v2.0 RMCP+ LAN Interface for the session.
• -H IP_address indicates the IP address you have configured for Lights-Out Management on the appliance
you want to access.
• -U user_name is the name of an authorized remote session user.
• command is the name of the command you want to use.
Note
Cisco recommends using IPMItool version 1.8.12 or greater.
The same command for IPMIutil on Windows looks like this:
ipmiutil command -V 4 -J 3 -N IP_address -Uuser_name
This command connects you to the command line on the appliance where you can log in as if you were
physically present at the appliance. You may be prompted to enter a password.
Configuring Serial Over LAN with IPMItool
You must be an Admin user with LOM access to perform this procedure.
Procedure
Using IPMItool, enter the following command, and a password if prompted:
ipmitool -I lanplus -H IP_address -U user_name sol activate
Configuring Serial Over LAN with IPMIutil
You must be an Admin user with LOM access to perform this procedure.
Procedure
Using IPMIutil, enter the following command, and a password if prompted:
ipmiutil -J 3 -N IP_address -U username sol -a
Lights-Out Management Overview
Lights-Out Management (LOM) provides the ability to perform a limited set of actions over an SOL connection
on the default (eth0) management interface without the need to log into the system. You use the command
to create a SOL connection followed by one of the LOM commands. After the command is completed, the
connection ends.
Caution
In rare cases, if your computer is on a different subnet than the system's management interface and the system
is configured for DHCP, attempting to access LOM features can fail. If this occurs, you can either disable and
then re-enable LOM on the system, or use a computer on the same subnet as the system to ping its management
interface. You should then be able to use LOM.
Caution
Cisco is aware of a vulnerability inherent in the Intelligent Platform Management Interface (IPMI) standard
(CVE-2013-4786). Enabling Lights-Out Management (LOM) on a system exposes this vulnerability. To
mitigate this vulnerability, deploy your systems on a secure management network accessible only to trusted
users and use a complex, non-dictionary-based password of the maximum supported length for your system
and change it every three months. To prevent exposure to this vulnerability, do not enable LOM.
If all attempts to access your system have failed, you can use LOM to restart your system remotely. Note that
if a system is restarted while the SOL connection is active, the LOM session may disconnect or time out.
Caution
Do not restart your system unless it does not respond to any other attempts to restart. Remotely restarting
does not gracefully reboot the system and you may lose data.
Table 6: Lights-Out Management Commands

IPMItool                  IPMIutil                  Description
(not applicable)          -V 4                      Enables admin privileges for the IPMI session
-I lanplus                -J 3                      Enables encryption for the IPMI session
-H hostname/IP address    -N nodename/IP address    Indicates the LOM IP address or hostname for the management center
-U                        -U                        Indicates the username of an authorized LOM account
sol activate              sol -a                    Starts the SOL session
sol deactivate            sol -d                    Ends the SOL session
chassis power cycle       power -c                  Restarts the appliance
chassis power on          power -u                  Powers up the appliance
chassis power off         power -d                  Powers down the appliance
sdr                       sensor                    Displays appliance information, such as fan speeds and temperatures
For example, to display a list of appliance information, the IPMItool command is:
ipmitool -I lanplus -H IP_address -U user_name sdr
Note
Cisco recommends using IPMItool version 1.8.12 or greater.
The same command with the IPMIutil utility is:
ipmiutil sensor -V 4 -J 3 -N IP_address -U user_name
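Because Table 6 and the two command templates above map one-to-one, a small wrapper can build either tool's invocation from the same host, user and action, translate an existing IPMItool command line into its IPMIutil form, and refuse anything that is not one of the documented LOM actions or that does not use the encrypted lanplus interface. This is an added example, not Cisco's or either utility's own code; the host and user name are constructed, the function names are hypothetical, and no password is included because both tools prompt for it.

```python
"""Build and translate LOM command lines from Table 6 (added example, not Cisco code)."""
import shlex
from typing import Dict, List

# Table 6: IPMItool command -> IPMIutil equivalent. Only these actions are allowed,
# so a wrapper built on this cannot be steered into arbitrary IPMI commands.
LOM_ACTIONS: Dict[str, str] = {
    "sol activate":        "sol -a",
    "sol deactivate":      "sol -d",
    "chassis power cycle": "power -c",
    "chassis power on":    "power -u",
    "chassis power off":   "power -d",
    "sdr":                 "sensor",
}


def build_lom_command(tool: str, host: str, user: str, action: str) -> List[str]:
    """Return the argv for `tool` ("ipmitool" or "ipmiutil") following the guide's templates."""
    if action not in LOM_ACTIONS:
        raise ValueError(f"not a documented LOM action: {action!r}")
    if tool == "ipmitool":
        # -I lanplus: encrypted IPMI v2.0 RMCP+ session; -H LOM address; -U LOM user
        return ["ipmitool", "-I", "lanplus", "-H", host, "-U", user] + action.split()
    if tool == "ipmiutil":
        # -V 4: admin privilege level; -J 3: encryption; -N node; -U user
        return (["ipmiutil"] + LOM_ACTIONS[action].split()
                + ["-V", "4", "-J", "3", "-N", host, "-U", user])
    raise ValueError(f"unknown tool: {tool!r}")


def ipmitool_to_ipmiutil(argv: List[str]) -> List[str]:
    """Translate an IPMItool command line (as argv) into the equivalent IPMIutil argv.

    Rejects unencrypted interfaces and any option the guide's template does not use.
    """
    if not argv or argv[0] != "ipmitool":
        raise ValueError("expected an ipmitool command line")
    opts: Dict[str, str] = {}
    words: List[str] = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-I", "-H", "-U"):
            if i + 1 >= len(argv):
                raise ValueError(f"missing value for {tok}")
            opts[tok] = argv[i + 1]
            i += 2
        elif tok.startswith("-"):
            raise ValueError(f"unsupported option {tok!r}")
        else:
            words.append(tok)          # remaining words form the LOM action
            i += 1
    if opts.get("-I") != "lanplus":
        raise ValueError("only the encrypted lanplus interface is accepted")
    for key in ("-H", "-U"):
        if key not in opts:
            raise ValueError(f"missing {key}")
    return build_lom_command("ipmiutil", opts["-H"], opts["-U"], " ".join(words))


def render(argv: List[str]) -> str:
    """Shell-quote an argv list for display (nothing is executed here)."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed example values, not a real deployment.
    host, user = "192.0.2.10", "lom-admin-example"
    for action in LOM_ACTIONS:
        it = build_lom_command("ipmitool", host, user, action)
        print(render(it))
        print(render(ipmitool_to_ipmiutil(it)))
```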
Configuring Lights-Out Management with IPMItool
You must be an Admin user with LOM access to perform this procedure.
Procedure
Enter the following command for IPMItool and a password if prompted:
ipmitool -I lanplus -H IP_address -U user_name command
Configuring Lights-Out Management with IPMIutil
You must be an Admin user with LOM access to perform this procedure.
Procedure
Enter the following command for IPMIutil and a password if prompted:
ipmiutil -J 3 -N IP_address -U username command
REST API Preferences
The Firepower REST API provides a lightweight interface for third-party applications to view and manage
appliance configuration using a REST client and standard HTTP methods. For more information on the
Firepower REST API, see the Firepower REST API Quick Start Guide.
By default, the Secure Firewall Management Center allows requests from applications using the REST API.
You can configure the Secure Firewall Management Center to block this access.
Enabling REST API Access
Note
In deployments using the management center high availability, this feature is available only in the active
management center.
Procedure
Step 1
Choose the Cog ( ) in the upper right corner to open the system menu.
Step 2
Click REST API Preferences.
Step 3
To enable or disable REST API access to the management center, check or uncheck the Enable REST API
check box.
Step 4
Click Save.
Step 5
Access the REST API Explorer at:
https://<management_center_IP_or_name>:<https_port>/api/api-explorer
VMware Tools and Virtual Systems
VMware Tools is a suite of performance-enhancing utilities intended for virtual machines. These utilities
allow you to make full use of the convenient features of VMware products. Firepower virtual appliances
running on VMware support the following plugins:
• guestInfo
• powerOps
• timeSync
• vmbackup
You can also enable VMware Tools on all supported versions of ESXi. For information on the full functionality
of VMware Tools, see the VMware website (http://www.vmware.com/).
Enabling VMware Tools on the Secure Firewall Management Center for
VMware
Procedure
Step 1
Choose System ( ) > Configuration.
Step 2
Click VMware Tools.
Step 3
Click Enable VMware Tools.
Step 4
Click Save.
(Optional) Opt Out of Web Analytics Tracking
By default, in order to improve Firepower products, Cisco collects non-personally-identifiable usage data,
including but not limited to page interactions, browser versions, product versions, user location, and management
IP addresses or hostnames of your management center appliances.
Data collection begins after you accept the End User License Agreement. If you do not want Cisco to continue
to collect this data, you can opt out using the following procedure.
Procedure
Step 1
Choose System > Configuration.
Step 2
Click Web Analytics.
Step 3
Make your choice and click Save.
What to do next
(Optional) Determine whether to share data via the Configure Cisco Success Network Enrollment.
History for System Configuration

Feature: French language option
Version: 7.2
Details: You can now switch the management center web interface to French from System ( )
> Configuration > Language.

Feature: Exempt most connection events from event rate limits
Version: 7.0
Details: Setting the Maximum Connection Events value for the Connection Database to zero
now exempts low priority connection events from counting towards the flow rate limit
for your management center hardware. Previously, setting this value to zero applied
only to event storage, and did not affect the flow rate limit.
New/modified screens: System > Configuration > Database
Supported platforms: Hardware management centers.

Feature: Support for AES-128 CMAC authentication for NTP servers
Version: 7.0
Details: Connections between the management center and NTP servers can be secured with
AES-128 CMAC keys as well as previously-supported MD5 and SHA-1 keys.
New/modified screens: System ( ) > Configuration > Time Synchronization

Feature: Subject Alternative Name (SAN)
Version: 6.6
Details: When creating an HTTPS certificate for the management center, you can specify SAN
fields. We recommend you use SAN if the certificate secures multiple domain names
or IP addresses. For more information about SAN, see RFC 5280, section 4.2.1.6.
New/modified screens: System ( ) > Configuration > HTTPS Certificate
Cisco Secure Firewall Management Center Administration Guide, 7.2
101
System Settings
History for System Configuration
Feature
Version
Details
HTTPS Certificates
6.6
The default HTTPS server certificate provided with the system now expires in 800 days.
If your appliance uses a default certificate that was generated before you upgraded to
Version 6.6, the certificate lifetime varies depending on the Firepower version being
used when the certificate was generated. See Default HTTPS Server Certificates, on
page 43 for more information.
Supported platforms: Hardware management centers.
Secure NTP
6.5
The management center supports secure communications with NTP servers using SHA1
or MD5 symmetric key authentication.
New/modified screens: System ( ) > Configuration > Time Synchronization
Web analytics
6.5
Web analytics data collection begins after you accept the EULA. As before, you can
opt not to continue to share data. See (Optional) Opt Out of Web Analytics Tracking,
on page 101.
Automatic CLI access for
the management center
6.5
When you use SSH to log into the management center, you automatically access the
CLI. Although strongly discouraged, you can then use the CLI expert command to
access the Linux shell.
Note
Configurable session limits 6.5
for read-only and read/write
access
This feature deprecates the Version 6.3 ability to enable and disable CLI
access for the management center. As a consequence of deprecating this
option, the virtual management center no longer displays the System >
Configuration > Console Configuration page, which still appears on
physical management centers.
Added the Max Concurrent Sessions Allowed setting. This setting allows the
administrator to specify the maximum number of sessions of a particular type (read-only
or read/write) that can be open at the same time.
Note
Predefined user roles and custom user roles that the system considers readonly for the purposes of concurrent session limits, are labeled with (Read
Only) in the role name on the System > Users > Users and the System >
Users > User Roles. If a user role does not contain (Read Only) in the role
name, the system considers the role to be read/write.
New/modified screens:
• System > Configuration > User Configuration
• System > Users > User Roles
Ability to disable Duplicate 6.4
Address Detection (DAD)
on management interfaces
When you enable IPv6, you can disable DAD. You might want to disable DAD because
the use of DAD opens up the possibility of denial of service attacks. If you disable this
setting, you need check manually that this interface is not using an already-assigned
address.
New/modified screens: System > Configuration > Management Interfaces >
Interfaces > Edit Interface dialog box > IPv6 DAD check box
Supported platforms: management center
Cisco Secure Firewall Management Center Administration Guide, 7.2
102
System Settings
History for System Configuration
Feature
Version
Ability to disable ICMPv6 6.4
Echo Reply and Destination
Unreachable messages on
management interfaces
Details
When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination
Unreachable messages. You might want to disable these packets to guard against potential
denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6
ping to the device management interfaces for testing purposes.
New/modified screens: System > Configuration > Management Interfaces > ICMPv6
New/modified commands: configure network ipv6 destination-unreachable, configure
network ipv6 echo-reply
Supported platforms: management center (web interface only), threat defense (CLI only)
Global User Configuration 6.3
Settings
Added the Track Successful Logins setting. The system can track the number of
successful logins each management center account has performed within a selected
number of days. When this feature is enabled, on log in users see a message reporting
how many times they have successfully logged in to the system in the past configured
number of days. (Applies to web interface as well as shell/CLI access.)
Added the Password Reuse Limit setting. The system can track the password history
for each account for a configurable number of previous passwords. The system prevents
all users from re-using passwords that appear in that history. (Applies to web interface
as well as shell/CLI access.)
Added the Max Number of Login Failures and Set Time in Minutes to Temporarily
Lockout Users settings. These allow the administrator to limit the number of times in
a row a user can enter incorrect web interface login credentials before the system
temporarily blocks the account for a configurable period of time.
New/modified screens: System > Configuration > User Configuration
Supported platforms: management center
HTTPS Certificates
6.3
The default HTTPS server certificate provided with the system now expires in three
years. If your appliance uses a default server certificate that was generated before you
upgraded to Version 6.3, the server certificate will expire 20 years from when it was
first generated. If you are using the default HTTPS server certificate the system now
provides the ability to renew it.
New/modified screens: System > Configuration > HTTPS Certificate page > Renew
HTTPS Certificate.
Supported platforms: management center
Cisco Secure Firewall Management Center Administration Guide, 7.2
103
System Settings
History for System Configuration
Feature
Version
Ability to enable and disable 6.3
CLI access for the
management center
Details
There is a new check box available to administrators in management center web interface:
Enable CLI Access on the System ( ) > Configuration > Console Configuration
page.
• Checked: Logging into the management center using SSH accesses the CLI.
• Unchecked: Logging into management center using SSH accesses the Linux shell.
This is the default state for fresh Version 6.3 installations as well as upgrades to
Version 6.3 from a previous release.
Previous to Version 6.3, there was only one setting on the Console Configuration page,
and it applied to physical devices only. So the Console Configuration page was not
available on virtual management centers. With the addition of this new option, the
Console Configuration page now appears on virtual management centers as well as
physical. However, for virtual management centers, this check box is the only thing that
appears on the page.
Supported platforms: management center
Cisco Secure Firewall Management Center Administration Guide, 7.2
104
CHAPTER
4
Users
The management center includes default admin accounts for web and CLI access. This chapter discusses how
to create custom user accounts. See Logging into the Management Center, on page 27 for detailed information
about logging into the management center with a user account.
• About Users, on page 105
• Guidelines and Limitations for User Accounts for Management Center, on page 110
• Requirements and Prerequisites for User Accounts for Management Center, on page 111
• Add an Internal User, on page 111
• Configure External Authentication for the Management Center, on page 113
• Configure SAML Single Sign-On, on page 129
• Customize User Roles for the Web Interface, on page 180
• Troubleshooting LDAP Authentication Connections, on page 185
• Configure User Preferences, on page 186
• History for Users, on page 194
About Users
You can add custom user accounts on managed devices, either as internal users or as external users on an LDAP
or RADIUS server. Each managed device maintains separate user accounts. For example, when you add a
user to the management center, that user only has access to the management center; you cannot then use that
username to log directly into a managed device. You must separately add a user on the managed device.
Internal and External Users
Managed devices support two types of users:
• Internal user—The device checks a local database for user authentication.
• External user—If the user is not present in the local database, the system queries an external LDAP or
RADIUS authentication server.
Web Interface and CLI Access
The management center has a web interface, a CLI (reached from the console, that is, the serial port or a
keyboard and monitor, or over SSH to the management interface), and a Linux shell. For detailed information
about the management UIs, see System User Interfaces, on page 29.
See the following information about management center user types, and which UI they can access:
• admin user—The management center supports two different internal admin users: one for the web
interface, and another with CLI access. The system initialization process synchronizes the passwords for
these two admin accounts so they start out the same, but they are tracked by different internal mechanisms
and may diverge after initial configuration. See the Getting Started Guide for your model for more
information on system initialization. (To change the password for the web interface admin, use
Integration > Users > Users. To change the password for the CLI admin, use the management center
CLI command configure password.)
• Internal users—Internal users added in the web interface have web interface access only.
• External users—External users have web interface access, and you can optionally configure CLI access.
• SSO users—SSO users have web interface access only.
Caution
CLI users can access the Linux shell using the expert command. We strongly recommend that you do not
use the Linux shell unless directed by Cisco TAC or explicit instructions in the management center
documentation. CLI users can obtain root privileges through sudo in the Linux shell, which can present a security risk.
For system security reasons, we strongly recommend that you:
• Restrict the list of external users with CLI access appropriately.
• Do not add users directly in the Linux shell; only use the procedures in this chapter.
User Roles
CLI User Role
CLI external users on the management center do not have a user role; they can use all available commands.
Web Interface User Roles
User privileges are based on the assigned user role. For example, you can grant analysts predefined roles such
as Security Analyst and Discovery Admin and reserve the Administrator role for the security administrator
managing the device. You can also create custom user roles with access privileges tailored to your organization’s
needs.
The management center includes the following predefined user roles:
Note
Predefined user roles that the system considers read-only for the purposes of concurrent session limits, are
labeled with (Read Only) in the role name under System ( ) > Users > Users and System ( ) > Users >
User Roles. If a user role does not contain (Read Only) in the role name, the system considers the role to be
read/write. For more information on concurrent session limits, see Global User Configuration Settings, on
page 89.
Access Admin
Provides access to access control policy and associated features in the Policies menu. Access Admins
cannot deploy policies.
Administrator
Administrators have access to everything in the product; their sessions present a higher security risk if
compromised, so you cannot make them exempt from login session timeouts.
You should limit use of the Administrator role for security reasons.
Discovery Admin
Provides access to network discovery, application detection, and correlation features in the Policies
menu. Discovery Admins cannot deploy policies.
External Database User (Read Only)
Provides read-only access to the database using an application that supports JDBC SSL connections. For
the third-party application to authenticate to the appliance, you must enable database access in the system
settings. On the web interface, External Database Users have access only to online help-related options
in the Help menu. Because this role’s function does not involve the web interface, access is provided
only for ease of support and password changes.
Intrusion Admin
Provides access to all intrusion policy, intrusion rule, and network analysis policy features in the Policies
and Objects menus. Intrusion Admins cannot deploy policies.
Maintenance User
Provides access to monitoring and maintenance features. Maintenance Users have access to
maintenance-related options in the Health and System menus.
Network Admin
Provides access to access control, SSL inspection, DNS policy, and identity policy features in the Policies
menu, as well as device configuration features in the Devices menus. Network Admins can deploy
configuration changes to devices.
Security Analyst
Provides access to security event analysis features, and read-only access to health events, in the Overview,
Analysis, Health, and System menus.
Security Analyst (Read Only)
Provides read-only access to security event analysis features and health event features in the Overview,
Analysis, Health, and System menus.
Users with this role can also:
• From the health monitor pages for specific devices, generate and download troubleshooting files.
• Under user preferences, set file download preferences.
• Under user preferences, set the default time window for event views (with the exception of the
Audit Log Time Window).
Security Approver
Provides limited access to access control and associated policies and network discovery policies in the
Policies menu. Security Approvers can view and deploy these policies, but cannot make policy changes.
Threat Intelligence Director (TID) User
Provides access to Threat Intelligence Director configurations in the Intelligence menu. Threat Intelligence
Director (TID) Users can view and configure TID.
User Passwords
The following rules apply to passwords for internal user accounts on the management center, with Lights-Out
Management (LOM) enabled or disabled. Different password requirements apply for externally authenticated
accounts or in systems with security certifications compliance enabled. See Configure External Authentication
for the Management Center, on page 113 and Security Certifications Compliance, on page 295 for more
information.
During management center initial configuration, the system requires the admin user to set the account password
to comply with strong password requirements described in the table below. For physical management centers,
the strong password requirements with LOM enabled are used, and for virtual management centers, the strong
password requirements with LOM not enabled are used. At this time the system synchronizes the passwords
for the web interface admin and the CLI access admin. After initial configuration, the web interface admin
can remove the strong password requirement, but the CLI access admin must always comply with strong
password requirements with LOM not enabled.
Password Strength Checking On, LOM Not Enabled
Passwords must include:
• At least eight characters, or the number of characters configured for the user by the administrator, whichever is greater.
• No more than two sequentially repeating characters
• At least one lower case letter
• At least one upper case letter
• At least one digit
• At least one special character such as !@#*-_+
The system checks passwords against a special dictionary containing not only many English dictionary words, but also other character strings that could be easily cracked with common password hacking techniques.

Password Strength Checking On, LOM Enabled
Passwords must include:
• Between eight and twenty characters (On MC 1000, MC 2500, and MC 4500 the upper limit is fourteen characters rather than twenty.)
• No more than two sequentially repeating characters
• At least one lower case letter
• At least one upper case letter
• At least one digit
• At least one special character such as !@#*-_+
The rules for special characters vary between different series of physical management centers. We recommend restricting your choice of special characters to those listed in the final bullet above.
Do not include the user name in the password.
The system checks passwords against a special dictionary containing not only many English dictionary words, but also other character strings that could be easily cracked with common password hacking techniques.

Password Strength Checking Off, LOM Not Enabled
Passwords must include the minimum number of characters configured for the user by the administrator. (See Add an Internal User, on page 111 for more information.)

Password Strength Checking Off, LOM Enabled
Passwords must include:
• Between eight and twenty characters (On MC 1000, MC 2500, and MC 4500 the upper limit is fourteen characters rather than twenty.)
• Characters from at least three of the following four categories:
  • Uppercase letters
  • Lowercase letters
  • Digits
  • Special characters such as ! @ # * - _ +
The rules for special characters vary between different series of physical management centers. We recommend restricting your choice of special characters to those listed in the final bullet above.
Do not include the user name in the password.
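The four cases above (strength checking on or off, LOM enabled or not) can be encoded as a single checker, which is useful when auditing candidate passwords before pasting them into the web interface. The following Python is an added example, not code from the guide or from Cisco; the weak-string dictionary and the sample passwords are constructed, because the system's real dictionary is not published, and the minimum-length default of 8 mirrors the Minimum Password Length setting described in Add an Internal User.

```python
"""Checker for the management center's internal-user password rules.

Added example, not code from the guide or from Cisco. It encodes the four
cases of the password table (strength checking on/off, LOM enabled or not).
WEAK_STRINGS is a constructed stand-in for the system's dictionary, which
is not published.
"""
import re

WEAK_STRINGS = {"password", "admin123", "qwerty", "letmein", "welcome1"}  # constructed

# Special characters the guide recommends restricting yourself to, because the
# accepted set varies between hardware series.
SPECIALS = set("!@#*-_+")

# Upper length limit with LOM enabled: 20 in general, 14 on MC 1000/2500/4500.
LOM_MAX_LENGTH = 20
LOM_MAX_LENGTH_MC1000_2500_4500 = 14


def has_three_in_a_row(password):
    """True if any character repeats more than twice sequentially ("aaa")."""
    return re.search(r"(.)\1\1", password) is not None


def character_categories(password):
    """Which of the four character categories the password contains."""
    return {
        "lower case letter": any(c.islower() for c in password),
        "upper case letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in SPECIALS for c in password),
    }


def check_password(password, username, *, strength_checking=True,
                   lom_enabled=False, min_length=8, lom_max_length=LOM_MAX_LENGTH):
    """Return the list of rule violations; an empty list means the password is accepted.

    min_length is the per-user Minimum Password Length setting (0 = no minimum).
    """
    problems = []
    n = len(password)
    cats = character_categories(password)

    if lom_enabled:
        if not 8 <= n <= lom_max_length:
            problems.append(f"length must be between 8 and {lom_max_length} characters")
        if username and username.lower() in password.lower():
            problems.append("must not contain the user name")
        # With strength checking off, LOM still demands three of the four categories.
        if not strength_checking and sum(cats.values()) < 3:
            problems.append("needs characters from at least three of the four categories")
    elif strength_checking:
        # Eight characters or the configured minimum, whichever is greater.
        if n < max(8, min_length):
            problems.append(f"needs at least {max(8, min_length)} characters")
    elif n < min_length:
        # Strength checking off, LOM off: only the configured minimum applies.
        problems.append(f"needs at least {min_length} characters")

    if strength_checking:
        if has_three_in_a_row(password):
            problems.append("no more than two sequentially repeating characters")
        problems.extend(f"needs at least one {name}" for name, ok in cats.items() if not ok)
        if password.lower() in WEAK_STRINGS:
            problems.append("found in the weak-password dictionary")
    return problems


if __name__ == "__main__":
    samples = [
        ("Tr0ub4dor!x", "alice", {}),
        ("aaaBBB111!", "alice", {}),
        ("Alice#2024x", "alice", {"lom_enabled": True}),
        ("Xy9!Xy9!Xy9!Xy9!", "bob", {"lom_enabled": True,
                                    "lom_max_length": LOM_MAX_LENGTH_MC1000_2500_4500}),
        ("abcdefgh", "bob", {"strength_checking": False, "lom_enabled": True}),
    ]
    for pw, user, opts in samples:
        print(pw, "->", check_password(pw, user, **opts) or "accepted")
```

With LOM enabled the upper bound is passed as lom_max_length (14 on MC 1000, 2500 and 4500), and turning strength checking off makes the three-of-four-categories rule take over; the same function therefore covers all four cells of the table.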
Guidelines and Limitations for User Accounts for Management
Center
Defaults
• The management center includes an admin user as a local user account for all forms of access; you
cannot delete the admin user. The default initial password is Admin123; the system forces you to change
this during the initialization process. See the Getting Started Guide for your model for more information
about system initialization.
• By default the following settings apply to all user accounts on the management center:
• There are no limits on password reuse.
• The system does not track successful logins.
• The system does not enforce a timed temporary lockout for users who enter incorrect login credentials.
• There are no user-defined limits on the number of read-only and read/write sessions that can be
open at the same time.
You can change these settings for all users as a system configuration. (System ( ) > Configuration >
User Configuration) See Global User Configuration Settings, on page 89.
Requirements and Prerequisites for User Accounts for
Management Center
Model Support
Management Center
Supported Domains
• SSO configuration—Global only.
• All other features—Any.
User Roles
• SSO configuration—Only users with the Admin role authenticated internally or by LDAP or RADIUS
can configure SSO.
• All other features—Any user with the Admin role.
• Configure Common Access Card Authentication with LDAP, on page 128 also supports the Network
Admin role.
Add an Internal User
This procedure describes how to add custom internal user accounts for the management center.
The System > Users > Users page shows both internal users that you added manually and external users that were
added automatically when a user logged in with LDAP or RADIUS authentication. For external users, you
can modify the user role on this screen if you assign a role with higher privileges; you cannot modify the
password settings.
In a multidomain deployment on the management center, users are only visible in the domain in which they
are created. Note that if you add a user in the Global domain, but then assign a user role for a leaf domain,
then that user still shows on the Global Users page where it was added, even though the user "belongs" to a
leaf domain.
If you enable security certifications compliance or Lights-Out Management (LOM) on a device, different
password restrictions apply. For more information on security certifications compliance, see Security
Certifications Compliance, on page 295.
When you add a user in a leaf domain, that user is not visible from the global domain.
Note
Avoid having multiple Admin users simultaneously creating new users on the management center, as this
may cause an error resulting from a conflict in user database access.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click Create User.
Step 3
Enter a User Name.
The username must comply with the following restrictions:
• Maximum 32 alphanumeric characters, plus hyphen (-), underscore (_) and period (.).
• Letters may be upper or lower case.
• Cannot include any punctuation or special characters other than hyphen (-), underscore (_) and period
(.).
Step 4
Real Name: Enter descriptive information to identify the user or department to whom the account belongs.
Step 5
The Use External Authentication Method checkbox is checked for users that were added automatically
when they logged in with LDAP or RADIUS. You do not need to pre-configure external users, so you can
ignore this field. For an external user, you can revert this user to an internal user by unchecking the check
box.
Step 6
Enter values in the Password and Confirm Password fields.
The values must conform to the password options you set for this user.
Step 7
Set the Maximum Number of Failed Logins.
Enter an integer, without spaces, that determines the maximum number of times each user can try to log in
after a failed login attempt before the account is locked. The default setting is 5 tries; use 0 to allow an
unlimited number of failed logins. The admin account is exempt from being locked out after a maximum
number of failed logins unless you enabled security certification compliance.
Step 8
Set the Minimum Password Length.
Enter an integer, without spaces, that determines the minimum required length, in characters, of a user's
password. The default setting is 8. A value of 0 indicates that no minimum length is required.
Step 9
Set the Days Until Password Expiration.
Enter the number of days after which the user’s password expires. The default setting is 0, which indicates
that the password never expires. If you change from the default, then the Password Lifetime column of the
Users list indicates the days remaining on each user’s password.
Step 10
Set the Days Before Password Expiration Warning.
Enter the number of warning days users have to change their password before their password actually expires.
The default setting is 0 days.
Step 11
Set user Options.
• Force Password Reset on Login—Forces users to change their passwords the next time they log in.
• Check Password Strength—Requires strong passwords. When password strength checking is enabled,
passwords must comply with the strong password requirements described in User Passwords, on page
108.
• Exempt from Browser Session Timeout—Exempts a user’s login sessions from termination due to
inactivity. Users with the Administrator role cannot be made exempt.
Step 12
In the User Role Configuration area, assign user role(s). For more information about user roles, see Customize
User Roles for the Web Interface, on page 180.
For external users, if the user role is assigned through group membership (LDAP), or based on a user attribute
(RADIUS), you cannot remove the minimum access rights. You can, however, assign additional rights. If the
user role is the default user role that you set on the device, then you can modify the role in the user account
without limitations. When you modify the user role, the Authentication Method column on the Users tab
provides a status of External - Locally Modified.
The options you see depend on whether the device is in a single domain or multidomain deployment.
• Single domain—Check the user role(s) you want to assign the user.
• Multidomain—In a multidomain deployment, you can create user accounts in any domain in which you
have been assigned Administrator access. Users can have different privileges in each domain. You can
assign user roles in both ancestor and descendant domains. For example, you can assign read-only
privileges to a user in the Global domain, but Administrator privileges in a descendant domain. See the
following steps:
a. Click Add Domain.
b. Choose a domain from the Domain drop-down list.
c. Check the user roles you want to assign the user.
d. Click Save.
Step 13
(Optional, for physical management centers only.) If you have assigned the user the Administrator role, the
Administrator Options appear. You can select Allow Lights-Out Management Access to grant Lights-Out
Management access to the user. See Lights-Out Management Overview, on page 97 for more information
about Lights-Out Management.
Step 14
Click Save.
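The per-user Maximum Number of Failed Logins from Step 7 and the global Password Reuse Limit and Track Successful Logins settings (see Global User Configuration Settings) have edge cases that the field descriptions only hint at: 0 means unlimited, the admin account is exempt from lockout unless security certifications compliance is enabled, and the reuse history is a sliding window. The Python below is an added example, not code from the guide or from Cisco, that simulates those semantics against a constructed sequence of login events; the Policy and Account classes are mine, as is the assumption that the reuse window counts the current password as its first entry.

```python
"""Simulation of the management center account settings discussed in this chapter:
Maximum Number of Failed Logins (0 = unlimited; admin exempt unless certification
compliance is on), Password Reuse Limit, and Track Successful Logins.

Added example, not code from the guide or from Cisco. Event data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Policy:
    max_failed_logins: int = 5        # per-user setting; 0 means unlimited
    password_reuse_limit: int = 0     # global setting; 0 means no history is kept
    track_logins_days: int = 0        # global setting; 0 means logins are not tracked
    certification_compliance: bool = False


@dataclass
class Account:
    name: str
    password: str
    is_admin: bool = False
    failed_attempts: int = 0
    locked: bool = False
    previous_passwords: list = field(default_factory=list)   # most recent first
    successful_logins: list = field(default_factory=list)    # dates of successful logins


def attempt_login(acct, supplied_password, policy, today):
    """Apply one login attempt and return "ok", "failed" or "locked"."""
    if acct.locked:
        return "locked"
    if supplied_password != acct.password:
        acct.failed_attempts += 1
        # The admin account is never locked out unless certification compliance is enabled.
        exempt = acct.is_admin and not policy.certification_compliance
        if policy.max_failed_logins and not exempt \
                and acct.failed_attempts >= policy.max_failed_logins:
            acct.locked = True
            return "locked"
        return "failed"
    acct.failed_attempts = 0          # a good login resets the consecutive-failure count
    acct.successful_logins.append(today)
    if policy.track_logins_days:
        since = today - timedelta(days=policy.track_logins_days)
        count = sum(1 for d in acct.successful_logins if d > since)
        return f"ok ({count} successful logins in the past {policy.track_logins_days} days)"
    return "ok"


def change_password(acct, new_password, policy):
    """Set a new password unless it is among the last N passwords (N = reuse limit).

    Assumption (the author's, not the guide's): the N-entry history counts the
    current password as entry 1, so with N=3 the two previous passwords are also refused.
    """
    if policy.password_reuse_limit:
        recent = [acct.password] + acct.previous_passwords
        if new_password in recent[:policy.password_reuse_limit]:
            return False
    acct.previous_passwords.insert(0, acct.password)
    acct.password = new_password
    return True


if __name__ == "__main__":
    policy = Policy(max_failed_logins=3, password_reuse_limit=3, track_logins_days=30)
    alice = Account("alice", "Correct#Horse1")
    today = date(2024, 6, 30)
    for guess in ["wrong", "wrong", "Correct#Horse1", "wrong", "wrong", "wrong", "Correct#Horse1"]:
        print(guess, "->", attempt_login(alice, guess, policy, today))
    print("reuse of current password allowed?", change_password(alice, "Correct#Horse1", policy))
```

Note what the simulation makes visible: a successful login resets the failure counter, so an attacker who interleaves guesses with a legitimate user's logins is not stopped by this setting alone, and with max_failed_logins=0 an online guessing attack is never locked out. Both are arguments for leaving lockout enabled and for using external authentication with its own throttling.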
Configure External Authentication for the Management Center
To enable external authentication, you need to add one or more external authentication objects.
About External Authentication for the Management Center
When you enable external authentication, the management center verifies the user credentials with an LDAP
or RADIUS server as specified in an external authentication object.
You can configure multiple external authentication objects for web interface access. For example, if you have
5 external authentication objects, users from any of them can be authenticated to access the web interface.
You can use only one external authentication object for CLI access. If you have more than one external
authentication object enabled, then users can authenticate using only the first object in the list.
External authentication objects can be used by the management center and threat defense devices. You can
share the same object between the different appliance/device types, or create separate objects.
Note
The timeout range is different for the threat defense and the management center, so if you share an object, be
sure not to exceed the threat defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for
RADIUS). If you set the timeout to a higher value, the threat defense external authentication configuration
will not work.
For the management center, enable the external authentication objects directly on the System > Users >
External Authentication tab; this setting only affects management center usage, and it does not need to be
enabled on this tab for managed device usage. For threat defense devices, you must enable the external
authentication object in the platform settings that you deploy to the devices.
Web interface users are defined separately from CLI users in the external authentication object. For CLI users
on RADIUS, you must pre-configure the list of RADIUS usernames in the external authentication object. For
LDAP, you can specify a filter to match CLI users on the LDAP server.
You cannot use an LDAP object for CLI access that is also configured for CAC authentication.
Note
Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain
root privileges, which can present a security risk. Make sure that you:
• Restrict the list of users with CLI or Linux shell access.
• Do not create Linux shell users.
About LDAP
The Lightweight Directory Access Protocol (LDAP) allows you to set up a directory on your network that
organizes objects, such as user credentials, in a centralized location. Multiple applications can then access
those credentials and the information used to describe them. If you ever need to change a user's credentials,
you can change them in one place.
Microsoft has announced that Active Directory servers will start enforcing LDAP channel binding and LDAP signing
in 2020. Microsoft is making these a requirement because, with default settings, an elevation of privilege
vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully
forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel
binding and LDAP signing requirement for Windows on the Microsoft support site.
If you have not done so already, we recommend you start using TLS/SSL encryption to authenticate with an
Active Directory server.
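The LDAP authentication object described in Add an LDAP External Authentication Object for Management Center combines a Base Filter (for example (physicalDeliveryOfficeName=NewYork), or the Active Directory filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)) for enabled accounts) with a match on the login name at authentication time. The Python below is an added example, not code from the guide or from Cisco; it shows how such a filter is assembled with RFC 4515 escaping of the login name, so that a crafted name cannot change the meaning of the filter, and what the 1.2.840.113556.1.4.803 bitwise AND matching rule selects. The directory entries are constructed sample data, and the function names are mine.

```python
"""LDAP search-filter handling for an external authentication object.

Added example, not code from the guide or from Cisco. Demonstrates RFC 4515
escaping when a login name is placed into a filter, and the semantics of the
Active Directory bitwise AND matching rule used to exclude disabled accounts.
SAMPLE_ENTRIES is constructed data.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2            # userAccountControl flag set on a disabled account
NORMAL_ACCOUNT = 0x200          # 512, the usual flag for a user object
DONT_EXPIRE_PASSWORD = 0x10000  # common on service accounts


def escape_filter_value(value):
    """Escape a value for inclusion in an LDAP filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(user_attribute, login_name, base_filter=None):
    """AND the configured Base Filter (if any) with an equality match on the login name.

    The login name is escaped, so "*)(objectClass=*" stays a literal string
    instead of widening the search to every object.
    """
    user_clause = f"({user_attribute}={escape_filter_value(login_name)})"
    if base_filter:
        return f"(&{base_filter}{user_clause})"
    return user_clause


def bit_and_rule_matches(entry, attribute, mask):
    """Semantics of attribute:1.2.840.113556.1.4.803:=mask, true when every bit of mask is set."""
    return (int(entry.get(attribute, 0)) & mask) == mask


def active_accounts(entries):
    """Apply (!(userAccountControl:1.2.840.113556.1.4.803:=2)): keep accounts whose
    ACCOUNTDISABLE bit is clear."""
    return [e["sAMAccountName"] for e in entries
            if not bit_and_rule_matches(e, "userAccountControl", ACCOUNTDISABLE)]


# Constructed directory entries with the usual AD flag combinations.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "former.employee", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
]

if __name__ == "__main__":
    print(build_login_filter("sAMAccountName", "jdoe", "(physicalDeliveryOfficeName=NewYork)"))
    print(build_login_filter("uid", "*)(objectClass=*"))
    print(active_accounts(SAMPLE_ENTRIES))
```

The bitwise rule explains why a plain (userAccountControl=2) would match nothing useful: userAccountControl is a flag set, so a disabled normal user carries 514 (512 | 2), and only the AND rule tests the single bit. The escaping is what a directory client must do whenever user input reaches a filter; it is shown here as a reference for the behaviour to expect from an authenticating component, not as a statement about the management center's implementation.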
About RADIUS
Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate,
authorize, and account for user access to network resources. You can create an authentication object for any
RADIUS server that conforms to RFC 2865.
Firepower devices support the use of SecurID tokens. When you configure authentication by a server using
SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN
and use that as their password when they log in. You do not need to configure anything extra on the Firepower
device to support SecurID.
Add an LDAP External Authentication Object for Management Center
Add an LDAP server to support external users for device management.
In a multidomain deployment, external authentication objects are only available in the domain in which they
are created.
Before you begin
• You must specify DNS server(s) for domain name lookup on your device. Even if you specify an IP
address and not a hostname for the LDAP server on this procedure, the LDAP server may return a URI
for authentication that can include a hostname. A DNS lookup is required to resolve the hostname. See
Modify Management Center Management Interfaces, on page 60 to add DNS servers.
• If you are configuring an LDAP authentication object for use with CAC authentication, do not remove
the CAC inserted in your computer. You must have a CAC inserted at all times after enabling user
certificates.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click the External Authentication tab.
Step 3
Click Add External Authentication Object.
Step 4
Set the Authentication Method to LDAP.
Step 5
(Optional) Check the check box for CAC if you plan to use this authentication object for CAC authentication
and authorization.
You must also follow the procedure in Configure Common Access Card Authentication with LDAP, on page
128 to fully configure CAC authentication and authorization. You cannot use this object for CLI users.
Step 6
Enter a Name and optional Description.
Step 7
Choose a Server Type from the drop-down list.
Tip
If you click Set Defaults, the device populates the User Name Template, UI Access Attribute,
CLI Access Attribute, Group Member Attribute, and Group Member URL Attribute fields
with default values for the server type.
Step 8
For the Primary Server, enter a Host Name/IP Address.
If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host
name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.
Step 9
(Optional) Change the Port from the default.
Step 10
(Optional) Enter the Backup Server parameters.
Step 11
Enter LDAP-Specific Parameters.
a) Enter the Base DN for the LDAP directory you want to access. For example, to authenticate names in the
Security organization at the Example company, enter ou=security,dc=example,dc=com. Alternatively
click Fetch DNs, and choose the appropriate base distinguished name from the drop-down list.
b) (Optional) Enter the Base Filter. For example, if the user objects in a directory tree have a
physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of
NewYork for that attribute, to retrieve only users in the New York office, enter
(physicalDeliveryOfficeName=NewYork).
If you are using CAC authentication, to filter only active user accounts (excluding the disabled user
accounts), enter (!(userAccountControl:1.2.840.113556.1.4.803:=2)). This criterion retrieves user
accounts within AD that belong to the ldpgrp group and whose userAccountControl attribute value is not
2 (disabled).
c) Enter a User Name for a user who has sufficient credentials to browse the LDAP server. For example, if
you are connecting to an OpenLDAP server where user objects have a uid attribute, and the object for
the administrator in the Security division at your example company has a uid value of NetworkAdmin,
you might enter uid=NetworkAdmin,ou=security,dc=example,dc=com.
d) Enter the user password in the Password and the Confirm Password fields.
e) (Optional) Click Show Advanced Options to configure the following advanced options.
• Encryption—Click None, TLS, or SSL.
If you change the encryption method after specifying a port, you reset the port to the default value
for that method. For None or TLS, the port resets to the default value of 389. If you choose SSL
encryption, the port resets to 636.
• SSL Certificate Upload Path—For SSL or TLS encryption, you must choose a certificate by clicking
Choose File.
If you previously uploaded a certificate and want to replace it, upload the new certificate and redeploy
the configuration to your devices to copy over the new certificate.
Note
TLS encryption requires a certificate on all platforms. We recommend that you always
upload a certificate for SSL to prevent man-in-the-middle attacks.
• User Name Template—Provide a template that corresponds with your UI Access Attribute. For
example, to authenticate all users who work in the Security organization of the Example company
by connecting to an OpenLDAP server where the UI access attribute is uid, you might enter
uid=%s,ou=security,dc=example,dc=com in the User Name Template field. For a Microsoft Active
Directory server, you could enter %s@example.com.
This field is required for CAC authentication.
• Shell User Name Template—Provide a template that corresponds with your CLI Access Attribute
to authenticate CLI users. For example, to authenticate all users who work in the Security organization
by connecting to an OpenLDAP server where the CLI access attribute is sAMAccountName, you might
enter %s in the Shell User Name Template field.
• Timeout—Enter the number of seconds before rolling over to the backup connection, between 1 and
1024. The default is 30.
Note
The timeout range is different for threat defense and the management center, so if you
share an object, be sure not to exceed the threat defense's smaller timeout range (1-30
seconds). If you set the timeout to a higher value, the threat defense LDAP configuration
will not work.
Step 12
(Optional) Configure Attribute Mapping to retrieve users based on an attribute.
• Enter a UI Access Attribute, or click Fetch Attrs to retrieve a list of available attributes. For example,
on a Microsoft Active Directory Server, you may want to use the UI access attribute to retrieve users,
because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search
the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.
This field is required for CAC authentication.
• Set the CLI Access Attribute if you want to use a shell access attribute other than the user distinguished
type. For example, on a Microsoft Active Directory Server, use the sAMAccountName CLI access attribute
to retrieve CLI access users by typing sAMAccountName.
Step 13
(Optional) Configure Group Controlled Access Roles.
If you do not configure a user’s privileges using group-controlled access roles, a user has only the privileges
granted by default in the external authentication policy.
a) (Optional) In the fields that correspond to user roles, enter the distinguished name for the LDAP groups
that contain users who should be assigned to those roles.
Any group you reference must exist on the LDAP server. You can reference static LDAP groups or
dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object
attributes that point to specific users, and dynamic LDAP groups are groups where membership is
determined by creating an LDAP search that retrieves group users based on user object attributes. Group
access rights for a role only affect users who are members of the group.
If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For
this reason, the Firepower device limits the number of recursions of a search to 4 to prevent search syntax
errors from causing infinite loops.
Example:
Enter the following in the Administrator field to authenticate names in the information technology
organization at the Example company:
cn=itgroup,ou=groups, dc=example,dc=com
b) Choose a Default User Role for users that do not belong to any of the specified groups.
c) If you use static groups, enter a Group Member Attribute.
Example:
If the member attribute is used to indicate membership in the static group for default Security Analyst
access, enter member.
d) If you use dynamic groups, enter a Group Member URL Attribute.
Example:
If the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you
specified for default Admin access, enter memberURL.
If you change a user's role, you must save/deploy the changed external authentication object and also remove
the user from the Users screen. The user will be re-added automatically the next time they log in.
Step 14
(Optional) Set the CLI Access Filter to allow CLI users.
To prevent LDAP authentication of CLI access, leave this field blank. To specify CLI users, choose one of
the following methods:
• To use the same filter you specified when configuring authentication settings, choose Same as Base
Filter.
• To retrieve administrative user entries based on attribute value, enter the attribute name, a comparison
operator, and the attribute value you want to use as a filter, enclosed in parentheses. For example, if all
network administrators have a manager attribute which has an attribute value of shell, you can set a
base filter of (manager=shell).
The usernames must be Linux-valid:
• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
Note
Users with CLI access can gain Linux shell access with the expert command. Linux shell users can
obtain root privileges, which can present a security risk. Make sure that you restrict the list of users
with CLI or Linux shell access.
Note
Do not create any internal users that have the same user name as users included in the CLI Access
Filter. The only internal management center user should be admin; do not include an admin user
in the CLI Access Filter.
Step 15
(Optional) Click Test to test connectivity to the LDAP server.
The test output lists valid and invalid user names. Valid user names are unique, and can include underscores
(_), periods (.), hyphens (-), and alphanumeric characters. Note that testing the connection to servers with
more than 1000 users only returns 1000 users because of UI page size limitations. If the test fails, see
Troubleshooting LDAP Authentication Connections, on page 185.
Step 16
(Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be
able to authenticate: enter a User Name uid and Password, and then click Test.
If you are connecting to a Microsoft Active Directory Server and supplied a UI access attribute in place of
uid, use the value for that attribute as the user name. You can also specify a fully qualified distinguished name
for the user.
Tip
If you mistype the name or password of the test user, the test fails even if the server configuration
is correct. To verify that the server configuration is correct, click Test without entering user
information in the Additional Test Parameters field first. If that succeeds, supply a user name and
password to test with the specific user.
Example:
To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct
password.
Step 17
Click Save.
Step 18
Enable use of this server. See Enable External Authentication for Users on the Management Center, on page
127.
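The procedure above leaves two things to the administrator that are easy to get wrong offline: how the User Name Template, Base Filter and UI Access Attribute from Step 11 turn into a bind DN and a search filter (and why the login name must be escaped before substitution), and which names pass the CLI user-name rules in Step 14. The following added example (not Cisco's code; function names, the ACCOUNTDISABLE interpretation of the userAccountControl filter, and all sample inputs are assumptions for this illustration) works those checks through in Python:

```python
"""Offline checks for an LDAP external authentication object.

Added illustration, not Cisco's code: it expands the User Name Template and
Base Filter / UI Access Attribute from Step 11, applies the ACCOUNTDISABLE
test behind the userAccountControl filter, and validates CLI user names
against the rules in Step 14. Function names and sample inputs are
constructed for this example.
"""
import re

# RFC 4515: characters that must be escaped inside a search-filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')
# Bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) matching rule in
# (!(userAccountControl:1.2.840.113556.1.4.803:=2)): 2 is ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x2
# Step 14 rules: 1-32 chars of lowercase letters, digits, '_' and '-', no
# leading '-', and (checked separately) not all digits. '.', '@' and '/' fail.
_LINUX_USER_RE = re.compile(r"[a-z0-9_][a-z0-9_-]{0,31}")


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value before placing it in a distinguished name."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand_user_name_template(template: str, login: str) -> str:
    """Expand a template such as uid=%s,ou=security,dc=example,dc=com.

    The login is DN-escaped first, so a name containing ',' or '=' cannot
    rewrite the rest of the bind DN.
    """
    return template.replace("%s", escape_dn_value(login))


def build_user_filter(ui_access_attr: str, login: str, base_filter: str = "") -> str:
    """Search filter selecting the object for a login name.

    An optional Base Filter such as (cn=*smith) is ANDed in front of the
    attribute match; the login itself is filter-escaped.
    """
    user_term = f"({ui_access_attr}={escape_filter_value(login)})"
    return f"(&{base_filter}{user_term})" if base_filter else user_term


def is_enabled_account(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is clear, i.e. the entry survives
    the (!(userAccountControl:1.2.840.113556.1.4.803:=2)) filter."""
    return (user_account_control & ACCOUNTDISABLE) == 0


def is_linux_valid_username(name: str) -> bool:
    """Apply the CLI Access Filter user-name rules from Step 14."""
    return bool(_LINUX_USER_RE.fullmatch(name)) and not name.isdigit()


if __name__ == "__main__":
    # Constructed sample: an AD-style template, a filtered search, and CLI candidates.
    print(expand_user_name_template("%s@example.com", "jsmith"))
    print(build_user_filter("sAMAccountName", "jsmith", "(cn=*smith)"))
    print(is_enabled_account(514), is_enabled_account(512))
    for candidate in ("jsmith", "JSmith", "-ops", "1234", "j.smith"):
        print(candidate, is_linux_valid_username(candidate))
```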
Examples
Basic Example
The following figures illustrate a basic configuration of an LDAP login authentication object for a
Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4.
The connection uses port 389 for access.
This example shows a connection using a base distinguished name of
OU=security,DC=it,DC=example,DC=com for the security organization in the information technology
domain of the Example company.
However, because this server is a Microsoft Active Directory server, it uses the sAMAccountName
attribute to store user names rather than the uid attribute. Choosing the MS Active Directory server
type and clicking Set Defaults sets the UI Access Attribute to sAMAccountName. As a result, the
system checks the sAMAccountName attribute for each object for matching user names when a user
attempts to log into the system.
In addition, a CLI Access Attribute of sAMAccountName causes each sAMAccountName attribute to be
checked for all objects in the directory for matches when a user logs into a CLI account on the
appliance.
Note that because no base filter is applied to this server, the system checks attributes for all objects
in the directory indicated by the base distinguished name. Connections to the server time out after
the default time period (or the timeout period set on the LDAP server).
Advanced Example
This example illustrates an advanced configuration of an LDAP login authentication object for a
Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4.
The connection uses port 636 for access.
This example shows a connection using a base distinguished name of
OU=security,DC=it,DC=example,DC=com for the security organization in the information technology
domain of the Example company. However, note that this server has a base filter of (cn=*smith).
The filter restricts the users retrieved from the server to those with a common name ending in smith.
The connection to the server is encrypted using SSL and a certificate named certificate.pem is
used for the connection. In addition, connections to the server time out after 60 seconds because of
the Timeout setting.
Because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to
store user names rather than the uid attribute. Note that the configuration includes a UI Access
Attribute of sAMAccountName. As a result, the system checks the sAMAccountName attribute for each
object for matching user names when a user attempts to log into the system.
In addition, a CLI Access Attribute of sAMAccountName causes each sAMAccountName attribute to
be checked for all objects in the directory for matches when a user logs into a CLI account on the
appliance.
This example also has group settings in place. The Maintenance User role is automatically assigned
to all members of the group with a member group attribute and the base domain name of
CN=SFmaintenance,DC=it,DC=example,DC=com.
The CLI Access Filter is set to be the same as the base filter, so the same users can access the
appliance through the CLI as through the web interface.
Add a RADIUS External Authentication Object for Management Center
Add a RADIUS server to support external users for device management.
In a multidomain deployment, external authentication objects are only available in the domain in which they
are created.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click External Authentication.
Step 3
Click Add External Authentication Object.
Step 4
Set the Authentication Method to RADIUS.
Step 5
Enter a Name and optional Description.
Step 6
For the Primary Server, enter a Host Name/IP Address.
Step 7
(Optional) Change the Port from the default.
Step 8
Enter the RADIUS Secret Key.
Step 9
(Optional) Enter the Backup Server parameters.
Step 10
(Optional) Enter RADIUS-Specific Parameters.
a) Enter the Timeout in seconds before retrying the primary server, between 1 and 1024. The default is 30.
Note
The timeout range is different for the threat defense and the management center, so if you share
an object, be sure not to exceed the threat defense's smaller timeout range (1-300 seconds). If
you set the timeout to a higher value, the threat defense RADIUS configuration will not work.
b) Enter the Retries before rolling over to the backup server. The default is 3.
c) In the fields that correspond to user roles, enter the name of each user or identifying attribute-value pair
that should be assigned to those roles.
Separate usernames and attribute-value pairs with commas.
Example:
If you know all users who should be Security Analysts have the value Analyst for their User-Category
attribute, you can enter User-Category=Analyst in the Security Analyst field to grant that role to those
users.
Example:
To grant the Administrator role to the users jsmith and jdoe, enter jsmith, jdoe in the Administrator
field.
Example:
To grant the Maintenance User role to all users with a User-Category value of Maintenance, enter
User-Category=Maintenance in the Maintenance User field.
d) Select the Default User Role for users that do not belong to any of the specified groups.
If you change a user's role, you must save/deploy the changed external authentication object and also remove
the user from the Users screen. The user will be re-added automatically the next time they log in.
Step 11
(Optional) Define Custom RADIUS Attributes.
If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/,
and you plan to use those attributes to set roles for users with those attributes, you need to define those
attributes. You can locate the attributes returned for a user by looking at the user’s profile on your RADIUS
server.
a) Enter an Attribute Name.
When you define an attribute, you provide the name of the attribute, which consists of alphanumeric
characters. Note that words in an attribute name should be separated by dashes rather than spaces.
b) Enter the Attribute ID as an integer.
The attribute ID should be an integer and should not conflict with any existing attribute IDs in the
/etc/radiusclient/dictionary file.
c) Choose the Attribute Type from the drop-down list.
You also specify the type of attribute: string, IP address, integer, or date.
d) Click Add to add the custom attribute.
When you create a RADIUS authentication object, a new dictionary file for that object is created on the device
in the /var/sf/userauth directory. Any custom attributes you add are added to the dictionary file.
Example:
If a RADIUS server is used on a network with a Cisco router, you might want to use the
Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address
pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed
to log in, with the integer indicating the number of the assigned IP address pool.
To declare that custom attribute, you create a custom attribute with an attribute name of
Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute type of integer.
You could then enter Ascend-Assign-IP-Pool=2 in the Security Analyst (Read Only) field to grant read-only
security analyst rights to all users with an Ascend-IP-Pool-Definition attribute value of 2.
Step 12
(Optional) In the CLI Access Filter area Administrator CLI Access User List field, enter the user names
that should have CLI access, separated by commas.
Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid
usernames:
• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
To prevent RADIUS authentication of CLI access, leave the field blank.
Note
Users with CLI access can gain Linux shell access with the expert command. Linux shell users can
obtain root privileges, which can present a security risk. Make sure that you restrict the list of users
with CLI or Linux shell access.
Note
Remove any internal users that have the same user name as users included in the shell access filter.
For the management center, the only internal CLI user is admin, so do not also create an admin
external user.
Step 13
(Optional) Click Test to test management center connectivity to the RADIUS server.
Step 14
(Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be
able to authenticate: enter a User Name and Password, and then click Test.
Tip
If you mistype the name or password of the test user, the test fails even if the server configuration
is correct. To verify that the server configuration is correct, click Test without entering user
information in the Additional Test Parameters field first. If that succeeds, supply a user name and
password to test with the specific user.
Example:
To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct
password.
Step 15
Click Save.
Step 16
Enable use of this server. See Enable External Authentication for Users on the Management Center, on page
127.
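Step 10c and the examples that follow describe role fields that mix bare user names with attribute=value pairs, including custom attributes defined in Step 11. The following added example (not Cisco's code; the parsing, the assumption that a user matching several fields receives every matched role, and all sample users and reply attributes are constructed for this illustration) resolves roles for a RADIUS reply the way those fields describe:

```python
"""Role resolution for a RADIUS external authentication object.

Added illustration, not Cisco's code: it parses the comma-separated role
fields from Step 10c (user names and attribute=value pairs, including a
custom attribute defined in Step 11) and picks the roles for a constructed
RADIUS reply. Function names and sample data are constructed for this example.
"""
from typing import Dict, List, Optional, Set, Tuple

RoleEntry = Tuple[str, Optional[str]]  # (user name, None) or (attribute, value)


def parse_role_field(field: str) -> List[RoleEntry]:
    """Split e.g. 'jsmith, jdoe, User-Category=Analyst' into entries."""
    entries: List[RoleEntry] = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            continue
        if "=" in item:
            attr, value = item.split("=", 1)
            entries.append((attr.strip(), value.strip()))
        else:
            entries.append((item, None))
    return entries


def _attr_values(reply: Dict[str, object], attr: str) -> List[str]:
    """Normalise a reply attribute to a list of strings (RADIUS attributes may repeat)."""
    raw = reply.get(attr)
    if raw is None:
        return []
    if isinstance(raw, (list, tuple)):
        return [str(v) for v in raw]
    return [str(raw)]


def roles_for_user(username: str, reply: Dict[str, object],
                   role_fields: Dict[str, str], default_roles: Set[str]) -> Set[str]:
    """Roles whose field names the user or matches an attribute-value pair in
    the reply. Assumed here: every matched role is granted; the Default User
    Role applies only when nothing matches."""
    matched: Set[str] = set()
    for role, field in role_fields.items():
        for attr, value in parse_role_field(field):
            if value is None:
                if attr == username:
                    matched.add(role)
            elif value in _attr_values(reply, attr):
                matched.add(role)
    return matched if matched else set(default_roles)


# Constructed role fields mirroring the examples in this section.
ROLE_FIELDS = {
    "Administrator": "ewharton, gsand",
    "Maintenance User": "cbronte, User-Category=Maintenance",
    "Security Analyst": "jausten, User-Category=Analyst",
    # MS-RAS-Version (string) and Ascend-Assign-IP-Pool (integer) are custom
    # attributes that would be defined under Step 11 in this example.
    "Security Analyst (Read Only)": "MS-RAS-Version=MSRASV5.00, Ascend-Assign-IP-Pool=2",
}
DEFAULT_ROLES = {"Security Analyst (Read Only)"}

if __name__ == "__main__":
    # Constructed replies: a named administrator, an attribute match, and no match.
    for user, reply in (("ewharton", {}),
                        ("mshelley", {"User-Category": "Analyst"}),
                        ("nobody", {"User-Category": "Guest"})):
        print(user, sorted(roles_for_user(user, reply, ROLE_FIELDS, DEFAULT_ROLES)))
```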
Examples
Simple User Role Assignments
The following figure illustrates a sample RADIUS login authentication object for a server running
Cisco Identity Services Engine (ISE) with an IP address of 10.10.10.98 on port 1812. No backup
server is defined.
The following example shows RADIUS-specific parameters, including the timeout (30 seconds) and
number of failed retries before the Firepower System attempts to contact the backup server, if any.
This example illustrates important aspects of RADIUS user role configuration:
Users ewharton and gsand are granted web interface Administrative access.
The user cbronte is granted web interface Maintenance User access.
The user jausten is granted web interface Security Analyst access.
The user ewharton can log into the device using a CLI account.
The following graphic depicts the role configuration for the example:
Roles for Users Matching an Attribute-Value Pair
You can use an attribute-value pair to identify users who should receive a particular user role. If the
attribute you use is a custom attribute, you must define the custom attribute.
The following figure illustrates the role configuration and custom attribute definition in a sample
RADIUS login authentication object for the same ISE server as in the previous example.
In this example, however, the MS-RAS-Version custom attribute is returned for one or more of the
users because a Microsoft remote access server is in use. Note the MS-RAS-Version custom attribute
is a string. In this example, all users logging in to RADIUS through a Microsoft v. 5.00 remote access
server should receive the Security Analyst (Read Only) role, so you enter the attribute-value pair of
MS-RAS-Version=MSRASV5.00 in the Security Analyst (Read Only) field.
Enable External Authentication for Users on the Management Center
When you enable external authentication for management users, the management center verifies the user
credentials with an LDAP or RADIUS server as specified in an External Authentication object.
Before you begin
Add one or more external authentication objects according to Add an LDAP External Authentication Object
for Management Center, on page 115 and Add a RADIUS External Authentication Object for Management
Center, on page 122.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click External Authentication.
Step 3
Set the default user role for external web interface users.
Users without a role cannot perform any actions. Any user roles defined in the external authentication object
override this default user role.
a) Click the Default User Roles value (by default, none selected).
b) In the Default User Role Configuration dialog box, check the role(s) that you want to use.
c) Click Save.
Step 4
Click the Slider enabled next to each external authentication object that you want to use. If you
enable more than 1 object, then users are compared against servers in the order specified. See the next step
to reorder servers.
If you enable shell authentication, you must enable an external authentication object that includes a CLI
Access Filter. Also, CLI access users can only authenticate against the server whose authentication object is
highest in the list.
Step 5
(Optional) Drag and drop servers to change the order in which they are accessed when an
authentication request occurs.
Step 6
Choose Shell Authentication > Enabled if you want to allow CLI access for external users.
The first external authentication object name is shown next to the Enabled option to remind you that only
the first object is used for CLI.
Step 7
Click Save and Apply.
Configure Common Access Card Authentication with LDAP
If your organization uses Common Access Cards (CACs), you can configure LDAP authentication to
authenticate management center users logging into the web interface. With CAC authentication, users have
the option to log in directly without providing a separate username and password for the device.
CAC-authenticated users are identified by their electronic data interchange personal identifier (EDIPI) numbers.
After 24 hours of inactivity, the device deletes CAC-authenticated users from the Users tab. The users are
re-added after each subsequent login, but you must reconfigure any manual changes to their user roles.
Before you begin
You must have a valid user certificate present in your browser (in this case, a certificate passed to your browser
via your CAC) to enable user certificates as part of the CAC configuration process. After you configure CAC
authentication and authorization, users on your network must maintain the CAC connection for the duration
of their browsing session. If you remove or replace a CAC during a session, your web browser terminates the
session and the system logs you out of the web interface.
Procedure
Step 1
Insert a CAC as directed by your organization.
Step 2
Direct your browser to https://ipaddress_or_hostname/, where ipaddress_or_hostname is the IP address or
host name of your device.
Step 3
If prompted, enter the PIN associated with the CAC you inserted in step 1.
Step 4
If prompted, choose the appropriate certificate from the drop-down list.
Step 5
On the Login page, in the Username and Password fields, log in as a user with Administrator privileges.
You cannot yet log in using your CAC credentials.
Step 6
Choose System > Users > External Authentication.
Step 7
Create an LDAP authentication object exclusively for CAC, following the procedure in Add an LDAP External
Authentication Object for Management Center, on page 115. You must configure the following:
• CAC check box.
• LDAP-Specific Parameters > Show Advanced Options > User Name Template.
• Attribute Mapping > UI Access Attribute.
Step 8
Click Save.
Step 9
Enable external authentication and CAC authentication as described in Enable External Authentication for
Users on the Management Center, on page 127.
Step 10
Choose System > Configuration, and click HTTPS Certificate.
Step 11
Import an HTTPS server certificate, if necessary, following the procedure outlined in Importing HTTPS Server
Certificates, on page 48.
The same certificate authority (CA) must issue the HTTPS server certificate and the user certificates on the
CACs you plan to use.
Step 12
Under HTTPS User Certificate Settings, choose Enable User Certificates. For more information, see
Requiring Valid HTTPS Client Certificates, on page 49.
Step 13
Log into the device according to Logging Into the Secure Firewall Management Center with CAC Credentials,
on page 33.
Configure SAML Single Sign-On
You can configure your management center to use Single Sign-On, a system by which a central identity
provider (IdP) provides authentication and authorization for users logging into the management center as well
as other applications within an organization. The applications configured to take part in such an SSO
arrangement are said to be federated service provider applications. SSO users can log in once to gain access
to all service provider applications that are members of the same federation.
About SAML Single Sign-On
A management center configured for SSO presents a link for single sign-on on the Login page. Users
configured for SSO access click on this link and are redirected to the IdP for authentication and authorization,
rather than supplying a username and password on the management center Login page. Once successfully
authenticated by the IdP, SSO users are redirected back to the management center web interface and logged
in. All the communication between the management center and the IdP to accomplish this takes place using
the browser as an intermediary; as a result, the management center does not require a network connection to
directly access the identity provider.
The management center supports SSO using any SSO provider conforming to the Security Assertion Markup
Language (SAML) 2.0 open standard for authentication and authorization. The management center web
interface offers configuration options for the following SSO providers:
• Okta
• OneLogin
• Azure
• PingID's PingOne for Customers cloud solution
Note
The Cisco Secure Sign On SSO product does not recognize the management center as a pre-integrated service
provider.
SSO Guidelines for the Management Center
Keep the following in mind when you configure a management center to be a member of an SSO federation:
• The management center can support SSO with only one SSO provider at a time—you cannot configure
the management center to use, for instance, both Okta and OneLogin for SSO.
• Management centers in a high availability configuration can support SSO, but you must keep the following
considerations in mind:
• SSO configuration is not synchronized between the members of the high availability pair; you must
configure SSO separately on each member of the pair.
• Both management centers in a high availability pair must use the same IdP for SSO. You must
configure a service provider application at the IdP for each management center configured for SSO.
• In a high availability pair of management centers where both are configured to support SSO, before
a user can use SSO to access the secondary management center for the first time, that user must first
use SSO to log into the primary management center at least once.
• When configuring SSO for management centers in a high availability pair:
• If you configure SSO on the primary management center, you are not required to configure
SSO on the secondary management center.
• If you configure SSO on the secondary management center, you are required to configure SSO
on the primary management center as well. (This is because SSO users must log into the
primary management center at least once before logging into the secondary management center.)
• In a management center that uses multi-tenancy, the SSO configuration can be applied only at the global
domain level, and applies to the global domain and all subdomains.
• Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.
• The management center does not support SSO initiated from the IdP.
• The management center does not support logging in with CAC credentials for SSO accounts.
• Do not configure SSO in deployments using CC mode.
• SSO activities are logged in the management center audit log with Login or Logout specified in the
Subsystem field.
Related Topics
High Availability, on page 275
Domains, on page 195
Logging Into the Secure Firewall Management Center with CAC Credentials, on page 33
Security Certifications Compliance, on page 295
Audit Records, on page 375
SSO User Accounts
Identity providers can support user and group configuration directly, or they often can import users and groups
from other user management applications such as Active Directory, RADIUS, or LDAP. This documentation
focuses on configuring the management center to work with the IdP to support SSO assuming that IdP users
and groups are already established; to configure an IdP to support users and groups from other user management
applications, consult the IdP vendor documentation.
Most account characteristics for SSO users, including the user name and password, are established at the IdP.
SSO accounts do not appear on the management center web interface Users page until those accounts log in
the first time.
Note
The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the
management center during the SAML login process, must both be valid email addresses. Many IdPs
automatically use the username of the user trying to log on as the NameID attribute, but you should confirm
this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP
and creating IdP user accounts that are to be granted SSO access to the management center.
The following account characteristics for SSO users can be configured from the management center web
interface under System > User > Edit User:
• Real Name
• Exempt from Browser Session Timeout
User Role Mapping for SSO Users
By default, all users given SSO access to a management center are assigned the Security Analyst (Read
Only) role. You can change this default, as well as override it for specific SSO users or groups with user role
mapping. After you have established and successfully tested the management center SSO configuration, you
can configure user role mapping to establish what management center user roles SSO users are assigned when
they log in.
User role mapping requires coordinating configuration settings at the management center with settings at the
SSO IdP application. User roles can be assigned to users or to groups defined at the IdP application. Users
may or may not be members of groups, and user or group definitions may or may not be imported to the IdP
from other user management systems within your organization, such as Active Directory. For this reason, to
effectively configure management center SSO user role mapping you must be familiar with how your SSO
federation is organized and how users, groups and their roles are assigned at the SSO IdP application. This
documentation focuses on configuring the management center to work with the IdP to support user role
mapping; to create users or groups within the IdP, or import users or groups into the IdP from a user
management application, consult the IdP vendor documentation.
In user role mapping, the IdP maintains a role attribute for the management center service provider application,
and each user or group with access to that management center is configured with a string or expression for
the role attribute (requirements for the attribute value are different for each IdP). At the management center
the name of that role attribute is part of the SSO configuration. The management center SSO configuration
also contains a list of expressions assigned to a list of management center user roles. When a user logs into
the management center using SSO, the management center compares the value of the role attribute for that
user (or that user's group, depending upon configuration) against the expressions for each management center
user role. The management center assigns the user all the roles where the expression matches the attribute
value the user has provided.
Note
You can configure management center roles to be mapped based on individual user permissions or based on
group permissions, but a single management center application cannot support role mapping for both groups
and individual users.
Enable Single Sign-On at the Management Center
Before you begin
• At the SAML SSO management application, configure a service provider application for the management
center and assign users or groups to the service provider application:
• To configure a management center service provider application for Okta, see Configure the
Management Center Service Provider Application for Okta, on page 134.
• To configure a management center service provider application for OneLogin, see Configure the
Management Center Service Provider Application for OneLogin, on page 146.
• To configure a management center service provider application for Azure, see Configure the
Management Center Service Provider Application for Azure, on page 158.
• To configure a management center service provider application for PingID's PingOne for Customers
cloud solution, see Configure the Management Center Service Provider Application for PingID
PingOne for Customers, on page 171.
• To configure a management center service provider application for any SAML 2.0-compliant SSO
provider, see Configure Management Center Service Provider Application for Any SAML
2.0-Compliant SSO Provider, on page 175.
Procedure
Step 1
Choose System > Users > Single Sign-On.
Step 2
Click the Single Sign-On (SSO) Configuration slider to enable SSO.
Step 3
Click the Configure SSO button.
Step 4
At the Select FMC SAML Provider dialog, click the radio button for the SSO IdP of your choice and click
Next.
What to do next
Proceed with the instructions appropriate to your choice of SSO provider:
• Configure the management center for Okta SSO; see Configure the Management Center for Okta SSO,
on page 136.
• Configure the management center for SSO using PingID's PingOne for Customers cloud solution; see
Configure the Management Center for SSO with PingID PingOne for Customers, on page 173.
• Configure the management center for Azure SSO; see Configure the Management Center for Azure SSO,
on page 160.
• Configure the management center for OneLogin SSO; see Configure the Management Center for OneLogin
SSO, on page 148.
• Configure the management center for SSO using any SAML 2.0-compliant provider; see Configure the
Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.
Configure Single Sign-On with Okta
See the following tasks to configure SSO using Okta:
• Review the Okta Org, on page 133 (Okta UI Admin Console)
• Configure the Management Center Service Provider Application for Okta, on page 134 (Okta UI Admin Console)
• Enable Single Sign-On at the Management Center, on page 132 (management center)
• Configure the Management Center for Okta SSO, on page 136 (management center)
• Configure User Role Mapping for Okta at the Management Center, on page 137 (management center)
• Configure User Role Mapping at the Okta IdP, on page 138 (Okta UI Admin Console)
Review the Okta Org
In Okta, the entity that encompasses all the federated devices and applications that a user can access with the
same SSO account is called an org. Before adding the management center to an Okta org, be familiar with its
configuration; consider the following questions:
• How many users will have access to the management center?
• Are users within the Okta org members of groups?
• Are user and group definitions native to Okta or imported from a user management application such as
Active Directory, RADIUS, or LDAP?
• Do you need to add more users or groups to the Okta org to support SSO on the management center?
• What kind of user role assignments do you want to make? (If you choose not to assign user roles, the
management center automatically assigns a configurable default user role to all SSO users.)
• How must users and groups within the Okta org be organized to support the required user role mapping?
Keep in mind that you can configure management center roles to be mapped based on individual user
permissions or based on group permissions, but a single management center application cannot support role
mapping for both groups and individual users.
This documentation assumes you are already familiar with the Okta Classic UI Admin Console, and have an
account that can perform configuration functions requiring Super Admin permissions. If you need more
information, see Okta's documentation available online.
Configure the Management Center Service Provider Application for Okta
Use these instructions at the Okta Classic UI Admin Console to create a management center service provider
application within Okta and assign users or groups to that application. You should be familiar with SAML
SSO concepts and the Okta admin console. This documentation does not describe all the Okta functions you
need to establish a fully functional SSO org; for instance, to create users and groups, or to import user and
group definitions from another user management application, see the Okta documentation.
Note
If you plan to assign user groups to the management center application, do not also assign users within those
groups as individuals.
Note
The management center cannot support role mapping using multiple SSO attributes; you must select either
user role mapping or group role mapping and configure a single attribute to convey user role information from
Okta to the management center.
Before you begin
• Familiarize yourself with the SSO federation and its user and groups; see Review the Okta Org, on page
133.
• Create user accounts and/or groups in your Okta org if necessary.
Note
The system requires that user names for SSO accounts, as well as the NameID
attribute the IdP sends to the management center during the SAML login process,
must both be valid email addresses. Many IdPs automatically use the username
of the user trying to log on as the NameID attribute, but you should confirm this
is the case for your IdP. Keep this in mind when configuring a service provider
application at your IdP and creating IdP user accounts that are to be granted SSO
access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname).
Note
If your management center web interface can be reached with multiple URLs
(for instance, a fully-qualified domain name as well as an IP address), SSO users
must consistently access the management center using the login URL that you
configure in this task.
Procedure
Step 1
From the Okta Classic UI Admin Console, create a service provider application for the management center.
Configure the management center application with the following selections:
• Select Web for the Platform.
• Select SAML 2.0 for the Sign on method.
• Provide a Single sign on URL.
This is the management center URL to which the browser sends information on behalf of the IdP.
Append the string saml/acs to the management center login URL. For example:
https://ExampleFMC/saml/acs.
• Enable Use this for Recipient URL and Destination URL.
• Enter an Audience URI (SP Entity ID).
This is a globally unique name for the service provider (the management center), often formatted as a
URL.
Append the string /saml/metadata to the management center login URL. For example:
https://ExampleFMC/saml/metadata.
• For Name ID Format choose Unspecified.
Step 2
(Optional if you are assigning groups to the application.) Assign individual Okta users to the management
center application. (If you plan to assign groups to the management center application, do not assign users
that are members of those groups as individuals.)
Step 3
(Optional if you are assigning individual users to the application.) Assign Okta groups to the management
center application.
Step 4
(Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata
file for the management center service provider application from Okta to your local computer.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for Okta SSO
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the Okta Classic UI Admin Console; see
Configure the Management Center Service Provider Application for Okta, on page 134.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1
(This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the
Configure Okta Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the following values from the Okta SSO Service Provider application. (Retrieve these values
from the Okta Classic UI Admin Console.)
• Identity Provider Single Sign-On URL
• Identity Provider Issuer
• X.509 Certificate
• If you saved the XML metadata file generated by Okta to your local computer (Step 4 in Configure the
Management Center Service Provider Application for Okta, on page 134), you can upload the file to the
management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local
computer.
Step 2
Click Next.
Step 3
At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4
Click Test Configuration. If the system displays an error message, review the SSO configuration for the
management center as well as the Okta service provider application configuration, correct any errors, and try
again.
Step 5
When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure user role mapping for SSO users; see Configure User Role Mapping for Okta
at the Management Center, on page 137. If you choose not to configure role mapping, by default all SSO users
that log into the management center are assigned the user role you configure in Step 4 of Configure User Role
Mapping for Okta at the Management Center, on page 137.
Configure User Role Mapping for Okta at the Management Center
The fields to configure for user role mapping at the management center web interface are the same regardless
of your choice of SSO provider. But the values you configure must take into account how the SAML SSO
provider you use implements user role mapping.
Before you begin
• Review the Okta user group mapping information; see Review the Okta Org, on page 133.
• Configure an SSO service provider application for the management center; see Configure the Management
Center Service Provider Application for Okta, on page 134.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the
Management Center, on page 132, and Configure the Management Center for Okta SSO, on page 136.
Procedure
Step 1
Choose System > Users.
Step 2
Click the Single Sign-On tab.
Step 3
Expand Advanced Configuration (Role Mapping).
Step 4
Select the management center user role to assign to users as a default value from the Default User Role drop-down.
Step 5
Enter a Group Member Attribute. This string must match an attribute name configured at the Okta
management center provider application for user role mapping for either users or groups. (See Step 1 of
Configure a User Attribute for Role Mapping at the Okta IdP, on page 138 or Step 1 of Configure a Group
Attribute for Role Mapping at the Okta IdP, on page 139 .)
Step 6
Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The
management center uses a restricted version of Google's RE2 regular expression standard supported by Golang
and Perl.) The management center compares these values against the user role mapping attribute value the
IdP sends to the management center with SSO user information. The management center grants users a union
of all the roles for which a match is found.
What to do next
• Configure user role mapping at the service provider application; see Configure User Role Mapping at
the Okta IdP, on page 138.
Configure User Role Mapping at the Okta IdP
You can configure SSO user role mapping at the Okta Classic UI Admin Console based on individual user
permissions or based on group permissions.
• To map based on individual user permissions, see Configure a User Attribute for Role Mapping at the
Okta IdP, on page 138.
• To map based on group permissions, see Configure a Group Attribute for Role Mapping at the Okta IdP,
on page 139.
When an SSO user logs in to the management center, Okta presents to the management center a user or group
role attribute value configured at the Okta IdP. The management center compares that attribute value against
the regular expressions assigned to each management center user role in the SSO configuration, and grants
the user all the roles for which a match is found. (If no match is found, the management center grants the user
a configurable default user role.) The expression you assign to each management center user role must comply
with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The
management center treats the attribute value received from Okta as a regular expression using that same
standard for purposes of comparison with the management center user role expressions.
Note
A single management center cannot support role mapping for both groups and individual users; you must
choose one mapping method for the management center service provider application and use it consistently.
Furthermore, the management center can support group role mapping using only one group attribute statement
per management center service provider application configured in Okta. Generally, group-based role mapping
is more efficient for a management center with many users. You should take into account user and group
definitions established throughout your Okta org.
Configure a User Attribute for Role Mapping at the Okta IdP
Use these instructions at the Okta Classic UI Admin Console to add a custom role mapping attribute to the
Okta default user profile.
Okta service provider applications may use one of two types of user profiles:
• Okta user profiles, which can be extended with any custom attribute.
• App user profiles, which can be extended only with attributes from a predefined list that Okta generates
by querying a third-party application or directory (such as Active Directory, LDAP, or RADIUS) for
supported attributes.
You may use either type of user profile in your Okta org; consult Okta documentation for information on how
to configure them. Whichever type of user profile you use, to support user role mapping with the management
center you must configure a custom attribute in the profile to convey each user's role mapping expression to
the management center.
This documentation describes role mapping using Okta user profiles; mapping with App profiles requires
familiarity with the third-party user management application in use at your organization to set up custom
attributes. See the Okta documentation for details.
Before you begin
• Configure a management center service provider application at the Okta IdP as described in Configure
the Management Center Service Provider Application for Okta, on page 134.
• Configure SSO user role mapping at the management center as described in Configure User Role Mapping
for Okta at the Management Center, on page 137.
Procedure
Step 1
Add a new attribute to the default Okta user profile:
• For Data type choose string.
• Provide the Variable name the Okta IdP will send to the management center, containing an expression
to match for user role mapping. This variable name must match the string you entered at the management
center SSO configuration for Group Member Attribute. (See Step 5 in Configure User Role Mapping
for Okta at the Management Center, on page 137.)
Step 2
For each user assigned to the management center service provider application using this profile, assign a value
to the user role attribute you have just created.
Use an expression to represent the role or roles the management center will assign to the user. The management
center compares this string against the expressions you assigned to each management center user role in Step
6 of Configure User Role Mapping for Okta at the Management Center, on page 137. (For purposes of
comparison with the management center user role expressions, the management center treats the attribute
value received from Okta as an expression complying with the restricted version of Google's RE2 regular
expression standard supported by Golang and Perl.)
Configure a Group Attribute for Role Mapping at the Okta IdP
Use these instructions at the Okta Classic UI Admin Console to add a custom role mapping group attribute
to the management center service provider application. The management center can support group role mapping
using only one group attribute statement per Okta management center service provider application.
Okta service provider applications may use one of two types of groups:
• Okta groups, which can be extended with any custom attribute.
• Application groups, which can be extended only with attributes from a predefined list that Okta generates
by querying a third-party application or directory (such as Active Directory, LDAP, or RADIUS) for
supported attributes.
You may use either type of group in your Okta org; consult Okta documentation for information on how to
configure them. Whichever type of group you use, to support user role mapping with the management center
you must configure a custom attribute for the group to convey its role mapping expression to the management
center.
This documentation describes role mapping using Okta groups; mapping with application groups requires
familiarity with the third-party user management application in use at your organization to set up custom
attributes. See the Okta documentation for details.
Before you begin
• Configure a management center service provider application at the Okta IdP; see Configure the
Management Center Service Provider Application for Okta, on page 134.
• Configure user role mapping at the management center; see Configure User Role Mapping for Okta at the
Management Center, on page 137.
Procedure
Create a new SAML group attribute for the management center service provider application:
• For Name, use the same string you entered at the management center SSO configuration for Group
Member Attribute. (See Step 5 in Configure User Role Mapping for Okta at the Management Center,
on page 137.)
• For Filter, specify an expression to represent the role or roles the management center will assign to the
members of the group. Okta compares this value against the names of the group(s) of which a user is a
member, and sends the management center the group names that match. The management center in turn
compares those group names against the regular expressions you assigned to each management center
user role in Step 6 of Configure User Role Mapping for Okta at the Management Center, on page 137.
Okta User Role Mapping Examples
As the following examples demonstrate, the SSO configurations at the management center to support user
role mapping are the same for both individual users and for groups. The difference lies in the settings at the
management center service provider application in Okta.
Note
You can configure management center roles to be mapped based on individual user permissions or based on
group permissions, but a single management center application cannot support role mapping for both groups
and individual users. Furthermore, the management center can support group role mapping using only one
group attribute statement per management center service provider application configured in Okta.
Okta Role Mapping Example for Individual User Accounts
In role mapping for individual users, the Okta management center service application has a custom attribute
whose name matches the name of the Group Member Attribute on the management center (in this example,
UserRole). The user profile in Okta also has a custom attribute (in this example, a variable named FMCrole).
The definition for the application custom attribute UserRole establishes that when Okta passes user role
mapping information to the management center, it will use the custom attribute value assigned for the user in
question.
The following diagrams illustrate how the relevant fields and values in the management center and Okta
configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the
same SSO configurations at the management center and at the Okta UI Admin Console, but the configuration
for each user at the Okta UI Admin Console differs to assign each user different roles at the management
center.
• In this diagram [email protected] uses the FMCrole value FMCAdmin and the management center assigns
her the Administrator role.
• In this diagram [email protected] uses the FMCrole value PolicyAdmin, and the management center
assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.
• Other users assigned to the Okta service application for this management center are assigned the default
user role Security Analyst (Read Only) for one of the following reasons:
• They have no value assigned to the FMCrole variable in their Okta user profile.
• The value assigned to the FMCrole variable in their Okta user profile does not match any expression
configured for a user role in the SSO configuration at the management center.
Okta Role Mapping Example for Groups
In role mapping for groups, the Okta management center service application has a custom group attribute
whose name matches the name of the Group Member Attribute on the management center (in this example,
UserRole). When Okta processes a request for management center SSO login, it compares the user's group
membership against the expression assigned to the management center service application group attribute (in
this case ^(.*)Admin$ ). Okta sends to the management center the user's group membership(s) that match the
group attribute. The management center compares the group names it receives against the regular expressions
it has configured for each user role, and assigns user roles accordingly.
The following diagrams illustrate how the relevant fields and values in the management center and Okta
configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO
configurations at the management center and at the Okta UI Admin Console, but the configuration for each
user at the Okta UI Admin Console differs to assign each user different roles at the management center.
• In this diagram [email protected] is a member of the Okta IdP group Admin, which matches the
expression ^(.*)Admin$. Okta sends the management center Fred's Admin group membership, and the
management center assigns him the Administrator role.
• In this diagram [email protected] is a member of the Okta IdP group PolicyAdmin, which matches the
expression ^(.*)Admin$. Okta sends the management center Sue's PolicyAdmin group membership, and
the management center assigns her the roles Access Admin, Discovery Admin, and Intrusion Admin.
Sue is also a member of the Okta group Maint, but because this group name does not match the expression
assigned to the group membership attribute in the Okta management center service application, Okta
does not send information about Sue's Maint group membership to the management center, and her
membership in the Maint group plays no part in the roles the management center assigns to her.
• In this diagram [email protected] is a member of the Okta IdP group Maint. This group name does
not match the expression ^(.*)Admin$, so, when [email protected] logs into the management center,
Okta does not send information about Sean's Maint group membership to the management center and
Sean is assigned the default user role (Security Analyst (Read Only)) rather than the Maintenance User
role.
These diagrams illustrate the importance of advance planning when establishing a role mapping strategy. In
this example, any Okta user with access to this management center who is a member of only the Maint group
can be assigned only the default user role. The management center supports using only one custom group
attribute in its Okta Service Application configuration. The expression you assign to that attribute and the
group names you establish to match against it must be carefully crafted. You can add more flexibility to role
mapping by using regular expressions in the user role assignment strings in the management center SSO
configuration. (The expression you assign to each management center user role must comply with the restricted
version of Google's RE2 regular expression standard supported by Golang and Perl.)
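The two-stage matching the Fred, Sue and Sean examples walk through, modelled in Go (whose regexp package is RE2, the standard the page names). This is an added illustration, not Cisco code: the role expressions, the user-to-group assignments and the FMCrole values are constructed, because the diagrams that held them are not reproduced on this page, and the actual management center accepts only a restricted subset of RE2.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RoleRule pairs a management center user role with the regular expression
// entered next to that role under Advanced Configuration (Role Mapping).
type RoleRule struct {
	Role string
	Expr string
}

// DefaultRole is granted when no role expression matches; the page's examples
// use Security Analyst (Read Only).
const DefaultRole = "Security Analyst (Read Only)"

// GroupRules is a constructed role table for the group-mapping example.
// Maintenance User is configured but, as shown below, can never be reached
// through an Okta group filter of ^(.*)Admin$.
var GroupRules = []RoleRule{
	{"Administrator", "^Admin$"},
	{"Access Admin", "^PolicyAdmin$"},
	{"Discovery Admin", "^PolicyAdmin$"},
	{"Intrusion Admin", "^PolicyAdmin$"},
	{"Maintenance User", "^Maint$"},
}

// UserRules is a constructed role table for the individual-user example, where
// the FMCrole profile attribute carries values such as FMCAdmin or PolicyAdmin.
var UserRules = []RoleRule{
	{"Administrator", "^FMCAdmin$"},
	{"Access Admin", "^PolicyAdmin$"},
	{"Discovery Admin", "^PolicyAdmin$"},
	{"Intrusion Admin", "^PolicyAdmin$"},
}

// FilterGroups models the Okta side of group mapping: the Filter expression of
// the custom group attribute is tested against every group the user belongs to,
// and only the matching group names are placed in the SAML assertion.
func FilterGroups(filter string, groups []string) ([]string, error) {
	re, err := regexp.Compile(filter)
	if err != nil {
		return nil, fmt.Errorf("group attribute filter %q: %w", filter, err)
	}
	var sent []string
	for _, g := range groups {
		if re.MatchString(g) {
			sent = append(sent, g)
		}
	}
	return sent, nil
}

// AssignRoles models the management center side: every role expression is
// tested against every attribute value the IdP sent, the user receives the
// union of the matching roles, and the default role only when nothing matches.
func AssignRoles(rules []RoleRule, values []string, defaultRole string) ([]string, error) {
	granted := map[string]bool{}
	for _, r := range rules {
		re, err := regexp.Compile(r.Expr)
		if err != nil {
			return nil, fmt.Errorf("role %q: bad expression %q: %w", r.Role, r.Expr, err)
		}
		for _, v := range values {
			if re.MatchString(v) {
				granted[r.Role] = true
				break
			}
		}
	}
	if len(granted) == 0 {
		return []string{defaultRole}, nil
	}
	roles := make([]string, 0, len(granted))
	for r := range granted {
		roles = append(roles, r)
	}
	sort.Strings(roles) // deterministic order for display and comparison
	return roles, nil
}

func main() {
	// Constructed group memberships mirroring the page's Fred, Sue and Sean.
	members := map[string][]string{
		"fred": {"Admin"},
		"sue":  {"PolicyAdmin", "Maint"},
		"sean": {"Maint"},
	}
	for _, name := range []string{"fred", "sue", "sean"} {
		sent, _ := FilterGroups("^(.*)Admin$", members[name])
		roles, _ := AssignRoles(GroupRules, sent, DefaultRole)
		fmt.Printf("%-4s groups sent by Okta %-14v -> roles %v\n", name, sent, roles)
	}
	// Individual-user mapping: the FMCrole value itself is what gets compared.
	roles, _ := AssignRoles(UserRules, []string{"PolicyAdmin"}, DefaultRole)
	fmt.Println("user with FMCrole=PolicyAdmin -> roles", roles)
}
```

Sean's case is the planning point the page makes: the Okta filter drops the Maint group before the assertion is built, so the Maintenance User expression at the management center never sees a value to match and he falls through to the default role.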
Configure Single Sign-On with OneLogin
See the following tasks to configure SSO using OneLogin:
• Review the OneLogin Subdomain, on page 146 (OneLogin Admin Portal)
• Configure the Management Center Service Provider Application for OneLogin, on page 146 (OneLogin Admin Portal)
• Enable Single Sign-On at the Management Center, on page 132 (management center)
• Configure the Management Center for OneLogin SSO, on page 148 (management center)
• Configure User Role Mapping for OneLogin at the Management Center, on page 149 (management center)
• Configure User Role Mapping at the OneLogin IdP, on page 150 (OneLogin Admin Portal)
Review the OneLogin Subdomain
In OneLogin, the entity that encompasses all the federated devices and applications that a user can access
with the same SSO account is called a subdomain. Before adding the management center to a OneLogin
subdomain, be familiar with its configuration; consider the following questions:
• How many users will have access to the management center?
• Are users within the OneLogin subdomain members of groups?
• Are users and groups from a third-party directory such as Active Directory, Google Apps, or LDAP
synchronized with the OneLogin subdomain?
• Do you need to add more users or groups to the OneLogin subdomain to support SSO on the management
center?
• What kind of management center user role assignments do you want to make? (If you choose not to
assign user roles, the management center automatically assigns a configurable default user role to all
SSO users.)
• How must users and groups within the OneLogin subdomain be organized to support the required user
role mapping?
Keep in mind that you can configure management center roles to be mapped based on individual users or
based on groups, but a single management center application cannot support role mapping for both groups
and individual users.
This documentation assumes you are already familiar with the OneLogin Admin Portal, and have an account
with Super User privilege. To configure user role mapping, you will also need a subscription to the OneLogin
Unlimited plan, which supports Custom User Fields. If you need more information, see the OneLogin
documentation available online.
Configure the Management Center Service Provider Application for OneLogin
Use these instructions at the OneLogin Admin Portal to create a management center service provider
application within OneLogin and assign users or groups to that application. You should be familiar with
SAML SSO concepts and the OneLogin Admin Portal. This documentation does not describe all the OneLogin
functions you need to establish a fully functional SSO org; for instance, to create users and groups, or to
import user and group definitions from another user management application, see the OneLogin documentation.
Note
If you plan to assign user groups to the management center application, do not also assign users within those
groups as individuals.
Note
The management center cannot support role mapping using multiple SSO attributes; you must select either
user role mapping or group role mapping and configure a single attribute to convey user role information from
OneLogin to the management center.
Before you begin
• Familiarize yourself with the OneLogin subdomain and its users and groups; see Review the OneLogin
Subdomain, on page 146.
• Create user accounts in your OneLogin subdomain if necessary.
Note
The system requires that user names for SSO accounts as well as the NameID
attribute the IdP sends to the management center during the SAML login process
must both be valid email addresses. Many IdPs automatically use the username
of the user trying to log on as the NameID attribute, but you should confirm this
is the case for your IdP. Keep this in mind when configuring a service provider
application at your IdP and creating IdP user accounts that are to be granted SSO
access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname/).
Note
If your management center web interface can be reached with multiple URLs
(for instance, a fully-qualified domain name as well as an IP address), SSO users
must consistently access the management center using the login URL that you
configure in this task.
Procedure
Step 1
Create the management center service provider application using the SAML Test Connector (Advanced)
as its basis.
Step 2
Configure the application with the following settings:
• For the Audience (Entity ID), append the string /saml/metadata to the management center login URL.
For example: https://ExampleFMC/saml/metadata.
• For Recipient, append the string /saml/acs to the management center login URL. For example:
https://ExampleFMC/saml/acs.
• For ACS (Consumer) URL Validator, enter an expression that OneLogin uses to confirm it is using
the correct management center URL. You can create a simple validator by using the ACS URL and
altering it as follows:
• Append a ^ to the beginning of the ACS URL.
• Append a $ to the end of the ACS URL.
• Insert a \ preceding every / and ? within the ACS URL.
For example, for the ACS URL https://ExampleFMC/saml/acs, an appropriate URL validator would be
^https:\/\/ExampleFMC\/saml\/acs$.
• For ACS (Consumer) URL, append the string /saml/acs to the management center login URL. For
example: https://ExampleFMC/saml/acs.
• For Login URL, append the string /saml/acs to the management center login URL. For example:
https://ExampleFMC/saml/acs.
• For the SAML Initiator, choose Service Provider.
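The three validator rules above can be checked mechanically. The following Go program is an added example, not Cisco's or OneLogin's code: it builds the validator from an ACS URL exactly as the rules describe and uses Go's regexp package (RE2 syntax) to show which URLs the anchored, escaped expression accepts; the ACS URL is the guide's example value and the query-string variant is constructed here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BuildACSValidator applies the three rules from Step 2: prefix ^, suffix $,
// and put a backslash before every / and ? in the ACS URL so that they are
// treated as literal characters rather than regular-expression syntax.
func BuildACSValidator(acsURL string) string {
	escape := strings.NewReplacer("/", `\/`, "?", `\?`)
	return "^" + escape.Replace(acsURL) + "$"
}

// ValidatorAccepts reports whether a validator expression matches a candidate
// URL. Go's regexp package implements RE2 syntax, so the result shows what a
// RE2-compatible validator check would accept or reject.
func ValidatorAccepts(validator, candidate string) (bool, error) {
	re, err := regexp.Compile(validator)
	if err != nil {
		return false, fmt.Errorf("invalid validator %q: %w", validator, err)
	}
	return re.MatchString(candidate), nil
}

func main() {
	acs := "https://ExampleFMC/saml/acs" // the guide's example ACS URL
	v := BuildACSValidator(acs)
	fmt.Println("validator:", v)
	// The exact URL is accepted; a longer or truncated URL is rejected because
	// the expression is anchored at both ends.
	for _, cand := range []string{acs, acs + "/extra", "https://ExampleFMC/saml/ac"} {
		ok, _ := ValidatorAccepts(v, cand)
		fmt.Printf("%-40s accepted=%v\n", cand, ok)
	}
	// Constructed variant with a query string: the escaped ? stays literal,
	// so "acs?x=1" is not read as "ac, optional s, x=1".
	q := BuildACSValidator("https://ExampleFMC/saml/acs?x=1")
	fmt.Println("validator with query:", q)
}
```

Dropping the ^ and $ anchors makes the same expression accept any URL that merely contains the ACS URL, which is why the guide adds both.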
Step 3
Assign OneLogin users to the management center service provider application.
Step 4
(Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata
for the management center service provider application from OneLogin to your local computer.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for OneLogin SSO
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the OneLogin Admin Portal; see Configure
the Management Center Service Provider Application for OneLogin, on page 146.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1
(This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the
Configure OneLogin Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the following SSO configuration values from the OneLogin service provider application:
• Identity Provider Single Sign-On URL: Enter the SAML 2.0 Endpoint (HTTP) from
OneLogin.
• Identity Provider Issuer: Enter the Issuer URL from OneLogin.
• X.509 Certificate: Enter the X.509 Certificate from OneLogin.
• If you saved the XML metadata file generated by OneLogin to your local computer (Step 4 in Configure
the Management Center Service Provider Application for OneLogin, on page 146), you can upload the
file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local
computer.
Step 2
Click Next.
Step 3
At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4
Click Test Configuration. If the system displays an error message, review the SSO configuration for the
management center as well as the OneLogin service provider application configuration, correct any errors,
and try again.
Step 5
When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure user role mapping for SSO users; see Configure User Role Mapping for
OneLogin at the Management Center, on page 149. If you choose not to configure role mapping, by default
all SSO users that log into the management center are assigned the user role you configure in Step 4 of
Configure User Role Mapping for OneLogin at the Management Center, on page 149.
Configure User Role Mapping for OneLogin at the Management Center
The fields to configure for user role mapping at the management center web interface are the same regardless
of your choice of SSO provider. But the values you configure must take into account how the SAML SSO
provider you use implements user role mapping.
Before you begin
• Review the OneLogin users and groups, see Review the OneLogin Subdomain, on page 146.
• Configure an SSO service provider application for the management center; see Configure the Management
Center Service Provider Application for OneLogin, on page 146.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the
Management Center, on page 132, and Configure the Management Center Service Provider Application
for OneLogin, on page 146.
Procedure
Step 1
Choose System > Users > Single Sign-On.
Step 2
Expand Advanced Configuration (Role Mapping).
Step 3
Select a management center user role to assign to users as a default value from the Default User Role
drop-down.
Step 4
Enter a Group Member Attribute. This string must match the field name for a custom parameter you define
for role mapping at the management center service provider application in OneLogin. (See Step 1 of Configure
User Role Mapping for Individual Users at the OneLogin IdP, on page 151 or Step 1 of Configure User Role
Mapping for Groups at the OneLogin IdP, on page 152.)
Step 5
Next to each management center user role you wish to assign to SSO users, enter a regular expression. The
management center compares these values against the user role mapping attribute the IdP sends to the
management center with SSO user information. The management center grants users a union of all the roles
for which a match is found.
What to do next
Configure user role mapping at the service provider application; see Configure User Role Mapping at the
OneLogin IdP, on page 150.
Configure User Role Mapping at the OneLogin IdP
You can configure SSO user role mapping at the OneLogin Admin Portal based on individual permissions or
based on group permissions.
• To map based on individual user permissions, see Configure User Role Mapping for Individual Users at
the OneLogin IdP, on page 151.
• To map based on group permissions, see Configure User Role Mapping for Groups at the OneLogin IdP,
on page 152.
When an SSO user logs into the management center, OneLogin presents to the management center a user or
group role attribute value that gets its value from a custom user field configured at the OneLogin IdP. The
management center compares that attribute value against the regular expression assigned to each management
center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no
match is found, the management center grants the user a configurable default user role.) The expression you
assign to each management center user role must comply with the restricted version of Google's RE2 regular
expression standard supported by Golang and Perl. The management center treats the attribute value received
from OneLogin as a regular expression using that same standard for purposes of comparison with the
management center user role expressions.
Note
A single management center cannot support role mapping for both groups and individual users; you must
choose one mapping method for the management center service provider application and use it consistently.
The management center can support role mapping using only one custom user field configured in OneLogin.
Generally group-based role mapping is more efficient for a management center with many users. You should
take into account user and group definitions established throughout your OneLogin subdomain.
Configure User Role Mapping for Individual Users at the OneLogin IdP
Use the OneLogin Admin Portal to create a custom parameter for the management center service provider
application and a custom user field. These provide the means for OneLogin to pass user role information to
the management center during the SSO login process.
Before you begin
• Review the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on
page 146.
• Create and configure a management center service provider application in OneLogin; see Configure
the Management Center Service Provider Application for OneLogin, on page 146.
• Configure SSO user role mapping as described in Configure User Role Mapping for OneLogin at the
Management Center, on page 149.
Procedure
Step 1
Create a custom parameter for the management center service provider application.
• For the Field Name, use the same name you used for the Group Member Attribute in the management
center SSO configuration. (See Step 4 in Configure User Role Mapping for OneLogin at the Management
Center, on page 149.)
• For the Value, provide a mnemonic name such as FMCUserRole. This must match the name of the custom
user field you will configure in Step 2 of this procedure.
Step 2
Create a custom user field to contain user role information for each OneLogin user with access to the management
center.
• For the field Name, provide a mnemonic name such as FMCUserRole. This must match the value provided
for the application custom parameter described in Step 1 of this procedure.
• For the Short name, provide an abbreviated alternate name for the field. (This is used for OneLogin
programmatic interfaces.)
Step 3
For each user with access to the management center service provider application, assign a value to the custom
user field you created in Step 2 of this procedure.
When a user logs into the management center using SSO, the value you assign to this field for that user is the
value the management center compares against the expressions you assigned to management center user roles
in the SSO configuration. (See Step 5 in Configure User Role Mapping for OneLogin at the Management
Center, on page 149.)
What to do next
• Test your role mapping scheme by logging into the management center using SSO from various accounts
and confirming that users are assigned management center user roles as you expect.
Configure User Role Mapping for Groups at the OneLogin IdP
Use the OneLogin Admin Portal to create a custom parameter for the management center service provider
application and a custom user field. Assign OneLogin users to groups. Then create one or more mappings
between the custom user field and the user group so OneLogin assigns a value to the custom user field based
on the user's group membership. These provide the means for OneLogin to pass group-based user role
information to the management center during the SSO login process.
OneLogin service provider applications may use one of two types of groups:
• Groups native to OneLogin.
• Groups synchronized from third-party applications such as Active Directory, Google Apps, or LDAP.
You may use either type of group for management center group role mapping. This documentation describes
role mapping using OneLogin groups; using third-party application groups requires familiarity with the
third-party user management application in use at your organization. See the OneLogin documentation for
details.
Before you begin
• Review the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on
page 146.
• Create and configure a management center service provider application in OneLogin; see Configure
the Management Center Service Provider Application for OneLogin, on page 146.
• Configure SSO user role mapping as described in Configure User Role Mapping for OneLogin at the
Management Center, on page 149.
Procedure
Step 1
Create a custom parameter for the management center service provider application.
• For the Field Name, use the same name you used for the Group Member Attribute in the management
center SSO configuration. (See Step 4 in Configure User Role Mapping for OneLogin at the Management
Center, on page 149.)
• For the Value, provide a mnemonic name such as FMCUserRole. This must match the name of the custom
user field you will configure in Step 2 of this procedure.
Step 2
Create a custom user field to contain user role information for each OneLogin user with access to the management
center.
• For the field Name, provide a mnemonic name such as FMCUserRole. This must match the value provided
for the application custom parameter described in Step 1 of this procedure.
• For the Short name, provide an abbreviated alternate name for the field. (This is used for OneLogin
programmatic interfaces.)
Step 3
Create one or more user field mappings to assign group-based values to the custom user field you created in
Step 2 of this procedure. Create as many mappings as you need to assign the correct management center user
role to each OneLogin user group.
• Create one or more Conditions for the mapping, comparing the user Group field against group names.
• If you create multiple Conditions, choose whether a user's group must match any or all of the conditions
for the mapping to take place.
• Create an Action for the mapping, to assign a value to the custom user field you created in Step 2 of this
procedure. Provide the field Name, and the string that OneLogin assigns to this custom user field for all
users that meet the Conditions you specified.
The management center compares this string against the expressions you assign to each management
center user role in Step 5 of Configure User Role Mapping for OneLogin at the Management Center, on
page 149.
• Reapply All Mappings when you have completed your changes.
What to do next
• Test your role mapping scheme by logging into the management center using SSO from various accounts
and confirming that users are assigned management center user roles as you expect.
OneLogin User Role Mapping Examples
As the following examples demonstrate, the SSO configurations at the management center to support user
role mapping are the same for both individual users and for groups. The difference lies in the settings at the
management center service provider application in OneLogin.
Note
A single management center cannot support role mapping for both groups and individual users; you must
choose one mapping method for the management center service provider application and use it consistently.
The management center can support role mapping using only one custom user field configured in OneLogin.
Generally group-based role mapping is more efficient for a management center with many users. You should
take into account user and group definitions established throughout your OneLogin subdomain.
OneLogin Role Mapping Example for Individual User Accounts
In role mapping for individual users, the OneLogin management center service application has a custom
parameter whose name matches the name of the Group Member attribute on the management center (in this
example, UserRole). OneLogin also has a custom user field defined (in this example, FMCUserRole). The
definition for the application custom parameter UserRole establishes that when OneLogin passes user role
mapping information to the management center, it will use the value of the custom user field FMCUserRole
for the user in question.
The following diagrams illustrate how the relevant fields and values in the management center and OneLogin
configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the
same SSO configurations at the management center and at the OneLogin Admin portal, but the configuration
for each user at the OneLogin Admin portal differs to assign each user different roles at the management
center.
• In this diagram [email protected] uses the FMCUserRole value PolicyAdmin and the management center
assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.
• In this diagram [email protected] uses the FMCUserRole value FMCAdmin, and the management center
assigns her the Administrator role.
• Other users assigned to the OneLogin service application for this management center are assigned the
default user role Security Analyst (Read Only) for one of the following reasons:
• They have no value assigned to the FMCUserRole custom user field.
• The value assigned to the FMCUserRole custom user field does not match any expression configured
for a user role in the SSO configuration at the management center.
OneLogin Role Mapping Example for Groups
In role mapping for groups, the OneLogin management center service application has a custom parameter
whose name matches the name of the Group Member attribute on the management center (in this example,
UserRole). OneLogin also has a custom user field defined (in this example, FMCUserRole). The definition for
the application custom parameter UserRole establishes that when OneLogin passes user role mapping
information to the management center, it will use the value of the custom user field FMCUserRole for the user
in question. To support user group mapping, you must establish a mapping within OneLogin to assign a value
for each user's FMCUserRole field based on that user's OneLogin group membership.
The following diagrams illustrate how the relevant fields and values in the management center and OneLogin
configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO
configurations at the management center and at the OneLogin Admin portal, but the configuration for each
user at the OneLogin Admin portal differs to assign each user different roles at the management center.
• In this diagram [email protected] is a member of the OneLogin IdP group FMCPolicyAdminGroup. A
OneLogin mapping assigns the value PolicyAdmin to the custom user field FMCUserRole for members
of the FMCPolicyAdminGroup. The management center assigns Fred and other members of the
FMCPolicyAdminGroup the roles Access Admin, Discovery Admin, and Intrusion Admin.
• In this diagram [email protected] is a member of the OneLogin IdP group FMCAdminGroup. A OneLogin
mapping assigns the value FMCAdmin to the custom user field FMCUserRole for members of the
FMCAdminGroup. The management center assigns Sue and other members of the FMCAdminGroup the
Administrator role.
• In this diagram [email protected] is a member of the IdP group FMCMaintGroup. There is no OneLogin
mapping associated with this group, so OneLogin does not assign a value to the custom user field
FMCUserRole for Sean. The management center assigns Sean the default user role (Security Analyst
(Read Only)) rather than the Maintenance User role.
Configure Single Sign-On with Azure AD
See the following tasks to configure SSO using Azure:
Azure AD Portal: Review the Azure Tenant, on page 158
Azure AD Portal: Configure the Management Center Service Provider Application for Azure, on page 158
management center: Enable Single Sign-On at the Management Center, on page 132
management center: Configure the Management Center for Azure SSO, on page 160
management center: Configure User Role Mapping for Azure at the Management Center, on page 161
Azure AD Portal: Configure User Role Mapping at the Azure IdP, on page 162
Review the Azure Tenant
Azure AD is Microsoft's multitenant cloud-based identity and access management service. In Azure, the entity
that encompasses all the federated devices that a user can access with the same SSO account is called a tenant.
Before adding the management center to an Azure tenant, be familiar with its organization; consider the
following questions:
• How many users will have access to the management center?
• Are users within the Azure tenant members of groups?
• Are users and groups from another directory product?
• Do you need to add more users or groups to the Azure tenant to support SSO on the management center?
• What kind of management center user role assignments do you want to make? (If you choose not to
assign user roles, the management center automatically assigns a configurable default user role to all
SSO users.)
• How must users and groups within the Azure tenant be organized to support the required user role
mapping?
• Keep in mind that you can configure management center roles to be mapped based on individual users
or based on groups, but a single management center application cannot support role mapping for both
groups and individual users.
This documentation assumes you are already familiar with the Azure Active Directory Portal and have an
account with application admin privileges for the Azure AD tenant. Keep in mind that the management center
supports Azure SSO only with tenant-specific single sign-on and single sign-out endpoints. You must have
an Azure AD Premium P1 or above license and Global Administrator permissions; see Azure documentation
for more information.
Configure the Management Center Service Provider Application for Azure
Use the Azure Active Directory Portal to create a management center service provider application within
your Azure Active Directory tenant and establish basic configuration settings.
Note
If you plan to assign user groups to the management center application, do not also assign users within those
groups as individuals.
Note
The management center cannot support role mapping using multiple SSO attributes; you must select either
user role mapping or group role mapping and configure a single attribute to convey user role information from
Azure to the management center.
Before you begin
• Familiarize yourself with your Azure tenant and its users and groups; see Review the Azure Tenant, on
page 158.
• Create user accounts and/or groups in your Azure tenant if necessary.
Note
The system requires that user names for SSO accounts as well as the NameID
attribute the IdP sends to the management center during the SAML login process
must both be valid email addresses. Many IdPs automatically use the username
of the user trying to log on as the NameID attribute, but you should confirm this
is the case for your IdP. Keep this in mind when configuring a service provider
application at your IdP and creating IdP user accounts that are to be granted SSO
access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname).
Note
If your management center web interface can be reached with multiple URLs
(for instance, a fully-qualified domain name as well as an IP address), SSO users
must consistently access the management center using the login URL that you
configure in this task.
Procedure
Step 1
Create the management center service provider application using the Azure AD SAML Toolkit as its basis.
Step 2
Configure the application with the following settings for Basic SAML Configuration:
• For the Identifier (Entity ID) append the string /saml/metadata to the management center login URL.
For example: https://ExampleFMC/saml/metadata.
• For the Reply URL (Assertion Consumer Service URL) append the string /saml/acs to the management
center login URL. For example: https://ExampleFMC/saml/acs.
• For the Sign on URL append the string /saml/acs to the management center login URL. For example:
https://ExampleFMC/saml/acs.
Step 3
Edit the Unique User Identifier Name (Name ID) claim for the application to force the username for sign-on
at the management center to be the email address associated with the user account:
• For Source choose Attribute.
• For Source attribute: Choose user.mail.
Step 4
Generate a certificate to secure SSO on the management center. Use the following options for the certificate:
• Select Sign SAML Response and Assertion for the Signing Option.
• Select SHA-256 for the Signing Algorithm.
Step 5
Download the Base-64 version of the certificate to your local computer; you will need it when you configure
Azure SSO at the management center web interface.
Step 6
In the SAML-based Sign-on information for the application, note the following values:
• Login URL
• Azure AD Identifier
You will need these values when you configure Azure SSO at the management center web interface.
Step 7
(Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata
file for the management center service provider application (called the Federation Metadata XML in the
Azure Portal) to your local computer.
Step 8
Assign existing Azure users and groups to the management center service application.
Note
If you plan to assign user groups to the management center application, do not also assign users
within those groups as individuals.
Note
If you plan to configure user role mapping, you can configure roles to be mapped based on individual
user permissions or based on group permissions, but a single management center application cannot
support role mapping for both groups and individual users.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for Azure SSO
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the Azure AD Portal; see Configure the
Management Center Service Provider Application for Azure, on page 158.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1
(This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the
Configure Azure Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the values you retrieved from the Azure SSO Service Provider application:
• For Identity Provider Single Sign-On URL enter the Login URL you noted in Step 6 of Configure
the Management Center Service Provider Application for Azure, on page 158.
• For Identity Provider Issuer enter the Azure AD Identifier you noted in Step 6 of Configure the
Management Center Service Provider Application for Azure, on page 158.
• For the X.509 Certificate, use the certificate you downloaded from Azure in Step 5 of Configure
the Management Center Service Provider Application for Azure, on page 158. (Use a text editor to
open the certificate file, copy the contents, and paste it into the X.509 Certificate field.)
• If you saved the XML metadata file generated by Azure to your local computer (Step 7 of Configure the
Management Center Service Provider Application for Azure, on page 158), you can upload the file to the
management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local
computer.
Step 2
Click Next.
Step 3
At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4
Click Test Configuration. If the system displays an error message, review the SSO configuration for the
management center as well as the Azure service provider application, correct any errors, and try again.
Step 5
When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure role mapping for SSO users; see Configure User Role Mapping for Azure at
the Management Center, on page 161. If you choose not to configure role mapping, by default all SSO users
that log into the management center are assigned the default user role you configure in Step 4 of Configure
User Role Mapping for Azure at the Management Center, on page 161.
Configure User Role Mapping for Azure at the Management Center
The fields to configure for user role mapping at the management center web interface are the same regardless
of your choice of SSO provider. But the values you configure must take into account how the SAML SSO
provider you use implements user role mapping.
Before you begin
• Review the existing Azure users and groups; see Review the Azure Tenant, on page 158.
• Configure an SSO service provider application for the management center; see Configure the Management
Center Service Provider Application for Azure, on page 158.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the
Management Center, on page 132, and Configure the Management Center for Azure SSO, on page 160.
Procedure
Step 1
Choose System > Users.
Step 2
Click the Single Sign-On tab.
Step 3
Expand Advanced Configuration (Role Mapping).
Step 4
Select a management center user role to assign to users by default from the Default User Role drop-down.
Step 5
Enter a Group Member Attribute. This string must match the name of the user claim you create for the
management center service provider application in Azure; see Step 1 of Configure User Role Mapping for
Individual Users at the Azure IdP, on page 163 or Step 1 of Configure User Role Mapping for Groups at the
Azure IdP, on page 164.
Step 6
Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The
management center uses a restricted version of Google's RE2 regular expression standard supported by Golang
and Perl.) The management center compares these values against the user role mapping attribute value the
IdP sends to the management center with SSO user information. The management center grants users a union
of all the roles for which a match is found.
What to do next
Configure user role mapping at the service provider application; see Configure User Role Mapping at the
Azure IdP, on page 162.
Configure User Role Mapping at the Azure IdP
You can configure SSO user role mapping at the Azure AD Portal based on individual user permissions or
based on group permissions.
• To map based on individual user permissions, see Configure User Role Mapping for Individual Users at
the Azure IdP.
• To map based on group permissions, see Configure User Role Mapping for Groups at the Azure IdP.
When an SSO user logs into the management center, Azure presents to the management center a user or group
role attribute value that gets its value from an application role configured at the Azure AD Portal. The
management center compares that attribute value against the regular expression assigned to each management
center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no
match is found, the management center grants the user a configurable default user role.) The expression you
assign to each management center user role must comply with the restricted version of Google's RE2 regular
expression standard supported by Golang and Perl. The management center treats the attribute value received
from Azure as a regular expression using that same standard for purposes of comparison with the management
center user role expressions.
Note
A single management center cannot support role mapping for both groups and individual users; you must
choose one mapping method for the management center service provider application and use it consistently.
The management center can support role mapping using only one claim configured in Azure. Generally
group-based role mapping is more efficient for a management center with many users. You should take into
account user and group definitions established throughout your Azure tenant.
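The comparison described above, as an added example that is not part of this guide or of the management center's own code: a small Go model of the role mapping configuration (Go's regexp package is an RE2 implementation, the same expression family the text names). The role names, expressions and claim values are constructed from the Azure examples later in this chapter; anchoring each expression to the whole claim value is an assumption made here, because the guide does not state how the comparison is anchored.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RoleMapping is this example's model of the management center side of role
// mapping: one RE2 expression per management center user role, plus the default
// role granted when nothing matches. It is not the product's own data structure.
type RoleMapping struct {
	DefaultRole string
	// RoleExprs maps a management center user role to the expression entered
	// next to it under Advanced Configuration (Role Mapping).
	RoleExprs map[string]string
}

// compile validates every expression with Go's regexp package, which is an RE2
// implementation. Anchoring each expression to the whole claim value is an
// assumption made here so that "Admin" cannot match "FMCAdmin" by substring.
func (m RoleMapping) compile() (map[string]*regexp.Regexp, error) {
	compiled := make(map[string]*regexp.Regexp, len(m.RoleExprs))
	for role, expr := range m.RoleExprs {
		re, err := regexp.Compile("^(?:" + expr + ")$")
		if err != nil {
			return nil, fmt.Errorf("role %q: invalid expression %q: %w", role, expr, err)
		}
		compiled[role] = re
	}
	return compiled, nil
}

// ResolveRoles models the comparison the text describes: every value carried by
// the IdP's role claim is tested against every role expression, the user gets
// the union of all roles that matched, and the default role only when no role
// matched at all. The result is sorted so callers can compare it directly.
func (m RoleMapping) ResolveRoles(claimValues []string) ([]string, error) {
	compiled, err := m.compile()
	if err != nil {
		return nil, err
	}
	granted := map[string]bool{}
	for role, re := range compiled {
		for _, v := range claimValues {
			if re.MatchString(v) {
				granted[role] = true
			}
		}
	}
	if len(granted) == 0 {
		return []string{m.DefaultRole}, nil
	}
	roles := make([]string, 0, len(granted))
	for role := range granted {
		roles = append(roles, role)
	}
	sort.Strings(roles)
	return roles, nil
}

// SampleMapping uses constructed values modelled on the Azure examples: the
// FMCAdmin application role maps to Administrator, PolicyAdmin maps to three
// roles at once, and the group-style roles AccessAdmin and DiscoveryAdmin are
// accepted through alternation.
func SampleMapping() RoleMapping {
	return RoleMapping{
		DefaultRole: "Security Analyst (Read Only)",
		RoleExprs: map[string]string{
			"Administrator":   "FMCAdmin",
			"Access Admin":    "PolicyAdmin|AccessAdmin",
			"Discovery Admin": "PolicyAdmin|DiscoveryAdmin",
			"Intrusion Admin": "PolicyAdmin",
		},
	}
}

func main() {
	m := SampleMapping()
	for _, claim := range [][]string{{"FMCAdmin"}, {"PolicyAdmin"}, {"AccessAdmin", "DiscoveryAdmin"}, {"Maint"}, nil} {
		roles, err := m.ResolveRoles(claim)
		if err != nil {
			fmt.Println("configuration error:", err)
			return
		}
		fmt.Printf("claim %v -> %v\n", claim, roles)
	}
}
```

A claim value that matches no expression, or an empty claim, falls through to the default role, which is why the default role should be the least privileged one you are willing to hand to any authenticated SSO user.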
Configure User Role Mapping for Individual Users at the Azure IdP
To establish role mapping for individual users of the management center service application in Azure, use the
Azure AD Portal to add a claim to the application, add roles to the application's registration manifest, and
assign roles to users.
Before you begin
• Review the Azure tenant; see Review the Azure Tenant, on page 158.
• Create and configure a management center service provider application in Azure; see Configure the
Management Center Service Provider Application for Azure, on page 158.
• Configure SSO user role mapping as described in Configure User Role Mapping for Azure at the
Management Center, on page 161.
Procedure
Step 1
Add a user claim to the SSO configuration for the management center service application with the following
characteristics:
• Name: Use the same string you entered for the Group Member Attribute in the management center
SSO configuration. (See Step 5 in Configure User Role Mapping for Azure at the Management Center,
on page 161.)
• Source: Choose Attribute.
• Source attribute: Choose user.assignedroles.
Step 2
Edit the manifest for the management center service application (in JSON format) and add application roles
to represent management center user roles you wish to assign to SSO users. The simplest approach is to copy
an existing application role definition and change the following properties:
• displayName: The name for the role that will appear in the Azure AD Portal.
• description: A brief description of the role.
• id: An alphanumeric string that must be unique among id properties within the manifest.
• value: A string to represent one or more management center user roles. (Note: Azure does not permit
spaces in this string.)
Step 3
For each user assigned to the management center Service application, assign one of the application roles you
have added to the manifest for that application. When a user logs in to the management center using SSO, the
application role you assign to that user is the value Azure sends to the management center in the claim for the
service application. The management center compares the claim against the expressions you assigned to
management center user roles in the SSO configuration (See Step 6 of Configure User Role Mapping for
Azure at the Management Center, on page 161.), and assigns the user all the management center user roles for
which there is a match.
What to do next
• Test your role mapping scheme by logging into the management center using SSO from various accounts
and confirming that users are assigned management center user roles as you expect.
Configure User Role Mapping for Groups at the Azure IdP
To establish role mapping for user groups for the management center service application in Azure, use the
Azure AD Portal to add a claim to the application, add roles to the application's registration manifest, and
assign roles to groups.
Before you begin
• Review the Azure tenant; see Review the Azure Tenant, on page 158.
• Create and configure a management center service provider application in Azure; see Configure the
Management Center Service Provider Application for Azure, on page 158.
• Configure SSO user role mapping as described in Configure User Role Mapping for Azure at the
Management Center, on page 161.
Procedure
Step 1
Add a user claim to the SSO configuration for the management center service application with the following
characteristics:
• Name: Use the same string you entered for the Group Member Attribute in the management center
SSO configuration. (See Step 5 in Configure User Role Mapping for Azure at the Management Center,
on page 161.)
• Source: Choose Attribute.
• Source attribute: Choose user.assignedroles.
Step 2
Edit the manifest for the management center service application (in JSON format) and add application roles
to represent management center user roles you wish to assign to SSO users. The simplest approach is to copy
an existing application role definition and change the following properties:
• displayName: The name for the role that will appear in the Azure AD Portal.
• description: A brief description of the role.
• id: An alphanumeric string that must be unique among id properties within the manifest.
• value: A string to represent one or more management center user roles. (Azure does not permit spaces
in this string.)
Step 3
For each group assigned to the management center Service application, assign one of the application roles
you have added to the manifest for that application. When a user logs in to the management center using SSO,
the application role you assign to that user's group is the value Azure sends to the management center in the
claim for the service application. The management center compares the claim against the expressions you
assigned to management center user roles in the SSO configuration (see Step 6 of Configure User Role Mapping
for Azure at the Management Center, on page 161), and assigns the user all the management center user roles
for which there is a match.
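Step 2 of this procedure and of the individual-user procedure before it both ask you to copy an application role in the manifest and change its properties. The following Go program is an added example, not code from this guide or from Microsoft: it reads an appRoles fragment and checks the two constraints the steps state (a unique id per role and no spaces in value), and additionally flags an empty value because an empty claim can never match a role expression at the management center. The manifest text is constructed for this example, and the id values in it are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AppRole mirrors the fields of an appRoles entry in an Azure AD application
// manifest that Step 2 says to copy and edit. Field names follow the manifest's
// JSON keys; the sample manifest below is constructed for this example.
type AppRole struct {
	AllowedMemberTypes []string `json:"allowedMemberTypes"`
	Description        string   `json:"description"`
	DisplayName        string   `json:"displayName"`
	ID                 string   `json:"id"`
	IsEnabled          bool     `json:"isEnabled"`
	Value              string   `json:"value"`
}

// Manifest holds only the part of the manifest this check needs.
type Manifest struct {
	AppRoles []AppRole `json:"appRoles"`
}

// ValidateAppRoles applies the constraints Step 2 states for copied roles:
// every id must be unique within the manifest and value must not contain
// spaces. It also flags an empty value, because an empty claim value cannot
// match any role expression and the user would silently receive the default
// role. It returns one message per problem found.
func ValidateAppRoles(manifestJSON []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	var problems []string
	seenIDs := map[string]string{} // id -> displayName of the role that first used it
	for _, r := range m.AppRoles {
		if prev, dup := seenIDs[r.ID]; dup {
			problems = append(problems, fmt.Sprintf("%s: id %q already used by %s", r.DisplayName, r.ID, prev))
		} else {
			seenIDs[r.ID] = r.DisplayName
		}
		if r.Value == "" {
			problems = append(problems, fmt.Sprintf("%s: value is empty", r.DisplayName))
		} else if strings.ContainsAny(r.Value, " \t") {
			problems = append(problems, fmt.Sprintf("%s: value %q contains whitespace", r.DisplayName, r.Value))
		}
	}
	return problems, nil
}

// SampleManifest is a constructed appRoles fragment: the first two roles follow
// the rules in Step 2; the third was copied without changing its id and the
// fourth has a space in value. The id strings are placeholders, not real GUIDs.
const SampleManifest = `{
  "appRoles": [
    {"allowedMemberTypes": ["User"], "description": "Full administrator", "displayName": "FMCAdmin",
     "id": "11111111-aaaa-4bbb-8ccc-000000000001", "isEnabled": true, "value": "FMCAdmin"},
    {"allowedMemberTypes": ["User"], "description": "Policy administrator", "displayName": "PolicyAdmin",
     "id": "11111111-aaaa-4bbb-8ccc-000000000002", "isEnabled": true, "value": "PolicyAdmin"},
    {"allowedMemberTypes": ["User"], "description": "Copied without changing id", "displayName": "Maint",
     "id": "11111111-aaaa-4bbb-8ccc-000000000002", "isEnabled": true, "value": "Maint"},
    {"allowedMemberTypes": ["User"], "description": "Space in value", "displayName": "DiscoveryAdmin",
     "id": "11111111-aaaa-4bbb-8ccc-000000000004", "isEnabled": true, "value": "Discovery Admin"}
  ]
}`

func main() {
	problems, err := ValidateAppRoles([]byte(SampleManifest))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

Running the check before you save the manifest catches the two mistakes the Azure portal may otherwise report only at save time, and the empty-value case that it does not report at all.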
What to do next
Test your role mapping scheme by logging into the management center using SSO from various accounts and
confirming that users are assigned management center user roles as you expect.
Azure User Role Mapping Examples
As the following examples demonstrate, the SSO configurations at the management center to support user
role mapping are the same for both individual users and for groups. The difference lies in the settings at the
management center service provider application in Azure.
Note
You can configure management center roles to be mapped based on individual permissions or based on group
permissions, but a single management center application cannot support role mapping for both groups and
individual users. The management center can support role mapping using only one claim configured in Azure.
Azure Role Mapping Example for Individual User Accounts
In role mapping for individual users, the Azure management center service application has custom roles
defined within its manifest. (In this case, FMCAdmin and PolicyAdmin.) These roles can be assigned to users;
Azure stores role assignments for each user in that user's assignedroles attribute. The application also has a
custom user claim defined, and this claim is configured to get its value from the assigned user role for a user
logging into the management center using SSO. Azure passes the claim value to the management center during
the SSO login process, and the management center compares the claim value against strings assigned to each
management center user role in the management center SSO configuration.
The following diagrams illustrate how the relevant fields and values in the management center and Azure
configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the
same SSO configurations at the management center and at the Azure AD portal, but the configuration for each
user at the Azure AD portal differs to assign each user different roles at the management center.
• In this diagram sue@example.com uses the assignedroles attribute value FMCAdmin, and the management
center assigns her the management center Administrator role.
• In this diagram fred@example.com uses the assignedroles attribute value PolicyAdmin, and the
management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.
• Other users assigned to the Azure service application for this management center are assigned the default
user role Security Analyst (Read Only) for one of the following reasons:
• They have no value assigned to their assignedroles attribute.
• The value assigned to their assignedroles attribute does not match any expression configured for a
user role in the SSO configuration at the management center.
Azure Role Mapping Example for Groups
In role mapping for groups, the Azure management center service application has custom roles defined within
its manifest. (In this case, FMCAdmin, AccessAdmin, DiscoveryAdmin, and Maint.) These roles can be
assigned to groups; Azure passes role assignments for each group to group members' assignedroles attribute.
The application also has a custom user claim defined, and this claim is configured to get its value from the
assigned user role for a user logging into the management center using SSO. Azure passes the claim value to
the management center during the SSO login process, and the management center compares the claim value
against strings assigned to each management center user role in the management center SSO configuration.
The following diagrams illustrate how the relevant fields and values in the management center and Azure
configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO
configurations at the management center and at the Azure AD portal, but the configuration for each user at
the Azure AD portal differs to assign each user different roles at the management center.
• In this diagram sue@example.com is a member of the groups FMCAccessAdmins and FMCDiscoveryAdmins.
From these groups she inherits the custom roles AccessAdmin and DiscoveryAdmin. When Sue logs into
the management center using SSO the management center assigns her the roles Access Admin and
Discovery Admin.
• In this diagram fred@example.com is a member of the FMCAdmins group, from which he inherits the
custom role FMCAdmin. When Fred logs into the management center using SSO the management center
assigns him the Administrator role.
• In this diagram sean@example.com is a member of the FMCMaintUsers group, but because no custom
role has been assigned to FMCMaintUsers within the Azure management center service provider application,
Sean has no roles assigned to him, and when he logs into the management center using SSO, the
management center assigns him the default role Security Analyst (Read Only).
Configure Single Sign-On with PingID
See the following tasks to configure SSO using PingID's PingOne for Customers product:
• PingOne for Customers Administrator's Console: Review the PingID PingOne for Customers Environment, on page 171.
• PingOne for Customers Administrator's Console: Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.
• management center: Enable Single Sign-On at the Management Center, on page 132.
• management center: Configure the Management Center for SSO with PingID PingOne for Customers, on page 173.
Review the PingID PingOne for Customers Environment
PingOne for Customers is PingID's cloud-hosted identity-as-a-service (IDaaS) product. In PingOne for
Customers, the entity that encompasses all the federated devices that a user can access with the same SSO
account is called an environment. Before adding the management center to a PingOne environment, be familiar
with its organization; consider the following questions:
• How many users will have access to the management center?
• Do you need to add more users to support SSO access to the management center?
This documentation assumes you are already familiar with the PingOne for Customers Administrator Console
and have an account with the Organization Admin role.
Configure the Management Center Service Provider Application for PingID PingOne for Customers
Use the PingOne for Customers Administrator Console to create a management center service provider
application within your PingOne for Customers environment and establish basic configuration settings. This
documentation does not describe all the PingOne for Customers functions you need to establish a fully
functional SSO environment; for instance, to create users see the PingOne for Customers documentation.
Before you begin
• Familiarize yourself with your PingOne for Customers environment and its users.
• Create additional users if necessary.
Note
The system requires that user names for SSO accounts as well as the NameID
attribute the IdP sends to the management center during the SAML login process
must both be valid email addresses. Many IdPs automatically use the username
of the user trying to log on as the NameID attribute, but you should confirm this
is the case for your IdP. Keep this in mind when configuring a service provider
application at your IdP and creating IdP user accounts that are to be granted SSO
access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname)
Note
If your management center web interface can be reached with multiple URLs
(for instance, a fully-qualified domain name as well as an IP address), SSO users
must consistently access the management center using the login URL that you
configure in this task.
Procedure
Step 1
Use the PingOne for Customers Administrator Console to create the application in your environment using
these settings:
• Choose the Web App application type.
• Choose the SAML connection type.
Step 2
Configure the application with the following settings for the SAML Connection:
• For the ACS URL, append the string /saml/acs to the management center login URL. For example:
https://ExampleFMC/saml/acs.
• For the Signing Certificate, choose Sign Assertion & Response.
• For the Signing Algorithm choose RSA_SHA256.
• For the Entity ID, append the string /saml/metadata to the management center login URL. For example:
https://ExampleFMC/saml/metadata.
• For the SLO Binding select HTTP POST.
• For the Assertion Validity Duration enter 300.
Step 3
In the SAML Connection information for the application, note the following values:
• Single Sign-On Service
• Issuer ID
You will need these values when you configure SSO using PingID's PingOne for Customers product at the
management center web interface.
Step 4
For SAML ATTRIBUTES, make the following selections for a single required attribute:
• PINGONE USER ATTRIBUTE: Email Address
• APPLICATION ATTRIBUTE: saml_subject
Step 5
Download the signing certificate in X509 PEM (.crt) format and save it to your local computer.
Step 6
(Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata
file for the management center service provider application to your local computer.
Step 7
Enable the application.
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for SSO with PingID PingOne for Customers
Use these instructions at the management center web interface.
Before you begin
• Create a management center service provider application at the PingOne for Customers Administrator
Console; see Configure the Management Center Service Provider Application for PingID PingOne for
Customers, on page 171.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1
(This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the
Configure PingID Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the values you retrieved from the PingOne for Customers Administrator Console:
• For Identity Provider Single Sign-On URL enter the Single Sign-On Service you noted in Step
3 of Configure the Management Center Service Provider Application for PingID PingOne for
Customers, on page 171.
• For Identity Provider Issuer enter the Issuer ID you noted in Step 3 of Configure the
Management Center Service Provider Application for PingID PingOne for Customers, on page
171.
• For the X.509 Certificate, use the certificate you downloaded from PingOne for Customers in
Step 5 of Configure the Management Center Service Provider Application for PingID PingOne
for Customers, on page 171. (Use a text editor to open the certificate file, copy the contents, and
paste it into the X.509 Certificate field.)
• If you saved the XML metadata file generated by PingOne for Customers to your local computer (Step
6 of Configure the Management Center Service Provider Application for PingID PingOne for Customers,
on page 171), you can upload the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local
computer.
Step 2
Click Next.
Step 3
At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4
Expand Advanced Configuration (Role Mapping).
Step 5
Select a management center user role to assign to users by default from the Default User Role drop-down.
Step 6
Click Test Configuration. If the system displays an error message, review the SSO configuration for the
management center as well as the PingOne for Customers service provider application, correct any errors,
and try again.
Step 7
When the system reports a successful configuration test, click Apply.
Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider
The management center supports single sign-on with any SSO identity provider (IdP) compliant with the
SAML 2.0 SSO protocol. Generic instructions to use a wide range of SSO providers must address the tasks
to be performed at a high level; establishing SSO using a provider not specifically addressed in this
documentation requires that you be proficient with the IdP of your choice. These tasks help you determine
the steps to configure the management center for single sign-on using any SAML 2.0-compliant SSO provider:
• IdP Administration Application: Familiarize Yourself with the SSO Identity Provider and the SSO Federation, on page 175.
• IdP Administration Application: Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.
• management center: Enable Single Sign-On at the Management Center, on page 132.
• management center: Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.
• management center: Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178.
• IdP Administration Application: Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.
Familiarize Yourself with the SSO Identity Provider and the SSO Federation
Read the IdP vendor documentation with the following considerations in mind:
• Does the SSO provider require that users subscribe to or register with any services before using the IdP?
• What terminology does the SSO provider use for common SSO concepts? For instance, to refer to a
group of federated service provider applications, Okta uses "org" where Azure uses "tenant."
• Does the SSO provider support SSO exclusively, or a suite of functions—for instance, multifactor
authentication or domain management? (This can affect configuration of some elements shared between
features—especially users and groups.)
• What permissions does an IdP user account need to configure SSO?
• What configurations does the SSO provider require you to establish for a service provider application?
For instance, Okta automatically generates an X509 Certificate to secure its communications with the
management center, while Azure requires that you generate that certificate using the Azure portal interface.
• How are users and groups created and configured? How are users assigned to groups? How are users
and groups granted access to service provider applications?
• Does the SSO provider require that at least one user be assigned to a service provider application before
the SSO connection can be tested?
• Does the SSO provider support user groups? How are user and group attributes configured? How can
you map attributes to management center user roles in the SSO configuration?
• Do you need to add more users or groups to the federation to support SSO on the management center?
• Are users within the federation members of groups?
• Are user and group definitions native to the IdP or imported from a user management application such as
Active Directory, RADIUS, or LDAP?
• What kind of user role assignments do you want to make? (If you choose not to assign user roles, the
management center automatically assigns a configurable default user role to all SSO users.)
• How must users and groups within the federation be organized to support your plan for user role mapping?
Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO
Provider
Generally SSO providers require that you configure a service provider application at the IdP for each federated
application. All IdPs that support SAML 2.0 SSO need the same configuration information for service provider
applications, but some IdPs automatically generate some configuration settings for you, while others require
that you configure all settings yourself.
Note
If you plan to assign user groups to the management center Application, do not also assign users within those
groups as individuals.
Note
The management center cannot support role mapping using multiple SSO attributes; you must select either
user role mapping or group role mapping and configure a single attribute to convey user role information from
the IdP to the management center.
Before you begin
• Familiarize yourself with the SSO federation and its users and groups; see Familiarize Yourself with the
SSO Identity Provider and the SSO Federation, on page 175.
• Confirm your IdP account has the necessary permissions to perform this task.
• Create user accounts and/or groups in your SSO federation if necessary.
Note
The system requires that user names for SSO accounts as well as the NameID
attribute the IdP sends to the management center during the SAML login process
must both be valid email addresses. Many IdPs automatically use the username
of the user trying to log on as the NameID attribute, but you should confirm this
is the case for your IdP. Keep this in mind when configuring a service provider
application at your IdP and creating IdP user accounts that are to be granted SSO
access to the management center.
• Confirm the login URL for the target management center (https://ipaddress_or_hostname)
Note
If your management center web interface can be reached with multiple URLs
(for instance, a fully-qualified domain name as well as an IP address), SSO users
must consistently access the management center using the login URL that you
configure in this task.
Procedure
Step 1
Create a new service provider application at the IdP.
Step 2
Configure values required by the IdP. Be sure to include the fields listed below, required to support SAML
2.0 SSO functionality with the management center. (Because different SSO service providers use different
terminology for SAML concepts, this list provides alternate names for these fields to help you find the right
settings in the IdP application.):
• Service Provider Entity ID, Service Provider Identifier, Audience URI: A globally unique name for the
service provider (the management center), formatted as a URL. To create this, append the string
/saml/metadata to the management center login URL, such as https://ExampleFMC/saml/metadata.
• Single Sign on URL, Recipient URL, Assertion Consumer Service URL: The service provider
(management center) address to which the browser sends information on behalf of the IdP. To create
this, append the string /saml/acs to the management center login URL, such as
https://ExampleFMC/saml/acs.
• X.509 Certificate: Certificate to secure communications between the management center and the IdP.
Some IdPs may automatically generate the certificate, and some may require that you explicitly generate
it using the IdP interface.
Step 3
(Optional if you are assigning groups to the application) Assign individual users to the management center
application. (If you plan to assign groups to the management center application, do not assign members of
those groups as individuals.)
Step 4
(Optional if you are assigning individual users to the application.) Assign user groups to the management
center application.
Step 5
(Optional) Some IdP's provide the ability to generate a SAML XML metadata file containing the information
you have configured in this task formatted to comply with SAML 2.0 standards. If your IdP provides this
ability, you can download the file to your local computer to ease the SSO configuration process at the
management center.
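Step 2 above, like Step 2 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, derives two values from the management center login URL. The Go program below is an added example, not code from this guide or from the management center: it performs that derivation and renders the result as the SAML 2.0 service provider metadata an IdP would consume, so you can see what the Entity ID, the HTTP-POST Assertion Consumer Service and the email-address NameID format look like in the standard's own terms. The struct layout is this example's own; only the namespace and binding URIs are from the OASIS SAML 2.0 specifications.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// URIs from the OASIS SAML 2.0 metadata, protocol and bindings specifications.
const (
	samlProtocol = "urn:oasis:names:tc:SAML:2.0:protocol"
	httpPost     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	emailNameID  = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
)

type acsService struct {
	Binding   string `xml:"Binding,attr"`
	Location  string `xml:"Location,attr"`
	Index     int    `xml:"index,attr"`
	IsDefault bool   `xml:"isDefault,attr"`
}

type spDescriptor struct {
	WantAssertionsSigned bool       `xml:"WantAssertionsSigned,attr"`
	ProtocolSupport      string     `xml:"protocolSupportEnumeration,attr"`
	NameIDFormat         string     `xml:"NameIDFormat"`
	ACS                  acsService `xml:"AssertionConsumerService"`
}

// entityDescriptor is this example's own minimal model of SP metadata.
type entityDescriptor struct {
	XMLName  xml.Name     `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string       `xml:"entityID,attr"`
	SP       spDescriptor `xml:"SPSSODescriptor"`
}

// SPEndpoints derives the two URLs Step 2 asks for from the management center
// login URL: entity ID = login URL + /saml/metadata and ACS = login URL + /saml/acs.
// The login URL must be https, and a trailing slash is dropped so that
// "https://ExampleFMC/" and "https://ExampleFMC" yield identical values.
func SPEndpoints(loginURL string) (entityID, acsURL string, err error) {
	u, err := url.Parse(loginURL)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", "", fmt.Errorf("login URL must be https://host[:port]: %q", loginURL)
	}
	base := strings.TrimRight(loginURL, "/")
	return base + "/saml/metadata", base + "/saml/acs", nil
}

// BuildSPMetadata renders SP metadata equivalent to the fields configured at the
// IdP: the entity ID, an HTTP-POST assertion consumer service, and the
// emailAddress NameID format that the notes above require.
func BuildSPMetadata(loginURL string) ([]byte, error) {
	entityID, acs, err := SPEndpoints(loginURL)
	if err != nil {
		return nil, err
	}
	doc := entityDescriptor{
		EntityID: entityID,
		SP: spDescriptor{
			WantAssertionsSigned: true,
			ProtocolSupport:      samlProtocol,
			NameIDFormat:         emailNameID,
			ACS:                  acsService{Binding: httpPost, Location: acs, Index: 0, IsDefault: true},
		},
	}
	out, err := xml.MarshalIndent(doc, "", "  ")
	if err != nil {
		return nil, err
	}
	return append([]byte(xml.Header), out...), nil
}

func main() {
	md, err := BuildSPMetadata("https://ExampleFMC")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(md))
}
```

The https check matters because the IdP posts the signed assertion to the ACS location exactly as configured; a login URL that differs from the one users actually type (see the note about multiple URLs above) produces an ACS value the browser will never reach.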
What to do next
Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider
Use these instructions at the management center web interface. To configure the management center for SSO
using any SAML 2.0-compliant SSO provider, you need information from the IdP.
Before you begin
• Review the organization of your SSO federation, and its users and groups.
• Configure a management center service provider application at the IdP; see Configure the Management
Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.
• Gather the following SSO configuration information for the service provider application from the IdP.
Because different SSO service providers use different terminology for SAML concepts, this list provides
alternate names for these fields to help you find the right values in the IdP application:
• Identity Provider Single Sign-On URL, Login URL: The IdP URL where the browser sends
information on behalf of the management center.
• Identity Provider Issuer, Identity Provider Issuer URL, Issuer URL: A globally unique name for the
IdP, often formatted as a URL.
• An X.509 digital certificate to secure communications between the management center and the IdP.
• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.
Procedure
Step 1
(This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the
Configure SAML Metadata dialog, you have two choices:
• To enter the SSO configuration information manually:
a. Click the Manual Configuration radio button.
b. Enter the following values previously obtained from the SSO Service Provider application:
• Identity Provider Single Sign-On URL
• Identity Provider Issuer
• X.509 Certificate
• If you saved the XML metadata file generated at the IdP (Step 5 in Configure Management Center
Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175), you can upload
the file to the management center:
a. Click the Upload XML File radio button.
b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local
computer.
Step 2
Click Next.
Step 3
At the Verify Metadata dialog, review the configuration parameters and click Save.
Step 4
Click Test Configuration. If the system displays an error message, review the SSO configuration for the
management center as well as the service provider application configuration at the IdP, correct any errors,
and try again.
Step 5
When the system reports a successful configuration test, click Apply.
What to do next
You may optionally configure user role mapping for SSO users; see Configure User Role Mapping at the
Management Center for SAML 2.0-Compliant SSO Providers, on page 178. If you choose not to configure
role mapping, by default all SSO users that log into the management center are assigned the default user role
you configure in Step 4 of Configure User Role Mapping at the Management Center for SAML 2.0-Compliant
SSO Providers, on page 178.
Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers
To implement SAML SSO user role mapping, you must establish coordinated configurations at the IdP and
at the management center.
• At the IdP, establish user or group attributes to convey user role information and assign values to them;
the IdP sends these to the management center once it has authenticated and authorized an SSO user.
• At the management center, associate values with each of the management center user roles you want to
assign to users.
When the IdP sends the management center the user or group attribute associated with an authorized user, the
management center compares the attribute value against values associated with each management center user
role, and assigns the user all the roles that produce a match. The management center performs this comparison
treating both values as regular expressions complying with the restricted version of Google's RE2 regular
expression standard supported by Golang and Perl.
The fields to configure for user role mapping at the management center web interface are the same regardless
of your choice of SSO provider. But the values you configure must take into account how the SAML SSO
provider you use implements user role mapping. Your IdP may enforce syntactical limitations on user or
group attributes; if so, you must devise a user role mapping scheme using role names and regular expressions
compatible with those requirements.
Before you begin
• Configure an SSO service provider application for the management center; see Configure Management
Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.
• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the
Management Center, on page 132, and Configure the Management Center for SSO Using Any SAML
2.0-Compliant SSO Provider, on page 177.
Procedure
Step 1
Choose System > Users.
Step 2
Click the Single Sign-On tab.
Step 3
Expand Advanced Configuration (Role Mapping).
Step 4
Select the management center user role to assign to users by default from the Default User Role drop-down.
Step 5
Enter a Group Member Attribute. This string must match an attribute name configured for user role mapping
(by user or by group) in the management center service provider application at the IdP. (See Step 1 of
Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.)
Step 6
Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The
management center uses a restricted version of Google's RE2 regular expression standard supported by Golang
and Perl.) The management center compares these values against the user role mapping attribute value the
IdP sends to the management center with SSO user information. The management center grants users a union
of all the roles for which a match is found.
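The comparison described above (each role's RE2 expression is matched against the attribute value the IdP sends, the user receives the union of matching roles, and the Step 4 default role applies when nothing matches), worked through in Go as an added example; this is not Cisco's implementation, Go's regexp package is simply an RE2 engine. It assumes the configured expression is the pattern and the attribute value the subject, and uses a constructed memberOf attribute (group names FMC-Admin-Readers and FMC-Analysts) to show why an unanchored expression grants a role more widely than intended.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RoleMapping models the settings under System > Users > Single Sign-On >
// Advanced Configuration (Role Mapping). The type and field names are this
// example's own, not the product's.
type RoleMapping struct {
	DefaultRole    string            // Step 4: granted when no expression matches
	GroupAttribute string            // Step 5: SAML attribute carrying role information
	RolePatterns   map[string]string // Step 6: management center role -> RE2 expression
}

// RolesFor returns the union of all roles whose expression matches any value of
// the configured attribute, or the default role alone when nothing matches.
// Assumption: the role's configured expression is the pattern and the IdP
// attribute value is the subject string.
func RolesFor(m RoleMapping, attrs map[string][]string) ([]string, error) {
	values := attrs[m.GroupAttribute] // nil when the IdP did not send the attribute
	granted := map[string]bool{}
	for role, expr := range m.RolePatterns {
		re, err := regexp.Compile(expr) // RE2 syntax
		if err != nil {
			return nil, fmt.Errorf("role %q: invalid RE2 expression %q: %w", role, expr, err)
		}
		for _, v := range values {
			if re.MatchString(v) {
				granted[role] = true
				break
			}
		}
	}
	if len(granted) == 0 {
		return []string{m.DefaultRole}, nil
	}
	roles := make([]string, 0, len(granted))
	for r := range granted {
		roles = append(roles, r)
	}
	sort.Strings(roles) // deterministic order for display and comparison
	return roles, nil
}

// LooseMapping uses an unanchored expression for Administrator: "Admin" also
// matches any group whose name merely contains that word.
func LooseMapping() RoleMapping {
	return RoleMapping{
		DefaultRole:    "Security Analyst (Read Only)",
		GroupAttribute: "memberOf",
		RolePatterns: map[string]string{
			"Administrator":    "Admin",
			"Security Analyst": "^FMC-Analysts$",
			"Maintenance User": "^FMC-Maint$",
		},
	}
}

// StrictMapping anchors every expression to one exact group name, so a group
// such as FMC-Admin-Readers cannot be mistaken for the administrators' group.
func StrictMapping() RoleMapping {
	m := LooseMapping()
	m.RolePatterns["Administrator"] = "^FMC-Admin$"
	return m
}

// SampleAssertion is a constructed set of SAML attribute values as an IdP
// might send them for one user; it is not captured from a real IdP.
func SampleAssertion() map[string][]string {
	return map[string][]string{
		"memberOf": {"FMC-Admin-Readers", "FMC-Analysts"},
		"mail":     {"user@example.com"},
	}
}

func main() {
	for name, m := range map[string]RoleMapping{"loose": LooseMapping(), "strict": StrictMapping()} {
		roles, err := RolesFor(m, SampleAssertion())
		fmt.Printf("%-6s mapping -> roles %v (err: %v)\n", name, roles, err)
	}
}
```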
What to do next
Configure user role mapping at the service provider application; see Configure Management Center User Role
Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.
Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers
The detailed steps for configuring user role mapping are different for each IdP. You must determine how to
create a custom user or group attribute for the service provider application, and assign values to the attribute
for each user or group at the IdP to convey user or group privileges to the management center. Keep in mind
the following:
• If your IdP imports user or group profiles from a third-party user management application (such as Active
Directory, LDAP, or RADIUS), this may affect how you can use attributes for role mapping.
• Take into account user and group role definitions throughout your SSO federation.
• The management center cannot support role mapping using multiple SSO attributes; you must select
either user role mapping or group role mapping and configure a single attribute to convey user role
information from the IdP to the management center.
• Group role mapping is generally more efficient for a management center with many users.
• If you assign user groups to management center applications, do not also assign users within those groups
as individuals.
• For the purpose of determining a match with management center user roles, the management center treats
user and group role attribute values received from the IdP as regular expressions complying with the
restricted version of Google's RE2 regular expression standard supported by Golang and Perl. Your IdP
may enforce certain syntactical limitations on user or group attributes; if so, you must devise a user role
mapping scheme using role names and regular expressions compatible with those requirements.
Before you begin
• Confirm your IdP account has the necessary permissions to perform this task.
• Configure a management center service provider application at the IdP (see Configure Management
Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175).
Procedure
Step 1
At the IdP, create or designate an attribute to be sent to the management center to contain role mapping
information for each user sign-in. This may be a user attribute, a group attribute, or a different attribute that
obtains its value from a source such as user or group definitions maintained by the IdP or a third party user
management application.
Step 2
Configure how the attribute gets its value. Coordinate the possible values with the values associated with the
user roles in the management center SSO configuration.
Customize User Roles for the Web Interface
Each user account must be defined with a user role. This section describes how to manage user roles and how
to configure a custom user role for web interface access. For default user roles, see User Roles, on page 106.
Create Custom User Roles
Custom user roles can have any set of menu-based and system permissions, and may be completely original,
copied from a predefined or another custom user role, or imported from another device.
Note
Custom user roles that the system considers read-only for the purposes of concurrent session limits are
automatically labeled by the system with (Read Only) in the role name on the System > Users > Users
tab and the System > Users > User Roles tab. If a user role does not contain (Read Only) in the role
name, the system considers the role to be read/write.
When you create a custom role or modify an existing custom role, the system automatically applies (Read
Only) to the role name if all of the selected permissions for that role meet the required criteria for being
read-only. You cannot make a role read-only by adding that text string manually to the role name. For more
information on concurrent session limits, see Global User Configuration Settings, on page 89.
Caution
Users with menu-based User Management permissions have the ability to elevate their own privileges or
create new user accounts with extensive privileges, including the Administrator user role. For system security
reasons we strongly recommend you restrict the list of users with User Management permissions appropriately.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click User Roles.
Step 3
Add a new user role with one of the following methods:
• Click Create User Role.
• Click the Copy icon next to the user role you want to copy.
• Import a custom user role from another device:
a. On the old device, click the Export icon to save the role to your PC.
b. On the new device, choose System > Tools > Import/Export.
c. Click Upload Package, then follow the instructions to import the saved user role to the new device.
Step 4
Enter a Name for the new user role. User role names are case sensitive.
Step 5
(Optional) Add a Description.
Step 6
Choose Menu-Based Permissions for the new role.
When you choose a permission, all of its children are chosen, and the multi-value permissions use the first
value. If you clear a high-level permission, all of its children are cleared also. If you choose a permission but
not its children, it appears in italic text.
Copying a predefined user role to use as the base for your custom role preselects the permissions associated
with that predefined role.
You can apply restrictive searches to a custom user role. These searches constrain the data a user can see in
the tables on the pages available under the Analysis menu. You can configure a restrictive search by first
creating a private saved search and selecting it from the Restrictive Search drop-down menu under the
appropriate menu-based permission.
Step 7
(Optional) Check the External Database Access check box to set database access permissions for the new
role.
This option provides read-only access to the database using an application that supports JDBC SSL connections.
For the third-party application to authenticate to the device, you must enable database access in the system
settings.
Step 8
(Optional) To set escalation permissions for the new user role, see Enable User Role Escalation, on page 183.
Step 9
Click Save.
Example
You can create custom user roles for access control-related features to designate whether users can
view and modify access control and associated policies.
The following table lists custom roles that you could create and user permissions granted for each
example. The table lists the privileges required for each custom role. In this example, Policy Approvers
can view (but not modify) access control and intrusion policies. They can also deploy configuration
changes to devices.
Table 7: Sample Access Control Custom Roles

Permission                         Example: Access Control Editor   Example: Intrusion & Network Analysis Editor   Example: Policy Approver
Access Control                     yes                              no                                             yes
Access Control Policy              yes                              no                                             yes
Modify Access Control Policy       yes                              no                                             no
Intrusion Policy                   no                               yes                                            yes
Modify Intrusion Policy            no                               yes                                            no
Deploy Configuration to Devices    no                               no                                             yes
Deactivate User Roles
Deactivating a role removes that role and all associated permissions from any user who is assigned that role.
You cannot delete predefined user roles, but you can deactivate them.
In a multidomain deployment, the system displays custom user roles created in the current domain, which
you can edit. It also displays custom user roles created in ancestor domains, which you cannot edit. To view
and edit custom user roles in a lower domain, switch to that domain.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click User Roles.
Step 3
Click the slider next to the user role you want to activate or deactivate.
If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission
to modify the configuration.
If you deactivate, then reactivate, a role with Lights-Out Management while a user with that role is logged
in, or restore a user or user role from a backup during that user’s login session, that user must log back into
the web interface to regain access to IPMItool commands.
Enable User Role Escalation
You can give custom user roles the permission, with a password, to temporarily gain the privileges of another,
targeted user role in addition to those of the base role. This feature allows you to easily substitute one user
for another during an absence, or to more closely track the use of advanced user privileges. Default user roles
do not support escalation.
For example, a user whose base role has very limited privileges can escalate to the Administrator role to
perform administrative actions. You can configure this feature so that users can use their own passwords, or
so they use the password of another user that you specify. The second option allows you to easily manage
one escalation password for all applicable users.
To configure user role escalation, see the following workflow.
Procedure
Step 1
Set the Escalation Target Role, on page 183. Only one user role at a time can be the escalation target role.
Step 2
Configure a Custom User Role for Escalation, on page 184.
Step 3
(For the logged in user) Escalate Your User Role, on page 184.
Set the Escalation Target Role
You can assign any of your user roles, predefined or custom, to act as the system-wide escalation target role.
This is the role to which a custom role can escalate, if it has the ability. Only one user role at a time can be
the escalation target role. Each escalation lasts for the duration of a login session and is recorded in the audit
log.
Procedure
Step 1
Choose Integration > Users.
Step 2
Click User Roles.
Step 3
Click Configure Permission Escalation.
Step 4
Choose a user role from the Escalation Target drop-down list.
Step 5
Click OK to save your changes.
Changing the escalation target role is effective immediately. Users in escalated sessions now have the
permissions of the new escalation target.
Configure a Custom User Role for Escalation
Users for whom you want to enable escalation must belong to a custom user role with escalation enabled.
This procedure describes how to enable escalation for a custom user role.
Consider the needs of your organization when you configure the escalation password for a custom role. If
you want to easily manage many escalating users, you might want to choose another user whose password
serves as the escalation password. If you change that user’s password or deactivate that user, all escalating
users who require that password are affected. This action allows you to manage user role escalation more
efficiently, especially if you choose an externally-authenticated user that you can manage centrally.
Before you begin
Set a target user role according to Set the Escalation Target Role, on page 183.
Procedure
Step 1
Begin configuring your custom user role as described in Create Custom User Roles, on page 180.
Step 2
In System Permissions, choose the Set this role to escalate to: Maintenance User check box.
The current escalation target role is listed beside the check box.
Step 3
Choose the password that this role uses to escalate. You have two options:
• Choose Authenticate with the assigned user’s password if you want users with this role to use their
own passwords when they escalate.
• Choose Authenticate with the specified user’s password and enter that username if you want users
with this role to use the password of another user.
Note
When authenticating with another user’s password, you can enter any username, even that of
a deactivated or nonexistent user. Deactivating the user whose password is used for escalation
makes escalation impossible for users with the role that requires it. You can use this feature to
quickly remove escalation powers if necessary.
Step 4
Click Save.
Escalate Your User Role
When a user has an assigned custom user role with permission to escalate, that user can escalate to the target
role’s permissions at any time. Note that escalation has no effect on user preferences.
Procedure
Step 1
From the drop-down list under your user name, choose Escalate Permissions.
If you do not see this option, your administrator did not enable escalation for your user role.
Step 2
Enter the authentication password.
Step 3
Click Escalate. You now have all permissions of the escalation target role in addition to your current role.
Escalation lasts for the remainder of your login session. To return to the privileges of your base role only, you
must log out, then begin a new session.
Troubleshooting LDAP Authentication Connections
If you create an LDAP authentication object and it either does not succeed in connecting to the server you
select, or does not retrieve the list of users you want, you can tune the settings in the object.
If the connection fails when you test it, try the following suggestions to troubleshoot your configuration:
• Use the messages displayed at the top of the web interface screen and in the test output to determine
which areas of the object are causing the issue.
• Check that the user name and password you used for the object are valid:
• Check that you have the rights to browse to the directory indicated in your base-distinguished name
by connecting to the LDAP server using a third-party LDAP browser.
• Check that the user name is unique to the directory information tree for the LDAP server.
• If you see an LDAP bind error 49 in the test output, the user binding for the user failed. Try
authenticating to the server through a third-party application to see if the binding fails through that
connection as well.
• Check that you have correctly identified the server:
• Check that the server IP address or host name is correct.
• Check that you have TCP/IP access from your local appliance to the authentication server where
you want to connect.
• Check that access to the server is not blocked by a firewall and that the port you have configured
in the object is open.
• If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match
the host name used for the server.
• Check that you have not used an IPv6 address for the server connection if you are authenticating
CLI access.
• If you used server type defaults, check that you have the correct server type and click Set Defaults
again to reset the default values.
• If you typed in your base-distinguished name, click Fetch DNs to retrieve all the available base
distinguished names on the server, and select the name from the list.
• If you are using any filters, access attributes, or advanced settings, check that each is valid and typed
correctly.
• If you are using any filters, access attributes, or advanced settings, try removing each setting and testing
the object without it.
• If you are using a base filter or a CLI access filter, make sure that the filter is enclosed in parentheses
and that you are using a valid comparison operator (maximum 450 characters, including the enclosing
parentheses).
• To test a more restricted base filter, try setting it to the base distinguished name for the user to retrieve
just that user.
• If you are using an encrypted connection:
• Check that the name of the LDAP server in the certificate matches the host name that you use to
connect.
• Check that you have not used an IPv6 address with an encrypted server connection.
• If you are using a test user, make sure that the user name and password are typed correctly.
• If you are using a test user, remove the user credentials and test the object.
• Test the query that you are using by connecting to the LDAP server and using this syntax:
ldapsearch -x -b 'base_distinguished_name' \
  -h LDAPserver_ip_address -p port -v \
  -D 'user_distinguished_name' -W 'base_filter'
For example, if you are trying to connect to the security domain on myrtle.example.com using the
domainadmin@myrtle.example.com user and a base filter of (cn=*), you could test the connection using
this statement:
ldapsearch -x -b 'CN=security,DC=myrtle,DC=example,DC=com' \
  -h myrtle.example.com -p 389 -v \
  -D 'domainadmin@myrtle.example.com' -W '(cn=*)'
If you can test your connection successfully but authentication does not work after you deploy a platform
settings policy, check that authentication and the object you want to use are both enabled in the platform
settings policy that is applied to the device.
If you connect successfully but want to adjust the list of users retrieved by your connection, you can add or
change a base filter or CLI access filter or use a more restrictive or less restrictive base DN.
In rare cases, while authenticating a connection to an Active Directory (AD) server, the connection event log
indicates blocked LDAP traffic even though the connection to the AD server is successful. This incorrect
connection log occurs when the AD server sends a duplicate reset packet: the threat defense device identifies
the second reset packet as part of a new connection request and logs the connection with the Block action.
Configure User Preferences
Depending on your user role, you can specify certain preferences for your user account.
In a multidomain deployment, user preferences apply to all domains where your account has access. When
specifying home page and dashboard preferences, keep in mind that certain pages and dashboard widgets are
constrained by domain.
Changing Your Password
All user accounts are protected with a password. You can change your password at any time, and depending
on the settings for your user account, you may have to change your password periodically.
When password strength checking is enabled, passwords must comply with the strong password requirements
described in Guidelines and Limitations for User Accounts for Management Center, on page 110.
If you are an LDAP or a RADIUS user, you cannot change your password through the web interface.
Procedure
Step 1
From the drop-down list under your user name, choose User Preferences.
Step 2
Click Change Password.
Step 3
Optionally, check the Show password check box to see the password while using this dialog.
Step 4
Enter your Current Password.
Step 5
You have two options:
• Enter your new password for New Password and Confirm Password.
• Click Generate Password to have the system create a password for you that complies with the listed
criteria. (Generated passwords are non-mnemonic; take careful note of the password if you choose this
option.)
Step 6
Click Apply.
Changing an Expired Password
Depending on the settings for your user account, your password may expire. The password expiration time
period is set when your account is created. If your password has expired, the Password Expiration Warning
page appears.
Procedure
On the Password Expiration Warning page, you have two choices:
• Click Change Password to change your password now. If you have zero warning days left, you must
change your password.
Tip
When password strength checking is enabled, passwords must comply with the strong password
requirements described in Guidelines and Limitations for User Accounts for Management
Center, on page 110.
• Click Skip to change your password later.
Change the Web Interface Appearance
You can change the way the web interface appears.
Procedure
Step 1
From the drop-down list under your user name, choose User Preferences. The General tab displays by
default.
Step 2
Select a theme:
• Light
• Dusk
• Classic (the look and feel of releases earlier than 6.6)
Specifying Your Home Page
You can specify the page within the web interface to use as your home page for the appliance. The default
home page is the default dashboard (Overview > Dashboards), except for user accounts with no dashboard
access, such as External Database users. (See Specifying Your Default Dashboard, on page 193 to set the
default dashboard.)
In a multidomain deployment, the home page you choose applies to all domains where your user account has
access. When choosing a home page for an account that frequently accesses multiple domains, keep in mind
that certain pages are constrained to the Global domain.
Procedure
Step 1
From the drop-down list under your user name, choose User Preferences.
Step 2
Click Home Page.
Step 3
Choose the page you want to use as your home page from the drop-down list.
The options in the drop-down list are based on the access privileges for your user account. For more information,
see User Roles, on page 106.
Step 4
Click Save.
Configuring Event View Settings
Use the Event View Settings page to configure characteristics of event views on the Secure Firewall
Management Center. Note that some event view configurations are available only for specific user roles. Users
with the External Database User role can view parts of the event view settings user interface, but changing
those settings has no meaningful result.
Procedure
Step 1
From the drop-down list under your user name, choose User Preferences.
Step 2
Click Event View Settings.
Step 3
In the Event Preferences section, configure the basic characteristics of event views; see Event View
Preferences, on page 189.
Step 4
In the File Preferences section, configure file download preferences; see File Download Preferences, on page
190.
Step 5
In the Default Time Windows section, configure the default time window or windows; see Default Time
Windows, on page 191.
Step 6
In the Default Workflow sections, configure default workflows; see Default Workflows, on page 192.
Step 7
Click Save.
Event View Preferences
Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event
views. This section is available for all user roles, although it has little to no significance for users who cannot
view events.
The following fields appear in the Event Preferences section:
• The Confirm “All” Actions field controls whether the appliance forces you to confirm actions that affect
all events in an event view.
For example, if this setting is enabled and you click Delete All on an event view, you must confirm that
you want to delete all the events that meet the current constraints (including events not displayed on the
current page) before the appliance will delete them from the database.
• The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead
of IP addresses in event views.
Note that an event view may be slow to display if it contains a large number of IP addresses and you
have enabled this option. Note also that for this setting to take effect, you must configure a DNS server
in the management interfaces configuration in the system settings.
• The Expand Packet View field allows you to configure how the packet view for intrusion events appears.
By default, the appliance displays a collapsed version of the packet view:
• None - collapse all subsections of the Packet Information section of the packet view
• Packet Text - expand only the Packet Text subsection
• Packet Bytes - expand only the Packet Bytes subsection
• All - expand all sections
Regardless of the default setting, you can always manually expand the sections in the packet view to view
detailed information about a captured packet.
• The Rows Per Page field controls how many rows of events per page you want to appear in drill-down
pages and table views.
• The Refresh Interval field sets the refresh interval for event views in minutes. Entering 0 disables the
refresh option. Note that this interval does not apply to dashboards.
• The Statistics Refresh Interval controls the refresh interval for event summary pages such as the Intrusion
Event Statistics and Discovery Statistics pages. Entering 0 disables the refresh option. Note that this
interval does not apply to dashboards.
• The Deactivate Rules field controls which links appear on the packet view of intrusion events generated
by standard text rules:
• All Policies - a single link that deactivates the standard text rule in all the locally defined custom
intrusion policies
• Current Policy - a single link that deactivates the standard text rule in only the currently deployed
intrusion policy. Note that you cannot deactivate rules in the default policies.
• Ask - links for each of these options
To see these links on the packet view, your user account must have either Administrator or Intrusion Admin
access.
File Download Preferences
Use the File Preferences section of the Event View Settings page to configure basic characteristics of local
file downloads. This section is only available to users with the Administrator, Security Analyst, or Security
Analyst (Read Only) user roles.
Note that if your appliance does not support downloading captured files, these options are disabled.
The following fields appear in the File Preferences section:
• The Confirm ‘Download File’ Actions check box controls whether a File Download pop-up window
appears each time you download a file, displaying a warning and prompting you to continue or cancel.
Caution
Cisco strongly recommends you do not download malware, as it can cause adverse
consequences. Exercise caution when downloading any file, as it may contain
malware. Ensure you have taken any necessary precautions to secure the download
destination before downloading files.
Note that you can disable this option any time you download a file.
• When you download a captured file, the system creates a password-protected .zip archive containing the
file. The Zip File Password field defines the password you want to use to restrict access to the .zip file.
If you leave this field blank, the system creates archive files without passwords.
• The Show Zip File Password check box toggles displaying plain text or obfuscated characters in the
Zip File Password field. When this field is cleared, the Zip File Password displays obfuscated characters.
Default Time Windows
The time window, sometimes called the time range, imposes a time constraint on the events in any event view.
Use the Default Time Windows section of the Event View Settings page to control the default behavior of
the time window.
User role access to this section is as follows:
• Administrators and Maintenance Users can access the full section.
• Security Analysts and Security Analysts (Read Only) can access all options except Audit Log Time
Window.
• Access Admins, Discovery Admins, External Database Users, Intrusion Admins, Network Admins, and
Security Approvers can access only the Events Time Window option.
Note that, regardless of the default time window setting, you can always manually change the time window
for individual event views during your event analysis. Also, keep in mind that time window settings are valid
for only the current session. When you log out and then log back in, time windows are reset to the defaults
you configured on this page.
There are three types of events for which you can set the default time window:
• The Events Time Window sets a single default time window for most events that can be constrained by
time.
• The Audit Log Time Window sets the default time window for the audit log.
• The Health Monitoring Time Window sets the default time window for health events.
You can only set time windows for event types your user account can access. All user types can set event
time windows. Administrators, Maintenance Users, and Security Analysts can set health monitoring time
windows. Administrators and Maintenance Users can set audit log time windows.
Note that because not all event views can be constrained by time, time window settings have no effect on
event views that display hosts, host attributes, applications, clients, vulnerabilities, user identity, or compliance
allow list violations.
You can either use Multiple time windows, one for each of these types of events, or you can use a Single
time window that applies to all events. If you use a single time window, the settings for the three types of
time window disappear and a new Global Time Window setting appears.
There are three types of time window:
• static, which displays all the events generated from a specific start time to a specific end time
• expanding, which displays all the events generated from a specific start time to the present; as time moves
forward, the time window expands and new events are added to the event view
• sliding, which displays all the events generated from a specific start time (for example, one day ago) to
the present; as time moves forward, the time window “slides” so that you see only the events for the
range you configured (in this example, for the last day)
The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM
on January 19, 2038 (UTC).
The following options appear in the Time Window Settings drop-down list:
• The Show the Last - Sliding option allows you to configure a sliding default time window of the length
you specify.
The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to
the present. As you change event views, the time window “slides” so that you always see events from
the last hour.
• The Show the Last - Static/Expanding option allows you to configure either a static or expanding
default time window of the length you specify.
For static time windows, enable the Use End Time check box. The appliance displays all the events
generated from a specific start time (for example, 1 hour ago) to the time when you first viewed the
events. As you change event views, the time window stays fixed so that you see only the events that
occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the
events generated from a specific start time (for example, 1 hour ago) to the present. As you change event
views, the time window expands to the present time.
• The Current Day - Static/Expanding option allows you to configure either a static or expanding default
time window for the current day. The current day begins at midnight, based on the time zone setting for
your current session.
For static time windows, enable the Use End Time check box. The appliance displays all the events
generated from midnight to the time when you first viewed the events. As you change event views, the
time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the
events generated from midnight to the present. As you change event views, the time window expands to
the present time. Note that if your analysis continues for over 24 hours before you log out, this time
window can be more than 24 hours.
• The Current Week - Static/Expanding option allows you to configure either a static or expanding
default time window for the current week. The current week begins at midnight on the previous Sunday,
based on the time zone setting for your current session.
For static time windows, enable the Use End Time check box. The appliance displays all the events
generated from midnight to the time when you first viewed the events. As you change event views, the
time window stays fixed so that you see only the events that occurred during the static time window.
For expanding time windows, disable the Use End Time check box. The appliance displays all the
events generated from midnight Sunday to the present. As you change event views, the time window
expands to the present time. Note that if your analysis continues for over 1 week before you log out, this
time window can be more than 1 week.
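To make the static, expanding and sliding behaviors concrete, here is an added Python model (not code from the guide) that computes the window an event view shows at a given moment in a session; the option constants, the session time zone parameter and the sample times are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Tuple

# Hard bounds the guide gives for any time window (UTC).
WINDOW_MIN = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOW_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# Names of the Time Window Settings options (constants assumed for this example).
LAST_SLIDING = "Show the Last - Sliding"
LAST_STATIC_EXPANDING = "Show the Last - Static/Expanding"
CURRENT_DAY = "Current Day - Static/Expanding"
CURRENT_WEEK = "Current Week - Static/Expanding"


@dataclass(frozen=True)
class TimeWindowSetting:
    option: str
    length: timedelta = timedelta(hours=1)  # used by the "Show the Last" options only
    use_end_time: bool = False              # check box: checked = static, cleared = expanding


def period_start(option: str, first_viewed: datetime, session_tz: tzinfo) -> datetime:
    """Midnight that opens the current day or week, in the session's time zone."""
    local = first_viewed.astimezone(session_tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    if option == CURRENT_WEEK:
        # The week begins at midnight on the previous Sunday (weekday() is 6 for Sunday).
        midnight -= timedelta(days=(local.weekday() + 1) % 7)
    return midnight.astimezone(timezone.utc)


def effective_window(setting: TimeWindowSetting, first_viewed: datetime,
                     now: datetime, session_tz: tzinfo) -> Tuple[datetime, datetime]:
    """Start and end (UTC) of the window an event view shows at `now`, given that
    the events were first viewed at `first_viewed` in the same session."""
    if setting.option == LAST_SLIDING:
        start, end = now - setting.length, now            # slides with every view
    elif setting.option == LAST_STATIC_EXPANDING:
        start = first_viewed - setting.length
        end = first_viewed if setting.use_end_time else now  # fixed or grows to the present
    elif setting.option in (CURRENT_DAY, CURRENT_WEEK):
        start = period_start(setting.option, first_viewed, session_tz)
        end = first_viewed if setting.use_end_time else now  # may exceed 24 h / 1 week
    else:
        raise ValueError(f"unknown option {setting.option!r}")
    # Clamp to the maximum range the guide allows.
    return max(start, WINDOW_MIN), min(end, WINDOW_MAX)
```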
Default Workflows
A workflow is a series of pages displaying data that analysts use to evaluate events. For each event type, the
appliance ships with at least one predefined workflow. For example, as a Security Analyst, depending on the
type of analysis you are performing, you can choose among ten different intrusion event workflows, each of
which presents intrusion event data in a different way.
The appliance is configured with a default workflow for each event type. For example, the Events by Priority
and Classification workflow is the default for intrusion events. This means whenever you view intrusion
events (including reviewed intrusion events), the appliance displays the Events by Priority and Classification
workflow.
You can, however, change the default workflow for each event type. The default workflows you are able to
configure depend on your user role. For example, intrusion event analysts cannot set default discovery event
workflows.
Setting Your Default Time Zone
This setting determines the times displayed in the web interface for your user account only, for things like
task scheduling and viewing dashboards. This setting does not change the system time or affect any other
user, and does not affect data stored in the system, which generally uses UTC.
Warning
The Time Zone function (in User Preferences) assumes that the system clock is set to UTC time. DO NOT
ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time from UTC is NOT supported,
and doing so will require you to reimage the device to recover from an unsupported state.
Note
This feature does not affect the time zone used for time-based policy application. Set the time zone for a device
in Devices > Platform Settings.
Procedure
Step 1
From the drop-down list under your user name, choose User Preferences.
Step 2
Click Time Zone.
Step 3
Choose the continent or area that contains the time zone you want to use.
Step 4
Choose the country and state name that corresponds with the time zone you want to use.
Specifying Your Default Dashboard
The default dashboard appears when you choose Overview > Dashboards. Unless changed, the default
dashboard for all users is the Summary dashboard. You can change the default dashboard if your user role is
Administrator, Maintenance, or Security Analyst.
In a multidomain deployment, the default dashboard you choose applies to all domains where your user
account has access. When choosing a dashboard for an account that frequently accesses multiple domains,
keep in mind that certain dashboard widgets are constrained by domain.
Procedure
Step 1
From the drop-down list under your user name, choose User Preferences.
Step 2
Click Dashboard Settings.
Step 3
Choose the dashboard you want to use as your default from the drop-down list. If you choose None, when
you select Overview > Dashboards, you can then choose a dashboard to view.
Step 4
Click Save.
History for Users
Feature: Support for the Service-Type attribute for threat defense users defined on the RADIUS server
Version: 6.4
Details: For RADIUS authentication of threat defense CLI users, you used to have to pre-define the usernames
in the RADIUS external authentication object and manually make sure that the list matched usernames defined
on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute
and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter
blank in the external authentication object.
New/Modified screens: System > Users > External Authentication > Add External Authentication Object >
Shell Access Filter
Supported platforms: threat defense

Feature: External Authentication for threat defense SSH Access
Version: 6.2.3
Details: You can now configure external authentication for SSH access to the threat defense using LDAP or
RADIUS.
New/Modified screens: Devices > Platform Settings > External Authentication
Supported platforms: threat defense
CHAPTER
5
Domains
The following topics describe how to manage multitenancy using domains:
• Introduction to Multitenancy Using Domains, on page 195
• Requirements and Prerequisites for Domains, on page 198
• Managing Domains, on page 198
• Creating New Domains, on page 199
• Moving Data Between Domains, on page 200
• Moving Devices Between Domains, on page 201
• History for Domain Management, on page 202
Introduction to Multitenancy Using Domains
The management center allows you to implement multitenancy using domains. Domains segment user access
to managed devices, configurations, and events. You can create up to 100 subdomains under a top-level Global
domain, in two or three levels.
When you log into the management center, you log into a single domain, called the current domain. Depending
on your user account, you may be able to switch to other domains.
In addition to any restrictions imposed by your user role, your current domain level can also limit your ability
to modify various configurations. The management center limits most management tasks, like system software
updates, to the Global domain.
The management center limits other tasks to leaf domains, which are domains with no subdomains. For
example, you must associate each managed device with a leaf domain, and perform device management tasks
from the context of that leaf domain. Note that each device can only belong to a single domain.
Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain’s
devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated
with the device's leaf domain.
One Domain Level: Global
If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain,
which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific
configurations and analysis options until you add subdomains.
Two Domain Levels: Global and Second-Level
In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example,
a managed security service provider (MSSP) can use a single management center to manage network security
for multiple customers:
• Administrators at the MSSP logging into the Global domain cannot view or edit customers' deployments.
They must log into the respective second-level named subdomains to manage the customers' deployments.
• Administrators for each customer can log into second-level named subdomains to manage only the
devices, configurations, and events applicable to their organizations. These local administrators cannot
view or affect the deployments of other customers of the MSSP.
Three Domain Levels: Global, Second-Level, and Third-Level
In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its
own subdomain. To extend the previous example, consider a scenario where an MSSP customer—already
restricted to a subdomain—wants to further segment its deployment. This customer wants to separately manage
two classes of device: devices placed on network edges and devices placed internally:
• Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's
edge network deployments. They must log into the respective leaf domain to manage the devices deployed
on the network edge.
• Administrators for the customer’s edge network can log into a third-level (leaf) domain to manage only
the devices, configurations, and events applicable to devices deployed on the network edge. Similarly,
administrators for the customer’s internal network can log into a different third-level domain to manage
internal devices, configurations, and events. Edge and internal administrators cannot view each other's
deployment.
Note
In a management center that uses multitenancy, the SSO configuration can be applied only at the Global
domain level, and applies to the Global domain and all subdomains.
Related Topics
Configure SAML Single Sign-On, on page 129
Domains Terminology
This documentation uses the following terms when describing domains and multidomain deployments:
Global Domain
In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices,
configurations, and events belong to the Global domain. Administrators in the Global domain can manage
the entire Firepower System deployment.
Subdomain
A second or third-level domain.
Second-level domain
A child of the Global domain. Second-level domains can be leaf domains, or they can have subdomains.
Third-level domain
A child of a second-level domain. Third-level domains are always leaf domains.
Leaf domain
A domain with no subdomains. Each device must belong to a leaf domain.
Descendant domain
A domain descending from the current domain in the hierarchy.
Child domain
A domain’s direct descendant.
Ancestor domain
A domain from which the current domain descends.
Parent domain
A domain’s direct ancestor.
Sibling domain
A domain with the same parent.
Current domain
The domain you are logged into now. The system displays the name of the current domain before your
user name at the top right of the web interface. Unless your user role is restricted, you can edit
configurations in the current domain.
Domain Properties
To modify a domain's properties, you must have Administrator access in that domain's parent domain.
Name and Description
Each domain must have a unique name within its hierarchy. A description is optional.
Parent Domain
Second- and third-level domains have a parent domain. You cannot change a domain's parent after you
create the domain.
Devices
Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices,
but not both. You cannot save a deployment where a non-leaf domain directly controls a device.
In the domain editor, the web interface displays available and selected devices according to their current
place in your domain hierarchy.
Host Limit
The number of hosts the management center can monitor, and therefore store in network maps, depends
on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts,
but have separate network maps.
To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain
level. If you set a domain's host limit to 0, the domain shares in the general pool.
Setting the host limit has a different effect at each domain level:
• Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can
monitor.
• Second Level — For a second-level domain that manages third-level leaf domains, a host limit
represents the total number of hosts that the leaf domains can monitor. The leaf domains share the
pool of available hosts.
• Global — For the Global domain, the host limit is equal to the total number of hosts the management
center can monitor. You cannot change it.
The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example,
if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit
of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.
The network discovery policy controls what happens when you detect a new host after you reach the
host limit; you can drop the new host, or replace the host that has been inactive for the longest time.
Because each leaf domain has its own network discovery policy, each leaf domain governs its own
behavior when the system discovers a new host.
If you reduce the host limit for a domain and its network map contains more hosts than the new limit,
the system deletes the hosts that have been inactive the longest.
Related Topics
Host Limit
Network Discovery Data Storage Settings
Requirements and Prerequisites for Domains
Model Support
Any.
Supported Domains
Any.
User Roles
• Admin
Managing Domains
To modify a domain's properties, you must have Administrator access in that domain's parent domain.
Procedure
Step 1
Choose System ( ) > Domains.
Step 2
Manage your domains:
• Add — Click Add Domain, or click Add Subdomain next to the parent domain; see Creating New
Domains, on page 199.
• Edit — Click Edit ( ) next to the domain you want to modify; see Domain Properties, on page 197.
• Delete — Click Delete ( ) next to the empty domain you want to delete, then confirm your choice.
Move devices from domains you want to delete by editing their destination domain.
Step 3
When you are done making changes to the domain structure and all devices are associated with leaf domains,
click Save to implement your changes.
Step 4
If prompted, make additional changes:
• If you changed a leaf domain to a parent domain, move or delete the old network map; see Moving Data
Between Domains, on page 200.
• If you moved devices between domains and must assign new policies and security zones or interface
groups, see Moving Devices Between Domains, on page 201.
What to do next
• Configure user roles and policies (access control, network discovery, and so on) for any new domains.
Update device properties as needed.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
Creating New Domains
You can create up to 100 subdomains under a top-level Global domain, in two or three levels.
You must assign all devices to a leaf domain before you can implement the domain configuration. When you
add a subdomain to a leaf domain, the domain stops being a leaf domain and you must reassign its devices.
Procedure
Step 1
In a Global or a second-level domain, choose System ( ) > Domains.
Step 2
Click Add Domain, or click Add Subdomain next to the parent domain.
Step 3
Enter a Name and Description.
Step 4
Choose a Parent Domain.
Step 5
On Devices, choose the Available Devices to add to the domain, then click Add to Domain or drag and drop
into the list of Selected Devices.
Step 6
Optionally, click Advanced to limit the number of hosts the new domain may monitor; see Domain Properties,
on page 197.
Click Save to return to the domain management page.
Step 7
The system warns you if any devices are assigned to non-leaf domains. Click Create New Domain to create
a new domain for those devices. Click Keep Unassigned if you plan to move the devices to existing domains.
Step 8
When you are done making changes to the domain structure and all devices are associated with leaf domains,
click Save to implement your changes.
Step 9
If prompted, make additional changes:
• If you changed a leaf domain to a parent domain, move or delete the old network map; see Moving Data
Between Domains, on page 200.
• If you moved devices between domains and must assign new policies and security zones or interface
groups, see Moving Devices Between Domains, on page 201.
What to do next
• Configure user roles and policies (access control, network discovery, and so on) for any new domains.
Update device properties as needed.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
Moving Data Between Domains
Because events and network maps are associated with leaf domains, when you change a leaf domain to a
parent domain, you have two choices:
• Move the network map and associated events to a new leaf domain.
• Delete the network map but retain the events. In this case, the events remain associated with the parent
domain until the system prunes events as needed or as configured. Or, you can delete old events manually.
Before you begin
Implement a domain configuration where a former leaf domain is now a parent domain; see Managing Domains,
on page 198.
Procedure
Step 1
For each former leaf domain that is now a parent domain:
• Choose a new Leaf Domain to inherit the Parent Domain's events and network map.
• Choose None to delete the parent domain's network map, but retain old events.
Step 2
Click Save.
What to do next
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
Moving Devices Between Domains
You can move devices between domains when you are in the global domain or a second-level domain. Moving
a device between domains can affect the configurations and policies applied to the device. The system
automatically retains and updates what it can. It deletes what it cannot update, namely, object overrides,
dynamic routing configuration, static routes, IP pool associated with the diagnostic interface, and DDNS.
When you assign a remote access VPN policy to a device, you can move the device from one domain to
another, only if the target domain is a descendant of the domain in which remote access VPN is configured.
You can move the device into any child domain without deleting the enrolled certificate on the device.
Specifically:
• If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new
health policy.
• If the access control policy assigned to a moved device is not valid or accessible in the new domain,
choose a new policy. Every device must have an assigned access control policy.
• If the interfaces on the moved device belong to a security zone that is inaccessible in the new domain,
you can choose a new zone.
• Interfaces are removed from:
• Security zones that are inaccessible in the new domain and not used in an access control policy.
• All interface groups.
If devices require a policy update but you do not need to move interfaces between zones, the system displays
a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a
security zone configured in a common ancestor domain, you do not need to update zone configurations when
you move devices from subdomain to subdomain.
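The hierarchy rules from Domain Properties (two or three levels, at most 100 subdomains, devices only in leaf domains, host limits) and the accessibility rule above (a zone, policy or remote access VPN stays usable only from the domain it was configured in or a descendant) can be checked with a small model. This is an added Python example, not code from the guide or the product; the domain names, device names and host limits are constructed, and the effective-host-limit computation is one reading of the guide's rules, not a documented algorithm.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

MAX_SUBDOMAINS = 100   # subdomains under Global
MAX_LEVELS = 3         # Global, second-level, third-level


@dataclass(eq=False)   # identity equality: domains refer to each other
class Domain:
    name: str
    parent: Optional["Domain"] = None
    host_limit: int = 0                      # 0 = share the pool; Global holds the capacity
    children: List["Domain"] = field(default_factory=list)
    devices: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    @property
    def level(self) -> int:
        return 1 if self.parent is None else self.parent.level + 1

    @property
    def is_leaf(self) -> bool:
        return not self.children

    def lineage(self) -> List["Domain"]:
        """This domain, then its parent, grandparent, ... up to Global."""
        chain, d = [], self
        while d is not None:
            chain.append(d)
            d = d.parent
        return chain

    def walk(self) -> Iterator["Domain"]:
        yield self
        for child in self.children:
            yield from child.walk()


def find(root: Domain, name: str) -> Domain:
    return next(d for d in root.walk() if d.name == name)


def validate_hierarchy(global_domain: Domain) -> List[str]:
    """Check the structural rules in Domain Properties; one message per violation."""
    problems: List[str] = []
    domains = list(global_domain.walk())
    if len(domains) - 1 > MAX_SUBDOMAINS:
        problems.append(f"{len(domains) - 1} subdomains exceed the maximum of {MAX_SUBDOMAINS}")
    names = [d.name for d in domains]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"domain name {dup!r} is not unique within the hierarchy")
    for d in domains:
        if d.level > MAX_LEVELS:
            problems.append(f"{d.name}: level {d.level} exceeds the {MAX_LEVELS}-level limit")
        if d.devices and not d.is_leaf:
            problems.append(f"{d.name}: non-leaf domain directly controls devices {d.devices}")
    return problems


def effective_host_limit(leaf: Domain) -> int:
    """Hosts a leaf can monitor: the tightest non-zero limit on the way up to Global,
    whose own limit is the management center's total capacity. Sibling limits may add
    up to more than the parent's, so this is a cap, not a reservation (assumed reading)."""
    return min(d.host_limit for d in leaf.lineage() if d.host_limit > 0)


def usable_in(object_domain: Domain, target: Domain) -> bool:
    """A zone, policy or remote access VPN configured in `object_domain` stays usable for
    a device in `target` only if `object_domain` is `target` or one of its ancestors."""
    return object_domain in target.lineage()


def build_sample() -> Domain:
    """Constructed MSSP layout: Global (capacity 150,000) with two customers, one of
    which is split into edge and internal leaf domains."""
    g = Domain("Global", host_limit=150_000)
    a = Domain("CustomerA", parent=g, host_limit=100_000)
    Domain("CustomerA-Edge", parent=a, devices=["ftd-edge-1"])
    Domain("CustomerA-Internal", parent=a, host_limit=40_000, devices=["ftd-int-1"])
    Domain("CustomerB", parent=g, host_limit=100_000, devices=["ftd-b-1"])
    return g


if __name__ == "__main__":
    root = build_sample()
    print("violations:", validate_hierarchy(root))            # []
    edge = find(root, "CustomerA-Edge")
    print("edge host cap:", effective_host_limit(edge))        # 100000
    print("Global zone usable at edge:", usable_in(root, edge))  # True
```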
Before you begin
• Implement a domain configuration where you moved a device from domain to domain and now must
assign new policies and security zones; see Managing Domains, on page 198.
Procedure
Step 1
In the Move Devices dialog box, under Select Device(s) to Configure, check the device you want to configure.
Check multiple devices to assign the same health and access control policies.
Step 2
Choose an Access Control Policy to apply to the device, or choose New Policy to create a new policy.
Step 3
Choose a Health Policy to apply to the device, or choose None to leave the device without a health policy.
Step 4
If prompted to assign interfaces to new zones, choose a New Security Zone for each listed interface, or choose
None to assign it later.
Step 5
After you configure all affected devices, click Save to save policy and zone assignments.
Step 6
Click Save to implement the domain configuration.
What to do next
• Update other configurations on the moved device that were affected by the move.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
History for Domain Management
Feature: Increased maximum number of supported domains
Version: 6.5
Details: You can now add up to 100 domains. Previously, the maximum was 50 domains.
Supported platforms: Secure Firewall Management Center
CHAPTER
6
Updates
The following topics explain how to update Firepower deployments:
• About System Updates, on page 203
• Requirements and Prerequisites for System Updates, on page 205
• Guidelines and Limitations for System Updates, on page 205
• Upgrade System Software, on page 206
• Update the Vulnerability Database (VDB), on page 206
• Update the Geolocation Database, on page 208
• Update Intrusion Rules, on page 210
• Maintain Your Air-Gapped Deployment, on page 219
• History for System Updates, on page 220
About System Updates
You can use the management center to upgrade the system software for itself and the devices it manages. You
can also update various databases and feeds that provide advanced services.
For management centers with internet access, the system can often obtain updates directly from Cisco. We
recommend you schedule or enable automatic updates whenever possible. Some updates are auto-enabled by
the initial setup process or when you enable the related feature. Other updates you must schedule yourself.
After initial setup, we recommend you review all auto-updates and adjust them if necessary.
Table 8: Upgrades and Updates

Component: System software
Description: Major software releases contain new features, functionality, and enhancements. They may
include infrastructure or architectural changes. Maintenance releases contain general bug and security
related fixes. Behavior changes are rare, and are related to those fixes. Patches are on-demand updates
limited to critical fixes with time urgency. Hotfixes can address specific customer issues.
Details:
Direct Download: Select releases only, usually some time after the release is available for manual download.
The length of the delay depends on release type, release adoption, and other factors.
Schedule: Patches only, on System ( ) > Tools > Scheduling.
Uninstall: Patches only.
Revert/Reimage: Major and maintenance releases only.
See: Upgrade System Software, on page 206

Component: Vulnerability database (VDB)
Description: The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts
may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses
the VDB to help determine whether a particular host increases your risk of compromise.
Details:
Direct Download: Yes.
Schedule: Yes, on System ( ) > Tools > Scheduling.
Uninstall: No.
See: Update the Vulnerability Database (VDB), on page 206

Component: Geolocation database (GeoDB)
Description: The Cisco geolocation database (GeoDB) is a database of geographical and connection-related
data associated with routable IP addresses.
Details:
Direct Download: Yes.
Schedule: Yes, on System ( ) > Updates.
Uninstall: No.
See: Update the Geolocation Database, on page 208

Component: Intrusion rules (SRU/LSP)
Description: Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified
states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules,
provide new rule categories and default variables, and modify default variable values.
Details:
Direct Download: Yes.
Schedule: Yes, on System ( ) > Updates.
Uninstall: No.
See: Update Intrusion Rules, on page 210

Component: Security Intelligence feeds
Description: Security Intelligence feeds are collections of IP addresses, domain names, and URLs that you
can use to quickly filter traffic that matches an entry.
Details:
Direct Download: Yes.
Schedule: Yes, on Objects > Object Management.
Uninstall: No.
See: Cisco Secure Firewall Management Center Device Configuration Guide

Component: URL categories and reputations
Description: URL filtering allows you to control access to websites based on the URL's general classification
(category) and risk level (reputation).
Details:
Direct Download: Yes.
Schedule: Yes, on > Integration > Cloud Services or System ( ) > Tools > Scheduling, depending on your
requirements.
Uninstall: No.
See: Cisco Secure Firewall Management Center Device Configuration Guide
Requirements and Prerequisites for System Updates
Model Support
Any
Supported Domains
Global unless indicated otherwise.
User Roles
Admin
Guidelines and Limitations for System Updates
Before You Update
Before you update any component of your Firepower deployment (including intrusion rules, VDB, or GeoDB)
read the release notes or advisory text that accompanies the update. These provide critical and release-specific
information, including compatibility, prerequisites, new capabilities, behavior changes, and warnings.
Scheduled Updates
The system schedules tasks — including updates — in UTC. This means that when they occur locally depends
on the date and your specific location. Also, because updates are scheduled in UTC, they do not adjust for
Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location.
If you are affected, scheduled updates occur one hour "later" in the summer than in the winter, according to
local time.
Important
We strongly recommend you review scheduled updates to be sure they occur when you intend.
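The "one hour later in the summer" effect follows directly from scheduling in UTC while the local clock shifts. The added Python example below (not code from the guide) shows both the local time at which a fixed UTC schedule fires on a winter and a summer date, and the UTC time you would have to enter to keep a task at the same local wall-clock time; to run offline it uses a constructed UTC+1/UTC+2 zone with the EU transition rule instead of a real zoneinfo database.

```python
from datetime import date, datetime, time, timedelta

# Constructed zone: UTC+1 in winter, UTC+2 in summer, EU-style transitions.
STANDARD_OFFSET = timedelta(hours=1)
DST_OFFSET = timedelta(hours=2)


def last_sunday(year: int, month: int) -> date:
    """Date of the last Sunday of the given month."""
    last_day = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)   # Sunday is weekday 6


def dst_active(utc_dt: datetime) -> bool:
    """EU rule: summer time runs from 01:00 UTC on the last Sunday of March
    until 01:00 UTC on the last Sunday of October (naive UTC datetimes)."""
    start = datetime.combine(last_sunday(utc_dt.year, 3), time(1, 0))
    end = datetime.combine(last_sunday(utc_dt.year, 10), time(1, 0))
    return start <= utc_dt < end


def utc_to_local(utc_dt: datetime) -> datetime:
    """Wall-clock time in the constructed zone for a naive UTC datetime."""
    return utc_dt + (DST_OFFSET if dst_active(utc_dt) else STANDARD_OFFSET)


def local_fire_time(schedule_utc: time, on: date) -> time:
    """Local wall-clock time at which a task scheduled at `schedule_utc`
    (the management center schedules in UTC) actually runs on `on`."""
    return utc_to_local(datetime.combine(on, schedule_utc)).time()


def utc_schedule_for(local_target: time, on: date) -> time:
    """UTC time of day to enter so the task fires at `local_target` local time on `on`.
    Tries each offset and keeps the first one that round-trips to the requested
    wall-clock time; a time skipped by the spring-forward gap raises ValueError."""
    wanted = datetime.combine(on, local_target)
    for offset in (STANDARD_OFFSET, DST_OFFSET):
        candidate = wanted - offset
        if utc_to_local(candidate) == wanted:
            return candidate.time()
    raise ValueError(f"{local_target} does not exist on {on} in this zone")


if __name__ == "__main__":
    for day in (date(2022, 1, 15), date(2022, 7, 15)):
        print(day, "02:00 UTC fires locally at", local_fire_time(time(2, 0), day),
              "| for 02:00 local schedule", utc_schedule_for(time(2, 0), day), "UTC")
```

The winter date prints 03:00 local and the summer date 04:00 local for the same 02:00 UTC schedule, which is exactly the one-hour shift described above.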
Bandwidth Guidelines
To upgrade a Firepower appliance (or perform a readiness check), the upgrade package must be on the
appliance. Firepower upgrade package sizes vary. Make sure you have the bandwidth to perform a large data
transfer to your managed devices. See Guidelines for Downloading Data from the Firepower Management
Center to Managed Devices (Troubleshooting TechNote).
Upgrade System Software
This guide does not contain detailed upgrade instructions for either system software or companion operating
systems. Instead, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for
your version.
For information on scheduling downloads and installations for system software patches, see Software Update
Automation, on page 461. Note that the initial setup process automatically schedules a weekly patch download.
After setup, you should review the auto-scheduled configurations and adjust them if necessary.
Update the Vulnerability Database (VDB)
The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be
susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB
to help determine whether a particular host increases your risk of compromise.
Cisco issues periodic updates to the VDB. The time it takes to update the VDB and its associated mappings
on the Secure Firewall Management Center depends on the number of hosts in your network map. As a rule
of thumb, divide the number of hosts by 1000 to determine the approximate number of minutes to perform
the update.
When you set up a new or reimaged management center, the system automatically attempts to update the
vulnerability database (VDB). This is a one-time operation. If the management center has internet access, we
recommend you schedule tasks to perform automatic recurring VDB update downloads and installations.
Caution
In most cases, the first deploy after updating the VDB restarts the Snort process on managed devices. The
system warns you that this can happen — warnings can appear after manual VDB updates, when you schedule
VDB updates, during background VDB updates, when you deploy, and so on. Snort restarts cause an interruption
in traffic inspection and, depending on how the managed device handles traffic, possibly interrupts traffic
flow. For more information, see Snort Restart Traffic Behavior.
Manually Update the VDB
To update the VDB, the VDB update package must be on the management center.
If the management center cannot access the internet, or you want to manually upload the VDB update to the
management center, use this procedure. To automate VDB updates, use task scheduling (System > Tools >
Scheduling). For details, see Vulnerability Database Update Automation, on page 465.
Before you begin
• Download the update from https://www.cisco.com/go/firepower-software.
Note
Beginning with VDB Release 343, all application detector information is available
through Cisco Secure Firewall Application Detectors. This site includes a
searchable database of application detectors. The release notes provide information
on changes for a particular VDB release.
• Consider the update's effect on traffic flow and inspection due to Snort restarts. We recommend performing
updates in a maintenance window.
Procedure
Step 1
Choose System > Updates, then click Product Updates.
Step 2
Choose how you want to upload the VDB update to the management center.
• Download directly from Cisco.com: Click Download Updates. If it can access the Cisco Support &
Download site, the management center downloads the latest VDB. Note that the management center also
downloads a package for each patch and hotfix (but not major release) associated with the version your
appliances are currently running.
• Upload manually: Click Upload Update, then Choose File. Browse to the update you downloaded
earlier, and click Upload.
VDB updates appear on the same page as Firepower software upgrade and uninstaller packages.
Step 3
Install the update.
a) Click Install next to the Vulnerability and Fingerprint Database update.
b) Choose the management center.
c) Click Install.
Step 4
(Optional) Monitor update progress in the Message Center.
Do not perform tasks related to mapped vulnerabilities until the update completes. Even if the Message Center
shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead,
contact Cisco TAC.
After the update completes, the system uses the new vulnerability information. However, you must deploy
before updated application detectors and operating system fingerprints can take effect.
Step 5
Verify update success.
Choose Help > About to view the current VDB version.
What to do next
Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management
Center Administration Guide.
Schedule VDB Updates
If your management center has internet access, we recommend you schedule regular VDB updates. See
Vulnerability Database Update Automation, on page 465.
Update the Geolocation Database
The geolocation database (GeoDB) is a database that you can leverage to view and filter traffic based on
geographical location.
The system comes with an initial GeoDB country code package that maps IP addresses to countries/continents,
so that information should always be available. If you update the GeoDB, the system also downloads an IP
package with contextual data. This contextual data includes additional location details, as well as connection
information such as ISP, connection type, proxy type, domain name, and so on. We also issue periodic updates
to the GeoDB, and you must regularly update the GeoDB to have accurate geolocation information.
As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring
the update fails and the management center has internet access, we recommend you configure regular GeoDB
updates as described in Schedule GeoDB Updates, on page 208.
The time needed to update the GeoDB depends on your appliance and on the size of the update; a full
download (for example, the first time you download the complete GeoDB) can take up to 45 minutes. Although
a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation
information), the update does consume system resources while it completes. Consider this when planning
your updates.
The GeoDB update overrides any previous versions of the GeoDB and is effective immediately. When you
update the GeoDB, the management center automatically updates the related data on its managed devices. It
may take a few minutes for a GeoDB update to take effect throughout your deployment. You do not need to
re-deploy after you update.
The System > Updates > Geolocation Updates page and the Help > About page both list the
current version.
Schedule GeoDB Updates
As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring
the update fails and the management center has internet access, we recommend you configure regular GeoDB
updates as described in this procedure.
Before you begin
Make sure the management center can access the internet.
Procedure
Step 1
Choose System > Updates > Geolocation Updates.
Step 2
Under Recurring Geolocation Updates, check Enable Recurring Weekly Updates from the Support Site.
Step 3
Specify the Update Start Time.
Step 4
Click Save.
Manually Update the GeoDB (Internet Connection)
Use this procedure to perform an on-demand update of the GeoDB if the management center has internet
access.
Procedure
Step 1
Choose System > Updates > Geolocation Updates.
Step 2
Under One-Time Geolocation Update, choose Download and install geolocation update from the Support
Site.
Step 3
Click Import.
You can monitor update progress in the Message Center.
Step 4
Verify update success.
The Geolocation Updates page and the Help > About page both list the current version.
Manually Update the GeoDB (No Internet Connection)
Use this procedure to perform an on-demand update of the GeoDB if the management center does not have
internet access.
Procedure
Step 1
Download the GeoDB from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software.
Select or search for your model (or choose any model—you use the same GeoDB for all management centers),
then browse to the Coverage and Content Updates page.
Make sure you download both the country code and the IP packages.
Step 2
Choose System > Updates > Geolocation Updates.
Step 3
Under One-Time Geolocation Update, choose Upload and install geolocation update.
Step 4
Click Choose File, then browse to the country code package you downloaded earlier.
Step 5
Click Import.
You can monitor update progress in the Message Center.
Step 6
Repeat steps 4 and 5 for the IP package.
Step 7
Verify update success.
The Geolocation Updates page and the Help > About page both list the current version.
Update Intrusion Rules
As new vulnerabilities become known, the Talos Intelligence Group releases intrusion rule updates that you
can import onto your Secure Firewall Management Center, and then implement by deploying the changed
configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the
policies that use the rules.
Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot
import an intrusion rule update that either matches or predates the version of the currently installed rules.
An intrusion rule update may provide the following:
• New and modified rules and rule states—Rule updates provide new and updated intrusion and
preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy.
For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled
in the Connectivity over Security intrusion policy. Rule updates may also change the default state of
existing rules, or delete existing rules entirely.
• New rule categories—Rule updates may include new rule categories, which are always added.
• Modified preprocessor and advanced settings—Rule updates may change the advanced settings in
the system-provided intrusion policies and the preprocessor settings in system-provided network analysis
policies. They can also update default values for the advanced preprocessing and performance options
in your access control policies.
• New and modified variables—Rule updates may modify default values for existing default variables,
but do not override your changes. New variables are always added.
In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion
rule updates from Talos in the Global domain only.
Understanding When Intrusion Rule Updates Modify Policies
Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all
access control policies:
• system provided—Changes to system-provided network analysis and intrusion policies, as well as any
changes to advanced access control settings, automatically take effect when you re-deploy the policies
after the update.
• custom—Because every custom network analysis and intrusion policy uses a system-provided policy as
its base, or as the eventual base in a policy chain, rule updates can affect custom network analysis and
intrusion policies. However, you can prevent rule updates from automatically making those changes.
This allows you to update system-provided base policies manually, on a schedule independent of rule
update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to
system-provided policies do not override any settings you customized.
Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For
your convenience, the Rule Updates page lists policies with cached changes and the users who made those
changes.
Deploying Intrusion Rule Updates
For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing
a rule update, you can configure the system to automatically redeploy to affected devices. This approach is
especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.
Recurring Intrusion Rule Updates
You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page.
If your deployment includes a high availability pair of Secure Firewall Management Centers, import the update
on the primary only. The secondary Secure Firewall Management Center receives the rule update as part of
the regular synchronization process.
Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base
policy update, and configuration deploy. When one subtask completes, the next subtask begins.
At the scheduled time, the system installs the rule update and deploys the changed configuration as you
specified when you configured the recurring import. You can log off or use the web interface to perform
other tasks before or during the import. When accessed during an import, the Rule Update Log displays a
red status icon, and you can view messages as they occur in the Rule Update Log detailed view. Depending
on the rule update size and content, several minutes may pass before status messages appear.
As a part of initial configuration the system configures a daily automatic intrusion rule update from the Cisco
Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices
when it next deploys affected policies.) If configuring the update fails and the management center has internet
access, we recommend you configure regular intrusion rule updates as described in Schedule Intrusion Rule
Updates, on page 213.
Importing Local Intrusion Rules
A local intrusion rule is a custom standard text rule that you import from a local machine as a plain text file
with ASCII or UTF-8 encoding. You can create local rules using the instructions in the Snort users manual,
which is available at http://www.snort.org.
In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion
rules imported in the current domain and ancestor domains.
Update Intrusion Rules One-Time Manually
Import a new intrusion rule update manually if your Secure Firewall Management Center does not have
Internet access.
Procedure
Step 1
Manually download the update from the Cisco Support Site
(http://www.cisco.com/cisco/web/support/index.html).
Step 2
Choose System > Updates, then click Rule Updates.
Step 3
If you want to move all user-defined rules that you have created or imported to the deleted folder, click
Delete All Local Rules in the toolbar, then click OK.
Step 4
Choose Rule Update or text rule file to upload and install and click Browse to navigate to and choose the
rule update file.
Step 5
If you want to automatically re-deploy policies to your managed devices after the update completes, choose
Reapply all policies after the rule update import completes.
Step 6
Click Import. The system installs the rule update and displays the Rule Update Log detailed view.
Note
Contact Support if you receive an error message while installing the rule update.
Update Intrusion Rules One-Time Automatically
Note
This section applies only to Snort 2.
To import a new intrusion rule update automatically, your appliance must have Internet access to connect to
the Support Site.
Before you begin
• Ensure the management center has internet access; see Security, Internet Access, and Communication
Ports, on page 1003.
Procedure
Step 1
Choose System > Updates.
Note
You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2
Click Rule Updates.
Step 3
If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete
All Local Rules in the toolbar, then click OK.
Step 4
Choose Download new Rule Update from the Support Site.
Step 5
If you want to automatically re-deploy the changed configuration to managed devices after the update completes,
check the Reapply all policies after the rule update import completes check box.
Step 6
Click Import.
The system installs the rule update and displays the Rule Update Log detailed view.
Caution
Contact Support if you receive an error message while installing the rule update.
Schedule Intrusion Rule Updates
Note
This section applies only to Snort 2.
As a part of initial configuration the system configures a daily automatic intrusion rule update from the Cisco
Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices
when it next deploys affected policies.) If configuring the update fails and the management center has internet
access, we recommend you configure regular intrusion rule updates as described in this section.
Procedure
Step 1
Choose System > Updates.
Note
You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2
Click Rule Updates.
Step 3
If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete
All Local Rules in the toolbar, then click OK.
Step 4
Check Enable Recurring Rule Update Imports from the Support Site check box.
Import status messages appear beneath the Recurring Rule Update Imports section heading.
Step 5
In the Import Frequency field, specify:
• The frequency of the update (Daily, Weekly, or Monthly)
• The day of the week or month you want the update to occur
• The time you want the update to start
Step 6
If you want to automatically re-deploy the changed configuration to your managed devices after the update
completes, check the Deploy updated policies to targeted devices after rule update completes check box.
Step 7
Click Save.
Caution
Contact Support if you receive an error message while installing the intrusion rule update.
The status message under the Recurring Rule Update Imports section heading changes to indicate that the
rule update has not yet run.
Best Practices for Importing Local Intrusion Rules
Observe the following guidelines when importing a local rule file:
• The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or
UTF-8.
• The text file name can include alphanumeric characters, spaces, and no special characters other than
underscore (_), period (.), and dash (-).
• The system imports local rules preceded with a single pound character (#), but flags them as deleted. It
does not import local rules preceded with two pound characters (##).
• Rules cannot contain any escape characters.
• In a multidomain deployment, the system assigns a GID of 1 to a rule imported into or created in the
Global domain, and a domain-specific GID between 1000 and 2000 for all other domains.
• You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only
GID 1 for a standard text rule.
• When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids
collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule
the next available custom rule SID of 1000000 or greater, and a revision number of 1.
If you must import rules with SIDs, a SID can be any unique number 1,000,000 or greater.
In a multidomain deployment, if multiple administrators are importing local rules at the same time, SIDs
within an individual domain might appear to be non-sequential because the system assigned the intervening
numbers in the sequence to another domain.
• When importing an updated version of a local rule you have previously imported, or when reinstating a
local rule you have deleted, you must include the SID assigned by the system and a revision number
greater than the current revision number. You can determine the revision number for a current or deleted
rule by editing the rule.
Note
The system automatically increments the revision number when you delete a local
rule; this mechanism allows you to reinstate local rules. All deleted local rules
are moved from the local rule category to the deleted rule category.
• Import local rules on the primary management center in a high availability pair to avoid SID numbering
issues.
• The import fails if a rule contains any of the following:
• A SID greater than 2147483647.
• A list of source or destination ports that is longer than 64 characters.
• When importing into the Global domain in a multidomain deployment, a GID:SID combination
uses GID 1 and a SID that already exists in another domain; this indicates that the combination
existed before Version 6.2.1. You can reimport the rule using GID 1 and a unique SID.
• Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword
in combination with the intrusion event thresholding feature in an intrusion policy.
• All imported local rules are automatically saved in the local rule category.
• The system always sets local rules that you import to the disabled rule state. You must manually set the
state of local rules before you can use them in your intrusion policy.
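The guidelines above, together with the local rule import described under Importing Local Intrusion Rules, as a pre-import linter. This is an added example and not Cisco's importer: it rejects a rule file for the conditions the guide says make the import or policy validation fail, before you upload it. The sample rule file and the table of SIDs already on the management center are constructed for illustration, and the header pattern covers standard text rules only.

```python
"""Added example, not Cisco's importer: lint a local Snort text rule file against the
constraints in "Best Practices for Importing Local Intrusion Rules". SAMPLE_RULES and
EXISTING_LOCAL_RULES are constructed for illustration."""
import re
from dataclasses import dataclass, field

MIN_CUSTOM_SID = 1_000_000      # system-assigned custom SIDs start here
MAX_SID = 2_147_483_647         # the import fails above this value
MAX_PORT_LIST_LEN = 64          # the import fails for longer port lists
FILENAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]+$")
HEADER_RE = re.compile(         # action proto src sport dir dst dport (options)
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")
# 'key;' or 'key:value;'; quoted values hold no escapes because the guide forbids them
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')


@dataclass
class LintReport:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    rules: list = field(default_factory=list)   # rules that would import cleanly
    skipped: int = 0                            # '##' lines, never imported

    @property
    def ok(self):
        return not self.errors


def as_int(value): return int(value) if value and value.isdigit() else None


def lint_rule_file(filename, data, existing_revs):
    """existing_revs maps (gid, sid) -> current revision of local rules already on the
    management center, deleted ones included (the revision is shown when you edit the rule)."""
    rep = LintReport()
    if not FILENAME_RE.match(filename):
        rep.errors.append(f"file name {filename!r}: only letters, digits, space, '_', '.' and '-' are allowed")
    try:
        text = data.decode("utf-8")            # ASCII is a subset of UTF-8
    except UnicodeDecodeError as exc:
        rep.errors.append(f"file is not ASCII/UTF-8: {exc}")
        return rep
    seen_sids = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("##"):
            rep.skipped += 1                   # '##' rules are not imported at all
            continue
        deleted = line.startswith("#")         # single '#': imported, but flagged deleted
        if deleted:
            line = line[1:].strip()
        where, before = f"line {lineno}", len(rep.errors)
        if "\\" in line:
            rep.errors.append(f"{where}: escape characters are not allowed")
            continue
        m = HEADER_RE.match(line)
        if not m:
            rep.errors.append(f"{where}: not a standard text rule")
            continue
        for part in ("sport", "dport"):
            if len(m.group(part)) > MAX_PORT_LIST_LEN:
                rep.errors.append(f"{where}: {part} list longer than {MAX_PORT_LIST_LEN} characters")
        opts = {k.lower(): v for k, v in OPTION_RE.findall(m.group("opts"))}
        if "gid" in opts and opts["gid"] != "1":
            rep.errors.append(f"{where}: GID must be 1 for a standard text rule (got {opts['gid']!r})")
        sid, rev = as_int(opts.get("sid")), as_int(opts.get("rev"))
        if "sid" in opts:
            if sid is None or sid > MAX_SID:
                rep.errors.append(f"{where}: SID must be an integer no greater than {MAX_SID}")
            elif sid < MIN_CUSTOM_SID:
                rep.errors.append(f"{where}: SID {sid} is below the custom range (>= {MIN_CUSTOM_SID})")
            elif sid in seen_sids:
                rep.errors.append(f"{where}: SID {sid} appears more than once in this file")
            else:
                seen_sids.add(sid)
                current = existing_revs.get((1, sid))
                if current is not None and (rev is None or rev <= current):
                    rep.errors.append(f"{where}: SID {sid} exists at rev {current}; an update needs rev > {current}")
        elif rev is not None:
            rep.warnings.append(f"{where}: rev without sid; the system assigns both on first import")
        if "threshold" in opts:
            rep.warnings.append(f"{where}: deprecated 'threshold' keyword; policy validation fails if the rule is enabled with event thresholding")
        if len(rep.errors) == before:          # imported local rules always arrive disabled
            rep.rules.append({"line": lineno, "sid": sid, "rev": rev, "msg": opts.get("msg"), "deleted": deleted, "state": "disabled"})
    return rep


# Constructed sample file: one line per guideline, including the cases that make the import fail.
SAMPLE_RULES = b"""\
## alert tcp any any -> any 22 (msg:"LOCAL not imported"; sid:1000040; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL new rule, system assigns sid and rev";)
#alert tcp any any -> $HOME_NET 23 (msg:"LOCAL imported as deleted"; sid:1000050; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"LOCAL updated rule"; sid:1000001; rev:3;)
alert tcp any any -> any 80 (msg:"LOCAL sid below custom range"; sid:4000; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL wrong gid"; gid:3; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"LOCAL stale rev"; sid:1000005; rev:2;)
alert tcp any any -> any 21 (msg:"LOCAL escaped \\"quote\\""; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"LOCAL threshold"; sid:1000004; rev:1; threshold:type limit,track by_src,count 1,seconds 60;)
"""
EXISTING_LOCAL_RULES = {(1, 1000001): 2, (1, 1000005): 2}   # constructed: (gid, sid) -> current rev
```

Run lint_rule_file against the file you intend to upload, with existing_revs filled from the current and deleted local rules on the management center. On the constructed sample it reports four errors (SID below the custom range, GID other than 1, a stale revision for an existing SID, and an escape character), one warning for the deprecated threshold keyword, one skipped '##' line, and four rules that would import, one of them flagged deleted; every importable rule is recorded as disabled, which is the state the guide says imported local rules always receive.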
Import Local Intrusion Rules
• Make sure your local rule file follows the guidelines described in Best Practices for Importing Local
Intrusion Rules, on page 213.
• Make sure your process for importing local intrusion rules complies with your security policies.
• Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts.
We recommend scheduling rule updates during maintenance windows.
• You can perform this task in any domain.
Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category
in a disabled state.
Procedure
Step 1
Choose System > Updates, then click Rule Updates.
Step 2
(Optional) Delete existing local rules.
Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules
to the deleted folder.
Step 3
Under One-Time Rule Update/Rules Import, choose Rule update or text rule file to upload and install,
then click Choose File and browse to your local rule file.
Step 4
Click Import.
Step 5
Monitor import progress in the Message Center.
To display the Message Center, click System Status on the menu bar. Even if the Message Center shows no
progress for several minutes or indicates that the import has failed, do not restart the import. Instead, contact
Cisco TAC.
What to do next
• Edit intrusion policies and enable the rules you imported.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Device Configuration Guide
Rule Update Log
The Secure Firewall Management Center generates a record for each rule update and local rule file that you
import.
Each record includes a time stamp, the name of the user who imported the file, and a status icon indicating
whether the import succeeded or failed. You can maintain a list of all rule updates and local rule files that you
import, delete any record from the list, and access detailed records for all imported rules and rule update
components.
The Rule Update Import Log detailed view lists a detailed record for each object imported in a rule update or
local rule file. You can also create a custom workflow or report from the records listed that includes only the
information that matches your specific needs.
Intrusion Rule Update Log Table
Table 9: Intrusion Rule Update Log Fields
Field
Description
Summary
The name of the import file. If the import fails, a brief statement of the reason for the
failure appears under the file name.
Time
The time and date that the import started.
User ID
The user name of the user that triggered the import.
Status
Whether the import:
• succeeded (green icon)
• failed or is currently in progress (red status icon)
The red status icon, indicating an unsuccessful or incomplete import, appears on the
Rule Update Log page during the import and is replaced by the green icon only when
the import has successfully completed.
Tip
You can view import details as they appear while an intrusion rule update import is in progress.
Viewing the Intrusion Rule Update Log
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Procedure
Step 1
Choose System > Updates.
Tip
You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2
Click Rule Updates.
Step 3
Click Rule Update Log.
Step 4
You have two options:
• View — To view details for each object imported in a rule update or local rule file, click View next
to the file you want to view; see Viewing Details of the Intrusion Rule Update Import Log, on page 218.
• Delete — To delete an import file record from the import log, including detailed records for all objects
included with the file, click Delete next to the import file name.
Note
Deleting the file from the log does not delete any object imported in the import file, but only
deletes the import log records.
Fields in an Intrusion Rule Update Log
Tip
You search the entire Rule Update Import Log database even when you initiate a search by clicking Search
on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file
displayed. Make sure you set your time constraints to include all objects you want to include in the search.
Table 10: Rule Update Import Log Detailed View Fields
Field
Description
Action
An indication that one of the following has occurred for the object type:
• new (for a rule, this is the first time the rule has been stored on this appliance)
• changed (for a rule update component or rule, the rule update component has been modified, or the rule
has a higher revision number and the same GID and SID)
• collision (for a rule update component or rule, import was skipped because its revision conflicts with
an existing component or rule on the appliance)
• deleted (for rules, the rule has been deleted from the rule update)
• enabled (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy
provided with the system)
• disabled (for rules, the rule has been disabled in a default policy provided with the system)
• drop (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the
system)
• error (for a rule update or local rule file, the import failed)
• apply (the Reapply all policies after the rule update import completes option was enabled for the
import)
Default Action
The default action defined by the rule update. When the imported object type is rule, the default action is
Pass, Alert, or Drop. For all other imported object types, there is no default action.
Details
A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed
rule, displayed as previously (GID:SID:Rev). This field is blank for a rule that has not changed.
Domain
The domain whose intrusion policies can use the updated rule. Intrusion policies in descendant domains can
also use the rule. This field is only present in a multidomain deployment.
GID
The generator ID for a rule. For example, 1 (standard text rule, Global domain or legacy GID) or 3 (shared
object rule).
Name
The name of the imported object, which for rules corresponds to the rule Message field, and for rule update
components is the component name.
Policy
For imported rules, this field displays All. This means that the rule was imported successfully, and can be
enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.
Rev
The revision number for a rule.
Rule Update
The rule update file name.
SID
The SID for a rule.
Time
The time and date the import began.
Type
The type of imported object, which can be one of the following:
• rule update component (an imported component such as a rule pack or policy pack)
• rule (for rules, a new or updated rule; note that in Version 5.0.1 this value replaced the update value,
which is deprecated)
• policy apply (the Reapply all policies after the rule update import completes option was enabled
for the import)
Count
The count (1) for each record. The Count field appears in a table view when the table is constrained, and the
Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.
Viewing Details of the Intrusion Rule Update Import Log
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Procedure
Step 1
Choose System > Updates.
Tip
You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).
Step 2
Click Rule Updates.
Step 3
Click Rule Update Log.
Step 4
Click View next to the file whose detailed records you want to view.
Step 5
You can take any of the following actions:
• Bookmark—To bookmark the current page, click Bookmark This Page.
• Edit Search—To open a search page prepopulated with the current single constraint, choose Edit Search
or Save Search next to Search Constraints.
• Manage bookmarks—To navigate to the bookmark management page, click Report Designer.
• Report—To generate a report based on the data in the current view, click Report Designer.
• Search—To search the entire Rule Update Import Log database for rule update import records, click
Search.
• Sort—To sort and constrain records on the current workflow page, see Using Drill-Down Pages, on page
626 for more information.
• Switch workflows—To temporarily use a different workflow, click (switch workflows).
Maintain Your Air-Gapped Deployment
If your management center is not connected to the internet, essential updates will not occur automatically.
You must manually obtain and install these updates. See the following information:
• Manually Update the VDB, on page 206
• Update Intrusion Rules One-Time Manually, on page 211
• Manually Update the GeoDB (No Internet Connection), on page 209
• The upgrade guide at https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/
fpmc-upgrade-guide.html
History for System Updates
Feature: Copy upgrade packages ("peer-to-peer sync") from device to device
Version: 7.2
Details:
Instead of copying upgrade packages to each device from the management center or
internal web server, you can use the threat defense CLI to copy upgrade packages
between devices ("peer to peer sync"). This secure and reliable resource-sharing goes
over the management network but does not rely on the management center. Each device
can accommodate five concurrent package transfers.
This feature is supported for Version 7.2+ standalone devices managed by the same
standalone management center. It is not supported for:
• Container instances.
• Device high availability pairs and clusters.
Note that Version 7.1+ group members can get the package from each other as part
of their normal sync process. Copying the upgrade package to one group member
automatically syncs it to all group members.
• Devices managed by high availability management centers.
• Devices in different domains, or devices separated by a NAT gateway.
• CDO-managed devices added to the management center in analytics mode.
• Devices upgrading from Version 7.1 or earlier, regardless of management center
version.
New/modified CLI commands: configure p2psync enable, configure p2psync disable,
show peers, show peer details, sync-from-peer, show p2p-sync-status
Feature: Auto-upgrade to Snort 3 after successful threat defense upgrade.
Version: 7.2
Details:
When you use a Version 7.2+ management center to upgrade threat defense, you can
now choose whether to Upgrade Snort 2 to Snort 3.
After the software upgrade, eligible devices will upgrade from Snort 2 to Snort 3 when
you deploy configurations. For devices that are ineligible because they use custom
intrusion or network analysis policies, we strongly recommend you manually upgrade
to Snort 3 for improved detection and performance. For migration assistance, see the
Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.
This option is supported for major and maintenance threat defense upgrades to Version
7.2+. It is not supported for threat defense upgrades to Version 7.0 or 7.1, or for patches
to any version.
Feature: Upgrade for single-node clusters.
Version: 7.2
Details:
You can now use the device upgrade page (Devices > Device Upgrade) to upgrade
clusters with only one active node. Any deactivated nodes are also upgraded. Previously,
this type of upgrade would fail. This feature is not supported from the system updates
page (System > Updates).
Hitless upgrades are also not supported in this case. Interruptions to traffic flow and
inspection depend on the interface configurations of the lone active unit, just as with
standalone devices.
Supported platforms: Firepower 4100/9300, Secure Firewall 3100
Feature: Revert threat defense upgrades from the CLI.
Version: 7.2
Details:
You can now revert threat defense upgrades from the device CLI if communications
between the management center and device are disrupted. Note that in high
availability/scalability deployments, revert is more successful when all units are reverted
simultaneously. When reverting with the CLI, open sessions with all units, verify that
revert is possible on each, then start the processes at the same time.
Caution
Reverting from the CLI can cause configurations between the device and the
management center to go out of sync, depending on what you changed
post-upgrade. This can cause further communication and deployment issues.
New/modified CLI commands: upgrade revert, show upgrade revert-info.
Feature: GeoDB is split into two packages.
Version: 7.2
Details:
In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two
packages: a country code package that maps IP addresses to countries/continents, and
an IP package that contains additional contextual data associated with routable IP
addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain
name, and so on.
If your Version 7.2+ management center has internet access and you enable recurring
updates or you manually kick off a one-time update from the Cisco Support & Download
site, the system automatically obtains and imports both packages. However, if you
manually download updates—for example, in an air-gapped deployment—make sure
you get and import both GeoDB packages:
• Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar
• IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar
The Geolocation Updates (System ( ) > Updates > Geolocation Updates) page and
the About page (Help > About) list the versions of the packages currently being used
by the system.
Feature: Upgrade does not automatically generate troubleshooting files.
Version: 7.2
Details:
To save time and disk space, the management center upgrade process no longer
automatically generates troubleshooting files before the upgrade begins. Note that device
upgrades are unaffected and continue to generate troubleshooting files.
To manually generate troubleshooting files for the management center, choose System
( ) > Health > Monitor, click Firewall Management Center in the left panel, then
View System & Troubleshoot Details, then Generate Troubleshooting Files.
Feature: Revert a successful device upgrade.
Version: 7.1
Details:
You can now revert major and maintenance upgrades to threat defense from the
management center web interface. Reverting returns the software to its state just before
the last upgrade, also called a snapshot. Reverting after patching necessarily removes
patches as well.
If you think you might need to revert, you must use the System > Updates page to
upgrade threat defense. The System Updates page is the only place you can enable the
Enable revert after successful upgrade option, which configures the system to save
a revert snapshot when you initiate the upgrade. This is in contrast to our usual
recommendation to use the wizard on the Devices > Device Upgrade page.
This is not supported for container instances on the Firepower 4100/9300.
Feature: Improvements to the upgrade workflow for clustered and high availability devices.
Version: 7.1
Details:
The threat defense upgrade wizard now correctly displays clustered and high availability
unit as groups, rather than as individual devices. The system can identify, report, and
preemptively require fixes for group-related issues you might have. For example, you
cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes
on chassis manager.
You can also specify the upgrade order of data units in a cluster.
Feature: Improved threat defense upgrade performance and status reporting.
Version: 7.0
Details: Upgrading threat defense is now easier, faster, more reliable, and takes up less disk
space. A new Upgrades tab in the Message Center provides further enhancements to
upgrade status and error reporting.
Feature: Easy-to-follow threat defense upgrade workflow.
Version: 7.0
Details:
A new device upgrade page (Devices > Device Upgrade) provides an easy-to-follow
workflow for upgrading Version 6.4+ threat defense.
The system walks you through important pre-upgrade stages, including:
• Selecting devices to upgrade.
• Copying the upgrade package to the devices.
• Compatibility and readiness checks.
To begin, use the new Upgrade Firepower Software action on the Device Management
page (Devices > Device Management > Select Action).
Note
You must still use the System Updates page (System > Updates) to
upload or specify the location of threat defense upgrade packages. You must
also use the System Updates page to upgrade the management center itself,
as well as all non-threat defense managed devices.
As you proceed with the upgrade workflow, the system displays basic information about
your selected devices, as well as the current upgrade-related status. This includes any
reasons why you cannot upgrade. If a device does not "pass" a stage in the workflow,
it does not appear in the next stage.
If you navigate away from the workflow, your progress is preserved, although other users
with Administrator access can reset, modify, or continue the workflow.
Note
In Version 7.0, the Device Upgrade page does not correctly display devices
in clusters or high availability pairs. Even though you must select and upgrade
these devices as a unit, the workflow displays them as standalone devices.
Device status and upgrade readiness are evaluated and reported on an
individual basis. This means it is possible for one unit to appear to "pass" to
the next stage while the other unit or units do not. However, these devices
are still grouped. Running a readiness check on one, runs it on all. Starting
the upgrade on one, starts it on all.
To avoid possible time-consuming upgrade failures, manually ensure all
group members are ready to move on to the next step of the workflow before
you click Next.
Feature: Upgrade more threat defense devices at once.
Version: 7.0
Details:
The threat defense upgrade workflow lifts the following restrictions:
• Simultaneous device upgrades.
The number of devices you can upgrade at once is now limited by your management
network bandwidth—not the system's ability to manage simultaneous upgrades.
Previously, we recommended against upgrading more than five devices at a time.
Important
Only upgrades to threat defense Version 6.7+ see this improvement. If you are upgrading
devices to an older threat defense release—even if you are using the new upgrade
workflow—we still recommend you limit to five devices at a time.
• Grouping upgrades by device model.
You can now queue and invoke upgrades for all threat defense models at the same
time, as long as the system has access to the appropriate upgrade packages.
Previously, you would choose an upgrade package, then choose the devices to
upgrade using that package. That meant that you could upgrade multiple devices
at the same time only if they shared an upgrade package. For example, you could
upgrade two Firepower 2100 series devices at the same time, but not a Firepower
2100 series and a Firepower 1000 series.
Feature: Improved threat defense upgrade status reporting and cancel/retry options.
Version: 6.7
Details:
You can now view the status of threat defense device upgrades and readiness checks in
progress on the Device Management page, as well as a 7-day history of upgrade
success/failures. The Message Center also provides enhanced status and error messages.
A new Upgrade Status pop-up, accessible from both Device Management and the
Message Center with a single click, shows detailed upgrade information, including
percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs,
and so on.
Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel
Upgrade), or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the
device to its pre-upgrade state.
Note
To be able to manually cancel or retry a failed upgrade, you must disable the
new auto-cancel option, which appears when you use the management center
to upgrade a threat defense device: Automatically cancel on upgrade
failure and roll back to the previous version. With the option enabled, the
device automatically reverts to its pre-upgrade state upon upgrade failure.
Auto-cancel is not supported for patches. In an HA or clustered deployment,
auto-cancel applies to each device individually. That is, if the upgrade fails
on one device, only that device is reverted.
New/modified screens:
• System > Update > Product Updates > Available Updates > Install icon for the
threat defense upgrade package
• Devices > Device Management > Upgrade
• Message Center > Tasks
New/modified CLI commands: show upgrade status detail, show upgrade status
continuous, show upgrade status, upgrade cancel, upgrade retry
Feature: Upgrades remove PCAP files to save disk space.
Version: 6.7
Details:
Upgrades now remove locally stored PCAP files. You must have enough free disk space
or the upgrade fails.
Feature: Custom intrusion rule import warns when rules collide.
Version: 6.7
Details:
The management center now warns you of rule collisions when you import custom
(local) intrusion rules. Previously, the system would silently skip the rules that cause
collisions—with the exception of Version 6.6.0.1, where a rule import with collisions
would fail entirely.
On the Rule Updates page, if a rule import had collisions, a warning icon is displayed
in the Status column. For more information, hover your pointer over the warning icon
and read the tooltip.
Note that a collision occurs when you try to import an intrusion rule that has the same
SID/revision number as an existing rule. You should always make sure that updated
versions of custom rules have new revision numbers; for more best practices, see Best
Practices for Importing Local Intrusion Rules, on page 213.
New/modified screens: We added a warning icon to System > Updates > Rule Updates.
Feature: Get threat defense upgrade packages from an internal web server.
Version: 6.6
Details: Threat defense devices can now get upgrade packages from your own internal web server,
rather than from the management center. This is especially useful if you have limited
bandwidth between the management center and its devices. It also saves space on the
management center.
Note
This feature is supported only for threat defense devices running Version
6.6+. It is not supported for upgrades to Version 6.6, nor is it supported for
the management center or Classic devices.
New/modified screens: We added a Specify software update source option to the page
where you upload upgrade packages.
Feature: The management center downloads and installs the latest VDB during initial setup.
Version: 6.6
Details: When you set up a new or reimaged management center, the system automatically
attempts to update the vulnerability database (VDB).
This is a one-time operation. If the management center has internet access, we
recommend you schedule tasks to perform automatic recurring VDB update downloads
and installations.
Feature: The management center schedules software downloads and GeoDB updates during initial setup.
Version: 6.5
Details: When you set up a new or reimaged management center, the system automatically
schedules:
• A weekly task to download software updates for the management center and its
managed devices.
• Weekly updates for the GeoDB.
The tasks are scheduled in UTC, which means that when they occur locally depends on
the date and your specific location. Also, because tasks are scheduled in UTC, they do
not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments
that you may observe in your location. If you are affected, scheduled tasks occur one
hour “later” in the summer than in the winter, according to local time. We recommend
you review the auto-scheduled configurations and adjust them if necessary.
Feature: Scheduled tasks postponed during management center upgrades.
Version: 6.7, 6.6.3, 6.4.0.10
Details:
Scheduled tasks are now postponed during management center upgrades. Any task
scheduled to begin during the upgrade will begin five minutes after the post-upgrade
reboot.
Note
Before you begin any upgrade, you must still make sure running tasks are
complete. Tasks running when the upgrade begins are stopped, become failed
tasks, and cannot be resumed.
Note that this feature is supported for all upgrades from a supported version. This includes
Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and
Version 6.7+. This feature is not supported for upgrades to a supported version from
an unsupported version.
Feature: Signed SRU, VDB, and GeoDB updates.
Version: 6.4
Details:
So the system can verify that you are using the correct update files, the system now uses
signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the
geolocation database (GeoDB). Earlier versions continue to use unsigned updates.
Unless you manually download updates from the Cisco Support & Download site—for
example, in an air-gapped deployment—you should not notice any difference in
functionality.
If, however, you do manually download and install SRU, VDB, and GeoDB updates,
make sure you download the correct package for your current version. Signed update
files begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of
.sh:
• SRU: Cisco_Firepower_SRU-date-build-vrt.sh.REL.tar
• VDB: Cisco_VDB_Fingerprint_Database-4.5.0-version.sh.REL.tar
• GeoDB: Cisco_GEODB_Update-date-build.sh.REL.tar
Do not untar signed (.tar) packages.
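The naming conventions this table gives for manually downloaded updates (signed Cisco_*.sh.REL.tar packages from Version 6.4, the legacy Sourcefire .sh names, the separate GeoDB country code and IP packages required from Version 7.2, and the rule not to untar signed packages) can be checked before an air-gapped import. The following Python script is an added example, not code from this guide or from Cisco; it relies only on the name patterns stated above, treats the date-build or version portion of each name as an opaque stamp because the guide does not define its exact format, and the sample filenames are constructed.

```python
import re
from typing import Iterable, NamedTuple, Set

# Signed update packages (Version 6.4+): the name begins with "Cisco" and ends
# in .sh.REL.tar. The date-build / version portion is captured as an opaque
# "stamp"; its exact format is an assumption here and is not validated.
SIGNED_PATTERNS = {
    "SRU": re.compile(r"^Cisco_Firepower_SRU-(?P<stamp>.+)-vrt\.sh\.REL\.tar$"),
    "VDB": re.compile(r"^Cisco_VDB_Fingerprint_Database-4\.5\.0-(?P<stamp>.+)\.sh\.REL\.tar$"),
    "GeoDB-country": re.compile(r"^Cisco_GEODB_Update-(?P<stamp>.+)\.sh\.REL\.tar$"),
    "GeoDB-IP": re.compile(r"^Cisco_IP_GEODB_Update-(?P<stamp>.+)\.sh\.REL\.tar$"),
}

# From Version 7.2 both GeoDB packages must be imported.
GEODB_KINDS = {"GeoDB-country", "GeoDB-IP"}


class UpdatePackage(NamedTuple):
    kind: str     # "SRU", "VDB", "GeoDB-country", "GeoDB-IP" or "legacy"
    signed: bool  # True for the Cisco_*.sh.REL.tar format
    stamp: str    # date-build or version text from the name (legacy: whole name)


def classify_update_package(name: str) -> UpdatePackage:
    """Identify a manually downloaded update file by its name.

    Raises ValueError for a name that looks like a signed Cisco package but does
    not end in .sh.REL.tar (for example, a package that was untarred), or that
    matches no known convention at all.
    """
    for kind, pattern in SIGNED_PATTERNS.items():
        match = pattern.match(name)
        if match:
            return UpdatePackage(kind, True, match.group("stamp"))
    # Pre-6.4 unsigned packages begin with "Sourcefire" and end in .sh.
    if name.startswith("Sourcefire") and name.endswith(".sh"):
        return UpdatePackage("legacy", False, name)
    if name.startswith("Cisco") and not name.endswith(".sh.REL.tar"):
        raise ValueError(
            f"{name}: signed packages are distributed as .sh.REL.tar; "
            "do not untar them or import extracted contents"
        )
    raise ValueError(f"{name}: not a recognized update package name")


def missing_geodb_packages(names: Iterable[str]) -> Set[str]:
    """Return the GeoDB package kinds absent from a set of downloaded files.

    An empty set means both the country code and the IP package are present.
    Unrecognized names are skipped here; classify them separately.
    """
    present = set()
    for name in names:
        try:
            present.add(classify_update_package(name).kind)
        except ValueError:
            continue
    return GEODB_KINDS - present


if __name__ == "__main__":
    # Constructed listing of a download directory prepared for an air-gapped import.
    downloads = [
        "Cisco_Firepower_SRU-2022-06-01-001-vrt.sh.REL.tar",
        "Cisco_VDB_Fingerprint_Database-4.5.0-354.sh.REL.tar",
        "Cisco_GEODB_Update-2022-05-10-100.sh.REL.tar",
        "Sourcefire_Rule_Update-2019-01-01-001-vrt.sh",
    ]
    for filename in downloads:
        pkg = classify_update_package(filename)
        print(f"{pkg.kind:14} signed={str(pkg.signed):5} {filename}")
    for kind in sorted(missing_geodb_packages(downloads)):
        print(f"missing GeoDB package: {kind}")
```

Run against the constructed listing, the script identifies the three signed packages, flags the Sourcefire file as an unsigned legacy package, and reports that the GeoDB IP package is missing, which is the mistake the table above warns about for Version 7.2+ air-gapped deployments.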
Feature: Faster upgrade.
Version: 6.4
Details: Improvements to the event database allow faster upgrades.
Feature: Copy upgrade packages to managed devices before the upgrade.
Version: 6.2.3
Details: You can now copy (or push) an upgrade package from the management center to a
managed device before you run the actual upgrade. This is useful because you can push
during times of low bandwidth use, outside of the upgrade maintenance window.
When you push to high availability, clustered, or stacked devices, the system sends the
upgrade package to the active/control/primary first, then to the standby/data/secondary.
New/modified screens: System > Updates
Feature: The management center warns of Snort restart before VDB updates.
Version: 6.2.3
Details:
The management center now warns you that Vulnerability Database (VDB) updates
restart the Snort process. This interrupts traffic inspection and, depending on how the
managed device handles traffic, possibly interrupts traffic flow. You can cancel the
install until a more convenient time, such as during a maintenance window.
These warnings can appear:
• After you download and manually install a VDB.
• When you create a scheduled task to install the VDB.
• When the VDB installs in the background, such as during a previously scheduled
task or as part of a software upgrade.
CHAPTER 7
Licenses
This chapter provides in-depth information about the different license types, service subscriptions, licensing
requirements and more.
Note
The Management Center supports either a Smart License or a legacy PAK (Product Activation Keys) license
for its platform license. For more information about using the PAK license, see Configure Legacy Management
Center PAK-Based Licenses, on page 271.
• About Licenses, on page 229
• Requirements and Prerequisites for Licensing, on page 245
• Create a Smart Account and Add Licenses, on page 248
• Configure Smart Licensing, on page 249
• Configure Specific License Reservation (SLR), on page 261
• Configure Legacy Management Center PAK-Based Licenses, on page 271
• Additional Information about Licensing, on page 272
• History for Licenses, on page 273
About Licenses
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent
way to purchase and manage software across the Cisco portfolio and across your organization. And it’s
secure—you control what users can access. With Smart Licensing you get:
• Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the
entire organization—no more PAKs (Product Activation Keys).
• Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco
products and services in an easy-to-use portal, so you always know what you have and what you are
using.
• License Flexibility: Your software is not node-locked to your hardware, so you can easily use and
transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.
Smart Software Manager and Accounts
When you purchase one or more licenses, you manage them in the Smart Software Manager:
https://software.cisco.com/#module/SmartLicensing. The Smart Software Manager lets you create a master
account for your organization. If you do not yet have an account, click the link to set up a new account.
By default, your licenses are assigned to the Default Virtual Account under your master account. As the
account administrator, you can create additional virtual accounts; for example, for regions, departments, or
subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and devices.
You manage licenses by virtual account. Only that virtual account’s devices can use the licenses assigned to
the account. If you need additional licenses, you can transfer an unused license from another virtual account.
You can also transfer devices between virtual accounts.
Licensing Options for Air-Gapped Deployments
The following table compares the available licensing options for environments without internet access. Your
sales representative may have additional advice for your specific situation.
Table 11: Comparison of Licensing Options for Air-Gapped Networks
Smart Software Manager On-Prem:
• Scalable for a large number of products
• Automated licensing management, usage and asset management visibility
• No incremental operational costs to add devices
• Flexible, easier to use, less overhead
• Out-of-compliance status is allowed initially and at various expiration states
• For more information, see Register the Management Center with the Smart Software Manager On-Prem,
on page 252
Specific License Reservation:
• Best for a small number of devices
• Limited usage and asset management visibility
• Linear operational costs over time to add devices
• Significant administrative and manual overhead for moves, adds, and changes
• Out-of-compliance status impacts system functioning
• For more information, see Configure Specific License Reservation (SLR), on page 261
How Licensing Works for the Management Center and Devices
The management center registers with the Smart Software Manager, and then assigns licenses for each managed
device. Devices do not register directly with the Smart Software Manager.
A physical management center does not require a license for its own use. The management center virtual does
require a platform license.
Periodic Communication with the Smart Software Manager
In order to maintain your product license entitlement, your product must communicate periodically with the
Smart Software Manager.
You use a Product Instance Registration Token to register the management center with the Smart Software
Manager. The Smart Software Manager issues an ID certificate for communication between the management
center and the Smart Software Manager. This certificate is valid for one year, although it will be renewed
every six months. If an ID certificate expires (after a year with no communication), the management center
may be removed from your account.
The management center communicates with the Smart Software Manager on a periodic basis. If you make
changes in the Smart Software Manager, you can refresh the authorization on the management center so the
changes immediately take effect. You also can wait for the management center to communicate as scheduled.
Your management center must either have direct internet access to the Smart Software Manager, or use one
of the options described in Licensing Options for Air-Gapped Deployments, on page 230. In non-airgapped
deployments, normal license communication occurs every 30 days, but with the grace period, your management
center will operate for up to 90 days without calling home. The management center must contact the Smart
Software Manager before 90 days have passed, or else it will revert to an unregistered state.
Evaluation Mode
Before the management center registers with the Smart Software Manager, it operates for 90 days in evaluation
mode. You can assign feature licenses to managed devices, and they will remain in compliance for the duration
of evaluation mode. When this period ends, the management center becomes unregistered.
If you register the management center with the Smart Software Manager, the evaluation mode ends. If you
later deregister the management center, you cannot resume evaluation mode, even if you did not initially use
all 90 days.
For more information about the unregistered state, see Unregistered State, on page 232.
Note
You cannot receive an evaluation license for Strong Encryption (3DES/AES); you must register with the
Smart Software Manager to receive the export-compliance token that enables the Strong Encryption
(3DES/AES) license.
Out-of-Compliance State
The management center can become out of compliance in the following situations:
• Over-utilization—When the managed devices or the management center virtual uses unavailable licenses.
• License expiration—When a managed device term-based license expires.
An out-of-compliance state has the following effects:
• Management Center Virtual platform license—Operation is not affected.
• All managed device licenses—Operation is not affected.
After you resolve the licensing problem, the management center will show that it is now in compliance after
its regularly scheduled authorization with the Smart Software Manager. To force an authorization, click
Re-Authorize on the System ( ) > Licenses > Smart Licenses page.
Unregistered State
The management center can become unregistered in the following situations:
• Evaluation mode expiration—Evaluation mode expires after 90 days.
• Manual deregistration of the management center
• Lack of communication with the Smart Software Manager—The management center does not communicate
with the Smart Software Manager for 1 year. Note: After 90 days, the management center authorization
expires, but it can successfully resume communication within one year to automatically re-authorize.
After a year, the ID certificate expires, and the management center is removed from your account so you
will have to manually re-register the management center.
In an unregistered state, the management center cannot deploy any configuration changes to devices for
features that require licenses.
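The intervals in Periodic Communication with the Smart Software Manager and in this section (30-day scheduled contact, 90-day authorization grace period, one-year ID certificate, 90-day evaluation mode) can be turned into a monitoring check that tells you how long each management center has before it loses authorization or registration. The following Python script is an added example, not code from this guide or from Cisco; the state names, the `needs_attention` threshold and the sample inventory are constructed, and the certificate's "one year" is modelled as 365 days because the guide does not specify how it is counted.

```python
from datetime import date
from typing import NamedTuple

# Intervals stated in the guide. The ID certificate's one-year validity is
# modelled as 365 days here (assumption).
NORMAL_CONTACT_DAYS = 30    # scheduled communication interval
AUTHORIZATION_DAYS = 90     # grace period; authorization expires after this
ID_CERTIFICATE_DAYS = 365   # after this the ID certificate expires
EVALUATION_DAYS = 90        # evaluation mode before registration


class LicenseStatus(NamedTuple):
    state: str      # evaluation, authorized, authorized_overdue,
                    # authorization_expired or unregistered
    days_left: int  # days until the next state change; 0 once unregistered


def evaluation_status(evaluation_start: date, today: date) -> LicenseStatus:
    """State of a management center that has never registered."""
    elapsed = (today - evaluation_start).days
    if elapsed < EVALUATION_DAYS:
        return LicenseStatus("evaluation", EVALUATION_DAYS - elapsed)
    # Evaluation mode cannot be resumed once it has ended.
    return LicenseStatus("unregistered", 0)


def registered_status(last_contact: date, today: date) -> LicenseStatus:
    """State of a registered management center, derived from the date of its
    last successful communication with the Smart Software Manager."""
    silent = (today - last_contact).days
    if silent <= NORMAL_CONTACT_DAYS:
        # Within the normal 30-day cycle; authorization would lapse at day 90.
        return LicenseStatus("authorized", AUTHORIZATION_DAYS - silent)
    if silent <= AUTHORIZATION_DAYS:
        # A scheduled contact was missed, but the grace period still applies.
        return LicenseStatus("authorized_overdue", AUTHORIZATION_DAYS - silent)
    if silent <= ID_CERTIFICATE_DAYS:
        # Authorization expired; a successful contact re-authorizes automatically.
        return LicenseStatus("authorization_expired", ID_CERTIFICATE_DAYS - silent)
    # ID certificate expired: removed from the account, manual re-registration needed.
    return LicenseStatus("unregistered", 0)


def needs_attention(status: LicenseStatus, warn_days: int = 14) -> bool:
    """True when an operator should act: contact is overdue, authorization has
    expired, registration is lost, or a state change is fewer than warn_days away."""
    if status.state in ("authorized_overdue", "authorization_expired", "unregistered"):
        return True
    return status.days_left <= warn_days


if __name__ == "__main__":
    # Constructed inventory: name, whether registered, and the relevant date
    # (evaluation start for unregistered systems, last contact for registered ones).
    today = date(2022, 6, 28)
    inventory = [
        ("fmc-lab", False, date(2022, 6, 1)),
        ("fmc-hq", True, date(2022, 6, 20)),
        ("fmc-branch", True, date(2022, 1, 1)),
        ("fmc-dr", True, date(2021, 1, 1)),
    ]
    for name, registered, when in inventory:
        status = registered_status(when, today) if registered else evaluation_status(when, today)
        flag = "ACTION" if needs_attention(status) else "ok"
        print(f"{name:11} {status.state:22} days_left={status.days_left:3} {flag}")
```

The check only models the timing rules the guide states; it does not know whether the managed devices are in compliance, which is tracked separately on the Smart Licenses page.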
End-User License Agreement
The Cisco end-user license agreement (EULA) and any applicable supplemental agreement (SEULA) that
governs your use of this product are available from http://www.cisco.com/go/softwareterms.
License Types and Restrictions
This section describes the types of licenses available.
Table 12: Smart Licenses
License You Assign: Base
Subscription You Purchase: Based on license type
Duration: Perpetual or Subscription
Note: Base subscription licenses are supported only on Threat Defense Virtual.
Granted Capabilities: Except for Specific License Reservation and the Secure Firewall 3100, base perpetual
licenses are automatically assigned with all threat defenses.
• User and application control
• Switching and routing
• NAT
For details, see Base Licenses, on page 234.
License You Assign: Threat
Subscription You Purchase:
• T
• TC (Threat + URL)
• TMC (Threat + Malware defense + URL)
• TM (Threat + Malware defense)
Duration: Subscription
Granted Capabilities:
• Intrusion detection and prevention
• File control
• Security Intelligence filtering
For details, see Threat Licenses, on page 235.
License You Assign: Malware defense
Subscription You Purchase:
• TMC (Threat + Malware defense + URL)
• TM (Threat + Malware defense)
• AMP
Duration: Subscription
Granted Capabilities:
• Secure Malware Analytics
• File storage
For details, see Malware Defense Licenses, on page 235 and License Requirements for File and Malware
Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.
License You Assign: URL Filtering
Subscription You Purchase:
• TC (Threat + URL)
• TMC (Threat + Malware defense + URL)
• URL
Duration: Subscription
Granted Capabilities: Category and reputation-based URL filtering. For details, see URL Filtering Licenses,
on page 236.
License You Assign: Management Center Virtual
Subscription You Purchase: Based on license type
Duration:
• Regular Smart Licensing: Perpetual
• Specific License Reservation: Subscription
Granted Capabilities: The platform license determines the number of devices the management center virtual
can manage. For details, see Management Center Virtual Licenses, on page 234.
License You Assign: Export-Controlled Features
Subscription You Purchase: No subscription required
Duration: Perpetual
Granted Capabilities: Features that are subject to national security, foreign policy, and anti-terrorism laws
and regulations; see Licensing for Export-Controlled Functionality, on page 237.
License You Assign: Remote Access VPN:
• AnyConnect Apex
• AnyConnect Plus
• AnyConnect VPN Only
Subscription You Purchase: Based on license type
Duration: Subscription or perpetual
Granted Capabilities: Remote access VPN configuration. Your account must allow export-controlled
functionality to configure remote access VPN. You select whether you meet export requirements when you
register the device. The threat defense can use any valid Secure Client license. The available features do not
differ based on license type. For more information, see Secure Client Licenses, on page 236 and VPN Licensing
in the Cisco Secure Firewall Management Center Device Configuration Guide.
Note
Subscription licenses are term-based licenses.
Management Center Virtual Licenses
The management center virtual requires a platform license that correlates with the number of devices it can
manage.
The management center virtual supports Smart Licensing.
In regular Smart Licensing, these licenses are perpetual.
In Specific License Reservation, these licenses are subscription-based.
Base Licenses
The Base license allows you to:
• Configure your devices to perform switching and routing (including DHCP relay and NAT)
• Configure devices as a high availability pair
• Configure clustering
• Implement user and application control by adding user and application conditions to access control rules
Secure Firewall 3100
You obtain a Base license when you purchase the Secure Firewall 3100.
Other Models
Except in deployments using Specific License Reservation, a Base license is automatically added to your
account when you register a device to the management center. For Specific License Reservation, you need to
add the Base license to your account.
Malware Defense Licenses
A Malware defense license lets you perform malware defense and Secure Malware Analytics. With this feature,
you can use devices to detect and block malware in files transmitted over your network. To support this feature
license, you can purchase the Malware defense (AMP) service subscription as a stand-alone subscription or
in combination with Threat (TM) or Threat and URL Filtering (TMC) subscriptions.
Note
Managed devices with Malware defense licenses enabled periodically attempt to connect to the Secure Malware
Analytics Cloud even if you have not configured dynamic analysis. Because of this, the device’s Interface
Traffic dashboard widget shows transmitted traffic; this is expected behavior.
You configure malware defense as part of a file policy, which you then associate with one or more access
control rules. File policies can detect your users uploading or downloading files of specific types over specific
application protocols. Malware defense allows you to use local malware analysis and file preclassification to
inspect a restricted set of those file types for malware. You can also download and submit specific file types
to the Secure Malware Analytics Cloud for dynamic and Spero analysis to determine whether they contain
malware. For these files, you can view the network file trajectory, which details the path the file has taken
through your network. The Malware license also allows you to add specific files to a file list and enable the
file list within a file policy, allowing those files to be automatically allowed or blocked on detection.
If you disable all your Malware defense licenses, the system stops querying the Secure Malware Analytics
Cloud, and also stops acknowledging retrospective events sent from the Secure Malware Analytics Cloud.
You cannot re-deploy existing access control policies if they include malware defense configurations. Note
that for a very brief time after a Malware defense license is disabled, the system can use existing cached file
dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.
Note that a Malware defense license is required only if you deploy malware defense and Secure Malware
Analytics. Without a Malware defense license, the management center can receive Secure Endpoint malware
events and indications of compromise (IOC) from the Secure Malware Analytics Cloud.
See also important information at License Requirements for File and Malware Policies in the Cisco Secure
Firewall Management Center Device Configuration Guide.
Threat Licenses
A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence
filtering:
• Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and,
optionally, drop offending packets.
• File control allows you to detect and, optionally, block users from uploading (sending) or downloading
(receiving) files of specific types over specific application protocols. Malware defense, which requires
a Malware defense license, allows you to inspect and block a restricted set of those file types based on
their dispositions.
• Security Intelligence filtering allows you to block —deny traffic to and from—specific IP addresses,
URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic
feeds allow you to immediately block connections based on the latest intelligence. Optionally, you can
use a “monitor-only” setting for Security Intelligence filtering.
You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering
(TC), Malware defense (TM), or both (TMC).
If you disable Threat on managed devices, the management center stops acknowledging intrusion and file
events from the affected devices. As a consequence, correlation rules that use those events as a trigger criteria
stop firing. Additionally, the management center will not contact the internet for either Cisco-provided or
third-party Security Intelligence information. You cannot re-deploy existing intrusion policies until you
re-enable Threat.
URL Filtering Licenses
The URL Filtering license allows you to write access control rules that determine the traffic that can traverse
your network based on URLs requested by monitored hosts, correlated with information about those URLs.
To support this feature license, you can purchase the URL Filtering (URL) service subscription as a stand-alone
subscription or in combination with Threat (TC) or Threat and Malware defense (TMC) subscriptions.
Tip
Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This
gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation
data to filter network traffic.
Although you can add category and reputation-based URL conditions to access control rules without a URL
Filtering license, the management center will not download URL information. You cannot deploy the access
control policy until you first add a URL Filtering license to the management center, then enable it on the
devices targeted by the policy.
If you disable the URL Filtering license on managed devices, you may lose access to URL filtering. If your
license expires or if you disable it, access control rules with URL conditions immediately stop filtering URLs,
and your management center can no longer download updates to URL data. You cannot re-deploy existing
access control policies if they include rules with category and reputation-based URL conditions.
Secure Client Licenses
You can configure remote access VPN using the Secure Client and standards-based IPSec/IKEv2.
To enable remote access VPN, you must purchase and enable one of the following licenses: AnyConnect
Plus, AnyConnect Apex, or AnyConnect VPN Only. You can select AnyConnect Plus and AnyConnect
Apex if you have both licenses and you want to use them both. The AnyConnect VPN Only license cannot
be used with Apex or Plus. The Secure Client license must be shared with the Smart Account. For more
instructions, see http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf.
You cannot deploy the remote access VPN configuration to the device if the specified device does not have
the entitlement for a minimum of one of the specified Secure Client license types. If the registered license
moves out of compliance or entitlements expire, the system displays licensing alerts and health events.
While using remote access VPN, your Smart Account must have the export controlled features (strong
encryption) enabled. The threat defense requires strong encryption (which is higher than DES) for successfully
establishing remote access VPN connections with Secure Clients.
You cannot deploy remote access VPN if the following are true:
• Smart Licensing on the management center is running in evaluation mode.
• Your Smart Account is not configured to use export-controlled features (strong encryption).
Licensing for Export-Controlled Functionality
Features that require export-controlled functionality
Certain software features are subject to national security, foreign policy, and anti-terrorism laws and regulations.
These export-controlled features include:
• Security certifications compliance
• Remote access VPN
• Site-to-site VPN with strong encryption
• SSH platform policy with strong encryption
• SSL policy with strong encryption
• Functionality such as SNMPv3 with strong encryption
How to determine whether export-controlled functionality is currently enabled for your system
To determine whether export-controlled functionality is currently enabled for your system: Go to System >
Licenses > Smart Licenses and see if Export-Controlled Features displays Enabled.
About enabling export-controlled functionality
If Export-Controlled Features shows Disabled and you want to use features that require strong encryption,
there are two ways to enable strong cryptographic features. Your organization may be eligible for one or the
other (or neither), but not both.
• If there is no option to enable export-controlled functionality when you generate a new Product Instance
Registration Token in the Smart Software Manager, contact your account representative.
When approved by Cisco, you can manually add a strong encryption license to your account so you can
use export-controlled features. For more information, see Enable the Export Control Feature for Accounts
Without Global Permission, on page 253
• If the option “Allow export-controlled functionality on the products registered with this token” appears
when you generate a new Product Instance Registration Token in the Smart Software Manager, make
sure you check it before generating the token.
If you did not enable export-controlled functionality for the Product Instance Registration Token that
you used to register the management center, then you must deregister and then re-register the management
center using a new Product Instance Registration Token with export-controlled functionality enabled.
If you registered devices to the management center in evaluation mode or before you enabled strong encryption
on the management center, reboot each managed device to make strong encryption available. In a high
availability deployment, the active and standby devices must be rebooted together to avoid an Active-Active
condition.
The entitlement is perpetual and does not require a subscription.
More Information
For general information about export controls, see https://www.cisco.com/c/en/us/about/legal/global-export-trade.html.
Threat Defense Virtual Licenses
This section describes the performance-tiered license entitlements available for the threat defense virtual.
Any threat defense virtual license can be used on any supported threat defense virtual vCPU/memory
configuration. This allows threat defense virtual customers to run on a wide variety of VM resource footprints.
This also increases the number of supported AWS and Azure instance types. When configuring the threat
defense virtual VM, the maximum supported number of cores (vCPUs) is 16, and the maximum supported
memory is 32 GB RAM.
Performance Tiers for Threat Defense Virtual Smart Licensing
Session limits for RA VPNs are determined by the installed threat defense virtual platform entitlement tier,
and enforced via a rate limiter. The following table summarizes the session limits based on the entitlement
tier and rate limiter.
Table 13: Threat Defense Virtual Licensed Feature Limits Based on Entitlement

Performance Tier     Device Specifications (Core/RAM)   Rate Limit   RA VPN Session Limit
FTDv5, 100Mbps       4 core/8 GB                        100Mbps      50
FTDv10, 1Gbps        4 core/8 GB                        1Gbps        250
FTDv20, 3Gbps        4 core/8 GB                        3Gbps        250
FTDv30, 5Gbps        8 core/16 GB                       5Gbps        250
FTDv50, 10Gbps       12 core/24 GB                      10Gbps       750
FTDv100, 16Gbps      16 core/32 GB                      16Gbps       10,000
Threat Defense Virtual Performance Tier Licensing Guidelines and Limitations
Please keep the following guidelines and limitations in mind when licensing your threat defense virtual device.
• The threat defense virtual supports performance-tiered licensing that provides different throughput levels
and VPN connection limits based on deployment requirements.
• Any threat defense virtual license can be used on any supported threat defense virtual core/memory
configuration. This allows the threat defense virtual customers to run on a wide variety of VM resource
footprints.
• You can select a performance tier when you deploy the threat defense virtual, whether your device is in
evaluation mode or is already registered with Cisco Smart Software Manager.
Note
Make sure your Smart Licensing account contains the available licenses you need.
It’s important to choose the tier that matches the license you have in your account.
If you are upgrading your threat defense virtual to Version 7.0, you can choose
FTDv - Variable to maintain your current license compliance. Your threat defense
virtual continues to perform with session limits based on your device capabilities
(number of cores/RAM).
• The default performance tier is FTDv50 when deploying a new threat defense virtual device, or when
provisioning the threat defense virtual using the REST API.
• Base licenses are subscription-based and mapped to performance tiers. Your virtual account needs to
have the Base license entitlements for the threat defense virtual devices, as well as for IPS , malware
defense, and Secure Firewall Threat Defense URL Filtering licenses.
• Each HA peer consumes one entitlement, and the entitlements on each HA peer must match, including
Base license.
• A change in performance tier for an HA pair should be applied to the primary peer.
• You assign feature licenses to the cluster as a whole, not to individual nodes. However, each node of the
cluster consumes a separate license for each feature. The clustering feature itself does not require any
licenses.
• Universal PLR licensing is applied to each device in an HA pair separately. The secondary device will
not automatically mirror the performance tier of the primary device. It must be updated manually.
License PIDs
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart
Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions
search field on the Cisco Commerce Workspace. Search for the following license Product IDs (PIDs).
Figure 8: License Search
Management Center Virtual PIDs
• VMware:
• SF-FMC-VMW-2-K9—2 devices
• SF-FMC-VMW-10-K9—10 devices
• SF-FMC-VMW-K9—25 devices
• SF-FMC-VMW-300-K9—300 devices
• KVM:
• SF-FMC-KVM-2-K9—2 devices
• SF-FMC-KVM-10-K9—10 devices
• SF-FMC-KVM-K9—25 devices
• PAK-based VMware:
• FS-VMW-2-SW-K9—2 devices
• FS-VMW-10-SW-K9—10 devices
• FS-VMW-SW-K9—25 devices
Threat Defense Virtual PIDs
When you order FTDV-SEC-SUB, you must choose a base license and optional feature licenses (12 month
term):
• Base license:
• FTD-V-5S-BSE-K9
• FTD-V-10S-BSE-K9
• FTD-V-20S-BSE-K9
• FTD-V-30S-BSE-K9
• FTD-V-50S-BSE-K9
• FTD-V-100S-BSE-K9
• Threat, Malware defense, and URL license combination:
• FTD-V-5S-TMC
• FTD-V-10S-TMC
• FTD-V-20S-TMC
• FTD-V-30S-TMC
• FTD-V-50S-TMC
• FTD-V-100S-TMC
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 1010 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR1010T-TMC=
When you add the above PID to your order, you can then choose a term-based subscription corresponding
with one of the following PIDs:
• L-FPR1010T-TMC-1Y
• L-FPR1010T-TMC-3Y
• L-FPR1010T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 1100 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR1120T-TMC=
• L-FPR1140T-TMC=
• L-FPR1150T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR1120T-TMC-1Y
• L-FPR1120T-TMC-3Y
• L-FPR1120T-TMC-5Y
• L-FPR1140T-TMC-1Y
• L-FPR1140T-TMC-3Y
• L-FPR1140T-TMC-5Y
• L-FPR1150T-TMC-1Y
• L-FPR1150T-TMC-3Y
• L-FPR1150T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 2100 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR2110T-TMC=
• L-FPR2120T-TMC=
• L-FPR2130T-TMC=
• L-FPR2140T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR2110T-TMC-1Y
• L-FPR2110T-TMC-3Y
• L-FPR2110T-TMC-5Y
• L-FPR2120T-TMC-1Y
• L-FPR2120T-TMC-3Y
• L-FPR2120T-TMC-5Y
• L-FPR2130T-TMC-1Y
• L-FPR2130T-TMC-3Y
• L-FPR2130T-TMC-5Y
• L-FPR2140T-TMC-1Y
• L-FPR2140T-TMC-3Y
• L-FPR2140T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Secure Firewall 3100 PIDs
• Base license:
• L-FPR3110-BSE=
• L-FPR3120-BSE=
• L-FPR3130-BSE=
• L-FPR3140-BSE=
• Threat, Malware defense, and URL license combination:
• L-FPR3110T-TMC=
• L-FPR3120T-TMC=
• L-FPR3130T-TMC=
• L-FPR3140T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR3110T-TMC-1Y
• L-FPR3110T-TMC-3Y
• L-FPR3110T-TMC-5Y
• L-FPR3120T-TMC-1Y
• L-FPR3120T-TMC-3Y
• L-FPR3120T-TMC-5Y
• L-FPR3130T-TMC-1Y
• L-FPR3130T-TMC-3Y
• L-FPR3130T-TMC-5Y
• L-FPR3140T-TMC-1Y
• L-FPR3140T-TMC-3Y
• L-FPR3140T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 4100 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR4110T-TMC=
• L-FPR4112T-TMC=
• L-FPR4115T-TMC=
• L-FPR4120T-TMC=
• L-FPR4125T-TMC=
• L-FPR4140T-TMC=
• L-FPR4145T-TMC=
• L-FPR4150T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR4110T-TMC-1Y
• L-FPR4110T-TMC-3Y
• L-FPR4110T-TMC-5Y
• L-FPR4112T-TMC-1Y
• L-FPR4112T-TMC-3Y
• L-FPR4112T-TMC-5Y
• L-FPR4115T-TMC-1Y
• L-FPR4115T-TMC-3Y
• L-FPR4115T-TMC-5Y
• L-FPR4120T-TMC-1Y
• L-FPR4120T-TMC-3Y
• L-FPR4120T-TMC-5Y
• L-FPR4125T-TMC-1Y
• L-FPR4125T-TMC-3Y
• L-FPR4125T-TMC-5Y
• L-FPR4140T-TMC-1Y
• L-FPR4140T-TMC-3Y
• L-FPR4140T-TMC-5Y
• L-FPR4145T-TMC-1Y
• L-FPR4145T-TMC-3Y
• L-FPR4145T-TMC-5Y
• L-FPR4150T-TMC-1Y
• L-FPR4150T-TMC-3Y
• L-FPR4150T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Firepower 9300 PIDs
• Threat, Malware defense, and URL license combination:
• L-FPR9K-24T-TMC=
• L-FPR9K-36T-TMC=
• L-FPR9K-40T-TMC=
• L-FPR9K-44T-TMC=
• L-FPR9K-48T-TMC=
• L-FPR9K-56T-TMC=
When you add one of the above PIDs to your order, you can then choose a term-based subscription
corresponding with one of the following PIDs:
• L-FPR9K-24T-TMC-1Y
• L-FPR9K-24T-TMC-3Y
• L-FPR9K-24T-TMC-5Y
• L-FPR9K-36T-TMC-1Y
• L-FPR9K-36T-TMC-3Y
• L-FPR9K-36T-TMC-5Y
• L-FPR9K-40T-TMC-1Y
• L-FPR9K-40T-TMC-3Y
• L-FPR9K-40T-TMC-5Y
• L-FPR9K-44T-TMC-1Y
• L-FPR9K-44T-TMC-3Y
• L-FPR9K-44T-TMC-5Y
• L-FPR9K-48T-TMC-1Y
• L-FPR9K-48T-TMC-3Y
• L-FPR9K-48T-TMC-5Y
• L-FPR9K-56T-TMC-1Y
• L-FPR9K-56T-TMC-3Y
• L-FPR9K-56T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
ISA 3000 PIDs
• Threat, Malware defense, and URL license combination:
• L-ISA3000T-TMC=
When you add the above PID to your order, you can then choose a term-based subscription corresponding
with one of the following PIDs:
• L-ISA3000T-TMC-1Y
• L-ISA3000T-TMC-3Y
• L-ISA3000T-TMC-5Y
• RA VPN—See the Cisco AnyConnect Ordering Guide.
Requirements and Prerequisites for Licensing
For Specific License Reservation requirements, see Requirements and Prerequisites for Specific License
Reservation, on page 261.
General Prerequisites
• Make sure NTP is configured on the management center and managed devices. Time must be synchronized
for registration to succeed.
For a Firepower 4100/9300, you must configure NTP on the chassis using the same NTP server for the
chassis as for the management center.
Supported Domains
Global, except where indicated.
User Roles
• Admin
Requirements and Prerequisites for Licensing for High Availability, Clustering,
and Multi-Instance
This section describes the licensing requirements for High Availability (for device High Availability and also
management center virtual High Availability), clustering, and multi-instance deployments.
Licensing for Management Center High Availability
Each device requires the same licenses whether managed by a single management center or by management
centers in a high availability pair (hardware or virtual).
Example: If you want to enable advanced malware protection for two devices managed by a management
center pair, buy two Malware licenses and two TM subscriptions, register the active management center with
the Smart Software Manager, then assign the licenses to the two devices on the active management center.
Only the active management center is registered with the Smart Software Manager. When failover occurs,
the system communicates with Smart Software Manager to release the license entitlements from the
originally-active management center and assign them to the newly-active management center.
In Specific License Reservation deployments, only the primary management center requires a Specific License
Reservation.
Hardware Management Center
No special license is required for hardware management centers in a high availability pair.
Management Center Virtual
You will need two identically licensed management center virtuals.
Example: For the management center virtual high availability pair managing 10 devices, you can use:
• Two (2) management center virtual 10 entitlements
• 10 device licenses
If you break the high availability pair, the management center virtual entitlements associated with the secondary
management center virtual are released. (In the example, you would then have two standalone management
center virtual 10s.)
Licensing for Device High-Availability
Both threat defense units in a high availability configuration must have the same licenses.
High availability configurations require two license entitlements: one for each device in the pair.
Before high availability is established, it does not matter which licenses are assigned to the secondary/standby
device. During high availability configuration, the management center releases any unnecessary licenses
assigned to the standby unit and replaces them with identical licenses assigned to the primary/active unit. For
example, if the active unit has a Base license and a Threat license, and the standby unit has only a Base license,
the management center communicates with the Smart Software Manager to obtain an available Threat license
from your account for the standby unit. If your license account does not include enough purchased entitlements,
your account becomes Out-of-Compliance until you purchase the correct number of licenses.
Licensing for Device Clusters
Each threat defense virtual cluster node requires the same performance tier license. We recommend using the
same number of CPUs and memory for all members, or else performance will be limited on all nodes to match
the least capable member. The throughput level will be replicated from the control node to each data node so
they match.
You assign feature licenses to the cluster as a whole, not to individual nodes. However, each node of the
cluster consumes a separate license for each feature. The clustering feature itself does not require any licenses.
When you add the control node to the management center, you can specify the feature licenses you want to
use for the cluster. Before you create the cluster, it doesn't matter which licenses are assigned to the data
nodes; the license settings for the control node are replicated to each of the data nodes. You can modify licenses
for the cluster in the Devices > Device Management > Cluster > License area.
Note
If you add the cluster before the management center is licensed (and running in Evaluation mode), then when
you license the management center, you can experience traffic disruption when you deploy policy changes
to the cluster. Changing to licensed mode causes all data units to leave the cluster and then rejoin.
Licensing for Multi-Instance Deployments
All licenses are consumed per security engine/chassis (for the Firepower 4100) or per security module (for
the Firepower 9300), and not per container instance. See the following details:
• Base licenses are automatically assigned: one per security module/engine.
• Feature licenses are manually assigned to each instance; but you only consume one license per feature
per security module/engine. For example, for the Firepower 9300 with 3 security modules, you only need
one URL Filtering license per module for a total of 3 licenses, regardless of the number of instances in
use.
• For High Availability, see License Requirements for Threat Defense Devices in a High Availability Pair.
For example:
Table 14: License Usage for Container Instances on a Firepower 9300

Firepower 9300       Instance     Licenses
Security Module 1    Instance 1   Base, URL Filtering, Malware
                     Instance 2   Base, URL Filtering
                     Instance 3   Base, URL Filtering
Security Module 2    Instance 4   Base, Threat
                     Instance 5   Base, URL Filtering, Malware, Threat
                     Instance 6   Base, Malware, Threat
                     Instance 7   Base, Threat
Security Module 3

Table 15: Total Number of Licenses

Base   URL Filtering   Malware   Threat
3      2               3         2
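The per-module consumption rule above is easy to get wrong when sizing an order, because the instance list makes it look as if each instance needs its own feature license. The following script is an added example, not Cisco's code; it computes how many licenses a container-instance layout actually consumes (one Base per module, and one license per feature per module that has at least one instance using that feature) and contrasts it with the naive per-instance count. The instance table is constructed: modules 1 and 2 copy Table 14, and the single module 3 instance is an assumption chosen so the totals agree with Table 15.

```python
"""License consumption for container instances on a Firepower 4100/9300.

Added example, not Cisco's code. Licenses are consumed per security
module/engine, not per container instance: Base is one per module, and a
feature license is consumed once per module in which any instance uses
that feature. The instance table below is constructed; module 3 is an
assumed entry that makes the totals match Table 15.
"""
from collections import Counter, defaultdict

FEATURES = ("Base", "URL Filtering", "Malware", "Threat")

# (security module, instance name, feature licenses assigned to the instance)
INSTANCES = [
    (1, "Instance 1", {"Base", "URL Filtering", "Malware"}),
    (1, "Instance 2", {"Base", "URL Filtering"}),
    (1, "Instance 3", {"Base", "URL Filtering"}),
    (2, "Instance 4", {"Base", "Threat"}),
    (2, "Instance 5", {"Base", "URL Filtering", "Malware", "Threat"}),
    (2, "Instance 6", {"Base", "Malware", "Threat"}),
    (2, "Instance 7", {"Base", "Threat"}),
    (3, "Instance 8", {"Base", "Malware", "Threat"}),  # assumed, not from Table 14
]


def licenses_per_module(instances):
    """Union of the features used on each module; Base is always present
    because it is assigned automatically, one per module/engine."""
    per_module = defaultdict(set)
    for module, _name, feats in instances:
        per_module[module].update(feats)
        per_module[module].add("Base")
    return dict(per_module)


def total_licenses(instances):
    """Licenses actually consumed: count modules using each feature."""
    per_module = licenses_per_module(instances)
    return {
        feat: sum(1 for feats in per_module.values() if feat in feats)
        for feat in FEATURES
    }


def per_instance_count(instances):
    """What you would (wrongly) order if you counted per instance."""
    counts = Counter()
    for _module, _name, feats in instances:
        counts.update(feats | {"Base"})
    return {feat: counts[feat] for feat in FEATURES}


if __name__ == "__main__":
    for module, feats in sorted(licenses_per_module(INSTANCES).items()):
        print(f"Security Module {module}: {', '.join(sorted(feats))}")
    print("consumed:    ", total_licenses(INSTANCES))
    print("per-instance:", per_instance_count(INSTANCES))
```

Run it and the consumed totals come out as Base 3, URL Filtering 2, Malware 3, Threat 2, while the per-instance count would have you buy Base 8, URL Filtering 4, Malware 4, Threat 5.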
Create a Smart Account and Add Licenses
You should set up this account before you purchase licenses.
Before you begin
Your account representative or reseller may have set up a Smart Account on your behalf. If so, obtain the
necessary information to access the account from that person instead of using this procedure, then verify that
you can access the account.
For general information about Smart Accounts, see http://www.cisco.com/go/smartaccounts.
Procedure
Step 1
Request a Smart Account:
For instructions, see https://community.cisco.com/t5/licensing-enterprise-agreements/request-a-smart-account-for-customers/ta-p/3636515?attachment-id=150577.
For additional information, see https://communities.cisco.com/docs/DOC-57261.
Step 2
Wait for an email telling you that your Smart Account is ready to set up. When it arrives, click the link it
contains, as directed.
Step 3
Set up your Smart Account:
Go here: https://software.cisco.com/software/company/smartaccounts/home?route=module/accountcreation.
For instructions, see https://community.cisco.com/t5/licensing-enterprise-agreements/complete-smart-account-setup-for-customers/ta-p/3636631?attachment-id=132604.
Step 4
Verify that you can access the account in the Smart Software Manager.
Go to https://software.cisco.com/#module/SmartLicensing and sign in.
Step 5
Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart
Account. However, if you need to add licenses yourself, see Cisco Commerce Workspace. For license PIDs,
see License PIDs, on page 239.
Configure Smart Licensing
This section describes how to use Smart Licensing using the Smart Software Manager or the Smart Software
Manager On-Prem. To use Specific License Reservation, see Configure Specific License Reservation (SLR),
on page 261.
Register the Management Center for Smart Licensing
You can register the management center directly to the Smart Software Manager over the internet, or when
using an air-gapped network, with the Smart Software Manager On-Prem.
Register the Management Center with the Smart Software Manager
Register the management center with the Smart Software Manager.
Before you begin
• Make sure your Smart Licensing account contains the available licenses you need.
When you bought your device from Cisco or a reseller, your licenses should have been linked to your
Smart Account. However, if you need to add licenses yourself, see Cisco Commerce Workspace. For
license PIDs, see License PIDs, on page 239.
• Ensure that the management center can reach the Smart Software Manager at tools.cisco.com:443.
• Make sure you configure NTP. During registration, a key exchange occurs between the Smart Agent and
the Smart Software Manager, so time must be in sync for proper registration.
For the Firepower 4100/9300, you must configure NTP on the chassis using the same NTP server for
the chassis as for the management center.
• If your organization has multiple management centers, make sure each management center has a unique
name that clearly identifies and distinguishes it from other management centers that may be registered
to the same virtual account. This name is critical for managing your Smart License entitlements and
ambiguous names will lead to problems later.
Procedure
Step 1
In the Smart Software Manager, request and copy a registration token for the virtual account to which you
want to add this device.
a) Click Inventory.
b) On the General tab, click New Token.
c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:
• Description
• Expire After—Cisco recommends 30 days.
• Allow export-controlled functionality on the products registered with this token—Enables the
export-compliance flag if you are in a country that allows for strong encryption. You must select this
option now if you plan to use this functionality. If you enable this functionality later, you will need
to re-register your device with a new product key and reload the device. If you do not see this option,
your account does not support export-controlled functionality.
The token is added to your inventory.
d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID
to your clipboard. Keep this token ready for later in the procedure when you need to register the threat
defense.
Figure 9: View Token
Figure 10: Copy Token
Step 2
In the management center, choose System > Licenses > Smart Licenses.
Step 3
Click Register.
Step 4
Paste the token you generated from Smart Software Manager into the Product Instance Registration Token
field.
Make sure there are no empty spaces or blank lines at the beginning or end of the text.
Step 5
Decide whether to send usage data to Cisco.
• Enable Cisco Success Network is enabled by default. You can click sample data to see the kind of
data Cisco collects. For more information, see Configure Cisco Success Network Enrollment, on page
575.
• Enable Cisco Support Diagnostics is disabled by default. You can review the kind of data Cisco collects
in the link provided above the check box. For more information, see Configure Cisco Support Diagnostics
Enrollment, on page 576.
Note
• When enabled, Cisco Support Diagnostics is enabled in the devices in the next sync cycle.
The management center sync with the device runs once every 30 minutes.
• When enabled, Cisco Support Diagnostics is enabled automatically on any new device
registered in this management center.
Step 6
Click Apply Changes.
What to do next
• Add your devices to the management center; see Add a Device to the Management Center.
• Assign licenses to your devices; see Assign Licenses to Multiple Managed Devices, on page 255.
Register the Management Center with the Smart Software Manager On-Prem
As described in Periodic Communication with the Smart Software Manager, on page 231, the management
center must communicate regularly with Cisco to maintain your license entitlement. If you have one of the
following situations, you might want to use a Smart Software Manager On-Prem (formerly known as "Smart
Software Satellite Server") as a proxy for connections to the Smart Software Manager:
• Your management center is offline or otherwise has limited or no connectivity (in other words, is deployed
in an air-gapped network.)
(For an alternate solution for air-gapped networks, see Licensing Options for Air-Gapped Deployments,
on page 230.)
• Your management center has permanent connectivity, but you want to manage your Smart Licenses via
a single connection from your network.
The Smart Software Manager On-Prem allows you to schedule synchronization or manually synchronize
Smart License authorization with the Smart Software Manager.
For more information about the Smart Software Manager On-Prem, see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html#~on-prem.
Procedure
Step 1
Deploy and set up Smart Software Manager On-Prem.
• See the documentation for the Smart Software Manager On-Prem, available from https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html#~on-prem.
• Make a note of the CN of the TLS/SSL certificate on your Smart Software Manager On-Prem.
• Go to http://www.cisco.com/security/pki/certs/clrca.cer and copy the entire body of the TLS/SSL certificate
(from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----") into a place you can access
during configuration.
Step 2
Register the management center with the Smart Software Manager On-Prem.
a) Choose System > Integration.
b) Click Smart Software Satellite.
c) Select Connect to Cisco Smart Software Satellite Server.
d) Enter the URL of your Smart Software Manager On-Prem, using the CN value you collected in the
prerequisites of this procedure, in the following format:
https://FQDN_or_hostname_of_your_SSM_On-Prem/Transportgateway/services/DeviceRequestHandler
The FQDN or hostname must match the CN value of the certificate presented by your Smart Software
Manager On-Prem.
e) Add a new SSL Certificate and paste the certificate text that you copied earlier.
f) Click Apply.
g) Select System > Licenses > Smart Licenses and click Register.
h) Create a new token on Smart Software Manager On-Prem.
i) Copy the token.
j) Paste the token into the form on the management center page.
k) Click Apply Changes.
The management center is now registered to Smart Software Manager On-Prem.
Step 3
After you assign licenses to devices, synchronize Smart Software Manager On-Prem to the Smart Software
Manager.
See the Smart Software Manager On-Prem documentation, above.
Step 4
Schedule ongoing synchronization times.
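The registration in Step 2 fails with a certificate error when the host in the URL does not match the CN of the certificate your Smart Software Manager On-Prem presents, so it is worth checking both values before you click Apply. The following POSIX shell script is an added example and is not part of this guide or of Cisco's tooling. It builds the URL in the exact format Step 2d requires, pulls the subject CN out of a PEM certificate with openssl, and compares the two. It assumes the openssl command-line tool is installed; the hostname ssm-onprem.example.com and the throwaway self-signed certificate it generates are constructed stand-ins for your real On-Prem server and the certificate you noted in Step 1.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Checks that the SSM On-Prem URL you
# are about to enter in the management center matches the certificate CN.
# Path is the one the guide specifies; the hostname is a constructed value.

SSM_PATH="/Transportgateway/services/DeviceRequestHandler"

# Print the subject CN of a PEM certificate file (RFC2253 output puts the
# attributes in a comma-separated list, so cut the CN value out of it).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Build the URL from a hostname, in the format Step 2d requires.
ssm_url() {
  printf 'https://%s%s\n' "$1" "$SSM_PATH"
}

# Extract the host from an https:// URL (drops scheme, port and path).
url_host() {
  printf '%s\n' "$1" | sed -e 's#^https://##' -e 's#[/:].*$##'
}

# Return 0 when the URL host equals the certificate CN, 1 otherwise.
# A mismatch here is what makes the management center reject the On-Prem
# server during registration, so fix it before clicking Apply.
check_ssm_url() {
  url="$1"
  cert="$2"
  host=$(url_host "$url")
  cn=$(cert_cn "$cert")
  if [ "$host" = "$cn" ]; then
    echo "OK: URL host '$host' matches certificate CN"
    return 0
  fi
  echo "MISMATCH: URL host '$host' != certificate CN '$cn'" >&2
  return 1
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# the one your SSM On-Prem presents. Against a real server, capture it with
#   openssl s_client -connect <host>:443 -showcerts </dev/null
# and feed the first certificate block to check_ssm_url instead.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ssm-onprem.example.com" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Run with "demo" to see a matching URL and one built from an IP address,
# which fails because an IP is never equal to the certificate CN.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_sample_cert "$tmp/ssm.pem"
  check_ssm_url "$(ssm_url ssm-onprem.example.com)" "$tmp/ssm.pem"
  check_ssm_url "$(ssm_url 10.0.0.5)" "$tmp/ssm.pem" || true
  rm -rf "$tmp"
fi
```

The IP-address case is the common mistake: the management center can reach the On-Prem server by address, but the URL must use the name that appears as the CN, and that same name has to resolve from the management center.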
Enable the Export Control Feature for Accounts Without Global Permission
If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed
to use strong encryption, you can manually add a strong encryption license to your account.
Before you begin
• Make sure that your deployment does not already support the export-controlled functionality.
If your deployment supports export-controlled features, you will see an option that allows you to enable
export-controlled functionality in the Create Registration Token page in the Smart Software Manager.
For more information, see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html.
• Make sure your deployment is not using an evaluation license.
• In the Smart Software Manager, on the Inventory > Licenses page, verify that you have the license that
corresponds to your management center:
Export Control License                                   Management Center Model
Cisco Virtual FMC Series Strong Encryption (3DES/AES)    All management center virtuals
Cisco FMC 1K Series Strong Encryption (3DES/AES)         1000, 1600
Cisco FMC 2K Series Strong Encryption (3DES/AES)         2500, 2600
Cisco FMC 4K Series Strong Encryption (3DES/AES)         4500, 4600
Procedure
Step 1
Choose System > Licenses > Smart Licenses .
Note
If you already see a Request Export Key button, your account is approved for the export-controlled functionality
and you can proceed to use the required feature.
Step 2
Click Request Export Key to generate an export key.
Tip
If the export control key request fails, make sure that your virtual account has a valid Export Control
license.
To disable the export control license later, click Return Export Key.
What to do next
You can now deploy configurations or policies that use the export-controlled features.
Remember
The new export-controlled license and the features it enables do not take effect on the threat defense
devices until the devices are rebooted. Until then, only the features supported by the previous license are
active.
In high availability deployments, reboot both threat defense devices at the same time to avoid an
Active-Active condition.
Assign Licenses to Devices
You can assign most licenses when you register a device to the management center. You can also assign
licenses per device, or for multiple devices.
Assign Licenses to a Single Device
Although there are some exceptions, you cannot use the features associated with a license if you disable it on
a managed device.
Note
For container instances on the same security module/engine, you apply the license to each instance; note that
the security module/engine consumes only one license per feature for all instances on the security
module/engine.
Note
For the threat defense cluster, you apply the licenses to the cluster as a whole; note that each unit in the cluster
consumes a separate license per feature.
Before you begin
You must have Admin or Network Admin privileges to perform this task. When operating with multiple
domains, you must do this task in leaf domains.
Procedure
Step 1
Choose Devices > Device Management.
Step 2
Next to the device where you want to assign or disable a license, click Edit.
In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.
Step 3
Click Device.
Step 4
Next to the License section, click Edit.
Step 5
Check or clear the appropriate check boxes to assign or disable licenses for the device.
Step 6
Click Save.
Step 7
Deploy configuration changes; see Deploy Configuration Changes.
What to do next
Verify license status: Go to System > Licenses > Smart Licenses, enter the hostname or IP address of
the device into the filter at the top of the Smart Licenses table, and verify that only a green circle with a Check
Mark appears for each device, for each license type. If you see any other icon, hover over the icon for
more information.
Assign Licenses to Multiple Managed Devices
Devices managed by the management center obtain their licenses via the management center, not directly
from the Smart Software Manager.
Use this procedure to enable licensing on multiple devices at once.
Note
For container instances on the same security module/engine, you apply the license to each instance; note that
the security module/engine consumes only one license per feature for all instances on the security
module/engine.
Note
For the threat defense cluster, you apply the licenses to the cluster as a whole; note that each unit in the cluster
consumes a separate license per feature.
Procedure
Step 1
Choose System > Licenses > Smart Licenses or Specific Licenses.
Step 2
Click Edit Licenses.
Step 3
For each type of license you want to add to a device:
a) Click the tab for that type of license.
b) Click a device in the list on the left.
c) Click Add to move that device to the list on the right.
d) Repeat for each device to receive that type of license.
For now, don't worry about whether you have licenses for all of the devices you want to add.
e) Repeat this subprocedure for each type of license you want to add.
f) To remove a license, click Delete next to the device.
g) Click Apply.
What to do next
Verify that your licenses are correctly installed. Follow the procedure in Monitoring Smart Licenses, on page
258.
Manage Smart Licensing
This section describes how to manage Smart Licensing.
Deregister the Management Center
Deregister your management center from the Smart Software Manager to release all of the license entitlements
back to your Smart Account so they can be used for other devices. For example, deregister if you need to
decommission the management center or reimage it.
See Unregistered State, on page 232 for more information about license enforcement in an unregistered state.
Procedure
Step 1
Choose System > Licenses > Smart Licenses.
Step 2
Click Deregister.
Synchronize or Reauthorize the Management Center
By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed
every 30 days. You might want to manually renew the registration for either of these items if you have a
limited window for internet access, or if you make any licensing changes in the Smart Software Manager, for
example.
Procedure
Step 1
Choose System > Licenses > Smart Licenses.
Step 2
To renew the ID certificate, click Synchronize.
Step 3
To renew the license entitlements, click Re-Authorize.
Monitoring Smart License Status
The Smart License Status section of the System > Licenses > Smart Licenses page provides an overview
of license usage on the management center, as described below.
Usage Authorization
Possible status values are:
• In-compliance — All licenses assigned to managed devices are in compliance and the management
center is communicating successfully with the Smart Software Manager.
• License is in compliance but communication with licensing authority has failed— Device licenses
are in compliance, but the management center is not able to communicate with the Cisco licensing
authority.
• Out-of-compliance icon or unable to communicate with License Authority— One or more managed
devices is using a license that is out of compliance, or the management center has not communicated
with the Smart Software Manager in more than 90 days.
Product Registration
Specifies the last date when the management center contacted the Smart Software Manager and registered.
Assigned Virtual Account
Specifies the Virtual Account under the Smart Account that you used to generate the Product Instance
Registration Token and register the management center. If this deployment is not associated with a particular
virtual account within your Smart Account, this information is not displayed.
Export-Controlled Features
If this option is enabled, you can deploy restricted features. For details, see Licensing for Export-Controlled
Functionality, on page 237.
Cisco Success Network
Specifies whether you have enabled Cisco Success Network for the management center. If this option is
enabled, you provide usage information and statistics to Cisco which are essential to provide you with technical
support. This information also allows Cisco to improve the product and make you aware of unused available
features so that you can maximize the value of the product in your network. See Configure Cisco Success
Network Enrollment, on page 575 for more information.
Monitoring Smart Licenses
To view the license status for the management center and its managed devices, use the Smart Licenses page.
For each type of license in your deployment, the page lists the total number of licenses consumed, whether
the license is in compliance or out of compliance, the device type, and the domain and group where the device
is deployed. You can also view the management center's Smart License Status. Container instances on the
same security module/engine only consume one license per security module/engine. Therefore, even though
the management center lists each container instance separately under each license type, the number of licenses
consumed for feature license types will only be one.
Other than the Smart Licenses page, there are a few other ways you can view licenses:
• The Product Licensing dashboard widget provides an at-a-glance overview of your licenses.
See Adding Widgets to a Dashboard, on page 319 and Dashboard Widget Availability by User Role, on
page 307 and The Product Licensing Widget, on page 316.
• The Device Management page (Devices > Device Management) lists the licenses applied to each of
your managed devices.
• The Smart License Monitor health module communicates license status when used in a health policy.
Procedure
Step 1
Choose System > Licenses > Smart Licenses.
Step 2
In the Smart Licenses table, click the arrow at the left side of each License Type folder to expand that folder.
Step 3
In each folder, verify that each device has a green circle with a Check Mark in the License Status column.
Note
If you see duplicate management center virtual licenses, each represents one managed device.
If all devices show a green circle with a Check Mark, your devices are properly licensed and ready to use.
If you see any License Status other than a green circle with a Check Mark, hover over the status icon
to view the message.
What to do next
• If you had any devices that did not have a green circle with a Check Mark, you may need to
purchase more licenses.
Troubleshooting Smart Licensing
Expected Licenses Do Not Appear in My Smart Account
If the licenses you expect to see are not in your Smart Account, try the following:
• Make sure they are not in a different Virtual Account. Your organization's license administrator may
need to assist you with this.
• Check with the person who sold you the licenses to be sure that transfer to your account is complete.
Unable to Connect to Smart License Server
Check the obvious causes first. For example, make sure your management center has outside connectivity.
See Internet Access Requirements, on page 1004.
Unexpected Out-of-Compliance Notification or Other Error
• If a device is already registered to a different management center, you need to deregister the original
management center before you can license the device under a new management center. See Deregister
the Management Center, on page 256.
• Management Center Virtual instance only - Make sure that the virtual account does not have only perpetual
tags when you switch to subscription licensing.
• Check if the term of the subscription license has expired.
Troubleshoot Other Issues
For solutions to other common issues, see https://www.cisco.com/c/en/us/support/docs/security/
firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html
Convert a Classic License for Use on the Threat Defense
You can convert licenses using either the License Registration Portal or the Smart Software Manager, and
you can convert an unused Product Authorization Key (PAK) or a Classic license that has already been
assigned to a device.
Note
You cannot undo this process. You cannot convert a Smart License to a Classic license, even if the license
was originally a Classic license.
In documentation on Cisco.com, Classic licenses may also be referred to as "traditional" licenses.
Before you begin
• It is easiest to convert a Classic license to a Smart License when it is still an unused PAK that has not
yet been assigned to a product instance.
• Your hardware must be able to run threat defense. See the Cisco Firepower Compatibility Guide at
https://www.cisco.com/c/en/us/support/security/defense-center/products-device-support-tables-list.html.
• You must have a Smart Account. If you do not have one, create one. See Create a Smart Account and
Add Licenses, on page 248.
• The PAKs or licenses that you want to convert must appear in your Smart Account.
• If you convert using the License Registration Portal instead of the Smart Software Manager, you must
have your Smart Account credentials in order to initiate the conversion process.
Procedure
Step 1
The conversion process you follow depends on whether or not the license has been consumed:
• If the PAK that you want to convert has never been used, follow instructions for converting a PAK.
• If the PAK you want to convert has already been assigned to a device, follow instructions for converting
a Classic license.
Make sure your existing classic license is still registered to your device.
Step 2
See instructions for your type of conversion (PAK or installed Classic license) in the following documentation:
• To convert PAKs or licenses using the License Registration Portal:
• To view a video that steps you through the License Registration Portal part of the conversion process,
click https://salesconnect.cisco.com/#/content-detail/7da52358-0fc1-4d85-8920-14a1b7721780.
• Search for "Convert" in the following document: https://cisco.app.box.com/s/
mds3ab3fctk6pzonq5meukvcpjizt7wu.
There are three conversion procedures. Choose the conversion procedure applicable to your situation.
• Sign in to the License Registration Portal at https://tools.cisco.com/SWIFT/LicensingUI/Home and
follow the instructions in the documentation above.
• To convert PAKs or licenses using the Smart Software Manager:
• Converting Hybrid Licenses to Smart Software Licenses QRG:
https://community.cisco.com/t5/licensing-enterprise-agreements/
converting-hybrid-licenses-to-smart-software-licenses-qrg/ta-p/3628609?attachment-id=134907
• Sign in to the Smart Software Manager at https://software.cisco.com/
#SmartLicensing-LicenseConversion and follow the instructions for your type of conversion (PAK
or installed Classic license) in the documentation above.
Step 3
Freshly install threat defense on your hardware.
See the instructions for your hardware at https://www.cisco.com/c/en/us/support/security/firepower-ngfw/
products-installation-guides-list.html.
Step 4
If you will use the device manager to manage this device as a standalone device:
See information about licensing the device in the device manager configuration guide at https://www.cisco.com/
c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html.
Skip the rest of this procedure.
Step 5
If you have already deployed Smart Licensing on your management center:
a) Set up Smart Licensing on your new threat defense.
See Assign Licenses to Multiple Managed Devices, on page 255.
b) Verify that the new Smart License has been successfully applied to the device.
See Monitoring Smart Licenses, on page 258.
Step 6
If you have not yet deployed Smart Licensing on your management center:
See Configure Smart Licensing, on page 249. (Skip any steps that do not apply or that you have already
completed.)
Configure Specific License Reservation (SLR)
You can use the Specific License Reservation feature to deploy Smart Licensing in an air-gapped network.
Note
Various names are used at Cisco for Specific License Reservation, including SLR, SPLR, PLR, and Permanent
License Reservation. These terms may also be used at Cisco to refer to similar but not necessarily identical
licensing models.
When Specific License Reservation is enabled, the management center reserves licenses from your virtual
account for a specified duration without accessing the Smart Software Manager or using Smart Software
Manager On-Prem.
Features that require access to the internet, such as URL Lookups or contextual cross-launch to public web
sites, will not work.
Cisco does not collect web analytics or telemetry data for deployments that use Specific License Reservation.
Requirements and Prerequisites for Specific License Reservation
• Work with your account representative to obtain approval for Specific License Reservation for your
products.
Obtain confirmation from your account representative that the Specific License Reservation is ready for
use and reflected in your Smart Account.
• If you are currently using regular Smart Licensing, de-register the management center before you
implement Specific License Reservation. For information, see Deregister the Management Center, on
page 256.
All Smart Licenses that are currently deployed to the management center will be returned to the pool of
available licenses in your account, and you can re-use them when you implement Specific License
Reservation.
• Specific License Reservation uses the same licenses as regular Smart Licensing.
• (Recommended) If you deploy the management center pair in a high availability configuration, configure
high availability before you assign licenses. If you already assigned licenses to devices on the secondary
management center, be sure to unassign them.
Verify that your Smart Account is Ready to Deploy Specific License Reservation
To prevent problems when deploying your Specific License Reservation, complete this procedure before you
make any changes in your management center.
Before you begin
• Ensure that you have met the requirements described in Requirements and Prerequisites for Specific
License Reservation, on page 261.
• Make sure you have your Smart Software Manager credentials.
Procedure
Step 1
Sign in to the Smart Software Manager:
https://software.cisco.com/#SmartLicensing-Inventory
Step 2
If applicable, select the correct account from the top right corner of the page.
Step 3
If necessary, click Inventory.
Step 4
Click Licenses.
Step 5
Verify the following:
• There is a License Reservation button.
• There are enough platform and feature licenses for the devices and features you will deploy, including
management center virtual entitlements for your devices, if applicable.
Step 6
If any of these items is missing or incorrect, contact your account representative to resolve the problem.
Note
Do not continue with this process until any problems are corrected.
Enable the Specific Licensing Menu Option
This procedure changes the "Smart Licenses" menu option to "Specific Licenses" in the management center.
Procedure
Step 1
Access the management center console using a USB keyboard and VGA monitor, or use SSH to access the
management interface.
Step 2
Log into the management center CLI admin account.
Step 3
Enter the expert command to access the Linux shell.
Step 4
Execute the following command to access the Specific License Reservation options:
sudo manage_slr.pl
Example:
admin@fmc63betaslr:~$ sudo manage_slr.pl
Password:
**************** Configuration Utility **************
1 Show SLR Status
2 Enable SLR
3 Disable SLR
0 Exit
**************************************************************
Enter choice:
Step 5
Enable Specific License Reservation by selecting option 2.
Step 6
Select option 0 to exit the manage_slr utility.
Step 7
Type exit to exit the Linux shell.
Step 8
Enter exit to exit the command line interface.
Step 9
Verify that you can access the Specific License Reservation page in the management center web interface:
• If the System > Licenses > Smart Licenses page is currently displayed, refresh the page.
• Otherwise, choose System > Licenses > Specific Licenses.
Enter the Specific License Reservation Authorization Code into the
Management Center
Procedure
Step 1
Generate the reservation request code.
a) In the management center, choose System > Licenses > Specific Licenses.
b) Click Generate.
c) Make a note of the Reservation Request Code.
Step 2
Generate the reservation authorization code.
a) Go to the Cisco Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, select the correct account from the top right of the page.
c) If necessary, click Inventory.
d) Click Licenses.
e) Click License Reservation.
f) Enter the code that you generated from management center into the Reservation Request Code box.
g) Click Next.
h) Select Reserve a specific license.
i) Scroll down to display the entire License grid.
j) Under Quantity To Reserve, enter the number of each platform and feature license needed for your
deployment.
Note
• You must explicitly include a Base license for each managed device, or, for multi-instance
deployments, for each container.
• If you are using the management center virtual, you must include a platform entitlement
for each container (in multi-instance deployments) or each managed device (all other
deployments).
• If you use strong encryption functionality:
• If your entire Smart Account is enabled for export-controlled functionality, you do
not need to do anything here.
• If your organization's entitlement is per-management center, you must select the
appropriate license.
For the correct license name to choose for your management center, see the
prerequisites in Enable the Export Control Feature for Accounts Without Global
Permission, on page 253.
k) Click Next.
l) Click Generate Authorization Code.
At this point, the license is now in use according to the Smart Software Manager.
m) Download the Authorization Code in preparation for entering it into the management center.
Step 3
Enter the authorization code in the management center.
a) In the management center, click Browse to upload the text file with the authorization code that you
generated from the Smart Software Manager.
b) Click Install.
c) Verify that the Specific License Reservation page shows the Usage Authorization status as authorized.
d) Click the Reserved License tab to verify the licenses selected while generating the Authorization Code.
Step 4
If you do not see the licenses you require, add the necessary licenses. For more information, see Update a Specific
License Reservation.
Assign Specific Licenses to Managed Devices
Use this procedure to quickly assign licenses to multiple managed devices at one time.
You can also use this procedure to disable or move licenses from one device to another. If you disable a license
for a device, you cannot use the features associated with that license on that device.
Procedure
Step 1
Choose System > Licenses > Specific Licenses.
Step 2
Click Edit Licenses.
Step 3
Click each tab and assign licenses to devices as needed.
Step 4
Click Apply.
Step 5
Click the Assigned Licenses tab and verify that your licenses are correctly installed on each device.
Step 6
Deploy configuration changes; see Deploy Configuration Changes.
Manage Specific License Reservation
This section describes how to manage Specific License Reservation.
Important! Maintain Your Specific License Reservation Deployment
To update the threat data and software that keep your deployment effective, see Maintain Your Air-Gapped
Deployment, on page 219.
To ensure that all functionality continues to work without interruption, monitor your license expiration dates
(on the Reserved Licenses tab).
Update a Specific License Reservation
After you have successfully deployed Specific Licenses on your management center, you can add or remove
entitlements at any time using this procedure.
Use this procedure if you need to renew your licenses after they expire. If you do not have the required licenses,
the following actions are restricted:
• Device registration
• Policy deployment
Procedure
Step 1
In the management center, obtain the unique product instance identifier of this management center:
a) Select System > Licenses > Specific Licenses.
b) Make a note of the Product Instance value.
You will need this value several times during this process.
Step 2
In the Smart Software Manager, identify the management center to update:
a) Go to the Smart Software Manager:
https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, click Inventory.
c) Click Product Instances.
d) Look for a product instance that has FP in the Type column and a generic SKU (not a hostname) in the
Name column. You may also be able to use the values in other table columns to help determine which
management center is the correct management center. Click the name.
e) Look at the UUID and see if it is the UUID of the management center that you are trying to modify.
If not, you must repeat these steps until you find the correct management center.
Step 3
When you have located the correct management center in the Smart Software Manager, update the reserved
licenses and generate a new authorization code:
a) On the page that shows the correct UUID, choose Actions > Update Reserved Licenses.
b) Update the reserved licenses as needed.
Note
• You must explicitly include a Base license for each managed device, or, for multi-instance
deployments, for each container.
• If you are using the management center virtual, you must include a platform entitlement
for each container (in multi-instance deployments) or each managed device (all other
deployments).
• If you use strong encryption functionality:
• If your entire Smart Account is enabled for export-controlled functionality, you do
not need to do anything here.
• If your organization's entitlement is per-management center, you must select the
appropriate license.
For the correct license name to choose for your management center, see the
prerequisites in Enable the Export Control Feature for Accounts Without Global
Permission, on page 253.
c) Click Next and verify the details.
d) Click Generate Authorization Code.
e) Download the Authorization Code in preparation for entering it into the management center.
f) Leave the Update Reservation page open. You will return to it later in this procedure.
Step 4
Update the Specific Licenses in the management center.
a) Choose System > Licenses > Specific Licenses.
b) Click Edit SLR.
c) Click Browse to upload the newly generated authorization code.
d) Click Install to update the licenses.
After the authorization code is installed, verify that the licenses shown in the Reserved column on the
management center match the licenses you reserved in the Smart Software Manager.
e) Make a note of the Confirmation Code.
Step 5
Enter the confirmation code in the Smart Software Manager:
a) Return to the Smart Software Manager page that you left open earlier in this procedure.
b) Choose Actions > Enter Confirmation Code:
c) Enter the confirmation code that you generated from the management center.
Step 6
In the management center, verify that your licenses are reserved as you expect them, and that each feature for
each managed device shows a green circle with a Check Mark.
If necessary, see Monitoring Specific License Reservation Status, on page 269 for more information.
Step 7
Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management
Center Device Configuration Guide.
Deactivate and Return the Specific License Reservation
If you no longer need a specific license, you must return it to your Smart Account.
Important
If you do not follow all of the steps in this procedure, the license remains in an in-use state and cannot be
re-used.
This procedure releases all license entitlements associated with the management center back to your virtual
account. After you de-register, no updates or changes on licensed features are allowed.
Procedure
Step 1
In the management center Web interface, select System > Licenses > Specific Licenses.
Step 2
Make a note of the Product Instance identifier for this management center.
Step 3
Generate a return code from the management center.
a) Click Return SLR.
The following figure shows Return SLR.
Devices become unlicensed and the management center moves to the de-registered state.
b) Make a note of the Return Code.
Step 4
In the Smart Software Manager, identify the management center to deregister:
a) Go to the Smart Software Manager:
https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, click Inventory.
c) Click Product Instances.
d) Look for a product instance that has FP in the Type column and a generic SKU (not a hostname) in the
Name column. You may also be able to use the values in other table columns to help determine which
management center is the correct management center. Click the name.
e) Look at the UUID and see if it is the UUID of the management center that you are trying to modify.
If not, you must repeat these steps until you find the correct management center.
Step 5
When you have identified the correct management center, return the licenses to your Smart Account:
a) On the page that shows the correct UUID, choose Actions > Remove.
b) Enter the reservation return code that you generated from the management center into the Remove Product
Instance dialog box.
c) Click Remove Product Instance.
The specific reserved licenses are returned to the available pool in your Smart Account and this management
center is removed from the Smart Software Manager Product Instances list.
Step 6
Disable the Specific License in the management center Linux shell:
a) Access the management center console using a USB keyboard and VGA monitor, or use SSH to access
the management interface.
b) Log in to the management center CLI admin account. This gives you access to the command line interface.
c) Enter the expert command to access the Linux shell.
d) Execute the following command:
sudo manage_slr.pl
Example:
admin@fmc63betaslr: ~$ sudo manage_slr.pl
Password:
**************** Configuration Utility **************
1 Show SLR Status
2 Enable SLR
3 Disable SLR
0 Exit
**************************************************************
Enter choice:
e) Select menu option 3 to disable the Specific License Reservation.
f) Select option 0 to exit the manage_slr utility.
g) Enter exit to exit the Linux shell.
h) Enter exit to exit the command line interface.
Monitoring Specific License Reservation Status
The System > Licenses > Specific Licenses page provides an overview of license usage on the management
center, as described below.
Usage Authorization
Possible status values are:
• Authorized — The management center is in compliance and registered successfully with the License
Authority, which has authorized the license entitlements for the appliance.
• Out-of-compliance — If licenses have expired, or if the management center is consuming more licenses
than it has reserved, the status shows as Out-of-Compliance. License entitlements are enforced in
Specific License Reservation, so you must take action.
Product Registration
Specifies registration status and the date that an authorization code was last installed or renewed on the
management center.
Export-Controlled Features
Specifies whether you have enabled export-controlled functionality for the management center.
For more information about Export-Controlled Features, see Licensing for Export-Controlled Functionality,
on page 237.
Product Instance
The Universally Unique Identifier (UUID) of this management center. This value identifies this device in the
Smart Software Manager.
Confirmation Code
The Confirmation Code is needed if you update or deactivate and return Specific Licenses.
Assigned Licenses Tab
Shows the licenses assigned to each device and the status of each.
Reserved Licenses Tab
Shows the number of licenses used and available to be assigned, and license expiration dates.
Troubleshoot Specific License Reservation
How do I identify a particular management center in the Product Instance list in Smart Software Manager?
On the Product Instances page in Smart Software Manager, if you cannot identify the product instance based
on a value in one of the columns in the table, you must click the name of each generic product instance of
type FP to view the product instance details page. The UUID value on this page uniquely identifies one
management center.
In the management center web interface, the UUID for the management center is the Product Instance value
displayed on the System > Licenses > Specific Licenses page.
I do not see a License Reservation button in the Smart Software Manager
If you do not see the License Reservation button, then your account is not authorized for Specific License
Reservation. If you have already enabled Specific License Reservation in the Linux shell and generated a
request code, perform the following:
1. If you have already generated a Request Code in the management center web interface, cancel the request
code.
2. Disable Specific License Reservation in the management center Linux shell as described within the section
Deactivate and Return the Specific License Reservation, on page 267.
3. Register the management center with the Smart Software Manager in regular mode using a smart token.
4. Contact Cisco TAC to enable Specific License for your smart account.
I was interrupted in the middle of the licensing process. How can I pick up where I left off?
If you have generated but not yet downloaded an Authorization code from the Smart Software Manager, you
can go to the Product Instance page in the Smart Software Manager, click the product instance, then click
Download Reservation Authorization Code.
I am unable to register devices to the management center virtual
Make sure you have enough management center virtual entitlements in your Smart Account to cover the
devices you want to register, then update your deployment to add the necessary entitlements.
See Update a Specific License Reservation, on page 265.
I have enabled Specific Licensing, but now I do not see a Smart License page.
This is the expected behavior. When you enable Specific Licensing, Smart Licensing is disabled. You can
use the Specific License page to perform licensing operations.
If you want to use Smart Licensing, you must return the Specific License. For more information, see Deactivate
and Return the Specific License Reservation, on page 267.
What if I do not see a Specific License page in the management center virtual?
You need to enable Specific License to view the Specific License page. For more information, see Enable the
Specific Licensing Menu Option, on page 262.
I have disabled Specific Licensing, but forgot to copy the Return Code. What should I do?
The Return Code is saved in the management center virtual. You must re-enable the Specific License from
the Linux shell (see Enable the Specific Licensing Menu Option, on page 262), then refresh the management
center virtual web interface. Your Return Code will be displayed.
Configure Legacy Management Center PAK-Based Licenses
The management center supports either a Smart License or a legacy PAK (Product Activation Key) license
for its platform license. This procedure describes how to apply a PAK-based license.
Before you begin
• Make sure you have the product activation key (PAK) from the Software Claim Certificate that Cisco
provided when you purchased the license. If you have a legacy, pre-Cisco license, contact Support.
Procedure
Step 1
The license key uniquely identifies the management center in the Smart Software Manager. It is composed
of a product code (for example, 66) and the MAC address of the management port (eth0) of the management
center; for example, 66:00:00:77:FF:CC:88.
a) Choose System > Licenses > Classic Licenses.
b) Click Add New License.
c) Note the value in the License Key field at the top of the Add Feature License dialog.
Step 2
Choose System > Licenses > Classic Licenses.
Step 3
Click Add New License.
Step 4
Continue as appropriate:
• If you have already obtained the license text, skip to Step 8.
• If you still need to obtain the license text, go to the next step.
Step 5
Click Get License to open the License Registration Portal.
Note
If you cannot access the Internet using your current computer, switch to a computer that can, and
browse to http://cisco.com/go/license.
Step 6
Generate a license from the PAK in the License Registration Portal: https://cisco.com/go/license.
This step requires the PAK you received during the purchase process, as well as the license key for the
management center.
For more information on using this portal, see:
https://slexui.cloudapps.cisco.com/SWIFT/LicensingUI/Quickstart
You will need your account credentials in order to access these links.
Step 7
Copy the license text from either the License Registration Portal display, or the email the License Registration
Portal sends you.
Important
The licensing text block in the portal or email message may include more than one license. Each
license is bounded by a BEGIN LICENSE line and an END LICENSE line. Make sure that you
copy and paste only one license at a time.
Step 8
Return to the Add Feature License page in the management center virtual’s web interface.
Step 9
Paste the license text into the License field.
Step 10
Click Verify License.
If the license is invalid, make sure that you correctly copied the license text.
Step 11
Click Submit License.
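As an added illustration of Steps 1 and 7 (example code written for this page, not a Cisco tool or API): a small Python helper that splits the text block from the License Registration Portal or its email into individual licenses using the BEGIN LICENSE / END LICENSE boundary lines, so that exactly one license is pasted into the License field, and that rebuilds the classic license key (product code plus the eth0 MAC address) for comparison with the value shown in the Add Feature License dialog. The exact decoration around the boundary words, the assumption that the boundary lines themselves are part of what you paste, and the sample portal text are this example's own.

```python
import re
from dataclasses import dataclass

# Boundary lines named in Step 7; the exact decoration around the words is an
# assumption, so a substring match is used rather than a full-line match.
BEGIN_MARK = "BEGIN LICENSE"
END_MARK = "END LICENSE"


@dataclass
class LicenseBlock:
    body: str                    # text between the two boundary lines
    line_range: tuple[int, int]  # 1-based line numbers of the BEGIN and END lines


def split_license_blocks(text: str) -> list[LicenseBlock]:
    """Split portal or email text into one LicenseBlock per BEGIN/END pair.

    A stray or unterminated boundary line raises ValueError, which catches a
    truncated copy-and-paste before it reaches the License field."""
    blocks: list[LicenseBlock] = []
    open_at = None            # line number of the current BEGIN line, if any
    body_lines: list[str] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if BEGIN_MARK in line:
            if open_at is not None:
                raise ValueError(f"line {n}: new BEGIN LICENSE while block from line {open_at} is still open")
            open_at, body_lines = n, []
        elif END_MARK in line:
            if open_at is None:
                raise ValueError(f"line {n}: END LICENSE without a preceding BEGIN LICENSE")
            blocks.append(LicenseBlock("\n".join(body_lines).strip(), (open_at, n)))
            open_at = None
        elif open_at is not None:
            body_lines.append(line)
    if open_at is not None:
        raise ValueError(f"line {open_at}: BEGIN LICENSE is never closed by an END LICENSE line")
    return blocks


def single_license_to_paste(text: str, index: int = 0) -> str:
    """Return the index-th license, boundary lines included (assumption), as the
    exact text to paste into the License field: one license at a time."""
    blocks = split_license_blocks(text)
    if not blocks:
        raise ValueError("no BEGIN LICENSE / END LICENSE pair found")
    first, last = blocks[index].line_range
    return "\n".join(text.splitlines()[first - 1:last]) + "\n"


def license_key_from_mac(product_code: str, eth0_mac: str) -> str:
    """Rebuild the classic license key shown in the Add Feature License dialog:
    <product code>:<MAC of eth0>, for example 66:00:00:77:FF:CC:88 (Step 1)."""
    octets = re.split(r"[:\-]", eth0_mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {eth0_mac!r}")
    return product_code + ":" + ":".join(o.upper() for o in octets)


# Constructed sample of a portal email carrying two licenses in one text block.
CONSTRUCTED_PORTAL_TEXT = """\
Thank you for registering your Cisco product.
--- BEGIN LICENSE ---
CONSTRUCTED-LICENSE-DATA-1
CONSTRUCTED-LICENSE-DATA-1-CONTINUED
--- END LICENSE ---
--- BEGIN LICENSE ---
CONSTRUCTED-LICENSE-DATA-2
--- END LICENSE ---
Regards, the License Registration Portal
"""

if __name__ == "__main__":
    found = split_license_blocks(CONSTRUCTED_PORTAL_TEXT)
    print(f"{len(found)} license(s) in the text; paste them one at a time:")
    for i, blk in enumerate(found):
        print(f"  #{i}: lines {blk.line_range[0]}-{blk.line_range[1]}")
    print(single_license_to_paste(CONSTRUCTED_PORTAL_TEXT, 1))
    print("expected license key:", license_key_from_mac("66", "00:00:77:ff:cc:88"))
```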
Additional Information about Licensing
For additional information to help resolve common licensing questions, see the following documents:
• FAQ—https://www.cisco.com/c/en/us/td/docs/security/firepower/licensing/faq/firepower-license-FAQ.html
• License Roadmap—https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/
firepower-licenseroadmap.html
History for Licenses
Feature: Performance tier licensing for the threat defense virtual
Version: 7.0
Details: Performance-tiered licensing provides different throughput levels and VPN connection
limits based on deployment requirements. License tiers map to new threat defense virtual
models.
Feature: Licensing for multi-instance capability for the threat defense on the Firepower 4100/9300
Version: 6.3
Details: You can now deploy multiple threat defense container instances on a Firepower
4100/9300. You only need a single license per feature per security module/engine. The
base license is automatically assigned to each instance.
New/Modified screens: System > Licenses > Smart Licenses
Supported platforms: threat defense on the Firepower 4100/9300
Feature: Specific License Reservation for air-gapped deployments
Version: 6.3
Details: Customers whose deployments cannot connect to the internet to communicate with the
Cisco License Authority can use a Specific License Reservation.
New/Modified screens: System > Licenses > Specific Licenses (This option is not
available by default.)
Supported platforms: management center, threat defense
Feature: Export-controlled functionality for restricted customers
Version: 6.3
Details: Certain customers whose Smart Accounts are not otherwise eligible to use restricted
functionality can purchase term-based licenses, with approval.
Supported platforms: management center, threat defense
CHAPTER 8
High Availability
The following topics describe how to configure Active/Standby high availability of Cisco Secure Firewall
Management Centers:
• About Secure Firewall Management Center High Availability, on page 275
• Requirements for Management Center High Availability, on page 281
• Prerequisites for Management Center High Availability, on page 283
• Establishing Management Center High Availability, on page 284
• Viewing Management Center High Availability Status, on page 285
• Configurations Synced on Management Center High Availability Pairs, on page 286
• Configuring External Access to the Management Center Database in a High Availability Pair, on page 287
• Using CLI to Resolve Device Registration in Management Center High Availability, on page 287
• Switching Peers in a Management Center High Availability Pair, on page 288
• Pausing Communication Between Paired Firepower Management Centers, on page 288
• Restarting Communication Between Paired Firepower Management Centers, on page 288
• Changing the IP Address of a Management Center in a High Availability Pair, on page 289
• Disabling Management Center High Availability, on page 289
• Replacing Management Centers in a High Availability Pair, on page 290
• History for Management Center High Availability, on page 294
About Secure Firewall Management Center High Availability
To ensure the continuity of operations, the high availability feature allows you to designate redundant Secure
Firewall Management Centers to manage devices. Secure Firewall Management Centers support Active/Standby
high availability where one appliance is the active unit and manages devices. The standby unit does not actively
manage devices. The active unit writes configuration data into a data store and replicates data for both units,
using synchronization where necessary to share some information with the standby unit.
Active/Standby high availability lets you configure a secondary Secure Firewall Management Center to take
over the functionality of a primary Secure Firewall Management Center if the primary fails. When the primary
Secure Firewall Management Center fails, you must promote the secondary Secure Firewall Management
Center to become the active unit.
Event data streams from managed devices to both Secure Firewall Management Centers in the high availability
pair. If one Secure Firewall Management Center fails, you can monitor your network without interruption
using the other Secure Firewall Management Center.
Note that Secure Firewall Management Centers configured as a high availability pair do not need to be on the
same trusted management network, nor do they have to be in the same geographic location.
Caution
Because the system restricts some functionality to the active Secure Firewall Management Center, if that
appliance fails, you must promote the standby Secure Firewall Management Center to active.
Note
Triggering a switchover on management center immediately after a successful change deployment can lead
to preview configuration not working on the new active management center. This does not impact policy
deploy functionality. It is recommended to trigger a switchover on the management center after the necessary
sync is completed.
About Remote Access VPN High Availability
If the primary device has Remote Access VPN configuration with an identity certificate enrolled using a
CertEnrollment object, the secondary device must have an identity certificate enrolled using the same
CertEnrollment object. The CertEnrollment object can have different values for the primary and secondary
devices due to device-specific overrides. The only limitation is that the same CertEnrollment object must be
enrolled on the two devices before the high availability pair is formed.
SNMP Behavior in Secure Firewall Management Center High Availability
In an SNMP-configured HA pair, when you deploy an alert policy, the primary Secure Firewall Management
Center sends the SNMP traps. When the primary Secure Firewall Management Center fails, the secondary
Secure Firewall Management Center, which becomes the active unit, sends the SNMP traps without the need
for any additional configuration.
Roles v. Status in Management Center High Availability
Primary/Secondary Roles
When setting up Secure Firewall Management Centers in a high availability pair, you configure one Secure
Firewall Management Center to be primary and the other as secondary. During configuration, the primary
unit's policies are synchronized to the secondary unit. After this synchronization, the primary Secure Firewall
Management Center becomes the active peer, while the secondary Secure Firewall Management Center
becomes the standby peer, and the two units act as a single appliance for managed device and policy
configuration.
Active/Standby Status
The main differences between the two Secure Firewall Management Centers in a high availability pair are
related to which peer is active and which peer is standby. The active Secure Firewall Management Center
remains fully functional, where you can manage devices and policies. On the standby Secure Firewall
Management Center, functionality is hidden; you cannot make any configuration changes.
Event Processing on Management Center High Availability Pairs
Since both Secure Firewall Management Centers in a high availability pair receive events from managed
devices, the management IP addresses for the appliances are not shared. This means that you do not need to
intervene to ensure continuous processing of events if a Secure Firewall Management Center fails.
AMP Cloud Connections and Malware Information
Although they share file policies and related configurations, Secure Firewall Management Centers in a high
availability pair share neither Cisco AMP cloud connections nor malware dispositions. To ensure continuity
of operations, and to ensure that detected files’ malware dispositions are the same on both Secure Firewall
Management Centers, both primary and secondary Secure Firewall Management Centers must have access
to the AMP cloud.
URL Filtering and Security Intelligence
URL filtering and Security Intelligence configurations and information are synchronized between Secure
Firewall Management Centers in a high availability deployment. However, only the primary Secure Firewall
Management Center downloads URL category and reputation data for updates to Security Intelligence feeds.
If the primary Secure Firewall Management Center fails, not only must you make sure that the secondary
Secure Firewall Management Center can access the internet to update threat intelligence data, but you must
also use the web interface on the secondary Secure Firewall Management Center to promote it to active.
User Data Processing During Management Center Failover
If the primary Secure Firewall Management Center fails, the Secondary Secure Firewall Management Center
propagates to managed devices user-to-IP mappings from the TS Agent identity source; and propagates SGT
mappings from the ISE/ISE-PIC identity source. Users not yet seen by identity sources are identified as
Unknown.
After the downtime, the Unknown users are re-identified and processed according to the rules in your identity
policy.
Configuration Management on Management Center High Availability Pairs
In a high availability deployment, only the active Secure Firewall Management Center can manage devices
and apply policies. Both Secure Firewall Management Centers remain in a state of continuous synchronization.
If the active Secure Firewall Management Center fails, the high availability pair enters a degraded state until
you manually promote the standby appliance to the active state. Once the promotion is complete, the appliances
leave maintenance mode.
Management Center High Availability Disaster Recovery
In a disaster recovery situation, a manual switchover must be performed. When the primary management
center (FMC1) fails, access the web interface of the secondary management center (FMC2) and switch peers.
The same applies conversely if the secondary (FMC2) fails. For more information, see Switching
Peers in a Management Center High Availability Pair, on page 288.
For restoring a failed management center, refer to Replacing Management Centers in a High Availability Pair,
on page 290.
Single Sign-On and High Availability Pairs
Management centers in a high availability configuration can support Single Sign-On, but you must keep the
following considerations in mind:
• SSO configuration is not synchronized between the members of the high availability pair; you must
configure SSO separately on each member of the pair.
• Both management centers in a high availability pair must use the same identity provider (IdP) for SSO.
You must configure a service provider application at the IdP for each management center configured for
SSO.
• In a high availability pair of management centers where both are configured to support SSO, before a
user can use SSO to access the secondary management center for the first time, that user must first use
SSO to log into the primary management center at least once.
• When configuring SSO for management centers in a high availability pair:
• If you configure SSO on the primary management center, you are not required to configure SSO
on the secondary management center.
• If you configure SSO on the secondary management center, you are required to configure SSO on
the primary management center as well. (This is because SSO users must log in to the primary
management center at least once before logging into the secondary management center.)
Related Topics
Configure SAML Single Sign-On, on page 129
Management Center High Availability Behavior During a Backup
When you perform a Backup on a management center high availability pair, the Backup operation pauses
synchronization between the peers. During this operation, you may continue using the active management
center, but not the standby peer.
After Backup is completed, synchronization resumes, which briefly disables processes on the active peer.
During this pause, the High Availability page briefly displays a holding page until all processes resume.
Management Center High Availability Split-Brain
If the active Secure Firewall Management Center in a high-availability pair goes down (due to power issues,
network/connectivity issues), you can promote the standby Secure Firewall Management Center to an active
state. When the original active peer comes up, both peers can assume they are active. This state is defined as
'split-brain'. When this situation occurs, the system prompts you to choose an active appliance, which demotes
the other appliance to standby.
If the active Secure Firewall Management Center goes down (or disconnects due to a network failure), you
may either break high availability or switch roles. The standby Secure Firewall Management Center enters a
degraded state.
Note
Whichever appliance you use as the secondary loses all of its device registrations and policy configurations
when you resolve split-brain. For example, you would lose modifications to any policies that existed on the
secondary but not on the primary. If the Secure Firewall Management Center is in a high availability split-brain
scenario where both appliances are active, and you register managed devices and deploy policies before you
resolve split-brain, you must export any policies and unregister any managed devices from the intended standby
Secure Firewall Management Center before re-establishing high availability. You may then register the
managed devices and import the policies to the intended active Secure Firewall Management Center.
Upgrading Management Centers in a High Availability Pair
Cisco electronically distributes several different types of updates periodically. These include major and minor
upgrades to the system software. You may need to install these updates on Secure Firewall Management
Centers in a high availability setup.
Warning
Make sure that there is at least one operational Secure Firewall Management Center during an upgrade.
Before you begin
Read the release notes or advisory text that accompanies the upgrade. The release notes provide important
information, including supported platforms, compatibility, prerequisites, warnings, and specific installation
and uninstallation instructions.
Procedure
Step 1
Access the web interface of the active Secure Firewall Management Center and pause data synchronization;
see Pausing Communication Between Paired Firepower Management Centers, on page 288.
Step 2
Upgrade the standby Secure Firewall Management Center.
When the upgrade completes, the standby unit becomes active. When both peers are active, the high availability
pair is in a degraded state (split-brain).
Step 3
Upgrade the other Secure Firewall Management Center.
Step 4
Decide which Secure Firewall Management Center you want to use as the standby. Any additional devices
or policies added to the standby after pausing synchronization are not synced to the active Secure Firewall
Management Center. Unregister only those additional devices and export any configurations you want to
preserve.
When you choose a new active Secure Firewall Management Center, the Secure Firewall Management Center
you designate as secondary will lose device registrations and deployed policy configurations, which are not
synced.
Step 5
Resolve split-brain by choosing the new active Secure Firewall Management Center which has all the latest
required configurations for policies and devices.
Troubleshooting Management Center High Availability
This section lists troubleshooting information for some common management center high availability operation
errors.
Error: You must reset your password on the active management center before you can log into the
standby
Description: You attempted to log into the standby management center when a force password reset is
enabled for your account.
Solution: As the database is read-only for a standby management center, reset the password on the login
page of the active management center.
Error: 500 Internal
Description: May appear when attempting to access the web interface while performing critical management
center high availability operations, including switching peer roles or pausing and resuming synchronization.
Solution: Wait until the operation completes before using the web interface.
Error: System processes are starting, please wait. Also, the web interface does not respond.
Description: May appear when the management center reboots (manually or while recovering from a power
down) during a high availability or data synchronization operation.
Solution:
1. Access the management center shell and use the manage_hadc.pl command to access the management
center high availability configuration utility.
Note: Run the utility as a root user, using sudo.
2. Pause mirroring operations by using option 5. Reload the management center web interface.
3. Use the web interface to resume synchronization. Choose System > Integration, then click the High
Availability tab and choose Resume Synchronization.
Error: Device Registration Status: Host <string> is not reachable
Description: During the initial configuration of a threat defense, if the management center IP address and
NAT ID are specified, the Host field can be left blank. However, in an HA environment with both the
management centers behind a NAT, this error occurs when you add the threat defense on the secondary
management center.
Solution:
1. Delete the threat defense from the primary management center. See Delete a Device from the Management
Center in Cisco Secure Firewall Management Center Device Configuration Guide.
2. Remove managers from the threat defense using the configure manager delete command. See Command
Reference for Secure Firewall Threat Defense.
3. Add the threat defense to the management center with the IP address or name of the threat defense device
in the Host field. See Add a Device to the Management Center in Cisco Secure Firewall Management Center
Device Configuration Guide.
Requirements for Management Center High Availability
Model Support
See Hardware Requirements, on page 281.
Virtual Model Support
See Virtual Platform Requirements, on page 282.
Supported Domains
Global
User Roles
Admin
Hardware Requirements
• Supported hardware models:
MC1000, MC1600, MC2500, MC2600, MC4500, MC4600
• The two Secure Firewall Management Centers in a high availability configuration must be the same
model.
• The primary Secure Firewall Management Center backup must not be restored to the secondary Secure
Firewall Management Center.
• Bandwidth Requirements: There must be at least 5 Mbps of network bandwidth between the two Secure
Firewall Management Centers to set up a high availability configuration between them.
• The two Secure Firewall Management Centers in a high availability configuration may be physically
and geographically separated from each other in different data centers.
• See also License Requirements for Management Center High Availability Configurations, on page 282.
Virtual Platform Requirements
Requirements for establishing high availability (HA) using two management center virtual appliances:
• management center virtual must be running on VMware ESXi.
• management center virtual-HA is supported on management center virtual 10, 25, and 300.
• The two management center virtual appliances in a high availability configuration must have the same
device management capacity. For example, you cannot pair a management center virtual 25 with a
management center virtual 300.
• High availability licensing requirements are different for virtual vs hardware management center. See
License Requirements for Management Center High Availability Configurations, on page 282.
Software Requirements
Access the Appliance Information widget to verify the software version, the intrusion rule update version,
and the vulnerability database update. By default, the widget appears on the Status tab of the Detailed
Dashboard and the Summary Dashboard. For more information, see The Appliance Information Widget,
on page 308.
• The two Secure Firewall Management Centers in a high availability configuration must have the same
major (first number), minor (second number), and maintenance (third number) software version.
• The two Secure Firewall Management Centers in a high availability configuration must have the same
version of the intrusion rule update installed.
• The two Secure Firewall Management Centers in a high availability configuration must have the same
version of the vulnerability database update installed.
• The two Secure Firewall Management Centers in a high availability configuration must have the same
version of the LSP (Lightweight Security Package) installed.
Warning
If the software versions, intrusion rule update versions and vulnerability database update versions are not
identical on both Secure Firewall Management Centers, you cannot establish high availability.
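As an added example (not Cisco code; the data class and field names are this example's own), a Python pre-flight check that encodes the Hardware, Virtual Platform and Software Requirements listed above and reports every mismatch between two intended peers before you try to establish high availability. The version values are what an operator reads off each peer's Appliance Information widget; the sample values below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the Hardware, Virtual Platform and Software Requirements
# sections of this chapter.
HARDWARE_MODELS = {"MC1000", "MC1600", "MC2500", "MC2600", "MC4500", "MC4600"}
VIRTUAL_CAPACITIES = {10, 25, 300}     # management center virtual 10 / 25 / 300
REQUIRED_HYPERVISOR = "VMware ESXi"
MIN_LINK_MBPS = 5


@dataclass
class PeerFacts:
    """What an operator reads off one peer before pairing (field names are this
    example's own, not an API of the product)."""
    name: str
    model: str                     # hardware model, or e.g. "FMCv" for virtual
    software_version: str          # from the Appliance Information widget
    sru_version: str               # intrusion rule update
    vdb_version: str               # vulnerability database
    lsp_version: str               # Lightweight Security Package
    virtual: bool = False
    device_capacity: Optional[int] = None   # virtual only: 10, 25 or 300
    hypervisor: Optional[str] = None        # virtual only


def version_tuple(version: str) -> tuple:
    """'7.2.0.1' -> (7, 2, 0, 1). The guide names major, minor and maintenance
    (first three numbers) and its warning requires identical versions, so the
    whole dotted string is compared."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised software version {version!r}")
    return tuple(int(p) for p in parts)


def ha_preflight(primary: PeerFacts, secondary: PeerFacts, link_mbps: float) -> list:
    """Return the list of requirement violations; an empty list means the pair
    meets every requirement the chapter states."""
    problems = []
    peers = (primary, secondary)

    if primary.virtual != secondary.virtual:
        problems.append("peers must both be hardware or both be virtual")
    elif primary.virtual:
        for p in peers:
            if p.hypervisor != REQUIRED_HYPERVISOR:
                problems.append(f"{p.name}: virtual peer must run on {REQUIRED_HYPERVISOR}")
            if p.device_capacity not in VIRTUAL_CAPACITIES:
                problems.append(f"{p.name}: unsupported virtual capacity {p.device_capacity}")
        if primary.device_capacity != secondary.device_capacity:
            problems.append("virtual peers must have the same device management capacity")
    else:
        for p in peers:
            if p.model not in HARDWARE_MODELS:
                problems.append(f"{p.name}: unsupported hardware model {p.model}")
        if primary.model != secondary.model:
            problems.append("hardware peers must be the same model")

    if version_tuple(primary.software_version) != version_tuple(secondary.software_version):
        problems.append(f"software version differs: {primary.software_version} "
                        f"vs {secondary.software_version}")
    for label, attr in (("intrusion rule update", "sru_version"),
                        ("vulnerability database", "vdb_version"),
                        ("LSP", "lsp_version")):
        if getattr(primary, attr) != getattr(secondary, attr):
            problems.append(f"{label} version differs: {getattr(primary, attr)} "
                            f"vs {getattr(secondary, attr)}")

    if link_mbps < MIN_LINK_MBPS:
        problems.append(f"link between peers is {link_mbps} Mbps; "
                        f"at least {MIN_LINK_MBPS} Mbps is required")
    return problems


if __name__ == "__main__":
    # Constructed sample values; SRU/VDB/LSP strings are placeholders.
    a = PeerFacts("fmcv-1", "FMCv", "7.2.0", "sru-constructed", "vdb-constructed",
                  "lsp-constructed", virtual=True, device_capacity=25, hypervisor="VMware ESXi")
    b = PeerFacts("fmcv-2", "FMCv", "7.2.0.1", "sru-constructed", "vdb-constructed",
                  "lsp-constructed", virtual=True, device_capacity=300, hypervisor="VMware ESXi")
    for problem in ha_preflight(a, b, link_mbps=4) or ["all HA requirements met"]:
        print("-", problem)
```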
License Requirements for Management Center High Availability Configurations
Each device requires the same licenses whether managed by a single management center or by management
centers in a high availability pair (hardware or virtual).
Example: If you want to enable advanced malware protection for two devices managed by a management
center pair, buy two Malware licenses and two TM subscriptions, register the active management center with
the Smart Software Manager, then assign the licenses to the two devices on the active management center.
Only the active management center is registered with the Smart Software Manager. When failover occurs,
the system communicates with Smart Software Manager to release the license entitlements from the
originally-active management center and assign them to the newly-active management center.
In Specific License Reservation deployments, only the primary management center requires a Specific License
Reservation.
Hardware Management Center
No special license is required for hardware management centers in a high availability pair.
Management Center Virtual
You will need two identically licensed management center virtuals.
Example: For the management center virtual high availability pair managing 10 devices, you can use:
• Two (2) management center virtual 10 entitlements
• 10 device licenses
If you break the high availability pair, the management center virtual entitlements associated with the secondary
management center virtual are released. (In the example, you would then have two standalone management
center virtual 10s.)
Prerequisites for Management Center High Availability
Before establishing a Secure Firewall Management Center high availability pair:
• Export required policies from the intended secondary Secure Firewall Management Center to the intended
primary Secure Firewall Management Center. For more information, see Exporting Configurations, on
page 475.
• Make sure that the intended secondary Secure Firewall Management Center does not have any devices
added to it. Delete devices from the intended secondary Secure Firewall Management Center and register
these devices to the intended primary Secure Firewall Management Center. For more information see
Delete a Device from the Management Center and Add a Device to the Management Center.
• Import the policies into the intended primary Secure Firewall Management Center. For more information,
see Importing Configurations, on page 476.
• On the intended primary Secure Firewall Management Center, verify the imported policies, edit them as
needed and deploy them to the appropriate device. For more information, see Deploy Configuration
Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.
• On the intended primary Secure Firewall Management Center, associate the appropriate licenses to the
newly added devices. For more information see Assign Licenses to a Single Device, on page 254.
You can now proceed to establish high availability. For more information, see Establishing Management
Center High Availability, on page 284.
Establishing Management Center High Availability
Establishing high availability can take a significant amount of time, even several hours, depending on the
bandwidth between the peers and the number of policies. It also depends on the number of devices registered
to the active Secure Firewall Management Center, which need to be synced to the standby Secure Firewall
Management Center. You can view the High Availability page to check the status of the high availability
peers.
Before you begin
• Confirm that both Secure Firewall Management Centers adhere to the high availability system
requirements. For more information, see Requirements for Management Center High Availability, on
page 281.
• Confirm that you completed the prerequisites for establishing high availability. For more information,
see Prerequisites for Management Center High Availability, on page 283.
Procedure
Step 1
Log into the Secure Firewall Management Center that you want to designate as the secondary.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
Step 4
Under Role for this Secure Firewall Management Center, choose Secondary.
Step 5
Enter the hostname or IP address of the primary Secure Firewall Management Center in the Primary Firepower
Management Center Host text box.
You can leave this empty if the primary Secure Firewall Management Center does not have an IP address
reachable from the peer management center (which can be public or private IP address). In this case, use both
the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one
management center to enable HA connection.
Step 6
Enter a one-time-use registration key in the Registration Key text box.
The registration key is any user-defined alphanumeric value up to 37 characters in length. This registration
key will be used to register both the secondary and the primary Secure Firewall Management Centers.
Step 7
If you did not specify the primary IP address, or if you do not plan to specify the secondary IP address on the
primary Secure Firewall Management Center, then in the Unique NAT ID field, enter a unique alphanumeric
ID. See NAT Environments, on page 57 for more information.
Step 8
Click Register.
Step 9
Using an account with Admin access, log into the Secure Firewall Management Center that you want to
designate as the primary.
Step 10
Choose > Integration.
Step 11
Choose High Availability.
Step 12
Under Role for this Secure Firewall Management Center, choose Primary.
Step 13
Enter the hostname or IP address of the secondary Secure Firewall Management Center in the Secondary
Firepower Management Center Host text box.
You can leave this empty if the secondary Secure Firewall Management Center does not have an IP address
reachable from the peer management center (which can be public or private IP address). In this case, use both
the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one
management center to enable HA connection.
Step 14
Enter the same one-time-use registration key in the Registration Key text box you used in step 6.
Step 15
If required, enter the same NAT ID that you used in step 7 in the Unique NAT ID text box.
Step 16
Click Register.
What to do next
After establishing a Secure Firewall Management Center high availability pair, devices registered to the active
Secure Firewall Management Center are automatically registered to the standby Secure Firewall Management
Center.
Note
When a registered device has a NAT IP address, automatic device registration fails and the secondary Secure
Firewall Management Center High Availability page lists the device as local, pending. You can then assign a
different NAT IP address to the device on the standby Secure Firewall Management Center High Availability
page. If automatic registration otherwise fails on the standby Secure Firewall Management Center, but the
device appears to be registered to the active Firepower Management Center, see Using CLI to Resolve Device
Registration in Management Center High Availability, on page 287.
Viewing Management Center High Availability Status
After you identify your active and standby management centers, you can view information about the local
management center and its peer.
Note
In this context, Local Peer refers to the appliance where you are viewing the system status. Remote Peer refers
to the other appliance, regardless of active or standby status.
Procedure
Step 1
Log into one of the management centers that you paired using high availability.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
You can view:
Summary Information
• The health status of the high availability pair. The status of a correctly functioning system will oscillate
between "Healthy" and "Synchronization task is in progress" as the standby unit receives configuration
changes from the active unit.
• The current synchronization status of the high availability pair
• The IP address of the active peer and the last time it was synchronized
• The IP address of the standby peer and the last time it was synchronized
System Status
• The IP addresses for both peers
• The operating system for both peers
• The software version for both peers
• The appliance model of both peers
Note
You can view export control and compliance status only on the active management center.
Configurations Synced on Management Center High Availability Pairs
When you establish high availability between two management centers, the following configuration data is
synced between them:
• License entitlements
• Access control policies
• Intrusion rules
• Malware and file policies
• DNS policies
• Identity policies
• SSL policies
• Prefilter policies
• Network discovery rules
• Application detectors
• Correlation policy rules
• Alerts
• Scanners
• Response groups
• Contextual cross-launch of external resources for investigating events
• Remediation settings, although you must install custom modules on both management centers. For more
information on remediation settings, see Managing Remediation Modules, on page 989.
Configuring External Access to the Management Center
Database in a High Availability Pair
In a high availability setup, we recommend that you use only the active peer to configure external access
to the database. Configuring the standby peer for external database access leads to frequent
disconnections. To restore connectivity, you must pause and then restart synchronization of the standby
peer; see Pausing Communication Between Paired Firepower Management Centers and Restarting
Communication Between Paired Firepower Management Centers. For information on how to enable external
database access to Secure Firewall Management Centers, see Enabling External Access to the Database, on page 51.
Using CLI to Resolve Device Registration in Management Center
High Availability
If automatic device registration fails on the standby Secure Firewall Management Center, but the device appears
to be registered to the active Secure Firewall Management Center, complete the following steps:
Warning
If you do an RMA of Secondary Secure Firewall Management Center or add a Secondary Secure Firewall
Management Center, the managed FTDs are unregistered and as a result, their configuration may be deleted.
Procedure
Step 1
Unregister the device from the active Secure Firewall Management Center.
Step 2
Log into the CLI for the affected device.
Step 3
Run the CLI command: configure manager delete.
This command disables and removes the current Secure Firewall Management Center.
Step 4
Run the CLI command: configure manager add.
This command configures the device to initiate a connection to a Secure Firewall Management Center.
Tip
Configure remote management on the device only for the active Secure Firewall Management
Center. When high availability is established, devices are automatically added to be managed by
the standby Secure Firewall Management Center.
Step 5
Log into the active Secure Firewall Management Center and register the device.
Switching Peers in a Management Center High Availability Pair
Because the system restricts some functionality to the active Secure Firewall Management Center, if that
appliance fails, you must promote the standby Secure Firewall Management Center to active:
Procedure
Step 1
Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
Step 4
Choose Switch Peer Roles to change the local role from Active to Standby, or Standby to Active. With the
Primary or Secondary designation unchanged, the roles are switched between the two peers.
Pausing Communication Between Paired Firepower
Management Centers
If you want to temporarily disable high availability, you can disable the communications channel between
the Secure Firewall Management Centers. If you pause synchronization on the active peer, you can resume
synchronization on either the standby or active peer. However, if you pause synchronization on the standby
peer, you only can resume synchronization on the standby peer.
Procedure
Step 1
Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
Step 4
Choose Pause Synchronization.
Restarting Communication Between Paired Firepower
Management Centers
If you temporarily disable high availability, you can restart high availability by enabling the communications
channel between the Secure Firewall Management Centers. If you paused synchronization on the active unit,
you can resume synchronization on either the standby or active unit. However, if you paused synchronization
on the standby unit, you only can resume synchronization on the standby unit.
Procedure
Step 1
Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
Step 4
Choose Resume Synchronization.
Changing the IP Address of a Management Center in a High
Availability Pair
If the IP address for one of the high availability peers changes, high availability enters a degraded state. To
recover high availability, you must manually change the IP address.
Procedure
Step 1
Log into one of the Secure Firewall Management Centers that you paired using high availability.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
Step 4
Choose Peer Manager.
Step 5
Choose Edit (the edit icon).
Step 6
Enter the display name of the appliance, which is used only within the context of the system.
Entering a different display name does not change the host name for the appliance.
Step 7
Enter the fully qualified domain name or the name that resolves through the local DNS to a valid IP address
(that is, the host name), or the host IP address.
Step 8
Click Save.
Disabling Management Center High Availability
Procedure
Step 1
Log into one of the Secure Firewall Management Centers in the high availability pair.
Step 2
Choose > Integration.
Step 3
Choose High Availability.
Step 4
Choose Break High Availability.
Step 5
Choose one of the following options for handling managed devices:
• To control all managed devices with this Secure Firewall Management Center, choose Manage registered
devices from this console. All devices will be unregistered from the peer.
• To control all managed devices with the other Secure Firewall Management Center, choose Manage
registered devices from peer console. All devices will be unregistered from this Secure Firewall
Management Center.
• To stop managing devices altogether, choose Stop managing registered devices from both consoles.
All devices will be unregistered from both Secure Firewall Management Centers.
Note
If you choose to manage the registered devices from the secondary Secure Firewall Management
Center, the devices will be unregistered from the primary Secure Firewall Management Center. The
devices are now registered to be managed by the secondary Secure Firewall Management Center.
However, the licenses that were applied to these devices are deregistered on account of the high
availability break operation. You must now proceed to re-register (enable) the licenses on the devices
from the secondary Secure Firewall Management Center. For more information, see Assign Licenses
to Devices, on page 254.
Step 6
Click OK.
Replacing Management Centers in a High Availability Pair
If you need to replace a failed unit in a Secure Firewall Management Center high availability pair, you must
follow one of the procedures listed below. The table lists four possible failure scenarios and their corresponding
replacement procedures.
Failure Status | Data Backup Status | Replacement Procedure
Primary management center failed | Data backup successful | Replace a Failed Primary Management Center (Successful Backup), on page 290
Primary management center failed | Data backup not successful | Replace a Failed Primary Management Center (Unsuccessful Backup), on page 291
Secondary management center failed | Data backup successful | Replace a Failed Secondary Management Center (Successful Backup), on page 292
Secondary management center failed | Data backup not successful | Replace a Failed Secondary Management Center (Unsuccessful Backup), on page 293
Replace a Failed Primary Management Center (Successful Backup)
Two Secure Firewall Management Centers, FMC1 and FMC2, are part of a high availability pair. FMC1 is
the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Secure
Firewall Management Center, FMC1, when data backup from the primary is successful.
Before you begin
Verify that the data backup from the failed primary Secure Firewall Management Center is successful.
Procedure
Step 1
Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC1.
Step 2
When the primary Secure Firewall Management Center - FMC1 fails, access the web interface of the secondary
Secure Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers
in a Management Center High Availability Pair, on page 288.
This promotes the secondary Secure Firewall Management Center - FMC2 to active.
You can use FMC2 as the active Secure Firewall Management Center until the primary Secure Firewall
Management Center - FMC1 is replaced.
Caution
Do not break Secure Firewall Management Center High Availability from FMC2, since licenses
that were synced to FMC2 from FMC1 (before failure) will be removed from FMC2 and you will
be unable to perform any deploy actions from FMC2.
Step 3
Reimage the replacement Secure Firewall Management Center with the same software version as FMC1.
Step 4
Restore the data backup retrieved from FMC1 to the new Secure Firewall Management Center.
Step 5
Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates,
vulnerability database (VDB) updates and system software updates to match FMC2.
The new Secure Firewall Management Center and FMC2 will now both be active peers, resulting in a high
availability split-brain.
Step 6
When the Secure Firewall Management Center web interface prompts you to choose an active appliance,
select FMC2 as active.
This syncs the latest configuration from FMC2 to the new Secure Firewall Management Center - FMC1.
Step 7
When the configuration syncs successfully, access the web interface of the secondary Secure Firewall
Management Center - FMC2 and switch roles to make the primary Secure Firewall Management Center - FMC1
active. For more information, see Switching Peers in a Management Center High Availability Pair, on
page 288.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management
Centers will now work as expected.
Replace a Failed Primary Management Center (Unsuccessful Backup)
Two Secure Firewall Management Centers - FMC1 and FMC2 - are part of a high availability pair. FMC1 is
the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Secure
Firewall Management Center - FMC1 when data backup from the primary is unsuccessful.
Procedure
Step 1
Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC1.
Step 2
When the primary Secure Firewall Management Center - FMC1 fails, access the web interface of the secondary
Secure Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers
in a Management Center High Availability Pair, on page 288.
This promotes the secondary Secure Firewall Management Center - FMC2 to active.
You can use FMC2 as the active Secure Firewall Management Center until the primary Secure Firewall
Management Center - FMC1 is replaced.
Caution
Do not break Secure Firewall Management Center High Availability from FMC2, since licenses
that were synced to FMC2 from FMC1 (before failure) will be removed from FMC2 and you will
be unable to perform any deploy actions from FMC2.
Step 3
Reimage the replacement Secure Firewall Management Center with the same software version as FMC1.
Step 4
Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates,
vulnerability database (VDB) updates and system software updates to match FMC2.
Step 5
Deregister the Secure Firewall Management Center - FMC2 from the Cisco Smart Software Manager. For
more information, see Deregister the Management Center, on page 256.
Deregistering a Secure Firewall Management Center from the Cisco Smart Software Manager removes the
Management Center from your virtual account. All license entitlements associated with the Secure Firewall
Management Center release back to your virtual account. After deregistration, the Secure Firewall Management
Center enters Enforcement mode where no update or changes on licensed features are allowed.
Step 6
Access the web interface of the secondary Secure Firewall Management Center - FMC2 and break Secure
Firewall Management Center high availability. For more information, see Disabling Management Center High
Availability, on page 289. When prompted to select an option for handling managed devices, choose Manage
registered devices from this console.
As a result, licenses that were synced to the secondary Secure Firewall Management Center- FMC2, will be
removed and you cannot perform deployment activities from FMC2.
Step 7
Re-establish Secure Firewall Management Center high availability by setting up the Secure Firewall
Management Center - FMC2 as the primary and Secure Firewall Management Center - FMC1 as the secondary.
For more information, see Establishing Management Center High Availability, on page 284.
Step 8
Register a Smart License to the primary Secure Firewall Management Center - FMC2. For more information
see Register the Management Center with the Smart Software Manager, on page 249.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management
Centers will now work as expected.
Replace a Failed Secondary Management Center (Successful Backup)
Two Secure Firewall Management Centers - FMC1 and FMC2 - are part of a high availability pair. FMC1 is
the primary and FMC2 is the secondary. This task describes the steps to replace a failed secondary Secure
Firewall Management Center - FMC2 when data backup from the secondary is successful.
Before you begin
Verify that the data backup from the failed secondary Secure Firewall Management Center is successful.
Procedure
Step 1
Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC2.
Step 2
Continue to use the primary Secure Firewall Management Center - FMC1 as the active Secure Firewall
Management Center.
Step 3
Reimage the replacement Secure Firewall Management Center with the same software version as FMC2.
Step 4
Restore the data backup from FMC2 to the new Secure Firewall Management Center.
Step 5
Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates,
vulnerability database (VDB) updates and system software updates to match FMC1.
Step 6
Resume data synchronization (if paused) from the web interface of the new Secure Firewall Management
Center - FMC2, to synchronize the latest configuration from the primary Secure Firewall Management Center
- FMC1. For more information, see Restarting Communication Between Paired Firepower Management
Centers, on page 288.
Classic and Smart Licenses work seamlessly.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management
Centers will now work as expected.
Replace a Failed Secondary Management Center (Unsuccessful Backup)
Two Secure Firewall Management Centers - FMC1 and FMC2 - are part of a high availability pair. FMC1 is
the primary and FMC2 is the secondary. This task describes the steps to replace a failed secondary Secure
Firewall Management Center - FMC2 when data backup from the secondary is unsuccessful.
Procedure
Step 1
Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC2.
Step 2
Continue to use the primary Secure Firewall Management Center - FMC1 as the active Secure Firewall
Management Center.
Step 3
Reimage the replacement Secure Firewall Management Center with the same software version as FMC2.
Step 4
Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates,
vulnerability database (VDB) updates and system software updates to match FMC1.
Step 5
Access the web interface of the primary Secure Firewall Management Center - FMC1 and break Secure
Firewall Management Center high availability. For more information, see Disabling Management Center High
Availability, on page 289. When prompted to select an option for handling managed devices, choose Manage
registered devices from this console.
Step 6
Re-establish Secure Firewall Management Center high availability by setting up the Secure Firewall
Management Center - FMC1 as the primary and Secure Firewall Management Center - FMC2 as the secondary.
For more information, see Establishing Management Center High Availability, on page 284.
• When high availability is successfully established, the latest configuration from the primary Secure
Firewall Management Center - FMC1 is synchronized to the secondary Secure Firewall Management
Center - FMC2.
• Classic and Smart Licenses work seamlessly.
What to do next
High availability has now been re-established and the primary and the secondary Secure Firewall Management
Centers will now work as expected.
Management Center High Availability Disaster Recovery
In case of a disaster recovery situation, a manual switchover must be performed. When the primary management
center - FMC1 fails, access the web interface of the secondary management center - FMC2 and switch peers.
This is applicable conversely also in case the secondary (FMC2) fails. For more information, see Switching
Peers in a Management Center High Availability Pair, on page 288.
For restoring a failed management center, refer to Replacing Management Centers in a High Availability Pair,
on page 290.
History for Management Center High Availability
Feature | Version | Details
Management Center high availability with management center virtual on VMWare | 6.7 | You can now achieve management center high availability using management center virtual running on VMWare. See requirements at Virtual Platform Requirements, on page 282. Supported platforms: management center virtual 10, 25, and 300 for VMWare.
Single Sign-On | 6.7 | When configuring one or both members of a high-availability pair for single sign-on, you must take into account special considerations. Supported platforms: management center.
CHAPTER
9
Security Certifications Compliance
The following topics describe how to configure your system to comply with security certifications standards:
• Security Certifications Compliance Modes, on page 295
• Security Certifications Compliance Characteristics, on page 296
• Security Certifications Compliance Recommendations, on page 297
• Enable Security Certifications Compliance, on page 300
Security Certifications Compliance Modes
Your organization might be required to use only equipment and software complying with security standards
established by the U.S. Department of Defense and global certification organizations. Firepower supports
compliance with the following security certifications standards:
• Common Criteria (CC): a global standard established by the international Common Criteria Recognition
Arrangement, defining properties for security products
• Unified Capabilities Approved Products List (UCAPL): a list of products meeting security requirements
established by the U.S. Defense Information Systems Agency (DISA)
Note
The U.S. Government has changed the name of the Unified Capabilities Approved
Products List (UCAPL) to the Department of Defense Information Network
Approved Products List (DODIN APL). References to UCAPL in this
documentation and the Secure Firewall Management Center web interface can
be interpreted as references to DODIN APL.
• Federal Information Processing Standards (FIPS) 140: a requirements specification for encryption modules
You can enable security certifications compliance in CC mode or UCAPL mode. Enabling security certifications
compliance does not guarantee strict compliance with all requirements of the security mode selected. For
more information on hardening procedures, refer to the guidelines for this product provided by the certifying
entity.
Caution
After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL
mode, you must reimage.
Security Certifications Compliance Characteristics
The following table describes behavior changes when you enable CC or UCAPL mode. (Restrictions on login
accounts refer to command line access, not web interface access.)
System Change
Secure Firewall
Management Center
Classic Managed
Devices
Secure Firewall Threat
Defense
CC Mode
UCAPL
Mode
CC Mode
UCAPL
Mode
CC Mode
UCAPL
Mode
FIPS compliance is enabled.
Yes
Yes
Yes
Yes
Yes
Yes
The system does not allow remote storage for
backups or reports.
Yes
Yes
—
—
—
—
The system starts an additional system audit daemon. No
Yes
No
Yes
No
No
The system boot loader is secured.
No
Yes
No
Yes
No
No
The system applies additional security to login
accounts.
No
Yes
No
Yes
No
No
The system disables the reboot key sequence
Ctrl+Alt+Del.
No
Yes
No
Yes
No
No
The system enforces a maximum of ten simultaneous No
login sessions.
Yes
No
Yes
No
No
Passwords must be at least 15 characters long, and No
must consist of alphanumeric characters of mixed
case and must include at least one numeric character.
Yes
No
Yes
No
No
The minimum required password length for the local No
admin user can be configured using the local device
CLI.
No
No
No
Yes
Yes
Passwords cannot be a word that appears in a
dictionary or include consecutive repeating
characters.
No
Yes
No
Yes
No
No
The system locks out users other than admin after No
three failed login attempts in a row. In this case, the
password must be reset by an administrator.
Yes
No
Yes
No
No
The system stores password history by default.
No
Yes
No
Yes
No
No
The admin user can be locked out after a maximum Yes
number of failed login attempts configurable through
the web interface.
Yes
Yes
Yes
—
—
Cisco Secure Firewall Management Center Administration Guide, 7.2
296
System Settings
Security Certifications Compliance Recommendations
System Change
Secure Firewall
Management Center
Classic Managed
Devices
Secure Firewall Threat
Defense
CC Mode
UCAPL
Mode
CC Mode
UCAPL
Mode
CC Mode
The admin user can be locked out after a maximum No
number of failed login attempts configurable through
the local appliance CLI.
No
Yes,
regardless
of security
certifications
compliance
enablement.
Yes,
Yes
regardless
of security
certifications
compliance
enablement.
Yes
The system automtically rekeys an SSH session with Yes
an appliance:
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
UCAPL
Mode
• After a key has been in use for one hour of
session activity
• After a key has been used to transmit 1 GB of
data over the connection
The system performs a file system integrity check Yes
(FSIC) at boot-time. If the FSIC fails, Firepower
software does not start, remote SSH access is
disabled, and you can access the appliance only via
local console. If this happens, contact Cisco TAC.
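Because CC and UCAPL mode cannot be disabled without reimaging, it is worth pre-checking the passwords you intend to use against the UCAPL-mode rules stated in the table above (at least 15 characters, mixed-case letters, at least one numeric character, no consecutive repeating characters, not a dictionary word) before enabling the mode. The following Python script is an added example written for this section; it is not Cisco code and not the check the appliance itself runs. The word list is a constructed stand-in, and because the table does not say whether non-alphanumeric characters are permitted, the script neither requires nor rejects them.

```python
"""Pre-check candidate passwords against the UCAPL-mode password rules.

Added illustration only; it is not the appliance's own password checker.
"""
import re

# Constructed stand-in for a real dictionary word list (assumption: a real
# check would load the system's full word list).
SAMPLE_DICTIONARY = {"password", "administrator", "correcthorsebatterystaple"}

MIN_LENGTH = 15  # UCAPL minimum password length from the compliance table


def password_violations(candidate: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the UCAPL rules the candidate violates (empty list if it passes)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    # Mixed case: at least one lower-case and one upper-case letter.
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        violations.append("letters are not of mixed case")
    if not re.search(r"[0-9]", candidate):
        violations.append("no numeric character")
    # Any character immediately followed by the same character.
    if re.search(r"(.)\1", candidate):
        violations.append("consecutive repeating characters")
    # Assumption: the dictionary rule is applied case-insensitively to the
    # whole password, not to substrings.
    if candidate.lower() in dictionary:
        violations.append("dictionary word")
    return violations


def is_ucapl_compliant(candidate: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True when the candidate violates none of the UCAPL password rules."""
    return not password_violations(candidate, dictionary)


if __name__ == "__main__":
    # Constructed candidates: one compliant, one too short with a repeat,
    # one that is a dictionary phrase.
    for pw in ("Tr0ub4dor&Shelves9x", "Sh0rtPass9", "correcthorsebatterystaple"):
        problems = password_violations(pw)
        print("%r: %s" % (pw, "OK" if not problems else ", ".join(problems)))
```

Run the pre-check on the passwords of every local CLI account before you save the system configuration or deploy the platform settings policy; the appliance enforces its own checks after the reboot, and an account that cannot log in afterwards must be fixed by an administrator.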
Security Certifications Compliance Recommendations
Cisco recommends that you observe the following best practices when using a system with security certifications
compliance enabled:
• To enable security certifications compliance in your deployment, enable it first on the Secure Firewall
Management Center, then enable it in the same mode on all managed devices.
Caution
The Secure Firewall Management Center will not receive event data from a
managed device unless both are operating in the same security certifications
compliance mode.
• For all users, enable password strength checking and set the minimum password length to the value
required by the certifying agency.
• If you are using Secure Firewall Management Centers in a high-availability configuration, configure
them both to use the same security certifications compliance mode.
• When you configure Secure Firewall Threat Defense on a Firepower 4100/9300 to operate in CC or
UCAPL mode, you should also configure the Firepower 4100/9300 to operate in CC mode. For more
information, see the Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration
Guide.
• Do not configure the system to use any of the following features:
• Email reports, alerts, or data pruning notifications.
• Nmap Scan, Cisco IOS Null Route, Set Attribute Value, or ISE EPS remediations.
• Remote storage for backups or reports.
• Third-party client access to the system database.
• External notifications or alerts transmitted via email (SMTP), SNMP trap, or syslog.
• Audit log messages transmitted to an HTTP server or to a syslog server without using SSL certificates
to secure the channel between the appliance and the server.
• Do not enable external authentication using LDAP or RADIUS in deployments using CC mode.
• Do not enable CACs in deployments using CC mode.
• Disable access to the Secure Firewall Management Center and managed devices via the Firepower REST
API in deployments using CC or UCAPL mode.
• Enable CACs in deployments using UCAPL mode.
• Do not configure SSO in deployments using CC mode.
• Do not configure Secure Firewall Threat Defense devices into a high availability pair unless they are
both using the same security certifications compliance mode.
Note
The system does not support CC or UCAPL mode for:
• Secure Firewall Threat Defense devices in clusters
• Secure Firewall Threat Defense container instances on the Firepower 4100/9300
Appliance Hardening
For information about features you can use to further harden your system, see the latest versions of the Cisco
Firepower Management Center Hardening Guide and the Cisco Secure Firewall Threat Defense Hardening
Guide, as well as the following topics within this document:
• Licenses, on page 229
• Users, on page 105
• Logging into the Management Center, on page 27
• Audit Logs, on page 72
• Audit Log Certificate, on page 75
• Time and Time Synchronization, on page 84
• Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management
Center Device Configuration Guide
• Creating an Email Alert Response, on page 523
• Configuring Email Alerting for Intrusion Events, on page 532
• Configure SMTP in the Cisco Secure Firewall Management Center Device Configuration Guide
• About SNMP for the Firepower 1000/2100 Series in the Cisco Secure Firewall Management Center
Device Configuration Guide
• Configure SNMP in the Cisco Secure Firewall Management Center Device Configuration Guide
• Creating an SNMP Alert Response, on page 519
• Configure Dynamic DNS in the Cisco Secure Firewall Management Center Device Configuration Guide
• DNS Cache, on page 80
• Audit and Syslog, on page 373
• Access List, on page 71
• Security Certifications Compliance, on page 295
• Configuring SSH for Remote Storage, on page 67
• Audit Log Certificate, on page 75
• HTTPS Certificates, on page 43
• Customize User Roles for the Web Interface, on page 180
• Add an Internal User, on page 111
• Session Timeouts, on page 92
• About Configuring Syslog in the Cisco Secure Firewall Management Center Device Configuration Guide
• Schedule Management Center Backups, on page 454
• Site-to-Site VPNs for Threat Defense in the Cisco Secure Firewall Management Center Device
Configuration Guide
• Remote Access VPN in the Cisco Secure Firewall Management Center Device Configuration Guide
• FlexConfig Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Protecting Your Network
See the following topics to learn about features you can configure to protect your network:
• Access Control Policies
• Security Intelligence in the Cisco Secure Firewall Management Center Device Configuration Guide
• Getting Started with Intrusion Policies in the Cisco Secure Firewall Management Center Device
Configuration Guide
• Tuning Intrusion Policies Using Rules in the Cisco Secure Firewall Management Center Device
Configuration Guide
• Custom Intrusion Rules in the Cisco Secure Firewall Management Center Device Configuration Guide
• Update Intrusion Rules, on page 210
• Global Limit for Intrusion Event Logging in the Cisco Secure Firewall Management Center Device
Configuration Guide
• Transport and Network Layer Preprocessors in the Cisco Secure Firewall Management Center Device
Configuration Guide
• Specific Threat Detection in the Cisco Secure Firewall Management Center Device Configuration Guide
• Application Layer Preprocessors in the Cisco Secure Firewall Management Center Device Configuration
Guide
• Audit and Syslog, on page 373
• Intrusion Events, on page 733
• Event Search, on page 653
• Workflows, on page 607
• Login Banners, on page 82
• Updates, on page 203
Enable Security Certifications Compliance
This configuration applies to either a Secure Firewall Management Center or managed device:
• For the Secure Firewall Management Center, this configuration is part of the system configuration.
• For a managed device, you apply this configuration from the management center as part of a platform
settings policy.
In either case, the configuration does not take effect until you save your system configuration changes or
deploy the shared platform settings policy.
Caution
After you enable this setting, you cannot disable it. If you need to take the appliance out of CC or UCAPL
mode, you must reimage.
Before you begin
• We recommend you register all devices that you plan to be part of your deployment to the management
center before enabling security certifications compliance on any appliances.
• Secure Firewall Threat Defense devices cannot use an evaluation license; your Smart Software Manager
account must be enabled for export-controlled features.
• Secure Firewall Threat Defense devices must be deployed in routed mode.
• You must be an Admin user to perform this task.
Procedure
Step 1
Depending on whether you are configuring a management center or a managed device:
• management center: Choose System > Configuration.
• threat defense device: Choose Devices > Platform Settings and create or edit a Secure Firewall Threat
Defense policy.
Step 2
Click UCAPL/CC Compliance.
Note
Appliances reboot when you enable UCAPL or CC compliance. The management center reboots
when you save the system configuration; managed devices reboot when you deploy configuration
changes.
Step 3
To permanently enable security certifications compliance on the appliance, you have two choices:
• To enable security certifications compliance in Common Criteria mode, choose CC from the drop-down
list.
• To enable security certifications compliance in Unified Capabilities Approved Products List mode, choose
UCAPL from the drop-down list.
Step 4
Click Save.
What to do next
• Establish additional configuration changes as described in the guidelines for this product provided by
the certifying entity.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
PART III
Health and Monitoring
• Dashboards, on page 305
• Health, on page 327
• Audit and Syslog, on page 373
• Statistics, on page 383
• Troubleshooting, on page 395
CHAPTER 10
Dashboards
The following topics describe how to use dashboards:
• About Dashboards, on page 305
• Dashboard Widgets, on page 306
• Managing Dashboards, on page 318
About Dashboards
Dashboards provide you with at-a-glance views of current system status, including data about the events
collected and generated by the system. You can also use dashboards to see information about the status and
overall health of the appliances in your deployment. Keep in mind that the information the dashboard provides
depends on how you license, configure, and deploy the system.
Note
Ensure that you have enabled REST API (Settings > Configuration > REST API Preferences) to view the
correlated device metrics on the dashboard.
Tip
The dashboard is a complex, highly customizable monitoring feature that provides exhaustive data. For a
broad, brief, and colorful picture of your monitored network, use the Context Explorer.
A dashboard uses tabs to display widgets: small, self-contained components that provide insight into different
aspects of the system. For example, the predefined Appliance Information widget tells you the appliance
name, model, and currently running software version. The system constrains widgets by the dashboard time
range, which you can change to reflect a period as short as the last hour or as long as the last year.
The system is delivered with several predefined dashboards, which you can use and modify. If your user role
has access to dashboards (Administrator, Maintenance User, Security Analyst, Security Analyst [Read Only],
and custom roles with the Dashboards permission), by default your home page is the predefined Summary
Dashboard. However, you can configure a different default home page, including non-dashboards. You can
also change the default dashboard. Note that if your user role cannot access dashboards, your default home
page is relevant to the role; for example, a Discovery Admin sees the Network Discovery page.
You can also use predefined dashboards as the base for custom dashboards, which you can either share or
restrict as private. Unless you have Administrator access, you cannot view or modify private dashboards
created by other users.
Note
Some drill-down pages and table views of events include a Dashboard toolbar link that you can click to view
a relevant predefined dashboard. If you delete a predefined dashboard or tab, the associated toolbar links do
not function.
In a multidomain deployment, you cannot view dashboards from ancestor domains; however, you can create
new dashboards that are copies of the higher-level dashboards.
Dashboard Widgets
A dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout.
The system is delivered with many predefined dashboard widgets, each of which provides insight into a
different aspect of the system. Widgets are grouped into three categories:
• Analysis & Reporting widgets display data about the events collected and generated by the system.
• Miscellaneous widgets display neither event data nor operations data. Currently, the only widget in this
category displays an RSS feed.
• Operations widgets display information about the status and overall health of the system.
The dashboard widgets that you can view depend on:
• the type of appliance you are using
• your user role
• your current domain (in a multidomain deployment)
In addition, each dashboard has a set of preferences that determines its behavior.
You can minimize and maximize widgets, add and remove widgets from tabs, as well as rearrange the widgets
on a tab.
Note
For widgets that display event counts over a time range, the total number of events may not reflect the number
of events for which detailed data is available in the tables on pages under the Analysis menu. This occurs
because the system sometimes prunes older event details to manage disk space usage. To minimize the
occurrence of event detail pruning, you can fine-tune event logging to log only those events most important
to your deployment.
Widget Availability
The dashboard widgets that you can view depend on the type of appliance you are using, your user role, and
your current domain (in a multidomain deployment).
In a multidomain deployment, if you do not see a widget that you expect to see, switch to the Global domain.
See Switching Domains on the Secure Firewall Management Center, on page 20.
Note that:
• An invalid widget is one that you cannot view because you are using the wrong type of appliance.
• An unauthorized widget is one that you cannot view because your user account does not have the necessary
privileges.
For example, the Appliance Status widget is available only on the management center for users with
Administrator, Maintenance User, Security Analyst, or Security Analyst (Read Only) account privileges.
Although you cannot add an unauthorized or invalid widget to a dashboard, an imported dashboard may
contain unauthorized or invalid widgets. For example, such widgets can be present if the imported dashboard:
• Was created by a user with different access privileges, or
• Belongs to an ancestor domain.
Unavailable widgets are disabled and display error messages that indicate why you cannot view them.
Individual widgets also display error messages when those widgets have timed out or are otherwise experiencing
problems.
Note
You can delete or minimize unauthorized and invalid widgets, as well as widgets that display no data, keeping
in mind that modifying a widget on a shared dashboard modifies it for all users of the appliance.
Dashboard Widget Availability by User Role
The following table lists the user account privileges required to view each widget. Only user accounts with
Administrator, Maintenance User, Security Analyst, or Security Analyst (Read Only) access can use dashboards.
Users with custom roles may have access to any combination of widgets, or none at all, as their user roles
permit.
Table 16: User Roles and Dashboard Widget Availability

Widget | Administrator | Maintenance User | Security Analyst | Security Analyst (RO)
--- | --- | --- | --- | ---
Appliance Information | yes | yes | yes | yes
Appliance Status | yes | yes | yes | no
Correlation Events | yes | no | yes | yes
Current Interface Status | yes | yes | yes | yes
Current Sessions | yes | no | no | no
Custom Analysis | yes | no | yes | yes
Disk Usage | yes | yes | yes | yes
Interface Traffic | yes | yes | yes | yes
Intrusion Events | yes | no | yes | yes
Network Compliance | yes | no | yes | yes
Product Licensing | yes | yes | no | no
Product Updates | yes | yes | no | no
RSS Feed | yes | yes | yes | yes
System Load | yes | yes | yes | yes
System Time | yes | yes | yes | yes
Allow List Events | yes | no | yes | yes
Predefined Dashboard Widgets
The system is delivered with several predefined widgets that, when used on dashboards, can provide you with
at-a-glance views of current system status. These views include:
• data about the events collected and generated by the system
• information about the status and overall health of the appliances in your deployment
Note
The dashboard widgets you can view depend on the type of appliance you are using, your user role, and your
current domain in a multidomain deployment.
The Appliance Information Widget
The Appliance Information widget provides a snapshot of the appliance. It appears by default on the Status
tabs of the Detailed Dashboard and the Summary Dashboard.
On a management center configured for high availability, the widget also shows the management center's
high-availability Role, Status, Detail Status, and Last Contact. The widget provides:
• The name, IPv4 address, IPv6 address, and model of the appliance
• The versions of the system software, operating system, Snort, rule update, rule pack, module pack,
vulnerability database (VDB), and geolocation update installed on the appliances with dashboards, except
for virtual Secure Firewall Management Center
• For managed appliances, the name and status of the communications link with the managing appliance
You can configure the widget to display more or less information by modifying the widget preferences to
display a simple or an advanced view; the preferences also control how often the widget updates.
The Appliance Status Widget
The Appliance Status widget indicates the health of the appliance and of any appliances it is managing. Note
that because the Secure Firewall Management Center does not automatically apply a health policy to managed
devices, you must manually apply a health policy to devices or their status appears as Disabled. This widget
appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can configure the widget to display appliance status as a pie chart or in a table by modifying the widget
preferences.
The preferences also control how often the widget updates.
You can click a section on the pie chart or one of the numbers on the appliance status table to go to the Health
Monitor page and view the compiled health status of the appliance and of any appliances it is managing.
The Correlation Events Widget
The Correlation Events widget shows the average number of correlation events per second, by priority, over
the dashboard time range. It appears by default on the Correlation tab of the Detailed Dashboard.
You can configure the widget to display correlation events of different priorities by modifying the widget
preferences, as well as to choose a linear (incremental) or logarithmic (factor of ten) scale.
Check one or more Priorities check boxes to display separate graphs for events of specific priorities, including
events that do not have a priority. Choose Show All to display an additional graph for all correlation events,
regardless of priority. The preferences also control how often the widget updates.
You can click a graph to view correlation events of a specific priority, or click the All graph to view all
correlation events. In either case, the events are constrained by the dashboard time range; accessing correlation
events via the dashboard changes the events (or global) time window for the appliance.
The Current Interface Status Widget
The Current Interface Status widget shows the status of all interfaces on the appliance, enabled or unused. On
a Secure Firewall Management Center, you can display the management (eth0, eth1, and so on) interfaces.
On a managed device, you can choose to show only sensing (s1p1 and so on) interfaces or both management
and sensing interfaces. Interfaces are grouped by type: management, inline, passive, switched, routed, and
unused.
For each interface, the widget provides:
• the name of the interface
• the link state of the interface
• the link mode (for example, 100Mb full duplex, or 10Mb half duplex) of the interface
• the type of interface, that is, copper or fiber
• the amount of data received (Rx) and transmitted (Tx) by the interface
The color of the ball representing link state indicates the current status, as follows:
• green: link is up and at full speed
• yellow: link is up but not at full speed
• red: link is not up
• gray: link is administratively disabled
• blue: link state information is not available (for example, ASA)
The widget preferences control how often the widget updates.
The Current Sessions Widget
The Current Sessions widget shows which users are currently logged into the appliance, the IP address
associated with the machine where the session originated, and the last time each user accessed a page on the
appliance (based on the local time for the appliance). The user that represents you, that is, the user currently
viewing the widget, is marked with a User icon and rendered in bold type. Sessions are pruned from this
widget’s data within one hour of logoff or inactivity. This widget appears by default on the Status tabs of the
Detailed Dashboard and the Summary Dashboard.
On the Current Sessions widget, you can:
• click any user name to manage user accounts on the User Management page.
• click the Host icon or Compromised Host icon next to any IP address to view the host profile for the
associated machine.
• click any IP address or access time to view the audit log constrained by that IP address and by the time
that the user associated with that IP address logged on to the web interface.
The widget preferences control how often the widget updates.
The Custom Analysis Widget
The Custom Analysis widget is a highly customizable widget that allows you to display detailed information
on the events collected and generated by the system.
The widget is delivered with multiple presets that provide quick access to information about your deployment.
The predefined dashboards make extensive use of these presets. You can use these presets or create a custom
configuration. At a minimum, a custom configuration specifies the data you are interested in (table and field),
and an aggregation method for that data. You can also set other display-related preferences, including whether
you want to show events as relative occurrences (bar graph) or over time (line graph).
The widget displays the last time it updated, based on local time. The widget updates with a frequency that
depends on the dashboard time range. For example, if you set the dashboard time range to an hour, the widget
updates every five minutes. On the other hand, if you set the dashboard time range to a year, the widget updates
once a week. To determine when the dashboard will update next, hover your pointer over the Last updated
notice in the bottom left corner of the widget.
Note
A red-shaded Custom Analysis widget indicates that its use is harming system performance. If the widget
continues to stay red over time, remove the widget. You can also disable all Custom Analysis widgets from
the Dashboard settings in your system configuration (System > Configuration > Dashboard).
Displaying Relative Occurrences of Events (Bar Graphs)
For bar graphs in the Custom Analysis widget, the colored bars in the widget background show the relative
number of occurrences of each event. Read the bars from right to left.
The Direction icon indicates and controls the sort order of the display. A downward-pointing icon indicates
descending order; an upward-pointing icon indicates ascending order. To change the sort order, click the icon.
Next to each event, the widget can display one of three icons to indicate any changes from the most recent
results:
• The new event icon (Add) signifies that the event is new to the results.
• The Up Arrow icon indicates that the event has moved up in the standings since the last time the widget
updated. A number indicating how many places the event has moved up appears next to the icon.
• The Down Arrow icon indicates that the event has moved down in the standings since the last time the
widget updated. A number indicating how many places the event has moved down appears next to the
icon.
Displaying Events Over Time (Line Graphs)
If you want information on events or other collected data over time, you can configure the Custom Analysis
widget to display a line graph, such as one that displays the total number of intrusion events generated in your
deployment over time.
Limitations to the Custom Analysis Widget
A Custom Analysis widget may indicate that you are unauthorized to view the data that is configured to
display. For example, Maintenance Users are not authorized to view discovery events. As another example,
the widget does not display information related to unlicensed features. However, you (and any other users
who share the dashboard) can modify the widget preferences to display data that you can see, or even delete
the widget. If you want to make sure that this does not happen, save the dashboard as private.
When viewing user data, the system displays only authoritative users.
When viewing URL category information, the system does not display uncategorized URLs.
When viewing intrusion events aggregated by Count, the count includes reviewed events for intrusion events;
if you view the count in tables on pages under the Analysis menus, the count will not include reviewed events.
Note
In a multidomain deployment, the system builds a separate network map for each leaf domain. As a result, a
leaf domain can contain an IP address that is unique within its network, but identical to an IP address in another
leaf domain. When you view Custom Analysis widgets in an ancestor domain, multiple instances of that
repeated IP address can be displayed. At first glance, they might appear to be duplicate entries. However, if
you drill down to the host profile information for each IP address, the system shows that they belong to
different leaf domains.
How to Create Dashboard Widgets for a Device
Any widgets that show events from devices can be configured to use a filter that limits the display of events
for a given device or a set of devices.
1. Create and save a search: Go to Analysis > Search and enter the search parameters to match the specific
device names.
Note
You must provide exact text match as there is no drop-down listing the deployed device names.
2. Go to Overview > Dashboards > Add Widgets to create a Custom Analysis widget.
3. Return to Overview > Dashboards and modify the new widget to customize with the scope of search.
Example: Configuration of Custom Analysis Widget
You can configure the Custom Analysis widget to display a list of recent intrusion events by
configuring the widget to display data from the Intrusion Events table. Choosing the Classification
field and aggregating this data by Count displays the number of events that were generated for each
type.
On the other hand, aggregating by Unique Events displays the number of unique intrusion events
of each type (for example, how many detections of network trojans, potential violations of corporate
policy, attempted denial-of-service attacks, and so on).
You can further customize the widget using a saved search, either one of the predefined searches
delivered with your appliance or a custom search that you created. For example, constraining the
first example (intrusion events using the Classification field, aggregated by Count) using the Dropped
Events search displays the number of intrusion events that were dropped for each type.
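The difference between aggregating by Count and by Unique Events in the example above, together with the caveat from Limitations to the Custom Analysis Widget that the dashboard Count includes reviewed events while the Analysis menu tables exclude them, is the usual reason a widget total does not match the event table. The Python below is an added illustration over a constructed set of intrusion events; it is not the widget's code, and it assumes that a unique event is identified by the rule that fired (generator ID, signature ID) within a classification.

```python
"""Count, Unique Events, and Analysis-table count per classification.

Added illustration only; not the Custom Analysis widget's implementation.
"""
from collections import defaultdict

# Constructed sample intrusion events (not real data). Each record carries
# the classification, the rule that fired as (generator ID, signature ID),
# and whether an analyst has marked the event as reviewed.
SAMPLE_EVENTS = [
    {"classification": "A Network Trojan was Detected", "rule": (1, 2001), "reviewed": False},
    {"classification": "A Network Trojan was Detected", "rule": (1, 2001), "reviewed": True},
    {"classification": "A Network Trojan was Detected", "rule": (1, 2002), "reviewed": False},
    {"classification": "Attempted Denial of Service", "rule": (1, 3001), "reviewed": False},
    {"classification": "Attempted Denial of Service", "rule": (1, 3001), "reviewed": False},
    {"classification": "Potential Corporate Privacy Violation", "rule": (1, 4001), "reviewed": True},
]


def aggregate_by_classification(events):
    """Return {classification: (count, unique_events, analysis_table_count)}.

    count                - widget Count: every event, reviewed or not
    unique_events        - widget Unique Events: distinct rules per classification
                           (assumption: uniqueness keyed on the rule)
    analysis_table_count - what the Analysis menu table shows: reviewed
                           events excluded
    """
    counts = defaultdict(int)
    rules = defaultdict(set)
    unreviewed = defaultdict(int)
    for ev in events:
        cls = ev["classification"]
        counts[cls] += 1
        rules[cls].add(ev["rule"])
        if not ev["reviewed"]:
            unreviewed[cls] += 1
    return {cls: (counts[cls], len(rules[cls]), unreviewed[cls]) for cls in counts}


if __name__ == "__main__":
    print("%-40s %5s %6s %8s" % ("Classification", "Count", "Unique", "Analysis"))
    for cls, (count, unique, table) in aggregate_by_classification(SAMPLE_EVENTS).items():
        print("%-40s %5d %6d %8d" % (cls, count, unique, table))
```

With the constructed data the trojan classification shows Count 3 on the dashboard but only 2 in the Analysis table, because one of its events has been reviewed; the same kind of gap appears in production whenever analysts mark events reviewed between the widget's scheduled updates.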
Related Topics
Modifying Dashboard Time Settings, on page 323
Custom Analysis Widget Preferences
The following table describes the preferences you can set in the Custom Analysis widget.
Different preferences appear depending on how you configure the widget. For example, a different set of
preferences appears if you configure the widget to show relative occurrences of events (a bar graph) vs a graph
over time (a line graph). Some preferences, such as Filter, only appear if you choose a specific table from
which to display data.
Table 17: Custom Analysis Widget Preferences
Preference
Details
Title
If you do not specify a title for the widget, the system uses the
configured event type as the title.
Preset
Custom Analysis presets provide quick access to information
about your deployment. The predefined dashboards make
extensive use of these presets. You can use these presets or you
can create a custom configuration.
Table (required)
The table of events or assets that contains the data the widget
displays.
Field (required)
The specific field of the event type you want to display. To show
data over time (line graphs), choose Time. To show relative
occurrences of events (bar graphs), choose another option.
Aggregate (required)
The aggregation method configures how the widget groups the
data it displays. For most event types, the default option is Count.
Filter
You can use application filters to constrain data from the
Application Statistics and Intrusion Event Statistics by Application
tables.
Search
You can use a saved search to constrain the data that the widget
displays. You do not have to specify a search, although some
presets use predefined searches.
Only you can access searches that you have saved as private. If
you configure the widget on a shared dashboard and constrain its
events using a private search, the widget resets to not using the
search when another user logs in. This affects your view of the
widget as well. If you want to make sure that this does not happen,
save the dashboard as private.
Only fields that constrain connection summaries can constrain
Custom Analysis dashboard widgets based on connection events.
Invalid saved searches are dimmed.
If you constrain a Custom Analysis widget using a saved search,
then edit the search, the widget does not reflect your changes until
the next time it updates.
Show
Choose whether you want to display the most (Top) or the least
(Bottom) frequently occurring events.
Results
Choose the number of result rows to display.
Show Movers
Choose whether you want to display the icons that indicate
changes from the most recent results.
Time Zone
Choose the time zone you want to use to display results.
Color
You can change the color of the bars in the widget's bar graph.
Related Topics
Configuring Widget Preferences, on page 320
Viewing Associated Events from the Custom Analysis Widget
From a Custom Analysis widget, you can invoke an event view (workflow) that provides detailed information
about the events displayed in the widget. The events appear in the default workflow for that event type,
constrained by the dashboard time range. This also changes the appropriate time window on the Secure Firewall
Management Center, depending on how many time windows you configured and on the event type.
For example:
• If you configure multiple time windows, then access health events from a Custom Analysis widget, the
events appear in the default health events workflow, and the health monitoring time window changes to
the dashboard time range.
• If you configure a single time window and then access any type of event from the Custom Analysis
widget, the events appear in the default workflow for that event type, and the global time window changes
to the dashboard time range.
Procedure
You have the following choices:
• On any Custom Analysis widget, click View ( ) in the lower right corner of the widget to view all
associated events, constrained by the widget preferences.
• On a Custom Analysis widget showing relative occurrences of events (bar graph), click any event to
view associated events constrained by the widget preferences, as well as by that event.
The Disk Usage Widget
The Disk Usage widget displays the percentage of space used on the hard drive, based on disk usage category.
It also indicates the percentage of space used on and capacity of each partition of the appliance’s hard drive.
The Disk Usage widget displays the same information for the malware storage pack if installed in the device,
or if the Secure Firewall Management Center manages a device containing a malware storage pack. This
widget appears by default on the Status tabs of the Default Dashboard and the Summary Dashboard.
The By Category stacked bar displays each disk usage category as a proportion of the total available disk
space used. The following table describes the available categories.
Table 18: Disk Usage Categories
• Events: all events logged by the system
• Files: all files stored by the system
• Backups: all backup files
• Updates: all files related to updates, such as rule updates and system updates
• Other: system troubleshooting files and other miscellaneous files
• Free: free space remaining on the appliance
You can hover your pointer over a disk usage category in the By Category stacked bar to view the percentage
of available disk space used by that category, the actual storage space on the disk, and the total disk space
available for that category. Note that if you have a malware storage pack installed, the total disk space available
for the Files category is the available disk space on the malware storage pack.
You can configure the widget to display only the By Category stacked bar, or you can show the stacked bar
plus the admin (/), /Volume, and /boot partition usage, as well as the /var/storage partition if the malware
storage pack is installed, by modifying the widget preferences.
The widget preferences also control how often the widget updates, as well as whether it displays the current
disk usage or collected disk usage statistics over the dashboard time range.
The Interface Traffic Widget
The Interface Traffic widget shows the rate of traffic received (Rx) and transmitted (Tx) on the appliance’s
management interface. The widget does not appear by default on any of the predefined dashboards.
Devices with Malware licenses enabled periodically attempt to connect to the AMP cloud even if you have
not configured dynamic analysis. Because of this, these devices show transmitted traffic; this is expected
behavior.
The widget preferences control how often the widget updates.
The Intrusion Events Widget
The Intrusion Events widget shows the intrusion events that occurred over the dashboard time range, organized
by priority. This includes statistics on intrusion events with dropped packets and different impacts. This widget
appears by default on the Intrusion Events tab of the Summary Dashboard.
In the widget preferences, you can choose:
• Event Flags to display separate graphs for events with dropped packets, would have dropped packets,
or specific impacts. Choose All to display an additional graph for all intrusion events, regardless of impact
or rule state.
For explanations of the icons, see Intrusion Events, on page 733. The arrow (if any) that appears above
the impact level numbers describes the inline result and is defined as follows:
Table 19: Inline Result Field Contents in Workflow and Table Views
• ( ): The system dropped the packet that triggered the rule.
• ( ): IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning.
• ( ): IPS may have transmitted or delivered the packet to the destination, but the connection that contained this packet is now blocked.
• No icon (blank): The triggered rule was not set to Drop and Generate Events.
In a passive deployment, the system does not drop packets, including when an inline interface is in tap
mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
• Show to specify Average Events Per Second (EPS) or Total Events.
• Vertical Scale to specify Linear (incremental) or Logarithmic (factor of ten) scale.
• How often the widget updates.
On the widget, you can:
• Click a graph corresponding to dropped packets, to would have dropped packets, or to a specific impact
to view intrusion events of that type.
• Click the graph corresponding to dropped events to view dropped events.
• Click the graph corresponding to would have dropped events to view would have dropped events.
• Click the All graph to view all intrusion events.
The resulting event view is constrained by the dashboard time range; accessing intrusion events via the
dashboard changes the events (or global) time window for the appliance. Note that packets in a passive
deployment are not dropped, regardless of intrusion rule state or the inline drop behavior of the intrusion
policy.
The Network Compliance Widget
The Network Compliance widget summarizes your hosts’ compliance with the allow lists you configured. By
default, the widget displays a pie chart that shows the number of hosts that are compliant, non-compliant, and
that have not been evaluated, for all compliance allow lists in active correlation policies. This widget appears
by default on the Correlation tab of the Detailed Dashboard.
You can configure the widget to display network compliance either for all allow lists or for a specific allow
list by modifying the widget preferences.
If you choose to display network compliance for all allow lists, the widget considers a host to be non-compliant
if it is not compliant with any allow list in an active correlation policy.
You can also use the widget preferences to specify which of three different styles you want to use to display
network compliance.
The Network Compliance style (the default) displays a pie chart that shows the number of hosts that are
compliant, non-compliant, and that have not been evaluated. You can click the pie chart to view the host
violation count, which lists the hosts that violate at least one allow list.
The Network Compliance over Time (%) style displays a stacked area graph showing the relative proportion
of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time
range.
The Network Compliance over Time style displays a line graph that shows the number of hosts that are
compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.
The preferences control how often the widget updates. You can check the Show Not Evaluated box to hide
events which have not been evaluated.
The Product Licensing Widget
The Product Licensing widget shows the device and feature licenses currently installed on the Secure Firewall
Management Center. It also indicates the number of items licensed and the number of remaining licensed
items allowed. It does not appear by default on any of the predefined dashboards.
The top section of the widget displays all device and feature licenses installed on the Secure Firewall
Management Center, including temporary licenses, while the Expiring Licenses section displays only temporary
and expired licenses.
The bars in the widget background show the percentage of each type of license that is being used; you should
read the bars from right to left. Expired licenses are marked with a strikethrough.
You can configure the widget to display either the features that are currently licensed, or all the features that
you can license, by modifying the widget preferences. The preferences also control how often the widget
updates.
You can click any of the license types to go to the License page of the local configuration and add or delete
feature licenses.
The Product Updates Widget
The Product Updates widget provides you with a summary of the software currently installed on the appliance
as well as information on updates that you have downloaded, but not yet installed. This widget appears by
default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
Because the widget uses scheduled tasks to determine the latest version, it displays Unknown until you
configure a scheduled task to download, push or install updates.
You can configure the widget to hide the latest versions by modifying the widget preferences. The preferences
also control how often the widget updates.
The widget also provides you with links to pages where you can update the software. You can:
• Manually update an appliance by clicking the current version.
• Create a scheduled task to download an update by clicking the latest version.
The RSS Feed Widget
The RSS Feed widget adds an RSS feed to a dashboard. By default, the widget shows a feed of Cisco security
news. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can also configure the widget to display a preconfigured feed of company news, the Snort.org blog, or
the Cisco Threat Research blog, or you can create a custom connection to any other RSS feed by specifying
its URL in the widget preferences. The management center can display encrypted RSS feeds only if they use
trusted server certificates signed by a certificate authority (CA) that the management center recognizes. If you
configure the RSS Feed widget to display an encrypted RSS feed that uses a CA the management center does
not recognize, or that uses a self-signed certificate, the verification fails and the widget does not display the
feed.
Feeds update every 24 hours (although you can manually update the feed), and the widget displays the last
time the feed was updated based on the local time of the appliance. Keep in mind that the appliance must have
access to the web site (for the two preconfigured feeds) or to any custom feed you configure.
When you configure the widget, you can also choose how many stories from the feed you want to show in
the widget, as well as whether you want to show descriptions of the stories along with the headlines; keep in
mind that not all RSS feeds use descriptions.
On the RSS Feed widget, you can:
• click one of the stories in the feed to view the story
• click the more link to go to the feed’s web site
• click Update ( ) to manually update the feed
The System Load Widget
The System Load widget shows the CPU usage (for each CPU), memory (RAM) usage, and system load (also
called the load average, measured by the number of processes waiting to execute) on the appliance, both
currently and over the dashboard time range. It appears by default on the Status tabs of the Detailed Dashboard
and the Summary Dashboard.
You can configure the widget to show or hide the load average by modifying the widget preferences. The
preferences also control how often the widget updates.
The System Time Widget
The System Time widget shows the local system time, uptime, and boot time for the appliance. It appears by
default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.
You can configure the widget to hide the boot time by modifying the widget preferences. The preferences
also control how often the widget synchronizes with the appliance’s clock.
The Allow List Events Widget
The Allow List Events widget shows the average events per second by priority, over the dashboard time range.
It appears by default on the Correlation tab of the Default Dashboard.
You can configure the widget to display allow list events of different priorities by modifying the widget
preferences.
In the widget preferences, you can:
• choose one or more Priorities check boxes to display separate graphs for events of specific priorities,
including events that do not have a priority
• choose Show All to display an additional graph for all allow list events, regardless of priority
• choose Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale
The preferences also control how often the widget updates.
You can click a graph to view allow list events of a specific priority, or click the All graph to view all allow
list events. In either case, the events are constrained by the dashboard time range; accessing allow list events
via the dashboard changes the events (or global) time window for the Secure Firewall Management Center.
Managing Dashboards
Procedure
Step 1
Choose Overview > Dashboards, and then choose the dashboard you want to modify from the menu.
Step 2
Manage your dashboards:
• Create Dashboards — Create a custom dashboard; see Creating Custom Dashboards, on page 321.
• Delete Dashboards — To delete a dashboard, click Delete ( ) next to the dashboard you want to delete.
If you delete your default dashboard, you must define a new default or the appliance prompts you to
choose a dashboard every time you attempt to view a dashboard.
• Edit Options — Edit custom dashboard options; see Editing Dashboards Options, on page 323.
• Modify Time Constraints — Modify the time display or pause/unpause the dashboard as described in
Modifying Dashboard Time Settings, on page 323.
Step 3
Add (see Adding a Dashboard, on page 319), Delete (click Close ( )), and Rename (see Renaming a
Dashboard, on page 324) dashboards.
Note
You cannot change the order of dashboards.
Step 4
Manage dashboard widgets:
• Add Widgets — Add widgets to a dashboard; see Adding Widgets to a Dashboard, on page 319.
• Configure Preferences — Configure widget preferences; see Configuring Widget Preferences, on page
320.
• Customize Display — Customize the widget display; see Customizing the Widget Display, on page 322.
• View Events — View associated events from the Custom Analysis Widget; see Viewing Associated
Events from the Custom Analysis Widget, on page 313.
Tip
Every configuration of the Custom Analysis widget in the Cisco predefined dashboards corresponds
to a system preset for that widget. If you change or delete one of these widgets, you can restore it
by creating a new Custom Analysis widget based on the appropriate preset.
Adding a Dashboard
Procedure
Step 1
View the dashboard you want to modify; see Viewing Dashboards, on page 325.
Step 2
Click Add ( ).
Step 3
Enter a name.
Step 4
Click OK.
Adding Widgets to a Dashboard
Each tab can display one or more widgets in a three-column layout. When adding a widget to a dashboard,
you choose the tab to which you want to add the widget. The system automatically adds it to the column with
the fewest widgets. If all columns have an equal number of widgets, the new widget is added to the leftmost
column. You can add a maximum of 15 widgets to a dashboard tab.
Tip
After you add widgets, you can move them to any location on the tab. You cannot, however, move widgets
from tab to tab.
The dashboard widgets you can view depend on the type of appliance you are using, your user role, and your
current domain (in a multidomain deployment). Keep in mind that because not all user roles have access to
all dashboard widgets, users with fewer permissions viewing a dashboard created by a user with more
permissions may not be able to use all of the widgets on the dashboard. Although the unauthorized widgets
still appear on the dashboard, they are disabled.
Procedure
Step 1
View the dashboard where you want to add a widget; see Viewing Dashboards, on page 325.
Step 2
Click the tab where you want to add the widget.
Step 3
Click Add Widgets. You can view the widgets in each category by clicking on the category name, or you
can view all widgets by clicking All Categories.
Step 4
Click Add next to the widgets you want to add. The Add Widgets page indicates how many widgets of each
type are on the tab, including the widget you want to add.
Tip
To add multiple widgets of the same type (for example, you may want to add multiple RSS Feed
widgets, or multiple Custom Analysis widgets), click Add again.
Step 5
When you are finished adding widgets, click Done to return to the dashboard.
What to do next
• If you added a Custom Analysis widget, configure the widget preferences; see Configuring Widget
Preferences, on page 320.
Related Topics
Widget Availability, on page 306
Configuring Widget Preferences
Each widget has a set of preferences that determines its behavior.
Procedure
Step 1
On the title bar of the widget whose preferences you want to change, click Show Preferences ( ).
Step 2
Make changes as needed.
Step 3
On the widget title bar, click Hide Preferences ( ) to hide the preferences section.
Creating Custom Dashboards
Tip
Instead of creating a new dashboard, you can export a dashboard from another appliance, then import it onto
your appliance. You can then edit the imported dashboard to suit your needs.
Procedure
Step 1
Choose Overview > Dashboards > Management.
Step 2
Click Create Dashboard.
Step 3
Modify the custom dashboard options as described in Custom Dashboard Options, on page 321.
Step 4
Click Save.
Custom Dashboard Options
The table below describes options you can use when creating or editing custom dashboards.
Table 20: Custom Dashboard Options
Option
Description
Copy Dashboard
When you create a custom dashboard, you can choose to base it
on any existing dashboard, whether user-created or
system-defined. This option makes a copy of the preexisting
dashboard, which you can modify to suit your needs. Optionally,
you can create a blank new dashboard by choosing None. This
option is available only when you create a new dashboard.
In a multidomain deployment, you can copy any non-private
dashboards from ancestor domains.
Name
A unique name for the custom dashboard.
Description
A brief description of the custom dashboard.
Change Tabs Every
Specifies (in minutes) how often the dashboard should cycle
through its tabs. Unless you pause the dashboard or your
dashboard has only one tab, this setting advances your view to
the next tab at the interval you specify. To disable tab cycling,
enter 0 in the Change Tabs Every field.
Refresh Page Every
Determines how often the entire dashboard page automatically
refreshes.
Refreshing the entire dashboard allows you to see any preference
or layout changes that were made to a shared dashboard by another
user, or that you made to a private dashboard on another computer,
since the last time the dashboard refreshed. A frequent refresh
can be useful, for example, in a network operations center (NOC)
where a dashboard is displayed at all times. If you make changes
to the dashboard at a local computer, the dashboard in the NOC
automatically refreshes at the interval you specify, and no manual
refresh is required.
This refresh does not update the data, and you do not need to
refresh the entire dashboard to see data updates; individual widgets
update according to their preferences.
This value must be greater than the Change Tabs Every setting.
Unless you pause the dashboard, this setting will refresh the entire
dashboard at the interval you specify. To disable the periodic page
refresh, enter 0 in the Refresh Page Every field.
Note
This setting is separate from the update interval
available on many individual widgets; although
refreshing the dashboard page resets the update interval
on individual widgets, widgets will update according
to their individual preferences even if you disable the
Refresh Page Every setting.
Save As Private
Determines whether the custom dashboard can be viewed and
modified by all users of the appliance or is associated with your
user account and reserved solely for your own use. Keep in mind
that any user with dashboard access, regardless of role, can modify
shared dashboards. If you want to make sure that only you can
modify a particular dashboard, save it as private.
Customizing the Widget Display
You can minimize and maximize widgets, as well as rearrange the widgets on a tab.
Procedure
Step 1
View a dashboard; see Viewing Dashboards, on page 325.
Step 2
Customize the widget display:
• To rearrange a widget on a tab, click the title bar of the widget you want to move, then drag it to its new
location.
Note
You cannot move widgets from tab to tab. If you want a widget to appear on a different tab,
you must delete it from the existing tab and add it to the new tab.
• To minimize or maximize a widget on the dashboard, click Minimize ( ) or Maximize ( ) in a
widget’s title bar.
• To delete a widget if you no longer want to view it on a tab, click Close ( ) in the title bar of the widget.
Editing Dashboards Options
Procedure
Step 1
View the dashboard you want to edit; see Viewing Dashboards, on page 325.
Step 2
Click Edit ( ).
Step 3
Change the options as described in Custom Dashboard Options, on page 321.
Step 4
Click Save.
Modifying Dashboard Time Settings
You can change the time range to reflect a period as short as the last hour (the default) or as long as the last
year. When you change the time range, the widgets that can be constrained by time automatically update to
reflect the new time range.
The maximum number of data points in any graph is 300, and the time setting determines how much time is
summarized within each data point. Following is the number of data points, and the time span covered, in the
dashboards for each time range:
• 1 hour = 12 data points, 5 minutes each
• 6 hours = 72 data points, 5 minutes each
• 1 day = 288 data points, 5 minutes each
• 1 week = 300 data points, 33.6 minutes each
• 2 weeks = 300 data points, 67.2 minutes each
• 30 days = 300 data points, 144 minutes each
• 90 days = 300 data points, 432 minutes each
• 180 days = 300 data points, 864 minutes each
• 1 year = 300 data points, 1752 minutes each
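As an added example that is not part of this guide, the following Python reproduces the data-point rule implied by the list above and buckets constructed sample events into those points. The 300-point cap and the 5-minute finest bucket are taken from the list; that they combine into the simple rule used here is an assumption, checked against all nine entries.

```python
"""Added example, not part of the Cisco guide: reproduce the dashboard's
data-point rule for a time range and bucket sample events into it."""
from datetime import datetime, timedelta

MAX_POINTS = 300          # stated cap on data points per graph
MIN_BUCKET_MINUTES = 5    # finest resolution in the guide's list (1 hour = 12 x 5 min)


def dashboard_resolution(range_minutes):
    """Return (data_points, minutes_per_point) for a dashboard time range.

    Assumption: the guide's nine entries are consistent with a 5-minute
    minimum bucket and a 300-point cap, which is the rule applied here.
    """
    if range_minutes <= 0:
        raise ValueError("time range must be positive")
    points = max(1, min(MAX_POINTS, range_minutes // MIN_BUCKET_MINUTES))
    return points, range_minutes / points


def bucket_events(event_times, end, range_minutes):
    """Count events per data point over the window [end - range, end).

    Events outside the window are ignored, as a widget constrained by the
    dashboard time range would ignore them. Returns counts, oldest first.
    """
    points, minutes_each = dashboard_resolution(range_minutes)
    start = end - timedelta(minutes=range_minutes)
    counts = [0] * points
    for t in event_times:
        if not (start <= t < end):
            continue
        offset_minutes = (t - start).total_seconds() / 60
        counts[min(int(offset_minutes // minutes_each), points - 1)] += 1
    return counts


# Constructed sample data: three event timestamps around a fixed "now".
SAMPLE_END = datetime(2022, 6, 28, 12, 0)
SAMPLE_EVENTS = [
    SAMPLE_END - timedelta(minutes=1),    # newest bucket of a 1-hour range
    SAMPLE_END - timedelta(minutes=59),   # oldest bucket of a 1-hour range
    SAMPLE_END - timedelta(minutes=61),   # just outside a 1-hour range
]


def sample_counts(range_minutes=60):
    """Bucket the constructed sample events over the given range."""
    return bucket_events(SAMPLE_EVENTS, SAMPLE_END, range_minutes)


if __name__ == "__main__":
    for label, minutes in (("1 hour", 60), ("1 week", 7 * 24 * 60), ("1 year", 365 * 24 * 60)):
        print(label, dashboard_resolution(minutes))
    print("1-hour buckets:", sample_counts())
```

Widening the range from 1 hour to 1 week pulls the 61-minute-old event into the window, but at 33.6 minutes per point the two events one hour apart land only a bucket apart.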
Note that not all widgets can be constrained by time. For example, the dashboard time range has no effect on
the Appliance Information widget, which provides information that includes the appliance name, model, and
current version of the software.
Keep in mind that for enterprise deployments of the Firepower System, changing the time range to a long
period may not be useful for widgets like the Custom Analysis widget, depending on how often newer events
replace older events.
You can also pause a dashboard, which allows you to examine the data provided by the widgets without the
display changing and interrupting your analysis. Pausing a dashboard has the following effects:
• Individual widgets stop updating, regardless of any Update Every widget preference.
• Dashboard tabs stop cycling, regardless of the Cycle Tabs Every setting in the dashboard properties.
• Dashboard pages stop refreshing, regardless of the Refresh Page Every setting in the dashboard properties.
• Changing the time range has no effect.
When you are finished with your analysis, you can unpause the dashboard. Unpausing the dashboard causes
all appropriate widgets on the page to update to reflect the current time range. In addition, dashboard tabs
resume cycling and the dashboard page resumes refreshing according to the settings you specified in the
dashboard properties.
If you experience connectivity problems or other issues that interrupt the flow of system information to the
dashboard, the dashboard automatically pauses and an error notice appears until the problem is resolved.
Note
Your session normally logs you out after 1 hour of inactivity (or another configured interval), regardless of
whether the dashboard is paused. If you plan to passively monitor the dashboard for long periods of time,
consider exempting some users from session timeout, or changing the system timeout settings.
Procedure
Step 1
View the dashboard where you want to add a widget; see Viewing Dashboards, on page 325.
Step 2
Optionally, to change the dashboard time range, choose a time range from the Show the Last drop-down list.
Step 3
Optionally, pause or unpause the dashboard on the time range control, using Pause ( ) or Play ( ).
Renaming a Dashboard
Procedure
Step 1
View the dashboard you want to modify; see Viewing Dashboards, on page 325.
Step 2
Click the dashboard title you want to rename.
Step 3
Type a name.
Step 4
Click OK.
Viewing Dashboards
By default, the home page for your appliance displays the default dashboard. If you do not have a default
dashboard defined, the home page shows the Dashboard Management page, where you can choose a dashboard
to view.
Procedure
At any time, you can do one of the following:
• To view the default dashboard for your appliance, choose Overview > Dashboards.
• To view a specific dashboard, choose Overview > Dashboards, and choose the dashboard from the
menu.
• To view all available dashboards, choose Overview > Dashboards > Management. You can then choose
View ( ) next to an individual dashboard to view it.
CHAPTER 11
Health
The following topics describe how to use health monitoring:
• Requirements and Prerequisites for Health Monitoring, on page 327
• About Health Monitoring, on page 327
• Health Policies, on page 340
• Device Exclusion in Health Monitoring, on page 343
• Health Monitor Alerts, on page 346
• About the Health Monitor, on page 348
• Health Event Views, on page 365
• History for Health Monitoring, on page 368
Requirements and Prerequisites for Health Monitoring
Model Support
Any
Supported Domains
Any
User Roles
Admin
Maintenance User
About Health Monitoring
The health monitor on the Secure Firewall Management Center tracks a variety of health indicators to ensure
that the hardware and software in the system are working correctly. You can use the health monitor to check
the status of critical functionality across your deployment.
You can configure the frequency for running the health modules for alerting. Secure Firewall Management
Center also supports time series data collection. You can configure the frequency of collecting the time series
data on the device and its health modules. The device monitor reports these metrics in several predefined
health monitor dashboards by default. The metric data is collected for analysis and hence no alerting is
associated with it.
You can use the health monitor to create a collection of tests, referred to as a health policy, and apply the
health policy to one or more appliances. The tests, referred to as health modules, are scripts that test for criteria
you specify. You can modify a health policy by enabling or disabling tests or by changing test settings, and
you can delete health policies that you no longer need. You can also suppress messages from selected appliances
by excluding them.
The tests in a health policy run automatically at the interval you configure. You can also run all tests, or a
specific test, on demand. The health monitor collects health events based on the test conditions configured.
Note
All appliances automatically report their hardware status via the Hardware Alarms health module. The Secure
Firewall Management Center also automatically reports status using the modules configured in the default
health policy. Some health modules, such as the Appliance Heartbeat module, run on the Secure Firewall
Management Center and report the status of the Secure Firewall Management Center's managed devices. For
the health modules to provide managed device status, you must deploy all health policies to the device.
You can use the health monitor to access health status information for the entire system, for a particular
appliance, or, in a multidomain deployment, a particular domain. Hexagon charts and status tables on the
Health Monitor page provide a visual summary of the status of all appliances on your network, including the
Secure Firewall Management Center. Individual appliance health monitors let you drill down into health
details for a specific appliance.
Fully customizable event views allow you to quickly and easily analyze the health status events gathered by
the health monitor. These event views allow you to search and view event data and to access other information
that may be related to the events you are investigating. For example, if you want to see all the occurrences of
CPU usage with a certain percentage, you can search for the CPU usage module and enter the percentage
value.
You can also configure email, SNMP, or syslog alerting in response to health events. A health alert is an
association between a standard alert and a health status level. For example, if you need to make sure an
appliance never fails due to hardware overload, you can set up an email alert. You can then create a health
alert that triggers that email alert whenever CPU, disk, or memory usage reaches the Warning level you
configure in the health policy applied to that appliance. You can set alerting thresholds to minimize the number
of repeating alerts you receive.
You can also generate troubleshooting files for an appliance if you are asked to do so by Support.
Because health monitoring is an administrative activity, only users with administrator user role privileges can
access system health data.
Health Modules
Health modules, or health tests, test for the criteria you specify in a health policy.
Table 21: Health Modules
Module
Appliances
Description
AMP Connection Status
threat defense
The module alerts if the threat defense cannot connect to the AMP cloud or
Cisco AMP Private Cloud after an initial successful connection, or if the
private cloud cannot contact the public AMP cloud. Disabled by default.
AMP for Endpoints
Status
management center
The module alerts if the management center cannot connect to the AMP cloud
or Cisco AMP Private Cloud after an initial successful connection, or if the
private cloud cannot contact the public AMP cloud. It also alerts if you
deregister an AMP cloud connection using the Secure Endpoint management
console.
AMP for Firepower
Status
management center
This module alerts if:
• The management center cannot contact the AMP cloud (public or private)
or the Secure Malware Analytics Cloud or Appliance, or the AMP private
cloud cannot contact the public AMP cloud.
• The encryption keys used for the connection are invalid.
• A device cannot contact the Secure Malware Analytics Cloud or Secure
Malware Analytics Appliance to submit files for dynamic analysis.
• An excessive number of files are detected in network traffic based on
the file policy configuration.
If your management center loses connectivity to the Internet, the system may
take up to 30 minutes to generate a health alert.
AMP Threat Grid
Connectivity
threat defense
The module alerts if the threat defense cannot connect to the AMP Threat
Grid cloud after an initial successful connection.
Appliance Heartbeat
management center
This module determines if an appliance heartbeat is being heard from the
appliance and alerts based on the appliance heartbeat status.
ASP Drop
threat defense
This module monitors the connections dropped by the data plane accelerated
security path.
Automatic Application threat defense
Bypass
This module monitors bypassed detection applications
Event Backlog Status
This module alerts if the backlog of event data awaiting transmission from
the device to the management center has grown continuously for more than
30 minutes.
management center
To reduce the backlog, evaluate your bandwidth and consider logging fewer
events.
Cisco Secure Firewall Management Center Administration Guide, 7.2
329
Health and Monitoring
Health Modules
Module
Appliances
Description
CPU Usage (per core)
Appliances: management center and threat defense
This module checks that the CPU usage on all of the cores is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

CPU Usage Data Plane
Appliances: threat defense
This module checks that the average CPU usage of all data plane processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

CPU Usage Snort
Appliances: threat defense
This module checks that the average CPU usage of the Snort processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

CPU Usage System
Appliances: threat defense
This module checks that the average CPU usage of all system processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Network Card Reset
Appliances: Sensor
This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs.

Chassis Environment Status
Appliances: threat defense
This module monitors chassis parameters such as fan speed and chassis temperature, and enables you to set a warning threshold and critical threshold for temperature. The Critical Chassis Temperature (Celsius) default value is 85. The Warning Chassis Temperature (Celsius) default value is 75.

Cluster/HA Failover Status
Appliances: threat defense
This module monitors the status of device clusters. The module alerts if:
• A new primary unit is elected to a cluster.
• A new secondary unit joins a cluster.
• A primary or secondary unit leaves a cluster.

Database Size
Appliances: management center
This module checks the size of the configuration database and alerts when the size exceeds the values (in gigabytes) configured for the module.
Configuration Resource Utilization
Appliances: threat defense
This module alerts if the size of your deployed configurations puts a device at risk of running out of memory.
The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies.
Snort Memory Allocation
• Total Snort Memory indicates the memory allotted for the Snort 2 instances running on the threat defense device.
• Available Memory indicates the memory allotted by the system for a Snort 2 instance. Note that this value is not just the difference between the Total Snort Memory and the combined memory reserved for other modules. This value is derived after a few other computations and then divided by the number of Snort 2 processes.
A negative Available Memory value indicates that the Snort 2 instance does not have enough memory for the deployed configuration. For support, contact Cisco Technical Assistance Center (TAC).

Connection Statistics
Appliances: threat defense
This module monitors the connection statistics and NAT translation counts.

Critical Process Statistics
Appliances: threat defense
This module monitors the state of critical processes, their resource consumption, and the restart counts.

Deployed Configuration Statistics
Appliances: threat defense
This module monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules.

Disk Status
Appliances: management center and threat defense
This module examines performance of the hard disk, and malware storage pack (if installed) on the appliance.
This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected.
Disk Usage
Appliances: management center and threat defense
This module compares disk usage on the appliance's hard drive and malware storage pack to the limits configured for the module and alerts when usage exceeds the percentages configured for the module. This module also alerts when the system excessively deletes files in monitored disk usage categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds. See Disk Usage and Drain of Events Health Monitor Alerts, on page 403 for information about troubleshooting scenarios for Disk Usage alerts.
Use the Disk Usage health status module to monitor disk usage for the / and /volume partitions on the appliance and track draining frequency. Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.
Attention
If you receive alerts for high unmanaged disk usage for the /volume partition even though the usage is below the critical or warning threshold specified in the health policy, this could indicate that there are files which need to be deleted manually from the system. Contact TAC if you receive these alerts.

Event Monitor
Appliances: management center
This module monitors the overall incoming event rate to the management center.

Event Stream Status
Appliances: management center
This module monitors connections to third-party client applications that use the Event Streamer on the management center.

Management Center Access Configuration Changes
Appliances: management center
This module monitors access configuration changes made on the management center directly using the configure network management-data-interface command.

Management Center HA Status
Appliances: management center
This module monitors and alerts on the high availability status of the management center. If you have not established management center high availability, the HA Status is Not in HA.
Note
This module replaces the HA Status module, which previously provided HA status for the management center. In Version 7.0, we added HA status for managed devices.

Threat Defense HA (Split-brain check)
Appliances: threat defense
This module monitors and alerts on the high availability status of the threat defense and provides a health alert for a split brain scenario. If you have not established threat defense high availability, the HA Status is Not in HA.

File System Integrity Check
Appliances: management center and threat defense
This module performs a file system integrity check and runs if the system has CC mode or UCAPL mode enabled, or if the system runs an image signed with a DEV key. This module is enabled by default.

Flow Offload Statistics
Appliances: threat defense
This module monitors hardware flow offload statistics for a managed device.

Hardware Alarms
Appliances: threat defense
This module determines if hardware needs to be replaced on a physical managed device and alerts based on the hardware status. The module also reports on the status of hardware-related daemons.
Health Monitor Process
Appliances: Any
This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the management center exceeds the Warning or Critical limits.

Discovery Host Limit
Appliances: management center
This module determines if the number of hosts the management center can monitor is approaching the limit and alerts based on the warning level configured for the module. For more information, see Host Limit.

ISE Connection Monitor
Appliances: management center
This module monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the management center. ISE provides additional user data, device type data, device location data, SGTs (Security Group Tags), and SXP (Security Exchange Protocol) services.

Inline Link Mismatch Alarms
Appliances: Any managed device
This module monitors the ports associated with inline sets and alerts if the two interfaces of an inline pair negotiate different speeds.

Interface Status
Appliances: Any
This module determines if the device currently collects traffic and alerts based on the traffic status of physical interfaces and aggregate interfaces. For physical interfaces, the information includes interface name, link state, and bandwidth. For aggregate interfaces, the information includes interface name, number of active links, and total aggregate bandwidth.

Intrusion and File Event Rate
Appliances: Any managed device
This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the Intrusion and File Event Rate is zero, the intrusion process may be down or the managed device may not be sending events. Select Analysis > Intrusions > Events to check if events are being received from the device.
Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to 50 and Events per second (Warning) should be set to 30. To determine limits for your system, find the Events/Sec value on the Statistics page for your device (System > Monitoring > Statistics), then calculate the limits using these formulas:
• Events per second (Critical) = Events/Sec * 2.5
• Events per second (Warning) = Events/Sec * 1.5
The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.
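A worked calculation of the Events per second limits described above, as an added example that is not part of the Cisco guide: it applies the 2.5 and 1.5 multipliers to an observed Events/Sec baseline, enforces the 999 ceiling and the rule that Critical must exceed Warning, and then classifies a later observed rate against the resulting limits. Rounding up to whole events and the treatment of a zero baseline are assumptions of this example, not statements from the guide.

```python
from dataclasses import dataclass
from math import ceil

# Values stated in the Health Modules table for the Intrusion and File Event Rate module.
MAX_EVENTS_PER_SEC = 999   # largest value accepted for either limit
CRITICAL_FACTOR = 2.5      # Events per second (Critical) = Events/Sec * 2.5
WARNING_FACTOR = 1.5       # Events per second (Warning) = Events/Sec * 1.5


@dataclass(frozen=True)
class EventRateLimits:
    baseline_eps: float   # Events/Sec read from System > Monitoring > Statistics
    warning: int          # Events per second (Warning)
    critical: int         # Events per second (Critical)
    capped: bool          # True if the 999 ceiling truncated a computed value


def event_rate_limits(baseline_eps: float) -> EventRateLimits:
    """Derive the Warning/Critical limits for a device from its observed Events/Sec.

    Rounding up to whole events is an assumption of this example; the guide gives
    only the multipliers, the 999 maximum, and the Critical > Warning requirement.
    """
    if baseline_eps < 0:
        raise ValueError("Events/Sec cannot be negative")
    raw_warning = ceil(baseline_eps * WARNING_FACTOR)
    raw_critical = ceil(baseline_eps * CRITICAL_FACTOR)
    warning = min(raw_warning, MAX_EVENTS_PER_SEC)
    critical = min(raw_critical, MAX_EVENTS_PER_SEC)
    capped = (raw_warning, raw_critical) != (warning, critical)
    # The guide requires Critical > Warning. That cannot hold for a zero baseline
    # (a zero rate is itself a symptom the module flags) or when the baseline is so
    # high that the ceiling collapses both limits to 999; refuse rather than guess.
    if critical <= warning:
        raise ValueError(
            f"baseline {baseline_eps} events/sec gives Warning={warning}, "
            f"Critical={critical}; the Critical limit must be higher than the Warning limit"
        )
    return EventRateLimits(baseline_eps, warning, critical, capped)


def classify_event_rate(observed_eps: float, limits: EventRateLimits) -> str:
    """Map an observed rate to the status this module would report under these limits."""
    if observed_eps <= 0:
        # Not "healthy": the guide says a zero rate may mean the intrusion process
        # is down or the device is not sending events.
        return "no events"
    if observed_eps > limits.critical:
        return "critical"
    if observed_eps > limits.warning:
        return "warning"
    return "normal"


if __name__ == "__main__":
    # Constructed sample baselines: the guide's typical 20 eps segment and a busy one.
    for eps in (20, 500):
        limits = event_rate_limits(eps)
        print(limits)
        for observed in (0, 25, 35, 120):
            print(f"  observed {observed:>4} eps -> {classify_event_rate(observed, limits)}")
```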
License Monitor
Appliances: management center
This module monitors license expiration.

Link State Propagation
Appliances: ISA 3000
This module determines when a link in a paired inline set fails and triggers the link state propagation mode.
If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads:
Module Link State Propagation: ethx_ethy is Triggered
where x and y are the paired interface numbers.

Local Malware Analysis
Appliances: management center and threat defense
This module monitors ClamAV updates for Local Malware Analysis.

Memory Usage
Appliances: Any
This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module.
For appliances with more than 4 GB of memory, the preset alert thresholds are based on a formula that accounts for proportions of available memory likely to cause system problems. On >4 GB appliances, because the interval between Warning and Critical thresholds may be very narrow, Cisco recommends that you manually set the Warning Threshold % value to 50. This will further ensure that you receive memory alerts for your appliance in time to address the issue. See Memory Usage Thresholds for Health Monitor Alerts, on page 402 for additional information about how thresholds are calculated.
Beginning with Version 6.6.0, the minimum required RAM for management center virtual upgrades to Version 6.6.0+ is 28 GB, and the recommended RAM for management center virtual deployments is 32 GB. We recommend you do not decrease the default settings: 32 GB RAM for most management center virtual instances, 64 GB for the management center virtual 300 (VMware only).
Attention
A critical alert is generated by the health monitor when insufficient RAM is allocated to a management center virtual deployment.
Complex access control policies and rules can command significant resources and negatively affect performance.

Memory Usage Data Plane
Appliances: threat defense
This module checks the percentage of allocated memory used by the Data Plane processes and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Memory Usage Snort
Appliances: threat defense
This module checks the percentage of allocated memory used by the Snort process and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

MySQL Statistics
Appliances: management center
This module monitors the status of the MySQL database, including the database size, number of active connections, and memory use. Disabled by default.
NTP Statistics
Appliances: threat defense
This module monitors the NTP clock synchronization status of the managed device. Disabled by default.

Firepower Platform Faults
Appliances: threat defense
This module generates an alert for platform faults for Firepower 1000, 2100, and 3000 series devices. A fault is a mutable object that is managed by the management center. Each fault represents a failure in the Firepower 1000, 2100, and 3000 instance or an alarm threshold that has been raised. During the lifecycle of a fault, it can change from one state or severity to another. Each fault includes information about the operational state of the affected object at the time the fault was raised. If the fault is transitional and the failure is resolved, then the object transitions to a functional state.
For more information, see the Cisco Firepower 1000/2100 FXOS Faults and Error Messages Guide.

Power Supply
Appliances: Physical management centers
This module determines if power supplies on the device require replacement and alerts based on the power supply status.

Process Status
Appliances: Any
This module determines if processes on the appliance exit or terminate outside of the process manager.
If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited, until the module runs again and the process has restarted. If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process, until the module runs again and the process has restarted.

RRD Server Process
Appliances: management center
This module determines if the round robin data server that stores time series data is running properly. The module will alert if the RRD server has restarted since the last time it updated; it will enter Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration.

RabbitMQ Status
Appliances: management center
This module collects various statistics for RabbitMQ.
Realm
Appliances: Any managed device
Enables you to set a warning threshold for realm or user mismatches, which are:
• User mismatch: A user is reported to the management center without being downloaded.
A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the management center. Review the information discussed in the Cisco Secure Firewall Management Center Device Configuration Guide.
• Realm mismatch: A user logs into a domain that corresponds to a realm not known to the management center.
For more information, see the Cisco Secure Firewall Management Center Device Configuration Guide.

Snort Reconfiguring Detection
Appliances: Any managed device
This module alerts if a device reconfiguration has failed.

Routing Statistics
Appliances: threat defense
This module monitors the current state of the routing table.

SSE Connection Status
Appliances: threat defense
The module alerts if the threat defense cannot connect to the SSE cloud after an initial successful connection. Disabled by default.

Security Intelligence
Appliances: management center
This module alerts if Security Intelligence is in use and the management center cannot update a feed, or feed data is corrupt or contains no recognizable IP addresses.
See also the Threat Data Updates on Devices module.

Smart License Monitor
Appliances: management center
This module alerts if:
• There is a communication error between the Smart Licensing Agent (Smart Agent) and the Smart Software Manager.
• The Product Instance Registration Token has expired.
• The Smart License usage is out of compliance.
• The Smart License authorization or evaluation mode has expired.
Snort Identity Memory Usage
Appliances: threat defense
Enables you to set a warning threshold for Snort identity processing and alerts when memory usage exceeds the level configured for the module. The Critical Threshold % default value is 80.
This health module specifically keeps track of the total space used for the user identity information in Snort. It displays the current memory usage details, the total number of user-to-IP bindings, and user-group mapping details. Snort records these details in a file. If the memory usage file is not available, the Health Alert for this module displays Waiting for data. This could happen during a Snort restart due to a new install or a major update, a switch from Snort2 to Snort3 or back, or a major policy deployment. Depending on the health monitoring cycle, and when the file is available, the warning disappears, and the health monitor displays the details for this module with its status turned Green.

Snort Statistics
Appliances: threat defense
This module monitors the Snort statistics for events, flows, and packets.

Snort3 Statistics
Appliances: threat defense
This module collects and monitors the Snort3 statistics for events, flows, and packets.

Smart License Monitor
Appliances: management center
This module monitors Smart Licensing status.

Sybase Statistics
Appliances: management center
This module monitors the status of the Sybase database on the management center, including the database size, number of active connections, and memory use.
Threat Data Updates on Devices
Appliances: Any
Certain intelligence data and configurations that devices use to detect threats are updated on the management center from the cloud every 30 minutes. This module alerts you if this information has not been updated on the devices within the time period you have specified.
Monitored updates include:
• Local URL category and reputation data
• Security Intelligence URL lists and feeds, including global Block and Do Not Block lists and URLs from Threat Intelligence Director
• Security Intelligence network lists and feeds (IP addresses), including global Block and Do Not Block lists and IP addresses from Threat Intelligence Director
• Security Intelligence DNS lists and feeds, including global Block and Do Not Block lists and domains from Threat Intelligence Director
• Local malware analysis signatures (from ClamAV)
• SHA lists from Threat Intelligence Director, as listed on the Objects > Object Management > Security Intelligence > Network Lists and Feeds page
• Dynamic analysis settings configured on the Integration > AMP > Dynamic Analysis Connections page
• Threat Configuration settings related to expiration of cached URLs, including the Cached URLs Expire setting on the System > Integration > Cloud Services page. (Updates to the URL cache are not monitored by this module.)
• Communication issues with the Cisco cloud for sending events. See the Cisco Cloud box on the System > Integration > Cloud Services page.
Note
Threat Intelligence Director updates are included only if TID is configured on your system and you have feeds.
By default, this module sends a warning after 1 hour and a critical alert after 24 hours.
If this module indicates failure on the management center or on any devices, verify that the management center can reach the devices.

Time Series Data (RRD) Monitor
Appliances: management center
This module tracks the presence of corrupt files in the directory where time series data (such as correlation event counts) are stored and alerts when files are flagged as corrupt and removed.

Time Synchronization Status
Appliances: management center
This module tracks the synchronization of a device clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds.

URL Filtering Monitor
Appliances: management center
This module alerts if the management center fails to:
• Register with the Cisco cloud.
• Download URL threat data updates from the Cisco cloud.
• Complete URL lookups.
You can configure time thresholds for these alerts.
See also the Threat Data Updates on Devices module.
Unresolved Groups Monitor
Appliances: management center
Monitors unresolved groups used in policies.

VPN Statistics
Appliances: management center
This module monitors Site to Site and RA VPN tunnels between Firepower devices.

VPN Status
Appliances: management center
This module alerts when one or more VPN tunnels between Firepower devices are down.
This module tracks:
• Site-to-site VPN for Secure Firewall Threat Defense
Attention
Site-to-site VPN tunnels created with Virtual Tunnel Interfaces (VTIs) do not generate health alerts when the tunnel goes down. If you experience packet loss over a VPN with VTIs, check your VPN configuration.
• Remote access VPN for Secure Firewall Threat Defense

XTLS Counters
Appliances: threat defense
This module monitors XTLS/SSL flows, memory and cache effectiveness. Disabled by default.
Configuring Health Monitoring
Procedure
Step 1
Determine which health modules you want to monitor as discussed in Health Modules, on page 329.
You can set up specific policies for each kind of appliance, enabling only the appropriate tests for that appliance.
Tip
To quickly enable health monitoring without customizing the monitoring behavior, you can apply
the default policy provided for that purpose.
Step 2
Apply a health policy to each appliance where you want to track health status as discussed in Creating Health
Policies, on page 340.
Step 3
(Optional.) Configure health monitor alerts as discussed in Creating Health Monitor Alerts, on page 347.
You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular
severity level for specific health modules.
Health Policies
A health policy contains configured health test criteria for several modules. You can control which health
modules run against each of your appliances and configure the specific limits used in the tests run by each
module.
When you configure a health policy, you decide whether to enable each health module for that policy. You
also select the criteria that control which health status each enabled module reports each time it assesses the
health of a process.
You can create one health policy that can be applied to every appliance in your system, customize each health
policy to the specific appliance where you plan to apply it, or use the default health policy provided for you.
In a multidomain deployment, administrators in ancestor domains can apply health policies to devices in
descendant domains, which descendant domains can use or replace with customized local policies.
Default Health Policy
The Secure Firewall Management Center setup process creates and applies an initial health policy, in which
most—but not all—available health modules are enabled. The system also applies this initial policy to devices
added to the Secure Firewall Management Center.
This initial health policy is based on a default health policy, which you can neither view nor edit, but which
you can copy when you create a custom health policy.
Upgrades and the Default Health Policy
When you upgrade the management center, any new health modules are added to all health policies, including
the initial health policy, default health policy, and any other custom health policies. Usually, new health
modules are added in an enabled state.
Note
For a new health module to begin monitoring and alerting, reapply health policies after upgrade.
Creating Health Policies
If you want to customize a health policy to use with your appliances, you can create a new policy. The settings
in the policy initially populate with the settings from the health policy you choose as a basis for the new policy.
You can edit the policy to specify your preferences, such as enable or disable modules within the policy,
change the alerting criteria for each module as needed, and specify the run time intervals.
In a multidomain deployment, the system displays policies created in the current domain, which you can edit.
It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created
in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to
devices in descendant domains, which descendant domains can use or replace with customized local policies.
Procedure
Step 1
Choose System > Health > Policy.
Step 2
Click Create Policy.
Step 3
Enter a name for the policy.
Step 4
Choose the existing policy that you want to use as the basis for the new policy from the Base Policy drop-down
list.
Step 5
Enter a description for the policy.
Step 6
Choose Save.
What to do next
• Apply the health policy on devices as described in Applying Health Policies, on page 341.
• Edit the policy to specify the module-level policy settings as described in Editing Health Policies, on
page 342.
Applying Health Policies
When you apply a health policy to an appliance, the health tests for all the modules you enabled in the policy
automatically monitor the health of the processes and hardware on the appliance. Health tests then continue
to run at the intervals you configured in the policy, collecting health data for the appliance and forwarding
that data to the Secure Firewall Management Center.
If you enable a module in a health policy and then apply the policy to an appliance that does not require that
health test, the health monitor reports the status for that health module as disabled.
If you apply a policy with all modules disabled to an appliance, it removes all applied health policies from
the appliance so no health policy is applied.
When you apply a different policy to an appliance that already has a policy applied, expect some latency in
the display of new data based on the newly applied tests.
In a multidomain deployment, the system displays policies created in the current domain, which you can edit.
It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created
in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to
devices in descendant domains, which descendant domains can use or replace with customized local policies.
Procedure
Step 1
Choose System > Health > Policy.
Step 2
Click Deploy health policy next to the policy you want to apply.
Step 3
Choose the appliances where you want to apply the health policy.
Note
You cannot remove the policy from an appliance after you have deployed it. To stop health monitoring
for an appliance, create a health policy with all modules disabled and apply it to the appliance.
Step 4
Click Apply to apply the policy to the appliances you chose.
What to do next
• Optionally, monitor the task status; see Viewing Task Messages, on page 400.
Monitoring of the appliance starts as soon as the policy is successfully applied.
Editing Health Policies
In a multidomain deployment, the system displays policies created in the current domain, which you can edit.
It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created
in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to
devices in descendant domains, which descendant domains can use or replace with customized local policies.
Procedure
Step 1
Choose System > Health > Policy.
Step 2
Click Edit next to the policy you want to modify.
Step 3
To edit the policy name and its description, click the Edit icon provided against the policy name.
Step 4
The Health Modules tab displays all the device modules and their attributes. Click the toggle button provided against the module and its attributes, turning it on or off, to enable or disable testing of health status respectively. To execute a bulk enable or disable of testing on the health modules, click the Select All toggle button. For information on the modules, see Health Modules, on page 329.
Note
• The modules and attributes are flagged with the supporting appliances—threat defense,
management center, or both.
• You cannot choose to include or exclude the individual attributes of CPU and Memory modules.
Step 5
Where appropriate, set the Critical and Warning threshold percentages.
Step 6
In the Run Time Intervals tab, enter the relevant values in the fields:
• Health Module Run Interval—The frequency for running the health modules. The minimum interval
is 5 minutes.
• Metric Collection Interval—The frequency of collecting the time series data on the device and its health
modules. The device monitor reports these metrics in several predefined health monitor dashboards by
default. For detailed information on the dashboard, see About Dashboards, on page 305. The metric data
is collected for analysis and hence no alerting is associated with it.
Step 7
Click Save.
What to do next
• Apply the health policy to each appliance as described in Applying Health Policies, on page 341. This
option allows you to apply the changes and update the policy status for all affected policies.
Deleting Health Policies
You can delete health policies that you no longer need. If you delete a policy that is still applied to an appliance,
the policy settings remain in effect until you apply a different policy. In addition, if you delete a health policy
that is applied to a device, any health monitoring alerts in effect for the device remain active until you disable
the underlying associated alert response.
In a multidomain deployment, you can only delete health policies created in the current domain.
Tip
To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to
the appliance.
Procedure
Step 1
Choose System > Health > Policy.
Step 2
Click Delete next to the policy you want to delete, and then click Delete health policy to delete it.
A message appears, indicating if the deletion was successful.
Device Exclusion in Health Monitoring
In the course of normal network maintenance, you disable appliances or make them temporarily unavailable.
Because those outages are deliberate, you do not want the health status from those appliances to affect the
summary health status on your Secure Firewall Management Center.
You can use the health monitor exclude feature to disable health monitoring status reporting on an appliance
or module. For example, if you know that a segment of your network will be unavailable, you can temporarily
disable health monitoring for a managed device on that segment to prevent the health status on the Secure
Firewall Management Center from displaying a warning or critical state because of the lapsed connection to
the device.
When you disable health monitoring status, health events are still generated, but they have a disabled status
and do not affect the health status for the health monitor. If you remove the appliance or module from the
excluded list, the events that were generated during the exclusion continue to show a status of disabled.
To temporarily disable health events from an appliance, go to the exclusion configuration page and add an
appliance to the device exclude list. After the setting takes effect, the system no longer considers the excluded
appliance when calculating the overall health status. The Health Monitor Appliance Status Summary lists the
appliance as disabled.
You can also disable an individual health module. For example, when you reach the host limit on a Secure
Firewall Management Center, you can disable Host Limit status messages.
On the main Health Monitor page, you can identify excluded appliances by expanding the list of appliances
with a particular status; click the arrow in that status row.
Note
On a Secure Firewall Management Center, Health Monitor exclusion settings are local configuration settings.
Therefore, if you exclude a device, then delete it and later re-register it with the Secure Firewall Management
Center, the exclusion settings remain persistent. The newly re-registered device remains excluded.
In a multidomain deployment, administrators in ancestor domains can exclude an appliance or health module
in descendant domains. However, administrators in the descendant domains can override the ancestor
configuration and clear the exclusion for devices in their domain.
Excluding Appliances from Health Monitoring
You can exclude appliances individually or by group, model, or associated health policy.
If you need to set the events and health status for an individual appliance to disabled, you can exclude the
appliance. After the exclusion settings take effect, the appliance shows as disabled in the Health Monitor
Appliance Module Summary, and health events for the appliance have a status of disabled.
In a multidomain deployment, excluding an appliance in an ancestor domain excludes it for all descendant
domains. Descendant domains can override this inherited configuration and clear the exclusion. You can only
exclude the Secure Firewall Management Center at the Global level.
Procedure
Step 1
Choose System > Health > Exclude.
Step 2
Click Add Device.
Step 3
In the Device Exclusion dialog box, under Available Devices, click Add next to the device that you want to
exclude from health monitoring.
Step 4
Click Exclude. The selected device is displayed in the exclusion main page.
Step 5
To remove the device from the exclusion list, click Delete next to it.
Step 6
Click Apply.
What to do next
To exclude individual health policy modules on appliances, see Excluding Health Policy Modules, on page
344.
Excluding Health Policy Modules
You can exclude individual health policy modules on appliances. You may want to do this to prevent events
from the module from changing the status for the appliance to warning or critical.
After the exclusion settings take effect, the appliance shows the number of modules on the device that are
excluded from health monitoring.
Tip
Make sure that you keep track of individually excluded modules so you can reactivate them when you need
them. You may miss necessary warning or critical messages if you accidentally leave a module disabled.
In a multidomain deployment, administrators in ancestor domains can exclude health modules in descendant
domains. However, administrators in descendant domains can override this ancestor configuration and clear
the exclusion for policies applied in their domains. You can only exclude Secure Firewall Management Center
health modules at the Global level.
Procedure
Step 1
Choose System > Health > Exclude.
Step 2
Click Edit next to the appliance you want to modify.
Step 3
In the Exclude Health Modules dialog box, by default, all the modules of the device are excluded from health
monitoring. Certain modules are applicable to specific devices only; for more information, see Health Modules,
on page 329.
Step 4
To specify the duration of the exclusion for the device, from the Exclude Period drop-down list, select the
duration.
Step 5
To choose modules to be excluded from health monitoring, click the Enable Module Level Exclusion link.
The Exclude Health Modules dialog box displays all the modules of the device. The modules that are not
applicable for the associated health policies are disabled by default. To exclude a module, perform the following:
a. Click the Slider button next to the desired module.
b. To specify the duration of the exclusion for the selected modules, from the Exclude Period drop-down
list, select the duration.
Step 6
If you select an Exclude Period other than Permanent, for your exclusion configuration, you can choose to
automatically delete the configuration when it expires. To enable this setting, check the Auto-delete expired
configurations check box.
Step 7
Click OK.
Step 8
In the device exclusion main page, click Apply.
Expired Health Monitor Exclusions
When the exclusion period for a device or modules lapses, you can choose to clear or renew the exclusion.
Procedure
Step 1
Choose System > Health > Exclude.
A Warning icon is displayed next to each device whose exclusion period, for the device itself or for its
modules, has expired.
Step 2
To renew the exclusion of the device, click Edit next to the appliance. In the Exclude Health Modules
dialog box, click the Renew link. The exclusion period of the device is extended with the current value.
Step 3
To clear the device from being excluded, click Delete next to the appliance, click Remove the device
from exclusion, and then click Apply.
Step 4
To renew or clear the modules from exclusion, click Edit next to the appliance. In the Exclude Health
Modules dialog box, click the Enable Module Level Exclusion link, and then click the Renew or Clear link
against the modules. When you click Renew, the exclusion period is extended on the module with the current
value.
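To make the exclusion semantics of Device Exclusion in Health Monitoring and the expiry handling of Expired Health Monitor Exclusions concrete, the following Python models them over constructed sample data. It is an added example, not Secure Firewall Management Center code: the class and function names (Exclusion, HealthEvent, apply_exclusions, summary_status, device_status, sweep_expired, renew), the sample device names and timestamps are this example's own, and the rule that the summary is the worst status among non-disabled events is a simplification assumed from the Health Monitor behaviour described above.

```python
"""Illustrative model of health monitor exclusions (constructed example,
not Secure Firewall Management Center code).

Modelled from the guide: excluded appliances or modules still generate
events, but with status "disabled", and those events do not count toward
the summary status; an exclusion has a period (Permanent or timed); when
the period lapses the exclusion is flagged as expired and can be renewed,
cleared, or auto-deleted if that option was checked.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SEVERITY_RANK = {"normal": 0, "warning": 1, "critical": 2}


@dataclass(frozen=True)
class Exclusion:
    device: str
    modules: frozenset = frozenset()     # empty set = the whole device is excluded
    expires: Optional[datetime] = None   # None = Exclude Period "Permanent"
    auto_delete: bool = False            # "Auto-delete expired configurations"

    def expired(self, now: datetime) -> bool:
        return self.expires is not None and now >= self.expires

    def covers(self, module: str) -> bool:
        return not self.modules or module in self.modules


@dataclass(frozen=True)
class HealthEvent:
    device: str
    module: str
    status: str                          # normal, warning, critical, or disabled


def apply_exclusions(events, exclusions, now):
    """Copy of events with excluded (device, module) pairs marked 'disabled'.
    An expired exclusion no longer suppresses anything."""
    active = [x for x in exclusions if not x.expired(now)]
    out = []
    for e in events:
        hit = any(x.device == e.device and x.covers(e.module) for x in active)
        out.append(HealthEvent(e.device, e.module, "disabled" if hit else e.status))
    return out


def summary_status(events):
    """Worst status among non-disabled events (assumed aggregation rule)."""
    worst = "normal"
    for e in events:
        if e.status != "disabled" and SEVERITY_RANK[e.status] > SEVERITY_RANK[worst]:
            worst = e.status
    return worst


def device_status(events, device):
    """Per-device status; 'disabled' only when every event of the device is disabled."""
    mine = [e for e in events if e.device == device]
    if mine and all(e.status == "disabled" for e in mine):
        return "disabled"
    return summary_status(mine)


def sweep_expired(exclusions, now):
    """Drop expired exclusions that were set to auto-delete; keep the rest
    (they show the Warning icon and can still be renewed or cleared)."""
    return [x for x in exclusions if not (x.expired(now) and x.auto_delete)]


def renew(x: Exclusion, now: datetime, period: timedelta) -> Exclusion:
    """Renew: extend the exclusion by its current period from now."""
    return Exclusion(x.device, x.modules, now + period, x.auto_delete)


# Constructed sample data: two managed devices and the management center.
EVENTS = [
    HealthEvent("ftd-1", "Disk Usage", "critical"),
    HealthEvent("ftd-1", "CPU", "normal"),
    HealthEvent("ftd-2", "Host Limit", "warning"),
    HealthEvent("ftd-2", "Memory", "normal"),
    HealthEvent("fmc", "Memory", "normal"),
]
T0 = datetime(2022, 6, 28, 9, 0)            # constructed maintenance start
MAINTENANCE = timedelta(hours=1)
EXCLUSIONS = [
    Exclusion("ftd-1", expires=T0 + MAINTENANCE, auto_delete=True),  # whole device, timed
    Exclusion("ftd-2", modules=frozenset({"Host Limit"})),           # one module, permanent
]


def scenario():
    """Walk the sample through the maintenance window and past its expiry."""
    during = apply_exclusions(EVENTS, EXCLUSIONS, T0 + timedelta(minutes=30))
    later = T0 + timedelta(hours=2)
    after = apply_exclusions(EVENTS, EXCLUSIONS, later)
    remaining = sweep_expired(EXCLUSIONS, later)
    renewed = renew(EXCLUSIONS[0], later, MAINTENANCE)
    renewed_view = apply_exclusions(EVENTS, [renewed] + remaining, later)
    return {
        "summary_during": summary_status(during),   # ftd-1 and Host Limit hidden
        "ftd1_during": device_status(during, "ftd-1"),
        "summary_after": summary_status(after),     # ftd-1 exclusion lapsed
        "ftd2_after": device_status(after, "ftd-2"),
        "remaining": len(remaining),                # auto-deleted one is gone
        "summary_renewed": summary_status(renewed_view),
    }
```

Running scenario() shows the practical point of the Tip above: while the timed exclusion is active the critical Disk Usage event on ftd-1 is invisible in the summary, and it reappears as soon as the period lapses unless the exclusion is renewed.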
Health Monitor Alerts
You can set up alerts to notify you through email, SNMP, or syslog when the status of a module in a health
policy changes. You associate an existing alert response with health event levels so that an alert triggers
when a health event of that level occurs.
For example, if you are concerned that your appliances may run out of hard disk space, you can automatically
send an email to a system administrator when the remaining disk space reaches the warning level. If the hard
drive continues to fill, you can send a second email when the hard drive reaches the critical level.
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain
only.
Health Monitor Alert Information
The alerts generated by the health monitor contain the following information:
• Severity, which indicates the severity level of the alert.
• Module, which specifies the health module whose test results triggered the alert.
• Description, which includes the health test results that triggered the alert.
The table below describes these severity levels.
Table 22: Alert Severities
Severity | Description
Critical | The health test results met the criteria to trigger a Critical alert status.
Warning | The health test results met the criteria to trigger a Warning alert status.
Normal | The health test results met the criteria to trigger a Normal alert status.
Error | The health test did not run.
Recovered | The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status.
Creating Health Monitor Alerts
You must be an Admin user to perform this procedure.
When you create a health monitor alert, you create an association between a severity level, a health module,
and an alert response. You can use an existing alert or configure a new one specifically to report on system
health. When the severity level occurs for the selected module, the alert triggers.
If you create or update a threshold in a way that duplicates an existing threshold, you are notified of the
conflict. When duplicate thresholds exist, the health monitor uses the threshold that generates the fewest alerts
and ignores the others. The timeout value for the threshold must be between 5 and 4,294,967,295 minutes.
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain
only.
Before you begin
• Configure an alert response that governs the Secure Firewall Management Center's communication with
the SNMP, syslog, or email server where you send the health alert; see Secure Firewall Management
Center Alert Responses, on page 517.
Procedure
Step 1
Choose System > Health > Monitor Alerts.
Step 2
Click Add.
Step 3
In the Add Health Alert dialog box, enter a name for the health alert in the Health Alert Name field.
Step 4
From the Severity drop-down list, choose the severity level you want to use to trigger the alert.
Step 5
From the Alert drop-down list, choose the alert response that you want to trigger when the specified severity
level is reached. If you have not yet configured alert responses (see Secure Firewall Management Center Alert
Responses, on page 517), click Alerts to visit the Alerts page and set them.
Step 6
From the Health Modules list, choose the health policy modules for which you want the alert to apply.
Step 7
Optionally, in the Threshold Timeout field, enter the number of minutes that should elapse before each
threshold period ends and the threshold count resets.
Even when the policy run time interval is shorter than the threshold timeout, the interval between two reported
health events from a given module is always longer, because a module reports only at a scheduled run. For
example, if you change the threshold timeout to 8 minutes and the policy run time interval is 5 minutes, there
is a 10-minute interval (5 x 2) between reported events.
Step 8
Click Save to save the health alert.
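The reporting-interval rule in Step 7 (threshold timeout versus policy run time interval) can be worked through as a small model. The following Python is an added example written for this edit, not code from Cisco or the Secure Firewall Management Center; it assumes, from the 8-minute/5-minute case in the text, that a module runs only at multiples of the run time interval and reports a new event at the first run after the threshold timeout has elapsed. The limits it checks (5-minute minimum run interval, threshold timeout between 5 and 4,294,967,295 minutes) are the ones the guide states; the function names are this example's own.

```python
"""Illustrative model of the health alert reporting interval (constructed
example, not Secure Firewall Management Center code).

Assumed behaviour, derived from the guide's own example (threshold timeout
8 min with a 5-minute run interval gives a 10-minute gap, i.e. 5 x 2):
  * health modules run only at multiples of the policy run time interval;
  * once a module has reported an event, it reports the next one for that
    level at the first run at or after the threshold timeout has elapsed.
"""
import math

MIN_RUN_INTERVAL_MIN = 5                  # "The minimum interval is 5 minutes"
MIN_THRESHOLD_TIMEOUT_MIN = 5             # threshold timeout range from the guide
MAX_THRESHOLD_TIMEOUT_MIN = 4_294_967_295


def is_valid(run_interval_min: int, threshold_timeout_min: int) -> bool:
    """True when both values are inside the limits the guide states."""
    return (run_interval_min >= MIN_RUN_INTERVAL_MIN
            and MIN_THRESHOLD_TIMEOUT_MIN <= threshold_timeout_min <= MAX_THRESHOLD_TIMEOUT_MIN)


def validate(run_interval_min: int, threshold_timeout_min: int) -> None:
    """Raise ValueError for values the UI would not accept."""
    if not is_valid(run_interval_min, threshold_timeout_min):
        raise ValueError(
            f"run interval must be >= {MIN_RUN_INTERVAL_MIN} min and threshold timeout "
            f"between {MIN_THRESHOLD_TIMEOUT_MIN} and {MAX_THRESHOLD_TIMEOUT_MIN} min"
        )


def reporting_interval(run_interval_min: int, threshold_timeout_min: int) -> int:
    """Minutes between two reported events from one module at one level.

    The module only runs on the run-interval grid, so the next report happens
    ceil(timeout / interval) runs after the previous one.
    """
    validate(run_interval_min, threshold_timeout_min)
    runs = math.ceil(threshold_timeout_min / run_interval_min)
    return runs * run_interval_min


def report_times(run_interval_min: int, threshold_timeout_min: int, horizon_min: int):
    """Simulate a module that finds the same condition at every run and return
    the minutes (from the first run) at which an event is actually reported."""
    validate(run_interval_min, threshold_timeout_min)
    reported = []
    last = None
    for t in range(0, horizon_min + 1, run_interval_min):   # scheduled runs only
        if last is None or t - last >= threshold_timeout_min:
            reported.append(t)
            last = t
    return reported


if __name__ == "__main__":
    # The guide's case: 5-minute run interval, 8-minute threshold timeout.
    print(reporting_interval(5, 8), report_times(5, 8, 30))
```

The simulation and the closed form agree for every pair of valid values, which is the check a practitioner wants before tuning a timeout: the reported gap is never shorter than the timeout, and it only equals the timeout when the timeout is an exact multiple of the run time interval.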
Editing Health Monitor Alerts
You must be an Admin user to perform this procedure.
You can edit existing health monitor alerts to change the severity level, health module, or alert response
associated with the health monitor alert.
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain
only.
Procedure
Step 1
Choose System > Health > Monitor Alerts.
Step 2
Click the Edit icon provided against the health alert that you want to modify.
Step 3
In the Edit Health Alert dialog box, from the Alert drop-down list, select the required alert entry, or click the
Alerts link to configure a new alert entry.
Step 4
Click Save.
Deleting Health Monitor Alerts
In a multidomain deployment, you can view and modify health monitor alerts created in the current domain
only.
Procedure
Step 1
Choose System > Health > Monitor Alerts.
Step 2
Click Delete next to the health alert you want to delete, and then click Delete health alert to delete it.
What to do next
• Disable or delete the underlying alert response to ensure that alerting does not continue; see Secure
Firewall Management Center Alert Responses, on page 517.
About the Health Monitor
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The health monitor provides the compiled health status for all devices managed by the Secure Firewall
Management Center, plus the Secure Firewall Management Center itself. The health monitor is composed of:
• The Health Status summary page ― Provides you with an at-a-glance view of the health of the Secure
Firewall Management Center and all of the devices that the management center manages. Devices are
listed individually, or grouped according to their geolocation, high availability, or cluster status where
applicable.
• View the health summary of the management center and any device when you hover on the hexagon
that represents the device health.
• The dot to the left of a device indicates its health:
• Green ― No alarms.
• Orange ― At least one health warning.
• Red ― At least one critical health alarm.
• The Monitoring navigation pane ― Allows you to navigate the device hierarchy. You can view health
monitors for individual devices from the navigation pane.
In a multidomain deployment, the health monitor in an ancestor domain displays data from all descendant
domains. In the descendant domains, it displays data from the current domain only.
Procedure
Step 1
Choose System > Health > Monitor.
Step 2
View the status of the management center and its managed devices in the Health Status landing page.
a) Hover your pointer over a hexagon to view the health summary of a device. The popup window shows a
truncated summary of the top five health alerts. Click on the popup to open a detailed view of the health
alert summary.
b) In the device list, click Expand and Collapse to expand and collapse the list of health alerts for a device.
When you expand the row, all of the health alerts are listed, including the status, title, and details.
Note
Health alerts are sorted by their severity level.
Step 3
Use the Monitoring navigation pane to access device-specific health monitors. When you use the Monitoring
navigation pane:
a) Click Home to return to the Health Status summary page.
b) Click Firewall Management Center to view the health monitor for the Secure Firewall Management
Center itself.
c) In the device list, click Expand and Collapse to expand and collapse the list of managed devices.
When you expand the row, all of the devices are listed.
d) Click on a device to view a device-specific health monitor.
What to do next
• See Device Health Monitors, on page 352 for information about the compiled health status and metrics
for any device managed by the Secure Firewall Management Center.
• See Using the Management Center Health Monitor, on page 350 for information about the health status
of the Secure Firewall Management Center.
To return to the Health Status landing page at any time, click Home.
Using the Management Center Health Monitor
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The management center monitor provides a detailed view of the health status of the Secure Firewall Management
Center. The health monitor is composed of:
• High Availability (if configured)―The High Availability (HA) panel displays the current HA status,
including the status of the Active and Standby units, the last sync time, and overall device health.
• Event Rate―The Event Rate panel shows the maximum event rate as a base line as well as the overall
event rate received by the management center.
• Event Capacity―The Event Capacity panel shows the current consumption by event categories, including
the retention time of events, the current vs. maximum event capacity, and a capacity overflow mechanism
where you are alerted when events are stored beyond the configured maximum capacity of the management
center.
• Process Health―The Process Health panel has an at-a-glance view of the critical processes as well as a
tab that lets you see the state of all processes, including the CPU and memory usage for each process.
• CPU―The CPU panel lets you toggle between the average CPU usage (default) and the CPU usage of
all cores.
• Memory―The Memory panel shows the overall memory usage on the management center.
• Interface―The Interface panel shows the average input and output rate of all interfaces.
• Disk Usage―The Disk Usage panel shows the use of the entire disk, and the use of the critical partitions
where management center data is stored.
Tip
Your session normally logs you out after 1 hour of inactivity (or another configured interval). If you plan to
passively monitor health status for long periods of time, consider exempting some users from session timeout,
or changing the system timeout settings. See Add an Internal User, on page 111 and Configure Session Timeouts,
on page 92 for more information.
Procedure
Step 1
Choose System > Health > Monitor.
Step 2
Use the Monitoring navigation pane to access the management center and device-specific health monitors.
• A standalone management center is shown as a single node; a high-availability management center is
shown as a pair of nodes.
• The health monitor is available to both the active and standby management center in an HA pair.
Step 3
Explore the management center dashboard.
The management center dashboard includes a summary view of the HA state of the management center (if
configured), as well as at-a-glance views of management center processes and device metrics such as CPU,
memory, and disk usage.
Running All Modules for an Appliance
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
Health module tests run automatically at the policy run time interval you configure when you create a health
policy. However, you can also run all health module tests on demand to collect up-to-date health information
for the appliance.
In a multidomain deployment, you can run health module tests for appliances in the current domain and in
any descendant domains.
Procedure
Step 1
View the health monitor for the appliance.
Step 2
Click Run All Modules. The status bar indicates the progress of the tests, then the Health Monitor Appliance
page refreshes.
Note
When you manually run health modules, the first refresh that automatically occurs may not reflect
the data from the manually run tests. If the value has not changed for a module that you just ran
manually, wait a few seconds, then refresh the page by clicking the device name. You can also wait
for the page to refresh again automatically.
Running a Specific Health Module
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
Health module tests run automatically at the policy run time interval you configure when you create a health
policy. However, you can also run a health module test on demand to collect up-to-date health information
for that module.
In a multidomain deployment, you can run health module tests for appliances in the current domain and in
any descendant domains.
Procedure
Step 1
View the health monitor for the appliance.
Step 2
In the Module Status Summary graph, click the color for the health alert status category you want to view.
Step 3
In the Alert Detail row for the alert for which you want to view a list of events, click Run.
The status bar indicates the progress of the test, then the Health Monitor Appliance page refreshes.
Note
When you manually run health modules, the first refresh that automatically occurs may not reflect
the data from the manually run tests. If the value has not changed for a module that you just manually
ran, wait a few seconds, then refresh the page by clicking the device name. You can also wait for
the page to refresh automatically again.
Generating Health Module Alert Graphs
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
You can graph the results over a period of time of a particular health test for a specific appliance.
Procedure
Step 1
View the health monitor for the appliance.
Step 2
In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health
alert status category you want to view.
Step 3
In the Alert Detail row for the alert for which you want to view a list of events, click Graph.
Tip
If no events appear, you may need to adjust the time range.
Device Health Monitors
The device health monitor provides the compiled health status for any device managed by the Secure Firewall
Management Center. The device health monitor collects health metrics for Firepower devices in order to
predict and respond to system events. The device health monitor comprises the following components:
• System Details ― Displays information about the managed device, including the installed Firepower
version and other deployment details.
• Troubleshooting & Links ― Provides convenient links to frequently used troubleshooting topics and
procedures.
• Health alerts ― A health alert monitor provides an at-a-glance view of the health of the device.
• Time range ― An adjustable time window to constrain the information that appears in the various device
metrics windows.
• Device metrics ― An array of key Firepower device health metrics categorized across predefined
dashboards, including:
• CPU ― CPU utilization, including the CPU usage by process and by physical cores.
• Memory ― Device memory utilization, including data plane and Snort memory usage.
• Interfaces ― Interface status and aggregate traffic statistics.
• Connections ― Connection statistics (such as elephant flows, active connections, peak connections,
and so on) and NAT translation counts.
• Snort ― Statistics related to the Snort process.
• Disk Usage ― Device disk usage, including the disk size and disk utilization per partition.
• Critical Processes ― Statistics related to managed processes, including process restarts and other
select health monitors such as CPU and memory utilization.
Viewing System Details and Troubleshooting
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The System Details section provides general system information for a selected device. You can also launch
troubleshooting tasks for that device.
Procedure
Step 1
Choose System > Health > Monitor.
Use the Monitoring navigation pane to access device-specific health monitors.
Step 2
In the device list, click Expand and Collapse to expand and collapse the list of managed devices.
Step 3
Click on a device to view a device-specific health monitor.
Step 4
Click the link for View System & Troubleshoot Details …
This panel is collapsed by default. Clicking on the link expands the collapsed section to see System Details
and Troubleshooting & Links for the device. The system details include:
• Version: The Firepower software version.
• Model: The device model.
• Mode: The firewall mode. The threat defense device supports two firewall modes for regular firewall
interfaces: Routed mode and Transparent mode.
• VDB: The Cisco vulnerability database (VDB) version.
• SRU: The intrusion rule set version.
• Snort: The Snort version.
Step 5
You have the following troubleshoot choices:
• Generate troubleshooting files; see Producing Troubleshooting Files for Specific System Functions, on
page 407
• Generate and download advanced troubleshooting files; see Downloading Advanced Troubleshooting
Files, on page 408.
• Create and modify health policies; see Creating Health Policies, on page 340.
• Create and modify health monitor alerts; see Creating Health Monitor Alerts, on page 347.
Viewing the Device Health Monitor
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The device health monitor provides a detailed view of the health status of a Firepower device. The device
health monitor compiles device metrics and provides health status and trends of the device in an array of
dashboards.
Procedure
Step 1
Choose System > Health > Monitor.
Use the Monitoring navigation pane to access device-specific health monitors.
Step 2
In the device list, click Expand and Collapse to expand and collapse the list of managed devices.
Step 3
View the Health Alerts for the device in the alert notification at the top of the page, directly to the right of
the device name.
Hover your pointer over the Health Alerts to view the health summary of the device. The popup window
shows a truncated summary of the top five health alerts. Click on the popup to open a detailed view of the
health alert summary.
Step 4
You can configure the time range from the drop-down in the upper-right corner. The time range can reflect a
period as short as the last hour (the default) or as long as two weeks. Select Custom from the drop-down to
configure a custom start and end date.
Click the refresh icon to set auto refresh to 5 minutes or to toggle off auto refresh.
Step 5
Click on the deployment icon for a deployment overlay on the trend graph, with respect to the selected time range.
The deployment icon indicates the number of deployments during the selected time-range. A vertical band
indicates the deployment start and end time. In the case of multiple deployments, multiple bands/lines will
appear. Click on the icon on top of the dotted line to view the deployment details.
Step 6
The device monitor reports health and performance metrics in several predefined dashboards by default. The
metrics dashboards include:
• Overview ― Highlights key metrics from the other predefined dashboards, including CPU, memory,
interfaces, connection statistics; plus disk usage and critical process information.
• CPU ― CPU utilization, including the CPU usage by process and by physical cores.
• Memory ― Device memory utilization, including data plane and Snort memory usage.
• Interfaces ― Interface status and aggregate traffic statistics.
• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and
so on) and NAT translation counts.
• Snort ― Statistics related to the Snort process.
You can navigate through the various metrics dashboards by clicking on the labels. See Threat Defense Metrics,
on page 356 for a comprehensive list of the supported device metrics.
Step 7
Click the plus sign (+) in the upper right corner of the device monitor to create a custom correlation dashboard
by building your own variable set from the available metric groups; see Correlating Device Metrics, on page
355.
Correlating Device Metrics
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The device health monitor includes an array of key Firepower device metrics that serve to predict and respond
to system events. The health of any Firepower device can be determined by these reported metrics.
The device monitor reports these metrics in several predefined dashboards by default. These dashboards
include:
• Overview ― Highlights key metrics from the other predefined dashboards, including CPU, memory,
interfaces, connection statistics; plus disk usage and critical process information.
• CPU ― CPU utilization, including the CPU usage by process and by physical cores.
• Memory ― Device memory utilization, including data plane and Snort memory usage.
• Interfaces ― Interface status and aggregate traffic statistics.
• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and
so on) and NAT translation counts.
• Snort ― Statistics related to the Snort process.
• ASP Drops ― Statistics related to the Accelerated Security Path (ASP) performance and behavior.
You can add custom dashboards to correlate metrics that are interrelated. Select from predefined correlation
groups, such as CPU and Snort; or create a custom correlation dashboard by building your own variable set
from the available metric groups.
Before you begin
To view and correlate the time series data (device metrics) in the health monitor dashboard, enable REST API
(Settings > Configuration > REST API Preferences).
Note
Correlating device metrics is available only for threat defense 6.7 and later versions. Hence, for threat defense
versions earlier than 6.7, the health monitor dashboard does not display these metrics even if you enable REST
API.
Procedure
Step 1
Choose System > Health > Monitor.
Use the Monitoring navigation pane to access device-specific health monitors.
Step 2
In the device list, click Expand and Collapse to expand and collapse the list of managed devices.
Step 3
Click the plus sign (+) in the upper right corner of the device monitor to add a new dashboard.
Step 4
From the Select Correlation Group drop-down, choose a predefined correlation group or create a custom
group.
Step 5
To create a dashboard from a predefined correlation group, select the group and click Add. The predefined
groups are:
• CPU - Data Plane
• CPU - Snort
• CPU - Others
• Memory - Data Plane
• Packet drops
Step 6
To create a custom correlation dashboard:
a) Choose Custom.
b) Optionally, enter a unique name in the Dashboard Name field or accept the default.
c) Next, select a group from the Select Metric Group drop-down, then select corresponding metrics from
the Select Metrics drop-down.
• Connections; see Connection Group Metrics, on page 358 for available metrics.
• CPU; see CPU Group Metrics, on page 356 for available metrics.
• Critical Process; see Critical Process Group Metrics, on page 363 for available metrics.
• Deployed Configuration; see Deployed Configuration Group Metrics, on page 362 for available metrics.
• Disk; see Disk Group Metrics, on page 363 for available metrics.
• Interface; see Interface Group Metrics, on page 358 for available metrics.
• Snort; see Snort Group Metrics, on page 359 for available metrics.
• ASP Drops; see ASP Drop Metrics, on page 361 for available metrics.
Step 7
Click Add Metrics to add and select metrics from another group.
Step 8
To remove an individual metric, click the x on the right side of the item. Click the delete icon (a trash can) to
remove the entire group.
Step 9
Click Add to complete the workflow and add the dashboard to the health monitor.
Step 10
You can Edit or Delete custom correlation dashboards.
Threat Defense Metrics
The following sections describe the health metrics available from threat defense devices.
CPU Group Metrics
The health monitor tracks statistics related to the CPU utilization, including the CPU usage by process and
by physical cores.
Table 23: CPU Group Metrics
Metric | Description | Format
Control Plane | The average CPU utilization for the control plane, for the last one minute. | percent
Data Plane | The average CPU utilization for the data plane, for the last one minute. | percent
Snort | The average CPU utilization for the Snort process, for the last one minute. | percent
System | The average CPU utilization for the system processes, for the last one minute. | percent
Physical cores | The average CPU utilization for all the cores, for the last one minute. | percent
Memory Group Metrics
The health monitor tracks statistics related to the device memory utilization, including data plane and Snort
memory usage.
Table 24: Memory Group Metrics
Metric | Description | Format
Buffer cache | The buffer cache. | bytes
Free | The total free memory. | bytes
Maximum Data Plane | The maximum memory used by the data plane. | bytes
Maximum Snort | The maximum memory used by the Snort process. | bytes
Maximum Swap for Snort | The maximum swap memory used by the Snort process. | bytes
Remaining Memory Block (1550) | The free memory in a 1550 byte block. | number
Remaining Memory Block (256) | The free memory in a 256 byte block. | number
System Used | The total memory used by the system. | bytes
Total | The total memory available. | bytes
Total Swap | The total memory available for swap. | bytes
Data Plane | The total memory used by the data plane. | bytes
Percent Used by Data Plane | The percent of memory used by the data plane. | percent
Percent Used by Snort | The percent of memory used by the Snort process. | percent
Percent Used for Swap | The percent of memory used for swap. | percent
Percent Used by System | The percent of memory used by the system. | percent
Percent Used by System and Swap | The percent of memory used by the system and swap combined. | percent
Snort | The total memory used by the Snort process. | bytes
Used Swap | The total memory used for swap. | bytes
Used Swap by Snort | The total swap memory used by the Snort process. | bytes
Interface Group Metrics
The health monitor tracks statistics related to the device interfaces, including the interface status and aggregate
traffic statistics.
Table 25: Interface Group Metrics
Metric | Description | Format
Drop Packets | The number of packets dropped. | number
Average Input Packet Size | The average size of incoming packets. | bytes
Input Rate | The total incoming bytes. | bytes
Input Packets | The total incoming packets. | number
Average Output Packet Size | The average size of outgoing packets. | bytes
Output Rate | The total outgoing bytes. | bytes
Output Packets | The total outgoing packets. | number
Status | The status of an interface; 1 for up and 0 for down. | 1 or 0
Connection Group Metrics
The health monitor tracks statistics related to the connections and NAT translation counts.
Table 26: Connection Group Metrics
Metric | Description | Format
Elephant Flows | Shows the number of active elephant flows. Elephant flows are connections that are large enough to affect overall system performance. By default, elephant flows are those larger than 1GB/10 seconds. You can adjust the byte and time thresholds for identifying elephant flows in the threat defense CLI using the system support elephant-flow-detection command. Note: A flow is considered an elephant flow only when both the byte and time thresholds are surpassed. | number
Connections in use | Shows the number of connections in use. | number
Peak Connections | Shows the maximum number of simultaneous connections. | number
Total Connections per second | The connections-per-second for all connection types. | number
TCP Connections per second | The connections-per-second for TCP connection types. | number
UDP Connections per second | The connections-per-second for UDP connection types. | number
Preserve Connections Enabled | Preserves existing TCP/UDP connections on routed and transparent interfaces in case the Snort process goes down. | number
Connections Preserved | Connections for which preserve-connection is currently enabled. | number
Preserve Connections Most Enabled | The most number of connections ever preserved. | number
Peak Connections Preserved | The most number of peak connections ever preserved. | number
NAT Translations | Displays the translation count. | number
Peak NAT Translations | Displays the historic maximum of concurrent translations at a time. | number
Snort Group Metrics
The health monitor tracks statistics related to the Snort process.
Table 27: Snort Group Metrics
Metric | Description | Format
Blocked list flows | The number of flows from policy configuration that were dropped by Snort. | number
Blocked packets | The number of blocked packets. | number
Denied flows | The number of denied flow events. The data plane sends denied flow events to Snort when it decides to drop a flow before sending it to Snort. | number
End of flows | The data plane sends end-of-flow events to Snort when a fast path flow ends. | number
Fast forwarded flows | The number of flows that were fast forwarded by policy, and thus not inspected. | number
Dropped frames forwarded from the data plane | The number of dropped frames forwarded from the data plane. | number
Injected packets dropped | The number of packets that Snort added to the traffic stream that were dropped. | number
Injected packets | The number of packets Snort created and added to the traffic stream. For example, if you configure a block with reset action, Snort generates packets to reset the connection. | number
Instances | The number of snort instances (processes). | number
Packet receiving queue utilization percentage | The queue utilization rate for the data plane receive queue. | percent
Packets bypassed due to Snort busy | The number of packets that bypassed inspection when Snort was too busy to handle the packets. | number
Packets bypassed due to Snort down | The number of packets that bypassed inspection when Snort was down. | number
Packets bypassed due to RX queue full | The number of packets bypassed due to a receive queue full. | number
Packets bypassed due to TX queue full | The number of packets bypassed due to a transmit queue full. | number
Passed packets | The number of packets sent to Snort from the data plane. | number
Start of flows | The number of start-of-flow events. These events help Snort keep track of the connections and report the connection events. | number
ASP Drop Metrics
The health monitor tracks statistics related to the accelerated security path (ASP) dropped packets or
connections.
Table 28: ASP Drop Metrics
Metric | Description | Format
Connection limit exceeded | Counts the number of flows closed when the connection limit has been exceeded. | number
Connection limit reached | Counts the number of dropped packets when the connection limit or host connection limit has been exceeded. | number
L2 rule drop | Counts the number of denied packets due to a Layer 2 ACL. | number
L2 rule VXLAN drop | Counts the number of denied packets due to a failure to locate a VXLAN out_tag when applying Layer 2 ACL checks. | number
NAT reverse path failed | Counts the number of rejected attempts to connect to a translated host using the translated host's real address. | number
NAT failed | Counts the number of failed attempts to create an xlate to translate an IP or transport header. | number
No valid v4 adjacency | Counts the number of dropped packets when the security appliance has tried to obtain an adjacency and could not obtain mac-address for next hop (IPv4). | number
No valid v6 adjacency | Counts the number of dropped packets when the security appliance has tried to obtain an adjacency and could not obtain mac-address for next hop (IPv6). | number
Packet blocklisted by Snort; Packet blocked by Snort | Counts the number of packets dropped as requested by the Snort module. | number
Frame drops – Snort busy; Frame drops – Snort down; Frame drops – Snort drop | Counts the number of frames dropped as the Snort module is busy and unable to handle the frame; the Snort module is down; the Snort module requests the drop. | number
Dispatch queue limit reached | Counts the number of times a device's load balance ASP dispatcher reaches its queue limit. When more packets are attempted, tail drop occurs and this counter is incremented. | number
Destination MAC L2 lookup failed | Counts the number of Layer 2 destination MAC address lookups which fail. Upon the lookup failure, the appliance will begin the destination MAC discovery process and attempt to find the location of the host via ARP and/or ICMP messages. | number
Inspection failure | Counts the number of times the appliance fails to enable protocol inspection carried out by the network processor for the connection. The cause could be memory allocation failure, or for ICMP error message, the appliance not being able to find any established connection related to the frame embedded in the ICMP error message. | number
NAT no xlate to pat pool | Counts no pre-existing xlate found for a connection with a destination matching a mapped address in a PAT pool. | number
No routes to host | Counts the number of times the security appliance tries to send a packet out of an interface and does not find a route for it in routing table. | number
Packet dropped as number of packet queued | Counts the number of packets dropped when the appliance receives a retransmitted data packet that is already in the out of order packet queue. | number
Number of segments queued to an inspection reached limit | For a flow, the number of packets queued to the inspector has reached the limit, thus terminating the flow. | number
Blocked or blocklisted by Snort | Counts the number of times a packet is dropped as requested by the Snort module. | number
Packet drop silently by Snort | Counts the number of times a packet is dropped silently as requested by the Snort module. | number
Un-synced first TCP packet | Counts the number of times a non SYN packet is received as the first packet of a non intercepted and non nailed connection. | number
Deployed Configuration Group Metrics
The health monitor tracks statistics related to the deployed configuration, such as the number of IPS rules and
the number of ACEs.
Table 29: Deployed Configuration Group Metrics
Metric | Description | Format
Number of ACEs | The number of access control entries (ACE), or rules. An access control list (ACL) is composed of one or more ACEs. | number
Number of rules | The number of rules in an intrusion policy. | number
Disk Group Metrics
The health monitor tracks statistics related to the device disk usage, including the disk size and disk utilization
per partition.
Table 30: Disk Group Metrics
Metric | Description | Format
Total | The total size of the device disk. | bytes
Used | The total space used on the device disk. | bytes
% Used by /ngfw | The percent of disk space used by the /ngfw partition. | percent
% Used by /ngfw/Volume | The percent of disk space used by the /ngfw/Volume partition. | percent
% Used by /dev/cgroups | The percent of disk space used by the /dev/cgroups partition. | percent
% Used by /mnt/disk0 | The percent of disk space used by the /mnt/disk0 partition. | percent
% Used by /var/volatile | The percent of disk space used by the /var/volatile partition. | percent
Critical Process Group Metrics
The health monitor tracks statistics related to process restarts for managed processes. In addition, for each
critical process the health monitor tracks CPU utilization, memory utilization, uptime, and status.
Table 31: Critical Process Group Metrics
Metric | Description | Format
CPU utilization | The average CPU utilization for the control plane and data plane combined, for the last one minute. | percent
Restart count | The average CPU utilization for the control plane, for the last one minute. | percent
Status | The average CPU utilization for the data plane, for the last one minute. | percent
Uptime | The average CPU utilization for the Snort process, for the last one minute. | percent
Memory used | The average CPU utilization for the system processes, for the last one minute. | percent
Health Monitor Status Categories
Available status categories are listed by severity in the table below.
Table 32: Health Status Indicator
Status Level | Status Icon | Status Color in Pie Chart | Description
Error | Error ( ) | Black | Indicates that at least one health monitoring module has failed on the appliance and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical | Critical ( ) | Red | Indicates that the critical limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Warning | Warning ( ) | Yellow | Indicates that warning limits have been exceeded for at least one health module on the appliance and the problem has not been corrected. This status also indicates a transitionary state, where the required data is temporarily unavailable or could not be processed because of changes in the device configuration. Depending on the monitoring cycle, this transitionary state is auto-corrected.
Normal | Normal ( ) | Green | Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance.
Recovered | Recovered ( ) | Green | Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance, including modules that were in a Critical or Warning state.
Disabled | Disabled ( ) | Blue | Indicates that an appliance is disabled or excluded, that the appliance does not have a health policy applied to it, or that the appliance is currently unreachable.
Health Event Views
The Health Event View page allows you to view the health events logged by the health monitor on the Secure
Firewall Management Center. The fully customizable event views allow you to quickly and easily analyze the
health status events gathered by the health monitor. You can search event data to easily access other
information that may be related to the events you are investigating. If you understand what conditions each
health module tests for, you can more effectively configure alerting for health events.
You can perform many of the standard event view functions on the health event view pages.
Viewing Health Events
You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.
The Table View of Health Events page provides a list of all health events on the specified appliance.
When you access health events from the Health Monitor page on your Secure Firewall Management Center,
you retrieve all health events for all managed appliances.
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Tip
You can bookmark this view to allow you to return to the page in the health events workflow containing the
Health Events table of events. The bookmarked view retrieves events within the time range you are currently
viewing, but you can then modify the time range to update the table with more recent information if needed.
Procedure
Choose System ( ) > Health > Events.
Tip
If you are using a custom workflow that does not include the table view of health events, click
(switch workflow). On the Select Workflow page, click Health Events.
Note
If no events appear, you may need to adjust the time range.
Viewing Health Events by Module and Appliance
Procedure
Step 1
View the health monitor for the appliance; see Viewing the Device Health Monitor, on page 354.
Step 2
In the Module Status Summary graph, click the color for the event status category you want to view.
The Alert Detail list toggles the display to show or hide events.
Step 3
In the Alert Detail row for the alert for which you want to view a list of events, click Events.
The Health Events page appears, containing results for a query with the name of the appliance and the name
of the specified health alert module as constraints. If no events appear, you may need to adjust the time range.
Step 4
If you want to view all health events for the specified appliance, expand Search Constraints, and click the
Module Name constraint to remove it.
Viewing the Health Events Table
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Procedure
Step 1
Choose System ( ) > Health > Events.
Step 2
You have the following choices:
• Bookmark — To bookmark the current page so that you can quickly return to it, click Bookmark This
Page, provide a name for the bookmark, and click Save.
• Change Workflow — To choose another health events workflow, click (switch workflow).
• Delete Events — To delete health events, check the check box next to the events you want to delete, and
click Delete. To delete all the events in the current constrained view, click Delete All, then confirm you
want to delete all the events.
• Generate Reports — Generate a report based on data in the table view — click Report Designer.
• Modify — Modify the time and date range for events listed in the Health table view. Note that events
that were generated outside the appliance's configured time window (whether global or event-specific)
may appear in an event view if you constrain the event view by time. This may occur even if you
configured a sliding time window for the appliance.
• Navigate — Navigate through event view pages.
• Navigate Bookmark — To navigate to the bookmark management page, click View Bookmarks from
any event view.
• Navigate Other — Navigate to other event tables to view associated events.
• Sort — Sort the events that appear, change what columns display in the table of events, or constrain the
events that appear
• View All — To view event details for all events in the view, click View All.
• View Details — To view the details associated with a single health event, click the down arrow link on
the left side of the event.
• View Multiple — To view event details for multiple health events, choose the check box next to the rows
that correspond with the events you want to view details for and then click View.
• View Status — To view all events of a particular status, click status in the Status column for an event
with that status.
The Health Events Table
The Health Monitor modules you choose to enable in your health policy run various tests to determine appliance
health status. When the health status meets criteria that you specify, a health event is generated.
The table below describes the fields that can be viewed and searched in the health events table.
Table 33: Health Event Fields
Field | Description
Module Name | Specify the name of the module which generated the health events you want to view. For example, to view events that measure CPU performance, type CPU. The search should retrieve applicable CPU Usage and CPU temperature events.
Test Name | The name of the health module that generated the event. (Search only)
Time | The timestamp for the health event. (Search only)
Description | The description of the health module that generated the event. For example, health events generated when a process was unable to execute are labeled Unable to Execute.
Value | The value (number of units) of the result obtained by the health test that generated the event. For example, if the Secure Firewall Management Center generates a health event whenever a device it is monitoring is using 80 percent or more of its CPU resources, the value could be a number from 80 to 100.
Units | The units descriptor for the result. You can use the asterisk (*) to create wildcard searches. For example, if the Secure Firewall Management Center generates a health event when a device it is monitoring is using 80 percent or more of its CPU resources, the units descriptor is a percentage sign (%).
Status | The status (Critical, Yellow, Green, or Disabled) reported for the appliance.
Domain | For health events reported by managed devices, the domain of the device that reported the health event. For health events reported by the Secure Firewall Management Center, Global. This field is only present in a multidomain deployment.
Device | The appliance where the health event was reported.
History for Health Monitoring
Feature: Health Monitor UI Modifications
Version: 7.1
Details: The following UI pages were improved for better usability and presentation of data:
• Policy
• Exclude
• Monitor Alerts
New/modified screens: Settings > Health > Policy, Settings > Health > Exclude, and
Settings > Health > Monitor Alerts.

Feature: Elephant Flow Detection
Version: 7.1
Details: The health monitor includes the following enhancements:
• The Connection statistics include active elephant flows.
• The Connection Group Metrics include the number of active elephant flows.
The Elephant Flow Detection feature is not supported on the Cisco Firepower 2100 series.

Feature: New health modules
Version: 7.0.0
Details: We added the following health modules:
• AMP Connection Status: Monitors AMP cloud connectivity from the threat defense.
• AMP Threat Grid Status: Monitors AMP Threat Grid cloud connectivity from the threat defense.
• ASP Drop: Monitors the connections dropped by the data plane accelerated security path.
• Advanced Snort Statistics: Monitors Snort statistics related to packet performance, flow counters, and flow events.
• Chassis Status FTD: Monitors chassis environmental metrics on the Firepower 2100 and 1000 platforms.
• Event Stream Status: Monitors connections to third-party client applications that use the Event Streamer.
• FMC Access Configuration Changes: Monitors access configuration changes made directly on the management center.
• FMC HA Status: Monitors the active and standby management center and the sync status between the devices. Replaces the HA Status module.
• FTD HA Status: Monitors the active and standby threat defense HA pair and the sync status between the devices.
• File System Integrity Check: Performs a file system integrity check if the system has CC mode or UCAPL mode enabled.
• Flow Offload: Monitors hardware flow offload statistics on the Firepower 9300 and 4100 platforms.
• Hit Count: Monitors the number of times a particular rule is hit on the access control policy.
• MySQL Status: Monitors the status of the MySQL database.
• NTP Status FTD: Monitors the NTP clock synchronisation status of the managed device.
• RabbitMQ Status: Monitors the status of the RabbitMQ messaging broker.
• Routing Statistics: Monitors both IPv4 and IPv6 route information from the threat defense.
• SSE Connection Status: Monitors SSE cloud connectivity from the threat defense.
• Sybase Status: Monitors the status of the Sybase database.
• Unresolved Groups Monitor: Monitors the unresolved groups used in access control policies.
• VPN Statistics: Monitors site-to-site and remote access VPN tunnel statistics.
• xTLS Counters: Monitors xTLS/SSL flows, memory and cache effectiveness.

Feature: Health monitor enhancements
Version: 7.0.0
Details: The health monitor adds the following enhancements:
• Enhanced management center dashboard with summary views of:
  • High Availability
  • Event Rate & Capacity
  • Process Health
  • CPU thresholds
  • Memory
  • Interface rates
  • Disk Usage
• Enhanced threat defense dashboard:
  • Health alert for split brain scenario
  • Additional health metrics available from new Health Modules

Feature: New health modules
Version: 6.7.0
Details: The CPU Usage module is no longer used. Instead, see the following modules for CPU usage:
• CPU Usage (per core): Monitors the CPU usage on all of the cores.
• CPU Usage Data Plane: Monitors the average CPU usage of all data plane processes on the device.
• CPU Usage Snort: Monitors the average CPU usage of the Snort processes on the device.
• CPU Usage System: Monitors the average CPU usage of all system processes on the device.
The following modules were added to track statistics:
• Connection Statistics: Monitors the connection statistics and NAT translation counts.
• Critical Process Statistics: Monitors the state of critical processes, their resource consumption, and the restart counts.
• Deployed Configuration Statistics: Monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules.
• Snort Statistics: Monitors the Snort statistics for events, flows, and packets.
The following modules were added to track memory usage:
• Memory Usage Data Plane: Monitors the percentage of allocated memory used by the Data Plane processes.
• Memory Usage Snort: Monitors the percentage of allocated memory used by the Snort process.

Feature: Health monitor enhancements
Version: 6.7.0
Details: The health monitor adds the following enhancements:
• Health Status summary page that provides an at-a-glance view of the health of the Firepower Management Center and all of the devices that the management center manages.
• The Monitoring navigation pane allows you to navigate the device hierarchy.
• Managed devices are listed individually, or grouped according to their geolocation, high availability, or cluster status where applicable.
• You can view health monitors for individual devices from the navigation pane.
• Custom dashboards to correlate interrelated metrics. Select from predefined correlation groups, such as CPU and Snort; or create a custom correlation dashboard by building your own variable set from the available metric groups.

Feature: Functionality moved to the Threat Data Updates on Devices module
Version: 6.7.0
Details: The Local Malware Analysis module is no longer used. Instead, see the Threat Data Updates on Devices module for this information.

Feature: New health module: Configuration Memory Allocation
Version: 7.0.0
Details: Version 6.6.3 improves device memory management and introduces a new health module: Configuration Memory Allocation. This module alerts when the size of your deployed configurations puts a device at risk of running out of memory. The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies.

Feature: URL Filtering Monitor improvements
Version: 6.5.0
Details: The URL Filtering Monitor module now alerts if the management center fails to register to the Cisco cloud.

Feature: URL Filtering Monitor improvements
Version: 6.4.0
Details: You can now configure time thresholds for URL Filtering Monitor alerts.

Feature: Functionality moved to the Threat Data Updates on Devices module
Version: 6.6.3
Details: Some information formerly provided by the Security Intelligence module and the URL Filtering Module is now provided by the Threat Data Updates on Devices module.

Feature: New health module: Threat Data Updates on Devices
Version: 6.3.0
Details: A new module, Threat Data Updates on Devices, was added. This module alerts you if certain intelligence data and configurations that devices use to detect threats have not been updated on the devices within the time period you specify.
CHAPTER
12
Audit and Syslog
The following topics describe how to audit activity on your system:
• The System Log, on page 373
• About System Auditing, on page 375
The System Log
The System Log (syslog) page provides you with system log information for the appliance.
You can audit activity on your system in two ways. The appliances that are part of the system generate an
audit record for each user interaction with the web interface, and also record system status messages in the
system log.
The system log displays each message generated by the system. The following items are listed in order:
• the date that the message was generated
• the time that the message was generated
• the host that generated the message
• the message itself
Viewing the System Log
System log information is local. For example, you cannot use the Secure Firewall Management Center to
view system status messages in the system logs on your managed devices.
You can filter messages using most syntax accepted by the UNIX file search utility Grep. This includes using
Grep-compatible regular expressions for pattern matching.
Before you begin
You must be an Admin or Maintenance user and be in the Global domain to view system statistics.
Procedure
Step 1
Choose System ( ) > Monitoring > Syslog.
Step 2
To search for specific message content in the system log:
a) Enter a word or query in the filter field as described in Syntax for System Log Filters, on page 374.
Only Grep-compatible search syntax is supported.
Examples:
To search for all log entries that contain the user name “Admin,” use Admin.
To search for all log entries that are generated on November 27, use Nov[[:space:]]*27 or Nov.*27
(but not Nov 27 or Nov*27 ).
To search for all log entries that contain authorization debugging information on November 5, use
Nov[[:space:]]*5.*AUTH.*DEBUG.
b) To make your search case-sensitive, select Case-sensitive. (By default, filters are not case-sensitive.)
c) To search for all system log messages that do not meet the criteria you entered, select Exclusion.
d) Click Go.
Syntax for System Log Filters
The following table shows the regular expression syntax you can use in System Log filters:
Table 34: System Log Filter Syntax
Syntax Component: .
Description: Matches any character or white space
Example: Admi. matches Admin, AdmiN, Admi1, and Admi&
Syntax Component: [[:alpha:]]
Description: Matches any alphabetic character
Example: [[:alpha:]]dmin matches Admin, bdmin, and Cdmin
Syntax Component: [[:upper:]]
Description: Matches any uppercase alphabetic character
Example: [[:upper:]]dmin matches Admin, Bdmin, and Cdmin
Syntax Component: [[:lower:]]
Description: Matches any lowercase alphabetic character
Example: [[:lower:]]dmin matches admin, bdmin, and cdmin
Syntax Component: [[:digit:]]
Description: Matches any numeric character
Example: [[:digit:]]dmin matches 0dmin, 1dmin, and 2dmin
Syntax Component: [[:alnum:]]
Description: Matches any alphanumeric character
Example: [[:alnum:]]dmin matches 1dmin, admin, 2dmin, and bdmin
Syntax Component: [[:space:]]
Description: Matches any white space, including tabs
Example: Feb[[:space:]]29 matches logs from February 29th
Syntax Component: *
Description: Matches zero or more instances of the character or expression it follows
Example: ab* matches a, ab, abb, ca, cab, and cabb; [ab]* matches anything
Syntax Component: ?
Description: Matches zero or one instances
Example: ab? matches a or ab
Syntax Component: \
Description: Allows you to search for a character typically interpreted as regular expression syntax
Example: alert\? matches alert?
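Because the filter field accepts grep syntax, the patterns from the procedure above and from Table 34 can be tried against a handful of lines on any workstation before they are typed into the page. The script below is an added example and is not part of this guide: it runs grep over a few constructed syslog lines and emulates the Case-sensitive and Exclusion check boxes with grep's -i and -v options. The sample lines, the function names and that mapping of check boxes to grep options are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): exercising System Log filter
# patterns with grep on constructed sample lines.

# Constructed sample system log: date, time, host, message. The day of the
# month is padded to two characters as in traditional syslog timestamps,
# which is why "Nov  5" carries two spaces while "Nov 27" carries one.
SAMPLE_LOG='Nov 27 09:12:01 fmc-lab sshd[1201]: Accepted publickey for admin from 10.1.1.7
Nov 27 09:12:05 fmc-lab httpsd: user Admin logged in via web interface
Nov  5 22:40:13 fmc-lab AUTH DEBUG: authorization check for role Maintenance
Nov  5 22:41:00 fmc-lab crond[77]: (root) CMD (run-parts /etc/cron.hourly)
Dec  1 00:00:02 fmc-lab pm: restarting process reportd'

# filter_syslog PATTERN [case|nocase] [include|exclude]
#   PATTERN  grep-compatible regular expression, as typed into the filter field
#   case     honour letter case (the Case-sensitive check box); nocase is the
#            default, matching the page's default of case-insensitive filters
#   exclude  keep the lines that do NOT match (the Exclusion check box)
# Prints the selected lines.
filter_syslog() {
    pattern=$1
    casemode=${2:-nocase}
    mode=${3:-include}
    set --                                   # build the grep option list
    [ "$casemode" = "nocase" ] && set -- "$@" -i
    [ "$mode" = "exclude" ] && set -- "$@" -v
    printf '%s\n' "$SAMPLE_LOG" | grep "$@" -e "$pattern"
}

# count_matches PATTERN [case|nocase] [include|exclude]
# Prints how many sample lines the filter selects (0 when none match).
count_matches() {
    filter_syslog "$@" | wc -l | tr -d ' '
}

# Walk through the guide's own examples against the sample lines.
printf 'Admin (default):        %s lines\n' "$(count_matches Admin)"
printf 'Admin (case-sensitive): %s lines\n' "$(count_matches Admin case)"
printf 'Nov[[:space:]]*27:      %s lines\n' "$(count_matches 'Nov[[:space:]]*27')"
printf 'Nov*27:                 %s lines\n' "$(count_matches 'Nov*27')"
printf 'Nov 5 (literal space):  %s lines\n' "$(count_matches 'Nov 5')"
printf 'Nov[[:space:]]*5.*AUTH.*DEBUG: %s lines\n' \
    "$(count_matches 'Nov[[:space:]]*5.*AUTH.*DEBUG')"
printf 'Exclusion of Nov:       %s lines\n' "$(count_matches Nov nocase exclude)"
```

On these lines a literal Nov 5 finds nothing because the padded day carries two spaces, while Nov[[:space:]]*5 finds the AUTH DEBUG entry; Nov*27 also finds nothing, since the star applies only to the v in front of it. Turning on case sensitivity drops the count for Admin from two lines to one.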
About System Auditing
The appliances that are part of the system generate an audit record for each user interaction with the web
interface.
Related Topics
Standard Reports, on page 491
Audit Records
Secure Firewall Management Centers log read-only auditing information for user activity. Audit logs are
presented in a standard event view that allows you to view, sort, and filter audit log messages based on any
item in the audit view. You can easily delete and report on audit information and can view detailed reports of
the changes that users make.
The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000,
the appliance prunes the oldest records from the database to reduce the number to 100,000.
Related Topics
SSO Guidelines for the Management Center, on page 130
Viewing Audit Records
On a Secure Firewall Management Center, you can view a table of audit records. The predefined audit workflow
includes a single table view of events. You can manipulate the table view depending on the information you
are looking for. You can also create a custom workflow that displays only the information that matches your
specific needs.
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Before you begin
You must be an Admin user to perform this procedure.
Procedure
Step 1
Access the audit log workflow using System ( ) > Monitoring > Audit.
Step 2
If no events appear, you may need to adjust the time range. For more information, see Event Time Constraints,
on page 635.
Note
Events that were generated outside the appliance's configured time window (whether global or
event-specific) may appear in an event view if you constrain the event view by time. This may occur
even if you configured a sliding time window for the appliance.
Step 3
You have the following choices:
• To learn more about the contents of the columns in the table, see The System Log, on page 373.
• To sort and constrain events on the current workflow page, see Using Table View Pages, on page 626.
• To navigate between pages in the current workflow, keeping the current constraints, click the appropriate
page link at the top left of the workflow page. For more information, see Using Workflows, on page 618.
• To drill down to the next page in the workflow, see Using Drill-Down Pages, on page 626.
• To constrain on a specific value, click a value within a row. If you click a value on a drill-down page,
you move to the next page and constrain on the value. Note that clicking a value within a row in a table
view constrains the table view and does not drill down to the next page. See Event View Constraints,
on page 641 for more information.
Tip
Table views always include “Table View” in the page name.
• To delete audit records, check the check boxes next to events you want to delete, then click Delete, or
click Delete All to delete all events in the current constrained view.
• To bookmark the current page so you can quickly return to it, click Bookmark This Page. For more
information, see Bookmarks, on page 648.
• To navigate to the bookmark management page, click View Bookmarks. For more information, see
Bookmarks, on page 648.
• To generate a report based on the data in the current view, click Report Designer. For more information,
see Creating a Report Template from an Event View, on page 495.
• To view a summary of a change recorded in the audit log, click Compare next to applicable events in
the Message column. For more information, see Using the Audit Log to Examine Changes, on page 378.
Related Topics
Event View Constraints, on page 641
Audit Log Workflow Fields
The following table describes the audit log fields that can be viewed and searched.
Table 35: Audit Log Fields
Field: Description
Time: Time and date that the appliance generated the audit record.
User: User name of the user that triggered the audit event.
Subsystem: The full menu path the user followed to generate the audit record. For example, System ( ) > Monitoring > Audit is the menu path to view the audit log. In a few cases where a menu path is not relevant, the Subsystem field displays only the event type. For example, Login classifies user login attempts.
Message: The action the user performed or the button the user clicked on the page. For example, Page View signifies that the user simply viewed the page indicated in the Subsystem, while Save means that the user clicked the Save button on the page. Changes made to the system appear with a Compare icon that you can click to see a summary of the changes.
Source IP: IP address associated with the host used by the user. Note: When searching this field you must type a specific IP address; you cannot use IP ranges when searching audit logs.
Domain: The current domain of the user when the audit event was triggered. This field is only present if you have ever configured the Secure Firewall Management Center for multitenancy.
Configuration Change (search only): Specifies whether to view audit records of configuration changes in the search results. (yes or no)
Count: The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. This field is not searchable.
Related Topics
Event Searches, on page 653
The Audit Events Table View
You can change the layout of the event view or constrain the events in the view by a field value. To hide
a column, click the Close ( ) in the heading of the column that you want to hide, then click Apply in the
pop-up window that appears. When you disable a column, it is disabled for the duration of your session (unless
you add it back later). Note that when you disable the first column, the Count column is added.
To hide or show other columns, or to add a disabled column back to the view, select or clear the appropriate
check boxes before you click Apply.
Clicking a value within a row in a table view constrains the table view and does not drill down to the next
page in the workflow.
Tip
Table views always include “Table View” in the page name.
Related Topics
Using Workflows, on page 618
Using the Audit Log to Examine Changes
You can use the audit log to view detailed reports of some of the changes to your system. These reports
compare the current configuration of your system to its most recent configuration before a supported change
was made.
The Compare Configurations page displays the differences between the system configuration before changes
and the running configuration in a side-by-side format. The audit event type, time of last modification, and
name of the user who made the change are displayed in the title bar above each configuration.
Differences between the two configurations are highlighted:
• Blue indicates that the highlighted setting is different in the two configurations, and the difference is
noted in red text.
• Green indicates that the highlighted setting appears in one configuration but not the other.
In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.
Before you begin
You must be an Admin user to perform this procedure.
Procedure
Step 1
Choose System ( ) > Monitoring > Audit.
Step 2
Click Compare next to an applicable audit log event in the Message column.
Tip
You can navigate through changes individually by clicking Previous or Next above the title bar. If
the change summary is more than one page long, you can also use the scroll bar on the right to view
additional changes.
Suppressing Audit Records
If your auditing policy does not require that you audit specific types of user interactions with the system, you
can prevent those interactions from generating audit records. For example, by default, each time a user views
the online help, the system generates an audit record. If you do not need to keep a record of these interactions,
you can automatically suppress them.
To configure audit event suppression, you must have access to an appliance’s admin user account, and you
must be able to either access the appliance’s console or open a secure shell.
Caution
Make sure that only authorized personnel have access to the appliance and to its admin account.
Before you begin
You must be an Admin user to perform this procedure.
Procedure
In the /etc/sf directory, create one or more AuditBlock files in the following form, where type is one of the
types described in Audit Block Types, on page 379:
AuditBlock.type
Note
If you create an AuditBlock.type file for a specific type of audit message, but later decide that
you no longer want to suppress them, you must delete the contents of the AuditBlock.type file but
leave the file itself on the system.
Audit Block Types
The contents for each audit block type must be in a specific format, as described in the following table. Make
sure you use the correct capitalization for the file names. Note also that the contents of the files are case
sensitive.
Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of
Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be
suppressed.
Table 36: Audit Block Types
Type: Description
Address: Create a file named AuditBlock.address and include, one per line, each IP address that you want to suppress from the audit log. You can use partial IP addresses provided that they map from the beginning of the address. For example, the partial address 10.1.1 matches addresses from 10.1.1.0 through 10.1.1.255.
Message: Create a file named AuditBlock.message and include, one per line, the message substrings that you want to suppress. Note that substrings are matched so that if you include backup in your file, all messages that include the word backup are suppressed.
Subsystem: Create a file named AuditBlock.subsystem and include, one per line, each subsystem that you want to suppress. Note that substrings are not matched. You must use exact strings. See Audited Subsystems, on page 380 for a list of subsystems that are audited.
User: Create a file named AuditBlock.user and include, one per line, each user account that you want to suppress. You can use partial string matching provided that they map from the beginning of the username. For example, the partial username IPSAnalyst matches the user names IPSAnalyst1 and IPSAnalyst2.
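An over-broad AuditBlock entry silently removes evidence from the audit trail, so it is worth checking what a candidate set of files would suppress before creating them in /etc/sf. The script below is an added example and is not part of this guide or of the product: it writes constructed AuditBlock files into a temporary directory and applies the four matching rules from Table 36 (exact match for subsystems, substring match for messages, prefix match for user names and addresses) to constructed audit records. The record layout, the function names and the treatment of a partial address as a plain string prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): a dry-run checker that reports
# whether a given audit record would be suppressed by a set of AuditBlock
# files, using the matching rules described in Table 36.

# Work in a throwaway directory instead of /etc/sf, removed on exit.
BLOCKDIR=$(mktemp -d)
trap 'rm -rf "$BLOCKDIR"' EXIT

# Constructed AuditBlock files: one entry per line, contents case-sensitive.
printf '%s\n' '10.1.1'                            > "$BLOCKDIR/AuditBlock.address"
printf '%s\n' 'backup'                            > "$BLOCKDIR/AuditBlock.message"
printf '%s\n' 'Help' 'Preferences' 'Audit Log'    > "$BLOCKDIR/AuditBlock.subsystem"
printf '%s\n' 'IPSAnalyst'                        > "$BLOCKDIR/AuditBlock.user"

# _list_matches VALUE FILE MODE   (MODE is prefix, substring or exact)
# Returns 0 when some non-empty line of FILE matches VALUE under MODE.
# A missing file, or a file whose contents were deleted, suppresses nothing.
_list_matches() {
    value=$1 file=$2 mode=$3
    [ -f "$file" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -n "$entry" ] || continue
        case $mode in
            prefix)    case $value in "$entry"*)  return 0 ;; esac ;;
            substring) case $value in *"$entry"*) return 0 ;; esac ;;
            exact)     [ "$value" = "$entry" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# is_suppressed SUBSYSTEM MESSAGE USER SOURCE_IP
# Returns 0 if any AuditBlock file would suppress the record, 1 otherwise.
# Assumption: the address entry is a plain string prefix of the source IP.
is_suppressed() {
    _list_matches "$1" "$BLOCKDIR/AuditBlock.subsystem" exact     && return 0
    _list_matches "$2" "$BLOCKDIR/AuditBlock.message"   substring && return 0
    _list_matches "$3" "$BLOCKDIR/AuditBlock.user"      prefix    && return 0
    _list_matches "$4" "$BLOCKDIR/AuditBlock.address"   prefix    && return 0
    return 1
}

# verdict SUBSYSTEM MESSAGE USER SOURCE_IP  -> prints "suppressed" or "recorded"
verdict() {
    if is_suppressed "$@"; then echo suppressed; else echo recorded; fi
}

# Constructed audit records run through the checker.
printf '%-12s %s\n' "$(verdict Help   'Page View'         admin        192.0.2.10)" 'Help / Page View / admin / 192.0.2.10'
printf '%-12s %s\n' "$(verdict Admin  'Backup Management' admin        192.0.2.10)" 'Admin / Backup Management (capital B is not matched)'
printf '%-12s %s\n' "$(verdict Admin  'Start backup job'  admin        192.0.2.10)" 'Admin / Start backup job'
printf '%-12s %s\n' "$(verdict Events 'Page View'         IPSAnalyst2  192.0.2.10)" 'Events / Page View / IPSAnalyst2'
printf '%-12s %s\n' "$(verdict Events 'Page View'         analyst      10.1.1.37)"  'Events / Page View / analyst / 10.1.1.37'
printf '%-12s %s\n' "$(verdict Events 'Page View'         analyst      192.0.2.10)" 'Events / Page View / analyst / 192.0.2.10'
printf '%-12s %s\n' "$(verdict Audit  'Page View'         admin        192.0.2.10)" 'Audit / Page View (subsystem needs the exact string)'
```

Two of the records show the rules that most often surprise people: Backup Management is still recorded because file contents are case-sensitive, and a record from the Audit subsystem is still recorded because only the exact string Audit Log is in the subsystem file. Since the checker treats a partial address as a plain string prefix, which is an assumption, it is also worth feeding it a record from a neighbouring range such as 10.1.10.x to confirm that a partial address is no wider than intended before relying on it.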
Audited Subsystems
The following table lists audited subsystems.
Table 37: Subsystem Names
Name: Includes user interactions with...
Admin: Administrative features such as system and access configuration, time synchronization, backup and restore, device management, user account management, and scheduling
Alerting: Alerting functions such as email, SNMP, and syslog alerting
Audit Log: Audit event views
Audit Log Search: Audit event searches
Command Line: Command line interface
Configuration: Email alerting
contextual cross-launch: External resources added to the system or accessed from dashboards and event views
COOP: Continuity of operations feature
Date: Date and time range for event views
Default Subsystem: Options that do not have assigned subsystems
Detection & Prevention Policy: Menu options for intrusion policies
Error: System-level errors
eStreamer: eStreamer configuration
EULA: Reviewing the end user license agreement
Events: Intrusion and discovery event views
Events Reviewed: Reviewed intrusion events
Events Search: Any event search
Failed to install rule update rule_update_id: Installing rule updates
Header: Initial presentation of the user interface after a user logs in
Health: Health monitoring
Health Events: Health monitoring event views
Help: Online help
High Availability: Establishing and managing Secure Firewall Management Centers in high availability pairs
IDS Impact Flag: Impact flag configuration for intrusion events
IDS Policy: Intrusion policies
IDSRule sid:sig_id rev:rev_num: Intrusion rules by SID
Install: Installing updates
Intrusion Events: Intrusion events
Login: Web interface login and logout functions
Logout: Web interface logout functions
Menu: Any menu option
Configuration export > config_type > config_name: Importing configurations of a specific type and name
Permission Escalation: User role escalation
Preferences: User preferences, such as the time zone for a user account and individual event preferences
Policy: Any policy, including intrusion policies
Register: Registering devices on a management center
RemoteStorageDevice: Configuring remote storage devices
Reports: Report listing and report designer features
Rules: Intrusion rules, including the intrusion rules editor and the rule importation process
Rule Update Import Log: Viewing the rule update import log
Rule Update Install: Installing rule updates
Session Expiration: Web interface session timeouts
Status: Syslog, as well as host and performance statistics
System: Various system-wide settings
Task Queue: Viewing background process status
Users: Creating and modifying user accounts and roles
About Sending Audit Logs to an External Location
To send audit logs to an external location from the management center, see:
• Audit Logs, on page 72
• Audit Log Certificate, on page 75
CHAPTER 13
Statistics
The following topics describe how to monitor the system:
• About System Statistics, on page 383
• The Host Statistics Section, on page 383
• The Disk Usage Section, on page 384
• The Processes Section, on page 384
• The SFDataCorrelator Process Statistics Section, on page 391
• The Intrusion Event Information Section, on page 392
• Viewing System Statistics, on page 392
About System Statistics
The Statistics page lists the current status of general appliance statistics, including disk usage and system
processes, Data Correlator statistics, and intrusion event information.
The Host Statistics Section
The following table describes the host statistics listed on the Statistics page.
Table 38: Host Statistics
Category: Description
Time: The current time on the system.
Uptime: The number of days (if applicable), hours, and minutes since the system was last started.
Memory Usage: The percentage of system memory that is being used.
Load Average: The average number of processes in the CPU queue for the past 1 minute, 5 minutes, and 15 minutes.
Disk Usage: The percentage of the disk that is being used. Click the arrow to view more detailed host statistics.
Processes: A summary of the processes running on the system.
The Disk Usage Section
The Disk Usage section of the Statistics page provides a quick synopsis of disk usage, both by category and
by partition status. If you have a malware storage pack installed on a device, you can also check its partition
status. You can monitor this page from time to time to ensure that enough disk space is available for system
processes and the database.
Tip
You can also use the Disk Usage health monitor to monitor disk usage and alert on low disk space conditions.
The Processes Section
The Processes section of the Statistics page allows you to see the processes that are currently running on an
appliance. It provides general process information and specific information for each running process. You
can use the Secure Firewall Management Center’s web interface to view the process status for any managed
device.
Note that there are two different types of processes that run on an appliance: daemons and executable files.
Daemons always run, and executable files are run when required.
Process Status Fields
When you expand the Processes section of the Statistics page, you can also view the following:
Cpu(s)
Lists the following CPU usage information:
• user process usage percentage
• system process usage percentage
• nice usage percentage (CPU usage of processes that have a negative nice value, indicating a higher
priority). Nice values indicate the scheduled priority for system processes and can range between -20
(highest priority) and 19 (lowest priority).
• idle usage percentage
Mem
Lists the following memory usage information:
• total number of kilobytes in memory
• total number of used kilobytes in memory
• total number of free kilobytes in memory
• total number of buffered kilobytes in memory
Swap
Lists the following swap usage information:
• total number of kilobytes in swap
• total number of used kilobytes in swap
• total number of free kilobytes in swap
• total number of cached kilobytes in swap
The following table describes each column that appears in the Processes section.
Table 39: Process List Columns
Column: Description
Pid: The process ID number
Username: The name of the user or group running the process
Pri: The process priority
Nice: The nice value, which is a value that indicates the scheduling priority of a process. Values range between -20 (highest priority) and 19 (lowest priority)
Size: The memory size used by the process (in kilobytes unless the value is followed by m, which indicates megabytes)
Res: The amount of resident paging files in memory (in kilobytes unless the value is followed by m, which indicates megabytes)
State: The process state:
• D: process is in uninterruptible sleep (usually Input/Output)
• N: process has a positive nice value
• R: process is runnable (on queue to run)
• S: process is in sleep mode
• T: process is being traced or stopped
• W: process is paging
• X: process is dead
• Z: process is defunct
• <: process has a negative nice value
Time: The amount of time (in hours:minutes:seconds) that the process has been running
Cpu: The percentage of CPU that the process is using
Command: The executable name of the process
Related Topics
System Daemons, on page 386
Executables and System Utilities, on page 388
System Daemons
Daemons continually run on an appliance. They ensure that services are available and spawn processes when
required. The following table lists daemons that you may see on the Process Status page and provides a brief
description of their functionality.
Note
The table below is not an exhaustive list of all processes that may run on an appliance.
Table 40: System Daemons
Daemon: Description
crond: Manages the execution of scheduled commands (cron jobs)
dhclient: Manages dynamic host IP addressing
fpcollect: Manages the collection of client and server fingerprints
httpd: Manages the HTTP (Apache web server) process
httpsd: Manages the HTTPS (Apache web server with SSL) service, and checks for working SSL and valid certificate authentication; runs in the background to provide secure web access to the appliance
keventd: Manages Linux kernel event notification messages
klogd: Manages the interception and logging of Linux kernel messages
kswapd: Manages Linux kernel swap memory
kupdated: Manages the Linux kernel update process, which performs disk synchronization
mysqld: Manages database processes
ntpd: Manages the Network Time Protocol (NTP) process
pm: Manages all system processes, starts required processes, restarts any process that fails unexpectedly
reportd: Manages reports
safe_mysqld: Manages safe mode operation of the database; restarts the database daemon if an error occurs and logs runtime information to a file
SFDataCorrelator: Manages data transmission
sfestreamer (management center only): Manages connections to third-party client applications that use the Event Streamer
sfmgr: Provides the RPC service for remotely managing and configuring an appliance using an sftunnel connection to the appliance
SFRemediateD (management center only): Manages remediation responses
sftimeserviced (management center only): Forwards time synchronization messages to managed devices
sfmbservice: Provides access to the sfmb message broker process running on a remote appliance, using an sftunnel connection to the appliance. Currently used only by health monitoring to send health events and alerts from a managed device to a Secure Firewall Management Center.
sftroughd: Listens for connections on incoming sockets and then invokes the correct executable (typically the Cisco message broker, sfmb) to handle the request
sftunnel: Provides the secure communication channel for all processes requiring communication with a remote appliance
sshd: Manages the Secure Shell (SSH) process; runs in the background to provide SSH access to the appliance
syslogd: Manages the system logging (syslog) process
Executables and System Utilities
There are a number of executables on the system that run when executed by other processes or through user
action. The following table describes the executables that you may see on the Process Status page.
Table 41: System Executables and Utilities
Executable: Description
awk: Utility that executes programs written in the awk programming language
bash: GNU Bourne-Again Shell
cat: Utility that reads files and writes content to standard output
chown: Utility that changes user and group file permissions
chsh: Utility that changes the default login shell
SFDataCorrelator (management center only): Analyzes binary files created by the system to generate events, connection data, and network maps
cp: Utility that copies files
df: Utility that lists the amount of free space on the appliance
echo: Utility that writes content to standard output
egrep: Utility that searches files and folders for specified input; supports extended set of regular expressions not supported in standard grep
find: Utility that recursively searches directories for specified input
grep: Utility that searches files and directories for specified input
halt: Utility that stops the server
httpsdctl: Handles secure Apache Web processes
hwclock: Utility that allows access to the hardware clock
ifconfig: Indicates the network configuration executable. Ensures that the MAC address stays constant
iptables: Handles access restriction based on changes made to the Access Configuration page.
iptables-restore: Handles iptables file restoration
iptables-save: Handles saved changes to the iptables
kill: Utility that can be used to end a session and process
killall: Utility that can be used to end all sessions and processes
ksh: Public domain version of the Korn shell
logger: Utility that provides a way to access the syslog daemon from the command line
md5sum: Utility that prints checksums and block counts for specified files
mv: Utility that moves (renames) files
myisamchk: Indicates database table checking and repairing
mysql: Indicates a database process; multiple instances may appear
openssl: Indicates authentication certificate creation
perl: Indicates a perl process
ps: Utility that writes process information to standard output
sed: Utility used to edit one or more text files
sfheartbeat: Identifies a heartbeat broadcast, indicating that the appliance is active; heartbeat used to maintain contact between a device and Secure Firewall Management Center
sfmb: Indicates a message broker process; handles communication between Secure Firewall Management Centers and device.
sh: Public domain version of the Korn shell
shutdown: Utility that shuts down the appliance
sleep: Utility that suspends a process for a specified number of seconds
smtpclient: Mail client that handles email transmission when email event notification functionality is enabled
snmptrap: Forwards SNMP trap data to the SNMP trap server specified when SNMP notification functionality is enabled
snort: Indicates that Snort is running
ssh: Indicates a Secure Shell (SSH) connection to the appliance
sudo: Indicates a sudo process, which allows users other than admin to run executables
top: Utility that displays information about the top CPU processes
Note
The CPU usage output of this utility is split across the different types of usage of the CPU core. You must add the user and system process usage together to know the actual total CPU usage.
For example, if the output of the top command is: %Cpu(s): 76.6 us, 22.1 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 1.3 si, 0.0 st
Here, 76.6% of CPU time is used by user processes and 22.1% of CPU time is used by system (kernel) processes. The total CPU usage is 98.7%.
Thus, the CPU usage reported by this utility appears to differ from the Health Monitor dashboard. In addition, this utility uses a three-second interval to calculate the CPU usage, whereas the management center health monitor uses one-second intervals.
touch: Utility that can be used to change the access and modification times of specified files
vim: Utility used to edit text files
wc: Utility that performs line, word, and byte counts on specified files
Related Topics
Configure an Access List, on page 71
The SFDataCorrelator Process Statistics Section
On a Secure Firewall Management Center, you can view statistics about the Data Correlator and network
discovery processes for the current day. As the managed devices perform data acquisition, decoding, and
analysis, the network discovery process correlates the data with the fingerprint and vulnerability databases,
then produces binary files that are processed by the Data Correlator running on the Secure Firewall Management
Center. The Data Correlator analyzes the information from the binary files, generates events, and creates
network maps.
The statistics that appear for network discovery and the Data Correlator are averages for the current day, using
statistics gathered between 12:00 AM and 11:59 PM for each device.
The following table describes the statistics displayed for the Data Correlator process.
Table 42: Data Correlator Process Statistics
Category: Description
Events/Sec: Number of discovery events that the Data Correlator receives and processes per second
Connections/Sec: Number of connections that the Data Correlator receives and processes per second
CPU Usage — User (%): Average percentage of CPU time spent on user processes for the current day
CPU Usage — System (%): Average percentage of CPU time spent on system processes for the current day
VmSize (KB): Average size of memory allocated to the Data Correlator for the current day, in kilobytes
VmRSS (KB): Average amount of memory used by the Data Correlator for the current day, in kilobytes
The Intrusion Event Information Section
On both the Secure Firewall Management Center and managed devices, you can view summary information
about intrusion events on the Statistics page. This information includes the date and time of the last intrusion
event, the total number of events that have occurred in the past hour and the past day, and the total number
of events in the database.
Note
The information in the Intrusion Event Information section of the Statistics page is based on intrusion events
stored on the managed device rather than those sent to the Secure Firewall Management Center. No intrusion
event information is listed on this page if the managed device cannot (or is configured not to) store intrusion
events locally.
The following table describes the statistics displayed in the Intrusion Event Information section of the Statistics
page.
Table 43: Intrusion Event Information
Statistic: Description
Last Alert Was: The date and time that the last event occurred
Total Events Last Hour: The total number of events that occurred in the past hour
Total Events Last Day: The total number of events that occurred in the past twenty-four hours
Total Events in Database: The total number of events in the events database
Viewing System Statistics
The display includes statistics for the Secure Firewall Management Center and its managed devices.
Before you begin
You must be an Admin or Maintenance user and be in the Global domain to view system statistics.
Procedure
Step 1
Choose System ( ) > Monitoring > Statistics.
Step 2
Choose a device from the Select Device(s) list, and click Select Devices.
Step 3
View available statistics.
Step 4
In the Disk Usage section, you can:
• Hover your pointer over a disk usage category in the By Category stacked bar to view (in order):
• the percentage of available disk space used by that category
• the actual storage space on the disk
• the total disk space available for that category
• Click the down arrow next to By Partition to expand it. If you have a malware storage pack installed,
the /var/storage partition usage is displayed.
Step 5
(Optional) Click the arrow next to Processes to view the information described in Viewing System Statistics,
on page 392.
CHAPTER 14
Troubleshooting
The following topics describe ways to diagnose problems you may encounter:
• First Steps for Troubleshooting, on page 395
• System Messages, on page 395
• View Basic System Information, on page 398
• Managing System Messages, on page 398
• Memory Usage Thresholds for Health Monitor Alerts, on page 402
• Disk Usage and Drain of Events Health Monitor Alerts, on page 403
• Health Monitor Reports for Troubleshooting, on page 406
• General Troubleshooting, on page 408
• Connection-based Troubleshooting, on page 408
• Advanced Troubleshooting for the Secure Firewall Threat Defense Device, on page 409
• Feature-Specific Troubleshooting, on page 416
First Steps for Troubleshooting
• Before you make changes to try to fix a problem, generate a troubleshooting file to capture the original
problem. See Health Monitor Reports for Troubleshooting, on page 406 and its subsections.
You may need this troubleshooting file if you need to contact Cisco TAC for support.
• Start your investigation by looking at error and warning messages in the Message Center. See System
Messages, on page 395
• Look for applicable Tech Notes and other troubleshooting resources under the "Troubleshoot and Alerts"
heading on the product documentation page for your product. See First Steps for Troubleshooting, on
page 395.
System Messages
When you need to track down problems occurring in the system, the Message Center is the place to start your
investigation. This feature allows you to view the messages that the system continually generates about system
activities and status.
To open the Message Center, click on the System Status icon, located next to the Deploy menu in the main
menu. This icon can take one of the following forms, depending on the system status:
• ( ) — Indicates one or more errors and any number of warnings are present on the system.
• ( ) — Indicates one or more warnings and no errors are present on the system.
• ( ) — Indicates no warnings or errors are present on the system.
If a number is displayed with the icon, it indicates the total current number of error or warning messages.
To close the Message Center, click anywhere outside of it within the web interface.
In addition to the Message Center, the web interface displays pop-up notifications in immediate response to
your activities and ongoing system activities. Some pop-up notifications automatically disappear after five
seconds, while others are "sticky," meaning they display until you explicitly dismiss them by clicking Dismiss
( ). Click the Dismiss link at the top of the notifications list to dismiss all notifications at once.
Tip
Hovering your cursor over a non-sticky pop-up notification causes it to be sticky.
The system determines which messages it displays to users in pop-up notifications and the Message Center
based on their licenses, domains, and access roles.
Message Types
The Message Center displays messages reporting system activities and status organized into three different
tabs:
Deployments
This tab displays current status related to configuration deployment for each appliance in your system,
grouped by domain. The system reports the following deployment status values on this tab. You can get
additional detail about the deployment jobs by clicking Show History.
• Running (Spinning) — The configuration is in the process of deploying.
• Success — The configuration has successfully been deployed.
• Warning ( ) — Warning deployment statuses contribute to the message count displayed with the
Warning System Status icon.
• Failure — The configuration has failed to deploy; see Out-of-Date Policies. Failed deployments
contribute to the message count displayed with the Error System Status icon.
Health
This tab displays current health status information for each appliance in your system, grouped by domain.
Health status is generated by health modules as described in About Health Monitoring, on page 327. The
system reports the following health status values on this tab:
• Warning ( ) — Indicates that warning limits have been exceeded for a health module on an
appliance and the problem has not been corrected. The Health Monitoring page indicates these
conditions with a Yellow Triangle ( ). Warning statuses contribute to the message count displayed
with the Warning System Status icon.
• Critical ( ) — Indicates that critical limits have been exceeded for a health module on an appliance
and the problem has not been corrected. The Health Monitoring page indicates these conditions
with a Critical ( ) icon. Critical statuses contribute to the message count displayed with the Error
System Status icon.
• Error ( ) — Indicates that a health monitoring module has failed on an appliance and has not
been successfully re-run since the failure occurred. The Health Monitoring page indicates these
conditions with an Error icon. Error statuses contribute to the message count displayed with the
Error System Status icon.
You can click on links in the Health tab to view related detailed information on the Health Monitoring
page. If there are no current health status conditions, the Health tab displays no messages.
Tasks
Certain tasks (such as configuration backups or update installation) can require some time to complete.
This tab displays the status of these long-running tasks, and can include tasks initiated by you or, if you
have appropriate access, other users of the system. The tab presents messages in reverse chronological
order based on the most recent update time for each message. Some task status messages include links
to more detailed information about the task in question. The system reports the following task status
values on this tab:
• Waiting ( ) — Indicates a task that is waiting to run until another in-progress task is complete. This
message type displays an updating progress bar.
• Running — Indicates a task that is in progress. This message type displays an updating progress
bar.
• Retrying — Indicates a task that is automatically retrying. Note that not all tasks are permitted to
try again. This message type displays an updating progress bar.
• Success — Indicates a task that has completed successfully.
• Failure — Indicates a task that did not complete successfully. Failed tasks contribute to the message
count displayed with the Error System Status icon.
• Stopped or Suspended — Indicates a task that was interrupted due to a system update. Stopped
tasks cannot be resumed. After normal operations are restored, start the task again.
• Skipped — A process in progress prevented the task from starting. Try again to start the task.
New messages appear in this tab as new tasks are started. As tasks complete (status success, failure, or
stopped), this tab continues to display messages with final status indicated until you remove them. Cisco
recommends you remove messages to reduce clutter in the Tasks tab as well as the message database.
Message Management
From the Message Center you can:
• Configure pop-up notification behavior (choosing whether to display them).
• Display additional task status messages from the system database (if any are available that have not been
removed).
• Remove individual task status messages. (This affects all users who can view the removed messages.)
• Remove task status messages in bulk. (This affects all users who can view the removed messages.)
Tip
Cisco recommends that you periodically remove accumulated task status messages from the Tasks tab to reduce
clutter in the display as well as in the database. When the number of messages in the database approaches 100,000,
the system automatically deletes task status messages that you have removed.
View Basic System Information
The About page displays information about your appliance, including the model, serial number, and version
information for various components of the system. It also includes Cisco copyright information.
Procedure
Step 1
Click Help in the toolbar at the top of the page.
Step 2
Choose About.
View Appliance Information
Procedure
Choose System ( ) > Configuration.
Managing System Messages
Procedure
Step 1
Click System Status to display the Message Center.
Step 2
You have the following choices:
• Click Deployments to view messages related to configuration deployments. See Viewing Deployment
Messages, on page 399. You must be an Admin user or have the Deploy Configuration to Devices
permission to view these messages.
• Click Health to view messages related to the health of your Secure Firewall Management Center and
the devices registered to it. See Viewing Health Messages, on page 400. You must be an Admin user or
have the Health permission to view these messages.
• Click Tasks to view or manage messages related to long-running tasks. See Viewing Task Messages,
on page 400 or Managing Task Messages, on page 401. Everyone can see their own tasks. To see the tasks
of other users, you must be an Admin user or have the View Other Users' Tasks permission.
• Click Cog ( ) in the upper right corner of the Message Center to configure pop-up notification behavior.
See Configuring Notification Behavior, on page 401.
Viewing Deployment Messages
You must be an Admin user or have the Deploy Configuration to Devices permission to view these messages.
Procedure
Step 1
Click System Status to display the Message Center.
Step 2
Click Deployments.
Step 3
You have the following choices:
• Click total to view all current deployment statuses.
• Click a status value to view only messages with that deployment status.
• Hover your cursor over the time elapsed indicator for a message (for example, 1m 5s) to view the elapsed
time, and start and stop times for the deployment.
Step 4
Click show deployment history to view more detailed information about the deployment jobs.
The Deployment History table lists the deployment jobs in the left column in reverse chronological order.
a) Select a deployment job.
The table in the right column shows each device that was included in the job, and the deployment status
per device.
b) To view responses from the device, and commands sent to the device during deployment, click download
in the Transcript column for the device.
The transcript includes the following sections:
• Snort Apply—If there are any failures or responses from Snort-related policies, messages appear
in this section. Normally, the section is empty.
• CLI Apply—This section covers features that are configured using commands sent to the Lina
process.
• Infrastructure Messages—This section shows the status of different deployment modules.
In the CLI Apply section, the deployment transcript includes commands sent to the device, and any
responses returned from the device. These responses can be informative messages or error messages. For
failed deployments, look for messages that indicate errors with the commands. Examining these errors
can be particularly helpful if you are using FlexConfig policies to configure customized features. These
errors can help you correct the script in the FlexConfig object that is trying to configure the commands.
Note
There is no distinction made in the transcript between commands sent for managed features and
those generated from FlexConfig policies.
For example, the following sequence shows that the management center sent commands to configure
GigabitEthernet0/0 with the logical name outside. The device responded that it automatically set the
security level to 0. The threat defense does not use the security level for anything.
========= CLI APPLY =========
FMC >> interface GigabitEthernet0/0
FMC >> nameif outside
FTDv 192.168.0.152 >> [info] : INFO: Security level for "outside" set to 0 by default.
Viewing Health Messages
You must be an Admin user or have the Health permission to view these messages.
Procedure
Step 1
Click System Status to display the Message Center.
Step 2
Click Health.
Step 3
You have the following choices:
• Click total to view all current health statuses.
• Click on a status value to view only messages with that status.
• Hover your cursor over the relative time indicator for a message (for example, 3 day(s) ago) to view the
time of the most recent update for that message.
• To view detailed health status information for a particular message, click the message.
• To view complete health status on the Health Monitoring page, click Health Monitor.
Related Topics
About Health Monitoring, on page 327
Viewing Task Messages
Everyone can see their own tasks. To see the tasks of other users, you must be an Admin user or have the
View Other Users' Tasks permission.
Procedure
Step 1
Click System Status to display the Message Center.
Step 2
Click Tasks.
Step 3
You have the following choices:
• Click total to view all current task statuses.
• Click a status value to view only messages for tasks with that status.
Note
Messages for stopped tasks appear only in the total list of task status messages. You cannot
filter on stopped tasks.
• Hover your cursor over the relative time indicator for a message (e.g., 3 day(s) ago) to view the time of
the most recent update for that message.
• Click any link within a message to view more information about the task.
• If more task status messages are available for display, click Fetch more messages at the bottom of the
message list to retrieve them.
Managing Task Messages
Everyone can see their own tasks. To see the tasks of other users, you must be an Admin user or have the
View Other Users' Tasks permission.
Procedure
Step 1
Click System Status to display the Message Center.
Step 2
Click Tasks.
Step 3
You have the following choices:
• If more task status messages are available for display, click on Fetch more messages at the bottom of
the message list to retrieve them.
• To remove a single message for a completed task (status stopped, success, or failure), click on Remove
( ) next to the message.
• To remove all messages for all tasks that have completed (status stopped, success, or failure), filter the
messages on total and click on Remove all completed tasks.
• To remove all messages for all tasks that have completed successfully, filter the messages on success,
and click on Remove all successful tasks.
• To remove all messages for all tasks that have failed, filter the messages on failure, and click on Remove
all failed tasks.
Configuring Notification Behavior
Note
This setting affects all pop-up notifications and persists between login sessions.
Procedure
Step 1
Click System Status to display the Message Center.
Step 2
Click Cog ( ) in the upper right corner of the Message Center.
Step 3
To enable or disable pop-up notification display, click the Show notifications slider.
Step 4
Click Cog ( ) again to hide the slider.
Step 5
Click System Status again to close the Message Center.
Memory Usage Thresholds for Health Monitor Alerts
The Memory Usage health module compares memory usage on an appliance to the limits configured for the
module and alerts when usage exceeds the levels. The module monitors data from managed devices and from
the management center itself.
Two configurable thresholds for memory usage, Critical and Warning, can be set as a percentage of memory
used. When these thresholds are exceeded, a health alarm is generated with the severity level specified.
However, the health alarm system does not calculate these thresholds in an exact manner.
With high memory devices, certain processes are expected to use a larger percentage of total system memory
than in a low memory footprint device. The design is to use as much of the physical memory as possible while
leaving a small value of memory free for ancillary processes.
Compare two devices, one with 32 GB of memory and one with 4 GB of memory. In the device with 32 GB
of memory, 5% of memory (1.6GB) is a much larger value of memory to leave for ancillary processes than
in the device with 4 GB of memory (5% of 4GB = 200MB).
To account for the higher percentage use of system memory by certain processes, the management center
calculates the total memory to include both total physical memory and total swap memory. Thus the enforced
memory threshold for the user-configured threshold input can result in a Health Event where the “Value”
column of the event does not match the value that was entered to determine the exceeded threshold.
The following table shows examples of user-input thresholds and the enforced thresholds, depending on the
installed system memory.
Note
The values in this table are examples. You can use this information to extrapolate thresholds for devices that
do not match the installed RAM shown here, or you can contact Cisco TAC for more precise threshold
calculations.
Table 44: Memory Usage Thresholds Based On Installed RAM
User-input          Enforced Threshold Per Installed Memory (RAM)
Threshold Value     4 GB      6 GB      32 GB     48 GB
10%                 10%       34%       72%       81%
20%                 20%       41%       75%       83%
30%                 30%       48%       78%       85%
40%                 40%       56%       81%       88%
50%                 50%       63%       84%       90%
60%                 60%       70%       88%       92%
70%                 70%       78%       91%       94%
80%                 80%       85%       94%       96%
90%                 90%       93%       97%       98%
100%                100%      100%      100%      100%
Disk Usage and Drain of Events Health Monitor Alerts
The Disk Usage health module compares disk usage on a managed device’s hard drive and malware storage
pack to the limits configured for the module and alerts when usage exceeds the percentages configured for
the module. This module also alerts when the system excessively deletes files in monitored disk usage
categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds.
This topic describes the symptoms and troubleshooting guidelines for two health alerts generated by the Disk
Usage health module:
• Frequent Drain of Events
• Drain of Unprocessed Events
The disk manager process manages the disk usage of a device. Each type of file monitored by the disk manager
is assigned a silo. Based on the amount of disk space available on the system the disk manager computes a
High Water Mark (HWM) and a Low Water Mark (LWM) for each silo.
To display detailed disk usage information for each part of the system, including silos, LWMs, and HWMs,
use the show disk-manager command.
Examples
Following is an example of the disk manager information.
> show disk-manager
Silo                             Used        Minimum       Maximum
Temporary Files                  0 KB        499.197 MB    1.950 GB
Action Queue Results             0 KB        499.197 MB    1.950 GB
User Identity Events             0 KB        499.197 MB    1.950 GB
UI Caches                        4 KB        1.462 GB      2.925 GB
Backups                          0 KB        3.900 GB      9.750 GB
Updates                          0 KB        5.850 GB      14.625 GB
Other Detection Engine           0 KB        2.925 GB      5.850 GB
Performance Statistics           33 KB       998.395 MB    11.700 GB
Other Events                     0 KB        1.950 GB      3.900 GB
IP Reputation & URL Filtering    0 KB        2.437 GB      4.875 GB
Archives & Cores & File Logs     0 KB        3.900 GB      19.500 GB
Unified Low Priority Events      1.329 MB    4.875 GB      24.375 GB
RNA Events                       0 KB        3.900 GB      15.600 GB
File Capture                     0 KB        9.750 GB      19.500 GB
Unified High Priority Events     0 KB        14.625 GB     34.125 GB
IPS Events                       0 KB        11.700 GB     29.250 GB
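The following script is an added example, not part of this guide and not Cisco code. It parses a copy of the show disk-manager output above and computes, for each silo, the LWM-to-HWM band (the space a silo can absorb after a fresh drain before the disk manager drains it again) and how close the current Used value is to the High Water Mark. Two assumptions are made: that the Minimum and Maximum columns are the silo's Low and High Water Marks, and that the CLI renders the table as whitespace-separated columns with the silo name first (silo names can contain spaces and "&"). The embedded sample is a subset of the guide's own output, reproduced here as constructed input.

```python
import re
from typing import List, NamedTuple

# Constructed sample: a subset of the show disk-manager output printed in this
# guide. The whitespace-separated column layout is an assumption about how the
# CLI renders the table; silo names may contain spaces and '&'.
SAMPLE_OUTPUT = """\
> show disk-manager
Silo                             Used        Minimum       Maximum
Temporary Files                  0 KB        499.197 MB    1.950 GB
Backups                          0 KB        3.900 GB      9.750 GB
Performance Statistics           33 KB       998.395 MB    11.700 GB
Archives & Cores & File Logs     0 KB        3.900 GB      19.500 GB
Unified Low Priority Events      1.329 MB    4.875 GB      24.375 GB
IPS Events                       0 KB        11.700 GB     29.250 GB
"""

UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# One size token such as "499.197 MB"; the row pattern repeats it for the three
# numeric columns (Used, Minimum = LWM, Maximum = HWM, the latter two assumed).
SIZE = r"(\d+(?:\.\d+)?)\s*(KB|MB|GB)"
ROW = re.compile(rf"^(.+?)\s+{SIZE}\s+{SIZE}\s+{SIZE}$")


class Silo(NamedTuple):
    name: str
    used: int  # bytes currently stored in the silo
    lwm: int   # Low Water Mark: level a drain purges the silo down to
    hwm: int   # High Water Mark: level at which the disk manager drains the silo


def to_bytes(value: str, unit: str) -> int:
    return int(round(float(value) * UNITS[unit]))


def parse_disk_manager(text: str) -> List[Silo]:
    """Parse show disk-manager rows; the prompt, header and blank lines are skipped."""
    silos = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, v1, u1, v2, u2, v3, u3 = m.groups()
        silos.append(Silo(name.strip(), to_bytes(v1, u1),
                          to_bytes(v2, u2), to_bytes(v3, u3)))
    return silos


def headroom_gb(silo: Silo) -> float:
    """Space the silo can absorb after a fresh drain (LWM) before the next drain (HWM)."""
    return (silo.hwm - silo.lwm) / UNITS["GB"]


def used_fraction_of_hwm(silo: Silo) -> float:
    """How close the silo is to its next drain; 1.0 means the HWM has been reached."""
    return silo.used / silo.hwm if silo.hwm else 0.0


def least_headroom(silos: List[Silo]) -> str:
    """Silo with the narrowest LWM-to-HWM band: the first to drain frequently
    if its input rate rises."""
    return min(silos, key=headroom_gb).name


def report(text: str) -> List[str]:
    """One line per silo, narrowest band first, for a quick capacity review."""
    lines = []
    for s in sorted(parse_disk_manager(text), key=headroom_gb):
        lines.append(f"{s.name:<30} headroom {headroom_gb(s):7.3f} GB  "
                     f"used {100 * used_fraction_of_hwm(s):6.2f}% of HWM")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

Run it against the pasted output of show disk-manager from a device that is raising drain alerts; a silo whose Used value sits near its HWM while the band is small is the one to correlate with the logging configuration review described later in this topic.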
Health Alert Format
When the Health Monitor process on the management center runs (once every 5 minutes or when a manual
run is triggered) the Disk Usage module looks into the diskmanager.log file and, if the correct conditions are
met, the respective health alert is triggered.
The structures of these health alerts are as follows:
• Frequent drain of <SILO NAME>
• Drain of unprocessed events from <SILO NAME>
For example,
• Frequent drain of Low Priority Events
• Drain of unprocessed events from Low Priority Events
It’s possible for any silo to generate a Frequent drain of <SILO NAME> health alert. However, the most
commonly seen are the alerts related to events. Among the event silos, the Low Priority Events are often seen
because these types of events are generated by the device more frequently.
A Frequent drain of <SILO NAME> event has a Warning severity level when seen in relation to an
event-related silo, because events will be queued to be sent to the management center. For a non-event related
silo, such as the Backups silo, the alert has a Critical severity level because this information is lost.
Important
Only event silos generate a Drain of unprocessed events from <SILO NAME> health alert. This alert always
has Critical severity level.
Additional symptoms besides the alerts can include:
• Slowness on the management center user interface
• Loss of events
Common Troubleshoot Scenarios
A Frequent drain of <SILO NAME> event is caused by too much input into the silo for its size. In this case,
the disk manager drains (purges) that file at least twice in the last 5-minute interval. In an event type silo, this
is typically caused by excessive logging of that event type.
In the case of a Drain of unprocessed events of <SILO NAME> health alert, this can also be caused by a
bottleneck in the event processing path.
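As an added example (not part of this guide and not Cisco's Disk Usage module), the script below applies the alert rules stated above to a small set of constructed drain records: a silo drained at least twice within the 5-minute Health Monitor interval raises Frequent drain of <SILO NAME>, with Warning severity for an event silo and Critical otherwise, and a drain that purged unprocessed files from an event silo raises Drain of unprocessed events from <SILO NAME> at Critical severity. The CSV record shape, the list of event-silo names and the "any drain with unprocessed files" trigger are assumptions made for the example; the real diskmanager.log layout is not described on this page.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed drain records. The real diskmanager.log layout is not documented
# here, so this CSV shape (timestamp,silo,files_drained,unprocessed_files) is an
# assumption made for the example only.
SAMPLE_DRAIN_LOG = """\
2022-06-20 09:58:00,High Priority Events,4,0
2022-06-20 10:01:12,Low Priority Events,12,0
2022-06-20 10:03:40,Low Priority Events,9,3
2022-06-20 10:04:55,Backups,1,0
2022-06-20 10:05:10,Backups,1,0
"""

# Silos whose contents are events queued for the management center. Names follow
# the alert wording in this guide ("Low Priority Events"); the set is illustrative.
EVENT_SILOS = {
    "Low Priority Events", "High Priority Events", "IPS Events",
    "RNA Events", "User Identity Events", "Other Events",
}

# The Health Monitor process runs once every 5 minutes.
HEALTH_MONITOR_INTERVAL = timedelta(minutes=5)


class Drain(NamedTuple):
    when: datetime
    silo: str
    files: int
    unprocessed: int


class HealthAlert(NamedTuple):
    message: str
    severity: str


def parse_drains(text: str) -> List[Drain]:
    drains = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, silo, files, unprocessed = line.split(",")
        drains.append(Drain(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            silo, int(files), int(unprocessed)))
    return drains


def evaluate(drains: List[Drain], now: datetime) -> List[HealthAlert]:
    """Apply the Disk Usage module's rules as this guide states them:
    - two or more drains of a silo within the 5-minute interval -> Frequent drain,
      Warning for event silos (events are queued, not lost), Critical otherwise;
    - a drain that purged unprocessed files from an event silo -> Drain of
      unprocessed events, always Critical (that data is lost).
    """
    window_start = now - HEALTH_MONITOR_INTERVAL
    recent = [d for d in drains if window_start <= d.when <= now]
    alerts = []
    for silo in sorted({d.silo for d in recent}):
        silo_drains = [d for d in recent if d.silo == silo]
        is_event_silo = silo in EVENT_SILOS
        if len(silo_drains) >= 2:
            alerts.append(HealthAlert(f"Frequent drain of {silo}",
                                      "Warning" if is_event_silo else "Critical"))
        if is_event_silo and any(d.unprocessed > 0 for d in silo_drains):
            alerts.append(HealthAlert(
                f"Drain of unprocessed events from {silo}", "Critical"))
    return alerts


def run_sample() -> List[HealthAlert]:
    """Evaluate the constructed records at a fixed 'now' inside the sample window."""
    return evaluate(parse_drains(SAMPLE_DRAIN_LOG),
                    datetime(2022, 6, 20, 10, 5, 30))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.severity}] {alert.message}")
```

In the sample, the High Priority Events drain falls outside the 5-minute window and raises nothing; Backups drains twice and is Critical because backup data is lost rather than queued; Low Priority Events drains twice (Warning) and one of those drains purged unprocessed files (Critical).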
There are three potential bottlenecks with respect to these Disk Usage alerts:
• Excessive logging ― The EventHandler process on threat defense is oversubscribed (it reads slower than
what Snort writes).
• Sftunnel bottleneck ― The Eventing interface is unstable or oversubscribed.
• SFDataCorrelator bottleneck ― The data transmission channel between the management center and the
managed device is oversubscribed.
Excessive Logging
One of the most common causes for the health alerts of this type is excessive input. The difference between
the Low Water Mark (LWM) and High Water Mark (HWM) gathered from the show disk-manager command
shows how much space there is available to take on that silo to go from LWM (freshly drained) to the HWM
value. If there are frequent drain of events (with or without unprocessed events) the first thing to review is
the logging configuration.
• Check for double logging ― Double logging scenarios can be identified if you look at the correlator
perfstats on the management center:
admin@FMC:~$ sudo perfstats -Cq < /var/sf/rna/correlator-stats/now
• Check logging settings for the ACP ― Review the logging settings of the Access Control Policy (ACP).
If you log both the "Beginning" and "End" of connections, log only the end: end-of-connection logging
includes everything that beginning-of-connection logging records, and it reduces the number of events.
Ensure that you follow the best practices described in Best Practices for Connection Logging, on page
690.
Communications Bottleneck ― Sftunnel
Sftunnel is responsible for encrypted communications between the management center and the managed
device. Events are sent over the tunnel to the management center. Connectivity issues and/or instability in the
communication channel (sftunnel) between the managed device and the management center can be due to:
• Sftunnel is down or is unstable (flaps).
Ensure that the management center and the managed device have reachability between their management
interfaces on TCP port 8305.
The sftunnel process should be stable and should not restart unexpectedly. Verify this by checking the
/var/log/message file and search for messages that contain the sftunneld string.
• Sftunnel is oversubscribed.
Review trend data from the Health Monitor and look for signs of oversubscription of the management
center's management interface, which can be a spike in management traffic or a constant oversubscription.
Use a secondary management interface for Firepower-eventing. To use this interface, you must
configure its IP address and other parameters at the threat defense CLI using the configure network
management-interface command.
Communications Bottleneck ― SFDataCorrelator
The SFDataCorrelator manages data transmission between the management center and the managed device;
on the management center, it analyzes binary files created by the system to generate events, connection data,
and network maps. The first step is to review the diskmanager.log file for important information to be
gathered, such as:
• The frequency of the drain.
• The number of files with Unprocessed Events drained.
• The occurrence of the drain with Unprocessed Events.
Each time the disk manager process runs it generates an entry for each of the different silos on its own log
file, which is located under [/ngfw]/var/log/diskmanager.log. Information gathered from the diskmanager.log
(in CSV format) can be used to help narrow the search for a cause.
Additional troubleshooting steps:
• The command stats_unified.pl can help you to determine whether the managed device has data
which still needs to be sent to the management center. This condition can happen when the managed device and
the management center experience a connectivity issue. The managed device stores the log data on its
hard drive.
admin@FMC:~$ sudo stats_unified.pl
• The manage_procs.pl command can reconfigure the correlator on the management center side.
root@FMC:~# manage_procs.pl
Before You Contact Cisco Technical Assistance Center (TAC)
It is highly recommended to collect these items before you contact Cisco TAC:
• Screenshots of the health alerts seen.
• Troubleshoot file generated from the management center.
• Troubleshoot file generated from the affected managed device.
• Date and Time when the problem was first seen.
• Information about any recent changes done to the policies (if applicable).
• The output of the stats_unified.pl command as described in the Communications Bottleneck ―
SFDataCorrelator, on page 405.
Health Monitor Reports for Troubleshooting
In some cases, if you have a problem with your appliance, Support may ask you to supply troubleshooting
files to help them diagnose the problem. The system can produce troubleshooting files with information
targeted to specific functional areas, as well as advanced troubleshooting files you retrieve in cooperation
with Support. You can select any of the options listed in the table below to customize the contents of a
troubleshooting file for a specific function.
Note that some options overlap in terms of the data they report, but the troubleshooting files will not contain
redundant copies, regardless of what options you select.
Table 45: Selectable Troubleshoot Options
This option...                               Reports...
Snort Performance and Configuration          data and configuration settings related to Snort on the appliance
Hardware Performance and Logs                data and logs related to the performance of the appliance hardware
System Configuration, Policy, and Logs       configuration settings, data, and logs related to the current system configuration of the appliance
Detection Configuration, Policy, and Logs    configuration settings, data, and logs related to detection on the appliance
Interface and Network Related Data           configuration settings, data, and logs related to inline sets and network configuration of the appliance
Discovery, Awareness, VDB Data, and Logs     configuration settings, data, and logs related to the current discovery and awareness configuration on the appliance
Upgrade Data and Logs                        data and logs related to prior upgrades of the appliance
All Database Data                            all database-related data that is included in a troubleshoot report
All Log Data                                 all logs collected by the appliance database
Network Map Information                      current network topology data
Producing Troubleshooting Files for Specific System Functions
You can generate and download customized troubleshooting files that you can send to Support.
In a multidomain deployment, you can generate and download troubleshooting files for devices in descendant
domains.
Before you begin
You must be an Admin, Maintenance, Security Analyst, or Security Analyst (Read Only) user to perform this
task.
Procedure
Step 1
Perform the steps in Viewing the Device Health Monitor, on page 354.
Step 2
Click Generate Troubleshooting Files.
Step 3
Choose All Data to generate all possible troubleshooting data, or check individual boxes as described in
Viewing Task Messages, on page 400.
Step 4
Click OK.
Step 5
View task messages in the Message Center; see Viewing Task Messages, on page 400.
Step 6
Find the task that corresponds to the troubleshooting files you generated.
Step 7
After the appliance generates the troubleshooting files and the task status changes to Completed, click Click
to retrieve generated files.
Step 8
Follow your browser's prompts to download the file. (The troubleshooting files are downloaded in a single
.tar.gz file.)
Step 9
Follow the directions from Support to send the troubleshooting files to Cisco.
Downloading Advanced Troubleshooting Files
In a multidomain deployment, you can generate and download troubleshooting files for devices in descendant
domains. You can download files from the Secure Firewall Management Center only from the Global domain.
Before you begin
You must be an Admin, Maintenance, Security Analyst, or Security Analyst (Read Only) user to perform this
task.
Procedure
Step 1
View the health monitor for the appliance; see Viewing the Device Health Monitor, on page 354.
Step 2
Click Advanced Troubleshooting.
Step 3
In File Download, enter the file name supplied by Support.
Step 4
Click Download.
Step 5
Follow your browser's prompts to download the file.
Note
For managed devices, the system renames the file by prepending the device name to the file name.
Step 6
Follow the directions from Support to send the troubleshooting files to Cisco.
General Troubleshooting
An internal power failure (hardware failure, power surge, and so on) or an external power failure (unplugged
cord) can result in an ungraceful shutdown or reboot of the system. This can result in data corruption.
Connection-based Troubleshooting
Connection-based troubleshooting or debugging provides uniform debugging across modules to collect
the appropriate logs for a specific connection. It also supports level-based debugging with up to seven levels and
provides a uniform log collection mechanism across modules. Connection-based debugging supports the following:
• A common connection-based debugging subsystem to troubleshoot issues in threat defense
• Uniform format for debug messages across modules
• Persistent debug messages across reboots
• End-to-end debugging across modules based on an existing connection
• Debugging ongoing connections
Note
Connection-based debugging is not supported on Firepower 2100 Series devices.
For more information about troubleshooting connections, see Troubleshoot a Connection, on page 409.
Troubleshoot a Connection
Procedure
Step 1
Configure a filter that identifies the connection of interest using the debug packet-condition command.
Example:
debug packet-condition match tcp 192.168.100.177 255.255.255.255 192.168.102.177 255.255.255.255
Step 2
Enable debugging for the modules of interest at the required level (1 to 7) using the debug packet command.
Example:
debug packet acl 5
Step 3
Start debugging the packets using the following command:
debug packet-start
Step 4
Retrieve the stored debug messages for analysis using the following command:
show packet-debugs
Step 5
Stop debugging the packets using the following command:
debug packet-stop
Advanced Troubleshooting for the Secure Firewall Threat
Defense Device
You can use the Packet Tracer and Packet Capture features to perform in-depth troubleshooting analysis
on a Secure Firewall Threat Defense device. Packet tracer allows a firewall administrator to inject a virtual
packet into the security appliance and track its flow from ingress to egress. Along the way, the packet is
evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and intrusion detection. The
power of the utility comes from the ability to simulate real-world traffic by specifying source and destination
addresses with protocol and port information. Packet capture is available with the trace option, which provides
a verdict on whether each captured packet is dropped or passed.
For more information about the troubleshooting files, see Downloading Advanced Troubleshooting Files, on
page 408.
Using the Threat Defense CLI from the Web Interface
You can execute selected threat defense command line interface (CLI) commands from the Secure Firewall
Management Center web interface. These commands are ping, traceroute, and show (except for show history
and show banner).
In a multidomain deployment, you can enter threat defense CLI commands through the Secure Firewall
Management Center web interface for managed devices in descendant domains.
Note
In deployments using Secure Firewall Management Center high availability, this feature is available only in
the active Secure Firewall Management Center.
For more information on the threat defense CLI, see the Command Reference for Secure Firewall Threat
Defense.
Before you begin
You must be an Admin, Maintenance, or Security Analyst user to use the CLI.
Procedure
Step 1
View the health monitor for the appliance; see Viewing the Device Health Monitor, on page 354.
Step 2
Click Advanced Troubleshooting.
Step 3
Click Threat Defense CLI.
Step 4
From the Command drop-down list, select a command.
Step 5
Optionally, enter command parameters in the Parameters text box.
Step 6
Click Execute to view the command output.
Packet Tracer Overview
Using the packet tracer, you can test your policy configuration by modeling a packet based on source and
destination addressing and protocol characteristics. The trace performs a policy lookup to test access rules, NAT,
routing, access policies, and rate limiting policies, and reports whether the packet would be permitted or denied. The
packet flow is simulated based on interfaces, source address, destination address, ports, and protocols. By
testing packets this way, you can see the results of your policies and confirm that the types of traffic you want
to allow or deny are handled as desired. Besides verifying your configuration, you can use the tracer to debug
unexpected behavior, such as packets being denied when they should be allowed. To simulate the packet fully,
packet tracer traces the whole data path, both the slow-path and fast-path modules. Processing occurs on a
per-session or per-packet basis, and both packet tracer and capture with trace log the tracing data per packet
as the Next-Generation Firewall (NGFW) processes it.
You can also initiate a packet trace from a PCAP file that contains a complete flow. Currently, only a PCAP
with a single TCP/UDP-based flow of at most 100 packets is supported. PCAP replay is not supported for
features that dynamically modify the packet during replay, such as IPsec, VPN, SSL or HTTPS decryption,
NAT, and so on.
The packet tracer tool reads the PCAP file and initializes the state for the client and server replay entities. It
then replays the packets in a synchronized manner, collecting and storing the trace output of each packet
in the PCAP for subsequent processing and display.
Packets are replayed in the order in which they appear in the PCAP file; any interference with the replay
terminates it and concludes the replay.
The trace output is generated for every packet in the PCAP on the specified ingress and egress interfaces,
providing a complete context for the flow evaluation.
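The pre-flight check below is an added example written for this edit; it is not part of this guide and not a Cisco tool. It applies the replay limits described above (a single TCP/UDP flow, at most 100 packets, a .pcap or .pcapng extension, and a file name of at most 64 characters) to a capture before you upload it, so a rejected upload is caught on the workstation rather than on the management center. Assumptions: it parses only the classic pcap container (pcapng files, which the tool also accepts, are reported as unparsed rather than decoded), it expects Ethernet/IPv4 framing, and the sample captures it checks are constructed in the code, reusing the addresses from the debug packet-condition example earlier in this chapter.

```python
import socket
import struct
from pathlib import PurePath

MAX_PACKETS = 100            # replay limit stated in the guide
MAX_NAME_LEN = 64            # file-name limit (including extension) stated in the guide
ALLOWED_SUFFIXES = {".pcap", ".pcapng"}
# Classic pcap magic numbers as read little-endian from the first four bytes,
# mapped to the struct byte-order prefix needed to parse the rest of the file.
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17


def flow_key(frame: bytes):
    """Return a direction-independent key (proto, {endpoint, endpoint}) for an
    Ethernet/IPv4/TCP-or-UDP frame, or None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < 14 + ihl + 4:
        return None
    src, dst = frame[26:30], frame[30:34]
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (proto, frozenset({(src, sport), (dst, dport)}))


def check_pcap(name: str, data: bytes):
    """Validate a classic pcap against the replay limits. Returns (ok, problems, count)."""
    problems = []
    if PurePath(name).suffix.lower() not in ALLOWED_SUFFIXES:
        problems.append(f"unsupported extension on {name!r}")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"file name is {len(name)} characters, limit is {MAX_NAME_LEN}")
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] not in PCAP_MAGIC:
        problems.append("not a classic pcap (this checker does not parse pcapng)")
        return False, problems, 0
    endian = PCAP_MAGIC[struct.unpack_from("<I", data, 0)[0]]
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        problems.append("link type is not Ethernet; the Ethernet/IPv4 decoder here does not apply")
    count, flows, offset = 0, set(), 24
    while offset + 16 <= len(data):              # each record: 16-byte header + frame
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        frame = data[offset + 16 : offset + 16 + incl_len]
        if len(frame) != incl_len:
            problems.append(f"truncated packet record at offset {offset}")
            break
        offset += 16 + incl_len
        count += 1
        key = flow_key(frame)
        if key is None:
            problems.append(f"packet {count} is not IPv4 TCP/UDP")
        else:
            flows.add(key)
    if count == 0:
        problems.append("no packets in file")
    if count > MAX_PACKETS:
        problems.append(f"{count} packets, limit is {MAX_PACKETS}")
    if len(flows) > 1:
        problems.append(f"{len(flows)} distinct flows, only a single flow is allowed")
    return not problems, problems, count


# --- constructed sample data (not a real capture) -------------------------------
def ip_frame(src, sport, dst, dport, proto=PROTO_TCP) -> bytes:
    """Minimal Ethernet/IPv4/TCP-or-UDP frame with zeroed MACs and checksums."""
    eth = bytes(12) + b"\x08\x00"
    ip = b"\x45\x00" + struct.pack("!HHHBBH", 40, 0, 0, 64, proto, 0)
    ip += socket.inet_aton(src) + socket.inet_aton(dst)
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


CLIENT, SERVER = ("192.168.100.177", 51000), ("192.168.102.177", 443)
SINGLE_FLOW = build_pcap([ip_frame(*CLIENT, *SERVER), ip_frame(*SERVER, *CLIENT),
                          ip_frame(*CLIENT, *SERVER)])
MIXED_FLOWS = build_pcap([ip_frame(*CLIENT, *SERVER), ip_frame("10.0.0.5", 40000, *SERVER)])
TOO_MANY = build_pcap([ip_frame(*CLIENT, *SERVER)] * (MAX_PACKETS + 1))

if __name__ == "__main__":
    for label, name, blob in (("ok", "client-server.pcap", SINGLE_FLOW),
                              ("mixed", "mixed.pcap", MIXED_FLOWS),
                              ("long", "long.pcap", TOO_MANY),
                              ("name", "x" * 61 + ".pcap", SINGLE_FLOW)):
        ok, problems, count = check_pcap(name, blob)
        print(f"{label}: ok={ok} packets={count} {problems}")
```

A flow here is the direction-independent 5-tuple, so both directions of one TCP session count as a single flow, while a second client talking to the same server is reported as a second flow, which is the case the replay rejects. To run it against a real file, pass `open(path, "rb").read()` and the file's base name to `check_pcap`.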
Use the Packet Tracer
You can use a packet tracer on Secure Firewall Threat Defense devices. You must be an Admin or Maintenance
user to use this tool.
Procedure
Step 1
On the management center, choose Devices > Packet Tracer.
Step 2
From the Select Device drop-down, choose the device on which you want to run the trace.
Step 3
From the Interface drop-down, choose the ingress interface for the packet trace.
Step 4
To use a PCAP replay in the packet-tracer, do the following:
a) Click Select a PCAP File.
b) To upload a new PCAP file, click Upload a PCAP file. To reuse a recently uploaded file, click the file
from the list.
Note
Only .pcap and .pcapng file formats are supported. The PCAP file can contain only a single
TCP/UDP based flow with a maximum of 100 packets. The maximum character limit on the
PCAP file name (including the file formats) is 64.
c) In the Upload PCAP box, you can either drag a PCAP file or click in the box to browse and upload the
file. On selecting the file, the upload process starts automatically.
d) Go to Step 13.
Step 5
To define the trace parameters, from the Protocol drop-down menu, select the packet type for the trace, and
specify the protocol characteristics:
• ICMP—Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.
• TCP/UDP/SCTP—Enter the source and destination port numbers.
• GRE/IPIP—Enter the protocol number, 0-255.
• ESP—Enter the SPI value for Source, 0-4294967295.
• RAWIP—Enter the port number, 0-255.
Step 6
Select the Source type for the packet trace, and enter the source IP address.
Source and destination types include IPv4, IPv6, and fully-qualified domain names (FQDN). You can specify
IPv4 or IPv6 addresses and FQDN, if you use Cisco TrustSec.
Step 7
Select the Source Port for the packet trace.
Step 8
Select the Destination type for the packet trace, and enter the destination IP address.
Destination type options vary depending on the source type that you select.
Step 9
Select the Destination Port for the packet trace.
Step 10
Optionally, if you want to trace a packet where the Security Group Tag (SGT) value is embedded in the Layer
2 CMD header (TrustSec), enter a valid SGT number.
Step 11
If you want packet tracer to enter a parent interface, which is later redirected to a sub-interface, enter a VLAN
ID.
This value is optional for non-sub-interfaces only, since all the interface types can be configured on a
sub-interface.
Step 12
Specify a Destination MAC Address for the packet trace.
If the Secure Firewall Threat Defense device is running in transparent firewall mode, and the ingress interface
is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. Whereas if the interface
is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but required
if you do not enter a VLAN ID value.
If the Secure Firewall Threat Defense is running in routed firewall mode, VLAN ID and Destination MAC
Address are optional if the input interface is a bridge group member.
Step 13
(Optional) If you want the packet tracer to ignore the security checks on the simulated packet, click Bypass
all security checks for simulated packet. This lets the packet tracer continue tracing a packet through the
system that would otherwise have been dropped.
Step 14
(Optional) To allow the packet to be sent out through the egress interface of the device, click Allow
simulated packet to transmit from device. Without this option the simulated packet is discarded after
tracing and never leaves the device.
Step 15
(Optional) If you want the packet-tracer to consider the injected packet as an IPsec/SSL VPN decrypted packet,
click Treat simulated packet as IPsec/SSL VPN decrypt.
Step 16
Click Trace.
The Trace Result displays the results for each phase that the PCAP packets traveled through in the system.
Click an individual packet to view the trace results for that packet. You can do the following:
• Copy the trace results to the clipboard.
• Expand or collapse the displayed results.
• Maximize the trace result screen.
Elapsed-time information, useful for gauging the processing effort of each phase, is displayed per phase. The
total time taken for the entire flow from the ingress to the egress interface is also displayed in the results
section.
The Trace History pane displays the stored trace details for each PCAP trace. It can store up to 100 packet
traces. You can select a saved trace and run the packet trace again. You can do the following:
• Search for a trace using any of the trace parameters.
• Disable saving of the trace to history.
• Delete specific trace results.
• Clear all the traces.
Packet Capture Overview
The packet capture feature with trace option allows real packets that are captured on the ingress interface to
be traced through the system. The trace information is displayed at a later stage. These packets are not dropped
on the egress interface, as they are real data-path traffic. Packet capture for threat defense devices supports
troubleshooting and analysis of data packets.
Once the packet is acquired, Snort detects the tracing flag that is set in the packet and writes tracer
elements for each stage the packet traverses. The Snort verdict for a captured packet can be one of the
following:
Table 46: Snort Verdicts
Pass: Allow analyzed packet.
Block: Packet not forwarded.
Replace: Packet modified.
AllowFlow: Flow passed without inspection.
BlockFlow: Flow was blocked.
Ignore: Flow was blocked; occurs only for sessions with flows blocked on passive interfaces.
Retry: Flow is stalled, waiting on a malware or URL category/reputation query. In the event of a timeout,
processing continues with an unknown result: in the case of malware, the file is allowed; in the case of
URL category/reputation, AC rule lookup continues with an uncategorized and unknown reputation.
Based on the Snort verdict, the packets are dropped or allowed. For example, the packet is dropped if the
Snort verdict is BlockFlow, and the subsequent packets in the session are dropped before reaching Snort.
When the Snort verdict is Block or BlockFlow, the Drop Reason (blocked or flow blocked by...) can be one
of the following:
Table 47: Drop Reasons
Snort: Snort is unable to process the packet, e.g., Snort cannot decode the packet because it is corrupted or
has an invalid format.
the App Id preprocessor: The App Id module/preprocessor does not block the packet by itself, but this may
indicate that App Id detection caused another module (e.g., the firewall) to match a blocking rule.
the SSL preprocessor: There is a block/reset rule in the SSL policy that matches the traffic.
the firewall: There is a block/reset rule in the firewall policy that matches the traffic.
the captive portal preprocessor: There is a block/reset rule using the identity policy that matches the traffic.
the safe search preprocessor: There is a block/reset rule using the safe-search feature in the firewall policy
that matches the traffic.
the SI preprocessor: There is a block/reset rule in the Security Intelligence tab of the AC policy that blocks
the traffic, e.g., a DNS or URL SI rule.
the prefilter preprocessor: There is a block/reset rule in the Prefilter tab of the AC policy that matches the
traffic.
the stream preprocessor: There is an intrusion rule blocking/resetting the stream connection, e.g., blocking
on a TCP normalization error.
the session preprocessor: This session was already blocked earlier by some other module, so the session
preprocessor is blocking further packets of the same session.
the fragmentation preprocessor: Blocking because an earlier fragment of the data was blocked.
the snort react preprocessor: There is a react snort rule, e.g., sending a response page on particular HTTP
traffic.
the snort response preprocessor: There is a snort rule to send a custom response on packets matching
conditions.
the reputation preprocessor: The packet matches a reputation rule, e.g., blocking a given IP address.
the x-Link2State preprocessor: Blocking due to a buffer overflow vulnerability detected in SMTP.
back orifice preprocessor: Blocking due to detection of Back Orifice data.
the SMB preprocessor: There is a snort rule to block SMB traffic.
the file process preprocessor: There is a file policy that blocks a file, e.g., malware blocking.
the IPS preprocessor: There is a snort rule using IPS, e.g., rate filtering.
The packet capture feature allows you to capture and download packets that are stored in system memory.
However, the in-memory buffer is limited to 32 MB because of memory constraints. Systems that handle a
very high volume of traffic fill that buffer quickly, so the capture limit can be raised by writing the capture
data to a file in secondary storage. The maximum supported file size is 10 GB.
When a file size is configured, the captured data is stored to the file, and the file name is derived from the
capture name.
Use the file-size option when you need to capture more than 32 MB of packet data.
For information, see the Command Reference for Secure Firewall Threat Defense.
Use the Capture Trace
Packet capture data includes information from Snort and preprocessors about verdicts and actions the system
takes while processing a packet. Multiple packet captures are possible at a time. You can configure the system
to modify, delete, clear, and save captures.
Note
Capturing packet data requires packet copy. This operation may cause delays while processing packets and
may also degrade the packet throughput. Cisco recommends that you use packet filters to capture specific
traffic data.
The saved traffic data can be downloaded in pcap or ASCII file formats.
Before you begin
You can use packet capture on Secure Firewall Threat Defense devices. You must be an Admin or Maintenance
user to use this tool.
Procedure
Step 1
On the management center, choose Devices > Device Management.
Step 2
Select a device.
Step 3
Click Troubleshooting.
The Health Monitor page appears.
Step 4
Click Advanced Troubleshooting.
Step 5
Select Capture w/Trace.
Step 6
Click Add Capture.
Step 7
Enter the Name for capturing the trace.
Step 8
Select the Interface for the capturing the trace.
Step 9
Specify Match Criteria details:
a) Select the Protocol.
b) Enter the IP address for the Source Host.
c) Enter the IP address for the Destination Host.
d) (Optional) Check SGT number check box, and enter a Security Group Tag (SGT).
Step 10
Specify Buffer details:
a) (Optional) Enter a maximum Packet Size.
b) (Optional) Enter a minimum Buffer Size.
c) Select either Continuous Capture if you want the traffic captured without interruption, or Stop when
full if you want the capture to stop when the maximum buffer size is reached.
d) Select Trace if you want to capture the details for each packet.
e) (Optional) Check Trace Count check box. Default value is 50. You can enter values in the range of
1-1000.
Step 11
Click Save.
Feature-Specific Troubleshooting
See the following table for feature-specific troubleshooting tips and techniques.
Table 48: Feature-Specific Troubleshooting Topics
Application control: Best Practices for Application Control in the Cisco Secure Firewall Management Center
Device Configuration Guide
LDAP external authentication: Troubleshooting LDAP Authentication Connections, on page 185
Licensing: Troubleshooting Smart Licensing, on page 258; Troubleshoot Specific License Reservation, on
page 270
Management Center high availability: Troubleshooting Management Center High Availability, on page 280
User rule conditions: Troubleshoot User Control in the Cisco Secure Firewall Management Center Device
Configuration Guide
User identity sources: For troubleshooting information on ISE/ISE-PIC, TS Agent Identity Source, Captive
Portal Identity Source, and Remote Access VPN Identity Source, see the corresponding sections in the Cisco
Secure Firewall Management Center Device Configuration Guide; see also Troubleshooting LDAP
Authentication Connections, on page 185
URL filtering: Troubleshoot URL Filtering in the Cisco Secure Firewall Management Center Device
Configuration Guide
Realms and user data downloads: Troubleshoot Realms and User Downloads in the Cisco Secure Firewall
Management Center Device Configuration Guide
Network discovery: Troubleshooting Your Network Discovery Strategy in the Cisco Secure Firewall
Management Center Device Configuration Guide
Custom Security Group Tag (SGT) rule conditions: Custom SGT Rule Conditions in the Cisco Secure Firewall
Management Center Device Configuration Guide
SSL rules: Chapter on SSL rules in the Cisco Secure Firewall Device Manager Configuration Guide
Cisco Threat Intelligence Director (TID): Troubleshoot Secure Firewall threat intelligence director in the
Cisco Secure Firewall Management Center Device Configuration Guide
Secure Firewall Threat Defense syslog: About Configuring Syslog in the Cisco Secure Firewall Management
Center Device Configuration Guide
Intrusion performance statistics: Intrusion Performance Statistic Logging Configuration in the Cisco Secure
Firewall Management Center Device Configuration Guide
Connection-based Troubleshooting: Connection-based Troubleshooting, on page 408
Part IV: Tools
• Backup/Restore, on page 421
• Scheduling, on page 451
• Import/Export, on page 473
• Data Purge and Storage, on page 479
Chapter 15: Backup/Restore
• About Backup and Restore, on page 421
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
• Backing Up Management Centers or Managed Devices, on page 429
• Restoring Management Centers and Managed Devices, on page 433
• Manage Backups and Remote Storage, on page 447
• History for Backup and Restore, on page 450
About Backup and Restore
The ability to recover from a disaster is an essential part of any system maintenance plan. As part of your
disaster recovery plan, we recommend that you perform periodic backups to a secure remote location.
On-Demand Backups
You can perform on-demand backups for the management center and many threat defense devices from the
management center.
For more information, see Backing Up Management Centers or Managed Devices, on page 429.
Scheduled Backups
You can use the scheduler on management center to automate backups. You can also schedule remote device
backups from the management center.
The management center setup process schedules weekly configuration-only backups, to be stored locally.
This is not a substitute for full off-site backups—after initial setup finishes, you should review your scheduled
tasks and adjust them to fit your organization's needs.
For more information, see Scheduled Backups, on page 453.
Storing Backup Files
You can store backups locally. However, we recommend you back up management centers and managed
devices to a secure remote location by mounting an NFS, SMB, or SSHFS network volume as remote storage.
After you do this, all subsequent backups are copied to that volume, but you can still use the management
center to manage them.
For more information, see Remote Storage Management, on page 64 and Manage Backups and Remote
Storage, on page 447.
Restoring the Management Center and Managed Devices
You restore the management center from the Backup Management page. You must use the threat defense CLI
to restore threat defense devices, except for the ISA 3000 zero-touch restore, which uses an SD card and the
reset button.
For more information, see Restoring Management Centers and Managed Devices, on page 433.
What Is Backed Up?
Management Center backups can include:
• Configurations.
All configurations you can set on the management center web interface are included in a configuration
backup, with the exception of remote storage and audit log server certificate settings. In a multidomain
deployment, you must back up configurations. You cannot back up events or TID data only.
• Events.
Event backups include all events in the management center database. However, management center event
backups do not include intrusion event review status. Restored intrusion events do not appear on Reviewed
Events pages.
• Threat Intelligence Director (TID) data.
For more information, see About Backing Up and Restoring threat intelligence director Data in the Cisco
Secure Firewall Management Center Device Configuration Guide.
Device backups are always configuration-only.
What Is Restored?
Restoring configurations overwrites all backed-up configurations, with very few exceptions. On the management
center, restoring events and TID data overwrites all existing events and TID data, with the exception of
intrusion events.
Make sure you understand and plan for the following:
• You cannot restore what is not backed up.
Management Center configuration backups do not include remote storage and audit log server certificate
settings, so you must reconfigure these after restore. Also, because management center event backups
do not include intrusion event review status, restored intrusion events do not appear on Reviewed Events
pages.
• Restoring removes VPN certificates.
The threat defense restore process removes VPN certificates and all VPN configurations from threat
defense devices, including certificates added after the backup was taken. After you restore the threat
defense device, you must re-add/re-enroll all VPN certificates, and redeploy the device.
• Restoring to a configured management center — instead of factory-fresh or reimaged — merges intrusion
events and file lists.
The management center event restore process does not overwrite intrusion events. Instead, the intrusion
events in the backup are added to the database. To avoid duplicates, delete existing intrusion events
before you restore.
The management center configuration restore process does not overwrite clean and custom detection file
lists used by malware defense. Instead, it merges existing file lists with the file lists in the backup. To
replace file lists, delete existing file lists before you restore.
Requirements for Backup and Restore
Backup and restore has the following requirements.
Model Requirements: Backup
You can back up:
• management centers
• threat defense standalone devices, native instances, container instances, and HA pairs
• threat defense virtual for VMware devices, either standalone or HA pairs
Backup is not supported for:
• threat defense clusters
• threat defense virtual implementations other than threat defense virtual for VMware
If you need to replace a device where backup and restore is not supported, you must manually recreate
device-specific configurations. However, backing up the management center does back up policies and other
configurations that you deploy to managed devices, as well as events already transmitted from the devices to
the management center.
Model Requirements: Restore
A replacement managed device must be the same model as the one you are replacing, with the same number
of network modules and same type and number of physical interfaces.
For management centers, you can use backup and restore not only in an RMA scenario, but also to migrate
configurations and events between management centers. For details, including supported target and destination
models, see the Firepower Management Center Model Migration Guide.
Version Requirements
As the first step in any backup, note the patch level. To restore a backup, the old and the new appliance must
be running the same Firepower version, including patches.
Additionally, to restore Firepower software on a Firepower 4100/9300 chassis, the chassis must be running
a compatible FXOS version.
For management center backups, you are not required to have the same VDB or SRU. Note, however, that
restoring a backup will replace existing VDB with the VDB in the backup file.
License Requirements
Address licensing or orphan entitlements concerns as described in the best practices and procedures. If you
notice licensing conflicts, contact Cisco TAC.
Domain Requirements
To:
• Back up or restore the management center: Global only.
• Back up a device from the management center: Global only.
• Restore a device: None. Restore devices locally.
In a multidomain deployment you cannot back up only events/TID data. You must also back up configurations.
Guidelines and Limitations for Backup and Restore
Backup and restore has the following guidelines and limitations.
Backup and Restore is for Disaster Recovery/RMA
Backup and restore is primarily intended for RMA scenarios. Before you begin the restore process of a faulty
or failed physical appliance, contact Cisco TAC for replacement hardware.
You can also use backup and restore to migrate configurations and events between management centers. This
makes it easier to replace management centers due to technical or business reasons such as a growing
organization, migration from a physical to a virtual implementation, hardware refresh, and so on.
Backup and Restore is not Configuration Import/Export
A backup file contains information that uniquely identifies an appliance, and cannot be shared. Do not use
the backup and restore process to copy configurations between appliances or devices, or as a way to save
configurations while testing new ones. Instead, use the import/export feature.
For example, threat defense device backups include the device's management IP address and all information
the device needs to connect to its managing management center. Do not restore the threat defense backup to
a device being managed by a different management center; the restored device will attempt to connect to the
management center specified in the backup.
Restore is Individual and Local
You restore to management centers and managed devices individually and locally. This means:
• You cannot batch-restore to high availability (HA) management centers or devices. The restore procedures
in this guide explain how to restore in an HA environment.
• You cannot use the management center to restore a device. For the management center, you can use the
web interface to restore. For threat defense devices, you must use the threat defense CLI, except for the
ISA 3000 zero-touch restore, which uses an SD card and the reset button.
• You cannot use management center user accounts to log into and restore one of its managed devices.
Management Centers and devices maintain their own user accounts.
Configuration Import/Export Guidelines for Firepower 4100/9300
You can use the configuration export feature to export an XML file containing logical device and platform
configuration settings for your Firepower 4100/9300 chassis to a remote server or your local computer. You
can later import that configuration file to quickly apply the configuration settings to your Firepower 4100/9300
chassis to return to a known good configuration or to recover from a system failure.
Guidelines and Restrictions
• Do not modify the contents of the configuration file. If a configuration file is modified, configuration
import using that file might fail.
• Application-specific configuration settings are not contained in the configuration file. You must use the
configuration backup tools provided by the application to manage application-specific settings and
configurations.
• When you import a configuration to the Firepower 4100/9300 chassis, all existing configuration on the
Firepower 4100/9300 chassis (including any logical devices) are deleted and completely replaced by the
configuration contained in the import file.
• Except in an RMA scenario, we recommend you only import a configuration file to the same Firepower
4100/9300 chassis where the configuration was exported.
• The platform software version of the Firepower 4100/9300 chassis where you are importing should be
the same version as when the export was taken. If not, the import operation is not guaranteed to be
successful. We recommend you export a backup configuration whenever the Firepower 4100/9300 chassis
is upgraded or downgraded.
• The Firepower 4100/9300 chassis where you are importing must have the same Network Modules installed
in the same slots as when the export was taken.
• The Firepower 4100/9300 chassis where you are importing must have the correct software application
images installed for any logical devices defined in the export file that you are importing.
• To avoid overwriting existing backup files, change the file name in the backup operation or copy the
existing file to another location.
Best Practices for Backup and Restore
Backup and restore has the following best practices.
When to Back Up
We recommend backing up during a maintenance window or other time of low use.
While the system collects backup data, there may be a temporary pause in data correlation (management center
only), and you may be prevented from changing configurations related to the backup. If you include event
data, event-related features such as eStreamer are not available.
You should back up in the following situations:
• Regular scheduled backups.
As part of your disaster recovery plan, we recommend that you perform periodic backups.
Cisco Secure Firewall Management Center Administration Guide, 7.2
425
Tools
Best Practices for Backup and Restore
The Version 6.5.0+ management center setup process schedules weekly configuration-only backups, to
be stored locally. This is not a substitute for full off-site backups—after initial setup finishes, you should
review your scheduled tasks and adjust them to fit your organization's needs. For more information, see
Scheduled Backups, on page 453.
• After SLR changes.
Back up the management center after you make changes to Specific Licensing Reservations (SLRs). If
you make changes and then restore an older backup, you will have issues with your Specific Licensing
return code and can accrue orphan entitlements.
• Before upgrade or reimage.
If an upgrade fails catastrophically, you may have to reimage and restore. Reimaging returns most settings
to factory defaults, including the system password. If you have a recent backup, you can return to normal
operations more quickly.
• After upgrade.
Back up after you upgrade, so you have a snapshot of your freshly upgraded deployment. We recommend
you back up the management center after you upgrade its managed devices, so your new management
center backup file 'knows' that its devices have been upgraded.
Maintaining Backup File Security
Backups are stored as unencrypted archive (.tar) files.
Private keys in PKI objects—which represent the public key certificates and paired private keys required to
support your deployment—are decrypted before they are backed up. The keys are reencrypted with a randomly
generated key when you restore the backup.
Caution
We recommend you back up management centers and devices to a secure remote location and verify transfer
success. Backups left locally may be deleted, either manually or by the upgrade process, which purges locally
stored backups.
Especially because backup files are unencrypted, do not allow unauthorized access. If backup files are modified,
the restore process will fail. Keep in mind that anyone with the Admin/Maint role can access the Backup
Management page, where they can move and delete files from remote storage.
In the management center's system configuration, you can mount an NFS, SMB, or SSHFS network volume
as remote storage. After you do this, all subsequent backups are copied to that volume, but you can still use
the management center to manage them. For more information, see Remote Storage Management, on page
64 and Manage Backups and Remote Storage, on page 447.
Note that only the management center mounts the network volume. Managed device backup files are routed
through the management center. Make sure you have the bandwidth to perform a large data transfer between
the management center and its devices. For more information, see Guidelines for Downloading Data from
the Firepower Management Center to Managed Devices (Troubleshooting TechNote).
Backup and Restore in Management Center High Availability Deployments
In management center high availability deployments, backing up one management center does not back up
the other. You should regularly back up both peers. Do not restore one HA peer with the backup file from the
other. A backup file contains information that uniquely identifies an appliance, and cannot be shared.
Note that you can replace an HA management center without a successful backup. For more information on
replacing HA management centers, both with and without successful backups, see Replacing Management
Centers in a High Availability Pair, on page 290.
Backup and Restore in Threat Defense High Availability Deployments
In a threat defense HA deployment, you should:
• Back up the device pair from the management center, but restore individually and locally from the threat
defense CLI.
The backup process produces unique backup files for threat defense HA devices. Do not restore one HA
peer with the backup file from the other. A backup file contains information that uniquely identifies an
appliance, and cannot be shared.
The threat defense HA device's role is noted in its backup file name. When you restore, make sure you
choose the appropriate backup file: primary vs secondary.
• Do not suspend or break HA before you restore.
Maintaining the HA configuration ensures replacement devices can easily reconnect after restore. Note
that you will have to resume HA synchronization to make this happen.
• Do not run the restore CLI command on both peers at the same time.
Assuming you have successful backups, you can replace either or both peers in an HA pair. Any physical
replacement tasks you can perform simultaneously: unracking, reracking, and so on. However, do not
run the restore command on the second device until the restore process completes for the first device,
including the reboot.
Note that you can replace the threat defense HA device without a successful backup; see Replace a Unit in
Threat Defense High Availability Pair.
Backup and Restore for Firepower 4100/9300 Chassis
To restore Firepower software on a Firepower 4100/9300 chassis, the chassis must be running a compatible
FXOS version.
When you back up a Firepower 4100/9300 chassis, we strongly recommend you also back up FXOS
configurations. For additional best practices, see Configuration Import/Export Guidelines for Firepower
4100/9300, on page 425.
Before Backup
Before you back up, you should:
• Update the VDB and SRU on the management center.
We always recommend you use the latest vulnerability database (VDB) and intrusion rules (SRU). Before
you back up the management center, check the Cisco Support & Download site for newer versions.
• Check Disk Space.
Before you begin a backup, make sure you have enough disk space on the appliance or on your remote
storage server. The space available is displayed on the Backup Management page.
Backups can fail if there is not enough space. Especially if you schedule backups, make sure you regularly
prune backup files or allocate more disk space to the remote storage location.
Before Restore
Before restore, you should:
• Revert licensing changes.
Revert any licensing changes made since you took the backup.
Otherwise, you may have license conflicts or orphan entitlements after the restore. However, do not
unregister from Cisco Smart Software Manager (CSSM). If you unregister from CSSM, you must
unregister again after you restore, then re-register.
After the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements,
contact Cisco TAC.
• Disconnect faulty appliances.
Disconnect the management interface, and for devices, the data interfaces.
Restoring threat defense devices sets the management IP address of the replacement device to the
management IP address of the old device. To avoid IP conflicts, disconnect the old device from the
management network before you restore the backup on its replacement.
Note that restoring the management center does not change the management IP address. You must set
that manually on the replacement — just make sure you disconnect the old appliance from the network
before you do.
• Do not unregister managed devices.
Whether you are restoring the management center or managed device, do not unregister devices from
the management center, even if you physically disconnect an appliance from the network.
If you unregister, you will need to redo some device configurations, such as security zone to interface
mappings. After you restore, the management center and devices should begin communicating normally.
• Reimage.
In an RMA scenario, the replacement appliance will arrive configured with factory defaults. However,
if the replacement appliance is already configured, we recommend you reimage. Reimaging returns most
settings to factory defaults, including the system password. You can only reimage to major versions, so
you may need to patch after you reimage.
If you do not reimage, keep in mind that management center intrusion events and file lists are merged
rather than overwritten.
After Restore
After restore, you should:
• Reconfigure anything that was not restored.
This can include reconfiguring licensing, remote storage, and audit log server certificate settings. You
also must re-add/re-enroll failed threat defense VPN certificates.
• Update the VDB and SRU on the management center.
We always recommend you use the latest vulnerability database (VDB) and intrusion rules (SRU). This
is especially important for the VDB, because the VDB in the backup will overwrite the VDB on the
replacement management center.
• Deploy.
After you restore the management center, deploy to all managed devices. After you restore a device,
deploy to that device. You must deploy. If a device or devices are not marked out of date, force deploy
from the Device Management page: Redeploy Existing Configurations to a Device.
Backing Up Management Centers or Managed Devices
You can perform on-demand or scheduled backups for supported appliances.
You do not need a backup profile to back up devices from the management center. However, management
center backups require backup profiles. The on-demand backup process allows you to create a new backup
profile.
For more information, see:
• Back up the Management Center, on page 429
• Back up a Device from the Management Center, on page 431
• Create a Backup Profile, on page 432
• Scheduled Backups, on page 453
Back up the Management Center
Use this procedure to perform an on-demand management center backup.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
Procedure
Step 1
Select System ( ) > Tools > Backup/Restore.
The Backup Management page lists all locally and remotely stored backups. It also lists how much disk space
you have available to store backups. Backups can fail if there is not enough space.
Step 2
Choose whether to use an existing backup profile or start fresh.
Management Center backups require that you use or create a backup profile.
• Click Backup Profiles to use an existing backup profile.
Next to the profile you want to use, click the edit icon. You can then click Start Backup to begin the
backup right now. Or, if you want to edit the profile, go on to the next step.
• Click Firepower Management Backup to start fresh and create a new backup profile.
Enter a Name for the backup profile.
Step 3
Choose what to back up:
• Back Up Configuration
• Back Up Events
• Back Up Threat Intelligence Director
In a multidomain deployment, you must back up configurations. You cannot back up events or TID data only.
For details on what is and what is not backed up for each of these choices, see About Backup and Restore,
on page 421.
Step 4
Note the Storage Location for management center backup files.
This will either be local storage in /var/sf/backup/, or a remote network volume. For more information,
see Manage Backups and Remote Storage, on page 447.
Step 5
(Optional) Enable Copy when complete to copy completed management center backups to a remote server.
Provide a hostname or IP address, the path to the remote directory, and a username and password. To use an
SSH public key instead of a password, copy the contents of the SSH Public Key field to the specified user's
authorized_keys file on the remote server.
Note
This option is useful if you want to store backups locally and also SCP them to a remote location.
If you configured SSH remote storage, do not copy backup files to the same directory using Copy
when complete.
Step 6
(Optional) Enable Email and enter an email address to be notified when the backup completes.
To receive email notifications, you must configure the management center to connect to a mail server:
Configuring a Mail Relay Host and Notification Address, on page 81.
Step 7
Click Start Backup to start the on-demand backup.
If you are not using an existing backup profile, the system automatically creates one and uses it. If you decide
not to run the backup now, you can click Save or Save As New to save the profile. In either case, you can use
the newly created profile to configure scheduled backups.
Step 8
Monitor progress in the Message Center.
While the system collects backup data, there may be a temporary pause in data correlation, and you may be
prevented from changing configurations related to the backup. If you configured remote storage or enabled
Copy when complete, the management center may write temporary files to the remote server. These files are
cleaned up at the end of the backup process.
What to do next
If you configured remote storage or enabled Copy when complete, verify transfer success of the backup file.
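The guide asks you to verify transfer success and, under Maintaining Backup File Security, to protect the unencrypted archive from tampering. As an added example (not Cisco's code), the following POSIX shell function checks that an off-box copy of a backup archive is byte-for-byte identical to the original, that it still parses as a tar archive, and tightens its permissions. It assumes the remote copy is readable at a local path (for example on a mounted NFS, SMB, or SSHFS volume as described above); the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: confirm that a backup archive
# copied off the management center arrived intact before the local copy is
# pruned or relied on for a restore. Paths such as /var/sf/backup/fmc.tar and
# /mnt/backups/fmc.tar are placeholders.

# Print the SHA-256 digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_backup_copy ORIGINAL COPY
# Returns 0 when COPY matches ORIGINAL and is a readable tar archive;
# returns 1 with a reason on stderr otherwise.
verify_backup_copy() {
    src="$1"
    dst="$2"
    [ -f "$src" ] || { echo "missing original: $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "missing copy: $dst" >&2; return 1; }

    # Size check first: cheap, and it catches a truncated transfer immediately.
    if [ "$(wc -c < "$src")" -ne "$(wc -c < "$dst")" ]; then
        echo "size mismatch for $dst (transfer truncated?)" >&2
        return 1
    fi

    # Full digest comparison catches a same-size alteration in transit or at rest.
    if [ "$(sha256_of "$src")" != "$(sha256_of "$dst")" ]; then
        echo "checksum mismatch for $dst (file altered?)" >&2
        return 1
    fi

    # The restore process rejects modified archives, so make sure the copy
    # at least lists cleanly as a tar file.
    if ! tar -tf "$dst" >/dev/null 2>&1; then
        echo "$dst is not a readable tar archive" >&2
        return 1
    fi

    # Backups are unencrypted: the off-box copy should be owner-readable only.
    chmod 0600 "$dst" 2>/dev/null
    return 0
}
```

Record the digest you computed alongside the copy so a later restore can be checked against it as well.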
Back up a Device from the Management Center
Use this procedure to perform an on-demand backup of any of the following devices:
• threat defense: physical devices, standalone or HA
• threat defense virtual: VMware, standalone or HA
Backup and restore is not supported for any other platforms or configurations, including clustered devices.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
If you are backing up a Firepower 4100/9300 chassis, it is especially important that you also back up FXOS
configurations: Exporting an FXOS Configuration File, on page 432.
Procedure
Step 1
Select System ( ) > Tools > Backup/Restore, then click Managed Device Backup.
Step 2
Select one or more Managed Devices.
Step 3
Note the Storage Location for device backup files.
This will either be local storage in /var/sf/remote-backup/, or a remote network volume. For the
ISA 3000, if you have an SD card installed, a copy of the backup will also be made on the SD card at
/mnt/disk3/backup. For more information, see Manage Backups and Remote Storage, on page 447.
Step 4
If you did not configure remote storage, choose whether you want to Retrieve to Management Center.
• Enabled (default): Saves the backup to the management center in /var/sf/remote-backup/.
• Disabled: Saves the backup to the device in /var/sf/backup.
If you configured remote backup storage, backup files are saved remotely and this option has no effect.
Step 5
Click Start Backup to start the on-demand backup.
Step 6
Monitor progress in the Message Center.
What to do next
If you configured remote storage, verify transfer success of the backup file.
Exporting an FXOS Configuration File
Use the configuration export feature to export an XML file containing logical device and platform configuration
settings for your Firepower 4100/9300 chassis to a remote server or your local computer.
Note
This procedure explains how to use Secure Firewall chassis manager to export FXOS configurations when
you back up threat defense. For the CLI procedure, see the appropriate version of the Cisco Firepower
4100/9300 FXOS CLI Configuration Guide.
Before you begin
Review the Configuration Import/Export Guidelines for Firepower 4100/9300.
Procedure
Step 1
Choose System > Configuration > Export on the Secure Firewall chassis manager.
Step 2
To export a configuration file to your local computer:
a) Click Local.
b) Click Export.
The configuration file is created and, depending on your browser, the file might be automatically
downloaded to your default download location or you might be prompted to save the file.
Step 3
To export the configuration file to a remote server:
a) Click Remote.
b) Choose the protocol to use when communicating with the remote server. This can be one of the following:
FTP, TFTP, SCP, or SFTP.
c) Enter the hostname or IP address of the location where the backup file should be stored. This can be a
server, storage array, local drive, or any read/write media that the Firepower 4100/9300 chassis can access
through the network.
If you use a hostname rather than an IP address, you must configure a DNS server.
d) If you are using a non-default port, enter the port number in the Port field.
e) Enter the username the system should use to log in to the remote server. This field does not apply if the
protocol is TFTP.
f) Enter the password for the remote server username. This field does not apply if the protocol is TFTP.
g) In the Location field, enter the full path to where you want the configuration file exported including the
filename.
h) Click Export.
The configuration file is created and exported to the specified location.
Create a Backup Profile
A backup profile is a saved set of preferences—what to back up, where to store the backup file, and so on.
Management Center backups require backup profiles. Backup profiles are not required to back up a device
from the management center.
When you perform an on-demand management center backup, if you do not pick an existing backup profile,
the system automatically creates one and uses it. You can then use the newly created profile to configure
scheduled backups.
The following procedure explains how to create a backup profile without performing an on-demand backup.
Procedure
Step 1
Select System ( ) > Tools > Backup/Restore, then click Backup Profiles.
Step 2
Click Create Profile and enter a Name.
Step 3
Choose what to back up.
• Back Up Configuration
• Back Up Events
• Back Up Threat Intelligence Director
In a multidomain deployment, you must back up configurations. You cannot back up events or TID data only.
For details on what is and what is not backed up for each of these choices, see About Backup and Restore,
on page 421.
Step 4
Note the Storage Location for backup files.
This will either be local storage in /var/sf/backup/, or a remote network volume. For the ISA 3000, if
you have an SD card installed, a copy of the backup will also be made on the SD card at
/mnt/disk3/backup. For more information, see Manage Backups and Remote Storage, on page 447.
Step 5
(Optional) Enable Copy when complete to copy completed management center backups to a remote server.
Provide a hostname or IP address, the path to the remote directory, and a username and password. To use an
SSH public key instead of a password, copy the contents of the SSH Public Key field to the specified user's
authorized_keys file on the remote server.
Note
This option is useful if you want to store backups locally and also SCP them to a remote location.
If you configured SSHFS remote storage, do not copy backup files to the same directory using Copy
when complete.
Step 6
(Optional) Enable Email and enter an email address to be notified when the backup completes.
To receive email notifications, you must configure the management center to connect to a mail server:
Configuring a Mail Relay Host and Notification Address, on page 81.
Step 7
Click Save.
Restoring Management Centers and Managed Devices
For the management center, you use the web interface to restore from backup. For threat defense devices, you
must use the threat defense CLI. You cannot use the management center to restore a device.
The following sections explain how to restore management centers and managed devices.
• Restore Management Center from Backup, on page 434
• Replacing Management Centers in a High Availability Pair, on page 290
• Restore Threat Defense from Backup: Firepower 1000/2100/3100, ISA 3000 (Non-Zero-Touch), on page
435 (includes high availability examples)
• Zero-Touch Restore Threat Defense from Backup: ISA 3000, on page 438
• Restore Threat Defense from Backup: Firepower 4100/9300 Chassis, on page 440
• Restore Threat Defense from Backup: Threat Defense Virtual, on page 445
Restore Management Center from Backup
When you restore management center backups, you can choose to restore any or all of the components included
in the backup file (events, configurations, TID data).
Note
Restoring configurations overwrites all configurations, with very few exceptions. It also reboots the management
center. Restoring events and TID data overwrites all existing events and TID data, with the exception of
intrusion events. Make sure you are ready.
Use this procedure to restore the management center from backup. For more information on backup and restore
in management center HA deployments, see Replacing Management Centers in a High Availability Pair, on
page 290.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
Procedure
Step 1
Log into the management center you want to restore.
Step 2
Select System ( ) > Tools > Backup/Restore.
The Backup Management page lists all locally and remotely stored backup files. You can click a backup file
to view its contents.
If the backup file is not in the list and you have it saved on your local computer, click Upload Backup; see
Manage Backups and Remote Storage, on page 447.
Step 3
Select the backup file you want to restore and click Restore.
Step 4
Select from the available components to restore, then click Restore again to begin.
Step 5
Monitor progress in the Message Center.
If you are restoring configurations, you can log back in after the management center reboots.
What to do next
• If necessary, reconfigure any licensing settings that you reverted before the restore. If you notice licensing
conflicts or orphan entitlements, contact Cisco TAC.
• If necessary, reconfigure remote storage and audit log server certificate settings. These settings are not
included in backups.
• (Optional) Update the SRU and VDB. If the SRU or the VDB available on the Cisco Support & Download
site is newer than the version currently running, we recommend you install the newer version.
• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall
Management Center Administration Guide.
Restore Threat Defense from Backup: Firepower 1000/2100/3100, ISA 3000
(Non-Zero-Touch)
Threat Defense backup and restore is intended for RMA. Restoring configurations overwrites all configurations
on the device, including the management IP address. It also reboots the device.
In case of hardware failure, this procedure outlines how to replace a Firepower 1000/2100/3100 or ISA 3000
threat defense device, either standalone or in an HA pair. It assumes you have access to a successful backup
of the device or devices you are replacing; see Back up a Device from the Management Center, on page 431.
For zero-touch restore on the ISA 3000 using an SD card, see Zero-Touch Restore Threat Defense from
Backup: ISA 3000, on page 438.
In threat defense HA deployments, you can use this procedure to replace either or both peers. To replace both,
perform all steps on both devices simultaneously, except the restore CLI command itself. Note that you can
replace threat defense HA devices without a successful backup; see Replace a Unit in Threat Defense High
Availability Pair.
Note
Do not unregister from the management center, even when disconnecting a device from the network. In threat
defense HA deployments, do not suspend or break HA. Maintaining these links ensures replacement devices
can automatically reconnect after restore.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
Procedure
Step 1
Contact Cisco TAC for replacement hardware.
Obtain an identical model, with the same number of network modules and same type and number of physical
interfaces. You can begin the RMA process from the Cisco Returns Portal.
Step 2
Locate a successful backup of the faulty device.
Depending on your backup configuration, device backups may be stored:
• On the faulty device itself in /var/sf/backup.
• On the management center in /var/sf/remote-backup.
• In a remote storage location.
In threat defense HA deployments, you back up the pair as a unit but the backup process produces unique
backup files. The device's role is noted in the backup file name.
If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device,
the backup will be erased. If something else goes wrong, you may not be able to recover the backup. For more
information, see Manage Backups and Remote Storage, on page 447.
The replacement device will need the backup, but can retrieve it with SCP during the restore process. We
recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the
backup to the replacement device itself.
Step 3
Remove (unrack) the faulty device.
Disconnect all interfaces. In threat defense HA deployments, this includes the failover link.
See the hardware installation and getting started guides for your model: Cisco Secure Firewall Threat Defense:
Install and Upgrade Guides.
Note
Do not unregister from the management center, even when disconnecting a device from the network.
In threat defense HA deployments, do not suspend or break HA. Maintaining these links ensures
replacement devices can automatically reconnect after restore.
Step 4
Install the replacement device and connect it to the management network.
Connect the device to power and the management interface to the management network. In threat defense HA
deployments, connect the failover link. However, do not connect the data interfaces.
See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade
Guides.
Step 5
(Optional) Reimage the replacement device.
In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement
device is not running the same major version as the faulty device, we recommend you reimage.
See the Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide.
Step 6
Perform initial configuration on the replacement device.
Access the threat defense CLI as the admin user. You can use the console or you can SSH to the factory-default
management interface IP address (192.168.45.45). A setup wizard prompts you to configure the management
IP address, gateway, and other basic network settings.
Do not set the same management IP address as the faulty device. This can cause problems if you need to
register the device in order to patch it. The restore process will correctly reset the management IP address.
See the initial configuration topics in the getting started guide for your model: Cisco Secure Firewall Threat
Defense: Install and Upgrade Guides.
Note
If you need to patch the replacement device, start the management center registration process as
described in the getting started guide. If you do not need to patch, do not register.
Step 7
Make sure the replacement device is running the same Firepower software version, including patches, as the
faulty device.
Do not delete the existing device from the management center. Keep the replacement device disconnected
from the physical data network, and make sure the new hardware is running the same threat defense version
and patch as the device it replaces. The threat defense CLI does not have an upgrade command. To patch:
a) From the management center web interface, complete the device registration process: Add a Device to
the Management Center.
Create a new access control (AC) policy and use the default action "Network Discovery". Leave this policy as is; do not
add any features or modifications. This is being used to register the device and deploy a policy with no
features so that you do not require licenses, and you will then be able to patch the device. Once backup
is restored, it should restore the licensing and policy into the expected state.
b) Patch the device: Cisco Firepower Management Center Upgrade Guide.
c) Unregister the freshly patched device from the management center: Delete a Device from the Management
Center.
If you do not unregister, you will have a ghost device registered to the management center after the restore
process brings your "old" device back up.
Step 8
Make sure the replacement device has access to the backup file.
The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere
accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup.
Step 9
From the threat defense CLI, restore the backup.
Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly
configured management interface (IP address or hostname). Keep in mind that the restore process will change
this IP address.
To restore:
• With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file
• From the local device: restore remote-manager-backup backup tar-file
In threat defense HA deployments, make sure you choose the appropriate backup file: primary vs secondary.
The role is noted in the backup file name. If you are restoring both devices in the HA pair, do this sequentially.
Do not run the restore command on the second device until the restore process completes for the first device,
including the reboot.
Step 10
Log into the management center and wait for the replacement device to connect.
When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to the
management center. At this time, the device should appear out of date.
Step 11
Before you deploy, perform any post-restore tasks and resolve any post-restore issues:
• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.
• Resume HA synchronization. From the threat defense CLI, enter configure high-availability resume.
See Suspend and Resume High Availability.
• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense
devices, including certificates added after the backup was taken. See Managing Threat Defense Certificates.
Step 12
Deploy configurations.
You must deploy. If a restored device is not marked out of date, force deploy from the Device Management
page: Redeploy Existing Configurations to a Device.
Step 13
Connect the device's data interfaces.
See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade
Guides.
What to do next
Verify that the restore succeeded and the replacement device is passing traffic as expected.
Zero-Touch Restore Threat Defense from Backup: ISA 3000
Threat Defense backup and restore is intended for RMA. Restoring configurations overwrites all configurations
on the device, including the management IP address. It also reboots the device.
In case of hardware failure, this procedure outlines how to replace an ISA 3000 threat defense device, either
standalone or in an HA pair. It assumes you have a backup of the failed unit on an SD card; see Back up a
Device from the Management Center, on page 431.
In threat defense HA deployments, you can use this procedure to replace either or both peers. To replace both,
perform all steps on both devices simultaneously, except the restore CLI command itself. Note that you can
replace threat defense HA devices without a successful backup; see Replace a Unit in Threat Defense High
Availability Pair.
Note
Do not unregister from the management center, even when disconnecting a device from the network. In threat
defense HA deployments, do not suspend or break HA. Maintaining these links ensures replacement devices
can automatically reconnect after restore.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
Procedure
Step 1
Contact Cisco TAC for replacement hardware.
Obtain an identical model, with the same number of network modules and same type and number of physical
interfaces. You can begin the RMA process from the Cisco Returns Portal.
Step 2
Remove the SD card from the faulty device, and unrack the device.
Disconnect all interfaces. In threat defense HA deployments, this includes the failover link.
Note
Do not unregister from the management center, even when disconnecting a device from the network.
In threat defense HA deployments, do not suspend or break HA. Maintaining these links ensures
replacement devices can automatically reconnect after restore.
Step 3
Rerack the replacement device, and connect it to the management network. In threat defense HA deployments,
connect the failover link. However, do not connect the data interfaces.
If you need to reimage the device or apply a software patch, connect the power connector.
Step 4
(May be required) Reimage the replacement device.
In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement
device is not running the same major version as the faulty device, you need to reimage. Obtain the installer
from https://www.cisco.com/go/isa3000-software.
See the Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide to reimage.
Step 5
(May be required) Make sure the replacement device is running the same Firepower software version, including
the same patch version, as the faulty device. If you need to patch the device, you can connect to Secure Firewall
device manager (device manager) to install the patch.
The following procedure assumes you have a factory default configuration. If you already configured the
device, you can log into device manager and go directly to the Device > Upgrades page to install the patch.
In either case, obtain the patch package from https://www.cisco.com/go/isa3000-software.
a) Connect your computer directly to the inside (Ethernet 1/2) interface, and access device manager on the
default IP address: https://192.168.95.1.
b) Enter the admin username and the default password Admin123, then click Login.
c) Complete the setup wizard. Keep in mind that you are not going to retain anything you configure in device
manager; you only want to get past any initial configuration so you can apply the patches, so it doesn't
matter what you enter in the setup wizard.
d) Go to the Device > Upgrades page.
The System Upgrade section shows the currently running software version.
e) Upload the patch file by clicking Browse.
f) Click Install to start the installation process.
Information next to the icon indicates whether the device will reboot during installation. You are
automatically logged out of the system. Installation might take 30 minutes or more.
Wait before logging into the system again. The Device Summary, or System monitoring dashboard, should
show the new version.
Note
Do not simply refresh the browser window. Instead, delete any path from the URL, and reconnect
to the home page. This ensures that cached information gets refreshed with the latest code.
Step 6
Insert the SD card in the replacement device.
Step 7
Power on or reboot the device and shortly after it starts the bootup, depress and hold the Reset button for no
fewer than 3 seconds and no longer than 15 seconds.
If you used device manager to install a patch, you can reboot from the Device > System Settings >
Reboot/Shutdown page. From the threat defense CLI, use the reboot command. If you have not yet attached
power, attach it now.
Use a standard size #1 paper clip with wire gauge 0.033 inch or smaller to depress the Reset button. The
restoration process is triggered during bootup. The device restores the configuration, and then reboots. The
device will then register with the management center automatically.
If you are restoring both devices in an HA pair, do this sequentially. Do not restore the second device until
the restore process completes for the first device, including the reboot.
Step 8
Log into the management center and wait for the replacement device to connect.
At this time, the device should appear out of date.
Step 9
Before you deploy, perform any post-restore tasks and resolve any post-restore issues:
• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.
• Resume HA synchronization. From the threat defense CLI, enter configure high-availability resume.
See Suspend and Resume High Availability.
• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense
devices, including certificates added after the backup was taken. See Managing Threat Defense Certificates.
Step 10
Deploy configurations.
You must deploy. If a restored device is not marked out of date, force deploy from the Device Management
page: Redeploy Existing Configurations to a Device.
Step 11
Connect the device's data interfaces.
See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade
Guides.
What to do next
Verify that the restore succeeded and the replacement device is passing traffic as expected.
Restore Threat Defense from Backup: Firepower 4100/9300 Chassis
Threat Defense backup and restore is intended for RMA. Restoring configurations overwrites all configurations
on the device, including the management IP address. It also reboots the device.
In case of hardware failure, this procedure outlines how to replace a Firepower 4100/9300. It assumes you
have access to successful backups of:
• The logical device or devices you are replacing; see Back up a Device from the Management Center, on
page 431.
• FXOS configurations; see Exporting an FXOS Configuration File, on page 432.
Note
Do not unregister from the management center, even when disconnecting a device from the network.
Maintaining registration ensures replacement devices can automatically reconnect after restore.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
Procedure
Step 1
Contact Cisco TAC for replacement hardware.
Obtain an identical model, with the same number of network modules and same type and number of physical
interfaces. You can begin the RMA process from the Cisco Returns Portal.
Step 2
Locate a successful backup of the faulty device.
Depending on your backup configuration, device backups may be stored:
• On the faulty device itself in /var/sf/backup.
• On the management center in /var/sf/remote-backup.
• In a remote storage location.
If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device,
the backup will be erased. If something else goes wrong, you may not be able to recover the backup. For more
information, see Manage Backups and Remote Storage, on page 447.
The replacement device will need the backup, but can retrieve it with SCP during the restore process. We
recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the
backup to the replacement device itself.
Step 3
Locate a successful backup of your FXOS configurations.
Step 4
Remove (unrack) the faulty device.
Disconnect all interfaces.
See the hardware installation and getting started guides for your model: Cisco Secure Firewall Threat Defense:
Install and Upgrade Guides.
Note
Do not unregister from the management center, even when disconnecting a device from the network.
Maintaining registration ensures replacement devices can automatically reconnect after restore.
Step 5
Install the replacement device and connect it to the management network.
Connect the device to power and the management interface to the management network. However, do not
connect the data interfaces.
See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade
Guides.
Step 6
(Optional) Reimage the replacement device.
In an RMA scenario, the replacement device will arrive configured with factory defaults. If the replacement
device is not running the same major version as the faulty device, we recommend you reimage.
See the instructions on restoring the factory default configuration in the appropriate Cisco Firepower 4100/9300
FXOS Firepower Chassis Manager Configuration Guide.
Step 7
Make sure FXOS is running a compatible version.
You must be running a compatible FXOS version before you re-add logical devices. You can use chassis
manager to import your backed-up FXOS configurations: Importing a Configuration File, on page 443.
Step 8
Use chassis manager to add logical devices and perform initial configurations.
Do not set the same management IP addresses as the logical device or devices on the faulty chassis. This can
cause problems if you need to register a logical device in order to patch it. The restore process will correctly
reset the management IP address.
See the management center deployment chapter in the getting started guide for your model: Cisco Secure
Firewall Threat Defense: Install and Upgrade Guides.
Note
If you need to patch a logical device, register to the management center as described in the getting
started guide. If you do not need to patch, do not register.
Step 9
Make sure the replacement device is running the same Firepower software version, including patches, as the
faulty device.
Do not delete the existing device from the management center. Keep the replacement device off the data
network (only the management interface connected), and make sure the new hardware and the threat defense
patch you apply to it are at the same version as the faulty device. The threat defense CLI does not have an
upgrade command. To patch:
a) From the management center web interface, complete the device registration process: Add a Device to
the Management Center.
Create a new AC policy and use the default action "Network Discovery". Leave this policy as is; do not
add any features or modifications. This policy is used only to register the device and deploy a policy with
no features, so that no licenses are required and you can then patch the device. Once the backup is
restored, licensing and policy should return to the expected state.
b) Patch the device: Cisco Firepower Management Center Upgrade Guide.
c) Unregister the freshly patched device from the management center: Delete a Device from the Management
Center.
If you do not unregister, you will have a ghost device registered to the management center after the restore
process brings your "old" device back up.
Step 10
Make sure the replacement device has access to the backup file.
The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere
accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup.
Step 11
From the threat defense CLI, restore the backup.
Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly
configured management interface (IP address or hostname). Keep in mind that the restore process will change
this IP address.
To restore:
• With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file
• From the local device: restore remote-manager-backup backup tar-file
Step 12
Log into the management center and wait for the replacement device to connect.
When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to the
management center. At this time, the device should appear out of date.
Step 13
Before you deploy, perform any post-restore tasks and resolve any post-restore issues:
• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.
• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense
devices, including certificates added after the backup was taken. See Managing Threat Defense Certificates.
Step 14
Deploy configurations.
You must deploy. If a restored device is not marked out of date, force deploy from the Device Management
page: Redeploy Existing Configurations to a Device.
Step 15
Connect the device's data interfaces.
See the hardware installation guide for your model: Cisco Secure Firewall Threat Defense: Install and Upgrade
Guides.
What to do next
Verify that the restore succeeded and the replacement device is passing traffic as expected.
Importing a Configuration File
You can use the configuration import feature to apply configuration settings that were previously exported
from your Firepower 4100/9300 chassis. This feature allows you to return to a known good configuration or
to recover from a system failure.
Note
This procedure explains how to use chassis manager to import FXOS configurations before you restore the
software. For the CLI procedure, see the appropriate version of the Cisco Firepower 4100/9300 FXOS CLI
Configuration Guide.
Before you begin
Review the Configuration Import/Export Guidelines for Firepower 4100/9300.
Procedure
Step 1
Choose System > Tools > Import/Export on the chassis manager.
Step 2
To import from a local configuration file:
a) Click Local.
b) Click Choose File to navigate to and select the configuration file that you want to import.
c) Click Import.
A confirmation dialog box opens asking you to confirm that you want to proceed and warning you that
the chassis might need to restart.
d) Click Yes to confirm that you want to import the specified configuration file.
The existing configuration is deleted and the configuration specified in the import file is applied to the
Firepower 4100/9300 chassis. If there is a breakout port configuration change during the import, the
Firepower 4100/9300 chassis will need to restart.
Step 3
To import from a configuration file on a remote server:
a) Click Remote.
b) Choose the protocol to use when communicating with the remote server. This can be one of the following:
FTP, TFTP, SCP, or SFTP.
c) If you are using a non-default port, enter the port number in the Port field.
d) Enter the hostname or IP address of the location where the backup file is stored. This can be a server,
storage array, local drive, or any read/write media that the Firepower 4100/9300 chassis can access through
the network.
If you use a hostname rather than an IP address, you must configure a DNS server.
e) Enter the username the system should use to log in to the remote server. This field does not apply if the
protocol is TFTP.
f) Enter the password for the remote server username. This field does not apply if the protocol is TFTP.
g) In the File Path field, enter the full path to the configuration file including the file name.
h) Click Import.
A confirmation dialog box opens asking you to confirm that you want to proceed and warning you that
the chassis might need to restart.
i) Click Yes to confirm that you want to import the specified configuration file.
The existing configuration is deleted and the configuration specified in the import file is applied to the
Firepower 4100/9300 chassis. If there is a breakout port configuration change during the import, the
Firepower 4100/9300 chassis will need to restart.
Restore Threat Defense from Backup: Threat Defense Virtual
Use this procedure to replace a faulty or failed threat defense virtual device for VMware.
Note
Do not unregister from the management center, even when disconnecting a device from the network.
Maintaining registration ensures replacement devices can automatically reconnect after restore.
Before you begin
You must read and understand the requirements, guidelines, limitations, and best practices. You do not want
to skip any steps or ignore security concerns. Careful planning and preparation can help you avoid missteps.
• Requirements for Backup and Restore, on page 423
• Guidelines and Limitations for Backup and Restore, on page 424
• Best Practices for Backup and Restore, on page 425
Procedure
Step 1
Locate a successful backup of the faulty device.
Depending on your backup configuration, device backups may be stored:
• On the faulty device itself in /var/sf/backup.
• On the management center in /var/sf/remote-backup.
• In a remote storage location.
If the only copy of the backup is on the faulty device, copy it somewhere else now. If you reimage the device,
the backup will be erased. If something else goes wrong, you may not be able to recover the backup. For more
information, see Manage Backups and Remote Storage, on page 447.
The replacement device will need the backup, but can retrieve it with SCP during the restore process. We
recommend you put the backup somewhere SCP-accessible to the replacement device. Or, you can copy the
backup to the replacement device itself.
Step 2
Remove the faulty device.
Shut down, power off, and delete the virtual machine. For procedures, see the documentation for your virtual
environment.
Step 3
Deploy a replacement device.
See the Cisco Secure Firewall Threat Defense Virtual for VMware Getting Started Guide.
Step 4
Perform initial configuration on the replacement device.
Use the VMware console to access the threat defense CLI as the admin user. A setup wizard prompts you to
configure the management IP address, gateway, and other basic network settings.
Do not set the same management IP address as the faulty device. This can cause problems if you need to
register the device in order to patch it. The restore process will correctly reset the management IP address.
See the CLI setup topics in the getting started guide: Cisco Secure Firewall Threat Defense Virtual for VMware
Getting Started Guide.
Note
If you need to patch the replacement device, start the management center registration process as
described in the getting started guide. If you do not need to patch, do not register.
Step 5
Make sure the replacement device is running the same Firepower software version, including patches, as the
faulty device.
Do not delete the existing device from the management center. Keep the replacement device off the data
network (only the management interface connected), and make sure the new virtual machine and the threat
defense patch you apply to it are at the same version as the faulty device. The threat defense CLI does not
have an upgrade command. To patch:
a) From the management center web interface, complete the device registration process: Add a Device to
the Management Center.
Create a new AC policy and use the default action "Network Discovery". Leave this policy as is; do not
add any features or modifications. This policy is used only to register the device and deploy a policy with
no features, so that no licenses are required and you can then patch the device. Once the backup is
restored, licensing and policy should return to the expected state.
b) Patch the device: Cisco Firepower Management Center Upgrade Guide.
c) Unregister the freshly patched device from the management center: Delete a Device from the Management
Center.
If you do not unregister, you will have a ghost device registered to the management center after the restore
process brings your "old" device back up.
Step 6
Make sure the replacement device has access to the backup file.
The restore process can retrieve the backup with SCP, so we recommend you put the backup somewhere
accessible. Or, you can manually copy the backup to the replacement device itself, to /var/sf/backup.
Step 7
From the threat defense CLI, restore the backup.
Access the threat defense CLI as the admin user. You can use the console or you can SSH to the newly
configured management interface (IP address or hostname). Keep in mind that the restore process will change
this IP address.
To restore:
• With SCP: restore remote-manager-backup location scp-hostname username filepath backup tar-file
• From the local device: restore remote-manager-backup backup tar-file
Step 8
Log into the management center and wait for the replacement device to connect.
When the restore is done, the device logs you out of the CLI, reboots, and automatically connects to the
management center. At this time, the device should appear out of date.
Step 9
Before you deploy, perform any post-restore tasks and resolve any post-restore issues:
• Resolve licensing conflicts or orphan entitlements. Contact Cisco TAC.
• Re-add/re-enroll all VPN certificates. The restore process removes VPN certificates from threat defense
devices, including certificates added after the backup was taken. See Managing Threat Defense Certificates.
Step 10
Deploy configurations.
You must deploy. If a restored device is not marked out of date, force deploy from the Device Management
page: Redeploy Existing Configurations to a Device.
Step 11
Add and configure data interfaces.
See the Cisco Secure Firewall Threat Defense Virtual for VMware Getting Started Guide and the documentation
for your virtual environment.
What to do next
Verify that the restore succeeded and the replacement device is passing traffic as expected.
Manage Backups and Remote Storage
Backups are stored as unencrypted archive (.tar) files. The file name includes identifying information that can
include:
• The name of the backup profile or scheduled task associated with the backup.
• The display name or IP address of the backed-up appliance.
• The appliance's role, such as a member of an HA pair.
We recommend you back up appliances to a secure remote location and verify transfer success. Backups left
on an appliance may be deleted, either manually or by the upgrade process; upgrades purge locally stored
backups. For more information on your options, see Backup Storage Locations, on page 448.
Caution
Especially because backup files are unencrypted, do not allow unauthorized access. If backup files are modified,
the restore process will fail. Keep in mind that anyone with the Admin/Maint role can access the Backup
Management page, where they can move and delete files from remote storage.
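Because backups are plain .tar files and a modified archive makes the restore fail, the restore procedures above ("Make sure the replacement device has access to the backup file") benefit from an integrity check before the archive is handed to restore remote-manager-backup. The following script is an added example, not Cisco code: it records a SHA-256 for a backup archive when it is produced and, before restore, refuses an archive that was altered, truncated, or left readable by other accounts. The .sha256 sidecar naming and the constructed sample archive are assumptions; the storage paths are the guide's.

```python
"""Integrity and access checks for backup archives before a restore (added example)."""
import hashlib
import os
import stat
import tarfile
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Storage locations named in the guide.
BACKUP_LOCATIONS = ("/var/sf/backup", "/var/sf/remote-backup")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256; backup archives can be large."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_checksum(archive: Path) -> Path:
    """Write <archive>.sha256 in `sha256sum` format (assumed convention).
    In practice keep the sidecar on a different system from the archive, so
    someone who can edit the tar cannot also edit its reference hash."""
    sidecar = archive.with_name(archive.name + ".sha256")
    sidecar.write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return sidecar


def read_checksum(sidecar: Path) -> str:
    return sidecar.read_text().split()[0].lower()


@dataclass
class Verdict:
    ok: bool
    problems: list = field(default_factory=list)


def verify_backup(archive: Path, expected_sha256: str) -> Verdict:
    """Refuse an archive that is missing, not a tar, altered, or readable by others."""
    if not archive.is_file():
        return Verdict(False, ["archive missing"])
    problems = []
    if not tarfile.is_tarfile(archive):
        problems.append("not a tar archive")
    if sha256_file(archive) != expected_sha256.lower():
        problems.append("SHA-256 mismatch: archive modified or truncated")
    mode = stat.S_IMODE(archive.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} allows group/other access to an unencrypted backup")
    return Verdict(not problems, problems)


def inventory(locations=BACKUP_LOCATIONS) -> list:
    """List .tar backups in the documented locations; skips directories that do not exist."""
    found = []
    for loc in locations:
        directory = Path(loc)
        if directory.is_dir():
            found.extend(sorted(p for p in directory.glob("*.tar") if p.is_file()))
    return found


def run_demo() -> dict:
    """Constructed walk-through in a temp dir: a clean archive passes, a tampered
    copy and a world-readable copy are rejected. Returns the verdicts."""
    work = Path(tempfile.mkdtemp(prefix="ftd-backup-demo-"))
    archive = work / "constructed-device-backup.tar"
    member = work / "config.txt"
    member.write_text("constructed sample config\n")
    with tarfile.open(archive, "w") as tar:  # constructed stand-in, not a real backup
        tar.add(member, arcname="config.txt")
    os.chmod(archive, 0o600)
    expected = read_checksum(record_checksum(archive))

    clean = verify_backup(archive, expected)

    tampered = work / "tampered.tar"
    tampered.write_bytes(archive.read_bytes() + b"\0")  # a single appended byte
    os.chmod(tampered, 0o600)
    altered = verify_backup(tampered, expected)

    os.chmod(archive, 0o644)  # same bytes, but now readable by group/other
    exposed = verify_backup(archive, expected)
    os.chmod(archive, 0o600)
    return {"clean": clean, "tampered": altered, "exposed": exposed}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {'OK' if verdict.ok else 'REJECT'} {verdict.problems}")
    print("backups present:", [str(p) for p in inventory()])
```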
The following procedure describes how to manage backup files.
Procedure
Step 1
Select System > Tools > Backup/Restore.
The Backup Management page lists available backups. It also lists how much disk space you have available
to store backups. Backups can fail if there is not enough space.
Step 2
Do one of the following:
Table 49: Remote Storage and Backup File Management

To: Enable or disable remote storage for backups without having to edit the management center system
configuration.
Do this: Click Enable Remote Storage for Backups.
This option appears only after you configure remote storage. Toggling it here also toggles it in the system
configuration (System > Configuration > Remote Storage Device).
Tip: To quickly access your remote storage configuration, click Remote Storage at the upper right of the
Backup Management page.
Note: To store backup on the remote storage location, you must also enable the Retrieve to Management
Center option (see Back up a Device from the Management Center, on page 431).

To: Move a file between the management center and the remote storage location.
Do this: Click Move.
You can move a file back and forth as many times as you want. This will delete—not copy—the file from the
current location.
When you move a backup file from remote storage to the management center, where it is stored on the
management center depends on the kind of backup:
• Management Center backups: /var/sf/backup
• Device backups: /var/sf/remote-backup

To: View the contents of the backup.
Do this: Click the backup file.

To: Delete a backup file.
Do this: Choose a backup file and click Delete.
You can delete both locally and remotely stored backup files.

To: Upload a backup file from your computer.
Do this: Click Upload Backup, choose a backup file, and click Upload Backup again.

To: Download a backup to your computer.
Do this: Choose a backup file and click Download.
Unlike moving a backup file, this does not delete the backup from the management center.
Backup Storage Locations
The following table describes backup storage options for management centers and managed devices.
Table 50: Backup Storage Locations

Location: Remote, by mounting a network volume (NFS, SMB, SSHFS).
Details:
Note: Backup is stored on a remote storage location only when you have configured remote storage and
enabled the Retrieve to Management Center option (see Back up a Device from the Management Center, on
page 431).
In the management center's system configuration, you can mount an NFS, SMB, or SSHFS network volume
as remote storage for management center and device backups; see Remote Storage Management, on page 64.
After you do this, all subsequent management center backups and management center-initiated device backups
are copied to that volume, but you can still use the management center to manage them (restore, download,
upload, delete, move).
Note that only the management center mounts the network volume. Managed device backup files are routed
through the management center. Make sure you have the bandwidth to perform a large data transfer between
the management center and its devices. For more information, see Guidelines for Downloading Data from the
Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Location: Remote, by copying (SCP).
Details:
Note: Backup is stored on a remote storage location only when you have configured remote storage and
enabled the Retrieve to Management Center option (see Back up a Device from the Management Center, on
page 431).
For the management center, you can use a Copy when complete option to securely copy (SCP) completed
backups to a remote server.
Compared with remote storage by mounting a network volume, Copy when complete cannot copy to NFS or
SMB volumes. You cannot provide CLI options or set a disk space threshold, and it does not affect remote
storage of reports. You also cannot manage backup files after they are copied out.
This option is useful if you want to store backups locally and SCP them to a remote location.
Note: If you configure SSHFS remote storage in the management center system configuration, do not copy
backup files to the same directory using Copy when complete.

Location: Local, on the management center.
Details: If you do not configure remote storage by mounting a network volume, you can save backup files on
the management center:
• Management center backups are saved to /var/sf/backup.
• Device backups are saved to /var/sf/remote-backup on the management center if you enable the Retrieve
to Management Center option when you perform the backup.

Location: Local, on the device internal flash memory.
Details: Device backup files are saved to /var/sf/backup on the device if you:
• Do not configure remote storage by mounting a network volume.
• Do not enable Retrieve to Management Center.

Location: Local, on the device SD card.
Details: For the ISA 3000, when you back up the device to the local /var/sf/backup internal flash memory
location, if you have an SD card installed, the backup is automatically copied to the SD card at
/mnt/disk3/backup/ for use with zero-touch restore.
History for Backup and Restore

Feature: Zero-touch restore for the ISA 3000 using the SD card
Version: 7.0
Details: When you perform a local backup, the backup file is copied to the SD card if present. To restore the
configuration on a replacement device, simply install the SD card in the new device, and depress the Reset
button for 3 to 15 seconds during the device bootup.

Feature: Support for backup and restore of threat defense container instances
Version: 6.7
Details: You can now use the management center to perform on-demand remote backups of threat defense
container instances on the Firepower 4100/9300.

Feature: VDB requirements for restore
Version: 6.6
Details: Restoring the management center from backup now replaces the existing VDB with the VDB in the
backup file. You no longer need to match VDB versions before you restore.

Feature: Automatically scheduled backups
Version: 6.5
Details: For new or reimaged management centers, the setup process creates a weekly scheduled task to back
up management center configurations and store them locally.

Feature: On-demand remote backups of managed devices
Version: 6.3
Details: You can now use the management center to perform on-demand remote backups of certain managed
devices.
For supported platforms, see Requirements for Backup and Restore, on page 423.
New/modified screens: System > Tools > Backup/Restore > Managed Device Backup
New/modified threat defense CLI commands: restore
CHAPTER 16
Scheduling
The following topics explain how to schedule tasks:
• About Task Scheduling, on page 451
• Requirements and Prerequisites for Task Scheduling, on page 452
• Configuring a Recurring Task, on page 452
• Scheduled Task Review, on page 468
• History for Scheduled Tasks, on page 471
About Task Scheduling
You can schedule many different types of administrative tasks to run at designated times, either once or on a
recurring basis.
Important
Keep the following best practices in mind when considering the tasks to schedule for your system:
• As a part of initial configuration, the system schedules a weekly task to download the latest software
updates. If the task scheduling fails and the management center has internet access, we recommend you
schedule a recurring task for downloading software updates as described in Automating Software
Downloads, on page 463. This task downloads software updates to the management center. It is your
responsibility to install any updates this task downloads.
• As a part of initial configuration, the system schedules a weekly task to perform a locally stored
configuration-only management center backup. If the task scheduling fails we recommend you schedule
a recurring task to perform a backup as described in Schedule Management Center Backups, on page
454.
• As a part of initial configuration the system downloads and installs the latest vulnerability database
(VDB) update from the Cisco Support & Download site. This is a one-time operation. To keep the system
up to date, if the management center has internet access, we recommend you schedule tasks to perform
automatic recurring VDB update downloads and installations as described in Vulnerability Database
Update Automation, on page 465.
Tasks configured using this feature are scheduled in UTC, which means when they occur locally depends on
the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight
Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you
are affected, scheduled tasks occur one hour "later" in the summer than in the winter, according to local time.
Important
We strongly recommend you review scheduled tasks to be sure they occur when you intend.
Note
Some tasks (such as those involving automated software updates or that require pushing updates to managed
devices) may place a significant load on networks with low bandwidths. You should schedule tasks like these
to run during periods of low network use.
Requirements and Prerequisites for Task Scheduling
Model Support
Any.
Supported Domains
Any.
User Roles
• Admin
• Maintenance User
Configuring a Recurring Task
You set the frequency for a recurring task using the same process for all types of tasks.
Note that the time displayed on most pages on the web interface is the local time, which is determined by
using the time zone you specify in your local configuration. Further, the Secure Firewall Management Center
automatically adjusts its local time display for daylight saving time (DST), where appropriate. However,
recurring tasks that span the transition dates from DST to standard time and back do not adjust for the transition.
That is, if you create a task scheduled for 2:00 AM during standard time, it will run at 3:00 AM during DST.
Similarly, if you create a task scheduled for 2:00 AM during DST, it will run at 1:00 AM during standard
time.
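The UTC-scheduling behaviour described in About Task Scheduling and in the paragraph above can be checked with a small model. This is an added example, not code from the guide or from Cisco; it models the scheduler only as the guide states it (the run time is stored as a UTC time of day and is never adjusted for DST) and assumes the US DST rule with US Eastern offsets (UTC-5 standard, UTC-4 daylight) purely for illustration, so no tz database is needed.

```python
"""Model of a recurring task stored as a UTC time of day (added example, not Cisco code).

Assumptions (not from the guide): US DST rule (second Sunday of March to first
Sunday of November) and US Eastern offsets. Transition-day edge cases are ignored.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

STANDARD_OFFSET = timedelta(hours=-5)  # assumed: US Eastern standard time
DAYLIGHT_OFFSET = timedelta(hours=-4)  # assumed: US Eastern daylight time


def _nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of the given month."""
    first = date(year, month, 1)
    offset = (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=offset + 7 * (n - 1))


def dst_in_effect(local_day: date) -> bool:
    """Assumed US rule: DST from the 2nd Sunday of March to the 1st Sunday of November."""
    start = _nth_sunday(local_day.year, 3, 2)
    end = _nth_sunday(local_day.year, 11, 1)
    return start <= local_day < end


def local_offset(local_day: date) -> timedelta:
    """UTC offset in force on a given local day."""
    return DAYLIGHT_OFFSET if dst_in_effect(local_day) else STANDARD_OFFSET


@dataclass(frozen=True)
class ScheduledTask:
    """A recurring task as the guide describes it: the run time is frozen in UTC."""
    name: str
    run_at_utc: time

    @classmethod
    def create(cls, name: str, local_day: date, local_time: time) -> "ScheduledTask":
        """Convert the wall-clock time typed on the creation day into UTC once."""
        tz = timezone(local_offset(local_day))
        utc_dt = datetime.combine(local_day, local_time, tzinfo=tz).astimezone(timezone.utc)
        return cls(name, utc_dt.time())

    def local_run_time(self, local_day: date) -> time:
        """Wall-clock time the task fires on local_day, using that day's UTC offset."""
        utc_dt = datetime.combine(local_day, self.run_at_utc, tzinfo=timezone.utc)
        return utc_dt.astimezone(timezone(local_offset(local_day))).time()


def wall_clock_drift_hours(task: ScheduledTask, day_a: date, day_b: date) -> int:
    """Signed hours by which the local run time on day_b differs from day_a.
    A non-zero value is exactly the one-hour shift the guide warns about."""
    a, b = task.local_run_time(day_a), task.local_run_time(day_b)
    return ((b.hour - a.hour + 12) % 24) - 12


def demo_drift(created_on: str, local_hhmm: str, check_on: str) -> dict[str, object]:
    """Convenience wrapper on ISO strings: where does a task created at
    local_hhmm on created_on actually fire on check_on?"""
    created = date.fromisoformat(created_on)
    checked = date.fromisoformat(check_on)
    task = ScheduledTask.create("nightly backup", created, time.fromisoformat(local_hhmm))
    return {
        "utc": task.run_at_utc.strftime("%H:%M"),
        "on_creation_day": task.local_run_time(created).strftime("%H:%M"),
        "on_check_day": task.local_run_time(checked).strftime("%H:%M"),
        "drift_hours": wall_clock_drift_hours(task, created, checked),
    }


if __name__ == "__main__":
    # Task created at 02:00 during standard time fires at 03:00 in summer.
    print(demo_drift("2024-01-15", "02:00", "2024-07-15"))
    # Task created at 02:00 during DST fires at 01:00 in winter.
    print(demo_drift("2024-07-15", "02:00", "2025-01-15"))
```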
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From the Job Type drop-down list, select the type of task that you want to schedule.
Step 4
Click Recurring next to the Schedule task to run option.
Step 5
In the Start On field, specify the date when you want to start your recurring task.
Step 6
In the Repeat Every field, specify how often you want the task to recur.
You can either type a number or click Up and Down to specify the interval. For example, type 2 and click Days to run the task every two days.
Step 7
In the Run At field, specify the time when you want to start your recurring task.
Step 8
For a task to be run on a weekly or monthly basis, select the days when you want to run the task in the Repeat
On field.
Step 9
Select the remaining options for the type of task you are creating:
• Backup - Schedule backup jobs as described in Schedule Management Center Backups, on page 454.
• Download CRL - Schedule certificate revocation list downloads as described in Configuring Certificate Revocation List Downloads, on page 455.
• Deploy Policies - Schedule policy deployment as described in Automating Policy Deployment, on page 456.
• Nmap Scan - Schedule Nmap scans as described in Scheduling an Nmap Scan, on page 458.
• Report - Schedule report generation as described in Automating Report Generation, on page 459.
• Cisco Recommended Rules - Schedule automatic update of Cisco recommended rules as described in Automating Cisco Recommendations, on page 460.
• Download Latest Update - Schedule software or VDB update downloads as described in Automating Software Downloads, on page 463 or Automating VDB Update Downloads, on page 466.
• Install Latest Update - Schedule installation of software or VDB updates on a Secure Firewall Management Center or managed device as described in Automating Software Installs, on page 464 or Automating VDB Update Installs, on page 466.
• Push Latest Update - Schedule push of software updates to managed devices as described in Automating Software Pushes, on page 463.
• Update URL Filtering Database - Schedule automatic update of URL filtering data as described in Automating URL Filtering Updates Using a Scheduled Task, on page 467.
Step 10
Click Save.
Scheduled Backups
You can use the scheduler on a Secure Firewall Management Center to automate its own backups. You can
also schedule remote device backups from the management center. For more information on backups, see
Backup/Restore, on page 421.
Note that not all devices support remote backups.
Schedule Management Center Backups
You can use the scheduler on the Secure Firewall Management Center to automate both management center
and device backups. Note that not all devices support remote backups. For more information, see
Backup/Restore, on page 421.
Note
As a part of initial configuration, the system schedules a weekly task to perform a locally stored
configuration-only management center backup. If the task scheduling fails we recommend you schedule a
recurring task to perform a backup as described in this topic.
Before you begin
Create a backup profile that specifies your backup preferences. See Create a Backup Profile, on page 432.
You must be in the global domain to perform this task.
Procedure
Step 1
Choose System > Tools > Scheduling.
Step 2
From the Job Type list, select Backup.
Step 3
Specify whether you want to back up Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452.
Step 4
Enter a Job Name.
Step 5
For the Backup Type, click Management Center.
Step 6
Choose a Backup Profile.
Step 7
(Optional) Enter a Comment.
Keep comments brief. They will appear in the Task Details section of the schedule calendar page.
Step 8
(Optional) Enter an email address, or a comma-separated list of email addresses, in the Email Status To:
field.
For information on setting up an email relay server to send task status messages, see Configuring a Mail Relay
Host and Notification Address, on page 81.
Step 9
Click Save.
Schedule Remote Device Backups
You can use the scheduler on the Secure Firewall Management Center to automate both management center
and device backups. Note that not all devices support remote backups. For more information, see
Backup/Restore, on page 421.
You must be in the global domain to perform this task.
Procedure
Step 1
Choose System > Tools > Scheduling.
Step 2
From the Job Type list, select Backup.
Step 3
Specify whether you want to back up Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452.
Step 4
Enter a Job Name.
Step 5
For the Backup Type, click Device.
Step 6
Select one or more devices.
If your device is not listed, it does not support remote backup.
Step 7
If you did not configure remote storage for backups, choose whether you want to Retrieve to Management
Center.
• Enabled (default): Saves the backup to the management center in /var/sf/remote-backup/.
• Disabled: Saves the backup to the device in /var/sf/backup/.
If you configured remote backup storage, backup files are saved remotely and this option has no effect. For
more information, see Manage Backups and Remote Storage, on page 447.
Step 8
(Optional) Enter a Comment.
Keep comments brief. They will appear in the Task Details section of the schedule calendar page.
Step 9
(Optional) Enter an email address, or a comma-separated list of email addresses, in the Email Status To:
field.
For information on setting up an email relay server to send task status messages, see Configuring a Mail Relay
Host and Notification Address, on page 81.
Step 10
Click Save.
Configuring Certificate Revocation List Downloads
You must perform this procedure using the local web interface for the Secure Firewall Management Center.
In a multidomain deployment, this task is only supported in the Global domain for the Secure Firewall
Management Center.
The system automatically creates the Download CRL task when you enable downloading a certificate revocation
list (CRL) in the local configuration on an appliance where you enable user certificates or audit log certificates
for the appliance. You can use the scheduler to edit the task to set the frequency of the update.
Before you begin
• Enable and configure user certificates or audit log certificates and set one or more CRL download URLs.
See Requiring Valid HTTPS Client Certificates, on page 49 and Require Valid Audit Log Server
Certificates, on page 78 for more information.
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From Job Type, select Download CRL.
Step 4
Specify how you want to schedule the CRL download, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Type a name in the Job Name field.
Step 6
If you want to comment on the task, type a comment in the Comment field.
The comment field appears in the Task Details section of the schedule calendar page; keep comments brief.
Step 7
If you want to email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field. You must have a valid email relay server configured on the Secure
Firewall Management Center to send status messages.
Step 8
Click Save.
Related Topics
Configuring a Mail Relay Host and Notification Address, on page 81
Automating Policy Deployment
After modifying configuration settings in the management center, you must deploy those changes to the
affected devices.
In a multidomain deployment, you can schedule policy deployments only for your current domain.
Caution
When you deploy, resource demands may result in a small number of packets dropping without inspection.
Additionally, deploying some configurations restarts the Snort process, which interrupts traffic inspection.
Whether traffic drops during this interruption or passes without further inspection depends on how the target
device handles traffic. See Snort Restart Traffic Behavior and Configurations that Restart the Snort Process
When Deployed or Activated.
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From Job Type, select Deploy Policies.
Step 4
Specify how you want to schedule the task, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Type a name in the Job Name field.
Step 6
In the Device field, select a device where you want to deploy policies.
Step 7
Select or deselect the Skip deployment for up-to-date devices check box, as required.
By default, the Skip deployment for up-to-date devices option is enabled to improve performance during
the policy deployment process.
Note
The system does not perform a scheduled policy deployment task if a policy deployment initiated from the management center web interface is in progress. Correspondingly, the system does not permit you to initiate a policy deployment from the web interface if a scheduled policy deployment task is in progress.
Step 8
If you want to comment on the task, type a comment in the Comment field.
The comment field displays in the Task Details section of the schedule calendar page; keep comments brief.
Step 9
If you want to email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field. You must have a valid email relay server configured to send status
messages.
Step 10
Click Save.
Related Topics
Configuring a Mail Relay Host and Notification Address, on page 81
Out-of-Date Policies
Nmap Scan Automation
You can schedule regular Nmap scans of targets on your network. Automated scans allow you to refresh
information previously supplied by an Nmap scan. Because the system cannot update Nmap-supplied data,
you need to rescan periodically to keep that data up to date. You can also schedule scans to automatically test
for unidentified applications or servers on hosts in your network.
Note that a Discovery Administrator can also use an Nmap scan as a remediation. For example, when an
operating system conflict occurs on a host, that conflict may trigger an Nmap scan. Running the scan obtains
updated operating system information for the host, which resolves the conflict.
If you have not used the Nmap scanning capability before, you configure Nmap scanning before defining a
scheduled scan.
Related Topics
Nmap Scanning
Scheduling an Nmap Scan
After Nmap replaces a host’s operating system, applications, or servers detected by the system with the results
from an Nmap scan, the system no longer updates the information replaced by Nmap for the host.
Nmap-supplied service and operating system data remains static until you run another Nmap scan. If you plan
to scan a host using Nmap, you may want to set up regularly scheduled scans to keep Nmap-supplied operating
systems, applications, or servers up to date. If the host is deleted from the network map and re-added, any
Nmap scan results are discarded and the system resumes monitoring of all operating system and service data
for the host.
In a multidomain deployment:
• You can schedule scans only for your current domain.
• The remediation and Nmap targets you select must exist at your current domain or an ancestor domain.
• Choosing to perform an Nmap scan on a non-leaf domain scans the same targets in each descendant of
that domain.
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From Job Type, select Nmap Scan.
Step 4
Specify how you want to schedule the task, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Type a name in the Job Name field.
Step 6
In the Nmap Remediation field, select an Nmap remediation.
Step 7
In the Nmap Target field, select the scan target.
Step 8
In the Domain field, select the domain whose network map you want to augment.
Step 9
If you want to comment on the task, type a comment in the Comment field.
Tip
The comment field appears in the Task Details section of the calendar schedule page; keep comments
brief.
Step 10
If you want to email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field. You must have a valid email relay server configured to send status
messages.
Step 11
Click Save.
Related Topics
Configuring a Mail Relay Host and Notification Address, on page 81
Automating Report Generation
You can automate reports so that they run at regular intervals.
In a multidomain deployment, you can schedule reports only for your current domain.
Before you begin
• For reports other than risk reports: Create a report template. See Report Templates, on page 492 for more
information.
• If you want to distribute email reports using the scheduler, configure a mail relay host and specify report
recipients and message information. See Configuring a Mail Relay Host and Notification Address, on
page 81 and (for reports other than risk reports) Distributing Reports by Email at Generation Time, on
page 511 or (for risk reports) Generating, Viewing, and Printing Risk Reports, on page 490.
• (Optional) Set or change the file name, output format, time window, or email distribution settings of the
scheduled report. See Specify Report Generation Settings for a Scheduled Report, on page 460.
• If you will choose PDF as the report output format, look at the report template and verify that the number
of results in each section of the template does not exceed the limit for PDFs. For information, see Report
Template Fields, on page 492.
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From the Job Type list, select Report.
Step 4
Specify how you want to schedule the task, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Type a name in the Job Name field.
Step 6
In the Report Template field, select a risk report or report template.
Step 7
If you want to comment on the task, type a comment in the Comment field.
The comment field appears in the Task Details section of the schedule calendar page; keep comments brief.
Step 8
If you want to email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field. You must have a valid email relay server configured to send status
messages.
Note
Configuring this option does not distribute the reports.
Step 9
If you do not want to receive report email attachments when reports have no data (for example, when no
events of a certain type occurred during the report period), select the If report is empty, still attach to email
check box.
Step 10
Click Save.
Specify Report Generation Settings for a Scheduled Report
You must have Admin or Security Analyst privileges to perform this task.
To specify or change the file name, output format, time window, or email distribution settings of a scheduled
report:
Procedure
Step 1
Select Overview > Reporting > Report Templates.
Step 2
Click Edit for the report template to change.
Step 3
If you will select PDF output:
a) Look to see whether any of the sections in the report shows a yellow triangle beside the number of results.
b) If you see any yellow triangles, mouse over the triangle to view the maximum number of results allowable
for that section for PDF output.
c) For each section with a yellow triangle, reduce the number of results to a number below the limit.
d) When there are no more yellow triangles, click Save.
Step 4
Click Generate.
Note
If you want to change report generation settings without generating the report now, you must click
Generate from the template configuration page. Changes will not be saved if you click Generate
from the template list view unless you generate the report.
Step 5
Modify settings.
Step 6
To save the new settings without generating the report, click Cancel.
To save the new settings and generate the report, click Generate and skip the rest of the steps in this procedure.
Step 7
Click Save.
Step 8
If you see a prompt to save even though you haven't made changes, click OK.
Automating Cisco Recommendations
You can automatically generate rule state recommendations based on network discovery data for your network
using the most recently saved configuration settings in a custom intrusion policy.
Note
If the system automatically generates scheduled recommendations for an intrusion policy with unsaved changes,
you must discard your changes in that policy and commit the policy if you want the policy to reflect the
automatically generated recommendations.
When the task runs, the system automatically generates recommended rule states, and modifies the states of
intrusion rules based on the configuration of your policy. Modified rule states take effect the next time you
deploy your intrusion policy.
In a multidomain deployment, you can automate recommendations for intrusion policies at the current domain
level. The system builds a separate network map for each leaf domain. In a multidomain deployment, if you
enable this feature in an intrusion policy in an ancestor domain, the system generates recommendations using
data from all descendant leaf domains. This can enable intrusion rules tailored to assets that may not exist in
all leaf domains, which can affect performance.
Before you begin
• Configure Cisco recommended rules in an intrusion policy as described in the Cisco Secure Firewall
Management Center Device Configuration Guide.
• If you want to email task status messages, configure a valid email relay server.
• You must have the Threat Smart License or Protection Classic License to generate recommendations.
Procedure
Step 1
Choose System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From Job Type, choose Cisco Recommended Rules.
Step 4
Specify how you want to schedule the task, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Enter a name in the Job Name field.
Step 6
Next to Policies, choose one or more intrusion policies where you want to generate recommendations. Check
the All Policies check box to choose all intrusion policies.
Step 7
(Optional) Enter a comment in the Comment field.
Keep comments brief. Comments appear in the Task Details section of the schedule calendar page.
Step 8
(Optional) To email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field.
Step 9
Click Save.
Related Topics
Conflicts and Changes: Network Analysis and Intrusion Policies
About Cisco Recommended Rules
Configuring a Mail Relay Host and Notification Address, on page 81
Software Update Automation
You can automatically download and apply most patches and feature releases to the system.
Important
As a part of initial configuration, the system schedules a weekly task to download the latest software updates.
If the task scheduling fails and the management center has internet access, we recommend you schedule a
recurring task for downloading software updates as described in Automating Software Downloads, on page
463. This task downloads software updates to the management center. It is your responsibility to install any
updates this task downloads.
The tasks you must schedule to install software updates vary depending on whether you are updating the
management center or are using a management center to update managed devices.
Note
Cisco strongly recommends that you use your management centers to update the devices they manage.
• To update the management center, schedule the software installation using the Install Latest Update task.
• To use a management center to automate software updates for its managed devices, you must schedule
two tasks:
• Push (copy) the update to managed devices using the Push Latest Update task.
• Install the update on managed devices using the Install Latest Update task.
When scheduling updates to managed devices, schedule the push and install tasks to happen in succession;
you must first push the update to the device before you can install it. To automate software updates on
a device group, you must select all the devices within the group. Allow enough time between tasks for
the process to complete; schedule tasks at least 30 minutes apart. If you schedule a task to install an
update and the update has not finished copying from the management center to the device, the installation
task will not succeed. However, if the scheduled installation task repeats daily, it will install the pushed
update when it runs the next day.
Note
You must manually upload and install updates in two situations. First, you cannot schedule major updates to
the system. Second, you cannot schedule updates for or pushes from a management center that cannot access
the Support Site. If your management center is not directly connected to the Internet, you should use the
management interfaces configuration to set up a proxy to allow it to download updates from the Support Site.
Note that a task scheduled to install an update on a device group will install the pushed update to each device
within the device group simultaneously. Allow enough time for the scheduled task to complete for each device
within the device group.
If you want to have more control over this process, you can use the Once option to download and install
updates during off-peak hours after you learn that an update has been released.
Related Topics
Management Interfaces, on page 55
Updates, on page 203
Automating Software Downloads
You can create a scheduled task that automatically downloads the latest software updates from Cisco. You
can use this task to schedule download of updates you plan to install manually.
You must be in the global domain to perform this task.
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From the Job Type list, select Download Latest Update.
Step 4
Specify how you want to schedule the task, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Type a name in the Job Name field.
Step 6
Next to Update Items, check the Software check box.
Step 7
If you want to comment on the task, type a comment in the Comment field.
The comment field appears in the Task Details section of the schedule calendar page; keep comments brief.
Step 8
If you want to email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field. You must have a valid email relay server configured to send status
messages.
Step 9
Click Save.
Related Topics
Configuring a Mail Relay Host and Notification Address, on page 81
Automating Software Pushes
If you want to automate the installation of software updates on managed devices, you must push the updates
to the devices before installing.
When you create the task to push software updates to managed devices, make sure you allow enough time
between the push task and a scheduled install task for the updates to be copied to the device.
You must be in the global domain to perform this task.
Procedure
Step 1
Select System > Tools > Scheduling.
Step 2
Click Add Task.
Step 3
From the Job Type list, select Push Latest Update.
Step 4
Specify how you want to schedule the task, Once or Recurring:
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, see Configuring a Recurring Task, on page 452 for details.
Step 5
Type a name in the Job Name field.
Step 6
From the Device drop-down list, select the device that you want to update.
Step 7
If you want to comment on the task, type a comment in the Comment field.
The comment field appears in the Task Details section of the schedule calendar page; keep comments brief.
Step 8
If you want to email task status messages, type an email address (or multiple email addresses separated by
commas) in the Email Status To: field. You must have a valid email relay server configured to send status
messages.
Step 9
Click Save.
Related Topics
Configuring a Mail Relay Host and Notification Address, on page 81
Automating Software Installs
Make sure you allow enough time between the task that pushes the update to a managed device and the task
that installs the update.
You must be in the global domain to perform this task.
Caution
Depending on the update being installed, the a