Cisco Secure Firewall Management Center Virtual Guide


Cisco Secure Firewall Management Center Administration Guide, 7.2

First Published: 2022-06-06

Last Modified: 2022-06-28

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on standards documentation, or language that is used by a referenced third-party product.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2022 Cisco Systems, Inc. All rights reserved.

CONTENTS

PART I Getting Started 39

CHAPTER 1 Management Center Overview 1

Quick Start: Basic Setup 1

Installing and Performing Initial Setup on Physical Appliances 2

Deploying Virtual Appliances 2

Logging In for the First Time 3

Setting Up Basic Policies and Configurations 4

Threat Defense Devices 6

Features 6

Appliance and System Management Features 7

High Availability and Scalability Features by Platform 8

Features for Detecting, Preventing, and Processing Potential Threats 9

Integration with External Tools 11

Search the Management Center 11

Search for Web Interface Menu Options 14

Search for Policies 15

Search for Objects 17

Search for How To Walkthroughs 20

Switching Domains on the Secure Firewall Management Center 20

The Context Menu 21

Sharing Data with Cisco 23

Online Help, How To, and Documentation 23

User Guides on Cisco.com 24

License Statements in the Documentation 25

Supported Devices Statements in the Documentation 25

Access Statements in the Documentation 26

IP Address Conventions 26

Additional Resources 26

CHAPTER 2 Logging into the Management Center 27

User Accounts 27

System User Interfaces 29

Web Interface Considerations 30

Session Timeout 30

Logging Into the Secure Firewall Management Center Web Interface 31

Logging Into the Management Center Web Interface Using SSO 32

Logging Into the Secure Firewall Management Center with CAC Credentials 33

Logging Into the Management Center Command Line Interface 33

View Your Last Login 34

Logging Out of the Management Center Web Interface 35

History for Logging into the Management Center 35

PART II System Settings 37

CHAPTER 3 System Configuration 39

Requirements and Prerequisites for the System Configuration 40

About System Configuration 40

Navigating the Secure Firewall Management Center System Configuration 40

System Configuration Settings 40

Appliance Information 42

HTTPS Certificates 43

Default HTTPS Server Certificates 43

Custom HTTPS Server Certificates 44

HTTPS Server Certificate Requirements 44

HTTPS Client Certificates 45

Viewing the Current HTTPS Server Certificate 46

Generating an HTTPS Server Certificate Signing Request 46

Importing HTTPS Server Certificates 48

Requiring Valid HTTPS Client Certificates 49


Renewing the Default HTTPS Server Certificate 50

External Database Access Settings 50

Enabling External Access to the Database 51

Database Event Limits 52

Configuring Database Event Limits 52

Database Event Limits 52

Management Interfaces 55

About Management Center Management Interfaces 55

Management Interfaces on the Management Center 55

Management Interface Support Per Management Center Model 56

Network Routes on Management Center Management Interfaces 56

NAT Environments 57

Management and Event Traffic Channel Examples 59

Modify Management Center Management Interfaces 60

Shut Down or Restart 64

Shut Down or Restart the Management Center 64

Remote Storage Management 64

Management Center Remote Storage - Supported Protocols and Versions 65

Configuring Local Storage 65

Configuring NFS for Remote Storage 66

Configuring SMB for Remote Storage 66

Configuring SSH for Remote Storage 67

Remote Storage Management Advanced Options 68

Change Reconciliation 69

Configuring Change Reconciliation 69

Change Reconciliation Options 69

Policy Change Comments 70

Configuring Comments to Track Policy Changes 70

Access List 71

Configure an Access List 71

Audit Logs 72

Stream Audit Logs to Syslog 72

Stream Audit Logs to an HTTP Server 74

Audit Log Certificate 75


Securely Stream Audit Logs 75

Obtain a Signed Audit Log Client Certificate for the Management Center 76

Import an Audit Log Client Certificate into the Management Center 77

Require Valid Audit Log Server Certificates 78

View the Audit Log Client Certificate on the Management Center 79

Dashboard Settings 79

Enabling Custom Analysis Widgets for Dashboards 79

DNS Cache 80

Configuring DNS Cache Properties 80

Email Notifications 80

Configuring a Mail Relay Host and Notification Address 81

Language Selection 81

Set the Language for the Web Interface 82

Login Banners 82

Customize the Login Banner 82

SNMP Polling 83

Configure SNMP Polling 83

Time and Time Synchronization 84

Synchronize Time on the Management Center with an NTP Server 85

Synchronize Time Without Access to a Network NTP Server 86

About Changing Time Synchronization Settings 87

View Current System Time, Source, and NTP Server Connection Status 87

NTP Server Status 88

Global User Configuration Settings 89

Set Password Reuse Limit 90

Track Successful Logins 90

Enabling Temporary Lockouts 91

Set Maximum Number of Concurrent Sessions 91

Session Timeouts 92

Configure Session Timeouts 92

Vulnerability Mapping 92

Mapping Vulnerabilities for Servers 93

Remote Console Access Management 93

Configuring Remote Console Settings on the System 94

Lights-Out Management User Access Configuration 95

Enabling Lights-Out Management User Access 95

Serial Over LAN Connection Configuration 96

Configuring Serial Over LAN with IPMItool 97

Configuring Serial Over LAN with IPMIutil 97

Lights-Out Management Overview 97

Configuring Lights-Out Management with IPMItool 99

Configuring Lights-Out Management with IPMIutil 99

REST API Preferences 99

Enabling REST API Access 99

VMware Tools and Virtual Systems 100

Enabling VMware Tools on the Secure Firewall Management Center for VMware 100

(Optional) Opt Out of Web Analytics Tracking 101

History for System Configuration 101

CHAPTER 4 Users 105

About Users 105

Internal and External Users 105

Web Interface and CLI Access 106

User Roles 106

User Passwords 108

Guidelines and Limitations for User Accounts for Management Center 110

Requirements and Prerequisites for User Accounts for Management Center 111

Add an Internal User 111

Configure External Authentication for the Management Center 113

About External Authentication for the Management Center 113

About LDAP 114

About RADIUS 115

Add an LDAP External Authentication Object for Management Center 115

Add a RADIUS External Authentication Object for Management Center 122

Enable External Authentication for Users on the Management Center 127

Configure Common Access Card Authentication with LDAP 128

Configure SAML Single Sign-On 129

About SAML Single Sign-On 129


SSO Guidelines for the Management Center 130

SSO User Accounts 130

User Role Mapping for SSO Users 131

Enable Single Sign-On at the Management Center 132

Configure Single Sign-On with Okta 133

Review the Okta Org 133

Configure the Management Center Service Provider Application for Okta 134

Configure the Management Center for Okta SSO 136

Configure User Role Mapping for Okta at the Management Center 137

Configure User Role Mapping at the Okta IdP 138

Okta User Role Mapping Examples 140

Configure Single Sign-On with OneLogin 145

Review the OneLogin Subdomain 146

Configure the Management Center Service Provider Application for OneLogin 146

Configure the Management Center for OneLogin SSO 148

Configure User Role Mapping for OneLogin at the Management Center 149

Configure User Role Mapping at the OneLogin IdP 150

OneLogin User Role Mapping Examples 153

Configure Single Sign-On with Azure AD 157

Review the Azure Tenant 158

Configure the Management Center Service Provider Application for Azure 158

Configure the Management Center for Azure SSO 160

Configure User Role Mapping for Azure at the Management Center 161

Configure User Role Mapping at the Azure IdP 162

Azure User Role Mapping Examples 165

Configure Single Sign-On with PingID 170

Review the PingID PingOne for Customers Environment 171

Configure the Management Center Service Provider Application for PingID PingOne for Customers 171

Configure the Management Center for SSO with PingID PingOne for Customers 173

Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider 174

Familiarize Yourself with the SSO Identity Provider and the SSO Federation 175

Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider 175

Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider 177

Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers 178

Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers 179

Customize User Roles for the Web Interface 180

Create Custom User Roles 180

Deactivate User Roles 182

Enable User Role Escalation 183

Set the Escalation Target Role 183

Configure a Custom User Role for Escalation 184

Escalate Your User Role 184

Troubleshooting LDAP Authentication Connections 185

Configure User Preferences 186

Changing Your Password 187

Changing an Expired Password 187

Change the Web Interface Appearance 188

Specifying Your Home Page 188

Configuring Event View Settings 189

Event View Preferences 189

File Download Preferences 190

Default Time Windows 191

Default Workflows 192

Setting Your Default Time Zone 193

Specifying Your Default Dashboard 193

History for Users 194

CHAPTER 5 Domains 195

Introduction to Multitenancy Using Domains 195

Domains Terminology 196

Domain Properties 197

Requirements and Prerequisites for Domains 198

Managing Domains 198

Creating New Domains 199

Moving Data Between Domains 200

Moving Devices Between Domains 201

History for Domain Management 202

CHAPTER 6 Updates 203

About System Updates 203

Requirements and Prerequisites for System Updates 205

Guidelines and Limitations for System Updates 205

Upgrade System Software 206

Update the Vulnerability Database (VDB) 206

Manually Update the VDB 206

Schedule VDB Updates 208

Update the Geolocation Database 208

Schedule GeoDB Updates 208

Manually Update the GeoDB (Internet Connection) 209

Manually Update the GeoDB (No Internet Connection) 209

Update Intrusion Rules 210

Update Intrusion Rules One-Time Manually 211

Update Intrusion Rules One-Time Automatically 212

Schedule Intrusion Rule Updates 213

Best Practices for Importing Local Intrusion Rules 213

Import Local Intrusion Rules 215

Rule Update Log 215

Intrusion Rule Update Log Table 216

Viewing the Intrusion Rule Update Log 216

Fields in an Intrusion Rule Update Log 217

Viewing Details of the Intrusion Rule Update Import Log 218

Maintain Your Air-Gapped Deployment 219

History for System Updates 220

CHAPTER 7 Licenses 229

About Licenses 229

Smart Software Manager and Accounts 230

Licensing Options for Air-Gapped Deployments 230


How Licensing Works for the Management Center and Devices 230

Periodic Communication with the Smart Software Manager 231

Evaluation Mode 231

Out-of-Compliance State 231

Unregistered State 232

End-User License Agreement 232

License Types and Restrictions 232

Management Center Virtual Licenses 234

Base Licenses 234

Malware Defense Licenses 235

Threat Licenses 235

URL Filtering Licenses 236

Secure Client Licenses 236

Licensing for Export-Controlled Functionality 237

Threat Defense Virtual Licenses 238

License PIDs 239

Requirements and Prerequisites for Licensing 245

Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance 246

Licensing for Management Center High Availability 246

Licensing for Device High-Availability 246

Licensing for Device Clusters 247

Licensing for Multi-Instance Deployments 247

Create a Smart Account and Add Licenses 248

Configure Smart Licensing 249

Register the Management Center for Smart Licensing 249

Register the Management Center with the Smart Software Manager 249

Register the Management Center with the Smart Software Manager On-Prem 252

Enable the Export Control Feature for Accounts Without Global Permission 253

Assign Licenses to Devices 254

Assign Licenses to a Single Device 254

Assign Licenses to Multiple Managed Devices 255

Manage Smart Licensing 256

Deregister the Management Center 256

Synchronize or Reauthorize the Management Center 256

Monitoring Smart License Status 257

Monitoring Smart Licenses 258

Troubleshooting Smart Licensing 258

Configure Specific License Reservation (SLR) 261

Requirements and Prerequisites for Specific License Reservation 261

Verify that your Smart Account is Ready to Deploy Specific License Reservation 261

Enable the Specific Licensing Menu Option 262

Enter the Specific License Reservation Authorization Code into the Management Center 263

Assign Specific Licenses to Managed Devices 264

Manage Specific License Reservation 265

Important! Maintain Your Specific License Reservation Deployment 265

Update a Specific License Reservation 265

Deactivate and Return the Specific License Reservation 267

Monitoring Specific License Reservation Status 269

Troubleshoot Specific License Reservation 270

Configure Legacy Management Center PAK-Based Licenses 271

Additional Information about Licensing 272

History for Licenses 273

CHAPTER 8 High Availability 275

About Secure Firewall Management Center High Availability 275

Roles v. Status in Management Center High Availability 276

Event Processing on Management Center High Availability Pairs 277

AMP Cloud Connections and Malware Information 277

URL Filtering and Security Intelligence 277

User Data Processing During Management Center Failover 277

Configuration Management on Management Center High Availability Pairs 277

Management Center High Availability Disaster Recovery 277

Single Sign-On and High Availability Pairs 278

Management Center High Availability Behavior During a Backup 278

Management Center High Availability Split-Brain 278

Upgrading Management Centers in a High Availability Pair 279

Troubleshooting Management Center High Availability 280

Requirements for Management Center High Availability 281

Hardware Requirements 281

Virtual Platform Requirements 282

Software Requirements 282

License Requirements for Management Center High Availability Configurations 282

Prerequisites for Management Center High Availability 283

Establishing Management Center High Availability 284

Viewing Management Center High Availability Status 285

Configuration Data Synced between Firepower Management Centers during High Availability 286

Configuring External Access to the Management Center Database in a High Availability Pair 287

Using CLI to Resolve Device Registration in Management Center High Availability 287

Switching Peers in a Management Center High Availability Pair 288

Pausing Communication Between Paired Firepower Management Centers 288

Restarting Communication Between Paired Firepower Management Centers 288

Changing the IP Address of a Management Center in a High Availability Pair 289

Disabling Management Center High Availability 289

Replacing Management Centers in a High Availability Pair 290

Replace a Failed Primary Management Center (Successful Backup) 290

Replace a Failed Primary Management Center (Unsuccessful Backup) 291

Replace a Failed Secondary Management Center (Successful Backup) 292

Replace a Failed Secondary Management Center (Unsuccessful Backup) 293

Management Center High Availability Disaster Recovery 294

History for Management Center High Availability 294

CHAPTER 9 Security Certifications Compliance 295

Security Certifications Compliance Modes 295

Security Certifications Compliance Characteristics 296

Security Certifications Compliance Recommendations 297

Appliance Hardening 298

Protecting Your Network 299

Enable Security Certifications Compliance 300

PART III Health and Monitoring 303

CHAPTER 10 Dashboards 305

About Dashboards 305

Dashboard Widgets 306

Widget Availability 306

Dashboard Widget Availability by User Role 307

Predefined Dashboard Widgets 308

The Appliance Information Widget 308

The Appliance Status Widget 309

The Correlation Events Widget 309

The Current Interface Status Widget 309

The Current Sessions Widget 310

The Custom Analysis Widget 310

The Disk Usage Widget 314

The Interface Traffic Widget 315

The Intrusion Events Widget 315

The Network Compliance Widget 316

The Product Licensing Widget 316

The Product Updates Widget 317

The RSS Feed Widget 317

The System Load Widget 318

The System Time Widget 318

The Allow List Events Widget 318

Managing Dashboards 318

Adding a Dashboard 319

Adding Widgets to a Dashboard 319

Configuring Widget Preferences 320

Creating Custom Dashboards 321

Custom Dashboard Options 321

Customizing the Widget Display 322

Editing Dashboards Options 323

Modifying Dashboard Time Settings 323

Renaming a Dashboard 324

Viewing Dashboards 325

CHAPTER 11 Health 327

Requirements and Prerequisites for Health Monitoring 327

About Health Monitoring 327

Health Modules 329

Configuring Health Monitoring 339

Health Policies 340

Default Health Policy 340

Creating Health Policies 340

Applying Health Policies 341

Editing Health Policies 342

Deleting Health Policies 343

Device Exclusion in Health Monitoring 343

Excluding Appliances from Health Monitoring 344

Excluding Health Policy Modules 344

Expired Health Monitor Exclusions 345

Health Monitor Alerts 346

Health Monitor Alert Information 346

Creating Health Monitor Alerts 347

Editing Health Monitor Alerts 348

Deleting Health Monitor Alerts 348

About the Health Monitor 348

Using the Management Center Health Monitor 350

Running All Modules for an Appliance 351

Running a Specific Health Module 351

Generating Health Module Alert Graphs 352

Device Health Monitors 352

Viewing System Details and Troubleshooting 353

Viewing the Device Health Monitor 354

Health Monitor Status Categories 364

Health Event Views 365

Viewing Health Events 365

Viewing Health Events by Module and Appliance 365

Viewing the Health Events Table 366

The Health Events Table 367

History for Health Monitoring 368

CHAPTER 12 Audit and Syslog 373

The System Log 373

Viewing the System Log 373

Syntax for System Log Filters 374

About System Auditing 375

Audit Records 375

Viewing Audit Records 375

Suppressing Audit Records 378

About Sending Audit Logs to an External Location 382

CHAPTER 13 Statistics 383

About System Statistics 383

The Host Statistics Section 383

The Disk Usage Section 384

The Processes Section 384

Process Status Fields 384

System Daemons 386

Executables and System Utilities 388

The SFDataCorrelator Process Statistics Section 391

The Intrusion Event Information Section 392

Viewing System Statistics 392

CHAPTER 14 Troubleshooting 395

First Steps for Troubleshooting 395

System Messages 395

Message Types 396

Message Management 397

View Basic System Information 398

View Appliance Information 398

Managing System Messages 398

Viewing Deployment Messages 399

Viewing Health Messages 400

Viewing Task Messages 400

Managing Task Messages 401

Configuring Notification Behavior 401

Memory Usage Thresholds for Health Monitor Alerts 402

Disk Usage and Drain of Events Health Monitor Alerts 403

Health Monitor Reports for Troubleshooting 406

Producing Troubleshooting Files for Specific System Functions 407

Downloading Advanced Troubleshooting Files 408

General Troubleshooting 408

Connection-based Troubleshooting 408

Troubleshoot a Connection 409

Advanced Troubleshooting for the Secure Firewall Threat Defense Device 409

Using the Threat Defense CLI from the Web Interface 410

Packet Tracer Overview 410

Use the Packet Tracer 411

Packet Capture Overview 413

Use the Capture Trace 415

Feature-Specific Troubleshooting 416

PART IV Tools 419

CHAPTER 15 Backup/Restore 421

About Backup and Restore 421

Requirements for Backup and Restore 423

Guidelines and Limitations for Backup and Restore 424

Configuration Import/Export Guidelines for Firepower 4100/9300 425

Best Practices for Backup and Restore 425

Backing Up Management Centers or Managed Devices 429

Back up the Management Center 429

Back up a Device from the Management Center 431

Exporting an FXOS Configuration File 432

Create a Backup Profile 432

Restoring Management Centers and Managed Devices 433

Restore Management Center from Backup 434

Restore Threat Defense from Backup: Firepower 1000/2100/3100, ISA 3000 (Non-Zero-Touch) 435

Zero-Touch Restore Threat Defense from Backup: ISA 3000 438

Restore Threat Defense from Backup: Firepower 4100/9300 Chassis 440

Importing a Configuration File 443

Restore Threat Defense from Backup: Threat Defense Virtual 445

Manage Backups and Remote Storage 447

Backup Storage Locations 448

History for Backup and Restore 450

CHAPTER 16 Scheduling 451

About Task Scheduling 451

Requirements and Prerequisites for Task Scheduling 452

Configuring a Recurring Task 452

Scheduled Backups 453

Schedule Management Center Backups 454

Schedule Remote Device Backups 454

Configuring Certificate Revocation List Downloads 455

Automating Policy Deployment 456

Nmap Scan Automation 457

Scheduling an Nmap Scan 458

Automating Report Generation 459

Specify Report Generation Settings for a Scheduled Report 460

Automating Cisco Recommendations 460

Software Update Automation 461

Automating Software Downloads 463

Automating Software Pushes 463

Automating Software Installs 464

Vulnerability Database Update Automation 465

Automating VDB Update Downloads 466

Automating VDB Update Installs 466

Automating URL Filtering Updates Using a Scheduled Task 467

Scheduled Task Review 468

Task List Details 469

Viewing Scheduled Tasks on the Calendar 469

Editing Scheduled Tasks 470

Deleting Scheduled Tasks 470

History for Scheduled Tasks 471

CHAPTER 17 Import/Export 473

About Configuration Import/Export 473

Configurations that Support Import/Export 473

Special Considerations for Configuration Import/Export 474

Requirements and Prerequisites for Configuration Import/Export 475

Exporting Configurations 475

Importing Configurations 476

Import Conflict Resolution 477

CHAPTER 18 Data Purge and Storage 479

Data Stored on the Management Center 479

Purging Data from the Management Center Database 480

External Data Storage 481

Comparison of Security Analytics and Logging Remote Event Storage Options 481

Remote Data Storage in Cisco Secure Cloud Analytics 482

Remote Data Storage on a Secure Network Analytics Appliance 482

History for Data Storage 483

PART V Reporting and Alerting 487

CHAPTER 19 Reports 489

Requirements and Prerequisites for Reports 489

Introduction to Reports 489

Risk Reports 490

Risk Report Templates 490

Generating, Viewing, and Printing Risk Reports 490

Standard Reports 491

About Designing Reports 492

Report Templates 492

Report Template Fields 492

Report Template Creation 494

Report Template Configuration 497

Managing Report Templates 508

About Generating Reports 510

Generating Reports 510

Report Generation Options 511

Distributing Reports by Email at Generation Time 511

Schedule Future Reports 512

About Working with Generated Reports 512

Viewing Reports 512

Downloading Reports 513

Storing Reports Remotely 513

Moving Reports to Remote Storage 514

Deleting Reports 515

History for Reporting 515

CHAPTER 20 External Alerting with Alert Responses 517

Secure Firewall Management Center Alert Responses 517

Configurations Supporting Alert Responses 518

Requirements and Prerequisites for Alert Responses 518

Creating an SNMP Alert Response 519

Creating a Syslog Alert Response 520

Syslog Alert Facilities 521

Syslog Severity Levels 522

Creating an Email Alert Response 523

Configuring Impact Flag Alerting 523

Configuring Discovery Event Alerting 524

Configuring Malware defense Alerting 524

CHAPTER 21 External Alerting for Intrusion Events 527

About External Alerting for Intrusion Events 527

License Requirements for External Alerting for Intrusion Events 528

Requirements and Prerequisites for External Alerting for Intrusion Events 528

Configuring SNMP Alerting for Intrusion Events 528

Intrusion SNMP Alert Options 529

Configuring Syslog Alerting for Intrusion Events 530

Facilities and Severities for Intrusion Syslog Alerts 531

Configuring Email Alerting for Intrusion Events 532

Intrusion Email Alert Options 532

PART VI Event and Asset Analysis Tools 535

CHAPTER 22 Context Explorer 537

About the Context Explorer 537

Differences Between the Dashboard and the Context Explorer 538

The Traffic and Intrusion Event Counts Time Graph 538

The Indications of Compromise Section 539

The Hosts by Indication Graph 539

The Indications by Host Graph 539

The Network Information Section 539

The Operating Systems Graph 539

The Traffic by Source IP Graph 540

The Traffic by Source User Graph 540

The Connections by Access Control Action Graph 540

The Traffic by Destination IP Graph 541

The Traffic by Ingress/Egress Security Zone Graph 541

The Application Information Section 541

Focusing the Application Information Section 542

The Traffic by Risk/Business Relevance and Application Graph 542

The Intrusion Events by Risk/Business Relevance and Application Graph 542

The Hosts by Risk/Business Relevance and Application Graph 543

The Application Details List 543

The Security Intelligence Section 543

The Security Intelligence Traffic by Category Graph 544

The Security Intelligence Traffic by Source IP Graph 544

The Security Intelligence Traffic by Destination IP Graph 544

The Intrusion Information Section 544


The Intrusion Events by Impact Graph 545

The Top Attackers Graph 545

The Top Users Graph 545

The Intrusion Events by Priority Graph 545

The Top Targets Graph 545

The Top Ingress/Egress Security Zones Graph 545

The Intrusion Event Details List 546

The Files Information Section 546

The Top File Types Graph 546

The Top File Names Graph 546

The Files by Disposition Graph 547

The Top Hosts Sending Files Graph 547

The Top Hosts Receiving Files Graph 547

The Top Malware Detections Graph 548

The Geolocation Information Section 548

The Connections by Initiator/Responder Country Graph 548

The Intrusion Events by Source/Destination Country Graph 548

The File Events by Sending/Receiving Country Graph 549

The URL Information Section 549

The Traffic by URL Graph 549

The Traffic by URL Category Graph 549

The Traffic by URL Reputation Graph 550

Requirements and Prerequisites for the Context Explorer 550

Refreshing the Context Explorer 550

Setting the Context Explorer Time Range 551

Minimizing and Maximizing Context Explorer Sections 551

Drilling Down on Context Explorer Data 552

Filters in the Context Explorer 553

Data Type Field Options 554

Creating a Filter from the Add Filter Window 556

Creating a Quick Filter from the Context Menu 557

Saving Filtered Context Explorer Views 557

Viewing Filter Data 557

Deleting a Filter 558

Chapter 23

Network Map 559

Requirements and Prerequisites for the Network Map 559

The Network Map 559

The Hosts Network Map 560

The Network Devices Network Map 561

The Mobile Devices Network Map 561

The Indications of Compromise Network Map 562

The Application Protocols Network Map 562

The Vulnerabilities Network Map 563

The Host Attributes Network Map 564

Viewing Network Maps 564

Custom Network Topologies 565

Creating Custom Topologies 565

Importing Networks from the Network Discovery Policy 566

Manually Adding Networks to Your Custom Topology 567

Activating and Deactivating Custom Topologies 567

Editing Custom Topologies 567

Chapter 24

Lookups 569

Introduction to Lookups 569

Performing Whois Lookups 569

Finding URL Category and Reputation 570

Finding Geolocation Information for an IP Address 571

Chapter 25

Event Analysis Using External Tools 573

Integrate with Cisco SecureX 573

Configure the Management Center Devices to Send Events to the Cisco Cloud 573

Configure Cisco Success Network Enrollment 575

Configure Cisco Support Diagnostics Enrollment 576

Access SecureX Using the Ribbon 577

Event Analysis with SecureX Threat Response 577

View Event Data in SecureX Threat Response 578

Event Investigation Using Web-Based Resources 578

About Managing Contextual Cross-Launch Resources 579

Requirements for Custom Contextual Cross-Launch Resources 579

Add Contextual Cross-Launch Resources 579

Investigate Events Using Contextual Cross-Launch 581

Configure Cross-Launch Links for Secure Network Analytics 581

About Sending Syslog Messages for Security Events 582

About Configuring the System to Send Security Event Data to Syslog 583

Best Practices for Configuring Security Event Syslog Messaging 583

Send Security Event Syslog Messages from Threat Defense Devices 583

Send Security Event Syslog Messages from Classic Devices 586

Configuration Locations for Security Event Syslogs 587

Anatomy of Security Event Syslog Messages 591

Facility in Security Event Syslog Messages 593

Firepower Syslog Message Types 594

Limitations of Syslog for Security Events 595

eStreamer Server Streaming 595

Comparison of Syslog and eStreamer for Security Eventing 596

Data Sent Only via eStreamer, Not via Syslog 596

Choosing eStreamer Event Types 597

Configuring eStreamer Client Communications 598

Event Analysis in Splunk 598

Event Analysis in IBM QRadar 599

History for Analyzing Event Data Using External Tools 599

Part VII

Workflows and Tables 605

Chapter 26

Workflows 607

Overview: Workflows 607

Predefined Workflows 608

Predefined Intrusion Event Workflows 608

Predefined Malware Workflows 609

Predefined File Workflows 610

Predefined Captured File Workflows 610

Predefined Connection Data Workflows 611


Predefined Security Intelligence Workflows 613

Predefined Host Workflows 613

Predefined Indications of Compromise Workflows 613

Predefined Applications Workflows 614

Predefined Application Details Workflows 615

Predefined Servers Workflows 615

Predefined Host Attributes Workflows 615

The Predefined Discovery Events Workflow 616

Predefined User Workflows 616

Predefined Vulnerabilities Workflows 616

Predefined Third-Party Vulnerabilities Workflows 617

Predefined Correlation and Allow List Workflows 617

Predefined System Workflows 617

Custom Table Workflows 618

Using Workflows 618

Workflow Access by User Role 620

Workflow Selection 620

Workflow Pages 622

Workflow Page Navigation Tools 623

Workflow Page Traversal Tools 623

File Trajectory Icons 624

Host Profile Icons 624

Threat Score Icons 624

User Icons 625

The Workflow Toolbar 625

Using Drill-Down Pages 626

Using Table View Pages 626

Work in Secure Firewall Management Center with Connection Events Stored on a Secure Network Analytics Appliance 627

Geolocation 628

Connection Event Graphs 629

Using Connection Event Graphs 629

Event Time Constraints 635

Per-Session Time Window Customization for Events 636

The Default Time Window for Events 639

Event View Constraints 641

Constraining Events 642

Compound Event View Constraints 643

Using Compound Event View Constraints 643

Inter-Workflow Navigation 644

Working with the Unified Event Viewer 645

Unified Event Viewer Column Descriptions 647

Bookmarks 648

Creating Bookmarks 649

Viewing Bookmarks 649

History for Workflows 650

Chapter 27

Event Search 653

Event Searches 653

Search Constraints 653

General Search Constraints 654

Wildcards and Symbols in Searches 654

Objects and Application Filters in Searches 655

Time Constraints in Searches 655

IP Addresses in Searches 655

URLs in Searches 657

Managed Devices in Searches 657

Ports in Searches 657

Event Fields in Searches 658

Performing a Search 658

Saving a Search 660

Loading a Saved Search 660

Query Overrides Via the Shell 661

Shell-Based Query Management Syntax 661

Stopping Long-Running Queries 662

History for Searching for Events 662

Chapter 28

Custom Workflows 663

Introduction to Custom Workflows 663

Saved Custom Workflows 663

Custom Workflow Creation 664

Creating Custom Workflows Based on Non-Connection Data 665

Creating Custom Connection Data Workflows 666

Custom Workflow Use and Management 667

Viewing Custom Workflows Based on Predefined Tables 667

Viewing Custom Workflows Based on Custom Tables 668

Editing Custom Workflows 668

Chapter 29

Custom Tables 669

Introduction to Custom Tables 669

Predefined Custom Tables 669

Possible Table Combinations 670

User-Defined Custom Tables 673

Creating a Custom Table 673

Modifying a Custom Table 674

Deleting a Custom Table 675

Viewing a Workflow Based on a Custom Table 675

Searching Custom Tables 675

History for Custom Tables 677

Part VIII

Events and Assets 679

Chapter 30

Connection Logging 681

About Connection Logging 681

Connections That Are Always Logged 682

Other Connections You Can Log 682

How Rules and Policy Actions Affect Logging 683

Logging for Fastpathed Connections 684

Logging for Monitored Connections 684

Logging for Trusted Connections 684

Logging for Blocked Connections 684

Logging for Allowed Connections 686

Beginning vs End-of-Connection Logging 687

Secure Firewall Management Center vs External Logging 688

Limitations of Connection Logging 689

When Events Appear in the Event Viewer 689

Best Practices for Connection Logging 690

Requirements and Prerequisites for Connection Logging 692

Configure Connection Logging 692

Logging Connections with Tunnel and Prefilter Rules 692

Logging Decryptable Connections with TLS/SSL Rules 693

Logging Connections with Security Intelligence 694

Logging Connections with Access Control Rules 694

Logging Connections with a Policy Default Action 695

Limiting Logging of Long URLs 696

Chapter 31

Connection and Security Intelligence Events 699

About Connection Events 699

Connection vs. Security Intelligence Events 700

NetFlow Connections 700

Connection Summaries (Aggregated Data for Graphs) 700

Long-Running Connections 701

Combined Connection Summaries from External Responders 701

Connection and Security Intelligence Event Fields 701

About Connection and Security Intelligence Event Fields 716

A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields 716

Connection Event Reasons 717

Requirements for Populating Connection Event Fields 718

Information Available in Connection Event Fields 720

Using Connection and Security Intelligence Event Tables 724

Viewing Files and Malware Detected in a Connection 726

Viewing Intrusion Events Associated with a Connection 727

Encrypted Connection Certificate Details 727

Viewing the Connection Summary Page 728

History for Connection and Security Intelligence Events 729

Chapter 32

Intrusion Events 733

About Intrusion Events 733

Tools for Reviewing and Evaluating Intrusion Events 733

License Requirements for Intrusion Events 734

Requirements and Prerequisites for Intrusion Events 734

Viewing Intrusion Events 735

About Intrusion Event Fields 735

Intrusion Event Fields 736

Intrusion Event Impact Levels 747

Viewing Connection Data Associated with Intrusion Events 749

Marking Intrusion Events Reviewed 749

Viewing Previously Reviewed Intrusion Events 750

Marking Reviewed Intrusion Events Unreviewed 750

Preprocessor Events 750

Preprocessor Generator IDs 751

Intrusion Event Workflow Pages 753

Using Intrusion Event Workflows 754

Intrusion Event Drill-Down Page Constraints 756

Intrusion Event Table View Constraints 757

Using the Intrusion Event Packet View 757

Event Information Fields 759

Frame Information Fields 765

Data Link Layer Information Fields 766

Viewing Network Layer Information 766

Viewing Transport Layer Information 769

Viewing Packet Byte Information 771

Internally Sourced Intrusion Events 771

Viewing Intrusion Event Statistics 771

Host Statistics 772

Event Overview 773

Event Statistics 773

Viewing Intrusion Event Performance Graphs 774

Intrusion Event Performance Statistics Graph Types 774

Viewing Intrusion Event Graphs 778

History for Intrusion Events 780

Chapter 33

File/Malware Events and Network File Trajectory 781

About File/Malware Events and Network File Trajectory 781

File and Malware Events 782

File and Malware Event Types 782

File Events 782

Malware Events 783

Retrospective Malware Events 783

Malware Events Generated by Secure Endpoint 784

Using File and Malware Event Workflows 785

File and Malware Event Fields 786

Malware Event Sub-Types 796

Information Available in File and Malware Event Fields 797

View Details About Analyzed Files 800

File Composition Report 800

View File Details in AMP Private Cloud 800

Threat Scores and Dynamic Analysis Summary Reports 801

Viewing Dynamic Analysis Results in the Cisco Secure Malware Analytics Cloud 802

Using Captured File Workflows 802

Captured File Fields 803

Stored Files Download 807

Manually Submit Files for Analysis 808

Network File Trajectory 809

Recently Detected Malware and Analyzed Trajectories 809

Network File Trajectory Detailed View 809

Network File Trajectory Summary Information 810

Network File Trajectory Map and Related Events List 811

Using a Network File Trajectory 812

Work with Event Data in the Secure Endpoint Console 814

History for File and Malware Events and Network File Trajectory 815

Chapter 34

Host Profiles 817


Requirements and Prerequisites for Host Profiles 817

Host Profiles 818

Host Profile Limitations 819

Viewing Host Profiles 819

Basic Host Information in the Host Profile 819

Operating Systems in the Host Profile 821

Viewing Operating System Identities 823

Setting the Current Operating System Identity 824

Operating System Identity Conflicts 824

Making a Conflicting Operating System Identity Current 825

Resolving an Operating System Identity Conflict 825

Servers in the Host Profile 825

Server Details in the Host Profile 827

Viewing Server Details 828

Editing Server Identities 828

Resolving Server Identity Conflicts 829

Web Applications in the Host Profile 829

Deleting Web Applications from the Host Profile 831

Host Protocols in the Host Profile 831

Deleting a Protocol From the Host Profile 831

Indications of Compromise in the Host Profile 832

VLAN Tags in the Host Profile 832

User History in the Host Profile 832

Host Attributes in the Host Profile 833

Predefined Host Attributes 833

Allow List Host Attributes 833

User-Defined Host Attributes 834

Creating Text- or URL-Based Host Attributes 835

Creating Integer-Based Host Attributes 835

Creating List-Based Host Attributes 835

Setting Host Attribute Values 836

Allow List Violations in the Host Profile 836

Creating Shared Allow List Host Profiles 837

Malware Detections in the Host Profile 837

Vulnerabilities in the Host Profile 838

Downloading Patches for Vulnerabilities 839

Deactivating Vulnerabilities for Individual Hosts 839

Deactivating Individual Vulnerabilities 840

Scan Results in the Host Profile 841

Scanning a Host from the Host Profile 841

History for Host Profiles 842

Chapter 35

Discovery Events 843

Requirements and Prerequisites for Discovery Events 843

Discovery and Identity Data in Discovery Events 843

Viewing Discovery Event Statistics 844

The Statistics Summary Section 845

The Event Breakdown Section 846

The Protocol Breakdown Section 846

The Application Protocol Breakdown Section 847

The OS Breakdown Section 847

Viewing Discovery Performance Graphs 847

Discovery Performance Graph Types 848

Using Discovery and Identity Workflows 848

Discovery and Host Input Events 850

Discovery Event Types 850

Host Input Event Types 854

Viewing Discovery and Host Input Events 856

Discovery Event Fields 856

Host Data 858

Viewing Host Data 858

Host Data Fields 858

Creating a Traffic Profile for Selected Hosts 862

Creating a Compliance Allow List Based on Selected Hosts 863

Host Attribute Data 863

Viewing Host Attributes 864

Host Attribute Data Fields 864

Setting Host Attributes for Selected Hosts 865

Indications of Compromise Data 865

View and Work with Indications of Compromise Data 866

Indications of Compromise Data Fields 868

Editing Indication of Compromise Rule States for a Single Host or User 868

Viewing Source Events for Indication of Compromise Tags 869

Resolving Indication of Compromise Tags 869

Server Data 869

Viewing Server Data 870

Server Data Fields 870

Application and Application Details Data 873

Viewing Application Data 873

Application Data Fields 874

Viewing Application Detail Data 875

Application Detail Data Fields 876

Vulnerability Data 877

Vulnerability Data Fields 877

Vulnerability Deactivation 879

Viewing Vulnerability Data 879

Viewing Vulnerability Details 880

Deactivating Multiple Vulnerabilities 881

Third-Party Vulnerability Data 881

Viewing Third-Party Vulnerability Data 881

Third-Party Vulnerability Data Fields 882

Active Sessions, Users, and User Activity Data 883

User-Related Fields 884

Active Sessions Data 890

User Data 891

User Activity Data 894

User Profile and Host History 896

History for Working with Discovery Events 898

Chapter 36

Correlation and Compliance Events 899

Viewing Correlation Events 899

Correlation Event Fields 900

Using Compliance Allow List Workflows 903

Viewing Allow List Events 904

Allow List Event Fields 905

Viewing Allow List Violations 906

Allow List Violation Fields 907

Remediation Status Events 908

Viewing Remediation Status Events 908

Remediation Status Table Fields 909

Using the Remediation Status Events Table 910

Part IX

Correlation and Compliance 913

Chapter 37

Compliance Lists 915

Introduction to Compliance Allow Lists 915

Compliance Allow List Target Networks 916

Compliance Allow List Host Profiles 917

Operating System-Specific Host Profiles 918

Shared Host Profiles 918

Allow Violation Triggers 919

Requirements and Prerequisites for Compliance 920

Creating a Compliance Allow List 920

Setting Target Networks for a Compliance Allow List 922

Building Allow List Host Profiles 922

Adding an Application Protocol to a Compliance Allow List 924

Adding a Client to a Compliance Allow List 924

Adding a Web Application to a Compliance Allow List 925

Adding a Protocol to a Compliance Allow List 925

Managing Compliance Allow Lists 926

Editing a Compliance Allow List 926

Managing Shared Host Profiles 928

Chapter 38

Correlation Policies 929

Introduction to Correlation Policies and Rules 929

Requirements and Prerequisites for Compliance 930

Configuring Correlation Policies 931

Adding Responses to Rules and Allow Lists 931

Managing Correlation Policies 932

Configuring Correlation Rules 933

Syntax for Intrusion Event Trigger Criteria 934

Syntax for Malware Event Trigger Criteria 937

Syntax for Discovery Event Trigger Criteria 938

Syntax for User Activity Event Trigger Criteria 941

Syntax for Host Input Event Trigger Criteria 942

Syntax for Connection Event Trigger Criteria 943

Syntax for Traffic Profile Changes 946

Syntax for Correlation Host Profile Qualifications 948

Syntax for User Qualifications 951

Connection Trackers 952

Adding a Connection Tracker 953

Syntax for Connection Trackers 953

Syntax for Connection Tracker Events 956

Sample Configuration for Excessive Connections From External Hosts 956

Sample Configuration for Excessive BitTorrent Data Transfers 958

Snooze and Inactive Periods 960

Correlation Rule Building Mechanics 960

Adding and Linking Conditions in Correlation Rules 962

Using Multiple Values in Correlation Rule Conditions 963

Managing Correlation Rules 963

Configuring Correlation Response Groups 964

Managing Correlation Response Groups 965

Chapter 39

Traffic Profiling 967

Introduction to Traffic Profiles 967

Traffic Profile Conditions 969

Requirements and Prerequisites for Traffic Profiles 971

Managing Traffic Profiles 971

Configuring Traffic Profiles 972

Adding Traffic Profile Conditions 973

Adding Host Profile Qualifications to a Traffic Profile 973

Syntax for Traffic Profile Conditions 974

Syntax for Host Profile Qualifications in a Traffic Profile 975

Using Multiple Values in a Traffic Profile Condition 977

Chapter 40

Remediations 979

Requirements and Prerequisites for Remediations 979

Introduction to Remediations 979

Cisco ISE EPS Remediations 980

Configuring ISE EPS Remediations 981

Cisco IOS Null Route Remediations 982

Configuring Remediations for Cisco IOS Routers 983

Nmap Scan Remediations 987

Set Attribute Value Remediations 988

Configuring Set Attribute Remediations 988

Managing Remediation Modules 989

Managing Remediation Instances 990

Managing Instances for a Single Remediation Module 990

Part X

Reference 993

Chapter 41

Secure Firewall Management Center Command Line Reference 995

About the Secure Firewall Management Center CLI 995

Secure Firewall Management Center CLI Modes 996

Secure Firewall Management Center CLI Management Commands 996

exit 996

expert 996

? (question mark) 997

Secure Firewall Management Center CLI Show Commands 997

version 997

Secure Firewall Management Center CLI Configuration Commands 998

password 998

Secure Firewall Management Center CLI System Commands 998

generate-troubleshoot 998

lockdown 999

reboot 1000

restart 1000

shutdown 1000

History for the Secure Firewall Management Center CLI 1001

Chapter 42

Security, Internet Access, and Communication Ports 1003

Security Requirements 1003

Cisco Clouds 1003

Internet Access Requirements 1004

Communication Port Requirements 1007

Part I

Getting Started

Management Center Overview, on page 1

Logging into the Management Center, on page 27

Chapter 1

Management Center Overview

The Secure Firewall Management Center is a powerful, web-based, multi-device manager that runs on its own server hardware, or as a virtual device on a hypervisor. You should use the management center if you want a multi-device manager, and you require all features on the threat defense. The management center also provides powerful analysis and monitoring of traffic and events.

Cisco Defense Orchestrator (CDO) can act as the primary manager using a full-featured, cloud-delivered management center. In this use case, you can use an on-premises management center for analytics only. The on-prem management center does not support policy configuration or upgrading. Chapters and procedures in this guide related to configuration and other unsupported features do not apply to CDO-managed devices.

For the management center used as the primary manager: The management center is not compatible with other managers because the management center owns the threat defense configuration, and you are not allowed to configure the threat defense directly, bypassing the management center.

Quick Start: Basic Setup, on page 1

Threat Defense Devices, on page 6

Features, on page 6

Search the Management Center, on page 11

Switching Domains on the Secure Firewall Management Center, on page 20

The Context Menu, on page 21

Sharing Data with Cisco, on page 23

Online Help, How To, and Documentation, on page 23

IP Address Conventions, on page 26

Additional Resources, on page 26

Quick Start: Basic Setup

The Firepower feature set is powerful and flexible enough to support basic and advanced configurations. Use the following sections to quickly set up a Secure Firewall Management Center and its managed devices to begin controlling and analyzing traffic.


Installing and Performing Initial Setup on Physical Appliances

Procedure

Install and perform initial setup on all physical appliances using the documentation for your appliance:

• Management Center

• Cisco Firepower Management Center Getting Started Guide for your hardware model, available from http://www.cisco.com/go/firepower-mc-install

• Threat Defense managed devices

• Cisco Firepower 1010 Getting Started Guide

• Cisco Firepower 1100 Getting Started Guide

• Cisco Firepower 2100 Getting Started Guide

• Cisco Secure Firewall 3100 Getting Started Guide

• Cisco Firepower 4100 Getting Started Guide

• Cisco Firepower 9300 Getting Started Guide

• Cisco Firepower Threat Defense for the ISA 3000 Using Firepower Management Center Quick Start Guide

Deploying Virtual Appliances

Follow these steps if your deployment includes virtual appliances. Use the documentation roadmap to locate the documents listed below: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

Procedure

Step 1 Determine the supported virtual platforms you will use for the Management Center and devices (these may not be the same). See the Cisco Firepower Compatibility Guide.

Step 2 Deploy virtual Firepower Management Centers using the documentation for your environment:

• management center virtual running on VMware: Cisco Secure Firewall Management Center Virtual Getting Started Guide

• management center virtual running on AWS: Cisco Secure Firewall Management Center Virtual Getting Started Guide

• management center virtual running on KVM: Cisco Secure Firewall Management Center Virtual Getting Started Guide

Step 3 Deploy virtual devices using the documentation for your appliance:

• threat defense virtual running on VMware: Cisco Secure Firewall Threat Defense Virtual for VMware Getting Started Guide

• threat defense virtual running on AWS: Cisco Secure Firewall Threat Defense Virtual for AWS Getting Started Guide

• threat defense virtual running on KVM: Cisco Secure Firewall Threat Defense Virtual for KVM Getting Started Guide

• threat defense virtual running on Azure: Cisco Secure Firewall Threat Defense Virtual for Azure Getting Started Guide

Logging In for the First Time

Before logging in to a new management center for the first time, prepare the appliance as described in Installing and Performing Initial Setup on Physical Appliances, on page 2 or Deploying Virtual Appliances, on page 2.

The first time you log in to a new management center (or a management center newly restored to factory defaults), use the admin account for either the CLI or the web interface and follow the instructions in the Cisco Firepower Management Center Getting Started Guide for your management center model. Once you complete the initial configuration process, the following aspects of your system will be configured:

• The passwords for the two admin accounts (one for web interface access and the other for CLI access) will be set to the same value, complying with strong password requirements as described in Guidelines and Limitations for User Accounts for Management Center, on page 110. The system synchronizes the passwords for the two admin accounts only during the initial configuration process. If you change the password for either admin account thereafter, they will no longer be the same and the strong password requirement can be removed from the web interface admin account. (See Add an Internal User, on page 111.)

• The following network settings the management center uses for network communication through its management interface (eth0) will be set to default values or values you supply:

• Fully qualified domain name (<hostname>.<domain>)

• Boot protocol for IPv4 configuration (DHCP or Static/Manual)

• IPv4 address

• Network mask

• Gateway

• DNS Servers

• NTP Servers

Values for these settings can be viewed and changed through the management center web interface; see Modify Management Center Management Interfaces, on page 60 and Time and Time Synchronization, on page 84 for more information.


• As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring the update fails and the management center has internet access, we recommend you configure regular GeoDB updates as described in Schedule GeoDB Updates, on page 208.

• As a part of initial configuration, the system schedules a weekly task to download the latest software updates. If the task scheduling fails and the management center has internet access, we recommend you schedule a recurring task for downloading software updates as described in Automating Software Downloads, on page 463.

Important This task downloads software updates to the management center. It is your responsibility to install any updates this task downloads.

• As a part of initial configuration, the system schedules a weekly task to perform a locally stored configuration-only management center backup. If the task scheduling fails, we recommend you schedule a recurring task to perform a backup as described in Schedule Management Center Backups, on page 454.

• As a part of initial configuration, the system downloads and installs the latest vulnerability database (VDB) update from the Cisco Support & Download site. This is a one-time operation. To keep the system up to date, if the management center has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations as described in Vulnerability Database Update Automation, on page 465.

• As a part of initial configuration, the system configures a daily automatic intrusion rule update from the Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies.) If configuring the update fails and the management center has internet access, we recommend you configure regular intrusion rule updates as described in Schedule Intrusion Rule Updates, on page 213.

On completion of management center initial configuration, the web interface displays the device management page, described in the Cisco Secure Firewall Management Center Device Configuration Guide.

(This is the default login page only for the first time the admin user logs in. On subsequent logins by the admin or any user, the default login page is determined as described in Specifying Your Home Page, on page 188.)

Once you have completed the initial configuration, begin controlling and analyzing traffic by configuring basic policies as described in Setting Up Basic Policies and Configurations, on page 4.

Setting Up Basic Policies and Configurations

You must configure and deploy basic policies in order to see data in the dashboard, Context Explorer, and event tables.

Note This is not a full discussion of policy or feature capabilities. For guidance on other features and more advanced configurations, see the rest of this guide.

Before you begin

• Log into the web interface using the admin account for either the web interface or CLI and perform the initial configuration as described in the Cisco Firepower Management Center Getting Started Guide for your hardware model, available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-guides-list.html.

Procedure

Step 1 Set a time zone for this account as described in Setting Your Default Time Zone, on page 193.

Step 2 If needed, add licenses as described in Licenses, on page 229.

Step 3 Add managed devices to your deployment as described in Add a Device to the Management Center in the Cisco Secure Firewall Management Center Device Configuration Guide.

Step 4 Configure your managed devices as described in:

• Interface Overview in the Cisco Secure Firewall Management Center Device Configuration Guide, to configure transparent or routed mode on Firepower Threat Defense devices

• Interface Overview in the Cisco Secure Firewall Management Center Device Configuration Guide, to configure interfaces on threat defense devices

Step 5 Configure an access control policy as described in Creating a Basic Access Control Policy in the Cisco Secure Firewall Management Center Device Configuration Guide.

• In most cases, Cisco suggests setting the Balanced Security and Connectivity intrusion policy as your default action. For more information, see Access Control Policy Default Action and System-Provided Network Analysis and Intrusion Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.

• In most cases, Cisco suggests enabling connection logging to meet the security and compliance needs of your organization. Consider the traffic on your network when deciding which connections to log so that you do not clutter your displays or overwhelm your system. For more information, see About Connection Logging, on page 681.

Step 6 Apply the system-provided default health policy as described in Applying Health Policies, on page 341.

Step 7 Customize a few of your system configuration settings:

• If you want to allow inbound connections for a service (for example, SNMP or the syslog), modify the ports in the access list as described in Configure an Access List, on page 71.

• Understand and consider editing your database event limits as described in Configuring Database Event Limits, on page 52.

• If you want to change the display language, edit the language setting as described in Set the Language for the Web Interface, on page 82.

• If your organization restricts network access using a proxy server, edit your proxy settings as described in Modify Management Center Management Interfaces, on page 60.

Step 8 Customize your network discovery policy as described in Configuring the Network Discovery Policy in the Cisco Secure Firewall Management Center Device Configuration Guide. By default, the network discovery policy analyzes all traffic on your network. In most cases, Cisco suggests restricting discovery to the addresses in RFC 1918.

Step 9 Consider customizing these other common settings:

• If you do not want to display message center pop-ups, disable notifications as described in

Configuring

Notification Behavior, on page 401

.

• If you want to customize the default values for system variables, understand their use as described in

Variable Sets in the Cisco Secure Firewall Management Center Device Configuration Guide .

• If you want to create additional locally authenticated user accounts to access the management center, see

Add an Internal User, on page 111

.

• If you want to use LDAP or RADIUS external authentication to allow access to the management center, see

Configure External Authentication for the Management Center, on page 113 .

Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management

Center Device Configuration Guide .

What to do next

• Review and consider configuring other features described in

Features, on page 6

and the rest of this guide.

Threat Defense Devices

In a typical deployment, multiple traffic-handling devices report to one Secure Firewall Management Center, which you use to perform administrative, management, analysis, and reporting tasks.

A threat defense device is a next-generation firewall (NGFW) that also has NGIPS capabilities. NGFW and platform features include site-to-site and remote access VPN, robust routing, NAT, clustering, and other optimizations in application inspection and access control.

Threat Defense is available on a wide range of physical and virtual platforms.

Compatibility

For details on manager-device compatibility, including the software compatible with specific device models, virtual hosting environments, operating systems, and so on, see the Cisco Secure Firewall Threat Defense Release Notes and Cisco Firepower Compatibility Guide.

Features

These tables list some commonly used features.

Appliance and System Management Features

To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

If you want to... | Configure... | As described in...
Manage user accounts for logging in to your Firepower appliances | Firepower authentication | Users, on page 105, and Users for Devices in the Cisco Secure Firewall Management Center Device Configuration Guide
Monitor the health of system hardware and software | Health monitoring policy | About Health Monitoring, on page 327
Back up data on your appliance | Backup and restore | Backup/Restore, on page 421
Upgrade to a new Firepower version | System updates | Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0; Firepower Release Notes
Baseline your physical appliance | Restore to factory defaults (reimage) | The Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0, for a list of links to instructions on performing fresh installations
Update the VDB, intrusion rule updates, or GeoDB on your appliance | Vulnerability Database (VDB) updates, intrusion rule updates, or Geolocation Database (GeoDB) updates | Updates, on page 203
Apply licenses in order to take advantage of license-controlled functionality | Smart licensing | About Licenses, on page 229
Ensure continuity of appliance operations | Managed device high availability and/or management center high availability | About Firepower Threat Defense High Availability in the Cisco Secure Firewall Management Center Device Configuration Guide; About Secure Firewall Management Center High Availability, on page 275
Configure a device to route traffic between two or more interfaces | Routing | Reference for Routing in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure packet switching between two or more networks | Device switching | Configure Bridge Group Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide
Translate private addresses into public addresses for internet connections | Network Address Translation (NAT) | Network Address Translation in the Cisco Secure Firewall Management Center Device Configuration Guide
Establish a secure tunnel between managed threat defense devices | Site-to-Site virtual private network (VPN) | VPN Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Establish secure tunnels between remote users and managed threat defense devices | Remote Access VPN | VPN Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Segment user access to managed devices, configurations, and events | Multitenancy using domains | Introduction to Multitenancy Using Domains, on page 195
View and manage appliance configuration using a REST API client | REST API and REST API Explorer | REST API Preferences, on page 99; Firepower REST API Quick Start Guide
Troubleshoot issues | N/A | Troubleshooting, on page 395

High Availability and Scalability Features by Platform

High availability configurations (sometimes called failover) ensure continuity of operations. Clustered configurations group multiple devices together as a single logical device, achieving increased throughput and redundancy.

Platform | High Availability | Clustering
Management Center | Yes |
Management Center Virtual | Yes (See Virtual Platform Requirements, on page 282 for important details) |
Secure Firewall Threat Defense: Firepower 1000, Firepower 2100, ISA 3000 | Yes | —
Secure Firewall Threat Defense: Firepower 4100/9300 chassis | Yes |
Secure Firewall Threat Defense Virtual: VMware, KVM | Yes |
Secure Firewall Threat Defense Virtual (public cloud): AWS, Azure | | Yes

Related Topics

About Secure Firewall Threat Defense High Availability

About Secure Firewall Management Center High Availability, on page 275

Features for Detecting, Preventing, and Processing Potential Threats

To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

If you want to... | Configure... | As described in...
Inspect, log, and take action on network traffic | Access control policy, the parent of several other policies | Introduction to Access Control in the Cisco Secure Firewall Management Center Device Configuration Guide
Block or monitor connections to or from IP addresses, URLs, and/or domain names | Security Intelligence within your access control policy | About Security Intelligence in the Cisco Secure Firewall Management Center Device Configuration Guide
Control the websites that users on your network can access | URL filtering within your policy rules | URL Filtering in the Cisco Secure Firewall Management Center Device Configuration Guide
Monitor malicious traffic and intrusions on your network | Intrusion policy | Intrusion Policy Basics in the Cisco Secure Firewall Management Center Device Configuration Guide
Block encrypted traffic without inspection, or inspect encrypted or decrypted traffic | SSL policy | SSL Policies Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Tailor deep inspection to encapsulated traffic and improve performance with fastpathing | Prefilter policy | About Prefiltering in the Cisco Secure Firewall Management Center Device Configuration Guide
Rate limit network traffic that is allowed or trusted by access control | Quality of Service (QoS) policy | About QoS Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Allow or block files (including malware) on your network | File/malware policy | Network Malware Protection and File Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Operationalize data from threat intelligence sources | Cisco Threat Intelligence Director (TID) | Secure Firewall threat intelligence director Overview in the Cisco Secure Firewall Management Center Device Configuration Guide
Configure passive or active user authentication to perform user awareness and user control | User awareness, user identity, identity policies | About User Identity Sources in the Cisco Secure Firewall Management Center Device Configuration Guide; About Identity Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Collect host, application, and user data from traffic on your network to perform user awareness | Network Discovery policies | Network Discovery Policies in the Cisco Secure Firewall Management Center Device Configuration Guide
Use tools beyond your Firepower system to collect and analyze data about network traffic and potential threats | Integration with external tools | Event Analysis Using External Tools, on page 573
Perform application detection and control | Application detectors | Application Detection in the Cisco Secure Firewall Management Center Device Configuration Guide
Troubleshoot issues | N/A | Troubleshooting, on page 395

Integration with External Tools

To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

If you want to... | Configure... | As described in...
Automatically launch remediations when conditions on your network violate an associated policy | Remediations | Introduction to Remediations, on page 979; Firepower System Remediation API Guide
Stream event data from a management center to a custom-developed client application | eStreamer integration | eStreamer Server Streaming, on page 595; Firepower System eStreamer Integration Guide
Query database tables on a management center using a third-party client | External database access | External Database Access Settings, on page 50; Firepower System Database Access Guide
Augment discovery data by importing data from third-party sources | Host input | Host Input Data in the Cisco Secure Firewall Management Center Device Configuration Guide; Firepower System Host Input API Guide
Investigate events using external event data storage tools and other data resources | Integration with external event analysis tools | Event Analysis Using External Tools, on page 573
Troubleshoot issues | N/A | Troubleshooting, on page 395

Search the Management Center

You can use the global search feature to quickly locate and navigate to elements of your Secure Firewall Management Center configuration.

Note This feature is supported in Light and Dusk themes only. To change the theme, see Change the Web Interface Appearance, on page 188.

You can search the management center configuration for the following entities:

• Names of web interface pages in top-level menus. (See Search for Web Interface Menu Options, on page 14.)

• For certain policy types:

  • Policy names

  • Policy descriptions

  • Rule names

  • Rule comments

  (See Search for Policies, on page 15.)

• For certain object types:

  • Object names

  • Object descriptions

  • Configured values

  (See Search for Objects, on page 17.)

• How To walkthroughs. The search returns a list of walkthroughs that contain the search term, with links to each. (See Search for How To Walkthroughs, on page 20.)

Keep the following in mind when using global search:

• When you open the global search tool, the most recent ten searches appear in a history list below the search text box. You can select an item from this list to re-execute a search.

• When you type a search expression, the interface replaces the search history with search results that update as you type; you do not need to press Enter to execute the search.

• You can navigate the history list or the search results using the mouse or the keyboard arrow keys and the Enter key. Pressing the Enter key selects the currently highlighted item in the search results. In the case of results for web interface pages, this causes the management center interface to display the highlighted page. For objects and policies, this displays details about the found entity.

• Search is not case-sensitive.

• You can use the following wildcard characters in your search:

  • ? matches any single character.

  • * matches any 0 or more characters.

  • ^ anchors the search term it precedes to the beginning of matched entities.

  • $ anchors the search term it follows to the end of matched entities.

  Wildcards cannot be escaped.

• For greater efficiency, global search does not return indirect search results; that is, global search does not return policies or objects that reference objects where a search term is found. However, you can determine which policies or objects reference many found objects by viewing the Usages tab for the found object in the search detail pane.

• Global search returns the top results for your search expression determined by its relevance to the most commonly used configuration entities in the management center. If global search fails to return something you are expecting to find, try refining your search, try using the search or filter tool that appears at the top of many GUI pages, or try some of the configuration-specific search features the web interface offers:

  • Searching for Rules in the Cisco Secure Firewall Management Center Device Configuration Guide

  • Searching and Filtering the NAT Rule Table in the Cisco Secure Firewall Management Center Device Configuration Guide

  • Event Search

  • Searching Custom Tables

Global Search in a Multidomain Deployment

In a multidomain deployment, by default search returns only objects and policies defined within the current domain and its ancestor domains. You can see objects and policies in child domains by toggling an option in the search results dialog.

For an object search, if your search expression is found in objects defined in domains other than your current domain, the search results display the names of the domains within which those objects reside. If your search expression is found in objects defined within your current domain, the search results display the object values.

In the example screenshot below, the deployment consists of three domains at three levels: Global, Domain1, and SubDomainA. The user, whose current domain is Domain1, has entered a search for the string “example” in both ancestor and child domains.

Figure 1: Example of Global Search in a Multidomain Environment


1 The user has chosen to search child domains (SubDomainA) as well as the current domain (Domain1) and its ancestor (Global).

2 A matching network object ExampleHostOne defined in the parent domain Global is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details.

3 The matching network object ExampleHostThree defined in the child domain SubDomainA is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details. This object is currently selected.

4 The matching network object ExampleHostThree is currently selected, and information is provided in the right pane. The External Domain icon indicates that when the user clicks Edit, the system will prompt the user to confirm a domain change before allowing edit access to the object.

5 The matching network object ExampleHostTwo, defined in the current domain, is displayed with the object value, and with the Current Domain icon indicating the user may edit this object without switching domains.

6 The matching access control policy ExampleACPolicyOne defined in the parent domain Global is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details.

7 The matching access control policy ExampleACPolicyThree defined in the child domain SubDomainA is displayed with the domain name, and the External Domain icon indicating the user must switch domains to edit details.

8 The matching access control policy ExampleACPolicyTwo defined in the current domain is displayed with the Current Domain icon indicating the user may edit details without switching domains.
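The following Python, added here and not part of this guide or of Cisco's software, models the wildcard rules listed under Search the Management Center together with the domain scoping shown in this figure: it uses the Global, Domain1 and SubDomainA tree and the object and policy names from the callouts, while the addresses and the description text are constructed.

```python
"""Model of the global search rules described above (added example, not Cisco code).

Covers the wildcard grammar (? * ^ $, case-insensitive, no escaping) and the
multidomain scoping rule (current domain plus ancestors; children only when the
toggle is on). The domain tree, object names and values are constructed to mirror
Figure 1; the addresses are made up.
"""
import re
from dataclasses import dataclass

# Constructed domain tree: child -> parent. Global is the root.
DOMAIN_PARENT = {"Global": None, "Domain1": "Global", "SubDomainA": "Domain1"}


@dataclass(frozen=True)
class ConfigEntity:
    kind: str                # "Network" or "Access Control Policy"
    name: str
    domain: str
    value: str = ""          # configured value; policies have none here
    description: str = ""


# Constructed inventory mirroring the figure callouts (values are made up).
INVENTORY = [
    ConfigEntity("Network", "ExampleHostOne", "Global", "192.0.2.1"),
    ConfigEntity("Network", "ExampleHostTwo", "Domain1", "192.0.2.2"),
    ConfigEntity("Network", "ExampleHostThree", "SubDomainA", "192.0.2.3"),
    ConfigEntity("Network", "BranchServer", "Domain1", "192.0.2.7",
                 description="Branch office example host"),
    ConfigEntity("Network", "Unrelated", "Global", "198.51.100.9"),
    ConfigEntity("Access Control Policy", "ExampleACPolicyOne", "Global"),
    ConfigEntity("Access Control Policy", "ExampleACPolicyTwo", "Domain1"),
    ConfigEntity("Access Control Policy", "ExampleACPolicyThree", "SubDomainA"),
]


def wildcard_to_regex(term: str) -> "re.Pattern":
    """Translate a search expression into a compiled regex.

    '?' matches one character, '*' zero or more; a leading '^' anchors the term
    to the start and a trailing '$' to the end. Everything else is literal, and
    because wildcards cannot be escaped there is no escape handling. Terms
    without anchors match anywhere, and matching ignores case.
    """
    start = term.startswith("^")
    end = term.endswith("$") and len(term) > int(start)
    body = term[int(start): len(term) - int(end)]
    pattern = "".join(
        "." if ch == "?" else ".*" if ch == "*" else re.escape(ch) for ch in body
    )
    return re.compile(("^" if start else "") + pattern + ("$" if end else ""),
                      re.IGNORECASE | re.DOTALL)


def ancestors(domain: str) -> list:
    """The domain itself followed by its ancestors up to Global."""
    chain = []
    while domain is not None:
        chain.append(domain)
        domain = DOMAIN_PARENT[domain]
    return chain


def domains_in_scope(current: str, include_children: bool) -> set:
    """Default scope is the current domain and its ancestors; the
    'Include child domains in search results' toggle adds every descendant."""
    scope = set(ancestors(current))
    if include_children:
        scope |= {d for d in DOMAIN_PARENT if d != current and current in ancestors(d)}
    return scope


def global_search(term, current_domain, include_children=False, entities=INVENTORY):
    """Return (name, display) pairs for entities in scope whose name, description
    or configured value matches. Hits outside the current domain display their
    domain name; hits in the current domain display their configured value."""
    rx = wildcard_to_regex(term)
    scope = domains_in_scope(current_domain, include_children)
    hits = []
    for e in entities:
        if e.domain not in scope:
            continue
        if any(rx.search(f) for f in (e.name, e.description, e.value)):
            hits.append((e.name, e.value if e.domain == current_domain else e.domain))
    return hits
```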

Search for Web Interface Menu Options

You can search to find locations of pages in the top-level menus of the web interface. For example, to view or configure Quality of Service settings, search for QoS.

Before you begin

This feature is not available in the Classic theme. To change the theme, see Change the Web Interface Appearance, on page 188.

Procedure

Step 1 Use one of two methods to initiate a search:

• In the menu bar at the top of the management center web interface, click Search.

• With focus outside of a text box, type / (forward slash).

Step 2 Enter one or more letters of the name of the menu option you seek. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.

Step 3 Search results appear grouped by category. To go to a page listed under Navigation, click the menu path in the search results list.

Search for Policies

The following table indicates which policy types you can search for by name:

In Scope:

• Access Control Policy

• Prefilter Policy

• Threat Defense NAT Policy

• Intrusion category: Intrusion Policy, Network Analysis Policy

• Threat Defense Platform Settings

Out of Scope:

• Firepower Settings Policy

• Firepower NAT Policy

• QoS Policy

• FlexConfig Policy

• DNS Policy

• Malware & File Policy

• SSL Policy

• Identity Policy

• Network Discovery

• Application Detector

• Correlation Policy

• VPN category: Dynamic Access Policy, Site To Site, Remote Access

Global search returns policies whose names match the search term, as well as access control policies using rules whose name or comments match the search term. If you see an access control policy in the search result list whose name does not match the search, the match was made on the name or comments for a rule configured within the policy.


Important Global search returns the top results for your search expression determined by its relevance to the most commonly used configuration entities in the management center. Your search term may exist in policy types that are not in scope for this search feature. For a full description of the global search feature and alternative search methods, see Search the Management Center.

Before you begin

This feature is not available in the Classic theme. To change the theme, see Change the Web Interface Appearance, on page 188.

Procedure

Step 1 Use one of two methods to initiate a search:

• In the menu bar at the top of the management center web interface, click Search.

• With focus outside of a text box, type / (forward slash).

Step 2 Enter a search expression in the search text box. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.

Step 3 (Optional) In a multidomain deployment, if your current domain has descendant domains, you can toggle Include child domains in search results to see policies in those descendant domains.

Step 4 Search results appear grouped by category. In a multidomain deployment, within the Policies category the search results are grouped by the domains within which found policies are defined. Under the Policies category you can do the following:

To: | Do this:
View search results for a single policy type. | Click the policy type in the search results, such as Access Control Policy.
View details about a policy. | Click the policy name in the search results list to view the details pane and display the General tab.
View the Access Control policies that reference Intrusion and Network Analysis policies. | Click the name of the Intrusion or Network Analysis policy in the search results to view the details pane and display the Usages tab.
Open the policy configuration page for a policy in a separate browser window. | Click the policy name in the search results, and in the details pane click Edit. In a multidomain deployment, if you choose to edit a policy not defined within your current domain, the system will prompt you to change your current domain.

Search for Objects

The following table indicates which object types listed on the Object Management page (Objects > Object Management) are in scope for the Global Search feature:

In Scope:

• AAA Server category: RADIUS Server Group, Single Sign-On Server

• Access List category: Extended Access List, Standard Access List

• Address Pools category: IPv4 Pools, IPv6 Pools

• AS Path

• Community List category: Extended Community

• DNS Server Group

• External Attributes category: Dynamic Object, Security Group Tag

• Interface category: Security Zone, Interface Group

• Key Chain

• Network (includes Network, Host, Range, FQDN, Network Group)

• PKI category: Cert Enrollment

• Policy List

• Port (objects and groups, TCP, UDP, ICMP, ICMP6, other)

• Prefix List category: IPV4 Prefix List, IPV6 Prefix List

• Route Map

• SLA Monitor

• Time Range

• Time Zone

• Tunnel Zone

• URL (Objects, groups)

• VLAN Tag (Objects, groups)

• VPN category: Certificate Map, Group Policy, IKEv1 IPsec Proposal, IKEv1 Policy, IKEv2 IPSec Proposal, IKEv2 Policy

Out of Scope:

• Application Filters

• Cipher Suite List

• Community List category: Community

• Distinguished Name category: Individual Distinguished Name Objects, Distinguished Name Object Groups

• File List

• FlexConfig category: FlexConfig Object, Text Object

• Geolocation

• PKI category: External Cert Groups, External Certs, Internal CA Groups, Internal CAs, Internal Cert Groups, Internal Certs, Trusted CA Groups, Trusted CAs

• Security Intelligence category: DNS Lists and Feeds, Network Lists and Feeds, URL Lists and Feeds

• Sinkhole

• Variable Set

• VPN category: AnyConnect File, Custom Attribute

Global search returns objects whose names or description match the search term, as well as objects with configured values that match the search term. If you see an object in the search result list whose name does not match the search, the match was made on the description or a configured value within the object.

Important Global search returns the top results for your search expression determined by its relevance to the most commonly used configuration entities in the management center. Your search term may exist in object types that are not in scope for this search feature. For a full description of the global search feature and alternative search methods, see Search the Management Center.

Object searches can be particularly useful when you need to locate network information within your deployment.

You can search for the following in object names, descriptions, or configured values:

• IPv4 and IPv6 address information, including the following formats:

  • Full addresses (for example, 194.164.0.23, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

  • Partial addresses (for example, 194.164, 2001:db8).

  • Ranges (for example, 192.164.1.1-192.168.1.5 or 2001:db8::0202-2001:db8::8329. Do not add a space before or after the hyphen.) Global search returns objects using network addresses that match any within the specified range.

  • CIDR notation (for example, 192.168.1.0/24, 2002::1234:abcd:ffff:101/64). Global search returns objects using network addresses that match any within the specified CIDR block.

• Port information:

  • Port numbers (for example, 22 or 80).

  • Protocols (for example, https or ssh).

• Fully qualified domain names (for example, www.cisco.com).

• URLs (for example, http://www.cisco.com).

• Encryption standards or hash types (for example, AES-128 or SHA).

• VLAN tag numbers (for example, 568).
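The following Python, added here and not taken from the guide or from Cisco, shows how a search expression in each of the address formats above (full address, partial address, range, CIDR block) can be matched against constructed Network object values, including the no-spaces rule for ranges; treating a partial address as a substring match is this example's assumption.

```python
"""Address matching for object search (added example, not Cisco code).

Shows how a search expression in each address format the guide lists (full
address, partial address, range, CIDR block) can be matched against the
configured values of Network objects. The objects below are constructed;
the matching rules are this example's reading of the guide's description.
"""
import ipaddress

# Constructed Network objects: name -> configured value.
NETWORK_OBJECTS = {
    "web-server": "194.164.0.23",
    "branch-lan": "192.168.1.0/24",
    "dmz-range": "192.168.1.3-192.168.1.9",
    "ipv6-host": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv6-range": "2001:db8::0202-2001:db8::8329",
    "mgmt-net": "10.10.0.0/16",
}


def parse_span(text: str):
    """Parse a host address, CIDR block or hyphenated range (no spaces around
    the hyphen, as the guide requires) into (first_address, last_address).
    Raises ValueError for anything else, including a spaced range."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {text}")
        return first, last
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.ip_address(text)
    return addr, addr


def classify(term: str):
    """A term that parses as an address, range or CIDR block is matched as an
    address span; anything else (e.g. 194.164 or 2001:db8) is a partial address
    and is matched as text."""
    try:
        first, last = parse_span(term)
        return "span", first, last
    except ValueError:
        return "partial", term.lower(), None


def matches(term: str, value: str) -> bool:
    """True when the object's configured value is hit by the search expression.

    Span terms hit any object whose addresses overlap the span, which is how the
    guide describes range and CIDR searches ("match any within the specified
    range"). Partial terms are matched as a substring of the configured value
    or of its canonical form, so 2001:db8 also finds 2001:0db8:... (assumption).
    """
    kind, a, b = classify(term)
    obj_first, obj_last = parse_span(value)
    if kind == "partial":
        haystacks = (value.lower(), str(obj_first), str(obj_last))
        return any(a in h for h in haystacks)
    if a.version != obj_first.version:
        return False
    return a <= obj_last and obj_first <= b


def search(term: str, objects=NETWORK_OBJECTS) -> list:
    """Names of objects hit by the term, sorted for stable output."""
    return sorted(name for name, value in objects.items() if matches(term, value))
```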

Before you begin

This feature is not available in the Classic theme. To change the theme, see Change the Web Interface Appearance, on page 188.

Procedure

Step 1 Use one of two methods to initiate a search:

• In the menu bar at the top of the management center web interface, click Search.

• With focus outside of a text box, type / (forward slash).

Step 2 Enter a search expression in the search text box. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.

If your search expression is found in objects defined in domains other than your current default domain, the search results display the names of the domains within which those objects reside. If your search expression is found in objects defined within your current domain, the search results display the object values.

Step 3 (Optional) In a multidomain deployment, if your current domain has descendant domains, you can toggle Include child domains in search results to see objects in those descendant domains.

Step 4 Search results appear divided by category. In a multidomain deployment, within the Objects category the search results are grouped by the domains within which found objects are defined. Under the Objects category you can do the following:

To: | Do this:
View search results for a single object type. | Click on the object type in the search results, such as Network.
View details about an object in the search results. | Click the object name in the search results to view the details pane and display the General tab.
View a list of policies or objects that use an object in the search results. | Click the object name in the search results to view the details pane and display the Usages tab. Note Global Search does not provide usage information for all object types.
Open the object configuration page for an object in a separate browser window. | Click the object name in the search results, and in the details pane click Edit. In a multidomain deployment, if you choose to edit an object not defined within your current domain, the system will prompt you to change your current domain.

Search for How To Walkthroughs

You can search for How To walkthroughs that address tasks of interest. For example, to find walkthroughs that describe device set up procedures, you can search for the term "device."

Before you begin

This feature is not available in the Classic theme. To change the theme, see Change the Web Interface Appearance, on page 188.

Procedure

Step 1 Use one of two methods to initiate a search:

• In the menu bar at the top of the management center web interface, click Search.

• With focus outside of a text box, type / (forward slash).

Step 2 Enter a search term associated with a task for which you would like to see a walkthrough. Search results appear below the text box and update as you type; you do not need to press Enter to execute the search.

Step 3 Search results appear grouped by category. To view a walkthrough listed under How-Tos, click the walkthrough title in the search results list. For more information on How To walkthroughs, see Online Help, How To, and Documentation, on page 23.

Switching Domains on the Secure Firewall Management Center

In a multidomain deployment, user role privileges determine which domains a user can access and which privileges the user has within each of those domains. You can associate a single user account with multiple domains and assign different privileges for that user in each domain. For example, you can assign a user read-only privileges in the Global domain, but Administrator privileges in a descendant domain.

Users associated with multiple domains can switch between domains within the same web interface session.

Under your user name in the toolbar, the system displays a tree of available domains. The tree:

• Displays ancestor domains, but may disable access to them based on the privileges assigned to your user account.

• Hides any other domain your user account cannot access, including sibling and descendant domains.

When you switch to a domain, the system displays:

• Data that is relevant to that domain only.

• Menu options determined by the user role assigned to you for that domain.

Procedure

From the drop-down list under your user name, choose the domain you want to access.

The Context Menu

Certain pages in the web interface support a right-click (most common) or left-click context menu that you can use as a shortcut for accessing other features. The contents of the context menu depend on where you access it—not only the page but also the specific data.

For example:

• IP address hotspots provide information about the host associated with that address, including any available whois and host profile information.

• SHA-256 hash value hotspots allow you to add a file’s SHA-256 hash value to the clean list or custom detection list, or view the entire hash value for copying.

On pages or locations that do not support the context menu, the normal context menu for your browser appears.

Policy Editors

Many policy editors contain hotspots over each rule. You can insert new rules and categories; cut, copy, and paste rules; set the rule state; and edit the rule.

Intrusion Rules Editor

The intrusion rules editor contains hotspots over each intrusion rule. You can edit the rule, set the rule state, configure thresholding and suppression options, and view rule documentation. Optionally, after clicking Rule documentation in the context menu, you can click Rule Documentation in the documentation pop-up window to view more-specific rule details.


Event Viewer

Event pages (the drill-down pages and table views available under the Analysis menu) contain hotspots over each event, IP address, URL, DNS query, and certain files’ SHA-256 hash values. While viewing most event types, you can:

• View related information in the Context Explorer.

• Drill down into event information in a new window.

• View the full text in places where an event field contains text too long to fully display in the event view, such as a file’s SHA-256 hash value, a vulnerability description, or a URL.

• Open a web browser window with detailed information about the element from an external source, using the Contextual Cross-Launch feature. For more information, see Event Investigation Using Web-Based Resources, on page 578.

While viewing connection events, you can add items to the default Security Intelligence Block and Do Not Block lists:

• An IP address, from an IP address hotspot.

• A URL or domain name, from a URL hotspot.

• A DNS query, from a DNS query hotspot.

While viewing captured files, file events, and malware events, you can:

• Add a file to or remove a file from the clean list or custom detection list.

• Download a copy of the file.

• View nested files inside an archive file.

• Download the parent archive file for a nested file.

• View the file composition.

• Submit the file for local malware and dynamic analysis.

While viewing intrusion events, you can perform similar tasks to those in the intrusion rules editor or an intrusion policy:

• Edit the triggering rule.

• Set the rule state, including disabling the rule.

• Configure thresholding and suppression options.

• View rule documentation. Optionally, after clicking Rule documentation in the context menu, you can click Rule Documentation in the documentation pop-up window to view more-specific rule details.

Intrusion Event Packet View

Intrusion event packet views contain IP address hotspots. The packet view uses a left-click context menu.


Dashboard

Many dashboard widgets contain hotspots to view related information in the Context Explorer. Dashboard widgets can also contain IP address and SHA-256 hash value hotspots.

Context Explorer

The Context Explorer contains hotspots over its charts, tables, and graphs. If you want to examine data from graphs or lists in more detail than the Context Explorer allows, you can drill down to the table views of the relevant data. You can also view related host, user, application, file, and intrusion rule information.

The Context Explorer uses a left-click context menu, which also contains filtering and other options unique to the Context Explorer.

Sharing Data with Cisco

You can opt to share data with Cisco using the following features:

• Cisco Success Network. See Configure Cisco Success Network Enrollment, on page 575.

• Web analytics. See (Optional) Opt Out of Web Analytics Tracking, on page 101.

Online Help, How To, and Documentation

You can reach the online help from the web interface:

• By clicking the context-sensitive help link on each page

• By choosing Help > Online

How To is a widget that provides walkthroughs for tasks on the management center. A walkthrough takes you through each step required to complete a task, one after the other, regardless of how many UI screens you have to navigate along the way. The How To widget is enabled by default. To disable the widget, choose User Preferences from the drop-down list under your user name, and uncheck the Enable How-Tos check box in How-To Settings. To open the walkthroughs, choose Help > How-Tos.

Note The walkthroughs are generally available for all UI pages and are not user role sensitive. However, depending on the privileges of the user, some of the menu items will not appear on the management center interface, so the walkthroughs cannot run on such pages.

The following walkthroughs are available on management center:

• Register management center with Cisco Smart Account: This walkthrough guides you to register management center with Cisco Smart Account.

• Set up a Device and add it to management center: This walkthrough guides you to set up a device and to add the device to management center.


• Configure Date and Time: This walkthrough guides you to configure the date and time of the threat defense devices using a platform settings policy.

• Configure Interface Settings: This walkthrough guides you to configure the interfaces on the threat defense devices.

• Create an Access Control Policy: An access control policy consists of a set of ordered rules, which are evaluated from top to bottom. This walkthrough guides you to create an access control policy.

• Add an Access Control Rule - A Feature Walkthrough: This walkthrough describes the components of an access control rule, and how you can use them in management center.

• Configure Routing Settings: Various routing protocols are supported by threat defense. A static route defines where to send traffic for specific destination networks. This walkthrough guides you to configure static routing for the devices.

• Create a NAT Policy - A Feature Walkthrough: This walkthrough guides you to create a NAT policy and walks you through the various features of a NAT rule.

You can find additional documentation using the documentation roadmap: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html

User Guides on Cisco.com

The following documents may be helpful when configuring Secure Firewall Management Center deployments, Version 6.0+.

Note Some of the linked documents are not applicable to Secure Firewall Management Center deployments. For example, some links on Secure Firewall Threat Defense pages are specific to deployments managed by Secure Firewall device manager, and some links on hardware pages are unrelated to management center. To avoid confusion, pay careful attention to document titles. Also, some documents cover multiple products and therefore may appear on multiple product pages.

Secure Firewall Management Center

• Secure Firewall Management Center hardware appliances: http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html

• Secure Firewall Management Center Virtual appliances:

• http://www.cisco.com/c/en/us/support/security/defense-center-virtual-appliance/tsd-products-support-series-home.html

• http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html

Secure Firewall Threat Defense, also called NGFW (Next Generation Firewall) devices

• Secure Firewall Threat Defense software: http://www.cisco.com/c/en/us/support/security/firepower-ngfw/tsd-products-support-series-home.html


• Secure Firewall Threat Defense Virtual: http://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/tsd-products-support-series-home.html

• Firepower 1000 series: https://www.cisco.com/c/en/us/support/security/firepower-1000-series/tsd-products-support-series-home.html

• Firepower 2100 series: https://www.cisco.com/c/en/us/support/security/firepower-2100-series/tsd-products-support-series-home.html

• Secure Firewall 3100: https://www.cisco.com/c/en/us/support/security/secure-firewall-3100-series/series.html

• Firepower 4100 series: https://www.cisco.com/c/en/us/support/security/firepower-4100-series/tsd-products-support-series-home.html

• Firepower 9300: https://www.cisco.com/c/en/us/support/security/firepower-9000-series/tsd-products-support-series-home.html

• ISA 3000: https://www.cisco.com/c/en/us/support/security/industrial-security-appliance-isa/tsd-products-support-series-home.html

License Statements in the Documentation

The License statement at the beginning of a section indicates which Classic or Smart license you must assign to a managed device to enable the feature described in the section.

Because licensed capabilities are often additive, the license statement provides only the highest required license for each feature.

An “or” statement in a License statement indicates that you must assign a particular license to the managed device to enable the feature described in the section, but an additional license can add functionality. For example, within a file policy, some file rule actions require that you assign a Protection license to the device while others require that you assign a Malware license.

For more information about licenses, see About Licenses, on page 229.

Related Topics

About Licenses, on page 229

Supported Devices Statements in the Documentation

The Supported Devices statement at the beginning of a chapter or topic indicates that a feature is supported only on the specified device series, family, or model. For example, many features are supported only on Secure Firewall Threat Defense devices.


For more information on platforms supported by this release, see the release notes.

Access Statements in the Documentation

The Access statement at the beginning of each procedure in this documentation indicates the predefined user roles required to perform the procedure. Any of the listed roles can perform the procedure.

Users with custom roles may have permission sets that differ from those of the predefined roles. When a predefined role is used to indicate access requirements for a procedure, a custom role with similar permissions also has access. Some users with custom roles may use slightly different menu paths to reach configuration pages. For example, users who have a custom role with only intrusion policy privileges access the network analysis policy via the intrusion policy instead of the standard path through the access control policy.

IP Address Conventions

You can use IPv4 Classless Inter-Domain Routing (CIDR) notation and the similar IPv6 prefix length notation to define address blocks in many places in the system.

When you use CIDR or prefix length notation to specify a block of IP addresses, the system uses only the portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8, the system uses 10.0.0.0/8.

In other words, although Cisco recommends the standard method of using a network IP address on the bit boundary when using CIDR or prefix length notation, the system does not require it.
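As an added example (not code from the Cisco guide), the following Python reproduces the normalization rule described above and flags entries whose host bits were discarded, because an entry such as 10.1.2.3/8 silently becomes a block covering all of 10.0.0.0/8, which matters when the block feeds an access control or NAT rule. The function names and sample inputs are constructed for illustration; it also handles IPv6 prefix-length and dotted-mask forms beyond the single IPv4 case the text shows.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalizedBlock:
    typed: str                 # text an operator entered, e.g. "10.1.2.3/8"
    effective: str             # block the system actually uses, e.g. "10.0.0.0/8"
    host_bits_discarded: bool  # True when the typed address was not on the bit boundary


def normalize_block(typed: str) -> NormalizedBlock:
    """Apply the documented rule: keep only the network portion selected by the
    CIDR mask or IPv6 prefix length and discard any host bits.

    Accepts IPv4 CIDR ("10.1.2.3/8"), IPv4 with a dotted mask
    ("10.1.2.3/255.0.0.0"), IPv6 prefix length ("2001:db8::1/32") and a bare
    address (treated as a single /32 or /128 host). Raises ValueError on
    malformed input, as the ipaddress module does.
    """
    text = typed.strip()
    # ip_interface, unlike ip_network() in strict mode, accepts host bits.
    iface = ipaddress.ip_interface(text)
    net = iface.network  # network address with the host bits zeroed
    return NormalizedBlock(
        typed=text,
        effective=str(net),
        host_bits_discarded=(iface.ip != net.network_address),
    )


def audit_blocks(typed_blocks):
    """Review a list of typed address blocks before they go into a rule.

    Returns (widened, invalid): widened lists (typed, effective, num_addresses)
    for entries whose host bits were dropped, i.e. entries that match more
    addresses than a reader of the typed text might expect; invalid lists the
    entries the parser rejected.
    """
    widened, invalid = [], []
    for typed in typed_blocks:
        try:
            nb = normalize_block(typed)
        except ValueError:
            invalid.append(typed)
            continue
        if nb.host_bits_discarded:
            num = ipaddress.ip_network(nb.effective).num_addresses
            widened.append((nb.typed, nb.effective, num))
    return widened, invalid


if __name__ == "__main__":
    # Constructed sample input, not taken from any real configuration.
    sample = ["10.1.2.3/8", "192.0.2.0/24", "2001:db8::1/32", "10.1.2.3", "10.1.2.300/8"]
    widened, invalid = audit_blocks(sample)
    for typed, effective, num in widened:
        print(f"{typed!r} is stored as {effective} ({num} addresses)")
    print("rejected:", invalid)
```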

Additional Resources

The Firewalls Community is an exhaustive repository of reference material that complements our extensive documentation. This includes links to 3D models of our hardware, hardware configuration selector, product collateral, configuration examples, troubleshooting tech notes, training videos, lab and Cisco Live sessions, social media channels, Cisco Blogs and all the documentation published by the Technical Publications team.

Some of the individuals posting to community sites or video sharing sites, including the moderators, work for Cisco Systems. Opinions expressed on those sites and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party.

Note Some of the videos, technical notes, and reference material in the Firewalls Community point to older versions of the management center. Your version of the management center and the version referenced in the videos or technical notes might have differences in the user interface that cause the procedures not to be identical.

Chapter 2

Logging into the Management Center

The following topics describe how to log into the system:

User Accounts, on page 27

System User Interfaces, on page 29

Logging Into the Secure Firewall Management Center Web Interface, on page 31

Logging Into the Management Center Web Interface Using SSO, on page 32

Logging Into the Secure Firewall Management Center with CAC Credentials, on page 33

Logging Into the Management Center Command Line Interface, on page 33

View Your Last Login, on page 34

Logging Out of the Management Center Web Interface, on page 35

History for Logging into the Management Center, on page 35

User Accounts

You must provide a username and password to obtain local access to the web interface or CLI on management center or a managed device. On managed devices, CLI users with Config level access can use the expert command to access the Linux shell. On the management center, all CLI users can use the expert command.

The threat defense and management center can be configured to use external authentication, storing user credentials on an external LDAP or RADIUS server; you can withhold or provide CLI access rights to external users. The management center can be configured to support Single Sign-On (SSO) using any SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard for authentication and authorization.

The management center CLI provides a single admin user who has access to all commands. The features management center web interface users can access are controlled by the privileges an administrator grants to the user account. On managed devices, the features that users can access for both the CLI and the web interface are controlled by the privileges an administrator grants to the user account.

Note The system audits user activity based on user accounts; make sure that users log into the system with the correct account.


Caution All management center CLI users and, on managed devices, users with Config level CLI access can obtain root privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:

• If you establish external authentication, make sure that you restrict the list of users with CLI access appropriately.

• When granting CLI access privileges on managed devices, restrict the list of internal users with Config level CLI access.

• Do not establish Linux shell users; use only the pre-defined admin user and users created by the admin user within the CLI.

Caution We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Firepower user documentation.

Different appliances support different types of user accounts, each with different capabilities.

Secure Firewall Management Centers

Secure Firewall Management Centers support the following user account types:

• A pre-defined admin account for web interface access, which has the administrator role and can be managed through the web interface.

• Custom user accounts, which provide web interface access and which admin users and users with administrator privileges can create and manage.

• A pre-defined admin account for CLI access. Users logging in with this account can use the expert command to gain access to the Linux shell.

During initial configuration, the passwords for the CLI admin account and the web interface admin account are synchronized but, optionally, thereafter you can configure separate passwords for the two admin accounts.

Caution For system security reasons, Cisco strongly recommends that you not establish additional Linux shell users on any appliance.

Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual Devices

Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual devices support the following user account types:

• A pre-defined admin account which can be used for all forms of access to the device.

• Custom user accounts, which admin users and users with Config access can create and manage.

The Secure Firewall Threat Defense supports external authentication for SSH users.


System User Interfaces

Depending on appliance type, you can interact with appliances using a web-based GUI, auxiliary CLI, or the Linux shell. In a Secure Firewall Management Center deployment, you perform most configuration tasks from the management center GUI. Only a few tasks require that you access the appliance directly using the CLI or Linux shell. We strongly discourage using the Linux shell unless directed by Cisco TAC or explicit instructions in the user documentation.

For information on browser requirements, see the Firepower Release Notes.

Note On all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.

Appliance: Secure Firewall Management Center

Web-Based GUI:

• Supported for predefined admin user and custom user accounts.

• Can be used for administrative, management, and analysis tasks.

Auxiliary CLI:

• Supported for predefined admin user and custom external user accounts.

• Accessible using an SSH, serial, or keyboard and monitor connection.

• Should be used only for administration and troubleshooting directed by Cisco TAC.

Linux Shell:

• Supported for predefined admin user.

• Must be accessed via the expert command from the Secure Firewall Management Center CLI.

• Accessible using an SSH, serial, or keyboard and monitor connection.

• Should be used only for administration and troubleshooting directed by Cisco TAC or by explicit instructions in the management center documentation.

Appliance: Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual

Web-Based GUI: —

Auxiliary CLI:

• Supported for predefined admin user and custom user accounts.

• Accessible in physical devices using an SSH, serial, or keyboard and monitor connection. Accessible in virtual devices via SSH or VM console.

• Can be used for setup and troubleshooting directed by Cisco TAC.

Linux Shell:

• Supported for predefined admin user and custom user accounts.

• Accessible by CLI users with Config access using the expert command.

• Should be used only for administration and troubleshooting directed by Cisco TAC or by explicit instructions in the management center documentation.


Related Topics

Add an Internal User, on page 111

Web Interface Considerations

• If your organization uses Common Access Cards (CACs) for authentication, external users authenticated with LDAP can use CAC credentials to obtain access to the web interface of an appliance.

• The menus and menu options listed at the top of the default home page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the system displays a warning message and logs the activity.

• Some processes that take a significant amount of time may cause your web browser to display a message that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it finishes.

Related Topics

Specifying Your Home Page, on page 188

Session Timeout

By default, the system automatically logs you out of a session after 1 hour of inactivity, unless you are otherwise configured to be exempt from session timeout.

Note For SSO users, when the management center session times out, the display briefly redirects to the IdP interface, and then to the management center login page. Unless the SSO session has been terminated from elsewhere, anyone can access the management center without providing login credentials simply by clicking the Single Sign-On link on the login page. To ensure management center security and prevent others from accessing the management center using your SSO account, we recommend that you not leave a management center login session unattended, and that you log out of the SSO federation at the IdP when you log out of the management center.

Users with the Administrator role can change the session timeout interval for an appliance via the following settings:

System > Configuration > Shell Timeout

Related Topics

Configure Session Timeouts, on page 92

Configure SAML Single Sign-On, on page 129


Logging Into the Secure Firewall Management Center Web Interface

Note This task applies to internal users and external users authenticated by LDAP or RADIUS servers. For SSO login, see Logging Into the Management Center Web Interface Using SSO, on page 32.

Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.

In a NAT environment where multiple management centers share the same IP address:

• Each management center can support only one login session at a time.

• To access different management centers, use a different browser for each login (for example Firefox and Chrome), or set the browser to incognito or private mode.

Before you begin

• If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.

• Create user accounts as described in Add an Internal User, on page 111.

Procedure

Step 1 Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your management center.

Step 2 In the Username and Password fields, enter your user name and password. Pay attention to the following guidelines:

• User names are not case-sensitive.

• In a multidomain deployment, prepend the user name with the domain where your user account was created. You are not required to prepend any ancestor domains. For example, if your user account was created in SubdomainB, which has an ancestor DomainA, enter your user name in the following format: SubdomainB\username

• If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log into the system.

Step 3 Click Login.

Related Topics

Session Timeout, on page 30


Logging Into the Management Center Web Interface Using SSO

The management center can be configured to participate in any Single-Sign On (SSO) federation implemented with an SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard.

SSO user accounts must be established at the identity provider (IdP) and must use email addresses for their account names. If your user name is not an email address, or SSO login fails, contact your system administrator.

Note The management center does not support logging in with CAC credentials for SSO accounts.

Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.

In a NAT environment where multiple management centers share the same IP address:

• Each management center can support only one login session at a time.

• To access different management centers, use a different browser for each login (for example Firefox and Chrome), or set the browser to incognito or private mode.

Before you begin

• Configure the management center for SSO access. See Configure SAML Single Sign-On, on page 129.

• If you do not have access to the web interface, contact your system administrator to configure your account at the SSO IdP.

Procedure

Step 1 Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your management center.

Note SSO users must consistently access the management center using the login URL specifically configured for SSO access; ask your administrator for this information.

Step 2 Click on the Single Sign-On link.

Step 3 The system responds in one of two ways:

• If you are already logged into the SSO federation, the management center default home page appears.

• If you are not already logged into the SSO federation, the management center redirects your browser to the login page for your IdP. After you complete the login process at the IdP, the management center default home page appears.

Related Topics

Session Timeout, on page 30

Configure SAML Single Sign-On, on page 129


Logging Into the Secure Firewall Management Center with CAC Credentials

Users are restricted to a single active session. If you try to log in with a user account that already has an active session, the system prompts you to terminate the other session or log in as a different user.

In a NAT environment where multiple management centers share the same IP address:

• Each management center can support only one login session at a time.

• To access different management centers, use a different browser for each login (for example Firefox and Chrome), or set the browser to incognito or private mode.

Caution Do not remove a CAC during an active browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.

Before you begin

• If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account.

• Create user accounts as described in Add an Internal User, on page 111.

• Configure CAC authentication and authorization as described in Configure Common Access Card Authentication with LDAP, on page 128.

Procedure

Step 1 Insert a CAC as instructed by your organization.

Step 2 Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your management center.

Step 3 If prompted, enter the PIN associated with the CAC you inserted in step 1.

Step 4 If prompted, choose the appropriate certificate from the drop-down list.

Step 5 Click Continue.

Related Topics

Configure Common Access Card Authentication with LDAP, on page 128

Session Timeout, on page 30

SSO Guidelines for the Management Center, on page 130

Logging Into the Management Center Command Line Interface

The admin CLI user and certain custom external users can log into the management center CLI.


Caution We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the management center documentation.

Note For all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system terminates the SSH connection.

Before you begin

Complete the initial configuration process as the admin user. See Logging In for the First Time, on page 3.

Procedure

Step 1 Use the admin user name and password to connect to the management center via SSH or the console port.

If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, enter 1111222222. You must have already generated your SecurID PIN before you can log in.

Step 2 Use any of the available CLI commands.

View Your Last Login

If you suspect that an unauthorized user has used your credentials to sign in to the Secure Firewall Management Center, you can see the date, time, and IP address from which your credentials were last used to log in:

Before you begin

This feature is not available if you are using the Classic theme. You can select a UI theme in User Preferences.

Procedure

Step 1 Sign in to the Secure Firewall Management Center.

Step 2 At the top right corner of your browser window, look for the User ID that you used to sign in.

Step 3 Click your user name.

Step 4 Information about your previous login is shown at the bottom of the menu that appears.


Logging Out of the Management Center Web Interface

When you are no longer actively using the management center web interface, Cisco recommends that you log out, even if you are only stepping away from your web browser for a short period of time. Logging out ends your web session and ensures that no one can use the interface with your credentials.

Note If you are logging out of an SSO session at the management center, when you log out the system redirects your browser to the SSO IdP for your organization. To ensure management center security and prevent others from accessing the management center using your SSO account, we recommend you log out of the SSO federation at the IdP.

Procedure

Step 1 From the drop-down list under your user name, choose Logout.

Step 2 If you are logging out of an SSO session at the management center, the system redirects you to the SSO IdP for your organization. Log out at the IdP to ensure management center security.

Related Topics

Session Timeout, on page 30

History for Logging into the Management Center

Feature: Added support for Single Sign-On (SSO) using any SAML 2.0-compliant SSO provider.

Version: 6.7

Details: Added the ability for users configured at any third-party SAML 2.0-compliant identity provider (IdP) to log into the management center using a new Single Sign-On link on the login page.

New/Modified screen: Login screen

Feature: View information about the last time you signed in to the Secure Firewall Management Center

Version: 6.5

Details: View the date, time, and IP address from which you last logged in.

New/Modified menus: The menu at the top right of the window that shows the username that you used to log in.

Supported platforms: management center

Feature: Automatic CLI access for the management center

Version: 6.5

Details: When you use SSH to log into the management center, you automatically access the CLI. Although strongly discouraged, you can then use the CLI expert command to access the Linux shell.

Note This feature deprecates the Version 6.3 ability to enable and disable CLI access for the management center. As a consequence of deprecating this option, the virtual management center no longer displays the System > Configuration > Console Configuration page, which still appears on physical management centers.

Feature: Limit number of SSH login failures

Version: 6.3

Details: When a user accesses any device via SSH and fails three successive login attempts, the device terminates the SSH session.

Feature: Ability to enable and disable CLI access for the management center

Version: 6.3

Details: New/Modified screens: New check box available to administrators in the management center web interface: Enable CLI Access on the System > Configuration > Console Configuration page.

• Checked: Logging into the management center using SSH accesses the CLI.

• Unchecked: Logging into the management center using SSH accesses the Linux shell. This is the default state for fresh Version 6.3 installations as well as upgrades to Version 6.3 from a previous release.

Supported platforms: management center


PART II

System Settings

System Configuration, on page 39

Users, on page 105

Domains, on page 195

Updates, on page 203

Licenses, on page 229

High Availability, on page 275

Security Certifications Compliance, on page 295

CHAPTER 3

System Configuration

The following topics explain how to configure system configuration settings on Secure Firewall Management Centers and managed devices:

Requirements and Prerequisites for the System Configuration, on page 40

About System Configuration, on page 40

Appliance Information, on page 42

HTTPS Certificates, on page 43

External Database Access Settings, on page 50

Database Event Limits, on page 52

Management Interfaces, on page 55

Shut Down or Restart, on page 64

Remote Storage Management, on page 64

Change Reconciliation, on page 69

Policy Change Comments, on page 70

Access List, on page 71

Audit Logs, on page 72

Audit Log Certificate, on page 75

Dashboard Settings, on page 79

DNS Cache, on page 80

Email Notifications, on page 80

Language Selection, on page 81

Login Banners, on page 82

SNMP Polling, on page 83

Time and Time Synchronization, on page 84

Global User Configuration Settings, on page 89

Session Timeouts, on page 92

Vulnerability Mapping, on page 92

Remote Console Access Management, on page 93

REST API Preferences, on page 99

VMware Tools and Virtual Systems, on page 100

(Optional) Opt Out of Web Analytics Tracking, on page 101

History for System Configuration, on page 101

Requirements and Prerequisites for the System Configuration

Model Support: Management Center

Supported Domains: Global

User Roles: Admin

About System Configuration

System Configuration settings apply to your Secure Firewall Management Center.

Navigating the Secure Firewall Management Center System Configuration

The system configuration identifies basic settings for a Secure Firewall Management Center.

Procedure

Step 1 Choose System > Configuration.

Step 2 Use the navigation panel to choose configurations to change; see Table 1: System Configuration Settings, on page 40 for more information.

System Configuration Settings

Note that for managed devices, many of these configurations are handled by a platform settings policy applied from the management center.

Table 1: System Configuration Settings

Access Control Preferences: Configure the system to prompt users for a comment when they add or modify an access control policy; see Policy Change Comments, on page 70.

Access List: Control which computers can access the system on specific ports; see Access List, on page 71.

Audit Log: Configure the system to send an audit log to an external host; see Audit Logs, on page 72.

Audit Log Certificate: Configure the system to secure the channel when streaming the audit log to an external host; see Audit Log Certificate, on page 75.

Change Reconciliation: Configure the system to send a detailed report of changes to the system over the last 24 hours; see Change Reconciliation, on page 69.

Console Configuration: Configure console access via VGA or serial port, or via Lights-Out Management (LOM); see Remote Console Access Management, on page 93.

Dashboard: Enable Custom Analysis widgets on the dashboard; see Dashboard Settings, on page 79.

Database: Specify the maximum number of each type of event that the Secure Firewall Management Center can store; see Database Event Limits, on page 52.

DNS Cache: Configure the system to resolve IP addresses automatically on event view pages; see DNS Cache, on page 80.

Email Notification: Configure a mail host, select an encryption method, and supply authentication credentials for email-based notifications and reporting; see Email Notifications, on page 80.

External Database Access: Enable external read-only access to the database, and provide a client driver to download; see External Database Access Settings, on page 50.

HTTPS Certificate: Request an HTTPS server certificate, if needed, from a trusted authority and upload certificates to the system; see HTTPS Certificates, on page 43.

Information: View current information about the appliance and edit the display name; see Appliance Information, on page 42.

Intrusion Policy Preferences: Configure the system to prompt users for a comment when they modify an intrusion policy; see Policy Change Comments, on page 70.

Language: Specify a different language for the web interface; see Language Selection, on page 81.

Login Banner: Create a custom login banner that appears when users log in; see Login Banners, on page 82.

Management Interfaces: Change options such as the IP address, hostname, and proxy settings of the appliance; see Management Interfaces, on page 55.

Network Analysis Policy Preferences: Configure the system to prompt users for a comment when they modify a network analysis policy; see Policy Change Comments, on page 70.

Process: Shut down, reboot, or restart Firepower processes; see Shut Down or Restart, on page 64.

Remote Storage Device: Configure remote storage for backups and reports; see Remote Storage Management, on page 64.

REST API Preferences: Enable or disable access to the Secure Firewall Management Center via the Firepower REST API; see REST API Preferences, on page 99.

Shell Timeout: Configure the amount of idle time, in minutes, before a user's login session times out due to inactivity; see Session Timeouts, on page 92.

SNMP: Enable Simple Network Management Protocol (SNMP) polling; see SNMP Polling, on page 83.

Time: View and change the current time setting; see Time and Time Synchronization, on page 84.

Time Synchronization: Manage time synchronization on the system; see Time and Time Synchronization, on page 84.

UCAPL/CC Compliance: Enable compliance with specific requirements set out by the United States Department of Defense; see Enable Security Certifications Compliance, on page 300.

User Configuration: Configure the Secure Firewall Management Center to track successful login history and password history for all users, or enforce temporary lockouts on users who enter invalid login credentials; see Global User Configuration Settings, on page 89.

VMware Tools: Enable and use VMware Tools on a Secure Firewall Management Center Virtual; see VMware Tools and Virtual Systems, on page 100.

Vulnerability Mapping: Map vulnerabilities to a host IP address for any application protocol traffic received or sent from that address; see Vulnerability Mapping, on page 92.

Web Analytics: Enable and disable collection of non-personally-identifiable information from your system. See (Optional) Opt Out of Web Analytics Tracking, on page 101.

Appliance Information

The System > Configuration page of the web interface includes the information listed in the table below.

Unless otherwise noted, all fields are read-only.

Note See also the Help > About page, which includes similar but slightly different information.

Name: A descriptive name you assign to the management center appliance. Although you can use the host name as the name of the appliance, entering a different name in this field does not change the host name. This name is used in certain integrations. For example, it appears in the Devices list for integrations with SecureX and SecureX threat response. If you change the name, all registered devices are marked out of date and deployment is required to push the new name to the devices.

Product Model: The model name of the appliance.

Serial Number: The serial number of the appliance.

Software Version: The version of the software currently installed on the appliance.

Operating System: The operating system currently running on the appliance.

Operating System Version: The version of the operating system currently running on the appliance.

IPv4 Address: The IPv4 address of the default (eth0) management interface. If IPv4 management is disabled, this field indicates that.

IPv6 Address: The IPv6 address of the default (eth0) management interface. If IPv6 management is disabled, this field indicates that.

Current Policies: The system-level policies currently deployed. If a policy has been updated since it was last deployed, the name of the policy appears in italics.

Model Number: The appliance-specific model number stored on the internal flash drive. This number may be important for troubleshooting.

HTTPS Certificates

Secure Sockets Layer (SSL)/TLS certificates enable Secure Firewall Management Centers to establish an encrypted channel between the system and a web browser. A default certificate is included with all Firepower devices, but it is not generated by a certificate authority (CA) trusted by any globally known CA. For this reason, consider replacing it with a custom certificate signed by a globally known or internally trusted CA.

Caution The management center supports 4096-bit HTTPS certificates. If the certificate used by the management center was generated using a public server key larger than 4096 bits, you will not be able to log in to the management center web interface. If this happens, contact Cisco TAC.

Default HTTPS Server Certificates

If you use the default server certificate provided with an appliance, do not configure the system to require a valid HTTPS client certificate for web interface access because the default server certificate is not signed by the CA that signs your client certificate.

The lifetime of the default server certificate depends on when the certificate was generated. To view your default server certificate expiration date, choose System > Configuration > HTTPS Certificate.

Note that some Firepower software upgrades can automatically renew the certificate. For more information, see the appropriate version of the Cisco Firepower Release Notes.

On the Secure Firewall Management Center, you can renew the default certificate on the System > Configuration > HTTPS Certificate page.

Custom HTTPS Server Certificates

You can use the Secure Firewall Management Center web interface to generate a server certificate request based on your system information and the identification information you supply. You can use that request to sign a certificate if you have an internal certificate authority (CA) installed that is trusted by your browser.

You can also send the resulting request to a certificate authority to request a server certificate. After you have a signed certificate from a certificate authority (CA), you can import it.

HTTPS Server Certificate Requirements

When you use HTTPS certificates to secure the connection between your web browser and the Firepower appliance web interface, you must use certificates that comply with the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280). When you import a server certificate to the appliance, the system rejects the certificate if it does not comply with version 3 (X.509 v3) of that standard.

Before importing an HTTPS server certificate, be certain it includes the following fields:

Version: Version of the encoded certificate. Use version 3. See RFC 5280, section 4.1.2.1.

Serial number: A positive integer assigned to the certificate by the issuing CA. Issuer and serial number together uniquely identify the certificate. See RFC 5280, section 4.1.2.2.

Signature: Identifier for the algorithm used by the CA to sign the certificate. Must match the signatureAlgorithm field. See RFC 5280, section 4.1.2.3.

Issuer: Identifies the entity that signed and issued the certificate. See RFC 5280, section 4.1.2.4.

Validity: Interval during which the CA warrants that it will maintain information about the status of the certificate. See RFC 5280, section 4.1.2.5.

Subject: Identifies the entity associated with the public key stored in the subject public key field; must be an X.500 distinguished name (DN). See RFC 5280, section 4.1.2.6.

Subject Alternative Name: Domain names and IP addresses secured by the certificate. Subject Alternative Name is defined in RFC 5280, section 4.2.1.6. We recommend you use this field if the certificate is used for multiple domains or IP addresses.

Subject Public Key Info: Public key and an identifier for its algorithm. See RFC 5280, section 4.1.2.7.

Authority Key Identifier: Provides a means of identifying the public key corresponding to the private key used to sign a certificate. See RFC 5280, section 4.2.1.1.

Subject Key Identifier: Provides a means of identifying certificates that contain a particular public key. See RFC 5280, section 4.2.1.2.

Key Usage: Defines the purpose of the key contained in the certificate. See RFC 5280, section 4.2.1.3.

Basic Constraints: Identifies whether the certificate Subject is a CA, and the maximum depth of valid certification paths that include this certificate. See RFC 5280, section 4.2.1.9. This field is not strictly required for server certificates used in Firepower appliances, but we strongly recommend including this field and specifying critical CA:FALSE.

Extended Key Usage extension: Indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the Key Usage extension. See RFC 5280, section 4.2.1.12. Be certain you import certificates that can be used as server certificates.

signatureAlgorithm: Identifier for the algorithm the CA used to sign the certificate. Must match the Signature field. See RFC 5280, section 4.1.1.2.

signatureValue: Digital signature. See RFC 5280, section 4.1.1.3.

HTTPS Client Certificates

You can restrict access to the system web server using client browser certificate checking. When you enable user certificates, the web server checks that a user’s browser client has a valid user certificate selected. That user certificate must be generated by the same trusted certificate authority that is used for the server certificate.

The browser cannot load the web interface under any of the following circumstances:

• The user selects a certificate in the browser that is not valid.

• The user selects a certificate in the browser that is not generated by the certificate authority that signed the server certificate.

• The user selects a certificate in the browser that is not generated by a certificate authority in the certificate chain on the device.

To verify client browser certificates, configure the system to use the Online Certificate Status Protocol (OCSP) or load one or more certificate revocation lists (CRLs). With OCSP, when the web server receives a connection request it communicates with the certificate authority to confirm the client certificate's validity before establishing the connection. If you configure the server to load one or more CRLs, the web server compares the client certificate against those listed in the CRLs. If a user selects a certificate that is listed in a CRL as a revoked certificate, the browser cannot load the web interface.

Note If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both client browser certificates and audit log server certificates.

Viewing the Current HTTPS Server Certificate

Procedure

Step 1 Choose System > Configuration.

Step 2 Click HTTPS Certificate.

Generating an HTTPS Server Certificate Signing Request

If you install a certificate that is not signed by a globally known or internally trusted CA, the user's browser displays a security warning when they try to connect to the web interface.

A certificate signing request (CSR) is unique to the appliance or device from which you generated it. You cannot generate a CSR for multiple devices from a single appliance. Although all fields are optional, we recommend entering values for the following: CN, Organization, Organization Unit, City/Locality, State/Province, Country/Region, and Subject Alternative Name.

The key generated for the certificate request is in Base-64 encoded PEM format.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click HTTPS Certificate.

Step 3 Click Generate New CSR. The following figure shows an example.

Step 4 Enter a country code in the Country Name (two-letter code) field.

Step 5 Enter a state or province postal abbreviation in the State or Province field.

Step 6 Enter a Locality or City.

Step 7 Enter an Organization name.

Step 8 Enter an Organizational Unit (Department) name.

Step 9 Enter the fully qualified domain name of the server for which you want to request a certificate in the Common Name field.

Note Enter the fully qualified domain name of the server exactly as it should appear in the certificate in the Common Name field. If the common name and the DNS hostname do not match, you receive a warning when connecting to the appliance.

Step 10 To request a certificate that secures multiple domain names or IP addresses, enter the following information in the Subject Alternative Name section:

a) Domain Names: Enter the fully qualified domains and subdomains (if any) secured by the Subject Alternative Name.

b) IP Addresses: Enter the IP addresses secured by the Subject Alternative Name.

Step 11 Click Generate.

Step 12 Open a text editor.

Step 13 Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into a blank text file.

Step 14 Save the file as servername.csr, where servername is the name of the server where you plan to use the certificate.

Step 15 Click Close.

What to do next

• Submit the certificate request to the certificate authority.

• When you receive the signed certificate, import it to the Secure Firewall Management Center; see Importing HTTPS Server Certificates, on page 48.
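The CSR procedure above and the HTTPS Server Certificate Requirements table can be exercised outside the web interface. The following script is an added example and is not part of the Cisco guide: it uses the OpenSSL command-line tool to build a throwaway internal CA, generate a CSR carrying the same DN fields and Subject Alternative Names the procedure asks for, sign it as an X.509 v3 server certificate, and then check the result for every field the requirements table lists plus the 4096-bit key limit from the caution. The hostname fmc.example.com, the address 192.0.2.10, the DN values and the file names are constructed placeholders; the script assumes an `openssl` binary is installed.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: build a throwaway test CA with OpenSSL,
# generate a CSR carrying the DN fields and Subject Alternative Names the guide's
# procedure asks for, sign it as an X.509 v3 server certificate, and check the
# result against the fields in the HTTPS Server Certificate Requirements table.
# fmc.example.com, 192.0.2.10 and the DN values are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Request config: the same fields as the web UI CSR form (C, ST, L, O, OU, CN, SAN).
write_req_config() {
  cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C  = US
ST = CA
L  = San Jose
O  = Example Corp
OU = Security Operations
CN = fmc.example.com

[ req_ext ]
subjectAltName = DNS:fmc.example.com, DNS:fmc, IP:192.0.2.10
EOF
}

# Extensions the CA applies when signing: every extension the requirements table lists.
write_server_extensions() {
  cat > "$1" <<'EOF'
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:fmc.example.com, DNS:fmc, IP:192.0.2.10
EOF
}

# Generate the server key and CSR (servername.csr, as the guide names it).
make_csr() {
  write_req_config "$WORK/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/fmc.example.com.key" -out "$WORK/fmc.example.com.csr" 2>/dev/null
}

# Stand-in for the internal CA: a self-signed root that signs the CSR twice, with and
# without the v3 server extensions, so the check below has a good and a bad certificate.
make_ca_and_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  write_server_extensions "$WORK/server_ext.cnf"
  openssl x509 -req -in "$WORK/fmc.example.com.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server_ext.cnf" \
    -out "$WORK/fmc.example.com.crt" 2>/dev/null
  # Same CSR signed without the extension file: SAN, Key Usage, Basic Constraints
  # and Extended Key Usage do not make it into the resulting certificate.
  openssl x509 -req -in "$WORK/fmc.example.com.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/missing_ext.crt" 2>/dev/null
}

# Check a PEM certificate for the fields the management center expects. Returns 0 when
# every field is present and the key is at most 4096 bits; prints each gap otherwise.
check_server_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  missing=0
  for pat in 'Version: 3' 'Serial Number' 'Signature Algorithm' 'Issuer:' \
             'Not Before' 'Not After' 'Subject:' 'Subject Public Key Info' \
             'X509v3 Subject Alternative Name' 'X509v3 Authority Key Identifier' \
             'X509v3 Subject Key Identifier' 'X509v3 Key Usage' \
             'X509v3 Basic Constraints: critical' 'CA:FALSE' \
             'X509v3 Extended Key Usage' 'TLS Web Server Authentication'; do
    if ! printf '%s\n' "$txt" | grep -q -- "$pat"; then
      echo "$1: missing '$pat'"
      missing=$((missing + 1))
    fi
  done
  # The guide's caution: a public key larger than 4096 bits locks you out of the web interface.
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -z "$bits" ] || [ "$bits" -gt 4096 ]; then
    echo "$1: public key size '${bits:-unknown}' is not within 4096 bits"
    missing=$((missing + 1))
  fi
  [ "$missing" -eq 0 ]
}

make_csr
make_ca_and_sign
check_server_cert "$WORK/fmc.example.com.crt" && echo "fmc.example.com.crt: meets requirements"
check_server_cert "$WORK/missing_ext.crt" || echo "missing_ext.crt: would be rejected"
```

A CSR produced this way is the "some other means" case of the import procedure: the management center does not hold the private key, so the contents of fmc.example.com.key must be pasted into the Private Key field together with the signed certificate and the CA certificate chain. Running check_server_cert against missing_ext.crt shows why the requirements table has to be checked on the certificate itself rather than on the request: the CA, not the CSR, decides which extensions end up in the issued certificate.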

Importing HTTPS Server Certificates

If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain (or certificate path).

If you require client certificates, accessing an appliance via the web interface will fail when the server certificate does not meet either of the following criteria:

• The certificate is signed by the same CA that signed the client certificate.

• The certificate is signed by a CA that has signed an intermediate certificate in the certificate chain.

Caution The Secure Firewall Management Center supports 4096-bit HTTPS certificates. If the certificate used by the Secure Firewall Management Center was generated using a public server key larger than 4096 bits, you will not be able to log in to the management center web interface. For more information about updating HTTPS Certificates to Version 6.0.0, see "Update Management Center HTTPS Certificates to Version 6.0" in Firepower System Release Notes, Version 6.0. If you generate or import an HTTPS Certificate and cannot log in to the management center web interface, contact Support.

Before you begin

• Generate a certificate signing request; see Generating an HTTPS Server Certificate Signing Request, on page 46.

• Upload the CSR file to the certificate authority where you want to request a certificate, or use the CSR to create a self-signed certificate.

• Confirm that the certificate meets the requirements described in HTTPS Server Certificate Requirements, on page 44.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click HTTPS Certificate.

Step 3 Click Import HTTPS Server Certificate.

Step 4 Open the server certificate in a text editor, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Paste this text into the Server Certificate field.

Step 5 Whether you must supply a Private Key depends on how you generated the Certificate Signing Request:

• If you generated the Certificate Signing Request using the Secure Firewall Management Center web interface (as described in Generating an HTTPS Server Certificate Signing Request, on page 46), the system already has the private key and you need not enter one here.

• If you generated the Certificate Signing Request using some other means, you must supply the private key here. Open the private key file and copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.

Step 6 Open any required intermediate certificates, copy the entire block of text for each, and paste it into the Certificate Chain field. If you received a root certificate, paste it here. If you received an intermediate certificate, paste it below the root certificate. In both cases, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines.

Step 7 Click Save.

Requiring Valid HTTPS Client Certificates

Use this procedure to require users connecting to the management center web interface to supply a user certificate. The system supports validating HTTPS client certificates using either OCSP or imported CRLs in Privacy-enhanced Electronic Mail (PEM) format.

If you choose to use CRLs, to ensure that the list of revoked certificates stays current, you can create a scheduled task to update the CRLs. The system displays the most recent refresh of the CRLs.

Note To access the web interface after enabling client certificates, you must have a valid client certificate present in your browser (or a CAC inserted in your reader).

Before you begin

• Import a server certificate signed by the same certificate authority that signed the client certificate to be used for the connection; see Importing HTTPS Server Certificates, on page 48.

• Import the server certificate chain if needed; see Importing HTTPS Server Certificates, on page 48.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click HTTPS Certificate.

Step 3 Choose Enable Client Certificates. If prompted, select the appropriate certificate from the drop-down list.

Step 4 You have three options:

• To verify client certificates using one or more CRLs, select Enable Fetching of CRL and continue with Step 5.

• To verify client certificates using OCSP, select Enable OCSP and skip to Step 7.

• To accept client certificates without checking for revocation, skip to Step 8.

Step 5 Enter a valid URL to an existing CRL file and click Add CRL. Repeat to add up to 25 CRLs.

Step 6 Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.

Note Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs. Edit the task to set the frequency of the update.

Step 7 Verify that the client certificate is signed by the certificate authority loaded onto the appliance and the server certificate is signed by a certificate authority loaded in the browser certificate store. (These should be the same certificate authority.)

Caution Saving a configuration with enabled client certificates, with no valid client certificate in your browser certificate store, disables all web server access to the appliance. Make sure that you have a valid client certificate installed before saving settings.

Step 8 Click Save.

Related Topics

Configuring Certificate Revocation List Downloads, on page 455

Renewing the Default HTTPS Server Certificate

You can only view server certificates for the appliance you are logged in to.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click HTTPS Certificate.

Step 3 Click Renew HTTPS Certificate. This button appears below the certificate information only if your system is configured to use the default HTTPS server certificate.

Step 4 (Optional) In the Renew HTTPS Certificate dialog box, select Generate New Key to generate a new key for the certificate.

Step 5 In the Renew HTTPS Certificate dialog box, click Save.

What to do next

You can confirm that the certificate has been renewed by checking that the certificate validity dates displayed on the HTTPS Certificate page have updated.

External Database Access Settings

You can configure the Secure Firewall Management Center to allow read-only access to its database by a third-party client. This allows you to query the database using SQL using any of the following:

• industry-standard reporting tools such as Actuate BIRT, JasperSoft iReport, or Crystal Reports

• any other reporting application (including a custom application) that supports JDBC SSL connections

• the Cisco-provided command-line Java application called RunQuery, which you can either run interactively or use to obtain comma-separated results for a single query

Use the Secure Firewall Management Center's system configuration to enable database access and create an access list that allows selected hosts to query the database. Note that this access list does not also control appliance access.

You can also download a package that contains the following:

• RunQuery, the Cisco-provided database query tool

• InstallCert, a tool you can use to retrieve and accept the SSL certificate from the Secure Firewall Management Center you want to access

• the JDBC driver you must use to connect to the database

See the Firepower System Database Access Guide for information on using the tools in the package you downloaded to configure database access.

Enabling External Access to the Database

Procedure

Step 1 Choose System > Configuration.

Step 2 Click External Database Access.

Step 3 Select the Allow External Database Access check box.

Step 4 Enter an appropriate value in the Server Hostname field. Depending on your third-party application requirements, this value can be either the fully qualified domain name (FQDN), IPv4 address, or IPv6 address of the Secure Firewall Management Center.

Note In management center high availability setups, enter only the active peer details. We do not recommend entering details of the standby peer.

Step 5 Next to Client JDBC Driver, click Download and follow your browser's prompts to download the client.zip package.

Step 6 To add database access for one or more IP addresses, click Add Hosts. An IP Address field appears in the Access List field.

Step 7 In the IP Address field, enter an IP address or address range, or any.

Step 8 Click Add.

Step 9 Click Save.

Tip If you want to revert to the last saved database settings, click Refresh .

Related Topics

IP Address Conventions, on page 26

Database Event Limits

To manage disk space, the management center periodically prunes the oldest intrusion events, audit records, Security Intelligence data, and URL filtering data from the event database. For each event type, you can specify how many records the management center retains after pruning; never rely on the event database containing more records of any type than the retention limit configured for that type. To improve performance, tailor the event limits to the number of events you regularly work with. You can optionally choose to receive email notifications when pruning occurs. For some event types, you can disable storage.

To manually delete individual events, use the event viewer. (Note that in Versions 6.6.0+, you cannot manually delete connection or Security Intelligence events in this way.) You can also manually purge the database; see Data Purge and Storage, on page 479.

Configuring Database Event Limits

Before you begin

• If you want to receive email notifications when events are pruned from the Secure Firewall Management Center's database, you must configure an email server; see Configuring a Mail Relay Host and Notification Address, on page 81.

Procedure

Step 1 Choose System > Configuration.

Step 2 Choose Database.

Step 3 For each of the databases, enter the number of records you want to store. For information on how many records each database can maintain, see Database Event Limits, on page 52.

Step 4 Optionally, in the Data Pruning Notification Address field, enter the email address where you want to receive pruning notifications.

Step 5 Click Save.

Database Event Limits

The following table lists the minimum and maximum number of records for each event type that you can store on a Secure Firewall Management Center.


Table 2: Database Event Limits

Intrusion events
Upper Limit: 10 million (management center Virtual); 30 million (management center 1000, management center 1600); 60 million (management center 2500, management center 2600, FMCv 300); 300 million (management center 4500, management center 4600)
Lower Limit: 10,000

Discovery events
Upper Limit: 10 million (management center Virtual); 20 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
Lower Limit: Zero (disables storage)

Connection events / Security Intelligence events
Upper Limit: 50 million (management center Virtual); 100 million (management center 1000, management center 1600); 300 million (management center 2500, management center 2600, FMCv 300); 1 billion (management center 4500, management center 4600)
If you set the Maximum Connection Events value to zero, then connection events that are not associated with Security Intelligence, intrusion, file, and malware events are not stored on the management center. See below for the effect of this setting on Maximum Flow Rate. These settings do not affect connection summaries.
The limit is shared between connection events and Security Intelligence events. The sum of the configured maximums cannot exceed this limit.
Caution: Setting Maximum Connection Events to zero immediately purges existing connection events other than Security Intelligence events.
Lower Limit: Zero (disables storage)

Connection summaries (aggregated connection events)
Upper Limit: 50 million (management center Virtual); 100 million (management center 1000, management center 1600); 300 million (management center 2500, management center 2600, FMCv 300); 1 billion (management center 4500, management center 4600)
Lower Limit: Zero (disables storage)

Correlation events and compliance allow list events
Upper Limit: 1 million (management center Virtual); 2 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
Lower Limit: One

Malware events
Upper Limit: 10 million (management center Virtual); 20 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
Lower Limit: 10,000

File events
Upper Limit: 10 million (management center Virtual); 20 million (management center 2500, management center 2600, management center 4500, management center 4600, FMCv 300)
Lower Limit: Zero (disables storage)

Health events
Upper Limit: 1 million
Lower Limit: Zero (disables storage)

Audit records
Upper Limit: 100,000
Lower Limit: One

Remediation status events
Upper Limit: 10 million
Lower Limit: One

Allow list violation history
Upper Limit: A 30-day history of violations
Lower Limit: One day's history

User activity (user events)
Upper Limit: 10 million
Lower Limit: One

User logins (user history)
Upper Limit: 10 million
Lower Limit: One

Intrusion rule update import log records
Upper Limit: 1 million
Lower Limit: One

VPN Troubleshooting database
Upper Limit: 10 million
Lower Limit: Zero (disables storage)

Maximum Flow Rate

The Maximum flow rate (flows per second) value for your management center hardware model is specified in the Platform Specifications section of the management center datasheet at https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html?cachemode=refresh

If you set the Maximum Connection Events value in platform settings to zero, then connection events that are not associated with Security Intelligence, intrusion, file, and malware events are not counted toward the maximum flow rate for your management center hardware.


Any non-zero value in this field causes ALL connection events to be counted against the maximum flow rate.

Other event types on this page do not count against the maximum flow rate.

Management Interfaces

After setup, you can change the management network settings, including adding more management interfaces, hostname, search domains, DNS servers, and HTTP proxy on the management center.

About Management Center Management Interfaces

By default, the management center manages all devices on a single management interface. You can also perform initial setup on the management interface and log into the management center on this interface as an administrator. The management interface is also used to communicate with the Smart Licensing server, to download updates, and to perform other management functions.

For information about device management interfaces, see About Device Management Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide.

Management Interfaces on the Management Center

The management center uses the eth0 interface for initial setup, HTTP access for administrators, management of devices, as well as other management functions such as licensing and updates.

You can also configure additional management interfaces on the same network, or on different networks.

When the management center manages large numbers of devices, adding more management interfaces can improve throughput and performance. You can also use these interfaces for all other management functions.

You might want to use each management interface for particular functions; for example, you might want to use one interface for HTTP administrator access and another for device management.

For device management, the management interface carries two separate traffic channels: the management traffic channel carries all internal traffic (such as inter-device traffic specific to managing the device), and the event traffic channel carries all event traffic (such as web events). You can optionally configure a separate event-only interface on the management center to handle event traffic; you can configure only one event interface. Event traffic can use a large amount of bandwidth, so separating event traffic from management traffic can improve the performance of the management center. For example, you can assign a 10 GigabitEthernet interface to be the event interface, if available, while using 1 GigabitEthernet interfaces for management. You might want to configure an event-only interface on a completely secure, private network while using the regular management interface on a network that includes Internet access, for example. You can also use both management and event interfaces on the same network if the goal is only to take advantage of increased throughput. Managed devices will send management traffic to the management center's management interface and event traffic to the management center's event-only interface. If the managed device cannot reach the event-only interface, then it will fall back to sending events to the management interface.

Note All management interfaces support HTTP administrator access as controlled by your Access List configuration (Configure an Access List, on page 71). Conversely, you cannot restrict an interface to only HTTP access; management interfaces always support device management (management traffic, event traffic, or both).


Note Only the eth0 interface supports DHCP IP addressing. Other management interfaces only support static IP addresses.

Management Interface Support Per Management Center Model

See the hardware installation guide for your model for the management interface locations.

See the following table for supported management interfaces on each management center model.

Table 3: Management Interface Support on the Management Center

Model                      Management Interfaces
MC1000                     eth0 (Default), eth1
MC2500, MC4500             eth0 (Default), eth1, eth2, eth3
MC1600, MC2600, MC4600     eth0 (Default), eth1, eth2, eth3, CIMC (Supported for Lights-Out Management only.)
Management Center Virtual  eth0 (Default)

Network Routes on Management Center Management Interfaces

Management interfaces (including event-only interfaces) support only static routes to reach remote networks.

When you set up your management center, the setup process creates a default route to the gateway IP address that you specify. You cannot delete this route; you can only modify the gateway address.

You can configure multiple management interfaces on some platforms. The default route does not include an egress interface, so the interface chosen depends on the gateway address you specify, and which interface's network the gateway belongs to. In the case of multiple interfaces on the default network, the device uses the lower-numbered interface as the egress interface.

At least one static route is recommended per management interface to access remote networks. We recommend placing each interface on a separate network to avoid potential routing problems, including routing problems from other devices to the management center. If you do not experience problems with interfaces on the same network, then be sure to configure static routes correctly. For example, on the management center both eth0 and eth1 are on the same network, but you want to manage a different group of devices on each interface. The default gateway is 192.168.45.1. If you want eth1 to manage devices on the remote 10.6.6.0/24 destination network, you can create a static route for 10.6.6.0/24 through eth1 with the same gateway of 192.168.45.1.

Traffic to 10.6.6.0/24 will hit this route before it hits the default route, so eth1 will be used as expected.

If you want to use two management center interfaces to manage remote devices that are on the same network, then static routing on the management center may not scale well, because you need separate static routes per device IP address.

Another example includes separate management and event-only interfaces on both the management center and the managed device. The event-only interfaces are on a separate network from the management interfaces.

In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa.
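The route selection described above, worked through as an added example. This is illustrative Python, not the management center's routing code; it models a default route that carries no egress interface (the interface whose network contains the gateway is chosen, lower-numbered first on a tie) and a longest-prefix-match lookup over static routes. The topology (eth0 and eth1 on 192.168.45.0/24, gateway 192.168.45.1, remote network 10.6.6.0/24) is the one in the example; the probe addresses 10.6.6.20 and 198.51.100.7 are constructed.

```python
import ipaddress
import re

# Constructed topology from the example above: eth0 and eth1 share one network,
# the default gateway is 192.168.45.1, and devices on the remote 10.6.6.0/24
# network are to be managed through eth1.
INTERFACES = {
    "eth0": ipaddress.ip_network("192.168.45.0/24"),
    "eth1": ipaddress.ip_network("192.168.45.0/24"),
}
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.45.1")

# Static routes as (destination network, egress interface, gateway).
STATIC_ROUTES = [
    (ipaddress.ip_network("10.6.6.0/24"), "eth1", ipaddress.ip_address("192.168.45.1")),
]


def _interface_number(name):
    """Numeric suffix of an interface name, used to pick the lower-numbered one."""
    match = re.search(r"(\d+)$", name)
    return int(match.group(1)) if match else -1


def default_route_egress(interfaces, gateway):
    """The default route has no egress interface of its own: the interface whose
    network contains the gateway is used, and when several interfaces qualify
    the lower-numbered one wins."""
    candidates = [name for name, net in interfaces.items() if gateway in net]
    if not candidates:
        raise ValueError(f"gateway {gateway} is not on any management interface network")
    return min(candidates, key=_interface_number)


def select_egress(destination, interfaces, static_routes, default_gateway):
    """Longest-prefix match over the static routes, then the default route.
    Returns (egress interface, gateway)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, iface, gw in static_routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is not None:
        return best[1], best[2]
    return default_route_egress(interfaces, default_gateway), default_gateway


if __name__ == "__main__":
    for target in ("10.6.6.20", "198.51.100.7"):
        iface, gw = select_egress(target, INTERFACES, STATIC_ROUTES, DEFAULT_GATEWAY)
        print(f"{target}: egress {iface} via {gw}")
    # Without the static route, 10.6.6.20 would leave on eth0 (the lower-numbered
    # interface on the default network) rather than on eth1 as intended.
    print(select_egress("10.6.6.20", INTERFACES, [], DEFAULT_GATEWAY))
```

The third call shows the failure mode the text warns about: with both interfaces on one network and no static route, the default route silently sends the remote devices' traffic out eth0.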

NAT Environments

Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for management center communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router.

Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the management center specifies the device IP address when you add a device, and the device specifies the management center IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The management center and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.

For example, you add a device to the management center, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the management center; leave the IP address blank. On the device, you specify the management center IP address, the same NAT ID, and the same registration key. The device registers to the management center's IP address.

At this point, the management center uses the NAT ID instead of IP address to authenticate the device.

Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the management center. On the management center, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the management center IP address and the NAT ID. Note: The NAT ID must be unique per device.

The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID per device on both the management center and the devices, and specify the management center IP address on the devices.

Figure 2: NAT ID for Managed Devices Behind PAT

The following example shows the management center behind a PAT IP address. In this case, specify a unique NAT ID per device on both the management center and the devices, and specify the device IP addresses on the management center.

Figure 3: NAT ID for Management Center Behind PAT
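The registration lookup the NAT Environments section describes, as an added illustrative model. This is not the product's registration code; it only encodes the rules stated above: an entry is matched on the device IP address when one was configured, otherwise on the NAT ID, the registration key is then checked, and NAT IDs must be unique per device. The device names, NAT IDs, keys and the PAT address 203.0.113.10 are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingDevice:
    """A device added on the management center that has not yet registered."""
    name: str
    ip: Optional[str]         # None when the device address is unknown (e.g. behind PAT)
    nat_id: Optional[str]     # required when ip is None
    registration_key: str


class Registrar:
    """Illustrative model of initial registration, not the management center's code."""

    def __init__(self):
        self._pending = []

    def add_device(self, device):
        if device.ip is None and device.nat_id is None:
            raise ValueError("at least one of device IP address or NAT ID is required")
        if device.nat_id is not None and any(d.nat_id == device.nat_id for d in self._pending):
            raise ValueError(f"NAT ID {device.nat_id!r} already in use; NAT IDs must be unique per device")
        self._pending.append(device)

    def register(self, source_ip, nat_id, registration_key):
        """Return the device name on success, or None when no pending entry matches
        or the registration key is wrong."""
        # 1. Entries with a known IP address are matched on the source address;
        #    if such an entry also carries a NAT ID, that must match as well.
        match = next((d for d in self._pending if d.ip is not None and d.ip == source_ip), None)
        if match is not None and match.nat_id is not None and match.nat_id != nat_id:
            match = None
        # 2. Otherwise the NAT ID stands in for the unknown address (several devices
        #    behind one PAT address all arrive from the same source IP).
        if match is None and nat_id is not None:
            match = next((d for d in self._pending if d.ip is None and d.nat_id == nat_id), None)
        if match is None:
            return None
        # Constant-time comparison of the shared registration key.
        if not hmac.compare_digest(match.registration_key.encode(), registration_key.encode()):
            return None
        self._pending.remove(match)
        return match.name


if __name__ == "__main__":
    reg = Registrar()
    for name, nat_id, key in (("ftd-a", "nat-a", "key-a"), ("ftd-b", "nat-b", "key-b")):
        reg.add_device(PendingDevice(name, None, nat_id, key))
    # Both devices sit behind the same PAT address, so only the NAT ID tells them apart.
    print(reg.register("203.0.113.10", "nat-a", "key-a"))   # ftd-a
    print(reg.register("203.0.113.10", "nat-b", "key-b"))   # ftd-b
```

A pending entry is consumed on successful registration, so a replayed registration with the same NAT ID and key no longer matches anything.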


Management and Event Traffic Channel Examples

Note If you use a data interface for management on a threat defense, you cannot use separate management and event interfaces for that device.

The following example shows the Secure Firewall Management Center and managed devices using only the default management interfaces.

Figure 4: Single Management Interface on the Secure Firewall Management Center

The following example shows the Secure Firewall Management Center using separate management interfaces for devices; and each managed device using 1 management interface.

Figure 5: Multiple Management Interfaces on the Secure Firewall Management Center

The following example shows the Secure Firewall Management Center and managed devices using a separate event interface.

Figure 6: Separate Event Interface on the Secure Firewall Management Center and Managed Devices


The following example shows a mix of multiple management interfaces and a separate event interface on the Secure Firewall Management Center and a mix of managed devices using a separate event interface, or using a single management interface.

Figure 7: Mixed Management and Event Interface Usage

Modify Management Center Management Interfaces

Caution Do NOT push the management center deployments over a VPN tunnel that is terminating directly on the threat defense. Pushing the management center deployments can potentially inactivate the tunnel and disconnect the management center and the threat defense.

Recovering the device from this situation can be very disruptive and require executing the disaster recovery procedure. This procedure resets the threat defense configuration to factory defaults by changing the manager from management center to local and configuring the device from the beginning. For more information, see Best Practices for Deploying Configuration Changes in the Firepower Management Center Device Configuration Guide.

Modify the management interface settings on the Secure Firewall Management Center. You can optionally enable additional management interfaces or configure an event-only interface.

Caution Be careful when making changes to the management interface to which you are connected; if you cannot re-connect because of a configuration error, you need to access the management center console port to re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation.

Note If you change the management center IP address, then see Edit the management center IP Address or Hostname on the Device in the Cisco Secure Firewall Management Center Device Configuration Guide. If you change the management center IP address or hostname, you should also change the value at the device CLI so the configurations match. Although in most cases, the management connection will be reestablished without changing the management center IP address or hostname on the device, in at least one case, you must perform this task for the connection to be reestablished: when you added the device to the management center and you specified the NAT ID only. Even in other cases, we recommend keeping the management center IP address or hostname up to date for extra network resiliency.


Note In a high availability configuration, when you modify the management IP address of a registered Firepower device from the device CLI or from management center, the secondary management center does not reflect the changes even after an HA synchronization. To ensure that the secondary management center is also updated, switch roles between the two management centers, making the secondary management center as the active unit. Modify the management IP address of the registered Firepower device on the device management page of the now active management center.

Before you begin

• For information about how device management works, see About Device Management Interfaces in the Cisco Secure Firewall Management Center Device Configuration Guide.

• If you use a proxy:

• Proxies that use NT LAN Manager (NTLM) authentication are not supported.

• If you use or will use Smart Licensing, the proxy FQDN cannot have more than 64 characters.

Procedure

Step 1 Choose System > Configuration, and then choose Management Interfaces.

Step 2 In the Interfaces area, click Edit next to the interface that you want to configure.

All available interfaces are listed in this section. You cannot add more interfaces.

You can configure the following options on each management interface:

• Enabled —Enable the management interface. Do not disable the default eth0 management interface. Some processes require the eth0 interface.

• Channels —Configure an event-only interface; you can configure only one event interface on the management center. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. You can optionally disable Event Traffic for the management interface(s). In either case, the device will try to send events to the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cannot disable both event and management channels on an interface.

• Mode —Specify a link mode. Note that any changes you make to auto-negotiation are ignored for GigabitEthernet interfaces.

• MDI/MDIX —Set the Auto-MDIX setting.

• MTU —Set the maximum transmission unit (MTU). The default is 1500. The range within which you can set the MTU can vary depending on the model and interface type.

Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.

• IPv4 Configuration —Set the IPv4 IP address. Choose:


• Static —Manually enter the IPv4 Management IP address and IPv4 Netmask .

• DHCP —Set the interface to use DHCP (eth0 only).

• Disabled —Disable IPv4. Do not disable both IPv4 and IPv6.

• IPv6 Configuration —Set the IPv6 IP address. Choose:

• Static —Manually enter the IPv6 Management IP address and IPv6 Prefix Length .

• DHCP —Set the interface to use DHCPv6 (eth0 only).

• Router Assigned —Enable stateless autoconfiguration.

• Disabled —Disable IPv6. Do not disable both IPv4 and IPv6.

• IPv6 DAD —When you enable IPv6, enable or disable duplicate address detection (DAD). You might want to disable DAD because the use of DAD opens up the possibility of denial of service attacks. If you disable this setting, you need to check manually that this interface is not using an already-assigned address.

Step 3 In the Routes area, edit a static route by clicking Edit, or add a route by clicking Add. View the route table by clicking its icon.

You need a static route for each additional interface to reach remote networks. For more information about when new routes are needed, see Network Routes on Management Center Management Interfaces, on page 56.

Note For the default route, you can change only the gateway IP address. The egress interface is chosen automatically by matching the specified gateway to the interface's network.

You can configure the following settings for a static route:

• Destination —Set the destination address of the network to which you want to create a route.

• Netmask or Prefix Length —Set the netmask (IPv4) or prefix length (IPv6) for the network.

• Interface —Set the egress management interface.

• Gateway —Set the gateway IP address.

Step 4 In the Shared Settings area, set network parameters shared by all interfaces.

Note If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings derived from the DHCP server.

You can configure the following shared settings:

• Hostname —Set the management center hostname. The hostname must start and end with a letter or digit, and have only letters, digits, or a hyphen. If you change the hostname, reboot the management center if you want the new hostname reflected in syslog messages. Syslog messages do not reflect a new hostname until after a reboot.

• Domains —Set the search domain(s) for the management center, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface.

• Primary DNS Server , Secondary DNS Server , Tertiary DNS Server —Set the DNS servers to be used in order of preference.

• Remote Management Port —Set the remote management port for communication with managed devices. The management center and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Note Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.
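A pre-flight check for two of the settings above, added here as an example and not part of the management center: the MTU rule (the system trims 18 bytes from the configured value, so the effective value must still meet the IPv4 minimum of 576 and the IPv6 minimum of 1280) and the hostname rule (start and end with a letter or digit, letters, digits and hyphens only). The functions, their names and the sample values are constructed for this illustration.

```python
import re

# Values stated in the procedure above.
MTU_TRIM_BYTES = 18
IPV4_MIN_MTU = 576
IPV6_MIN_MTU = 1280
DEFAULT_MTU = 1500

# Start and end with a letter or digit; only letters, digits and hyphens inside.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def effective_mtu(configured):
    """The system trims 18 bytes from the configured value (576 becomes 558)."""
    return configured - MTU_TRIM_BYTES


def check_mtu(configured, ipv4_enabled=True, ipv6_enabled=False):
    """Return the list of compliance problems for a configured MTU (empty means OK)."""
    problems = []
    if not (ipv4_enabled or ipv6_enabled):
        problems.append("IPv4 and IPv6 cannot both be disabled on an interface")
        return problems
    eff = effective_mtu(configured)
    if ipv4_enabled and eff < IPV4_MIN_MTU:
        problems.append(f"effective MTU {eff} is below the IPv4 minimum of {IPV4_MIN_MTU}; "
                        f"configure at least {IPV4_MIN_MTU + MTU_TRIM_BYTES}")
    if ipv6_enabled and eff < IPV6_MIN_MTU:
        problems.append(f"effective MTU {eff} is below the IPv6 minimum of {IPV6_MIN_MTU}; "
                        f"configure at least {IPV6_MIN_MTU + MTU_TRIM_BYTES}")
    return problems


def valid_hostname(hostname):
    """True when the hostname satisfies the rule stated for the Hostname field."""
    return bool(HOSTNAME_RE.fullmatch(hostname))


if __name__ == "__main__":
    # Constructed sample settings for a dual-stack management interface.
    for mtu in (DEFAULT_MTU, 1298, 1297, 576):
        print(mtu, "->", effective_mtu(mtu), check_mtu(mtu, ipv4_enabled=True, ipv6_enabled=True) or "OK")
    for name in ("fmc-01", "-fmc", "fmc_01"):
        print(name, valid_hostname(name))
```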

Step 5 In the ICMPv6 area, configure ICMPv6 settings.

• Allow Sending Echo Reply Packets —Enable or disable Echo Reply packets. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the management center management interfaces for testing purposes.

• Allow Sending Destination Unreachable Packets —Enable or disable Destination Unreachable packets.

You might want to disable these packets to guard against potential denial of service attacks.

Step 6 In the Proxy area, configure HTTP proxy settings.

The management center is configured to connect directly to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest.

See proxy requirements in the prerequisites to this topic.

a) Check the Enabled check box.

b) In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server.

See requirements in the prerequisites to this topic.

c) In the Port field, enter a port number.

d) Supply authentication credentials by choosing Use Proxy Authentication , and then provide a User Name and Password .

Step 7 Click Save.

Step 8 If you change the management center IP address, then see Edit the management center IP Address or Hostname on the Device in the Cisco Secure Firewall Management Center Device Configuration Guide.

If you change the management center IP address or hostname, you should also change the value at the device CLI so the configurations match. Although in most cases, the management connection will be reestablished without changing the management center IP address or hostname on the device, in at least one case, you must perform this task for the connection to be reestablished: when you added the device to the management center and you specified the NAT ID only. Even in other cases, we recommend keeping the management center IP address or hostname up to date for extra network resiliency.


Shut Down or Restart

Use the web interface to control the shut down and restart of processes on the management center. You can:

• Shut down: Initiate a graceful shutdown of the appliance.

Caution Do not shut off Firepower appliances using the power button; it may cause a loss of data. Using the web interface (or CLI) prepares the system to be safely powered off and restarted without losing configuration data.

• Reboot: Shut down and restart gracefully.

• Restart the console: Restart the communications, database, and HTTP server processes. This is typically used during troubleshooting.

Tip For virtual devices, refer to the documentation for your virtual platform. For VMware in particular, custom power options are part of VMware Tools.

Shut Down or Restart the Management Center

Procedure

Step 1 Choose System > Configuration.

Step 2 Choose Process.

Step 3 Do one of the following:

• Shut down: Click Run Command next to Shutdown Management Center.

• Reboot: Click Run Command next to Reboot Management Center.

Note Rebooting logs you out, and the system runs a database check that can take up to an hour to complete.

• Restart the console: Click Run Command next to Restart Management Center Console.

Note Restarting may cause deleted hosts to reappear in the network map.

Remote Storage Management

On Secure Firewall Management Centers, you can use the following for local or remote storage for backups and reports:


• Network File System (NFS)

• Server Message Block (SMB)/Common Internet File System (CIFS)

• Secure Shell (SSH)

You cannot send backups to one remote system and reports to another, but you can choose to send either to a remote system and store the other on the Secure Firewall Management Center.

Tip After configuring and selecting remote storage, you can switch back to local storage only if you have not increased the connection database limit.

Management Center Remote Storage - Supported Protocols and Versions

Management Center Version   NFS Version   SSH Version       SMB Version
6.4                         V3/V4         openssh 7.3p1     V2/V3
6.5                         V3/V4         ciscossh 1.6.20   V2/V3
6.6                         V3/V4         ciscossh 1.6.20   V2/V3
6.7                         V3/V4         ciscossh 1.6.20   V2/V3

Commands to Enable Protocol Version

Run the following commands as a root user to enable the protocol version:

• NFS — /bin/mount -t nfs '10.10.4.225':'/home/manual-check' '/mnt/remote-storage' -o 'rw,vers=4.0'

• SMB — /usr/bin/mount.cifs //10.10.0.100/pyallapp-share/testing-smb /mnt/remote-storage -o username=administrator,password=******,vers=3.0

Configuring Local Storage

Procedure

Step 1 Choose System > Configuration.

Step 2 Choose Remote Storage Device.

Step 3 Choose Local (No Remote Storage) from the Storage Type drop-down list.

Step 4 Click Save.


Configuring NFS for Remote Storage

Before you begin

• Ensure that your external remote storage system is functional and accessible from your management center.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click Remote Storage Device.

Step 3 Choose NFS from the Storage Type drop-down list.

Step 4 Add the connection information:

• Enter the IPv4 address or hostname of the storage system in the Host field.

• Enter the path to your storage area in the Directory field.

Step 5 Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options, on page 68.

Step 6 Under System Usage:

• Choose Use for Backups to store backups on the designated host.

• Choose Use for Reports to store reports on the designated host.

• Enter Disk Space Threshold for backup to remote storage. Default is 90%.

Step 7 To test the settings, click Test.

Step 8 Click Save.

Configuring SMB for Remote Storage

Before you begin

Ensure that your external remote storage system is functional and accessible from your management center:

• The system recognizes top-level SMB shares, not full file paths. You must use Windows to share the exact directory you want to use.

• Make sure the Windows user you will use to access the SMB share from the management center has ownership of and read/change access to the share location.

• To ensure security, you should install SMB 2.0 or greater.


Procedure

Step 1 Choose System > Configuration.

Step 2 Click Remote Storage Device.

Step 3 Choose SMB from the Storage Type drop-down list.

Step 4 Add the connection information:

• Enter the IPv4 address or hostname of the storage system in the Host field.

• Enter the share of your storage area in the Share field.

• Optionally, enter the domain name for the remote storage system in the Domain field.

• Enter the user name for the storage system in the Username field and the password for that user in the Password field.

Step 5 Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options, on page 68.

Step 6 Under System Usage:

• Choose Use for Backups to store backups on the designated host.

• Choose Use for Reports to store reports on the designated host.

Step 7 To test the settings, click Test.

Step 8 Click Save.

Configuring SSH for Remote Storage

Before you begin

• Ensure that your external remote storage system is functional and accessible from your Secure Firewall Management Center.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click Remote Storage Device.

Step 3 Choose SSH from the Storage Type drop-down list.

Step 4 Add the connection information:

• Enter the IP address or host name of the storage system in the Host field.

• Enter the path to your storage area in the Directory field.

• Enter the storage system's user name in the Username field and the password for that user in the Password field. To specify a network domain as part of the connection user name, precede the user name with the domain followed by a forward slash (/).

• To use SSH keys, copy the content of the SSH Public Key field and place it in your authorized_keys file.

Step 5 Optionally, check the Use Advanced Options check box and enter any required command line options; see Remote Storage Management Advanced Options, on page 68.

Step 6 Under System Usage:

• Choose Use for Backups to store backups on the designated host.

• Choose Use for Reports to store reports on the designated host.

Step 7 If you want to test the settings, you must click Test.

Step 8 Click Save.

Remote Storage Management Advanced Options

If you select the Network File System (NFS) protocol, Server Message Block (SMB) protocol, or SSH to use secure file transfer protocol (SFTP) to store your reports and backups, you can select the Use Advanced Options check box to use one of the mount binary options as documented in an NFS, SMB, or SSH mount man page.

If you select SMB, you can enter the security mode in the Command Line Options field using the following format: sec=mode, where mode is the security mode you want to use for remote storage.

Table 4: SMB Security Mode Settings

Mode        Description

[none]      Attempt to connect as null user (no name).

krb5        Use Kerberos version 5 authentication.

krb5i       Use Kerberos authentication and packet signing.

ntlm        Use NTLM password hashing. (Default)

ntlmi       Use NTLM password hashing with signing (may be Default if /proc/fs/cifs/PacketSigningEnabled is on or if server requires signing).

ntlmv2      Use NTLMv2 password hashing.

ntlmv2i     Use NTLMv2 password hashing with packet signing.


Change Reconciliation

To monitor the changes that users make and ensure that they follow your organization’s preferred standard, you can configure the system to send, via email, a detailed report of changes made over the past 24 hours.

Whenever a user saves changes to the system configuration, a snapshot is taken of the changes. The change reconciliation report combines information from these snapshots to present a clear summary of recent system changes.

The following sample graphic displays a User section of an example change reconciliation report and lists both the previous value for each configuration and the value after changes. When users make multiple changes to the same configuration, the report lists summaries of each distinct change in chronological order, beginning with the most recent.

You can view changes made during the previous 24 hours.

Configuring Change Reconciliation

Before you begin

• Configure an email server to receive emailed reports of changes made to the system over a 24 hour period; see Configuring a Mail Relay Host and Notification Address, on page 81 for more information.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Change Reconciliation.

Step 3 Check the Enable check box.

Step 4 Choose the time of day you want the system to send out the change reconciliation report from the Time to Run drop-down lists.

Step 5 Enter email addresses in the Email to field.

Tip Once you have added email addresses, click Resend Last Report to send recipients another copy of the most recent change reconciliation report.

Step 6 If you want to include policy changes, check the Include Policy Configuration check box.

Step 7 If you want to include all changes over the past 24 hours, check the Show Full Change History check box.

Step 8 Click Save.

Related Topics

Using the Audit Log to Examine Changes, on page 378

Change Reconciliation Options

The Include Policy Configuration option controls whether the system includes records of policy changes in the change reconciliation report. This includes changes to access control, intrusion, system, health, and network discovery policies. If you do not select this option, the report will not show changes to any policies. This option is available on Secure Firewall Management Centers only.

The Show Full Change History option controls whether the system includes records of all changes over the past 24 hours in the change reconciliation report. If you do not select this option, the report includes only a consolidated view of changes for each category.

Note The change reconciliation report does not include changes to threat defense interfaces and routing settings.

Policy Change Comments

You can configure the system to track several policy-related changes using the comment functionality when users modify access control, intrusion, or network analysis policies.

With policy change comments enabled, administrators can quickly assess why critical policies in a deployment were modified. Optionally, you can have changes to intrusion and network analysis policies written to the audit log.

Configuring Comments to Track Policy Changes

You can configure the system to prompt users for comments when they modify an access control policy, intrusion policy, or network analysis policy. You can use comments to track users’ reasons for policy changes.

If you enable comments on policy changes, you can make the comment optional or mandatory. The system prompts the user for a comment when each new change to a policy is saved.

Procedure

Step 1 Choose System ( ) > Configuration.

The system configuration options appear in the left navigation panel.

Step 2 Configure the policy comment preferences for any of the following:

• Click Access Control Preferences for comment preferences for access control policies.

• Click Intrusion Policy Preferences for comment preferences for intrusion policies.

• Click Network Analysis Policy Preferences for comment preferences for network analysis policies.

Step 3 You have the following choices for each policy type:

• Disabled —Disables change comments.

• Optional —Gives users the option to describe their changes in a comment.

• Required —Requires users to describe their changes in a comment before saving.

Step 4 Optionally for intrusion or network analysis policy comments:

• Check Write changes in Intrusion Policy to audit log to write all intrusion policy changes to the audit log.


• Check Write changes in Network Analysis Policy to audit log to write all network analysis policy changes to the audit log.

Step 5 To get notifications for changes to any overridden system-defined rules during LSP updates, ensure that the Retain user overrides for deleted Snort 3 rules check box is checked. As a system default, this check box is checked. When this check box is checked, the system retains the rule overrides in the new replacement rules that are added as part of the LSP update. The notifications are shown in the Tasks tab under the Notifications icon that is located next to Cog ( ).

Step 6 Click Save.

Access List

You can limit access to the management center by IP address and port. By default, the following ports are enabled for any IP address:

• 443 (HTTPS) for web interface access.

• 22 (SSH) for CLI access.

You can also add access to poll for SNMP information over port 161. Because SNMP is disabled by default, you must first enable SNMP before you can add SNMP access rules. For more information, see Configure SNMP Polling, on page 83.

Caution By default, access is not restricted. To operate in a more secure environment, consider adding access for specific IP addresses and then deleting the default any option.

Configure an Access List

This access list does not control external database access. See Enabling External Access to the Database, on page 51.

Caution If you delete access for the IP address that you are currently using to connect to the management center, and there is no entry for “IP=any port=443”, you will lose access when you save.

Before you begin

By default, the access list includes rules for HTTPS and SSH. To add SNMP rules to the access list, you must first enable SNMP. For more information, see Configure SNMP Polling, on page 83.

Procedure

Step 1 Choose System ( ) > Configuration.


Step 2 (Optional) Click SNMP to configure SNMP if you want to add SNMP rules to the access list. By default, SNMP is disabled; see Configure SNMP Polling, on page 83.

Step 3 Click Access List.

Step 4 To add access for one or more IP addresses, click Add Rules.

Step 5 In the IP Address field, enter an IP address or address range, or any.

Step 6 Choose SSH, HTTPS, SNMP, or a combination of these options to specify which ports you want to enable for these IP addresses.

Step 7 Click Add.

Step 8 Click Save.

Related Topics

IP Address Conventions, on page 26
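The caution above (deleting your own address without keeping an "IP=any port=443" entry locks you out on save) can be checked before the rule set is saved. The following is an added example and not Cisco code; it models access-list rules as a source (any, a single address, or a CIDR range, which is an assumption about the range notation) plus the enabled services, and the rule sets and addresses are constructed.

```python
"""Pre-save lockout check for a management center access list (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

# Ports the guide lists for each service.
PORTS = {"HTTPS": 443, "SSH": 22, "SNMP": 161}


@dataclass(frozen=True)
class AccessRule:
    source: str               # "any", one address, or CIDR range (assumed notation)
    services: FrozenSet[str]  # subset of PORTS keys enabled for that source

    def permits(self, client_ip: str, service: str) -> bool:
        if service not in self.services:
            return False
        if self.source == "any":
            return True
        network = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(client_ip) in network


def allowed_services(rules: Iterable[AccessRule], client_ip: str) -> Set[str]:
    """Services the client address can reach once these rules are saved."""
    rules = list(rules)
    return {svc for svc in PORTS if any(r.permits(client_ip, svc) for r in rules)}


def would_lock_out(rules: Iterable[AccessRule], admin_ip: str) -> bool:
    """True when saving `rules` would remove web interface (443) access for admin_ip."""
    return "HTTPS" not in allowed_services(rules, admin_ip)


# The default list described in the guide: HTTPS and SSH open to any address.
DEFAULT_RULES = [AccessRule("any", frozenset({"HTTPS", "SSH"}))]

# Constructed: an admin connected from 192.0.2.10 replaces the default "any"
# entries with a management subnet and one SNMP poller, but leaves out the
# jump host they are connecting from.
TIGHTENED_RULES = [
    AccessRule("10.10.0.0/24", frozenset({"HTTPS", "SSH"})),
    AccessRule("10.10.5.9", frozenset({"SNMP"})),
]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("tightened", TIGHTENED_RULES)):
        print(label, "locks out 192.0.2.10:", would_lock_out(rules, "192.0.2.10"))
```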

Audit Logs

The Secure Firewall Management Center records user activity in read-only audit logs. You can review audit log data in several ways:

• Use the web interface: Audit and Syslog, on page 373.

Audit logs are presented in a standard event view where you can view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and you can view detailed reports of the changes that users make.

• Stream audit log messages to the syslog: Stream Audit Logs to Syslog, on page 72.

• Stream audit log messages to an HTTP server: Stream Audit Logs to an HTTP Server, on page 74.

Streaming audit log data to an external server allows you to conserve space on the management center. Note that sending audit information to an external URL may affect system performance.

Optionally, you can secure the channel for audit log streaming by enabling TLS and mutual authentication using TLS certificates; see Audit Log Certificate, on page 75.

Streaming to Multiple Syslog Servers

You can stream audit log data to a maximum of five syslog servers. However, if you have enabled TLS for secured audit log streaming, you can stream only to a single syslog server.

Stream Audit Logs to Syslog

When this feature is enabled, audit log records appear in the syslog in the following format:

Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action

Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.

For example, if you specify a tag of FMC-AUDIT-LOG for audit log messages from your management center, a sample audit log message from your management center could appear as follows:


Mar 01 14:45:24 localhost [FMC-AUDIT-LOG] Dev-MC7000: [email protected], Operations > Monitoring, Page View

If you specify a severity and facility, these values do not appear in syslog messages; instead, they tell the system that receives the syslog messages how to categorize them.
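A parser for the record format above, written as an added example (not Cisco code) for use on the syslog receiving side. It treats the bracketed tag as optional, keeps only records carrying the tag you configured (the best practice for telling audit records apart from similar messages such as health alerts), and assumes the caller supplies the year, since syslog timestamps carry none. The sample lines are constructed.

```python
"""Parse FMC audit-log records streamed to syslog (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action
AUDIT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:\[(?P<tag>[^\]]*)\] )?"              # bracketed tag is optional
    r"(?P<sender>[^:]+): "                    # sending device name
    r"(?P<user>[^@,]+)@(?P<user_ip>[^,]+), "
    r"(?P<subsystem>[^,]+), "
    r"(?P<action>.+)$"
)


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    host: str
    tag: Optional[str]
    sender: str
    user: str
    user_ip: str
    subsystem: str
    action: str


def parse_audit_line(line: str, year: int = 2022) -> Optional[AuditRecord]:
    """Return the parsed record, or None when the line is not in the audit format."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    stamp = f"{year} {m['month']} {int(m['day']):02d} {m['time']}"
    return AuditRecord(
        timestamp=datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        host=m["host"],
        tag=m["tag"],
        sender=m["sender"].strip(),
        user=m["user"].strip(),
        user_ip=m["user_ip"].strip(),
        subsystem=m["subsystem"].strip(),
        action=m["action"].strip(),
    )


def select_audit_records(lines: Iterable[str], expected_tag: str) -> List[AuditRecord]:
    """Keep only records whose tag matches the one configured on the management center."""
    kept = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and rec.tag == expected_tag:
            kept.append(rec)
    return kept


def actions_by_user(records: Iterable[AuditRecord]) -> Counter:
    """Count records per (user, source IP): a simple who-did-what summary."""
    return Counter((r.user, r.user_ip) for r in records)


def config_changes(records: Iterable[AuditRecord]) -> List[AuditRecord]:
    """Records whose subsystem lies under System > Configuration."""
    return [r for r in records if r.subsystem.startswith("System > Configuration")]


# Constructed sample: three tagged audit records, one record tagged by another
# sender, and one untagged message that is not in the audit format.
SAMPLE_LINES = [
    "Mar 01 14:45:24 localhost [FMC-AUDIT-LOG] Dev-MC7000: admin@192.0.2.10, Operations > Monitoring, Page View",
    "Mar 01 14:46:02 localhost [FMC-AUDIT-LOG] Dev-MC7000: admin@192.0.2.10, System > Configuration > Access List, Save",
    "Mar  1 14:46:30 localhost [FMC-AUDIT-LOG] Dev-MC7000: analyst@192.0.2.11, Login, Login Success",
    "Mar 01 14:47:00 localhost [LAB-MC] Lab-MC1000: admin@192.0.2.20, Operations > Monitoring, Page View",
    "Mar 01 14:47:10 localhost Dev-MC7000: Health Monitor, CPU usage above threshold",
]

if __name__ == "__main__":
    records = select_audit_records(SAMPLE_LINES, "FMC-AUDIT-LOG")
    for rec in records:
        print(rec.timestamp.isoformat(), rec.user, rec.user_ip, rec.subsystem, "->", rec.action)
    print("per user:", dict(actions_by_user(records)))
    print("configuration changes:", [r.action for r in config_changes(records)])
```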

Before you begin

Make sure the management center can communicate with the syslog server. When you save your configuration, the system uses ICMP/ARP and TCP SYN packets to verify that the syslog server is reachable. Then, the system uses port 514/UDP to stream audit logs. If you secure the channel (optional, see Audit Log Certificate, on page 75), the system uses 6514/TCP.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Audit Log.

Step 3 Choose Enabled from the Send Audit Log to Syslog drop-down menu.

Step 4 The following fields are applicable only for audit logs sent to syslog:

Host: The IP address or the fully qualified name of the syslog server to which you will send audit logs. You can add a maximum of five syslog hosts, separated by commas.

Note You can specify multiple syslog hosts only when TLS is disabled for the Audit Server Certificate.

Facility: The subsystem that creates the message. Choose a facility described in Syslog Alert Facilities, on page 521. For example, choose AUDIT.

Severity: The severity of the message. Choose a severity described in Syslog Severity Levels, on page 522.

Tag: An optional tag to include in audit log syslog messages.

Best practice: Enter a value in this field to easily differentiate audit log messages from other, similar syslog messages such as health alerts. For example, if you want all audit log records sent to the syslog to be labeled with FMC-AUDIT-LOG, enter FMC-AUDIT-LOG in the field.

Step 5 (Optional) To test whether the IP addresses of the syslog servers are valid, click Test Syslog Server.

The system sends the following packets to verify whether the syslog server is reachable:

a. ICMP echo request

b. TCP SYN on 443 and 80 ports

c. ICMP time stamp query


d. TCP SYN on random ports

Note If the Management Center and syslog server are in the same subnet, ARP is used instead of ICMP.

The system displays the result for each server.

Step 6 Click Save.

Stream Audit Logs to an HTTP Server

When this feature is enabled, the appliance sends audit log records to an HTTP server in the following format:

Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action

Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending appliance name precedes the audit log message.

For example, if you specify a tag of FROMMC, a sample audit log message could appear as follows:

Mar 01 14:45:24 localhost [FROMMC] Dev-MC7000: [email protected], Operations > Monitoring, Page View

Before you begin

Make sure the device can communicate with the HTTP server. Optionally, secure the channel; see Audit Log Certificate, on page 75.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Audit Log.

Step 3 Optionally, in the Tag field, enter the tag name that you want to appear with the message. For example, if you want all audit log records to be preceded with FROMMC, enter FROMMC in the field.

Step 4 Choose Enabled from the Send Audit Log to HTTP Server drop-down list.

Step 5 In the URL to Post Audit field, designate the URL where you want to send the audit information. Enter a URL that corresponds to a Listener program that expects the HTTP POST variables as listed:

• subsystem

• actor

• event_type

• message

• action_source_ip

• action_destination_ip

• result

• time


• tag (if defined; see Step 3)

Caution To allow encrypted posts, use an HTTPS URL. Sending audit information to an external URL may affect system performance.

Step 6 Click Save.
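A minimal listener program of the kind Step 5 refers to, added here as an example and not Cisco code. The variable names are the ones listed above; that they arrive as an application/x-www-form-urlencoded body, the listening port, and the sample post are assumptions. Incomplete posts, and posts whose tag does not match the one configured in Step 3, are rejected; accepted records are appended as JSON lines.

```python
"""Listener for FMC audit-log records posted to an HTTP server (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# POST variables the guide lists; tag is present only when configured.
REQUIRED = ("subsystem", "actor", "event_type", "message",
            "action_source_ip", "action_destination_ip", "result", "time")
OPTIONAL = ("tag",)
OUTPUT_FILE = "fmc_audit.jsonl"


def parse_audit_post(body: bytes) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None if any required variable is missing."""
    form = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    record: Dict[str, str] = {}
    for name in REQUIRED:
        if name not in form:
            return None
        record[name] = form[name][0]
    for name in OPTIONAL:
        if name in form:
            record[name] = form[name][0]
    return record


def matches_tag(record: Dict[str, str], expected_tag: Optional[str]) -> bool:
    """With a tag configured on the management center, accept only posts carrying it."""
    return expected_tag is None or record.get("tag") == expected_tag


class AuditPostHandler(BaseHTTPRequestHandler):
    expected_tag: Optional[str] = None  # set by run_listener

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        record = parse_audit_post(self.rfile.read(length))
        if record is None or not matches_tag(record, self.expected_tag):
            self.send_response(400)
            self.end_headers()
            return
        with open(OUTPUT_FILE, "a", encoding="utf-8") as out:
            out.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()


def run_listener(host: str = "127.0.0.1", port: int = 8514,
                 expected_tag: Optional[str] = "FROMMC") -> None:
    """Serve forever. Put a TLS terminator in front so the posted URL can be HTTPS."""
    AuditPostHandler.expected_tag = expected_tag
    HTTPServer((host, port), AuditPostHandler).serve_forever()


# Constructed sample post body (field values are illustrative assumptions).
SAMPLE_BODY = urlencode({
    "subsystem": "System > Configuration > Audit Log",
    "actor": "admin@192.0.2.10",
    "event_type": "Save",
    "message": "Audit log streaming enabled",
    "action_source_ip": "192.0.2.10",
    "action_destination_ip": "192.0.2.100",
    "result": "Success",
    "time": "Mar 01 14:45:24",
    "tag": "FROMMC",
}).encode("utf-8")

if __name__ == "__main__":
    run_listener()
```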

Audit Log Certificate

You can use Transport Layer Security (TLS) certificates to secure communications between the management center and a trusted audit log server.

Client Certificates (Required)

Generate a certificate signing request (CSR), submit it to a Certificate Authority (CA) for signing, then import the signed certificate onto the management center. Use the local system configuration: Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76 and Import an Audit Log Client Certificate into the Management Center, on page 77.

Server Certificates (Optional)

For additional security, we recommend you require mutual authentication between the management center and the audit log server. To accomplish this, load one or more certificate revocation lists (CRLs). You cannot stream audit logs to servers with revoked certificates listed in those CRLs.

Firepower supports CRLs encoded in Distinguished Encoding Rules (DER) format. Note that these are the same CRLs that the system uses to validate HTTPS client certificates for the management center web interface.

Use the local system configuration: Require Valid Audit Log Server Certificates, on page 78.

Securely Stream Audit Logs

If you stream the audit log to a trusted HTTP server or syslog server, you can use Transport Layer Security (TLS) certificates to secure the channel between the management center and the server. You must generate a unique client certificate for each appliance you want to audit.

Before you begin

See ramifications of requiring client and server certificates at Audit Log Certificate, on page 75.

Procedure

Step 1 Obtain and install a signed client certificate on the management center:

a) Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76: Generate a Certificate Signing Request (CSR) from the management center based on your system information and the identification information you supply. Submit the CSR to a recognized, trusted certificate authority (CA) to request a signed client certificate.


If you will require mutual authentication between the management center and the audit log server, the client certificate must be signed by the same CA that signed the server certificate to be used for the connection.

b) After you receive the signed certificate from the certificate authority, import it into the management center. See Import an Audit Log Client Certificate into the Management Center, on page 77.

Step 2 Configure the communication channel with the server to use Transport Layer Security (TLS) and enable mutual authentication. See Require Valid Audit Log Server Certificates, on page 78.

Step 3 Configure audit log streaming if you have not yet done so. See Stream Audit Logs to Syslog, on page 72 or Stream Audit Logs to an HTTP Server, on page 74.

Obtain a Signed Audit Log Client Certificate for the Management Center

Important The Audit Log Certificate page is not available on a standby Secure Firewall Management Center in a high availability setup. You cannot perform this task from a standby Secure Firewall Management Center.

The system generates certificate request keys in Base-64 encoded PEM format.

Before you begin

Keep the following in mind:

• To ensure security, use a globally recognized and trusted Certificate Authority (CA) to sign your certificate.

• If you will require mutual authentication between the appliance and the audit log server, the same Certificate Authority must sign both the client certificate and the server certificate.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Audit Log Certificate.

Step 3 Click Generate New CSR.

Step 4 Enter a country code in the Country Name (two-letter code) field.

Step 5 Enter a state or province postal abbreviation in the State or Province field.

Step 6 Enter a Locality or City.

Step 7 Enter an Organization name.

Step 8 Enter an Organizational Unit (Department) name.

Step 9 Enter the fully qualified domain name of the server for which you want to request a certificate in the Common Name field.

Note If the common name and the DNS hostname do not match, audit log streaming will fail.


Step 10 Click Generate.

Step 11 Open a new blank file with a text editor.

Step 12 Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into a blank text file.

Step 13 Save the file as clientname.csr, where clientname is the name of the appliance where you plan to use the certificate.

Step 14 Click Close.

What to do next

• Submit the certificate signing request to the certificate authority that you selected using the guidelines in the "Before You Begin" section of this procedure.

• When you receive the signed certificate, import it to the appliance; see Import an Audit Log Client Certificate into the Management Center, on page 77.

Import an Audit Log Client Certificate into the Management Center

In the management center high availability setup, you must use the active peer.

Before you begin

• Obtain a Signed Audit Log Client Certificate for the Management Center, on page 76.

• Make sure you are importing the signed certificate for the correct management center.

• If the signing authority that generated the certificate requires you to trust an intermediate CA, be prepared to provide the necessary certificate chain (or certificate path). The CA that signed the client certificate must be the same CA that signed any intermediate certificates in the certificate chain.

Procedure

Step 1 On the management center, choose System ( ) > Configuration.

Step 2 Click Audit Log Certificate.

Step 3 Click Import Audit Client Certificate.

Step 4 Open the client certificate in a text editor, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Paste this text into the Client Certificate field.

Step 5 To upload a private key, open the private key file and copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines. Paste this text into the Private Key field.

Step 6 Open any required intermediate certificates, copy the entire block of text for each, and paste it into the Certificate Chain field.

Step 7 Click Save.


Require Valid Audit Log Server Certificates

The system supports validating audit log server certificates using imported CRLs in Distinguished Encoding Rules (DER) format.

Note If you choose to verify certificates using CRLs, the system uses the same CRLs to validate both audit log server certificates and certificates used to secure the HTTP connection between an appliance and a web browser.

Important You cannot perform this procedure on the standby Secure Firewall Management Center in a high availability pair.

Before you begin

• Understand the ramifications of requiring mutual authentication and of using certificate revocation lists (CRLs) to ensure that certificates are still valid. See Audit Log Certificate, on page 75.

• Obtain and import the client certificate following the steps in Securely Stream Audit Logs, on page 75 and the topics referenced in that procedure.

Procedure

Step 1 On the management center, choose System ( ) > Configuration.

Step 2 Click Audit Log Certificate.

Step 3 To use Transport Layer Security to securely stream the audit log to an external server, choose Enable TLS.

Step 4 If you want to accept server certificates without verification (not recommended):

a) Deselect Enable Mutual Authentication.

b) Click Save and skip the remainder of this procedure.

Step 5 To verify the certificate of the audit log server, choose Enable Mutual Authentication.

Step 6 (If you enabled mutual authentication) To automatically recognize certificates that are no longer valid:

a) Select Enable Fetching of CRL.

Note Enabling fetching of the CRL creates a scheduled task to regularly update the CRL or CRLs.

b) Enter a valid URL to an existing CRL file and click Add CRL. Repeat to add up to 25 CRLs.

c) Click Refresh CRL to load the current CRL or CRLs from the specified URL or URLs.

Step 7 Verify that you have a valid server certificate generated by the same certificate authority that created the client certificate.

Step 8 Click Save.


What to do next

(Optional) Set the frequency of CRL updates. See Configuring Certificate Revocation List Downloads, on page 455.

View the Audit Log Client Certificate on the Management Center

You can view the audit log client certificate only for the appliance that you are logged in to. In management center high availability pairs, you can view the certificate only on the active peer.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Audit Log Certificate.

Dashboard Settings

Dashboards provide you with at-a-glance views of current system status through the use of widgets: small, self-contained components that provide insight into different aspects of the system. The system is delivered with several predefined dashboard widgets.

You can configure the Secure Firewall Management Center so that Custom Analysis widgets are enabled on the dashboard.

Related Topics

About Dashboards, on page 305

Enabling Custom Analysis Widgets for Dashboards

Use Custom Analysis dashboard widgets to create a visual representation of events based on a flexible, user-configurable query.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Dashboard.

Step 3 Check the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards.

Step 4 Click Save.

Related Topics

About Dashboards, on page 305


DNS Cache

You can configure the system to resolve IP addresses automatically on the event view pages. You can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled.

Configuring DNS Cache Properties

DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Choose DNS Cache.

Step 3 From the DNS Resolution Caching drop-down list, choose one of the following:

• Enabled —Enable caching.

• Disabled —Disable caching.

Step 4 In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity.

The default setting is 300 minutes (five hours).

Step 5 Click Save.

Related Topics

Configuring Event View Settings, on page 189

Email Notifications

Configure a mail host if you plan to:

• Email event-based reports

• Email status reports for scheduled tasks

• Email change reconciliation reports

• Email data-pruning notifications

• Use email for discovery event, impact flag, correlation event alerting, intrusion event alerting, and health event alerting


When you configure email notification, you can select an encryption method for the communication between the system and mail relay host, and can supply authentication credentials for the mail server if needed. After configuring, you can test the connection.

Configuring a Mail Relay Host and Notification Address

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Email Notification.

Step 3 In the Mail Relay Host field, enter the hostname or IP address of the mail server you want to use. The mail host you enter must allow access from the appliance.

Step 4 In the Port Number field, enter the port number to use on the email server.

Typical ports include:

• 25, when using no encryption

• 465, when using SSLv3

• 587, when using TLS

Step 5 Choose an Encryption Method:

• TLS —Encrypt communications using Transport Layer Security.

• SSLv3 —Encrypt communications using Secure Sockets Layer.

• None —Allow unencrypted communication.

Note Certificate validation is not required for encrypted communication between the appliance and mail server.

Step 6 In the From Address field, enter the valid email address you want to use as the source email address for messages sent by the appliance.

Step 7 Optionally, to supply a user name and password when connecting to the mail server, choose Use Authentication. Enter a user name in the Username field. Enter a password in the Password field.

Step 8 To send a test email using the configured mail server, click Test Mail Server Settings.

A message appears next to the button indicating the success or failure of the test.

Step 9 Click Save.

Language Selection

You can use the Language page to specify a different language for the web interface.


Set the Language for the Web Interface

The language you specify here is used for the web interface for every user. You can choose from:

• English

• French

• Chinese (simplified)

• Chinese (traditional)

• Japanese

• Korean

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click Language.

Step 3 Choose the language you want to use.

Step 4 Click Save.

Login Banners

You can use the Login Banner page to specify session, login, or custom message banners for a security appliance or shared policy.

You can use ASCII characters and carriage returns to create a custom login banner. The system does not preserve tab spacing. If your login banner is too large or causes errors, Telnet or SSH sessions can fail when the system attempts to display the banner.

Customize the Login Banner

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Choose Login Banner.

Step 3 In the Custom Login Banner field, enter the login banner text you want to use.

Step 4 Click Save.


SNMP Polling

You can enable Simple Network Management Protocol (SNMP) polling. This feature supports use of versions 1, 2, and 3 of the SNMP protocol. This feature allows access to the standard management information base (MIB), which includes system details such as contact, administrative, location, service information, IP addressing and routing information, and transmission protocol usage statistics.

Note When selecting SNMP versions for the SNMP protocol, note that SNMPv2 only supports read-only communities and SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.

Enabling SNMP polling does not cause the system to send SNMP traps; it only makes the information in the MIBs available for polling by your network management system.

Configure SNMP Polling

Before you begin

Add SNMP access for each computer you plan to use to poll the system. See Configure an Access List, on page 71.

Note The SNMP MIB contains information that could be used to attack your deployment. We recommend that you restrict your access list for SNMP access to the specific hosts that will be used to poll for the MIB. We also recommend you use SNMPv3 and use strong passwords for network management access.

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click SNMP.

Step 3 From the SNMP Version drop-down list, choose the SNMP version you want to use:

• Version 1 or Version 2: Enter a read-only SNMP community name in the Community String field, then skip to the end of the procedure.

Note Do not include special characters (< > / % # & ? ', etc.) in the SNMP community string name.

• Version 3: Click Add User to display the user definition page. SNMPv3 only supports read-only users and encryption with AES128.

Step 4 Enter a Username.

Step 5 Choose the protocol you want to use for authentication from the Authentication Protocol drop-down list.

Step 6 Enter the password required for authentication with the SNMP server in the Authentication Password field.

Step 7 Re-enter the authentication password in the Verify Password field.


Step 8 Choose the privacy protocol you want to use from the Privacy Protocol list, or choose None to not use a privacy protocol.

Step 9 Enter the SNMP privacy key required by the SNMP server in the Privacy Password field.

Step 10 Re-enter the privacy password in the Verify Password field.

Step 11 Click Add.

Step 12 Click Save.

Time and Time Synchronization

Synchronizing the system time on your Secure Firewall Management Center (management center) and its managed devices is essential to successful operation of your Firepower System. We recommend that you specify NTP servers during management center initial configuration, but you can use the information in this section to establish or change time synchronization settings after initial configuration is complete.

Use a Network Time Protocol (NTP) server to synchronize system time on the management center and all devices. The management center supports secure communications with NTP servers using MD5, SHA-1, or AES-128 CMAC symmetric key authentication; for system security, we recommend using this feature.

The management center can also be configured to connect solely with authenticated NTP servers; using this option improves security in a mixed-authentication environment, or when migrating your system to different NTP servers. It is redundant to use this setting in an environment where all reachable NTP servers are authenticated.

Note If you specified an NTP server for the management center during initial configuration, the connection with that NTP server is not secured. You must edit the configuration for that connection to specify MD5, SHA-1, or AES-128 CMAC keys.

Caution Unintended consequences can occur when time is not synchronized between the management center and managed devices.

To synchronize time on management center and managed devices, see:

• Recommended: Synchronize Time on the Management Center with an NTP Server, on page 85

This topic provides instructions for configuring your management center to synchronize with an NTP server or servers and includes links to instructions on configuring managed devices to synchronize with the same NTP server or servers.

• Otherwise: Synchronize Time Without Access to a Network NTP Server, on page 86

This topic provides instructions for setting the time on your management center, configuring your management center to serve as an NTP server, and links to instructions on configuring managed devices to synchronize with the management center NTP server.


Synchronize Time on the Management Center with an NTP Server

Time synchronization among all of the components of your system is critically important.

The best way to ensure proper time synchronization between Secure Firewall Management Center and all managed devices is to use an NTP server on your network.

The management center supports NTPv4.

You must have Admin or Network Admin privileges to do this procedure.

Before you begin

Note the following:

• If your management center and managed devices cannot access a network NTP server, do not use this procedure. Instead, see Synchronize Time Without Access to a Network NTP Server, on page 86 .

• Do not specify an untrusted NTP server.

• If you plan to establish a secure connection with an NTP server (recommended for system security), obtain an SHA-1, MD5, or AES-128 CMAC key number and value configured on that NTP server.

• Connections to NTP servers do not use configured proxy settings.

• Firepower 4100 Series devices and Firepower 9300 devices cannot use this procedure to set the system time. Instead, configure those devices to use the same NTP server(s) that you configure using this procedure. For instructions, see the documentation for your hardware model.

Caution If the Secure Firewall Management Center is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, configure your DHCP server to use the same NTP server.

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click Time Synchronization .

Step 3 If Serve Time via NTP is Enabled , choose Disabled to disable the management center as an NTP server.

Step 4 For the Set My Clock option, choose Via NTP .

Step 5 Click Add .

Step 6 In the Add NTP Server dialog box, enter the host name or IPv4 or IPv6 address of an NTP server.

Step 7 (Optional) To secure communication between your management center and the NTP server:

a) Select MD5 , SHA-1 or AES-128 CMAC from the Key Type drop-down list.

b) Enter the corresponding MD5, SHA-1, or AES-128 CMAC Key Number and Key Value from the specified NTP server.

Step 8 Click Add .

Step 9 To add more NTP servers, repeat Steps 5 through 8.


Step 10 (Optional) To force the management center to use only an NTP server that successfully authenticates, check the Use the authenticated NTP server only check box.

Step 11 Click Save .

What to do next

Set managed devices to synchronize with the same NTP server or servers:

• Configure device platform settings: Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide .

Note that even if you force the management center to make a secure connection with an NTP server ( Use the authenticated NTP server only ), device connections to that server do not use authentication.

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide .

Synchronize Time Without Access to a Network NTP Server

If your devices cannot directly reach the network NTP server, or your organization does not have a network NTP server, a physical-hardware Secure Firewall Management Center can serve as an NTP server.

Important

• Do not use this procedure unless you have no other NTP server. Instead, use the procedure in Synchronize Time on the Management Center with an NTP Server, on page 85 .

• Do not use a virtual Secure Firewall Management Center as an NTP server.

To change the time manually after configuring the Secure Firewall Management Center as an NTP server, you must disable the NTP option, change the time manually, and then re-enable the NTP option.

Procedure

Step 1 Manually set the system time on the Secure Firewall Management Center:

a) Choose System ( ) > Configuration .

b) Click Time Synchronization .

c) If Serve Time via NTP is Enabled , choose Disabled .

d) Click Save .

e) For Set My Clock , choose Manually in Local Configuration .

f) Click Save .

g) In the navigation panel at the left side of the screen, click Time .

h) Use the Set Time drop-down lists to set the time.

i) If the time zone displayed is not UTC, click it and set the time zone to UTC .

j) Click Save .

k) Click Done .

l) Click Apply .


Step 2 Set the Secure Firewall Management Center to serve as an NTP server:

a) In the navigation panel at the left side of the screen, click Time Synchronization .

b) For Serve Time via NTP , choose Enabled .

c) Click Save .

Step 3 Set managed devices to synchronize with the Secure Firewall Management Center NTP server:

a) In the Time Synchronization settings for the platform settings policy assigned to your managed devices, set the clock to synchronize Via NTP from Management Center .

b) Deploy the change to managed devices.

For instructions: for threat defense devices, see Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide .

About Changing Time Synchronization Settings

• Your management center and its managed devices are heavily dependent on accurate time. The system clock is a system facility that maintains the time of the system. The system clock is set to Universal Coordinated Time (UTC), which is the primary time standard by which the world regulates clocks and time.

DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time zone from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.

• If you configure the management center to serve time using NTP, and then later disable it, the NTP service on managed devices still attempts to synchronize time with the management center. You must update and redeploy any applicable platform settings policies to establish a new time source.

• To change the time manually after configuring the Secure Firewall Management Center as an NTP server, you must disable the NTP option, change the time manually, and then re-enable the NTP option.

View Current System Time, Source, and NTP Server Connection Status

Time settings are displayed on most pages in local time using the time zone you set on the Time Zone page in User Preferences (the default is America/New York), but are stored on the appliance using UTC time.

Restriction The Time Zone function (in User Preferences) assumes that the default system clock is set to UTC time. DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Be advised that changing the system time from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.

Procedure

Step 1 Choose System ( ) > Configuration .


Step 2 Click Time .

The current time is displayed using the time zone specified for your account in User Preferences.

If your appliance uses an NTP server: For information about the table entries, see NTP Server Status, on page 88 .

NTP Server Status

If you are synchronizing time from an NTP server, you can view connection status on the Time page (choose System > Configuration ).

Table 5: NTP Status

NTP Server
The IP address or name of the configured NTP server.

Status
The status of the NTP server time synchronization:

• Being Used indicates that the appliance is synchronized with the NTP server.

• Available indicates that the NTP server is available for use, but time is not yet synchronized.

• Not Available indicates that the NTP server is in your configuration, but the NTP daemon is unable to use it.

• Pending indicates that the NTP server is new or the NTP daemon was recently restarted. Over time, its value should change to Being Used , Available , or Not Available .

• Unknown indicates that the status of the NTP server is unknown.

Authentication
The authentication status for communication between the management center and the NTP server:

• none indicates no authentication is configured.

• bad indicates authentication is configured but has failed.

• ok indicates authentication is successful.

If authentication has been configured, the system displays the key number and key type (SHA-1, MD5, or AES-128 CMAC) following the status value. For example: bad, key 2, MD5 .

Offset
The number of milliseconds of difference between the time on the appliance and the configured NTP server. Negative values indicate that the appliance is behind the NTP server, and positive values indicate that it is ahead.

Last Update
The number of seconds that have elapsed since the time was last synchronized with the NTP server. The NTP daemon automatically adjusts the synchronization times based on a number of conditions. For example, if you see larger update times such as 300 seconds, that indicates that the time is relatively stable and the NTP daemon has determined that it does not need to use a lower update increment.
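The Authentication column above summarizes the outcome of the symmetric-key check that the NTP server's replies are subjected to. The following Python is an added illustration, not code from this guide or from Cisco: it models the MAC that RFC 5905 (Appendix A) defines for MD5 and SHA-1 keys, where the sender appends a 32-bit key number and a digest computed over the key followed by the 48-byte header, and the receiver recomputes that digest with the key it trusts under that number and reports none, ok or bad together with the key number and type. The key numbers and key values are constructed for the example; AES-128 CMAC is left out because it needs a CMAC primitive that the Python standard library does not provide.

```python
"""Added example (not Cisco code): symmetric-key NTP message authentication
as specified in RFC 5905, Appendix A, for the MD5 and SHA-1 key types.
AES-128 CMAC (RFC 8573) needs a CMAC primitive the standard library lacks
and is not modelled here."""
import hashlib
import hmac
import struct

# Digest constructors keyed by the key-type names the guide uses.
DIGEST = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}

# Constructed trusted-key store (key number -> (type, key value)); the numbers
# and values are invented for this example and come from no real server.
TRUSTED_KEYS = {
    2: ("MD5", b"example-md5-secret"),
    3: ("SHA-1", bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")),
}

HEADER_LEN = 48  # fixed NTPv4 header length; the MAC follows it


def ntp_header(mode: int = 4, stratum: int = 2, tx_ts: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv4 header (RFC 5905, section 7.3).

    Only enough fields are filled to resemble a server reply; the MAC is
    computed over all 48 bytes, so every field is covered by it.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # LI=0, VN=4, Mode=4 (server)
    return struct.pack(
        "!BBbb11I",
        li_vn_mode, stratum, 6, -20,  # LI/VN/Mode, stratum, poll, precision
        0, 0,                         # root delay, root dispersion
        0x4C4F434C,                   # reference ID "LOCL"
        0, 0,                         # reference timestamp (seconds, fraction)
        0, 0,                         # origin timestamp
        0, 0,                         # receive timestamp
        tx_ts, 0,                     # transmit timestamp
    )


def sign(header: bytes, key_id: int, key_type: str, key: bytes) -> bytes:
    """Append the MAC: a 32-bit key number followed by digest(key || header).

    This is the server side of the exchange, using the key whose number and
    value are entered on the management center.
    """
    return header + struct.pack("!I", key_id) + DIGEST[key_type](key + header).digest()


def verify(message: bytes, trusted_keys=TRUSTED_KEYS) -> str:
    """Classify a received message the way the Authentication column does.

    Returns "none" when no MAC is present, otherwise "ok" or "bad" followed by
    the key number and type, e.g. "bad, key 2, MD5". A key number that is not
    in the trusted set is reported as bad without a type.
    """
    header, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    if not mac:
        return "none"
    if len(mac) < 4:
        return "bad"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return f"bad, key {key_id}"
    key_type, key = trusted_keys[key_id]
    expected = DIGEST[key_type](key + header).digest()
    status = "ok" if hmac.compare_digest(expected, mac[4:]) else "bad"
    return f"{status}, key {key_id}, {key_type}"


if __name__ == "__main__":
    reply = ntp_header(tx_ts=3_900_000_000)
    print(verify(reply))                                      # none
    print(verify(sign(reply, 2, "MD5", TRUSTED_KEYS[2][1])))  # ok, key 2, MD5
    print(verify(sign(reply, 2, "MD5", b"wrong-key")))        # bad, key 2, MD5
    print(verify(sign(reply, 9, "MD5", b"unknown")))          # bad, key 9
```

The "bad" outcomes show why the guide asks you to obtain the key number and value from the NTP server itself: a mismatched value or a key number the server does not use both fail the same way, and a reply whose header was altered in transit fails even with the right key.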

Global User Configuration Settings

Global User Configuration settings affect all users on the Secure Firewall Management Center. Configure these settings on the User Configuration page ( System ( ) > Configuration > User Configuration ):

• Password Reuse Limit : The number of passwords in a user’s most recent history that cannot be reused.

This limit applies to web interface access for all users. For the admin user, this applies to CLI access as well; the system maintains separate password lists for each form of access. Setting the limit to zero (the default) places no restrictions on password reuse. See Set Password Reuse Limit, on page 90 .

• Track Successful Logins : The number of days that the system tracks successful logins to the Secure Firewall Management Center, per user, per access method (web interface or CLI). When users log in, the system displays their successful login count for the interface being used. When Track Successful Logins is set to zero (the default), the system does not track or report successful login activity. See Track Successful Logins, on page 90 .

• Max Number of Login Failures : The number of times in a row that users can enter incorrect web interface login credentials before the system temporarily blocks the account from access for a configurable time period. If a user continues login attempts while the temporary lockout is in force:

• The system refuses access for that account (even with a valid password) without informing the user that a temporary lockout is in force.

• The system continues to increment the failed login count for that account with each login attempt.

• If the user exceeds the Maximum Number of Failed Logins configured for that account on the individual User Configuration page, the account is locked out until an admin user reactivates it.

• Set Time in Minutes to Temporarily Lockout Users : The duration in minutes for a temporary web interface user lockout if Max Number of Failed Logins is non-zero.

• Max Concurrent Sessions Allowed : The number of sessions of a particular type (read-only or read/write) that can be open at the same time. The type of session is determined by the roles assigned to a user. If a user is assigned only read-only roles, that user's session is counted toward the (Read Only) session limit. If a user has any roles with write privileges, the session is counted toward the Read/Write session limit.

For example, if a user is assigned the Admin role and the Maximum sessions for users with Read/Write privileges/CLI users is set to 5, the user will not be allowed to log in if there are already five other users logged in that have read/write privileges.


Note Predefined user roles and custom user roles that the system considers read-only for the purposes of concurrent session limits are labeled with (Read Only) in the role name on the System ( ) > Users > Users and System ( ) > Users > User Roles pages. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write. The system automatically applies (Read Only) to roles that meet the required criteria. You cannot make a role read-only by adding that text string manually to the role name.

For each type of session, you can set a maximum limit ranging from 1 to 1024. When Max Concurrent Sessions Allowed is set to zero (the default), the number of concurrent sessions is unlimited.

If you change the concurrent session limit to a value more restrictive, the system will not close any currently open sessions; it will, however, prevent new sessions beyond the number specified from being opened.

Set Password Reuse Limit

If you enable the Password Reuse Limit , the system keeps encrypted password histories for management center users. Users cannot reuse passwords in their histories. You can specify the number of stored passwords for each user, per access method (web interface or CLI). A user's current password counts towards this number.

If you lower the limit, the system deletes older passwords from the history. Increasing the limit does not restore deleted passwords.

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click User Configuration .

Step 3 Set the Password Reuse Limit to the number of passwords you want to maintain in the history (maximum 256).

To disable password reuse checking, enter 0.

Step 4 Click Save .

Track Successful Logins

Use this procedure to enable tracking successful logins for each user for a specified number of days. When this tracking is enabled, the system displays the successful login count when users log into the web interface or the CLI.

Note If you lower the number of days, the system deletes records of older logins. If you then increase the limit, the system does not restore the count from those days. In that case, the reported number of successful logins may be temporarily lower than the actual number.


Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click User Configuration .

Step 3 Set Track Successful Login Days to the number of days to track successful logins (maximum 365).

To disable login tracking, enter 0.

Step 4 Click Save .

Enabling Temporary Lockouts

Enable the temporary timed lockout feature by specifying the number of failed login attempts in a row that the system allows before the lockout goes into effect.

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click User Configuration .

Step 3 Set the Max Number of Login Failures to the maximum number of consecutive failed login attempts before the user is temporarily locked out.

To disable the temporary lockout, enter zero.

Step 4 Set the Time in Minutes to Temporarily Lockout Users to the number of minutes to lock out users who have triggered a temporary lockout.

When this value is zero, users do not have to wait to retry to log in, even if the Max Number of Login Failures is non-zero.

Step 5 Click Save .
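The password reuse and lockout settings described under Global User Configuration Settings, Set Password Reuse Limit and this procedure interact in ways that are easier to see in code. The following Python is an added model of those rules, not Cisco's implementation and not code from this guide: a password is refused while it is among the retained history entries (the current password counts), lowering the limit discards older entries that a later increase does not restore, a run of consecutive failures triggers a timed lockout during which even a valid password is refused while the failure count keeps growing, exceeding the per-user Maximum Number of Failed Logins locks the account until an admin reactivates it, and a lockout time of zero means no wait at all. The hashing scheme, the history layout, the per-user limit default and the assumption that the timed lockout re-arms on every further run of failures are choices made for the example.

```python
"""Added example (not Cisco code): a model of the password-reuse and login
lockout rules from the User Configuration page. Hashing, history layout
and the re-arm behaviour after a lockout expires are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; the guide only says histories are stored
    encrypted, so this algorithm is an assumption, not the product's."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class Policy:
    """Global settings from System > Configuration > User Configuration; 0 = off."""
    password_reuse_limit: int = 0   # stored passwords per user (max 256); 0 = no restriction
    max_login_failures: int = 0     # consecutive failures before a timed lockout; 0 = off
    temp_lockout_minutes: int = 0   # lockout duration; 0 = no wait even if failures are limited


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest) pairs, current password first
    max_failed_logins: int = 0      # per-user hard limit from the user's own page; 0 = none (assumption)
    failed_count: int = 0
    temp_locked_until: float = 0.0  # wall-clock seconds; 0.0 = not locked
    needs_admin_reactivation: bool = False


def apply_reuse_limit(acct: Account, policy: Policy) -> None:
    """Lowering the limit discards older history; raising it cannot restore it."""
    keep = max(policy.password_reuse_limit, 1)  # the current password is always kept
    del acct.history[keep:]


def set_password(acct: Account, policy: Policy, new_password: str) -> bool:
    """Store a new password; refuse it if it matches any retained history entry."""
    if policy.password_reuse_limit:
        for salt, digest in acct.history[: policy.password_reuse_limit]:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return False
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _hash(new_password, salt)))
    apply_reuse_limit(acct, policy)
    return True


def attempt_login(acct: Account, policy: Policy, password: str, now: float) -> str:
    """Apply the lockout rules to one login attempt made at wall-clock time `now`.

    Returns "ok", "failed", "temp_lockout" (this attempt triggered the timed
    lockout), "denied" (a lockout is in force: access is refused even with a
    valid password and the failure count still grows) or "locked" (the
    per-user limit was exceeded and an admin must reactivate the account).
    """
    if acct.needs_admin_reactivation:
        return "locked"
    lock_in_force = now < acct.temp_locked_until
    salt, digest = acct.history[0]
    if hmac.compare_digest(_hash(password, salt), digest) and not lock_in_force:
        acct.failed_count = 0
        return "ok"
    acct.failed_count += 1  # every attempt during a lockout counts, valid password or not
    if acct.max_failed_logins and acct.failed_count > acct.max_failed_logins:
        acct.needs_admin_reactivation = True
        return "locked"
    if lock_in_force:
        return "denied"
    # Assumption: the timed lockout re-arms after each further run of max_login_failures.
    if (policy.max_login_failures and policy.temp_lockout_minutes
            and acct.failed_count % policy.max_login_failures == 0):
        acct.temp_locked_until = now + policy.temp_lockout_minutes * 60
        return "temp_lockout"
    return "failed"


def new_account(policy: Policy, password: str, max_failed_logins: int = 0) -> Account:
    """Create an account whose history holds only the initial password."""
    acct = Account(max_failed_logins=max_failed_logins)
    set_password(acct, policy, password)
    return acct
```

Because "denied" is returned without distinguishing a valid from an invalid password, a caller cannot tell from the response that a lockout is in force, which is the behaviour the guide describes; the growing failure count is what eventually escalates a persistent attacker to the admin-reactivation lockout.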

Set Maximum Number of Concurrent Sessions

You can specify the maximum number of sessions of a particular type (read-only or read/write) that can be open at the same time. The type of session is determined by the roles assigned to a user. If a user is assigned only read-only roles, that user's session is counted toward the Read Only session limit. If a user has any roles with write privileges, the session is counted toward the Read/Write session limit.

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click User Configuration .

Step 3 For each type of session ( Read Only and Read/Write ), set the Max Concurrent Sessions Allowed to the maximum number of sessions of that type that can be open at the same time.

To apply no limits on concurrent users by session type, enter zero.

Note If you change the concurrent session limit to a value more restrictive, the system will not close any currently open sessions; it will, however, prevent new sessions beyond the number specified from being opened.

Step 4 Click Save .
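The following Python is an added model of the concurrent-session rules described above; it is not Cisco code and not from this guide. It shows how a session's type follows from the user's roles (only roles carrying the system-applied "(Read Only)" label count as read-only; any other role makes the session read/write), how zero means unlimited and 1 to 1024 is the valid range, and why tightening a limit leaves already-open sessions in place while refusing new ones. The role names and the in-memory session table are constructed for the example.

```python
"""Added example (not Cisco code): classification and counting of sessions
against the Read Only and Read/Write concurrent-session limits."""
from dataclasses import dataclass, field

MAX_LIMIT = 1024  # the guide allows 1 to 1024 per session type; 0 = unlimited


@dataclass
class SessionLimits:
    read_only: int = 0
    read_write: int = 0

    def __post_init__(self):
        for value in (self.read_only, self.read_write):
            if not 0 <= value <= MAX_LIMIT:
                raise ValueError(f"limit must be 0 (unlimited) or 1..{MAX_LIMIT}, got {value}")


@dataclass
class SessionTable:
    open_sessions: list = field(default_factory=list)  # (user, kind) pairs

    def count(self, kind: str) -> int:
        return sum(1 for _, k in self.open_sessions if k == kind)


def session_kind(roles) -> str:
    """A session is Read Only only when every assigned role carries the
    "(Read Only)" label that the system itself applies; any other role makes
    it Read/Write. Treating a user with no roles as Read/Write is an assumption."""
    if roles and all("(Read Only)" in role for role in roles):
        return "read_only"
    return "read_write"


def try_login(table: SessionTable, limits: SessionLimits, user: str, roles) -> bool:
    """Admit the login unless the limit for its session kind is already reached.

    Open sessions are never closed by a limit change; a limit only stops new
    sessions beyond the configured number from being opened.
    """
    kind = session_kind(roles)
    limit = limits.read_only if kind == "read_only" else limits.read_write
    if limit and table.count(kind) >= limit:
        return False
    table.open_sessions.append((user, kind))
    return True


if __name__ == "__main__":
    table = SessionTable()
    limits = SessionLimits(read_write=5)
    for i in range(6):  # the sixth read/write user is refused
        print(f"admin{i}", try_login(table, limits, f"admin{i}", ["Administrator"]))
    print("auditor", try_login(table, limits, "auditor", ["Security Analyst (Read Only)"]))
```

Note that a user holding one read-only role plus any other role is counted in the read/write pool, which is why the guide warns that appending "(Read Only)" to a role name by hand does not make it read-only.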

Session Timeouts

Unattended login sessions may be security risks. You can configure the amount of idle time before a user’s login session times out due to inactivity.

Note that you can exempt specific web interface users from timeout, for scenarios where you plan to passively, securely monitor the system for long periods of time. Users with the Administrator role, whose complete access to menu options poses an extra risk if compromised, cannot be made exempt from session timeouts.

Configure Session Timeouts

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click CLI Timeout .

Step 3 Configure session timeouts:

• Web interface (management center only): Configure the Browser Session Timeout (Minutes) . The default value is 60 ; the maximum value is 1440 (24 hours). To exempt users from this session timeout, see Add an Internal User, on page 111 .

• CLI: Configure the CLI Timeout (Minutes) field. The default value is 0 ; the maximum value is 1440 (24 hours).

Step 4 Click Save .

Vulnerability Mapping

The system automatically maps vulnerabilities to a host IP address for any application protocol traffic received or sent from that address, when the server has an application ID in the discovery event database and the packet header for the traffic includes a vendor and version.


For servers that do not include vendor or version information in their packets, you can configure whether the system associates vulnerabilities with their server traffic.

For example, a host serves SMTP traffic that does not have a vendor or version in the header. If you enable the SMTP server on the Vulnerability Mapping page of a system configuration, then save that configuration to the Secure Firewall Management Center managing the device that detects the traffic, all vulnerabilities associated with SMTP servers are added to the host profile for the host.

Although detectors collect server information and add it to host profiles, the application protocol detectors will not be used for vulnerability mapping, because you cannot specify a vendor or version for a custom application protocol detector and cannot select the server for vulnerability mapping.

Mapping Vulnerabilities for Servers

This procedure requires any Smart License or the Protection classic license.

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Choose Vulnerability Mapping .

Step 3 You have the following choices:

• To prevent vulnerabilities for a server from being mapped to hosts that receive application protocol traffic without vendor or version information, clear the check box for that server.

• To cause vulnerabilities for a server to be mapped to hosts that receive application protocol traffic without vendor or version information, check the check box for that server.

Tip You can check or clear all check boxes at once using the check box next to Enabled .

Step 4 Click Save .

Remote Console Access Management

You can use a Linux system console for remote access on supported systems via either the VGA port (which is the default) or the serial port on the physical appliance. Use the Console Configuration page to choose the option most suitable to the physical layout of your organization’s Firepower deployment.

On supported physical-hardware-based systems, you can use Lights-Out Management (LOM) on a Serial Over LAN (SOL) connection to remotely monitor or manage the system without logging into the management interface of the system. You can perform limited tasks, such as viewing the chassis serial number or monitoring such conditions as fan speed and temperature, using a command line interface on an out-of-band management connection. The cable connection to support LOM varies by management center model:

• For management center models MC1600, MC2600, and MC4600, use a connection with the CIMC port to support LOM. See the Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide for more information.


• For all other management center hardware models, use a connection with the default (eth0) management port to support LOM. See the Cisco Firepower Management Center Getting Started Guide for your hardware model.

You must enable LOM for both the system and the user you want to manage the system. After you enable the system and the user, you use a third-party Intelligent Platform Management Interface (IPMI) utility to access and manage your system.

Configuring Remote Console Settings on the System

You must be an Admin user to perform this procedure.

Before you begin

• Disable Spanning Tree Protocol (STP) on any third-party switching equipment connected to the device’s management interface.

• If you plan to enable Lights-Out Management see the Getting Started Guide for your appliance for information about installing and using an Intelligent Platform Management Interface (IPMI) utility.

Procedure

Step 1 Choose System ( ) > Configuration .

Step 2 Click Console Configuration .

Step 3 Choose a remote console access option:

• Choose VGA to use the appliance's VGA port.

• Choose Physical Serial Port to use the appliance's serial port.

• Choose Lights-Out Management to use an SOL connection on the management center. (This may use the default management port or the CIMC port depending on your management center model. See the Getting Started Guide for your model for more information.)

Step 4 To configure LOM via SOL:

• Choose the address Configuration for the system ( DHCP or Manual ).

• If you chose manual configuration, enter the necessary IPv4 settings:

• Enter the IP Address to be used for LOM.

Note The LOM IP address must be different from and in the same subnet as the management center management interface IP address.

• Enter the Netmask for the system.

• Enter the Default Gateway for the system.

Step 5 Click Save .


Step 6 The system displays the following warning: "You will have to reboot your system for these changes to take effect." Click OK to reboot now or Cancel to reboot later.

What to do next

• If you configured serial access, be sure the rear-panel serial port is connected to a local computer, terminal server, or other device that can support remote serial access over ethernet as described in the Getting Started Guide for your management center model.

• If you configured Lights-Out Management, enable a Lights-Out Management user; see Lights-Out Management User Access Configuration, on page 95 .

Lights-Out Management User Access Configuration

You must explicitly grant Lights-Out Management permissions to users who will use the feature. LOM users also have the following restrictions:

• You must assign the Administrator role to the user.

• The username may have up to 16 alphanumeric characters. Hyphens and longer user names are not supported for LOM users.

• A user’s LOM password is the same as that user’s system password. The password must comply with the requirements described in User Passwords, on page 108 . Cisco recommends that you use a complex, non-dictionary-based password of the maximum supported length for your appliance and change it every three months.

• Physical Secure Firewall Management Centers can have up to 13 LOM users.

Note that if you deactivate, then reactivate, a user with LOM while that user is logged in, or restore a user from a backup during that user’s login session, that user may need to log back into the web interface to regain access to ipmitool commands.

Enabling Lights-Out Management User Access

You must be an Admin user to perform this procedure.

Use this task to grant LOM access to an existing user. To grant LOM access to a new user, see Add an Internal User, on page 111 .

Procedure

Step 1 Choose System ( ) > Users > Users .

Step 2 To grant LOM user access to an existing user, click Edit ( ) next to a user name in the list.

Step 3 Under User Configuration , enable the Administrator role.

Step 4 Check the Allow Lights-Out Management Access check box.

Step 5 Click Save .


Serial Over LAN Connection Configuration

You use a third-party IPMI utility on your computer to create a Serial Over LAN connection to the appliance.

If your computer uses a Linux-like or Mac environment, use IPMItool; for Windows environments, you can use IPMIutil or IPMItool, depending on your Windows version.

Note Cisco recommends using IPMItool version 1.8.12 or greater.

Linux

IPMItool is standard with many distributions and is ready to use.

Mac

You must install IPMItool on a Mac. First, confirm that your Mac has Apple's XCode Developer tools installed, making sure that the optional components for command line development are installed (UNIX Development and System Tools in newer versions, or Command Line Support in older versions). Then you can install macports and the IPMItool. Use your favorite search engine for more information or try these sites: https://developer.apple.com/technologies/tools/ http://www.macports.org/ http://github.com/ipmitool/ipmitool/

Windows

For Windows Versions 10 and greater with Windows Subsystem for Linux (WSL) enabled, as well as some older versions of Windows Server, you can use IPMItool. Otherwise, you must compile IPMIutil on your Windows system; you can use IPMIutil itself to compile. Use your favorite search engine for more information or try this site: http://ipmiutil.sourceforge.net/man.html#ipmiutil

Understanding IPMI Utility Commands

Commands used for IPMI utilities are composed of segments as in the following example for IPMItool on Mac: ipmitool -I lanplus -H IP_address -U user_name command where:

• ipmitool invokes the utility.

• -I lanplus specifies to use an encrypted IPMI v2.0 RMCP+ LAN Interface for the session.

• -H IP_address indicates the IP address you have configured for Lights-Out Management on the appliance you want to access.

• -U user_name is the name of an authorized remote session user.

• command is the name of the command you want to use.


Note Cisco recommends using IPMItool version 1.8.12 or greater.

The same command for IPMIutil on Windows looks like this: ipmiutil command -V 4 -J 3 -N IP_address -U user_name

This command connects you to the command line on the appliance where you can log in as if you were physically present at the appliance. You may be prompted to enter a password.

Configuring Serial Over LAN with IPMItool

You must be an Admin user with LOM access to perform this procedure.

Procedure

Using IPMItool, enter the following command, and a password if prompted: ipmitool -I lanplus -H IP_address -U user_name sol activate

Configuring Serial Over LAN with IPMIutil

You must be an Admin user with LOM access to perform this procedure.

Procedure

Using IPMIutil, enter the following command, and a password if prompted: ipmiutil -J 3 -N IP_address -U username sol -a

Lights-Out Management Overview

Lights-Out Management (LOM) provides the ability to perform a limited set of actions over an SOL connection on the default ( eth0 ) management interface without the need to log into the system. You use the command to create a SOL connection followed by one of the LOM commands. After the command is completed, the connection ends.

Caution In rare cases, if your computer is on a different subnet than the system's management interface and the system is configured for DHCP, attempting to access LOM features can fail. If this occurs, you can either disable and then re-enable LOM on the system, or use a computer on the same subnet as the system to ping its management interface. You should then be able to use LOM.


Caution Cisco is aware of a vulnerability inherent in the Intelligent Platform Management Interface (IPMI) standard (CVE-2013-4786). Enabling Lights-Out Management (LOM) on a system exposes this vulnerability. To mitigate this vulnerability, deploy your systems on a secure management network accessible only to trusted users and use a complex, non-dictionary-based password of the maximum supported length for your system and change it every three months. To prevent exposure to this vulnerability, do not enable LOM.

If all attempts to access your system have failed, you can use LOM to restart your system remotely. Note that if a system is restarted while the SOL connection is active, the LOM session may disconnect or time out.

Caution Do not restart your system unless it does not respond to any other attempts to restart. Remotely restarting does not gracefully reboot the system and you may lose data.

Table 6: Lights-Out Management Commands

IPMItool                   IPMIutil                   Description
(not applicable)           -V 4                       Enables admin privileges for the IPMI session
-I lanplus                 -J 3                       Enables encryption for the IPMI session
-H hostname/IP address     -N nodename/IP address     Indicates the LOM IP address or hostname for the management center
-U                         -U                         Indicates the username of an authorized LOM account
sol activate               sol -a                     Starts the SOL session
sol deactivate             sol -d                     Ends the SOL session
chassis power cycle        power -c                   Restarts the appliance
chassis power on           power -u                   Powers up the appliance
chassis power off          power -d                   Powers down the appliance
sdr                        sensor                     Displays appliance information, such as fan speeds and temperatures

For example, to display a list of appliance information, the IPMItool command is: ipmitool -I lanplus -H IP_address -U user_name sdr

Note Cisco recommends using IPMItool version 1.8.12 or greater.


The same command with the IPMIutil utility is: ipmiutil sensor -V 4 -J 3 -N IP_address -U user_name
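The following Python script is an added example and is not part of the Cisco guide or the IPMI tools themselves. It restates Table 6 as data and uses it to audit recorded ipmitool and ipmiutil command lines (for example from a jump host's shell history) so that an administrator can spot LOM sessions that were started without the encryption option the table calls for (-I lanplus for IPMItool, -J 3 for IPMIutil). The history lines, the 192.0.2.10 address and the lomadmin account are constructed sample data.

```python
import shlex

# Table 6 of the guide, restated: (ipmitool positional words, ipmiutil subcommand and flag, description).
LOM_TABLE = [
    (("sol", "activate"), ("sol", "-a"), "Starts the SOL session"),
    (("sol", "deactivate"), ("sol", "-d"), "Ends the SOL session"),
    (("chassis", "power", "cycle"), ("power", "-c"), "Restarts the appliance"),
    (("chassis", "power", "on"), ("power", "-u"), "Powers up the appliance"),
    (("chassis", "power", "off"), ("power", "-d"), "Powers down the appliance"),
    (("sdr",), ("sensor", None), "Displays appliance information, such as fan speeds and temperatures"),
]

# Options from Table 6 that take a value; everything else is a flag or a positional word.
IPMITOOL_VALUE_OPTS = {"-I", "-H", "-U"}
IPMIUTIL_VALUE_OPTS = {"-V", "-J", "-N", "-U"}

# Constructed sample of a jump host's shell history; the address and account are not real.
SAMPLE_HISTORY = [
    "ipmitool -I lanplus -H 192.0.2.10 -U lomadmin sdr",
    "ipmitool -H 192.0.2.10 -U lomadmin chassis power cycle",
    "ipmiutil -J 3 -N 192.0.2.10 -U lomadmin sol -a",
    "ipmiutil power -d -N 192.0.2.10 -U lomadmin",
    "ls -la /var/log",
]


def _split_opts(tokens, value_opts):
    """Separate '-x value' options from bare flags and positional words."""
    opts, rest, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] in value_opts and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            rest.append(tokens[i])
            i += 1
    return opts, rest


def describe_lom_command(cmdline):
    """Identify the Table 6 action in one ipmitool/ipmiutil command line and flag missing encryption."""
    tokens = shlex.split(cmdline)
    tool = tokens[0].rsplit("/", 1)[-1] if tokens else ""
    result = {"tool": tool, "action": None, "host": None, "user": None, "warnings": []}

    if tool == "ipmitool":
        opts, rest = _split_opts(tokens[1:], IPMITOOL_VALUE_OPTS)
        result["host"], result["user"] = opts.get("-H"), opts.get("-U")
        if opts.get("-I") != "lanplus":
            result["warnings"].append("session not encrypted: expected -I lanplus")
        for words, _, desc in LOM_TABLE:
            if tuple(rest) == words:
                result["action"] = desc
    elif tool == "ipmiutil":
        opts, rest = _split_opts(tokens[1:], IPMIUTIL_VALUE_OPTS)
        result["host"], result["user"] = opts.get("-N"), opts.get("-U")
        if opts.get("-J") != "3":
            result["warnings"].append("session not encrypted: expected -J 3")
        # The subcommand may come before or after the options; the guide shows both orders.
        sub, flags = (rest[0], set(rest[1:])) if rest else (None, set())
        for _, (util_sub, util_flag), desc in LOM_TABLE:
            if sub == util_sub and (util_flag is None or util_flag in flags):
                result["action"] = desc
    else:
        raise ValueError(f"not an IPMI tool invocation: {cmdline!r}")

    if result["action"] is None:
        result["warnings"].append("command is not one of the Table 6 LOM actions")
    return result


def audit_history(lines):
    """Return (command, warnings) for each IPMI invocation in the history that raised a warning."""
    findings = []
    for line in lines:
        words = line.split()
        if not words or words[0].rsplit("/", 1)[-1] not in ("ipmitool", "ipmiutil"):
            continue
        info = describe_lom_command(line)
        if info["warnings"]:
            findings.append((line, info["warnings"]))
    return findings


if __name__ == "__main__":
    for cmd, warnings in audit_history(SAMPLE_HISTORY):
        print(cmd)
        for w in warnings:
            print("  ->", w)
```

Only the encryption option is treated as a finding; -V 4 is recorded as a value option but its absence is not flagged, since the table describes it as selecting the privilege level rather than protecting the session.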

Configuring Lights-Out Management with IPMItool

You must be an Admin user with LOM access to perform this procedure.

Procedure

Enter the following command for IPMItool and a password if prompted: ipmitool -I lanplus -H IP_address -U user_name command

Configuring Lights-Out Management with IPMIutil

You must be an Admin user with LOM access to perform this procedure.

Procedure

Enter the following command for IPMIutil and a password if prompted: ipmiutil -J 3 -N IP_address -U username command

REST API Preferences

The Firepower REST API provides a lightweight interface for third-party applications to view and manage appliance configuration using a REST client and standard HTTP methods. For more information on the Firepower REST API, see the Firepower REST API Quick Start Guide.

By default, the Secure Firewall Management Center allows requests from applications using the REST API.

You can configure the Secure Firewall Management Center to block this access.

Enabling REST API Access

Note In deployments using the management center high availability, this feature is available only in the active management center.


Procedure

Step 1 Choose the Cog ( ) in the upper right corner to open the system menu.

Step 2 Click REST API Preferences.

Step 3 To enable or disable REST API access to the management center, check or uncheck the Enable REST API check box.

Step 4 Click Save.

Step 5 Access the REST API Explorer at: https://<management_center_IP_or_name>:<https_port>/api/api-explorer

VMware Tools and Virtual Systems

VMware Tools is a suite of performance-enhancing utilities intended for virtual machines. These utilities allow you to make full use of the convenient features of VMware products. Firepower virtual appliances running on VMware support the following plugins:

• guestInfo

• powerOps

• timeSync

• vmbackup

You can also enable VMware Tools on all supported versions of ESXi. For information on the full functionality of VMware Tools, see the VMware website (http://www.vmware.com/).

Enabling VMware Tools on the Secure Firewall Management Center for VMware

Procedure

Step 1 Choose System ( ) > Configuration.

Step 2 Click VMware Tools.

Step 3 Click Enable VMware Tools.

Step 4 Click Save.


(Optional) Opt Out of Web Analytics Tracking

By default, in order to improve Firepower products, Cisco collects non-personally-identifiable usage data, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management center appliances.

Data collection begins after you accept the End User License Agreement. If you do not want Cisco to continue to collect this data, you can opt out using the following procedure.

Procedure

Step 1 Choose System > Configuration.

Step 2 Click Web Analytics.

Step 3 Make your choice and click Save.

What to do next

(Optional) Determine whether to share data via the Configure Cisco Success Network Enrollment.

History for System Configuration

Feature: French language option
Version: 7.2
Details: You can now switch the management center web interface to French from System ( ) > Configuration > Language.

Feature: Exempt most connection events from event rate limits
Version: 7.0
Details: Setting the Maximum Connection Events value for the Connection Database to zero now exempts low priority connection events from counting towards the flow rate limit for your management center hardware. Previously, setting this value to zero applied only to event storage, and did not affect the flow rate limit.
New/modified screens: System > Configuration > Database
Supported platforms: Hardware management centers.

Feature: Support for AES-128 CMAC authentication for NTP servers
Version: 7.0
Details: Connections between the management center and NTP servers can be secured with AES-128 CMAC keys as well as previously-supported MD5 and SHA-1 keys.
New/modified screens: System ( ) > Configuration > Time Synchronization

Feature: Subject Alternative Name (SAN)
Version: 6.6
Details: When creating an HTTPS certificate for the management center, you can specify SAN fields. We recommend you use SAN if the certificate secures multiple domain names or IP addresses. For more information about SAN, see RFC 5280, section 4.2.1.6.
New/modified screens: System ( ) > Configuration > HTTPS Certificate


Feature: HTTPS Certificates
Version: 6.6
Details: The default HTTPS server certificate provided with the system now expires in 800 days. If your appliance uses a default certificate that was generated before you upgraded to Version 6.6, the certificate lifetime varies depending on the Firepower version being used when the certificate was generated. See Default HTTPS Server Certificates, on page 43 for more information.
Supported platforms: Hardware management centers.

Feature: Secure NTP
Version: 6.5
Details: The management center supports secure communications with NTP servers using SHA1 or MD5 symmetric key authentication.
New/modified screens: System ( ) > Configuration > Time Synchronization

Feature: Web analytics
Version: 6.5
Details: Web analytics data collection begins after you accept the EULA. As before, you can opt not to continue to share data. See (Optional) Opt Out of Web Analytics Tracking, on page 101.

Feature: Automatic CLI access for the management center
Version: 6.5
Details: When you use SSH to log into the management center, you automatically access the CLI. Although strongly discouraged, you can then use the CLI expert command to access the Linux shell.
Note This feature deprecates the Version 6.3 ability to enable and disable CLI access for the management center. As a consequence of deprecating this option, the virtual management center no longer displays the System > Configuration > Console Configuration page, which still appears on physical management centers.

Feature: Configurable session limits for read-only and read/write access
Version: 6.5
Details: Added the Max Concurrent Sessions Allowed setting. This setting allows the administrator to specify the maximum number of sessions of a particular type (read-only or read/write) that can be open at the same time.
Note Predefined user roles and custom user roles that the system considers read-only for the purposes of concurrent session limits are labeled with (Read Only) in the role name on the System > Users > Users and the System > Users > User Roles pages. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write.
New/modified screens:
• System > Configuration > User Configuration
• System > Users > User Roles

Feature: Ability to disable Duplicate Address Detection (DAD) on management interfaces
Version: 6.4
Details: When you enable IPv6, you can disable DAD. You might want to disable DAD because the use of DAD opens up the possibility of denial of service attacks. If you disable this setting, you need to check manually that this interface is not using an already-assigned address.
New/modified screens: System > Configuration > Management Interfaces > Interfaces > Edit Interface dialog box > IPv6 DAD check box
Supported platforms: management center


Feature: Ability to disable ICMPv6 Echo Reply and Destination Unreachable messages on management interfaces
Version: 6.4
Details: When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable messages. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes.
New/modified screens: System > Configuration > Management Interfaces > ICMPv6
New/modified commands: configure network ipv6 destination-unreachable, configure network ipv6 echo-reply
Supported platforms: management center (web interface only), threat defense (CLI only)

Feature: Global User Configuration Settings
Version: 6.3
Details: Added the Track Successful Logins setting. The system can track the number of successful logins each management center account has performed within a selected number of days. When this feature is enabled, on log in users see a message reporting how many times they have successfully logged in to the system in the past configured number of days. (Applies to web interface as well as shell/CLI access.)
Added the Password Reuse Limit setting. The system can track the password history for each account for a configurable number of previous passwords. The system prevents all users from re-using passwords that appear in that history. (Applies to web interface as well as shell/CLI access.)
Added the Max Number of Login Failures and Set Time in Minutes to Temporarily Lockout Users settings. These allow the administrator to limit the number of times in a row a user can enter incorrect web interface login credentials before the system temporarily blocks the account for a configurable period of time.
New/modified screens: System > Configuration > User Configuration
Supported platforms: management center

Feature: HTTPS Certificates
Version: 6.3
Details: The default HTTPS server certificate provided with the system now expires in three years. If your appliance uses a default server certificate that was generated before you upgraded to Version 6.3, the server certificate will expire 20 years from when it was first generated. If you are using the default HTTPS server certificate the system now provides the ability to renew it.
New/modified screens: System > Configuration > HTTPS Certificate page > Renew HTTPS Certificate.
Supported platforms: management center


Feature: Ability to enable and disable CLI access for the management center
Version: 6.3
Details: There is a new check box available to administrators in the management center web interface: Enable CLI Access on the System ( ) > Configuration > Console Configuration page.
• Checked: Logging into the management center using SSH accesses the CLI.
• Unchecked: Logging into the management center using SSH accesses the Linux shell. This is the default state for fresh Version 6.3 installations as well as upgrades to Version 6.3 from a previous release.
Previous to Version 6.3, there was only one setting on the Console Configuration page, and it applied to physical devices only. So the Console Configuration page was not available on virtual management centers. With the addition of this new option, the Console Configuration page now appears on virtual management centers as well as physical. However, for virtual management centers, this check box is the only thing that appears on the page.
Supported platforms: management center


CHAPTER 4

Users

The management center includes default admin accounts for web and CLI access. This chapter discusses how to create custom user accounts. See Logging into the Management Center, on page 27 for detailed information about logging into the management center with a user account.

• About Users, on page 105

• Guidelines and Limitations for User Accounts for Management Center, on page 110

• Requirements and Prerequisites for User Accounts for Management Center, on page 111

• Add an Internal User, on page 111

• Configure External Authentication for the Management Center, on page 113

• Configure SAML Single Sign-On, on page 129

• Customize User Roles for the Web Interface, on page 180

• Troubleshooting LDAP Authentication Connections, on page 185

• Configure User Preferences, on page 186

• History for Users, on page 194

About Users

You can add custom user accounts on managed devices, either as internal users or as external users on an LDAP or RADIUS server. Each managed device maintains separate user accounts. For example, when you add a user to the management center, that user only has access to the management center; you cannot then use that username to log directly into a managed device. You must separately add a user on the managed device.

Internal and External Users

Managed devices support two types of users:

• Internal user—The device checks a local database for user authentication.

• External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server.


Web Interface and CLI Access

The management center has a web interface, CLI (accessible from the console (either the serial port or the keyboard and monitor) or using SSH to the management interface), and Linux shell. For detailed information about the management UIs, see System User Interfaces, on page 29.

See the following information about management center user types, and which UI they can access:

• admin user—The management center supports two different internal admin users: one for the web interface, and another with CLI access. The system initialization process synchronizes the passwords for these two admin accounts so they start out the same, but they are tracked by different internal mechanisms and may diverge after initial configuration. See the Getting Started Guide for your model for more information on system initialization. (To change the password for the web interface admin, use Integration > Users > Users. To change the password for the CLI admin, use the management center CLI command configure password.)

• Internal users—Internal users added in the web interface have web interface access only.

• External users—External users have web interface access, and you can optionally configure CLI access.

• SSO users—SSO users have web interface access only.

User Roles

Caution CLI users can access the Linux shell using the expert command. We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the management center documentation. CLI users can obtain sudoers privileges in the Linux shell, which can present a security risk.

For system security reasons, we strongly recommend that you:

• Restrict the list of external users with CLI access appropriately.

• Do not add users directly in the Linux shell; only use the procedures in this chapter.

CLI User Role

CLI external users on the management center do not have a user role; they can use all available commands.

Web Interface User Roles

User privileges are based on the assigned user role. For example, you can grant analysts predefined roles such as Security Analyst and Discovery Admin and reserve the Administrator role for the security administrator managing the device. You can also create custom user roles with access privileges tailored to your organization’s needs.

The management center includes the following predefined user roles:


Note Predefined user roles that the system considers read-only for the purposes of concurrent session limits are labeled with (Read Only) in the role name under System ( ) > Users > Users and System ( ) > Users > User Roles. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write. For more information on concurrent session limits, see Global User Configuration Settings, on page 89.

Access Admin

Provides access to access control policy and associated features in the Policies menu. Access Admins cannot deploy policies.

Administrator

Administrators have access to everything in the product; their sessions present a higher security risk if compromised, so you cannot make them exempt from login session timeouts.

You should limit use of the Administrator role for security reasons.

Discovery Admin

Provides access to network discovery, application detection, and correlation features in the Policies menu. Discovery Admins cannot deploy policies.

External Database User (Read Only)

Provides read-only access to the database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the appliance, you must enable database access in the system settings. On the web interface, External Database Users have access only to online help-related options in the Help menu. Because this role’s function does not involve the web interface, access is provided only for ease of support and password changes.

Intrusion Admin

Provides access to all intrusion policy, intrusion rule, and network analysis policy features in the Policies and Objects menus. Intrusion Admins cannot deploy policies.

Maintenance User

Provides access to monitoring and maintenance features. Maintenance Users have access to maintenance-related options in the Health and System menus.

Network Admin

Provides access to access control, SSL inspection, DNS policy, and identity policy features in the Policies menu, as well as device configuration features in the Devices menus. Network Admins can deploy configuration changes to devices.

Security Analyst

Provides access to security event analysis features, and read-only access to health events, in the Overview, Analysis, Health, and System menus.

Security Analyst (Read Only)

Provides read-only access to security event analysis features and health event features in the Overview, Analysis, Health, and System menus.

Users with this role can also:


• From the health monitor pages for specific devices, generate and download troubleshooting files.

• Under user preferences, set file download preferences.

• Under user preferences, set the default time window for event views (with the exception of the Audit Log Time Window).

Security Approver

Provides limited access to access control and associated policies and network discovery policies in the Policies menu. Security Approvers can view and deploy these policies, but cannot make policy changes.

Threat Intelligence Director (TID) User

Provides access to Threat Intelligence Director configurations in the Intelligence menu. Threat Intelligence Director (TID) Users can view and configure TID.

User Passwords

The following rules apply to passwords for internal user accounts on the management center, with Lights-Out Management (LOM) enabled or disabled. Different password requirements apply for externally authenticated accounts or in systems with security certifications compliance enabled. See Configure External Authentication for the Management Center, on page 113 and Security Certifications Compliance, on page 295 for more information.

During management center initial configuration, the system requires the admin user to set the account password to comply with strong password requirements described in the table below. For physical management centers, the strong password requirements with LOM enabled are used, and for virtual management centers, the strong password requirements with LOM not enabled are used. At this time the system synchronizes the passwords for the web interface admin and the CLI access admin . After initial configuration, the web interface admin can remove the strong password requirement, but the CLI access admin must always comply with strong password requirements with LOM not enabled.


Password Strength Checking On

LOM Not Enabled

Passwords must include:

• At least eight characters, or the number of characters configured for the user by the administrator, whichever is greater.

• No more than two sequentially repeating characters

• At least one lower case letter

• At least one upper case letter

• At least one digit

• At least one special character such as ! @ # * - _ +

The system checks passwords against a special dictionary containing not only many English dictionary words, but also other character strings that could be easily cracked with common password hacking techniques.

LOM Enabled

Passwords must include:

• Between eight and twenty characters (On MC 1000, MC 2500, and MC 4500 the upper limit is fourteen characters rather than twenty.)

• No more than two sequentially repeating characters

• At least one lower case letter

• At least one upper case letter

• At least one digit

• At least one special character such as ! @ # * - _ +

The rules for special characters vary between different series of physical management centers. We recommend restricting your choice of special characters to those listed in the final bullet above.

Do not include the user name in the password.

The system checks passwords against a special dictionary containing not only many English dictionary words, but also other character strings that could be easily cracked with common password hacking techniques.


Password Strength Checking Off

LOM Not Enabled

Passwords must include the minimum number of characters configured for the user by the administrator. (See Add an Internal User, on page 111 for more information.)

LOM Enabled

Passwords must include:

• Between eight and twenty characters (On MC 1000, MC 2500, and MC 4500 the upper limit is fourteen characters rather than twenty.)

• Characters from at least three of the following four categories:

• Uppercase letters

• Lowercase letters

• Digits

• Special characters such as ! @ # * - _ +

The rules for special characters vary between different series of physical management centers. We recommend restricting your choice of special characters to those listed in the final bullet above.

Do not include the user name in the password.
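The following Python checker is an added example, not Cisco code, that encodes the four password policies described above (LOM enabled or not, strength checking on or off) together with the username restrictions given under Add an Internal User, so that an administrator can test proposed credentials before creating an account. The appliance's cracking dictionary is not published; the short word list and the character substitutions used to approximate it here are assumptions, and the model names are taken from the table.

```python
import re

# Special characters the guide recommends restricting passwords to.
SPECIAL_CHARS = set("!@#*-_+")

# Constructed stand-in for the appliance's cracking dictionary (assumption: the real list is not published).
WEAK_WORDS = {"password", "admin", "cisco", "firepower", "qwerty", "letmein", "welcome"}

# Models on which the LOM-enabled upper length limit is 14 characters rather than 20.
SHORT_LIMIT_MODELS = {"MC 1000", "MC 2500", "MC 4500"}

# Username rule from Add an Internal User: up to 32 alphanumerics plus hyphen, underscore and period.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Substitutions a cracking tool would undo before matching a word (assumption, for illustration only).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def validate_username(name):
    """Return a list of violations of the username restrictions (empty if valid)."""
    if USERNAME_RE.fullmatch(name):
        return []
    return ["user name must be 1-32 alphanumeric characters, hyphen, underscore or period"]


def has_run_of_three(pw):
    """True if any character appears more than twice in a row."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def char_categories(pw):
    """Classify the characters present as lower, upper, digit, special or other."""
    cats = set()
    for c in pw:
        if c.islower():
            cats.add("lower")
        elif c.isupper():
            cats.add("upper")
        elif c.isdigit():
            cats.add("digit")
        elif c in SPECIAL_CHARS:
            cats.add("special")
        else:
            cats.add("other")  # punctuation outside the recommended set
    return cats


def looks_like_dictionary_word(pw):
    """Approximate dictionary check: undo common substitutions, keep letters, look for weak words."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return any(word in letters for word in WEAK_WORDS)


def validate_password(pw, username, *, lom_enabled, strength_checking, min_length=8, model=None):
    """Return the policy violations for pw under the selected LOM / strength-checking combination."""
    problems = []
    cats = char_categories(pw)

    if lom_enabled:
        max_len = 14 if model in SHORT_LIMIT_MODELS else 20
        if not 8 <= len(pw) <= max_len:
            problems.append(f"length must be between 8 and {max_len} characters")
        if username and username.lower() in pw.lower():
            problems.append("must not contain the user name")
        if "other" in cats:
            problems.append("special characters should be limited to " + " ".join(sorted(SPECIAL_CHARS)))
        if not strength_checking and len(cats - {"other"}) < 3:
            problems.append("needs characters from at least three of four categories")
    else:
        # Without LOM the floor is the administrator's minimum; strength checking raises it to at least 8.
        required = max(8, min_length) if strength_checking else min_length
        if len(pw) < required:
            problems.append(f"must be at least {required} characters")

    if strength_checking:
        if has_run_of_three(pw):
            problems.append("no more than two sequentially repeating characters")
        for cat, label in (("lower", "lower case letter"), ("upper", "upper case letter"),
                           ("digit", "digit"), ("special", "special character")):
            if cat not in cats:
                problems.append(f"needs at least one {label}")
        if looks_like_dictionary_word(pw):
            problems.append("too close to a dictionary or commonly cracked string")
    return problems


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "Tr0ub4dor!x"):
        print(candidate, validate_password(candidate, "analyst", lom_enabled=True, strength_checking=True))
```

The username check applies only in the LOM-enabled branches because that is where the table states it; an operator who wants the same rule everywhere can move it out of the branch.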

Guidelines and Limitations for User Accounts for Management Center

Defaults

• The management center includes an admin user as a local user account for all forms of access; you cannot delete the admin user. The default initial password is Admin123 ; the system forces you to change this during the initialization process. See the Getting Started Guide for your model for more information about system initialization.

• By default the following settings apply to all user accounts on the management center:

• There are no limits on password reuse.

• The system does not track successful logins.

• The system does not enforce a timed temporary lockout for users who enter incorrect login credentials.

• There are no user-defined limits on the number of read-only and read/write sessions that can be open at the same time.


You can change these settings for all users as a system configuration (System ( ) > Configuration > User Configuration). See Global User Configuration Settings, on page 89.

Requirements and Prerequisites for User Accounts for Management Center

Model Support

Management Center

Supported Domains

• SSO configuration—Global only.

• All other features—Any.

User Roles

• SSO configuration—Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.

• All other features—Any user with the Admin role.

Configure Common Access Card Authentication with LDAP, on page 128 also supports the Network Admin role.

Add an Internal User

This procedure describes how to add custom internal user accounts for the management center.

The System > Users > Users page shows both internal users that you added manually and external users that were added automatically when a user logged in with LDAP or RADIUS authentication. For external users, you can modify the user role on this screen if you assign a role with higher privileges; you cannot modify the password settings.

In a multidomain deployment on the management center, users are only visible in the domain in which they are created. Note that if you add a user in the Global domain, but then assign a user role for a leaf domain, then that user still shows on the Global Users page where it was added, even though the user "belongs" to a leaf domain.

If you enable security certifications compliance or Lights-Out Management (LOM) on a device, different password restrictions apply. For more information on security certifications compliance, see Security Certifications Compliance, on page 295.

When you add a user in a leaf domain, that user is not visible from the global domain.


Note Avoid having multiple Admin users simultaneously creating new users on the management center, as this may cause an error resulting from a conflict in user database access.

Procedure

Step 1 Choose Integration > Users.

Step 2 Click Create User.

Step 3 Enter a User Name.

The username must comply with the following restrictions:

• Maximum 32 alphanumeric characters, plus hyphen (-), underscore (_) and period (.).

• Letters may be upper or lower case.

• Cannot include any punctuation or special characters other than hyphen (-), underscore (_) and period (.).

Step 4 Real Name: Enter descriptive information to identify the user or department to whom the account belongs.

Step 5 The Use External Authentication Method check box is checked for users that were added automatically when they logged in with LDAP or RADIUS. You do not need to pre-configure external users, so you can ignore this field. For an external user, you can revert this user to an internal user by unchecking the check box.

Step 6 Enter values in the Password and Confirm Password fields.

The values must conform to the password options you set for this user.

Step 7 Set the Maximum Number of Failed Logins.

Enter an integer, without spaces, that determines the maximum number of times each user can try to log in after a failed login attempt before the account is locked. The default setting is 5 tries; use 0 to allow an unlimited number of failed logins. The admin account is exempt from being locked out after a maximum number of failed logins unless you enabled security certification compliance.

Step 8 Set the Minimum Password Length.

Enter an integer, without spaces, that determines the minimum required length, in characters, of a user's password. The default setting is 8. A value of 0 indicates that no minimum length is required.

Step 9 Set the Days Until Password Expiration.

Enter the number of days after which the user’s password expires. The default setting is 0, which indicates that the password never expires. If you change from the default, then the Password Lifetime column of the Users list indicates the days remaining on each user’s password.

Step 10 Set the Days Before Password Expiration Warning.

Enter the number of warning days users have to change their password before their password actually expires. The default setting is 0 days.

Step 11 Set user Options.


• Force Password Reset on Login—Forces users to change their passwords the next time they log in.

• Check Password Strength—Requires strong passwords. When password strength checking is enabled, passwords must comply with the strong password requirements described in User Passwords, on page 108.

• Exempt from Browser Session Timeout—Exempts a user’s login sessions from termination due to inactivity. Users with the Administrator role cannot be made exempt.

Step 12 In the User Role Configuration area, assign user role(s). For more information about user roles, see Customize User Roles for the Web Interface, on page 180.

For external users, if the user role is assigned through group membership (LDAP), or based on a user attribute (RADIUS), you cannot remove the minimum access rights. You can, however, assign additional rights. If the user role is the default user role that you set on the device, then you can modify the role in the user account without limitations. When you modify the user role, the Authentication Method column on the Users tab provides a status of External - Locally Modified.

The options you see depend on whether the device is in a single domain or multidomain deployment.

• Single domain—Check the user role(s) you want to assign the user.

• Multidomain—In a multidomain deployment, you can create user accounts in any domain in which you have been assigned Administrator access. Users can have different privileges in each domain. You can assign user roles in both ancestor and descendant domains. For example, you can assign read-only privileges to a user in the Global domain, but Administrator privileges in a descendant domain. See the following steps:

a. Click Add Domain.

b. Choose a domain from the Domain drop-down list.

c. Check the user roles you want to assign the user.

d. Click Save.

Step 13 (Optional, for physical management centers only.) If you have assigned the user the Administrator role, the Administrator Options appear. You can select Allow Lights-Out Management Access to grant Lights-Out Management access to the user. See Lights-Out Management Overview, on page 97 for more information about Lights-Out Management.

Step 14 Click Save.

Configure External Authentication for the Management Center

To enable external authentication, you need to add one or more external authentication objects.

About External Authentication for the Management Center

When you enable external authentication, the management center verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object .


You can configure multiple external authentication objects for web interface access. For example, if you have 5 external authentication objects, users from any of them can be authenticated to access the web interface.

You can use only one external authentication object for CLI access. If you have more than one external authentication object enabled, then users can authenticate using only the first object in the list.

External authentication objects can be used by the management center and threat defense devices. You can share the same object between the different appliance/device types, or create separate objects.

Note The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for RADIUS). If you set the timeout to a higher value, the threat defense external authentication configuration will not work.

For the management center, enable the external authentication objects directly on the System > Users > External Authentication tab; this setting only affects management center usage, and it does not need to be enabled on this tab for managed device usage. For threat defense devices, you must enable the external authentication object in the platform settings that you deploy to the devices.

Web interface users are defined separately from CLI users in the external authentication object. For CLI users on RADIUS, you must pre-configure the list of RADIUS usernames in the external authentication object. For LDAP, you can specify a filter to match CLI users on the LDAP server.

You cannot use an LDAP object for CLI access that is also configured for CAC authentication.

Note Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you:

• Restrict the list of users with CLI or Linux shell access.

• Do not create Linux shell users.

About LDAP

The Lightweight Directory Access Protocol (LDAP) allows you to set up a directory on your network that organizes objects, such as user credentials, in a centralized location. Multiple applications can then access those credentials and the information used to describe them. If you ever need to change a user's credentials, you can change them in one place.

Microsoft has announced that Active Directory servers will start enforcing LDAP binding and LDAP signing in 2020. Microsoft is making these a requirement because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel binding and LDAP signing requirement for Windows on the Microsoft support site.

If you have not done so already, we recommend you start using TLS/SSL encryption to authenticate with an Active Directory server.


About RADIUS

Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865.

Firepower devices support the use of SecurID tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN and use that as their password when they log in. You do not need to configure anything extra on the Firepower device to support SecurID.

Add an LDAP External Authentication Object for Management Center

Add an LDAP server to support external users for device management.

In a multidomain deployment, external authentication objects are only available in the domain in which they are created.

Before you begin

• You must specify DNS server(s) for domain name lookup on your device. Even if you specify an IP address and not a hostname for the LDAP server in this procedure, the LDAP server may return a URI for authentication that can include a hostname. A DNS lookup is required to resolve the hostname. See Modify Management Center Management Interfaces, on page 60 to add DNS servers.

• If you are configuring an LDAP authentication object for use with CAC authentication, do not remove the CAC inserted in your computer. You must have a CAC inserted at all times after enabling user certificates.

Procedure

Step 1 Choose Integration > Users.

Step 2 Click the External Authentication tab.

Step 3 Click Add External Authentication Object.

Step 4 Set the Authentication Method to LDAP.

Step 5 (Optional) Check the check box for CAC if you plan to use this authentication object for CAC authentication and authorization.

You must also follow the procedure in Configure Common Access Card Authentication with LDAP, on page 128 to fully configure CAC authentication and authorization. You cannot use this object for CLI users.

Step 6 Enter a Name and optional Description.

Step 7 Choose a Server Type from the drop-down list.

Tip If you click Set Defaults, the device populates the User Name Template, UI Access Attribute, CLI Access Attribute, Group Member Attribute, and Group Member URL Attribute fields with default values for the server type.

Step 8 For the Primary Server, enter a Host Name/IP Address.


If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.

Step 9 (Optional) Change the Port from the default.

Step 10 (Optional) Enter the Backup Server parameters.

Step 11 Enter LDAP-Specific Parameters.

a) Enter the Base DN for the LDAP directory you want to access. For example, to authenticate names in the Security organization at the Example company, enter ou=security,dc=example,dc=com. Alternatively, click Fetch DNs and choose the appropriate base distinguished name from the drop-down list.

b) (Optional) Enter the Base Filter. For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, enter (physicalDeliveryOfficeName=NewYork).

If you are using CAC authentication, to filter only active user accounts (excluding the disabled user accounts), enter (!(userAccountControl:1.2.840.113556.1.4.803:=2)). This criterion retrieves user accounts within AD belonging to the ldpgrp group and with a userAccountControl attribute value that is not 2 (disabled).

c) Enter a User Name for a user who has sufficient credentials to browse the LDAP server. For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute, and the object for the administrator in the Security division at your example company has a uid value of NetworkAdmin, you might enter uid=NetworkAdmin,ou=security,dc=example,dc=com.

d) Enter the user password in the Password and the Confirm Password fields.

e) (Optional) Click Show Advanced Options to configure the following advanced options.

• Encryption—Click None, TLS, or SSL.

If you change the encryption method after specifying a port, you reset the port to the default value for that method. For None or TLS, the port resets to the default value of 389. If you choose SSL encryption, the port resets to 636.

• SSL Certificate Upload Path—For SSL or TLS encryption, you must choose a certificate by clicking Choose File.

If you previously uploaded a certificate and want to replace it, upload the new certificate and redeploy the configuration to your devices to copy over the new certificate.

Note TLS encryption requires a certificate on all platforms. We recommend that you always upload a certificate for SSL to prevent man-in-the-middle attacks.

• User Name Template—Provide a template that corresponds with your UI Access Attribute. For example, to authenticate all users who work in the Security organization of the Example company by connecting to an OpenLDAP server where the UI access attribute is uid, you might enter uid=%s,ou=security,dc=example,dc=com in the User Name Template field. For a Microsoft Active Directory server, you could enter %s@example.com.

This field is required for CAC authentication.

• Shell User Name Template—Provide a template that corresponds with your CLI Access Attribute to authenticate CLI users. For example, to authenticate all users who work in the Security organization by connecting to an OpenLDAP server where the CLI access attribute is sAMAccountName, you might enter %s in the Shell User Name Template field.


• Timeout—Enter the number of seconds before rolling over to the backup connection, between 1 and 1024. The default is 30.

Note The timeout range is different for threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds). If you set the timeout to a higher value, the threat defense LDAP configuration will not work.

Step 12 (Optional) Configure Attribute Mapping to retrieve users based on an attribute.

• Enter a UI Access Attribute, or click Fetch Attrs to retrieve a list of available attributes. For example, on a Microsoft Active Directory Server, you may want to use the UI access attribute to retrieve users, because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.

This field is required for CAC authentication.

• Set the CLI Access Attribute if you want to use a shell access attribute other than the user distinguished type. For example, on a Microsoft Active Directory Server, use the sAMAccountName CLI access attribute to retrieve CLI access users by typing sAMAccountName.

Step 13 (Optional) Configure Group Controlled Access Roles.

If you do not configure a user’s privileges using group-controlled access roles, a user has only the privileges granted by default in the external authentication policy.

a) (Optional) In the fields that correspond to user roles, enter the distinguished name for the LDAP groups that contain users who should be assigned to those roles.

Any group you reference must exist on the LDAP server. You can reference static LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object attributes that point to specific users, and dynamic LDAP groups are groups where membership is determined by creating an LDAP search that retrieves group users based on user object attributes. Group access rights for a role only affect users who are members of the group.

If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For this reason, the Firepower device limits the number of recursions of a search to 4 to prevent search syntax errors from causing infinite loops.

Example:

Enter the following in the Administrator field to authenticate names in the information technology organization at the Example company: cn=itgroup,ou=groups,dc=example,dc=com

b) Choose a Default User Role for users that do not belong to any of the specified groups.

c) If you use static groups, enter a Group Member Attribute .

Example:

If the member attribute is used to indicate membership in the static group for default Security Analyst access, enter member.

d) If you use dynamic groups, enter a Group Member URL Attribute .


Example:

If the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you specified for default Admin access, enter memberURL.

If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.

Step 14 (Optional) Set the CLI Access Filter to allow CLI users.

To prevent LDAP authentication of CLI access, leave this field blank. To specify CLI users, choose one of the following methods:

• To use the same filter you specified when configuring authentication settings, choose Same as Base Filter.

• To retrieve administrative user entries based on attribute value, enter the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses. For example, if all network administrators have a manager attribute which has an attribute value of shell, you can set a base filter of (manager=shell).

The usernames must be Linux-valid:

• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

• All lowercase

• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

Note Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you restrict the list of users with CLI or Linux shell access.

Note Do not create any internal users that have the same user name as users included in the CLI Access Filter. The only internal management center user should be admin; do not include an admin user in the CLI Access Filter.

Step 15 (Optional) Click Test to test connectivity to the LDAP server.

The test output lists valid and invalid user names. Valid user names are unique, and can include underscores (_), periods (.), hyphens (-), and alphanumeric characters. Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations. If the test fails, see Troubleshooting LDAP Authentication Connections, on page 185.

Step 16 (Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be able to authenticate: enter a User Name uid and Password, and then click Test.

If you are connecting to a Microsoft Active Directory Server and supplied a UI access attribute in place of uid, use the value for that attribute as the user name. You can also specify a fully qualified distinguished name for the user.

Tip If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters field first. If that succeeds, supply a user name and password to test with the specific user.


Example:

To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.

Step 17 Click Save.

Step 18 Enable use of this server. See Enable External Authentication for Users on the Management Center, on page 127.
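The Base Filter in Step 11, the CLI Access Filter in Step 14 and the %s User Name Template in Step 11 e) all depend on LDAP filter and DN syntax. The following Python illustration is an added example, not code from this guide or from the management center: a small evaluator for the filter forms the procedure uses (AND, OR, NOT, wildcard equality, presence, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803 that the CAC filter relies on), run against a constructed in-memory directory scoped by Base DN, plus template expansion that refuses logins containing DN metacharacters. The directory entries, the svc-backup account, and the login_is_safe check are assumptions made for this example.

```python
import re

# Constructed sample directory (not from the guide): DN -> attribute -> values.
# userAccountControl 512 = NORMAL_ACCOUNT; 514 = 512 | 2 (ACCOUNTDISABLE).
DIRECTORY = {
    "CN=jsmith,OU=security,DC=it,DC=example,DC=com": {
        "cn": ["jsmith"], "sAMAccountName": ["jsmith"],
        "physicalDeliveryOfficeName": ["NewYork"],
        "userAccountControl": ["512"], "manager": ["shell"],
    },
    "CN=agoldsmith,OU=security,DC=it,DC=example,DC=com": {
        "cn": ["agoldsmith"], "sAMAccountName": ["agoldsmith"],
        "physicalDeliveryOfficeName": ["Boston"],
        "userAccountControl": ["514"],
    },
    "CN=bjones,OU=security,DC=it,DC=example,DC=com": {
        "cn": ["bjones"], "sAMAccountName": ["bjones"],
        "physicalDeliveryOfficeName": ["NewYork"],
        "userAccountControl": ["512"],
    },
    "CN=svc-backup,OU=services,DC=it,DC=example,DC=com": {
        "cn": ["svc-backup"], "sAMAccountName": ["svc-backup"],
        "userAccountControl": ["512"],
    },
}

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule


def _top_level_items(body):
    """Split the inside of (&...)/(|...)/(!...) into its parenthesised sub-filters."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start:i + 1])
    if depth != 0 or not items:
        raise ValueError("unbalanced or empty filter: " + body)
    return items


def matches(entry, flt):
    """True if the entry satisfies the RFC 4515-style filter string.
    Simplification: a comparison against an absent attribute is False here,
    whereas a real server treats it as Undefined (RFC 4511), so (!...) over an
    absent attribute would not match on the server but does match here."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses: " + flt)
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, f) for f in _top_level_items(body[1:]))
    if body.startswith("|"):
        return any(matches(entry, f) for f in _top_level_items(body[1:]))
    if body.startswith("!"):
        return not matches(entry, _top_level_items(body[1:])[0])
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", body)
    if not m:
        raise ValueError("unsupported filter item: " + flt)
    attr, rule, value = m.groups()
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if rule == BIT_AND_RULE:           # (attr:1.2.840.113556.1.4.803:=mask)
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule:
        raise ValueError("unsupported matching rule: " + rule)
    if value == "*":                   # presence filter
        return bool(values)
    # '*' is a wildcard; everything else is literal; AD compares case-insensitively
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def search(base_dn, flt):
    """DNs under base_dn that the filter retrieves, as the Base Filter or
    CLI Access Filter would when the object is tested."""
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.lower().endswith(base_dn.lower()) and matches(entry, flt))


def login_is_safe(login):
    """Reject characters that would let a typed login alter a DN or filter."""
    return bool(login) and not any(c in login for c in "()*\\,=+<>;\"#\x00")


def bind_dn(template, login):
    """Expand a User Name Template such as uid=%s,ou=security,dc=example,dc=com."""
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s")
    if not login_is_safe(login):
        raise ValueError("login contains characters not allowed in a DN")
    return template.replace("%s", login)
```

The disabled-account filter from Step 11 b) works because userAccountControl is a bit field: the matching rule ANDs the stored value with the mask 2 and the NOT keeps only entries where the disabled bit is clear, which is why agoldsmith (514) drops out of the result while jsmith and bjones (512) remain. The Base DN scoping is what keeps svc-backup, which lives under OU=services, out of a search rooted at OU=security.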

Examples

Basic Example

The following figures illustrate a basic configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 389 for access.


This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company.

However, because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to store user names rather than the uid attribute. Choosing the MS Active Directory server type and clicking Set Defaults sets the UI Access Attribute to sAMAccountName. As a result, the system checks the sAMAccountName attribute for each object for matching user names when a user attempts to log into the system.

In addition, a CLI Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a CLI account on the appliance.

Note that because no base filter is applied to this server, the system checks attributes for all objects in the directory indicated by the base distinguished name. Connections to the server time out after the default time period (or the timeout period set on the LDAP server).

Advanced Example

This example illustrates an advanced configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 636 for access.


This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. However, note that this server has a base filter of (cn=*smith).

The filter restricts the users retrieved from the server to those with a common name ending in smith.

The connection to the server is encrypted using SSL and a certificate named certificate.pem is used for the connection. In addition, connections to the server time out after 60 seconds because of the Timeout setting.

Because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to store user names rather than the uid attribute. Note that the configuration includes a UI Access Attribute of sAMAccountName. As a result, the system checks the sAMAccountName attribute for each object for matching user names when a user attempts to log into the system.

In addition, a CLI Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a CLI account on the appliance.

This example also has group settings in place. The Maintenance User role is automatically assigned to all members of the group with a member group attribute and the base domain name of CN=SFmaintenance,DC=it,DC=example,DC=com.


The CLI Access Filter is set to be the same as the base filter, so the same users can access the appliance through the CLI as through the web interface.

Add a RADIUS External Authentication Object for Management Center

Add a RADIUS server to support external users for device management.

In a multidomain deployment, external authentication objects are only available in the domain in which they are created.

Procedure

Step 1 Choose Integration > Users .


Step 2 Click External Authentication.

Step 3 Click Add External Authentication Object.

Step 4 Set the Authentication Method to RADIUS.

Step 5 Enter a Name and optional Description.

Step 6 For the Primary Server, enter a Host Name/IP Address.

Step 7 (Optional) Change the Port from the default.

Step 8 Enter the RADIUS Secret Key.

Step 9 (Optional) Enter the Backup Server parameters.

Step 10 (Optional) Enter RADIUS-Specific Parameters.

a) Enter the Timeout in seconds before retrying the primary server, between 1 and 1024. The default is 30.

Note The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-300 seconds). If you set the timeout to a higher value, the threat defense RADIUS configuration will not work.

b) Enter the Retries before rolling over to the backup server. The default is 3.

c) In the fields that correspond to user roles, enter the name of each user or identifying attribute-value pair that should be assigned to those roles.

Separate usernames and attribute-value pairs with commas.

Example:

If you know all users who should be Security Analysts have the value Analyst for their User-Category attribute, you can enter User-Category=Analyst in the Security Analyst field to grant that role to those users.

Example:

To grant the Administrator role to the users jsmith and jdoe, enter jsmith, jdoe in the Administrator field.

Example:

To grant the Maintenance User role to all users with a User-Category value of Maintenance, enter User-Category=Maintenance in the Maintenance User field.

d) Select the Default User Role for users that do not belong to any of the specified groups.

If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.

Step 11 (Optional) Define Custom RADIUS Attributes.

If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/, and you plan to use those attributes to set roles for users with those attributes, you need to define those attributes. You can locate the attributes returned for a user by looking at the user's profile on your RADIUS server.

a) Enter an Attribute Name .

When you define an attribute, you provide the name of the attribute, which consists of alphanumeric characters. Note that words in an attribute name should be separated by dashes rather than spaces.

b) Enter the Attribute ID as an integer.


The attribute ID should be an integer and should not conflict with any existing attribute IDs in the /etc/radiusclient/dictionary file.

c) Choose the Attribute Type from the drop-down list.

You also specify the type of attribute: string, IP address, integer, or date.

d) Click Add to add the custom attribute.

When you create a RADIUS authentication object, a new dictionary file for that object is created on the device in the /var/sf/userauth directory. Any custom attributes you add are added to the dictionary file.

Example:

If a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool.

To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute type of integer.

You could then enter Ascend-Assign-IP-Pool=2 in the Security Analyst (Read Only) field to grant read-only security analyst rights to all users with an Ascend-IP-Pool-Definition attribute value of 2.

Step 12 (Optional) In the CLI Access Filter area Administrator CLI Access User List field, enter the user names that should have CLI access, separated by commas.

Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid usernames:

• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

• All lowercase

• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

To prevent RADIUS authentication of CLI access, leave the field blank.

Note Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you restrict the list of users with CLI or Linux shell access.

Note Remove any internal users that have the same user name as users included in the shell access filter. For the management center, the only internal CLI user is admin, so do not also create an admin external user.
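Both the LDAP CLI Access Filter (Step 14 of the LDAP procedure) and the RADIUS Administrator CLI Access User List (Step 12 above) require Linux-valid user names, and both notes warn against listing the internal admin account. The following Python check is an added example, not the appliance's own validator: it encodes the three bullet rules from the guide, then applies them to a comma-separated user list as it would be typed into the field. The rule wording and the handling of duplicates are assumptions made for this example.

```python
import re

MAX_LEN = 32
FORBIDDEN = ".@/"                     # characters the guide names explicitly
ALLOWED = re.compile(r"[a-z0-9_-]*")  # lowercase alphanumeric, hyphen, underscore


def cli_username_problems(name):
    """Return the rules a proposed CLI user name breaks (empty list = valid).
    Rules follow the guide's list for the CLI Access Filter and the
    Administrator CLI Access User List; added illustration, not product code."""
    problems = []
    if not 1 <= len(name) <= MAX_LEN:
        problems.append("must be 1 to %d characters" % MAX_LEN)
    if name != name.lower():
        problems.append("must be all lowercase")
    if any(c in name for c in FORBIDDEN):
        problems.append("must not contain '.', '@' or '/'")
    # Check the remaining character set separately so each rule reports once.
    stripped = "".join(c for c in name.lower() if c not in FORBIDDEN)
    if not ALLOWED.fullmatch(stripped):
        problems.append("only letters, digits, hyphen and underscore are allowed")
    if name.startswith("-"):
        problems.append("must not start with a hyphen")
    if name.isdigit():
        problems.append("must not be all digits")
    return problems


def parse_cli_access_list(field):
    """Parse the comma-separated user list typed into the object and split it
    into accepted names and rejected names with reasons. The built-in admin
    account is rejected because the guide says not to list it externally."""
    accepted, rejected = [], {}
    for raw in field.split(","):
        name = raw.strip()
        if not name:
            continue
        problems = cli_username_problems(name)
        if name == "admin":
            problems.append("admin is the internal management center user")
        if name in accepted:
            problems.append("duplicate entry")
        if problems:
            rejected[name] = problems
        else:
            accepted.append(name)
    return accepted, rejected
```

Running the list through this check before saving the object catches the cases the guide calls out: an uppercase name such as JDoe, which would never match a lowercase Linux account, and an admin entry that would collide with the internal user.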

Step 13 (Optional) Click Test to test management center connectivity to the RADIUS server.

Step 14 (Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be able to authenticate: enter a User Name and Password, and then click Test.

Tip If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters field first. If that succeeds, supply a user name and password to test with the specific user.

Example:

To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.

Step 15 Click Save.

Step 16 Enable use of this server. See Enable External Authentication for Users on the Management Center, on page 127.

Examples

Simple User Role Assignments

The following figure illustrates a sample RADIUS login authentication object for a server running Cisco Identity Services Engine (ISE) with an IP address of 10.10.10.98 on port 1812. No backup server is defined.

The following example shows RADIUS-specific parameters, including the timeout (30 seconds) and number of failed retries before the Firepower System attempts to contact the backup server, if any.

This example illustrates important aspects of RADIUS user role configuration:

Users ewharton and gsand are granted web interface Administrative access.

The user cbronte is granted web interface Maintenance User access.

The user jausten is granted web interface Security Analyst access.

The user ewharton can log into the device using a CLI account.

The following graphic depicts the role configuration for the example:


Roles for Users Matching an Attribute-Value Pair

You can use an attribute-value pair to identify users who should receive a particular user role. If the attribute you use is a custom attribute, you must define the custom attribute.

The following figure illustrates the role configuration and custom attribute definition in a sample RADIUS login authentication object for the same ISE server as in the previous example.

In this example, however, the MS-RAS-Version custom attribute is returned for one or more of the users because a Microsoft remote access server is in use. Note the MS-RAS-Version custom attribute is a string. In this example, all users logging in to RADIUS through a Microsoft v. 5.00 remote access server should receive the Security Analyst (Read Only) role, so you enter the attribute-value pair of MS-RAS-Version=MSRASV5.00 in the Security Analyst (Read Only) field.
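Step 10 c) and Step 11 of the RADIUS procedure, together with the two examples above, describe how role fields holding user names and attribute-value pairs are matched against the attributes a RADIUS server returns, and why a custom attribute must be defined (name, ID, type) before it can drive a role. The following Python model is an added example, not code from this guide or from the management center: it decodes an Access-Accept's (attribute ID, raw value) pairs through a dictionary, drops IDs the dictionary does not know, and then evaluates the role fields. The dictionary entry 218 / Ascend-IP-Pool-Definition / integer is the guide's custom attribute example; the IDs 9001 and 9002 for User-Category and MS-RAS-Version, the exact-match comparison of attribute values, and the role fields themselves are assumptions constructed for this illustration.

```python
# Attributes the object can decode: ID -> (name, type). Attribute 1 is the
# standard User-Name; 218 is the guide's custom attribute example; 9001 and
# 9002 are placeholder IDs chosen for this example, not real RADIUS numbers.
DICTIONARY = {
    1: ("User-Name", "string"),
    218: ("Ascend-IP-Pool-Definition", "integer"),
    9001: ("User-Category", "string"),
    9002: ("MS-RAS-Version", "string"),
}

# Role fields as they would be typed into the object (constructed from the
# guide's examples; the custom attribute is referenced by its defined name).
ROLE_CONFIG = {
    "Administrator": "jsmith, jdoe",
    "Security Analyst": "User-Category=Analyst",
    "Maintenance User": "User-Category=Maintenance",
    "Security Analyst (Read Only)":
        "Ascend-IP-Pool-Definition=2, MS-RAS-Version=MSRASV5.00",
}


def decode_reply(raw_attrs, dictionary=DICTIONARY):
    """Decode (attribute id, raw value bytes) pairs from an Access-Accept into
    name -> [values]. IDs absent from the dictionary are reported, not decoded:
    this is why a custom attribute must be defined before a role can use it."""
    decoded, unknown = {}, []
    for attr_id, raw in raw_attrs:
        if attr_id not in dictionary:
            unknown.append(attr_id)
            continue
        name, kind = dictionary[attr_id]
        if kind == "integer":            # RADIUS integers are 4-byte big-endian
            value = str(int.from_bytes(raw, "big"))
        else:
            value = raw.decode("utf-8")
        decoded.setdefault(name, []).append(value)
    return decoded, unknown


def parse_role_field(text):
    """Split a comma-separated role field into bare user names and
    (attribute, value) pairs."""
    names, pairs = set(), []
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue
        if "=" in item:
            attr, value = item.split("=", 1)
            pairs.append((attr.strip(), value.strip()))
        else:
            names.add(item)
    return names, pairs


def roles_for(user_name, attrs, role_config=ROLE_CONFIG,
              default_role="Security Analyst (Read Only)"):
    """Roles granted to an authenticated user: every field whose user list
    names them or whose attribute-value pair the reply satisfies (exact match,
    an assumption of this model); the default role only when nothing matched."""
    granted = set()
    for role, field in role_config.items():
        names, pairs = parse_role_field(field)
        if user_name in names or any(v in attrs.get(a, []) for a, v in pairs):
            granted.add(role)
    return sorted(granted) if granted else [default_role]


def authorize(raw_attrs):
    """End to end: decode the reply, take User-Name from it, map it to roles.
    Returns (user, roles, unknown attribute IDs)."""
    attrs, unknown = decode_reply(raw_attrs)
    user = attrs.get("User-Name", [""])[0]
    return user, roles_for(user, attrs), unknown
```

The unknown list is the part worth watching operationally: a server that returns an attribute the object has not defined yields a user who silently falls back to the default role, which is the situation the Custom RADIUS Attributes step exists to prevent.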


Enable External Authentication for Users on the Management Center

When you enable external authentication for management users, the management center verifies the user credentials with an LDAP or RADIUS server as specified in an External Authentication object.

Before you begin

Add one or more external authentication objects according to Add an LDAP External Authentication Object for Management Center, on page 115 and Add a RADIUS External Authentication Object for Management Center, on page 122.

Procedure

Step 1 Choose Integration > Users.

Step 2 Click External Authentication.

Step 3 Set the default user role for external web interface users.

Users without a role cannot perform any actions. Any user roles defined in the external authentication object override this default user role.

a) Click the Default User Roles value (by default, none selected).

b) In the Default User Role Configuration dialog box, check the role(s) that you want to use.

c) Click Save.

Step 4 Click the slider next to each external authentication object that you want to use so that it shows as enabled. If you enable more than one object, users are compared against servers in the order specified. See the next step to reorder servers.

If you enable shell authentication, you must enable an external authentication object that includes a CLI Access Filter. Also, CLI access users can only authenticate against the server whose authentication object is highest in the list.


Step 5 (Optional) Drag and drop servers to change the order in which they are accessed when an authentication request occurs.

Step 6 Choose Shell Authentication > Enabled if you want to allow CLI access for external users.

The first external authentication object name is shown next to the Enabled option to remind you that only the first object is used for CLI.

Step 7 Click Save and Apply.

Configure Common Access Card Authentication with LDAP

If your organization uses Common Access Cards (CACs), you can configure LDAP authentication to authenticate management center users logging into the web interface. With CAC authentication, users have the option to log in directly without providing a separate username and password for the device.

CAC-authenticated users are identified by their electronic data interchange personal identifier (EDIPI) numbers.

After 24 hours of inactivity, the device deletes CAC-authenticated users from the Users tab. The users are re-added after each subsequent login, but you must reconfigure any manual changes to their user roles.

Before you begin

You must have a valid user certificate present in your browser (in this case, a certificate passed to your browser via your CAC) to enable user certificates as part of the CAC configuration process. After you configure CAC authentication and authorization, users on your network must maintain the CAC connection for the duration of their browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.

Procedure

Step 1 Insert a CAC as directed by your organization.

Step 2 Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your device.

Step 3 If prompted, enter the PIN associated with the CAC you inserted in step 1.

Step 4 If prompted, choose the appropriate certificate from the drop-down list.

Step 5 On the Login page, in the Username and Password fields, log in as a user with Administrator privileges.

You cannot yet log in using your CAC credentials.

Step 6 Choose System > Users > External Authentication.

Step 7 Create an LDAP authentication object exclusively for CAC, following the procedure in Add an LDAP External Authentication Object for Management Center, on page 115. You must configure the following:

• CAC check box.

• LDAP-Specific Parameters > Show Advanced Options > User Name Template.

• Attribute Mapping > UI Access Attribute.

Step 8 Click Save.


Step 9

Step 10

Step 11

Step 12

Step 13

Enable external authentication and CAC authentication as described in

Enable External Authentication for

Users on the Management Center, on page 127

.

Choose System ( ) > Configuration , and click HTTPS Certificate .

Import a HTTPS server certificate, if necessary, following the procedure outlined in

Importing HTTPS Server

Certificates, on page 48

.

The same certificate authority (CA) must issue the HTTPS server certificate and the user certificates on the

CACs you plan to use.

Under HTTPS User Certificate Settings , choose Enable User Certificates . For more information, see

Requiring Valid HTTPS Client Certificates, on page 49

.

Log into the device according to

Logging Into the Secure Firewall Management Center with CAC Credentials, on page 33 .

Configure SAML Single Sign-On

You can configure your management center to use Single Sign-On, a system by which a central identity provider (IdP) provides authentication and authorization for users logging into the management center as well as other applications within an organization. The applications configured to take part in such an SSO arrangement are said to be federated service provider applications. SSO users can log in once to gain access to all service provider applications that are members of the same federation.

About SAML Single Sign-On

A management center configured for SSO presents a link for single sign-on on the Login page. Users configured for SSO access click on this link and are redirected to the IdP for authentication and authorization, rather than supplying a username and password on the management center Login page. Once successfully authenticated by the IdP, SSO users are redirected back to the management center web interface and logged in. All the communication between the management center and the IdP to accomplish this takes place using the browser as an intermediary; as a result, the management center does not require a network connection to directly access the identity provider.

The management center supports SSO using any SSO provider conforming to the Security Assertion Markup Language (SAML) 2.0 open standard for authentication and authorization. The management center web interface offers configuration options for the following SSO providers:

• Okta

• OneLogin

• Azure

• PingID's PingOne for Customers cloud solution

Note The Cisco Secure Sign On SSO product does not recognize the management center as a pre-integrated service provider.


SSO Guidelines for the Management Center

Keep the following in mind when you configure a management center to be a member of an SSO federation:

• The management center can support SSO with only one SSO provider at a time—you cannot configure the management center to use, for instance, both Okta and OneLogin for SSO.

• management centers in a high availability configuration can support SSO, but you must keep the following considerations in mind:

• SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.

• Both management centers in a high availability pair must use the same IdP for SSO. You must configure a service provider application at the IdP for each management center configured for SSO.

• In a high availability pair of management centers where both are configured to support SSO, before a user can use SSO to access the secondary management center for the first time, that user must first use SSO to log into the primary management center at least once.

• When configuring SSO for management centers in a high availability pair:

• If you configure SSO on the primary management center, you are not required to configure SSO on the secondary management center.

• If you configure SSO on the secondary management center, you are required to configure SSO on the primary management center as well. (This is because SSO users must log into the primary management center at least once before logging into the secondary management center.)

• In a management center that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.

• Only users with the Admin role authenticated internally or by LDAP or RADIUS can configure SSO.

• The management center does not support SSO initiated from the IdP.

• The management center does not support logging in with CAC credentials for SSO accounts.

• Do not configure SSO in deployments using CC mode.

• SSO activities are logged in the management center audit log with Login or Logout specified in the Subsystem field.

Related Topics

High Availability , on page 275

Domains , on page 195

Logging Into the Secure Firewall Management Center with CAC Credentials , on page 33

Security Certifications Compliance , on page 295

Audit Records, on page 375

SSO User Accounts

Identity providers can support user and group configuration directly, or they often can import users and groups from other user management applications such as Active Directory, RADIUS, or LDAP. This documentation focuses on configuring the management center to work with the IdP to support SSO assuming that IdP users and groups are already established; to configure an IdP to support users and groups from other user management applications, consult the IdP vendor documentation.

Most account characteristics for SSO users, including the user name and password, are established at the IdP.

SSO accounts do not appear on the management center web interface Users page until those accounts log in the first time.

Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.

The following account characteristics for SSO users can be configured from the management center web interface under System > User > Edit User :

• Real Name

• Exempt from Browser Session Timeout

User Role Mapping for SSO Users

By default, all users given SSO access to a management center are assigned the Security Analyst (Read Only) role. You can change this default, as well as override it for specific SSO users or groups with user role mapping. After you have established and successfully tested the management center SSO configuration, you can configure user role mapping to establish what management center user roles SSO users are assigned when they log in.

User role mapping requires coordinating configuration settings at the management center with settings at the SSO IdP application. User roles can be assigned to users or to groups defined at the IdP application. Users may or may not be members of groups, and user or group definitions may or may not be imported to the IdP from other user management systems within your organization, such as Active Directory. For this reason, to effectively configure management center SSO user role mapping you must be familiar with how your SSO federation is organized and how users, groups and their roles are assigned at the SSO IdP application. This documentation focuses on configuring the management center to work with the IdP to support user role mapping; to create users or groups within the IdP, or import users or groups into the IdP from a user management application, consult the IdP vendor documentation.

In user role mapping, the IdP maintains a role attribute for the management center service provider application, and each user or group with access to that management center is configured with a string or expression for the role attribute (requirements for the attribute value are different for each IdP). At the management center, the name of that role attribute is part of the SSO configuration. The management center SSO configuration also contains a list of expressions assigned to a list of management center user roles. When a user logs into the management center using SSO, the management center compares the value of the role attribute for that user (or that user's group, depending upon configuration) against the expressions for each management center user role. The management center assigns the user all the roles where the expression matches the attribute value the user has provided.


Note You can configure management center roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users.

Enable Single Sign-On at the Management Center

Before you begin

• At the SAML SSO management application, configure a service provider application for the management center and assign users or groups to the service provider application:

• To configure a management center service provider application for Okta, see Configure the Management Center Service Provider Application for Okta, on page 134.

• To configure a management center service provider application for OneLogin, see Configure the Management Center Service Provider Application for OneLogin, on page 146.

• To configure a management center service provider application for Azure, see Configure the Management Center Service Provider Application for Azure, on page 158.

• To configure a management center service provider application for PingID's PingOne for Customers cloud solution, see Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.

• To configure a management center service provider application for any SAML 2.0-compliant SSO provider, see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.

Procedure

Step 1 Choose System > Users > Single Sign-On.

Step 2 Click the Single Sign-On (SSO) Configuration slider to enable SSO.

Step 3 Click the Configure SSO button.

Step 4 At the Select FMC SAML Provider dialog, click the radio button for the SSO IdP of your choice and click Next.

What to do next

Proceed with the instructions appropriate to your choice of SSO provider:

• Configure the management center for Okta SSO; see Configure the Management Center for Okta SSO, on page 136.

• Configure the management center for SSO using PingID's PingOne for Customers cloud solution; see Configure the Management Center for SSO with PingID PingOne for Customers, on page 173.

• Configure the management center for Azure SSO; see Configure the Management Center for Azure SSO, on page 160.

• Configure the management center for OneLogin SSO; see Configure the Management Center for OneLogin SSO, on page 148.

• Configure the management center for SSO using any SAML 2.0-compliant provider; see Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.

Configure Single Sign-On with Okta

See the following tasks to configure SSO using Okta:

Okta UI Admin Console: Review the Okta Org, on page 133

Okta UI Admin Console: Configure the Management Center Service Provider Application for Okta, on page 134

management center: Enable Single Sign-On at the Management Center, on page 132

management center: Configure the Management Center for Okta SSO, on page 136

management center: Configure User Role Mapping for Okta at the Management Center, on page 137

Okta UI Admin Console: Configure User Role Mapping at the Okta IdP, on page 138

Review the Okta Org

In Okta, the entity that encompasses all the federated devices and applications that a user can access with the same SSO account is called an org . Before adding the management center to an Okta org, be familiar with its configuration; consider the following questions:

• How many users will have access to the management center?


• Are users within the Okta org members of groups?

• Are user and group definitions native to Okta or imported from a user management application such as Active Directory, RADIUS, or LDAP?

• Do you need to add more users or groups to the Okta org to support SSO on the management center?

• What kind of user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)

• How must users and groups within the Okta org be organized to support the required user role mapping?

Keep in mind that you can configure management center roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users.

This documentation assumes you are already familiar with the Okta Classic UI Admin Console, and have an account that can perform configuration functions requiring Super Admin permissions. If you need more information, see Okta's documentation available online.

Configure the Management Center Service Provider Application for Okta

Use these instructions at the Okta Classic UI Admin Console to create a management center service provider application within Okta and assign users or groups to that application. You should be familiar with SAML SSO concepts and the Okta admin console. This documentation does not describe all the Okta functions you need to establish a fully functional SSO org; for instance, to create users and groups, or to import user and group definitions from another user management application, see the Okta documentation.

Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.

Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from OneLogin to the management center.

Before you begin

• Familiarize yourself with the SSO federation and its users and groups; see Review the Okta Org, on page 133.

• Create user accounts and/or groups in your Okta org if necessary.


Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.

• Confirm the login URL for the target management center (https://ipaddress_or_hostname).

Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.

Procedure

Step 1 From the Okta Classic UI Admin Console, create a service provider application for the management center. Configure the management center application with the following selections:

• Select Web for the Platform.

• Select SAML 2.0 for the Sign on method.

• Provide a Single sign on URL. This is the management center URL to which the browser sends information on behalf of the IdP. Append the string saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

• Enable Use this for Recipient URL and Destination URL.

• Enter an Audience URI (SP Entity ID). This is a globally unique name for the service provider (the management center), often formatted as a URL. Append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.

• For Name ID Format choose Unspecified.

Step 2 (Optional if you are assigning groups to the application.) Assign individual Okta users to the management center application. (If you plan to assign groups to the management center application, do not assign users that are members of those groups as individuals.)

Step 3 (Optional if you are assigning individual users to the application.) Assign Okta groups to the management center application.

Step 4 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata file for the management center service provider application from Okta to your local computer.

What to do next

Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Configure the Management Center for Okta SSO

Use these instructions at the management center web interface.

Before you begin

• Create a management center service provider application at the Okta Classic UI Admin Console; see Configure the Management Center Service Provider Application for Okta, on page 134.

• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Procedure

Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure Okta Metadata dialog, you have two choices:

• To enter the SSO configuration information manually:

a. Click the Manual Configuration radio button.

b. Enter the following values from the Okta SSO Service Provider application. (Retrieve these values from the Okta Classic UI Admin Console.)

• Identity Provider Single Sign-On URL

• Identity Provider Issuer

• X.509 Certificate

• If you saved the XML metadata file generated by Okta to your local computer (Step 4 in Configure the Management Center Service Provider Application for Okta, on page 134), you can upload the file to the management center:

a. Click the Upload XML File radio button.

b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.

Step 2 Click Next.

Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.

Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the Okta service provider application configuration, correct any errors, and try again.


Step 5 When the system reports a successful configuration test, click Apply .

What to do next

You may optionally configure user role mapping for SSO users; see Configure User Role Mapping for Okta at the Management Center, on page 137. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the user role you configure in Step 4 of Configure User Role Mapping for Okta at the Management Center, on page 137.

Configure User Role Mapping for Okta at the Management Center

The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping.

Before you begin

• Review the Okta user group mapping information; see Review the Okta Org, on page 133.

• Configure an SSO service provider application for the management center; see Configure the Management Center Service Provider Application for Okta, on page 134.

• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center for Okta SSO, on page 136.

Procedure

Step 1 Choose System > Users.

Step 2 Click the Single Sign-On tab.

Step 3 Expand Advanced Configuration (Role Mapping).

Step 4 Select a management center user role to assign users as a default value from the Default User Role drop-down.

Step 5 Enter a Group Member Attribute. This string must match an attribute name configured at the Okta management center provider application for user role mapping for either users or groups. (See Step 1 of Configure a User Attribute for Role Mapping at the Okta IdP, on page 138 or Step 1 of Configure a Group Attribute for Role Mapping at the Okta IdP, on page 139.)

Step 6 Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The management center uses a restricted version of Google's RE2 regular expression standard supported by Golang and Perl.) The management center compares these values against the user role mapping attribute value the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.

What to do next

• Configure user role mapping at the service provider application; see Configure User Role Mapping at the Okta IdP, on page 138.


Configure User Role Mapping at the Okta IdP

You can configure SSO user role mapping at the Okta Classic UI Admin Console based on individual user permissions or based on group permissions.

• To map based on individual user permissions, see Configure a User Attribute for Role Mapping at the Okta IdP, on page 138.

• To map based on group permissions, see Configure a Group Attribute for Role Mapping at the Okta IdP, on page 139.

When an SSO user logs in to the management center, Okta presents to the management center a user or group role attribute value configured at the Okta IdP. The management center compares that attribute value against the regular expressions assigned to each management center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no match is found, the management center grants the user a configurable default user role.) The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The management center treats the attribute value received from Okta as a regular expression using that same standard for purposes of comparison with the management center user role expressions.

Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.

Furthermore, the management center can support group role mapping using only one group attribute statement per management center service provider application configured in Okta. Generally, group-based role mapping is more efficient for a management center with many users. You should take into account user and group definitions established throughout your Okta org.

Configure a User Attribute for Role Mapping at the Okta IdP

Use these instructions at the Okta Classic UI Admin Console to add a custom role mapping attribute to the Okta default user profile.

Okta service provider applications may use one of two types of user profiles:

• Okta user profiles, which can be extended with any custom attribute.

• App user profiles, which can be extended only with attributes from a predefined list that Okta generates by querying a third-party application or directory (such as Active Directory, LDAP, or RADIUS) for supported attributes.

You may use either type of user profile in your Okta org; consult Okta documentation for information on how to configure them. Whichever type of user profile you use, to support user role mapping with the management center you must configure a custom attribute in the profile to convey each user's role mapping expression to the management center.

This documentation describes role mapping using Okta user profiles; mapping with App profiles requires familiarity with the third-party user management application in use at your organization to set up custom attributes. See the Okta documentation for details.

Before you begin

• Configure a management center service provider application at the Okta IdP as described in Configure the Management Center Service Provider Application for Okta, on page 134.

• Configure SSO user role mapping at the management center as described in Configure User Role Mapping for Okta at the Management Center, on page 137.

Procedure

Step 1 Add a new attribute to the default Okta user profile:

• For Data type choose string.

• Provide the Variable name the Okta IdP will send to the management center, containing an expression to match for user role mapping. This variable name must match the string you entered at the management center SSO configuration for Group Member Attribute. (See Step 5 in Configure User Role Mapping for Okta at the Management Center, on page 137.)

Step 2 For each user assigned to the management center service provider application using this profile, assign a value to the user role attribute you have just created.

Use an expression to represent the role or roles the management center will assign to the user. The management center compares this string against the expressions you assigned to each management center user role in Step 6 of Configure User Role Mapping for Okta at the Management Center, on page 137. (For purposes of comparison with the management center user role expressions, the management center treats the attribute value received from Okta as an expression complying with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl.)

Configure a Group Attribute for Role Mapping at the Okta IdP

Use these instructions at the Okta Classic UI Admin Console to add a custom role mapping group attribute to the management center service provider application. The management center can support group role mapping using only one group attribute statement per Okta management center service provider application.

Okta service provider applications may use one of two types of groups:

• Okta groups, which can be extended with any custom attribute.

• Application groups, which can be extended only with attributes from a predefined list that Okta generates by querying a third-party application or directory (such as Active Directory, LDAP, or RADIUS) for supported attributes.

You may use either type of group in your Okta org; consult Okta documentation for information on how to configure them. Whichever type of group you use, to support user role mapping with the management center you must configure a custom attribute for the group to convey its role mapping expression to the management center.

This documentation describes role mapping using Okta groups; mapping with application groups requires familiarity with the third-party user management application in use at your organization to set up custom attributes. See the Okta documentation for details.

Before you begin

• Configure a management center service provider application at the Okta IdP; see Configure the Management Center Service Provider Application for Okta, on page 134.

• Configure user role mapping at the management center; see Configure User Role Mapping for Okta at the Management Center, on page 137.

Procedure

Create a new SAML group attribute for the management center service provider application:

• For Name, use the same string you entered at the management center SSO configuration for Group Member Attribute. (See Step 5 in Configure User Role Mapping for Okta at the Management Center, on page 137.)

• For Filter, specify an expression to represent the role or roles the management center will assign to the members of the group. Okta compares this value against the names of the group(s) of which a user is a member, and sends the management center the group names that match. The management center in turn compares those group names against the regular expressions you assigned to each management center user role in Step 6 of Configure User Role Mapping for Okta at the Management Center, on page 137.

Okta User Role Mapping Examples

As the following examples demonstrate, the SSO configurations at the management center to support user role mapping are the same for both individual users and for groups. The difference lies in the settings at the management center service provider application in Okta.

Note You can configure management center roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users. Furthermore, the management center can support group role mapping using only one group attribute statement per management center service provider application configured in Okta.

Okta Role Mapping Example for Individual User Accounts

In role mapping for individual users, the Okta management center service application has a custom attribute whose name matches the name of the Group Member Attribute on the management center (in this example, UserRole). The user profile in Okta also has a custom attribute (in this example, a variable named FMCrole).

The definition for the application custom attribute UserRole establishes that when Okta passes user role mapping information to the management center, it will use the custom attribute value assigned for the user in question.

The following diagrams illustrate how the relevant fields and values in the management center and Okta configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the same SSO configurations at the management center and at the Okta UI Admin Console, but the configuration for each user at the Okta UI Admin Console differs to assign each user different roles at the management center.

• In this diagram [email protected] uses the FMCrole value FMCAdmin and the management center assigns her the Administrator role.

• In this diagram [email protected] uses the FMCrole value PolicyAdmin, and the management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.


• Other users assigned to the Okta service application for this management center are assigned the default user role Security Analyst (Read Only) for one of the following reasons:

  • They have no value assigned to the FMCrole variable in their Okta user profile.

  • The value assigned to the FMCrole variable in their Okta user profile does not match any expression configured for a user role in the SSO configuration at the management center.

Okta Role Mapping Example for Groups

In role mapping for groups, the Okta management center service application has a custom group attribute whose name matches the name of the Group Member Attribute on the management center (in this example, UserRole). When Okta processes a request for management center SSO login, it compares the user's group membership against the expression assigned to the management center service application group attribute (in this case ^(.*)Admin$). Okta sends to the management center the user's group membership(s) that match the group attribute. The management center compares the group names it receives against the regular expressions it has configured for each user role, and assigns user roles accordingly.

The following diagrams illustrate how the relevant fields and values in the management center and Okta configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO configurations at the management center and at the Okta UI Admin Console, but the configuration for each user at the Okta UI Admin Console differs to assign each user different roles at the management center.

• In this diagram [email protected] is a member of the Okta IdP group Admin, which matches the expression ^(.*)Admin$. Okta sends the management center Fred's Admin group membership, and the management center assigns him the Administrator role.


• In this diagram [email protected] is a member of the Okta IdP group PolicyAdmin, which matches the expression ^(.*)Admin$. Okta sends the management center Sue's PolicyAdmin group membership, and the management center assigns her the roles Access Admin, Discovery Admin, and Intrusion Admin.

Sue is also a member of the Okta group Maint, but because this group name does not match the expression assigned to the group membership attribute in the Okta management center service application, Okta does not send information about Sue's Maint group membership to the management center, and her membership in the Maint group plays no part in the roles the management center assigns to her.


• In this diagram [email protected] is a member of the Okta IdP group Maint. This group name does not match the expression ^(.*)Admin$, so, when [email protected] logs into the management center, Okta does not send information about Sean's Maint group membership to the management center and Sean is assigned the default user role (Security Analyst (Read Only)) rather than the Maintenance User role.


These diagrams illustrate the importance of advance planning when establishing a role mapping strategy. In this example, any Okta user with access to this management center who is a member of only the Maint group can be assigned only the default user role. The management center supports using only one custom group attribute in its Okta Service Application configuration. The expression you assign to that attribute and the group names you establish to match against it must be carefully crafted. You can add more flexibility to role mapping by using regular expressions in the user role assignment strings in the management center SSO configuration. (The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl.)

Configure Single Sign-On with OneLogin

See the following tasks to configure SSO using OneLogin:

• At the OneLogin Admin Portal: Review the OneLogin Subdomain, on page 146

• At the OneLogin Admin Portal: Configure the Management Center Service Provider Application for OneLogin, on page 146

• At the management center: Enable Single Sign-On at the Management Center, on page 132

• At the management center: Configure the Management Center for OneLogin SSO, on page 148

• At the management center: Configure User Role Mapping for OneLogin at the Management Center, on page 149

• At the OneLogin Admin Portal: Configure User Role Mapping at the OneLogin IdP, on page 150

Review the OneLogin Subdomain

In OneLogin, the entity that encompasses all the federated devices and applications that a user can access with the same SSO account is called a subdomain. Before adding the management center to a OneLogin subdomain, be familiar with its configuration; consider the following questions:

• How many users will have access to the management center?

• Are users within the OneLogin subdomain members of groups?

• Are users and groups from a third-party directory such as Active Directory, Google Apps, or LDAP synchronized with the OneLogin subdomain?

• Do you need to add more users or groups to the OneLogin subdomain to support SSO on the management center?

• What kind of management center user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)

• How must users and groups within the OneLogin subdomain be organized to support the required user role mapping?

Keep in mind that you can configure management center roles to be mapped based on individual users or based on groups, but a single management center application cannot support role mapping for both groups and individual users.

This documentation assumes you are already familiar with the OneLogin Admin Portal, and have an account with Super User privilege. To configure user role mapping, you will also need a subscription to the OneLogin Unlimited plan, which supports Custom User Fields. If you need more information, see the OneLogin documentation available online.

Configure the Management Center Service Provider Application for OneLogin

Use these instructions at the OneLogin Admin Portal to create a management center service provider application within OneLogin and assign users or groups to that application. You should be familiar with SAML SSO concepts and the OneLogin Admin Portal. This documentation does not describe all the OneLogin functions you need to establish a fully functional SSO org; for instance, to create users and groups, or to import user and group definitions from another user management application, see the OneLogin documentation.

Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.

Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from OneLogin to the management center.

Before you begin

• Familiarize yourself with the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on page 146.

• Create user accounts in your OneLogin subdomain if necessary.

Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.

• Confirm the login URL for the target management center (https://ipaddress_or_hostname/).

Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.

Procedure

Step 1 Create the management center service provider application using the SAML Test Connector (Advanced) as its basis.

Step 2 Configure the application with the following settings:

• For the Audience (Entity ID), append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.

• For Recipient, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

• For ACS (Consumer) URL Validator, enter an expression that OneLogin uses to confirm it is using the correct management center URL. You can create a simple validator by using the ACS URL and altering it as follows:

  • Add a ^ at the beginning of the ACS URL.

  • Add a $ at the end of the ACS URL.

  • Insert a \ preceding every / and ? within the ACS URL.

For example, for the ACS URL https://ExampleFMC/saml/acs, an appropriate URL validator would be ^https:\/\/ExampleFMC\/saml\/acs$.

• For ACS (Consumer) URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

• For Login URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

• For the SAML Initiator, choose Service Provider.

Step 3 Assign OneLogin users to the management center service provider application.

Step 4 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata for the management center service provider application from OneLogin to your local computer.
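The ACS (Consumer) URL Validator recipe in Step 2 is easy to get wrong by hand, so the following added example (not Cisco's or OneLogin's code) builds the validator exactly as the step describes and then compiles it with Go's RE2-based regexp package to confirm what it accepts. The URLs other than the guide's https://ExampleFMC/saml/acs are constructed test inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// acsURLValidator applies the guide's recipe: anchor the ACS URL with ^ and $
// and backslash-escape every / and ? so they are literals in the expression.
func acsURLValidator(acsURL string) string {
	escaped := strings.NewReplacer("/", `\/`, "?", `\?`).Replace(acsURL)
	return "^" + escaped + "$"
}

// validatorAccepts compiles the validator as an RE2 expression (Go's regexp is
// RE2 syntax) and reports whether it accepts the given URL.
func validatorAccepts(validator, url string) (bool, error) {
	re, err := regexp.Compile(validator)
	if err != nil {
		return false, err
	}
	return re.MatchString(url), nil
}

func main() {
	v := acsURLValidator("https://ExampleFMC/saml/acs")
	fmt.Println("validator:", v)
	// Constructed inputs: the exact ACS URL must pass; a trailing path segment
	// or a different scheme must fail because of the ^ and $ anchors.
	for _, u := range []string{
		"https://ExampleFMC/saml/acs",
		"https://ExampleFMC/saml/acs/extra",
		"http://ExampleFMC/saml/acs",
	} {
		ok, err := validatorAccepts(v, u)
		fmt.Printf("%-36s accepted=%v err=%v\n", u, ok, err)
	}
}
```

The recipe escapes only / and ?, so a dot in a real hostname stays a regular-expression wildcard; escaping dots as \. as well tightens the validator without changing what it accepts for the intended URL.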

What to do next

Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Configure the Management Center for OneLogin SSO

Use these instructions at the management center web interface.

Before you begin

• Create a management center service provider application at the OneLogin Admin Portal; see Configure the Management Center Service Provider Application for OneLogin, on page 146.

• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Procedure

Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure OneLogin Metadata dialog, you have two choices:

• To enter the SSO configuration information manually:

  a. Click the Manual Configuration radio button.

  b. Enter the following SSO configuration values from the OneLogin service provider application:

    • Identity Provider Single Sign-On URL: Enter the SAML 2.0 Endpoint (HTTP) from OneLogin.

    • Identity Provider Issuer: Enter the Issuer URL from OneLogin.

    • X.509 Certificate: Enter the X.509 Certificate from OneLogin.

• If you saved the XML metadata file generated by OneLogin to your local computer (Step 4 in Configure the Management Center Service Provider Application for OneLogin, on page 146), you can upload the file to the management center:

  a. Click the Upload XML File radio button.

  b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.

Step 2 Click Next.

Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.

Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the OneLogin service provider application configuration, correct any errors, and try again.

Step 5 When the system reports a successful configuration test, click Apply.

What to do next

You may optionally configure user role mapping for SSO users; see Configure User Role Mapping for OneLogin at the Management Center, on page 149. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the user role you configure in Step 4 of Configure User Role Mapping for OneLogin at the Management Center, on page 149.

Configure User Role Mapping for OneLogin at the Management Center

The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping.

Before you begin

• Review the OneLogin users and groups; see Review the OneLogin Subdomain, on page 146.

• Configure an SSO service provider application for the management center; see Configure the Management Center Service Provider Application for OneLogin, on page 146.

• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center Service Provider Application for OneLogin, on page 146.


Procedure

Step 1 Choose System (⚙) > Users > Single Sign-On.

Step 2 Expand Advanced Configuration (Role Mapping).

Step 3 Select a management center user role to assign to users as a default value from the Default User Role drop-down.

Step 4 Enter a Group Member Attribute. This string must match the field name for a custom parameter you define for role mapping at the management center service provider application in OneLogin. (See Step 1 of Configure User Role Mapping for Individual Users at the OneLogin IdP, on page 151 or Step 1 of Configure User Role Mapping for Groups at the OneLogin IdP, on page 152.)

Step 5 Next to each management center user role you wish to assign to SSO users, enter a regular expression. The management center compares these values against the user role mapping attribute the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.

What to do next

Configure user role mapping at the service provider application; see Configure User Role Mapping at the OneLogin IdP, on page 150.

Configure User Role Mapping at the OneLogin IdP

You can configure SSO user role mapping at the OneLogin Admin Portal based on individual permissions or based on group permissions.

• To map based on individual user permissions, see Configure User Role Mapping for Individual Users at the OneLogin IdP, on page 151.

• To map based on group permissions, see Configure User Role Mapping for Groups at the OneLogin IdP, on page 152.

When an SSO user logs into the management center, OneLogin presents to the management center a user or group role attribute value that gets its value from a custom user field configured at the OneLogin IdP. The management center compares that attribute value against the regular expression assigned to each management center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no match is found, the management center grants the user a configurable default user role.) The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The management center treats the attribute value received from OneLogin as a regular expression using that same standard for purposes of comparison with the management center user role expressions.

Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.

The management center can support role mapping using only one custom user field configured in OneLogin.

Generally, group-based role mapping is more efficient for a management center with many users. You should take into account user and group definitions established throughout your OneLogin subdomain.


Configure User Role Mapping for Individual Users at the OneLogin IdP

Use the OneLogin Admin Portal to create a custom parameter for the management center service provider application and a custom user field. These provide the means for OneLogin to pass user role information to the management center during the SSO login process.

Before you begin

• Review the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on page 146.

• Create and configure a management center service provider application in OneLogin; see Configure the Management Center Service Provider Application for OneLogin, on page 146.

• Configure SSO user role mapping as described in Configure User Role Mapping for OneLogin at the Management Center, on page 149.

Procedure

Step 1 Create a custom parameter for the management center service provider application.

• For the Field Name, use the same name you used for the Group Member Attribute in the management center SSO configuration. (See Step 4 in Configure User Role Mapping for OneLogin at the Management Center, on page 149.)

• For the Value, provide a mnemonic name such as FMCUserRole. This must match the name of the custom user field you will configure in Step 2 of this procedure.

Step 2 Create a custom user field to contain user role information for each OneLogin user with access to the management center.

• For the field Name, provide a mnemonic name such as FMCUserRole. This must match the value provided for the application custom parameter described in Step 1 of this procedure.

• For the Short name, provide an abbreviated alternate name for the field. (This is used for OneLogin programmatic interfaces.)

Step 3 For each user with access to the management center service provider application, assign a value to the custom user field you created in Step 2 of this procedure.

When a user logs into the management center using SSO, the value you assign to this field for that user is the value the management center compares against the expressions you assigned to management center user roles in the SSO configuration. (See Step 5 in Configure User Role Mapping for OneLogin at the Management Center, on page 149.)

What to do next

• Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.


Configure User Role Mapping for Groups at the OneLogin IdP

Use the OneLogin Admin Portal to create a custom parameter for the management center service provider application and a custom user field. Assign OneLogin users to groups. Then create one or more mappings between the custom user field and the user group so OneLogin assigns a value to the custom user field based on the user's group membership. These provide the means for OneLogin to pass group-based user role information to the management center during the SSO login process.

OneLogin service provider applications may use one of two types of groups:

• Groups native to OneLogin.

• Groups synchronized from third-party applications such as Active Directory, Google Apps, or LDAP.

You may use either type of group for management center group role mapping. This documentation describes role mapping using OneLogin groups; using third-party application groups requires familiarity with the third-party user management application in use at your organization. See the OneLogin documentation for details.

Before you begin

• Review the OneLogin subdomain and its users and groups; see Review the OneLogin Subdomain, on page 146.

• Create and configure a management center service provider application in OneLogin; see Configure the Management Center Service Provider Application for OneLogin, on page 146.

• Configure SSO user role mapping as described in Configure User Role Mapping for OneLogin at the Management Center, on page 149.

Procedure

Step 1 Create a custom parameter for the management center service provider application.

• For the Field Name, use the same name you used for the Group Member Attribute in the management center SSO configuration. (See Step 4 in Configure User Role Mapping for OneLogin at the Management Center, on page 149.)

• For the Value, provide a mnemonic name such as FMCUserRole. This must match the name of the custom user field you will configure in Step 2 of this procedure.

Step 2 Create a custom user field to contain user role information for each OneLogin user with access to the management center.

• For the field Name, provide a mnemonic name such as FMCUserRole. This must match the value provided for the application custom parameter described in Step 1 of this procedure.

• For the Short name, provide an abbreviated alternate name for the field. (This is used for OneLogin programmatic interfaces.)

Step 3 Create one or more user field mappings to assign group-based values to the custom user field you created in Step 2 of this procedure. Create as many mappings as you need to assign the correct management center user role to each OneLogin user group.

• Create one or more Conditions for the mapping, comparing the user Group field against group names.

• If you create multiple Conditions, choose whether a user's group must match any or all of the conditions for the mapping to take place.

• Create an Action for the mapping, to assign a value to the custom user field you created in Step 2 of this procedure. Provide the field Name, and the string that OneLogin assigns to this custom user field for all users that meet the Conditions you specified.

The management center compares this string against the expressions you assign to each management center user role in Step 5 of Configure User Role Mapping for OneLogin at the Management Center, on page 149.

• Reapply All Mappings when you have completed your changes.

What to do next

• Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.

OneLogin User Role Mapping Examples

As the following examples demonstrate, the SSO configurations at the management center to support user role mapping are the same for both individual users and for groups. The difference lies in the settings at the management center service provider application in OneLogin.

Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.

The management center can support role mapping using only one custom user field configured in OneLogin.

Generally, group-based role mapping is more efficient for a management center with many users. You should take into account user and group definitions established throughout your OneLogin subdomain.

OneLogin Role Mapping Example for Individual User Accounts

In role mapping for individual users, the OneLogin management center service application has a custom parameter whose name matches the name of the Group Member attribute on the management center (in this example, UserRole). OneLogin also has a custom user field defined (in this example, FMCUserRole). The definition for the application custom parameter UserRole establishes that when OneLogin passes user role mapping information to the management center, it will use the value of the custom user field FMCUserRole for the user in question.

The following diagrams illustrate how the relevant fields and values in the management center and OneLogin configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the same SSO configurations at the management center and at the OneLogin Admin portal, but the configuration for each user at the OneLogin Admin portal differs to assign each user different roles at the management center.

• In this diagram [email protected] uses the FMCUserRole value PolicyAdmin and the management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.


• In this diagram [email protected] uses the FMCUserRole value FMCAdmin, and the management center assigns her the Administrator role.

• Other users assigned to the OneLogin service application for this management center are assigned the default user role Security Analyst (Read Only) for one of the following reasons:

  • They have no value assigned to the FMCUserRole custom user field.

  • The value assigned to the FMCUserRole custom user field does not match any expression configured for a user role in the SSO configuration at the management center.

OneLogin Role Mapping Example for Groups

In role mapping for groups, the OneLogin management center service application has a custom parameter whose name matches the name of the Group Member attribute on the management center (in this example, UserRole). OneLogin also has a custom user field defined (in this example, FMCUserRole). The definition for the application custom parameter UserRole establishes that when OneLogin passes user role mapping information to the management center, it will use the value of the custom user field FMCUserRole for the user in question. To support user group mapping, you must establish a mapping within OneLogin to assign a value for each user's FMCUserRole field based on that user's OneLogin group membership.

The following diagrams illustrate how the relevant fields and values in the management center and OneLogin configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO configurations at the management center and at the OneLogin Admin portal, but the configuration for each user at the OneLogin Admin portal differs to assign each user different roles at the management center.

• In this diagram [email protected] is a member of the OneLogin IdP group FMCPolicyAdminGroup. A OneLogin mapping assigns the value PolicyAdmin to the custom user field FMCUserRole for members of the FMCPolicyAdminGroup. The management center assigns Fred and other members of the FMCPolicyAdminGroup the roles Access Admin, Discovery Admin, and Intrusion Admin.


• In this diagram [email protected] is a member of the OneLogin IdP group FMCAdminGroup. A OneLogin mapping assigns the value FMCAdmin to the custom user field FMCUserRole for members of the FMCAdminGroup. The management center assigns Sue and other members of the FMCAdminGroup the Administrator role.

• In this diagram [email protected] is a member of the IdP group FMCMaintGroup. There is no OneLogin mapping associated with this group, so OneLogin does not assign a value to the custom user field FMCUserRole for Sean. The management center assigns Sean the default user role (Security Analyst (Read Only)) rather than the Maintenance User role.
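The Okta and OneLogin role mapping examples above share one management center side: every attribute value the IdP sends is compared against the RE2 expression of each user role, the user receives the union of matching roles, and the default role applies when nothing matches. What differs is how the IdP decides which values to send. The following added example (not Cisco's, Okta's or OneLogin's code) models both paths in Go, whose regexp package implements the RE2 syntax the guide requires. The per-role expressions in fmcRoleExpressions and the OneLogin mappings are constructed for illustration, since the guide shows the resulting roles but not the expressions behind them; the group names, field values and filter ^(.*)Admin$ are the guide's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Added example, not Cisco's, Okta's or OneLogin's code. The per-role expressions
// the management center would hold are constructed for illustration (the guide
// does not print them); they are RE2 syntax, which is what Go's regexp accepts.
var fmcRoleExpressions = map[string]string{
	"Administrator":   `^(FMCAdmin|Admin)$`,
	"Access Admin":    `^PolicyAdmin$`,
	"Discovery Admin": `^PolicyAdmin$`,
	"Intrusion Admin": `^PolicyAdmin$`,
}

const defaultRole = "Security Analyst (Read Only)" // the guide's Default User Role

// oktaGroupsToSend models the Okta group attribute statement: only group names
// matching the attribute's filter expression (the guide's ^(.*)Admin$) leave Okta.
func oktaGroupsToSend(filter string, groups []string) ([]string, error) {
	re, err := regexp.Compile(filter)
	if err != nil {
		return nil, err
	}
	var sent []string
	for _, g := range groups {
		if re.MatchString(g) {
			sent = append(sent, g)
		}
	}
	return sent, nil
}

// oneLoginMapping models a OneLogin user field mapping: Conditions on the user's
// Group field, the any/all combiner, and the Action value written to the field.
type oneLoginMapping struct {
	Groups   []string
	MatchAll bool
	Value    string
}

// oneLoginFieldValue returns the custom user field value (FMCUserRole in the
// guide) set by the first mapping the user's groups satisfy, or "" if none does.
func oneLoginFieldValue(mappings []oneLoginMapping, userGroups []string) string {
	member := map[string]bool{}
	for _, g := range userGroups {
		member[g] = true
	}
	for _, m := range mappings {
		hits := 0
		for _, g := range m.Groups {
			if member[g] {
				hits++
			}
		}
		if (m.MatchAll && hits == len(m.Groups)) || (!m.MatchAll && hits > 0) {
			return m.Value
		}
	}
	return ""
}

// fmcRoles is the management center side, identical for every IdP: each received
// attribute value is tested against every role's expression; the user gets the
// union of matching roles, or only the default role when nothing matches.
func fmcRoles(attrValues []string) ([]string, error) {
	granted := map[string]bool{}
	for role, expr := range fmcRoleExpressions {
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, fmt.Errorf("role %q: %w", role, err)
		}
		for _, v := range attrValues {
			if re.MatchString(v) {
				granted[role] = true
			}
		}
	}
	if len(granted) == 0 {
		return []string{defaultRole}, nil
	}
	roles := make([]string, 0, len(granted))
	for r := range granted {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles, nil
}

func main() {
	// Okta path, the guide's Sue: PolicyAdmin passes the filter, Maint is never sent.
	sent, _ := oktaGroupsToSend(`^(.*)Admin$`, []string{"PolicyAdmin", "Maint"})
	roles, _ := fmcRoles(sent)
	fmt.Println("Okta, Sue:", sent, "->", roles)
	// OneLogin path, the guide's Sean: no mapping covers FMCMaintGroup, so the
	// field stays empty and only the default role applies (mappings constructed).
	mappings := []oneLoginMapping{{Groups: []string{"FMCAdminGroup"}, Value: "FMCAdmin"},
		{Groups: []string{"FMCPolicyAdminGroup"}, Value: "PolicyAdmin"}}
	v := oneLoginFieldValue(mappings, []string{"FMCMaintGroup"})
	roles, _ = fmcRoles([]string{v})
	fmt.Printf("OneLogin, Sean: field=%q -> %v\n", v, roles)
}
```

Two points the examples make are visible in the code: a group the IdP never sends (Okta's Maint) or a field left empty (OneLogin's FMCMaintGroup) cannot influence the result, so the only way to grant Maintenance User is to add a matching expression at the management center and make sure the IdP actually transmits the value; and because roles are a union, one attribute value such as PolicyAdmin can satisfy several role expressions at once.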


Configure Single Sign-On with Azure AD

See the following tasks to configure SSO using Azure:

• At the Azure AD Portal: Review the Azure Tenant, on page 158

• At the Azure AD Portal: Configure the Management Center Service Provider Application for Azure, on page 158

• At the management center: Enable Single Sign-On at the Management Center, on page 132

• At the management center: Configure the Management Center for Azure SSO, on page 160

• At the management center: Configure User Role Mapping for Azure at the Management Center, on page 161

• At the Azure AD Portal: Configure User Role Mapping at the Azure IdP, on page 162

Review the Azure Tenant

Azure AD is Microsoft's multitenant cloud-based identity and access management service. In Azure, the entity that encompasses all the federated devices that a user can access with the same SSO account is called a tenant.

Before adding the management center to an Azure tenant, be familiar with its organization; consider the following questions:

• How many users will have access to the management center?

• Are users within the Azure tenant members of groups?

• Are users and groups from another directory product?

• Do you need to add more users or groups to the Azure tenant to support SSO on the management center?

• What kind of management center user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)

• How must users and groups within the Azure tenant be organized to support the required user role mapping?

• Keep in mind that you can configure management center roles to be mapped based on individual users or based on groups, but a single management center application cannot support role mapping for both groups and individual users.

This documentation assumes you are already familiar with the Azure Active Directory Portal and have an account with application admin privileges for the Azure AD tenant. Keep in mind that the management center supports Azure SSO only with tenant-specific single sign-on and single sign-out endpoints. You must have an Azure AD Premium P1 or above license and Global Administrator permissions; see Azure documentation for more information.

Configure the Management Center Service Provider Application for Azure

Use the Azure Active Directory Portal to create a management center service provider application within your Azure Active Directory tenant and establish basic configuration settings.

Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.


Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from OneLogin to the management center.

Before you begin

• Familiarize yourself with your Azure tenant and its users and groups; see Review the Azure Tenant, on page 158.

• Create user accounts and/or groups in your Azure tenant if necessary.

Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.

• Confirm the login URL for the target management center (https://ipaddress_or_hostname).

Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.

Procedure

Step 1 Create the management center service provider application using the Azure AD SAML Toolkit as its basis.

Step 2 Configure the application with the following settings for Basic SAML Configuration:

• For the Identifier (Entity ID) append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.

• For the Reply URL (Assertion Consumer Service URL) append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

• For the Sign on URL append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

Step 3 Edit the Unique User Identifier (Name ID) claim for the application to force the username for sign-on at the management center to be the email address associated with the user account:

• For Source choose Attribute.

• For Source attribute choose user.mail.

Step 4 Generate a certificate to secure SSO on the management center. Use the following options for the certificate:

• Select Sign SAML Response and Assertion for the Signing Option.

• Select SHA-256 for the Signing Algorithm.

Step 5 Download the Base-64 version of the certificate to your local computer; you will need it when you configure Azure SSO at the management center web interface.

Step 6 In the SAML-based Sign-on information for the application, note the following values:

• Login URL

• Azure AD Identifier

You will need these values when you configure Azure SSO at the management center web interface.

Step 7 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata file for the management center service provider application (called the Federation Metadata XML in the Azure Portal) to your local computer.

Step 8 Assign existing Azure users and groups to the management center service application.

Note If you plan to assign user groups to the management center application, do not also assign users within those groups as individuals.

Note If you plan to configure user role mapping, you can configure roles to be mapped based on individual user permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users.

What to do next

Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Configure the Management Center for Azure SSO

Use these instructions at the management center web interface.

Before you begin

• Create a management center service provider application at the Azure AD Portal; see Configure the Management Center Service Provider Application for Azure, on page 158.

• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Procedure

Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure Azure Metadata dialog, you have two choices:

• To enter the SSO configuration information manually:

a. Click the Manual Configuration radio button.

b. Enter the values you retrieved from the Azure SSO service provider application:

• For Identity Provider Single Sign-On URL enter the Login URL you noted in Step 6 of Configure the Management Center Service Provider Application for Azure, on page 158.

• For Identity Provider Issuer enter the Azure AD Identifier you noted in Step 6 of Configure the Management Center Service Provider Application for Azure, on page 158.

• For the X.509 Certificate, use the certificate you downloaded from Azure in Step 5 of Configure the Management Center Service Provider Application for Azure, on page 158. (Use a text editor to open the certificate file, copy the contents, and paste it into the X.509 Certificate field.)

• If you saved the XML metadata file generated by Azure to your local computer (Step 7 of Configure the Management Center Service Provider Application for Azure, on page 158), you can upload the file to the management center:

a. Click the Upload XML File radio button.

b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.

Step 2 Click Next.

Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.

Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the Azure service provider application, correct any errors, and try again.

Step 5 When the system reports a successful configuration test, click Apply.

What to do next

You may optionally configure role mapping for SSO users; see Configure User Role Mapping for Azure at the Management Center, on page 161. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the default user role you configure in Step 4 of Configure User Role Mapping for Azure at the Management Center, on page 161.

Configure User Role Mapping for Azure at the Management Center

The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping.

Before you begin

• Review the existing Azure users and groups; see Review the Azure Tenant, on page 158.

• Configure an SSO service provider application for the management center; see Configure the Management Center Service Provider Application for Azure, on page 158.

• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center for Azure SSO, on page 160.


Procedure

Step 1 Choose System > Users.

Step 2 Click the Single Sign-On tab.

Step 3 Expand Advanced Configuration (Role Mapping).

Step 4 Select a management center user role to assign users as a default value from the Default User Role drop-down.

Step 5 Enter a Group Member Attribute. This string must match the name of the user claim you create for the management center service provider application in Azure; see Step 1 of Configure User Role Mapping for Individual Users at the Azure IdP, on page 163, or Step 1 of Configure User Role Mapping for Groups at the Azure IdP, on page 164.

Step 6 Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The management center uses a restricted version of Google's RE2 regular expression standard supported by Golang and Perl.) The management center compares these values against the user role mapping attribute value the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.

What to do next

Configure user role mapping at the service provider application; see Configure User Role Mapping at the Azure IdP, on page 162.

Configure User Role Mapping at the Azure IdP

You can configure SSO user role mapping at the Azure AD Portal based on individual user permissions or based on group permissions.

• To map based on individual user permissions, see Configure User Role Mapping for Individual Users at the Azure IdP.

• To map based on group permissions, see Configure User Role Mapping for Groups at the Azure IdP.

When an SSO user logs into the management center, Azure presents to the management center a user or group role attribute value that gets its value from an application role configured at the Azure AD Portal. The management center compares that attribute value against the regular expression assigned to each management center user role in the SSO configuration, and grants the user all the roles for which a match is found. (If no match is found, the management center grants the user a configurable default user role.) The expression you assign to each management center user role must comply with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. The management center treats the attribute value received from Azure as a regular expression using that same standard for purposes of comparison with the management center user role expressions.

Note A single management center cannot support role mapping for both groups and individual users; you must choose one mapping method for the management center service provider application and use it consistently.

The management center can support role mapping using only one claim configured in Azure. Generally, group-based role mapping is more efficient for a management center with many users. You should take into account user and group definitions established throughout your Azure tenant.
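The following Python is an added example, not Cisco's code, of the comparison described above: a constructed expression table in the shape of the Advanced Configuration (Role Mapping) fields, a claim value (or a list of values, as a user inheriting several roles from several groups would present) standing in for the user.assignedroles claim, and the resulting union of roles with the default role as the fallback. The page does not state whether the management center applies a search-style or a full match; the example assumes a search-style match and shows why anchoring each expression with ^ and $ matters: an unanchored `Admin` also matches PolicyAdmin and would grant Administrator to users who should not have it. The role and claim names are the guide's own examples.

```python
import re

# Constructed expression table (not FMC code): management center user role ->
# the expression entered next to that role in Advanced Configuration (Role Mapping).
# Every expression is anchored so "FMCAdmin" cannot also match "NotFMCAdmin".
ROLE_EXPRESSIONS = {
    "Administrator":   r"^FMCAdmin$",
    "Access Admin":    r"^(PolicyAdmin|AccessAdmin)$",
    "Discovery Admin": r"^(PolicyAdmin|DiscoveryAdmin)$",
    "Intrusion Admin": r"^PolicyAdmin$",
}
DEFAULT_ROLE = "Security Analyst (Read Only)"


def roles_for_claim(claim, role_expressions=ROLE_EXPRESSIONS, default_role=DEFAULT_ROLE):
    """Return the sorted list of management center roles granted for a role claim.

    `claim` stands in for the value of the user.assignedroles claim Azure sends: a
    single string for one application role, a list when a user inherits several
    roles from several groups, or None when no role is assigned. Every role whose
    expression matches any claim value is granted (a union); if nothing matches,
    the configured default role is granted instead. Search-style matching is an
    assumption of this example; anchored expressions behave the same under a full match.
    """
    if claim is None:
        values = []
    elif isinstance(claim, str):
        values = [claim]
    else:
        values = list(claim)
    granted = set()
    for role, expression in role_expressions.items():
        pattern = re.compile(expression)
        if any(pattern.search(value) for value in values):
            granted.add(role)
    return sorted(granted) if granted else [default_role]


# The pitfall: "Admin" is a substring of every custom role value in the guide's
# examples, so this one unanchored mapping would make every PolicyAdmin an Administrator.
OVERBROAD_EXPRESSIONS = {"Administrator": r"Admin"}


def over_granted(claim_values, expressions=OVERBROAD_EXPRESSIONS):
    """List the claim values an expression table would map to Administrator."""
    return [v for v in claim_values if "Administrator" in roles_for_claim(v, expressions)]


if __name__ == "__main__":
    for claim in ("FMCAdmin", "PolicyAdmin", ["AccessAdmin", "DiscoveryAdmin"], "Maint", None):
        print(claim, "->", roles_for_claim(claim))
    print("unanchored 'Admin' grants Administrator to:",
          over_granted(["FMCAdmin", "PolicyAdmin", "Maint"]))
```

Run it as a script to see each sample claim resolved. When you test a role mapping scheme, include a claim value that is a superstring of a privileged one (here NotFMCAdmin) alongside the expected ones, so an unanchored expression shows up as an unexpected grant rather than in production.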


Configure User Role Mapping for Individual Users at the Azure IdP

To establish role mapping for individual users of the management center service application in Azure, use the Azure AD Portal to add a claim to the application, add roles to the application's registration manifest, and assign roles to users.

Before you begin

• Review the Azure tenant; see Review the Azure Tenant, on page 158.

• Create and configure a management center service provider application in Azure; see Configure the Management Center Service Provider Application for Azure, on page 158.

• Configure SSO user role mapping as described in Configure User Role Mapping for Azure at the Management Center, on page 161.

Procedure

Step 1 Add a user claim to the SSO configuration for the management center service application with the following characteristics:

• Name: Use the same string you entered for the Group Member Attribute in the management center SSO configuration. (See Step 5 in Configure User Role Mapping for Azure at the Management Center, on page 161.)

• Source: Choose Attribute.

• Source attribute: Choose user.assignedroles.

Step 2 Edit the manifest for the management center service application (in JSON format) and add application roles to represent management center user roles you wish to assign to SSO users. The simplest approach is to copy an existing application role definition and change the following properties:

• displayName: The name for the role that will appear in the Azure AD Portal.

• description: A brief description of the role.

• id: An alphanumeric string that must be unique among id properties within the manifest.

• value: A string to represent one or more management center user roles. (Azure does not permit spaces in this string.)

Step 3 For each user assigned to the management center service application, assign one of the application roles you have added to the manifest for that application. When a user logs in to the management center using SSO, the application role you assign to that user is the value Azure sends to the management center in the claim for the service application. The management center compares the claim against the expressions you assigned to management center user roles in the SSO configuration (see Step 6 of Configure User Role Mapping for Azure at the Management Center, on page 161), and assigns the user all the management center user roles for which there is a match.


What to do next

• Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.

Configure User Role Mapping for Groups at the Azure IdP

To establish role mapping for user groups for the management center service application in Azure, use the Azure AD Portal to add a claim to the application, add roles to the application's registration manifest, and assign roles to groups.

Before you begin

• Review the Azure tenant; see Review the Azure Tenant, on page 158.

• Create and configure a management center service provider application in Azure; see Configure the Management Center Service Provider Application for Azure, on page 158.

• Configure SSO user role mapping as described in Configure User Role Mapping for Azure at the Management Center, on page 161.

Procedure

Step 1 Add a user claim to the SSO configuration for the management center service application with the following characteristics:

• Name: Use the same string you entered for the Group Member Attribute in the management center SSO configuration. (See Step 5 in Configure User Role Mapping for Azure at the Management Center, on page 161.)

• Source: Choose Attribute.

• Source attribute: Choose user.assignedroles.

Step 2 Edit the manifest for the management center service application (in JSON format) and add application roles to represent management center user roles you wish to assign to SSO users. The simplest approach is to copy an existing application role definition and change the following properties:

• displayName: The name for the role that will appear in the Azure AD Portal.

• description: A brief description of the role.

• id: An alphanumeric string that must be unique among id properties within the manifest.

• value: A string to represent one or more management center user roles. (Azure does not permit spaces in this string.)

Step 3 For each group assigned to the management center service application, assign one of the application roles you have added to the manifest for that application. When a user logs in to the management center using SSO, the application role you assign to that user's group is the value Azure sends to the management center in the claim for the service application. The management center compares the claim against the expressions you assigned to management center user roles in the SSO configuration (see Step 6 of Configure User Role Mapping for Azure at the Management Center, on page 161), and assigns the user all the management center user roles for which there is a match.
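Both the individual-user procedure and the group procedure above edit the same appRoles section of the application manifest (Step 2 in each). The following Python, an added example and neither Cisco's nor Microsoft's code, builds appRoles entries that satisfy the constraints those steps list (a unique id, no spaces in value) and merges them into a downloaded manifest, refusing an id or value that is already present. The role names are the guide's own examples; SAMPLE_MANIFEST is constructed, the field set follows the Azure AD application manifest schema as the author of this example understands it, and sequential_ids exists only to make the output reproducible.

```python
import json
import re
import uuid

# Constructed role specifications (displayName, description, value); the names are
# the guide's own examples. `value` is what Azure places in the user.assignedroles claim.
ROLE_SPECS = [
    ("FMC Administrator", "Administrator on the management center", "FMCAdmin"),
    ("Policy Administrator", "Access, Discovery and Intrusion Admin on the management center", "PolicyAdmin"),
    ("Maintenance", "Maintenance user on the management center", "Maint"),
]

# Azure rejects spaces in `value`; this example further restricts it to characters
# that are easy to match with an anchored expression at the management center.
VALUE_PATTERN = re.compile(r"^[A-Za-z0-9_.-]+$")


def sequential_ids(start=1):
    """Deterministic id factory for demos and tests; real runs use uuid.uuid4."""
    counter = [start]

    def next_id():
        value = uuid.UUID(int=counter[0])
        counter[0] += 1
        return value
    return next_id


def build_app_roles(specs, id_factory=uuid.uuid4):
    """Build appRoles entries from (displayName, description, value) tuples.

    Field set per the Azure AD application manifest schema as the author of this
    example understands it: allowedMemberTypes ["User"] permits assignment to users
    and to groups, so the same entries serve both mapping procedures.
    """
    roles, seen_values = [], set()
    for display_name, description, value in specs:
        if not VALUE_PATTERN.match(value):
            raise ValueError(f"invalid value {value!r}: no spaces or unusual characters")
        if value in seen_values:
            raise ValueError(f"duplicate value {value!r} within the new roles")
        seen_values.add(value)
        roles.append({
            "allowedMemberTypes": ["User"],
            "description": description,
            "displayName": display_name,
            "id": str(id_factory()),
            "isEnabled": True,
            "value": value,
        })
    return roles


def merge_app_roles(manifest_json, new_roles):
    """Parse a downloaded manifest, append new_roles, and return the manifest dict.

    Refuses an id or value that already exists: a duplicate id breaks the manifest,
    and a duplicate value would make two Azure roles indistinguishable in the claim.
    """
    manifest = json.loads(manifest_json)
    existing = manifest.setdefault("appRoles", [])
    ids = {role["id"] for role in existing}
    values = {role["value"] for role in existing if role.get("value")}
    for role in new_roles:
        if role["id"] in ids:
            raise ValueError(f"id {role['id']} already present in manifest")
        if role["value"] in values:
            raise ValueError(f"value {role['value']!r} already present in manifest")
        ids.add(role["id"])
        values.add(role["value"])
        existing.append(role)
    return manifest


def manifest_to_json(manifest):
    """Serialize for pasting back into the portal's manifest editor."""
    return json.dumps(manifest, indent=2)


# Constructed stand-in for a manifest downloaded from the portal that already has one role.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "appRoles": [{
        "allowedMemberTypes": ["User"],
        "description": "Role that was already in the manifest",
        "displayName": "Existing",
        "id": "11111111-1111-1111-1111-111111111111",
        "isEnabled": True,
        "value": "Existing",
    }],
})

if __name__ == "__main__":
    print(manifest_to_json(merge_app_roles(SAMPLE_MANIFEST, build_app_roles(ROLE_SPECS))))
```

Keep the value strings as short, distinct tokens: they are what the management center's expressions are matched against, and a value that is a superstring of another (PolicyAdmin and Admin, say) only works safely with anchored expressions on the management center side.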

What to do next

Test your role mapping scheme by logging into the management center using SSO from various accounts and confirming that users are assigned management center user roles as you expect.

Azure User Role Mapping Examples

As the following examples demonstrate, the SSO configurations at the management center to support user role mapping are the same for both individual users and for groups. The difference lies in the settings at the management center service provider application in Azure.

Note You can configure management center roles to be mapped based on individual permissions or based on group permissions, but a single management center application cannot support role mapping for both groups and individual users. The management center can support role mapping using only one claim configured in Azure.

Azure Role Mapping Example for Individual User Accounts

In role mapping for individual users, the Azure management center service application has custom roles defined within its manifest. (In this case, FMCAdmin and PolicyAdmin.) These roles can be assigned to users; Azure stores role assignments for each user in that user's assignedroles attribute. The application also has a custom user claim defined, and this claim is configured to get its value from the assigned user role for a user logging into the management center using SSO. Azure passes the claim value to the management center during the SSO login process, and the management center compares the claim value against strings assigned to each management center user role in the management center SSO configuration.

The following diagrams illustrate how the relevant fields and values in the management center and Azure configurations correspond to each other in user role mapping for individual accounts. Each diagram uses the same SSO configurations at the management center and at the Azure AD portal, but the configuration for each user at the Azure AD portal differs to assign each user different roles at the management center.

• In this diagram sue@example.com uses the assignedroles attribute value FMCAdmin, and the management center assigns her the management center Administrator role.


• In this diagram fred@example.com uses the assignedroles attribute value PolicyAdmin, and the management center assigns him the roles Access Admin, Discovery Admin, and Intrusion Admin.

• Other users assigned to the Azure service application for this management center are assigned the default user role Security Analyst (Read Only) for one of the following reasons:

• They have no value assigned to their assignedroles attribute.

• The value assigned to their assignedroles attribute does not match any expression configured for a user role in the SSO configuration at the management center.

Azure Role Mapping Example for Groups

In role mapping for groups, the Azure management center service application has custom roles defined within its manifest. (In this case, FMCAdmin, AccessAdmin, DiscoveryAdmin, and Maint.) These roles can be assigned to groups; Azure passes the role assignments for each group to the assignedroles attribute of the group's members.

The application also has a custom user claim defined, and this claim is configured to get its value from the assigned user role for a user logging into the management center using SSO. Azure passes the claim value to the management center during the SSO login process, and the management center compares the claim value against strings assigned to each management center user role in the management center SSO configuration.

The following diagrams illustrate how the relevant fields and values in the management center and Azure configurations correspond to each other in user role mapping for groups. Each diagram uses the same SSO configurations at the management center and at the Azure AD portal, but each user's group memberships at the Azure AD portal differ, so each user is assigned different roles at the management center.

• In this diagram sue@example.com is a member of the groups FMCAccessAdmins and FMCDiscoveryAdmins. From these groups she inherits the custom roles AccessAdmin and DiscoveryAdmin. When Sue logs into the management center using SSO, the management center assigns her the roles Access Admin and Discovery Admin.


• In this diagram fred@example.com is a member of the FMCAdmins group, from which he inherits the custom role FMCAdmin. When Fred logs into the management center using SSO, the management center assigns him the Administrator role.


• In this diagram sean@example.com is a member of the FMCMaintUsers group, but because no custom role has been assigned to FMCMaintUsers within the Azure management center service provider application, Sean has no roles assigned to him, and when he logs into the management center using SSO, the management center assigns him the default role Security Analyst (Read Only).


Configure Single Sign-On with PingID

See the following tasks to configure SSO using PingID's PingOne for Customers product:

• At the PingOne for Customers Administrator's Console: Review the PingID PingOne for Customers Environment, on page 171.

• At the PingOne for Customers Administrator's Console: Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.

• At the management center: Enable Single Sign-On at the Management Center, on page 132.

• At the management center: Configure the Management Center for SSO with PingID PingOne for Customers, on page 173.

Review the PingID PingOne for Customers Environment

PingOne for Customers is PingID's cloud-hosted identity-as-a-service (IDaaS) product. In PingOne for Customers, the entity that encompasses all the federated devices that a user can access with the same SSO account is called an environment. Before adding the management center to a PingOne environment, be familiar with its organization; consider the following questions:

• How many users will have access to the management center?

• Do you need to add more users to support SSO access to the management center?

This documentation assumes you are already familiar with the PingOne for Customers Administrator Console and have an account with the Organization Admin role.

Configure the Management Center Service Provider Application for PingID PingOne for Customers

Use the PingOne for Customers Administrator Console to create a management center service provider application within your PingOne for Customers environment and establish basic configuration settings. This documentation does not describe all the PingOne for Customers functions you need to establish a fully functional SSO environment; for instance, to create users see the PingOne for Customers documentation.

Before you begin

• Familiarize yourself with your PingOne for Customers environment and its users.

• Create additional users if necessary.

Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.


• Confirm the login URL for the target management center (https://ipaddress_or_hostname).

Note If your management center web interface can be reached with multiple URLs (for instance, a fully-qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.

Procedure

Step 1 Use the PingOne for Customers Administrator Console to create the application in your environment using these settings:

• Choose the Web App application type.

• Choose the SAML connection type.

Step 2 Configure the application with the following settings for the SAML Connection:

• For the ACS URL, append the string /saml/acs to the management center login URL. For example: https://ExampleFMC/saml/acs.

• For the Signing Certificate, choose Sign Assertion & Response.

• For the Signing Algorithm choose RSA_SHA256.

• For the Entity ID, append the string /saml/metadata to the management center login URL. For example: https://ExampleFMC/saml/metadata.

• For the SLO Binding select HTTP POST.

• For the Assertion Validity Duration enter 300.

Step 3 In the SAML Connection information for the application, note the following values:

• Single Sign-On Service

• Issuer ID

You will need these values when you configure SSO using PingID's PingOne for Customers product at the management center web interface.

Step 4 For SAML ATTRIBUTES, make the following selections for a single required attribute:

• PINGONE USER ATTRIBUTE: Email Address

• APPLICATION ATTRIBUTE: saml_subject

Step 5 Download the signing certificate in X509 PEM (.crt) format and save it to your local computer.

Step 6 (Optional) To make SSO setup at the management center easier, you can download the SAML XML metadata file for the management center service provider application to your local computer.


Step 7 Enable the application.

What to do next

Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Configure the Management Center for SSO with PingID PingOne for Customers

Use these instructions at the management center web interface.

Before you begin

• Create a management center service provider application at the PingOne for Customers Administrator Console; see Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.

• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Procedure

Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure PingID Metadata dialog, you have two choices:

• To enter the SSO configuration information manually:

a. Click the Manual Configuration radio button.

b. Enter the values you retrieved from the PingOne for Customers Administrator Console:

• For Identity Provider Single Sign-On URL enter the Single Sign-On Service you noted in Step 3 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.

• For Identity Provider Issuer enter the Issuer ID you noted in Step 3 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171.

• For the X.509 Certificate, use the certificate you downloaded from PingOne for Customers in Step 5 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171. (Use a text editor to open the certificate file, copy the contents, and paste it into the X.509 Certificate field.)

• If you saved the XML metadata file generated by PingOne for Customers to your local computer (Step 6 of Configure the Management Center Service Provider Application for PingID PingOne for Customers, on page 171), you can upload the file to the management center:

a. Click the Upload XML File radio button.

b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.

Step 2 Click Next.

Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.

Step 4 Expand Advanced Configuration (Role Mapping).

Step 5 Select a management center user role to assign users as a default value from the Default User Role drop-down.

Step 6 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the PingOne for Customers service provider application, correct any errors, and try again.

Step 7 When the system reports a successful configuration test, click Apply.

Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider

The management center supports single sign-on with any SSO identity provider (IdP) compliant with the SAML 2.0 SSO protocol. Generic instructions to use a wide range of SSO providers must address the tasks to be performed at a high level; establishing SSO using a provider not specifically addressed in this documentation requires that you be proficient with the IdP of your choice. These tasks help you determine the steps to configure the management center for single sign-on using any SAML 2.0-compliant SSO provider:

• At the IdP administration application: Familiarize Yourself with the SSO Identity Provider and the SSO Federation, on page 175.

• At the IdP administration application: Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.

• At the management center: Enable Single Sign-On at the Management Center, on page 132.

• At the management center: Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.

• At the management center: Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178.

• At the IdP administration application: Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.

Familiarize Yourself with the SSO Identity Provider and the SSO Federation

Read the IdP vendor documentation with the following considerations in mind:

• Does the SSO provider require that users subscribe to or register with any services before using the IdP?

• What terminology does the SSO provider use for common SSO concepts? For instance, to refer to a group of federated service provider applications, Okta uses "org" where Azure uses "tenant."

• Does the SSO provider support SSO exclusively, or a suite of functions—for instance, multifactor authentication or domain management? (This can affect configuration of some elements shared between features—especially users and groups.)

• What permissions does an IdP user account need to configure SSO?

• What configurations does the SSO provider require you to establish for a service provider application?

For instance, Okta automatically generates an X509 Certificate to secure its communications with the management center, while Azure requires that you generate that certificate using the Azure portal interface.

• How are users and groups created and configured? How are users assigned to groups? How are users and groups granted access to service provider applications?

• Does the SSO provider require that at least one user be assigned to a service provider application before the SSO connection can be tested?

• Does the SSO provider support user groups? How are user and group attributes configured? How can you map attributes to management center user roles in the SSO configuration?

• Do you need to add more users or groups to the federation to support SSO on the management center?

• Are users within the federation members of groups?

• Are user and group definitions native to the IdP or imported from a user management application such as Active Directory, RADIUS, or LDAP?

• What kind of user role assignments do you want to make? (If you choose not to assign user roles, the management center automatically assigns a configurable default user role to all SSO users.)

• How must users and groups within the federation be organized to support your plan for user role mapping?

Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider

Generally, SSO providers require that you configure a service provider application at the IdP for each federated application. All IdPs that support SAML 2.0 SSO need the same configuration information for service provider applications, but some IdPs automatically generate some configuration settings for you, while others require that you configure all settings yourself.

Note If you plan to assign user groups to the management center Application, do not also assign users within those groups as individuals.

Note The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from the IdP to the management center.

Before you begin

• Familiarize yourself with the SSO federation and its users and groups; see Familiarize Yourself with the SSO Identity Provider and the SSO Federation, on page 175.

• Confirm your IdP account has the necessary permissions to perform this task.

• Create user accounts and/or groups in your SSO federation if necessary.

Note The system requires that user names for SSO accounts, as well as the NameID attribute the IdP sends to the management center during the SAML login process, must both be valid email addresses. Many IdPs automatically use the username of the user trying to log on as the NameID attribute, but you should confirm this is the case for your IdP. Keep this in mind when configuring a service provider application at your IdP and creating IdP user accounts that are to be granted SSO access to the management center.

• Confirm the login URL for the target management center (https://ipaddress_or_hostname).

Note If your management center web interface can be reached with multiple URLs (for instance, a fully qualified domain name as well as an IP address), SSO users must consistently access the management center using the login URL that you configure in this task.

Procedure

Step 1 Create a new service provider application at the IdP.

Step 2 Configure values required by the IdP. Be sure to include the fields listed below, required to support SAML 2.0 SSO functionality with the management center. (Because different SSO service providers use different terminology for SAML concepts, this list provides alternate names for these fields to help you find the right settings in the IdP application.)

• Service Provider Entity ID, Service Provider Identifier, Audience URI: A globally unique name for the service provider (the management center), formatted as a URL. To create this, append the string /saml/metadata to the management center login URL, such as https://ExampleFMC/saml/metadata.

• Single Sign on URL, Recipient URL, Assertion Consumer Service URL: The service provider (management center) address to which the browser sends information on behalf of the IdP. To create this, append the string /saml/acs to the management center login URL, such as https://ExampleFMC/saml/acs.

• X.509 Certificate: Certificate to secure communications between the management center and the IdP. Some IdPs may automatically generate the certificate, and some may require that you explicitly generate it using the IdP interface.

Step 3 (Optional if you are assigning groups to the application) Assign individual users to the management center application. (If you plan to assign groups to the management center application, do not assign members of those groups as individuals.)

Step 4 (Optional if you are assigning individual users to the application) Assign user groups to the management center application.

Step 5 (Optional) Some IdPs provide the ability to generate a SAML XML metadata file containing the information you have configured in this task, formatted to comply with SAML 2.0 standards. If your IdP provides this ability, you can download the file to your local computer to ease the SSO configuration process at the management center.

What to do next

Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.

Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider

Use these instructions at the management center web interface. To configure the management center for SSO using any SAML 2.0-compliant SSO provider, you need information from the IdP.

Before you begin

• Review the organization of your SSO federation, and its users and groups.

• Configure a management center service provider application at the IdP; see Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.

• Gather the following SSO configuration information for the service provider application from the IdP.

Because different SSO service providers use different terminology for SAML concepts, this list provides alternate names for these fields to help you find the right values in the IdP application:

• Identity Provider Single Sign-On URL, Login URL: The IdP URL where the browser sends information on behalf of the management center.

• Identity Provider Issuer, Identity Provider Issuer URL, Issuer URL: A globally unique name for the IdP, often formatted as a URL.

• An X.509 digital certificate to secure communications between the management center and the IdP.

• Enable single sign-on; see Enable Single Sign-On at the Management Center, on page 132.


Procedure

Step 1 (This step continues directly from Enable Single Sign-On at the Management Center, on page 132.) At the Configure SAML Metadata dialog, you have two choices:

• To enter the SSO configuration information manually:

a. Click the Manual Configuration radio button.

b. Enter the following values previously obtained from the SSO Service Provider application:

• Identity Provider Single Sign-On URL

• Identity Provider Issuer

• X.509 Certificate

• If you saved the XML metadata file generated at the IdP (Step 5 in Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175), you can upload the file to the management center:

a. Click the Upload XML File radio button.

b. Follow the on-screen instructions to navigate to and choose the XML metadata file on your local computer.

Step 2 Click Next.

Step 3 At the Verify Metadata dialog, review the configuration parameters and click Save.

Step 4 Click Test Configuration. If the system displays an error message, review the SSO configuration for the management center as well as the service provider application configuration at the IdP, correct any errors, and try again.

Step 5 When the system reports a successful configuration test, click Apply.
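The manual path of Step 1 asks for three values, and the upload path asks for the same three values packaged as an IdP metadata file. The following Go program is an added example, not part of this guide or of the management center software: it extracts the Identity Provider Issuer (the metadata entityID), the Single Sign-On URL and the signing X.509 certificate from a constructed metadata document, and derives the two service provider values (Entity ID and Assertion Consumer Service URL) from a management center login URL the way the IdP-side procedure describes. The metadata document, its entityID, URLs and certificate body are placeholders; preferring the HTTP-POST binding over HTTP-Redirect when both are advertised is this example's assumption, not a rule from the guide.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// SampleIdPMetadata is constructed for this example. The entityID, the URLs and
// the certificate body are placeholders, not values from any real deployment.
const SampleIdPMetadata = `<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/placeholder-issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC...PLACEHOLDER-BASE64-CERTIFICATE...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect-placeholder"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post-placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`

// Struct tags use local element names only, so the md: and ds: prefixes
// in the document do not matter to the decoder.
type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}

type ssoService struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}

type entityDescriptor struct {
	EntityID string          `xml:"entityID,attr"`
	Keys     []keyDescriptor `xml:"IDPSSODescriptor>KeyDescriptor"`
	SSO      []ssoService    `xml:"IDPSSODescriptor>SingleSignOnService"`
}

// IdPConfig holds the three values the Manual Configuration dialog asks for.
type IdPConfig struct {
	SingleSignOnURL string
	Issuer          string
	X509Certificate string // base64 body as carried in the metadata, whitespace removed
}

// ParseIdPMetadata pulls the manual-configuration values out of a SAML 2.0 IdP
// metadata document and fails closed when any of the three is missing.
func ParseIdPMetadata(doc string) (IdPConfig, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(doc), &ed); err != nil {
		return IdPConfig{}, fmt.Errorf("metadata is not well-formed XML: %w", err)
	}
	cfg := IdPConfig{Issuer: ed.EntityID}
	if cfg.Issuer == "" {
		return IdPConfig{}, fmt.Errorf("metadata has no entityID (Identity Provider Issuer)")
	}
	// Only a signing key can verify the IdP's assertions; an encryption-only key is not usable here.
	for _, k := range ed.Keys {
		if k.Use == "signing" || k.Use == "" {
			cfg.X509Certificate = strings.Join(strings.Fields(k.Cert), "")
			break
		}
	}
	if cfg.X509Certificate == "" {
		return IdPConfig{}, fmt.Errorf("metadata carries no signing X509Certificate")
	}
	const post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	const redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	for _, want := range []string{post, redirect} { // assumption: prefer POST over Redirect
		for _, s := range ed.SSO {
			if s.Binding == want && s.Location != "" {
				cfg.SingleSignOnURL = s.Location
				return cfg, nil
			}
		}
	}
	return IdPConfig{}, fmt.Errorf("metadata advertises no HTTP-POST or HTTP-Redirect SingleSignOnService")
}

// SPIdentifiers derives the service provider Entity ID (login URL + /saml/metadata)
// and Assertion Consumer Service URL (login URL + /saml/acs) from the management
// center login URL; a trailing slash on the login URL is dropped first.
func SPIdentifiers(loginURL string) (entityID, acsURL string) {
	base := strings.TrimRight(loginURL, "/")
	return base + "/saml/metadata", base + "/saml/acs"
}

func main() {
	cfg, err := ParseIdPMetadata(SampleIdPMetadata)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("Identity Provider Single Sign-On URL:", cfg.SingleSignOnURL)
	fmt.Println("Identity Provider Issuer:", cfg.Issuer)
	fmt.Println("X.509 Certificate (first 20 chars):", cfg.X509Certificate[:20])
	e, a := SPIdentifiers("https://ExampleFMC/")
	fmt.Println("Service Provider Entity ID:", e)
	fmt.Println("Assertion Consumer Service URL:", a)
}
```

Because the program fails when the metadata has no signing certificate or no usable SingleSignOnService, it reproduces the two omissions that most often make Test Configuration fail after an upload: an IdP export that contains only an encryption key, or one that lists a binding the management center does not use.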

What to do next

You may optionally configure user role mapping for SSO users; see Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178. If you choose not to configure role mapping, by default all SSO users that log into the management center are assigned the default user role you configure in Step 4 of Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers, on page 178.

Configure User Role Mapping at the Management Center for SAML 2.0-Compliant SSO Providers

To implement SAML SSO user role mapping you must establish coordinating configurations at the IdP and at the management center.

• At the IdP, establish user or group attributes to convey user role information and assign values to them; the IdP sends these to the management center once it has authenticated and authorized an SSO user.

• At the management center, associate values with each of the management center user roles you want to assign to users.


When the IdP sends the management center the user or group attribute associated with an authorized user, the management center compares the attribute value against values associated with each management center user role, and assigns the user all the roles that produce a match. The management center performs this comparison treating both values as regular expressions complying with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl.

The fields to configure for user role mapping at the management center web interface are the same regardless of your choice of SSO provider. But the values you configure must take into account how the SAML SSO provider you use implements user role mapping. Your IdP may enforce syntactical limitations on user or group attributes; if so, you must devise a user role mapping scheme using role names and regular expressions compatible with those requirements.

Before you begin

• Configure an SSO service provider application for the management center; see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175.

• Enable and configure single sign-on at the management center; see Enable Single Sign-On at the Management Center, on page 132, and Configure the Management Center for SSO Using Any SAML 2.0-Compliant SSO Provider, on page 177.

Procedure

Step 1 Choose System > Users.

Step 2 Click the Single Sign-On tab.

Step 3 Expand Advanced Configuration (Role Mapping).

Step 4 Select a management center user role to assign users as a default value from the Default User Role drop-down.

Step 5 Enter a Group Member Attribute. This string must match an attribute name configured at the IdP management center service provider application for user role mapping using either users or groups. (See Step 1 of Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.)

Step 6 Next to each management center user role you wish to assign to SSO users, enter a regular expression. (The management center uses a restricted version of Google's RE2 regular expression standard supported by Golang and Perl.) The management center compares these values against the user role mapping attribute value the IdP sends to the management center with SSO user information. The management center grants users a union of all the roles for which a match is found.

What to do next

Configure user role mapping at the service provider application; see Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers, on page 179.

Configure Management Center User Role Mapping at the IdP for SAML 2.0-Compliant SSO Providers

The detailed steps for configuring user role mapping are different for each IdP. You must determine how to create a custom user or group attribute for the service provider application, and assign values to the attribute for each user or group at the IdP to convey user or group privileges to the management center. Keep in mind the following:


• If your IdP imports user or group profiles from a third-party user management application (such as Active Directory, LDAP, or RADIUS), this may affect how you can use attributes for role mapping.

• Take into account user and group role definitions throughout your SSO federation.

• The management center cannot support role mapping using multiple SSO attributes; you must select either user role mapping or group role mapping and configure a single attribute to convey user role information from the IdP to the management center.

• Group role mapping is generally more efficient for a management center with many users.

• If you assign user groups to management center applications, do not also assign users within those groups as individuals.

• For the purpose of determining a match with management center user roles, the management center treats user and group role attribute values received from the IdP as regular expressions complying with the restricted version of Google's RE2 regular expression standard supported by Golang and Perl. Your IdP may enforce certain syntactical limitations on user or group attributes. If so, you must devise a user role mapping scheme using role names and regular expressions compatible with those requirements.
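The matching rule stated in the management center procedure (Step 6 above) and repeated in this list is easy to get subtly wrong, because an expression that is not anchored can match a group name it was never meant to. The following Go program is an added example, not code from this guide or from the management center: it models one Group Member Attribute carrying one or more values, compiles each role's configured expression with Go's regexp package (which implements RE2 syntax), and returns the union of matching roles. Two points are this example's own simplifications and should be read as assumptions: the configured role value is compiled as the pattern and the IdP-sent value is matched as plain text, whereas the guide says both values are treated as regular expressions; and the Default User Role is returned only when no role matches. The group names are constructed, not taken from the guide or any IdP.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RoleMapping is the management center side of the configuration: the Default
// User Role plus the expression entered beside each user role.
type RoleMapping struct {
	DefaultRole string
	RolePattern map[string]string // role name -> RE2 expression
}

// AssignRoles compiles each role's expression as RE2, tests it against every
// value of the group member attribute the IdP sent, and returns the sorted
// union of matching roles. With no match the default role alone is returned
// (assumption of this example). A pattern that does not compile is an error,
// so a mistyped expression can neither silently grant nor silently drop a role.
func AssignRoles(m RoleMapping, attributeValues []string) ([]string, error) {
	matched := map[string]bool{}
	for role, pattern := range m.RolePattern {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return nil, fmt.Errorf("role %q: invalid RE2 expression %q: %w", role, pattern, err)
		}
		for _, v := range attributeValues {
			if re.MatchString(v) {
				matched[role] = true
			}
		}
	}
	if len(matched) == 0 {
		return []string{m.DefaultRole}, nil
	}
	roles := make([]string, 0, len(matched))
	for r := range matched {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles, nil
}

// sampleMapping uses constructed group names; anchors make each expression
// match exactly one group name.
var sampleMapping = RoleMapping{
	DefaultRole: "Security Analyst (Read Only)",
	RolePattern: map[string]string{
		"Administrator":    `^fmc-admins$`,
		"Security Analyst": `^fmc-analysts$`,
		"Maintenance User": `^fmc-(ops|maint)$`,
	},
}

// unanchoredMapping shows the failure mode: "admins" also matches the
// constructed group "fmc-admins-readonly", so that group gets Administrator.
var unanchoredMapping = RoleMapping{
	DefaultRole: "Security Analyst (Read Only)",
	RolePattern: map[string]string{"Administrator": `admins`},
}

func main() {
	show := func(m RoleMapping, groups []string) {
		roles, err := AssignRoles(m, groups)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%v -> %v\n", groups, roles)
	}
	show(sampleMapping, []string{"fmc-admins", "fmc-ops"})   // union of two roles
	show(sampleMapping, []string{"hr-staff"})                // default role only
	show(unanchoredMapping, []string{"fmc-admins-readonly"}) // over-grants Administrator
	show(RoleMapping{RolePattern: map[string]string{"Administrator": `(`}}, []string{"x"})
}
```

Running the program shows why anchoring matters: the same IdP group that the anchored mapping leaves at the default role is granted Administrator by the unanchored one. Reviewing each role's expression against the full list of group names the IdP can send is the check to make before you click Apply.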

Before you begin

• Confirm your IdP account has the necessary permissions to perform this task.

• Configure a management center service provider application at the IdP (see Configure Management Center Service Provider Application for Any SAML 2.0-Compliant SSO Provider, on page 175).

Procedure

Step 1 At the IdP, create or designate an attribute to be sent to the management center to contain role mapping information for each user sign-in. This may be a user attribute, a group attribute, or a different attribute that obtains its value from a source such as user or group definitions maintained by the IdP or a third party user management application.

Step 2 Configure how the attribute gets its value. Coordinate the possible values with the values associated with the user roles in the management center SSO configuration.

Customize User Roles for the Web Interface

Each user account must be defined with a user role. This section describes how to manage user roles and how to configure a custom user role for web interface access. For default user roles, see User Roles, on page 106.

Create Custom User Roles

Custom user roles can have any set of menu-based and system permissions, and may be completely original, copied from a predefined or another custom user role, or imported from another device.


Note Custom user roles that the system considers read-only for the purposes of concurrent session limits, are automatically labeled by the system with (Read Only) in the role name on the System ( ) > Users > Users tab and the System ( ) > Users > User Roles tab. If a user role does not contain (Read Only) in the role name, the system considers the role to be read/write.

When you create a custom role or modify an existing custom role, the system automatically applies (Read Only) to the role name if all of the selected permissions for that role meet the required criteria for being read-only. You cannot make a role read-only by adding that text string manually to the role name. For more information on concurrent session limits, see Global User Configuration Settings, on page 89.

Caution Users with menu-based User Management permissions have the ability to elevate their own privileges or create new user accounts with extensive privileges, including the Administrator user role. For system security reasons we strongly recommend you restrict the list of users with User Management permissions appropriately.

Procedure

Step 1 Choose Integration > Users.

Step 2 Click User Roles.

Step 3 Add a new user role with one of the following methods:

• Click Create User Role.

• Click the Copy ( ) next to the user role you want to copy.

• Import a custom user role from another device:

a. On the old device, click the Export ( ) to save the role to your PC.

b. On the new device, choose System > Tools > Import/Export.

c. Click Upload Package, then follow the instructions to import the saved user role to the new device.

Step 4 Enter a Name for the new user role. User role names are case sensitive.

Step 5 (Optional) Add a Description.

Step 6 Choose Menu-Based Permissions for the new role.

When you choose a permission, all of its children are chosen, and the multi-value permissions use the first value. If you clear a high-level permission, all of its children are cleared also. If you choose a permission but not its children, it appears in italic text.

Copying a predefined user role to use as the base for your custom role preselects the permissions associated with that predefined role.

You can apply restrictive searches to a custom user role. These searches constrain the data a user can see in the tables on the pages available under the Analysis menu. You can configure a restrictive search by first creating a private saved search and selecting it from the Restrictive Search drop-down menu under the appropriate menu-based permission.


Step 7 (Optional) Check the External Database Access check box to set database access permissions for the new role.

This option provides read-only access to the database using an application that supports JDBC SSL connections.

For the third-party application to authenticate to the device, you must enable database access in the system settings.

Step 8 (Optional) To set escalation permissions for the new user role, see Enable User Role Escalation, on page 183.

Step 9 Click Save.

Example

You can create custom user roles for access control-related features to designate whether users can view and modify access control and associated policies.

The following table lists custom roles that you could create and user permissions granted for each example. The table lists the privileges required for each custom role. In this example, Policy Approvers can view (but not modify) access control and intrusion policies. They can also deploy configuration changes to devices.

Table 7: Sample Access Control Custom Roles

Permission / Custom Role           Example: Access Control Editor   Example: Intrusion & Network Analysis Editor   Example: Policy Approver

Access Control                     yes                              no                                             yes

Access Control Policy              yes                              no                                             yes

Modify Access Control Policy       yes                              no                                             no

Intrusion Policy                   no                               yes                                            yes

Modify Intrusion Policy            no                               yes                                            no

Deploy Configuration to Devices    no                               no                                             yes

Deactivate User Roles

Deactivating a role removes that role and all associated permissions from any user who is assigned that role.

You cannot delete predefined user roles, but you can deactivate them.

In a multidomain deployment, the system displays custom user roles created in the current domain, which you can edit. It also displays custom user roles created in ancestor domains, which you cannot edit. To view and edit custom user roles in a lower domain, switch to that domain.

Procedure

Step 1 Choose Integration > Users .

Step 2 Click User Roles.

Step 3 Click the slider next to the user role you want to activate or deactivate.

If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

If you deactivate, then reactivate, a role with Lights-Out Management while a user with that role is logged in, or restore a user or user role from a backup during that user’s login session, that user must log back into the web interface to regain access to IPMItool commands.

Enable User Role Escalation

You can give custom user roles the permission, with a password, to temporarily gain the privileges of another, targeted user role in addition to those of the base role. This feature allows you to easily substitute one user for another during an absence, or to more closely track the use of advanced user privileges. Default user roles do not support escalation.

For example, a user whose base role has very limited privileges can escalate to the Administrator role to perform administrative actions. You can configure this feature so that users can use their own passwords, or so they use the password of another user that you specify. The second option allows you to easily manage one escalation password for all applicable users.

To configure user role escalation, see the following workflow.

Procedure

Step 1 Set the Escalation Target Role, on page 183. Only one user role at a time can be the escalation target role.

Step 2 Configure a Custom User Role for Escalation, on page 184.

Step 3 (For the logged in user) Escalate Your User Role, on page 184.

Set the Escalation Target Role

You can assign any of your user roles, predefined or custom, to act as the system-wide escalation target role.

This is the role to which a custom role can escalate, if it has the ability. Only one user role at a time can be the escalation target role. Each escalation lasts for the duration of a login session and is recorded in the audit log.

Procedure

Step 1 Choose Integration > Users.

Step 2 Click User Roles.

Step 3 Click Configure Permission Escalation.

Step 4 Choose a user role from the Escalation Target drop-down list.

Step 5 Click OK to save your changes.


Changing the escalation target role is effective immediately. Users in escalated sessions now have the permissions of the new escalation target.

Configure a Custom User Role for Escalation

Users for whom you want to enable escalation must belong to a custom user role with escalation enabled.

This procedure describes how to enable escalation for a custom user role.

Consider the needs of your organization when you configure the escalation password for a custom role. If you want to easily manage many escalating users, you might want to choose another user whose password serves as the escalation password. If you change that user’s password or deactivate that user, all escalating users who require that password are affected. This action allows you to manage user role escalation more efficiently, especially if you choose an externally-authenticated user that you can manage centrally.

Before you begin

Set a target user role according to Set the Escalation Target Role, on page 183.

Procedure

Step 1 Begin configuring your custom user role as described in Create Custom User Roles, on page 180.

Step 2 In System Permissions, choose the Set this role to escalate to: Maintenance User check box. The current escalation target role is listed beside the check box.

Step 3 Choose the password that this role uses to escalate. You have two options:

• Choose Authenticate with the assigned user’s password if you want users with this role to use their own passwords when they escalate.

• Choose Authenticate with the specified user’s password and enter that username if you want users with this role to use the password of another user.

Note When authenticating with another user’s password, you can enter any username, even that of a deactivated or nonexistent user. Deactivating the user whose password is used for escalation makes escalation impossible for users with the role that requires it. You can use this feature to quickly remove escalation powers if necessary.

Step 4 Click Save .

Escalate Your User Role

When a user has an assigned custom user role with permission to escalate, that user can escalate to the target role’s permissions at any time. Note that escalation has no effect on user preferences.

Procedure

Step 1 From the drop-down list under your user name, choose Escalate Permissions. If you do not see this option, your administrator did not enable escalation for your user role.

Step 2 Enter the authentication password.

Step 3 Click Escalate. You now have all permissions of the escalation target role in addition to your current role.

Escalation lasts for the remainder of your login session. To return to the privileges of your base role only, you must log out, then begin a new session.

Troubleshooting LDAP Authentication Connections

If you create an LDAP authentication object and it either does not succeed in connecting to the server you select, or does not retrieve the list of users you want, you can tune the settings in the object.

If the connection fails when you test it, try the following suggestions to troubleshoot your configuration:

• Use the messages displayed at the top of the web interface screen and in the test output to determine which areas of the object are causing the issue.

• Check that the user name and password you used for the object are valid:

• Check that you have the rights to browse to the directory indicated in your base-distinguished name by connecting to the LDAP server using a third-party LDAP browser.

• Check that the user name is unique to the directory information tree for the LDAP server.

• If you see an LDAP bind error 49 in the test output, the user binding for the user failed. Try authenticating to the server through a third-party application to see if the binding fails through that connection as well.

• Check that you have correctly identified the server:

• Check that the server IP address or host name is correct.

• Check that you have TCP/IP access from your local appliance to the authentication server where you want to connect.

• Check that access to the server is not blocked by a firewall and that the port you have configured in the object is open.

• If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used for the server.

• Check that you have not used an IPv6 address for the server connection if you are authenticating CLI access.

• If you used server type defaults, check that you have the correct server type and click Set Defaults again to reset the default values.

• If you typed in your base-distinguished name, click Fetch DNs to retrieve all the available base distinguished names on the server, and select the name from the list.

• If you are using any filters, access attributes, or advanced settings, check that each is valid and typed correctly.


• If you are using any filters, access attributes, or advanced settings, try removing each setting and testing the object without it.

• If you are using a base filter or a CLI access filter, make sure that the filter is enclosed in parentheses and that you are using a valid comparison operator (maximum 450 characters, including the enclosing parentheses).

• To test a more restricted base filter, try setting it to the base distinguished name for the user to retrieve just that user.

• If you are using an encrypted connection:

• Check that the name of the LDAP server in the certificate matches the host name that you use to connect.

• Check that you have not used an IPv6 address with an encrypted server connection.

• If you are using a test user, make sure that the user name and password are typed correctly.

• If you are using a test user, remove the user credentials and test the object.

• Test the query that you are using by connecting to the LDAP server and using this syntax: ldapsearch -x -b 'base_distinguished_name' -h LDAPserver_ip_address -p port -v -D 'user_distinguished_name' -W 'base_filter'

For example, if you are trying to connect to the security domain on myrtle.example.com using the [email protected] user and a base filter of (cn=*), you could test the connection using this statement: ldapsearch -x -b 'CN=security,DC=myrtle,DC=example,DC=com' -h myrtle.example.com -p 389 -v -D '[email protected]' -W '(cn=*)'

If you can test your connection successfully but authentication does not work after you deploy a platform settings policy, check that authentication and the object you want to use are both enabled in the platform settings policy that is applied to the device.

If you connect successfully but want to adjust the list of users retrieved by your connection, you can add or change a base filter or CLI access filter or use a more restrictive or less restrictive base DN.

While authenticating a connection to Active Directory (AD) server, rarely the connection event log indicates blocked LDAP traffic although the connection to AD server is successful. This incorrect connection log occurs when the AD server sends a duplicate reset packet. The threat defense device identifies the second reset packet as part of a new connection request and logs the connection with Block action.
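Several items in the list above are static checks on the object itself (the filter must be enclosed in parentheses and stay within 450 characters, an IPv6 server address is not usable for CLI access or encrypted connections) that can be run before any test against the server. The following Go program is an added example, not code from this guide or from the management center: it applies those checks to a constructed object mirroring the myrtle.example.com example and assembles the argument list of the ldapsearch test the guide shows, without executing it. The LDAPObject field names and the bind user name are this example's own placeholders.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// LDAPObject carries the fields of an LDAP authentication object that the
// troubleshooting list tells you to re-check. Field names are this example's own.
type LDAPObject struct {
	Server     string // IP address or host name
	Port       int
	BaseDN     string
	BindDN     string // user distinguished name used to bind
	BaseFilter string // optional base or CLI access filter
	Encrypted  bool   // TLS/SSL connection
	CLIAccess  bool   // object is also used to authenticate CLI access
}

// CheckFilter applies the guide's rules for a base or CLI access filter: it
// must be enclosed in parentheses, they must balance as one expression, and the
// whole string may be at most 450 characters including the enclosing parentheses.
func CheckFilter(filter string) error {
	if filter == "" {
		return nil // filters are optional
	}
	if len(filter) > 450 {
		return fmt.Errorf("filter is %d characters; the maximum is 450", len(filter))
	}
	if !strings.HasPrefix(filter, "(") || !strings.HasSuffix(filter, ")") {
		return fmt.Errorf("filter must be enclosed in parentheses: %q", filter)
	}
	depth := 0
	for i, r := range filter {
		switch r {
		case '(':
			depth++
		case ')':
			depth--
			// Reaching depth 0 before the last byte means the outer parentheses
			// do not enclose the whole filter, e.g. "(a=1)(b=2)".
			if depth == 0 && i != len(filter)-1 {
				return fmt.Errorf("filter is not a single parenthesised expression: %q", filter)
			}
		}
		if depth < 0 {
			return fmt.Errorf("unbalanced parentheses in filter: %q", filter)
		}
	}
	if depth != 0 {
		return fmt.Errorf("unbalanced parentheses in filter: %q", filter)
	}
	return nil
}

// CheckObject returns every problem the static checks can find without
// contacting the server.
func CheckObject(o LDAPObject) []string {
	var problems []string
	if o.Server == "" {
		problems = append(problems, "server IP address or host name is empty")
	}
	if o.Port < 1 || o.Port > 65535 {
		problems = append(problems, fmt.Sprintf("port %d is out of range", o.Port))
	}
	// An IPv6 literal is ruled out for CLI access authentication and for encrypted connections.
	if ip := net.ParseIP(o.Server); ip != nil && ip.To4() == nil {
		if o.CLIAccess {
			problems = append(problems, "IPv6 server address cannot be used when authenticating CLI access")
		}
		if o.Encrypted {
			problems = append(problems, "IPv6 server address cannot be used with an encrypted connection")
		}
	}
	if o.BaseDN == "" {
		problems = append(problems, "base distinguished name is empty; use Fetch DNs to pick one")
	}
	if err := CheckFilter(o.BaseFilter); err != nil {
		problems = append(problems, err.Error())
	}
	return problems
}

// LdapsearchArgs builds the argument list for the ldapsearch test in the guide's
// syntax (-W makes ldapsearch prompt for the bind password); nothing is executed here.
func LdapsearchArgs(o LDAPObject) []string {
	args := []string{"ldapsearch", "-x", "-b", o.BaseDN, "-h", o.Server,
		"-p", fmt.Sprint(o.Port), "-v", "-D", o.BindDN, "-W"}
	if o.BaseFilter != "" {
		args = append(args, o.BaseFilter)
	}
	return args
}

func main() {
	// Constructed object mirroring the guide's example; the bind user is a placeholder.
	o := LDAPObject{
		Server: "myrtle.example.com", Port: 389,
		BaseDN: "CN=security,DC=myrtle,DC=example,DC=com",
		BindDN: "placeholder-user@myrtle.example.com", BaseFilter: "(cn=*)",
	}
	for _, p := range CheckObject(o) {
		fmt.Println("problem:", p)
	}
	fmt.Println(strings.Join(LdapsearchArgs(o), " "))
}
```

Running the checks first separates configuration mistakes that no network test can fix from genuine connectivity or bind problems, which are the ones the test output and the ldapsearch run above are meant to isolate.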

Configure User Preferences

Depending on your user role, you can specify certain preferences for your user account.


In a multidomain deployment, user preferences apply to all domains where your account has access. When specifying home page and dashboard preferences, keep in mind that certain pages and dashboard widgets are constrained by domain.

Changing Your Password

All user accounts are protected with a password. You can change your password at any time, and depending on the settings for your user account, you may have to change your password periodically.

When password strength checking is enabled, passwords must comply with the strong password requirements described in Guidelines and Limitations for User Accounts for Management Center, on page 110.

If you are an LDAP or a RADIUS user, you cannot change your password through the web interface.

Procedure

Step 1 From the drop-down list under your user name, choose User Preferences.

Step 2 Click Change Password.

Step 3 Optionally, check the Show password check box to see the password while using this dialog.

Step 4 Enter your Current Password.

Step 5 You have two options:

• Enter your new password for New Password and Confirm Password.

• Click Generate Password to have the system create a password for you which complies with the listed criteria. (Generated passwords are non-mnemonic; take careful note of the password if you choose this option.)

Step 6 Click Apply.

Changing an Expired Password

Depending on the settings for your user account, your password may expire. The password expiration time period is set when your account is created. If your password has expired, the Password Expiration Warning page appears.

Procedure

On the Password Expiration Warning page, you have two choices:

• Click Change Password to change your password now. If you have zero warning days left, you must change your password.

Tip When password strength checking is enabled, passwords must comply with the strong password requirements described in Guidelines and Limitations for User Accounts for Management Center, on page 110.

• Click Skip to change your password later.

Change the Web Interface Appearance

You can change the way the web interface appears.

Procedure

Step 1 From the drop-down list under your user name, choose User Preferences. The General tab displays by default.

Step 2 Select a theme:

• Light

• Dusk

• Classic (the look and feel of releases earlier than 6.6)

Specifying Your Home Page

You can specify the page within the web interface to use as your home page for the appliance. The default home page is the default dashboard (Overview > Dashboards), except for user accounts with no dashboard access, such as External Database users. (See Specifying Your Default Dashboard, on page 193, to set the default dashboard.)

In a multidomain deployment, the home page you choose applies to all domains where your user account has access. When choosing a home page for an account that frequently accesses multiple domains, keep in mind that certain pages are constrained to the Global domain.

Procedure

Step 1 From the drop-down list under your user name, choose User Preferences.

Step 2 Click Home Page.

Step 3 Choose the page you want to use as your home page from the drop-down list.

The options in the drop-down list are based on the access privileges for your user account. For more information, see User Roles, on page 106.

Step 4 Click Save.

Configuring Event View Settings

Use the Event View Settings page to configure characteristics of event views on the Secure Firewall Management Center. Note that some event view configurations are available only for specific user roles. Users with the External Database User role can view parts of the event view settings user interface, but changing those settings has no meaningful result.

Procedure

Step 1 From the drop-down list under your user name, choose User Preferences.

Step 2 Click Event View Settings.

Step 3 In the Event Preferences section, configure the basic characteristics of event views; see Event View Preferences, on page 189.

Step 4 In the File Preferences section, configure file download preferences; see File Download Preferences, on page 190.

Step 5 In the Default Time Windows section, configure the default time window or windows; see Default Time Windows, on page 191.

Step 6 In the Default Workflow sections, configure default workflows; see Default Workflows, on page 192.

Step 7 Click Save.

Event View Preferences

Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views. This section is available for all user roles, although it has little to no significance for users who cannot view events.

The following fields appear in the Event Preferences section:

• The Confirm “All” Actions field controls whether the appliance forces you to confirm actions that affect all events in an event view.

For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.

• The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views.

Note that an event view may be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must use management interfaces configuration to establish a DNS server in the system settings.

• The Expand Packet View field allows you to configure how the packet view for intrusion events appears.

By default, the appliance displays a collapsed version of the packet view:

• None - collapse all subsections of the Packet Information section of the packet view

• Packet Text - expand only the Packet Text subsection

• Packet Bytes - expand only the Packet Bytes subsection

• All - expand all sections

Regardless of the default setting, you can always manually expand the sections in the packet view to view detailed information about a captured packet.

• The Rows Per Page field controls how many rows of events per page you want to appear in drill-down pages and table views.

• The Refresh Interval field sets the refresh interval for event views in minutes. Entering 0 disables the refresh option. Note that this interval does not apply to dashboards.

• The Statistics Refresh Interval controls the refresh interval for event summary pages such as the Intrusion Event Statistics and Discovery Statistics pages. Entering 0 disables the refresh option. Note that this interval does not apply to dashboards.

• The Deactivate Rules field controls which links appear on the packet view of intrusion events generated by standard text rules:

• All Policies - a single link that deactivates the standard text rule in all the locally defined custom intrusion policies

• Current Policy - a single link that deactivates the standard text rule in only the currently deployed intrusion policy. Note that you cannot deactivate rules in the default policies.

• Ask - links for each of these options

To see these links on the packet view, your user account must have either Administrator or Intrusion Admin access.

File Download Preferences

Use the File Preferences section of the Event View Settings page to configure basic characteristics of local file downloads. This section is only available to users with the Administrator, Security Analyst, or Security Analyst (Read Only) user roles.

Note that if your appliance does not support downloading captured files, these options are disabled.

The following fields appear in the File Preferences section:

• The Confirm ‘Download File’ Actions check box controls whether a File Download pop-up window appears each time you download a file, displaying a warning and prompting you to continue or cancel.

Caution Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.

Note that you can disable this option any time you download a file.

• When you download a captured file, the system creates a password-protected .zip archive containing the file. The Zip File Password field defines the password you want to use to restrict access to the .zip file.

If you leave this field blank, the system creates archive files without passwords.

• The Show Zip File Password check box toggles displaying plain text or obfuscated characters in the Zip File Password field. When this check box is cleared, the Zip File Password field displays obfuscated characters.

Default Time Windows

The time window, sometimes called the time range, imposes a time constraint on the events in any event view.

Use the Default Time Windows section of the Event View Settings page to control the default behavior of the time window.

User role access to this section is as follows:

• Administrators and Maintenance Users can access the full section.

• Security Analysts and Security Analysts (Read Only) can access all options except Audit Log Time Window.

• Access Admins, Discovery Admins, External Database Users, Intrusion Admins, Network Admins, and Security Approvers can access only the Events Time Window option.

Note that, regardless of the default time window setting, you can always manually change the time window for individual event views during your event analysis. Also, keep in mind that time window settings are valid for only the current session. When you log out and then log back in, time windows are reset to the defaults you configured on this page.

There are three types of events for which you can set the default time window:

• The Events Time Window sets a single default time window for most events that can be constrained by time.

• The Audit Log Time Window sets the default time window for the audit log.

• The Health Monitoring Time Window sets the default time window for health events.

You can only set time windows for event types your user account can access. All user types can set event time windows. Administrators, Maintenance Users, and Security Analysts can set health monitoring time windows. Administrators and Maintenance Users can set audit log time windows.

Note that because not all event views can be constrained by time, time window settings have no effect on event views that display hosts, host attributes, applications, clients, vulnerabilities, user identity, or compliance allow list violations.

You can either use Multiple time windows, one for each of these types of events, or you can use a Single time window that applies to all events. If you use a single time window, the settings for the three types of time window disappear and a new Global Time Window setting appears.

There are three types of time window:

• static, which displays all the events generated from a specific start time to a specific end time

• expanding, which displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view

• sliding, which displays all the events generated from a specific start time (for example, one day ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last day)

The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).

The following options appear in the Time Window Settings drop-down list:

• The Show the Last - Sliding option allows you to configure a sliding default time window of the length you specify.

The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window “slides” so that you always see events from the last hour.

• The Show the Last - Static/Expanding option allows you to configure either a static or expanding default time window of the length you specify.

For static time windows, enable the Use End Time check box. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window expands to the present time.

• The Current Day - Static/Expanding option allows you to configure either a static or expanding default time window for the current day. The current day begins at midnight, based on the time zone setting for your current session.

For static time windows, enable the Use End Time check box. The appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from midnight to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 24 hours before you log out, this time window can be more than 24 hours.

• The Current Week - Static/Expanding option allows you to configure either a static or expanding default time window for the current week. The current week begins at midnight on the previous Sunday, based on the time zone setting for your current session.

For static time windows, enable the Use End Time check box. The appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows, disable the Use End Time check box. The appliance displays all the events generated from midnight Sunday to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 1 week before you log out, this time window can be more than 1 week.
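To make the static, expanding and sliding behaviours concrete, here is an added Python model (not part of this guide or of the management center's own code) that resolves each Time Window Settings option to the UTC start and end an event view would query, clamps both to the 1970 to 2038 bounds stated above, and derives day and week starts from the session time zone. The option keywords and field names are mine, and the session time zone is represented as a fixed UTC offset (an assumption; a real session zone also carries DST rules).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hard bounds of every time window, as stated in the guide (UTC).
WINDOW_MIN = datetime(1970, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


@dataclass(frozen=True)
class TimeWindowSetting:
    """One Time Window Settings drop-down choice plus the options that shape it.

    option: "show_last_sliding", "show_last", "current_day" or "current_week"
    length_minutes: the "Show the Last" length (ignored for current day/week)
    use_end_time: the Use End Time check box (static when checked, expanding when not)
    session_utc_offset_hours: the session time zone as a fixed UTC offset (assumption:
        a fixed offset keeps the example self-contained; real zones also carry DST rules)
    """
    option: str
    length_minutes: int = 60
    use_end_time: bool = False
    session_utc_offset_hours: float = 0.0


def _local_midnight(at: datetime, tz: timezone, back_to_sunday: bool) -> datetime:
    """Midnight that starts the current day (or the Sunday-based current week) in session time."""
    local = at.astimezone(tz)
    if back_to_sunday:
        local -= timedelta(days=(local.weekday() + 1) % 7)  # Monday=0..Sunday=6 -> days since Sunday
    return local.replace(hour=0, minute=0, second=0, microsecond=0).astimezone(timezone.utc)


def _clamp(moment: datetime) -> datetime:
    return min(max(moment, WINDOW_MIN), WINDOW_MAX)


def resolve_window(setting: TimeWindowSetting, first_viewed: datetime, now: datetime) -> tuple[datetime, datetime]:
    """Return the UTC (start, end) an event view would query.

    first_viewed: when the user first opened the event view in this session
    now: when the view is (re)rendered; moves an expanding or sliding window, never a static one
    """
    tz = timezone(timedelta(hours=setting.session_utc_offset_hours))
    length = timedelta(minutes=setting.length_minutes)
    if setting.option == "show_last_sliding":
        start, end = now - length, now  # keeps its length and follows the present
    elif setting.option == "show_last":
        start = first_viewed - length
        end = first_viewed if setting.use_end_time else now
    elif setting.option in ("current_day", "current_week"):
        start = _local_midnight(first_viewed, tz, setting.option == "current_week")
        end = first_viewed if setting.use_end_time else now  # expanding may exceed 24 h / 1 week
    else:
        raise ValueError(f"unknown Time Window Settings option: {setting.option!r}")
    return _clamp(start), _clamp(end)


def resolve_window_iso(setting: TimeWindowSetting, first_viewed_iso: str, now_iso: str) -> tuple[str, str]:
    """ISO 8601 in (offset-qualified, or naive meaning UTC), ISO 8601 UTC 'Z' strings out."""
    def parse(text: str) -> datetime:
        moment = datetime.fromisoformat(text)
        return moment if moment.tzinfo else moment.replace(tzinfo=timezone.utc)
    start, end = resolve_window(setting, parse(first_viewed_iso), parse(now_iso))
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return start.strftime(fmt), end.strftime(fmt)
```

Feeding the same first-viewed and now instants through every option shows why an expanding Current Day window can cover more than 24 hours while a static one never moves.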

Default Workflows

A workflow is a series of pages displaying data that analysts use to evaluate events. For each event type, the appliance ships with at least one predefined workflow. For example, as a Security Analyst, depending on the type of analysis you are performing, you can choose among ten different intrusion event workflows, each of which presents intrusion event data in a different way.

The appliance is configured with a default workflow for each event type. For example, the Events by Priority and Classification workflow is the default for intrusion events. This means whenever you view intrusion events (including reviewed intrusion events), the appliance displays the Events by Priority and Classification workflow.

You can, however, change the default workflow for each event type. The default workflows you are able to configure depend on your user role. For example, intrusion event analysts cannot set default discovery event workflows.

Setting Your Default Time Zone

This setting determines the times displayed in the web interface for your user account only, for things like task scheduling and viewing dashboards. This setting does not change the system time or affect any other user, and does not affect data stored in the system, which generally uses UTC.

Warning The Time Zone function (in User Preferences) assumes that the system clock is set to UTC time. DO NOT ATTEMPT TO CHANGE THE SYSTEM TIME. Changing the system time from UTC is NOT supported, and doing so will require you to reimage the device to recover from an unsupported state.

Note This feature does not affect the time zone used for time-based policy application. Set the time zone for a device in Devices > Platform Settings .

Procedure

Step 1 From the drop-down list under your user name, choose User Preferences.

Step 2 Click Time Zone.

Step 3 Choose the continent or area that contains the time zone you want to use.

Step 4 Choose the country and state name that corresponds with the time zone you want to use.

Specifying Your Default Dashboard

The default dashboard appears when you choose Overview > Dashboards. Unless changed, the default dashboard for all users is the Summary dashboard. You can change the default dashboard if your user role is Administrator, Maintenance, or Security Analyst.

In a multidomain deployment, the default dashboard you choose applies to all domains where your user account has access. When choosing a dashboard for an account that frequently accesses multiple domains, keep in mind that certain dashboard widgets are constrained by domain.

Procedure

Step 1 From the drop-down list under your user name, choose User Preferences.

Step 2 Click Dashboard Settings.

Step 3 Choose the dashboard you want to use as your default from the drop-down list. If you choose None, when you select Overview > Dashboards, you can then choose a dashboard to view.

Step 4 Click Save.

History for Users

Feature: Support for the Service-Type attribute for threat defense users defined on the RADIUS server
Version: 6.4
Details: For RADIUS authentication of threat defense CLI users, you used to have to pre-define the usernames in the RADIUS external authentication object and manually make sure that the list matched usernames defined on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter blank in the external authentication object.
New/Modified screens: System > Users > External Authentication > Add External Authentication Object > Shell Access Filter
Supported platforms: threat defense

Feature: External Authentication for threat defense SSH Access
Version: 6.2.3
Details: You can now configure external authentication for SSH access to the threat defense using LDAP or RADIUS.
New/Modified screens: Devices > Platform Settings > External Authentication
Supported platforms: threat defense

Chapter 5

Domains

The following topics describe how to manage multitenancy using domains:

• Introduction to Multitenancy Using Domains, on page 195

• Requirements and Prerequisites for Domains, on page 198

• Managing Domains, on page 198

• Creating New Domains, on page 199

• Moving Data Between Domains, on page 200

• Moving Devices Between Domains, on page 201

• History for Domain Management, on page 202

Introduction to Multitenancy Using Domains

The management center allows you to implement multitenancy using domains. Domains segment user access to managed devices, configurations, and events. You can create up to 100 subdomains under a top-level Global domain, in two or three levels.

When you log into the management center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.

In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various configurations. The management center limits most management tasks, like system software updates, to the Global domain.

The management center limits other tasks to leaf domains, which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain. Note that each device can only belong to a single domain.

Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain’s devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.

One Domain Level: Global

If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.

Two Domain Levels: Global and Second-Level

In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single management center to manage network security for multiple customers:

• Administrators at the MSSP logging into the Global domain cannot view or edit customers' deployments. They must log into the respective second-level named subdomains to manage the customers' deployments.

• Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.

Three Domain Levels: Global, Second-Level, and Third-Level

In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer—already restricted to a subdomain—wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:

• Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's edge network deployments. They must log into the respective leaf domain to manage the devices deployed on the network edge.

• Administrators for the customer’s edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer’s internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.

Note In a management center that uses multitenancy, the SSO configuration can be applied only at the Global domain level, and it applies to the Global domain and all subdomains.

Related Topics

Configure SAML Single Sign-On, on page 129

Domains Terminology

This documentation uses the following terms when describing domains and multidomain deployments:

Global Domain

In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain. Administrators in the Global domain can manage the entire Firepower System deployment.

Subdomain

A second or third-level domain.

Second-level domain

A child of the Global domain. Second-level domains can be leaf domains, or they can have subdomains.

Third-level domain

A child of a second-level domain. Third-level domains are always leaf domains.

Leaf domain

A domain with no subdomains. Each device must belong to a leaf domain.

Descendant domain

A domain descending from the current domain in the hierarchy.

Child domain

A domain’s direct descendant.

Ancestor domain

A domain from which the current domain descends.

Parent domain

A domain’s direct ancestor.

Sibling domain

A domain with the same parent.

Current domain

The domain you are logged into now. The system displays the name of the current domain before your user name at the top right of the web interface. Unless your user role is restricted, you can edit configurations in the current domain.

Domain Properties

To modify a domain's properties, you must have Administrator access in that domain's parent domain.

Name and Description

Each domain must have a unique name within its hierarchy. A description is optional.

Parent Domain

Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.

Devices

Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device.

In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.

Host Limit

The number of hosts the management center can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but have separate network maps.

To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0, the domain shares in the general pool.

Setting the host limit has a different effect at each domain level:

• Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.

• Second Level — For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.

• Global — For the Global domain, the host limit is equal to the total number of hosts the management center can monitor. You cannot change it.

The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.

The network discovery policy controls what happens when you detect a new host after you reach the host limit; you can drop the new host, or replace the host that has been inactive for the longest time.

Because each leaf domain has its own network discovery policy, each leaf domain governs its own behavior when the system discovers a new host.

If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.
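As an added example that is not part of this guide or of the management center's implementation, the following Python model encodes the rules from the Devices and Host Limit sections above: only leaf domains hold devices, a hierarchy has at most three levels and 100 subdomains, a limit of 0 shares the parent's pool, sibling limits may add up to more than the parent's, a full pool either drops the new host or replaces the longest-inactive one, and lowering a limit prunes the longest-inactive hosts. The class and method names, the tick counter standing in for last-seen time, and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

MAX_SUBDOMAINS = 100  # the guide: up to 100 subdomains under Global
MAX_DEPTH = 3         # Global, second level, third level


@dataclass(eq=False)  # identity comparison; parent/children links would otherwise recurse
class Domain:
    name: str
    parent: Optional["Domain"] = None
    host_limit: int = 0  # 0 = share the parent's pool; Global's limit is the appliance capacity
    children: List["Domain"] = field(default_factory=list)
    devices: List[str] = field(default_factory=list)
    hosts: Dict[str, int] = field(default_factory=dict)  # leaf network map: host -> last-seen tick

    def lineage(self) -> Iterator["Domain"]:  # this domain, then its ancestors up to Global
        d: Optional[Domain] = self
        while d is not None:
            yield d
            d = d.parent

    def leaves(self) -> Iterator["Domain"]:
        if not self.children:
            yield self
        for child in self.children:
            yield from child.leaves()

    def pool_full(self) -> bool:  # only a positive limit constrains; 0 defers to the parent's pool
        return self.host_limit > 0 and sum(len(l.hosts) for l in self.leaves()) >= self.host_limit


class DomainHierarchy:
    def __init__(self, global_host_limit: int) -> None:
        self.global_domain = Domain("Global", host_limit=global_host_limit)
        self.names = {"Global"}
        self.placement: Dict[str, Domain] = {}  # device -> its leaf domain
        self.unassigned: List[str] = []          # devices whose domain stopped being a leaf
        self._tick = 0                           # stands in for last-seen time

    def add_subdomain(self, parent: Domain, name: str, host_limit: int = 0) -> Domain:
        if sum(1 for _ in parent.lineage()) >= MAX_DEPTH:
            raise ValueError("third-level domains are always leaf domains")
        if len(self.names) - 1 >= MAX_SUBDOMAINS:
            raise ValueError(f"at most {MAX_SUBDOMAINS} subdomains are supported")
        if name in self.names:
            raise ValueError(f"domain name {name!r} is already used in this hierarchy")
        child = Domain(name, parent=parent, host_limit=host_limit)
        # The parent stops being a leaf: its devices must be reassigned before Save, and its
        # network map passes to the new leaf (one of the two choices under Moving Data).
        self.unassigned.extend(parent.devices)
        parent.devices.clear()
        child.hosts, parent.hosts = parent.hosts, {}
        parent.children.append(child)
        self.names.add(name)
        return child

    def assign_device(self, device: str, target: Domain) -> None:
        if target.children:
            raise ValueError(f"{target.name} is not a leaf domain; only leaf domains hold devices")
        old = self.placement.pop(device, None)  # a device belongs to exactly one domain
        if old is not None and device in old.devices:
            old.devices.remove(device)
        if device in self.unassigned:
            self.unassigned.remove(device)
        target.devices.append(device)
        self.placement[device] = target

    def validate(self) -> List[str]:  # problems that would block Save on the domain page
        return [f"device {dev} is not assigned to a leaf domain" for dev in self.unassigned]

    def admit_host(self, leaf: Domain, host: str, on_limit: str = "drop") -> bool:
        # Discovery reports a host; if any pool up the chain is full, apply the leaf's policy.
        self._tick += 1
        if host not in leaf.hosts and any(d.pool_full() for d in leaf.lineage()):
            if on_limit != "replace_oldest" or not leaf.hosts:
                return False  # "drop the new host"
            del leaf.hosts[min(leaf.hosts, key=leaf.hosts.get)]  # replace the longest-inactive host
        leaf.hosts[host] = self._tick
        return True

    def set_host_limit(self, domain: Domain, new_limit: int) -> int:
        # Lowering a limit deletes the longest-inactive hosts; returns how many were removed.
        domain.host_limit = new_limit
        deleted = 0
        while new_limit > 0 and sum(len(l.hosts) for l in domain.leaves()) > new_limit:
            leaf, host = min(((lf, h) for lf in domain.leaves() for h in lf.hosts),
                             key=lambda lh: lh[0].hosts[lh[1]])
            del leaf.hosts[host]
            deleted += 1
        return deleted


def attempt(fn, *args, **kwargs) -> Optional[str]:
    try:
        fn(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None
```

With a Global limit of 5 and two second-level domains limited to 4 each, either domain can fill its own limit, but once the Global pool holds 5 hosts the other domain's new hosts are dropped or replace its longest-inactive host, the same oversubscription the 150,000 / 100,000 example above describes.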

Related Topics

Host Limit

Network Discovery Data Storage Settings

Requirements and Prerequisites for Domains

Model Support

Any.

Supported Domains

Any.

User Roles

• Admin

Managing Domains

To modify a domain's properties, you must have Administrator access in that domain's parent domain.

Procedure

Step 1 Choose System > Domains.

Step 2 Manage your domains:

• Add — Click Add Domain, or click Add Subdomain next to the parent domain; see Creating New Domains, on page 199.

• Edit — Click Edit next to the domain you want to modify; see Domain Properties, on page 197.

• Delete — Click Delete next to the empty domain you want to delete, then confirm your choice. Move devices from domains you want to delete by editing their destination domain.

Step 3 When you are done making changes to the domain structure and all devices are associated with leaf domains, click Save to implement your changes.

Step 4 If prompted, make additional changes:

• If you changed a leaf domain to a parent domain, move or delete the old network map; see Moving Data Between Domains, on page 200.

• If you moved devices between domains and must assign new policies and security zones or interface groups, see Moving Devices Between Domains, on page 201.

What to do next

• Configure user roles and policies (access control, network discovery, and so on) for any new domains.

Update device properties as needed.

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.

Creating New Domains

You can create up to 100 subdomains under a top-level Global domain, in two or three levels.

You must assign all devices to a leaf domain before you can implement the domain configuration. When you add a subdomain to a leaf domain, the domain stops being a leaf domain and you must reassign its devices.

Procedure

Step 1 In a Global or a second-level domain, choose System > Domains.

Step 2 Click Add Domain, or click Add Subdomain next to the parent domain.

Step 3 Enter a Name and Description.

Step 4 Choose a Parent Domain.

Step 5 On Devices, choose the Available Devices to add to the domain, then click Add to Domain or drag and drop into the list of Selected Devices.

Step 6 Optionally, click Advanced to limit the number of hosts the new domain may monitor; see Domain Properties, on page 197.

Step 7 Click Save to return to the domain management page.

The system warns you if any devices are assigned to non-leaf domains. Click Create New Domain to create a new domain for those devices. Click Keep Unassigned if you plan to move the devices to existing domains.

Step 8 When you are done making changes to the domain structure and all devices are associated with leaf domains, click Save to implement your changes.

Step 9 If prompted, make additional changes:

• If you changed a leaf domain to a parent domain, move or delete the old network map; see Moving Data Between Domains, on page 200.

• If you moved devices between domains and must assign new policies and security zones or interface groups, see Moving Devices Between Domains, on page 201.

What to do next

• Configure user roles and policies (access control, network discovery, and so on) for any new domains.

Update device properties as needed.

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.

Moving Data Between Domains

Because events and network maps are associated with leaf domains, when you change a leaf domain to a parent domain, you have two choices:

• Move the network map and associated events to a new leaf domain.

• Delete the network map but retain the events. In this case, the events remain associated with the parent domain until the system prunes events as needed or as configured. Or, you can delete old events manually.

Before you begin

Implement a domain configuration where a former leaf domain is now a parent domain; see Managing Domains, on page 198.

Procedure

Step 1 For each former leaf domain that is now a parent domain:

• Choose a new Leaf Domain to inherit the Parent Domain's events and network map.

• Choose None to delete the parent domain's network map, but retain old events.

Step 2 Click Save.

What to do next

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.

Moving Devices Between Domains

You can move devices between domains when you are in the Global domain or a second-level domain. Moving a device between domains can affect the configurations and policies applied to the device. The system automatically retains and updates what it can. It deletes what it cannot update, namely object overrides, dynamic routing configuration, static routes, the IP pool associated with the diagnostic interface, and DDNS.

If a remote access VPN policy is assigned to a device, you can move the device from one domain to another only if the target domain is a descendant of the domain in which the remote access VPN is configured.

You can move the device into any child domain without deleting the enrolled certificate on the device.

Specifically:

• If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new health policy.

• If the access control policy assigned to a moved device is not valid or accessible in the new domain, choose a new policy. Every device must have an assigned access control policy.

• If the interfaces on the moved device belong to a security zone that is inaccessible in the new domain, you can choose a new zone.

• Interfaces are removed from:

• Security zones that are inaccessible in the new domain and not used in an access control policy.

• All interface groups.

If devices require a policy update but you do not need to move interfaces between zones, the system displays a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a security zone configured in a common ancestor domain, you do not need to update zone configurations when you move devices from subdomain to subdomain.

Before you begin

• Implement a domain configuration where you moved a device from domain to domain and now must assign new policies and security zones; see Managing Domains, on page 198.

Procedure

Step 1 In the Move Devices dialog box, under Select Device(s) to Configure, check the device you want to configure.

Check multiple devices to assign the same health and access control policies.

Step 2 Choose an Access Control Policy to apply to the device, or choose New Policy to create a new policy.

Step 3 Choose a Health Policy to apply to the device, or choose None to leave the device without a health policy.

Step 4 If prompted to assign interfaces to new zones, choose a New Security Zone for each listed interface, or choose None to assign it later.

Step 5 After you configure all affected devices, click Save to save policy and zone assignments.

Step 6 Click Save to implement the domain configuration.

What to do next

• Update other configurations on the moved device that were affected by the move.

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.

History for Domain Management

Feature: Increased maximum number of supported domains

Version: 6.5

Details: You can now add up to 100 domains. Previously, the maximum was 50 domains.

Supported platforms: Secure Firewall Management Center

CHAPTER 6

Updates

The following topics explain how to update Firepower deployments:

About System Updates, on page 203

Requirements and Prerequisites for System Updates, on page 205

Guidelines and Limitations for System Updates, on page 205

Upgrade System Software, on page 206

Update the Vulnerability Database (VDB), on page 206

Update the Geolocation Database, on page 208

Update Intrusion Rules, on page 210

Maintain Your Air-Gapped Deployment, on page 219

History for System Updates, on page 220

About System Updates

You can use the management center to upgrade the system software for itself and the devices it manages. You can also update various databases and feeds that provide advanced services.

For management centers with internet access, the system can often obtain updates directly from Cisco. We recommend you schedule or enable automatic updates whenever possible. Some updates are auto-enabled by the initial setup process or when you enable the related feature. Other updates you must schedule yourself.

After initial setup, we recommend you review all auto-updates and adjust them if necessary.


Table 8: Upgrades and Updates

Component: System software

Description: Major software releases contain new features, functionality, and enhancements. They may include infrastructure or architectural changes. Maintenance releases contain general bug and security related fixes. Behavior changes are rare, and are related to those fixes. Patches are on-demand updates limited to critical fixes with time urgency. Hotfixes can address specific customer issues.

Details:

Direct Download: Select releases only, usually some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors.

Schedule: Patches only, on System ( ) > Tools > Scheduling.

Uninstall: Patches only.

Revert/Reimage: Major and maintenance releases only.

See: Upgrade System Software, on page 206

Component: Vulnerability database (VDB)

Description: The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

Details:

Direct Download: Yes.

Schedule: Yes, on System ( ) > Tools > Scheduling.

Uninstall: No.

See: Update the Vulnerability Database (VDB), on page 206

Component: Geolocation database (GeoDB)

Description: The Cisco geolocation database (GeoDB) is a database of geographical and connection-related data associated with routable IP addresses.

Details:

Direct Download: Yes.

Schedule: Yes, on System ( ) > Updates.

Uninstall: No.

See: Update the Geolocation Database, on page 208

Component: Intrusion rules (SRU/LSP)

Description: Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.

Details:

Direct Download: Yes.

Schedule: Yes, on System ( ) > Updates.

Uninstall: No.

See: Update Intrusion Rules, on page 210

Component: Security Intelligence feeds

Description: Security Intelligence feeds are collections of IP addresses, domain names, and URLs that you can use to quickly filter traffic that matches an entry.

Details:

Direct Download: Yes.

Schedule: Yes, on Objects > Object Management.

Uninstall: No.

See: Cisco Secure Firewall Management Center Device Configuration Guide

Component: URL categories and reputations

Description: URL filtering allows you to control access to websites based on the URL's general classification (category) and risk level (reputation).

Details:

Direct Download: Yes.

Schedule: Yes, on Integration > Cloud Services or System ( ) > Tools > Scheduling, depending on your requirements.

Uninstall: No.

See: Cisco Secure Firewall Management Center Device Configuration Guide

Requirements and Prerequisites for System Updates

Model Support: Any

Supported Domains: Global unless indicated otherwise.

User Roles: Admin

Guidelines and Limitations for System Updates

Before You Update

Before you update any component of your Firepower deployment (including intrusion rules, VDB, or GeoDB), read the release notes or advisory text that accompanies the update. These provide critical and release-specific information, including compatibility, prerequisites, new capabilities, behavior changes, and warnings.

Scheduled Updates

The system schedules tasks — including updates — in UTC. This means that when they occur locally depends on the date and your specific location. Also, because updates are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled updates occur one hour "later" in the summer than in the winter, according to local time.

Important We strongly recommend you review scheduled updates to be sure they occur when you intend.
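To make the UTC scheduling caveat concrete, here is an added example (not from the guide, and not Cisco code) that computes, for an assumed task scheduled at 02:00 UTC, the local wall-clock run time in January and July across a few time zones. It assumes Python 3.9 or later with the zoneinfo module and a system time zone database; the 02:00 UTC schedule and the zone names are constructed inputs. It goes beyond the text's case in one respect: the sign of the shift flips for a southern-hemisphere zone such as Australia/Sydney, and it is zero where no seasonal adjustment is observed.

```python
from datetime import date, datetime, timezone
from zoneinfo import ZoneInfo


def local_run_time(utc_hour: int, utc_minute: int, on_date: date, tz_name: str) -> datetime:
    """Local wall-clock time at which a task scheduled at utc_hour:utc_minute UTC runs on on_date.

    The management center keeps the UTC time fixed; only the conversion to local time changes.
    """
    scheduled = datetime(on_date.year, on_date.month, on_date.day,
                         utc_hour, utc_minute, tzinfo=timezone.utc)
    return scheduled.astimezone(ZoneInfo(tz_name))


def seasonal_shift_hours(utc_hour: int, utc_minute: int, tz_name: str, year: int) -> float:
    """Hours by which the local run time in mid-July differs from mid-January.

    Positive means the task runs later by the local clock in July (northern-hemisphere DST),
    negative means earlier (southern-hemisphere DST), 0.0 means no seasonal change is observed.
    """
    winter = local_run_time(utc_hour, utc_minute, date(year, 1, 15), tz_name)
    summer = local_run_time(utc_hour, utc_minute, date(year, 7, 15), tz_name)
    return (summer.utcoffset() - winter.utcoffset()).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed schedule: a recurring update at 02:00 UTC, checked for the year 2022.
    for tz in ("America/New_York", "Europe/Berlin", "Australia/Sydney", "Asia/Tokyo"):
        jan = local_run_time(2, 0, date(2022, 1, 15), tz).strftime("%a %H:%M")
        jul = local_run_time(2, 0, date(2022, 7, 15), tz).strftime("%a %H:%M")
        print(f"{tz:18s} January: {jan}  July: {jul}  shift: {seasonal_shift_hours(2, 0, tz, 2022):+.0f} h")
```

Because the UTC time never moves, a window that was chosen under one offset should be re-checked against the intended local maintenance window after each seasonal change; the shift function makes that check mechanical for every zone in which you operate.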


Bandwidth Guidelines

To upgrade a Firepower appliance (or perform a readiness check), the upgrade package must be on the appliance. Firepower upgrade package sizes vary. Make sure you have the bandwidth to perform a large data transfer to your managed devices. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Upgrade System Software

This guide does not contain detailed upgrade instructions for either system software or companion operating systems. Instead, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center for your version.

For information on scheduling downloads and installations for system software patches, see Software Update Automation, on page 461. Note that the initial setup process automatically schedules a weekly patch download.

After setup, you should review the auto-scheduled configurations and adjust them if necessary.

Update the Vulnerability Database (VDB)

The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

Cisco issues periodic updates to the VDB. The time it takes to update the VDB and its associated mappings on the Secure Firewall Management Center depends on the number of hosts in your network map. As a rule of thumb, divide the number of hosts by 1000 to determine the approximate number of minutes to perform the update.

When you set up a new or reimaged management center, the system automatically attempts to update the vulnerability database (VDB). This is a one-time operation. If the management center has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations.

Caution In most cases, the first deploy after updating the VDB restarts the Snort process on managed devices. The system warns you that this can happen — warnings can appear after manual VDB updates, when you schedule VDB updates, during background VDB updates, when you deploy, and so on. Snort restarts cause an interruption in traffic inspection and, depending on how the managed device handles traffic, possibly interrupt traffic flow. For more information, see Snort Restart Traffic Behavior.

Manually Update the VDB

To update the VDB, the VDB update package must be on the management center.

If the management center cannot access the internet, or you want to manually upload the VDB update to the management center, use this procedure. To automate VDB updates, use task scheduling (System ( ) > Tools > Scheduling). For details, see Vulnerability Database Update Automation, on page 465.


Before you begin

• Download the update from https://www.cisco.com/go/firepower-software .

Note Beginning with VDB Release 343, all application detector information is available through Cisco Secure Firewall Application Detectors . This site includes a searchable database of application detectors. The release notes provide information on changes for a particular VDB release.

• Consider the update's effect on traffic flow and inspection due to Snort restarts. We recommend performing updates in a maintenance window.

Procedure

Step 1 Choose System ( ) > Updates, then click Product Updates.

Step 2 Choose how you want to upload the VDB update to the management center.

• Download directly from Cisco.com: Click Download Updates. If it can access the Cisco Support & Download site, the management center downloads the latest VDB. Note that the management center also downloads a package for each patch and hotfix (but not major release) associated with the version your appliances are currently running.

• Upload manually: Click Upload Update, then Choose File. Browse to the update you downloaded earlier, and click Upload.

VDB updates appear on the same page as Firepower software upgrade and uninstaller packages.

Step 3 Install the update.

a) Click Install next to the Vulnerability and Fingerprint Database update.

b) Choose the management center.

c) Click Install.

Step 4 (Optional) Monitor update progress in the Message Center.

Do not perform tasks related to mapped vulnerabilities until the update completes. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC.

After the update completes, the system uses the new vulnerability information. However, you must deploy before updated application detectors and operating system fingerprints can take effect.

Step 5 Verify update success.

Choose Help > About to view the current VDB version.

What to do next

Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.


Schedule VDB Updates

If your management center has internet access, we recommend you schedule regular VDB updates. See Vulnerability Database Update Automation, on page 465.

Update the Geolocation Database

The geolocation database (GeoDB) is a database that you can leverage to view and filter traffic based on geographical location.

The system comes with an initial GeoDB country code package that maps IP addresses to countries/continents, so that information should always be available. If you update the GeoDB, the system also downloads an IP package with contextual data. This contextual data includes additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. We also issue periodic updates to the GeoDB, and you must regularly update the GeoDB to have accurate geolocation information.

As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring the update fails and the management center has internet access, we recommend you configure regular GeoDB updates as described in Schedule GeoDB Updates, on page 208.

The time needed to update the GeoDB depends on your appliance, but can take up to 45 minutes depending on the size of the update—for example, if this is the first time you are downloading the full GeoDB. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.

The GeoDB update overrides any previous versions of the GeoDB and is effective immediately. When you update the GeoDB, the management center automatically updates the related data on its managed devices. It may take a few minutes for a GeoDB update to take effect throughout your deployment. You do not need to re-deploy after you update.

The System ( ) > Updates > Geolocation Updates page and the Help ( ) > About page both list the current version.

Schedule GeoDB Updates

As a part of initial configuration, the system configures a weekly automatic GeoDB update. If configuring the update fails and the management center has internet access, we recommend you configure regular GeoDB updates as described in this procedure.

Before you begin

Make sure the management center can access the internet.

Procedure

Step 1 Choose System ( ) > Updates > Geolocation Updates.

Step 2 Under Recurring Geolocation Updates, check Enable Recurring Weekly Updates from the Support Site.

Step 3 Specify the Update Start Time.

Step 4 Click Save.

Manually Update the GeoDB (Internet Connection)

Use this procedure to perform an on-demand update of the GeoDB if the management center has internet access.

Procedure

Step 1 Choose System ( ) > Updates > Geolocation Updates.

Step 2 Under One-Time Geolocation Update, choose Download and install geolocation update from the Support Site.

Step 3 Click Import.

You can monitor update progress in the Message Center.

Step 4 Verify update success.

The Geolocation Updates page and the Help ( ) > About page both list the current version.

Manually Update the GeoDB (No Internet Connection)

Use this procedure to perform an on-demand update of the GeoDB if the management center does not have internet access.

Procedure

Step 1 Download the GeoDB from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software.

Select or search for your model (or choose any model—you use the same GeoDB for all management centers), then browse to the Coverage and Content Updates page.

Make sure you download both the country code and the IP packages.

Step 2 Choose System ( ) > Updates > Geolocation Updates.

Step 3 Under One-Time Geolocation Update, choose Upload and install geolocation update.

Step 4 Click Choose File, then browse to the country code package you downloaded earlier.

Step 5 Click Import.

You can monitor update progress in the Message Center.

Step 6 Repeat steps 4 and 5 for the IP package.

Step 7 Verify update success.

The Geolocation Updates page and the Help ( ) > About page both list the current version.

Update Intrusion Rules

As new vulnerabilities become known, the Talos Intelligence Group releases intrusion rule updates that you can import onto your Secure Firewall Management Center, and then implement by deploying the changed configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.

Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot import an intrusion rule update that either matches or predates the version of the currently installed rules.

An intrusion rule update may provide the following:

• New and modified rules and rule states —Rule updates provide new and updated intrusion and preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy.

For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled in the Connectivity over Security intrusion policy. Rule updates may also change the default state of existing rules, or delete existing rules entirely.

• New rule categories —Rule updates may include new rule categories, which are always added.

• Modified preprocessor and advanced settings —Rule updates may change the advanced settings in the system-provided intrusion policies and the preprocessor settings in system-provided network analysis policies. They can also update default values for the advanced preprocessing and performance options in your access control policies.

• New and modified variables —Rule updates may modify default values for existing default variables, but do not override your changes. New variables are always added.

In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion rule updates from Talos in the Global domain only.

Understanding When Intrusion Rule Updates Modify Policies

Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all access control policies:

• system provided —Changes to system-provided network analysis and intrusion policies, as well as any changes to advanced access control settings, automatically take effect when you re-deploy the policies after the update.

• custom —Because every custom network analysis and intrusion policy uses a system-provided policy as its base, or as the eventual base in a policy chain, rule updates can affect custom network analysis and intrusion policies. However, you can prevent rule updates from automatically making those changes.

This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to system-provided policies do not override any settings you customized.


Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For your convenience, the Rule Updates page lists policies with cached changes and the users who made those changes.

Deploying Intrusion Rule Updates

For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing a rule update, you can configure the system to automatically redeploy to affected devices. This approach is especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.

Recurring Intrusion Rule Updates

You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page.

If your deployment includes a high availability pair of Secure Firewall Management Centers, import the update on the primary only. The secondary Secure Firewall Management Center receives the rule update as part of the regular synchronization process.

Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base policy update, and configuration deploy. When one subtask completes, the next subtask begins.

At the scheduled time, the system installs the rule update and deploys the changed configuration as you specified in the previous step. You can log off or use the web interface to perform other tasks before or during the import. When accessed during an import, the Rule Update Log displays a Red Status ( ), and you can view messages as they occur in the Rule Update Log detailed view. Depending on the rule update size and content, several minutes may pass before status messages appear.

As a part of initial configuration the system configures a daily automatic intrusion rule update from the Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies.) If configuring the update fails and the management center has internet access, we recommend you configure regular intrusion rule updates as described in Schedule Intrusion Rule Updates, on page 213.

Importing Local Intrusion Rules

A local intrusion rule is a custom standard text rule that you import from a local machine as a plain text file with ASCII or UTF-8 encoding. You can create local rules using the instructions in the Snort users manual, which is available at http://www.snort.org.

In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.

Update Intrusion Rules One-Time Manually

Import a new intrusion rule update manually if your Secure Firewall Management Center does not have Internet access.

Procedure

Step 1 Manually download the update from the Cisco Support Site (http://www.cisco.com/cisco/web/support/index.html).

Step 2 Choose System ( ) > Updates, then click Rule Updates.

Step 3 If you want to move all user-defined rules that you have created or imported to the deleted folder, you must click Delete All Local Rules in the toolbar, then click OK.

Step 4 Choose Rule Update or text rule file to upload and install and click Browse to navigate to and choose the rule update file.

Step 5 If you want to automatically re-deploy policies to your managed devices after the update completes, choose Reapply all policies after the rule update import completes.

Step 6 Click Import. The system installs the rule update and displays the Rule Update Log detailed view.

Note Contact Support if you receive an error message while installing the rule update.

Update Intrusion Rules One-Time Automatically

Note This section applies only to Snort 2.

To import a new intrusion rule update automatically, your appliance must have Internet access to connect to the Support Site.

Before you begin

• Ensure the management center has internet access; see Security, Internet Access, and Communication Ports, on page 1003.

Procedure

Step 1 Choose System ( ) > Updates.

Note You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).

Step 2 Click Rule Updates.

Step 3 If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.

Step 4 Choose Download new Rule Update from the Support Site.

Step 5 If you want to automatically re-deploy the changed configuration to managed devices after the update completes, check the Reapply all policies after the rule update import completes check box.

Step 6 Click Import.

The system installs the rule update and displays the Rule Update Log detailed view.

Caution Contact Support if you receive an error message while installing the rule update.


Schedule Intrusion Rule Updates

Note This section applies only to Snort 2.

As a part of initial configuration the system configures a daily automatic intrusion rule update from the Cisco Support & Download site. (The system deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies.) If configuring the update fails and the management center has internet access, we recommend you configure regular intrusion rule updates as described in this section.

Procedure

Step 1 Choose System ( ) > Updates.

Note You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).

Step 2 Click Rule Updates.

Step 3 If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.

Step 4 Check the Enable Recurring Rule Update Imports from the Support Site check box.

Import status messages appear beneath the Recurring Rule Update Imports section heading.

Step 5 In the Import Frequency field, specify:

• The frequency of the update (Daily, Weekly, or Monthly)

• The day of the week or month you want the update to occur

• The time you want the update to start

Step 6 If you want to automatically re-deploy the changed configuration to your managed devices after the update completes, check the Deploy updated policies to targeted devices after rule update completes check box.

Step 7 Click Save.

Caution Contact Support if you receive an error message while installing the intrusion rule update.

The status message under the Recurring Rule Update Imports section heading changes to indicate that the rule update has not yet run.

Best Practices for Importing Local Intrusion Rules

Observe the following guidelines when importing a local rule file:

• The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or UTF-8.

• The text file name can include alphanumeric characters, spaces, and no special characters other than underscore (_), period (.), and dash (-).

• The system imports local rules preceded with a single pound character (#), but flags them as deleted; it does not import local rules preceded with two pound characters (##).

• Rules cannot contain any escape characters.

• In a multidomain deployment, the system assigns a GID of 1 to a rule imported into or created in the Global domain, and a domain-specific GID between 1000 and 2000 for all other domains.

• You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only GID 1 for a standard text rule.

• When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of 1000000 or greater, and a revision number of 1.

If you must import rules with SIDs, a SID can be any unique number 1,000,000 or greater.

In a multidomain deployment, if multiple administrators are importing local rules at the same time, SIDs within an individual domain might appear to be non-sequential because the system assigned the intervening numbers in the sequence to another domain.

• When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number. You can determine the revision number for a current or deleted rule by editing the rule.

Note The system automatically increments the revision number when you delete a local rule; this is a device that allows you to reinstate local rules. All deleted local rules are moved from the local rule category to the deleted rule category.

• Import local rules on the primary management center in a high availability pair to avoid SID numbering issues.

• The import fails if a rule contains any of the following:

• A SID greater than 2147483647.

• A list of source or destination ports that is longer than 64 characters.

• When importing into the Global domain in a multidomain deployment, a GID:SID combination uses GID 1 and a SID that already exists in another domain; this indicates that the combination existed before Version 6.2.1. You can reimport the rule using GID 1 and a unique SID.

• Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.

• All imported local rules are automatically saved in the local rule category.

• The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.
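The guidelines above translate into checks you can run against a local rule file before uploading it. The following is an added example, not part of the guide and not Cisco's importer, that applies the stated constraints (ASCII/UTF-8 encoding, permitted file name characters, the # versus ## prefixes, no escape characters, GID 1 only, the SID limits, and the 64-character port list limit) to a constructed sample file whose rules are all labelled EXAMPLE. Treating a backslash as the escape character and splitting the rule header into seven whitespace-separated fields are this example's assumptions; the management center remains the authority on whether an import succeeds.

```python
import re
from typing import List, Optional

# Limits stated in the guide's best practices for local intrusion rules.
MAX_SID = 2147483647          # the import fails for a SID above this
MIN_CUSTOM_SID = 1000000      # a SID you supply must be 1,000,000 or greater
STANDARD_TEXT_GID = 1         # the only GID you may specify for a standard text rule
MAX_PORT_LIST_LEN = 64        # a longer source or destination port list fails the import

FILENAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]+$")          # alphanumerics, space, _ . -
OPTION_RE = re.compile(r"\b(sid|gid|rev)\s*:\s*(\d+)")    # numeric rule options we inspect


def filename_ok(name: str) -> bool:
    """Only alphanumerics, spaces, underscore, period and dash are permitted in the file name."""
    return bool(FILENAME_RE.match(name))


def decode_rule_file(data: bytes) -> Optional[str]:
    """The importer accepts ASCII or UTF-8 text; any other encoding is rejected (None)."""
    try:
        return data.decode("utf-8")   # ASCII is a strict subset of UTF-8
    except UnicodeDecodeError:
        return None


def classify(line: str) -> str:
    """'skip' for blank or '##' lines (not imported), 'deleted' for a '#' rule
    (imported but flagged as deleted), 'rule' for everything else."""
    stripped = line.strip()
    if not stripped or stripped.startswith("##"):
        return "skip"
    if stripped.startswith("#"):
        return "deleted"
    return "rule"


def rule_problems(line: str) -> List[str]:
    """Guideline violations in one rule line; an empty list means the line is clean."""
    text = line.strip().lstrip("#").strip()
    problems: List[str] = []
    if "\\" in text:   # assumption: a backslash is what the guide calls an escape character
        problems.append("rule contains an escape character (backslash)")
    header, paren, options = text.partition("(")
    fields = header.split()   # action proto src_ip src_port direction dst_ip dst_port
    if not paren or len(fields) != 7:
        problems.append("malformed rule header")
        return problems
    for label, ports in (("source", fields[3]), ("destination", fields[6])):
        if len(ports) > MAX_PORT_LIST_LEN:
            problems.append(f"{label} port list longer than {MAX_PORT_LIST_LEN} characters")
    opts = {key: int(value) for key, value in OPTION_RE.findall(options)}
    if "gid" in opts and opts["gid"] != STANDARD_TEXT_GID:
        problems.append(f"GID must be {STANDARD_TEXT_GID} for a standard text rule")
    if "sid" in opts:
        if opts["sid"] > MAX_SID:
            problems.append(f"SID exceeds {MAX_SID}")
        elif opts["sid"] < MIN_CUSTOM_SID:
            problems.append(f"SID is below the custom range ({MIN_CUSTOM_SID} or greater)")
    return problems


def validate_rule_file(name: str, data: bytes) -> dict:
    """Summarize what the importer would do with this file before you upload it."""
    report = {"filename_ok": filename_ok(name), "encoding_ok": True,
              "imported": 0, "deleted": 0, "skipped": 0, "problems": {}}
    text = decode_rule_file(data)
    if text is None:
        report["encoding_ok"] = False
        return report
    for number, line in enumerate(text.splitlines(), start=1):
        kind = classify(line)
        if kind == "skip":
            report["skipped"] += 1
            continue
        report["deleted" if kind == "deleted" else "imported"] += 1
        found = rule_problems(line)
        if found:
            report["problems"][number] = found
    return report


# Constructed sample file: every rule is a labelled EXAMPLE, not a real Talos or customer rule.
LONG_PORTS = "[" + ",".join(str(p) for p in range(8000, 8020)) + "]"   # 101 characters
SAMPLE_RULES = "\n".join([
    "## this line is not imported at all",
    '#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE retired rule"; sid:1000002; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE clean first import"; content:"foo"; classtype:misc-activity;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE sid below custom range"; sid:500; rev:1;)',
    'alert tcp any any -> $HOME_NET 443 (msg:"EXAMPLE sid too large"; sid:2147483648; rev:1;)',
    f'alert tcp $EXTERNAL_NET any -> $HOME_NET {LONG_PORTS} (msg:"EXAMPLE long port list"; sid:1000005; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE escaped quote \\" in msg"; sid:1000006; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE wrong gid"; gid:3; sid:1000007; rev:1;)',
]).encode("utf-8")

if __name__ == "__main__":
    for key, value in validate_rule_file("local rules v1.rules", SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Run against the sample, the report counts one skipped line, one rule imported in the deleted state, and six imported rules, and lists a problem for each of lines 4 through 8 while leaving the clean first-import rule (no SID or revision supplied) and the retired rule untouched. Fixing every listed line before the upload avoids a failed import that would otherwise only surface in the Rule Update Log.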


Import Local Intrusion Rules

• Make sure your local rule file follows the guidelines described in Best Practices for Importing Local Intrusion Rules, on page 213.

• Make sure your process for importing local intrusion rules complies with your security policies.

• Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend scheduling rule updates during maintenance windows.

• You can perform this task in any domain.

Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category in a disabled state.

Procedure

Step 1 Choose System ( ) > Updates, then click Rule Updates.

Step 2 (Optional) Delete existing local rules.

Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules to the deleted folder.

Step 3 Under One-Time Rule Update/Rules Import, choose Rule update or text rule file to upload and install, then click Choose File and browse to your local rule file.

Step 4 Click Import.

Step 5 Monitor import progress in the Message Center.

To display the Message Center, click System Status on the menu bar. Even if the Message Center shows no progress for several minutes or indicates that the import has failed, do not restart the import. Instead, contact Cisco TAC.

What to do next

• Edit intrusion policies and enable the rules you imported.

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.

Rule Update Log

The Secure Firewall Management Center generates a record for each rule update and local rule file that you import.

Each record includes a time stamp, the name of the user who imported the file, and a status icon indicating whether the import succeeded or failed. You can maintain a list of all rule updates and local rule files that you import, delete any record from the list, and access detailed records for all imported rules and rule update components.


The Rule Update Import Log detailed view lists a detailed record for each object imported in a rule update or local rule file. You can also create a custom workflow or report from the records listed that includes only the information that matches your specific needs.

Intrusion Rule Update Log Table

Table 9: Intrusion Rule Update Log Fields

Summary: The name of the import file. If the import fails, a brief statement of the reason for the failure appears under the file name.

Time: The time and date that the import started.

User ID: The user name of the user that triggered the import.

Status: Whether the import:

• succeeded (green status icon)

• failed or is currently in progress (red status icon)

The red status icon indicating an unsuccessful or incomplete import appears on the Rule Update Log page during the import and is replaced by the green icon only when the import has successfully completed.

Tip You can view import details as they appear while an intrusion rule update import is in progress.

Viewing the Intrusion Rule Update Log

In a multidomain deployment, you can view data for the current domain and for any descendant domains.

You cannot view data from higher level or sibling domains.

Procedure

Step 1 Choose System > Updates.

Tip You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).

Step 2 Click Rule Updates.

Step 3 Click Rule Update Log.

Step 4 You have two options:

• View — To view details for each object imported in a rule update or local rule file, click View next to the file you want to view; see Viewing Details of the Intrusion Rule Update Import Log, on page 218.

• Delete — To delete an import file record from the import log, including detailed records for all objects included with the file, click Delete next to the import file name.


Note Deleting the file from the log does not delete any object imported in the import file, but only deletes the import log records.

Fields in an Intrusion Rule Update Log

Tip You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.

Table 10: Rule Update Import Log Detailed View Fields

Action: An indication that one of the following has occurred for the object type:

• new (for a rule, this is the first time the rule has been stored on this appliance)

• changed (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID)

• collision (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule on the appliance)

• deleted (for rules, the rule has been deleted from the rule update)

• enabled (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system)

• disabled (for rules, the rule has been disabled in a default policy provided with the system)

• drop (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system)

• error (for a rule update or local rule file, the import failed)

• apply (the Reapply all policies after the rule update import completes option was enabled for the import)

Default Action: The default action defined by the rule update. When the imported object type is rule, the default action is Pass, Alert, or Drop. For all other imported object types, there is no default action.

Details: A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed rule, displayed as previously (GID:SID:Rev). This field is blank for a rule that has not changed.

Domain: The domain whose intrusion policies can use the updated rule. Intrusion policies in descendant domains can also use the rule. This field is only present in a multidomain deployment.

GID: The generator ID for a rule. For example, 1 (standard text rule, Global domain or legacy GID) or 3 (shared object rule).

Name: The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.

Policy: For imported rules, this field displays All. This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.

Rev: The revision number for a rule.

Rule Update: The rule update file name.

SID: The SID for a rule.

Time: The time and date the import began.

Type: The type of imported object, which can be one of the following:

• rule update component (an imported component such as a rule pack or policy pack)

• rule (for rules, a new or updated rule; note that in Version 5.0.1 this value replaced the update value, which is deprecated)

• policy apply (the Reapply all policies after the rule update import completes option was enabled for the import)

Count: The count (1) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.

Viewing Details of the Intrusion Rule Update Import Log

In a multidomain deployment, you can view data for the current domain and for any descendant domains.

You cannot view data from higher level or sibling domains.

Procedure

Step 1 Choose System > Updates.

Tip You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).

Step 2 Click Rule Updates.

Step 3 Click Rule Update Log.

Step 4 Click View next to the file whose detailed records you want to view.

Step 5 You can take any of the following actions:

• Bookmark—To bookmark the current page, click Bookmark This Page.

• Edit Search—To open a search page prepopulated with the current single constraint, choose Edit Search or Save Search next to Search Constraints.

• Manage bookmarks—To navigate to the bookmark management page, click Report Designer.


• Report—To generate a report based on the data in the current view, click Report Designer .

• Search—To search the entire Rule Update Import Log database for rule update import records, click Search.

• Sort—To sort and constrain records on the current workflow page, see Using Drill-Down Pages, on page 626 for more information.

• Switch workflows—To temporarily use a different workflow, click (switch workflows) .

Maintain Your Air-Gapped Deployment

If your management center is not connected to the internet, essential updates will not occur automatically.

You must manually obtain and install these updates. See the following information:

• Manually Update the VDB, on page 206

• Update Intrusion Rules One-Time Manually, on page 211

• Manually Update the GeoDB (No Internet Connection), on page 209

• The upgrade guide at https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide.html


History for System Updates

Feature: Copy upgrade packages ("peer-to-peer sync") from device to device.

Version: 7.2

Details: Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer-to-peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 concurrent package transfers.

This feature is supported for Version 7.2+ standalone devices managed by the same standalone management center. It is not supported for:

• Container instances.

• Device high availability pairs and clusters.

Note that Version 7.1+ group members can get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

• Devices managed by high availability management centers.

• Devices in different domains, or devices separated by a NAT gateway.

• CDO-managed devices added to the management center in analytics mode.

• Devices upgrading from Version 7.1 or earlier, regardless of management center version.

New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status

Feature: Auto-upgrade to Snort 3 after successful threat defense upgrade.

Version: 7.2

Details: When you use a Version 7.2+ management center to upgrade threat defense, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

This option is supported for major and maintenance threat defense upgrades to Version 7.2+. It is not supported for threat defense upgrades to Version 7.0 or 7.1, or for patches to any version.


Feature: Upgrade for single-node clusters.

Version: 7.2

Details: You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System > Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Feature: Revert threat defense upgrades from the CLI.

Version: 7.2

Details: You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert, show upgrade revert-info.

Feature: GeoDB is split into two packages.

Version: 7.2

Details: In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

If your Version 7.2+ management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains and imports both packages. However, if you manually download updates—for example, in an air-gapped deployment—make sure you get and import both GeoDB packages:

• Country code package: Cisco_GEODB_Update-<date>-<build>.sh.REL.tar

• IP package: Cisco_IP_GEODB_Update-<date>-<build>.sh.REL.tar

The Geolocation Updates (System > Updates > Geolocation Updates) page and the About page (Help > About) list the versions of the packages currently being used by the system.

Feature: Upgrade does not automatically generate troubleshooting files.

Version: 7.2

Details: To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the management center, choose System > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.


Feature: Revert a successful device upgrade.

Version: 7.1

Details: You can now revert major and maintenance upgrades to threat defense from the management center web interface. Reverting returns the software to its state just before the last upgrade, also called a snapshot. Reverting after patching necessarily removes patches as well.

If you think you might need to revert, you must use the System > Updates page to upgrade threat defense. The System Updates page is the only place you can enable the Enable revert after successful upgrade option, which configures the system to save a revert snapshot when you initiate the upgrade. This is in contrast to our usual recommendation to use the wizard on the Devices > Device Upgrade page.

This is not supported for container instances on the Firepower 4100/9300.

Feature: Improvements to the upgrade workflow for clustered and high availability devices.

Version: 7.1

Details: The threat defense upgrade wizard now correctly displays clustered and high availability units as groups, rather than as individual devices. The system can identify, report, and preemptively require fixes for group-related issues you might have. For example, you cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes on chassis manager.

You can also specify the upgrade order of data units in a cluster.

Feature: Improved threat defense upgrade performance and status reporting.

Version: 7.0

Details: Upgrading threat defense is now easier, faster, more reliable, and takes up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting.


Feature: Easy-to-follow threat defense upgrade workflow.

Version: 7.0

Details:

A new device upgrade page ( Devices > Device Upgrade ) provides an easy-to-follow workflow for upgrading Version 6.4+ threat defense.

The system walks you through important pre-upgrade stages, including:

• Selecting devices to upgrade.

• Copying the upgrade package to the devices.

• Compatibility and readiness checks.

To begin, use the new Upgrade Firepower Software action on the Device Management page ( Devices > Device Management > Select Action ).

Note You must still use the System Updates page (System > Updates) to upload or specify the location of threat defense upgrade packages. You must also use the System Updates page to upgrade the management center itself, as well as all non-threat defense managed devices.

As you proceed with the upgrade workflow, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the workflow, it does not appear in the next stage.

If you navigate away from the workflow, your progress is preserved, although other users with Administrator access can reset, modify, or continue the workflow.

Note In Version 7.0, the Device Upgrade page does not correctly display devices in clusters or high availability pairs. Even though you must select and upgrade these devices as a unit, the workflow displays them as standalone devices.

Device status and upgrade readiness are evaluated and reported on an individual basis. This means it is possible for one unit to appear to "pass" to the next stage while the other unit or units do not. However, these devices are still grouped. Running a readiness check on one, runs it on all. Starting the upgrade on one, starts it on all.

To avoid possible time-consuming upgrade failures, manually ensure all group members are ready to move on to the next step of the workflow before you click Next .


Feature: Upgrade more threat defense devices at once.

Version: 7.0

Details:

The threat defense upgrade workflow lifts the following restrictions:

• Simultaneous device upgrades.

The number of devices you can upgrade at once is now limited by your management network bandwidth—not the system's ability to manage simultaneous upgrades.

Previously, we recommended against upgrading more than five devices at a time.

Important Only upgrades to threat defense Version 6.7+ see this improvement. If you are upgrading devices to an older threat defense release—even if you are using the new upgrade workflow—we still recommend you limit to five devices at a time.

• Grouping upgrades by device model.

You can now queue and invoke upgrades for all threat defense models at the same time, as long as the system has access to the appropriate upgrade packages.

Previously, you would choose an upgrade package, then choose the devices to upgrade using that package. That meant that you could upgrade multiple devices at the same time only if they shared an upgrade package. For example, you could upgrade two Firepower 2100 series devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.


Feature: Improved threat defense upgrade status reporting and cancel/retry options.

Version: 6.7

Details: You can now view the status of threat defense device upgrades and readiness checks in progress on the Device Management page, as well as a 7-day history of upgrade success/failures. The Message Center also provides enhanced status and error messages.

A new Upgrade Status pop-up, accessible from both Device Management and the Message Center with a single click, shows detailed upgrade information, including percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs, and so on.

Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel Upgrade), or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the device to its pre-upgrade state.

Note To be able to manually cancel or retry a failed upgrade, you must disable the new auto-cancel option, which appears when you use the management center to upgrade a threat defense device: Automatically cancel on upgrade failure and roll back to the previous version. With the option enabled, the device automatically reverts to its pre-upgrade state upon upgrade failure.

Auto-cancel is not supported for patches. In an HA or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.

New/modified screens:

• System > Update > Product Updates > Available Updates > Install icon for the threat defense upgrade package

• Devices > Device Management > Upgrade

• Message Center > Tasks

New/modified CLI commands: show upgrade status detail, show upgrade status continuous, show upgrade status, upgrade cancel, upgrade retry

Feature: Upgrades remove PCAP files to save disk space.

Version: 6.7

Details: Upgrades now remove locally stored PCAP files. You must have enough free disk space or the upgrade fails.

Feature: Custom intrusion rule import warns when rules collide.

Version: 6.7

Details: The management center now warns you of rule collisions when you import custom (local) intrusion rules. Previously, the system would silently skip the rules that cause collisions—with the exception of Version 6.6.0.1, where a rule import with collisions would fail entirely.

On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status column. For more information, hover your pointer over the warning icon and read the tooltip.

Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers; for more best practices, see Best Practices for Importing Local Intrusion Rules, on page 213.

New/modified screens: We added a warning icon to System > Updates > Rule Updates.
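The collision rule described here and the local-rule guidance earlier in this chapter (the new/changed/collision outcomes the rule update log reports per GID:SID:Rev, and the deprecated threshold keyword that breaks policy validation) can be checked on a local rule file before you upload it. The following script is an added example, not Cisco code and not the management center's own import logic; EXISTING_RULES and LOCAL_RULE_FILE are constructed.

```python
"""Pre-import checks for a local (custom) intrusion rule file.

Added example; not Cisco code and not the management center's own import logic.
It mirrors what the guide describes: the new / changed / collision outcomes the
rule update log reports per GID:SID:Rev, the collision warning for a rule whose
SID/revision already exists, and the policy-validation failure for rules that
still use the deprecated threshold keyword. EXISTING_RULES and LOCAL_RULE_FILE
are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed: (GID, SID) -> revision already stored on the appliance.
EXISTING_RULES = {(1, 1000001): 2, (1, 1000002): 1}

# Constructed local rule file; findings refer to its line numbers.
LOCAL_RULE_FILE = """\
# LOCAL rules, constructed for this example
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"LOCAL bumped rev"; sid:1000001; rev:3;)
alert tcp any any -> any 80 (msg:"LOCAL same rev; collides"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL deprecated keyword"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000003; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL no rev"; sid:1000004;)
alert tcp any any -> any 22 (msg:"LOCAL brand new"; gid:1; sid:1000005; rev:1;)
"""

# One rule option: keyword, optional ":value" (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(
    r'\s*(?P<key>[A-Za-z_][\w.-]*)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;'
)


@dataclass
class Finding:
    line: int
    status: str  # new | changed | collision | error | threshold
    detail: str


def parse_options(rule: str) -> dict:
    """Return the option keywords of one Snort text rule as {keyword: value}."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option body")
    opts = {}
    for m in OPTION_RE.finditer(rule[start + 1:end]):
        val = m.group("val")
        opts[m.group("key")] = val.strip() if val is not None else ""
    return opts


def check_local_rules(text: str, existing: dict) -> list:
    """Classify every rule in the file against the rules already on the appliance."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            opts = parse_options(line)
            gid, sid = int(opts.get("gid", 1)), int(opts["sid"])  # GID 1: standard text rule
            rev = int(opts["rev"]) if "rev" in opts else None
        except (ValueError, KeyError) as exc:
            findings.append(Finding(n, "error", f"cannot parse rule: {exc!r}"))
            continue
        if rev is None:
            findings.append(Finding(n, "error", f"{gid}:{sid} has no rev keyword; number every revision so updates can be told apart"))
            continue
        old = existing.get((gid, sid))
        if old is None:
            findings.append(Finding(n, "new", f"{gid}:{sid}:{rev} is not on the appliance yet"))
        elif rev > old:
            findings.append(Finding(n, "changed", f"{gid}:{sid}:{rev} replaces previously {gid}:{sid}:{old}"))
        else:
            # Same revision is the collision the guide describes (import skips the rule).
            # Treating a lower revision as a collision as well is this script's assumption.
            findings.append(Finding(n, "collision", f"{gid}:{sid}:{rev} conflicts with existing revision {old}; the rule would be skipped"))
        if "threshold" in opts:
            findings.append(Finding(n, "threshold", f"{gid}:{sid} uses the deprecated threshold keyword; policy validation fails if it is enabled together with intrusion event thresholding"))
    return findings


def summarize(findings) -> dict:
    """Count findings per status, e.g. {'new': 2, 'collision': 1}."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    results = check_local_rules(LOCAL_RULE_FILE, EXISTING_RULES)
    for f in results:
        print(f"line {f.line}: {f.status:<9} {f.detail}")
    print(summarize(results))
```

Run it against the rule file you intend to upload, with EXISTING_RULES filled from the GID:SID:Rev values the rule update log already shows; any collision or error line is a rule to fix before the import.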


Feature: Get threat defense upgrade packages from an internal web server.

Version: 6.6

Details: Threat defense devices can now get upgrade packages from your own internal web server, rather than from the management center. This is especially useful if you have limited bandwidth between the management center and its devices. It also saves space on the management center.

Note This feature is supported only for threat defense devices running Version 6.6+. It is not supported for upgrades to Version 6.6, nor is it supported for the management center or Classic devices.

New/modified screens: We added a Specify software update source option to the page where you upload upgrade packages.

Feature: The management center downloads and installs the latest VDB during initial setup.

Version: 6.6

Details: When you set up a new or reimaged management center, the system automatically attempts to update the vulnerability database (VDB).

This is a one-time operation. If the management center has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations.

Feature: The management center schedules software downloads and GeoDB updates during initial setup.

Version: 6.5

Details: When you set up a new or reimaged management center, the system automatically schedules:

• A weekly task to download software updates for the management center and its managed devices.

• Weekly updates for the GeoDB.

The tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur one hour “later” in the summer than in the winter, according to local time. We recommend you review the auto-scheduled configurations and adjust them if necessary.

Feature: Scheduled tasks postponed during management center upgrades.

Version: 6.7, 6.6.3, 6.4.0.10

Details: Scheduled tasks are now postponed during management center upgrades. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.

Note Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.

Note that this feature is supported for all upgrades from a supported version. This includes Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7+. This feature is not supported for upgrades to a supported version from an unsupported version.


Feature: Signed SRU, VDB, and GeoDB updates.

Version: 6.4

Details: So the system can verify that you are using the correct update files, the system now uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates.

Unless you manually download updates from the Cisco Support & Download site—for example, in an air-gapped deployment—you should not notice any difference in functionality.

If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version. Signed update files begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:

• SRU: Cisco_Firepower_SRU-<date>-<build>-vrt.sh.REL.tar

• VDB: Cisco_VDB_Fingerprint_Database-4.5.0-<version>.sh.REL.tar

• GeoDB: Cisco_GEODB_Update-<date>-<build>.sh.REL.tar

Do not untar signed (.tar) packages.

Feature: Faster upgrade.

Version: 6.4

Details: Improvements to the event database allow faster upgrade.

Feature: Copy upgrade packages to managed devices before the upgrade.

Version: 6.2.3

Details: You can now copy (or push) an upgrade package from the management center to a managed device before you run the actual upgrade. This is useful because you can push during times of low bandwidth use, outside of the upgrade maintenance window.

When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/control/primary first, then to the standby/data/secondary.

New/modified screens: System > Updates

Feature: The management center warns of Snort restart before VDB updates.

Version: 6.2.3

Details: The management center now warns you that Vulnerability Database (VDB) updates restart the Snort process. This interrupts traffic inspection and, depending on how the managed device handles traffic, possibly interrupts traffic flow. You can cancel the install until a more convenient time, such as during a maintenance window.

These warnings can appear:

• After you download and manually install a VDB.

• When you create a scheduled task to install the VDB.

• When the VDB installs in the background, such as during a previously scheduled task or as part of a software upgrade.
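The signed-package naming rules in the Version 6.4 entry above (names begin with Cisco, end in .sh.REL.tar, must not be untarred) and the two-package GeoDB requirement in the Version 7.2 entry are easy to get wrong when updates are carried into an air-gapped deployment by hand. The following script is an added example, not Cisco code; the file names are constructed, and the DATE, BUILD and VERSION tokens and the separators around them are assumptions standing in for the real values.

```python
"""Checks for manually downloaded SRU, VDB, and GeoDB packages (air-gapped use).

Added example, not Cisco code. It applies the naming rules the guide gives for
signed packages and the Version 7.2+ requirement to import both GeoDB packages
(country code and IP). File names below are constructed; DATE, BUILD and VERSION
are placeholders for the real fields, and the separators are assumed.
"""
import re

SIGNED_SUFFIX = ".sh.REL.tar"

# Prefixes and suffixes from the guide; the middle (date/build/version) is matched loosely.
PACKAGE_PATTERNS = {
    "sru": re.compile(r"^Cisco_Firepower_SRU.*-vrt\.sh\.REL\.tar$"),
    "vdb": re.compile(r"^Cisco_VDB_Fingerprint_Database.*\.sh\.REL\.tar$"),
    "geodb_country": re.compile(r"^Cisco_GEODB_Update.*\.sh\.REL\.tar$"),
    "geodb_ip": re.compile(r"^Cisco_IP_GEODB_Update.*\.sh\.REL\.tar$"),
}

# Constructed listing of a download directory prepared for an offline import.
SAMPLE_DOWNLOADS = [
    "Cisco_Firepower_SRU-DATE-BUILD-vrt.sh.REL.tar",
    "Cisco_VDB_Fingerprint_Database-4.5.0-VERSION.sh.REL.tar",
    "Cisco_GEODB_Update-DATE-BUILD.sh.REL.tar",
    "Cisco_GEODB_Update-DATE-BUILD.sh",  # someone untarred the signed package
    "Sourcefire_VDB_Fingerprint_Database-4.5.0-VERSION.sh",  # pre-6.4 unsigned package
    "README.txt",
]


def classify(name: str):
    """Return (kind, issue) for one file name; issue is None when the name is acceptable."""
    for kind, pattern in PACKAGE_PATTERNS.items():
        if pattern.match(name):
            return kind, None
    if name.startswith("Sourcefire") and name.endswith(".sh"):
        return "legacy_unsigned", (f"{name}: unsigned pre-6.4 package; Version 6.4+ "
                                   f"installs only signed Cisco_*{SIGNED_SUFFIX} files")
    if name.startswith("Cisco") and name.endswith(".sh"):
        return "untarred", (f"{name}: looks like an untarred signed package; "
                            f"import the original {SIGNED_SUFFIX} file instead")
    return "unknown", None


def check_downloads(names, mc_version=(7, 2)):
    """Group files by package kind and collect the problems an import would run into."""
    packages, issues = {}, []
    for name in names:
        kind, issue = classify(name)
        packages.setdefault(kind, []).append(name)
        if issue:
            issues.append(issue)
    # A Version 7.2+ management center needs both GeoDB packages, not just one of them.
    if mc_version >= (7, 2):
        have_country, have_ip = "geodb_country" in packages, "geodb_ip" in packages
        if have_country != have_ip:
            missing = "IP" if have_country else "country code"
            issues.append(f"GeoDB {missing} package is missing; Version 7.2+ needs both GeoDB packages")
    return {"packages": packages, "issues": issues}


if __name__ == "__main__":
    report = check_downloads(SAMPLE_DOWNLOADS)
    for kind, files in sorted(report["packages"].items()):
        print(f"{kind}: {', '.join(files)}")
    for issue in report["issues"]:
        print("ISSUE:", issue)
```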


Chapter 7

Licenses

This chapter provides in-depth information about the different license types, service subscriptions, licensing requirements and more.

Note The Management Center supports either a Smart License or a legacy PAK (Product Activation Keys) license for its platform license. For more information about using the PAK license, see Configure Legacy Management Center PAK-Based Licenses, on page 271.

• About Licenses, on page 229

• Requirements and Prerequisites for Licensing, on page 245

• Create a Smart Account and Add Licenses, on page 248

• Configure Smart Licensing, on page 249

• Configure Specific License Reservation (SLR), on page 261

• Configure Legacy Management Center PAK-Based Licenses, on page 271

• Additional Information about Licensing, on page 272

• History for Licenses, on page 273

About Licenses

Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure—you control what users can access. With Smart Licensing you get:

• Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).

• Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.

• License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.

To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide


Smart Software Manager and Accounts

When you purchase one or more licenses, you manage them in the Smart Software Manager: https://software.cisco.com/#module/SmartLicensing. The Smart Software Manager lets you create a master account for your organization. If you do not yet have an account, click the link to set up a new account.

By default, your licenses are assigned to the Default Virtual Account under your master account. As the account administrator, you can create additional virtual accounts; for example, for regions, departments, or subsidiaries. Multiple virtual accounts help you manage large numbers of licenses and devices.

You manage licenses by virtual account. Only that virtual account’s devices can use the licenses assigned to the account. If you need additional licenses, you can transfer an unused license from another virtual account.

You can also transfer devices between virtual accounts.

Licensing Options for Air-Gapped Deployments

The following table compares the available licensing options for environments without internet access. Your sales representative may have additional advice for your specific situation.

Table 11: Comparison of Licensing Options for Air-Gapped Networks

Smart Software Manager On-Prem:

• Scalable for a large number of products

• Automated licensing management, usage and asset management visibility

• No incremental operational costs to add devices

• Flexible, easier to use, less overhead

• Out-of-compliance status is allowed initially and at various expiration states

For more information, see Register the Management Center with the Smart Software Manager On-Prem, on page 252.

Specific License Reservation:

• Best for a small number of devices

• Limited usage and asset management visibility

• Linear operational costs over time to add devices

• Significant administrative and manual overhead for moves, adds, and changes

• Out-of-compliance status impacts system functioning

For more information, see Configure Specific License Reservation (SLR), on page 261.

How Licensing Works for the Management Center and Devices

The management center registers with the Smart Software Manager, and then assigns licenses for each managed device. Devices do not register directly with the Smart Software Manager.

A physical management center does not require a license for its own use. The management center virtual does require a platform license.


Periodic Communication with the Smart Software Manager

In order to maintain your product license entitlement, your product must communicate periodically with the Smart Software Manager.

You use a Product Instance Registration Token to register the management center with the Smart Software Manager. The Smart Software Manager issues an ID certificate for communication between the management center and the Smart Software Manager. This certificate is valid for one year, although it will be renewed every six months. If an ID certificate expires (after a year with no communication), the management center may be removed from your account.

The management center communicates with the Smart Software Manager on a periodic basis. If you make changes in the Smart Software Manager, you can refresh the authorization on the management center so the changes immediately take effect. You also can wait for the management center to communicate as scheduled.

Your management center must either have direct internet access to the Smart Software Manager, or use one of the options described in Licensing Options for Air-Gapped Deployments, on page 230. In non-air-gapped deployments, normal license communication occurs every 30 days, but with the grace period, your management center will operate for up to 90 days without calling home. You must contact the management center before 90 days have passed, or else the management center will revert to an unregistered state.

Evaluation Mode

Before the management center registers with the Smart Software Manager, it operates for 90 days in evaluation mode. You can assign feature licenses to managed devices, and they will remain in compliance for the duration of evaluation mode. When this period ends, the management center becomes unregistered.

If you register the management center with the Smart Software Manager, the evaluation mode ends. If you later deregister the management center, you cannot resume evaluation mode, even if you did not initially use all 90 days.

For more information about the unregistered state, see Unregistered State, on page 232.

Note You cannot receive an evaluation license for Strong Encryption (3DES/AES); you must register with the Smart Software Manager to receive the export-compliance token that enables the Strong Encryption (3DES/AES) license.

Out-of-Compliance State

The management center can become out of compliance in the following situations:

• Over-utilization—When the managed devices or the management center virtual uses unavailable licenses.

• License expiration—When a managed device term-based license expires.

In an out-of-compliance state, the following effects apply:

• Management Center Virtual platform license—Operation is not affected.

• All managed device licenses—Operation is not affected.

After you resolve the licensing problem, the management center will show that it is now in compliance after its regularly scheduled authorization with the Smart Software Manager. To force an authorization, click Re-Authorize on the System > Licenses > Smart Licenses page.

Unregistered State

The management center can become unregistered in the following situations:

• Evaluation mode expiration—Evaluation mode expires after 90 days.

• Manual deregistration of the management center

• Lack of communication with the Smart Software Manager—The management center does not communicate with the Smart Software Manager for 1 year. Note: After 90 days, the management center authorization expires, but it can successfully resume communication within one year to automatically re-authorize.

After a year, the ID certificate expires, and the management center is removed from your account so you will have to manually re-register the management center.

In an unregistered state, the management center cannot deploy any configuration changes to devices for features that require licenses.
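The evaluation, grace-period and ID-certificate timelines described under Periodic Communication with the Smart Software Manager, Evaluation Mode, and Unregistered State above, as an added Python example (not Cisco code): the day counts are the ones this guide states; the data class, the function names and the on() helper are assumptions for illustration.

```python
"""State model for the management center's Smart Licensing lifecycle.

Added example, not Cisco code: the day counts are the ones this guide states
(90-day evaluation, 90-day grace period, one-year ID certificate); the data
class, function names and the on() helper are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

EVALUATION_DAYS = 90           # evaluation mode ends after 90 days
AUTHORIZATION_GRACE_DAYS = 90  # operates up to 90 days without calling home
ID_CERT_DAYS = 365             # ID certificate valid one year; then the FMC is removed

EVALUATION = "evaluation"
AUTHORIZED = "authorized"
AUTHORIZATION_EXPIRED = "authorization_expired"  # re-authorizes on next contact
UNREGISTERED = "unregistered"                    # cannot deploy licensed features


def on(iso_day: str) -> date:
    """Small helper so dates read as calendar days in examples and tests."""
    return date.fromisoformat(iso_day)


@dataclass
class ManagementCenter:
    first_boot: date
    last_contact: Optional[date] = None  # last successful SSM exchange; None = never registered
    deregistered: bool = False           # manual deregistration; evaluation cannot resume


def licensing_state(mc: ManagementCenter, today: date) -> str:
    """Licensing state of the management center on the given day."""
    if mc.deregistered:
        return UNREGISTERED
    if mc.last_contact is None:
        # Never registered: evaluation mode counts from first boot.
        if (today - mc.first_boot).days < EVALUATION_DAYS:
            return EVALUATION
        return UNREGISTERED
    silent_days = (today - mc.last_contact).days
    if silent_days < AUTHORIZATION_GRACE_DAYS:
        return AUTHORIZED
    if silent_days < ID_CERT_DAYS:
        return AUTHORIZATION_EXPIRED  # automatic re-authorization still possible
    return UNREGISTERED               # ID certificate expired; manual re-registration needed


def can_deploy_licensed_features(mc: ManagementCenter, today: date) -> bool:
    return licensing_state(mc, today) != UNREGISTERED


def register(mc: ManagementCenter, today: date) -> None:
    """Registration with a Product Instance Registration Token (always a manual step)."""
    mc.last_contact = today
    mc.deregistered = False


def deregister(mc: ManagementCenter) -> None:
    mc.deregistered = True
    mc.last_contact = None


def record_contact(mc: ManagementCenter, today: date) -> bool:
    """Record a scheduled or forced (Re-Authorize) exchange with the Smart Software
    Manager. Returns False when there is no registration to renew or the ID
    certificate has already expired, so the operator must re-register."""
    if mc.deregistered or mc.last_contact is None:
        return False
    if (today - mc.last_contact).days >= ID_CERT_DAYS:
        return False
    mc.last_contact = today
    return True


def days_until_next_transition(mc: ManagementCenter, today: date) -> Optional[int]:
    """Days left before the state degrades; useful as a monitoring threshold.
    None when the management center is already unregistered."""
    state = licensing_state(mc, today)
    if state == EVALUATION:
        return EVALUATION_DAYS - (today - mc.first_boot).days
    if state == AUTHORIZED:
        return AUTHORIZATION_GRACE_DAYS - (today - mc.last_contact).days
    if state == AUTHORIZATION_EXPIRED:
        return ID_CERT_DAYS - (today - mc.last_contact).days
    return None


if __name__ == "__main__":
    fmc = ManagementCenter(first_boot=on("2022-01-01"))  # constructed dates
    print(licensing_state(fmc, on("2022-03-01")))             # evaluation
    register(fmc, on("2022-02-01"))
    print(licensing_state(fmc, on("2022-06-01")))             # authorization_expired
    print(days_until_next_transition(fmc, on("2022-06-01")))  # 245
```

A health check that alerts when days_until_next_transition() drops below the 30-day communication interval gives an operator time to restore connectivity or click Re-Authorize before deployments are blocked.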

End-User License Agreement

The Cisco end-user license agreement (EULA) and any applicable supplemental agreement (SEULA) that governs your use of this product are available from http://www.cisco.com/go/softwareterms.

License Types and Restrictions

This section describes the types of licenses available.

Table 12: Smart Licenses

Each entry lists the License You Assign, followed by the Subscription You Purchase, the Duration, and the Granted Capabilities.

Base
• Subscription You Purchase: Based on license type
• Duration: Perpetual or Subscription. Note: Base subscription licenses are supported only on Threat Defense Virtual. Except for Specific License Reservation and the Secure Firewall 3100, base perpetual licenses are automatically assigned with all threat defenses.
• Granted Capabilities: User and application control; Switching and routing; NAT. For details, see Base Licenses, on page 234.

Threat
• Subscription You Purchase: T; TC (Threat + URL); TMC (Threat + Malware defense + URL)
• Duration: Subscription
• Granted Capabilities: Intrusion detection and prevention; File control; Security Intelligence filtering. For details, see Threat Licenses, on page 235.

Malware defense
• Subscription You Purchase: TM (Threat + Malware defense); TMC (Threat + Malware defense + URL); AMP
• Duration: Subscription
• Granted Capabilities: Malware defense; Secure Malware Analytics; File storage. For details, see Malware Defense Licenses, on page 235 and License Requirements for File and Malware Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.

URL Filtering
• Subscription You Purchase: TC (Threat + URL); TMC (Threat + Malware defense + URL); URL
• Duration: Subscription
• Granted Capabilities: Category and reputation-based URL filtering. For details, see URL Filtering Licenses, on page 236.

Management Center Virtual
• Subscription You Purchase: Based on license type
• Duration: Regular Smart Licensing—Perpetual; Specific License Reservation—Subscription
• Granted Capabilities: The platform license determines the number of devices the management center virtual can manage. For details, see Management Center Virtual Licenses, on page 234.

Export-Controlled Features
• Subscription You Purchase: No subscription required
• Duration: Perpetual
• Granted Capabilities: Features that are subject to national security, foreign policy, and anti-terrorism laws and regulations; see Licensing for Export-Controlled Functionality, on page 237.

Remote Access VPN: AnyConnect Apex; AnyConnect Plus; AnyConnect VPN Only
• Subscription You Purchase: Based on license type
• Duration: Subscription or perpetual
• Granted Capabilities: Remote access VPN configuration. Your account must allow export-controlled functionality to configure remote access VPN. You select whether you meet export requirements when you register the device. The threat defense can use any valid Secure Client license. The available features do not differ based on license type. For more information, see Secure Client Licenses, on page 236 and VPN Licensing in the Cisco Secure Firewall Management Center Device Configuration Guide.

Note Subscription licenses are term-based licenses.

Management Center Virtual Licenses

The management center virtual requires a platform license that correlates with the number of devices it can manage.

The management center virtual supports Smart Licensing.

In regular Smart Licensing, these licenses are perpetual.

In Specific License Reservation, these licenses are subscription-based.

Base Licenses

The Base license allows you to:

• Configure your devices to perform switching and routing (including DHCP relay and NAT)

• Configure devices as a high availability pair

• Configure clustering

• Implement user and application control by adding user and application conditions to access control rules

Secure Firewall 3100

You obtain a Base license when you purchase the Secure Firewall 3100.

Other Models

Except in deployments using Specific License Reservation, a Base license is automatically added to your account when you register a device to the management center. For Specific License Reservation, you need to add the Base license to your account.

Malware Defense Licenses

A Malware defense license lets you perform malware defense and Secure Malware Analytics. With this feature, you can use devices to detect and block malware in files transmitted over your network. To support this feature license, you can purchase the Malware defense (AMP) service subscription as a stand-alone subscription or in combination with Threat (TM) or Threat and URL Filtering (TMC) subscriptions.

Note Managed devices with Malware defense licenses enabled periodically attempt to connect to the Secure Malware Analytics Cloud even if you have not configured dynamic analysis. Because of this, the device’s Interface Traffic dashboard widget shows transmitted traffic; this is expected behavior.

You configure malware defense as part of a file policy, which you then associate with one or more access control rules. File policies can detect your users uploading or downloading files of specific types over specific application protocols. Malware defense allows you to use local malware analysis and file preclassification to inspect a restricted set of those file types for malware. You can also download and submit specific file types to the Secure Malware Analytics Cloud for dynamic and Spero analysis to determine whether they contain malware. For these files, you can view the network file trajectory, which details the path the file has taken through your network. The Malware license also allows you to add specific files to a file list and enable the file list within a file policy, allowing those files to be automatically allowed or blocked on detection.

If you disable all your Malware defense licenses, the system stops querying the Secure Malware Analytics Cloud, and also stops acknowledging retrospective events sent from the Secure Malware Analytics Cloud. You cannot re-deploy existing access control policies if they include malware defense configurations. Note that for a very brief time after a Malware defense license is disabled, the system can use existing cached file dispositions. After the time window expires, the system assigns a disposition of Unavailable to those files.

Note that a Malware defense license is required only if you deploy malware defense and Secure Malware Analytics. Without a Malware defense license, the management center can receive Secure Endpoint malware events and indications of compromise (IOC) from the Secure Malware Analytics Cloud.

See also important information at License Requirements for File and Malware Policies in the Cisco Secure Firewall Management Center Device Configuration Guide.

Threat Licenses

A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:

• Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.

• File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols.

Malware defense, which requires a Malware defense license, allows you to inspect and block a restricted set of those file types based on their dispositions.

• Security Intelligence filtering allows you to block—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately block connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware defense (TM), or both (TMC).

If you disable Threat on managed devices, the management center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as trigger criteria stop firing. Additionally, the management center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing intrusion policies until you re-enable Threat.

URL Filtering Licenses

The URL Filtering license allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs.

To support this feature license, you can purchase the URL Filtering (URL) service subscription as a stand-alone subscription or in combination with Threat (TC) or Threat and Malware defense (TMC) subscriptions.

Tip Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic.

Although you can add category and reputation-based URL conditions to access control rules without a URL Filtering license, the management center will not download URL information. You cannot deploy the access control policy until you first add a URL Filtering license to the management center, then enable it on the devices targeted by the policy.

If you disable the URL Filtering license on managed devices, you may lose access to URL filtering. If your license expires or if you disable it, access control rules with URL conditions immediately stop filtering URLs, and your management center can no longer download updates to URL data. You cannot re-deploy existing access control policies if they include rules with category and reputation-based URL conditions.

Secure Client Licenses

You can configure remote access VPN using the Secure Client and standards-based IPSec/IKEv2.

To enable remote access VPN, you must purchase and enable one of the following licenses: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only. You can select AnyConnect Plus and AnyConnect Apex if you have both licenses and you want to use them both. The AnyConnect VPN Only license cannot be used with Apex or Plus. The Secure Client license must be shared with the Smart Account. For more instructions, see http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf.

You cannot deploy the remote access VPN configuration to the device if the specified device does not have the entitlement for a minimum of one of the specified Secure Client license types. If the registered license moves out of compliance or entitlements expire, the system displays licensing alerts and health events.

While using remote access VPN, your Smart Account must have the export controlled features (strong encryption) enabled. The threat defense requires strong encryption (which is higher than DES) for successfully establishing remote access VPN connections with Secure Clients.

You cannot deploy remote access VPN if the following are true:

• Smart Licensing on the management center is running in evaluation mode.

• Your Smart Account is not configured to use export-controlled features (strong encryption).

Licensing for Export-Controlled Functionality

Features that require export-controlled functionality

Certain software features are subject to national security, foreign policy, and anti-terrorism laws and regulations.

These export-controlled features include:

• Security certifications compliance

• Remote access VPN

• Site-to-site VPN with strong encryption

• SSH platform policy with strong encryption

• SSL policy with strong encryption

• Functionality such as SNMPv3 with strong encryption

How to determine whether export-controlled functionality is currently enabled for your system

To determine whether export-controlled functionality is currently enabled for your system: Go to System > Licenses > Smart Licenses and see if Export-Controlled Features displays Enabled.

About enabling export-controlled functionality

If Export-Controlled Features shows Disabled and you want to use features that require strong encryption, there are two ways to enable strong cryptographic features. Your organization may be eligible for one or the other (or neither), but not both.

• If there is no option to enable export-controlled functionality when you generate a new Product Instance Registration Token in the Smart Software Manager, contact your account representative.

When approved by Cisco, you can manually add a strong encryption license to your account so you can use export-controlled features. For more information, see Enable the Export Control Feature for Accounts Without Global Permission, on page 253.

• If the option “Allow export-controlled functionality on the products registered with this token” appears when you generate a new Product Instance Registration Token in the Smart Software Manager, make sure you check it before generating the token.

If you did not enable export-controlled functionality for the Product Instance Registration Token that you used to register the management center, then you must deregister and then re-register the management center using a new Product Instance Registration Token with export-controlled functionality enabled.

If you registered devices to the management center in evaluation mode or before you enabled strong encryption on the management center, reboot each managed device to make strong encryption available. In a high availability deployment, the active and standby devices must be rebooted together to avoid an Active-Active condition.

The entitlement is perpetual and does not require a subscription.

More Information

For general information about export controls, see https://www.cisco.com/c/en/us/about/legal/global-export-trade.html.

Threat Defense Virtual Licenses

This section describes the performance-tiered license entitlements available for the threat defense virtual.

Any threat defense virtual license can be used on any supported threat defense virtual vCPU/memory configuration. This allows threat defense virtual customers to run on a wide variety of VM resource footprints.

This also increases the number of supported AWS and Azure instance types. When configuring the threat defense virtual VM, the maximum supported number of cores (vCPUs) is 16, and the maximum supported memory is 32 GB RAM.

Performance Tiers for Threat Defense Virtual Smart Licensing

Session limits for RA VPNs are determined by the installed threat defense virtual platform entitlement tier, and enforced via a rate limiter. The following table summarizes the session limits based on the entitlement tier and rate limiter.

Table 13: Threat Defense Virtual Licensed Feature Limits Based on Entitlement

Performance Tier | Device Specifications (Core/RAM) | Rate Limit | RA VPN Session Limit
FTDv5, 100Mbps | 4 core/8 GB | 100Mbps | 50
FTDv10, 1Gbps | 4 core/8 GB | 1Gbps | 250
FTDv20, 3Gbps | 4 core/8 GB | 3Gbps | 250
FTDv30, 5Gbps | 8 core/16 GB | 5Gbps | 250
FTDv50, 10Gbps | 12 core/24 GB | 10Gbps | 750
FTDv100, 16Gbps | 16 core/32 GB | 16Gbps | 10,000

Threat Defense Virtual Performance Tier Licensing Guidelines and Limitations

Please keep the following guidelines and limitations in mind when licensing your threat defense virtual device.

• The threat defense virtual supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.

• Any threat defense virtual license can be used on any supported threat defense virtual core/memory configuration. This allows the threat defense virtual customers to run on a wide variety of VM resource footprints.

• You can select a performance tier when you deploy the threat defense virtual, whether your device is in evaluation mode or is already registered with Cisco Smart Software Manager.

Note Make sure your Smart Licensing account contains the available licenses you need. It’s important to choose the tier that matches the license you have in your account. If you are upgrading your threat defense virtual to Version 7.0, you can choose FTDv - Variable to maintain your current license compliance. Your threat defense virtual continues to perform with session limits based on your device capabilities (number of cores/RAM).

• The default performance tier is FTDv50 when deploying a new threat defense virtual device, or when provisioning the threat defense virtual using the REST API.

• Base licenses are subscription-based and mapped to performance tiers. Your virtual account needs to have the Base license entitlements for the threat defense virtual devices, as well as for IPS, malware defense, and Secure Firewall Threat Defense URL Filtering licenses.

• Each HA peer consumes one entitlement, and the entitlements on each HA peer must match, including Base license.

• A change in performance tier for an HA pair should be applied to the primary peer.

• You assign feature licenses to the cluster as a whole, not to individual nodes. However, each node of the cluster consumes a separate license for each feature. The clustering feature itself does not require any licenses.

• Universal PLR licensing is applied to each device in an HA pair separately. The secondary device will not automatically mirror the performance tier of the primary device. It must be updated manually.

License PIDs

When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license Product IDs (PIDs).

Figure 8: License Search

Management Center Virtual PIDs

• VMware:

• SF-FMC-VMW-2-K9—2 devices

• SF-FMC-VMW-10-K9—10 devices

• SF-FMC-VMW-K9—25 devices

• SF-FMC-VMW-300-K9—300 devices

• KVM:

• SF-FMC-KVM-2-K9—2 devices

• SF-FMC-KVM-10-K9—10 devices

• SF-FMC-KVM-K9—25 devices

• PAK-based VMware:

• FS-VMW-2-SW-K9—2 devices

• FS-VMW-10-SW-K9—10 devices

• FS-VMW-SW-K9—25 devices

Threat Defense Virtual PIDs

When you order FTDV-SEC-SUB, you must choose a base license and optional feature licenses (12 month term):

• Base license:

• FTD-V-5S-BSE-K9

• FTD-V-10S-BSE-K9

• FTD-V-20S-BSE-K9

• FTD-V-30S-BSE-K9

• FTD-V-50S-BSE-K9

• FTD-V-100S-BSE-K9

• Threat, Malware defense, and URL license combination:

• FTD-V-5S-TMC

• FTD-V-10S-TMC

• FTD-V-20S-TMC

• FTD-V-30S-TMC

• FTD-V-50S-TMC

• FTD-V-100S-TMC

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Firepower 1010 PIDs

• Threat, Malware defense, and URL license combination:

• L-FPR1010T-TMC=

When you add the above PID to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-FPR1010T-TMC-1Y

• L-FPR1010T-TMC-3Y

• L-FPR1010T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Firepower 1100 PIDs

• Threat, Malware defense, and URL license combination:

• L-FPR1120T-TMC=

• L-FPR1140T-TMC=

• L-FPR1150T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-FPR1120T-TMC-1Y

• L-FPR1120T-TMC-3Y

• L-FPR1120T-TMC-5Y

• L-FPR1140T-TMC-1Y

• L-FPR1140T-TMC-3Y

• L-FPR1140T-TMC-5Y

• L-FPR1150T-TMC-1Y

• L-FPR1150T-TMC-3Y

• L-FPR1150T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Firepower 2100 PIDs

• Threat, Malware defense, and URL license combination:

• L-FPR2110T-TMC=

• L-FPR2120T-TMC=

• L-FPR2130T-TMC=

• L-FPR2140T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-FPR2110T-TMC-1Y

• L-FPR2110T-TMC-3Y

• L-FPR2110T-TMC-5Y

• L-FPR2120T-TMC-1Y

• L-FPR2120T-TMC-3Y

• L-FPR2120T-TMC-5Y

• L-FPR2130T-TMC-1Y

• L-FPR2130T-TMC-3Y

• L-FPR2130T-TMC-5Y

• L-FPR2140T-TMC-1Y

• L-FPR2140T-TMC-3Y

• L-FPR2140T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Secure Firewall 3100 PIDs

• Base license:

• L-FPR3110-BSE=

• L-FPR3120-BSE=

• L-FPR3130-BSE=

• L-FPR3140-BSE=

• Threat, Malware defense, and URL license combination:

• L-FPR3110T-TMC=

• L-FPR3120T-TMC=

• L-FPR3130T-TMC=

• L-FPR3140T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-FPR3110T-TMC-1Y

• L-FPR3110T-TMC-3Y

• L-FPR3110T-TMC-5Y

• L-FPR3120T-TMC-1Y

• L-FPR3120T-TMC-3Y

• L-FPR3120T-TMC-5Y

• L-FPR3130T-TMC-1Y

• L-FPR3130T-TMC-3Y

• L-FPR3130T-TMC-5Y

• L-FPR3140T-TMC-1Y

• L-FPR3140T-TMC-3Y

• L-FPR3140T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Firepower 4100 PIDs

• Threat, Malware defense, and URL license combination:

• L-FPR4110T-TMC=

• L-FPR4112T-TMC=

• L-FPR4115T-TMC=

• L-FPR4120T-TMC=

• L-FPR4125T-TMC=

• L-FPR4140T-TMC=

• L-FPR4145T-TMC=

• L-FPR4150T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-FPR4110T-TMC-1Y

• L-FPR4110T-TMC-3Y

• L-FPR4110T-TMC-5Y

• L-FPR4112T-TMC-1Y

• L-FPR4112T-TMC-3Y

• L-FPR4112T-TMC-5Y

• L-FPR4115T-TMC-1Y

• L-FPR4115T-TMC-3Y

• L-FPR4115T-TMC-5Y

• L-FPR4120T-TMC-1Y

• L-FPR4120T-TMC-3Y

• L-FPR4120T-TMC-5Y

• L-FPR4125T-TMC-1Y

• L-FPR4125T-TMC-3Y

• L-FPR4125T-TMC-5Y

• L-FPR4140T-TMC-1Y

• L-FPR4140T-TMC-3Y

• L-FPR4140T-TMC-5Y

• L-FPR4145T-TMC-1Y

• L-FPR4145T-TMC-3Y

• L-FPR4145T-TMC-5Y

• L-FPR4150T-TMC-1Y

• L-FPR4150T-TMC-3Y

• L-FPR4150T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Firepower 9300 PIDs

• Threat, Malware defense, and URL license combination:

• L-FPR9K-24T-TMC=

• L-FPR9K-36T-TMC=

• L-FPR9K-40T-TMC=

• L-FPR9K-44T-TMC=

• L-FPR9K-48T-TMC=

• L-FPR9K-56T-TMC=

When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-FPR9K-24T-TMC-1Y

• L-FPR9K-24T-TMC-3Y

• L-FPR9K-24T-TMC-5Y

• L-FPR9K-36T-TMC-1Y

• L-FPR9K-36T-TMC-3Y

• L-FPR9K-36T-TMC-5Y

• L-FPR9K-40T-TMC-1Y

• L-FPR9K-40T-TMC-3Y

• L-FPR9K-40T-TMC-5Y

• L-FPR9K-44T-TMC-1Y

• L-FPR9K-44T-TMC-3Y

• L-FPR9K-44T-TMC-5Y

• L-FPR9K-48T-TMC-1Y

• L-FPR9K-48T-TMC-3Y

• L-FPR9K-48T-TMC-5Y

• L-FPR9K-56T-TMC-1Y

• L-FPR9K-56T-TMC-3Y

• L-FPR9K-56T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

ISA 3000 PIDs

• Threat, Malware defense, and URL license combination:

• L-ISA3000T-TMC=

When you add the above PID to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

• L-ISA3000T-TMC-1Y

• L-ISA3000T-TMC-3Y

• L-ISA3000T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide .

Requirements and Prerequisites for Licensing

For Specific License Reservation requirements, see Requirements and Prerequisites for Specific License Reservation, on page 261.

General Prerequisites

• Make sure NTP is configured on the management center and managed devices. Time must be synchronized for registration to succeed.

For a Firepower 4100/9300, you must configure NTP on the chassis using the same NTP server for the chassis as for the management center.

Supported Domains

Global, except where indicated.

User Roles

• Admin

Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance

This section describes the licensing requirements for High Availability (for device High Availability and also management center virtual High Availability), clustering, and multi-instance deployments.

Licensing for Management Center High Availability

Each device requires the same licenses whether managed by a single management center or by management centers in a high availability pair (hardware or virtual).

Example: If you want to enable advanced malware protection for two devices managed by a management center pair, buy two Malware licenses and two TM subscriptions, register the active management center with the Smart Software Manager, then assign the licenses to the two devices on the active management center.

Only the active management center is registered with the Smart Software Manager. When failover occurs, the system communicates with Smart Software Manager to release the license entitlements from the originally-active management center and assign them to the newly-active management center.

In Specific License Reservation deployments, only the primary management center requires a Specific License Reservation.

Hardware Management Center

No special license is required for hardware management centers in a high availability pair.

Management Center Virtual

You will need two identically licensed management center virtuals.

Example: For the management center virtual high availability pair managing 10 devices, you can use:

• Two (2) management center virtual 10 entitlements

• 10 device licenses

If you break the high availability pair, the management center virtual entitlements associated with the secondary management center virtual are released. (In the example, you would then have two standalone management center virtual 10s.)

Licensing for Device High-Availability

Both threat defense units in a high availability configuration must have the same licenses.

High availability configurations require two license entitlements: one for each device in the pair.

Before high availability is established, it does not matter which licenses are assigned to the secondary/standby device. During high availability configuration, the management center releases any unnecessary licenses assigned to the standby unit and replaces them with identical licenses assigned to the primary/active unit. For example, if the active unit has a Base license and a Threat license, and the standby unit has only a Base license, the management center communicates with the Smart Software Manager to obtain an available Threat license from your account for the standby unit. If your license account does not include enough purchased entitlements, your account becomes Out-of-Compliance until you purchase the correct number of licenses.

Licensing for Device Clusters

Each threat defense virtual cluster node requires the same performance tier license. We recommend using the same number of CPUs and memory for all members, or else performance will be limited on all nodes to match the least capable member. The throughput level will be replicated from the control node to each data node so they match.

You assign feature licenses to the cluster as a whole, not to individual nodes. However, each node of the cluster consumes a separate license for each feature. The clustering feature itself does not require any licenses.

When you add the control node to the management center, you can specify the feature licenses you want to use for the cluster. Before you create the cluster, it doesn't matter which licenses are assigned to the data nodes; the license settings for the control node are replicated to each of the data nodes. You can modify licenses for the cluster in the Devices > Device Management > Cluster > License area.

Note If you add the cluster before the management center is licensed (and running in Evaluation mode), then when you license the management center, you can experience traffic disruption when you deploy policy changes to the cluster. Changing to licensed mode causes all data units to leave the cluster and then rejoin.

Licensing for Multi-Instance Deployments

All licenses are consumed per security engine/chassis (for the Firepower 4100) or per security module (for the Firepower 9300), and not per container instance. See the following details:

• Base licenses are automatically assigned: one per security module/engine.

• Feature licenses are manually assigned to each instance; but you only consume one license per feature per security module/engine. For example, for the Firepower 9300 with 3 security modules, you only need one URL Filtering license per module for a total of 3 licenses, regardless of the number of instances in use.

• For High Availability, see License Requirements for Threat Defense Devices in a High Availability Pair .

For example:

Table 14: License Usage for Container Instances on a Firepower 9300

Chassis          Security Module      Instance      Licenses
Firepower 9300   Security Module 1    Instance 1    Base, URL Filtering, Malware
                                      Instance 2    Base, URL Filtering
                                      Instance 3    Base, URL Filtering
                 Security Module 2    Instance 4    Base, Threat
                                      Instance 5    Base, URL Filtering, Malware, Threat
                 Security Module 3    Instance 6    Base, Malware, Threat
                                      Instance 7    Base, Threat

Table 15: Total Number of Licenses

License          Total
Base             3
URL Filtering    2
Malware          3
Threat           2
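The three counting rules in the sections above (identical licenses on both units of a high availability pair, one license per feature per cluster node, and one license per feature per security module regardless of how many container instances use it) can be checked before you buy entitlements. The following Python example is added here and is not code from the Cisco guide or from the management center; the function names and the compliance helper are my own, and the deployment it is fed is the one from Table 14, reproduced as constructed data.

```python
from collections import defaultdict

# Constructed input: the seven container instances from Table 14, keyed by
# (security module, instance). Feature sets are copied from the table.
FIREPOWER_9300_EXAMPLE = {
    ("Security Module 1", "Instance 1"): {"Base", "URL Filtering", "Malware"},
    ("Security Module 1", "Instance 2"): {"Base", "URL Filtering"},
    ("Security Module 1", "Instance 3"): {"Base", "URL Filtering"},
    ("Security Module 2", "Instance 4"): {"Base", "Threat"},
    ("Security Module 2", "Instance 5"): {"Base", "URL Filtering", "Malware", "Threat"},
    ("Security Module 3", "Instance 6"): {"Base", "Malware", "Threat"},
    ("Security Module 3", "Instance 7"): {"Base", "Threat"},
}


def multi_instance_license_usage(instances):
    """Licenses consumed on a multi-instance chassis (Firepower 4100/9300).

    Licenses are consumed per security module/engine, not per container
    instance: a feature assigned to several instances on one module counts
    once for that module, and Base is consumed once per module automatically.
    """
    per_module = defaultdict(set)
    for (module, _instance), features in instances.items():
        per_module[module].add("Base")      # Base is assigned automatically
        per_module[module] |= set(features)  # dedupe features within the module
    totals = defaultdict(int)
    for features in per_module.values():
        for feature in features:
            totals[feature] += 1
    return dict(totals)


def cluster_license_usage(cluster_features, node_count):
    """Feature licenses are assigned to the cluster as a whole, but every node
    consumes its own copy of each one."""
    return {feature: node_count for feature in cluster_features}


def ha_pair_license_usage(active_features, standby_features):
    """Both units of an HA pair must carry identical licenses.

    Returns (licenses consumed by the pair, features the management center will
    obtain for the standby, features it will release from the standby) so the
    standby ends up matching the active unit, as the guide describes.
    """
    active = set(active_features)
    standby = set(standby_features)
    consumed = {feature: 2 for feature in active}
    return consumed, active - standby, standby - active


def compliance_gap(required, available):
    """Features for which the Smart Account holds fewer entitlements than the
    deployment consumes; a non-empty result means Out-of-Compliance."""
    return {
        feature: count - available.get(feature, 0)
        for feature, count in required.items()
        if count > available.get(feature, 0)
    }


if __name__ == "__main__":
    print(multi_instance_license_usage(FIREPOWER_9300_EXAMPLE))
    print(cluster_license_usage({"Base", "Threat"}, node_count=4))
    print(ha_pair_license_usage({"Base", "Threat"}, {"Base"}))
```

Running the first call reproduces Table 15 exactly (Base 3, URL Filtering 2, Malware 3, Threat 2), which is a quick way to confirm that the per-module rule, not the per-instance count, is what drives the purchase. The HA helper mirrors the standby-unit behaviour described above: the Threat license is fetched from the account for the standby, and anything the standby holds that the active unit does not is released.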

Create a Smart Account and Add Licenses

You should set up this account before you purchase licenses.

Before you begin

Your account representative or reseller may have set up a Smart Account on your behalf. If so, obtain the necessary information to access the account from that person instead of using this procedure, then verify that you can access the account.

For general information about Smart Accounts, see http://www.cisco.com/go/smartaccounts .

Procedure

Step 1 Request a Smart Account:

For instructions, see https://community.cisco.com/t5/licensing-enterprise-agreements/request-a-smart-account-for-customers/ta-p/3636515?attachment-id=150577 .

For additional information, see https://communities.cisco.com/docs/DOC-57261 .

Step 2 Wait for an email telling you that your Smart Account is ready to set up. When it arrives, click the link it contains, as directed.

Step 3 Set up your Smart Account:

Go here: https://software.cisco.com/software/company/smartaccounts/home?route=module/accountcreation .

For instructions, see https://community.cisco.com/t5/licensing-enterprise-agreements/complete-smart-account-setup-for-customers/ta-p/3636631?attachment-id=132604 .

Step 4 Verify that you can access the account in the Smart Software Manager.

Go to https://software.cisco.com/#module/SmartLicensing and sign in.

Step 5 Make sure your Smart Licensing account contains the available licenses you need.

When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Account. However, if you need to add licenses yourself, see Cisco Commerce Workspace. For license PIDs, see License PIDs, on page 239.

Configure Smart Licensing

This section describes how to use Smart Licensing using the Smart Software Manager or the Smart Software Manager On-Prem. To use Specific License Reservation, see Configure Specific License Reservation (SLR), on page 261.

Register the Management Center for Smart Licensing

You can register the management center directly to the Smart Software Manager over the internet, or when using an air-gapped network, with the Smart Software Manager On-Prem.

Register the Management Center with the Smart Software Manager

Register the management center with the Smart Software Manager.

Before you begin

• Make sure your Smart Licensing account contains the available licenses you need.

When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Account. However, if you need to add licenses yourself, see Cisco Commerce Workspace. For license PIDs, see License PIDs, on page 239.

• Ensure that the management center can reach the Smart Software Manager at tools.cisco.com:443.

• Make sure you configure NTP. During registration, a key exchange occurs between the Smart Agent and the Smart Software Manager, so time must be in sync for proper registration.

For the Firepower 4100/9300, you must configure NTP on the chassis using the same NTP server for the chassis as for the management center.

• If your organization has multiple management centers, make sure each management center has a unique name that clearly identifies and distinguishes it from other management centers that may be registered to the same virtual account. This name is critical for managing your Smart License entitlements and ambiguous names will lead to problems later.

Procedure

Step 1 In the Smart Software Manager , request and copy a registration token for the virtual account to which you want to add this device.

a) Click Inventory.

b) On the General tab, click New Token.

c) On the Create Registration Token dialog box enter the following settings, and then click Create Token:

• Description

• Expire After —Cisco recommends 30 days.

• Allow export-controlled functionality on the products registered with this token —Enables the export-compliance flag if you are in a country that allows for strong encryption. You must select this option now if you plan to use this functionality. If you enable this functionality later, you will need to re-register your device with a new product key and reload the device. If you do not see this option, your account does not support export-controlled functionality.

The token is added to your inventory.

d) Click the arrow icon to the right of the token to open the Token dialog box so you can copy the token ID to your clipboard. Keep this token ready for later in the procedure when you need to register the threat defense.

Figure 9: View Token

Figure 10: Copy Token

Step 2 In the management center, choose System > Licenses > Smart Licenses.

Step 3 Click Register.

Step 4 Paste the token you generated from Smart Software Manager into the Product Instance Registration Token field.

Make sure there are no empty spaces or blank lines at the beginning or end of the text.

Step 5 Decide whether to send usage data to Cisco.

• Enable Cisco Success Network is enabled by default. You can click sample data to see the kind of data Cisco collects. For more information, see Configure Cisco Success Network Enrollment, on page 575.

• Enable Cisco Support Diagnostics is disabled by default. You can review the kind of data Cisco collects in the link provided above the check box. For more information, see Configure Cisco Support Diagnostics Enrollment, on page 576.

Note • When enabled, Cisco Support Diagnostics is enabled in the devices in the next sync cycle. The management center sync with the device runs once every 30 minutes.

• When enabled, Cisco Support Diagnostics is enabled automatically on any new device registered in this management center.

Step 6 Click Apply Changes.


What to do next

• Add your devices to the management center; see Add a Device to the Management Center .

• Assign licenses to your devices; see Assign Licenses to Multiple Managed Devices, on page 255.

Register the Management Center with the Smart Software Manager On-Prem

As described in Periodic Communication with the Smart Software Manager, on page 231, the management center must communicate regularly with Cisco to maintain your license entitlement. If you have one of the following situations, you might want to use a Smart Software Manager On-Prem (formerly known as "Smart Software Satellite Server") as a proxy for connections to the Smart Software Manager:

• Your management center is offline or otherwise has limited or no connectivity (in other words, is deployed in an air-gapped network).

(For an alternate solution for air-gapped networks, see Licensing Options for Air-Gapped Deployments, on page 230.)

• Your management center has permanent connectivity, but you want to manage your Smart Licenses via a single connection from your network.

The Smart Software Manager On-Prem allows you to schedule synchronization or manually synchronize Smart License authorization with the Smart Software Manager.

For more information about the Smart Software Manager On-Prem, see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html#~on-prem

Procedure

Step 1 Deploy and set up Smart Software Manager On-Prem.

• See the documentation for the Smart Software Manager On-Prem, available from https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html#~on-prem .

• Make a note of the CN of the TLS/SSL certificate on your Smart Software Manager On-Prem.

• Go to http://www.cisco.com/security/pki/certs/clrca.cer and copy the entire body of the TLS/SSL certificate (from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----") into a place you can access during configuration.

Step 2 Register the management center with the Smart Software Manager On-Prem.

a) Choose System > Integration.

b) Click Smart Software Satellite.

c) Select Connect to Cisco Smart Software Satellite Server.

d) Enter the URL of your Smart Software Manager On-Prem, using the CN value you collected in the prerequisites of this procedure, in the following format: https://FQDN_or_hostname_of_your_SSM_On-Prem/Transportgateway/services/DeviceRequestHandler

The FQDN or hostname must match the CN value of the certificate presented by your Smart Software Manager On-Prem.

e) Add a new SSL Certificate and paste the certificate text that you copied earlier.

f) Click Apply.

g) Select System > Licenses > Smart Licenses and click Register.

h) Create a new token on Smart Software Manager On-Prem.

i) Copy the token.

j) Paste the token into the form on the management center page.

k) Click Apply Changes.

The management center is now registered to Smart Software Manager On-Prem.

Step 3 After you assign licenses to devices, synchronize Smart Software Manager On-Prem to the Smart Software Manager.

See the Smart Software Manager On-Prem documentation, above.

Step 4 Schedule ongoing synchronization times.
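Two of the requirements in the registration procedures above are easy to get wrong and are only reported by the management center as a failed registration: the On-Prem URL host must match the CN of the server's certificate, and a pasted token must carry no leading or trailing spaces or blank lines. The following Python preflight is an added example, not code from the Cisco guide or from the management center; the function names are my own, the CN is assumed to have been read off the certificate as Step 1 instructs, and `ssm.example.net` is a constructed hostname.

```python
import socket
from urllib.parse import urlsplit

# Fixed transport gateway path from the guide's URL format.
ONPREM_PATH = "/Transportgateway/services/DeviceRequestHandler"


def build_onprem_url(hostname):
    """Build the Smart Software Manager On-Prem URL in the documented format."""
    return f"https://{hostname}{ONPREM_PATH}"


def check_onprem_url(url, certificate_cn):
    """Return a list of problems with an SSM On-Prem URL (empty list = OK).

    Checks the three things the procedure requires: https, the exact
    transport gateway path, and a host equal to the certificate CN. The CN
    comparison is a case-insensitive string match on a CN you already
    extracted; this helper does not parse the certificate itself.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.path != ONPREM_PATH:
        problems.append(f"path must be {ONPREM_PATH}")
    host = parts.hostname or ""
    if host.lower() != certificate_cn.strip().lower():
        problems.append(f"host {host!r} does not match certificate CN {certificate_cn!r}")
    return problems


def normalize_registration_token(pasted):
    """Strip the leading/trailing whitespace and blank lines that break
    registration when a token is pasted from a browser or e-mail.

    Returns (cleaned token, True if whitespace remains inside the token),
    so the caller can refuse a token that was mangled mid-string rather
    than silently editing it.
    """
    token = pasted.strip()
    inner_whitespace = any(ch.isspace() for ch in token)
    return token, inner_whitespace


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port opens within the timeout.

    Use it for the direct-registration prerequisite (tools.cisco.com:443)
    or for the On-Prem host; any socket error, including a blocked outbound
    path, is reported as unreachable rather than raised.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    url = build_onprem_url("ssm.example.net")          # constructed hostname
    print(url, check_onprem_url(url, "ssm.example.net"))
    print(normalize_registration_token("\n  NjA0ZmY0ZWEt...constructed...\n\n"))
    print("tools.cisco.com:443 reachable:", tcp_reachable("tools.cisco.com", 443))
```

`check_onprem_url` deliberately fails on a wildcard or mismatched CN rather than trying to be clever, because the management center does the same strict comparison; fix the hostname in the URL or reissue the On-Prem certificate instead of working around the check.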

Enable the Export Control Feature for Accounts Without Global Permission

If your Smart Account is not authorized for strong encryption, but Cisco has determined that you are allowed to use strong encryption, you can manually add a strong encryption license to your account.

Before you begin

• Make sure that your deployment does not already support the export-controlled functionality.

If your deployment supports export-controlled features, you will see an option that allows you to enable export-controlled functionality in the Create Registration Token page in the Smart Software Manager.

For more information, see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html .

• Make sure your deployment is not using an evaluation license.

• In the Smart Software Manager, on the Inventory > Licenses page, verify that you have the license that corresponds to your management center:

Management Center Model           Export Control License
All management center virtuals    Cisco Virtual FMC Series Strong Encryption (3DES/AES)
1000, 1600                        Cisco FMC 1K Series Strong Encryption (3DES/AES)
2500, 2600                        Cisco FMC 2K Series Strong Encryption (3DES/AES)
4500, 4600                        Cisco FMC 4K Series Strong Encryption (3DES/AES)

Procedure

Step 1 Choose System > Licenses > Smart Licenses.

Note If you see the Request Export Key, your account is approved for the export-controlled functionality and you can proceed to use the required feature.

Step 2 Click Request Export Key to generate an export key.

Tip If the export control key request fails, make sure that your virtual account has a valid Export Control license.

Disable the export control license by clicking Return Export Key.

What to do next

You can now deploy configurations or policies that use the export-controlled features.

Remember The new export-controlled license and all features enabled by it do not take effect on the threat defense devices until the devices are rebooted. Until then, only the features supported by the older license will be active.

In High Availability deployments, both threat defense devices must be rebooted simultaneously to avoid an Active-Active condition.

Assign Licenses to Devices

You can assign most licenses when you register a device to the management center. You can also assign licenses per device, or for multiple devices.

Assign Licenses to a Single Device

Although there are some exceptions, you cannot use the features associated with a license if you disable it on a managed device.

Note For container instances on the same security module/engine, you apply the license to each instance; note that the security module/engine consumes only one license per feature for all instances on the security module/engine.

Note For the threat defense cluster, you apply the licenses to the cluster as a whole; note that each unit in the cluster consumes a separate license per feature.


Before you begin

You must have Admin or Network Admin privileges to perform this task. When operating with multiple domains, you must do this task in leaf domains.

Procedure

Step 1 Choose Devices > Device Management.

Step 2 Next to the device where you want to assign or disable a license, click Edit.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3 Click Device.

Step 4 Next to the License section, click Edit.

Step 5 Check or clear the appropriate check boxes to assign or disable licenses for the device.

Step 6 Click Save.

Step 7 Deploy configuration changes; see Deploy Configuration Changes.

What to do next

Verify license status: Go to System > Licenses > Smart Licenses, enter the hostname or IP address of the device into the filter at the top of the Smart Licenses table, and verify that only a green circle with a Check Mark appears for each device, for each license type. If you see any other icon, hover over the icon for more information.

Assign Licenses to Multiple Managed Devices

Devices managed by the management center obtain their licenses via the management center, not directly from the Smart Software Manager.

Use this procedure to enable licensing on multiple devices at once.

Note For container instances on the same security module/engine, you apply the license to each instance; note that the security module/engine consumes only one license per feature for all instances on the security module/engine.

Note For the threat defense cluster, you apply the licenses to the cluster as a whole; note that each unit in the cluster consumes a separate license per feature.

Procedure

Step 1 Choose System > Licenses > Smart Licenses or Specific Licenses.

Step 2 Click Edit Licenses.

Step 3 For each type of license you want to add to a device:

a) Click the tab for that type of license.

b) Click a device in the list on the left.

c) Click Add to move that device to the list on the right.

d) Repeat for each device to receive that type of license.

For now, don't worry about whether you have licenses for all of the devices you want to add.

e) Repeat this subprocedure for each type of license you want to add.

f) To remove a license, click Delete next to the device.

g) Click Apply.

What to do next

Verify that your licenses are correctly installed. Follow the procedure in Monitoring Smart Licenses, on page 258.

Manage Smart Licensing

This section describes how to manage Smart Licensing.

Deregister the Management Center

Deregister your management center from the Smart Software Manager to release all of the license entitlements back to your Smart Account so they can be used for other devices. For example, deregister if you need to decommission the management center or reimage it.

See Unregistered State, on page 232, for more information about license enforcement in an unregistered state.

Procedure

Step 1 Choose System > Licenses > Smart Licenses.

Step 2 Click Deregister.

Synchronize or Reauthorize the Management Center

By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. You might want to manually renew the registration for either of these items if you have a limited window for internet access, or if you make any licensing changes in the Smart Software Manager, for example.


Procedure

Step 1 Choose System > Licenses > Smart Licenses.

Step 2 To renew the ID certificate, click Synchronize.

Step 3 To renew the license entitlements, click Re-Authorize.

Monitoring Smart License Status

The Smart License Status section of the System > Licenses > Smart Licenses page provides an overview of license usage on the management center, as described below.

Usage Authorization

Possible status values are:

• In-compliance — All licenses assigned to managed devices are in compliance and the management center is communicating successfully with the Smart Software Manager.

• License is in compliance but communication with licensing authority has failed — Device licenses are in compliance, but the management center is not able to communicate with the Cisco licensing authority.

• Out-of-compliance icon or unable to communicate with License Authority — One or more managed devices is using a license that is out of compliance, or the management center has not communicated with the Smart Software Manager in more than 90 days.

Product Registration

Specifies the last date when the management center contacted the Smart Software Manager and registered.

Assigned Virtual Account

Specifies the Virtual Account under the Smart Account that you used to generate the Product Instance Registration Token and register the management center. If this deployment is not associated with a particular virtual account within your Smart Account, this information is not displayed.

Export-Controlled Features

If this option is enabled, you can deploy restricted features. For details, see Licensing for Export-Controlled Functionality, on page 237.

Cisco Success Network

Specifies whether you have enabled Cisco Success Network for the management center. If this option is enabled, you provide usage information and statistics to Cisco which are essential to provide you with technical support. This information also allows Cisco to improve the product and make you aware of unused available features so that you can maximize the value of the product in your network. See Configure Cisco Success Network Enrollment, on page 575, for more information.


Monitoring Smart Licenses

To view the license status for the management center and its managed devices, use the Smart Licenses page.

For each type of license in your deployment, the page lists the total number of licenses consumed, whether the license is in compliance or out of compliance, the device type, and the domain and group where the device is deployed. You can also view the management center's Smart License Status. Container instances on the same security module/engine only consume one license per security module/engine. Therefore, even though the management center lists each container instance separately under each license type, the number of licenses consumed for feature license types will only be one.

Other than the Smart Licenses page, there are a few other ways you can view licenses:

• The Product Licensing dashboard widget provides an at-a-glance overview of your licenses. See Adding Widgets to a Dashboard, on page 319, Dashboard Widget Availability by User Role, on page 307, and The Product Licensing Widget, on page 316.

• The Device Management page ( Devices > Device Management ) lists the licenses applied to each of your managed devices.

• The Smart License Monitor health module communicates license status when used in a health policy.

Procedure

Step 1 Choose System > Licenses > Smart Licenses.

Step 2 In the Smart Licenses table, click the arrow at the left side of each License Type folder to expand that folder.

Step 3 In each folder, verify that each device has a green circle with a Check Mark in the License Status column.

Note If you see duplicate management center virtual licenses, each represents one managed device.

If all devices show a green circle with a Check Mark, your devices are properly licensed and ready to use.

If you see any License Status other than a green circle with a Check Mark, hover over the status icon to view the message.

What to do next

• If you had any devices that did not have a green circle with a Check Mark, you may need to purchase more licenses.

Troubleshooting Smart Licensing

Expected Licenses Do Not Appear in My Smart Account

If the licenses you expect to see are not in your Smart Account, try the following:


• Make sure they are not in a different Virtual Account. Your organization's license administrator may need to assist you with this.

• Check with the person who sold you the licenses to be sure that transfer to your account is complete.

Unable to Connect to Smart License Server

Check the obvious causes first. For example, make sure your management center has outside connectivity.

See Internet Access Requirements, on page 1004.

Unexpected Out-of-Compliance Notification or Other Error

• If a device is already registered to a different management center, you need to deregister the original management center before you can license the device under a new management center. See Deregister the Management Center, on page 256.

• Management Center Virtual instance only - Make sure that the virtual account does not have only perpetual tags when you switch to subscription licensing.

• Check if the term of the subscription license has expired.

Troubleshoot Other Issues

For solutions to other common issues, see https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html

Convert a Classic License for Use on the Threat Defense

You can convert licenses using either the License Registration Portal or the Smart Software Manager, and you can convert an unused Product Authorization Key (PAK) or a Classic license that has already been assigned to a device.

Note You cannot undo this process. You cannot convert a Smart License to a Classic license, even if the license was originally a Classic license.

In documentation on Cisco.com, Classic licenses may also be referred to as "traditional" licenses.

Before you begin

• It is easiest to convert a Classic license to a Smart License when it is still an unused PAK that has not yet been assigned to a product instance.

• Your hardware must be able to run threat defense. See the Cisco Firepower Compatibility Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-device-support-tables-list.html .

• You must have a Smart Account. If you do not have one, create one. See Create a Smart Account and Add Licenses, on page 248.

• The PAKs or licenses that you want to convert must appear in your Smart Account.

• If you convert using the License Registration Portal instead of the Smart Software Manager, you must have your Smart Account credentials in order to initiate the conversion process.


Procedure

Step 1 The conversion process you follow depends on whether or not the license has been consumed:

• If the PAK that you want to convert has never been used, follow instructions for converting a PAK.

• If the PAK you want to convert has already been assigned to a device, follow instructions for converting a Classic license.

Make sure your existing classic license is still registered to your device.

Step 2 See instructions for your type of conversion (PAK or installed Classic license) in the following documentation:

• To convert PAKs or licenses using the License Registration Portal:

  • To view a video that steps you through the License Registration Portal part of the conversion process, click https://salesconnect.cisco.com/#/content-detail/7da52358-0fc1-4d85-8920-14a1b7721780 .

  • Search for "Convert" in the following document: https://cisco.app.box.com/s/mds3ab3fctk6pzonq5meukvcpjizt7wu .

  There are three conversion procedures. Choose the conversion procedure applicable to your situation.

  • Sign in to the License Registration Portal at https://tools.cisco.com/SWIFT/LicensingUI/Home and follow the instructions in the documentation above.

• To convert PAKs or licenses using the Smart Software Manager:

  • Converting Hybrid Licenses to Smart Software Licenses QRG: https://community.cisco.com/t5/licensing-enterprise-agreements/converting-hybrid-licenses-to-smart-software-licenses-qrg/ta-p/3628609?attachment-id=134907

  • Sign in to the Smart Software Manager at https://software.cisco.com/#SmartLicensing-LicenseConversion and follow the instructions for your type of conversion (PAK or installed Classic license) in the documentation above.

Step 3 Freshly install threat defense on your hardware.

See the instructions for your hardware at https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html .

Step 4 If you will use the device manager to manage this device as a standalone device:

See information about licensing the device in the device manager configuration guide at https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html .

Skip the rest of this procedure.

Step 5 If you have already deployed Smart Licensing on your management center:

a) Set up Smart Licensing on your new threat defense.

See Assign Licenses to Multiple Managed Devices, on page 255.

b) Verify that the new Smart License has been successfully applied to the device.

See Monitoring Smart Licenses, on page 258.

Step 6 If you have not yet deployed Smart Licensing on your management center:

See Configure Smart Licensing, on page 249. (Skip any steps that do not apply or that you have already completed.)

Configure Specific License Reservation (SLR)

You can use the Specific License Reservation feature to deploy Smart Licensing in an air-gapped network.

Note Various names are used at Cisco for Specific License Reservation, including SLR, SPLR, PLR, and Permanent License Reservation. These terms may also be used at Cisco to refer to similar but not necessarily identical licensing models.

When Specific License Reservation is enabled, the management center reserves licenses from your virtual account for a specified duration without accessing the Smart Software Manager or using Smart Software Manager On-Prem.

Features that require access to the internet, such as URL Lookups or contextual cross-launch to public web sites, will not work.

Cisco does not collect web analytics or telemetry data for deployments that use Specific License Reservation.

Requirements and Prerequisites for Specific License Reservation

• Work with your account representative to obtain approval for Specific License Reservation for your products.

Obtain confirmation from your account representative that the Specific License Reservation is ready for use and reflected in your Smart Account.

• If you are currently using regular Smart Licensing, de-register the management center before you implement Specific License Reservation. For information, see Deregister the Management Center, on page 256.

All Smart Licenses that are currently deployed to the management center will be returned to the pool of available licenses in your account, and you can re-use them when you implement Specific License Reservation.

• Specific License Reservation uses the same licenses as regular Smart Licensing.

• (Recommended) If you deploy the management center pair in a high availability configuration, configure high availability before you assign licenses. If you already assigned licenses to devices on the secondary management center, be sure to unassign them.

Verify that your Smart Account is Ready to Deploy Specific License Reservation

To prevent problems when deploying your Specific License Reservation, complete this procedure before you make any changes in your management center.


Before you begin

• Ensure that you have met the requirements described in Requirements and Prerequisites for Specific License Reservation, on page 261.

• Make sure you have your Smart Software Manager credentials.

Procedure

Step 1 Sign in to the Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory

Step 2 If applicable, select the correct account from the top right corner of the page.

Step 3 If necessary, click Inventory.

Step 4 Click Licenses.

Step 5 Verify the following:

• There is a License Reservation button.

• There are enough platform and feature licenses for the devices and features you will deploy, including management center virtual entitlements for your devices, if applicable.

Step 6 If any of these items is missing or incorrect, contact your account representative to resolve the problem.

Note Do not continue with this process until any problems are corrected.

Enable the Specific Licensing Menu Option

This procedure changes the "Smart Licenses" menu option to "Specific Licenses" in the management center.

Procedure

Step 1 Access the management center console using a USB keyboard and VGA monitor, or use SSH to access the management interface.

Step 2 Log into the management center CLI admin account.

Step 3 Enter the expert command to access the Linux shell.

Step 4 Execute the following command to access the Specific License Reservation options: sudo manage_slr.pl

Example:

admin@fmc63betaslr: ~$ sudo manage_slr.pl
Password:
**************** Configuration Utility **************
1 Show SLR Status
2 Enable SLR
3 Disable SLR
0 Exit
**************************************************************
Enter choice:

Step 5 Enable Specific License Reservation by selecting option 2.

Step 6 Select option 0 to exit the manage_slr utility.

Step 7 Type exit to exit the Linux shell.

Step 8 Enter exit to exit the command line interface.

Step 9 Verify that you can access the Specific License Reservation page in the management center web interface:

• If the System > Licenses > Smart Licenses page is currently displayed, refresh the page.

• Otherwise, choose System > Licenses > Specific Licenses.

Enter the Specific License Reservation Authorization Code into the Management Center

Procedure

Step 1 Generate the reservation request code.

a) In the management center, choose System > Licenses > Specific Licenses.
b) Click Generate.
c) Make a note of the Reservation Request Code.

Step 2 Generate the reservation authorization code.

a) Go to the Cisco Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, select the correct account from the top right of the page.
c) If necessary, click Inventory.
d) Click Licenses.
e) Click License Reservation.
f) Enter the code that you generated from the management center into the Reservation Request Code box.
g) Click Next.
h) Select Reserve a specific license.
i) Scroll down to display the entire License grid.
j) Under Quantity To Reserve, enter the number of each platform and feature license needed for your deployment.

Note
• You must explicitly include a Base license for each managed device, or, for multi-instance deployments, for each container.
• If you are using the management center virtual, you must include a platform entitlement for each container (in multi-instance deployments) or each managed device (all other deployments).
• If you use strong encryption functionality:
  • If your entire Smart Account is enabled for export-controlled functionality, you do not need to do anything here.
  • If your organization's entitlement is per-management center, you must select the appropriate license. For the correct license name to choose for your management center, see the prerequisites in Enable the Export Control Feature for Accounts Without Global Permission, on page 253.

k) Click Next.
l) Click Generate Authorization Code.
At this point, the license is now in use according to the Smart Software Manager.
m) Download the Authorization Code in preparation for entering it into the management center.

Step 3 Enter the authorization code in the management center.

a) In the management center, click Browse to upload the text file with the authorization code that you generated from the Smart Software Manager.
b) Click Install.
c) Verify that the Specific License Reservation page shows the Usage Authorization status as authorized.
d) Click the Reserved License tab to verify the licenses selected while generating the Authorization Code.

Step 4 If you do not see the licenses you require, then add the necessary licenses. For more information, see Update a Specific License Reservation.

Assign Specific Licenses to Managed Devices

Use this procedure to quickly assign licenses to multiple managed devices at one time.

You can also use this procedure to disable or move licenses from one device to another. If you disable a license for a device, you cannot use the features associated with that license on that device.

Procedure

Step 1 Choose System > Licenses > Specific Licenses.

Step 2 Click Edit Licenses.

Step 3 Click each tab and assign licenses to devices as needed.

Step 4 Click Apply.

Step 5 Click the Assigned Licenses tab and verify that your licenses are correctly installed on each device.

Step 6 Deploy configuration changes; see Deploy Configuration Changes.

Manage Specific License Reservation

This section describes how to manage Specific License Reservation.

Important: Maintain Your Specific License Reservation Deployment

To update the threat data and software that keep your deployment effective, see Maintain Your Air-Gapped Deployment, on page 219.

To ensure that all functionality continues to work without interruption, monitor your license expiration dates (on the Reserved Licenses tab).

Update a Specific License Reservation

After you have successfully deployed Specific Licenses on your management center, you can add or remove entitlements at any time using this procedure.

Use this procedure if you need to renew your licenses after they expire. If you do not have the required licenses, the following actions are restricted:

• Device registration

• Policy deployment

Procedure

Step 1 In the management center, obtain the unique product instance identifier of this management center:

a) Select System > Licenses > Specific Licenses.
b) Make a note of the Product Instance value.
You will need this value several times during this process.

Step 2 In the Smart Software Manager, identify the management center to update:

a) Go to the Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, click Inventory.
c) Click Product Instances.
d) Look for a product instance that has FP in the Type column and a generic SKU (not a hostname) in the Name column. You may also be able to use the values in other table columns to help determine which management center is the correct management center. Click the name.
e) Look at the UUID and see if it is the UUID of the management center that you are trying to modify. If not, you must repeat these steps until you find the correct management center.

Step 3 When you have located the correct management center in the Smart Software Manager, update the reserved licenses and generate a new authorization code:

a) On the page that shows the correct UUID, choose Actions > Update Reserved Licenses.
b) Update the reserved licenses as needed.

Note
• You must explicitly include a Base license for each managed device, or, for multi-instance deployments, for each container.
• If you are using the management center virtual, you must include a platform entitlement for each container (in multi-instance deployments) or each managed device (all other deployments).
• If you use strong encryption functionality:
  • If your entire Smart Account is enabled for export-controlled functionality, you do not need to do anything here.
  • If your organization's entitlement is per-management center, you must select the appropriate license. For the correct license name to choose for your management center, see the prerequisites in Enable the Export Control Feature for Accounts Without Global Permission, on page 253.

c) Click Next and verify the details.
d) Click Generate Authorization Code.
e) Download the Authorization Code in preparation for entering it into the management center.
f) Leave the Update Reservation page open. You will return to it later in this procedure.

Step 4 Update the Specific Licenses in the management center.

a) Choose System > Licenses > Specific Licenses.
b) Click Edit SLR.
c) Click Browse to upload the newly generated authorization code.
d) Click Install to update the licenses.
After successful installation of the authorization code, ensure that the licenses shown in the Reserved column of the management center match the licenses that you have reserved in the Smart Software Manager.
e) Make a note of the Confirmation Code.

Step 5 Enter the confirmation code in the Smart Software Manager:

a) Return to the Smart Software Manager page that you left open earlier in this procedure.
b) Choose Actions > Enter Confirmation Code.
c) Enter the confirmation code that you generated from the management center.

Step 6 In the management center, verify that your licenses are reserved as you expect them, and that each feature for each managed device shows a green circle with a Check Mark. If necessary, see Monitoring Specific License Reservation Status, on page 269 for more information.

Step 7 Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.

Deactivate and Return the Specific License Reservation

If you no longer need a specific license, you must return it to your Smart Account.

Important If you do not follow all of the steps in this procedure, the license remains in an in-use state and cannot be re-used.

This procedure releases all license entitlements associated with the management center back to your virtual account. After you de-register, no updates or changes on licensed features are allowed.


Procedure

Step 1 In the management center Web interface, select System > Licenses > Specific Licenses.

Step 2 Make a note of the Product Instance identifier for this management center.

Step 3 Generate a return code from the management center.

a) Click Return SLR.
The following figure shows Return SLR. (Figure: Return SLR; image not reproduced here.)
Devices become unlicensed and the management center moves to the de-registered state.
b) Make a note of the Return Code.

Step 4 In the Smart Software Manager, identify the management center to deregister:

a) Go to the Smart Software Manager: https://software.cisco.com/#SmartLicensing-Inventory
b) If necessary, click Inventory.
c) Click Product Instances.
d) Look for a product instance that has FP in the Type column and a generic SKU (not a hostname) in the Name column. You may also be able to use the values in other table columns to help determine which management center is the correct management center. Click the name.
e) Look at the UUID and see if it is the UUID of the management center that you are trying to modify. If not, you must repeat these steps until you find the correct management center.

Step 5 When you have identified the correct management center, return the licenses to your Smart Account:

a) On the page that shows the correct UUID, choose Actions > Remove.
b) Enter the reservation return code that you generated from the management center into the Remove Product Instance dialog box.
c) Click Remove Product Instance.
The specific reserved licenses are returned to the available pool in your Smart Account and this management center is removed from the Smart Software Manager Product Instances list.

Step 6 Disable the Specific License in the management center Linux shell:

a) Access the management center console using a USB keyboard and VGA monitor, or use SSH to access the management interface.
b) Log in to the management center CLI admin account. This gives you access to the command line interface.
c) Enter the expert command to access the Linux shell.
d) Execute the following command: sudo manage_slr.pl

Example:

admin@fmc63betaslr: ~$ sudo manage_slr.pl
Password:
**************** Configuration Utility **************
1 Show SLR Status
2 Enable SLR
3 Disable SLR
0 Exit
**************************************************************
Enter choice:

e) Select menu option 3 to disable the Specific License Reservation.
f) Select option 0 to exit the manage_slr utility.
g) Enter exit to exit the Linux shell.
h) Enter exit to exit the command line interface.

Monitoring Specific License Reservation Status

The System > Licenses > Specific Licenses page provides an overview of license usage on the management center, as described below.

Usage Authorization

Possible status values are:

• Authorized — The management center is in compliance and registered successfully with the License Authority, which has authorized the license entitlements for the appliance.

• Out-of-compliance — If licenses are expired or if the management center has overused licenses even though they are not reserved, status shows as Out-of-Compliance. License entitlements are enforced in Specific License Reservation, so you must take action.

Product Registration

Specifies registration status and the date that an authorization code was last installed or renewed on the management center.


Export-Controlled Features

Specifies whether you have enabled export-controlled functionality for the management center.

For more information about Export-Controlled Features, see Licensing for Export-Controlled Functionality, on page 237.

Product Instance

The Universally Unique Identifier (UUID) of this management center. This value identifies this device in the Smart Software Manager.

Confirmation Code

The Confirmation Code is needed if you update or deactivate and return Specific Licenses.

Assigned Licenses Tab

Shows the licenses assigned to each device and the status of each.

Reserved Licenses Tab

Shows the number of licenses used and available to be assigned, and license expiration dates.
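The Usage Authorization rule described above (a reserved license that has expired, or more licenses in use than were reserved, puts the management center Out-of-compliance) together with the advice to monitor expiration dates on the Reserved Licenses tab, as an added example that is not part of the Cisco guide and not the management center's own code. It models the status logic over a hypothetical reserved-license table: the license names, quantities and dates are constructed sample values, and the field names (name, reserved, used, expires) are assumptions. Nothing here reads the management center; a practitioner would feed it the Reserved Licenses tab values to see which entries need renewal before registration and policy deployment are blocked.

```python
"""Constructed example: derive the Usage Authorization status that the
Specific Licenses page reports from a reserved-license table.

Added illustration, not Cisco code. The rule is the one the guide states:
Out-of-compliance when a reserved license has expired or when more licenses
are in use than were reserved; otherwise Authorized. All sample values
and the field names (reserved, used, expires) are assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ReservedLicense:
    name: str
    reserved: int   # quantity reserved in the Smart Software Manager
    used: int       # quantity assigned to managed devices
    expires: date   # expiration shown on the Reserved Licenses tab


def usage_authorization(licenses, today):
    """Return ("Authorized" | "Out-of-compliance", [reasons]).

    A license is flagged when it is already expired or when usage
    exceeds the reserved quantity; either condition is enforced under
    Specific License Reservation, so each reason needs action."""
    reasons = []
    for lic in licenses:
        if lic.expires < today:
            reasons.append(f"{lic.name}: expired on {lic.expires.isoformat()}")
        if lic.used > lic.reserved:
            reasons.append(
                f"{lic.name}: {lic.used} in use but only {lic.reserved} reserved"
            )
    status = "Authorized" if not reasons else "Out-of-compliance"
    return status, reasons


def expiring_within(licenses, today, days):
    """Names of licenses that are still valid but expire within `days` days.

    Renewal is done by updating the reservation; an expired license blocks
    device registration and policy deployment, so the check runs ahead."""
    horizon = today + timedelta(days=days)
    return [lic.name for lic in licenses if today <= lic.expires <= horizon]


# Constructed sample table: one overused license, one expired, one close to expiry.
SAMPLE_TODAY = date(2022, 7, 1)
SAMPLE_LICENSES = [
    ReservedLicense("Base", reserved=4, used=4, expires=date(2023, 6, 30)),
    ReservedLicense("Threat", reserved=2, used=3, expires=date(2023, 6, 30)),
    ReservedLicense("Malware", reserved=2, used=1, expires=date(2022, 6, 15)),
    ReservedLicense("URL Filtering", reserved=2, used=2, expires=date(2022, 7, 20)),
]

if __name__ == "__main__":
    status, why = usage_authorization(SAMPLE_LICENSES, SAMPLE_TODAY)
    print("Usage Authorization:", status)
    for reason in why:
        print("  -", reason)
    print("Expiring within 30 days:", expiring_within(SAMPLE_LICENSES, SAMPLE_TODAY, 30))
```

With the sample table the status is Out-of-compliance for two reasons (Threat is overused, Malware is expired), and URL Filtering is reported as expiring within 30 days so the reservation can be updated before it lapses.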

Troubleshoot Specific License Reservation

How do I identify a particular management center in the Product Instance list in Smart Software Manager?

On the Product Instances page in Smart Software Manager, if you cannot identify the product instance based on a value in one of the columns in the table, you must click the name of each generic product instance of type FP to view the product instance details page. The UUID value on this page uniquely identifies one management center.

In the management center web interface, the UUID for the management center is the Product Instance value displayed on the System > Licenses > Specific Licenses page.

I do not see a License Reservation button in the Smart Software Manager

If you do not see the License Reservation button, then your account is not authorized for Specific License Reservation. If you have already enabled Specific License Reservation in the Linux shell and generated a request code, perform the following:

1. If you have already generated a Request Code in the management center web interface, cancel the request code.

2. Disable Specific License Reservation in the management center Linux shell as described within the section Deactivate and Return the Specific License Reservation, on page 267.

3. Register the management center with the Smart Software Manager in regular mode using a smart token.

4. Contact Cisco TAC to enable Specific License for your smart account.

I was interrupted in the middle of the licensing process. How can I pick up where I left off?

If you have generated but not yet downloaded an Authorization code from the Smart Software Manager, you can go to the Product Instance page in the Smart Software Manager, click the product instance, then click Download Reservation Authorization Code.

I am unable to register devices to the management center virtual

Make sure you have enough management center virtual entitlements in your Smart Account to cover the devices you want to register, then update your deployment to add the necessary entitlements. See Update a Specific License Reservation, on page 265.

I have enabled Specific Licensing, but now I do not see a Smart License page.

This is the expected behavior. When you enable Specific Licensing, Smart Licensing is disabled. You can use the Specific License page to perform licensing operations.

If you want to use Smart Licensing, you must return the Specific License. For more information, see Deactivate and Return the Specific License Reservation, on page 267.

What if I do not see a Specific License page in the management center virtual?

You need to enable Specific License to view the Specific License page. For more information, see Enable the Specific Licensing Menu Option, on page 262.

I have disabled Specific Licensing, but forgot to copy the Return Code. What should I do?

The Return Code is saved in the management center virtual. You must re-enable the Specific License from the Linux shell (see Enable the Specific Licensing Menu Option, on page 262), then refresh the management center virtual web interface. Your Return Code will be displayed.

Configure Legacy Management Center PAK-Based Licenses

The management center supports either a Smart License or a legacy PAK (Product Activation Key) license for its platform license. This procedure describes how to apply a PAK-based license.

Before you begin

• Make sure you have the product activation key (PAK) from the Software Claim Certificate that Cisco provided when you purchased the license. If you have a legacy, pre-Cisco license, contact Support.

Procedure

Step 1 The license key uniquely identifies the management center in the Smart Software Manager. It is composed of a product code (for example, 66) and the MAC address of the management port (eth0) of the management center; for example, 66:00:00:77:FF:CC:88.

a) Choose System > Licenses > Classic Licenses.
b) Click Add New License.
c) Note the value in the License Key field at the top of the Add Feature License dialog.

Step 2 Choose System > Licenses > Classic Licenses.

Step 3 Click Add New License.

Step 4 Continue as appropriate:

• If you have already obtained the license text, skip to Step 8.

• If you still need to obtain the license text, go to the next step.

Step 5 Click Get License to open the License Registration Portal.

Note If you cannot access the Internet using your current computer, switch to a computer that can, and browse to http://cisco.com/go/license.

Step 6 Generate a license from the PAK in the License Registration Portal: https://cisco.com/go/license.

This step requires the PAK you received during the purchase process, as well as the license key for the management center.

For more information on using this portal, see: https://slexui.cloudapps.cisco.com/SWIFT/LicensingUI/Quickstart

You will need your account credentials in order to access these links.

Step 7 Copy the license text from either the License Registration Portal display, or the email the License Registration Portal sends you.

Important The licensing text block in the portal or email message may include more than one license. Each license is bounded by a BEGIN LICENSE line and an END LICENSE line. Make sure that you copy and paste only one license at a time.

Step 8 Return to the Add Feature License page in the management center virtual's web interface.

Step 9 Paste the license text into the License field.

Step 10 Click Verify License.

If the license is invalid, make sure that you correctly copied the license text.

Step 11 Click Submit License.
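The license key layout from Step 1 and the Important note in Step 7 (a pasted block may hold several licenses, each bounded by a BEGIN LICENSE line and an END LICENSE line, and only one may be pasted at a time), as an added example that is not from the Cisco guide or from Cisco software. The sample pasted text and its placeholder body lines are constructed; the assumption that a marker line starts with those words, and that the product code in the key is decimal digits, goes beyond what the guide states. The splitter also rejects an unterminated block, which is what a truncated copy from the portal or email looks like.

```python
"""Constructed example: split a pasted license block into individual
licenses and check the management center license key layout.

Added illustration, not Cisco code. The guide states that each license is
bounded by BEGIN LICENSE and END LICENSE lines and that only one license may
be pasted at a time, and that the license key is a product code plus the
eth0 MAC address (for example 66:00:00:77:FF:CC:88). The sample text below
and the exact marker/key layout beyond that are assumptions."""

import re

BEGIN_MARKER = "BEGIN LICENSE"
END_MARKER = "END LICENSE"


def split_licenses(text):
    """Return each license as its own string, BEGIN LICENSE through END LICENSE.

    Raises ValueError on a stray or missing marker so that a truncated paste
    is caught before it reaches the License field."""
    licenses, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(BEGIN_MARKER):
            if current is not None:
                raise ValueError("BEGIN LICENSE found before the previous END LICENSE")
            current = [stripped]
        elif stripped.startswith(END_MARKER):
            if current is None:
                raise ValueError("END LICENSE without a matching BEGIN LICENSE")
            current.append(stripped)
            licenses.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(stripped)
    if current is not None:
        raise ValueError("license text ends without END LICENSE")
    return licenses


def one_license_to_paste(text):
    """Enforce the guide's rule: exactly one license per paste."""
    found = split_licenses(text)
    if len(found) != 1:
        raise ValueError(
            f"expected exactly one license, found {len(found)}; paste one at a time"
        )
    return found[0]


# Assumed layout: decimal product code, then six hex octets of the eth0 MAC.
LICENSE_KEY_RE = re.compile(r"^(\d+):((?:[0-9A-F]{2}:){5}[0-9A-F]{2})$")


def parse_license_key(key):
    """Split a license key into (product_code, mac), or None if it does not
    match the product-code:MAC layout the guide describes."""
    m = LICENSE_KEY_RE.match(key.strip().upper())
    return (m.group(1), m.group(2)) if m else None


# Constructed sample: two licenses in one pasted block; body lines are placeholders.
SAMPLE_PASTE = """\
Licenses for your management center:
BEGIN LICENSE
PLACEHOLDER-LINE-1
PLACEHOLDER-LINE-2
END LICENSE
BEGIN LICENSE
PLACEHOLDER-LINE-3
END LICENSE
"""

if __name__ == "__main__":
    for i, lic in enumerate(split_licenses(SAMPLE_PASTE), 1):
        print(f"license {i}:\n{lic}\n")
    print(parse_license_key("66:00:00:77:FF:CC:88"))
```

Running the block on the constructed paste yields two separate licenses; passing the whole block to one_license_to_paste raises, which is the condition the Important note warns about.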

Additional Information about Licensing

For additional information to help resolve common licensing questions, see the following documents:

• FAQ— https://www.cisco.com/c/en/us/td/docs/security/firepower/licensing/faq/firepower-license-FAQ.html

• License Roadmap— https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-licenseroadmap.html


History for Licenses

Feature: Performance tier licensing for the threat defense virtual
Version: 7.0
Details: Performance-tiered licensing provides different throughput levels and VPN connection limits based on deployment requirements. License tiers map to new threat defense virtual models.

Feature: Licensing for multi-instance capability for the threat defense on the Firepower 4100/9300
Version: 6.3
Details: You can now deploy multiple threat defense container instances on a Firepower 4100/9300. You only need a single license per feature per security module/engine. The base license is automatically assigned to each instance.
New/Modified screens: System > Licenses > Smart Licenses
Supported platforms: threat defense on the Firepower 4100/9300

Feature: Specific License Reservation for air-gapped deployments
Version: 6.3
Details: Customers whose deployments cannot connect to the internet to communicate with the Cisco License Authority can use a Specific License Reservation.
New/Modified screens: System > Licenses > Specific Licenses (This option is not available by default.)
Supported platforms: management center, threat defense

Feature: Export-controlled functionality for restricted customers
Version: 6.3
Details: Certain customers whose Smart Accounts are not otherwise eligible to use restricted functionality can purchase term-based licenses, with approval.
Supported platforms: management center, threat defense


CHAPTER 8

High Availability

The following topics describe how to configure Active/Standby high availability of Cisco Secure Firewall Management Centers:

About Secure Firewall Management Center High Availability, on page 275

Requirements for Management Center High Availability, on page 281

Prerequisites for Management Center High Availability, on page 283

Establishing Management Center High Availability, on page 284

Viewing Management Center High Availability Status, on page 285

Configurations Synced on Management Center High Availability Pairs, on page 286

Configuring External Access to the Management Center Database in a High Availability Pair, on page 287

Using CLI to Resolve Device Registration in Management Center High Availability, on page 287

Switching Peers in a Management Center High Availability Pair, on page 288

Pausing Communication Between Paired Firepower Management Centers, on page 288

Restarting Communication Between Paired Firepower Management Centers, on page 288

Changing the IP Address of a Management Center in a High Availability Pair, on page 289

Disabling Management Center High Availability, on page 289

Replacing Management Centers in a High Availability Pair, on page 290

History for Management Center High Availability, on page 294

About Secure Firewall Management Center High Availability

To ensure the continuity of operations, the high availability feature allows you to designate redundant Secure Firewall Management Centers to manage devices. Secure Firewall Management Centers support Active/Standby high availability where one appliance is the active unit and manages devices. The standby unit does not actively manage devices. The active unit writes configuration data into a data store and replicates data for both units, using synchronization where necessary to share some information with the standby unit.

Active/Standby high availability lets you configure a secondary Secure Firewall Management Center to take over the functionality of a primary Secure Firewall Management Center if the primary fails. When the primary Secure Firewall Management Center fails, you must promote the secondary Secure Firewall Management Center to become the active unit.

Event data streams from managed devices to both Secure Firewall Management Centers in the high availability pair. If one Secure Firewall Management Center fails, you can monitor your network without interruption using the other Secure Firewall Management Center.


Note that Secure Firewall Management Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location.

Caution Because the system restricts some functionality to the active Secure Firewall Management Center, if that appliance fails, you must promote the standby Secure Firewall Management Center to active.

Note Triggering a switchover on management center immediately after a successful change deployment can lead to preview configuration not working on the new active management center. This does not impact policy deploy functionality. It is recommended to trigger a switchover on the management center after the necessary sync is completed.

About Remote Access VPN High Availability

If the primary device has Remote Access VPN configuration with an identity certificate enrolled using a CertEnrollment object, the secondary device must have an identity certificate enrolled using the same CertEnrollment object. The CertEnrollment object can have different values for the primary and secondary devices due to device-specific overrides. The limitation is only to have the same CertEnrollment object enrolled on the two devices before the high availability formation.

SNMP Behavior in Secure Firewall Management Center High Availability

In an SNMP-configured HA pair, when you deploy an alert policy, the primary Secure Firewall Management Center sends the SNMP traps. When the primary Secure Firewall Management Center fails, the secondary Secure Firewall Management Center, which becomes the active unit, sends the SNMP traps without the need for any additional configuration.

Roles v. Status in Management Center High Availability

Primary/Secondary Roles

When setting up Secure Firewall Management Centers in a high availability pair, you configure one Secure Firewall Management Center to be primary and the other as secondary. During configuration, the primary unit's policies are synchronized to the secondary unit. After this synchronization, the primary Secure Firewall Management Center becomes the active peer, while the secondary Secure Firewall Management Center becomes the standby peer, and the two units act as a single appliance for managed device and policy configuration.

Active/Standby Status

The main differences between the two Secure Firewall Management Centers in a high availability pair are related to which peer is active and which peer is standby. The active Secure Firewall Management Center remains fully functional, where you can manage devices and policies. On the standby Secure Firewall Management Center, functionality is hidden; you cannot make any configuration changes.


Event Processing on Management Center High Availability Pairs

Since both Secure Firewall Management Centers in a high availability pair receive events from managed devices, the management IP addresses for the appliances are not shared. This means that you do not need to intervene to ensure continuous processing of events if a Secure Firewall Management Center fails.

AMP Cloud Connections and Malware Information

Although they share file policies and related configurations, Secure Firewall Management Centers in a high availability pair share neither Cisco AMP cloud connections nor malware dispositions. To ensure continuity of operations, and to ensure that detected files' malware dispositions are the same on both Secure Firewall Management Centers, both primary and secondary Secure Firewall Management Centers must have access to the AMP cloud.

URL Filtering and Security Intelligence

URL filtering and Security Intelligence configurations and information are synchronized between Secure Firewall Management Centers in a high availability deployment. However, only the primary Secure Firewall Management Center downloads URL category and reputation data for updates to Security Intelligence feeds.

If the primary Secure Firewall Management Center fails, not only must you make sure that the secondary Secure Firewall Management Center can access the internet to update threat intelligence data, but you must also use the web interface on the secondary Secure Firewall Management Center to promote it to active.

User Data Processing During Management Center Failover

If the primary Secure Firewall Management Center fails, the secondary Secure Firewall Management Center propagates to managed devices user-to-IP mappings from the TS Agent identity source, and propagates SGT mappings from the ISE/ISE-PIC identity source. Users not yet seen by identity sources are identified as Unknown.

After the downtime, the Unknown users are re-identified and processed according to the rules in your identity policy.

Configuration Management on Management Center High Availability Pairs

In a high availability deployment, only the active Secure Firewall Management Center can manage devices and apply policies. Both Secure Firewall Management Centers remain in a state of continuous synchronization.

If the active Secure Firewall Management Center fails, the high availability pair enters a degraded state until you manually promote the standby appliance to the active state. Once the promotion is complete, the appliances leave maintenance mode.

Management Center High Availability Disaster Recovery

In case of a disaster recovery situation, a manual switchover must be performed. When the primary management center (FMC1) fails, access the web interface of the secondary management center (FMC2) and switch peers. This applies conversely as well, in case the secondary (FMC2) fails. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.

For restoring a failed management center, refer to Replacing Management Centers in a High Availability Pair, on page 290.


Single Sign-On and High Availability Pairs

Management centers in a high availability configuration can support Single Sign-On, but you must keep the following considerations in mind:

• SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.

• Both management centers in a high availability pair must use the same identity provider (IdP) for SSO. You must configure a service provider application at the IdP for each management center configured for SSO.

• In a high availability pair of management centers where both are configured to support SSO, before a user can use SSO to access the secondary management center for the first time, that user must first use SSO to log into the primary management center at least once.

• When configuring SSO for management centers in a high availability pair:

  • If you configure SSO on the primary management center, you are not required to configure SSO on the secondary management center.

  • If you configure SSO on the secondary management center, you are required to configure SSO on the primary management center as well. (This is because SSO users must log in to the primary management center at least once before logging into the secondary management center.)

Related Topics

Configure SAML Single Sign-On, on page 129

Management Center High Availability Behavior During a Backup

When you perform a Backup on a management center high availability pair, the Backup operation pauses synchronization between the peers. During this operation, you may continue using the active management center, but not the standby peer.

After Backup is completed, synchronization resumes, which briefly disables processes on the active peer.

During this pause, the High Availability page briefly displays a holding page until all processes resume.

Management Center High Availability Split-Brain

If the active Secure Firewall Management Center in a high-availability pair goes down (due to power issues, network/connectivity issues), you can promote the standby Secure Firewall Management Center to an active state. When the original active peer comes up, both peers can assume they are active. This state is defined as 'split-brain'. When this situation occurs, the system prompts you to choose an active appliance, which demotes the other appliance to standby.

If the active Secure Firewall Management Center goes down (or disconnects due to a network failure), you may either break high availability or switch roles. The standby Secure Firewall Management Center enters a degraded state.


Note Whichever appliance you use as the secondary loses all of its device registrations and policy configurations when you resolve split-brain. For example, you would lose modifications to any policies that existed on the secondary but not on the primary. If the Secure Firewall Management Center is in a high availability split-brain scenario where both appliances are active, and you register managed devices and deploy policies before you resolve split-brain, you must export any policies and unregister any managed devices from the intended standby Secure Firewall Management Center before re-establishing high availability. You may then register the managed devices and import the policies to the intended active Secure Firewall Management Center.

Upgrading Management Centers in a High Availability Pair

Cisco electronically distributes several different types of updates periodically. These include major and minor upgrades to the system software. You may need to install these updates on Secure Firewall Management Centers in a high availability setup.

Warning Make sure that there is at least one operational Secure Firewall Management Center during an upgrade.

Before you begin

Read the release notes or advisory text that accompanies the upgrade. The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.

Procedure

Step 1 Access the web interface of the active Secure Firewall Management Center and pause data synchronization; see Pausing Communication Between Paired Firepower Management Centers, on page 288.

Step 2 Upgrade the standby Secure Firewall Management Center.

When the upgrade completes, the standby unit becomes active. When both peers are active, the high availability pair is in a degraded state (split-brain).

Step 3 Upgrade the other Secure Firewall Management Center.

Step 4 Decide which Secure Firewall Management Center you want to use as the standby. Any additional devices or policies added to the standby after pausing synchronization are not synced to the active Secure Firewall Management Center. Unregister only those additional devices and export any configurations you want to preserve.

When you choose a new active Secure Firewall Management Center, the Secure Firewall Management Center you designate as secondary will lose device registrations and deployed policy configurations, which are not synced.

Step 5 Resolve split-brain by choosing the new active Secure Firewall Management Center which has all the latest required configurations for policies and devices.


Troubleshooting Management Center High Availability

This section lists troubleshooting information for some common management center high availability operation errors.

Error: You must reset your password on the active management center before you can log into the standby

Description: You attempted to log into the standby management center when a force password reset is enabled for your account.

Solution: As the database is read-only for a standby management center, reset the password on the login page of the active management center.

Error: 500 Internal / System processes are starting, please wait. Also, the web interface does not respond.

Description: May appear when attempting to access the web interface while performing critical management center high availability operations, including switching peer roles or pausing and resuming synchronization.

Solution: Wait until the operation completes before using the web interface.

Description: May appear when the management center reboots (manually or while recovering from a power down) during a high availability or data synchronization operation.

Solution:

1. Access the management center shell and use the manage_hadc.pl command to access the management center high availability configuration utility.

Note Run the utility as a root user, using sudo.

2. Pause mirroring operations by using option 5. Reload the management center web interface.

3. Use the web interface to resume synchronization. Choose System > Integration, then click the High Availability tab and choose Resume Synchronization.


Error: Device Registration Status: Host <string> is not reachable

Description: During the initial configuration of a threat defense, if the management center IP address and NAT ID are specified, the Host field can be left blank. However, in an HA environment with both the management centers behind a NAT, this error occurs when you add the threat defense on the secondary management center.

Solution:

1. Delete the threat defense from the primary management center. See Delete a Device from the Management Center in the Cisco Secure Firewall Management Center Device Configuration Guide.

2. Remove managers from the threat defense using the configure manager delete command. See Command Reference for Secure Firewall Threat Defense.

3. Add the threat defense to the management center with the IP address or name of the threat defense device in the Host field. See Add a Device to the Management Center in the Cisco Secure Firewall Management Center Device Configuration Guide.

Requirements for Management Center High Availability

Model Support: See Hardware Requirements, on page 281.

Virtual Model Support: See Virtual Platform Requirements, on page 282.

Supported Domains: Global

User Roles: Admin

Hardware Requirements

• Supported hardware models: MC1000, MC1600, MC2500, MC2600, MC4500, MC4600

• The two Secure Firewall Management Centers in a high availability configuration must be the same model.

• The primary Secure Firewall Management Center backup must not be restored to the secondary Secure Firewall Management Center.


• Bandwidth Requirements: There must be at least 5 Mbps of network bandwidth between the two Secure Firewall Management Centers to set up a high availability configuration between them.

• The two Secure Firewall Management Centers in a high availability configuration may be physically and geographically separated from each other in different data centers.

• See also License Requirements for Management Center High Availability Configurations, on page 282.

Virtual Platform Requirements

Requirements for establishing high availability (HA) using two management center virtual appliances:

• management center virtual must be running on VMware ESXi.

• management center virtual HA is supported on management center virtual 10, 25, and 300.

• The two management center virtual appliances in a high availability configuration must have the same device management capacity. For example, you cannot pair a management center virtual 25 with a management center virtual 300.

• High availability licensing requirements are different for virtual vs. hardware management centers. See License Requirements for Management Center High Availability Configurations, on page 282.

Software Requirements

Access the Appliance Information widget to verify the software version, the intrusion rule update version and the vulnerability database update. By default, the widget appears on the Status tab of the Detailed Dashboard and the Summary Dashboard. For more information, see The Appliance Information Widget, on page 308.

• The two Secure Firewall Management Centers in a high availability configuration must have the same major (first number), minor (second number), and maintenance (third number) software version.

• The two Secure Firewall Management Centers in a high availability configuration must have the same version of the intrusion rule update installed.

• The two Secure Firewall Management Centers in a high availability configuration must have the same version of the vulnerability database update installed.

• The two Secure Firewall Management Centers in a high availability configuration must have the same version of the LSP (Lightweight Security Package) installed.

Warning If the software versions, intrusion rule update versions and vulnerability database update versions are not identical on both Secure Firewall Management Centers, you cannot establish high availability.
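As an added example (not Cisco code and not part of this guide), the following Python pre-check encodes the hardware, virtual platform and software requirements above, so that a pair can be validated before you attempt to establish high availability. The Appliance record, its field names, and the sample version strings are assumptions.

```python
"""Pre-check two management centers against the HA pairing requirements
stated in this guide. Added illustration, not Cisco code; the Appliance
record, its field names and all sample values are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hardware models listed under Hardware Requirements
HARDWARE_MODELS = {"MC1000", "MC1600", "MC2500", "MC2600", "MC4500", "MC4600"}
# Capacities on which management center virtual HA is supported
VIRTUAL_HA_CAPACITIES = {10, 25, 300}
# Minimum bandwidth between the peers (stated under Hardware Requirements;
# applied to virtual pairs here as well, which is an assumption)
MIN_LINK_MBPS = 5.0


@dataclass
class Appliance:
    name: str
    model: str                     # e.g. "MC1600"; "FMCv" is a label we assume for virtual
    software: str                  # "major.minor.maintenance", build text tolerated
    sru: str                       # intrusion rule update version
    vdb: str                       # vulnerability database version
    lsp: str                       # Lightweight Security Package version
    virtual: bool = False
    capacity: Optional[int] = None  # virtual device-management capacity (10/25/300)
    hypervisor: Optional[str] = None


def version_triplet(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, maintenance). The guide compares only these
    three numbers, so a fourth component or a build suffix is ignored."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.maintenance, got {version!r}")
    major, minor, maint = (int(p.split()[0]) for p in parts[:3])
    return (major, minor, maint)


def check_ha_requirements(a: Appliance, b: Appliance,
                          link_mbps: Optional[float] = None) -> List[str]:
    """Return the list of violated requirements; an empty list means the
    checks in this guide are satisfied."""
    problems: List[str] = []

    # Software, intrusion rule, VDB and LSP versions must all be identical.
    if version_triplet(a.software) != version_triplet(b.software):
        problems.append(f"software version differs: {a.software} vs {b.software}")
    for label, x, y in (("intrusion rule update", a.sru, b.sru),
                        ("vulnerability database", a.vdb, b.vdb),
                        ("LSP", a.lsp, b.lsp)):
        if x != y:
            problems.append(f"{label} version differs: {x} vs {y}")

    if link_mbps is not None and link_mbps < MIN_LINK_MBPS:
        problems.append(f"link bandwidth {link_mbps} Mbps is below the {MIN_LINK_MBPS} Mbps minimum")

    if a.virtual != b.virtual:
        problems.append("cannot pair a hardware and a virtual management center")
        return problems

    if a.virtual:
        for appl in (a, b):
            if (appl.hypervisor or "").lower() != "vmware esxi":
                problems.append(f"{appl.name}: management center virtual must run on VMware ESXi")
            if appl.capacity not in VIRTUAL_HA_CAPACITIES:
                problems.append(f"{appl.name}: virtual HA is supported only on "
                                f"capacities {sorted(VIRTUAL_HA_CAPACITIES)}")
        if a.capacity != b.capacity:
            problems.append(f"device management capacity differs: {a.capacity} vs {b.capacity}")
    else:
        for appl in (a, b):
            if appl.model not in HARDWARE_MODELS:
                problems.append(f"{appl.name}: model {appl.model} is not supported for HA")
        if a.model != b.model:
            problems.append(f"hardware model differs: {a.model} vs {b.model}")
    return problems


if __name__ == "__main__":
    # Constructed sample pair: identical hardware peers, one reporting a build tag.
    fmc1 = Appliance("fmc1", "MC1600", "7.2.0 (build 82)", "2022-06-14-001-vrt",
                     "353", "lsp-rel-20220614-1234")
    fmc2 = Appliance("fmc2", "MC2600", "7.1.0", "2022-06-07-001-vrt",
                     "353", "lsp-rel-20220614-1234")
    for p in check_ha_requirements(fmc1, fmc2, link_mbps=2):
        print("FAIL:", p)
```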

License Requirements for Management Center High Availability Configurations

Each device requires the same licenses whether managed by a single management center or by management centers in a high availability pair (hardware or virtual).


Example: If you want to enable advanced malware protection for two devices managed by a management center pair, buy two Malware licenses and two TM subscriptions, register the active management center with the Smart Software Manager, then assign the licenses to the two devices on the active management center.

Only the active management center is registered with the Smart Software Manager. When failover occurs, the system communicates with Smart Software Manager to release the license entitlements from the originally-active management center and assign them to the newly-active management center.

In Specific License Reservation deployments, only the primary management center requires a Specific License Reservation.

Hardware Management Center

No special license is required for hardware management centers in a high availability pair.

Management Center Virtual

You will need two identically licensed management center virtuals.

Example: For the management center virtual high availability pair managing 10 devices, you can use:

• Two (2) management center virtual 10 entitlements

• 10 device licenses

If you break the high availability pair, the management center virtual entitlements associated with the secondary management center virtual are released. (In the example, you would then have two standalone management center virtual 10s.)

Prerequisites for Management Center High Availability

Before establishing a Secure Firewall Management Center high availability pair:

• Export required policies from the intended secondary Secure Firewall Management Center to the intended primary Secure Firewall Management Center. For more information, see Exporting Configurations, on page 475.

• Make sure that the intended secondary Secure Firewall Management Center does not have any devices added to it. Delete devices from the intended secondary Secure Firewall Management Center and register these devices to the intended primary Secure Firewall Management Center. For more information, see Delete a Device from the Management Center and Add a Device to the Management Center.

• Import the policies into the intended primary Secure Firewall Management Center. For more information, see Importing Configurations, on page 476.

• On the intended primary Secure Firewall Management Center, verify the imported policies, edit them as needed and deploy them to the appropriate device. For more information, see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Device Configuration Guide.

• On the intended primary Secure Firewall Management Center, associate the appropriate licenses to the newly added devices. For more information, see Assign Licenses to a Single Device, on page 254.

You can now proceed to establish high availability. For more information, see Establishing Management Center High Availability, on page 284.


Establishing Management Center High Availability

Establishing high availability can take a significant amount of time, even several hours, depending on the bandwidth between the peers and the number of policies. It also depends on the number of devices registered to the active Secure Firewall Management Center, which need to be synced to the standby Secure Firewall Management Center. You can view the High Availability page to check the status of the high availability peers.

Before you begin

• Confirm that both the Secure Firewall Management Centers adhere to the high availability system requirements. For more information, see Requirements for Management Center High Availability, on page 281.

• Confirm that you completed the prerequisites for establishing high availability. For more information, see Prerequisites for Management Center High Availability, on page 283.

Procedure

Step 1 Log into the Secure Firewall Management Center that you want to designate as the secondary.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

Step 4 Under Role for this Secure Firewall Management Center, choose Secondary.

Step 5 Enter the hostname or IP address of the primary Secure Firewall Management Center in the Primary Firepower Management Center Host text box.

You can leave this empty if the primary Secure Firewall Management Center does not have an IP address reachable from the peer management center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one management center to enable the HA connection.

Step 6 Enter a one-time-use registration key in the Registration Key text box.

The registration key is any user-defined alphanumeric value up to 37 characters in length. This registration key will be used to register both the secondary and the primary Secure Firewall Management Centers.

Step 7 If you did not specify the primary IP address, or if you do not plan to specify the secondary IP address on the primary Secure Firewall Management Center, then in the Unique NAT ID field, enter a unique alphanumeric ID. See NAT Environments, on page 57 for more information.

Step 8 Click Register.

Step 9 Using an account with Admin access, log into the Secure Firewall Management Center that you want to designate as the primary.

Step 10 Choose System > Integration.

Step 11 Choose High Availability.

Step 12 Under Role for this Secure Firewall Management Center, choose Primary.

Step 13 Enter the hostname or IP address of the secondary Secure Firewall Management Center in the Secondary Firepower Management Center Host text box.


You can leave this empty if the secondary Secure Firewall Management Center does not have an IP address reachable from the peer management center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one management center to enable the HA connection.

Step 14 Enter the same one-time-use registration key in the Registration Key text box that you used in step 6.

Step 15 If required, enter the same NAT ID that you used in step 7 in the Unique NAT ID text box.

Step 16 Click Register.

What to do next

After establishing a Secure Firewall Management Center high availability pair, devices registered to the active Secure Firewall Management Center are automatically registered to the standby Secure Firewall Management Center.

Note When a registered device has a NAT IP address, automatic device registration fails and the secondary Secure Firewall Management Center High Availability page lists the device as local, pending. You can then assign a different NAT IP address to the device on the standby Secure Firewall Management Center High Availability page. If automatic registration otherwise fails on the standby Secure Firewall Management Center, but the device appears to be registered to the active Firepower Management Center, see Using CLI to Resolve Device Registration in Management Center High Availability, on page 287.

Viewing Management Center High Availability Status

After you identify your active and standby management centers, you can view information about the local management center and its peer.

Note In this context, Local Peer refers to the appliance where you are viewing the system status. Remote Peer refers to the other appliance, regardless of active or standby status.

Procedure

Step 1 Log into one of the management centers that you paired using high availability.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

You can view:

Summary Information

• The health status of the high availability pair. The status of a correctly functioning system will oscillate between "Healthy" and "Synchronization task is in progress" as the standby unit receives configuration changes from the active unit.


• The current synchronization status of the high availability pair

• The IP address of the active peer and the last time it was synchronized

• The IP address of the standby peer and the last time it was synchronized

System Status

• The IP addresses for both peers

• The operating system for both peers

• The software version for both peers

• The appliance model of both peers

Note You can view export control and compliance status only on the active management center.

Configurations Synced on Management Center High Availability Pairs

When you establish high availability between two management centers, the following configuration data is synced between them:

• License entitlements

• Access control policies

• Intrusion rules

• Malware and file policies

• DNS policies

• Identity policies

• SSL policies

• Prefilter policies

• Network discovery rules

• Application detectors

• Correlation policy rules

• Alerts

• Scanners

• Response groups

• Contextual cross-launch of external resources for investigating events


• Remediation settings, although you must install custom modules on both management centers. For more information on remediation settings, see Managing Remediation Modules, on page 989.

Configuring External Access to the Management Center Database in a High Availability Pair

In a high availability setup, we recommend that you use only the active peer to configure external access to the database. When you configure the standby peer for external database access, it leads to frequent disconnections. To restore the connectivity, you must pause (see Pausing Communication Between Paired Firepower Management Centers) and restart (see Restarting Communication Between Paired Firepower Management Centers) the synchronization of the standby peer. For information on how to enable external database access to Secure Firewall Management Centers, see Enabling External Access to the Database, on page 51.

Using CLI to Resolve Device Registration in Management Center High Availability

If automatic device registration fails on the standby Secure Firewall Management Center, but the device appears to be registered to the active Secure Firewall Management Center, complete the following steps:

Warning If you do an RMA of the secondary Secure Firewall Management Center or add a secondary Secure Firewall Management Center, the managed FTDs are unregistered and, as a result, their configuration may be deleted.

Procedure

Step 1 Unregister the device from the active Secure Firewall Management Center.

Step 2 Log into the CLI for the affected device.

Step 3 Run the CLI command: configure manager delete.

This command disables and removes the current Secure Firewall Management Center.

Step 4 Run the CLI command: configure manager add.

This command configures the device to initiate a connection to a Secure Firewall Management Center.

Tip Configure remote management on the device only for the active Secure Firewall Management Center. When high availability is established, devices are automatically added to be managed by the standby Secure Firewall Management Center.

Step 5 Log into the active Secure Firewall Management Center and register the device.


Switching Peers in a Management Center High Availability Pair

Because the system restricts some functionality to the active Secure Firewall Management Center, if that appliance fails, you must promote the standby Secure Firewall Management Center to active:

Procedure

Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

Step 4 Choose Switch Peer Roles to change the local role from Active to Standby, or Standby to Active. With the Primary or Secondary designation unchanged, the roles are switched between the two peers.

Pausing Communication Between Paired Firepower Management Centers

If you want to temporarily disable high availability, you can disable the communications channel between the Secure Firewall Management Centers. If you pause synchronization on the active peer, you can resume synchronization on either the standby or active peer. However, if you pause synchronization on the standby peer, you can only resume synchronization on the standby peer.

Procedure

Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

Step 4 Choose Pause Synchronization.

Restarting Communication Between Paired Firepower Management Centers

If you temporarily disable high availability, you can restart high availability by enabling the communications channel between the Secure Firewall Management Centers. If you paused synchronization on the active unit, you can resume synchronization on either the standby or active unit. However, if you paused synchronization on the standby unit, you only can resume synchronization on the standby unit.


Procedure

Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

Step 4 Choose Resume Synchronization.

Changing the IP Address of a Management Center in a High Availability Pair

If the IP address for one of the high availability peers changes, high availability enters a degraded state. To recover high availability, you must manually change the IP address.

Procedure

Step 1 Log into one of the Secure Firewall Management Centers that you paired using high availability.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

Step 4 Choose Peer Manager.

Step 5 Choose Edit ( ).

Step 6 Enter the display name of the appliance, which is used only within the context of the system.

Entering a different display name does not change the host name for the appliance.

Step 7 Enter the fully qualified domain name or the name that resolves through the local DNS to a valid IP address (that is, the host name), or the host IP address.

Step 8 Click Save.

Disabling Management Center High Availability

Procedure

Step 1 Log into one of the Secure Firewall Management Centers in the high availability pair.

Step 2 Choose System > Integration.

Step 3 Choose High Availability.

Step 4 Choose Break High Availability.

Step 5 Choose one of the following options for handling managed devices:


• To control all managed devices with this Secure Firewall Management Center, choose Manage registered devices from this console. All devices will be unregistered from the peer.

• To control all managed devices with the other Secure Firewall Management Center, choose Manage registered devices from peer console. All devices will be unregistered from this Secure Firewall Management Center.

• To stop managing devices altogether, choose Stop managing registered devices from both consoles. All devices will be unregistered from both Secure Firewall Management Centers.

Note If you choose to manage the registered devices from the secondary Secure Firewall Management Center, the devices will be unregistered from the primary Secure Firewall Management Center. The devices are now registered to be managed by the secondary Secure Firewall Management Center. However, the licenses that were applied to these devices are deregistered on account of the high availability break operation. You must now proceed to re-register (enable) the licenses on the devices from the secondary Secure Firewall Management Center. For more information, see Assign Licenses to Devices, on page 254.

Step 6 Click OK.

Replacing Management Centers in a High Availability Pair

If you need to replace a failed unit in a Secure Firewall Management Center high availability pair, you must follow one of the procedures listed below. The table lists four possible failure scenarios and their corresponding replacement procedures.

• Primary management center failed, data backup successful: Replace a Failed Primary Management Center (Successful Backup), on page 290

• Primary management center failed, data backup not successful: Replace a Failed Primary Management Center (Unsuccessful Backup), on page 291

• Secondary management center failed, data backup successful: Replace a Failed Secondary Management Center (Successful Backup), on page 292

• Secondary management center failed, data backup not successful: Replace a Failed Secondary Management Center (Unsuccessful Backup), on page 293

Replace a Failed Primary Management Center (Successful Backup)

Two Secure Firewall Management Centers, FMC1 and FMC2, are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Secure Firewall Management Center, FMC1, when data backup from the primary is successful.

Before you begin

Verify that the data backup from the failed primary Secure Firewall Management Center is successful.


Procedure

Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC1.

Step 2 When the primary Secure Firewall Management Center - FMC1 fails, access the web interface of the secondary Secure Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.

This promotes the secondary Secure Firewall Management Center - FMC2 to active. You can use FMC2 as the active Secure Firewall Management Center until the primary Secure Firewall Management Center - FMC1 is replaced.

Caution Do not break Secure Firewall Management Center High Availability from FMC2, since licenses that were synced to FMC2 from FMC1 (before failure) will be removed from FMC2 and you will be unable to perform any deploy actions from FMC2.

Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC1.

Step 4 Restore the data backup retrieved from FMC1 to the new Secure Firewall Management Center.

Step 5 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC2.

The new Secure Firewall Management Center and FMC2 will now both be active peers, resulting in a high availability split-brain.

Step 6 When the Secure Firewall Management Center web interface prompts you to choose an active appliance, select FMC2 as active.

This syncs the latest configuration from FMC2 to the new Secure Firewall Management Center - FMC1.

Step 7 When the configuration syncs successfully, access the web interface of the secondary Secure Firewall Management Center - FMC2 and switch roles to make the primary Secure Firewall Management Center - FMC1 active. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.

What to do next

High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.

Replace a Failed Primary Management Center (Unsuccessful Backup)

Two Secure Firewall Management Centers, FMC1 and FMC2, are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Secure Firewall Management Center, FMC1, when data backup from the primary is unsuccessful.

Procedure

Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC1.


Step 2 When the primary Secure Firewall Management Center - FMC1 fails, access the web interface of the secondary Secure Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.

This promotes the secondary Secure Firewall Management Center - FMC2 to active. You can use FMC2 as the active Secure Firewall Management Center until the primary Secure Firewall Management Center - FMC1 is replaced.

Caution Do not break Secure Firewall Management Center High Availability from FMC2, since licenses that were synced to FMC2 from FMC1 (before failure) will be removed from FMC2 and you will be unable to perform any deploy actions from FMC2.

Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC1.

Step 4 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC2.

Step 5 Deregister the Secure Firewall Management Center - FMC2 from the Cisco Smart Software Manager. For more information, see Deregister the Management Center, on page 256.

Deregistering a Secure Firewall Management Center from the Cisco Smart Software Manager removes the Management Center from your virtual account. All license entitlements associated with the Secure Firewall Management Center release back to your virtual account. After deregistration, the Secure Firewall Management Center enters Enforcement mode where no update or changes on licensed features are allowed.

Step 6 Access the web interface of the secondary Secure Firewall Management Center - FMC2 and break Secure Firewall Management Center high availability. For more information, see Disabling Management Center High Availability, on page 289. When prompted to select an option for handling managed devices, choose Manage registered devices from this console.

As a result, licenses that were synced to the secondary Secure Firewall Management Center - FMC2 will be removed and you cannot perform deployment activities from FMC2.

Step 7

Step 8

Re-establish Secure Firewall Management Center high availability, by setting up the Secure Firewall

Management Center - FMC2 as the primary and Secure Firewall Management Center - FMC1 as the secondary.

For more information , see

Establishing Management Center High Availability, on page 284 .

Register a Smart License to the primary Secure Firewall Management Center - FMC2. For more information see

Register the Management Center with the Smart Software Manager, on page 249 .

What to do next

High availability has now been re-established and the primary and the secondary Secure Firewall Management

Centers will now work as expected.

Replace a Failed Secondary Management Center (Successful Backup)

Two Secure Firewall Management Centers - FMC1 and FMC2 are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed secondary Secure Firewall Management Center - FMC2 when data backup from the secondary is successful.

Before you begin

Verify that the data backup from the failed secondary Secure Firewall Management Center is successful.

Procedure

Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC2.

Step 2 Continue to use the primary Secure Firewall Management Center - FMC1 as the active Secure Firewall Management Center.

Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC2.

Step 4 Restore the data backup from FMC2 to the new Secure Firewall Management Center.

Step 5 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC1.

Step 6 Resume data synchronization (if paused) from the web interface of the new Secure Firewall Management Center - FMC2, to synchronize the latest configuration from the primary Secure Firewall Management Center - FMC1. For more information, see Restarting Communication Between Paired Firepower Management Centers, on page 288.

Classic and Smart Licenses work seamlessly.

What to do next

High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.

Replace a Failed Secondary Management Center (Unsuccessful Backup)

Two Secure Firewall Management Centers - FMC1 and FMC2 are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed secondary Secure Firewall Management Center - FMC2 when data backup from the secondary is unsuccessful.

Procedure

Step 1 Contact Support to request a replacement for a failed Secure Firewall Management Center - FMC2.

Step 2 Continue to use the primary Secure Firewall Management Center - FMC1 as the active Secure Firewall Management Center.

Step 3 Reimage the replacement Secure Firewall Management Center with the same software version as FMC2.

Step 4 Install required Secure Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC1.

Step 5 Access the web interface of the primary Secure Firewall Management Center - FMC1 and break Secure Firewall Management Center high availability. For more information, see Disabling Management Center High Availability, on page 289. When prompted to select an option for handling managed devices, choose Manage registered devices from this console.

Step 6 Re-establish Secure Firewall Management Center high availability by setting up the Secure Firewall Management Center - FMC1 as the primary and Secure Firewall Management Center - FMC2 as the secondary. For more information, see Establishing Management Center High Availability, on page 284.

• When high availability is successfully established, the latest configuration from the primary Secure Firewall Management Center - FMC1 is synchronized to the secondary Secure Firewall Management Center - FMC2.

• Classic and Smart Licenses work seamlessly.

What to do next

High availability has now been re-established and the primary and the secondary Secure Firewall Management Centers will now work as expected.

Management Center High Availability Disaster Recovery

In a disaster recovery situation, a manual switchover must be performed. When the primary management center - FMC1 fails, access the web interface of the secondary management center - FMC2 and switch peers. The same applies conversely if the secondary (FMC2) fails. For more information, see Switching Peers in a Management Center High Availability Pair, on page 288.

For restoring a failed management center, refer to Replacing Management Centers in a High Availability Pair, on page 290.

History for Management Center High Availability

Feature | Version | Details

Management Center high availability with management center virtual on VMware | 6.7 | You can now achieve management center high availability using management center virtual running on VMware. See requirements at Virtual Platform Requirements, on page 282. Supported platforms: management center virtual 10, 25, and 300 for VMware.

Single Sign-On | 6.7 | When configuring one or both members of a high-availability pair for single sign-on, you must take into account special considerations. Supported platforms: management center.

Chapter 9

Security Certifications Compliance

The following topics describe how to configure your system to comply with security certifications standards:

Security Certifications Compliance Modes, on page 295

Security Certifications Compliance Characteristics, on page 296

Security Certifications Compliance Recommendations, on page 297

Enable Security Certifications Compliance, on page 300

Security Certifications Compliance Modes

Your organization might be required to use only equipment and software complying with security standards established by the U.S. Department of Defense and global certification organizations. Firepower supports compliance with the following security certifications standards:

• Common Criteria (CC): a global standard established by the international Common Criteria Recognition Arrangement, defining properties for security products

• Unified Capabilities Approved Products List (UCAPL): a list of products meeting security requirements established by the U.S. Defense Information Systems Agency (DISA)

Note The U.S. Government has changed the name of the Unified Capabilities Approved Products List (UCAPL) to the Department of Defense Information Network Approved Products List (DODIN APL). References to UCAPL in this documentation and the Secure Firewall Management Center web interface can be interpreted as references to DODIN APL.

• Federal Information Processing Standards (FIPS) 140: a requirements specification for encryption modules

You can enable security certifications compliance in CC mode or UCAPL mode. Enabling security certifications compliance does not guarantee strict compliance with all requirements of the security mode selected. For more information on hardening procedures, refer to the guidelines for this product provided by the certifying entity.

Caution After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL mode, you must reimage.

Security Certifications Compliance Characteristics

The following table describes behavior changes when you enable CC or UCAPL mode. (Restrictions on login accounts refer to command line access, not web interface access.)

Column key: FMC = Secure Firewall Management Center; Classic = Classic Managed Devices; FTD = Secure Firewall Threat Defense. Each appliance type has one column for CC Mode and one for UCAPL Mode.

System Change | FMC CC | FMC UCAPL | Classic CC | Classic UCAPL | FTD CC | FTD UCAPL

FIPS compliance is enabled. | Yes | Yes | Yes | Yes | Yes | Yes

The system does not allow remote storage for backups or reports. | Yes | Yes | Yes | Yes | Yes | Yes

The system starts an additional system audit daemon. | No | Yes | No | Yes | No | Yes

The system boot loader is secured. | No | Yes | No | Yes | No | Yes

The system applies additional security to login accounts. | No | Yes | No | Yes | No | Yes

The system disables the reboot key sequence Ctrl+Alt+Del. | No | Yes | No | Yes | No | No

The system enforces a maximum of ten simultaneous login sessions. | No | Yes | No | Yes | No | No

Passwords must be at least 15 characters long, and must consist of alphanumeric characters of mixed case and must include at least one numeric character. | No | Yes | No | Yes | No | No

The minimum required password length for the local admin user can be configured using the local device CLI. | No | No | No | No | Yes | Yes

Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters. | No | Yes | No | Yes | No | No

The system locks out users other than admin after three failed login attempts in a row. In this case, the password must be reset by an administrator. | No | Yes | No | Yes | No | No

The system stores password history by default. | No | Yes | No | Yes | No | No

The admin user can be locked out after a maximum number of failed login attempts configurable through the web interface. | Yes | Yes | Yes | Yes | No | No

The admin user can be locked out after a maximum number of failed login attempts configurable through the local appliance CLI. | No | No | Yes, regardless of security certifications compliance enablement. | Yes, regardless of security certifications compliance enablement. | Yes | Yes

The system automatically rekeys an SSH session with an appliance after a key has been in use for one hour of session activity, and after a key has been used to transmit 1 GB of data over the connection. | Yes | Yes | Yes | Yes | Yes | Yes

The system performs a file system integrity check (FSIC) at boot-time. If the FSIC fails, Firepower software does not start, remote SSH access is disabled, and you can access the appliance only via local console. If this happens, contact Cisco TAC. | Yes | Yes | Yes | Yes | Yes | Yes
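The password and lockout rows above state the UCAPL-mode policy in words. The following Python script, added here as an illustration and not part of Cisco's documentation or software, checks a candidate password against those rules (15-character minimum, mixed case, at least one numeric character, no consecutive repeating characters, not a dictionary word) and models the three-failures-in-a-row lockout for users other than admin. The word list, the user names and the admin exemption are assumptions: the appliance's real dictionary is not on this page, and the admin user's own limit is configured separately as the table notes.

```python
"""UCAPL-mode password and lockout rules from the characteristics table,
as an added, illustrative checker (not Cisco code).

Assumptions (not on the page): the small DICTIONARY below stands in for the
appliance's real word list; user names are constructed; the admin user is
exempt from the three-strikes rule because its limit is configured separately.
"""
import re
from collections import defaultdict

MIN_LENGTH = 15
MAX_CONSECUTIVE_FAILURES = 3

# Constructed stand-in for the appliance dictionary (assumption).
DICTIONARY = {"password", "administrator", "firewall", "management", "cisco"}


def check_ucapl_password(candidate: str, dictionary=DICTIONARY) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        failures.append("not mixed case")
    if not re.search(r"[0-9]", candidate):
        failures.append("no numeric character")
    if re.search(r"(.)\1", candidate):          # "aa", "11", "!!" and so on
        failures.append("consecutive repeating characters")
    # The table says the password cannot be a dictionary word. Comparing the
    # lower-cased value with its digits stripped also catches "Password1".
    stripped = re.sub(r"[0-9]", "", candidate).lower()
    if candidate.lower() in dictionary or stripped in dictionary:
        failures.append("dictionary word")
    return failures


class LoginLockoutTracker:
    """Lock a non-admin user after three failed logins in a row.

    A successful login resets the counter (that is what "in a row" means);
    a locked user stays locked until admin_reset() is called, mirroring the
    table's "the password must be reset by an administrator".
    """

    def __init__(self, limit=MAX_CONSECUTIVE_FAILURES, exempt=("admin",)):
        self.limit = limit
        self.exempt = set(exempt)
        self.failures = defaultdict(int)
        self.locked = set()

    def record(self, user: str, success: bool) -> bool:
        """Record one attempt and return True if the user is now locked out."""
        if user in self.locked:
            return True
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] += 1
        if user not in self.exempt and self.failures[user] >= self.limit:
            self.locked.add(user)
        return user in self.locked

    def admin_reset(self, user: str) -> None:
        """Administrator clears the lock and the failure counter."""
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    for pw in ("Tr0ub4dor-Horse-St4ple!", "Password1", "Aabbccddeeffgg11"):
        print(pw, "->", check_ucapl_password(pw) or "OK")
    tracker = LoginLockoutTracker()
    for attempt in (False, False, False):
        print("analyst locked:", tracker.record("analyst", attempt))
```

The dictionary check deliberately strips digits before comparison; a checker that only compares the raw string would accept "Password1", which is the kind of password the rule exists to reject. If your certifying agency requires a larger minimum length, change MIN_LENGTH rather than the regular expressions.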

Security Certifications Compliance Recommendations

Cisco recommends that you observe the following best practices when using a system with security certifications compliance enabled:

• To enable security certifications compliance in your deployment, enable it first on the Secure Firewall Management Center, then enable it in the same mode on all managed devices.

Caution The Secure Firewall Management Center will not receive event data from a managed device unless both are operating in the same security certifications compliance mode.

• For all users, enable password strength checking and set the minimum password length to the value required by the certifying agency.

• If you are using Secure Firewall Management Centers in a high-availability configuration, configure them both to use the same security certifications compliance mode.

• When you configure Secure Firewall Threat Defense on a Firepower 4100/9300 to operate in CC or UCAPL mode, you should also configure the Firepower 4100/9300 to operate in CC mode. For more information, see the Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration Guide.

• Do not configure the system to use any of the following features:

  • Email reports, alerts, or data pruning notifications.

  • Nmap Scan, Cisco IOS Null Route, Set Attribute Value, or ISE EPS remediations.

  • Remote storage for backups or reports.

  • Third-party client access to the system database.

  • External notifications or alerts transmitted via email (SMTP), SNMP trap, or syslog.

  • Audit log messages transmitted to an HTTP server or to a syslog server without using SSL certificates to secure the channel between the appliance and the server.

• Do not enable external authentication using LDAP or RADIUS in deployments using CC mode.

• Do not enable CACs in deployments using CC mode.

• Disable access to the Secure Firewall Management Center and managed devices via the Firepower REST API in deployments using CC or UCAPL mode.

• Enable CACs in deployments using UCAPL mode.

• Do not configure SSO in deployments using CC mode.

• Do not configure Secure Firewall Threat Defense devices into a high availability pair unless they are both using the same security certifications compliance mode.

Note The system does not support CC or UCAPL mode for:

• Secure Firewall Threat Defense devices in clusters

• Secure Firewall Threat Defense container instances on the Firepower 4100/9300

Appliance Hardening

For information about features you can use to further harden your system, see the latest versions of the Cisco Firepower Management Center Hardening Guide and the Cisco Secure Firewall Threat Defense Hardening Guide, as well as the following topics within this document:

• Licenses, on page 229

• Users, on page 105

• Logging into the Management Center, on page 27

• Audit Logs, on page 72

• Audit Log Certificate, on page 75

• Time and Time Synchronization, on page 84

• Configure NTP Time Synchronization for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide

• Creating an Email Alert Response, on page 523

• Configuring Email Alerting for Intrusion Events, on page 532

• Configure SMTP in the Cisco Secure Firewall Management Center Device Configuration Guide

• About SNMP for the Firepower 1000/2100 Series in the Cisco Secure Firewall Management Center Device Configuration Guide

• Configure SNMP in the Cisco Secure Firewall Management Center Device Configuration Guide

• Creating an SNMP Alert Response, on page 519

• Configure Dynamic DNS in the Cisco Secure Firewall Management Center Device Configuration Guide

• DNS Cache, on page 80

• Audit and Syslog, on page 373

• Access List, on page 71

• Security Certifications Compliance, on page 295

• Configuring SSH for Remote Storage, on page 67

• HTTPS Certificates, on page 43

• Customize User Roles for the Web Interface, on page 180

• Add an Internal User, on page 111

• Session Timeouts, on page 92

• About Configuring Syslog in the Cisco Secure Firewall Management Center Device Configuration Guide

• Schedule Management Center Backups, on page 454

• Site-to-Site VPNs for Threat Defense in the Cisco Secure Firewall Management Center Device Configuration Guide

• Remote Access VPN in the Cisco Secure Firewall Management Center Device Configuration Guide

• FlexConfig Policies in the Cisco Secure Firewall Management Center Device Configuration Guide

Protecting Your Network

See the following topics to learn about features you can configure to protect your network:

• Access Control Policies

• Security Intelligence in the Cisco Secure Firewall Management Center Device Configuration Guide

• Getting Started with Intrusion Policies in the Cisco Secure Firewall Management Center Device Configuration Guide

• Tuning Intrusion Policies Using Rules in the Cisco Secure Firewall Management Center Device Configuration Guide

• Custom Intrusion Rules in the Cisco Secure Firewall Management Center Device Configuration Guide

• Update Intrusion Rules, on page 210

• Global Limit for Intrusion Event Logging in the Cisco Secure Firewall Management Center Device Configuration Guide

• Transport and Network Layer Preprocessors in the Cisco Secure Firewall Management Center Device Configuration Guide

• Specific Threat Detection in the Cisco Secure Firewall Management Center Device Configuration Guide

• Application Layer Preprocessors in the Cisco Secure Firewall Management Center Device Configuration Guide

• Audit and Syslog, on page 373

• Intrusion Events, on page 733

• Event Search, on page 653

• Workflows, on page 607

• Login Banners, on page 82

• Updates, on page 203

Enable Security Certifications Compliance

This configuration applies to either a Secure Firewall Management Center or managed device:

• For the Secure Firewall Management Center, this configuration is part of the system configuration.

• For a managed device, you apply this configuration from the management center as part of a platform settings policy.

In either case, the configuration does not take effect until you save your system configuration changes or deploy the shared platform settings policy.

Caution After you enable this setting, you cannot disable it. If you need to take the appliance out of CC or UCAPL mode, you must reimage.

Before you begin

• We recommend you register all devices that you plan to be part of your deployment to the management center before enabling security certifications compliance on any appliances.

• Secure Firewall Threat Defense devices cannot use an evaluation license; your Smart Software Manager account must be enabled for export-controlled features.


• Secure Firewall Threat Defense devices must be deployed in routed mode.

• You must be an Admin user to perform this task.

Procedure

Step 1 Depending on whether you are configuring a management center or a managed device:

• management center: Choose System > Configuration.

• threat defense device: Choose Devices > Platform Settings and create or edit a Secure Firewall Threat Defense policy.

Step 2 Click UCAPL/CC Compliance.

Note Appliances reboot when you enable UCAPL or CC compliance. The management center reboots when you save the system configuration; managed devices reboot when you deploy configuration changes.

Step 3 To permanently enable security certifications compliance on the appliance, you have two choices:

• To enable security certifications compliance in Common Criteria mode, choose CC from the drop-down list.

• To enable security certifications compliance in Unified Capabilities Approved Products List mode, choose UCAPL from the drop-down list.

Step 4 Click Save.

What to do next

• Establish additional configuration changes as described in the guidelines for this product provided by the certifying entity.

• Deploy configuration changes; see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.

Part III

Health and Monitoring

Dashboards, on page 305

Health, on page 327

Audit and Syslog, on page 373

Statistics, on page 383

Troubleshooting, on page 395

Chapter 10

Dashboards

The following topics describe how to use dashboards:

About Dashboards, on page 305

Dashboard Widgets, on page 306

Managing Dashboards, on page 318

About Dashboards

Dashboards provide you with at-a-glance views of current system status, including data about the events collected and generated by the system. You can also use dashboards to see information about the status and overall health of the appliances in your deployment. Keep in mind that the information the dashboard provides depends on how you license, configure, and deploy the system.

Note Ensure that you have enabled REST API ( Settings > Configuration > REST API Preferences ) to view the correlated device metrics on the dashboard.

Tip The dashboard is a complex, highly customizable monitoring feature that provides exhaustive data. For a broad, brief, and colorful picture of your monitored network, use the Context Explorer.

A dashboard uses tabs to display widgets: small, self-contained components that provide insight into different aspects of the system. For example, the predefined Appliance Information widget tells you the appliance name, model, and currently running software version. The system constrains widgets by the dashboard time range, which you can change to reflect a period as short as the last hour or as long as the last year.

The system is delivered with several predefined dashboards, which you can use and modify. If your user role has access to dashboards (Administrator, Maintenance User, Security Analyst, Security Analyst [Read Only], and custom roles with the Dashboards permission), by default your home page is the predefined Summary

Dashboard. However, you can configure a different default home page, including non-dashboards. You can also change the default dashboard. Note that if your user role cannot access dashboards, your default home page is relevant to the role; for example, a Discovery Admin sees the Network Discovery page.

You can also use predefined dashboards as the base for custom dashboards, which you can either share or restrict as private. Unless you have Administrator access, you cannot view or modify private dashboards created by other users.


Note Some drill-down pages and table views of events include a Dashboard toolbar link that you can click to view a relevant predefined dashboard. If you delete a predefined dashboard or tab, the associated toolbar links do not function.

In a multidomain deployment, you cannot view dashboards from ancestor domains; however, you can create new dashboards that are copies of the higher-level dashboards.

Dashboard Widgets

A dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout.

The system is delivered with many predefined dashboard widgets, each of which provides insight into a different aspect of the system. Widgets are grouped into three categories:

• Analysis & Reporting widgets display data about the events collected and generated by the system.

• Miscellaneous widgets display neither event data nor operations data. Currently, the only widget in this category displays an RSS feed.

• Operations widgets display information about the status and overall health of the system.

The dashboard widgets that you can view depend on:

• the type of appliance you are using

• your user role

• your current domain (in a multidomain deployment)

In addition, each dashboard has a set of preferences that determines its behavior.

You can minimize and maximize widgets, add and remove widgets from tabs, as well as rearrange the widgets on a tab.

Note For widgets that display event counts over a time range, the total number of events may not reflect the number of events for which detailed data is available in the tables on pages under the Analysis menu. This occurs because the system sometimes prunes older event details to manage disk space usage. To minimize the occurrence of event detail pruning, you can fine-tune event logging to log only those events most important to your deployment.

Widget Availability

The dashboard widgets that you can view depend on the type of appliance you are using, your user role, and your current domain (in a multidomain deployment).

In a multidomain deployment, if you do not see a widget that you expect to see, switch to the Global domain. See Switching Domains on the Secure Firewall Management Center, on page 20.

Note that:


• An invalid widget is one that you cannot view because you are using the wrong type of appliance.

• An unauthorized widget is one that you cannot view because your user account does not have the necessary privileges.

For example, the Appliance Status widget is available only on the management center for users with Administrator, Maintenance User, Security Analyst, or Security Analyst (Read Only) account privileges.

Although you cannot add an unauthorized or invalid widget to a dashboard, an imported dashboard may contain unauthorized or invalid widgets. For example, such widgets can be present if the imported dashboard:

• Was created by a user with different access privileges, or

• Belongs to an ancestor domain.

Unavailable widgets are disabled and display error messages that indicate why you cannot view them.

Individual widgets also display error messages when those widgets have timed out or are otherwise experiencing problems.

Note You can delete or minimize unauthorized and invalid widgets, as well as widgets that display no data, keeping in mind that modifying a widget on a shared dashboard modifies it for all users of the appliance.

Dashboard Widget Availability by User Role

The following table lists the user account privileges required to view each widget. Only user accounts with Administrator, Maintenance User, Security Analyst, or Security Analyst (Read Only) access can use dashboards.

Users with custom roles may have access to any combination of widgets, or none at all, as their user roles permit.

Table 16: User Roles and Dashboard Widget Availability

Widget | Administrator | Maintenance User | Security Analyst | Security Analyst (RO)

Appliance Information | yes | yes | yes | yes

Appliance Status | yes | yes | yes | yes

Correlation Events | yes | no | yes | yes

Current Interface Status | yes | yes | yes | yes

Current Sessions | yes | no | no | no

Custom Analysis | yes | no | yes | yes

Disk Usage | yes | yes | yes | yes

Interface Traffic | yes | yes | yes | yes

Intrusion Events | yes | no | yes | yes

Network Compliance | yes | no | yes | yes

Product Licensing | yes | yes | no | no

Product Updates | yes | yes | no | no

RSS Feed | yes | yes | yes | yes

System Load | yes | yes | yes | yes

System Time | yes | yes | yes | yes

Allow List Events | yes | no | yes | yes

Predefined Dashboard Widgets

The system is delivered with several predefined widgets that, when used on dashboards, can provide you with at-a-glance views of current system status. These views include:

• data about the events collected and generated by the system

• information about the status and overall health of the appliances in your deployment

Note The dashboard widgets you can view depend on the type of appliance you are using, your user role, and your current domain in a multidomain deployment.

The Appliance Information Widget

The Appliance Information widget provides a snapshot of the appliance. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard .

When the management center is configured in high availability, the Appliance Information widget also displays high availability information: the management center Role, Status, Detail Status, and Last Contact. The widget provides:

• The name, IPv4 address, IPv6 address, and model of the appliance

• The versions of the system software, operating system, Snort, rule update, rule pack, module pack, vulnerability database (VDB), and geolocation update installed on the appliances with dashboards, except for virtual Secure Firewall Management Center

• For managed appliances, the name and status of the communications link with the managing appliance

You can configure the widget to display more or less information by modifying the widget preferences to display a simple or an advanced view; the preferences also control how often the widget updates.


The Appliance Status Widget

The Appliance Status widget indicates the health of the appliance and of any appliances it is managing. Note that because the Secure Firewall Management Center does not automatically apply a health policy to managed devices, you must manually apply a health policy to devices or their status appears as Disabled. This widget appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.

You can configure the widget to display appliance status as a pie chart or in a table by modifying the widget preferences.

The preferences also control how often the widget updates.

You can click a section on the pie chart or one of the numbers on the appliance status table to go to the Health Monitor page and view the compiled health status of the appliance and of any appliances it is managing.

The Correlation Events Widget

The Correlation Events widget shows the average number of correlation events per second, by priority, over the dashboard time range. It appears by default on the Correlation tab of the Detailed Dashboard.

You can configure the widget to display correlation events of different priorities by modifying the widget preferences, as well as to choose a linear (incremental) or logarithmic (factor of ten) scale.

Check one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority. Choose Show All to display an additional graph for all correlation events, regardless of priority. The preferences also control how often the widget updates.

You can click a graph to view correlation events of a specific priority, or click the All graph to view all correlation events. In either case, the events are constrained by the dashboard time range; accessing correlation events via the dashboard changes the events (or global) time window for the appliance.

The Current Interface Status Widget

The Current Interface Status widget shows the status of all interfaces on the appliance, enabled or unused. On a Secure Firewall Management Center, you can display the management (eth0, eth1, and so on) interfaces.

On a managed device, you can choose to show only sensing ( s1p1 and so on) interfaces or both management and sensing interfaces. Interfaces are grouped by type: management, inline, passive, switched, routed, and unused.

For each interface, the widget provides:

• the name of the interface

• the link state of the interface

• the link mode (for example, 100Mb full duplex, or 10Mb half duplex) of the interface

• the type of interface, that is, copper or fiber

• the amount of data received (Rx) and transmitted (Tx) by the interface

The color of the ball representing link state indicates the current status, as follows:

• green: link is up and at full speed

• yellow: link is up but not at full speed

• red: link is not up


• gray: link is administratively disabled

• blue: link state information is not available (for example, ASA)

The widget preferences control how often the widget updates.

The Current Sessions Widget

The Current Sessions widget shows which users are currently logged into the appliance, the IP address associated with the machine where the session originated, and the last time each user accessed a page on the appliance (based on the local time for the appliance). The user that represents you, that is, the user currently viewing the widget, is marked with a User icon and rendered in bold type. Sessions are pruned from this widget’s data within one hour of logoff or inactivity. This widget appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.

On the Current Sessions widget, you can:

• click any user name to manage user accounts on the User Management page.

• click the Host icon or Compromised Host icon next to any IP address to view the host profile for the associated machine.

• click any IP address or access time to view the audit log constrained by that IP address and by the time that the user associated with that IP address logged on to the web interface.

The widget preferences control how often the widget updates.

The Custom Analysis Widget

The Custom Analysis widget is a highly customizable widget that allows you to display detailed information on the events collected and generated by the system.

The widget is delivered with multiple presets that provide quick access to information about your deployment.

The predefined dashboards make extensive use of these presets. You can use these presets or create a custom configuration. At a minimum, a custom configuration specifies the data you are interested in (table and field), and an aggregation method for that data. You can also set other display-related preferences, including whether you want to show events as relative occurrences (bar graph) or over time (line graph).

The widget displays the last time it updated, based on local time. The widget updates with a frequency that depends on the dashboard time range. For example, if you set the dashboard time range to an hour, the widget updates every five minutes. On the other hand, if you set the dashboard time range to a year, the widget updates once a week. To determine when the dashboard will update next, hover your pointer over the Last updated notice in the bottom left corner of the widget.

Note A red-shaded Custom Analysis widget indicates that its use is harming system performance. If the widget continues to stay red over time, remove the widget. You can also disable all Custom Analysis widgets from the Dashboard settings in your system configuration ( System > Configuration > Dashboard ).

Displaying Relative Occurrences of Events (Bar Graphs)

For bar graphs in the Custom Analysis widget, the colored bars in the widget background show the relative number of occurrences of each event. Read the bars from right to left.


The Direction icon indicates and controls the sort order of the display. A downward-pointing icon indicates descending order; an upward-pointing icon indicates ascending order. To change the sort order, click the icon.

Next to each event, the widget can display one of three icons to indicate any changes from the most recent results:

• The new event icon Add ( ) signifies that the event is new to the results.

• The Up Arrow icon indicates that the event has moved up in the standings since the last time the widget updated. A number indicating how many places the event has moved up appears next to the icon.

• The Down Arrow icon indicates that the event has moved down in the standings since the last time the widget updated. A number indicating how many places the event has moved down appears next to the icon.

Displaying Events Over Time (Line Graphs)

If you want information on events or other collected data over time, you can configure the Custom Analysis widget to display a line graph, such as one that displays the total number of intrusion events generated in your deployment over time.

Limitations to the Custom Analysis Widget

A Custom Analysis widget may indicate that you are unauthorized to view the data that is configured to display. For example, Maintenance Users are not authorized to view discovery events. As another example, the widget does not display information related to unlicensed features. However, you (and any other users who share the dashboard) can modify the widget preferences to display data that you can see, or even delete the widget. If you want to make sure that this does not happen, save the dashboard as private.

When viewing user data, the system displays only authoritative users.

When viewing URL category information, the system does not display uncategorized URLs.

When viewing intrusion events aggregated by Count , the count includes reviewed events for intrusion events; if you view the count in tables on pages under the Analysis menus, the count will not include reviewed events.

Note In a multidomain deployment, the system builds a separate network map for each leaf domain. As a result, a leaf domain can contain an IP address that is unique within its network, but identical to an IP address in another leaf domain. When you view Custom Analysis widgets in an ancestor domain, multiple instances of that repeated IP address can be displayed. At first glance, they might appear to be duplicate entries. However, if you drill down to the host profile information for each IP address, the system shows that they belong to different leaf domains.

How to Create Dashboard Widgets for a Device

Any widgets that show events from devices can be configured to use a filter that limits the display of events for a given device or a set of devices.

1. Create and save a search: Go to Analysis > Search and enter the search parameters to match the specific device names.

Note You must provide exact text match as there is no drop-down listing the deployed device names.

2. Go to Overview > Dashboards > Add Widgets to create a Custom Analysis widget.

3. Return to Overview > Dashboards and modify the new widget to customize with the scope of search.

Example: Configuration of Custom Analysis Widget

You can configure the Custom Analysis widget to display a list of recent intrusion events by configuring the widget to display data from the Intrusion Events table. Choosing the Classification field and aggregating this data by Count displays the number of events that were generated for each type.

On the other hand, aggregating by Unique Events displays the number of unique intrusion events of each type (for example, how many detections of network trojans, potential violations of corporate policy, attempted denial-of-service attacks, and so on).

You can further customize the widget using a saved search, either one of the predefined searches delivered with your appliance or a custom search that you created. For example, constraining the first example (intrusion events using the Classification field, aggregated by Count ) using the Dropped Events search displays the number of intrusion events that were dropped for each type.

Related Topics

Modifying Dashboard Time Settings, on page 323

Custom Analysis Widget Preferences

The following table describes the preferences you can set in the Custom Analysis widget.

Different preferences appear depending on how you configure the widget. For example, a different set of preferences appears if you configure the widget to show relative occurrences of events (a bar graph) vs a graph over time (a line graph). Some preferences, such as Filter, only appear if you choose a specific table from which to display data.

Table 17: Custom Analysis Widget Preferences

Preference | Details

Title | If you do not specify a title for the widget, the system uses the configured event type as the title.

Preset | Custom Analysis presets provide quick access to information about your deployment. The predefined dashboards make extensive use of these presets. You can use these presets or you can create a custom configuration.

Table (required) | The table of events or assets that contains the data the widget displays.

Field (required) | The specific field of the event type you want to display. To show data over time (line graphs), choose Time . To show relative occurrences of events (bar graphs), choose another option.

Aggregate (required) | The aggregation method configures how the widget groups the data it displays. For most event types, the default option is Count .

Filter | You can use application filters to constrain data from the Application Statistics and Intrusion Event Statistics by Application tables.

Search | You can use a saved search to constrain the data that the widget displays. You do not have to specify a search, although some presets use predefined searches. Only you can access searches that you have saved as private. If you configure the widget on a shared dashboard and constrain its events using a private search, the widget resets to not using the search when another user logs in. This affects your view of the widget as well. If you want to make sure that this does not happen, save the dashboard as private. Only fields that constrain connection summaries can constrain Custom Analysis dashboard widgets based on connection events. Invalid saved searches are dimmed. If you constrain a Custom Analysis widget using a saved search, then edit the search, the widget does not reflect your changes until the next time it updates.

Show | Choose whether you want to display the most ( Top ) or the least ( Bottom ) frequently occurring events.

Results | Choose the number of result rows to display.

Show Movers | Choose whether you want to display the icons that indicate changes from the most recent results.

Time Zone | Choose the time zone you want to use to display results.

Color | You can change the color of the bars in the widget's bar graph.

Related Topics

Configuring Widget Preferences, on page 320

Viewing Associated Events from the Custom Analysis Widget

From a Custom Analysis widget, you can invoke an event view (workflow) that provides detailed information about the events displayed in the widget. The events appear in the default workflow for that event type, constrained by the dashboard time range. This also changes the appropriate time window on the Secure Firewall Management Center, depending on how many time windows you configured and on the event type.

For example:

• If you configure multiple time windows, then access health events from a Custom Analysis widget, the events appear in the default health events workflow, and the health monitoring time window changes to the dashboard time range.

• If you configure a single time window and then access any type of event from the Custom Analysis widget, the events appear in the default workflow for that event type, and the global time window changes to the dashboard time range.

Procedure

You have the following choices:

• On any Custom Analysis widget, click View ( ) in the lower right corner of the widget to view all associated events, constrained by the widget preferences.

• On a Custom Analysis widget showing relative occurrences of events (bar graph), click any event to view associated events constrained by the widget preferences, as well as by that event.

The Disk Usage Widget

The Disk Usage widget displays the percentage of space used on the hard drive, based on disk usage category.

It also indicates the percentage of space used on and capacity of each partition of the appliance’s hard drive.

The Disk Usage widget displays the same information for the malware storage pack if installed in the device, or if the Secure Firewall Management Center manages a device containing a malware storage pack. This widget appears by default on the Status tabs of the Default Dashboard and the Summary Dashboard.

The By Category stacked bar displays each disk usage category as a proportion of the total available disk space used. The following table describes the available categories.

Table 18: Disk Usage Categories

Disk Usage Category | Description

Events | all events logged by the system

Files | all files stored by the system

Backups | all backup files

Updates | all files related to updates, such as rule updates and system updates

Other | system troubleshooting files and other miscellaneous files

Free | free space remaining on the appliance

You can hover your pointer over a disk usage category in the By Category stacked bar to view the percentage of available disk space used by that category, the actual storage space on the disk, and the total disk space available for that category. Note that if you have a malware storage pack installed, the total disk space available for the Files category is the available disk space on the malware storage pack.


You can configure the widget to display only the By Category stacked bar, or you can show the stacked bar plus the admin ( / ), /Volume , and /boot partition usage, as well as the /var/storage partition if the malware storage pack is installed, by modifying the widget preferences.

The widget preferences also control how often the widget updates, as well as whether it displays the current disk usage or collected disk usage statistics over the dashboard time range.

The Interface Traffic Widget

The Interface Traffic widget shows the rate of traffic received (Rx) and transmitted (Tx) on the appliance’s management interface. The widget does not appear by default on any of the predefined dashboards.

Devices with Malware licenses enabled periodically attempt to connect to the AMP cloud even if you have not configured dynamic analysis. Because of this, these devices show transmitted traffic; this is expected behavior.

The widget preferences control how often the widget updates.

The Intrusion Events Widget

The Intrusion Events widget shows the intrusion events that occurred over the dashboard time range, organized by priority. This includes statistics on intrusion events with dropped packets and different impacts. This widget appears by default on the Intrusion Events tab of the Summary Dashboard.

In the widget preferences, you can choose:

• Event Flags to display separate graphs for events with dropped packets, would have dropped packets, or specific impacts. Choose All to display an additional graph for all intrusion events, regardless of impact or rule state.

For explanations of the icons, see Intrusion Events, on page 733 . The arrow (if any) that appears above the impact level numbers describes the inline result and is defined as follows:

Table 19: Inline Result Field Contents in Workflow and Table Views

This Icon | Indicates

(dropped icon) | The system dropped the packet that triggered the rule.

(would have dropped icon) | IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning.

(connection blocked icon) | IPS may have transmitted or delivered the packet to the destination, but the connection that contained this packet is now blocked.

No icon (blank) | The triggered rule was not set to Drop and Generate Events.

In a passive deployment, the system does not drop packets, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.

• Show to specify Average Events Per Second (EPS) or Total Events .

• Vertical Scale to specify Linear (incremental) or Logarithmic (factor of ten) scale.

• How often the widget updates.


On the widget, you can:

• Click a graph corresponding to dropped packets, would have dropped packets, or a specific impact to view intrusion events of that type.

• Click the graph corresponding to dropped events to view dropped events.

• Click the graph corresponding to would have dropped events to view would have dropped events.

• Click the All graph to view all intrusion events.

The resulting event view is constrained by the dashboard time range; accessing intrusion events via the dashboard changes the events (or global) time window for the appliance. Note that packets in a passive deployment are not dropped, regardless of intrusion rule state or the inline drop behavior of the intrusion policy.

The Network Compliance Widget

The Network Compliance widget summarizes your hosts’ compliance with the allow lists you configured. By default, the widget displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated, for all compliance allow lists in active correlation policies. This widget appears by default on the Correlation tab of the Detailed Dashboard.

You can configure the widget to display network compliance either for all allow lists or for a specific allow list by modifying the widget preferences.

If you choose to display network compliance for all allow lists, the widget considers a host to be non-compliant if it is not compliant with any allow list in an active correlation policy.

You can also use the widget preferences to specify which of three different styles you want to use to display network compliance.

The Network Compliance style (the default) displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated. You can click the pie chart to view the host violation count, which lists the hosts that violate at least one allow list.

The Network Compliance over Time (%) style displays a stacked area graph showing the relative proportion of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.

The Network Compliance over Time style displays a line graph that shows the number of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.

The preferences control how often the widget updates. You can check the Show Not Evaluated box to hide events which have not been evaluated.

The Product Licensing Widget

The Product Licensing widget shows the device and feature licenses currently installed on the Secure Firewall Management Center. It also indicates the number of items licensed and the number of remaining licensed items allowed. It does not appear by default on any of the predefined dashboards.

The top section of the widget displays all device and feature licenses installed on the Secure Firewall Management Center, including temporary licenses, while the Expiring Licenses section displays only temporary and expired licenses.

The bars in the widget background show the percentage of each type of license that is being used; you should read the bars from right to left. Expired licenses are marked with a strikethrough.


You can configure the widget to display either the features that are currently licensed, or all the features that you can license, by modifying the widget preferences. The preferences also control how often the widget updates.

You can click any of the license types to go to the License page of the local configuration and add or delete feature licenses.

The Product Updates Widget

The Product Updates widget provides you with a summary of the software currently installed on the appliance as well as information on updates that you have downloaded, but not yet installed. This widget appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.

Because the widget uses scheduled tasks to determine the latest version, it displays Unknown until you configure a scheduled task to download, push or install updates.

You can configure the widget to hide the latest versions by modifying the widget preferences. The preferences also control how often the widget updates.

The widget also provides you with links to pages where you can update the software. You can:

• Manually update an appliance by clicking the current version.

• Create a scheduled task to download an update by clicking the latest version.

The RSS Feed Widget

The RSS Feed widget adds an RSS feed to a dashboard. By default, the widget shows a feed of Cisco security news. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.

You can also configure the widget to display a preconfigured feed of company news, the Snort.org blog, or the Cisco Threat Research blog, or you can create a custom connection to any other RSS feed by specifying its URL in the widget preferences. The management center can display encrypted RSS feeds only if they use trusted server certificates signed by a certificate authority (CA) that the management center recognizes. If you configure the RSS Feed widget to display an encrypted RSS feed that uses a CA the management center does not recognize, or that uses a self-signed certificate, the verification fails and the widget does not display the feed.

Feeds update every 24 hours (although you can manually update the feed), and the widget displays the last time the feed was updated based on the local time of the appliance. Keep in mind that the appliance must have access to the web site (for the two preconfigured feeds) or to any custom feed you configure.

When you configure the widget, you can also choose how many stories from the feed you want to show in the widget, as well as whether you want to show descriptions of the stories along with the headlines; keep in mind that not all RSS feeds use descriptions.

On the RSS Feed widget, you can:

• click one of the stories in the feed to view the story

• click the more link to go to the feed’s web site

• click Update ( ) to manually update the feed
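The two behaviours described for this widget, a feed fetched only over TLS with a certificate that chains to a recognized CA, and a story list that honours the configured story count and tolerates feeds without descriptions, can be reproduced in a few lines. The following is an added example written for this guide, not the management center's own code: the feed XML is constructed here (no real Cisco or Snort.org feed is contacted), and the `ca_file` parameter is a hypothetical path you would supply if your feed servers use a private CA.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample feed (not a real feed): three stories, the third one
# has no <description>, as some RSS publishers omit it.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example Security News</title>
    <link>https://news.example.invalid/</link>
    <item>
      <title>Advisory published</title>
      <link>https://news.example.invalid/1</link>
      <description>Details of the first advisory.</description>
    </item>
    <item>
      <title>Patch available</title>
      <link>https://news.example.invalid/2</link>
      <description>Patch notes.</description>
    </item>
    <item>
      <title>Headline only</title>
      <link>https://news.example.invalid/3</link>
    </item>
  </channel>
</rss>
"""


def verifying_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a TLS context that refuses self-signed or unknown-CA feed servers.

    With ca_file=None the platform trust store is used; ca_file (hypothetical
    path, chosen by the caller) pins a private CA bundle instead.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # certificate must match the feed host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # unknown CA or self-signed cert => handshake fails
    return ctx


def fetch_feed(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> str:
    """Download the feed text; any certificate problem raises ssl.SSLError."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_rss(xml_text: str, max_stories: int,
              show_descriptions: bool) -> List[Dict[str, Optional[str]]]:
    """Return up to max_stories items; description is None when hidden or absent."""
    root = ET.fromstring(xml_text)  # expat here does not fetch external entities
    stories: List[Dict[str, Optional[str]]] = []
    for item in root.iter("item"):
        if len(stories) >= max_stories:
            break
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        if not title or not link:  # skip malformed entries instead of rendering blanks
            continue
        desc = item.findtext("description")
        if desc is not None:
            desc = desc.strip()
        stories.append({
            "title": title,
            "link": link,
            "description": desc if show_descriptions else None,
        })
    return stories


if __name__ == "__main__":
    for story in parse_rss(SAMPLE_FEED, max_stories=2, show_descriptions=True):
        print(story["title"], "-", story["description"] or "(no description)")
```

To read a live feed, pass `fetch_feed("https://feed.example/rss", verifying_tls_context())` into `parse_rss`; a server presenting a self-signed certificate fails inside `fetch_feed` with `ssl.SSLError`, which matches the widget's behaviour of not displaying such a feed.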


The System Load Widget

The System Load widget shows the CPU usage (for each CPU), memory (RAM) usage, and system load (also called the load average, measured by the number of processes waiting to execute) on the appliance, both currently and over the dashboard time range. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.

You can configure the widget to show or hide the load average by modifying the widget preferences. The preferences also control how often the widget updates.

The System Time Widget

The System Time widget shows the local system time, uptime, and boot time for the appliance. It appears by default on the Status tabs of the Detailed Dashboard and the Summary Dashboard.

You can configure the widget to hide the boot time by modifying the widget preferences. The preferences also control how often the widget synchronizes with the appliance’s clock.

The Allow List Events Widget

The Allow List Events widget shows the average events per second by priority, over the dashboard time range.

It appears by default on the Correlation tab of the Default Dashboard.

You can configure the widget to display allow list events of different priorities by modifying the widget preferences.

In the widget preferences, you can:

• choose one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority

• choose Show All to display an additional graph for all allow list events, regardless of priority

• choose Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale

The preferences also control how often the widget updates.

You can click a graph to view allow list events of a specific priority, or click the All graph to view all allow list events. In either case, the events are constrained by the dashboard time range; accessing allow list events via the dashboard changes the events (or global) time window for the Secure Firewall Management Center.

Managing Dashboards

Procedure

Step 1 Choose Overview > Dashboards , and then choose the dashboard you want to modify from the menu.

Step 2 Manage your dashboards:

• Create Dashboards — Create a custom dashboard; see Creating Custom Dashboards, on page 321.

• Delete Dashboards — To delete a dashboard, click Delete ( ) next to the dashboard you want to delete. If you delete your default dashboard, you must define a new default or the appliance prompts you to choose a dashboard every time you attempt to view a dashboard.

• Edit Options — Edit custom dashboard options; see Editing Dashboards Options, on page 323.

• Modify Time Constraints — Modify the time display or pause/unpause the dashboard as described in Modifying Dashboard Time Settings, on page 323.

Step 3 Add (see Adding a Dashboard, on page 319), Delete (click Close ( )), and Rename (see Renaming a Dashboard, on page 324) dashboards.

Note You cannot change the order of dashboards.

Step 4 Manage dashboard widgets:

• Add Widgets — Add widgets to a dashboard; see Adding Widgets to a Dashboard, on page 319.

• Configure Preferences — Configure widget preferences; see Configuring Widget Preferences, on page 320.

• Customize Display — Customize the widget display; see Customizing the Widget Display, on page 322.

• View Events — View associated events from the Custom Analysis Widget; see Viewing Associated Events from the Custom Analysis Widget, on page 313.

Tip Every configuration of the Custom Analysis widget in the Cisco predefined dashboards corresponds to a system preset for that widget. If you change or delete one of these widgets, you can restore it by creating a new Custom Analysis widget based on the appropriate preset.

Adding a Dashboard

Procedure

Step 1 View the dashboard you want to modify; see Viewing Dashboards, on page 325.

Step 2 Click Add ( ).

Step 3 Enter a name.

Step 4 Click OK .

Adding Widgets to a Dashboard

Each tab can display one or more widgets in a three-column layout. When adding a widget to a dashboard, you choose the tab to which you want to add the widget. The system automatically adds it to the column with the fewest widgets. If all columns have an equal number of widgets, the new widget is added to the leftmost column. You can add a maximum of 15 widgets to a dashboard tab.

Tip After you add widgets, you can move them to any location on the tab. You cannot, however, move widgets from tab to tab.


The dashboard widgets you can view depend on the type of appliance you are using, your user role, and your current domain (in a multidomain deployment). Keep in mind that because not all user roles have access to all dashboard widgets, users with fewer permissions viewing a dashboard created by a user with more permissions may not be able to use all of the widgets on the dashboard. Although the unauthorized widgets still appear on the dashboard, they are disabled.

Procedure

Step 1 View the dashboard where you want to add a widget; see Viewing Dashboards, on page 325.

Step 2 Click the tab where you want to add the widget.

Step 3 Click Add Widgets . You can view the widgets in each category by clicking on the category name, or you can view all widgets by clicking All Categories .

Step 4 Click Add next to the widgets you want to add. The Add Widgets page indicates how many widgets of each type are on the tab, including the widget you want to add.

Tip To add multiple widgets of the same type (for example, you may want to add multiple RSS Feed widgets, or multiple Custom Analysis widgets), click Add again.

Step 5 When you are finished adding widgets, click Done to return to the dashboard.

What to do next

• If you added a Custom Analysis widget, configure the widget preferences; see Configuring Widget Preferences, on page 320.

Related Topics

Widget Availability, on page 306

Configuring Widget Preferences

Each widget has a set of preferences that determines its behavior.

Procedure

Step 1 On the title bar of the widget whose preferences you want to change, click Show Preferences ( ).

Step 2 Make changes as needed.

Step 3 On the widget title bar, click Hide Preferences ( ) to hide the preferences section.


Creating Custom Dashboards

Tip Instead of creating a new dashboard, you can export a dashboard from another appliance, then import it onto your appliance. You can then edit the imported dashboard to suit your needs.

Procedure

Step 1 Choose Overview > Dashboards > Management .

Step 2 Click Create Dashboard .

Step 3 Modify the custom dashboard options as described in Custom Dashboard Options, on page 321.

Step 4 Click Save .

Custom Dashboard Options

The table below describes options you can use when creating or editing custom dashboards.

Table 20: Custom Dashboard Options

Option | Description

Copy Dashboard | When you create a custom dashboard, you can choose to base it on any existing dashboard, whether user-created or system-defined. This option makes a copy of the preexisting dashboard, which you can modify to suit your needs. Optionally, you can create a blank new dashboard by choosing None . This option is available only when you create a new dashboard. In a multidomain deployment, you can copy any non-private dashboards from ancestor domains.

Name | A unique name for the custom dashboard.

Description | A brief description of the custom dashboard.

Change Tabs Every | Specifies (in minutes) how often the dashboard should cycle through its tabs. Unless you pause the dashboard or your dashboard has only one tab, this setting advances your view to the next tab at the interval you specify. To disable tab cycling, enter 0 in the Change Tabs Every field.

Cisco Secure Firewall Management Center Administration Guide, 7.2

321

Health and Monitoring

Customizing the Widget Display

Option

Refresh Page Every

Save As Private

Description

Determines how often the entire dashboard page automatically refreshes.

Refreshing the entire dashboard allows you to see any preference or layout changes that were made to a shared dashboard by another user, or that you made to a private dashboard on another computer, since the last time the dashboard refreshed. A frequent refresh can be useful, for example, in a networks operations center (NOC) where a dashboard is displayed at all times. If you make changes to the dashboard at a local computer, the dashboard in the NOC automatically refreshes at the interval you specify, and no manual refresh is required.

This refresh does not update the data, and you do not need to refresh the entire dashboard to see data updates; individual widgets update according to their preferences.

This value must be greater than the Change Tabs Every setting.

Unless you pause the dashboard, this setting will refresh the entire dashboard at the interval you specify. To disable the periodic page refresh, enter

0 in the Refresh Page Every field.

Note This setting is separate from the update interval available on many individual widgets; although refreshing the dashboard page resets the update interval on individual widgets, widgets will update according to their individual preferences even if you disable the

Refresh Page Every setting.

Determines whether the custom dashboard can be viewed and modified by all users of the appliance or is associated with your user account and reserved solely for your own use. Keep in mind that any user with dashboard access, regardless of role, can modify shared dashboards. If you want to make sure that only you can modify a particular dashboard, save it as private.

Customizing the Widget Display

You can minimize and maximize widgets, as well as rearrange the widgets on a tab.

Procedure

Step 1 View a dashboard; see Viewing Dashboards, on page 325.

Step 2 Customize the widget display:

• To rearrange a widget on a tab, click the title bar of the widget you want to move, then drag it to its new location.


Note You cannot move widgets from tab to tab. If you want a widget to appear on a different tab, you must delete it from the existing tab and add it to the new tab.

• To minimize or maximize a widget on the dashboard, click Minimize or Maximize in the widget's title bar.

• To delete a widget if you no longer want to view it on a tab, click Close in the title bar of the widget.

Editing Dashboards Options

Procedure

Step 1 View the dashboard you want to edit; see Viewing Dashboards, on page 325.

Step 2 Click Edit.

Step 3 Change the options as described in Custom Dashboard Options, on page 321.

Step 4 Click Save.

Modifying Dashboard Time Settings

You can change the time range to reflect a period as short as the last hour (the default) or as long as the last year. When you change the time range, the widgets that can be constrained by time automatically update to reflect the new time range.

The maximum number of data points in any graph is 300, and the time setting determines how much time is summarized within each data point. Following is the number of data points, and the time span covered, in the dashboards for each time range:

• 1 hour = 12 data points, 5 minutes each

• 6 hours = 72 data points, 5 minutes each

• 1 day = 288 data points, 5 minutes each

• 1 week = 300 data points, 33.6 minutes each

• 2 weeks = 300 data points, 67.2 minutes each

• 30 days = 300 data points, 144 minutes each

• 90 days = 300 data points, 432 minutes each

• 180 days = 300 data points, 864 minutes each

• 1 year = 300 data points, 1752 minutes each

Note that not all widgets can be constrained by time. For example, the dashboard time range has no effect on the Appliance Information widget, which provides information that includes the appliance name, model, and current version of the software.
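The data-point figures listed above follow from two rules: a graph holds at most 300 points, and no point summarizes less than 5 minutes. The following script (an added example, not part of the Cisco guide) derives each listed value from those rules and also answers the practical question of which range still resolves a short-lived spike; the function names and the 365-day year are assumptions of the example.

```python
"""Dashboard time-range granularity (added example, not part of the Cisco guide).

Two rules from the guide drive every figure in the list above: a graph holds at
most 300 data points, and no data point summarizes less than 5 minutes. The
function and range names below are assumptions of this example.
"""

MAX_POINTS = 300          # hard cap on data points per graph
MIN_BUCKET_MINUTES = 5    # finest summarization interval the dashboard uses

# Entries of the Show the Last drop-down, in minutes (1 year taken as 365 days).
TIME_RANGES = {
    "1 hour": 60,
    "6 hours": 6 * 60,
    "1 day": 24 * 60,
    "1 week": 7 * 24 * 60,
    "2 weeks": 14 * 24 * 60,
    "30 days": 30 * 24 * 60,
    "90 days": 90 * 24 * 60,
    "180 days": 180 * 24 * 60,
    "1 year": 365 * 24 * 60,
}


def bucket_minutes(range_minutes: int) -> float:
    """Minutes summarized by one data point: at least 5, and wide enough
    that the whole range fits into 300 points."""
    return max(MIN_BUCKET_MINUTES, range_minutes / MAX_POINTS)


def data_points(range_minutes: int) -> int:
    """Number of data points a graph shows for the range."""
    return round(range_minutes / bucket_minutes(range_minutes))


def granularity_table() -> dict:
    """Map each named range to (data points, minutes per data point)."""
    return {name: (data_points(m), bucket_minutes(m)) for name, m in TIME_RANGES.items()}


def widest_range_resolving(event_minutes: float):
    """Longest named range whose data points are no coarser than an event
    lasting event_minutes, so a short spike is not averaged away; None if
    even the 1-hour view is too coarse."""
    chosen = None
    for name, m in TIME_RANGES.items():   # dict keeps the ranges in ascending order
        if bucket_minutes(m) <= event_minutes:
            chosen = name
    return chosen


if __name__ == "__main__":
    for name, (points, width) in granularity_table().items():
        print(f"{name:>8}: {points} data points, {width:g} minutes each")
    print("A 10-minute burst is still resolved in the", widest_range_resolving(10), "view")
```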


Keep in mind that for enterprise deployments of the Firepower System, changing the time range to a long period may not be useful for widgets like the Custom Analysis widget, depending on how often newer events replace older events.

You can also pause a dashboard, which allows you to examine the data provided by the widgets without the display changing and interrupting your analysis. Pausing a dashboard has the following effects:

• Individual widgets stop updating, regardless of any Update Every widget preference.

• Dashboard tabs stop cycling, regardless of the Cycle Tabs Every setting in the dashboard properties.

• Dashboard pages stop refreshing, regardless of the Refresh Page Every setting in the dashboard properties.

• Changing the time range has no effect.

When you are finished with your analysis, you can unpause the dashboard. Unpausing the dashboard causes all appropriate widgets on the page to update to reflect the current time range. In addition, dashboard tabs resume cycling and the dashboard page resumes refreshing according to the settings you specified in the dashboard properties.

If you experience connectivity problems or other issues that interrupt the flow of system information to the dashboard, the dashboard automatically pauses and an error notice appears until the problem is resolved.

Note Your session normally logs you out after 1 hour of inactivity (or another configured interval), regardless of whether the dashboard is paused. If you plan to passively monitor the dashboard for long periods of time, consider exempting some users from session timeout, or changing the system timeout settings.

Procedure

Step 1 View the dashboard; see Viewing Dashboards, on page 325.

Step 2 Optionally, to change the dashboard time range, choose a time range from the Show the Last drop-down list.

Step 3 Optionally, pause or unpause the dashboard on the time range control, using Pause or Play.

Renaming a Dashboard

Procedure

Step 1 View the dashboard you want to modify; see Viewing Dashboards, on page 325.

Step 2 Click the dashboard title you want to rename.

Step 3 Type a name.

Step 4 Click OK.


Viewing Dashboards

By default, the home page for your appliance displays the default dashboard. If you do not have a default dashboard defined, the home page shows the Dashboard Management page, where you can choose a dashboard to view.

Procedure

At any time, you can do one of the following:

• To view the default dashboard for your appliance, choose Overview > Dashboards.

• To view a specific dashboard, choose Overview > Dashboards, and choose the dashboard from the menu.

• To view all available dashboards, choose Overview > Dashboards > Management. You can then choose View next to an individual dashboard to view it.

CHAPTER 11

Health

The following topics describe how to use health monitoring:

• Requirements and Prerequisites for Health Monitoring, on page 327

• About Health Monitoring, on page 327

• Health Policies, on page 340

• Device Exclusion in Health Monitoring, on page 343

• Health Monitor Alerts, on page 346

• About the Health Monitor, on page 348

• Health Event Views, on page 365

• History for Health Monitoring, on page 368

Requirements and Prerequisites for Health Monitoring

Model Support

Any

Supported Domains

Any

User Roles

Admin

Maintenance User

About Health Monitoring

The health monitor on the Secure Firewall Management Center tracks a variety of health indicators to ensure that the hardware and software in the system are working correctly. You can use the health monitor to check the status of critical functionality across your deployment.

You can configure the frequency for running the health modules for alerting. Secure Firewall Management Center also supports time series data collection. You can configure the frequency of collecting the time series data on the device and its health modules. The device monitor reports these metrics in several predefined health monitor dashboards by default. The metric data is collected for analysis and hence no alerting is associated with it.

You can use the health monitor to create a collection of tests, referred to as a health policy, and apply the health policy to one or more appliances. The tests, referred to as health modules, are scripts that test for criteria you specify. You can modify a health policy by enabling or disabling tests or by changing test settings, and you can delete health policies that you no longer need. You can also suppress messages from selected appliances by excluding them.

The tests in a health policy run automatically at the interval you configure. You can also run all tests, or a specific test, on demand. The health monitor collects health events based on the test conditions configured.

Note All appliances automatically report their hardware status via the Hardware Alarms health module. The Secure Firewall Management Center also automatically reports status using the modules configured in the default health policy. Some health modules, such as the Appliance Heartbeat module, run on the Secure Firewall Management Center and report the status of the Secure Firewall Management Center's managed devices. For the health modules to provide managed device status, you must deploy all health policies to the device.

You can use the health monitor to access health status information for the entire system, for a particular appliance, or, in a multidomain deployment, a particular domain. Hexagon charts and status tables on the Health Monitor page provide a visual summary of the status of all appliances on your network, including the Secure Firewall Management Center. Individual appliance health monitors let you drill down into health details for a specific appliance.

Fully customizable event views allow you to quickly and easily analyze the health status events gathered by the health monitor. These event views allow you to search and view event data and to access other information that may be related to the events you are investigating. For example, if you want to see all the occurrences of CPU usage with a certain percentage, you can search for the CPU usage module and enter the percentage value.

You can also configure email, SNMP, or syslog alerting in response to health events. A health alert is an association between a standard alert and a health status level. For example, if you need to make sure an appliance never fails due to hardware overload, you can set up an email alert. You can then create a health alert that triggers that email alert whenever CPU, disk, or memory usage reaches the Warning level you configure in the health policy applied to that appliance. You can set alerting thresholds to minimize the number of repeating alerts you receive.

You can also generate troubleshooting files for an appliance if you are asked to do so by Support.

Because health monitoring is an administrative activity, only users with administrator user role privileges can access system health data.


Health Modules

Health modules, or health tests, test for the criteria you specify in a health policy.

Table 21: Health Modules

Module: AMP Connection Status
Appliances: threat defense
Description: The module alerts if the threat defense cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. Disabled by default.

Module: AMP for Endpoints Status
Appliances: management center
Description: The module alerts if the management center cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. It also alerts if you deregister an AMP cloud connection using the Secure Endpoint management console.

Module: AMP for Firepower Status
Appliances: management center
Description: This module alerts if:
• The management center cannot contact the AMP cloud (public or private) or the Secure Malware Analytics Cloud or Appliance, or the AMP private cloud cannot contact the public AMP cloud.
• The encryption keys used for the connection are invalid.
• A device cannot contact the Secure Malware Analytics Cloud or Secure Malware Analytics Appliance to submit files for dynamic analysis.
• An excessive number of files are detected in network traffic based on the file policy configuration.
If your management center loses connectivity to the Internet, the system may take up to 30 minutes to generate a health alert.

Module: AMP Threat Grid Connectivity
Appliances: threat defense
Description: The module alerts if the threat defense cannot connect to the AMP Threat Grid cloud after an initial successful connection.

Module: Appliance Heartbeat
Appliances: management center
Description: This module determines if an appliance heartbeat is being heard from the appliance and alerts based on the appliance heartbeat status.

Module: ASP Drop
Appliances: threat defense
Description: This module monitors the connections dropped by the data plane accelerated security path.

Module: Automatic Application Bypass
Appliances: threat defense
Description: This module monitors bypassed detection applications.

Module: Event Backlog Status
Appliances: management center
Description: This module alerts if the backlog of event data awaiting transmission from the device to the management center has grown continuously for more than 30 minutes. To reduce the backlog, evaluate your bandwidth and consider logging fewer events.

Table 21: Health Modules (continued)

Module: CPU Usage (per core)
Appliances: management center and threat defense
Description: This module checks that the CPU usage on all of the cores is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Module: CPU Usage Data Plane
Appliances: threat defense
Description: This module checks that the average CPU usage of all data plane processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Module: CPU Usage Snort
Appliances: threat defense
Description: This module checks that the average CPU usage of the Snort processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Module: CPU Usage System
Appliances: threat defense
Description: This module checks that the average CPU usage of all system processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Module: Network Card Reset
Appliances: Sensor
Description: This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs.

Module: Chassis Environment Status
Appliances: threat defense
Description: This module monitors chassis parameters such as fan speed and chassis temperature, and enables you to set a warning threshold and critical threshold for temperature. The Critical Chassis Temperature (Celsius) default value is 85. The Warning Chassis Temperature (Celsius) default value is 75.

Module: Cluster/HA Failover Status
Appliances: threat defense
Description: This module monitors the status of device clusters. The module alerts if:
• A new primary unit is elected to a cluster.
• A new secondary unit joins a cluster.
• A primary or secondary unit leaves a cluster.

Module: Database Size
Appliances: management center
Description: This module checks the size of the configuration database and alerts when the size exceeds the values (in gigabytes) configured for the module.

Table 21: Health Modules (continued)

Module: Configuration Resource Utilization
Appliances: threat defense
Description: This module alerts if the size of your deployed configurations puts a device at risk of running out of memory.
The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies.
Snort Memory Allocation
• Total Snort Memory indicates the memory allotted for the Snort 2 instances running on the threat defense device.
• Available Memory indicates the memory allotted by the system for a Snort 2 instance. Note that this value is not just the difference between the Total Snort Memory and the combined memory reserved for other modules. This value is derived after a few other computations and then divided by the number of Snort 2 processes.
A negative Available Memory value indicates that the Snort 2 instance does not have enough memory for the deployed configuration. For support, contact Cisco Technical Assistance Center (TAC).

Module: Connection Statistics
Appliances: threat defense
Description: This module monitors the connection statistics and NAT translation counts.

Module: Critical Process Statistics
Appliances: threat defense
Description: This module monitors the state of critical processes, their resource consumption, and the restart counts.

Module: Deployed Configuration Statistics
Appliances: threat defense
Description: This module monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules.

Module: Disk Status
Appliances: management center and threat defense
Description: This module examines performance of the hard disk, and malware storage pack (if installed) on the appliance.
This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected.

Table 21: Health Modules (continued)

Module: Disk Usage
Appliances: management center and threat defense
Description: This module compares disk usage on the appliance's hard drive and malware storage pack to the limits configured for the module and alerts when usage exceeds the percentages configured for the module. This module also alerts when the system excessively deletes files in monitored disk usage categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds. See Disk Usage and Drain of Events Health Monitor Alerts, on page 403 for information about troubleshooting scenarios for Disk Usage alerts.
Use the Disk Usage health status module to monitor disk usage for the / and /volume partitions on the appliance and track draining frequency. Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.
Attention If you receive alerts for high unmanaged disk usage for the partition /volume even though the usage is below the critical or warning threshold specified in the health policy, this could indicate that there are files which need to be deleted manually from the system. Contact TAC if you receive these alerts.

Module: Event Monitor
Appliances: management center
Description: This module monitors overall incoming event rate to management center.

Module: Event Stream Status
Appliances: management center
Description: This module monitors connections to third-party client applications that use the Event Streamer on the management center.

Module: Management Center Access Configuration Changes
Appliances: management center
Description: This module monitors access configuration changes made on the management center directly using the configure network management-data-interface command.

Module: Management Center HA Status
Appliances: management center
Description: This module monitors and alerts on the high availability status of the management center. If you have not established management center high availability, the HA Status is Not in HA.
Note This module replaces the HA Status module, which previously provided HA status for the management center. In Version 7.0, we added HA status for managed devices.

Module: Threat Defense HA (Split-brain check)
Appliances: threat defense
Description: This module monitors and alerts on the high availability status of the threat defense and provides a health alert for a split brain scenario. If you have not established threat defense high availability, the HA Status is Not in HA.

Module: File System Integrity Check
Appliances: management center and threat defense
Description: This module performs a file system integrity check and runs if the system has CC mode or UCAPL mode enabled, or if the system runs an image signed with a DEV key. This module is enabled by default.

Module: Flow Offload Statistics
Appliances: threat defense
Description: This module monitors hardware flow offload statistics for a managed device.

Module: Hardware Alarms
Appliances: threat defense
Description: This module determines if hardware needs to be replaced on a physical managed device and alerts based on the hardware status. The module also reports on the status of hardware-related daemons.

Table 21: Health Modules (continued)

Module: Health Monitor Process
Appliances: Any
Description: This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the management center exceeds the Warning or Critical limits.

Module: Discovery Host Limit
Appliances: management center
Description: This module determines if the number of hosts the management center can monitor is approaching the limit and alerts based on the warning level configured for the module. For more information, see Host Limit.

Module: ISE Connection Monitor
Appliances: management center
Description: This module monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the management center. ISE provides additional user data, device type data, device location data, SGTs (Security Group Tags), and SXP (Security Exchange Protocol) services.

Module: Inline Link Mismatch Alarms
Appliances: Any managed device
Description: This module monitors the ports associated with inline sets and alerts if the two interfaces of an inline pair negotiate different speeds.

Module: Interface Status
Appliances: Any
Description: This module determines if the device currently collects traffic and alerts based on the traffic status of physical interfaces and aggregate interfaces. For physical interfaces, the information includes interface name, link state, and bandwidth. For aggregate interfaces, the information includes interface name, number of active links, and total aggregate bandwidth.

Module: Intrusion and File Event Rate
Appliances: Any managed device
Description: This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the Intrusion and File Event Rate is zero, the intrusion process may be down or the managed device may not be sending events. Select Analysis > Intrusions > Events to check if events are being received from the device.
Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to 50 and Events per second (Warning) should be set to 30. To determine limits for your system, find the Events/Sec value on the Statistics page for your device (System > Monitoring > Statistics), then calculate the limits using these formulas:
• Events per second (Critical) = Events/Sec * 2.5
• Events per second (Warning) = Events/Sec * 1.5
The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.

Module: License Monitor
Appliances: management center
Description: This module monitors license expiration.
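The following script (an added example, not Cisco code) applies the Intrusion and File Event Rate formulas from the table, including the 999 ceiling and the rule that Critical must be higher than Warning, and shows what happens when a busy segment pushes both formulas past the ceiling. The class and function names, and the choice to hold Warning one below Critical in that case, are assumptions of the example.

```python
"""Intrusion and File Event Rate limits (added example, not Cisco code).

Applies the guide's formulas, Critical = Events/Sec * 2.5 and Warning =
Events/Sec * 1.5, together with the 999 ceiling on either limit and the rule
that Critical must be higher than Warning. The class and function names, and
the choice to hold Warning one below Critical when both formulas hit the
ceiling, are assumptions of this example.
"""
from dataclasses import dataclass

MAX_LIMIT = 999           # largest value either limit accepts
CRITICAL_FACTOR = 2.5
WARNING_FACTOR = 1.5


@dataclass(frozen=True)
class EventRateLimits:
    warning: int
    critical: int
    capped: bool          # True if a formula result had to be clamped to MAX_LIMIT


def event_rate_limits(events_per_sec: float) -> EventRateLimits:
    """Turn the Events/Sec value from the device Statistics page into module limits."""
    if events_per_sec <= 0:
        # A zero rate is itself a symptom: the intrusion process may be down or
        # the device may not be sending events, so there is nothing to size.
        raise ValueError("Events/Sec must be positive")
    critical = round(events_per_sec * CRITICAL_FACTOR)
    warning = round(events_per_sec * WARNING_FACTOR)
    capped = critical > MAX_LIMIT or warning > MAX_LIMIT
    critical = min(critical, MAX_LIMIT)
    warning = min(warning, MAX_LIMIT)
    if warning >= critical:
        # Both limits collapsed onto the ceiling; keep Critical strictly higher.
        warning = critical - 1
    return EventRateLimits(warning=warning, critical=critical, capped=capped)


def rate_status(observed_per_sec: float, limits: EventRateLimits) -> str:
    """Status the module reports when an observed rate exceeds a limit."""
    if observed_per_sec > limits.critical:
        return "Critical"
    if observed_per_sec > limits.warning:
        return "Warning"
    return "Normal"


if __name__ == "__main__":
    for rate in (20, 500, 800):
        lim = event_rate_limits(rate)
        print(f"{rate:>4} events/sec -> Warning {lim.warning}, Critical {lim.critical}"
              + (" (capped at 999)" if lim.capped else ""))
```

A rate that caps both limits means the module can no longer distinguish Warning from Critical in a meaningful way, which is worth knowing before relying on it for a high-volume segment.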

Table 21: Health Modules (continued)

Module: Link State Propagation
Appliances: ISA 3000
Description: This module determines when a link in a paired inline set fails and triggers the link state propagation mode.
If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads: Module Link State Propagation: ethx_ethy is Triggered, where x and y are the paired interface numbers.

Module: Local Malware Analysis
Appliances: management center and threat defense
Description: This module monitors ClamAV updates for Local Malware Analysis.

Module: Memory Usage
Appliances: Any
Description: This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module.
For appliances with more than 4 GB of memory, the preset alert thresholds are based on a formula that accounts for proportions of available memory likely to cause system problems. On >4 GB appliances, because the interval between Warning and Critical thresholds may be very narrow, Cisco recommends that you manually set the Warning Threshold % value to 50. This will further ensure that you receive memory alerts for your appliance in time to address the issue. See Memory Usage Thresholds for Health Monitor Alerts, on page 402 for additional information about how thresholds are calculated.
Beginning with Version 6.6.0, the minimum required RAM for management center virtual upgrades to Version 6.6.0+ is 28 GB, and the recommended RAM for management center virtual deployments is 32 GB. We recommend you do not decrease the default settings: 32 GB RAM for most management center virtual instances, 64 GB for the management center virtual 300 (VMware only).
Attention A critical alert is generated by the health monitor when insufficient RAM is allocated to a management center virtual deployment.
Complex access control policies and rules can command significant resources and negatively affect performance.

Module: Memory Usage Data Plane
Appliances: threat defense
Description: This module checks the percentage of allocated memory used by the Data Plane processes and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Module: Memory Usage Snort
Appliances: threat defense
Description: This module checks the percentage of allocated memory used by the Snort process and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Module: MySQL Statistics
Appliances: management center
Description: This module monitors the status of the MySQL database, including the database size, number of active connections, and memory use. Disabled by default.

Table 21: Health Modules (continued)

Module: NTP Statistics
Appliances: threat defense
Description: This module monitors the NTP clock synchronization status of the managed device. Disabled by default.

Module: Firepower Platform Faults
Appliances: threat defense
Description: This module generates an alert for platform faults on Firepower 1000, 2100, and 3000 series devices. A fault is a mutable object that is managed by the management center. Each fault represents a failure in the Firepower 1000, 2100, and 3000 instance or an alarm threshold that has been raised. During the lifecycle of a fault, it can change from one state or severity to another.
Each fault includes information about the operational state of the affected object at the time the fault was raised. If the fault is transitional and the failure is resolved, then the object transitions to a functional state.
For more information, see the Cisco Firepower 1000/2100 FXOS Faults and Error Messages Guide.

Module: Power Supply
Appliances: Physical management centers
Description: This module determines if power supplies on the device require replacement and alerts based on the power supply status.

Module: Process Status
Appliances: Any
Description: This module determines if processes on the appliance exit or terminate outside of the process manager.
If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited, until the module runs again and the process has restarted. If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process, until the module runs again and the process has restarted.

Module: RRD Server Process
Appliances: management center
Description: This module determines if the round robin data server that stores time series data is running properly. The module will alert if the RRD server has restarted since the last time it updated; it will enter Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration.

Module: RabbitMQ Status
Appliances: management center
Description: This module collects various statistics for RabbitMQ.

Table 21: Health Modules (continued)

Module: Realm
Appliances: Any managed device
Description: Enables you to set a warning threshold for realm or user mismatches, which are:
• User mismatch: A user is reported to the management center without being downloaded.
A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the management center. Review the information discussed in the Cisco Secure Firewall Management Center Device Configuration Guide.
• Realm mismatch: A user logs into a domain that corresponds to a realm not known to the management center.
For more information, see the Cisco Secure Firewall Management Center Device Configuration Guide.

Module: Snort Reconfiguring Detection
Appliances: Any managed device
Description: This module alerts if a device reconfiguration has failed.

Module: Routing Statistics
Appliances: threat defense
Description: This module monitors the current state of the routing table.

Module: SSE Connection Status
Appliances: threat defense
Description: The module alerts if the threat defense cannot connect to the SSE cloud after an initial successful connection. Disabled by default.

Module: Security Intelligence
Appliances: management center
Description: This module alerts if Security Intelligence is in use and the management center cannot update a feed, or feed data is corrupt or contains no recognizable IP addresses.
See also the Threat Data Updates on Devices module.

Module: Smart License Monitor
Appliances: management center
Description: This module alerts if:
• There is a communication error between the Smart Licensing Agent (Smart Agent) and the Smart Software Manager.
• The Product Instance Registration Token has expired.
• The Smart License usage is out of compliance.
• The Smart License authorization or evaluation mode has expired.


Module: Snort Identity Memory Usage
Appliances: threat defense
Description: Enables you to set a warning threshold for Snort identity processing and alerts when memory usage exceeds the level configured for the module. The Critical Threshold % default value is 80.
This health module specifically keeps track of the total space used for the user identity information in Snort. It displays the current memory usage details, the total number of user-to-IP bindings, and user-group mapping details. Snort records these details in a file. If the memory usage file is not available, the Health Alert for this module displays Waiting for data. This could happen during a Snort restart due to a new install or a major update, a switch from Snort2 to Snort3 or back, or a major policy deployment. Depending on the health monitoring cycle, and when the file is available, the warning disappears, and the health monitor displays the details for this module with its status turned Green.

Module: Snort Statistics
Appliances: threat defense
Description: This module monitors the Snort statistics for events, flows, and packets.

Module: Snort3 Statistics
Appliances: threat defense
Description: This module collects and monitors the Snort3 statistics for events, flows, and packets.

Module: Smart License Monitor
Appliances: management center
Description: This module monitors Smart Licensing status.

Module: Sybase Statistics
Appliances: management center
Description: This module monitors the status of the Sybase database on the management center, including the database size, number of active connections, and memory use.


Module: Threat Data Updates on Devices
Appliances: Any
Description: Certain intelligence data and configurations that devices use to detect threats are updated on the management center from the cloud every 30 minutes. This module alerts you if this information has not been updated on the devices within the time period you have specified.
Monitored updates include:
• Local URL category and reputation data
• Security Intelligence URL lists and feeds, including global Block and Do Not Block lists and URLs from Threat Intelligence Director
• Security Intelligence network lists and feeds (IP addresses), including global Block and Do Not Block lists and IP addresses from Threat Intelligence Director
• Security Intelligence DNS lists and feeds, including global Block and Do Not Block lists and domains from Threat Intelligence Director
• Local malware analysis signatures (from ClamAV)
• SHA lists from Threat Intelligence Director, as listed on the Objects > Object Management > Security Intelligence > Network Lists and Feeds page
• Dynamic analysis settings configured on the Integration > AMP > Dynamic Analysis Connections page
• Threat Configuration settings related to expiration of cached URLs, including the Cached URLs Expire setting on the System > Integration > Cloud Services page. (Updates to the URL cache are not monitored by this module.)
• Communication issues with the Cisco cloud for sending events. See the Cisco Cloud box on the System > Integration > Cloud Services page.
Note Threat Intelligence Director updates are included only if TID is configured on your system and you have feeds.
By default, this module sends a warning after 1 hour and a critical alert after 24 hours.
If this module indicates failure on the management center or on any devices, verify that the management center can reach the devices.

Module: Time Series Data (RRD) Monitor
Appliances: management center
Description: This module tracks the presence of corrupt files in the directory where time series data (such as correlation event counts) are stored and alerts when files are flagged as corrupt and removed.

Module: Time Synchronization Status
Appliances: management center
Description: This module tracks the synchronization of a device clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds.


Module: URL Filtering Monitor
Appliances: management center
Description: This module alerts if the management center fails to:
• Register with the Cisco cloud.
• Download URL threat data updates from the Cisco cloud.
• Complete URL lookups.
You can configure time thresholds for these alerts. See also the Threat Data Updates on Devices module.

Module: Unresolved Groups Monitor
Appliances: management center
Description: Monitors unresolved groups used in policies.

Module: VPN Statistics
Appliances: management center
Description: This module monitors Site to Site and RA VPN tunnels between Firepower devices.

Module: VPN Status
Appliances: management center
Description: This module alerts when one or more VPN tunnels between Firepower devices are down. This module tracks:
• Site-to-site VPN for Secure Firewall Threat Defense
Attention Site-to-site VPN tunnels created with Virtual Tunnel Interfaces (VTIs) do not generate health alerts when the tunnel goes down. If you experience packet loss over a VPN with VTIs, check your VPN configuration.
• Remote access VPN for Secure Firewall Threat Defense

Module: XTLS Counters
Appliances: threat defense
Description: This module monitors XTLS/SSL flows, memory and cache effectiveness. Disabled by default.

Configuring Health Monitoring

Procedure

Step 1 Determine which health modules you want to monitor as discussed in Health Modules, on page 329.

You can set up specific policies for each kind of appliance, enabling only the appropriate tests for that appliance.

Tip To quickly enable health monitoring without customizing the monitoring behavior, you can apply the default policy provided for that purpose.

Step 2 Apply a health policy to each appliance where you want to track health status as discussed in Creating Health Policies, on page 340.

Step 3 (Optional.) Configure health monitor alerts as discussed in Creating Health Monitor Alerts, on page 347.


You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular severity level for specific health modules.

Health Policies

A health policy contains configured health test criteria for several modules. You can control which health modules run against each of your appliances and configure the specific limits used in the tests run by each module.

When you configure a health policy, you decide whether to enable each health module for that policy. You also select the criteria that control which health status each enabled module reports each time it assesses the health of a process.

You can create one health policy that can be applied to every appliance in your system, customize each health policy to the specific appliance where you plan to apply it, or use the default health policy provided for you.

In a multidomain deployment, administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.

Default Health Policy

The Secure Firewall Management Center setup process creates and applies an initial health policy, in which most—but not all—available health modules are enabled. The system also applies this initial policy to devices added to the Secure Firewall Management Center.

This initial health policy is based on a default health policy, which you can neither view nor edit, but which you can copy when you create a custom health policy.

Upgrades and the Default Health Policy

When you upgrade the management center, any new health modules are added to all health policies, including the initial health policy, default health policy, and any other custom health policies. Usually, new health modules are added in an enabled state.

Note For a new health module to begin monitoring and alerting, reapply health policies after upgrade.

Creating Health Policies

If you want to customize a health policy to use with your appliances, you can create a new policy. The settings in the policy initially populate with the settings from the health policy you choose as a basis for the new policy.

You can edit the policy to specify your preferences, such as enable or disable modules within the policy, change the alerting criteria for each module as needed, and specify the run time intervals.

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.


Procedure

Step 1 Choose System ( ) > Health > Policy.

Step 2 Click Create Policy.

Step 3 Enter a name for the policy.

Step 4 Choose the existing policy that you want to use as the basis for the new policy from the Base Policy drop-down list.

Step 5 Enter a description for the policy.

Step 6 Choose Save.

What to do next

• Apply the health policy on devices as described in Applying Health Policies, on page 341.

• Edit the policy to specify the module-level policy settings as described in Editing Health Policies, on page 342.

Applying Health Policies

When you apply a health policy to an appliance, the health tests for all the modules you enabled in the policy automatically monitor the health of the processes and hardware on the appliance. Health tests then continue to run at the intervals you configured in the policy, collecting health data for the appliance and forwarding that data to the Secure Firewall Management Center.

If you enable a module in a health policy and then apply the policy to an appliance that does not require that health test, the health monitor reports the status for that health module as disabled.

If you apply a policy with all modules disabled to an appliance, it removes all applied health policies from the appliance so no health policy is applied.

When you apply a different policy to an appliance that already has a policy applied, expect some latency in the display of new data based on the newly applied tests.

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.

Procedure

Step 1 Choose System ( ) > Health > Policy.

Step 2 Click the Deploy health policy ( ) next to the policy you want to apply.

Step 3 Choose the appliances where you want to apply the health policy.

Note You cannot remove the policy from an appliance after you have deployed it. To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to the appliance.


Step 4 Click Apply to apply the policy to the appliances you chose.

What to do next

• Optionally, monitor the task status; see Viewing Task Messages, on page 400.

Monitoring of the appliance starts as soon as the policy is successfully applied.

Editing Health Policies

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain. Administrators in ancestor domains can apply health policies to devices in descendant domains, which descendant domains can use or replace with customized local policies.

Procedure

Step 1 Choose System ( ) > Health > Policy.

Step 2 Click Edit ( ) next to the policy you want to modify.

Step 3 To edit the policy name and its description, click the Edit ( ) icon provided against the policy name.

Step 4 The Health Modules tab displays all the device modules and their attributes. Click the toggle button that is provided against the module and its attributes—turn on ( ) or turn off ( ) to enable or disable testing of health status respectively. To enable or disable testing on all health modules at once, click the Select All toggle button. For information on the modules, see Health Modules, on page 329.

Note
• The modules and attributes are flagged with the supporting appliances—threat defense, management center, or both.
• You cannot choose to include or exclude the individual attributes of the CPU and Memory modules.

Step 5 Where appropriate, set the Critical and Warning threshold percentages.

Step 6 In the Run Time Intervals tab, enter the relevant values in the fields:

• Health Module Run Interval —The frequency for running the health modules. The minimum interval is 5 minutes.

• Metric Collection Interval —The frequency of collecting the time series data on the device and its health modules. The device monitor reports these metrics in several predefined health monitor dashboards by default. For detailed information on the dashboard, see About Dashboards, on page 305. The metric data is collected for analysis and hence no alerting is associated with it.

Step 7 Click Save.


What to do next

• Apply the health policy to each appliance as described in Applying Health Policies, on page 341. This option allows you to apply the changes and update the policy status for all affected policies.

Deleting Health Policies

You can delete health policies that you no longer need. If you delete a policy that is still applied to an appliance, the policy settings remain in effect until you apply a different policy. In addition, if you delete a health policy that is applied to a device, any health monitoring alerts in effect for the device remain active until you disable the underlying associated alert response.

In a multidomain deployment, you can only delete health policies created in the current domain.

Tip To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to the appliance.

Procedure

Step 1 Choose System ( ) > Health > Policy.

Step 2 Click Delete ( ) next to the policy you want to delete, and then click Delete health policy to delete it.

A message appears, indicating if the deletion was successful.

Device Exclusion in Health Monitoring

In the course of normal network maintenance, you disable appliances or make them temporarily unavailable.

Because those outages are deliberate, you do not want the health status from those appliances to affect the summary health status on your Secure Firewall Management Center.

You can use the health monitor exclude feature to disable health monitoring status reporting on an appliance or module. For example, if you know that a segment of your network will be unavailable, you can temporarily disable health monitoring for a managed device on that segment to prevent the health status on the Secure Firewall Management Center from displaying a warning or critical state because of the lapsed connection to the device.

When you disable health monitoring status, health events are still generated, but they have a disabled status and do not affect the health status for the health monitor. If you remove the appliance or module from the excluded list, the events that were generated during the exclusion continue to show a status of disabled.

To temporarily disable health events from an appliance, go to the exclusion configuration page and add an appliance to the device exclude list. After the setting takes effect, the system no longer considers the excluded appliance when calculating the overall health status. The Health Monitor Appliance Status Summary lists the appliance as disabled.

You can also disable an individual health module. For example, when you reach the host limit on a Secure Firewall Management Center, you can disable Host Limit status messages.


Note that on the main Health Monitor page you can distinguish between appliances that are excluded if you expand to view the list of appliances with a particular status by clicking the arrow in that status row.

Note On a Secure Firewall Management Center, Health Monitor exclusion settings are local configuration settings. Therefore, if you exclude a device, then delete it and later re-register it with the Secure Firewall Management Center, the exclusion settings remain persistent. The newly re-registered device remains excluded.

In a multidomain deployment, administrators in ancestor domains can exclude an appliance or health module in descendant domains. However, administrators in the descendant domains can override the ancestor configuration and clear the exclusion for devices in their domain.

Excluding Appliances from Health Monitoring

You can exclude appliances individually or by group, model, or associated health policy.

If you need to set the events and health status for an individual appliance to disabled, you can exclude the appliance. After the exclusion settings take effect, the appliance shows as disabled in the Health Monitor Appliance Module Summary, and health events for the appliance have a status of disabled.

In a multidomain deployment, excluding an appliance in an ancestor domain excludes it for all descendant domains. Descendant domains can override this inherited configuration and clear the exclusion. You can only exclude the Secure Firewall Management Center at the Global level.

Procedure

Step 1 Choose System ( ) > Health > Exclude.

Step 2 Click Add Device.

Step 3 In the Device Exclusion dialog box, under Available Devices, click Add ( ) against the device that you want to exclude from health monitoring.

Step 4 Click Exclude. The selected device is displayed in the exclusion main page.

Step 5 To remove the device from the exclusion list, click Delete ( ).

Step 6 Click Apply.

What to do next

To exclude individual health policy modules on appliances, see Excluding Health Policy Modules, on page 344.

Excluding Health Policy Modules

You can exclude individual health policy modules on appliances. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical.

After the exclusion settings take effect, the appliance shows the number of modules excluded from health monitoring on that device.


Tip Make sure that you keep track of individually excluded modules so you can reactivate them when you need them. You may miss necessary warning or critical messages if you accidentally leave a module disabled.

In a multidomain deployment, administrators in ancestor domains can exclude health modules in descendant domains. However, administrators in descendant domains can override this ancestor configuration and clear the exclusion for policies applied in their domains. You can only exclude Secure Firewall Management Center health modules at the Global level.

Procedure

Step 1 Choose System ( ) > Health > Exclude.

Step 2 Click Edit ( ) next to the appliance you want to modify.

Step 3 In the Exclude Health Modules dialog box, by default, all the modules of the device are excluded from health monitoring. Certain modules are applicable to specific devices only; for more information, see Health Modules, on page 329.

Step 4 To specify the duration of the exclusion for the device, from the Exclude Period drop-down list, select the duration.

Step 5 To choose modules to be excluded from health monitoring, click the Enable Module Level Exclusion link.

The Exclude Health Modules dialog box displays all the modules of the device. The modules that are not applicable for the associated health policies are disabled by default. To exclude a module, perform the following:

a. Click the Slider ( ) button next to the desired module.

b. To specify the duration of the exclusion for the selected modules, from the Exclude Period drop-down list, select the duration.

Step 6 If you select an Exclude Period other than Permanent for your exclusion configuration, you can choose to automatically delete the configuration when it expires. To enable this setting, check the Auto-delete expired configurations check box.

Step 7 Click OK.

Step 8 In the device exclusion main page, click Apply.

Expired Health Monitor Exclusions

When the exclusion period for a device or modules lapses, you can choose to clear or renew the exclusion.

Procedure

Step 1 Choose System ( ) > Health > Exclude .

The Warning ( ) icon is displayed against the device indicating the expiry of the duration of exclusion of the device or the modules from alerting.


Step 2 To renew the exclusion of the device, click Edit ( ) next to the appliance. In the Exclude Health Modules dialog box, click the Renew link. The exclusion period of the device is extended with the current value.

Step 3 To clear the device from being excluded, click Delete ( ) next to the appliance, click Remove the device from exclusion, and then click Apply.

Step 4 To renew or clear the modules from exclusion, click Edit ( ) next to the appliance. In the Exclude Health Modules dialog box, click the Enable Module Level Exclusion link, and then click the Renew or Clear link against the modules. When you click Renew, the exclusion period is extended on the module with the current value.

Health Monitor Alerts

You can set up alerts to notify you through email, through SNMP, or through the syslog when the status changes for the modules in a health policy. You can associate an existing alert response with health event levels to trigger an alert when health events of a particular level occur.

For example, if you are concerned that your appliances may run out of hard disk space, you can automatically send an email to a system administrator when the remaining disk space reaches the warning level. If the hard drive continues to fill, you can send a second email when the hard drive reaches the critical level.

In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.

Health Monitor Alert Information

The alerts generated by the health monitor contain the following information:

• Severity, which indicates the severity level of the alert.

• Module, which specifies the health module whose test results triggered the alert.

• Description, which includes the health test results that triggered the alert.

The table below describes these severity levels.

Table 22: Alert Severities

Critical: The health test results met the criteria to trigger a Critical alert status.

Warning: The health test results met the criteria to trigger a Warning alert status.

Normal: The health test results met the criteria to trigger a Normal alert status.

Error: The health test did not run.

Recovered: The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status.

Creating Health Monitor Alerts

You must be an Admin user to perform this procedure.

When you create a health monitor alert, you create an association between a severity level, a health module, and an alert response. You can use an existing alert or configure a new one specifically to report on system health. When the severity level occurs for the selected module, the alert triggers.

If you create or update a threshold in a way that duplicates an existing threshold, you are notified of the conflict. When duplicate thresholds exist, the health monitor uses the threshold that generates the fewest alerts and ignores the others. The timeout value for the threshold must be between 5 and 4,294,967,295 minutes.

In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.

Before you begin

• Configure an alert response that governs the Secure Firewall Management Center's communication with the SNMP, syslog, or email server where you send the health alert; see Secure Firewall Management Center Alert Responses, on page 517.

Procedure

Step 1 Choose System ( ) > Health > Monitor Alerts.

Step 2 Click Add.

Step 3 In the Add Health Alert dialog box, enter a name for the health alert in the Health Alert Name field.

Step 4 From the Severity drop-down list, choose the severity level you want to use to trigger the alert.

Step 5 From the Alert drop-down list, choose the alert response that you want to trigger when the specified severity level is reached. If you have not yet configured any alert responses (see Secure Firewall Management Center Alert Responses), click Alerts to visit the Alerts page and set them.

Step 6 From the Health Modules list, choose the health policy modules for which you want the alert to apply.

Step 7 Optionally, in the Threshold Timeout field, enter the number of minutes that should elapse before each threshold period ends and the threshold count resets.

Even if the policy run time interval value is less than the threshold timeout value, the interval between two reported health events from a given module is always greater. For example, if you change the threshold timeout to 8 minutes and the policy run time interval is 5 minutes, there is a 10-minute interval (5 x 2) between reported events.

Step 8 Click Save to save the health alert.


Editing Health Monitor Alerts

You must be an Admin user to perform this procedure.

You can edit existing health monitor alerts to change the severity level, health module, or alert response associated with the health monitor alert.

In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.

Procedure

Step 1 Choose System ( ) > Health > Monitor Alerts.

Step 2 Click the Edit ( ) icon that is provided against the health alert that you want to modify.

Step 3 In the Edit Health Alert dialog box, from the Alert drop-down list, select the required alert entry, or click the Alerts link to configure a new alert entry.

Step 4 Click Save.

Deleting Health Monitor Alerts

In a multidomain deployment, you can view and modify health monitor alerts created in the current domain only.

Procedure

Step 1 Choose System ( ) > Health > Monitor Alerts.

Step 2 Click Delete ( ) next to the health alert you want to delete, and then click Delete health alert to delete it.

What to do next

• Disable or delete the underlying alert response to ensure that alerting does not continue; see Secure Firewall Management Center Alert Responses, on page 517.

About the Health Monitor

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

The health monitor provides the compiled health status for all devices managed by the Secure Firewall Management Center, plus the Secure Firewall Management Center itself. The health monitor is composed of:

• The Health Status summary page ― Provides you with an at-a-glance view of the health of the Secure Firewall Management Center and all of the devices that the management center manages. Devices are listed individually, or grouped according to their geolocation, high availability, or cluster status where applicable.

• View the health summary of the management center and any device when you hover on the hexagon that represents the device health.

• The dot to the left of a device indicates its health:

• Green ― No alarms.

• Orange ― At least one health warning.

• Red ― At least one critical health alarm.

• The Monitoring navigation pane ― Allows you to navigate the device hierarchy. You can view health monitors for individual devices from the navigation pane.

In a multidomain deployment, the health monitor in an ancestor domain displays data from all descendant domains. In the descendant domains, it displays data from the current domain only.
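The severity levels in Table 22, the exclusion behaviour described under Device Exclusion in Health Monitoring (excluded appliances and modules still generate events, but with a disabled status that does not count toward the summary), and the Green/Orange/Red dot described above can be tied together in a small model. The following Python is an added example written for this page; it is not Cisco code and does not claim to be how the management center implements health monitoring. Module names and threshold values come from the guide where it gives them (Critical 80% for Snort identity memory, warning after 1 hour and critical after 24 hours for threat data updates, ten seconds of clock skew for time synchronization, XTLS Counters disabled by default); the device name, the 70% warning level for Snort identity memory, the strict "exceeds" comparison, how Error and Disabled are rolled up into the dot colour, and the `HealthMonitor`/`ModuleConfig` names are assumptions.

```python
"""Added model of health-policy evaluation (not Cisco code).

Ties together per-module thresholds, the Table 22 severities (Critical,
Warning, Normal, Error, Recovered), device/module exclusion and the
Green/Orange/Red summary dot. Class and function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

CRITICAL, WARNING, NORMAL, ERROR, RECOVERED, DISABLED = (
    "Critical", "Warning", "Normal", "Error", "Recovered", "Disabled")


@dataclass
class ModuleConfig:
    """Policy settings for one module. A metric above `critical` is Critical,
    above `warning` is Warning, otherwise Normal. Units are whatever the
    module measures (percent, minutes since last update, seconds of skew)."""
    enabled: bool = True
    warning: Optional[float] = None
    critical: Optional[float] = None


@dataclass
class HealthEvent:
    device: str
    module: str
    status: str
    counted: bool  # False when the device or module is excluded


class HealthMonitor:
    def __init__(self, policy: dict[str, ModuleConfig]) -> None:
        self.policy = policy
        self.last_raw: dict[tuple[str, str], str] = {}  # for Recovered detection
        self.excluded_devices: set[str] = set()
        self.excluded_modules: set[tuple[str, str]] = set()
        self.events: list[HealthEvent] = []

    def exclude_device(self, device: str) -> None:
        self.excluded_devices.add(device)

    def exclude_module(self, device: str, module: str) -> None:
        self.excluded_modules.add((device, module))

    def evaluate(self, device: str, module: str, value: Optional[float]) -> HealthEvent:
        """Run one module test; value=None means the test did not run (Error)."""
        cfg = self.policy[module]
        key = (device, module)
        if not cfg.enabled:
            raw = DISABLED
        elif value is None:
            raw = ERROR
        elif cfg.critical is not None and value > cfg.critical:
            raw = CRITICAL
        elif cfg.warning is not None and value > cfg.warning:
            raw = WARNING
        elif self.last_raw.get(key) in (CRITICAL, WARNING):
            raw = RECOVERED  # first Normal result after an alert
        else:
            raw = NORMAL
        self.last_raw[key] = raw
        # Excluded appliances/modules still produce events, but with a
        # disabled status that does not affect the summary.
        counted = device not in self.excluded_devices and key not in self.excluded_modules
        event = HealthEvent(device, module, raw if counted else DISABLED, counted)
        self.events.append(event)
        return event

    def device_colour(self, device: str) -> str:
        """Red if any counted module is Critical, Orange if any is Warning, else
        Green, using each module's latest event. Assumption: Error and Disabled
        do not change the colour (the guide does not say how they roll up)."""
        latest: dict[str, HealthEvent] = {}
        for ev in self.events:
            if ev.device == device:
                latest[ev.module] = ev
        statuses = {ev.status for ev in latest.values() if ev.counted}
        if CRITICAL in statuses:
            return "Red"
        if WARNING in statuses:
            return "Orange"
        return "Green"


def example_policy() -> dict[str, ModuleConfig]:
    return {
        # Critical 80% is the guide's default; the 70% warning level is constructed.
        "Snort Identity Memory Usage": ModuleConfig(warning=70.0, critical=80.0),
        # Guide defaults: warning after 1 hour, critical after 24 hours (in minutes).
        "Threat Data Updates on Devices": ModuleConfig(warning=60.0, critical=1440.0),
        # Alerts when clock skew exceeds ten seconds; no separate warning level.
        "Time Synchronization Status": ModuleConfig(critical=10.0),
        "XTLS Counters": ModuleConfig(enabled=False),  # disabled by default
    }


def run_walkthrough() -> tuple[list[str], str, str, str]:
    mon = HealthMonitor(example_policy())
    ftd = "ftd-branch-1"  # constructed device name
    seq = [
        mon.evaluate(ftd, "Snort Identity Memory Usage", 85.0).status,   # Critical
        mon.evaluate(ftd, "Snort Identity Memory Usage", 40.0).status,   # Recovered
        mon.evaluate(ftd, "Snort Identity Memory Usage", 40.0).status,   # Normal
        mon.evaluate(ftd, "Threat Data Updates on Devices", 90).status,  # Warning
        mon.evaluate(ftd, "Time Synchronization Status", None).status,   # Error
        mon.evaluate(ftd, "XTLS Counters", 5).status,                     # Disabled
    ]
    colour_before = mon.device_colour(ftd)  # Orange: one module is at Warning
    mon.exclude_module(ftd, "Threat Data Updates on Devices")
    excluded = mon.evaluate(ftd, "Threat Data Updates on Devices", 120).status
    colour_after = mon.device_colour(ftd)   # Green: the Warning module is excluded
    return seq, colour_before, excluded, colour_after


if __name__ == "__main__":
    print(run_walkthrough())
```

The walkthrough mirrors the guide's Tip about module-level exclusion: once the Threat Data Updates module is excluded, its Warning no longer reaches the device's summary colour, which is exactly why an excluded module that is forgotten can hide a real problem.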

Procedure

Step 1 Choose System ( ) > Health > Monitor.

Step 2 View the status of the management center and its managed devices in the Health Status landing page.

a) Hover your pointer over a hexagon to view the health summary of a device. The popup window shows a truncated summary of the top five health alerts. Click on the popup to open a detailed view of the health alert summary.

b) In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of health alerts for a device. When you expand the row, all of the health alerts are listed, including the status, title, and details.

Note Health alerts are sorted by their severity level.

Step 3 Use the Monitoring navigation pane to access device-specific health monitors. When you use the Monitoring navigation pane:

a) Click Home to return to the Health Status summary page.

b) Click Firewall Management Center to view the health monitor for the Secure Firewall Management Center itself.

c) In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices. When you expand the row, all of the devices are listed.

d) Click on a device to view a device-specific health monitor.


What to do next

• See Device Health Monitors, on page 352 for information about the compiled health status and metrics for any device managed by the Secure Firewall Management Center.

• See Using the Management Center Health Monitor, on page 350 for information about the health status of the Secure Firewall Management Center.

To return to the Health Status landing page at any time, click Home.

Using the Management Center Health Monitor

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

The management center monitor provides a detailed view of the health status of the Secure Firewall Management

Center. The health monitor is composed of:

• High Availability (if configured)―The High Availability (HA) panel displays the current HA status, including the status of the Active and Standby units, the last sync time, and overall device health.

• Event Rate―The Event Rate panel shows the maximum event rate as a base line as well as the overall event rate received by the management center.

• Event Capacity―The Event Capacity panel shows the current consumption by event categories, including the retention time of events, the current vs. maximum event capacity, and a capacity overflow mechanism where you are alerted when events are stored beyond the configured maximum capacity of the management center.

• Process Health―The Process Health panel has an at-a-glace view of the critical processes as well as a tab that lets you see state of all processed, including the CPU and memory usage for each process.

• CPU―The CPU panel lets you toggle between the average CPU usage (default) and the CPU usage of all cores.

• Memory―The Memory panel shows the overall memory usage on the management center.

• Interface―The Interface panel shows the average input and output rate of all interfaces.

• Disk Usage―The Disk Usage panel shows the use of entire disk, and the use of the critical partitions where management center data is stored.

Tip Your session normally logs you out after 1 hour of inactivity (or another configured interval). If you plan to passively monitor health status for long periods of time, consider exempting some users from session timeout, or changing the system timeout settings. See Add an Internal User, on page 111 and Configure Session Timeouts, on page 92 for more information.

Procedure

Step 1 Choose System ( ) > Health > Monitor.

Step 2 Use the Monitoring navigation pane to access the management center and device-specific health monitors.

• A standalone management center is shown as a single node; a high-availability management center is shown as a pair of nodes.

• The health monitor is available to both the active and standby management center in an HA pair.

Step 3 Explore the management center dashboard.

The management center dashboard includes a summary view of the HA state of the management center (if configured), as well as at-a-glance views of management center processes and device metrics such as CPU, memory, and disk usage.

Running All Modules for an Appliance

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run all health module tests on demand to collect up-to-date health information for the appliance.

In a multidomain deployment, you can run health module tests for appliances in the current domain and in any descendant domains.

Procedure

Step 1 View the health monitor for the appliance.

Step 2 Click Run All Modules. The status bar indicates the progress of the tests, then the Health Monitor Appliance page refreshes.

Note When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually run tests. If the value has not changed for a module that you just ran manually, wait a few seconds, then refresh the page by clicking the device name. You can also wait for the page to refresh again automatically.

Running a Specific Health Module

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run a health module test on demand to collect up-to-date health information for that module.

In a multidomain deployment, you can run health module tests for appliances in the current domain and in any descendant domains.

Procedure

Step 1 View the health monitor for the appliance.


Step 2 In the Module Status Summary graph, click the color for the health alert status category you want to view.

Step 3 In the Alert Detail row for the alert for which you want to view a list of events, click Run.

The status bar indicates the progress of the test, then the Health Monitor Appliance page refreshes.

Note When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually run tests. If the value has not changed for a module that you just manually ran, wait a few seconds, then refresh the page by clicking the device name. You can also wait for the page to refresh automatically again.

Generating Health Module Alert Graphs

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

You can graph the results over a period of time of a particular health test for a specific appliance.

Procedure

Step 1 View the health monitor for the appliance.

Step 2 In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

Step 3 In the Alert Detail row for the alert for which you want to view a list of events, click Graph.

Tip If no events appear, you may need to adjust the time range.

Device Health Monitors

The device health monitor provides the compiled health status for any device managed by the Secure Firewall Management Center. The device health monitor collects health metrics for Firepower devices in order to predict and respond to system events. The device health monitor is comprised of the following components:

• System Details ― Displays information about the managed device, including the installed Firepower version and other deployment details.

• Troubleshooting & Links ― Provides convenient links to frequently used troubleshooting topics and procedures.

• Health alerts ― A health alert monitor provides an at-a-glance view of the health of the device.

• Time range ― An adjustable time window to constrain the information that appears in the various device metrics windows.

• Device metrics ― An array of key Firepower device health metrics categorized across predefined dashboards, including:

• CPU ― CPU utilization, including the CPU usage by process and by physical cores.

• Memory ― Device memory utilization, including data plane and Snort memory usage.


• Interfaces ― Interface status and aggregate traffic statistics.

• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and so on) and NAT translation counts.

• Snort ― Statistics related to the Snort process.

• Disk Usage ― Device disk usage, including the disk size and disk utilization per partition.

• Critical Processes ― Statistics related to managed processes, including process restarts and other select health monitors such as CPU and memory utilization.

Viewing System Details and Troubleshooting

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

The System Details section provides general system information for a selected device. You can also launch troubleshooting tasks for that device.

Procedure

Step 1 Choose System ( ) > Health > Monitor.

Step 2 Use the Monitoring navigation pane to access device-specific health monitors.

Step 3 In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.

Step 4 Click on a device to view a device-specific health monitor.

Step 5 Click the link for View System & Troubleshoot Details …

This panel is collapsed by default. Clicking on the link expands the collapsed section to see System Details and Troubleshooting & Links for the device. The system details include:

• Version: The Firepower software version.

• Model: The device model.

• Mode: The firewall mode. The threat defense device supports two firewall modes for regular firewall interfaces: Routed mode and Transparent mode.

• VDB: The Cisco vulnerability database (VDB) version.

• SRU: The intrusion rule set version.

• Snort: The Snort version.

You have the following troubleshoot choices:

• Generate troubleshooting files; see Producing Troubleshooting Files for Specific System Functions, on page 407.

• Generate and download advanced troubleshooting files; see Downloading Advanced Troubleshooting Files, on page 408.

• Create and modify health policies; see Creating Health Policies, on page 340.

• Create and modify health monitor alerts; see Creating Health Monitor Alerts, on page 347.

Viewing the Device Health Monitor

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

The device health monitor provides a detailed view of the health status of a Firepower device. The device health monitor compiles device metrics and provides health status and trends of the device in an array of dashboards.

Procedure

Step 1 Choose System ( ) > Health > Monitor.

Step 2 Use the Monitoring navigation pane to access device-specific health monitors.

Step 3 In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.

Step 4 View the Health Alerts for the device in the alert notification at the top of the page, directly to the right of the device name.

Hover your pointer over the Health Alerts to view the health summary of the device. The popup window shows a truncated summary of the top five health alerts. Click on the popup to open a detailed view of the health alert summary.

Step 5 You can configure the time range from the drop-down in the upper-right corner. The time range can reflect a period as short as the last hour (the default) or as long as two weeks. Select Custom from the drop-down to configure a custom start and end date.

Click the refresh icon to set auto refresh to 5 minutes or to toggle off auto refresh.

Click on the deployment icon for a deployment overlay on the trend graph, with respect to the selected time range.

The deployment icon indicates the number of deployments during the selected time range. A vertical band indicates the deployment start and end time. In the case of multiple deployments, multiple bands/lines will appear. Click on the icon on top of the dotted line to view the deployment details.

Step 6 The device monitor reports health and performance metrics in several predefined dashboards by default. The metrics dashboards include:

• Overview ― Highlights key metrics from the other predefined dashboards, including CPU, memory, interfaces, connection statistics; plus disk usage and critical process information.

• CPU ― CPU utilization, including the CPU usage by process and by physical cores.

• Memory ― Device memory utilization, including data plane and Snort memory usage.

• Interfaces ― Interface status and aggregate traffic statistics.

• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and so on) and NAT translation counts.

• Snort ― Statistics related to the Snort process.

You can navigate through the various metrics dashboards by clicking on the labels. See Threat Defense Metrics, on page 356 for a comprehensive list of the supported device metrics.

Step 7 Click the plus sign ( + ) in the upper right corner of the device monitor to create a custom correlation dashboard by building your own variable set from the available metric groups; see Correlating Device Metrics, on page 355.

Correlating Device Metrics

You must be an Admin, Maintenance, or Security Analyst user to perform this procedure.

The device health monitor includes an array of key Firepower device metrics that serve to predict and respond to system events. The health of any Firepower device can be determined by these reported metrics.

The device monitor reports these metrics in several predefined dashboards by default. These dashboards include:

• Overview ― Highlights key metrics from the other predefined dashboards, including CPU, memory, interfaces, connection statistics; plus disk usage and critical process information.

• CPU ― CPU utilization, including the CPU usage by process and by physical cores.

• Memory ― Device memory utilization, including data plane and Snort memory usage.

• Interfaces ― Interface status and aggregate traffic statistics.

• Connections ― Connection statistics (such as elephant flows, active connections, peak connections, and so on) and NAT translation counts.

• Snort ― Statistics related to the Snort process.

• ASP Drops ― Statistics related to the Accelerated Security Path (ASP) performance and behavior.

You can add custom dashboards to correlate metrics that are interrelated. Select from predefined correlation groups, such as CPU and Snort; or create a custom correlation dashboard by building your own variable set from the available metric groups.

Before you begin

To view and correlate the time series data (device metrics) in the health monitor dashboard, enable REST API ( Settings > Configuration > REST API Preferences ).

Note Correlating device metrics is available only for threat defense 6.7 and later versions. Hence, for threat defense versions earlier than 6.7, the health monitor dashboard does not display these metrics even if you enable REST API.

Procedure

Step 1 Choose System ( ) > Health > Monitor.

Step 2 Use the Monitoring navigation pane to access device-specific health monitors.

Step 3 In the device list, click Expand ( ) and Collapse ( ) to expand and collapse the list of managed devices.

Step 4 Click the plus sign ( + ) in the upper right corner of the device monitor to add a new dashboard.

Step 5 From the Select Correlation Group drop-down, choose a predefined correlation group or create a custom group.

Step 6 To create a dashboard from a predefined correlation group, select the group and click Add.

• CPU - Data Plane

• CPU - Snort

• CPU - Others

• Memory - Data Plane

• Packet drops

Step 7 To create a custom correlation dashboard:

a) Choose Custom.

b) Optionally, enter a unique name in the Dashboard Name field or accept the default.

c) Next, select a group from the Select Metric Group drop-down, then select corresponding metrics from the Select Metrics drop-down.

• Connections; see Connection Group Metrics, on page 358 for available metrics.

• CPU; see CPU Group Metrics, on page 356 for available metrics.

• Critical Process; see Critical Process Group Metrics, on page 363 for available metrics.

• Deployed Configuration; see Deployed Configuration Group Metrics, on page 362 for available metrics.

• Disk; see Disk Group Metrics, on page 363 for available metrics.

• Interface; see Interface Group Metrics, on page 358 for available metrics.

• Snort; see Snort Group Metrics, on page 359 for available metrics.

• ASP Drops; see ASP Drop Metrics, on page 361 for available metrics.

Step 8 Click Add Metrics to add and select metrics from another group.

Step 9 To remove an individual metric, click the x on the right side of the item. Click the delete icon (a trash can) to remove the entire group.

Step 10 Click Add to complete the workflow and add the dashboard to the health monitor.

You can Edit or Delete custom correlation dashboards.

You can Edit or Delete custom correlation dashboards.

Threat Defense Metrics

The following sections describe the health metrics available from threat defense devices.

CPU Group Metrics

The health monitor tracks statistics related to the CPU utilization, including the CPU usage by process and by physical cores.

Table 23: CPU Group Metrics

• Control Plane ― The average CPU utilization for the control plane, for the last one minute. Format: percent

• Data Plane ― The average CPU utilization for the data plane, for the last one minute. Format: percent

• Snort ― The average CPU utilization for the Snort process, for the last one minute. Format: percent

• System ― The average CPU utilization for the system processes, for the last one minute. Format: percent

• Physical cores ― The average CPU utilization for all the cores, for the last one minute. Format: percent

Memory Group Metrics

The health monitor tracks statistics related to the device memory utilization, including data plane and Snort memory usage.

Table 24: Memory Group Metrics

• Buffer cache ― The buffer cache. Format: bytes

• Free ― The total free memory. Format: bytes

• Maximum Data Plane ― The maximum memory used by the data plane. Format: bytes

• Maximum Snort ― The maximum memory used by the Snort process. Format: bytes

• Maximum Swap for Snort ― The maximum swap memory used by the Snort process. Format: bytes

• Remaining Memory Block (1550) ― The free memory in a 1550 byte block. Format: number

• Remaining Memory Block (256) ― The free memory in a 256 byte block. Format: number

• System Used ― The total memory used by the system. Format: bytes

• Total ― The total memory available. Format: bytes

• Total Swap ― The total memory available for swap. Format: bytes

• Data Plane ― The total memory used by the data plane. Format: bytes

• Percent Used by Data Plane ― The percent of memory used by the data plane. Format: percent

• Percent Used by Snort ― The percent of memory used by the Snort process. Format: percent

• Percent Used for Swap ― The percent of memory used for swap. Format: percent

• Percent Used by System ― The percent of memory used by the system. Format: percent

• Snort ― The total memory used by the Snort process. Format: bytes

• Percent Used by System and Swap ― The percent of memory used by the system and swap combined. Format: percent

• Used Swap ― The total memory used for swap. Format: bytes

• Used Swap by Snort ― The total swap memory used by the Snort process. Format: bytes

Interface Group Metrics

The health monitor tracks statistics related to the device interfaces, including the interface status and aggregate traffic statistics.

Table 25: Interface Group Metrics

• Drop Packets ― The number of packets dropped. Format: number

• Average Input Packet Size ― The average size of incoming packets. Format: bytes

• Input Rate ― The total incoming bytes. Format: bytes

• Input Packets ― The total incoming packets. Format: number

• Average Output Packet Size ― The average size of outgoing packets. Format: bytes

• Output Rate ― The total outgoing bytes. Format: bytes

• Output Packets ― The total outgoing packets. Format: number

• Status ― The status of an interface; 1 for up and 0 for down. Format: 1 or 0

Connection Group Metrics

The health monitor tracks statistics related to the connections and NAT translation counts.


Table 26: Connection Group Metrics

• Elephant Flows ― Shows the number of active elephant flows. Elephant flows are connections that are large enough to affect overall system performance. By default, elephant flows are those larger than 1GB/10 seconds. You can adjust the byte and time thresholds for identifying elephant flows in the threat defense CLI using the system support elephant-flow-detection command. Note: A flow is considered an elephant flow only when both the byte and time thresholds are surpassed. Format: number

• Connections in use ― Shows the number of connections in use. Format: number

• Peak Connections ― Shows the maximum number of simultaneous connections. Format: number

• Total Connections per second ― The connections-per-second for all connection types. Format: number

• TCP Connections per second ― The connections-per-second for TCP connection types. Format: number

• UDP Connections per second ― The connections-per-second for UDP connection types. Format: number

• Preserve Connections Enabled ― Preserves existing TCP/UDP connections on routed and transparent interfaces in case the Snort process goes down. Format: number

• Connections Preserved ― Connections for which preserve-connection is currently enabled. Format: number

• Preserve Connections Most Enabled ― The most number of connections ever preserved. Format: number

• Peak Connections Preserved ― The most number of peak connections ever preserved. Format: number

• NAT Translations ― Displays the translation count. Format: number

• Peak NAT Translations ― Displays the historic maximum of concurrent translations at a time. Format: number
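The elephant-flow rule in the table (a flow counts only when both the byte and the time thresholds are surpassed) and the difference between a current count (Connections in use) and a historic maximum (Peak Connections), as an added Python example that is not part of the Cisco guide or of the threat defense software. The Flow record, the ConnectionTable class and the reading of the default 1GB threshold as a binary gigabyte are assumptions made for illustration.

```python
from dataclasses import dataclass

# Default thresholds stated in the guide: 1 GB over 10 seconds. Assumption: the byte
# threshold is taken as a binary gigabyte; on a real device the values come from the
# "system support elephant-flow-detection" CLI settings.
DEFAULT_BYTE_THRESHOLD = 1024 ** 3
DEFAULT_TIME_THRESHOLD_S = 10


@dataclass(frozen=True)
class Flow:
    """Constructed connection record; not a real threat defense data export."""
    conn_id: str
    bytes_total: int
    duration_s: float


def is_elephant_flow(flow, byte_threshold=DEFAULT_BYTE_THRESHOLD,
                     time_threshold_s=DEFAULT_TIME_THRESHOLD_S):
    """A flow qualifies only when BOTH thresholds are strictly exceeded."""
    return flow.bytes_total > byte_threshold and flow.duration_s > time_threshold_s


class ConnectionTable:
    """Tracks active flows and the values the Connections in use, Peak Connections
    and Elephant Flows metrics would report for them (hypothetical model)."""

    def __init__(self, **thresholds):
        self._flows = {}
        self._thresholds = thresholds
        self.peak_connections = 0  # historic maximum of simultaneous connections

    def open(self, flow):
        self._flows[flow.conn_id] = flow
        self.peak_connections = max(self.peak_connections, len(self._flows))

    def update(self, conn_id, bytes_total, duration_s):
        # Counters of a live flow grow over time, so its classification can change.
        old = self._flows[conn_id]
        self._flows[conn_id] = Flow(old.conn_id, bytes_total, duration_s)

    def close(self, conn_id):
        self._flows.pop(conn_id, None)  # the peak is never decremented

    @property
    def connections_in_use(self):
        return len(self._flows)

    @property
    def elephant_flows(self):
        return sum(1 for f in self._flows.values()
                   if is_elephant_flow(f, **self._thresholds))


def simulate():
    """Replays constructed connection events and returns the three metric values."""
    table = ConnectionTable()
    table.open(Flow("c1", 3 * 1024 ** 3, 45.0))    # big and long: elephant flow
    table.open(Flow("c2", 2 * 1024 ** 3, 4.0))     # big but short: not (yet) an elephant flow
    table.open(Flow("c3", 50 * 1024 ** 2, 600.0))  # long but small: not an elephant flow
    table.open(Flow("c4", 1024 ** 3, 30.0))        # exactly 1 GB: threshold not surpassed
    table.close("c3")                               # in use drops to 3, peak stays at 4
    table.update("c2", 2 * 1024 ** 3, 12.0)         # c2 now also exceeds the time threshold
    return {
        "connections_in_use": table.connections_in_use,
        "peak_connections": table.peak_connections,
        "elephant_flows": table.elephant_flows,
    }
```

Lowering a threshold (for example passing time_threshold_s=3 to ConnectionTable) reclassifies flows immediately, which is why a change made with the CLI command can move the Elephant Flows metric without any change in traffic.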

Snort Group Metrics

The health monitor tracks statistics related to the Snort process.
