Cisco Firepower Management Center Getting Started Guide for Models 1000, 2500, and 4500 First Published: 2017-02-21 Last Modified: 2019-09-25 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883



THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2017–2019 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Introduction
    Physical Interfaces
    Related Documentation

CHAPTER 2  License Requirements
    Classic Licenses
    Smart Licenses

CHAPTER 3  Firepower Management Center Installation and Initial Setup
    Initial Setup Overview
    Access the CLI or the Linux Shell on the FMC
    Install the Appliance
    Access the FMC Using a Keyboard and Monitor (Versions 6.2 - 6.4.x)
    Perform the FMC Initial Setup (Versions 6.2 - 6.4.x)
    Configure Classic Licenses During Initial Setup (Versions 6.2 - 6.4.x)
    Initial Setup Using the Web Interface (Versions 6.5 and Later)
    Initial Setup Using the CLI (Versions 6.5 and Later)
    Automatic Initial Configuration (Versions 6.5 and Later)

CHAPTER 4  Firepower Management Center Initial Administration and Configuration
    Individual User Accounts
    Device Registration
    Health and System Policies
    Software and Database Updates

CHAPTER 5  Restore Firepower Management Centers to Factory Defaults
    Understand the Restore Process
    The Restore Utility Menu
    Restore a Firepower Management Center to its Factory Defaults
    Obtain the Restore ISO and Update Files
    Start the Restore Utility Using KVM or Physical Serial Port
    Start the Restore Utility Using Lights-Out Management
    Identify the Appliance's Management Interface
    Specify the ISO Image Location and Transport Method
    Restore Files Download Configuration
    Select System Software and Rule Updates during Restore
    Download the ISO and Update Files and Mount the Image
    Update the Restore Image
    Install the New System Software Version

CHAPTER 6  Save and Load Firepower Management Center Configurations
    Save a Firepower Management Center Configuration
    Load a Saved Firepower Management Center Configuration

CHAPTER 7  Set Up Alternate Firepower Management Center Access
    Set Up Serial Access
    Set Up Lights Out Management
    IPMI Utility Installation
    LOM Commands
    Enable Lights-Out Management
    Enable Lights-Out Management Users
    Redirect Console Output
    Use the Web Interface to Redirect the Console Output
    Use the Shell to Redirect the Console Output

CHAPTER 8  Preconfigure Firepower Management Centers
    Required Preconfiguration Information
    Optional Preconfiguration Information
    Preconfigure Time Management
    Install the System
    Prepare a Firepower Management Center for Shipment
    Delete a Classic License from a Firepower Management Center
    Shipping Considerations
    Troubleshooting the Appliance Preconfiguration

CHAPTER 9  Erase the Hard Drive
    Erase the Hard Drive

CHAPTER 1

Introduction

This document provides the instructions for initial setup and configuration of the Firepower Management Center (FMC) 1000, 2500, and 4500.

See the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide for a description of the hardware features.

• Physical Interfaces
• Related Documentation

Physical Interfaces

The following figure illustrates the rear panel of the FMC 1000, and identifies ports you need to follow the instructions in this document.

Figure 1: FMC 1000 Rear Panel

(1) 2 USB keyboard ports. You can connect a keyboard, and along with a monitor on the VGA port, you can access the console.

(2) Serial console port. This port is disabled by default; use the VGA port and keyboard USB port instead.

(3) eth0 management interface (labeled "1"). Gigabit Ethernet 10/100/1000 Mbps interface, RJ-45. eth0 is the default management interface.

(4) VGA interface. Enabled by default.

Note: You can use Lights-Out-Management (LOM) on the default management interface (eth0) on a Serial Over LAN (SOL) connection to remotely monitor or manage the FMC system. For information about using LOM and SOL, see the Firepower Management Center Getting Started Guide for your model.

The following figure illustrates the rear panel of the FMC 2500 and 4500, and identifies ports you need to follow the instructions in this document.

Figure 2: FMC 2500 and 4500 Rear Panel

(1) 2 USB keyboard ports. You can connect a keyboard, and along with a monitor on the VGA port, you can access the console.

(2) Serial console port. This port is disabled by default; use the VGA port and keyboard USB port instead.

(3) eth0 management interface (labeled "1"). Gigabit Ethernet 10/100/1000 Mbps interface, RJ-45. eth0 is the default management interface.

(4) VGA interface. Enabled by default.

Related Documentation

For detailed hardware installation instructions, see the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide.

For a complete list of the Cisco Firepower series documentation and where to find it, see the documentation roadmap.

CHAPTER 2

License Requirements

You can license a variety of features to create an optimal Firepower system deployment for your organization. The FMC manages licenses for your devices, but you do not need a feature license to use an FMC. The license types offered by the Firepower system depend on the types of devices you want to manage.

See the Firepower Management Center Configuration Guide for more information about Classic Licenses and Smart Licenses, the types of licenses for each device class, and how to manage the licenses across your deployment.

• Classic Licenses
• Smart Licenses

Classic Licenses

For 7000 and 8000 Series, ASA FirePOWER, and NGIPSv devices, you must use Classic Licenses. Devices that use Classic Licenses are sometimes referred to as Classic devices.

If your FMC is running Firepower Version 6.2 - 6.4.x: We recommend that you purchase licenses before beginning the initial setup process, and add the licenses to the FMC during the initial setup; for more information see Configure Classic Licenses During Initial Setup (Versions 6.2 - 6.4.x), on page 13. If you do not add licenses during initial setup, you must add licenses for managed devices after the initial setup process is over. Whether you add licenses during or after the initial setup process, you can assign licenses to managed devices when you register those devices to the FMC, or after you have registered them to the FMC.

Note: If you are setting up a reimaged appliance and you kept your license settings as part of the restore process, the license section of the initial setup page may be prepopulated.

If your FMC is running Firepower Version 6.5+: You must add licenses for managed devices to the FMC after completing the Initial Configuration Wizard; see the Firepower Management Center Configuration Guide for your version. You can assign licenses to managed devices when you register those devices to the FMC, or after you have registered them to the FMC.

Smart Licenses

For Firepower Threat Defense physical and virtual devices, you must use Smart Licenses.

Cisco Smart Software Licensing lets you purchase and centrally manage a pool of licenses. Smart licenses are not tied to a specific serial number or license key. Smart licensing lets you assess your license usage and needs at a glance.

If your FMC is running Firepower Version 6.5+: When you have completed the Initial Configuration Wizard, the system displays a pop-up dialog box that offers you the opportunity to quickly and easily set up Smart Licensing. Using this dialog is optional; if your FMC will be managing Firepower Threat Defense devices and you are familiar with Smart Licensing, use this dialog. Otherwise dismiss this dialog and refer to “Licensing the Firepower System” in the Firepower Management Center Configuration Guide for your version.

CHAPTER 3

Firepower Management Center Installation and Initial Setup

This chapter describes how to install an FMC and perform the initial setup process.

• Initial Setup Overview
• Access the CLI or the Linux Shell on the FMC
• Install the Appliance
• Perform the FMC Initial Setup (Versions 6.2 - 6.4.x)
• Initial Setup Using the Web Interface (Versions 6.5 and Later)
• Initial Setup Using the CLI (Versions 6.5 and Later)
• Automatic Initial Configuration (Versions 6.5 and Later)

Initial Setup Overview

After you install an FMC, you must complete an initial setup process to configure the new appliance.

If your FMC is running Firepower Version 6.2 - 6.4.x:

The first time you log in to the FMC web interface, the initial administration page provides you with the ability to configure the new appliance to communicate on your trusted management network. You must also perform initial administrative-level tasks such as changing the administrator password, accepting the end user license agreement (EULA), setting the time, and scheduling updates.

You can perform this initial setup process accessing the FMC either using a laptop directly connected to the appliance, or using an Ethernet connection through your trusted local management network. The following diagram illustrates the choices you can make when setting up FMCs running Firepower Versions 6.2 - 6.4.x:

Figure 3: FMC Setup Workflow, Versions 6.2 - 6.4.x

To install and set up an FMC running Versions 6.2 - 6.4.x:

• Install the appliance as described in Install the Appliance, on page 7.

• Before connecting the FMC to your network you must change the FMC eth0 IP address to match your network and perform the initial setup; you have one of two choices:

    • Access the FMC using the VGA/keyboard connection to set the eth0 IP address before performing the initial setup; see Access the FMC Using a Keyboard and Monitor (Versions 6.2 - 6.4.x), on page 10. Then access the FMC with a web browser to perform the initial configuration process; see Perform the FMC Initial Setup (Versions 6.2 - 6.4.x), on page 11.

    • Access the FMC with a web browser to perform the initial configuration using the web interface and set the eth0 IP address as a part of that process; see Perform the FMC Initial Setup (Versions 6.2 - 6.4.x), on page 11.

If your FMC is running Firepower Versions 6.5+:

The first time you log in to the FMC, an Initial Configuration Wizard guides you through configuring the new appliance to communicate on your trusted management network. Versions of this wizard exist for both the web interface and for CLI access; it presents a streamlined initial configuration process and automatically establishes some weekly maintenance activities to keep your system up-to-date and your data backed up.

You can use the Initial Configuration Wizard by accessing the FMC either using a laptop directly connected to the appliance, or using an Ethernet connection through your trusted local management network. The following diagram illustrates the choices you can make when setting up FMCs running Firepower Versions 6.5+:

Figure 4: FMC Setup Workflow, Versions 6.5+

To install and set up an FMC running Versions 6.5+:

• Install the appliance as described in Install the Appliance, on page 7.

• The FMC is preconfigured to accept an IPv4 address assigned by DHCP. You can change this during the initial configuration process; you have one of two choices:

    • Access the FMC using the VGA/keyboard connection to perform the initial configuration using the CLI; see Initial Setup Using the CLI (Versions 6.5 and Later), on page 17.

    • Access the FMC with a web browser to perform the initial configuration using the web interface; see Initial Setup Using the Web Interface (Versions 6.5 and Later), on page 14.

Access the CLI or the Linux Shell on the FMC

Accessing the FMC CLI or the Linux shell requires a different sequence of steps depending on what Firepower version the FMC is running.

Caution: We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the user documentation.

Before you begin

Establish a direct physical connection with the FMC using a keyboard and monitor or establish an SSH session with the FMC's management interface.

Procedure

Step 1 Log into the FMC using the credentials for the CLI admin user.

Step 2 Determine your next action depending on the Firepower version in use:

• If your FMC is running Firepower Version 6.2.x, this gives you direct access to the Linux shell.

• If your FMC is running Firepower Version 6.3.x or 6.4.x and the FMC CLI is not enabled, this gives you direct access to the Linux shell.

• If your FMC is running Firepower Version 6.3.x or 6.4.x and the FMC CLI is enabled, this gives you access to the FMC CLI. To access the Linux shell, continue with Step 3.

• If your FMC is running Firepower Version 6.5+, this gives you access to the FMC CLI. To access the Linux shell, continue with Step 3.

Step 3 To access the Linux shell from the FMC CLI, enter the expert command.

Install the Appliance

This procedure references the rear panel ports of the FMC 2500 and 4500. The FMC 1000 is the same except that it does not have the two 10-G SFP+ ports above the Ethernet ports.

AC power supplies have internal grounding so no additional chassis grounding is required when the supported AC power cords are used. For more information about supported power cords, see the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide.

Before you begin

Important: Read the Regulatory and Compliance Safety Information document before installing the FMC chassis.

• Rack-mount the appliance as described in the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide.

• Configure a local computer with the following network settings:

    • IP address: 192.168.45.2

    • Netmask: 255.255.255.0

    • Default gateway: 192.168.45.1

  Disable any other network connections on this computer.

After rack-mounting the chassis, follow these steps to connect cables, turn on power, and verify connectivity. Use the following figure to identify the rear panel ports.

Figure 5: Cable Connections

(1) eth2 management interface. 10-Gigabit Ethernet SFP+ support. Use only Cisco-supported SFPs.

(2) eth3 management interface. 10-Gigabit Ethernet SFP+ support. Use only Cisco-supported SFPs.

(3) USB keyboard port.

(4) Serial console port. Use the console cable (RJ45 to DB9) to connect a computer to the appliance. This port is disabled by default.

(5) eth0 management interface (labeled "1"). Gigabit Ethernet 10/100/1000 Mbps interface, RJ-45. eth0 is the default management interface.

(6) eth1 management interface (labeled "2"). Gigabit Ethernet 10/100/1000 Mbps interface, RJ-45.

(7) VGA port.

Procedure

Step 1 (Optional) VGA port and USB port (items 3 and 7 on the Cable Connections figure)—Connect a monitor to the VGA port and a keyboard to the USB port. You can use this configuration to perform initial setup at the CLI using the method appropriate to your version:

• Initial Setup Using the CLI (Versions 6.5 and Later), on page 17.

• Access the FMC Using a Keyboard and Monitor (Versions 6.2 - 6.4.x), on page 10.

You can alternatively complete initial setup using HTTPS on eth0 (see Step 2).

Step 2 eth0 management interface (item 5 on the Cable Connections figure, labeled "1" on the rear panel)—Using an Ethernet cable, connect the eth0 interface to the default management network reachable from your management PC. This interface is the default management interface and is enabled by default. Confirm that the link LED is on for both the network interface on the local computer and the FMC management interface. You can use this configuration to perform initial setup using HTTPS using the method appropriate to your version:

• Initial Setup Using the Web Interface (Versions 6.5 and Later), on page 14.

• Perform the FMC Initial Setup (Versions 6.2 - 6.4.x), on page 11.

You can also use this connection to perform routine management, and to manage devices from the FMC web interface.

Step 3 (Optional) eth1 management interface (item 6 on the Cable Connections figure)—Connect this management interface to the same or different network from your other management interfaces depending on your network needs. For information about management interfaces and network topology, see the Firepower Management Center Configuration Guide for your version.

Step 4 (Optional) eth2 and eth3 management interfaces (items 1 and 2 on the Cable Connections figure)—If your model includes 10-Gigabit Ethernet SFP+ interfaces, install any FMC-supported SFP+ transceivers and cables as needed. You can connect these interfaces to the same or different network from your other management interfaces depending on your network needs. For more information about management interfaces and network topology, see the Firepower Management Center Configuration Guide.

Each FMC-supported SFP+ transceiver (FS2K-NIC-SFP/FS4K-NIC-SFP) has an internal serial EEPROM that is encoded with security information. This encoding allows us to identify and validate that the SFP transceiver meets the requirements for the FMC chassis.

Note: Only Cisco certified SFP+ transceivers are compatible with the 10-G interfaces. Cisco TAC may refuse support for any interoperability problems that result from using an untested third-party SFP transceiver.

Step 5 Power—Use one of the supported power cords to connect the power supplies of the chassis to your power source. For more information about supported power cords, see the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide.

Step 6 Verify—Press the Power button on the front of the chassis, and verify that the front panel power status LED is on.

What to do next

• If the FMC is using Firepower Version 6.5+, it is preconfigured to accept an IPv4 address assigned by DHCP. You can change this during the initial configuration process; you have one of two choices:

    • Access the FMC using the VGA/keyboard connection to perform the initial configuration using the CLI; see Initial Setup Using the CLI (Versions 6.5 and Later), on page 17.

    • Access the FMC with a web browser to perform the initial configuration using the web interface; see Initial Setup Using the Web Interface (Versions 6.5 and Later), on page 14.

• If the FMC is using Firepower Version 6.2 - 6.4.x, before connecting the FMC to your network you must change the FMC eth0 IP address to match your network and perform the initial setup; you have one of two choices:

    • Access the FMC using the VGA/keyboard connection to set the eth0 IP address before performing the initial setup; see Access the FMC Using a Keyboard and Monitor (Versions 6.2 - 6.4.x), on page 10.

    • Proceed directly to the initial setup process and set the eth0 IP address as a part of that process; see Perform the FMC Initial Setup (Versions 6.2 - 6.4.x), on page 11.

Access the FMC Using a Keyboard and Monitor (Versions 6.2 - 6.4.x)

You can connect a USB keyboard and VGA monitor to the appliance, which is useful for rack-mounted appliances connected to a keyboard, video, and mouse (KVM) switch.

When performing this task, refer to the diagram at Physical Interfaces, on page 1 to identify the rear-panel ports.

Procedure

Step 1 Using the supplied Ethernet cable, connect the management interface (eth0) at the rear of the chassis to a protected management network.

Step 2 Connect the monitor to the VGA port and the keyboard to one of the USB ports on the rear of the chassis.

Step 3 Access the Linux shell on the FMC using admin as the username and Admin123 as the password. (The password is case-sensitive.) Use the steps appropriate to your Firepower version; see Access the CLI or the Linux Shell on the FMC, on page 7.

Step 4 Run the following script to configure the FMC network settings:

    sudo /usr/local/sf/bin/configure-network

Step 5 Answer the prompts to provide the IPv4 and (optionally) IPv6 configuration information for your appliance.

Step 6 The final prompt gives you the opportunity to confirm the settings.

    Are these settings correct: (y or n)?

Review the settings you have entered.

• If the settings are correct, enter y and press Enter to accept the settings and continue.

• If the settings are incorrect, enter n and press Enter. You are prompted to enter the information again.

Step 7 After you have accepted the settings, enter exit to log out of the shell.

What to do next

Complete the setup process as described in Perform the FMC Initial Setup (Versions 6.2 - 6.4.x), on page 11.

Perform the FMC Initial Setup (Versions 6.2 - 6.4.x)

For all FMCs, you must complete the setup process by logging into the FMC's web interface and choosing initial configuration options on a setup page. At a minimum, you must change the administrator password, specify network settings if you haven't already, and accept the EULA.

Procedure

Step 1 Direct your browser to https://mgmt_ip/, where mgmt_ip is the IP address of the FMC’s management interface:

• For an FMC connected to a computer with an Ethernet cable, direct the browser on that computer to the default management interface IPv4 address: https://192.168.45.45/.

• For an FMC where network settings are already configured, use a computer on your management network to browse to the IP address of the FMC’s management interface.

Step 2 Log in using admin as the username and Admin123 as the password.

Step 3 In the Change Password section of the Setup page, change the password for the admin accounts. The admin account for the web interface has Administrator privileges and cannot be deleted. We recommend that you use a strong password that is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary.

Note: The admin accounts for accessing a FMC through the shell as opposed to accessing a FMC using the web interface are not the same, and may use different passwords. This setting changes both admin passwords to the same value.

Step 4 The FMC’s network settings allow it to communicate on your management network. Configure these settings in the Network Settings section of the Setup page:

• If you already configured the network settings for appliance access using a keyboard and monitor, the Network Settings section of the Setup page may be prepopulated.

• If values are not prepopulated under Network Settings, or if you want to change the prepopulated values, you must choose the management network protocol. The Firepower system provides a dual stack implementation for both IPv4 and IPv6 management environments; you can specify IPv4, IPv6, or Both.

  Depending on your protocol choice, the Setup page displays fields where you must enter the IPv4 or IPv6 management IP address, netmask or prefix length, and default gateway for the FMC. You can also specify up to three DNS servers, as well as the host name and domain for the device.

    • For IPv4, you must enter the address and netmask in dotted decimal form (for example, a netmask of 255.255.0.0).

    • For IPv6 networks, check the Assign the IPv6 address using router autoconfiguration check box to automatically assign IPv6 network settings. Otherwise, you must set the address in colon-separated hexadecimal form and the number of bits in the prefix (for example, a prefix length of 112).

Step 5 (Optional) In the Time Settings section of the Setup page you can set the time for a FMC one of two ways:either manually or using the network time protocol (NTP) from an NTP server.

• To set the time using network time protocol (NTP), check Via NTP from and specify an NTP server theFMC can access.


• To set the time manually, check Manually and enter the current time in the provided fields.

To choose the time zone used on the local web interface for the admin account, click the current time zone value and choose a time zone from the pop-up window.

Note: To ensure proper time synchronization between the FMC and its managed devices, we recommend using an NTP server on your network. See the Time and Time Synchronization section in the Firepower Management Center Configuration Guide for more information.

Step 6 (Optional) If you plan to perform intrusion detection and prevention in your deployment, in the Recurring Rule Update Imports section of the Setup page, we recommend that you check Enable Recurring Rule Update Imports from the Support Site.

You can specify the Import Frequency, as well as configure the system to perform an intrusion Policy Deploy after each rule update. To perform a rule update as part of the initial configuration process, check the Install Now checkbox.

The Vulnerability Research Team (VRT) releases intrusion rule updates as new vulnerabilities become known. Rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules and provide new rule categories and system variables.

Rule updates may contain new binaries. Make sure your process for downloading and installing rule updates complies with your security policies. In addition, rule updates may be large, so make sure to import rules during periods of low network use.

Step 7 (Optional) If you plan to perform geolocation-related analysis in your deployment, in the Recurring Geolocation Updates section of the Setup page, we recommend that you check Enable Recurring Weekly Updates from the Support Site and specify the Update Start Time using the provided fields. To perform a GeoDB update as part of the initial configuration process, check the Install Now checkbox.

GeoDB updates may be large and may take up to 45 minutes to install after download. You should update the GeoDB during periods of low network use.

FMCs can display geographical information about the routed IP addresses associated with events generated by the system, as well as monitor geolocation statistics in the dashboard and Context Explorer. The FMC’s geolocation database (GeoDB) contains information to support this feature such as an IP address’s associated ISP, connection type, proxy information, and exact location. Enabling regular GeoDB updates ensures that the system uses up-to-date geolocation information.

Step 8 (Optional) In the Automatic Backups section of the Setup page, you can check Enable Automatic Backups to create a scheduled task that creates a weekly backup of the configurations on the FMC that can be restored in case of failure.

Step 9 You use the FMC to manage licenses for the devices it manages. The license types offered by the Firepower system depend upon the type of device you want to manage:

• For 7000 and 8000 Series, ASA with FirePOWER Services, and NGIPSv devices, you must use Classic Licenses. Devices that use Classic Licenses are sometimes referred to as Classic devices.

You must enable Classic Licenses on your managed devices before you can use licensed features. You can enable a license during the initial setup of the FMC, when you add a device to the FMC, or by editing the device’s general properties after you add the device.

To enable a Classic License during the initial setup of your FMC, follow the instructions in Configure Classic Licenses During Initial Setup (Versions 6.2 - 6.4.x), on page 13.

• For FTD physical and virtual devices, you must use Smart Licenses.


If you plan to manage devices that use Cisco Smart Software Licensing, refer to the product documentation for those devices for information on how to add Smart Licenses to the FMC.

The Firepower Management Center Configuration Guide provides more information about Classic Licenses and Smart Licenses, the types of licenses for each class, and how to manage the licenses across your deployment.

Step 10 Read the End User License Agreement carefully; if you agree to abide by its provisions, then check the I have read and agree to the End User License Agreement checkbox.

Step 11 Make sure that all the information you provided is correct, and click Apply.

The FMC applies your configuration according to your selections, displays the Summary Dashboard page, and logs you into the web interface as the admin user, which has the Administrator role.

Note: If your network environment uses NAT, the browser may time out attempting to reach the FMC using the address configured on the initial setup page. In this case, enter the correct address in the browser address window and try again.

Step 12 If you connected directly to the appliance's management interface using an Ethernet cable, disconnect the computer and connect the FMC’s management interface to the management network. To complete the remaining procedures in the guide, use a browser on a computer on the management network to access the FMC GUI at the IP address or host name that you just configured.

Step 13 Verify that the initial setup was successful by monitoring the Tasks tab in the Message Center.

What to do next

• Optionally, configure the FMC for Serial or Lights Out Management (LOM) access; see Set Up Alternate Firepower Management Center Access, on page 41.

• Perform the activities described in Firepower Management Center Initial Administration and Configuration, on page 21.

Configure Classic Licenses During Initial Setup (Versions 6.2 - 6.4.x)

You use the FMC to manage classic licenses for 7000 and 8000 Series, ASA with FirePOWER Services, and NGIPSv.

Note: You must enable Classic Licenses on your managed devices before you can use licensed features. You can enable a license during the initial setup of the FMC (as described in the procedure below), when you add a device to the FMC, or by editing the device’s general properties after you add the device.

Before you begin

Before you add a classic license to the FMC, make sure you have the Product Authorization Key (PAK) provided by Cisco when you purchased the license. If you have a legacy, pre-Cisco license, contact Cisco TAC.


Procedure

Step 1 Obtain the License Key for your chassis from the License Settings section on the Initial Setup page.

The License Key is clearly labeled (for example, 66:18:E7:6E:D9:93:35).

Step 2 To obtain your license, navigate to https://www.cisco.com/go/license/ where you are prompted for the License Key (for example, 66:18:E7:6E:D9:93:35) and the PAK.

Note: If you ordered additional licenses, you can enter the PAKs for those licenses at the same time, separating them with commas.

Step 3 Follow the on-screen instructions to generate a license or licenses, which will be emailed to you.

Step 4 Paste the license or licenses in the validation box and click Add/Verify.

Initial Setup Using the Web Interface (Versions 6.5 and Later)

If you have HTTPS access to the FMC, you can access the appliance web interface for initial setup. When you log into the FMC web interface for the first time, the FMC presents an Initial Configuration Wizard to enable you to quickly and easily configure basic settings for the appliance. This wizard consists of three screens and one pop-up dialog box:

• The first screen forces you to change the password for the admin user from the default value of Admin123.

• The second screen presents the End User License Agreement (EULA), which you are required to accept before using the appliance.

• The third screen allows you to change network settings for the appliance management interface. This page is prepopulated with current settings, which you may change.

If you are setting up an appliance after restoring it to factory defaults (see Restore Firepower Management Centers to Factory Defaults, on page 25) and you did not delete the appliance's license and network settings, the prompts will be pre-populated with the retained values.

• The wizard performs validation on the values you enter on this screen to confirm the following:

• Syntactical correctness

• Compatibility of the entered values (for instance, compatible IP address and gateway, or DNS provided when NTP servers are specified using FQDNs)

• Network connectivity between the FMC and the DNS and NTP servers

The wizard displays the results of these tests in real time on the screen, which allows you to make corrections and test the viability of your configuration before clicking Finish at the bottom of the screen. The NTP and DNS connectivity tests are nonblocking; you can click Finish before the wizard completes the connectivity tests. If the system reports a connectivity problem after you click Finish, you cannot change the settings in the wizard, but you can configure these connections using the web interface after completing the initial setup.


The system does not perform connectivity testing if you enter configuration values that would result in cutting off the existing connection between the FMC and the browser. In this case the wizard displays no connectivity status information for DNS or NTP.

• After you have completed the three wizard screens, a pop-up dialog box appears that offers you the opportunity to (optionally) quickly and easily set up Smart Licensing.

When you have completed the Initial Configuration Wizard and completed or dismissed the Smart Licensing dialog, the system displays the device management page, described in “Device Management Basics” in the Firepower Management Center Configuration Guide for your version.

Before you begin

• Install the FMC as described in Install the Appliance, on page 7.

• Be sure you have the following information needed for the FMC to communicate on your management network:

• An IPv4 management IP address.

The FMC management interface is preconfigured to accept an IPv4 address assigned by DHCP. Consult with your system administrator to determine what IP address your DHCP has been configured to assign to the FMC MAC address. In scenarios where no DHCP is available, the FMC management interface uses the IPv4 address 192.168.45.45.

• A network mask and a default gateway (if not using DHCP).

Procedure

Step 1 Use a web browser to navigate to the FMC's IP address: https://<FMC-IP>.

The login page appears.

Step 2 Log into the FMC using admin as the username and Admin123 as the password for the admin account. (The password is case-sensitive.)

Step 3 At the Change Password screen:

a) (Optional) Check the Show password check box to see the password while using this screen.

b) (Optional) Click the Generate Password button to have the system create a password for you that complies with the listed criteria. (Generated passwords are nonmnemonic; take careful note of the password if you choose this option.)

c) To set a password of your choosing, enter a new password in the New Password and Confirm Password text boxes.

The password must comply with the criteria listed in the dialog.

Note: The FMC compares your password against a password cracking dictionary that checks not only for many English dictionary words but also other character strings that could be easily cracked with common password hacking techniques. For example, the initial configuration script may reject passwords such as "abcdefg" or "passw0rd".


Note: On completion of the initial configuration process the system sets the passwords for the two admin accounts (one for web access and the other for CLI access) to the same value. The password must comply with the strong password requirements described in the Firepower Management Center Configuration Guide for your version. If you change the password for either admin account thereafter, they will no longer be the same, and the strong password requirement can be removed from the web interface admin account.

d) Click Next.

Once you click Next on the Change Password screen and the wizard has accepted the new admin password, that password is in effect for both the web interface and CLI admin accounts even if you do not complete the remaining wizard activities.

Step 4 At the User Agreement screen, read the EULA and click Accept to proceed.

If you click Decline the wizard logs you out of the FMC.

Step 5 Click Next.

Step 6 At the Change Network Settings screen:

a) Enter a Fully Qualified Domain Name. Accept the default value, if one is shown, or enter a fully qualified domain name (syntax <hostname>.<domain>) or host name.

b) Choose the boot protocol for the Configure IPV4 option, either Using DHCP or Using Static/Manual.

c) Accept the displayed value, if one is shown, for IPV4 Address or enter a new value. Use dotted decimal form (for example, 192.168.45.45).

d) Accept the displayed value, if one is shown, for Network Mask or enter a new value. Use dotted decimal form (for example, 255.255.0.0).

e) You can accept the displayed value, if one is shown, for Gateway or enter a new default gateway. Use dotted decimal form (for example, 192.168.0.1).

f) (Optional) For DNS Group you can accept the default value, Cisco Umbrella DNS.

To change the DNS settings, choose Custom DNS Servers from the drop-down list, and enter IPv4 addresses for the Primary DNS and Secondary DNS. Configure no DNS Server by choosing Custom DNS Servers from the drop-down list and leaving the Primary DNS and Secondary DNS fields blank.

g) For NTP Group Servers you can accept the default value, Default NTP Servers. In this case the system uses 0.sourcefire.pool.ntp.org as the primary NTP server, and 1.sourcefire.pool.ntp.org as the secondary NTP server.

To configure other NTP servers, choose Custom NTP Group Servers from the drop-down list and enter the FQDNs or IP addresses of one or two NTP servers reachable from your network.

Step 7 Click Finish.

The wizard performs validation on the values you enter on this screen to confirm syntactical correctness, compatibility of the entered values, and network connectivity between the FMC and the DNS and NTP servers. If the system reports a connectivity problem after you click Finish, you cannot change the settings in the wizard, but you can configure these connections using the FMC web interface after completing the initial setup.
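The syntax and compatibility checks described for the wizard can be rehearsed offline before the values are typed into the appliance. The Python sketch below is an added example, not Cisco code: the function name check_settings, the one-or-two-server limits (taken from the Versions 6.5 and later CLI prompts) and the definition of a usable gateway are assumptions, and it performs no connectivity test.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _split(csv):
    """Split a comma-separated answer; 'none' or blank means no entries."""
    if csv.strip().lower() in ("", "none"):
        return []
    return [item.strip() for item in csv.split(",")]


def _parses(parser, text):
    """True if the given ipaddress constructor accepts the text."""
    try:
        parser(text)
        return True
    except ValueError:
        return False


def _is_hostname(text):
    if re.fullmatch(r"[0-9.]+", text):  # digits and dots only: a mistyped IP
        return False
    return len(text) <= 253 and all(_LABEL.fullmatch(p) for p in text.split("."))


def check_settings(hostname, address, netmask, gateway, dns, ntp):
    """Return a list of problems; an empty list means the plan is consistent.

    dns and ntp are comma-separated strings; dns may be 'none'.
    """
    problems = []
    if not _is_hostname(hostname):
        problems.append(f"hostname: {hostname!r} is not a valid host name or FQDN")

    # Syntax first, then compatibility of address, netmask and gateway.
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"ipv4: {exc}")
    else:
        net = iface.network
        reserved = set()
        if net.prefixlen < 31:  # /31 and /32 have no network/broadcast pair
            reserved = {net.network_address, net.broadcast_address}
        if iface.ip in reserved:
            problems.append(f"ipv4: {iface.ip} is the network or broadcast address of {net}")
        if gw not in net:
            problems.append(f"gateway: {gw} is outside {net}")
        elif gw == iface.ip or gw in reserved:
            problems.append(f"gateway: {gw} is not a usable next hop in {net}")

    dns_servers = _split(dns)
    if len(dns_servers) > 2:
        problems.append("dns: specify at most two servers")
    for server in dns_servers:
        if not _parses(ipaddress.IPv4Address, server):
            problems.append(f"dns: {server!r} is not an IPv4 address")

    ntp_servers = _split(ntp)
    if not 1 <= len(ntp_servers) <= 2:
        problems.append("ntp: specify one or two servers")
    for server in ntp_servers:
        if _parses(ipaddress.ip_address, server):
            continue
        if not _is_hostname(server):
            problems.append(f"ntp: {server!r} is neither an IP address nor an FQDN")
        elif not dns_servers:  # a name cannot resolve without DNS
            problems.append(f"ntp: {server!r} is a name but no DNS server is configured")
    return problems


if __name__ == "__main__":
    # Values from this guide's CLI setup example.
    planned = dict(
        hostname="fmc",
        address="10.10.0.66",
        netmask="255.255.255.224",
        gateway="10.10.0.65",
        dns="208.67.222.222,208.67.220.220",
        ntp="0.sourcefire.pool.ntp.org,1.sourcefire.pool.ntp.org",
    )
    for line in check_settings(**planned) or ["plan is consistent"]:
        print(line)
```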


What to do next

• If you performed initial configuration on a newly-restored FMC and chose to retain network settings during the restore, but changed network settings during initial configuration, you need to reconnect to the FMC using the new network information.

• The system displays a pop-up dialog box that offers you the opportunity to quickly and easily set up Smart Licensing. Using this dialog box is optional; if your FMC will be managing Firepower Threat Defense devices and you are familiar with Smart Licensing, use this dialog. Otherwise dismiss this dialog and refer to “Licensing the Firepower System” in the Firepower Management Center Configuration Guide for your version.

• Confirm that the FMC has successfully configured weekly maintenance activities to keep your system up-to-date and your data backed up. See Automatic Initial Configuration (Versions 6.5 and Later), on page 20.

• When you have completed the Initial Configuration Wizard and completed or dismissed the Smart Licensing dialog, the system displays the device management page, described in “Device Management Basics” in the Firepower Management Center Configuration Guide. Establish basic configuration for your FMC as described in Firepower Management Center Initial Administration and Configuration, on page 21. You can configure the FMC for IPv6 addressing after completing the initial setup using the web interface as described in the Firepower Management Center Configuration Guide for your version.

• You can optionally configure the FMC for Serial or Serial over Lights-Out-Management access as described in Set Up Alternate Firepower Management Center Access, on page 41.

Initial Setup Using the CLI (Versions 6.5 and Later)

This task can be used to perform initial configuration for an FMC connected to a USB keyboard and VGA monitor for console access. You must complete an Initial Configuration Wizard that configures the new appliance to communicate on your trusted management network. The wizard requires that you accept the end user license agreement (EULA) and change the administrator password.

Before you begin

• Install the FMC as described in Install the Appliance, on page 7.

• Be sure you have the following information needed for the FMC to communicate on your management network:

• An IPv4 management IP address.

The FMC management interface is preconfigured to accept an IPv4 address assigned by DHCP. Consult with your system administrator to determine what IP address your DHCP has been configured to assign to the FMC MAC address. In scenarios where no DHCP is available, the FMC management interface uses the IPv4 address 192.168.45.45.

• A network mask and a default gateway (if not using DHCP).


Procedure

Step 1 Log into the FMC at the console using admin as the username and Admin123 as the password for the admin account. Note that the password is case-sensitive.

Step 2 When prompted, press Enter to display the End User License Agreement (EULA).

Step 3 Review the EULA. When prompted, enter yes, YES, or press Enter to accept the EULA.

Important: You cannot proceed without accepting the EULA. If you respond with anything other than yes, YES, or Enter, the system logs you out.

Step 4 To ensure system security and privacy, the first time you log in to the FMC you are required to change the admin password. When the system prompts for a new password, enter a new password complying with the restrictions displayed, and enter the same password again when the system prompts for confirmation.

Note: The FMC compares your password against a password cracking dictionary that checks not only for many English dictionary words but also other character strings that could be easily cracked with common password hacking techniques. For example, the initial configuration script may reject passwords such as "abcdefg" or "passw0rd".

Note: On completion of the initial configuration process the system sets the passwords for the two admin accounts (one for web access and the other for CLI access) to the same value, complying with the strong password requirements described in the Firepower Management Center Configuration Guide for your version. If you change the password for either admin account thereafter, they will no longer be the same, and the strong password requirement can be removed from the web interface admin account.

Step 5 Answer the prompts to configure network settings.

When following the prompts, for multiple-choice questions, your options are listed in parentheses, such as (y/n). Defaults are listed in square brackets, such as [y]. Note the following when responding to prompts:

• If you are setting up an appliance after restoring it to factory defaults (see Restore Firepower Management Centers to Factory Defaults, on page 25) and you did not delete the appliance's license and network settings, the prompts will be pre-populated with the retained values.

• Press Enter to accept the default.

• For hostname, supply a fully qualified domain name (<hostname>.<domain>) or host name. This field is required.

• If you choose to configure IPv4 manually, the system prompts for IPv4 address, netmask, and default gateway. If you choose DHCP, the system uses DHCP to assign these values. If you choose not to use DHCP, you must supply values for these fields; use standard dotted decimal notation.

• Configuring a DNS server is optional; to specify no DNS server enter none. Otherwise specify IPv4 addresses for one or two DNS servers. If you specify two addresses, separate them with a comma.

• You must enter the fully qualified domain name or IP address for at least one NTP server reachable from your network. You may specify two servers (a primary and a secondary); separate their information with a comma.

Example:


Enter a hostname or fully qualified domain name for this system [firepower]: fmc
Configure IPv4 via DHCP or manually? (dhcp/manual) [DHCP]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.0.66
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.224
Enter the IPv4 default gateway for the management interface [ ]: 10.10.0.65
Enter a comma-separated list of DNS servers or 'none' [CiscoUmbrella]: 208.67.222.222,208.67.220.220
Enter a comma-separated list of NTP servers [0.sourcefire.pool.ntp.org,1.sourcefire.pool.ntp.org]:

Step 6 The system displays a summary of your configuration selections. Review the settings you have entered.

Example:

Hostname: fmc
IPv4 configured via: manual configuration
Management interface IPv4 address: 10.10.0.66
Management interface IPv4 netmask: 255.255.255.224
Management interface IPv4 gateway: 10.10.0.65
DNS servers: 208.67.222.222,208.67.220.220
NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org

Step 7 The final prompt gives you the opportunity to confirm the settings.

• If the settings are correct, enter y and press Enter to accept the settings and continue.

• If the settings are incorrect, enter n and press Enter. The system prompts for the information again, beginning with hostname.

Example:

Are these settings correct? (y/n) y
If your networking information has changed, you will need to reconnect.

Updated network configuration.

Step 8 After you have accepted the settings, enter exit to exit the FMC CLI.

What to do next

• If you performed initial configuration on a newly-restored FMC and chose to retain network settings during the restore, but changed network settings during initial configuration, you will need to reconnect to the FMC using the new network information.

• Confirm that the FMC has successfully configured weekly maintenance activities to keep your system up-to-date and your data backed up. See Automatic Initial Configuration (Versions 6.5 and Later), on page 20.

• When you have completed the Initial Configuration Wizard and completed or dismissed the Smart Licensing dialog, the system displays the device management page, described in “Device Management Basics” in the Firepower Management Center Configuration Guide. Establish basic configuration for your FMC as described in Firepower Management Center Initial Administration and Configuration, on page 21. You can configure the FMC for IPv6 addressing after completing the initial setup using the web interface as described in the Firepower Management Center Configuration Guide for your version.


• You can optionally configure the FMC for Serial or Serial over Lights-Out-Management access as described in Set Up Alternate Firepower Management Center Access, on page 41.

Automatic Initial Configuration (Versions 6.5 and Later)

During initial configuration (whether performed through the Initial Configuration Wizard or through the CLI), the FMC automatically configures weekly maintenance tasks to keep your system up-to-date and your data backed up.

These tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for daylight saving time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur one hour "later" in the summer than in the winter, according to local time.

Note: We strongly recommend you review the auto scheduled configurations and adjust them if necessary.

• GeoDB Updates

The FMC automatically schedules GeoDB updates to occur each week at the same randomly selected time. You can observe the status of this update using the web interface Message Center. If the system fails to configure the update and your FMC has internet access, we recommend you configure regular GeoDB updates as described in the Firepower Management Center Configuration Guide for your version.

• FMC Software Updates

The FMC automatically schedules a weekly task to download the latest software for the FMC and its managed devices. This task is scheduled to occur between 2 and 3 AM UTC on Sunday mornings; depending on the date and your specific location this can occur any time from Saturday afternoon to Sunday afternoon local time. You can observe the status of this task using the web interface Message Center. If the task scheduling fails and your FMC has internet access, we recommend you schedule a recurring task for downloading software updates as described in the Firepower Management Center Configuration Guide for your version.

This task only downloads software patch and hotfix updates for the version your appliances are currently running; it is your responsibility to install any updates this task downloads. See the Cisco Firepower Management Center Upgrade Guide for more information.

• Weekly FMC Configuration Backup

The FMC automatically schedules a weekly task to perform a locally-stored configuration-only backup at 2 AM UTC on Monday mornings; depending on the date and your specific location this can occur any time from Saturday afternoon to Sunday afternoon local time. You can observe the status of this task using the web interface Message Center. If the task scheduling fails, we recommend you schedule a recurring task to perform backups as described in the Firepower Management Center Configuration Guide for your version.


CHAPTER 4

Firepower Management Center Initial Administration and Configuration

After you complete the initial setup process for an FMC and verify its success, we recommend that you complete various administrative tasks that make your deployment easier to manage. You should also complete any tasks you skipped during the initial setup, such as licensing. For detailed information on any of the tasks described in the following sections, as well as information on how you can begin to configure your deployment, see the Firepower Management Center Configuration Guide for your software version.

• Individual User Accounts
• Device Registration
• Health and System Policies
• Software and Database Updates

Individual User Accounts

After you complete the initial setup, the only web interface user on the system is the admin user, which has the Administrator role and access. Users with that role have full menu and configuration access to the system. We recommend that you limit the use of the admin account (and the Administrator role) for security and auditing reasons. In the FMC GUI, manage user accounts on the System > Users > User page.

Note: The admin accounts for accessing a FMC using the shell and accessing an FMC using the web interface are not the same, and may use different passwords.

Creating a separate account for each person who uses the system allows your organization not only to audit actions and changes made by each user, but also to limit each person’s associated user access role or roles. This is especially important on the FMC, where you perform most of your configuration and analysis tasks. For example, an analyst needs access to event data to analyze the security of your network, but may not require access to administrative functions for the deployment.

The system includes ten predefined user roles designed for a variety of administrators and analysts using the web interface. You can also create custom user roles with specialized access privileges.


Device Registration

An FMC can manage any device, physical or virtual, currently supported by the Firepower system:

• Firepower Threat Defense—Provides a unified next-generation firewall and next-generation IPS device.

• Firepower Threat Defense Virtual—A 64-bit virtual device that is designed to work in multiple hypervisor environments, reduce administrative overhead, and increase operational efficiency.

• Cisco ASA with FirePOWER Services (or an ASA FirePOWER module)—Provides the first-line system policy and passes traffic to the Firepower system for discovery and access control. However, you cannot use the FMC web interface to configure ASA FirePOWER interfaces. Cisco ASA with FirePOWER Services has a software and CLI unique to the ASA platform that you can use to install the system and to perform other platform-specific administrative tasks.

• 7000 and 8000 Series appliances—Physical devices purpose-built for the Firepower system. 7000 and 8000 Series devices have a range of throughputs, but share most of the same capabilities. In general, 8000 Series devices are more powerful than 7000 Series devices; they also support additional features such as 8000 Series fastpath rules, link aggregation, and stacking. You must configure remote management on the device before you can register the device to an FMC.

• NGIPSv—A 64-bit virtual device deployed in the VMware vSphere environment. NGIPSv devices do not support any of the system’s hardware-based features such as redundancy and resource sharing, switching, and routing.

To register managed devices to an FMC, use the Devices > Device Management page on the FMC GUI; see the device management information in the Firepower Management Center Configuration Guide for your version.

Health and System Policies

By default, all appliances have an initial system policy applied. The system policy governs settings that are likely to be similar for multiple appliances in a deployment, such as mail relay host preferences and time synchronization settings. We recommend that you use the FMC to apply the same system policy to itself and all the devices it manages.

By default, the FMC also has a health policy applied. A health policy, as part of the health monitoring feature, provides the criteria for the system to continuously monitor the performance of the appliances in your deployment. We recommend that you use the FMC to apply a health policy to all the devices it manages.

Software and Database Updates

You should update the system software on your appliances before you begin any deployment. We recommend that all the appliances in your deployment run the most recent version of the Firepower system. If you are using them in your deployment, you should also install the latest intrusion rule updates, VDB, and GeoDB.


Caution: Before you update any part of the Firepower system, you must read the release notes or advisory text that accompanies the update. The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.

If your FMC is running Firepower Versions 6.5+:

During initial configuration the FMC establishes the following activities to keep your system up-to-date and your data backed up:

• Weekly automatic GeoDB updates

• A weekly task to download the latest software for the FMC and its managed devices

  Important: This task only downloads software updates to the FMC. It is your responsibility to install any updates this task downloads. See the Cisco Firepower Management Center Upgrade Guide for more information.

• A weekly task to perform a locally-stored configuration-only FMC backup

You can observe the status of these activities using the web interface Message Center. If the system fails to configure any of these activities and your FMC has internet access, we recommend you configure these activities yourself as described in the Firepower Management Center Configuration Guide for your version.

For more information, see Automatic Initial Configuration (Versions 6.5 and Later), on page 20.


CHAPTER 5
Restore Firepower Management Centers to Factory Defaults

Cisco provides ISO images on its Support Site for restoring or reimaging FMCs to their original factory settings.

• Understand the Restore Process

• The Restore Utility Menu

• Restore a Firepower Management Center to its Factory Defaults

Understand the Restore Process

The ISO image you use to restore an appliance depends on when Cisco introduced support for that appliance model. Unless the ISO image was released with a minor version to accommodate a new appliance model, ISO images are usually associated with major versions of the system software (for example, 6.1 or 6.2). To avoid installing an incompatible version of the system, we recommend that you always use the most recent ISO image available for your appliance. For your convenience, you can install system software and intrusion rule updates as part of the restore process. Keep in mind that only FMCs require rule updates.

FMCs use an internal flash drive to boot the appliance so you can run the restore utility.

We also recommend that you always run the latest version of the system software supported by your appliance. After you restore an appliance to the latest supported major version, you should update its system software, intrusion rules, and Vulnerability Database (VDB). For more information, see the release notes for the update you want to apply, as well as the Firepower Management Center Configuration Guide for your version.

Before you begin restoring your appliances to factory defaults, be aware of the following recommendations and expected behavior of the system during the restore process:

• To avoid disrupting traffic flow on your network, we recommend restoring your appliances during a maintenance window or at a time when the interruption has the least impact on your deployment.

• We recommend that you delete or move any backup files that reside on your appliance, and then back up current event and configuration data to an external location.

• Restoring your appliance to factory defaults results in the loss of almost all configuration and event data on the appliance, including the console display settings. Although the restore utility can retain the appliance’s license, network, and (in some cases) LOM settings, you must perform all other setup tasks after the restore process completes.


  Retention of LOM settings after the restore process varies by Firepower version:

  • If you restore the FMC to Version 6.2.3 or earlier, the system does not reset LOM settings regardless of whether you choose to delete the license and network settings.

  • If you restore the FMC to Version 6.3+, the system resets LOM settings regardless of whether you choose to delete the license and network settings.

• To restore an FMC, boot from the appliance’s internal flash drive, and use an interactive menu to download and install the ISO image on the appliance. For your convenience, you can install system software and intrusion rule updates as part of the restore process.

  Note: You cannot restore an appliance using its web interface.

• To restore an FMC, you must connect to it in one of the following ways:

  • Keyboard and Monitor/KVM—You can connect a USB keyboard and VGA monitor to the appliance, which is useful for rack-mounted appliances connected to a KVM (keyboard, video, and mouse) switch. See the figure at Physical Interfaces, on page 1 to identify the USB and VGA ports. If you have a KVM that is remote-accessible, you can restore appliances without having physical access.

  • Serial Connection/Laptop—You can use the RJ-45 to DP-9 console cable supplied with the appliance (Cisco part number 72-3383-XX) to connect a computer to the appliance. Refer to the figure at Physical Interfaces, on page 1 to identify the serial port. To interact with the appliance, use terminal emulation software such as HyperTerminal or XModem.

  • Lights-Out Management Using Serial over LAN—You can perform a limited set of actions on FMCs using LOM with an SOL connection. If you do not have physical access to an appliance, you can use LOM to perform the restore process. After you connect to an appliance using LOM, you issue commands to the restore utility as if you were using a physical serial connection.

    Note: You can use LOM on the default (eth0) management interface only (see the diagram at Physical Interfaces, on page 1). To restore an FMC using LOM, you must grant LOM permission to the admin user. For more information, see Set Up Lights Out Management, on page 42.

    Caution: When restoring a device to factory settings for Version 6.3+ using LOM, if you do not have physical access to the appliance you will be unable to access the appliance after the restore.

Note: The procedures in this chapter explain how to restore an appliance without powering it down. However, if you need to power down for any reason, use the appliance’s web interface, the system shutdown command from the FMC CLI (supported in Versions 6.3+), or the shutdown -h now command from the appliance shell.


The Restore Utility Menu

The restore utility for FMCs uses an interactive menu to guide you through the restoration process.

The menu displays the options listed in the following table:

Table 1: Restore Menu Options

| Option | Description | For more information, see... |
|---|---|---|
| 1 IP Configuration | Specify network information about the management interface on the appliance you want to restore, so that the appliance can communicate with the server where you placed the ISO and any update files. | Identify the Appliance's Management Interface, on page 32 |
| 2 Choose the transport protocol | Specify the location of the ISO image you will use to restore the appliance, as well as any credentials the appliance needs to download the file. | Specify the ISO Image Location and Transport Method, on page 32 |
| 3 Select Patches/Rule Updates | Specify a system software and intrusion rules update to be applied after the appliance is restored to the base version in the ISO image. | Select System Software and Rule Updates during Restore, on page 34 |
| 4 Download and Mount ISO | Download the appropriate ISO image and any system software or intrusion rule updates. Mount the ISO image. | Download the ISO and Update Files and Mount the Image, on page 35 |
| 5 Run the Install | Invoke the restore process. | Restore a Firepower Management Center to its Factory Defaults, on page 28 |
| 6 Save Configuration; 7 Load Configuration | Save any set of restore configurations for later use, or load a saved set. | Save and Load Firepower Management Center Configurations, on page 39 |
| 8 Wipe Contents of Disk | Securely scrub the hard drive to ensure that its contents can no longer be accessed. | Erase the Hard Drive, on page 51 |

Navigate the menu using the arrow keys. To select a menu option, use the Up and Down arrow keys. Use the Right and Left Arrow keys to toggle between the OK and Cancel buttons at the bottom of the page.

The menu presents two options:

• To select a numbered option, first highlight the correct option using the up and down arrows, then press Enter while the OK button at the bottom of the page is highlighted.

• To select a multiple-choice (radio button) option, first highlight the correct option using the up and down keys, then press the space bar to mark that option with an X. To accept your selection, press Enter while the OK button is highlighted.


Restore a Firepower Management Center to its Factory Defaults

This topic provides a high-level description of the tasks required to restore an FMC to factory defaults, and the order in which you must perform them.

Before you begin

Become familiar with the FMC's interactive restore menu. For more information, see The Restore Utility Menu, on page 27.

Procedure

Step 1 Obtain the restore and ISO update files. See Obtain the Restore ISO and Update Files, on page 29.

Step 2 Start the restore process using one of these two methods:

• Start the Restore Utility Using KVM or Physical Serial Port, on page 30

• Start the Restore Utility Using Lights-Out Management, on page 31 (This is useful if you do not have physical access to the appliance.)

Caution: When restoring a device to factory settings for Versions 6.3+ using LOM, if you do not have physical access to the appliance and you delete the license and network settings, you will be unable to access the appliance after the restore.

Step 3 Use the interactive restore menu to identify the appliance’s management interface. See Identify the Appliance's Management Interface, on page 32.

Step 4 Use the interactive restore menu to specify the ISO image location and transport method. See Specify the ISO Image Location and Transport Method, on page 32.

Step 5 (Optional) Use the interactive restore menu to select system software and/or rule updates to include with the restore process. See Select System Software and Rule Updates during Restore, on page 34.

Step 6 (Optional) Save the system configuration you have selected for use in future restore activities. See Save a Firepower Management Center Configuration, on page 39.

Step 7 Use the interactive restore menu to download the ISO and update files, and mount the image on the appliance. See Download the ISO and Update Files and Mount the Image, on page 35.

Step 8 You have two options based on the software version to which you are restoring the appliance:

• If you are restoring the system to a different major version, perform the two-pass restore process:

1. The first pass updates the restore image. See Update the Restore Image, on page 35.

2. The second pass installs the new version of the system software. See Install the New System Software Version, on page 36.

• If you are restoring the system to the same major version, you need only install the new version of the system software. See Install the New System Software Version, on page 36.


What to do next

Restoring your FMC to factory default settings results in the loss of almost all configuration and event data on the appliance, including console display settings.

• If you did not delete the appliance’s license and network settings, you can use a computer on your management network to browse directly to the appliance’s web interface to perform the setup. For more information, see Firepower Management Center Installation and Initial Setup, on page 5.

• If you deleted license and network settings, you must configure the appliance as if it were new, beginning with configuring it to communicate on your management network. For more information, see Install the Appliance, on page 7.

• If you deregistered the FMC from the Cisco Smart Software Manager, register the appliance to the Cisco Smart Software Manager. Choose System > Licenses > Smart Licenses and click the register icon.

Note: Retention of LOM settings after the restore process varies by Firepower version:

• If you restore the FMC to Version 6.2.3 or earlier, the system does not reset LOM settings regardless of whether you choose to delete the license and network settings.

• If you restore the FMC to Version 6.3+, the system resets LOM settings regardless of whether you choose to delete the license and network settings. After you complete the initial setup process, do one of the following:

  • If you want to use a serial or SOL/LOM connection to access your appliance's console, redirect console output; see Redirect Console Output, on page 45.

  • If you want to use LOM, you must re-enable the feature, as well as enable at least one LOM user. For more information, see Set Up Lights Out Management, on page 42.
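The planning rules this chapter states (one or two passes, the display-mode choice, LOM retention by target version, and the LOM lockout Caution) can be checked before a maintenance window with a small pre-flight script. This is an added example, not Cisco tooling and not part of the original guide; the function names, the key=value output and the return codes are assumptions of this example, and the lockout test uses the wording of the Caution in the procedure above.

```shell
#!/bin/sh
# Pre-flight planner for an FMC factory restore. Added example, not Cisco tooling.
# It encodes only rules stated in the guide:
#   * major version = first two fields (the guide's examples: 6.1, 6.2)
#   * different major version -> two-pass restore, same major -> one pass
#   * target 6.3+ resets LOM settings; 6.2.3 or earlier keeps them
#   * LOM restore to 6.3+ with no physical access while deleting license and
#     network settings leaves the appliance unreachable

# Accept dotted numeric versions with at least two fields (6.3, 6.2.3).
is_version() {
  case $1 in
    '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# "6.2.3" -> "6.2"
major_of() {
  _rest=${1#*.}
  printf '%s.%s\n' "${1%%.*}" "${_rest%%.*}"
}

# Numeric field-by-field compare: succeeds when $1 >= $2 (so 6.10 >= 6.3).
version_ge() {
  _a=$1
  _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}
    _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
  done
  return 0
}

# restore_plan CURRENT TARGET ACCESS PHYSICAL DELETE
#   ACCESS   kvm | serial | lom   (how you reach the restore utility)
#   PHYSICAL yes | no             (can someone get to the appliance?)
#   DELETE   yes | no             (delete license and network settings?)
# Prints key=value lines. Returns 0 = no lockout, 2 = bad input, 3 = lockout.
restore_plan() {
  is_version "$1" && is_version "$2" || { echo "error=bad-version"; return 2; }
  case $3 in kvm | serial | lom) ;; *) echo "error=bad-access"; return 2 ;; esac
  case $4 in yes | no) ;; *) echo "error=bad-physical"; return 2 ;; esac
  case $5 in yes | no) ;; *) echo "error=bad-delete"; return 2 ;; esac

  # Step 8: two passes only when the major version changes.
  if [ "$(major_of "$1")" = "$(major_of "$2")" ]; then
    echo "passes=1"
  else
    echo "passes=2"
  fi

  # Display-mode prompt: 1 = keyboard and monitor, 2 = serial (SOL included).
  if [ "$3" = kvm ]; then echo "display_mode=1"; else echo "display_mode=2"; fi

  # LOM retention depends on the target version only.
  if version_ge "$2" 6.3; then _lom=reset; else _lom=kept; fi
  echo "lom_settings=$_lom"

  # "What to do next": kept settings -> web setup, deleted -> set up as new.
  if [ "$5" = no ]; then echo "setup=web"; else echo "setup=as-new"; fi

  # The Caution: LOM + 6.3+ + no physical access + deleted settings.
  if [ "$3" = lom ] && [ "$_lom" = reset ] && [ "$4" = no ] && [ "$5" = yes ]; then
    echo "lockout=yes"
    return 3
  fi
  echo "lockout=no"
}

# Constructed scenario: remote site, 6.2.3 -> 6.4.0 over LOM, wiping settings.
restore_plan 6.2.3 6.4.0 lom no yes || echo "(exit $?) do not proceed as planned"
```

A return code of 3 means the planned combination matches the Caution; keeping the license and network settings, or arranging physical access, changes the result to `lockout=no`.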

Obtain the Restore ISO and Update Files

Before you begin

Cisco provides ISO images for restoring appliances to their original factory settings. Before you restore an appliance, obtain the correct ISO image from the Support Site as described here.

Procedure

Step 1 Using the username and password for your support account, log into the Support Site at https://sso.cisco.com/autho/forms/CDClogin.html.

Step 2 Browse to the software download section at: https://software.cisco.com/download/navigator.html.

Step 3 Enter a search string in the Find area on the page that appears for the system software you want to download and install.

Example:

To find software downloads for Firepower, enter Firepower.


Step 4 Find the image (ISO image) that you want to download. You can click one of the links on the left side of the page to view the appropriate section of the page.

Example:

Click 6.3.0 to view the images and release notes for Version 6.3.0 of the Firepower system.

Step 5 Click the ISO image you want to download.

The file begins downloading.

Step 6 Copy the files to an HTTP (web) server, FTP server, or SCP-enabled host that the appliance can access on its management network.

Caution: Do not transfer ISO or update files using email; the files can become corrupted. Also, do not change the names of the files; the restore utility requires that they be named as they are on the Support Site.

Start the Restore Utility Using KVM or Physical Serial Port

For FMCs, Cisco provides a restore utility on an internal flash drive.

Before you begin

Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 Using your keyboard/monitor or serial connection, log into the appliance’s shell using the admin account. Use the steps appropriate to your Firepower version; see Access the CLI or the Linux Shell on the FMC, on page 7.

Step 2 Reboot the appliance; enter sudo reboot. Provide the admin password when prompted.

Step 3 Monitor the reboot status. When the boot menu appears, quickly select Option 3 to restore the system.

Note: The boot menu gives you only a few seconds to make your selection before timing out. If you miss your window of opportunity, the appliance proceeds with the reboot process. Wait until the reboot is complete and try again.

Step 4 The system prompts for the display mode for the restore utility’s interactive menu:

• For a keyboard and monitor connection, enter 1 and press Enter.

• For a serial connection, enter 2 and press Enter.

If you do not select a display mode, the restore utility defaults to the option marked with an asterisk (*).

Note: The display mode menu gives you only a few seconds to make your selection before timing out. If you miss your window of opportunity and accidentally reboot the appliance into system restore mode with the wrong console selection, wait until the reboot is complete, then power down the appliance. (You must use the power button to shut down the appliance at this time because the FMC software is not running.) Then power on the FMC and start over with this task.


Unless this is the first time you have restored the appliance to this major version, the utility automatically loads the last restore configuration you used. To continue, confirm the settings in a series of pages.

Step 5 Press Enter to confirm the copyright notice.

Start the Restore Utility Using Lights-Out Management

If you need to restore an appliance to factory defaults and do not have physical access, you can use LOM to perform the restore process.

Note: For Versions 6.3+, the restore process resets the LOM settings on the device; you cannot access a newly restored appliance using LOM.

Caution: When restoring a device to factory settings for Versions 6.3+ using LOM, if you do not have physical access to the appliance and you delete the license and network settings, you will be unable to access the appliance after the restore.

Before you begin

• Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

• You must enable the LOM feature and you must grant LOM permission to the admin user. For more information, see Set Up Lights Out Management, on page 42.

Procedure

Step 1 At your computer’s command prompt, enter the IPMI command to start the SOL session:

• For IPMItool, enter: sudo ipmitool -I lanplus -H IP_address -U admin sol activate

• For ipmiutil, enter: sudo ipmiutil sol -a -V4 -J3 -N IP_address -U admin -P password

The IP_address is the IP address of the management interface on the appliance and password is the password for the admin account. Note that IPMItool prompts you for the password after you issue the sol activate command.

Step 2 Reboot the appliance as root user; enter sudo reboot. Provide the admin password when prompted.

Step 3 Monitor the reboot status. When the boot menu appears, quickly select Option 3 to restore the system.

Note: The boot menu gives you only a few seconds to make your selection before timing out. If you miss your window of opportunity, the appliance proceeds with the reboot process. Wait for the reboot to complete and try again.

Step 4 The system prompts for the display mode for the restore utility’s interactive menu. Enter 2 and press Enter to load the interactive restore menu using the appliance’s serial connection.


If you do not select a display mode, the restore utility defaults to the option marked with an asterisk (*).

Important: The display mode menu gives you only a few seconds to make your selection before timing out. If you miss your window of opportunity and accidentally reboot the appliance into system restore mode with Option 1 (for a keyboard and monitor connection), you must obtain physical access to the appliance, wait until the reboot is complete, then power down the appliance. (You must use the power button to shut down the appliance at this time because the FMC software is not running.) Then power on the FMC and start over with this task.

Unless this is the first time you have restored the appliance to this major version, the utility automatically loads the last restore configuration you used. To continue, confirm the settings in a series of pages.

Step 5 Press Enter to confirm the copyright notice.

Identify the Appliance's Management Interface

The first step in running the restore utility is to identify the management interface on the appliance you want to restore, so that the appliance can communicate with the server where you copied the ISO and any update files.

Before you begin

Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 From the restore utility main menu, choose 1 IP Configuration.

Step 2 Choose the appliance’s management interface (generally eth0).

Step 3 Choose the protocol you are using for your management network: IPv4 or IPv6.

Options for assigning an IP address to the management interface appear.

Step 4 Choose a method to assign an IP address to the management interface:

• Static: A series of pages prompts you to manually enter the IP address, network mask or prefix length, and default gateway for the management interface.

• DHCP: The appliance automatically detects the IP address, network mask or prefix length, and default gateway for the management interface, and then displays the IP address.

Step 5 When prompted, confirm your settings.

If prompted, confirm the IP address assigned to the appliance’s management interface. If you are using LOM, remember that the management IP address for the appliance is not the LOM IP address.

Specify the ISO Image Location and Transport Method

After you configure the management IP address that the restore process will use to download the files it needs, you must identify which ISO image you will use to restore the appliance. This is the ISO image that you downloaded from the Support Site (see Obtain the Restore ISO and Update Files, on page 29) and stored on a web server, FTP server, or SCP-enabled host.

Before you begin

Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 From the restore utility main menu, choose 2 Choose the transport protocol.

Step 2 On the page that appears, choose either HTTP, FTP, or SCP.

Step 3 Use the series of pages presented by the restore utility to provide the necessary information for the protocol you chose; see Restore Files Download Configuration, on page 33.

If your information was correct, the appliance connects to the server and displays a list of the Cisco ISO images in the location you specified.

Step 4 Choose the ISO image you want to use.

Step 5 When prompted, confirm your settings.

Restore Files Download Configuration

Before you can identify which ISO image you will use to restore the appliance, you must configure the management IP address that the restore process uses to download the files it needs. The interactive menu on the FMC prompts you to enter information to complete the download as listed in the following table.

Table 2: Information Needed to Download Restore Files

To use HTTP, you must provide:

• IP address for the web server

• Full path to the ISO image directory (for example, /downloads/ISOs/)

To use FTP, you must provide:

• IP address for the FTP server

• Path to the ISO image directory, relative to the home directory of the user whose credentials you want to use (for example, mydownloads/ISOs/)

• Authorized user name and password for the FTP server

To use SCP, you must provide:

• IP address for the SCP server

• Authorized username for the SCP server

• Full path to the ISO image directory

• Password for the username you entered earlier

  Note: Before you enter your password, you may be prompted to add the SCP server to its list of trusted hosts. You must accept to continue.

Select System Software and Rule Updates during Restore

You can optionally use the restore utility to update the system software and intrusion rules after the appliance is restored to the base version in the ISO image. Note that only FMCs require rule updates.

The restore utility can use only one system software update and one rule update. However, system updates are cumulative back to the last major version; rule updates are also cumulative. We recommend that you obtain the latest updates available for your appliance; see Obtain the Restore ISO and Update Files, on page 29.

If you choose not to update the appliance during the restore process, you can update later using the system’s web interface. For more information, see the release notes for the update you want to install, as well as the Updating System Software chapter in the Firepower Management Center Configuration Guide.

Before you begin

Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 From the restore utility main menu, choose 3 Select Patches/Rule Updates.

The restore utility uses the protocol and location you specified in the previous procedure (see Specify the ISO Image Location and Transport Method, on page 32) to retrieve and display a list of any system software update files in that location. If you are using SCP, enter your password when prompted to display the list of update files.

Step 2 Choose the system software update, if any, you want to use. You do not have to choose an update; press Enter without selecting an update to continue. If there are no system software updates in the appropriate location, the system prompts you to press Enter to continue.

The restore utility retrieves and displays a list of rule update files. If you are using SCP, to display the list, enter your password when prompted.

Step 3 Select the rule update, if any, you want to use. You do not have to select an update; press Enter without selecting an update to continue. If there are no rule updates in the appropriate location, the system prompts you to press Enter to continue.


Download the ISO and Update Files and Mount the Image

Before you begin

Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 From the restore utility main menu, choose 4 Download and Mount ISO.

Step 2 When prompted, confirm your choice. If you are downloading from an SCP server, enter your password when prompted. The system downloads and mounts the appropriate files.

Update the Restore Image

When restoring an appliance to a different major version, this first pass by the restore utility updates the appliance’s restore image, and, if necessary, the restore utility itself.

Note: If you are restoring an appliance to the same major version, or if this is your second pass through the process, do not use these instructions; see Install the New System Software Version, on page 36.

Before you begin

Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 From the restore utility main menu, choose 5 Run the Install.

Step 2 When prompted (twice), confirm that you want to reboot the appliance.

Step 3 The system prompts for the display mode for the restore utility’s interactive menu:

• For a keyboard and monitor connection, enter 1 and press Enter.

• For a serial connection, enter 2 and press Enter.

If you do not select a display mode, the restore utility defaults to the option marked with an asterisk (*).

Unless this is the first time you have restored the appliance to this major version, the utility automatically loads the last restore configuration you used. To continue, confirm the settings displayed in the next series of pages.

Step 4 Press Enter to confirm the copyright notice.


What to do next

Complete the tasks in the second pass of the restore process. See Install the New System Software Version, on page 36.

Install the New System Software Version

Perform the following tasks if you are restoring an appliance to the same major version, or if this is your second pass through the two-step restore process.

Note: The restore process resets the console display settings to the default mode of using the VGA port.

Before you begin

• Be sure you have completed the appropriate previous steps in the restore process as described in Restore a Firepower Management Center to its Factory Defaults, on page 28.

• If you are performing this task as the second pass in the two-pass system restore process, you must first download and mount the ISO image. See Download the ISO and Update Files and Mount the Image, on page 35. (If you are performing the two-pass restore process, this will be the second time you download and mount the ISO image.)

Procedure

Step 1 From the restore utility main menu, choose 5 Run the Install.

Step 2 Confirm that you want to restore the appliance.

Step 3 Choose whether you want to delete the appliance’s license and network settings.

In most cases, you do not want to delete these settings; retaining them can make the initial setup process shorter. Changing settings after the restore and subsequent initial setup is often less time consuming than trying to reset them now.

Caution: For Versions 6.3+, the restore process resets the LOM settings on the device; you cannot access a newly restored appliance using LOM. When restoring a device to Versions 6.3+ factory settings using LOM, if you do not have physical access to the appliance you will be unable to access the appliance after the restore.

Step 4 Enter your final confirmation that you want to restore the appliance.

The final stage of the restore process begins. When it is completed, if prompted, confirm that you want to reboot the appliance.

Caution: Make sure you allow sufficient time for the restore process to complete. On appliances with internal flash drives, the utility first updates the flash drive, which is then used to perform other restore tasks. If you quit (by pressing Ctrl + C, for example) during the flash update, you could cause an unrecoverable error. If you think the restore is taking too long or you experience any other issues with the process, do not quit. Instead, contact Cisco TAC.


Note: Always reimage your appliances during a maintenance window.


CHAPTER 6

Save and Load Firepower Management Center Configurations

You can use the restore utility to save a configuration should you need to restore an FMC. Although the restore utility automatically saves the last configuration used, you can save multiple configurations, which include the following:

• Network information about the management interface on the appliance. For more information, see Identify the Appliance's Management Interface, on page 32.

• Location of the ISO image, as well as the transport protocol and any credentials the appliance needs to download the file. For more information, see Specify the ISO Image Location and Transport Method, on page 32.

• System software and intrusion rules updates, if any, that you want to apply after the appliance is restored to the base version in the ISO image. For more information, see Select System Software and Rule Updates during Restore, on page 34.

The system does not save SCP passwords. If the configuration specifies that the utility must use SCP to transfer ISO and other files to the appliance, you must re-authenticate to the server to complete the restore process.

The best time to save a configuration is after you provide the information listed above, but before you download and mount the ISO image.

• Save a Firepower Management Center Configuration, on page 39

• Load a Saved Firepower Management Center Configuration, on page 40

Save a Firepower Management Center Configuration

Before you begin

Complete Steps 1 through 5 of Restore a Firepower Management Center to its Factory Defaults, on page 28.

Procedure

Step 1 From the restore utility main menu, choose 6 Save Configuration.

The utility displays the settings in the configuration you are saving.


Step 2 When prompted, confirm that you want to save the configuration.

Step 3 When prompted, enter a name for the configuration.

What to do next

If you want to use the saved configuration to perform a system restore, continue with Step 7 of Restore a Firepower Management Center to its Factory Defaults, on page 28.

Load a Saved Firepower Management Center Configuration

You can load a previously saved configuration to restore an FMC.

Procedure

Step 1 From the restore utility main menu, choose 7 Load Configuration.

The utility presents a list of saved restore configurations. The first option, default_config, is the configuration you last used to restore the appliance. The other options are restore configurations that you have saved.

Step 2 Choose the configuration you want to use.

The utility displays the settings in the configuration you are loading.

Step 3 When prompted, confirm that you want to load the configuration.

The configuration is loaded. If prompted, confirm the IP address assigned to the appliance’s management interface.

What to do next

To use the configuration you just loaded to restore the system, continue with Step 7 of Restore a Firepower Management Center to its Factory Defaults, on page 28.


CHAPTER 7

Set Up Alternate Firepower Management Center Access

After you have completed the initial setup process, you can establish alternate means of accessing the FMC by doing one of the following:

• You can set up the FMC for direct access from a local computer to its serial port.

• You can set up the FMC for Lights Out Management (LOM) access using a Serial over LAN (SOL) connection on the default (eth0) management interface. This allows you to perform a limited number of maintenance tasks without having physical access to the appliance.

Before configuring the FMC for serial or LOM/SOL access, we recommend that you redirect console output to the serial port.

• Set Up Serial Access, on page 41

• Set Up Lights Out Management, on page 42

• Redirect Console Output, on page 45

Set Up Serial Access

Before you begin

• Perform the installation and initial setup as described in Firepower Management Center Installation and Initial Setup, on page 5.

• Obtain and install terminal emulation software (such as HyperTerminal or XModem) on the local computer to interact with the FMC.

• Redirect console output to the serial port. See Redirect Console Output, on page 45.

Procedure

Step 1 Locate the serial port on the FMC rear panel. Use item 4 in the diagram for your model below:

• FMC 1000 rear panel:


• FMC 2500 and FMC 4500 rear panel:

Step 2 Use the RJ-45 to DB-9 console cable supplied with the appliance (Cisco part number 72-3383-XX) to connect a local computer to the FMC serial port.

Step 3 Use terminal emulation software (such as HyperTerminal or XModem) on the local computer to interact with the FMC. Set the terminal emulator for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

Set Up Lights Out Management

The Lights Out Management (LOM) feature allows you to perform a limited set of actions on a Firepower Management Center using a Serial over LAN (SOL) connection. With LOM, you use a CLI on an out-of-band management connection to perform tasks such as viewing the chassis serial number, or monitoring conditions such as fan speed and temperature. Note that you can use Lights-Out Management on the default (eth0) management interface only.

If you need to restore a Firepower Management Center to factory defaults and do not have physical access to the appliance, you can use Lights Out Management (LOM) to perform the restore process.

Caution: For Versions 6.3+, the restore process resets the LOM settings on the device; you cannot access an appliance newly restored to Versions 6.3+ using LOM. When restoring a device to Version 6.3+ factory settings using LOM, if you do not have physical access to the appliance and you delete the license and network settings, you will be unable to access the appliance after the restore.

Note: Other Firepower appliances also support LOM. You configure LOM and LOM users for each appliance using each appliance’s local web interface. That is, you cannot use the Firepower Management Center to configure LOM on a Firepower device. Similarly, because users are managed independently for each appliance, enabling or creating an LOM-enabled user on the Firepower Management Center does not transfer that capability to users on Firepower devices.


For more information on Lights Out Management, see "Remote Console Access Management" in the Firepower Management Center Configuration Guide for your version.

Before you begin

• Install an Intelligent Platform Management Interface (IPMI) utility on your local computer. See IPMI Utility Installation, on page 43 for more information.

• Determine which commands are needed to access an appliance using the IPMI tool. See LOM Commands, on page 43 for more information.

• Redirect console output to the serial port. See Redirect Console Output, on page 45.

Procedure

Step 1 Enable LOM for the appliance. See Enable Lights-Out Management, on page 44.

Step 2 Enable LOM for users who will use the feature. See Enable Lights-Out Management Users, on page 45.

Step 3 Use a third-party IPMI utility to access the appliance.

IPMI Utility Installation

You can use a third-party IPMI utility on your computer to create an SOL connection to the appliance. IPMItool is standard with many Linux distributions, but on Mac and Windows systems you must install a utility.

If your computer is running Mac OS, install IPMItool. First, confirm that your Mac has Apple's Xcode developer tools package installed. Make sure the optional components for command line development are installed ("UNIX Development" and "System Tools" in newer versions, or "Command Line Support" in older versions). Finally, install MacPorts and IPMItool. For more information, use your favorite search engine or see these sites: https://developer.apple.com/technologies/tools/ and http://www.macports.org/.

For Windows environments, use ipmiutil, which you must compile yourself. If you do not have access to a compiler, you can use ipmiutil itself to compile. For more information, use your favorite search engine or see this site: http://ipmiutil.sourceforge.net/.

LOM Commands

The syntax of LOM commands depends on the utility you are using, but LOM commands generally contain the elements listed in the following table.

Table 3: LOM Command Syntax

| IPMItool (Linux/Mac) | ipmiutil (Windows) | Description |
| --- | --- | --- |
| ipmitool | ipmiutil | Invokes the IPMI utility. |
| n/a | -V4 | For ipmiutil only, enables admin privileges for the LOM session. |
| -I lanplus | -J3 | Enables encryption for the LOM session. |
| -H IP_address | -N IP_address | Specifies the IP address of the management interface on the appliance. |
| -U username | -U username | Specifies the username of an authorized LOM account. |
| n/a (prompted on login) | -P password | For ipmiutil only, specifies the password for an authorized LOM account. |
| command | command | The command you want to issue to the appliance. Note that where you issue the command depends on the utility. For IPMItool, enter the command last: ipmitool -I lanplus -H IP_address -U username command. For ipmiutil, enter the command first: ipmiutil command -V4 -J3 -N IP_address -U username -P password |

For a full list of LOM commands supported by the Firepower system, see "LOM Commands" in the Firepower Management Center Configuration Guide.

Enable Lights-Out Management

Procedure

Step 1 In the FMC web interface, choose System > Configuration, then click Console Configuration.

Step 2 Enable remote access by choosing Physical Serial Port.

Step 3 Enter the necessary IPv4 settings:

• Choose the address Configuration for the system (DHCP or Manual).

• Enter the IP Address to be used for LOM.

Note: The LOM IP address must be different from the management interface IP address of the system.

• Enter the Netmask for the system.

• Enter the Default Gateway for the system.

Step 4 Click Save.


What to do next

You must explicitly grant LOM permissions to users who will use the feature. See Enable Lights-Out Management Users, on page 45.

Enable Lights-Out Management Users

Before you begin

LOM users must meet the following restrictions:

• You must assign the Administrator role to the user.

• The username may have up to 16 alphanumeric characters. Hyphens and longer usernames are not supported for LOM users.

• The password may have up to 20 alphanumeric characters. Longer passwords are not supported for LOM users. A user’s LOM password is the same as that user’s system password.

• FMCs can have up to 13 LOM users.

Procedure

Step 1 In the FMC web interface, select System > Users and on the Users tab, either edit an existing user to add LOM permissions, or create a new user that you will use for LOM access to the appliance.

Step 2 Under User Role Configuration, check the Administrator check box if it is not already checked.

Step 3 Check the Allow Lights-Out Management Access check box and save your changes.
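The argument order in Table 3 (LOM Command Syntax) and the LOM user restrictions listed above can be checked before a session is opened. The following Python code is an added example, not part of the Cisco guide or of either IPMI utility; the function names, the 192.0.2.x addresses, the sample account, and the sample commands sol activate and sol -a are assumptions used for illustration.

```python
import ipaddress
import re

# LOM user restrictions from "Enable Lights-Out Management Users":
# username up to 16 alphanumeric characters (no hyphens),
# password up to 20 alphanumeric characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,16}")
PASSWORD_RE = re.compile(r"[A-Za-z0-9]{1,20}")


def check_lom_account(username, password):
    """Return a list of problems; an empty list means the account fits the limits."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("username must be 1-16 alphanumeric characters, no hyphens")
    if not PASSWORD_RE.fullmatch(password):
        problems.append("password must be 1-20 alphanumeric characters")
    return problems


def check_lom_address(lom_ip, mgmt_ip):
    """Validate both IPv4 addresses and enforce that the LOM address differs."""
    lom = ipaddress.IPv4Address(lom_ip)    # raises ValueError if not IPv4
    mgmt = ipaddress.IPv4Address(mgmt_ip)
    if lom == mgmt:
        raise ValueError("LOM IP address must differ from the management interface IP")
    return str(lom)


def build_lom_command(utility, ip_address, username, command, password=None):
    """Build the argument list for one LOM command, ordered as in Table 3.

    IPMItool takes the command last and prompts for the password;
    ipmiutil takes the command first and the password as -P, which places
    the password in the argument list of the running process.
    """
    words = command.split()
    if not words:
        raise ValueError("command must not be empty")
    if utility == "ipmitool":
        return ["ipmitool", "-I", "lanplus", "-H", ip_address,
                "-U", username, *words]
    if utility == "ipmiutil":
        if password is None:
            raise ValueError("ipmiutil needs the password as -P")
        return ["ipmiutil", *words, "-V4", "-J3", "-N", ip_address,
                "-U", username, "-P", password]
    raise ValueError(f"unknown utility: {utility}")


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    user, secret = "lomadmin", "Examp1ePassw0rd"
    print(check_lom_account(user, secret))
    address = check_lom_address("192.0.2.10", "192.0.2.5")
    print(" ".join(build_lom_command("ipmitool", address, user, "sol activate")))
    print(" ".join(build_lom_command("ipmiutil", address, user, "sol -a", secret)))
```
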

Redirect Console Output

By default, FMCs direct initialization status, or init, messages to the VGA port. If you want to use the physical serial port or SOL to access the console, we recommend you redirect console output to the serial port after you complete the initial setup. You can accomplish this from the web interface or the shell.

Use the Web Interface to Redirect the Console Output

Before you begin

Complete the initial setup process. See Firepower Management Center Installation and Initial Setup, on page 5.

Procedure

Step 1 Choose System > Configuration.

Step 2 Choose Console Configuration.


Step 3 Select a remote console access option:

• Choose VGA to use the appliance’s VGA port.

• Choose Physical Serial Port to use the appliance’s serial port, or to use LOM/SOL.

Step 4 To configure LOM using SOL, enter the appropriate IPv4 settings:

• Choose the address Configuration for the appliance (DHCP or Manual).

• Enter the IP Address to be used for LOM.

Note: The LOM IP address must be different from the management interface IP address of the system.

• Enter the Netmask for the system.

• Enter the Default Gateway for the system.

Step 5 Click Save.

Use the Shell to Redirect the Console Output

Before you begin

Complete the initial setup process. See Firepower Management Center Installation and Initial Setup, on page 5.

Procedure

Step 1 Use the FMC CLI admin credentials to access the Linux shell on the FMC using the method appropriate to your Firepower version; see Access the CLI or the Linux Shell on the FMC, on page 7.

Step 2 At the prompt, set the console output by entering one of the following commands:

• To direct console messages to the VGA port: sudo /usr/local/sf/bin/configure_console.sh vga

• To direct console messages to the physical serial port: sudo /usr/local/sf/bin/configure_console.sh serial

• To direct console messages to SOL (when using LOM): sudo /usr/local/sf/bin/configure_console.sh sol

Step 3 To implement your changes, reboot the appliance by entering sudo reboot.


CHAPTER 8

Preconfigure Firepower Management Centers

You can preconfigure your Firepower Management Center (FMC) at a staging location (a central location to preconfigure or stage multiple appliances) to be deployed at a target location (any location other than the staging location).

To preconfigure and deploy an appliance to a target location, perform the following steps:

1. Install the system on the device at the staging location.

2. Shut down and ship the appliance to the target location.

3. Deploy the appliance in the target locations.

Note: Save all packing materials and include all reference material and power cords when repackaging the appliance.

• Required Preconfiguration Information, on page 47

• Optional Preconfiguration Information, on page 48

• Preconfigure Time Management, on page 48

• Install the System, on page 49

• Prepare a Firepower Management Center for Shipment, on page 49

• Delete a Classic License from a Firepower Management Center, on page 49

• Shipping Considerations, on page 50

• Troubleshooting the Appliance Preconfiguration, on page 50

Required Preconfiguration Information

Before preconfiguring the appliance, collect the network settings, licenses, and other pertinent information for the staging location and the target location.

Note: It can be helpful to create a spreadsheet to manage this information at the staging location and the target location.

During the initial setup, you configure your appliance with enough information to connect the appliance to the network and install the system.


At a minimum, you need the following information to preconfigure your appliance:

• New password (initial setup requires changing the password)

• Hostname of the appliance

• Domain name of the appliance

• IP management address of the appliance

• Network mask of the appliance at the target location

• Default gateway of the appliance at the target location

• IP address of the DNS server at the staging location, or, if accessible, the target location

• IP address of the NTP server at the staging location, or, if accessible, the target location

Optional Preconfiguration Information

You can change some default configurations, including the following:

• The time zone (if you choose to manually set the time for your appliances)

• The remote storage location for automatic backups

• The LOM IP address to enable LOM

Preconfigure Time Management

Procedure

Step 1 Synchronize time to a physical NTP server.

Step 2 Set the IP addresses for the DNS and NTP servers using one of the following methods:

• If your network at the staging location can access the DNS and NTP servers at the target location, use the IP addresses for the DNS and NTP servers at the target location.

• If your network at the staging location cannot access the DNS and NTP servers at the target location, use the staging location information and reset at the target location.

Step 3 Use the time zone for the target deployment if you set the time on the appliance manually instead of using NTP. For more information, see the Firepower Management Center Configuration Guide for your version.


Install the System

Procedure

Step 1 Use the installation procedures described in Firepower Management Center Installation and Initial Setup, on page 5.

Step 2 For more information on installing the chassis, see the Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation Guide.

Prepare a Firepower Management Center for Shipment

Procedure

Step 1 Safely power down the FMC. For more information, see the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide.

Step 2 Ensure that your appliance is safely prepared for shipping. For more information, see Shipping Considerations, on page 50.

Delete a Classic License from a Firepower Management Center

Use the following procedure if you need to delete a license for any reason.

Before you begin

Keep in mind that because Cisco generates Classic licenses based on each FMC’s unique license key, you cannot delete a license from one FMC and reuse it on a different FMC. For more information, see “Licensing the Firepower System” in the Firepower Management Center Configuration Guide for your version.

Procedure

Step 1 Choose System > Licenses > Classic Licenses.

Step 2 Next to the license you want to delete, click the delete icon.

Deleting a license removes the licensed capability from all devices using that license. For example, if your Protection license is valid and enabled for 100 managed devices, deleting the license removes protection capabilities from all 100 devices.


Step 3 Confirm that you want to delete the license. The license is deleted.

Shipping Considerations

To prepare the appliance for shipment to the target location, you must safely power down and repackage the appliance. Keep in mind the following considerations:

• Use the original packaging to repack the appliance.

• Include all reference material and power cords with the appliance.

• Provide all setting and configuration information to the target location, including the new password and the detection mode.

Troubleshooting the Appliance Preconfiguration

If your appliance is correctly preconfigured for target deployment, you can install and deploy the FMC without further configuration.

If you have difficulty logging into the appliance, the preconfiguration may have an error. Try the following troubleshooting procedures:

• Confirm that all power cables and communication cables are connected properly to the appliance.

• Confirm that you have the current password for your appliance. The initial setup at the staging location prompts you to change your password. See the configuration information provided by the staging location for the new password.

• Confirm that the network settings are correct. For more information, see Firepower Management Center Installation and Initial Setup, on page 5.

• Confirm that the correct communication ports are functioning properly. For information on managing firewall ports and the required open ports, see the Firepower Management Center Configuration Guide.

If you continue to experience difficulty, contact your IT department.


CHAPTER 9

Erase the Hard Drive

You can securely erase the hard drive on a Firepower Management Center to ensure that its contents can no longer be accessed. For example, if you need to return a defective appliance that contains sensitive data, you can use this feature to overwrite the data on it.

• Erase the Hard Drive, on page 51

Erase the Hard Drive

This mode of erasing the disk meets the following military standard:

• The hard drive erase sequence is compliant with the DoD 5220.22-M procedure for sanitizing removable and non-removable rigid disks, which requires overwriting all addressable locations with a character, its complement, a random character, and then verification. See the DoD document for additional constraints.

Caution: Erasing your hard drive results in the loss of all data on the appliance, which is then rendered inoperable.

You can erase the hard drive using an option in the appliance's interactive menu. For more information, see The Restore Utility Menu, on page 27.

Procedure

Step 1 Follow the instructions in one of the following sections to display the restore utility’s interactive menu depending on how you are accessing the appliance:

• Start the Restore Utility Using KVM or Physical Serial Port, on page 30

• Start the Restore Utility Using Lights-Out Management, on page 31

Step 2 From the restore utility main menu, choose 8 Wipe Contents of Disk.

Step 3 When prompted, confirm that you want to erase the hard drive. The process may take several hours to complete; larger drives will take longer.
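The overwrite sequence described for this erase mode (a character, its complement, a random character, then verification) is shown below as an added Python example; it is not the restore utility's code. It runs on an in-memory buffer standing in for the drive, verifies after every pass, and the function names, the 0x55 starting character, the chunk size, and the FlakyMedium test double are assumptions.

```python
import secrets

CHUNK = 4096  # assumed write size for the example


class FlakyMedium(bytearray):
    """Constructed test double: one location silently ignores writes."""

    stuck_at = None  # index of the location that keeps its old value

    def __setitem__(self, key, value):
        if self.stuck_at is None:
            super().__setitem__(key, value)
            return
        keep = self[self.stuck_at]
        super().__setitem__(key, value)
        super().__setitem__(self.stuck_at, keep)  # the write did not take


def overwrite_pass(medium, value):
    """Write `value` to every addressable location, chunk by chunk."""
    pattern = bytes([value]) * CHUNK
    for offset in range(0, len(medium), CHUNK):
        length = min(CHUNK, len(medium) - offset)
        medium[offset:offset + length] = pattern[:length]


def verify_pass(medium, value):
    """Return the first offset that does not hold `value`, or None if all match."""
    for offset, byte in enumerate(medium):
        if byte != value:
            return offset
    return None


def sanitize(medium, character=0x55):
    """Run the three overwrite passes in order and verify each one.

    Returns the (label, value) pairs written; raises RuntimeError as soon as
    a location is found that does not hold the value just written.
    """
    written = []
    for label, value in (
        ("character", character),
        ("complement", character ^ 0xFF),      # bitwise complement of the character
        ("random", secrets.randbelow(256)),    # one random character, repeated
    ):
        overwrite_pass(medium, value)
        bad_offset = verify_pass(medium, value)
        if bad_offset is not None:
            raise RuntimeError(
                f"{label} pass failed verification at offset {bad_offset}")
        written.append((label, value))
    return written


if __name__ == "__main__":
    drive = bytearray(b"license-key " * 1000)  # constructed sample contents
    for label, value in sanitize(drive):
        print(f"{label:10s} 0x{value:02x} verified")
```
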
