Cisco Firepower Management Center 1600 Getting Started Manual

Cisco Firepower Management Center 1600, 2600,
and 4600 Getting Started Guide
First Published: 2019-06-26
Last Modified: 2021-02-19
The Firepower Management Center (FMC) 1600, 2600, and 4600 Getting Started Guide explains FMC
installation, login, setup, initial administrative settings, and configuration for your secure network. This
document also describes maintenance activities such as establishing alternative means of FMC access, adding
managed devices to the FMC, FMC factory reset, saving and loading configurations, erasing the hard drive,
and performing an appliance shutdown or restart.
In a typical deployment on a large network, you install multiple managed devices on network segments. Each
device controls, inspects, monitors, and analyzes traffic, and then reports to a managing FMC. The FMC
provides a centralized management console with a web interface that you can use to perform administrative,
management, analysis, and reporting tasks in service to securing your local network.
About the Firepower Management Center Models 1600, 2600, and 4600
The following topics provide information about front and rear panel features that you need to follow the
instructions in this document.
Rear Panel Features
The following figure illustrates the rear panel of the FMC 1600, 2600, and 4600. For more information on
the rear-panel features, see the Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation
Guide.
Figure 1: Rear Panel

Summary of Contents for Cisco Firepower Management Center 1600

  • Page 1 The following figure illustrates the rear panel of the FMC 1600, 2600, and 4600. For more information on the rear-panel features, see the Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation Guide. Figure 1: Rear Panel Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide...
  • Page 2 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Front Panel LEDs and their States USB 3.0 Type A (USB 1) USB 3.0 Type A (USB 2) You can connect a keyboard, and along with a You can connect a keyboard, and along with a...
  • Page 3 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Front Panel LEDs and their States Figure 2: Front Panel LEDs and their States Drive fault LED: Drive activity LED: • Off—The drive is operating properly. • Off—There is no drive in the drive tray (no access, no fault).
  • Page 4 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Front Panel LEDs and their States System status LED: Power supply status LED: • Green—The chassis is running in normal • Green—All power supplies are operating operating condition. normally.
  • Page 5 Accessing the FMC CLI or the Linux shell requires a different sequence of steps depending on what Firepower version the FMC is running. Caution We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the user documentation. Before you begin Establish a direct physical connection with the FMC using the serial port, a keyboard and monitor, or establish an SSH session with the FMC's management interface.
  • Page 6 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Install the FMC for Versions 6.5 and Later Caution Do not shut off the FMC using the power button; this may cause data loss. Using the web interface or shutdown commands prepares the system to be safely powered off and restarted without losing configuration data.
  • Page 7 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Review Network Deployment for Versions 6.5 and Later Figure 3: Example Network Deployment By default the FMC connects to your local management network through its management interface (eth0). Through this connection the FMC communicates with a management computer; managed devices; services such as DHCP, DNS, NTP;...
  • Page 8 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide End to End Procedure to Install the FMC for Versions 6.5 and Later To establish the connection between the FMC and one of its managed devices, you need the IP address of at least one of the devices: the FMC or the managed device.
  • Page 9 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Connect Cables Turn On Power Verify Status for Versions 6.5 and Later Pre-Configuration Review Network Deployment for Versions 6.5 and Later, on page 6 Pre-Configuration Connect Cables Turn On Power Verify Status for Versions 6.5 and Later, on...
  • Page 10 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Connect Cables Turn On Power Verify Status for Versions 6.5 and Later • Connect a local computer to the FMC serial port as described in Step 7. (To use this connection see Up Serial Access, on page 39.)
  • Page 11 Setup Using the CLI for Versions 6.5 and Later, on page Step 7 (Optional) Use the RJ-45 to DB-9 console cable supplied with the appliance (Cisco part number 72-3383-XX) to connect a local computer to the FMC serial port. (You may need a DB-9-to-USB adaptor to connect to the local computer.) You can use this connection for serial access (see...
  • Page 12 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Perform Initial Setup at the Web Interface for Versions 6.5 and Later Perform Initial Setup at the Web Interface for Versions 6.5 and Later If you have HTTPS access to the FMC IP address (either the address obtained from DHCP or the default 192.168.45.45), you can perform initial setup using HTTPS at the appliance web interface.
  • Page 13 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Perform Initial Setup at the Web Interface for Versions 6.5 and Later • An IPv4 management IP address. The FMC management interface is preconfigured to accept an IPv4 address assigned by DHCP.
  • Page 14 Note the FMC using the new network information. f) (Optional) For DNS Group you can accept the default value, Cisco Umbrella DNS. To change the DNS settings, choose Custom DNS Servers from the drop-down list, and enter IPv4 addresses for the Primary DNS and Secondary DNS. If your FMC does not have internet access you cannot use a DNS outside of your local network.
  • Page 15 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide FMC Initial Setup Using the CLI for Versions 6.5 and Later The wizard performs validation on the values you enter on this screen to confirm syntactical correctness, compatibility of the entered values, and network connectivity between the FMC and the DNS and NTP servers.
  • Page 16 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide FMC Initial Setup Using the CLI for Versions 6.5 and Later • A network mask and a default gateway (if not using DHCP). • Connect to the FMC using one of three methods: •...
  • Page 17 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide FMC Initial Setup Using the CLI for Versions 6.5 and Later • If you choose to configure IPv4 manually, the system prompts for IPv4 address, netmask, and default gateway. If you choose DHCP, the system uses DHCP to assign these values. If you choose not to use DHCP, you must supply values for these fields;...
  • Page 18 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Review Automatic Initial Configuration for Versions 6.5 and Later Step 8 After you have accepted the settings, you can enter exit to exit the FMC CLI. What to do next •...
  • Page 19 In Versions 6.6+, the FMC downloads and installs the latest vulnerability database (VDB) update from the Cisco support site. This is a one-time operation. You can observe the status of this update using the web interface Message Center. To keep your system up to date, if your FMC has internet access, we...
  • Page 20 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Review Network Deployment for Versions 6.3-6.4 Figure 5: Example Network Deployment By default the FMC connects to your local management network through its management interface (eth0). Through this connection the FMC communicates with a management computer; managed devices; services such as DHCP, DNS, NTP;...
  • Page 21 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide End to End Procedure to Install an FMC to Run Software Versions 6.3 - 6.4 To establish the connection between the FMC and one of its managed devices, you need the IP address of at least one of the devices: the FMC or the managed device.
  • Page 22 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Connect Cables Turn On Power Verify Status for Versions 6.3 - 6.4 Pre-Configuration Review Network Deployment for Versions 6.3-6.4, on page 19 Pre-Configuration Connect Cables Turn On Power Verify Status for Versions 6.3 - 6.4, on page...
  • Page 23: Management Center

    Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Connect Cables Turn On Power Verify Status for Versions 6.3 - 6.4 • Connect the FMC CIMC port to a local network reachable from a local computer where you will run an IPMI utility for Lights-Out Management, as described in Step 8.
  • Page 24 6.3 - 6.4, on page Step 7 (Optional) Use the RJ-45 to DB-9 console cable supplied with the appliance (Cisco part number 72-3383-XX) to connect a local computer to the FMC serial port. (You may need a DB-9-to-USB adaptor to connect to the local computer.) You can use this connection for serial access (see...
  • Page 25 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide (Optional) Configure Network Settings Using a Physical Connection for Software Versions 6.3 - 6.4 (Optional) Configure Network Settings Using a Physical Connection for Software Versions 6.3 - 6.4 You can use a USB keyboard and VGA monitor connected directly to the appliance to access the Linux shell and run a script to establish the network configuration for the appliance.
  • Page 26 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide FMC Initial Setup Using the Web Interface for Software Versions 6.3 - 6.4 Step 2 Log in using admin as the username and Admin123 as the password. (The password is case-sensitive.) Step 3 In the Change Password section of the Setup page, change the password for the admin accounts.
  • Page 27 Configure Classic Licensing, on page • For FTD physical and virtual devices, you must use Smart Licenses. If you plan to manage devices that use Cisco Smart Software Licensing, you must add smart licenses after completing initial setup, as described in...
  • Page 28 Before you begin Before you add a classic license to the FMC, make sure you have the Product Authorization Key (PAK) provided by Cisco when you purchased the license. If you have a legacy, pre-Cisco license, contact Cisco TAC. Procedure Step 1 Obtain the License Key for your chassis from the License Settings section on the Initial Setup page.
  • Page 29: Configure FMC Administrative Settings

    Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Configure FMC Administrative Settings Step 4 Paste the license or licenses in the validation box and click Add/Verify. Configure FMC Administrative Settings After you complete the initial setup process for an FMC and verify its success, we recommend that you complete various administrative tasks that make your deployment easier to manage.
  • Page 30 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Configure Time Settings The system includes ten predefined user roles designed for a variety of administrators and analysts using the web interface. Creating a separate account for each person who uses the system allows your organization not only to audit actions and changes made by each user, but also to limit each person’s associated user access...
  • Page 31 Versions 6.3 - 6.4. For Firepower Versions 6.3 - 6.4: Add Smart licenses after completing initial setup. For each license: • Obtain a product license registration token for Smart Licensing from the Cisco Smart Software Manager (CSSM). Consult the...
  • Page 32 Decide whether to send usage data to Cisco. • Enable Cisco Success Network is enabled by default. You can click sample data to see the kind of data Cisco collects. To help you make your decision, read the Cisco Success Network information block.
  • Page 33 Note • When enabled, Cisco Support Diagnostics is enabled in the FTD devices in the next sync cycle. The FMC sync with the FTD runs once every 30 minutes. • When enabled, any new FTD registered in this FMC in the future will have Cisco Support Diagnostics enabled on it automatically. Step 4 Click Apply Changes.
  • Page 34 Generate a Classic License and Add it to the Firepower Management Center Before you begin • Confirm you have access to the Cisco Product License Registration Portal at https://cisco.com/go/license. • Review the information about types of Classic licenses in the...
  • Page 35 Schedule Weekly GeoDB Updates The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) and connection-related data (such as Internet service provider, domain name, connection type) associated with routable IP addresses.
  • Page 36 FMC, and then implement by deploying the changed configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules. Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. Before you begin Make sure the FMC can access the internet.
  • Page 37 Use these instructions to schedule regular automatic downloads and installations of the latest VDB update. The Cisco Talos Intelligence Group (Talos) issues periodic VDB updates no more than once daily. We strongly recommend you always maintain the latest VDB update on your FMC.
  • Page 38: Add Managed Devices to the FMC

    Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Add Managed Devices to the FMC Step 4 Type a Job Name, and next to Update Items, check the Vulnerability Database check box. Step 5 Click Save. Step 6 Select System >...
  • Page 39 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Set Up Alternate FMC Access In a NAT environment, you may not need to specify the IP address or hostname of the device, if you already specified the IP address or hostname of the FMC when you configured the device to be managed by the FMC.
  • Page 40 Locate the serial port on the FMC rear panel, item 4 in the diagram below. Step 2 Use the RJ-45 to DB-9 console cable supplied with the appliance (Cisco part number 72-3383-XX) to connect a local computer to the FMC serial port. Step 3 Use terminal emulation software (such as HyperTerminal or XModem) on the local computer to interact with the FMC.
  • Page 41: Connect Cables Turn On Power Verify Status For Versions 6.3 - 6.4

    Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide IPMI Utility Installation Before you begin • Install an Intelligent Platform Management Interface (IPMI) utility on your local computer. See IPMI Utility Installation, on page 41 for more information.
  • Page 42 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Enable Lights-Out Management IPMItool (Linux/Mac) ipmiutil (Windows) Description -U username -U username Specifies the username of an authorized LOM account. n/a (prompted on login) -P password For ipmiutil only, specifies the password for an authorized LOM account.
  • Page 43 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Enable Lights-Out Management Users Note The LOM IP address must be different from and in the same subnet as the FMC management interface IP address. • Enter the Netmask for the system.
  • Page 44 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Use the Shell to Redirect the Console Output Before you begin Complete the initial setup process appropriate to your Firepower version: • For Firepower Versions 6.5 and later see Install the FMC for Versions 6.5 and Later, on page...
  • Page 45 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Preconfigure FMCs Preconfigure FMCs You can preconfigure your FMC at a staging location (a central location to preconfigure or stage multiple appliances) to be deployed at a target location (any location other than the staging location).
  • Page 46 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Preconfigure Time Management • The time zone (if you choose to manually set the time for your appliances) • The remote storage location for automatic backups • The LOM IP address to enable LOM...
  • Page 47 Utility The FMC provides a system restore utility that you can use to perform a number of maintenance functions: • Restore an FMC to factory settings using an ISO image Cisco provides on its Support Site. See About the Restore Process, on page...
  • Page 48 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide The Restore Utility Menu • Save a set of FMC configurations, or load previously saved FMC configurations. See Save and Load Firepower Management Center Configurations, on page 59 • Securely scrub the FMC hard drive to ensure that its contents can no longer be accessed. See...
  • Page 49 About the Restore Process The ISO image you use to restore an appliance depends on when Cisco introduced support for that appliance model. Unless the ISO image was released with a minor version to accommodate a new appliance model, ISO images are usually associated with major versions of the system software (for example, 6.1 or 6.2).
  • Page 50 Restore a Firepower Management Center to its Factory Defaults • Serial Connection/Laptop—You can use the RJ-45 to DB-9 console cable supplied with the appliance (Cisco part number 72-3383-XX) to connect a computer to the appliance. Refer to the figure at Rear Panel Features, on page 1 to identify the serial port.
  • Page 51 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Restore a Firepower Management Center to its Factory Defaults Caution When restoring a device to factory settings using LOM, if you do not have physical access to the appliance and you delete the license and network settings, you will be unable to access the appliance after the restore.
  • Page 52 Obtain the Restore ISO and Update Files • If you deregistered the FMC from the Cisco Smart Software Manager, register the appliance to the Cisco Smart Software Manager. Choose System > Licenses > Smart Licenses and click the register icon.
  • Page 53 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Start the Restore Utility Using KVM or Physical Serial Port Start the Restore Utility Using KVM or Physical Serial Port For FMCs, Cisco provides a restore utility on an internal flash drive.
  • Page 54 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Start the Restore Utility Using Lights-Out Management Caution When restoring a device to factory settings using LOM, if you do not have physical access to the appliance and you delete the license and network settings, you will be unable to access the appliance after the restore.
  • Page 55 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Identify the Appliance's Management Interface Identify the Appliance's Management Interface The first step in running the restore utility is to identify the management interface on the appliance you want to restore, so that the appliance can communicate with the server where you copied the ISO and any update files.
  • Page 56 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Restore Files Download Configuration If your information was correct, the appliance connects to the server and displays a list of the Cisco ISO images in the location you specified.
  • Page 57 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Download the ISO and Update Files and Mount the Image If you choose not to update the appliance during the restore process, you can update later using the system’s web interface.
  • Page 58 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Install the New System Software Version Note If you are restoring an appliance to the same major version, or if this is your second pass through the process, do not use these instructions; see...
  • Page 59 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Save and Load Firepower Management Center Configurations page 57. (If you are performing the two-pass restore process, this will be the second time you download and mount the ISO image.)
  • Page 60 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Save a Firepower Management Center Configuration The system does not save SCP passwords. If the configuration specifies that the utility must use SCP to transfer ISO and other files to the appliance, you must re-authenticate to the server to complete the restore process.
  • Page 61 Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide Erase the Hard Drive What to do next To use the configuration you just loaded to restore the system, continue with Step 7 of Restore a Firepower Management Center to its Factory Defaults, on page Erase the Hard Drive You can securely erase the hard drive on an FMC to ensure that its contents can no longer be accessed.
  • Page 62 Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html.