Cisco Firepower management center 1000 User manual

Cisco Firepower Management Center 1000, 2500,

and 4500 Getting Started Guide

First Published: 2017-02-21

Last Modified: 2020-04-06

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started

Guide

The Firepower Management Center (FMC) 1000, 2500, and 4500 Getting Started Guide explains FMC

installation, login, setup, initial administrative settings, and configuration for your secure network. This

document also describes maintenance activities such as establishing alternative means of FMC access, adding

managed devices to the FMC, FMC factory reset, saving and loading configurations, erasing the hard drive,

and performing an appliance shutdown or restart.

In a typical deployment on a large network, you install multiple managed devices on network segments. Each

device controls, inspects, monitors, and analyzes traffic, and then reports to a managing FMC. The FMC

provides a centralized management console with a web interface that you can use to perform administrative,

management, analysis, and reporting tasks in service to securing your local network.

About the Firepower Management Center Models 1000, 2500, and 4500

The following topics provide information about front and rear panel features that you need to follow the

instructions in this document.

Physical Interfaces

The following figure illustrates the rear panel of the FMC 1000, and identifies ports you need to follow the

instructions in this document. For information on all the rear-panel ports, see the Cisco Firepower Management

Center 1000, 2500, and 4500 Hardware Installation Guide.

Figure 1: FMC 1000 Rear Panel

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Serial console port22 USB keyboard ports

You can connect a keyboard, and along with a

monitor on the VGA port, you can access the

console.

VGA interface

Console message are sent to this port by default.

4eth0 management interface (labeled "1")

Gigabit Ethernet 10/100/1000 Mbps interface,

RJ-45

eth0 is the default management interface.

You can use Lights-Out-Management (LOM) on the default management interface (eth0) on a Serial Over

LAN (SOL) connection to remotely monitor or manage the FMC system. For information about using LOM

and SOL, see Set Up Lights-Out Management, on page 41.

Note

The following figure illustrates the rear panel of the FMC 2500 and 4500, and identifies ports you need to

follow the instructions in this document. For information on all the rear-panel ports, see the Cisco Firepower

Management Center 1000, 2500, and 4500 Hardware Installation Guide.

Figure 2: FMC 2500 and 4500 Rear Panel

Serial console port22 USB keyboard ports

You can connect a keyboard, and along with a

monitor on the VGA port, you can access the

console.

VGA interface

Console message are sent to this port by default.

4eth0 management interface (labeled "1")

Gigabit Ethernet 10/100/1000 Mbps interface,

RJ-45

eth0 is the default management interface.

Front Panel LEDs and their States

The following figure illustrates the front panel of the FMC 1000, 2500, and 4500, identifies the LED lights,

and provides the information you need to determine appliance status based on the LEDs. The FMC 2500 has

four SAS drives, and the FMC 4500 has six SAS drives, each with the same drive fault and drive activity

LEDs as shown in the diagram. For information on all the front-panel features, see the Cisco Firepower

Management Center 1000, 2500, and 4500 Hardware Installation Guide.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Front Panel LEDs and their States

Figure 3: Front Panel LEDs, Buttons, and their States

Drive activity LED

• Off—There is no drive in the drive tray (no

access, no fault).

• Green—The drive is ready.

• Green, flashing—The drive is reading or

writing data.

2Drive fault LED

• Off—The drive is operating properly.

• Amber—Drive fault detected.

• Amber, flashing—The device is rebuilding.

• Amber, flashing in 1-second

intervals—Drive locate function activated.

Unit identification button/LED

• Off—The unit identification function is not

in use.

• Blue—The unit identification function is

activated.

4Power button/power status LED

• OFf—There is no AC power to the chassis.

• Amber—The chassis is in standby power

mode.

• Green—The chassis is in main power mode.

Power is supplied to all components.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Front Panel LEDs and their States

Fan status LED

• Green—All fans are operating properly.

• Amber—One or more fans breached the

critical threshold.

• Amber, flashing—One or more fans

breached the unrecoverable threshold.

6System status LED

• Green—The chassis is running in normal

operating condition.

• Green, flashing—The chassis is performing

system initialization and memory check.

• Amber—The chassis is in a degraded

operational state. For example:

• Power supply redundancy is lost.

• CPUs are mismatched.

• At least one CPU is faulty.

• At least one DIMM is faulty.

• At least one drive in a RAID

configuration failed.

•Amber, flashing—The chassis is in a critical

fault state. For example:

• Boot failed.

• Fatal CPU and/or bus error is detected.

• The chassis is in an over-temperature

condition.

Power supply status LED

• Green—All power supplies are operating

normally.

• Amber—One or more power supplies are in

a degraded operational state.

• Amber, flashing—One or more power

supplies are in a critical fault state.

8Temperature status LED

• Green—The chassis is operating at normal

temperature.

• Amber—One or more temperature sensors

breached the critical threshold.

• Amber, flashing—One or more temperature

sensors breached the unrecoverable

threshold.

Network link activity LED

• Off—The Ethernet link is idle.

• Green—One or more Ethernet ports are

link-active, but there is no activity.

•Green, flashing—One or more Ethernet ports

are link-active with activity.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Front Panel LEDs and their States

Related Documentation

For virtual devices, refer to the documentation for your virtual platform. For VMware in particular, custom

power options are part of VMware Tools.

Tip

Do not shut off the FMC using the power button; this may cause data loss. Using the web interface or shutdown

commands prepares the system to be safely powered off and restarted without losing configuration data.

Caution

Procedure

Step 1 Choose System >Configuration> Process

Step 2 Choose one of the following:

•Shutdown Management Center to initiate a graceful shutdown of the FMC.

•Reboot Management Center to shutdown and restart the FMC gracefully.

•Restart Management Center Console to restart the communications, database, and HTTP server

processes. This is typically used during troubleshooting, and may cause deleted hosts to reappear in the

network map.

Install the FMC for Versions 6.5 and Later

Follow these instructions to install an FMC that will run Firepower Versions 6.5 and later.

Review Network Deployment for Versions 6.5 and Later

To deploy the FMC you need information about the environment within which it will operate. The following

figure shows an example network configuration for a Firepower deployment.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Install the FMC for Versions 6.5 and Later

Figure 4: Example Network Deployment

By default the FMC connects to your local management network through its management interface (eth0).

Through this connection the FMC communicates with a management computer; managed devices; services

such as DHCP, DNS, NTP; and the internet.

The FMC requires internet access to support Smart Licensing, AMP (Advanced Malware Protection) and TID

(Threat Intelligence Director) services. Depending on services provided by your local management network,

the FMC may also require internet access to reach an NTP or DNS server. You can configure your network

to provide internet access to the FMC directly or through a firewall device.

You can upload updates for system software, as well as the Vulnerability Database (VDB), Geolocation

Database (GEoDB), and intrusion rules directly to the FMC from an internet connection or from a local

computer that has previously downloaded these updates from the internet.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Review Network Deployment for Versions 6.5 and Later

To establish the connection between the FMC and one of its managed devices, you need the IP address of at

least one of the devices: the FMC or the managed device. We recommend using both IP addresses if available.

However, you may only know one IP address. For example, managed devices may be using private addresses

behind NAT, so you only know the FMC address. In this case you can specify the FMC address on the managed

device plus a one-time, unique password of your choice called a NAT ID. On the FMC, you specify the same

NAT ID to identify the managed device.

The initial setup and configuration process described in this document assumes the FMC will have internet

access. If you are deploying an FMC in an air-gapped environment, see the Firepower Management Center

Configuration Guide for your version for alternative methods you can use to support certain features such as

configuring a proxy for HTTP communications, or using a Smart Software Satellite Server for Smart Licensing.

In a deployment where the FMC has internet access, you can upload updates for system software, as well as

the Vulnerability Database (VDB), Geolocation Database (GEoDB), and intrusion rules directly to the FMC

from an internet connection. But if the FMC does not have internet access, the FMC can upload these updates

from a local computer that has previously downloaded them from the internet. Additionally, in an air-gapped

deployment you might use the FMC to serve time to devices in your deployment.

Initial Network Configuration for FMCs Using Firepower Versions 6.5+:

• Management Interface

By default the FMC seeks out a local DHCP server for the IP address, network mask, and default gateway

to use for the management interface (eth0). If the FMC cannot reach a DHCP server, it uses the default

IPv4 address 192.168.45.45, netmask 255.255.255.0, and gateway 192.168.45.1. During initial setup

you can accept these defaults or specify different values.

If you choose to use IPv6 addressing for the management interface, you must configure this through the

web interface after completing the initial setup.

• DNS Server(s)

Specify the IP addresses for up to two DNS servers. If you are using an evaluation license you may

choose not to use DNS. (During initial configuration you can also provide a hostname and domain to

faciliate communications between the FMC and other hosts through DNS; you can configure additional

domains after completing intial setup.)

• NTP Server(s)

Synchronizing the system time on your FMC and its managed devices is essential to successful operation

of your Firepower System; setting FMC time synchronization is required during initial configuration.

You can accept the default (0.sourcefire.pool.ntp.org and 1.sourcefire.pool.ntp.org as the primary and

secondary NTP servers, respectively), or supply FQDNs or IP addresses for one or two trusted NTP

servers reachable from your network. (If you are not using DNS you may not use FQDNs to specify NTP

servers.)

End to End Procedure to Install the FMC for Versions 6.5 and Later

See the following tasks to deploy and configure an FMC that will run Firepower Versions 6.5 and later.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

End to End Procedure to Install the FMC for Versions 6.5 and Later

Review Network Deployment for Versions 6.5 and Later, on page 6Pre-Configuration

Connect Cables Turn On Power Verify Status for Versions 6.5 and Later, on

page 9

Pre-Configuration

Use one of the following:

•Perform Initial Setup at the Web Interface for Versions 6.5 and Later, on

page 12

•FMC Initial Setup Using the CLI for Versions 6.5 and Later, on page 15

Firepower

Management Center

Review Automatic Initial Configuration for Versions 6.5 and Later, on page

Firepower

Management Center

Configure FMC Administrative Settings, on page 29Firepower

Management Center

Add Managed Devices to the FMC, on page 38Firepower

Management Center

Connect Cables Turn On Power Verify Status for Versions 6.5 and Later

This procedure references the rear panel ports of the FMC 2500 and 4500. The FMC 1000 is the same except

that it does not have the two 10-G SFP+ ports above the Ethernet ports.

AC power supplies have internal grounding so no additional chassis grounding is required when the supported

AC power cords are used. For more information about supported power cords, see the Cisco Firepower

Management Center 1000, 2500, and 4500 Hardware Installation Guide.

After rack-mounting the chassis, follow these steps to connect cables, turn on power, and verify connectivity.

Use the following figure to identify the rear panel ports.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Connect Cables Turn On Power Verify Status for Versions 6.5 and Later

Figure 5: Cable Connections

(Models 2500 and 4500 only.)

eth3 management interface

10-Gigabit Ethernet SFP+ support

Use only Cisco-supported SFPs.

2(Models 2500 and 4500 only.)

eth2 management interface

10-Gigabit Ethernet SFP+ support

Use only Cisco-supported SFPs.

Serial console port

Use the console cable (RJ45 to DB9) to connect

a computer to the appliance.

4USB keyboard port3

eth1 management interface (labeled "2")

Gigabit Ethernet 10/100/1000 Mbps interface,

RJ-45

6eth0 management interface (labeled "1")

Gigabit Ethernet 10/100/1000 Mbps interface,

RJ-45

eth0 is the default management interface.

VGA port (DE-15 connector)

Console messages are sent to this port by default.

Before you begin

Read the Regulatory and Compliance Safety Information document before installing the FMC chassis.

Important

• Rack-mount the appliance as described in the Cisco Firepower Management Center 1000, 2500, and

4500 Hardware Installation Guide.

Procedure

Step 1 (Optional, applies only to models 2500 and 4500) eth2 management interface —If your model includes

10-Gigabit Ethernet SFP+ interfaces, install any FMC-supported SFP+ transceivers and cables as needed.

You can connect this interface to the same or different network from your other management interfaces

depending on your network needs. For more information about management interfaces and network topology,

see the Firepower Management Center Configuration Guide.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Connect Cables Turn On Power Verify Status for Versions 6.5 and Later

Each FMC-supported SFP+ transceiver (FS2K-NIC-SFP/FS4K-NIC-SFP) has an internal serial EEPROM

that is encoded with security information. This encoding allows us to identify and validate that the SFP

transceiver meets the requirements for the FMC chassis.

Only Cisco certified SFP+ transceivers are compatible with the 10-G interfaces. Cisco TAC may

refuse support for any interoperability problems that result from using an untested third-party SFP

transceiver.

Note

Step 2 (Optional, applies only to models 2500 and 4500) eth3 management interface —If your model includes

10-Gigabit Ethernet SFP+ interfaces, install any FMC-supported SFP+ transceivers and cables as needed.

You can connect this interface to the same or different network from your other management interfaces

depending on your network needs. For more information about management interfaces and network topology,

see the Firepower Management Center Configuration Guide.

Each FMC-supported SFP+ transceiver (FS2K-NIC-SFP/FS4K-NIC-SFP) has an internal serial EEPROM

that is encoded with security information. This encoding allows us to identify and validate that the SFP

transceiver meets the requirements for the FMC chassis.

Only Cisco certified SFP+ transceivers are compatible with the 10-G interfaces. Cisco TAC may

refuse support for any interoperability problems that result from using an untested third-party SFP

transceiver.

Note

Step 3 (Optional) USB port —Connect a keyboard to the USB port.

You can use this connection and a monitor connected to the VGA port to configure network settings and

perform initial setup at the CLI.

Step 4 (Optional) Use the RJ-45 to DP-9 console cable supplied with the appliance (Cisco part number 72-3383-XX)

to connect a local computer to the FMC serial port. You can use this connection for serial or Lights Out

Management access to the FMC; see Set Up Alternate FMC Access, on page 40.

Step 5 eth0 management interface (labeled "1" on the rear panel)— Using an Ethernet cable, connect the eth0 interface

to the default management network reachable from your management PC. This interface is the default

management interface and is enabled by default. Confirm that the link LED is on for both the network interface

on the local computer and the FMC management interface.

You can use this connection to configure network settings and perform initial setup using HTTPS. You can

also use this connection to perform routine management, and to manage devices from the FMC web interface.

Step 6 (Optional) eth1 management interface (labeled "2" on the rear panel)—Connect this management interface

to the same or different network from your other management interfaces depending on your network needs.

For information about management interfaces and network topology, see the Firepower Management Center

Configuration Guide for your version.

Step 7 (Optional) VGA port —Connect a monitor to the VGA port.

You can use this connection and a keyboard connected to a USB port to configure network settings and perform

initial setup at the CLI.

Step 8 Power supply—Use one of the supported power cords to connect the power supplies of the chassis to your

power source. For more information about supported power cords, see the Cisco Firepower Management

Center 1000, 2500, and 4500 Hardware Installation Guide.

Step 9 Power—Press the Power button on the front of the chassis, and verify that the front panel power status LED

is on.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Connect Cables Turn On Power Verify Status for Versions 6.5 and Later

Step 10 Verify— Use the diagram in Front Panel LEDs and their States, on page 2 to check that the front-panel

LEDs reflect a good status.

Perform Initial Setup at the Web Interface for Versions 6.5 and Later

If you have HTTPS access to the FMC IP address (either the address obtained from DHCP or the default

192.168.45.45), you can perform initial setup using HTTPS at the appliance web interface. If you need to

manually set the FMC IP address, see FMC Initial Setup Using the CLI for Versions 6.5 and Later, on page

15.

When you log into the FMC web interface for the first time, the FMC presents an Initial Configuration Wizard

to enable you to quickly and easily configure basic settings for the appliance. This wizard consists of three

screens and one pop-up dialog box:

•The first screen forces you to change the password for the admin user from the default value of Admin123.

• The second screen presents the End User License Agreement (EULA), which you are required to accept

before using the appliance.

• The third screen allows you to change network settings for the appliance management interface. This

page is prepopulated with current settings, which you may change.

If you are setting up an appliance after restoring it to factory defaults (see About the Restore Process, on

page 50) and you did not delete the appliance's license and network settings, the prompts will be

pre-populated with the retained values.

• The wizard performs validation on the values you enter on this screen to confirm the following:

• Syntactical correctness

• Compatibility of the entered values (for instance, compatible IP address and gateway, or DNS

provided when NTP servers are specified using FQDNs)

• Network connectivity between the FMC and the DNS and NTP servers

The wizard displays the results of these tests in real time on the screen, which allows you to make

corrections and test the viability of your configuration before clicking Finish at the bottom of the screen.

The NTP and DNS connectivity tests are nonblocking; you can click Finish before the wizard completes

the connectivity tests. If the system reports a connectivity problem after you click Finish, you cannot

change the settings in the wizard, but you can configure these connections using the web interface after

completing the initial setup.

The system does not perform connectivity testing if you enter configuration values that would result in

cutting off the existing connection between the FMC and the browser. In this case the wizard displays

no connectivity status information for DNS or NTP.

• After you have completed the three wizard screens, a pop-up dialog box appears that offers you the

opportunity to (optionally) quickly and easily set up Smart Licensing.

When you have completed the Initial Configuration Wizard and completed or dismissed the Smart Licensing

dialog, the system displays the device management page, described in “Device Management Basics” in the

Firepower Management Center Configuration Guide for your version.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Perform Initial Setup at the Web Interface for Versions 6.5 and Later

Before you begin

• Install the FMC as described in Connect Cables Turn On Power Verify Status for Versions 6.5 and Later,

on page 9.

• Be sure you have the following information needed for the FMC to communicate on your management

network:

• An IPv4 management IP address.

The FMC management interface is preconfigured to accept an IP4 address assigned by DHCP.

Consult with your system administrator to determine what IP address your DHCP has been configured

to assign to the FMC MAC address. In scenarios where no DHCP is available, the FMC management

interface uses the IPv4 address 192.168.45.45.

• A network mask and a default gateway (if not using DHCP).

• If you are not using DHCP, configure a local computer with the following network settings:

• IP address: 192.168.45.2

• Netmask: 255.255.255.0

• Default gateway: 192.168.45.1

Disable any other network connections on this computer.

Procedure

Step 1 Use a web browser to navigate to the FMC's IP address: https://<FMC-IP>.

The login page appears.

Step 2 Log into the FMC using admin as the username and Admin123 as the password for the admin account. (The

password is case-sensitive.)

Step 3 At the Change Password screen:

a) (Optional) Check the Show password check box to see the password while using this screen.

b) (Optional) Click the Generate Password button to have the system create a password for you that complies

with the listed criteria. (Generated passwords are nonmnemonic; take careful note of the password if you

choose this option.)

c) To set a password of your choosing, enter a new password in the New Password and Confirm Password

text boxes.

The password must comply with the criteria listed in the dialog.

The FMC compares your password against a password cracking dictionary that checks not only

for many English dictionary words but also other character strings that could be easily cracked

with common password hacking techniques. For example, the initial configuration script may

reject passwords such as "abcdefg" or "passw0rd".

Note

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Perform Initial Setup at the Web Interface for Versions 6.5 and Later

On completion of the initial configuration process the system sets the passwords for the two

admin accounts (one for web access and the other for CLI access) to the same value. The

password must comply with the strong password requirements described in the Firepower

Management Center Configuration Guide for your version. If you change the password for

either admin account thereafter, they will no longer be the same, and the strong password

requirement can be removed from the web interface admin account.

Note

d) Click Next.

Once you click Next on the Change Password screen and the wizard has accepted the new admin

password, that password is in effect for both the web interface and CLI admin accounts even if you do

not complete the remaining wizard activities.

Step 4 At the User Agreement screen, read the EULA and click Accept to proceed.

If you click Decline the wizard logs you out of the FMC.

Step 5 Click Next.

Step 6 At the Change Network Settings screen:

a) Enter a Fully Qualified Domain Name. If default value is shown, you may use that if it is compatible

with your network configuration. Otherwise, enter a fully qualified domain name (syntax

<hostname>.<domain>) or hostname.

b) Choose the boot protocol for the Configure IPv4 option, either Using DHCP or Using Static/Manual.

c) Accept the displayed value, if one is shown, for IPv4 Address or enter a new value. Use dotted decimal

form (for example, 192.168.45.45).

If you change the IP address during initial configuration, you need to reconnect to the FMC

using the new network information.

Note

d) Accept the displayed value, if one is shown, for Network Mask or enter a new value. Use dotted decimal

form (for example, 255.255.0.0).

If you change the network mask during initial configuration, you need to reconnect to the FMC

using the new network information.

Note

e) You can accept the displayed value, if one is shown, for Gateway or enter a new default gateway. Use

dotted decimal form (for example, 192.168.0.1).

If you change the gateway address during initial configuration, you may need to reconnect to

the FMC using the new network information.

Note

f) (Optional) For DNS Group you can accept the default value, Cisco Umbrella DNS.

To change the DNS settings, choose Custom DNS Servers from the drop-down list, and enter IPv4

addresses for the Primary DNS and Secondary DNS. If your FMC does not have internet access you

cannot use a DNS outside of your local network. Configure no DNS Server by choosing Custom DNS

Servers from the drop-down list and leaving the Primary DNS and Secondary DNS fields blank.

If you use FQDNs rather than IP addresses to specify NTP servers, you must specify DNS at

this time. If you are using an evaluation license DNS is optional, but DNS is required to use

permanent licenses for your deployment.

Note

g) For NTP Group Servers you can accept the default value, Default NTP Servers. In this case the system

uses 0.sourcefire.pool.ntp.org as the primary NTP server, and 1.sourcefire.pool.ntp.org as the secondary

NTP server.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Perform Initial Setup at the Web Interface for Versions 6.5 and Later

To configure other NTP servers, choose Custom NTP Group Servers from the drop-down list and enter

the FQDNs or IP addresses of one or two NTP servers reachable from your network. If your FMC does

not have internet access you cannot use an NTP server outside of your local network.

If you change network settings during initial configuration, you need to reconnect to the FMC using

the new network information.

Note

Step 7 Click Finish.

The wizard performs validation on the values you enter on this screen to confirm syntactical correctness,

compatibility of the entered values, and network connectivity between the FMC and the DNS and NTP servers.

If the system reports a connectivity problem after you click Finish, you cannot change the settings in the

wizard, but you can configure these connections using the FMC web interface after completing the initial

setup.

What to do next

• If you changed network settings during initial configuration, you need to reconnect to the FMC using

the new network information.

• The system displays a pop-up dialog box that offers you the opportunity to quickly and easily set up

Smart Licensing. Using this dialog box is optional; if your FMC will be managing Firepower Threat

Defense devices and you are familiar with Smart Licensing, use this dialog. Otherwise dismiss this dialog

and refer to ”Licensing the Firepower System” in the Firepower Management Center Configuration

Guide for your version.

• Review the weekly maintenance activites the FMC configures automatically as a part of the initial

configuration process. These activities are designed to keep your system up-to-date and your data backed

up. See Review Automatic Initial Configuration for Versions 6.5 and Later, on page 18 .

• When you have completed the Initial Configuration Wizard and completed or dismissed the Smart

Licensing dialog, the system displays the device management page, described in the Firepower

Management Center Configuration Guide. Establish basic configuration for your FMC as described in

Configure FMC Administrative Settings, on page 29.

• You can configure the FMC for IPv6 addressing after completing the initial setup using the web interface

as described in the Firepower Management Center Configuration Guide for your version.

•You can optionally configure the FMC for Serial over LAN or Lights-Out-Management access as described

in Set Up Alternate FMC Access, on page 40.

FMC Initial Setup Using the CLI for Versions 6.5 and Later

You can perform initial setup using the CLI as an alternative to using the web interface. You must complete

an Initial Configuration Wizard that configures the new appliance to communicate on your trusted management

network. The wizard requires that you accept the end user license agreement (EULA) and change the

administrator password.

Before you begin

• Install the FMC as described in Connect Cables Turn On Power Verify Status for Versions 6.5 and Later,

on page 9.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

FMC Initial Setup Using the CLI for Versions 6.5 and Later

• Be sure you have the following information needed for the FMC to communicate on your management

network:

• An IPv4 management IP address.

The FMC management interface is preconfigured to accept an IP4 address assigned by DHCP.

Consult with your system administrator to determine what IP address your DHCP has been configured

to assign to the FMC MAC address. In scenarios where no DHCP is available, the FMC management

interface uses the IPv4 address 192.168.45.45.

• A network mask and a default gateway (if not using DHCP).

• Connect to the FMC using one of three methods:

• Establish an SSH connection using the IPv4 management IP address.

• Connect a USB keyboard and VGA monitor to the FMC for console access.

• Connect a local computer to the FMC serial port with an RJ-45 to DP-9 console cable.

Use SSH to connect to the FMC using the IPv4 management IP address.

Procedure

Step 1 Log into the FMC at the console using admin as the username and Admin123 as the password for the admin

account. Note that the password is case-sensitive.

Step 2 When prompted, press Enter to display the End User License Agreement (EULA).

Step 3 Review the EULA. When prompted, enter yes,YES, or press Enter to accept the EULA.

You cannot proceed without accepting the EULA. If you respond with anything other than yes,

YES, or Enter, the system logs you out.

Important

Step 4 To ensure system security and privacy, the first time you log in to the FMC you are required to change the

admin password. When the system prompts for a new password, enter a new password complying with the

restrictions displayed, and enter the same password again when the system prompts for confirmation.

The FMC compares your password against a password cracking dictionary that checks not only for

many English dictionary words but also other character strings that could be easily cracked with

common password hacking techniques. For example, the initial configuration script may reject

passwords such as "abcdefg" or "passw0rd".

Note

On completion of the initial configuration process the system sets the passwords for the two admin

accounts (one for web access and the other for CLI access) to the same value, complying with the

strong password requirements described in the Firepower Management Center Configuration Guide

for your version. If you change the password for either admin account thereafter, they will no longer

be the same, and the strong password requirement can be removed from the web interface admin

account.

Note

Step 5 Answer the prompts to configure network settings.

When following the prompts, for multiple-choice questions, your options are listed in parentheses, such as

(y/n). Defaults are listed in square brackets, such as [y]. Note the following when responding to prompts:

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

FMC Initial Setup Using the CLI for Versions 6.5 and Later

• If you are setting up an appliance after restoring it to factory defaults (see About the Restore Process, on

page 50) and you did not delete the appliance's license and network settings, the prompts will be

pre-populated with the retained values.

• Press Enter to accept the default.

• For hostname, supply a fully qualified domain name (<hostname>.<domain>) or host name. This field

is required.

• If you choose to configure IPv4 manually, the system prompts for IPv4 address, netmask, and default

gateway. If you choose DHCP, the system uses DHCP to assign these values. If you choose not to use

DHCP, you must supply values for these fields; use standard dotted decimal notation.

• Configuring a DNS server is optional; to specify no DNS server enter none. Otherwise specify IPv4

addresses for one or two DNS servers. If you specify two addresses, separate them with a comma. (If

you specify more than two DNS servers, the system ignores the additional entries.) If your FMC does

not have internet access you cannot use a DNS outside of your local network.

If you are using an evaluation license, specifying DNS is optional at this time, but DNS is

required to use permanent licenses for your deployment.

Note

• You must enter the fully qualified domain name or IP address for at least one NTP server reachable from

your network. (You may not specify FQDNs for NTP servers if you are not using DHCP.) You may

specify two servers (a primary and a secondary); separate their information with a comma. (If you specify

more than two DNS servers, the system ignores the additional entries.) If your FMC does not have internet

access you cannot use an NTP server outside of your local network.

Example:

Enter a hostname or fully qualified domain name for this system [firepower]: fmc

Configure IPv4 via DHCP or manually? (dhcp/manual) [DHCP]: manual

Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.0.66

Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.224

Enter the IPv4 default gateway for the management interface [ ]: 10.10.0.65

Enter a comma-separated list of DNS servers or 'none' [CiscoUmbrella]:

208.67.222.222,208.67.220.220

Enter a comma-separated list of NTP servers [0.sourcefire.pool.ntp.org,

1.sourcefire.pool.ntp.org]:

Step 6 The system displays a summary of your configuration selections. Review the settings you have entered.

Example:

Hostname: fmc

IPv4 configured via: manual configuration

Management interface IPv4 address: 10.10.0.66

Management interface IPv4 netmask: 255.255.255.224

Management interface IPv4 gateway: 10.10.0.65

DNS servers: 208.67.222.222,208.67.220.220

NTP servers: 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org

Step 7 The final prompt gives you the opportunity to confirm the settings.

• If the settings are correct, enter yand press Enter to accept the settings and continue.

• If the settings are incorrect, enter nand press Enter. The system prompts for the information again,

beginning with hostname.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

FMC Initial Setup Using the CLI for Versions 6.5 and Later

Example:

Are these settings correct? (y/n) y

If your networking information has changed, you will need to reconnect.

Updated network configuration.

Step 8 After you have accepted the settings, you can enter exit to exit the FMC CLI.

What to do next

• You can connect to the FMC web interface using the network information you have just configured.

• Review the weekly maintenance activites the FMC configures automatically as a part of the initial

configuration process. These activities are designed to keep your system up-to-date and your data backed

up. See Review Automatic Initial Configuration for Versions 6.5 and Later, on page 18 .

• You can configure the FMC for IPv6 addressing after completing the initial setup using the web interface

as described in the Firepower Management Center Configuration Guide for your version.

•You can optionally configure the FMC for Serial over LAN or Lights-Out-Management access as described

in Set Up Alternate FMC Access, on page 40.

Review Automatic Initial Configuration for Versions 6.5 and Later

As a part of initial configuration (whether performed through the Initial Configuration Wizard or through the

CLI), the FMC automatically configures maintenance tasks to keep your system up-to-date and your data

backed up.

These tasks are scheduled in UTC, which means that when they occur locally depends on the date and your

specific location. Also, because tasks are scheduled in UTC, they do not adjust for daylight saving time,

summer time, or any such seasonal adjustments that you may observe in your location. If you are affected,

scheduled tasks occur one hour "later" in the summer than in the winter, according to local time.

We strongly recommend you review the auto scheduled configurations, confirm that the FMC has established

them successfully, and adjust them if necessary.

Note

• Weekly GeoDB Updates

The FMC automatically schedules GeoDB updates to occur each week at the same randomly selected

time. You can observe the status of this update using the web interface Message Center. You can see the

configuration for this automatic update in the web interface under System >Updates >Geolocation

Updates>Recurring Geolocation Updates. If the system fails to configure the update and your FMC

has internet access, we recommend you configure regular GeoDB updates as described in the Firepower

Management Center Configuration Guide for your version.

• Weekly FMC Software Updates

The FMC automatically schedules a weekly task to download the latest software for the FMC and its

managed devices. This task is scheduled to occur between 2 and 3 AM UTC on Sunday mornings;

depending on the date and your specific location this can occur any time from Saturday afternoon to

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Review Automatic Initial Configuration for Versions 6.5 and Later

Sunday afternoon local time. You can observe the status of this task using the web interface Message

Center. You can see the configuration for this task in the web interface under System >Tools >

Scheduling. If the task scheduling fails and your FMC has internet access, we recommend you schedule

a recurring task for downloading software updates as described in the Firepower Management Center

Configuration Guide for your version.

This task only downloads software patch and hotfix updates for the version your appliances are currently

running; it it your responsibility to install any updates this task downloads. See the Cisco Firepower

Management Center Upgrade Guide for more information.

• Weekly FMC Configuration Backup

The FMC automatically schedules a weekly task to perform a locally-stored configuration-only backup

at 2 AM UTC on Monday mornings; depending on the date and your specific location this can occur any

time from Saturday afternoon to Sunday afternoon local time. You can observe the status of this task

using the web interface Message Center. You can see the configuration for this task in the web interface

under System >Tools >Scheduling. If the task scheduling fails, we recommend you schedule a recurring

task to perform backups as described in the Firepower Management Center Configuration Guide for

your version.

• Vulnerability Database Update

In Versions 6.6+, the FMC downloads and installs the latest vulnerability database (VDB) update from

the Cisco support site. This is a one-time operation. You can observe the status of this update using the

web interface Message Center. To keep your system up to date, if your FMC has internet access, we

recommend you schedule tasks to perform automatic recurring VDB update downloads and installations

as described in the Firepower Management Center Configuration Guide for your version.

• Daily Intrusion Rule Update

In Versions 6.6+, the FMC configures a daily automatic intrusion rule update from the Cisco support

site. The FMC deploys automatic intrusion rule upates to affected managed devices when it next deploys

affected policies. You can observe the status of this task using the web interface Message Center. You

can see the configuration for this task in the web interface under System >Updates >Rule Updates. If

configuring the update fails and your FMC has internet access, we recommend you configure regular

intrusion rule updates as described in the Firepower Management Center Configuration Guide for your

version.

Install the FMC for Software Versions 6.2 - 6.4

Follow these instructions to install an FMC that will run Firepower Versions 6.2 - 6.4.

Review Network Deployment for Versions 6.2-6.4

To deploy the FMC you need information about the environment within which it will operate. The following

figure shows an example network configuration for a Firepower deployment.

Cisco Firepower Management Center 1000, 2500, and 4500 Getting Started Guide

Install the FMC for Software Versions 6.2 - 6.4

Figure 6: Example Network Deployment