Cisco Firepower Management Center 750 User manual
Cisco Systems, Inc. www.cisco.com
Cisco Firepower Management Center Getting Started Guide 1
Cisco Firepower Management Center 750,
1500, 2000, 3500, and 4000 Getting
Started Guide
Updated: April 6, 2020
This guide is organized as follows:
Package Contents
License Requirements
Installation and Initial Setup for Versions 6.5+
Installation and Initial Setup for Versions 5.4 - 6.4.x
Administration Recommendations
Redirecting Console Output
Setting Up Lights-Out Management
Restoring a Firepower Management Center to Factory Defaults
Preconfiguring Firepower Management Centers
Scrubbing the Hard Drive
Related Documentation
Package Contents
This section lists the items included with each model. Note that contents are subject to change, and your exact contents
might contain additional or fewer items.
Chassis Models
Firepower Management Center 750 (1U model). The following illustration of the rear of the chassis indicates
the location of the management interface on a MC750.
Figure 1 MC750 Chassis and Management Interface
1Management interface
Package Contents
Cisco Firepower Management Center Getting Started Guide 2
Firepower Management Center 1500 (1U model). The following illustration of the rear of the chassis indicates
the location of the management interface on a MC1500.
Figure 2 MC1500 Chassis and Management Interface
Firepower Management Center 3500 (1U model). The following illustration of the rear of the chassis indicates
the location of the management interface on a MC3500.
Figure 3 MC3500 Chassis and Management Interface
Firepower Management Center 2000/4000 (1U model). The following illustration of the rear of the chassis
indicates the location of the management interface.
Figure 4 MC2000 and MC4000
Included Items
One power cord per power supply.
One straight-through Cat 5e Ethernet cables per chassis.
One rack-mounting kit per chassis.
1Management interface
1Management interface
1Management interface
License Requirements
Cisco Firepower Management Center Getting Started Guide 3
License Requirements
You can license a variety of features to create an optimal Firepower System deployment for your organization. You
use the Firepower Management Center to manage licenses for itself and the devices it manages. The license types
offered by the Firepower System depend upon the type of device you want to manage:
Classic Licenses
For 7000 and 8000 Series, ASA FirePOWER, and NGIPSv devices, you must use Classic Licenses. Devices that
use Classic Licenses are sometimes referred to as Classic devices.
If your FMC is using a Firepower Version previous to 6.5: Cisco recommends that you use the initial setup page
to add the classic licenses your organization has purchased; see License Settings, page 15. If you do not add
classic licenses during initial setup, any devices you register during initial setup are added to the Management
Center as unlicensed; you must license each of them individually after the initial setup process is over. Note that
if you are setting up a reimaged appliance and you kept your license settings as part of the restore process, this
section of the initial setup page may be prepopulated.
If your FMC is using Firepower Version 6.5+: You must add classic licenses for managed devices after completing
the Initial Configuration Wizard. You can assign licenses to managed devices when you register them to the
Firepower Management Center, or after you have registered them to the Firepower Management Center.
Smart Licenses
For Firepower Threat Defense physical and virtual devices, you must use Smart Licenses.
Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key
(PAK) licenses, smart licenses are not tied to a specific serial number or license key. Smart licensing lets you
assess your license usage and needs at a glance.
Refer to the Firepower Management Center Configuration Guide for information about Classic Licenses and Smart
Licenses, the types of licenses for each class, and how to manage the licenses across your deployment.
Accessing the CLI or the Linux Shell on the FMC
Accessing the FMC CLI or the Linux shell requires a different sequence of steps depending on what Firepower
version the FMC is running. Refer to this topic when you encounter instructions in this document to log into to the
FMC CLI or Linux shell.
Caution: We strongly recommend that you do you do not use the Linux shell unless directed by TAC or explicit
instructions in the user documentation.
Before You Begin:
Establish a direct physical connection with the FMC using a keyboard and monitor or establish an SSH session with
the FMC’s managment interface.
Procedure
1. Log into the FMC using the credentials for the CLI admin user.
Determine your next action depending on the Firepower version in use:
—If your FMC is running Firepower Version 5.4 - 6.2.x, this gives you direct access to the Linux shell.
—If your FMC is running Firepower Version 6.3.x or 6.4.x and the FMC CLI is not enabled, this gives you direct
access to the Linux shell.
—If your FMC is running Firepower Version 6.3.x or 6.4.x and the FMC CLI is enabled, this gives you access
to the FMC CLI. To access the Linux shell, continue with Step 2.
Installation and Initial Setup for Versions 6.5+
Cisco Firepower Management Center Getting Started Guide 4
—If your FMC is running Firepower Version 6.5+, this gives you access to the FMC CLI. To access the Linux
shell, continue with Step 2.
2. To access the Linux shell form the FMC CLI, enter the expert command.
Installation and Initial Setup for Versions 6.5+
Note: Firepower Versions 6.5+ are not supported on FMC models 750, 1500, and 3500.
The first time you log into the FMC running Versions 6.5+, an Initial Configuration Wizard guides you through
configuring the new appliance to communicate on your trusted management network. The wizard presents a
streamlined initial configuration process and automatically establishes some weekly maintenance activities to
keep your system up-to-date and your data backed up.
The FMC management interface is pre-configured to accept an IPv4 address assigned by the Dynamic Host
Configuration Protocol (DHCP). If the FMC fails to obtain a DHCP lease, the management interface uses a fallback
IPv4 address of 192.168.45.45.
Note: If you are connecting to an FMC for the first time after performing a System Restore and you chose to retain
license and network settings, the management interface IP address is the same as it was before you performed
the System Restore. Proceed directly to Firepower Management Center Initial Configuration Wizard, page 7.
To install and set up an FMC running Versions 6.5+:
1. Install the appliance as described in Install the Appliance, page 4.
2. To perform the initial setup you have one of two choices:
—If your network does not use DHCP and your PC cannot reach the fallback address (or the address retained
in a System Restore), we recommend you perform the initial setup by connecting a computer directly to
the FMC’s physical management interface as described in Access the Firepower Management Center
Using the Management Interface, page 5.
—If your local DHCP will assign an address to the FMC, use a keyboard and monitor to set up the appliance;
see Access the Firepower Management Center Using a Keyboard and Monitor, page 6.
Install the Appliance
These instructions are an abbreviated version of the steps to physically install the appliance. For detailed
instructions, see the Cisco Firepower Management Center 750, 1500, 2000, 3500, and 4000 Hardware Installation
Guide.
Procedure
1. Mount the appliance in your rack using the mounting kit and its supplied instructions.
2. Attach power cords to both power supplies and plug them into separate power sources.
If you do not connect both power supplies, an amber warning indicator lights on the chassis front panel and
the FMC web interface displays a health alert.
3. Turn on the appliance by pressing the power switch located on the front panel.
After you press the power switch the appliance may turn on briefly and then appear to shut down with the
exception of the amber power indicator light on the chassis front panel. This is normal; pressing the power
button again causes the appliance to power up with the power indicator light green.
Installation and Initial Setup for Versions 6.5+
Cisco Firepower Management Center Getting Started Guide 5
What to Do Next
The FMC management interface is pre-configured to accept an IPv4 address assigned by DHCP, but failing to
obtain a DHCP lease, the management interface uses a fallback IPv4 address of192.168.45.45. Or, if you are
connecting to an FMC for the first time after performing a System Restore and you chose to retain license and
network settings, the IP address is the same as it was before you performed the System Restore. Ensure that
you have established one of the following methods of accessing the appliance before proceeding:
—If your network does not use DHCP and your PC cannot reach the fallback address (or the address retained
in a System Restore), we recommend you perform the initial setup by connecting a computer directly to
the FMC’s physical management interface as described in Access the Firepower Management Center
Using the Management Interface, page 5.
—If your local DHCP will assign an address to the FMC, use a keyboard and monitor to set up the appliance;
see Access the Firepower Management Center Using a Keyboard and Monitor, page 6.
Perform the initial configuration process; see Firepower Management Center Initial Configuration Wizard,
page 7.
Optionally use the Smart License pop-up dialog to configure Smart Licensing. See Smart Licensing Dialog,
page 9.
Once you complete the Initial setup process, you can optionally configure the FMC for Serial or Serial over LAN
(SOL) access; see Redirecting Console Output, page 19 and Setting Up Lights-Out Management, page 20.
After you complete setup, you will use the Firepower Management Center‘s web interface to perform most
management and analysis tasks for your deployment. For more information, see Administration
Recommendations, page 17.
Access the Firepower Management Center Using the Management
Interface
The FMC management interface is pre-configured to accept an IPv4 address assigned by DHCP, but in scenarios
where no DHCP is involved, the management interface uses the IPv4 address 192.168.45.45. Or, if you are
connecting to an FMC for the first time after performing a System Restore and you chose to retain license and
network settings, the IP address is the same as it was before you performed the System Restore.
Before You Begin:
Configure a local computer, which must not be connected to the Internet, with the following network settings:
—IP address: 192.168.45.2
—netmask: 255.255.255.0
—default gateway: 192.168.45.1
Determine the IP address assigned to the management interface of the FMC:
—If you are connecting to an FMC for the first time after performing a System Restore (see Restoring a
Firepower Management Center to Factory Defaults, page 22 ) and you chose to retain license and network
settings, the IP address is the same as it was before you performed the System Restore.
—Otherwise the FMC management interface IP address is 192.168.45.45.
Procedure
1. Using the supplied Ethernet cable, connect the network interface on the preconfigured computer directly to
the management interface on the appliance.
Confirm that the link LED is on for both the network interface on the local computer and the management
interface on the appliance.
Installation and Initial Setup for Versions 6.5+
Cisco Firepower Management Center Getting Started Guide 6
2. Use a web browser to navigate to the appliance’s IP address:
https://<Management IP Address>
The login page appears.
3. Log in to the web interface using admin as the username and Admin123 as the password. (Note the password
is case-sensitive.)
What to Do Next
Complete the setup process using the procedures in Firepower Management Center Initial Configuration
Wizard, page 7.
Access the Firepower Management Center Using a Keyboard and
Monitor
You can connect a USB keyboard and VGA monitor to the appliance, which is useful for rack-mounted appliances
connected to a keyboard, video, and mouse (KVM) switch. The FMC management interface is pre-configured to
accept an IPv4 address assigned by DHCP, but failing to obtain a DHCP lease, the management interface uses a
fallback IPv4 address of192.168.45.45. If your network does not use DHCP and your PC cannot reach that
address, we recommend you perform the initial setup by connecting to the FMC directly as described in Access
the Firepower Management Center Using the Management Interface, page 5.
Before You Begin:
Determine the IP address assigned to the management interface of the FMC:
If you are setting up a new FMC for the first time, check with your network administrator to determine the IP
address that DHCP will assign to the FMC’s MAC address when you connect it to the local network. (You can
find the MAC address on a label or pullout card on the appliance.)
If no DHCP is present, or if the DHCP has no free addresses in its pool, the FMC management interface uses
the IP address 192.168.45.45. In this case if your PC cannot reach that address we recommend you perform
the initial setup by connecting to the FMC directly as described in Access the Firepower Management Center
Using the Management Interface, page 5.
If you are connecting to an FMC for the first time after performing a System Restore (see Restoring a Firepower
Management Center to Factory Defaults, page 22) and you chose to retain license and network settings, the
IP address is the same as it was before you performed the System Restore.
Procedure
1. Using the supplied Ethernet cable, connect the management interface on the back of the FMC to a protected
management network.
2. Use a web browser to navigate to the FMC web interface login page:
https://<Management IP Address>
The login page appears.
3. Log into the web interface using admin as the username and Admin123 as the password. Note that the password
is case-sensitive.
What to Do Next
Complete the setup process using the procedures in Firepower Management Center Initial Configuration
Wizard, page 7.
Installation and Initial Setup for Versions 6.5+
Cisco Firepower Management Center Getting Started Guide 7
Firepower Management Center Initial Configuration Wizard
When you log into the FMC web interface for the first time on a new appliance, or an appliance on which you have
just performed a System Restore, the FMC presents an Initial Configuration Wizard to enable you to quickly and
easily configure basic settings for the appliance. This wizard consists of three screens and one pop-up dialog:
The first screen forces you to change the password for the admin user from the default value of Admin123.
The second screen presents the End User License Agreement (EULA), which you are required to accept before
using the appliance.
The third screen allows you to change network settings for the appliance management interface. This page is
pre-populated with current settings, which you may change.
After you have completed the three wizard screens, a pop-up dialog appears that offers you the opportunity
to (optionally) quickly and easily set up Smart Licensing.
When you have completed the Initial Configuration Wizard and completed or dismissed the Smart Licensing dialog,
the system displays the device management page, described in “Device Management Basics” in the Firepower
Management Center Configuration Guide for your version.
Change Password
To ensure system security and privacy, the first time you log in to the FMC you are required to change the admin
password. When the Change Password wizard screen appears, you have two options:
Enter a new password in the New Password and Confirm Password text boxes. The password must comply
with the criteria listed in the dialog.
Click the Generate Password button to have the system create a password for you which complies with the
listed criteria. (Generated passwords are non-mnemonic; take careful note of the password if you choose this
option.)
Check the Show password checkbox to see the password while using this screen. The wizard displays a list of criteria
the new password must satisfy; a green check mark appears next to each criterion that has been met. If the new
password does not meet all the listed criteria the wizard rejects the password and prevents you from proceeding
to the next page.
The FMC compares your password against a password cracking dictionary that checks not only for many English
dictionary words but also for other character strings that could be easily cracked with common password hacking
techniques. For example, the initial configuration script may reject passwords such as “abcdefg” or “passw0rd”.
Note: On completion of the initial configuration process the system sets the passwords for the two admin
accounts (one for web access and the other for CLI access) to the same value, complying with the strong
password requirements described in the Firepower Management Center Configuration Guide for your version. If
you change the password for either admin account thereafter, they will no longer be the same, and the strong
password requirement can be removed from the web interface admin account.
Note: Once you click Next on the Change Password screen and the wizard has accepted the new admin password,
that password is in effect for both the web interface and CLI admin accounts even if you do not complete the
remaining wizard activities.
End User License Agreement (EULA)
Before using the Firepower Management Center, you must accept the EULA displayed on the second Initial
Configuration Wizard screen. Read the EULA and click Accept to proceed. If you click Decline the wizard logs you
out of the FMC.
Installation and Initial Setup for Versions 6.5+
Cisco Firepower Management Center Getting Started Guide 8
Change Network Settings
The final Initial Configuration Wizard screen gives you the opportunity to change the network settings the FMC
uses for network communications through its management interface (eth0). If you are logging in for the first time
after performing a System Restore in which you chose to retain network and license settings, the wizard is
pre-populated with the same values the FMC used before the System Restore.
The wizard performs validation on the values you enter on this screen to confirm the following:
syntactical correctness
compatibility of the entered values (for instance, compatible IP address and gateway, or DNS provided when
NTP servers are specified using FQDNs )
network connectivity between the FMC and the DNS and NTP servers
The wizard displays the results of these tests in real-time on the screen, permitting you to make corrections and
test the viability of your configuration before clicking Finish at the bottom of the screen. The NTP and DNS
connectivity tests are not blocking; you can click Finish before the wizard completes the connectivity tests. If the
system reports a connectivity problem after you click Finish, you cannot change the settings in the wizard, but you
can configure these connections using the FMC web interface after completing the initial setup.
The system does not perform connectivity testing if you enter configuration values that would result in cutting off
the existing connection between the FMC and the browser. In this case the wizard displays no connectivity status
information for DNS or NTP.
You can set values for the following fields:
Fully Qualified Domain Name
You must provide a FQDN. You can do one of the following:
accept the displayed value, if one is shown
enter a fully qualified domain name (syntax <hostname>.<domain>) or host name
Boot Protocol for IPv4 Configuration
Choose one of the following methods of IP address assignment from the drop-down labeled Configure IPv4:
Using DHCP
Using Static/Manual
IPv4 Address
This field is required. You can accept the displayed value, if one is shown, or enter a new value. Use dotted decimal
form (for example, 192.168.45.45).
Network Mask
This field is required. You can accept the displayed value, if one is shown, or enter a new value. Use dotted decimal
form (for example, 255.255.0.0).
Gateway
You can accept the displayed gateway value if one is shown, or enter a new default gateway. Use dotted decimal
form (for example, 192.168.0.1).
DNS Group
Choose an optional Domain Name Server group for the FMC. You can:
Accept the default value, Cisco Umbrella DNS.
Installation and Initial Setup for Versions 6.5+
Cisco Firepower Management Center Getting Started Guide 9
Select Custom DNS Servers from the drop-down list, and enter IPv4 addresses for the Primary DNS and Secondary
DNS.
Configure no DNS Server by selecting Custom DNS Servers from the drop-down list and leaving the Primary DNS
and Secondary DNS fields blank.
NTP Group Servers
You must use an NTP Server to ensure proper synchronization between the FMC and its managed devices. Choose
one of the following from the drop-down list:
Default NTP Servers By default the system uses 0.sourcefire.pool.ntp.org as the primary NTP server, and
1.sourcefire.pool.ntp.org as the secondary NTP server.
Custom NTP Servers Enter the FQDN or IP addresses of one or two NTP servers reachable from your network.
Smart Licensing Dialog
After you click Finish on the Change Network Settings screen of the Initial Configuration Wizard, the system displays
a pop-up that offers you the opportunity to quickly and easily set up Smart Licensing. Using this dialog is optional;
if your FMC will be managing Firepower Threat Defense devices and you are familiar with Smart Licensing, use
this dialog. Otherwise dismiss this dialog and refer to ”Licensing the Firepower System” in the Firepower
Management Center Configuration Guide for your version.
Automatic Initial Configuration
After you have completed the Initial Configuration Wizard the FMC automatically configures weekly maintenance
activities to keep your system up-to-date and your data backed up:
The tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific
location. Also, because tasks are schedule in UTC, they do not adjust for Daylight Saving Time, summer time, or
any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur
one hour “later” in the summer than in the winter, according to local time.
Note: We strongly recommend you review the auto-scheduled configurations and adjust them if necessary.
Weekly GeoDB Updates
The FMC automatically schedules GeoDB updates to occur each week at the same randomly selected time.
You can observe the status of this task using the web interface Message Center. If the system fails to configure
the update and your FMC has internet access, we recommend you configure regular GeoDB updates as
described in the Firepower Management Center Configuration Guide for your software version.
Weekly FMC Software Updates
The FMC automatically schedules a weekly task to download the latest software for the FMC and its managed
devices. This task is scheduled to occur between 2 and 3 AM UTC on Sunday mornings; depending on the
date and your specific location this can occur anywhere from Saturday afternoon to Sunday afternoon local
time. You can observe the status of this task using the web interface Message Center. If the task scheduling
fails and your FMC has internet access, we recommend you schedule a recurring task for downloading
software updates as described in the Firepower Management Center Configuration Guide for your version.
This task only downloads software patch and hotfix updates for the version your appliances are currently
running; it is your responsibility to install any updates this task downloads. See the Cisco Firepower
Management Center Upgrade Guide for more information.
Weekly FMC Configuration Backup
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 10
The FMC automatically schedules a weekly task to perform a locally-stored configuration-only backup at 2
AM UTC on Monday mornings; depending on the date and your specific location this can occur anywhere from
Saturday afternoon to Sunday afternoon local time. You can observe the status of this task using the web
interface Message Center. If the task scheduling fails, we recommend you schedule a recurring task to
perform backups as described in the Firepower Management Center Configuration Guide for your version.
Vulnerability Database Update
In Versions 6.6+, the FMC downloads and installs the latest vulnerability database (VDB) update from the Cisco
support site. This is a one-time operation. You can observe the status of this update using the web interface
Message Center. To keep your system up to date, if your FMC has internet access, we recommend you
schedule tasks to perform automatic recurring VDB update downloads and installations as described in the
Firepower Management Center Configuration Guide for your version.
Daily Intrusion Rule Update
In Versions 6.6+, the FMC configures a daily automatic intrusion rule update from the Cisco support site. The
FMC deploys automatic intrusion rule updates to affected managed devices when it next deploys affected
policies. You can observe the status of this update using the web interface Message Center. You can see the
configuration for this task in the web interface under System > Updates > Rule Updates. If configuring the update
fails and your FMC has internet access, we recommend you configure regular intrusion rule updates as
described in the Firepower Management Center Configuration Guide for your version.
Installation and Initial Setup for Versions 5.4 - 6.4.x
Firepower Versions 5.4 - 6.4.x are supported on all FMC models addressed in this document: 750, 1500, 2000,
3500 and 4000.
When you install an appliance, make sure that you can access the appliance’s console for initial setup. You can
access the console for initial setup using a keyboard and monitor with KVM, or using an Ethernet connection to
the management interface.
The first time you log into the FMC web interface, the initial administration page provides you with the ability to
configure the new appliance to communicate on your trusted management network. You must also perform initial
administrative-level tasks such as changing the administrator password, accepting the end user license
agreement (EULA), setting the time, and scheduling updates. The options you choose during setup and
registration determine the default interfaces, inline sets, zones, and policies that the system creates and applies
to managed devices.
You can perform this initial setup process accessing the FMC either using a laptop directly connected to the
appliance, or using an Ethernet connection through your trusted local management network. The following
diagram illustrates the choices you can make when setting up FMC’s running Firepower Versions 5.4 - 6.4.x:
Note: If you are deploying multiple appliances, set up your devices first, then their managing Firepower
Management Center. The initial setup process for a device allows you to preregister it to a Management Center;
the setup process for a Management Center allows you to add and license preregistered managed devices.
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 11
Note: If you are setting up an appliance after restoring it to factory defaults (see Restoring a Firepower
Management Center to Factory Defaults, page 22) and you did not delete the appliance’s license and network
settings, you can use a computer on your management network to browse directly to the appliance’s web interface
to perform the setup. Skip to Initial Setup Page: Management Centers, page 13.
To install and set up an FMC running Versions 5.4 - 6.4.x:
1. Install the appliance as described in Install the Appliance, page 4.
2. Before connecting the FMC to your network you must change the FMC eth0 IP address to match your network
and perform the initial setup; you have one of two choices:
—Access the FMC using the VGA/keyboard connection to set the eth0 IP address before performing the
initial setup; see Access the Firepower Management Center Using a Keyboard and Monitor, page 6.
Then access the FMC with a web browser to perform the initial configuration process; see Initial Setup
Page: Management Centers, page 13.
—Access the FMC using an ethernet connection directly from the eth0 interface to a local computer; see
Access the Firepower Management Center Using the Management Interface, page 5.
Then access the FMC with a web browser to perform the initial configuration and set the eth0 IP address
as a part of that process; see Initial Setup Page: Management Centers, page 13.
Install the Appliance
These instructions are an abbreviated version of the steps to physically install the appliance. For detailed
instructions, see the Cisco Firepower Management Center 1000, 2500, and 4500 Hardware Installation Guide.
Procedure
1. Mount the appliance in your rack using the mounting kit and its supplied instructions.
2. Attach the power cord to the appliance and plug into a power source.
If your appliance has redundant power supplies, attach power cords to both power supplies and plug them
into separate power sources.
3. Turn on the appliance.
What to Do Next
If you are connecting a computer directly to the appliance’s physical management interface to set up the
appliance, continue to Management Center Setup Using the Management Interface, page 11.
If you are using a keyboard and monitor to set up the appliance, continue to Management Center Setup Using
a Keyboard and Monitor (KVM), page 12.
Management Center Setup Using the Management Interface
Procedure
1. Configure a local computer, which must not be connected to the internet, with the following network settings:
—IP address: 192.168.45.2
—netmask: 255.255.255.0
—default gateway: 192.168.45.1
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 12
(The FMC management interface is preconfigured with a default IPv4 address. However, you can reconfigure
the management interface with an IPv6 address as part of the setup process.)
2. Using the supplied Ethernet cable, connect the network interface on the preconfigured computer directly to
the management interface on the appliance.
Confirm that the link LED is on for both the network interface on the local computer and the management
interface on the appliance.
3. Use a web browser to navigate to the appliance’s default IP address:
https:// 192.168.45.45
The login page appears.
4. Log in using admin as the username and Admin123 as the password.
What to Do Next
Complete the setup process using the procedures in Initial Setup Page: Management Centers, page 13.
Management Center Setup Using a Keyboard and Monitor (KVM)
You can connect a USB keyboard and VGA monitor to the appliance, which is useful for rack-mounted appliances
connected to a keyboard, video, and mouse (KVM) switch.
Before You Begin
Be sure you have, at minimum, the information needed to allow the appliance to communicate on your
management network:
—An IPv4 or IPv6 management IP address
—A netmask or prefix length
—A default gateway
Procedure
1. Using the supplied Ethernet cable, connect the management interface on the back of the appliance to a
protected management network.
2. Connect the monitor to the VGA port and the keyboard to one of the USB ports.
3. Access the Linux shell on the FMC using using admin as the username and Admin123 as the password. (Note
that the password is case-sensitive.) Use the steps appropriate to your Firepower version; see Accessing the
CLI or the Linux Shell on the FMC, page 3.
4. Run the following script:
sudo /usr/local/sf/bin/configure-network
The following prompt (appended with the current value) appears:
Management IP address?
5. Enter the IP address you want to assign to the management interface or press Enter to accept the current
value. For example:
10.2.2.20
The following prompt (appended with the current value) appears:
Management netmask?
6. Enter the netmask for the interface’s IP address or press Enter to accept the current value. For example:
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 13
255.255.255.0
The following prompt (appended with the current value) appears:
Management gateway?
7. Enter the gateway for the interface’s IP address or press Enter to accept the current value. For example:
10.2.1.1
The following prompt appears:
Are these settings correct: (y or n)?
8. If the settings are correct, type y and press Enter to accept the settings and continue.
If the settings are incorrect, type n and press Enter. You are prompted to enter the information again.
9. After you have accepted the settings, log out of the shell.
What to Do Next
Complete the setup process using the procedures in Initial Setup Page: Management Centers, page 13.
Initial Setup Page: Management Centers
For all Management Centers, you must complete the setup process by logging into the Management Center’s web
interface and specifying initial configuration options on a setup page. You must change the administrator
password, specify network settings if you haven’t already, and accept the EULA.
In Versions 5.4.x, the setup process also allows you to register and license devices. Before you can register a
device, you must complete the setup process on the device itself, as well as add the Management Center as a
remote manager, or the registration will fail.
Procedure
1. Direct your browser to https://mgmt_ip/, where mgmt_ip is the IP address of the Management Center’s
management interface:
—For a Management Center connected to a computer with an Ethernet cable, direct the browser on that
computer to the default management interface IPv4 address: https://192.168.45.45/.
—For a Management Center where network settings are already configured, use a computer on your
management network to browse to the IP address of the Management Center’s management interface.
2. Log in using admin as the username and Admin123 as the password.
See the following sections for information on completing the setup:
—Change Password, page 14
—Network Settings, page 14
—Time Settings, page 15
—Recurring Rule Update Imports, page 15
—Recurring Geolocation Updates, page 15
—Automatic Backups, page 15
—License Settings, page 15
—Device Registration, page 16
—End User License Agreement, page 17
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 14
3. When you are finished, click Apply.
The Management Center is configured according to your selections. You are logged into the web interface as
the admin user, which has the Administrator role.
Note: If you connected directly to the device using an Ethernet cable, disconnect the computer and connect
the Management Center’s management interface to the management network. Use a browser on a computer
on the management network to access the Management Center at the IP address or host name that you just
configured, and complete the rest of the procedures in this guide.
4. Confirm that the initial setup was successful:
—For versions previous to 6.0, use the Task Status page (System > Monitoring > Task Status) to verify that the
initial setup was successful.
The page auto-refreshes every ten seconds. Monitor the page until it lists a status of Completed for the initial
device registration and policy apply tasks. If, as part of setup, you configured an intrusion rule or
geolocation update, you can also monitor those tasks.
—For versions 6.0+, click the System Status icon and view the Tasks tab in the Message Center.
The Management Center is ready to use. See the Firepower Management Center Configuration Guide for more
information on configuring your deployment.
What to Do Next
Continue with Administration Recommendations, page 17.
Setup Options
Change Password
You must change the password for the admin account. This account has Administrator privileges and cannot be
deleted.
Cisco recommends that you use a strong password that is at least eight alphanumeric characters of mixed case
and includes at least one numeric character. Avoid using words that appear in a dictionary.
Note: The admin accounts for accessing a Firepower Management Center using the shell versus accessing a
Firepower Management Center using the web interface are not the same, and may use different passwords.
Network Settings
A Management Center’s network settings allow it to communicate on your management network. If you already
configured the network settings, this section of the page may be prepopulated.
The Firepower System provides a dual stack implementation for both IPv4 and IPv6 management environments.
You must specify the management network protocol (IPv4, IPv6, or Both). Depending on your choice, the setup page
displays various fields where you must set the IPv4 or IPv6 management IP address, netmask or prefix length, and
default gateway:
For IPv4, you must set the address and netmask in dotted decimal form (for example: a netmask of
255.255.0.0).
For IPv6 networks, you can select the Assign the IPv6 address using router autoconfiguration check box to
automatically assign IPv6 network settings. Otherwise, you must set the address in colon-separated
hexadecimal form and the number of bits in the prefix (for example: a prefix length of 112).
You can also specify up to three DNS servers, as well as the host name and domain for the device.
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 15
Time Settings
You can set the time for a Management Center either manually or via network time protocol (NTP) from an NTP
server.
You can also specify the time zone used on the local web interface for the admin account. Click the current time
zone to change it using a pop-up window.
Recurring Rule Update Imports
As new vulnerabilities become known, the Cisco Talos Intelligence Group releases intrusion rule updates. Rule
updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and
modified default intrusion policy settings. Rule updates may also delete rules and provide new rule categories and
system variables.
If you plan to perform intrusion detection and prevention in your deployment, Cisco recommends that you Enable
Recurring Rule Update Imports from the Support Site.
You can specify the Import Frequency, as well as configure the system to perform an intrusion Policy Reapply after each
rule update. To perform a rule update as part of the initial configuration process, select Install Now.
Rule updates may contain new binaries. Make sure your process for downloading and installing rule updates
complies with your security policies. In addition, rule updates may be large, so make sure to import rules during
periods of low network use.
Recurring Geolocation Updates
Firepower Management Centers can display geographical information about the routed IP addresses associated
with events generated by the system, as well as monitor geolocation statistics in the dashboard and Context
Explorer.
The Management Center’s geolocation database (GeoDB) contains information such as an IP address’s associated
Internet service provider (ISP), connection type, proxy information, and exact location. Enabling regular GeoDB
updates ensures that the system uses up-to-date geolocation information. If you plan to perform
geolocation-related analysis in your deployment, Cisco recommends that you Enable Recurring Weekly Updates from
the Support Site.
You can specify the weekly update frequency for the GeoDB. Click the time zone to change it using a pop-up
window. To download the database as part of the initial configuration process, select Install Now.
GeoDB updates may be large and may take up to 45 minutes to install after download. You should update the
GeoDB during periods of low network use.
Automatic Backups
The Firepower Management Center provides a mechanism for archiving data so configurations can be restored in
case of failure. As part of the initial setup, you can Enable Automatic Backups.
Enabling this setting creates a scheduled task that creates a weekly backup of the configurations on the
Management Center.
License Settings
You use the Firepower Management Center to manage licenses for itself and the devices it manages. The license
types offered by the Firepower System depend upon the type of device you want to manage:
For 7000 and 8000 Series, ASA FirePOWER, and NGIPSv devices, you must use Classic Licenses. Devices
that use Classic Licenses are sometimes referred to as Classic devices.
For Firepower Threat Defense physical and virtual devices, you must use Smart Licenses.
Installation and Initial Setup for Versions 5.4 - 6.4.x
Cisco Firepower Management Center Getting Started Guide 16
Before you add a classic license to the Firepower Management Center, make sure you have the PAK provided by
Cisco when you purchased the license. If you have a legacy, pre-Cisco license, contact Support.
Note: You must enable Classic Licenses on your managed devices before you can use licensed features. You can
enable a license during the initial setup of the Firepower Management Center, when you add a device to the
Firepower Management Center, or by editing the device’s general properties after you add the device.
Procedure
1. Obtain the License Key for your chassis during the initial setup from the License Settings section of the initial
setup page.
The License Key is clearly labeled; for example, 66:18:E7:6E:D9:93:35.
Note: You can find the License Key on a Firepower Management Center at any time when you click the Add
New License button from the System>Licenses>Classic Licenses page.
2. To obtain your license, navigate to https://www.cisco.com/go/license/ where you will be prompted for the
license key (66:18:E7:6E:D9:93:35) and the Product Authorization Key (PAK).
Note: If you ordered additional licenses, you can enter the PAKs separated commas for those licenses at the
same time.
3. Follow the on-screen instructions to generate a license or licenses, which will be emailed to you.
4. Paste the license or licenses in the validation box click Add/Verify.
What to Do Next
Continue with initial setup.
Note: If you have devices that use Cisco Smart Licensing, you use the System>Licenses>Smart Licenses page
to add and verify licenses. Refer to the product documentation for those devices for information on how to add
Smart Licenses to the Firepower Management Center. The Firepower Management Center Configuration Guide
provides more information about Classic Licenses and Smart Licenses, the types of licenses for each class, and
how to manage the licenses across your deployment.
Device Registration
A Firepower Management Center can manage any device, physical or virtual, currently supported by the Firepower
System. You must configure remote management on the device before you can register the device to a
Management Center.
If you are using Firepower System Version 6.0 or greater, see the device management information in the Firepower
Management Center Configuration Guide for instructions on registering your devices.
If you are using a Firepower System Version previous to 6.0, you can add 7000 and 8000 Series devices to the
Management Center during the initial setup process. However, if a device and the Management Center are
separated by a NAT device, you must add it after the setup process completes; see the Firepower 7000 and 8000
Series Installation Guide.
You must configure both traffic channels to use the same management interface when you use a non-default
management interface to connect your Management Center and managed device and those appliances are
separated by a NAT device. See “Deploying on a Management Network” in the Firepower 7000 and 8000 Series
Installation Guide for more information.
When you register a managed device to a Management Center, leave the Apply Default Access Control Policies check
box enabled if you want to automatically apply access control policies to devices upon registration. Note that you
cannot choose which policy the Management Center applies to each device, only whether to apply them. The
policy that is applied to each device depends on the detection mode (see Setting Up Firepower Managed Devices
in the Firepower 7000 and 8000 Series Installation Guide) you chose when configuring the device, as listed in the
following table.
Administration Recommendations
Cisco Firepower Management Center Getting Started Guide 17
An exception occurs if you previously managed a device with a Management Center and you changed the device’s
initial interface configuration. In this case, the policy applied by this new Management Center page depends on
the changed (current) configuration of the device. If there are interfaces configured, the Management Center
applies the Default Intrusion Prevention policy. Otherwise, the Management Center applies the Default Access
Control policy.
If a device is incompatible with an access control policy, the policy apply fails. This incompatibility could occur for
multiple reasons, including licensing mismatches, model restrictions, passive vs inline issues, and other
misconfigurations. If the initial access control policy apply fails, the initial network discovery policy apply also fails.
After you resolve the issue that caused the failure, you must manually apply access control and network discovery
policies to the device. For more information about issues that could cause access control policy apply to fail, see
the Firepower Management Center Configuration Guide.
To add a device, type its Hostname or IP Address, as well as the Registration Key you specified when you registered the
device. Remember this is a simple key that you specified, up to 37 characters in length, and is not the same as a
license key.
Then, use the check boxes to add licensed capabilities to the device. You can only select licenses you have already
added to the Management Center; see License Settings, page 15.
Not all licenses are supported on all managed devices. However, the setup page does not prevent you from
enabling unsupported licenses on managed devices, or enabling a capability for which you do not have a
model-specific license. This is because the Management Center does not determine the device model until later.
The system cannot enable an invalid license, and attempting to enable an invalid license does not decrement your
available license count.
After you enable licenses, click Add to save the device’s registration settings and, optionally, add more devices. If
you selected the wrong options or mis-typed a device name, click Delete to remove it. You can then re-add the
device.
End User License Agreement
Read the EULA carefully and, if you agree to abide by its provisions, select the check box. Make sure that all
the information you provided is correct, and click Apply.
The Management Center is configured according to your selections. You are logged into the web interface as
the admin user, which has the Administrator role. Continue with step 3. in Initial Setup Page: Management
Centers, page 13 to complete the initial setup of the Management Center.
Administration Recommendations
After you complete the initial setup process for an appliance and verify its success, Cisco recommends that you
complete various administrative tasks that make your deployment easier to manage. You should also complete any
tasks you skipped during the initial setup, such as device registration and licensing. For detailed information on
any the tasks described in the following sections, as well as information on how you can begin to configure your
deployment, see the Firepower Management Center Configuration Guide for your software version.
Table 1 Default Access Control Policy Applied Per Detection Mode
Detection Mode Default Access Control Policy
Inline Default Intrusion Prevention
Passive Default Intrusion Prevention
Access Control Default Access Control
Network Discovery Default Network Discovery
Administration Recommendations
Cisco Firepower Management Center Getting Started Guide 18
Individual User Accounts
After you complete the initial setup, the only user on the system is the admin user, which has the Administrator
role and access. Users with that role have full menu and configuration access to the system, including via the
shell or CLI. Cisco recommends that you limit the use of the admin account (and the Administrator role) for
security and auditing reasons.
Note: The admin accounts for accessing a Firepower Management Center via the shell versus accessing a
Firepower Management Center via the web interface are not the same, and may use different passwords.
Creating a separate account for each person who will use the system allows your organization not only to audit
actions and changes made by each user, but also to limit each person’s associated user access role or roles.
This is especially important on the Management Center, where you perform most of your configuration and
analysis tasks. For example, an analyst needs access to event data to analyze the security of your network,
but may not require access to administrative functions for the deployment.
The system includes ten predefined user roles designed for a variety of administrators and analysts. You can
also create custom user roles with specialized access privileges.
Device Registration
For all Firepower versions you can register devices to the FMC after completing the FMC initial setup.
Note: If you are using a Firepower System version previous to 6.0, you can add 7000 and 8000 Series devices to
the Management Center during the initial setup process; see Device Registration, page 16 for information.
A Firepower Management Center can manage any device, physical or virtual, currently supported by your version
of the Firepower System. Depending on your Firepower version this may include:
Firepower 7000 and 8000 Series appliances—physical devices purpose-built for theFirepower System.
Firepower 7000 and 8000 Series devices have a range of throughputs, but share most of the same
capabilities. In general, 8000 Series devices are more powerful than 7000 Series devices; they also support
additional features such as 8000 Series fastpath rules, link aggregation, and stacking. You must configure
remote management on the device before you can register the device to a Firepower Management Center.
NGIPSv—a 64-bit virtual device deployed in the VMware VSphere environment. NGIPSv devices do not support
any of the system’s hardware-based features such as redundancy and resource sharing, switching, and
routing.
Cisco ASA with FirePOWER Services (or an ASA FirePOWER module)—provides the first-line system policy
and passes traffic to the Firepower System for discovery and access control. However, you cannot use the
Firepower Management Center web interface to configure ASA FirePOWER interfaces. Cisco ASA with
FirePOWER Services has a software and command line interface (CLI) unique to the ASA platform to install
the system and to perform other platform-specific administrative tasks.
Firepower Threat Defense—provides a unified next-generation firewall and next-generation IPS device.
Firepower Threat Defense Virtual—a 64-bit virtual device that is designed to work in multiple hypervisor
environments, reduce administrative overhead, and increase operational efficiency.
To register managed devices to a Firepower Management Center, see the device management information in the
Firepower Management Center Configuration Guide for your software version. For information on compatibility
among Firepower devices and software versions, see the Cisco Firepower Compatibility Guide.
Health and System Policies
By default, all appliances have an initial system policy applied. The system policy governs settings that are
likely to be similar for multiple appliances in a deployment, such as mail relay host preferences and time
synchronization settings. Cisco recommends that you use the Management Center to apply the same system
policy to itself and all the devices it manages.
Redirecting Console Output
Cisco Firepower Management Center Getting Started Guide 19
By default, the Management Center also has a health policy applied. A health policy, as part of the health
monitoring feature, provides the criteria for the system continuously monitoring the performance of the
appliances in your deployment. Cisco recommends that you use the Management Center to apply a health
policy to all the devices it manages.
Software and Database Updates
You should update the system software on your appliances before you begin any deployment. Cisco
recommends that all the appliances in your deployment run the most recent version of the Firepower System.
If you are using them in your deployment, you should also install the latest intrusion rule updates, VDB, and
GeoDB. For Versions 6.5+, the Initial Configuration Wizard automatically configures some of these update
activities for you; see Automatic Initial Configuration, page 9 for more information.
Caution: Before you update any part of the Firepower System, you must read the release notes or advisory
text that accompanies the update. The release notes provide important information, including supported
platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.
Redirecting Console Output
By default, Management Centers direct initialization status, or init, messages to the VGA port. If you want to use
the physical serial port or SOL to access the console, Cisco recommends you redirect console output to the serial
port after you complete the initial setup.
To redirect console output using the shell, you run a script from the appliance’s shell.
Using the Shell to Redirect the Console Output
Procedure
1. Using your keyboard/monitor or serial connection, log into the appliance’s shell using an account with
Administrator privileges. Use the steps appropriate to your Firepower version; see Accessing the CLI or the
Linux Shell on the FMC, page 3.
The prompt for the appliance appears.
2. At the prompt, set the console output by typing one of the following commands:
—To access the appliance using the VGA port:
sudo /usr/local/sf/bin/configure_console.sh vga
—To access the appliance using the physical serial port:
sudo /usr/local/sf/bin/configure_console.sh serial
—To access the appliance using LOM via SOL:
sudo /usr/local/sf/bin/configure_console.sh sol
3. To implement your changes, reboot the appliance by typing sudo reboot.
The appliance reboots.
Using the Web Interface to Redirect the Console Output
Procedure
1. Select System > Configuration.
Setting Up Lights-Out Management
Cisco Firepower Management Center Getting Started Guide 20
2. Select Console Configuration.
3. Select a remote console access option:
—Select VGA to use the appliance's VGA port. This is the default option.
—Select Physical Serial Port to use the appliance's serial port, or to use LOM/SOL on a Management Center.
If you selected Physical Serial Port, the LOM settings appear.
4. To configure LOM via SOL, enter the appropriate settings:
—DHCP Configuration for the appliance (DHCP or Static).
—IP Address to be used for LOM. The LOM IP address must be different from the management interface IP
address of the appliance.
—Netmask for the appliance.
—Default Gateway for the appliance.
5. Click Save.
Remote console configuration for the appliance is saved. If you configured Lights-Out Management, you must
enable it for at least one user; see Enabling LOM and LOM Users, page 37.
Setting Up Lights-Out Management
If you need to restore a Firepower device to factory defaults and do not have physical access to the appliance,
you can use Lights-Out Management (LOM) to perform the restore process. Note that you can use Lights-Out
Management on the default (eth0) management interface only.
The LOM feature allows you to perform a limited set of actions on a Firepower device, using a Serial over LAN
(SOL) connection. With LOM, you use a command line interface on an out-of-band management connection to
perform tasks such as viewing the chassis serial number, or monitoring conditions such as fan speed and
temperature.
Caution: The Firepower Management Center 2000 and 4000 introduced Cisco's Unified Computing System
(UCS) platform into the Firepower System. These models do not support Cisco functionality that uses tools
on the baseboard management controller (BMC), such as the UCS Manager or the Cisco Integrated
Management Controller (CIMC), to make any configuration changes or firmware updates.
The syntax of LOM commands depends on the utility you are using, but LOM commands generally contain the
elements listed in the following table.
.
Table 2 LOM Command Syntax
IPMItool
(Linux/Mac)
ipmiutil (Windows) Description
ipmitool ipmiutil Invokes the IPMI utility.
n/a -V4 For ipmiutil only, enables admin privileges for the
LOM session.
-I lanplus -J3 Enables encryption for the LOM session.
-H IP_address -N IP_address Specifies the IP address of the management
interface on the appliance.
This manual suits for next models
9
Other Cisco Server manuals
Cisco
Cisco ONS 15454 ETSI User manual
Cisco
Cisco UCS C240 M4 Installation and maintenance instructions
Cisco
Cisco UCS C220 Installation and maintenance instructions
Cisco
Cisco UCS C Series Assembly instructions
Cisco
Cisco SNS-3415 series Instruction Manual
Cisco
Cisco UCS C Series Manual
Cisco
Cisco UCS C22 M3 System manual
Cisco
Cisco UCS C460 M4 User manual
Cisco
Cisco UCS C220 M5 User manual
Cisco
Cisco UCS E Series User manual
Cisco
Cisco UCS C200 Installation and maintenance instructions
Cisco
Cisco VCS Series User manual
Cisco
Cisco UCS C3160 Installation and maintenance instructions
Cisco
Cisco UCS B420 M3 Manual
Cisco
Cisco UCS 5100 Quick guide
Cisco
Cisco UCS C24 Installation and maintenance instructions
Cisco
Cisco UCS B460 M4 Manual
Cisco
Cisco UCS C240 M4 Installation and maintenance instructions
Cisco
Cisco UCS 5100 Manual
Cisco
Cisco Expressway CE1200 User manual
Popular Server manuals by other brands
LG
LG Centric PCS150R Pro Installation & setup guide
Lenovo
Lenovo ThinkServer RD330 Oplysninger om garanti og support
Lenovo
Lenovo ThinkServer RD530 Benutzerhandbuch
Lenovo
Lenovo THINKSERVER RS210 warranty and support information
Acksys
Acksys WLg-DONGLE Quick installation guide
Allworx
Allworx Allworx 10x installation guide