Cisco Firepower management center 750 User manual

Cisco Systems, Inc. www.cisco.com

Cisco Firepower Management Center Getting Started Guide 1

Cisco Firepower Management Center 750,

1500, 2000, 3500, and 4000 Getting

Started Guide

Updated: April 6, 2020

This guide is organized as follows:

Package Contents

License Requirements

Installation and Initial Setup for Versions 6.5+

Installation and Initial Setup for Versions 5.4 - 6.4.x

Administration Recommendations

Redirecting Console Output

Setting Up Lights-Out Management

Restoring a Firepower Management Center to Factory Defaults

Preconfiguring Firepower Management Centers

Scrubbing the Hard Drive

Related Documentation

Package Contents

This section lists the items included with each model. Note that contents are subject to change, and your exact contents

might contain additional or fewer items.

Chassis Models

Firepower Management Center 750 (1U model). The following illustration of the rear of the chassis indicates

the location of the management interface on a MC750.

Figure 1 MC750 Chassis and Management Interface

1Management interface

Package Contents

Cisco Firepower Management Center Getting Started Guide 2

Firepower Management Center 1500 (1U model). The following illustration of the rear of the chassis indicates

the location of the management interface on a MC1500.

Figure 2 MC1500 Chassis and Management Interface

Firepower Management Center 3500 (1U model). The following illustration of the rear of the chassis indicates

the location of the management interface on a MC3500.

Figure 3 MC3500 Chassis and Management Interface

Firepower Management Center 2000/4000 (1U model). The following illustration of the rear of the chassis

indicates the location of the management interface.

Figure 4 MC2000 and MC4000

Included Items

One power cord per power supply.

One straight-through Cat 5e Ethernet cables per chassis.

One rack-mounting kit per chassis.

1Management interface

License Requirements

Cisco Firepower Management Center Getting Started Guide 3

License Requirements

You can license a variety of features to create an optimal Firepower System deployment for your organization. You

use the Firepower Management Center to manage licenses for itself and the devices it manages. The license types

offered by the Firepower System depend upon the type of device you want to manage:

Classic Licenses

For 7000 and 8000 Series, ASA FirePOWER, and NGIPSv devices, you must use Classic Licenses. Devices that

use Classic Licenses are sometimes referred to as Classic devices.

If your FMC is using a Firepower Version previous to 6.5: Cisco recommends that you use the initial setup page

to add the classic licenses your organization has purchased; see License Settings, page 15. If you do not add

classic licenses during initial setup, any devices you register during initial setup are added to the Management

Center as unlicensed; you must license each of them individually after the initial setup process is over. Note that

if you are setting up a reimaged appliance and you kept your license settings as part of the restore process, this

section of the initial setup page may be prepopulated.

If your FMC is using Firepower Version 6.5+: You must add classic licenses for managed devices after completing

the Initial Configuration Wizard. You can assign licenses to managed devices when you register them to the

Firepower Management Center, or after you have registered them to the Firepower Management Center.

Smart Licenses

For Firepower Threat Defense physical and virtual devices, you must use Smart Licenses.

Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key

(PAK) licenses, smart licenses are not tied to a specific serial number or license key. Smart licensing lets you

assess your license usage and needs at a glance.

Refer to the Firepower Management Center Configuration Guide for information about Classic Licenses and Smart

Licenses, the types of licenses for each class, and how to manage the licenses across your deployment.

Accessing the CLI or the Linux Shell on the FMC

Accessing the FMC CLI or the Linux shell requires a different sequence of steps depending on what Firepower

version the FMC is running. Refer to this topic when you encounter instructions in this document to log into to the

FMC CLI or Linux shell.

Caution: We strongly recommend that you do you do not use the Linux shell unless directed by TAC or explicit

instructions in the user documentation.

Before You Begin:

Establish a direct physical connection with the FMC using a keyboard and monitor or establish an SSH session with

the FMC’s managment interface.

Procedure

1. Log into the FMC using the credentials for the CLI admin user.

Determine your next action depending on the Firepower version in use:

—If your FMC is running Firepower Version 5.4 - 6.2.x, this gives you direct access to the Linux shell.

—If your FMC is running Firepower Version 6.3.x or 6.4.x and the FMC CLI is not enabled, this gives you direct

access to the Linux shell.

—If your FMC is running Firepower Version 6.3.x or 6.4.x and the FMC CLI is enabled, this gives you access

to the FMC CLI. To access the Linux shell, continue with Step 2.

Installation and Initial Setup for Versions 6.5+

Cisco Firepower Management Center Getting Started Guide 4

—If your FMC is running Firepower Version 6.5+, this gives you access to the FMC CLI. To access the Linux

shell, continue with Step 2.

2. To access the Linux shell form the FMC CLI, enter the expert command.

Installation and Initial Setup for Versions 6.5+

Note: Firepower Versions 6.5+ are not supported on FMC models 750, 1500, and 3500.

The first time you log into the FMC running Versions 6.5+, an Initial Configuration Wizard guides you through

configuring the new appliance to communicate on your trusted management network. The wizard presents a

streamlined initial configuration process and automatically establishes some weekly maintenance activities to

keep your system up-to-date and your data backed up.

The FMC management interface is pre-configured to accept an IPv4 address assigned by the Dynamic Host

Configuration Protocol (DHCP). If the FMC fails to obtain a DHCP lease, the management interface uses a fallback

IPv4 address of 192.168.45.45.

Note: If you are connecting to an FMC for the first time after performing a System Restore and you chose to retain

license and network settings, the management interface IP address is the same as it was before you performed

the System Restore. Proceed directly to Firepower Management Center Initial Configuration Wizard, page 7.

To install and set up an FMC running Versions 6.5+:

1. Install the appliance as described in Install the Appliance, page 4.

2. To perform the initial setup you have one of two choices:

—If your network does not use DHCP and your PC cannot reach the fallback address (or the address retained

in a System Restore), we recommend you perform the initial setup by connecting a computer directly to

the FMC’s physical management interface as described in Access the Firepower Management Center

Using the Management Interface, page 5.

—If your local DHCP will assign an address to the FMC, use a keyboard and monitor to set up the appliance;

see Access the Firepower Management Center Using a Keyboard and Monitor, page 6.

Install the Appliance

These instructions are an abbreviated version of the steps to physically install the appliance. For detailed

instructions, see the Cisco Firepower Management Center 750, 1500, 2000, 3500, and 4000 Hardware Installation

Guide.

Procedure

1. Mount the appliance in your rack using the mounting kit and its supplied instructions.

2. Attach power cords to both power supplies and plug them into separate power sources.

If you do not connect both power supplies, an amber warning indicator lights on the chassis front panel and

the FMC web interface displays a health alert.

3. Turn on the appliance by pressing the power switch located on the front panel.

After you press the power switch the appliance may turn on briefly and then appear to shut down with the

exception of the amber power indicator light on the chassis front panel. This is normal; pressing the power

button again causes the appliance to power up with the power indicator light green.

Installation and Initial Setup for Versions 6.5+

Cisco Firepower Management Center Getting Started Guide 5

What to Do Next

The FMC management interface is pre-configured to accept an IPv4 address assigned by DHCP, but failing to

obtain a DHCP lease, the management interface uses a fallback IPv4 address of192.168.45.45. Or, if you are

connecting to an FMC for the first time after performing a System Restore and you chose to retain license and

network settings, the IP address is the same as it was before you performed the System Restore. Ensure that

you have established one of the following methods of accessing the appliance before proceeding:

—If your network does not use DHCP and your PC cannot reach the fallback address (or the address retained

in a System Restore), we recommend you perform the initial setup by connecting a computer directly to

the FMC’s physical management interface as described in Access the Firepower Management Center

Using the Management Interface, page 5.

—If your local DHCP will assign an address to the FMC, use a keyboard and monitor to set up the appliance;

see Access the Firepower Management Center Using a Keyboard and Monitor, page 6.

Perform the initial configuration process; see Firepower Management Center Initial Configuration Wizard,

page 7.

Optionally use the Smart License pop-up dialog to configure Smart Licensing. See Smart Licensing Dialog,

page 9.

Once you complete the Initial setup process, you can optionally configure the FMC for Serial or Serial over LAN

(SOL) access; see Redirecting Console Output, page 19 and Setting Up Lights-Out Management, page 20.

After you complete setup, you will use the Firepower Management Center‘s web interface to perform most

management and analysis tasks for your deployment. For more information, see Administration

Recommendations, page 17.

Access the Firepower Management Center Using the Management

Interface

The FMC management interface is pre-configured to accept an IPv4 address assigned by DHCP, but in scenarios

where no DHCP is involved, the management interface uses the IPv4 address 192.168.45.45. Or, if you are

connecting to an FMC for the first time after performing a System Restore and you chose to retain license and

network settings, the IP address is the same as it was before you performed the System Restore.

Before You Begin:

Configure a local computer, which must not be connected to the Internet, with the following network settings:

—IP address: 192.168.45.2

—netmask: 255.255.255.0

—default gateway: 192.168.45.1

Determine the IP address assigned to the management interface of the FMC:

—If you are connecting to an FMC for the first time after performing a System Restore (see Restoring a

Firepower Management Center to Factory Defaults, page 22 ) and you chose to retain license and network

settings, the IP address is the same as it was before you performed the System Restore.

—Otherwise the FMC management interface IP address is 192.168.45.45.

Procedure

1. Using the supplied Ethernet cable, connect the network interface on the preconfigured computer directly to

the management interface on the appliance.

Confirm that the link LED is on for both the network interface on the local computer and the management

interface on the appliance.

Installation and Initial Setup for Versions 6.5+

Cisco Firepower Management Center Getting Started Guide 6

2. Use a web browser to navigate to the appliance’s IP address:

https://<Management IP Address>

The login page appears.

3. Log in to the web interface using admin as the username and Admin123 as the password. (Note the password

is case-sensitive.)

What to Do Next

Complete the setup process using the procedures in Firepower Management Center Initial Configuration

Wizard, page 7.

Access the Firepower Management Center Using a Keyboard and

Monitor

You can connect a USB keyboard and VGA monitor to the appliance, which is useful for rack-mounted appliances

connected to a keyboard, video, and mouse (KVM) switch. The FMC management interface is pre-configured to

accept an IPv4 address assigned by DHCP, but failing to obtain a DHCP lease, the management interface uses a

fallback IPv4 address of192.168.45.45. If your network does not use DHCP and your PC cannot reach that

address, we recommend you perform the initial setup by connecting to the FMC directly as described in Access

the Firepower Management Center Using the Management Interface, page 5.

Before You Begin:

Determine the IP address assigned to the management interface of the FMC:

If you are setting up a new FMC for the first time, check with your network administrator to determine the IP

address that DHCP will assign to the FMC’s MAC address when you connect it to the local network. (You can

find the MAC address on a label or pullout card on the appliance.)

If no DHCP is present, or if the DHCP has no free addresses in its pool, the FMC management interface uses

the IP address 192.168.45.45. In this case if your PC cannot reach that address we recommend you perform

the initial setup by connecting to the FMC directly as described in Access the Firepower Management Center

Using the Management Interface, page 5.

If you are connecting to an FMC for the first time after performing a System Restore (see Restoring a Firepower

Management Center to Factory Defaults, page 22) and you chose to retain license and network settings, the

IP address is the same as it was before you performed the System Restore.

Procedure

1. Using the supplied Ethernet cable, connect the management interface on the back of the FMC to a protected

management network.

2. Use a web browser to navigate to the FMC web interface login page:

https://<Management IP Address>

The login page appears.

3. Log into the web interface using admin as the username and Admin123 as the password. Note that the password

is case-sensitive.

What to Do Next

Complete the setup process using the procedures in Firepower Management Center Initial Configuration

Wizard, page 7.

Installation and Initial Setup for Versions 6.5+

Cisco Firepower Management Center Getting Started Guide 7

Firepower Management Center Initial Configuration Wizard

When you log into the FMC web interface for the first time on a new appliance, or an appliance on which you have

just performed a System Restore, the FMC presents an Initial Configuration Wizard to enable you to quickly and

easily configure basic settings for the appliance. This wizard consists of three screens and one pop-up dialog:

The first screen forces you to change the password for the admin user from the default value of Admin123.

The second screen presents the End User License Agreement (EULA), which you are required to accept before

using the appliance.

The third screen allows you to change network settings for the appliance management interface. This page is

pre-populated with current settings, which you may change.

After you have completed the three wizard screens, a pop-up dialog appears that offers you the opportunity

to (optionally) quickly and easily set up Smart Licensing.

When you have completed the Initial Configuration Wizard and completed or dismissed the Smart Licensing dialog,

the system displays the device management page, described in “Device Management Basics” in the Firepower

Management Center Configuration Guide for your version.

Change Password

To ensure system security and privacy, the first time you log in to the FMC you are required to change the admin

password. When the Change Password wizard screen appears, you have two options:

Enter a new password in the New Password and Confirm Password text boxes. The password must comply

with the criteria listed in the dialog.

Click the Generate Password button to have the system create a password for you which complies with the

listed criteria. (Generated passwords are non-mnemonic; take careful note of the password if you choose this

option.)

Check the Show password checkbox to see the password while using this screen. The wizard displays a list of criteria

the new password must satisfy; a green check mark appears next to each criterion that has been met. If the new

password does not meet all the listed criteria the wizard rejects the password and prevents you from proceeding

to the next page.

The FMC compares your password against a password cracking dictionary that checks not only for many English

dictionary words but also for other character strings that could be easily cracked with common password hacking

techniques. For example, the initial configuration script may reject passwords such as “abcdefg” or “passw0rd”.

Note: On completion of the initial configuration process the system sets the passwords for the two admin

accounts (one for web access and the other for CLI access) to the same value, complying with the strong

password requirements described in the Firepower Management Center Configuration Guide for your version. If

you change the password for either admin account thereafter, they will no longer be the same, and the strong

password requirement can be removed from the web interface admin account.

Note: Once you click Next on the Change Password screen and the wizard has accepted the new admin password,

that password is in effect for both the web interface and CLI admin accounts even if you do not complete the

remaining wizard activities.

End User License Agreement (EULA)

Before using the Firepower Management Center, you must accept the EULA displayed on the second Initial

Configuration Wizard screen. Read the EULA and click Accept to proceed. If you click Decline the wizard logs you

out of the FMC.

Installation and Initial Setup for Versions 6.5+

Cisco Firepower Management Center Getting Started Guide 8

Change Network Settings

The final Initial Configuration Wizard screen gives you the opportunity to change the network settings the FMC

uses for network communications through its management interface (eth0). If you are logging in for the first time

after performing a System Restore in which you chose to retain network and license settings, the wizard is

pre-populated with the same values the FMC used before the System Restore.

The wizard performs validation on the values you enter on this screen to confirm the following:

syntactical correctness

compatibility of the entered values (for instance, compatible IP address and gateway, or DNS provided when

NTP servers are specified using FQDNs )

network connectivity between the FMC and the DNS and NTP servers

The wizard displays the results of these tests in real-time on the screen, permitting you to make corrections and

test the viability of your configuration before clicking Finish at the bottom of the screen. The NTP and DNS

connectivity tests are not blocking; you can click Finish before the wizard completes the connectivity tests. If the

system reports a connectivity problem after you click Finish, you cannot change the settings in the wizard, but you

can configure these connections using the FMC web interface after completing the initial setup.

The system does not perform connectivity testing if you enter configuration values that would result in cutting off

the existing connection between the FMC and the browser. In this case the wizard displays no connectivity status

information for DNS or NTP.

You can set values for the following fields:

Fully Qualified Domain Name

You must provide a FQDN. You can do one of the following:

accept the displayed value, if one is shown

enter a fully qualified domain name (syntax <hostname>.<domain>) or host name

Boot Protocol for IPv4 Configuration

Choose one of the following methods of IP address assignment from the drop-down labeled Configure IPv4:

Using DHCP

Using Static/Manual

IPv4 Address

This field is required. You can accept the displayed value, if one is shown, or enter a new value. Use dotted decimal

form (for example, 192.168.45.45).

Network Mask

This field is required. You can accept the displayed value, if one is shown, or enter a new value. Use dotted decimal

form (for example, 255.255.0.0).

Gateway

You can accept the displayed gateway value if one is shown, or enter a new default gateway. Use dotted decimal

form (for example, 192.168.0.1).

DNS Group

Choose an optional Domain Name Server group for the FMC. You can:

Accept the default value, Cisco Umbrella DNS.

Installation and Initial Setup for Versions 6.5+

Cisco Firepower Management Center Getting Started Guide 9

Select Custom DNS Servers from the drop-down list, and enter IPv4 addresses for the Primary DNS and Secondary

DNS.

Configure no DNS Server by selecting Custom DNS Servers from the drop-down list and leaving the Primary DNS

and Secondary DNS fields blank.

NTP Group Servers

You must use an NTP Server to ensure proper synchronization between the FMC and its managed devices. Choose

one of the following from the drop-down list:

Default NTP Servers By default the system uses 0.sourcefire.pool.ntp.org as the primary NTP server, and

1.sourcefire.pool.ntp.org as the secondary NTP server.

Custom NTP Servers Enter the FQDN or IP addresses of one or two NTP servers reachable from your network.

Smart Licensing Dialog

After you click Finish on the Change Network Settings screen of the Initial Configuration Wizard, the system displays

a pop-up that offers you the opportunity to quickly and easily set up Smart Licensing. Using this dialog is optional;

if your FMC will be managing Firepower Threat Defense devices and you are familiar with Smart Licensing, use

this dialog. Otherwise dismiss this dialog and refer to ”Licensing the Firepower System” in the Firepower

Management Center Configuration Guide for your version.

Automatic Initial Configuration

After you have completed the Initial Configuration Wizard the FMC automatically configures weekly maintenance

activities to keep your system up-to-date and your data backed up:

The tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific

location. Also, because tasks are schedule in UTC, they do not adjust for Daylight Saving Time, summer time, or

any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur

one hour “later” in the summer than in the winter, according to local time.

Note: We strongly recommend you review the auto-scheduled configurations and adjust them if necessary.

Weekly GeoDB Updates

The FMC automatically schedules GeoDB updates to occur each week at the same randomly selected time.

You can observe the status of this task using the web interface Message Center. If the system fails to configure

the update and your FMC has internet access, we recommend you configure regular GeoDB updates as

described in the Firepower Management Center Configuration Guide for your software version.

Weekly FMC Software Updates

The FMC automatically schedules a weekly task to download the latest software for the FMC and its managed

devices. This task is scheduled to occur between 2 and 3 AM UTC on Sunday mornings; depending on the

date and your specific location this can occur anywhere from Saturday afternoon to Sunday afternoon local

time. You can observe the status of this task using the web interface Message Center. If the task scheduling

fails and your FMC has internet access, we recommend you schedule a recurring task for downloading

software updates as described in the Firepower Management Center Configuration Guide for your version.

This task only downloads software patch and hotfix updates for the version your appliances are currently

running; it is your responsibility to install any updates this task downloads. See the Cisco Firepower

Management Center Upgrade Guide for more information.

Weekly FMC Configuration Backup

Installation and Initial Setup for Versions 5.4 - 6.4.x

Cisco Firepower Management Center Getting Started Guide 10

The FMC automatically schedules a weekly task to perform a locally-stored configuration-only backup at 2

AM UTC on Monday mornings; depending on the date and your specific location this can occur anywhere from

Saturday afternoon to Sunday afternoon local time. You can observe the status of this task using the web

interface Message Center. If the task scheduling fails, we recommend you schedule a recurring task to

perform backups as described in the Firepower Management Center Configuration Guide for your version.

Vulnerability Database Update

In Versions 6.6+, the FMC downloads and installs the latest vulnerability database (VDB) update from the Cisco

support site. This is a one-time operation. You can observe the status of this update using the web interface

Message Center. To keep your system up to date, if your FMC has internet access, we recommend you

schedule tasks to perform automatic recurring VDB update downloads and installations as described in the

Firepower Management Center Configuration Guide for your version.

Daily Intrusion Rule Update

In Versions 6.6+, the FMC configures a daily automatic intrusion rule update from the Cisco support site. The

FMC deploys automatic intrusion rule updates to affected managed devices when it next deploys affected

policies. You can observe the status of this update using the web interface Message Center. You can see the

configuration for this task in the web interface under System > Updates > Rule Updates. If configuring the update

fails and your FMC has internet access, we recommend you configure regular intrusion rule updates as

described in the Firepower Management Center Configuration Guide for your version.

Installation and Initial Setup for Versions 5.4 - 6.4.x

Firepower Versions 5.4 - 6.4.x are supported on all FMC models addressed in this document: 750, 1500, 2000,

3500 and 4000.

When you install an appliance, make sure that you can access the appliance’s console for initial setup. You can

access the console for initial setup using a keyboard and monitor with KVM, or using an Ethernet connection to

the management interface.

The first time you log into the FMC web interface, the initial administration page provides you with the ability to

configure the new appliance to communicate on your trusted management network. You must also perform initial

administrative-level tasks such as changing the administrator password, accepting the end user license

agreement (EULA), setting the time, and scheduling updates. The options you choose during setup and

registration determine the default interfaces, inline sets, zones, and policies that the system creates and applies

to managed devices.

You can perform this initial setup process accessing the FMC either using a laptop directly connected to the

appliance, or using an Ethernet connection through your trusted local management network. The following

diagram illustrates the choices you can make when setting up FMC’s running Firepower Versions 5.4 - 6.4.x:

Note: If you are deploying multiple appliances, set up your devices first, then their managing Firepower

Management Center. The initial setup process for a device allows you to preregister it to a Management Center;

the setup process for a Management Center allows you to add and license preregistered managed devices.

This manual suits for next models

Other Cisco Server manuals

Cisco

Cisco UCS Series User manual

Cisco

Cisco Catalyst 6800 User manual

Cisco

Cisco 5100 User manual

Cisco

Cisco UCS C210 Installation and maintenance instructions

Cisco

Cisco C880 M4 User manual

Cisco

Cisco N20-B6625-1 System manual

Cisco

Cisco UCS 5100 Quick start guide

Cisco

Cisco UCS C460 M4 User manual

Cisco

Cisco UCS 82598KR User manual

Cisco

Cisco C880 M4 User manual

Cisco

Cisco SNS-3515 series Manual

Cisco

Cisco ONS 15454 SONET User manual

Cisco

Cisco UCS B420 M4 Manual

Cisco

Cisco UCS C Series Instruction Manual

Cisco

Cisco UCS C260 M2 User manual

Cisco

Cisco Meraki MX65 User manual

Cisco

Cisco UCS B420 M3 Installation and operation manual

Cisco

Cisco ISE-3315 User manual

Cisco

Cisco C880 M4 Mounting instructions

Cisco

Cisco UCS C Series User manual

Cisco

Cisco UCS Invicta C3124SA Manual

Cisco

Cisco GSS-4492R-K9 Instruction Manual

Cisco

Cisco UCS C220 M3 Installation and maintenance instructions

Cisco

Cisco UCS B440-M1 User manual

Popular Server manuals by other brands

HP Tc2120 - Server - 256 MB RAM installation guide

Lenovo

Lenovo ThinkServer RD230 manual

Avocent

Avocent CPS810 Installer/user guide

Dell

Dell PowerEdge R6615 Installation and service manual

FreeWave

FreeWave HT2+ installation guide

GIGA-BYTE TECHNOLOGY

GIGA-BYTE TECHNOLOGY G492-Z50 user manual

Lanner

Lanner HTCA-E400 user manual

Bull

Bull NovaScale T840 E2 user guide

Asus

Asus RS740-E70RS24-EG Configuration guide

Meinberg

Meinberg LANTIME M300/TCR manual 

HP ProLiant SL335s G7 Maintenance and service guide

ZyXEL Communications

ZyXEL Communications VANTAGE RADIUS 50 user guide

Lantronix

Lantronix xDirect-IAP quick start guide

Fujitsu

Fujitsu PRIMEQUEST 2400E3 General description

IBM

IBM 9040-MR9 manual

IBM

IBM 306m - eServer xSeries - 8849 user guide

green hippo

green hippo Hippotizer Nevis+ quick start guide

IBM

IBM 8203-E4A Brochure & specs

Cisco Firepower Management Center 750 User manual

Popular Server manuals by other brands