Getting Started With Firepower

Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your organization’s security policy—your guidelines for protecting your network.

In a typical deployment, multiple traffic-sensing managed devices installed on network segments monitor traffic for analysis and report to a manager:

  • Firepower Management Center

  • Firepower Device Manager

  • Adaptive Security Device Manager (ASDM)

Managers provide a centralized management console with graphical user interface that you can use to perform administrative, management, analysis, and reporting tasks.

This guide focuses on the Firepower Management Center managing appliance. For information about the Firepower Device Manager or ASA with FirePOWER Services managed via ASDM, see the guides for those management methods.

  • Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager

  • ASA with FirePOWER Services Local Management Configuration Guide

Quick Start: Basic Setup

The Firepower feature set is powerful and flexible enough to support basic and advanced configurations. Use the following sections to quickly set up a Firepower Management Center and its managed devices to begin controlling and analyzing traffic.

Installing and Performing Initial Setup on Physical Appliances

Procedure


Install and perform initial setup on all physical appliances using the documentation for your appliance:


Deploying Virtual Appliances

Follow these steps if your deployment includes virtual appliances. Use the documentation roadmap to locate the documents listed below: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

Procedure


Step 1

Determine the supported virtual platforms you will use for the Management Center and devices (these may not be the same). See the Cisco Firepower Compatibility Guide.

Step 2

Deploy virtual Firepower Management Centers on the supported Public and Private cloud environment. See, Cisco Secure Firewall Management Center Virtual Getting Started Guide.

Step 3

Deploy virtual devices for your appliance on the supported Public and Private cloud environment. For details, see the following documentation.


Logging In for the First Time

Before logging in to a new FMC for the first time, prepare the appliance as described in Installing and Performing Initial Setup on Physical Appliances or Deploying Virtual Appliances.

The first time you log in to a new FMC (or an FMC newly restored to factory defaults), use the admin account for either the CLI or the web interface and follow the instructions in the Cisco Firepower Management Center Getting Started Guide for your FMC model. Once you complete the initial configuration process, the following aspects of your system will be configured:

  • The passwords for the two admin accounts (one for web interface access and the other for CLI access) will be set to the same value, complying with strong password requirements as described in Guidelines and Limitations for User Accounts. The system synchronizes the passwords for the two admin accounts only during the initial configuration process. If you change the password for either admin account thereafter, they will no longer be the same and the strong password requirement can be removed from the web interface admin account. (See Add an Internal User at the Web Interface.)

  • The following network settings the FMC uses for network communication through its management interface (eth0) will be set to default values or values you supply:

    • Fully qualified domain name (<hostname>.<domain>)

    • Boot protocol for IPv4 configuration (DHCP or Static/Manual)

    • IPv4 address

    • Network mask

    • Gateway

    • DNS Servers

    • NTP Servers

    Values for these settings can be viewed and changed through the FMC web interface; see Modify FMC Management Interfaces and Time and Time Synchronization for more information.

  • As a part of initial configuration the FMC configures a weekly automatic GeoDB update. You can observe the status of this update using the web interface Message Center. If configuring the update fails and your FMC has internet access, we recommend you configure regular GeoDB updates as described in Schedule GeoDB Updates.

  • As a part of initial configuration the FMC schedules a weekly task to download the latest software for the FMC and its managed devices. You can observe the status of this task using the web interface Message Center. If the task scheduling fails and your FMC has internet access, we recommend you schedule a recurring task for downloading software updates as described in Automating Software Downloads.


    Important


    This task only downloads software updates to the FMC. It is your responsibility to install any updates this task downloads. See the Cisco Firepower Management Center Upgrade Guide for more information.
  • As a part of initial configuration the FMC schedules a weekly task to perform a locally-stored configuration-only backup. You can observe the status of this task using the web interface Message Center. If the task scheduling fails we recommend you schedule a recurring task to perform a backup as described in Schedule FMC Backups.

On completion of FMC initial configuration, the web interface displays the device management page, described in Device Management Basics. (This is the default login page only for the first time the admin user logs in. On subsequent logins by the admin or any user, the default login page is determined as described in Specifying Your Home Page.)

Once you have completed the initial configuration, begin controlling and analyzing traffic by configuring basic policies as described in Setting Up Basic Policies and Configurations.

Setting Up Basic Policies and Configurations

You must configure and deploy basic policies in order to see data in the dashboard, Context Explorer, and event tables.


Note


This is not a full discussion of policy or feature capabilities. For guidance on other features and more advanced configurations, see the rest of this guide.


Before you begin

Procedure


Step 1

Set a time zone for this account as described in Setting Your Default Time Zone.

Step 2

If needed, add licenses as described in Licensing the Firepower System.

Step 3

Add managed devices to your deployment as described in Add a Device to the FMC.

Step 4

Configure your managed devices as described in:

Step 5

Configure an access control policy as described in Creating a Basic Access Control Policy.

Step 6

Apply the system-provided default health policy as described in Applying Health Policies.

Step 7

Customize a few of your system configuration settings:

Step 8

Customize your network discovery policy as described in Configuring the Network Discovery Policy. By default, the network discovery policy analyzes all traffic on your network. In most cases, Cisco suggests restricting discovery to the addresses in RFC 1918.

Step 9

Consider customizing these other common settings:

Step 10

Deploy configuration changes; see Deploy Configuration Changes.


What to do next

  • Review and consider configuring other features described in Firepower Features and the rest of this guide.

Firepower Devices

In a typical deployment, multiple traffic-handling devices report to one Firepower Management Center, which you use to perform administrative, management, analysis, and reporting tasks.

Classic Devices

Classic devices run next-generation IPS (NGIPS) software. They include:

  • NGIPSv, hosted on VMware.

  • ASA with FirePOWER Services, available on select ASA 5500-X series devices (also includes ISA 3000). The ASA provides the first-line system policy, and then passes traffic to an ASA FirePOWER module for discovery and access control.

    Note that you must use the ASA CLI or ASDM to configure the ASA-based features on an ASA FirePOWER device. This includes device high availability, switching, routing, VPN, NAT, and so on. You cannot use the FMC to configure ASA FirePOWER interfaces, and the FMC GUI does not display ASA interfaces when the ASA FirePOWER is deployed in SPAN port mode. Also, you cannot use the FMC to shut down, restart, or otherwise manage ASA FirePOWER processes.

Firepower Threat Defense Devices

A Firepower Threat Defense (FTD) device is a next-generation firewall (NGFW) that also has NGIPS capabilities. NGFW and platform features include site-to-site and remote access VPN, robust routing, NAT, clustering, and other optimizations in application inspection and access control.

FTD is available on a wide range of physical and virtual platforms.

Compatibility

For details on manager-device compatibility, including the software compatible with specific device models, virtual hosting environments, operating systems, and so on, see the Cisco Firepower Release Notes and Cisco Firepower Compatibility Guide.

End of Sale for Firepower 7000/8000 Series Devices

You cannot upgrade to or freshly install Firepower Version 6.5+ on 7000/8000 series devices. This guide and the related online help do not contain information on configuring or managing those devices.

If you are managing 7000/8000 series devices running supported older Firepower versions, use the following resources:

Firepower Features

These tables list some commonly used Firepower features.

Appliance and System Management Features

To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

If you want to... Configure... As described in...

Manage user accounts for logging in to your Firepower appliances

Firepower authentication

User Accounts for FMC and User Accounts for Devices

Monitor the health of system hardware and software

Health monitoring policy

About Health Monitoring

Back up data on your appliance

Backup and restore

Backup and Restore

Upgrade to a new Firepower version

System updates

Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0

Firepower Release Notes

Baseline your physical appliance

Restore to factory defaults (reimage)

The Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0, for a list of links to instructions on performing fresh installations.

Update the VDB, intrusion rule updates, or GeoDB on your appliance

Vulnerability Database (VDB) updates, intrusion rule updates, or Geolocation Database (GeoDB) updates

System Updates

Apply licenses in order to take advantage of license-controlled functionality

Classic or Smart licensing

About Firepower Licenses

Ensure continuity of appliance operations

Managed device high availability and/or Firepower Management Center high availability

About Firepower Threat Defense High Availability

About Firepower Management Center High Availability

Configure a device to route traffic between two or more interfaces

Routing

Routing Overview for Firepower Threat Defense

Configure packet switching between two or more networks

Device switching

Configure Bridge Group Interfaces

Translate private addresses into public addresses for internet connections

Network Address Translation (NAT)

Network Address Translation (NAT) for Firepower Threat Defense

Establish a secure tunnel between managed Firepower Threat Defense

Site-to-Site virtual private network (VPN)

VPN Overview for Firepower Threat Defense

Establish secure tunnels between remote users and managed Firepower Threat Defense devices

Remote Access VPN

VPN Overview for Firepower Threat Defense

Segment user access to managed devices, configurations, and events

Multitenancy using domains

Introduction to Multitenancy Using Domains

View and manage appliance configuration using a REST API client

REST API and REST API Explorer

REST API Preferences

Firepower REST API Quick Start Guide

Troubleshoot issues

N/A

Troubleshooting the System

High Availability and Scalability Features by Platform

High availability configurations (sometimes called failover) ensure continuity of operations. Clustered configurations group multiple devices together as a single logical device, achieving increased throughput and redundancy.

Platform

High Availability

Clustering

Firepower Management Center

Yes

Firepower Management Center Virtual

Firepower Threat Defense:

  • Firepower 1000 series

  • Firepower 2100 series

  • ASA 5500-X series

  • ISA 3000

Yes

Firepower Threat Defense:

  • Firepower 4100/9300 chassis

Yes

Yes

Firepower Threat Defense Virtual:

  • VMware

  • KVM

Yes

Firepower Threat Defense Virtual (public cloud):

  • AWS

  • Azure

NGIPSv

ASA FirePOWER

In these deployments, the ASA device provides the first-line system policy, then passes traffic to an ASA FirePOWER module for discovery and access control. See the ASA documentation for information on high availability and scalability configurations.

Features for Detecting, Preventing, and Processing Potential Threats

To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

If you want to... Configure... As described in...

Inspect, log, and take action on network traffic

Access control policy, the parent of several other policies

Introduction to Access Control

Block or monitor connections to or from IP addresses, URLs, and/or domain names

Security Intelligence within your access control policy

About Security Intelligence

Control the websites that users on your network can access

URL filtering within your policy rules

URL Filtering

Monitor malicious traffic and intrusions on your network

Intrusion policy

Intrusion Policy Basics

Block encrypted traffic without inspection

Inspect encrypted or decrypted traffic

SSL policy

SSL Policies Overview

Tailor deep inspection to encapsulated traffic and improve performance with fastpathing

Prefilter policy

About Prefiltering

Rate limit network traffic that is allowed or trusted by access control

Quality of Service (QoS) policy

About QoS Policies

Allow or block files (including malware) on your network

File/malware policy

File Policies and Malware Protection

Operationalize data from threat intelligence sources

Cisco Threat Intelligence Director (TID)

Threat Intelligence Director Overview

Configure passive or active user authentication to perform user awareness and user control

User awareness, user identity, identity policies

About User Identity Sources

About Identity Policies

Collect host, application, and user data from traffic on your network to perform user awareness

Network Discovery policies

Overview: Network Discovery Policies

Use tools beyond your Firepower system to collect and analyze data about network traffic and potential threats

Integration with external tools

Event Analysis Using External Tools

Perform application detection and control

Application detectors

Overview: Application Detection

Troubleshoot issues

N/A

Troubleshooting the System

Integration with External Tools

To locate unfamiliar documents, see: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

If you want to... Configure... As described in...

Automatically launch remediations when conditions on your network violate an associated policy

Remediations

Introduction to Remediations

Firepower System Remediation API Guide

Stream event data from a Firepower Management Center to a custom-developed client application

eStreamer integration

eStreamer Server Streaming

Firepower System eStreamer Integration Guide

Query database tables on a Firepower Management Center using a third-party client

External database access

External Database Access Settings

Firepower System Database Access Guide

Augment discovery data by importing data from third-party sources

Host input

Host Input Data

Firepower System Host Input API Guide

Investigate events using external event data storage tools and other data resources

Integration with external event analysis tools

Event Analysis Using External Tools

Troubleshoot issues

N/A

Troubleshooting the System

Switching Domains on the Firepower Management Center

In a multidomain deployment, user role privileges determine which domains a user can access and which privileges the user has within each of those domains. You can associate a single user account with multiple domains and assign different privileges for that user in each domain. For example, you can assign a user read-only privileges in the Global domain, but Administrator privileges in a descendant domain.

Users associated with multiple domains can switch between domains within the same web interface session.

Under your user name in the toolbar, the system displays a tree of available domains. The tree:

  • Displays ancestor domains, but may disable access to them based on the privileges assigned to your user account.

  • Hides any other domain your user account cannot access, including sibling and descendant domains.

When you switch to a domain, the system displays:

  • Data that is relevant to that domain only.

  • Menu options determined by the user role assigned to you for that domain.

Procedure


From the drop-down list under your user name, choose the domain you want to access.


The Context Menu

Certain pages in the Firepower System web interface support a right-click (most common) or left-click context menu that you can use as a shortcut for accessing other features in the Firepower System. The contents of the context menu depend where you access it—not only the page but also the specific data.

For example:

  • IP address hotspots provide information about the host associated with that address, including any available whois and host profile information.

  • SHA-256 hash value hotspots allow you to add a file’s SHA-256 hash value to the clean list or custom detection list, or view the entire hash value for copying.

On pages or locations that do not support the Firepower System context menu, the normal context menu for your browser appears.

Policy Editors

Many policy editors contain hotspots over each rule. You can insert new rules and categories; cut, copy, and paste rules; set the rule state; and edit the rule.

Intrusion Rules Editor

The intrusion rules editor contains hotspots over each intrusion rule. You can edit the rule, set the rule state, configure thresholding and suppression options, and view rule documentation. Optionally, after clicking Rule documentation in the context menu, you can click Rule Documentation in the documentation pop-up window to view more-specific rule details.

Event Viewer

Event pages (the drill-down pages and table views available under the Analysis menu) contain hotspots over each event, IP address, URL, DNS query, and certain files’ SHA-256 hash values. While viewing most event types, you can:

  • View related information in the Context Explorer.

  • Drill down into event information in a new window.

  • View the full text in places where an event field contains text too long to fully display in the event view, such as a file’s SHA-256 hash value, a vulnerability description, or a URL.

  • Open a web browser window with detailed information about the element from a source external to Firepower, using the Contextual Cross-Launch feature. For more information, see Event Investigation Using Web-Based Resources.

While viewing connection events, you can add items to the default Security Intelligence Block and Do Not Block lists:

  • An IP address, from an IP address hotspot.

  • A URL or domain name, from a URL hotspot.

  • A DNS query, from a DNS query hotspot.

While viewing captured files, file events, and malware events, you can:

  • Add a file to or remove a file from the clean list or custom detection list.

  • Download a copy of the file.

  • View nested files inside an archive file.

  • Download the parent archive file for a nested file.

  • View the file composition.

  • Submit the file for local malware and dynamic analysis.

While viewing intrusion events, you can perform similar tasks to those in the intrusion rules editor or an intrusion policy:

  • Edit the triggering rule.

  • Set the rule state, including disabling the rule.

  • Configure thresholding and suppression options.

  • View rule documentation. Optionally, after clicking Rule documentation in the context menu, you can click Rule Documentation in the documentation pop-up window to view more-specific rule details.

Intrusion Event Packet View

Intrusion event packet views contain IP address hotspots. The packet view uses a left-click context menu.

Dashboard

Many dashboard widgets contain hotspots to view related information in the Context Explorer. Dashboard widgets can also contain IP address and SHA-256 hash value hotspots.

Context Explorer

The Context Explorer contains hotspots over its charts, tables, and graphs. If you want to examine data from graphs or lists in more detail than the Context Explorer allows, you can drill down to the table views of the relevant data. You can also view related host, user, application, file, and intrusion rule information.

The Context Explorer uses a left-click context menu, which also contains filtering and other options unique to the Context Explorer.

Firepower Online Help, How To, and Documentation

You can reach the online help from the web interface:

  • By clicking the context-sensitive help link on each page

  • By choosing Help > Online

How To is a widget that provides walkthroughs to navigate through tasks on Firepower Management Center. The walkthroughs guide you to perform the steps required to achieve a task by taking you through each step, one after the other irrespective of the various UI screens that you may have to navigate, to complete the task. The How To widget is enabled by default. To disable the widget, choose User Preferences from the drop-down list under your user name, and uncheck the Enable How-Tos check box in How-To Settings.


Note


The walkthroughs are generally available for all UI pages, and are not user role sensitive. However, depending on the privileges of the user, some of the menu items will not appear on the Firepower Management Center interface. Thereby, the walkthroughs will not execute on such pages.


The following walkthroughs are available on Firepower Management Center:

  • Register FMC with Cisco Smart Account: This walkthrough guides you to register Firepower Management Center with Cisco Smart Account.

  • Set up a Device and add it to FMC: This walkthrough guides you to set up a device and to add the device to Firepower Management Center.

  • Configure Date and Time: This walkthrough guides you to configure the date and time of the Firepower Threat Defense devices using a platform settings policy.

  • Configure Interface Settings: This walkthrough guides you to configure the interfaces on the Firepower Threat Defense devices.

  • Create an Access Control Policy: An access control policy consists of a set of ordered rules, which are evaluated from top to bottom. This walkthrough guides you to create an access control policy.

  • Add an Access Control Rule - A Feature Walkthrough: This walkthrough describes the components of an access control rule, and how you can use them in Firepower Management Center.

  • Configure Routing Settings: Various routing protocols are supported by Firepower Threat Defense. A static route defines where to send traffic for specific destination networks. This walkthrough guides you to configure static routing for the devices.

  • Create a NAT Policy - A Feature Walkthrough: This walkthrough guides you to create a NAT policy and walks you through the various features of a NAT rule.

You can find additional documentation related to the Firepower system using the documentation roadmap: http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.

Top-Level Documentation Listing Pages for FMC Deployments

The following documents may be helpful when configuring Firepower Management Center deployments, Version 6.0+.


Note


Some of the linked documents are not applicable to Firepower Management Center deployments. For example, some links on Firepower Threat Defense pages are specific to deployments managed by Firepower Device Manager, and some links on hardware pages are unrelated to FMC. To avoid confusion, pay careful attention to document titles. Also, some documents cover multiple products and therefore may appear on multiple product pages.

Firepower Management Center

Firepower Threat Defense, also called NGFW (Next Generation Firewall) devices

Classic devices, also called NGIPS (Next Generation Intrusion Prevention System) devices

License Statements in the Documentation

The License statement at the beginning of a section indicates which Classic or Smart license you must assign to a managed device in the Firepower System to enable the feature described in the section.

Because licensed capabilities are often additive, the license statement provides only the highest required license for each feature.

An “or” statement in a License statement indicates that you must assign a particular license to the managed device to enable the feature described in the section, but an additional license can add functionality. For example, within a file policy, some file rule actions require that you assign a Protection license to the device while others require that you assign a Malware license.

For more information about licenses, see About Firepower Licenses.

Supported Devices Statements in the Documentation

The Supported Devices statement at the beginning of a chapter or topic indicates that a feature is supported only on the specified device series, family, or model. For example, many features are supported only on Firepower Threat Defense devices.

For more information on platforms supported by this release, see the release notes.

Access Statements in the Documentation

The Access statement at the beginning of each procedure in this documentation indicates the predefined user roles required to perform the procedure. Any of the listed roles can perform the procedure.

Users with custom roles may have permission sets that differ from those of the predefined roles. When a predefined role is used to indicate access requirements for a procedure, a custom role with similar permissions also has access. Some users with custom roles may use slightly different menu paths to reach configuration pages. For example, users who have a custom role with only intrusion policy privileges access the network analysis policy via the intrusion policy instead of the standard path through the access control policy.

For more information about user roles, see User Roles and Customize User Roles for the Web Interface.

Firepower System IP Address Conventions

You can use IPv4 Classless Inter-Domain Routing (CIDR) notation and the similar IPv6 prefix length notation to define address blocks in many places in the Firepower System.

When you use CIDR or prefix length notation to specify a block of IP addresses, the Firepower System uses only the portion of the network IP address specified by the mask or prefix length. For example, if you type 10.1.2.3/8, the Firepower System uses 10.0.0.0/8.

In other words, although Cisco recommends the standard method of using a network IP address on the bit boundary when using CIDR or prefix length notation, the Firepower System does not require it.

Additional Resources

The Firewalls Community is an exhaustive repository of reference material that complements our extensive documentation. This includes links to 3D models of our hardware, hardware configuration selector, product collateral, configuration examples, troubleshooting tech notes, training videos, lab and Cisco Live sessions, social media channels, Cisco Blogs and all the documentation published by the Technical Publications team.

Some of the individuals posting to community sites or video sharing sites, including the moderators, work for Cisco Systems. Opinions expressed on those sites and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party.


Note


Some of the videos, technical notes, and reference material in the Firewalls Community points to older versions of the FMC. Your version of the FMC and the version referenced in the videos or technical notes might have differences in the user interface that cause the procedures not to be identical.

History for Getting Started with Firepower

Feature

Version

Details

Initial Configuration Wizard

6.5

Initial login on a new or newly-restored-to-factory-defaults FMC now presents the admin user with an Initial Configuration Wizard documented in the Cisco Firepower Management Center Getting Started Guide for FMC models that support Version 6.5. The wizard configures the following:

  • The passwords for the two admin accounts (one for web interface access and the other for CLI access) are set to the same value, complying with strong password requirements.

  • The network settings the FMC uses for network communication through its management interface (eth0) are established.

  • Weekly automatic updates for the GeoDB and system software for the FMC and its managed devices are scheduled.

  • Weekly locally-stored configuration-only automatic backups for the FMC are scheduled.

New/Modified Screens:

Initial login for admin user

Supported Platforms: FMC