FMC Getting Started

FMC Getting Started Guide

Last Updated: [last-modified] (UTC)

 

If you’re new to Firepower Management Centre before, you might find it a bit intimidating. This is especially true if you’re used to configuring ASA’s with ASDM.

This article is going to give you a place to get started. We’ll start by getting FMC 6.2 virtual edition running. Then, we’ll work on setting up some basic policies.

In this article, we’ll run through these steps:

  1. Deploy the FMC virtual appliance
  2. Configure Licensing
  3. System Configuration
  4. Configure a Health Policy
  5. Install Updates
  6. Configure an Access Control Policy
  7. Add a Device

 

At the end of the article, there is a Where to Next? section. This has ideas for extra policies and configuration that you may need next.

 

 

Deploy FMC

Before starting, allow relevant ports through any existing firewalls you may have. Here are some recommendations:

  • TCP/443 – This is for the FMC web console
  • UDP/53 – For FMC DNS lookups
  • TCP/8305 – So FMC can communicate with managed devices
  • TCP/43 – So FMC can perform WHOIS lookups
  • TCP/32137 – FMC connection to the AMP cloud and Threat Intelligence

 

To deploy FMC, follow Cisco’s deployment guide. It’s pretty straight-forward, so we’re not going to rehash it all here.

 

 

Configure Licensing

There are two types of licenses; Classic and Smart. Different devices use different license types. Here’s the quick overview:

  • FMC – Use smart licenses
  • Threat Defence – Use smart licenses
  • ASA with Firepower Services – Use classic licenses

 

Smart Licensing

Smart licenses require a Smart Licensing account to be set up. Cisco have a guide on how this is done. As part of this, you may need to convert classic licenses to smart licenses.

Make sure that you’re happy with converting licenses before you start. Smart licenses cannot convert back to classic licenses without logging a support ticket.

 

Once you have a smart account ready, you need to register it in FMC:

  1. Login to the Smart Software Manager
  2. Browse to Liccense -> Smart Software Licensing
  3. Click the Inventory tab
  4. Click New Token
  5. Copy the token to clipboard
  6. Enter the details, and click Create Token
  7. Go to FMC, and browse to System -> Licenses -> Smart Licenses
  8. Click Register
  9. Paste in the token, and Apply Changes
  10. Your Smart Licenses will be listed in the table

 

Classic Licensing

Classic licenses use the traditional PAK method. These licenses need to be manually added to FMC. To do this:

  1. Get the PAK/license file from Cisco
  2. System -> Licenses -> Classic Licenses
  3. Click Add New License
  4. Copy contents of license file in here, and click Submit License

 

 

System Configuration

Basic FMC settings are in System -> Configuration. The categories are in a list down the left side.

What you apply here is up to you. Consider settings these options:

  • Access-list – IP’s that can access FMC
  • Change Reconciliation – Email a report of changes on a regular basis
  • Email Notification – SMTP settings
  • Access Control Preferences – When changing rules, this requires adding comments to the changes
  • Name – Server name
  • Management Interfaces – Set hostname and DNS servers
  • Time Synchronization – NTP settings

 

 

Health Policy

FMC and managed devices both use health policies. If you want, you can have one policy for everything.

  1. System -> Health -> Policy
  2. Enter a Name and Description
  3. Set the policy options as you see fit
  4. Save the policy and exit
  5. Click the green check box to apply the policy

Consider enabling these settings:

  • AMP for Firepower (if licensed)
  • Hardware alerts (CPU, disk, memory)
  • HA alerts (if HA is used)

 

After applying the policy, browse to System -> Health -> Monitor to see the current status.

 

 

Install Updates

Browse to System -> Updates, and you will see that there are three types of updates. These are:

  • Product Updates – Updates for FMC, appliances, and the vulnerability database
  • Rule Updates – Updates for IPS rules
  • Geolocation Updates – Updates for the Geolocation IP database

 

In the Product Updates tab, click Download Updates to get the latest updates from Cisco. Or, download them from Cisco’s download site, and click click Upload Update.

When there are updates to install, click the install icon next to it. Best practice is to run the pre-install checks first. When you’re happy, install the update. Devices may reboot during the update process.

Go to the Rules Updates tab. Run a one-time update for now. This will take a while to run. Also, configure regular updates to allow this to happen transparently.

Go to the Geolocation Updates tab. As before, run a one-time update, and then schedule regular updates.

To see the update progress, click the Status icon, between the Deploy button and the Status tab.

 

Access Control Policy

Each device needs at least an Access Control Policy (ACP). At it’s simplest, the ACP provides firewall rules. In a more advanced deployment, it is also used to tie extra security policies together.

For now, we’ll look at creating a basic policy to get started with.

Browse to Policies -> Access Control, and click New Policy. Enter a Name and Description for the policy.

Leave the default action as Block all Traffic for now. This means that the policy will not allow any traffic, unless it’s explicitly allowed.

There will be no devices to add in yet, so leave them empty. Save the policy.

 

More detail can be found in the Access Control Policy article

[maxbutton id=”4″ text=”Access Control Policies” url=”https://networkdirection.net/FMC+Access+Control+Policies”]

 

 

Add a Device

There are two parts to adding devices to FMC. Configuring the device, and configuring FMC.

 

Device Configuration

  1. Logon to the Firepower CLI of the device
  2. Enter configure manager add x.x.x.x key
    • x.x.x.x is the IP address of FMC
    • key is a password that you choose
  3. Log out of the CLI

 

FMC Configuration

  1. Browse to Devices -> Device Management
  2. Click Add -> Add Device
  3. Enter this information:
    • Host – IP of the device
    • Display Name – Name of the device (this will appear in FMC)
    • Registration Key – The password defined earlier on the CLI
    • Group – Leave as ‘none’ for now. This is optional, and can be added later
    • Access Control Policy – Specify the empty policy created earlier
    • Select the licenses that apply to this device
  4. Click Register. FMC will add the device. This will take a while, so be patient

 

 

Where to Next?

You now have a functioning FMC! There’s plenty more to do before you will get the full value though.

Here are some extra steps you may want to take, depending on your needs. Coming soon are plenty of articles available to help you along the way.

 

 

References

Lab Minutes – SEC0160 – ASA FirePower FireSight Basic Configuration (Part 1)

 

Leave a Reply