Friday, April 12, 2019

Configuring Cisco FMC 6.2.3 Updates, Licenses and Health Policy

There are two types of FMC Licenses: Classic (or Traditional) and Smart License.

The Classic (or Traditional) License is the older form of licensing at Cisco. It requires a product authorization key (PAK) to activate and is not transferable between devices. Classic licenses are used by 7000 and 8000 Series devices, ASA FirePOWER modules and NGIPSv.

Smart Licensing is the newer form of licensing at Cisco. It lets you manage a pool of licenses centrally. Unlike Classic licenses, Smart Licenses are not tied to a specific serial number or PAK. You activate a Smart License from the Firepower Management Center or the Firepower Device Manager. Your Smart Account holds the Smart Licenses that your company has purchased. Licenses must be in your Smart Account before you can see them in the Cisco Smart Software Manager (CSSM) and consume them. Your Cisco account representative or authorized reseller deposits your purchased licenses into your Smart Account, and may create the Smart Account for you.


To update the FMC software (apply any minor or major patch) or the Vulnerability Database (VDB), go to System > Updates > Product Updates. Make sure the FMC can reach the Cisco cloud if you want it to download updates directly.

Notice there are no updates available yet. You can either manually upload a patch by clicking Upload Update or retrieve the list of available updates from the Cisco cloud by clicking Download updates.


I've clicked Download updates in this case. This takes about 10 minutes depending on the FMC specs, the number of updates available on the Cisco cloud and your Internet speed.

Notice there are two Product Updates. I'll just install the Sourcefire Vulnerability and Fingerprint Database Update (the VDB), since it doesn't require a reboot. Click Install.
 


Tick the FMC appliance. A pop-up message or warning will appear saying the operation might interrupt traffic inspection. Click OK > Install.

It's best practice to perform FMC updates in a change window with low user traffic (usually at midnight).
 

You can verify the installation status by clicking on the green check icon beside the Deploy tab.




A Task Notification will be displayed saying the update was Successfully Installed.


To update the IPS (Snort) rules, go to System > Updates > Rule Updates.

You can manually apply a one-time rule update by selecting Rule update or text rule file to upload and install > Browse for the file > Import.

Or select Download new rule update from the Support Site > Import.

You can also tick Enable Recurring Rule Update Import from the Support Site and set the Import Frequency. I set the recurring rule update import from the Cisco cloud to run every Saturday at 12am.

I didn't tick the option to deploy policies after the import (Policy Deploy). It's best practice to read the release notes first and test the new rules before deploying them to production. Click Save.
 



To update the Geolocation Database (GeoDB), which maps routable (public) IP addresses to their country and continent, go to System > Updates > Geolocation Updates. Notice the Running geolocation update version: None.

Like the rule update, you can manually Upload and install geolocation update > Browse for the file > Import.

Or perform a one-time geolocation update: tick Download and install geolocation update from the Support Site > Import.

Notice the note that geolocation database updates may be large and can take up to 45 minutes to install.

You can also perform Recurring Geolocation Updates: tick Enable Recurring Weekly Updates from the Support Site > under Update Start Time choose the day and time. Click Save.
 



Verify FMC task by clicking the green check icon.



It took me around 31 hours to install the geolocation database (due to my low VM specs). It's best practice to perform this task in a change window and at midnight, when traffic is low.


You can obtain a demo license (L-5506W-TAMC-E45D) for the Cisco ASA5506W-X FirePOWER module from the Cisco Licensing Portal in order to enable the URL Filtering and Malware features.



To add a license key, go to System > Licenses > Classic Licenses (for an ASA with a FirePOWER module).


Click Add New License



You can ask Cisco TAC for the Protect+Control license for free. Make sure to give TAC the exact ASA model (ASA5506W in this case).

I was initially provided with the wrong PROTECT+CONTROL license (for an ASA5506) and wasn't able to apply Application Control policy rules. Copy and paste the license key > Submit License.

Click Return to License Page (at the very bottom).




You should see a count of one (1) under Protection and Control Licenses. Click Add New License.

Copy and paste the URLFilter license key > Submit License.



Do the same for the MALWARE license.


TAC sent me the wrong PROTECTION+CONTROL license (for the ASA5506, without the W) twice before I was given the correct PROTECTION+CONTROL license for the ASA5506W, with a quantity of two.
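As an added example that is not part of the original post, the following Python script checks by API what the update and license sections above have you verify by hand: whether the VDB, rule (SRU) and GeoDB versions running on the FMC are current, and whether each managed device actually carries the license capabilities (URL Filtering, Malware) that your access control rules depend on. It assumes the FMC 6.2.3 REST API (the generatetoken and serverversion endpoints under /api/fmc_platform/v1 and devicerecords under /api/fmc_config/v1). The sample responses embedded below are constructed to mimic those endpoints, not captured from a real FMC; the exact version-string layouts and the license_caps capability names are assumptions to confirm against your own FMC.

```python
"""Offline check of FMC update currency and device license capabilities.

Assumed FMC 6.2.3 REST endpoints:
  POST /api/fmc_platform/v1/auth/generatetoken   (token returned in X-auth-access-token)
  GET  /api/fmc_platform/v1/info/serverversion   (vdbVersion, sruVersion, geoVersion)
  GET  /api/fmc_config/v1/domain/{uuid}/devices/devicerecords?expanded=true
"""
import base64
import datetime as dt
import json
import re
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
VERSION_PATH = "/api/fmc_platform/v1/info/serverversion"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords?expanded=true"
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

# Constructed sample responses (not captured from a real FMC). geoVersion "None"
# mirrors the "Running geolocation update version: None" seen before the GeoDB install.
SAMPLE_VERSION = {"items": [{
    "type": "ServerVersion",
    "serverVersion": "6.2.3 (build 83)",
    "vdbVersion": "build 309 ( 2018-06-01 11:19:40 )",
    "sruVersion": "2019-04-06-001-vrt",
    "geoVersion": "None",
}]}
SAMPLE_DEVICES = {"items": [
    {"name": "ASA5506W-SFR", "license_caps": ["BASE", "THREAT", "URLFilter", "MALWARE"]},
    {"name": "lab-ngipsv", "license_caps": ["BASE", "THREAT"]},
]}


def login(host, user, password, cafile=None):
    """Live call: HTTP Basic auth to generatetoken; returns (token, domain_uuid).
    Pass the CA that signed the FMC certificate instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{TOKEN_PATH}", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def fmc_get(host, token, path, cafile=None):
    """Live call: authenticated GET returning the decoded JSON body."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def component_dates(serverversion):
    """Map VDB/SRU/GeoDB -> newest YYYY-MM-DD found in its version string, or None.
    Pulling dates out by regex avoids depending on the exact string layout."""
    item = serverversion["items"][0]
    out = {}
    for key, name in (("vdbVersion", "VDB"), ("sruVersion", "SRU"), ("geoVersion", "GeoDB")):
        dates = [dt.date(*map(int, m)) for m in DATE_RE.findall(str(item.get(key, "")))]
        out[name] = max(dates) if dates else None
    return out


def stale_components(serverversion, today=None, max_age_days=30):
    """Names of components that are missing or older than max_age_days."""
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    return sorted(name for name, d in component_dates(serverversion).items()
                  if d is None or (today - d).days > max_age_days)


def missing_license_caps(devicerecords, required=("BASE", "URLFilter", "MALWARE")):
    """Map device name -> required capabilities absent from its license_caps.
    A device whose license_caps lacks URLFilter or MALWARE cannot enforce rules
    that depend on those features, whatever the policy says."""
    missing = {}
    for dev in devicerecords.get("items", []):
        lacking = sorted(set(required) - set(dev.get("license_caps", [])))
        if lacking:
            missing[dev["name"]] = lacking
    return missing


if __name__ == "__main__":
    # Offline run over the constructed samples; use login()/fmc_get() against a live FMC.
    print("stale:", stale_components(SAMPLE_VERSION, "2019-04-12"))
    print("missing caps:", missing_license_caps(SAMPLE_DEVICES))
```

Run it from a scheduled job after the recurring Saturday imports and page on a non-empty result; a max_age_days of 30 is a reasonable starting point for the VDB and GeoDB, while the SRU, which Cisco publishes far more often, deserves a tighter threshold.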


To monitor FMCv appliance System Health, go to System > Health > Monitor.


You can view a Status Summary (with Count) of the FMCv appliance.


To modify the Health Policy, go to System > Health > Policy.


There's an initial Health Policy (its name is the date and time the FMC first booted) > click edit (pencil icon) on the right.


Rename the initial Health Policy (FMCv_HEALTH_POLICY in this case). I'll just show the rest of the Health Policy options and leave them at their default values.

Click Save Policy and Exit towards the bottom of the page.



Notice the policy is out of date. You need to apply the new or edited Health Policy by clicking Apply (check icon) on the right.


Tick the FMCv appliance > Apply.


A pop-up message will show the Health Policy was applied successfully. Just refresh the web browser (or hit F5).



To view Health Event logs, go to System > Health > Events.



To temporarily disable health monitoring for an appliance (e.g. while performing system maintenance), go to System > Health > Blacklist.


Tick the FMC appliance > click Blacklist Selected Devices.


To create Health Alerts via email, SNMP, syslog, etc., go to System > Health > Monitor Alerts.



To view system-related audit logs, go to System > Monitoring > Audit.



To view Syslog, go to System > Monitoring > Syslog.



To view FMC appliance/system statistics, go to System > Monitoring > Statistics.


