Thursday, March 7, 2019

Installing Cisco Virtual FMC 6.2.3 in VMware Workstation

There are a number of Cisco Firepower Management Center models. Choose the one that’s right for your organization based on the number of sensor appliances to be monitored (both physical and virtual), the number of hosts in your environment, and the anticipated security events rate. All models provide the same management capabilities, including:
* Centralized device, license, event, and policy management
* Role-based management (segmented and isolated views and duties based on administrator role or group)
* Customizable dashboard with custom and template-based reports
* Comprehensive reporting and alerts for both general and focused information
* Event and contextual information displayed in hyperlinked tables, graphs, and charts
* Network behavior and performance monitoring
* Robust high-availability options to help ensure there’s no single point of failure
* Correlation and remediation features for real-time threat response
* Open APIs for integration with third-party solutions and customer work streams, such as firewalls, network infrastructure, log management, SIEM, trouble ticketing, and patch management

With an FMC, you can manage one or more devices running:
* The same major version as the FMC, including patches. Although you can manage a patched device with an unpatched FMC, we recommend you upgrade both. This allows you to take advantage of any new features and bug fixes.
* Some older major versions and patches to those major versions. Although you can manage an older device with a newer FMC, you cannot fully take advantage of new features and bug fixes until you upgrade both.


I was able to deploy the Cisco Firepower Management Center virtual (FMCv) in VMware Workstation. You can download the FMCv appliance compressed image from the Cisco software download site (with valid CCO account). The FMCv can support up to 25 sensors. Since I'm running ASA version 9.8(2)38 and FirePOWER version 6.2.3-83 based on the compatibility matrix, I need to run an FMC using version 6.2.3.

Extract Cisco_Firepower_Management_Center_Virtual_VMware-6.2.3-83.tar > double-click the VMware ESXi OVF file in order for the VMware Workstation to import the VM settings.


Click Import



Right-click on FMC VM > click Network Adapter > change Network Connection to Custom:VMNet0 (my internal 192.168.1.0/24 subnet).


Power on the VM (click the green arrow).





The installation almost took 40 mins to finish. The default login is: admin / Admin123


Backup the VM by doing a right-click > Power Off.


I've renamed the VM to FMCv > right-click > Snapshot > type a name > Take Snapshot.



I moved the VM under the CYBER folder > Power on the VM.

The FMC booted but showed an error that it didn't shutdown properly and running DB (database) check. This will take around 5 mins to finish.
 

Issue an ifconfig to view the FMC management IP address which is 192.166.45.45/24 (default)

To change the FMC IP address, issue a sudo Ifconfig eth0 192.168.1.200 netmask 255.255.255.0
 
Type the default password (Admin123) when prompted.



From a machine or NMS on the same subnet, open a web browser and type https://192.168.1.200. It will show a warning Your connection is not secure since the FMC self-sign cert is not yet installed on the machine.

Click Advanced > Add Exception > Confirm Security Exception in order to accept the self-signed certificate.


You'll get to the FMC main login page. Notice there's a warning System processes are starting, please wait.

I waited for several minutes/hours and even rebooted the VM but the error is still there. Just let it run overnight if you're using VMWare Workstation and the error will be gone the next day.


Login again using the default credentials: admin / Admin123


Once you're login, it will ask you to change the default password. You can also change other settings such as the FMC hostname, domain and DNS server on this page.


Skip the rest of the fields (you can change these System settings later). Tick I have read and agree to the End User License Agreement > click Apply


This will take a few minutes to finish and then the Summary Dashboard will be displayed.


To perform the FMC post-installation configuration (before adding any managed devices such as FTD or ASA with FirePOWER), just go to System > Configuration tab.


You'll be automatically redirected to Information, where you can change the FMC Name (FQDN).


You can lockdown remote access on certain NMS IP or subnet by going to Access > Add Rules.


Type the IP address > tick Port: SSH, HTTPS or SNMP > click Add > click Save every time you make any changes.



You can remove the any Host entries afterwards (click the trash bin icon).


You can perform FMC appliance Shutdown, Reboot or Restart under Process. These can only be performed on a FMC hardware or server platforms such as the FMC 1000, FMC 2500 or FMC 4500.
  
You can perform these actions in the vSphere client when running FMC a VMware environment.
 

The Audit Log Certificate is used to integrate with a Public Key Infrastructure (PKI).


You can enable and send Syslogs under Audit Log.


Choose Enabled under Send Audit Log to Syslog > type the Syslog server IP address under Host > choose SYSLOG under the Facility code


Choose INFO (Severity level 6) under the Severity level.


You optionally type a Tag (FMC in this case) to identify the syslog was generated by the FMC > click Save.


I ran a 3CDaemon Syslog server in my NMS (192.168.1.100). Notice an Informational Syslog (Severity Level 6) was generated from FMCv.


You can create a custom login banner under Login Banner > type the banner message (complying with your IT/security policy) > Save.


You'll see the custom banner whenever you login to FMC via SSH or HTTPS.



You can enable Change Reconciliation to send an email report for any changes made on the FMC.

I'll just show the rest of the FMC configuration options. You can refer to the FMC configuration guide for more info.










You can edit the FMC Management IPv4 address (eth0), add static routes, hostname, DNS settings and Remote Management Port (8305) under Management Interfaces.


Click edit (pencil icon) on the right of eth0 to edit the Management Interface.


Click add (+ symbol) under Routes to add static routes.


You'll need a default route to reach remote networks other than FMC's local network (192.168.1.0/24).

admin@FMCv-LAB:~$ ping 8.8.8.8
connect: Network is unreachable

To configure a static default route, tick Default Route > type the IP address under Gateway > click OK.
 

Click Save (at the bottom page).


You should now be able to ping remote networks (Google DNS).

admin@FMCv-LAB:~$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted      // ISSUE sudo TO ALLOW root COMMANDS TO BE EXECUTED
admin@FMCv-LAB:~$
admin@FMCv-LAB:~$ sudo ping 8.8.8.8
Password:
Last login: Tue Feb  5 09:43:04 UTC 2019
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=118 time=9.24 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=118 time=6.04 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=118 time=7.57 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 6.047/7.620/9.242/1.304 ms







The FMC uses its own local clock 127.127.1.1 by default. To configure a NTP server,  go to Time Synchronization (or click the hyperlink).


You can use Google free NTP server time.google.com
 

Notice the Google NTP Server 216.239.35.8 Status changed to Being Used. The FMC by default will retain its local NTP Server 127.127.1.1 as backup.






1 comment:

  1. "You'll get to the FMC main login page. Notice there's a warning System processes are starting, please wait."

    Stuck here. Wonder whether waiting ~24 hours will be worth it. Can't find any solutions online, and definitely can't afford the luxury of using TAC.

    Nice post.

    ReplyDelete