Friday, April 19, 2019

Configuring Devices in Cisco FMC

Before you can manage a Firepower System device, you must set up a two-way, SSL-encrypted communication channel between the device and the Firepower Management Center. The appliances use the channel to share configuration and event information. High availability peers also use the channel, which is by default on port 8305/tcp.

To enable communications between two appliances, you must provide a way for the appliances to recognize each other. The Firepower System uses three criteria when allowing communications:

* The hostname or IP address of the appliance with which you are trying to establish communication.

  In NAT environments, even if the other appliance does not have a routable address, you must provide a hostname or an IP address either when you are configuring remote management or when you are adding the managed appliance.

* A self-generated alphanumeric registration key up to 37 characters in length that identifies the connection.

* An optional unique alphanumeric NAT ID that can help the Firepower System establish communications in a NAT environment.

  The NAT ID must be unique among all NAT IDs used to register managed appliances.


Connect to the FirePOWER module CLI with the session sfr command from ASA privileged EXEC mode.

ASA5506W-X# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

ASA5506X-FP login: admin
Password:
Last login: Tue Nov 20 05:14:43 UTC 2018 on ttyS1

Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506W v6.2.3 (build 83)

Last login: Tue Mar 12 08:01:01 UTC 2019 on cron

> system support ping 192.168.1.200      // VERIFY CONNECTIVITY TO FMC
Last login: Tue Mar 12 08:32:17 UTC 2019 on pts/0
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_req=1 ttl=64 time=4.42 ms
64 bytes from 192.168.1.200: icmp_req=2 ttl=64 time=0.998 ms
64 bytes from 192.168.1.200: icmp_req=3 ttl=64 time=1.03 ms
64 bytes from 192.168.1.200: icmp_req=4 ttl=64 time=0.996 ms
64 bytes from 192.168.1.200: icmp_req=5 ttl=64 time=3.78 ms
^C
--- 192.168.1.200 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.996/2.247/4.420/1.528 ms

> configure manager add 192.168.1.200 cisco      // ADD FMC IP; USE THE SAME REGISTRATION KEY ON FMC
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

> show managers
Host                      : 192.168.1.200
Registration Key          : ****
Registration              : pending
RPC Status                :
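The three criteria listed earlier and the configure manager add step just shown reduce to a handful of rules that have to agree across two user interfaces, which is where registrations usually fail. The Python script below is an added example for this page, not Cisco code: it validates a registration key and NAT ID against those rules (1 to 37 alphanumeric characters; NAT ID unique per FMC and mandatory when one side cannot reach the other by address), generates a random key instead of a dictionary word such as cisco (the key is a one-time shared secret, so a guessable value is only acceptable in a lab), and emits the matching module command and FMC form values. It assumes the module CLI syntax configure manager add {host | DONTRESOLVE} reg_key [nat_id]; the set of NAT IDs already in use is a constructed sample. The TCP check at the end is meant to be run from a host on the FMC management network, because a successful system support ping only proves ICMP reachability, not that port 8305/tcp is open.

```python
"""Plan an ASA FirePOWER <-> FMC registration and sanity-check its inputs.

Added example for this page, not Cisco code. It encodes the registration
criteria described on the page: a 1-37 character alphanumeric registration
key, an optional NAT ID that must be unique per FMC, and the rule that a NAT
ID is mandatory when one side cannot reach the other by address. The module
CLI syntax 'configure manager add {host|DONTRESOLVE} reg_key [nat_id]' is
assumed; the NAT IDs already in use are a constructed sample.
"""
import re
import secrets
import socket
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SFTUNNEL_PORT = 8305          # default FMC <-> device management channel (TCP)
MAX_REG_KEY_LEN = 37
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def generate_reg_key(length: int = 32) -> str:
    """Random alphanumeric one-time registration key. A dictionary word such
    as 'cisco' is fine in a lab; use a random key outside one."""
    if not 1 <= length <= MAX_REG_KEY_LEN:
        raise ValueError(f"length must be between 1 and {MAX_REG_KEY_LEN}")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_inputs(fmc_host: Optional[str], device_host: Optional[str],
                    reg_key: str, nat_id: Optional[str],
                    used_nat_ids: Set[str]) -> List[str]:
    """Return the list of problems with the inputs (empty = consistent).

    fmc_host    None -> FMC not addressable from the module (DONTRESOLVE)
    device_host None -> module not addressable from the FMC (Host left blank)
    """
    problems: List[str] = []
    if not reg_key or len(reg_key) > MAX_REG_KEY_LEN or not _ALNUM.match(reg_key):
        problems.append("registration key must be 1-37 alphanumeric characters")
    if nat_id is not None:
        if not _ALNUM.match(nat_id):
            problems.append("NAT ID must be alphanumeric")
        elif nat_id in used_nat_ids:
            problems.append("NAT ID already used by another managed device")
    if fmc_host is None and device_host is None:
        problems.append("at least one side must be reachable by address")
    elif (fmc_host is None or device_host is None) and nat_id is None:
        problems.append("NAT ID required when one side is unreachable by address")
    return problems


@dataclass(frozen=True)
class RegistrationPlan:
    fmc_host: Optional[str]
    device_host: Optional[str]
    reg_key: str
    nat_id: Optional[str]

    def device_command(self) -> str:
        """The command to enter at the module's '>' prompt."""
        parts = ["configure manager add", self.fmc_host or "DONTRESOLVE", self.reg_key]
        if self.nat_id:
            parts.append(self.nat_id)
        return " ".join(parts)

    def fmc_form(self) -> Dict[str, str]:
        """Matching values for Devices > Device Management > Add on the FMC."""
        return {"Host": self.device_host or "",
                "Registration Key": self.reg_key,
                "Unique NAT ID": self.nat_id or ""}


def plan_registration(fmc_host: Optional[str], device_host: Optional[str],
                      reg_key: str, nat_id: Optional[str] = None,
                      used_nat_ids: Set[str] = frozenset()) -> RegistrationPlan:
    """Validate, then return the settings that must agree on both sides."""
    problems = validate_inputs(fmc_host, device_host, reg_key, nat_id, used_nat_ids)
    if problems:
        raise ValueError("; ".join(problems))
    return RegistrationPlan(fmc_host, device_host, reg_key, nat_id)


def sftunnel_reachable(host: str, port: int = SFTUNNEL_PORT, timeout: float = 3.0) -> bool:
    """A successful 'system support ping' only proves ICMP. Run this from a
    host on the FMC management network to confirm the TCP port the channel
    actually uses accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    in_use = {"branch01", "branch02"}   # constructed: NAT IDs already assigned on this FMC
    plan = plan_registration("192.168.1.200", "192.168.1.10", generate_reg_key(), None, in_use)
    print(plan.device_command())
    print(plan.fmc_form())
    # FMC behind NAT: the module uses DONTRESOLVE and both sides share a fresh NAT ID
    nat_plan = plan_registration(None, "203.0.113.7", generate_reg_key(), "branch03", in_use)
    print(nat_plan.device_command())
    print(nat_plan.fmc_form())
```

The validation deliberately rejects the case where neither side is addressable: with DONTRESOLVE on the module and Host left blank on the FMC there is nobody to open the channel, and the registration stays in the "pending" state shown above indefinitely.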


To add a device in FMC, go to Devices > Device Management > Add.

You can optionally create a Group if managing several devices.


Fill in the device information and create a placeholder access control policy so that the registration can complete. Leave Unique NAT ID empty unless there is NAT between the module and the FMC; in that case the same NAT ID must be entered here and as the optional third argument of configure manager add on the module.


If this is the first device being added, temporarily create a new access control policy: set Base Policy to None, choose Network Discovery as the Default Action, and click Save. It can be replaced with a real policy once the device is registered.

Once you tick the Protection license, the Control, Malware and URL Filtering licenses become selectable; VPN stays unavailable for the ASA FirePOWER module. Click Register.


Adding the device (or sensor) will take a couple of minutes.


Notice the green check icon which indicates the device was successfully added.



You can verify the ASA FirePOWER registration status using the show managers command.

> show managers
Type                      : Manager
Host                      : 192.168.1.200
Registration              : Completed


To check whether the Health Policy has been applied to the ASA FirePOWER device, go to Health > Policy.

The FMC automatically applied the configured Health Policy to the ASA FirePOWER device (Applied To: 2 appliances). Click on the green check icon (Apply) to verify.



To view device information go to Devices > Device Management > Edit (pencil icon).





If you need to remove the FMC (manager), use the configure manager delete command on the FirePOWER module CLI. This only clears the manager on the module side; the device stays listed on the FMC until you also delete it under Devices > Device Management, which you should do before registering the module again:

> configure manager delete

> show managers
No managers configured.
