Cisco Firepower Management Center (FMC) & Cloud-Delivered Firepower Management Center (cdFMC)

Only Cisco Firepower Threat Defense (FTD) unified image is supported.

To use a Cisco FMC management station, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (the UI location of fields, not the information needed), please consult your device's user guide.

  1. Log in to your Cisco FMC device dashboard.
  2. Create a new user. Click System > Users > Create User. In the User Configuration dialog box:
    • Enter a user name and password.

    This cannot be a shared account; it should be designated for device retrieval use only. FMC allows each admin account only one active session at a time. If SIP/Security Manager used a shared account, a retrieval initiated by SIP/Security Manager could disconnect an admin user connected to FMC with that same account.

    • Select Security Approver as the User Role.
    • Click Save.

If you will use Policy Automation, you must also create a user account with the user role of Administrator.

  3. Enable API. Click System > Configuration.
    • Click REST API Preferences.
    • Verify that the Enable REST API check box is selected.
  4. Enable access. Click System > Configuration.
    • Click Access List.
    • Add a rule that allows the data collector to connect using HTTPS/443. All connectivity is made to the FMC manager over the exposed API using 443.
    • Click Save.
  5. Enable change support. Click System > Configuration > Audit Log.
    • Set Send Audit Log to Syslog to enabled.
    • Set Host to the IP address of the data collector monitoring the FMC and its devices.

Each firewall device must have its own unique host name for change detection to work properly.

    Central syslog must be configured with the FMC's IP address and each firewall must be configured with a Syslog Match Name that matches its device name.

  6. For FMC versions prior to 6.3.0:
    1. Enable logging for each rule. Click Policies > Access Control > Access Control.
    2. Click the Edit icon for the rule.
    3. Click the Logging tab and select Log at End of Connection.
    4. Under Send Connection Events To, select Syslog Server.
    5. Select the syslog server that was created for the data collector monitoring the FMC and its child devices. If the server is not listed, you will need to add it first and then select it.

Only one syslog destination can be set at a time. If multiple syslog destinations are required, a syslog relay must be set up. Syslog configurations set in FMC's Devices > Platform Settings are not supported for versions prior to 6.3.0.

  7. For FMC version 6.3.0 and above:
    1. Click Devices > Platform Settings > Syslog.
      • On the Logging Setup tab, select Enable Logging.
      • On the Syslog Servers tab, click Add.
      • In the IP Address field, select or enter the data collector monitoring the FMC and its child devices.
      • Select UDP.
      • The Port should be 514.
      • Under Reachable By, select Device Management Interface.
      • Save the platform settings.

      Do not enable the Syslog IDs on the Syslog Settings tab. These are not read by SIP for Firepower devices.

    2. Enable logging for each rule.
      • In Policies > Access Control > Access Control, edit the policy and open each rule that should log.
      • Click the Logging tab and select Log at End of Connection.
      • Under Send Connection Events to, select Syslog Server.
    3. Set the Default Syslog Setting for Access Control Policy.
      • In Policies > Access Control > Access Control, edit the policy, click the Logging tab.
      • Select the FTD 6.3 and later: Use the syslog settings configured in the FTD Platform Settings policy deployed on the device check box.
      • Leave Syslog Severity set to ALERT.
      • Save the Access Control Policy and Deploy the changes.
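The reason each firewall needs a unique host name and a Syslog Match Name equal to its device name is that the data collector can only attribute a syslog message to a device by the HOSTNAME field in the syslog header. The following added example (not FireMon or Cisco code) shows that attribution logic; the syslog messages, device names and match names are constructed for illustration.

```python
import re

# Constructed sample syslog messages (not real FMC/FTD output): one with an
# RFC 3164 header, one with an RFC 5424 header, and one from a host that was
# never onboarded as a device.
SAMPLE_LINES = [
    "<134>Jun 12 10:15:01 ftd-branch-01 FTD: deployment completed",
    "<134>1 2024-06-12T10:16:02Z ftd-hq-02 FMC - - - policy edited by user api_ro",
    "<134>Jun 12 10:17:03 lab-switch-9 sshd: session opened",
]

RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")
RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ (?P<host>\S+) ")


def syslog_hostname(line):
    """Return the HOSTNAME field of a syslog header, or None if unparseable."""
    for pattern in (RFC5424, RFC3164):
        match = pattern.match(line)
        if match:
            return match.group("host")
    return None


def parse_match_names(text):
    """Split a comma-separated Syslog Match Names value into a set of names."""
    return {name.strip() for name in text.split(",") if name.strip()}


def build_match_index(devices):
    """Map every match name to its device. A name shared by two devices is
    rejected, because events from that host could not be attributed."""
    index = {}
    for device, names in devices.items():
        for name in parse_match_names(names):
            if name in index and index[name] != device:
                raise ValueError(f"match name {name!r} used by {index[name]} and {device}")
            index[name] = device
    return index


def route_events(lines, index):
    """Attribute each syslog line to a device by host name. Lines whose host
    matches no onboarded device are returned separately for investigation."""
    routed, unmatched = {}, []
    for line in lines:
        device = index.get(syslog_hostname(line))
        if device is None:
            unmatched.append(line)
        else:
            routed.setdefault(device, []).append(line)
    return routed, unmatched
```

Messages that land in the unmatched list are the ones to look at when change detection silently stops working for a firewall: typically a host name that was changed on the device but not in its Syslog Match Names.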

Step 2: Onboard the Device in the Administration Module

  1. On the toolbar, click Device > Management Stations.
  2. Click Create, and then click Cisco > Firepower Management Center (FMC).
  3. General Properties section.
    1. In the Name box, type the name of the device as you want to see it in SIP.
    2. In the Description box, type an optional description of the device being added.
    3. In the Management IP Address box, type the IP address of the device.
    4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
    5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

    6. In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
    7. By default, the Automatically Retrieve Configuration check box is selected.
    8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  4. For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any Rule Documentation field updates on the management station will override updates on the member device. A rule marked to be removed will not be updated.
  5. Device Settings section.

Credentials

For FMC:

  1. In the User Name box, type the user name used for the administrator account.
  2. In the Password box, type the password used for the administrator account.
  3. In the Re-enter Password box, retype the password entered above.

For cdFMC:

  1. Select the Use Cloud-Based Retrieval checkbox.
  2. Enter the cloud-based retrieval URL without https://. This is found in Cisco Defense Orchestrator under Tools and Services > Firewall Management Center as the hostname.
  3. Enter the Access Token.

The Auth API (Access) Token is a static token key that is only visible to copy when it is created. In the CDO UI, click Tools and Services > Settings; under General Settings is a My Tokens variable. If already enabled, you will see a green check for API Token and a Refresh or Revoke option. You will need to select an option to retrieve the token if it was not saved elsewhere.

  6. Policy Automation section.
    1. In the User Name box, type the user name used for the administrator role account.
    2. In the Password box, type the password used for the administrator role account.
    3. In the Re-enter Password box, retype the password entered above.
  7. Monitoring section.
    1. By default, the Enable Change Monitoring check box is selected.
      • Enter an optional Alternate Syslog Source IP.
    2. Select the Perform Change Verification check box to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
  8. Retrieval section.

Scheduled Retrieval

  • Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection.
    • Set the Scheduled Retrieval Time to fit your requirements.
    • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

  • Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected.
    • Select a Check for Change Method type from the list.
      • General will check for configuration changes after the specified interval and perform a retrieval if changes are detected. This option requires the Check for Change Interval field to be selected and populated.
      • Specific requires FirePower 6.7 or higher.

Manual retrievals against FirePower Firewalls (FTDs) are not possible when “Specific” Check for Change is enabled. Retrievals will only happen on Active members of HA pairs; Passive members of HA pairs are not expected to have revisions. The change user will show up as the DC service account (for example, “dc_servername”) when “Specific” Check for Change is enabled. The first “Specific” Check for Change retrieval will generate a revision for the manager (FMC) and the firewalls (FTDs). These FTD revisions may have changes that aren’t deployed yet. Future revisions will only be created on the firewalls when they are deployed and match the configuration of the FMC.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
  9. Advanced section.
    • Select any of the Skip APIs that are not configured check boxes to skip those APIs during file retrievals.
    • Enter a time in seconds in the Configuration Retrieval Timeout box to set how long to wait before a system timeout during a retrieval. The default time is 120 seconds.
    • Select the Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. When enabled, online retrievals will be disabled. If enabled, the Management IP Address must be populated.
    • Select the Retrieve FTDs Running-Config check box to enable retrieving the running-configuration files for the child devices from the FMC.
  10. Click Save.
    Devices being managed will be listed in the Discovered Devices section.