System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices:

Size: px
Start display at page:

Download "System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices:"

Transcription

1 The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: Introduction to, page 2 Appliance Information, page 5 Custom HTTPS Certificates, page 6 External Database Settings, page 10 Database Event Limits, page 11 Management Interfaces, page 14 System Shut Down and Restart, page 29 Remote Storage Management, page 31 Change Reconciliation, page 35 Policy Change Comments, page 36 The List, page 37 Audit Logs, page 39 Dashboard Settings, page 40 DNS Cache, page 41 Notifications, page 42 Language Selection, page 43 Login Banners, page 44 SNMP Polling, page 45 STIG Compliance, page 47 Time and Time Synchronization, page 49 Session Timeouts, page 53 Vulnerability Mapping, page 54 1

2 Introduction to Remote Console Management, page 55 VMware Tools and Virtual Systems, page 62 Introduction to System configuration settings apply to either a Firepower or a Classic managed device (7000 and 8000 Series, ASA FirePOWER, NGIPSv): For the Firepower these configuration settings are part of a "local" system configuration. that system configuration on the Firepower is specific to a single system, and changes to a 's system configuration affect only that system. For a Classic managed device, you apply a configuration from the Firepower as part of a platform settings policy. You create a shared policy to configure a subset of the system configuration settings, appropriate for managed devices, that are likely to be similar across a deployment. Tip For 7000 and 8000 Series devices, you can perform limited system configuration tasks from the local web interface, such as console configuration and remote management. These are t the same configurations that you apply to a 7000 or 8000 Series device using a platform settings policy. Navigating the Firepower Global only The system configuration identifies basic settings for a Firepower. Choose System > Configuration. Use the navigation panel to choose configurations to change; see Table 1: Settings, on page 3 for more information. Settings The following table describes the system configuration settings for the Firepower. For 7000 and 8000 Series devices, the table also identifies which settings you configure from the device's local web interface, and which you configure using a platform settings policy deployed from the Firepower. 2

3 Settings Table 1: Settings Setting Description Also configurable from: Platform Settings 7000 & 8000 Series Information View current information about the appliance and edit the display name; see Appliance Information, on page 5. yes HTTPS Certificate Request an HTTPS server certificate, if needed, from a trusted authority and upload certificates to the system; see Custom HTTPS Certificates, on page 6. yes External Database Enable external read-only access to the database, and provide a client driver to download; see External Database Settings, on page 10. Database Specify the maximum number of each type of event that the Firepower can store; see Database Event Limits, on page 11. Management Interfaces Change options such as the IP address, hostname, and proxy settings of the appliance; see Management Interfaces, on page 14. yes Process Shut down, reboot, or restart Firepower System-related processes; see System Shut Down and Restart, on page 29. yes Remote Storage Device Configure remote storage for backups and reports; see Remote Storage Management, on page 31. Change Reconciliation Configure the system to send a detailed report of changes to the system over the last 24 hours; see Change Reconciliation, on page 35. yes Control Preferences Configure the system to prompt users for a comment when they add or modify an access control policy; see Policy Change Comments, on page 36. List Control which computers can access the system on specific ports; see The List, on page 37. yes Audit Log Configure the system to send an audit log to an external host; see Audit Logs, on page 39. yes Dashboard Enable Custom Analysis widgets on the dashboard; see Dashboard Settings, on page 40. DNS Cache Configure the system to resolve IP addresses automatically on event view pages; see DNS Cache, on page 41. Notification Configure a mail host, select an encryption method, and supply authentication credentials for -based tifications and reporting; see Notifications, on page 42. 3

4 Settings Setting Description Also configurable from: Platform Settings 7000 & 8000 Series External Authentication Set the default user role for any user who is authenticated by an external RADIUS, LDAP or Microsoft Active Directory repository; see External Authentication Settings yes Intrusion Policy Preferences Configure the system to prompt users for a comment when they modify an intrusion policy; see Policy Change Comments, on page 36. Language Specify a different language for the web interface; see Language Selection, on page 43. yes Login Banner Create a custom login banner that appears when users log in; see Login Banners, on page 44. yes Network Analysis Policy Preferences Configure the system to prompt users for a comment when they modify a network analysis policy; see Policy Change Comments, on page 36. SNMP Enable Simple Network Management Protocol (SNMP) polling; see SNMP Polling, on page 45. yes STIG Compliance Enable compliance with specific requirements set out by the United States Department of Defense; see STIG Compliance, on page 47. yes Time View the current time setting and, if the time synchronization setting in the current system configuration is set to Manually in Local Configuration, change the time; see Time and Time Synchronization, on page 49. yes Time Synchronization Manage time synchronization on the system; see Time and Time Synchronization, on page 49. yes Shell Timeout Configure the amount of idle time, in minutes, before a user s login session times out due to inactivity; see Session Timeouts, on page 53. yes Vulnerability Mapping Map vulnerabilities to a host IP address for any application protocol traffic received or sent from that address; see Vulnerability Mapping, on page 54. Console Configuration Configure console access via VGA or serial port, or via Lights-Out Management (LOM); see Remote Console Management, on page 55. limited VMware Tools Enable and use VMware Tools on a Firepower Virtual; see VMware Tools and Virtual Systems, on page 62. n/a n/a Related Topics Introduction to Firepower Platform Settings 4

5 Appliance Information Appliance Information The Information page of the web interface includes the information listed in the table below. Unless otherwise ted, all fields are read-only. Field Name Product Model Serial Number Software Version Prohibit Packet Transfer to the Firepower Operating System Operating System Version IPv4 Address IPv6 Address Current Policies Model Number Description A name you assign to the appliance. that this name is only used within the context of the Firepower System. Although you can use the host name as the name of the appliance, entering a different name in this field does t change the host name. The model name of the appliance. The serial number of the appliance. The version of the software currently installed on the appliance. Specifies whether the managed device sends packet data with events, allowing the data to be stored on the Firepower. This setting is available on the local web interface on 7000 and 8000 Series devices. The operating system currently running on the appliance. The version of the operating system currently running on the appliance. The IPv4 address of the default (eth0) management interface. If IPv4 management is disabled, this field indicates that. The IPv6 address of the default (eth0) management interface. If IPv6 management is disabled, this field indicates that. The system-level policies currently deployed. If a policy has been updated since it was last deployed, the name of the policy appears in italics. The appliance-specific model number stored on the internal flash drive. This number may be important for troubleshooting. Viewing and Modifying the System Information Global only 7000 & 8000 Series 5

6 Custom HTTPS Certificates The Information page on the Firepower s web interface or on the 7000 and 8000 Series local web interface provides information about your system, including read-only information such as the product name and model number. The page also provides you with an option to change the display name of the system and, for 7000 and 8000 Series devices, prohibit packet transfer. Prohibiting packet transfer can be a good idea in a low-bandwidth deployment where you are t concerned about the specific content of the packet that triggered the intrusion policy violation. Choose System > Configuration. Optionally, change the system information settings: Name To change the display name, enter a name in the Name field. Prohibit packet transfer To prevent sending packet data to the Firepower, check the Prohibit Packet Transfer to the check box. This option is only available from a 7000 or 8000 Series device's local web interface. Step 3 Click Save. Custom HTTPS Certificates Secure Sockets Layer (SSL) certificates enable Firepower s and 7000 and 8000 Series devices to establish an encrypted channel between the system and a web browser. A default certificate is included with all Firepower devices, but it is t generated by a certificate authority (CA) trusted by any globally kwn CA. For this reason, consider replacing it with a custom certificate signed by a globally kwn or internally trusted CA. You can use the Firepower web interface to generate a certificate request based on your system information and the identification information you supply. You can use that request to self-sign a certificate if you have an internal certificate authority (CA) installed that is trusted by your browser. You can also send the resulting request to a certificate authority to request a server certificate. After you have a signed certificate from a certificate authority (CA), you can import it. You can restrict access to the Firepower System web server using client browser certificate checking. When you enable user certificates, the web server checks that a user s browser client has a valid user certificate selected. That user certificate must be generated by the same trusted certificate authority used for the server certificate. The browser cant load the web interface under any of the following circumstances: The user selects a certificate in the browser that is t valid. The user selects a certificate in the browser that is t generated by the certificate authority that signed the server certificate. The user selects a certificate in the browser that is t generated by a certificate authority in the certificate chain on the device. 6

7 Viewing the Current Server Certificate You can also load a certificate revocation list (CRL) for the server. The CRL lists any certificates that the certificate authority has revoked, so the web server can verify that the client browser certificate is valid. If the user selects a certificate that is listed in the CRL as a revoked certificate, the browser cant load the web interface. Viewing the Current Server Certificate Global only 7000 & 8000 Series You can only view server certificates for the appliance you are logged into. Choose System > Configuration. Click HTTPS Certificate. Generating and Submitting a Certificate Signing Request N/A Classic Global only When you generate a certificate request through the local configuration HTTPS Certificate page using this procedure, you can only generate a certificate for a single system. Similarly, if you install a certificate that is t signed by a globally kwn or internally trusted CA, you receive a security warning when you connect to the system. The key generated for the certificate request is in Base-64 encoded PEM format. 7

8 Server Certificate Upload Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step Choose System > Configuration. Click HTTPS Certificate. Click Generate New CSR. Enter a country code in the Country Name (two-letter code) field. Enter a state or province postal abbreviation in the State or Province field. Enter a Locality or City. Enter an Organization name. Enter an Organizational Unit (Department) name. Enter the fully qualified domain name of the server for which you want to request a certificate in the Common Name field. You must enter the fully qualified domain name of the server exactly as it should appear in the certificate in the Common Name field. If the common name and the DNS host name do t match, you receive a warning when connecting to the appliance. Click Generate. Open a text editor. Copy the entire block of text in the certificate request, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into a blank text file. Save the file as servername.csr, where servername is the name of the server where you plan to use the certificate. Click Save. What to Do Next Upload the signed server certificate; see Uploading Server Certificates, on page 8. Server Certificate Upload If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain, sometimes referred to as a certificate path. If you require user certificates, they must be generated by a certificate authority whose intermediate authority is included in the certificate chain. Uploading Server Certificates Global only 7000 & 8000 Series 8

9 Requiring Valid User Certificates If the signing authority that generated the certificate requires you to trust an intermediate CA, you must also supply a certificate chain, sometimes referred to as a certificate path. If you require user certificates, they must be generated by a certificate authority whose intermediate authority is included in the certificate chain. Before You Begin Generate a certificate signing request; see Generating and Submitting a Certificate Signing Request, on page 7. Upload the CSR file to the certificate authority where you want to request a certificate, or use the CSR to create a self-signed certificate. Step 3 Step 4 Step 5 Step 6 Step 7 Choose System > Configuration. Click HTTPS Certificate. Click Import HTTPS Certificate. Open the server certificate in a text editor, copy the entire block of text, including the BEGIN CERTIFICATE and END CERTIFICATE lines, and paste it into the Server Certificate field. If you want to upload a private key, open the private key file, copy the entire block of text, including the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY lines, and paste it into the Private Key field. Open any intermediate certificates you need to provide, copy the entire block of text, for each, and paste it into the Certificate Chain field. Click Save. Requiring Valid User Certificates Global only 7000 & 8000 Series The system supports upload of CRLs in Distinguished Encoding Rules (DER) format. You can only load one CRL for a server. To ensure that the list of revoked certificates stays current, you can create a scheduled task to update the CRL. The most recent refresh of the CRL is listed in the interface. You must have a valid user certificate present in your browser (or a CAC inserted in your reader) to enable user certificates and to access the web interface after doing so. 9

10 External Database Settings Before You Begin Use the same certificate authority used for the server certificate to generate the user certificate. Upload the intermediate certificate for the certificates; see Server Certificate Upload, on page 8. Step 3 Step 4 Step 5 Step 6 Step 7 Choose System > Configuration. Click HTTPS Certificate. Choose Enable User Certificates. If prompted, select the appropriate certificate from the drop-down list. If you want to retrieve the CRL, choose Enable Fetching of CRL. Enter a valid URL to an existing CRL file and click Refresh CRL. The current CRL at the supplied URL loads to the server. Enabling fetching of the CRL creates a scheduled task to update the CRL on a regular basis. Edit the task to set the frequency of the update. Verify that you have a valid user certificate generated by the same certificate authority that created the server certificate. Caution If you save a configuration with enabled user certificates, but you do t have a valid user certificate in your browser certificate store, you disable all web server access to the appliance. Make sure you have a valid certificate installed before saving settings. Click Save. External Database Settings You can configure the Firepower to allow read-only access to its database by a third-party client. This allows you to query the database using SQL using any of the following: industry-standard reporting tools such as Actuate BIRT, JasperSoft ireport, or Crystal Reports any other reporting application (including a custom application) that supports JDBC SSL connections the Cisco-provided command-line Java application called RunQuery, which you can either run interactively or use to obtain comma-separated results for a single query Use the Firepower 's system configuration to enable database access and create an access list that allows selected hosts to query the database. that this access list does t also control appliance access. You can also download a package that contains the following: RunQuery, the Cisco-provided database query tool InstallCert, a tool you can use to retrieve and accept the SSL certificate from the Firepower Management Center you want to access the JDBC driver you must use to connect to the database 10

11 Enabling External to the Database See the Firepower System Database Guide for information on using the tools in the package you downloaded to configure database access. Enabling External to the Database Global only Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Choose System > Configuration. Click External Database. Select the Allow External Database check box. Enter an appropriate value in the Server Hostname field. Depending on your third-party application requirements, this value can be either the fully qualified domain name (FQDN), IPv4 address, or IPv6 address of the Firepower. Next to Client JDBC Driver, click Download and follow your browser s prompts to download the client.zip package. To add database access for one or more IP addresses, click Add Hosts. An IP Address field appears in the List field. In the IP Address field, enter an IP address or address range, or any. Click Add. Click Save. Tip If you want to revert to the last saved database settings, click Refresh. Related Topics Firepower System IP Address Conventions Database Event Limits You can specify the maximum number of each type of event that the Firepower can store. To improve performance, you should tailor event limits to the number of events you regularly work with. For some event types, you can disable storage. The system automatically prunes intrusion events, discovery events, audit records, security intelligence data, or URL filtering data from the appliance's database. You can configure the system to generate automated tifications when events are automatically pruned. You can also manually prune the discovery and user databases to remove selected discovery data; and you can purge discovery and connection data from the Firepower database. 11

12 Configuring Database Event Limits Configuring Database Event Limits Global only Before You Begin If you want to receive tifications when events are pruned from the Firepower Management Center's database, you must configure an server; see Configuring a Mail Relay Host and Notification Address, on page 42. Step 3 Step 4 Step 5 Choose System > Configuration. Choose Database. For each of the databases, enter the number of records you want to store. For information on how many records each database can maintain, see Database Event Limits, on page 12. Optionally, in the Data Pruning Notification Address field, enter the address where you want to receive pruning tifications. Click Save. Database Event Limits The following table lists the minimum and maximum number of records for each event type that you can store on a Firepower. Table 2: Database Event Limits Event Type Intrusion events Discovery events Upper Limit 10 million ( Virtual) 20 million (MC750) 30 million (MC1500) 60 million (MC2000) 150 million (MC3500) 300 million (MC4000) 10 million 20 million (MC2000 and MC4000) Lower Limit 10,000 Zero (disables storage) 12

13 Configuring Database Event Limits Event Type Connection events Security Intelligence events Upper Limit 50 million ( Virtual) 50 million (MC750) 100 million (MC1500) 300 million (MC2000) 500 million (MC3500) 1 billion (MC4000) Limit is shared between connection events and Security Intelligence events. The sum of the configured maximums cant exceed this limit. Lower Limit Zero (disables storage) Connection summaries (aggregated connection events) Correlation events and compliance white list events Malware events File events Health events Audit records Remediation status events White list violation history User activity (user events) User logins (user history) Intrusion rule update import log records 50 million ( Virtual) 50 million (MC750) 100 million (MC1500) 300 million (MC2000 ) 500 million (MC3500) 1 billion (MC4000) 1 million 2 million (MC2000 and MC4000) 10 million 20 million (MC2000 and MC4000) 10 million 20 million (MC2000 and MC4000) 1 million 100, million a 30-day history of violations 10 million 10 million 1 million Zero (disables storage) One 10,000 Zero (disables storage) Zero (disables storage) One One One day s history One One One 13

14 Management Interfaces Management Interfaces After setup, you can change the management network settings, including adding more management interfaces, hostname, search domains, DNS servers, and HTTP proxy on both the and the managed devices. About Management Interfaces By default, the Firepower manages all devices on a single management interface. Each device includes a single management interface for communicating with the. You also perform initial setup on the management interface (for both the and managed devices), and log into the on this interface as an administrator. Management interfaces are also used to communicate with the Smart Licensing server, to download updates, and to perform other management functions. Management Interfaces on the Firepower The Firepower uses the eth0 interface for initial setup, HTTP access for administrators, management of devices, as well as other management functions such as licensing and updates. You can also configure additional management interfaces on the same network, or on different networks. When the manages large numbers of devices, adding more management interfaces can improve throughput and performance. You can also use these interfaces for all other management functions. You might want to use each management interface for particular functions; for example, you might want to use one interface for HTTP administrator access and ather for device management. For device management, the management interface carries two separate traffic channels: the management traffic channel carries all internal traffic (such as inter-device traffic specific to managing the device), and the event traffic channel carries all event traffic (such as web events). You can optionally configure a separate event-only interface on the to handle event traffic; you can configure only one event interface. Event traffic can use a large amount of bandwidth, so separating event traffic from management traffic can improve the performance of the. For example, you can assign a 10 GigabitEthernet interface to be the event interface, if available, while using 1 GigabitEthernet interfaces for management. You might want to configure an event-only interface on a completely secure, private network while using the regular management interface on a network that includes Internet access, for example. You can also use both management and event interfaces on the same network if the goal is only to take advantage of increased throughput. All management interfaces support HTTP administrator access as controlled by your List configuration (Configuring the List for Your System, on page 38). Conversely, you cant restrict an interface to only HTTP access; management interfaces always support device management (management traffic, event traffic, or both). The following functions are supported only on the default management interface (eth0): DHCP IP addressing; other management interfaces need to use static IP addresses. Use of the NAT ID when registering a new device. 14

15 About Management Interfaces Lights-Out Management. Management Interfaces on Managed Devices Some models include an additional management interface that you can configure for event-only traffic, so you can separate management and event traffic when communicating with the. When you set up your device, you specify the IP address that you want to connect to. Both management and event traffic go to this address at initial registration. : In some situations, the might establish the initial connection on a different management interface; subsequent connections should use the management interface with the specified IP address. If both the device and the have separate event interfaces, then after they learn about each other's event interfaces during management communication, subsequent event traffic is sent between these interfaces if the network allows. If the event network goes down, then event traffic reverts to the regular management interface. The device uses a separate event interface when possible, but the management interface is always the backup. If you use only one management interface on the managed device, then you cant send management traffic to the management interface, and then send event traffic to the separate event interface; both and managed device must have separate event interfaces. Management Interface Support See the hardware installation guide for your model for the management interface locations. For the Firepower 4100/9300 chassis (the Firepower 4100 and 9300), the MGMT interface is for chassis management, t for Firepower Threat Defense logical device management. You must configure a separate NIC interface to be of type mgmt (and/or firepower-eventing), and then assign it to the Firepower Threat Defense logical device. For Firepower Threat Defense on any chassis, the physical management interface is shared between the Diagstic logical interface, which is useful for SNMP or syslog, and is configured along with data interfaces in the, and the Management logical interface for communication. See Management/Diagstic Interface and Network Deployment for more information. See the following tables for supported management interfaces on each Firepower and managed device model. Table 3: Management Interface Support on the Firepower Model MC750, MC1500, MC3500 Management Interfaces eth0 (Default) eth1 15

16 About Management Interfaces Model MC2000, MC4000 Firepower Virtual Management Interfaces eth0 (Default) eth1 eth2 eth3 eth0 (Default) Table 4: Management Interface Support on Managed Devices Model 7000 series 8000 series NGIPSv Management Interface eth0 eth0 eth0 Optional Event Interface No support eth1 No support ASA FirePOWER services module on the ASA 5585-X eth0 eth0 is the internal name of the Management 1/0 interface. eth1 eth1 is the internal name of the Management 1/1 interface. ASA FirePOWER services module on the ASA 5506-X, 5508-X, or 5516-X eth0 eth0 is the internal name of the Management 1/1 interface. No support ASA FirePOWER services module on the ASA 5512-X through 5555-X eth0 eth0 is the internal name of the Management 0/0 interface. No support Firepower Threat Defense on the ASA 5506-X, 5508-X, or 5516-X br1 br1 is the internal name of the Management 1/1 interface. No support Firepower Threat Defense on the ASA 5512-X through 5555-X br1 br1 is the internal name of the Management 0/0 interface. No support 16

17 About Management Interfaces Model Firepower Threat Defense on the Firepower 4100 and 9300 Firepower Threat Defense Virtual Management Interface management0 br1 management0 is the internal name of this interface, regardless of the physical interface ID. Optional Event Interface management1 No support management1 is the internal name of this interface, regardless of the physical interface ID. Network Routes on Management Interfaces Management interfaces (including event-only interfaces) support only static routes to reach remote networks. When you set up your or managed device, the setup process creates a default route to the gateway IP address that you specify. You cant delete this route; you can only modify the gateway address. The default route always uses the lowest-numbered management interface (e.g. eth0). At least 1 static route is recommended per management interface to access remote networks, including when multiple interfaces are on the same network. For example, on the both eth0 and eth1 are on the same network, but you want to manage a different group of devices on each interface. The default gateway is If you want eth1 to manage devices on the remote /24 destination network, you can create a static route for /24 through eth1 with the same gateway of Traffic to /24 will hit this route before it hits the default route, so eth1 will be used as expected. If you want to use 2 interfaces to manage remote devices that are on the same network, then static routing on the may t scale well, because you need separate static routes per device IP address. Ather example includes separate management and event-only interfaces on both the and the managed device. The event-only interfaces are on a separate network from the management interfaces. In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa. The routing for management interfaces is completely separate from routing that you configure for data interfaces. 17

18 About Management Interfaces Management and Event Traffic Channel Examples The following example shows the Firepower and managed devices using only the default management interfaces. Figure 1: Single Management Interface on the Firepower The following example shows the Firepower using separate management interfaces for devices; and each managed device using 1 management interface. Figure 2: Mutliple Management Interfaces on the Firepower The following example shows the Firepower and managed devices using a separate event interface. Figure 3: Separate Event Interface on the Firepower and Managed Devices 18

19 Configure Management Interfaces The following example shows a mix of multiple management interfaces and a separate event interface on the Firepower and a mix of managed devices using a separate event interface, or using a single management interface. Figure 4: Mixed Management and Event Interface Usage Configure Management Interfaces You can change management interface settings for Firepower appliances: Firepower Use the web interface. (The Firepower supports Linux shell access only under Cisco TAC supervision.) Firepower Threat Defense devices, NGIPSv, ASA FirePOWER Use the CLI 7000 & 8000 Series devices Use the limited web interface or the CLI. See the following sections. Related Topics Communication Ports Requirements Configure Firepower Management Interfaces Global only Modify the management interface settings on the Firepower. You can optionally enable additional management interfaces or configure an event-only interface. Caution Be careful when making changes to the management interface to which you are connected; if you cant re-connect because of a configuration error, you need to access the console port to re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation. 19

20 Configure Management Interfaces Choose System > Configuration, and then choose Management Interfaces. In the Interfaces area, click Edit next to the interface that you want to configure. All available interfaces are listed in this section. You cant add more interfaces. You can configure the following options on each management interface: Enabled Enable the management interface. Do t disable the default eth0 management interface. Some processes require the eth0 interface. Channels Configure an event-only interface; you can configure only one event interface on the. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. You can optionally disable Event Traffic for the management interface(s). In either case, the device will try to send events to the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cant disable both event and management channels on an interface. Mode Specify a link mode. that any changes you make to auto-negotiation are igred for GigabitEthernet interfaces. MTU Set the maximum transmission unit (MTU). The default is The range within which you can set the MTU can vary depending on the model and interface type. Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does t comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does t comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558. MDI/MDIX Set the Auto-MDIX setting. IPv4 Configuration Set the IPv4 IP address. Choose: Static Manually enter the IPv4 management IP address and netmask. DHCP Set the interface to use DHCP (eth0 only). Disabled Disable IPv4. Do t disable both IPv4 and IPv6. IPv6 Configuration Set the IPv6 IP address. Choose: Static Manually enter the IPv6 management IP address and prefix length. DHCP Set the interface to use DHCPv6 (eth0 only). Router Assigned Enable stateless autoconfiguration. Disabled Disable IPv6. Do t disable both IPv4 and IPv6. Step 3 In the Routes area, edit a static route by clicking the edit icon ( ), or add a route by clicking the add icon ( ). View the route statistics by clicking the view icon ( ). You need a static route for each additional interface to reach remote networks. For more information about when new routes are needed, see Network Routes on Management Interfaces, on page

21 Configure Management Interfaces For the default route, you can change only the gateway IP address. The default route always uses the eth0 interface. You can configure the following settings for a static route: Destination Set the destination address of the network to which you want to create a route. Netmask or Prefix Length Set the netmask (IPv4) or prefix length (IPv6) for the network. Interface Set the egress management interface. Gateway Set the gateway IP address. Step 4 In the Shared Settings area, set network parameters shared by all interfaces. If you selected DHCP for the eth0 interface, you cant manually specify some shared settings derived from the DHCP server. You can configure the following shared settings: Hostname Set the hostname. If you change the hostname, reboot the Management Center if you want the new hostname reflected in syslog messages. Syslog messages do t reflect a new hostname until after a reboot. Domains Set the search domain(s) for the, separated by commas. These domains are added to hostnames when you do t specify a fully-qualified domain name in a command, for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface. Primary DNS Server, Secondary DNS Server, Tertiary DNS Server Set the DNS servers to be used in order of preference. Remote Management Port Set the remote management port for communication with managed devices. The and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other. Step 5 Step 6 Step 7 In the Proxy area, configure HTTP proxy settings. The is configured to directly-connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest. Proxies that use NT LAN Manager (NTLM) authentication are t supported. a) Check the Enabled check box. b) In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server. c) In the Port field, enter a port number. d) Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name and Password. Click Save. If you changed the management IP address, it might affect communication between the and managed devices. Changing the IP address will t affect the current connection. However, if the device or reloads, then the connection needs to be reestablished. You need at least one of the devices (Management 21

22 Configure Management Interfaces Center or managed device) to have the correct IP address of the peer. For example, if you added the device on the and specified a NAT ID (instead of an IP address), then the IP address that you defined on the device at setup will be wrong, and the device will t be able to reestablish communications. Moreover, you cant update the IP address on a device; you can only replace the IP address and re-register as a new device (configure manager add). On the other hand, if the kws the correct IP address of the managed device, then even if the managed device has the wrong IP address for the, then the can successfully establish the connection. Configure Classic Device Management Interfaces at the Web Interface N/A 7000 & 8000 Series Global only Modify the management interface settings on the managed device using the web interface. You can optionally enable an event interface if your model supports it. Caution Be careful when making changes to the management interface; if you cant re-connect because of a configuration error, you will need to access the device console port and reconfigure the settings at the CLI. Choose System > Configuration, and then choose Management Interfaces. In the Interfaces area, click Edit next to the interface that you want to configure. All available interfaces are listed in this section. You cant add more interfaces. You can configure the following options on each management interface: Enabled Enable the management interface. Do t disable the default eth0 management interface. Some processes require the eth0 interface. Channels (8000 series only) Configure an event-only interface. You can enable the eth1 management interface on your 8000 series device to act as an event interface. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. For the eth0 management interface, leave both check boxes checked. The Firepower event-only interface cant accept management channel traffic, so you should simply disable the management channel on the device event interface. You can optionally disable Event Traffic for the management interface. In either case, the device will try to send events on the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cant disable both event and management channels on an interface. 22

23 Configure Management Interfaces Mode Specify a link mode. that any changes you make to auto-negotiation are igred for GigabitEthernet interfaces. MTU Set the maximum transmission unit (MTU). The default is The range within which you can set the MTU can vary depending on the model and interface type. Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does t comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does t comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558. MDI/MDIX Set the Auto-MDIX setting. IPv4 Configuration Set the IPv4 IP address. Choose: Static Manually enter the IPv4 management IP address and netmask. DHCP Set the interface to use DHCP (eth0 only). Disabled Disable IPv4. Do t disable both IPv4 and IPv6. IPv6 Configuration Set the IPv6 IP address. Choose: Static Manually enter the IPv6 management IP address and prefix length. DHCP Set the interface to use DHCPv6 (eth0 only). Router Assigned Enable stateless autoconfiguration. Disabled Disable IPv6. Do t disable both IPv4 and IPv6. Step 3 In the Routes area, edit a static route by clicking the edit icon ( ), or add a route by clicking the add icon ( ). View the route statistics by clicking the view icon ( ). You need to add a static route for the event-only interface if the Firepower is on a remote network; otherwise, all traffic will match the default route through the management interface. For the default route, you can change only the gateway IP address. The default route always uses the eth0 interface. For information about routing, see Network Routes on Management Interfaces, on page 17. You can configure the following settings for a static route: Destination Set the destination address of the network to which you want to create a route. Netmask or Prefix Length Set the netmask (IPv4) or prefix length (IPv6) for the network. Interface Set the egress management interface. Gateway Set the gateway IP address. Step 4 In the Shared Settings area, set network parameters shared by all interfaces. If you selected DHCP for the eth0 interface, you cant manually specify some shared settings derived from the DHCP server. You can configure the following shared settings: Hostname Set the device hostname. If you change the hostname, reboot the device if you want the new hostname reflected in syslog messages. Syslog messages do t reflect a new hostname until after a reboot. 23

24 Configure Management Interfaces Domains Set the search domain(s) for the device, separated by commas. These domains are added to hostnames when you do t specify a fully-qualified domain name in a command, for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface. Primary DNS Server, Secondary DNS Server, Tertiary DNS Server Set the DNS servers to be used in order of preference. Remote Management Port Set the remote management port for communication with the Management Center. The and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other. Step 5 Step 6 Step 7 Step 8 In the LCD Panel area, check the Allow reconfiguration of network settings check box to enable changing network settings using the device s LCD panel. You can use the LCD panel to edit the IP address for the device. Confirm that any changes you make are reflected on the managing Firepower. In some cases, you may need to update the data manually on the Firepower as well. Caution Allowing reconfiguration using the LCD panel can present a security risk. You need only physical access, t authentication, to configure network settings using the LCD panel. The web interface warns you that enabling this option is a potential security issue. In the Proxy area, configure HTTP proxy settings. The device is configured to directly-connect to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest. Proxies that use NT LAN Manager (NTLM) authentication are t supported. a) Check the Enabled check box. b) In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server. c) In the Port field, enter a port number. d) Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name and Password. Click Save. If you changed the management IP address, it might affect communication between the and the managed device. Changing the IP address will t affect the current connection. However, if the device or reloads, then the connection needs to be reestablished. You need at least one of the devices (Management Center or managed device) to have the correct IP address of the peer. For example, if you specified a NAT ID (instead of an IP address) for the during device setup, then the device IP address that you defined on the when you added the device will be wrong, and the Management Center will t be able to reestablish communications. In this case, you must change the management IP address of the device in the ; see Editing Device Management Settings. 24

25 Configure Management Interfaces Configure Firepower Threat Defense or Classic Device Management Interfaces at the CLI Firepower Threat Defense Global only Classic Modify the management interface settings on the managed device using the CLI. Many of these settings are ones that you set when you performed the initial setup; this procedure lets you change those settings, and set additional settings such as enabling an event interface if your model supports it, or adding static routes. For information about the CLI, see Command Line Referencein this guide. Caution When using SSH, be careful when making changes to the management interface; if you cant re-connect because of a configuration error, you will need to access the device console port. Before You Begin For the Firepower Threat Defense, you can create user accounts that can log into the CLI using the configure user add command; see Configuration Commands. For the 7000 & 8000 Series devices, you can create user accounts at the web interface as described in Creating a User Account. Connect to the device CLI, either from the console port or using SSH. See Logging Into the Command Line Interface on Firepower Threat Defense Devices or Logging Into the Command Line Interface on Classic Devices. Log in with the username and password. Step 3 Enable an event-only interface (for supported models; see Management Interface Support, on page 15): configure network management-interface enable management_interface configure network management-interface disable-management-channel management_interface Example: This example is for a Firepower 4100 or 9300 device; valid interface names differ by device type. > configure network management-interface enable management1 Configuration updated successfully > configure network management-interface disable-management-channel management1 Preserve existing configuration- currently IP addresses on eth1 to update (bootproto IPv4:,bootproto IPv6: at /usr/local/sf/lib/perl/5.10.1/sf/networkconf/networksettings.pm line 821. Configuration updated successfully > 25

26 Configure Management Interfaces The Firepower event-only interface cant accept management channel traffic, so you should simply disable the management channel on the device event interface. You can optionally disable events for the management interface using the configure network management-interface disable-events-channel command. In either case, the device will try to send events on the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cant disable both event and management channels on an interface. Step 4 Configure the network settings of the management interface and/or event interface: If you do t specify the management_interface argument, then you change the network settings for the default management interface. When configuring an event interface, be sure to specify the management_interface argument. The event interface can be on a separate network from the management interface, or on the same network. If you are connected to the interface you are configuring, you will be disconnected. You can re-connect to the new IP address. a) Configure the IPv4 address: Manual configuration: configure network ipv4 manual ip_address netmask gateway_ip [management_interface] that the gateway_ip in this command is only used to create the default route for the primary management interface. If you set the gateway for an event-only interface, then this command igres the gateway and does t create a default or static route for it. You must create a static route separately using the configure network static-routes command. Example: > configure network ipv4 manual management1 Setting IPv4 network configuration. Network settings changed. > DHCP (supported on the default management interface only): configure network ipv4 dhcp b) Configure the IPv6 address: Stateless autoconfiguration: configure network ipv6 router [management_interface] Example: > configure network ipv6 router management0 Setting IPv6 network configuration. Network settings changed. > Manual configuration: 26

27 Configure Management Interfaces configure network ipv6 manual ip6_address ip6_prefix_length [ip6_gateway_ip] [management_interface] that the ipv6_gateway_ip in this command is only used to create the default route for the primary management interface. If you set the gateway for an event-only interface, then this command igres the gateway and does t create a default or static route for it. You must create a static route separately using the configure network static-routes command. Example: > configure network ipv6 manual 2001:0DB8:BA98:: management1 Setting IPv6 network configuration. Network settings changed. > DHCPv6 (supported on the default management interface only): configure network ipv6 dhcp Step 5 Add a static route for the event-only interface if the Firepower is on a remote network; otherwise, all traffic will match the default route through the management interface. configure network static-routes {ipv4 ipv6}add management_interface destination_ip netmask_or_prefix gateway_ip For the default route, do t use this command; you can only change the default route gateway IP address when you use the configure network ipv4 or ipv6 commands for the default management interface (see step 4). For information about routing, see Network Routes on Management Interfaces, on page 17. Example: > configure network static-routes ipv4 add management Configuration updated successfully > configure network static-routes ipv6 add management1 2001:0DB8:AA89:: :0DB8:BA98::3211 Configuration updated successfully > To display static routes, enter show network-static-routes (the default route is t shown): > show network-static-routes [ IPv4 Static Routes ] Interface : management1 Destination : Gateway : Netmask : [ ] Step 6 Set the hostname: configure network hostname name 27

Classic Device Management Basics

Classic Device Management Basics The following topics describe how to manage Classic devices (7000 and 8000 Series devices, ASA with FirePOWER Services, and NGIPSv) in the Firepower System: Remote Management Configuration, page 1 Interface

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

Logging into the Firepower System

Logging into the Firepower System The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower

More information

User Accounts for Management Access

User Accounts for Management Access The Firepower Management Center and managed devices include a default admin account for management access. This chapter discusses how to create custom user accounts for supported models. See Logging into

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

RealPresence Access Director System Administrator s Guide

RealPresence Access Director System Administrator s Guide [Type the document title] Polycom RealPresence Access Director System Administrator s Guide 2.1.0 March 2013 3725-78703-001A Polycom Document Title 1 Trademark Information POLYCOM and the names and marks

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: Introduction:, page 1 Creating a Realm, page 5 Creating an Identity Policy, page 11 Creating an Identity Rule, page 15 Managing Realms, page

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Add Devices to the Firepower Management Center,

More information

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models

The following topics explain how to get started configuring Firepower Threat Defense. Table 1: Firepower Device Manager Supported Models The following topics explain how to get started configuring Firepower Threat Defense. Is This Guide for You?, page 1 Logging Into the System, page 2 Setting Up the System, page 6 Configuration Basics,

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, page 1 Remote Management Configuration, page 2 Adding Devices to the Firepower Management Center,

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information

Firepower Management Center High Availability

Firepower Management Center High Availability The following topics describe how to configure Active/Standby high availability of Cisco Firepower Management Centers: About, on page 1 Establishing, on page 7 Viewing Status, on page 8 Configurations

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 1 Classic Licensing for the Firepower System,

More information

Configuring High Availability (HA)

Configuring High Availability (HA) 4 CHAPTER This chapter covers the following topics: Adding High Availability Cisco NAC Appliance To Your Network, page 4-1 Installing a Clean Access Manager High Availability Pair, page 4-3 Installing

More information

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,

More information

Connection Logging. About Connection Logging

Connection Logging. About Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL

More information

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3.0.3 of the Sourcefire 3D System. Even if you are familiar with the

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

The following topics describe how to use backup and restore features in the Firepower System:

The following topics describe how to use backup and restore features in the Firepower System: The following topics describe how to use backup and restore features in the Firepower System: Introduction, page 1 Limitations, page 1 Backup Files, page 2 Backing up a Firepower Management Center, page

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 15 Create an Identity Rule, page 15 Manage a Realm, page 20 Manage an Identity

More information

Command Line Reference

Command Line Reference This reference explains the command line interface (CLI) for the following classic devices: 7000 and 8000 Series ASA FirePOWER NGIPSv Firepower Threat Defense Note You cannot use the CLI on the Firepower

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task The following topics explain how to schedule tasks: Introduction to, on page 1 Configuring a Recurring Task, on page 1 Scheduled Task Review, on page 17 Introduction to You can schedule many different

More information

LDAP Directory Integration

LDAP Directory Integration LDAP Server Name, Address, and Profile Configuration, on page 1 with Cisco Unified Communications Manager Task List, on page 1 for Contact Searches on XMPP Clients, on page 6 LDAP Server Name, Address,

More information

Configuring the Management Access List

Configuring the Management Access List The following topics explain how to configure the various system settings that are grouped together on the page. The settings cover overall system function. Configuring the Management Access List, page

More information

Backup and Restore Introduction

Backup and Restore Introduction The ability to recover from a disaster is an essential part of any system maintenance plan. As part of your disaster recovery plan, Cisco recommends that you back up the Firepower Management Center and

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Cisco TelePresence VCS Cluster Creation and Maintenance

Cisco TelePresence VCS Cluster Creation and Maintenance Cisco TelePresence VCS Cluster Creation and Maintenance Deployment Guide Cisco VCS X8.5 Cisco TMS 13.2 or later December 2014 Contents Introduction 4 Prerequisites 5 Upgrading an X7.1 or later cluster

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.2 Original Publication: October 18, 2013 Last Updated: October 18, 2013 These release notes are valid for Version 5.2.0.2 of the Sourcefire 3D System. Even

More information

Set Up Cisco ISE in a Distributed Environment

Set Up Cisco ISE in a Distributed Environment Cisco ISE Deployment Terminology, page 1 Personas in Distributed Cisco ISE Deployments, page 2 Cisco ISE Distributed Deployment, page 2 Configure a Cisco ISE Node, page 5 Administration Node, page 8 Policy

More information

Overview of the Cisco NCS Command-Line Interface

Overview of the Cisco NCS Command-Line Interface CHAPTER 1 Overview of the Cisco NCS -Line Interface This chapter provides an overview of how to access the Cisco Prime Network Control System (NCS) command-line interface (CLI), the different command modes,

More information

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Overview: Security, Internet Access, and Communication

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.2 Original Publication: April 21, 2014 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Realms and Identity Policies

Realms and Identity Policies The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 14 Create an Identity Rule, page 15 Manage a Realm, page 17 Manage an Identity

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

Cisco Expressway Cluster Creation and Maintenance

Cisco Expressway Cluster Creation and Maintenance Cisco Expressway Cluster Creation and Maintenance Deployment Guide Cisco Expressway X8.6 July 2015 Contents Introduction 4 Prerequisites 5 Upgrading an X8.n cluster to X8.6 6 Prerequisites 6 Upgrade Expressway

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

Command Line Reference

Command Line Reference This reference explains the command line interface (CLI) for the following devices: 7000 and 8000 Series ASA FirePOWER NGIPSv Note You cannot use the CLI on the Firepower Management Center. The Firepower

More information

Getting Started. About the ASA for Firepower How the ASA Works with the Firepower 2100

Getting Started. About the ASA for Firepower How the ASA Works with the Firepower 2100 This chapter describes how to deploy the ASA on the Firepower 2100 in your network, and how to perform initial configuration. About the ASA for Firepower 2100, page 1 Connect the Interfaces, page 4 Power

More information

Firepower Threat Defense Remote Access VPNs

Firepower Threat Defense Remote Access VPNs About, page 1 Firepower Threat Defense Remote Access VPN Features, page 3 Firepower Threat Defense Remote Access VPN Guidelines and Limitations, page 4 Managing, page 6 Editing Firepower Threat Defense

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Before You Update: Important Notes

Before You Update: Important Notes Before you update, familiarize yourself with the update process, the system's behavior during the update, compatibility issues, and required pre or post-update configuration changes. Caution Note Do not

More information

Certificate Renewal on Cisco Identity Services Engine Configuration Guide

Certificate Renewal on Cisco Identity Services Engine Configuration Guide Certificate Renewal on Cisco Identity Services Engine Configuration Guide Document ID: 116977 Contributed by Roger Nobel, Cisco TAC Engineer. Jun 26, 2015 Contents Introduction Prerequisites Requirements

More information

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

Remote Access VPN. Remote Access VPN Overview. Maximum Concurrent VPN Sessions By Device Model

Remote Access VPN. Remote Access VPN Overview. Maximum Concurrent VPN Sessions By Device Model Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a computer or other supported ios or Android device connected to the Internet.

More information

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

vcloud Director Tenant Portal Guide vcloud Director 8.20

vcloud Director Tenant Portal Guide vcloud Director 8.20 vcloud Director Tenant Portal Guide vcloud Director 8.20 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

IPMI Configuration Guide

IPMI Configuration Guide IPMI Configuration Guide 1. Introduction of IPMI Server Manager... 2 2. IPMI Server Manager GUI Overview... 3 1 1. Introduction of IPMI Server Manager IPMI Server Manager allows remote access of computers

More information

Set Up Cisco ISE in a Distributed Environment

Set Up Cisco ISE in a Distributed Environment Cisco ISE Deployment Terminology, page 1 Personas in Distributed Cisco ISE Deployments, page 2 Cisco ISE Distributed Deployment, page 2 Configure a Cisco ISE Node, page 5 Administration Node, page 8 Policy

More information

Managing Deployment. Understanding Deployment CHAPTER

Managing Deployment. Understanding Deployment CHAPTER CHAPTER 8 The settings and policies you define in Security Manager must be deployed to your devices so that you can implement them in your network. The steps you take to deploy configurations to devices

More information

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server Configure a Presence Gateway for Microsoft Exchange Integration, page 1 SAN and Wildcard Certificate Support, page

More information

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: About Security, Internet Access, and Communication

More information

Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection Release 12.x

Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection Release 12.x Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection Release 12.x First Published: -- Last Modified: -- Americas Headquarters Cisco Systems, Inc. 170 West Tasman

More information

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide h-series 800-782-3762 www.edgewave.com 2001 2011 EdgeWave Inc. (formerly St. Bernard Software). All rights reserved. The EdgeWave logo, iprism and iguard are trademarks

More information

Interfaces for Firepower Threat Defense

Interfaces for Firepower Threat Defense This chapter includes Firepower Threat Defense interface configuration including Ethernet settings, EtherChannels, VLAN subinterfaces, IP addressing, and more. About Firepower Threat Defense Interfaces,

More information

Cisco VXC PCoIP Configuration

Cisco VXC PCoIP Configuration As a user or administrator you can interact with your Cisco VXC clients through the embedded HTTPS web interface (the Administrative Web Interface) and On Screen Display (OSD). Users can connect or disconnect

More information

ExtraHop 7.0 ExtraHop Trace Admin UI Guide

ExtraHop 7.0 ExtraHop Trace Admin UI Guide ExtraHop 7.0 ExtraHop Trace Admin UI Guide 2018 ExtraHop Networks, Inc. All rights reserved. This manual in whole or in part, may not be reproduced, translated, or reduced to any machinereadable form without

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

External Alerting with Alert Responses

External Alerting with Alert Responses The following topics describe how to send external event alerts from the Firepower Management Center using alert responses: Firepower Management Center Alert Responses, page 1 Creating an SNMP Alert Response,

More information

System Administration

System Administration Changing the Management IP Address, on page 1 Changing the Application Management IP, on page 3 Changing the Firepower 4100/9300 Chassis Name, on page 5 Pre-Login Banner, on page 6 Rebooting the Firepower

More information

Interfaces for Firepower Threat Defense

Interfaces for Firepower Threat Defense This chapter includes Firepower Threat Defense interface configuration including Ethernet settings, EtherChannels, VLAN subinterfaces, IP addressing, and more. About Firepower Threat Defense Interfaces,

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER 7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:

More information

Configure the Cisco DNA Center Appliance

Configure the Cisco DNA Center Appliance Review Cisco DNA Center Configuration Wizard Parameters, page 1 Configure Cisco DNA Center Using the Wizard, page 5 Review Cisco DNA Center Configuration Wizard Parameters When Cisco DNA Center configuration

More information

System Setup. Accessing the Administration Interface CHAPTER

System Setup. Accessing the Administration Interface CHAPTER CHAPTER 3 The system can be configured through the web interface to provide the networking configuration for the appliance and other system settings that are important such as time and SSL certificate.

More information

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management). Contents Introduction Prerequisites Requirements Components Used Background Information Outbound SSL Decryption Inbound SSL Decryption Configuration for SSL Decryption Outbound SSL decryption (Decrypt

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.2.0.7 Original Publication: October 20, 2014 These release notes are valid for Version 5.2.0.7 of the Sourcefire 3D System. Even if you are familiar with the

More information

6.1. Getting Started Guide

6.1. Getting Started Guide 6.1 Getting Started Guide Netmon Getting Started Guide 2 Contents Contents... 2 Appliance Installation... 3 IP Address Assignment (Optional)... 3 Logging In For the First Time... 5 Initial Setup... 6 License

More information

DHCP and DDNS Services for Threat Defense

DHCP and DDNS Services for Threat Defense The following topics explain DHCP and DDNS services and how to configure them on Threat Defense devices. About DHCP and DDNS Services, on page 1 Guidelines for DHCP and DDNS Services, on page 3 Configure

More information

Managing CX Devices in Multiple Device Mode

Managing CX Devices in Multiple Device Mode Tip Device inventory management applies to PRSM in Multiple Device mode only. If you are configuring a CX device through a direct connection to the device, you do not need to add the device to the inventory

More information

Updating to Version 6.2.2

Updating to Version 6.2.2 Before you begin the update, you must thoroughly read and understand these release notes, especially Before You Update: Important Notes and Pre-Update Readiness Checks. If you are unsure whether you should

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Manage Certificates. Certificates Overview

Manage Certificates. Certificates Overview Certificates Overview, page 1 Show Certificates, page 3 Download Certificates, page 4 Install Intermediate Certificates, page 4 Delete a Trust Certificate, page 5 Regenerate a Certificate, page 6 Upload

More information

ExtraHop 6.1 ExtraHop Explore Admin UI Guide

ExtraHop 6.1 ExtraHop Explore Admin UI Guide ExtraHop 6.1 ExtraHop Explore Admin UI Guide 2018 ExtraHop Networks, Inc. All rights reserved. This manual in whole or in part, may not be reproduced, translated, or reduced to any machinereadable form

More information

F5 BIG-IQ Centralized Management: Licensing and Initial Setup. Version 5.2

F5 BIG-IQ Centralized Management: Licensing and Initial Setup. Version 5.2 F5 BIG-IQ Centralized Management: Licensing and Initial Setup Version 5.2 Table of Contents Table of Contents BIG-IQ System Introduction...5 About BIG-IQ Centralized Management... 5 How do I navigate

More information

Aggregate Interfaces and LACP

Aggregate Interfaces and LACP The following topics explain aggregate interface configuration and how LACP functions on managed devices: About Aggregate Interfaces, on page 1 LAG Configuration, on page 2 Link Aggregation Control Protocol

More information

LDAP Directory Integration

LDAP Directory Integration LDAP Server Name, Address, and Profile Configuration, page 1 with Cisco Unified Communications Manager Task List, page 1 for Contact Searches on XMPP Clients, page 6 LDAP Server Name, Address, and Profile

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Cisco Expressway Cluster Creation and Maintenance

Cisco Expressway Cluster Creation and Maintenance Cisco Expressway Cluster Creation and Maintenance Deployment Guide First Published: December 2009 Last Updated: April 2017 Cisco Expressway X8.9.2 Cisco Systems, Inc. www.cisco.com Contents Preface 3 Change

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces.

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.

More information

akkadian Global Directory 3.0 System Administration Guide

akkadian Global Directory 3.0 System Administration Guide akkadian Global Directory 3.0 System Administration Guide Updated July 19 th, 2016 Copyright and Trademarks: I. Copyright: This website and its content is copyright 2014 Akkadian Labs. All rights reserved.

More information

Configuring the SMA 500v Virtual Appliance

Configuring the SMA 500v Virtual Appliance Using the SMA 500v Virtual Appliance Configuring the SMA 500v Virtual Appliance Registering Your Appliance Using the 30-day Trial Version Upgrading Your Appliance Configuring the SMA 500v Virtual Appliance

More information

KACE Systems Deployment Appliance (K2000) 4.1. Administrator Guide

KACE Systems Deployment Appliance (K2000) 4.1. Administrator Guide KACE Systems Deployment Appliance (K2000) 4.1 Administrator Guide Table of Contents About the KACE Systems Deployment Appliance (K2000)... 9 Getting started... 10 Tasks for getting started using the K2000

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

CCNA Semester 2 labs. Labs for chapters 2 10

CCNA Semester 2 labs. Labs for chapters 2 10 CCNA Semester 2 labs Labs for chapters 2 10 2.2.2.5 Lab - Configuring IPv4 Static and Default Routes 2.3.2.4 Lab - Troubleshooting Static Routes 3.2.1.9 Lab - Configuring Basic RIPv2 5.2.2.9 Lab - Configuring

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information