About Device Management
Use the Firepower Management Center to manage your devices.
About the Firepower Management Center and Device Management
When the Firepower Management Center manages a device, it sets up a two-way, SSL-encrypted communication channel between itself and the device. The Firepower Management Center uses this channel to send the device information about how you want it to analyze and manage your network traffic. As the device evaluates the traffic, it generates events and sends them to the Firepower Management Center over the same channel.
By using the Firepower Management Center to manage devices, you can:
- configure policies for all your devices from a single location, making it easier to change configurations
- install various types of software updates on devices
- push health policies to your managed devices and monitor their health status from the Firepower Management Center
The Firepower Management Center aggregates and correlates intrusion events, network discovery information, and device performance data, allowing you to monitor the information that your devices are reporting in relation to one another, and to assess the overall activity occurring on your network.
You can use a Firepower Management Center to manage nearly every aspect of a device’s behavior.
Note: Although a Firepower Management Center can manage devices running certain previous releases as specified in the compatibility matrix available at http://www.cisco.com/c/en/us/support/security/defense-center/products-device-support-tables-list.html, new features are not available to these previous-release devices.
What Can Be Managed by a Firepower Management Center?
You can use the Firepower Management Center as a central management point in a Firepower System deployment to manage the following devices:
- 7000 and 8000 Series devices
- ASA FirePOWER modules
- NGIPSv devices
When you manage a device, information is transmitted between the Firepower Management Center and the device over a secure, SSL-encrypted TCP tunnel.
The following illustration lists what is transmitted between a Firepower Management Center and its managed devices. Note that the types of events and policies that are sent between the appliances are based on the device type.
Beyond Policies and Events
In addition to deploying policies to devices and receiving events from them, you can also perform other device-related tasks on the Firepower Management Center.
Backing Up a Device
You cannot create or restore backup files for NGIPSv devices or ASA FirePOWER modules.
When you perform a backup of a physical managed device from the device itself, you back up the device configuration only. To back up configuration data and, optionally, unified files, perform a backup of the device using the managing Firepower Management Center.
To back up event data, perform a backup of the managing Firepower Management Center.
Updating Devices
From time to time, Cisco releases updates to the Firepower System, including:
- intrusion rule updates, which may contain new and updated intrusion rules
- vulnerability database (VDB) updates
- geolocation updates
- software patches and updates
You can use the Firepower Management Center to install an update on the devices it manages.
About Device Management Interfaces
Each device includes a single dedicated Management interface for communicating with the FMC.
You can perform initial setup on the management interface, or on the console port.
Management interfaces are also used to communicate with the Smart Licensing server, to download updates, and to perform other management functions.
Management Interfaces on
When you set up your device, you specify the FMC IP address that you want to connect to. Both management and event traffic go to this address at initial registration. Note: In some situations, the FMC might establish the initial connection on a different management interface; subsequent connections should use the management interface with the specified IP address.
If the FMC has a separate event-only interface, the managed device sends subsequent event traffic to the FMC event-only interface if the network allows. In addition, some managed-device models include an additional management interface that you can configure for event-only traffic. If the event network goes down, event traffic reverts to the regular management interfaces on the FMC and/or on the managed device.
Management Interface Support Per Device Model
See the hardware installation guide for your model for the management interface locations.
See the following table for the supported management interfaces on each managed device model.

| Model | Management Interface | Optional Event Interface |
|---|---|---|
| 7000 series | eth0 | No support |
| 8000 series | eth0 | eth1 |
| ASA FirePOWER services module on the ASA 5585-X | eth0 | eth1 |
Network Routes on Device Management Interfaces
Management interfaces (including event-only interfaces) support only static routes to reach remote networks. When you set up your managed device, the setup process creates a default route to the gateway IP address that you specify. You cannot delete this route; you can only modify the gateway address.
Note: The routing for management interfaces is completely separate from the routing that you configure for data interfaces.
The default route always uses the lowest-numbered management interface (e.g. management0).
At least one static route is recommended per management interface to reach remote networks. We recommend placing each interface on a separate network to avoid potential routing problems, including routing problems from other devices to the FTD. If you do place interfaces on the same network, be sure to configure the static routes correctly. For example, suppose both management0 and management1 are on the same network, but the FMC management and event interfaces are on different networks. The gateway is 192.168.45.1. If you want management1 to connect to the FMC's event-only interface at 10.6.6.1/24, create a static route for 10.6.6.0/24 through management1 with the same gateway of 192.168.45.1. Traffic to 10.6.6.0/24 matches this route before it matches the default route, so management1 is used as expected.
Another example includes separate management and event-only interfaces on both the FMC and the managed device. The event-only interfaces are on a separate network from the management interfaces. In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa.
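The route selection described above is ordinary longest-prefix matching, and the two recommendations (default route on the lowest-numbered interface, at least one route per interface) are easy to check mechanically before you commit them on a device. The following Python script is an added example, not part of this document or of any Cisco software: it models the management routing table from the example above (management0 and management1 both on 192.168.45.0/24, gateway 192.168.45.1, FMC event-only network 10.6.6.0/24) and shows which interface carries a given destination, flags a table that violates the recommendations, and renders the FTD CLI form of a static route. The CLI syntax in `ftd_static_route_command` is reproduced from memory and must be confirmed against the command reference for your release.

```python
import ipaddress

# Constructed routing table modelled on the example in the text: the
# undeletable default route on management0 (the lowest-numbered
# interface) plus a static route for the FMC's event-only network
# 10.6.6.0/24 through management1. Both interfaces sit on
# 192.168.45.0/24, so both routes use the same gateway, 192.168.45.1.
ROUTES = [
    # (destination prefix, management interface, gateway)
    ("0.0.0.0/0", "management0", "192.168.45.1"),
    ("10.6.6.0/24", "management1", "192.168.45.1"),
]
INTERFACES = ["management0", "management1"]


def select_route(dst, routes=ROUTES):
    """Longest-prefix match over the management routing table.

    Returns (prefix, interface, gateway) for the most specific route that
    covers dst; raises ValueError if nothing matches, which cannot happen
    while the default route is present.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return (str(best[0]), best[1], best[2])


def egress_interface(dst, routes=ROUTES):
    """The management interface that traffic to dst leaves on."""
    return select_route(dst, routes)[1]


def lint_routes(routes, interfaces):
    """Check a management routing table against the recommendations in the
    text: the default route must sit on the lowest-numbered interface, and
    every interface should have at least one route that uses it. Returns a
    list of warning strings; an empty list means the table looks sane."""
    warnings = []
    lowest = min(interfaces)  # "management0" sorts before "management1"
    for prefix, iface, _gateway in routes:
        if ipaddress.ip_network(prefix).prefixlen == 0 and iface != lowest:
            warnings.append(f"default route is on {iface}, expected {lowest}")
    for iface in interfaces:
        if not any(r[1] == iface for r in routes):
            warnings.append(
                f"{iface} has no route; traffic meant for it will fall back "
                f"to the default route on {lowest}")
    return warnings


def ftd_static_route_command(prefix, iface, gateway):
    """Render the FTD CLI form of a static route. The syntax
    (configure network static-routes ipv4 add <iface> <dest> <mask> <gw>)
    is quoted from memory here, not from this document; confirm it against
    the command reference for your software release before use."""
    net = ipaddress.ip_network(prefix)
    return (f"configure network static-routes ipv4 add {iface} "
            f"{net.network_address} {net.netmask} {gateway}")


if __name__ == "__main__":
    for dst in ("10.6.6.1", "192.168.45.45", "8.8.8.8"):
        print(dst, "->", select_route(dst))
    print("lint (full table):", lint_routes(ROUTES, INTERFACES))
    print("lint (default only):", lint_routes(ROUTES[:1], INTERFACES))
    print(ftd_static_route_command("10.6.6.0/24", "management1", "192.168.45.1"))
```

Run it as-is to see 10.6.6.1 leave on management1 while 192.168.45.45 and anything else falls to the default route on management0; dropping the 10.6.6.0/24 route from the table produces a warning that management1 is unused, which is exactly the misconfiguration that makes event traffic silently use the management interface instead.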
NAT Environments
Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for FMC communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router.
Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the FMC specifies the device IP address when you add a device, and the device specifies the FMC IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.
For example, you add a device to the FMC, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the FMC; leave the IP address blank. On the device, you specify the FMC IP address, the same NAT ID, and the same registration key. The device registers to the FMC's IP address. At this point, the FMC uses the NAT ID instead of IP address to authenticate the device.
Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the FMC. On the FMC, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the FMC IP address and the NAT ID. Note: The NAT ID must be unique per device.
The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID per device on both the FMC and the devices, and specify the FMC IP address on the devices.
The following example shows the FMC behind a PAT IP address. In this case, specify a unique NAT ID per device on both the FMC and the devices, and specify the device IP addresses on the FMC.
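To make the trust logic in the NAT ID discussion concrete, the following Python model is an added example, not this document's or Cisco's registration code. It models an FMC that holds pending device entries keyed by IP address or NAT ID, and shows why three devices behind one PAT address can only be told apart by a unique NAT ID, why a duplicate NAT ID must be rejected when the device is added, and why a wrong registration key fails even when the NAT ID matches. All addresses, keys and NAT IDs are constructed; the device-side command mentioned in the comments (`configure manager add <fmc-ip> <regkey> [<nat-id>]`) is the FTD-style CLI syntax and should be checked against your device's command reference.

```python
import hmac


class FMCRegistry:
    """Constructed model of an FMC's pending device registrations. Each
    entry carries the registration key plus whichever handle the admin
    knew when adding the device: its IP address, a NAT ID, or both."""

    def __init__(self):
        self._pending = []

    def add_device(self, name, regkey, ip=None, nat_id=None):
        """Equivalent of adding a device on the FMC. At least one of ip or
        nat_id is required, and a NAT ID must be unique per device."""
        if ip is None and nat_id is None:
            raise ValueError("need the device IP address or a NAT ID")
        if nat_id is not None and any(p["nat_id"] == nat_id for p in self._pending):
            raise ValueError(f"NAT ID {nat_id!r} already in use; NAT IDs must be unique per device")
        self._pending.append({"name": name, "regkey": regkey, "ip": ip, "nat_id": nat_id})

    def register(self, source_ip, regkey, nat_id=None):
        """Handle an inbound registration. source_ip is the address the FMC
        observes (behind PAT, every device presents the router's address).
        Returns the device name on success, or None when there is no single
        unambiguous match or the registration key is wrong."""
        if nat_id is not None:
            candidates = [p for p in self._pending if p["nat_id"] == nat_id]
        else:
            # Without a NAT ID the only handle is the observed address. Behind
            # PAT several devices share it, so an ambiguous match is refused.
            candidates = [p for p in self._pending
                          if p["ip"] == source_ip and p["nat_id"] is None]
        if len(candidates) != 1:
            return None
        match = candidates[0]
        if not hmac.compare_digest(match["regkey"].encode(), regkey.encode()):
            return None
        self._pending.remove(match)
        return match["name"]

    def pending(self):
        return [p["name"] for p in self._pending]


def three_devices_behind_pat():
    """The first diagram in the text: three devices behind one PAT address
    register to an FMC whose address they know (198.51.100.7, constructed).
    Returns the device names in the order the FMC accepted them."""
    fmc = FMCRegistry()
    for n in (1, 2, 3):
        # On the FMC: IP address left blank, unique NAT ID, registration key.
        fmc.add_device(f"branch-{n}", regkey=f"key-{n}", nat_id=f"branch-{n}-nat")
    pat_ip = "203.0.113.10"  # constructed PAT router address shared by all three
    accepted = []
    # On each device (FTD-style CLI, verify for your model):
    #   configure manager add 198.51.100.7 key-N branch-N-nat
    for n in (2, 3, 1):
        accepted.append(fmc.register(pat_ip, f"key-{n}", f"branch-{n}-nat"))
    return accepted


def fmc_behind_pat():
    """The second diagram: the FMC is behind PAT, so the device addresses are
    known and entered on the FMC together with a per-device NAT ID. Shows a
    good registration, a wrong key, and a device that omitted its NAT ID."""
    fmc = FMCRegistry()
    fmc.add_device("hq-1", regkey="key-hq-1", ip="10.1.1.5", nat_id="hq-1-nat")
    fmc.add_device("hq-2", regkey="key-hq-2", ip="10.1.1.6", nat_id="hq-2-nat")
    return {
        "good": fmc.register("10.1.1.5", "key-hq-1", "hq-1-nat"),
        "wrong_key": fmc.register("10.1.1.6", "key-hq-1", "hq-2-nat"),
        "no_nat_id": fmc.register("10.1.1.6", "key-hq-2"),
    }


def duplicate_nat_id_is_rejected():
    """Adding a second device with an already-used NAT ID must fail."""
    fmc = FMCRegistry()
    fmc.add_device("a", "key-a", nat_id="shared")
    try:
        fmc.add_device("b", "key-b", nat_id="shared")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(three_devices_behind_pat())
    print(fmc_behind_pat())
    print(duplicate_nat_id_is_rejected())
```

The point the model makes is that the NAT ID is an identity handle, not a secret: it selects which pending entry to check, and the registration key is what authenticates that entry. Behind PAT, without a NAT ID, the FMC has nothing but a shared source address to go on, so the model refuses rather than guessing.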
Management and Event Traffic Channel Examples
The following example shows the Firepower Management Center and managed devices using only the default management interfaces.
The following example shows the Firepower Management Center using separate management interfaces for devices, with each managed device using one management interface.
The following example shows the Firepower Management Center and managed devices using a separate event interface.
The following example shows a mix of multiple management interfaces and a separate event interface on the Firepower Management Center and a mix of managed devices using a separate event interface, or using a single management interface.