Getting Started

The following topics explain how to get started configuring Firepower Threat Defense.

Is This Guide for You?

This guide explains how to configure Firepower Threat Defense using the Firepower Device Manager web-based configuration interface included on Firepower Threat Defense devices.

Firepower Device Manager lets you configure the basic features of the software that are most commonly used for small or mid-size networks. It is especially designed for networks that include a single device or just a few, where you do not want to use a high-powered multiple-device manager to control a large network containing many Firepower Threat Defense devices.

If you are managing large numbers of devices, or if you want to use the more complex features and configurations that Firepower Threat Defense allows, use Firepower Management Center to configure your devices instead of the integrated Firepower Device Manager.

You can use Firepower Device Manager on the following devices.

Table 1. Firepower Device Manager Supported Models

Device Model

Minimum Firepower Threat Defense Software Version

ASA 5506-X, 5506H-X, 5506W-X, 5512-X

6.1

ASA 5508-X, 5516-X

6.1

ASA 5515-X, 5525-X, 5545-X, 5555-X

6.1

Firepower 2100 series: 2110, 2120, 2130, 2140

6.2.1

Firepower Threat Defense Virtual for VMware

6.2.2

New Features in Firepower Device Manager/FTD 6.2

Released: January 23, 2017

The following table lists the new features available in FTD 6.2 when configured using Firepower Device Manager.

Feature

Description

Cisco Defense Orchestrator Cloud Management

You can manage the device using the Cisco Defense Orchestrator cloud-based portal. Select Device > System Settings > Cloud Management. For more information on Cisco Defense Orchestrator, see http://www.cisco.com/go/cdo.

Drag and drop for access rules

You can drag and drop access rules to move them in the rules table.

FTD software upgrade

You can install software upgrades through Firepower Device Manager. Select Device > Updates.

FTD default configuration changes

For new or reimaged devices, the default configuration includes significant changes, including:

  • (ASA 5506-X, 5506W-X, 5506H-X.) Except for the first data interface, and the Wi-Fi interface on an ASA 5506W-X, all other data interfaces on these device models are structured into the “inside” bridge group and enabled. There is a DHCP server on the inside bridge group. You can plug endpoints or switches into any bridged interface and endpoints get addresses on the 192.168.1.0/24 network.

  • The inside interface IP address is now 192.168.1.1, and a DHCP server is defined on the interface with the address pool 192.168.1.5-192.168.1.254.

  • HTTPS access is enabled on the inside interface, so you can open Firepower Device Manager through the inside interface at the default address, 192.168.1.1. For the ASA 5506-X models, you can do this through any inside bridge group member interface.

  • The management port hosts a DHCP server for the 192.168.45.0/24 network. You can plug a workstation directly into the management port, get an IP address, and open Firepower Device Manager to configure the device.

  • The OpenDNS public DNS servers are now the default DNS servers for the management interface. Previously, there were no default DNS servers. You can configure different DNS servers during device setup.

  • The default gateway for the management IP address is to use the data interfaces to route to the Internet. Thus, you do not need to wire the Management physical interface to a network.

Management interface and access changes

Several changes to how the management address, and access to Firepower Device Manager, works:

  • You can now open data interfaces to HTTPS (for Firepower Device Manager) and SSH (for CLI) connections. You do not need a separate management network, or to connect the Management/Diagnostic physical port to the inside network, to manage the device. Select Device > System Settings > Management Access List.

  • The system can obtain system database updates through the gateway for the outside interface. You do not need to have an explicit route from the management interface or network to the Internet. The default is to use internal routes through the data interfaces. However, you can set a specific gateway if you prefer to use a separate management network. Select Device > System Settings > Management Interface.

  • You can use Firepower Device Manager to configure the management interface to obtain its IP address through DHCP. Select Device > System Settings > Management Interface.

  • You can configure a DHCP server on the management address if you configure a static address. Select Device > System Settings > Management Interface.

Miscellaneous user interface changes

The following are notable changes to the Firepower Device Manager user interface.

  • Device main menu item. In previous releases, this menu item was the host name of your device. Also, the page opened is called Device Summary instead of Device Dashboard.

  • You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.

  • Device > System Settings > Cloud Preferences is now called Device > System Settings > URL Filtering Preferences.

  • The System Settings > DHCP Server page is now organized on two tabs, with the table of DHCP servers separated from the global parameters.

Site-to-site VPN connections

You can configure site-to-site virtual private network (VPN) connections using preshared keys. You can configure IKEv1 and IKEv2 connections.

Integrated Routing and Bridging support.

Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the FTD device bridges instead of routes. The FTD device is not a true bridge in that the FTD device continues to act as a firewall: access control between interfaces is controlled, and all of the usual firewall checks are in place.

This feature lets you configure bridge groups and to route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the FTD device to assign to the bridge group. The BVI can be a named interface and can participate separately from member interfaces in some features, such as DHCP server, where you configure other features on bridge group member interfaces, such as NAT and access control rules.

Select Device > Interfaces to configure a bridge group.

New Features in Firepower Device Manager/FTD 6.2.1

Released: May 15, 2017

The following table lists the new features available in FTD 6.2.1 when configured using Firepower Device Manager.


Note

This release applies to Firepower 2100 series only.


Feature

Description

Remote access VPN configuration.

You can configure remote access SSL VPN for the AnyConnect client. Configure RA VPN from the Device > Remote Access VPN group. Configure RA VPN licenses from the Device > Smart License group.

Firepower 2100 series device configuration.

You can configure FTD on Firepower 2100 series devices using Firepower Device Manager.

New Features in Firepower Device Manager/FTD 6.2.2

Released: September 5, 2017

The following table lists the new features available in FTD 6.2.2 when configured using Firepower Device Manager.

Feature

Description

Remote access VPN configuration for ASA 5500-X series devices.

You can configure remote access SSL VPN for the AnyConnect client on ASA 5500-X series devices. Configure RA VPN from the Device > Remote Access VPN group. Configure RA VPN licenses from the Device > Smart License group.

Firepower Threat Defense Virtual for VMware device configuration.

You can configure FTD on Firepower Threat Defense Virtual for VMware devices using Firepower Device Manager. Other virtual platforms are not supported by Firepower Device Manager.

Note 

You must install a new 6.2.2 image to get Firepower Device Manager support. You cannot upgrade an existing virtual machine from an older version and then switch to Firepower Device Manager.

Logging Into the System

There are two interfaces to the Firepower Threat Defense device:

Firepower Device Manager Web Interface

Firepower Device Manager runs in your web browser. You use this interface to configure, manage, and monitor the system.

Command Line Interface (CLI, Console)

Use the CLI for troubleshooting. You can also use it for initial setup instead of Firepower Device Manager.

The following topics explain how to log into these interfaces and manage your user account.

Logging Into Firepower Device Manager

Use the Firepower Device Manager to configure, manage, and monitor the system. The features that you can configure through the browser are not configurable through the command-line interface (CLI); you must use the web interface to implement your security policies.

Use a current version of Firefox, Chrome, Safari, Edge, or Internet Explorer.

Before you begin

You can log into Firepower Device Manager using the admin username only. You cannot create additional users for Firepower Device Manager access.

Procedure


Step 1

Using a browser, open the home page of the system, for example, https://ftd.example.com.

You can use any of the following addresses. You can use the IPv4 or IPv6 address or the DNS name, if you have configured one.

  • The management address. By default, this is 192.168.45.45 on the Management/Diagnostic interface.

  • The address of a data interface that you have opened for HTTPS access. By default (on hardware platforms), the “inside” interface allows HTTPS access, so you can connect to the default inside address 192.168.1.1. On device models where the inside interface is a bridge group, you can connect to this address through any bridge group member interface.

Tip 

If your browser is not configured to recognize the server certificate, you will see a warning about an untrusted certificate. Accept the certificate as an exception, or in your trusted root certificate store.

Step 2

Enter the admin username and password, then click Login.

The default admin password is Admin123.

Your session will expire after 20 minutes of inactivity, and you will be prompted to log in again. You can log out by selecting Log Out from the user icon drop-down menu in the upper right of the page.

User Profile button


Logging Into the Command Line Interface (CLI)

Use the command-line interface (CLI) to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session.

To log into the CLI, do one of the following:

  • Use the console cable included with the device to connect your PC to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. See the hardware guide for your device for more information about the console cable.


    Note

    On Firepower 2100 series devices, the CLI on the Console port is FXOS. You can get to the FTD CLI using the connect ftd command. Use the FXOS CLI for chassis-level troubleshooting only. Use the FTD CLI for basic configuration, monitoring, and normal system troubleshooting. See the FXOS documentation for information on FXOS commands.


  • For Firepower Threat Defense Virtual, open the virtual console.

  • Use an SSH client to make a connection to the management IP address. You can also connect to the address on a data interface if you open the interface for SSH connections (see Configuring the Management Access List). SSH access to data interfaces is disabled by default. Log in using the admin username (default password is Admin123) or another CLI user account.

Tips

Changing Your Password

You should periodically change your password. The following procedure explains how to change the password while logged into Firepower Device Manager.


Note

If you are logged into the CLI, you can change your password using the configure password command. You can change the password for a different CLI user with the configure user password username command.


Procedure


Step 1

Select Profile from the user icon drop-down list in the upper right of the menu.

User Profile button

Step 2

Click the Password tab.

Step 3

Enter your current password.

Step 4

Enter your new password and then confirm it.

Step 5

Click Change.


Setting User Profile Preferences

You can set preferences for the user interface and change your password.

Procedure


Step 1

Select Profile from the user icon drop-down list in the upper right of the menu.

User Profile button

Step 2

On the Profile tab, configure the following and click Save.

  • Time Zone for Scheduling Tasks—Select the time zone you want to use for scheduling tasks such as backups and updates. The browser time zone is used for dashboards and events, if you set a different zone.
  • Color Theme—Select the color theme you want to use in the user interface.
Step 3

On the Password tab, you can enter a new password and click Change.


Creating Local User Accounts for the FTD CLI

You can create users for CLI access on FTD devices. These accounts do not allow access to the management application, but to the CLI only. The CLI is useful for troubleshooting and monitoring purposes.

You cannot create local user accounts on more than one device at a time. Each device has its own set of unique local user CLI accounts.

Procedure


Step 1

Log into the device CLI using an account with config privileges.

The admin user account has the required privileges, but any account with config privileges will work. You can use an SSH session or the Console port.

For certain device models, the Console port puts you into the FXOS CLI. Use the connect ftd command to get to the FTD CLI.

Step 2

Create the user account.

configure user add username {basic | config }

You can define the user with the following privilege levels:

  • config —Gives the user configuration access. This gives the user full administrator rights to all commands.

  • basic —Gives the user basic access. This does not allow the user to enter configuration commands.

Example:

The following example adds a user account named joecool with config access rights. The password is not shown as you type it.


> configure user add joecool config
Enter new password for user joecool: newpassword
Confirm new password for user joecool: newpassword
> show user
Login              UID   Auth Access  Enabled Reset    Exp Warn  Str Lock Max
admin             1000  Local Config  Enabled    No  Never  N/A  Dis   No N/A
joecool           1001  Local Config  Enabled    No  Never  N/A  Dis   No   5

Note 

Tell users they can change their passwords using the configure password command.

Step 3

(Optional.) Adjust the characteristics of the account to meet your security requirements.

You can use the following commands to change the default account behavior.

  • configure user aging username max_days warn_days

    Sets an expiration date for the user's password. Specify the maximum number of days for the password to be valid followed by the number of days before expiration the user will be warned about the upcoming expiration. Both values are 1 to 9999, but the warning days must be less than the maximum days. When you create the account, there is no expiration date for the password.

  • configure user forcereset username

    Forces the user to change the password on the next login.

  • configure user maxfailedlogins username number

    Sets the maximum number of consecutive failed logins you will allow before locking the account, from 1 to 9999. Use the configure user unlock command to unlock accounts. The default for new accounts is 5 consecutive failed logins.

  • configure user minpasswdlen username number

    Sets a minimum password length, which can be from 1 to 127.

  • configure user strengthcheck username { enable | disable }

    Enables or disables password strength checking, which requires a user to meet specific password criteria when changing their password. When a user’s password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.

Step 4

Manage user accounts as necessary.

Users can get locked out of their accounts, or you might need to remove accounts or fix other issues. Use the following commands to manage the user accounts on the system.

  • configure user access username { basic | config }

    Changes the privileges for a user account.

  • configure user delete username

    Deletes the specified account.

  • configure user disable username

    Disables the specified account without deleting it. The user cannot log in until you enable the account.

  • configure user enable username

    Enables the specified account.

  • configure user password username

    Changes the password for the specified user. Users should normally change their own password using the configure password command.

  • configure user unlock username

    Unlocks a user account that was locked due to exceeding the maximum number of consecutive failed login attempts.


Setting Up the System

You must complete an initial configuration to make the system function correctly in your network. Successful deployment includes attaching cables correctly and configuring the addresses needed to insert the device into your network and connect it to the Internet or other upstream router. The following procedure explains the process.

Before you begin

Before you start the initial setup, the device includes some default settings. For details, see Default Configuration Prior to Initial Setup.

Procedure


Step 1

Connect the Interfaces

Step 2

Complete the Initial Configuration

For details about the resulting configuration, see Configuration After Initial Setup.

Step 3

Configure the Wireless Access Point (ASA 5506W-X)


Connect the Interfaces

The default configuration assumes that certain interfaces are used for the inside and outside networks. Initial configuration will be easier to complete if you connect network cables to the interfaces based on these expectations.

The default configuration for hardware models is designed to let you attach your workstation directly to the inside interface. For device models where the inside interface is a bridge group, you can attach to any member interface. Alternatively, you can also directly attach your workstation to the Management port. Use DHCP to obtain an address on the correct network. The interfaces are on different networks, so do not try to connect any of the inside interfaces and the Management port to the same network.

Do not connect any of the inside interfaces or the Management interface to a network that has an active DHCP server. This will conflict with the DHCP servers that are already running on the inside and Management ports. If you want to use a different DHCP server for the network, just connect your workstation directly to the Management port, complete initial configuration, and then disable the unwanted DHCP servers. You can then connect the device to the network.

The following topics show how to cable the system for this topology when using the inside interfaces to configure the device.

Cabling for ASA 5506-X, 5506W-X, and 5506H-X

Figure 1. ASA 5506W-X (with Wi-Fi), 5506-X (without Wi-Fi)

Cabling for ASA 5506-X, 5508-X, 5516-X.

Figure 2. ASA 5506H-X

Cabling for 5506H-X

  • Attach GigabitEthernet 1/1 to the ISP/WAN modem or other outside device. By default, the IP address is obtained using DHCP, but you can set a static address during initial configuration.

  • Attach GigabitEthernet 1/2 (or another of the inside bridge group member ports) to your workstation, the one you will use to configure the device. Configure the workstation to obtain an IP address using DHCP. The workstation gets an address on the 192.168.1.0/24 network.


    Note

    You have a couple of other options for connecting the management workstation. You can also directly connect it to the Management port. The workstation gets an address through DHCP on the 192.168.45.0/24 network. Another option is to leave your workstation attached to a switch, and attach that switch to one of the inside ports such as GigabitEthernet1/2. However, you must ensure that no other device on the switch's network is running a DHCP server, because it will conflict with the one running on the inside bridge group, 192.168.1.1.


  • Optionally, attach other endpoints or switches to the other ports in the inside bridge group. You might want to wait until you complete the initial device setup before adding endpoints. If you add switches, ensure that there are no other DHCP servers running on those networks, as this conflicts with the DHCP server running on the inside bridge group.

Cabling for ASA 5508-X and 5516-X


Cabling for the ASA 5508-X, 5516-X.

  • Attach GigabitEthernet 1/1 to the ISP/WAN modem or other outside device. By default, the IP address is obtained using DHCP, but you can set a static address during initial configuration.

  • Attach GigabitEthernet 1/2 to your workstation, the one you will use to configure the device. Configure the workstation to obtain an IP address using DHCP. The workstation gets an address on the 192.168.1.0/24 network.


    Note

    You have a couple of other options for connecting the management workstation. You can also directly connect it to the Management port. The workstation gets an address through DHCP on the 192.168.45.0/24 network. Another option is to leave your workstation attached to a switch, and attach that switch to GigabitEthernet1/2. However, you must ensure that no other device on the switch's network is running a DHCP server, because it will conflict with the one running on the inside interface, 192.168.1.1.


Cabling for ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X


Cabling for ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X.

  • Attach GigabitEthernet 0/0 to the ISP/WAN modem or other outside device. By default, the IP address is obtained using DHCP, but you can set a static address during initial configuration.

  • Attach GigabitEthernet 0/1 to your workstation, the one you will use to configure the device. Configure the workstation to obtain an IP address using DHCP. The workstation gets an address on the 192.168.1.0/24 network.


    Note

    You have a couple of other options for connecting the management workstation. You can also directly connect it to the Management port. The workstation gets an address through DHCP on the 192.168.45.0/24 network. Another option is to leave your workstation attached to a switch, and attach that switch to GigabitEthernet0/1. However, you must ensure that no other device on the switch's network is running a DHCP server, because it will conflict with the one running on the inside interface, 192.168.1.1.


Cabling for Firepower 2100


Cabling for Firepower 2100 series devices.

  • Attach Ethernet 1/1 to the ISP/WAN modem or other outside device. By default, the IP address is obtained using DHCP, but you can set a static address during initial configuration.

  • Attach Ethernet 1/2 to your workstation, the one you will use to configure the device. Configure the workstation to obtain an IP address using DHCP. The workstation gets an address on the 192.168.1.0/24 network.


    Note

    You have a couple of other options for connecting the management workstation. You can also directly connect it to the Management port. The workstation gets an address through DHCP on the 192.168.45.0/24 network. Another option is to leave your workstation attached to a switch, and attach that switch to Ethernet 1/2. However, you must ensure that no other device on the switch's network is running a DHCP server, because it will conflict with the one running on Ethernet 1/2, 192.168.1.1.


Virtual Cabling for Firepower Threat Defense Virtual

To install Firepower Threat Defense Virtual, see the Cisco Firepower Threat Defense Virtual Quick Start Guide for your virtual platform at http://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/products-installation-guides-list.html. Firepower Device Manager is supported on VMware only.

The Firepower Threat Defense Virtual default configuration puts the management interface and inside interface on the same subnet. You must have Internet connectivity on the management interface in order to use Smart Licensing and to obtain updates to system databases.

Thus, the default configuration is designed so that you can connect both the Management0/0 and GigabitEthernet0/1 (inside) to the same network on the virtual switch. The default management address uses the inside IP address as the gateway. Thus, the management interface routes through the inside interface, then through the outside interface, to get to the Internet.

You also have the option of attaching Management0/0 to a different subnet than the one used for the inside interface, as long as you use a network that has access to the Internet. Ensure that you configure the management interface IP address and gateway appropriately for the network.

Note that the management interface IP configuration is defined on Device > System Settings > Management Interface. It is not the same as the IP address for the Management0/0 (diagnostic) interface listed on Device > Interfaces > View Configuration.

How VMware Network Adapters and Interfaces Map to Firepower Threat Defense Physical Interfaces

You can configure up to 10 interfaces for a VMware Firepower Threat Defense Virtual device. You must configure a minimum of 4 interfaces.

Ensure that the Management0-0 source network is associated to a VM network that can access the Internet. This is required so that the system can contact the Cisco Smart Software Manager and also to download system database updates.

You assign the networks when you install the OVF. As long as you configure an interface, you can later change the virtual network through the VMware Client. However, if you need to add a new interface, the process is more cumbersome, as explained in Add Interfaces to Firepower Threat Defense Virtual.

The following table explains how the VMware network adapter and source interface map to the Firepower Threat Defense Virtual physical interface names. For additional interfaces, the naming follows the same pattern, increasing the relevant numbers by one. All additional interfaces are data interfaces. For more information on assigning virtual networks to virtual machines, see the VMware online help.

Table 2. Source to Destination Network Mapping

Network Adapter

Source Network

Destination Network (Physical Interface Name

Function

Network adapter 1

Management0-0

Diagnostic0/0

Management and diagnostic

Network adapter 2

GigabitEthernet0-0

GigabitEthernet0/0

Inside data

Network adapter 3

GigabitEthernet0-1

GigabitEthernet0/1

Outside data

Network adapter 4

GigabitEthernet0-2

GigabitEthernet0/2

Data traffic

Network adapter 5

GigabitEthernet0-3

GigabitEthernet0/3

Data traffic

Network adapter 6

GigabitEthernet0-4

GigabitEthernet0/4

Data traffic

Network adapter 7

GigabitEthernet0-5

GigabitEthernet0/5

Data traffic

Network adapter 8

GigabitEthernet0-6

GigabitEthernet0/6

Data traffic

Network adapter 9

GigabitEthernet0-7

GigabitEthernet0/7

Data traffic

Network adapter 10

GigabitEthernet0-8

GigabitEthernet0/8

Data traffic

Complete the Initial Configuration

When you initially log into Firepower Device Manager, you are taken through the device setup wizard to complete the initial system configuration.

Before you begin

Ensure that you connect a data interface to your gateway device, for example, a cable modem or router. For edge deployments, this would be your Internet-facing gateway. For data center deployments, this would be a back-bone router. Use the default “outside” interface for your model (see Connect the Interfaces and Default Configuration Prior to Initial Setup).

Then, connect your workstation to the “inside” interface for your hardware model. For models where the inside interface is a bridge group, you can connect to any bridge group member interface, which is any data port other than the outside interface. Alternatively, you can connect to the Management/Diagnostic physical interface. For Firepower Threat Defense Virtual, simply ensure that you have connectivity to the management IP address.

(Except for Firepower Threat Defense Virtual, which requires connectivity to the Internet from the management IP address.) The Management/Diagnostic physical interface does not need to be connected to a network. By default, the system obtains system licensing and database and other updates through the data interfaces, typically the outside interface, that connect to the Internet. If you instead want to use a separate management network, you can connect the Management/Diagnostic interface to a network and configure a separate management gateway after you complete initial setup.

Procedure


Step 1

Log into Firepower Device Manager.

  1. Assuming you did not go through initial configuration in the CLI, open Firepower Device Manager at https:// ip-address , where the address is one of the following.

    • If you are connected to the inside interface, or one of the inside bridge group data interfaces for models that have a default inside bridge group: https://192.168.1.1.

    • (Required for Firepower Threat Defense Virtual.) If you are connected to the Management physical interface: https://192.168.45.45.

  2. Log in with the username admin, password Admin123.

Step 2

If this is the first time logging into the system, and you did not use the CLI setup wizard, you are prompted to read and accept the End User License Agreement and change the admin password.

You must complete these steps to continue.

Step 3

Configure the following options for the outside and management interfaces and click Next.

Caution 

Your settings are deployed to the device when you click Next. The interface will be named “outside” and it will be added to the “outside_zone” security zone. Ensure that your settings are correct. If you end up configuring an IP address on the outside interface that is on the same subnet as the inside interface, and you are connected to Firepower Device Manager on the inside address, the wizard will hang when you click Next, because the address on the inside interface will be removed. To recover, see What to Do if the Outside Subnet Conflicts with the Inside Subnet (Setup Wizard Hangs at Step 1).

Outside Interface

  • Configure IPv4—The IPv4 address for the outside interface. You can use DHCP or manually enter a static IP address, subnet mask, and gateway. You can also select Off to not configure an IPv4 address. Do not configure an IP address on the same subnet as the default inside address (see Default Configuration Prior to Initial Setup), either statically or through DHCP.

  • Configure IPv6—The IPv6 address for the outside interface. You can use DHCP or manually enter a static IP address, prefix, and gateway. You can also select Off to not configure an IPv6 address.

Management Interface

  • DNS Servers—The DNS server for the system's management address. Enter one or more addresses of DNS servers for name resolution. The default is the OpenDNS public DNS servers. If you edit the fields and want to return to the default, click Use OpenDNS to reload the appropriate IP addresses into the fields. Your ISP might require that you use specific DNS servers. If after completing the wizard, you find that DNS resolution is not working, see Troubleshooting DNS for the Management Interface.

  • Firewall Hostname—The hostname for the system's management address.

Step 4

Configure the system time settings and click Next.

  • Time Zone—Select the time zone for the system.
  • NTP Time Server—Select whether to use the default NTP servers or to manually enter the addresses of your NTP servers. You can add multiple servers to provide backups.
Step 5

Configure the smart licenses for the system.

You must have a smart license account to obtain and apply the licenses that the system requires. Initially, you can use the 90-day evaluation license and set up smart licensing later.

To register the device now, click the link to log into your Smart Software Manager account, generate a new token, and copy the token into the edit box.

To use the evaluation license, select Start 90 day evaluation period without registration. To later register the device and obtain smart licenses, click Device, then click the link in the Smart Licenses group.

Step 6

Click Finish.


What to do next

  • If you want to use features covered by optional licenses, such as category-based URL filtering, intrusion inspection, or malware prevention, enable the required licenses. See Enabling or Disabling Optional Licenses.

  • If this is a new system, the other interfaces on device models that have a default inside bridge group are ready to use as members of the inside bridge group. You can connect end points directly to the interfaces. For models that have a single default physical interface, you can connect the other data interfaces to distinct networks and configure the interfaces. For bridge group member interfaces, you can also remove them from the bridge group and configure additional unique networks. For information on configuring interfaces, see How to Add a Subnet and Configuring Interfaces.

  • If you are managing the device through the inside interface or bridge group member interface, and you want to open CLI sessions through the inside interface, open the inside interface or bridge group to SSH connections. See Configuring the Management Access List.

  • Go through the use cases to learn how to use the product. See Use Cases for Firepower Threat Defense.

What to Do if the Outside Subnet Conflicts with the Inside Subnet (Setup Wizard Hangs at Step 1)

If you connect to Firepower Device Manager through the inside interface, you might find that the setup wizard hangs when you click Next during step 1, where you configure the outside interface. Note that normally it takes a while to complete this step, so hanging means that it continues for 10+ minutes. If you refresh the browser, you will see that you have lost the connection to Firepower Device Manager. (If you connected through the management IP address, the wizard does not hang, but you might still have a problem as described in the symptoms below.)

The most likely reason this happens is that both the outside and inside interfaces were assigned addresses on the same subnet, which results in the inside interface losing its configuration.

The default configuration includes a static address on the inside interface, and a DHCP server, so that the device is functional and can pass traffic and support attached workstations immediately after you complete the setup wizard.

However, having a default inside address works only if you do not configure an address on the same subnet on the outside interface. This includes the situation where you attach to an ISP device that provides an address through DHCP to the outside address. Some ISPs use the same 192.168.1.0/24 subnet for their inside interface (which attaches to your outside interface) as Firepower Threat Defense uses for the inside address.

To resolve this problem, you must change the IP address on the inside interface.


Note

This topic focuses on hardware models and their defaults. On virtual models, the default inside IP address is different, and is on the same subnet as the management IP address. You can still end up with an inside/outside subnet conflict, but it is less likely.


Symptoms for an inside/outside subnet conflict

Following are the symptoms that you have addresses on the same subnet on the inside and outside interfaces.

  • During the device setup wizard, the wizard hangs when you click Next in step 1. Note that normally it takes a while to complete this step, so hanging means that it continues for 10+ minutes.

  • If you are connected to the Console port, you would see the following message in the CLI. You will also get this message if you try to deploy the configuration (without subsequent change) from Firepower Device Manager.

    
    ERROR: Failed to apply IP address to interface GigabitEthernet1/1, 
    as the network overlaps with interface GigabitEthernet1/2. 
    Two interfaces cannot be in the same subnet.
    
    
  • If you get through setup, or exit it, the connection graphic will show no connection to any external services, such as the gateway, DNS and NTP servers, and Smart Licensing. The Deploy icon in the menu will also show that a deployment is needed.

  • From the CLI, the interface and dhcp configurations are inconsistent for the inside and outside interfaces when viewed using the show running-config and show startup-config commands.

Procedure


Step 1

If you were connected to the inside interface during device setup, complete the setup.

  1. Reconnect to the device by plugging into the Management port. If necessary, release and renew your workstation’s DHCP address to get a new address on the management network (192.168.45.0/24). If necessary, configure a static address for your workstation in the 192.168.45.1-192.168.45.44 range.

  2. Open Firepower Device Manager at https://192.168.45.45.

  3. You should see a prompt asking you to start your 90-day evaluation license. Select this option and click Confirm.

  4. Choose Device > System Settings > NTP, configure the NTP servers, and click Save. If the default servers fit your requirements, you can skip this step.

  5. Select Profile from the user icon drop-down list in the upper right of the menu, select the time zone for the device, and click Save.

    User Profile button

  6. If you do not want to use the evaluation license, choose Device > Smart License > View Configuration, click Request Register, then follow the instructions to register the device. See Registering the Device. (You can also enable any optional licenses you need at this time.)

Step 2

Remove the DHCP server from the inside interface.

  1. Choose Device > System Settings > DHCP Server.

  2. Click the DHCP Servers tab.

  3. Mouse over the Actions column in the inside interface row and click the delete icon (delete icon).

Step 3

Change the address on the inside interface.

  1. Select Device.

  2. In the Interfaces group, click the link that indicates the number of enabled interfaces (for example, 3 Enabled).

  3. Mouse over the Actions column for the inside interface and click the edit icon (edit icon).

  4. On the IPv4 Address tab, enter a static address on a unique subnet, for example, 192.168.2.1/24 or 192.168.46.1/24. Note that the default management address is 192.168.45.45/24, so do not use that subnet.

    You also have the option to use DHCP to obtain an address if you have a DHCP server already running on the inside network.

  5. Click OK.

Step 4

(Optional.) Configure DHCP server on the inside address.

If you configure a static address for the inside interface, you can configure a DHCP server to provide addresses to workstations that attach to the inside network. This is a typical setup.

  1. Choose Device > System Settings > DHCP Server.

  2. Click the DHCP Servers tab.

  3. Click +.

  4. Select the option to enable the server and select the inside interface.

  5. For the address pool, enter a range on the same subnet as the inside address.

    For example, if the inside address is 192.168.2.1/24, you might use 192.168.2.5-192.168.2.254. Do not include addresses that are statically assigned to nodes on the network. Consider leaving a few addresses outside the pool so you can assign static addresses when needed.

  6. Click OK.

Step 5

Click the Deploy button in the menu to deploy your changes.

Deploy changes button, highlighted when there are changes to deploy.

Step 6

Click Deploy Now.

After deployment completes, the connection graphic should show green for the external services.


Configure the Wireless Access Point (ASA 5506W-X)

The ASA 5506W-X includes a Cisco Aironet 702i wireless access point integrated into the device. The wireless access point is disabled by default. Connect to the access point web interface so that you can enable the wireless radios and configure the SSID and security settings.

The access point connects internally over the GigabitEthernet1/9 interface. All Wi-Fi clients belong to the GigabitEthernet1/9 network. Your security policy determines how the Wi-Fi network can access any networks on other interfaces. The access point does not contain any external interfaces or switch ports.

The following procedure explains how to configure the access point. The procedure assumes that you completed the device setup wizard. If you instead manually configured the device, you might need to adjust the steps based on your configuration.

For more information, see the following manuals:

Before you begin

If you are unable to reach the access point, and the FTD device has the suggested configuration, and other networking issues are not found, then you may want to restore the access point default configuration. You must access the FTD CLI (connect to the console port, or configure SSH access). From the FTD CLI, enter the following commands.


> system support diagnostic-cli 
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower> enable
Password: <press enter, by default, the password is blank>
firepower# hw-module module wlan recover configuration 

If you need to troubleshoot the access point further, connect to the access point CLI using the session wlan console command.

Procedure


Step 1

Configure and enable the wireless interface, GigabitEthernet1/9.

  1. Click Device, then click the link in the Interfaces group to open the list of interfaces.

  2. Click the edit icon (edit icon) for the GigabitEthernet1/9 interface.

  3. Configure the following options.

    • Interface Name—Enter a name for the interface, for example, wifi.

    • Status—Click the slider to enable the interface.

    • IPv4 Address—Select Static for the address type, then enter an address and subnet mask. For example, 192.168.10.1/24.

  4. Click Save.

Step 2

Add the Wi-Fi interface to the same security zone as the inside interfaces.

The device setup wizard puts the members of the inside bridge group in a security zone named inside_zone. The Wi-Fi interface needs to be in the same zone so that you can reach the access point web interface (made possible by the default Inside_Inside_Rule access rule).

  1. Click Objects in the menu, then select Security Zones from the table of contents.

  2. Click the edit icon (edit icon) for inside_zone.

  3. Click + under Interfaces and select the wifi interface.

Step 3

Verify that there is an access control rule to allow traffic between interfaces in the inside_zone security zone.

The device setup wizard creates a rule to allow traffic to flow from the inside_zone to the outside_zone, which allows inside users to get to the Internet.

The wizard also create a rule to allow traffic to flow between the inside_zone and inside_zone, so that internal hosts can reach each other.

By adding the wifi interface to inside_zone, Wi-Fi users are also included in both of these rules, so that they can reach the Internet and other internal users.

If you did not complete the wizard, these rules might not exist. Because the default action is to block all traffic, you must create these rules. The following procedure explains how to create a rule to enable traffic between the interfaces in the inside_zone security zone.

  1. Click Policies in the menu.

  2. Click + above the Access Control table to add a rule.

  3. Configure at least the following options in the rule.

    • Title—Enter a name for the rule. For example, Inside_Inside.

    • Action—Either Allow or Trust.

    • Source/Destination > Source Zones—Select inside_zone.

    • Source/Destination > Destination Zones—Select inside_zone.

  4. Click OK.

Step 4

Configure the DHCP server on the wireless interface.

The DHCP server supplies IP addresses to devices that connect to the access point. It also supplies an address to the access point itself.

  1. Click Device.

  2. Click System Settings > DHCP Server.

  3. Click the DHCP Servers tab.

  4. Click + above the DHCP server table.

  5. Configure the following DHCP server properties.

    • Enable DHCP Server—Click the slider to enable the DHCP server.

    • Interface—Select the wifi interface.

    • Address Pool—Enter the address pool for DHCP clients. For example, if you used the example address for the wireless interface, the pool would be 192.168.10.2-192.168.10.254. The pool must be on the same subnet as the IP address for the interface, and it cannot include the address of the interface or the broadcast address.

  6. Click OK.

Step 5

Click the Deploy button in the menu, then click the Deploy Now button, to deploy your changes to the device.

Deploy changes button, highlighted when there are changes to deploy.

Wait until the deployment finishes before you continue.

Step 6

Configure the wireless access point.

The wireless access point obtains its address from the DHCP pool defined for the wireless interface. It should get the first address in the pool. If you used the example addresses, this is 192.168.10.2. (Try the next address in the pool if the first one does not work.)

  1. Use a new browser window to go to the wireless access point IP address, for example, http://192.168.10.2.

    The access point web interface should appear.

    You must be on the inside network, or a network that can route to it, to open this address.

  2. Log in with the username cisco and password Cisco.

  3. On the left, click Easy Setup > Network Configuration.

  4. In the Radio Configuration area, for each of the Radio 2.4GHz and Radio 5GHz sections, set at least the following parameters and click Apply for each section.

    • SSID—The Service Set Identifier. This is the name of the wireless network. Users will see this name when selecting a wireless network for their Wi-Fi connection.

    • Broadcast SSID in Beacon—Select this option.

    • Universal Admin Mode: Disable.

    • Security—Select whichever security option you want to use.

Step 7

While in the wireless access point web interface, enable the radios.

  1. On the left, click Summary, and then on the main page under Network Interfaces, click the link for the 2.4 GHz radio.

  2. Click the Settings tab.

  3. For the Enable Radio setting, click the Enable radio button, and then click Apply at the bottom of the page.

  4. Repeat the process for the 5 GHz radio.


Default Configuration Prior to Initial Setup

Before you initially configure the Firepower Threat Defense device using the local manager (Firepower Device Manager), the device includes the following default configuration.

This configuration assumes that you open the Firepower Device Manager through the inside interface, typically by plugging your computer directly into the interface, and use the DHCP server defined on the inside interface to supply your computer with an IP address. See the table below for the default inside and outside interfaces by device model. Alternatively, you can plug your computer into the Management/Diagnostic physical interface and use DHCP to obtain an address. See the configuration settings table for the default inside and management IP addresses, which you use to open Firepower Device Manager in your browser.

The exception is Firepower Threat Defense Virtual, where the configuration assumes that you put both the management and inside interfaces on the same subnet, and the management address uses the inside address as its gateway to the Internet (going through the outside interface). Configure the device through the management IP address.

Default Configuration Settings

Setting

Default

Can be changed during initial configuration?

Password for admin user.

Admin123

Yes. You must change the default password.

Management IP address.

192.168.45.45

No.

Management gateway.

The data interfaces on the device. Typically the outside interface becomes the route to the Internet. This gateway works for from-the-box traffic only.

For Firepower Threat Defense Virtual: 192.168.45.1

No.

DHCP server on the management interface.

Enabled with the address pool 192.168.45.46-192.168.45.254.

For Firepower Threat Defense Virtual, there is no DHCP server on the management interface.

No.

DNS servers for the management interface.

The OpenDNS public DNS servers, 208.67.220.220 and 208.67.222.222 .

Yes

Inside interface IP address.

192.168.1.1/24

For Firepower Threat Defense Virtual: 192.168.45.1/24

No.

DHCP server for inside clients.

Running on the inside interface with the address pool 192.168.1.5 - 192.168.1.254.

For Firepower Threat Defense Virtual, the address pool on the inside interface is 192.168.45.46 - 192.168.45.254.

No.

DHCP auto-configuration for inside clients. (Auto-configuration supplies clients with addresses for WINS and DNS servers.)

Enabled on outside interface.

Yes, but indirectly. If you configure a static IPv4 address for the outside interface, DHCP server auto-configuration is disabled.

Outside interface IP address.

Obtained through DHCP from Internet Service Provider (ISP) or upstream router.

Yes.

Default Interfaces by Device Model

You cannot select different inside and outside interfaces during initial configuration. To change the interface assignments after configuration, edit the interface and DHCP settings. You must remove an interface from the bridge group before you can configure it as a non-switched interface.

Firepower Threat Defense device

Outside Interface

Inside Interface

ASA 5506-X

ASA 5506H-X

ASA 5506W-X

GigabitEthernet1/1

BVI1, which contains all other data interfaces except the outside interface, and for the 5506W-X, the wireless interface GigabitEthernet1/9.

ASA 5508-X

ASA 5516-X

GigabitEthernet1/1

GigabitEthernet1/2

ASA 5512-X

ASA 5515-X

ASA 5525-X

ASA 5545-X

ASA 5555-X

GigabitEthernet0/0

GigabitEthernet0/1

Firepower 2100 series

Ethernet1/1

Ethernet1/2.

Firepower Threat Defense Virtual

GigabitEthernet0/0

GigabitEthernet0/1

Configuration After Initial Setup

After you complete the setup wizard, the device configuration will include the following settings. The table shows whether a particular setting is something you explicitly chose or whether it was defined for you based on your other selections. Validate any "implied" configurations and edit them if they do not serve your needs.

Setting

Configuration

Explicit, implied, or default configuration

Password for admin user.

Whatever you entered.

Explicit.

Management IP address.

192.168.45.45

Default.

Management gateway.

The data interfaces on the device. Typically the outside interface becomes the route to the Internet. The management gateway works for from-the-box traffic only.

For Firepower Threat Defense Virtual: 192.168.45.1

Default.

DHCP server on management interface.

Enabled with the address pool 192.168.45.46-192.168.45.254.

For Firepower Threat Defense Virtual, there is no DHCP server on the management interface.

Default.

DNS servers for the management interface.

Whatever you entered.

Explicit.

Management hostname.

firepower or whatever you entered.

Explicit.

Management access through data interfaces.

A data interface management access list rule allows HTTPS access through the inside interface. For models that have an inside bridge group, this covers all member interfaces of the inside bridge group. SSH connections are not allowed. Both IPv4 and IPv6 connections are allowed.

The exception is Firepower Threat Defense Virtual, where no data interfaces have default access rules.

Implied.

System time.

The time zone and NTP servers you selected.

Explicit.

Smart license.

Either registered with a base license, or the evaluation period activated, whichever you selected.

Subscription licenses are not enabled. Go to the smart licensing page to enable them.

Explicit.

Inside interface IP address.

192.168.1.1/24

For Firepower Threat Defense Virtual: 192.168.45.1/24

Default.

DHCP server for inside clients.

Running on the inside interface with the address pool 192.168.1.5 - 192.168.1.254.

For Firepower Threat Defense Virtual, the address pool on the inside interface is 192.168.45.46 - 192.168.45.254.

Default.

DHCP auto-configuration for inside clients. (Auto-configuration supplies clients with addresses for WINS and DNS servers.)

Enabled on outside interface if you use DHCP to obtain the outside interface IPv4 address.

If you use static addressing, DHCP auto-configuration is disabled.

Explicit, but indirectly.

Data interface configuration.

(Models that do not have an inside bridge group.) The outside and inside interfaces are the only ones configured and enabled. All other data interfaces are disabled.

(Models that have an inside bridge group.) All data interfaces (such as GigabitEthernet1/2) except the outside interface are enabled and part of the inside bridge group. You can plug end points or switches into these ports and obtain addresses from the DHCP server for the inside interface. These interfaces are named inside_1, inside_2, and so forth.

Default.

Outside physical interface and IP address.

The default outside port based on the device model. See Default Configuration Prior to Initial Setup.

The IP address is obtained by DHCP, or it is a static address as entered (IPv4, IPv6, or both).

Interface is Default.

Addressing is Explicit.

Static routes.

If you configure a static IPv4 or IPv6 address for the outside interface, a static default route is configured for IPv4/IPv6 as appropriate, pointing to the gateway you defined for that address type. If you select DHCP, the default route is obtained from the DHCP server.

Network objects are also created for the gateway and the "any" address, that is, 0.0.0.0/0 for IPv4, ::/0 for IPv6.

Implied.

Security zones.

inside_zone, containing the inside interface. For models that have an inside bridge group, the zone contains all members of the inside bridge group interface.

outside_zone, containing the outside interface.

(You can edit these zones to add other interfaces, or create your own zones.)

Implied.

Access control policy.

A rule trusting all traffic from the inside_zone to the outside_zone. This allows without inspection all traffic from users inside your network to get outside, and all return traffic for those connections.

For models that have an inside bridge group, a second rule trusting all traffic between the interfaces in the inside_zone. This allows without inspection all traffic between users on your inside network.

The default action for any other traffic is to block it. This prevents any traffic initiated from outside to enter your network.

Implied.

NAT

(Models that do not have an inside bridge group.) An interface dynamic PAT rule translates the source address for any IPv4 traffic destined to the outside interface to a unique port on the outside interface's IP address.

(Models that have an inside bridge group.) For each member of the inside bridge group, an interface dynamic PAT rule translates the source address for any IPv4 traffic destined to the outside interface to a unique port on the outside interface’s IP address. These appear in the NAT rule table and you can edit them later if desired.

There are additional hidden PAT rules to enable HTTPS access through the inside interfaces, and routing through the data interfaces for the management address. These do not appear in the NAT table, but you will see them if you use the show nat command in the CLI.

Implied.

Configuration Basics

The following topics explain the basic methods for configuring the device.

Configuring the Device

When you initially log into Firepower Device Manager, you are guided through a setup wizard to help you configure basic settings. Once you complete the wizard, use the following method to configure other features and to manage the device configuration.

If you have trouble distinguishing items visually, select a different color scheme in the user profile. Select Profile from the user icon drop-down menu in the upper right of the page.

User Profile button

Procedure


Step 1

Click Device to get to the Device Summary.

The dashboard shows a visual status for the device, including enabled interfaces and whether key settings are configured (colored green) or still need to be configured. For more information, see Viewing Interface and Management Status.

Above the status image is a summary of the device model, software version, VDB (System and Vulnerability Database) version, and the last time intrusion rules were updated.

Below the image are groups for the various features you can configure, with summaries of the configurations in each group, and actions you can take to manage the system configuration.

Step 2

Click the links in each group to configure the settings or perform the actions.

Following is a summary of the groups:

  • Interface—You should have at least two data interfaces configured in addition to the management interface. See Interfaces.

  • Routing—The routing configuration. You must define a default route. Other routes might be necessary depending on your configuration. See Routing.

  • Updates—Geolocation, intrusion rule, and vulnerability database updates, and system software upgrades. Set up a regular update schedule to ensure that you have the latest database updates if you use those features. You can also go to this page if you need to download an update before the regularly schedule update occurs. See Updating System Databases.

  • System Settings—This group includes a variety of settings. Some are basic settings that you would configure when you initially set up the device and then rarely change. See System Settings.

  • Smart License—Shows the current state of the system licenses. You must install the appropriate licenses to use the system. Some features require additional licenses. See Licensing the System.

  • Backup and Restore—Back up the system configuration or restore a previous backup. See Backing Up and Restoring the System.

  • Troubleshoot—Generate a troubleshooting file at the request of the Cisco Technical Assistance Center. See Creating a Troubleshooting File.

  • Site-to-Site VPN—The site-to-site virtual private network (VPN) connections between this device and remote devices. See Managing Site-to-Site VPNs.

  • Remote Access VPN—The remote access virtual private network (VPN) configuration that allows outside clients to connect to your inside network. See Configuring Remote Access VPN.

Step 3

Click the Deploy button in the menu to deploy your changes.

Deploy changes button, highlighted when there are changes to deploy.

Changes are not active on the device until you deploy them. See Deploying Your Changes.


What to do next

Click Policies in the main menu and configure the security policy for the system. You can also click Objects to configure the objects needed in those policies.

Configuring Security Policies

Use the security policies to implement your organization’s acceptable use policy and to protect your network from intrusions and other threats.

Procedure


Step 1

Click Policies.

The Security Policies page shows the general flow of a connection through the system, and the order in which security policies are applied.

Step 2

Click the name of a policy and configure it.

You might not need to configure each policy type, although you must always have an access control policy. Following is a summary of the policies:

  • Identity—If you want to correlate network activity to individual users, or control network access based on user or user group membership, use the identity policy to determine the user associated with a given source IP address. See Configuring Identity Policies.

  • NAT (Network Address Translation)—Use the NAT policy to convert internal IP addresses to externally routeable addresses. See Configure NAT.

  • Access Control—Use the access control policy to determine which connections are allowed on the network. You can filter by security zone, IP address, protocol, port, application, URL, user or user group. You also apply intrusion and file (malware) policies using access control rules. Use this policy to implement URL filtering. See Configuring the Access Control Policy.

Step 3

Click the Deploy button in the menu to deploy your changes.

Deploy changes button, highlighted when there are changes to deploy.

Changes are not active on the device until you deploy them. See Deploying Your Changes.


Deploying Your Changes

When you update a policy or setting, the change is not immediately applied to the device. There is a two step process for making configuration changes:

  1. Make your changes.

  2. Deploy your changes.

This process gives you the opportunity to make a group of related changes without forcing you to run a device in a “partially configured” manner. Also, because some changes require inspection engines to restart, with traffic dropping during the restart, consider deploying changes when potential disruptions will have the least impact.

After you complete the changes you want to make, use the following procedure to deploy them to the device.


Caution

The Firepower Threat Defense device using the Firepower Device Manager drops traffic when the inspection engines are busy because of a software resource issue, or down because a configuration requires the engines to restart during configuration deployment. For detailed information on changes that require a restart, see Configuration Changes that Restart Inspection Engines.


Procedure


Step 1

Click the Deploy Changes icon in the upper right of the web page.

The icon is highlighted with a dot when there are undeployed changes.

Deploy changes button, highlighted when there are changes to deploy.

The Deployment Summary page opens. The window shows a list of previous deployments with summary information on the changes (“modified objects”), when the deployment was initiated and completed, and the status of each deployment.

If the icon is not highlighted, you can still click it to see the results of previous deployment jobs.

Deploy configuration button.

Step 2

Click Deploy Now.


Configuration Changes that Restart Inspection Engines

Any of the following configurations or actions restart inspection engines when you deploy configuration changes.


Caution

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, deploying some configurations requires inspection engines to restart, which interrupts traffic inspection and drops traffic.


Deployment

Any deployment restarts the inspection engines.

System Database Updates
  • If an Intrusion Rule update increases the amount of memory required by the database, the inspection engines restart.

System Updates

Installing a system update or patch that does not reboot the system and includes a binary change requires inspection engines to restart. Binary changes can include changes to inspection engines, a preprocessor, the vulnerability database (VDB), or a shared object rule. Note also that a patch that does not include a binary change can sometimes require a Snort restart.

Viewing Interface and Management Status

The Device Summary includes a graphical view of your device and select settings for the management address. To open the Device Summary, click Device.

Elements on this graphic change color based on the status of the element. Mousing over elements sometimes provides additional information. Use this graphic to monitor the following items.


Note

The interface portion of the graphic, including interface status information, is also available on the Interfaces page and the Monitoring > System dashboard.


Interface Status

Mouse over a port to see its IP addresses, and enabled and link statuses. The IP addresses can be statically assigned or obtained using DHCP. Mousing over a Bridge Virtual Interface (BVI) also shows the list of member interfaces.

Interface ports use the following color coding:

  • Green—The interface is configured, enabled, and the link is up.

  • Gray—The interface is not enabled.

  • Orange/Red—The interface is configured and enabled, but the link is down. If the interface is wired, this is an error condition that needs correction. If the interface is not wired, this is the expected status.

Inside, Outside Network Connections

The graphic indicates which port is connected to the outside (or upstream) and inside networks, under the following conditions.

  • Inside Network—The port for the inside network is shown for the interface named “inside” only. If there are additional inside networks, they are not shown. If you do not name any interface “inside,” no port is marked as the inside port.

  • Outside Network—The port for the outside network is shown for the interface named “outside” only. As with the inside network, this name is required, or no port is marked as the outside port.

Management Setting Status

The graphic shows whether the gateway, DNS servers, NTP servers, and Smart Licensing are configured for the management address, and whether those settings are functioning correctly.

Green indicates that the feature is configured and functioning correctly, gray indicates that it is not configured or not functioning correctly. For example, the DNS box is gray if the servers cannot be reached. Mouse over the elements to see more information.

If you find problems, correct them as follows:

  • Management port and gateway—Select System Settings > Management Interface.

  • DNS servers—Select System Settings > DNS Server.

  • NTP servers—Select System Settings > NTP. Also see Troubleshooting NTP.

  • Smart License—Click the View Configuration link in the Smart License group.

Viewing System Task Status

System tasks include actions that occur without your direct involvement, such as retrieving and applying various database updates. You can view a list of these tasks and their status to verify that these system tasks are completing successfully.

Procedure


Step 1

Click the Task List button in the main menu.

Task list button.

The task list opens, displaying the status and details of system tasks.

Step 2

Evaluate the task status.

If you find a persistent problem, you might need to fix the device configuration. For example, a persistent failure to obtain database updates could indicate that there is no path to the Internet for the device's management IP address. You might need to contact the Cisco Technical Assistance Center (TAC) for some issues as indicted in the task descriptions.

You can do the following with the task list:

  • Click the Success or Failures buttons to filter the list based on these statuses.

  • Click the delete icon (delete icon) for a task to remove it from the list.

  • Click Remove All Completed Tasks to empty the list of all tasks that are not in progress.