Configure the FMC Endpoint Update App

The following task enables you to configure the FMC endpoint update app to communicate with the FMC.

Prerequisites for Configuration

The following topics discuss prerequisite tasks you must complete before configuring the FMC Endpoint Update App.

Configure the FMC Domains and Subdomains

Data in one APIC tenant is pushed and merged to one particular FMC domain you configure. APIC does not modify or delete any other object in another FMC domain. Note that objects defined in a domain are visible and usable in an FMC's subdomains, and that can be a way to share an object across subdomains.

For more information about domains, see the chapter on domain management in the Cisco Firepower Management Center Configuration Guide.

Create domains and subdomains

Before you continue, make sure you have created all users, domains, and subdomains on the FMC. Subdomain users must be created in the correct domain (System > Users > Create User. If necessary, click Add Domain to add the user to the desired domain.)

To create a domain on the FMC:

  1. Log in to the FMC.

  2. Click System > Domains > Add Domain.

  3. Enter the required information.

  4. Click Save.

  5. Click Save.

Examples

When you create a device in the FMC Endpoint Update App:

  • Enter a username only to push and merge the configuration to the default Global domain on the FMC.

  • Enter a domain and username in the format domain \ user to get dynamic data from the tenant and access the FMC as user and update the objects of the subdomain named domain of the Global domain.

  • Enter a domain and username in the format domain1 / domain2 \ user2 to get dynamic data from the APIC tenant and access the FMC as user2 and update the objects of the subdomain domain2 , which is a subdomain of domain1 , which is a subdomain of Global.

For example, to push the APIC configuration for a tenant named ExampleTenant to the Global \ domain1 \ domain2 domain on an FMC with IP address 192.0.2.25 as a user named SampleUser:

  1. Log in to APIC.

  2. Click Apps > Apps.

  3. Under FMC Endpoint Update, click Open.

  4. Click Add Tenant/FMC.

  5. Add the following row to the table.

Create Users for the FMC Endpoint Update App

You must create one dedicated FMC user for the FMC Endpoint Update App to update network object and dynamic object configuration:

  • The dedicated user is exclusively for the FMC endpoint update app to update the FMC network object configuration

  • In addition, you must have a second administative user that can be shared between the FMC endpoint update app and other FMC functions. (This can be an existing user or a new user.)

Each user must have the Administrator role. Each ASA user must have privilege level 15. It's necessary to have to users to avoid the FMC endpoint update app logging out the administrator unexpectedly.

The task that follows discusses how to create users on the FMC only. To create ASA users, see the Cisco ASA Series General Operations ASDM Configuration Guide.

Procedure

Step 1

Log in to the FMC if you haven't done so already.

Step 2

Click System > Users > Users.

Step 3

Click Create User.

Step 4

Under User Role Configuration, check Administrator.

Step 5

(Optional.) Click Add Domain to give the user access to a particular domain.

Both FMC users must be administrators in the same domains.

Step 6

Enter the other information required to configure the user; consult the online help for assistance.

What to do next

See Configure the FMC Endpoint Update App.

Configure the FMC Endpoint Update App

To configure the FMC endpoint update app, complete the following procedure:

Before you begin

Before you configure and use the FMC Endpoint Update App, complete all of the following tasks:

Procedure

Step 1

Log in to APIC.

Step 2

Click Apps > Apps > FMC Endpoint Update.

Step 3

Locate the FMC endpoint update app.

Step 4

Click Open.

Step 5

Click (Config Devices) > Add Device.

The following figure shows an example.

Step 6

For Type, click either FMC or ASA.

Step 7

Enter or edit the following information.

Item Description

Update Interval

Enter the interval, in seconds, to update the FMC. Default is 60. The minimum interval is 30 seconds because updating too frequently might negatively impact system performance with a large number of FMCs.

Add Tenant/FMC

Click to add a row to the table and enter the following information:

  • APIC Tenant Name: Enter the name of an existing tenant.

  • FMC IP: Enter the FMC's IP address or fully-qualified host name. If your FMC is behind a NAT device, separate the IP address from the port with a colon character; for example, 192.2.0.9:5001.

  • FMC Domain/Username: Enter the username used by the app to sign in to the FMC. The username must be different than the username you use to sign in to the FMC. Otherwise, if they're the same, your sessions might get disconnected.

    Enter the domain and subdomain name, if any, to which to push data. Domain names can consist of alphanumeric characters or the \ and / characters only. For more information, see Configure the FMC Domains and Subdomains.

  • FMC Password: Enter the FMC user's password.

Click Remove at the end of the row to remove an FMC tenant.

Site Prefix

Enter a unique alphanumeric string to create a network group object on the FMC. In a multi-tenant environment, different network group objects prevent the configuration sent by APIC from being confused with any other configuration.

Step 8

After you’ve configured all your FMCs, click Submit Data.