The FMC and your management computer reside at a remote headquarters, and can reach the FTD over the internet.

The FMC and your management computer reside on the inside network with your other inside end points.

Defaults or previously entered values appear in brackets. To accept previously entered values, press Enter.

See the following guidelines:

• Configure IPv4 via DHCP or manually?—In 6.7 and later: If you want to use a data interface for FMC access instead of the management interface, choose manual. Although you do not plan to use the Management interface, you must set an IP address, for example, a private address. You cannot configure a data interface for management if the management interface is set to DHCP, because the default route, which must be data-interfaces (see the next bullet), might be overwritten with one received from the DHCP server.

• Enter the IPv4 default gateway for the management interface—In 6.7 and later: If you want to use a data interface for FMC access instead of the management interface, set the gateway to be data-interfaces. This setting forwards management traffic over the backplane so it can be routed through the FMC access data interface. If you want to use the Management interface for FMC access, you should set a gateway IP address on the Management 1/1 network.

• If your networking information has changed, you will need to reconnect—If you are connected with SSH but you change the IP address at initial setup, you will be disconnected. Reconnect with the new IP address and password. Console connections are not affected.

• Manage the device locally?—Enter no to use FMC. A yes answer means you will use Firepower Device Manager instead.

• Configure firewall mode?—We recommend that you set the firewall mode at initial configuration. Changing the firewall mode after initial setup erases your running configuration. Note that data interface FMC access is only supported in routed firewall mode.

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} reg_key [nat_id]

• {hostname | IPv4_address | IPv6_address | DONTRESOLVE}—Specifies either the FQDN or IP address of the FMC. If the FMC is not directly addressable, use DONTRESOLVE and also specify the nat_id. At least one of the devices, either the FMC or the FTD, must have a reachable IP address to establish the two-way, SSL-encrypted communication channel between the two devices. If you specify DONTRESOLVE in this command, then the FTD must have a reachable IP address or hostname.

• reg_key—Specifies a one-time registration key of your choice that you will also specify on the FMC when you register the FTD. The registration key must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).

• nat_id—Specifies a unique, one-time string of your choice that you will also specify on the FMC when you register the FTD when one side does not specify a reachable IP address or hostname. It is required if you set the FMC to DONTRESOLVE. The NAT ID must not exceed 37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID cannot be used for any other devices registering to the FMC.

  Note	If you use a data interface for management, then you must specify the NAT ID on both the FTD and FMC for registration.

If the FMC is behind a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:

If the FTD is behind a NAT device, enter a unique NAT ID along with the FMC IP address or hostname, for example:

configure network management-data-interface

You are then prompted to configure basic network settings for the data interface.

See the following details for using this command:

• The original Management interface cannot use DHCP if you want to use a data interface for management. If you did not set the IP address manually during initial setup, you can set it now using the configure network {ipv4 | ipv6} manual command. If you did not already set the Management interface gateway to data-interfaces, this command will set it now.

• FMC access from a data interface has the following limitations:

  • You can only enable FMC access on one physical, data interface. You cannot use a subinterface or EtherChannel.

  • This interface cannot be management-only.

  • Routed firewall mode only, using a routed interface.

  • High Availability is not supported. You must use the Management interface in this case.

  • PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the FTD and the WAN modem.

  • The interface must be in the global VRF only.

  • You cannot use separate management and event-only interfaces.

  • SSH is not enabled by default for data interfaces, so you will have to enable SSH later using FMC. Because the Management interface gateway will be changed to be the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command.

• When you add the FTD to the FMC, the FMC discovers and maintains the interface configuration, including the following settings: interface name and IP address, static route to the gateway, DNS servers, and DDNS server. For more information about the DNS server configuration, see below. In FMC, you can later make changes to the FMC access interface configuration, but make sure you don't make changes that can prevent the FTD or FMC from re-establishing the management connection. If the management connection is disrupted, the FTD includes the configure policy rollback command to restore the previous deployment.

• If you configure a DDNS server update URL, the FTD automatically adds certificates for all of the major CAs from the Cisco Trusted Root CA bundle so that the FTD can validate the DDNS server certificate for the HTTPS connection. The FTD supports any DDNS server that uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).

• This command sets the data interface DNS server. The Management DNS server that you set with the setup script (or using the configure network dns servers command) is used for management traffic. The data DNS server is used for DDNS (if configured) or for security policies applied to this interface.

  On the FMC, the data interface DNS servers are configured in the Platform Settings policy that you assign to this FTD. When you add the FTD to the FMC, the local setting is maintained, and the DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings policy to the FTD that includes a DNS configuration, then that configuration will overwrite the local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to bring the FMC and the FTD into sync.

  Also, local DNS servers are only retained by FMC if the DNS servers were discovered at initial registration. For example, if you registered the device using the Management interface, but then later configure a data interface using the configure network management-data-interface command, then you must manually configure all of these settings in FMC, including the DNS servers, to match the FTD configuration.

• You can change the management interface after you register the FTD to the FMC, to either the Management interface or another data interface.

• The FQDN that you set in the setup wizard will be used for this interface.

• You can clear the entire device configuration as part of the command; you might use this option in a recovery scenario, but we do not suggest you use it for initial setup or normal operation.

• To disable data managemement, enter the configure network management-data-interface disable command.

configure network management-data-interface client ip_address netmask

By default, all networks are allowed.

https://fmc_ip_address

When you bought your device from Cisco or a reseller, your licenses should have been linked to your Smart Software License account. However, if you need to add licenses yourself, use the Find Products and Solutions search field on the Cisco Commerce Workspace. Search for the following license PIDs:

• Threat, Malware, and URL license combination:

  • L-ASA5508T-TMC=

  • L-ASA5516T-TMC=

  When you add one of the above PIDs to your order, you can then choose a term-based subscription corresponding with one of the following PIDs:

  • L-ASA5508T-TMC-1Y

  • L-ASA5508T-TMC-3Y

  • L-ASA5508T-TMC-5Y

  • L-ASA5516T-TMC-1Y

  • L-ASA5516T-TMC-3Y

  • L-ASA5516T-TMC-5Y

• RA VPN—See the Cisco AnyConnect Ordering Guide.

Registering requires you to generate a registration token in the Smart Software Manager. See the FMC configuration guide for detailed instructions.

Set the following parameters:

• Host—Enter the IP address or hostname of the FTD you want to add. You can leave this field blank if you specified both the FMC IP address and a NAT ID in the FTD initial configuration.

• Display Name—Enter the name for the FTD as you want it to display in the FMC.

• Registration Key—Enter the same registration key that you specified in the FTD initial configuration.

• Domain—Assign the device to a leaf domain if you have a multidomain environment.

• Group—Assign it to a device group if you are using groups.

• Access Control Policy—Choose an initial policy. Unless you already have a customized policy you know you need to use, choose Create new policy, and choose Block all traffic. You can change this later to allow traffic; see Allow Traffic from Inside to Outside.

  

• Smart Licensing—Assign the Smart Licenses you need for the features you want to deploy: Malware (if you intend to use malware inspection), Threat (if you intend to use intrusion prevention), and URL (if you intend to implement category-based URL filtering). Note: You can apply an AnyConnect remote access VPN license after you add the device, from the System > Licenses > Smart Licenses page.

• Unique NAT ID—Specify the NAT ID that you specified in the FTD initial configuration.

• Transfer Packets—Allow the device to transfer packets to the FMC. When events like IPS or Snort are triggered with this option enabled, the device sends event metadata information and packet data to the FMC for inspection. If you disable it, only event information will be sent to the FMC, but packet data is not sent.

If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the FTD fails to register, check the following items:

• Ping—Access the FTD CLI, and ping the FMC IP address using the following command:

  ping system ip_address

  If the ping is not successful, check your network settings using the show network command. If you need to change the FTD Management IP address, use the configure network {ipv4 | ipv6} manual command. If you configured a data interface for FMC access, use the configure network management-data-interface command.

• Registration key, NAT ID, and FMC IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the FMC using the configure manager add command.

For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.

• 9600 baud

• 8 data bits

• No parity

• 1 stop bit

After logging in, for information on the commands available in the CLI, enter help or ? . For usage information, see the Cisco Firepower Threat Defense Command Reference.

shutdown

Alternatively, you can reboot the system by typing y at the prompt.