Management Center Virtual Initial Administration and Configuration

After you complete the initial setup process for the management center virtual and verify its success, we recommend that you complete various administrative tasks that make your deployment easier to manage. You should also complete any tasks you skipped during the initial setup, such as licensing. For detailed information on any of the tasks described in the following sections, as well as information on how you can begin to configure your deployment, see the complete Secure Firewall Management Center Configuration Guide for your version.

Individual User Accounts

After you complete the initial setup, the only web interface user on the system is the admin user, which has the Administrator role and access. Users with that role have full menu and configuration access to the system. We recommend that you limit the use of the admin account (and the Administrator role) for security and auditing reasons. In the management center virtual GUI, manage user accounts on the System > Users > User page.


Note


The admin account for shell access to the management center virtual and the admin account for web interface access are not the same account, and may use different passwords.


Creating a separate account for each person who uses the system allows your organization not only to audit actions and changes made by each user, but also to limit each person’s associated user access role or roles. This is especially important on the management center virtual, where you perform most of your configuration and analysis tasks. For example, an analyst needs access to event data to analyze the security of your network, but may not require access to administrative functions for the deployment.

The system includes ten predefined user roles designed for a variety of administrators and analysts using the web interface. You can also create custom user roles with specialized access privileges.

Device Registration

The management center can manage any device, physical or virtual, currently supported by the system:

  • Threat Defense—Provides a unified next-generation firewall and next-generation IPS device.

  • Threat Defense Virtual—A 64-bit virtual device that is designed to work in multiple hypervisor environments, reduce administrative overhead, and increase operational efficiency.

  • Cisco ASA with FirePOWER Services (or an ASA FirePOWER module)—Provides the first-line system policy and passes traffic to the system for discovery and access control. However, you cannot use the management center web interface to configure ASA FirePOWER interfaces. Cisco ASA with FirePOWER Services has a software and CLI unique to the ASA platform that you can use to install the system and to perform other platform-specific administrative tasks.

  • 7000 and 8000 Series appliances—Physical devices purpose-built for the system. 7000 and 8000 Series devices have a range of throughputs, but share most of the same capabilities. In general, 8000 Series devices are more powerful than 7000 Series devices; they also support additional features such as 8000 Series fastpath rules, link aggregation, and stacking. You must configure remote management on the device before you can register the device to the management center.

  • NGIPSv—A 64-bit virtual device deployed in the VMware vSphere environment. NGIPSv devices do not support any of the system’s hardware-based features such as redundancy and resource sharing, switching, and routing.

To register managed devices to the management center, use the Devices > Device Management page in the management center GUI; see the device management information in the Secure Firewall Management Center Configuration Guide for your version.

Health and System Policies

By default, all appliances have an initial system policy applied. The system policy governs settings that are likely to be similar for multiple appliances in a deployment, such as mail relay host preferences and time synchronization settings. We recommend that you use the management center to apply the same system policy to itself and all the devices it manages.

By default, the management center also has a health policy applied. A health policy, as part of the health monitoring feature, provides the criteria for the system to continuously monitor the performance of the appliances in your deployment. We recommend that you use the management center to apply a health policy to all the devices it manages.

Software and Database Updates

You should update the system software on your appliances before you begin any deployment. We recommend that all the appliances in your deployment run the most recent version of the system. If you are using them in your deployment, you should also install the latest intrusion rule updates, VDB, and GeoDB.


Caution


Before you update any part of the system, you must read the release notes or advisory text that accompanies the update. The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.


If your Management Center is running Versions 6.5+:

As part of configuration, the management center establishes the following activities to keep your system up to date and your data backed up:

  • Weekly automatic GeoDB updates

  • A weekly task to download the latest software for the management center and its managed devices


    Important


    This task only downloads software updates to the management center. It is your responsibility to install any updates this task downloads. See the Cisco Secure Firewall Management Center Upgrade Guide for more information.


  • A weekly task to perform a locally stored, configuration-only backup of the management center

If your Management Center is running Versions 6.6+, as a part of initial configuration the management center downloads and installs the latest vulnerability (VDB) update from the Cisco support site. This is a one-time operation.

You can observe the status of these activities using the web interface Message Center. If the system fails to configure any of these activities and your management center has internet access, we recommend you configure these activities yourself as described in the Secure Firewall Management Center Configuration Guide for your version.