Firepower Management Center Virtual Initial Administration and Configuration

After you complete the initial setup process for a Firepower Management Center Virtual (FMCv) and verify its success, we recommend that you complete various administrative tasks that make your deployment easier to manage. You should also complete any tasks you skipped during the initial setup, such as licensing. For detailed information on any of the tasks described in the following sections, as well as information on how you can begin to configure your deployment, see the complete Firepower Management Center Configuration Guide for your version.

Individual User Accounts

After you complete the initial setup, the only web interface user on the system is the admin user, which has the Administrator role and access. Users with that role have full menu and configuration access to the system. We recommend that you limit the use of the admin account (and the Administrator role) for security and auditing reasons. In the FMC GUI, manage user accounts on the System > Users > User page.


Note

The admin accounts for accessing an FMC using the shell and for accessing an FMC using the web interface are not the same, and may use different passwords.


Creating a separate account for each person who uses the system allows your organization not only to audit actions and changes made by each user, but also to limit each person’s associated user access role or roles. This is especially important on the FMC, where you perform most of your configuration and analysis tasks. For example, an analyst needs access to event data to analyze the security of your network, but may not require access to administrative functions for the deployment.

The system includes ten predefined user roles designed for a variety of administrators and analysts using the web interface. You can also create custom user roles with specialized access privileges.

Device Registration

An FMC can manage any device, physical or virtual, currently supported by the Firepower system:

  • Firepower Threat Defense—Provides a unified next-generation firewall and next-generation IPS device.

  • Firepower Threat Defense Virtual—A 64-bit virtual device that is designed to work in multiple hypervisor environments, reduce administrative overhead, and increase operational efficiency.

  • Cisco ASA with FirePOWER Services (or an ASA FirePOWER module)—Provides the first-line system policy and passes traffic to the Firepower system for discovery and access control. However, you cannot use the FMC web interface to configure ASA FirePOWER interfaces. Cisco ASA with FirePOWER Services has a software and CLI unique to the ASA platform that you can use to install the system and to perform other platform-specific administrative tasks.

  • 7000 and 8000 Series appliances—Physical devices purpose-built for the Firepower system. 7000 and 8000 Series devices have a range of throughputs, but share most of the same capabilities. In general, 8000 Series devices are more powerful than 7000 Series devices; they also support additional features such as 8000 Series fastpath rules, link aggregation, and stacking. You must configure remote management on the device before you can register the device to an FMC.

  • NGIPSv—A 64-bit virtual device deployed in the VMware vSphere environment. NGIPSv devices do not support any of the system’s hardware-based features such as redundancy and resource sharing, switching, and routing.

To register managed devices to an FMC, use the Devices > Device Management page in the FMC GUI; see the device management information in the Firepower Management Center Configuration Guide for your version.

Health and System Policies

By default, all appliances have an initial system policy applied. The system policy governs settings that are likely to be similar for multiple appliances in a deployment, such as mail relay host preferences and time synchronization settings. We recommend that you use the FMC to apply the same system policy to itself and all the devices it manages.

By default, the FMC also has a health policy applied. A health policy, as part of the health monitoring feature, provides the criteria for the system to continuously monitor the performance of the appliances in your deployment. We recommend that you use the FMC to apply a health policy to all the devices it manages.

Software and Database Updates

You should update the system software on your appliances before you begin any deployment. We recommend that all the appliances in your deployment run the most recent version of the Firepower system. If you are using them in your deployment, you should also install the latest intrusion rule updates, VDB, and GeoDB.


Caution

Before you update any part of the Firepower system, you must read the release notes or advisory text that accompanies the update. The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.


If your FMC is running Firepower Versions 6.5+:

As a part of configuration, the FMC establishes the following activities to keep your system up-to-date and your data backed up:

  • Weekly automatic GeoDB updates

  • A weekly task to download the latest software for the FMC and its managed devices


    Important

    This task only downloads software updates to the FMC. It is your responsibility to install any updates this task downloads. See the Cisco Firepower Management Center Upgrade Guide for more information.


  • A weekly task to perform a locally-stored configuration-only FMC backup

If your FMC is running Firepower Versions 6.6+, as a part of initial configuration, the FMC downloads and installs the latest vulnerability (VDB) update from the Cisco support site. This is a one-time operation.

You can observe the status of these activities using the web interface Message Center. If the system fails to configure any of these activities and your FMC has internet access, we recommend you configure these activities yourself as described in the Firepower Management Center Configuration Guide for your version.