Cisco Defense Orchestrator

Firepower Threat Defense Device Settings

Configure an FTD Device's Device Settings

Use this procedure to configure settings on a single FTD device:

  1. Open the Devices & Services page.
  2. Select the device whose settings you want to configure.
  3. In the Management pane at the right, click Settings.
  4. Click the System Settings tab.
  5. Edit any of these device settings:

Configure Management Access

By default, you can reach the device's management address from any IP address. System access is protected by username and password only. However, you can configure an access list to allow connections from specific IP addresses or subnets only to provide another level of protection.

You can also open data interfaces to allow Firepower Device Manager or SSH connections to the CLI. You can then manage the device without using the management address. For example, you could allow management access to the outside interface, so that you can configure the device remotely. The username and password protect against unwanted connections. By default, HTTPS management access to data interfaces is enabled on the inside interface, but it's disabled on the outside interface. For device models that have a default “inside” bridge group, this means that you can make Firepower Device Manager connections through any data interface within the bridge group to the bridge group IP address (default is 192.168.1.1). You can open a management connection only on the interface through which you enter the device.

Caution: If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there's no entry for “any” address, you'll lose access to the system when you deploy the policy. Be mindful of this when configuring the access list.

  • To create rules for management interfaces:
    1. Click New Access in the Management Interface section.
      • Protocol. Select whether the rule is for HTTPS (port 443) or SSH (port 22).
      • Allowed Networks. Select the network object that defines the IPv4 or IPv6 network or host that should be able to access the system. To specify "any" address, select any-ipv4 (0.0.0.0/0) and any-ipv6 (::/0).
    2. Click Save.

  • To create rules for data interfaces:
    1. Click New Access in the Data Interface section.
      • Interface. Select the interface on which you want to allow management access.
      • Protocol. Select whether the rule is for HTTPS (port 443), SSH (port 22), or both. You cannot configure HTTPS rules for the outside interface if it's used in a remote access VPN connection profile.
      • Allowed Networks. Select the network object that defines the IPv4 or IPv6 network or host that should be able to access the system. To specify "any" address, select any-ipv4 (0.0.0.0/0) and any-ipv6 (::/0).
    2. Click Save.
    3. Deploy to FTD device.
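The Caution above describes the lockout case: the deployed access list no longer covers the address you are connecting from and has no "any" entry. The following pre-deployment check is an added example, not CDO or Cisco code. It models a rule as a (protocol, network object name) pair as entered in the sections above; the object names any-ipv4 and any-ipv6 are from the page, the other object names and all addresses are hypothetical, and it assumes the rule list given to it fully describes what will be deployed for that protocol.

```python
import ipaddress

# Network objects as they might be defined on the device. any-ipv4 and
# any-ipv6 are the page's "any" objects; the other two are hypothetical.
NETWORK_OBJECTS = {
    "any-ipv4": "0.0.0.0/0",
    "any-ipv6": "::/0",
    "corp-admin-net": "10.20.0.0/24",   # hypothetical admin subnet
    "noc-host": "192.0.2.10/32",        # hypothetical single NOC host
}


def allowed_networks(rules, protocol):
    """Return the ip_network objects that the rules permit for one protocol."""
    nets = []
    for rule_protocol, obj_name in rules:
        if rule_protocol == protocol:
            nets.append(ipaddress.ip_network(NETWORK_OBJECTS[obj_name]))
    return nets


def retains_access(rules, protocol, operator_ip):
    """True if operator_ip is covered by at least one rule for protocol.

    An address of the other IP family never matches, so an any-ipv6 rule
    alone does not keep an IPv4 operator connected.
    """
    ip = ipaddress.ip_address(operator_ip)
    return any(ip.version == net.version and ip in net
               for net in allowed_networks(rules, protocol))


def precheck(rules, operator_ip):
    """Report, per protocol, whether the operator would still be allowed.

    A False for the protocol you are currently using is exactly the lockout
    the Caution warns about: fix the rule list before deploying.
    """
    return {p: retains_access(rules, p, operator_ip) for p in ("HTTPS", "SSH")}


if __name__ == "__main__":
    # Safe: the operator's /24 is explicitly allowed for HTTPS.
    print(precheck([("HTTPS", "corp-admin-net"), ("SSH", "noc-host")], "10.20.0.15"))
    # Lockout: only one host is allowed for HTTPS and the operator is elsewhere.
    print(precheck([("HTTPS", "noc-host")], "10.20.0.15"))
```

Run it with the rule set you are about to save and your own source address; if the protocol you are connected over comes back False, add a rule that covers your address (or the any-ipv4/any-ipv6 object) before you deploy.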

Configure Logging Settings

This procedure describes how to enable logging of diagnostic (data) messages, file and malware events, intrusion events, and console events. Connection events are not logged as a result of these settings. Connection events are logged if connection logging is configured on access rules, security intelligence policies, or SSL decryption rules.

  1. Open an FTD device's settings.
  2. On the System Settings page, click Logging in the settings menu.
  3. Data Logging. Slide the Data Logging slider to On to capture diagnostic logging syslog messages. Click the plus button to specify the syslog server object that represents the syslog server that you want to send the events to. (You can also create a syslog server object at this point.) Additionally, select the minimum level of event severity you want to log.

    This will send data logging events for any type of syslog message, with your minimum chosen severity level, to the syslog server.

    Note: CDO doesn't currently support creating a Custom Logging Filter for Data Logging. For finer control of which messages you send to the syslog server, we recommend you define this setting in FDM. To do so, log on to FDM and navigate to System Settings > Logging Settings.

    Tip: Do not enable data logging if you are a Cisco Security Analytics and Logging customer unless you forward the data logging events to a syslog server other than the Secure Event Connector. Data events (diagnostic events) are not traffic events. Sending the data events to a different syslog server removes the burden on the SEC of analyzing and filtering them out.

  4. File/Malware Log Settings. Slide the slider to On to capture File events and Malware events. Specify the syslog server object that represents the syslog server that you want to send the events to. You can also create a syslog server object at this point if you have not already.

    File and malware events are generated at the same severity level. The minimum level of event severity you select will be assigned to all file and malware events.

    File and malware events are reported when a file or malware policy in any access control rule has been triggered. This is not the same as a connection event. Note that the syslog settings for file and malware events are relevant only if you apply file or malware policies, which require the Threat and Malware licenses.

    For Cisco Security Analytics and Logging subscribers:

      • If you send events to the Cisco cloud through a Secure Event Connector (SEC), specify the SEC as your syslog server. You will then be able to see these events alongside file policy and malware policy connection events.
      • If you send events directly to the Cisco cloud without an SEC, you do not need to enable this setting. File and malware events are sent if the access control rule is configured to send connection events.

  5. Intrusion Logging. Send intrusion events to a syslog server by specifying the syslog server object that represents the syslog server you want to send events to. You can also create a syslog server object at this point if you have not already.

    Intrusion events are reported when an intrusion policy in any access control rule has been triggered. This is not the same as a connection event. Note that the syslog settings for intrusion events are relevant only if you apply intrusion policies, which require the Threat license.

    For Cisco Security Analytics and Logging subscribers:

      • If you send events to the Cisco cloud through a Secure Event Connector (SEC), specify the SEC as your syslog server. You will then be able to see these events alongside file policy and malware policy connection events.
      • If you send events directly to the Cisco cloud without an SEC, you do not need to enable this setting. Intrusion events are sent to the Cisco cloud if the access control rule is configured to send connection events.

  6. Console Filter. Slide the slider to On to send data logging (diagnostic logging) events to a console rather than to a syslog server. Additionally, select the minimum level of event severity you want to log. This will send a data logging event for any type of syslog message, with your chosen severity level.

    You will see these messages when you log into the CLI on the console port of your FTD. You can also see these logs in an SSH session to other FTD interfaces (including the management interface) by using the show console-output command. In addition, you can see these messages in real time in the diagnostic CLI by entering system support diagnostic-cli from the main CLI.

  7. Click Save.
  8. Deploy your changes to the FTD device.

Message Severity Levels

The following table lists the syslog message severity levels.

 

Level Number   Severity Level   Description
0              emergencies      System is unusable.
1              alert            Immediate action is needed.
2              critical         Critical conditions.
3              error            Error conditions.
4              warning          Warning conditions.
5              notification     Normal but significant conditions.
6              informational    Informational messages only.
7              debugging        Debugging messages only.

Note: Firepower Threat Defense does not generate syslog messages with a severity level of zero (emergencies).
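The "minimum level of event severity" chosen in the logging steps above is a cutoff on the level number in this table: lower numbers are more severe, so choosing warning keeps levels 0 through 4. The following filter is an added example, not Cisco code; it assumes the common %FTD-level-id: text header layout for data logging messages, and the sample lines (message ids, addresses and text) are constructed for illustration rather than taken from the page.

```python
import re

# Severity table from the page: level number -> severity name.
SEVERITY = {
    0: "emergencies", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}
SEVERITY_NUMBER = {name: num for num, name in SEVERITY.items()}

# Assumed header shape: %FTD-<level>-<message-id>: <text>
HEADER = re.compile(r"^%FTD-(?P<level>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$")

# Constructed sample log (not from the page); one non-syslog line is
# included to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
%FTD-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.1.1.20/51234
%FTD-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.20/22 by access-group "outside_access"
%FTD-7-710005: UDP request discarded from 10.1.1.9/137 to inside:10.1.1.255/137
%FTD-3-313001: Denied ICMP type=8, code=0 from 198.51.100.8 on interface outside
%FTD-1-105005: (Primary) Lost Failover communications with mate on interface outside
not a syslog line
"""


def parse(line):
    """Parse one message header; return None for lines that do not match."""
    m = HEADER.match(line)
    if not m:
        return None
    level = int(m["level"])
    return {"level": level, "severity": SEVERITY[level],
            "msgid": m["msgid"], "text": m["text"]}


def filter_min_severity(log_text, minimum):
    """Return parsed messages at or above the given minimum severity name.

    "At or above warning" means level <= 4, matching what the device sends
    to a syslog server when warning is selected as the minimum level.
    """
    cutoff = SEVERITY_NUMBER[minimum]
    kept = []
    for line in log_text.splitlines():
        msg = parse(line)
        if msg is not None and msg["level"] <= cutoff:
            kept.append(msg)
    return kept


def msgids_at_or_above(log_text, minimum):
    """Convenience view: just the message ids that pass the cutoff."""
    return [m["msgid"] for m in filter_min_severity(log_text, minimum)]


if __name__ == "__main__":
    for minimum in ("error", "warning", "informational", "debugging"):
        print(minimum, msgids_at_or_above(SAMPLE_LOG, minimum))
```

Because FTD never emits level 0, selecting emergencies as the minimum level suppresses everything; the test below checks that edge as well.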

Configure DHCP Servers

A Dynamic Host Configuration Protocol (DHCP) server provides network configuration parameters, such as IP addresses, to DHCP clients. You can configure a DHCP server on an interface to provide configuration parameters to DHCP clients on the attached network.

An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68. The DHCP server listens for messages on UDP port 67. The DHCP server does not support BOOTP requests.

DHCP clients must be on the same network as the interface on which the server is enabled. There cannot be an intervening router between the server and client, although there can be a switch.

Caution: Do not configure a DHCP server on a network that already has a DHCP server operating on it. The two servers will conflict with each other, and the results will be unpredictable.

  1. The section has two areas. Initially, the Configuration section shows the global parameters. The DHCP Servers area shows the interfaces on which you have configured a server, whether the server is enabled, and the address pool for the server.

  2. In the Configuration section, configure auto configuration and global settings.

    DHCP auto configuration enables the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client that's running on the specified interface. Typically, you would use auto configuration if you're obtaining an address using DHCP on the outside interface, but you could choose any interface that obtains its address through DHCP. If you cannot use auto configuration, you can manually define the required options.

    1. Click the Enable Auto Configuration slider to On if you want to use auto configuration, and in the From Interface pull-down, select the interface that's obtaining its address through DHCP.

    2. If you do not enable auto configuration, or if you want to override any of the automatically configured settings, configure the following global options. These settings are sent to DHCP clients on all interfaces that host DHCP server.

      1. Primary WINS IP Address, Secondary WINS IP Address. The addresses of the Windows Internet Name Service (WINS) servers that clients should use for NetBIOS name resolution.

      2. Primary DNS IP Address, Secondary DNS IP Address. The addresses of the Domain Name System (DNS) servers that clients should use for domain name resolution. Click Apply Umbrella Settings if you want to populate the DNS IP address fields with Cisco Umbrella DNS servers. Clicking the button loads the appropriate IP addresses into the fields.
    3. Click Save.
  3. In the DHCP Servers section, either edit an existing server, or click New DHCP Server to add and configure a new server.

    1. Configure the server properties:
      1. Enable DHCP Server. Whether to enable the server. You can configure a server but keep it disabled until you are ready to use it.

      2. Interface. Select the interface on which you will provide DHCP addresses to clients. The interface must have a static IP address; you cannot be using DHCP to obtain the interface address if you want to run a DHCP server on the interface. For bridge groups, you configure the DHCP server on the Bridge Virtual Interface (BVI), not the member interfaces, and the server operates on all member interfaces. You cannot configure a DHCP server on the Diagnostic interface; configure it on the Management interface instead, on the Device > System Settings > Management Interface page.

      3. Address Pool. Enter a single IP address or a range of IP addresses that the server is allowed to provide to clients that request an address. The range must be on the same subnet as the selected interface and cannot include the IP address of the interface itself, the broadcast address, or the subnet network address. Specify the start and end address for the pool, from lowest to highest, separated by a hyphen; for example, 10.100.10.12-10.100.10.250.
    2. Click OK.
  4. Click Save.
  5. Deploy to FTD device.
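The Address Pool rules in step 3 (same subnet as the interface, lowest-to-highest order, and no interface, network or broadcast address inside the range) can be checked before you click Save. The validator below is an added example, not CDO or Cisco code; it assumes the interface is given as address/prefix (for example 10.100.10.1/24) and the pool as either a single address or the hyphenated start-end form the page shows. It goes slightly beyond the page in also accepting IPv6 interfaces, since the same rules apply there.

```python
import ipaddress


def validate_dhcp_pool(interface_cidr, pool):
    """Check a DHCP address pool against the interface it will be served on.

    interface_cidr: the interface's static address and prefix, e.g. "10.100.10.1/24"
    pool: "start-end" (e.g. "10.100.10.12-10.100.10.250") or a single address
    Returns a list of problem descriptions; an empty list means the pool is
    acceptable under the rules in the Address Pool step.
    """
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network

    # Accept "start-end" or a single address (treated as a one-address range).
    parts = [p.strip() for p in pool.split("-")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2:
        return ["pool must be a single address or 'start-end'"]
    try:
        start, end = (ipaddress.ip_address(p) for p in parts)
    except ValueError:
        return ["pool must contain valid IP addresses"]

    if start.version != net.version or end.version != net.version:
        return ["pool addresses must match the interface address family"]
    if start > end:
        problems.append("start address is higher than end address")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"{label} address {addr} is not in {net}")
    if problems:
        return problems  # ordering/subnet errors make the reserved check meaningless

    # Addresses the page says the range must never include.
    reserved = {
        "interface address": iface.ip,
        "network address": net.network_address,
        "broadcast address": net.broadcast_address,
    }
    for label, addr in reserved.items():
        if start <= addr <= end:
            problems.append(f"pool includes the {label} {addr}")
    return problems


if __name__ == "__main__":
    # The page's own example pool on a hypothetical interface address.
    print(validate_dhcp_pool("10.100.10.1/24", "10.100.10.12-10.100.10.250"))
    # Common mistakes: starting at the interface address, ending at broadcast.
    print(validate_dhcp_pool("10.100.10.1/24", "10.100.10.1-10.100.10.50"))
    print(validate_dhcp_pool("10.100.10.1/24", "10.100.10.200-10.100.10.255"))
```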

Configure DNS Server

A Domain Name System (DNS) server is used to resolve hostnames to IP addresses. DNS servers are used by the management interface.

  1. In Primary, Secondary, Tertiary DNS IP Address, enter the IP addresses of up to three DNS servers in order of preference. The primary DNS server is used unless it cannot be contacted, in which case the secondary is tried, and finally the tertiary. Click Apply Umbrella Settings if you want to populate the DNS IP address fields with Cisco Umbrella DNS servers. Clicking the button loads the appropriate IP addresses into the fields.

  2. In Domain Search Name, enter the domain name for your network; for example, example.com. This domain gets appended to hostnames that are not fully qualified; for example, serverA becomes serverA.example.com.

  3. Click Save.
  4. Deploy to FTD device.

Management Interface

The management interface is a virtual interface attached to the physical Management port. The physical port is named the Diagnostic interface, which you can configure on the Interfaces page with the other physical ports. On Firepower Threat Defense Virtual, this duality is maintained even though both interfaces are virtual.

The management interface has two uses:

  • You can open web and SSH connections to the IP address and configure the device through the interface.

  • The system obtains smart licensing and database updates through this IP address.

If you use the CLI setup wizard, you configure the management address and gateway for the device during initial system configuration. If you use the Firepower Device Manager setup wizard, the management address and gateway remain the defaults.

If necessary, you can change these addresses through Firepower Device Manager. You can also change the management address and gateway in the CLI using the configure network ipv4 manual and configure network ipv6 manual commands.

You can define static addresses, or obtain an address through DHCP if another device on the management network is acting as a DHCP server. By default, the management address is static, and a DHCP server runs on the port (except for Firepower Threat Defense Virtual, which does not have a DHCP server). Thus, you can plug a device directly into the management port and get a DHCP address for your workstation. This makes it easy to connect to and configure the device.

Caution: If you change the address to which you are currently connected, you will lose access to Firepower Device Manager (or the CLI) when you save the changes, as they are applied immediately. You will need to reconnect to the device. Ensure that the new address is valid and available on the management network.

  1. Configure the management IP address, network mask or IPv6 prefix, and gateway (if necessary) for IPv4, IPv6, or both. You must configure at least one set of properties. Leave one set blank to disable that addressing method.

  2. Select Type > DHCP to obtain the address and gateway through DHCP or IPv6 auto configuration. However, you cannot use DHCP if you are using the data interfaces as the gateway. In this case, you must use a static address.
  3. Click Save.
  4. Deploy to FTD device.

Hostname

You can change the device hostname.

  1. In the Firewall Hostname field, enter a new hostname for the device.
  2. Click Save.
  3. Deploy to FTD device.

Configure NTP Server

Configure Network Time Protocol (NTP) servers to set the time on the system.

  1. Select whether you want to use your own (manual) or Cisco's time servers.
    • New NTP Server. Enter the fully qualified domain name or IP address of the NTP server you want to use. For example, ntp1.example.com or 10.100.10.10.
    • Use Default.
  2. Click Save.
  3. Deploy to FTD device.

Configure URL Filtering

The system obtains the URL category and reputation database from Cisco Collective Security Intelligence (CSI). These preferences control database updates and how the system handles URLs with unknown category or reputation. You must enable the URL Filtering license to set these preferences.

Caution: You can configure URL Filtering Preferences if you do not have a URL Filtering Smart License, but you need the smart license to deploy. You will be blocked from deploying until you add a URL Filtering Smart License. 

  1. Enable the applicable options:
    • Click the Enable Automatic Updates slider to On to automatically check for and download updated URL data, which includes category and reputation information. After you deploy, the FTD checks for updates every 30 minutes.
    • Click the Query Cisco CSI for Unknown URLs slider to On to check the Cisco CSI for updated information on URLs that do not have category and reputation data in the local URL filtering database.
    • URL Time to Live is only in effect if you enable the Query Cisco CSI for Unknown URLs option. This determines how long to cache the category and reputation lookup values for a given URL. When the time to live expires, the next attempted access of the URL results in a fresh category/reputation lookup. A shorter time results in more accurate URL filtering; a longer time results in better performance for unknown URLs. The default selection is Never.
  2. Click Save.
  3. Deploy to FTD device.
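The URL Time to Live option above trades lookup freshness against the cost of repeated cloud queries. The cache model below is an added example, not Cisco's implementation or CDO code: it assumes a lookup function returning (category, reputation), uses an injectable clock so expiry can be exercised without waiting, and represents the Never setting as ttl_seconds=None. The backend table and the URL in it are constructed stand-ins.

```python
import time


class UrlCategoryCache:
    """Cache of URL category/reputation lookups with a time to live.

    ttl_seconds=None models the page's "Never" setting: an entry is fetched
    once and reused forever. With a finite TTL, the first access after the
    entry is older than ttl_seconds triggers a fresh lookup.
    """

    def __init__(self, lookup, ttl_seconds=None, clock=time.monotonic):
        self._lookup = lookup      # url -> (category, reputation), e.g. a cloud query
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}         # url -> (stored_at, result)
        self.lookups = 0           # number of fresh queries actually made

    def get(self, url):
        now = self._clock()
        hit = self._entries.get(url)
        if hit is not None:
            stored_at, result = hit
            if self._ttl is None or now - stored_at < self._ttl:
                return result      # still within its time to live
        result = self._lookup(url) # expired or unknown: fresh lookup
        self.lookups += 1
        self._entries[url] = (now, result)
        return result


# Constructed stand-in for the remote category/reputation source.
_BACKEND = {"example.test": ("Shopping", "Benign")}


def fake_lookup(url):
    return _BACKEND.get(url, ("Uncategorized", "Unknown"))


def simulate(ttl_seconds, access_times, url="example.test"):
    """Access url at the given simulated times; return how many fresh lookups occurred."""
    sim = {"now": 0.0}
    cache = UrlCategoryCache(fake_lookup, ttl_seconds, clock=lambda: sim["now"])
    for at in access_times:
        sim["now"] = float(at)
        cache.get(url)
    return cache.lookups


if __name__ == "__main__":
    print("Never:", simulate(None, [0, 100, 10000]))          # one lookup, ever
    print("60s TTL:", simulate(60, [0, 30, 59, 61, 200]))     # re-fetched twice
    print("1h TTL:", simulate(3600, [0, 1800, 3599]))          # still one lookup
```

The lookup count is what the performance remark in the text is about; accuracy is the flip side, since with Never a URL whose reputation changes at the source keeps its first cached verdict until the cache is cleared.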