
Cisco Defense Orchestrator

Firepower Threat Defense Device Settings

Open an FTD Device's Device Settings

Use this procedure to configure settings on an FTD device:

  1. Open the Devices & Services page.
  2. Select the device whose settings you want to configure.
  3. In the Management pane at the right, click Settings.
  4. Click the System Settings tab.
  5. Edit any of these device settings:

Configure Management Access

By default, you can reach the device's management address from any IP address, and system access is protected by username and password only. You can, however, configure an access list that allows connections only from specific IP addresses or subnets, which provides another level of protection.

You can also open data interfaces to allow Firepower Device Manager or SSH connections to the CLI. You can then manage the device without using the management address. For example, you could allow management access to the outside interface, so that you can configure the device remotely. The username and password protect against unwanted connections. By default, HTTPS management access to data interfaces is enabled on the inside interface, but it's disabled on the outside interface. For device models that have a default “inside” bridge group, this means that you can make Firepower Device Manager connections through any data interface within the bridge group to the bridge group IP address (default is 192.168.1.1). You can open a management connection only on the interface through which you enter the device.

Caution: If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there's no entry for “any” address, you'll lose access to the system when you deploy the policy. Be mindful of this when configuring the access list.

  • To create rules for management interfaces:
    1. Click New Access in the Management Interface section.
      • Protocol. Select whether the rule is for HTTPS (port 443) or SSH (port 22).
      • Allowed Networks. Select the network object that defines the IPv4 or IPv6 network or host that should be able to access the system. To specify "any" address, select any-ipv4 (0.0.0.0/0) and any-ipv6 (::/0).
    2. Click Save.

  • To create rules for data interfaces:
    1. Click New Access in the Data Interface section.
      • Interface. Select the interface on which you want to allow management access.
      • Protocol. Select whether the rule is for HTTPS (port 443), SSH (port 22), or both. You cannot configure HTTPS rules for the outside interface if it's used in a remote access VPN connection profile.
      • Allowed Networks. Select the network object that defines the IPv4 or IPv6 network or host that should be able to access the system. To specify "any" address, select any-ipv4 (0.0.0.0/0) and any-ipv6 (::/0).
    2. Click Save.
    3. Deploy to FTD device.
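The caution above is easy to trip over: the access list only takes effect at deployment, so the address you are working from has to be checked against the rules before you deploy. The following added example (not code from Cisco Defense Orchestrator or from FTD) models the management-interface and data-interface rows as a constructed list and reports which protocols a given administrator address would lose; the `scope`, `interface` and `BOTH` keys are this example's own naming for the fields the GUI shows.

```python
import ipaddress

# Constructed sample access list (not exported from a real FTD device). Each entry
# mirrors one row created with "New Access": the protocol, the allowed-network
# object, and, for data-interface rules, the interface it applies to. Protocol
# "BOTH" stands for the data-interface option that covers HTTPS and SSH.
SAMPLE_RULES = [
    {"scope": "management", "protocol": "HTTPS", "network": "10.10.50.0/24"},
    {"scope": "management", "protocol": "SSH", "network": "10.10.50.7/32"},
    {"scope": "data", "interface": "outside", "protocol": "BOTH",
     "network": "2001:db8:1::/64"},
]


def rule_matches(rule, protocol, source_ip):
    """True if this access-list row admits `source_ip` for `protocol`."""
    if rule["protocol"] not in (protocol, "BOTH"):
        return False
    net = ipaddress.ip_network(rule["network"])
    src = ipaddress.ip_address(source_ip)
    # any-ipv4 (0.0.0.0/0) and any-ipv6 (::/0) each cover only their own family.
    return net.version == src.version and src in net


def access_allowed(rules, protocol, source_ip, scope, interface=None):
    """Check a connection the way the deployed list would: management-address
    rules ignore the interface; data-interface rules apply to one interface."""
    for rule in rules:
        if rule["scope"] != scope:
            continue
        if scope == "data" and rule.get("interface") != interface:
            continue
        if rule_matches(rule, protocol, source_ip):
            return True
    return False


def lockout_report(rules, admin_ip, scope="management", interface=None):
    """Pre-deployment check for the caution above: list the protocols the
    administrator at `admin_ip` would lose once this list is deployed.
    An empty list means the address stays reachable over HTTPS and SSH."""
    return [p for p in ("HTTPS", "SSH")
            if not access_allowed(rules, p, admin_ip, scope, interface)]
```

Run `lockout_report` with your own workstation address before clicking Deploy; any protocol it returns is one you would be locked out of.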

Associating IKEV policy objects to VPN Settings

You must manually associate newly created IKEV policy objects with the VPN settings before they can be deployed to the FTD device; the default objects are already present on the device.

  1. On the System Settings page, click VPN in the settings menu.
  2. Click the plus button to add the IKEV policy object.
  3. Click the IKEV policy object that you want from the drop-down and click Select.
  4. Click OK. The selected policy object is added to the list.
  5. Click Save.
  6. Return to the Devices & Services page and you should see that the configuration status of the device you made changes to is now "Not synced."
  7. Select the device and in the Not Synced pane at the right, click Preview and Deploy... 
    For more information, see Deploy Configuration Changes from Defense Orchestrator to FTD.

Configure Logging Settings

Diagnostic logging provides syslog messages for events that are not connection events. You configure connection logging within individual access control rules, security intelligence rules, and SSL decryption rules. The following procedure describes how to configure the logging of diagnostic messages.

  1. Open an FTD device's device settings.
  2. On the System Settings page, click Logging in the settings menu.
  3. Click the Diagnostic Log Settings slider to On.
  4. Turn the slider to On for each of the locations where you want to see diagnostic log messages, and select a minimum severity level. Enabling most of the following options also enables diagnostic log settings. You can log messages to the following locations:
  • Syslog Filter. These messages are sent to the external syslog server that you specify. Click the plus button to create or choose a New Syslog Server. Select the minimum level of event severity you want to log.
  • Console Filter. These messages appear when you log into the CLI on the console port. You can also see these logs in an SSH session to other interfaces (including the management address) by using the show console-output command. In addition, you can see these messages in real time in the diagnostic CLI; enter system support diagnostic-cli from the main CLI to open it.
  • File/Malware Log Settings. These messages are sent to the external syslog server that you specify. Note that the syslog setting for file/malware events is relevant only if you apply file or malware policies, which require the Threat and Malware licenses. If you subscribe to Cisco Security Analytics and Logging, you can create a syslog server analytics and logging
  • Intrusion Setting. These messages are sent to the external syslog server that you specify. Note that enabling this option does not automatically enable diagnostic log settings. If you subscribe to Cisco Security Analytics and Logging, you can create a syslog server analytics and logging

  5. Click Save.
  6. Deploy to FTD device.

Configure DHCP Servers

A Dynamic Host Configuration Protocol (DHCP) server provides network configuration parameters, such as IP addresses, to DHCP clients. You can configure a DHCP server on an interface to provide configuration parameters to DHCP clients on the attached network.

An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68. The DHCP server listens for messages on UDP port 67. The DHCP server does not support BOOTP requests.

DHCP clients must be on the same network as the interface on which the server is enabled. There cannot be an intervening router between the server and client, although there can be a switch.

Caution: Do not configure a DHCP server on a network that already has a DHCP server operating on it. The two servers will conflict with each other, and the results will be unpredictable.

  1. The section has two areas. Initially, the Configuration section shows the global parameters. The DHCP Servers area shows the interfaces on which you have configured a server, whether the server is enabled, and the address pool for the server.

  2. In the Configuration section, configure auto configuration and global settings.

    DHCP auto configuration enables the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client that's running on the specified interface. Typically, you would use auto configuration if you're obtaining an address using DHCP on the outside interface, but you could choose any interface that obtains its address through DHCP. If you cannot use auto configuration, you can manually define the required options.

    1. Click the Enable Auto Configuration slider to On if you want to use auto configuration, and in the From Interface pull-down, select the interface that's obtaining its address through DHCP.

    2. If you do not enable auto configuration, or if you want to override any of the automatically configured settings, configure the following global options. These settings are sent to DHCP clients on all interfaces that host a DHCP server.

      1. Primary WINS IP Address, Secondary WINS IP Address. The addresses of the Windows Internet Name Service (WINS) servers that clients should use for NetBIOS name resolution.

      2. Primary DNS IP Address, Secondary DNS IP Address. The addresses of the Domain Name System (DNS) servers that clients should use for domain name resolution. Click Apply Umbrella Settings if you want to populate the DNS IP address fields with Cisco Umbrella DNS servers. Clicking the button loads the appropriate IP addresses into the fields.
    3. Click Save.
  3. In the DHCP Servers section, either edit an existing server, or click New DHCP Server to add and configure a new server.

    1. Configure the server properties:
      1. Enable DHCP Server. Whether to enable the server. You can configure a server but keep it disabled until you are ready to use it.

      2. Interface. Select the interface on which you will provide DHCP addresses to clients. The interface must have a static IP address; you cannot be using DHCP to obtain the interface address if you want to run a DHCP server on the interface. For bridge groups, you configure the DHCP server on the Bridge Virtual Interface (BVI), not the member interfaces, and the server operates on all member interfaces. You cannot configure a DHCP server on the Diagnostic interface; configure it on the Management interface instead, on the Device > System Settings > Management Interface page.

      3. Address Pool. Enter a single IP address, or the range of IP addresses from lowest to highest, that the server is allowed to provide to clients that request an address. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself, the broadcast address, or the subnet network address. Specify the start and end address for the pool, separated by a hyphen. For example, 10.100.10.12-10.100.10.250.
    2. Click OK.
  4. Click Save.
  5. Deploy to FTD device.
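The Address Pool restrictions above are the kind of thing that is only reported at deployment time. The following added example (not code from Cisco Defense Orchestrator or FTD) checks a pool string in the page's "start-end" form, or a single address, against an interface given as address/prefix and returns every violated restriction at once; the interface CIDR notation is this example's own input convention.

```python
import ipaddress


def validate_dhcp_pool(pool, interface_cidr):
    """Validate an Address Pool entry ("start-end" or a single address) against
    the interface that will host the server, given as address/prefix
    (e.g. "10.100.10.1/24"). Returns a list of problems; an empty list means
    the pool satisfies every restriction listed above."""
    iface = ipaddress.ip_interface(interface_cidr)
    subnet = iface.network
    parts = [p.strip() for p in pool.split("-")]
    if len(parts) > 2 or not all(parts):
        return ["pool must be a single address or 'start-end'"]
    try:
        start = ipaddress.ip_address(parts[0])
        end = ipaddress.ip_address(parts[-1])  # single address: start == end
    except ValueError:
        return ["pool contains a malformed IP address"]
    if start.version != end.version or start.version != iface.version:
        return ["pool addresses and interface address must be the same IP version"]
    problems = []
    if start > end:
        problems.append(f"start {start} is higher than end {end}")
    # Both ends must fall inside the interface's subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in subnet:
            problems.append(f"{label} {addr} is not in {subnet}")
    # The pool may not hand out the interface address, the subnet network
    # address, or the broadcast address.
    reserved = (("interface address", iface.ip),
                ("network address", subnet.network_address),
                ("broadcast address", subnet.broadcast_address))
    for name, addr in reserved:
        if start <= addr <= end:
            problems.append(f"pool includes the {name} {addr}")
    return problems
```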

Configure DNS Server

A Domain Name System (DNS) server is used to resolve hostnames to IP addresses. DNS servers are used by the management interface.

  1. In Primary, Secondary, Tertiary DNS IP Address, enter the IP addresses of up to three DNS servers in order of preference. The primary DNS server is used unless it cannot be contacted, in which case the secondary is tried, and finally the tertiary. Click Apply Umbrella Settings if you want to populate the DNS IP address fields with Cisco Umbrella DNS servers. Clicking the button loads the appropriate IP addresses into the fields.

  2. In Domain Search Name, enter the domain name for your network; for example, example.com. This domain gets appended to hostnames that are not fully qualified; for example, serverA becomes serverA.example.com.

  3. Click Save.
  4. Deploy to FTD device.


Management Interface

The management interface is a virtual interface attached to the physical Management port. The physical port is named the Diagnostic interface, which you can configure on the Interfaces page with the other physical ports. On Firepower Threat Defense Virtual, this duality is maintained even though both interfaces are virtual.

The management interface has two uses:

  • You can open web and SSH connections to the IP address and configure the device through the interface.

  • The system obtains smart licensing and database updates through this IP address.

If you use the CLI setup wizard, you configure the management address and gateway for the device during initial system configuration. If you use the Firepower Device Manager setup wizard, the management address and gateway remain the defaults.

If necessary, you can change these addresses through Firepower Device Manager. You can also change the management address and gateway in the CLI using the configure network ipv4 manual and configure network ipv6 manual commands.

You can define static addresses, or obtain an address through DHCP if another device on the management network is acting as a DHCP server. By default, the management address is static, and a DHCP server runs on the port (except for Firepower Threat Defense Virtual, which does not have a DHCP server). Thus, you can plug a device directly into the management port and get a DHCP address for your workstation. This makes it easy to connect to and configure the device.

Caution: If you change the address to which you are currently connected, you will lose access to Firepower Device Manager (or the CLI) when you save the changes, as they are applied immediately. You will need to reconnect to the device. Ensure that the new address is valid and available on the management network.

  1. Configure the management IP address, network mask or IPv6 prefix, and gateway (if necessary) for IPv4, IPv6, or both. You must configure at least one set of properties. Leave one set blank to disable that addressing method.

  2. Select Type > DHCP to obtain the address and gateway through DHCP or IPv6 auto configuration. However, you cannot use DHCP if you are using the data interfaces as the gateway. In this case, you must use a static address.
  3. Click Save.
  4. Deploy to FTD device.


Hostname

You can change the device hostname.

  1. In the Firewall Hostname field, enter a new hostname for the device.
  2. Click Save.
  3. Deploy to FTD device.

Configure NTP Server

Configure Network Time Protocol (NTP) servers to set the time on the system.

  1. Select whether you want to use your own (manual) or Cisco's time servers.
    • New NTP Server. Enter the fully qualified domain name or IP address of the NTP server you want to use. For example, ntp1.example.com or 10.100.10.10.
    • Use Default. Select this option to use Cisco's time servers.
  2. Click Save.
  3. Deploy to FTD device.

Configure URL Filtering

The system obtains the URL category and reputation database from Cisco Collective Security Intelligence (CSI). These preferences control database updates and how the system handles URLs with unknown category or reputation. You must enable the URL Filtering license to set these preferences.

Caution: You can configure URL Filtering Preferences if you do not have a URL Filtering Smart License, but you need the smart license to deploy. You will be blocked from deploying until you add a URL Filtering Smart License. 

  1. Enable the applicable options:
    • Click the Enable Automatic Updates slider to On to automatically check for and download updated URL data, which includes category and reputation information. After you deploy, the FTD checks for updates every 30 minutes.
    • Click the Query Cisco CSI for Unknown URLs slider to On to check the Cisco CSI for updated information on URLs that do not have category and reputation data in the local URL filtering database.
    • URL Time to Live is only in effect if you enable the Query Cisco CSI for Unknown URLs option. This determines how long to cache the category and reputation lookup values for a given URL. When the time to live expires, the next attempted access of the URL results in a fresh category/reputation lookup. A shorter time results in more accurate URL filtering; a longer time results in better performance for unknown URLs. The default selection is Never.
  2. Click Save.
  3. Deploy to FTD device.