
Cisco Defense Orchestrator

Managing FMC with Cisco Defense Orchestrator

About Firepower Management Centers

Note: FMC support is limited to onboarding, viewing its managed devices, viewing objects associated with the FMC, and cross-launching to the FMC UI for FMCs running Version 6.4 or later. Additional FMC features will be supported soon. For functionality that may not be supported by CDO at this time, you must use the FMC console. See the Firepower Management Center Configuration Guide of the version your system is running.

The Firepower Management Center (FMC) is a centralized management console with graphical user interface that you can use to perform administrative, management, analysis, and reporting tasks. It is a management console that is comparable, but not identical, to ASDM and FDM. For a list of FMC devices and software versions that CDO supports, see Software and Hardware support by CDO.

Version Support

CDO supports FMCs running Version 6.4 and later. An FMC can manage devices running older software, usually a few major versions back; for example, a Version 6.6.0 FMC can manage a Version 6.4.0 device. If an FMC manages a device running a version earlier than 6.4, the device may be displayed on the Devices & Services page, but CDO cannot deploy to it or modify its policies. You must make changes and deploy from the FMC UI.

Note: If a managed device is disabled or unreachable, CDO may still display the device on the Devices & Services page, but cannot successfully send requests to it or view its device information.

How Does CDO Communicate with an FMC?

CDO acts as a REST API client that sends requests to the FMC, and the FMC then uses its designated client to channel those requests to its managed devices. Because the FMC does not allow simultaneous logins with the same credentials, we recommend creating a user on the FMC dedicated to CDO communication with administrator-level permissions; a dedicated account also keeps CDO's API activity separate from the interactive logins of human administrators. This user must be replicated on CDO, as either a CDO-provided Administrator or a custom user role with system and devices permissions. Without an administrator login, CDO cannot use REST API calls to modify or create policies, rules, or objects.
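To make the client relationship concrete, the following is an added example and not CDO's or Cisco's code: a minimal FMC REST API client written against the Cisco-documented FMC platform API (a Basic-authenticated token request, then token-authenticated calls), plus a version gate that sorts the FMC's registered devices into those CDO can act on and those it can only display, mirroring the 6.4 minimum described under Version Support above. The host name `fmc.example.com`, the user `cdo-api`, the `sw_version` field name of a devicerecords item and the sample payload are assumptions or constructed data, not values from this page; verify field names against your FMC's API Explorer.

```python
"""Sketch of an FMC REST API client of the kind an orchestrator such as CDO
uses, together with a version gate mirroring CDO's 6.4 minimum for managed
devices.

Added example, not CDO or Cisco code. It assumes the Cisco-documented FMC
platform API paths (generatetoken, devicerecords) and the `sw_version` field
of a devicerecords item; SAMPLE_DEVICERECORDS is constructed, not captured
from a real FMC.
"""
import base64
import json
import ssl
import urllib.request

# Managed devices below this version show up in CDO but cannot be deployed to
# or have policy edited from CDO (see "Version Support").
MIN_CDO_MANAGED_VERSION = (6, 4)


def parse_version(text):
    """Turn '6.4.0.9' into (6, 4, 0, 9); a non-numeric component becomes 0."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify_devices(devicerecords, minimum=MIN_CDO_MANAGED_VERSION):
    """Split a devicerecords payload into (manageable, display_only) name lists."""
    manageable, display_only = [], []
    for item in devicerecords.get("items", []):
        version = parse_version(item.get("sw_version", "0"))
        (manageable if version >= minimum else display_only).append(item["name"])
    return manageable, display_only


class FmcSession:
    """Token-based session against one FMC, using a dedicated API user.

    The FMC issues an access token in response to HTTP Basic credentials; the
    token, not the password, goes on every later request. TLS verification is
    left on: add the FMC's certificate to the trust store rather than
    disabling checks.
    """

    def __init__(self, host, username, password):
        self.base = f"https://{host}"
        self.token = None
        self.domain_uuid = None
        self._basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._ctx = ssl.create_default_context()

    def login(self):
        req = urllib.request.Request(
            self.base + "/api/fmc_platform/v1/auth/generatetoken",
            method="POST",
            headers={"Authorization": "Basic " + self._basic},
        )
        with urllib.request.urlopen(req, context=self._ctx) as resp:
            self.token = resp.headers["X-auth-access-token"]
            self.domain_uuid = resp.headers["DOMAIN_UUID"]
        return self.token is not None

    def get(self, path):
        if self.token is None:
            raise RuntimeError("call login() first")
        req = urllib.request.Request(
            self.base + path, headers={"X-auth-access-token": self.token}
        )
        with urllib.request.urlopen(req, context=self._ctx) as resp:
            return json.load(resp)

    def devicerecords(self):
        """List registered devices; expanded=true includes sw_version per item."""
        return self.get(
            f"/api/fmc_config/v1/domain/{self.domain_uuid}"
            "/devices/devicerecords?expanded=true"
        )


# Constructed sample of the fields classify_devices() consumes (not real FMC output).
SAMPLE_DEVICERECORDS = {
    "items": [
        {"name": "ftd-branch-1", "type": "Device", "sw_version": "6.6.0"},
        {"name": "ftd-branch-2", "type": "Device", "sw_version": "6.4.0.9"},
        {"name": "ftd-legacy", "type": "Device", "sw_version": "6.2.3"},
    ]
}


if __name__ == "__main__":
    # Online use: FmcSession("fmc.example.com", "cdo-api", "...").login() and
    # then .devicerecords(); offline, classify the constructed sample instead.
    ok, fmc_only = classify_devices(SAMPLE_DEVICERECORDS)
    print("manageable from CDO:", ok)
    print("displayed only, change from FMC UI:", fmc_only)
```

The password is used exactly once, to obtain the token; everything after that carries only the token header, which is the shape a dedicated, administrator-level API account should take so that its activity never mixes with a human administrator's browser session.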

Onboard or Remove an FMC

You can onboard or remove an FMC at any time. The FMC and its registered devices must be running at least Version 6.4 to be read by CDO. To onboard an FMC and its registered devices, see Onboard an FMC for more information.
Once an FMC is onboarded, selecting the FMC or an FMC-managed device from the Devices & Services page automatically cross-launches the web UI of that FMC in a new browser tab. Removing an FMC from your CDO tenant also removes the devices registered to that FMC. See Remove an FMC from CDO for more information.

If an FMC experiences an "Invalid Credentials" status after onboarding, you can reconnect the appliance. See Troubleshoot Invalid Credentials for more information.

Note: FMCs running Firepower 6.6 do not support the reconnect feature. If you have to reconnect the appliance, we recommend removing the FMC and re-onboarding the appliance.

FMC High Availability Pairs

CDO does not support high availability (HA) functionality for FMC appliances. If a pair of FMC appliances is configured for HA, the pair is listed as two individual appliances on the Devices & Services page.

Devices Managed by an FMC

Once you onboard an FMC to CDO, all of the devices registered to that FMC are also read into CDO. From the Devices & Services page, you can see device information such as name, IP address, type of device, software version, and state. If you select a device that is currently managed by an FMC, CDO automatically opens the console of the FMC that manages that device.

Use the filter icon to further organize the Devices & Services page. From here you can choose to view all onboarded FMCs, the devices managed by an FMC, or the other supported device types.

Objects

When you onboard an FMC to CDO, CDO imports the objects from the FMC-managed FTD devices. Once imported to CDO, the objects are read-only. Though the FMC objects are read-only, CDO allows you to apply a copy of an object to other devices on your tenant that are not managed by the FMC. The copy is disassociated from the original object, so you can edit the copy without changing the value of the object that was imported from the FMC. FMC objects can be used on any device you manage that supports that object type. See FMC Objects for more information.

CDO supports the following FMC object types:

  • Network Objects
  • Network-Group Objects
  • Service/Port Objects
  • URL/URL Groups Objects

Object Issues

CDO does not identify duplicate, inconsistent, or unused objects on an FMC. You will not be able to filter objects based on these issue states.  

Eventing

Searching and filtering the Historical and Live event tables for specific events works the same way as searching and filtering for other information in CDO. See Searching for and Filtering Events in the Event Logging Page for more information.

Cisco Security Analytics and Logging 

Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices and view them in one place in Cisco Defense Orchestrator (CDO).

The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Firewall Analytics and Monitoring package, the system can apply Stealthwatch Cloud dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud (SWC) portal provisioned for you, using Cisco Single Sign-On. See Cisco Security Analytics and Logging for more information.