Modify Threat Defense Management Interfaces at the CLI
Modify the management interface settings on the managed device using the CLI. Many of these settings are ones that you set when you performed the initial setup; this procedure lets you change those settings, and set additional settings such as enabling an event interface if your model supports it, or adding static routes.
Note | This topic applies to the dedicated Management interface. You can alternatively configure a data interface for management. If you want to change network settings for that interface, you should do so within management center and not at the CLI. If you need to troubleshoot a disrupted management connection, and need to make changes directly on the threat defense, see Modify the Threat Defense Data Interface Used for Management at the CLI. |
For information about the threat defense CLI, see the Cisco Secure Firewall Threat Defense Command Reference.
Note | When using SSH, be careful when making changes to the management interface; if you cannot re-connect because of a configuration error, you will need to access the device console port. |
Note | If you change the device management IP address, then see the following tasks for management center connectivity, depending on how you identified the management center during initial device setup using the configure manager add command: |
Note | In a High Availability management center configuration, when you modify the management IP address from the device CLI or from the management center, the secondary management center does not reflect the changes even after an HA synchronization. To ensure that the secondary management center is also updated, switch roles between the two management centers, making the secondary management center the active unit. Modify the management IP address of the registered device on the device management page of the now active management center. |
Before you begin
- You can create user accounts that can log into the CLI using the configure user add command; see Add an Internal User at the CLI. You can also configure AAA users according to External Authentication.
Procedure
Step 1 | Connect to the device CLI, either from the console port or using SSH. |
Step 2 | Log in with the Admin username and password. |
Step 3 | (Firepower 4100/9300/Secure Firewall 4200 only) Enable the second management interface as an event-only interface.
configure network management-interface enable management1
configure network management-interface disable-management-channel management1
You always need a management interface for management traffic. If your device has a second management interface, you can enable it for event-only traffic. You can optionally disable events for the main management interface using the configure network management-interface disable-events-channel command. In either case, the device will try to send events on the event-only interface, and if that interface is down, it will send events on the management interface even if you disabled the events channel there. You cannot disable both the events and management channels on the same interface. To use a separate event interface, you also need to enable an event interface on the management center. See the Cisco Secure Firewall Management Center Administration Guide.
Example: |
Step 4 | Configure the IP address of the management interface and/or event interface. If you do not specify the management_interface argument, you change the network settings for the default management interface; when configuring an event interface, be sure to specify the management_interface argument. The event interface can be on a separate network from the management interface or on the same network. If you are connected through the interface you are configuring, you will be disconnected; reconnect to the new IP address. |
Step 5 | For IPv6, enable or disable ICMPv6 Echo Replies and Destination Unreachable messages. These messages are enabled by default.
configure network ipv6 destination-unreachable {enable | disable}
configure network ipv6 echo-reply {enable | disable}
You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes.
Example: |
Step 6 | Enable a DHCP server on the default management interface to provide IP addresses to connected hosts:
configure network ipv4 dhcp-server-enable start_ip_address end_ip_address
Example:
You can only configure a DHCP server when you set the management interface IP address manually. This command is not supported on the management center virtual. To display the status of the DHCP server, enter show network-dhcp-server. |
Step 7 | Add a static route for the event-only interface if the management center is on a remote network; otherwise, all traffic will match the default route through the management interface.
configure network static-routes {ipv4 | ipv6} add management_interface destination_ip netmask_or_prefix gateway_ip
Do not use this command for the default route; you can only change the default route gateway IP address with the configure network ipv4 or ipv6 commands (see Step 4).
Example:
To display static routes, enter show network-static-routes (the default route is not shown). |
Step 8 | Set the hostname:
configure network hostname name
Example:
Syslog messages do not reflect a new hostname until after a reboot. |
Step 9 | Set the search domains:
configure network dns searchdomains domain_list
Example:
Set the search domain(s) for the device, separated by commas. These domains are appended to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface. |
Step 10 | Set up to 3 DNS servers, separated by commas:
configure network dns servers dns_ip_list
Example: |
Step 11 | Set the remote management port for communication with the management center:
configure network management-interface tcpport number
Example:
The management center and managed devices communicate using a two-way, TLS-1.3-encrypted communication channel, which by default is on port 8305. Keep the default unless it conflicts with other traffic on your network; if you change the port on a device, you must change it on the management center and on every other device that needs to communicate with it, or the management connection will not be established. |
Step 12 | (Threat Defense only) Set the management or eventing interface MTU. The MTU is 1500 bytes by default.
configure network mtu [bytes] [interface_id]
Example: |
Step 13 | Configure an HTTP proxy. By default, the device connects directly to the internet on TCP/443 (HTTPS) and TCP/80 (HTTP). You can instead use a proxy server, to which the device can authenticate using HTTP Digest. After you issue the command, you are prompted for the HTTP proxy address and port, whether proxy authentication is required, and, if it is, the proxy username, proxy password, and confirmation of the proxy password.
configure network http-proxy
Example: |
Step 14 | If you change the device management IP address, then see the following tasks for management center connectivity, depending on how you identified the management center during initial device setup using the configure manager add command: |
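The following Python script is an added example, not Cisco code and not part of this guide; it never connects to a device. It models the routing behaviour this procedure relies on (a destination on a directly connected management network leaves on that interface, otherwise a static route from Step 7 is consulted, otherwise the default route through the interface carrying the management channel), checks the constraints the steps state (gateway on the interface's network, not both channels disabled, the SSH session dropping when its own interface is re-addressed), and emits the command lines a change would need in an order that enables an interface before addressing it. The command forms follow Steps 3 and 7 to 10; the configure network ipv4 manual form for Step 4 is assumed from the threat defense command reference rather than shown on this page, so confirm it against the Command Reference for your version. All interface names, addresses and the SSH client address are constructed sample data.

```python
"""Pre-flight planner for a threat defense management-interface change (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class MgmtInterface:
    name: str                  # "management0" (main) or "management1" (event-only)
    address: IPv4Interface     # host address with prefix length
    gateway: IPv4Address       # gateway given to 'configure network ipv4 manual'
    management_channel: bool = True
    events_channel: bool = True


@dataclass
class StaticRoute:
    interface: str
    destination: IPv4Network
    gateway: IPv4Address


def mgmt_interface(name, cidr, gateway, management_channel=True, events_channel=True):
    """Build a MgmtInterface from strings, e.g. ("management0", "10.10.10.45/24", "10.10.10.1")."""
    return MgmtInterface(name, IPv4Interface(cidr), IPv4Address(gateway), management_channel, events_channel)


def static_route(interface, destination, gateway):
    return StaticRoute(interface, IPv4Network(destination), IPv4Address(gateway))


def validate(ifaces):
    """Problems that would make the change fail or strand the device."""
    problems = []
    for i in ifaces:
        if i.gateway not in i.address.network:
            problems.append(f"{i.name}: gateway {i.gateway} is not on {i.address.network}")
        if not (i.management_channel or i.events_channel):
            problems.append(f"{i.name}: cannot disable both the management and events channels")
    if not any(i.management_channel for i in ifaces):
        problems.append("no interface carries the management channel")
    return problems


def egress(dst, ifaces, routes):
    """Name of the interface that traffic to dst leaves on: connected, then static, then default."""
    dst = IPv4Address(dst)
    for i in ifaces:
        if dst in i.address.network:
            return i.name
    hits = [r for r in routes if dst in r.destination]
    if hits:
        return max(hits, key=lambda r: r.destination.prefixlen).interface
    return next(i.name for i in ifaces if i.management_channel)  # default route via management


def events_use_event_interface(fmc, ifaces, routes):
    """True only if events to the management center actually leave on the event-only interface."""
    event_only = [i for i in ifaces if i.events_channel and not i.management_channel]
    return bool(event_only) and egress(fmc, ifaces, routes) == event_only[0].name


def session_warning(old, new, ssh_client):
    """Warn when the interface the SSH session enters on is about to be re-addressed."""
    via = egress(ssh_client, old, [])
    before = next(i for i in old if i.name == via)
    after = next((i for i in new if i.name == via), None)
    if after is None or after.address != before.address:
        target = after.address.ip if after else "the console port"
        return f"session enters via {via}; it will drop, reconnect to {target}"
    return None


def plan(ifaces, routes, hostname, dns_servers, search_domains):
    """CLI lines in an order that enables an interface before addressing it."""
    cmds = []
    for i in ifaces:
        if i.name != "management0":
            cmds.append(f"configure network management-interface enable {i.name}")
        if not i.management_channel:
            cmds.append(f"configure network management-interface disable-management-channel {i.name}")
        if not i.events_channel:
            cmds.append(f"configure network management-interface disable-events-channel {i.name}")
        tail = "" if i.name == "management0" else f" {i.name}"  # default interface takes no argument
        cmds.append(f"configure network ipv4 manual {i.address.ip} {i.address.netmask} {i.gateway}{tail}")
    for r in routes:
        cmds.append(f"configure network static-routes ipv4 add {r.interface} "
                    f"{r.destination.network_address} {r.destination.netmask} {r.gateway}")
    cmds.append(f"configure network hostname {hostname}")
    cmds.append(f"configure network dns servers {','.join(dns_servers)}")
    cmds.append(f"configure network dns searchdomains {','.join(search_domains)}")
    return cmds


# Constructed sample: management0 carries management only, management1 carries events only,
# and the management center sits on a remote network behind management1's gateway.
MGMT0 = mgmt_interface("management0", "10.10.10.45/24", "10.10.10.1", events_channel=False)
MGMT1 = mgmt_interface("management1", "10.20.20.45/24", "10.20.20.1", management_channel=False)
FMC = "192.0.2.10"
EVENT_ROUTE = static_route("management1", "192.0.2.0/24", "10.20.20.1")

if __name__ == "__main__":
    print("problems:", validate([MGMT0, MGMT1]))
    print("events without static route leave on:", egress(FMC, [MGMT0, MGMT1], []))
    print("events with static route leave on:   ", egress(FMC, [MGMT0, MGMT1], [EVENT_ROUTE]))
    print(session_warning([mgmt_interface("management0", "10.10.10.40/24", "10.10.10.1")], [MGMT0], "198.51.100.7"))
    for line in plan([MGMT0, MGMT1], [EVENT_ROUTE], "ftd-edge-01", ["10.10.10.5"], ["example.com"]):
        print(line)
```

Run it before an SSH session change: the session warning tells you whether you will be cut off (and therefore need the console port per the note above), and the two egress lines show why Step 7 is required for a remote management center; without the static route, events fall back to the default route through management0 even though management1 was enabled for events.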