Setting Up The Cisco Firepower Management Center and FTDV Image Ver01

The document provides steps for setting up a Cisco Firepower Management Center (FMC) and virtual Firepower Threat Defense (FTDv) device on the Dimension Data Managed Cloud Platform (MCP). The steps include: 1. Deploying the FMC and FTDv virtual machine images on the MCP. This requires selecting the images, defining network interfaces and VLANs, and deploying the servers. 2. Configuring firewall rules and a public IP address on the MCP to allow internet access to the FMC. This involves defining a NAT rule mapping the FMC's private IP to a public IP address. 3. Accessing the FMC console to configure its network settings, such as setting

Uploaded by

shadab umair

Setting up the Cisco Firepower Management Center and FTDv Image in DD MCP
Table of Contents
Introduction (page 3)
Loading Servers into Domain and Prepping for Connection (page 4)
Configuring the FMC and Validating Access from the Internet (page 13)
Configuring the Firepower Threat Defense Device (page 17)
Accessing the FMC for the 1st Time and Adding the FTDv Device (page 21)
Introduction
This document is provided to help in the deployment of the Cisco Firepower Management Center (FMC),
and the virtual Firepower Threat Defense (FTDv), in the Dimension Data (DD) Managed Cloud Platform
(MCP). The scope of this document is the setup and configuration of Firepower Threat Defense
services to the point of being able to access the FMC and associate the FTDv device with the FMC.

No configuration guidance will be provided relative to health or security policy of the system. For help in
configuring device health, licensing, and policy configuration, please refer to the following links for
configuring the Firepower services:

Install and Upgrade Guides

Configuration Examples and TechNotes

Configuration Guides

Provided below is a conceptual image of the environment:

[Conceptual diagram: a Security Admin workstation connects over VPN/SSH through the Company ‘X’ firewall and the Internet to the DD MCP environment, where the FMCv (FireSIGHT) and FTDv sit on a Management Network alongside vServer1, vServer2 and vServer3 in the Company ‘X’ Data Center cloud.]
Loading Servers into Domain and Prepping for Connection
The MCP cloud can be accessed via the following URL:
https://caas.dimensiondata.cloud/

Credentials, along with the URL listed above, are provided with the purchase of a Dimension Data MCP
subscription.

After signing into the MCP cloud, navigating to the region and correct datacenter may be required.

As seen in the image above, this session is presently associated with the ‘North America’ region, but no
Data Center is chosen. For this particular session, the servers are located in the US - East 3 - MCP 2.0
(NA9) Data Center. The names of the Data Centers are live links. Hover your pointer over the desired Data
Center.

Once the Data Center is chosen, the Network Domain must be selected:
In this instance, only one choice is presented: ‘Cisco Demo’. Again, the name is a live link, and clicking on
the name will take you to the resources in the Network Domain:

In the configuration process, the first thing to complete is to deploy servers. To expand and see what is
currently deployed, click the ‘+’ to the right of the Servers bar. As the Firepower Management Center and
the Firepower Threat Defense (virtual) will not be present, choose the ‘Deploy Server’ ‘+’ in the left
column.
To filter out only the desired servers, in the ‘Filters’ drop-down, select Client Images.

Depending on the contract and services different companies have, the filtered images may differ. The
desired images for this exercise are: Cisco Firepower Management Center and Cisco Firepower Threat
Defense.
Note *: For the FTDv, it is required to deploy the device with Four (4) interfaces:

• Firepower Threat Defense Virtual interface requirements:

– Management interfaces (2) — One used to connect the Firepower Threat Defense Virtual to the
Firepower Management Center, second used for diagnostics; cannot be used for through traffic.

– Traffic interfaces (2) — Used to connect the Firepower Threat Defense Virtual to inside hosts and to
the public network.

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/aws/ftdv-aws-qsg.html
Each NIC that is added must be deployed in a unique VLAN. Please refer to the ‘VLANs and Servers’ menu
bar to see the various VLANs that are available. If no VLANs are available, in the ‘VLANs and
Servers’ menu bar, from the pull down, select the ‘+ Add VLAN’ option and repeat until
the desired or required number of VLANs is defined.

Choose one of the images. When an image is chosen a check mark will be displayed initially. Choose the
‘>Next’ button. The following screen is displayed:
• Verify that the Network Domain displayed in the pull down is the desired location. Complete the
following:
• Server Name*
• VLAN* - For VLAN, be sure to choose the VLAN that will be used for Management (connecting to
the FMC, and the FTDv communicating with the FMC)
• IPv4 Address – this is usually automatically defined. Depending on the use case, the user
environment may need or want to change the address (either host or network, or both).

Adding interfaces can be completed as follows:

If the required number of interfaces has not yet been deployed, from the networking menu bar,
from the actions pull down, interfaces can be added and associated with the available VLANs.

Once all the interfaces are added, choose the ‘> Customize’ button. On the bottom, right side of the
screen, select the ‘NIC Type’ pull down and select the ‘VMXNET3’ option.
Once the desired Server information is input, choose ‘√Deploy’.

Once the images have been installed (which could take some time) the following ‘similar’ screen should
appear. Naming conventions and number of servers in the inventory may differ. In this instance ‘FMC’ and
‘FTD’ have been deployed:
In order to access the Firepower Management Center (FMC) from the public internet, firewall rules and a
public IP address need to be defined.
For Firewall rules, Select the ‘+’ mark on the right side of the Firewall Rules bar:

After reviewing the firewall rules (if there are any) and determining that a rule is required, from the
‘Actions’ pull down, choose ‘+ Add Firewall Rule’. The rule can be as open or as restrictive as desired. As
many organizations will establish a VPN into the cloud hosted environment, many choose not to restrict
traffic initially, and strengthen the policy once the environment is set up. The recommended best
practice is to identify the networks that will be allowed to access the environment in order to best protect
the services that will be hosted.

Next, a public IP needs to be provided. This is done with a NAT rule. This public address is the
address that will be used to connect to the Firepower Management Center over a public link.
From the ‘Public IPv4 Addresses and NAT Rules’ bar, select the ‘+’ on the right side:

When the item is expanded, the ‘Actions’ menu becomes available. There will only be one choice, which
will be ‘+ Add Public IPv4 Address Block’. Choose the only selection, which is to add a block. Depending on
how the environment is set up, a couple of addresses will be shown with no Server or Private IP/VIP
populated.

On the right side of an empty row there will be a gear with a down arrow (pull down menu).

Depress the pull down menu and select ‘Create a NAT Rule’.

A window will be displayed that shows the Public IP for this NAT rule, with an area to fill in the ‘Server / IP
Address*’

Populate the ‘Server / IP Address*’ area with the internal address that the FMC was given. Depress the ‘√
Create’ button when finished. The result will appear as follows:
Configuring the FMC and Validating Access from the Internet
The FMC will require minimum configuration so that users can access the device. The FMC console can be
accessed from the server area of the cloud environment. Verify that the image is started, validated by the
image being ‘green’. If the image is ‘red’, from the right side of the row that the server is located, choose
the ‘gear’ pull down, and ‘start’ the image:

Once the image is started, from the same pull down, choose ‘>_ Console’ to establish a command line
session to the FMC.
Login using the credentials provided.
From there the current state of the interface and routes will be identified to determine if changes need to be
made.

In this particular example, the interface IP address and the default gateway are not set to the desired
settings. The interface IP address should be set to 10.0.4.7/24, and the default gateway needs to be set to
10.0.4.1.
*Note – The addresses called out are specific to this MCP environment; please validate the address
scheme of the environment to define the proper addresses for interfaces and gateways.

In order to change the interface IP and Default Gateway, it is required to enter admin state. This is done
with the ‘sudo’ command.

Refer to the following command line configuration example for syntax. Again, addresses used are for the
example environment.
Once these commands are executed the FMC should be accessible. From a workstation connected to the
Internet, verify that the Firepower Management Center is accessible. Remember that the IP address
needed to access the FMC from the internet is the PUBLIC IP Address.

*note: The command lines to configure the interface and default route are followed by the commands to
verify the configuration.
Configuring the Firepower Threat Defense Device
The previous exercise provided instruction on preparing access to the Firepower Management Center.
This exercise will prepare the device to be associated to the Firepower Management Center.

There will be no configuration of interfaces other than those required for management and eventing
(reporting back to the Management Center).

As the Firepower Management Center (FMC) and the Firepower Threat Defense (FTD) device
management interfaces are on the same subnet, a NAT translation is not required.

*Note: A NAT translation will be required if an external (untrusted) interface is required to be accessed
from an external public address.

As with the FMC, the FTD device will need to be accessed via the console. Follow the same steps of powering on the
device and accessing it through the console, as done with the FMC.

As with the FMC, the console option will be greyed out until the device is running.

Logging into the FTD Device for the 1st time will take the user through a set of steps.

The first setup item is to accept the ‘EULA’ – End User License Agreement. This will require the user to
press <ENTER>. Use the space bar to proceed a page at a time until the end is reached – each page will end with
‘—More—’ until the end is reached.
When the end is reached, the following line is displayed:

Enter ‘YES’ to proceed.

The System will then initialize (this could take some time).

Once the system initializes, the user will be asked to change the password.
From that point the system will move into an automated setup menu. Before proceeding, have the IP
addresses that were allocated during setup at hand. Input the corresponding IPs for each VLAN. Also, have the
Firepower Management Center IP address ready for input. The DD MCP system does not always respond
well to the number pad to the right of the main keyboard; however, the number keys at the top of
the keyboard function properly.
It is important to place the Cisco FTDv into routed mode. Every interface will require an IP address.

The two most common commands for pointing the FTDv to the FMC are:

➢ Configure network management-port XXXX
➢ Configure manager add FMC-IP-Address (secret) (NAT ID)

For this particular example, only the manager will be configured.

• This is the initial pairing of the FTDv device to the FMC.
• FMC IP address (10.0.4.7) Note* - if the FTDv device is on a network that is at a remote
location (branch office), the public IP address of the FMC needs to be defined
• Use any Registration Key (e.g. C1sco12345)
• Append the Unique NAT ID (e.g. 12345)
• The Registration Key and NAT ID are to be used on the FMC.
*Note – The IP address, Secret, and NAT ID are used only as examples. Please use the assigned IP for the
environment being configured, and choose a Secret and NAT ID that are unique.
Accessing the FMC for the 1st Time and Adding the FTDv Device
When the FMC is accessed for the 1st time, the ‘Change Password’ screen will be displayed. Other settings
are also available but are out of scope for this document:

Select and record a new password, move to the bottom of the page:

Check the End User License agreement, and click the ‘Apply’ button. If an ‘NTP’ error is encountered, set
NTP to manual and proceed. NTP configuration can easily be configured from the web interface.

When the user chooses ‘Apply’, the web interface will try to reconnect to the private IP Address of the
FMC (unsuccessfully). In the Browser URL Bar, input the FMC public IP address, and proceed. The console
may immediately proceed to the ‘Summary Dashboard’. No widget windows will populate as there are no
devices configured in the FMC at this point.

To add a device to the FMC, navigate to the ‘Devices’ option in the FMC, and select ‘Device Management’.
From the Device Management screen, move to the right side of the screen and depress the ‘Add…’ pull
down menu, scroll down and choose ‘+ Add Device’:

The following window will appear:


In this example the IP address of the FTDv device is known; however, if the host IP address or FQDN is
not known, the ‘DONTRESOLVE’ keyword can be used. In this example, ‘DONTRESOLVE’ will be used.
Make sure to pull down the Advanced options to populate the ‘Unique NAT ID:’. This particular example
does not require the field to be populated, but for the example it shall be.

The following information will be populated:

• Host (e.g. DONTRESOLVE)
• Registration Key (e.g. cisco123)
• Group (leave at None)
• Access Group Policy (e.g. Cisco POV Access Control Policy)
• Select all available Licenses (If license registration has not yet been completed, there will
be no licenses to select)
• Unique NAT ID (e.g. 12345)

As there are no Access Control Policies yet configured, the device cannot be added. The ‘Access Group
Policy’ pull down allows a policy to be created on the fly. Choose the ‘Create new policy’ from the pull
down, and populate the Name field. Selecting a base policy is NOT required, however choosing a ‘Default
Action:’ is required. Make a selection that is most appropriate and in compliance with corporate policy.
This is only an initial policy.

Choose ‘Register’ to bring the FTDv device under the FMC management.
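Before choosing ‘Register’, it is worth checking that what was typed at the FTDv console and what is entered on the FMC ‘Add Device’ form agree, and that the network plan matches the rules this guide states (one unique VLAN per NIC, two management plus two traffic interfaces on the FTDv, gateway inside the management subnet, FMC and FTDv management on one subnet so no NAT translation is needed, and a matching NAT ID whenever DONTRESOLVE is used). The following is an added example, not part of the original guide or any Cisco tooling; the plan dictionary, VLAN names and the FTDv management address are constructed, and only 10.0.4.7/24 and 10.0.4.1 come from the guide.

```python
"""Pre-registration consistency check for an FMC/FTDv plan (added example)."""
import ipaddress

# Constructed sample plan; 10.0.4.7/24 and gateway 10.0.4.1 are the guide's values.
PLAN = {
    "fmc": {"mgmt": "10.0.4.7/24", "gateway": "10.0.4.1"},
    "ftdv": {
        "mgmt": "10.0.4.20/24",          # assumed FTDv management address
        "gateway": "10.0.4.1",
        # (VLAN, role) per NIC: the guide requires 2 management + 2 traffic NICs
        "nics": [("VLAN-Mgmt", "management"), ("VLAN-Diag", "management"),
                 ("VLAN-Inside", "traffic"), ("VLAN-Outside", "traffic")],
        # Values typed at the console: configure manager add <ip> <key> <natid>
        "manager_ip": "10.0.4.7", "reg_key": "C1sco12345", "nat_id": "12345",
    },
    # Values entered on the FMC 'Add Device' form
    "fmc_form": {"host": "DONTRESOLVE", "reg_key": "C1sco12345", "nat_id": "12345"},
}


def check_plan(plan):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    fmc, ftd, form = plan["fmc"], plan["ftdv"], plan["fmc_form"]
    fmc_if = ipaddress.ip_interface(fmc["mgmt"])
    ftd_if = ipaddress.ip_interface(ftd["mgmt"])
    # The default gateway must lie inside the interface's own subnet.
    for name, iface, gw in (("FMC", fmc_if, fmc["gateway"]),
                            ("FTDv", ftd_if, ftd["gateway"])):
        if ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"{name}: gateway {gw} is outside {iface.network}")
    # Every NIC in its own VLAN, with the 2 + 2 interface layout the guide requires.
    vlans = [v for v, _ in ftd["nics"]]
    if len(set(vlans)) != len(vlans):
        findings.append("FTDv: every NIC must be deployed in a unique VLAN")
    roles = [r for _, r in ftd["nics"]]
    if roles.count("management") != 2 or roles.count("traffic") != 2:
        findings.append("FTDv: expected 2 management and 2 traffic interfaces")
    # Same subnet: register directly; otherwise a NAT translation / public FMC IP is needed.
    same_subnet = fmc_if.network == ftd_if.network
    if not same_subnet:
        findings.append("FMC and FTDv management on different subnets: NAT required")
    elif ftd["manager_ip"] != str(fmc_if.ip):
        findings.append(f"FTDv points at {ftd['manager_ip']} but the FMC is {fmc_if.ip}")
    # Registration parameters must agree on both ends.
    if ftd["reg_key"] != form["reg_key"]:
        findings.append("registration key differs between FTDv and FMC")
    if form["host"] == "DONTRESOLVE" and (
            not ftd["nat_id"] or ftd["nat_id"] != form["nat_id"]):
        findings.append("DONTRESOLVE requires the same NAT ID on both FTDv and FMC")
    return findings


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```

A registration key typo on either side is the most common cause of a failed pairing, and this check catches it before the FMC reports a registration failure.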

The FMC browser interface will appear as follows after the device is successfully added. There may be
alarms or warnings. The most common is time synchronization.

To investigate warnings and alarms the user can choose the red circle on the upper right of the browser
between the ‘Deploy’ and ‘System’ menu items.

Click on the exclamation mark, and then choose ‘Health’. The following screen may appear:

*Note – the alarms and severity may be different than what is captured in the example.
In this particular example: Timing is not synchronized and the AMP connector cannot connect to the
cloud.
The FTDv device has not been configured to use any specific NTP server, nor has an AMP account been
setup.

We will address the NTP issue ONLY in this example.

Under Devices, navigate to ‘Platform Settings’ and on the right side of the screen select ‘+ New Policy’.
The choice of either Firepower or Threat Defense will be presented. Choose ‘Threat Defense’.

The following screen will appear:


Name the policy, select the FTD device (identified by an IP address in this example), and select the
‘Add to Policy’ button in the middle of the window. Select Save.

The configuration progression will display the following screen:


Navigate to the ‘Time Synchronization’ option and highlight.

The following will appear:

Select one of the two choices in the middle of the NTP configuration window. If the ‘Via NTP From’ option
is selected, have the IP address or FQDN ready.

*Note – If the ‘Via NTP From’ option is selected, a public IP Address and public DNS setting may need to
be configured.

For this example, the ‘Via NTP from Management Center’ is chosen (the blue button actually needs to be
selected, even though the bubble is already populated). Once the bubble is selected, the ‘Save’ button at
the top, right of the screen will be active. Select ‘Save’ to apply the NTP policy to the FTDv device.
This completes the initial setup of the Firepower Management Center (virtual) and the Firepower Threat
Defense (virtual) appliance. There are still key activities to complete that are out of scope of this
document, of which licensing is key. With the advent of Cisco ‘Smart Licensing’ there are several options an
organization can exercise to employ licensing, and any example shown here may contradict how an
organization is employing licensing.

Please use the following references to get started:

Install and Upgrade Guides

Configuration Examples and TechNotes

Configuration Guides
