Adding Cisco Firepower Management Center (FMC) Devices

Overview

SecureTrack monitors Cisco Firepower Management Center devices for policy revision changes. To help you organize the information for your devices, see the device information worksheet. For the full list of supported TOS features for your device, see the feature support table.

To monitor an FMC device (and its managed devices) in TOS Classic, you must complete the following procedures:

  1. Add the Cisco FMC device to TOS Classic.

  2. Import the domains and devices managed by the Cisco FMC device.

  3. Select devices managed by the Cisco FMC device for which you want to retrieve dynamic topology information.

  4. Edit the configuration of a managed Cisco firewall device, including enabling or disabling the option to Collect dynamic topology information.

Prerequisites

  • Separate authentication credentials for both SecureTrack and SecureChange.

  • TOS Classic and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.

  • Monitoring Cisco Firepower Management Center (FMC) devices requires HTTP access via port 443.

  • To collect Dynamic Topology information, make sure that SSH or Telnet access to the device is enabled.

  • The following minimum user roles are required:

    • Administrator

    • Access Admin

    • Network Admin

  • To collect usage, configure the FMC device to send syslogs to TOS Classic.

    • The syslog device ID for the FTD device managed by the FMC is required to enable TOS Classic to collect usage data.

  • The following commands are used to collect Dynamic Topology:

    Command          Description
    show route       Extracts the routing table
    show interface   Extracts the interfaces
    connect ftd      Switches to the FTD context, in which the show route and show interface commands are run

In the Cisco Firepower Management Center (FMC), the REST API is enabled by default:

  • Before you begin, confirm that the REST API is enabled.

  • If you use UCAPL mode, confirm that the REST API is disabled.

To enable the REST API:

  1. In the FMC, go to System > Configuration > REST API Preferences > Enable REST API.

  2. Check Enable REST API.

  3. Click Save.

    Save Successful displays when the REST API is enabled.

Monitor a Cisco Device

To configure TOS Classic to monitor the policy revisions of a Cisco device:

  1. In TOS Classic, go to Settings > Monitoring > Manage Devices.

  2. Select the appropriate device type:

    Add Cisco

  3. Configure the device settings:

    • Name for Display
    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from: One of the following:

      • IP Address: Revisions are retrieved automatically.
      • Offline File: This option is disabled for FMC devices.
    • ST server: In a distributed deployment, select which TOS Classic server monitors this device.
    • Enable Topology: Collects routing information for building the network Interactive Map.
  4. Click Next.

  5. Configure the TOS Classic connection to the Cisco device, according to the parameters required by the device:

    • Enter the authentication details needed to connect to the Cisco device.

      If you are using SecureChange, you need to enter separate access credentials for both SecureTrack and SecureChange. However, if you are only using SecureTrack, leave the SecureChange section empty.

      TOS Classic uses JSON API format to retrieve Cisco FMC device information.

    • To use default settings (recommended in most cases), leave the Port number blank.
    • Click Establish connection to set up encrypted communication between TOS Classic and the Cisco device. The following message appears:

    • To retrieve the FMC certificate using a DNS address, select Retrieve certificate using DNS Address, and enter the address of the DNS server.
  6. Click Next.

  7. Configure the Syslog authentication:

    • Log ID: The Log ID which corresponds to the User Defined ID in the FMC Syslog Settings. This tag is used for Data Usage.
    • Log Tag: The Tag ID which corresponds to the Tag configured in Configuration > Audit Log > Tag. This tag is used for Accountability. You cannot define the same Tag ID in multiple FMC devices.
    • Protocol: UDP by default; this field is disabled.
  8. Click Next.

  9. In Monitoring Settings, do one of the following:

    • Select Default to use the default time configured in Periodic Polling (1 hour).

    • Select Custom and configure the monitoring mode and settings.

      For both Custom options, you can use the timing page settings.

      • Real-Time Monitoring using syslog - Select Custom settings to configure the 'Save policy' interval, 'Install policy interval', and Automatic fetch frequency.

        For more information, see Configuring a Cisco FMC to Send Syslogs.

    • Periodic Polling: select Custom settings and configure the Polling frequency (how often TOS Classic fetches the configuration from each device).

      If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

  10. Click Next.

  11. Save the configuration.

    The Cisco device now appears in the Monitored Devices tree.

Import the domains or devices managed by the Cisco device

To import devices or domains managed by the Cisco device into TOS Classic:

  1. Make sure you receive the first Cisco policy revision.

  2. Select the Cisco device from the device tree.

  3. Click Import Managed Devices or Import Domains and Managed Devices.

  4. From the list of devices managed by the Cisco device, select the devices to import and click Import.

  5. In the Usage Tracking section:

    • Enable tracking of rule usage: Select to enable usage for rules to be collected and saved in the SecureTrack database.

    • Enable tracking of object usage: Select to enable usage for objects in rules to be collected and saved in the SecureTrack database.

    If these options are selected:

  6. Do one of the following:

    • Click Reset to update the list of managed devices.

    • Click Done to return to the device tree.

      The managed devices appear under the Cisco device in the device tree.

    • If available, click to Collect Dynamic Routing Information for the managed devices.
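The REST API prerequisite above and the import of domains and managed devices can be checked outside the TOS Classic UI before you start. The following script is an added example, not Tufin's collector code and not from this page. It assumes the FMC REST API endpoints POST /api/fmc_platform/v1/auth/generatetoken and GET /api/fmc_config/v1/domain/{uuid}/devices/devicerecords?expanded=true and the X-auth-access-token and DOMAINS response headers as described in Cisco's FMC API documentation; the CA file path fmc-ca.pem is a placeholder, and the sample responses embedded in it are constructed so the parsing part runs offline.

```python
"""Pre-flight check of the FMC REST API prerequisite, plus a listing of the
domains and managed devices the FMC exposes (what TOS Classic imports).
Added example; not Tufin's or Cisco's code.

Assumptions (not stated on the page): the endpoint paths below, the
X-auth-access-token / DOMAINS response headers, and the placeholder CA
file "fmc-ca.pem"."""
import base64
import json
import ssl
import sys
import urllib.request
from typing import Dict, List

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{uuid}/devices/devicerecords?expanded=true"

# Constructed sample responses used by demo() so the parsing runs offline.
SAMPLE_TOKEN_HEADERS = {
    "X-auth-access-token": "constructed-token-1",
    "X-auth-refresh-token": "constructed-refresh-1",
    "DOMAINS": '[{"name": "Global", "uuid": "00000000-0000-0000-0000-000000000001"},'
               ' {"name": "Global/Branch", "uuid": "00000000-0000-0000-0000-000000000002"}]',
}
SAMPLE_DEVICE_RECORDS = {
    "items": [
        {"id": "dev-1", "name": "ftd-edge-01", "hostName": "10.0.0.11",
         "model": "Cisco Firepower Threat Defense"},
        {"id": "dev-2", "name": "ftd-edge-02", "hostName": "10.0.0.12",
         "model": "Cisco Firepower Threat Defense"},
    ]
}


def parse_token_headers(headers: Dict[str, str]) -> dict:
    """Pull the session token and the domain list out of the generatetoken
    response headers. Names are matched case-insensitively because HTTP
    clients normalise them differently. A missing token means the login
    failed or the REST API is switched off on the FMC."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-auth-access-token")
    if not token:
        raise ValueError("no X-auth-access-token header: REST API disabled or credentials rejected")
    domains = json.loads(lowered.get("domains", "[]"))
    return {
        "token": token,
        "refresh_token": lowered.get("x-auth-refresh-token"),
        "domains": [{"name": d["name"], "uuid": d["uuid"]} for d in domains],
    }


def parse_device_records(body: dict) -> List[dict]:
    """Reduce a devicerecords response to the fields needed when choosing
    which managed devices to import and which to select for dynamic
    topology (the latter needs an address routable from TOS Classic)."""
    return [
        {"id": it.get("id"), "name": it.get("name"),
         "host": it.get("hostName"), "model": it.get("model")}
        for it in body.get("items", [])
    ]


def fmc_login(host: str, user: str, password: str, ctx: ssl.SSLContext) -> dict:
    """POST HTTP Basic credentials to generatetoken over TLS on port 443.
    An HTTP 404 here is the usual sign that the REST API is disabled."""
    req = urllib.request.Request(f"https://{host}{TOKEN_PATH}", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_token_headers(dict(resp.headers.items()))


def list_managed_devices(host: str, session: dict, ctx: ssl.SSLContext) -> Dict[str, List[dict]]:
    """Fetch the device records of every domain the token is valid for."""
    out: Dict[str, List[dict]] = {}
    for dom in session["domains"]:
        req = urllib.request.Request(f"https://{host}{DEVICES_PATH.format(uuid=dom['uuid'])}")
        req.add_header("X-auth-access-token", session["token"])
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            out[dom["name"]] = parse_device_records(json.load(resp))
    return out


def demo() -> Dict[str, List[dict]]:
    """Offline run over the constructed samples: same parsing, no network."""
    session = parse_token_headers(SAMPLE_TOKEN_HEADERS)
    return {d["name"]: parse_device_records(SAMPLE_DEVICE_RECORDS) for d in session["domains"]}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(demo())
        sys.exit(0)
    import getpass
    fmc_host, fmc_user = sys.argv[1], sys.argv[2]
    # Trust only the certificate retrieved from the FMC instead of disabling
    # verification; "fmc-ca.pem" is a placeholder path.
    tls = ssl.create_default_context(cafile="fmc-ca.pem")
    sess = fmc_login(fmc_host, fmc_user, getpass.getpass("FMC password: "), tls)
    for dom, devs in list_managed_devices(fmc_host, sess, tls).items():
        print(dom)
        for d in devs:
            print(f"  {d['name']}  {d['host']}  {d['model']}")
```

Run it with no arguments to exercise the parsing over the constructed samples, or with the FMC host and user name to query a real FMC. Because the FMC uses a certificate TOS Classic retrieves during Establish connection, the script pins trust to that certificate file rather than turning off TLS verification.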

Edit the Dynamic Topology settings for devices managed by a Cisco FMC device

To collect Dynamic Topology information, make sure that SSH or Telnet access to the device is enabled.

To configure a Cisco FMC device to retrieve Dynamic Topology information for its managed devices in TOS Classic:

  1. Select the Cisco FMC device from the device tree.

  2. Click to Collect Dynamic Routing Information.

  3. In Select Firepower Devices to Retrieve Dynamic Topology:

    1. Select the devices for which you want to retrieve Dynamic Topology.
    2. For each device, provide an IP address that can be routed from TOS Classic.
    3. Enter the Authentication Details for the FMC Firepower devices and click Save.

      All the selected devices must have the same user name and password.

Edit the configuration of a managed Cisco firewall device

To edit the configuration of a managed Cisco firewall device in TOS Classic:

  1. Select the Cisco firewall device from the device tree.

  2. Click Edit Configuration.

  3. Edit the General Settings.

  4. In the Usage Tracking section:

    • Enable tracking of rule usage: Select to enable usage for rules to be collected and saved in the SecureTrack database.
    • Enable tracking of object usage: Select to enable usage for objects in rules to be collected and saved in the SecureTrack database.

    If these options are selected:

  5. In the Topology section:

    • Enable Topology: Collects routing information for building the network Interactive Map.
    • Collect dynamic topology information: Enables dynamic topology collection when dynamic addressing (DHCP) or routing protocols (OSPF and BGP) are in use.

      When dynamic topology is enabled:

      • Both static and dynamic routes are displayed on the interactive map.
      • Static routes are not shown as part of the revisions.
  6. Click Next.

  7. Edit the connection details and click Next.

  8. Click Save to complete the device configuration.
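The Prerequisites section names show route as the command that extracts the routing table for Dynamic Topology, and the Topology section above distinguishes static from dynamic routes on the Interactive Map. The following parser is an added example, not Tufin's collector and not from this page: it turns ASA/FTD-style show route output into route records and splits them into static/connected and dynamic (OSPF, BGP and similar) sets. The column layout is assumed from the common Cisco format, and the sample output embedded in it is constructed, not captured from a device.

```python
"""Parse ASA/FTD-style "show route" output and separate static/connected
routes from dynamically learned ones. Added example; not Tufin's code.
The output layout is an assumption based on the common Cisco format."""
import re
from typing import Dict, List, Tuple

# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_ROUTE = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        10.1.1.0 255.255.255.0 is directly connected, inside
L        10.1.1.1 255.255.255.255 is directly connected, inside
O        10.2.0.0 255.255.0.0 [110/20] via 10.1.1.254, inside
B        192.0.2.0 255.255.255.0 [20/0] via 203.0.113.2, outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Route lines start in column 1 with a code (possibly "S*" or "O IA"),
# then network, mask and the next-hop/interface text.
ROUTE_RE = re.compile(
    rf"^(?P<code>[A-Z][A-Z*\s]*?)\s+(?P<net>{IPV4})\s+(?P<mask>{IPV4})\s+(?P<rest>.+)$"
)
VIA_RE = re.compile(rf"via (?P<nh>{IPV4}), (?P<iface>\S+)")
CONN_RE = re.compile(r"is directly connected, (?P<iface>\S+)")

# Codes treated as not learned from a routing protocol.
NON_DYNAMIC_CODES = {"S", "C", "L"}


def parse_show_route(text: str) -> List[Dict[str, object]]:
    """Return one record per route line; header and banner lines are skipped
    because they do not match the code/network/mask shape."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code = m.group("code").strip()
        rest = m.group("rest")
        via = VIA_RE.search(rest)
        conn = CONN_RE.search(rest)
        hop = via or conn
        routes.append({
            "code": code,
            "network": m.group("net"),
            "mask": m.group("mask"),
            "next_hop": via.group("nh") if via else None,
            "interface": hop.group("iface") if hop else None,
            # The first code letter identifies the source; "S*" is still static.
            "dynamic": code[0] not in NON_DYNAMIC_CODES,
        })
    return routes


def split_routes(routes: List[Dict[str, object]]) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Split into (static_or_connected, dynamic), mirroring the distinction the
    Interactive Map draws when dynamic topology collection is enabled."""
    static = [r for r in routes if not r["dynamic"]]
    dynamic = [r for r in routes if r["dynamic"]]
    return static, dynamic


if __name__ == "__main__":
    static, dynamic = split_routes(parse_show_route(SAMPLE_SHOW_ROUTE))
    for label, group in (("static/connected", static), ("dynamic", dynamic)):
        print(label)
        for r in group:
            print(f"  {r['code']:<4} {r['network']}/{r['mask']} via {r['next_hop']} on {r['interface']}")
```

Running the file prints the two groups for the constructed sample; to use it on real output, feed it the text captured after connect ftd, as the commands table describes.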

How Do I Get Here?

In TOS Classic, go to Settings > Monitoring > Manage Devices.