Monitoring Cloud-Delivered FMC Devices

Overview

SecureTrack monitors Cisco cloud-delivered Firewall Management Center (cdFMC) devices for policy revision changes.

Firewall Management Center was formerly Firepower Management Center.

To see which TOS features are supported for your device, review the feature support table.

Prerequisites

• An API URL and API Key for the cdFMC device

  API URL: You can take this from the cdFMC URL.

  Example

  

  API Key: You can find this in the cdFMC user interface, in the User Management tab.

  Example

  

• Separate authentication credentials for both SecureTrack and SecureChange.

• TOS Aurora and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.

• Monitoring Cisco Firewall Management Center (FMC) devices requires HTTP access via port 443.

• To collect Dynamic Topology information, make sure that SSH or Telnet access to the device is enabled.

• At least one of the following user roles is required:

  • Administrator

  • Access Admin

  • Network Admin

• To collect usage, configure the FMC device to send syslogs to TOS Aurora.

  • The syslog device ID for the FTD device managed by the FMC is required to enable TOS Aurora to collect usage data.

• The following commands to collect Dynamic Topology:

  Command	Description
  show route	Extracts the routing table
  show interface	Extracts the interfaces
  connect ftd	Use this command to change the FTD context for running the show route and show interface commands

In the Cisco Firewall Management Center (FMC), the REST API is enabled by default:

• Before you begin, confirm that the REST API is enabled.

• If you use UCAPL mode, confirm that the REST API is disabled.

Enable the REST API

1. In the FMC, go to System > Configuration > REST API Preferences > Enable REST API.

2. Check Enable REST API.

3. Click Save.

   Save Successful displays when the REST API is enabled.

Add a Device

1. Select Cisco > FMC:

   

2. Configure the device settings:

   

   • Name for Display

   • ST server: In a distributed deployment, select which TOS Aurora cluster monitors this device (not shown in image)

   • Enable Topology: Collects routing information for building the network Interactive Map.

   • Cisco Firepower type: Choose cdFMC.

     For non-cloud FMC devices, see Monitoring FMC Devices.

3. Click Next.

4. Enter the API key and API URL.

   

   • Click Establish connection to set up encrypted communication between TOS Aurora and the Cisco device. The following message appears:

     

5. Click Next.

6. Configure the Syslog authentication:

   

   • Log ID: The Log ID which corresponds to the User Defined ID in the FMC Syslog Settings. This tag is used for Data Usage.
   • Log Tag: The Tag ID which corresponds to the Tag configured in Configuration > Audit Log > Tag. This tag is used for Accountability. You cannot define the same Tag ID in multiple FMC devices.
   • Protocol: The Protocol is UDP by default and disabled.

7. Click Next.

8. In Monitoring Settings, do one of the following:

   

   • Select Default to use the default time configured in Periodic Polling (1 hour).

   • Select Custom and configure the monitoring mode and settings.

     For both Custom options, you can use the timing page settings

     • Real-Time Monitoring using syslog - Select Custom settings to configure the 'Save policy' interval, 'Install policy interval', and Automatic fetch frequency.

       For more information, see Configuring a Cisco FMC to Send Syslogs.

   • Periodic Polling: select Custom settings and configure the Polling frequency (jow often TOS Aurora fetches the configuration from each device).

     If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

9. Click Next. 

10. Save the configuration.

    The Cisco device now appears in the Monitored Devices tree.

Configure a Monitored Device

After you add a device, further configuration options are available.

Options vary depending on your environment.

Example:

• Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.

• Delete this device: Type yes to confirm that you want to delete the device.

• Import Domains and Managed Devices

• Migrate (ST servers): Available in distributed deployments. Select the server where the device will be monitored and click Migrate.

• Migrate (Domains): Available in multi-domain deployments. Select the domain where the device will be monitored and click Migrate.

• Collect Dynamic Routing Information

Edit the Configuration of a Managed Cisco Firewall Device

1. Select the Cisco firewall device from the device tree.

2. Click Edit Configuration.

   

3. Edit the General Settings.

4. In the Usage Tracking section:

   • Enable tracking of rule usage: Select to enable usage for rules to be collected and saved in the SecureTrack database.
   • Enable tracking of object usage: Select to enable usage for objects in rules to be collected and saved in the SecureTrack database.

   If these options are selected:

   • The collected usage is displayed in the Last Hit column in Rule Viewer.
   • Automatic Policy Generation (APG) is enabled.
   • The Rule and Object Usage Report is enabled.

5. In the Topology section:

   • Enable Topology: Collects routing information for building the network Interactive Map.

   • Collect dynamic topology information: Enables dynamic topology collection when dynamic addressing (DHCP) or routing protocols (OSPF and BGP) are in use.

     When dynamic topology is enabled:

     • Both static and dynamic routes are displayed on the interactive map.
     • Static routes are not shown as part of the revisions.

6. Click Next.

   

7. Edit the connection details and click Next.

8. Click Save to complete the device configuration.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices