Firepower Management Center Configuration Guide, Version 6.2.3
First Published: 2018-03-29
Last Modified: 2020-08-03
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2018–2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 Getting Started With Firepower 1
Quick Start: Basic Setup 2
Installing and Performing Initial Setup on Physical Appliances 2
Deploying Virtual Appliances 3
Logging In for the First Time 3
Setting Up Basic Policies and Configurations 4
Firepower Devices 6
Firepower Features 6
Appliance and System Management Features 6
High Availability and Scalability Features by Platform 8
Features for Detecting, Preventing, and Processing Potential Threats 9
Integration with External Tools 10
Switching Domains on the Firepower Management Center 11
The Context Menu 11
Sharing Data with Cisco 13
Firepower Online Help, How To, and Documentation 13
Top-Level Documentation Listing Pages for FMC Deployments 13
License Statements in the Documentation 15
Supported Devices Statements in the Documentation 16
Access Statements in the Documentation 16
Firepower System IP Address Conventions 16
Additional Resources 16
PART I Your User Account 19
CHAPTER 2 Logging into the Firepower System 21
Firepower Management Center Configuration Guide, Version 6.2.3
iii
Firepower System User Accounts 21
Firepower System User Interfaces 23
Web Interface Considerations 25
Session Timeout 26
Logging Into the Firepower Management Center Web Interface 26
Logging Into the Web Interface of a 7000 or 8000 Series Device 27
Logging Into the Firepower Management Center with CAC Credentials 28
Logging Into a 7000 or 8000 Series Device with CAC Credentials 28
Logging Into the CLI on 7000/8000 Series, ASA FirePOWER, and NGIPSv Devices 29
Logging Into the Command Line Interface on FTD Devices 30
Logging Out of a Firepower System Web Interface 31
CHAPTER 3 Specifying User Preferences 33
User Preferences Introduction 33
Changing Your Password 33
Changing an Expired Password 34
Specifying Your Home Page 34
Configuring Event View Settings 35
Event View Preferences 35
File Download Preferences 36
Default Time Windows 37
Default Workflows 39
Setting Your Default Time Zone 39
Specifying Your Default Dashboard 39
CHAPTER 4 User Accounts for Management Access 41
About User Accounts 41
Internal and External Users 41
Web Interface and CLI or Shell Access 42
User Roles 43
Web Interface User Roles 43
CLI User Roles 44
Requirements and Prerequisites for User Accounts 44
Guidelines and Limitations for User Accounts 45
Add an Internal User Account 45
Add an Internal User at the Web Interface 45
Add an Internal User at the CLI 47
Configure External Authentication 49
About External Authentication 50
External Authentication for the Firepower Management Center and 7000 and 8000 Series 50
External Authentication for the Firepower Threat Defense 50
About LDAP 51
About RADIUS 51
Add an LDAP External Authentication Object 51
Add a RADIUS External Authentication Object 59
Enable External Authentication for Users on the Firepower Management Center 64
Enable External Authentication for Users on Managed Devices 65
Configure Common Access Card Authentication with LDAP 65
Customize User Roles for the Web Interface 67
Create Custom User Roles 67
Deactivate User Roles 69
Enable User Role Escalation 69
Set the Escalation Target Role 70
Configure a Custom User Role for Escalation 70
Escalate Your User Role 71
Configure Cisco Security Manager Single Sign-on 71
Troubleshooting LDAP Authentication Connections 72
History for User Accounts 74
PART II Firepower System Management 75
CHAPTER 5 Licensing the Firepower System 77
About Firepower Licenses 77
Requirements and Prerequisites for Licensing 78
License Requirements for Firepower Management Center 78
Firepower Management Center Virtual Licenses 78
Evaluation License Caveats 78
Smart vs. Classic Licenses 79
License Firepower Threat Defense Devices (FTD) 79
How to License Firepower Threat Defense Devices 80
Smart Software Manager (CSSM) 83
Periodic Communication with the License Authority 83
Service Subscriptions for FTD Features 83
FTD License Types and Restrictions 84
Base Licenses 86
Malware Licenses for Firepower Threat Defense Devices 86
Threat Licenses 87
URL Filtering Licenses for Firepower Threat Defense Devices 88
AnyConnect Licenses 88
Licensing for Export-Controlled Functionality 88
Licensing for High-Availability Configurations 89
Licensing for FTD Clusters 90
Create a Smart Account to Hold Your Licenses 90
How to Configure Smart Licensing with Direct Internet Access 91
Obtain a Product License Registration Token for Smart Licensing 91
Register Smart Licenses 92
Smart Software Satellite Server Overview 94
How to Deploy a Smart Software Satellite Server 94
Assign Licenses to Multiple Managed Devices 95
View FTD Licenses and License Status 96
FTD License Status 97
Move or Remove Licenses from FTD Devices 98
Transfer FTD Licenses to a Different Firepower Management Center 99
If FTD License Status is Out of Compliance 99
Deregister a Firepower Management Center from the Cisco Smart Software Manager 99
Synchronize a Firepower Management Center with the Cisco Smart Software Manager 100
Troubleshoot FTD Licensing 100
License Classic Devices (Firepower 7000/8000 Series, ASA FirePOWER, and NGIPSv) 101
Product License Registration Portal 101
Service Subscriptions for Firepower Features (Classic Licensing) 101
Classic License Types and Restrictions 102
Protection Licenses 103
Control Licenses 104
URL Filtering Licenses for Classic Devices 105
Malware Licenses for Classic Devices 105
VPN Licenses for 7000 and 8000 Series Devices 106
Classic Licenses in Device Stacks and High-Availability Pairs 106
View Your Classic Licenses 107
Identify the License Key 107
Generate a Classic License and Add It to the Firepower Management Center 108
How to Convert a Classic License for Use on an FTD Device 109
Assign Licenses to Managed Devices from the Device Management Page 111
License Expiration 112
Additional Information about Firepower Licensing 114
Cisco Success Network 115
Cisco Success Network Telemetry Data 115
Enrolled Device Data 116
Software Version Data 116
Managed Device Data 117
Telemetry Example File 117
Changing Cisco Success Network Enrollment 119
End-User License Agreement 120
CHAPTER 6 System Software Updates 121
About Firepower Updates 121
Requirements and Prerequisites for System Software Updates 122
Guidelines and Limitations for Firepower Updates 122
Upgrade Firepower System Software 123
Update the Vulnerability Database (VDB) Manually 123
Update the Geolocation Database (GeoDB) 125
Manually Update the GeoDB (Internet Connection) 125
Manually Update the GeoDB (No Internet Connection) 126
Schedule GeoDB Updates 126
Update Intrusion Rules 127
Update Intrusion Rules One-Time Manually 128
Update Intrusion Rules One-Time Automatically 129
Configure Recurring Intrusion Rule Updates 130
Best Practices for Importing Local Intrusion Rules 131
Import Local Intrusion Rules 132
Rule Update Log 132
Intrusion Rule Update Log Table 133
Viewing the Intrusion Rule Update Log 133
Fields in an Intrusion Rule Update Log 134
Viewing Details of the Intrusion Rule Update Import Log 135
Maintain Your Air-Gapped Deployment 136
CHAPTER 7 Backup and Restore 137
About Backup and Restore 137
Requirements for Backup and Restore 139
Guidelines and Limitations for Backup and Restore 140
Best Practices for Backup and Restore 140
Backing Up Firepower Appliances 143
Back up the FMC 143
Back up a Device from the FMC 145
Back up a 7000/8000 Series Device Locally 145
Create a Backup Profile 147
Restoring Firepower Appliances 148
Restore an FMC from Backup 148
Restore a 7000/8000 Series Device from Backup 149
Manage Backups and Remote Storage 150
Backup Storage Locations 151
CHAPTER 8 Configuration Import and Export 153
About Configuration Import/Export 153
Configurations that Support Import/Export 153
Special Considerations for Configuration Import/Export 154
Requirements and Prerequisites for Configuration Import/Export 155
Exporting Configurations 155
Importing Configurations 156
Import Conflict Resolution 157
CHAPTER 9 Task Scheduling 159
About Task Scheduling 159
Requirements and Prerequisites for Task Scheduling 159
Configuring a Recurring Task 160
Scheduled Backups 161
Schedule FMC Backups 161
Schedule Local 7000 & 8000 Series Device Backups 162
Configuring Certificate Revocation List Downloads 162
Automating Policy Deployment 163
Nmap Scan Automation 164
Scheduling an Nmap Scan 164
Automating Report Generation 165
Specify Report Generation Settings for a Scheduled Report 166
Automating Firepower Recommendations 167
Software Update Automation 168
Automating Software Downloads 169
Automating Software Pushes 170
Automating Software Installs 170
Vulnerability Database Update Automation 171
Automating VDB Update Downloads 172
Automating VDB Update Installs 173
Automating URL Filtering Updates Using a Scheduled Task 174
Scheduled Task Review 175
Task List Details 175
Viewing Scheduled Tasks on the Calendar 176
Editing Scheduled Tasks 176
Deleting Scheduled Tasks 177
CHAPTER 10 Data Storage 179
Data Stored on the FMC 179
Purging Data from the FMC Database 180
External Data Storage 181
CHAPTER 11 Firepower Management Center High Availability 183
About Firepower Management Center High Availability 183
System Requirements for Firepower Management Center High Availability 184
Hardware Requirements 184
Software Requirements 184
License Requirements 185
Roles v. Status in Firepower Management Center High Availability 185
Requirements and Prerequisites to Establish Firepower Management Center High Availability 186
Event Processing on Firepower Management Center High Availability Pairs 186
AMP Cloud Connections and Malware Information 187
URL Filtering and Security Intelligence 187
User Data Processing During Firepower Management Center Failover 187
Configuration Management on Firepower Management Center High Availability Pairs 187
Cisco Threat Intelligence Director (TID) and High Availability Configurations 187
Firepower Management Center High Availability Behavior During a Backup 188
Firepower Management Center High Availability Split-Brain 188
Upgrading Firepower Management Centers in a High Availability Pair 188
Troubleshooting Firepower Management Center High Availability 189
Establishing Firepower Management Center High Availability 190
Viewing Firepower Management Center High Availability Status 192
Configuration Data Synced between Firepower Management Centers during High Availability 192
Using CLI to Resolve Device Registration in Firepower Management Center High Availability 193
Switching Peers in a Firepower Management Center High Availability Pair 194
Pausing Communication Between Paired Firepower Management Centers 194
Restarting Communication Between Paired Firepower Management Centers 195
Changing the IP address of a Firepower Management Center in a High Availability Pair 195
Disabling Firepower Management Center High Availability 196
Replacing FMCs in a High Availability Pair 196
Replace a Failed Primary FMC (Successful Backup) 197
Replace a Failed Primary FMC (Unsuccessful Backup) 198
Replace a Failed Secondary FMC (Successful Backup) 199
Replace a Failed Secondary FMC (Unsuccessful Backup) 200
CHAPTER 12 Device Management Basics 201
About Device Management 201
About the Firepower Management Center and Device Management 201
What Can Be Managed by a Firepower Management Center? 202
Beyond Policies and Events 202
About Device Management Interfaces 203
Management Interfaces on 203
Management Interface Support Per Device Model 203
Network Routes on Device Management Interfaces 205
NAT Environments 205
Management and Event Traffic Channel Examples 207
Requirements and Prerequisites for Device Management 208
Complete the FTD Initial Configuration 209
Add a Device to the FMC 212
Delete a Device from the FMC 214
Add a Device Group 215
Configure Device Settings 215
Managing System Shut Down 215
Edit Management Settings 216
Update the Hostname or IP Address in FMC 216
Edit General Settings 217
Edit License Settings 218
Edit Advanced Settings 218
Configure Automatic Application Bypass 218
Inspect Local Router Traffic 219
Configure Fastpath Rules (8000 Series) 220
Modify Management Interfaces at the CLI 221
Change the Manager for the Device 226
Reestablish the Management Connection if You Change the FMC IP Address 226
Identify a New FMC 227
Switch from Firepower Device Manager to FMC 228
Switch from FMC to Firepower Device Manager 229
Viewing Device Information 231
Device Management Page Information 231
General Information 231
License Information 232
System Information 232
Health Information 233
Management Information 233
Advanced Settings 233
History for Device Management Basics 234
PART III System Monitoring and Troubleshooting 235
CHAPTER 13 Dashboards 237
About Dashboards 237
Firepower System Dashboard Widgets 238
Widget Availability 238
Dashboard Widget Availability by User Role 239
Predefined Dashboard Widgets 240
The Appliance Information Widget 240
The Appliance Status Widget 241
The Correlation Events Widget 241
The Current Interface Status Widget 241
The Current Sessions Widget 242
The Custom Analysis Widget 242
The Disk Usage Widget 246
The Interface Traffic Widget 247
The Intrusion Events Widget 247
The Network Compliance Widget 248
The Product Licensing Widget 248
The Product Updates Widget 249
The RSS Feed Widget 249
The System Load Widget 249
The System Time Widget 249
The White List Events Widget 250
Managing Dashboards 250
Adding a Dashboard 251
Adding Widgets to a Dashboard 251
Configuring Widget Preferences 252
Creating Custom Dashboards 252
Custom Dashboard Options 253
Customizing the Widget Display 254
Editing Dashboards Options 255
Modifying Dashboard Time Settings 255
Renaming a Dashboard 256
Viewing Dashboards 256
CHAPTER 14 Health Monitoring 257
Requirements and Prerequisites for Health Monitoring 257
About Health Monitoring 257
Health Modules 259
Configuring Health Monitoring 264
Health Policies 265
Default Health Policy 265
Creating Health Policies 265
Applying Health Policies 266
Editing Health Policies 267
Deleting Health Policies 267
The Health Monitor Blacklist 268
Blacklisting Appliances 268
Blacklisting Health Policy Modules 269
Health Monitor Alerts 270
Health Monitor Alert Information 270
Creating Health Monitor Alerts 271
Editing Health Monitor Alerts 271
Deleting Health Monitor Alerts 272
Using the Health Monitor 272
Health Monitor Status Categories 273
Viewing Appliance Health Monitors 274
Running All Modules for an Appliance 275
Running a Specific Health Module 275
Generating Health Module Alert Graphs 276
Health Event Views 276
Viewing Health Events 276
Viewing Health Events by Module and Appliance 277
Viewing the Health Events Table 277
Hardware Alert Details for 7000 and 8000 Series Devices 278
The Health Events Table 280
History for Health Monitoring 281
CHAPTER 15 Monitoring the System 283
About System Statistics 283
The Host Statistics Section 283
The Disk Usage Section 284
The Processes Section 284
Process Status Fields 284
System Daemons 286
Executables and System Utilities 288
The SFDataCorrelator Process Statistics Section 290
The Intrusion Event Information Section 291
Viewing System Statistics 292
CHAPTER 16 Troubleshooting the System 293
First Steps for Troubleshooting 293
System Messages 293
Message Types 294
Message Management 295
View Basic System Information 296
View Appliance Information 296
Managing System Messages 296
Viewing Deployment Messages 297
Viewing Health Messages 298
Viewing Task Messages 298
Managing Task Messages 299
Configuring Notification Behavior 299
Memory Usage Thresholds for Health Monitor Alerts 300
Health Monitor Reports for Troubleshooting 301
Producing Troubleshooting Files for Specific System Functions 302
Downloading Advanced Troubleshooting Files 303
Advanced Troubleshooting for the Firepower Threat Defense Device 303
Using the FTD CLI from the Web Interface 303
Packet Tracer Overview 304
Use the Packet Tracer 304
Packet Capture Overview 305
Use the Capture Trace 307
Feature-Specific Troubleshooting 308
PART IV Deployment Management 311
CHAPTER 17 Domain Management 313
Introduction to Multitenancy Using Domains 313
Domains Terminology 314
Domain Properties 315
Requirements and Prerequisites for Domains 316
Managing Domains 316
Creating New Domains 317
Moving Data Between Domains 318
Moving Devices Between Domains 319
CHAPTER 18 Policy Management 321
Requirements and Prerequisites for Policy Management 321
Policy Deployment 321
Best Practices for Deploying Configuration Changes 322
Restart Warnings for Firepower Threat Defense Devices 323
Deploy Configuration Changes 324
Redeploy Existing Configurations to a Device 326
Snort® Restart Scenarios 327
Inspect Traffic During Policy Apply 328
Snort® Restart Traffic Behavior 328
Configurations that Restart the Snort Process When Deployed or Activated 330
Changes that Immediately Restart the Snort Process 332
Policy Comparison 332
Comparing Policies 333
Policy Reports 334
Generating Current Policy Reports 334
Out-of-Date Policies 335
Performance Considerations for Limited Deployments 335
Discovery Without Intrusion Prevention 336
Intrusion Prevention Without Discovery 337
History for Policy Management 338
CHAPTER 19 Rule Management: Common Characteristics 341
Requirements and Prerequisites for Rule Management 341
Introduction to Rules 341
Rule Condition Types 343
Rule Condition Mechanics 345
Interface Conditions 346
Configuring Interface Conditions 347
Network Conditions 348
Configuring Network Conditions 349
Tunnel Endpoint Conditions 350
Configuring Tunnel Endpoint Conditions 351
VLAN Conditions 352
Port and ICMP Code Conditions 353
Configuring Port Conditions 354
Encapsulation Conditions 355
Application Conditions (Application Control) 355
Configuring Application Conditions and Filters 356
Application Characteristics 358
Best Practices for Application Control 359
Best Practices for Configuring Application Control 361
Application-Specific Notes and Limitations 362
Troubleshoot Application Control Rules 363
URL Conditions (URL Filtering) 364
User, Realm, and ISE Attribute Conditions (User Control) 364
User Control Prerequisites 365
Configuring User and Realm Conditions 366
Configuring ISE Attribute Conditions 367
Troubleshoot User Control 368
Custom SGT Conditions 369
ISE SGT vs Custom SGT Rule Conditions 369
Autotransition from Custom SGTs to ISE SGTs 370
Configuring Custom SGT Conditions 370
Troubleshooting Custom SGT Conditions 371
Searching for Rules 371
Filtering Rules by Device 371
Identify Rules with Issues 372
Rule and Other Policy Warnings 373
CHAPTER 20 Reusable Objects 375
Introduction to Reusable Objects 376
The Object Manager 378
Editing Objects 378
Viewing Objects and Their Usage 379
Filtering Objects or Object Groups 380
Sorting Objects 380
Object Groups 380
Grouping Reusable Objects 381
Object Overrides 382
Managing Object Overrides 383
Allowing Object Overrides 384
Adding Object Overrides 384
Editing Object Overrides 384
Network Objects 385
Creating Network Objects 386
Port Objects 387
Creating Port Objects 388
Tunnel Zones 388
Application Filters 388
VLAN Tag Objects 389
Creating VLAN Tag Objects 389
Security Group Tag Objects 389
Creating Security Group Tag Objects 390
URL Objects 390
Creating URL Objects 391
Geolocation Objects 391
Creating Geolocation Objects 392
Interface Objects: Interface Groups and Security Zones 392
Creating Security Zone and Interface Group Objects 393
Time Range Objects 394
Creating Time Range Objects 394
Variable Sets 395
Variable Sets in Intrusion Policies 396
Variables 396
Predefined Default Variables 397
Network Variables 399
Port Variables 401
Advanced Variables 402
Variable Reset 402
Adding Variables to Sets 403
Nesting Variables 404
Managing Variable Sets 406
Creating Variable Sets 407
Managing Variables 407
Adding Variables 408
Editing Variables 409
Security Intelligence Lists and Feeds 410
How to Modify Security Intelligence Objects 411
Blacklist Now, Whitelist Now, and Global Lists 412
Security Intelligence Lists and Multitenancy 413
Changing the Update Frequency for Security Intelligence Feeds 414
Custom Security Intelligence Lists and Feeds 415
Custom Lists and Feeds: Requirements 415
URL Lists and Feeds: URL Syntax and Matching Criteria 415
Custom Security Intelligence Feeds 416
Custom Security Intelligence Lists 418
Sinkhole Objects 420
Creating Sinkhole Objects 420
File Lists 420
Source Files for File Lists 421
Adding Individual SHA-256 Values to File Lists 422
Uploading Individual Files to File Lists 422
Uploading Source Files to File Lists 423
Editing SHA-256 Values in File Lists 424
Downloading Source Files from File Lists 425
Cipher Suite Lists 425
Creating Cipher Suite Lists 426
Distinguished Name Objects 426
Creating Distinguished Name Objects 427
PKI Objects 428
Internal Certificate Authority Objects 429
CA Certificate and Private Key Import 430
Importing a CA Certificate and Private Key 430
Generating a New CA Certificate and Private Key 431
New Signed Certificates 431
Creating an Unsigned CA Certificate and CSR 431
Uploading a Signed Certificate Issued in Response to a CSR 432
CA Certificate and Private Key Downloads 433
Downloading a CA Certificate and Private Key 433
Trusted Certificate Authority Objects 433
Trusted CA Object 434
Adding a Trusted CA Object 434
Certificate Revocation Lists in Trusted CA Objects 435
Adding a Certificate Revocation List to a Trusted CA Object 435
External Certificate Objects 436
Adding External Certificate Objects 436
Internal Certificate Objects 437
Adding Internal Certificate Objects 437
Certificate Enrollment Objects 438
Adding Certificate Enrollment Objects 439
Certificate Enrollment Object SCEP Options 440
Certificate Enrollment Object Certificate Parameters 441
Certificate Enrollment Object Key Options 442
Certificate Enrollment Object Revocation Options 443
SLA Monitor Objects 443
Prefix Lists 445
Configure IPv6 Prefix List 445
Configure IPv4 Prefix List 446
Route Maps 446
Access List 449
Configure Extended ACL Objects 450
Configure Standard ACL Objects 451
AS Path Objects 452
Community Lists 452
Policy Lists 453
VPN Objects 455
FTD IKE Policies 455
Configure IKEv1 Policy Objects 455
Configure IKEv2 Policy Objects 456
FTD IPsec Proposals 458
Configure IKEv1 IPsec Proposal Objects 458
Configure IKEv2 IPsec Proposal Objects 459
FTD Group Policy Objects 460
Configure Group Policy Objects 460
Group Policy General Options 461
Group Policy AnyConnect Options 463
Group Policy Advanced Options 465
FTD File Objects 466