Secure Firewall Management Center (FMC) Administration

Before adding Secure Firewall devices to the FMC, the FMC itself must first be configured with a valid IP address, other than the factory default. To do this, log into the CLI of the FMC and enter:

sudo configure-network

Once the FMC has an IP address, you can begin onboarding devices. Navigate to Devices > Device Management and click Add > Add Device. Here, you’ll enter the IP address of your Secure Firewall Threat Defense (FTD) device and the same shared secret key that you configured earlier on the device.

During the onboarding process, you must assign a policy to the new device. If you haven’t already created an Access Control Policy (ACP), the FMC allows you to configure a default policy to enable basic functionality, such as network discovery or preliminary traffic inspection.

A secure communication channel between the FMC and the sensor (FTD) is established using sftunnel, which operates over TCP port 8305. To verify the status of this encrypted tunnel, log into the CLI of either the FMC or the Secure Firewall sensor and run the following script:

sftunnel_status.pl

For additional diagnostics, you can check whether the sftunnel port is open or actively listening by issuing:

netstat -a | grep 8305

You can also confirm the registration status of the FTD device with the FMC by using this command on the sensor:

show managers

If you discover that the sftunnel is not functioning properly or needs to be restarted, you can issue the following command to manage background processes and restart the communication channel:

manage_procs.pl

Choose the option related to restarting the sftunnel process when prompted. This ensures the encrypted control channel is re-established correctly, allowing the FMC to continue managing the Secure Firewall device effectively.
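
The netstat check above matches any line containing the digits 8305, so it pays to classify what comes back rather than eyeball it. The following Python script is an added example, not part of the original page or of Cisco's tooling; it parses constructed netstat lines (not a real capture) and separates the 8305 listener from an established session with the manager, assuming the FMC address 192.168.1.100 used later on this page.

```python
"""Added example, not from the original page or Cisco tooling: classify the
TCP sockets that `netstat -a | grep 8305` reports, so an open sftunnel
listener is not mistaken for an established FMC <-> FTD session.
The netstat lines below are constructed sample output, not a real capture."""
from typing import Dict, List, Optional, Tuple

SFTUNNEL_PORT = 8305

# Constructed sample from an FTD whose manager is 192.168.1.100 (the FMC
# address used elsewhere on this page). The last line is the kind of false
# positive a bare grep for 8305 produces: an unrelated client connection
# whose ephemeral port merely contains the digits 8305.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:8305            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.46:8305       192.168.1.100:47219     ESTABLISHED
tcp        0      0 192.168.1.46:22         10.0.0.5:53010          ESTABLISHED
tcp6       0      0 :::8305                 :::*                    LISTEN
tcp        0      0 192.168.1.46:48305      203.0.113.9:443         ESTABLISHED
"""

def _split(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' from the right so IPv6 forms like ':::8305' work;
    a '*' port (wildcard on LISTEN lines) becomes None."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else None

def classify_sftunnel(netstat_text: str, port: int = SFTUNNEL_PORT) -> Dict[str, List[str]]:
    """Return {'listening': [local addrs], 'established': [peer hosts]} for
    TCP sockets whose local or remote port is exactly `port`."""
    result: Dict[str, List[str]] = {"listening": [], "established": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -a also prints headers, UDP and UNIX sockets; skip them.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        _, l_port = _split(local)
        r_host, r_port = _split(remote)
        if state == "LISTEN" and l_port == port:
            result["listening"].append(local)
        elif state == "ESTABLISHED" and port in (l_port, r_port):
            # On the FTD the peer is the FMC; on the FMC it is a managed sensor.
            result["established"].append(r_host)
    return result

def tunnel_is_up(netstat_text: str, manager_ip: str) -> bool:
    """An open listener alone proves nothing; registration is healthy only
    when an ESTABLISHED 8305 session exists with the configured manager."""
    return manager_ip in classify_sftunnel(netstat_text)["established"]

if __name__ == "__main__":
    print(classify_sftunnel(SAMPLE_NETSTAT))
    print("tunnel up:", tunnel_is_up(SAMPLE_NETSTAT, "192.168.1.100"))
```

If the listener is present but no session is established, that is the point at which restarting sftunnel via manage_procs.pl, as described above, is worth trying.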

Viewing Secure Firewall Hardware and Software Settings

To verify the software versions running on your Cisco Secure Firewall Management Center (FMC), including critical components like Snort, the Vulnerability Database (VDB), and system modules, navigate to Help > About in the FMC web interface. This section displays detailed version information such as:

  • The FMC model (e.g., VMware-based deployment)
  • Software version (e.g., 6.2.3 build 20)
  • Operating system version
  • Snort engine version
  • Rule update and rulepack version
  • Module pack version
  • VDB version and timestamp
  • Hostname

These details are crucial for ensuring compatibility between the FMC and Secure Firewall Threat Defense (FTD) devices, particularly when applying updates or troubleshooting inspection and policy behaviors.

If you need to check the software and hardware versions of registered Secure Firewall devices themselves, go to Devices > Device Management. This page lists all managed devices and displays their name, model, and the version of the software they’re running. This allows administrators to quickly confirm whether their devices are in sync with the FMC or if firmware updates may be required.

Having quick access to this version data is also valuable when opening TAC cases, performing upgrade planning, or validating whether features are supported in your current deployment.

In addition to the web interface, software version information can also be retrieved via the CLI for both the FMC and Secure Firewall devices. This is useful in lab environments, during audits, or when direct GUI access is not available.

To check the version on the Secure Firewall Management Center (FMC), SSH into the FMC as an admin user. Once logged in, you’ll see version information displayed automatically. For example:


This confirms both the underlying OS and the FMC software version.

To verify the version on the Secure Firewall Threat Defense (FTD) sensor, SSH into the device and issue the following command:

show version

This command provides detailed version output for the sensor, including:

  • Model and build number (e.g., Cisco Secure Firewall Threat Defense for VMware v6.2.3, Build 20)
  • Unique device identifier (UUID)
  • Rules update version (e.g., 2017-09-13-001-vrt)
  • Vulnerability Database (VDB) version (e.g., 290)

This CLI verification method ensures you can confidently audit or validate software versions across your deployment, even in environments without GUI access or during troubleshooting scenarios.
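
To audit several sensors against the FMC without clicking through each one, the following Python script is an added example (not from the original page or from Cisco) that parses a constructed `show version` table built from the fields listed above and flags drift from the versions reported under Help > About; the hostname and UUID in the sample are placeholders.

```python
"""Added example, not from the original page or Cisco tooling: parse the
`show version` table of an FTD sensor and compare it with the versions the
FMC reports under Help > About, to spot devices out of sync before an
upgrade or a TAC case. The sample below is constructed from the fields the
page lists; the hostname and UUID are placeholders, not real identifiers."""
import re
from typing import Dict, List

# Constructed sample of `show version` output; the layout mirrors the
# real key : value table and the values are those quoted on this page.
SAMPLE_SHOW_VERSION = """\
--------------------[ ftd-lab ]---------------------
Model                     : Cisco Firepower Threat Defense for VMWare (75) Version 6.2.3 (Build 20)
UUID                      : 00000000-0000-0000-0000-000000000000
Rules update version      : 2017-09-13-001-vrt
VDB version               : 290
----------------------------------------------------
"""

_VERSION_RE = re.compile(r"Version\s+(?P<version>[\d.]+)\s+\(Build\s+(?P<build>\d+)\)")
_BANNER_RE = re.compile(r"\[\s*(?P<host>[^\]]+?)\s*\]")

def parse_show_version(text: str) -> Dict[str, str]:
    """Turn the key : value lines into a dict, then derive 'version', 'build'
    and 'hostname' from the Model line and the bracketed banner."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' separates key and value
        info[key.strip()] = value.strip()
    m = _VERSION_RE.search(info.get("Model", ""))
    if m:
        info["version"], info["build"] = m.group("version"), m.group("build")
    banner = _BANNER_RE.search(text)
    if banner:
        info["hostname"] = banner.group("host")
    return info

def version_drift(fmc: Dict[str, str], sensors: List[Dict[str, str]]) -> List[str]:
    """List sensors whose software build or VDB differs from the FMC.
    `fmc` holds the Help > About values: {'version', 'build', 'vdb'}."""
    findings: List[str] = []
    for s in sensors:
        host = s.get("hostname") or s.get("UUID", "unknown")
        if (s.get("version"), s.get("build")) != (fmc["version"], fmc["build"]):
            findings.append(f"{host}: software {s.get('version')} build {s.get('build')} "
                            f"differs from FMC {fmc['version']} build {fmc['build']}")
        if s.get("VDB version") != fmc["vdb"]:
            findings.append(f"{host}: VDB {s.get('VDB version')} differs from FMC VDB {fmc['vdb']}")
    return findings

if __name__ == "__main__":
    sensor = parse_show_version(SAMPLE_SHOW_VERSION)
    fmc_about = {"version": "6.2.3", "build": "20", "vdb": "290"}  # as read from Help > About
    print(sensor)
    print(version_drift(fmc_about, [sensor]) or "all sensors in sync with the FMC")
```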

Secure Firewall Device Administration

To begin configuring a new Cisco Secure Firewall Threat Defense (FTD) device, you must first establish basic network settings via the CLI. This includes assigning an IP address, subnet mask, and default gateway to the management interface. Use the following command:

configure network ipv4 manual 192.168.1.46 255.255.255.0 192.168.1.254

After setting up the basic management IP configuration, the next step is to associate the FTD with its management platform—the Cisco Firepower Management Center (FMC). This is done by specifying the FMC’s IP address and a shared registration key. The command below accomplishes this:

configure manager add 192.168.1.100 ISEc0ld

Once the FTD is successfully added in FMC, you can customize device-specific settings by navigating to the Devices > Device Management section in the FMC interface. Click the pencil icon to access settings such as the device hostname, license options, and system health policies.

Within the device view, you can manage and apply licenses for various protection services such as Control, Malware, URL Filtering, and VPN. You can also issue shutdown or restart commands for the sensor (sensor shutdown -h for halt or sensor shutdown -r for reboot). To monitor applied health policies, click on the linked title of the Health Policy.

A critical performance-related feature is Automatic Application Bypass (AAB). AAB allows the system to bypass inspection if packet processing is delayed beyond a configured threshold. If enabled, and the sensor detects that Snort processing exceeds this threshold (e.g., 3000 ms), it will terminate all Snort processes and restart the inspection engine to avoid further delay. Generated Snort cores are stored in the /var/common directory for analysis.

Other configurable settings accessible from the device view include:

  • Devices – For general device management.
  • Interfaces – Manage and enable interfaces individually.
  • Inline Sets – Group Layer 2 interfaces for inline traffic inspection. Key settings include:
    • Link state propagation, which mirrors link status across interfaces in the pair.
    • Strict TCP enforcement, mimicking stateful inspection behavior.
    • TAP mode, useful for passive monitoring without packet modification.
  • Routing – Static and dynamic routing configuration.
  • DHCP – Configure dynamic IP addressing if required.
  • VTEP – Configure VXLAN and Geneve interfaces.

After configuring the desired settings, it’s important to deploy the configuration. Click the Deploy button at the top right of the FMC interface. This action applies your changes to the managed device. The deployment process typically takes from a few seconds to a couple of minutes, during which a summary of pending changes is displayed for review.

License Verification in the FMC

Managing licenses in Cisco Secure Firewall Management Center (FMC) is a critical step in ensuring your deployment has access to the right features, including advanced threat detection, URL filtering, and AnyConnect VPN capabilities.

To verify active Smart Licenses on the FMC, navigate to System > Licenses > Smart Licenses.

This section displays all Smart License entitlements, including license types, status, expiration periods, and whether export-controlled features are enabled. You can also see your assigned virtual account and whether Cisco Network Participation is enabled. Common Smart License types include:

  • Firewall Management Center Virtual
  • Essentials
  • Malware Defense
  • IPS
  • URL
  • Carrier
  • Secure Client Premier, Advantage, VPN Only

To confirm which licenses are actively being assigned to each Secure Firewall Threat Defense (FTD) device, go to Devices > Device Management. The licensing information is visible directly in the device list, showing what features are enabled on each unit. This is useful for correlating applied licenses with operational policies such as malware inspection or access control enforcement.

For deeper license configuration, click the pencil icon next to a device. On the Device tab, you’ll see a breakdown of all enabled and disabled license features:

  • Essentials: Required for all deployments
  • Malware Defense: Enables advanced malware protection (AMP)
  • IPS: Provides intrusion detection and prevention
  • Carrier: Enables carrier features, allowing inspection of the Diameter, GTP/GPRS, and SCTP protocols
  • URL: Supports content filtering and category-based restrictions
  • Secure Client Licenses: Optional, depending on VPN requirements

From here, you can add or remove licenses as needed by editing the configuration.

Monitoring FMC System Performance: CPU and Memory Usage

To keep your Cisco Secure Firewall Management Center (FMC) operating efficiently, it’s important to monitor its system performance, especially CPU and memory usage. The FMC offers built-in dashboards that provide a clear overview of current resource consumption, allowing administrators to identify bottlenecks and plan for capacity.

To view this data, navigate to Overview > Dashboards > Summary Dashboard > Status within the FMC interface. This will bring up the Summary Dashboard, which provides system health information at a glance.

In the System Load panel, you’ll find real-time statistics on each CPU core’s utilization, memory usage, and the average system load. This data is presented in graph format over the past hour and shows the current usage for:

  • CPU Cores (0–7): Useful for understanding processing load distribution
  • Memory: Displays overall RAM utilization as a percentage
  • Load Average: A combined metric summarizing average resource pressure

Alongside this, other widgets display vital appliance details such as:

  • Software and rule update versions
  • VDB (Vulnerability Database) version
  • System time, uptime, and boot time
  • Currently logged-in users and session data

This view helps admins determine whether performance issues are stemming from CPU saturation, memory exhaustion, or abnormal system behavior. If needed, the dashboard can be customized with additional widgets to monitor disk usage, rule update statuses, or even RSS feeds from Cisco Talos for threat intel.

FMC Global Configuration: Managing System-Wide Settings

Cisco Secure Firewall Management Center (FMC) provides a centralized configuration page for managing global system behavior. To access it, navigate to System > Configuration. This section is essential for defining administrative, interface, logging, and security preferences that affect all devices and users managed by the FMC.

  • Access Control Preferences – Track changes to access control rules by allowing or requiring users to comment when they save. You can also configure the FMC to evaluate and optimize the network/host objects used in rules when it creates the associated network object groups on the device.
  • Access List – The ACL that controls which source IPs may reach the FMC interface and over which ports. Restrict SSH, HTTPS, and SNMP access to specific IPs here.
  • Audit Log – Enable the audit log, send it to a syslog server, and configure the structure of those syslog messages.
  • Audit Log Certificate – Enable TLS and mutual authentication for audit log streaming. You can generate a Certificate Signing Request (CSR) from this page and import an audit client certificate.
  • Change Management – Configure audit tracking and official approval of changes before they are made.
  • Change Reconciliation – Configure change reconciliation, including the time to run, the email address that receives the change report, whether to include policy configuration information in that email, and whether to show the full change history.
  • DNS Cache – Enable DNS resolution caching and set the cache timeout.
  • Dashboard – Whether to enable custom analysis widgets. Enabled by default.
  • Database – Configure the maximum number of events the FMC will store, granularly per event type.
  • Email Notification – Configure the mail relay host information for your SMTP server.
  • External Database Access – Allow and configure external database access.
  • HTTPS Certificate – Configure the HTTPS certificate. You can generate a new Certificate Signing Request (CSR) from this page and import an HTTP server certificate.
  • Information – Shows the currently assigned health policy, serial number, and software versions, and lets you change the hostname of the FMC.
  • Intrusion Policy Preferences – Enforce comments on policy changes and choose whether to write the changes to the intrusion policy audit log.
  • Language – Choose the language for the FMC.
  • Login Banner – Configure a pre-login banner on the FMC for both the GUI and the CLI.
  • Management Interfaces – Configure static routes for the FMC, IP addresses on the interfaces, and shared settings such as hostname, domains, DNS server, remote management port, and proxy settings.
  • Manager Remote Access – If the managed devices do not have public IP addresses, enter the management center’s FQDN or public IP address that the devices will use to establish the management connection.
  • Network Analysis Policy Preferences – Enforce comments on policy changes and choose whether to write NAP changes to the audit log.
  • Process – Use the web interface to shut down and restart processes on the management center.
  • REST API Preferences – Enable or disable the REST API. Enabled by default.
  • Remote Storage Devices – Configure remote storage over NFS, SSH, or SMB. None is configured by default.
  • SNMP – Enable SNMP, pick the version, and configure the community strings and/or users. Disabled by default.
  • Session Timeout – Configure the amount of idle time before a user’s login session times out due to inactivity, for both the GUI and the CLI.
  • Time – View the current time settings and whether NTP is synced; nothing can be changed here.
  • Time Synchronization – Enable the FMC to act as an NTP server for the sensors (enabled by default) and choose whether to set the clock manually or via NTP. If you wish to use NTP, configure it here.
  • UCAPL/CC Compliance – Enable either compliance mode. Neither is enabled by default.
  • Upgrade Confirmation – Generates a pending configuration changes report when you complete the next major version upgrade of the management center.
  • User Configuration – Configure settings globally for local user accounts on the FMC, such as the password reuse limit, tracking of successful logins, the maximum number of login failures, the lockout time in minutes, and the maximum number of concurrent sessions allowed.
  • VMware Tools – Enable VMware Tools on the FMCv. Enabled by default on the FMCv.
  • Vulnerability Mapping – Enable specific applications for vulnerability mapping if you choose. Keep the default unless there is a reason to change it.
  • Web Analytics – Choose whether to share usage information with Cisco. Cisco collects non-personally-identifiable usage data, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management center appliances.

Monitoring with FMC Health Policy & Alerts

The Secure Firewall Management Center (FMC) includes a robust Health Policy feature that helps administrators monitor the operational status of both the FMC and managed sensors. This functionality ensures visibility into system performance and alerts you when critical thresholds are reached, helping to maintain network reliability and security posture.

To configure a Health Policy, navigate to System > Health > Policy within the FMC interface.

Begin by creating a new policy using the Create Policy button. When prompted, you can choose to base your new policy on an existing one, such as the default health policy, or start from scratch. You’ll then assign a name to your policy and optionally provide a description to clarify its purpose or scope.

Once the new Health Policy is created, it will appear in the policy list. Click the pencil icon next to the policy name to open it for editing. This is where the true customization begins. From the edit screen, you can define specific parameters for monitoring, such as what metrics to watch (e.g., CPU usage, disk status, memory consumption), how often checks should run, and what thresholds should trigger alerts.

The policy configuration interface is split into categories, including:

  • Appliance/Hardware
    • Appliance Heartbeat – Monitors whether the attached appliances are alive and connected to the management center.
    • File System Integrity Check – Runs FSIC if the system has CC/UCAPL enabled or runs an image signed with a DEV key.
    • Hardware Statistics – Monitors hardware statistics such as fan speed and temperature.
  • CPU – Collects CPU statistics
    • CPU Core Usage – Monitors CPU usage on all cores; the threshold set here applies to all cores
  • Database
    • Database – Database and EO Integrity Check
    • MariaDB Statistics – Collects statistics of MariaDB database
  • Discovery
    • Discovery Host Limit – Monitors discovery host limit usage
    • User Agent Status (deprecated)
  • Disk
    • Disk Status – Monitors disk status, generates an alert for disk failures
    • Disk Usage – Monitors disk usage
  • Event
    • Event Monitor – Monitors overall incoming event rate
    • eStream Status – Monitors the status of the eStream
  • Health Monitoring 
    • Event Backlog Status – Monitors backlog status of health events, generates an alert if the event backlog is more than an hour
    • Health Monitor Process – Monitors the status of the Health Monitor itself, generates an alert if no health events generated within the configured duration
  • High Availability 
    • Firewall Management Center HA Status – Monitor Firewall Management Center HA and sync status
    • Firewall Threat Defense HA (Split-brain check) – Monitors Firewall Threat Defense HA for split-brain (Both HA members are in active state)
  • Integration 
    • CSDAC Dynamic Attributes Connector – Monitors Dynamic Attributes Connector status
    • ISE Connection Monitor – Monitors ISE connection status
    • Passive Identity Agent Monitor – Monitors the status of Passive AD Agents
    • Realm – Monitors the number of unrecognized user/domain sessions, generates an alert when percentage of unrecognized sessions goes beyond the configured threshold.
  • Malware
    • AMP for Endpoints Status
    • AMP for Firepower Status
    • Local Malware Analysis – Monitors ClamAV updates for Local Malware Analysis
  • Memory – Collects memory statistics
    • Health Alerts – Enable or disable health alerts for specific memory metrics with custom thresholds
    • Memory Usage – Monitors overall memory usage and tracks ACE usage against platform limits if OGS is configured. The recommended warning and critical thresholds should not exceed 88% and 90% respectively
  • Network Card/Interface 
    • Interface Statistics – Monitors interface traffic
  • Processes
    • Critical Process Statistics – Monitors the state of critical processes, their resource consumption and restart counts
    • Process Status – Monitor daemon processes
    • RRD Server Process – Monitors the status of the rrd_server process
    • RabbitMQ Statistics – Collects statistics of RabbitMQ
    • Time Series Data (RRD) Monitor – Monitors time series data collection by RRD process
    • Web Server Connection Statistics – Monitors concurrent connections to web server per IP address
  • Threat Data Updates
    • Security Intelligence – Monitors updates for Security Intelligence data
    • Threat Data Updates on Devices – Alerts if threat intelligence data on managed devices is not updated
    • URL Filtering Monitor – Monitors updates for URL filtering data
  • Time Synchronization
    • Time Server Status – Monitors configuration of the NTP server. Raises an alert when NTP server is unavailable or invalid
    • Time Synchronization Status – Monitors the time difference of managed devices
  • Smart License Monitor – Monitors Smart Licensing Status
  • Talos Connectivity Status – Monitors Talos Connectivity status
  • Unresolved Groups Monitor – Monitor Unresolved Groups used in Policies
  • Zero-Touch Provisioning – Monitors Zero-Touch Provisioning

Each category allows you to specify run intervals (in minutes) and set alert conditions that suit your operational requirements. For example, you might configure alerts to notify you if disk usage exceeds 85% or if a failover condition is detected on a sensor.

By tailoring these settings, you can proactively identify and address issues within your Secure Firewall deployment, minimizing downtime and ensuring high availability. The modular nature of the policy makes it suitable for both large enterprise networks and smaller-scale deployments that still demand reliability and insight.

After you create your policy, you can choose to apply it to a device by clicking on the Deploy Health Policy button next to the device.

If you would like to view the health events after a policy is saved, navigate to System > Health > Events.

You may also view a real-time Health Monitoring Dashboard of the management appliance or a firewall by navigating to System > Health > Monitor.

Creating Health Monitor Alerts

To create alerts based on your Health Policy to notify you of any changes, navigate to System > Health > Monitor Alerts.

This is where you can choose which modules to alert on and what severity to alert on. If you have email, SNMP, or Syslog enabled, you can create an alert using it by clicking the Add button on this screen.

If you don’t have syslog, email, or SNMP enabled, click the Alerts link to the right of the Alert field.

You will be taken to the Policies > Actions > Alerts screen, where you can click the Create Alert button to create a new alert for email, SNMP, or syslog.

Health Monitor Alert Exclusions

You also have the option to exclude a health event on a certain device by navigating to System > Health > Exclude.

Click the Add Device button to add the device to exclude.

Select the device you would like to exclude and click the Exclude button.

Click the pencil to edit which events to exclude.

You can then choose the exclusion period and click on the enable module level exclusion link to pick specific modules to exclude.