Cisco Defense Orchestrator

Onboard an FTD HA Pair with a Registration Key

Onboarding Prerequisites for Customers Running FTD Version 6.4 or 6.5

  • Onboarding devices that are running FTD Version 6.4 with a registration key is only supported for the US region (defenseorchestrator.com). To connect to the EU region (defenseorchestrator.eu), customers running Version 6.4 must onboard their High Availability (HA) pair with username, password, and IP address.
  • Customers running FTD release 6.5 or later and connecting to the US, EU, or APJC region can use this method of onboarding.
  • Devices running FTD software version 6.4 and 6.5 must not be registered with Cisco Smart Software Manager before onboarding them with a registration key. You will need to unregister the smart licenses of those FTDs before onboarding them to CDO. See "Unregistering a Smart-licensed FTD" below.

Before You Begin 

Before you onboard your FTD High Availability (HA) pair, be sure both devices meet the following requirements:

  • Your HA pair is already formed prior to onboarding to the Defense Orchestrator.
  • Both devices are in a healthy state. The pair can be in either primary/active and secondary/standby mode or primary/standby and secondary/active mode. Unhealthy devices will not successfully sync to CDO.
  • Your HA pair is managed by Firepower Device Manager (FDM), not a Firepower Management Center (FMC).
  • Review Connect Cisco Defense Orchestrator to Your Managed Devices for the networking requirements needed to connect CDO to your FTD HA pair.
  • Both devices of an HA pair must be licensed with the same license. The devices may be using a 90-day evaluation license.

Warning: If you already have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you will not be able to see your device’s events in SecureX or benefit from other SecureX features. We strongly recommend merging your accounts before you create a CDO module in SecureX. Your accounts can be merged through the SecureX portal. See Merge Accounts for instructions.

Onboard an FTD HA Pair Running Version 6.4 or Version 6.5

To onboard an FTD HA pair running Version 6.4 or 6.5, first onboard one of the peer devices. It does not matter if you onboard the active or standby, the primary or secondary device. 

Note: If you onboard either device of an HA pair with a registration key, you must onboard the other peer device using the same method.

Use the following steps to onboard an HA pair running Version 6.4 or 6.5:

  1. Onboard a peer device. See Onboard an FTD Running Software Version 6.4 or 6.5 Using a Registration Key to onboard the first device within the pair.
  2. Navigate to the Devices & Services page. Once the device is synced, select the device so it is highlighted. In the action pane located directly below Device Details, click Onboard Device.
  3. Enter the HA Peer Device Name for the peer device that has already been onboarded. Click Next.
  4. If you provided a smart license for the first device, CDO repopulates that license so you can use it for onboarding this current device. Click Next.

     Note: If you unregistered your device's Smart License to onboard your FTD, this is where you re-apply the smart license.

  5. CDO automatically generates the registration key for the device you are preparing to onboard. Click the Copy icon to copy the registration key.
  6. Log into the FDM UI of the FTD you are onboarding.
  7. In System Settings, click Cloud Services.
  8. In the Cisco Defense Orchestrator tile, click Get Started.
  9. In the Registration Key field, paste the registration key that you generated in CDO.
  10. In the Region field, select the Cisco cloud region that your tenant is assigned to:
     • If you log in to defenseorchestrator.com, choose US.
     • If you log in to defenseorchestrator.eu, choose EU.
     • If you log in to apj.cdo.cisco.com, choose APJ.

     Note: This step is not applicable to an FTD device running software version 6.4.

  11. Click Register and then Accept the Cisco Disclosure.
  12. Return to CDO and, in the Create Registration Key area, click Next.
  13. Click Go to Devices & Services. CDO automatically onboards the device and combines the two peers into a single entry. As with the first peer device you onboarded, the device status changes from "Unprovisioned" to "Locating" to "Syncing" to "Synced."

 

Onboard an FTD HA Pair Running Version 6.6 or Version 6.7 and later

To onboard an FTD HA pair running Version 6.6 or 6.7, you must first onboard one of the peer devices. It does not matter if you onboard the active or standby, the primary or secondary device. 

Note: If you onboard either device of an HA pair with a registration key, you must onboard the peer device using the same method.

Use the following steps to onboard an HA pair running Version 6.6 or 6.7:

  1. Onboard a peer device. See Onboard an FTD Running Software Version 6.6+ Using a Registration Key for more information.
  2. Navigate to the Devices & Services page. Once the device is synced, select the device so it is highlighted. In the action pane located directly below Device Details, click Onboard Device.
  3. Enter the HA Peer Device Name for the peer device that has already been onboarded. Click Next.
  4. If you provided a smart license for the first device, CDO repopulates that license so you can use it for onboarding this current device. Click Next.
  5. CDO automatically generates the registration key for the device you are preparing to onboard. Click the Copy icon to copy the registration key.
  6. Log into the FDM UI of the FTD you want to onboard to CDO.
  7. Under System Settings, click Cloud Services.
  8. In the Enrollment Type area, click Security/CDO Account.

     Note: For devices running Version 6.6, the Tenancy tab for CDO is titled Security Account, and you must manually enable CDO in the FDM UI.

  9. In the Region field, select the Cisco cloud region that your tenant is assigned to:
     • If you log in to defenseorchestrator.com, choose US.
     • If you log in to defenseorchestrator.eu, choose EU.
     • If you log in to apj.cdo.cisco.com, choose APJ.
  10. In the Registration Key field, paste the registration key that you generated in CDO.
  11. For devices running FTD 6.7 or later, in the Service Enrollment area, check Enable Cisco Defense Orchestrator.
  12. Review the information about the Cisco Success Network Enrollment. If you do not want to participate, uncheck the Enroll Cisco Success Network checkbox.
  13. Click Register and then Accept the Cisco Disclosure. FDM sends the registration request to CDO.
  14. Return to CDO and, in the Create Registration Key area, click Next.
  15. In the Smart License area, either apply a smart license to the FTD device and click Next, or click Skip to continue onboarding with a 90-day evaluation license or if the device is already smart-licensed. For more information, see Applying or Updating a Smart License.

     Note: If your device is running Version 6.6, you need to manually enable communication to CDO. From the device's FDM UI, navigate to System Settings > Cloud Services and, in the Cisco Defense Orchestrator tile, click Enable.

  16. Return to CDO and click Go to Devices & Services. CDO automatically onboards the device and combines the two peers into a single entry. As with the first peer device you onboarded, the device status changes from "Unprovisioned" to "Locating" to "Syncing" to "Synced."

 
