There are different methods of onboarding an Firepower Threat Defense (FTD) device. We recommend using the registration key method. See Connect Cisco Defense Orchestrator to Your Managed Devices for more information about what network access is required for CDO to manage your device.
Onboarding an FTD with a Serial Number
This procedure is a simplified method of onboarding the Firepower 1000 or 2100 series physical devices running FTD software version 6.7 or later. To onboard the device, you need the chassis serial number or PCA serial number of the device and ensure that the device is added to a network that can reach the Internet. FTD devices onboarded using their serial number do not require a Secure Device Connector to connect your tenant.
You can onboard new factory-shipped devices or already configured devices to CDO.
See Onboard a Firepower Threat Defense using Device Serial Number for more information.
Onboarding an FTD with a Registration Key
We recommend onboarding FTD devices with a registration key. This is beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO if you have onboarded it with a registration key. FTD devices onboarded using a registration key do not require a Secure Device Connector to connect your tenant.
See these topics:
Onboarding an FTD Device Using Credentials
You can onboard an FTD using device credentials and the IP address of the device's outside, inside, or management interface depending on how the device is configured in your network. See Device Addressing later in this article.
CDO needs HTTPS access to the FTD in order to manage it. How you allow HTTPS access to the device depends on how your FTD is configured in your network and whether you onboard the device using a Secure Device Connector or a Cloud Connector.
Note: If you connect to https://www.defenseorchestrator.eu, and you are using FTD software version 6.4, you must onboard an FTD with this method. You cannot use onboard a Firepower Threat Defense device using a registration key.
When using device credentials to connect CDO to a device, it a best practice to download and deploy a Secure Device Connector (SDC) in your network to manage the communication between CDO and the device. Typically, these devices are non-perimeter based, do not have a public IP address, or have an open port to the outside interface. The FTD, when onboarded with credentials, can be onboarded to CDO using an SDC.
Note that customers also using the FTD as the head-end for VPN connections will not be able to use the outside interface to manage their device.
Onboarding an FTD HA Pair
You can onboard an FTD high availability pair that has been formed outside of CDO using their serial numbers, the registration key method, or the credentials method. Onboard one peer device and CDO automatically detects that it's paired with another device. CDO streamlines the onboarding process for the other peer device using the credentials or key that you have already provided and combines the pair into a single entry in the Devices & Services page. FTD devices onboarded using a registration key or serial number do not require an SDC to connect to your tenant.
See Onboard an FTD HA Pair with a Registration Key and Onboard an FTD HA Pair using Username, Password, and IP Address for more information.
FTD Configuration Prerequisites for Onboarding
FTD Device Management
You can only onboard FTD devices that are being managed by Firepower Device Manager (FDM). These FTD's must also be configured for local management. FTD's being managed by Firepower Management Center (FMC) cannot be managed by CDO.
If the device is not configured for local management, you must switch to local management before onboarding the device. See the Switching Between Local and Remote Management chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
The device must have at least a base license installed before it can be onboarded to CDO although you can have a Smart License applied in some circumstances.
|Onboarding Method||FTD Software Version||90-day Evaluation licensed allowed?||Can the device already be smart-licensed before onboarding?||Can the device already be registered with Cisco Cloud Services before onboarding?|
|Credentials (user name and password)||All||Yes||Yes||Yes|
|Registration Key||6.4 or 6.5||Yes||No. Unregister the smart license and then onboard the device.||N/A|
|Registration Key||6.6 or later||Yes||Yes||No. Unregister the device from Cisco Cloud Services and then onboard the device.|
|Low Touch Provisioning||6.7 or later||Yes||Yes||Yes|
|Onboarding a device with a Serial Number||6.7 or later||Yes||Yes||Yes|
It is a best practice that the address you use to onboard the FTD device is a static address. If the device's IP address is assigned by DHCP, it would be optimal to use a DDNS (dynamic domain name system) to automatically update your FTD's domain name entry with the new IP address of the device if it changes.
Note: FTD does not natively support DDNS; you must configure your own DDNS.
Important: If your device gets an IP address from a DHCP server, and you do not have a DDNS server updating the FTD's domain name entry with any new IP addresses, or your FTD receives a new address, you can change the IP address CDO maintains for the device and then reconnect the device. Better still, onboard the device with a registration key.