Skip to main content



Cisco Defense Orchestrator

Onboard an FTD

There are two methods of onboarding an Firepower Thread Defense device: through the username and password affiliated with the device or through the device's registration key . We strongly recommend using the registration key method. 

Onboard an FTD with a Registration Key

We strongly recommend onboarding FTD devices with a registration key. You can onboard your FTD device using a registration key rather than using an IP address, username, and password. This is especially beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. See these topics:

Onboard an FTD Device Using Username, Password, and IP Address

You can onboard an FTD using the device's administrator username and password, and the IP address of the device's outside, inside, or management interface depending on how the device is configured in your network. See Device Addressing later in this article. 

CDO needs HTTPS access to the FTD in order to manage it. How you allow HTTPS access to the device depends on how your FTD is configured in your network and whether your Secure Device Connector is installed on-premise or in the cloud.

Note: If you connect to, and you are using FTD software version 6.4, you must onboard an FTD with this method. You cannot use onboard a Firepower Threat Defense device using a registration key.

Users with a cloud SDC may allow management access to the FTD's outside interface. Users with an on-premise SDC can manage their FTD using the inside or management interface. Note that customers also using the FTD as the head-end for VPN connections will not be able to use the outside interface to manage their device. 

See Connect Cisco Defense Orchestrator to the Secure Device Connector for more information about how to connect CDO to your SDC and what network access needs to be allowed.

Configuration Prerequisites

FTD Device Management

Important: You can only onboard Firepower Threat Defense (FTD) devices that are being managed by Firepower Device Manager (FDM). These FTD's must also be configured for local management. FTD's being managed by Firepower Management Center (FMC) cannot be managed by CDO. 

If the device is not configured for local management, you must switch to local management before onboarding the device. See the Switching Between Local and Remote Management chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version the device runs. 


The device must have at least a base license installed before it can be onboarded to CDO although you can have a Smart License applied in some circumstances.

Onboarding Method FTD Software Version 90-day Evaluation licensed allowed? Can the device already be smart-licensed before onboarding? Can the device already be registered with Cisco Cloud Services before you onboarding?
Credentials (user name and password)  All Yes Yes Yes
Registration Key 6.4 or 6.5 Yes No. Unregister the smart license and then onboard the device.  N/A
Registration Key 6.6+ Yes Yes No. Unregister the device from Cisco Cloud Services and then onboard the device.

 See Cisco Firepower System Feature Licenses for more information.

Device Addressing

It is a best practice that the address you use to onboard the FTD device is a static address. If the device's IP address is assigned by DHCP, it would be optimal to use a DDNS (dynamic domain name system) to automatically update your FTD's domain name entry with the new IP address of the device if it changes.

Note: FTD does not natively support DDNS; you must configure your own DDNS.

Important: If your device gets an IP address from a DHCP server, you do not have a DDNS server updating the FTD's domain name entry with any new IP addresses, or your FTD receives a new address, you can change the IP address CDO maintains for the device and then reconnect the device


Related Topics