This article explains the prerequisites for onboarding a Firepower Threat Defense (FTD) device to CDO.
CDO needs HTTPS access to the Firepower Threat Defense (FTD) device in order to manage it. How you allow HTTPS access to the device depends on how your FTD is configured in your network and whether your Secure Device Connector is installed on-premise or in the cloud.
Users with a cloud SDC may allow management access to the FTD's outside interface. Users with an on-premise SDC can manage their FTD using the inside or management interface.
Note: Customers also using the FTD as the head-end for VPN connections will not be able to use the outside interface to manage their device.
See Connect Cisco Defense Orchestrator to the Secure Device Connector for more information about how to connect CDO to your SDC and what network access needs to be allowed.
Methods of Onboarding an FTD
There are two methods of onboarding an FTD:
- Onboard a Firepower Threat Defense Device Using Username, Password, and IP Address. You can onboard an FTD using the device's administrator username and password, and the IP address of the device. The IP address can be the FTD's outside address, an inside address, or the management address, depending on how the device is configured in your network. See Device Addressing later in this article.
- Onboard a Firepower Threat Defense Device with a Registration Token. You can onboard your FTD device using a registration token rather than using an IP address, username and password. This is especially beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO.
Device Platform Requirements
You can onboard to CDO a Firepower Threat Defense firewall running on any of these hardware platforms:
- ASA 5508-x, ASA 5515-x, ASA 5516-x, ASA 5525-x, ASA 5545-x, ASA 5555-x
- Firepower 1000 series
- Firepower 2100 Series
Virtual Machine Requirements
You can onboard to CDO a virtual FTD installed on a VMware or KVM hypervisor.
You can onboard an FTD device running Firepower Threat Defense software version 6.4.0 or 6.4.0.x.
FTD Device Configuration Before Onboarding
FTD Device Management
You can only onboard Firepower Threat Defense (FTD) devices that are being managed by Firepower Device Manager (FDM). These FTDs must also be configured for local management. FTDs being managed by Firepower Management Center (FMC) cannot be managed by CDO.
If the device is not configured for local management, you must switch to local management before onboarding the device. See the Switching Between Local and Remote Management chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.4.0 or 6.4.0.x.
The device must be licensed before it is onboarded. It can be using a 90-day evaluation license or a Cisco Smart License. See Cisco Firepower System Feature Licenses for more information.
It is a best practice that the address you use to onboard the FTD device is a static address. However, if the address is assigned by DHCP, it is best to use DDNS (dynamic DNS) to automatically update your FTD's domain name entry with the device's new IP address whenever it changes.
Note: FTD does not natively support DDNS, so you would need to configure your own DDNS.
Important: If your device gets its IP address from a DHCP server, no DDNS server is updating the FTD's domain name entry with new IP addresses, and your FTD receives a new address, you can change the IP address that CDO maintains for the device and then reconnect the device.
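The two pre-onboarding checks described above (which interface the SDC can reach over HTTPS, and whether the address CDO holds for a DHCP-assigned device has gone stale) can be scripted before you start the onboarding wizard. The following is an added example and is not Cisco or CDO code; the host names, addresses and the `sdc_location` / `vpn_headend` parameters are constructed for illustration. The HTTPS probe disables certificate verification only because FDM ships with a self-signed certificate; it returns the SHA-256 fingerprint of the presented certificate so you can confirm against the device that the expected FTD answered, rather than trusting the connection blindly.

```python
"""Pre-onboarding checks for an FDM-managed FTD (added example, not Cisco code)."""
import hashlib
import socket
import ssl
from typing import List, Optional, Tuple


def choose_management_interface(sdc_location: str, vpn_headend: bool) -> List[str]:
    """Return the FTD interfaces CDO may use for HTTPS management.

    Cloud SDC: the outside interface, unless the FTD is also the VPN head-end,
    in which case the outside interface is not usable and the list is empty.
    On-premise SDC: the inside or the management interface.
    """
    if sdc_location == "cloud":
        return [] if vpn_headend else ["outside"]
    if sdc_location == "on-premise":
        return ["inside", "management"]
    raise ValueError(f"unknown SDC location: {sdc_location!r}")


def reconcile_address(device_ip: str, dns_ip: Optional[str], cdo_ip: str) -> str:
    """Compare the address the device currently has with the DNS record
    (None when no DDNS name is used) and with the address CDO maintains.

    'dns-stale': DDNS has not updated the FTD's domain name entry.
    'cdo-stale': change the IP address CDO holds for the device, then reconnect.
    'ok':        everything agrees; no action needed.
    """
    if dns_ip is not None and dns_ip != device_ip:
        return "dns-stale"
    if cdo_ip != device_ip:
        return "cdo-stale"
    return "ok"


def https_probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, Optional[str]]:
    """Open a TLS connection to the FDM HTTPS interface.

    Returns (reachable, sha256 fingerprint of the server certificate).
    Verification is disabled because FDM uses a self-signed certificate;
    the operator compares the fingerprint with the one shown on the device.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return False, None
    return True, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Constructed values: an on-premise SDC reaching a DHCP-addressed FTD
    # whose DDNS record has been updated but whose CDO entry has not.
    print("usable interfaces:", choose_management_interface("on-premise", vpn_headend=True))
    print("address state:", reconcile_address("192.0.2.20", "192.0.2.20", "192.0.2.10"))
    reachable, fingerprint = https_probe("ftd.example.invalid", timeout=2.0)
    print("HTTPS reachable:", reachable, "cert sha256:", fingerprint)
```

Run `reconcile_address` with the address the device shows in FDM, the result of resolving the DDNS name (or `None` if you onboard by IP), and the address recorded in CDO; a `cdo-stale` result is exactly the situation the note above describes, where you update the address in CDO and reconnect.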
Completed FTD Device Configuration
You should have completed the FTD initial setup wizard. See the chapter "Firepower Threat Defense Deployment with FDM" in the "Getting Started Guide" for the device you want to onboard or "Firepower Threat Defense Virtual (using Firepower Device Manager)" for virtual devices.
- Onboard a Firepower Threat Defense Device Using Username, Password, and IP Address
- Onboard a Firepower Threat Defense Device with a Registration Token