This procedure describes how to onboard a Firepower Threat Defense (FTD) device using a registration key. This method is the recommended way of onboarding the FTD device to CDO and is beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. Additionally, your FTD can have an address on your local area network, and as long as it can access the outside network, it can be onboarded to CDO using this method.
Warning: If you already have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you will not be able to see your device’s events in SecureX or benefit from other SecureX features. We strongly recommend merging your accounts before you create a CDO module in SecureX. Your accounts can be merged through the SecureX portal. See Merge Accounts for instructions.
- For customers running FTD release 6.4, this method of onboarding is only supported for the US region (defenseorchestrator.com).
- Customers running FTD release 6.4 and connecting to the EU region (defenseorchestrator.eu) must onboard their device with username, password, and IP address.
- Customers running FTD release 6.5 or later, and connecting to the US, EU, or APJC (apj.cdo.cisco.com) region, can use this method of onboarding.
- Make sure your device is managed by Firepower Device Manager (FDM), not Firepower Management Center (FMC).
- Devices running FTD software version 6.4 and 6.5 must not be registered with Cisco Smart Software Manager before onboarding them with a registration key. You will need to unregister the smart licenses of those FTDs before onboarding them to CDO. See "Unregistering a Smart-licensed FTD" below.
- The device may be using a 90-day evaluation license.
- Log in to the FTD's FDM and make sure that there are no pending changes waiting on the device.
- Make sure DNS is configured properly on your FTD device.
- Make sure the time services are configured properly on the FTD device.
- Make sure the FTD device shows the correct date and time; otherwise, the onboarding will fail.
- Review Connect Cisco Defense Orchestrator to the Secure Device Connector.
Unregistering a Smart-licensed FTD
If the device you want to onboard is running FTD software version 6.4 or 6.5, and is already smart-licensed, the device is likely to be registered with Cisco Smart Software Manager. You must unregister the device from Cisco Smart Software Manager before you onboard it to CDO with a registration key. When you unregister, the base license and all optional licenses associated with the device are freed in your virtual account.
After unregistering the device, the current configuration and policies on the device continue to work as-is, but you cannot make or deploy any changes.
- Log on to the FTD using FDM.
- Click the device icon in the FDM menu.
- In the Smart License area, click View Configuration.
- Click the Go to Cloud Services gear menu and select Unregister Device.
- Read the warning and click Unregister to unregister the device.
To onboard an FTD using a registration key, follow this procedure:
- Log in to CDO.
- In the navigation pane, click Devices & Services and click the blue plus button to Onboard a device.
- Click FTD.
Important: When you attempt to onboard an FTD device, CDO prompts you to read and accept the Firepower Threat Defense End User License Agreement (EULA), which is a one-time activity in your tenant. Once you accept this agreement, CDO doesn't prompt it again in subsequent FTD onboarding. If the EULA agreement changes in the future, you must accept it again when prompted.
- On the Onboard FTD Device screen, click Use Registration Key.
- In the Device Name step:
- Select the Secure Device Connector (SDC) that this device will communicate with. The default SDC is displayed but you can change it by clicking the SDC name.
- Enter the device name in the Device Name field. This could be the hostname of the device or any other name you choose.
Important: If you already have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Your accounts can be merged through the SecureX portal. See Merge Your CDO and SecureX Accounts for instructions. Until your accounts are merged, you will not be able to see your device’s events in SecureX or benefit from other SecureX features.
- In the Database Updates area, the Immediately perform security updates, and enable recurring updates option is enabled by default.
This option immediately triggers a security update as well as automatically schedules the device to check for additional updates every Monday at 2AM. See Update FTD Security Databases and Schedule a Security Database Update for more information.
Note: Disabling this option does not affect any previously scheduled updates you may have configured through FDM.
- In the Create Registration Key area, CDO generates a registration key.
Note: If you move away from the onboarding screen after the key is generated and before the device is fully onboarded, you will not be able to return to the onboarding screen; however, CDO creates a placeholder for that device on the Device & Services page. When you select the device's placeholder, you will be able to see the key for that device in an action pane located to the right.
- Click the Copy icon to copy the registration key.
Note: You can skip copying the registration key and click Next to complete the placeholder entry for the device and register the device later. This option is useful when you're attempting to create the device first and register it later, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
On the Devices & Services page, you will see that the device is now in the connectivity state "Unprovisioned". Copy the registration key appearing under Unprovisioned to Firepower Device Manager to complete the onboarding process.
- Log into the FDM of the FTD you want to onboard to CDO.
- In System Settings, click Cloud Services.
- In the Cisco Defense Orchestrator tile, click Get Started.
- In the Region field, select the Cisco cloud region that your tenant is assigned to:
- If you log in to defenseorchestrator.com, choose US.
- If you log in to defenseorchestrator.eu, choose EU.
- If you log in to apj.cdo.cisco.com, choose APJ.
Note: This step is not applicable to the FTD device running on software version 6.4.
- In the Registration Key field, paste the registration key that you generated in CDO.
- Click Register and then Accept the Cisco Disclosure. FDM sends the registration request to CDO.
- Return to CDO. In the Smart License area, you can apply a smart license to the FTD device and click Next.
Note: If you unregistered your device's Smart License to onboard your FTD, this is where you can re-apply the smart license.
For more information, see Applying or Updating a Smart License.
You can also click Skip to continue the onboarding with a 90-day evaluation license.
- Return to CDO, open the Devices & Services page and see that the device status progresses from "Unprovisioned" to "Locating" to "Syncing" to "Synced."
If you are onboarding an FTD HA pair, you must onboard the peer device to CDO as well. See step 2 in Onboard an FTD HA Pair with a Registration Key for more information.
Troubleshooting Device Registration Failure during Onboarding with a Registration Key
Failed to Resolve Cloud Service FQDN
If the device registration fails due to failure in resolving cloud service FQDN, check network connectivity or the DNS configuration and attempt to onboard the device again.
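The prerequisites above (DNS configured, time services configured, correct date and time, no pending changes in FDM) and this FQDN-resolution failure can all be checked before you paste a registration key. The following pre-flight check is an added example and is not part of the Cisco documentation or CDO/FDM software. It assumes the region portal hostnames listed on this page stand in for the cloud service FQDN the device must resolve (the page does not name the actual FQDN, so substitute the one your deployment uses), and it takes the device's reported time and pending-change state as inputs because those are read from FDM rather than queried by this script.

```python
"""Pre-onboarding readiness check for an FDM-managed FTD.

Added example, not Cisco code. Checks the conditions the onboarding
procedure lists as prerequisites and maps them to the failure modes
described in the troubleshooting section.
"""
import socket
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Region portal hostnames from the page, used here as the names to resolve.
# ASSUMPTION: the real cloud-service FQDN the device contacts is not named on
# the page; replace these with the FQDN your deployment uses.
CLOUD_FQDN_BY_REGION = {
    "US": "defenseorchestrator.com",
    "EU": "defenseorchestrator.eu",
    "APJ": "apj.cdo.cisco.com",
}

# Maximum clock skew tolerated before the device is flagged. Chosen for this
# example; the page only says the date and time must be correct.
MAX_CLOCK_SKEW = timedelta(minutes=5)

Resolver = Callable[[str], Optional[str]]


def default_resolver(fqdn: str) -> Optional[str]:
    """Resolve with the system resolver; None means NXDOMAIN/unreachable."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def check_readiness(region: str,
                    device_time: datetime,
                    pending_changes: bool,
                    reference_time: Optional[datetime] = None,
                    resolver: Resolver = default_resolver) -> List[str]:
    """Return a list of blockers; an empty list means the device looks ready.

    region          -- CDO region chosen in FDM (US, EU or APJ)
    device_time     -- the date/time the FTD currently reports (tz-aware)
    pending_changes -- True if FDM shows undeployed changes
    reference_time  -- trusted current time; defaults to this host's UTC clock
    resolver        -- DNS lookup function, injectable for offline testing
    """
    findings: List[str] = []

    # 1. Cloud service FQDN must resolve ("Failed to Resolve Cloud Service FQDN").
    fqdn = CLOUD_FQDN_BY_REGION.get(region.upper())
    if fqdn is None:
        findings.append(
            f"unknown region '{region}'; expected one of {sorted(CLOUD_FQDN_BY_REGION)}")
    elif resolver(fqdn) is None:
        findings.append(
            f"cannot resolve {fqdn}: check DNS configuration and network connectivity")

    # 2. Device clock must be correct, or onboarding fails.
    ref = reference_time or datetime.now(timezone.utc)
    if device_time.tzinfo is None:
        findings.append("device time has no timezone; configure time services and re-check")
    else:
        skew = abs(device_time - ref)
        if skew > MAX_CLOCK_SKEW:
            findings.append(f"device clock off by {skew}: fix date/time before onboarding")

    # 3. No pending changes may be waiting on the device.
    if pending_changes:
        findings.append("pending changes in FDM: deploy or discard them before onboarding")

    return findings


def demo_findings() -> Dict[str, List[str]]:
    """Constructed scenarios (not real devices) exercising each check offline."""
    ref = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed DNS table: only the US name resolves (192.0.2.10 is a
    # documentation/TEST-NET address, not a real CDO endpoint).
    fake_dns = {"defenseorchestrator.com": "192.0.2.10"}
    resolver = lambda name: fake_dns.get(name)
    return {
        "ready": check_readiness("US", ref, False, ref, resolver),
        "bad_dns": check_readiness("EU", ref, False, ref, resolver),
        "skewed_clock": check_readiness("US", ref - timedelta(days=3), False, ref, resolver),
        "pending": check_readiness("US", ref, True, ref, resolver),
    }


if __name__ == "__main__":
    for name, result in demo_findings().items():
        print(f"{name}: {result or 'OK'}")
```

Run it with the real `default_resolver` from a host on the same network segment as the FTD's management interface to see whether the name resolves from there; resolving from an administrator workstation proves nothing about the device's own DNS settings.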
Failed Because of an Invalid Registration Key
Device registration can fail because of an invalid registration key, which may occur when you paste an incorrect registration key in FDM.
Copy the same registration key from CDO again and attempt to register the device. If the device is already smart-licensed, ensure that you remove the smart license before pasting the registration key in FDM.
Failed Because of Insufficient License
If the device connectivity status shows "Insufficient License", do the following:
- Wait for some time until the device attains the license. Typically it takes some time for Cisco Smart Software Manager to apply a new license to the device.
- If the device status doesn’t change, refresh the CDO portal by signing out of CDO and signing back in to resolve any network communication glitch between the license server and the device.
- If the portal refresh doesn’t change the device status, perform the following:
- Generate a new registration key from Cisco Smart Software Manager and copy it. You can watch the Generate Smart Licensing video for more information.
- In the CDO navigation bar, click the Devices & Services page.
- Select the device with the Insufficient License state.
- In the Device Details pane, click Manage Licenses appearing in Insufficient Licenses.
The Manage Licenses window appears.
- In the Activate field, paste the new registration key and click Register Device.
Once the new registration key is applied successfully to the device, its connectivity state turns to Online.