This procedure describes how to onboard a Firepower Threat Defense (FTD) device using a registration token. This method is the recommended way of onboarding the FTD device to CDO and is beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. Additionally, your FTD can have an address on your local area network, and as long as it can access the outside network, it can be onboarded to CDO using this method.
- This method of onboarding is currently available for FTD 6.4 and later releases and to customers connecting to defenseorchestrator.cisco.com.
Note: This method is also available to customers connecting to defenseorchestrator.cisco.eu only from FTD 6.5 and later releases.
- Make sure your device is managed by Firepower Device Manager, not Firepower Management Center.
- Make sure the licenses installed on the device are not registered with Cisco Smart Software Manager. You will need to unregister the FTD if it is already smart-licensed.
- The device may be using a 90-day evaluation license.
- Log in to the FTD's Firepower Device Manager and make sure that there are no pending changes waiting on the device.
- Make sure DNS is configured properly on your FTD device.
- Make sure the time services are configured properly on the FTD device.
- Make sure the FTD device shows the correct date and time; otherwise the onboarding will fail.
- Review Connect to Cisco Defense Orchestrator using Secure Device Connector.
Unregistering a Smart-Licensed FTD
If the FTD is already smart-licensed, the device is likely to be registered with Cisco Smart Software Manager. You will need to unregister the device from Cisco Smart Software Manager before you onboard it to CDO with a registration token. When you unregister, the base license and all optional licenses associated with the device are freed in your virtual account.
After unregistering the device, the current configuration and policies on the device continue to work as-is, but you cannot make or deploy any changes.
- Log on to the FTD using Firepower Device Manager (FDM).
- Click the name of the device in the FDM menu, then click View Configuration in the Smart License summary area.
- From the gear drop-down menu, select Unregister Device.
- Read the warning and click Unregister to unregister the device.
To onboard an FTD using a registration token, follow this procedure:
- Log in to CDO.
- In the navigation pane, click Devices & Services and click the blue plus button to Onboard a device.
- Click the FTD card.
- On the Onboard FTD Device screen, click Use Token.
- In step 1, enter the device name. This could be the hostname of the device or any other name you choose.
- Click Next.
- In step 2, the option Immediately perform security updates, and enable recurring updates is enabled by default.
This option immediately triggers a security update and also automatically schedules the device to check for additional updates every Monday at 2 AM. See Update FTD Security Databases and Schedule a Security Database Update for more information.
Note: Disabling this option does not affect any previously scheduled updates you may have configured through FDM.
- Click Next.
- In step 3, CDO generates a registration token.
Note: If you move away from the onboarding screen after the token is generated and before the device is fully onboarded, you will not be able to return to the onboarding screen; however, CDO creates a placeholder for that device on the Devices & Services page. When you select the device's placeholder, you will be able to see the token for that device on that page.
- Click the Copy icon to copy the registration token.
Note: You can skip copying the registration token and click Next to complete the placeholder entry for the device and register the device later. This option is useful when you're attempting to create the device first and register it later, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
The device is now in the connectivity state "Unprovisioned". Copy the registration key appearing under Unprovisioned to Firepower Device Manager to complete the onboarding process.
- Log in to the Firepower Device Manager (FDM) for the FTD you want to onboard to CDO.
- Under System Settings, click Cloud Services.
- In the Cisco Defense Orchestrator area, expand Get Started.
- In the Registration Key field, paste the registration token that you generated in CDO.
- Click Register and then Accept the Cisco Disclosure. FDM sends the registration request to CDO.
- Click the Task List link to see the progress of the device enrollment.
When the Task List displays the Cloud Service message, "Device has been enrolled," return to the Onboard FTD Device page in CDO.
- In step 3 of the CDO onboarding wizard, CDO polls for the device.
When you see "The device connected successfully" in step 3 of the onboarding wizard, click Next.
Note: After an hour of polling, if the device is not found, you will be given a link to click to refresh the search for another hour.
- In step 4, you can apply a smart-license to the FTD device and click Next. For more information, see Applying or Updating a Smart-License.
You can click Skip to continue the onboarding with a 90-day evaluation license.
- In step 5, click Go to devices page to view the onboarded device.