This procedure describes how to onboard a Firepower Threat Defense (FTD) device using a registration token. This onboarding method is especially beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. Additionally, your FTD can have an address on your local area network, and as long as it can access the outside network, it can be onboarded to CDO using this method.
- This method of onboarding is currently available for FTD 6.4 releases and to customers connecting to defenseorchestrator.cisco.com. It is not yet available for customers connecting to defenseorchestrator.cisco.eu.
- Make sure your device is managed by Firepower Device Manager, not Firepower Management Center.
- Make sure the licenses installed on the device are not registered with Cisco Smart Software Manager. You will need to un-register the FTD if it is already smart-licensed.
- The device may be using a 90-day evaluation license.
- Log in to the FTD's Firepower Device Manager and make sure that there are no pending changes waiting on the device.
- Make sure DNS is configured properly on your FTD device.
- Make sure the time services are configured properly on the FTD device.
- Review Connect to Cisco Defense Orchestrator using Secure Device Connector.
Unregistering a Smart-Licensed FTD
If the FTD is already smart-licensed, the device is likely to be registered with Cisco Smart Software Manager. You will need to unregister the device from Cisco Smart Software Manager before you onboard it to CDO with a registration token. When you unregister, the base license and all optional licenses associated with the device are freed in your virtual account.
After unregistering the device, the current configuration and policies on the device continue to work as-is, but you cannot make or deploy any changes.
- Log on to the FTD using Firepower Device Manager.
- Click the name of the device in the FDM menu, then click View Configuration in the Smart License summary area.
- From the gear drop-down menu, select Unregister Device.
- Read the warning and click Unregister to unregister the device.
To onboard a Firepower Threat Defense Device using a registration token, follow this procedure:
- Log in to CDO.
- In the navigation pane, click Devices & Services, and then click the blue plus button to Onboard a device.
- Click the Firepower Threat Defense Device card.
- On the Onboard FTD Device screen, click Use Token.
- In step 1 of the onboarding wizard, give the device a name. This could be the hostname of the device or any other name you choose.
- Click Next.
- Click Generate Token. CDO generates a registration token.
Note: If you move away from the onboarding screen after the token is generated and before the device is fully onboarded, you will not be able to return to the onboarding screen; however, CDO creates a placeholder for that device on the Devices & Services page. When you select the device's placeholder, you will be able to see the token for that device on that page.
- Click the Copy icon to copy the registration token.
Note: You can skip copying the registration token and click Next and continue creating the device. You should see the device is now in the connectivity state, "Unprovisioned".
Copy the registration key appearing under Unprovisioned to Firepower Device Manager to complete the onboarding process.
- Log into the Firepower Device Manager (FDM) for the Firepower Threat Defense device you want to onboard to CDO.
- Under System Settings, click Cloud Services.
- In the Cisco Defense Orchestrator area, expand Get Started.
- In the Registration Key field, paste the registration token that you generated in CDO.
- Click Register and then Accept the Cisco Disclosure. FDM sends the registration request to CDO.
- Click the Task List link to see the progress of the device enrollment.
- When the Task List displays the Cloud Service message, "Device has been enrolled," return to the Onboard FTD Device page in CDO.
- In step 2 of the onboarding wizard, CDO polls for the device.
Note: After an hour of polling, if the device is not found, you will be given a link to click to refresh the polling for another hour.
- When you see "The device connected successfully" in step 2 of the onboarding wizard, click Next.
- If you want to smart-license or re-smart-license the device, log on to the Cisco Smart Software Manager and generate a new smart license token. Copy the new token into the box provided and click Next.
Note: If you do not want to smart-license, click Skip.
- Click Go to devices page to go to the Devices & Services page and see the progress of the onboarding process.
The device starts synchronizing and applies the smart-license.
- Open the Devices & Services page and you should see that the device is now in the connectivity state, Online. You may need to click "Refresh Licenses" to update the Connectivity state.
Smart-licensing an Onboarded FTD Device
You can apply a smart-license to an FTD device that is onboarded using its credentials and uses a 90-day evaluation version.
To smart-license such devices, follow this procedure:
- In the navigation pane, click Devices & Services and select the FTD device that you want to license.
- Under Device Details, click View Licenses.
- Click License Registration.
- Follow the on-screen instructions and enter the smart-license generated from Cisco Smart Software Manager.
- Click Save.