This procedure describes how to onboard a Firepower Threat Defense (FTD) version 6.6+ device using a registration key. This method is the recommended way of onboarding the FTD device to CDO and is beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. Additionally, your FTD can have an address on your local area network, and as long as it can access the outside network, it can be onboarded to CDO using this method.
Warning: If you already have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you will not be able to see your device’s events in SecureX or benefit from other SecureX features. We strongly recommend merging your accounts before you create a CDO module in SecureX. Your accounts can be merged through the SecureX portal. See Merge Accounts for instructions.
If you want to onboard an FTD running software version 6.4 or 6.5, see Onboard an FTD Running Software Version 6.4 or 6.5 Using a Registration Key.
- This method of onboarding is currently available for FTD 6.6+ releases and to customers connecting to defenseorchestrator.com, defenseorchestrator.eu, and apj.cdo.cisco.com.
- Review Connect Cisco Defense Orchestrator to Your Managed Devices for the networking requirements needed to connect CDO to your FTD.
- Make sure your device is managed by Firepower Device Manager (FDM), not Firepower Management Center (FMC).
- The device can be using a 90-day evaluation license or it can be smart-licensed. Devices running FTD software version 6.6+ can be onboarded to CDO using a registration key without unregistering any installed smart licenses.
- The device cannot already be registered with Cisco Cloud Services. See "Unregistering an FTD from Cisco Cloud Services" below before onboarding.
- Log in to the FTD's FDM UI and make sure that there are no pending changes waiting on the device.
- Make sure DNS is configured properly on your FTD device.
- Make sure the time services are configured on the FTD device.
- Make sure the FTD device shows the correct date and time; otherwise, the onboarding will fail.
Unregistering an FTD from Cisco Cloud Services
If the device you want to onboard is running FTD software version 6.6+ and is already registered with the Cisco cloud, you must unregister the device from Cisco Cloud Services before you onboard it to CDO with a registration key.
Note: If you onboard an FTDv running Version 7.0, registering the FTDv to CDO automatically resets the performance-tiered Smart Licensing selection to Variable, which is the default tier. You must manually re-select the tier that matches the license associated with the device through the FDM UI after onboarding.
Use this procedure to make sure the device is not registered to Cisco Cloud Services:
- Log on to the FTD using FDM.
- Click the device icon in the FDM menu.
- Expand the System Settings menu until you see Cloud Services and then click Cloud Services.
- In the Cloud Services page, click the gear menu and select Unregister Cloud Services.
- Read the warning and click Unregister to unregister the device.
To onboard an FTD using a registration key, follow this procedure:
- Log in to CDO.
- In the navigation pane, click Devices & Services and click the blue plus button to Onboard a device.
- Click FTD.
Important: When you attempt to onboard an FTD device, CDO prompts you to read and accept the Firepower Threat Defense End User License Agreement (EULA), which is a one-time activity in your tenant. Once you accept this agreement, CDO doesn't prompt you again during subsequent FTD onboarding. If the EULA changes in the future, you must accept it again when prompted.
- On the Onboard FTD Device screen, click Use Registration Key.
- Enter the device name in the Device Name field. This could be the hostname of the device or any other name you choose.
- In the Database Updates area, the Immediately perform security updates, and enable recurring updates option is enabled by default. This option immediately triggers a security update and automatically schedules the device to check for additional updates every Monday at 2AM. See Update FTD Security Databases and Schedule a Security Database Update for more information.
Note: Disabling this option does not affect any previously scheduled updates you may have configured through FDM.
- In the Create Registration Key step, CDO generates a registration key.
Note: If you move away from the onboarding screen after the key is generated and before the device is fully onboarded, you will not be able to return to the onboarding screen; however, CDO creates a placeholder for that device on the Devices & Services page. When you select the device's placeholder, you will be able to see the key for that device on that page.
- Click the Copy icon to copy the registration key.
Note: You can skip copying the registration key and click Next to complete the placeholder entry for the device and register the device later. This option is useful when you're attempting to create the device first and register it later, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
On the Devices & Services page, you will see that the device is now in the "Unprovisioned" connectivity state. Copy the registration key appearing under Unprovisioned to Firepower Device Manager to complete the onboarding process.
- Log in to the FDM of the FTD you are onboarding.
- Under System Settings, click Cloud Services.
- In the Region field, select the Cisco cloud region that your tenant is assigned to:
  - If you log in to defenseorchestrator.com, choose US.
  - If you log in to defenseorchestrator.eu, choose EU.
  - If you log in to apj.cdo.cisco.com, choose APJ.
- In the Enrollment Type area, click Security/CDO Account.
Note: For devices running Version 6.6, the Tenancy tab for CDO is titled Security Account and you must manually enable CDO in the FDM UI.
- In the Registration Key field, paste the registration key that you generated in CDO.
- For devices running FTD 6.7 or later, in the Service Enrollment area, check Enable Cisco Defense Orchestrator.
- Review the information about the Cisco Success Network Enrollment. If you do not want to participate, uncheck the Enroll Cisco Success Network checkbox.
- Click Register and then Accept the Cisco Disclosure. FDM sends the registration request to CDO.
- Return to CDO and, in the Create Registration Key area, click Next.
- In the Smart License area, apply a smart license to the FTD device and click Next, or click Skip to continue the onboarding with a 90-day evaluation license or if the device is already smart-licensed. For more information, see Applying or Updating a Smart License.
Note: If your device is running Version 6.6, you need to manually enable communication to CDO. From the device's FDM UI, navigate to System Settings > Cloud Services and, in the Cisco Defense Orchestrator tile, click Enable.
- Return to CDO, open the Devices & Services page and see that the device status progresses from "Unprovisioned" to "Locating" to "Syncing" to "Synced."
- If you onboarded an FTDv running Version 7.0, you must manually reset the performance-tiered Smart Licensing selection through the FDM UI. See Managing Smart Licenses for more information.
- If you are onboarding an FTD HA pair, you must onboard the peer device to CDO as well. See step 2 in Onboard an FTD HA Pair with a Registration Key for more information.
Troubleshooting Device Registration Failure during Onboarding with a Registration Key
Failed to Resolve Cloud Service FQDN
If the device registration fails because the cloud service FQDN cannot be resolved, check network connectivity or the DNS configuration and attempt to onboard the device again.
Failed Because of an Invalid Registration Key
The device registration can fail due to an invalid registration key, which may occur when you paste an incorrect registration key in FDM.
Copy the same registration key from CDO again and attempt to register the device. If the device is already smart licensed, ensure that you remove the smart license before pasting the registration key in FDM.
Failed Because of Insufficient License
If the device connectivity status shows "Insufficient License", do the following:
- Wait for some time until the device attains the license. Typically it takes some time for Cisco Smart Software Manager to apply a new license to the device.
- If the device status doesn’t change, refresh the CDO portal by signing out of CDO and signing back in to resolve any network communication problems between the license server and the device.
- If the portal refresh doesn’t change the device status, perform the following:
  - Generate a new registration key from Cisco Smart Software Manager and copy it. You can watch the Generate Smart Licensing video for more information.
  - In the CDO navigation bar, click the Devices & Services page.
  - Select the device with the Insufficient License state.
  - In the Device Details pane, click Manage Licenses appearing in Insufficient Licenses.
    The Manage Licenses window appears.
  - In the Activate field, paste the new registration key and click Register Device.
Once the new registration key is applied successfully to the device, its connectivity state turns to Online.