This procedure describes how to onboard a Firepower Threat Defense (FTD) device using a registration key. This method is the recommended way of onboarding the FTD device to CDO and is beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. Additionally, your FTD can have an address on your local area network, and as long as it can access the outside network, it can be onboarded to CDO using this method.
Warning: If you already have a SecureX or Cisco Threat Response (CTR) account, you will need to merge your CDO account and SecureX/CTR account in order for your devices to be registered with SecureX. Until your accounts are merged, you will not be able to see your device’s events in SecureX or benefit from other SecureX features. We strongly recommend merging your accounts before you create a CDO module in SecureX. Your accounts can be merged through the SecureX portal. See Merge Accounts for instructions.
- This method of onboarding is currently available for FTD 6.4 and later releases and to customers connecting to defenseorchestrator.cisco.com.
Note: This method is also available to customers connecting to defenseorchestrator.cisco.eu only from FTD 6.5 and later releases.
- Make sure your device is managed by Firepower Device Manager (FDM), not Firepower Management Center (FMC).
- Make sure the licenses installed on the device are not registered with Cisco Smart Software Manager. You will need to unregister the FTD if it is already smart licensed.
- The device may be using a 90-day evaluation license.
- Log in to the FTD's FDM and make sure that there are no pending changes waiting on the device.
- Make sure DNS is configured properly on your FTD device.
- Make sure the time services are configured properly on the FTD device.
- Make sure the FTD device shows the correct date and time; otherwise, the onboarding will fail.
- Review Connect Cisco Defense Orchestrator to the Secure Device Connector.
Unregistering a Smart Licensed FTD
If the FTD is already smart licensed, the device is likely to be registered with Cisco Smart Software Manager. You must unregister the device from Cisco Smart Software Manager before you onboard it to CDO with a registration key. When you unregister, the base license and all optional licenses associated with the device are freed in your virtual account.
After unregistering the device, the current configuration and policies on the device continue to work as-is, but you cannot make or deploy any changes.
- Log on to the FTD using FDM.
- Click the name of the device in the FDM menu, then click View Configuration in the Smart License summary area.
- From the gear drop-down menu, select Unregister Device.
- Read the warning and click Unregister to unregister the device.
To onboard an FTD using a registration key, follow this procedure:
- Log in to CDO.
- In the navigation pane, click Devices & Services and click the blue plus button to Onboard a device.
- Click on FTD.
Important: When you attempt to onboard an FTD device, CDO prompts you to read and accept the Firepower Threat Defense End User License Agreement (EULA), which is a one-time activity in your tenant. Once you accept this agreement, CDO doesn't prompt you again in subsequent FTD onboarding. If the EULA changes in the future, you must accept it again when prompted.
- On the Onboard FTD Device screen, click Use Registration Key.
- In the Device Name area, enter the device name in the Device Name field. This could be the hostname of the device or any other name you choose.
- Click Next.
- In the Database Updates area, the Immediately perform security updates, and enable recurring updates option is enabled by default.
This option immediately triggers a security update as well as automatically schedules the device to check for additional updates every Monday at 2AM. See Update FTD Security Databases and Schedule a Security Database Update for more information.
Note: Disabling this option does not affect any previously scheduled updates you may have configured through FDM.
- Click Next.
- In the Create Registration Key area, CDO generates a registration key.
Note: If you move away from the onboarding screen after the key is generated and before the device is fully onboarded, you will not be able to return to the onboarding screen; however, CDO creates a placeholder for that device on the Devices & Services page. When you select the device's placeholder, you will be able to see the key for that device on that page.
- Click the Copy icon to copy the registration key.
Note: You can skip copying the registration key and click Next to complete the placeholder entry for the device, and register the device later. This option is useful when you want to create the device first and register it later, or if you're a Cisco partner installing a Proof of Value (POV) device in a customer network.
The device is now in the connectivity state, "Unprovisioned". Copy the registration key appearing under Unprovisioned to Firepower Device Manager to complete the onboarding process.
- Log in to the FDM of the FTD you want to onboard to CDO.
- Under System Settings, click Cloud Services.
- In the Cisco Defense Orchestrator area, expand Get Started.
- In the Registration Key field, paste the registration key that you generated in CDO.
- Click Register and then Accept the Cisco Disclosure. FDM sends the registration request to CDO.
- Click the Task List link to see the progress of the device enrollment.
When the Task List displays the Cloud Service message, "Device has been enrolled," return to the Onboard FTD Device page in CDO.
- In the Create Registration Key area, CDO polls for the device.
When you see "The device connected successfully" in step 3 of the onboarding wizard, click Next.
Note: After an hour of polling, if the device is not found, you will be given a link to click to refresh the search for another hour.
- In the Smart License area, you can apply a smart license to the FTD device and click Next. For more information, see Applying or Updating a Smart License.
You can click Skip to continue the onboarding with a 90-day evaluation license.
- In the Done area, click Go to devices page to view the onboarded device.
Troubleshooting Device Registration Failure during Onboarding with a Registration Key
Failed to Resolve Cloud Service FQDN
If the device registration fails because the cloud service FQDN cannot be resolved, check network connectivity or the DNS configuration and attempt to onboard the device again.
Failed Because of an Invalid Registration Key
Device registration can fail due to an invalid registration key, which may occur when you paste an incorrect registration key in FDM.
Copy the same registration key from CDO again and attempt to register the device. If the device is already smart licensed, ensure that you remove the smart license before pasting the registration key in FDM.