Cisco Defense Orchestrator

Low-Touch Provisioning of a New FTD Device

Low-touch provisioning is a feature that allows new factory-shipped FTD 1000 or 2100 series devices (running software version 6.7 or later) to be provisioned and configured automatically, eliminating most of the manual tasks involved in onboarding the device to CDO. The low-touch provisioning process minimizes the need to log in to a physical device. It's intended for remote offices or other locations where your employees are less experienced in working with networking devices.

Important: If you want to use this method to onboard an FTD device running on an older software version (6.4, 6.5, and 6.6), you need to perform a fresh installation (reimage) of the software on that device instead of an upgrade.

To use the low-touch provisioning process, you onboard the FTD 6.7 device to CDO, connect it to a network that can reach the internet, and power on the device. 

Note: You can power on the device before or after onboarding it to CDO. We recommend that you onboard the device to CDO first, and then power on the device and connect it to your branch network. When you onboard the device in CDO, the device is associated with your CDO tenant in the Cisco cloud. After you power on the device and connect it to your network, the device connects to the Cisco cloud and, because the device is already associated with your tenant, CDO syncs the device's configuration automatically.

To claim the device, perform the following:

  1. Onboard the device in CDO using the procedure described in the Procedure for Onboarding FTD using Device Serial Number section. Here, you must select Default Password Not Changed because the device password hasn’t been changed.
  2. After the FTD connects to the cloud, your tenant will finish the onboarding process. The device Connectivity status changes to "claiming". 
  3. Connect the network cable to either the Ethernet 1/1 or Management 1/1 interface. Ensure that the interface you use has a route to the internet. Once you power on the device, it receives its IPv4 address from a DHCP server and connects to the Cisco cloud. The default configuration on the device uses DHCP to obtain an address on the outside interface.

    The device automatically checks if it's already been claimed in the Cisco cloud. In this case, since the device has already been claimed in CDO, it gets assigned directly to CDO's tenant and is onboarded to CDO.

    Note: If you haven't claimed the device in CDO (that is, powered on the device before claiming it), the device is parked in the Cisco cloud until it's claimed. You can’t push the device's configuration or manage the device by any management tool in this state. Once you claim the device in CDO, it starts the initial provisioning and onboards the device automatically.

The device Connectivity status changes to "Online" and the Configuration status changes to "Synced". The FTD device is onboarded to CDO.

You can see the Status LED (FTD 1010) or SYS LED (FTD 2100) flashing green on the rear panel of the hardware. The LED continues to flash green while the device is connected to the cloud. If the device can't connect to the Cisco cloud or loses its connectivity after being connected, the Status LED (FTD 1010) or SYS LED (FTD 2100) flashes alternately green and amber.

See this video: Installing Your Cisco Firepower Firewall Using Low-touch Provisioning to understand the LED indicators.


If you have logged into the FTD console, SSH, or FDM, you would have changed the device's password during your first login. You can still use the low-touch provisioning process for onboarding the device using CDO. After you log into FDM, ensure that you do not complete the device setup wizard step that configures the outside interface. If you complete this step, the device is unregistered from the cloud, and you cannot use the low-touch provisioning process. 

When you log into FDM, you will see the following screen on the dashboard. 


Without proceeding further on the FDM UI, go to the serial number onboarding wizard and onboard the device. Here, you must select Default Password Changed because the device password has already been changed. See Procedure for Onboarding FTD using Device Serial Number.

CDO changes the device Connectivity status to "Online" and the Configuration status to "Synced". The FTD device is onboarded to CDO. You can see the Status LED (FTD 1010) or SYS LED (FTD 2100) flashing green on the rear panel of the hardware. The LED continues to flash green while the device is connected to the cloud.
