


Cisco Defense Orchestrator

Procedure for Onboarding an FTD using the Device's Serial Number

This procedure applies to onboarding a new factory-shipped FTD 1000 or 2100 series device running FTD 6.7+. You can power on the device before or after onboarding it to CDO. We recommend that you onboard the device to CDO using its serial number first, and power on the device second. See Low-Touch Provisioning of a New FTD Device for a full explanation.

You can also use this procedure to onboard a device purchased from an external vendor or onboard a device already managed by another cloud tenant in a different region. However, if the device is already registered to the external vendor's cloud tenant or a cloud tenant in a different region, CDO doesn't onboard the device but displays the "Device serial number already claimed" error message. In such cases, the CDO admin must unregister the device's serial number from its previous cloud tenant and then claim the CDO device in their own tenant. See the Device Serial Number Already Claimed section in the troubleshooting chapter. 


Software and Hardware Requirements 

Onboarding is supported for physical Firepower 1000 series and Firepower 2100 series devices running software version 6.7 or later.

Configuration Prerequisites for Hardware Installation 

  • The network at the branch office cannot use the address space. The network on Ethernet 1/1 (outside) cannot use the address space. The default IP address of the Ethernet 1/2 "inside" interface on the 1000 and 2100 series devices running FTD 6.7 is may conflict with the DHCP address allocated by your WAN modem if it's on that subnet.
  • inside—Ethernet 1/2, IP address

  • outside—Ethernet 1/1, IP address from DHCP or an address you specify during setup



If you are unable to change the outside interface settings, use FDM to change the subnet on the Ethernet 1/2 "inside" interface settings to avoid conflict. For example, you could change to the following subnet settings:

  • IP Address:
  • DHCP server range: 

To learn about the steps for configuring the physical interface, see the "Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager". In the "Interfaces" chapter, see the "Configure a Physical Interface" section. 
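The subnet conflict described above can be checked for a batch of branch sites before the devices ship. The following is an added example, not Cisco code. Every address in it is a constructed placeholder from the documentation ranges, so substitute the device's actual default inside subnet and the WAN subnets from your own site survey.

```python
import ipaddress

# Constructed placeholders (documentation ranges), NOT the device defaults.
INSIDE_DEFAULT = ipaddress.ip_interface("192.0.2.1/24")   # Ethernet 1/2 "inside"
FALLBACK_POOL = ["198.51.100.0/24", "203.0.113.0/24"]     # candidate replacement subnets

# Constructed sample: address the WAN modem hands to Ethernet 1/1 (outside), per branch.
BRANCH_OUTSIDE = {
    "branch-a": "192.0.2.57/24",    # same subnet as inside -> conflict
    "branch-b": "203.0.113.10/24",  # different subnet -> no conflict
    "branch-c": "192.0.2.130/25",   # smaller subnet nested in inside -> conflict
}


def pick_inside_subnet(outside, pool=FALLBACK_POOL):
    """Return the first candidate subnet that does not overlap the outside network."""
    for cidr in pool:
        candidate = ipaddress.ip_network(cidr)
        if not candidate.overlaps(outside.network):
            return candidate
    return None  # pool exhausted: extend FALLBACK_POOL


def check_branch(outside_cidr, inside=INSIDE_DEFAULT):
    """Return (conflict, suggested_inside_subnet) for one branch."""
    outside = ipaddress.ip_interface(outside_cidr)
    if not inside.network.overlaps(outside.network):
        return False, None
    return True, pick_inside_subnet(outside)


def audit(branches=BRANCH_OUTSIDE):
    """Check every branch and return {name: (conflict, suggestion)}."""
    return {name: check_branch(cidr) for name, cidr in branches.items()}


if __name__ == "__main__":
    for name, (conflict, suggestion) in audit().items():
        if conflict:
            print(f"{name}: inside/outside overlap, move inside to {suggestion}")
        else:
            print(f"{name}: ok")
```

Branches reported as conflicting are the ones where the inside interface subnet needs to be changed in FDM, as described above.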

  • The FTD device must be installed and connected to the Cisco Cloud. 
  • The outside or management interface of the device must be connected to a network providing DHCP addressing. Typically, the device has a default DHCP client on the outside or management interface. 
    Note: If the management interface is connected to a network having a DHCP server, it takes precedence over the outside interface for Linux stack initiated traffic. 
  • Your outside or management interface needs to be able to access the following SSE domains for the serial onboarding method.
    • US Region
      • (common across geographies)
      • mx* (currently only
      • (for customer success)
      • (for CTR and CDO)
      • (allows for device registration to the regional Cisco cloud)
    • EU Region
      • (common across geographies)
      • mx* (currently only
      • (for customer success)
      • (for CTR and CDO)
      • (allows for device registration to the regional Cisco cloud)
    • APJ Region
      • (common across geographies)
      • mx* (currently only
      • (for customer success)
      • (for CTR and CDO)
      • (allows for device registration to the regional Cisco cloud)
  • The outside interface of the device must have DNS access to Cisco Umbrella DNS.

Before Claiming the Device in CDO

Before claiming the device in CDO, make sure that you have the following information: 

  • Chassis serial number or PCA number of the FTD device. You can find this information on the bottom of the hardware chassis or on the carton box in which your device is delivered. In the following example picture, you can see the serial number "*******X0R9" on the bottom of the FTD 1010 chassis.
  • The default password of the device. 
  • A smart license generated from Cisco Smart Software Manager for using the additional capabilities. However, you can complete the device onboarding using a 90-day evaluation license and later apply the smart license.

Onboarding Procedure

Caution: When the FTD device is being onboarded in CDO, we recommend that you not perform the device easy setup on FDM. This causes a provisional error in CDO. 

We recommend that you onboard the device to CDO using its serial number before the devices are powered on and connected to your branch networks. 

  1. If you are onboarding a device purchased from an external vendor, you must reimage the device first. For more information, see the "Reimage Procedures" chapter of the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 with FTD.
  2. Log in to CDO.
  3. In the navigation pane, click Devices & Services and click the blue plus button to Onboard a device.
  4. Click on FTD.

Important: When you attempt to onboard an FTD device, CDO prompts you to read and accept the Firepower Threat Defense End User License Agreement (EULA), which is a one-time activity in your tenant. Once you accept this agreement, CDO doesn't prompt you again in subsequent FTD onboarding. If the EULA changes in the future, you must accept it again when prompted.

  5. On the Onboard FTD Device screen, click Use Serial Number.
  6. In the Connection step, provide the following details and click Next.
    • Device Serial Number: Enter the serial number or the PCA number of the device you want to onboard.
    • Device Name: Provide a name for the device.
  7. In the Password Reset step, provide the following details and click Next.
    • Default Password Not Changed: Select this option to change the default password of a new device.
      Note: If the device's default password is already changed, the entries made in this field will be ignored.
      • New Password and Confirm Password: Enter a new password for the device. Ensure that the new password meets the requirements mentioned onscreen.
    • Default Password Changed: Select this option only for a device whose default password has already been changed using FDM or the Firepower eXtensible Operating System (FXOS) Console.
  8. In the Smart License step, select the required option and click Next.
    • Apply Smart License: Select this option if your device is not smart licensed already. You have to generate a token using the Cisco Smart Software Manager and copy it into this field.
    • Device Already Licensed: Select this option if your device has already been licensed.
      Note: If the default password has already been changed, this radio button will be selected automatically. However, you can choose another option that you want.
    • Use 90-day Evaluation License: Apply a 90-day evaluation license.
  9. In the Subscription Licenses step, perform the following:
    Important: If Device Already Licensed is selected in the Smart License step, you cannot perform any selection in this step. CDO displays Keep Existing Subscription and moves to the Labels step.
    • If the smart license is applied, you can enable the additional licenses you want and click Next.
    • If the evaluation license is enabled, all other licenses are available except for the RA VPN license. Select the licenses that you want and click Next to continue.
      Note: You can continue only with the base license.
  10. In the Labels step, you can enter a label name if required. Click Go to Devices and Services.

CDO starts claiming the device, and you will see the Claiming message on the right. CDO continuously polls for an hour to determine if the device is online and registered to the cloud. Once it's registered to the cloud, CDO starts the initial provisioning and onboards the device successfully. The device registration can be confirmed when the LED status flashes green on the device. If the device can't connect to the Cisco cloud or loses its connectivity after being connected, you can see the Status LED (FTD 1010) or SYS LED (FTD 2100) flashing alternately green and amber.

If the device is still not registered to the cloud within the first hour, a time-out occurs. CDO then polls every 10 minutes to determine the device status and remains in the Claiming state. When the device is turned on and connected to the cloud, you don't have to wait for 10 minutes to know its onboarding status. You can click the Check Status link anytime to see the status. CDO starts the initial provisioning and onboards the device successfully.

Important: If you have already completed the device setup wizard (see Onboard an Already Configured FTD Device), the device is unregistered from the cloud, and CDO remains in the Claiming state. You need to complete manual registration from FDM to add it to CDO. (In FDM, go to System Settings > Cloud Services, select the Auto-enroll with Tenancy from Cisco Defense Orchestrator option, and click Register.) Then, click Check Status.
