At this time, CDO supports a limited set of ciphers for onboarding SSH devices. The supported ciphers are:
aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes128-gcm@openssh.com, aes256-gcm, aes256-gcm@openssh.com
To determine the ciphers your server supports, execute ssh -vv <ip_address> on your on-prem SDC and check the server's cipher proposal in the debug output. If the device offers at least one cipher from the list above, you can successfully onboard your SSH device.
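The cipher check above, as an added example that is not part of the CDO documentation: a POSIX shell script that reads `ssh -vv` debug output, extracts the server's KEXINIT cipher proposal, and reports which of those ciphers are on CDO's supported list. The sample debug output is constructed, and `check_host` is a helper name chosen here.

```shell
#!/bin/sh
# Added example, not CDO's own tooling. Compares the ciphers a server offers
# in its SSH KEXINIT with the list CDO supports for onboarding.

# Ciphers CDO supports for onboarding SSH devices (from the documentation).
CDO_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes128-gcm@openssh.com aes256-gcm aes256-gcm@openssh.com"

# Read `ssh -vv` output on stdin and print the server's client-to-server
# cipher list, space separated. The client prints its own proposal first
# ("local client KEXINIT proposal"), so only the block after
# "peer server KEXINIT proposal" is parsed.
server_ciphers() {
    awk '/peer server KEXINIT proposal/ { p = 1 }
         p && /ciphers ctos:/ { sub(/.*ciphers ctos: /, ""); gsub(/,/, " "); print; exit }'
}

# Print every cipher in $1 that CDO supports, one per line.
# Returns 0 if at least one matched, 1 otherwise.
common_ciphers() {
    found=1
    for c in $1; do
        for s in $CDO_CIPHERS; do
            [ "$c" = "$s" ] && { echo "$c"; found=0; }
        done
    done
    return $found
}

# Summarise the result for one device. Live usage from the SDC:
#   ssh -vv -o BatchMode=yes <ip_address> 2>&1 </dev/null | check_host
check_host() {
    offered=$(server_ciphers)
    if common_ciphers "$offered" >/dev/null; then
        echo "OK: device offers a CDO-supported cipher: $(common_ciphers "$offered" | tr '\n' ' ')"
    else
        echo "NO MATCH: device offers [$offered]; enable one of: $CDO_CIPHERS"
        return 1
    fi
}

# Constructed sample of ssh -vv debug output from a server that offers one
# CDO-supported cipher and two it cannot use.
SAMPLE_DEBUG='debug2: local client KEXINIT proposal
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-cbc'

printf '%s\n' "$SAMPLE_DEBUG" | check_host
```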
Before you onboard your device, review Connect to Cisco Defense Orchestrator using Secure Device Connector.
To onboard a Firepower Threat Defense Device using SSH, follow this procedure:
- In the navigation pane, click the Devices & Services page.
- Click the blue plus button to onboard a device.
- Click the Integrations tile.
- Give the device a name.
- Select the Secure Device Connector (SDC) that this device will communicate with. The default SDC is displayed but you can change it by clicking the SDC name.
- In the Integrations drop-down menu, select Generic SSH.
- Enter the device's location as either the FQDN or IPv4 address. The default SSH port is 22.
- Click Go. CDO locates the device and prepares to integrate the configuration.
- Download the SSH fingerprint and save locally. If you've never connected to this device through SSH before, this fingerprint allows you to confirm the device.
- Enter the Username and Password login credentials for the device you are onboarding. CDO cannot successfully read the existing configuration without the correct login information.
- (Optional) Enter the Enable Password if you've previously configured one for this device.
- (Optional) Select a Configuration Command from the drop-down menu, or enter a custom command in the textbox. This command will be used as the configuration for the device; if OOB is enabled, CDO checks for changes and you can view the current value of this in the Configuration page. Note that you can change this command once the device is successfully onboarded to CDO.
- Click Connect.
Note: If the login credentials were incorrect, you will be prompted to review the connection details. Here you can re-enter the login information. If you exit the review without correcting the credentials, the device has an integration instance in the Devices & Services page but the device is not onboarded or synchronized.
- (Optional) Add labels to this device.
- Click Continue.
- The device onboards to CDO. Click Finish.
- Return to the Devices & Services page. After the device has been successfully onboarded, you will see that the Configuration Status is "Synced" and the Connectivity state is "Online."
Note: Once a device is onboarded, you can change the configuration command to be executed. You can use a custom command or create a CLI macro.
- (Optional) If you want, you can write a note about the device by typing it in the device's Notes page. See Device Notes for more information.