Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center

Onboard Limitations and Requirements

Be aware of the following limitations when onboarding a device to the cloud-delivered Firewall Management Center:

  • Devices must be running version 7.0.3, or version 7.2 and later. We strongly recommend version 7.2 or later.

  • You do not need an on-premises or virtual SDC to onboard your device.

  • You cannot directly onboard high availability pairs. You must break the HA pair and onboard each device individually, then recreate the pair in the cloud-delivered Firewall Management Center UI.

    Note

    You can migrate an HA pair that is managed by an On-Prem Firewall Management Center by following the Migrate FTD to Cloud-Delivered Firewall Management Center process. Confirm both peers are in a healthy state prior to migrating.

  • The cloud-delivered Firewall Management Center does not support clustered devices.

  • The cloud-delivered Firewall Management Center does not support multi-instance deployments. Note that Firepower 4100 and Firepower 9300 multi-instance deployments are treated as traditional standalone devices.

  • Only devices that are configured for local management and are managed by an FDM can be onboarded with the serial number and low-touch provisioning methods.

  • If the device is managed by an on-prem management center, you can either onboard the device to cloud-delivered Firewall Management Center or migrate the device. Migrating retains any existing policies and objects, whereas onboarding the device removes most policies and all objects. See Migrate FTD to Cloud-Delivered Firewall Management Center for more information.

  • If your device is currently managed by an FDM, unregister all your smart licenses before you onboard the device. Even if you switch device management, the Cisco Smart Software Manager will retain the smart licenses.

  • If you have previously onboarded a device that was managed by an FDM and deleted the device from CDO with the intention of re-onboarding it for cloud management, you must register the FDM to the SSE cloud after deleting the device. See the "Access Security Services Exchange" chapter in the Firepower and Cisco SecureX Threat Response Integration Guide.

Tip

Onboarding a device to the cloud-delivered Firewall Management Center removes any policies and most objects configured through the previous manager. If your device is currently managed by an on-prem management center, it is possible to migrate the device and retain your policies and objects. See Migrate FTD to Cloud-Delivered Firewall Management Center for more information.

Network Requirements

Before you onboard a device, make sure the following ports on the device are open for outbound and external access. If any of these ports is blocked by a firewall between the device and the cloud, onboarding the device may fail.

  Port       Protocol / Feature         Details
  443/tcp    HTTPS                      Send and receive data from the internet.
  443        HTTPS                      Communicate with the AMP cloud (public or private).
  8305/tcp   Appliance communications   Securely communicate between appliances in a deployment.
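A pre-onboarding reachability check for the ports in the table above, written as an added example for this page rather than Cisco's own tooling. The endpoint hostnames are placeholders, because the page lists the ports but not the cloud endpoints, and the check assumes it is run from a host on the same network path as the device.

```python
"""Pre-onboarding check: can the required TCP ports be reached from here?

Constructed example. The hostnames below are placeholders; replace them
with the cloud-delivered FMC / SSE and AMP cloud endpoints for your region.
"""
import socket
import threading

# Ports from the Network Requirements table; the hosts are placeholders.
REQUIRED_PORTS = {
    ("REPLACE-ME-cdfmc-endpoint", 443): "HTTPS: send and receive data from the internet",
    ("REPLACE-ME-amp-cloud", 443): "HTTPS: communicate with the AMP cloud",
    ("REPLACE-ME-peer-appliance", 8305): "appliance communications between devices",
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, or timed out (likely filtered)
        return False


def check_ports(requirements, timeout=3.0):
    """Return the subset of {(host, port): purpose} that is NOT reachable."""
    return {
        (host, port): purpose
        for (host, port), purpose in requirements.items()
        if not tcp_reachable(host, port, timeout)
    }


def _local_listener():
    """Open a one-shot listener on 127.0.0.1 so the check can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        with srv:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    blocked = check_ports(REQUIRED_PORTS)
    for (host, port), purpose in blocked.items():
        print(f"BLOCKED {host}:{port} ({purpose})")
    print("all required ports reachable" if not blocked else "open these ports before onboarding")
```

Run it before onboarding; any BLOCKED line points at a firewall rule to fix first.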

Management and Data Interfaces

Make sure your device is correctly configured with either a management or data interface.

To configure a management or data interface on your device, see Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI.