Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center

Onboard Limitations and Requirements

Be aware of the following limitations when onboarding a device to the cloud-delivered Firewall Management Center:

  • Devices must be running version 7.0.3, or version 7.2 and later. We strongly recommend version 7.2 or later.

  • You do not need an on-premises or virtual SDC to onboard your device.

  • You can migrate an HA pair that is managed by an On-Prem Firewall Management Center by following the Migrate FTD to Cloud-Delivered Firewall Management Center process. Confirm both peers are in a healthy state prior to migrating.

  • Only devices that are configured for local management and are managed by a device manager can be onboarded with the serial number and low-touch provisioning methods.

  • If the device is managed by an on-prem management center, you can either onboard the device to cloud-delivered Firewall Management Center or migrate the device. Migrating retains any existing policies and objects, whereas onboarding the device removes most policies and all objects. See Migrate FTD to Cloud-Delivered Firewall Management Center for more information.

  • If your device is currently managed by a device manager, unregister all your smart licenses before you onboard the device. Even if you switch device management, the Cisco Smart Software Manager will retain the smart licenses.

  • If you have previously onboarded a device that was managed by a device manager and deleted the device from CDO with the intention of re-onboarding for cloud management, you must register the device manager to the Security Services Exchange cloud after deleting the device. See the "Access Security Services Exchange" chapter in the Firepower and Cisco SecureX Threat Response Integration Guide.

Tip

Onboarding a device to the cloud-delivered Firewall Management Center removes any policies and most objects configured through the previous manager. If your device is currently managed by an on-prem management center, it is possible to migrate the device and retain your policies and objects. See Migrate FTD to Cloud-Delivered Firewall Management Center for more information.

Network Requirements

Before you onboard a device, ensure that the following ports on the device have external and outbound access. If these communication ports are blocked behind a firewall, onboarding the device may fail.

Note

You cannot configure these ports in the CDO UI. You must enable them through an SSH session to the device.

Device Port Requirements

Port       Protocol / Feature         Details
443/tcp    HTTPS                      Send and receive data from the internet.
443        HTTPS                      Communicate with the AMP cloud (public or private).
8305/tcp   Appliance communications   Securely communicate between appliances in a deployment.

Management and Data Interfaces

Make sure your device is correctly configured with either a management or data interface.

To configure a management or data interface on your device, see Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI.