Onboard a Threat Defense Device
Attention | Secure Firewall device manager (FDM) support and functionality is only available upon request. If you do not already have Firewall device manager support enabled on your tenant you cannot manage or deploy to FDM-managed devices. Send a request to the support team to enable this platform. |
There are different methods of onboarding a threat defense device. We recommend using the registration key method.
If you experience issues while onboarding a device, see Troubleshoot FDM-Managed Device Onboarding Using Serial Number or Failed Because of Insufficient License for more information.
Onboard a Threat Defense Device to Cloud-delivered Firewall Management Center
You can onboard threat defense devices running version 7.2 and later to the Cloud-delivered Firewall Management Center. See Onboard an FTD to the Cloud-Delivered Firewall Management Center for more information.
Onboard a Threat Defense Device with a Serial Number
This procedure is a simplified method of onboarding the Firepower 1000, Firepower 2100, or Secure Firewall 3100 series physical devices running supported versions of software. To onboard the device, you need the chassis serial number or PCA serial number of the device and ensure that the device is added to a network that can reach the internet.
You can onboard new factory-shipped devices or already configured devices to CDO.
See Onboard an FDM-Managed Device using the Device's Serial Number for more information.
Onboard a Threat Defense Device with a Registration Key
We recommend onboarding threat defense devices with a registration key. This is beneficial if your device is assigned an IP address using DHCP. If that IP address changes for some reason, your threat defense device remains connected to CDO if you have onboarded it with a registration key.
Onboard an Threat Defense Device Using Credentials
You can onboard a threat defense device using the device credentials and the IP address of the device's outside, inside, or management interface depending on how the device is configured in your network. To onboard a device with crednetials, see Onboard an FDM-Managed Device Using Username, Password, and IP Address. To onboard with an interface address, see Device Addressing later in this article.
CDO needs HTTPS access to the device in order to manage it. How you allow HTTPS access to the device depends on how your device is configured in your network and whether you onboard the device using a Secure Device Connector or a Cloud Connector.
Note | If you connect to https://www.defenseorchestrator.eu and you are using software version 6.4, you must onboard the threat defense device with this method. You cannot use the registration key method. |
When using device credentials to connect CDO to a device, it a best practice to download and deploy a Secure Device Connector (SDC) in your network to manage the communication between CDO and the device. Typically, these devices are non-perimeter based, do not have a public IP address, or have an open port to the outside interface. The threat defense device, when onboarded with credentials, can be onboarded to CDO using an SDC.
Note that customers also using the threat defense devie as the head-end for VPN connections will not be able to use the outside interface to manage their device.
Onboard a Threat Defense Cluster
You can onboard a threat defense device that is clustered prior to onboarding to CDO. Clustering lets you group multiple firewall threat defense units together as a single logical device that provides the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
See Onboard a Clustered Secure Firewall Threat Defense Device.
FDM-Managed Device Configuration Prerequisites for Onboarding
FDM-Managed Device Management
You can only onboard threat defense devices that are being managed by Secure Firewall device manager (FDM). threat defense devices being managed by Secure Firewall Management Center cannot be managed by the cloud-delivered Firewall Management Center.
If the device is not configured for local management, you must switch to local management before onboarding the device. See the Switching Between Local and Remote Management chapter of the Secure Firewall Threat Defense Configuration Guide for Firepower Device Manager.
Licensing
The device must have at least an license installed before it can be onboarded to CDO although you can have a Smart License applied in some circumstances.
|
Onboarding Method |
Secure Firewall device manager Software Version |
90-day Evaluation licensed allowed? |
Can the device already be smart-licensed before onboarding? |
Can the device already be registered with Cisco Cloud Services before you onboarding? |
|---|---|---|---|---|
|
Credentials (user name and password) |
6.4 or later |
Yes |
Yes |
Yes |
| Registration Key |
6.4 or 6.5 |
Yes |
No. Unregister the smart license and then onboard the device. |
N/A |
|
Registration Key |
6.6 or later |
Yes |
Yes |
No. Unregister the device from Cisco Cloud Services and then onboard the device. |
|
Low Touch Provisioning |
6.7 or later |
Yes |
Yes |
Yes |
|
Onboarding a device with a Serial Number |
6.7 or later |
Yes |
Yes |
Yes |
See Cisco Firepower System Feature Licenses for more information.
Device Addressing
It is a best practice that the address you use to onboard the FDM-managed device is a static address. If the device's IP address is assigned by DHCP, it would be optimal to use a DDNS (dynamic domain name system) to automatically update your device's domain name entry with the new IP address of the device if it changes.
Note | FDM-managed devices do not natively support DDNS; you must configure your own DDNS. |
Important | If your device gets an IP address from a DHCP server, and you do not have a DDNS server updating the FDM-managed device's domain name entry with any new IP addresses, or your device receives a new address, you can change the IP address CDO maintains for the device and then reconnect the device. Better still, onboard the device with a registration key. |