Manage SAL (OnPrem) for CDO-Managed Threat Defense Devices

Starting with Secure Firewall Threat Defense (formerly Firepower Threat Defense) version 7.2, you can choose to send fully qualified events that are generated by CDO-managed threat defense devices to the management center. The management center receives and displays data analytics for these events. A management center that receives and displays event data in this way is also referred to as an analytics-only management center.

If your devices are enabled to send connection events to a Secure Network Analytics Manager using SAL (OnPrem), you can view and work with these remotely stored events in the management center event viewer and context explorer, and include them when generating reports. By deploying the Secure Network Analytics appliance and integrating it with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to view and manage the events in the management center UI. From the management center interface, you can also cross-launch to Secure Network Analytics Manager to view and manage the event data.

The management center can receive and display event analytics for the following CDO-managed threat defense devices:

  • New or existing threat defense devices onboarded to CDO

    For information on onboarding a threat defense device to CDO, see Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center.

    The workflow is as follows:

    1. Onboard a threat defense device to CDO.

      Onboard the threat defense devices using the onboarding methods that are described in Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center. The onboarding process includes assigning policies and choosing the appropriate licenses.

    2. Register this threat defense device in the appropriate management center.

      For the management center to display events generated by a CDO-managed threat defense device, you must register the threat defense device in the management center. To register this device in the management center, enable the device to be registered using the configure manager add {hostname | IPv4_address | IPv6_address} reg_key [nat_id] CLI command, and then add the device to the management center with the CDO Managed Device check box selected.

      Note

      The registration key and the NAT ID must be different from those used while onboarding the device to CDO.

      For more information, see Add a Device to the Management Center and Complete the Threat Defense Initial Configuration Using the CLI in Firepower Management Center Device Configuration Guide.

    3. View events in the management center or cross-launch to a configured Secure Network Analytics Manager.

      You can view and work with the events in the management center event viewer. If the Secure Network Analytics appliance is deployed and integrated with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to cross-launch from the management center UI to the Secure Network Analytics Manager to view and manage the event data.

      For more information, see Events and Assets and Event Analysis Using External Tools.

  • Existing threat defense devices on the management center.

    You can change the management of the threat defense devices from management center to CDO using the change threat defense manager functionality. While changing the manager, you can choose to retain the event data generated by these threat defense devices on the management center. If you choose to retain the event data on the management center, a copy of the threat defense device in an analytics-only mode is retained on the management center.

    For more information, see Migrate Secure Firewall Threat Defense to Cloud.

    The workflow is as follows:

    1. Onboard the management center to CDO.

      To onboard the existing threat defense devices from management center to CDO, you must onboard the appropriate management center to CDO.

      For more information, see Onboard an FMC.

    2. Complete the change threat defense management process.

      During the change threat defense management process, while changing the device manager, you can choose to retain the event data generated by these threat defense devices on the management center.

      For more information, see Migrate Secure Firewall Threat Defense to Cloud.

    3. View events in the management center or cross-launch to a configured Secure Network Analytics appliance.

      You can view and work with the events in the management center event viewer. If the Secure Network Analytics appliance is deployed and integrated with the firewall deployment, you can export the event data to the Secure Network Analytics appliance. This allows you to cross-launch from the management center UI to the Secure Network Analytics Manager to view and manage the event data.

      For more information, see Events and Assets and Event Analysis Using External Tools.