Onboard a Device with a CLI Registration Key
Use the procedure below to onboard a device for cloud-delivered Firewall Management Center with a CLI registration key.
Note | If your device is currently managed by an on-prem management center, onboarding the device will fail. You can either delete the device from the on-prem management center and onboard as a fresh, new device with no policies or objects, or you can migrate the device and retain the existing policies and objects. See Migrate FTD to Cloud-Delivered Firewall Managmenet Center for more information. |
Important | You can create a CDO-managed, standalone logical threat defense device using the Secure Firewall chassis manager or the FXOS CLI. |
Before you begin
Before you onboard a device, be sure to complete the following tasks:
-
Cloud-delivered Firewall Management Center is enabled for your tenant.
-
Confirm the device's CLI configuration is successfully completed. See Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI for more information.
-
Review the prerequesites and limitations before you onboard the device. See "Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center" in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.
-
The device can be configured for either local management with Secure Firewall device manager or remote management with Secure Firewall Management Center.
NoteIf you want the device to maintain management from the Secure Firewall device manager, select FDM and see Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key for more information.
-
Device must be running version 7.0.3, or 7.2.0 and later.
-
You have reset the device's SSH password as part of the bootstrap process. If you have you not reset the SSH password, CDO recommends using the Onboard a Threat Defense Device to Cloud-delivered Firewall Management Center using Zero-Touch Provisioning method
Procedure
Step 1 | Log in to CDO. |
Step 2 | In the left pane, click Inventory. |
Step 3 | In the top-right corner, click Onboard (). |
Step 4 | Click the FTD tile. |
Step 5 | Under Management Mode, ensure you select FTD. By selecting FTD under Management Mode, you will not be able to manage the device using the previous management platform. All existing policy configurations except for interface configurations will be reset. You must re-configure policies after you onboard the device. |
Step 6 | Select Use CLI Registration Key as the onboarding method. |
Step 7 | Enter the device name in the Device Name field and click Next. |
Step 8 | In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured, select the Default Access Control Policy. |
Step 9 | Specify whether the device you are onboarding is a physical or virtual device. If you are onboarding a virtual device, you must select the device's performance tier from the drop-down menu. |
Step 10 | Select the subscription licenses you want to apply to the device. Click Next. |
Step 11 | CDO generates a command with the registration key. Connect to the device you are onboarding using SSH. Log in as "admin" or a user with equivalent admin privileges and paste the entire registration key as is into the device's CLI. Note: For Firepower 1000, Firepower 2100, ISA 3000, and threat
defense virtual devices, open an SSH connection to the device and log in as |
Step 12 | Click Next in the CDO onboarding wizard. |
Step 13 | (Optional) Add labels to your device to help sort and filter the Inventory page. Enter a label and select the blue plus button. Labels are applied to the device after it's onboarded to CDO. |
What to do next
-
If you did not already, create a custom access control policy to customize the security for your environment. See Access Control Overview in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.
-
Enable Cisco Security Analytics and Logging (SAL) to view events in the CDO dashboard or register the device to an Secure Firewall Management Center for security analytics. See Cisco Security Analytics and Logging in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.