Onboard a Threat Defense Device with Low-Touch Provisioning

Before you begin

If you onboard a device with the intention of managing it with an on-prem management center, the on-prem management center must be running version 7.4 or later. Earlier versions do not support low-touch provisioning.

Procedure


Step 1

If you are onboarding a device purchased from an external vendor, you must reimage the device first. For more information, see the "Reimage Procedures" chapter of the Cisco FXOS Troubleshooting Guide.

Step 2

Log in to CDO.

Step 3

In the navigation pane, click Inventory and click the blue plus button to Onboard a device.

Step 4

Click the FTD tile.

Important

When you attempt to onboard a device, CDO prompts you to read and accept the End User License Agreement (EULA), which is a one-time activity in your tenant. Once you accept this agreement, CDO doesn't prompt you again in subsequent onboarding. If the EULA changes in the future, you must accept it again when prompted.

Step 5

On the Onboard FTD Device screen, click Use Serial Number.

Step 6

Expand the drop-down menu and select which manager you want to onboard the device to. Select an on-prem FMC from the list and click Next. Note that the on-prem management centers included in the list are running version 7.4 or later. If you do not have an on-prem management center running that version, click + Onboard On-Prem FMC.

We strongly recommend opting to use cdFMC as the managing platform. If you do not have cdFMC enabled, click the link available to request one for your tenant.

Step 7

In the Connection step, enter the device's serial number and device name. Click Next.

Step 8

For low-touch provisioning, the device must be brand new or have been reimaged. For the Password Reset, be sure to select Yes, this new device has never been logged into or configured for a manager. Enter a new password and confirm the new password for the device, then click Next.

Step 9

For Policy Assignment, use the drop-down menu to select an access control policy to be deployed once the device is onboarded. If you do not have a customized policy, CDO auto-selects the default access control policy. Click Next.

Step 10

Select all licenses you want applied to the device. Click Next.

Step 11

(Optional) Add labels to the device. CDO applies these labels once the device successfully onboards.


What to do next

CDO starts claiming the device, and you will see the Claiming message on the right. CDO continuously polls for an hour to determine if the device is online and registered to the cloud. Once it's registered to the cloud, CDO starts the initial provisioning and onboards the device successfully. The device registration can be confirmed when the LED status flashes green on the device. If the device can't connect to the Cisco cloud or loses its connectivity after being connected, you can see the Status LED (Firepower 1000) or SYS LED (Firepower 2100) flashing alternating green and amber.

If the device is still not registered to the cloud within the first hour, a time-out occurs, and CDO then polls every 10 minutes to determine the device status and remains in the Claiming state. When the device is turned on and connected to the cloud, you don't have to wait for 10 minutes to know its onboarding status. You can click the Check Status link anytime to see the status. CDO starts the initial provisioning and onboards the device successfully.