Onboard a Device with a CLI Registration Key

Use the procedure below to onboard a device for cloud-delivered Firewall Management Center with a CLI registration key.


If your device is currently managed by an on-prem management center, onboarding the device will fail. You can either delete the device from the on-prem management center and onboard as a fresh, new device with no policies or objects, or you can migrate the device and retain the existing policies and objects. See Migrate FTD to Cloud-Delivered Firewall Managmenet Center for more information.

Before you begin

Before you onboard a device, be sure to complete the following tasks:


Step 1

Log in to CDO.

Step 2

In the navigation pane, click Inventory and click the blue plus button.

Step 3

Select the FTD tile.

Step 4

Under Management Mode, be sure FTD is selected.


By selecting FTD under Management Mode, you will not be able to manage the device using the previous managing platform. All existing policy configurations except for interface configurations will be reset. You must re-configure policies after you onboard the device.

If you want the device to maintain management from the Firepower Device Manager, select FDM and see Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key for more information.

Step 5

Select Use CLI Registration Key as the onboarding method.

Step 6

Enter the device name in the Device Name field and click Next.

Step 7

In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured, select the Default Access Control Policy.

Step 8

Specify whether the device you are onboarding is a physical or virtual device. If you are onboarding a virtual device, you must select the device's performance tier from the drop-down menu.

Step 9

Select the licenses you want applied to the device. Click Next.

Step 10

CDO generates a command with the registration key. Paste the entire registration key as is into the device's CLI.

Note: For Firepower 1000, Firepower 2100, ISA 3000, and FTDv devices, open an SSH connection to the device and log in as admin. Copy the entire registration command and paste it into the device's CLI interface at the prompt. In the CLI, enter Y to complete the registration. If your device was previously managed by FDM, enter Yes to confirm the submission.

Step 11

Click Next in the CDO onboarding wizard.

Step 12

(Optional) Add labels to your device to help sort and filter the Inventory page. Enter a label and select the blue plus button. Labels are applied to the device after it's onboarded to CDO.

What to do next

From the Inventory page, select the device you just onboarded and select any of the options listed under the Management pane located to the right. We strongly recommend the following actions:
  • Create a custom access control policy to customize the security for your environment. See the Access Control Policies chapter for more information.

  • Enable Cisco Security Analytics and Logging (SAL) to view events in the CDO dashboard or register the device to an Firepower Management Center for security analytics. See the Cisco Security Analytics and Logging chapter for more information.