Low-Touch Provisioning of a New Threat Defense Device

Low-touch provisioning is a feature that allows a new factory-shipped Firepower 1000, Firepower 2100, or Secure Firewall 3100 series device to be provisioned and configured automatically, eliminating most of the manual tasks involved with onboarding the device to CDO. Low-touch provisioning is intended for remote offices or other locations where your employees are less experienced in working with networking devices.

To use the low-touch provisioning process, you must onboard the device to CDO, connect it to a network that can reach the internet, and power on the device.

Note

You can power on the device before or after onboarding it to CDO. We recommend that you onboard the device to CDO first, and then power on the device and connect it to your branch network. When you onboard the device in CDO, the device is associated with your CDO tenant in the Cisco cloud and CDO automatically syncs the device configuration.

To claim the device, perform the following:

Procedure


Step 1

Onboard the device in CDO using the procedure described in the section. Here, you must select Default Password Not Changed because the device password hasn't been changed.

Step 2

After the device connects to the cloud, your tenant will finish the onboarding process. The device Connectivity status changes to "claiming".

Step 3

Connect the network cable to either the Ethernet 1/1 or Management 1/1 interface. Ensure that the interface has a route to the internet. Once you power on the device, it receives its IPv4 address from a DHCP server and connects to the Cisco cloud. The default configuration on the device uses DHCP to obtain an address on the outside interface.

The device automatically checks whether it has already been claimed in the Cisco cloud. In this case, since the device has already been claimed in CDO, it is assigned directly to your CDO tenant and is onboarded to CDO.

Note

If you haven't claimed the device in CDO (that is, you powered on the device before claiming it), the device is parked in the Cisco cloud until it's claimed. In this state, you can't push the device's configuration or manage the device with any management tool. Once you claim the device in CDO, CDO starts the initial provisioning and onboards the device automatically.


The device Connectivity status changes to "Online" and the Configuration status changes to "Synced". The device is onboarded to CDO.

You can see the Status LED (Firepower 1010), SYS LED (Firepower 2100), or S LED (Secure Firewall 3100) flashing green on the rear panel of the hardware. The device LED continues to flash green while it's connected to the cloud. If the device can't connect to the Cisco cloud or loses its connectivity after being connected, you can see the Status LED (Firepower 1010), SYS LED (Firepower 2100), or M LED (Secure Firewall 3100) flashing alternately green and amber.

See the video Installing Your Cisco Firepower Firewall Using Low-touch Provisioning to understand the LED indicators.

Without proceeding further on the Secure Firewall Threat Defense UI, go to the serial number onboarding wizard and onboard the device. Here, you must select Default Password Changed because the device password has already been changed. See Procedure for Onboarding FDM-Managed Device using Device Serial Number.