Onboard a Threat Defense Device

Attention

Secure Firewall device manager (FDM) support and functionality is only available upon request. If you do not already have Firewall device manager support enabled on your tenant you cannot manage or deploy to FDM-managed devices. Send a request to the support team to enable this platform.

There are different methods of onboarding a threat defense device. We recommend using the registration key method.

If you experience issues while onboarding a device, see Troubleshoot FDM-Managed Device Onboarding Using Serial Number or Failed Because of Insufficient License for more information.

Onboard a Threat Defense Device to Cloud-delivered Firewall Management Center

You can onboard threat defense devices running version 7.2 and later to the Cloud-delivered Firewall Management Center. See Onboard an FTD to the Cloud-Delivered Firewall Management Center for more information.

Onboard a Threat Defense Device with a Serial Number

This procedure is a simplified method of onboarding the Firepower 1000, Firepower 2100, or Secure Firewall 3100 series physical devices running supported versions of software. To onboard the device, you need the chassis serial number or PCA serial number of the device and ensure that the device is added to a network that can reach the internet.

You can onboard new factory-shipped devices or already configured devices to CDO.

See Onboard an FDM-Managed Device using the Device's Serial Number for more information.

Onboard a Threat Defense Device with a Registration Key

We recommend onboarding threat defense devices with a registration key. This is beneficial if your device is assigned an IP address using DHCP. If that IP address changes for some reason, your threat defense device remains connected to CDO if you have onboarded it with a registration key.

Onboard an Threat Defense Device Using Credentials

You can onboard a threat defense device using the device credentials and the IP address of the device's outside, inside, or management interface depending on how the device is configured in your network. To onboard a device with credentials, see Onboard an FDM-Managed Device Using Username, Password, and IP Address. To onboard with an interface address, see Device Addressing later in this article.

CDO needs HTTPS access to the device in order to manage it. How you allow HTTPS access to the device depends on how your device is configured in your network and whether you onboard the device using a Secure Device Connector or a Cloud Connector.

Note

If you connect to https://www.defenseorchestrator.eu and you are using software version 6.4, you must onboard the threat defense device with this method. You cannot use the registration key method.

When using device credentials to connect CDO to a device, it a best practice to download and deploy a Secure Device Connector (SDC) in your network to manage the communication between CDO and the device. Typically, these devices are non-perimeter based, do not have a public IP address, or have an open port to the outside interface. The threat defense device, when onboarded with credentials, can be onboarded to CDO using an SDC.

Note that customers also using the threat defense devie as the head-end for VPN connections will not be able to use the outside interface to manage their device.

Onboard a Threat Defense Cluster

You can onboard a threat defense device that is clustered prior to onboarding to CDO. Clustering lets you group multiple firewall threat defense units together as a single logical device that provides the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.

See Onboard a Clustered Secure Firewall Threat Defense Device.

FDM-Managed Device Configuration Prerequisites for Onboarding

FDM-Managed Device Management

You can only onboard threat defense devices that are being managed by Secure Firewall device manager (FDM). threat defense devices being managed by Secure Firewall Management Center cannot be managed by the cloud-delivered Firewall Management Center.

If the device is not configured for local management, you must switch to local management before onboarding the device. See the Switching Between Local and Remote Management chapter of the Secure Firewall Threat Defense Configuration Guide for Firepower Device Manager.

Licensing

The device must have at least an license installed before it can be onboarded to CDO although you can have a Smart License applied in some circumstances.

Onboarding Method

Secure Firewall device manager Software Version

90-day Evaluation licensed allowed?

Can the device already be smart-licensed before onboarding?

Can the device already be registered with Cisco Cloud Services before you onboarding?

Credentials (user name and password)

6.4 or later

Yes

Yes

Yes

Registration Key

6.4 or 6.5

Yes

No. Unregister the smart license and then onboard the device.

N/A

Registration Key

6.6 or later

Yes

Yes

No. Unregister the device from Cisco Cloud Services and then onboard the device.

Zero-Touch Provisioning

6.7 or later

Yes

Yes

Yes

Onboarding a device with a Serial Number

6.7 or later

Yes

Yes

Yes

See Cisco Firepower System Feature Licenses for more information.

Device Addressing

It is a best practice that the address you use to onboard the FDM-managed device is a static address. If the device's IP address is assigned by DHCP, it would be optimal to use a DDNS (dynamic domain name system) to automatically update your device's domain name entry with the new IP address of the device if it changes.

Note

FDM-managed devices do not natively support DDNS; you must configure your own DDNS.

Important

If your device gets an IP address from a DHCP server, and you do not have a DDNS server updating the FDM-managed device's domain name entry with any new IP addresses, or your device receives a new address, you can change the IP address CDO maintains for the device and then reconnect the device. Better still, onboard the device with a registration key.