Onboard a Secure Firewall Threat Defense Device With Zero-Touch Provisioning

Caution

While the device is being onboarded in CDO, we recommend that you not perform the device easy setup using the Secure Firewall device manager. Doing so causes a provisional error in CDO.

Before you begin

  • The threat defense device must not be previously or currently managed by Firewall Device Manager or Management Center. If the device is currently managed by a platform, see Onboard a Configured FDM-Managed Device using the Device's Serial Number.

  • If you onboard a device with the intention of managing it with an on-prem management center, the on-prem management center must be running version 7.4 or later.

Procedure


Step 1

If you are onboarding a device purchased from an external vendor, you must reimage the device first. For more information, see the "Reimage Procedures" chapter of the Cisco FXOS Troubleshooting Guide.

Step 2

Log in to CDO.

Step 3

In the navigation pane, click Inventory and click the blue plus button to Onboard a device.

Step 4

Click the FTD tile.

Important

When you attempt to onboard a device, CDO prompts you to read and accept the End User License Agreement (EULA), which is a one-time activity in your tenant. Once you accept this agreement, CDO doesn't prompt for it again in subsequent onboarding. If the EULA changes in the future, you must accept it again when prompted.

Step 5

On the Onboard FTD Device screen, click Use Serial Number.

Step 6

In the Select FMC step, use the drop-down menu to select an on-prem management center that has already been onboarded to CDO. Click Next.

The on-prem management center must be running version 7.4 or higher. If you do not have an on-prem management center onboarded, click +Onboard On-Prem FMC for the onboarding wizard.

Step 7

In the Connection step, enter the device's serial number and device name. Click Next.

Step 8

For zero-touch provisioning, the device must be brand new or have been reimaged. For the Password Reset, be sure to select Yes, this new device has never been logged into or configured for a manager. Enter a new password and confirm the new password for the device, then click Next.

Step 9

For Policy Assignment, use the drop-down menu to select an access control policy to be deployed once the device is onboarded. If you do not have a customized policy, CDO auto-selects the default access control policy. Click Next.

Step 10

Select all licenses you want to apply to the device. Click Next.

Step 11

(Optional) Add labels to the device. CDO applies these labels once the device successfully onboards.


What to do next

CDO starts claiming the device, and you will see the Claiming message on the right. CDO continuously polls for an hour to determine if the device is online and registered to the cloud. Once it's registered to the cloud, CDO starts the initial provisioning and onboards the device successfully. The device registration can be confirmed when the LED status flashes green on the device. If the device can't connect to the Cisco cloud or loses its connectivity after being connected, you can see the Status LED (Firepower 1000) or SYS LED (Firepower 2100) flashing alternately green and amber.

If the device is still not registered to the cloud within the first hour, a time-out occurs, and CDO then polls every 10 minutes to determine the device status while remaining in the Claiming state. When the device is turned on and connected to the cloud, you don't have to wait for 10 minutes to know its onboarding status. You can click the Check Status link anytime to see the status. CDO starts the initial provisioning and onboards the device successfully.