Onboard an On-Premises Firewall Management Center to Security Cloud Control
Security Cloud Control provides two methods to onboard on-premises Firewall Management Centers.
- Preferred method (direct onboarding without Secure Device Connector): Auto-discover and onboard an on-premises Firewall Management Center integrated with Cisco Security Cloud. This direct method is recommended because most cloud assist features are supported only when the on-premises Firewall Management Center is onboarded directly, without a Secure Device Connector (SDC). Direct onboarding provides full access to cloud assist capabilities, such as zero-touch provisioning, centralized device visibility, and policy optimization. This is the preferred method for most use cases. For more information about integrating an on-premises Firewall Management Center with Cisco Security Cloud, refer to Integrate an On-Premises Firewall Management Center With Cisco Security Cloud.
- Alternative method (using SDC): Using on-premises Firewall Management Center credentials with an SDC is supported but intended only for very rare use cases. Onboarding with an SDC limits access to many of the cloud assist features available with direct onboarding. Choose SDC if direct onboarding is not possible.
For more information, see Allow inbound access for direct cloud connectivity.
Security Cloud Control complements FMC by enabling:
- Consistent policy enforcement through shared object management with FMCs. For more information, see the Objects section in Managing On-Prem Firewall Management Center with Security Cloud Control.
- Zero-touch provisioning of Firewall Threat Defense devices. For more information, refer to Onboard a Device to On-Premises Firewall Management Center with Zero-Touch Provisioning.
- Centralized visibility and management of security devices. For more information, refer to Device and Service Management.
- Integration with cloud Cisco Secure Dynamic Attributes Connector (CSDC) and Cloud-Delivered Firewall Management Center. For more information, refer to Cisco Secure Dynamic Attributes Connector.
Limitations and Guidelines
- Onboarding an on-premises Firewall Management Center also onboards all devices registered to it. Disabled or unreachable devices may appear in the Security Devices page in Security Cloud Control but cannot be managed or queried.
- Onboarding does not cascade policies from the on-premises Firewall Management Center to Security Cloud Control or Cloud-Delivered Firewall Management Center. To migrate Firewall Threat Defense devices to Cloud-Delivered Firewall Management Center, use the built-in Migrate FTD to cdFMC feature. For more information, refer to Migrate Threat Defense to Cloud-delivered Firewall Management Center.
- We recommend creating a dedicated user on the on-premises Firewall Management Center with administrator-level permissions specifically for Security Cloud Control communication. If you log in to the on-premises Firewall Management Center with the same credentials during onboarding, the process will fail. This recommendation applies only to credentials-based onboarding, not to direct integration.
- For this dedicated user, set the Maximum Number of Failed Logins to zero.
- For on-premises Firewall Management Centers version 7.4 or later, if a switchover causes a loss of cloud connectivity, disable and then re-enable SecureX, Security Cloud Control, or Cisco Security Cloud (depending on your version) to restore the connection.