Onboard a Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning

Only the Firepower 1000, Firepower 2100, and Secure Firewall 3100 devices can be onboarded with the zero-touch provisioning method.

Before you begin

Confirm the following is completed prior to onboarding:

  • You have a CDO tenant. If you do not, see Request a CDO Tenant for more information.

  • An on-prem FMC must be fully set up, configured, and already recognized as a management center within your CDO tenant before onboarding any new devices.

  • The device is freshly installed but has never been logged into by either the device CLI, a management center, or the device manager.

  • The device is running version 7.2 or later. Version 7.0.3 does not support zero-touch provisioning.

Procedure

Step 1

Log in to CDO.

Step 2

In the left pane, click Inventory.

Step 3

In the top-right corner, click Onboard ().

Step 4

Click the FTD tile.

Step 5

Under Management Mode, ensure you select FTD. By selecting FTD under Management Mode, you will not be able to manage the device using the previous management platform. All existing policy configurations except for interface configurations will be reset. You must re-configure policies after you onboard the device.

Note

If you are using the 90-day Evaluation License, the number of days left is listed under the FTD and FDM toggle options. Click the Manage Subscription License link to opt into a full subscription license. See Managed Device Licensing Types for more information.

Step 6

Click Use Serial Number.

Step 7

Select an available on-prem FMC from the drop-down list. Click Next.

Note

  • On-prem FMCs running version 7.4 or later and onboarded with Cisco Security Cloud are displayed in the drop-dwon.

  • Provide the Public IP address or FQDN value of the selected on-prem FMC unless

    • The FTD is publicly reachable

    • The FTD is running a version earlier than 7.4

    • The connection is being made through the data interface

Step 8

Enter the Device Serial Number and the Device Name. Click Next.

Step 9

Choose an option depending on whether the device is logged into and configured for a manager:

  • If your device is brand new and has never been configured for a manager, click Yes, this new device has never been logged into or configured for a manager.

  • If your device has been previously registered for a manager or is still registered to a manager, click No, this device has been logged into and configured for a manager.

Step 10

Click Next.

Step 11

In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured, select the Default Access Control Policy.

Step 12

Select the subscription licenses you want to apply to the device. Click Next.

What to do next

Once the device is synchronized, select the device you just onboarded from the Inventory page and select any of the options listed under the Device Management pane located to the right. We strongly recommend the following actions:

  • If you did not already, create a custom access control policy to customize the security for your environment.

    Fo more information, see Access Control Overview.

  • Enable Cisco Security Analytics and Logging (SAL) to view events in the CDO dashboard or register the device to an Secure Firewall Management Center for security analytics.

    Fo more information, see Cisco Security Analytics and Logging.