Onboard ASA Device to Security Cloud Control

Use this procedure to onboard a single live ASA device, not an ASA model, to Security Cloud Control. If you want to onboard multiple ASAs at once, refer to Onboard ASAs in Bulk.

Before you begin

Device Prerequisites
  • Review Allow inbound access for direct cloud connectivity.

  • The device must be running version 8.4 or later.

    Note

    TLS 1.2 became available for the ASA management plane in version 9.3(2). To onboard to Security Cloud Control using version 9.3(2), a local SDC is required.

  • The running configuration file of your ASA must be less than 4.5 MB.

    To confirm the size of your running configuration file, refer to Confirming ASA Running Configuration Size.

  • IP addressing: Each ASA, ASAv, or ASA security context must have a unique IP address, and the SDC must connect to it on the interface configured to receive management traffic.

Certificate Prerequisites

If your ASA device does not have a compatible certificate, onboarding the device may fail. Make sure that these requirements are met:

  • The device must use TLS version 1.0 or later.

  • The certificate presented by the device must not be expired, and its issuance date must be in the past; that is, the certificate must already be valid, not scheduled to become valid at a later date.

  • The certificate must be a SHA-256 certificate. SHA-1 certificates are not accepted.

  • One of the following conditions must be met:

    • The device uses a self-signed certificate, and it is the same as the most recent one trusted by an authorized user.

    • The device uses a certificate signed by a trusted Certificate Authority (CA) and provides a certificate chain that links the presented leaf certificate to the relevant CA.

For more information about certificate errors during the onboarding process, refer to Cannot onboard ASA due to certificate error.

OpenSSL Cipher Prerequisites

If the device does not have a compatible SSL cipher suite, it cannot successfully communicate with the Secure Device Connector (SDC). Use any of these cipher suites:

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • DHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-SHA256

  • DHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • DHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA256

  • DHE-RSA-AES256-SHA256

If the cipher suite you use on your ASA is not in this list, it is not supported by the SDC. You must update the cipher suite on your ASA.
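Added example, not part of this Cisco documentation or of Security Cloud Control: a small Python checker that evaluates what a device presents against the prerequisites above (TLS 1.0 or later, a cipher suite from the list, a SHA-256 signed certificate that is already valid and not expired, and a running configuration under 4.5 MB) before you attempt onboarding. All function and parameter names are the example's own; it assumes the certificate dates and signature algorithm are taken from `openssl x509 -noout -dates -text` output, the cipher and protocol from a TLS probe of the management interface, and the sample values in the demo are constructed.

```python
"""Offline pre-onboarding checker for the ASA prerequisites listed above.

Example code added here; it is not Security Cloud Control or ASA code.
Certificate fields are assumed to come from `openssl x509 -noout -dates -text`
(hypothetical workflow); cipher and protocol from a TLS probe of the device.
"""
import socket
import ssl
import time

# Cipher suites the SDC accepts (OpenSSL names), exactly as listed in the prerequisites.
SUPPORTED_CIPHERS = frozenset({
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA256",
})

# TLS 1.0 or later, as the certificate prerequisites require.
ACCEPTED_TLS_VERSIONS = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})

# The running configuration must be smaller than 4.5 MB.
MAX_RUNNING_CONFIG_BYTES = int(4.5 * 1024 * 1024)

FAILURE_TEXT = {
    "tls-version": "device negotiated a protocol older than TLS 1.0",
    "cipher": "negotiated cipher suite is not one the SDC supports",
    "signature": "certificate is not SHA-256 signed (SHA-1 is rejected)",
    "not-yet-valid": "certificate issuance date (notBefore) is in the future",
    "expired": "certificate has expired (notAfter is in the past)",
    "config-size": "running configuration is not smaller than 4.5 MB",
}


def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            dates[key.strip()] = value.strip()
    return dates["notBefore"], dates["notAfter"]


def check_prerequisites(cipher, tls_version, signature_algorithm,
                        not_before, not_after, running_config_bytes, now=None):
    """Return the list of failed prerequisite codes; an empty list means the device passes.

    not_before/not_after use OpenSSL's date format, e.g. "Jan  5 09:34:43 2018 GMT".
    `now` is epoch seconds (defaults to the current time); pass it explicitly for tests.
    """
    now = time.time() if now is None else now
    failures = []
    if tls_version not in ACCEPTED_TLS_VERSIONS:
        failures.append("tls-version")
    if cipher not in SUPPORTED_CIPHERS:
        failures.append("cipher")
    # OpenSSL prints e.g. "sha256WithRSAEncryption" or "ecdsa-with-SHA256".
    if "sha256" not in signature_algorithm.lower():
        failures.append("signature")
    if ssl.cert_time_to_seconds(not_before) > now:
        failures.append("not-yet-valid")
    if ssl.cert_time_to_seconds(not_after) < now:
        failures.append("expired")
    if running_config_bytes >= MAX_RUNNING_CONFIG_BYTES:
        failures.append("config-size")
    return failures


def probe_tls(host, port=443, timeout=10):
    """Live helper (not run offline): return the cipher, protocol and DER cert the device presents.

    Verification is disabled because the certificate is being inspected, not trusted.
    Recent Python versions disable TLS 1.0/1.1 in the default context, so a handshake
    failure here is itself a sign the device is limited to an older protocol.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol, tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed sample values standing in for a real device's output.
    nb, na = parse_openssl_dates(
        "notBefore=Jan  5 09:34:43 2028 GMT\nnotAfter=Jan  5 09:34:43 2038 GMT\n")
    for code in check_prerequisites("AES256-SHA", "TLSv1.2", "sha1WithRSAEncryption",
                                    nb, na, 5_000_000):
        print(f"FAIL {code}: {FAILURE_TEXT[code]}")
```

Run it against the values of your own device (cipher and protocol from `probe_tls`, dates and signature algorithm from the `openssl x509` text) and fix every reported code before starting the onboarding wizard; an empty list means the prerequisites on this page are met, though it does not replace the certificate-chain trust decision made during onboarding itself.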

Procedure
Step 1

Choose Security Devices.

Step 2

Click the Onboard device or service icon.

Step 3

Click the ASA tile.

Step 4

In the Locate Device step, perform the following:

  1. Click the Secure Device Connector button and select a Secure Device Connector installed in your network. If you do not want to use an SDC, Security Cloud Control can connect to your ASA using the Cloud Connector. The method you select depends on how you connect Security Cloud Control to your managed devices.

  2. Enter a name for the device.

  3. Enter the location of the device or service (IP address, FQDN, or URL). The default port is 443.

  4. Click Next.

Step 5

In the Credentials step, enter the username and password of the ASA administrator, or of a comparable highest-privilege ASA user, that Security Cloud Control will use to connect to the device, and click Next.

Step 6

(Optional) You can enter a label for the device in the Done step. This label lets you filter your list of devices. For more information about labels and label groups, refer to Labels and Label Groups.

Step 7

After labeling your device or service, you can view it in the Security Devices list.

Note

Analyzing the configuration may take some time, depending on its size and the number of devices or services.