Onboard a Secure Firewall Threat Defense Device With Zero-Touch Provisioning
Caution: When the device is being onboarded in Security Cloud Control, we recommend that you not perform the device easy setup using the Secure Firewall device manager. Doing so causes a provisional error in Security Cloud Control.
Before you begin
- The threat defense device must not be previously or currently managed by Firewall Device Manager or Management Center.
- You have an active SecureX account. If you do not have a SecureX account, see SecureX and Security Cloud Control for more information.
- Your Security Cloud Control and SecureX accounts are merged. See Link Your Cisco Security Cloud Control and SecureX or Cisco XDR Tenant Accounts for more information.
- If you onboard a device with the intention of managing it with an on-premises management center, the on-premises management center must be running version 7.4 or later.
Procedure
Step 1. If you are onboarding a device purchased from an external vendor, you must reimage the device first. For more information, see the "Reimage Procedures" chapter of the Cisco FXOS Troubleshooting Guide.
Step 2. Log in to Security Cloud Control.
Step 3. In the navigation pane, click Security Devices.
Step 4. Click the blue plus button to Onboard a device.
Step 5. Click the FTD tile.
Step 6. On the Onboard FTD Device screen, click Use Serial Number.
Step 7. In the Select FMC step, use the drop-down menu to select an on-premises management center that has already been onboarded to Security Cloud Control. Click Next. The on-premises management center must be running version 7.4 or higher. If you do not have an on-premises management center onboarded, click +Onboard On-Prem FMC for the onboarding wizard.
Step 8. In the Connection step, enter the device's serial number and device name. Click Next.
Step 9. For zero-touch provisioning, the device must be brand new or have been reimaged. For the Password Reset, be sure to select Yes, this new device has never been logged into or configured for a manager. Enter a new password and confirm the new password for the device, then click Next.
Step 10. For Policy Assignment, use the drop-down menu to select an access control policy to be deployed once the device is onboarded. If you do not have a customized policy, Security Cloud Control auto-selects the default access control policy. Click Next.
Step 11. Select all licenses you want to apply to the device. Click Next.
Step 12. (Optional) Add labels to the device. Security Cloud Control applies these labels once the device successfully onboards.
What to do next
Security Cloud Control starts claiming the device, and you will see the Claiming message on the right. Security Cloud Control continuously polls for an hour to determine if the device is online and registered to the cloud. Once it's registered to the cloud, Security Cloud Control starts the initial provisioning and onboards the device successfully. The device registration can be confirmed when the LED status flashes green on the device. If the device can't connect to the Cisco cloud or loses its connectivity after being connected, you can see the Status LED (Firepower 1000) or SYS LED (Firepower 2100) flashing alternately green and amber.
If the device is still not registered to the cloud within the first hour, a time-out occurs, and Security Cloud Control then polls every 10 minutes to determine the device status and remains in the Claiming state. When the device is turned on and connected to the cloud, you don't have to wait for 10 minutes to know its onboarding status. You can click the Check Status link anytime to see the status. Security Cloud Control starts the initial provisioning and onboards the device successfully.