Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center
Onboard Limitations and Requirements
Be aware of the following limitations when onboarding a device to the cloud-delivered Firewall Management Center:
-
Devices must be running version 7.0.3, or version 7.2 and later. We strongly recommend version 7.2 or later.
-
You can migrate an HA pair that is managed by an On-Prem Firewall Management Center by following the Migrate FTD to Cloud-Delivered Firewall Management Center process. Confirm both peers are in a healthy state prior to migrating.
-
Only devices that are configured for local management and are managed by a device manager can be onboarded with the serial number and zero-touch provisioning methods.
-
If the device is managed by an on-prem management center, you can either onboard the device to cloud-delivered Firewall Management Center or migrate the device. Migrating retains any existing policies and objects, whereas onboarding the device removes most policies and all objects. See Migrate FTD to Cloud-Delivered Firewall Management Center for more information.
-
If your device is currently managed by a device manager, unregister all your smart licenses before you onboard the device. Even if you switch device management, the Cisco Smart Software Manager will retain the smart licenses.
-
If you have previously onboarded a device that was managed by a device manager and deleted the device from CDO with the intention of re-onboarding for cloud management, you must register the device manager to the Security Services Exchange cloud after deleting the device. See the "Access Security Services Exchange" chapter in the Firepower and Cisco SecureX Threat Response Integration Guide.
Tip | Onboarding a device to the cloud-delivered Firewall Management Center removes any policies and most objects configured through the previous manager. If your device is currently managed by an on-prem management center, it is possible to migrate the device and retain your policies and objects. See Migrate FTD to Cloud-Delivered Firewall Management Center for more information. |
Network Requirements
Before you onboard a device, ensure the following ports have external and outbound access. Confirm the following ports on the device are allowed. If communication ports are blocked behind a firewall, onboarding the device may fail.
Note | You cannot configure these ports in the CDO UI. You must enable these ports through the device's SSH. |
Port |
Protocol / Feature |
Details |
---|---|---|
443/tcp |
HTTPS |
Send and receive data from the internet. |
443 |
HTTPS |
Communicate with the AMP cloud (public or private) |
8305/tcp |
Appliance communications |
Securely communicate between appliances in a deployment. |
Management and Data Interfaces
Make sure your device is correctly configured with either a management or data interface.
To configure a management or data interface on your device, see Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI.