Onboard an On-Premises Management Center to Security Cloud Control
Security Cloud Control provides the following methods to onboard on-premises management centers:
- (Recommended) Auto discover and onboard on-premises management center integrated with Cisco Security Cloud
Review Connect Security Cloud Control to your Managed Devices for more information.
Note: Security Cloud Control complements FMC by allowing you to:
Limitations and Guidelines
These are the limitations applicable to onboarding an on-premises management center:
- Onboarding an on-premises management center also onboards all of the devices registered to the on-premises management center. Be aware that if a managed device is disabled or unreachable, Security Cloud Control may display the device in the Security Devices page, but cannot successfully send requests or view device information.
- We recommend creating a new user on the on-premises management center specifically for Security Cloud Control communication that has administrator-level permissions. If you onboard an on-premises management center and then simultaneously log in to that on-premises management center with the same login credentials, onboarding fails.
- If you create a new user on the on-premises management center for Security Cloud Control communication, that user's Maximum Number of Failed Logins setting must be set to "0".
- For On-Premises Management Centers running version 7.4 and older, if you experience a switchover and the FMC is no longer connected to the cloud, try disabling SecureX and then re-enabling it.
Auto-Onboard an On-Premises Management Center Integrated with Cisco Security Cloud
The auto-discovery and onboarding feature is enabled by default in Security Cloud Control, so all on-premises management centers that are running Version 7.2 or later and are integrated with Cisco Security Cloud are automatically discovered and onboarded to Security Cloud Control. Additionally, the associated threat defense devices are onboarded to Security Cloud Control.
Security Cloud Control also onboards the on-premises management center high availability (HA) pair.
Before you begin
- Allow outbound traffic from port 443 on the on-premises management center.
Procedure
Step 1: Integrate the on-premises management center you want to onboard with Cisco Security Cloud and register it with a Security Cloud Control tenant. See Integrate On-Premises Management Center With Cisco Security Cloud.
Step 2: Log in to the Security Cloud Control tenant that was registered with the on-premises management center.
Step 3: In the left pane, click . All on-premises management centers associated with your tenant are displayed in the FMC tab. See View Onboarded On-Premises Firewall Management Center.
Integrate On-Premises Management Center With Cisco Security Cloud
This procedure describes how to integrate the on-premises management center with Cisco Security Cloud. By enabling Cisco Security Cloud integration, your management center gets registered to the Cisco cloud tenancy.
Before you begin
- Security Cloud Control uses Cisco Security Cloud Sign On as its identity provider and Duo for multifactor authentication. Ensure that you have your Cisco Security Cloud Sign On credentials and can sign in to the Cisco regional cloud where your account was created.
- A Security Cloud Control tenant is required to integrate the on-premises management center with Cisco Security Cloud. If you do not already have a Security Cloud Control tenant, request one. See Create a Security Cloud Control Tenant for more information.
Procedure
Step 1: In your on-premises management center, perform the following:
Step 2: For on-premises management center versions between 7.2 and 7.4.x, click Enable SecureX. For on-premises management center version 7.6 or later, click Cisco Security Cloud. A separate browser tab opens to log you in to your Security Cloud Control account. Make sure this page is not blocked by a pop-up blocker.
Step 3: Click Continue to Cisco SSO.
Step 4: Log in to your Security Cloud Control account. If you do not have a Security Cloud Sign On account to log in to Security Cloud Control and you want to create one, click Sign up now in the Security Cloud Sign On page. See Create a New Cisco Security Cloud Sign On Account.
Step 5: Choose a Security Cloud Control tenant that you want to use for this integration. The on-premises management center and the managed devices get onboarded to the Security Cloud Control tenant that you choose here. If you do not already have a Security Cloud Control tenant or if you want to use a new tenant for this integration, create a new tenant. See Create a Security Cloud Control Tenant for more information.
Step 6: Verify that the code displayed in the Security Cloud Control login page matches the code provided by the on-premises management center.
Step 7: Click Authorize FMC.
Step 8: In the on-premises management center UI, click Save to save the configuration. You can view the task progress under . The registration task can take up to 90 seconds to complete. If you must use the on-premises management center while the registration task is in progress, open the on-premises management center in a new window.
Disable Auto-Onboarding of an On-Premises Management Center
Disabling the auto-onboarding functionality prevents new on-premises management centers from being auto-onboarded from your Cisco Security Cloud to this Security Cloud Control tenant.
Only a Super Admin or Admin user on Security Cloud Control can enable or disable this functionality.
Procedure
Step 1: In the left pane, click
Step 2: In the General Settings screen, click the Auto onboard On-Prem FMCs with Cisco Security Cloud toggle button to disable the auto onboarding of on-premises management center functionality.
Step 3: Click Confirm.
Onboard an On-Premises Firewall Management Center to Security Cloud Control with Credentials
To onboard an on-premises management center to Security Cloud Control with credentials, follow this procedure:
Before you begin
The following prerequisites must be met:
- For Cloud Secure Device Connector (SDC): Allow inbound traffic on port 443 of the on-premises management center.
  Allowing inbound traffic on port 443 lets the SDC reach the on-premises management center.
  Both Security Cloud Control and the SDC are hosted in the cloud.
- For On-Premises Secure Device Connector (SDC): Allow outbound connectivity on port 443 of the SDC.
  The SDC requires connectivity to Security Cloud Control, making it imperative to permit outbound traffic from the SDC to Security Cloud Control. No additional port configuration is required on the on-premises FMC.
Procedure
Step 1: In the left pane, click .
Step 2: Click to onboard an on-premises management center.
Step 3: Click Firewall Management Center.
Step 4: Select the Use Credentials card.
Step 5: Click the Secure Device Connector button and select an SDC installed in your network. If you would rather not use an SDC, Security Cloud Control can connect to your on-premises management center using the Cloud Connector. Your choice depends on how you connect Security Cloud Control to your managed devices.
Step 6: Enter the device name and location. Click Next.
Step 7: Enter the Username and Password of the account credentials you want to use to access the on-premises management center. Click Next.
Step 8: The device is onboarded. From here you can opt to add labels to your on-premises management center, or click Go to Services to view the page of onboarded devices. If healthy, the FMC is displayed with a Synced status.
Redirect Security Cloud Control to an On-Premises Firewall Management Center
After you have onboarded an On-Premises Management Center to Security Cloud Control, you must update the management interface's hostname in the On-Premises Management Center UI to contain the FQDN. If you do not, you cannot cross-launch from Security Cloud Control.
Use the following procedure to update the management interface hostname and redirect from Security Cloud Control to the On-Premises Management Center:
Procedure
Step 1: Log in to the On-Premises Management Center UI.
Step 2: Navigate to .
Step 3: Select the Management Interfaces tab.
Step 4: Expand the Shared Settings header and click the edit icon.
Step 5: Locate the Hostname field and enter the FMC's FQDN.
Step 6: Save changes. Note: You may have to log out of Security Cloud Control before you can click Manage Devices in Firepower Management Center and cross-launch to the On-Premises Management Center UI.