Onboard an On-Prem Management Center to CDO
CDO provides the following methods to onboard on-prem management centers:
- (Recommended) Auto-discover and onboard an on-prem management center integrated with Cisco Security Cloud
Review Connect Cisco Defense Orchestrator to your Managed Devices for more information.
Limitations and Guidelines
These are the limitations applicable to onboarding an on-prem management center:
- Onboarding an on-prem management center also onboards all of the devices registered to the on-prem management center. Be aware that if a managed device is disabled or unreachable, CDO may display the device in the Inventory page but cannot successfully send requests to it or view device information.
- We recommend creating a new user on the on-prem management center specifically for CDO communication that has administrator-level permissions. If you onboard an on-prem management center and then simultaneously log in to that on-prem management center with the same login credentials, onboarding fails.
- If you create a new user on the on-prem management center for CDO communication, the Maximum Number of Failed Logins setting in the user configuration must be set to "0".
Auto-Onboard an On-Prem Management Center Integrated with Cisco Security Cloud
The auto-discovery and onboarding feature is enabled by default in CDO, so all on-prem management centers that are running Version 7.2 or later and are integrated with Cisco Security Cloud are automatically discovered and onboarded to CDO. The threat defense devices managed by those on-prem management centers are also onboarded to CDO. Onboarding the active member of an on-prem management center high availability (HA) pair to CDO is also supported.
Before you begin
- Allow outbound traffic on port 443 from the on-prem management center.
Procedure
Step 1: Integrate the on-prem management center with Cisco Security Cloud and register it with a CDO tenant. To integrate an on-prem management center running a version between 7.2 and 7.4.x with Cisco Security Cloud, see Cisco Secure Firewall Management Center (Version 7.2 to Version 7.4.x) for steps and more information.
Step 2: Log in to the CDO tenant that was registered with the on-prem management center.
Step 3: In the left pane, choose Tools & Services > Firewall Management Center. All on-prem management centers associated with your tenant are displayed in the FMC tab.
Disable Auto-Onboarding of an On-Prem Management Center
Disabling the auto-onboarding functionality prevents new on-prem management centers from your Cisco Security Cloud from being automatically onboarded to this CDO tenant.
Only a Super Admin or Admin user on CDO can enable or disable this functionality.
Procedure
Step 1: In the left pane, choose Settings > General Settings.
Step 2: In the General Settings screen, click the Auto onboard On-Prem FMCs with Cisco Security Cloud toggle button to disable the auto-onboarding of on-prem management centers.
Step 3: Click Confirm.
Onboard an On-Prem Firewall Management Center to CDO with Credentials
To onboard an On-Prem Firewall Management Center to CDO with credentials, follow this procedure:
Before you begin
Make sure you allow proper port access on your on-prem management center:
- Allow inbound connectivity on port 443 if you are onboarding the on-premises FMC using an on-premises Secure Device Connector (SDC).
- Allow outbound connectivity on port 443 if you are onboarding the FMC using the Cloud Connector.
Procedure
Step 1: In the left pane, click .
Step 2: Click to onboard an On-Prem Firewall Management Center.
Step 3: Click Firewall Management Center.
Step 4: Select the Use Credentials card.
Step 5: Click the Secure Device Connector button and select an SDC installed in your network. If you would rather not use an SDC, CDO can connect to your On-Prem Management Center using the Cloud Connector. Your choice depends on how you connect CDO to your managed devices.
Step 6: Enter the device name and location. Click Next.
Step 7: Enter the Username and Password of the account credentials you want to use to access the On-Prem Management Center. Click Next.
Step 8: The device is onboarded. From here you can opt to add labels to your On-Prem Management Center, or click Go to Services to view the page of onboarded devices. If healthy, the FMC is displayed with a Synced status.
Redirect CDO to an On-Prem Firewall Management Center
After you have onboarded an On-Prem Management Center to CDO, you must update the management interface's hostname in the On-Prem Management Center UI to contain the FQDN. If you do not, you cannot cross-launch from CDO.
Use the following procedure to update the management interface hostname and redirect from CDO to the On-Prem Management Center:
Procedure
Step 1: Log in to the On-Prem Management Center UI.
Step 2: Navigate to .
Step 3: Select the Management Interfaces tab.
Step 4: Expand the Shared Settings header and click the edit icon.
Step 5: Locate the Hostname field and enter the FMC's FQDN.
Step 6: Save changes. Note: You may have to log out of CDO before you can click Manage Devices in Firepower Management Center and cross-launch to the On-Prem Management Center UI.