The domains feature allows you to implement multitenancy within a Firepower System deployment by segmenting user access to managed devices, configurations, and events. You can create up to 50 subdomains under a top-level Global domain, in two or three levels.

When you log into the Firepower Management Center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.

In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain.

The system limits other tasks to leaf domains, which are domains with no subdomains. For example, managed devices must belong to leaf domains. After you register a device to the Firepower Management Center, you perform all device management tasks from the device's leaf domain.
Tip: Each task topic in this guide has a Supported Domains value that indicates the domain levels where you can perform the task.
Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain's devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.
One Domain Level: Global

If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which is by definition a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.
Two Domain Levels: Global and Second-Level (Leaf)

In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single Firepower Management Center to manage network security for multiple customers:

- Administrators at the MSSP can log into the Global domain to manage all customers' deployments.
- Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.
Three Domain Levels: Global, Second-Level, and Third-Level (Leaf)

In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer, already restricted to a subdomain, wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:

- Administrators for the customer can log into a second-level subdomain to manage the customer's entire deployment.
- Administrators for the customer's edge network can log into a leaf domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer's internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.
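To make the rules above concrete, here is an added Python model of the domain hierarchy (example code, not Cisco's; the domain and device names are constructed) that enforces the three-level limit, the 50-subdomain limit and the leaf-domain-only rule for devices, and shows that an administrator logged into a domain sees only devices in that domain's subtree. The rule that a domain already holding devices cannot be given subdomains is a modelling assumption, not something the text states.

```python
from dataclasses import dataclass, field
MAX_SUBDOMAINS = 50  # total subdomains under Global (from the page)
MAX_LEVELS = 3       # Global, second-level, third-level (leaf)


@dataclass
class Domain:
    name: str
    level: int = 1                    # Global is level 1
    parent: "Domain | None" = None
    children: dict = field(default_factory=dict)
    devices: set = field(default_factory=set)

    def is_leaf(self) -> bool:        # leaf domain: no subdomains
        return not self.children

    def subtree(self):                # this domain and every descendant
        yield self
        for child in self.children.values():
            yield from child.subtree()

    def add_subdomain(self, name: str) -> "Domain":
        if self.level >= MAX_LEVELS:
            raise ValueError(f"{self.name} is level {self.level}; only {MAX_LEVELS} levels allowed")
        root = self
        while root.parent is not None:
            root = root.parent
        if sum(1 for _ in root.subtree()) - 1 >= MAX_SUBDOMAINS:
            raise ValueError(f"limit of {MAX_SUBDOMAINS} subdomains reached")
        if self.devices:  # assumption: a domain holding devices cannot become a parent
            raise ValueError(f"move devices out of {self.name} before adding subdomains")
        child = self.children[name] = Domain(name, self.level + 1, self)
        return child

    def register_device(self, device: str) -> None:
        if not self.is_leaf():        # managed devices must belong to leaf domains
            raise ValueError(f"{self.name} is not a leaf domain")
        self.devices.add(device)


def visible_devices(current_domain: Domain) -> set:
    """Devices an administrator logged into current_domain can see: its subtree only."""
    return set().union(*(d.devices for d in current_domain.subtree()))


def mssp_example() -> dict:
    """Constructed three-level deployment: one MSSP customer with edge and internal leaf domains."""
    g = Domain("Global")
    customer = g.add_subdomain("CustomerA")
    edge, internal = customer.add_subdomain("Edge"), customer.add_subdomain("Internal")
    edge.register_device("ftd-edge-1")
    internal.register_device("ftd-internal-1")
    return {"Global": g, "CustomerA": customer, "Edge": edge, "Internal": internal}
```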