Domain Management

The following topics describe how to manage multitenancy using domains:

Introduction to Multitenancy Using Domains

The domains feature allows you to implement multitenancy within a Firepower System deployment, by segmenting user access to managed devices, configurations, and events. You can create up to 50 subdomains under a top-level Global domain, in two or three levels.

When you log into the Firepower Management Center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.

In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain.

The system limits other tasks to leaf domains, which are domains with no subdomains. For example, managed devices must belong to leaf domains. After you register a device to the Firepower Management Center, you perform all device management tasks from the device’s leaf domain.


Tip

Each task topic in this guide has a Supported Domains value that indicates the domain levels where you can perform the task.

Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain’s devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.

One Domain Level: Global

If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which is by definition a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.

Two Domain Levels: Global and Second-Level (Leaf)

In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single Firepower Management Center to manage network security for multiple customers:

  • Administrators at the MSSP can log into the Global domain to manage all customers’ deployments.

  • Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.

Three Domain Levels: Global, Second-Level, and Third-Level (Leaf)

In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer—already restricted to a subdomain—wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:

  • Administrators for the customer can log into a second-level subdomain to manage the customer’s entire deployment.

  • Administrators for the customer’s edge network can log into a leaf domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer’s internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.

Domains Terminology

This documentation uses the following terms when describing domains and multidomain deployments:

Global Domain

In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain. Administrators in the Global domain can manage the entire Firepower System deployment.

Subdomain

A second or third-level domain.

Second-level domain

A child of the Global domain. Second-level domains can be leaf domains, or they can have subdomains.

Third-level domain

A child of a second-level domain. Third-level domains are always leaf domains.

Leaf domain

A domain with no subdomains. Each device must belong to a leaf domain.

Descendant domain

A domain descending from the current domain in the hierarchy.

Child domain

A domain’s direct descendant.

Ancestor domain

A domain from which the current domain descends.

Parent domain

A domain’s direct ancestor.

Sibling domain

A domain with the same parent.

Current domain

The domain you are logged into now. The system displays the name of the current domain before your user name at the top right of the web interface. Unless your user role is restricted, you can edit configurations in the current domain.

Domain Properties

To modify a domain's properties, you must have Administrator access in that domain's parent domain.

Name and Description

Each domain must have a unique name within its hierarchy. A description is optional.

Parent Domain

Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.

Devices

Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device.

In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.

Host Limit

The number of hosts a Firepower Management Center can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but have separate network maps.

To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0, the domain shares in the general pool.

Setting the host limit has a different effect at each domain level:

  • Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.

  • Second Level — For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.

  • Global — For the Global domain, the host limit is equal to the total number of hosts a Firepower Management Center can monitor. You cannot change it

The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.

The network discovery policy controls what happens when you detect a new host after you reach the host limit; you can drop the new host, or replace the host that has been inactive for the longest time. Because each leaf domain has its own network discovery policy, each leaf domain governs its own behavior when the system discovers a new host.

If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.

Managing Domains

Smart License

Classic License

Supported Device

Supported Domains

Access

Any

Any

Any

Any

Admin

To modify a domain's properties, you must have Administrator access in that domain's parent domain.

Procedure
    Step 1   Choose System > Domains.
    Step 2   Manage your domains:
    • Add — Click Add Domain, or click the Add Subdomain icon next to the parent domain; see Creating a New Domain.
    • Edit — Click the edit icon () next to the domain you want to modify; see Domain Properties.
    • Delete — Click the delete icon () next to the empty domain you want to delete, then confirm your choice. Move devices from domains you want to delete by editing their destination domain.
    Step 3   Click Save to save the domain configuration.

    You cannot save until you assign all devices to leaf domains.

    What to Do Next

    Creating a New Domain

    Smart License

    Classic License

    Supported Device

    Supported Domains

    Access

    Any

    Any

    Any

    Global & second-level

    Admin

    You can create one or two levels of subdomain below the Global domain. You can have a total of 50 domains, including the Global domain.

    You must assign all devices to a leaf domain before you can save the domain configuration. When you add a subdomain to a leaf domain, the domain stops being a leaf domain and you must reassign its devices.

    Procedure
      Step 1   In a Global or a second-level domain, choose System > Domains.
      Step 2   Click Add Domain, or click the Add Subdomain icon next to the parent domain.
      Step 3   Enter a Name and Description.
      Step 4   Choose a Parent Domain.
      Step 5   On the Devices tab, choose the Available Devices to add to the domain, then click Add to Domain or drag and drop into the list of Selected Devices.
      Step 6   Optionally, click the Advanced tab to limit the number of hosts the new domain may monitor; see Domain Properties.
      Step 7   Click Save to create the new domain. The system warns you if any devices are assigned to non-leaf domains. Click Create New Domain to create a new domain, or Keep Unassigned to cancel.
      Step 8   Click Save to save the domain configuration.
      What to Do Next

      Moving Data Between Domains

      Smart License

      Classic License

      Supported Device

      Supported Domains

      Access

      Any

      Any

      Any

      Any

      Admin

      Because events and network maps are associated with leaf domains, when you change a leaf domain to a parent domain, you have two choices:

      • Move the network map and associated events to a new leaf domain.

      • Delete the network map but retain the events. In this case, the events remain associated with the parent domain until the system prunes events as needed or as configured. Or, you can delete old events manually.

      Before You Begin

      • Save a domain configuration where a former leaf domain is now a parent domain; see Managing Domains.

      Procedure
        Step 1   For each former leaf domain that is now a parent domain, you have two choices:
        • Choose a new Leaf Domain to inherit the Parent Domain's events and network map.
        • Choose None to delete the parent domain's network map, but retain old events.
        Step 2   Click Save.
        What to Do Next

        Moving Devices Between Domains

        Smart License

        Classic License

        Supported Device

        Supported Domains

        Access

        Any

        Any

        Any

        Global & second-level

        Admin

        Moving a device between domains can affect the configurations and policies applied to the device. The system automatically keeps and updates what it can, and deletes what it cannot.

        When you move a device, the system can prompt you to choose the following new, essential configurations:

        • Access Control Policy — If the access control policy assigned to a moved device is not valid or accessible in the new domain, choose a new policy. Every device must have an assigned access control policy.

        • Health Policy — If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new health policy.

        • Security Zones — If the interfaces on the moved devices belong to a security zone that is inaccessible in the new domain, you can choose a new zone.

        If devices require a policy update but you do not need to move interfaces between zones, the system displays a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a security zone configured in a common ancestor domain, you do not need to update zone configurations when you move devices from subdomain to subdomain.

        Before You Begin

        • Save a domain configuration where you moved a device from domain to domain and now must assign new policies and security zones; see Managing Domains.

        Procedure
          Step 1   In the Move Devices dialog box, under Select Device(s) to Configure, check the device you want to configure.

          Check multiple devices to assign the same health and access control policies.

          Step 2   Choose an Access Control Policy to apply to the device, or choose New Policy to create a new policy.
          Step 3   Choose a Health Policy to apply to the device, or choose None to leave the device without a health policy.
          Step 4   If prompted to assign interfaces to new zones, choose a New Security Zone for each listed interface, or choose None to assign it later.
          Step 5   After you configure all affected devices, click Save to save policy and zone assignments.
          Step 6   Click Save to save the domain configuration.
          What to Do Next