The Firepower System allows you to implement multitenancy using domains. Domains segment user access to managed devices, configurations, and events. You can create up to 50 subdomains under a top-level Global domain, in two or three levels.
When you log in, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.
In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain. The system limits other tasks to leaf domains, which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain.
Each task topic in this guide has a Domains value that indicates the domain levels where you can perform the task.
Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain's devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.
If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.
Levels: Global and Second-Level
In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single system to manage network security for multiple customers:

Administrators at the MSSP can log into the Global domain to manage all customers' deployments.

Local administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.
Levels: Global, Second-Level, and Third-Level
In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer, already restricted to a subdomain, wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:

Administrators for the customer can log into a second-level subdomain to manage the customer's entire deployment.

Administrators for the customer's edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer's internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.
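The rules above (at most 50 subdomains, two or three levels, devices only in leaf domains, tasks restricted by domain level, and event visibility scoped to the current domain and its descendants) can be checked against a small model. This is an added example, not Cisco's code; the domain names, device names, task names and events are constructed for the three-level MSSP scenario described here.

```python
# Added model of the domain hierarchy described above (not Cisco's code).
MAX_SUBDOMAINS = 50                       # subdomains allowed under Global
MAX_LEVELS = 3                            # Global plus at most two sublevels
GLOBAL_ONLY = {"system software update"}  # "most management tasks"
LEAF_ONLY = {"device management"}         # tasks tied to managed devices

class Domain:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children, self.devices = name, parent, [], []
        self.level = 1 if parent is None else parent.level + 1
        self.root = self if parent is None else parent.root
        if parent is not None:
            if self.level > MAX_LEVELS:
                raise ValueError(f"{name}: at most {MAX_LEVELS} levels are allowed")
            if len(self.root.subtree()) > MAX_SUBDOMAINS:  # subtree counts Global too
                raise ValueError(f"{name}: at most {MAX_SUBDOMAINS} subdomains allowed")
            parent.children.append(self)

    def subtree(self):  # this domain plus all of its descendants
        return [self] + [d for c in self.children for d in c.subtree()]

    def add_device(self, device):  # devices may only be placed in leaf domains
        if self.children:
            raise ValueError(f"{self.name} is not a leaf domain")
        self.devices.append(device)

    def can_perform(self, task):  # domain level restricts tasks, on top of user role
        if task in GLOBAL_ONLY:
            return self.parent is None
        if task in LEAF_ONLY:
            return not self.children
        return True

    def visible_events(self, events):  # current domain and its descendants only
        scope = {d.name for d in self.subtree()}
        return [e for e in events if e["domain"] in scope]

def build_mssp_example():  # three-level scenario from the text (constructed names)
    g = Domain("Global")
    cust_a = Domain("CustomerA", g)
    Domain("CustomerA-Edge", cust_a).add_device("edge-fw1")
    Domain("CustomerA-Internal", cust_a).add_device("core-fw1")
    Domain("CustomerB", g).add_device("b-fw1")  # second-level leaf domain
    return {d.name: d for d in g.subtree()}

EVENTS = [  # constructed sample events, tagged with the reporting device's leaf domain
    {"type": "intrusion", "device": "edge-fw1", "domain": "CustomerA-Edge"},
    {"type": "connection", "device": "core-fw1", "domain": "CustomerA-Internal"},
    {"type": "malware", "device": "b-fw1", "domain": "CustomerB"},
]
```

An edge administrator's view contains only the edge event, the customer's second-level view contains both of that customer's events, and the Global view contains all three; attempts to place a device in the non-leaf CustomerA domain or to add a fourth level are rejected.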