Introduction to Multitenancy Using Domains
The Firepower System allows you to implement multitenancy using domains. Domains segment user access to managed devices, configurations, and events. You can create up to 50 subdomains under a top-level Global domain, in two or three levels.
When you log into the Firepower Management Center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.
In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain.
The system limits other tasks to leaf domains, which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain.
Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain’s devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.
One Domain Level: Global
If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.
Two Domain Levels: Global and Second-Level
In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single Firepower Management Center to manage network security for multiple customers:
Administrators at the MSSP logging into the Global domain cannot view or edit customers' deployments. They must log into the respective second-level subdomains to manage each customer's deployment.
Administrators for each customer can log into their second-level subdomain to manage only the devices, configurations, and events applicable to their organization. These local administrators cannot view or affect the deployments of other customers of the MSSP.
Three Domain Levels: Global, Second-Level, and Third-Level
In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer—already restricted to a subdomain—wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:
Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's edge network deployments. They must log into the respective leaf domain to manage the devices deployed on the network edge.
Administrators for the customer’s edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer’s internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.
In an FMC that uses multitenancy, the SSO configuration can be applied only at the Global domain level, and applies to the Global domain and all subdomains.
This documentation uses the following terms when describing domains and multidomain deployments:
- Global Domain
In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain. Administrators in the Global domain can manage the entire Firepower System deployment.
- Subdomain
A second- or third-level domain.
- Second-level domain
A child of the Global domain. Second-level domains can be leaf domains, or they can have subdomains.
- Third-level domain
A child of a second-level domain. Third-level domains are always leaf domains.
- Leaf domain
A domain with no subdomains. Each device must belong to a leaf domain.
- Descendant domain
A domain descending from the current domain in the hierarchy.
- Child domain
A domain’s direct descendant.
- Ancestor domain
A domain from which the current domain descends.
- Parent domain
A domain’s direct ancestor.
- Sibling domain
A domain with the same parent.
- Current domain
The domain you are logged into now. The system displays the name of the current domain before your user name at the top right of the web interface. Unless your user role is restricted, you can edit configurations in the current domain.
To modify a domain's properties, you must have Administrator access in that domain's parent domain.
- Name and Description
Each domain must have a unique name within its hierarchy. A description is optional.
- Parent Domain
Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.
- Devices
Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device.
In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.
- Host Limit
The number of hosts an FMC can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but each leaf domain keeps its own network map.
To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0, the domain shares in the general pool.
Setting the host limit has a different effect at each domain level:
Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.
Second Level — For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.
Global — For the Global domain, the host limit is equal to the total number of hosts the FMC model can monitor. You cannot change it.
The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any one of those domains can monitor 100,000 hosts, but they cannot all do so at the same time, because the parent's limit still caps the total.
The network discovery policy controls what happens when the system detects a new host after the host limit is reached: the system either drops the new host or replaces the host that has been inactive for the longest time. Because each leaf domain has its own network discovery policy, each leaf domain governs its own behavior when the system discovers a new host.
If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.
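The hierarchy rules above (three levels at most, devices only in leaf domains, unique names) and the host-limit rules (a leaf limit, a shared second-level pool, a fixed Global total, oversubscription, drop-or-replace when full, trimming when a limit is lowered) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Cisco or FMC code and does not use any FMC API. The class names, the small limits in `demo()`, and the choice that a leaf whose shared pool is full replaces the longest-inactive host in its own network map are assumptions that follow the text, not product behaviour verified against a device.

```python
# Added example: a model of Firepower domain hierarchy and host-limit rules (not Cisco/FMC code).
# Limits, names and the eviction order are constructed to match the page's description.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

MAX_DEPTH = 3        # Global, second-level, third-level
MAX_SUBDOMAINS = 50  # subdomains allowed under Global


class DomainError(ValueError):
    """Raised when an operation would break a hierarchy or host-limit rule."""


@dataclass(eq=False)
class Domain:
    name: str
    parent: Optional[Domain] = None
    host_limit: int = 0                 # 0 = no limit of its own; shares the parent's pool
    drop_new_hosts: bool = False        # discovery policy when full: drop, or replace longest-inactive
    children: list[Domain] = field(default_factory=list)
    devices: list[str] = field(default_factory=list)
    hosts: dict[str, int] = field(default_factory=dict)  # host -> last-seen time (leaf domains only)

    # --- hierarchy rules ---------------------------------------------------
    def depth(self) -> int:
        return 1 if self.parent is None else self.parent.depth() + 1

    def root(self) -> Domain:
        return self if self.parent is None else self.parent.root()

    def lineage(self) -> list[Domain]:
        """This domain and all of its ancestors, leaf first."""
        return [self] + (self.parent.lineage() if self.parent else [])

    def descendants(self) -> list[Domain]:
        out: list[Domain] = []
        for c in self.children:
            out.append(c)
            out.extend(c.descendants())
        return out

    def is_leaf(self) -> bool:
        return not self.children

    def add_subdomain(self, name: str, host_limit: int = 0) -> Domain:
        root = self.root()
        if self.devices:
            raise DomainError(f"{self.name} contains devices; a domain holds subdomains or devices, not both")
        if self.depth() >= MAX_DEPTH:
            raise DomainError(f"{self.name} is a third-level domain and cannot have subdomains")
        if len(root.descendants()) >= MAX_SUBDOMAINS:
            raise DomainError(f"at most {MAX_SUBDOMAINS} subdomains are allowed under {root.name}")
        if any(d.name == name for d in [root] + root.descendants()):
            raise DomainError(f"domain name {name!r} is already used in this hierarchy")
        child = Domain(name, parent=self, host_limit=host_limit)
        self.children.append(child)
        return child

    def add_device(self, device: str) -> None:
        if not self.is_leaf():
            raise DomainError(f"{self.name} has subdomains; devices must belong to a leaf domain")
        self.devices.append(device)

    # --- host-limit rules --------------------------------------------------
    def monitored(self) -> int:
        """Hosts in the network map (leaf) or summed over all leaf descendants (non-leaf)."""
        return len(self.hosts) if self.is_leaf() else sum(c.monitored() for c in self.children)

    def _evict_longest_inactive(self, n: int) -> None:
        leaves = [self] if self.is_leaf() else [d for d in self.descendants() if d.is_leaf()]
        entries = sorted(((t, leaf, h) for leaf in leaves for h, t in leaf.hosts.items()), key=lambda e: e[0])
        for _, leaf, host in entries[:n]:
            del leaf.hosts[host]

    def discover_host(self, host: str, now: int) -> bool:
        """A leaf's device reports a host; returns True if the host ends up in the map."""
        if not self.is_leaf():
            raise DomainError("only leaf domains build network maps")
        if host in self.hosts:              # known host: just refresh its activity time
            self.hosts[host] = now
            return True
        # Every explicit limit on the path to Global applies: the leaf's own limit, the
        # second-level pool it shares, and the fixed Global total (0 means no limit here).
        full = any(d.host_limit and d.monitored() >= d.host_limit for d in self.lineage())
        if full:
            if self.drop_new_hosts or not self.hosts:
                return False                # policy: drop the new host
            self._evict_longest_inactive(1) # policy: replace this leaf's longest-inactive host (assumption)
        self.hosts[host] = now
        return True

    def set_host_limit(self, limit: int) -> None:
        if self.parent is None:
            raise DomainError("the Global host limit is fixed by the FMC model")
        self.host_limit = limit
        if limit and self.monitored() > limit:   # lowering below current use trims the oldest hosts
            self._evict_longest_inactive(self.monitored() - limit)


def demo() -> dict:
    """The page's MSSP scenario with small, constructed limits; returns what the rules produced."""
    g = Domain("Global", host_limit=10)                   # fixed by model; 10 keeps the demo small
    a = g.add_subdomain("CustomerA", host_limit=8)
    b = g.add_subdomain("CustomerB", host_limit=8)        # 8 + 8 > 10: oversubscription is allowed
    edge = a.add_subdomain("A-Edge", host_limit=3)
    internal = a.add_subdomain("A-Internal")              # 0: shares CustomerA's pool of 8
    edge.add_device("ftd-edge-1")
    b.add_device("ftd-b-1")
    for t, h in enumerate(["h1", "h2", "h3"], start=1):
        edge.discover_host(h, t)
    edge.discover_host("h4", 4)                           # edge at its limit of 3: replaces h1
    for t, h in enumerate(["i1", "i2", "i3", "i4", "i5"], start=10):
        internal.discover_host(h, t)
    internal.discover_host("i6", 15)                      # CustomerA pool full (3 + 5): replaces i1
    b.discover_host("b1", 20)
    b.discover_host("b2", 21)                             # Global now holds 10 hosts
    b.discover_host("b3", 22)                             # Global full: CustomerB replaces b1
    edge.drop_new_hosts = True
    dropped_h5 = not edge.discover_host("h5", 30)         # edge full and its policy is now "drop"
    a.set_host_limit(6)                                   # lowered: the two longest-inactive in A go
    return {
        "edge_hosts": sorted(edge.hosts),
        "internal_hosts": sorted(internal.hosts),
        "b_hosts": sorted(b.hosts),
        "customer_a_monitored": a.monitored(),
        "global_monitored": g.monitored(),
        "dropped_h5": dropped_h5,
    }
```

Running `demo()` shows the interactions the text describes: the edge leaf replaces its own oldest host once its limit of 3 is reached, the internal leaf (limit 0) is capped by CustomerA's pool of 8 rather than by a limit of its own, CustomerB is capped by the Global total even though its own limit has room, and lowering CustomerA's limit from 8 to 6 removes the two longest-inactive hosts across both of its leaves.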