Zero Touch Provisioning of Secure Firewall Threat Defense Using Security Cloud Control
This document describes how to deploy threat defense devices using zero-touch provisioning, for customers using Security Cloud Control.
Note: For the on-premises management center zero-touch provisioning, see the getting started guide for your model.
For details about the end-to-end process of zero-touch provisioning of a threat defense device, watch this video.
This document is targeted at the following device models:
Model | Version
---|---
Firepower 1000 | 7.2 or later
Secure Firewall 1210/1220 | 7.6 or later
Firepower 2100 | 7.2, 7.3, or 7.4
Secure Firewall 3100 | 7.2 or later
Branch Manager: Prepare and Connect a Threat Defense Device to Your Network
The zero-touch provisioning method enables your IT department to onboard the device to the Cloud-delivered Firewall Management Center and configure it remotely after you connect your brand-new threat defense device to your network.
Ensure that the threat defense device has never been logged into or configured for a manager. Zero-touch provisioning is intended only for devices that are in the factory state. Depending on your settings, any preconfiguration can prevent the device from being onboarded with the zero-touch provisioning method.
Ensure that the device is running threat defense, Version 7.2 or later.
Reimage your device
If your device is not already running threat defense, Version 7.2 or later, you can reimage the device to support zero-touch provisioning. See the appropriate getting started guide for your device model:
Connect a Threat Defense Device to Your Network
If you received a device at your branch office and your job is to plug it in to your network, watch this video.
The video shows how to unpack your device and describes the LED sequences that indicate the device's status while it is being deployed. These are the steps described in the video:
- Examine the shipping carton in which the device arrived. It should have a plain white sticker identifying the software installed on the device. The software package number should resemble one of the examples in the following table:

  Device Models that Support Zero-Touch Provisioning | Supported Software Version | Software Package
  ---|---|---
  Firepower 1000 series device models: 1010, 1120, 1140, 1150 | 7.2 or later | SF-F1K-TDx.x-K9 (for example, SF-F1K-TD7.2-K9)
  Secure Firewall 1210/1220 | 7.6 or later | SF-F1200-TDx.x-K9 (for example, SF-F1200-TD7.6-K9)
  Firepower 2100 series device models: 2110, 2120, 2130, 2140 | 7.2, 7.3, or 7.4 | SF-F2K-TDx.x-K9 (for example, SF-F2K-TD7.2-K9)
  Secure Firewall 3100 series device models: 3110, 3120, 3130, 3140 | 7.2 or later | SF-F3K-TDx.x-K9 (for example, SF-F3K-TD7.2-K9)
  Secure Firewall 3100 series device model: 3105 | 7.3 or later | SF-F3K-TDx.x-K9 (for example, SF-F3K-TD7.3-K9)
- Before racking the device or discarding the shipping carton, record the device's serial number and share it with your IT department for management purposes. The serial number of the device is located on the shipping carton the device came in and on a label affixed to the device itself. See Find Your Device's Serial Number for more information.
- Unpack the box and take inventory of the contents. Keep the shipping carton until you have plugged in the device, you have connected it to your network, and the device has successfully contacted the Cisco cloud.
- Connect the device to power.
- Connect the network cable from the Ethernet 1/1 interface of your device to the WAN modem. Your WAN modem is your branch's connection to the internet and your device's route to the internet as well.

  Note: Do not connect the network cable from the device's Management interface to your WAN.
  Figure 1. Firepower 1010 Cabling
  Figure 2. Firepower 1100 Cabling
  Figure 3. Secure Firewall 1210/1220 Cabling
  Figure 4. Firepower 2100 Cabling
  Figure 5. Secure Firewall 3100 Cabling

- See the S (System), SYS, or M (Managed) LED, depending on your model, to determine if the device has reached the Cisco cloud. The table below provides the LED statuses and the approximate time they occur after powering on the device and connecting the Ethernet cables. Note that the time required to reach the Cisco cloud may vary slightly based on network conditions and the specific firewall model.

  LED Status | Description | Time After Device Powered On (minutes:seconds)
  ---|---|---
  Fast flashing green (SYS: Firepower 2100; S: all other models) | The device is booting up correctly. | 01:00
  Fast flashing amber (SYS: Firepower 2100; S: all other models) | The device failed to boot correctly. | 01:00
  Solid green (SYS: Firepower 2100; S: all other models) | The application is loaded on the device. | 10:00
  Solid amber (SYS: Firepower 2100; S: all other models) | The application failed to load correctly on the device. | 10:00
  Slow flashing green (SYS: Firepower 2100; S: Firepower 1000; M: Secure Firewall 3100 and Secure Firewall 1210/1220) | The device is connected to the Cisco cloud. | 15:00
  Alternating green and amber (SYS: Firepower 2100; S: Firepower 1000; M: Secure Firewall 3100 and Secure Firewall 1210/1220) | The device failed to connect to the Cisco cloud. | 15:00
  Solid green (M: Secure Firewall 3100 and Secure Firewall 1210/1220) | The device is configured for a manager and ready to be managed. | 20:00
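The software package check from the first step can be scripted before a device is racked. This is an added example, not Cisco's code: the version rules are transcribed from the package table above, and the `model` argument is a hypothetical parameter for the 3105, whose higher minimum cannot be read from the label alone.

```python
import re

# Rules transcribed from the package table on this page:
# label family -> (model family, minimum version, maximum version or None).
RULES = {
    "F1K": ("Firepower 1000", (7, 2), None),
    "F1200": ("Secure Firewall 1210/1220", (7, 6), None),
    "F2K": ("Firepower 2100", (7, 2), (7, 4)),
    "F3K": ("Secure Firewall 3100", (7, 2), None),
}
LABEL = re.compile(r"SF-(F1K|F1200|F2K|F3K)-TD(\d+)\.(\d+)-K9")


def check_package(label, model=None):
    """Return (supported, reason) for a carton label such as SF-F1K-TD7.2-K9.

    `model` is a hypothetical optional argument: pass "3105" to apply that
    model's 7.3 minimum, which the label alone cannot reveal.
    """
    match = LABEL.fullmatch(label.strip().upper())
    if match is None:
        return False, "not a recognised threat defense package label"
    family, minimum, maximum = RULES[match.group(1)]
    if match.group(1) == "F3K" and model == "3105":
        minimum = (7, 3)
    # Compare as integer tuples so that 7.10 sorts after 7.2.
    version = (int(match.group(2)), int(match.group(3)))
    shown = "%d.%d" % version
    if version < minimum:
        return False, "%s needs %d.%d or later; label shows %s" % (
            family, minimum[0], minimum[1], shown)
    if maximum is not None and version > maximum:
        return False, "%s is listed only up to %d.%d; label shows %s" % (
            family, maximum[0], maximum[1], shown)
    return True, "%s with threat defense %s" % (family, shown)


if __name__ == "__main__":
    # Constructed labels, following the SF-...-TDx.x-K9 pattern from the table.
    for label in ("SF-F1K-TD7.2-K9", "SF-F1200-TD7.4-K9", "SF-F2K-TD7.6-K9"):
        print(label, check_package(label))
```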
Find Your Device's Serial Number
Your IT department needs your device's serial number to onboard the device remotely. You can find the serial number in three different places.
The Label on the Shipping Carton
The serial number is printed on the label on the shipping carton the device came in.
The Label on the Chassis
Firepower 1010: The serial number is on a label at the bottom of the device.
Firepower 1100: The serial number is on a label at the back of the device or at the bottom of the device.
Secure Firewall 1210/1220: The serial number is on a label at the back of the device.
Firepower 2100: The serial number is on a label on a pull-out tab at the front of the device.
Secure Firewall 3100: The serial number is on a label on a pull-out tab at the front of the device.
Connect to the Device Console Using a Console Cable
You can connect a console cable from a device such as a laptop to your firewall, open up a terminal window, and enter a few commands to display the device's serial number.
Note: This procedure connects a computer to the firewall using a console cable to retrieve the device's serial number. It is for advanced users who are comfortable working with a command-line interface and possibly installing software drivers on their laptops.
- See the appropriate hardware installation guide for your device model for instructions on how to connect a laptop to your device using a console cable. For more information, refer to the Getting Started Guide for your specific model.
- Log in to the device as the admin user. You need to enter the default password if this is your first login attempt: Admin123. You will then be prompted to change the password.
- At the `firepower#` prompt, enter `show chassis detail`. Here is an example of the output from a 1010 series device. Your device's serial number will be listed in the Serial (SN) field:

  ```
  firepower# show chassis detail
  Chassis:
      Chassis: 1
      Overall Status: Operable
      Oper qualifier: N/A
      Operability: Operable
      Product Name: Cisco Firepower 1010 Security Appliance
      PID: FPR-1010
      VID: V01
      Vendor: Cisco Systems, Inc
      Serial (SN): JMX2405X0R9
      HW Revision: 0.6
      PCB Serial Number: JAD24040S6L
      Power State: Ok
      Thermal Status: Ok
      Boot Status: OK
      Current Task:
  firepower#
  ```
The output shows two serial numbers. You must report the value of the Serial (SN) field to your IT department to complete the onboarding process.
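Because the output carries two serial numbers, a saved console capture can be parsed so that only the Serial (SN) value is passed on. This is an added example, not Cisco's code: the sample is an abridged copy of the output shown above, and the alphanumeric check on the serial is an assumption about its format.

```python
# Constructed sample: abridged from the `show chassis detail` output on this page.
SAMPLE = """\
firepower# show chassis detail
Chassis:
    Chassis: 1
    Overall Status: Operable
    Product Name: Cisco Firepower 1010 Security Appliance
    PID: FPR-1010
    Serial (SN): JMX2405X0R9
    HW Revision: 0.6
    PCB Serial Number: JAD24040S6L
    Boot Status: OK
    Current Task:
firepower#
"""


def parse_chassis_detail(text):
    """Map each 'Field: value' line of the console capture to its value."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("firepower#"):
            continue  # skip blank lines, the prompt and the echoed command
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def onboarding_serial(text):
    """Return the chassis serial to report, never the PCB serial."""
    fields = parse_chassis_detail(text)
    serial = fields.get("Serial (SN)", "")
    if not serial:
        raise ValueError("no 'Serial (SN)' value; do not substitute the PCB serial")
    if not serial.isalnum():  # assumption: serials are plain alphanumerics
        raise ValueError("unexpected characters in serial: %r" % serial)
    return {"serial": serial, "pid": fields.get("PID", ""),
            "product": fields.get("Product Name", "")}


if __name__ == "__main__":
    print(onboarding_serial(SAMPLE))
```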
Onboard a Device to Cloud-delivered Firewall Management Center Using Zero-Touch Provisioning
If you are a Cloud-delivered Firewall Management Center administrator and someone at a branch office has connected a device to their network, follow the zero-touch provisioning method described in this section.
Note: If you want to onboard a fully configured new device, use the CLI registration key method to onboard the device. See Onboard a Threat Defense to the Cloud-delivered Firewall Management Center Using Serial Number for more information.
Procedure
Step 1: Log in to Security Cloud Control.
Step 2: In the left pane, click .
Step 3: Click the Onboard a device or service (
Step 4: Click the FTD tile.
Step 5: Under Management Mode, ensure you select FTD.
Step 6: Click the Use Serial Number tile.
Step 7: From the Select FMC drop-down list, choose Cloud-Delivered FMC and click Next.
Step 8: In the Connection step, enter the Device Serial Number and the Device Name.
Step 9: Click Next.
Step 10: In the Password Reset step, choose an option depending on whether the device was logged into and had the default-password changed or not:
Step 11: Click Next.
Step 12: In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured, select the Default Access Control Policy.
Step 13: Click Next.
Step 14: Select the subscription licenses you want to apply to the device. Click Next.
Step 15: In the Done step, click Go to Security Devices to go back to the Security Devices page.
What to do next
- If you have not already done so, create a custom access control policy to customize the security for your environment. See Access Control Overview in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Firewall in Security Cloud Control for more information.
- Enable Cisco Security Analytics and Logging (SAL) to view events in the Security Cloud Control dashboard or register the device to a Secure Firewall Management Center for security analytics. See Cisco Security Analytics and Logging in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Firewall in Security Cloud Control for more information.