CISCO FTD MANAGED BY CDO FMC

Cisco’s Firepower Threat Defence (FTD) firewall suite can be managed by a centrally hosted Firepower Management Centre (FMC) when there are multiple devices which require policy alignment and wide-scale configuration deployments. In that model the FMC has to be purchased and hosted within the organisation’s own environment, which adds management complexity and places the onus on the organisation to provide a resilient central platform so that the FMC stays up and reachable. To avoid this administrative overhead and CAPEX cost, an organisation may instead choose Cisco’s cloud-hosted FMC within the Cisco Defence Orchestrator (CDO) suite of tools. With this option Cisco provisions a resilient FMC, accessible through the CDO dashboard, which can be used to manage the FTD instances without the need to provision a central FMC on site.

Pre-requisites

In order to onboard an FTD device to CDO there are some simple pre-requisites. The FTD device must have outbound internet connectivity with reachability to domains within *.cdo.cisco.com on the ports, and in the direction, depicted in the diagram below. Unless this outbound traffic is permitted, the FTD will not onboard onto the CDO hosted FMC.

In order to onboard an FTD, it is a requirement to have a SecureX account to log in to CDO. This can easily be created on the Cisco.com website. Once this has been created you can associate the account with the CDO tenant for your organisation.
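The connectivity pre-requisite above is the step most often found to be at fault when onboarding fails, so it is worth verifying from the FTD’s management network before starting. The following is an added pre-flight check, not code from the original article or from Cisco: it resolves and opens a TCP connection to each expected CDO endpoint and reports which ones are blocked. The hostnames and ports are PLACEHOLDERS, because the article only names the *.cdo.cisco.com domain and refers to a diagram for the ports; replace them with the values from Cisco’s current CDO connectivity documentation.

```python
"""Pre-flight check: can this host reach the CDO endpoints an FTD needs?

Added example (not from the original article or from Cisco). Assumptions:
- CDO_ENDPOINTS below is a PLACEHOLDER list; substitute the hostnames and
  ports from Cisco's CDO connectivity diagram.
- Only the *.cdo.cisco.com scope named in the article is treated as valid,
  so a typo or a look-alike domain in the endpoint list is flagged.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]
Result = Tuple[bool, str]
Connector = Callable[[str, int], Result]

# PLACEHOLDER values: replace with the endpoints from the CDO documentation.
CDO_ENDPOINTS: List[Endpoint] = [
    ("region-placeholder.cdo.cisco.com", 443),
]

CDO_DOMAIN_SUFFIX = ".cdo.cisco.com"


def in_cdo_domain(host: str) -> bool:
    """True only for hosts strictly inside *.cdo.cisco.com.

    Uses a suffix match on the labelled domain, so 'cdo.cisco.com.evil.net'
    and the bare apex 'cdo.cisco.com' are both rejected.
    """
    h = host.strip().lower().rstrip(".")
    return h.endswith(CDO_DOMAIN_SUFFIX) and len(h) > len(CDO_DOMAIN_SUFFIX)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> Result:
    """Real connector: resolve the name and complete a TCP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:          # DNS failure: resolver blocked?
        return False, f"dns: {exc}"
    except (socket.timeout, OSError) as exc:  # filtered or refused port
        return False, f"tcp: {exc}"


def check_endpoints(endpoints: Iterable[Endpoint],
                    connector: Connector = tcp_connect) -> Dict[Endpoint, Result]:
    """Probe every endpoint; the connector is injectable so this can be
    exercised offline with a fake."""
    results: Dict[Endpoint, Result] = {}
    for host, port in endpoints:
        if not in_cdo_domain(host):
            results[(host, port)] = (False, "host is outside *.cdo.cisco.com")
            continue
        results[(host, port)] = connector(host, port)
    return results


def blocked(results: Dict[Endpoint, Result]) -> List[Endpoint]:
    """Endpoints that failed, sorted for stable reporting."""
    return sorted(ep for ep, (ok, _) in results.items() if not ok)


def ready(results: Dict[Endpoint, Result]) -> bool:
    """True when every required endpoint was reachable."""
    return bool(results) and not blocked(results)


def report(results: Dict[Endpoint, Result]) -> str:
    lines = [f"{'OK ' if ok else 'FAIL'} {host}:{port}  {detail}"
             for (host, port), (ok, detail) in sorted(results.items())]
    lines.append("READY for CDO onboarding" if ready(results)
                 else "NOT READY: fix the FAIL lines before onboarding")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_endpoints(CDO_ENDPOINTS)))
```

Run it from a host on the same management segment (and through the same egress path) as the FTD’s management interface; a FAIL with a dns: reason points at name resolution, while a tcp: reason points at a firewall or proxy in the outbound path.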

Onboarding Process

First things first, power on your FTD and make sure that it is operational and passes all the necessary checks in the manufacturer’s guidance for your platform. Once you have completed the checks, perform the initial configuration of the device as per the device documentation. You can find the initial setup guide on the Cisco website under Security – Support and Downloads – Cisco.

In this demonstration we will be using a 4000 series FTD (specifically the 4115). This model comes as a Firepower chassis running FXOS, and within this chassis you create the FTD instances. As a result, we are required to assign each chassis interface a function before the FTD is created: interfaces on the chassis need to be assigned to either a data or a management role. For the FTD to phone home initially we will create a management interface and assign it to the FTD.

Once we have created the interfaces which we would like to use on our FTD, we then need to create the FTD. To do this navigate to the ‘Logical Devices’ Tab and ‘Add’ a ‘Standalone’ device. CDO does not support the onboarding of clustered devices.

This will bring up a pop-up window where we define the template used to build the FTD, including the software version. It is strongly recommended that software version 7.2+ is used for CDO onboarding. We are creating a ‘native’ instance, which uses the entire resources of the chassis. You can choose to create a ‘container’ instance instead if you would like to run more than one FTD on the chassis.

Now we can assign the data interfaces we specified previously to our FTD instance. As we are using a native instance, I have assigned all the data ports to this FTD. Ethernet 1/8 is the interface we designated as the management interface.

Once you have assigned the data ports, click on the FTD icon to configure it. This is where we will configure the pre-defined Management interface.

The next step is to configure the settings for the FTD. Initially we will create an FDM locally managed system; this will change once we reach the CLI of the device and follow the CDO onboarding steps. In the settings section we also define the domain, DNS servers, passwords and the firewall mode. As we are configuring a perimeter firewall in this example, we will choose Routed mode. Now that the settings are complete, create the FTD instance.

From here we will move to CDO to begin the onboarding process. Once you are in your CDO tenant, navigate to the ‘Inventory’ page and click on the blue onboarding button in the top right of the page.

From here select an FTD to onboard.

We will use the CLI registration key to onboard the FTD.

Fill out the required fields, making sure to note the CLI key, which we will paste into the FTD CLI.

Connect to the FTD CLI and paste the command provided by CDO. This starts the onboarding process.

Once the FTD has onboarded with CDO you should see the Device in the inventory. You can now configure and manage your FTD device from the CDO hosted FMC.

Summary

Centralised management of your organisation’s Firepower devices via an FMC is a desirable feature of the Cisco firewall suite. With the development of the cloud-hosted FMC service on CDO, there are now extra options for organisations which want to reduce their on-site server footprint or prefer the management platform to be run by an external provider. Once the FTD is onboarded onto this service, Cisco manages all of the patching and configuration aspects of the FMC itself, leaving you and your organisation to focus solely on your firewalls.