At least one of the devices, either the management center or the threat defense device, must have a reachable
IP address to establish the two-way, TLS-1.3-encrypted communication channel between the two devices.
b) If you chose Yes, then enter the Management Center/CDO Hostname/IP Address.
c) Specify the Management Center/CDO Registration Key.
This key is a one-time registration key of your choice that you will also specify on the management center
when you register the threat defense device. The registration key must not exceed 37 characters. Valid
characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-). This ID can be used for
multiple devices registering to the management center.
d) Specify a NAT ID.
This ID is a unique, one-time string of your choice that you will also specify on the management center.
This field is required if you only specify the IP address on one of the devices; but we recommend that
you specify the NAT ID even if you know the IP addresses of both devices. The NAT ID must not exceed
37 characters. Valid characters include alphanumerical characters (A–Z, a–z, 0–9) and the hyphen (-).
This ID cannot be used for any other devices registering to the management center. The NAT ID is used
in combination with the IP address to verify that the connection is coming from the correct device; only
after authentication of the IP address/NAT ID will the registration key be checked.
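Because the NAT ID is the first thing checked when the connection arrives, a short or guessable value weakens the registration handshake. The helper below is an added example, not code from the guide or from Cisco: it generates both values from a CSPRNG within the stated limits (at most 37 characters, A-Z, a-z, 0-9 and hyphen), validates user-supplied values against the same rule, and builds the equivalent threat defense CLI line. The mapping of the Device Manager fields onto `configure manager add {host | DONTRESOLVE} reg_key [nat_id]` is taken from the threat defense command reference, not from this page, and the sample host and key values are constructed for illustration.

```python
import re
import secrets
import string
from typing import Optional

# Limits stated in the guide for both the registration key and the NAT ID.
MAX_LEN = 37
ALPHABET = string.ascii_letters + string.digits + "-"
TOKEN_RE = re.compile(r"[A-Za-z0-9-]{1,%d}" % MAX_LEN)


def validate_token(value: str) -> bool:
    """True if value is an acceptable registration key or NAT ID."""
    return TOKEN_RE.fullmatch(value) is not None


def generate_token(length: int = 32) -> str:
    """Return a random token drawn from a CSPRNG.

    The NAT ID is the only thing that authenticates the peer before the
    registration key is checked, so it should not be a memorable word.
    """
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_LEN)
    token = "".join(secrets.choice(ALPHABET) for _ in range(length))
    # Every character came from ALPHABET, so this always holds.
    assert validate_token(token)
    return token


def manager_add_command(manager_host: Optional[str], reg_key: str,
                        nat_id: Optional[str] = None) -> str:
    """Build the threat defense CLI equivalent of the Device Manager fields.

    manager_host: management center hostname/IP, or None when the device
                  does not know it (CLI keyword DONTRESOLVE). In that case
                  the NAT ID is mandatory, matching step d) above.
    """
    if not validate_token(reg_key):
        raise ValueError("invalid registration key: %r" % reg_key)
    if nat_id is not None and not validate_token(nat_id):
        raise ValueError("invalid NAT ID: %r" % nat_id)
    if manager_host is None:
        if nat_id is None:
            raise ValueError("NAT ID is required when the manager address "
                             "is not specified on the device")
        manager_host = "DONTRESOLVE"
    parts = ["configure manager add", manager_host, reg_key]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: both sides reachable, NAT ID still recommended.
    key, nat = generate_token(), generate_token()
    print(manager_add_command("198.51.100.10", key, nat))
    # Constructed sample: only the manager can reach the device.
    print(manager_add_command(None, key, nat))
```

Enter the same registration key and NAT ID on the management center side when you add the device; the generated values are as valid in the Device Manager fields as on the CLI.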
Step 9 Configure the Connectivity Configuration.
a) Specify the FTD Hostname.
This FQDN will be used for the outside interface, or whichever interface you choose for the Management
Center/CDO Access Interface.
b) Specify the DNS Server Group.
Choose an existing group, or create a new one. The default DNS group is called
CiscoUmbrellaDNSServerGroup, which includes the OpenDNS servers.
This setting sets the data interface DNS server. The Management DNS server that you set with the setup
wizard is used for management traffic. The data DNS server is used for DDNS (if configured) or for
security policies applied to this interface. You are likely to choose the same DNS server group that you
used for Management, because both management and data traffic reach the DNS server through the outside
interface.
On the management center, the data interface DNS servers are configured in the Platform Settings policy
that you assign to this threat defense. When you add the threat defense to the management center, the
local setting is maintained, and the DNS servers are not added to a Platform Settings policy. However, if
you later assign a Platform Settings policy to the threat defense that includes a DNS configuration, then
that configuration will overwrite the local setting. We suggest that you actively configure the DNS Platform
Settings to match this setting to bring the management center and the threat defense into sync.
Also, local DNS servers are only retained by the management center if the DNS servers were discovered
at initial registration.
c) For the Management Center/CDO Access Interface, choose outside.
You can choose any configured interface, but this guide assumes you are using outside.
Step 10 If you chose a different data interface from outside, then add a default route.
You will see a message telling you to check that you have a default route through the interface. If you chose
outside, you already configured this route as part of the setup wizard. If you chose a different interface, then
you need to manually configure a default route before you connect to the management center. See Configure
Cisco Firepower 2100 Getting Started Guide
59
Threat Defense Deployment with a Remote Management Center
Pre-Configuration Using the Device Manager