Domain Management

The following topics describe how to manage multitenancy using domains:

Introduction to Multitenancy Using Domains

The Firepower System allows you to implement multitenancy using domains. Domains segment user access to managed devices, configurations, and events. You can create up to 50 subdomains under a top-level Global domain, in two or three levels.

When you log into the Firepower Management Center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.

In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain.

The system limits other tasks to leaf domains, which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain.

Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain’s devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.

One Domain Level: Global

If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.

Two Domain Levels: Global and Second-Level

In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single Firepower Management Center to manage network security for multiple customers:

  • Administrators at the MSSP logging into the Global domain, cannot view or edit customers’ deployments. They must log into respective second-level named subdomains to manage the customers' deployment.

  • Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.

Three Domain Levels: Global, Second-Level, and Third-Level

In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain. To extend the previous example, consider a scenario where an MSSP customer—already restricted to a subdomain—wants to further segment its deployment. This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:

  • Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's edge network deployments. They must log into the respective leaf domain to manage the devices deployed on the network edge.

  • Administrators for the customer’s edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer’s internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.


Note


In an FMC that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.


Domains Terminology

This documentation uses the following terms when describing domains and multidomain deployments:

Global Domain

In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain. Administrators in the Global domain can manage the entire Firepower System deployment.

Subdomain

A second or third-level domain.

Second-level domain

A child of the Global domain. Second-level domains can be leaf domains, or they can have subdomains.

Third-level domain

A child of a second-level domain. Third-level domains are always leaf domains.

Leaf domain

A domain with no subdomains. Each device must belong to a leaf domain.

Descendant domain

A domain descending from the current domain in the hierarchy.

Child domain

A domain’s direct descendant.

Ancestor domain

A domain from which the current domain descends.

Parent domain

A domain’s direct ancestor.

Sibling domain

A domain with the same parent.

Current domain

The domain you are logged into now. The system displays the name of the current domain before your user name at the top right of the web interface. Unless your user role is restricted, you can edit configurations in the current domain.

Domain Properties

To modify a domain's properties, you must have Administrator access in that domain's parent domain.

Name and Description

Each domain must have a unique name within its hierarchy. A description is optional.

Parent Domain

Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.

Devices

Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device.

In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.

Host Limit

The number of hosts a FMC can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but have separate network maps.

To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0, the domain shares in the general pool.

Setting the host limit has a different effect at each domain level:

  • Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.

  • Second Level — For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.

  • Global — For the Global domain, the host limit is equal to the total number of hosts a FMC can monitor. You cannot change it

The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.

The network discovery policy controls what happens when you detect a new host after you reach the host limit; you can drop the new host, or replace the host that has been inactive for the longest time. Because each leaf domain has its own network discovery policy, each leaf domain governs its own behavior when the system discovers a new host.

If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.

Requirements and Prerequisites for Domains

Model Support

Any.

Supported Domains

Any

User Roles

  • Admin

Managing Domains

To modify a domain's properties, you must have Administrator access in that domain's parent domain.

Procedure


Step 1

Choose System > Domains.

Step 2

Manage your domains:

  • Add — Click Add Domain, or click Add Subdomain next to the parent domain; see Creating New Domains.
  • Edit — Click Edit (edit icon) next to the domain you want to modify; see Domain Properties.
  • Delete — Click Delete (delete icon) next to the empty domain you want to delete, then confirm your choice. Move devices from domains you want to delete by editing their destination domain.

Step 3

When you are done making changes to the domain structure and all devices are associated with leaf domains, click Save to implement your changes.

Step 4

If prompted, make additional changes:


What to do next

  • Configure user roles and policies (access control, network discovery, and so on) for any new domains. Update device properties as needed.

  • Deploy configuration changes; see Deploy Configuration Changes.

Creating New Domains

You can create up to 50 subdomains under a top-level Global domain, in two or three levels.

You must assign all devices to a leaf domain before you can implement the domain configuration. When you add a subdomain to a leaf domain, the domain stops being a leaf domain and you must reassign its devices.

Procedure


Step 1

In a Global or a second-level domain, choose System > Domains.

Step 2

Click Add Domain, or click Add Subdomain next to the parent domain.

Step 3

Enter a Name and Description.

Step 4

Choose a Parent Domain.

Step 5

On Devices, choose the Available Devices to add to the domain, then click Add to Domain or drag and drop into the list of Selected Devices.

Step 6

Optionally, click Advanced to limit the number of hosts the new domain may monitor; see Domain Properties.

Step 7

Click Save to return to the domain management page.

The system warns you if any devices are assigned to non-leaf domains. Click Create New Domain to create a new domain for those devices. Click Keep Unassigned if you plan to move the devices to existing domains.

Step 8

When you are done making changes to the domain structure and all devices are associated with leaf domains, click Save to implement your changes.

Step 9

If prompted, make additional changes:


What to do next

  • Configure user roles and policies (access control, network discovery, and so on) for any new domains. Update device properties as needed.

  • Deploy configuration changes; see Deploy Configuration Changes.

Moving Data Between Domains

Because events and network maps are associated with leaf domains, when you change a leaf domain to a parent domain, you have two choices:

  • Move the network map and associated events to a new leaf domain.

  • Delete the network map but retain the events. In this case, the events remain associated with the parent domain until the system prunes events as needed or as configured. Or, you can delete old events manually.

Before you begin

Implement a domain configuration where a former leaf domain is now a parent domain; see Managing Domains.

Procedure


Step 1

For each former leaf domain that is now a parent domain:

  • Choose a new Leaf Domain to inherit the Parent Domain's events and network map.
  • Choose None to delete the parent domain's network map, but retain old events.

Step 2

Click Save.


What to do next

Moving Devices Between Domains

You can move devices between domains when you are in the global domain or a second-level domain. Moving a device between domains can affect the configurations and policies applied to the device. The system automatically retains and updates what it can. It deletes what it cannot update, namely, object overrides, dynamic routing configuration, static routes, IP pool associated with the diagnostic interface,and DDNS.

If you assign a Remote Access VPN policy to a device, you cannot move the same device from one domain to another domain.

Specifically:

  • If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new health policy.

  • If the access control policy assigned to a moved device is not valid or accessible in the new domain, choose a new policy. Every device must have an assigned access control policy.

  • If the interfaces on the moved device belong to a security zone that is inaccessible in the new domain, you can choose a new zone.

  • Interfaces are removed from:

    • Security zones that are inaccessible in the new domain and not used in an access control policy.

    • All interface groups.

If devices require a policy update but you do not need to move interfaces between zones, the system displays a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a security zone configured in a common ancestor domain, you do not need to update zone configurations when you move devices from subdomain to subdomain.

Before you begin

  • Implement a domain configuration where you moved a device from domain to domain and now must assign new policies and security zones; see Managing Domains.

Procedure


Step 1

In the Move Devices dialog box, under Select Device(s) to Configure, check the device you want to configure.

Check multiple devices to assign the same health and access control policies.

Step 2

Choose an Access Control Policy to apply to the device, or choose New Policy to create a new policy.

Step 3

Choose a Health Policy to apply to the device, or choose None to leave the device without a health policy.

Step 4

If prompted to assign interfaces to new zones, choose a New Security Zone for each listed interface, or choose None to assign it later.

Step 5

After you configure all affected devices, click Save to save policy and zone assignments.

Step 6

Click Save to implement the domain configuration.


What to do next

  • Update other configurations on the moved device that were affected by the move.

  • Deploy configuration changes; see Deploy Configuration Changes.