Skip to main content



Cisco Defense Orchestrator

Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics (SaaS) and Logging

Cisco Security Analytics and Logging (SaaS) allows you to send events from your ASA or FTD devices to certain UDP, TCP, or NSEL ports on the Secure Event Connector (SEC). The SEC then forwards those events to the Cisco cloud.

If these ports aren't already in use, the SEC makes them available to receive events and the Cisco Security Analytics and Logging documentation recommends using them when you configure the feature.

  • TCP: 10125
  • UDP: 10025
  • NSEL: 10425

If those ports are already in use, before you configure Cisco Security Analytics and Logging, look at your SEC device details to determine what ports it is actually using to receive events.

To find the port numbers the SEC uses: 

  1. From any page in CDO, open the account menu and select Secure Connectors.


  1. In the Secure Connectors page, select the SEC you want to send events to.
  2. In the Details pane, you will see the TCP, UDP, and NetFlow (NSEL) port you should send events to.


  • Was this article helpful?