Onboard an On-Prem FMC

Review Connect Cisco Defense Orchestrator to your Managed Devices for more information.

Note

CDO does not support creating or modifying objects or policies associated with the On-Prem FMC or the devices registered to the On-Prem FMC. You must make these changes in the On-Prem FMC UI.

Limitations and Guidelines

These are the limitations applicable to onboarding an On-Prem FMC:

  • You can onboard an On-Prem FMC to CDO. Onboarding an On-Prem FMC also onboards all of the devices registered to the On-Prem FMC. Be aware that if a managed device is disabled or unreachable, CDO may display the device in the Inventory page but cannot successfully send requests to it or view its device information.

  • We recommend creating a new user on the On-Prem FMC specifically for CDO communication that has administrator-level permissions. If you onboard an On-Prem FMC and then simultaneously log into that On-Prem FMC with the same login credentials, onboarding fails.

  • If you create a new user on the On-Prem FMC for CDO communication, the Maximum Number of Failed Logins for the user configuration must be set to "0".

Network Requirements

Before you onboard a device, ensure the following ports have external access. If communication ports are blocked behind a firewall, onboarding the device may fail.

| Port | Protocol/Feature | Platforms | Direction | Details |
|---|---|---|---|---|
| 7/UDP | UDP/audit logging | CDO | Outbound | Verify connectivity with the syslog server when configuring audit logging. |
| 53/tcp, 53/udp | DNS | | Outbound | DNS |
| 67/udp, 68/udp | DHCP | | Outbound | DHCP |
| 123/udp | NTP | | Outbound | Synchronize time. |
| 162/udp | SNMP | | Outbound | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (CDO only). Configurable. |
| 443/tcp | HTTPS | | Outbound | Send and receive data from the internet. |
| 514/udp | Syslog (alerts) | | Outbound | Send alerts to a remote syslog server. |
| 1812/udp, 1813/udp | RADIUS | | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 8305/tcp | Appliance communications | | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
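The following pre-onboarding reachability check is an added example, not part of Cisco's documentation or the CDO product: it walks the port table above, actively probes the TCP entries against the servers you name, and lists the UDP entries (which a connect() cannot verify) for manual checking. All host names in it are placeholders.

```python
import socket

# Ports transcribed from the Network Requirements table: (port, proto, feature, direction).
REQUIRED = [
    (7, "udp", "audit logging", "Outbound"), (53, "tcp", "DNS", "Outbound"),
    (53, "udp", "DNS", "Outbound"), (67, "udp", "DHCP", "Outbound"),
    (68, "udp", "DHCP", "Outbound"), (123, "udp", "NTP", "Outbound"),
    (162, "udp", "SNMP", "Outbound"), (389, "tcp", "LDAP", "Outbound"),
    (636, "tcp", "LDAP", "Outbound"), (443, "tcp", "HTTPS", "Outbound"),
    (514, "udp", "Syslog", "Outbound"), (1812, "udp", "RADIUS", "Outbound"),
    (1813, "udp", "RADIUS", "Outbound"),
    (8305, "tcp", "Appliance communications", "Both"),
]


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(targets, probe=tcp_open):
    """Check outbound reachability for every entry in the port table.

    targets maps a feature name to the server the FMC will talk to (the
    names used below are placeholders). Returns a dict with 'ok' (TCP
    connect succeeded), 'blocked' (TCP connect failed, so a firewall rule
    is likely missing) and 'unprobed' (UDP, or no server supplied, so
    verify by hand). 8305/tcp is bidirectional: a pass here only proves
    the outbound half; the peer appliance must also reach this host on 8305.
    """
    result = {"ok": [], "blocked": [], "unprobed": []}
    for port, proto, feature, direction in REQUIRED:
        label = f"{port}/{proto} {feature}"
        host = targets.get(feature)
        if host is None or proto == "udp":
            result["unprobed"].append(label)
        elif probe(host, port):
            result["ok"].append(label)
        else:
            result["blocked"].append(f"{label} -> {host}")
    return result


if __name__ == "__main__":
    # Placeholder endpoints; substitute the real servers for your deployment.
    report = preflight({"HTTPS": "cdo.example.invalid", "DNS": "dns.example.invalid",
                        "Appliance communications": "peer-fmc.example.invalid"})
    for key, items in report.items():
        print(key, items)
```

Run it from the FMC host (or a machine in the same network segment) before onboarding; any entry under "blocked" is a port the text above says may cause onboarding to fail.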