Onboard an On-Prem Management Center

Review Connect Cisco Defense Orchestrator to your Managed Devices for more information.

Note

CDO does not support creating or modifying objects or policies associated with the On-Prem Management Center or the devices registered to the On-Prem Management Center. You must make these changes in the On-Prem Management Center UI.

Limitations and Guidelines

These are the limitations applicable to onboarding an On-Prem Management Center:

  • You can onboard an On-Prem Management Center to CDO. Onboarding an On-Prem Management Center also onboards all of the devices registered to the On-Prem Management Center. Be aware that if a managed device is disabled, or unreachable, CDO may display the device in the Inventory page, but cannot successfully send requests or view device information.

  • We recommend creating a new user on the On-Prem Management Center specifically for CDO communication that has administrator-level permissions. If you onboard an On-Prem Management Center and then simultaneously log into that On-Prem Management Center with the same login credentials, onboarding fails.

  • If you create a new user on the On-Prem Management Center for CDO communication, the Maximum Number of Failed Logins for the user configuration must be set to "0".

Network Requirements

Before you onboard a device, ensure the following ports have external access. If communication ports are blocked behind a firewall, onboarding the device may fail.

| Port | Protocol/Feature | Platforms | Direction | Details |
|---|---|---|---|---|
| 7/udp | UDP/audit logging | FMC | Outbound | Verify connectivity with the syslog server when configuring audit logging. |
| 53/tcp, 53/udp | DNS | | Outbound | DNS. |
| 67/udp, 68/udp | DHCP | | Outbound | DHCP. |
| 123/udp | NTP | | Outbound | Synchronize time. |
| 162/udp | SNMP | | Outbound | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (FMC only). Configurable. |
| 443/tcp | HTTPS | FMC | Inbound | Allow inbound connections to port 443 if you are onboarding the FMC with an on-premises Secure Device Connector. |
| 443/tcp | HTTPS | FMC | Outbound | Allow outbound traffic on port 443 if you are onboarding the FMC to CDO using the cloud connector. |
| 443/tcp | HTTPS | FMC | Outbound | Allow outbound connections on port 443 if you are onboarding the FMC using SecureX. |
| 443/tcp | HTTPS | | Outbound | Send and receive data from the internet. |
| 514/udp | Syslog (alerts) | | Outbound | Send alerts to a remote syslog server. |
| 1812/udp, 1813/udp | RADIUS | | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 8305/tcp | Appliance communications | | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
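A pre-onboarding connectivity check built from the rows of the table above, added here as an example (it is not Cisco's code). The onboarding mode labels ("sdc", "cloud", "securex"), the feature names and the probe hosts are assumptions; UDP and inbound rows cannot be verified by a TCP connect from the FMC, so they are reported for manual checking.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# One row of the port table: port, proto, feature, direction, mode.
# `mode` ties a row to an onboarding path ("sdc", "cloud", "securex");
# None means the row applies whichever path is used. Labels are assumed.
Rule = Tuple[int, str, str, str, Optional[str]]

# Constructed from the rows of the table that matter for onboarding.
RULES: List[Rule] = [
    (53, "tcp", "DNS", "Outbound", None),
    (123, "udp", "NTP", "Outbound", None),
    (443, "tcp", "HTTPS via Secure Device Connector", "Inbound", "sdc"),
    (443, "tcp", "HTTPS via cloud connector", "Outbound", "cloud"),
    (443, "tcp", "HTTPS via SecureX", "Outbound", "securex"),
    (8305, "tcp", "Appliance communications", "Both", None),
]


def plan_checks(mode: str) -> List[Rule]:
    """Rows that apply when onboarding with the given path."""
    return [r for r in RULES if r[4] in (None, mode)]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Outbound TCP probe: True only if the handshake completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(mode: str, targets: Dict[str, str],
              probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, str]:
    """Classify each applicable rule as ok / blocked / skipped / manual.

    `targets` maps a feature name to the host to probe (your DNS server, the
    CDO endpoint, ...). UDP rows and the inbound 443 row are 'manual': a TCP
    connect from the FMC cannot verify them (inbound 443 must be tested from
    the SDC side). `probe` is injectable so the logic runs without a network.
    """
    results: Dict[str, str] = {}
    for port, proto, feature, direction, _ in plan_checks(mode):
        key = f"{port}/{proto} {feature}"
        if proto != "tcp" or direction == "Inbound":
            results[key] = "manual"
        elif feature not in targets:
            results[key] = "skipped"
        else:
            results[key] = "ok" if probe(targets[feature], port) else "blocked"
    return results
```

Run `preflight("cloud", {"DNS": "<your-dns-server>"})` from the FMC's network to see which outbound rules pass before starting the onboarding.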