Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
Onboard Limitations and Requirements
Be aware of the following limitations when onboarding a device to the cloud-delivered Firewall Management Center:

- Devices must be running version 7.0.3, or version 7.2 and later. CDO strongly recommends version 7.2.
- You cannot directly onboard high availability pairs. You must break the HA pair and onboard each device individually, then recreate the pair in the cloud-delivered Firewall Management Center UI.

  Note: You can migrate an HA pair with the Migrate FTD to Cloud feature. Confirm both peers are in a healthy state prior to migrating.
- The cloud-delivered Firewall Management Center does not support clustered devices.
- The cloud-delivered Firewall Management Center does not support multi-instance deployments.
- If the device is already onboarded to CDO and is managed by a FDM, you must delete the device from CDO before you onboard the device for cloud-delivered Firewall Management Center. Attempting to onboard a device for cloud-delivered Firewall Management Center that is currently associated with a CDO tenant results in failure.
- If the device is managed by an On-Prem FMC, you can change the manager with the Migrate FTD to Cloud feature. See Migrate FTD from FMC to Cloud for more information.
- If you have previously onboarded a device that was managed by a FDM and deleted the device from CDO with the intention of re-onboarding for cloud management, you must register the FDM to the SSE cloud after deleting the device. See the "Access Security Services Exchange" chapter in the Firepower and Cisco SecureX Threat Response Integration Guide.

Warning: If your device is currently managed by a FDM, unregister all your smart licenses before you onboard the device. Even if you switch device management, the Cisco Smart Software Manager will retain the smart licenses.
Network Requirements
Before you onboard a device, ensure the following ports have external access. If communication ports are blocked behind a firewall, onboarding the device may fail.
Port | Protocol / Feature | Direction | Details
---|---|---|---
7/udp | UDP/audit logging | Outbound | Verify connectivity with the syslog server when configuring audit logging.
25/tcp | SMTP | Outbound | Send email notices and alerts.
53/tcp, 53/udp | DNS | Outbound | DNS
67/udp, 68/udp | DHCP | Outbound | DHCP
80/tcp | HTTP | Outbound | Download or query URL category and reputation data (port 443 also required).
123/udp | NTP | Outbound | Synchronize time.
162/udp | SNMP | Outbound | Send SNMP alerts to a remote trap server.
389/tcp, 636/tcp | LDAP | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users. Configurable.
443/tcp | HTTPS | Outbound | Send and receive data from the internet.
443 | HTTPS | Outbound | Communicate with the AMP cloud (public or private).
514/udp | Syslog (alerts) | Outbound | Send alerts to a remote syslog server.
1812/udp, 1813/udp | RADIUS | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable.
5222/tcp | ISE | Outbound | Communicate with an ISE identity source.
6514/tcp | Syslog (audit events) | Outbound | Send audit logs to a remote syslog server, when TLS is configured.
8305/tcp | Appliance communications | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8989/tcp | Cisco Success Network | Outbound | Transmit usage information and statistics.
Management and Data Interfaces
Make sure your device is correctly configured with either a management or data interface.
Each device includes a single dedicated management interface for communicating with the manager. Management interfaces are also used to communicate with the Smart Licensing server, to download updates and perform other management functions.
You can optionally configure the device to use a data interface for management instead of the dedicated Management interface. You must still perform initial setup on the management interface, or on the console port.
To configure a management or data interface on your device, see Complete the FTD Initial Configuration Using the CLI.