Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center

Onboard Limitations and Requirements

Be aware of the following limitations when onboarding a device to the cloud-delivered Firewall Management Center:

  • Devices must be running version 7.0.3, or version 7.2 and later. CDO strongly recommends version 7.2.

  • You cannot directly onboard high availability pairs. You must break the HA pair and onboard each device individually, then recreate the pair in the cloud-delivered Firewall Management Center UI.

    Note

    You can migrate an HA pair with the Migrate FTD to Cloud feature. Confirm both peers are in a healthy state prior to migrating.

  • The cloud-delivered Firewall Management Center does not support clustered devices.

  • The cloud-delivered Firewall Management Center does not support multi-instance deployments.

  • If the device is already onboarded to CDO and is managed by an FDM, you must delete the device from CDO before you onboard the device for cloud-delivered Firewall Management Center. Attempting to onboard a device for cloud-delivered Firewall Management Center that is currently associated with a CDO tenant results in failure.

  • If the device is managed by an On-Prem FMC, you can change the manager with the Migrate FTD to Cloud feature. See Migrate FTD from FMC to Cloud for more information.

  • If you have previously onboarded a device that was managed by an FDM and deleted the device from CDO with the intention of re-onboarding for cloud management, you must register the FDM to the SSE cloud after deleting the device. See the "Access Security Services Exchange" chapter in the Firepower and Cisco SecureX Threat Response Integration Guide.

Warning

If your device is currently managed by an FDM, unregister all your smart licenses before you onboard the device. Even if you switch device management, the Cisco Smart Software Manager will retain the smart licenses.

Network Requirements

Before you onboard a device, ensure the following ports have external access. If communication ports are blocked behind a firewall, onboarding the device may fail.

| Port | Protocol / Feature | Direction | Details |
|---|---|---|---|
| 7/udp | UDP/audit logging | Outbound | Verify connectivity with the syslog server when configuring audit logging. |
| 25/tcp | SMTP | Outbound | Send email notices and alerts. |
| 53/tcp, 53/udp | DNS | Outbound | DNS. |
| 67/udp, 68/udp | DHCP | Outbound | DHCP. |
| 80/tcp | HTTP | Outbound | Download or query URL category and reputation data (port 443 also required). |
| 123/udp | NTP | Outbound | Synchronize time. |
| 162/udp | SNMP | Outbound | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users. Configurable. |
| 443/tcp | HTTPS | Outbound | Send and receive data from the internet. |
| 443 | HTTPS | Outbound | Communicate with the AMP cloud (public or private). |
| 514/udp | Syslog (alerts) | Outbound | Send alerts to a remote syslog server. |
| 1812/udp, 1813/udp | RADIUS | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 5222/tcp | ISE | Outbound | Communicate with an ISE identity source. |
| 6514/tcp | Syslog (audit events) | Outbound | Send audit logs to a remote syslog server when TLS is configured. |
| 8305/tcp | Appliance communications | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8989/tcp | Cisco Success Network | Outbound | Transmit usage information and statistics. |
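A quick way to confirm the outbound paths in the table before onboarding is to attempt a TCP connect to each TCP destination from the network the device's management interface will use. The script below is an added example, not Cisco code: `PAGE_ROWS` is the table's port column, the `DESTINATIONS` hosts are constructed placeholders to replace with your own servers, and UDP rows are reported as not verifiable by this method.

```python
"""Outbound port pre-check for the table above (added example, not Cisco code).

DESTINATIONS holds constructed placeholder hosts; replace them with your own
servers and run this from the network the device's management interface uses.
"""
import socket

# Port/protocol strings exactly as the page lists them. The bare "443" row
# (AMP cloud) is assumed to mean TCP, like the other HTTPS row.
PAGE_ROWS = ["7/udp", "25/tcp", "53/tcp", "53/udp", "67/udp", "68/udp",
             "80/tcp", "123/udp", "162/udp", "389/tcp", "636/tcp", "443/tcp",
             "443", "514/udp", "1812/udp", "1813/udp", "5222/tcp",
             "6514/tcp", "8305/tcp", "8989/tcp"]

# Constructed placeholder destinations; none of these names is from the page.
DESTINATIONS = {row: "placeholder.example.invalid" for row in PAGE_ROWS}

def parse_spec(spec):
    """'53/udp' -> (53, 'udp'); a bare port such as '443' defaults to TCP."""
    port, _, proto = spec.partition("/")
    return int(port), (proto.lower() or "tcp")

def check_tcp(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name lookup failed
        return False

def run_checks(destinations, timeout=3.0):
    """Map each 'port/proto' row to 'open', 'blocked' or 'udp: not verifiable'.
    UDP is connectionless, so a TCP connect proves nothing; verify those rows
    with a protocol-level test instead (a test syslog message, an NTP query).
    """
    results = {}
    for spec, host in destinations.items():
        port, proto = parse_spec(spec)
        if proto != "tcp":
            results[spec] = "udp: not verifiable"
        else:
            results[spec] = "open" if check_tcp(host, port, timeout) else "blocked"
    return results

if __name__ == "__main__":
    for spec, status in sorted(run_checks(DESTINATIONS).items(),
                               key=lambda kv: parse_spec(kv[0])):
        print(f"{spec:>9}  {status}")
```

A "blocked" result for 8305/tcp also needs the inbound direction checked from the peer side, since the table lists that port as bidirectional.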

Management and Data Interfaces

Make sure your device is correctly configured with either a management or data interface.

Each device includes a single dedicated management interface for communicating with the manager. Management interfaces are also used to communicate with the Smart Licensing server, to download updates and perform other management functions.

You can optionally configure the device to use a data interface for management instead of the dedicated Management interface. You must still perform initial setup on the management interface, or on the console port.

To configure a management or data interface on your device, see Complete the FTD Initial Configuration Using the CLI.