Troubleshoot Device Connectivity Loss After Cloud-delivered Firewall Management Center Update

A cloud-delivered Firewall Management Center is assigned a dynamic IP address when it is added to a CDO tenant. When the management center is updated, the management center receives a new dynamic IP address.

If you have a firewall inspecting the outbound traffic from your threat defense device to the cloud-delivered Firewall Management Center, your firewall rules must allow the threat defense traffic to flow to the FQDN and port of the management center rather than its IP address, or the management center will not be able to manage your threat defense device.

For example, if your network traffic rule allowing management traffic from your threat defense device to the cloud-delivered Firewall Management Center looks like this:

allow all traffic <my-threat-defense-ip-src> to 200.165.200.225

where 200.165.200.225 is the management address of the cloud-delivered Firewall Management Center, change the one allow rule to these two allow rules as both ports 443 and 8305 need to be open:

allow all traffic <my-threat-defense-ip-src > to <my-cdfFMC-FQDN>:443

allow all traffic <my-threat-defense-ip-src > to <my-cdfFMC-FQDN>:8305

See “Network Requirements” in Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center for more port information.

Where do I find the domain name of my cloud-delivered Firewall Management Center?

Where do I find the domain name of my cloud-delivered Firewall Management Center?

1. Log in to CDO.

2. From the menu bar, navigate Tools & Services > Firewall Management Center.

3. Select the Cloud-delivered Firewall Management Center in the FMC table.

4. In the top-right corner of the screen, you will see the Hostname of the management center. This is the FQDN.