Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
Onboard Limitations and Requirements
Be aware of the following limitations when onboarding a device to the cloud-delivered Firewall Management Center:
- Devices must be running Version 7.2 or later.
- You cannot directly onboard high availability pairs. Break the HA pair, onboard each device individually, then recreate the pair in the FMC UI.
- FMC does not support clustered devices.
- FMC does not support multi-instance deployments.
- If the device is already onboarded to CDO and is managed by FDM, delete the device from CDO before you onboard it to FMC. Attempting to onboard a device to FMC while it is still associated with a CDO tenant fails.
- The device cannot already be registered with Cisco Cloud Services. See Unregistering an FDM-Managed Device from Cisco Cloud Services for how to unregister the device before you onboard it.
- If the device is managed by FDM, unregister it from FDM before onboarding. See "Change Device Manager from Secure Firewall Management Center to CDO" in the cloud-delivered Firewall Management Center help for more information.
- If you previously onboarded an FTD device that was managed by FDM and deleted it from CDO intending to re-onboard it for cloud management, you must register the FDM to the SSE cloud after deleting the device. See the "Access Security Services Exchange" chapter in the Firepower and Cisco SecureX Threat Response Integration Guide.
Warning: If your device is currently managed by FDM, unregister all of its smart licenses before you onboard the device to FMC through CDO. Otherwise the Cisco Smart Software Manager retains those smart licenses even after you switch device management.
Network Requirements
Before you onboard a device, ensure that the device can reach the following ports externally. If any of these ports is blocked by a firewall between the device and its peers, onboarding may fail.
| Port | Protocol/Feature | Platforms | Direction | Details |
|---|---|---|---|---|
| 7/UDP | UDP/audit logging | CDO | Outbound | Verify connectivity with the syslog server when configuring audit logging. |
| 53/tcp, 53/udp | DNS | | Outbound | DNS. |
| 67/udp, 68/udp | DHCP | | Outbound | DHCP. |
| 123/udp | NTP | | Outbound | Synchronize time. |
| 162/udp | SNMP | | Outbound | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (CDO only). Configurable. |
| 443/tcp | HTTPS | | Outbound | Send and receive data from the internet. |
| 514/udp | Syslog (alerts) | | Outbound | Send alerts to a remote syslog server. |
| 1812/udp, 1813/udp | RADIUS | | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 8305/tcp | Appliance communications | | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
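The following pre-flight script is an added example and is not part of the Cisco documentation. Run it from a host on the same management network as the device, before onboarding, to confirm that the firewall in front of the device permits the outbound TCP flows in the table above (443/tcp, 8305/tcp, 53/tcp, 389/tcp and 636/tcp). The hostnames in `REQUIRED_TCP` are placeholders you must replace with your own CDO, LDAP and DNS endpoints; they are assumptions, not values from the page. UDP rows (NTP, SNMP, syslog, RADIUS, DHCP) cannot be verified with a bare connect, so they are deliberately not probed here; the loopback self-test exists so you can confirm the checker itself works before trusting a run of all-False results.

```python
"""Pre-onboarding TCP reachability check for the ports listed in the table.

Added example, not Cisco code. Replace the placeholder hosts in REQUIRED_TCP
with your real endpoints before use.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str          # Protocol/Feature column of the table
    host: str          # placeholder; replace with your endpoint (assumption)
    port: int
    direction: str = "Outbound"


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused or filtered port, an unresolvable name, or a timeout all
    return False; the caller decides what that means for onboarding.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_dns(name: str) -> bool:
    """Return True if the host's resolver can resolve name (the 53/tcp+udp row)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def run_preflight(targets, timeout: float = 3.0) -> dict:
    """Probe every target; return {feature name: reachable}.

    Any False result means the corresponding flow is blocked and onboarding
    may fail, per the Network Requirements section.
    """
    return {t.name: check_tcp(t.host, t.port, timeout) for t in targets}


def loopback_selftest(timeout: float = 1.0) -> bool:
    """Validate the probe against a listener we control on 127.0.0.1.

    Binding to port 0 lets the kernel pick a free port; a successful
    connect to it proves check_tcp reports True when a port is open.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_tcp("127.0.0.1", port, timeout)


# Placeholder endpoints (assumptions, not from the documentation).
REQUIRED_TCP = [
    Target("HTTPS (CDO/cloud services)", "cdo.example.invalid", 443),
    Target("Appliance communications", "manager.example.invalid", 8305, "Both"),
    Target("DNS over TCP", "dns.example.invalid", 53),
    Target("LDAP", "ldap.example.invalid", 389),
    Target("LDAPS", "ldap.example.invalid", 636),
]

if __name__ == "__main__":
    print("self-test:", "ok" if loopback_selftest() else "FAILED")
    print("resolver:", "ok" if check_dns("localhost") else "FAILED")
    for feature, ok in run_preflight(REQUIRED_TCP).items():
        print(f"{'OPEN ' if ok else 'BLOCKED'}  {feature}")
```

If the self-test passes but every real target reports BLOCKED, the problem is on the path out of the management network rather than in the script; check the upstream firewall rules for the ports listed in the table before attempting onboarding.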
Management and Data Interfaces
Make sure your device is correctly configured with either a management interface or a data interface for manager access.
Each device includes a single dedicated management interface for communicating with the manager. Management interfaces are also used to communicate with the Smart Licensing server, to download updates and perform other management functions.
You can optionally configure the device to use a data interface for management instead of the dedicated Management interface. You must still perform initial setup on the management interface, or on the console port.