Communication Ports
If an appliance sits behind a network barrier such as an edge firewall, allow traffic on the ports listed below. Ports that are not needed for essential or default operation stay closed until a configuration or feature requires them, so open only the feature ports you actually use.
Ports for Firewall Management Center
The management center uses these ports to communicate.
| Inbound Port | Protocol/Feature | Details |
|---|---|---|
| 22/tcp | SSH | Secure remote connections to the appliance. |
| 161/udp | SNMP | Allow access to MIBs via SNMP polling. |
| 443/tcp | HTTPS | Required. Access the management center web interface. |
| 443/tcp | HTTPS | Onboard an on-prem Firewall Management Center to Security Cloud Control with Secure Device Connector (on-prem). |
| 443/tcp | HTTPS | Communicate with integrated and third-party products using the REST API. |
| 443/tcp | HTTPS | Integrate with Secure Endpoint. |
| 623/udp | SOL/LOM | Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection. |
| 1500/tcp, 2000/tcp | Database access | Allow read-only access to the event database by a third-party client. |
| 8302/tcp | eStreamer | Communicate with an eStreamer client. |
| 8305/tcp | Appliance communications | Required. Securely communicate with managed devices. Also initiates connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8307/tcp | Host input client | Communicate with a host input client. |
| 8989/tcp | Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. Also initiates connections on this port. |
| Outbound Port | Protocol/Feature | Details |
|---|---|---|
| 7/udp, 514/udp, 6514/tcp | Syslog (audit logging) | 7/udp: verify connectivity with the syslog server when configuring audit logging. 514/udp: send audit logs to a remote syslog server when TLS is not configured. 6514/tcp: send audit logs to a remote syslog server when TLS is configured. |
| 25/tcp | SMTP | Send email notices and alerts. |
| 53/tcp, 53/udp | DNS | Required. DNS. |
| 67/udp, 68/udp | DHCP | DHCP. |
| 80/tcp | HTTP | Send and receive data from the internet. See Internet Resources Accessed. |
| 80/tcp | HTTP | Download custom Security Intelligence feeds over HTTP. |
| 80/tcp | HTTP | Download or query URL category and reputation data. This feature also uses 443/tcp. |
| 80/tcp | HTTP | Display RSS feeds in the dashboard. |
| 123/udp | NTP | Synchronize time. |
| 162/udp | SNMP | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users. Configurable. |
| 443/tcp | HTTPS | Send and receive data from the internet. See Internet Resources Accessed. |
| 443/tcp | HTTPS | Communicate with the Secure Malware Analytics Cloud (public or private). |
| 443/tcp | HTTPS | Integrate with Secure Endpoint. Also accepts connections on this port. |
| 443/tcp | HTTPS | Onboard an on-prem Firewall Management Center to Security Cloud Control with Cisco Security Cloud or Secure Device Connector (cloud). |
| 1812/udp, 1813/udp | RADIUS | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 5222/tcp | ISE | Communicate with an ISE identity source. |
| 8305/tcp | Appliance communications | Required. Securely communicate with managed devices. Also accepts connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8989/tcp | Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. Also accepts connections on this port. |
| 8989/tcp | Cisco Success Network | Transmit usage information and statistics. |
Ports for Managed Devices
Managed devices use these ports to communicate.
| Inbound Port | Protocol/Feature | Details |
|---|---|---|
| 22/tcp | SSH | Secure remote connections to the appliance. |
| 161/udp | SNMP | Allow access to MIBs via SNMP polling. |
| 443/tcp | HTTPS | Communicate with integrated and third-party products using the REST API. |
| 443/tcp | Remote access VPN (SSL/IPsec) | Allow secure VPN connections to your network from remote users. |
| 500/udp, 4500/udp | Remote access VPN (IKEv2) | Allow secure VPN connections to your network from remote users. |
| 885/tcp | Captive portal | Communicate with a captive portal identity source. |
| 8305/tcp | Appliance communications | Required. Securely communicate with the Firewall Management Center. Also initiates connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8989/tcp | Cisco Support Diagnostics | Accepts authorized requests. Also initiates connections on this port. |
| Outbound Port | Protocol/Feature | Details |
|---|---|---|
| 53/tcp, 53/udp | DNS | DNS. |
| 67/udp, 68/udp | DHCP | DHCP. |
| 123/udp | NTP | Synchronize time. |
| 162/udp | SNMP | Send SNMP alerts to a remote trap server. |
| 1812/udp, 1813/udp | RADIUS | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 389/tcp, 636/tcp | LDAP | Communicate with an LDAP server for external authentication. Configurable. |
| 443/tcp | HTTPS | Send and receive data from the internet; see Internet Resources Accessed. |
| 514/udp | Syslog (audit logging) | Send audit logs to a remote syslog server when TLS is not configured. |
| 8305/tcp | Appliance communications | Required. Securely communicate with the Firewall Management Center. Also accepts connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8514/udp | Secure Network Analytics Manager | Send syslog messages to Secure Network Analytics using Security Analytics and Logging (On Premises). |
| 8989/tcp | Cisco Support Diagnostics | Transmits usage information and statistics. Also accepts connections on this port. |
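The two sets of tables above (management center and managed devices) say what to allow; turning them into an edge-firewall policy is left to the reader. The following POSIX shell script is an added example, not Cisco's code and not part of the original page. It renders an nftables ruleset with a default-drop forward chain for a firewall in front of either the management center (`ruleset fmc`) or the managed devices' management interfaces (`ruleset device`). The port numbers and the "Required" labels come from the tables; everything else is an assumption for the example: the RFC 5737 addresses, the variable names, and the forward-hook placement. Following the page's note that ports stay closed until a feature needs them, only the ports marked Required are always emitted; a feature port appears only when its server variable or `ENABLE_*` toggle is set. Ports the script does not model (SNMP, LDAP, RADIUS, LOM, database access, the VPN ports on devices) are added with the same `rule` helper.

```shell
#!/bin/sh
# Added example, not from the Cisco page: render an nftables ruleset for an
# edge firewall that forwards traffic for a Firewall Management Center ("fmc")
# or for managed devices ("device"), admitting only ports the page lists.
# Addresses, the forward-hook placement and every server/ENABLE_* variable are
# assumptions for the example; the port numbers and Required labels are the page's.

FMC_ADDR="${FMC_ADDR:-192.0.2.10}"        # management center (RFC 5737 range)
DEVICES="${DEVICES:-198.51.100.0/24}"     # managed-device management interfaces
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"  # administrator workstations
DNS_SERVER="${DNS_SERVER:-}"              # an empty server variable emits no rule
NTP_SERVER="${NTP_SERVER:-}"
SYSLOG_SERVER="${SYSLOG_SERVER:-}"
SYSLOG_TLS="${SYSLOG_TLS:-0}"             # 1 = 6514/tcp, 0 = 514/udp
SNA_MANAGER="${SNA_MANAGER:-}"            # Secure Network Analytics (device role)
ESTREAMER_CLIENT="${ESTREAMER_CLIENT:-}"  # eStreamer client (fmc role)
ENABLE_SSH="${ENABLE_SSH:-0}"             # 22/tcp from ADMIN_NET
ENABLE_INTERNET="${ENABLE_INTERNET:-0}"   # 80/tcp and 443/tcp to any destination

# rule SRC DST PROTO PORT COMMENT -> one accept rule for the forward chain
rule() {
    printf '        ip saddr %s ip daddr %s %s dport %s accept comment "%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# 8305/tcp is the only port the page marks Required on both appliances, and
# either side may open the connection, so both directions are always emitted.
appliance_channel() {
    rule "$DEVICES"  "$FMC_ADDR" tcp 8305 "appliance communications, device-initiated (required)"
    rule "$FMC_ADDR" "$DEVICES"  tcp 8305 "appliance communications, FMC-initiated (required)"
}

# Outbound services both roles use; $1 is the protected address or network.
outbound_common() {
    if [ -n "$DNS_SERVER" ]; then
        rule "$1" "$DNS_SERVER" tcp 53 "DNS"
        rule "$1" "$DNS_SERVER" udp 53 "DNS"
    fi
    if [ -n "$NTP_SERVER" ]; then
        rule "$1" "$NTP_SERVER" udp 123 "NTP"
    fi
    if [ "$ENABLE_INTERNET" = 1 ]; then
        rule "$1" 0.0.0.0/0 tcp "{ 80, 443 }" "Internet Resources Accessed"
    fi
}

# Emit the complete ruleset for ROLE (fmc | device) on stdout.
ruleset() {
    case $1 in
        fmc) target=$FMC_ADDR ;;
        device) target=$DEVICES ;;
        *) echo "usage: ruleset fmc|device" >&2; return 2 ;;
    esac
    printf 'table inet mgmt_edge {\n    chain forward {\n'
    printf '        type filter hook forward priority 0; policy drop;\n'
    printf '        ct state established,related accept\n'   # return traffic for both directions of 8305 etc.
    printf '        ct state invalid drop\n'
    appliance_channel
    if [ "$ENABLE_SSH" = 1 ]; then
        rule "$ADMIN_NET" "$target" tcp 22 "SSH"
    fi
    if [ "$1" = fmc ]; then
        rule "$ADMIN_NET" "$target" tcp 443 "HTTPS web interface (required)"
        if [ -n "$ESTREAMER_CLIENT" ]; then
            rule "$ESTREAMER_CLIENT" "$target" tcp 8302 "eStreamer client"
        fi
        if [ -n "$SYSLOG_SERVER" ]; then
            rule "$target" "$SYSLOG_SERVER" udp 7 "audit logging connectivity check"
            if [ "$SYSLOG_TLS" = 1 ]; then
                rule "$target" "$SYSLOG_SERVER" tcp 6514 "audit logging, TLS"
            else
                rule "$target" "$SYSLOG_SERVER" udp 514 "audit logging, no TLS"
            fi
        fi
    else
        if [ -n "$SYSLOG_SERVER" ]; then
            rule "$target" "$SYSLOG_SERVER" udp 514 "audit logging, no TLS"
        fi
        if [ -n "$SNA_MANAGER" ]; then
            rule "$target" "$SNA_MANAGER" udp 8514 "Security Analytics and Logging (On Premises)"
        fi
    fi
    outbound_common "$target"
    printf '    }\n}\n'
}

# Number of accept rules a role produces: a quick way to confirm that a toggle
# added exactly the rules you expected before loading the output.
count_rules() { ruleset "$1" | grep -c ' accept comment '; }

# Render and syntax-check (the functions never invoke nft themselves):
#   DNS_SERVER=192.0.2.53 ENABLE_SSH=1 sh -c '. ./mgmt_edge.sh && ruleset fmc' | nft -c -f -
```

With no feature variables set, `ruleset fmc` yields exactly three accept rules (the two 8305/tcp directions and 443/tcp from the admin network) and `ruleset device` yields two; every further rule is traceable to a variable you set deliberately, which is the property an allowlist for these appliances should have.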