Communication Port Requirements
The management center communicates with managed devices using a two-way, SSL-encrypted communication channel on port 8305/tcp. This port must remain open for basic communication. Other ports allow secure management, as well as access to external resources required by specific features. In general, feature-related ports remain closed until you enable or configure the associated feature. Do not change or close an open port until you understand how this action will affect your deployment.
For information on internet resources the system may contact over these ports, see Internet Access Requirements.
Ports for Management Center

| Inbound Port | Protocol/Feature | Details |
|---|---|---|
| 443/tcp | HTTPS | Access the web interface. |
| 443/tcp | HTTPS | Submit queries to Cisco Security Packet Analyzer. |
| 443/tcp | HTTPS | Communicate with integrated and third-party products using the REST API. |
| 443/tcp | HTTPS | Integrate with Secure Endpoint. Outbound also required. |
| 8305/tcp | Appliance communications | Securely communicate between appliances in a deployment. Outbound also required. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8989/tcp | Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. Outbound also required. |

| Outbound Port | Protocol/Feature | Details |
|---|---|---|
| 7/udp, 514/udp, 6514/tcp | Syslog (audit logging) | Verify connectivity with the syslog server when configuring audit logging (7/udp). Send audit logs to a remote syslog server when TLS is not configured (514/udp). Send audit logs to a remote syslog server when TLS is configured (6514/tcp). |
| 25/tcp | SMTP | Send email notices and alerts. |
| 53/tcp, 53/udp | DNS | DNS name resolution. |
| 67/udp, 68/udp | DHCP | DHCP address assignment. |
| 80/tcp | HTTP | Download custom Security Intelligence feeds over HTTP. |
| 80/tcp | HTTP | Download or query URL category and reputation data. Outbound 443/tcp also required. |
| 123/udp | NTP | Synchronize time. |
| 162/udp | SNMP | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users. Configurable. |
| 443/tcp | HTTPS | Communicate with the Secure Malware Analytics Cloud (public or private). |
| 443/tcp | HTTPS | Send and receive data from the internet. |
| 443/tcp | HTTPS | Integrate with AMP for Endpoints. Inbound also required. |
| 1812/udp, 1813/udp | RADIUS | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 5222/tcp | ISE | Communicate with an ISE identity source. |
| 8305/tcp | Appliance communications | Securely communicate between appliances in a deployment. Inbound also required. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
Ports for Managed Devices

| Inbound Port | Protocol/Feature | Details |
|---|---|---|
| 22/tcp | SSH | Secure remote connections to the appliance. |
| 161/udp | SNMP | Allow access to MIBs via SNMP polling. |
| 443/tcp | HTTPS | Communicate with integrated and third-party products using the REST API. |
| 443/tcp | Remote access VPN (SSL/IPSec) | Allow secure VPN connections to your network from remote users. |
| 500/udp, 4500/udp | Remote access VPN (IKEv2) | Allow secure VPN connections to your network from remote users. |
| 885/tcp | Captive portal | Communicate with a captive portal identity source. |
| 8305/tcp | Appliance communications | Securely communicate between appliances in a deployment. Outbound also required. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |

| Outbound Port | Protocol/Feature | Details |
|---|---|---|
| 53/tcp, 53/udp | DNS | DNS name resolution. |
| 67/udp, 68/udp | DHCP | DHCP address assignment. |
| 123/udp | NTP | Synchronize time. |
| 162/udp | SNMP | Send SNMP alerts to a remote trap server. |
| 1812/udp, 1813/udp | RADIUS | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 389/tcp, 636/tcp | LDAP | Communicate with an LDAP server for external authentication. Configurable. |
| 443/tcp | HTTPS | Send and receive data from the internet. |
| 514/udp | Syslog (audit logging) | Send audit logs to a remote syslog server when TLS is not configured. |
| 8305/tcp | Appliance communications | Securely communicate between appliances in a deployment. Inbound also required. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8514/udp | Secure Network Analytics Manager | Send syslog messages to Secure Network Analytics using Security Analytics and Logging (On Premises). |
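The tables above amount to an allowlist specification: 8305/tcp must be open both ways on every appliance and must be the same value across the deployment, while every other port should be open only when its feature is in use. The following audit script is an added example, not Cisco code; it transcribes a subset of the port matrix from this page and checks a deployment's per-appliance host-firewall allowlists against it. The feature names and the sample deployment in `demo()` are constructed for the example.

```python
from dataclasses import dataclass, field

# Feature-related ports transcribed from this page's tables, keyed by the feature
# that opens them: (role, direction) -> {feature: {(port, proto), ...}}.
# Feature names are labels chosen for this example, not product settings.
FEATURE_PORTS = {
    ("fmc", "in"): {"web_ui": {(443, "tcp")}, "support_diagnostics": {(8989, "tcp")}},
    ("fmc", "out"): {"smtp_alerts": {(25, "tcp")}, "ntp": {(123, "udp")},
                     "syslog": {(7, "udp"), (514, "udp")}, "syslog_tls": {(6514, "tcp")},
                     "ldap": {(389, "tcp"), (636, "tcp")}, "radius": {(1812, "udp"), (1813, "udp")}},
    ("device", "in"): {"ssh": {(22, "tcp")}, "snmp_poll": {(161, "udp")},
                       "ra_vpn_ssl": {(443, "tcp")}, "ra_vpn_ikev2": {(500, "udp"), (4500, "udp")}},
    ("device", "out"): {"ntp": {(123, "udp")}, "syslog": {(514, "udp")},
                        "ldap": {(389, "tcp"), (636, "tcp")}, "snmp_trap": {(162, "udp")}},
}

@dataclass
class Appliance:
    name: str
    role: str            # "fmc" (management center) or "device"
    mgmt_port: tuple     # configured appliance-communications port; default is (8305, "tcp")
    features: set        # features enabled on this appliance
    allow_in: set = field(default_factory=set)   # (port, proto) pairs the host firewall permits
    allow_out: set = field(default_factory=set)

def audit(appliances):
    """Return findings: management port blocked, a needed feature port blocked, a feature
    port open without its feature, or the management port differing between appliances."""
    findings = []
    mgmt_ports = {a.mgmt_port for a in appliances}
    if len(mgmt_ports) > 1:  # page: change 8305 on all appliances or on none
        findings.append(f"appliance-communications port differs across deployment: {sorted(mgmt_ports)}")
    for a in appliances:
        for direction, allowed in (("in", a.allow_in), ("out", a.allow_out)):
            if a.mgmt_port not in allowed:  # required in both directions on every role
                findings.append(f"{a.name}: mandatory {a.mgmt_port} {direction}bound blocked")
            table = FEATURE_PORTS[(a.role, direction)]
            needed = set().union(*(p for f, p in table.items() if f in a.features))
            known = set().union(*table.values())
            for p in sorted(needed - allowed):
                findings.append(f"{a.name}: feature port {p} {direction}bound blocked")
            for p in sorted((allowed & known) - needed - {a.mgmt_port}):  # least privilege
                findings.append(f"{a.name}: {p} {direction}bound open but its feature is not enabled")
    return findings

def demo():
    """Constructed deployment: the FMC has TLS audit logging enabled but only plaintext syslog open."""
    fmc = Appliance("fmc-1", "fmc", (8305, "tcp"), {"web_ui", "ntp", "syslog_tls"},
                    {(443, "tcp"), (8305, "tcp")}, {(8305, "tcp"), (123, "udp"), (514, "udp")})
    ftd = Appliance("ftd-1", "device", (8305, "tcp"), {"ssh", "ntp"},
                    {(22, "tcp"), (8305, "tcp")}, {(8305, "tcp"), (123, "udp")})
    return audit([fmc, ftd])
```

For a real deployment, populate `allow_in`/`allow_out` from the exported firewall policy in front of each appliance and extend `FEATURE_PORTS` with the remaining rows of the tables.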