Internet Access Requirements
By default, Firepower appliances are configured to connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). If you do not want your appliances to have direct access to the internet, you can configure a proxy server.
In most cases, it is the Cisco Defense Orchestrator that accesses the internet. However, sometimes managed devices also access the internet. For example, if your malware protection configuration uses dynamic analysis, managed devices submit files directly to the Threat Grid Cloud. Or, you may synchronize a device to an external NTP server.
Additionally, unless you disable web analytics tracking, your browser may contact Google web analytics servers to send non-personally-identifiable usage data to Cisco.
Tip: If you are using AMP for Networks or AMP for Endpoints, your location can determine which AMP cloud resources the CDO accesses. The Required Server Addresses for Proper AMP Operations Troubleshooting TechNote lists the internet resources (including static IP addresses) required not only by Firepower appliances, but also by Cisco AMP components like connectors and private cloud appliances.
Both CDOs in a high availability pair should have internet access. Depending on the feature, sometimes both peers access the internet, and sometimes only the active peer does.
Feature | Reason | CDO High Availability | Resource
---|---|---|---
AMP for Networks | Malware cloud lookups. | Both peers perform lookups. | See the important tip above this table. cloud-sa.amp.cisco.com, cloud-sa.eu.amp.cisco.com, cloud-sa.apjc.amp.cisco.com, cloud-sa-589592150.us-east-1.
 | Download signature updates for file preclassification and local malware analysis. | Active peer downloads, syncs to standby. | updates.vrt.sourcefire.com, amp.updates.vrt.sourcefire.com
 | Submit files for dynamic analysis (managed devices). Query for dynamic analysis results (CDO). | Both peers query for dynamic analysis reports. | fmc.api.threatgrid.com, fmc.api.threatgrid.eu
AMP for Endpoints integration | Receive malware events detected by AMP for Endpoints from the AMP cloud. Display malware events detected by the system in AMP for Endpoints. Use centralized file Block and Allow lists created in AMP for Endpoints to override dispositions from the AMP cloud. | Both peers receive events. You must also configure the cloud connection on both peers (configuration is not synced). | See the Firepower information in https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html#anc5. See also the important tip above this table.
Security Intelligence | Download Security Intelligence feeds. | Active peer downloads, syncs to standby. | intelligence.sourcefire.com
URL filtering | Download URL category and reputation data. Manually query (look up) URL category and reputation data. Query for uncategorized URLs. | Active CDO downloads, syncs to standby. | https://updates-talos.sco.cisco.com IPv4: IPv6:
Cisco Smart Licensing | Communicate with the Cisco Smart Software Manager. | Active peer communicates. | tools.cisco.com:443, www.cisco.com
Cisco Success Network | Transmit usage information and statistics. | Active peer communicates. | api-sse.cisco.com:8989, https://dex.sse.itd.cisco.com, https://dex.eu.sse.itd.cisco.com
Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. | Active peer communicates. | api-sse.cisco.com:8989
System updates | Download updates directly from Cisco to the CDO: | Update intrusion rules, the VDB, and the GeoDB on the active peer, which then syncs to the standby. Upgrade the system software independently on each peer. See the Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0. | cisco.com, sourcefire.com
Cisco Threat Response integration | See the Firepower and Cisco Threat Response Integration Guide available from https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html. | |
Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | Any appliance using an external NTP server must have internet access. | 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org
RSS feeds | Display the Cisco Threat Research Blog on the dashboard. | Any appliance displaying RSS feeds must have internet access. | blogs.cisco.com/talos, cloud.google.com
Whois | Request whois information for an external host. Not supported with a proxy server. | Any appliance requesting whois information must have internet access. | The whois client tries to guess the right server to query. If it cannot guess, it uses:
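As an added example (not Cisco's own code or tooling), the Python below turns the table into the egress allowlist an upstream firewall needs, honouring the proxy rule stated at the top of this page: HTTP(S) destinations collapse to the proxy, while the NTP and whois entries marked "Not supported with a proxy server" still need direct access. The standard NTP (123/udp) and whois (43/tcp) ports, the proxy address and the whois server placeholder are assumptions, and the truncated cloud-sa entry is omitted.

```python
"""Derive the egress allowlist a Firepower/CDO deployment needs from the table above."""
import socket

# Hosts as the table lists them (explicit port where it gives one). Entries without a
# port use the default 443/tcp and 80/tcp from the text above. A proxy can front all of these.
PROXYABLE = {
    "AMP for Networks": ["cloud-sa.amp.cisco.com", "cloud-sa.eu.amp.cisco.com",
                         "cloud-sa.apjc.amp.cisco.com", "updates.vrt.sourcefire.com",
                         "amp.updates.vrt.sourcefire.com", "fmc.api.threatgrid.com",
                         "fmc.api.threatgrid.eu"],
    "Security Intelligence": ["intelligence.sourcefire.com"],
    "URL filtering": ["updates-talos.sco.cisco.com"],
    "Cisco Smart Licensing": ["tools.cisco.com:443", "www.cisco.com"],
    "Cisco Success Network": ["api-sse.cisco.com:8989", "dex.sse.itd.cisco.com",
                              "dex.eu.sse.itd.cisco.com"],
    "Cisco Support Diagnostics": ["api-sse.cisco.com:8989"],
    "System updates": ["cisco.com", "sourcefire.com"],
    "RSS feeds": ["blogs.cisco.com", "cloud.google.com"],
}
# "Not supported with a proxy server": these always need direct egress. The standard
# NTP (123/udp) and whois (43/tcp) ports are assumed; the table lists none, and the
# whois fallback server is not given on the page, hence the placeholder name.
DIRECT_ONLY = [("%d.sourcefire.pool.ntp.org" % i, 123, "udp") for i in range(4)]
DIRECT_ONLY.append(("WHOIS-SERVER-PLACEHOLDER", 43, "tcp"))
DEFAULT_PORTS = (443, 80)


def egress_rules(proxy=None):
    """Return the set of (destination, port, proto) an egress filter must permit.
    With proxy=(host, port) the HTTP(S) destinations collapse to the proxy itself,
    but NTP and whois still need direct access."""
    rules = {(proxy[0], proxy[1], "tcp")} if proxy else set()
    if not proxy:
        for entry in (e for hosts in PROXYABLE.values() for e in hosts):
            host, _, port = entry.partition(":")
            for p in ([int(port)] if port else DEFAULT_PORTS):
                rules.add((host, p, "tcp"))
    rules.update(DIRECT_ONLY)
    return rules


def tcp_reachable(host, port, timeout=3.0):
    """Live check for one tcp rule; run it from the appliance's own network segment."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `egress_rules()` against your firewall's egress policy to spot missing destinations, and `tcp_reachable` from the appliance segment to confirm each tcp rule actually passes traffic.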