AMP for Endpoint CWS Exceptions

jmeetze80 — Fri, 21 Feb 2020 05:30:00 GMT

Recently Cisco/SourceFire released a bulletin about a cloud migration for our SourceFire AMP clients and that we would need to update some policies to ensure our clients can talk to Cisco's cloud servers. I deployed the updated policy to one of our test groups and noticed that my FireAMP client could not reach out to the internet so it was displaying a "Disconnected Status". On a hunch, I disabled my CWS client service and my FireAMP client was able to connect and displayed a "Connected Status".

I found in our SourceFire management console that there are some firewall settings provided for this new cloud migration, that includes a number of IP's needed to communicate over 443. They even offer a copy feature or option to download the files to a text file so you can easily update your firewall with these new IP's.

My issue is that there is no easy way to import these into our CWS profile so that we can exempt these IP's from being sent through the cloud proxy. I had to copy and paste each one of these one at a time, which took quite a while. I think, that since these are both Cisco products, they should work together and we should not have to enter these IP's manually. This process just seems very inefficient as far as managing this solution. It's very hard to update these exceptions in the profile editor.

I'm wondering if there's a way that the developers of these products could integrate these exceptions or at least make it easier to copy and paste the whole list into the profile editor? I could see me having to do this if I were using another vendor's product with CWS, but seeing as these are both SourceFire products, it just seems like these two solutions would work together out of the box.

Below is a list of all of the IP's I had to enter one at a time just so you can see how much I'm talking about. If it were just 10 or so, that wouldn't be so bad, but these is a lot to keep up with. I did open TAC case SR-638860975 to see if they had any suggestions and they advised me that the only way to add these IP's into my CWS Profile editor was do it one at a time like I explained earlier.

23.23.197.169

23.23.198.191

23.23.224.83

50.16.244.193

52.0.55.209

52.2.63.194

52.2.128.246

52.3.149.24

52.3.178.163

52.3.190.47

52.4.98.101

52.4.151.41

52.4.245.162

52.4.246.178

52.5.92.125

52.6.103.57

52.6.197.200

52.20.14.163

52.20.123.238

52.20.141.147

52.21.52.149

52.21.117.50

52.21.134.210

52.22.64.192

52.22.156.183

52.23.13.34

52.23.16.199

52.23.73.146

52.23.87.4

52.23.107.89

52.23.134.105

52.23.140.222

52.70.11.137

52.70.13.27

52.70.35.37

52.70.47.45

52.70.56.136

52.70.58.10

52.70.59.59

52.70.59.121

52.70.60.74

52.70.61.174

52.70.61.181

52.70.61.193

52.70.63.25

54.83.45.221

54.88.208.235

54.221.210.7

54.221.255.190

54.225.226.117

54.225.227.9

54.225.227.30

54.225.227.45

54.225.227.105

54.225.228.145

54.225.228.166

54.225.228.244

54.227.247.102

107.20.158.55

107.20.203.8

107.20.229.191

107.20.234.220

107.21.212.157

107.21.217.202

107.21.218.60

128.177.8.0/24

174.129.203.65

Thanks,

Josh

topic AMP for Endpoint CWS Exceptions in Endpoint Security

AMP for Endpoint CWS Exceptions