topic Re: Trusted URL access policy in Network Security

Trusted URL access policy

Namgyal — Wed, 19 Mar 2025 05:13:24 GMT

I need to access only trusted URL from Cisco FMC to update security intelligence and vdb updates.

somebody kindly help me to configure this policy, It is because my system is in isolated environment and only FMC is allowed to access cisco intelligence site and can't access to any other URLs.

kindly help....

Re: Trusted URL access policy

Rob Ingram — Wed, 19 Mar 2025 07:06:42 GMT

@Namgyal configure manual URL objects or FQDN in your Access Control Policy and allow access for the following:-

SI = intelligence.sourcefire.com
VDB = talosintelligence.com and support.sourcefire.com

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/760/management-center-admin-76/reference-ports.html

Re: Trusted URL access policy

Namgyal — Fri, 21 Mar 2025 01:11:20 GMT

@Rob Ingram
Thank you for your response, after adding as you suggested forllowing messages are displaying.
i think it is not able to access it.
* DNS Feed "Cisco-DNS-and-URL-Intelligence-Feed" Failed to download from https://intelligence.sourcefire.com/auto-update/auto-dl.cgi/xx:xx:xx:xx:xx:xx/GetCurrent/rep_dd.md5: Timeout was reached
* Network Feed "Cisco-Intelligence-Feed" Failed to download from https://intelligence.sourcefire.com/auto-update/auto-dl.cgi/xx:xx:xx:xx:xx:xx /GetCurrent/rep_dd.md5: Timeout was reached

Re: Trusted URL access policy

Rob Ingram — Fri, 21 Mar 2025 06:57:25 GMT

@Namgyal can the FMC resolve the DNS hostname?

Have a look in the logs to see if that traffic is allowed or denied. Provide screenshots.

Re: Trusted URL access policy

Namgyal — Fri, 21 Mar 2025 09:42:35 GMT

@Rob Ingram
following are the screen shots

Re: Trusted URL access policy

Rob Ingram — Fri, 21 Mar 2025 09:45:39 GMT

@Namgyal why is the destination zone "dmz", shouldn't it be "outside"? Remove the zone completely and try again.

Re: Trusted URL access policy

Namgyal — Fri, 21 Mar 2025 09:55:05 GMT

＠@Rob Ingram

can't change the zone, it is because, the system is isolated and internet access is just for FMC.

Re: Trusted URL access policy

Rob Ingram — Fri, 21 Mar 2025 10:00:02 GMT

@Namgyal if those URLs you've defined are not accessible via the DMZ interface, the FMC will never be able to communicate with those destinations. The rule you created was just for the FMC as the source, so if you change the destination zone accordingly only the FMC will be able to access those destination URLs.

Re: Trusted URL access policy

Namgyal — Fri, 21 Mar 2025 10:06:06 GMT

@Rob Ingram

we just need internet access to FMC for VDB and SI only, none of other resources required the internet connection.

Re: Trusted URL access policy

Rob Ingram — Fri, 21 Mar 2025 10:10:56 GMT

@Namgyal I am aware of your requirements. When you create a specific rule from source of the FMC only, no other device would have internet access.

If no other resources behind the firewall will have internet access, is having update to date SI and VDB a concern?

Re: Trusted URL access policy

Namgyal — Mon, 24 Mar 2025 00:27:07 GMT

@Rob Ingram

the system is in isolated environment and we don't need none of other network device get internet connection,

it just need internet connection to FMC for updating vdb and si and distribute it to FTD connected to it.
and If add allowed everything then it can access the sites as you mentioned, and if allowed the mentioned one then it cant not access.