URL to trust for amp for endpoint

ssambourg
Level 1

Hello,

I found in this doc https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html the URLs to open for AMP for Endpoints operations.

After deploying my configuration, my AMP connector is still disconnected, and when I try to sync the policy I see these outputs in my capture-traffic:

11:17:07.149991 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 1500)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0xefe7 (correct), seq 4452:5912, ack 286, win 65535, length 1460
11:17:07.149994 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 374)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0x403d (correct), seq 5912:6246, ack 286, win 65535, length 334
11:17:07.150765 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 378)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0x535b (correct), seq 6246:6584, ack 286, win 65535, length 338
11:17:07.150774 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 49)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0x1aca (correct), seq 6584:6593, ack 286, win 65535, length 9
11:17:07.151181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)
crc1.dom-opac45.fr.1269 > ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https: Flags [R], cksum 0x37e7 (correct), seq 1297440847, win 65535, length 0

 

 

So it seems that AMP tries to communicate directly with the FQDN *compute.amazonaws.com.https?

7 Replies

Jetsy Mathew
Cisco Employee

Hello ssambourg

So when you are deploying AMP, the endpoints should have reachability to the required servers. We have 3 clouds available, which are APJC, EU and NAM. Based on the cloud that you are registered with, please add the static IP addresses mentioned for each cloud in the following link.

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

If there is any firewall or proxy in between, you must enable all those required IP addresses for successful communication of AMP.

Let me know if you have any questions.

Rate if this answer helps you.

Regards

Jetsy

Hello Jetsy,

I've set up FQDN trust in my FTD device.

I saw that the reverse DNS resolution of the AMP IP addresses points to compute.amazonaws, and the capture-traffic on the FTD device during a SyncPolicy on the AMP4E connector shows output between my endpoint and compute.amazonaws.

I thought that was the mistake, but it was an FTD configuration. Now working with this URL group as mentioned in the doc:

amp.cisco.com
amp.sourcefire.com
api.sourcefire.com
panacea.threatgrid.com

Instead of allowing this URL group, I tried to open the FireAMP & FireAMP-SSL apps in FTD, but that doesn't match my access rule with the App condition (which would be better in case of URLs changing / being added).

Sylvain

Jetsy,

Unfortunately you're wrong :(. As we used static IP addresses from the mentioned document for some time, until Cisco changed them for some other undocumented ones, we created a TAC case. Matt Jacobs @AMP_support states that using static IP addresses is wrong as (...)The TechZone Document is not as up to date as the server list(...) due to some very complicated Cisco matters as (...)there are other teams that control the hosts and addressing. Additionally, we use clustered servers, so there are rotating IPs on these servers.(...). Oh really - with every TAC case you can learn something new; anyway, switching to whitelisting URLs should do.

Nat

@ssambourg We're glad that there's at least one other company that uses AMP ;)


Jetsy Mathew
Cisco Employee

Hello,

The workstations should be able to reach the AMP servers.

Regards

Jetsy 

rjross2086
Level 1

I see a lot of discussion in this topic - but I don't see any resolutions.

I myself have just added a whitelist rule for Application "FireAmp" and "FireAmp SSL" - endpoints are still not syncing to the cloud.

I then added all the "URLs" from the guidance in a separate rule. https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

Still not syncing.

I do a "capture-traffic" on the FTDv device - and I see it trying to resolve AWS URLs. What is going on here really?

21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [.], ack 203, win 123, length 0
21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [.], ack 203, win 123, length 1338
21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [.], ack 203, win 123, length 1338
21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [.], ack 203, win 123, length 1338
21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [P.], ack 203, win 123, length 82
21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [.], ack 203, win 123, length 1338

Unfortunately this is a bit of a moving target due to the dynamic nature of how the AMP cloud-based services are architected.

I'd suggest you open a case with Cisco TAC to get the latest guidance.
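An added diagnostic, not from this thread or from Cisco: it parses the capture-traffic lines quoted above, recovers the peer address from the ec2-* reverse name (the name in the capture is only a reverse lookup, it is not what an FQDN rule matches), and checks that address against forward-resolved addresses of the URL group Sylvain quoted. FAKE_DNS, live_resolver, ec2_ip and classify are assumed names, and the address mapping is constructed for offline use.

```python
"""Added example (not from the thread): parse FTD capture-traffic output and check
whether the amazonaws peers it shows are addresses of the documented AMP FQDNs.
FAKE_DNS is constructed so this runs offline; use resolver=live_resolver for real lookups."""
import re
import socket

AMP_FQDNS = ["amp.cisco.com", "amp.sourcefire.com", "api.sourcefire.com", "panacea.threatgrid.com"]
# Constructed mapping, NOT real AMP cloud addresses; only for the offline demo.
FAKE_DNS = {"amp.cisco.com": {"46.137.99.242"}, "api.sourcefire.com": {"46.51.182.202"}}

def live_resolver(name):
    """Forward-resolve (never reverse-resolve) a name to its current IPv4 set."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, 443, socket.AF_INET)}

# tcpdump shows EC2 reverse names as ec2-A-B-C-D.<region>.compute.amazonaws.com,
# so the peer address is recoverable from the name without another DNS query.
EC2_RE = re.compile(r"ec2-(\d+)-(\d+)-(\d+)-(\d+)\.[\w.-]*compute\.amazonaws\.com")
PKT_RE = re.compile(r"(\S+) > (\S+): Flags \[([^\]]*)\]")

def parse_capture(text):
    """Yield (src, dst, flags) per packet line, for the one- and two-line formats."""
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def ec2_ip(hostport):
    """Return the IPv4 address embedded in an EC2 reverse name, else None."""
    m = EC2_RE.search(hostport)
    return ".".join(m.groups()) if m else None

def classify(text, resolver=FAKE_DNS.get):
    """Map each amazonaws peer to the AMP FQDN(s) resolving to it ([] = no
    documented name owns it) and count TCP resets, the symptom of a blocked flow."""
    owner = {}
    for fqdn in AMP_FQDNS:
        for ip in (resolver(fqdn) or set()):
            owner.setdefault(ip, []).append(fqdn)
    peers, resets = {}, 0
    for src, dst, flags in parse_capture(text):
        for hp in (src, dst):
            ip = ec2_ip(hp)
            if ip:
                peers[ip] = owner.get(ip, [])
        resets += int("R" in flags)
    return peers, resets

# Constructed sample mixing both capture formats quoted in this thread.
SAMPLE = """\
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], seq 6584:6593, ack 286, win 65535, length 9
crc1.dom-opac45.fr.1269 > ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https: Flags [R], seq 1297440847, win 65535, length 0
21:10:02.118066 IP ec2-46-51-182-202.eu-west-1.compute.amazonaws.com.https > 10.170.142.11.54989: Flags [P.], ack 203, win 123, length 82
21:10:02.118066 IP ec2-1-2-3-4.us-east-1.compute.amazonaws.com.https > 10.170.142.11.54990: Flags [.], ack 1, win 123, length 0
"""
```

Against a real capture, classify(text, resolver=live_resolver) shows which peers are current AMP addresses; a peer with [] or a flow ending in [R] is the one to chase in the access control and IPS policy rather than a reason to whitelist amazonaws.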

Hello,

Trusting the stream from the AMP4E clients to the AMP EU Cloud URLs resolved my issue.

At first the URL was not trusted... just allowed, and something in the IPS policy blocked it.

HTH