Beginner

FMC with restricted Internet Connection: Need URLs!!

Hi. I haven't been able to find the information.

We're deploying a new virtual FMC that is going to manage 2 FTD devices (2100). This customer doesn't want to give full Internet access to this machine; they say they want to restrict it to certain ports and public IP addresses.

How can I find which URLs/public IP addresses we need to consider? I need a connection to Smart Licensing, since we will be using Smart Licenses for FTD, and I know FMC also needs to consult the cloud for AMP analysis, VDB- Snort updates, Security Intelligence, etc.

I would appreciate it if someone could help us find out which URLs we need to permit, or how we can approach this!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: FMC with restricted Internet Connection: Need URLs!!

As far as smart licensing is concerned, we need to make sure that the URL https://smart-satellite.cisco.com:443 can be resolved by the FMC at any given point in time.
9 REPLIES 9
VIP Advocate

Re: FMC with restricted Internet Connection: Need URLs!!

Required ports and access for the Firepower is documented here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/security__internet_access__and_communication_ports.html

From an allowed URL perspective, I know of a few that the Firepower uses (at least previously):

support.sourcefire.com

software.cisco.com

intelligence.sourcefire.com

database.brightcloud.com

service.brightcloud.com

My recommendation is to remove the FMC from any access restriction rules. I have had trouble with FMC downloading URL Databases when I put it through existing content filters/proxies etc.

Beginner

Re: FMC with restricted Internet Connection: Need URLs!!

Thanks a lot, Rahul.

I had already seen that document, where they explain the reason for Internet access (by feature), but URLs are not included. Unfortunately this customer insists on filtering by domains or public IP addresses, but I'm finding it quite difficult.
VIP Advocate

Re: FMC with restricted Internet Connection: Need URLs!!

I agree with you, but the only ones I have are the ones below:

support.sourcefire.com

software.cisco.com

intelligence.sourcefire.com

database.brightcloud.com

service.brightcloud.com

If you can use wildcards, then try adding .cisco, .sourcefire and .brightcloud to the allow list. The problem with static IP addresses is that the content is mostly stored on AWS or on CDNs, which almost always change.
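
A way to sanity-check the allow list discussed above, as an added example that is not part of the thread or of Cisco's documentation: it confirms that the hostnames quoted here fall under the suggested wildcards using label-boundary matching, and probes DNS and TCP 443 for each. Assumptions: the wildcards are read as `*.cisco.com`, `*.sourcefire.com` and `*.brightcloud.com`, the function names are hypothetical, and the probe is run from a host subject to the same egress rules as the FMC.

```python
"""Added example: audit an egress allow list for an FMC-style host."""
import socket

# Hostnames quoted in the thread.
REQUIRED = [
    "support.sourcefire.com",
    "software.cisco.com",
    "intelligence.sourcefire.com",
    "database.brightcloud.com",
    "service.brightcloud.com",
]
# Assumption: the suggested wildcards, written as domain suffixes.
WILDCARDS = ["cisco.com", "sourcefire.com", "brightcloud.com"]


def covered(host, suffixes=WILDCARDS):
    """True if host equals a suffix or is a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def uncovered(hosts, suffixes=WILDCARDS):
    """Hosts that the wildcard rules would not permit."""
    return [h for h in hosts if not covered(h, suffixes)]


def probe(host, port=443, timeout=5.0, resolve=socket.getaddrinfo,
          connect=socket.create_connection):
    """Resolve host, then try a TCP connect; returns (status, detail)."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns-fail", str(exc))
    addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:
        try:
            connect((addr, port), timeout=timeout).close()
            return ("ok", addr)
        except OSError:
            continue  # filtered or refused; try the next address
    return ("blocked", ",".join(addrs))


if __name__ == "__main__":
    print("not covered by wildcards:", uncovered(REQUIRED))
    for name in REQUIRED:
        print(name, *probe(name))
```

A `blocked` result with a list of addresses means the name resolved but no address accepted a connection on 443, which is the symptom to expect when a rule pins IP addresses that the CDN has since rotated.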

Cisco Employee

Re: FMC with restricted Internet Connection: Need URLs!!

Beginner

Re: FMC with restricted Internet Connection: Need URLs!!

Thanks a lot, that's very useful.

However, I'm still worried about the connection to the Smart Licensing Portal. FTD devices use Smart Licensing, and FMC will need a connection to the cloud. I've read so many documents about Smart Licensing but none of them gives me information about IP addresses or URLs.

Cisco Employee

Re: FMC with restricted Internet Connection: Need URLs!!

As far as smart licensing is concerned, we need to make sure that the URL https://smart-satellite.cisco.com:443 can be resolved by the FMC at any given point in time.
Beginner

Re: FMC with restricted Internet Connection: Need URLs!!

Hi Raghunath, but that URL is not resolvable. Are you sure we need that one?

Re: FMC with restricted Internet Connection: Need URLs!!

Hi Raghunath.
Good solution to resolve the Internet restrictions on the FMC server and use Smart Licensing. But this does not resolve the fact that we need to have the FMC with an Internet connection to keep the database updated and receive feeds, right?

Beginner

Re: FMC with restricted Internet Connection: Need URLs!!

The URL https://smart-satellite.cisco.com:443 is not accessible.

Is this URL mandatory, or is there any other URL instead of this?