Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9107
Views
15
Helpful
10
Replies

FMC with restricted Internet Connection: Need URLs!!

Go to solution
Soporteco
Level 1
Level 1

‎07-25-2018 02:00 PM - edited ‎02-21-2020 08:01 AM

Hi. I haven't been able to find the information.

We're deploying a new virtual FMC that is going to manage 2 FTD devices (2100). This customer doesn't want to give full Internet access to this machine, they say they want to restrict to certains ports and public IP Addresses.

 

How can I find which URLs/Public IP Address we need to consider? I need connection to Smart Licensing, since we will be using Smart Licenses for FTD, and I know FMC also needs to consult to the cloud for AMP analysis, VDB- Snort updates, Security Intelligence, etc.

 

I appreciate if someone can help us to find out which URLs we need to permit, or how can we approach this!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Raghunath Kulkarni
Cisco Employee
Cisco Employee
In response to Soporteco

‎07-26-2018 06:25 PM

As far as smart licensing is concerned, we need to make sure that the URL:
https://smart-satellite.cisco.com:443 to be resolved by the FMC at any given point in time.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎07-25-2018 02:05 PM - edited ‎07-25-2018 02:11 PM

Required ports and access for the Firepower is documented here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/security__internet_access__and_communication_ports.html

 

From an allowed URL perspective, I know of a few that the Firepower uses (at least previously):

support.sourcefire.com

software.cisco.com

intelligence.sourcefire.com

database.brightcloud.com

service.brightcloud.com

 

My recommendation is to remove the FMC from any access restriction rules. I have had trouble with FMC downloading URL Databases when I put it through existing content filters/proxies etc. 

Go to solution
Soporteco
Level 1
Level 1
In response to Rahul Govindan

‎07-25-2018 04:43 PM

thanks a lot Rahul

I had already seen that document, where they explain the reason for Internet access (by feature), but URL's are not included. Unfortunately this customer insists on filtering by domains or Public IP Addresses, but I'm seeing it quite difficult.
0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Soporteco

‎07-25-2018 05:19 PM

I agree with you, but the only ones I have are the ones below:

 

support.sourcefire.com

software.cisco.com

intelligence.sourcefire.com

database.brightcloud.com

service.brightcloud.com

 

If you can use wildcard's, then try allowing .cisco, .sourcefire and .brightcloud to the allow list. The problem with static ip addresses is that the content is mostly stored on AWS or on CDN's, which almost always changes. 

0 Helpful

Go to solution
Soporteco
Level 1
Level 1
In response to Raghunath Kulkarni

‎07-26-2018 10:29 AM

Thanks a lot, that's very useful.

 

However, I'm still worried about the connection to Smart Licensing Portal. FTD devices use Smart Licensing, and FMC will need a connection to the cloud. I've read so many documents about Smart Licensing but none of them give me information about IP addreses or URLs.

0 Helpful

Go to solution
Raghunath Kulkarni
Cisco Employee
Cisco Employee
In response to Soporteco

‎07-26-2018 06:25 PM

As far as smart licensing is concerned, we need to make sure that the URL:
https://smart-satellite.cisco.com:443 to be resolved by the FMC at any given point in time.
0 Helpful

Go to solution
Soporteco
Level 1
Level 1
In response to Raghunath Kulkarni

‎07-27-2018 09:58 AM

Hi Raghunat, but that URL is not resolvable, are you sure we need that one?

0 Helpful

Go to solution
Tiago Andrade de Paula
Level 1
Level 1
In response to Raghunath Kulkarni

‎04-17-2019 07:02 AM

Hi Raghunath.
Good solution to resolve the internet restrictions in FMC server and use smartlicense. But this no resolve the fact that we need to have the FMC witch internet connection to have a database updated, receive feeds right?

0 Helpful

Go to solution
lingesha.ts
Level 1
Level 1
In response to Raghunath Kulkarni

‎07-25-2019 12:22 AM

The URL https://smart-satellite.cisco.com:443 is not accessible.

 

Is this URL is mandatory or Is there any other URL instead of this ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card