FTD reaching out to Security Intelligence

Knassi
Level 1

Hi,

Is the FMC-managed FTD supposed to be reaching out to Cisco for Security Intelligence?

I have an FTD reaching out to 63.97.201.67.

Is that normal? I thought the FMC reaches out to import and deploy to the FTDs.


Yes, that is normal. While FMC manages multiple FTD devices and pushes security policies to them, FTD can also reach out to third-party security intelligence sources for updates, such as the Cisco Talos Intelligence reputation feed at 63.97.201.67.

In summary, FMC manages your FTD devices and provides them with security policies. FTDs can get security intelligence from FMC or directly from third-party sources like Cisco Talos Intelligence. Here is the link to read more into it.


please do not forget to rate.

Knassi
Level 1

What I need is the FMC reaching out to Cisco. Only the FMC will pull updates and deploy them to the FTD. Now can I configure the FTD to never reach out to any HTTP/S?


May I inquire about the specific motivation behind your interest in this? I ask because there seems to be a deliberate design choice resembling that of Cisco Firewall.

I have not tested this method, but it may or may not work. To ensure that only the Firepower Management Center (FMC) reaches out to Cisco for updates and that the FTD devices do not reach out to any HTTP/S URLs, you can configure your FTD devices accordingly.

Ensure that the FTD devices are not set to independently reach out for updates. This can typically be done through the FMC by configuring the device settings.

Implement access control policies to block outbound HTTP/s traffic from the FTD devices. (Do this in change windows if possible).

You can configure the FMC to handle all the updates

Ensure that your FMC is configured to fetch updates from Cisco and then deploy them to the FTD devices.

-Go to System > Updates in the FMC.

Ensure the FMC is scheduled to check for and download updates from Cisco.

Deploy these updates to your managed FTD devices.


please do not forget to rate.

Please, how do I "ensure that the FTD devices are not set to independently reach out for updates. This can typically be done through the FMC by configuring the device settings"?

The configure manager is set on the FMC, but for some reason that FTD is reaching outside. I can make a rule blocking those connections, but I want to tell the FTD itself not to reach out but to only talk to the FMC.

What you might be able to do is deny the FTD management interface access to the Internet.

OR

You can define a new subnet range where this new subnet does not have Internet access. In order to change the mgmt IP address, follow this post (Here). I am pasting what has been said:

1) From FMC, click Devices > Device Management, and edit the FTD

2) Go to Device tab under that device in "Management" section (as in Rodrigo's screenshot) and switch the toggle to "Disable Management"

 ** After disabling management for the FTD from FMC, I confirmed I CAN still hit the "management" IP of the FTD and login by SSH directly. It does not shutdown the management/diagnostic on the FTD itself.
 
3) Log in to the FTD by its management IP and change the IP address:
configure network ipv4 manual 10.99.0.24 255.255.255.0 10.99.0.1
 
4) Go back to FMC, click the pencil to edit the "Management" IP and update it to the new one. Then switch back the toggle to "Enable Management"
 
Wait a few minutes and refresh and it should turn green again.
 
At first I thought we may need console access, thinking it might "shutdown" the mgmtIf itself, but it stays up after disabling from FMC. So as long as the "new" IP will still be reachable and we are sure, then we do not necessarily need console (although I would highly recommend changing FTD IP via local console instead of relying on SSH to the new IP, if we are in any way doubtful).
 
Using this method, there was no need to Deploy, all interface config and policies remained and the FMC/FTD reestablished the Mgmt link seamlessly.
please do not forget to rate.

Marvin Rhoads
Hall of Fame

As noted in the thread, the communications you are observing are not SI updates. It is the FTD sending information to ThreatGrid (now known as Secure Malware Analytics) for things like checking if a file is known malicious or, depending on your file policy, possibly submitting a file for analysis in the cloud.
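One way to audit which flows from the FTD management interface are the FMC channel, the cloud lookups described above, or something unexplained, and to preview what each of the two mitigations proposed in this thread (an outbound HTTP/S block, or a management subnet with no Internet route) would cut. This is an added example, not code from the thread or from Cisco; it assumes the FMC sits at 10.99.0.10 on the 10.99.0.0/24 management subnet used in the quoted post, that the FMC channel is sftunnel on TCP/8305, and that the flow tuples are constructed sample data.

```python
import ipaddress

# Constructed sample of outbound flows from the FTD management interface as
# (dst_ip, proto, dport). Not captured data: 10.99.0.0/24 is the management
# subnet from the quoted post, 63.97.201.67 is the destination reported in
# the thread, 203.0.113.9 is a documentation address standing in for an
# unexplained destination.
SAMPLE_FLOWS = [
    ("10.99.0.10", "tcp", 8305),   # sftunnel to the FMC
    ("63.97.201.67", "tcp", 443),  # cloud lookup discussed in the thread
    ("10.99.0.53", "udp", 53),     # DNS resolver on the management subnet
    ("10.99.0.53", "udp", 123),    # NTP on the management subnet
    ("203.0.113.9", "tcp", 443),   # unexplained HTTPS destination
]

MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
FMC_IP = ipaddress.ip_address("10.99.0.10")  # assumed FMC address
SFTUNNEL_PORT = 8305                          # FMC <-> FTD management channel
CISCO_CLOUD = {ipaddress.ip_address("63.97.201.67")}  # from the thread
LOCAL_SERVICES = {("udp", 53), ("udp", 123)}

def classify(flow):
    """Bucket one flow as fmc, cisco-cloud, local-service or unexpected."""
    dst, proto, dport = flow
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == FMC_IP and (proto, dport) == ("tcp", SFTUNNEL_PORT):
        return "fmc"
    if dst_ip in CISCO_CLOUD:
        return "cisco-cloud"
    if (proto, dport) in LOCAL_SERVICES and dst_ip in MGMT_NET:
        return "local-service"
    return "unexpected"

def dropped_by(flows, policy):
    """Flows cut by a mitigation from the thread: 'block-web' is an ACL
    denying outbound TCP/80 and TCP/443 from the FTD; 'no-internet' keeps the
    management interface on a subnet with no route beyond itself. Both cut
    the Cisco cloud lookups (cloud file checks stop working); the FMC channel
    on TCP/8305 survives either way."""
    dropped = []
    for dst, proto, dport in flows:
        off_subnet = ipaddress.ip_address(dst) not in MGMT_NET
        if policy == "block-web" and proto == "tcp" and dport in (80, 443):
            dropped.append((dst, proto, dport))
        elif policy == "no-internet" and off_subnet:
            dropped.append((dst, proto, dport))
    return dropped
```

Run classify over flows exported from the management interface before adding a block rule, so that a legitimate cloud lookup is not mistaken for an SI download and the side effect on file-policy cloud checks is understood in advance.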
