How can I access the Internet without opening the firewall by URL in Firepower Management Center?

HWAN
Level 1

Hi team,

I have some questions.

I know the FMC needs the firewall opened by URL for internet access (rule download, SM licensing, ...).

When I look at the FMC guide, it just displays URLs such as 'www.cisco.com' (please see the picture below).

[image: 2132.png]

It is simple and best.

But how can I make the request to the firewall team in the case of an out-of-date firewall?

The FW can't set a rule to allow or deny using a URL; it's only possible by IP address.

To my knowledge, the IP addresses of the servers change sometimes.

So it is very hard to set IP addresses for internet access.

Thank you.

Accepted Solution

Usually it is access TO the FMC that should be restricted. Access to the internet (Cisco) from the FMC is over HTTPS and is encrypted. But, depending on which firewall this traffic is passing through, you might want to look into access-lists using FQDN objects. Keep in mind that when using this you need to configure name-servers on the ASA for lookups.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/acl_objects.html

 

--
Please remember to select a correct answer and rate helpful posts


3 Replies


Thanks for your reply.

I will try to ask the security team to create an object using FQDN.

Actually, I don't know whether we use a firewall that can configure FQDN or not.

Thank you!

 

Oliver Kaiser
Level 7

In case the upstream firewall does not support it, I'd recommend permitting tcp/443 from the FMC to the Internet. As already stated, you could use features like FQDN objects, but that might not always be a viable solution if the required domains resolve to a lot of different IP addresses.
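The following ASA configuration is an added example to illustrate both suggestions in this thread (the accepted answer's FQDN-object access-list with DNS lookups enabled, and the tcp/443 fallback from the last reply). It is not taken from the original posts or from Cisco's documentation. The FMC address 10.1.1.10, the resolver 10.0.0.53, the interface names inside/outside and the object names are assumptions chosen for the example; the only hostname shown, www.cisco.com, is the one quoted in the question, and the other hostnames from the FMC guide would be added the same way.

```cisco
! Added example, not from the original thread. Assumed lab values:
!   FMC = 10.1.1.10 on interface "inside", internet on "outside",
!   10.0.0.53 = a resolver the ASA itself can reach.

! 1. DNS lookups must be enabled on the ASA, otherwise FQDN objects never
!    resolve and the ACE below matches nothing (the accepted answer's caveat).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.53

! 2. Network objects: the FMC itself and each Cisco hostname it must reach.
object network FMC
 host 10.1.1.10
object network CISCO-WWW
 fqdn v4 www.cisco.com

! 3. Group the FQDNs so the access-list keeps a single entry as the list grows.
object-group network FMC-CLOUD-FQDNS
 network-object object CISCO-WWW

! 4. Permit HTTPS from the FMC to those names only. Nothing else from the
!    FMC toward the internet is permitted by this entry.
access-list INSIDE-OUT extended permit tcp object FMC object-group FMC-CLOUD-FQDNS eq https
access-group INSIDE-OUT in interface inside

! Fallback from the last reply, for a firewall without FQDN support or for
! domains that resolve to too many addresses: permit tcp/443 from the FMC
! to any destination instead of the FQDN group.
! access-list INSIDE-OUT extended permit tcp object FMC any4 eq https

! Verification: confirm the ASA has resolved the names before relying on the ACE.
! show dns
! show access-list INSIDE-OUT
```

Two practical notes on this example. First, the ASA resolves www.cisco.com on its own, so the address it caches can differ from the one the FMC gets if the two use different resolvers or a DNS-load-balanced CDN answers differently per query; pointing the FMC at the same resolver as the ASA keeps the two views aligned, which is the mismatch the last reply warns about. Second, if INSIDE-OUT is the only access-list on the inside interface, the implicit deny at its end drops all other traffic from that interface, including the FMC's own DNS queries to 10.0.0.53, so the remaining permits the network needs have to be added alongside this entry.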
