01-28-2021 09:24 PM
Hi teams,
I have some questions.
I know the FMC needs the firewall to open URLs for internet access (rule download, SM licensing, ...).
When I look at the FMC guide, it just displays URLs such as 'www.cisco.com' (please see the picture below).
It is simple and best.
But how can I make the request to the firewall team in the case of an out-of-date firewall?
The FW can't set rules to allow or deny using URLs. It's only possible with IP addresses.
To my knowledge, the IP addresses of the servers change sometimes.
So it is very hard to set IP addresses for internet access.
Thank you.
01-29-2021 02:58 AM
Usually it is access TO the FMC that should be restricted. Access to the internet (Cisco) from the FMC is over HTTPS and is encrypted. But, depending on which firewall this traffic is passing through, you might want to look into access-lists using FQDN objects. Keep in mind that when using this you need to configure name-servers on the ASA for lookups.
01-31-2021 09:20 PM
Thanks for your reply.
I will try to ask the security team to create objects using FQDNs.
Actually, I don't know whether we use a firewall that can be configured with FQDNs or not.
Thank you!
01-29-2021 10:16 AM
In case the upstream firewall does not support it, I'd recommend permitting tcp/443 from the FMC to the Internet. As already stated, you could use features like FQDN objects, but that might not always be a viable solution if the required domains resolve to a lot of different IP addresses.
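The following ASA configuration is an added example that illustrates both replies above (FQDN network objects with DNS lookups, as in the accepted answer, and the plain tcp/443 fallback from the later reply); it is not configuration from the thread or from Cisco. The interface names, the DNS server addresses, the FMC address and the object names are assumptions, and www.cisco.com is only the host the original post cites: take the full list of destinations from the FMC guide for your release.

```cisco
! ---- DNS resolution: required before any FQDN object can resolve ----
! Assumed: the ASA reaches the resolvers through its "outside" interface.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.53
 name-server 10.0.0.54
! Assumed cache refresh: re-resolve entries every 60 minutes so that
! changing server addresses do not leave stale entries in the ACL.
dns expire-entry-timer minutes 60

! ---- The FMC itself (assumed address) ----
object network FMC-HOST
 host 10.10.10.5

! ---- Destinations the FMC needs, one FQDN object each ----
! www.cisco.com is the host named in the FMC guide per the original post;
! add the other hosts listed in the guide the same way.
object network CISCO-WWW
 fqdn www.cisco.com

object-group network CISCO-SERVICES
 network-object object CISCO-WWW

! ---- Option A: FQDN-based rule (firewall supports FQDN objects) ----
! Only HTTPS from the FMC to the listed Cisco hosts; everything else
! from the FMC is dropped explicitly so the intent is visible in the config.
access-list INSIDE_IN extended permit tcp object FMC-HOST object-group CISCO-SERVICES eq 443
access-list INSIDE_IN extended deny ip object FMC-HOST any

! ---- Option B: fallback when FQDN objects are not available ----
! Replace the permit line above with this one: tcp/443 from the FMC to
! anywhere. Broader, but it survives changing Cisco server addresses.
! access-list INSIDE_IN extended permit tcp object FMC-HOST any eq 443

access-group INSIDE_IN in interface inside
```

After applying Option A, `show dns` lists the addresses the ASA currently holds for each FQDN object; if an FQDN shows no address, the ACL entry cannot match and the usual cause is a missing `dns domain-lookup` on the interface that faces the resolvers.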