11-20-2018 12:43 PM - edited 03-12-2019 07:06 AM
Hello All,
We have an ASA 5512 running Firepower 6.2.3.6-37 software. We recently reimaged our ASA from the old ASA software to this new FTD software 6.2.3.6-37. Our internet access is controlled by another higher dept and restricted to a few specific websites.
Can someone please send me a list of URL(s) required for smart license registration, VRT rules and VDB, and database updates? I can follow up with my dept to whitelist these URLs. I have looked at the Firepower documentation and it just says the "management interface" needs to have internet access for smart license registration etc.
I am currently using FDM to manage this ASA.
Thanks in advance.
11-20-2018 07:28 PM
There are several locations. The following articles highlight some of them but I am not aware of a consolidated listing.
Updates:
Security Intelligence feeds:
URL Filtering database:
I'd check with your higher department and ask them to pull the logs of what's being blocked from your FMC. That's the most definitive source as it is based on current observed behavior, not a listing from possibly dated support articles.
11-21-2018 07:00 AM
Thanks Marvin. That was very helpful. I was able to register, but now when I do a VRT rule update or VDB update I get an error message in my FDM Web UI saying "Peer certificate cannot be authenticated with known CA certificates".
Any advice on this one? I am about to reach out to Cisco TAC.
Thanks again
11-21-2018 09:11 AM
There was a recently fixed bug that affected some users in this way.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm03931
The fix is in 6.2.3.7.
11-21-2018 12:47 PM
Hi Marvin, even on 6.2.3.7 I am still getting that error. Upon further troubleshooting, I see my ASA running Firepower doesn't have any ciphers available. Please see the output below. Anything that you can recommend?
root@ciscoasa:~# sudo openssl s_client -connect support.sourcefire.com:443
CONNECTED(00000003)
write:errno=104
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 242 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542828379
Timeout : 300 (sec)
Verify return code: 0 (ok)
11-21-2018 08:08 PM
Is there a proxy server in the path between your FMC and the Internet? If so, you need to configure FMC to use it.
04-13-2023 04:41 AM
Hi Marvin,
I am seeing the same issue on 7.0.1 (FTD managed via FDM). The workaround for the bug says manually update VDB/GeoDB. Is there a permanent fix for this?
Cheers.
04-13-2023 05:24 AM
The ability to download updates from cisco.com to 7.0.1 is affected by this field notice:
https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72332.html
Upgrade to 7.0.5 and it will be fixed.
04-13-2023 09:37 AM
Hi Marvin,
Thank you. Much appreciated