Trusted URL access policy

Namgyal
Level 1

I need to access only trusted URLs from the Cisco FMC to update security intelligence and VDB updates.

Could somebody kindly help me configure this policy? My system is in an isolated environment, and only the FMC is allowed to access the Cisco intelligence site; it can't access any other URLs.

Kindly help.

10 Replies

@Namgyal configure manual URL objects or FQDN objects in your Access Control Policy and allow access for the following:

SI = intelligence.sourcefire.com
VDB = talosintelligence.com and support.sourcefire.com

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/760/management-center-admin-76/reference-ports.html

Namgyal
Level 1

@Rob Ingram 
Thank you for your response. After adding them as you suggested, the following messages are displayed.
I think it is not able to access it.
* DNS Feed "Cisco-DNS-and-URL-Intelligence-Feed" Failed to download from https://intelligence.sourcefire.com/auto-update/auto-dl.cgi/xx:xx:xx:xx:xx:xx/GetCurrent/rep_dd.md5: Timeout was reached
* Network Feed "Cisco-Intelligence-Feed" Failed to download from https://intelligence.sourcefire.com/auto-update/auto-dl.cgi/xx:xx:xx:xx:xx:xx/GetCurrent/rep_dd.md5: Timeout was reached

@Namgyal can the FMC resolve the DNS hostname?

Have a look in the logs to see if that traffic is allowed or denied. Provide screenshots.
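As an added triage helper (not code from the thread or from Cisco), the following parses feed-failure messages of the form quoted above and maps each one to the first thing to check, following the questions asked in this reply. The allowed-host set is taken from the earlier answer; the verdict labels and the sample lines are my own constructions.

```python
import re
from urllib.parse import urlparse

# Destinations named in the earlier reply as required for SI and VDB updates.
ALLOWED_HOSTS = {
    "intelligence.sourcefire.com",  # Security Intelligence feeds
    "talosintelligence.com",        # VDB
    "support.sourcefire.com",       # VDB
}

# Shape of the FMC feed-update failure message quoted in the thread:
#   <Kind> Feed "<name>" Failed to download from <url>: <reason>
FEED_FAILURE = re.compile(
    r'^\*?\s*(?P<kind>\w+) Feed "(?P<feed>[^"]+)" Failed to download from '
    r'(?P<url>\S+): (?P<reason>.+)$'
)

def parse_feed_failure(line):
    """Extract feed kind/name, destination host and error reason from one message."""
    m = FEED_FAILURE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec

def classify(rec):
    """Map a parsed failure to the first thing to check (labels are assumptions)."""
    reason = rec["reason"].lower()
    if "resolve" in reason:
        return "dns"                    # FMC cannot resolve the name: check its DNS settings
    if rec["host"] not in ALLOWED_HOSTS:
        return "host_not_allowed"       # destination missing from the URL/FQDN objects
    if "timeout" in reason:
        return "timeout_allowed_host"   # name resolves but the connection never completes:
                                        # check the rule's destination zone and connection events
    return "other"

# Constructed sample input, modelled on the messages posted above.
SAMPLE_LINES = [
    '* DNS Feed "Cisco-DNS-and-URL-Intelligence-Feed" Failed to download from '
    'https://intelligence.sourcefire.com/auto-update/auto-dl.cgi/xx:xx:xx:xx:xx:xx/GetCurrent/rep_dd.md5: Timeout was reached',
    '* Network Feed "Cisco-Intelligence-Feed" Failed to download from '
    'https://intelligence.sourcefire.com/auto-update/auto-dl.cgi/xx:xx:xx:xx:xx:xx/GetCurrent/rep_dd.md5: Timeout was reached',
]

def triage(lines):
    """Return (feed, host, verdict) for every parseable failure line."""
    return [(r["feed"], r["host"], classify(r))
            for r in map(parse_feed_failure, lines) if r]
```

Both quoted messages come out as `timeout_allowed_host`, which is why the next step in the thread is to check DNS and the rule's zones rather than the URL objects themselves.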

Namgyal
Level 1

@Rob Ingram 
Following are the screenshots:

@Namgyal why is the destination zone "dmz", shouldn't it be "outside"? Remove the zone completely and try again.

@Rob Ingram 

I can't change the zone, because the system is isolated and internet access is just for the FMC.

@Namgyal if those URLs you've defined are not accessible via the DMZ interface, the FMC will never be able to communicate with those destinations. The rule you created was just for the FMC as the source, so if you change the destination zone accordingly, only the FMC will be able to access those destination URLs.

@Rob Ingram 

We just need internet access to the FMC for VDB and SI only; none of the other resources require an internet connection.

@Namgyal I am aware of your requirements. When you create a specific rule from source of the FMC only, no other device would have internet access.

If no other resources behind the firewall will have internet access, is having up-to-date SI and VDB a concern?

Namgyal
Level 1

@Rob Ingram 

The system is in an isolated environment, and we don't need any other network device to get an internet connection.

It just needs an internet connection to the FMC for updating VDB and SI and distributing them to the FTDs connected to it.
If I allow everything, then it can access the sites you mentioned, and if I allow only the mentioned ones, then it cannot access them.
