01-15-2018 06:08 AM - edited 07-05-2021 08:05 AM
What are the Cisco URLs that must be allowed through firewalls to allow Prime Infrastructure to connect to Cisco to download updates using a CCO account?
01-15-2018 11:18 PM
https://software.cisco.com/download/release.html?mdfid=286304360&softwareid=284272932&release=3.1.0
01-16-2018 01:53 AM
OK. Perhaps I have not explained the issue very well. On Prime Infrastructure (3.1 in this case) I can browse to 'Administration / Licenses and Software Updates / Software Update', where "You can download the latest updates from cisco.com or upload an update file to your server." If I select 'downloads', this pops up a window asking for a Cisco CCO login and then connects to Cisco, compares your current deployment with available updates/patches and allows you to download those updates/patches directly to Prime for deployment.
To allow this feature to work you need to allow the appropriate Cisco URLs through your firewalls. The URLs involved are NOT the standard software mall.
I know these URLs are published by Cisco but (as usual with Cisco) they are not easily found. I am looking for the Cisco guide that lists the URLs that must be allowed through the firewall to allow this direct-download feature to work.
Many thanks in advance.
01-18-2018 03:25 AM
Hey Scott,
We have allowed the following in the firewall:
FTP from Prime to Any
SSL from Prime to Any
Web Browsing from Prime to Any
This will by default allow all the response traffic between Prime and the destination.
BTW, the URLs that you have allowed for port 443: please update us if that works for all the requirements of Prime from the internet, like software download, point patch download, IOS image download from the Cisco site to Prime, EOL/EOS notifications, PSIRT notifications etc. If these URLs work for you, we will also give it a try. The more restricted the communication from Prime to the Internet is, the more secure it will be.
Cheers,
Manish
01-16-2018 02:16 AM
OK, I understand your issue now.
You can do one thing for the time being: bypass your HTTP traffic from your firewall until the updates complete, or allow all HTTP traffic instead of passing specific URLs in your firewall. Once the updates complete you can apply the filter again.
Or contact TAC to ask about the exact URLs, because the URL could be the same but Cisco keeps changing their IPs for security reasons, so TAC can assist you better if nothing works.
01-16-2018 02:17 AM
Hey Scott,
I remember facing this challenge in our organization. Actually, Cisco, on the backend, is using Akamai storage servers to host the images and software. The Prime requests get redirected to Akamai servers during the update downloads. We witnessed this by capturing the traffic on the firewall.
We raised a TAC case to get this info, but as usual TAC was least helpful. We later solved it ourselves. Give me some time and I will get back to you with the exact list.
Cheers,
Manish
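The approach described in the two posts above (capturing Prime's outbound traffic on the firewall to learn which hosts the update download actually contacts, then tightening "SSL from Prime to Any" down to specific destinations) is straightforward to script. The following is an added example, not code from the thread or from Cisco: it parses constructed firewall log lines in an assumed `key=value` format, groups connections from the Prime host by destination hostname and port, flags the destinations that were denied (the ones still missing from the allow-list), and renders hostname-based allow rules. Every IP and hostname in the sample log is a placeholder (RFC 5737 addresses and `.example` names); the real Cisco and Akamai hostnames must come from your own capture.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (placeholder IPs/hosts, not real Cisco or Akamai endpoints).
# Assumed format: "<time> src=<ip> dst=<ip> dport=<port> host=<sni-or-http-host> action=<allow|deny>"
SAMPLE_LOG = """\
2018-01-16T02:10:01 src=10.0.0.5 dst=203.0.113.10 dport=443 host=software.cisco.example action=allow
2018-01-16T02:10:02 src=10.0.0.5 dst=198.51.100.7 dport=443 host=cdn-placeholder.akamai.example action=deny
2018-01-16T02:10:03 src=10.0.0.5 dst=198.51.100.8 dport=443 host=cdn-placeholder.akamai.example action=deny
2018-01-16T02:10:04 src=10.0.0.9 dst=203.0.113.20 dport=80 host=www.unrelated.example action=allow
2018-01-16T02:10:05 src=10.0.0.5 dst=203.0.113.11 dport=21 host=ftp.cisco.example action=allow
2018-01-16T02:10:06 src=10.0.0.5 dst=192.0.2.30 dport=443 host=sso-placeholder.cisco.example action=deny
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+host=(?P<host>\S+)\s+action=(?P<action>allow|deny)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped instead of raising."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def prime_destinations(records, prime_ip):
    """Group outbound connections from the Prime host by (hostname, port).

    Grouping by hostname rather than by resolved IP matters here: CDN-backed
    hosts resolve to different addresses over time (two IPs for one hostname
    in the sample log), so an IP-based allow-list would silently rot.
    """
    summary = defaultdict(lambda: {"hits": 0, "denied": 0, "ips": set()})
    for rec in records:
        if rec["src"] != prime_ip:
            continue
        entry = summary[(rec["host"], rec["dport"])]
        entry["hits"] += 1
        entry["ips"].add(rec["dst"])
        if rec["action"] == "deny":
            entry["denied"] += 1
    return dict(summary)


def blocked_destinations(summary):
    """Destinations Prime tried to reach that the firewall denied: the allow-list gaps."""
    return sorted(key for key, entry in summary.items() if entry["denied"] > 0)


def allowlist_rules(summary, prime_ip):
    """Render one hostname-based allow rule per (host, port), sorted for review."""
    return [
        f"allow tcp from {prime_ip} to {host} port {port}"
        for (host, port) in sorted(summary)
    ]


if __name__ == "__main__":
    prime_ip = "10.0.0.5"  # assumed management address of the Prime server
    summary = prime_destinations(parse_log(SAMPLE_LOG), prime_ip)
    print("Denied destinations (add to allow-list after verification):")
    for host, port in blocked_destinations(summary):
        print(f"  {host}:{port}  ips={sorted(summary[(host, port)]['ips'])}")
    print("Proposed rules:")
    for rule in allowlist_rules(summary, prime_ip):
        print("  " + rule)
```

Run it once with a capture taken during a real "Software Update" attempt from Prime; the denied set is what the posters had to discover by hand. Rules are emitted per hostname and port on purpose: it keeps the policy narrower than "SSL from Prime to Any" while surviving the IP changes mentioned earlier in the thread, provided the firewall can match on SNI or HTTP Host rather than on destination address alone.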