Date post: 20-Feb-2021
Security, Internet Access, and Communication Ports

The following topics provide information on system security, internet access, and communication ports:

• Security Requirements, on page 1
• Internet Access Requirements, on page 1
• Communication Port Requirements, on page 3

Security Requirements

To safeguard the Firepower Management Center, you should install it on a protected internal network. Although the FMC is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it (or any managed devices) from outside the firewall.

If the FMC and its managed devices reside on the same network, you can connect the management interfaces on the devices to the same protected internal network as the FMC. This allows you to securely control the devices from the FMC. You can also configure multiple management interfaces to allow the FMC to manage and isolate traffic from devices on other networks.

Regardless of how you deploy your appliances, inter-appliance communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Internet Access Requirements

By default, Firepower appliances are configured to connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). If you do not want your appliances to have direct access to the internet, you can configure a proxy server.

In most cases, it is the Firepower Management Center that accesses the internet. However, sometimes managed devices also access the internet. For example, if your malware protection configuration uses dynamic analysis, managed devices submit files directly to the Cisco Threat Grid cloud. Or, you may synchronize a device to an external NTP server.

    Security, Internet Access, and Communication Ports1

Tip: If you are using AMP for Networks or AMP for Endpoints, your location can determine which AMP cloud resources the FMC accesses. The Required Server Addresses for Proper AMP Operations Troubleshooting TechNote lists the internet resources (including static IP addresses) required not only by Firepower appliances, but also by Cisco AMP components like connectors and private cloud appliances.

Required Server Addresses for Proper AMP Operations TechNote: https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

Table 1: Firepower Internet Access Requirements

Resource | Reason | Feature
--- | --- | ---
cloud-sa.amp.sourcefire.com, cloud-sa.eu.amp.sourcefire.com, cloud-sa.apjc.amp.sourcefire.com, cloud-sa-589592150.us-east-1.elb.amazonaws.com | Malware cloud lookups. | AMP for Networks
updates.vrt.sourcefire.com, amp.updates.vrt.sourcefire.com | Download signature updates for file preclassification and local malware analysis. | AMP for Networks
panacea.threatgrid.com | Submit files for dynamic analysis (managed devices). Query for dynamic analysis results (FMC). | AMP for Networks
api.amp.sourcefire.com, api.eu.amp.sourcefire.com, api.apjc.amp.sourcefire.com, export.amp.sourcefire.com, export.eu.amp.sourcefire.com, export.apjc.amp.sourcefire.com | Receive malware events detected by AMP for Endpoints from the AMP cloud. | AMP for Endpoints integration
intelligence.sourcefire.com | Download Security Intelligence feeds. | Security Intelligence
database.brightcloud.com, service.brightcloud.com | Download URL category and reputation data. Manually query URL category and reputation data. Query for uncategorized URLs. | URL filtering
cisco.com, sourcefire.com | Download updates directly from Cisco to the appliance: system software, intrusion rules, vulnerability database (VDB), geolocation database (GeoDB). | System updates
0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org | Synchronize time in your deployment. Not supported with a proxy server. | Time synchronization
blogs.cisco.com/talos, cloud.google.com | Display the Cisco Threat Research Blog on the dashboard. | RSS feeds
The whois client tries to guess the right server to query. If it cannot guess, it uses: NIC handles: whois.networksolutions.com; IPv4 addresses and network names: whois.arin.net | Request whois information for an external host. Not supported with a proxy server. | Whois
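The practical use of Table 1 is an egress allowlist on the perimeter in front of the management network, and the two rows marked "Not supported with a proxy server" are what usually gets missed: once a proxy is configured, the FMC and devices still need a direct path for NTP and whois. The script below derives that allowlist from the table. It is an added example, not Cisco code or output from an appliance. The hostnames are a representative subset of Table 1; everything else is an assumption not stated on the page: resources are assumed to be reached on 443/tcp except where Table 2 says otherwise (RSS feeds on 80/tcp, URL filtering on 80/tcp plus 443/tcp), whois is assumed to use 43/tcp, and proxy.example.net:3128 is a made-up proxy.

```python
"""Derive a perimeter egress allowlist for a Firepower deployment from Table 1.

Added example, not Cisco code. Hostnames are a representative subset of
Table 1. Assumptions not stated on the page: each resource is reached on
443/tcp except where Table 2 says otherwise (RSS feeds on 80/tcp, URL
filtering on 80/tcp plus 443/tcp); whois uses 43/tcp; proxy.example.net
is a made-up proxy.
"""
from collections import defaultdict

# (feature, hostname, port, proto, sources, proxyable)
# sources: which appliance opens the connection; "device" = managed devices.
# proxyable=False marks resources Table 1 says are not supported via a proxy.
RESOURCES = [
    ("AMP for Networks", "cloud-sa.amp.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("AMP for Networks", "cloud-sa.eu.amp.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("AMP for Networks", "cloud-sa.apjc.amp.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("AMP for Networks", "cloud-sa-589592150.us-east-1.elb.amazonaws.com", 443, "tcp", {"FMC"}, True),
    ("AMP for Networks", "updates.vrt.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("AMP for Networks", "amp.updates.vrt.sourcefire.com", 443, "tcp", {"FMC"}, True),
    # Managed devices submit files for dynamic analysis; the FMC queries results.
    ("AMP for Networks", "panacea.threatgrid.com", 443, "tcp", {"FMC", "device"}, True),
    ("AMP for Endpoints integration", "api.amp.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("AMP for Endpoints integration", "export.amp.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("Security Intelligence", "intelligence.sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("URL filtering", "database.brightcloud.com", 80, "tcp", {"FMC"}, True),
    ("URL filtering", "database.brightcloud.com", 443, "tcp", {"FMC"}, True),
    ("URL filtering", "service.brightcloud.com", 80, "tcp", {"FMC"}, True),
    ("URL filtering", "service.brightcloud.com", 443, "tcp", {"FMC"}, True),
    ("System updates", "cisco.com", 443, "tcp", {"FMC"}, True),
    ("System updates", "sourcefire.com", 443, "tcp", {"FMC"}, True),
    ("RSS feeds", "blogs.cisco.com", 80, "tcp", {"FMC"}, True),
    # NTP and whois: "Not supported with a proxy server" (Table 1).
    ("Time synchronization", "0.sourcefire.pool.ntp.org", 123, "udp", {"FMC", "device"}, False),
    ("Whois", "whois.arin.net", 43, "tcp", {"FMC"}, False),
]


def egress_rules(resources, proxy=None):
    """Return the set of (src, dst, port, proto) the perimeter must permit.

    With proxy=(host, port), every proxyable resource collapses into a single
    rule per source toward the proxy, so the appliances need no direct
    internet path for HTTP/HTTPS. Non-proxyable resources (NTP, whois) are
    returned as direct rules regardless, because the proxy cannot carry them.
    """
    rules = set()
    for _feature, host, port, proto, sources, proxyable in resources:
        for src in sources:
            if proxy is not None and proxyable:
                rules.add((src, proxy[0], proxy[1], "tcp"))
            else:
                rules.add((src, host, port, proto))
    return rules


def direct_only(resources):
    """Resources that still need a direct egress rule when a proxy is in use."""
    out = defaultdict(list)
    for feature, host, port, proto, _sources, proxyable in resources:
        if not proxyable:
            out[feature].append(f"{host}:{port}/{proto}")
    return dict(out)


def features_by_source(resources):
    """Which features force each appliance role (FMC, device) onto the internet."""
    needed = defaultdict(set)
    for feature, _host, _port, _proto, sources, _proxyable in resources:
        for src in sources:
            needed[src].add(feature)
    return dict(needed)


if __name__ == "__main__":
    for rule in sorted(egress_rules(RESOURCES, proxy=("proxy.example.net", 3128))):
        print("permit %s -> %s %d/%s" % rule)
    print("direct egress still required:", direct_only(RESOURCES))
    print("managed devices need:", features_by_source(RESOURCES)["device"])
```

With a proxy configured the allowlist shrinks to two rules toward the proxy (one for the FMC, one for managed devices, because of Threat Grid submissions) plus the direct NTP and whois rules; if only the FMC is listed in the "device" rules, dynamic analysis from the sensors will silently fail.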

Communication Port Requirements

Firepower appliances communicate using a two-way, SSL-encrypted communication channel on port 8305/tcp. This port must remain open for basic intra-platform communication.

Other ports allow secure management, as well as access to external resources required by specific features. In general, feature-related ports remain closed until you enable or configure the associated feature. Do not change or close an open port until you understand how this action will affect your deployment.

Table 2: Firepower Communication Port Requirements

Port | Protocol/Feature | Platforms | Direction | Details
--- | --- | --- | --- | ---
22/tcp | SSH | FMC, Any device | Inbound | Secure remote connections to the appliance.
25/tcp | SMTP | FMC | Outbound | Send email notices and alerts.
53/tcp, 53/udp | DNS | FMC, Any device | Outbound | DNS.
67/udp, 68/udp | DHCP | FMC, Any device | Outbound | DHCP.
80/tcp | HTTP | FMC, 7000 & 8000 Series | Outbound | Display RSS feeds in the dashboard.
80/tcp | HTTP | FMC | Outbound | Download or query URL category and reputation data (port 443 also required).
80/tcp | HTTP | FMC | Outbound | Download custom Security Intelligence feeds over HTTP.
123/udp | NTP | FMC, Any device | Outbound | Synchronize time.
161/udp | SNMP | FMC, Any device | Inbound | Allow access to MIBs via SNMP polling.
162/udp | SNMP | FMC, Any device | Outbound | Send SNMP alerts to a remote trap server.
389/tcp, 636/tcp | LDAP | FMC, 7000 & 8000 Series | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (FMC only). Configurable.
443/tcp | HTTPS | FMC, 7000 & 8000 Series | Inbound | Access the web interface.
443/tcp | HTTPS | FMC, Any device | Outbound | Send and receive data from the internet. For details, see Internet Access Requirements, on page 1.
443/tcp | HTTPS | FMC | Outbound | Communicate with the AMP cloud (public or private). See also the information for port 32137.
443/tcp | HTTPS | FMC | Inbound and Outbound | Integrate with AMP for Endpoints.
514/udp | Syslog (alerts) | FMC, Any device | Outbound | Send alerts to a remote syslog server.
623/udp | SOL/LOM | FMC, 7000 & 8000 Series | Inbound | Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection.
885/tcp | Captive portal | Any device | Inbound | Communicate with a captive portal identity source.
1500/tcp, 2000/tcp | Database access | FMC | Inbound | Allow read-only access to the event database by a third-party client.
1812/udp, 1813/udp | RADIUS | FMC, 7000 & 8000 Series | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable.
3306/tcp | User Agent | FMC | Inbound | Communicate with User Agents.
5222/tcp | ISE | FMC | Outbound | Communicate with an ISE identity source.
8302/tcp | eStreamer | FMC, 7000 & 8000 Series | Inbound | Communicate with an eStreamer client.
8305/tcp | Appliance communications | FMC, Any device | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8307/tcp | Host input client | FMC | Inbound | Communicate with a host input client.
32137/tcp | AMP for Networks | FMC | Outbound | Communicate with the Cisco AMP cloud. This is a legacy configuration. We recommend you use the default (443).
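Two statements in this section are testable from outside the appliance: feature-related ports stay closed until the feature is configured, and 8305/tcp must always be open. The check below turns the inbound rows of Table 2 into an expected-exposure model and compares a port scan of the management interface against it, flagging ports the table does not list for that platform, listed ports whose feature you have not enabled, and a missing 8305/tcp. It is an added example, not Cisco code or output from a real appliance: EXPECTED_INBOUND is transcribed from Table 2, the scan line is constructed in nmap's -oG ("grepable") format, and 192.0.2.10 is a documentation address. Ports reported open|filtered by a UDP scan are treated as open, which errs on the side of reporting.

```python
"""Compare an appliance's observed listening ports with Table 2.

Added example, not Cisco code. EXPECTED_INBOUND is transcribed from the
page's Table 2 (inbound and "both" rows); SCAN is a constructed nmap -oG
line, not output from a real appliance.
"""
import re

# (port, proto) -> (protocol/feature, platforms). "device" stands for the
# table's "Any device"; "7000/8000" for rows limited to the 7000 & 8000 Series.
EXPECTED_INBOUND = {
    (22, "tcp"):   ("SSH", {"FMC", "device"}),
    (161, "udp"):  ("SNMP", {"FMC", "device"}),
    (443, "tcp"):  ("HTTPS", {"FMC", "7000/8000"}),
    (623, "udp"):  ("SOL/LOM", {"FMC", "7000/8000"}),
    (885, "tcp"):  ("Captive portal", {"device"}),
    (1500, "tcp"): ("Database access", {"FMC"}),
    (2000, "tcp"): ("Database access", {"FMC"}),
    (3306, "tcp"): ("User Agent", {"FMC"}),
    (8302, "tcp"): ("eStreamer", {"FMC", "7000/8000"}),
    (8305, "tcp"): ("Appliance communications", {"FMC", "device"}),
    (8307, "tcp"): ("Host input client", {"FMC"}),
}

# The text says 8305/tcp must remain open for basic intra-platform communication.
REQUIRED = {(8305, "tcp")}

# Constructed scan result in nmap -oG format (a TCP and a UDP scan merged).
# 4444/tcp is deliberately not in Table 2; 3306/tcp is listed but its feature
# (User Agent) is not enabled in the run below.
SCAN = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///, 4444/open/tcp//////, 161/open|filtered/udp//snmp///, "
    "8305/open/tcp//////\tIgnored State: closed (994)"
)

# -oG port entries look like port/state/protocol/owner/service/rpc/version/.
_PORT_RE = re.compile(r"(\d+)/(open(?:\|filtered)?)/(tcp|udp)/")


def parse_open_ports(grepable_line):
    """Return the set of (port, proto) reported open (or open|filtered) in an nmap -oG line."""
    return {(int(p), proto) for p, _state, proto in _PORT_RE.findall(grepable_line)}


def expected_on(platform):
    """Table 2 inbound ports that apply to 'FMC', '7000/8000', or any other 'device'."""
    out = {}
    for key, (feature, platforms) in EXPECTED_INBOUND.items():
        if platform in platforms or (platform == "7000/8000" and "device" in platforms):
            out[key] = feature
    return out


def audit(open_ports, platform, enabled_features):
    """Classify each observed port against Table 2.

    Findings are (port, proto, verdict, feature). A port the table does not
    list for this platform is 'unexpected'; a listed port whose feature is not
    enabled is 'feature-not-enabled' (feature ports should stay closed until
    the feature is configured); a required port that is not open is
    'missing-required'.
    """
    expected = expected_on(platform)
    findings = []
    for port, proto in sorted(open_ports):
        feature = expected.get((port, proto))
        if feature is None:
            findings.append((port, proto, "unexpected", None))
        elif feature not in enabled_features and (port, proto) not in REQUIRED:
            findings.append((port, proto, "feature-not-enabled", feature))
        else:
            findings.append((port, proto, "ok", feature))
    for port, proto in sorted(REQUIRED - open_ports):
        if (port, proto) in expected:
            findings.append((port, proto, "missing-required", expected[(port, proto)]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_open_ports(SCAN), "FMC", {"SSH", "HTTPS", "SNMP"}):
        print(finding)
```

Run the scan from a host on the protected management network, not through the firewall, so that what you compare is the appliance's own exposure rather than the perimeter filter; an "unexpected" port on a production FMC is worth a ticket, and a "feature-not-enabled" port means either the model is stale or something was enabled without a change record.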

Related Topics
Identifying the LDAP Authentication Server
Configuring RADIUS Connection Settings
