CISCO ASA FirePOWER Secure Firewall Threat Defense and SecureX Threat Response User Guide
- June 15, 2024
- Cisco
Product Information
Specifications
- Default Internet Access Ports: 443/tcp (HTTPS) and 80/tcp (HTTP)
- Proxy Server Configuration: You can configure a proxy server if you do not want direct internet access for your appliances.
- FMC Internet Access: The FMC (Firepower Management Center) accesses the internet by default. Both FMCs in a high availability pair should have internet access.
- Managed Devices Internet Access: Managed devices may also access the internet for certain functionalities such as malware protection configuration using dynamic analysis or synchronization with an external NTP server.
- Web Analytics Tracking: Unless disabled, your browser may contact Google or Amplitude web analytics servers to provide non-personally-identifiable usage data to Cisco.
Product Usage Instructions
Internet Access Configuration
To configure internet access for your appliances, follow these steps:
- Ensure that the FMC and managed devices are connected to the network.
- If you want direct internet access, no additional configuration is required.
- If you prefer to use a proxy server, obtain the proxy server details from your network administrator.
- Access the FMC interface and navigate to the network settings.
- Enter the proxy server details in the designated fields.
- Save the configuration and verify internet connectivity by accessing external resources through your appliances.
Required Server Addresses
For proper Cisco Secure Endpoint & Malware Analytics operations, make sure to allow access to the following server addresses:
- AMP for Networks malware cloud lookups and signature updates: updates.vrt.sourcefire.com, amp.updates.vrt.sourcefire.com
- Dynamic analysis (Threat Grid cloud): fmc.api.threatgrid.com, fmc.api.threatgrid.eu
- AMP for Endpoints integration: see the Required Server Addresses documentation for the AMP for Endpoints integration.
- Security Intelligence feeds: intelligence.sourcefire.com
Other Features and Communication Ports
The product also supports the following features and communication ports:
- URL Filtering: Download URL category and reputation data. Manually query URL category and reputation data. Query for uncategorized URLs.
- Cisco Smart Licensing: Communicate with the Cisco Smart Software Manager.
- Cisco Success Network: Transmit usage information and statistics.
- Cisco Support Diagnostics: Accept authorized requests and transmit usage information and statistics.
FAQ
- Q: How can I disable web analytics tracking?
  A: To disable web analytics tracking, access your browser settings and disable any analytics-related features or extensions.
- Q: Can I configure different proxy servers for FMC and managed devices?
  A: Yes, you can configure different proxy servers for FMC and managed devices. Simply enter the respective proxy server details in their respective network settings.
- Q: Where can I find more information about configuring server addresses for AMP for Endpoints integration?
  A: You can find more information about configuring server addresses for AMP for Endpoints integration in the documentation provided specifically for that integration.
The following topics provide information on system security, internet access, and communication ports.
Security Requirements
To safeguard the Firepower Management Center, you should install it on a protected internal network. Although the FMC is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it (or any managed devices) from outside the firewall.
If the FMC and its managed devices reside on the same network, you can connect the management interfaces on the devices to the same protected internal network as the FMC. This allows you to securely control the devices from the FMC. You can also configure multiple management interfaces to allow the FMC to manage and isolate traffic from devices on other networks. Regardless of how you deploy your appliances, inter-appliance communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.
Cisco Clouds
The FMC communicates with resources in the Cisco cloud for the following features:
- Advanced Malware Protection: the public cloud is configured by default; to make changes, see Change AMP Options.
- URL filtering: for information, see URL Filtering Options and Enable URL Filtering Using Category and Reputation.
- Integration with Cisco Security Analytics and Logging (SaaS): see Remote Data Storage in the Stealthwatch Cloud.
- Integration with SecureX and Cisco SecureX threat response: for details, see the integration documents linked from Integrate with Cisco SecureX and Event Analysis with Cisco SecureX Threat Response.
- The proactive support feature: for information, see Cisco Support Diagnostics.
- Cisco Success Network: for information, see Cisco Success Network.
Internet Access Requirements
By default, the system is configured to connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). If you do not want your appliances to have direct access to the internet, you can configure a proxy server. For many features, your location determines which resources the system accesses. In most cases, it is the FMC that accesses the internet. Both FMCs in a high availability pair should have internet access. Depending on the feature, sometimes both peers access the internet, and sometimes only the active peer does.
Sometimes, managed devices also access the internet. For example, if your malware protection configuration uses dynamic analysis, managed devices submit files directly to the Threat Grid cloud. Or, you may synchronize a device to an external NTP server. Additionally, unless you disable web analytics tracking, your browser may contact Google (google.com) or Amplitude (amplitude.com) web analytics servers to provide non-personally identifiable usage data to Cisco.
Table 1: Internet Access Requirements
Feature | Reason | FMC High Availability | Resource
---|---|---|---
AMP for Networks | Malware cloud lookups. | Both peers perform lookups. | See Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations.
AMP for Networks | Download signature updates for file pre-classification and local malware analysis. | Active peer downloads, and syncs to standby. | updates.vrt.sourcefire.com, amp.updates.vrt.sourcefire.com
AMP for Networks | Submit files for dynamic analysis (managed devices). Query for dynamic analysis results (FMC). | Both peers query for dynamic analysis reports. | fmc.api.threatgrid.com, fmc.api.threatgrid.eu
AMP for Endpoints integration | Receive malware events detected by AMP for Endpoints from the AMP cloud. Display malware events detected by the Firepower system in AMP for Endpoints. Use centralized file Block and Allow lists created in AMP for Endpoints to override dispositions from the AMP cloud. | Both peers receive events. You must also configure the cloud connection on both peers (configuration is not synced). | See Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations.
Security Intelligence | Download Security Intelligence feeds. | Active peer downloads, and syncs to standby. | intelligence.sourcefire.com
URL filtering | Download URL category and reputation data. Manually query (look up) URL category and reputation data. Query for uncategorized URLs. | Active FMC downloads, syncs to standby. | URLs: (not listed here). IPv4 blocks: 146.112.62.0/24, 146.112.63.0/24, 146.112.255.0/24, 146.112.59.0/24. IPv6 blocks: 2a04:e4c7:ffff::/48, 2a04:e4c7:fffe::/48
Cisco Smart Licensing | Communicate with the Cisco Smart Software Manager. | Active peer communicates. | tools.cisco.com:443
Cisco Success Network | Transmit usage information and statistics. | Active peer communicates. | api-sse.cisco.com:8989, dex.sse.itd.cisco.com
Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. | Active peer communicates. | api-sse.cisco.com:8989
System updates | Download updates directly to the FMC: system software, intrusion rules, vulnerability database (VDB), geolocation database (GeoDB). | Update intrusion rules, the VDB, and the GeoDB on the active peer, which then syncs to the standby. Upgrade the system software independently on each peer. See the Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0. | amazonaws.com, cisco.com, sourcefire.com
Cisco SecureX integration | See the Cisco Secure Firewall Threat Defense and Cisco SecureX Threat Response Integration Guide. | | 
Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | Any appliance using an external NTP server must have internet access. | 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org
RSS feeds | Display the Cisco Threat Research Blog on the dashboard. | Any appliance displaying RSS feeds must have internet access. | blog.talosintelligence.com, blogs.cisco.com
Whois | Request whois information for an external host. Not supported with a proxy server. | Any appliance requesting whois information must have internet access. | The whois client tries to guess the right server to query. If it cannot be guessed, it uses: NIC handles: (not listed here); IPv4 addresses and network names: whois.arin.net
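To turn Table 1 into a check, the following Python script (an added example, not Cisco's code or part of this guide) compares a constructed egress allowlist against a subset of the destinations listed above and reports which FMC features the policy would break, including features the guide says do not work through a proxy. The REQUIRED table, check_egress_policy and the sample policy are assumptions of this example, not names from the guide.

```python
import ipaddress
from fnmatch import fnmatchcase

# Subset of Table 1 transcribed from the guide: feature -> (destinations, port, proxy_ok).
# A destination is a hostname or a CIDR block. proxy_ok is False for features the guide
# says are not supported through a proxy server (NTP time synchronization, whois).
REQUIRED = {
    "AMP signature updates": (["updates.vrt.sourcefire.com", "amp.updates.vrt.sourcefire.com"], 443, True),
    "Dynamic analysis": (["fmc.api.threatgrid.com", "fmc.api.threatgrid.eu"], 443, True),
    "Security Intelligence": (["intelligence.sourcefire.com"], 443, True),
    "URL filtering": (["146.112.62.0/24", "146.112.63.0/24", "146.112.255.0/24", "146.112.59.0/24"], 443, True),
    "Cisco Smart Licensing": (["tools.cisco.com"], 443, True),
    "Cisco Success Network": (["api-sse.cisco.com"], 8989, True),
    "Time synchronization": (["0.sourcefire.pool.ntp.org", "1.sourcefire.pool.ntp.org"], 123, False),
}

def _rule_permits(rule, dest, port):
    """rule = (pattern, port): pattern is a hostname glob ('*.cisco.com') or a CIDR block."""
    pattern, rule_port = rule
    if rule_port not in ("any", port):
        return False
    try:
        net = ipaddress.ip_network(dest)          # destination given as a CIDR block
    except ValueError:
        return fnmatchcase(dest, pattern)         # destination is a hostname; match the glob
    try:
        return net.subnet_of(ipaddress.ip_network(pattern))
    except (ValueError, TypeError):               # pattern is a hostname glob or other IP version
        return False

def check_egress_policy(allow_rules, use_proxy=False):
    """Return {feature: [destinations the policy does not allow]}; an empty list means covered."""
    report = {}
    for feature, (dests, port, proxy_ok) in REQUIRED.items():
        if use_proxy and not proxy_ok:
            report[feature] = ["not supported through a proxy server"]
            continue
        report[feature] = [f"{d}:{port}" for d in dests
                           if not any(_rule_permits(r, d, port) for r in allow_rules)]
    return report

if __name__ == "__main__":
    # Constructed sample allowlist (hypothetical): covers Sourcefire and the URL filtering
    # blocks but forgot Threat Grid, port 8989 and NTP.
    policy = [("*.sourcefire.com", 443), ("146.112.0.0/16", 443), ("tools.cisco.com", 443)]
    for feature, missing in check_egress_policy(policy).items():
        print(f"{feature:24s} {'OK' if not missing else 'BLOCKED: ' + ', '.join(missing)}")
```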
Communication Port Requirements
- Firepower appliances communicate using a two-way, SSL-encrypted communication channel on port 8305/tcp. This port must remain open for basic intra-platform communication.
- Other ports allow secure management, as well as access to external resources required by specific features. In general, feature-related ports remain closed until you enable or configure the associated feature. Do not change or close an open port until you understand how this action will affect your deployment.
Table 2: Firepower Communication Port Requirements
Port | Protocol/Feature | Platforms | Direction | Details
---|---|---|---|---
7/udp | UDP/audit logging | FMC, classic devices | Outbound | Verify connectivity with the syslog server when configuring audit logging.
22/tcp | SSH | FMC, any device | Inbound | Secure remote connections to the appliance.
25/tcp | SMTP | FMC | Outbound | Send email notices and alerts.
53/tcp, 53/udp | DNS | FMC, any device | Outbound | DNS
67/udp, 68/udp | DHCP | FMC, any device | Outbound | DHCP
80/tcp | HTTP | FMC | Outbound | Display RSS feeds in the dashboard.
80/tcp | HTTP | FMC | Outbound | Download or query URL category and reputation data (port 443 is also required).
80/tcp | HTTP | FMC | Outbound | Download custom Security Intelligence feeds over HTTP.
123/udp | NTP | FMC, any device | Outbound | Synchronize time.
161/udp | SNMP | FMC, any device | Inbound | Allow access to MIBs via SNMP polling.
162/udp | SNMP | FMC, any device | Outbound | Send SNMP alerts to a remote trap server.
389/tcp, 636/tcp | LDAP | FMC, FTD | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (FMC only). Configurable.
443/tcp | HTTPS | FMC | Inbound | Access the web interface.
443/tcp | Remote access VPN (SSL/IPsec) | FTD | Inbound | Allow secure VPN connections to your network from remote users.
500/udp, 4500/udp | Remote access VPN (IKEv2) | FTD | Inbound | Allow secure VPN connections to your network from remote users.
443/tcp | HTTPS | FMC, FTD | Inbound | Communicate with integrated and third-party products using the Firepower REST API, including the Cisco Terminal Services (TS) Agent.
443/tcp | HTTPS | FMC, any device | Outbound | Send and receive data from the internet.
443/tcp | HTTPS | FMC | Outbound | Communicate with the AMP cloud (public or private).
443/tcp | HTTPS | FMC | Inbound and Outbound | Integrate with AMP for Endpoints.
514/udp | Syslog (alerts) | FMC, any device | Outbound | Send alerts to a remote syslog server.
623/udp | SOL/LOM | FMC | Inbound | Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection.
885/tcp | Captive portal | Any device | Inbound | Communicate with a captive portal identity source.
1500/tcp, 2000/tcp | Database access | FMC | Inbound | Allow read-only access to the event database by a third-party client.
1812/udp, 1813/udp | RADIUS | FMC, FTD | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable.
5222/tcp | ISE | FMC | Outbound | Communicate with an ISE identity source.
6514/tcp | Syslog (audit events) | FMC, NGIPSv, ASA FirePOWER | Outbound | Send audit logs to a remote syslog server, when TLS is configured.
8302/tcp | eStreamer | FMC | Inbound | Communicate with an eStreamer client.
8305/tcp | Appliance communications | FMC, any device | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8307/tcp | Host input client | FMC | Inbound | Communicate with a host input client.
8514/udp | Stealthwatch Management Console | Managed FTD devices | Outbound | Send syslog messages to Secure Network Analytics using Cisco Security Analytics and Logging (On-Premises).
8989/tcp | Cisco Success Network | FMC | Outbound | Transmit usage information and statistics.
8989/tcp | Cisco Support Diagnostics | FMC, Firepower Threat Defense | Both | Accepts authorized requests and transmits usage information and statistics.
Related Topics
- Add an LDAP External Authentication Object for FMC
- Add a RADIUS External Authentication Object for FMC
References
- Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations - Cisco
- Cisco Secure Firewall Threat Defense and Cisco SecureX Threat Response Integration Guide - Cisco