Security, Internet Access, and Communication Ports

The following topics provide information on system security, internet access, and communication ports:

Security Requirements

To safeguard the Firepower Management Center, you should install it on a protected internal network. Although the FMC is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it (or any managed devices) from outside the firewall.

If the FMC and its managed devices reside on the same network, you can connect the management interfaces on the devices to the same protected internal network as the FMC. This allows you to securely control the devices from the FMC. You can also configure multiple management interfaces to allow the FMC to manage and isolate traffic from devices on other networks.

Regardless of how you deploy your appliances, inter-appliance communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Cisco Clouds

The Firepower System uses Cisco’s Collective Security Intelligence (CSI) cloud to obtain the threat intelligence data it uses to assess risk for files and to obtain URL category and reputation. With the correct licenses, you can specify communications options for the AMP for Networks and URL Filtering features.

Internet Access Requirements

By default, the system is configured to connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). If you do not want your appliances to have direct access to the internet, you can configure a proxy server. For many features, your location determines which resources the system accesses.

In most cases, it is the FMC that accesses the internet. However, sometimes managed devices also access the internet. For example, if your malware protection configuration uses dynamic analysis, managed devices submit files directly to the Cisco Threat Grid cloud. Or, you may synchronize a device to an external NTP server.

Table 1. Internet Access Requirements

Feature | Reason | Resource
AMP for Networks | Malware cloud lookups. | See Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations.
AMP for Networks | Download signature updates for file preclassification and local malware analysis. | updates.vrt.sourcefire.com; amp.updates.vrt.sourcefire.com
AMP for Networks | Submit files for dynamic analysis (managed devices). Query for dynamic analysis results (FMC). | panacea.threatgrid.com
AMP for Endpoints integration | Receive malware events detected by AMP for Endpoints from the AMP cloud. | See Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations.
Security Intelligence | Download Security Intelligence feeds. | intelligence.sourcefire.com
URL filtering | Download URL category and reputation data. Manually query URL category and reputation data. Query for uncategorized URLs. | database.brightcloud.com; service.brightcloud.com
System updates | Download updates directly from Cisco to the appliance: system software, intrusion rules, vulnerability database (VDB), geolocation database (GeoDB). | cisco.com; sourcefire.com
Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | 0.sourcefire.pool.ntp.org; 1.sourcefire.pool.ntp.org; 2.sourcefire.pool.ntp.org; 3.sourcefire.pool.ntp.org
RSS feeds | Display the Cisco Threat Research Blog on the dashboard. | feeds.feedburner.com; feeds.sourcefire.com
Whois | Request whois information for an external host. Not supported with a proxy server. | The whois client tries to guess the right server to query. If it cannot guess, it uses whois.networksolutions.com for NIC handles and whois.arin.net for IPv4 addresses and network names.
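A preflight check a deployment engineer can run from the FMC management network before enabling features, written for this page as an added example (not Cisco's own tooling). It encodes the resources above, flags the features the table marks as unsupported through a proxy, and probes TCP egress and the NTP pool; the pairing of each host with a port is an assumption taken from Tables 1 and 2 (443/tcp for cloud services and updates, 80/tcp and 443/tcp for URL data, 80/tcp for RSS feeds, 123/udp for NTP).

```python
"""Preflight connectivity checks for an FMC deployment, built from the hosts and
ports this page lists (example code for this page, not Cisco tooling).  Host/port
pairing is an assumption taken from Tables 1 and 2: 443/tcp for cloud services and
updates, 80/tcp and 443/tcp for URL data, 80/tcp for RSS feeds, 123/udp for NTP."""
import socket

REQUIREMENTS = {  # feature (as named in Table 1) -> (hosts, ports, proto, proxy_ok)
    "AMP for Networks": (["updates.vrt.sourcefire.com", "amp.updates.vrt.sourcefire.com",
                          "panacea.threatgrid.com"], (443,), "tcp", True),
    "Security Intelligence": (["intelligence.sourcefire.com"], (443,), "tcp", True),
    "URL filtering": (["database.brightcloud.com", "service.brightcloud.com"], (80, 443), "tcp", True),
    "System updates": (["cisco.com", "sourcefire.com"], (443,), "tcp", True),
    "RSS feeds": (["feeds.feedburner.com", "feeds.sourcefire.com"], (80,), "tcp", True),
    # proxy_ok=False: Table 1 says "Not supported with a proxy server"
    "Time synchronization": ([f"{i}.sourcefire.pool.ntp.org" for i in range(4)], (123,), "udp", False),
}

def plan_probes(features, via_proxy=False):
    """Return (probes, blocked): (host, port, proto) probes for the enabled features,
    and the features that cannot work when a proxy is the appliance's only path out."""
    probes, blocked = [], []
    for feature, (hosts, ports, proto, proxy_ok) in REQUIREMENTS.items():
        if feature not in features:
            continue
        if via_proxy and not proxy_ok:
            blocked.append(feature)
            continue
        probes += [(host, port, proto) for host in hosts for port in ports]
    return probes, blocked

def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake completes; use it for 443/80 egress and the 8305/tcp peer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_ntp(host, timeout=3.0):
    """Send an NTP client request (LI=0, VN=3, mode=3) and require a mode-4 server reply;
    UDP has no handshake, so only an answer proves the path on 123/udp is open."""
    request = b"\x1b" + 47 * b"\x00"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (host, 123))
            reply, _ = sock.recvfrom(48)
            return len(reply) == 48 and (reply[0] & 0x07) == 4
    except OSError:
        return False
```

Run plan_probes first with via_proxy=True when the appliances will only have proxy access: anything it returns as blocked needs a direct path or must stay disabled, and the remaining probes are what the perimeter firewall has to permit.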

Communication Port Requirements

Firepower appliances communicate using a two-way, SSL-encrypted communication channel on port 8305/tcp. This port must remain open for basic intra-platform communication.

Other ports allow secure management, as well as access to external resources required by specific features. In general, feature-related ports remain closed until you enable or configure the associated feature. Do not change or close an open port until you understand how this action will affect your deployment.

Table 2. Firepower Communication Port Requirements

Port | Protocol/Feature | Platforms | Direction | Details
7/udp | UDP/audit logging | FMC, classic | Outbound | Verify connectivity with the syslog server when configuring audit logging.
22/tcp | SSH | FMC, any device | Inbound | Secure remote connections to the appliance.
25/tcp | SMTP | FMC | Outbound | Send email notices and alerts.
53/tcp, 53/udp | DNS | FMC, any device | Outbound | DNS.
67/udp, 68/udp | DHCP | FMC, any device | Outbound | DHCP.
80/tcp | HTTP | FMC, 7000/8000 series | Outbound | Display RSS feeds in the dashboard.
80/tcp | HTTP | FMC | Outbound | Download or query URL category and reputation data (port 443 also required).
80/tcp | HTTP | FMC | Outbound | Download custom Security Intelligence feeds over HTTP.
123/udp | NTP | FMC, any device | Outbound | Synchronize time.
161/udp | SNMP | FMC, any device | Inbound | Allow access to MIBs via SNMP polling.
162/udp | SNMP | FMC, any device | Outbound | Send SNMP alerts to a remote trap server.
389/tcp, 636/tcp | LDAP | FMC, 7000/8000 series | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (FMC only). Configurable.
443/tcp | HTTPS | FMC, 7000/8000 series | Inbound | Access the web interface.
443/tcp | HTTPS | FMC, any device | Outbound | Send and receive data from the internet. For details, see Internet Access Requirements.
443/tcp | HTTPS | FMC | Outbound | Communicate with the AMP cloud (public or private). See also the information for port 32137.
443/tcp | HTTPS | FMC | Inbound and Outbound | Integrate with AMP for Endpoints.
514/udp | Syslog (alerts) | FMC, any device | Outbound | Send alerts to a remote syslog server.
623/udp | SOL/LOM | FMC, 7000/8000 series | Inbound | Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection.
885/tcp | Captive portal | Any device | Inbound | Communicate with a captive portal identity source.
1500/tcp, 2000/tcp | Database access | FMC | Inbound | Allow read-only access to the event database by a third-party client.
1812/udp, 1813/udp | RADIUS | FMC, 7000/8000 series | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable.
3306/tcp | User Agent | FMC | Inbound | Communicate with User Agents.
5222/tcp | ISE | FMC | Outbound | Communicate with an ISE identity source.
8302/tcp | eStreamer | FMC, 7000/8000 series | Inbound | Communicate with an eStreamer client.
8305/tcp | Appliance communications | FMC, any device | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8307/tcp | Host input client | FMC | Inbound | Communicate with a host input client.
32137/tcp | AMP for Networks | FMC | Outbound | Communicate with the Cisco AMP cloud. This is a legacy configuration. We recommend you use the default (443).