
Security, Internet Access, and Communication Ports
The following topics provide information on system security, internet access, and communication ports:
• Security Requirements, on page 1
• Cisco Clouds, on page 1
• Internet Access Requirements, on page 2
• Communication Port Requirements, on page 4

Security Requirements
To safeguard the Firepower Management Center, you should install it on a protected internal network. Although
the FMC is configured to have only the necessary services and ports available, you must make sure that attacks
cannot reach it (or any managed devices) from outside the firewall.
If the FMC and its managed devices reside on the same network, you can connect the management interfaces
on the devices to the same protected internal network as the FMC. This allows you to securely control the
devices from the FMC. You can also configure multiple management interfaces to allow the FMC to manage
and isolate traffic from devices on other networks.
Regardless of how you deploy your appliances, inter-appliance communication is encrypted. However, you
must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or
tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Cisco Clouds
The Firepower System uses Cisco’s Collective Security Intelligence (CSI) cloud to obtain the threat intelligence
data it uses to assess risk for files and to obtain URL category and reputation. With the correct licenses, you
can specify communications options for the AMP for Networks and URL Filtering features.
Additional information:
• Advanced Malware Protection
  The public cloud is configured by default; to make changes, see Change AMP Options.
• URL filtering
  For information, see:
  • URL Filtering Options
  • Enable URL Filtering Using Category and Reputation

Internet Access Requirements


By default, Firepower appliances are configured to connect to the internet on ports 443/tcp (HTTPS) and
80/tcp (HTTP). If you do not want your appliances to have direct access to the internet, you can configure a
proxy server.
In most cases, it is the Firepower Management Center that accesses the internet. However, sometimes managed
devices also access the internet. For example, if your malware protection configuration uses dynamic analysis,
managed devices submit files directly to the Cisco Threat Grid cloud. Or, you may synchronize a device to
an external NTP server.

Tip: If you are using AMP for Networks or AMP for Endpoints, your location can determine which AMP cloud
resources the FMC accesses. The Required Server Addresses for Proper AMP Operations Troubleshooting
TechNote lists the internet resources (including static IP addresses) required not only by Firepower appliances,
but also by Cisco AMP components like connectors and private cloud appliances.

Table 1: Firepower Internet Access Requirements

| Feature | Reason | Resource |
|---|---|---|
| AMP for Networks | Malware cloud lookups. | cloud-sa.amp.sourcefire.com, cloud-sa.eu.amp.sourcefire.com, cloud-sa.apjc.amp.sourcefire.com, cloud-sa-589592150.us-east-1.elb.amazonaws.com |
| AMP for Networks | Download signature updates for file preclassification and local malware analysis. | updates.vrt.sourcefire.com, amp.updates.vrt.sourcefire.com |
| AMP for Networks | Submit files for dynamic analysis (managed devices). Query for dynamic analysis results (FMC). | panacea.threatgrid.com |
| AMP for Endpoints integration | Receive malware events detected by AMP for Endpoints from the AMP cloud. | api.amp.sourcefire.com, api.eu.amp.sourcefire.com, api.apjc.amp.sourcefire.com, export.amp.sourcefire.com, export.eu.amp.sourcefire.com, export.apjc.amp.sourcefire.com |
| Security Intelligence | Download Security Intelligence feeds. | intelligence.sourcefire.com |
| URL filtering | Download URL category and reputation data. | database.brightcloud.com |
| URL filtering | Manually query URL category and reputation data. Query for uncategorized URLs. | service.brightcloud.com |
| Cisco Smart Licensing | Communicate with the Cisco Smart Software Manager. | tools.cisco.com |
| System updates | Download updates directly from Cisco to the appliance: system software, intrusion rules, vulnerability database (VDB), geolocation database (GeoDB). | cisco.com, sourcefire.com |
| Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org |
| RSS feeds | Display the Cisco Threat Research Blog on the dashboard. | blogs.cisco.com/talos, cloud.google.com |
| Whois | Request whois information for an external host. Not supported with a proxy server. | The whois client tries to guess the right server to query. If it cannot guess, it uses: NIC handles: whois.networksolutions.com; IPv4 addresses and network names: whois.arin.net |
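The table above is what an administrator turns into proxy and egress-firewall allowlists, and the two rows marked "Not supported with a proxy server" are the ones that still need a direct path once a proxy is configured. The following Python is an added example (not a Cisco tool and not code from this guide): it transcribes Table 1 into data, derives the set of hosts to allow through the proxy and the set that must be reached directly for the features you have enabled, strips the path from the one URL-style entry (blogs.cisco.com/talos), and reports allowlist entries that are still missing. The function names, the proxy/direct split and the sample feature set in `__main__` are this example's own assumptions.

```python
"""Egress allowlist planner built from the Firepower Internet Access table.

Added example, not a Cisco tool. The feature/resource data is transcribed from
Table 1 above; the function names and the proxy/direct split are this
example's own design. Assumption: "Not supported with a proxy server" means
the resource must be reachable directly even when a proxy is configured.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Resource:
    feature: str
    reason: str
    resources: Tuple[str, ...]
    proxy_supported: bool = True


# Regional prefixes used by the AMP cloud hostnames in Table 1.
AMP_REGIONS = ("", "eu.", "apjc.")

TABLE_1 = (
    Resource("AMP for Networks", "Malware cloud lookups.",
             tuple(f"cloud-sa.{r}amp.sourcefire.com" for r in AMP_REGIONS)
             + ("cloud-sa-589592150.us-east-1.elb.amazonaws.com",)),
    Resource("AMP for Networks",
             "Signature updates for file preclassification and local malware analysis.",
             ("updates.vrt.sourcefire.com", "amp.updates.vrt.sourcefire.com")),
    Resource("AMP for Networks",
             "Dynamic analysis: managed devices submit files, the FMC queries results.",
             ("panacea.threatgrid.com",)),
    Resource("AMP for Endpoints integration",
             "Receive malware events detected by AMP for Endpoints.",
             tuple(f"{p}.{r}amp.sourcefire.com"
                   for p in ("api", "export") for r in AMP_REGIONS)),
    Resource("Security Intelligence", "Download Security Intelligence feeds.",
             ("intelligence.sourcefire.com",)),
    Resource("URL filtering", "Download URL category and reputation data.",
             ("database.brightcloud.com",)),
    Resource("URL filtering", "Manual lookups and uncategorized URL queries.",
             ("service.brightcloud.com",)),
    Resource("Cisco Smart Licensing", "Communicate with the Cisco Smart Software Manager.",
             ("tools.cisco.com",)),
    Resource("System updates", "Software, intrusion rules, VDB and GeoDB downloads.",
             ("cisco.com", "sourcefire.com")),
    Resource("Time synchronization", "NTP; not supported with a proxy server.",
             tuple(f"{i}.sourcefire.pool.ntp.org" for i in range(4)),
             proxy_supported=False),
    Resource("RSS feeds", "Cisco Threat Research Blog on the dashboard.",
             ("blogs.cisco.com/talos", "cloud.google.com")),
    Resource("Whois", "Fallback whois servers; not supported with a proxy server.",
             ("whois.networksolutions.com", "whois.arin.net"),
             proxy_supported=False),
)


def hostname_of(resource: str) -> str:
    """Table 1 lists one entry as a URL path (blogs.cisco.com/talos); proxy
    and firewall allowlists key on the host part only."""
    return resource.split("/", 1)[0]


def known_features() -> List[str]:
    return sorted({r.feature for r in TABLE_1})


def unknown_features(enabled: Iterable[str]) -> List[str]:
    """Feature names that do not appear in Table 1 (typos, renamed features)."""
    return sorted(set(enabled) - set(known_features()))


def egress_plan(enabled: Iterable[str], proxy_in_use: bool) -> Tuple[List[str], List[str]]:
    """Return (hosts reachable via the proxy, hosts that need a direct path)."""
    enabled = set(enabled)
    via_proxy, direct = set(), set()
    for r in TABLE_1:
        if r.feature not in enabled:
            continue
        hosts = {hostname_of(x) for x in r.resources}
        if proxy_in_use and r.proxy_supported:
            via_proxy |= hosts
        else:
            direct |= hosts
    return sorted(via_proxy), sorted(direct)


def missing_proxy_entries(configured: Iterable[str], enabled: Iterable[str]) -> List[str]:
    """Hosts the enabled features need through the proxy but that are not yet allowlisted."""
    via_proxy, _ = egress_plan(enabled, proxy_in_use=True)
    return sorted(set(via_proxy) - set(configured))


if __name__ == "__main__":
    # Constructed sample: a deployment with three features enabled and a proxy.
    enabled = {"Security Intelligence", "Time synchronization", "RSS feeds"}
    via, direct = egress_plan(enabled, proxy_in_use=True)
    print("via proxy:", via)
    print("direct:   ", direct)
```

Because the resources are DNS names (including an AWS load-balancer name whose addresses can change), the plan is meant for hostname-aware proxy or firewall rules; converting it to static IP rules should use the TechNote referenced in the Tip above rather than a one-off resolution.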

Communication Port Requirements

Firepower appliances communicate using a two-way, SSL-encrypted communication channel on port 8305/tcp.
This port must remain open for basic intra-platform communication.
Other ports allow secure management, as well as access to external resources required by specific features.
In general, feature-related ports remain closed until you enable or configure the associated feature. Do not
change or close an open port until you understand how this action will affect your deployment.

Table 2: Firepower Communication Port Requirements

| Port | Protocol/Feature | Platforms | Direction | Details |
|---|---|---|---|---|
| 7/udp | UDP/audit logging | FMC, classic | Outbound | Verify connectivity with the syslog server when configuring audit logging. |
| 22/tcp | SSH | FMC, Any device | Inbound | Secure remote connections to the appliance. |
| 25/tcp | SMTP | FMC | Outbound | Send email notices and alerts. |
| 53/tcp, 53/udp | DNS | FMC, Any device | Outbound | DNS. |
| 67/udp, 68/udp | DHCP | FMC, Any device | Outbound | DHCP. |
| 80/tcp | HTTP | FMC, 7000 & 8000 Series | Outbound | Display RSS feeds in the dashboard. |
| 80/tcp | HTTP | FMC | Outbound | Download or query URL category and reputation data (port 443 also required). |
| 80/tcp | HTTP | FMC | Outbound | Download custom Security Intelligence feeds over HTTP. |
| 123/udp | NTP | FMC, Any device | Outbound | Synchronize time. |
| 161/udp | SNMP | FMC, Any device | Inbound | Allow access to MIBs via SNMP polling. |
| 162/udp | SNMP | FMC, Any device | Outbound | Send SNMP alerts to a remote trap server. |
| 389/tcp, 636/tcp | LDAP | FMC, FTD, 7000 & 8000 Series | Outbound | Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users (FMC only). Configurable. |
| 443/tcp | HTTPS | FMC, 7000 & 8000 Series | Inbound | Access the web interface. |
| 443/tcp | HTTPS | FMC, Any device | Outbound | Send and receive data from the internet. For details, see Internet Access Requirements, on page 2. |
| 443 | HTTPS | FMC | Outbound | Communicate with the AMP cloud (public or private). See also information for port 32137. |
| 443 | HTTPS | FMC | Inbound and Outbound | Integrate with AMP for Endpoints. |
| 514/udp | Syslog (alerts) | FMC, Any device | Outbound | Send alerts to a remote syslog server. |
| 623/udp | SOL/LOM | FMC, 7000 & 8000 Series | Inbound | Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection. |
| 885/tcp | Captive portal | Any device | Inbound | Communicate with a captive portal identity source. |
| 1500/tcp, 2000/tcp | Database access | FMC | Inbound | Allow read-only access to the event database by a third-party client. |
| 1812/udp, 1813/udp | RADIUS | FMC, FTD, 7000 & 8000 Series | Outbound | Communicate with a RADIUS server for external authentication and accounting. Configurable. |
| 3306/tcp | User Agent | FMC | Inbound | Communicate with User Agents. |
| 5222/tcp | ISE | FMC | Outbound | Communicate with an ISE identity source. |
| 8302/tcp | eStreamer | FMC, 7000 & 8000 Series | Inbound | Communicate with an eStreamer client. |
| 8305/tcp | Appliance communications | FMC, Any device | Both | Securely communicate between appliances in a deployment. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default. |
| 8307/tcp | Host input client | FMC | Inbound | Communicate with a host input client. |
| 32137/tcp | AMP for Networks | FMC | Outbound | Communicate with the Cisco AMP cloud. This is a legacy configuration. We recommend you use the default (443). |
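The text above says feature ports stay closed until a feature is enabled and that the 8305/tcp appliance port is configurable. A practical way to use Table 2 is as a baseline: record the ports, directions and platforms it allows, then compare what a given appliance is actually talking on against that baseline and investigate anything that falls outside it. The Python below is an added example (not a Cisco tool and not code from this guide) that does exactly that. The rule data is transcribed from Table 2; the rule format, the sample connection records in `__main__`, the `appliance_port` override for a changed 8305 port, and the assumption that "Any device" means every managed device but not the FMC itself are this example's own.

```python
"""Audit observed connections on a Firepower appliance against Table 2.

Added example, not a Cisco tool. The port rules are transcribed from the
table above. The Rule format, the platform-matching logic and the sample
connection records are constructed for this example.
"""
from collections import namedtuple
from typing import Iterable, List, Tuple

Rule = namedtuple("Rule", "port proto feature platforms direction")

FMC = "FMC"
ANY = "Any device"      # assumption: every managed device, but not the FMC itself
FTD = "FTD"
S78 = "7000 & 8000 Series"

TABLE_2 = [
    Rule(7, "udp", "UDP/audit logging", (FMC, "classic"), "Outbound"),
    Rule(22, "tcp", "SSH", (FMC, ANY), "Inbound"),
    Rule(25, "tcp", "SMTP", (FMC,), "Outbound"),
    Rule(53, "tcp", "DNS", (FMC, ANY), "Outbound"),
    Rule(53, "udp", "DNS", (FMC, ANY), "Outbound"),
    Rule(67, "udp", "DHCP", (FMC, ANY), "Outbound"),
    Rule(68, "udp", "DHCP", (FMC, ANY), "Outbound"),
    Rule(80, "tcp", "HTTP (RSS feeds)", (FMC, S78), "Outbound"),
    Rule(80, "tcp", "HTTP (URL filtering, custom SI feeds)", (FMC,), "Outbound"),
    Rule(123, "udp", "NTP", (FMC, ANY), "Outbound"),
    Rule(161, "udp", "SNMP polling", (FMC, ANY), "Inbound"),
    Rule(162, "udp", "SNMP traps", (FMC, ANY), "Outbound"),
    Rule(389, "tcp", "LDAP", (FMC, FTD, S78), "Outbound"),
    Rule(636, "tcp", "LDAP", (FMC, FTD, S78), "Outbound"),
    Rule(443, "tcp", "HTTPS (web interface)", (FMC, S78), "Inbound"),
    Rule(443, "tcp", "HTTPS (internet, AMP cloud)", (FMC, ANY), "Outbound"),
    Rule(443, "tcp", "HTTPS (AMP for Endpoints)", (FMC,), "Both"),
    Rule(514, "udp", "Syslog (alerts)", (FMC, ANY), "Outbound"),
    Rule(623, "udp", "SOL/LOM", (FMC, S78), "Inbound"),
    Rule(885, "tcp", "Captive portal", (ANY,), "Inbound"),
    Rule(1500, "tcp", "Database access", (FMC,), "Inbound"),
    Rule(2000, "tcp", "Database access", (FMC,), "Inbound"),
    Rule(1812, "udp", "RADIUS", (FMC, FTD, S78), "Outbound"),
    Rule(1813, "udp", "RADIUS", (FMC, FTD, S78), "Outbound"),
    Rule(3306, "tcp", "User Agent", (FMC,), "Inbound"),
    Rule(5222, "tcp", "ISE", (FMC,), "Outbound"),
    Rule(8302, "tcp", "eStreamer", (FMC, S78), "Inbound"),
    Rule(8305, "tcp", "Appliance communications", (FMC, ANY), "Both"),
    Rule(8307, "tcp", "Host input client", (FMC,), "Inbound"),
    Rule(32137, "tcp", "AMP for Networks (legacy)", (FMC,), "Outbound"),
]

# A connection record: (port, "tcp"|"udp", "Inbound"|"Outbound") from the appliance's view.
Flow = Tuple[int, str, str]


def _platform_matches(rule: Rule, platform: str) -> bool:
    return platform in rule.platforms or (ANY in rule.platforms and platform != FMC)


def _direction_matches(rule: Rule, direction: str) -> bool:
    return rule.direction == "Both" or rule.direction == direction


def matching_rules(platform: str, port: int, proto: str, direction: str,
                   appliance_port: int = 8305) -> List[str]:
    """Features in Table 2 that explain this flow on this platform.

    The appliance-communications port is configurable, so the 8305 rule is
    evaluated against the port actually configured in the deployment."""
    hits = []
    for r in TABLE_2:
        expected_port = appliance_port if r.port == 8305 else r.port
        if (port == expected_port and proto == r.proto
                and _platform_matches(r, platform) and _direction_matches(r, direction)):
            hits.append(r.feature)
    return hits


def audit(platform: str, flows: Iterable[Flow], appliance_port: int = 8305) -> List[Flow]:
    """Return the flows that no Table 2 rule accounts for, in input order."""
    return [f for f in flows if not matching_rules(platform, *f, appliance_port=appliance_port)]


if __name__ == "__main__":
    # Constructed sample flows seen on an FMC; not real data.
    sample = [
        (443, "tcp", "Inbound"),     # administrator using the web interface
        (8305, "tcp", "Inbound"),    # managed device registering
        (123, "udp", "Outbound"),    # NTP
        (161, "udp", "Outbound"),    # SNMP polling is inbound only: flagged
        (23, "tcp", "Inbound"),      # not in the table at all: flagged
        (885, "tcp", "Inbound"),     # captive portal is a device-only port: flagged
    ]
    for flow in audit(FMC, sample):
        print("unexpected on FMC:", flow)
```

The direction and platform checks matter as much as the port number: the same port (443/tcp, 80/tcp) appears in several rows with different directions and platforms, and a port that is legitimate outbound on a managed device may be unexpected inbound on the FMC.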

Related Topics
Identifying the LDAP Authentication Server
Configuring RADIUS Connection Settings
