Configure Firewall for Secure Web Appliance

Available Languages

Download Options

PDF (15.4 KB)
View with Adobe Reader on a variety of devices
ePub (81.6 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (69.8 KB)
View on Kindle device or Kindle app on multiple devices

Updated:April 27, 2026

Document ID:218441

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

Prerequisites

Firewall Rules

References

Introduction

This document describes ports that are needed to be open for operation of Cisco Secure Web Appliance (SWA).

Prerequisites

General Knowledge of Transmission Control Protocol/Internet Protocol (TCP/IP).

Understand Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) differences and behaviours.

Firewall Rules

The table lists possible ports that are needed to be opened for the proper operation of Cisco SWA.

Note: Port numbers are all default values, if any of them have been changed, consider the new value.

Default port	Protocol	InBound/OutBound	Host name	Purpose
20 21	TCP	InBound or OutBound	AsyncOS Management IP. ( inbound ) FTP server ( outbound )	File Transfer Protocol (FTP) for aggregation of log files. Data ports TCP 1024 and higher must also be open
22	TCP	InBound	AsyncOS Management IP	Secure Shell Protocol (SSH) access to the Secure Shell Protocol (SSH), Aggregation of log files
22	TCP	OutBound	SSH Server	SSH aggregation of log files. Secure copy protocol (SCP) push to log server.
25	TCP	OutBound	Simple Mail Transfer Protocol (SMTP) server IP	Send alerts via Email
53	UDP	OutBound	Domain Name System (DNS) servers	DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase queries.
8080	TCP	InBound	AsyncOS Management IP address	Hypertext Transfer Protocol (HTTP) access to the Graphical User Interface (GUI)
8443	TCP	InBound	AsyncOS Management IP address	Hypertext Transfer Protocol Secure (HTTPs) access to GUI
80 443	TCP	OutBound	downloads.ironport.com	McAfee definitions
80 443	TCP	OutBound	updates.ironport.com	AsyncOS upgrades and McAfee definitions
88	TCP & UDP	OutBound	Kerberos Key Distribution Center (KDC) / Active Directory Domain Server	Kerberos Authentication
88	UDP	InBound	Kerberos Key Distribution Center (KDC) / Active Directory Domain Server	Kerberos Authentication
445	TCP	OutBound	Microsoft SMB	Active Directory authentication realm (NTLMSSP and Basic)
389	TCP & UDP	OutBound	Lightweight Directory Access Protocol (LDAP ) Server	LDAP Authentication
3268	TCP	OutBound	LDAP Global Catalog (GC)	LDAP GC
636	TCP	OutBound	LDAP over Secure Sockets Layer (SSL)	LDAP SSL
3269	TCP	OutBound	LDAP GC over SSL	LDAP GC SSL
135	TCP	InBound & OutBound	End-point resolution - Port Mapper Net Log-on fixed port	End-point Resolution
161 162	UDP	OutBound	Simple Network Management Protocol (SNMP) Server	SNMP Queries
161	UDP	InBound	AsyncOS Management IP	SNMP Traps
123	UDP	OutBound	Network Time Protocol (NTP) server	NTP time synchronization
443	TCP	OutBound	update-manifests.ironport.com	Obtain the list of the latest files from the update server (for physical hardware)
443	TCP	OutBound	update-manifests.sco.cisco.com	Obtain the list of the latest files from the update server (for virtual hardware)
443	TCP	OutBound	regsvc.sco.cisco.com est.sco.cisco.com updates-talos.sco.cisco.com updates.ironport.com serviceconfig.talos.cisco.com grpc.talos.cisco.com IPv4 146.112.62.0/24 146.112.63.0/24 146.112.255.0/24 146.112.59.0/24 IPv6 2a04:e4c7:ffff::/48 2a04:e4c7:fffe::/48	Cisco Talos Intelligence Services Obtain Uniform Resource Locator (URL) category and reputation data.
443	TCP	OutBound	cloud-sa.amp.cisco.com cloud-sa.amp.sourcefire.com cloud-sa.eu.amp.cisco.com api.amp.cisco.com api.amp.sourcefire.com	Advance Malware Protection (AMP) Public Cloud
443	TCP	OutBound	AMERICAS api-sse.cisco.com mx01.sse.itd.cisco.com dex.sse.itd.cisco.com EUROPE api.eu.sse.itd.cisco.com mx01.eu.sse.itd.cisco.com dex.eu.sse.itd.cisco.com ASIA/PACIFIC api.apj.sse.itd.cisco.com mx01.apj.sse.itd.cisco.com dex.apj.sse.itd.cisco.com	Cisco Cloud Services on Secure Web Appliance. The required URLs are different per Secure Cloud Servers region.
443	TCP	OutBound	panacea.threatgrid.com panacea.threatgrid.eu	For Secure Malware Analytics Portal and Integrated Devices
80 3128	TCP	InBound	Proxy Clients	Default Clients connectivity to HTTP/HTTPS Proxy
80 443	TCP	OutBound	Default gateway	HTTP and HTTPS Proxy Traffic Out
514	UDP	OutBound	Syslog server	Syslog server to collect logs
990	TCP	OutBound	cxd.cisco.com	To upload the debug logs that are collected by Cisco Technical Assistance Collaborative (TAC). File Transfer Protocol of SSL (FTPS) Implicit.
21	TCP	OutBound	cxd.cisco.com	To upload the debug logs that are collected by Cisco TAC. FTPS Explicit or FTP
443	TCP	OutBound	cxd.cisco.com	To upload the debug logs that are collected by Cisco TAC over HTTPS
22	TCP	OutBound	cxd.cisco.com	To upload the debug logs that are collected by Cisco TAC over SCP and Secure File Transfer Protocol (SFTP)
22 25 (Default) 53 80 443 4766	TCP	OutBound	s.tunnels.ironport.com	Remote access to backend
443	TCP	OutBound	smartreceiver.cisco.com	Smart Licensing

References

Configure Firewall for AD Domain and Trusts - Windows Server | Microsoft Learn

Security, Internet Access, and Communication Ports - Cisco

Required IP and Ports for Secure Malware Analytics - Cisco

Customer File Uploads to Cisco Technical Assistance Center - Cisco

Technote on FAQ for Remote Access on Cisco ESA/WSA/SMA - Cisco

Smart Licensing Overview and Best Practices for Cisco Email and Web Security (ESA, WSA, SMA) - Cisco

Revision History

Revision	Publish Date	Comments
4.0	27-Apr-2026	Updated AMP and Cloud Services sections within the host table.
3.0	31-Oct-2023	Recertification
2.0	20-Apr-2023	Initial Release
1.0	30-Nov-2022	Initial Release

Contributed by Cisco Engineers

Amirhossein Mojarrad
Cisco TAC
Zaid Alali
Cisco TAC
Sarah Ayman Al Madi
Cisco TAC

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

Configure Firewall for Secure Web Appliance

Available Languages

Download Options

Bias-Free Language

Contents

Introduction

Prerequisites

Firewall Rules

References

Revision History

Contributed by Cisco Engineers

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products