This document describes the servers that are required in order to enable the Cisco Advanced Malware Protection (AMP) product and Threat Grid product to communicate and complete updates, lookups, and reports. In order to complete the operations successfully, your firewall must allow connectivity from the Connector/Appliance to the required servers.
Caution: All of the servers use a round-robin IP address scheme for load balancing, fault tolerance, and uptime. Therefore, the IP addresses might change, and Cisco recommends that the firewall be configured with the CNAME instead of an IP address.
Caution: Traffic destined for Cisco servers must not be subjected to TLS decryption.
This Tech Zone article applies to the following Cisco Products integrating with AMP and Threat Grid:
Cisco AMP for Networks (Firepower Management Center and Sensors)
Cisco AMP for Network Virtual Appliance
Cisco AMP for Endpoints Private Cloud
Cisco AMP for Endpoints Public Cloud
Cisco Email Security Appliance and Cloud Email Security (ESA and CES)
Cisco Web Security Appliance (WSA)
Threat Grid Cloud and/or Appliance
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Required Server Addresses for Proper AMP Operations
The AMP and Threat Grid servers are hosted in three different regions:
North America (AMP and Threat Grid)
Europe (AMP and Threat Grid)
Japan (AMP only)
This table lists the server locations for North America. Based on the account creation date, the server addresses might be different:
If your firewall blocks outbound TCP connections on port 443 (which is usually not the case), you must change your firewall settings before you update any policies. If your account was established after February 2016, you already have static IP addresses written into the standard policies. If your account was established prior to February 2016, you can contact the Cisco Technical Assistance Center (TAC) to request a migration of the policies to the static IP addresses.
Note: In order to ensure continuity of operations, and to ensure that the detected file malware dispositions are the same on both of the Firepower Management Centers, both the Primary and Secondary Management Centers must have access to the servers listed in this document.
Note: The AMP Console does not use Static IPs and must be accessed through DNS.
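The round-robin caution at the top of this document can be checked against an existing rule set. The following is an added example, not Cisco code: it resolves each required hostname several times and reports any address that an IP-based allow list would not cover. The hostname, the networks, and the function names are placeholders and assumptions; substitute the server names from the table for your region.

```python
import ipaddress
import socket

# Placeholder hostname (assumption): use the server names Cisco lists
# for your region and account.
REQUIRED_HOSTS = ["amp-server.example.invalid"]
PORT = 443  # the document states connections are outbound TCP 443


def resolve(host, port=PORT, getaddrinfo=socket.getaddrinfo):
    """Return the set of IP addresses DNS currently hands out for host."""
    infos = getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def audit_ip_rules(hosts, allowed_networks, samples=3,
                   getaddrinfo=socket.getaddrinfo):
    """Map each host to the resolved addresses that no allow rule covers.

    Resolving several times samples the round-robin rotation; any address
    reported here would be dropped by an IP-pinned rule set.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    uncovered = {}
    for host in hosts:
        seen = set()
        for _ in range(samples):
            try:
                seen |= resolve(host, getaddrinfo=getaddrinfo)
            except socket.gaierror:
                continue  # resolution failed this round; try the next sample
        missing = {ip for ip in seen if not any(ip in n for n in nets)}
        if missing or not seen:
            # An empty list means the host never resolved at all.
            uncovered[host] = sorted(missing, key=int)
    return uncovered


if __name__ == "__main__":
    # Constructed allow list using a documentation range (RFC 5737).
    report = audit_ip_rules(REQUIRED_HOSTS, ["192.0.2.0/24"])
    for host, ips in report.items():
        print(host, "not covered:", [str(i) for i in ips] or "did not resolve")
```

An empty result means every sampled address is covered at the moment of the check; it does not guarantee that the rotation will not introduce new addresses later, which is why a hostname-based rule is recommended.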