PDF(66.7 KB) View with Adobe Reader on a variety of devices
ePub(95.7 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(92.9 KB) View on Kindle device or Kindle app on multiple devices
Updated:November 14, 2023
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the servers that are required in order to enable the Cisco Secure Endpoint (formerly Cisco AMP) product and Cisco Secure Malware Analytics (formerly Threat Grid) product to communicate and complete updates, lookups, and reports. In order to complete the operations successfully, your firewall must allow connectivity from the Connector/Appliance to the required servers.
Caution: All of the servers use a round-robin IP address schema for load balancing, fault tolerance, and uptime. Therefore, the IP addresses might change, and Cisco recommends that the firewall be configured with CNAME instead of an IP address.
Caution: Any traffic coming towards Cisco servers cannot be subjected to the TLS decryption.
This Tech Zone article applies to the following Cisco Products integrating with Cisco Secure Endpoint (AMP) product and Malware Analytics(Threat Grid):
Cisco Secure Endpoints for Networks (Firepower Management Center and Sensors)
Cisco Secure Endpoint Private Cloud
Cisco Secure Endpoint Public Cloud
Cisco Secure Email Appliance and Cisco Email Security (ESA and CES)
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Required Server Addresses for Proper Cisco Secure Endpoint Operations
The Cisco Secure Endpoint and Cisco Secure Malware Analytics servers are located in three different locations:
North America (Cisco Secure Endpoint and Cisco Secure Malware Analytics)
Europe (Cisco Secure Endpoint and Cisco Secure Malware Analytics)
Japan (Cisco Secure Endpoint only)
This table lists the server locations for North America. Based on the account creation date, the server addresses might be different:
If your firewall blocks outbound TCP connections on port 443 (which is usually not the case), you must change your firewall settings before you update any policies. If your account was established after February 2016, you already have static IP addresses written into the standard policies. If your account was established prior to February 2016, you can contact the Cisco Technical Assistance Center (TAC) to request a migration of the policies to the static IP addresses.
Note: In order to ensure continuity of operations, and to ensure that the detected file malware dispositions are the same on both of the Firepower Management Centers, both the Primary and Secondary Management Centers must have access to the servers listed in this document.
Note: The Cisco Secure Endpoint Console does not use Static IPs and must be accessed through DNS.