Security and Internet Access

Lists of URLs used by the dynamic attributes connector when communicating with cloud service providers and the FMC.

Security Requirements

To safeguard the Cisco Secure Dynamic Attributes Connector, you should install it on a protected internal network. Although the dynamic attributes connector is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it.

If the dynamic attributes connector and the FMC reside on the same network, you can connect the FMC to the same protected internal network as the dynamic attributes connector.

Regardless of how you deploy your appliances, inter-system communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Internet Access Requirements

By default, the dynamic attributes connector communicates with the Firepower System over the internet using HTTPS on port 443/tcp. If you do not want the dynamic attributes connector to have direct internet access, you can configure a proxy server.

The following tables list the URLs the dynamic attributes connector uses to communicate with the FMC and with external servers.

Table 1. Dynamic Attributes Connector FMC access requirements

URL                                                                                                       Reason
https://fmc-ip/api/fmc_platform/v1/auth/generatetoken                                                     Authentication
https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects                                   GET and POST dynamic objects
https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects/object-id/mappings?action=add     Add mappings
https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects/object-id/mappings?action=remove  Remove mappings
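The FMC exchange behind Table 1 (obtain a token, list dynamic objects, add and remove mappings), written out as an added example; this is not Cisco's code and not part of this guide. It assumes that the generatetoken call answers HTTP 204 with the token in the X-auth-access-token response header and the default domain in DOMAIN_UUID, as the FMC platform API does; the "items" key in list responses and the mapping request body are assumed shapes, not taken from the API reference; 192.0.2.10, apiuser/s3cret, tok123, d-1 and obj-1 are constructed sample values. The HTTP transport is injectable, so certificate verification and proxy routing (the requirements stated above) live in one place and the flow can also be exercised offline:

```python
# Added example, not Cisco's code: the FMC REST calls from Table 1 behind a small client.
import base64, json, ssl, urllib.error, urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:  # header names are case-insensitive
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def fmc_urls(fmc_ip: str, domain_id: str = "domain-id", object_id: str = "object-id") -> Dict[str, str]:
    """The four FMC URLs from Table 1 with the placeholders filled in."""
    base = f"https://{fmc_ip}/api"
    objects = f"{base}/fmc_config/v1/domain/{domain_id}/object/dynamicobjects"
    return {"generatetoken": f"{base}/fmc_platform/v1/auth/generatetoken",
            "dynamicobjects": objects,
            "mappings_add": f"{objects}/{object_id}/mappings?action=add",
            "mappings_remove": f"{objects}/{object_id}/mappings?action=remove"}


def urllib_transport(ca_bundle: Optional[str] = None, proxy: Optional[str] = None):
    """Real transport(method, url, headers, body) -> Response: verifies the FMC certificate
    chain and hostname against ca_bundle (or the system store), optionally via a proxy."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # check_hostname stays enabled
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"https": proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with opener.open(req, timeout=30) as resp:
                return Response(resp.status, dict(resp.headers), resp.read())
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers and a body
            return Response(err.code, dict(err.headers), err.read())

    return send


class FmcClient:
    def __init__(self, fmc_ip: str, username: str, password: str, transport):
        self.fmc_ip, self.username, self.password, self.transport = fmc_ip, username, password, transport
        self.token, self.domain_id = None, None

    def authenticate(self) -> str:
        """POST Basic credentials to generatetoken; FMC answers 204 with the token in the
        X-auth-access-token header and the default domain UUID in DOMAIN_UUID."""
        creds = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        resp = self.transport("POST", fmc_urls(self.fmc_ip)["generatetoken"],
                              {"Authorization": f"Basic {creds}"}, None)
        token = resp.header("X-auth-access-token")
        if resp.status != 204 or not token:
            raise PermissionError(f"FMC token request failed: HTTP {resp.status}")
        self.token, self.domain_id = token, resp.header("DOMAIN_UUID")
        return token

    def _call(self, method: str, key: str, object_id: str = "object-id", payload=None) -> Response:
        if not self.token or not self.domain_id:
            raise RuntimeError("call authenticate() first")
        url = fmc_urls(self.fmc_ip, self.domain_id, object_id)[key]
        headers = {"X-auth-access-token": self.token, "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        resp = self.transport(method, url, headers, body)
        if resp.status >= 400:
            raise RuntimeError(f"{method} {url} failed: HTTP {resp.status}")
        return resp

    def list_dynamic_objects(self) -> List[dict]:
        # ASSUMPTION: FMC list responses carry their entries under "items"
        return json.loads(self._call("GET", "dynamicobjects").body or b"{}").get("items", [])

    def set_mappings(self, object_id: str, addresses: Iterable[str], action: str = "add") -> Response:
        # action "add"/"remove" picks the ?action= URL; ASSUMPTION: illustrative body shape
        payload = {"mappings": [{"dynamicObject": {"id": object_id, "type": "DynamicObject"},
                                 "mappings": list(addresses)}]}
        return self._call("POST", f"mappings_{action}", object_id, payload)


def offline_demo() -> dict:
    calls: List[tuple] = []  # every (method, url, headers, body) the client sends

    def fake_fmc(method, url, headers, body):  # constructed stand-in, not a real FMC
        calls.append((method, url, headers, body))
        if url.endswith("/auth/generatetoken"):
            return Response(204, {"X-auth-access-token": "tok123", "DOMAIN_UUID": "d-1"})
        if headers.get("X-auth-access-token") != "tok123":
            return Response(401, {})
        if url.endswith("/object/dynamicobjects"):
            return Response(200, {}, b'{"items": [{"id": "obj-1", "name": "web-tier"}]}')
        return Response(201, {}, b"{}")

    client = FmcClient("192.0.2.10", "apiuser", "s3cret", fake_fmc)  # constructed values
    client.authenticate()
    objects = client.list_dynamic_objects()
    client.set_mappings(objects[0]["id"], ["10.0.0.5", "10.0.0.6"])
    client.set_mappings(objects[0]["id"], ["10.0.0.6"], action="remove")
    return {"domain_id": client.domain_id, "objects": objects, "calls": calls}
```

With `urllib_transport(ca_bundle="/path/to/fmc-ca.pem", proxy="http://proxy.example:3128")` in place of `fake_fmc`, the same client talks to a real FMC: a server certificate that does not chain to the bundle (or whose name does not match fmc-ip) fails the TLS handshake before any credential is sent, and the `proxy` argument is the only place the egress path changes, which is what lets the connector run without direct internet access.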

Table 2. Dynamic Attributes Connector vCenter access requirements

URL                                                  Reason
https://vcenter-ip/rest/com/vmware/cis/session       Authentication
https://vcenter-ip/rest/vcenter/vm                   Get VM information
https://nsx-ip/api/v1/fabric/virtual-machines/vm-id  Get NSX-T tag associated with the virtual machine

Dynamic Attributes Connector AWS access requirements

The dynamic attributes connector calls built-in SDK methods to get instance information. These methods internally query service endpoint URLs based on the region specified in the dynamic attributes connector. The endpoints are documented on the AWS website at https://docs.aws.amazon.com/general/latest/gr/ec2-service.html.

Dynamic Attributes Connector Azure access requirements

The dynamic attributes connector calls built-in SDK methods to get instance information. These methods internally call https://login.microsoft.com (for authentication) and https://management.azure.com (to get instance information).