Security, Internet Access, and Communication Ports
Security and Hardening
Communication Ports
Internet Resources Accessed

Security, Internet Access, and Communication Ports

The following topics provide information on system security, internet access, and communication ports:

Security and Hardening

To safeguard the Firewall Management Center, you should install it on a protected internal network. Although the Firewall Management Center is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it (or any managed devices) from outside the firewall.

If the Firewall Management Center and its managed devices reside on the same network, you can connect the management interfaces on the devices to the same protected internal network as the Firewall Management Center. This allows you to securely control the devices from the Firewall Management Center. You can also configure multiple management interfaces to allow the Firewall Management Center to manage and isolate traffic from devices on other networks.

Regardless of how you deploy your appliances, inter-appliance communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Communication Ports

For deployments behind a network barrier—like an edge firewall—make sure you allow traffic on the required ports. Note that ports not required for essential or default operations remain closed until needed by a configuration or feature.

Ports for Firewall Management Center

The management center uses these ports to communicate.

Table 1. Inbound Ports for Firewall Management Center
Inbound Port	Protocol/Feature	Details
22/tcp	SSH	Secure remote connections to the appliance.
161/udp	SNMP	Allow access to MIBs via SNMP polling.
443/tcp	HTTPS	Required. Access the management center web interface.
443/tcp	HTTPS	Onboard an on-prem Firewall Management Center to CDO with Secure Device Connector (on-prem).
443/tcp	HTTPS	Communicate with integrated and third-party products using the REST API.
443/tcp	HTTPS	Integrate with Secure Endpoint.
623/udp	SOL/LOM	Lights-Out Management (LOM) using a Serial Over LAN (SOL) connection.
1500/tcp 2000/tcp	Database access	Allow read-only access to the event database by a third-party client.
8302/tcp	eStreamer	Communicate with an eStreamer client.
8305/tcp	Appliance communications	Required. Securely communicate with managed devices. Also initiates connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8307/tcp	Host input client	Communicate with a host input client.
8989/tcp	Cisco Support Diagnostics	Accepts authorized requests and transmits usage information and statistics. Also initiates connections on this port.

Table 2. Outbound Ports for Firewall Management Center
Outbound Port	Protocol/Feature	Details
7/udp 514/udp 6514/tcp	Syslog (audit logging)	Verify connectivity with the syslog server when configuring audit logging (7/udp). Send audit logs to a remote syslog server, when TLS is not configured (514/udp). Send audit logs to a remote syslog server, when TLS is configured (6514/tcp).
25/tcp	SMTP	Send email notices and alerts.
53/tcp 53/udp	DNS	Required. DNS
67/udp 68/udp	DHCP	DHCP
80/tcp	HTTP	Send and receive data from the internet. See Internet Resources Accessed.
80/tcp	HTTP	Download custom Security Intelligence feeds over HTTP.
80/tcp	HTTP	Download or query URL category and reputation data. This feature also uses 443/tcp.
80/tcp	HTTP	Display RSS feeds in the dashboard.
123/udp	NTP	Synchronize time.
162/udp	SNMP	Send SNMP alerts to a remote trap server.
389/tcp 636/tcp	LDAP	Communicate with an LDAP server for external authentication. Obtain metadata for detected LDAP users. Configurable.
443/tcp	HTTPS	Send and receive data from the internet. See Internet Resources Accessed.
443/tcp	HTTPS	Communicate with the Secure Malware Analytics Cloud (public or private).
443/tcp	HTTPS	Integrate with Secure Endpoint. Also accepts connections on this port.
443/tcp	HTTPS	Onboard an on-prem Firewall Management Center to CDO with Cisco Security Cloud or Secure Device Connector (cloud).
1812/udp 1813/udp	RADIUS	Communicate with a RADIUS server for external authentication and accounting. Configurable.
5222/tcp	ISE	Communicate with an ISE identity source.
8305/tcp	Appliance communications	Required. Securely communicate with managed devices. Also accepts connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8989/tcp	Cisco Support Diagnostics	Accepts authorized requests and transmits usage information and statistics. Also accepts connections on this port.
8989/tcp	Cisco Success Network	Transmit usage information and statistics.

Ports for Managed Devices

Managed devices use these ports to communicate.

Table 3. Inbound Ports for Managed Devices
Inbound Port	Protocol/Feature	Details
22/tcp	SSH	Secure remote connections to the appliance.
161/udp	SNMP	Allow access to MIBs via SNMP polling.
443/tcp	HTTPS	Communicate with integrated and third-party products using the REST API.
443/tcp	Remote access VPN (SSL/IPSec)	Allow secure VPN connections to your network from remote users.
500/udp 4500/udp	Remote access VPN (IKEv2)	Allow secure VPN connections to your network from remote users.
885/tcp	Captive portal	Communicate with a captive portal identity source.
8305/tcp	Appliance communications	Required. Securely communicate with the Firewall Management Center. Also initiates connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8989/tcp	Cisco Support Diagnostics	Accepts authorized requests. Also initiates connections on this port.

Table 4. Outbound Ports for Managed Devices
Outbound Port	Protocol/Feature	Details
53/tcp 53/udp	DNS	DNS
67/udp 68/udp	DHCP	DHCP
123/udp	NTP	Synchronize time.
162/udp	SNMP	Send SNMP alerts to a remote trap server.
1812/udp 1813/udp	RADIUS	Communicate with a RADIUS server for external authentication and accounting. Configurable.
389/tcp 636/tcp	LDAP	Communicate with an LDAP server for external authentication. Configurable.
443/tcp	HTTPS	Send and receive data from the internet; see Internet Resources Accessed.
514/udp	Syslog (audit logging)	Send audit logs to a remote syslog server, when TLS is not configured.
8305/tcp	Appliance communications	Required. Securely communicate with the Firewall Management Center. Also accepts connections on this port. Configurable. If you change this port, you must change it for all appliances in the deployment. We recommend you keep the default.
8514/udp	Secure Network Analytics Manager	Send syslog messages to Secure Network Analytics using Security Analytics and Logging (On Premises).
8989/tcp	Cisco Support Diagnostics	Transmits usage information and statistics. Also accepts connections on this port.

Internet Resources Accessed

In addition to the system accessing the internet, your browser may contact Amplitude (amplitude.com) web analytics servers to provide non-personally-identifiable usage data to Cisco.

Internet Resources Accessed by Firewall Management Center

The Firewall Management Center connects to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). You can configure a proxy server, except for NTP and whois. For some features, your location determines which resources you access. Some features also require device access.

Table 5. Intelligence
Feature	Reason	High Availability	Resource
Intrusion rules	Download intrusion rules (SRU/LSP).	Active peer downloads, syncs to standby.	est.sco.cisco.com updates-talos.sco.cisco.com updates-dyn-talos.sco.cisco.com updates.ironport.com Cisco regional cloud: About Cisco Regional Cloud
Security intelligence	Download security intelligence feeds.	Active peer downloads, syncs to standby.	intelligence.sourcefire.com
URL filtering	Download URL category and reputation data. Manually query (look up) URL category and reputation data. Query for uncategorized URLs.	Active peer downloads, syncs to standby.	URLs: est.sco.cisco.com *.talos.cisco.com updates-talos.sco.cisco.com updates-dyn-talos.sco.cisco.com updates.ironport.com Cisco regional cloud: About Cisco Regional Cloud IPv4 blocks: 146.112.62.0/24 146.112.63.0/24 146.112.255.0/24 146.112.59.0/24 IPv6 blocks: 2a04:e4c7:ffff::/48 2a04:e4c7:fffe::/48
Malware Defense	Secure Malware Analytics Cloud lookups.	Both peers perform lookups.	Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations
	Download signature updates for file preclassification and local malware analysis.	Active peer downloads, syncs to standby.	updates.vrt.sourcefire.com amp.updates.vrt.sourcefire.com
	Query for dynamic analysis results.	Both peers query for dynamic analysis reports.	fmc.api.threatgrid.com fmc.api.threatgrid.eu
Secure Endpoint	Receive malware events detected by Secure Endpoint from the cloud. Display malware events detected by the system in Secure Endpoint. Use centralized file Block and Allow lists created in Secure Endpoint to override dispositions from the cloud.	Both peers receive events. You must also configure the cloud connection on both peers (configuration is not synced).	Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations
Event enrichment	Download Talos taxonomy. Query Talos for event enrichment.	Both peers communicate.	URLs: est.sco.cisco.com *.talos.cisco.com Cisco regional cloud: About Cisco Regional Cloud IPv4 blocks: 146.112.62.0/24 146.112.63.0/24 146.112.255.0/24 146.112.59.0/24 IPv6 blocks: 2a04:e4c7:ffff::/48 2a04:e4c7:fffe::/48
Vulnerability database	Download VDB updates.	Active peer downloads, syncs to standby.	support.sourcefire.com
Geolocation database	Download GeoDB updates.	Active peer downloads, syncs to standby.	support.sourcefire.com

Table 6. Integration
Feature	Reason	High Availability	Resource
Cisco Secure Dynamic Attributes Connector	Get packages from the Amazon Elastic Container Registry (Amazon ECR).	Each peer downloads its own packages.	public.ecr.aws csdac-cosign.s3.us-west-1. amazonaws.com
Cisco XDR	Send events to Cisco Security Cloud.	All units send events.	Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide

Table 7. Support
Feature	Reason	High Availability	Resource
CA certificate bundles	Queries for new CA certificates at a daily system-defined time. The local CA bundle contains certificates to access several Cisco services.	Each peer downloads its own certificates.	cisco.com/security/pki
Licensing	Communicate with the Cisco Smart Software Manager.	Active peer communicates.	www.cisco.com smartreceiver.cisco.com
Upgrades	Download product (management center and device/chassis) upgrades.	Downloading the Firewall Management Center upgrade package on one peer attempts the download on both. If only one peer has internet access, you can sync the package during the upgrade process. Device upgrade packages stored on the Firewall Management Center do not sync, but they don't need to.	cdo-ftd-images.s3-us-west-2.amazonaws.com
Cisco Success Network	Transmit usage information and statistics.	Active peer communicates.	api-sse.cisco.com:8989 dex.sse.itd.cisco.com dex.eu.sse.itd.cisco.com
Cisco Support Diagnostics	Accepts authorized requests and transmits usage information and statistics.	Active peer communicates.	api-sse.cisco.com:8989
RSS feeds	Display the Cisco Threat Research Blog on the dashboard.	Both peers communicate.	blog.talosintelligence.com

Table 8. Administration
Feature	Reason	High Availability	Resource
Time synchronization (NTP)	Synchronize time in your deployment. Not supported with a proxy server.	Both peers communicate with the NTP server.	User configured
Whois	Request whois information for an external host. Not supported with a proxy server.	Any appliance requesting whois information must have internet access.	The whois client tries to guess the right server to query. If it cannot guess, it uses: NIC handles: whois.networksolutions.com IPv4 addresses and network names: whois.arin.net

Internet Resources Accessed by Managed Devices

Managed devices connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). You can configure a proxy server, except for NTP. For some features, your location determines which resources you access.

Table 9. Internet Resources Accessed by Managed Devices
Feature	Reason	High Availability/Clustering	Resource
CA certificate bundles	Queries for new CA certificates at a daily system-defined time. The local CA bundle contains certificates to access several Cisco services.	Each unit downloads its own certificates.	cisco.com/security/pki
Malware Defense	Submit files for dynamic analysis.	All units submit files.	fmc.api.threatgrid.com fmc.api.threatgrid.eu
Cisco Support Diagnostics	Accepts authorized requests and transmits usage information and statistics.	All units communicate.	api-sse.cisco.com:8989
Time synchronization	Synchronize time in your deployment. Not supported with a proxy server.	All units communicate with the NTP server.	User configured.
Upgrades	Download upgrades directly to managed devices. Tests the connection once a week. Requires a Version 7.6.1+ Firewall Management Center. Devices can be older.	Upgrade packages do not sync. Each unit must get its own from the internet, the active Firewall Management Center, or an internal server.	cdo-ftd-images.s3-us-west-2.amazonaws.com

Cisco Secure Firewall Management Center Administration Guide, 7.6

Bias-Free Language

Book Title

Cisco Secure Firewall Management Center Administration Guide, 7.6

Chapter Title