Internet Resources Accessed by Managed Devices
Managed devices access the following outside resources. For deployments behind a network barrier—like an edge firewall—make sure you allow traffic on the required ports to the listed resources. In addition to managed devices accessing the internet, your browser may contact Amplitude (amplitude.com) web analytics servers to provide non-personally-identifiable usage data to Cisco.
Feature |
Reason |
HA/Clustering |
Port |
Resource |
---|---|---|---|---|
Required for initial setup |
||||
DNS |
DNS |
All units communicate with the DNS server. |
53/tcp 53/udp |
The following are the default OpenDNS servers: 208.67.222.222 and 208.67.220.220 2620:119:35::35 |
NTP |
Synchronize time. Not supported with a proxy server. |
All units communicate with the NTP server. |
123/udp |
The following are the default NTP servers: 0.sourcefire.pool.ntp.org 1.sourcefire.pool.ntp.org 2.sourcefire.pool.ntp.org 3.sourcefire.pool.ntp.org |
Required for general operations |
||||
CA certificate bundles |
The local CA bundle contains certificates to access several Cisco services. Queries for new CA certificates at a daily system-defined time. |
Each unit downloads its own certificates. |
443/tcp |
cisco.com/security/pki |
Cisco Support Diagnostics |
Accepts authorized requests and transmits usage information and statistics. |
All units communicate. |
443/tcp |
api-sse.cisco.com:8989 |
Required for specific configurations or features |
||||
Malware Defense |
Submit files for dynamic analysis. |
All units submit files. |
443/tcp |
fmc.api.threatgrid.com fmc.api.threatgrid.eu |
Upgrades |
Download upgrades directly to managed devices. Tests the connection once a week. |
Upgrade packages do not sync. Each unit must get its own. |
443/tcp |
cdo-ftd-images.s3-us-west-2.amazonaws.com |
Umbrella DNS |
Direct DNS queries to Cisco Umbrella for validation and policy enforcement. |
All units communicate. |
443/tcp |
api.opendns.com |
To onboard and manage devices using zero-touch provisioning, ensure that you allow inbound access on port 443 (or whichever port you have configured for your device management) to the following IP addresses that are associated to Security Cloud Control:
Security Cloud Control Region |
IP |
---|---|
Asia-Pacific-Japan (APJ) |
54.199.195.111 52.199.243.0 |
Australia (AUS) |
13.55.73.159 13.238.226.118 |
Europe, the Middle East, or Africa (EMEA) |
35.157.12.126 35.157.12.15 |
India (IN) |
35.154.115.175 13.201.213.99 |
United States (US) |
52.34.234.2 52.36.70.147 |