Software: Secure Firewall Threat Defense
Platform: Secure Firewall Threat Defense Virtual
Activity: Onboard

Internet Resources Accessed

In addition to the system accessing the internet, your browser may contact Google (google.com) or Amplitude (amplitude.com) web analytics servers to provide non-personally-identifiable usage data to Cisco.

Internet Resources Accessed by Firewall Management Center

The management center connects to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). You can configure a proxy server, except for NTP and whois. For some features, your location determines which resources you access. Some features also require device access; see the next table.

Table 1. Internet Resources Accessed by Firewall Management Center

| Feature | Reason | High Availability | Resource |
|---|---|---|---|
| CA certificate bundles | Queries for new CA certificates at a daily system-defined time. The local CA bundle contains certificates to access several Cisco services. | Each peer downloads its own certificates. | cisco.com/security/pki |
| Malware Defense | Secure Malware Analytics Cloud lookups. | Both peers perform lookups. | Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations |
| Malware Defense | Download signature updates for file preclassification and local malware analysis. | Active peer downloads, syncs to standby. | updates.vrt.sourcefire.com; amp.updates.vrt.sourcefire.com |
| Malware Defense | Query for dynamic analysis results. | Both peers query for dynamic analysis reports. | fmc.api.threatgrid.com; fmc.api.threatgrid.eu |
| Security intelligence | Download security intelligence feeds. | Active peer downloads, syncs to standby. | intelligence.sourcefire.com |
| URL filtering | Download URL category and reputation data. Manually query (look up) URL category and reputation data. Query for uncategorized URLs. | Active peer downloads, syncs to standby. | URLs: regsvc.sco.cisco.com, est.sco.cisco.com, updates-talos.sco.cisco.com, updates-dyn-talos.sco.cisco.com, updates.ironport.com; IPv4 blocks: 146.112.62.0/24, 146.112.63.0/24, 146.112.255.0/24, 146.112.59.0/24; IPv6 blocks: 2a04:e4c7:ffff::/48, 2a04:e4c7:fffe::/48 |
| Cisco Secure Dynamic Attributes Connector | Get packages from the Amazon Elastic Container Registry (Amazon ECR). | Each peer downloads its own packages. | public.ecr.aws; csdac-cosign.s3.us-west-1.amazonaws.com |
| Secure Endpoint | Receive malware events detected by Secure Endpoint from the cloud. Display malware events detected by the system in Secure Endpoint. Use centralized file Block and Allow lists created in Secure Endpoint to override dispositions from the cloud. | Both peers receive events. You must also configure the cloud connection on both peers (configuration is not synced). | Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations |
| Cisco Smart Software Manager | Communicate with the Smart Software Manager. | Active peer communicates. | www.cisco.com; smartreceiver.cisco.com |
| Cisco Success Network | Transmit usage information and statistics. | Active peer communicates. | api-sse.cisco.com:8989; dex.sse.itd.cisco.com; dex.eu.sse.itd.cisco.com |
| Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. | Active peer communicates. | api-sse.cisco.com:8989 |
| Cisco XDR integration | Configure devices to send events to the Cisco Security Cloud. | Active peer communicates. | Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide |
| Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | Both peers communicate with the NTP server. | User configured |
| RSS feeds | Display the Cisco Threat Research Blog on the dashboard. | Both peers communicate. | blog.talosintelligence.com |
| Upgrades | Download product (management center and device) upgrades. | Upgrade packages do not sync. | 7.4.0 only: support.sourcefire.com; 7.4.x: cdo-ftd-images.s3-us-west-2.amazonaws.com |
| Intrusion rules | Download intrusion rules (SRU/LSP). | Active peer downloads, syncs to standby. | talosintelligence.com |
| Vulnerability database | Download VDB updates. | Active peer downloads, syncs to standby. | support.sourcefire.com |
| Geolocation database | Download GeoDB updates. | Active peer downloads, syncs to standby. | support.sourcefire.com |
| Whois | Request whois information for an external host. Not supported with a proxy server. | Any appliance requesting whois information must have internet access. | The whois client tries to guess the right server to query. If it cannot guess, it uses: NIC handles: whois.networksolutions.com; IPv4 addresses and network names: whois.arin.net |
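
One way to use Table 1 when auditing egress from the management center, as an added example that is not Cisco's code: it classifies constructed outbound records against the table's hostnames and URL filtering address blocks and returns the ones no row accounts for. Exact hostname matching and treating 8989 as the only port for api-sse.cisco.com are assumptions of this example.

```python
import ipaddress

# Table 1 hostnames by feature; rows that defer to another guide, NTP and whois are omitted.
HOSTS = {
    "CA certificate bundles": ["cisco.com"],
    "Malware Defense": ["updates.vrt.sourcefire.com", "amp.updates.vrt.sourcefire.com",
                        "fmc.api.threatgrid.com", "fmc.api.threatgrid.eu"],
    "Security intelligence": ["intelligence.sourcefire.com"],
    "URL filtering": ["regsvc.sco.cisco.com", "est.sco.cisco.com", "updates.ironport.com",
                      "updates-talos.sco.cisco.com", "updates-dyn-talos.sco.cisco.com"],
    "Dynamic Attributes Connector": ["public.ecr.aws", "csdac-cosign.s3.us-west-1.amazonaws.com"],
    "Smart Software Manager": ["www.cisco.com", "smartreceiver.cisco.com"],
    "Cisco Success Network": ["api-sse.cisco.com", "dex.sse.itd.cisco.com",
                              "dex.eu.sse.itd.cisco.com"],
    "Cisco Support Diagnostics": ["api-sse.cisco.com"],
    "RSS feeds": ["blog.talosintelligence.com"],
    "Upgrades": ["support.sourcefire.com", "cdo-ftd-images.s3-us-west-2.amazonaws.com"],
    "Intrusion rules": ["talosintelligence.com"],
    "Vulnerability database": ["support.sourcefire.com"],
    "Geolocation database": ["support.sourcefire.com"],
}
NETS = [ipaddress.ip_network(n) for n in (  # URL filtering address blocks from Table 1
    "146.112.62.0/24", "146.112.63.0/24", "146.112.255.0/24", "146.112.59.0/24",
    "2a04:e4c7:ffff::/48", "2a04:e4c7:fffe::/48")]
BY_HOST = {}
for feature, hosts in HOSTS.items():
    for h in hosts:
        BY_HOST.setdefault(h, []).append(feature)

def classify(dest, port):
    """Return the Table 1 features that explain a connection, or [] if none do."""
    dest = dest.strip().rstrip(".").lower()  # normalise case and trailing dot
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:  # not an IP literal: exact hostname match, never a suffix match
        # Assumption: api-sse.cisco.com is reached only on the port the table lists.
        ports = {8989} if dest == "api-sse.cisco.com" else {80, 443}
        return BY_HOST.get(dest, []) if port in ports else []
    return ["URL filtering"] if port in (80, 443) and any(ip in n for n in NETS) else []

def unexpected(records):
    """Records no table row accounts for: candidates for review or an egress deny."""
    return [r for r in records if not classify(*r)]

SAMPLE = [  # constructed egress records (destination, port), not real traffic
    ("updates-talos.sco.cisco.com", 443), ("146.112.62.17", 443),
    ("api-sse.cisco.com", 8989), ("Support.Sourcefire.com.", 443),
    ("2a04:e4c7:fffe::10", 443), ("updates.ironport.com.example.net", 443),
    ("146.112.60.5", 443), ("intelligence.sourcefire.com", 8080)]
```

Running `unexpected(SAMPLE)` flags the look-alike hostname, the address outside the listed /24 blocks, and the listed host on an unlisted port.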

Internet Resources Accessed by Managed Devices

Managed devices connect to the internet on ports 443/tcp (HTTPS) and 80/tcp (HTTP). You can configure a proxy server, except for NTP. For some features, your location determines which resources you access.

Table 2. Internet Resources Accessed by Managed Devices

| Feature | Reason | High Availability/Clustering | Resource |
|---|---|---|---|
| CA certificate bundles | Queries for new CA certificates at a daily system-defined time. The local CA bundle contains certificates to access several Cisco services. | Each unit downloads its own certificates. | cisco.com/security/pki |
| Malware Defense | Submit files for dynamic analysis. | All units submit files. | fmc.api.threatgrid.com; fmc.api.threatgrid.eu |
| Cisco Support Diagnostics | Accepts authorized requests and transmits usage information and statistics. | All units communicate. | api-sse.cisco.com:8989 |
| Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | All units communicate with the NTP server. | User configured. |
| Cisco XDR integration | Send events to the Cisco Security Cloud. | All units send events. | Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide |