Security and Internet Access

Lists of URLs used by the dynamic attributes connector when communicating with cloud service providers and the management center.

Security Requirements

To safeguard the Cisco Secure Dynamic Attributes Connector, you should install it on a protected internal network. Although the dynamic attributes connector is configured to have only the necessary services and ports available, you must make sure that attacks cannot reach it.

If the dynamic attributes connector and the management center reside on the same network, you can connect the management center to the same protected internal network as the dynamic attributes connector.

Regardless of how you deploy your appliances, inter-system communication is encrypted. However, you must still take steps to ensure that communications between appliances cannot be interrupted, blocked, or tampered with; for example, with a distributed denial of service (DDoS) or man-in-the-middle attack.

Internet Access Requirements

By default, the dynamic attributes connector is configured to communicate with the Firepower System over the internet using HTTPS on port 443/tcp. If you do not want the dynamic attributes connector to have direct access to the internet, you can configure a proxy server.

The following tables list the URLs the dynamic attributes connector uses to communicate with the management center and with external servers.

Table 1. Dynamic Attributes Connector management center access requirements

URL | Reason
https://fmc-ip/api/fmc_platform/v1/auth/generatetoken | Authentication
https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects | GET and POST dynamic objects
https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects/object-id/mappings?action=add | Add mappings
https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects/object-id/mappings?action=remove | Remove mappings

Table 2. Dynamic Attributes Connector vCenter access requirements

URL | Reason
https://vcenter-ip/rest/com/vmware/cis/session | Authentication
https://vcenter-ip/rest/vcenter/vm | Get VM information
https://nsx-ip/api/v1/fabric/virtual-machines/vm-id | Get NSX-T tag associated with the virtual machine
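The two tables above amount to an egress allowlist for the connector. As an added example (not Cisco's code), the following script turns those URL patterns into a check a proxy or firewall operator can run against the connector's outbound requests: HTTPS on 443 only, a documented host, a documented path shape, and exactly the documented query string. The hostnames fmc.example.internal, vcenter.example.internal and nsx.example.internal and the sample IDs are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# URL patterns copied from Tables 1 and 2; fmc-ip, vcenter-ip, nsx-ip,
# domain-id, object-id and vm-id are placeholders each deployment fills in.
DOCUMENTED_URLS = [
    "https://fmc-ip/api/fmc_platform/v1/auth/generatetoken",
    "https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects",
    "https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects/object-id/mappings?action=add",
    "https://fmc-ip/api/fmc_config/v1/domain/domain-id/object/dynamicobjects/object-id/mappings?action=remove",
    "https://vcenter-ip/rest/com/vmware/cis/session",
    "https://vcenter-ip/rest/vcenter/vm",
    "https://nsx-ip/api/v1/fabric/virtual-machines/vm-id",
]
ID_PLACEHOLDERS = {"domain-id", "object-id", "vm-id"}
ID_PATTERN = r"[A-Za-z0-9-]+"  # UUID-style identifier; rejects '.', '/', '%'


def compile_allowlist(hosts):
    """hosts maps a host placeholder (e.g. 'fmc-ip') to the real FQDN or IP.
    Returns (hostname, path_regex, expected_query) rules."""
    rules = []
    for url in DOCUMENTED_URLS:
        parts = urlsplit(url)
        segments = [ID_PATTERN if s in ID_PLACEHOLDERS else re.escape(s)
                    for s in parts.path.strip("/").split("/")]
        path_re = re.compile("^/" + "/".join(segments) + "/?$")
        rules.append((hosts[parts.hostname], path_re, dict(parse_qsl(parts.query))))
    return rules


def is_allowed(url, rules):
    """Egress decision for one outbound request. The query must match exactly,
    so '?action=delete' or an extra parameter is rejected, not just unknown paths."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.port not in (None, 443):
        return False  # plaintext or a non-standard port is never documented
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return any(parts.hostname == host and path_re.match(parts.path) and query == expected
               for host, path_re, expected in rules)


# Constructed deployment values; substitute the real management center,
# vCenter and NSX-T addresses.
RULES = compile_allowlist({"fmc-ip": "fmc.example.internal",
                           "vcenter-ip": "vcenter.example.internal",
                           "nsx-ip": "nsx.example.internal"})
```

Feeding the proxy's access log through is_allowed gives a quick audit of whether the connector is talking only to the documented endpoints.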

Migration from DockerHub to Amazon ECR

Docker images for the Cisco Secure Dynamic Attributes Connector are being migrated from Docker Hub to Amazon Elastic Container Registry (Amazon ECR).

To use the new field packages, you must allow access through your firewall or proxy to all of the following URLs:

Dynamic Attributes Connector Azure access requirements

The dynamic attributes connector calls built-in SDK methods to get instance information. These methods internally call https://login.microsoft.com (for authentication) and https://management.azure.com (to get instance information).