Firewall IP ranges address for C160 AS-AV... updates

secstd · ‎05-09-2010

Hello,

On our Cisco FW, we have opened tcp 80/443 flow for the sites shown below. We found IP adresses doing DNS Lookup. Unfortunately it seems IPs ares different dependeing the time / date we perform DNS lookup. Result, we didn't open enough, Updates are KO.

What are the IP ranges we should open on our FW?

Any other solution?

Many thanks in advance for the help

Sites List

-------------

80 HTTP Out downloads.ironport.com Service updates, except for AsyncOS upgrades and McAfee definitions.

80 HTTP Out updates.ironport.com AsyncOS upgrades and McAfee Anti-Virus definitions.

443 TCP Out res.cisco.com Cisco Registered Envelope Service

443 TCP Out updates-static.ironport.com Verify the latest files for the update server.

443 TCP Out phonehome.senderbase.org Receive/Send Virus Outbreak

MAC

Ferenc Hevesi · ‎05-14-2010

KB articles #422, #994, #1020 on Ironport's support site list the required IP addresses/URLs and configuration options.

As per #422 "...downloads.ironport.com will be served via Akamai's servers. Due to the dynamic nature of this service, this means that the actual IP addresses will be changing constantly. The full URL remains: http://downloads.ironport.com/asyncos/upgrade"

If your FW policy does not allow dynamic connections, use the static IPs/hostnames in the articles. I'd add downloads-static.ironport.com/204.15.82.8 and update-manifests.ironport.com/204.15.82.17. to your list.