Required IPs and Ports for Secure Malware Analytics

Available Languages

Download Options

  • PDF     (52.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (72.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 17, 2024
Document ID:214465

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document outlines the essential network configurations you need to implement on your firewall to ensure seamless operation of Secure Malware Analytics.

    Contributed by Cisco TAC Engineers.

    Secure Malware Analytics Clouds

    US (United States) Cloud

    Access URL: https://panacea.threatgrid.com

    Hostname IP Port Details
    panacea.threatgrid.com

    IPv4:

    63.97.201.67

    63.162.55.67

    IPv6:

    2602:811:9007:6::61

    2602:811:900b:6::6e

    443

    For Secure Malware Analytics Portal and Integrated Devices (ESA/WSA/FTD/ODNS/Meraki) 

    glovebox.chi.threatgrid.com

    IPv4: 200.194.241.35

    IPv6:

    2602:811:900f:6::6e

    443

    Sample Interaction window

    glovebox.rcn.threatgrid.com

    IPv4:

    63.97.201.67

    IPv6:

    2602:811:9007:6::61

    		 443 

    Sample Interaction window

    glovebox.scl.threatgrid.com

    IPv4:

    63.162.55.67

    IPv6:

    2602:811:900b:6::6e

    		 443

    Sample Interaction window

    fmc.api.threatgrid.com

    IPv4:

    63.97.201.67

    63.162.55.67

    IPv6:

    2602:811:9007:6::61

    2602:811:900b:6::6e

    		 443 FMC/FTD  File Analysis Service

    EU (Europe) Cloud

    Access URL: https://panacea.threatgrid.eu

    Hostname IP Port Details

    panacea.threatgrid.eu

    62.67.214.195

    200.194.242.35

    		 443  For Secure Malware Analytics Portal and Integrated Devices (ESA/WSA/FTD/ODNS/Meraki) 

    glovebox.muc.threatgrid.eu

    		 62.67.214.195 443  Sample Interaction window

    glovebox.fam.threatgrid.eu

    		 200.194.242.35 443  Sample Interaction window

    fmc.api.threatgrid.eu

    62.67.214.195

    200.194.242.35

    		 443  FMC/FTD  File Analysis Service

    The old IP 89.167.128.132 has been retired, please update your firewall rules with above IPs.

    CA (Canada) Cloud

    Access URL: https://panacea.threatgrid.ca

    Hostname IP Port Details

    panacea.threatgrid.ca

    200.194.240.35

    		 443  For Secure Malware Analytics Portal and Integrated Devices (ESA/WSA/FTD/ODNS/Meraki) 

    glovebox.kam.threatgrid.ca

    		 200.194.240.35 443  Sample Interaction window
    fmc.api.threatgrid.ca 200.194.240.35 443  FMC/FTD  File Analysis Service

    AU (Australia) Cloud

    Access URL: https://panacea.threatgrid.com.au

    Hostname IP Port Details

    panacea.threatgrid.com.au

    124.19.22.171

    		 443  For Secure Malware Analytics Portal and Integrated Devices (ESA/WSA/FTD/ODNS/Meraki) 

    glovebox.syd.threatgrid.com.au

    		 124.19.22.171 443  Sample Interaction window
    fmc.api.threatgrid.com.au 124.19.22.171 443  FMC/FTD  File Analysis Service

    Secure Malware Analytics Appliance

    The following are the recommended firewall rules per interface of the Secure Malware Analytics Appliance.

    Dirty Interface

    This is used by VMs to communicate with the internet so that samples can resolve DNS and communicate with command and control (C&C) servers.
    Allow:
    Direction
    Protocol
    Port
    Destination
    Hostname
    Details
    Outbound
    IP
    ANY
    ANY

    Recommended except where specified in the Deny section here.

    Used to allow connectivity for analysis.
    Outbound
    TCP
    22
    54.173.231.161 1
    63.97.201.98 
    63.162.55.98 2
    support-snapshots.threatgrid.com
    Used for automatic support diagnostic uploads
    Note: Requires software version 1.2+
    Outbound
    TCP
    22
    54.173.181.217 1
    54.173.182.46 1
    63.162.55.97 2
    63.97.201.97 2
    appliance-updates.threatgrid.com
    Appliance Updates
    Outbound
    TCP
    19791
    54.164.165.137 1
    34.199.44.202 1
    63.97.201.96 
    63.162.55.96 2
    rash.threatgrid.com
    Remote Support / Appliance Support Mode
    Outbound
    TCP
    22
    		 54.173.124.172 1

    63.97.201.99 2

    63.162.55.99 2
    appliance-licensing.threatgrid.com
    License Management

    1These IPs will be disabled in the near future.

    2These are the IPs that would replace the ones in 1. We suggest adding both IPs until the communication about the IP changes is made in the near future.

    Remote Network Exit

    This is used by the appliance to tunnel VM traffic to a remote exit formerly known as tg-tunnel. 
    Direction Protocol Port Destination
    Outbound TCP 21413

    173.198.252.53
    Outbound TCP 21413

    163.182.175.193 **
    Outbound  TCP 21417

    69.55.5.250
    Outbound TCP 21415

    69.55.5.250
    Outbound TCP 21413

    76.8.60.91

    Note: Remote Exit 4.14.36.142 has been removed and is no longer in production. Ensure to have all IPs mentioned added to your firewall exception list.

    ** Remote Exit 163.182.175.193 will be replaced by 173.198.252.53

    Deny:
    Direction
    Protocol
    Port(s)
    Destination
    Details
    Outbound
    SMTP
    		 ANY
    ANY
    To prevent malware from sending out spam.
    Inbound
    IP
    ANY
    Secure Malware Analytics Appliance Dirty Interface

    Recommended except where specified in the Allow section above.

    Used to allow communication for analysis.

    Clean Interface

    This is used by various connected services to submit samples as well as UI access for analysts.
    Allow:
    Direction
    Protocol
    Port(s)
    Destination
    Details
    Inbound
    TCP
    443 and 8443
    Secure Malware Analytics Appliance Clean Interface
    WebUI and API access
    Inbound
    TCP
    9443
    Secure Malware Analytics Appliance Clean Interface
    Used for Glovebox
    Inbound
    TCP
    22
    		 Secure Malware Analytics Appliance Clean Interface
    Admin TUI access over SSH
    Outbound
    TCP
    19791
    Host: rash.threatgrid.com
    54.164.165.137 
    34.199.44.202 1
    63.97.201.96 
    63.162.55.96 2
    Recovery Mode for Secure Malware Analytics Support.

    1These IPs will be disabled in the near future.

    2These are the IPs that would replace the ones in 1. We suggest adding both IPs until the communication about the IP changes is made in the near future.

    Admin Interface

    This is used to access to the administration console or user interface.
    Allow:
    Direction
    Protocol
    Port(s)
    Destination
    Details
    Inbound
    TCP
    443 and 8443
    Secure Malware Analytics Appliance Admin Interface
    		 Used to configure settings for hardware and licensing.
    Inbound
    TCP
    22
    		 Secure Malware Analytics Appliance Admin Interface Admin TUI access over SSH

    Revision History

    Revision Publish Date Comments
    9.0
    17-Oct-2024
    Addition of IPv6 addresses
    8.0
    12-Jul-2024
    Added the IP Requirements for the new Australia Cloud, Updated the Network Requirements for the EU Region, Added New Glovebox IP in NAM
    3.0
    23-Oct-2023
    Updated the Required IP Information
    2.0
    03-Oct-2023
    Updated the Network Requirements for Canada DC
    1.0
    06-Oct-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products