Your Splunk Enterprise deployment must be connected to the Internet. If your deployment is not connected to the Internet, disable these sources or source them in an alternate way.
To set up firewall rules for these sources, you might want to use a proxy server to collect the intelligence before forwarding it to Splunk Enterprise Security and allow the IP address for the proxy server to access Splunk Enterprise Security. The IP addresses for these sources can change.
So we use a proxy server and whitelist urls in it to download threat intel.
I would not recommend automatic updates of the DA-ESS-ContentUpdate. I do a manual check every month to see if there is an update and download it and apply it to my search heads.
If you just want to open up ports then you need to open your search head to https / port 443 to be able to communicate with the internet.