Cisco provides feeds containing IP addresses, domain names, and
URLs with poor reputation, as determined by Talos:
You can only populate the Blacklist or Whitelist either by uploading a customized text file containing a list of IP addresses or via the Connection Event log (doing a right-click on the Responder IP).
To view the configured Security Intelligence ACP, go to Policies > Access Control > click edit (pencil icon on the far right) > Security Intelligence tab.
Click Logging (scroll icon on the far right).
DNS Blacklist Logging is enabled by default. This is to monitor SI Events.
I can initially ping DNS server public IPs before configuring Any Blacklist Rule.
You can verify the ping test under Policies > Connections > Events.
I just clicked on the Initiator IP 192.168.1.100 (my Windows wired test machine) to filter Events to a single IP.
You can Blacklist a Destination IP address (Responder IP) by doing a right-click on the specific IP > Blacklist IP Now.
Confirm by clicking Blacklist Now.
You can verify the added Blacklist IP by going again to Objects > Security Intelligence > Network Lists and Feed > Global-Blacklist > edit (pencil icon).
Notice the OpenDNS public IP is listed under the Blacklist.
The other way to update the Blacklist (or Whitelist) is by uploading a customized text file containing the IP addresses.
Go under Objects > Security Intelligence > Network Lists and Feed > click Add Network Lists and Feeds.
Type a Name and select List under Type.
Browse for the customized text file containing the IP addresses > click Upload > Save.
Notice the Number of IPs changed (2 DNS server public IPs)
Go back again to the Security Intelligence ACP under Policies > Access Control > edit (pencil icon) > Security Intelligence tab.
Locate and click the customized Blacklist (MY_BLACKLIST) under Available Objects > Networks > click Add to Blacklist > Save.
You can also change the Action (bypass) for the Blacklist Object by doing right-click > choose between Block or Monitor-only.
Click Deploy > select a device > Deploy (at the bottom).
Open a new command prompt and do the ping test again. Notice the ping to DNS public IPs timed out this time.
To view SI Events go to Analysis > Connections > Security Intelligence Events.
Notice there's an IP Block (under Reason column), the Responder IP are the Blacklisted DNS server public IPs and hit the customized Security Intelligence Category (MY_BLACKLIST).
You can change the Update Frequency on each feed.
You can also manually add a Dynamic SI Feed by clicking on Add Network Lists and Feeds > under Type select Feed > type/paste the Feed URL and MD5 URL > click Save.
To configure Dynamic SI (Feed), you'll need to edit the ACP by going to Policies > Access Control > edit (pencil icon).
Under Security Intelligence tab > Available Objects > Networks > choose and select the pre-configured SI objects (hold Ctrl for multiple selection) > click Add to Blacklist.
Click Save and Deploy.
These are the ping test prior to deploying the SI ACP.
Open a new command prompt and do the ping test
again. Notice the ping timed out after the ACP was deployed.
Notice the public IP 80.82.77.33 was identified by the SI Category as Attackers and the 173.239.8.164 was identified as a Cryptomining site.
To Whitelist an IP address (previously Blacklisted), go to Security Intelligence Events > click a specific Blacklisted Responder IP > right-click > Whitelist IP Now.
Click White List Now to confirm the selected IP.
I also Whitelist OpenDNS public IP 208.67.222.222
You can verify the Whitelist IPs under Objects > Security Intelligence > Network Lists and Feed > edit Global-Whitelist.
The Whitelist immediately took effect without Saving and Deploy the ACP.
Verify under Analysis > Connections > Events (normal Events) and notice the Whitelisted public IPs are now Trusted (at the very bottom).
- the Intelligence Feed, which comprises several regularly updated collections of IP addresses.
- the DNS and URL Intelligence Feed, which comprises several regularly updated collections of domain names and URLs.
The Intelligence Feeds keep track
of open relays, known attackers, bogus IP addresses (bogon), and so on. Because
the Intelligence Feeds are regularly updated, using them ensures that the
system uses up-to-date information to filter your network traffic. Malicious IP
addresses, domain names, and URLs that represent security threats such as
malware, spam, botnets, and phishing may appear and disappear faster than you
can update and deploy new policies.
You can also customize the
feature to suit the unique needs of your organization, for example:
- third-party feeds—you can supplement the Intelligence Feeds with third-party reputation feeds, which are dynamic lists that the Firepower Management Center downloads from the internet on a regular basis
- global blacklist and custom blacklists—the system allows you to manually blacklist specific IP addresses, URLs, or domain names in many ways depending on your needs
- whitelisting to eliminate false positives—when a blacklist is too broad in scope, or incorrectly blocks traffic that you want to allow (for example, to vital resources), you can override a blacklist with a custom whitelist
- enforcing blacklisting by security zone—to improve performance, you may want to target enforcement, for example, restricting spam blacklisting to a zone that handles email traffic
- monitoring instead of blacklisting—especially useful in passive deployments and for testing feeds before you implement them; you can merely monitor and log the violating sessions instead of blocking them, generating end-of-connection events
There are
two types of Cisco Security Intelligence (SI) in FMC:
- Static Whitelist/Blacklist IP addresses
- Dynamic Feed (Cisco Security Intelligence Cloud)
You can
configure Static (List) Security Intelligence under Objects
> Security Intelligence > Network Lists and Feed. The Global-Blacklist and Global-Whitelist are blank by default.
You can only populate the Blacklist or Whitelist either by uploading a customized text file containing a list of IP addresses or via the Connection Event log (doing a right-click on the Responder IP).
To view the configured Security Intelligence ACP, go to Policies > Access Control > click edit (pencil icon on the far right) > Security Intelligence tab.
Click Logging (scroll icon on the far right).
DNS Blacklist Logging is enabled by default. This is to monitor SI Events.
I can initially ping DNS server public IPs before configuring Any Blacklist Rule.
You can verify the ping test under Policies > Connections > Events.
I just clicked on the Initiator IP 192.168.1.100 (my Windows wired test machine) to filter Events to a single IP.
You can Blacklist a Destination IP address (Responder IP) by doing a right-click on the specific IP > Blacklist IP Now.
Confirm by clicking Blacklist Now.
You can verify the added Blacklist IP by going again to Objects > Security Intelligence > Network Lists and Feed > Global-Blacklist > edit (pencil icon).
Notice the OpenDNS public IP is listed under the Blacklist.
The other way to update the Blacklist (or Whitelist) is by uploading a customized text file containing the IP addresses.
Go under Objects > Security Intelligence > Network Lists and Feed > click Add Network Lists and Feeds.
Type a Name and select List under Type.
Browse for the customized text file containing the IP addresses > click Upload > Save.
Notice the Number of IPs changed (2 DNS server public IPs)
Go back again to the Security Intelligence ACP under Policies > Access Control > edit (pencil icon) > Security Intelligence tab.
Locate and click the customized Blacklist (MY_BLACKLIST) under Available Objects > Networks > click Add to Blacklist > Save.
You can also change the Action (bypass) for the Blacklist Object by doing right-click > choose between Block or Monitor-only.
Click Deploy > select a device > Deploy (at the bottom).
Open a new command prompt and do the ping test again. Notice the ping to DNS public IPs timed out this time.
To view SI Events go to Analysis > Connections > Security Intelligence Events.
Notice there's an IP Block (under Reason column), the Responder IP are the Blacklisted DNS server public IPs and hit the customized Security Intelligence Category (MY_BLACKLIST).
There are
two Dynamic SI Feeds configured by default: Cisco-Intelligence-Feed
and Cisco-TID-Feed (started on version
6.2.2)
You can change the Update Frequency on each feed.
You can also manually add a Dynamic SI Feed by clicking on Add Network Lists and Feeds > under Type select Feed > type/paste the Feed URL and MD5 URL > click Save.
To configure Dynamic SI (Feed), you'll need to edit the ACP by going to Policies > Access Control > edit (pencil icon).
Under Security Intelligence tab > Available Objects > Networks > choose and select the pre-configured SI objects (hold Ctrl for multiple selection) > click Add to Blacklist.
Click Save and Deploy.
I just
searched for a Blacklist IP that's pingable. The Blacklisted IPs are constantly
updated so I just chose a random public IP for ping test.
These are the ping test prior to deploying the SI ACP.
I tried
to open a suspected Malware website/IP address. You can find a list of suspected Malware IPs on this link.
Notice the public IP 80.82.77.33 was identified by the SI Category as Attackers and the 173.239.8.164 was identified as a Cryptomining site.
To Whitelist an IP address (previously Blacklisted), go to Security Intelligence Events > click a specific Blacklisted Responder IP > right-click > Whitelist IP Now.
Click White List Now to confirm the selected IP.
I also Whitelist OpenDNS public IP 208.67.222.222
You can verify the Whitelist IPs under Objects > Security Intelligence > Network Lists and Feed > edit Global-Whitelist.
The Whitelist immediately took effect without Saving and Deploy the ACP.
Verify under Analysis > Connections > Events (normal Events) and notice the Whitelisted public IPs are now Trusted (at the very bottom).