topic When you have a host in Network Security

FMC Whitelisting

GRANT3779 — Fri, 21 Feb 2020 14:12:06 GMT

Within the FMC i have noticed I can whitelist hosts (by right clicking) when looking at potential threats/compromises.

If I whitelist a host, what exactly does this do backend? I'm unclear as to what this achieves ACP wise or how it has any affect at all other than cosmetically during Network Discovery.

Does it just stop alerts during network discovery?

When you have a host

Marvin Rhoads — Sun, 02 Jul 2017 04:12:40 GMT

When you have a host whitelisted (or blacklisted for that matter), connections to/from it are handled by Security intelligence (SI). SI is a step prior to Access control Policy (ACP) processing.

If a host is blacklisted, SI will drop the connections and not analyze them further.

If a host is whitelisted, SI will proceed to evaluate connections for it per any applicable settings in your ACP.

Reference: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html

Is the white/blacklisting

GRANT3779 — Sun, 02 Jul 2017 10:29:09 GMT

Is the white/blacklisting purely based on IP and nothing more specific higher up the layers?,

When adding hosts to the lists, is this list/SI information pushed to the device regardless of which ACP i deploy? Is it integrated to ACPs or do I have choice of pushing out SI?

It's mostly IP layer. You can

Marvin Rhoads — Mon, 03 Jul 2017 09:51:01 GMT

It's mostly IP layer. You can also blacklilst/whiteelist DNS FQDNs.

The SI lists are pushed to the devices independent of ACP. I'm not sure of the mechanism but I believe it (including the local lists) happens as part of updating the Cisco feeds.