topic If I recall correctly the in Network Security

how to view the Security Intelligence feeds

vaibhav.parlekar1 — Tue, 12 Mar 2019 13:19:56 GMT

Hi Team,

We are planning to deploy the security intelligence feeds into the firewall policy. But is there a way we can see the list of IP's in the list to ensure benign IP's are not being blocked.

Is there a way we can export the SI feeds into a CSV & manually assess the IP's using open source tools ?

If I recall correctly the

Marvin Rhoads — Sun, 19 Mar 2017 08:07:27 GMT

The feeds are installed in a couple of files under /var/sf/iprep_download. While you can look at them manually, they are updated throughout the day and any manual process would be quickly overwhelmed.

You might find it easier to just watch connection events for all "Blocked" actions and go from there. If you find a false positive you can whitelist it and report the error to Cisco. For what it's worth I've not had that be a problem in the couple dozen installations I've worked with.

As Marvin said your only

Oliver Kaiser — Fri, 24 Mar 2017 14:27:35 GMT

As Marvin said your only option would be checking the files at /var/sf/iprep_download. If you want to check the feeds against some other list or check occurrences I would recommend using cron to copy them using scp. Then use whatever you like to analyse the data.

Is there a Cli guide for the

vaibhav.parlekar1 — Mon, 27 Mar 2017 22:48:43 GMT

Is there a Cli guide for the FMC to use these commands. I am having a hard time working on the FMC Cli especially since it only supports a linux shell with no help available for commands. The FTD Cli guide is pretty helpful.

The FMC command line is not

Marvin Rhoads — Tue, 28 Mar 2017 02:44:41 GMT

The FMC command line is not something Cisco encourages accessing outside the few basic things they document in a couple of tech notes and troubleshooting documents.

As you noted it's a raw Linux bash shell and one can quite easily make a mistake there that has severe consequences for the overall system.

If you're not comfortable with basic Linux commands, I recommend opening a TAC case when you have any issues under the hood of the FMC. I have found the team that handles FirePOWER-related issues to be quite knowledgable and helpful.