topic Re: FMC Threat Intelligence in Network Security

FMC Threat Intelligence

Meisam Azizzadeh — Sun, 21 Aug 2022 09:35:09 GMT

Hello,

I have several problems with Cisco Threat Intelligence. I want to block for example several ASN. I found their IP prefixes but sometimes Threat Intelligence doesn't block all IP prefixes in this IP scope so I manually blocked them. Is there any limitation for Threat Intelligence? How can I block these IPs prefix? what is the best practice?
Thank you in advance.

Re: FMC Threat Intelligence

balaji.bandi — Sun, 21 Aug 2022 09:29:20 GMT

I have several problems with Cisco Threat Intelligence

If so many problems in production environment, suggest to contact partner and validate what you doing correct, we do understand some bugs on cisco product.

To get the best out of the product get the right resource to reply and the best way.

you need to provide environmental information what is version of code running, what FTD you have, how is your FMC setup done.

provide some use cases how you deployed and what logs you see or observed.

check CTI deployment guide :

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco_threat_intelligence_director__tid_.html

Re: FMC Threat Intelligence

Marvin Rhoads — Sun, 21 Aug 2022 11:52:54 GMT

Are you asking about Threat Intelligence (Threat Intelligence Director feature) or Security Intelligence?

From your question I would think it is actually the latter. How did you add the desired prefixes to be blocked?

Re: FMC Threat Intelligence

Meisam Azizzadeh — Sun, 21 Aug 2022 12:12:51 GMT

I've created a .txt file and added IPs prefix list into the file. I've tried to block IPs in the file via TID by uploading the file as a flat file. But I have still had same problems. Also I've tried to block the file by adding it into the Network Lists and Feeds and block that file's prefix by adding it into Security Intelligence in the Access control policy but I have the same problems that not all IPs in the same subnet is block.
For example, according to the attached file, I've blocked 162.142.125/24 by adding it into the txt file. some of the IPs in the same range are blocking but some of them are not.

According to cisco's "Inspection procedure," it should be blocked before being matched by IPS policies.

Re: FMC Threat Intelligence

Marvin Rhoads — Mon, 22 Aug 2022 08:07:44 GMT

One thing to consider - If there are any existing connection or flows to/from the addresses of interest those will persist until you clear connections.