topic I just tested in lab and it in Network Security

Security Intelligence URL Blacklist

keithcclark71 — Tue, 12 Mar 2019 09:19:16 GMT

I created a static list for URL blacklist and applied to my ACP. I was under assumption that the security Intelligence settings override any rules defined within the ACP. Just to see what traffic was getting through to my Allow_All rule with IPS defined I superceded it with a Block ALL rule which catched the URL that I specified to be blocked within the Security intelligence section. Very frustrating to say the least. What should be taking place here???

You are right, SI blocklist

Ajay Saini — Thu, 04 May 2017 18:58:07 GMT

You are right, SI blocklist should take preference. If there is a URL in blacklist, it should not fall back to the other policies.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html

Did you make sure that all the policies were deployed before generating the result. Also, please check if the SI blacklist was added in the same ACP rule. Because rules are matched in top-down order, if the top rule matches IPS policy and a below rule has SI blacklist option added, the top rule would be preferred.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Getting-Started.html

HTH

-AJ

I believe Security

Marvin Rhoads — Fri, 05 May 2017 05:06:08 GMT

I believe Security Intelligence customization only applies to sites and addresses that are included in the SI feed from Cisco Talos.

If you want to blacklist a general URL, you should do it in an ACP rule under the URL tab and not under SI.

I just tested in lab and it

Ajay Saini — Fri, 05 May 2017 15:44:57 GMT

I just tested in lab and it worked as expected. I created a list(created a notepad with cisco.com as URL) under SI. Then called that URL under blacklist under ACP SI option.

cisco.com was allowed earlier and as soon as I used SI blacklist option for the list created earlier, it got blocked. And I also see under 'Security Intelligence Events'.

That means that SI should be preferred when it comes to blacklist. Ofcourse for whitelist URL, it will make it go through other ACP rules.

Let me know if you need any of the screenshots from my lab.

HTH

-AJ

Thanks Ajay.

Marvin Rhoads — Fri, 05 May 2017 16:44:49 GMT

Thanks Ajay.

I thought I had seen something contrary to that at a customer (with whitelist instead) but I didn't capture the data to prove it. 🙂