We are having an issue with IP Black/White list. We've developed a containment policy which whitelists several necessary addresses (e.g. AMP addresses and DNS services), and configured the blacklist to the rest of the network's private IP address space (isolating it from other hosts). In our testing, the Blacklist is NOT enforced by the connector. We've even tested explicit addresses to verify that the connector is not taking the blocking action. DFC is enabled, the IP lists are assigned to the right policy, and the policy is associated with the appropriate group. Has anyone actually been able to block a custom address?
I did. I created an object group listing those IPs I want to block, under Security Intelligence. Then under the Access Control Policy, Security Intelligence, I added that object to the blacklist column. This particular object group is for our own internal intel.
I ran a test to ensure this works. First, I found an IP to block. I ran nslookup on msn.com and it returned a single IP: 22.214.171.124.
Next, I went into the console at console.amp.cisco.com to Outbreak Control > IP Blacklists & Whitelists. Here I created an IP List. I gave it a name and selected Blacklist as the List Type. Next, I put in the IP 126.96.36.199/32.
After this was saved, I went to Management > Policies and edited the policy that is applied to my endpoint. In the IP Blacklists & Whitelists section I clicked edit, selected my newly created Blacklist and clicked Add, then OK.
Once back at my policy I clicked Update Policy.
Then, I went to my endpoint, opened the connector, clicked settings and clicked Sync Policy. Once the policy was synced, I tried to telnet to 188.8.131.52 on port 80. It was blocked and I received a popup stating it was blocked.
NOTE: Image attached.
I removed the blacklist and updated policy in console and endpoint. Tried to telnet to 184.108.40.206 on port 80 again and now it was successful.
Hi, please tell me.
I created an IP Blacklist: 220.127.116.11
① First I tried to ping 18.104.22.168
⇒ was not blocked
② But I tried to telnet to 22.214.171.124
then I tried to ping 126.96.36.199
Why was ping blocked from the beginning?