Is anyone using Custom URL Feeds

bnidacoc
Level 1

Has anyone implemented, successfully or unsuccessfully, the custom feed feature in FMC 6.1.0 (or later)? The feed list creation is in Object Management, URL Lists and Feeds.


Our security group is constantly coming up with domain names to be blocked and we're likely in the hundreds (thousand+ likely within the next 12 months), and there is no way this will stop. Our URL objects list has exploded, and I don't quite think that this product was developed with managing a huge list of blocked domains in mind.


I want to do a custom URL feed that our security group maintains its member URL domains on and keep us out of the blocked domain membership management business.  We can add a feed configuration and they add/remove domains as needed.


The most info I've found on it is in the FMC self help, not in the 2400+ page FMC User Guide. I'll paste below what I've found.


Is anyone doing this? Results?


_________________

Security Intelligence Lists and Feeds

The Security Intelligence feature allows you to specify the traffic that can traverse your network based on the source or destination IP address, domain name, or URL. You configure Security Intelligence in access control policies, separate from access control rules. This is especially useful if you want to blacklist — deny traffic to and from — specific IP addresses or URLs, before the traffic is analyzed by access control rules. You can also add IP addresses, URLs, and domain names to a whitelist to force the system to handle their connections using access control.

If you are not sure whether you want to blacklist a particular IP address or URL, a monitor-only setting allows the system to handle a connection using access control, but also logs the connection’s match to the blacklist.

By default, access control policies use Global whitelists and blacklists for IP addresses and URLs. Similarly, DNS policies use the Global DNS whitelist and blacklist.

In a multidomain deployment, access control policies can also use:

  • Descendant whitelists and blacklists. In ancestor domains, descendant lists represent items whitelisted or blacklisted in subdomains. Descendant lists can also contain items added for lower-level domains by higher-level domain administrators. From an ancestor domain, you cannot view the contents of descendant lists.
  • Domain-specific whitelists and blacklists. In subdomains, domain-specific lists represent items whitelisted or blacklisted in or for the named domain. You can view the contents of domain-specific lists for ancestor domains, and edit the contents of the domain-specific list for your domain.

Global, Descendant, and Domain-specific lists apply to any zone, and you can disable them on a per-policy basis.

Finally, you can build custom whitelists and blacklists for IP addresses, URLs, or domain names, using:

  • network or URL objects
  • network, URL, or DNS categories
  • Security Intelligence lists and feeds

You can constrain these by security zone. In a DNS policy, you can also constrain DNs based on network or VLAN.

Comparing Feeds and Lists

A Security Intelligence feed is a dynamic collection of IP addresses, URLs, or domain names that the Firepower Management Center downloads from an HTTP or HTTPS server at the interval you configure. Because feeds are regularly updated, the system can use up-to-date information to filter your network traffic.

Note: The system does not perform peer SSL certificate verification when downloading custom feeds, nor does the system support the use of certificate bundles or self-signed certificates to verify the remote peer.

To help you build blacklists, the Firepower System provides:

  • the Intelligence Feed, which represents IP addresses determined by Talos to have a poor reputation
  • the DNS and URL Intelligence Feed, comprised of domain names and URLs with a poor reputation

When the Firepower Management Center downloads updated feed information, it automatically updates its managed devices. Although it may take a few minutes for a feed update to take effect throughout your deployment, you do not have to re-deploy access control policies after you create or modify a feed, or after a scheduled feed update.

Note: If you want strict control over when the system downloads a feed from the Internet, you can disable automatic updates for that feed. However, Cisco recommends that you allow automatic updates. Although you can manually perform on-demand updates, allowing the system to download feeds on a regular basis provides you with the most up-to-date, relevant data.

A Security Intelligence list, contrasted with a feed, is a simple static list of IP addresses, domain names, or URLs that you manually upload to the system. Use custom lists to augment and fine-tune feeds and default whitelists and blacklists. Note that editing custom lists (as well as editing network objects and removing entries from a whitelist or blacklist) requires an access control policy deploy for your changes to take effect.

Formatting and Corrupt Feed Data

Feed and list source must be a simple text file no larger than 500MB, with one IP address, address block, URL, or domain name per line. Each source must contain only IP addresses, or URLs, or domain names. List source files must use the .txt extension.

In a DNS list entry, you can specify an asterisk (*) wildcard character for a domain label. All labels match the wildcard. For example, an entry of www.example.* matches both www.example.com and www.example.co.

If you add comment lines within the source file, they must start with the pound (#) character. If you upload a source file with comments, the system removes your comments during upload. Source files you download contain all your entries without your comments.

If the system downloads a corrupt feed or a feed with no recognizable entries, the system continues using the old feed data (unless it is the first download). However, if the system can recognize even one entry in the feed, it uses the entries it can recognize.

The default health policy includes the Security Intelligence module, which alerts in a few situations involving Security Intelligence filtering, including if the system cannot update a feed, or if a feed is corrupt or contains no recognizable entries.

Managing Feeds and Lists

You create and manage Security Intelligence lists and feeds, collectively called Security Intelligence objects, using the object manager’s Security Intelligence page.

Note that you cannot delete a custom list or feed that is currently being used in a saved or deployed access control policy. In a multidomain deployment, you also cannot delete a Global list or the default domain-associated lists. You can, however, remove individual items from these lists if the lists belong to the current domain. Similarly, although you cannot delete Intelligence Feeds, editing them allows you to disable or change the update frequency.
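The "Formatting and Corrupt Feed Data" rules quoted above are easy to get wrong when a security team hand-maintains a feed file, and a mistake means FMC silently falls back to the previous feed data or uses only the entries it can recognise. The following validator is an added example written for this thread; it is not Cisco code, and the function names (`classify`, `parse_feed`, `check_list_file`) and the sample feeds are my own. It checks the documented constraints: one entry per line, `#` comment lines, a single kind of entry per source (IP/CIDR, URL, or domain), a `*` wildcard only as a whole label in a DNS entry, the 500MB limit, and the `.txt` extension for uploaded list files.

```python
"""Validator for a Firepower Security Intelligence custom feed/list source.

Added example, not Cisco code. Function names are my own. It applies the
rules quoted from the FMC docs: plain text, one entry per line, '#' comment
lines, only one kind of entry per source (IP/CIDR, URL, or domain), '*'
allowed as a whole label in a DNS entry, a 500MB maximum, and a .txt
extension for uploaded list files.
"""
import ipaddress
import re
from urllib.parse import urlsplit

MAX_SOURCE_BYTES = 500 * 1024 * 1024  # "no larger than 500MB" per the docs

# One DNS label: a '*' wildcard, or 1-63 letters/digits/hyphens that does not
# start or end with a hyphen. Two or more labels make a domain name.
_LABEL = r"(?:\*|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def _is_literal_domain(host: str) -> bool:
    """Domain with no wildcard label (wildcards are for DNS lists, not URLs)."""
    return bool(_DOMAIN_RE.match(host)) and "*" not in host


def classify(entry: str) -> str:
    """Return 'ip', 'url', 'domain' or 'invalid' for one non-comment line."""
    try:
        ipaddress.ip_network(entry, strict=False)  # host address or CIDR block
        return "ip"
    except ValueError:
        pass
    if "://" in entry:
        parts = urlsplit(entry)
        host = parts.hostname or ""
        if parts.scheme in ("http", "https") and _is_literal_domain(host):
            return "url"
        return "invalid"
    if "/" in entry:
        # scheme-less URL such as host.example/path
        host = entry.split("/", 1)[0]
        return "url" if _is_literal_domain(host) else "invalid"
    if _DOMAIN_RE.match(entry):
        return "domain"  # may carry a '*' label; only meaningful in DNS lists
    return "invalid"


def parse_feed(text: str) -> dict:
    """Parse a source body and report its entries, their kinds and problems."""
    entries, counts, problems = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment; FMC discards comments on upload
        kind = classify(line)
        if kind == "invalid":
            problems.append(f"line {lineno}: unrecognised entry {line!r}")
            continue
        counts[kind] = counts.get(kind, 0) + 1
        entries.append((kind, line))
    if len(counts) > 1:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
        problems.append(f"mixed entry kinds in one source ({detail})")
    if not entries:
        problems.append("no recognisable entries; FMC would keep the previous feed data")
    return {"entries": entries, "counts": counts, "problems": problems}


def check_list_file(name: str, size_bytes: int) -> list:
    """Checks that apply to an uploaded list file rather than to its content."""
    problems = []
    if not name.lower().endswith(".txt"):
        problems.append("list source files must use the .txt extension")
    if size_bytes > MAX_SOURCE_BYTES:
        problems.append("source exceeds the 500MB limit")
    return problems


# Constructed sample sources (placeholder names, not real indicators).
SAMPLE_DOMAIN_FEED = """\
# blocked domains maintained by the security team (constructed sample)
bad.example.com
www.example.*
phish-host.example.net
not a domain!
"""
SAMPLE_MIXED_FEED = "192.0.2.0/24\nbad.example.com\n"

if __name__ == "__main__":
    for label, body in (("domain", SAMPLE_DOMAIN_FEED), ("mixed", SAMPLE_MIXED_FEED)):
        report = parse_feed(body)
        print(label, report["counts"], *report["problems"], sep="\n  ")
```

Run it against the file before publishing it to the web server FMC polls; the "mixed" sample shows the one error the docs are explicit about (a source must contain only IP addresses, or only URLs, or only domain names). Since, per the Note above, FMC performs no peer certificate verification when fetching a custom feed, the feed is best served from an internal host over a trusted network path rather than from the public Internet.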

5 Replies

Yeah I'm having an issue with this.


I've added a custom URL list and created an access rule stating users from X AD group are allowed to hit sites within the list, but it doesn't work.


I can take one of the domains from the list, create an individual object and add it to the same rule... then it works.


The URL list downloads and shows the full list, so that to me implies the list formatting is correct but the matching isn't working for us.

Hmm. How is your list formatted? I understand the instructions to say one URL per line. Although, I had only considered adding domain names, like xyzbadsite.com (and not using www.xyzbadsite.com/index.html). Can you paste a short sample?

tahscolony
Level 1

I am currently trying to get the Microsoft Office 365 feed going so that we can whitelist them, as we get a lot of false positives in IPS through O365. The problem I have is that I got a download error. The feed is an XML file too, so is that an issue? I use the same feed on Cisco WSA and it works like a charm.

In a test box I was able to get the O365 feed from Microsoft to work, but it is my understanding they are changing the feed, and at Cisco Live while we were discussing this with the WSA team, Cisco was not sure if they would be able to update the new feed immediately, so they warned me not to move this test into production with the O365 feed at this point. I have not heard anything about an update on this since then.


I am currently looking to move my blacklist to an internal XML file that can be called on by the WSA, so when our InfoSec team wants to block a new site they can update the XML file and the WSAs will get the update without manual intervention. That plan is still in my head at this point, but I need to find time to implement this idea.

antonkolev
Level 1

Do you know what the maximum number of URL entries is that Firepower can get from a 3rd-party custom feed?
