410 Views | 0 Helpful | 1 Replies
Security Intelligence Feed Order of Events

We had a recent event take place in which the IP address of a website was being actively blocked by Talos Security Intelligence as a Malware site. We created a URL Object and added it to the whitelist, and the site continued to be blocked by IP address. Our only solution was to add the IP address to the global whitelist.


Is this expected behavior? It seems backward to us, as websites sometimes change IP address. Does the FMC always read the IP Blacklist prior to the URL whitelist?

1 Reply
Hall of Fame Master

Re: Security Intelligence Feed Order of Events

Yes - SI (IP) precedes SI (DNS and URL) in the FTD Order of Operations. That's because IP blacklist/whitelist can be done in advance of running through any SSL and Network Analysis policies as well as preprocessors - all of which consume additional resources on the sensor.

[Image: FTD OOO.PNG, the FTD order-of-operations diagram]
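To make the precedence in the reply concrete, here is a small Python model of the Security Intelligence stages in the order described above (IP SI first, then the SSL/NAP/preprocessor work, then URL SI). This is an added example, not code from the thread or from Cisco: the stage names, the feed entries, the hostname and the 203.0.113.45 address are all constructed, and the model assumes that a whitelist match exempts the connection only from that same category's blacklist, so the connection continues down the pipeline rather than being accepted outright.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class SIConfig:
    """Constructed stand-in for the SI feeds/objects in an FMC policy."""
    ip_blacklist: frozenset
    ip_whitelist: frozenset      # the global (network) whitelist
    url_blacklist: frozenset
    url_whitelist: frozenset     # URL objects added to the URL whitelist


@dataclass
class Connection:
    dst_ip: str
    url: str


def ip_si(conn, cfg):
    """Stage 1: IP-based SI, evaluated before any deep inspection."""
    if conn.dst_ip in cfg.ip_whitelist:
        return "exempt"   # skip this stage's blacklist, keep going
    if conn.dst_ip in cfg.ip_blacklist:
        return "block"
    return "pass"


def deep_inspection(conn, cfg):
    """SSL policy, network analysis policy and preprocessors: stand-in
    that only records that the resource-intensive work ran."""
    return "pass"


def url_si(conn, cfg):
    """Stage 3: URL-based SI, keyed on the hostname of the requested URL."""
    host = urlparse(conn.url).hostname or ""
    if host in cfg.url_whitelist:
        return "exempt"
    if host in cfg.url_blacklist:
        return "block"
    return "pass"


# Assumed evaluation order, following the reply: IP SI precedes URL SI.
PIPELINE = [
    ("SI-IP", ip_si),
    ("SSL/NAP/preprocessors", deep_inspection),
    ("SI-URL", url_si),
]


def evaluate(conn, cfg):
    """Walk the pipeline in order. Returns (verdict, trace); the trace lists
    only the stages that actually ran, which is what an SI event reflects."""
    trace = []
    for name, stage in PIPELINE:
        result = stage(conn, cfg)
        trace.append((name, result))
        if result == "block":
            return f"blocked:{name}", trace   # nothing after this stage runs
    return "continue:access-control", trace


# Constructed scenario: the site's hostname currently resolves to an IP that
# is present in the IP blacklist feed.
SITE = "www.example-shop.test"
SITE_IP = "203.0.113.45"           # documentation range, not a real feed entry
CONN = Connection(dst_ip=SITE_IP, url=f"https://{SITE}/")


def url_whitelist_only():
    """What the original poster tried first: a URL object on the URL whitelist."""
    cfg = SIConfig(frozenset({SITE_IP}), frozenset(),
                   frozenset(), frozenset({SITE}))
    return evaluate(CONN, cfg)


def ip_whitelist_added():
    """The fix that worked: the IP added to the global whitelist as well."""
    cfg = SIConfig(frozenset({SITE_IP}), frozenset({SITE_IP}),
                   frozenset(), frozenset({SITE}))
    return evaluate(CONN, cfg)


if __name__ == "__main__":
    for label, fn in (("URL whitelist only", url_whitelist_only),
                      ("IP added to global whitelist", ip_whitelist_added)):
        verdict, trace = fn()
        print(f"{label}: {verdict}")
        for stage, result in trace:
            print(f"    {stage}: {result}")
```

The trace is the useful part for a practitioner: with only the URL whitelist in place the connection is dropped at the SI-IP stage and the URL stage never runs, so the SI event's category (IP versus URL) tells you which whitelist actually has to carry the exception. It also shows why the order is a deliberate trade-off, since the cheap IP check can discard traffic before the SSL and network-analysis stages spend any effort on it.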