Beginner

Security Intelligence Update Frequency Custom Time

Is it possible to create an Update Frequency of 1m or 5m for a feed list?

1 ACCEPTED SOLUTION

Accepted Solutions
Rising star

At the moment this is not possible (or rather not supported). You could manually edit the config file on the filesystem for lower intervals, but the timeout for feed download is 300 seconds, so I would not advise going any lower since that might cause issues.

If you wanna go down the unsupported road, go to /etc/sf/iprep_sources.conf and edit the update_freq (1 = 5 minutes, 2 = 10 minutes, etc.). The configuration is re-read by the daemon automatically, but keep in mind that changes on the FMC UI side will overwrite the file again.

You can check /var/log/messages for security intelligence downloads via cat /var/log/messages | grep -i iprep

I think the interval settings will improve in a future release, but we will see. :)
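Added example, not part of the original reply and not Cisco tooling: a small shell helper that builds on the grep above to measure the time between successive iprep log lines and flag any gap shorter than the 300-second download timeout mentioned in the reply. It assumes classic syslog timestamps (month, day, HH:MM:SS) and one matching line per download; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in classic syslog layout. The host, process name and
# message text are invented; only the "iprep" keyword comes from the thread.
sample_log() {
cat <<'EOF'
Jun 12 23:20:05 fmc-lab example-daemon[1234]: iprep feed download (constructed)
Jun 12 23:25:05 fmc-lab example-daemon[1234]: IPRep feed download (constructed)
Jun 12 23:58:00 fmc-lab sshd[99]: unrelated line (constructed)
Jun 12 23:59:30 fmc-lab example-daemon[1234]: iprep feed download (constructed)
Jun 13 00:01:10 fmc-lab example-daemon[1234]: iprep feed download (constructed)
EOF
}

# iprep_gaps FILE [MIN_GAP_SECONDS]
# Prints "<month> <day> <time> <gap-seconds> <ok|SHORT>" for every matching
# line after the first. SHORT means the gap is below MIN_GAP_SECONDS
# (default 300, the feed download timeout quoted in the reply).
iprep_gaps() {
    file=$1
    min_gap=${2:-300}
    grep -i iprep "$file" | awk -v min="$min_gap" '
    {
        split($3, t, ":")                      # $3 is HH:MM:SS
        now = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight
        if (NR > 1) {
            gap = now - prev
            if (gap < 0) gap += 86400          # timestamp rolled past midnight
            flag = (gap < min) ? "SHORT" : "ok"
            print $1, $2, $3, gap, flag
        }
        prev = now
    }'
}

# Stand-alone use: pass a log file (and optionally a threshold), or run with
# no arguments to see the result on the constructed sample.
tmp_sample=$(mktemp)
sample_log > "$tmp_sample"
iprep_gaps "${1:-$tmp_sample}" "${2:-300}"
rm -f "$tmp_sample"
```

Syslog timestamps carry no year and the helper only compares time of day, so gaps of 24 hours or more are not measured correctly.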

10 REPLIES 10
Rising star

The minimum update frequency is 30 minutes. The default update frequency is 120 minutes.

You may change the interval at Objects > Object Management > Security Intelligence.

I have attached a screenshot showing the available update frequency intervals which are available for feeds.

Beginner

I know it, that's why I ask about 1m or 5m. 30 minutes is a bit of a lag time. For example, if there are active attacks and it is necessary to wait for 30 minutes, it is awful.

P.S. I mean a custom automatic blacklist

Re: At the moment this is not

Folks,

 

Is there any change to the default update frequency of 30 min, to less than this, with new FMC versions?

 

Thanks!

Hall of Fame Master

Re: At the moment this is not

30 minutes remains the minimum period for SI updates as of the current Firepower 6.4.0.3. I doubt that will change as it takes a certain amount of time to download and process the feeds themselves as they can be relatively large. You wouldn't want to try to get a new one while the old one was still downloading or else your system could lock up in a race condition.

Note that some things like URL lookup and AMP File reputation will be real time. It's only the Global Blacklists and Whitelists for IP reputation, URLs and DNS that depend on the SI feeds.

Beginner

Re: At the moment this is not

Is there a way to set this up exactly for 6:30 and a 30-minute frequency onwards? I have set it up for a 30-minute frequency but can see updates happening at random times. I would like to set it up for round figures (like 6:00, 6:30, 7:00 and onwards).

 

Any help?

Engager

Re: At the moment this is not

hi,

you can change the FMC SI update to a minimum of either 5 or 15 mins.

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/06/configuring-cisco-fmc-security.html

Hall of Fame Master

Re: At the moment this is not

@johnlloyd_13 It looks like you can change the "Security Intelligence Network Lists and Feeds" (and TID feed if you have Threat Intelligence Director enabled) down to 5 minutes. However the "DNS and URL Intelligence Feed" cannot go below 30 minutes.

 

I just checked this on both a 6.2.3.14 and a 6.4.0.3 FMC. Can you confirm the same on your system?

Engager

Re: At the moment this is not

hi marvin,

I used FMC 6.2.3. It should be the same as you've mentioned for the DNS and URL feeds.

Re: At the moment this is not

It seems like it's still 30 min. @john - what you are referring to above is for the default Cisco Intelligence feed and TID feed, but if you go there and add a feed manually, it will go to a minimum of 30 min - that's the minimum.

 

Unrelated...

Is there a way to confirm whether the IP has been added to the manual feed or not, via CLI or any other way?