Security Intelligence URL Blacklist

keithcclark71
Level 3

I created a static list for URL blacklisting and applied it to my ACP. I was under the assumption that the Security Intelligence settings override any rules defined within the ACP. Just to see what traffic was getting through to my Allow_All rule with IPS defined, I superseded it with a Block All rule, which caught the URL that I had specified to be blocked within the Security Intelligence section. Very frustrating to say the least. What should be taking place here?

4 Replies

Ajay Saini
Level 7

You are right, the SI blocklist should take preference. If a URL is in the blacklist, it should not fall back to the other policies.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html

Did you make sure that all the policies were deployed before generating the result? Also, please check whether the SI blacklist was added in the same ACP rule. Because rules are matched in top-down order, if the top rule matches the IPS policy and a rule below it has the SI blacklist option added, the top rule would be preferred.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Getting-Started.html

HTH

-AJ

Marvin Rhoads
Hall of Fame

I believe Security Intelligence customization only applies to sites and addresses that are included in the SI feed from Cisco Talos.

If you want to blacklist a general URL, you should do it in an ACP rule under the URL tab and not under SI.

Ajay Saini
Level 7

I just tested in the lab and it worked as expected. I created a list (a notepad file with cisco.com as the URL) under SI, then called that list under the blacklist in the ACP SI option.

cisco.com was allowed earlier, and as soon as I used the SI blacklist option for the list created earlier, it got blocked. I also see it under 'Security Intelligence Events'.

That means that SI should be preferred when it comes to the blacklist. Of course, for a whitelisted URL, it will go through the other ACP rules.

Let me know if you need any of the screenshots from my lab.

HTH

-AJ 
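The evaluation order Ajay describes, as an added model for reasoning about it (constructed here, not Firepower code and not from the thread): the SI blacklist is consulted before any access control rule, an SI whitelist match only exempts the host from the blacklist and hands it to the ACP rules, and those rules are then matched top-down with first match winning. Hostnames and rule names are assumed lab values.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    urls: frozenset = frozenset()      # hosts this rule matches; empty = any host


@dataclass
class AccessControlPolicy:
    si_blacklist: frozenset = frozenset()
    si_whitelist: frozenset = frozenset()
    rules: list = field(default_factory=list)
    default_action: str = "block"


def host_matches(host, entries):
    # A list entry matches the host itself or any subdomain (www.cisco.com -> cisco.com).
    return any(host == e or host.endswith("." + e) for e in entries)


def evaluate(policy, url):
    """Return (verdict, reason) for a URL under the modelled precedence."""
    host = urlparse(url).hostname or ""
    # 1. SI whitelist: a hit exempts the host from the SI blacklist but does not allow it.
    if not host_matches(host, policy.si_whitelist):
        # 2. SI blacklist: a hit blocks before any ACP rule is consulted.
        if host_matches(host, policy.si_blacklist):
            return ("block", "SI blacklist")
    # 3. ACP rules, top-down, first match wins.
    for rule in policy.rules:
        if not rule.urls or host_matches(host, rule.urls):
            return (rule.action, rule.name)
    return (policy.default_action, "default action")


# Constructed lab policy mirroring the thread: an Allow_All rule with cisco.com in the SI blacklist.
LAB_POLICY = AccessControlPolicy(
    si_blacklist=frozenset({"cisco.com"}),
    rules=[Rule("Allow_All", "allow")],
)

# Same blacklist plus a whitelist entry: the host is no longer dropped by SI and falls
# through to the ACP rules, where a specific block rule above Allow_All still catches it.
WHITELIST_POLICY = AccessControlPolicy(
    si_blacklist=frozenset({"cisco.com"}),
    si_whitelist=frozenset({"cisco.com"}),
    rules=[Rule("Block_Cisco", "block", frozenset({"cisco.com"})), Rule("Allow_All", "allow")],
)
```

Running `evaluate(LAB_POLICY, "http://www.cisco.com/")` blocks on the SI blacklist even though Allow_All would match, which is the behaviour Ajay saw in the lab.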

Thanks Ajay.

I thought I had seen something contrary to that at a customer (with whitelist instead) but I didn't capture the data to prove it. :)
