Check If IP is already blocked by Cisco Security Intelligence on Cisco FTD

p.costa
Level 1

Hi all,

I would like to address a question that I could not find the answer in the documentation.

 

We have a Cisco FTD and we are asked to add an IP to the global black list. We are also using Cisco Security Intelligence. How can we check if the IP is already being blocked by Cisco Security Intelligence and how it is categorized? (ex. CnC, attacker, etc.)

We could check if it's already blocked so we could avoid blocking it manually.

 

Thanks for your help!

7 Replies

manabans
Cisco Employee

Lookup feature can be used on FMC UI to identify Regional Information Registries (RIR) information (whois) for any IP address.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/using_lookups.html

Marvin Rhoads
Hall of Fame

You can either use the talosintelligence.com site for a quick check or else look at the actual SI feeds that have been downloaded to your device(s).

Both methods are described in more detail at the following blog post:

https://www.lammle.com/post/how-to-find-the-list-of-ip-url-and-dns-entries-in-the-cisco-firepower-feed/
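As an added example (not from this thread, Cisco, or the linked blog post), the following Python script implements the second approach: it checks a candidate address against Security Intelligence feed lists that have been exported from the device to local text files, one file per category with one IP or CIDR entry per line. The category names, file layout and entries below are constructed for illustration, not real feed contents.

```python
import ipaddress
from pathlib import Path
from typing import Dict, List

# Constructed sample feeds: one entry (address or CIDR block) per line.
# On a real deployment the bodies would be the downloaded SI lists;
# these categories and prefixes are made up for the example.
SAMPLE_FEEDS: Dict[str, str] = {
    "CnC": "198.51.100.23\n203.0.113.0/24\n",
    "Attackers": "192.0.2.0/25\n# comment lines are ignored\n",
    "Malware": "2001:db8::/32\n198.51.100.23\n",
}


def load_feed_dir(directory: str) -> Dict[str, str]:
    """Assumed layout: each file in the directory is one category feed."""
    return {p.stem: p.read_text() for p in Path(directory).iterdir() if p.is_file()}


def parse_feed(text: str) -> list:
    """Turn a feed body into network objects, skipping blanks, comments and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts host bits set in a prefix (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole check
    return nets


def si_categories(ip: str, feeds: Dict[str, str]) -> List[str]:
    """Sorted list of SI categories whose feed already covers `ip`."""
    addr = ipaddress.ip_address(ip)
    # Address-in-network across IPv4/IPv6 simply evaluates False, so mixed feeds are safe.
    return sorted(cat for cat, body in feeds.items()
                  if any(addr in net for net in parse_feed(body)))


def needs_manual_block(ip: str, feeds: Dict[str, str]) -> bool:
    """True only when no SI feed covers the address, i.e. a manual entry adds coverage."""
    return not si_categories(ip, feeds)


if __name__ == "__main__":
    for candidate in ("198.51.100.23", "203.0.113.77", "192.0.2.200", "2001:db8::1"):
        cats = si_categories(candidate, SAMPLE_FEEDS)
        verdict = "add to manual list" if not cats else "already blocked by SI"
        print(f"{candidate:>16}: {verdict} {cats}")
```

Point `load_feed_dir()` at the directory holding the exported lists to run the same check against real feed data.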

Hi Marvin

thanks for your reply. I will try searching on the SI feeds that have been downloaded to my device. Unfortunately I cannot find the option on the Talos portal to download the blacklist, maybe it was removed.

 

Best Regards,

Pier

They have removed the ability to download the entire Talos blacklist but you can still check on individual addresses.

For example: https://talosintelligence.com/reputation_center/lookup?search=8.8.8.8

Note in the bottom right of the page the indication of whether the address is on the "Talos Security Intelligence Block List"

Thanks, that's very helpful. So I can consider that Talos Security Intelligence Block List and Cisco Security Intelligence are pretty much the same.

Yes - that's correct

regz20
Level 1

So if I found the IP in Talos saying that it was added to their blocklist, can I skip adding this IP to my manual list?
