Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2270
Views
0
Helpful
3
Replies

Cisco Firepower Security Intellegence Blacklist Feed

croll9898
Level 1
Level 1

‎07-13-2018 05:48 AM - edited ‎02-21-2020 07:59 AM

Does anyone have any suggestions for 3rd party feeds that your FMC could subscribe to or creating my own feed that we could subscribe to?

 

For example, we got hit with a phishing scam and the URL wasn't blocked by the default feeds the FMC subscribes to.  My goal is to subscribe to a feed that may have had this URL listed or create new feed that we could add URLs to going forward that our FTD and other could subscribe.

 

Bonus question...we also use Umbrella for remote disconnected clients and ideally we'd like to update this list or subscribe to a list that can be used in both solutions so we're not doubling our efforts.

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-14-2018 11:00 PM

Have you verified the Security Intelligence setup in your applied Access Control Policy? It should include the Phishing category in the Blacklist, something like the following:

 

SI Setup.PNG

0 Helpful

croll9898
Level 1
Level 1
In response to Marvin Rhoads

‎07-16-2018 04:58 AM

Yes, we have that setup.  The only different is we don't have an a URL List and Feed object "Test_Blacklist".  I'm looking to create a URL and/or DNS List and Feed to subscribe and I was wondering if any had examples (Free or Paid).

 

My goal was to subcribe/create a feed that I could subscribe the FMC and OpenDNS to limit adding said URL to both solutions.  However, DNS, I did some digging on Friday and they both have API's.  I'm going to create a script to prompt for a URL and then add said URL to the FMC URL blacklist object and Open DNS blacklist object.

Preview file
121 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to croll9898

‎07-16-2018 07:17 AM

OK, so your basic setup is correct. 

 

Right now Firepower and Umbrella don't use all of the same data sources but over time Cisco has been working to reconcile those via the Talos threat intelligence feeds. You can consume Taxii-based feeds into FMC but not into Umbrella at this time.

 

If you manage to use the API to better inform them both you should write up your experience and consider publishing the project on Github. It would be a welcome addition to the community.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card