
Firepower Security Intelligence Questions

Dear Community,


I had a couple of questions regarding the Security Intelligence piece of the Access Control Policy:


1) Is there a way to drill down into the Network and URL Feed Objects to see what IPs and URLs are actually contained within? For example, there are Network and URL Feed objects called "Malware" that of course get dynamically updated by Cisco as the feeds get updated. Is there any way to actually open these objects to see what IPs and URLs are contained within? For some reason I am unable to find it.


2) When it comes to the URL objects in the Security Intelligence feed, how are these acted upon by the FTD? For instance, I moved all the bad URL feed objects (URL Attackers, URL Malware etc.) to the Blacklist section of the SI section. Are these objects resolved to IP addresses "underneath the covers", and then if a device tries to connect to one of those IPs the traffic gets blocked? Or is it blocking based on header inspection, and if that URL is seen it gets blocked?


Thank you.


Hi @ChristopherCraddock66504 

The SI files are downloaded to the FMC in the /var/sf/ folder, with sub-folders for /sidns_download, siurl_download etc. These files are pushed to the FTD and stored in /ngfw/var/sf. The filenames will be based on a UUID, so you'd need to open each file to determine the category (it's named at the top of the list).


AFAIK, a DNS request for a domain named in the list would be performed; the FTD would intercept and spoof the DNS server and return a non-existent domain message to the client attempting to access a site defined.


HTH
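The reply above says the feed contents live as UUID-named files under the download folders, with the category named at the top of each file. As an added example (not part of the reply or of any Cisco tooling), the POSIX shell script below walks such a tree and prints, per file, the download folder, the UUID file name, the category read from the first line, and the number of entries, and it also checks whether a given IP, URL or domain appears in any feed file. The folder layout and the /var/sf and /ngfw/var/sf paths come from the reply; the assumption that the first line is the category name, possibly written as a `#` comment, and the `sinet_download` folder name used in the constructed sample tree are mine, as are all sample entries (documentation IPs and `.test` domains).

```shell
#!/bin/sh
# Added example, not part of the original thread. Inventories Security Intelligence
# feed files laid out as the reply describes: <base>/<type>_download/<UUID>, with the
# category named at the top of each file. The exact first-line format is an
# assumption (first line, optionally prefixed with '#').

# Print one tab-separated line per feed file:
#   <download dir>  <file name>  <category from first line>  <entry count>
# Usage: si_summary /var/sf        (on the FMC)
#        si_summary /ngfw/var/sf   (on an FTD)
si_summary() {
  base="$1"
  for dir in "$base"/*_download; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*; do
      [ -f "$f" ] || continue
      # Assumption: the first line names the category, possibly as a '#' comment.
      category=$(head -n 1 "$f" | sed 's/^#[[:space:]]*//')
      # Count non-comment, non-empty lines as feed entries ('|| true' keeps a
      # zero count from aborting a 'set -e' caller, since grep -c exits 1 then).
      entries=$(grep -c -v -e '^#' -e '^[[:space:]]*$' "$f" || true)
      printf '%s\t%s\t%s\t%s\n' "$(basename "$dir")" "$(basename "$f")" "$category" "$entries"
    done
  done
}

# Report which feed files contain an exact entry (IP, URL or domain), so an admin
# can confirm whether a blocked destination really is on an SI list.
# Usage: si_find /var/sf 192.0.2.11
si_find() {
  base="$1"; needle="$2"
  grep -l -x -F -- "$needle" "$base"/*_download/* 2>/dev/null | while read -r f; do
    printf '%s/%s: %s\n' "$(basename "$(dirname "$f")")" "$(basename "$f")" \
      "$(head -n 1 "$f" | sed 's/^#[[:space:]]*//')"
  done
}

# Build a constructed sample tree in a temp dir so the script runs offline.
# Folder names, UUIDs and entries are made up for the demo; 192.0.2.0/24 and
# .test are reserved documentation ranges/TLDs.
make_sample_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/sidns_download" "$base/siurl_download" "$base/sinet_download"
  printf '#Malware\nmalware-sample.test\nbad-host.test\n' \
    > "$base/sidns_download/11111111-2222-3333-4444-555555555555"
  printf '#Attackers\nhttp://attacker-sample.test/login\n' \
    > "$base/siurl_download/66666666-7777-8888-9999-000000000000"
  printf '#Malware\n192.0.2.10\n192.0.2.11\n192.0.2.12\n' \
    > "$base/sinet_download/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  echo "$base"
}

# Demo run against the constructed tree; point the functions at /var/sf or
# /ngfw/var/sf on a real box instead.
demo_base=$(make_sample_tree)
si_summary "$demo_base"
si_find "$demo_base" 192.0.2.11
rm -rf "$demo_base"
```

On a real FMC or FTD the functions only need read access to the download folders; nothing is modified, so this is safe to run from an expert-mode shell when checking why a destination was blacklisted.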
