Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
717
Views
0
Helpful
4
Replies

FMC Threat Intelligence

Meisam Azizzadeh
Level 1
Level 1

‎08-21-2022 01:57 AM - edited ‎08-21-2022 02:35 AM

Hello,

I have several problems with Cisco Threat Intelligence. I want to block for example several ASN. I found their IP prefixes but sometimes Threat Intelligence doesn't block all IP prefixes in this IP scope so I manually blocked them. Is there any limitation for Threat Intelligence? How can I block these IPs prefix? what is the best practice?
Thank you in advance.

 

0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎08-21-2022 02:29 AM 

I have several problems with Cisco Threat Intelligence

If so many problems in production environment, suggest to contact partner and validate what you doing correct, we do understand some bugs on cisco product.

To get the best out of the product get the right resource to reply and the best way.

you need to provide environmental information what is version of code running, what FTD you have, how is your FMC setup done.

provide some use cases how you deployed and what logs you see or observed.

check CTI deployment guide :

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco_threat_intelligence_director__tid_.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-21-2022 04:52 AM

Are you asking about Threat Intelligence (Threat Intelligence Director feature) or Security Intelligence?

From your question I would think it is actually the latter. How did you add the desired prefixes to be blocked?

0 Helpful

Meisam Azizzadeh
Level 1
Level 1
In response to Marvin Rhoads

‎08-21-2022 05:12 AM

I've created a .txt file and added IPs prefix list into the file. I've tried to block IPs in the file via TID by uploading the file as a flat file. But I have still had same problems. Also I've tried to block the file by adding it into the Network Lists and Feeds and block that file's prefix by adding it into Security Intelligence in the Access control policy but I have the same problems that not all IPs in the same subnet is block.
For example, according to the attached file, I've blocked 162.142.125/24 by adding it into the txt file. some of the IPs in the same range are blocking but some of them are not.

According to cisco's "Inspection procedure," it should be blocked before being matched by IPS policies.

Preview file
29 KB
Preview file
47 KB
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Meisam Azizzadeh

‎08-22-2022 01:07 AM

One thing to consider - If there are any existing connection or flows to/from the addresses of interest those will persist until you clear connections.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card