FMC Whitelisting

GRANT3779
Spotlight

Within the FMC i have noticed I can whitelist hosts (by right clicking) when looking at potential threats/compromises. 

If I whitelist a host, what exactly does this do backend? I'm unclear as to what this achieves ACP wise or how it has any affect at all other than cosmetically during Network Discovery. 

Does it just stop alerts during network discovery? 

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

When you have a host whitelisted (or blacklisted for that matter), connections to/from it are handled by Security intelligence (SI). SI is a step prior to Access control Policy (ACP) processing.

If a host is blacklisted, SI will drop the connections and not analyze them further.

If a host is whitelisted, SI will proceed to evaluate connections for it per any applicable settings in your ACP.

Reference: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html


3 Replies

Is the white/blacklisting purely based on IP and nothing more specific higher up the layers?

When adding hosts to the lists, is this list/SI information pushed to the device regardless of which ACP I deploy? Is it integrated into ACPs, or do I have a choice of pushing out SI?

It's mostly IP layer. You can also blacklist/whitelist DNS FQDNs.

The SI lists are pushed to the devices independent of ACP. I'm not sure of the mechanism but I believe it (including the local lists) happens as part of updating the Cisco feeds.
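To make the ordering described in the accepted answer and the follow-up concrete (SI runs before the ACP, a blacklist hit drops the connection without further analysis, a whitelisted host continues into the ACP, and matching is by IP or DNS FQDN), here is an added toy model written for this thread. It is not Cisco code and does not reproduce Firepower internals; the whitelist-overrides-blacklist order, the monitor-only option for blacklist hits, the example networks (10.1.1.0/24, 203.0.113.0/24), the FQDN pattern and the single ACP rule are all constructed for illustration.

```python
"""Toy model of Firepower's Security Intelligence (SI) stage ahead of the
Access Control Policy (ACP). Illustrative only; not Cisco's implementation."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    fqdn: Optional[str] = None  # resolved name, if the DNS lookup was observed


@dataclass
class SecurityIntelligence:
    """Whitelist and blacklist objects. A whitelist match overrides a blacklist
    match, so a host on both lists is passed on to the ACP (assumed ordering)."""
    ip_whitelist: List[str] = field(default_factory=list)
    ip_blacklist: List[str] = field(default_factory=list)
    dns_whitelist: List[str] = field(default_factory=list)
    dns_blacklist: List[str] = field(default_factory=list)
    monitor_only: bool = False  # log blacklist hits but do not drop them

    @staticmethod
    def _ip_hit(ip: str, networks: List[str]) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(n, strict=False) for n in networks)

    @staticmethod
    def _dns_hit(fqdn: Optional[str], patterns: List[str]) -> bool:
        if fqdn is None:
            return False
        return any(fnmatch(fqdn.lower(), p.lower()) for p in patterns)

    def _matches(self, conn: Connection, ip_list: List[str], dns_list: List[str]) -> bool:
        # Either endpoint's IP, or the destination FQDN, can match a list entry.
        return (self._ip_hit(conn.src_ip, ip_list)
                or self._ip_hit(conn.dst_ip, ip_list)
                or self._dns_hit(conn.fqdn, dns_list))

    def evaluate(self, conn: Connection) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'pass' (continue to ACP) or 'drop'."""
        if self._matches(conn, self.ip_whitelist, self.dns_whitelist):
            return "pass", "SI whitelist"
        if self._matches(conn, self.ip_blacklist, self.dns_blacklist):
            if self.monitor_only:
                return "pass", "SI blacklist (monitor-only)"
            return "drop", "SI blacklist"
        return "pass", "no SI match"


@dataclass
class AcpRule:
    name: str
    action: str                    # "allow" or "block"
    dst_port: Optional[int] = None  # None matches any destination port


def acp_evaluate(conn: Connection, rules: List[AcpRule], default_action: str = "block") -> str:
    """First-match ACP evaluation on destination port (a deliberately minimal ACP)."""
    for rule in rules:
        if rule.dst_port is None or rule.dst_port == conn.dst_port:
            return rule.action
    return default_action


def process(conn: Connection, si: SecurityIntelligence, rules: List[AcpRule],
            default_action: str = "block") -> Tuple[str, str]:
    """SI first; only connections SI passes are ever evaluated by the ACP."""
    verdict, reason = si.evaluate(conn)
    if verdict == "drop":
        return "drop", reason
    return acp_evaluate(conn, rules, default_action), reason + " -> ACP"


# Constructed sample policy: 10.1.1.50 is on both lists, so the whitelist wins.
SI = SecurityIntelligence(
    ip_whitelist=["10.1.1.0/24"],
    ip_blacklist=["203.0.113.0/24", "10.1.1.50/32"],
    dns_blacklist=["*.bad-example.test"],
)
RULES = [AcpRule("allow-https", "allow", dst_port=443)]

if __name__ == "__main__":
    samples = [
        Connection("10.1.1.50", "198.51.100.10", 443),
        Connection("10.1.2.7", "203.0.113.9", 443),
        Connection("10.1.2.7", "198.51.100.10", 443, fqdn="cdn.bad-example.test"),
        Connection("10.1.2.7", "198.51.100.10", 22),
    ]
    for c in samples:
        print(c, "->", process(c, SI, RULES))
```

The point the model makes for the original question: whitelisting does not grant access by itself. It only keeps SI from dropping the connection early, after which the deployed ACP decides, so a whitelisted host still hits the ACP default action when no rule matches. The monitor-only flag mirrors the option of logging blacklist hits without blocking, which is useful while tuning a feed before enforcing it.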
