07-01-2017 03:21 PM - edited 02-21-2020 06:12 AM
Within the FMC I have noticed I can whitelist hosts (by right clicking) when looking at potential threats/compromises.
If I whitelist a host, what exactly does this do on the backend? I'm unclear as to what this achieves ACP-wise or how it has any effect at all other than cosmetically during Network Discovery.
Does it just stop alerts during network discovery?
07-01-2017 09:12 PM
When you have a host whitelisted (or blacklisted for that matter), connections to/from it are handled by Security intelligence (SI). SI is a step prior to Access control Policy (ACP) processing.
If a host is blacklisted, SI will drop the connections and not analyze them further.
If a host is whitelisted, SI will proceed to evaluate connections for it per any applicable settings in your ACP.
Reference: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html
07-02-2017 03:29 AM
Is the white/blacklisting purely based on IP and nothing more specific higher up the layers?
When adding hosts to the lists, is this list/SI information pushed to the device regardless of which ACP I deploy? Is it integrated into ACPs, or do I have a choice of pushing out SI?
07-03-2017 02:51 AM
It's mostly IP layer. You can also blacklist/whitelist DNS FQDNs.
The SI lists are pushed to the devices independent of ACP. I'm not sure of the mechanism but I believe it (including the local lists) happens as part of updating the Cisco feeds.
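To make the evaluation order described in the two answers above concrete, here is a small simulation of it, added as an illustration for this thread; it is not Cisco code and does not come from the FMC. It models the Security Intelligence step running before the Access Control Policy: a blacklist match drops the connection with no further analysis, a whitelist match (or no SI match at all) hands the connection to the ACP rules, and a whitelisted host is still subject to whatever the ACP says. Matching is by IP (network objects) and by DNS FQDN, as the second answer notes. The lists, rule names, flow records and the simplification that an FQDN is attached directly to the flow record are all constructed for the example; the assumption that a whitelist match overrides a blacklist match is documented Firepower behaviour but is not stated in this thread.

```python
"""
Toy model of Firepower's per-connection evaluation order:
Security Intelligence (SI) list lookup first, then Access Control Policy (ACP).
Added illustration, not Cisco code. All lists, rules and flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SILists:
    # Constructed SI lists: network objects as CIDR strings, DNS lists as FQDNs.
    blacklist_nets: list = field(default_factory=list)
    whitelist_nets: list = field(default_factory=list)
    blacklist_fqdns: set = field(default_factory=set)
    whitelist_fqdns: set = field(default_factory=set)


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    # Simplification: the name the destination resolved from, if any, is carried
    # on the flow record so the DNS lists can be applied in the same lookup.
    fqdn: Optional[str] = None


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def si_verdict(flow: Flow, lists: SILists) -> Optional[str]:
    """Return 'whitelist', 'blacklist' or None for the SI step.

    Assumption (documented Firepower behaviour, not stated in the thread):
    a whitelist match overrides a blacklist match, so the connection goes on
    to the ACP instead of being dropped.
    """
    ips = (flow.src, flow.dst)
    if any(_in_any(ip, lists.whitelist_nets) for ip in ips) or flow.fqdn in lists.whitelist_fqdns:
        return "whitelist"
    if any(_in_any(ip, lists.blacklist_nets) for ip in ips) or flow.fqdn in lists.blacklist_fqdns:
        return "blacklist"
    return None


def acp_verdict(flow: Flow, rules, default: str = "block"):
    """First-match ACP evaluation. Each rule is (name, dst_cidr, dst_port|None, action)."""
    for name, dst_net, port, action in rules:
        if ip_address(flow.dst) in ip_network(dst_net) and (port is None or port == flow.dst_port):
            return action, name
    return default, "default-action"


def evaluate(flow: Flow, lists: SILists, rules) -> dict:
    """SI runs before the ACP: blacklist drops with no further analysis,
    whitelist (or no match) hands the connection to the ACP rules."""
    si = si_verdict(flow, lists)
    if si == "blacklist":
        return {"stage": "SI", "action": "drop", "reason": "SI blacklist"}
    action, rule = acp_verdict(flow, rules)
    return {"stage": "ACP", "action": action, "reason": rule, "si": si or "no match"}


# Constructed configuration for the demonstration (RFC 5737 / 1918 addresses).
SI = SILists(
    blacklist_nets=["203.0.113.0/24"],
    whitelist_nets=["203.0.113.10/32", "10.1.1.0/24"],
    blacklist_fqdns={"bad.example"},
)
ACP_RULES = [
    ("allow-web", "192.0.2.0/24", 443, "allow"),
    ("block-telnet", "0.0.0.0/0", 23, "block"),
]

# Constructed sample connections.
FLOWS = {
    "to-blacklisted-host": Flow("172.16.0.5", "203.0.113.50", 443),
    "whitelisted-src-allowed-by-acp": Flow("10.1.1.5", "192.0.2.20", 443),
    "whitelisted-src-blocked-by-acp": Flow("10.1.1.5", "192.0.2.20", 23),
    "whitelist-overrides-blacklist": Flow("172.16.0.5", "203.0.113.10", 443),
    "fqdn-blacklisted": Flow("172.16.0.5", "198.51.100.7", 443, fqdn="bad.example"),
}


def demo() -> dict:
    """Evaluate every sample flow; returns {label: verdict} for inspection."""
    return {label: evaluate(flow, SI, ACP_RULES) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:32s} {verdict}")
```

The third sample is the one that answers the original question: the source host is whitelisted, so SI passes the connection along, but the ACP's telnet rule still blocks it. Whitelisting removes the host from SI blocking; it does not exempt it from the ACP.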