11-06-2018 05:48 AM - edited 03-12-2019 07:04 AM
Hello,
Connecting to FMC via ssh, I saw no Cisco Security Intelligence feeds in the following directories:
/var/sf/iprep_download
/var/sf/sidns_download
/var/sf/sifile_download
/var/sf/siurl_download
I'd like to get these feeds (as files) to complete the SI configuration. Please show me where they are located. I didn't find them on the Cisco Talos website nor in Cisco software download.
Note that my FMC and IPS are in an isolated environment; there is no internet access allowed.
Thanks very much.
Regards.
11-06-2018 07:32 AM
Hi
To update the SI feed via the GUI:
Go to Objects > Object Management > Security Intelligence > Network Lists & Feeds and click update feeds
Objects > Object Management > Security Intelligence > DNS Lists & Feeds and click update feeds
Objects > Object Management > Security Intelligence > URL Lists & Feeds and click update feeds
Then go to the CLI and check if the files are downloaded.
You can edit the feeds to change the default update intervals.
HTH
Abheesh
11-06-2018 07:38 AM
Hello,
As I mentioned, I don't have internet access. So it failed when I clicked on update feeds.
11-06-2018 07:54 AM
Hi,
SI Feed is comprised of several regularly updated lists of IP addresses that have poor reputations, as determined by the Cisco Talos Security Intelligence and Research Group (Talos). It is important to keep the intelligence feed regularly updated so that a Cisco FireSIGHT System can use up-to-date information in order to filter your network traffic.
I'm not sure you will get it updated offline, and the default update frequency is 30 mins. So if these updates do not work properly, or if your SI updates are old and not getting updated from Talos properly, then SI will malfunction. So if you would like to use the SI feature, you should be connected to the internet.
HTH
Abheesh
11-06-2018 08:28 AM
Thanks, Abheesh, for your quick answer.
So, I have to find a solution to get internet access for FMC.
Regards.
11-06-2018 07:53 AM
As of the current Firepower release (6.2.3.x), Cisco does not support offline downloading of SI feeds for "air gap" deployments like this.
There may be some changes in 6.3; but you will have to wait and see what makes the cut for that release.
03-27-2019 11:13 PM
How about manually downloading the SI update periodically and then updating the FMC?
03-28-2019 02:21 AM
Only Firepower SRU, VDB and GeoDB Content Updates are available for offline download.
SI (IP and DNS lists) feeds can only be ingested directly into FMC.
10-22-2020 07:17 PM
Marvin,
Any thoughts on FMC 6.6? It appears that the FMC is reaching out to the URL via IPv6. However, there isn't an option to disable IPv6.
Best regards,
10-23-2020 04:20 AM
FMC will try to download the feeds and updates via their respective URLs. Cisco (or more accurately the CDN Cisco uses) serves up those URLs via both IPv4 and IPv6 addresses.