Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16263
Views
11
Helpful
9
Replies

how to get Cisco Security Intelligence feeds

Go to solution
h.dam
Level 1
Level 1

‎11-06-2018 05:48 AM - edited ‎03-12-2019 07:04 AM

Hello,

Connecting to FMC via ssh, I saw no Cisco Security Intelligence feeds in the following directories:

/var/sf/iprep_download

/var/sf/sidns_download

/var/sf/sifile_download

/var/sf/siurl_download 

 

I'd like to get these feeds (as files) to complete the SI configuration. Please show me where are they located? I didn't find them in Cisco Talos website nor Cisco software download.

Notice that my FMC, IPS are in an isolated environnement, there is no internet access allowed.

 

Thanks very much.

 

Regards.

 

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-06-2018 07:53 AM

As of the current Firepower release (6.2.3.x), Cisco does not support offline downloading of SI feeds for "air gap" deployments like this.

 

There may be some changes in 6.3; but you will have to wait and see what makes the cut for that release.

View solution in original post

Go to solution
Abheesh Kumar
VIP Alumni
VIP Alumni
In response to h.dam

‎11-06-2018 07:54 AM

Hi,

SI Feed is comprised of several regularly updated lists of IP addresses that have poor reputations, as determined by the Cisco Talos Security Intelligence and Research Group (Talos). It is important to keep the intelligence feed regularly updated so that a Cisco FireSIGHT System can use up-to-date information in order to filter your network traffic.

 

Not sure you will get it updated offline and the default update frequency is 30 mins. So if this updates not worked properly or if your SI updates are old and not getting updated from Talos properly then SI will malfunction. So if you would like use SI feature you should be connected to internet.

 

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117997-technote-firesight-00.html

 

HTH

Abheesh

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Abheesh Kumar
VIP Alumni
VIP Alumni

‎11-06-2018 07:32 AM

Hi 

To update the SI feed via GUI.

Go to Objects > Object Management > Security Intelligence > Network Lists & Feeds  and click update feeds

Objects > Object Management > Security Intelligence > DNS Lists & Feeds and click update feeds

Objects > Object Management > Security Intelligence > URL Lists & Feeds and click update feeds

Then go to cli and check if the files are downloaded.

 

You can edit the feeds to change the default update intervals.

 

HTH

Abheesh

Go to solution
h.dam
Level 1
Level 1
In response to Abheesh Kumar

‎11-06-2018 07:38 AM

hello,

 

As I mentioned, I don't have internet access. So it failed when I clicked on update feeds.

0 Helpful

Go to solution
Abheesh Kumar
VIP Alumni
VIP Alumni
In response to h.dam

‎11-06-2018 07:54 AM

Hi,

SI Feed is comprised of several regularly updated lists of IP addresses that have poor reputations, as determined by the Cisco Talos Security Intelligence and Research Group (Talos). It is important to keep the intelligence feed regularly updated so that a Cisco FireSIGHT System can use up-to-date information in order to filter your network traffic.

 

Not sure you will get it updated offline and the default update frequency is 30 mins. So if this updates not worked properly or if your SI updates are old and not getting updated from Talos properly then SI will malfunction. So if you would like use SI feature you should be connected to internet.

 

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117997-technote-firesight-00.html

 

HTH

Abheesh

 

0 Helpful

Go to solution
h.dam
Level 1
Level 1
In response to Abheesh Kumar

‎11-06-2018 08:28 AM

Thanks Adheesh for your quick answer.

 

So, I have to find a solution to get internet access for FMC.

 

Regards.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-06-2018 07:53 AM

As of the current Firepower release (6.2.3.x), Cisco does not support offline downloading of SI feeds for "air gap" deployments like this.

 

There may be some changes in 6.3; but you will have to wait and see what makes the cut for that release.

Go to solution
wihuang
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎03-27-2019 11:13 PM

How about manual download the SI update periodly and then update to the FMC?

 

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to wihuang

‎03-28-2019 02:21 AM

Only Firepower SRU, VDB and GeoDB Content Updates are available for offline download.

 

SI (IP and DNS lists) feeds can only be ingested directly into FMC.

0 Helpful

Go to solution
dvargas@nwfcu.org
Level 1
Level 1
In response to Marvin Rhoads

‎10-22-2020 07:17 PM

Marvin,

 

Any thoughts on FMC 6.6 ? It appears that the FMC is reaching out to the url via IPv6. However, there isn’t an option to disable IPv6.

 

Best regards,

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dvargas@nwfcu.org

‎10-23-2020 04:20 AM

FMC will try to download the feeds and updates via their respective URLs. Cisco (or more accurately the CDN Cisco uses) serves up those URLs via both IPv4 and IPv6 addresses.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card