03-17-2017 05:02 PM - edited 03-12-2019 06:19 AM
Hi Team,
We are planning to deploy the security intelligence feeds into the firewall policy. But is there a way we can see the list of IPs in the list to ensure benign IPs are not being blocked?
Is there a way we can export the SI feeds into a CSV & manually assess the IPs using open source tools?
03-19-2017 01:07 AM
The feeds are installed in a couple of files under /var/sf/iprep_download. While you can look at them manually, they are updated throughout the day and any manual process would be quickly overwhelmed.
You might find it easier to just watch connection events for all "Blocked" actions and go from there. If you find a false positive you can whitelist it and report the error to Cisco. For what it's worth I've not had that be a problem in the couple dozen installations I've worked with.
03-24-2017 07:27 AM
As Marvin said, your only option would be checking the files at /var/sf/iprep_download. If you want to check the feeds against some other list or check occurrences, I would recommend using cron to copy them using scp. Then use whatever you like to analyse the data.
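An added example, not part of any post in this thread and not Cisco code: once the feed files have been copied off the FMC, a script like this can flag feed entries that overlap addresses you must never block and write the result as CSV. It assumes each feed file holds one address or CIDR per line with `#` comments (a format the thread does not state), and the sample feed and known-good list are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample standing in for one feed file copied off the FMC.
# Assumed format: one address or CIDR per line, '#' starts a comment.
SAMPLE_FEED = """\
# constructed sample feed
192.0.2.10
198.51.100.0/24
203.0.113.77
not-an-ip
2001:db8::/32
"""
# Constructed list of addresses and ranges that must never be blocked.
SAMPLE_KNOWN_GOOD = "203.0.113.64/26\n198.51.100.25\n2001:db8:1::/48\n"

def parse_entries(text):
    """Return (networks, rejected) where rejected holds (line_no, raw_line)."""
    nets, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((line_no, raw))  # report it, never drop silently
    return nets, rejected

def find_overlaps(feed_nets, good_nets):
    """Pairs (feed_entry, known_good_entry) where a block would hit a known-good range."""
    return [(f, g) for f in feed_nets for g in good_nets
            if f.version == g.version and f.overlaps(g)]

def to_csv(hits):
    """Render the overlaps as CSV text for review in a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["feed_entry", "known_good_entry"])
    writer.writerows((str(f), str(g)) for f, g in hits)
    return out.getvalue()

if __name__ == "__main__":
    feed, bad = parse_entries(SAMPLE_FEED)
    good, _ = parse_entries(SAMPLE_KNOWN_GOOD)
    print(to_csv(find_overlaps(feed, good)), end="")
    for line_no, raw in bad:
        print(f"skipped line {line_no}: {raw!r}")
```

Overlap is checked in both directions, so a broad feed range that contains a single known-good host is flagged as well as a feed host that falls inside a known-good range.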
03-27-2017 03:48 PM
Is there a CLI guide for the FMC to use these commands? I am having a hard time working on the FMC CLI, especially since it only supports a Linux shell with no help available for commands. The FTD CLI guide is pretty helpful.
03-27-2017 07:44 PM
The FMC command line is not something Cisco encourages accessing outside the few basic things they document in a couple of tech notes and troubleshooting documents.
As you noted, it's a raw Linux bash shell and one can quite easily make a mistake there that has severe consequences for the overall system.
If you're not comfortable with basic Linux commands, I recommend opening a TAC case when you have any issues under the hood of the FMC. I have found the team that handles FirePOWER-related issues to be quite knowledgeable and helpful.