IP Blocklist changes are not being detected on FMCv

Raphaz117
Level 1
Hello everyone,
 
Here at my workplace, we have noticed recently that when updating our custom IP Blocklist (uploading a new .txt file to it), the FMCv no longer detects it as a change to be applied; therefore the Deploy option states that there are no changes to be deployed.
 
To be sure whether the Blocklist was updated, we checked the Access Control policy and noticed that the new IPs were not added. The only way we have currently found to add new IPs to a blocklist is to create a new blocklist policy containing the previous IPs and the new ones.
 
Could this have something to do with our recent FMCv update, or is it a known bug? We used to be on version 6.5.0.4 and recently updated to 7.0.1.1.

Eric R. Jones
Level 4

We created two object groups of IP addresses and then bundled those into a single object group.

That object group gets assigned to a policy for the devices.

When you say you're uploading a text file, do you create a Notepad file of all the IPs you want included and upload that to the FMC via AMP or Intelligence?

I did some google foo and found this.

https://community.cisco.com/t5/network-security/need-to-add-ip-addresses-to-global-blacklist-in-fmc/td-p/4172120

It's the last entry for this thread.

Sorry for the late reply, but the procedure you suggested is exactly what we do. The problem is that after updating our FMC to 7.0.1.1, whenever we update our list with new IPs, FMC doesn't detect that there have been changes to our policies; therefore, we can't deploy the changes.

 

The only workaround we have right now is creating a whole new list and manually activating it in Security Intelligence every time we want to add something, instead of updating the current one, but that is far more time-consuming than it used to be.
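As an added example (not code from any poster in this thread), the following Python helper automates the workaround described above: it merges the list currently on the FMC with the new .txt file, validates every entry as an IP or CIDR, and reports which addresses are actually new so they can be checked in the Access Control policy after the list is activated. The two list contents are constructed sample data.

```python
import ipaddress

# Constructed sample lists (not from the thread): the list currently loaded
# on the FMC and the new file the administrator wants to upload.
CURRENT_LIST = """# existing blocklist
203.0.113.10
198.51.100.0/24
192.0.2.7
"""
NEW_LIST = """203.0.113.10
192.0.2.7
192.0.2.99
2001:db8::bad
not-an-ip
"""


def parse_blocklist(text):
    """Return (valid, invalid): valid is a set of ip_network objects.
    FMC list files hold one address or CIDR per line; '#' starts a comment."""
    valid, invalid = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            valid.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            invalid.append(line)
    return valid, invalid


def _fmt(net):
    """Print single hosts without a prefix length, the way list files are written."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def merge_blocklists(current_text, new_text):
    """Merge current and new entries into one replacement list and report
    what changed; IPv4 entries are listed before IPv6 entries."""
    cur, bad_cur = parse_blocklist(current_text)
    new, bad_new = parse_blocklist(new_text)
    merged = sorted(cur | new, key=lambda n: (n.version, n))
    return {
        "merged": [_fmt(n) for n in merged],       # contents of the replacement file
        "added": sorted(_fmt(n) for n in new - cur),  # entries to verify after activation
        "invalid": bad_cur + bad_new,              # lines the FMC would reject or skip
    }


if __name__ == "__main__":
    result = merge_blocklists(CURRENT_LIST, NEW_LIST)
    print("\n".join(result["merged"]))
    print("added:", result["added"], "invalid:", result["invalid"])
```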

Arvind_AR
Level 1

Hello All,

 

I am facing the same issue on FMC version 7.0.6. Is there a solution or workaround provided for this issue?

IP and URL blocklists function like Security Intelligence feeds. That is, they immediately sync to managed devices without requiring a deployment.

Hi Marvin,

Thank you so much for your quick response.

It was not the same before (6.6.5.2). Is it a new feature in 7.0? I cannot find this detail in the release notes. It would be helpful if you could share any reference documents on this.

@Arvind_AR I can't find a document at the moment that specifically says so but I verified the behavior just now in my lab. I started a ping to 8.8.8.8 (success), looked for the connection in the Analysis > Connection Events and right-clicked the 8.8.8.8 destination to "Add IP to Block List".

The pings started failing and new connection events showed Block action due to IP Block Reason. Checking in Object Management under Security Intelligence, Network List and Feeds showed the Global-Block-List now has that single address in it. I removed the address and, after about 30 seconds, the pings began to succeed again.

No deployment was done at any time.


@Marvin Rhoads Noted, thanks for confirming.
