Need to add IP addresses to global blacklist in FMC

baskervi · ‎10-22-2020

We have a list of IP addresses that need to be blacklisted. However, I'm not able to figure out how or where to enter these, because I don't see a way to enter anything into the global blacklist. The Global Blacklist is listed under Networks in the Security Intelligence tab, but there is only an X and trashcan next to this. Within Objects | Object Management | Security Intelligence | Network Lists and Feeds, the Global-Blacklist has a pencil, but when I open it, there is nothing. I'm missing something, so where do I need to enter the IPs at? This is for a Firepower 2140 running 6.4. Thank you.

balaji.bandi · ‎10-23-2020

You need to add an IP address from that edit place you want to block IP address - check below example :

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117993-technote-firesight-00.html

there is also feeds available

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/security_intelligence_blacklisting.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aref Alsouqi · ‎10-23-2020

The default object Global-Blacklist and Global-Whitelist do not allow you to add manually any IP to them. You can populate those by right click on the interested IP from the connections analysis events. However, if you want to add your custom list, you need to create a text file with all the IP addresses/CIDRs to be added to the black or white list, add a new object in Object Management > Security Intelligence > Network Lists and Feeds, select List as the type, and upload the text file you created, and then add the new object to the Security Intelligence tab under the Access Control Policy.