Security Intelligence - Block List - Bogon

davidb84
Frequent Visitor

Does anyone know if it's normal for the Cisco Talos feed to have 0 objects in the BOGON list? I found that when mousing over "Bogon" in the block list it shows 0 objects. In FMC, this is under Access Policy > Security Intelligence > Block List.

Security Intelligence feeds are downloading fine. I do have IPS licensing.

Accepted Solution

Marvin Rhoads
Hall of Fame

The current SI feed appears to indeed have zero bogon addresses listed. I confirmed it on two separate FMCs.

You can verify the raw files under /var/sf/iprep_download on your FMC. That folder contains files for the various IP reputation feeds from TALOS. They are all named by UUIDs, but you can check the mapping to a human-readable name by looking at rep_dd.yaml. There you will see the various categories listed with their associated attributes. For example:

  bogon:
    ID: 10
    UUID: 5f8148f1-e5e4-427a-aa3b-ee1c2745c350
    expiration: never
    long: IP Addresses that are known to not be allocated but are sending traffic
    short: Bogon Address

If we look at that file, we see just the header (with no addresses listed):

/var/sf/iprep_download$ cat 5f8148f1-e5e4-427a-aa3b-ee1c2745c350
#Cisco intelligence feed: Bogon

...matching the zero addresses shown in the FMC GUI.

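To make the check above repeatable across all categories rather than just bogon, here is an added example (my own code, not Cisco's and not from the posters) that reads the category-to-UUID mapping in the rep_dd.yaml layout quoted above and counts the non-comment lines of each UUID-named feed file, so an empty feed like the bogon one stands out. It assumes the simple two-level layout shown in the post and that rep_dd.yaml can be read as text on the FMC (the thread does not say where that file lives); the second category and the sample addresses are constructed.

```python
from pathlib import Path
# Constructed sample in the rep_dd.yaml layout quoted in the thread; the bogon
# entry is copied from the post, the second category is made up for the demo.
SAMPLE_REP_DD = """\
bogon:
  ID: 10
  UUID: 5f8148f1-e5e4-427a-aa3b-ee1c2745c350
  expiration: never
  short: Bogon Address
demo_category:
  UUID: 00000000-0000-0000-0000-000000000000
  short: Demo category (constructed)
"""
# Constructed feed files keyed by UUID filename: the bogon one is header-only,
# exactly as shown in the thread; the demo one carries two made-up entries.
SAMPLE_FEEDS = {
    "5f8148f1-e5e4-427a-aa3b-ee1c2745c350": "#Cisco intelligence feed: Bogon\n",
    "00000000-0000-0000-0000-000000000000":
        "#Cisco intelligence feed: Demo\n192.0.2.0/24\n198.51.100.7\n",
}

def parse_rep_dd(text):
    # Minimal reader for the two-level "name:" / "  key: value" layout shown in
    # the thread (no PyYAML needed). Returns {UUID: category name}.
    mapping, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # top-level category name
            current = line.strip().rstrip(":")
        elif current:
            key, _, value = line.strip().partition(":")
            if key.strip() == "UUID":
                mapping[value.strip()] = current
    return mapping

def count_feed_entries(text):
    # Address lines only: "#" comment lines and blanks are skipped, so the
    # header-only bogon feed counts as 0.
    return sum(1 for ln in text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#"))

def audit_feeds(rep_dd_text, feeds):
    # {category: entry count}; None when no file exists for the UUID.
    return {name: count_feed_entries(feeds[uuid]) if uuid in feeds else None
            for uuid, name in parse_rep_dd(rep_dd_text).items()}

def read_download_dir(path="/var/sf/iprep_download"):
    # On an FMC: load every UUID-named feed file from the download directory.
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}
```

On an FMC you would call audit_feeds with the text of rep_dd.yaml and read_download_dir(); any category reporting 0 is a feed that currently blocks nothing.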

6 Replies

@davidb84 hi, bogons are IP ranges which are not assigned for use in public IP space. Not sure why Talos is showing 0 objects in it, but blocking this will help to avoid some attacker using illegitimate IP addresses to attack.

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB

davidb84
Frequent Visitor

Would anyone have the ability to check their BOGON object and verify if it shows 0 objects as pictured above?

My cdFMC is also reporting 0 objects.

So what's the correct way to block BOGONs if this feed is empty? Manually maintain a list?

I haven't read Cisco's rationale for having no addresses in the bogon category.

Normally I would expect the upstream ISP to block bogons in their routers' eBGP configuration, and thus you would never see them at your edge firewall. I suppose if you wanted, you could use a custom IP list and use that to block them as well.
