Security Intelligence Feed Order of Events

twistedtechmike
Level 1

We had a recent event take place in which the IP address of a web site was being actively blocked by Talos Security Intelligence as a malware site. We created a URL object and added it to the whitelist, and the site continued to be blocked by IP address. Our only solution was to add the IP address to the global whitelist.

Is this expected behavior? It seems backward to us, as websites sometimes change IP address. Does the FMC always read the IP blacklist prior to the URL whitelist?

1 Reply

Marvin Rhoads
Hall of Fame

Yes - SI (IP) precedes SI (DNS and URL) in the FTD Order of Operations. That's because IP blacklisting/whitelisting can be done in advance of running through any SSL and Network Analysis policies as well as the preprocessors - all of which consume additional resources on the sensor.

[Attached image: FTD OOO.PNG - FTD order of operations diagram]
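To make the ordering in the answer concrete, here is a small added simulation (not Cisco code and not part of the original thread) of a two-stage Security Intelligence pipeline in which the IP stage runs before the URL stage, and whitelist entries win over blacklist entries within a stage. The stage names, rule structure and the sample IP address and URL are assumptions for the example; it shows why a URL-object whitelist cannot rescue a connection that the IP stage has already blocked, and why adding the address to the IP (global) whitelist does.

```python
"""Toy model of the FTD Security Intelligence evaluation order described above:
SI (IP) is evaluated before SI (URL/DNS).  This is an illustrative simulation,
not Cisco's implementation; the stage names, policy layout and sample values
are assumptions made for this example."""

from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Connection:
    dst_ip: str
    # The URL is only known after the TLS/HTTP stages have run; it is None
    # for a flow the sensor has not yet decoded that far.
    url: Optional[str] = None


@dataclass
class SIPolicy:
    ip_blacklist: Set[str] = field(default_factory=set)
    ip_whitelist: Set[str] = field(default_factory=set)   # the "global whitelist" in the question
    url_blacklist: Set[str] = field(default_factory=set)
    url_whitelist: Set[str] = field(default_factory=set)  # a URL object added to the whitelist


def si_ip_stage(conn: Connection, policy: SIPolicy) -> Optional[str]:
    """IP-based SI: cheap lookup on the destination address, run first.
    Whitelist entries take precedence over blacklist entries in the same stage."""
    if conn.dst_ip in policy.ip_whitelist:
        return "allow"
    if conn.dst_ip in policy.ip_blacklist:
        return "block"
    return None  # no SI-IP verdict; continue down the pipeline


def si_url_stage(conn: Connection, policy: SIPolicy) -> Optional[str]:
    """URL-based SI: needs the decoded URL, so it runs later and costs more."""
    if conn.url is None:
        return None
    if conn.url in policy.url_whitelist:
        return "allow"
    if conn.url in policy.url_blacklist:
        return "block"
    return None


# Order matters: the first stage that produces a verdict ends evaluation.
# SSL policy, network analysis and preprocessors would sit between the two
# stages in the real order of operations; they are omitted here.
STAGES = [("SI-IP", si_ip_stage), ("SI-URL", si_url_stage)]


def evaluate(conn: Connection, policy: SIPolicy) -> Tuple[str, str]:
    """Return (verdict, deciding_stage) for a connection."""
    for name, stage in STAGES:
        verdict = stage(conn, policy)
        if verdict is not None:
            return verdict, name
    return "allow", "default"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Replay the scenario from the question with constructed sample values."""
    site_ip = "203.0.113.10"          # constructed sample address (TEST-NET-3)
    site_url = "http://example.com/"  # constructed sample URL
    conn = Connection(dst_ip=site_ip, url=site_url)

    # Step 1: Talos reputation blacklists the IP; the admin whitelists only the URL.
    policy = SIPolicy(ip_blacklist={site_ip}, url_whitelist={site_url})
    with_url_whitelist = evaluate(conn, policy)   # ('block', 'SI-IP')

    # Step 2: the IP itself is added to the global (IP) whitelist.
    policy.ip_whitelist.add(site_ip)
    with_ip_whitelist = evaluate(conn, policy)    # ('allow', 'SI-IP')
    return with_url_whitelist, with_ip_whitelist


if __name__ == "__main__":
    before, after = demo()
    print("URL whitelist only :", before)
    print("IP whitelist added :", after)
```

Running the script prints a block decided by SI-IP for the first policy and an allow decided by SI-IP for the second; the URL stage never sees the flow in either case, which is exactly the behaviour the question describes.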
