Security Intelligence Feed Order of Events

twistedtechmike
Level 1

We had a recent event take place in which an IP address of a web site was being actively blocked by TALOS Security Intelligence as a Malware site. We created a URL Object, added to whitelist, and the site continued to be blocked by IP address. Our only solution was to add the IP address to the global whitelist. 

 

Is this expected behavior? It seems backward to us, as websites sometimes change IP address. Does the FMC always read the IP Blacklist prior to the URL whitelist?

1 Reply

Marvin Rhoads
Hall of Fame

Yes - SI (IP) precedes SI (DNS and URL) in the FTD Order of Operations. That's because IP blacklist/whitelist can be done in advance of running through any SSL and Network Analysis policies as well as preprocessors - all of which consume additional resources on the sensor.

[Image attachment: FTD OOO.PNG]
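The ordering described in the reply is what makes a URL whitelist entry ineffective against an IP-based Security Intelligence block. The following is an added illustration, not Cisco code and not the poster's configuration: a toy evaluator that runs the SI stages in the order given (IP first, then URL) and stops at the first stage that reaches a verdict. The addresses, URL and list contents are constructed sample data. It replays the two situations from the thread (URL whitelist alone, then the IP added to the global whitelist) and a third case showing when the URL whitelist does take effect.

```python
"""Toy model of Security Intelligence (SI) stage ordering on FTD.

Constructed illustration only. Stages run in the order the reply states:
IP-based SI first, then DNS/URL-based SI. The first stage that reaches a
verdict decides the flow; later stages (and their whitelists) never see it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

Verdict = Tuple[str, str]  # (action, deciding list)


@dataclass
class Connection:
    dst_ip: str
    url: Optional[str] = None


@dataclass
class SIPolicy:
    # Constructed sample lists; prefixes are CIDR strings, URLs are prefixes.
    ip_blacklist: List[str] = field(default_factory=list)
    ip_whitelist: List[str] = field(default_factory=list)   # "global whitelist" in the thread
    url_blacklist: List[str] = field(default_factory=list)
    url_whitelist: List[str] = field(default_factory=list)


def _ip_in(addr: str, prefixes: List[str]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(p, strict=False) for p in prefixes)


def si_ip_stage(conn: Connection, pol: SIPolicy) -> Optional[Verdict]:
    """Stage 1: IP-based SI. Whitelist exempts, blacklist blocks, else no verdict."""
    if _ip_in(conn.dst_ip, pol.ip_whitelist):
        return ("allow", "SI-IP whitelist")
    if _ip_in(conn.dst_ip, pol.ip_blacklist):
        return ("block", "SI-IP blacklist")
    return None


def si_url_stage(conn: Connection, pol: SIPolicy) -> Optional[Verdict]:
    """Stage 2: URL-based SI, reached only when stage 1 made no decision."""
    if conn.url is None:
        return None
    if any(conn.url.startswith(u) for u in pol.url_whitelist):
        return ("allow", "SI-URL whitelist")
    if any(conn.url.startswith(u) for u in pol.url_blacklist):
        return ("block", "SI-URL blacklist")
    return None


# Order matters: this list is the whole point of the model.
STAGES: List[Callable[[Connection, SIPolicy], Optional[Verdict]]] = [si_ip_stage, si_url_stage]


def evaluate(conn: Connection, pol: SIPolicy) -> Verdict:
    """Walk the stages in order; the first verdict wins."""
    for stage in STAGES:
        verdict = stage(conn, pol)
        if verdict is not None:
            return verdict
    return ("continue", "no SI verdict; flow proceeds to access control")


# Constructed sample values (documentation address range and example domain).
SITE_IP = "203.0.113.10"
SITE_URL = "http://www.example.com/"


def scenario_url_whitelist_only() -> Verdict:
    """What the poster did first: IP on the blacklist, only the URL whitelisted."""
    pol = SIPolicy(ip_blacklist=[SITE_IP + "/32"], url_whitelist=[SITE_URL])
    return evaluate(Connection(SITE_IP, SITE_URL), pol)


def scenario_global_ip_whitelist() -> Verdict:
    """The fix that worked: the IP itself added to the global (IP) whitelist."""
    pol = SIPolicy(ip_blacklist=[SITE_IP + "/32"], ip_whitelist=[SITE_IP + "/32"],
                   url_whitelist=[SITE_URL])
    return evaluate(Connection(SITE_IP, SITE_URL), pol)


def scenario_url_block_only() -> Verdict:
    """URL whitelist does work when no IP stage verdict precedes it."""
    pol = SIPolicy(url_blacklist=[SITE_URL], url_whitelist=[SITE_URL])
    return evaluate(Connection(SITE_IP, SITE_URL), pol)


if __name__ == "__main__":
    for name, fn in [("URL whitelist only", scenario_url_whitelist_only),
                     ("global IP whitelist", scenario_global_ip_whitelist),
                     ("URL block/whitelist only", scenario_url_block_only)]:
        print(f"{name:26s} -> {fn()}")
```

The model only captures the ordering point made in the reply; it says nothing about how the real sensor matches lists internally. The practical takeaway it shows is that a whitelist entry can only override a block that is reached at the same or a later stage, so a block decided by IP-based SI needs an IP-based exemption.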
