We had a recent event take place in which an IP address of a web site was being actively blocked by TALOS Security Intelligence as a Malware site. We created a URL Object, added it to the whitelist, and the site continued to be blocked by IP address. Our only solution was to add the IP address to the global whitelist.
Is this expected behavior? It seems backward to us, as websites sometimes change IP address. Does the FMC always read the IP Blacklist prior to the URL whitelist?
Yes - SI (IP) precedes SI (DNS and URL) in the FTD Order of Operations. That's because IP blacklist/whitelist can be done in advance of running through any SSL and Network Analysis policies as well as preprocessors - all of which consume additional resources on the sensor.
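To make the order of operations from the answer above concrete, here is an added toy model (not Cisco code, and not from this thread) of how SI (IP) is consulted before SI (URL); the `SIPolicy` class, `evaluate` function, IP and hostname are all constructed for illustration.

```python
# Added illustration: a minimal model of the Security Intelligence (SI)
# evaluation order described in the answer above. It is NOT Cisco code and
# does not reproduce FTD internals; it only shows why a URL whitelist entry
# cannot rescue a connection that the IP blacklist has already dropped.
from dataclasses import dataclass, field

@dataclass
class SIPolicy:
    ip_blacklist: set = field(default_factory=set)
    ip_whitelist: set = field(default_factory=set)   # the IP "global whitelist"
    url_blacklist: set = field(default_factory=set)
    url_whitelist: set = field(default_factory=set)

def evaluate(dst_ip: str, url: str, policy: SIPolicy) -> tuple:
    """Return (verdict, deciding_stage) for one connection.

    Stage order follows the FTD order of operations quoted in the thread:
    SI (IP) runs first, before SSL/Network Analysis and the preprocessors,
    and only then SI (DNS/URL). Within a stage the whitelist wins over the
    blacklist.
    """
    # Stage 1: IP-based SI (cheap: needs only the packet header).
    if dst_ip in policy.ip_whitelist:
        return ("allow", "SI (IP) whitelist")
    if dst_ip in policy.ip_blacklist:
        return ("block", "SI (IP) blacklist")   # URL lists are never reached
    # Stage 2: SSL policy, Network Analysis policy, preprocessors.
    # Modelled as a no-op; this is where the URL becomes visible.
    # Stage 3: URL-based SI.
    if url in policy.url_whitelist:
        return ("allow", "SI (URL) whitelist")
    if url in policy.url_blacklist:
        return ("block", "SI (URL) blacklist")
    return ("allow", "no SI match (continue to access control)")

# Constructed sample: the feed lists the site's current IP; the admin
# whitelists the URL first (the attempt that failed) and then the IP.
SITE_IP = "203.0.113.10"      # RFC 5737 documentation address, constructed
SITE_URL = "www.example.com"  # constructed hostname

def url_whitelist_attempt():
    pol = SIPolicy(ip_blacklist={SITE_IP}, url_whitelist={SITE_URL})
    return evaluate(SITE_IP, SITE_URL, pol)

def ip_whitelist_fix():
    pol = SIPolicy(ip_blacklist={SITE_IP}, ip_whitelist={SITE_IP},
                   url_whitelist={SITE_URL})
    return evaluate(SITE_IP, SITE_URL, pol)

if __name__ == "__main__":
    print(url_whitelist_attempt())   # ('block', 'SI (IP) blacklist')
    print(ip_whitelist_fix())        # ('allow', 'SI (IP) whitelist')
```

The first call shows the URL whitelist never being consulted because the IP stage has already blocked the flow; the second shows the IP whitelist short-circuiting the blacklist, matching the workaround the original poster had to use.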