Security Intelligence Manual Feeds not Updating

kothare
Level 1

Issue Summary:
Our FMC is running on version 7.2.9 (build 44). The Threat license is out of compliance, but we should still be able to update manual feeds. However, we are facing issues when updating Security Intelligence (SI) feeds manually.

Observed Behaviour:
- Manual feed update appears to run, but Security Intelligence is not refreshed as expected.
- Feed status sometimes shows as "success," but the data is not ingested into FMC/FTD.
- From FMC CLI the feed is fetching from the HTTP server but not pushing to FTD.


As per ChatGPT Relevant Cisco Bugs:
CSCwc47155 – Custom SI feed not refreshing.
CSCwe28871 – Feeds show success, but data not ingested.
Request:
Please confirm if our issue aligns with the above bugs in version 7.2.9 and suggest the recommended fix or workaround (patch, upgrade, or configuration change).

Accepted Solutions

kothare
Level 1

Findings:
- Feed URL reachability and format were fine.
- However, SI updates were not getting applied to FTD.
- Upon investigation, it was observed that the root filesystem (/dev/root) on the FMC had reached 100% utilization.
- Due to lack of disk space in the root partition, certain FMC services could not function properly, resulting in SI update failures.
Resolution:
- We analysed and identified large backup and log files consuming root partition space.
- After cleaning up unnecessary files and reducing disk utilization, the SI services started working as expected.
- Post cleanup, FMC was able to successfully update and push both network and URL Security Intelligence feeds to FTD.

Logs:
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687# du -sh *|sort -h
4.0K backups
16K tmp1692
2.2G tmp7870_prometheus
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687# cd tmp7870_prometheus
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687/tmp7870_prometheus# du -sh *|sort -h
2.2G prometheus.tgz
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687/tmp7870_prometheus# ls /vol Volume -ll
total 28
drwxr-xr-x 21 root root 4096 Sep 3 17:17 7.2.9-44
drwxr-xr-x 8 root root 4096 May 7 08:48 home
drwxr-xr-x 4 root root 4096 May 7 05:12 lib
drwx------ 2 root root 16384 May 7 04:57 lost+found
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687/tmp7870_prometheus# mv prometheus.tgz /Volume
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687/tmp7870_prometheus# ls -ll
total 0
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687/tmp7870_prometheus# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.7G 1.6G 2.0G 44% /
devtmpfs 63G 0 63G 0% /dev
/dev/sda1 488M 11M 477M 3% /boot/EFI
/dev/sda5 8.7T 2.1T 6.3T 25% /Volume
none 63G 208K 63G 1% /dev/shm
tmpfs 63G 0 63G 0% /sys/fs/cgroup
tmpfs 63G 0 63G 0% /sys/fs/cgroup/pm
root@DC-MGMT-FMC-01:/mnt/remote-storage/sf-storage/6575359e-fcfe-11ea-9f64-dea40845f687/tmp7870_prometheus#


Thanks all for time & support.
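
A disk-space check for the failure mode in the accepted solution (a full root filesystem while the feed status can still show success), added here as an example and not part of the original post. The function names, the 90% threshold and the sample `df -P` text are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): spot a nearly full filesystem and
# list what is filling it. All names and the 90% threshold are assumptions.

# Constructed sample in `df -P` layout, modelled on the pre-cleanup state the
# post describes (root at 100%); the block counts are illustrative only.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/root 3879936 3879936 0 100% /
devtmpfs 66060288 0 66060288 0% /dev
/dev/sda5 9341640704 2254857830 6764573491 25% /Volume'

# full_filesystems THRESHOLD
# Reads `df -P` output on stdin and prints "<mount> <use>%" for every
# filesystem whose utilisation is at or above THRESHOLD percent.
full_filesystems() {
    awk -v limit="$1" 'NR > 1 {
        use = $5; sub(/%$/, "", use)
        mount = $6                      # rejoin mount points containing spaces
        for (i = 7; i <= NF; i++) mount = mount " " $i
        if (use + 0 >= limit + 0) print mount, use "%"
    }'
}

# largest_entries DIR [COUNT]
# Lists the COUNT largest entries directly under DIR in KiB, biggest first.
# -x keeps du on DIR's own filesystem, so a separately mounted volume such
# as /Volume is not counted against the root partition.
largest_entries() {
    dir=$1
    count=${2:-10}
    du -xsk -- "$dir"/* 2>/dev/null | sort -rn | head -n "$count"
}

# Run against the constructed sample; on a live host use:
#   df -P | full_filesystems 90    and then    largest_entries / 10
printf '%s\n' "$SAMPLE_DF" | full_filesystems 90
```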


balaji.bandi
Hall of Fame

Has this ever worked, or did a working one fail?

It may be a bug, but let's take a look at troubleshooting the issue first before we accept it as a bug. Cisco is advising 7.4.X or a later version as stable to upgrade to.

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117997-technote-firesight-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

We observed an issue in Cisco FMC v7.2.9 (Build 44) related to manual Security Intelligence (SI) feeds when the Threat license is out of compliance or expired.

Background
- Before license expiry, we had successfully configured manual feeds and were able to update them.
- According to Cisco’s documentation, even without a valid Threat license, existing Security Intelligence feeds should continue to function, and manual feeds should remain editable and usable.

Problem Statement
- Once the Threat license expired, if we attempt to edit or add new entries to any manual feed:
- The update fails.
- The entire feed count resets to zero (0) instead of retaining the existing entries.
- This effectively removes all prior entries whenever a modification is made.
 
Observations
- Existing feeds (added before license expiry) still work as expected.
- The issue only occurs when editing or appending entries after the license went out of compliance.
- Logs from FTD confirm that feeds are pulled, but only partial or empty data is passed through.
- This behaviour contradicts Cisco’s expected functionality, where manual feeds should remain operational even without an active license.

- The issue only occurs when editing or appending entries after the license went out of compliance. <<- you answer the Q 

You cannot download SI after the license expired.
MHM 

We should create new entries in the list feed.
And we are using an HTTP feed. We are also getting a 200 OK request, but it's not working.

admin@DC-INTERNET-FW-01:/ngfw/Volume/home/admin$ curl -I http://10.196.220.131/Firewall/ipv4_blacklistall_11_aa.txt
HTTP/1.1 200 OK
Date: Thu, 04 Sep 2025 10:12:38 GMT
Server: Apache/2.4.29 (Unix) PHP/7.3.2
Last-Modified: Thu, 04 Sep 2025 07:11:51 GMT
ETag: "15a04d-63df46f75abbc"
Accept-Ranges: bytes
Content-Length: 1417293
Content-Type: text/plain

admin@DC-INTERNET-FW-01:/ngfw/Volume/home/admin$

As per my understanding, you still need a license for some features to work.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-license.html#concept_5B8D7BC78F154A34A31118D05B26D851

The reference to feeds from the internet should work, but to use them you need to have a valid license (I guess).

admin@DC-INTERNET-FW-01:/ngfw/Volume/home/admin$ curl -I http://10.196.220.131/Firewall/ipv4_blacklistall_11_aa.txt

Is this feed from the local network?

BB


> show logging | grep SI    <== Running this command in FTD generates lots of logs.
Actually, there is an interface named DC_INTERNET_INSIDEINT, so all the generated logs are shown.
Can you specify the exact string to find?

Sorry, I saw your comment today.
grep SI <<- meaning see any log related to SI

Anyway, I see you found the issue and solved it.

Thanks a lot for updating us.

MHM
