
Security Intelligence Update Frequency Custom Time

admins0011111
Level 1

Is it possible to create an Update Frequency of 1m or 5m for a feed list?

Accepted Solutions

At the moment this is not possible (or rather not supported). You could manually edit the config file on the filesystem for lower intervals, but the timeout for feed download is 300 seconds, so I would not advise to go any lower since that might cause issues.

If you wanna go down the unsupported road, go to /etc/sf/iprep_sources.conf and edit the update_freq (1 = 5 minutes, 2 = 10 minutes, etc.). Configuration is re-read by the daemon automatically, but keep in mind that changes on the FMC UI side will overwrite the file again.

You can check /var/log/messages for security intelligence downloads via cat /var/log/messages | grep -i iprep

I think the interval settings will improve in a future release, but we will see. :)
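
The log check described above, extended to measure the spacing between iprep entries and flag download runs that start less than 300 seconds apart. This is an added example, not part of the original post and not Cisco tooling; it assumes classic syslog timestamps ("Mon DD HH:MM:SS"), treats entries within 60 seconds of each other as one run, and uses constructed sample lines.

```shell
#!/bin/sh
# Added example: spacing between Security Intelligence (iprep) download runs
# in a syslog-format file such as /var/log/messages.
# Only the timestamp and a case-insensitive "iprep" match are used; the
# message text is not interpreted, because its format is not shown on the page.

DOWNLOAD_TIMEOUT=300   # feed download timeout in seconds, per the post above
BURST_WINDOW=60        # assumption: entries this close belong to one run

# Constructed sample lines (hostname and message text are made up).
sample_log() {
cat <<'EOF'
Jun 12 06:03:17 fmc01 example: iprep download start (constructed)
Jun 12 06:03:19 fmc01 example: IPRep download done (constructed)
Jun 12 06:04:00 fmc01 example: unrelated line (constructed)
Jun 12 06:08:17 fmc01 example: iprep download start (constructed)
Jun 12 06:11:17 fmc01 example: iprep download start (constructed)
EOF
}

# iprep_gaps [FILE...] (reads stdin when no file is given)
# Prints one line per run after the first: "<HH:MM:SS> <gap_seconds> <OK|SHORT>"
# where the gap is measured between the first entries of consecutive runs.
iprep_gaps() {
    awk -v limit="$DOWNLOAD_TIMEOUT" -v window="$BURST_WINDOW" '
    tolower($0) ~ /iprep/ {
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (!seen) {
            start = now; seen = 1
        } else if (now < last) {
            start = now            # day counter went backwards (new month): gap unknown
        } else if (now - last > window) {
            gap = now - start
            printf "%s %d %s\n", $3, gap, (gap < limit ? "SHORT" : "OK")
            start = now
        }
        last = now
    }' "$@"
}

# With a file argument, analyse it; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    iprep_gaps "$@"
else
    sample_log | iprep_gaps
fi
```

A SHORT result means a new run began before the previous one could have hit the 300-second download timeout, which is the overlap the post warns about.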



Oliver Kaiser
Level 7

The minimum update frequency is 30 minutes. The default update frequency is 120 minutes.

You may change the interval at Objects > Object Management > Security Intelligence.

I have attached a screenshot showing the available update frequency intervals which are available for feeds.

I know it, that's why I ask about 1m or 5m. 30 minutes is a bit of a lag time. For example, there are active attacks and it is necessary to wait for 30 minutes; it is awful.

P.S. I mean a custom automatic blacklist

Folks,

 

Is there any change to the default update frequency, from 30 min to less than this, with new FMC versions?

 

Thanks!

30 minutes remains the minimum period for SI updates as of the current Firepower 6.4.0.3. I doubt that will change as it takes a certain amount of time to download and process the feeds themselves as they can be relatively large. You wouldn't want to try to get a new one while the old one was still downloading or else your system could lock up in a race condition.

Note that some things like URL lookup and AMP File reputation will be real time. It's only the Global Blacklists and Whitelists for IP reputation, URLs and DNS that depend on the SI feeds.

Is there a way to set this up exactly for 6:30 and a 30-minute frequency onwards? I have set it up for a 30-minute frequency but can see the update happening at random times. I would like to set it up for round figures (like 6:00, 6:30, 7:00 and onwards).

 

Any help?

Hi,

You can change the FMC SI update to a minimum of either 5 or 15 mins.

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/06/configuring-cisco-fmc-security.html

@johnlloyd_13 It looks like you can change the "Security Intelligence Network Lists and Feeds" (and TID feed if you have Threat Intelligence Director enabled) down to 5 minutes. However the "DNS and URL Intelligence Feed" cannot go below 30 minutes.

 

I just checked this on both a 6.2.3.14 and a 6.4.0.3 FMC. Can you confirm the same on your system?

Hi Marvin,

I used FMC 6.2.3. It should be the same as you've mentioned for the DNS and URL feeds.

It seems like it's still 30 min. @john - what you are referring to above is for the default Cisco Intelligence feed and TID feed, but if you go there and feed manually it will go to a minimum of 30 min - that's the minimum.

 

Unrelated...

Is there a way to confirm if the IP has been added to the manual feed or not via CLI or any other way?
