Anupam Pavithran
Cisco Employee

Introduction

This article describes the logs to check for Security Intelligence (SI) feeds, from the initial configuration of a feed through its periodic updates.

The information in this document is based on Cisco FMC and FTD that runs software Version 6.6.5 or later.

Verification

1. The logs shown below can be found in usmsharedsvcs.log when a new SI feed is configured. Here we have created an IP List feed named BANLIST.

Path on the FMC: /opt/CSCOpx/MDC/log/operation/usmsharedsvcs.log

USMS: 12-29 16:50:39 ** URL: POST https://localhost6/csm/api/object/IPListObject
USMS: 12-29 16:50:39 {
USMS: 12-29 16:50:39   "data": {
USMS: 12-29 16:50:39     "attributes": {
USMS: 12-29 16:50:39       "domain": {
USMS: 12-29 16:50:39         "uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"
USMS: 12-29 16:50:39       }
USMS: 12-29 16:50:39     },
USMS: 12-29 16:50:39     "data": {
USMS: 12-29 16:50:39       "listType": 2,
USMS: 12-29 16:50:39       "name": "BANLIST",
USMS: 12-29 16:50:39       "needUpdate": 1,
USMS: 12-29 16:50:39       "numOfIPv4": 0,
USMS: 12-29 16:50:39       "numOfIPv6": 0,
USMS: 12-29 16:50:39       "source": {
USMS: 12-29 16:50:39         "listURL": "https://www.binarydefense.com/banlist.txt",
USMS: 12-29 16:50:39         "updateFreq": 120,
USMS: 12-29 16:50:39         "verifyMethod": "MD5SUM"
USMS: 12-29 16:50:39       }
USMS: 12-29 16:50:39     },
USMS: 12-29 16:50:39     "isGroup": "false",
USMS: 12-29 16:50:39     "name": "BANLIST",
USMS: 12-29 16:50:39     "revision": 0,
USMS: 12-29 16:50:39     "tstamp": 1640796638994,
USMS: 12-29 16:50:39     "type": "IPListObject",
USMS: 12-29 16:50:39     "uuid": "73a9b852-68c7-11ec-b80e-b8a88d9a9218"
USMS: 12-29 16:50:39   },
USMS: 12-29 16:50:39   "requestID": "73b15abc68c711ecb80eb8a88d9a9218",
USMS: 12-29 16:50:39   "version": "6.6.5"
USMS: 12-29 16:50:39 }


2. The name and the unique identifier (UUID) of the configured SI feed can be found in the FMC's database. The output shown below is an example for IP lists; URL and DNS feeds can be checked in the same way with "eo_tool list URLListObject" and "eo_tool list DNSListObject" respectively. BANLIST and its associated UUID are marked with an arrow in the output.

root@FMC-SEVEN-HILLS:/var/log# eo_tool list IPListObject
  0. 8527413e-6167-11e1-a8bf-e99ce99bfdf1 (Cisco-Intelligence-Feed)
  1. d8eea83e-6167-11e1-a154-589de99bfdf1 (Global-Whitelist)
  2. c76556bc-6167-11e1-88e8-479de99bfdf1 (Global-Blacklist)
  3. 64ba6dde-ff4f-11e4-bd1f-94b1fb0f5dcb (Descendant-Whitelists_-_Global)
  4. fe771d90-ff55-11e4-add5-f249fb0f5dcb (Descendant-Blacklists_-_Global)
  5. abbaf1fa-6161-11e1-a1b1-e99ce9f1f2f3 (Cisco-TID-Feed)
  6. 73a9b852-68c7-11ec-b80e-b8a88d9a9218 (BANLIST)   <<----
  7. 03709ed4-faab-47af-bade-4435f8daee27 (Spyware)
  8. 937cf5e8-76d1-4ba2-a83c-475dc80c3845 (Ioc)
  9. A27C6AAE-8E52-4174-A81A-47C59FECC092 (Exploitkit)
 10. 5f8148f1-e5e4-427a-aa3b-ee1c2745c350 (Bogon)
 11. 1b117672-7453-478c-be31-b72e89ca1acb (Open_proxy)
 12. 8af156ca-8020-4608-9278-01b87458ea46 (Newly_seen)
 13. 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba (Spam)
 14. d3899830-d481-4773-b4e2-7daa7acf5e44 (Link_sharing)
 15. 6ba968f4-7a25-4793-a2c8-7cc77f1ff437 (Bots)
 16. abdc925f-4f85-4504-90a7-c891979ac517 (Cryptomining)
 17. 8c3e31be-ca41-43c8-87cb-82a35b0f20e2 (Malicious)
 18. 5a0b6d6b-e2c3-436f-b4a1-48248b330a26 (Attackers)
 19. 032ba433-c295-11e4-a919-d4ae5275a468 (Response)
 20. 23f2a124-8278-4c03-8c9d-d28fe08b5e98 (Malware)
 21. 60f4e2ab-d96c-44a0-bd38-830252b63f46 (CnC)
 22. 2CCDA18E-DDFF-4F5C-AF9A-F009852183F4 (Suspicious)
 23. b1df3aa8-2841-4c88-8e64-bfaacec7fedd (Dga)
 24. 02213098-6d94-4680-8ce8-2d0816389f56 (High_risk)
 25. 30f9e69c-d64c-479c-821d-0e4edab8217a (Open_relay)
 26. 2b15cb6f-a3fc-4e0e-a342-ccc5e5803263 (Tor_exit_node)
 27. d7d996a6-6b92-4a56-8f10-e8506e431ca5 (Phishing)
 28. bde824fd-36dd-4a7c-9cc1-80e40ac7aa35 (Banking_fraud)
 29. 14c19bfa-3188-11ec-b568-c54e4c4aa3d0 (TID IPv4 Block)
 30. 14c31a0c-3188-11ec-b568-c54e4c4aa3d0 (TID IPv4 Monitor)
 31. 14c45e26-3188-11ec-b568-c54e4c4aa3d0 (TID IPv6 Block)
 32. 14c577ca-3188-11ec-b568-c54e4c4aa3d0 (TID IPv6 Monitor)

3. Now check the feed download status on the FMC by grepping the messages log for the BANLIST UUID taken from the output above.

root@FMC-SEVEN-HILLS:/var/log# grep 73a9b852-68c7-11ec-b80e-b8a88d9a9218 messages | grep "Successfully downloaded" | tail
Dec 31 08:52:29 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 10:52:29 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 12:52:31 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 14:52:32 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 16:52:32 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 18:52:33 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 20:52:34 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 22:52:36 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Jan  1 00:52:31 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Jan  1 02:52:34 FMC-SEVEN-HILLS SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218

4. On the managed FTD, first list the IP list objects to get the UUID of the list to check. The next step uses the Global-Blacklist UUID.

root@FPR-1140-2:/ngfw/var/log# eo_tool list IPListObject
 0. 8527413e-6167-11e1-a8bf-e99ce99bfdf1 (Cisco-Intelligence-Feed)
 1. c76556bc-6167-11e1-88e8-479de99bfdf1 (Global-Blacklist)
 2. d8eea83e-6167-11e1-a154-589de99bfdf1 (Global-Whitelist)

5. Lastly, check the blacklist feed status by grepping the messages log for the Global-Blacklist UUID. If the feed has received any new additions, the "entries loaded" counter increases.

root@FPR-1140-2:/ngfw/var/log# grep c76556bc-6167-11e1-88e8-479de99bfdf1 messages | tail
Dec 31 18:57:04 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 18:57:04 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Dec 31 20:58:15 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 20:58:15 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Dec 31 22:55:17 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 22:55:17 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Jan  1 00:54:20 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Jan  1 00:54:20 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Jan  1 02:54:24 firepower-1140 SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Jan  1 02:54:24 firepower-1140 SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
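
The checks in steps 2, 3 and 5 reduce to a few grep chains over eo_tool output and the messages log. As an added example that is not part of the original article, the POSIX shell script below wraps those chains in functions that read log text from stdin, resolves a feed name to its UUID, reports the count and time of successful downloads on the FMC, and reports the change in the FTD's "entries loaded" counter between the last two loads. The sample lines are constructed to match the formats shown above, the hostnames are placeholders, and only the UUIDs are taken from the article's own output.

```shell
#!/bin/sh
# Added example, not from the original article: helper functions that apply the
# checks from steps 2, 3 and 5 to log text read from stdin, so the same grep
# chains can be run against the live files or against saved copies of them.

FEED_NAME="BANLIST"
FEED_UUID="73a9b852-68c7-11ec-b80e-b8a88d9a9218"      # BANLIST on the FMC (step 2)
FTD_LIST_UUID="c76556bc-6167-11e1-88e8-479de99bfdf1"  # Global-Blacklist on the FTD (step 4)

# Step 2: resolve a list name to its UUID from "eo_tool list IPListObject" output.
# -F keeps the parentheses literal; names with spaces (e.g. "TID IPv4 Block") work too.
feed_uuid_by_name() {
    grep -F "($1)" | awk '{ print $2 }' | head -n 1
}

# Step 3: number of "Successfully downloaded <uuid>" lines in the FMC messages log.
fmc_download_count() {
    grep -c "Successfully downloaded $1"
}

# Step 3: syslog timestamp (first 15 columns) of the most recent successful download.
fmc_last_download() {
    grep "Successfully downloaded $1" | tail -n 1 | cut -c1-15
}

# Step 5: "entries loaded" counter from the most recent load of the list's .blf file.
ftd_entries_loaded() {
    grep "$1.blf" | grep 'Reputation entries loaded' | tail -n 1 \
        | sed 's/.*entries loaded: \([0-9]*\),.*/\1/'
}

# Step 5: change in the counter between the last two loads (positive = new entries).
ftd_entries_delta() {
    grep "$1.blf" | grep 'Reputation entries loaded' \
        | awk -F 'entries loaded: ' '{ split($2, f, ","); prev = cur; cur = f[1] + 0 }
                                      END { if (NR > 1) print cur - prev; else print 0 }'
}

# Constructed sample of "eo_tool list IPListObject" output (step 2 format).
EO_SAMPLE='  0. 8527413e-6167-11e1-a8bf-e99ce99bfdf1 (Cisco-Intelligence-Feed)
  6. 73a9b852-68c7-11ec-b80e-b8a88d9a9218 (BANLIST)
 29. 14c19bfa-3188-11ec-b568-c54e4c4aa3d0 (TID IPv4 Block)'

# Constructed FMC messages lines (step 3 format); hostname is a placeholder.
FMC_SAMPLE='Dec 31 08:52:29 fmc-host SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Dec 31 10:52:29 fmc-host SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218
Jan  1 00:52:31 fmc-host SF-IMS[7498]: [9565] CloudAgent:IPReputation [INFO] Successfully downloaded 73a9b852-68c7-11ec-b80e-b8a88d9a9218'

# Constructed FTD messages lines (step 5 format); the counter grows on the last load.
FTD_SAMPLE='Dec 31 18:57:04 ftd-host SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 18:57:04 ftd-host SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Dec 31 20:58:15 ftd-host SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Dec 31 20:58:15 ftd-host SF-IMS[8670]:     Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)
Jan  1 00:54:20 ftd-host SF-IMS[8670]:     Processing blacklist file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf
Jan  1 00:54:20 ftd-host SF-IMS[8670]:     Reputation entries loaded: 1533, invalid: 2, re-defined: 0 (from file /ngfw/var/sf/iprep_download/c76556bc-6167-11e1-88e8-479de99bfdf1.blf)'

# Summarise the samples; on a real box pipe the live files in instead.
report() {
    uuid=$(printf '%s\n' "$EO_SAMPLE" | feed_uuid_by_name "$FEED_NAME")
    printf 'feed %s -> uuid %s\n' "$FEED_NAME" "$uuid"
    printf 'FMC: %s successful downloads, last at %s\n' \
        "$(printf '%s\n' "$FMC_SAMPLE" | fmc_download_count "$uuid")" \
        "$(printf '%s\n' "$FMC_SAMPLE" | fmc_last_download "$uuid")"
    printf 'FTD: entries loaded %s (change since previous load: %s)\n' \
        "$(printf '%s\n' "$FTD_SAMPLE" | ftd_entries_loaded "$FTD_LIST_UUID")" \
        "$(printf '%s\n' "$FTD_SAMPLE" | ftd_entries_delta "$FTD_LIST_UUID")"
}

report
```

On the FMC the same functions run against the live log with, for example, `fmc_last_download "$FEED_UUID" < /var/log/messages`, and on the FTD with `ftd_entries_delta "$FTD_LIST_UUID" < /ngfw/var/log/messages`; a delta of 0 across several update intervals while the FMC keeps logging successful downloads is the condition worth investigating.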

Comments
yuzaimee_yahaya
Level 1

What about the "Method Not Allowed 405" error received for a Network Feed over HTTP?

On version 6.5 there is no issue, but version 7.0.1 has this error when updating the feed.

Anupam Pavithran
Cisco Employee

@yuzaimee_yahaya 

You are likely hitting the defect below; I'd suggest opening a TAC case to verify the same.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz59464


//anupam

yuzaimee_yahaya
Level 1

@Anupam Pavithran 

Thanks for the info.

Currently working with TAC, and still troubleshooting. However, TAC tested in their lab on version 7.0.1 (my FMC is version 7.0.1, upgraded from version 6.5.0.2), and in the packets captured by tcpdump it is a GET request method from the lab FMC.

But from my FMC it is a POST request method. I will wait for the TAC engineer's confirmation after sharing this info.

Thanks

davparker
Level 1

Is this performed in expert mode, or in system support diagnostic?
