Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 5: Managing Reusable Objects
Working with Security Intelligence Lists and Feeds
The Network Objects pop-up window appears.
Step 4
Type a Name for the network object. You can use any printable standard ASCII characters except curly braces ({}).
Step 5
For each IP address or address block you want to add to the network object, type its value and click Add.
Step 6
Click Save.
The network object is added.
Working with Security Intelligence Lists and Feeds
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
The Security Intelligence feature allows you to specify, per access control policy, the traffic that can 
traverse your network based on the source or destination IP address. This is especially useful if you want 
to blacklist — deny traffic to and from — specific IP addresses, before the traffic is subjected to analysis 
by access control rules. Similarly, you can add IP addresses to the whitelist to force the system to handle 
their connections using access control.
If you are not sure whether you want to blacklist a particular IP address, you can use a “monitor-only” 
setting, which allows the system to handle the connection using access control, but also logs the 
connection’s match to the blacklist.
A global whitelist and global blacklist are included by default in every access control policy, and apply 
to any zone. Additionally, within each access control policy, you can build a separate whitelist and 
blacklist using a combination of network objects and groups as well as Security Intelligence lists and 
feeds, all of which you can constrain by security zone.
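The following Python sketch is an added illustration, not Cisco code: it models the decision described above for a single connection, with blacklist, whitelist, monitor-only and zone constraints. The `Entry` class, the function names and the sample addresses are hypothetical, and the model assumes that a whitelist match overrides a blacklist match.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    network: str                # IP address or address block
    zone: str = "any"           # security zone constraint; "any" = every zone
    monitor_only: bool = False  # blacklist only: log the match, do not deny

def matches(entry, src, dst, zone):
    """True if the source or destination IP falls in the entry for this zone."""
    if entry.zone not in ("any", zone):
        return False
    net = ipaddress.ip_network(entry.network, strict=False)
    return any(ipaddress.ip_address(a) in net for a in (src, dst))

def evaluate(src, dst, zone, whitelist, blacklist):
    """Return (action, logged_blacklist_matches) for one connection.

    "block": denied before access control rules see the traffic.
    "access_control": handed to the access control rules.
    """
    # Assumption of this model: a whitelist match overrides any blacklist match.
    if any(matches(e, src, dst, zone) for e in whitelist):
        return "access_control", []
    hits = [e for e in blacklist if matches(e, src, dst, zone)]
    logged = [e.network for e in hits]
    if any(not e.monitor_only for e in hits):
        return "block", logged
    # Only monitor-only entries matched (or none): pass on, keep the log.
    return "access_control", logged

# Constructed sample policy (documentation address ranges, not real indicators).
WHITELIST = [Entry("203.0.113.10")]
BLACKLIST = [
    Entry("203.0.113.0/24"),
    Entry("198.51.100.0/24", monitor_only=True),
    Entry("192.0.2.7", zone="external"),
]

if __name__ == "__main__":
    for src, dst, zone in [
        ("10.0.0.5", "203.0.113.99", "internal"),
        ("10.0.0.5", "203.0.113.10", "internal"),
        ("198.51.100.4", "10.0.0.5", "external"),
        ("192.0.2.7", "10.0.0.5", "internal"),
    ]:
        print(src, dst, zone, evaluate(src, dst, zone, WHITELIST, BLACKLIST))
```

The second sample connection shows why whitelisting a single address inside a blacklisted block is useful: it exempts that one host from the block without removing the rest of the block from the blacklist.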
Note
Although they have all other Protection capabilities by default, Series 2 devices cannot perform Security 
Intelligence filtering.
Comparing Feeds and Lists
A Security Intelligence feed is a dynamic collection of IP addresses that the Defense Center downloads 
from an HTTP or HTTPS server at the interval you configure. Because feeds are regularly updated, the 
system can use up-to-date information to filter your network traffic. To help you build blacklists, Cisco 
provides the Intelligence Feed, which represents IP addresses determined by the Cisco VRT to have a 
poor reputation. 
When the Defense Center downloads updated feed information, it automatically updates its managed 
devices. Although it may take a few minutes for a feed update to take effect throughout your deployment, 
you do not have to reapply access control policies after you create or modify a feed, or after a scheduled 
feed update. 
Note
If you want strict control over when the Defense Center downloads a feed from the Internet, you can 
disable automatic updates for that feed. However, Cisco recommends that you allow automatic updates. 
Although you can manually perform on-demand updates, allowing the system to download feeds on a 
regular basis provides you with the most up-to-date, relevant data.