Cisco Firepower Management Center 4000
5-5
FireSIGHT System User Guide
Chapter 5 Managing Reusable Objects
Working with Security Intelligence Lists and Feeds
A Security Intelligence list, in contrast to a feed, is a simple static list of IP addresses that you
manually upload to the Defense Center. Use custom lists to augment and fine-tune feeds and the global
whitelist and blacklist. Note that editing custom lists (as well as editing network objects and removing
IP addresses from the global whitelist or blacklist) requires an access control policy apply for your
changes to take effect.
Formatting and Corrupt Feed Data
Feed and list source files must be simple text files no larger than 500MB, with one IP address or address
block per line. Comment lines must start with the # character. List source files must use the .txt
extension.
If the Defense Center downloads a corrupt feed or a feed with no recognizable IP addresses, the system
continues using the old feed data (unless it is the first download). However, if the system can recognize
even one IP address in the feed, the Defense Center updates its managed devices with the addresses it
can recognize.
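The file rules and the corrupt-feed fallback described above, modelled in Python as an added example. This is not Cisco's parser: which address syntaxes the product accepts (IPv6, a block with host bits set) is an assumption here, and the sample feed is constructed from documentation address ranges.

```python
"""Model of the FireSIGHT Security Intelligence list/feed file rules.

Constructed illustration, not Cisco code. It applies the rules the guide
states (one IP address or block per line, comment lines start with '#',
list files use the .txt extension, 500MB maximum) and the documented
corrupt-feed fallback: keep the old data when nothing in the new download
is recognisable, otherwise load whatever is recognisable. Which address
syntaxes the real product accepts (IPv6, host bits set in a block) is an
assumption of this model.
"""
import ipaddress
from dataclasses import dataclass

MAX_SOURCE_BYTES = 500 * 1024 * 1024  # guide: "no larger than 500MB"

# Constructed sample feed; the addresses are documentation ranges, not threat data.
SAMPLE_FEED = """# constructed sample feed
192.0.2.10
198.51.100.0/24
2001:db8::/32
not-an-address
10.0.0.5/8
"""


@dataclass
class FeedResult:
    entries: list                # recognised networks, in file order
    rejected: list               # (line number, text) pairs the parser could not read
    used_previous: bool = False  # True when the old feed data was kept


def parse_feed_text(text):
    """Split feed contents into (recognised networks, rejected lines)."""
    recognised, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        try:
            # strict=False normalises a block with host bits set (10.0.0.5/8 -> 10.0.0.0/8);
            # a bare address becomes a /32 or /128 network.
            recognised.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((line_no, line))
    return recognised, rejected


def load_feed(new_text, previous_entries, first_download=False):
    """Apply the corrupt-feed rule: no recognisable address => keep old data."""
    recognised, rejected = parse_feed_text(new_text)
    if not recognised and not first_download:
        return FeedResult(list(previous_entries), rejected, used_previous=True)
    return FeedResult(recognised, rejected)


def check_list_source(filename, size_bytes):
    """Pre-upload checks for a custom list file; returns a list of problems."""
    problems = []
    if not filename.lower().endswith(".txt"):
        problems.append("list source files must use the .txt extension")
    if size_bytes > MAX_SOURCE_BYTES:
        problems.append(f"file is {size_bytes} bytes, above the 500MB limit")
    return problems


if __name__ == "__main__":
    first = load_feed(SAMPLE_FEED, [], first_download=True)
    print("loaded", [str(n) for n in first.entries], "rejected", first.rejected)
    # A later download with nothing recognisable keeps the earlier entries.
    later = load_feed("# feed host returned an error page\n<html>\n", first.entries)
    print("kept previous data:", later.used_previous, len(later.entries))
```

The rejected list is the part worth watching operationally: the guide says a partially readable feed is still pushed to managed devices, so a feed that silently loses most of its lines to a format change looks healthy unless you compare what was recognised against what was served.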
The default health policy includes the Security Intelligence module, which alerts in a few situations
involving Security Intelligence filtering, including if the Defense Center cannot update a feed, or if a
feed is corrupt or contains no recognizable IP addresses.
Internet Access and High Availability
The system uses port 443/HTTPS to download the Intelligence Feed, and either 443/HTTPS or 80/HTTP
to download custom or third-party feeds. To update feeds, you must open the appropriate port, both
inbound and outbound, on the Defense Center. If your Defense Center does not have direct access to the
feed site, it can use a proxy server (see
Note
The Defense Center does not perform peer SSL certificate verification when downloading custom feeds,
nor does the system support the use of certificate bundles or self-signed certificates to verify the remote
peer. In practice, a custom feed fetched over HTTPS is therefore no better authenticated than one fetched
over HTTP: anyone able to intercept traffic between the Defense Center and the feed host can substitute
feed contents. Host custom feeds on infrastructure you control and over a network path you trust, and
review the addresses a feed delivers before relying on it for blacklisting.
Although Security Intelligence objects are synchronized between Defense Centers in a high availability
deployment, only the primary Defense Center downloads feed updates. If the primary Defense Center
fails, you must not only make sure that the secondary Defense Center has access to the feed sites, but
also use the web interface on the secondary Defense Center to promote it to
Active. For more information, see
Managing Feeds and Lists
You create and manage Security Intelligence lists and feeds, collectively called Security Intelligence
objects, using the object manager’s Security Intelligence page. (For information on creating and
managing network objects and groups, see
.)
Note that you cannot delete a custom list or feed that is currently being used in a saved or applied access
control policy. You also cannot delete a global list, although you can remove individual IP addresses.
Similarly, although you cannot delete the Intelligence Feed, editing it allows you to disable or change
the frequency of its updates.
Security Intelligence Object Quick Reference
The following table provides a quick reference to the objects you can use to perform Security
Intelligence filtering.