FireSIGHT System User Guide
 
Chapter 5      Managing Reusable Objects 
  Working with Security Intelligence Lists and Feeds
For more information on creating, managing, and using Security Intelligence lists and feeds, see:
Working with the Global Whitelist and Blacklist
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
In the course of your analysis, you can build a Security Intelligence global blacklist by using the IP 
address context menu in an event view, the Context Explorer, or a dashboard. For example, if you notice 
a set of routable IP addresses in intrusion events associated with exploit attempts, you can immediately 
blacklist those IP addresses. You can also build a global whitelist in a similar fashion.
The system’s global whitelist and blacklist are included by default in every access control policy, and 
apply to any zone. You can opt not to use these global lists on a per-policy basis. 
When you add an IP address to a global list, the Defense Center automatically updates its managed 
devices. Although it may take a few minutes for your changes to take effect throughout your deployment, 
you do not have to reapply access control policies after adding an IP address to a global list. Conversely, 
after you delete IP addresses from the global whitelist or blacklist, you must apply your access control 
policies for your changes to take effect.
Note that although you can add network objects with a netmask of /0 to the whitelist or blacklist, address 
blocks using a /0 netmask in those objects will be ignored and whitelist and blacklist filtering will not 
occur based on those addresses. Address blocks with a /0 netmask from security intelligence feeds will
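The /0 caveat above is easy to miss in practice: an operator who drops 0.0.0.0/0 or ::/0 into a blacklist object gets no filtering from that entry and no warning in the policy. The following Python checker is an added example, not code from the FireSIGHT System or from Cisco; it assumes a custom list file holds one IP address or CIDR block per line (the "#" comment handling is a further assumption) and reports entries the system would ignore or reject before you upload the list, then shows that lookups against the remaining blocks behave the way the guide describes.

```python
import ipaddress

# Constructed sample: contents of a Security Intelligence custom list file,
# assumed to be one IP address or CIDR block per line (format is an assumption).
SAMPLE_LIST = """\
# addresses seen in exploit-attempt intrusion events (constructed sample)
203.0.113.7
198.51.100.0/24
0.0.0.0/0
2001:db8:abcd::/48
::/0
not-an-address
"""


def parse_list(text):
    """Split a custom list into (usable, ignored, invalid).

    usable  - ip_network objects the system will actually filter on
    ignored - syntactically valid /0 blocks; per the guide the system
              ignores these, so they are reported rather than silently kept
    invalid - lines that are not an IP address or CIDR block at all
    """
    usable, ignored, invalid = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comment stripping is an assumption
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            invalid.append(line)
            continue
        if net.prefixlen == 0:
            ignored.append(line)
        else:
            usable.append(net)
    return usable, ignored, invalid


def is_listed(ip, networks):
    """True if ip falls inside any usable block.

    Only the usable blocks are consulted, mirroring the guide's statement
    that no whitelist or blacklist filtering occurs based on /0 blocks.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    usable, ignored, invalid = parse_list(SAMPLE_LIST)
    print("usable :", [str(n) for n in usable])
    print("ignored:", ignored)   # would be silently dropped by the system
    print("invalid:", invalid)
    for probe in ("198.51.100.45", "8.8.8.8", "2001:db8:abcd::1"):
        print(probe, "listed" if is_listed(probe, usable) else "not listed")
```

Run it against a list before uploading it through the object manager: any entry it reports as ignored is one you believed was filtering traffic but was not, and 8.8.8.8 in the sample shows the effect, since the 0.0.0.0/0 line does not cause it to match.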
Table 5-1  Security Intelligence Object Capabilities

Capability: method of use
  Global Whitelist or Blacklist: in access control policies by default
  Intelligence Feed, Custom Feed, Custom List, Network Object: in any access control policy as either a whitelist or blacklist object

Capability: can be constrained by security zone?
  Global Whitelist or Blacklist: no
  Intelligence Feed: yes
  Custom Feed: yes
  Custom List: yes
  Network Object: yes

Capability: can be deleted?
  Global Whitelist or Blacklist: no
  Intelligence Feed: no
  Custom Feed, Custom List, Network Object: yes, unless currently being used in a saved or applied access control policy

Capability: object manager edit capabilities
  Global Whitelist or Blacklist: delete IP addresses only (add IP addresses using the context menu)
  Intelligence Feed: disable or change update frequency
  Custom Feed: fully modify
  Custom List: upload a modified list only
  Network Object: fully modify

Capability: requires access control policy reapply when modified?
  Global Whitelist or Blacklist: yes when deleting (adding IP addresses does not require reapply)
  Intelligence Feed: no
  Custom Feed: no
  Custom List: yes
  Network Object: yes