Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 5: Managing Reusable Objects
Working with Security Intelligence Lists and Feeds
Working with the Intelligence Feed
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
To help you build blacklists, Cisco provides the Intelligence Feed, which comprises several 
regularly updated lists of IP addresses determined by the VRT to have a poor reputation. Each list in the 
feed represents a specific category: open relays, known attackers, bogus IP addresses (bogon), and so 
on. In an access control policy, you can blacklist any or all of the categories. 
Because the intelligence feed is regularly updated, the system can use up-to-date information to filter 
your network traffic. Malicious IP addresses that represent security threats such as malware, spam, 
botnets, and phishing may appear and disappear faster than you can update and apply new policies.
Although you cannot delete the Intelligence Feed, editing it allows you to change the frequency of its 
updates. By default, the feed updates every two hours.
To modify the intelligence feed’s update frequency:
Access: Admin/Network Admin
Step 1
On the object manager’s Security Intelligence page, next to the Intelligence Feed, click the edit icon.
The Cisco Security Intelligence pop-up window appears.
Step 2
Edit the Update Frequency.
You can select from various intervals from two hours to one week. You can also disable feed updates.
Step 3
Click Save.
Your changes are saved.
Working with Custom Security Intelligence Feeds
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
Custom or third-party Security Intelligence feeds allow you to augment the Intelligence Feed with other 
regularly updated, reputable whitelists and blacklists on the Internet. You can also set up an internal feed, 
which is useful if you want to update multiple Defense Centers in your deployment using one source list.
When you configure a feed, you specify its location using a URL; the URL cannot be Punycode-encoded. 
By default, the Defense Center downloads the entire feed source on the interval you configure, then 
automatically updates its managed devices.
Optionally, you can configure the system to use an MD5 checksum to determine whether to download an 
updated feed. If the checksum has not changed since the last time the Defense Center downloaded the 
feed, the system does not need to re-download it. You may want to use MD5 checksums for internal feeds, 
especially if they are large. The MD5 checksum must be stored in a simple text file that contains only 
the checksum. Comments are not supported.
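
The following is an added example, not part of the Cisco guide or Cisco code. It shows one way to publish an internal feed together with a checksum file that contains only the MD5 digest, and it models the "re-download only if the checksum changed" decision described above. The file names, the helper names, and the sample feed entries are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def _atomic_write(path, data):
    """Write to a temp file in the same directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)


def publish_feed(feed_bytes, feed_path, md5_path):
    """Publish the feed, then its checksum file; return the hex digest."""
    digest = hashlib.md5(feed_bytes).hexdigest()
    # Feed first: if the checksum changed before the feed did, a poller could
    # fetch the old feed under the new checksum and then skip the real update.
    _atomic_write(feed_path, feed_bytes)
    # Only the checksum: no file name (as `md5sum` would print), no comments.
    _atomic_write(md5_path, digest.encode("ascii"))
    return digest


def checksum_file_ok(text):
    """True if the file holds one bare MD5 hex digest and nothing else."""
    return MD5_HEX.fullmatch(text.strip()) is not None


def needs_download(last_seen, published_text):
    """Model of the check described above: re-download only on a change."""
    if not checksum_file_ok(published_text):
        raise ValueError("checksum file must contain only the MD5 checksum")
    return published_text.strip().lower() != last_seen.lower()


if __name__ == "__main__":
    feed = b"192.0.2.10\n198.51.100.0/24\n"  # constructed sample entries
    with tempfile.TemporaryDirectory() as d:
        md5_path = os.path.join(d, "feed.md5")
        seen = publish_feed(feed, os.path.join(d, "feed.txt"), md5_path)
        with open(md5_path) as fh:
            print(needs_download(seen, fh.read()))    # unchanged feed
        print(checksum_file_ok(seen + "  feed.txt"))  # md5sum-style line
```

Here MD5 serves only as a change indicator for the download decision; the example does not treat it as an integrity or authenticity control for the feed.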