top of page

FMC | Security Intelligence Blacklisting

As a first line of defense against malicious Internet content, the Firepower System includes the Security

Intelligence feature, which allows you to immediately blacklist (block) connections based on the latest

reputation intelligence, removing the need for a more resource-intensive, in-depth analysis.

Security Intelligence works by blocking traffic to or from IP addresses, URLs, or domain names that have a

known bad reputation. This traffic filtering takes place before any other policy-based inspection, analysis, or

traffic handling (although it does occur after hardware-level handling, such as fast-pathing).

Note that you could create access control rules that perform a similar function to Security Intelligence filtering

by manually restricting traffic by IP address or URL. However, access control rules are wider in scope, more

complex to configure, and cannot automatically update using dynamic feeds.

Traffic blacklisted by Security Intelligence is immediately blocked and therefore is not subject to any further

inspection—not for intrusions, exploits, malware, and so on, but also not for network discovery. You can

override blacklisting with whitelisting to force access control rule evaluation, and, recommended in passive

deployments, you can use a “monitor-only” setting for Security Intelligence filtering. This allows the system

to analyze connections that would have been blacklisted, but also logs the match to the blacklist and generates

an end-of-connection security intelligence event.

Procedure to block some websites:

#1) In the Access Control Policy editor, click the Security Intelligence tab;

#2) Click the URLs tab to add New URL list;

#3) Change the Type box to "List", import your .txt file and upload it;

#4) Now you can deploy and test.

194 views0 comments

Recent Posts

See All

Securing IOS-XE Routing Protocols

Securing the routing information prevents an attacker from introducing false routing information into the network, which could be used as part of a Denial of Service (DoS) or Man-in-the-Middle (MiTM)

Cisco Duo Log Sync (DLS)

Duologsync (DLS) is a utility written by Duo Security that supports fetching logs from Duo endpoints and ingesting them to different SIEMs. Logging: A logging filepath can be specified in config.yml.

Umbrella VA logging to Remote Syslog Server

Syslog is a protocol that computer systems use to send event data logs to a central location for storage. Logs can then be accessed by analysis and reporting software to perform audits, monitoring, tr


bottom of page