Skip to main content



Cisco Defense Orchestrator

FTD Security Intelligence Policy

About Security Intelligence

The Security Intelligence policy gives you an early opportunity to drop unwanted traffic based on source/destination IP address or destination URL. The system drops the traffic on the blocked list before evaluating it with the access control policy, thus reducing the amount of system resources used.

You can block traffic based on the following:

  • Cisco Talos feeds—Cisco Talos provides access to regularly updated security intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations. The system downloads feed updates regularly, and thus new threat intelligence is available without requiring you to redeploy the configuration.

Note: Cisco Talos feeds are updated by default every hour. You can change the update frequency, and even update the feeds on demand, by logging into Firepower Device Manager and navigating from the home page: Device > Updates > View Configuration. 

  • Network and URL objects—If you know of specific IP addresses or URLs you want to block, you can create objects for them and add them to the Blocked list or the Allowed list.

You create separate blocked and allowed lists for IP addresses (networks) and URLs.

License Requirements for Security Intelligence

You must enable the Threat license on the FTD to use Security Intelligence.


For more information, see the Security Intelligence Feed Categories section of the Security Policies chapter of the appropriate Cisco FTD Configuration Guide for Firepower Device Manager