The Security Intelligence policy gives you an early opportunity to drop unwanted traffic based on source/destination IP address or destination URL. Any allowed connections are still evaluated by access control policies and might eventually be dropped. You must enable the Threat license to use Security Intelligence.
- On the Devices & Services page, select the Firepower Threat Defense (FTD) device for which you are going to create or edit a Security Intelligence policy.
- In the Management pane at the right, click Policy.
- In the FTD Policies page, click Security Intelligence in the policy bar.
- If the policy is not enabled, click the Security Intelligence slider to enable it or click Enable in the About Security Intelligence information box.
Note: You can disable Security Intelligence at any time by clicking the Security Intelligence toggle off. Your configuration is preserved, so that when you enable the policy again you do not need to reconfigure it.
- Select the row for Blocked List. Notice that, depending on your table view, there are plus signs in the networks, network objects, network feeds, URLs, URL objects, and URL feeds columns.
- Click the plus sign to add a network object, network feed, URL object, or URL Feed to the blocked list.
- In the Add Networks to Blocked List and Add URL Object to Blocked List dialog boxes, you can either search for an existing object or create a new one to suit your needs. Check the object you want to block and then click Select.
Note: Security Intelligence ignores IP address blocks using a /0 netmask. This includes the any-ipv4 and any-ipv6 network objects. Do not select these objects for network block-listing.
- In the Add URL Objects to Blocked List and Add Network Feeds to Blocked List dialog boxes, check a feed that you want to block and click Select. You can read the description of a feed by clicking the down arrow at the end of its row. The feeds are also described in Security Intelligence Feed Categories.
- If you know of networks, IP addresses, or URLs that are included in any of the network groups, network feeds, URL objects, or URL feeds you specified in the previous step and that you want to exempt from blocking, click the row for the Allowed List.
- Select or create objects for the networks, IP addresses, and URLs that you want to make exceptions for. When you click Select or Add they are added to the Allowed List row.
- Return to the Devices & Services page and click Preview and Deploy... to preview your changes and Deploy them to the device.
- (Optional) To log events generated by the Security Intelligence policy:
  - Click the Logging Settings icon to configure logging. If you enable logging, any matches to blocked list entries are logged. Matches to exception entries are not logged, although you get log messages if exempted connections match access control rules with logging enabled.
  - Enable event logging by clicking the Connection Events Logging toggle.
  - Choose where to send your events:
    - Clicking None saves events to your FTD. They are visible in the FDM Events viewer. Storage space on the FTD is very limited. It is best to store your connection events on a syslog server, by defining a syslog server object, instead of choosing None.
    - Clicking Create or Choose allows you to create or choose a syslog server, represented by a syslog server object, to send logging events to. Because event storage on the device is limited, sending events to an external syslog server can provide more long-term storage and enhance your event analysis.
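The following added example models the disposition rules described in the Blocked List, Allowed List, and logging steps above, so that you can check what a given policy would do to a connection before deploying it. It is illustrative code written for this page, not Cisco's implementation. The policy class, the `evaluate` function, the sample addresses and the URL host-matching rule are assumptions; the one stated behaviour it encodes is that /0 entries (including `any-ipv4` and `any-ipv6`) are ignored, that Allowed List entries exempt a connection that would otherwise be blocked, that only Blocked List matches are logged, and that non-matching connections go on to access control.

```python
"""Model of how a Security Intelligence policy disposes of a connection.

Added example for this page; it mirrors the rules stated in the steps above
and is not Cisco's code. Object names, sample addresses and the URL
host-matching rule are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union
from urllib.parse import urlsplit

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Built-in objects resolved to the prefix they represent (assumed mapping).
NAMED_OBJECTS = {"any-ipv4": "0.0.0.0/0", "any-ipv6": "::/0"}


@dataclass
class SecurityIntelligencePolicy:
    """A simplified Security Intelligence policy (hypothetical structure)."""
    enabled: bool = True
    logging_enabled: bool = False
    blocked_networks: List[str] = field(default_factory=list)   # CIDRs or object names
    blocked_urls: List[str] = field(default_factory=list)       # host names
    allowed_networks: List[str] = field(default_factory=list)   # exceptions
    allowed_urls: List[str] = field(default_factory=list)       # exceptions


@dataclass
class Verdict:
    action: str    # "drop", or "continue" (handed on to access control policies)
    logged: bool   # whether Security Intelligence itself logs the match
    reason: str


def usable_networks(entries: List[str]) -> List[IPNetwork]:
    """Parse network entries, dropping any /0 block.

    The page states that Security Intelligence ignores /0 netmasks, including
    any-ipv4 and any-ipv6, for block-listing. This example applies the same
    filter to the Allowed List as well (an assumption).
    """
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(NAMED_OBJECTS.get(entry, entry), strict=False)
        if net.prefixlen == 0:
            continue  # ignored by the policy
        nets.append(net)
    return nets


def ip_in(nets: List[IPNetwork], ip: str) -> bool:
    """True if ip falls inside any network of the same address family."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in nets)


def url_matches(entries: List[str], url: str) -> bool:
    """Assumed matching rule: the URL's host equals an entry or is a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == e or host.endswith("." + e) for e in (x.lower() for x in entries))


def evaluate(policy: SecurityIntelligencePolicy, src_ip: str, dst_ip: str,
             dst_url: Optional[str] = None) -> Verdict:
    """Decide what Security Intelligence does with one connection."""
    if not policy.enabled:
        return Verdict("continue", False, "Security Intelligence disabled")
    allowed_nets = usable_networks(policy.allowed_networks)
    blocked_nets = usable_networks(policy.blocked_networks)
    # Allowed List exceptions take precedence and are not logged here; the
    # connection is still evaluated by access control rules afterwards.
    if (ip_in(allowed_nets, src_ip) or ip_in(allowed_nets, dst_ip)
            or (dst_url is not None and url_matches(policy.allowed_urls, dst_url))):
        return Verdict("continue", False, "Allowed List exception")
    # Blocked List matches are dropped early and logged if logging is enabled.
    if ip_in(blocked_nets, src_ip) or ip_in(blocked_nets, dst_ip):
        return Verdict("drop", policy.logging_enabled, "Blocked List network match")
    if dst_url is not None and url_matches(policy.blocked_urls, dst_url):
        return Verdict("drop", policy.logging_enabled, "Blocked List URL match")
    return Verdict("continue", False, "no match; evaluated by access control")


if __name__ == "__main__":
    # Constructed sample policy using documentation address ranges.
    policy = SecurityIntelligencePolicy(
        logging_enabled=True,
        blocked_networks=["203.0.113.0/24", "any-ipv4"],   # any-ipv4 is ignored
        blocked_urls=["bad.example"],
        allowed_networks=["203.0.113.10/32"],
        allowed_urls=["safe.bad.example"],
    )
    for src, dst, url in [("198.51.100.5", "203.0.113.7", None),
                          ("198.51.100.5", "203.0.113.10", None),
                          ("198.51.100.5", "192.0.2.1", None),
                          ("198.51.100.5", "192.0.2.1", "https://www.bad.example/login"),
                          ("198.51.100.5", "192.0.2.1", "https://safe.bad.example/")]:
        v = evaluate(policy, src, dst, url)
        print(f"{src} -> {dst} {url or '':32} {v.action:8} logged={v.logged}  {v.reason}")
```

Running the script prints one line per constructed connection. The third case shows why the note about /0 objects matters: with `any-ipv4` on the Blocked List the address outside 203.0.113.0/24 is still passed on to access control rather than dropped, because the /0 entry is silently ignored.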