Security intelligence
Security Intelligence is an early line of defense against malicious internet content that
- uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names through Security Intelligence block listing,
- operates as the first phase of access control, before the system performs more resource-intensive evaluation, and
- improves performance by quickly excluding traffic that does not require inspection.
Security intelligence capabilities and limitations
Security Intelligence provides both automated threat protection and customizable security controls:
- Cisco intelligence feeds: Cisco provides access to regularly updated intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations.
- Custom Block lists: You can configure custom Block lists to supplement Cisco's intelligence feeds.
- Do Not Block lists: These exempt traffic from being blocked by a Block list, but do not automatically trust or fastpath matching traffic.
- Monitor-only Block lists: These allow monitoring of traffic without blocking it, ensuring traffic is subject to further analysis with the rest of access control.
Note: You cannot use a Block list to block fastpathed traffic. Prefilter evaluation occurs before Security Intelligence filtering. Fastpathed traffic bypasses all further evaluation, including Security Intelligence.
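The evaluation order described above can be checked against a small model. This is an added example, not Cisco code: the policy structure, list names, verdict strings, and addresses are constructed for illustration, and it assumes simple per-address matching on IP lists only.

```python
import ipaddress

# Constructed policy using private and documentation address ranges; not real feed data.
POLICY = {
    "prefilter_fastpath": ["10.10.0.0/16"],   # hypothetical fastpath rule
    "do_not_block": ["203.0.113.50/32"],
    "block": ["203.0.113.0/24"],
    "monitor": ["198.51.100.0/24"],           # monitor-only Block list
}

def on_list(ip, networks):
    """True if ip falls inside any network on the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)

def evaluate(src, dst, policy=POLICY):
    """Return (verdict, events) for one connection in this simplified model."""
    events = []
    endpoints = (src, dst)  # block listing applies to connections to or from an address
    # 1. Prefilter runs first; fastpathed traffic skips every later phase.
    if any(on_list(ip, policy["prefilter_fastpath"]) for ip in endpoints):
        return "fastpath", events
    # 2. Security Intelligence, before the more resource-intensive evaluation.
    for ip in endpoints:
        if on_list(ip, policy["do_not_block"]):
            continue  # exempt from Block lists, but not trusted (per-address, assumed)
        if on_list(ip, policy["block"]):
            return "block", events
        if on_list(ip, policy["monitor"]):
            events.append("monitor:" + ip)  # recorded only; traffic is not dropped
    # 3. Everything not blocked continues to the rest of access control.
    return "access_control", events

if __name__ == "__main__":
    for src, dst in [("10.10.1.5", "203.0.113.7"),     # fastpathed despite Block list
                     ("192.0.2.10", "203.0.113.7"),    # blocked
                     ("192.0.2.10", "203.0.113.50"),   # Do Not Block: still inspected
                     ("192.0.2.10", "198.51.100.9")]:  # monitor-only: logged, inspected
        print(src, "->", dst, evaluate(src, dst))
```

The first case is the one the note warns about: a destination on the Block list is still reached when a prefilter rule fastpaths the connection.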