Best Practices for Security Intelligence

  • Configure your access control policies to block threats detected by Cisco-provided Security Intelligence feeds. See Configuration Example: Security Intelligence Blocking.

  • If you want to supplement the Cisco-provided Security Intelligence feeds with custom threat data, or manually block emerging threats:

  • To test new feeds, or for passive deployments, set the action from block to monitor only. See Security Intelligence Monitoring.

  • If you need to exclude specific sites or addresses from Security Intelligence blocking, see Override Security Intelligence Blocking.

  • If your Firepower deployment is integrated with Cisco XDR and you use custom Security Intelligence lists and feeds, be sure to update Security Services Exchange with these lists and feeds. For details, see instructions for configuring auto-promotion of events in the Security Services Exchange online help.

  • System-provided Security Intelligence categories may change over time and without notification; you should plan to check periodically for changes, and modify your policies accordingly.

  • You should also configure URL filtering, a separate feature with separate licensing requirements, for further protection against malicious sites. See URL Filtering Rules.

  • To reduce latency and CPU overhead, avoid referencing a single, massive SI feed object across your entire security policy. Instead, use custom objects to create smaller, targeted subsets of your intelligence data.

  • Using URL/Domain feeds instead of IP blocklists can reduce CPU overhead because domain filtering is generally more efficient and less resource-intensive than managing massive IP blocklists.

  • Excluding trusted IPs by adding known-good or essential partner IP addresses to a "Do Not Block" list in Security Intelligence (SI) helps reduce CPU overhead, because the firewall or security device bypasses unnecessary scanning and deeper inspection for these IPs.
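The last three points (smaller targeted list objects, preferring domain lists where possible, and keeping Do Not Block entries from colliding with block entries) are easy to get wrong by hand when the source feed is large. The following Python script is an added example, not Cisco code and not part of this guide: it takes a raw feed, validates every indicator, splits the feed into per-category IP and domain lists, collapses overlapping networks so each list is as small as possible, and reconciles the result against a Do Not Block file. The CSV feed, the Do Not Block file, the category names and the output file names (`si-ip-<category>.txt`, `si-domain-<category>.txt`) are all constructed for the example; the only format assumption about the device is that a custom list is one indicator per line with `#` comments. A block entry that is fully covered by a Do Not Block entry is dropped as dead weight (the Do Not Block entry wins anyway), while a block network that is broader than a trusted address is kept but flagged so an administrator can review whether the CIDR is over-broad.

```python
"""Prepare per-category Security Intelligence list files from a large feed.

Added example; not Cisco code. Feed format, Do Not Block file and output
names are constructed for illustration.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# RFC 1123 hostname labels; anything that is neither an IP/CIDR nor a hostname
# is rejected instead of being pushed to the device as a malformed entry.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Constructed sample feed: indicator plus the category it belongs to.
FEED_CSV = """indicator,category
198.51.100.7,c2
198.51.100.8,c2
203.0.113.0/24,scanner
203.0.113.77,scanner
evil.example,phishing
EVIL.example.,phishing
login.partner.example,phishing
not a host!,c2
2001:db8::1,c2
"""

# Constructed Do Not Block file: one indicator per line, '#' comments.
DO_NOT_BLOCK = """# partner allowances (constructed)
203.0.113.10   # partner VPN endpoint, sits inside a listed /24
partner.example
198.51.100.8
"""


def classify(raw):
    """Return ("ip", ip_network), ("domain", name) or (None, raw) for one indicator."""
    text = raw.strip().lower().rstrip(".")
    if not text:
        return (None, raw)
    try:
        return ("ip", ipaddress.ip_network(text, strict=False))
    except ValueError:
        pass
    if len(text) <= 253 and DOMAIN_RE.match(text):
        return ("domain", text)
    return (None, raw)


def parse_do_not_block(lines):
    """Parse the Do Not Block file into (trusted networks, trusted domains)."""
    nets, domains = [], set()
    for line in lines:
        kind, value = classify(line.split("#", 1)[0])
        if kind == "ip":
            nets.append(value)
        elif kind == "domain":
            domains.add(value)
    return nets, domains


def _domain_under(name, trusted_domains):
    return any(name == t or name.endswith("." + t) for t in trusted_domains)


def _fmt(net):
    # Host entries are written without a /32 or /128 suffix.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def build_lists(feed_rows, do_not_block_lines):
    """Return (lists, dropped, flagged, rejected) for (indicator, category) rows."""
    trusted_nets, trusted_domains = parse_do_not_block(do_not_block_lines)
    ip_buckets, domain_buckets = defaultdict(list), defaultdict(set)
    dropped, flagged, rejected = [], [], []
    for indicator, category in feed_rows:
        kind, value = classify(indicator)
        cat = category.strip().lower() or "uncategorized"
        if kind == "ip":
            same = [t for t in trusted_nets if t.version == value.version]
            if any(value.subnet_of(t) for t in same):
                dropped.append(indicator)        # fully covered by Do Not Block
                continue
            if any(t.subnet_of(value) for t in same):
                flagged.append(indicator)        # broader than a trusted host: review
            ip_buckets[cat].append(value)
        elif kind == "domain":
            if _domain_under(value, trusted_domains):
                dropped.append(indicator)
                continue
            domain_buckets[cat].add(value)       # set() dedupes case/dot variants
        else:
            rejected.append(indicator)
    lists = {}
    for cat, nets in ip_buckets.items():
        # Merge overlapping and adjacent networks so the device matches fewer entries.
        v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
        v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
        lists[f"si-ip-{cat}.txt"] = [_fmt(n) for n in list(v4) + list(v6)]
    for cat, names in domain_buckets.items():
        lists[f"si-domain-{cat}.txt"] = sorted(names)
    return lists, dropped, flagged, rejected


def demo():
    rows = [(r["indicator"], r["category"]) for r in csv.DictReader(io.StringIO(FEED_CSV))]
    return build_lists(rows, DO_NOT_BLOCK.splitlines())


if __name__ == "__main__":
    lists, dropped, flagged, rejected = demo()
    for name, entries in lists.items():
        print(f"{name}: {entries}")
    print("dropped (covered by Do Not Block):", dropped)
    print("flagged for review (broader than a trusted entry):", flagged)
    print("rejected (malformed):", rejected)
```

In the sample run the `scanner` list collapses `203.0.113.0/24` and `203.0.113.77` into the single `/24`, the duplicate `EVIL.example.` folds into `evil.example`, `198.51.100.8` and `login.partner.example` are dropped because the Do Not Block file already covers them, and `203.0.113.0/24` is flagged because the partner endpoint `203.0.113.10` sits inside it. Each output list can then be imported as its own custom object and referenced only in the access control policies that need it.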