Configure Firepower Security Intelligence Policy

Procedure


Step 1

In the navigation pane, click Inventory.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and select the FDM-managed device for which you are going to create or edit a security intelligence policy.

Step 4

In the Management pane at the right, click Policy.

Step 5

In the FDM-managed device Policies page, click Security Intelligence in the policy bar.

Step 6

If the policy is not enabled, click the Security Intelligence slider to enable it or click Enable in the About Security Intelligence information box.

Note

You can disable Security Intelligence at any time by clicking the Security Intelligence toggle off. Your configuration is preserved, so that when you enable the policy again you do not need to reconfigure it.

Step 7

Select the row for Blocked List. Notice that, depending on your table view, there are plus signs in the networks, network objects, network feeds, URLs, URL objects, and URL feeds columns.

  • In the Add Networks to Blocked List dialog box and Add URL Object to Blocked List dialog box, you can search for an existing object or create one to suit your needs. Check the object you want to block and then click Select.

    Note

    Security Intelligence ignores IP address blocks using a /0 netmask. This includes the any-ipv4 and any-ipv6 network objects. Do not select these objects for network block-listing.

  • In the Add URL Objects to Blocked List and Add Network Feeds to Blocked List dialog, check a feed that you want to block and click Select. You can read the description of the feed by clicking the down arrow at the end of the feed row. They are also described in Security Intelligence Feed Categories.

Step 8

If any of the network groups, network feeds, URL objects, or URL feeds you specified in the previous step contain networks, IP addresses, or URLs that you want to exempt from blocking, click the row for the Allowed List.

Step 9

Select or create objects for the networks, IP addresses, and URLs that you want to make exceptions for. When you click Select or Add they are added to the Allowed List row.

Step 10

(Optional) To log events generated by the Security Intelligence policy:

  1. Click the Logging Settings icon to configure logging. If you enable logging, any matches to blocked list entries are logged. Matches to exception entries are not logged, although you get log messages if exempted connections match access control rules with logging enabled.

  2. Enable event logging by clicking the Connection Events Logging toggle.

  3. Choose where to send your events:

    • Clicking None saves events to your FDM-managed device. They are visible in the FDM Events viewer. Storage space on the FDM-managed device is very limited. It is best to store your connection events on a syslog server, by defining a syslog server object, instead of choosing None.

    • Clicking Create or Choose allows you to create or choose a syslog server, represented by a syslog server object, to send logging events to. Because event storage on the device is limited, sending events to an external syslog server can provide more long-term storage and enhance your event analysis.

    If you have a subscription to Cisco Security Analytics and Logging, send events to a Secure Event Connector by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature.
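The following is an added illustration, not Cisco's code and not the device's implementation: a small model of the evaluation rules stated in Steps 7 through 10, namely that Allowed List entries take precedence as exceptions, that /0 network entries (any-ipv4, any-ipv6) are ignored, and that only Blocked List matches are logged when Connection Events Logging is on. The list entries and test addresses are constructed (RFC 5737 documentation ranges and an example.com URL); URL matching by prefix is a simplification assumed here for illustration.

```python
"""Model of Security Intelligence list evaluation (added illustration, not
Cisco's implementation). Entries are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Verdict:
    action: str            # "block", "exception", or "no_match"
    matched: str = ""      # the list entry that matched, if any
    logged: bool = False   # True only for Blocked List matches with logging on


@dataclass
class SecurityIntelligencePolicy:
    blocked_networks: list = field(default_factory=list)
    allowed_networks: list = field(default_factory=list)
    blocked_urls: list = field(default_factory=list)
    allowed_urls: list = field(default_factory=list)
    logging_enabled: bool = False   # the Connection Events Logging toggle

    @staticmethod
    def _is_ignored(entry: str) -> bool:
        # Security Intelligence ignores /0 blocks (any-ipv4 / any-ipv6).
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0

    def ignored_entries(self) -> list:
        """Entries the policy silently ignores; worth flagging before deploying."""
        return [e for e in self.blocked_networks + self.allowed_networks
                if self._is_ignored(e)]

    def _first_network_match(self, ip: str, entries: list) -> str:
        addr = ipaddress.ip_address(ip)
        for entry in entries:
            if self._is_ignored(entry):
                continue
            if addr in ipaddress.ip_network(entry, strict=False):
                return entry
        return ""

    def evaluate_ip(self, ip: str) -> Verdict:
        # Allowed List exceptions win; they are handed to access control
        # and are not logged by Security Intelligence itself.
        hit = self._first_network_match(ip, self.allowed_networks)
        if hit:
            return Verdict("exception", hit, logged=False)
        hit = self._first_network_match(ip, self.blocked_networks)
        if hit:
            return Verdict("block", hit, logged=self.logging_enabled)
        return Verdict("no_match")

    def evaluate_url(self, url: str) -> Verdict:
        # Simplified prefix match, an assumption for this illustration.
        for entry in self.allowed_urls:
            if url.startswith(entry):
                return Verdict("exception", entry, logged=False)
        for entry in self.blocked_urls:
            if url.startswith(entry):
                return Verdict("block", entry, logged=self.logging_enabled)
        return Verdict("no_match")


def build_sample_policy(logging_enabled: bool = True) -> SecurityIntelligencePolicy:
    """Constructed sample: block a /24, exempt one host, include a /0 by mistake."""
    return SecurityIntelligencePolicy(
        blocked_networks=["203.0.113.0/24", "0.0.0.0/0"],
        allowed_networks=["203.0.113.10/32"],
        blocked_urls=["http://malicious.example.com/"],
        allowed_urls=["http://malicious.example.com/safe/"],
        logging_enabled=logging_enabled,
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    print("ignored:", policy.ignored_entries())
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.5"):
        print(ip, policy.evaluate_ip(ip))
    print(policy.evaluate_url("http://malicious.example.com/safe/page"))
```

Running `ignored_entries()` before deployment is the useful part of this model: a `0.0.0.0/0` or `::/0` entry is accepted by the object picker but contributes nothing to blocking, so its presence usually signals a mistaken object selection.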

Step 11

(Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments, see Adding Comments to Rules in FTD Policies and Rulesets.

Step 12

Review the changes you made and deploy them now, or wait and deploy multiple changes at once.