Security Intelligence Sources
- System-provided feeds
Cisco provides access to regularly updated intelligence feeds for domains, URLs and IP addresses. For more information, see Security Intelligence.
- Third-party feeds
Optionally, supplement Cisco-provided feeds with third-party reputation feeds, which are dynamic lists that the Secure Firewall Management Center downloads from the internet on a regular basis. See Custom Security Intelligence Feeds.
- Custom Block lists or feeds (or objects or groups)
Block specific IP addresses, URLs, or domain names using a manually created list or feed. (For IP addresses, you can also use network objects or groups.)
For example, if you become aware of malicious sites or addresses that are not yet blocked by a feed, add these sites to a custom Security Intelligence list and add this custom list to the Block list in the Security Intelligence tab of your access control policy, as described in Custom Security Intelligence Lists and Configure Security Intelligence.
For IP addresses, you can optionally use network objects rather than lists or feeds for this purpose; for information, see Network. (For URLs, using lists and feeds is strongly recommended over other methods.)
- Custom Do Not Block lists or feeds
Override Security Intelligence blocking for specific sites or addresses. See Override Security Intelligence Blocking.
- Global Block lists (one each for Network, URL and DNS)
While reviewing events, you can immediately add an event's IP address, URL, or domain to the applicable Global Block List so that Security Intelligence will handle future traffic from that source. See Global and Domain Security Intelligence Lists.
- Global Do Not Block lists (one each for Network, URL and DNS)
While reviewing events, you can immediately add an event's IP address, URL, or domain to the applicable Global Do Not Block List if you do not want Security Intelligence to block future traffic from that source. See Global and Domain Security Intelligence Lists.