Configuration Example: Security Intelligence Blocking

Configure your access control policy to block all threats detectable by the system's regularly updated Security Intelligence feeds.

The number of objects in the Block lists plus the number in the Do Not Block lists cannot exceed 125 network objects, or 32767 URL objects and lists.

Note

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Caution

From Security Intelligence in an access control policy, adding multiple objects to a Do Not Block list or Block list, or deleting multiple objects, sometimes restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. Note that whether the Snort process restarts can vary by device, depending on the memory available for inspection.

Before you begin

  • To ensure that all options are available to select, add at least one managed device to your management center.

  • Configure a DNS policy to block all Security Intelligence threat categories for domains. For more information, see DNS Policies.

  • If you have, or will have, custom lists of entities to block, create a Security Intelligence object of each type (URLs, DNS, Networks). See Security Intelligence Lists and Feeds.
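
A custom list is the one Security Intelligence input you author yourself, and a Block list entry takes effect before any access control rule is evaluated, so a mistaken entry (an internal range, a default route, a typo) cannot be rescued by a later Allow rule. The following script is an added example, not code from the original page or from Cisco: it lints a custom network list before upload. It assumes the upload format is one IPv4/IPv6 address or CIDR block per line with blank lines and `#` comments ignored, and the NEVER_BLOCK set and the sample entries are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a custom Security Intelligence network list in the
# assumed upload form: one IPv4/IPv6 address or CIDR block per line; blank
# lines and '#' comments are ignored. The addresses are documentation ranges
# (RFC 5737 / RFC 3849) standing in for real indicators.
SAMPLE_LIST = """\
# scanners seen hitting the DMZ (constructed example)
203.0.113.7
203.0.113.0/28        # wider block that already covers the host above
2001:db8:bad::/48
198.51.100.5
198.51.100.5          # exact duplicate
10.20.30.0/24         # internal range: a Block list entry here is an outage
0.0.0.0/0             # blackholes all traffic
203.0.113.5/28        # host bits set: ambiguous, reject rather than guess
not-an-address
"""

# Address space that must never appear in a Block list. This is an assumed,
# operator-defined set (RFC 1918, loopback, link-local, IPv6 ULA); tailor it.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128",
    "169.254.0.0/16", "fe80::/10",
    "fc00::/7",
)]


def _render(net) -> str:
    """Host entries are written as a bare address, everything else as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def lint_si_network_list(text: str) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Validate and normalize a custom Security Intelligence network list.

    Returns (accepted, rejected, warnings):
      accepted - de-duplicated, collapsed entries ready to upload, in address order
      rejected - lines that are not a valid address or strictly formed network
      warnings - (entry, reason) for valid entries that would block address space
                 no Block list should contain; Security Intelligence blocking is
                 applied before access control rules, so nothing downstream
                 catches such an entry.
    """
    kept = []
    rejected: List[str] = []
    warnings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: host bits set is an error
        except ValueError:
            rejected.append(entry)
            continue
        if net.prefixlen == 0:
            warnings.append((entry, "matches every address"))
            continue
        hit = next((n for n in NEVER_BLOCK if net.overlaps(n)), None)
        if hit is not None:
            warnings.append((entry, f"overlaps {hit.with_prefixlen}"))
            continue
        kept.append(net)
    # collapse_addresses drops duplicates and entries covered by a wider one and
    # merges adjacent blocks; it accepts only one address family per call.
    collapsed = []
    for version in (4, 6):
        same = [n for n in kept if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return [_render(n) for n in collapsed], rejected, warnings


if __name__ == "__main__":
    accepted, rejected, warnings = lint_si_network_list(SAMPLE_LIST)
    print("upload:\n" + "\n".join(accepted))
    for entry in rejected:
        print(f"rejected: {entry}")
    for entry, reason in warnings:
        print(f"WARNING: {entry}: {reason}")
```

Run it against the file you intend to upload and treat any warning as a stop: the covered-by-wider-prefix collapse also keeps the list small, which matters because the Block and Do Not Block totals are capped per the limits stated above.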

Procedure


Step 1

Click Policies > Access Control.

Step 2

Create a new access control policy or edit an existing policy.

Step 3

In the access control policy editor, click Security Intelligence.

If the controls are dimmed, settings are inherited from an ancestor policy, or you do not have permission to modify the configuration. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.

Step 4

Click Networks to add blocking criteria for IP addresses.

  1. Scroll down in the Networks list and select all of the threat categories listed below the Global lists.

  2. If applicable, select the security zones for which you want to block these threats.

  3. Click Add to Block List.

  4. If you have created custom lists or feeds with addresses to block, add those to the Block List using the same steps as above.

Step 5

Click URLs to add blocking criteria for URLs, and repeat the steps you followed for Networks.

Step 6

Choose a DNS policy from the DNS Policy drop-down list; see DNS Policy Overview.

Step 7

Click Save.


What to do next