Configure Security Intelligence

Each access control policy has Security Intelligence options. You can add network objects, URL objects and lists, and Security Intelligence feeds and lists to a Block list or Do Not Block list, and constrain any of these by security zone. You can also associate a DNS policy with your access control policy, and add domain names to a Block or Do Not Block list.

The number of objects in the Do Not Block lists plus the number in the Block lists cannot exceed 125 network objects, or 32767 URL objects and lists.

Note

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Caution

From Security Intelligence in an access control policy, adding multiple objects to a Block or Do Not Block list, or deleting multiple objects, sometimes restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. Note that whether the Snort process restarts can vary by device, depending on the memory available for inspection.

Before you begin

Tip: For guidance on minimum configuration recommendations, see also Configuration Example: Security Intelligence Blocking.
To ensure that all options are available to select, add at least one managed device to your management center.
In passive deployments, or if you want to set Security Intelligence filtering to monitor-only, enable logging; see Logging Connections with Security Intelligence.
Configure a DNS policy to take Security Intelligence action for domains. For more information, see DNS Policies.

Procedure

Step 1

In the access control policy editor, click Security Intelligence.

If the controls are dimmed, settings are inherited from an ancestor policy, or you do not have permission to modify the configuration. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.

Step 2

You have the following options:

Click Networks to add network objects (IP addresses).
Click URLs to add URL objects.

Step 3

Find the Available Objects you want to add to the Block or Do Not Block list. You have the following options:

Search the available objects by typing in the Search by name or value field. Clear the search string by clicking Reload () or Clear ().
If no existing list or feed meets your needs, click Add (), select New Network List or New URL List, and proceed as described in Creating Security Intelligence Feeds or Uploading New Security Intelligence Lists to the Cisco Defense Orchestrator.
If no existing object meets your needs, click Add (), select New Network Object or New URL Object, and proceed as described in Creating Network Objects.

Security Intelligence ignores IP address blocks using a /0 netmask.

Step 4

Choose one or more Available Objects to add.

Step 5

(Optional) Choose an Available Zone to constrain the selected objects by zone.

You cannot constrain system-provided Security Intelligence lists by zone.

Note

The Any zone for an SI list applies only to interfaces that are part of a security zone. However, an exception is that if a device does not have any interfaces associated with a security zone, then the Any zone will match any interface.

For example, if you have five interfaces on a device and none of them are associated with a security zone, any SI list that is assigned to the Any zone will be inspected against traffic on ALL interfaces on the device. If you add one interface to a security zone on that device, it effectively would remove SI inspection on the other four interfaces, where the zone is set to Any for an SI list. If you add the other four interfaces to a security zone, they will be evaluated by the SI list attached to the Any zone.

Step 6

Click Add to Do Not Block list or Add to Block list, or click and drag the selected objects to either list.

To remove an object from a Block or Do Not Block list, click Delete ( delete icon ) To remove multiple objects, choose the objects and right-click to Delete Selected.

Step 7

(Optional) Set objects on the Block list to monitor-only by right-clicking the object under Block List, then choosing Monitor-only (do not block).

You cannot set system-provided global Security Intelligence lists to monitor only.

Step 8

Choose a DNS policy from the DNS Policy drop-down list.

Step 9

Click Save.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.