About Firepower Management Center (FMC)
Firewall Management Center (FMC) provides comprehensive information about the network users, applications, devices, threats, and vulnerabilities and analyzes your network constantly. FMC then provides tailored recommendations regarding security policies to implement, plus the prioritization of security events to investigate.
Block an IP on FMC
Unblock an IP on FMC
Block a domain on FMC
Unblock a domain on FMC
Block a URL on FMC
Unblock a URL on FMC
Enable Firewall Management Center EDL App in SIRP
1. First, log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the app named Firewall Management Center EDL.
3. Enable the Firewall Management Center EDL app by clicking on the toggle button under Status.
4. Once enabled, click on the configuration button to add the following configuration:
Configuration Name: <string with no spaces>
EDL-Name: <string with no spaces>
5. Execute the supported actions (block or unblock an IP, domain or URL) one by one on a particular container (incident or alert) or from the Automation Playground.
6. As each action is executed, you get a unique URL for its EDL file. For example:
Use these URLs to configure the EDL in the Cisco Firewall Management Center by following these steps:
Configure Firewall Management Center External Dynamic Lists
Open your FMC instance and select Object > Security Intelligence > Network Lists and Feed.
Add Network Lists and Feeds
Open your FMC instance and select Object > Security Intelligence > DNS Lists and Feed.
Add DNS Lists and Feeds
Open your FMC instance and select Object > Security Intelligence > URL Lists and Feed.
Add URL Lists and Feeds
After the last step, you should be able to execute the FMC actions on demand or through Playbooks to block and unblock IPs, domains and URLs.
Finding the URL and DNS addresses in the URL and DNS Lists and Feeds objects
Inside the ACP Security Intelligence tab, you can hover over one of the Network, DNS or URL categories. A pop-up will indicate how many entries are currently in that category.
To view the actual entries in each of these objects
To find these you must SSH to either an FTD device or the FMC. You will find the three types of security intelligence entries in the following three locations:
Here you will find a separate text file for each security intelligence category, as well as text files for any custom feeds you have defined.
Here is an example of finding the DNS feed files: change to the directory with cd /var/sf/sidns_download, then list the files with ls.
The files have UUID (Universally Unique Identifier) names that tell you nothing about their contents, but if you use cat, head or tail to look inside you will see they are simply text files. Each one contains the name of the list as a comment on its first line.
Using this technique you can find out the contents of any of the security intelligence download files for each of the three categories. One big caveat, however: these files are updated frequently. Depending on the update frequency you have selected, an entry that was there 5 minutes ago may be gone now. If you’re trying to troubleshoot an issue or predict whether a given IP, domain or URL will be blocked, this may not be a viable technique.
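As an added example (not code from this page, from SIRP or from Cisco), the POSIX shell helpers below do the lookup just described on a download directory: they read the first-line comment of each UUID-named file to find a list by name, check whether a given entry is present, and count the entries. They assume the first line has the form "# <list name>" (the page only says the name appears as a comment on the first line), and the sample directory, file names and domains they build are constructed here so the script runs without an FTD. On an FTD you would point them at /var/sf/sidns_download, the one download directory the page names.

```shell
#!/bin/sh
# Added example, not code from the page, SIRP or Cisco.
# Helpers for inspecting Security Intelligence download files on an FTD/FMC:
# each file has a UUID-style name and carries the list name as a comment on
# its first line. ASSUMPTION: that first line looks like "# <list name>".

# find_si_file DIR LISTNAME
#   Prints the path of the file in DIR whose first-line comment names LISTNAME
#   exactly (so "SIRP-DNS" does not match "SIRP-DNS-Blocklist").
#   Returns 1 if no file matches.
find_si_file() {
    dir=$1
    name=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Strip the leading '#', surrounding whitespace and any CR.
        first=$(head -n 1 "$f" | tr -d '\r' | sed 's/^#[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$first" = "$name" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# si_contains DIR LISTNAME ENTRY
#   Returns 0 if ENTRY appears as a whole line in the list (comments ignored),
#   1 if it is absent, 2 if no file for LISTNAME exists.
si_contains() {
    f=$(find_si_file "$1" "$2") || return 2
    grep -v '^#' "$f" | tr -d '\r' | grep -qxF -- "$3"
}

# si_count DIR LISTNAME
#   Prints the number of non-comment, non-empty lines (i.e. entries) in the list.
si_count() {
    f=$(find_si_file "$1" "$2") || return 2
    grep -v '^#' "$f" | grep -c . || true
}

# make_sample_dir
#   Builds a throwaway directory with two CONSTRUCTED feed files so the helpers
#   can be exercised without an FTD. The UUID-style names and domains are made up.
make_sample_dir() {
    d=$(mktemp -d)
    printf '# SIRP-DNS-Blocklist\nmalicious.example\nbad.example\n' \
        > "$d/3f2a9c1e-8b77-4d6e-9a21-0c1f5e7b2d44"
    printf '# Cisco-DNS-Malware\nevil.example\n' \
        > "$d/a1b2c3d4-0000-4e5f-8a9b-123456789abc"
    printf '%s\n' "$d"
}

# Demo against the constructed directory. On an FTD, replace "$sample" with
# /var/sf/sidns_download (the DNS download directory named on the page).
sample=$(make_sample_dir)
file=$(find_si_file "$sample" SIRP-DNS-Blocklist)
ls -l "$file"   # the timestamp shows how fresh this snapshot of the feed is
if si_contains "$sample" SIRP-DNS-Blocklist bad.example; then
    echo "bad.example is listed in SIRP-DNS-Blocklist ($(si_count "$sample" SIRP-DNS-Blocklist) entries)"
else
    echo "bad.example is not listed in SIRP-DNS-Blocklist"
fi
rm -rf "$sample"
```

Because the download files are refreshed on the schedule you configured, treat a result as a snapshot: the ls -l timestamp tells you when the file was last written, and a lookup made a few minutes later may give a different answer.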