Cisco FMC Integration
Written by Hassan Shozeb

About Firepower Management Center (FMC)

Cisco Firepower Management Center (FMC), now branded Secure Firewall Management Center, provides comprehensive information about the users, applications, devices, threats and vulnerabilities on your network and analyzes the network continuously. FMC then provides tailored recommendations for the security policies to implement and prioritizes the security events to investigate.

This integration works through External Dynamic Lists (EDLs): SIRP publishes plain-text lists of blocked IP addresses, domains and URLs over HTTPS, and FMC polls those lists as custom Security Intelligence feeds. Blocking and unblocking from SIRP therefore changes the list contents; FMC enforces the change the next time it downloads the feed.

Supported Actions

S.no   Action           Description
1      Block IP         Block an IP address on FMC
2      Unblock IP       Unblock an IP address on FMC
3      Block Domain     Block a domain on FMC
4      Unblock Domain   Unblock a domain on FMC
5      Block URL        Block a URL on FMC
6      Unblock URL      Unblock a URL on FMC

Enable Firewall Management Center EDL App in SIRP

  1. Log in to SIRP, then go to Apps from the left navigation bar.

  2. Locate the app named Firewall Management Center EDL.

  3. Enable the Firewall Management Center EDL app by clicking the toggle button under Status.

  4. Once enabled, click the configuration button and add the following configuration:

     1. Configuration Name <string with no spaces>

     2. EDL-Name <string with no spaces>

  5. Execute the following supported actions one by one on any container (incident or alert) or from Automation Playground:

     • Block IP

     • Block URL

     • Block Domain

  6. As each action executes, you get the unique URL of the corresponding EDL file. For example:

https://<hostname>/2/Cisco_fmc/edl-fmc/ip_list.txt

https://<hostname>/2/Cisco_fmc/edl-fmc/domain_list.txt

https://<hostname>/2/Cisco_fmc/edl-fmc/url_list.txt

In these examples, Cisco_fmc and edl-fmc correspond to the Configuration Name and EDL-Name values entered in step 4; the three file names are fixed.

Note: FMC only recognizes EDLs whose URL uses a hostname. EDL URLs that use an IP address are not recognized by FMC.

Example: https://sirp.local.com/2/Cisco_fmc/edl-fmc/ip_list.txt

Add an A record for the SIRP IP address in your DNS zone file so the EDL URLs resolve by hostname. The FMC itself must be able to resolve that name and reach SIRP over HTTPS, otherwise the feed download fails silently and nothing is blocked.
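Before handing a feed URL to FMC it is worth checking two things that the steps above leave to the operator: that the URL really is hostname-based HTTPS, and that every line in the published list is a valid indicator for that list type, since a playbook that writes a malformed or catch-all entry (for example 0.0.0.0/0) into the IP list would either break the feed or block everything. The following is an added example, not SIRP's or Cisco's code. The function names (check_feed_url, validate_feed), the sample feed contents and the rule that URL entries may omit a scheme are this example's assumptions; the rejection of /0 prefixes is this example's policy rather than a documented FMC rule.

```python
"""Sanity-check a SIRP-published EDL before pointing FMC at it.

Added example, not SIRP's or Cisco's own code. It assumes the EDL files are
plain text with one indicator per line and '#' comment lines (the format the
page shows) and that FMC refuses feed URLs whose host is an IP literal.
"""
import ipaddress
import re
from urllib.parse import urlparse

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_feed_url(url):
    """Return the reasons FMC would not accept this feed URL (empty list = fine)."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme is %r, the SIRP EDL URLs are served over https" % parts.scheme)
    host = parts.hostname or ""
    if not host:
        problems.append("URL has no host")
    elif _is_ip(host):
        problems.append("host is an IP literal; FMC only accepts hostname-based EDL URLs")
    return problems


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _is_ip_or_prefix(s):
    """Accept a single address or a CIDR prefix, but refuse a catch-all (/0) entry."""
    try:
        net = ipaddress.ip_network(s, strict=False)
    except ValueError:
        return False
    return net.prefixlen > 0


def _is_hostname(s):
    s = s.rstrip(".")
    labels = s.split(".")
    return (len(s) <= 253 and len(labels) >= 2 and not _is_ip(s)
            and all(_LABEL.match(label) for label in labels))


def _is_url(s):
    # Assumption: entries without a scheme (example.org/phish) are allowed and
    # are parsed as http purely so the host part can be validated.
    if "://" in s:
        parts = urlparse(s)
        if parts.scheme not in ("http", "https"):
            return False
    else:
        parts = urlparse("http://" + s)
    host = parts.hostname or ""
    return _is_ip(host) or _is_hostname(host)


_CHECKS = {"ip": _is_ip_or_prefix, "domain": _is_hostname, "url": _is_url}


def validate_feed(kind, text):
    """Split feed text into (accepted entries, rejected lines) for kind ip/domain/url.

    Comment and blank lines are skipped; every other line must parse as the
    indicator type of that list, otherwise it is reported instead of shipped.
    """
    check = _CHECKS[kind]
    good, bad = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        (good if check(line) else bad).append(line)
    return good, bad


# Constructed sample feed contents (not real data), one per list type.
SAMPLE_FEEDS = {
    "ip": "# edl-fmc ip_list\n203.0.113.7\n198.51.100.0/24\n0.0.0.0/0\nnot-an-ip\n",
    "domain": "# edl-fmc domain_list\nmalicious.example.net\nbad_host.example\nexample\n",
    "url": "# edl-fmc url_list\nhttps://malicious.example.net/payload.exe\n"
           "example.org/phish\nhttp://203.0.113.7/x\njavascript:alert(1)\n",
}

if __name__ == "__main__":
    for url in ("https://sirp.local.com/2/Cisco_fmc/edl-fmc/ip_list.txt",
                "https://203.0.113.5/2/Cisco_fmc/edl-fmc/ip_list.txt"):
        print(url, "->", check_feed_url(url) or "ok")
    for kind, text in SAMPLE_FEEDS.items():
        good, bad = validate_feed(kind, text)
        print(kind, "accepted:", good, "rejected:", bad)
```

Run it against the text you fetch from each EDL URL (for example with curl) before the FMC feed is created, and again whenever a playbook change touches the block actions; a non-empty rejected list means FMC will either skip those lines or fail to parse the feed, and the /0 check catches the one mistake that would turn a targeted block into an outage.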

Use these URLs to configure the EDLs in the Cisco Firewall Management Center by following these steps.

Configure Firewall Management Center External Dynamic Lists

  • In your FMC instance, select Objects > Object Management > Security Intelligence > Network Lists and Feeds. Click Add Network Lists and Feeds, set Type to Feed, and paste https://<SIRP-hostname>/2/Cisco_fmc/edl-fmc/ip_list.txt into Feed URL.

  • Select Objects > Object Management > Security Intelligence > DNS Lists and Feeds. Click Add DNS Lists and Feeds, set Type to Feed, and paste https://<SIRP-hostname>/2/Cisco_fmc/edl-fmc/domain_list.txt into Feed URL.

  • Select Objects > Object Management > Security Intelligence > URL Lists and Feeds. Click Add URL Lists and Feeds, set Type to Feed, and paste https://<SIRP-hostname>/2/Cisco_fmc/edl-fmc/url_list.txt into Feed URL.

For each feed, choose an Update Frequency that matches how quickly a block from SIRP must take effect: FMC only re-downloads the list on that schedule, so a block issued between two downloads is not enforced until the next one.

Finally, add the three feed objects to the Block list on the Security Intelligence tab of your Access Control Policy and deploy the policy. A feed object that is not referenced by a deployed policy blocks nothing.

After the last step, you can execute the FMC actions on demand or through Playbooks to block and unblock IPs, domains and URLs.

Finding the entries in the Network, DNS and URL Lists and Feeds objects

On the Security Intelligence tab of the Access Control Policy, hover over one of the Network, DNS or URL categories. A pop-up shows how many entries that category currently holds.

To view the actual entries in each of these objects

You must SSH to either an FTD device or the FMC. The three types of Security Intelligence entries are kept in the following locations.

First, run these commands in the FMC CLI; the unique UUID assigned to each feed appears above the EDL URL you provided to FMC:

  • cat /etc/sf/iprep_sources.conf

  • cat /etc/sf/url_sources.conf

  • cat /etc/sf/dns_sources.conf

Copy the UUIDs of the IP, URL and domain feeds, then open the directories below to find the contents of the EDLs:

  • Network – /var/sf/iprep_download

  • DNS – /var/sf/sidns_download

  • URL – /var/sf/siurl_download

Here you will find a separate text file for each Security Intelligence category, and text files for any custom feeds as well.

For example, to find the DNS feed file: cd /var/sf/sidns_download and then list the files with ls.

The files have opaque UUID (Universally Unique Identifier) names, but if you use cat, head or tail to look at their contents you will see they are plain text files. Each one carries the name of the list as a comment on its first line.

Using this technique you can inspect the contents of any of the Security Intelligence download files for the three categories. One large caveat, however: these files are updated frequently. Depending on the update frequency you selected, an entry that was there five minutes ago may be gone now. If you are trying to troubleshoot an issue or predict whether a given IP, domain or URL will be blocked, this may not be a reliable technique.
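Because the download files are named by UUID and only identify themselves through the comment on their first line, locating the right one by hand means opening each file in turn. The following added example (not Cisco tooling) automates that: it finds the file whose first-line comment names the list, lists its entries, and answers whether a given indicator is currently in it. It assumes the comment format is "# <list name>" and that entries are one per line, which is how the page describes the files; the function names and the constructed sample directory are this example's own. Run it on the FMC or FTD against the /var/sf directories above, or offline against the sample directory it builds.

```python
"""Find and inspect a Security Intelligence download file by its list name.

Added example, not Cisco tooling. It assumes the layout the page describes:
UUID-named text files under the /var/sf/*_download directories whose first
line is a '#' comment naming the list, followed by one entry per line. The
exact comment format ("# <list name>") and the function names are this
example's assumptions.
"""
import os
import tempfile

# Download directories named on the page, keyed by feed type.
DOWNLOAD_DIRS = {
    "ip": "/var/sf/iprep_download",
    "domain": "/var/sf/sidns_download",
    "url": "/var/sf/siurl_download",
}


def list_name_of(path):
    """Return the list name from the file's first-line comment, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        first = fh.readline().strip()
    return first.lstrip("#").strip() if first.startswith("#") else None


def find_feed_file(directory, list_name):
    """Path of the download file whose first-line comment names list_name, else None."""
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path) and list_name_of(path) == list_name:
            return path
    return None


def feed_entries(path):
    """Entries in a download file, minus comment and blank lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh
                if line.strip() and not line.lstrip().startswith("#")]


def is_listed(directory, list_name, indicator):
    """True/False if indicator is in the current download of list_name.

    Returns None when no file for list_name exists, so "feed never downloaded"
    is distinguishable from "indicator not in the feed". Either way the answer
    is a snapshot: the file is rewritten on every feed update.
    """
    path = find_feed_file(directory, list_name)
    if path is None:
        return None
    return indicator.strip() in set(feed_entries(path))


def build_sample_dir():
    """Create a throwaway directory mimicking /var/sf/sidns_download (constructed data)."""
    directory = tempfile.mkdtemp(prefix="sidns_download_")
    files = {
        "2f5a9c1e-7b3d-4e8a-9f10-000000000001":
            "# edl-fmc\nmalicious.example.net\nphish.example.org\n",
        "2f5a9c1e-7b3d-4e8a-9f10-000000000002":
            "# another-list\nfeed.example\n",
    }
    for name, body in files.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return directory


if __name__ == "__main__":
    # On a real FMC/FTD, point this at DOWNLOAD_DIRS["domain"] instead of the sample.
    sample = build_sample_dir()
    path = find_feed_file(sample, "edl-fmc")
    print("edl-fmc file:", path)
    print("entries:", feed_entries(path))
    print("phish.example.org listed?", is_listed(sample, "edl-fmc", "phish.example.org"))
```

On the appliance itself, the same lookup under the same comment-format assumption is a one-liner, for example grep -l '^# edl-fmc' /var/sf/sidns_download/*, followed by cat on the file it names. Whichever way you do it, treat a positive or negative answer as valid only until the next feed update.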

