About Firepower Management Center (FMC)
Firewall Management Center (FMC) provides comprehensive information about the network users, applications, devices, threats, and vulnerabilities and analyzes your network constantly. FMC then provides tailored recommendations regarding security policies to implement, plus the prioritization of security events to investigate.
Supported Actions
| S.no | Action | Description |
| --- | --- | --- |
| 1 | Block IP | Block an IP on FMC |
| 2 | Unblock IP | Unblock an IP on FMC |
| 3 | Block Domain | Block a Domain on FMC |
| 4 | Unblock Domain | Unblock a Domain on FMC |
| 5 | Block URL | Block a URL on FMC |
| 6 | Unblock URL | Unblock a URL on FMC |
Enable Firewall Management Center EDL App in SIRP
1. Log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the app named Firewall Management Center EDL.
3. Enable the Firewall Management Center EDL app by clicking the toggle button under Status.
4. Once enabled, click the configuration button and add the following configuration:
   - Configuration Name: <string with no spaces>
   - EDL-Name: <string with no spaces>
5. Execute the following supported actions one by one on any particular container (incident or alert) or from Automation Playground:
   - Block IP
   - Block URL
   - Block Domain
As each action is executed, you will get a unique URL for the corresponding EDL file. For example:
https://<hostname>/2/Cisco_fmc/edl-fmc/domain_list.txt
https://<hostname>/2/Cisco_fmc/edl-fmc/url_list.txt
Note: FMC only recognizes EDLs served under a hostname. EDLs whose URL uses an IP address are not recognized by the FMC.
Example: https://sirp.local.com/2/Cisco_fmc/edl-fmc/ip_list.txt
An A record must be added for the SIRP IP in the zone file so that the EDLs can be served on that hostname.
Use these URLs to configure the EDLs in the Cisco Firewall Management Center by following these steps:
Configure Firewall Management Center External Dynamic Lists & Define SIRP Certificate in the Trusted CA list
1. Add the SIRP certificate to the FMC Trusted CAs list under Object > PKI > Trusted CAs.
2. In your FMC instance, select Object > Security Intelligence > Network Lists and Feeds, add a new Network list/feed, and paste https://<SIRP-hostname>/2/Cisco_fmc/edl-fmc/ip_list.txt into the Feed URL field.
3. Select Object > Security Intelligence > DNS Lists and Feeds, add a new DNS list/feed, and paste https://<SIRP-hostname>/2/Cisco_fmc/edl-fmc/domain_list.txt into the Feed URL field.
4. Select Object > Security Intelligence > URL Lists and Feeds, add a new URL list/feed, and paste https://<SIRP-hostname>/2/Cisco_fmc/edl-fmc/url_list.txt into the Feed URL field.
After the last step, you should be able to execute the FMC actions on demand or through Playbooks to block and unblock IPs, Domains & URLs.
Finding the URL and DNS addresses in the URL and DNS Lists and Feeds objects
Inside the Access Control Policy (ACP) Security Intelligence tab, you can hover over one of the Network, DNS, or URL categories. A pop-up will indicate how many entries are currently in that category.
To view the actual entries in each of these objects
To find these you must SSH to either an FTD device or the FMC. You will find the three types of security intelligence entries in the following three locations:
Run these commands in the FMC CLI. The unique UUID will appear above the EDL URL you provided in FMC:
cat /etc/sf/iprep_sources.conf
cat /etc/sf/url_sources.conf
cat /etc/sf/dns_sources.conf
Copy the unique UUID of the IP, URL and Domain feeds, then open the directories below to find the contents of the EDLs:
Network: /var/sf/iprep_download
DNS: /var/sf/sidns_download
URL: /var/sf/siurl_download
Here you will find separate text files for each security intelligence category. You will also find text files for any of your custom feeds as well.
Here is an example of finding the DNS feed file: change into the directory with cd /var/sf/sidns_download and then list the files using ls.
The files have unrecognizable UUID (Universally Unique IDentifier) names, but if you use cat, head, or tail to look at their contents you will see they are simply text files. Each one contains the name of the list as a comment in the first line.
Using this technique you can find out the contents of any of the security intelligence download files for each of the three categories. One big caveat, however: these files are updated frequently. Depending on the update frequency you have selected, an entry that was there 5 minutes ago may be gone now. If you're trying to troubleshoot an issue or predict whether a given IP, domain, or URL will be blocked, this may not be a reliable technique.
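The following script is an added example, not code from the page, the SIRP app, or Cisco. It covers two checks a practitioner would want while working through this page: validating a feed URL against the hostname requirement noted in the SIRP section (the page's feed URLs are all https and a CA is trusted for them, so https is required here as an assumption), and parsing a downloaded security intelligence list of the shape described above (a comment line naming the list, then one entry per line) to answer "is this IP, domain or URL currently listed?" The sample list contents are constructed; CIDR support for network entries and case-insensitive exact matching for domain and URL entries are assumptions of this example, not behaviour the page states.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a downloaded SI list: first line is a comment naming
# the list, one entry per line (this content is made up for the example).
SAMPLE_IP_LIST = """# ip_list
203.0.113.10
198.51.100.0/24

# trailing comment lines are ignored
"""
SAMPLE_DOMAIN_LIST = """# domain_list
bad.example
"""


def parse_edl(text):
    """Return (list_name, entries) for an EDL/SI text file.

    list_name is taken from the first comment line; entries are the
    non-empty, non-comment lines with surrounding whitespace removed.
    """
    name = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if name is None:
                name = line.lstrip("#").strip()
            continue
        entries.append(line)
    return name, entries


def ip_is_listed(entries, ip):
    """True if ip equals an entry or falls inside a CIDR entry.

    CIDR handling is an assumption of this example; malformed lines are
    skipped so one bad entry does not break the whole check.
    """
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if addr in net:
            return True
    return False


def value_is_listed(entries, value):
    """Case-insensitive exact match, used for domain and URL lists (assumed)."""
    wanted = value.strip().lower()
    return any(entry.lower() == wanted for entry in entries)


def feed_url_problems(url):
    """Return reasons a feed URL would not be accepted as described on the page:
    it must be https and the host must be a hostname, not an IP literal."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = parts.hostname or ""
    if not host:
        problems.append("missing host")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is an IP address; FMC requires a hostname")
        except ValueError:
            pass  # a hostname, as required
    if not parts.path.endswith(".txt"):
        problems.append("path does not end in .txt")
    return problems


if __name__ == "__main__":
    name, entries = parse_edl(SAMPLE_IP_LIST)
    print(name, entries, ip_is_listed(entries, "198.51.100.77"))
    print(feed_url_problems("https://192.0.2.10/2/Cisco_fmc/edl-fmc/ip_list.txt"))
```

To use it against a real download, read the UUID-named file from /var/sf/iprep_download (or the DNS/URL directory) into `parse_edl`; keep the page's caveat in mind that the file may already have been refreshed by the time you check it.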