Cisco Firepower DBL Configuration Guide – Samurai Help Center

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

The guide outlined steps to automatically integrate DBL with Cisco Firepower. The maximum list size for DBL is 20,000. This maximum is subject to change without notice due to device specifications and performance.

Connection Requirements

You will need to ensure your Firepower device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.

Parameter	Note
Connection Port	TCP / 80
DBL URL	NTT will provide a unique URL to you to download the DBL URL list

Table 1: Connections requirements

To complete this integration you have to:

Have submitted a request via the Samurai Help Center and have been provided the necessary DBL endpoint URL/IP address.

From your Cisco Firepower Management Console (FMC):

Create a feed that captures the DBL URLs
Set Security Intelligence Settings for DBL URL
Confirm Blocking
Create a feed that captures the DBL IP list
Set Security Intelligence Settings for DBL IP

You may also want to refer to the Cisco FMC documentation.

Create a feed that captures the DBL URLs

1. Login to your FMC

2. Click Objects – Object Management

3. Click Security Intelligence – URL Lists and Feeds in the left pane.

4. Click Add URL Lists and Feeds

5. Enter the following information in Security Intelligence for URL List/Feed and click Save

Parameter	Entry
Name	whatever you want, in our example we have used ABTI_for_URL
Feed URL	Feed URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL
MD5 URL	MD5 URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL
Update Frequency	(Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required

Set Security Intelligence Settings

Set the feed you created in Create a feed that captures the DBL URLs to Security Intelligence.

1. Click Policies – Access Control

2. Select the Policy for which you want to set the Feed

(For example: Select sample-fp-policy as depicted below)

3. If you do not have a Policy, create one from New Policy and follow the procedure

4. Select Security Intelligence

5. Select URLs

6. Select the Feed you created in Create a feed that captures the DBL URLs (our example was ABTI_for_URL)

7. Under Available Zones, select Any and click Add to Block List

8. Click Save

9. Click Deploy

Confirm Blocking

Verify that the test URL is blocked.

1. From a browser that leverages the Cisco Firepower inspection path, access the following test URL:

http://ameblo.jp/testment12016/entry-12576105325.html

2. Verify that it is blocked. If blocking does not occur check through the configuration again. Our example block screen looks like this:

Create a feed that captures the DBL IP list

1. Click Objects – Object Management

2. Click Security Intelligence – Network Lists and Feeds in the left pane

3. Click Add Network Lists and Feeds

4. Enter the following information in Security Intelligence for URL List/Feed and click Save

Parameter	Entry
Name	whatever you want, in our example we have used ABTI_for_IP
Feed URL	Feed URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL
MD5 URL	MD5 URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL
Update Frequency	(Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required