Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
This guide outlines the steps to automatically integrate DBL with Cisco Firepower. The maximum list size for DBL is 20,000. This maximum is subject to change without notice due to device specifications and performance.
Connection Requirements
You will need to ensure your Firepower device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
Parameter | Note |
Connection Port | TCP / 80 |
DBL URL | NTT will provide a unique URL to you to download the DBL URL list |
Table 1: Connection requirements
To complete this integration you have to:
- Have submitted a request via the Samurai Help Center and have been provided the necessary DBL endpoint URL/IP address.
From your Cisco Firepower Management Console (FMC):
- Create a feed that captures the DBL URLs
- Set Security Intelligence Settings for DBL URL
- Confirm Blocking
- Create a feed that captures the DBL IP list
- Set Security Intelligence Settings for DBL IP
You may also want to refer to the Cisco FMC documentation.
Create a feed that captures the DBL URLs
1. Login to your FMC
2. Click Objects – Object Management
3. Click Security Intelligence – URL Lists and Feeds in the left pane.
4. Click Add URL Lists and Feeds
5. Enter the following information in Security Intelligence for URL List/Feed and click Save
Parameter | Entry |
Name | Any name you choose; our example uses ABTI_for_URL |
Feed URL | The Feed URL will be provided to you upon enablement of the add-on (ensure you have raised a request). Our screen captures display an example URL. |
MD5 URL | The MD5 URL will be provided to you upon enablement of the add-on (ensure you have raised a request). Our screen captures display an example URL. |
Update Frequency | (Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required |
Set Security Intelligence Settings for DBL URL
Add the feed you created in "Create a feed that captures the DBL URLs" to Security Intelligence.
1. Click Policies – Access Control
2. Select the Policy for which you want to set the Feed
(For example: Select sample-fp-policy as depicted below)
3. If you do not have a Policy, create one from New Policy and follow the procedure
4. Select Security Intelligence
5. Select URLs
6. Select the Feed you created in Create a feed that captures the DBL URLs (our example was ABTI_for_URL)
7. Under Available Zones, select Any and click Add to Block List
8. Click Save
9. Click Deploy
Confirm Blocking
Verify that the test URL is blocked.
1. From a browser that leverages the Cisco Firepower inspection path, access the following test URL:
2. Verify that it is blocked. If blocking does not occur, check through the configuration again. Our example block screen looks like this:
Create a feed that captures the DBL IP list
1. Click Objects – Object Management
2. Click Security Intelligence – Network Lists and Feeds in the left pane
3. Click Add Network Lists and Feeds
4. Enter the following information in Security Intelligence for URL List/Feed and click Save
Parameter | Entry |
Name | Any name you choose; our example uses ABTI_for_IP |
Feed URL | The Feed URL will be provided to you upon enablement of the add-on (ensure you have raised a request). Our screen captures display an example URL. |
MD5 URL | The MD5 URL will be provided to you upon enablement of the add-on (ensure you have raised a request). Our screen captures display an example URL. |
Update Frequency | (Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required |
Set Security Intelligence Settings for DBL IP
1. Click Policies – Access Control
2. Select the Policy for which you want to set the Feed
(For example: Select sample-fp-policy as depicted below)
3. If you do not have a Policy, create one from New Policy and follow the procedure
4. Select Security Intelligence
5. Select Networks
6. Select the Feed you created in Create a feed that captures the DBL IP list (our example was ABTI_for_IP)
7. Under Available Zones, select Any and click Add to Block List
8. Click Save
9. Click Deploy
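The following pre-flight check is an added example, not part of the original guide or of any NTT or Cisco tooling. It validates a downloaded feed against its MD5 file and the 20,000 maximum stated above. The feed format (one entry per line, `#` comment lines), the MD5 file holding a hex digest as its first token, and the names `check_feed` and `SAMPLE_IP` are assumptions.

```python
import hashlib
import ipaddress
import sys
import urllib.request

MAX_ENTRIES = 20000  # DBL maximum list size stated in this guide


def check_feed(body: bytes, md5_body: bytes, kind: str) -> dict:
    """Check a downloaded feed ("ip" or "url") against its MD5 file.

    Assumed format: one entry per line, '#' starts a comment line.
    """
    expected = md5_body.decode("ascii", "replace").split()
    digest = hashlib.md5(body).hexdigest()
    entries, rejected = [], []
    for raw in body.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if kind == "ip":
            try:
                ipaddress.ip_network(line, strict=False)
            except ValueError:
                rejected.append(line)
                continue
        elif "." not in line or any(c.isspace() for c in line):
            rejected.append(line)  # not a plausible host or URL entry
            continue
        entries.append(line)
    return {
        "md5_ok": bool(expected) and expected[0].lower() == digest,
        "count": len(entries),
        "within_limit": len(entries) <= MAX_ENTRIES,
        "duplicates": len(entries) - len(set(entries)),
        "rejected": rejected,
    }


# Constructed sample data (documentation address ranges), not real DBL content.
SAMPLE_IP = b"# sample\n192.0.2.10\n198.51.100.0/24\n192.0.2.10\nnot-an-ip\n"

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py <feed-url> <md5-url> <ip|url>
        feed, md5 = (urllib.request.urlopen(u, timeout=10).read() for u in sys.argv[1:3])
        print(check_feed(feed, md5, sys.argv[3]))
    else:
        print(check_feed(SAMPLE_IP, hashlib.md5(SAMPLE_IP).hexdigest().encode(), "ip"))
```

Run it from a host on the same network path as the Firepower device, passing the Feed URL and MD5 URL you were given; with no arguments it checks the constructed sample.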