As a first line of defense against malicious Internet content,
the Firepower System includes the Security Intelligence feature, which allows
you to immediately blacklist (block) connections based on the latest reputation
intelligence, removing the need for a more resource-intensive, in-depth
analysis. This traffic filtering takes place
before most other policy-based inspection, analysis, or
traffic handling, although it does occur after hardware-level handling, such as
fast-pathing.
When you enable Security Intelligence logging, the system logs all blocked and
monitored connections handled by an access control policy's target devices.
Logging monitored connections allows the system to further analyze connections
that would have been blacklisted, but still log the match to the blacklist. The
system does not log whitelist matches, however; logging of whitelisted
connections depends on their eventual disposition.
When the system logs a connection event as the result of
Security Intelligence filtering, it also logs a matching Security Intelligence
event, which is a special kind of connection event that you can view and
analyze separately. Both types of events use the Action and Reason fields to
reflect the blacklist match.
Additionally, so that you can identify the blacklisted IP address in the
connection, host icons next to blacklisted and monitored IP addresses look
slightly different in the event viewer.
Logging Blocked Blacklisted Connections
For a blocked connection, the system logs
beginning-of-connection Security Intelligence and connection events. Because
blacklisted traffic is immediately denied without further inspection, there is
no unique end of connection to log. For these events, the action is Block. The
reason is:
- IP Block if the system blocked traffic based on the IP address.
- DNS Block if the system blocked traffic based on the domain name.
- URL Block if the system blocked traffic based on the URL.
IP Block, DNS Block, and URL Block connection events have a threshold of 15
seconds per unique
initiator-responder pair. That is, once the system generates an event when it
blocks a connection, it does not generate another connection event for
additional blocked connections between those two hosts for the next 15 seconds,
regardless of port or protocol.
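The threshold described above matters when you read Security Intelligence event counts: one event can stand for many blocked connections. The following model is an added illustration, not Cisco code or Firepower output; it applies the documented rule (one IP/DNS/URL Block event per initiator-responder pair per 15 seconds, regardless of port or protocol) to a constructed set of blocked connections so you can see how far the event count understates the block count.

```python
from dataclasses import dataclass, field

THRESHOLD_SECONDS = 15  # documented: one event per initiator-responder pair per 15 s

@dataclass
class Connection:
    ts: float        # seconds into the constructed capture
    initiator: str
    responder: str
    port: int
    proto: str
    reason: str      # "IP Block", "DNS Block" or "URL Block"

@dataclass
class SiEventLog:
    events: list = field(default_factory=list)
    suppressed: int = 0
    _last_logged: dict = field(default_factory=dict)  # (initiator, responder) -> ts

    def block(self, conn):
        """Record the beginning-of-connection event for a blocked connection unless
        this host pair already produced one inside the window; port and protocol
        deliberately play no part in the key."""
        pair = (conn.initiator, conn.responder)
        last = self._last_logged.get(pair)
        if last is not None and conn.ts - last < THRESHOLD_SECONDS:
            self.suppressed += 1
            return None
        self._last_logged[pair] = conn.ts
        event = {"ts": conn.ts, "action": "Block", "reason": conn.reason,
                 "initiator": conn.initiator, "responder": conn.responder}
        self.events.append(event)
        return event

def replay(connections):
    """Feed blocked connections to the log in time order and return the log."""
    log = SiEventLog()
    for conn in sorted(connections, key=lambda c: c.ts):
        log.block(conn)
    return log

# Constructed sample: host 10.0.0.5 retries a blacklisted address on several ports
# and protocols within 15 s, then again after the window; 10.0.0.7 hits it once.
SAMPLE = [
    Connection(0.0, "10.0.0.5", "203.0.113.9", 80, "tcp", "IP Block"),
    Connection(2.0, "10.0.0.5", "203.0.113.9", 443, "tcp", "IP Block"),
    Connection(9.5, "10.0.0.5", "203.0.113.9", 53, "udp", "IP Block"),
    Connection(14.9, "10.0.0.5", "203.0.113.9", 8080, "tcp", "IP Block"),
    Connection(16.0, "10.0.0.5", "203.0.113.9", 80, "tcp", "IP Block"),
    Connection(3.0, "10.0.0.7", "203.0.113.9", 80, "tcp", "IP Block"),
]
```

Running `replay(SAMPLE)` yields three events for six blocked connections: the retries at 2.0, 9.5 and 14.9 seconds are suppressed because they fall within 15 seconds of the first event for that pair.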
Logging Monitored Blacklisted Connections
For connections monitored—rather than blocked—by Security
Intelligence, the system logs end-of-connection Security Intelligence and
connection events to the Firepower Management Center database. This logging
occurs regardless of how the connection is later handled
by an SSL policy, access control rule, or the access control default action.
For these connection events, the action depends on the
connection's eventual disposition. The Reason field contains IP Monitor, DNS
Monitor, or URL Monitor. It also contains any other reason why the connection
may have been logged.
Note that the system may also generate beginning-of-connection
events for monitored connections, depending on the logging settings in the
access control rule or default action that later handles the connection.