About Security Intelligence
As an early line of defense against malicious internet content, Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence blacklisting.
Security Intelligence is the first phase of access control, before the system performs more resource-intensive evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.
You cannot blacklist fastpathed traffic. 8000 Series fastpathing occurs before Security Intelligence filtering. Fastpathed traffic bypasses all further evaluation, including Security Intelligence.
Although you can configure custom blacklists, Cisco provides access to regularly updated intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations.
You can refine Security Intelligence blacklisting with whitelists and monitor-only blacklists. These mechanisms exempt traffic from being blacklisted, but do not automatically trust or fastpath matching traffic. Traffic whitelisted or monitored at the Security Intelligence stage is intentionally subject to further analysis with the rest of access control.