Symptoms: Connections that should be blacklisted by Security Intelligence are instead evaluated by access control rules. The Security Intelligence health module alerts that it is out of memory.
Cause: Memory limitations. Cisco Intelligence Feeds are based on the latest threat intelligence from Cisco Talos Security Intelligence and Research Group (Talos). These feeds tend to get larger as time passes. When a Firepower device receives a feed update, it loads as many entries as it can into the memory it has allocated for Security Intelligence. When a device cannot load all the entries, it may not block traffic as expected. Some connections that should be blacklisted instead continue to be evaluated by access control rules.
Affected platforms: Lower-memory devices are most likely to have this issue, especially if you blacklist a lot of Security Intelligence categories or are also filtering URLs based on category and reputation. These devices include Firepower 7010, 7020, and 7030; ASA 5506, 5508, 5516, 5512, 5515, and 5525; NGIPSv.
Workaround: If you think this is happening, redeploy configurations to the affected devices. This can allocate more memory to Security Intelligence. If the issue persists, contact Cisco Technical Assistance Center (TAC), who can help you verify the issue and propose a solution appropriate to your deployment.