Cisco Firepower DBL Configuration Guide

The guide outlined steps to automatically integrate DBL with Cisco Firepower. The maximum list size for DBL is 20,000. This maximum is subject to change without notice due to device specifications and performance.

Submit a ticket

To continue with this configuration guide you must first submit a ticket via the Samurai MDR portal. Add the following information within your request:

Ticket fieldInformation
TitleDBL Onboarding Request for Cisco Firepower device(s)
DescriptionAdd hostname and IP address (internet facing) of your Cisco Firepower devices. For example: mycfw1.acme.org, 19.16*.2*.2 If enrolling multiple devices please add each device on individual line*

Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.

Connection Requirements

You will need to ensure your Firepower device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.

ParameterNote
Connection PortTCP / 80
DBL URLNTT will provide a unique URL to you to download the DBL URL list

Table 1: Connections requirements

To complete this integration you have to:

  • Have submitted a ticket via the Samurai MDR portal and have been provided the necessary DBL endpoint URL/IP address.

From your Cisco Firepower Management Console (FMC):

mceclip0.png You may also want to refer to the Cisco FMC documentation.

Create a feed that captures the DBL URLs

  1. Login to your FMC

  2. Click ObjectsObject Management

  1. Click Security IntelligenceURL Lists and Feeds in the left pane.

  1. Click Add URL Lists and Feeds

  1. Enter the following information in Security Intelligence for URL List/Feed and click Save
ParameterEntry
Namewhatever you want, in our example we have used ABTI_for_URL
Feed URLFeed URL will be provided to you upon enablement of the add-on Our screen captures display an example URL
MD5 URLMD5 URL will be provided to you upon enablement of the add-on Our screen captures display an example URL
Update Frequency(Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required

Set Security Intelligence Settings

Set the feed you created in Create a feed that captures the DBL URLsto Security Intelligence.

  1. Click PoliciesAccess Control

  1. Select the Policy for which you want to set the Feed

(For example: Select sample-fp-policy as depicted below)

  1. If you do not have a Policy, create one from New Policy and follow the procedure

  2. Select Security Intelligence

  1. Select URLs

  1. Select the Feed you created in Create a feed that captures the DBL URLs(our example was ABTI_for_URL)

  1. Under Available Zones, select Any and click Add to Block List

  1. Click Save

  1. Click Deploy

Confirm Blocking

Verify that the test URL is blocked.

  1. From a browser that leverages the Cisco Firepower inspection path, access the following test URL:
  1. Verify that it is blocked. If blocking does not occur check through the configuration again. Our example block screen looks like this:

Create a feed that captures the DBL IP list

  1. Click ObjectsObject Management

  1. Click Security IntelligenceNetwork Lists and Feeds in the left pane

  1. Click Add Network Lists and Feeds

  2. Enter the following information in Security Intelligence for URL List/Feed and click Save

ParameterEntry
Namewhatever you want, in our example we have used ABTI_for_IP
Feed URLFeed URL will be provided to you upon enablement of the add-on Our screen captures display an example URL
MD5 URLMD5 URL will be provided to you upon enablement of the add-on Our screen captures display an example URL
Update Frequency(Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required

Set Security Intelligence Settings for DBL IP

  1. Click PoliciesAccess Control**

  1. Select the Policy for which you want to set the Feed

(For example: Select sample-fp-policy as depicted below)

  1. If you do not have a Policy, create one from New Policy and follow the procedure

  2. Select Security Intelligence

  1. Select Networks

  1. Select the Feed you created in Create a feed that captures the DBL IP list (our example was ABTI_for_IP)

  1. Under Available Zones, select Any and click Add to Block List

  1. Click Save

  1. Click Deploy

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by *raising a ticket in the Samurai MDR portal and we shall get it updated.