13.01.2021

Firepower Dns Policy

Dear, we noticed that the Cisco Firepower FTD 2130 is sending DNS requests to the OpenDNS resolver 208.67.222.222, which is not required and which we didn't configure. We need to disable this feature, please advise.
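The question above is about a firewall resolving names through a resolver nobody configured. The check below is an added example (not Cisco's code and not from the poster): it walks a constructed set of connection-log lines, keeps only port-53 flows, and reports any whose destination is not one of the resolvers the organisation actually approved. The log format, the addresses and the approved-resolver set are all assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not real device output). One flow per line:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>
SAMPLE_LOG = """\
2021-01-13T10:00:01 10.1.1.5 -> 10.1.1.53:53/udp
2021-01-13T10:00:02 10.1.1.5 -> 208.67.222.222:53/udp
2021-01-13T10:00:03 10.1.1.9 -> 10.1.1.53:53/udp
2021-01-13T10:00:04 10.1.1.9 -> 8.8.8.8:53/tcp
2021-01-13T10:00:05 10.1.1.5 -> 93.184.216.34:443/tcp
"""

# Assumption: the only resolver the organisation configured is the internal one.
APPROVED_RESOLVERS = {"10.1.1.53"}


def parse_line(line):
    """Split one constructed log line into its fields (IPv4 destinations assumed)."""
    ts, rest = line.split(" ", 1)
    src, _, dst = rest.partition(" -> ")
    dst_ip, _, port_proto = dst.rpartition(":")
    port, proto = port_proto.split("/")
    ipaddress.ip_address(dst_ip)  # raises ValueError on a malformed address
    return {"ts": ts, "src": src, "dst": dst_ip, "port": int(port), "proto": proto}


def unexpected_dns(log_text, approved):
    """Return every DNS flow (dst port 53) whose resolver is not in the approved set."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] != 53:
            continue          # not DNS, ignore
        if rec["dst"] in approved:
            continue          # expected resolver
        findings.append(rec)
    return findings


def summarize(findings):
    """Count unexpected flows per (source, resolver) pair so each offending host stands out."""
    return Counter((f["src"], f["dst"]) for f in findings)


if __name__ == "__main__":
    for (src, dst), n in summarize(unexpected_dns(SAMPLE_LOG, APPROVED_RESOLVERS)).items():
        print(f"{src} sent {n} DNS query(ies) to unapproved resolver {dst}")
```

Run against real connection events the same idea applies: a device or host talking DNS to a resolver outside the approved set is the thing to investigate, whether it turns out to be a leftover default or something less benign.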

To edit a DNS policy:

  • Step 1: Select Configuration > ASA FirePOWER Configuration > Policies > DNS Policy.
  • Step 2: Edit your DNS policy:
  • Name and Description - To change the name or description, click the field and type the new information.
  • Rules - To add, categorize, enable, disable, or otherwise manage DNS rules, click the Rules tab.

Policy, or anything like that? Would the above process work, or is there anything you would do differently? Also, I'll be changing the DNS settings, but I'm not sure I have the expert mode password; I'm guessing a reboot of the ASA would suffice instead of clearing a process? Thanks in advance folks.

Rules in a DNS policy are numbered, starting at 1. The ASA FirePOWER module matches traffic to DNS rules in top-down order by ascending rule number. When you create a DNS policy, the ASA FirePOWER module populates it with a default Global DNS Whitelist rule and a default Global DNS Blacklist rule.

DNS-based Security Intelligence allows you to use your FirePOWER implementation to blacklist traffic based on the domain name lookup requested by a client workstation.

What's cool is that items configured here are blocked BEFORE access control rules, so you can block bad traffic without wasting resources inspecting it further, based on the work Cisco has already done and continues to do via the Cisco Talos Security Intelligence and Research Group. The lists we'll select below are updated automatically as Cisco identifies new threats.

This document assumes you already have your FirePOWER implementation working and configured (version 6.0 minimum); if you don't, check out this article:

This document also assumes you want to use Cisco’s pre-configured and automatically updated domain name intelligence lists.

Initial Configuration

  • Navigate to Policies > Access Control and edit your Access Control Policy
  • Click on the Security Intelligence tab
  • Highlight the networks you want to block and click Add to Blacklist.
  • Click URLs and highlight the Cisco maintained groups you want to block and click Add to Blacklist.
  • The default setting is block when you add them to the blacklist. Right-click any category you would prefer not to block but still gather intelligence on, and choose Monitor.
  • Here's what my policy looks like before I click Save. I've highlighted what I'm blocking, which is everything except Tor_exit_node.
  • If you click on the HTTP Responses tab you can set what is provided when a page is blocked. The default is to provide nothing, so the page just errors out instead of loading. Alternatively you can change it to system provided or create your own page.
  • Click Save and Deploy to load up the new settings.

Review Policy Hits

After your new changes have been deployed, you can check and see what's hitting and what's not.

  • Navigate to Analysis > Connections > Security Intelligence Events
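Two things on this page are worth seeing in working code: the rule-ordering semantics described earlier (rules numbered from 1, matched top-down, with the default Global DNS Whitelist rule sitting above the default Global DNS Blacklist rule), and the "what's hitting and what's not" review of Security Intelligence events. The block below is an added example, not Cisco's implementation and not the author's: it models a DNS policy as an ordered rule list where the first match decides, then runs a constructed set of lookups through it and tallies hits per rule. It assumes, as an interpretation of the page's wording, that a whitelist match lets the lookup through to access control, a blacklist match blocks it, and a Monitor match logs it and lets it through. Rule names other than the two defaults, the domains and the lookups are made up.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class DnsRule:
    number: int      # rules are evaluated in ascending number order
    name: str
    action: str      # "whitelist", "blacklist" or "monitor"
    domains: set     # names in the rule's list; a name also matches its subdomains


def matches(rule, fqdn):
    """True if the looked-up name, or any parent domain of it, is in the rule's list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in rule.domains for i in range(len(labels)))


def evaluate(policy, fqdn):
    """Walk the rules top-down; the first matching rule decides.

    Returns (verdict, rule_name) with verdict one of
    'allow' (whitelist), 'block' (blacklist), 'monitor' or 'no-match'.
    """
    for rule in sorted(policy, key=lambda r: r.number):
        if matches(rule, fqdn):
            if rule.action == "whitelist":
                return "allow", rule.name      # handed on to access control untouched
            if rule.action == "blacklist":
                return "block", rule.name      # dropped before access control runs
            return "monitor", rule.name        # logged, then handed on (assumed semantics)
    return "no-match", None


# Constructed policy. Rules 1 and 2 mirror the defaults the text describes;
# rules 3 and 4 stand in for feed-backed categories. All domains are made up.
POLICY = [
    DnsRule(1, "Global DNS Whitelist", "whitelist", {"partner.example"}),
    DnsRule(2, "Global DNS Blacklist", "blacklist", {"bad.example"}),
    DnsRule(3, "Malware feed", "blacklist", {"malware.example", "partner.example"}),
    DnsRule(4, "Tor_exit_node", "monitor", {"tor.example"}),
]

# Constructed lookups, as a client workstation might request them.
LOOKUPS = [
    "cdn.partner.example",   # listed by the feed (rule 3) but whitelisted by rule 1
    "c2.malware.example",
    "exit.tor.example",
    "www.example",
    "evil.bad.example",
    "c2.malware.example",
]


def review_hits(policy, lookups):
    """Hits per rule, including zero for rules that never fired ('what's not hitting')."""
    hits = Counter()
    for fqdn in lookups:
        _, rule_name = evaluate(policy, fqdn)
        if rule_name is not None:
            hits[rule_name] += 1
    return {r.name: hits[r.name] for r in sorted(policy, key=lambda r: r.number)}


if __name__ == "__main__":
    for fqdn in LOOKUPS:
        print(f"{fqdn:22} -> {evaluate(POLICY, fqdn)}")
    print(review_hits(POLICY, LOOKUPS))
```

The detail worth noticing is `cdn.partner.example`: the malware feed in rule 3 lists its parent domain, yet the lookup is allowed because the whitelist rule sits at number 1 and the first match wins. That is exactly why the whitelist is the place to exempt a false positive rather than editing the feed.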

I’ll be doing more detailed write-ups on both dashboards and Analysis in the future.