Cisco Secure Firewall Guide

Use this guide to integrate Cybora with Cisco Secure Firewall through Security Intelligence feeds. The most common workflow is to create the feed in Secure Firewall Management Center and then apply it in the block or do-not-block logic of your access control policy.

What Cisco Secure Firewall can do with a Cybora feed

  • Cisco Security Intelligence can consume dynamic feeds for IP addresses, domains, and URLs.
  • The feed is fetched over HTTP or HTTPS and updated on a configured interval.
  • The imported feed can then be used in the Security Intelligence section of the access control workflow to block or monitor matching traffic.
  • This approach works especially well when you want threat intelligence enforced early, before the rest of the access control logic is evaluated.

Before you start

  • Use Secure Firewall Management Center or cloud-delivered FMC with Security Intelligence support.
  • Make sure your deployment meets Cisco’s documented requirements for Security Intelligence and custom feeds.
  • Make sure the management center can reach the Cybora feed URL over HTTPS.
  • Choose the correct feed type: Network for IP addresses, DNS for domains, or URL for URLs.

Create the feed object

  1. Go to Objects > Object Management.
  2. Expand the Security Intelligence section and open the feed type that matches your Cybora feed.
  3. Add a new feed object.
  4. Enter a clear feed name.
  5. Set Type to Feed.
  6. Paste the Cybora feed URL into Feed URL.
  7. Configure an MD5 URL only if your feed workflow supports it and you need Cisco to optimize frequent refresh checks.
  8. Set the Update Frequency to match your Cybora plan. If your Cisco workflow requires an MD5 URL for very frequent refresh intervals, use an interval that stays within both Cisco’s requirements and your Cybora plan. Only one request is permitted within the allowed interval, and excessive polling may cause the feed to be blocked.
  9. Save the feed object.
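A pre-flight check for the feed type and MD5 URL choices in the steps above, added here as an example and not Cisco's or Cybora's code. It assumes a saved copy of the feed with one entry per line, `#` comment lines, and an MD5 file whose first token is the hex digest; `check_feed` and the sample data are hypothetical.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one hostname label

def is_network(entry):
    try:
        ipaddress.ip_network(entry, strict=False)  # IPv4/IPv6 address or CIDR
        return True
    except ValueError:
        return False

def is_domain(entry):
    labels = entry.rstrip(".").split(".")
    return (len(entry) <= 253 and len(labels) >= 2
            and all(LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())  # numeric last label: an IP, not a name

def is_url(entry):
    try:
        host = urlsplit(entry if "://" in entry else "//" + entry).hostname or ""
    except ValueError:
        return False
    return is_domain(host) or is_network(host)

CHECKS = {"Network": is_network, "DNS": is_domain, "URL": is_url}

def check_feed(raw, feed_type, published_md5=None):
    """Validate a saved feed copy (bytes) against the chosen feed type."""
    check = CHECKS[feed_type]
    valid, rejected = 0, []
    for lineno, line in enumerate(raw.decode("utf-8", "replace").splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):  # assumption: '#' marks a comment
            continue
        if check(entry):
            valid += 1
        else:
            rejected.append((lineno, entry))
    # MD5 is only a change-detection checksum here; HTTPS protects the transfer.
    digest = hashlib.md5(raw, usedforsecurity=False).hexdigest()
    tokens = published_md5.split() if published_md5 is not None else None
    # Assumption: the hex digest is the first token of the MD5 file.
    md5_ok = None if tokens is None else bool(tokens) and tokens[0].lower() == digest
    return {"valid": valid, "rejected": rejected, "md5": digest, "md5_ok": md5_ok}

# Constructed sample (documentation address ranges), not real Cybora data.
SAMPLE = b"# constructed sample\n198.51.100.7\n203.0.113.0/24\nbad.example\n2001:db8::/32\n\n"

if __name__ == "__main__":
    print(check_feed(SAMPLE, "Network"))
```

Run it against a saved copy of the feed so that repeated testing does not use up the one request permitted per update interval.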

Apply the feed in policy

  1. Open the relevant Access Control Policy.
  2. In the Security Intelligence section, add the Cybora feed to the Block list or the appropriate matching logic.
  3. If you want a monitor-first rollout, enable logging and use the feed in a non-blocking, observation-only workflow first.
  4. If you want immediate protection, use the feed in blocking mode so matching IPs, domains, or URLs are denied directly.
  5. Deploy the configuration to the managed devices.

Validation

  1. Confirm that the feed downloads successfully in Object Management.
  2. Verify that the feed is referenced in the intended access control policy.
  3. Trigger a manual feed update if you need to validate connectivity immediately.
  4. Review Security Intelligence events and connection logs to confirm matches and enforcement.
