Blacklist an IP in Firepower

Sometimes you may want to quickly block a scanning/probing IP address without having to deal directly with the Access Control Policy. This can be done in the FMC from the Events view. Go to Analysis -> Connections -> Events.

Depending on the volume of traffic, you may have to click ‘Edit Search’ and search by Initiator or Responder IP. Once found, right-click on the IP address, select ‘Blacklist IP Now’, and confirm.

In the Events window, you will notice the Action change to Block with the Reason showing IP Block. To verify, go to Objects -> Object Management and click ‘Network Lists and Feeds’.

Click Global-Blacklist and locate the IP address that was added.

From this window, you can easily remove the IP address if necessary and Save the file.
