Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 7

39. Lecture-39:Configure and Verify Security Intelligence SI Lab.

So we discuss about security intelligence it is basically group of public IP addresses for malware spam exploit Malaysia malware and URL which keep record and you can use them and it’s updated automatically which we call them Feed. Feed is nothing but a dynamic list and you can also change the timer. How frequently you can get this one? I’ll show you that one before doing lab keep in mind if you white list any Blake list IP and even it is in the list of Blake list and also whitelist so whitelist override the Blake list. What does it mean? Suppose someone is a terrorist and you say he is not a terrorist. So for you it will override. It will follow your rule. So suppose one IP is Bain already in blacklist but you make it whitelist. So it will be allowed in your network even though in security intelligent feed its blacklist and you are using security intelligent but again it will not block because you whitelist them. So it means whitelist override the blacklist. I will show you in the lab but just keep in mind this point. That’s why I highlight this point. What else? So security intelligence before apply security intelligence let copy some IP which is Blakelist from Malaysia. This one suppose and I already show you but let me show you again and ping from inside network that I am reachable or not so let me paste this one it’s pingable it means my network is using malicious IP to reach them. And let me test another one. Maybe I’m wrong so let me test another 184 yes it’s also reachable. Let me test the last one and let me ping them again. So it’s also reachable. So it means before applying security intelligent all these Malaysia suspicious blacklist IP are reachable from my network.

Because I don’t have such technology to know before that these are blacklist IP and block them. But there is N which is called security intelligence how we can use this feature? So go to your policy access control policy edit them okay first I need to delete all these category we yesterday we are done. I don’t need because it will block some gaming website and maybe I will test so let me remove those one which we done yesterday. I just need only one policy allowed everything. So let’s go to security intelligent click on this tab NSAID access Control policy and there is network and URL and network these are my network or some are built in. I don’t want to block these so from where? Security intelligence. Let’s start start from here global blacklist and global whitelist. I will tell you about these two later on but a start from attacker we discussed the category go down and it’s reaching up to this point and shift and click shift so the list which I click first is a taker and the last one is responses okay and click add to blacklist. So you see SA to network. You know network because these are the network IPS. So it’s added here. But URL is not here. Now let’s go to URL and do the same thing. Click on URL Global Blacklist and leave it. These start from attacker. Click and go to the last one. Not last one, this one. Because these two we create yesterday. These two URL object. Click on this one URL and select let’s see it’s two or not selected here. It’s okay. And click to add to Blake list, not whitelist. And you see now it’s added here. So basically in Blakelist we have 46 things. But these are network. There is a difference. This is network. This is logs. You want to enable logs. So click on this. It is by default enable. So whenever these IP block, it will generate logs in your analysis so that we can see if you go down. So there is another category of URL. Again, there is logs which is enabled. It’s a good thing. Okay.

And when you right click, so there is you want to block. Maybe you don’t want to block. You want to monitor only, monitor only. It will generate log. But the IP will be allowed. And you can select all and you can delete all and one. You can delete one by one as well. Maybe you don’t want attacker to block attacker categories. So you can delete as well. So this thing is clear to you? Yeah. Now, coming to whitelist. There is Global Whitelist and Global Whitelist URL. This is for IPS and Network. This one is for URL. So nothing is whitelist yet. Suppose maybe some of the IP you want to make them whitelist here. Here is available zone from where these attack can come. So it’s better to keep it any means. This attack can come from inside, outside, DMZ, whatever. But if you want to be more specific, you can say from outside. Because these are normally coming from outside and maybe from inside. So it’s better to keep them any. So now it’s done. This how what we do and save this one. Now I attach Security Intelligent to my excess rule and let’s deploy it, okay? And select this one and apply. So until it’s deploy, let’s go. What I done. So I go to Security intelligent Tab and access control list. I select from attacker to this one by shift key. Okay? And then I say add to blacklist and it’s added to blacklist. Okay? And then right click, I show you that you can do monitor only. You can block, you can select and you can delete for some reason if you want to delete and then network. I edit here and also URL I added here and save the policy. And after save the policy. Now I will get some IP.

The IP which I test before it was pinging. Now we will test again. Okay. And where we can find these IP? Maybe so you can go to this place to find out some IP and check them. Okay, so if I go to this link more and more is also used to show you. Some. So because I’m already here, you can type and it will show you some IPS. So these are blacklisted IPS. So if I copy this one it’s not yet apply so let quickly let me ping this IP again so it will be ping before the apply yeah, you see, it’s pinging. Okay, so one IP and let me copy another IP to test as well before the attack because the policy is not yet deploy. So let me sorry. Ping and test? I think so. The policies apply now, that’s why. Oh no, not yet. So some of the IP sometime not pinging. So let me copy another one. Okay. And let ping this one. Okay. So this one is also black. Maybe it’s pushed you almost. So let’s test another one before the 36 94 and let me ping. Okay. Yes, pinging. We will test this one IPS also enough. So let’s wait now. So when this policy is pushed, because you are working here in FMC and when you do something in FMC, it has to be pushed to FTD, then it will start work. Okay, so it’s working and let’s do here. So what we done, we copy some IP and we test them. And then after the attack we will see after the apply we will do again and we will see it’s block or not. Then we can verify from connection and also there is a security intelligent events. So from two places we can verify if you click on analysis. So there is event. Let me open events. And there is another one, security intelligent even the special place for this one. So from these two places we can verify this one. So now let’s see. So now we open. Okay, so we can ping these IP, the test IP before they apply security intelligence is allowed. Okay. And security intelligence nothing is block yet because we never use security intelligence before, so nothing is there, we just apply security intelligence. So this is security intelligent events. This one is normal events for everything. So let’s go back. Yes, it’s completed. Now let’s test again. So let me ping the same IP which was pinging before. If everything is okay, it has to be blocked this time and it’s still pinging, I believe. Let’s see no, the first ping maybe because they have already established connection so it’s not working and let’s check the other IP. It’s also not working. And let’s ping this IP. It’s also not working.

And list 91 10 four it’s also not working. And how we know this is not working and it’s blocked by security intelligence. So let’s go back to this one and refresh this one events. Okay. And verify from here the same thing you can do for URL as well. You see it say the reason is action is block block, block three IPS has been blocked from one, one is my system. This one. This is PC one docker. This is one one. This is the source. And they say that from one one to this IP 1049-1124 before 91, the same IP from this country. It was allowed. You see. Then 10 four was also pinging is allowed. Now it’s a block. Because now we are using security intelligent. And also responder IP is cross here before same IP IP 124 and it’s not here. Okay, this the respondent country like India. This one SRB some country name and BR a and I don’t know this one. Hong Kong, Canada and these are the country name. Then this is security. Intelligent category. The first IP belong to Malware because we have a different category. Okay, I close that slide. And also on their website there is a category. I show you there is intelligent category. Okay. So they say the category was in CNC. The last IP was from Command and Control. And these two IPS were from Malware inside to outside zone. And here is all the detail which policies block and every detail and more detail. You can also go now. Let’s check out from security. Intelligent events. Nothing is there yet. So let me refresh this one. And now you will see those three IP detail. Yes. So they say this is the date. This the action block reason was IP block initial initiate or who initiates one. And these are three responder IP. Okay. And this is Security Intelligent inside to outside. And this ping request was sent because I was using ICMP to send a ping. So ICMP means Internet Control Message Protocol. So this Security Intelligent, the same thing, you can use URL as well. So what was the list? The list was in the other file. So we can go by the way, by another way, all the things control C and let me go to CDR and SF and LS. So there are many things. The one which we need s URL. Okay. So should be there. Okay, let me see this one. So this is DNS. DNS we will do a bit later.

This is file, but the one I need for URL, this one. So let me go to this folder and CD this one and LS. So these are URL. Again, you need to use head is better to show you few of them because maybe some of them is huge list. So this is high risk and nothing is there. So let me type head again and type the second one. Okay. So again okay, keep in mind and URL, maybe you will find IP as well. So don’t confuse because some URL is only IPS because you can use IP as a URL as well. Yeah, you can type suppose this the IP. So this is the URL as well. Maybe you know what I’m saying like maybe suppose if you open a browser so you can access a website, behind every URL there is IP basically, but DNS translating that IP. So there can be many website which you can access by what is called PYIP. So that’s why these IP are here. So don’t confuse that. Under URL. There is IP. So it’s okay. So let me type another one. Maybe we can find some URL as well to test properly. So yeah, it’s good now. So let me go to this one. They say that this website is under which category? I don’t know, where is this mentioned category? Anyway, I don’t care, let’s type this one.

So it will be block and how we know this block is a URL block. Okay, so this one is access maybe it’s not coming under the or maybe I access them through Https. So let me test another one is this one. Yeah, let me by the way, we can ping and test as well. It’s not only to access from browser, it will be blocked by the way, from everywhere. But I’m just telling this block, I just want to show you by URL as well, that’s my main point. So let me refresh this one and also let me refresh the security intelligent event table. So you see this time say responses. So security intelligent was responses. Maybe this was from responses and URL. There are also many categories, so that’s why it may be the name is this one and it’s from Turkey, by the way. So it’s the two IP which we test and it’s block. Okay, and let’s go to here as well. So it will show you IP block this 131 and you can see and you can see more detail as well. So it can be URL domain. Forget about the domain because domain we will do a bit later means DNS. Right now our targeted security intelligence is a URL in IP. So we test and it’s working and then we verify. Yeah, there is a third place to verify as well. If you go to Dashboard and there is a special dashboard for this purpose, let me go to Nord Dashboard. There was another place I can verify more detail. Yeah, context explorer. You can go to Context Explorer and see more detail about security intelligence by graphical. So sometimes we understand better than graph. Graph. So you can come to this analysis and Context Explorer. Okay, so now I’m here and there is a place for security context. So let go traffic by source. No, I just need security intelligence. So yeah, here is so it says security intelligent and we discuss what is security intelligent. So it’s a response is Malware and CNC, we use CNC and we use Malware for test IP. So this the initiator IP, they say source IP.

So one is my system from where we are testing. So this is his detail and how many connection this PC created and these are the destination which we test 131, 124, 91 and 104. And you see how many connection we connect to one. And this IP we make four connection. So that’s the source, that’s the destination and these are the detail responses we use responses, we use malware NCNC. So you can find out more detail from here as well. The source, destination if for some reason manager asks you what malware website they visit, which thing and source and destination user detail by user, you can do by IP. You know the top user because right now we don’t have a user, later on in the course we will do so. You can verify from here, by the way. Okay, so this was the first led to use Security Intelligence. And the default one, the default category we blocked, that was URL. Let me show you again from where we went to Access Control, we added Access Control Policy and we give instruction to Access Control Policy that please use Security Intelligent predefined network category which is start from here attacker to tell this one and then we say use URL category as well and we put them in blacklist here. OK, so this one and then when we test so all those things which is coming under these there can be 1000 and thousand entries. Like in this one only 1159 object insert only in this one. So your CPU, your Ram, your Snot engine, everything is utilized. You already block before entering your network. So it’s a good thing. So this was a Security intelligence but we can do many other things as well like a custom, like a whitelist, temporary whitelist and playlist temporary. So let’s do it in the next video.

40. Lecture-40:Security Intelligence Custom Blacklist & Whitelist.

Thing we can do in security intelligent to create our own custom Blake list and custom whitelist list means list and the one which you want to allow it is whitelist and the thing which you want to block is Blake list. So how we can do you need to create your own list. Either you can get feeds from outside, you can search on Google and you can find many feed website which they can give you if you say that Blake list IP feed links. So they will give you many feed list like this one which is dynamically updated. Suppose this one, they have a many category and these are the website name and other detail and you can get this list feed which dynamically update and you can put them in your firewall and you can host them in your own as well. So let me by the way, let me close this one and let me go back. Okay? And let’s do again. So you can create your own blank list feed. Either list list I already created. Just to save some time, just type the IP how you can find IP. So go to CMD and type Nslookup. There are there are many other ways. Just ping any website, it will show you the IP. But one of them is this one. Type Facebook. com just for a test purpose. So I believe the first IP belong to Yah 30 113 69 is Facebook IP and then suppose@yahoo. com Oh@yahoo. com has many IPS. We live with this one and Msnmsn. com 61. So MSN is not there. I don’t know which IPI put. So the first one is Facebook. com, second one, let me check, maybe Twitter. Normally I do this one.

No. 65 is not there so it’s not Twitter as well. Anyway, whatever these IP we will test by IP and also if you want to find the IP of some website you can ping suppose@yahoo. com so it will give you the IP here as well. You can do by this way as well. Okay so I have a list of some IP which is block but not block we want to block our own list even security intelligence already there but let me go and test this IP can I ping this IP? Okay, so I can ping because these are a good IP. It’s not like by the way, I can find out this is Facebook. I can find out the name by this way as well. I just realized. So that let me show you. I think so Ping by D and it’s a D or something. There is a way to show you the name of the domain. Anyway, so I can ping this IP and let me check this IP I can ping before apply my own list. Yeah, this one is also possible. And let’s ping this IP as well from inside. And let test yes, also. And the last IP to testing yes. So all four IPS are Pinging because these are proper IPS. But I want to block maybe it’s not good for me. So I have Create IP list here. And you can put many IP one by one. Not in one line, more than one. That’s the way to create your own list. Same way I have a list of URL. So I have Twitter. com. I can reach to Twitter. com from my inside network if I go there. And Twitter. So it has to reachable yes, and I can reach to Facebook. com. Yeah, there is no such Listion because these are a good website. So let me test facebookcom, yes and Flickr and MSN and Yahoo, whatever all these are reachable. Okay, so I create some few URLs as well. List.

Now how I can block these? So let’s go to yeah, let me discuss first. So custom Blacklist and custom whitelist. You can create what you can do. Go to objects. Object management to create your custom list, which I already have. Go to security. Intelligent. It’s here. Security Intelligent. First one, forget about this one. We will do a bit later DNS. Right now we are targeting Network and URL. Go to network list and feeds. We already know what is Feed and what is List. This is the default one, which I show you and we update them. You can click on here to update the security integer fee which automatically coming. We will discuss global Blacklist and global whitelist a bit later. Right now my target is to create my own List. Click on Aid network list and feed. So let me give them my Blake list. IPS and what is this is Feed or List. I already explained what is the difference between this one feed I need a link to show here and you need to Feed URL link. I search many, I think. So I show you here somewhere. But right now I’m interested in List which is easy to show you. That’s why. Otherwise feed I just will put the URL address will block those URL IP which is embedded feed list So I say List browse and I already show you my one s IP List and then Upload. So how many IPS were there? So it will show you four IPS and say Save. So this is my Blake List IPS. Our network is created here, but you need to update them manually. It’s up to you. But this one is feed. It’s dynamically. Now let’s go to URL list and feed. This time I have a URL as well. There is by default to forget about that. We will discuss and click URL this time and again I want List, not Feed. And here I will say my Blake List URL and browse this one. On my desktop there is URL List upload. Click on upload button. Okay. It will show you how many URL five and Save. It will show you here. It’s come up here my blacklist URL and my blacklist IPS. So I create my own list.

Keep in mind you can create a feed as well. Let me show you. Maybe you are thinking that what is feed? Suppose this is feed list dynamic URL. You can search many of them on Google. Copy this one just to show you one. Maybe you are thinking of how we can create a feed and say my feed and choose from here rather than list choose a feed and that’s the feed URL MD Five. If they have MD five hash, you can put an update up to 2 hours or change and save. That’s it, your feed is ready. So whatever in that website list up feed, it will get automatically. So it’s the same thing like a list but this only dynamic. Now it’s done. No, the last thing you need to do, go to policy again. Access control. Edit your access control policy. Go to Security Intelligence and this time tell them that I have my own blacklist so it was by name up my so let’s go to yeah, here is so my list appear here. Now where is four object? Because I put only four IP. Click on this one and add to Blakelist. And now let’s go to URL and say that I have a Blake list URL where five objects are inside. I know there are five object because this is my URL list where 12345 objects are there. So here I will say my Blake list URL and add to blacklist URL.

List verify is added here or not. So my blacklist URL and it should be my blacklist IPS with four objects done save. So it means those were by default. And now I create my own custom category. You get my point? What we can do? And then go to deploy and deploy whatever you’ve done, a change is deploy to your FTT firewall. So after deploy we can check these website, it will be not pinging. And also those IPS before it was working, I can access them and I can ping them as well. I ping those IPS and let’s say after apply this policy, we will ping out these IP again. So let me open the list again so that we can test them. So these are the IPS and I need this system only. So let’s go back if the policy deploy or not yet. So it will take some time and until date one let’s verify. So what I done custom blacklists. So we create our own IP list. In notepad, you can type one by one like this one. Then we upload, okay? And then we add them to the blacklist. We go to Security Intelligent, access Control, security intelligent tab and this way then we will test them. So this is the way. Okay? And now after that we’re going to test. So in this way you can create your custom list either feed feed, you can host your own website and you can get many feeds from internet when you search, you can use the same technology in Palo Alto as well, I think so I did not teach you that topic.

But there is a way to external feed, you can get IPS and whenever those list of IP dynamically update, so the feed will come to your firewall and it will block those IPS automatically. There are many free available, okay, on the internet, so you can get those feed as well. And feed we normally use maybe for news as well, if I have somewhere here feeds so feed do what we use for many things for news and some other thing as well. So it’s the same approach is here by the way. Okay, so we are waiting to push these custom list and URL, then we will test them. Okay, let’s see now it has to apply quickly, but for some reason still in progress, it will take only as completed and let’s go now to test. So before I ping this IP, it was pinging. Let’s see again. Okay, so it’s wrong, something is wrong, it has to be ping. Okay, it’s blocked now, sometimes it takes time. So 55 is not working and if you want, let me show you from here copy and let me clear this one and ping and let’s test the IP. No, it’s not pinging and let’s test the second IP and ping. So it’s not working and let’s ping the third one.

Okay, this is our own list clear website IP, but I stopped them and the last one to test properly and here is let me paste this one. No how we can verify. So let’s go to analysis and events. And here before how many IPS are there? 12345. Let’s refresh and you will see those IP will be there as well. After this one you see is here. The 35 is this one, then 14 is this, the last one. Okay, 193 is this one and 55 is this one. And let’s say it’s block. All belong to one of the IPS belong to Sodia, or the other is USA. And what is the security intelligent category? My blocklist IP, the custom one, not their category, custom created IP. Blakelist IPS are there and it’s block and you can see it’s block IP. So you can create your own list to block maybe which is not good for you. And also it’s mentioned here by the way. So this one is the normal events and this one is security events. I will show you the graph as well. But before going to graph, what about the URL? Okay, so URL will not work because it’s https URL. So why not we will ping them rather than to access them. So let’s go to inside PC and let’s try to ping this IP.

Okay, so it means Twitter is using some other IP, that’s why it’s working, it has to be blocked and let the use Facebook. Okay, so it’s also reachable by the way, it hasn’t to be let me test through browser because we need to block the behind IPS as well. I just saw let me http and by name if I try to it hasn’t to work and for some reason it’s working. So it means our URL is not properly configured either SSL is enabled, that’s the reason as well. So now it’s not properly blocking by the way. Http and let me type flicker so it’s also reachable. So this one is not properly working. Let me verify from here. Okay, and let’s see table view so it’s accessible by the way, it has to be blocked as well. URL either IPS. Yeah, so it’s allowed all these IP, these URL URL will be mentioned somewhere here. Okay, this is the DNS request. Okay, so it’s not showing us the URL detail, but it has to be so for some reason because I know it’s SSL issue, but it will be block either URL either IP. It has to block them because it’s our own blacklist URL and IPS. So now let’s go to okay, the last thing to verify so another way to verify is Context Explorer. Okay? So our own blacklist IPS, it will show you that list this time before it was malware and so many other things. So let’s see it’s showing our blacklist or not. So let’s go to security intelligence and here you will find my blacklist IP. It should be here. So it’s here now it says my blacklist IPS. Okay? And these are the blacklist IP which we put them 3555-1041 and 91. So issuing us these destinations because it’s our own list, but we put them as A and blacklist. Okay, so this was the custom black list and custom whitelist. Okay, you can whitelist them as well. Custom whitelist as well. Suppose what we done, the IPS which was allowed, we block them so we can do the opposite as well. If I go to network so this is my blacklist IP, I block them which was an allowed list I can create those IPS are block. Yeah, this IP we test them is block. Let’s test this IP only just to show you, only one IP copy and if I go inside system so it will not work because this IP coming under Blake list IP.

So if I clear the screen and ping this one okay, I did not copy them and paste okay, so it’s black, but I want to allow this IP. So create the same way a list go to notepad and paste this IP, save it list of IP, just only this one. And suppose I say white list, I just give them any name, it’s wrong but anyway and you can do the same opposite direction. Just go to your network and say I want to create and say my whitelist IP and type the list browse and what is the white list? This one only one IP which is in blacklist. Okay? And let me say save only one IP is there. And now let’s go to Access Control Policy and edit the policy and go to Security Intelligence and go to Security Intelligence and Network type my one. So what was the my? Here is here is my whitelist. Add to whitelist, not blacklist. It will come here, you see, here is it should be here. Where is yeah, here is my whitelist. Only one IP is there just to show you and save the changes. So this IP is here as well somewhere, and it’s also here. So what do you think? SN blacklist as well and SN whitelist as well. So what will happen? This IP will be pinging or not? I told you this point, if I go up, I highlight that the whitelist override the blacklist.

So because I’m going to whitelist this IP even though it’s block. And from here I can clearly say this IP was block. What was the IP? 131. You see, 131 is block 31 and 131 from Turkey is block. And also if I check from this, 1131 is blocked because I pinged them, it should be their record will be n Security Intelligent as well. It’s here 131 inter case block. Okay. It’s from response to security. Intelligent category. But I allowed them, I put them in the list. So let’s see it’s deploy or not? So when this deploy, you will see this IP will start work. It’s not working. Yeah, because yet the policy is not pushed. So let’s see now if the policy is done, it will take 1 minute and after a minute this IP will start to work. And if I show you again, I block again, it will show block again. There will be another response, because I try again. So let’s see now it’s here again block and from security here is in Security Intelligence. It will be again, there will be this IP and block, because right now it’s not push, you see? Now just wait for a moment so that I can prove you okay. Just wait a minute and you will see, this IP will start work. Even though this IP is somewhere in blacklist, still this is in blacklist, but I whitelist them and let’s see what’s going to happen. It will start work or not.

So it will take time to push the update from FMC to FTD to push this policy, whatever we change. So basically I create a file and I put the blacklist IP and then I upload that file to object, and then I call that object. Okay, it’s done. Now let’s see. Okay, so let me ping again, because they have separate connections, which is not working. It has to work now. And let’s see, you see it start working. And now let’s go bake and verify this one. And now let’s go bake and refresh this one. So before 131 from Turkey it was not working. Okay. It will not show here by the way, because this only show the blacklist. So let’s go to this one. And if you refresh them so this IP will be allowed now it will be not anymore blog so let’s see now in events you see now it’s a allowed same IP 31 to ten. It was blocked three time I put them in the white list and now it’s working. So you get my idea what I am saying and why I highlight this one. So if your IP is present in blacklist and you make them whitelist, so it will consider whitelist because whitelist will override the blacklist even though it’s still in blacklist. And that Blake list is somewhere because the category when we check category is responses. So in response is this IP is still there. This IP is in responses URL responses NS URL responses already I call them. But still this IP is working because of whitelist. Okay? So let me stop this Swiss ping. Yeah, you can see. Okay so this was to create our own custom whitelist and Blakelist.

41. Lecture-41:Security Intelligence Global Blacklist & Whitelist.

Thing related to security. Intelligence is global blacklist and global whitelist. So what the heck is these two things? I told you I will explain you a bit later. So if we go to object object Management, okay. And if we go to Security Intelligence and we we go to network list and feed so there are two extra thing. We discussed the other thing, but there are two things they say global Blacklist and Global Whitelist and the same thing mentioned in URL. List and feed Global Blacklist for URL and Global Whitelist for URL. Let’s go back to network one. So let me open if there is anything. So no is empty. Can I put something? No. Let’s go to Whitelist. Can I put something? No. Can I upload something? No. Okay. Can I delete these two? No. Let’s go to URL feed Global Whitelist URL. Can I put something? No. Can I put in this one? No. So what the hell is these two things? This is daily basis. We are using some time. A huge traffic is coming from a source IP and you want to block them temporary. So you can put them in Global Blacklist. And you don’t need to deploy anything. It will be black straight away. The same is for Whitelist if you want to violate someone temporary. So nothing is the area. And these two let’s do some changes. Let me put this one and Global Blacklist nothing is there. How we can do? Go to analysis and events. I’m in events. Okay. And let’s ping something which is a proper IP. Suppose let me ping something I don’t want to block at eight. Let’s ping one one. So I’m reachable to one one one is DNS like eight eight eight. It’s very famous and fast DNS. So I can ping this IP.

Suppose huge traffic is coming from this IP. Let me refresh it and events. Okay. And manager told me that who the hell is sending this huge traffic? And you say 192-1681 is sending the traffic to one one one, which is Australia. So he said block temporary, right click on this and say blacklist IP now. And done. And now let’s see that the ping stop are working after a while because it’s already established. After a while it will stop and let’s go to blacklist. Sorry. Blacklist IP. Click on it. That IP will be here automatically. Look at now it’s automatically here. I just right click on it and I say blacklist IP now. But it has to be stopped by the way. Let’s see, it takes some time sometime let me ping again. You don’t need to deploy, by the way. But for some reason maybe we have something inside which this IP has to be blocked. It’s very strange. Yeah, it’s blocked now. It takes time. I don’t know, for some reason maybe it’s late, but in real world it will be blocked straight away. You see, I cannot ping now. And how I know that it’s been blocked. Let’s test again. Before it was allowed one one. And now if I check again, it will be block. You see, now it’s block. They say IP block global Blacklist. So who the hell is Global Blacklist? This one and Global blacklist there is IP. So when done, your network speed is okay now. And your manager say okay, now allow this destination, IP is okay now. So you just come here and remove and save. That’s it. So you get the point why we are using this global Blacklist and Global Whitelist. Now let’s test any IP which is blacklist. Suppose this IP I know is blacklist. But the manager told you to allow this IP temporary to someone and he requests you normally in this country, not in US and UK, but in this country you need to follow manager whatever it is wrong or right. So this IP is not reachable. The request came to my firewall and when I check it will be block. So it will show me this IP. What is the IP? Which IPI copy? I don’t know, let me see. 133 133 eight. So let me refresh again. So let’s see, it will be in the Blake list. Okay, so let me Vietnam, maybe some country. And he said no allowed for him, right? Click on this Blake List IP and say put them in whitelist IP. So two things we done already allowed IP, we put them in the blacklist and already blacklist IP, we put them in a whitelist. Let’s go to Global Whitelist. This IP automatically came here 103 381338 and let’s test again. It has to work now. For some reason it take time, but in real what it will work straight away.

But because it’s a lab environment and maybe for some reason it take time and it start now. And now if I go back before this IP was here is block IP block. But if I refresh the table, same IP, 133 eight will be allowed now. Okay, so you get what is Global Blacklist and Global Whitelist and did I apply something? No. Did I deploy something? No, straight away it working. So now it worked. It’s a allowed. Just before a minute it was blog. And from here I can verify from here and Global Whitelist, I put them in a whitelist. It was a blacklist IP, even though it in blacklist still. But because whitelist will override again, I’m telling the same thing. It’s override the rule. So delete and save. So these two things, you cannot delete them and you cannot put IP directly. But when you block them from events, that’s the daily job. Daily you will do such activities. So these two things are important for daily base, appraisal task, operational task. When you do so normally, you will do these things normally. Now let’s go back to URL. The same thing. Any URL. Global Blakelist URL and global Whitelist. So how we can do. So I just need URL. So URL normally coming. I just need to go to events and I just need to test. I need URL because let’s go to let’s try another URL. It’s better to visit. Okay, just 1 minute. Let me visit any URL. Facebook was allowed, I believe. So let’s blog Facebook.

Okay, so suppose Facebook I’m visiting Facebook and let’s visit Twitter. com as well. Okay, so Twitter is accessible and Facebook is not working. Maybe that URL start working now. Okay, so Twitter is enough. Let’s go back to my events. I just need any URL. So let’s refresh this one. Okay, because this was I apply by IP, right? Click an IP button. Right now I need a URL. So let’s go to URL. Yeah, it’s coming. DNS query but URL for some reason it’s not. Yes, it’s come up now. Okay, this is DNS. Sorry. I need URL here. It has to show me. Okay, let’s go to another page to test. For some reason, URL is properly not showing me. Let’s do@yahoo. com I just need one URL. So URL is there now yahoo. And let’s verify this one. Maybe Yahoo can come for some reason. I just need one URL so that I can show you. That how you can put them in a Blake list and whitelist global. Okay, let’s see now. There should be and DNS is showing me. But in URL it has to show me the URL. For some reason it’s not showing me. Anyway, let me show you from here. So when you right click on here. So you say this for DNS but I need for domain. Sorry for URL. Okay, it will show you like this. I don’t know what to do to show me. Okay, let me try maybe from another maybe something wrong from Docker is not showing properly. So let me go to window and window. Let me type. Let me access any URL that I can show you. Just give me a minute to access it. Maybe something is wrong from Docker.

They are getting the full detail, the firewall. So why not try from here? So I’m going to open a browser and window and test any URL. Okay, just a minute. The browser will open and let me type@yahoo. com and let’s open MSN. com as well. So at least one of the link will go there and Twitter. com. Okay, so I’m trying from another inside PC. Maybe the issue is from the docker and even Google. com is okay for me. I will block Google. com URL. Okay, so let’s see. Yahoo is going now and Twitter and this one just wait so they can send the details. Then we will refresh there and we will see. Okay, so yahoo almost here. Slow a bit, but it’s okay. And it’s okay. Let’s see now. So let me refresh again this one and see that I can see the URL this time because this is specially for here. So you need to come here. Okay. And DNS? Query. Still I cannot see the URL. It’s very strained by the way. So just need to refresh so that I can no chance of any URL from here as well. Anyway, it’s the same approach. The only difference is you need to come here. And it’s DNS only showing because DNS is our next topic. The same approach. But that one is Blakelist DNS. It has to show URL here, URL category and URL. So when you click on URL, you can make them blacklist and whitelist same like IP. Let me go through next page. Maybe if I have somewhere in old one, maybe an old log. If we have something anywhere in URL so I can show you. So let me go to second page. And here is again, it’s not showing URL category. Let’s go to another page. If we have somewhere so that I can just click and show you rest of the thing you already understand what is global Whitelist and Global blacklist. So IP either. URL okay.

So it’s even Facebook. It has to show like this here as well in URL. So still for some reason just checking another page. So if we find something, nothing is there. So let’s go back to the first one. Okay. And here is URL. So nothing is there anyway. So you can do the same thing when you apply. So URL will be display here. If you whitelist them, it will show here if you blacklist them. So it will show you here. Okay. So it will show you a URL like this one. Okay. Either this with the Google one. So when you right click. So there is Blakelist http and https connection URL. And here is domain. So domain is different. We will be disclosed in DNS. But here I will say put them in URL blacklist. So when you click on this one, okay. Side here and say blacklist now. Okay. So it’s blacklist now, okay. And second thing, suppose if I say this one to whitelist. So right click and say whitelist this one now. And come here and say whitelist now, okay. And if I go to object now device sorry, object and object management. And if I go to security intelligent and URL now. So you will see. Let’s go to security intelligent URL list and feed and blacklist c now you see it’s there now. And I put them some here as well. Here is so this one is a white list and this one is blacklist. So this one was in whitelist. But I make them a blacklist. So now you cannot access this URL which is not a good URL. I don’t want to test them because we need some proper URL which we can test. But unfortunately URL was not coming.

So that’s why in the same way, suppose if you want so you can put them in black. Sorry it’s a domain this one. And put them in whitelist now. So if you go back to Update and Whitelist, there will be two now. So this is the way to use global blacklist and global whitelist. So you need to go to events and right click there and Blacklist IP and Whitelist IP now by IP. And when you go there, it will be there. And the same thing you can do by URL and also Blacklist, but the name is a bit different. They say global Blacklist for URL and Global Whitelist for URL. But the IP just give them the name global Whitelist and the network one, global Blacklist and Global Whitelist. And here the name is a bit different, global Whitelist for URL. So it’s okay now. Yeah. So these are the different ways to protect your network using security intelligence.

• Category: Uncategorized