Troubleshoot Security Intelligence Feed Update Failures on the Firepower Management Center

Available Languages

Download Options

  • PDF     (46.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (88.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (77.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 15, 2023
Document ID:117997

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot issues with Security Intelligence Feed updates.

    Background

    The Security Intelligence Feed is composed of several regularly updated lists of IP addresses that have poor reputations, as determined by the Cisco Talos Security Intelligence and Research Group (Talos). It is important to keep the intelligence feed regularly updated so that a Cisco Firepower System can use up-to-date information in order to filter your network traffic.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Firepower Management Center

    • Security Intelligence Feed

    Components Used

    The information in this document is based on a Cisco Firepower Management Center that runs software Version 5.2 or later.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem

    A Security Intelligence Feed update failure occurs. You can verify the failure by either the web GUI or the CLI (explained further in the sections that follow).

    Verify the Problem from the Web GUI

    When the Security Intelligence Feed update failure occurs, the Firepower Management Center displays health alerts.

    Verify the Problem from the CLI

    In order to determine the root cause of an update failure with the Security Intelligence Feed, enter this command into the CLI of the Firepower Management Center:

    admin@Sourcefire3D:~$ cat /var/log/messages

    Search for either of these warnings in the messages:

    Sourcefire3D SF-IMS[2004]: [2011] CloudAgent:IPReputation [WARN] Cannot download
     Sourcefire_Intelligence_Feed

    Sourcefire3D SF-IMS[24085]: [24090] CloudAgent:IPReputation [WARN] Download
     unsucessful: Failure when receiving data from the peer

    Solution

    Complete these steps in order to troubleshoot the problem:

    1. Verify that the intelligence.sourcefire.com site is active. Navigate to https://intelligence.sourcefire.comin a browser. 

    2. Access the CLI of the Firepower Management Center by Secure Shell (SSH).

    3. Ping intelligence.sourcefire.com from the Firepower Management Center:

      admin@Sourcefire3D:~$ sudo ping intelligence.sourcefire.com
      verify you receive an output similar to this:
      64 bytes from x (xxx.xxx.xx.x): icmp_req=1 ttl=244 time=4.05 ifyou do not receive a response similar to that shown, then you can have an outbound connectivity issue, or you do not have a route to intelligence.sourcefire.com.
    4. Resolve the hostname for intelligence.sourcefire.com:

      admin@Firepower:~$ sudo nslookup intelligence.sourcefire.com
      Verify you receive a response similar to this:

      Server: 8.8.8.8
      Address: 8.8.8.8#53

      Name: intelligence.sourcefire.com
      Address: xxx.xxx.xx.x

      Note: The aforementioned output uses the Google Public Domain Name System (DNS) Server as an example. The output depends on the DNS settings configured in System > Local > Configuration, under the Network section. If you do not receive a response similar to that shown, then ensure the DNS settings are correct.

      Caution: The server uses a round-robin IP address schema for load balancing, fault-tolerance, and uptime. Therefore, the IP addresses can change, and Cisco recommends the firewall be configured with a CNAME instead of an IP address.

    5. Check the connectivity to intelligence.sourcefire.com with the use of Telnet:

      admin@Firepower:~$ sudo telnet intelligence.sourcefire.com 443
      Verify you receive an output similar to this:

      Trying xxx.xxx.xx.x...
      Connected to intelligence.sourcefire.com.
      Escape character is '^]'.

      Note: If you can complete the second step successfully but are unable to Telnet to intelligence.sourcefire.com over port 443, you can have a firewall rule that blocks port 443 outbound for intelligence.sourcefire.com.

    6. Navigate to System > Local > Configuration and verify the proxy settings of the Manual Proxy configuration under the Network section.

      Note: If this proxy does Secure Sockets Layer (SSL) inspection, you must put into place a bypass rule that bypasses the proxy for intelligence.sourcefire.com.

    7. Test if you can perform an HTTP GET request against intelligence.sourcefire.com:

      admin@Firepower:~sudo curl -vvk https://intelligence.sourcefire.com
      * About to connect() to intelligence.sourcefire.com port 443 (#0)
      *   Trying 192.168.79.58...
      * Adding handle: conn: 0xec5630
      * Adding handle: send: 0
      * Adding handle: recv: 0
      * Curl_addHandleToPipeline: length: 1
      * - Conn 0 (0xec5630) send_pipe: 1, recv_pipe: 0
      * Connected to intelligence.sourcefire.com (192.168.79.58) port 443 (#0)
      * SSLv3, TLS handshake, Client hello (1):
      * SSLv3, TLS handshake, Server hello (2):
      * SSLv3, TLS handshake, CERT (11):
      * SSLv3, TLS handshake, Server key exchange (12):
      * SSLv3, TLS handshake, Server finished (14):
      * SSLv3, TLS handshake, Client key exchange (16):
      * SSLv3, TLS change cipher, Client hello (1):
      * SSLv3, TLS handshake, Finished (20):
      * SSLv3, TLS change cipher, Client hello (1):
      * SSLv3, TLS handshake, Finished (20):
      * SSL connection using DHE-RSA-AES256-SHA
      * Server certificate:
      * 	 subject: O=Sourcefire Inc.; OU=VRT Department of Intelligence;
             emailAddress=vrt-systems@sourcefire.com; L=Columbia; ST=MD; C=US;
             CN=intelligence.sourcefire.com
      * 	 start date: 2016-02-29 22:50:29 GMT
      * 	 expire date: 2019-02-28 22:50:29 GMT
      * 	 issuer: O=Sourcefire Inc.; OU=VRT Department of Intelligence;
             emailAddress=vrt-systems@sourcefire.com; L=Columbia; ST=MD; C=US;
             CN=intelligence.sourcefire.com; nsCaRevocationUrl=
             https://intelligence.sourcefire.com/vrtca.crl
      * 	 SSL certificate verify result: unable to get local issuer certificate
             (20), continuing anyway.
      > GET / HTTP/1.1
      > User-Agent: curl/7.31.0
      > Host: intelligence.sourcefire.com
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Date: Tue, 01 Mar 2016 13:06:16 GMT
      * Server Apache is not blacklisted
      < Server: Apache
      < Last-Modified: Tue, 09 Dec 2014 20:08:06 GMT
      < ETag: "9da27-3-509ce19e67580"
      < Accept-Ranges: bytes
      < Content-Length: 3
      < Content-Type: text/html
      < 
      :)
      * Connection #0 to host intelligence.sourcefire.com left intact

      Note: The smiley face at the end of the curl command output indicates a successful connection.

      Note: If you use a proxy, the curl command requires a username. The command is curl -U <user> -vvk https://intelligence.sourcefire.com. Additionally, after you enter the command, you are prompted enter the proxy password.

    8. Verify the HTTPS traffic used in order to download the Security Intelligence feed does not pass through an SSL decryptor. In order to verify no SSL decryption occurs, validate the Server Certificate information in the output from Step 6. If the Server Certificate does not match what displayed in the example that follows, then you can have an SSL decryptor that resigns the certificate. If the traffic passes through an SSL decryptor, you must bypass all of the traffic that goes to intelligence.sourcefire.com.

      admin@Firepower:~$ sudo curl -vvk https://intelligence.sourcefire.com
      * About to connect() to intelligence.sourcefire.com port 443 (#0)
      *   Trying 192.168.79.58...
      * Adding handle: conn: 0xec5630
      * Adding handle: send: 0
      * Adding handle: recv: 0
      * Curl_addHandleToPipeline: length: 1
      * - Conn 0 (0xec5630) send_pipe: 1, recv_pipe: 0
      * Connected to intelligence.sourcefire.com (192.168.79.58) port 443 (#0)
      * SSLv3, TLS handshake, Client hello (1):
      * SSLv3, TLS handshake, Server hello (2):
      * SSLv3, TLS handshake, CERT (11):
      * SSLv3, TLS handshake, Server key exchange (12):
      * SSLv3, TLS handshake, Server finished (14):
      * SSLv3, TLS handshake, Client key exchange (16):
      * SSLv3, TLS change cipher, Client hello (1):
      * SSLv3, TLS handshake, Finished (20):
      * SSLv3, TLS change cipher, Client hello (1):
      * SSLv3, TLS handshake, Finished (20):
      * SSL connection using DHE-RSA-AES256-SHA
      * Server certificate:
      * 	 subject: O=Sourcefire Inc.; OU=VRT Department of Intelligence;
             emailAddress=vrt-systems@sourcefire.com; L=Columbia; ST=MD; C=US;
             CN=intelligence.sourcefire.com
      * 	 start date: 2016-02-29 22:50:29 GMT
      * 	 expire date: 2019-02-28 22:50:29 GMT
      * 	 issuer: O=Sourcefire Inc.; OU=VRT Department of Intelligence;
             emailAddress=vrt-systems@sourcefire.com; L=Columbia; ST=MD; C=US;
             CN=intelligence.sourcefire.com; nsCaRevocationUrl=
             https://intelligence.sourcefire.com/vrtca.crl
      * 	 SSL certificate verify result: unable to get local issuer certificate
             (20), continuing anyway.
      > GET / HTTP/1.1
      > User-Agent: curl/7.31.0
      > Host: intelligence.sourcefire.com
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Date: Tue, 01 Mar 2016 13:06:16 GMT
      * Server Apache is not blacklisted
      < Server: Apache
      < Last-Modified: Tue, 09 Dec 2014 20:08:06 GMT
      < ETag: "9da27-3-509ce19e67580"
      < Accept-Ranges: bytes
      < Content-Length: 3
      < Content-Type: text/html
      < 
      :)
      * Connection #0 to host intelligence.sourcefire.com left intact

    Note: The SSL decryption must be bypassed for the Security Intelligence Feed because the SSL decryptor sends the Firepower Management Center an unknown certificate in the SSL handshake. The certificate sent to the Firepower Management Center is not signed by a Sourcefire-trusted CA, so the connection is untrusted.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    15-Mar-2023
    Updated to comply with current Cisco publication standards.
    1.0
    17-Jul-2014
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Nazmul Rajib
      TAC
    • Foster Lipkey
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products