19-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 19 Managing Firewall Botnet Traffic Filter Rules
Botnet Traffic Filter Rules Page
The Device Whitelist contains domain names or IP addresses of sites that are deemed to be acceptable.
If the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can
manually enter them into a static whitelist. Static whitelist entries take precedence over entries in the
static blacklist and the Cisco dynamic database. Whitelisted addresses still generate syslog messages,
but because you are only targeting blacklist syslog messages, they are informational.
To configure the static database:
• Click the Add Row button to define static database entries using the Device Whitelist or Device
Blacklist Dialog Box, page 19-15.
• Select an entry and click the Edit Row button to edit an existing entry.
Timesaver: Select an entry and press F2 or double-click on an entry in the Device Whitelist or Device Blacklist to
edit that entry in place.
• Select an entry and click the Delete Row button to delete it.
Navigation Path
From the Botnet Traffic Filter Rules Page, page 19-9, click the Whitelist/Blacklist tab.
Related Topics
• Adding Entries to the Static Database, page 19-5
• Understanding Botnet Traffic Filtering, page 19-1
• Task Flow for Configuring the Botnet Traffic Filter, page 19-2
• Device Whitelist or Device Blacklist Dialog Box, page 19-15
• Botnet Traffic Filter Rules Page, page 19-9
• Dynamic Blacklist Configuration Tab, page 19-10
• Traffic Classification Tab, page 19-11
Device Whitelist or Device Blacklist Dialog Box
Use the Device Whitelist or Device Blacklist dialog box to manually define domain names or IP
addresses that you want to add to the whitelisted (safe) or blacklisted (malicious) lists. You can use the
static blacklist to supplement the Cisco dynamic database or you can use the static blacklist alone if you
can identify all the malware sites that you want to target. Names or addresses that appear on both the
whitelist and the dynamic blacklist are identified only as whitelist addresses in syslog messages and
reports.
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as
cisco.com). For partial names, all web site hosts on that domain are either whitelisted or blacklisted. You
can also enter host IP addresses. Use a comma or new line to separate multiple entries.
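The entry format and whitelist precedence described above can be checked before lists are pasted into the dialog box. The following Python sketch is an added example, not Cisco code: it flags static blacklist entries that a whitelist entry would override. Assumptions: partial names match on label boundaries, the `DYNAMIC` list stands in for the Cisco dynamic database, and all sample entries are constructed.

```python
import ipaddress
import re

def parse_entries(text):
    """Split dialog-style input (comma or new line separated) into normalized entries."""
    return [e.strip().lower().rstrip(".") for e in re.split(r"[,\n]", text) if e.strip()]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def covers(entry, host):
    """True if a list entry applies to host: same IP, same name, or a parent domain."""
    if is_ip(entry) or is_ip(host):
        return (is_ip(entry) and is_ip(host)
                and ipaddress.ip_address(entry) == ipaddress.ip_address(host))
    # Assumption: a partial name such as example.com covers hosts under it,
    # matched on a label boundary so notexample.com is not covered.
    return host == entry or host.endswith("." + entry)

def classify(host, whitelist, blacklist, dynamic=()):
    """Apply the documented precedence: the static whitelist wins over both blacklists."""
    host = host.strip().lower().rstrip(".")
    for label, entries in (("whitelist", whitelist), ("blacklist", blacklist),
                           ("dynamic-blacklist", dynamic)):
        if any(covers(e, host) for e in entries):
            return label
    return "unlisted"

def shadowed(whitelist, blacklist):
    """Static blacklist entries that a whitelist entry overrides, as (blacklist, whitelist) pairs."""
    return [(b, w) for b in blacklist for w in whitelist if covers(w, b)]

# Constructed sample lists (reserved example domains and documentation IP ranges).
WHITE = parse_entries("example.com,\n192.0.2.10")
BLACK = parse_entries("bad.example.com, malware.test\n192.0.2.10, 198.51.100.7")
DYNAMIC = parse_entries("cdn.example.com")  # stand-in for the dynamic database

if __name__ == "__main__":
    for b, w in shadowed(WHITE, BLACK):
        print(f"blacklist entry {b} is overridden by whitelist entry {w}")
    for h in ("cdn.example.com", "x.malware.test", "notexample.com"):
        print(h, "->", classify(h, WHITE, BLACK, DYNAMIC))
```

A broad partial name on the whitelist is the case to review most carefully, because it overrides every blacklisted host beneath that domain.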
Navigation Path
From the Whitelist/Blacklist Tab, page 19-14, click the Add Rows button beneath the Device Whitelist
or Device Blacklist tables, or select an entry and click the Edit Row button.
Related Topics
• Adding Entries to the Static Database, page 19-5