Cisco FMC Response Integration User Guide

Why this is required

Our API does not add IPs directly into a firewall rule.
Instead, the API updates a Dynamic Object (an IP list).
For the blocking to actually work on the firewall, Cisco FMC must have:

  1. A Dynamic Object (IP list) that will contain the IPs
  2. A BLOCK rule in the correct Access Control Policy (ACP)
  3. The Dynamic Object linked inside that BLOCK rule (Source or Destination)
  4. The changes Deployed to the managed devices (FTD)

If any of these steps is skipped, the API may still return success, but you will see the “IP is added but blocking does not work” symptom: the IP is in the list, yet no traffic is blocked.

Step 1 — Create the Dynamic Object (IP List)

  1. Log in to Cisco Firepower Management Center (FMC).
  2. Go to: Objects → Object Management → Dynamic Objects
  3. Click Add / New Dynamic Object.
  4. Set: 

    Object Type: IP

    Name: (example) LOGSIGN_BLOCKLIST

  5. Click Save.

What this means:
LOGSIGN_BLOCKLIST is the container where the API will add/remove IP addresses.

Step 2 — Create a BLOCK Rule in the Correct Access Control Policy (ACP)

  1. In FMC, go to:
    Policies → Access Control
  2. Open the Access Control Policy (ACP) that is actually used by the traffic you want to block.
  3. Click Add Rule.
  4. Set:

    Name: (example) LOGSIGN_BLOCK_RULE

    Action: BLOCK

  5. Click Save.

Important note:
The Dynamic Object alone does nothing. Blocking happens only when a rule is created and configured to use that Dynamic Object.

Step 3 — Link the Dynamic Object inside the BLOCK Rule (Most Critical Step)

  1. Open the rule you created: LOGSIGN_BLOCK_RULE.
  2. Decide what you want to block:

Option A — Block “source IPs” (attacker/source side)

  • Go to the rule’s Source section
  • Choose Dynamic Objects
  • Select: LOGSIGN_BLOCKLIST

Option B — Block “destination IPs” (target side)

  • Go to the rule’s Destination section
  • Choose Dynamic Objects
  • Select: LOGSIGN_BLOCKLIST

  3. Click Save.

What this means:
The rule now works like this:

“If Source/Destination matches any IP inside LOGSIGN_BLOCKLIST, then BLOCK.”

Step 4 — Deploy / Publish Changes (Required for Real Blocking)

  1. In FMC, go to:
    Deploy (or Pending Changes → Deploy)
  2. Select the device(s) / FTD(s) where this ACP is applied.
  3. Click Deploy and wait until deployment finishes successfully.

Why this is required:
Until you deploy, the rule is not pushed to the firewall devices, so nothing changes in production traffic.

What the Customer Must Provide to Logsign (UI Input)

In the Logsign UI, the customer provides:

  1. RuleName → the exact name of the BLOCK rule they created
    Example: LOGSIGN_BLOCK_RULE
  2. Dynamic Object Name → the exact name of the Dynamic Object
    Example: LOGSIGN_BLOCKLIST

Important:
The names must match exactly: they are case-sensitive, and any spaces in the name count.

Quick Troubleshooting (Common Reasons “Blocking Doesn’t Work”)

  • The wrong Access Control Policy (ACP) was edited (traffic uses a different policy)
  • The Dynamic Object was created, but not linked inside the rule
  • The rule action is not BLOCK
  • The rule is disabled
  • Changes were not Deployed
  • The rule is in a section/order that never matches the traffic (rule order matters)
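
The checklist above can be run as a pre-flight check before enabling the integration. The following is an added example, not Logsign or Cisco code: the dictionary layout, the field names (`match_any`, `source_dynamic`, `dest_dynamic`), the finding codes and the sample policy are assumptions constructed for illustration and are not the FMC REST API schema.

```python
# Added example. The dict layout is a constructed, simplified model of an
# Access Control Policy, not the FMC REST API schema.

def _fold(name):
    """Normalise a name so case/whitespace near-misses can be detected."""
    return "".join(name.split()).lower()

def diagnose(policy, rule_name, object_name, deployed):
    """Return findings explaining why blocking may not take effect."""
    rules = policy["rules"]
    idx = next((i for i, r in enumerate(rules) if r["name"] == rule_name), None)
    if idx is None:
        # Names must match exactly, so report a near-miss separately.
        near = [r["name"] for r in rules if _fold(r["name"]) == _fold(rule_name)]
        if near:
            return [f"NAME_MISMATCH: did you mean {near[0]!r}?"]
        return ["RULE_NOT_FOUND: wrong ACP, or rule never created"]
    rule, findings = rules[idx], []
    if rule["action"] != "BLOCK":
        findings.append(f"ACTION_NOT_BLOCK: action is {rule['action']}")
    if not rule["enabled"]:
        findings.append("RULE_DISABLED")
    linked = rule.get("source_dynamic", []) + rule.get("dest_dynamic", [])
    if object_name not in linked:
        findings.append(f"OBJECT_NOT_LINKED: {object_name} not in Source/Destination")
    # Rule order: an earlier enabled rule with no conditions matches all
    # traffic first, so the block rule is never evaluated.
    for earlier in rules[:idx]:
        if earlier["enabled"] and earlier.get("match_any"):
            findings.append(f"SHADOWED_BY: {earlier['name']}")
            break
    if not deployed:
        findings.append("NOT_DEPLOYED: changes pending on FMC")
    return findings

# Constructed sample policy: a catch-all allow rule sits above the block rule,
# and the Dynamic Object has not been linked yet.
SAMPLE_ACP = {
    "name": "EDGE_ACP",
    "rules": [
        {"name": "ALLOW_ALL_OUT", "action": "ALLOW", "enabled": True, "match_any": True},
        {"name": "LOGSIGN_BLOCK_RULE", "action": "BLOCK", "enabled": True,
         "source_dynamic": [], "dest_dynamic": []},
    ],
}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_ACP, "LOGSIGN_BLOCK_RULE", "LOGSIGN_BLOCKLIST", deployed=False):
        print(line)
```

An empty result means none of the modelled failure conditions applies; it does not replace testing with real traffic after deployment.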