- Title Page
- Introduction & Preface
- Logging into the FireSIGHT System
- Using Objects and Security Zones
- Managing Devices
- Setting Up an IPS Device
- Setting Up Virtual Switches
- Setting Up Virtual Routers
- Setting Up Aggregate Interfaces
- Setting Up Hybrid Interfaces
- Using Gateway VPNs
- Using NAT Policies
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Controlling Traffic Based on Users
- Controlling Traffic Using Intrusion and File Policies
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Intrusion and Network Analysis Policies
- Using Layers in Intrusion and Network Analysis Policies
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Rules
- Tailoring Intrusion Protection to Your Network Assets
- Detecting Specific Threats
- Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Working with Connection & Security Intelligence Data
- Analyzing Malware and File Activity
- Working with Intrusion Events
- Handling Incidents
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Introduction to Network Discovery
- Enhancing Network Discovery
- Configuring Active Scanning
- Using the Network Map
- Using Host Profiles
- Working with Discovery Events
- Configuring Correlation Policies and Rules
- Using the FireSIGHT System as a Compliance Tool
- Creating Traffic Profiles
- Configuring Remediations
- Using Dashboards
- Using the Context Explorer
- Working with Reports
- Understanding and Using Workflows
- Using Custom Tables
- Searching for Events
- Managing Users
- Scheduling Tasks
- Managing System Policies
- Configuring Appliance Settings
- Licensing the FireSIGHT System
- Updating System Software
- Monitoring the System
- Using Health Monitoring
- Auditing the System
- Using Backup and Restore
- Specifying User Preferences
- Importing and Exporting Configurations
- Purging Discovery Data from the Database
- Viewing the Status of Long-Running Tasks
- Command Line Reference
- Security, Internet Access, and Communication Ports
- Third-Party Products
- Glossary
Logging into the FireSIGHT System
This chapter details the steps you must take to log into and log out of the FireSIGHT System, using the appliance-based web interface as well as the command line interface (CLI). You can also configure externally authenticated user accounts that use LDAP or RADIUS credentials.
After you have logged into the web interface, the context menu feature provides extra information and helpful navigation links when you hover your pointer over certain areas.
Logging into the Appliance
The FireSIGHT System Defense Center has a web interface that you can use to perform administrative, management, and analysis tasks. Physical managed devices also have a web interface that you can use to perform initial setup and basic analysis and configuration tasks. For information on browser requirements, refer to the release notes for this version of the FireSIGHT System.
Virtual managed devices do not have web interfaces. For these devices (and Series 3 devices as well), the FireSIGHT System provides an interactive CLI that you can use to perform any tasks that you cannot complete using the device’s managing Defense Center.
Cisco NGIPS for Blue Coat X-Series also does not have a web interface. However, it has a CLI unique to the X-Series platform. You use this CLI to install the system and to perform other platform-specific administrative tasks. For more information, including how to log in to the X-Series platform CLI, see the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide .
ASA FirePOWER devices have their own management applications (ASDM and CSM) and CLI for configuring the ASA device. In addition, the FireSIGHT System provides an interactive CLI that you can use to perform any tasks that you cannot complete using the device’s managing Defense Center. You use the ASA-specific tools to install the system and to perform other platform-specific administrative tasks. See the ASA documentation for more information.
Note Because FirePOWER appliances audit user activity based on user accounts, make sure that users log into the system with the correct account.
You must provide a username and password to obtain access to the web interface, CLI, or shell of an appliance. After you log into an appliance, the features you can access are controlled by the privileges granted to your user account. For more information, see Managing User Accounts.
Optionally, if your organization uses Common Access Cards (CACs) for authentication, you can use your CAC credentials to obtain access to the web interface of an appliance. For more information about CAC authentication and authorization, see Understanding LDAP Authentication With CAC.
The first time you visit the appliance home page during a web session, you can view information about your last login session for that appliance. You can see the following information about your last login:
- the day of the week, month, date, and year of the login
- the appliance-local time of the login in 24-hour notation
- the host and domain name last used to access the appliance
By default, your session automatically logs you out after 1 hour of inactivity, unless you are otherwise configured to be exempt from session timeout. Users with the Administrator role can change the session timeout interval in the system policy. For more information, see Managing User Login Settings and Configuring User Interface Settings.
Note that some processes that take a significant amount of time may cause your web browser to display a message that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it finishes.
Note For fresh installations (new or reimaged) of the system on an appliance, you must log in using the administrative (admin) user account to complete the initial setup process, which is described in the FireSIGHT System Installation Guide. After you create other user accounts as described in Adding New User Accounts, you and other users should use those accounts to log in to the web interface.
Tip You must configure CAC authentication and authorization before users on your network can log in to the CAC Login page using their CAC credentials. For more information, see Understanding LDAP Authentication With CAC.
To log into the appliance via the web interface:
Step 1 Direct your browser to https://hostname/, where hostname corresponds to the host name of the appliance.
Step 2 In the Username and Password fields, type your user name and password. User names are case sensitive.
If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, type 1111222222. You must have already generated your SecurID PIN before you can log into the FireSIGHT System.
The default start page appears. If you selected a custom home page for your user account, that page is displayed instead. See Specifying Your Home Page for more information.
Tip If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account. For more information, see Modifying User Privileges and Options.
The menus and menu options listed at the top of the page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the system displays a warning message.
You can either select a different option from the available menus or click Back in your browser window to return to the previous page.
To log into the appliance via the web interface using CAC credentials:
Step 1 Insert a CAC as instructed by your organization.
Step 2 Direct your browser to https://hostname/, where hostname corresponds to the host name of the appliance.
Step 3 If prompted, enter the PIN associated with the CAC you inserted in step 1.
Step 4 If prompted, select the appropriate certificate from the drop-down list.
The browser accepts your selection and the CAC Login page appears.
Step 5 To authenticate using your CAC credentials, click Continue.
To authenticate using your user name and password, enter them in the Username and Password fields. User names are case sensitive.
The default start page appears. If you selected a custom home page for your user account, that page is displayed instead. See Specifying Your Home Page for more information.
Tip If you do not have access to the web interface, contact your system administrator to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account. For more information, see Modifying User Privileges and Options.
The menus and menu options listed at the top of the page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the system displays a warning message.
You can either select a different option from the available menus or click Back in your browser window to return to the previous page.
Note Do not remove a CAC during an active browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.
To log into a Series 3, virtual, or ASA FirePOWER device via the command line:
Access: CLI Basic Configuration
Step 1 For Series 3 and virtual devices, open an SSH connection to the appliance at hostname, where hostname corresponds to the host name of the appliance. For ASA FirePOWER devices, open the SSH connection to the ASA FirePOWER module at the management address.
The login as: command prompt appears.
Step 2 Type your user name and press Enter.
Step 3 Type your password and press Enter.
If your organization uses SecurID® tokens when logging in, append the token to your SecurID PIN and use that as your password to log in. For example, if your PIN is 1111 and the SecurID token is 222222, type 1111222222. You must have already generated your SecurID PIN before you can log into the FireSIGHT System.
The login banner appears, followed by the > prompt.
You can use any of the commands allowed by your level of command line access. See the Command Line Reference for more information on available CLI commands.
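The SSH step above, as an added example that is not part of the Cisco guide: a small POSIX shell wrapper that refuses to open the CLI session unless the appliance's host key is already pinned in a dedicated known_hosts file, so a management workstation never accepts an unknown or changed key interactively on its first connection to a sensor. The host name sensor1.example.com, the admin user name, the temporary file path, and the known_hosts entry are constructed assumptions; the key string is not a real appliance key.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): wraps the SSH login to a Series 3 or
# virtual device so the connection is refused unless the appliance's host key is
# already pinned in a dedicated known_hosts file. Host name, user name, file path
# and the known_hosts entry below are assumptions used for illustration only.

# host_is_pinned FILE HOST
# Exit 0 only if FILE contains a plain (unhashed) known_hosts line whose host
# field names HOST. Hashed "|1|..." entries are deliberately not matched: a
# pinning file you maintain by hand should use plain host names so it can be
# reviewed. Comment lines and "@cert-authority"/"@revoked" markers are skipped.
host_is_pinned() {
    file=$1
    host=$2
    [ -r "$file" ] || return 1
    awk -v h="$host" '
        $1 !~ /^[#@]/ {
            # The first field may list several names separated by commas.
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# firesight_ssh FILE USER HOST
# Opens the CLI session from the procedure above, or returns 2 without
# touching the network when HOST has no pinned key in FILE.
firesight_ssh() {
    file=$1
    user=$2
    host=$3
    if ! host_is_pinned "$file" "$host"; then
        echo "refusing to connect: no pinned host key for $host in $file" >&2
        return 2
    fi
    # StrictHostKeyChecking=yes: never prompt to accept a new or changed key.
    # UserKnownHostsFile / GlobalKnownHostsFile: consult only the pinned file,
    # not ~/.ssh/known_hosts or the system-wide file.
    ssh -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$file" \
        -o GlobalKnownHostsFile=/dev/null \
        "$user@$host"
}

# Constructed pinning file for the demo; the key below is not a real key.
PINNED_HOSTS="${TMPDIR:-/tmp}/firesight_known_hosts.$$"
cat > "$PINNED_HOSTS" <<'EOF'
# pinned FireSIGHT managed devices (constructed example)
sensor1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealXXXXXXXXXXXXXXXXXXXXX
EOF

# Usage (uncomment to connect): the first call would open the session, the
# second is refused because sensor2 has no pinned key.
# firesight_ssh "$PINNED_HOSTS" admin sensor1.example.com
# firesight_ssh "$PINNED_HOSTS" admin sensor2.example.com
```

To populate the pinning file, obtain the appliance's host key over a trusted channel (for example, from the console during initial setup) rather than by accepting it on the first network connection; the wrapper then treats any change to that key as a hard failure instead of a prompt.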
Logging Out of the Appliance
When you are no longer actively using the web interface, Cisco recommends that you log out, even if you are only stepping away from your web browser for a short period of time. Logging out ends your web session and ensures that no one can use the appliance with your credentials.
By default, your session automatically logs you out after 1 hour of inactivity, unless you are otherwise configured to be exempt from session timeout. Users with the Administrator role can change the session timeout interval in the system policy. For more information, see Managing User Login Settings and Configuring User Interface Settings.
Step 1 Click Logout on the toolbar.
Using the Context Menu
For your convenience, certain pages in the web interface support a pop-up context menu that you can use as a shortcut for accessing other features in the FireSIGHT System. The contents of the menu depend on the hotspot where you access it—not only the page but also the specific data.
For example, IP address hotspots in event views, intrusion event packet views, the dashboard, and the Context Explorer provide additional options. Use the IP address context menu by right-clicking on the hotspot to learn more about the host associated with that address, including any available whois and host profile information. Except on the DC500 Defense Center, which does not support Security Intelligence filtering, you can also add an individual IP address to the Security Intelligence global whitelist or blacklist.
As another example, SHA-256 value hotspots in event views and the dashboard allow you to add a file’s SHA-256 hash value to the clean list or custom detection list, or view the entire hash value for copying. Note that this functionality is also not supported on the DC500 Defense Center.
The following list describes many of the options available in the context menu on various pages of the web interface. On pages or locations where the Cisco context menu is not supported, the normal context menu for your browser appears.
Access Control, SSL, and NAT Policy Editors
The access control, SSL, and NAT policy editors contain hotspots over each rule. You can use the context menu to insert new rules and categories; cut, copy, and paste rules; set the rule state; and edit the rule.
The intrusion rule editor contains hotspots over each intrusion rule. You can use the context menu to edit the rule, set the rule state (including disabling the rule), configure thresholding and suppression options, and view rule documentation.
Event pages (drill-down pages and table views) contain hotspots over each event, IP address, and certain detected files’ SHA-256 hash values. For most event types, you can use the context menu to view related information in the Context Explorer, or drill down into event information in a new window. In places where an event field contains text too long to fully display in the event view, such as a file’s SHA-256 hash value, a vulnerability description, or a URL, you can use the context menu to view the full text.
For captured files, file events, and malware events, you can use the context menu to add a file to or remove a file from the clean list or custom detection list, download a copy of the file, view nested files inside an archive file, download the parent archive file for a nested file, or submit the file to the Collective Security Intelligence Cloud for dynamic analysis.
For intrusion events, you can use the context menu to perform similar tasks to those in the intrusion rule editor or an intrusion policy: edit the triggering rule, set the rule state (including disabling the rule), configure thresholding and suppression options, and view rule documentation.
Intrusion event packet views contain IP address hotspots. Note that the packet view uses a left-click context menu instead of a right-click menu.
Many dashboard widgets contain hotspots to view related information in the Context Explorer. Dashboard widgets can also contain IP address and SHA-256 value hotspots.
The Context Explorer contains hotspots over its charts, tables, and graphs. If you want to examine data from graphs or lists in more detail than the Context Explorer allows, you can drill down to the table views of the relevant data. You can also view related host, user, application, file, and intrusion rule information.
Note that the Context Explorer uses a left-click context menu, which also contains filtering and other options unique to the Context Explorer. For detailed information, see Drilling Down on Context Explorer Data.
Step 1 On a hotspot-enabled page in the web interface, hover your pointer over a hotspot.
Except in the Context Explorer, a Right-click for menu message appears.
Step 2 Invoke the context menu: right-click the hotspot, or, in the Context Explorer and in intrusion event packet views, left-click it.
A pop-up context menu appears with options appropriate for the hotspot.
Step 3 Select one of the options by left-clicking the name of the option.
If you are using the access control, SSL, or NAT policy editor, the rule is modified in place. Otherwise, a new browser window opens based on the option you selected.