Licensing the FireSIGHT System
You can license a variety of features to create an optimal FireSIGHT System deployment for your organization. You use the Defense Center to manage licenses for itself and the devices it manages.
Understanding Licensing
You can license a variety of features to create an optimal FireSIGHT System deployment for your organization. A FireSIGHT license is included with your Defense Center and is required to perform host, application, and user discovery.
Additional model-specific licenses allow your managed devices to perform a variety of functions including:
- intrusion detection and prevention
- Security Intelligence filtering
- file control and advanced malware protection
- application, user, and URL control
- switching and routing
- device clustering
- network address translation (NAT)
- virtual private network (VPN) deployments
There are a few ways you may lose access to licensed features in the FireSIGHT System. You can remove licenses from the Defense Center, which affects all of its managed devices. You can also disable licensed capabilities on specific managed devices. Finally, some licenses may expire. Though there are some exceptions, you cannot use the features associated with an expired or deleted license.
Certain licenses, like the FireSIGHT license, are perpetual. Other licenses require that you purchase a service subscription to enable the license.
- License Types and Restrictions
- Service Subscriptions
- Licensing High Availability Pairs
- Licensing Stacked and Clustered Devices
- Licensing Series 2 Appliances
- Understanding FireSIGHT Host and User License Limits
License Types and Restrictions
This section describes the types of licenses available in a FireSIGHT System deployment. The licenses you can enable on an appliance depend on its model, version, and (for managed devices) the other licenses enabled.
For virtual and Series 3 devices, licenses are model specific; you cannot enable a license on a managed device unless the license exactly matches the device’s model. For example, you cannot use a 3D8250 Protection license to enable Protection capabilities on a 3D8140 device. As your organization and deployment grow, you can purchase additional licenses for additional managed devices.
Series 2 devices automatically have Protection capabilities (with the exception of Security Intelligence filtering). Although you do not need to explicitly enable Protection on Series 2 devices, you also cannot enable any other licenses.
Also note that although you can enable Control on a virtual device or ASA FirePOWER device to perform user and application control, these devices do not support switching, routing, stacking, or clustering.
The following table summarizes FireSIGHT System licenses.
| License | Capabilities | Supported devices | Requires |
|---|---|---|---|
| FireSIGHT | host, application, and user discovery; sets the host and user limits | Defense Center (included) | none |
| Protection | intrusion detection and prevention, file control, Security Intelligence filtering | Series 3, Virtual, X-Series, ASA FirePOWER (built in on Series 2, without Security Intelligence filtering) | none |
| Control | user and application control; switching, routing (including DHCP relay and NAT), and clustering on Series 3 devices | Series 3, Virtual, ASA FirePOWER | Protection |
| URL Filtering | category- and reputation-based URL conditions in access control rules | Series 3, Virtual, X-Series, ASA FirePOWER | Protection |
| Malware | advanced malware protection (network-based malware detection and blocking) | Series 3, Virtual, ASA FirePOWER | Protection |
| VPN | secure tunnels between the virtual routers of managed devices | managed devices with virtual routers | Protection and Control |
Note that the DC500 Defense Center does not support the capabilities provided by a URL Filtering or Malware license.
FireSIGHT
A FireSIGHT license is included with your Defense Center and allows you to perform host, application, and user discovery. Discovery data allows the system to create a complete, up-to-the-minute profile of your network, and correlate threat, endpoint, and network intelligence with user identity information. You can use discovery data to perform traffic profiling, assess network compliance, and implement correlation policies.
Your FireSIGHT license also determines how many individual hosts and users you can monitor with the Defense Center and its managed devices. Note that the user limit applies independently to the following:
- the Users database, which contains a record for each user detected by the FireSIGHT System
- the number of users you can use in access control rules to perform user control, also called access-controlled users
For information on the consequences of reaching the licensed limit, see Understanding FireSIGHT Host and User License Limits.
Without a FireSIGHT license, you can still perform basic system configuration, monitoring, network-based access control (zone, network, VLAN, and port rule conditions), connection logging, and reporting. Additionally, you can receive endpoint-based malware events from the Collective Security Intelligence Cloud without a FireSIGHT license, although your organization does need a FireAMP subscription.
Tip The License statements in this guide assume your Defense Center has a FireSIGHT license. However, if the Defense Center was previously running Version 4.10.x, you may be able to use legacy RNA Host and RUA User licenses instead of a FireSIGHT license. For more information, see Protection.
Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
A Protection license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:
- Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
- File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. With a Malware license (see Malware), you can also inspect and block a restricted set of those file types based on their malware dispositions.
- Security Intelligence filtering allows you to blacklist—deny traffic to and from—specific IP addresses, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.
A Protection license (along with a Control license) is automatically included in the purchase of any managed device. This license is perpetual, but you must also purchase a TA subscription to enable system updates.
Although you can configure an access control policy to perform Protection-related inspection without a license, you cannot apply the policy until you first add a Protection license to the Defense Center, then enable it on the devices targeted by the policy.
If you delete your Protection license from the Defense Center or disable Protection on managed devices, the Defense Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criterion stop firing. Additionally, the Defense Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot reapply existing policies until you re-enable Protection.
Because a Protection license is required for URL Filtering, Malware, and Control licenses, deleting or disabling a Protection license has the same effect as deleting or disabling your URL Filtering, Malware, or Control license.
Note Series 2 devices automatically have most Protection capabilities; you do not have to purchase or enable Protection licenses for these devices. However, Series 2 devices cannot perform Security Intelligence filtering.
Control
Supported Devices: Series 3, Virtual, ASA FirePOWER
Supported Defense Centers: feature dependent
A Control license allows you to implement user and application control by adding user and application conditions to access control rules. It also allows you to configure your Series 3 managed devices to perform switching and routing (including DHCP relay and NAT), as well as cluster managed devices. To enable Control on a managed device, you must also enable Protection.
Note Although you can enable a Control license on a virtual device or ASA FirePOWER device, these devices do not support switching, routing, stacking, or clustering.
A Control license is automatically included (along with a Protection license) in the purchase of any managed device. This license is perpetual, but you must also purchase a TA subscription to enable system updates.
Although you can add user and application conditions to access control rules without a Control license, you cannot apply the policy until you first add a Control license to the Defense Center, then enable it on the devices targeted by the policy.
Note that the DC500 Defense Center does not support adding user conditions in access control rules.
Without a Control license, you cannot create switched, routed, or hybrid interfaces on your managed devices; create NAT entries; or configure DHCP relay for virtual routers. Although you can create virtual switches and routers, they are not useful without switched and routed interfaces to populate them. Further, you cannot apply a device configuration that includes switching or routing to a managed device where you have not enabled Control. Additionally, establishing clustering between managed devices requires that the devices are enabled for Control.
If you delete your Control license from the Defense Center or disable Control on individual devices, the affected devices do not stop performing switching or routing, nor do device clusters break. Although you can edit and delete existing configurations, you cannot apply your changes to the affected devices. You cannot add new switched, routed, or hybrid interfaces, nor can you add new NAT entries, configure DHCP relay, or establish device clustering. Finally, you cannot reapply existing access control policies if they include rules with user or application conditions.
URL Filtering
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
URL filtering allows you to write access control rules that determine the traffic that can traverse your network based on URLs requested by monitored hosts, correlated with information about those URLs, which is obtained from the Cisco cloud by the Defense Center. To enable URL Filtering, you must also enable a Protection license.
Tip Without a URL Filtering license, you can specify individual URLs or groups of URLs to allow or block. This gives you granular, custom control over web traffic, but does not allow you to use URL category and reputation data to filter network traffic.
You can purchase a URL Filtering license as a services subscription combined with Threat & Apps (TAC) or Threat & Apps and Malware (TAMC), or as an add-on subscription (URL) for a system where Threat & Apps (TA) is already enabled.
Although you can add category and reputation-based URL conditions to access control rules without a URL Filtering license, the Defense Center will not contact the cloud for URL information. You cannot apply the access control policy until you first add a URL Filtering license to the Defense Center, then enable it on the devices targeted by the policy.
You may lose access to URL filtering if you delete the license from the Defense Center or disable URL Filtering on managed devices. Also, URL Filtering licenses may expire. If your license expires or if you delete or disable it, access control rules with URL conditions immediately stop filtering URLs, and your Defense Center can no longer contact the cloud. You cannot reapply existing access control policies if they include rules with category and reputation-based URL conditions.
Malware
Supported Devices: Series 3, Virtual, ASA FirePOWER
Supported Defense Centers: Any except DC500
A Malware license allows you to perform advanced malware protection, that is, use managed devices to detect and block malware in files transmitted over your network. To enable Malware on a managed device, you must also enable Protection.
Note Managed devices with Malware licenses enabled periodically attempt to connect to the Cisco cloud even if you have not configured dynamic analysis. Because of this, the device’s Interface Traffic dashboard widget shows transmitted traffic; this is expected behavior.
You configure malware detection as part of a file policy, which you then associate with one or more access control rules. File policies can detect your users uploading or downloading files of specific types over specific application protocols. The Malware license allows you to inspect a restricted set of those file types for malware, as well as download and submit specific file types to the Cisco cloud for dynamic and Spero analysis to determine whether they contain malware. The Malware license also allows you to add specific files to a file list and enable the file list within a file policy, allowing those files to be automatically allowed or blocked on detection.
You can purchase a Malware license as a subscription combined with Threat & Apps (TAM) or Threat & Apps and URL Filtering (TAMC), or as an add-on subscription (AMP) for a system where Threat & Apps (TA) is already enabled.
Although you can add a malware-detecting file policy to an access control rule without a Malware license, the file policy is marked with a warning icon in the access control rule editor. Within the file policy, Malware Cloud Lookup rules are also marked with the warning icon. Before you can apply an access control policy that includes a malware-detecting file policy, you must add a Malware license, then enable it on the devices targeted by the policy. If you later disable the license on the devices, you cannot reapply an existing access control policy to those devices if it includes file policies that perform malware detection.
If you delete all your Malware licenses or they all expire, the Defense Center stops performing malware cloud lookups, and also stops acknowledging retrospective events sent from the Cisco cloud. You cannot reapply existing access control policies if they include file policies that perform malware detection. Note that for a very brief time after a Malware license expires or is deleted, the system can use cached dispositions for files detected by Malware Cloud Lookup file rules. After the time window expires, the system assigns a disposition of Unavailable to those files, rather than performing a lookup.
Note that a Malware license is only required if you want the system to detect malware in network traffic. Without a Malware license, the Defense Center can receive endpoint-based malware events from the Cisco cloud if your organization has a FireAMP subscription. For more information, see Understanding Malware Protection and File Control.
VPN
VPN allows you to establish secure tunnels between endpoints via a public source, such as the Internet or other network. You can configure the FireSIGHT System to build secure VPN tunnels between the virtual routers of Cisco managed devices. To enable VPN, you must also enable Protection and Control licenses. To purchase a VPN license, contact Sales.
Without a VPN license, you cannot configure a VPN deployment with your managed devices. Although you can create deployments, they are not useful without at least one VPN-enabled routed interface to populate them.
If you delete your VPN license from the Defense Center or disable VPN on individual devices, the affected devices do not break the current VPN deployments. Although you can edit and delete existing deployments, you cannot apply your changes to the affected devices.
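The license dependencies described in the sections above (Control, URL Filtering and Malware need Protection; VPN needs Protection and Control; licenses are model specific; Series 2 devices have Protection built in and accept nothing else; virtual and ASA FirePOWER devices cannot switch, route or cluster) form a small rule set, and a policy can only be applied when every capability it uses is licensed on the target device. The following Python is an added illustration of those rules, not Cisco's code: the capability labels, the `Device`/`DefenseCenter` classes and the model strings (`3D8140`, `SAMPLE-S2`) are this example's own assumptions.

```python
"""Added illustration of the licensing rules in this chapter (not Cisco code).
Capability labels and the sample model strings are assumptions."""
from dataclasses import dataclass, field

# License prerequisites stated in the chapter.
PREREQUISITES = {
    "Protection": set(),
    "Control": {"Protection"},
    "URL Filtering": {"Protection"},
    "Malware": {"Protection"},
    "VPN": {"Protection", "Control"},
}

# Policy capability -> license that enables it (labels are this example's own).
CAPABILITY_LICENSE = {
    "intrusion": "Protection",
    "file control": "Protection",
    "security intelligence": "Protection",
    "user control": "Control",
    "application control": "Control",
    "switching/routing": "Control",
    "clustering": "Control",
    "url category": "URL Filtering",
    "malware detection": "Malware",
    "vpn": "VPN",
}

# Capabilities a device family cannot perform even with the license enabled.
UNSUPPORTED_BY_SERIES = {
    "Series 2": {"security intelligence"},
    "Virtual": {"switching/routing", "clustering"},
    "ASA FirePOWER": {"switching/routing", "clustering"},
}


@dataclass
class Device:
    name: str
    model: str        # e.g. "3D8140"; sample values in this example are constructed
    series: str       # "Series 2", "Series 3", "Virtual", "ASA FirePOWER", "X-Series"
    enabled: set = field(default_factory=set)

    def __post_init__(self):
        if self.series == "Series 2":       # Protection is built in on Series 2
            self.enabled = {"Protection"}


@dataclass
class DefenseCenter:
    # license type -> device models the purchased licenses were generated for
    pool: dict = field(default_factory=dict)


def enable_license(dc, device, lic):
    """Try to enable `lic` on `device`; return the reasons it cannot be (empty = enabled)."""
    if device.series == "Series 2":        # built-in Protection only, nothing else
        return [] if lic == "Protection" else ["Series 2 devices accept no license beyond built-in Protection"]
    problems = []
    if device.model not in dc.pool.get(lic, set()):     # licenses are model specific
        problems.append(f"no {lic} license for model {device.model} on the Defense Center")
    missing = PREREQUISITES[lic] - device.enabled
    if missing:
        problems.append(f"{lic} requires {sorted(missing)} to be enabled first")
    if not problems:
        device.enabled.add(lic)
    return problems


def disable_license(device, lic):
    """Disable `lic` and every license that depends on it; return what was removed.
    Disabling Protection therefore also disables Control, URL Filtering and Malware."""
    removed = set()
    if lic in device.enabled:
        device.enabled.discard(lic)
        removed.add(lic)
        for other, reqs in PREREQUISITES.items():
            if lic in reqs:
                removed |= disable_license(device, other)
    return removed


def policy_blockers(device, capabilities):
    """Map each capability a policy uses to the reason it cannot be applied to
    `device`; an empty dict means the policy can be applied."""
    blockers = {}
    for cap in sorted(capabilities):
        lic = CAPABILITY_LICENSE[cap]
        if cap in UNSUPPORTED_BY_SERIES.get(device.series, set()):
            blockers[cap] = f"not supported on {device.series} devices"
        elif lic not in device.enabled:
            blockers[cap] = f"requires {lic} enabled on the device"
    return blockers


if __name__ == "__main__":
    dc = DefenseCenter(pool={"Protection": {"3D8140"}, "Control": {"3D8140"}})
    ips = Device("ips-1", "3D8140", "Series 3")
    print(enable_license(dc, ips, "Control"))        # refused: Protection must come first
    print(enable_license(dc, ips, "Protection"), enable_license(dc, ips, "Control"))
    print(policy_blockers(ips, {"intrusion", "user control", "url category"}))
```

`policy_blockers` is the check that matters operationally: it answers "why will this access control policy not apply to that device?" before you try, and `disable_license` makes visible that deleting Protection silently takes Control, URL Filtering and Malware with it.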
Service Subscriptions
A service subscription enables specific features on a managed device for a set length of time. Service subscriptions can be purchased in one-, three-, or five-year terms. If a subscription expires, Cisco notifies you that you must renew it, and you might not be able to use the related features, depending on the feature type.
Your purchase of a managed device automatically includes Control and Protection licenses. These licenses are perpetual, but you must also purchase a TA service subscription to enable system updates. Additional service subscriptions are optional.
Service subscriptions correspond to the licenses you assign to managed devices in the FireSIGHT System, as follows:
| Subscription | Licenses |
|---|---|
| TA (Threat & Apps) | system updates for the Protection and Control licenses included with the device |
| TAC (Threat & Apps and URL Filtering) | Protection, Control, and URL Filtering |
| TAM (Threat & Apps and Malware) | Protection, Control, and Malware |
| TAMC (Threat & Apps, Malware, and URL Filtering) | Protection, Control, Malware, and URL Filtering |
| URL (add-on) | URL Filtering, for a system where TA is already enabled |
| AMP (add-on) | Malware, for a system where TA is already enabled |
Licensing High Availability Pairs
Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Defense Centers in a high availability pair do not share licenses. You must apply equivalent licenses to each member of the pair. Because Cisco generates licenses based on each Defense Center’s unique license key, you cannot use the same licenses on different Defense Centers.
Licensing Stacked and Clustered Devices
Supported Devices: feature dependent
Individual devices must have equivalent licenses before they can be stacked or clustered. After you stack devices, you can change the licenses for the entire stack. However, you cannot change the enabled licenses on a device cluster.
You can stack 3D8140, 3D8200 family, 3D8300 family, and 3D9900 devices of the same model that meet the requirements described in Managing Stacked Devices. You can cluster two devices of the same Series 3 model that meet the requirements described in Clustering Devices.
Licensing Series 2 Appliances
With the exception of the DC500, Series 2 and Series 3 Defense Center licensing is identical. Because the DC500 does not support URL filtering or network-based malware detection, it cannot take advantage of URL Filtering or Malware licenses.
Series 2 devices automatically have the capabilities, except for Security Intelligence, enabled by a Protection license. You cannot disable the Protection license on Series 2 devices, and you cannot enable other licenses.
See the following sections for more information:
- License Types and Restrictions describes the types of licenses available in a FireSIGHT System deployment.
- Summary of Supported Capabilities by Managed Device Model summarizes supported and unsupported features on Series 2 appliances.
Understanding FireSIGHT Host and User License Limits
The FireSIGHT license on your Defense Center determines how many individual hosts and users you can monitor with the Defense Center and its managed devices, as well as how many users you can use to perform user control. FireSIGHT host and user license limits are model specific, as listed in the following table.
For example, you can monitor 1000 hosts and 1000 users with the DC500.
If your Defense Center was previously running Version 4.10.x of the FireSIGHT System and you used an ISO file to “restore” the appliance to Version 5.x factory defaults, you may be able to use your legacy RNA Host and RUA User licenses instead of a FireSIGHT license.
Understanding the FireSIGHT Host Limit
The FireSIGHT license on your Defense Center determines how many individual hosts you can monitor with the Defense Center and its managed devices, and therefore how many hosts you can store in your network map.
Note that the system counts MAC-only hosts separately from hosts identified by both IP addresses and MAC addresses. All IP addresses associated with a host are counted together as one host.
When the system detects activity associated with a host with an IP address in your monitored network (as defined by your network discovery policy), that host is added to the network map.
If you reach the host limit and the system detects a new host, whether the new host is added to the network map depends on the When Host Limit Reached setting in your network discovery policy. You can configure the system either to stop adding new hosts to the database, or to replace the hosts that have remained inactive for the longest time.
Note Even if you cannot add a new host to the network map, the system still performs access control on that host’s network traffic. Although reaching the FireSIGHT host limit does not prevent you from performing access control on hosts discovered after you reached your licensed limit, you cannot view or perform analysis on those hosts using host profile data. For example, you cannot use compliance white lists to monitor network compliance for those hosts, or use those hosts in host profile qualifications, and so on.
You can also manually delete a host, an entire subnet, or all of your hosts from the network map. Keep in mind, however, that if the system detects activity associated with a deleted host, it re-adds the host to the network map.
Note also that if the system has not detected network traffic from a host in the last Host Timeout period specified in your network discovery policy, the host is removed from the network map. The default setting is 10080 minutes (7 days).
To help you track your host license use, the FireSIGHT Host License Limit health module warns you if you have fewer than a configurable number of host licenses left.
Understanding the FireSIGHT User Limit
The FireSIGHT license on your Defense Center determines how many individual users you can monitor. When the system detects activity from a new user, that user is added to the Users database. You can detect users in the following ways:
- You can use the network discovery policy to configure managed devices to passively detect logins for LDAP, AIM, POP3, IMAP, Oracle, SIP (VoIP), FTP, HTTP, MDNS, and SMTP users.
- You can install User Agents on your Microsoft Active Directory LDAP servers to detect authentications against Active Directory credentials.
After you reach the licensed limit, in most cases the system stops adding new users to the database. To add new users, you must either manually delete users from the database, or purge all users from the database.
However, the system favors authoritative user logins. If you have reached the licensed limit and the system detects an authoritative user login for a previously undetected user, the system deletes the non-authoritative user who has remained inactive for the longest time, and replaces it with the new user.
Tip Note that if you are using managed devices to detect user activity, you can restrict user logging by protocol to help minimize username clutter and preserve FireSIGHT user licenses. For example, monitoring users discovered via AIM, POP3, and IMAP may add users not relevant to your organization due to network access from contractors, visitors, and other guests. For more information, see Restricting User Logging.
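The host and user limit rules above (one host per set of IP addresses, MAC-only hosts counted separately, the When Host Limit Reached choice between stopping and replacing the longest-inactive host, the Host Timeout, and the Users database favouring authoritative logins over the longest-inactive non-authoritative user) are easiest to reason about as a small simulation. The following Python is an added example, not FireSIGHT code; it assumes that each activity event already carries the host key the discovery engine resolved, that MAC-only hosts do not count against the host limit, that an authoritative login that finds only authoritative users in a full database is not added, and that the monitored network is given as a list of CIDR prefixes.

```python
"""Added simulation of the FireSIGHT host and user limit behaviour described
in this section; illustrative only, not Cisco's implementation."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_HOST_TIMEOUT_MIN = 10080   # 7 days, the default Host Timeout in the text


@dataclass
class HostRecord:
    ips: set = field(default_factory=set)
    last_seen: int = 0               # minutes since an arbitrary epoch


class NetworkMap:
    """Network map bounded by the FireSIGHT host license limit."""

    def __init__(self, host_limit, monitored, when_limit_reached="stop",
                 timeout_min=DEFAULT_HOST_TIMEOUT_MIN):
        if when_limit_reached not in ("stop", "replace"):
            raise ValueError("when_limit_reached must be 'stop' or 'replace'")
        self.host_limit = host_limit
        self.monitored = [ipaddress.ip_network(n) for n in monitored]  # discovery policy networks
        self.mode = when_limit_reached
        self.timeout_min = timeout_min
        self.hosts = {}          # host key -> HostRecord (hosts with an IP address)
        self.mac_only = {}       # MAC -> last_seen; counted separately (assumption: not licensed)
        self.not_added = 0       # new hosts dropped because the limit was reached

    def _monitored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.monitored)

    def expire(self, now):
        """Remove hosts with no traffic within the Host Timeout period."""
        stale = [k for k, h in self.hosts.items() if now - h.last_seen > self.timeout_min]
        for k in stale:
            del self.hosts[k]
        return len(stale)

    def observe(self, host_key, ip, now, mac=None):
        """Record activity; return True if the host is in the network map afterwards."""
        self.expire(now)
        if ip is None:                       # MAC-only host: its own table and count
            self.mac_only[mac] = now
            return True
        if not self._monitored(ip):          # outside the discovery policy's networks
            return False
        rec = self.hosts.get(host_key)
        if rec is None:
            if len(self.hosts) >= self.host_limit:
                if self.mode == "stop":
                    self.not_added += 1      # still subject to access control, just not mapped
                    return False
                oldest = min(self.hosts, key=lambda k: self.hosts[k].last_seen)
                del self.hosts[oldest]       # replace the longest-inactive host
            rec = self.hosts[host_key] = HostRecord()
        rec.ips.add(ip)                      # every IP of one host counts as that one host
        rec.last_seen = now
        return True

    def licensed_hosts_in_use(self):
        return len(self.hosts)


@dataclass
class UserRecord:
    authoritative: bool
    last_seen: int


class UserDatabase:
    """Users database bounded by the FireSIGHT user license limit."""

    def __init__(self, user_limit, logged_protocols=None):
        self.user_limit = user_limit
        self.logged_protocols = logged_protocols   # None = log users from every protocol
        self.users = {}

    def login(self, username, now, protocol=None, authoritative=False):
        """Record a login; return True if the user is in the database afterwards."""
        if protocol and self.logged_protocols is not None and protocol not in self.logged_protocols:
            return username in self.users        # user logging restricted for this protocol
        rec = self.users.get(username)
        if rec is None:
            if len(self.users) >= self.user_limit:
                if not authoritative:
                    return False                 # limit reached: passive detection adds nobody
                victims = [u for u, r in self.users.items() if not r.authoritative]
                if not victims:
                    return False                 # assumption: nothing to replace
                del self.users[min(victims, key=lambda u: self.users[u].last_seen)]
            rec = self.users[username] = UserRecord(authoritative, now)
        rec.authoritative = rec.authoritative or authoritative
        rec.last_seen = now
        return True
```

Running the same event stream through a map built with `when_limit_reached="stop"` and one built with `"replace"` shows the trade-off the text describes: the first keeps its oldest hosts and stops seeing new ones (watch `not_added`), the second keeps current hosts but loses profile history on the quietest ones. The `logged_protocols` filter is the "restrict user logging by protocol" advice from the Tip, which is the cheapest way to keep guest AIM, POP3 and IMAP logins from consuming user licenses.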
Understanding the Access-Controlled User Limit
Supported Devices: Series 3, Virtual, ASA FirePOWER
The FireSIGHT license on your Defense Center determines not only how many individual users you can monitor, but also how many users you can use in access control rules to perform user control. These users are called access-controlled users.
Note To perform user control, your organization must use Microsoft Active Directory. The system uses User Agents running on Active Directory servers to associate access-controlled users with IP addresses, which is what allows access control rules to trigger.
You specify the groups that access-controlled users must belong to by configuring a connection (called a user awareness object) between the Defense Center and an Active Directory server. Then, on a regular basis, the Defense Center queries the server and retrieves a list of the users in the groups you specified in the authentication object. You can then use these users to perform access control.
You must make sure the total number of users in the groups you specify in the authentication object is less than your FireSIGHT user license. If your parameters are too broad, the Defense Center obtains information on as many users as it can and reports the number of users it failed to retrieve in the task queue. For performance and licensing reasons, Cisco recommends that you specify only the groups that represent the users you want to use in access control.
Viewing Your Licenses
Use the Licenses page to view the licenses for a Defense Center and its managed devices. For each type of appliance in your deployment, the page lists the total number of licenses you have as well as the portion of those licenses that are in use.
Keep in mind that on this page, the number of FireSIGHT User licenses in use represents the number of users detected by the FireSIGHT System, that is, the number of users in the Users database. It does not represent the number of access-controlled users you are using for access control. For more information, see Understanding FireSIGHT Host and User License Limits.
The Licenses page also provides details on each of your licenses. For each model, you can see how many licenses of each type you have, and how many managed devices you can license with each type of license. For licenses that expire, the page provides you with the expiration date.
Other than the Licenses page, there are a few other ways you can view licenses and license limits:
- The Product Licensing dashboard widget provides an at-a-glance overview of your licenses.
- The Device Management page (Devices > Device Management) lists the licenses applied to each of your managed devices.
- Two health modules, License Monitor and FireSIGHT Host License Limit, communicate license status when used in a health policy.
To view your licenses:
Step 1 Select System > Licenses.
Adding a License to the Defense Center
Before you add a license to the Defense Center, make sure you have the activation key provided by Cisco when you purchased the license.
With the exception of FireSIGHT, you must enable licenses on your managed devices before you can use licensed features. You can enable a license either when you add a device to the Defense Center, or by editing the device’s general properties after you add the device. Note that because Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering, you cannot disable these capabilities, nor can you apply other licenses to a Series 2 device. See Changing a Device’s Licensed Capabilities.
Note If you add licenses after a backup has completed, these licenses will not be removed or overwritten if this backup is restored. To prevent a conflict on restore, remove those licenses before restoring the backup, noting where the licenses were used, and add and reconfigure them after restoring the backup. If a conflict occurs, contact Support.
Step 1 Select System > Licenses.
Step 2 Click Add New License.
Step 3 Did you receive an email with your license?
- If yes, copy the license from the email, paste it into the License field, and click Submit License. If the license is correct, the license is added. Skip the rest of the procedure.
- If no, continue with the next step. The Licensing Center web site appears. If you cannot access the Internet, switch to a computer that can. Note the license key at the bottom of the page and browse to https://tools.cisco.com/SWIFT/LicensingUI/Home .
Step 4 Follow the on-screen instructions to obtain your license, which will be sent to you in an email.
Tip You can also request a license on the Licenses tab after you log into the Support Site.
Step 5 Copy the license from the email, paste it into the License field in the Defense Center’s web interface, and click Submit License.
If the license is valid, it is added. You can now enable the license’s capabilities on your managed devices, as described in Changing a Device’s Licensed Capabilities.
Deleting a License
Use the following procedure if you need to delete a license for any reason. Keep in mind that because Cisco generates licenses based on each Defense Center’s unique license key, when you delete the license from one Defense Center and then reuse it on a different Defense Center, you must request a new license based on the license key from the new Defense Center.
In most cases, deleting a license removes your ability to use features enabled by that license. For more information, see Service Subscriptions.
Step 1 Select System > Licenses.
Step 2 Next to the license you want to delete, click the delete icon.
Deleting a license removes the licensed capability from all devices using that license. For example, if your Protection license is valid for and enabled on 100 managed devices, deleting the license removes Protection capabilities from all 100 devices.
Step 3 Confirm that you want to delete the license.
Changing a Device’s Licensed Capabilities
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
To change the licensed capabilities of a Series 3 device, virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device, edit the device’s general properties on the Device Management page. Although there are some exceptions, you cannot use the features associated with a license if you disable it on a managed device.
Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering. You cannot disable these capabilities, nor can you apply other licenses to a Series 2 device. Note that, although you cannot use a Malware or URL Filtering license with a DC500 Defense Center, you can use a DC500 to enable or change these and other licensed capabilities of a Series 3 device, virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device.
For detailed information on the licenses you can enable, including version, model, and other requirements, see Service Subscriptions.
To enable or disable a device’s licensed capabilities:
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to enable or disable a license, click the edit icon.
The Interfaces tab for that device appears.
Step 4 Next to the License section, click the edit icon.
The License pop-up window appears.
Step 5 Enable or disable the licensed capabilities of the device by clearing or selecting the appropriate check boxes.
The changes are saved but do not take effect until you apply the device configuration; see Applying Changes to Devices.