FireSIGHT System User Guide Version 5.4.1

What Can Be Managed by a Defense Center?

You can use your Defense Center as a central management point in a FireSIGHT System deployment to manage the following devices:

• FirePOWER managed devices
• Cisco ASA with FirePOWER Services devices
• software-based devices, such as virtual devices and Cisco NGIPS for Blue Coat X-Series

Note Cisco recommends than you manage no more than three devices (including software-based devices) with the DC500 model Defense Center. For details on DC500 database limitations see the Database Event Limits table.

When you manage a device, information is transmitted between the Defense Center and the device over a secure, SSL-encrypted TCP tunnel.

The following illustration lists what is transmitted between a Defense Center and its managed devices. Note that the types of events and policies that are sent between the appliances are based on the device type.

Beyond Policies and Events

License: Any

In addition to applying policies to devices and receiving events from them, you can also perform other device-related tasks on the Defense Center.

Backing Up a Device

You cannot create or restore backup files for virtual managed devices, Cisco NGIPS for Blue Coat X-Series, or Cisco ASA with FirePOWER Services.

When you perform a backup of a physical managed device from the device itself, you back up the device configuration only . To back up configuration data and, optionally, unified files, perform a backup of the device using the managing Defense Center.

To back up event data, perform a backup of the managing Defense Center. For more information, see Creating Backup Files.

Updating Devices

From time to time, Cisco releases updates to the FireSIGHT System, including:

• intrusion rule updates, which may contain new and updated intrusion rules
• vulnerability database updates
• geolocation updates
• software patches and updates

You can use the Defense Center to install an update on the devices it manages.

Using Redundant Defense Centers

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

You can set up two Defense Centers as a high availability pair. This ensures redundant functionality in case one of the Defense Centers fails. Policies, user accounts, and more are shared between the two Defense Centers. Events are automatically sent to both Defense Centers. See Configuring High Availability for more information.

Using a Single Management Interface

License: Any

Supported Devices: Any

Supported Defense Centers: Any

When you register your device to a Defense Center, you establish a single communication channel that carries all traffic between the management interface on the Defense Center and the management interface on the device.

The following graphic shows the default single communication channel. One interface carries one communication channel that contains both management and event traffic.

Using Multiple Management Interfaces

License: Any

Supported Devices: Series 3

Supported Defense Centers: Series 3, Virtual

You can enable and configure multiple management interfaces, each with a unique IP address (IPv4 or IPv6) and, optionally, a hostname, to provide greater traffic throughput by sending each traffic channel to a different management interface. Configure a smaller interface to carry the lighter management traffic load, and a larger interface to carry the heavier event traffic load. You can register devices to separate management interfaces and configure both traffic channels for the same interface, or use a dedicated management interface to carry the event traffic channels for all devices managed by the Defense Center.

You can also create a route from a specific management interface on your Defense Center to a device on a different network. When you register a device on a different network to a non-default management interface, traffic on that device is isolated from traffic on devices registered to the default ( eth0 ) management interface. See Using Network Routes for more information.

Non-default management interfaces have many of the same capabilities as the default management interface (such as using high availability between the Defense Centers) with the following exceptions:

• You can configure DHCP on the default ( eth0 ) management interface only. Additional ( eth1 and so on) interfaces require unique static IP addresses and hostnames.
• You must configure both traffic channels to use the same management interface when you use a non-default management interface to connect your Defense Center and managed device and those appliances are separated by a NAT device.
• You can use Lights-Out Management on the default management interface only.
• On the 70xx Family, you can separate traffic into two channels and configure those channels to send traffic to one or more management interfaces on the Defense Center. However, because the 70xx Family contains only one management interface, the device receives traffic sent from the Defense Center on only one management interface.

Using Traffic Channels

License: Any

Supported Devices: Series 3

Supported Defense Centers: Series 3, Virtual

When you use two traffic channels on one management interface, you create two connections between the Defense Center and the managed device. One channel carries management traffic and one carries event traffic, separately and on the same interface.

The following example shows the communication channel with two separate traffic channels on the same interface.

When you use multiple management interfaces, you can improve your performance by dividing the traffic channels over two management interfaces, thus increasing the traffic flow by adding the capacity of both interfaces. One interface carries the management traffic channel and the other carries the event traffic channel. If either interface fails, all traffic reroutes to the active interface and the connection is maintained.

The following graphic shows the management traffic channel and the event traffic channel over two management interfaces.

You can use a dedicated management interface to carry only event traffic from multiple devices. In this configuration, each device is registered to a different management interface to carry the management traffic channel, and one management interface on the Defense Center carries all event traffic channels from all devices. If an interface fails, traffic reroutes to the active interface and the connection is maintained. Note that because event traffic for all devices is carried on the same interface, traffic is not isolated between networks.

The following graphic shows two devices using different management channel traffic interfaces sharing the same dedicated interface for event traffic channels.

When you use two traffic channels on one management interface, you create two connections between the Defense Center and the managed device. One channel carries management traffic and one carries event traffic, separately and on the same interface. Using multiple management interfaces, you can improve your performance further by dividing the traffic channels over two management interfaces, thus increasing the traffic flow by adding the capacity of both interfaces. One interface carries the management traffic channel and the other carries the event traffic channel. If either interface fails, all traffic reroutes to the active interface and the connection is maintained.

You can also use a dedicated management interface to carry only event traffic from multiple devices. In this configuration, each device is registered to a different management interface to carry the management traffic channel, and one management interface on the Defense Center carries all event traffic channels from all devices. If an interface fails, traffic reroutes to the active interface and the connection is maintained. Note that because event traffic for all devices is carried on the same interface, traffic is not isolated between networks.

Using Network Routes

License: Any

Supported Devices: Series 3

Supported Defense Centers: Series 3, Virtual

You can create a route from a specific management interface on your Defense Center to a different network. When you register a device from that network to the specified management interface on the Defense Center, you provide an isolated connection between the Defense Center and the device on a different network. Configure both traffic channels to use the same management interface to ensure that traffic from that device remains isolated from device traffic on other networks. Because the routed interface is isolated from all other interfaces on the Defense Center, if the routed management interface fails, the connection is lost.

Tip Cisco recommends that you use the static IP address when you register a Defense Center and its devices using any management interface other than the default (eth0) management interface. DHCP is supported only on the default management interface.

After you install your Defense Center, you configure multiple management interfaces using the web interface. See Configuring Appliance Settings in the FireSIGHT System User Guide for more information.

The following graphic shows two devices isolating network traffic by using separate management interfaces for all traffic. You can add more management interfaces to configure separate management and event traffic channel interfaces for each device.

Using High Availability

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

DC1500s, DC2000s, DC3500s, and DC4000s support high availability configurations; DC750s and the virtual Defense Centers do not. Cisco strongly recommends that both Defense Centers in a high availability pair be the same model. Do not attempt to set up high availability between different Defense Center models.

Although Defense Centers in high availability mode are designated primary and secondary , you can make policy or other changes to either Defense Center. However, Cisco recommends that you change configurations only on the primary Defense Center and that you keep your secondary Defense Center as a backup.

Defense Centers periodically update each other on changes to their configurations, and any change you make to one Defense Center should be applied on the other Defense Center within ten minutes. (Each Defense Center has a five-minute synchronization cycle, but the cycles themselves could be out of synchronization by as much as five minutes, so changes appear within two five-minute cycles.) During this ten-minute window, configurations may appear differently on the Defense Centers.

For example, if you create a policy on your primary Defense Center and apply it to a device that is also managed by your secondary Defense Center, the device could contact the secondary Defense Center before the Defense Centers contact each other. Because the device has a policy applied to it that the secondary Defense Center does not recognize, the secondary Defense Center displays a new policy with the name “unknown” until the Defense Centers synchronize.

Also, if you make conflicting policy or other changes to both Defense Centers within the same window between Defense Centers syncs, the last change you make takes precedence, regardless of the designations of the Defense Center as primary and secondary.

Before you establish a high availability pair, note the following prerequisites:

• Make sure both Defense Centers have a user account named admin with Administrator privileges. These accounts must use the same password.
• Make sure that other than the admin account, the two Defense Centers do not have user accounts with identical user names. Remove or rename one of the duplicate user accounts before you establish high availability.

Note that Defense Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location.

To ensure continuity of operations, both Defense Centers in a high availability pair must have Internet access; see Internet Access Requirements. For specific features, the primary Defense Center contacts the Internet, then shares information with the secondary during the synchronization process. Therefore, if the primary fails, you should promote the secondary to Active as described in Monitoring and Changing High Availability Status.

For more information on which configurations are shared or not shared between members of a high availability pair, see:

• Shared Configurations
• Health and System Policies
• Correlation Responses
• Licenses
• URL Filtering and Security Intelligence
• Cloud Connections and Malware Information
• User Agents

Shared Configurations

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

Defense Centers in a high availability pair share the following information:

• user account attributes, authentication configurations, and custom user roles
• authentication objects for user accounts and user awareness, as well as the users and groups that are available to user conditions in access control rules
• custom dashboards
• custom workflows and tables
• device attributes, such as the device’s host name, where events generated by the device are stored, and the group in which the device resides
• access control, SSL, network analysis, intrusion, file, and network discovery policies
• local intrusion rules
• custom intrusion rule classifications
• network discovery policies
• user-defined application protocol detectors and the applications they detect
• activated custom fingerprints
• host attributes
• network discovery user feedback, including notes and host criticality; the deletion of hosts, applications, and networks from the network map; and the deactivation or modification of vulnerabilities
• correlation policies and rules, compliance white lists, and traffic profiles
• change reconciliation snapshots and report settings
• intrusion rule, geolocation database (GeoDB), and vulnerability database (VDB) updates
• reusable objects, including variable sets, associated with any of the above configurations

Health and System Policies

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

Health and system policies for Defense Centers and managed devices are shared in high availability pairs. Allow enough time to ensure that information about health policies, modules, blacklists, is synchronized on a newly activated Defense Center.

Note Although system policies are shared by Defense Centers in a high availability pair, they are not automatically applied. If you want identical system policies on both Defense Centers, apply the policy after it synchronizes.

Defense Centers in a high availability pair share the following system and health policy information:

• system policies
• system policy configurations (what policy is applied where)
• health policies
• health monitoring configurations (what policy is applied where)
• which appliances are blacklisted from health monitoring
• which appliances have individual health monitoring policies blacklisted

Correlation Responses

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

Although Defense Centers share correlation policies, rules, and responses, Defense Centers do not share the associations between correlation rules and their responses. This is to avoid launching duplicate responses when correlation policies are violated.

You must upload and install any custom remediation modules and configure remediation instances on your secondary Defense Center before remediations are available to associate with correlation policies. If the primary Defense Center fails, not only should you quickly associate your correlation policies with the appropriate responses and remediations on the secondary Defense Center, but you must also use the web interface on the secondary Defense Center to promote it to Active to maintain continuity of operations. For more information, see Monitoring and Changing High Availability Status. For more information about correlation responses, see Creating Correlation Policies and Creating Remediations.

When you restore your primary Defense Center after a failure, if you created associations between rules or white lists and their responses and remediations on the secondary Defense Center, make sure you remove the associations so responses and remediations will only be generated by the primary Defense Center.

Licenses

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

Defense Centers in a high availability pair do not share licenses. You must add equivalent licenses to each member of the pair. For more information, see Understanding Licensing.

URL Filtering and Security Intelligence

License: URL Filtering or Protection

Supported Devices: Series 3, virtual, X-Series, ASA FirePOWER

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

URL filtering and Security Intelligence configurations and information are synchronized between Defense Centers in a high availability deployment. However, only the primary Defense Center downloads URL category and reputation data and for updates to Security Intelligence feeds.

If the primary Defense Center fails, not only must you make sure that the secondary Defense Center can access the URL filtering cloud and any configured feed sites, but you must also use the web interface on the secondary Defense Center to promote it to Active. For information, see Monitoring and Changing High Availability Status.

Cloud Connections and Malware Information

License: Any or Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

Although they share file policies and related configurations, Defense Centers in a high availability pair share neither Collective Security Intelligence Cloud connections nor malware dispositions. To ensure continuity of operations, and to ensure that detected files’ malware dispositions are the same on both Defense Centers, both primary and secondary Defense Centers must have access to the cloud. For more information, see Understanding Malware Protection and File Control.

User Agents

License: FireSIGHT

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

User Agents can connect to up to five Defense Centers at a time. You should connect agents to the primary Defense Center. If the primary Defense Center fails, you must make sure that any agents can communicate with the secondary Defense Center. See Using User Agents to Report Active Directory Logins for more information.

Guidelines for Implementing High Availability

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

To take advantage of high availability, you must follow the guidelines in the following sections.

Primary and Secondary Defense Center Requirements

You must designate one Defense Center as the primary Defense Center and one as the secondary. When appliances switch from Active to Inactive (and vice versa), they retain their original primary and secondary designations.

Regardless of their designations as primary and secondary, both Defense Centers can be configured with policies, rules, managed devices, and so on before you set up high availability.

To avoid confusion, start with the secondary Defense Center in its original state. That is, you have not created or modified any policies, nor created any new rules, nor have you previously managed any devices with it. To make sure the secondary Defense Center is in its original state, restore it to factory defaults. Note that this also deletes event and configuration data from the Defense Center. For more information, see the FireSIGHT System Installation Guide .

Version Requirements

Both Defense Centers must be running the same software and rule update version. Additionally, this software version must be the same or newer than the software version of managed devices.

Communication Requirements

By default, paired Defense Centers use port 8305/tcp for communications. You can change the port as described in Changing the Management Port.

The two Defense Centers do not need to be on the same network segment, but each of the Defense Centers must be able to communicate with the other and with the devices they share. That is, the primary Defense Center must be able to contact the secondary Defense Center at the IP address on the secondary Defense Center’s own management interface, and vice versa. In addition, each Defense Center must be able to contact the devices it manages or the devices must be able to contact the Defense Center.

Setting Up High Availability

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

To use high availability, you must designate one Defense Center as the primary and another Defense Center of the same model as the secondary. For information about editing the remote management communications between the two appliances, see Editing Remote Management.

Before you configure high availability, make sure you synchronize time settings between the Defense Centers you want to link. For details on setting time, see Synchronizing Time.

Depending upon the number of policies and custom standard text rules they have, it may take up to 10 minutes before all the rules and policies appear on both Defense Centers. You can view the High Availability page to check the status of the link between the two Defense Centers. You can also monitor the Task Status to see when the process completes. See Monitoring and Changing High Availability Status.

If one of the Defense Centers in the high availability pair must be reimaged, disable the high availability link first. After you reimage the Defense Center, re-establish the high availability pair and the data will synchronize from the existing Defense Center to the newly added Defense Center. If a Defense Center cannot be reimaged (for example, the appliance has failed), contact Support.

To set up high availability for two Defense Centers:

Access: Admin

Step 1 Log into the Defense Center that you want to designate as the secondary Defense Center.

Step 2 Select System > Local > Registration .

The Registration page appears.

Step 3 Click High Availability .

The High Availability page appears.

Step 4 Click the secondary Defense Center option.

The Secondary Defense Center Setup page appears.

Step 5 Type the hostname or IP address of the primary Defense Center in the Primary DC Host text box.

Note that you can leave the Primary DC Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

Step 6 Type a one-time-use registration key in the Registration Key text box

Step 7 Optionally, in the Unique NAT ID field, type a unique alphanumeric registration ID that you want to use to identify the primary Defense Center. Do not see Managing Stacked Devices. See Working in NAT Environments on 4-8 for more information.

Step 8 Click Register .

A success message appears, and the Peer Manager page appears, showing the current state of the secondary Defense Center.

Step 9 Using an account with Admin access, log into the Defense Center that you want to designate as the primary.

Step 10 Select System > Local > Registration .

The Registration page appears.

Step 11 Click High Availability .

The High Availability page appears.

Step 12 Click the primary Defense Center option.

The Primary Defense Center Setup page appears.

Step 13 Type the hostname or IP address of the secondary Defense Center in the Secondary DC Host text box.

Step 14 Type the same one-time-use registration key in the Registration Key text box you used in step 6 .

Step 15 If you used a unique NAT ID on the secondary Defense Center, type the same registration ID that you used in step 7 in the Unique NAT ID text box.

Step 16 Click Register .

A success message appears, and the Peer Manager page appears, showing the current state of the primary Defense Center.

Monitoring and Changing High Availability Status

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

After you have identified your primary and secondary Defense Centers, from either appliance in the high availability pair you can view information about the local Defense Center and its peer, including:

• the peer IP address or host name
• the peer product model
• the peer software version
• the peer operating system
• the amount of time since the members of the high availability pair last synchronized
• the role and status of the local appliance (Active & Primary, Inactive & Primary, Inactive & Secondary, or Active & Secondary)

You can also use the High Availability page to change the roles of the Defense Centers if the primary Defense Center fails. Because the system restricts the following functionality to the primary Defense Center, if that appliance fails, you must promote the secondary Defense Center to Active:

• Updates to URL category and reputation data; see URL Filtering and Security Intelligence for more information.
• Updates to Security Intelligence feeds; see URL Filtering and Security Intelligence for more information.
• Associations between correlation rules and responses; see Correlation Responses for more information.

To check high availability status:

Access: Admin

Step 1 Log into one of the Defense Centers that you linked using high availability.

Step 2 Select System > Local > Registration .

The Registration page appears.

Step 3 Click High Availability .

The High Availability page appears.

Step 4 Under High Availability Status , you can view the following information about the Defense Centers in the high availability pair:

• the peer IP address or host name
• the peer product model
• the peer software version
• the peer operating system
• the amount of time since the members of the high availability pair last synchronized
• the role and status of the local appliance (Active & Primary, Inactive & Primary, Inactive & Secondary, or Active & Secondary)
• the option to switch roles between the two Defense Centers

Step 5 The two Defense Centers automatically synchronize within ten minutes (five minutes for each Defense Center) after any action that affects a shared feature. For example, if you create a new policy on one Defense Center, it is automatically shared with the other Defense Center within 5 minutes. However, if you want to synchronize the policy immediately, click Synchronize .

Note If you delete a device from a Defense Center configured in a high availability pair and intend to re-add it, Cisco recommends that you wait at least five minutes before adding the device back. This interval ensures that the high availability pair resynchronizes first. If you do not wait five minutes, it may take more than one synchronization cycle to add the device to both Defense Centers.

Step 6 Click Switch Roles to change the local role from Active to Inactive, or Inactive to Active.

With the Primary or Secondary designation unchanged, the roles are switched between the two peers.

Step 7 Click Peer Manager in the toolbar.

The Peer Manager page appears.

You can view the following information:

• the IP address of the other Defense Center in the high availability pair
• the status, registered or unregistered, of the communications link
• the state, enabled or disabled, of the high availability pair

For information about editing the remote management communications between the two appliances, see Editing Remote Management.

Disabling High Availability and Unregistering Devices

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

If you want to remove one of the Defense Centers from a high availability pair, you must first disable the high availability link between them.

To disable a high availability pair:

Access: Admin

Step 1 Log into one of the Defense Centers in the high availability pair.

Step 2 Select System > Local > Registration .

The Registration page appears.

Step 3 Click High Availability .

The High Availability page appears.

Step 4 Select one of the following options from the Handle Registered Devices drop-down list:

• To control all the managed devices with the Defense Center where you are accessing this page, select Unregister devices on the other peer .
• To control all the managed devices with the other Defense Center, select Unregister devices on this peer .
• To stop managing the devices altogether, select Unregister devices on both peers .

Step 5 Click Break High Availability .

After you answer the prompt Do you really want to Break High Availability? by selecting OK , high availability is disabled and any managed devices are deleted from the Defense Centers according to your selection.

You can enable high availability with a different Defense Center as described in Setting Up High Availability.

Pausing Communication Between Paired Defense Centers

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

If you want to temporarily disable high availability, you can disable the communications channel between the Defense Centers.

To disable the communications channel for a high availability pair:

Access: Admin

Step 1 Click Peer Manager .

The Peer Manager page appears.

Step 2 Click the slider to disable the communications channel between the two Defense Centers.

For information about editing the remote management communications between the two appliances, see Editing Remote Management.

Restarting Communication Between Paired Defense Centers

License: Any

Supported Defense Centers: DC1000, DC1500, DC2000, DC3000, DC3500, DC4000

If you temporarily disabled high availability, you can enable the communications channel between the Defense Centers to restart high availability.

To enable the communications channel for a high availability pair:

Access: Admin

Step 1 Click Peer Manager .

The Peer Manager page appears.

Step 2 Click the slider to enable the communications channel between the two Defense Centers.

For information about editing the remote management communications between the two appliances, see Editing Remote Management.

Understanding the Device Management Page

License: Any

The Device Management page provides you with a range of information and options that you can use to manage your registered devices, device clusters, and device groups. The page displays a list of all the devices currently registered on the Defense Center.

You can use the sort-by drop-down list to sort the appliance list according to your needs. Devices are displayed in the appliance list grouped by the category you select. You can sort by:

• Group (that is, device group); see Managing Device Groups for more information
• Type (that is, the type of licenses applied to the device); see Licensing the FireSIGHT System for more information
• Model (that is, the model of the device being managed by the Defense Center)
• Health Policy; see Using Health Monitoring for more information
• System Policy; see Managing System Policies for more information
• Access Control Policy; see Managing Access Control Policies for more information

For device groups, you can expand and collapse the list of devices in the group. The list appears collapsed by default.

See the following table for more information about the appliance list.

See the following sections for more information:

• Configuring Remote Management
• Adding Devices to the Defense Center
• Managing Device Groups
• Clustering Devices
• Managing Stacked Devices

Configuring Remote Management

License: Any

Before you can manage one FireSIGHT System appliance with another, you must set up a two-way, SSL-encrypted communication channel between the two appliances. The appliances use the channel to share configuration and event information. High availability peers also use the channel, which is by default on port 8305/tcp.

You must configure remote management on the appliance that will be managed, that is, on the device that you want to manage with a Defense Center. After you configure remote management, you can use the managing appliance’s web interface to add the managed appliance to your deployment.

Note that the procedure in this section explains how to configure remote management on FirePOWER physical appliances.

To enable communications between two appliances, you must provide a way for the appliances to recognize each other. There are three criteria the FireSIGHT System uses when allowing communications:

• the hostname or IP address of the appliance with which you are trying to establish communication

In NAT environments, even if the other appliance does not have a routable address, you must provide a hostname or an IP address either when you are configuring remote management, or when you are adding the managed appliance.

• a self-generated alphanumeric registration key up to 37 characters in length that identifies the connection
• an optional unique alphanumeric NAT ID that can help the FireSIGHT System establish communications in a NAT environment

The NAT ID must be unique among all NAT IDs used to register managed appliances. For more information, see Working in NAT Environments.

When you register a managed device to a Defense Center, you can select an access control policy to apply to the device. However, if the device is incompatible with the policy, the policy apply fails. This incompatibility could occur for multiple reasons, including licensing mismatches, model restrictions, passive vs inline issues, and other misconfigurations. If the initial access control policy apply fails, the initial network discovery policy apply also fails. After you resolve the issue that caused the failure, you must manually apply access control and network discovery policies to the device. For more information about issues that could cause access control policy apply to fail, see Troubleshooting Access Control Policies and Rules.

To configure remote management of the local appliance:

Access: Admin

Step 1 On the web interface for the device you want to manage, select System > Local > Registration .

The Remote Management page appears.

Step 2 Click Add Manager .

The Add Remote Management page appears.

Step 3 In the Management Host field, type the IP address or the hostname of the appliance that you want to use to manage this appliance.

The hostname is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.

In a NAT environment, you do not need to specify an IP address or hostname here if you plan to specify it when you add the managed appliance. In this case, the FireSIGHT System uses the NAT ID you will provide later to identify the remote manager on the managed appliance’s web interface.

Step 4 In the Registration Key field, type the registration key that you want to use to set up communications between appliances.

Step 5 For NAT environments, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to set up communications between appliances.

Step 6 Click Save .

After the appliances confirm that they can communicate with each other, the Pending Registration status appears.

Step 7 Use the managing appliance’s web interface to add this appliance to your deployment.

For more information, see Adding Devices to the Defense Center.

Note When enabling remote management of a device, in some high availability deployments that use NAT, you may also need to add the secondary Defense Center as a manager. For more information, contact Support.

Editing Remote Management

License: Any

Use the following procedure to edit the hostname or IP address of the managing appliance. You can also change the display name of the managing appliance, which is a name only used within the context of the FireSIGHT System. Although you can use the hostname as the display name of the appliance, entering a different display name does not change the hostname.

Note that you cannot add devices running software more than one major version lower than the Defense Center. For example, if your Defense Center is running Version 5.4.0, you can add devices running 5.3.x or higher but not devices running 5.2.x.

Tip You can click the slider to enable or disable management of the managed device. Disabling management blocks the connection between the Defense Center and the device, but does not delete the device from the Defense Center. If you no longer want to manage a device, see Deleting Devices.

To edit remote management:

Access: Admin

Step 1 On the web interface for the device, select System > Local > Registration .

The Remote Management page appears.

Step 2 Click the edit icon ( ) next to the manager for which you want to edit remote management settings.

The Edit Remote Management page appears.

Step 3 In the Name field, change the display name of the managing appliance.

Step 4 In the Host field, change the IP address or the hostname of the managing appliance.

The hostname is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.

Step 5 Click Save .

Your changes are saved.

Changing the Management Port

License: Any

FireSIGHT System appliances communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Although Cisco strongly recommends that you keep the default setting, if the management port conflicts with other communications on your network, you can choose a different port. Usually, changes to the management port are made during installation of the FireSIGHT System.

To change the management port:

Access: Admin

Step 1 On the web interface for the device, select System > Local > Configuration .

The Information page appears.

Step 2 Click Network .

The Network Settings page appears.

Step 3 In the Remote Management Port field, enter the port number that you want to use.

Step 4 Click Save .

The management port is changed.

Step 5 Repeat this procedure for every appliance in your deployment that must communicate with this appliance.

Adding Devices to the Defense Center

License: Any

When you manage a device, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the device. The Defense Center uses this channel to send information about how you want to analyze your network traffic to the device. As the device evaluates the traffic, it generates events and sends them to the Defense Center using the same channel. For more information about configuring this channel, see Configuring Remote Management.

Note that you cannot add devices running software more than one major version lower than the Defense Center. For example, if your Defense Center is running Version 5.4, you can add devices running Version 5.3.x or higher but not devices running Version 5.2.x.

Before you manage a device with a Defense Center, you must make sure that the network settings are configured correctly on the device. This is usually completed as part of the installation process. See Configuring Management Interfaces for more information.

Note that if you registered a Defense Center and a device using IPv4 and want to convert them to IPv6, you must delete and re-register the device.

When you register a managed device to a Defense Center, you can select an access control policy to apply to the device. However, if the device is incompatible with the policy, the policy apply fails. This incompatibility could occur for multiple reasons, including licensing mismatches, model restrictions, passive vs inline issues, and other misconfigurations. If the initial access control policy apply fails, the initial network discovery policy apply also fails. After you resolve the issue that caused the failure, you must manually apply access control and network discovery policies to the device. For more information on issues that could cause access control policy apply to fail, see Troubleshooting Access Control Policies and Rules.

When you register a device cluster or device stack, although you can select licenses, these licenses cannot be applied upon device registration. This ensures that the cluster or stack is running the proper licenses to prevent it from entering a degraded state with mismatched licenses. After registration, you can evaluate the licenses in either the general properties (cluster) or stack properties (stack) of the Device Management page. For more information, see Establishing Device Clusters or Establishing Device Stacks.

When you register a Series 2 device, although you can select licenses, any licenses you select are not applied upon device registration. Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering. You cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.

Tip To modify the detailed configuration of a device, click the edit icon () next to the device. See Editing Device Configuration and Configuring Sensing Interfaces for more information.

To add a device to a Defense Center:

Access: Admin/Network Admin

Step 1 Configure the device to be managed by the Defense Center.

For FirePOWER devices, use the procedure in Configuring Remote Management. After the device confirms communication with the Defense Center, the Pending Registration status appears.

For virtual devices, Cisco NGIPS for Blue Coat X-Series, and ASA FirePOWER devices, configure remote management using the device’s command line interface (CLI).

Note In some high availability deployments where network address translation (NAT) is used, you may also need to add the secondary Defense Center as a manager. For more information, contact Support.

Step 2 On the web interface for the Defense Center, select Devices > Device Management .

The Device Management page appears.

Step 3 From the Add drop-down menu, select Add Device .

The Add Device pop-up window appears.

Step 4 In the Host field, type the IP address or the hostname of the device you want to add.

The hostname of the device is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.

Note that in a NAT environment, you may not need to specify the IP address or host name of the device, if you already specified the IP address or host name of the Defense Center when you configured the device to be managed by the Defense Center. For more information, see Working in NAT Environments.

Step 5 In the Registration Key field, type the same registration key that you used when you configured the device to be managed by the Defense Center.

Step 6 Optionally, add the device to a device group by selecting the group from the Group drop-down list.

For more information about device groups, see Managing Device Groups.

Step 7 From the Access Control Policy drop-down list, select an initial policy to apply to the device:

• The Default Access Control policy blocks all traffic from entering your network.
• The Default Intrusion Prevention policy allows all traffic that is also passed by the Balanced Security and Connectivity intrusion policy.
• The Default Network Discovery policy allows all traffic, which is inspected by network discovery only.
• You can select any existing user-defined access control policy.

For more information, see Managing Access Control Policies.

Step 8 Select licenses to apply to the device. Note that:

• Control, Malware, and URL Filtering licenses require a Protection license.
• You cannot enable a VPN license on a virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device.
• You cannot enable a Control license on Cisco NGIPS for Blue Coat X-Series.
• Although you can enable a Control license on a virtual device or ASA FirePOWER device, these devices do not support fast-path rules, switching, routing, stacking, or clustering.
• You cannot change the license settings on clustered devices.
• For stacked devices, you enable or disable the licenses for the stack on the Stack page of the appliance editor.
• When you register a Series 2 device, any licenses you select are not applied upon device registration. Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering. You cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.

For more information, see Licensing the FireSIGHT System.

Step 9 If you used a NAT ID to identify the device when you configured it to be managed by the Defense Center, expand the Advanced section and enter the same NAT ID in the Unique NAT ID field.

Step 10 To allow the device to transfer packets to the Defense Center, select the Transfer Packets check box.

This option is enabled by default. If you disable it, you completely prohibit packet transfer to the Defense Center.

Step 11 Click Register .

The device is added to the Defense Center. Note that it may take up to two minutes for the Defense Center to verify the device’s heartbeat and establish communication.

Applying Changes to Devices

License: Any

After you make changes to the configuration of a device, a device cluster, or a device stack, you must apply the changes before they take effect throughout the system. Note that the device must have unapplied changes or this option remains disabled.

Tip You can apply device changes from the Device Management page or from the Interfaces tab of the appliance editor.

To apply changes to the device:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to apply changes, click the apply icon ( ).

Step 3 When prompted, click Apply .

The device changes are applied.

Tip Optionally, from the Apply Device Changes dialog box, click View Changes. The Device Management Revision Comparison Report page appears in a new browser window. For more information, see Using the Device Management Revision Comparison Report.

Step 4 Click OK .

You are returned to the Device Management page.

Using the Device Management Revision Comparison Report

License: Any

A device management comparison report allows you to view the changes you have made to an appliance before you apply them. The report displays all differences between the current appliance configuration and the proposed appliance configuration. This gives you an opportunity to discover any potential configuration errors.

To compare appliance changes before applying them:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the appliance where you want to apply changes, click the apply icon ( ).

The Apply Device Changes pop-up window appears. Note that the appliance must have unapplied changes or the apply icon remains disabled.

Step 3 Click View Changes .

The Device Management Revision Comparison Report page appears in a new window.

Step 4 Click Previous and Next to scroll through the differences between the current appliance configuration and the proposed appliance configuration.

Step 5 Optionally, click Comparison Report to produce a PDF version of the report.

Deleting Devices

License: Any

If you no longer want to manage a device, you can delete it from the Defense Center. Deleting a device severs all communication between the Defense Center and the device. To manage the device again at a later date, you must re-add it to the Defense Center.

Note If you delete a device from a Defense Center configured in a high availability pair and want to re-add it, Cisco recommends that you wait at least five minutes before re-adding it. This interval ensures that the high availability pair resynchronizes so that both Defense Centers recognize the deletion. If you do not wait five minutes, it may take more than one synchronization cycle to add the device to both Defense Centers.

To delete a device from the Defense Center:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device you want to delete, click the delete icon ( ).

When prompted, confirm that you want to delete the device. Communication between the device and the Defense Center is discontinued and the device is deleted from the Device Management page. If the device has a system policy that causes it to receive time from the Defense Center via NTP, the device reverts to local time management.

Adding Device Groups

License: Any

The following procedure explains how to add a device group so you can easily apply policies and install updates on multiple devices.

If you add the primary device in a stack or a cluster to a group, both devices are added to the group. If you unstack or uncluster the devices, both devices remain in that group.

To create a device group and add devices to it:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 From the Add drop-down menu, select Add Group .

The Add Group pop-up window appears.

Step 3 In the Name field, type the name of the group.

Step 4 Under Available Devices , select one or more appliances to add to the device group. Use Ctrl or Shift while clicking to select multiple appliances.

Step 5 Click Add to include the selected appliances in the device group.

Step 6 Click OK .

The device group is added.

Editing Device Groups

License: Any

You can change the set of devices that reside in any device group. You must remove an appliance from its current group before you can add it to a new group.

Moving an appliance to a new group does not change its policy to the policy previously applied to the group. To change the device’s policy, you must apply a new policy to the device or device group.

Note that if you add the primary device in a stack or a cluster to a group, both devices are added to the group. If you unstack or uncluster the devices, both devices remain in that group.

To edit a device group:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device group you want to edit, click the edit icon ( ).

The Edit Group pop-up window appears.

Step 3 Optionally, in the Name field, type a new name for the group

Step 4 Under Available Devices , select one or more appliances to add to the device group. Use Ctrl or Shift while clicking to select multiple appliances.

Step 5 Click Add to include the selected appliances in the device group.

Step 6 To remove selected appliances from the device group, click the delete icon ( ).

Step 7 Click OK .

The changes to the device group are saved.

Deleting Device Groups

License: Any

If you delete a device group that contains devices, the devices are moved to the Ungrouped category on the Device Management page. They are not deleted from the Defense Center.

To delete a device group:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device group you want to delete, click the delete icon ( ).

Step 3 When prompted, confirm that you want to delete the device group.

The device group is deleted.

Establishing Device Clusters

License: Control

Supported Devices: Series 3

Before you establish a device cluster, you must meet the following prerequisites:

• Configure interfaces on each device or each primary device in a stack.
• Each device or device stack primary member that you include in the cluster must be the same model and have identical copper or fiber interfaces.
• Both devices or device stacks must have normal health status, run the same software, and have the same licenses. See Using the Health Monitor for more information. In particular, the devices cannot have hardware failures that would cause them to enter maintenance mode and trigger a failover.
• You cannot mismatch devices and stacks in a cluster. You must cluster single devices with single devices or device stacks with device stacks that have identical hardware configurations, except for the presence of a malware storage pack. For example, you can cluster a 3D8290 with a 3D8290; none, one, or all devices in either stack might have an installed malware storage pack. For more information on the malware storage pack, see the FireSIGHT System Malware Storage Pack Guide .

• If the devices are targeted by NAT policies, both peers must have the same NAT policy.

When establishing a device cluster, you designate one of the devices or stacks as active and the other as backup. The system applies a merged configuration to the clustered devices. If there is a conflict, the system applies the configuration from the device or stack you designated as active.

After you cluster the devices, you cannot change the license options for individual clustered devices, but you can change the license for the entire cluster. See Editing Device Clusters for more information. If there are interface attributes that need to be set on switched interfaces or routed interfaces, the system establishes the cluster, but sets it to a pending status. After you configure the necessary attributes, the system completes the device cluster and sets it to a normal status.

After you establish clustered pair, the system treats the peer devices or stacks as a single device on the Device Management page. Device clusters display the cluster icon ( ) in the appliance list. Any configuration changes you make are synchronized between the clustered devices. The Device Management page displays which device or stack in the cluster is active, which changes after manual or automatic failover. See Placing a Clustered Device into Maintenance Mode for more information about manual failover.

Removing registration of a device cluster from a Defense Center removes registration from both devices or stacks. You remove a device cluster from the Defense Center as you would an individual managed device. See Deleting Devices for more information.

You can then register the cluster on another Defense Center. To register clustered single devices, you add remote management to the active device in the cluster and then add that device to the Defense Center, which adds the entire cluster. To register clustered stacked devices, you add remote management to the primary device of the either stack and then add that device to the Defense Center, which adds the entire cluster. See Adding Devices to the Defense Center for more information.

After you establish a device cluster, you can configure a high availability link interface, as explained in Configuring HA Link Interfaces.

To cluster devices or device stacks:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 From the Add drop-down menu, select Add Cluster .

The Add Cluster pop-up window appears.

Step 3 In the Name field, type the name of the cluster.

You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ‘, and “.

Step 4 Select the Active device or stack for the cluster.

Step 5 Select the Backup device or stack for the cluster.

Step 6 Click Cluster .

The device cluster is added. This process takes a few minutes as the process synchronizes system data.

Editing Device Clusters

License: Control

Supported Devices: Series 3

After you establish a device cluster, most changes you make to the device configuration also change the configuration of the entire cluster.

You can view the status of the cluster by hovering your pointer over the status icon in the General section. You can also view which device or stack is the active peer and backup peer in the cluster.

See the following sections for more information:

• Editing General Device Settings
• Enabling and Disabling Device Licenses
• Establishing Clustered State Sharing
• Editing Advanced Device Settings

To edit a device cluster:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster where you want to edit the configuration, click the edit icon ( ).

The Cluster page appears.

Step 3 Use the sections on the Cluster page to make changes to the clustered configuration as you would a single device configuration.

Configuring Individual Devices in a Cluster

License: Control

Supported Devices: Series 3

After you establish a device cluster, you can still configure some attributes for each device within the cluster. You can make changes to a clustered device just as you would to a single device.

See the following sections for more information:

• Editing General Device Settings
• Editing Device System Settings
• Viewing the Health of a Device
• Editing Device Management Settings

To configure an individual device in a cluster:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster where you want to edit the configuration, click the edit icon ( ).

The Cluster page appears.

Step 3 Click Devices .

The Devices page appears.

Step 4 From the Selected Device drop-down list, select the device you want to modify.

Step 5 Use the sections on the Devices page to make changes to the individual clustered device as you would a single device.

Configuring Individual Device Stacks in a Cluster

License: Control

Supported Devices: Series 3

After you cluster a pair of stacked devices, the system limits the stack attributes that you can edit. You can edit the name of a stack in a clustered stack. In addition, you can edit the network configuration of the stack, as described in Configuring Interfaces on a Clustered Device.

To edit the name of a stack in a cluster:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster where you want to edit the configuration, click the edit icon ( ).

The Cluster page appears.

Step 3 Click Stacks .

The Stacks page appears.

From the Selected Device drop-down list, select the stack you want to modify.

Step 4 Next to the General section, click the edit icon ( ).

The General pop-up window appears.

Configuring Interfaces on a Clustered Device

License: Control

Supported Devices: Series 3

You can configure interfaces on individual devices in a cluster. However, you must also configure an equivalent interface on the peer device in the cluster. For clustered stacks, you configure identical interfaces on the primary devices of the stacks. When you configure virtual routers, you select the stack where you want to configure the routers. See Configuring Virtual Routers for more information.

The Interfaces page of a clustered device includes the hardware and interfaces views that you find on an individual device. See Configuring Sensing Interfaces for more information.

To configure interfaces on a clustered device:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster where you want to configure interfaces, click the edit icon ( ).

The Cluster page appears.

Step 3 Click Interfaces .

The Interfaces page appears.

Step 4 From the Selected Device drop-down list, select the device you want to modify.

Step 5 Configure interfaces as you would on an individual device. See Configuring Sensing Interfaces for more information.

Switching the Active Peer in a Cluster

License: Control

Supported Devices: Series 3

After you establish a device cluster, you can manually switch the active and backup peer devices or stacks.

To switch the active peer in a cluster:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster that you want to change the active peer, click the switch active peer icon ( ).

The Switch Active Peer pop-up window appears.

Step 3 Click Yes to immediately make the backup device the active device in the cluster. Click No to cancel and return to the Device Management page.

Placing a Clustered Device into Maintenance Mode

License: Control

Supported Devices: Series 3

After you establish a cluster, you can manually trigger failover by placing one of the clustered devices or stacks into maintenance mode to perform maintenance on the devices. In maintenance mode, the system administratively takes down all interfaces except for the management interface. After maintenance is completed, you can re-enable the device to resume normal operation.

Note You should not place both members of a cluster into maintenance mode at the same time. Doing so will prevent that cluster from inspecting traffic.

To place a clustered device into maintenance mode:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the clustered device you want to place in maintenance mode, click the toggle maintenance mode icon ( ).

The Confirm Maintenance Mode pop-up window appears.

Step 3 Click Yes to confirm maintenance mode or click No to cancel.

Step 4 Click the toggle maintenance mode icon ( ) again to bring the device out of maintenance mode.

Replacing a Device in a Clustered Stack

License: Control

Supported Devices: Series 3

After you place a stack that is a cluster member into maintenance mode, you can replace a secondary device in the stack for another device. You can only select devices that are not currently stacked or clustered. The new device must follow the same guidelines for establishing a device stack. See Establishing Device Stacks.

To replace a device in a clustered stack:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the stack member you want to place into maintenance mode, click the toggle maintenance mode icon ( ).

The Confirm Maintenance Mode pop-up window appears.

Step 3 Click Yes to confirm maintenance mode or click No to cancel.

Step 4 Click the replace device icon ( ).

The Replace Device pop-up window appears.

Step 5 Select the Replacement Device from the drop-down list.

Step 6 Click Replace to replace the device or click Cancel to keep the current device and return to the Device Management page.

Step 7 Click the toggle maintenance mode icon ( ) again to bring the stack immediately out of maintenance mode.

You do not need to reapply the device configuration.

Establishing Clustered State Sharing

License: Control

Supported Devices: Series 3

Clustered state sharing allows clustered devices or clustered stacks to synchronize as much state as necessary, so that if either device or stack fails, the other peer can take over with no interruption to traffic flow. Without state sharing, the following features may not fail over properly:

• Strict TCP enforcement
• Unidirectional access control rules
• Blocking persistence

Note, however, that enabling state sharing slows system performance.

You must configure and enable HA link interfaces on both devices or the primary stacked devices in the cluster before you can configure clustered state sharing. 82xx Family and 83xx Family devices require a 10G HA link, while other model devices require a 1G HA link. See Configuring HA Link Interfaces for more information.

Note If clustered devices fail over, the system terminates all existing SSL-encrypted sessions on the active device. Even if you establish clustered state sharing, these sessions must be renegotiated on the backup device. If the server establishing the SSL session supports session reuse and the backup device does not have the SSL session ID, it cannot renegotiate the session. For more information, see Clustering Devices.

Strict TCP Enforcement

When you enable strict TCP enforcement for a domain, the system drops any packets that are out of order on TCP sessions. For example, the system drops non-SYN packets received on an unestablished connection. With state sharing, devices in the cluster allow TCP sessions to continue after failover without having to reestablish the connection, even if strict TCP enforcement is enabled. You can enable strict TCP enforcement on inline sets, virtual routers, and virtual switches.

Unidirectional Access Control Rules

If you have configured unidirectional access control rules, network traffic may match a different access control rule than intended when the system reevaluates a connection midstream after failover. For example, consider if you have a policy containing the following two access control rules:

Without state sharing, if an allowed connection from 192.168.1.1 to 192.168.2.1 is still active following a failover and the next packet is seen as a response packet, the system denies the connection. With state sharing, a midstream pickup would match the existing connection and continue to be allowed.

Blocking Persistence

While many connections are blocked on the first packet based on access control rules or other factors, there are cases where the system allows some number of packets through before determining that the connection should be blocked. With state sharing, the system immediately blocks the connection on the peer device or stack as well.

When establishing clustered state sharing, you can configure the following options:

Enabled

Click the check box to enable state sharing. Clear the check box to disable state sharing.

Minimum Flow Lifetime

Specify the minimum time (in milliseconds) for a session before the system sends any synchronization messages for it. You can use any integer from 0 to 65535. The system does not synchronize any sessions that have not met the minimum flow lifetime, and the system synchronizes only when a packet is received for the connection.

Minimum Sync. Interval

Specify the minimum time (in milliseconds) between update messages for a session. You can use any integer from 0 to 65535. The minimum synchronization interval prevents synchronization messages for a given connection from being sent more frequently than the configured value after the connection reaches the minimum lifetime.

Maximum HTTP URL Length

Specify the maximum characters for the URL the system synchronizes between the clustered devices. You may use any integer from 0 to 225.

Note Cisco recommends that you use the default values, unless your deployment presents a good reason to change them. Decreasing the values allows increased clustered peer readiness, while increasing the values allows better performance.

To establish clustered state sharing:

Access: Admin/Network Admin

Step 1 Configure HA link interfaces for each device in the cluster.

See Configuring HA Link Interfaces for more information.

Step 2 Select Devices > Device Management .

The Device Management page appears.

Step 3 Next to the device cluster you want to edit, click the edit icon ( ).

The Cluster page appears.

Step 4 Next to the State Sharing section, click the edit icon ( ).

The State Sharing pop-up window appears.

Step 5 Configure the state sharing, as described earlier in this section.

Step 6 Click OK .

Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Troubleshooting Clustered State Sharing

License: Control

Supported Devices: Series 3

After you enable state sharing, you can view the following information about the configuration in the State Sharing section of the Cluster page:

• The HA link interface that is being used and its current link state
• Detailed synchronization statistics for troubleshooting issues

The state sharing statistics are primarily counters for different aspects of the clustered synchronization traffic sent and received, along with some other error counters. In addition, you can view the latest system logs for each device in the cluster.

See the following sections for more information about the statistics you can view for each device and how you can use them to troubleshoot your clustered state sharing configuration.

Messages Received (Unicast)

Messages received are the number of cluster synchronization messages received from the clustered peer.

The value should be close to the number of messages sent by the peer. During active use, the values may not match, but should be close. If traffic stops, the values should become stable and the messages received will match the messages sent.

For troubleshooting, you should view both the messages received and the messages sent, compare the rate of increase, and make sure the values are close. The sent value on each peer should be incrementing at approximately the same rate as the received value on the opposite peer.

Contact Support if the received messages stop incrementing or increment slower than the messages sent by the peer.

Packets Received

The system batches multiple messages into single packets in order to decrease overhead. The Packets Received counter displays the total number of these data packets, as well as other control packets that have been received by a device.

The value should be close to the number of packets sent by the peer device. During active use, the values may not match, but should be close. Because the number of messages received should be close and incrementing at the same rate as the number of messages sent by the peer, the number of packets received should have the same behavior.

For troubleshooting, you should view both the packets received and the messages sent, compare the rate of increase, and make sure the values are increasing at the same rate. If the sent value on the clustered peer is incrementing, the received value on the device should also increase at the same rate.

Contact Support if the received packets stop incrementing or increment slower than the messages sent by the peer.

Total Bytes Received

Total bytes received are the number of bytes that make up the packets received by the peer.

The value should be close to the number of bytes sent by the other peer. During active use, the values may not match, but should be close.

For troubleshooting, you should view both the total bytes received and the messages sent, compare the rate of increase, and make sure the values are increasing at the same rate. If the sent value on the clustered peer is incrementing, the received value on the device should also increase at the same rate.

Contact Support if the received bytes stop incrementing or increment slower than the messages sent by the peer.

Protocol Bytes Received

Protocol bytes received are the number of bytes of protocol overhead received, which includes everything but the payload of session state synchronization messages.

The value should be close to the number of bytes sent by the peer. During active use, the values may not match, but should be close.

For troubleshooting, you should view the total bytes received to discover how much actual state data is being shared in comparison to protocol data. If the protocol data is a large percentage of the data being sent, you can adjust the minimum sync interval.

Contact Support if the protocol bytes received increment at a similar rate to the total bytes received. Protocol bytes received should be minimal in relation to the total bytes received.

Messages Sent

Messages sent are the number of cluster synchronization messages sent to the clustered peer.

This data is useful in comparison to the number of messages received. During active use, the values may not match, but should be close.

For troubleshooting, you should view both the messages received and the messages sent, compare the rate of increase, and make sure the values are close.

Contact Support if the messages sent increment at a similar rate to the total bytes received.

Bytes Sent

Bytes sent are the total number of bytes sent that make up the cluster synchronization messages sent to the peer.

This data are useful in comparison to the number of messages received. During active use, the values may not match, but should be close. The number of bytes received on the peer should be close to, but not more than this value.

Contact Support if the total bytes received is not incrementing at about the same rate as the bytes sent.

Tx Errors

Tx errors are the number of memory allocation failures the system encounters when trying to allocate space for messages to be sent to the clustered peer.

This value should be zero at all times on both peers. Contact Support if this number is not zero or if the number steadily increases, which indicates the system has encountered an error where it cannot allocate memory.

Tx Overruns

Tx overruns are the number of times the system attempts and fails to place a message into the transit queue.

This value should be zero at all times on both peers. When the value is not zero or is steadily increasing, it indicates that the system is sharing too much data across the HA link that cannot be sent quickly enough.

You should increase the HA link MTU if it was previously set below the default value (9918 or 9922). You can change the minimum flow lifetime and minimum synchronization interval settings to reduce the amount of data shared across the HA link to prevent the number from incrementing.

Contact Support if this value persists or continues to increase.

Recent Logs

The system log displays the most recent clustered synchronization messages. The log should not display any ERROR or WARN messages. It should remain comparable between the peers, such as the same number of sockets being connected.

However, the data displayed may be opposite in some instances, for example, one peer reports that it received a connection from the other peer and references different IP addresses. The log provides a comprehensive view of the clustered state sharing connection, and any errors within the connection.

Contact Support if the log displays an ERROR or WARN message, or any message that does not appear to be purely informational.

To view clustered state sharing statistics:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster you want to edit, click the edit icon ( ).

The Cluster page for the device cluster appears.

Step 3 In the State Sharing section, click the view statistics icon ( ).

The State Sharing Statistics pop-up window appears.

Step 4 Optionally, select a Device to view if your cluster is composed of device stacks.

Step 5 Optionally, click Refresh to update the statistics.

Step 6 Optionally, click View to view the latest data log for each clustered device.

Separating Clustered Devices

License: Control

Supported Devices: Series 3

When you break device clustering, the active device or stack retains full deployment functionality. The backup device or stack loses its interface configurations and fails over to the active device or stack, unless you choose to leave the interface configurations active, in which case the backup device or stack resumes normal operation. Breaking a cluster always removes the configuration of passive interfaces on the backup devices. Any devices in maintenance mode resume normal operation upon breaking the cluster.

To separate a clustered device:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device cluster you want to break, click the break cluster icon ( ).

The Confirm Break pop-up window appears.

Step 3 Optionally, select the check box to remove the interface configurations on the backup device or stack, which means all interfaces except for the management interface are administratively taken down.

Step 4 Click Yes .

The device cluster is separated.

Establishing Device Stacks

License: Any

Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900

You can increase the amount of traffic inspected on a network segment by stacking two fiber-based 3D9900s, two 3D8140 devices, up to four 3D8250s, a 3D8260, a 3D8270, a 3D8290, up to four 3D8350s, a 3D8360, a 3D8370, or a 3D8390, up to four AMP8350s, an AMP8360, and AMP8370, or an AMP8390 and using their combined resources in a single, shared, configuration. Before you begin, you must:

• decide which unit will be the primary device
• cable the units properly before designating the primary/secondary relationship. For information about cabling, see the FireSIGHT System Installation Guide .

Note If you have clustered devices, you cannot stack a device cluster or a device in a clustered pair. However, you can cluster a device stack. See Clustering Devices for more information.

After you establish a device stack, the system treats the devices as a single device on the Device Management page. Device stacks display the stack icon ( ) in the appliance list.

Removing registration of a device stack from a Defense Center also removes registration from both devices. You delete stacked devices from the Defense Center as you would a single managed device; you can then register the stack on another Defense Center. You only need to register one of the stacked devices on the new Defense Center for the entire stack to appear. See Deleting Devices and Adding Devices to the Defense Center for more information.

After you establish the device stack, you cannot change which devices are primary or secondary unless you break and reestablish the stack. However, you can:

• add secondary devices to an existing stack of two or three 3D8250s, a 3D8260, or a 3D8270 up to the limit of four 3D8250s in a stack
• add secondary devices to an existing stack of two or three 3D8350s, a 3D8360, or a 3D8370 up to the limit of four 3D8350s in a stack
• add secondary devices to an existing stack of two or three AMP8350s, an AMP8360, or an AMP8370 up to the limit of four AMP8350s in a stack

For additional devices, the primary device in the stack must have the necessary stacking NetMods for additional cabled devices. For example, if you have a 3D8260 where the primary only has a single stacking NetMod, you cannot add another secondary device to this stack. You add secondary devices to an existing stack in the same manner that you initially establish a stacked device configuration.

To establish a stacked device configuration:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 From the Add drop-down menu, select Add Stack .

The Add Stack pop-up window appears.

Step 3 From the Primary drop-down list, select the device that you cabled for primary operation.

Note If you edit a device that is not cabled as the primary device, you cannot perform the next series of steps.

Step 4 In the Name field, type the name of the stack. You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ‘, and “.

Step 5 Click Add to select the devices you want to form a stack with.

The Add Secondary Connection pop-up window appears. The following graphic displays the primary device front view for a 3D8140.

Step 6 From the Slot on Primary Device drop-down list, select the stacking network module that connects the primary device to the secondary device.

Step 7 From the Secondary Device drop-down list, select the device you cabled for secondary operation.

Note All devices in a stack must be of the same hardware model (for example, 3D9900 with 3D9900, 3D8140 with 3D8140, and so on). You can stack a total of four devices (one primary device and up to three secondary devices) in the 82xx Family and in the 83xx Family.

Step 8 From the Slot on Secondary Device drop-down list, select the stacking network module that connects the secondary device to the primary device.

Step 9 Click Add .

The Add Stack window reappears with the new secondary device included.

Step 10 Optionally, repeat steps 5 through 9 if you are adding secondary devices to an existing stack of 3D8250s, a 3D8260, a 3D8270, an existing stack of 3D8350s, a 3D8360, or a 3D8370, or an existing stack of AMP8350s, an AMP8360, or an AMP8370.

Step 11 Click Stack .

The device stack is established or the additional secondary devices are added. Note that this process takes a few minutes as the process synchronizes system data.

Editing Device Stacks

License: Any

Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900

After you establish a device stack, most changes you make to the device configuration also change the configuration of the entire stack. On the Stack page of the appliance editor, you can make changes to the stack configuration as on the Device page of a single device.

You can change the display name of the stack, enable and disable licenses, view system and health policies, configure automatic application bypass, and set up fast-path rules.

See the following sections for more information:

• Editing General Device Settings
• Enabling and Disabling Device Licenses
• Editing Advanced Device Settings

To edit a stacked configuration:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the stacked device where you want to edit the configuration, click the edit icon ( ).

The Stack page for that device appears.

Step 3 Use the sections on the Stack page to make changes to the stacked configuration as you would a single device configuration.

Configuring Individual Devices in a Stack

License: Any

Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900

After you establish a device stack, you can still configure some attributes for only one device within the stack. On the Devices page of the appliance editor, you can make changes to a device configured in a stack as on the Device page of a single device.

You can change the display name of a device, view system settings, shut down or restart a device, view health information, and edit device management settings.

See the following sections for more information:

• Editing General Device Settings
• Editing Device System Settings
• Viewing the Health of a Device
• Editing Device Management Settings

To configure an individual device in a stack:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the stacked device where you want to edit the configuration, click the edit icon ( ).

The Stack page for that device appears.

Step 3 Click Devices .

The Devices page appears.

Step 4 From the Selected Device drop-down list, select the device you want to modify.

Step 5 Use the sections on the Devices page to make changes to the individual stacked device as you would a single device.

Configuring Interfaces on a Stacked Device

License: Any

Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900

Except for the management interface, you configure stacked device interfaces on the Interfaces page of the primary device in the stack. You can select any device in the stack to configure the management interface. See Configuring Management Interfaces for more information.

The Interfaces page of a Series 3 stacked device includes the hardware and interfaces views that you find on an individual device. The interfaces page of a 3D9900 does not include these views. See Configuring Sensing Interfaces for more information.

To configure interfaces on a stacked device:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the stacked device where you want to configure interfaces, click the edit icon ( ).

The Stack page for that device appears.

Step 3 Click Interfaces .

The Interfaces page appears.

Step 4 From the Selected Device drop-down list, select the device you want to modify.

Step 5 Configure interfaces as you would on an individual device. See Configuring Sensing Interfaces for more information.

Separating Stacked Devices

License: Any

Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900

If you no longer need to use a stacked configuration for your devices, you can break the stack and separate the devices.

To separate stacked devices:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device stack you want to break, click the break stack icon ( ).

The Confirm Break pop-up window appears.

Tip To remove a secondary device from a stack of three or more 3D8250 devices without breaking the stack, click the remove from stack icon (). Removing the secondary device causes a brief disruption of traffic inspection, traffic flow, or link state as the system reconfigures the stack for operation without the extra device.

Step 3 Click Yes .

The device stack is separated.

Replacing a Device in a Stack

License: Any

Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900

To replace a stacked device, you must break the stack.

Warning If the Defense Center cannot communicate with the device, you must connect to the device and use CLI commands to separate the stack and unregister the device from the Defense Center. For more information, see stacking disable and delete CLI commands in Configuration Commands.

To replace a device in a device stack:

Step 1 Select the stack with the device to replace and break that stack. For more information, see Separating Stacked Devices.

Step 2 Unregister the device from the Defense Center. For more information, see Disabling High Availability and Unregistering Devices.

Step 3 Register the replacement device to the Defense Center. For more information, see Adding Devices to the Defense Center.

Step 4 Create a device stack that includes the replacement device. For more information, see Establishing Device Stacks.

Editing General Device Settings

License: Any

The General section of the Device tab displays the managed device settings listed below, which you can change.

Name

The assigned name for the managed device.

Transfer Packets

Indicates whether packet data is transferred to the Defense Center to be stored with events.

To edit the general device settings:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to edit the assigned name, click the edit icon ( ).

The Interfaces page for that device appears.

Step 3 Click Device .

The Device page appears.

Tip For stacked devices, you edit the assigned device name for the stack on the Stack page of the appliance editor. You can edit the assigned device name for an individual device on the Devices page of the appliance editor.

Step 4 Next to the General section, click the edit icon ( ).

The General pop-up window appears.

Step 5 In the Name field, type a new assigned name for the device. You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ‘, and “.

Step 6 Select the Transfer Packets check box to allow packet data to be stored with events on the Defense Center. Clear the check box to prevent the managed device from sending packet data with the events.

Step 7 Click Save .

The changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Enabling and Disabling Device Licenses

License: Any

Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER

You can enable licenses on your device if you have available licenses on your Defense Center. Note that:

• Control, Malware, and URL Filtering licenses require a Protection license.
• You cannot enable a VPN license on a virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER devices.
• Although you can enable a Control license on a virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device, these devices do not support fast-path rules, switching, routing, stacking, or clustering. Cisco NGIPS for Blue Coat X-Series also does not support application or user control.
• You cannot change the license settings on clustered devices.
• Because Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering, you cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.

For more information, see Licensing the FireSIGHT System.

To enable or disable device licenses:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to enable or disable licenses, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Tip For stacked devices, you enable or disable the licenses for the stack on the Stack page of the appliance editor.

Step 4 Next to the License section, click the edit icon ( ).

The License pop-up window appears.

Step 5 You have the following options:

• To enable a license, select the check box next to the license name.
• To disable a license, clear the check box next to the license name.

Step 6 Click Save .

The changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Editing Device System Settings

License: Any

The System section of the Device tab displays a read-only table of system information, as described in the following table.

You can also shut down or restart the device.

Note You cannot shut down or restart X-Series or ASA FirePOWER devices with the FireSIGHT System user interface. See the Cisco NGIPS for Blue Coat X-Series Installation Guide or the ASA documentation for more information on how to shut down the respective devices.

To shut down and restart a managed device:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device that you want to restart, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Tip For stacked devices, you shut down or restart an individual device on the Devices page of the appliance editor.

Step 4 To shut down the device, click the shut down device icon ( ).

Step 5 When prompted, confirm that you want to shut down the device.

You are returned to the Device Management page.

Step 6 To restart the device, click the restart device icon ( ).

Step 7 When prompted, confirm that you want to restart the device.

The device is restarted.

Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Viewing the Health of a Device

License: Any

The Health section of the Device tab displays health-related information. You can view an icon showing the current health status of the managed device. You can also click the icon to navigate to the Health Monitor page for that device. See Interpreting Health Monitor Status for more information.

You can click the Policy link to view a read-only version of the currently applied health policy. See Editing Health Policies for more information.

You can also click the Blacklist link to go to the Health Blacklist page, where you can enable and disable health blacklist modules. See Blacklisting a Health Policy Module for more information.

Editing Device Management Settings

License: Any

The Management section of the Device tab displays the remote management information listed below.

Host

The current management host name or IP address of the device. You can use this setting to specify the management host name and regenerate the virtual IP address.

Note In some cases, if you edit the host name or IP address of a device by another method (using the device’s LCD panel or CLI, for example), you may need to use the procedure below to manually update the host name or IP address on the managing Defense Center.

Status

Specifies the status of the communication channel between the Defense Center and the managed device.

Tip You can click the slider to enable or disable management of the managed device. Disabling management blocks the connection between the Defense Center and the device, but does not delete the device from the Defense Center. If you no longer want to manage a device, see Deleting Devices.

To modify device management options:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to modify management options, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Tip For stacked devices, you modify management options on an individual device on the Devices page of the appliance editor.

Step 4 Next to the Management section, click the edit icon ( ).

The Management pop-up window appears.

Step 5 In the Host field, enter the name or IP address of the management host.

Step 6 Click Save .

Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Understanding Advanced Device Settings

License: Any

Supported Devices: feature dependent

The Advanced section of the Device tab displays a table of advanced configuration settings, as described in the following table.

You can use the Advanced section to edit any of these settings. See the following sections for more information:

• Automatic Application Bypass
• Editing Advanced Device Settings
• Configuring Fast-Path Rules

Automatic Application Bypass

License: Any

The Automatic Application Bypass (AAB) feature limits the time allowed to process packets through an interface and allows packets to bypass detection if the time is exceeded. The feature functions with any deployment; however, it is most valuable in inline deployments.

You balance packet processing delays with your network’s tolerance for packet latency. When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes Snort to restart within ten minutes of the failure, and generates troubleshoot data that can be analyzed to investigate the cause of the excessive processing time.

In Version 5.4.1 and higher, the default behavior for the AAB option varies by device, as follows:

• Series 3: off
• Series 2 and virtual: on
• ASA FirePOWER: not supported
• X-Series: not supported

If you upgrade from a version earlier than 5.3, the existing setting is retained. You can change the bypass threshold if the option is selected. The default setting is 3000 milliseconds (ms). The valid range is from 250 ms to 60,000 ms.

Typically, you use Rule Latency Thresholding in the intrusion policy to fast-path packets after the latency threshold value is exceeded. Rule Latency Thresholding does not shut down the engine or generate troubleshoot data. For more information, see Configuring Packet and Intrusion Rule Latency Thresholds.

Note AAB is activated only when an excessive amount of time is spent processing a single packet. If AAB engages the Snort process restarts. which temporarily interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. See How Snort Restarts Affect Traffic for more information.

If detection is bypassed, the device generates a health monitoring alert. For more information on that health monitoring alert, see Using the Health Monitor.

For more information about enabling Automatic Application Bypass and setting the bypass threshold, see Editing Advanced Device Settings.

Editing Advanced Device Settings

License: Any

Supported Devices: feature dependent

You can use the Advanced section of the Devices tab to modify the Automatic Application Bypass and Inspect Local Router Traffic settings. You can also configure fast-path rules, as explained in Configuring Fast-Path Rules.

Note the following:

• you can configure fast-path rules only on 8000 Series and 3D9900 devices.
• you can configure Inspect Local Router Traffic only on Series 3 devices

To modify advanced device settings:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to edit advanced device settings, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Tip For stacked devices, you edit the advanced device settings for the stack on the Stack page of the appliance editor.

Step 4 Next to the Advanced section, click the edit icon ( ).

The Advanced pop-up window appears.

Step 5 Optionally, select Automatic Application Bypass if your network is sensitive to latency. Automatic Application Bypass is most useful in inline deployments. For more information, see Automatic Application Bypass.

Step 6 When you select the Automatic Application Bypass option, you can type a Bypass Threshold in milliseconds (ms). The default setting is 3000 ms and the valid range is from 250 ms to 60,000 ms.

Step 7 Optionally, select the Inspect Local Router Traffic check box to inspect exception traffic when deployed as a router.

Step 8 Optionally, configure fast-path rules. For more information, see Configuring Fast-Path Rules.

Step 9 Click Save .

Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Configuring Fast-Path Rules

License: Any

Supported Devices: 8000 Series, 3D9900

You can create fast-path rules to send traffic directly through a device with no further inspection. Fast-path rules divert traffic that does not need to be analyzed to bypass the device. Fast-path rules either send traffic to the fast-path (out of the interface) or allow it to continue into the device for further analysis. Their advantage is the speed at which they determine the correct path for the traffic. Because the fast-path rules function at the hardware level, they only determine limited information about the packet.

See the following sections for more information:

• Adding IPv4 Fast-Path Rules
• Adding IPv6 Fast-Path Rules
• Deleting Fast-Path Rules

Adding IPv4 Fast-Path Rules

License: Any

Supported Devices: 8000 Series, 3D9900

Fast-path rules send traffic to the fast-path (out of the interface) or into the device for further analysis. You can use the following criteria to select the IPv4 traffic you want to divert to the fast-path and not inspect:

• initiator or responder IP address or CIDR block
• protocol
• initiator or responder port, for TCP or UDP protocols
• VLAN ID
• bidirectional option

Note that the outermost ID is used for fast-path rules.

Tip To edit an existing fast-path rule, click the edit icon () next to the rule.

To build or edit IPv4 fast-path rules:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to add a fast-path rule, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Step 4 Next to the Advanced section, click the edit icon ( ).

The Advanced pop-up window appears.

Step 5 Click New IPv4 Rule to add a fast-path rule.

The New IPv4 Rule pop-up window appears.

Step 6 From the Domain drop-down list, select an inline set or passive security zone. See Setting Up an IPS Device for more information.

Step 7 Use CIDR notation in the Initiator and the Responder fields to designate the IP addresses of initiators or responders whose packets should bypass further analysis.

Your rule matches packets from the designated initiators or packets to the designated responders. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.

Step 8 Optionally, from the Protocol drop-down list, select the protocol on which you want the rule to act or select All to match traffic from any protocol on the list.

Step 9 Optionally, if you chose the TCP or UDP protocol in step 8 , enter initiator and responder ports in the Initiator Port and the Responder Port fields to designate ports.

Tip You can enter a comma-separated list of port numbers in each rule. You cannot use port ranges in IPv4 fast-path rules. Note that a blank port value is treated as Any.

If you also select the Bidirectional option, your filter criteria are narrowed to packets from those initiator ports or packets to those responder ports.

Step 10 Optionally, enter a VLAN ID in the VLAN field.

Your rule matches only traffic for that VLAN. Note that a blank VLAN value is treated as Any .

Step 11 Optionally, select the Bidirectional option to filter all traffic traveling between the specified initiator and responder IP addresses. Clear the option to filter only traffic from the specified initiator IP address to the specified responder IP address.

Step 12 Click Save .

The rule is added under Fast-Path Rules in the Advanced pop-up window. Although the rule is added, you must click Save again to save the rule. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Adding IPv6 Fast-Path Rules

License: Any

Supported Devices: Series 3, 3D9900

Fast-path rules send traffic to the fast-path (out of the interface) or into the device for further analysis. You can use the following criteria to select the IPv6 traffic you want to divert to the fast-path and not inspect:

• initiator or responder IP address or address block
• protocol
• initiator or responder port, for TCP or UDP protocols
• VLAN ID
• bidirectional option

Note that the outermost VLAN ID is used for fast-path rules.

Tip To edit an existing fast-path rule, click the edit icon () next to the rule.

To add an IPv6 fast-path rule:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to add a fast-path rule, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Step 4 Next to the Advanced section, click the edit icon.

The Advanced pop-up window appears.

Step 5 Click New IPv6 Rule to add a fast-path rule.

The New IPv6 Rule pop-up window appears. Note that the initiator and responder fields are fixed and indicate that the filter applies to IPv6 packets from any initiator or responder.

Step 6 From the Domain drop-down list, select an inline set or passive security zone. See Setting Up an IPS Device for more information.

Step 7 Type IP addresses or use IPv6 prefix length notation to specify address blocks in the Initiator and the Responder fields for the IP addresses of initiators or responders whose packets should bypass further analysis.

Your rule matches packets from the designated initiators or packets to the designated responders. For information on using IPv6 prefix length notation in the FireSIGHT System, see IP Address Conventions.

Step 8 Optionally, from the Protocol drop-down list, select the protocol on which you want the rule to act or select All to match traffic from any protocol on the list.

Your fast-path rule matches only the selected protocol’s packets.

Step 9 Optionally, if you chose the TCP or UDP protocol in step 7 , enter initiator and responder ports in the Initiator Port and the Responder Port fields to designate ports.

Tip You can enter a comma-separated list of port numbers in each rule. You cannot use port ranges in IPv6 fast-path rules. Note that a blank port value is treated as Any.

Step 10 Optionally, enter a VLAN ID in the VLAN field.

Your rule matches only traffic for that VLAN. Note that a blank VLAN value is treated as Any .

Step 11 Optionally, select Bidirectional to filter all traffic traveling between the specified initiator and responder ports. Clear the option to specify that your rule matches only packets from those initiator ports or packets to those responder ports.

Step 12 Click Save .

The rule is added under Fast-Path Rules in the Advanced pop-up window.

Step 13 In the Advanced pop-up window, click Save .

The rule is saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Deleting Fast-Path Rules

License: Any

Supported Devices: 8000 Series, 3D9900

The following procedure explains how to delete any IPv4 or IPv6 fast-path rule.

To delete any fast-path rule:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to delete a fast-path rule, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Click Device .

The Devices tab appears.

Step 4 Next to the Advanced section, click the edit icon ( ).

The Advanced pop-up window appears.

Step 5 Next to the fast-path rule you want to delete, click the delete icon ( ).

Step 6 When prompted, confirm that you want to delete the rule.

The rule is removed from the Advanced pop-up window.

Step 7 Click Save .

Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

The following table explains how to use the physical hardware view.

The interfaces table view, which is below the Series 3 hardware view, lists all the available interfaces you have on a device. The table includes an expandable navigation tree you can use to view all configured interfaces. You can click the arrow icon next to an interface to collapse or expand the interface to hide or view its subcomponents. The interfaces table view also provides summarized information about each interface, as described in the following table. Note that only 8000 Series devices display the MAC Address and IP Address columns. See the following table for more information.

Note that you can only configure a total of 1024 interfaces on a FirePOWER managed device.

Note The Defense Center does not display ASA interfaces when the ASA FirePOWER device is deployed in SPAN port mode.

See the following sections for details on the different ways you can configure interfaces on a device:

• Configuring HA Link Interfaces
• MTU Ranges for Managed Devices
• Managing Cisco ASA with FirePOWER Services Interfaces
• Disabling Interfaces
• Preventing Duplicate Connection Logging
• Setting Up an IPS Device
• Setting Up Virtual Switches
• Setting Up Virtual Routers
• Setting Up Aggregate Interfaces
• Setting Up Hybrid Interfaces

Configuring HA Link Interfaces

License: Any

Supported Devices: Series 3

After you establish a device cluster, you can configure a physical interface as a high availability (HA) link interface. This link acts as a redundant communications channel for sharing health information between the clustered devices. When you configure an HA link interface on one device, you automatically configure an interface on the second device. You must configure both HA links on the same broadcast domain. See Clustering Devices for more information.

Dynamic NAT relies on dynamically allocating IP addresses and ports to map to other IP addresses and ports. Without an HA link, these mappings are lost in a failover, causing all translated connections to fail as they are routed through the now active device in the cluster.

To configure an HA link interface:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the clustered device where you want to configure the HA link interface, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Next to the interface you want to configure as a HA link interface, click the edit icon ( ).

The Edit Interface pop-up window appears.

Step 4 Click HA Link to display the HA link options.

Step 5 Select the Enabled check box to allow the HA link interface to provide link.

If you clear the check box, the interface becomes disabled and administratively taken down.

Step 6 From the Mode drop-down list, select an option to designate the link mode or select Autonegotiation to specify that the interface is configured to autonegotiate speed and duplex settings.

Step 7 From the MDI/MDIX drop-down list, select an option to designate whether the interface is configured for MDI (medium dependent interface), MDIX (medium dependent interface crossover), or Auto-MDIX.

Normally, MDI/MDIX is set to Auto-MDIX , which automatically handles switching between MDI and MDIX to attain link.

Step 8 In the MTU field, type a maximum transmission unit (MTU), which designates the largest size packet allowed.

The range within which you can set the MTU can vary depending on the FireSIGHT System device model and the interface type. See MTU Ranges for Managed Devices for more information.

Step 9 Click Save .

Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

MTU Ranges for Managed Devices

License: Any

Note that for Cisco NGIPS for Blue Coat X-Series, you configure the interface MTU using the Cisco NGIPS for Blue Coat X-Series CLI. See the Cisco NGIPS for Blue Coat X-Series Installation Guide for more information.

Note Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.

The following table lists MTU configuration ranges for managed devices.

Managing Cisco ASA with FirePOWER Services Interfaces

License: Protection

Supported Devices: ASA FirePOWER

When editing an ASA FirePOWER interface, you can configure only the interface’s security zone from the FireSIGHT Defense Center. See Working with Security Zones for more information.

You fully configure ASA FirePOWER interfaces using the ASA-specific software and CLI. If you edit an ASA FirePOWER device and switch from multiple context mode to single context mode (or visa versa), the device renames all of its interfaces. You must reconfigure all FireSIGHT System security zones, correlation rules, and related configurations to use the updated ASA FirePOWER interface names. For more information about ASA FirePOWER interface configuration, see the ASA documentation.

Note You cannot change the type of ASA FirePOWER interface, nor can you disable the interface from the FireSIGHT Defense Center.

To edit an ASA FirePOWER Interface:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to edit the interface, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Next to the interface you want to edit, click the edit icon ( ).

The Edit Interface pop-up window appears.

Step 4 From the Security Zone drop-down list, select an existing security zone or select New to add a new security zone.

Step 5 Click Save .

The security zone is configured. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Disabling Interfaces

License: Any

You can disable an interface by setting the interface type to None . Disabled interfaces appear grayed out in the interface list.

Note You cannot change the type of an ASA FirePOWER interface, nor can you disable the interface from the FireSIGHT Defense Center.

To disable an interface:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to disable the interface, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 Next to the interface you want to disable, click the edit icon ( ).

The Edit Interface pop-up window appears.

Step 4 Click None .

Step 5 Click Save .

Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.

Preventing Duplicate Connection Logging

License: Any

When you update a security zone object, the system saves a new revision of the object. As a result, if you have managed devices in the same security zone that have different revisions of the security zone object configured in the interfaces, you may log what appear to be duplicate connections.

If you notice duplicate connection reporting, you can update all managed devices to use the same revision of the object.

To synchronize security zone object revisions across devices:

Access: Admin/Network Admin

Step 1 Select Devices > Device Management .

The Device Management page appears.

Step 2 Next to the device where you want to update the security zone selection, click the edit icon ( ).

The Interfaces tab for that device appears.

Step 3 For each interface logging duplicate connection events, change the Security Zone to another zone, click Save , then change it back to the desired zone, and click Save again.

Step 4 Repeat steps 2 through 3 for each device logging duplicate events.

Step 5 After all interfaces on all devices have been edited, apply device changes to all managed devices at once.