Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with Servers in the Host Profile
Protocol
The name of the protocol the server uses.
Port
The port where the server runs.
Application Protocol
One of:
– the name of the application protocol
– pending, if the system cannot positively or negatively identify the application protocol for one of several reasons
– unknown, if the system cannot identify the application protocol based on known application protocol fingerprints, or if the server was added through host input by adding a vulnerability with port information without adding a corresponding server
When you hover your pointer over an application protocol name, the tags display. For information on
tags, see
Vendor and Version
The vendor and version identified by the FireSIGHT System, by Nmap, or by another active source,
or acquired via the host input feature. The field is blank if none of the available sources provides an
identification.
Note that if the host is running a server that violates a compliance white list in an activated correlation
policy, the Defense Center marks the non-compliant server with the white list violation icon.
Server Detail
License: FireSIGHT
The Defense Center lists up to 16 passively detected (Cisco- or NetFlow-detected) identities per server.
A server can have multiple passive identities if the system detects multiple vendors or versions of that
server. For example, a load balancer between your managed device and your web server farm may cause
your system to identify multiple passive identities for HTTP if your web servers are not running the same
version of the server software. Note that the Defense Center does not limit the number of server identities
from active sources such as user input, scanners, or other applications.
The Defense Center displays the current identity in bold. The system uses the current identity of a server
for multiple purposes, including assigning vulnerabilities to a host, impact assessment, evaluating
correlation rules written against host profile qualifications and compliance white lists, and so on.
Tip
For information on changing the server identity and resolving identity conflicts from the server detail,
see