Cisco Firepower Management Center 2000
FireSIGHT System User Guide, page 27-6
Chapter 27      Using the FireSIGHT System as a Compliance Tool
Understanding Compliance White Lists
Every host on the network is assigned a host attribute that has the same name as the white list. This host attribute has one of the following values:
 • Compliant, for valid targets that are compliant with the white list
 • Non-Compliant, for valid targets that violate the white list
 • Not Evaluated, for invalid targets and hosts that have not yet been evaluated for any reason
Note that if your network is large and the system is in the process of evaluating all the valid targets in the network map against the white list, targets that have not yet been evaluated are marked as Not Evaluated. As the system completes its processing, more hosts move from Not Evaluated to either Compliant or Non-Compliant. The system can evaluate approximately 100 hosts per second.
Additionally, a host may be marked as Not Evaluated if the system has insufficient information to determine whether the host is in compliance. For example, this may occur if the system has detected a new host but has not yet gathered relevant information on the operating system, clients, application protocols, web applications, or protocols running on the host.
Note
If you change or delete a host attribute from a host and that change or deletion means that the host is no longer a valid target, the host changes from either Compliant or Non-Compliant to Not Evaluated.
For more information on host attributes, see .
Understanding White List Violations
License: FireSIGHT
After the initial white list evaluation, the system generates a white list event when it detects that a valid target is violating the white list. White list events are a special kind of correlation event, and are logged to the Defense Center correlation event database. You can view white list events in a workflow, or search for specific white list events. For more information, see .
White list violations occur when the system generates an event that indicates that a host is out of compliance. Similarly, discovery events may indicate that a previously non-compliant host is now compliant, although the system does not generate a white list event when this occurs.
The following events can change the compliance of a host:
  • the system detects a change in a host’s operating system
  • the system detects an identity conflict for a host’s operating system or an application protocol on the host
  • the system detects a new TCP server port (for example, a port used by SMTP or web servers) active on a host, or a new UDP server running on a host
  • the system detects a change in a discovered TCP or UDP server running on a host, for example, a version change due to an upgrade
  • the system detects a new client running on a host
  • the system drops a client from its database due to inactivity
  • the system detects a new web application running on a host
  • the system drops a web application from a host profile due to inactivity
  • the system detects that a host is communicating with a new network protocol, such as Novell Netware or IPv6, or a new transport protocol, such as ICMP or EGP
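The following is an added example, not Cisco's code or the FireSIGHT implementation: a small Python model of the per-host attribute described under "Understanding Compliance White Lists" and of the event rule described under "Understanding White List Violations". The white list fields (target networks, allowed operating systems, ports and clients, an optional required host attribute), the Host structure and the event dictionary are assumptions for illustration; the three attribute values, the transition to Not Evaluated for invalid targets or hosts with no discovered operating system, and the rule that a return to compliance raises no event follow the text. The rule that an event is raised only for a violation not present at the previous evaluation is an assumed deduplication choice, not something the page states.

```python
# Added example (not Cisco's code): model of compliance white list evaluation.
# WhiteList, Host and the event dict are assumed structures for illustration.
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-Compliant"
NOT_EVALUATED = "Not Evaluated"


@dataclass
class WhiteList:
    name: str
    target_networks: list              # hosts inside these networks are valid targets
    allowed_os: set
    allowed_tcp_ports: set
    allowed_udp_ports: set
    allowed_clients: set
    required_attribute: Optional[tuple] = None   # (name, value) a valid target must carry


@dataclass
class Host:
    ip: str
    os: Optional[str] = None           # None: operating system not yet discovered
    tcp_ports: set = field(default_factory=set)
    udp_ports: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)   # host attributes, incl. the white list's own
    _last_violations: set = field(default_factory=set, repr=False)


def is_valid_target(wl: WhiteList, host: Host) -> bool:
    """A host is a valid target if it is in scope and carries any required attribute."""
    addr = ipaddress.ip_address(host.ip)
    if not any(addr in ipaddress.ip_network(n) for n in wl.target_networks):
        return False
    if wl.required_attribute is not None:
        name, value = wl.required_attribute
        return host.attributes.get(name) == value
    return True


def violations(wl: WhiteList, host: Host) -> set:
    """Everything discovered on the host that the white list does not allow."""
    v = set()
    if host.os not in wl.allowed_os:
        v.add(f"os:{host.os}")
    v.update(f"tcp/{p}" for p in host.tcp_ports - wl.allowed_tcp_ports)
    v.update(f"udp/{p}" for p in host.udp_ports - wl.allowed_udp_ports)
    v.update(f"client:{c}" for c in host.clients - wl.allowed_clients)
    return v


def evaluate(wl: WhiteList, host: Host, initial: bool = False):
    """Re-evaluate one host; returns (attribute value, white list event or None).

    Not Evaluated: invalid target, or OS not yet discovered (insufficient data).
    An event is raised only after the initial evaluation and only when a valid
    target shows a violation absent at the previous evaluation (assumed rule).
    Moving back to Compliant never raises an event.
    """
    if not is_valid_target(wl, host) or host.os is None:
        host.attributes[wl.name] = NOT_EVALUATED
        host._last_violations = set()
        return NOT_EVALUATED, None
    current = violations(wl, host)
    new_violations = current - host._last_violations
    host._last_violations = current
    state = NON_COMPLIANT if current else COMPLIANT
    host.attributes[wl.name] = state
    event = None
    if state == NON_COMPLIANT and new_violations and not initial:
        event = {"type": "white list event", "white_list": wl.name,
                 "host": host.ip, "violations": sorted(new_violations)}
    return state, event


# Constructed sample white list (assumed values, not from the page).
WL = WhiteList("DMZ web servers", ["192.0.2.0/24"],
               allowed_os={"Linux"}, allowed_tcp_ports={22, 80, 443},
               allowed_udp_ports=set(), allowed_clients={"apt"})


def demo() -> list:
    """Walk one host through the transitions the text describes; returns (state, event) pairs."""
    log = []
    h = Host("192.0.2.10")                       # new host, OS not yet known
    log.append(evaluate(WL, h, initial=True))    # Not Evaluated, no event
    h.os = "Linux"; h.tcp_ports = {22, 443}      # discovery fills in OS and servers
    log.append(evaluate(WL, h, initial=True))    # Compliant
    h.tcp_ports.add(25)                          # new TCP server port (SMTP) detected
    log.append(evaluate(WL, h))                  # Non-Compliant, white list event raised
    h.tcp_ports.discard(25)                      # server dropped; back in compliance
    log.append(evaluate(WL, h))                  # Compliant, no event
    outside = Host("198.51.100.7", os="Windows", tcp_ports={3389})
    log.append(evaluate(WL, outside))            # invalid target: Not Evaluated
    return log


if __name__ == "__main__":
    for state, event in demo():
        print(state, event)
```

The `required_attribute` field models the Note above: removing or changing the attribute that makes a host a valid target sends it from Compliant or Non-Compliant back to Not Evaluated on the next evaluation, without raising an event.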