Cisco Firepower Management Center 4000
35-18
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Understanding NetFlow
Number of Connection Events Generated Per Monitored Session
For connections detected directly by managed devices, depending on the access control rule action, you
can log a bidirectional connection event at the beginning or end of a connection, or both.
However, because NetFlow-enabled devices export unidirectional connection data, the system always
generates at least two connection events for each connection detected by NetFlow-enabled devices,
depending on how you configured the devices. This also means that a summary’s connection count is
incremented by two for every connection based on NetFlow data, providing an inflated count of the
number of connections that are actually occurring on your network.
Note that if you configure your NetFlow-enabled devices to output records only when the connection
ends, the system generates two connection events for that session. On the other hand, if you configure
your NetFlow-enabled devices to output records at a fixed interval even if a connection is still ongoing,
the system generates a connection event for each record exported by the device. For example, if you
configure your NetFlow-enabled devices to output records for long-running connections every five
minutes, and a particular connection lasts twelve minutes, the system generates six connection events
for that session:
• one pair of events for the first five minutes
• one pair for the second five minutes
• a final pair when the connection is terminated
For this reason, Cisco strongly recommends that you configure your NetFlow-enabled devices to output
records only when monitored sessions close.
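The following script is an added illustration of the counting rule described above; it is not code from the FireSIGHT System or from Cisco. It models a NetFlow exporter that emits one unidirectional record per direction per export interval (the five-minute interval is modeled as an assumed "active timeout" parameter; exporting only on close is the default), counts the connection events the system would generate (one per record), and then pairs the A-to-B and B-to-A records back into bidirectional sessions to show how far the summary count is inflated. The sessions and durations are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """A bidirectional connection as it happened on the wire (constructed sample)."""
    client: str
    cport: int
    server: str
    sport: int
    proto: int      # IP protocol number, 6 = TCP
    duration: int   # minutes the session stayed open


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional record as a NetFlow-enabled device exports it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: int      # minute offset at which this record's interval began
    end: int        # minute offset at which it was exported


def export_records(session: Session, active_timeout: Optional[int] = None) -> List[FlowRecord]:
    """Model what the exporter emits for one session.

    active_timeout=None: a record only when the session closes (the recommended setting).
    active_timeout=N:    an extra record every N minutes while the session is still open,
                         plus the final record when it closes.
    NetFlow data is unidirectional, so every export interval yields two records,
    one per direction; the system turns each record into one connection event.
    """
    boundaries = [0]
    if active_timeout:
        t = active_timeout
        while t < session.duration:          # intermediate exports for a long-running session
            boundaries.append(t)
            t += active_timeout
    boundaries.append(session.duration)      # final export when the session closes
    records: List[FlowRecord] = []
    for start, end in zip(boundaries, boundaries[1:]):
        records.append(FlowRecord(session.client, session.cport, session.server, session.sport,
                                  session.proto, start, end))
        records.append(FlowRecord(session.server, session.sport, session.client, session.cport,
                                  session.proto, start, end))
    return records


def connection_events(records: List[FlowRecord]) -> int:
    """One connection event is generated per exported record."""
    return len(records)


def bidirectional_sessions(records: List[FlowRecord]) -> int:
    """Pair the records back into sessions: A->B and B->A records with the same
    protocol describe one connection, whichever endpoint they were exported from."""
    keys = set()
    for r in records:
        a, b = (r.src, r.sport), (r.dst, r.dport)
        keys.add((r.proto, min(a, b), max(a, b)))
    return len(keys)


# Constructed sample: the guide's twelve-minute session plus a short one.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", 51000, "10.0.0.8", 443, 6, 12),
    Session("10.0.0.6", 52000, "10.0.0.9", 80, 6, 3),
]


def summarize(sessions: List[Session], active_timeout: Optional[int] = None) -> Dict[str, int]:
    """Events the system would log versus connections that actually occurred."""
    records = [r for s in sessions for r in export_records(s, active_timeout)]
    return {"events": connection_events(records), "sessions": bidirectional_sessions(records)}


if __name__ == "__main__":
    print("export on close only :", summarize(SAMPLE_SESSIONS))
    print("export every 5 minutes:", summarize(SAMPLE_SESSIONS, active_timeout=5))
```

With export on close only, the two sample sessions produce four events (two per session); with a five-minute interval the twelve-minute session alone produces six, exactly the three pairs the text lists. Pairing on the reversed 5-tuple recovers the true session count in either case, which is the correction to apply before trusting a summary built from NetFlow data.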
Host and Operating System Data
Although you can configure the network discovery policy to add hosts to the network map based on
NetFlow records, the host profile does not include any operating system or NetBIOS data for the hosts
involved in the connection, nor can the system identify if the hosts are network devices (bridges, routers,
NAT devices, or load balancers). You can, however, manually set a host’s operating system identity using
the host input feature.
Application Data
For connections detected directly by managed devices, the system can identify application protocols,
clients, and web applications by examining the packets in the connection.
When the system processes NetFlow records, the system uses a port correlation in /etc/sf/services to
extrapolate application protocol identity. However, there is no vendor or version information for those
application protocols, nor do connection logs contain information on client or web applications used in
the session. You can, however, manually provide this information using the host input feature.
Note that a simple port correlation means that application protocols running on non-standard ports may
be unidentified or misidentified. Additionally, if no correlation exists, the system marks the application
protocol as unknown in connection logs.
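The script below is an added example of the port-only correlation described in the two paragraphs above and of both failure modes it produces; it is not FireSIGHT code. The real contents and format of /etc/sf/services are not reproduced on this page, so the example assumes a file in the familiar /etc/services line format ("name port/proto") and embeds a constructed excerpt. It also assumes the destination port of a record is tried first (the responder's port in the request direction) and the source port second, so the reverse-direction record of the same session maps to the same name.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed excerpt in /etc/services format. Assumed stand-in for /etc/sf/services.
SERVICES_TEXT = """\
# name    port/proto
ssh       22/tcp
domain    53/udp
http      80/tcp
https     443/tcp
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}   # IP protocol number -> name used in the table


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record (only the fields the correlation needs)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Build the (port, proto) -> application protocol table from services-format text.
    Comments and blank lines are skipped; aliases after the port/proto column are ignored."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/", 1)
        table[(int(port), proto.lower())] = name
    return table


def application_protocol(table: Dict[Tuple[int, str], str], record: FlowRecord) -> str:
    """Port-only correlation. No packet is inspected, so the answer is whatever
    the table says about the ports; anything without an entry is 'unknown',
    as in the connection log."""
    proto = PROTO_NAMES.get(record.proto)
    if proto is None:
        return "unknown"
    for port in (record.dport, record.sport):     # assumed order: responder port first
        name = table.get((port, proto))
        if name is not None:
            return name
    return "unknown"


# Constructed flows covering the correct case and both failure modes from the text.
SAMPLE_FLOWS = {
    "https on 443":              FlowRecord("10.0.0.5", 51000, "10.0.0.8", 443, 6),
    "https moved to 8443":       FlowRecord("10.0.0.5", 51001, "10.0.0.8", 8443, 6),   # unidentified
    "ssh moved to 2222":         FlowRecord("10.0.0.5", 51002, "10.0.0.8", 2222, 6),   # unidentified
    "http server bound to 22":   FlowRecord("10.0.0.5", 51003, "10.0.0.8", 22, 6),     # misidentified
    "dns over udp":              FlowRecord("10.0.0.5", 40000, "10.0.0.2", 53, 17),
}


def classify_all(table: Dict[Tuple[int, str], str] = None) -> Dict[str, str]:
    """Label every sample flow; returns {description: application protocol name}."""
    if table is None:
        table = parse_services(SERVICES_TEXT)
    return {label: application_protocol(table, rec) for label, rec in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, name in classify_all().items():
        print(f"{label:28s} -> {name}")
```

The two services on non-standard ports come back as unknown, and the web server listening on 22/tcp is labelled ssh: with no payload to inspect, the correlation cannot tell the difference. When a host identified this way matters, set its application protocol identity through the host input feature rather than trusting the port-derived label.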
Vulnerability Mappings
The FireSIGHT System cannot determine which vulnerabilities might affect hosts added to the network
map based on NetFlow records, unless you use the host input feature to manually set either a host’s
operating system identity or an application protocol identity. Note that because there is no client
information in NetFlow connections, you cannot associate client vulnerabilities with NetFlow hosts.