Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 37      Using Host Profiles
Working with Servers in the Host Profile
License: FireSIGHT
If the system detects servers running on a host on your monitored network or if servers are added through 
the host input feature or through a scanner or other active source, the Defense Center lists them in the 
Servers section of the host profile.
The Defense Center lists up to 100 servers per host. After that limit is reached, new server information 
from any source, whether active or passive, is discarded until you delete a server from the host or a server 
times out. For more information, see 
.
If you scan a host using Nmap, Nmap adds the results of previously undetected servers running on open 
TCP ports to the Servers list. If you perform an Nmap scan on a host or import Nmap results, an 
expandable Scan Results section also appears in the host profile, listing the server information detected 
on the host by the Nmap scan. See 
 and 
 for more information. In addition, note that if the host is deleted from the 
network map, the Nmap scan results for that server for the host are discarded. 
Note
Although you can configure your network discovery policy to add servers and clients to the network map 
based on data exported by NetFlow-enabled devices, the available information about these applications 
is limited. For more information, see 
.
The process for working with servers in the host profile differs depending on how you accessed the 
profile:
  • If you accessed the host profile by drilling down through the Servers network map, the details for 
that server appear with the server name highlighted in bold. If you want to view the details for any 
other server on the host, click the view icon next to that server name.
  • If you accessed the host profile in any other way, expand the Servers section and click the view icon 
next to the server whose details you want to see.
You can also perform the following actions:
  • To analyze the connection events associated with a particular server on the host, click the events icon 
next to the server.
The first page of your preferred workflow for connection events appears, showing connection events 
constrained by the port and protocol of the server, as well as the IP address of the host. If you do not 
have a preferred workflow for connection events, you must select one. For more information about 
connection data, see 
  • To delete a server from the host profile, click the delete icon next to the server.
The server is deleted from the host profile, but will reappear if the system detects traffic from 
the server again. Note that deleting a server from a host may bring the host into compliance with a 
white list.
  • To resolve a server identity conflict, click the resolve icon next to the server.
You can choose one of the conflicting identities, choose a variation on one of those identities, or set 
a new user-defined identity.
  • To edit a server identity, click the edit icon next to the server.
You can choose the current identity, choose a variation on that identity, or set a new user-defined 
identity.
Descriptions of the columns in the Servers list follow.