Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 40: Creating Traffic Profiles
A traffic profile is just that—a profile of the traffic on your network, based on connection data collected over a time span that you specify. You can use connection data collected by your devices, the connection data exported by any or all of your NetFlow-enabled devices, or both.
After you create a traffic profile, you can detect abnormal network traffic by evaluating new traffic against your profile, which presumably represents normal network traffic.
Keep in mind that the FireSIGHT System uses connection data to create traffic profiles and trigger correlation rules based on traffic profile changes. You cannot include connections that you do not log to the Defense Center database in traffic profiles. The system uses only end-of-connection data to populate connection summaries (see ), which the system then uses to create connection graphs and traffic profiles. Therefore, if you want to create and use traffic profiles, make sure you log connection events at the end of connections.
The time span used to collect data to build your traffic profile is called the profiling time window (PTW). The PTW is a sliding window; that is, if your PTW is one week (the default), your traffic profile includes connection data collected over the last week. You can change the PTW to be as short as an hour or as long as several weeks.
When you first activate a traffic profile, it collects and evaluates connection data according to the criteria you have set, for a learning period equal in time to the PTW. The Defense Center does not evaluate rules you have written against the traffic profile until the learning period is complete.
You can create profiles using all the traffic on a monitored network segment, or you can create more targeted profiles using criteria based on the data in the connection events. For example, you could set the profile conditions so that the traffic profile only collects data where the detected session uses a specific port, protocol, or application. Or, you could add a host profile qualification to the traffic profile to collect data only for hosts that exhibit a host criticality of high.
Finally, when you create a traffic profile, you can specify inactive periods—periods in which connection data do not affect profile statistics and rules written against the profile do not trigger. You can also change how often the traffic profile aggregates and calculates statistics on collected connection data.
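As an added illustration (not part of this guide, and not how the FireSIGHT System itself computes profile statistics), the following Python models the mechanics described above: end-of-connection records aggregated at a sampling rate, a sliding PTW, a learning period equal to the PTW, inactive periods excluded from both the statistics and the evaluation, and a simple deviation-from-mean check standing in for a correlation rule. The three-standard-deviation threshold, the byte counts and the inactive window are constructed assumptions.

```python
from statistics import mean, pstdev

def inactive_slot(slot, sample_rate, inactive):
    """True if the sampling interval starting at slot*sample_rate lies in an inactive period."""
    t = slot * sample_rate
    return any(start <= t < end for start, end in inactive)

def bucketize(connections, sample_rate):
    """Aggregate end-of-connection records (end_time_s, bytes) into per-interval byte totals,
    keyed by interval number (end_time // sample_rate)."""
    buckets = {}
    for end_time, nbytes in connections:
        slot = end_time // sample_rate
        buckets[slot] = buckets.get(slot, 0) + nbytes
    return buckets

def evaluate(connections, ptw, sample_rate, inactive=(), threshold=3.0):
    """Slide a PTW over the bucketed data. Nothing is evaluated until one full PTW of data
    exists (the learning period). Each later interval is compared with the mean and
    population standard deviation of the preceding PTW, inactive intervals excluded; an
    interval is flagged when its byte total deviates by more than `threshold` sigmas.
    Note that a flagged burst then enters the sliding profile and widens the baseline."""
    buckets = bucketize(connections, sample_rate)
    if not buckets:
        return []
    slots_per_ptw = ptw // sample_rate
    first, last = min(buckets), max(buckets)
    flagged = []
    for slot in range(first + slots_per_ptw, last + 1):
        if inactive_slot(slot, sample_rate, inactive):
            continue  # rules do not trigger during an inactive period
        window = [buckets.get(s, 0) for s in range(slot - slots_per_ptw, slot)
                  if not inactive_slot(s, sample_rate, inactive)]
        if len(window) < 2:
            continue
        mu, sigma = mean(window), pstdev(window)
        total = buckets.get(slot, 0)
        if abs(total - mu) > threshold * sigma:
            flagged.append((slot, total, mu, sigma))
    return flagged

def sample_connections():
    """Constructed records: a steady 1000/1200-byte alternation every 5 minutes, a 50000-byte
    burst in interval 18, and another burst in interval 20 that falls in the inactive window."""
    conns = [(slot * 300 + 10, 1000 if slot % 2 == 0 else 1200) for slot in range(24)]
    return conns + [(18 * 300 + 20, 50000), (20 * 300 + 20, 50000)]

INACTIVE = [(6000, 6300)]  # constructed maintenance window covering interval 20

def demo():
    # PTW of one hour (the shortest the guide allows) with a five-minute sampling rate.
    return evaluate(sample_connections(), ptw=3600, sample_rate=300, inactive=INACTIVE)

if __name__ == "__main__":
    for slot, total, mu, sigma in demo():
        print(f"interval {slot}: {total} bytes vs mean {mu:.0f} (sd {sigma:.0f})")
```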
The following graphic shows a traffic profile with a PTW of one day and a sampling rate of five minutes.