Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 40      Creating Traffic Profiles 
  
After you create and activate a traffic profile and its learning period is complete, you can create 
correlation rules that trigger when you detect anomalous traffic. For example, you could write a rule that 
triggers if the amount of data traversing your network (measured in packets, KBytes, or number of 
connections) suddenly spikes to three standard deviations above the mean amount of traffic, which could 
indicate an attack or other security policy violation. Then, you could include that rule in a correlation 
policy to alert you to the traffic spike or to perform a remediation in response. For information on using 
traffic profiles to detect abnormal network traffic, see 
.
You create traffic profiles on the Traffic Profiles page. The slider icon next to each profile indicates 
whether the profile is active. If you want to base a correlation rule on a traffic profile change, you must 
activate the profile. If the slider icon is blue with a check mark, the profile is active. If it is gray with an 
x, the profile is inactive. For more information, see 
.
The progress bar shows the status of the traffic profile’s learning period. When the progress bar reaches 
100%, correlation rules written against the profile will trigger.
Tip: You can sort traffic profiles by state (active versus inactive) or alphabetically by name using the 
Sort by drop-down list.
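
The following added example (not from the guide, and not how the FireSIGHT System is implemented) models the behavior described above: a profile builds a baseline during its learning period, and only an active profile whose learning has reached 100% flags a metric that rises more than three standard deviations above the mean. The class name, field names, and sample values are assumptions made for illustration, as is the choice that an inactive profile neither learns nor triggers.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

METRICS = ("packets", "kbytes", "connections")

@dataclass
class TrafficProfile:
    """Illustrative model of a traffic profile (hypothetical, not Cisco code)."""
    learning_samples: int      # intervals needed to complete the learning period
    active: bool = True
    history: dict = field(default_factory=lambda: {m: [] for m in METRICS})

    def progress(self) -> int:
        """Learning-period progress as a percentage (0-100)."""
        seen = len(self.history["packets"])
        return min(100, seen * 100 // self.learning_samples)

    def observe(self, sample: dict, sigmas: float = 3.0) -> list:
        """Return the metrics in `sample` above mean + sigmas * stddev.

        Nothing triggers while the profile is inactive or still learning;
        samples seen during the learning period only build the baseline.
        """
        if not self.active:
            return []
        if self.progress() < 100:
            for m in METRICS:
                self.history[m].append(sample[m])
            return []
        hits = []
        for m in METRICS:
            mu, sd = mean(self.history[m]), pstdev(self.history[m])
            # A perfectly flat baseline (sd == 0) flags any rise above the mean.
            if sample[m] > mu + sigmas * sd:
                hits.append(m)
        return hits

# Constructed sample data: eight learning intervals, then two live intervals.
PKTS = [980, 1010, 1005, 995, 1020, 990, 1000, 1000]
BASELINE = [{"packets": p, "kbytes": p // 2, "connections": 38 + i % 5}
            for i, p in enumerate(PKTS)]
NORMAL = {"packets": 1015, "kbytes": 508, "connections": 41}
SPIKE = {"packets": 4000, "kbytes": 2100, "connections": 42}

if __name__ == "__main__":
    profile = TrafficProfile(learning_samples=len(BASELINE))
    for s in BASELINE:
        profile.observe(s)
    print(profile.progress(), profile.observe(NORMAL), profile.observe(SPIKE))
```

In the constructed data the spike interval trips the packet and KByte thresholds while the connection count stays inside its normal band, which is the pattern of a few connections moving an unusual volume of data.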