Cisco Cisco Firepower Management Center 4000
40-7
FireSIGHT System User Guide
Chapter 40 Creating Traffic Profiles
Setting Profile Options
Setting Profile Options
License:
FireSIGHT
The profiling time window (PTW) is the sliding time window, equal in length to the learning period, that
the FireSIGHT System uses to calculate statistics for the traffic profile. The default PTW is one week,
but you can change it to be as short as an hour or as long as several weeks.
the FireSIGHT System uses to calculate statistics for the traffic profile. The default PTW is one week,
but you can change it to be as short as an hour or as long as several weeks.
Also, traffic profiles are based on aggregated connection data. By default, traffic profiles generate
statistics on connection events generated by the system over five-minute intervals. However, you can set
this sampling rate anywhere between the default five minutes and one hour.
statistics on connection events generated by the system over five-minute intervals. However, you can set
this sampling rate anywhere between the default five minutes and one hour.
Keep in mind that you should set your PTW and sampling rate so that your traffic profiles contain enough
data to be statistically meaningful. For example, a PTW of one day with a sampling rate of one hour
would only contain 24 data points, which may not be enough for accurate analysis of network traffic
patterns.
data to be statistically meaningful. For example, a PTW of one day with a sampling rate of one hour
would only contain 24 data points, which may not be enough for accurate analysis of network traffic
patterns.
Tip
Your PTW should include at least 100 data points.
Application Protocol >
Application Port
Type the application protocol port number.
Application Protocol >
Protocol
Select the protocol from the drop-down list.
Client > Client
Select a client from the drop-down list.
Client > Client Version
Type the client version.
Web Application
Select a client from the drop-down list.
MAC Address > MAC
Address
Address
Type all or part of the MAC address of the host.
MAC Address > MAC Type
Select whether the MAC type is
ARP/DHCP Detected
.
That is, select whether the system positively identified the MAC address as belonging to the
host (
host (
is ARP/DHCP Detected
), whether the system is seeing many hosts with that MAC address
because, for example, there is a router between the device and the host (
is not ARP/DHCP
Detected
), or whether the MAC type is irrelevant (
is any
).
MAC Vendor
Type all or part of the MAC vendor of hardware used by the host.
any available host attribute,
including the default
compliance white list host
attribute
including the default
compliance white list host
attribute
Specify the appropriate value, which depends on the type of host attribute you select:
•
If the host attribute type is Integer, enter an integer value in the range defined for the
attribute.
attribute.
•
If the host attribute type is Text, and enter a text value.
•
If the host attribute type is List, select a valid list string from the drop-down list.
•
If the host attribute type is URL, enter a URL value.
For more information on host attributes, see
.
Table 40-2
Syntax for Host Profile Qualifications (continued)
If you specify...
Select an operator, then...