Cisco Firepower Management Center 4000
41-2
FireSIGHT System User Guide
Chapter 41 Configuring Remediations
Creating Remediations
• The Cisco IOS Null Route module, which, if you are running Cisco routers that use Cisco IOS® Version 12.0 or higher, allows you to dynamically block traffic sent to an IP address or network that violates a correlation policy.
See
for more information.
• The Cisco PIX Shun module, which, if you are running Cisco PIX® Firewall Version 6.0 or higher, allows you to dynamically block traffic sent from an IP address that violates a correlation policy.
See
for more information.
• The Nmap Scanning module, which allows you to actively scan specific targets to determine the operating systems and servers running on those hosts.
See
for more information.
• The Set Attribute Value module, which allows you to set a host attribute on a host where a correlation event occurs.
See
.
You can create multiple instances for each remediation module, where each instance represents a connection to a specific appliance. For example, if you have four Cisco IOS routers to which you want to send remediations, configure four instances of the Cisco IOS remediation module, one per router.
When you create an instance, you specify the configuration information necessary for the Defense Center to establish a connection with the appliance. Then, for each configured instance, you add remediations that describe the actions you want the appliance to perform when a policy is violated.
After they are configured, you can add remediations to response groups, or you can assign them directly to individual rules within correlation policies. When the system executes a remediation, it generates a remediation status event, which includes details such as the remediation name, the policy and rule that triggered it, and the exit status message returned by the module. For more information on these events, see
.
In addition to the default modules that Cisco provides, you can write custom remediation modules that perform other specific tasks when policy violations trigger. Refer to the Remediation API Guide for more information about writing your own remediation modules and installing them on the Defense Center. Use the Modules page to install, view, and delete custom modules.
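The following is an added illustration of the kind of input checking a custom remediation should do before it acts; it is not code from this guide, from the Remediation API Guide, or from the modules Cisco ships. It assumes (as an assumption, not something the page states) that the Defense Center passes the offending address to the module executable as a command-line argument and records its exit status and printed message in the remediation status event. The protected networks, the 198.51.100.0/24 targets and the "device" argument are constructed example values. The Cisco IOS `ip route ... Null0` and PIX `shun` commands are the standard hand-entered forms of a null route and a shun; this page does not state that the shipped modules issue exactly these commands.

```python
"""Hypothetical custom remediation module: validate an event-supplied target
before producing a Cisco IOS null route or a PIX shun for it.

Added example; not part of the FireSIGHT System or its Remediation API Guide.
Assumed interface: argv[1] is the target address/network from the correlation
event, argv[2] is an optional device type ("ios" or "pix"); the exit status
and the one-line message on stdout end up in the remediation status event.
"""
import ipaddress
import sys

# Ranges this remediation must never blackhole or shun. Constructed example
# values: the management subnet the Defense Center sits on, and a router
# loopback. A correlation rule firing on one of these must not take down
# the monitoring path itself.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),  # management subnet (assumed)
    ipaddress.ip_network("10.0.1.1/32"),  # router loopback (assumed)
]

# Smallest prefix length we are willing to null-route. A rule that hands the
# module a /8 would otherwise drop traffic for an entire address range.
MIN_PREFIXLEN = 24


def validate_target(target: str) -> ipaddress.IPv4Network:
    """Parse the event-supplied target and reject unsafe or protected ranges."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError as exc:
        raise ValueError(f"not an IP address or network: {target!r}") from exc
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 targets are handled by this example")
    if net.prefixlen < MIN_PREFIXLEN:
        raise ValueError(f"refusing a /{net.prefixlen}: broader than /{MIN_PREFIXLEN}")
    if net.is_unspecified or net.is_loopback or net.is_multicast:
        raise ValueError(f"refusing reserved range {net}")
    for protected in PROTECTED_NETWORKS:
        if net.overlaps(protected):
            raise ValueError(f"{net} overlaps protected network {protected}")
    return net


def null_route_commands(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """IOS: install and rollback commands for a static route to Null0.

    A null route discards traffic *to* the address, matching what the
    Cisco IOS Null Route module described above does.
    """
    install = f"ip route {net.network_address} {net.netmask} Null0"
    return install, f"no {install}"


def shun_commands(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """PIX: shun blocks traffic *from* a single source host, so no mask."""
    if net.prefixlen != 32:
        raise ValueError("shun takes a single host address, not a network")
    install = f"shun {net.network_address}"
    return install, f"no {install}"


def remediate(target: str, device: str = "ios") -> tuple[int, str]:
    """Return (exit status, status message) for the remediation status event.

    Kept free of sys.exit so it can be exercised directly; main() maps the
    tuple onto the process exit status.
    """
    try:
        net = validate_target(target)
        if device == "ios":
            install, rollback = null_route_commands(net)
        elif device == "pix":
            install, rollback = shun_commands(net)
        else:
            return 2, f"unknown device type {device!r}"
    except ValueError as exc:
        return 1, f"remediation skipped: {exc}"
    # A real module would push `install` to the appliance here (for example
    # over SSH) and keep `rollback` for later; this example only reports it.
    return 0, f"would run {install!r} (rollback: {rollback!r})"


def main(argv: list[str]) -> int:
    if not argv:
        print("usage: null_route.py <target-ip-or-network> [ios|pix]")
        return 2
    code, message = remediate(*argv[:2])
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The broadness limit and the protected-network list are the two checks a practitioner most often regrets omitting: correlation rules fire on whatever the event carries, and a remediation that acts on that value unconditionally can blackhole the management path or a whole subnet. Exit status 1 with a "skipped" message surfaces the refusal in the remediation status event rather than silently doing nothing.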
To install a new module on the Defense Center:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Modules.
The Modules page appears.
Step 2 Click Browse to navigate to the location where you saved the file that contains the custom remediation module (refer to the Remediation API Guide for more information).
Step 3 Click Install.
The custom remediation module installs.
To view or delete a module from the Defense Center:
Access: Admin/Discovery Admin