FireSIGHT System User Guide, page 41-3
Chapter 41  Configuring Remediations
Creating Remediations
Step 1  Select Policies > Actions > Modules.
        The Modules page appears.
Step 2  Perform one of the following actions:
  • Click View to view the module. The Module Detail page appears.
  • Click Delete next to the module you want to delete. You cannot delete default modules provided by Cisco. The remediation module is deleted.
Configuring Remediations for Cisco IOS Routers
License: FireSIGHT
Cisco provides a Cisco IOS Null Route remediation module that allows you to block a single IP address or an entire block of addresses using Cisco's "null route" command when a correlation policy is violated. The module takes the host or network listed as the source or destination host in the event that violated the correlation policy and forwards all traffic sent to that host or network to the router's NULL interface, causing it to be dropped. Note that this does not block traffic sent from the violating host or network.
The Cisco IOS Null Route remediation module supports Cisco routers running Cisco IOS 12.0 and higher. You must have level 15 administrative access to the router to execute Cisco IOS remediations.
Note: A destination-based remediation only works if you configure it to launch when a correlation rule that is based on a connection event or intrusion event triggers. Discovery events only transmit source hosts.
Caution: When a Cisco IOS remediation is activated, there is no timeout period. To remove the blocked IP address or network from the router, you must manually clear the routing change from the router itself.
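The following is an added example, not code from the FireSIGHT guide or the Cisco module. It models the routing change described above so an operator can review, before enabling a remediation, which null route would be installed for a given correlation event and which command has to be entered by hand to clear it afterwards. It assumes the standard IOS static-route form `ip route <prefix> <mask> Null0`; the exact commands the module sends to the router are not stated on this page. The event dictionaries are constructed for the example.

```python
import ipaddress

# Constructed correlation events for the example. "discovery" events only
# carry a source host, as the Note above states.
CONNECTION_EVENT = {"type": "connection", "src": "192.0.2.7", "dst": "203.0.113.77/24"}
DISCOVERY_EVENT = {"type": "discovery", "src": "198.51.100.9"}


def ios_null_route(target: str) -> tuple[str, str]:
    """Return (install, clear) IOS commands that null-route a host or network.

    `target` is an IPv4 address or CIDR block. Any host bits are masked off so
    the route covers the whole block. The install command drops traffic sent
    *to* the target (traffic *from* it is not blocked); the clear command is
    the manual cleanup the Caution requires, because there is no timeout.
    Assumption: the standard 'ip route <prefix> <mask> Null0' form.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("this example models IPv4 static routes only")
    install = f"ip route {net.network_address} {net.netmask} Null0"
    return install, f"no {install}"


def remediation_target(event: dict, block: str) -> str:
    """Pick the host the remediation acts on for one correlation event.

    `block` is "source" or "destination". A destination-based remediation is
    refused for discovery events, mirroring the Note: they carry no
    destination host, so the remediation would have nothing to block.
    """
    if block == "source":
        return event["src"]
    if block == "destination":
        if event["type"] not in ("connection", "intrusion"):
            raise ValueError("destination-based remediation needs a connection or intrusion event")
        return event["dst"]
    raise ValueError(f"unknown block mode {block!r}")


def null_route_change(event: dict, block: str) -> tuple[str, str]:
    """Commands (install, clear) the remediation would produce for this event."""
    return ios_null_route(remediation_target(event, block))


if __name__ == "__main__":
    for cmd in null_route_change(CONNECTION_EVENT, "destination"):
        print(cmd)
```

Keep the clear command from the second element with the change record, since the guide notes the router will not remove the route on its own.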
To create remediations for routers running Cisco IOS:
Access: Admin/Discovery Admin
Step 1  Enable Telnet on the Cisco router.
        Refer to the documentation provided with your Cisco router or IOS software for more information about enabling Telnet.
Step 2  On the Defense Center, add a Cisco IOS Null Route instance for each Cisco IOS router you plan to use with the Defense Center.
        See  for the procedures.
Step 3  Create specific remediations for each instance, based on the type of response you want to elicit on the router when correlation policies are violated.
        Each available remediation type is described in the following sections:
  •