Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 41-8
Chapter 41 Configuring Remediations
Creating Remediations
For example, to block traffic to an entire Class C network when a single host triggered a rule (this is not recommended), use 255.255.255.0 or 24 as the netmask.

As another example, to block traffic to 30 addresses that include the triggering IP address, specify 255.255.255.224 or 27 as the netmask. In this case, if the IP address 10.1.1.15 triggers the remediation, all IP addresses between 10.1.1.1 and 10.1.1.30 are blocked. To block only the triggering IP address, leave the field blank, enter 32, or enter 255.255.255.255.
Step 7 Click Create, then click Done.
The remediation is added.
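To check how many addresses a given netmask would put in scope before saving a remediation, here is an added Python example (not part of the guide or of the FireSIGHT product) that reproduces the guide's netmask arithmetic for all three input forms; the function names and the "wide" flag are this example's own, and it assumes, as in the guide's /27 example, that the network and broadcast addresses are not counted as blocked hosts.

```python
import ipaddress

# Netmask forms accepted by the remediation field, per the guide:
# dotted-decimal ("255.255.255.224"), a prefix length ("27"), or blank
# (= the triggering host only).
CLASS_C_PREFIX = 24  # a /24 or wider is the "not recommended" case in the guide


def parse_netmask(netmask):
    """Normalise the three netmask forms to a prefix length (0-32)."""
    if netmask is None or not str(netmask).strip():
        return 32  # blank field: block only the triggering address
    text = str(netmask).strip()
    if text.isdigit():
        prefix = int(text)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {text}")
        return prefix
    # Dotted-decimal: let ipaddress reject non-contiguous masks.
    return ipaddress.ip_network(f"0.0.0.0/{text}", strict=False).prefixlen


def blocked_range(trigger_ip, netmask=None):
    """Return (first, last, count, wide) for a netmask-based block.

    first/last are the first and last blocked addresses, count is how many
    addresses are blocked, and wide is True when the scope is a Class C (/24)
    network or larger, which the guide advises against.
    Assumption (matches the guide's /27 example): for masks shorter than /31
    the network and broadcast addresses are not counted as blocked hosts."""
    prefix = parse_netmask(netmask)
    net = ipaddress.ip_network(f"{trigger_ip}/{prefix}", strict=False)
    if prefix >= 31:
        addrs = list(net)          # /31 and /32: every address is a host
    else:
        addrs = list(net.hosts())  # drops network and broadcast addresses
    return (str(addrs[0]), str(addrs[-1]), len(addrs), prefix <= CLASS_C_PREFIX)


if __name__ == "__main__":
    # Walk the guide's own examples with 10.1.1.15 as the triggering address.
    for mask in ("255.255.255.224", "27", "32", "", "255.255.255.0"):
        first, last, count, wide = blocked_range("10.1.1.15", mask)
        flag = "  <- wider than recommended" if wide else ""
        print(f"netmask {mask or '(blank)':16} blocks {first}-{last} ({count} addresses){flag}")
```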
Configuring Remediations for Cisco PIX Firewalls
License: FireSIGHT

Cisco provides a Cisco PIX Shun remediation module that allows you to block an IP address or network using Cisco's "shun" command. This blocks all traffic sent from either the source or destination host that violated the correlation policy and closes all current connections (note that this will not block traffic sent through the firewall to the host).

The Cisco PIX Shun remediation module supports Cisco PIX Firewall 6.0 and higher. You must have level 15 administrative access or higher to launch Cisco PIX remediations.
Note: A destination-based remediation only works if you configure it to launch when a correlation rule that is based on a connection event or intrusion event triggers. Discovery events only transmit source hosts.

Caution: When a Cisco PIX remediation is activated, no timeout period is used. To unblock the IP address or network, you must manually remove the rule from the firewall.
To create remediations for Cisco PIX firewalls:
Access: Admin/Discovery Admin

Step 1 Enable Telnet or SSH (Cisco recommends SSH) on the firewall.
Refer to the documentation provided with your Cisco PIX firewall for more information about enabling SSH or Telnet.

Step 2 On the Defense Center, add a Cisco PIX Shun instance for each Cisco PIX firewall you plan to use with the Defense Center.
See 
Step 3 Create specific remediations for each instance, based on the type of response you want to elicit on the firewall when correlation policies are violated.
The available remediation types are described in the following sections: