Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 41  Configuring Remediations
Creating Remediations

To add the remediation:
Access: Admin/Discovery Admin

Step 1  Select Policies > Actions > Instances.
The Instances page appears.

Step 2  Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see .
The Edit Instance page appears.

Step 3  In the Configured Remediations section, select Block Source and click Add.
The Edit Remediation page appears.

Step 4  In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco PIX firewall instances and multiple remediations for each instance, you may want to specify a name such as PIX_01_BlockSrc.

Step 5  Optionally, in the Description field, enter a description of the remediation.
The remediation is added.

Configuring Nmap Remediations
License: FireSIGHT

You can respond to a correlation event by scanning the host where the triggering event occurred. You can choose to scan only the port from the event that triggered the correlation event.

To set up Nmap scanning in response to a correlation event, you must first create an Nmap scan instance, then add an Nmap scan remediation. You can then configure Nmap scanning as a response to violations of rules within the policy.

See the following sections:
  •
  •

Adding an Nmap Scan Instance
License: FireSIGHT

You can set up a separate scan instance for each Nmap module that you want to use to scan hosts on your network for operating system and server information. You can set up scan instances for the local Nmap module on your Defense Center and for any managed devices you want to use to run scans remotely. The results of each scan are always stored on the Defense Center where you configure the scan, even if you run the scan from a remote managed device. To prevent accidental or malicious scanning of mission-critical hosts, you can create a blacklist for the instance to indicate the hosts that should never be scanned with the instance.

Note that you cannot add a scan instance with the same name as any existing scan instance.
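
The blacklist check and the event-port-only option described above, sketched as an added example (not Cisco code and not part of the original guide). It assumes the never-scan list holds IP addresses and CIDR blocks; the event keys 'host' and 'port' and all addresses are constructed for illustration.

```python
import ipaddress

def parse_never_scan(entries):
    """Parse a never-scan list of IP addresses and CIDR blocks into networks."""
    # strict=False tolerates host bits in a CIDR entry (10.1.5.7/24 -> 10.1.5.0/24)
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def plan_scan(event, never_scan, event_port_only=True):
    """Return (target, ports) for a responsive scan, or None if it must not run.

    event is a constructed dict with hypothetical keys 'host' and 'port'.
    ports is None when port selection is left to the scan instance defaults.
    """
    try:
        host = ipaddress.ip_address(event["host"])
    except (KeyError, ValueError):
        return None  # fail closed on a missing or malformed address
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) names the same host as its
    # IPv4 form, so unwrap it before matching or IPv4 entries would be bypassed.
    if host.version == 6 and host.ipv4_mapped is not None:
        host = host.ipv4_mapped
    for net in never_scan:
        if host.version == net.version and host in net:
            return None  # protected host: never scanned with this instance
    if event_port_only and event.get("port"):
        return (str(host), [int(event["port"])])
    return (str(host), None)

# Constructed sample data: a never-scan list and events from correlation rules.
NEVER_SCAN = parse_never_scan(["10.1.5.0/24", "192.0.2.10", "2001:db8:10::/64"])
SAMPLE_EVENTS = [
    {"host": "10.1.5.20", "port": 443},         # inside a protected subnet
    {"host": "::ffff:10.1.5.20", "port": 443},  # same host, IPv4-mapped form
    {"host": "10.1.6.20", "port": 443},         # allowed, event port only
    {"host": "not-an-ip", "port": 80},          # malformed, no scan
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], "->", plan_scan(ev, NEVER_SCAN))
```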