Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 42      Enhancing Network Discovery
  Using Custom Fingerprinting
Note: To create an accurate fingerprint, traffic must be seen by the appliance collecting the fingerprint. If you are connected through a switch, traffic to a system other than the appliance may not be seen by the system.
Step 14  After the fingerprint is created, you must activate it before the Defense Center can use it to identify hosts. See  for more information.
Fingerprinting Servers
License: FireSIGHT
Server fingerprints identify operating systems based on the SYN-ACK packet that the host uses to 
respond to an incoming connection to a running TCP application. Before you begin, you should obtain 
the following information about the host you want to fingerprint:
  • The number of network hops between the host and the appliance you use to obtain the fingerprint. Cisco strongly recommends that you directly connect an unused interface on the appliance to the same subnet that the host is connected to.
  • The network interface (on the appliance) that is connected to the network where the host resides.
  • The actual operating system vendor, product, and version of the host.
  • An IP address that is not currently in use and is authorized on the network where the host is located.
Tip: If the Defense Center does not have direct contact with monitored hosts, you can specify a managed device that is closest to the host you intend to fingerprint when specifying server fingerprint properties.
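To show what a SYN-ACK exposes to a fingerprinting sensor, the following added example (not Cisco code, and not the FireSIGHT fingerprint format) parses a constructed IPv4/TCP SYN-ACK and extracts header fields commonly used for passive OS identification. The field selection, the function name syn_ack_features, and the use of the hop count to recover the sender's initial TTL are assumptions made for illustration.

```python
import struct

# Constructed sample (not a capture): IPv4 + TCP SYN-ACK from 192.0.2.10:80.
SAMPLE_SYN_ACK = bytes.fromhex(
    "4500003c000040003e060000c000020ac0000232"  # IPv4: DF set, TTL 62, TCP
    "0050c3501234567800000001a012712000000000"  # TCP: SYN+ACK, window 28960
    "020405b40402080a000000010000000001030307"  # options: MSS,SACK,TS,NOP,WS
)
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sackok", 8: "ts"}

def syn_ack_features(packet, hops):
    """Return SYN-ACK header traits; `hops` = routers between host and sensor."""
    if len(packet) < 40 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet with a TCP header")
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack_from("!HBB", packet, 6)
    tcp = packet[ihl:]
    if proto != 6 or len(tcp) < 20:
        raise ValueError("not TCP")
    off_flags, window = struct.unpack_from("!HH", tcp, 12)
    hdr_len = (off_flags >> 12) * 4
    if off_flags & 0x12 != 0x12 or not 20 <= hdr_len <= len(tcp):
        raise ValueError("not a well-formed SYN-ACK")
    opts, layout, values, i = tcp[20:hdr_len], [], {}, 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, f"opt{kind}"))
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            values["mss"] = int.from_bytes(data, "big")
        elif kind == 3 and length == 3:
            values["wscale"] = data[0]
        i += length
    return {
        "ttl_observed": ttl,
        "ttl_initial": ttl + hops,   # each router on the path decrements TTL by 1
        "df": bool(flags_frag & 0x4000),
        "window": window,
        "options": layout,
        **values,
    }

if __name__ == "__main__":
    print(syn_ack_features(SAMPLE_SYN_ACK, hops=2))
```

With the sample packet and two hops, the observed TTL of 62 maps back to an initial TTL of 64, which shows why an accurate hop count matters when the sensor is not on the host's subnet.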
To obtain a server fingerprint for a host:
Access: Admin/Discovery Admin
Step 1  Select Policies > Network Discovery, then click Custom Operating Systems.
        The Custom Fingerprint page appears.
Step 2  Click Create Custom Fingerprint.
        The Create Custom Fingerprint page appears.
Step 3  From the Device list, select the Defense Center or the managed device that you want to use to collect the fingerprint.
Step 4  In the Fingerprint Name field, type an identifying name for the fingerprint.
Step 5  In the Fingerprint Description field, type a description for the fingerprint.
Step 6  From the Fingerprint Type list, select Server.
        Server fingerprinting options appear.
Step 7  In the Target IP Address field, type an IP address of the host you want to fingerprint. Note that the fingerprint will only be based on traffic to and from the host IP address you specify, not any of the host’s other IP addresses (if it has any).