Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 5      Managing Reusable Objects 
  Working with Application Filters
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
When the FireSIGHT System analyzes IP traffic, it attempts to identify the commonly used applications 
on your network. Application awareness is crucial to performing application-based access control. The 
system is delivered with detectors for many applications, and Cisco frequently updates and adds 
additional detectors via system and vulnerability database (VDB) updates. You can also create your own 
application protocol detectors to enhance the system’s detection capabilities.
Application filters group applications according to criteria associated with the applications’ risk, 
business relevance, type, categories, and tags; see the 
 table. When you create 
an application protocol detector, you must characterize the application using those criteria as well. Using 
application filters allows you to quickly create application conditions for access control rules because 
you do not have to search for and add applications individually; for more information, see 
.
Another advantage to using application filters is that you do not have to update access control rules that 
use filters when you modify or add new applications. For example, if you configure your access control 
policy to block all social networking applications, and a VDB update includes a new social networking 
application detector, the policy is updated when you update the VDB. Although you must reapply the 
policy before the system can block the new application, you do not have to update the access control rule 
that blocks the application.
If the Cisco-provided application filters do not group applications according to your needs, you can 
create your own filters. User-defined filters can group and combine Cisco-provided filters. For example, 
you could create a filter that would allow you to block all very high risk, low business relevance 
applications. You can also create a filter by manually specifying individual applications, although you 
should keep in mind those filters do not automatically update when you update the system software or 
the VDB.
As with Cisco-provided application filters, you can use user-defined application filters in access control 
rules. You can also use user-defined filters in the following additional ways:
  • To search for applications using the event viewer; see 
  • To constrain a table view in a report template; see 
  • To filter application statistics in a Custom Analysis dashboard widget; see 
You use the object manager (Objects > Object Management) to create and manage application filters. Note 
that you can also create an application filter on the fly while adding an application condition to an access 
control rule.
The Application Filters list contains the Cisco-provided application filters that you can select to build 
your own filter. You can constrain the filters that appear by using a search string; this is especially useful 
for categories and tags. 
The Available Applications list contains the individual applications in the filters you select. You can also 
constrain the applications that appear by using a search string.
The system links multiple filters of the same filter type with an OR operation. Consider a scenario where 
the medium risk filter contains 100 applications and the high risk filter contains 50 applications. If you 
select both filters, the system would display 150 available applications.
The system links different types of filters with an AND operation. For example, if you select the medium 
and high risk filters and the medium and high business relevance filters, the system displays the 
applications that have medium or high risk, and also have medium or high business relevance.
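
The OR-within-type and AND-across-types rule described above, modeled as an added Python example (not Cisco code; the catalog, application names, and function names are constructed for illustration). It also shows why a criteria-based filter picks up an application added by a later VDB update while a manually specified list does not.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    risk: str
    relevance: str
    categories: frozenset

# Constructed catalog; names and attribute values are illustrative only.
CATALOG = [
    App("chat-one", "medium", "low", frozenset({"social networking"})),
    App("share-two", "high", "medium", frozenset({"file sharing"})),
    App("mail-three", "medium", "high", frozenset({"email"})),
    App("crm-four", "low", "high", frozenset({"business"})),
    App("p2p-five", "very high", "low", frozenset({"file sharing"})),
]

def _values(app, filter_type):
    # Normalize single-valued and multi-valued attributes to a frozenset.
    value = getattr(app, filter_type)
    return value if isinstance(value, frozenset) else frozenset({value})

def available_applications(catalog, selected):
    """selected is a list of (filter_type, value) pairs.
    Same filter type: OR (union). Different filter types: AND (intersection).
    An empty selection returns every application (assumption of this sketch)."""
    wanted = defaultdict(set)
    for filter_type, value in selected:
        wanted[filter_type].add(value)
    return {app.name for app in catalog
            if all(_values(app, t) & vals for t, vals in wanted.items())}

def manual_filter(catalog, names):
    """A filter built from individually chosen applications: a fixed name list."""
    return {app.name for app in catalog if app.name in names}

if __name__ == "__main__":
    risk = [("risk", "medium"), ("risk", "high")]
    print(available_applications(CATALOG, risk))
    both = risk + [("relevance", "medium"), ("relevance", "high")]
    print(available_applications(CATALOG, both))
    # Simulated VDB update adds a new social networking application.
    updated = CATALOG + [App("social-six", "high", "low", frozenset({"social networking"}))]
    social = [("categories", "social networking")]
    print(available_applications(updated, social))  # picks up social-six
    print(manual_filter(updated, {"chat-one"}))     # still only chat-one
```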