Cisco Cisco Firepower Management Center 4000
55-19
FireSIGHT System User Guide
Chapter 55 Using Health Monitoring
Configuring Health Policies
Configuring Inline Link Mismatch Alarm Monitoring
License:
Any
Use the Inline Link Mismatch Alarm health status module to track when the interfaces on either side of
an inline set negotiate different connection speeds. If different negotiated speeds are detected, this
module generates an alert.
an inline set negotiate different connection speeds. If different negotiated speeds are detected, this
module generates an alert.
To configure inline link mismatch monitoring:
Access:
Admin/Maint
Step 1
In the Health Policy Configuration page, select
Inline Link Mismatch Alarms
.
The Health Policy Configuration — Inline Link Mismatch Alarms page appears.
Step 2
Select
On
for the
Enabled
option to enable use of the module for health status testing.
Step 3
You have three options:
•
To save your changes to this module and return to the Health Policy page, click
Save Policy and Exit
.
•
To return to the Health Policy page without saving any of your settings for this module, click
Cancel
.
•
To temporarily save your changes to this module and switch to another module’s settings to modify,
select the other module from the list at the left of the page. If you click
select the other module from the list at the left of the page. If you click
Save Policy and Exit
when you
are done, all changes you made will be saved; if you click
Cancel
, you discard all changes.
You must apply the health policy to the appropriate Defense Center if you want your settings to take
effect. See
effect. See
for more information.
Configuring Intrusion Event Rate Monitoring
License:
Protection
Use the Intrusion Event Rate health status module to set limits for the number of packets per second that
trigger a change in the health status. If the event rate on the monitored device exceeds the number of
events per second configured in the Events per second (Warning) limit, the status classification for that
module changes to Warning. If the event rate exceeds the number of events per second configured in the
Events per second (Critical) limit, the status classification for that module changes to Critical. That
status data feeds into the health monitor.
trigger a change in the health status. If the event rate on the monitored device exceeds the number of
events per second configured in the Events per second (Warning) limit, the status classification for that
module changes to Warning. If the event rate exceeds the number of events per second configured in the
Events per second (Critical) limit, the status classification for that module changes to Critical. That
status data feeds into the health monitor.
Typically, the event rate for a network segment averages 20 events per second. For a network segment
with this average rate, Events per second (Critical) should be set to
with this average rate, Events per second (Critical) should be set to
50
and Events per second (Warning)
should be set to
30
. To determine limits for your system, find the Events/Sec value on the Statistics page
for your device (
System > Monitoring > Statistics
), then calculate the limits using these formulas:
•
Events per second (Critical) = Events/Sec * 2.5
•
Events per second (Warning) = Events/Sec * 1.5
The maximum number of events you can set for either limit is 999, and the Critical limit must be higher
than the Warning limit.
than the Warning limit.
To configure Intrusion Event Rate Monitor health module settings:
Access:
Admin/Maint
Step 1
On the Health Policy Configuration page, select
Intrusion Event Rate
.