Cisco Firepower Management Center 4000
14-35
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Logging Connection, File, and Malware Information
To optimize performance, Cisco recommends that you log either the beginning or the end of the
connection, but not both. Note that for a single connection, the end-of-connection event contains all of
the information in the beginning-of-connection event, as well as information that was gathered over the
duration of the session.
Also, keep in mind that the FireSIGHT System uses connection data to display the Connection Summary
dashboard, create traffic profiles, trigger correlation rules based on connection data or traffic profile
changes, and add connection trackers to correlation rules. For connections that you do not log to the
Defense Center database, you cannot take advantage of these features.
You can log connection events to the Defense Center database, as well as to the system log (syslog) or
to an SNMP trap server. When and how you can log connections depends on the rule action (see
), as summarized in the following table.
Note that regardless of an access control rule’s logging configuration, the system may automatically log
connections that contain file or intrusion events; see
Deciding Where to Log or Send Connection Events
When you log a connection event, you can save it to the Defense Center database. The FireSIGHT
System uses connection data to display the Connection Summary dashboard, create traffic profiles,
trigger correlation rules based on connection data or traffic profile changes, and add connection trackers
to correlation rules. If you want to take advantage of these features, you must log connections to the
Defense Center database. For information on database limits, see
You can also log connection events to the syslog or to an SNMP trap server using alert responses. For
information on setting up alert responses, see
Logging the Beginning or End of a Connection
Depending on the rule action, you can log a connection event at the beginning or end of a connection, or
both. Because matching traffic is denied without further inspection, the system can log only
beginning-of-connection events for blocked or Security Intelligence blacklisted traffic.
Table 14-4

Rule Action or Logging Option        Log at:                           Send to:
                                     Beginning   End                   Defense Center   Syslog/SNMP
-----------------------------------  ----------  --------------------  ---------------  -----------
Trust                                yes         yes                   yes              yes
Default Action: Trust

Allow                                yes         yes                   yes              yes
Default Action: Intrusion
Default Action: Discovery

Monitor                              no          yes (required)        yes (required)   yes

Block                                yes         no                    yes              yes
Block with reset
Default Action: Block

Interactive Block                    yes         yes (if bypassed,     yes              yes
Interactive Block with reset                     events show Allow
                                                 action)

Security Intelligence                yes         no                    yes              yes
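The constraints in Table 14-4 (which actions can log at which point, the Monitor requirement, and the beginning-or-end performance advice) can be checked mechanically against a set of rules. The following is an added illustration, not Cisco code or a FireSIGHT API: the rule dictionary layout and the sample rules are assumptions constructed for the example.

```python
"""Lint FireSIGHT access control rule logging settings against Table 14-4.
Added example, not Cisco code; the rule dict format below is an assumption."""

# Logging points each rule action supports, per Table 14-4.
CAPABILITIES = {
    "Trust": {"beginning": True, "end": True},
    "Allow": {"beginning": True, "end": True},
    "Monitor": {"beginning": False, "end": True},
    "Block": {"beginning": True, "end": False},
    "Block with reset": {"beginning": True, "end": False},
    "Interactive Block": {"beginning": True, "end": True},
    "Interactive Block with reset": {"beginning": True, "end": True},
    "Security Intelligence": {"beginning": True, "end": False},
}

def lint_rule(rule):
    """Return findings for one rule. `rule` is a constructed dict with keys
    name, action, log_beginning, log_end, send_to={defense_center, syslog, snmp}."""
    action, caps, dest = rule["action"], CAPABILITIES[rule["action"]], rule["send_to"]
    logging_on = rule["log_beginning"] or rule["log_end"]
    findings = []
    if rule["log_beginning"] and not caps["beginning"]:
        findings.append(f"{action} cannot log at the beginning of a connection")
    if rule["log_end"] and not caps["end"]:
        # Blocked/blacklisted traffic is denied without further inspection.
        findings.append(f"{action} cannot log at the end of a connection")
    if action == "Monitor" and not (rule["log_end"] and dest["defense_center"]):
        findings.append("Monitor requires end-of-connection logging to the Defense Center")
    if rule["log_beginning"] and rule["log_end"] and caps["beginning"] and caps["end"]:
        findings.append("logs both ends; the end event already carries the beginning data")
    if logging_on and not dest["defense_center"]:
        findings.append("not logged to Defense Center: no dashboard/traffic profile/correlation use")
    if logging_on and not any(dest.values()):
        findings.append("logging enabled but no destination selected")
    return findings

def lint_policy(rules):
    """Map each rule name to its findings, omitting clean rules."""
    return {r["name"]: f for r in rules if (f := lint_rule(r))}

SAMPLE_RULES = [  # constructed sample rules, not from a real export
    {"name": "trust-backup", "action": "Trust", "log_beginning": False, "log_end": True,
     "send_to": {"defense_center": True, "syslog": False, "snmp": False}},
    {"name": "block-unwanted", "action": "Block", "log_beginning": False, "log_end": True,
     "send_to": {"defense_center": True, "syslog": True, "snmp": False}},
    {"name": "watch-dns", "action": "Monitor", "log_beginning": False, "log_end": True,
     "send_to": {"defense_center": False, "syslog": True, "snmp": False}},
]
```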