Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 27      Using the FireSIGHT System as a Compliance Tool
  Understanding Compliance White Lists
After you create a white list and add it to an active correlation policy, the system evaluates the white 
list’s targets against its host profiles to determine whether the targets are in compliance with the white 
list. After this initial evaluation, the system generates a white list event when it detects that a valid target 
is violating the white list. 
For more information, see the following sections:
  • explains how white lists only target the hosts that you specify.
  • explains the different kinds of profiles that describe which clients, application protocols, web applications, and protocols are allowed to run on your network.
  • explains how the system evaluates the hosts on your network against white lists, and how you can tell which hosts are in compliance and which are not.
  • explains how the system detects and notifies you of white list violations.
Understanding White List Targets
License: FireSIGHT
When you create a white list, you first specify the portions of your network it applies to. You can use a 
white list to evaluate all the hosts on your monitored network, or you can restrict the white list to evaluate 
only certain network segments or even individual hosts. You can further restrict the white list so that it 
evaluates only hosts that have a certain host attribute or that belong to a certain VLAN. A host that is 
eligible to be evaluated by a white list is called a valid target (or target). A valid target:
  • must be in one of the IP address blocks you specify. You can also exclude blocks of IP addresses.
  • must have at least one of the host attributes you specify.
For example, you could configure a white list to evaluate only hosts that have a high host criticality.
For information on host attributes, including host criticality, see 
 an
  • must belong to one of the VLANs you specify.
If a host does not meet all of these criteria, it is not evaluated against the white list, regardless of whether 
its host profile is in violation of the white list.
If your white list contains more than one target, a host must meet the criteria specified in only one of 
them to be considered valid. For example, if you create a target that includes the 10.10.x.x network and 
one that excludes the 10.10.x.x network, a host in that network is considered a valid target. Note that if 
your white list does not contain any targets, none of the hosts on your network will be evaluated against 
the white list.
The target networks for your white list are listed on the left of the Create White List page. Note that the 
default white list uses targets of 0.0.0.0/0 and ::/0, which represent the entire monitored network. If you 
choose to use this white list, you can leave the target network as-is or modify it to reflect your network 
environment.
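The targeting rules above can be modeled in a few lines to check which hosts a given set of targets would actually put in scope. This is an added example, not code from the FireSIGHT System or from Cisco. The `Target` class, the host dictionaries, and the sample addresses are constructed for illustration, and it assumes that a target with no attributes or VLANs listed places no restriction on those criteria.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Target:
    include: list                                   # CIDR blocks covered by this target
    exclude: list = field(default_factory=list)     # CIDR blocks carved out of it
    attributes: list = field(default_factory=list)  # (name, value) pairs; any one may match
    vlans: set = field(default_factory=set)         # VLAN IDs; any one may match

    def matches(self, host):
        ip = ipaddress.ip_address(host["ip"])

        def in_any(blocks):
            nets = (ipaddress.ip_network(b) for b in blocks)
            return any(n.version == ip.version and ip in n for n in nets)

        if not in_any(self.include) or in_any(self.exclude):
            return False
        # Assumption: an empty attribute or VLAN list means "no restriction".
        if self.attributes and not any(
                host.get("attributes", {}).get(k) == v for k, v in self.attributes):
            return False
        if self.vlans and host.get("vlan") not in self.vlans:
            return False
        return True

def is_valid_target(host, targets):
    # One matching target is enough; with no targets, any() is False for every host.
    return any(t.matches(host) for t in targets)

# Constructed sample data.
DEFAULT_TARGETS = [Target(include=["0.0.0.0/0"]), Target(include=["::/0"])]
HOSTS = [
    {"ip": "10.10.4.7", "vlan": 20, "attributes": {"Host Criticality": "High"}},
    {"ip": "10.20.1.9", "vlan": 30, "attributes": {"Host Criticality": "Medium"}},
    {"ip": "2001:db8::15", "vlan": 20, "attributes": {}},
]
OVERLAPPING = [
    Target(include=["10.10.0.0/16"]),
    Target(include=["0.0.0.0/0"], exclude=["10.10.0.0/16"]),
]
HIGH_ONLY = [Target(include=["0.0.0.0/0"], attributes=[("Host Criticality", "High")])]

def in_scope(targets):
    return [h["ip"] for h in HOSTS if is_valid_target(h, targets)]

if __name__ == "__main__":
    for name, t in [("default", DEFAULT_TARGETS), ("overlapping", OVERLAPPING),
                    ("high-only", HIGH_ONLY), ("empty", [])]:
        print(f"{name:12} {in_scope(t)}")
```

The `OVERLAPPING` case mirrors the 10.10.x.x example: the exclusion in one target does not remove a host that another target includes, so an exclusion only narrows scope when no other target covers the same addresses.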
For information on creating white list targets, see