Cisco Cisco Firepower Management Center 4000
34-3
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with File Storage
File storage requires a device running Version 5.3 or later, a Malware license, and sufficient disk space
on the device. If the device’s primary hard drive does not have enough space, and you do not have a
malware storage pack installed, you cannot store files on the device.
on the device. If the device’s primary hard drive does not have enough space, and you do not have a
malware storage pack installed, you cannot store files on the device.
Caution
Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an
unsupported hard drive may damage the device. Malware storage pack kits are available for purchase
only from Cisco, and are for use only with 8000 Series devices running Version 5.3 or later of the
FireSIGHT System. Contact Support if you require assistance with the malware storage pack. See the
FireSIGHT System Malware Storage Pack Guide for more information.
unsupported hard drive may damage the device. Malware storage pack kits are available for purchase
only from Cisco, and are for use only with 8000 Series devices running Version 5.3 or later of the
FireSIGHT System. Contact Support if you require assistance with the malware storage pack. See the
FireSIGHT System Malware Storage Pack Guide for more information.
Note that because you cannot use a Malware license with a DC500, nor can you enable a Malware license
on a Series 2 device, you cannot use those appliances to capture or store files.
on a Series 2 device, you cannot use those appliances to capture or store files.
For more information, see:
•
•
Understanding Captured File Storage
License:
Malware
Supported Devices:
8000 Series
Based on your file policy configuration, your device may store a substantial amount of file data to the
hard drive. You can install a malware storage pack in the device; the system stores files to the malware
storage pack, allowing more room on the primary hard drive to store events and configuration files. The
system periodically deletes older files.
hard drive. You can install a malware storage pack in the device; the system stores files to the malware
storage pack, allowing more room on the primary hard drive to store events and configuration files. The
system periodically deletes older files.
Caution
Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an
unsupported hard drive may damage the device. Malware storage pack kits are available for purchase
only from Cisco, and are for use only with 8000 Series devices running Version 5.3 or later of the
FireSIGHT System. Contact Support if you require assistance with the malware storage pack. See the
FireSIGHT System Malware Storage Pack Guide for more information.
unsupported hard drive may damage the device. Malware storage pack kits are available for purchase
only from Cisco, and are for use only with 8000 Series devices running Version 5.3 or later of the
FireSIGHT System. Contact Support if you require assistance with the malware storage pack. See the
FireSIGHT System Malware Storage Pack Guide for more information.
Without a malware storage pack installed, when you configure a device to store files, it allocates a set
portion of the primary hard drive’s space solely to captured file storage. When you install a malware
storage pack in a device and configure the device to store files, the device instead allocates the entire
malware storage pack for storing captured files. The device cannot store any other information on the
malware storage pack.
portion of the primary hard drive’s space solely to captured file storage. When you install a malware
storage pack in a device and configure the device to store files, the device instead allocates the entire
malware storage pack for storing captured files. The device cannot store any other information on the
malware storage pack.
When the allocated space for captured file storage fills to capacity, the system deletes the oldest stored
files until the allocated space reaches a system-defined threshold. Based on the number of files stored,
you may see a substantial drop in disk usage after the system deletes files.
files until the allocated space reaches a system-defined threshold. Based on the number of files stored,
you may see a substantial drop in disk usage after the system deletes files.
If a device has already stored files when you install a malware storage pack, the next time you restart the
device, any captured files stored on the primary hard drive are moved to the malware storage pack. Any
future files the device stores are stored to the malware storage pack. If the device’s primary hard drive
does not have enough available space nor an installed malware storage pack, you cannot store files.
device, any captured files stored on the primary hard drive are moved to the malware storage pack. Any
future files the device stores are stored to the malware storage pack. If the device’s primary hard drive
does not have enough available space nor an installed malware storage pack, you cannot store files.
Note that you cannot include stored files in system backup files. For more information, see