Cisco Cisco FirePOWER Appliance 8250
37-23
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with White List Violations in the Host Profile
A compliance white list (or white list) is a set of criteria that allows you to specify the operating systems,
application protocols, clients, web applications, and protocols that are allowed to run on a specific
subnet.
If you add a white list to an active correlation policy, when the system detects that a host is violating the
white list, the Defense Center logs a white list event (a special kind of correlation event) to
the database. Each of these white list events is associated with a white list violation, which indicates how
and why a particular host is violating a white list. If a host violates one or more white lists, you can view
these violations in its host profile in two ways.
First, the host profile lists all of the individual white list violations associated with the host.
Descriptions of the white list violation information in the host profile follow.
Type
The type of the violation, that is, whether the violation occurred as a result of a non-compliant
operating system, application, server, or protocol.
Reason
The specific reason for the violation. For example, if you have a white list that allows only Microsoft
Windows hosts, the host profile displays the current operating system running on the host (such as
Linux Linux 2.4, 2.6).
White List
The name of the white list associated with the violation.
Second, in the sections associated with operating systems, applications, protocols, and servers, the
Defense Center marks non-compliant elements with the white list violation icon. For example, for
a white list that allows only Microsoft Windows hosts, the host profile displays the white list violation
icon next to the operating system information for that host.
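The relationship between a white list's criteria and the Type, Reason, and White List fields described above can be modeled as in the following sketch. It is an added illustration, not Cisco code or a FireSIGHT API: the data layout, the names `WhiteList` and `violations`, the type labels, the sample host and white lists, and the rule that an unlisted category is not checked are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Categories a white list can constrain besides the operating system (from the text above).
CATEGORIES = ("application protocols", "clients", "web applications", "protocols")

@dataclass
class WhiteList:                       # hypothetical structure, not a FireSIGHT object
    name: str
    subnet: str                        # subnet the white list applies to, in CIDR form
    allowed_os: set
    allowed: dict = field(default_factory=dict)   # category -> set of allowed names

def violations(host, white_lists):
    """Return one row per violation, shaped like the host profile list:
    type, reason (what the host is actually running), white list name."""
    rows = []
    addr = ipaddress.ip_address(host["ip"])
    for wl in white_lists:
        if addr not in ipaddress.ip_network(wl.subnet):
            continue                   # host is outside this white list's subnet
        if host["os"] not in wl.allowed_os:
            rows.append({"type": "operating system", "reason": host["os"],
                         "white_list": wl.name})
        for cat in CATEGORIES:
            if cat not in wl.allowed:
                continue               # assumption: an unlisted category is not checked
            for item in sorted(set(host.get(cat, ())) - wl.allowed[cat]):
                rows.append({"type": cat[:-1], "reason": item, "white_list": wl.name})
    return rows

# Constructed sample data.
WHITE_LISTS = [
    WhiteList("Windows Only", "10.0.1.0/24", {"Microsoft Windows"}),
    WhiteList("Approved Services", "10.0.0.0/16", {"Microsoft Windows", "Linux"},
              {"application protocols": {"HTTP", "HTTPS", "SSH"}}),
]
HOST = {"ip": "10.0.1.15", "os": "Linux",
        "application protocols": ["SSH", "FTP"], "clients": ["Firefox"]}

if __name__ == "__main__":
    for row in violations(HOST, WHITE_LISTS):
        print(row)
```

The sample host falls inside both subnets, so it produces one violation per white list: the operating system against the first and the FTP application protocol against the second.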
Note that you can use a host’s profile to create a shared host profile for compliance white lists. For more
information, see the next section, Creating a White List Host Profile from a Host Profile.
Creating a White List Host Profile from a Host Profile
License: FireSIGHT
Shared host profiles for compliance white lists specify which operating systems, application protocols,
clients, web applications, and protocols are allowed to run on target hosts across multiple white lists.
That is, if you create multiple white lists but want to use the same host profile to evaluate hosts running
a particular operating system across the white lists, use a shared host profile.
You can use a host profile of any host with a known IP address to create a shared host profile that your
compliance white lists can use. However, note that you cannot create a shared host profile based on an
individual host's host profile if the system has not yet identified the operating system of the host.
To create a shared host profile for compliance white lists based on a host profile:
Access: Admin
Step 1
Access a host profile from any network map or any event view.
For more information, see
.
Step 2
Click Generate White List Profile.