Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 41 Configuring Remediations
Creating Remediations
To create a scan instance:
Access: Admin/Discovery Admin
Step 1
Select Policies > Actions > Instances.
The Instances page appears.
Step 2
Select Nmap Remediation (v1.0) from the Add a module type drop-down list and click Add.
The Edit Instance page appears.
Step 3
In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4
In the Description field, specify a description that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5
Optionally, in the Black Listed Scan hosts field, specify any hosts or networks that should never be scanned with this scan instance, using the following syntax:
• For IPv6 hosts, an exact IP address (for example, 2001:DB8::fedd:eeff)
• For IPv4 hosts, an exact IP address (for example, 192.168.1.101) or an IP address block using CIDR notation (for example, 192.168.1.0/24 scans the 254 hosts between 192.168.1.1 and 192.168.1.254, inclusive)
If you specifically target a scan to a host that is in a blacklisted network, that scan will not run. For information on using CIDR notation in the FireSIGHT System, see .
Step 6
Optionally, to run the scan from a remote managed device instead of the Defense Center, specify the name or IP address of the managed device in the Remote Device Name field.
Step 7
Click Create.
The scan instance is created.
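A pre-check of the values for Steps 3 to 5 before they are typed into the Edit Instance page, as an added example that is not part of the Cisco guide or the product's own validation. The function names and sample values are assumptions; the code mirrors the syntax rules stated above and the rule that a scan targeted at a blacklisted host does not run.

```python
import ipaddress
import re

# Step 3: 1 to 63 characters; letters, digits, underscore and dash only.
# Treating "alphanumeric" as ASCII is an assumption of this example.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")


def parse_blacklist(entries):
    """Parse Step 5 entries into ipaddress networks, rejecting other syntax."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        # Default strict mode also rejects blocks with host bits set,
        # such as 192.168.1.5/24, which is usually a typo.
        net = ipaddress.ip_network(entry)
        if net.version == 6 and "/" in entry:
            raise ValueError(f"IPv6 entry must be an exact address: {entry}")
        networks.append(net)  # exact hosts become /32 or /128 networks
    return networks


def check_instance(name, description, blacklist_entries):
    """Return a list of problems with the proposed values (empty if none)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("instance name")
    if len(description) > 255:
        problems.append("description")
    try:
        parse_blacklist(blacklist_entries)
    except ValueError as exc:
        problems.append(f"blacklist: {exc}")
    return problems


def scan_will_run(target, blacklist):
    """False when the target is a blacklisted host or inside a blacklisted block."""
    addr = ipaddress.ip_address(target)
    return not any(addr.version == net.version and addr in net for net in blacklist)


if __name__ == "__main__":
    # Constructed sample values, reusing the address examples from Step 5.
    entries = ["2001:DB8::fedd:eeff", "192.168.1.0/24"]
    print(check_instance("dmz_nmap-01", "Nightly DMZ scan", entries))
    blacklist = parse_blacklist(entries)
    for host in ("192.168.1.101", "192.168.2.10", "2001:db8::fedd:eeff"):
        print(host, "scan runs" if scan_will_run(host, blacklist) else "blocked")
```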
Nmap Scan Remediations
License: FireSIGHT
You can define the settings for an Nmap scan by creating an Nmap remediation. An Nmap remediation
can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time.
In order for the results of an Nmap scan to appear in the network map, the scanned host must already
exist in the network map. Note that NetFlow, the host input feature, and the system itself can add hosts
to the network map.
For more information on the specific settings in an Nmap remediation, see .
Note that Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date. For more information, see . Also note that if the host is deleted from the network map, any Nmap scan results for that host are discarded.