Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 40 Creating Traffic Profiles
Specifying Traffic Profile Conditions
You build traffic profile conditions in the Profile Conditions section of the Create Profile page. See
the syntax you can use to build conditions is fully described in
.
Tip
If you want to use the settings from an existing traffic profile, click Copy Settings and, in the pop-up window, select the traffic profile you want to use and click Load.
Syntax for Traffic Profile Conditions
License: FireSIGHT
The following table describes how to build a traffic profile condition.
Keep in mind that NetFlow records do not contain information about which host in the connection is the initiator and which is the responder. When the system processes NetFlow records, it uses an algorithm to determine this information based on the ports each host is using, and whether those ports are well-known. For more information, see
.
Table 40-1 Syntax for Profile Conditions

If you specify...
    Select an operator, then...

Application Protocol
    Select an application protocol name from the drop-down list of available protocols.

Application Protocol Category
    Select an application protocol category name from the drop-down list of available categories.

Client
    Select a client name from the drop-down list of available clients.

Client Category
    Select a client category name from the drop-down list of available categories.

Connection Type
    Specify in the traffic profile whether you want to use connection data collected by your Cisco devices or by NetFlow-enabled devices. If you do not specify a connection type, the traffic profile includes both.

Initiator IP, Responder IP, or Initiator/Responder IP
    Use a specific IP address or CIDR notation to specify a range of IP addresses. See for a description of the syntax allowed for IP addresses. Note, however, that you cannot use the local or remote keywords to specify IP addresses that are or are not in the networks you are monitoring.

NetFlow Device
    Select the NetFlow-enabled device whose data you want to use to create the traffic profile. If you did not add any NetFlow-enabled devices to your deployment (using the local configuration), the NetFlow Device drop-down list is blank.
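
The following is an added example, not taken from the Cisco guide. It sketches a simplified port-based heuristic of the kind the NetFlow note above describes (the guide does not give Cisco's actual algorithm) and then evaluates an Initiator IP condition in CIDR notation against the guessed roles, so you can see when a match rests on a low-confidence guess. The record field names, the 0-1023 "well-known" threshold, the lower-port fallback, and the sample addresses are all assumptions.

```python
import ipaddress

WELL_KNOWN_MAX = 1023  # assumption: "well-known" means the IANA system port range 0-1023

def infer_roles(rec):
    """Guess (initiator, responder, confident) for a record with no direction field.

    Simplified stand-in heuristic, not Cisco's algorithm: the host on a
    well-known port is treated as the responder (the server side).
    """
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dst_ip"], rec["dst_port"])
    a_wk = a[1] <= WELL_KNOWN_MAX
    b_wk = b[1] <= WELL_KNOWN_MAX
    if a_wk and not b_wk:
        return b[0], a[0], True
    if b_wk and not a_wk:
        return a[0], b[0], True
    # Both or neither well-known: fall back to "lower port is the responder"
    # and mark the result as a low-confidence guess.
    if a[1] < b[1]:
        return b[0], a[0], False
    return a[0], b[0], False

def matches_initiator(rec, cidr):
    """Evaluate a profile-style 'Initiator IP is in <CIDR>' condition."""
    initiator, _, confident = infer_roles(rec)
    hit = ipaddress.ip_address(initiator) in ipaddress.ip_network(cidr)
    return hit, confident

# Constructed sample records (documentation address ranges, not real traffic).
RECORDS = [
    # Return half of an HTTPS flow: the exporter recorded server -> client.
    {"src_ip": "198.51.100.7", "src_port": 443, "dst_ip": "192.0.2.10", "dst_port": 51514},
    # Client -> SSH server.
    {"src_ip": "192.0.2.11", "src_port": 40022, "dst_ip": "198.51.100.9", "dst_port": 22},
    # Two high ports: direction cannot be decided from ports alone.
    {"src_ip": "192.0.2.12", "src_port": 50000, "dst_ip": "198.51.100.20", "dst_port": 8443},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(infer_roles(r), matches_initiator(r, "192.0.2.0/24"))
```

In the third record the Initiator IP condition matches only because of the fallback guess, which is the case to keep in mind when a profile built from NetFlow data is constrained by Initiator IP or Responder IP.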