Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with Applications in the Host Profile
Viewing Applications in the Host Profile
License: FireSIGHT
The system can detect a variety of clients and web applications running on the hosts on your network.
Note
Note that you must select the Applications check box in discovery rules for NetFlow devices in your
network discovery policy for the system to detect applications on the hosts in your monitored network.
This option is enabled by default in NetFlow rules and cannot be disabled for rules used for discovery
via managed devices.
The host profile displays the product and version of the detected applications on a host, any available
client or web application information, and the time that the application was last detected in use.
The Defense Center lists up to 16 clients running on the host. After that limit is reached, new client
information from any source, whether active or passive, is discarded until you delete a client application
from the host or the system deletes the client from the host profile due to inactivity (the client times out).
Additionally, for each detected web browser, the host profile displays the first 100 web applications
accessed. After that limit is reached, new web applications associated with that browser from any source,
whether active or passive, are discarded until either:
• the web browser client application times out, or
• you delete application information associated with a web application from the host profile
Descriptions of the application information that appears in a host profile follow.
Application Protocol
Displays the application protocol used by the application (HTTP browser, DNS client, and so on).
Client
Client information derived from payload if identified by the FireSIGHT System, or captured by
Nmap, or by another active source, or acquired via the host input feature. The field is blank if none
of the available sources provides an identification.
Version
Displays the version of the client.
Web Application
For web browsers, the content detected by the system in the HTTP traffic. Web application information
indicates the specific type of content (for example, WMV or QuickTime) identified by the
FireSIGHT System, captured by Nmap, captured by another active source, or acquired via the host
input feature. The field is blank if none of the available sources provides an identification.
Note that if the host is running an application that violates a compliance white list in an activated
correlation policy, the Defense Center marks the non-compliant application with the white list violation
icon.
To analyze the connection events associated with a particular application on the host, click the events
icon next to the application. The first page of your preferred workflow for connection events
appears, showing connection events constrained by the type, product, and version of the application, as